vinext 0.0.52 → 0.0.54

package/dist/config/config-matchers.js.map

@@ -1 +1 @@
-{"version":3,"file":"config-matchers.js","names":[],"sources":["../../src/config/config-matchers.ts"],"sourcesContent":["/**\n * Config pattern matching and rule application utilities.\n *\n * Shared between the dev server (index.ts) and the production server\n * (prod-server.ts) so both apply next.config.js rules identically.\n */\n\nimport type {\n  NextI18nConfig,\n  NextRedirect,\n  NextRewrite,\n  NextHeader,\n  HasCondition,\n} from \"./next-config.js\";\nimport {\n  MIDDLEWARE_HEADER_PREFIX,\n  VINEXT_MW_CTX_HEADER,\n  VINEXT_PRERENDER_SECRET_HEADER,\n} from \"../server/headers.js\";\nimport { buildRequestHeadersFromMiddlewareResponse } from \"../server/middleware-request-headers.js\";\n\n/**\n * Cache for compiled regex patterns in matchConfigPattern.\n *\n * Redirect/rewrite patterns are static — they come from next.config.js and\n * never change at runtime. Without caching, every request that hits the regex\n * branch re-runs the full tokeniser walk + isSafeRegex + new RegExp() for\n * every rule in the array. On apps with many locale-prefixed rules (which all\n * contain `(` and therefore enter the regex branch) this dominated profiling\n * at ~2.4 seconds of CPU self-time.\n *\n * Value is `null` when safeRegExp rejected the pattern (ReDoS risk), so we\n * skip it on subsequent requests too without re-running the scanner.\n */\nconst _compiledPatternCache = new Map<string, { re: RegExp; paramNames: string[] } | null>();\n\n/**\n * Cache for compiled header source regexes in matchHeaders.\n *\n * Each NextHeader rule has a `source` that is run through escapeHeaderSource()\n * then safeRegExp() to produce a RegExp. Both are pure functions of the source\n * string and the result never changes. Without caching, every request\n * re-runs the full escapeHeaderSource tokeniser + isSafeRegex scan + new RegExp()\n * for every header rule.\n *\n * Value is `null` when safeRegExp rejected the pattern (ReDoS risk).\n */\nconst _compiledHeaderSourceCache = new Map<string, RegExp | null>();\n\n/**\n * Cache for compiled has/missing condition value regexes in checkSingleCondition.\n *\n * Each has/missing condition may carry a `value` string that is passed directly\n * to safeRegExp() for matching against header/cookie/query/host values. The\n * condition objects are static (from next.config.js) so the compiled RegExp\n * never changes. Without caching, safeRegExp() is called on every request for\n * every condition on every rule.\n *\n * Value is `null` when safeRegExp rejected the pattern, or `false` when the\n * value string was undefined (no regex needed — use exact string comparison).\n */\nconst _compiledConditionCache = new Map<string, RegExp | null>();\n\n/**\n * Cache for destination substitution regexes in substituteDestinationParams.\n *\n * The regex depends only on the set of param keys captured from the matched\n * source pattern. Caching by sorted key list avoids recompiling a new RegExp\n * for repeated redirect/rewrite calls that use the same param shape.\n */\nconst _compiledDestinationParamCache = new Map<string, RegExp>();\n\n/**\n * Generic helper for the regex compilation caches above.\n *\n * Each cache stores the compiled artifact (or `null` when safeRegExp rejected\n * the pattern) the first time a key is seen, and reuses it forever. The\n * `undefined` sentinel distinguishes \"not yet seen\" from \"seen and rejected\"\n * so we never re-run isSafeRegex on the same input.\n *\n * Keep the security path intact: `compile()` is responsible for calling\n * safeRegExp(); this helper only handles caching.\n */\nfunction getCachedRegex<K, V>(cache: Map<K, V | null>, key: K, compile: () => V | null): V | null {\n  let value = cache.get(key);\n  if (value === undefined) {\n    value = compile();\n    cache.set(key, value);\n  }\n  return value;\n}\n\n/**\n * Redirect index for O(1) locale-static rule lookup.\n *\n * Many Next.js apps generate 50-100 redirect rules of the form:\n *   /:locale(en|es|fr|...)?/some-static-path  →  /some-destination\n *\n * The compiled regex for each is like:\n *   ^/(en|es|fr|...)?/some-static-path$\n *\n * When no redirect matches (the common case for ordinary page loads),\n * matchRedirect previously ran exec() on every one of those regexes —\n * ~2ms per call, ~2992ms total self-time in profiles.\n *\n * The index splits rules into two buckets:\n *\n *   localeStatic — rules whose source is exactly /:paramName(alt1|alt2|...)?/suffix\n *     where `suffix` is a static path with no further params or regex groups.\n *     These are indexed in a Map<suffix, entry[]> for O(1) lookup after a\n *     single fast strip of the optional locale prefix.\n *\n *   linear — all other rules. Matched with the original O(n) loop.\n *\n * The index is stored in a WeakMap keyed by the redirects array so it is\n * computed once per config load and GC'd when the array is no longer live.\n *\n * ## Ordering invariant\n *\n * Redirect rules must be evaluated in their original order (first match wins).\n * Each locale-static entry stores its `originalIndex` so that, when a\n * locale-static fast-path match is found, any linear rules that appear earlier\n * in the array are still checked first.\n */\n\n/**\n * Matches `/:param(alternation)?/static/suffix` — the locale-static pattern.\n *\n * The `?` after the capture group is itself optional so that both forms are\n * detected:\n *   - `/:locale(en|fr)?/foo` (locale segment optional — user-written rules)\n *   - `/:nextInternalLocale(en|fr)/foo` (locale segment mandatory — emitted\n *      by `applyLocaleToRoutes` for the locale-capture variant)\n * Both forms benefit from O(1) suffix lookup; the optionality is recorded\n * on the entry so we know whether to try the no-locale-prefix bucket.\n */\nconst _LOCALE_STATIC_RE = /^\\/:[\\w-]+\\(([^)]+)\\)(\\??)\\/([a-zA-Z0-9_~.%@!$&'*+,;=:/-]+)$/;\n\ntype LocaleStaticEntry = {\n  /** The param name extracted from the source (e.g. \"locale\"). */\n  paramName: string;\n  /** The compiled regex matching just the alternation, used at match time. */\n  altRe: RegExp;\n  /** Whether the locale segment is optional (the source had `?` after the group). */\n  optional: boolean;\n  /** The original redirect rule. */\n  redirect: NextRedirect;\n  /** Position of this rule in the original redirects array. */\n  originalIndex: number;\n};\n\ntype RedirectIndex = {\n  /** Fast-path map: strippedPath (e.g. \"/security\") → matching entries. */\n  localeStatic: Map<string, LocaleStaticEntry[]>;\n  /**\n   * Linear fallback for rules that couldn't be indexed.\n   * Each entry is [originalIndex, redirect].\n   */\n  linear: Array<[number, NextRedirect]>;\n};\n\nconst _redirectIndexCache = new WeakMap<NextRedirect[], RedirectIndex>();\n\n/**\n * Build (or retrieve from cache) the redirect index for a given redirects array.\n *\n * Called once per config load from matchRedirect. The WeakMap ensures the index\n * is recomputed if the config is reloaded (new array reference) and GC'd when\n * the array is collected.\n */\nfunction _getRedirectIndex(redirects: NextRedirect[]): RedirectIndex {\n  let index = _redirectIndexCache.get(redirects);\n  if (index !== undefined) return index;\n\n  const localeStatic = new Map<string, LocaleStaticEntry[]>();\n  const linear: Array<[number, NextRedirect]> = [];\n\n  for (let i = 0; i < redirects.length; i++) {\n    const redirect = redirects[i];\n    const m = _LOCALE_STATIC_RE.exec(redirect.source);\n    if (m) {\n      const paramName = redirect.source.slice(2, redirect.source.indexOf(\"(\"));\n      const alternation = m[1];\n      const optional = m[2] === \"?\";\n      const suffix = \"/\" + m[3]; // e.g. \"/security\"\n      // Build a small regex to validate the captured locale value against the\n      // alternation. Using anchored match to avoid partial matches.\n      // The alternation comes from user config; run it through safeRegExp to\n      // guard against ReDoS in pathological configs.\n      const altRe = safeRegExp(\"^(?:\" + alternation + \")$\");\n      if (!altRe) {\n        // Unsafe alternation — fall back to linear scan for this rule.\n        linear.push([i, redirect]);\n        continue;\n      }\n      const entry: LocaleStaticEntry = {\n        paramName,\n        altRe,\n        optional,\n        redirect,\n        originalIndex: i,\n      };\n      const bucket = localeStatic.get(suffix);\n      if (bucket) {\n        bucket.push(entry);\n      } else {\n        localeStatic.set(suffix, [entry]);\n      }\n    } else {\n      linear.push([i, redirect]);\n    }\n  }\n\n  index = { localeStatic, linear };\n  _redirectIndexCache.set(redirects, index);\n  return index;\n}\n\n/** Hop-by-hop headers that should not be forwarded through a proxy. */\nconst HOP_BY_HOP_HEADERS = new Set([\n  \"connection\",\n  \"keep-alive\",\n  \"proxy-authenticate\",\n  \"proxy-authorization\",\n  \"te\",\n  \"trailers\",\n  \"transfer-encoding\",\n  \"upgrade\",\n]);\n\n/**\n * Request hop-by-hop headers to strip before proxying with fetch().\n * Intentionally narrower than HOP_BY_HOP_HEADERS: external rewrite proxying\n * still forwards proxy auth credentials, while response sanitization strips\n * them before returning data to the client.\n */\nconst REQUEST_HOP_BY_HOP_HEADERS = new Set([\n  \"connection\",\n  \"keep-alive\",\n  \"te\",\n  \"trailers\",\n  \"transfer-encoding\",\n  \"upgrade\",\n]);\n\nfunction stripHopByHopRequestHeaders(headers: Headers): void {\n  const connectionTokens = (headers.get(\"connection\") || \"\")\n    .split(\",\")\n    .map((value) => value.trim().toLowerCase())\n    .filter(Boolean);\n\n  for (const header of REQUEST_HOP_BY_HOP_HEADERS) {\n    headers.delete(header);\n  }\n\n  for (const token of connectionTokens) {\n    headers.delete(token);\n  }\n}\n\n/**\n * Detect regex patterns vulnerable to catastrophic backtracking (ReDoS).\n *\n * Uses a lightweight heuristic: scans the pattern string for nested quantifiers\n * (a quantifier applied to a group that itself contains a quantifier). This\n * catches the most common pathological patterns like `(a+)+`, `(.*)*`,\n * `([^/]+)+`, `(a|a+)+` without needing a full regex parser.\n *\n * Returns true if the pattern appears safe, false if it's potentially dangerous.\n */\nexport function isSafeRegex(pattern: string): boolean {\n  // Track parenthesis nesting depth and whether we've seen a quantifier\n  // at each depth level.\n  const quantifierAtDepth: boolean[] = [];\n  let depth = 0;\n  let i = 0;\n\n  while (i < pattern.length) {\n    const ch = pattern[i];\n\n    // Skip escaped characters\n    if (ch === \"\\\\\") {\n      i += 2;\n      continue;\n    }\n\n    // Skip character classes [...] — quantifiers inside them are literal\n    if (ch === \"[\") {\n      i++;\n      while (i < pattern.length && pattern[i] !== \"]\") {\n        if (pattern[i] === \"\\\\\") i++; // skip escaped char in class\n        i++;\n      }\n      i++; // skip closing ]\n      continue;\n    }\n\n    if (ch === \"(\") {\n      depth++;\n      // Initialize: no quantifier seen yet at this new depth\n      if (quantifierAtDepth.length <= depth) {\n        quantifierAtDepth.push(false);\n      } else {\n        quantifierAtDepth[depth] = false;\n      }\n      i++;\n      continue;\n    }\n\n    if (ch === \")\") {\n      const hadQuantifier = depth > 0 && quantifierAtDepth[depth];\n      if (depth > 0) depth--;\n\n      // Look ahead for a quantifier on this group: +, *, {n,m}\n      // Note: '?' after ')' means \"zero or one\" which does NOT cause catastrophic\n      // backtracking — it only allows 2 paths (match/skip), not exponential.\n      // Only unbounded repetition (+, *, {n,}) on a group with inner quantifiers is dangerous.\n      const next = pattern[i + 1];\n      if (next === \"+\" || next === \"*\" || next === \"{\") {\n        if (hadQuantifier) {\n          // Nested quantifier detected: quantifier on a group that contains a quantifier\n          return false;\n        }\n        // Mark the enclosing depth as having a quantifier\n        if (depth >= 0 && depth < quantifierAtDepth.length) {\n          quantifierAtDepth[depth] = true;\n        }\n      }\n      i++;\n      continue;\n    }\n\n    // Detect quantifiers: +, *, ?, {n,m}\n    // '?' is a quantifier (optional) unless it follows another quantifier (+, *, ?, })\n    // in which case it's a non-greedy modifier.\n    if (ch === \"+\" || ch === \"*\") {\n      if (depth > 0) {\n        quantifierAtDepth[depth] = true;\n      }\n      i++;\n      continue;\n    }\n\n    if (ch === \"?\") {\n      // '?' after +, *, ?, or } is a non-greedy modifier, not a quantifier\n      const prev = i > 0 ? pattern[i - 1] : \"\";\n      if (prev !== \"+\" && prev !== \"*\" && prev !== \"?\" && prev !== \"}\") {\n        if (depth > 0) {\n          quantifierAtDepth[depth] = true;\n        }\n      }\n      i++;\n      continue;\n    }\n\n    if (ch === \"{\") {\n      // Check if this is a quantifier {n}, {n,}, {n,m}\n      let j = i + 1;\n      while (j < pattern.length && /[\\d,]/.test(pattern[j])) j++;\n      if (j < pattern.length && pattern[j] === \"}\" && j > i + 1) {\n        if (depth > 0) {\n          quantifierAtDepth[depth] = true;\n        }\n        i = j + 1;\n        continue;\n      }\n    }\n\n    i++;\n  }\n\n  return true;\n}\n\n/**\n * Compile a regex pattern safely. Returns the compiled RegExp or null if the\n * pattern is invalid or vulnerable to ReDoS.\n *\n * Logs a warning when a pattern is rejected so developers can fix their config.\n */\nexport function safeRegExp(pattern: string, flags?: string): RegExp | null {\n  if (!isSafeRegex(pattern)) {\n    console.warn(\n      `[vinext] Ignoring potentially unsafe regex pattern (ReDoS risk): ${pattern}\\n` +\n        `  Patterns with nested quantifiers (e.g. (a+)+) can cause catastrophic backtracking.\\n` +\n        `  Simplify the pattern to avoid nested repetition.`,\n    );\n    return null;\n  }\n  try {\n    return new RegExp(pattern, flags);\n  } catch {\n    return null;\n  }\n}\n\n/**\n * Convert a Next.js header/rewrite/redirect source pattern into a regex string.\n *\n * Regex groups in the source (e.g. `(\\d+)`) are extracted first, the remaining\n * text is escaped/converted in a **single pass** (avoiding chained `.replace()`\n * which CodeQL flags as incomplete sanitization), then groups are restored.\n */\nexport function escapeHeaderSource(source: string): string {\n  // Sentinel character for group placeholders. Uses a Unicode private-use-area\n  // codepoint that will never appear in real source patterns.\n  const S = \"\\uE000\";\n\n  // Step 1: extract regex groups and replace with numbered placeholders.\n  const groups: string[] = [];\n  const withPlaceholders = source.replace(/\\(([^)]+)\\)/g, (_m, inner) => {\n    groups.push(inner);\n    return `${S}G${groups.length - 1}${S}`;\n  });\n\n  // Step 2: single-pass conversion of the placeholder-bearing string.\n  // Match named params (:[\\w-]+), sentinel group placeholders, metacharacters, and literal text.\n  // The regex uses non-overlapping alternatives to avoid backtracking:\n  //   :[\\w-]+  — named parameter (constraint sentinel is checked procedurally;\n  //              param names may contain hyphens, e.g. :auth-method)\n  //   sentinel group — standalone regex group placeholder\n  //   [.+?*] — single metachar to escape/convert\n  //   [^.+?*:\\uE000]+ — literal text (excludes all chars that start other alternatives)\n  let result = \"\";\n  const re = new RegExp(\n    `${S}G(\\\\d+)${S}|:[\\\\w-]+|[.+?*]|[^.+?*:\\\\uE000]+`, // lgtm[js/redos] — alternatives are non-overlapping\n    \"g\",\n  );\n  let m: RegExpExecArray | null;\n  while ((m = re.exec(withPlaceholders)) !== null) {\n    if (m[1] !== undefined) {\n      // Standalone regex group — restore as-is\n      result += `(${groups[Number(m[1])]})`;\n    } else if (m[0].startsWith(\":\")) {\n      // Named parameter — check if followed by a constraint group placeholder\n      const afterParam = withPlaceholders.slice(re.lastIndex);\n      const constraintMatch = afterParam.match(new RegExp(`^${S}G(\\\\d+)${S}`));\n      if (constraintMatch) {\n        // :param(constraint) — use the constraint as the capture group\n        re.lastIndex += constraintMatch[0].length;\n        result += `(${groups[Number(constraintMatch[1])]})`;\n      } else {\n        // Plain named parameter → match one segment\n        result += \"[^/]+\";\n      }\n    } else {\n      switch (m[0]) {\n        case \".\":\n          result += \"\\\\.\";\n          break;\n        case \"+\":\n          result += \"\\\\+\";\n          break;\n        case \"?\":\n          result += \"\\\\?\";\n          break;\n        case \"*\":\n          result += \".*\";\n          break;\n        default:\n          result += m[0];\n          break;\n      }\n    }\n  }\n\n  return result;\n}\n\n/**\n * Request context needed for evaluating has/missing conditions.\n * Callers extract the relevant parts from the incoming Request.\n */\nexport type RequestContext = {\n  headers: Headers;\n  cookies: Record<string, string>;\n  query: URLSearchParams;\n  host: string;\n};\n\n/**\n * basePath gating state passed alongside the pathname to every matcher.\n *\n * Rewrites/redirects/headers run with default `basePath: true` semantics in\n * Next.js: the rule only matches when the inbound request was under the\n * configured `basePath`. Rules with `basePath: false` opt out and match\n * the original (un-stripped) pathname regardless of prefix.\n *\n * When `basePath` is empty (not configured) every rule is treated as\n * basePath-defaulted: every request matches.\n *\n * @see .nextjs-ref/packages/next/src/lib/load-custom-routes.ts:198-220\n */\nexport type BasePathMatchState = {\n  /** Configured `basePath` (without trailing slash) or \"\" when unset. */\n  basePath: string;\n  /**\n   * True when the inbound request was originally under `basePath` (i.e.\n   * the prod-server/handler stripped the prefix before the matcher runs).\n   * Ignored when `basePath` is empty.\n   */\n  hadBasePath: boolean;\n};\n\nconst _BASEPATH_DEFAULT: BasePathMatchState = { basePath: \"\", hadBasePath: true };\n\n/**\n * Decide whether a rule should be evaluated at all given the current\n * basePath-gating state.\n *\n * Encodes the Next.js rules:\n *   - basePath: false rule → only when the request was NOT under basePath\n *     (i.e. it's the explicit opt-out path). When `basePath` itself is\n *     empty, basePath: false rules are still allowed to match — there's\n *     just no basePath to gate them.\n *   - default rule (basePath !== false) → only when the request WAS under\n *     basePath (or no basePath is configured).\n */\nfunction shouldEvaluateRule(ruleBasePath: false | undefined, state: BasePathMatchState): boolean {\n  if (!state.basePath) return true;\n  return ruleBasePath === false ? !state.hadBasePath : state.hadBasePath;\n}\n\n/**\n * Parse a Cookie header string into a key-value record.\n */\nexport function parseCookies(cookieHeader: string | null): Record<string, string> {\n  if (!cookieHeader) return {};\n  const cookies: Record<string, string> = {};\n  for (const part of cookieHeader.split(\";\")) {\n    const eq = part.indexOf(\"=\");\n    if (eq === -1) continue;\n    const key = part.slice(0, eq).trim();\n    const value = part.slice(eq + 1).trim();\n    if (key) cookies[key] = value;\n  }\n  return cookies;\n}\n\n/**\n * Build a RequestContext from a Web Request object.\n */\nexport function requestContextFromRequest(request: Request): RequestContext {\n  const url = new URL(request.url);\n  return {\n    headers: request.headers,\n    cookies: parseCookies(request.headers.get(\"cookie\")),\n    query: url.searchParams,\n    host: normalizeHost(request.headers.get(\"host\"), url.hostname),\n  };\n}\n\nexport function normalizeHost(hostHeader: string | null, fallbackHostname: string): string {\n  const host = hostHeader ?? fallbackHostname;\n  return host.split(\":\", 1)[0].toLowerCase();\n}\n\n/**\n * Unpack `x-middleware-request-*` headers from the collected middleware\n * response headers into the actual request, and strip all `x-middleware-*`\n * internal signals so they never reach clients.\n *\n * `middlewareHeaders` is mutated in-place (matching keys are deleted).\n * Returns a (possibly cloned) `Request` with the unpacked headers applied,\n * and a fresh `RequestContext` built from it — ready for post-middleware\n * config rule matching (beforeFiles, afterFiles, fallback).\n *\n * Works for both Node.js requests (mutable headers) and Workers requests\n * (immutable — cloned only when there are headers to apply).\n *\n * `x-middleware-request-*` values are always plain strings (they carry\n * individual header values), so the wider `string | string[]` type of\n * `middlewareHeaders` is safe to cast here.\n */\nexport function applyMiddlewareRequestHeaders(\n  middlewareHeaders: Record<string, string | string[]>,\n  request: Request,\n  options: { preserveCredentialHeaders?: boolean } = {},\n): { request: Request; postMwReqCtx: RequestContext } {\n  const nextHeaders = buildRequestHeadersFromMiddlewareResponse(\n    request.headers,\n    middlewareHeaders,\n    options,\n  );\n\n  for (const key of Object.keys(middlewareHeaders)) {\n    if (key.startsWith(MIDDLEWARE_HEADER_PREFIX)) {\n      delete middlewareHeaders[key];\n    }\n  }\n\n  if (nextHeaders) {\n    // Headers may be immutable (Workers), so always clone via new Headers().\n    request = new Request(request.url, {\n      method: request.method,\n      headers: nextHeaders,\n      body: request.body,\n      // @ts-expect-error — duplex needed for streaming request bodies\n      duplex: request.body ? \"half\" : undefined,\n    });\n  }\n\n  return { request, postMwReqCtx: requestContextFromRequest(request) };\n}\n\nfunction _emptyParams(): Record<string, string> {\n  return Object.create(null) as Record<string, string>;\n}\n\nfunction _matchConditionValue(\n  actualValue: string,\n  expectedValue: string | undefined,\n): Record<string, string> | null {\n  if (expectedValue === undefined) return _emptyParams();\n\n  const re = _cachedConditionRegex(expectedValue);\n  if (re) {\n    const match = re.exec(actualValue);\n    if (!match) return null;\n\n    const params = _emptyParams();\n    if (match.groups) {\n      for (const [key, value] of Object.entries(match.groups)) {\n        if (value !== undefined) params[key] = value;\n      }\n    }\n    return params;\n  }\n\n  return actualValue === expectedValue ? _emptyParams() : null;\n}\n\n/**\n * Check a single has/missing condition against request context.\n * Returns captured params when the condition is satisfied, or null otherwise.\n */\nfunction matchSingleCondition(\n  condition: HasCondition,\n  ctx: RequestContext,\n): Record<string, string> | null {\n  switch (condition.type) {\n    case \"header\": {\n      const headerValue = ctx.headers.get(condition.key);\n      if (headerValue === null) return null;\n      return _matchConditionValue(headerValue, condition.value);\n    }\n    case \"cookie\": {\n      const cookieValue = ctx.cookies[condition.key];\n      if (cookieValue === undefined) return null;\n      return _matchConditionValue(cookieValue, condition.value);\n    }\n    case \"query\": {\n      const queryValue = ctx.query.get(condition.key);\n      if (queryValue === null) return null;\n      return _matchConditionValue(queryValue, condition.value);\n    }\n    case \"host\": {\n      if (condition.value !== undefined) return _matchConditionValue(ctx.host, condition.value);\n      return ctx.host === condition.key ? _emptyParams() : null;\n    }\n    default:\n      return null;\n  }\n}\n\n/**\n * Return a cached RegExp for a has/missing condition value string, compiling\n * on first use. Returns null if safeRegExp rejected the pattern or if the\n * value is not a valid regex (fall back to exact string comparison).\n */\nfunction _cachedConditionRegex(value: string): RegExp | null {\n  return getCachedRegex(_compiledConditionCache, value, () =>\n    // Anchor the regex to match the full value, not a substring.\n    // Matches Next.js: new RegExp(`^${hasItem.value}$`)\n    // Without anchoring, has:[cookie:role=admin] would match \"not-admin\".\n    safeRegExp(`^${value}$`),\n  );\n}\n\n/**\n * Check all has/missing conditions for a config rule.\n * Returns true if the rule should be applied (all has conditions pass, all missing conditions pass).\n *\n * - has: every condition must match (the request must have it)\n * - missing: every condition must NOT match (the request must not have it)\n */\nfunction collectConditionParams(\n  has: HasCondition[] | undefined,\n  missing: HasCondition[] | undefined,\n  ctx: RequestContext,\n): Record<string, string> | null {\n  const params = _emptyParams();\n\n  if (has) {\n    for (const condition of has) {\n      const conditionParams = matchSingleCondition(condition, ctx);\n      if (!conditionParams) return null;\n      Object.assign(params, conditionParams);\n    }\n  }\n\n  if (missing) {\n    for (const condition of missing) {\n      if (matchSingleCondition(condition, ctx)) return null;\n    }\n  }\n\n  return params;\n}\n\nexport function checkHasConditions(\n  has: HasCondition[] | undefined,\n  missing: HasCondition[] | undefined,\n  ctx: RequestContext,\n): boolean {\n  return collectConditionParams(has, missing, ctx) !== null;\n}\n\n/**\n * If the current position in `str` starts with a parenthesized group, consume\n * it and advance `re.lastIndex` past the closing `)`. Returns the group\n * contents or null if no group is present.\n */\nfunction extractConstraint(str: string, re: RegExp): string | null {\n  if (str[re.lastIndex] !== \"(\") return null;\n  const start = re.lastIndex + 1;\n  let depth = 1;\n  let i = start;\n  while (i < str.length && depth > 0) {\n    if (str[i] === \"(\") depth++;\n    else if (str[i] === \")\") depth--;\n    i++;\n  }\n  if (depth !== 0) return null;\n  re.lastIndex = i;\n  return str.slice(start, i - 1);\n}\n\n/**\n * Match a Next.js config pattern (from redirects/rewrites sources) against a pathname.\n * Returns matched params or null.\n *\n * Supports:\n *   :param     - matches a single path segment\n *   :param*    - matches zero or more segments (catch-all)\n *   :param+    - matches one or more segments\n *   (regex)    - inline regex patterns in the source\n *   :param(constraint) - named param with inline regex constraint\n */\n/**\n * Strip a single trailing slash from a pathname for config-source matching.\n *\n * Next.js conditionally appends `(/)?` to rewrite/redirect/header source\n * regexes when `trailingSlash: true` (see Next.js\n * `resolve-rewrites.ts` and `server-utils.ts:checkRewrite`). Rather than\n * threading the trailingSlash flag through every matcher, we unconditionally\n * strip a trailing slash from the incoming pathname. When `trailingSlash: false`\n * the request pipeline emits a normalizing redirect (step 3) before config\n * rewrites/redirects (step 6) ever run, so the pathname is already slash-free;\n * the unconditional strip is defense-in-depth for that ordering. When\n * `trailingSlash: true` it bridges the gap between the canonicalized request\n * path (`/rewrite-1/`) and source patterns written without a trailing slash\n * (`/rewrite-1`).\n *\n * The root path `\"/\"` is preserved as-is.\n */\nfunction stripTrailingSlashForConfigMatch(pathname: string): string {\n  return pathname.length > 1 && pathname.endsWith(\"/\") ? pathname.slice(0, -1) : pathname;\n}\n\nexport function matchConfigPattern(\n  pathname: string,\n  pattern: string,\n): Record<string, string> | null {\n  // See `stripTrailingSlashForConfigMatch` — the source pattern itself is left\n  // unchanged because catch-all patterns (`:param*` / `:param+`) and the root\n  // `/` already consume any trailing slash; stripping the pattern would change\n  // those semantics.\n  pathname = stripTrailingSlashForConfigMatch(pathname);\n\n  // If the pattern contains regex groups like (\\d+) or (.*), use regex matching.\n  // Also enter this branch when a catch-all parameter (:param* or :param+) is\n  // followed by a literal suffix (e.g. \"/:path*.md\"). Without this, the suffix\n  // pattern falls through to the simple segment matcher which incorrectly treats\n  // the whole segment (\":path*.md\") as a named parameter and matches everything.\n  // The last condition catches simple params with literal suffixes (e.g. \"/:slug.md\")\n  // where the param name is followed by a dot — the simple matcher would treat\n  // \"slug.md\" as the param name and match any single segment regardless of suffix.\n  // Enter the full regex branch when:\n  //   - the pattern uses explicit regex groups or escapes,\n  //   - a catch-all (`:foo*` / `:foo+`) is followed by a literal suffix that\n  //     the simple catch-all branch cannot express,\n  //   - a named param is followed by a dot (the simple branch would treat\n  //     \"slug.md\" as the whole param name),\n  //   - the pattern has multiple named params and any of them is a catch-all\n  //     (e.g. `/:locale/files/:path*`). The simple catch-all branch only\n  //     handles trailing-catch-all-with-static-prefix; mixed cases need regex.\n  const catchAllAnchor = /:[\\w-]+[*+]/.test(pattern);\n  const namedParamCount = (pattern.match(/:[\\w-]+/g) || []).length;\n  if (\n    pattern.includes(\"(\") ||\n    pattern.includes(\"\\\\\") ||\n    /:[\\w-]+[*+][^/]/.test(pattern) ||\n    /:[\\w-]+\\./.test(pattern) ||\n    (catchAllAnchor && namedParamCount > 1)\n  ) {\n    try {\n      // Look up the compiled regex in the module-level cache. Patterns come\n      // from next.config.js and are static, so we only need to compile each\n      // one once across the lifetime of the worker/server process.\n      // null is stored for rejected patterns so we don't re-run isSafeRegex.\n      const compiled = getCachedRegex(_compiledPatternCache, pattern, () => {\n        // Cache miss — compile the pattern now and store the result.\n        // Param names may contain hyphens (e.g. :auth-method, :sign-in).\n        const paramNames: string[] = [];\n        // Single-pass conversion with procedural suffix handling. The tokenizer\n        // matches only simple, non-overlapping tokens; quantifier/constraint\n        // suffixes after :param are consumed procedurally to avoid polynomial\n        // backtracking in the regex engine.\n        let regexStr = \"\";\n        const tokenRe = /:([\\w-]+)|[.]|[^:.]+/g; // lgtm[js/redos] — alternatives are non-overlapping (`:` and `.` excluded from `[^:.]+`)\n        let tok: RegExpExecArray | null;\n        while ((tok = tokenRe.exec(pattern)) !== null) {\n          if (tok[1] !== undefined) {\n            const name = tok[1];\n            const rest = pattern.slice(tokenRe.lastIndex);\n            // Check for quantifier (* or +) with optional constraint\n            if (rest.startsWith(\"*\") || rest.startsWith(\"+\")) {\n              const quantifier = rest[0];\n              tokenRe.lastIndex += 1;\n              const constraint = extractConstraint(pattern, tokenRe);\n              paramNames.push(name);\n              if (constraint !== null) {\n                regexStr += `(${constraint})`;\n              } else {\n                regexStr += quantifier === \"*\" ? \"(.*)\" : \"(.+)\";\n              }\n            } else {\n              // Check for inline constraint without quantifier\n              const constraint = extractConstraint(pattern, tokenRe);\n              paramNames.push(name);\n              regexStr += constraint !== null ? `(${constraint})` : \"([^/]+)\";\n            }\n          } else if (tok[0] === \".\") {\n            regexStr += \"\\\\.\";\n          } else {\n            regexStr += tok[0];\n          }\n        }\n        const re = safeRegExp(\"^\" + regexStr + \"$\");\n        return re ? { re, paramNames } : null;\n      });\n      if (!compiled) return null;\n      const match = compiled.re.exec(pathname);\n      if (!match) return null;\n      const params: Record<string, string> = Object.create(null);\n      for (let i = 0; i < compiled.paramNames.length; i++) {\n        params[compiled.paramNames[i]] = match[i + 1] ?? \"\";\n      }\n      return params;\n    } catch {\n      // Fall through to segment-based matching\n    }\n  }\n\n  // Check for catch-all patterns (:param* or :param+) without regex groups\n  // Param names may contain hyphens (e.g. :sign-in*, :sign-up+).\n  const catchAllMatch = pattern.match(/:([\\w-]+)(\\*|\\+)$/);\n  if (catchAllMatch) {\n    const prefix = pattern.slice(0, pattern.lastIndexOf(\":\"));\n    const paramName = catchAllMatch[1];\n    const isPlus = catchAllMatch[2] === \"+\";\n\n    const prefixNoSlash = prefix.replace(/\\/$/, \"\");\n    if (!pathname.startsWith(prefixNoSlash)) return null;\n    const charAfter = pathname[prefixNoSlash.length];\n    if (charAfter !== undefined && charAfter !== \"/\") return null;\n\n    const rest = pathname.slice(prefixNoSlash.length);\n    if (isPlus && (!rest || rest === \"/\")) return null;\n    let restValue = rest.startsWith(\"/\") ? rest.slice(1) : rest;\n    // NOTE: Do NOT decodeURIComponent here. The pathname is already decoded at\n    // the request entry point. Decoding again would produce incorrect param values.\n    return { [paramName]: restValue };\n  }\n\n  // Simple segment-based matching for exact patterns and :param\n  const parts = pattern.split(\"/\");\n  const pathParts = pathname.split(\"/\");\n\n  if (parts.length !== pathParts.length) return null;\n\n  const params: Record<string, string> = Object.create(null);\n  for (let i = 0; i < parts.length; i++) {\n    if (parts[i].startsWith(\":\")) {\n      params[parts[i].slice(1)] = pathParts[i];\n    } else if (parts[i] !== pathParts[i]) {\n      return null;\n    }\n  }\n  return params;\n}\n\n/**\n * Apply redirect rules from next.config.js.\n * Returns the redirect info if a redirect was matched, or null.\n *\n * `ctx` provides the request context (cookies, headers, query, host) used\n * to evaluate has/missing conditions. Next.js always has request context\n * when evaluating redirects, so this parameter is required.\n *\n * ## Performance\n *\n * Rules with a locale-capture-group prefix (the dominant pattern in large\n * Next.js apps — e.g. `/:locale(en|es|fr|...)?/some-path`) are handled via\n * a pre-built index. Instead of running exec() on each locale regex\n * individually, we:\n *\n *   1. Strip the optional locale prefix from the pathname with one cheap\n *      string-slice check (no regex exec on the hot path).\n *   2. Look up the stripped suffix in a Map<suffix, entry[]>.\n *   3. For each matching entry, validate the captured locale string against\n *      a small, anchored alternation regex.\n *\n * This reduces the per-request cost from O(n × regex) to O(1) map lookup +\n * O(matches × tiny-regex), eliminating the ~2992ms self-time reported in\n * profiles for apps with 63+ locale-prefixed rules.\n *\n * Rules that don't fit the locale-static pattern fall back to the original\n * linear matchConfigPattern scan.\n *\n * ## Ordering invariant\n *\n * First match wins, preserving the original redirect array order. When a\n * locale-static fast-path match is found at position N, all linear rules with\n * an original index < N are checked via matchConfigPattern first — they are\n * few in practice (typically zero) so this is not a hot-path concern.\n */\nexport function matchRedirect(\n  pathname: string,\n  redirects: NextRedirect[],\n  ctx: RequestContext,\n  basePathState: BasePathMatchState = _BASEPATH_DEFAULT,\n): { destination: string; permanent: boolean } | null {\n  if (redirects.length === 0) return null;\n\n  // Strip trailing slash so the locale-static fast path (Map.get on the\n  // pathname) matches keys derived from slash-free source patterns. The\n  // linear fallback also passes through `matchConfigPattern` which strips\n  // again, but normalizing once here keeps both paths consistent.\n  pathname = stripTrailingSlashForConfigMatch(pathname);\n\n  const index = _getRedirectIndex(redirects);\n\n  // --- Locate the best locale-static candidate ---\n  //\n  // We look for the locale-static entry with the LOWEST originalIndex that\n  // matches this pathname (and passes has/missing conditions).\n  //\n  // Strategy: try both the full pathname (locale omitted, e.g. \"/security\")\n  // and the pathname with the first segment stripped (locale present, e.g.\n  // \"/en/security\" → suffix \"/security\", locale \"en\").\n  //\n  // We do NOT use a regex here — just a single indexOf('/') to locate the\n  // second slash, which is O(n) on the path length but far cheaper than\n  // running 63 compiled regexes.\n\n  let localeMatch: { destination: string; permanent: boolean } | null = null;\n  let localeMatchIndex = Infinity;\n\n  if (index.localeStatic.size > 0) {\n    // Case 1: no locale prefix — pathname IS the suffix.\n    // Only valid for entries whose source had `?` after the alternation\n    // (the locale segment was optional). Mandatory-locale entries — emitted\n    // by `applyLocaleToRoutes` as `/:nextInternalLocale(en|fr)/foo` — must\n    // not match here because they require the locale segment to be present.\n    const noLocaleBucket = index.localeStatic.get(pathname);\n    if (noLocaleBucket) {\n      for (const entry of noLocaleBucket) {\n        if (!entry.optional) continue; // mandatory-locale rule — skip\n        if (entry.originalIndex >= localeMatchIndex) continue; // already have a better match\n        const redirect = entry.redirect;\n        if (!shouldEvaluateRule(redirect.basePath, basePathState)) continue;\n        const conditionParams =\n          redirect.has || redirect.missing\n            ? collectConditionParams(redirect.has, redirect.missing, ctx)\n            : _emptyParams();\n        if (!conditionParams) continue;\n        // Locale was omitted (the `?` made it optional) — param value is \"\".\n        const dest = substituteAndSanitizeDestination(redirect.destination, {\n          [entry.paramName]: \"\",\n          ...conditionParams,\n        });\n        localeMatch = { destination: dest, permanent: redirect.permanent };\n        localeMatchIndex = entry.originalIndex;\n        break; // bucket entries are in insertion order = original order\n      }\n    }\n\n    // Case 2: locale prefix present — first path segment is the locale.\n    // Find the second slash: pathname = \"/locale/rest/of/path\"\n    //                                         ^--- slashTwo\n    const slashTwo = pathname.indexOf(\"/\", 1);\n    if (slashTwo !== -1) {\n      const suffix = pathname.slice(slashTwo); // e.g. \"/security\"\n      const localePart = pathname.slice(1, slashTwo); // e.g. \"en\"\n      const localeBucket = index.localeStatic.get(suffix);\n      if (localeBucket) {\n        for (const entry of localeBucket) {\n          if (entry.originalIndex >= localeMatchIndex) continue;\n          // Validate that `localePart` is one of the allowed alternation values.\n          if (!entry.altRe.test(localePart)) continue;\n          const redirect = entry.redirect;\n          if (!shouldEvaluateRule(redirect.basePath, basePathState)) continue;\n          const conditionParams =\n            redirect.has || redirect.missing\n              ? collectConditionParams(redirect.has, redirect.missing, ctx)\n              : _emptyParams();\n          if (!conditionParams) continue;\n          const dest = substituteAndSanitizeDestination(redirect.destination, {\n            [entry.paramName]: localePart,\n            ...conditionParams,\n          });\n          localeMatch = { destination: dest, permanent: redirect.permanent };\n          localeMatchIndex = entry.originalIndex;\n          break; // bucket entries are in insertion order = original order\n        }\n      }\n    }\n  }\n\n  // --- Linear fallback: all non-locale-static rules ---\n  //\n  // We only need to check linear rules whose originalIndex < localeMatchIndex.\n  // If localeMatchIndex is Infinity (no locale match), we check all of them.\n  for (const [origIdx, redirect] of index.linear) {\n    if (origIdx >= localeMatchIndex) {\n      // This linear rule comes after the best locale-static match —\n      // the locale-static match wins. Stop scanning.\n      break;\n    }\n    if (!shouldEvaluateRule(redirect.basePath, basePathState)) continue;\n    const params = matchConfigPattern(pathname, redirect.source);\n    if (params) {\n      const conditionParams =\n        redirect.has || redirect.missing\n          ? collectConditionParams(redirect.has, redirect.missing, ctx)\n          : _emptyParams();\n      if (!conditionParams) continue;\n      // Collapse protocol-relative URLs (e.g. //evil.com from decoded %2F in catch-all params).\n      const dest = substituteAndSanitizeDestination(redirect.destination, {\n        ...params,\n        ...conditionParams,\n      });\n      return { destination: dest, permanent: redirect.permanent };\n    }\n  }\n\n  // Return the locale-static match if found (no earlier linear rule matched).\n  return localeMatch;\n}\n\n/**\n * Apply rewrite rules from next.config.js.\n * Returns the rewritten URL or null if no rewrite matched.\n *\n * `ctx` provides the request context (cookies, headers, query, host) used\n * to evaluate has/missing conditions. Next.js always has request context\n * when evaluating rewrites, so this parameter is required.\n */\nexport function matchRewrite(\n  pathname: string,\n  rewrites: NextRewrite[],\n  ctx: RequestContext,\n  basePathState: BasePathMatchState = _BASEPATH_DEFAULT,\n): string | null {\n  for (const rewrite of rewrites) {\n    if (!shouldEvaluateRule(rewrite.basePath, basePathState)) continue;\n    const params = matchConfigPattern(pathname, rewrite.source);\n    if (params) {\n      const conditionParams =\n        rewrite.has || rewrite.missing\n          ? collectConditionParams(rewrite.has, rewrite.missing, ctx)\n          : _emptyParams();\n      if (!conditionParams) continue;\n      // Collapse protocol-relative URLs (e.g. //evil.com from decoded %2F in catch-all params).\n      return substituteAndSanitizeDestination(rewrite.destination, {\n        ...params,\n        ...conditionParams,\n      });\n    }\n  }\n  return null;\n}\n\n/**\n * Substitute all matched route params into a redirect/rewrite destination.\n *\n * Handles repeated params (e.g. `/api/:id/:id`) and catch-all suffix forms\n * (`:path*`, `:path+`) in a single pass. Unknown params are left intact.\n */\nfunction substituteDestinationParams(destination: string, params: Record<string, string>): string {\n  const keys = Object.keys(params);\n  if (keys.length === 0) return destination;\n\n  // Match only the concrete param keys captured from the source pattern.\n  // Sorting longest-first ensures hyphenated names like `auth-method`\n  // win over shorter prefixes like `auth`. The negative lookahead keeps\n  // alphanumeric/underscore suffixes attached, while allowing `-` to act\n  // as a literal delimiter in destinations like `:year-:month`.\n  const sortedKeys = [...keys].sort((a, b) => b.length - a.length);\n  const cacheKey = sortedKeys.join(\"\\0\");\n  let paramRe = _compiledDestinationParamCache.get(cacheKey);\n  if (!paramRe) {\n    const paramAlternation = sortedKeys\n      .map((key) => key.replace(/[.*+?^${}()|[\\]\\\\]/g, \"\\\\$&\"))\n      .join(\"|\");\n    paramRe = new RegExp(`:(${paramAlternation})([+*])?(?![A-Za-z0-9_])`, \"g\");\n    _compiledDestinationParamCache.set(cacheKey, paramRe);\n  }\n\n  return destination.replace(paramRe, (_token, key: string) => params[key]);\n}\n\n/**\n * Substitute params into a redirect/rewrite destination and sanitize the\n * result. Used by every redirect/rewrite branch — the substitution can\n * introduce protocol-relative URLs (e.g. `//evil.com` from a decoded `%2F`\n * in a catch-all param), which sanitizeDestination collapses.\n */\nfunction substituteAndSanitizeDestination(\n  destination: string,\n  params: Record<string, string>,\n): string {\n  return sanitizeDestination(substituteDestinationParams(destination, params));\n}\n\n/**\n * Sanitize a redirect/rewrite destination to collapse protocol-relative URLs.\n *\n * After parameter substitution, a destination like `/:path*` can become\n * `//evil.com` if the catch-all captured a decoded `%2F` (`/evil.com`).\n * Browsers interpret `//evil.com` as a protocol-relative URL, redirecting\n * users off-site.\n *\n * This function collapses any leading double (or more) slashes to a single\n * slash for non-external (relative) destinations.\n */\nexport function sanitizeDestination(dest: string): string {\n  // External URLs (http://, https://) are intentional — don't touch them\n  if (dest.startsWith(\"http://\") || dest.startsWith(\"https://\")) {\n    return dest;\n  }\n  // Normalize leading backslashes to forward slashes. Browsers interpret\n  // backslash as forward slash in URL contexts, so \"\\/evil.com\" becomes\n  // \"//evil.com\" (protocol-relative redirect). Replace any mix of leading\n  // slashes and backslashes with a single forward slash.\n  dest = dest.replace(/^[\\\\/]+/, \"/\");\n  return dest;\n}\n\n/**\n * Check if a URL is external (absolute URL or protocol-relative).\n * Detects any URL scheme (http:, https:, data:, javascript:, blob:, etc.)\n * per RFC 3986, plus protocol-relative URLs (//).\n */\nexport function isExternalUrl(url: string): boolean {\n  return /^[a-z][a-z0-9+.-]*:/i.test(url) || url.startsWith(\"//\");\n}\n\n/**\n * Proxy an incoming request to an external URL and return the upstream response.\n *\n * Used for external rewrites (e.g. `/ph/:path*` → `https://us.i.posthog.com/:path*`).\n * Next.js handles these as server-side reverse proxies, forwarding the request\n * method, headers, and body to the external destination.\n *\n * Works in all runtimes (Node.js, Cloudflare Workers) via the standard fetch() API.\n */\nexport async function proxyExternalRequest(\n  request: Request,\n  externalUrl: string,\n): Promise<Response> {\n  // Build the full external URL, preserving query parameters from the original request\n  const originalUrl = new URL(request.url);\n  const targetUrl = new URL(externalUrl);\n  const destinationKeys = new Set(targetUrl.searchParams.keys());\n\n  // If the rewrite destination already has query params, merge them.\n  // Destination params take precedence — original request params are only added\n  // when the destination doesn't already specify that key.\n  for (const [key, value] of originalUrl.searchParams) {\n    if (!destinationKeys.has(key)) {\n      targetUrl.searchParams.append(key, value);\n    }\n  }\n\n  // Forward the request with appropriate headers\n  const headers = new Headers(request.headers);\n  // Set Host to the external target (required for correct routing)\n  headers.set(\"host\", targetUrl.host);\n  // Remove headers that should not be forwarded to external services.\n  // fetch() handles framing independently, so hop-by-hop transport headers\n  // from the client must not be forwarded upstream. In particular,\n  // transfer-encoding could cause request boundary disagreement between the\n  // proxy and backend (defense-in-depth against request smuggling,\n  // ref: CVE GHSA-ggv3-7p47-pfv8).\n  stripHopByHopRequestHeaders(headers);\n  const keysToDelete: string[] = [];\n  for (const key of headers.keys()) {\n    if (key.startsWith(MIDDLEWARE_HEADER_PREFIX)) {\n      keysToDelete.push(key);\n    }\n  }\n  for (const key of keysToDelete) {\n    headers.delete(key);\n  }\n  // Internal prerender authentication header must never be forwarded to\n  // external rewrite destinations. It authorizes hidden production endpoints\n  // used only by vinext's own prerender pipeline.\n  headers.delete(VINEXT_PRERENDER_SECRET_HEADER);\n  // Internal App Router dev middleware context must never leave the dev server.\n  headers.delete(VINEXT_MW_CTX_HEADER);\n\n  const method = request.method;\n  const hasBody = method !== \"GET\" && method !== \"HEAD\";\n\n  const init: RequestInit & { duplex?: string } = {\n    method,\n    headers,\n    redirect: \"manual\", // Don't follow redirects — pass them through to the client\n  };\n\n  if (hasBody && request.body) {\n    init.body = request.body;\n    init.duplex = \"half\";\n  }\n\n  // Enforce a timeout so slow/unresponsive upstreams don't hold connections\n  // open indefinitely (DoS amplification risk on Node.js dev/prod servers).\n  const controller = new AbortController();\n  const timeout = setTimeout(() => controller.abort(), 30_000);\n  let upstreamResponse: Response;\n  try {\n    upstreamResponse = await fetch(targetUrl.href, { ...init, signal: controller.signal });\n  } catch (e) {\n    if (e instanceof Error && e.name === \"AbortError\") {\n      console.error(\"[vinext] External rewrite proxy timeout:\", targetUrl.href);\n      return new Response(\"Gateway Timeout\", { status: 504 });\n    }\n    console.error(\"[vinext] External rewrite proxy error:\", e);\n    return new Response(\"Bad Gateway\", { status: 502 });\n  } finally {\n    clearTimeout(timeout);\n  }\n\n  // Build the response to return to the client.\n  // Copy all upstream headers except hop-by-hop headers.\n  // Node.js fetch() auto-decompresses responses (gzip, br, etc.), so the body\n  // we receive is already plain text. Forwarding the original content-encoding\n  // and content-length headers causes the browser to attempt a second\n  // decompression on the already-decoded body, resulting in\n  // ERR_CONTENT_DECODING_FAILED. Strip both headers on Node.js only.\n  // On Workers, fetch() preserves wire encoding, so the headers stay accurate.\n  const isNodeRuntime = typeof process !== \"undefined\" && !!process.versions?.node;\n  const responseHeaders = new Headers();\n  upstreamResponse.headers.forEach((value, key) => {\n    const lower = key.toLowerCase();\n    if (HOP_BY_HOP_HEADERS.has(lower)) return;\n    if (isNodeRuntime && (lower === \"content-encoding\" || lower === \"content-length\")) return;\n    responseHeaders.append(key, value);\n  });\n\n  return new Response(upstreamResponse.body, {\n    status: upstreamResponse.status,\n    statusText: upstreamResponse.statusText,\n    headers: responseHeaders,\n  });\n}\n\n/**\n * Apply custom header rules from next.config.js.\n * Returns an array of { key, value } pairs to set on the response.\n *\n * `ctx` provides the request context (cookies, headers, query, host) used\n * to evaluate has/missing conditions. Next.js always has request context\n * when evaluating headers, so this parameter is required.\n */\nexport function matchHeaders(\n  pathname: string,\n  headers: NextHeader[],\n  ctx: RequestContext,\n  basePathState: BasePathMatchState = _BASEPATH_DEFAULT,\n): Array<{ key: string; value: string }> {\n  // Header source regexes are compiled without a trailing-slash tolerance,\n  // so the incoming pathname must be normalized the same way config rewrites\n  // and redirects are. See `stripTrailingSlashForConfigMatch`.\n  pathname = stripTrailingSlashForConfigMatch(pathname);\n\n  const result: Array<{ key: string; value: string }> = [];\n  for (const rule of headers) {\n    if (!shouldEvaluateRule(rule.basePath, basePathState)) continue;\n    // Cache the compiled source regex — escapeHeaderSource() + safeRegExp() are\n    // pure functions of rule.source and the result never changes between requests.\n    const sourceRegex = getCachedRegex(_compiledHeaderSourceCache, rule.source, () =>\n      safeRegExp(\"^\" + escapeHeaderSource(rule.source) + \"$\"),\n    );\n    if (sourceRegex && sourceRegex.test(pathname)) {\n      if (rule.has || rule.missing) {\n        if (!checkHasConditions(rule.has, rule.missing, ctx)) {\n          continue;\n        }\n      }\n      result.push(...rule.headers);\n    }\n  }\n  return result;\n}\n\n/**\n * Escape a string for inclusion in a regex character class / alternation.\n * Mirrors `escape-string-regexp` semantics used by Next.js's processRoutes.\n */\nfunction _escapeRegexString(value: string): string {\n  return value.replace(/[|\\\\{}()[\\]^$+*?.]/g, \"\\\\$&\");\n}\n\n/**\n * Apply Next.js i18n locale-prefix transformation to a set of redirect or\n * rewrite rules. Mirrors the relevant slice of Next.js's `processRoutes`\n * (load-custom-routes.ts) with one deliberate divergence noted below.\n *\n * For each rule:\n *   - If `locale === false` or no i18n is configured, the rule is emitted\n *     untouched. This is the core of issue #1336 item 1: with `locale: false`\n *     the user-supplied source is matched against the raw locale-prefixed\n *     URL so a `:locale` segment in the source captures the prefix itself.\n *   - Otherwise an internal locale-capture variant is produced whose source\n *     starts with `/:nextInternalLocale(en|sv|nl)` so that locale-prefixed\n *     URLs match. For redirects only, a second variant prefixed with\n *     `/${defaultLocale}` is also emitted, matching Next.js exactly.\n *   - **Vinext divergence**: we ALSO retain the original (unprefixed) source\n *     so that requests for the default locale that arrive without a prefix\n *     still match. Next.js solves this upstream by path-normalising every\n *     incoming default-locale request to include the prefix\n *     (`resolve-routes.ts` lines ~251-263); vinext currently does that\n *     normalisation only inside the pages-server-entry route matcher, so\n *     the rewrite/redirect matcher would otherwise miss unprefixed paths.\n *     Keeping the unprefixed variant gives functionally identical behaviour\n *     without requiring a server-wide path normalisation pass. The original\n *     source is appended LAST so the locale-aware variants win when both\n *     forms could match.\n *\n * Destinations that are local (start with `/`) are similarly rewritten with\n * `/:nextInternalLocale` for the locale-capture variant so the locale\n * survives the rewrite/redirect target.\n *\n * Mirrors the Next.js reference in\n * packages/next/src/lib/load-custom-routes.ts — see `processRoutes`.\n */\nexport function applyLocaleToRoutes<T extends NextRedirect | NextRewrite>(\n  routes: T[],\n  i18n: NextI18nConfig | null | undefined,\n  type: \"redirect\" | \"rewrite\",\n  options: { trailingSlash?: boolean } = {},\n): T[] {\n  if (!i18n || routes.length === 0) return routes;\n\n  const trailingSlash = options.trailingSlash ?? false;\n  const localesAlternation = i18n.locales.map(_escapeRegexString).join(\"|\");\n  const internalLocale = `/:nextInternalLocale(${localesAlternation})`;\n\n  // Mirrors Next.js: the root source `\"/\"` is collapsed to `\"\"` only when\n  // `trailingSlash` is unset. With `trailingSlash: true` the source is\n  // preserved so the emitted variant is `/:nextInternalLocale(en|fr)/`\n  // rather than `/:nextInternalLocale(en|fr)`.\n  const suffixFor = (source: string): string => (source === \"/\" && !trailingSlash ? \"\" : source);\n\n  // For redirects, Next.js emits a per-default-locale literal variant\n  // (so that `/${defaultLocale}/old` redirects to the unprefixed destination\n  // and the default locale is implicitly stripped). For rewrites Next.js\n  // emits only the `:nextInternalLocale` form. We mirror that distinction.\n  //\n  // The list is a single-element array today; domain-locale support (which\n  // Next.js wires up alongside `i18n.domains`) will append each domain's\n  // `defaultLocale` here once vinext mirrors that branch — tracked as part\n  // of #1336's follow-ups.\n  const defaultLocales: string[] = type === \"redirect\" ? [i18n.defaultLocale] : [];\n\n  const out: T[] = [];\n  for (const r of routes) {\n    if (r.locale === false) {\n      out.push(r);\n      continue;\n    }\n\n    // Destinations may be absolute URLs (external) — Next.js skips the\n    // locale-prefix injection on external destinations.\n    const isExternal = !!r.destination && !r.destination.startsWith(\"/\");\n\n    // For each default locale, emit a literal `/${locale}/...` variant\n    // whose destination does NOT carry a locale prefix (Next.js parity).\n    if (!isExternal) {\n      for (const locale of defaultLocales) {\n        const localizedSource = `/${locale}${suffixFor(r.source)}`;\n        out.push({\n          ...r,\n          source: localizedSource,\n        });\n      }\n    }\n\n    // Emit the `:nextInternalLocale` variant that matches all locales.\n    const internalSource = `${internalLocale}${suffixFor(r.source)}`;\n    let internalDestination = r.destination;\n    if (internalDestination && internalDestination.startsWith(\"/\") && !isExternal) {\n      internalDestination = `/:nextInternalLocale${\n        internalDestination === \"/\" && !trailingSlash ? \"\" : internalDestination\n      }`;\n    }\n    out.push({\n      ...r,\n      source: internalSource,\n      destination: internalDestination,\n    });\n\n    // Retain the original unprefixed source as a fallback so default-locale\n    // requests that arrive without a prefix (e.g. `/old`) still match.\n    // See the docblock above for why this differs from upstream Next.js.\n    out.push(r);\n  }\n  return out;\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAkCA,MAAM,wCAAwB,IAAI,KAA0D;;;;;;;;;;;;AAa5F,MAAM,6CAA6B,IAAI,KAA4B;;;;;;;;;;;;;AAcnE,MAAM,0CAA0B,IAAI,KAA4B;;;;;;;;AAShE,MAAM,iDAAiC,IAAI,KAAqB;;;;;;;;;;;;AAahE,SAAS,eAAqB,OAAyB,KAAQ,SAAmC;CAChG,IAAI,QAAQ,MAAM,IAAI,IAAI;CAC1B,IAAI,UAAU,KAAA,GAAW;EACvB,QAAQ,SAAS;EACjB,MAAM,IAAI,KAAK,MAAM;;CAEvB,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+CT,MAAM,oBAAoB;AAyB1B,MAAM,sCAAsB,IAAI,SAAwC;;;;;;;;AASxE,SAAS,kBAAkB,WAA0C;CACnE,IAAI,QAAQ,oBAAoB,IAAI,UAAU;CAC9C,IAAI,UAAU,KAAA,GAAW,OAAO;CAEhC,MAAM,+BAAe,IAAI,KAAkC;CAC3D,MAAM,SAAwC,EAAE;CAEhD,KAAK,IAAI,IAAI,GAAG,IAAI,UAAU,QAAQ,KAAK;EACzC,MAAM,WAAW,UAAU;EAC3B,MAAM,IAAI,kBAAkB,KAAK,SAAS,OAAO;EACjD,IAAI,GAAG;GACL,MAAM,YAAY,SAAS,OAAO,MAAM,GAAG,SAAS,OAAO,QAAQ,IAAI,CAAC;GACxE,MAAM,cAAc,EAAE;GACtB,MAAM,WAAW,EAAE,OAAO;GAC1B,MAAM,SAAS,MAAM,EAAE;GAKvB,MAAM,QAAQ,WAAW,SAAS,cAAc,KAAK;GACrD,IAAI,CAAC,OAAO;IAEV,OAAO,KAAK,CAAC,GAAG,SAAS,CAAC;IAC1B;;GAEF,MAAM,QAA2B;IAC/B;IACA;IACA;IACA;IACA,eAAe;IAChB;GACD,MAAM,SAAS,aAAa,IAAI,OAAO;GACvC,IAAI,QACF,OAAO,KAAK,MAAM;QAElB,aAAa,IAAI,QAAQ,CAAC,MAAM,CAAC;SAGnC,OAAO,KAAK,CAAC,GAAG,SAAS,CAAC;;CAI9B,QAAQ;EAAE;EAAc;EAAQ;CAChC,oBAAoB,IAAI,WAAW,MAAM;CACzC,OAAO;;;AAIT,MAAM,qBAAqB,IAAI,IAAI;CACjC;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACD,CAAC;;;;;;;AAQF,MAAM,6BAA6B,IAAI,IAAI;CACzC;CACA;CACA;CACA;CACA;CACA;CACD,CAAC;AAEF,SAAS,4BAA4B,SAAwB;CAC3D,MAAM,oBAAoB,QAAQ,IAAI,aAAa,IAAI,IACpD,MAAM,IAAI,CACV,KAAK,UAAU,MAAM,MAAM,CAAC,aAAa,CAAC,CAC1C,OAAO,QAAQ;CAElB,KAAK,MAAM,UAAU,4BACnB,QAAQ,OAAO,OAAO;CAGxB,KAAK,MAAM,SAAS,kBAClB,QAAQ,OAAO,MAAM;;;;;;;;;;;;AAczB,SAAgB,YAAY,SAA0B;CAGpD,MAAM,oBAA+B,EAAE;CACvC,IAAI,QAAQ;CACZ,IAAI,IAAI;CAER,OAAO,IAAI,QAAQ,QAAQ;EACzB,MAAM,KAAK,QAAQ;EAGnB,IAAI,OAAO,MAAM;GACf,KAAK;GACL;;EAIF,IAAI,OAAO,KAAK;GACd;GACA,OAAO,IAAI,QAAQ,UAAU,QAAQ,OAAO,KAAK;IAC/C,IAAI,QAAQ,OAAO,MAAM;IACzB;;GAEF;GACA;;EAGF,IAAI,OAAO,KAAK;GACd;GAEA,IAAI,kBAAkB,UAAU,OAC9B,kBAAkB,KAAK,MAAM;QAE7B,kBAAkB,SAAS;GAE7B;GACA;;EAGF,IAAI,OAAO,KAAK;GACd,MAAM,gBAAgB,QAAQ,KAAK,kBAAkB;GACrD,IAAI,QAAQ,GAAG;GAMf,MAAM,OAAO,QAAQ,IAAI;GACzB,IAAI,SAAS,OAAO,SAAS,OAAO,SAAS,KAAK;IAChD,IAAI,eAEF,OAAO;IAGT,IAAI,SAAS,KAAK,QAAQ,kBAAkB,QAC1C,kBAAkB,SAAS;;GAG/B;GACA;;EAMF,IAAI,OAAO,OAAO,OAAO,KAAK;GAC5B,IAAI,QAAQ,GACV,kBAAkB,SAAS;GAE7B;GACA;;EAGF,IAAI,OAAO,KAAK;GAEd,MAAM,OAAO,IAAI,IAAI,QAAQ,IAAI,KAAK;GACtC,IAAI,SAAS,OAAO,SAAS,OAAO,SAAS,OAAO,SAAS;QACvD,QAAQ,GACV,kBAAkB,SAAS;;GAG/B;GACA;;EAGF,IAAI,OAAO,KAAK;GAEd,IAAI,IAAI,IAAI;GACZ,OAAO,IAAI,QAAQ,UAAU,QAAQ,KAAK,QAAQ,GAAG,EAAE;GACvD,IAAI,IAAI,QAAQ,UAAU,QAAQ,OAAO,OAAO,IAAI,IAAI,GAAG;IACzD,IAAI,QAAQ,GACV,kBAAkB,SAAS;IAE7B,IAAI,IAAI;IACR;;;EAIJ;;CAGF,OAAO;;;;;;;;AAST,SAAgB,WAAW,SAAiB,OAA+B;CACzE,IAAI,CAAC,YAAY,QAAQ,EAAE;EACzB,QAAQ,KACN,oEAAoE,QAAQ,4IAG7E;EACD,OAAO;;CAET,IAAI;EACF,OAAO,IAAI,OAAO,SAAS,MAAM;SAC3B;EACN,OAAO;;;;;;;;;;AAWX,SAAgB,mBAAmB,QAAwB;CAGzD,MAAM,IAAI;CAGV,MAAM,SAAmB,EAAE;CAC3B,MAAM,mBAAmB,OAAO,QAAQ,iBAAiB,IAAI,UAAU;EACrE,OAAO,KAAK,MAAM;EAClB,OAAO,GAAG,EAAE,GAAG,OAAO,SAAS,IAAI;GACnC;CAUF,IAAI,SAAS;CACb,MAAM,KAAK,IAAI,OACb,GAAG,EAAE,SAAS,EAAE,oCAChB,IACD;CACD,IAAI;CACJ,QAAQ,IAAI,GAAG,KAAK,iBAAiB,MAAM,MACzC,IAAI,EAAE,OAAO,KAAA,GAEX,UAAU,IAAI,OAAO,OAAO,EAAE,GAAG,EAAE;MAC9B,IAAI,EAAE,GAAG,WAAW,IAAI,EAAE;EAG/B,MAAM,kBADa,iBAAiB,MAAM,GAAG,UACX,CAAC,MAAM,IAAI,OAAO,IAAI,EAAE,SAAS,IAAI,CAAC;EACxE,IAAI,iBAAiB;GAEnB,GAAG,aAAa,gBAAgB,GAAG;GACnC,UAAU,IAAI,OAAO,OAAO,gBAAgB,GAAG,EAAE;SAGjD,UAAU;QAGZ,QAAQ,EAAE,IAAV;EACE,KAAK;GACH,UAAU;GACV;EACF,KAAK;GACH,UAAU;GACV;EACF,KAAK;GACH,UAAU;GACV;EACF,KAAK;GACH,UAAU;GACV;EACF;GACE,UAAU,EAAE;GACZ;;CAKR,OAAO;;AAsCT,MAAM,oBAAwC;CAAE,UAAU;CAAI,aAAa;CAAM;;;;;;;;;;;;;AAcjF,SAAS,mBAAmB,cAAiC,OAAoC;CAC/F,IAAI,CAAC,MAAM,UAAU,OAAO;CAC5B,OAAO,iBAAiB,QAAQ,CAAC,MAAM,cAAc,MAAM;;;;;AAM7D,SAAgB,aAAa,cAAqD;CAChF,IAAI,CAAC,cAAc,OAAO,EAAE;CAC5B,MAAM,UAAkC,EAAE;CAC1C,KAAK,MAAM,QAAQ,aAAa,MAAM,IAAI,EAAE;EAC1C,MAAM,KAAK,KAAK,QAAQ,IAAI;EAC5B,IAAI,OAAO,IAAI;EACf,MAAM,MAAM,KAAK,MAAM,GAAG,GAAG,CAAC,MAAM;EACpC,MAAM,QAAQ,KAAK,MAAM,KAAK,EAAE,CAAC,MAAM;EACvC,IAAI,KAAK,QAAQ,OAAO;;CAE1B,OAAO;;;;;AAMT,SAAgB,0BAA0B,SAAkC;CAC1E,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;CAChC,OAAO;EACL,SAAS,QAAQ;EACjB,SAAS,aAAa,QAAQ,QAAQ,IAAI,SAAS,CAAC;EACpD,OAAO,IAAI;EACX,MAAM,cAAc,QAAQ,QAAQ,IAAI,OAAO,EAAE,IAAI,SAAS;EAC/D;;AAGH,SAAgB,cAAc,YAA2B,kBAAkC;CAEzF,QADa,cAAc,kBACf,MAAM,KAAK,EAAE,CAAC,GAAG,aAAa;;;;;;;;;;;;;;;;;;;AAoB5C,SAAgB,8BACd,mBACA,SACA,UAAmD,EAAE,EACD;CACpD,MAAM,cAAc,0CAClB,QAAQ,SACR,mBACA,QACD;CAED,KAAK,MAAM,OAAO,OAAO,KAAK,kBAAkB,EAC9C,IAAI,IAAI,WAAA,gBAAoC,EAC1C,OAAO,kBAAkB;CAI7B,IAAI,aAEF,UAAU,IAAI,QAAQ,QAAQ,KAAK;EACjC,QAAQ,QAAQ;EAChB,SAAS;EACT,MAAM,QAAQ;EAEd,QAAQ,QAAQ,OAAO,SAAS,KAAA;EACjC,CAAC;CAGJ,OAAO;EAAE;EAAS,cAAc,0BAA0B,QAAQ;EAAE;;AAGtE,SAAS,eAAuC;CAC9C,OAAO,OAAO,OAAO,KAAK;;AAG5B,SAAS,qBACP,aACA,eAC+B;CAC/B,IAAI,kBAAkB,KAAA,GAAW,OAAO,cAAc;CAEtD,MAAM,KAAK,sBAAsB,cAAc;CAC/C,IAAI,IAAI;EACN,MAAM,QAAQ,GAAG,KAAK,YAAY;EAClC,IAAI,CAAC,OAAO,OAAO;EAEnB,MAAM,SAAS,cAAc;EAC7B,IAAI,MAAM;QACH,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,OAAO,EACrD,IAAI,UAAU,KAAA,GAAW,OAAO,OAAO;;EAG3C,OAAO;;CAGT,OAAO,gBAAgB,gBAAgB,cAAc,GAAG;;;;;;AAO1D,SAAS,qBACP,WACA,KAC+B;CAC/B,QAAQ,UAAU,MAAlB;EACE,KAAK,UAAU;GACb,MAAM,cAAc,IAAI,QAAQ,IAAI,UAAU,IAAI;GAClD,IAAI,gBAAgB,MAAM,OAAO;GACjC,OAAO,qBAAqB,aAAa,UAAU,MAAM;;EAE3D,KAAK,UAAU;GACb,MAAM,cAAc,IAAI,QAAQ,UAAU;GAC1C,IAAI,gBAAgB,KAAA,GAAW,OAAO;GACtC,OAAO,qBAAqB,aAAa,UAAU,MAAM;;EAE3D,KAAK,SAAS;GACZ,MAAM,aAAa,IAAI,MAAM,IAAI,UAAU,IAAI;GAC/C,IAAI,eAAe,MAAM,OAAO;GAChC,OAAO,qBAAqB,YAAY,UAAU,MAAM;;EAE1D,KAAK;GACH,IAAI,UAAU,UAAU,KAAA,GAAW,OAAO,qBAAqB,IAAI,MAAM,UAAU,MAAM;GACzF,OAAO,IAAI,SAAS,UAAU,MAAM,cAAc,GAAG;EAEvD,SACE,OAAO;;;;;;;;AASb,SAAS,sBAAsB,OAA8B;CAC3D,OAAO,eAAe,yBAAyB,aAI7C,WAAW,IAAI,MAAM,GAAG,CACzB;;;;;;;;;AAUH,SAAS,uBACP,KACA,SACA,KAC+B;CAC/B,MAAM,SAAS,cAAc;CAE7B,IAAI,KACF,KAAK,MAAM,aAAa,KAAK;EAC3B,MAAM,kBAAkB,qBAAqB,WAAW,IAAI;EAC5D,IAAI,CAAC,iBAAiB,OAAO;EAC7B,OAAO,OAAO,QAAQ,gBAAgB;;CAI1C,IAAI;OACG,MAAM,aAAa,SACtB,IAAI,qBAAqB,WAAW,IAAI,EAAE,OAAO;;CAIrD,OAAO;;AAGT,SAAgB,mBACd,KACA,SACA,KACS;CACT,OAAO,uBAAuB,KAAK,SAAS,IAAI,KAAK;;;;;;;AAQvD,SAAS,kBAAkB,KAAa,IAA2B;CACjE,IAAI,IAAI,GAAG,eAAe,KAAK,OAAO;CACtC,MAAM,QAAQ,GAAG,YAAY;CAC7B,IAAI,QAAQ;CACZ,IAAI,IAAI;CACR,OAAO,IAAI,IAAI,UAAU,QAAQ,GAAG;EAClC,IAAI,IAAI,OAAO,KAAK;OACf,IAAI,IAAI,OAAO,KAAK;EACzB;;CAEF,IAAI,UAAU,GAAG,OAAO;CACxB,GAAG,YAAY;CACf,OAAO,IAAI,MAAM,OAAO,IAAI,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+BhC,SAAS,iCAAiC,UAA0B;CAClE,OAAO,SAAS,SAAS,KAAK,SAAS,SAAS,IAAI,GAAG,SAAS,MAAM,GAAG,GAAG,GAAG;;AAGjF,SAAgB,mBACd,UACA,SAC+B;CAK/B,WAAW,iCAAiC,SAAS;CAmBrD,MAAM,iBAAiB,cAAc,KAAK,QAAQ;CAClD,MAAM,mBAAmB,QAAQ,MAAM,WAAW,IAAI,EAAE,EAAE;CAC1D,IACE,QAAQ,SAAS,IAAI,IACrB,QAAQ,SAAS,KAAK,IACtB,kBAAkB,KAAK,QAAQ,IAC/B,YAAY,KAAK,QAAQ,IACxB,kBAAkB,kBAAkB,GAErC,IAAI;EAKF,MAAM,WAAW,eAAe,uBAAuB,eAAe;GAGpE,MAAM,aAAuB,EAAE;GAK/B,IAAI,WAAW;GACf,MAAM,UAAU;GAChB,IAAI;GACJ,QAAQ,MAAM,QAAQ,KAAK,QAAQ,MAAM,MACvC,IAAI,IAAI,OAAO,KAAA,GAAW;IACxB,MAAM,OAAO,IAAI;IACjB,MAAM,OAAO,QAAQ,MAAM,QAAQ,UAAU;IAE7C,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,EAAE;KAChD,MAAM,aAAa,KAAK;KACxB,QAAQ,aAAa;KACrB,MAAM,aAAa,kBAAkB,SAAS,QAAQ;KACtD,WAAW,KAAK,KAAK;KACrB,IAAI,eAAe,MACjB,YAAY,IAAI,WAAW;UAE3B,YAAY,eAAe,MAAM,SAAS;WAEvC;KAEL,MAAM,aAAa,kBAAkB,SAAS,QAAQ;KACtD,WAAW,KAAK,KAAK;KACrB,YAAY,eAAe,OAAO,IAAI,WAAW,KAAK;;UAEnD,IAAI,IAAI,OAAO,KACpB,YAAY;QAEZ,YAAY,IAAI;GAGpB,MAAM,KAAK,WAAW,MAAM,WAAW,IAAI;GAC3C,OAAO,KAAK;IAAE;IAAI;IAAY,GAAG;IACjC;EACF,IAAI,CAAC,UAAU,OAAO;EACtB,MAAM,QAAQ,SAAS,GAAG,KAAK,SAAS;EACxC,IAAI,CAAC,OAAO,OAAO;EACnB,MAAM,SAAiC,OAAO,OAAO,KAAK;EAC1D,KAAK,IAAI,IAAI,GAAG,IAAI,SAAS,WAAW,QAAQ,KAC9C,OAAO,SAAS,WAAW,MAAM,MAAM,IAAI,MAAM;EAEnD,OAAO;SACD;CAOV,MAAM,gBAAgB,QAAQ,MAAM,oBAAoB;CACxD,IAAI,eAAe;EACjB,MAAM,SAAS,QAAQ,MAAM,GAAG,QAAQ,YAAY,IAAI,CAAC;EACzD,MAAM,YAAY,cAAc;EAChC,MAAM,SAAS,cAAc,OAAO;EAEpC,MAAM,gBAAgB,OAAO,QAAQ,OAAO,GAAG;EAC/C,IAAI,CAAC,SAAS,WAAW,cAAc,EAAE,OAAO;EAChD,MAAM,YAAY,SAAS,cAAc;EACzC,IAAI,cAAc,KAAA,KAAa,cAAc,KAAK,OAAO;EAEzD,MAAM,OAAO,SAAS,MAAM,cAAc,OAAO;EACjD,IAAI,WAAW,CAAC,QAAQ,SAAS,MAAM,OAAO;EAC9C,IAAI,YAAY,KAAK,WAAW,IAAI,GAAG,KAAK,MAAM,EAAE,GAAG;EAGvD,OAAO,GAAG,YAAY,WAAW;;CAInC,MAAM,QAAQ,QAAQ,MAAM,IAAI;CAChC,MAAM,YAAY,SAAS,MAAM,IAAI;CAErC,IAAI,MAAM,WAAW,UAAU,QAAQ,OAAO;CAE9C,MAAM,SAAiC,OAAO,OAAO,KAAK;CAC1D,KAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,KAChC,IAAI,MAAM,GAAG,WAAW,IAAI,EAC1B,OAAO,MAAM,GAAG,MAAM,EAAE,IAAI,UAAU;MACjC,IAAI,MAAM,OAAO,UAAU,IAChC,OAAO;CAGX,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsCT,SAAgB,cACd,UACA,WACA,KACA,gBAAoC,mBACgB;CACpD,IAAI,UAAU,WAAW,GAAG,OAAO;CAMnC,WAAW,iCAAiC,SAAS;CAErD,MAAM,QAAQ,kBAAkB,UAAU;CAe1C,IAAI,cAAkE;CACtE,IAAI,mBAAmB;CAEvB,IAAI,MAAM,aAAa,OAAO,GAAG;EAM/B,MAAM,iBAAiB,MAAM,aAAa,IAAI,SAAS;EACvD,IAAI,gBACF,KAAK,MAAM,SAAS,gBAAgB;GAClC,IAAI,CAAC,MAAM,UAAU;GACrB,IAAI,MAAM,iBAAiB,kBAAkB;GAC7C,MAAM,WAAW,MAAM;GACvB,IAAI,CAAC,mBAAmB,SAAS,UAAU,cAAc,EAAE;GAC3D,MAAM,kBACJ,SAAS,OAAO,SAAS,UACrB,uBAAuB,SAAS,KAAK,SAAS,SAAS,IAAI,GAC3D,cAAc;GACpB,IAAI,CAAC,iBAAiB;GAMtB,cAAc;IAAE,aAJH,iCAAiC,SAAS,aAAa;MACjE,MAAM,YAAY;KACnB,GAAG;KACJ,CACgC;IAAE,WAAW,SAAS;IAAW;GAClE,mBAAmB,MAAM;GACzB;;EAOJ,MAAM,WAAW,SAAS,QAAQ,KAAK,EAAE;EACzC,IAAI,aAAa,IAAI;GACnB,MAAM,SAAS,SAAS,MAAM,SAAS;GACvC,MAAM,aAAa,SAAS,MAAM,GAAG,SAAS;GAC9C,MAAM,eAAe,MAAM,aAAa,IAAI,OAAO;GACnD,IAAI,cACF,KAAK,MAAM,SAAS,cAAc;IAChC,IAAI,MAAM,iBAAiB,kBAAkB;IAE7C,IAAI,CAAC,MAAM,MAAM,KAAK,WAAW,EAAE;IACnC,MAAM,WAAW,MAAM;IACvB,IAAI,CAAC,mBAAmB,SAAS,UAAU,cAAc,EAAE;IAC3D,MAAM,kBACJ,SAAS,OAAO,SAAS,UACrB,uBAAuB,SAAS,KAAK,SAAS,SAAS,IAAI,GAC3D,cAAc;IACpB,IAAI,CAAC,iBAAiB;IAKtB,cAAc;KAAE,aAJH,iCAAiC,SAAS,aAAa;OACjE,MAAM,YAAY;MACnB,GAAG;MACJ,CACgC;KAAE,WAAW,SAAS;KAAW;IAClE,mBAAmB,MAAM;IACzB;;;;CAUR,KAAK,MAAM,CAAC,SAAS,aAAa,MAAM,QAAQ;EAC9C,IAAI,WAAW,kBAGb;EAEF,IAAI,CAAC,mBAAmB,SAAS,UAAU,cAAc,EAAE;EAC3D,MAAM,SAAS,mBAAmB,UAAU,SAAS,OAAO;EAC5D,IAAI,QAAQ;GACV,MAAM,kBACJ,SAAS,OAAO,SAAS,UACrB,uBAAuB,SAAS,KAAK,SAAS,SAAS,IAAI,GAC3D,cAAc;GACpB,IAAI,CAAC,iBAAiB;GAMtB,OAAO;IAAE,aAJI,iCAAiC,SAAS,aAAa;KAClE,GAAG;KACH,GAAG;KACJ,CACyB;IAAE,WAAW,SAAS;IAAW;;;CAK/D,OAAO;;;;;;;;;;AAWT,SAAgB,aACd,UACA,UACA,KACA,gBAAoC,mBACrB;CACf,KAAK,MAAM,WAAW,UAAU;EAC9B,IAAI,CAAC,mBAAmB,QAAQ,UAAU,cAAc,EAAE;EAC1D,MAAM,SAAS,mBAAmB,UAAU,QAAQ,OAAO;EAC3D,IAAI,QAAQ;GACV,MAAM,kBACJ,QAAQ,OAAO,QAAQ,UACnB,uBAAuB,QAAQ,KAAK,QAAQ,SAAS,IAAI,GACzD,cAAc;GACpB,IAAI,CAAC,iBAAiB;GAEtB,OAAO,iCAAiC,QAAQ,aAAa;IAC3D,GAAG;IACH,GAAG;IACJ,CAAC;;;CAGN,OAAO;;;;;;;;AAST,SAAS,4BAA4B,aAAqB,QAAwC;CAChG,MAAM,OAAO,OAAO,KAAK,OAAO;CAChC,IAAI,KAAK,WAAW,GAAG,OAAO;CAO9B,MAAM,aAAa,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,MAAM,EAAE,SAAS,EAAE,OAAO;CAChE,MAAM,WAAW,WAAW,KAAK,KAAK;CACtC,IAAI,UAAU,+BAA+B,IAAI,SAAS;CAC1D,IAAI,CAAC,SAAS;EACZ,MAAM,mBAAmB,WACtB,KAAK,QAAQ,IAAI,QAAQ,uBAAuB,OAAO,CAAC,CACxD,KAAK,IAAI;EACZ,UAAU,IAAI,OAAO,KAAK,iBAAiB,2BAA2B,IAAI;EAC1E,+BAA+B,IAAI,UAAU,QAAQ;;CAGvD,OAAO,YAAY,QAAQ,UAAU,QAAQ,QAAgB,OAAO,KAAK;;;;;;;;AAS3E,SAAS,iCACP,aACA,QACQ;CACR,OAAO,oBAAoB,4BAA4B,aAAa,OAAO,CAAC;;;;;;;;;;;;;AAc9E,SAAgB,oBAAoB,MAAsB;CAExD,IAAI,KAAK,WAAW,UAAU,IAAI,KAAK,WAAW,WAAW,EAC3D,OAAO;CAMT,OAAO,KAAK,QAAQ,WAAW,IAAI;CACnC,OAAO;;;;;;;AAQT,SAAgB,cAAc,KAAsB;CAClD,OAAO,uBAAuB,KAAK,IAAI,IAAI,IAAI,WAAW,KAAK;;;;;;;;;;;AAYjE,eAAsB,qBACpB,SACA,aACmB;CAEnB,MAAM,cAAc,IAAI,IAAI,QAAQ,IAAI;CACxC,MAAM,YAAY,IAAI,IAAI,YAAY;CACtC,MAAM,kBAAkB,IAAI,IAAI,UAAU,aAAa,MAAM,CAAC;CAK9D,KAAK,MAAM,CAAC,KAAK,UAAU,YAAY,cACrC,IAAI,CAAC,gBAAgB,IAAI,IAAI,EAC3B,UAAU,aAAa,OAAO,KAAK,MAAM;CAK7C,MAAM,UAAU,IAAI,QAAQ,QAAQ,QAAQ;CAE5C,QAAQ,IAAI,QAAQ,UAAU,KAAK;CAOnC,4BAA4B,QAAQ;CACpC,MAAM,eAAyB,EAAE;CACjC,KAAK,MAAM,OAAO,QAAQ,MAAM,EAC9B,IAAI,IAAI,WAAA,gBAAoC,EAC1C,aAAa,KAAK,IAAI;CAG1B,KAAK,MAAM,OAAO,cAChB,QAAQ,OAAO,IAAI;CAKrB,QAAQ,OAAO,+BAA+B;CAE9C,QAAQ,OAAO,qBAAqB;CAEpC,MAAM,SAAS,QAAQ;CACvB,MAAM,UAAU,WAAW,SAAS,WAAW;CAE/C,MAAM,OAA0C;EAC9C;EACA;EACA,UAAU;EACX;CAED,IAAI,WAAW,QAAQ,MAAM;EAC3B,KAAK,OAAO,QAAQ;EACpB,KAAK,SAAS;;CAKhB,MAAM,aAAa,IAAI,iBAAiB;CACxC,MAAM,UAAU,iBAAiB,WAAW,OAAO,EAAE,IAAO;CAC5D,IAAI;CACJ,IAAI;EACF,mBAAmB,MAAM,MAAM,UAAU,MAAM;GAAE,GAAG;GAAM,QAAQ,WAAW;GAAQ,CAAC;UAC/E,GAAG;EACV,IAAI,aAAa,SAAS,EAAE,SAAS,cAAc;GACjD,QAAQ,MAAM,4CAA4C,UAAU,KAAK;GACzE,OAAO,IAAI,SAAS,mBAAmB,EAAE,QAAQ,KAAK,CAAC;;EAEzD,QAAQ,MAAM,0CAA0C,EAAE;EAC1D,OAAO,IAAI,SAAS,eAAe,EAAE,QAAQ,KAAK,CAAC;WAC3C;EACR,aAAa,QAAQ;;CAWvB,MAAM,gBAAgB,OAAO,YAAY,eAAe,CAAC,CAAC,QAAQ,UAAU;CAC5E,MAAM,kBAAkB,IAAI,SAAS;CACrC,iBAAiB,QAAQ,SAAS,OAAO,QAAQ;EAC/C,MAAM,QAAQ,IAAI,aAAa;EAC/B,IAAI,mBAAmB,IAAI,MAAM,EAAE;EACnC,IAAI,kBAAkB,UAAU,sBAAsB,UAAU,mBAAmB;EACnF,gBAAgB,OAAO,KAAK,MAAM;GAClC;CAEF,OAAO,IAAI,SAAS,iBAAiB,MAAM;EACzC,QAAQ,iBAAiB;EACzB,YAAY,iBAAiB;EAC7B,SAAS;EACV,CAAC;;;;;;;;;;AAWJ,SAAgB,aACd,UACA,SACA,KACA,gBAAoC,mBACG;CAIvC,WAAW,iCAAiC,SAAS;CAErD,MAAM,SAAgD,EAAE;CACxD,KAAK,MAAM,QAAQ,SAAS;EAC1B,IAAI,CAAC,mBAAmB,KAAK,UAAU,cAAc,EAAE;EAGvD,MAAM,cAAc,eAAe,4BAA4B,KAAK,cAClE,WAAW,MAAM,mBAAmB,KAAK,OAAO,GAAG,IAAI,CACxD;EACD,IAAI,eAAe,YAAY,KAAK,SAAS,EAAE;GAC7C,IAAI,KAAK,OAAO,KAAK;QACf,CAAC,mBAAmB,KAAK,KAAK,KAAK,SAAS,IAAI,EAClD;;GAGJ,OAAO,KAAK,GAAG,KAAK,QAAQ;;;CAGhC,OAAO;;;;;;AAOT,SAAS,mBAAmB,OAAuB;CACjD,OAAO,MAAM,QAAQ,uBAAuB,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAoCrD,SAAgB,oBACd,QACA,MACA,MACA,UAAuC,EAAE,EACpC;CACL,IAAI,CAAC,QAAQ,OAAO,WAAW,GAAG,OAAO;CAEzC,MAAM,gBAAgB,QAAQ,iBAAiB;CAE/C,MAAM,iBAAiB,wBADI,KAAK,QAAQ,IAAI,mBAAmB,CAAC,KAAK,IACJ,CAAC;CAMlE,MAAM,aAAa,WAA4B,WAAW,OAAO,CAAC,gBAAgB,KAAK;CAWvF,MAAM,iBAA2B,SAAS,aAAa,CAAC,KAAK,cAAc,GAAG,EAAE;CAEhF,MAAM,MAAW,EAAE;CACnB,KAAK,MAAM,KAAK,QAAQ;EACtB,IAAI,EAAE,WAAW,OAAO;GACtB,IAAI,KAAK,EAAE;GACX;;EAKF,MAAM,aAAa,CAAC,CAAC,EAAE,eAAe,CAAC,EAAE,YAAY,WAAW,IAAI;EAIpE,IAAI,CAAC,YACH,KAAK,MAAM,UAAU,gBAAgB;GACnC,MAAM,kBAAkB,IAAI,SAAS,UAAU,EAAE,OAAO;GACxD,IAAI,KAAK;IACP,GAAG;IACH,QAAQ;IACT,CAAC;;EAKN,MAAM,iBAAiB,GAAG,iBAAiB,UAAU,EAAE,OAAO;EAC9D,IAAI,sBAAsB,EAAE;EAC5B,IAAI,uBAAuB,oBAAoB,WAAW,IAAI,IAAI,CAAC,YACjE,sBAAsB,uBACpB,wBAAwB,OAAO,CAAC,gBAAgB,KAAK;EAGzD,IAAI,KAAK;GACP,GAAG;GACH,QAAQ;GACR,aAAa;GACd,CAAC;EAKF,IAAI,KAAK,EAAE;;CAEb,OAAO"}
+{"version":3,"file":"config-matchers.js","names":[],"sources":["../../src/config/config-matchers.ts"],"sourcesContent":["/**\n * Config pattern matching and rule application utilities.\n *\n * Shared between the dev server (index.ts) and the production server\n * (prod-server.ts) so both apply next.config.js rules identically.\n */\n\nimport type {\n  NextI18nConfig,\n  NextRedirect,\n  NextRewrite,\n  NextHeader,\n  HasCondition,\n} from \"./next-config.js\";\nimport {\n  MIDDLEWARE_HEADER_PREFIX,\n  VINEXT_MW_CTX_HEADER,\n  VINEXT_PRERENDER_ROUTE_PARAMS_HEADER,\n  VINEXT_PRERENDER_SECRET_HEADER,\n} from \"../server/headers.js\";\nimport { buildRequestHeadersFromMiddlewareResponse } from \"../server/middleware-request-headers.js\";\n\n/**\n * Cache for compiled regex patterns in matchConfigPattern.\n *\n * Redirect/rewrite patterns are static — they come from next.config.js and\n * never change at runtime. Without caching, every request that hits the regex\n * branch re-runs the full tokeniser walk + isSafeRegex + new RegExp() for\n * every rule in the array. On apps with many locale-prefixed rules (which all\n * contain `(` and therefore enter the regex branch) this dominated profiling\n * at ~2.4 seconds of CPU self-time.\n *\n * Value is `null` when safeRegExp rejected the pattern (ReDoS risk), so we\n * skip it on subsequent requests too without re-running the scanner.\n */\nconst _compiledPatternCache = new Map<string, { re: RegExp; paramNames: string[] } | null>();\n\n/**\n * Cache for compiled header source regexes in matchHeaders.\n *\n * Each NextHeader rule has a `source` that is run through escapeHeaderSource()\n * then safeRegExp() to produce a RegExp. Both are pure functions of the source\n * string and the result never changes. Without caching, every request\n * re-runs the full escapeHeaderSource tokeniser + isSafeRegex scan + new RegExp()\n * for every header rule.\n *\n * Value is `null` when safeRegExp rejected the pattern (ReDoS risk).\n */\nconst _compiledHeaderSourceCache = new Map<string, RegExp | null>();\n\n/**\n * Cache for compiled has/missing condition value regexes in checkSingleCondition.\n *\n * Each has/missing condition may carry a `value` string that is passed directly\n * to safeRegExp() for matching against header/cookie/query/host values. The\n * condition objects are static (from next.config.js) so the compiled RegExp\n * never changes. Without caching, safeRegExp() is called on every request for\n * every condition on every rule.\n *\n * Value is `null` when safeRegExp rejected the pattern, or `false` when the\n * value string was undefined (no regex needed — use exact string comparison).\n */\nconst _compiledConditionCache = new Map<string, RegExp | null>();\n\n/**\n * Cache for destination substitution regexes in substituteDestinationParams.\n *\n * The regex depends only on the set of param keys captured from the matched\n * source pattern. Caching by sorted key list avoids recompiling a new RegExp\n * for repeated redirect/rewrite calls that use the same param shape.\n */\nconst _compiledDestinationParamCache = new Map<string, RegExp>();\n\n/**\n * Generic helper for the regex compilation caches above.\n *\n * Each cache stores the compiled artifact (or `null` when safeRegExp rejected\n * the pattern) the first time a key is seen, and reuses it forever. The\n * `undefined` sentinel distinguishes \"not yet seen\" from \"seen and rejected\"\n * so we never re-run isSafeRegex on the same input.\n *\n * Keep the security path intact: `compile()` is responsible for calling\n * safeRegExp(); this helper only handles caching.\n */\nfunction getCachedRegex<K, V>(cache: Map<K, V | null>, key: K, compile: () => V | null): V | null {\n  let value = cache.get(key);\n  if (value === undefined) {\n    value = compile();\n    cache.set(key, value);\n  }\n  return value;\n}\n\n/**\n * Redirect index for O(1) locale-static rule lookup.\n *\n * Many Next.js apps generate 50-100 redirect rules of the form:\n *   /:locale(en|es|fr|...)?/some-static-path  →  /some-destination\n *\n * The compiled regex for each is like:\n *   ^/(en|es|fr|...)?/some-static-path$\n *\n * When no redirect matches (the common case for ordinary page loads),\n * matchRedirect previously ran exec() on every one of those regexes —\n * ~2ms per call, ~2992ms total self-time in profiles.\n *\n * The index splits rules into two buckets:\n *\n *   localeStatic — rules whose source is exactly /:paramName(alt1|alt2|...)?/suffix\n *     where `suffix` is a static path with no further params or regex groups.\n *     These are indexed in a Map<suffix, entry[]> for O(1) lookup after a\n *     single fast strip of the optional locale prefix.\n *\n *   linear — all other rules. Matched with the original O(n) loop.\n *\n * The index is stored in a WeakMap keyed by the redirects array so it is\n * computed once per config load and GC'd when the array is no longer live.\n *\n * ## Ordering invariant\n *\n * Redirect rules must be evaluated in their original order (first match wins).\n * Each locale-static entry stores its `originalIndex` so that, when a\n * locale-static fast-path match is found, any linear rules that appear earlier\n * in the array are still checked first.\n */\n\n/**\n * Matches `/:param(alternation)?/static/suffix` — the locale-static pattern.\n *\n * The `?` after the capture group is itself optional so that both forms are\n * detected:\n *   - `/:locale(en|fr)?/foo` (locale segment optional — user-written rules)\n *   - `/:nextInternalLocale(en|fr)/foo` (locale segment mandatory — emitted\n *      by `applyLocaleToRoutes` for the locale-capture variant)\n * Both forms benefit from O(1) suffix lookup; the optionality is recorded\n * on the entry so we know whether to try the no-locale-prefix bucket.\n */\nconst _LOCALE_STATIC_RE = /^\\/:[\\w-]+\\(([^)]+)\\)(\\??)\\/([a-zA-Z0-9_~.%@!$&'*+,;=:/-]+)$/;\n\ntype LocaleStaticEntry = {\n  /** The param name extracted from the source (e.g. \"locale\"). */\n  paramName: string;\n  /** The compiled regex matching just the alternation, used at match time. */\n  altRe: RegExp;\n  /** Whether the locale segment is optional (the source had `?` after the group). */\n  optional: boolean;\n  /** The original redirect rule. */\n  redirect: NextRedirect;\n  /** Position of this rule in the original redirects array. */\n  originalIndex: number;\n};\n\ntype RedirectIndex = {\n  /** Fast-path map: strippedPath (e.g. \"/security\") → matching entries. */\n  localeStatic: Map<string, LocaleStaticEntry[]>;\n  /**\n   * Linear fallback for rules that couldn't be indexed.\n   * Each entry is [originalIndex, redirect].\n   */\n  linear: Array<[number, NextRedirect]>;\n};\n\nconst _redirectIndexCache = new WeakMap<NextRedirect[], RedirectIndex>();\n\n/**\n * Build (or retrieve from cache) the redirect index for a given redirects array.\n *\n * Called once per config load from matchRedirect. The WeakMap ensures the index\n * is recomputed if the config is reloaded (new array reference) and GC'd when\n * the array is collected.\n */\nfunction _getRedirectIndex(redirects: NextRedirect[]): RedirectIndex {\n  let index = _redirectIndexCache.get(redirects);\n  if (index !== undefined) return index;\n\n  const localeStatic = new Map<string, LocaleStaticEntry[]>();\n  const linear: Array<[number, NextRedirect]> = [];\n\n  for (let i = 0; i < redirects.length; i++) {\n    const redirect = redirects[i];\n    const m = _LOCALE_STATIC_RE.exec(redirect.source);\n    if (m) {\n      const paramName = redirect.source.slice(2, redirect.source.indexOf(\"(\"));\n      const alternation = m[1];\n      const optional = m[2] === \"?\";\n      const suffix = \"/\" + m[3]; // e.g. \"/security\"\n      // Build a small regex to validate the captured locale value against the\n      // alternation. Using anchored match to avoid partial matches.\n      // The alternation comes from user config; run it through safeRegExp to\n      // guard against ReDoS in pathological configs.\n      const altRe = safeRegExp(\"^(?:\" + alternation + \")$\");\n      if (!altRe) {\n        // Unsafe alternation — fall back to linear scan for this rule.\n        linear.push([i, redirect]);\n        continue;\n      }\n      const entry: LocaleStaticEntry = {\n        paramName,\n        altRe,\n        optional,\n        redirect,\n        originalIndex: i,\n      };\n      const bucket = localeStatic.get(suffix);\n      if (bucket) {\n        bucket.push(entry);\n      } else {\n        localeStatic.set(suffix, [entry]);\n      }\n    } else {\n      linear.push([i, redirect]);\n    }\n  }\n\n  index = { localeStatic, linear };\n  _redirectIndexCache.set(redirects, index);\n  return index;\n}\n\n/** Hop-by-hop headers that should not be forwarded through a proxy. */\nconst HOP_BY_HOP_HEADERS = new Set([\n  \"connection\",\n  \"keep-alive\",\n  \"proxy-authenticate\",\n  \"proxy-authorization\",\n  \"te\",\n  \"trailers\",\n  \"transfer-encoding\",\n  \"upgrade\",\n]);\n\n/**\n * Request hop-by-hop headers to strip before proxying with fetch().\n * Intentionally narrower than HOP_BY_HOP_HEADERS: external rewrite proxying\n * still forwards proxy auth credentials, while response sanitization strips\n * them before returning data to the client.\n */\nconst REQUEST_HOP_BY_HOP_HEADERS = new Set([\n  \"connection\",\n  \"keep-alive\",\n  \"te\",\n  \"trailers\",\n  \"transfer-encoding\",\n  \"upgrade\",\n]);\n\nfunction stripHopByHopRequestHeaders(headers: Headers): void {\n  const connectionTokens = (headers.get(\"connection\") || \"\")\n    .split(\",\")\n    .map((value) => value.trim().toLowerCase())\n    .filter(Boolean);\n\n  for (const header of REQUEST_HOP_BY_HOP_HEADERS) {\n    headers.delete(header);\n  }\n\n  for (const token of connectionTokens) {\n    headers.delete(token);\n  }\n}\n\n/**\n * Detect regex patterns vulnerable to catastrophic backtracking (ReDoS).\n *\n * Uses a lightweight heuristic: scans the pattern string for nested quantifiers\n * (a quantifier applied to a group that itself contains a quantifier). This\n * catches the most common pathological patterns like `(a+)+`, `(.*)*`,\n * `([^/]+)+`, `(a|a+)+` without needing a full regex parser.\n *\n * Returns true if the pattern appears safe, false if it's potentially dangerous.\n */\nexport function isSafeRegex(pattern: string): boolean {\n  // Track parenthesis nesting depth and whether we've seen a quantifier\n  // at each depth level.\n  const quantifierAtDepth: boolean[] = [];\n  let depth = 0;\n  let i = 0;\n\n  while (i < pattern.length) {\n    const ch = pattern[i];\n\n    // Skip escaped characters\n    if (ch === \"\\\\\") {\n      i += 2;\n      continue;\n    }\n\n    // Skip character classes [...] — quantifiers inside them are literal\n    if (ch === \"[\") {\n      i++;\n      while (i < pattern.length && pattern[i] !== \"]\") {\n        if (pattern[i] === \"\\\\\") i++; // skip escaped char in class\n        i++;\n      }\n      i++; // skip closing ]\n      continue;\n    }\n\n    if (ch === \"(\") {\n      depth++;\n      // Initialize: no quantifier seen yet at this new depth\n      if (quantifierAtDepth.length <= depth) {\n        quantifierAtDepth.push(false);\n      } else {\n        quantifierAtDepth[depth] = false;\n      }\n      i++;\n      continue;\n    }\n\n    if (ch === \")\") {\n      const hadQuantifier = depth > 0 && quantifierAtDepth[depth];\n      if (depth > 0) depth--;\n\n      // Look ahead for a quantifier on this group: +, *, {n,m}\n      // Note: '?' after ')' means \"zero or one\" which does NOT cause catastrophic\n      // backtracking — it only allows 2 paths (match/skip), not exponential.\n      // Only unbounded repetition (+, *, {n,}) on a group with inner quantifiers is dangerous.\n      const next = pattern[i + 1];\n      if (next === \"+\" || next === \"*\" || next === \"{\") {\n        if (hadQuantifier) {\n          // Nested quantifier detected: quantifier on a group that contains a quantifier\n          return false;\n        }\n        // Mark the enclosing depth as having a quantifier\n        if (depth >= 0 && depth < quantifierAtDepth.length) {\n          quantifierAtDepth[depth] = true;\n        }\n      }\n      i++;\n      continue;\n    }\n\n    // Detect quantifiers: +, *, ?, {n,m}\n    // '?' is a quantifier (optional) unless it follows another quantifier (+, *, ?, })\n    // in which case it's a non-greedy modifier.\n    if (ch === \"+\" || ch === \"*\") {\n      if (depth > 0) {\n        quantifierAtDepth[depth] = true;\n      }\n      i++;\n      continue;\n    }\n\n    if (ch === \"?\") {\n      // '?' after +, *, ?, or } is a non-greedy modifier, not a quantifier\n      const prev = i > 0 ? pattern[i - 1] : \"\";\n      if (prev !== \"+\" && prev !== \"*\" && prev !== \"?\" && prev !== \"}\") {\n        if (depth > 0) {\n          quantifierAtDepth[depth] = true;\n        }\n      }\n      i++;\n      continue;\n    }\n\n    if (ch === \"{\") {\n      // Check if this is a quantifier {n}, {n,}, {n,m}\n      let j = i + 1;\n      while (j < pattern.length && /[\\d,]/.test(pattern[j])) j++;\n      if (j < pattern.length && pattern[j] === \"}\" && j > i + 1) {\n        if (depth > 0) {\n          quantifierAtDepth[depth] = true;\n        }\n        i = j + 1;\n        continue;\n      }\n    }\n\n    i++;\n  }\n\n  return true;\n}\n\n/**\n * Compile a regex pattern safely. Returns the compiled RegExp or null if the\n * pattern is invalid or vulnerable to ReDoS.\n *\n * Logs a warning when a pattern is rejected so developers can fix their config.\n */\nexport function safeRegExp(pattern: string, flags?: string): RegExp | null {\n  if (!isSafeRegex(pattern)) {\n    console.warn(\n      `[vinext] Ignoring potentially unsafe regex pattern (ReDoS risk): ${pattern}\\n` +\n        `  Patterns with nested quantifiers (e.g. (a+)+) can cause catastrophic backtracking.\\n` +\n        `  Simplify the pattern to avoid nested repetition.`,\n    );\n    return null;\n  }\n  try {\n    return new RegExp(pattern, flags);\n  } catch {\n    return null;\n  }\n}\n\n/**\n * Convert a Next.js header/rewrite/redirect source pattern into a regex string.\n *\n * Regex groups in the source (e.g. `(\\d+)`) are extracted first, the remaining\n * text is escaped/converted in a **single pass** (avoiding chained `.replace()`\n * which CodeQL flags as incomplete sanitization), then groups are restored.\n */\nexport function escapeHeaderSource(source: string): string {\n  // Sentinel character for group placeholders. Uses a Unicode private-use-area\n  // codepoint that will never appear in real source patterns.\n  const S = \"\\uE000\";\n\n  // Step 1: extract regex groups and replace with numbered placeholders.\n  const groups: string[] = [];\n  const withPlaceholders = source.replace(/\\(([^)]+)\\)/g, (_m, inner) => {\n    groups.push(inner);\n    return `${S}G${groups.length - 1}${S}`;\n  });\n\n  // Step 2: single-pass conversion of the placeholder-bearing string.\n  // Match named params (:[\\w-]+), sentinel group placeholders, metacharacters, and literal text.\n  // The regex uses non-overlapping alternatives to avoid backtracking:\n  //   :[\\w-]+  — named parameter (constraint sentinel is checked procedurally;\n  //              param names may contain hyphens, e.g. :auth-method)\n  //   sentinel group — standalone regex group placeholder\n  //   [.+?*] — single metachar to escape/convert\n  //   [^.+?*:\\uE000]+ — literal text (excludes all chars that start other alternatives)\n  let result = \"\";\n  const re = new RegExp(\n    `${S}G(\\\\d+)${S}|:[\\\\w-]+|[.+?*]|[^.+?*:\\\\uE000]+`, // lgtm[js/redos] — alternatives are non-overlapping\n    \"g\",\n  );\n  let m: RegExpExecArray | null;\n  while ((m = re.exec(withPlaceholders)) !== null) {\n    if (m[1] !== undefined) {\n      // Standalone regex group — restore as-is\n      result += `(${groups[Number(m[1])]})`;\n    } else if (m[0].startsWith(\":\")) {\n      // Named parameter — check if followed by a constraint group placeholder\n      const afterParam = withPlaceholders.slice(re.lastIndex);\n      const constraintMatch = afterParam.match(new RegExp(`^${S}G(\\\\d+)${S}`));\n      if (constraintMatch) {\n        // :param(constraint) — use the constraint as the capture group\n        re.lastIndex += constraintMatch[0].length;\n        result += `(${groups[Number(constraintMatch[1])]})`;\n      } else {\n        // Plain named parameter → match one segment\n        result += \"[^/]+\";\n      }\n    } else {\n      switch (m[0]) {\n        case \".\":\n          result += \"\\\\.\";\n          break;\n        case \"+\":\n          result += \"\\\\+\";\n          break;\n        case \"?\":\n          result += \"\\\\?\";\n          break;\n        case \"*\":\n          result += \".*\";\n          break;\n        default:\n          result += m[0];\n          break;\n      }\n    }\n  }\n\n  return result;\n}\n\n/**\n * Request context needed for evaluating has/missing conditions.\n * Callers extract the relevant parts from the incoming Request.\n */\nexport type RequestContext = {\n  headers: Headers;\n  cookies: Record<string, string>;\n  query: URLSearchParams;\n  host: string;\n};\n\n/**\n * basePath gating state passed alongside the pathname to every matcher.\n *\n * Rewrites/redirects/headers run with default `basePath: true` semantics in\n * Next.js: the rule only matches when the inbound request was under the\n * configured `basePath`. Rules with `basePath: false` opt out and match\n * the original (un-stripped) pathname regardless of prefix.\n *\n * When `basePath` is empty (not configured) every rule is treated as\n * basePath-defaulted: every request matches.\n *\n * @see .nextjs-ref/packages/next/src/lib/load-custom-routes.ts:198-220\n */\nexport type BasePathMatchState = {\n  /** Configured `basePath` (without trailing slash) or \"\" when unset. */\n  basePath: string;\n  /**\n   * True when the inbound request was originally under `basePath` (i.e.\n   * the prod-server/handler stripped the prefix before the matcher runs).\n   * Ignored when `basePath` is empty.\n   */\n  hadBasePath: boolean;\n};\n\nconst _BASEPATH_DEFAULT: BasePathMatchState = { basePath: \"\", hadBasePath: true };\n\n/**\n * Decide whether a rule should be evaluated at all given the current\n * basePath-gating state.\n *\n * Encodes the Next.js rules:\n *   - basePath: false rule → only when the request was NOT under basePath\n *     (i.e. it's the explicit opt-out path). When `basePath` itself is\n *     empty, basePath: false rules are still allowed to match — there's\n *     just no basePath to gate them.\n *   - default rule (basePath !== false) → only when the request WAS under\n *     basePath (or no basePath is configured).\n */\nfunction shouldEvaluateRule(ruleBasePath: false | undefined, state: BasePathMatchState): boolean {\n  if (!state.basePath) return true;\n  return ruleBasePath === false ? !state.hadBasePath : state.hadBasePath;\n}\n\n/**\n * Parse a Cookie header string into a key-value record.\n */\nexport function parseCookies(cookieHeader: string | null): Record<string, string> {\n  if (!cookieHeader) return {};\n  const cookies: Record<string, string> = {};\n  for (const part of cookieHeader.split(\";\")) {\n    const eq = part.indexOf(\"=\");\n    if (eq === -1) continue;\n    const key = part.slice(0, eq).trim();\n    const value = part.slice(eq + 1).trim();\n    if (key) cookies[key] = value;\n  }\n  return cookies;\n}\n\n/**\n * Build a RequestContext from a Web Request object.\n */\nexport function requestContextFromRequest(request: Request): RequestContext {\n  const url = new URL(request.url);\n  return {\n    headers: request.headers,\n    cookies: parseCookies(request.headers.get(\"cookie\")),\n    query: url.searchParams,\n    host: normalizeHost(request.headers.get(\"host\"), url.hostname),\n  };\n}\n\nexport function normalizeHost(hostHeader: string | null, fallbackHostname: string): string {\n  const host = hostHeader ?? fallbackHostname;\n  return host.split(\":\", 1)[0].toLowerCase();\n}\n\n/**\n * Unpack `x-middleware-request-*` headers from the collected middleware\n * response headers into the actual request, and strip all `x-middleware-*`\n * internal signals so they never reach clients.\n *\n * `middlewareHeaders` is mutated in-place (matching keys are deleted).\n * Returns a (possibly cloned) `Request` with the unpacked headers applied,\n * and a fresh `RequestContext` built from it — ready for post-middleware\n * config rule matching (beforeFiles, afterFiles, fallback).\n *\n * Works for both Node.js requests (mutable headers) and Workers requests\n * (immutable — cloned only when there are headers to apply).\n *\n * `x-middleware-request-*` values are always plain strings (they carry\n * individual header values), so the wider `string | string[]` type of\n * `middlewareHeaders` is safe to cast here.\n */\nexport function applyMiddlewareRequestHeaders(\n  middlewareHeaders: Record<string, string | string[]>,\n  request: Request,\n  options: { preserveCredentialHeaders?: boolean } = {},\n): { request: Request; postMwReqCtx: RequestContext } {\n  const nextHeaders = buildRequestHeadersFromMiddlewareResponse(\n    request.headers,\n    middlewareHeaders,\n    options,\n  );\n\n  for (const key of Object.keys(middlewareHeaders)) {\n    if (key.startsWith(MIDDLEWARE_HEADER_PREFIX)) {\n      delete middlewareHeaders[key];\n    }\n  }\n\n  if (nextHeaders) {\n    // Headers may be immutable (Workers), so always clone via new Headers().\n    request = new Request(request.url, {\n      method: request.method,\n      headers: nextHeaders,\n      body: request.body,\n      // @ts-expect-error — duplex needed for streaming request bodies\n      duplex: request.body ? \"half\" : undefined,\n    });\n  }\n\n  return { request, postMwReqCtx: requestContextFromRequest(request) };\n}\n\nfunction _emptyParams(): Record<string, string> {\n  return Object.create(null) as Record<string, string>;\n}\n\nfunction _matchConditionValue(\n  actualValue: string,\n  expectedValue: string | undefined,\n): Record<string, string> | null {\n  if (expectedValue === undefined) return _emptyParams();\n\n  const re = _cachedConditionRegex(expectedValue);\n  if (re) {\n    const match = re.exec(actualValue);\n    if (!match) return null;\n\n    const params = _emptyParams();\n    if (match.groups) {\n      for (const [key, value] of Object.entries(match.groups)) {\n        if (value !== undefined) params[key] = value;\n      }\n    }\n    return params;\n  }\n\n  return actualValue === expectedValue ? _emptyParams() : null;\n}\n\n/**\n * Check a single has/missing condition against request context.\n * Returns captured params when the condition is satisfied, or null otherwise.\n */\nfunction matchSingleCondition(\n  condition: HasCondition,\n  ctx: RequestContext,\n): Record<string, string> | null {\n  switch (condition.type) {\n    case \"header\": {\n      const headerValue = ctx.headers.get(condition.key);\n      if (headerValue === null) return null;\n      return _matchConditionValue(headerValue, condition.value);\n    }\n    case \"cookie\": {\n      const cookieValue = ctx.cookies[condition.key];\n      if (cookieValue === undefined) return null;\n      return _matchConditionValue(cookieValue, condition.value);\n    }\n    case \"query\": {\n      const queryValue = ctx.query.get(condition.key);\n      if (queryValue === null) return null;\n      return _matchConditionValue(queryValue, condition.value);\n    }\n    case \"host\": {\n      if (condition.value !== undefined) return _matchConditionValue(ctx.host, condition.value);\n      return ctx.host === condition.key ? _emptyParams() : null;\n    }\n    default:\n      return null;\n  }\n}\n\n/**\n * Return a cached RegExp for a has/missing condition value string, compiling\n * on first use. Returns null if safeRegExp rejected the pattern or if the\n * value is not a valid regex (fall back to exact string comparison).\n */\nfunction _cachedConditionRegex(value: string): RegExp | null {\n  return getCachedRegex(_compiledConditionCache, value, () =>\n    // Anchor the regex to match the full value, not a substring.\n    // Matches Next.js: new RegExp(`^${hasItem.value}$`)\n    // Without anchoring, has:[cookie:role=admin] would match \"not-admin\".\n    safeRegExp(`^${value}$`),\n  );\n}\n\n/**\n * Check all has/missing conditions for a config rule.\n * Returns true if the rule should be applied (all has conditions pass, all missing conditions pass).\n *\n * - has: every condition must match (the request must have it)\n * - missing: every condition must NOT match (the request must not have it)\n */\nfunction collectConditionParams(\n  has: HasCondition[] | undefined,\n  missing: HasCondition[] | undefined,\n  ctx: RequestContext,\n): Record<string, string> | null {\n  const params = _emptyParams();\n\n  if (has) {\n    for (const condition of has) {\n      const conditionParams = matchSingleCondition(condition, ctx);\n      if (!conditionParams) return null;\n      Object.assign(params, conditionParams);\n    }\n  }\n\n  if (missing) {\n    for (const condition of missing) {\n      if (matchSingleCondition(condition, ctx)) return null;\n    }\n  }\n\n  return params;\n}\n\nexport function checkHasConditions(\n  has: HasCondition[] | undefined,\n  missing: HasCondition[] | undefined,\n  ctx: RequestContext,\n): boolean {\n  return collectConditionParams(has, missing, ctx) !== null;\n}\n\n/**\n * If the current position in `str` starts with a parenthesized group, consume\n * it and advance `re.lastIndex` past the closing `)`. Returns the group\n * contents or null if no group is present.\n */\nfunction extractConstraint(str: string, re: RegExp): string | null {\n  if (str[re.lastIndex] !== \"(\") return null;\n  const start = re.lastIndex + 1;\n  let depth = 1;\n  let i = start;\n  while (i < str.length && depth > 0) {\n    if (str[i] === \"(\") depth++;\n    else if (str[i] === \")\") depth--;\n    i++;\n  }\n  if (depth !== 0) return null;\n  re.lastIndex = i;\n  return str.slice(start, i - 1);\n}\n\n/**\n * Match a Next.js config pattern (from redirects/rewrites sources) against a pathname.\n * Returns matched params or null.\n *\n * Supports:\n *   :param     - matches a single path segment\n *   :param*    - matches zero or more segments (catch-all)\n *   :param+    - matches one or more segments\n *   (regex)    - inline regex patterns in the source\n *   :param(constraint) - named param with inline regex constraint\n */\n/**\n * Strip a single trailing slash from a pathname for config-source matching.\n *\n * Next.js conditionally appends `(/)?` to rewrite/redirect/header source\n * regexes when `trailingSlash: true` (see Next.js\n * `resolve-rewrites.ts` and `server-utils.ts:checkRewrite`). Rather than\n * threading the trailingSlash flag through every matcher, we unconditionally\n * strip a trailing slash from the incoming pathname. When `trailingSlash: false`\n * the request pipeline emits a normalizing redirect (step 3) before config\n * rewrites/redirects (step 6) ever run, so the pathname is already slash-free;\n * the unconditional strip is defense-in-depth for that ordering. When\n * `trailingSlash: true` it bridges the gap between the canonicalized request\n * path (`/rewrite-1/`) and source patterns written without a trailing slash\n * (`/rewrite-1`).\n *\n * The root path `\"/\"` is preserved as-is.\n */\nfunction stripTrailingSlashForConfigMatch(pathname: string): string {\n  return pathname.length > 1 && pathname.endsWith(\"/\") ? pathname.slice(0, -1) : pathname;\n}\n\nexport function matchConfigPattern(\n  pathname: string,\n  pattern: string,\n): Record<string, string> | null {\n  // See `stripTrailingSlashForConfigMatch` — the source pattern itself is left\n  // unchanged because catch-all patterns (`:param*` / `:param+`) and the root\n  // `/` already consume any trailing slash; stripping the pattern would change\n  // those semantics.\n  pathname = stripTrailingSlashForConfigMatch(pathname);\n\n  // If the pattern contains regex groups like (\\d+) or (.*), use regex matching.\n  // Also enter this branch when a catch-all parameter (:param* or :param+) is\n  // followed by a literal suffix (e.g. \"/:path*.md\"). Without this, the suffix\n  // pattern falls through to the simple segment matcher which incorrectly treats\n  // the whole segment (\":path*.md\") as a named parameter and matches everything.\n  // The last condition catches simple params with literal suffixes (e.g. \"/:slug.md\")\n  // where the param name is followed by a dot — the simple matcher would treat\n  // \"slug.md\" as the param name and match any single segment regardless of suffix.\n  // Enter the full regex branch when:\n  //   - the pattern uses explicit regex groups or escapes,\n  //   - a catch-all (`:foo*` / `:foo+`) is followed by a literal suffix that\n  //     the simple catch-all branch cannot express,\n  //   - a named param is followed by a dot (the simple branch would treat\n  //     \"slug.md\" as the whole param name),\n  //   - the pattern has multiple named params and any of them is a catch-all\n  //     (e.g. `/:locale/files/:path*`). The simple catch-all branch only\n  //     handles trailing-catch-all-with-static-prefix; mixed cases need regex.\n  const catchAllAnchor = /:[\\w-]+[*+]/.test(pattern);\n  const namedParamCount = (pattern.match(/:[\\w-]+/g) || []).length;\n  if (\n    pattern.includes(\"(\") ||\n    pattern.includes(\"\\\\\") ||\n    /:[\\w-]+[*+][^/]/.test(pattern) ||\n    /:[\\w-]+\\./.test(pattern) ||\n    (catchAllAnchor && namedParamCount > 1)\n  ) {\n    try {\n      // Look up the compiled regex in the module-level cache. Patterns come\n      // from next.config.js and are static, so we only need to compile each\n      // one once across the lifetime of the worker/server process.\n      // null is stored for rejected patterns so we don't re-run isSafeRegex.\n      const compiled = getCachedRegex(_compiledPatternCache, pattern, () => {\n        // Cache miss — compile the pattern now and store the result.\n        // Param names may contain hyphens (e.g. :auth-method, :sign-in).\n        const paramNames: string[] = [];\n        // Single-pass conversion with procedural suffix handling. The tokenizer\n        // matches only simple, non-overlapping tokens; quantifier/constraint\n        // suffixes after :param are consumed procedurally to avoid polynomial\n        // backtracking in the regex engine.\n        let regexStr = \"\";\n        const tokenRe = /:([\\w-]+)|[.]|[^:.]+/g; // lgtm[js/redos] — alternatives are non-overlapping (`:` and `.` excluded from `[^:.]+`)\n        let tok: RegExpExecArray | null;\n        while ((tok = tokenRe.exec(pattern)) !== null) {\n          if (tok[1] !== undefined) {\n            const name = tok[1];\n            const rest = pattern.slice(tokenRe.lastIndex);\n            // Check for quantifier (* or +) with optional constraint\n            if (rest.startsWith(\"*\") || rest.startsWith(\"+\")) {\n              const quantifier = rest[0];\n              tokenRe.lastIndex += 1;\n              const constraint = extractConstraint(pattern, tokenRe);\n              paramNames.push(name);\n              if (constraint !== null) {\n                regexStr += `(${constraint})`;\n              } else {\n                regexStr += quantifier === \"*\" ? \"(.*)\" : \"(.+)\";\n              }\n            } else {\n              // Check for inline constraint without quantifier\n              const constraint = extractConstraint(pattern, tokenRe);\n              paramNames.push(name);\n              regexStr += constraint !== null ? `(${constraint})` : \"([^/]+)\";\n            }\n          } else if (tok[0] === \".\") {\n            regexStr += \"\\\\.\";\n          } else {\n            regexStr += tok[0];\n          }\n        }\n        const re = safeRegExp(\"^\" + regexStr + \"$\");\n        return re ? { re, paramNames } : null;\n      });\n      if (!compiled) return null;\n      const match = compiled.re.exec(pathname);\n      if (!match) return null;\n      const params: Record<string, string> = Object.create(null);\n      for (let i = 0; i < compiled.paramNames.length; i++) {\n        params[compiled.paramNames[i]] = match[i + 1] ?? \"\";\n      }\n      return params;\n    } catch {\n      // Fall through to segment-based matching\n    }\n  }\n\n  // Check for catch-all patterns (:param* or :param+) without regex groups\n  // Param names may contain hyphens (e.g. :sign-in*, :sign-up+).\n  const catchAllMatch = pattern.match(/:([\\w-]+)(\\*|\\+)$/);\n  if (catchAllMatch) {\n    const prefix = pattern.slice(0, pattern.lastIndexOf(\":\"));\n    const paramName = catchAllMatch[1];\n    const isPlus = catchAllMatch[2] === \"+\";\n\n    const prefixNoSlash = prefix.replace(/\\/$/, \"\");\n    if (!pathname.startsWith(prefixNoSlash)) return null;\n    const charAfter = pathname[prefixNoSlash.length];\n    if (charAfter !== undefined && charAfter !== \"/\") return null;\n\n    const rest = pathname.slice(prefixNoSlash.length);\n    if (isPlus && (!rest || rest === \"/\")) return null;\n    let restValue = rest.startsWith(\"/\") ? rest.slice(1) : rest;\n    // NOTE: Do NOT decodeURIComponent here. The pathname is already decoded at\n    // the request entry point. Decoding again would produce incorrect param values.\n    return { [paramName]: restValue };\n  }\n\n  // Simple segment-based matching for exact patterns and :param\n  const parts = pattern.split(\"/\");\n  const pathParts = pathname.split(\"/\");\n\n  if (parts.length !== pathParts.length) return null;\n\n  const params: Record<string, string> = Object.create(null);\n  for (let i = 0; i < parts.length; i++) {\n    if (parts[i].startsWith(\":\")) {\n      params[parts[i].slice(1)] = pathParts[i];\n    } else if (parts[i] !== pathParts[i]) {\n      return null;\n    }\n  }\n  return params;\n}\n\n/**\n * Apply redirect rules from next.config.js.\n * Returns the redirect info if a redirect was matched, or null.\n *\n * `ctx` provides the request context (cookies, headers, query, host) used\n * to evaluate has/missing conditions. Next.js always has request context\n * when evaluating redirects, so this parameter is required.\n *\n * ## Performance\n *\n * Rules with a locale-capture-group prefix (the dominant pattern in large\n * Next.js apps — e.g. `/:locale(en|es|fr|...)?/some-path`) are handled via\n * a pre-built index. Instead of running exec() on each locale regex\n * individually, we:\n *\n *   1. Strip the optional locale prefix from the pathname with one cheap\n *      string-slice check (no regex exec on the hot path).\n *   2. Look up the stripped suffix in a Map<suffix, entry[]>.\n *   3. For each matching entry, validate the captured locale string against\n *      a small, anchored alternation regex.\n *\n * This reduces the per-request cost from O(n × regex) to O(1) map lookup +\n * O(matches × tiny-regex), eliminating the ~2992ms self-time reported in\n * profiles for apps with 63+ locale-prefixed rules.\n *\n * Rules that don't fit the locale-static pattern fall back to the original\n * linear matchConfigPattern scan.\n *\n * ## Ordering invariant\n *\n * First match wins, preserving the original redirect array order. When a\n * locale-static fast-path match is found at position N, all linear rules with\n * an original index < N are checked via matchConfigPattern first — they are\n * few in practice (typically zero) so this is not a hot-path concern.\n */\nexport function matchRedirect(\n  pathname: string,\n  redirects: NextRedirect[],\n  ctx: RequestContext,\n  basePathState: BasePathMatchState = _BASEPATH_DEFAULT,\n): { destination: string; permanent: boolean } | null {\n  if (redirects.length === 0) return null;\n\n  // Strip trailing slash so the locale-static fast path (Map.get on the\n  // pathname) matches keys derived from slash-free source patterns. The\n  // linear fallback also passes through `matchConfigPattern` which strips\n  // again, but normalizing once here keeps both paths consistent.\n  pathname = stripTrailingSlashForConfigMatch(pathname);\n\n  const index = _getRedirectIndex(redirects);\n\n  // --- Locate the best locale-static candidate ---\n  //\n  // We look for the locale-static entry with the LOWEST originalIndex that\n  // matches this pathname (and passes has/missing conditions).\n  //\n  // Strategy: try both the full pathname (locale omitted, e.g. \"/security\")\n  // and the pathname with the first segment stripped (locale present, e.g.\n  // \"/en/security\" → suffix \"/security\", locale \"en\").\n  //\n  // We do NOT use a regex here — just a single indexOf('/') to locate the\n  // second slash, which is O(n) on the path length but far cheaper than\n  // running 63 compiled regexes.\n\n  let localeMatch: { destination: string; permanent: boolean } | null = null;\n  let localeMatchIndex = Infinity;\n\n  if (index.localeStatic.size > 0) {\n    // Case 1: no locale prefix — pathname IS the suffix.\n    // Only valid for entries whose source had `?` after the alternation\n    // (the locale segment was optional). Mandatory-locale entries — emitted\n    // by `applyLocaleToRoutes` as `/:nextInternalLocale(en|fr)/foo` — must\n    // not match here because they require the locale segment to be present.\n    const noLocaleBucket = index.localeStatic.get(pathname);\n    if (noLocaleBucket) {\n      for (const entry of noLocaleBucket) {\n        if (!entry.optional) continue; // mandatory-locale rule — skip\n        if (entry.originalIndex >= localeMatchIndex) continue; // already have a better match\n        const redirect = entry.redirect;\n        if (!shouldEvaluateRule(redirect.basePath, basePathState)) continue;\n        const conditionParams =\n          redirect.has || redirect.missing\n            ? collectConditionParams(redirect.has, redirect.missing, ctx)\n            : _emptyParams();\n        if (!conditionParams) continue;\n        // Locale was omitted (the `?` made it optional) — param value is \"\".\n        const dest = substituteAndSanitizeDestination(redirect.destination, {\n          [entry.paramName]: \"\",\n          ...conditionParams,\n        });\n        localeMatch = { destination: dest, permanent: redirect.permanent };\n        localeMatchIndex = entry.originalIndex;\n        break; // bucket entries are in insertion order = original order\n      }\n    }\n\n    // Case 2: locale prefix present — first path segment is the locale.\n    // Find the second slash: pathname = \"/locale/rest/of/path\"\n    //                                         ^--- slashTwo\n    const slashTwo = pathname.indexOf(\"/\", 1);\n    if (slashTwo !== -1) {\n      const suffix = pathname.slice(slashTwo); // e.g. \"/security\"\n      const localePart = pathname.slice(1, slashTwo); // e.g. \"en\"\n      const localeBucket = index.localeStatic.get(suffix);\n      if (localeBucket) {\n        for (const entry of localeBucket) {\n          if (entry.originalIndex >= localeMatchIndex) continue;\n          // Validate that `localePart` is one of the allowed alternation values.\n          if (!entry.altRe.test(localePart)) continue;\n          const redirect = entry.redirect;\n          if (!shouldEvaluateRule(redirect.basePath, basePathState)) continue;\n          const conditionParams =\n            redirect.has || redirect.missing\n              ? collectConditionParams(redirect.has, redirect.missing, ctx)\n              : _emptyParams();\n          if (!conditionParams) continue;\n          const dest = substituteAndSanitizeDestination(redirect.destination, {\n            [entry.paramName]: localePart,\n            ...conditionParams,\n          });\n          localeMatch = { destination: dest, permanent: redirect.permanent };\n          localeMatchIndex = entry.originalIndex;\n          break; // bucket entries are in insertion order = original order\n        }\n      }\n    }\n  }\n\n  // --- Linear fallback: all non-locale-static rules ---\n  //\n  // We only need to check linear rules whose originalIndex < localeMatchIndex.\n  // If localeMatchIndex is Infinity (no locale match), we check all of them.\n  for (const [origIdx, redirect] of index.linear) {\n    if (origIdx >= localeMatchIndex) {\n      // This linear rule comes after the best locale-static match —\n      // the locale-static match wins. Stop scanning.\n      break;\n    }\n    if (!shouldEvaluateRule(redirect.basePath, basePathState)) continue;\n    const params = matchConfigPattern(pathname, redirect.source);\n    if (params) {\n      const conditionParams =\n        redirect.has || redirect.missing\n          ? collectConditionParams(redirect.has, redirect.missing, ctx)\n          : _emptyParams();\n      if (!conditionParams) continue;\n      // Collapse protocol-relative URLs (e.g. //evil.com from decoded %2F in catch-all params).\n      const dest = substituteAndSanitizeDestination(redirect.destination, {\n        ...params,\n        ...conditionParams,\n      });\n      return { destination: dest, permanent: redirect.permanent };\n    }\n  }\n\n  // Return the locale-static match if found (no earlier linear rule matched).\n  return localeMatch;\n}\n\n/**\n * Apply rewrite rules from next.config.js.\n * Returns the rewritten URL or null if no rewrite matched.\n *\n * `ctx` provides the request context (cookies, headers, query, host) used\n * to evaluate has/missing conditions. Next.js always has request context\n * when evaluating rewrites, so this parameter is required.\n */\nexport function matchRewrite(\n  pathname: string,\n  rewrites: NextRewrite[],\n  ctx: RequestContext,\n  basePathState: BasePathMatchState = _BASEPATH_DEFAULT,\n): string | null {\n  for (const rewrite of rewrites) {\n    if (!shouldEvaluateRule(rewrite.basePath, basePathState)) continue;\n    const params = matchConfigPattern(pathname, rewrite.source);\n    if (params) {\n      const conditionParams =\n        rewrite.has || rewrite.missing\n          ? collectConditionParams(rewrite.has, rewrite.missing, ctx)\n          : _emptyParams();\n      if (!conditionParams) continue;\n      // Collapse protocol-relative URLs (e.g. //evil.com from decoded %2F in catch-all params).\n      return substituteAndSanitizeDestination(rewrite.destination, {\n        ...params,\n        ...conditionParams,\n      });\n    }\n  }\n  return null;\n}\n\n/**\n * Substitute all matched route params into a redirect/rewrite destination.\n *\n * Handles repeated params (e.g. `/api/:id/:id`) and catch-all suffix forms\n * (`:path*`, `:path+`) in a single pass. Unknown params are left intact.\n */\nfunction substituteDestinationParams(destination: string, params: Record<string, string>): string {\n  const keys = Object.keys(params);\n  if (keys.length === 0) return destination;\n\n  // Match only the concrete param keys captured from the source pattern.\n  // Sorting longest-first ensures hyphenated names like `auth-method`\n  // win over shorter prefixes like `auth`. The negative lookahead keeps\n  // alphanumeric/underscore suffixes attached, while allowing `-` to act\n  // as a literal delimiter in destinations like `:year-:month`.\n  const sortedKeys = [...keys].sort((a, b) => b.length - a.length);\n  const cacheKey = sortedKeys.join(\"\\0\");\n  let paramRe = _compiledDestinationParamCache.get(cacheKey);\n  if (!paramRe) {\n    const paramAlternation = sortedKeys\n      .map((key) => key.replace(/[.*+?^${}()|[\\]\\\\]/g, \"\\\\$&\"))\n      .join(\"|\");\n    paramRe = new RegExp(`:(${paramAlternation})([+*])?(?![A-Za-z0-9_])`, \"g\");\n    _compiledDestinationParamCache.set(cacheKey, paramRe);\n  }\n\n  return destination.replace(paramRe, (_token, key: string) => params[key]);\n}\n\n/**\n * Substitute params into a redirect/rewrite destination and sanitize the\n * result. Used by every redirect/rewrite branch — the substitution can\n * introduce protocol-relative URLs (e.g. `//evil.com` from a decoded `%2F`\n * in a catch-all param), which sanitizeDestination collapses.\n */\nfunction substituteAndSanitizeDestination(\n  destination: string,\n  params: Record<string, string>,\n): string {\n  return sanitizeDestination(substituteDestinationParams(destination, params));\n}\n\n/**\n * Sanitize a redirect/rewrite destination to collapse protocol-relative URLs.\n *\n * After parameter substitution, a destination like `/:path*` can become\n * `//evil.com` if the catch-all captured a decoded `%2F` (`/evil.com`).\n * Browsers interpret `//evil.com` as a protocol-relative URL, redirecting\n * users off-site.\n *\n * This function collapses any leading double (or more) slashes to a single\n * slash for non-external (relative) destinations.\n */\nexport function sanitizeDestination(dest: string): string {\n  // External URLs (http://, https://) are intentional — don't touch them\n  if (dest.startsWith(\"http://\") || dest.startsWith(\"https://\")) {\n    return dest;\n  }\n  // Normalize leading backslashes to forward slashes. Browsers interpret\n  // backslash as forward slash in URL contexts, so \"\\/evil.com\" becomes\n  // \"//evil.com\" (protocol-relative redirect). Replace any mix of leading\n  // slashes and backslashes with a single forward slash.\n  dest = dest.replace(/^[\\\\/]+/, \"/\");\n  return dest;\n}\n\n/**\n * Check if a URL is external (absolute URL or protocol-relative).\n * Detects any URL scheme (http:, https:, data:, javascript:, blob:, etc.)\n * per RFC 3986, plus protocol-relative URLs (//).\n */\nexport function isExternalUrl(url: string): boolean {\n  return /^[a-z][a-z0-9+.-]*:/i.test(url) || url.startsWith(\"//\");\n}\n\n/**\n * Proxy an incoming request to an external URL and return the upstream response.\n *\n * Used for external rewrites (e.g. `/ph/:path*` → `https://us.i.posthog.com/:path*`).\n * Next.js handles these as server-side reverse proxies, forwarding the request\n * method, headers, and body to the external destination.\n *\n * Works in all runtimes (Node.js, Cloudflare Workers) via the standard fetch() API.\n */\nexport async function proxyExternalRequest(\n  request: Request,\n  externalUrl: string,\n): Promise<Response> {\n  // Build the full external URL, preserving query parameters from the original request\n  const originalUrl = new URL(request.url);\n  const targetUrl = new URL(externalUrl);\n  const destinationKeys = new Set(targetUrl.searchParams.keys());\n\n  // If the rewrite destination already has query params, merge them.\n  // Destination params take precedence — original request params are only added\n  // when the destination doesn't already specify that key.\n  for (const [key, value] of originalUrl.searchParams) {\n    if (!destinationKeys.has(key)) {\n      targetUrl.searchParams.append(key, value);\n    }\n  }\n\n  // Forward the request with appropriate headers\n  const headers = new Headers(request.headers);\n  // Set Host to the external target (required for correct routing)\n  headers.set(\"host\", targetUrl.host);\n  // Remove headers that should not be forwarded to external services.\n  // fetch() handles framing independently, so hop-by-hop transport headers\n  // from the client must not be forwarded upstream. In particular,\n  // transfer-encoding could cause request boundary disagreement between the\n  // proxy and backend (defense-in-depth against request smuggling,\n  // ref: CVE GHSA-ggv3-7p47-pfv8).\n  stripHopByHopRequestHeaders(headers);\n  const keysToDelete: string[] = [];\n  for (const key of headers.keys()) {\n    if (key.startsWith(MIDDLEWARE_HEADER_PREFIX)) {\n      keysToDelete.push(key);\n    }\n  }\n  for (const key of keysToDelete) {\n    headers.delete(key);\n  }\n  // Internal prerender authentication header must never be forwarded to\n  // external rewrite destinations. It authorizes hidden production endpoints\n  // used only by vinext's own prerender pipeline.\n  headers.delete(VINEXT_PRERENDER_SECRET_HEADER);\n  headers.delete(VINEXT_PRERENDER_ROUTE_PARAMS_HEADER);\n  // Internal App Router dev middleware context must never leave the dev server.\n  headers.delete(VINEXT_MW_CTX_HEADER);\n\n  const method = request.method;\n  const hasBody = method !== \"GET\" && method !== \"HEAD\";\n\n  const init: RequestInit & { duplex?: string } = {\n    method,\n    headers,\n    redirect: \"manual\", // Don't follow redirects — pass them through to the client\n  };\n\n  if (hasBody && request.body) {\n    init.body = request.body;\n    init.duplex = \"half\";\n  }\n\n  // Enforce a timeout so slow/unresponsive upstreams don't hold connections\n  // open indefinitely (DoS amplification risk on Node.js dev/prod servers).\n  const controller = new AbortController();\n  const timeout = setTimeout(() => controller.abort(), 30_000);\n  let upstreamResponse: Response;\n  try {\n    upstreamResponse = await fetch(targetUrl.href, { ...init, signal: controller.signal });\n  } catch (e) {\n    if (e instanceof Error && e.name === \"AbortError\") {\n      console.error(\"[vinext] External rewrite proxy timeout:\", targetUrl.href);\n      return new Response(\"Gateway Timeout\", { status: 504 });\n    }\n    console.error(\"[vinext] External rewrite proxy error:\", e);\n    return new Response(\"Bad Gateway\", { status: 502 });\n  } finally {\n    clearTimeout(timeout);\n  }\n\n  // Build the response to return to the client.\n  // Copy all upstream headers except hop-by-hop headers.\n  // Node.js fetch() auto-decompresses responses (gzip, br, etc.), so the body\n  // we receive is already plain text. Forwarding the original content-encoding\n  // and content-length headers causes the browser to attempt a second\n  // decompression on the already-decoded body, resulting in\n  // ERR_CONTENT_DECODING_FAILED. Strip both headers on Node.js only.\n  // On Workers, fetch() preserves wire encoding, so the headers stay accurate.\n  const isNodeRuntime = typeof process !== \"undefined\" && !!process.versions?.node;\n  const responseHeaders = new Headers();\n  upstreamResponse.headers.forEach((value, key) => {\n    const lower = key.toLowerCase();\n    if (HOP_BY_HOP_HEADERS.has(lower)) return;\n    if (isNodeRuntime && (lower === \"content-encoding\" || lower === \"content-length\")) return;\n    responseHeaders.append(key, value);\n  });\n\n  return new Response(upstreamResponse.body, {\n    status: upstreamResponse.status,\n    statusText: upstreamResponse.statusText,\n    headers: responseHeaders,\n  });\n}\n\n/**\n * Apply custom header rules from next.config.js.\n * Returns an array of { key, value } pairs to set on the response.\n *\n * `ctx` provides the request context (cookies, headers, query, host) used\n * to evaluate has/missing conditions. Next.js always has request context\n * when evaluating headers, so this parameter is required.\n */\nexport function matchHeaders(\n  pathname: string,\n  headers: NextHeader[],\n  ctx: RequestContext,\n  basePathState: BasePathMatchState = _BASEPATH_DEFAULT,\n): Array<{ key: string; value: string }> {\n  // Header source regexes are compiled without a trailing-slash tolerance,\n  // so the incoming pathname must be normalized the same way config rewrites\n  // and redirects are. See `stripTrailingSlashForConfigMatch`.\n  pathname = stripTrailingSlashForConfigMatch(pathname);\n\n  const result: Array<{ key: string; value: string }> = [];\n  for (const rule of headers) {\n    if (!shouldEvaluateRule(rule.basePath, basePathState)) continue;\n    // Cache the compiled source regex — escapeHeaderSource() + safeRegExp() are\n    // pure functions of rule.source and the result never changes between requests.\n    const sourceRegex = getCachedRegex(_compiledHeaderSourceCache, rule.source, () =>\n      safeRegExp(\"^\" + escapeHeaderSource(rule.source) + \"$\"),\n    );\n    if (sourceRegex && sourceRegex.test(pathname)) {\n      if (rule.has || rule.missing) {\n        if (!checkHasConditions(rule.has, rule.missing, ctx)) {\n          continue;\n        }\n      }\n      result.push(...rule.headers);\n    }\n  }\n  return result;\n}\n\n/**\n * Escape a string for inclusion in a regex character class / alternation.\n * Mirrors `escape-string-regexp` semantics used by Next.js's processRoutes.\n */\nfunction _escapeRegexString(value: string): string {\n  return value.replace(/[|\\\\{}()[\\]^$+*?.]/g, \"\\\\$&\");\n}\n\n/**\n * Apply Next.js i18n locale-prefix transformation to a set of redirect or\n * rewrite rules. Mirrors the relevant slice of Next.js's `processRoutes`\n * (load-custom-routes.ts) with one deliberate divergence noted below.\n *\n * For each rule:\n *   - If `locale === false` or no i18n is configured, the rule is emitted\n *     untouched. This is the core of issue #1336 item 1: with `locale: false`\n *     the user-supplied source is matched against the raw locale-prefixed\n *     URL so a `:locale` segment in the source captures the prefix itself.\n *   - Otherwise an internal locale-capture variant is produced whose source\n *     starts with `/:nextInternalLocale(en|sv|nl)` so that locale-prefixed\n *     URLs match. For redirects only, a second variant prefixed with\n *     `/${defaultLocale}` is also emitted, matching Next.js exactly.\n *   - **Vinext divergence**: we ALSO retain the original (unprefixed) source\n *     so that requests for the default locale that arrive without a prefix\n *     still match. Next.js solves this upstream by path-normalising every\n *     incoming default-locale request to include the prefix\n *     (`resolve-routes.ts` lines ~251-263); vinext currently does that\n *     normalisation only inside the pages-server-entry route matcher, so\n *     the rewrite/redirect matcher would otherwise miss unprefixed paths.\n *     Keeping the unprefixed variant gives functionally identical behaviour\n *     without requiring a server-wide path normalisation pass. The original\n *     source is appended LAST so the locale-aware variants win when both\n *     forms could match.\n *\n * Destinations that are local (start with `/`) are similarly rewritten with\n * `/:nextInternalLocale` for the locale-capture variant so the locale\n * survives the rewrite/redirect target.\n *\n * Mirrors the Next.js reference in\n * packages/next/src/lib/load-custom-routes.ts — see `processRoutes`.\n */\nexport function applyLocaleToRoutes<T extends NextRedirect | NextRewrite>(\n  routes: T[],\n  i18n: NextI18nConfig | null | undefined,\n  type: \"redirect\" | \"rewrite\",\n  options: { trailingSlash?: boolean } = {},\n): T[] {\n  if (!i18n || routes.length === 0) return routes;\n\n  const trailingSlash = options.trailingSlash ?? false;\n  const localesAlternation = i18n.locales.map(_escapeRegexString).join(\"|\");\n  const internalLocale = `/:nextInternalLocale(${localesAlternation})`;\n\n  // Mirrors Next.js: the root source `\"/\"` is collapsed to `\"\"` only when\n  // `trailingSlash` is unset. With `trailingSlash: true` the source is\n  // preserved so the emitted variant is `/:nextInternalLocale(en|fr)/`\n  // rather than `/:nextInternalLocale(en|fr)`.\n  const suffixFor = (source: string): string => (source === \"/\" && !trailingSlash ? \"\" : source);\n\n  // For redirects, Next.js emits a per-default-locale literal variant\n  // (so that `/${defaultLocale}/old` redirects to the unprefixed destination\n  // and the default locale is implicitly stripped). For rewrites Next.js\n  // emits only the `:nextInternalLocale` form. We mirror that distinction.\n  //\n  // The list is a single-element array today; domain-locale support (which\n  // Next.js wires up alongside `i18n.domains`) will append each domain's\n  // `defaultLocale` here once vinext mirrors that branch — tracked as part\n  // of #1336's follow-ups.\n  const defaultLocales: string[] = type === \"redirect\" ? [i18n.defaultLocale] : [];\n\n  const out: T[] = [];\n  for (const r of routes) {\n    if (r.locale === false) {\n      out.push(r);\n      continue;\n    }\n\n    // Destinations may be absolute URLs (external) — Next.js skips the\n    // locale-prefix injection on external destinations.\n    const isExternal = !!r.destination && !r.destination.startsWith(\"/\");\n\n    // For each default locale, emit a literal `/${locale}/...` variant\n    // whose destination does NOT carry a locale prefix (Next.js parity).\n    if (!isExternal) {\n      for (const locale of defaultLocales) {\n        const localizedSource = `/${locale}${suffixFor(r.source)}`;\n        out.push({\n          ...r,\n          source: localizedSource,\n        });\n      }\n    }\n\n    // Emit the `:nextInternalLocale` variant that matches all locales.\n    const internalSource = `${internalLocale}${suffixFor(r.source)}`;\n    let internalDestination = r.destination;\n    if (internalDestination && internalDestination.startsWith(\"/\") && !isExternal) {\n      internalDestination = `/:nextInternalLocale${\n        internalDestination === \"/\" && !trailingSlash ? \"\" : internalDestination\n      }`;\n    }\n    out.push({\n      ...r,\n      source: internalSource,\n      destination: internalDestination,\n    });\n\n    // Retain the original unprefixed source as a fallback so default-locale\n    // requests that arrive without a prefix (e.g. `/old`) still match.\n    // See the docblock above for why this differs from upstream Next.js.\n    out.push(r);\n  }\n  return out;\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAmCA,MAAM,wCAAwB,IAAI,KAA0D;;;;;;;;;;;;AAa5F,MAAM,6CAA6B,IAAI,KAA4B;;;;;;;;;;;;;AAcnE,MAAM,0CAA0B,IAAI,KAA4B;;;;;;;;AAShE,MAAM,iDAAiC,IAAI,KAAqB;;;;;;;;;;;;AAahE,SAAS,eAAqB,OAAyB,KAAQ,SAAmC;CAChG,IAAI,QAAQ,MAAM,IAAI,IAAI;CAC1B,IAAI,UAAU,KAAA,GAAW;EACvB,QAAQ,SAAS;EACjB,MAAM,IAAI,KAAK,MAAM;;CAEvB,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+CT,MAAM,oBAAoB;AAyB1B,MAAM,sCAAsB,IAAI,SAAwC;;;;;;;;AASxE,SAAS,kBAAkB,WAA0C;CACnE,IAAI,QAAQ,oBAAoB,IAAI,UAAU;CAC9C,IAAI,UAAU,KAAA,GAAW,OAAO;CAEhC,MAAM,+BAAe,IAAI,KAAkC;CAC3D,MAAM,SAAwC,EAAE;CAEhD,KAAK,IAAI,IAAI,GAAG,IAAI,UAAU,QAAQ,KAAK;EACzC,MAAM,WAAW,UAAU;EAC3B,MAAM,IAAI,kBAAkB,KAAK,SAAS,OAAO;EACjD,IAAI,GAAG;GACL,MAAM,YAAY,SAAS,OAAO,MAAM,GAAG,SAAS,OAAO,QAAQ,IAAI,CAAC;GACxE,MAAM,cAAc,EAAE;GACtB,MAAM,WAAW,EAAE,OAAO;GAC1B,MAAM,SAAS,MAAM,EAAE;GAKvB,MAAM,QAAQ,WAAW,SAAS,cAAc,KAAK;GACrD,IAAI,CAAC,OAAO;IAEV,OAAO,KAAK,CAAC,GAAG,SAAS,CAAC;IAC1B;;GAEF,MAAM,QAA2B;IAC/B;IACA;IACA;IACA;IACA,eAAe;IAChB;GACD,MAAM,SAAS,aAAa,IAAI,OAAO;GACvC,IAAI,QACF,OAAO,KAAK,MAAM;QAElB,aAAa,IAAI,QAAQ,CAAC,MAAM,CAAC;SAGnC,OAAO,KAAK,CAAC,GAAG,SAAS,CAAC;;CAI9B,QAAQ;EAAE;EAAc;EAAQ;CAChC,oBAAoB,IAAI,WAAW,MAAM;CACzC,OAAO;;;AAIT,MAAM,qBAAqB,IAAI,IAAI;CACjC;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACD,CAAC;;;;;;;AAQF,MAAM,6BAA6B,IAAI,IAAI;CACzC;CACA;CACA;CACA;CACA;CACA;CACD,CAAC;AAEF,SAAS,4BAA4B,SAAwB;CAC3D,MAAM,oBAAoB,QAAQ,IAAI,aAAa,IAAI,IACpD,MAAM,IAAI,CACV,KAAK,UAAU,MAAM,MAAM,CAAC,aAAa,CAAC,CAC1C,OAAO,QAAQ;CAElB,KAAK,MAAM,UAAU,4BACnB,QAAQ,OAAO,OAAO;CAGxB,KAAK,MAAM,SAAS,kBAClB,QAAQ,OAAO,MAAM;;;;;;;;;;;;AAczB,SAAgB,YAAY,SAA0B;CAGpD,MAAM,oBAA+B,EAAE;CACvC,IAAI,QAAQ;CACZ,IAAI,IAAI;CAER,OAAO,IAAI,QAAQ,QAAQ;EACzB,MAAM,KAAK,QAAQ;EAGnB,IAAI,OAAO,MAAM;GACf,KAAK;GACL;;EAIF,IAAI,OAAO,KAAK;GACd;GACA,OAAO,IAAI,QAAQ,UAAU,QAAQ,OAAO,KAAK;IAC/C,IAAI,QAAQ,OAAO,MAAM;IACzB;;GAEF;GACA;;EAGF,IAAI,OAAO,KAAK;GACd;GAEA,IAAI,kBAAkB,UAAU,OAC9B,kBAAkB,KAAK,MAAM;QAE7B,kBAAkB,SAAS;GAE7B;GACA;;EAGF,IAAI,OAAO,KAAK;GACd,MAAM,gBAAgB,QAAQ,KAAK,kBAAkB;GACrD,IAAI,QAAQ,GAAG;GAMf,MAAM,OAAO,QAAQ,IAAI;GACzB,IAAI,SAAS,OAAO,SAAS,OAAO,SAAS,KAAK;IAChD,IAAI,eAEF,OAAO;IAGT,IAAI,SAAS,KAAK,QAAQ,kBAAkB,QAC1C,kBAAkB,SAAS;;GAG/B;GACA;;EAMF,IAAI,OAAO,OAAO,OAAO,KAAK;GAC5B,IAAI,QAAQ,GACV,kBAAkB,SAAS;GAE7B;GACA;;EAGF,IAAI,OAAO,KAAK;GAEd,MAAM,OAAO,IAAI,IAAI,QAAQ,IAAI,KAAK;GACtC,IAAI,SAAS,OAAO,SAAS,OAAO,SAAS,OAAO,SAAS;QACvD,QAAQ,GACV,kBAAkB,SAAS;;GAG/B;GACA;;EAGF,IAAI,OAAO,KAAK;GAEd,IAAI,IAAI,IAAI;GACZ,OAAO,IAAI,QAAQ,UAAU,QAAQ,KAAK,QAAQ,GAAG,EAAE;GACvD,IAAI,IAAI,QAAQ,UAAU,QAAQ,OAAO,OAAO,IAAI,IAAI,GAAG;IACzD,IAAI,QAAQ,GACV,kBAAkB,SAAS;IAE7B,IAAI,IAAI;IACR;;;EAIJ;;CAGF,OAAO;;;;;;;;AAST,SAAgB,WAAW,SAAiB,OAA+B;CACzE,IAAI,CAAC,YAAY,QAAQ,EAAE;EACzB,QAAQ,KACN,oEAAoE,QAAQ,4IAG7E;EACD,OAAO;;CAET,IAAI;EACF,OAAO,IAAI,OAAO,SAAS,MAAM;SAC3B;EACN,OAAO;;;;;;;;;;AAWX,SAAgB,mBAAmB,QAAwB;CAGzD,MAAM,IAAI;CAGV,MAAM,SAAmB,EAAE;CAC3B,MAAM,mBAAmB,OAAO,QAAQ,iBAAiB,IAAI,UAAU;EACrE,OAAO,KAAK,MAAM;EAClB,OAAO,GAAG,EAAE,GAAG,OAAO,SAAS,IAAI;GACnC;CAUF,IAAI,SAAS;CACb,MAAM,KAAK,IAAI,OACb,GAAG,EAAE,SAAS,EAAE,oCAChB,IACD;CACD,IAAI;CACJ,QAAQ,IAAI,GAAG,KAAK,iBAAiB,MAAM,MACzC,IAAI,EAAE,OAAO,KAAA,GAEX,UAAU,IAAI,OAAO,OAAO,EAAE,GAAG,EAAE;MAC9B,IAAI,EAAE,GAAG,WAAW,IAAI,EAAE;EAG/B,MAAM,kBADa,iBAAiB,MAAM,GAAG,UACX,CAAC,MAAM,IAAI,OAAO,IAAI,EAAE,SAAS,IAAI,CAAC;EACxE,IAAI,iBAAiB;GAEnB,GAAG,aAAa,gBAAgB,GAAG;GACnC,UAAU,IAAI,OAAO,OAAO,gBAAgB,GAAG,EAAE;SAGjD,UAAU;QAGZ,QAAQ,EAAE,IAAV;EACE,KAAK;GACH,UAAU;GACV;EACF,KAAK;GACH,UAAU;GACV;EACF,KAAK;GACH,UAAU;GACV;EACF,KAAK;GACH,UAAU;GACV;EACF;GACE,UAAU,EAAE;GACZ;;CAKR,OAAO;;AAsCT,MAAM,oBAAwC;CAAE,UAAU;CAAI,aAAa;CAAM;;;;;;;;;;;;;AAcjF,SAAS,mBAAmB,cAAiC,OAAoC;CAC/F,IAAI,CAAC,MAAM,UAAU,OAAO;CAC5B,OAAO,iBAAiB,QAAQ,CAAC,MAAM,cAAc,MAAM;;;;;AAM7D,SAAgB,aAAa,cAAqD;CAChF,IAAI,CAAC,cAAc,OAAO,EAAE;CAC5B,MAAM,UAAkC,EAAE;CAC1C,KAAK,MAAM,QAAQ,aAAa,MAAM,IAAI,EAAE;EAC1C,MAAM,KAAK,KAAK,QAAQ,IAAI;EAC5B,IAAI,OAAO,IAAI;EACf,MAAM,MAAM,KAAK,MAAM,GAAG,GAAG,CAAC,MAAM;EACpC,MAAM,QAAQ,KAAK,MAAM,KAAK,EAAE,CAAC,MAAM;EACvC,IAAI,KAAK,QAAQ,OAAO;;CAE1B,OAAO;;;;;AAMT,SAAgB,0BAA0B,SAAkC;CAC1E,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;CAChC,OAAO;EACL,SAAS,QAAQ;EACjB,SAAS,aAAa,QAAQ,QAAQ,IAAI,SAAS,CAAC;EACpD,OAAO,IAAI;EACX,MAAM,cAAc,QAAQ,QAAQ,IAAI,OAAO,EAAE,IAAI,SAAS;EAC/D;;AAGH,SAAgB,cAAc,YAA2B,kBAAkC;CAEzF,QADa,cAAc,kBACf,MAAM,KAAK,EAAE,CAAC,GAAG,aAAa;;;;;;;;;;;;;;;;;;;AAoB5C,SAAgB,8BACd,mBACA,SACA,UAAmD,EAAE,EACD;CACpD,MAAM,cAAc,0CAClB,QAAQ,SACR,mBACA,QACD;CAED,KAAK,MAAM,OAAO,OAAO,KAAK,kBAAkB,EAC9C,IAAI,IAAI,WAAA,gBAAoC,EAC1C,OAAO,kBAAkB;CAI7B,IAAI,aAEF,UAAU,IAAI,QAAQ,QAAQ,KAAK;EACjC,QAAQ,QAAQ;EAChB,SAAS;EACT,MAAM,QAAQ;EAEd,QAAQ,QAAQ,OAAO,SAAS,KAAA;EACjC,CAAC;CAGJ,OAAO;EAAE;EAAS,cAAc,0BAA0B,QAAQ;EAAE;;AAGtE,SAAS,eAAuC;CAC9C,OAAO,OAAO,OAAO,KAAK;;AAG5B,SAAS,qBACP,aACA,eAC+B;CAC/B,IAAI,kBAAkB,KAAA,GAAW,OAAO,cAAc;CAEtD,MAAM,KAAK,sBAAsB,cAAc;CAC/C,IAAI,IAAI;EACN,MAAM,QAAQ,GAAG,KAAK,YAAY;EAClC,IAAI,CAAC,OAAO,OAAO;EAEnB,MAAM,SAAS,cAAc;EAC7B,IAAI,MAAM;QACH,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,OAAO,EACrD,IAAI,UAAU,KAAA,GAAW,OAAO,OAAO;;EAG3C,OAAO;;CAGT,OAAO,gBAAgB,gBAAgB,cAAc,GAAG;;;;;;AAO1D,SAAS,qBACP,WACA,KAC+B;CAC/B,QAAQ,UAAU,MAAlB;EACE,KAAK,UAAU;GACb,MAAM,cAAc,IAAI,QAAQ,IAAI,UAAU,IAAI;GAClD,IAAI,gBAAgB,MAAM,OAAO;GACjC,OAAO,qBAAqB,aAAa,UAAU,MAAM;;EAE3D,KAAK,UAAU;GACb,MAAM,cAAc,IAAI,QAAQ,UAAU;GAC1C,IAAI,gBAAgB,KAAA,GAAW,OAAO;GACtC,OAAO,qBAAqB,aAAa,UAAU,MAAM;;EAE3D,KAAK,SAAS;GACZ,MAAM,aAAa,IAAI,MAAM,IAAI,UAAU,IAAI;GAC/C,IAAI,eAAe,MAAM,OAAO;GAChC,OAAO,qBAAqB,YAAY,UAAU,MAAM;;EAE1D,KAAK;GACH,IAAI,UAAU,UAAU,KAAA,GAAW,OAAO,qBAAqB,IAAI,MAAM,UAAU,MAAM;GACzF,OAAO,IAAI,SAAS,UAAU,MAAM,cAAc,GAAG;EAEvD,SACE,OAAO;;;;;;;;AASb,SAAS,sBAAsB,OAA8B;CAC3D,OAAO,eAAe,yBAAyB,aAI7C,WAAW,IAAI,MAAM,GAAG,CACzB;;;;;;;;;AAUH,SAAS,uBACP,KACA,SACA,KAC+B;CAC/B,MAAM,SAAS,cAAc;CAE7B,IAAI,KACF,KAAK,MAAM,aAAa,KAAK;EAC3B,MAAM,kBAAkB,qBAAqB,WAAW,IAAI;EAC5D,IAAI,CAAC,iBAAiB,OAAO;EAC7B,OAAO,OAAO,QAAQ,gBAAgB;;CAI1C,IAAI;OACG,MAAM,aAAa,SACtB,IAAI,qBAAqB,WAAW,IAAI,EAAE,OAAO;;CAIrD,OAAO;;AAGT,SAAgB,mBACd,KACA,SACA,KACS;CACT,OAAO,uBAAuB,KAAK,SAAS,IAAI,KAAK;;;;;;;AAQvD,SAAS,kBAAkB,KAAa,IAA2B;CACjE,IAAI,IAAI,GAAG,eAAe,KAAK,OAAO;CACtC,MAAM,QAAQ,GAAG,YAAY;CAC7B,IAAI,QAAQ;CACZ,IAAI,IAAI;CACR,OAAO,IAAI,IAAI,UAAU,QAAQ,GAAG;EAClC,IAAI,IAAI,OAAO,KAAK;OACf,IAAI,IAAI,OAAO,KAAK;EACzB;;CAEF,IAAI,UAAU,GAAG,OAAO;CACxB,GAAG,YAAY;CACf,OAAO,IAAI,MAAM,OAAO,IAAI,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+BhC,SAAS,iCAAiC,UAA0B;CAClE,OAAO,SAAS,SAAS,KAAK,SAAS,SAAS,IAAI,GAAG,SAAS,MAAM,GAAG,GAAG,GAAG;;AAGjF,SAAgB,mBACd,UACA,SAC+B;CAK/B,WAAW,iCAAiC,SAAS;CAmBrD,MAAM,iBAAiB,cAAc,KAAK,QAAQ;CAClD,MAAM,mBAAmB,QAAQ,MAAM,WAAW,IAAI,EAAE,EAAE;CAC1D,IACE,QAAQ,SAAS,IAAI,IACrB,QAAQ,SAAS,KAAK,IACtB,kBAAkB,KAAK,QAAQ,IAC/B,YAAY,KAAK,QAAQ,IACxB,kBAAkB,kBAAkB,GAErC,IAAI;EAKF,MAAM,WAAW,eAAe,uBAAuB,eAAe;GAGpE,MAAM,aAAuB,EAAE;GAK/B,IAAI,WAAW;GACf,MAAM,UAAU;GAChB,IAAI;GACJ,QAAQ,MAAM,QAAQ,KAAK,QAAQ,MAAM,MACvC,IAAI,IAAI,OAAO,KAAA,GAAW;IACxB,MAAM,OAAO,IAAI;IACjB,MAAM,OAAO,QAAQ,MAAM,QAAQ,UAAU;IAE7C,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,EAAE;KAChD,MAAM,aAAa,KAAK;KACxB,QAAQ,aAAa;KACrB,MAAM,aAAa,kBAAkB,SAAS,QAAQ;KACtD,WAAW,KAAK,KAAK;KACrB,IAAI,eAAe,MACjB,YAAY,IAAI,WAAW;UAE3B,YAAY,eAAe,MAAM,SAAS;WAEvC;KAEL,MAAM,aAAa,kBAAkB,SAAS,QAAQ;KACtD,WAAW,KAAK,KAAK;KACrB,YAAY,eAAe,OAAO,IAAI,WAAW,KAAK;;UAEnD,IAAI,IAAI,OAAO,KACpB,YAAY;QAEZ,YAAY,IAAI;GAGpB,MAAM,KAAK,WAAW,MAAM,WAAW,IAAI;GAC3C,OAAO,KAAK;IAAE;IAAI;IAAY,GAAG;IACjC;EACF,IAAI,CAAC,UAAU,OAAO;EACtB,MAAM,QAAQ,SAAS,GAAG,KAAK,SAAS;EACxC,IAAI,CAAC,OAAO,OAAO;EACnB,MAAM,SAAiC,OAAO,OAAO,KAAK;EAC1D,KAAK,IAAI,IAAI,GAAG,IAAI,SAAS,WAAW,QAAQ,KAC9C,OAAO,SAAS,WAAW,MAAM,MAAM,IAAI,MAAM;EAEnD,OAAO;SACD;CAOV,MAAM,gBAAgB,QAAQ,MAAM,oBAAoB;CACxD,IAAI,eAAe;EACjB,MAAM,SAAS,QAAQ,MAAM,GAAG,QAAQ,YAAY,IAAI,CAAC;EACzD,MAAM,YAAY,cAAc;EAChC,MAAM,SAAS,cAAc,OAAO;EAEpC,MAAM,gBAAgB,OAAO,QAAQ,OAAO,GAAG;EAC/C,IAAI,CAAC,SAAS,WAAW,cAAc,EAAE,OAAO;EAChD,MAAM,YAAY,SAAS,cAAc;EACzC,IAAI,cAAc,KAAA,KAAa,cAAc,KAAK,OAAO;EAEzD,MAAM,OAAO,SAAS,MAAM,cAAc,OAAO;EACjD,IAAI,WAAW,CAAC,QAAQ,SAAS,MAAM,OAAO;EAC9C,IAAI,YAAY,KAAK,WAAW,IAAI,GAAG,KAAK,MAAM,EAAE,GAAG;EAGvD,OAAO,GAAG,YAAY,WAAW;;CAInC,MAAM,QAAQ,QAAQ,MAAM,IAAI;CAChC,MAAM,YAAY,SAAS,MAAM,IAAI;CAErC,IAAI,MAAM,WAAW,UAAU,QAAQ,OAAO;CAE9C,MAAM,SAAiC,OAAO,OAAO,KAAK;CAC1D,KAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,KAChC,IAAI,MAAM,GAAG,WAAW,IAAI,EAC1B,OAAO,MAAM,GAAG,MAAM,EAAE,IAAI,UAAU;MACjC,IAAI,MAAM,OAAO,UAAU,IAChC,OAAO;CAGX,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsCT,SAAgB,cACd,UACA,WACA,KACA,gBAAoC,mBACgB;CACpD,IAAI,UAAU,WAAW,GAAG,OAAO;CAMnC,WAAW,iCAAiC,SAAS;CAErD,MAAM,QAAQ,kBAAkB,UAAU;CAe1C,IAAI,cAAkE;CACtE,IAAI,mBAAmB;CAEvB,IAAI,MAAM,aAAa,OAAO,GAAG;EAM/B,MAAM,iBAAiB,MAAM,aAAa,IAAI,SAAS;EACvD,IAAI,gBACF,KAAK,MAAM,SAAS,gBAAgB;GAClC,IAAI,CAAC,MAAM,UAAU;GACrB,IAAI,MAAM,iBAAiB,kBAAkB;GAC7C,MAAM,WAAW,MAAM;GACvB,IAAI,CAAC,mBAAmB,SAAS,UAAU,cAAc,EAAE;GAC3D,MAAM,kBACJ,SAAS,OAAO,SAAS,UACrB,uBAAuB,SAAS,KAAK,SAAS,SAAS,IAAI,GAC3D,cAAc;GACpB,IAAI,CAAC,iBAAiB;GAMtB,cAAc;IAAE,aAJH,iCAAiC,SAAS,aAAa;MACjE,MAAM,YAAY;KACnB,GAAG;KACJ,CACgC;IAAE,WAAW,SAAS;IAAW;GAClE,mBAAmB,MAAM;GACzB;;EAOJ,MAAM,WAAW,SAAS,QAAQ,KAAK,EAAE;EACzC,IAAI,aAAa,IAAI;GACnB,MAAM,SAAS,SAAS,MAAM,SAAS;GACvC,MAAM,aAAa,SAAS,MAAM,GAAG,SAAS;GAC9C,MAAM,eAAe,MAAM,aAAa,IAAI,OAAO;GACnD,IAAI,cACF,KAAK,MAAM,SAAS,cAAc;IAChC,IAAI,MAAM,iBAAiB,kBAAkB;IAE7C,IAAI,CAAC,MAAM,MAAM,KAAK,WAAW,EAAE;IACnC,MAAM,WAAW,MAAM;IACvB,IAAI,CAAC,mBAAmB,SAAS,UAAU,cAAc,EAAE;IAC3D,MAAM,kBACJ,SAAS,OAAO,SAAS,UACrB,uBAAuB,SAAS,KAAK,SAAS,SAAS,IAAI,GAC3D,cAAc;IACpB,IAAI,CAAC,iBAAiB;IAKtB,cAAc;KAAE,aAJH,iCAAiC,SAAS,aAAa;OACjE,MAAM,YAAY;MACnB,GAAG;MACJ,CACgC;KAAE,WAAW,SAAS;KAAW;IAClE,mBAAmB,MAAM;IACzB;;;;CAUR,KAAK,MAAM,CAAC,SAAS,aAAa,MAAM,QAAQ;EAC9C,IAAI,WAAW,kBAGb;EAEF,IAAI,CAAC,mBAAmB,SAAS,UAAU,cAAc,EAAE;EAC3D,MAAM,SAAS,mBAAmB,UAAU,SAAS,OAAO;EAC5D,IAAI,QAAQ;GACV,MAAM,kBACJ,SAAS,OAAO,SAAS,UACrB,uBAAuB,SAAS,KAAK,SAAS,SAAS,IAAI,GAC3D,cAAc;GACpB,IAAI,CAAC,iBAAiB;GAMtB,OAAO;IAAE,aAJI,iCAAiC,SAAS,aAAa;KAClE,GAAG;KACH,GAAG;KACJ,CACyB;IAAE,WAAW,SAAS;IAAW;;;CAK/D,OAAO;;;;;;;;;;AAWT,SAAgB,aACd,UACA,UACA,KACA,gBAAoC,mBACrB;CACf,KAAK,MAAM,WAAW,UAAU;EAC9B,IAAI,CAAC,mBAAmB,QAAQ,UAAU,cAAc,EAAE;EAC1D,MAAM,SAAS,mBAAmB,UAAU,QAAQ,OAAO;EAC3D,IAAI,QAAQ;GACV,MAAM,kBACJ,QAAQ,OAAO,QAAQ,UACnB,uBAAuB,QAAQ,KAAK,QAAQ,SAAS,IAAI,GACzD,cAAc;GACpB,IAAI,CAAC,iBAAiB;GAEtB,OAAO,iCAAiC,QAAQ,aAAa;IAC3D,GAAG;IACH,GAAG;IACJ,CAAC;;;CAGN,OAAO;;;;;;;;AAST,SAAS,4BAA4B,aAAqB,QAAwC;CAChG,MAAM,OAAO,OAAO,KAAK,OAAO;CAChC,IAAI,KAAK,WAAW,GAAG,OAAO;CAO9B,MAAM,aAAa,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,MAAM,EAAE,SAAS,EAAE,OAAO;CAChE,MAAM,WAAW,WAAW,KAAK,KAAK;CACtC,IAAI,UAAU,+BAA+B,IAAI,SAAS;CAC1D,IAAI,CAAC,SAAS;EACZ,MAAM,mBAAmB,WACtB,KAAK,QAAQ,IAAI,QAAQ,uBAAuB,OAAO,CAAC,CACxD,KAAK,IAAI;EACZ,UAAU,IAAI,OAAO,KAAK,iBAAiB,2BAA2B,IAAI;EAC1E,+BAA+B,IAAI,UAAU,QAAQ;;CAGvD,OAAO,YAAY,QAAQ,UAAU,QAAQ,QAAgB,OAAO,KAAK;;;;;;;;AAS3E,SAAS,iCACP,aACA,QACQ;CACR,OAAO,oBAAoB,4BAA4B,aAAa,OAAO,CAAC;;;;;;;;;;;;;AAc9E,SAAgB,oBAAoB,MAAsB;CAExD,IAAI,KAAK,WAAW,UAAU,IAAI,KAAK,WAAW,WAAW,EAC3D,OAAO;CAMT,OAAO,KAAK,QAAQ,WAAW,IAAI;CACnC,OAAO;;;;;;;AAQT,SAAgB,cAAc,KAAsB;CAClD,OAAO,uBAAuB,KAAK,IAAI,IAAI,IAAI,WAAW,KAAK;;;;;;;;;;;AAYjE,eAAsB,qBACpB,SACA,aACmB;CAEnB,MAAM,cAAc,IAAI,IAAI,QAAQ,IAAI;CACxC,MAAM,YAAY,IAAI,IAAI,YAAY;CACtC,MAAM,kBAAkB,IAAI,IAAI,UAAU,aAAa,MAAM,CAAC;CAK9D,KAAK,MAAM,CAAC,KAAK,UAAU,YAAY,cACrC,IAAI,CAAC,gBAAgB,IAAI,IAAI,EAC3B,UAAU,aAAa,OAAO,KAAK,MAAM;CAK7C,MAAM,UAAU,IAAI,QAAQ,QAAQ,QAAQ;CAE5C,QAAQ,IAAI,QAAQ,UAAU,KAAK;CAOnC,4BAA4B,QAAQ;CACpC,MAAM,eAAyB,EAAE;CACjC,KAAK,MAAM,OAAO,QAAQ,MAAM,EAC9B,IAAI,IAAI,WAAA,gBAAoC,EAC1C,aAAa,KAAK,IAAI;CAG1B,KAAK,MAAM,OAAO,cAChB,QAAQ,OAAO,IAAI;CAKrB,QAAQ,OAAO,+BAA+B;CAC9C,QAAQ,OAAO,qCAAqC;CAEpD,QAAQ,OAAO,qBAAqB;CAEpC,MAAM,SAAS,QAAQ;CACvB,MAAM,UAAU,WAAW,SAAS,WAAW;CAE/C,MAAM,OAA0C;EAC9C;EACA;EACA,UAAU;EACX;CAED,IAAI,WAAW,QAAQ,MAAM;EAC3B,KAAK,OAAO,QAAQ;EACpB,KAAK,SAAS;;CAKhB,MAAM,aAAa,IAAI,iBAAiB;CACxC,MAAM,UAAU,iBAAiB,WAAW,OAAO,EAAE,IAAO;CAC5D,IAAI;CACJ,IAAI;EACF,mBAAmB,MAAM,MAAM,UAAU,MAAM;GAAE,GAAG;GAAM,QAAQ,WAAW;GAAQ,CAAC;UAC/E,GAAG;EACV,IAAI,aAAa,SAAS,EAAE,SAAS,cAAc;GACjD,QAAQ,MAAM,4CAA4C,UAAU,KAAK;GACzE,OAAO,IAAI,SAAS,mBAAmB,EAAE,QAAQ,KAAK,CAAC;;EAEzD,QAAQ,MAAM,0CAA0C,EAAE;EAC1D,OAAO,IAAI,SAAS,eAAe,EAAE,QAAQ,KAAK,CAAC;WAC3C;EACR,aAAa,QAAQ;;CAWvB,MAAM,gBAAgB,OAAO,YAAY,eAAe,CAAC,CAAC,QAAQ,UAAU;CAC5E,MAAM,kBAAkB,IAAI,SAAS;CACrC,iBAAiB,QAAQ,SAAS,OAAO,QAAQ;EAC/C,MAAM,QAAQ,IAAI,aAAa;EAC/B,IAAI,mBAAmB,IAAI,MAAM,EAAE;EACnC,IAAI,kBAAkB,UAAU,sBAAsB,UAAU,mBAAmB;EACnF,gBAAgB,OAAO,KAAK,MAAM;GAClC;CAEF,OAAO,IAAI,SAAS,iBAAiB,MAAM;EACzC,QAAQ,iBAAiB;EACzB,YAAY,iBAAiB;EAC7B,SAAS;EACV,CAAC;;;;;;;;;;AAWJ,SAAgB,aACd,UACA,SACA,KACA,gBAAoC,mBACG;CAIvC,WAAW,iCAAiC,SAAS;CAErD,MAAM,SAAgD,EAAE;CACxD,KAAK,MAAM,QAAQ,SAAS;EAC1B,IAAI,CAAC,mBAAmB,KAAK,UAAU,cAAc,EAAE;EAGvD,MAAM,cAAc,eAAe,4BAA4B,KAAK,cAClE,WAAW,MAAM,mBAAmB,KAAK,OAAO,GAAG,IAAI,CACxD;EACD,IAAI,eAAe,YAAY,KAAK,SAAS,EAAE;GAC7C,IAAI,KAAK,OAAO,KAAK;QACf,CAAC,mBAAmB,KAAK,KAAK,KAAK,SAAS,IAAI,EAClD;;GAGJ,OAAO,KAAK,GAAG,KAAK,QAAQ;;;CAGhC,OAAO;;;;;;AAOT,SAAS,mBAAmB,OAAuB;CACjD,OAAO,MAAM,QAAQ,uBAAuB,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAoCrD,SAAgB,oBACd,QACA,MACA,MACA,UAAuC,EAAE,EACpC;CACL,IAAI,CAAC,QAAQ,OAAO,WAAW,GAAG,OAAO;CAEzC,MAAM,gBAAgB,QAAQ,iBAAiB;CAE/C,MAAM,iBAAiB,wBADI,KAAK,QAAQ,IAAI,mBAAmB,CAAC,KAAK,IACJ,CAAC;CAMlE,MAAM,aAAa,WAA4B,WAAW,OAAO,CAAC,gBAAgB,KAAK;CAWvF,MAAM,iBAA2B,SAAS,aAAa,CAAC,KAAK,cAAc,GAAG,EAAE;CAEhF,MAAM,MAAW,EAAE;CACnB,KAAK,MAAM,KAAK,QAAQ;EACtB,IAAI,EAAE,WAAW,OAAO;GACtB,IAAI,KAAK,EAAE;GACX;;EAKF,MAAM,aAAa,CAAC,CAAC,EAAE,eAAe,CAAC,EAAE,YAAY,WAAW,IAAI;EAIpE,IAAI,CAAC,YACH,KAAK,MAAM,UAAU,gBAAgB;GACnC,MAAM,kBAAkB,IAAI,SAAS,UAAU,EAAE,OAAO;GACxD,IAAI,KAAK;IACP,GAAG;IACH,QAAQ;IACT,CAAC;;EAKN,MAAM,iBAAiB,GAAG,iBAAiB,UAAU,EAAE,OAAO;EAC9D,IAAI,sBAAsB,EAAE;EAC5B,IAAI,uBAAuB,oBAAoB,WAAW,IAAI,IAAI,CAAC,YACjE,sBAAsB,uBACpB,wBAAwB,OAAO,CAAC,gBAAgB,KAAK;EAGzD,IAAI,KAAK;GACP,GAAG;GACH,QAAQ;GACR,aAAa;GACd,CAAC;EAKF,IAAI,KAAK,EAAE;;CAEb,OAAO"}

package/dist/config/next-config.d.ts

@@ -124,9 +124,16 @@ type NextConfig = {
     contentSecurityPolicy?: string;
   }; /** Build output mode: 'export' for full static export, 'standalone' for single server */
   output?: "export" | "standalone"; /** File extensions treated as routable pages/routes (Next.js pageExtensions) */
-  pageExtensions?: string[]; /** Extra origins allowed to access the dev server. */
+  pageExtensions?: string[];
+  /**
+   * Module specifiers that are required for side effects on the client before
+   * hydration, in array order, ahead of the user's `instrumentation-client.{ts,js}`.
+   * Each entry may be a bare npm package name or a path relative to the project root.
+   */
+  instrumentationClientInject?: string[]; /** Extra origins allowed to access the dev server. */
   allowedDevOrigins?: string[]; /** Maximum age in seconds for stale ISR entries before blocking regeneration. */
-  expireTime?: number;
+  expireTime?: number; /** User agents that require blocking metadata in the initial head. */
+  htmlLimitedBots?: RegExp | string;
   /**
    * Enable Cache Components (Next.js 16).
    * When true, enables the "use cache" directive for pages, components, and functions.
@@ -147,6 +154,26 @@ type NextConfig = {
    */
   serverExternalPackages?: string[]; /** Webpack config (ignored — we use Vite) */
   webpack?: unknown;
+  /**
+   * Compiler options for build-time code transforms.
+   * vinext supports the subset that maps to Vite-compatible transforms.
+   */
+  compiler?: {
+    /** Remove `console.*` calls from the client bundle. */removeConsole?: boolean | {
+      exclude?: string[];
+    };
+    /**
+     * Inline compile-time constants in both client and server bundles.
+     * Mirrors Next.js `compiler.define`.
+     * @see https://nextjs.org/docs/app/api-reference/config/next-config-js/compiler#define
+     */
+    define?: Record<string, string | number | boolean>;
+    /**
+     * Inline compile-time constants in server bundles only (not client).
+     * Mirrors Next.js `compiler.defineServer`.
+     */
+    defineServer?: Record<string, string | number | boolean>;
+  };
   /**
    * Path to a custom cache handler module (e.g., KV, Redis, DynamoDB).
    * Accepts relative paths, absolute paths, or file:// URLs from import.meta.resolve().
@@ -194,6 +221,7 @@ type ResolvedNextConfig = {
   trailingSlash: boolean;
   output: "" | "export" | "standalone";
   pageExtensions: string[];
+  instrumentationClientInject: string[];
   cacheComponents: boolean;
   redirects: NextRedirect[];
   rewrites: {
@@ -208,9 +236,11 @@ type ResolvedNextConfig = {
   aliases: Record<string, string>; /** Extra allowed origins for dev server access (from allowedDevOrigins). */
   allowedDevOrigins: string[]; /** Extra allowed origins for server action CSRF validation (from experimental.serverActions.allowedOrigins). */
   serverActionsAllowedOrigins: string[]; /** Packages whose barrel imports should be optimized (from experimental.optimizePackageImports). */
-  optimizePackageImports: string[]; /** Parsed body size limit for server actions in bytes (from experimental.serverActions.bodySizeLimit). Defaults to 1MB. */
+  optimizePackageImports: string[]; /** Inline app CSS into production HTML (from experimental.inlineCss). */
+  inlineCss: boolean; /** Parsed body size limit for server actions in bytes (from experimental.serverActions.bodySizeLimit). Defaults to 1MB. */
   serverActionsBodySizeLimit: number; /** Route-level expire fallback in seconds for ISR entries with numeric revalidate. */
-  expireTime: number;
+  expireTime: number; /** Serialized htmlLimitedBots regexp source from next.config. */
+  htmlLimitedBots: string | undefined;
   /**
    * Packages that should be treated as server-external (not bundled by Vite).
    * Sourced from `serverExternalPackages` or the legacy
@@ -248,6 +278,67 @@ type ResolvedNextConfig = {
    * the object is forwarded to Sass and may contain any modern Sass option.
    */
   sassOptions: Record<string, unknown> | null;
+  /**
+   * When enabled, strip `console.*` calls from the client bundle.
+   * Mirrors Next.js `compiler.removeConsole` option.
+   * `true` strips all console calls; `{ exclude: ["error"] }` strips all
+   * except the specified method names (case-insensitive).
+   */
+  removeConsole: boolean | {
+    exclude: string[];
+  };
+  /**
+   * Mirrors Next.js `experimental.disableOptimizedLoading`. When `false`
+   * (the default), Pages Router page scripts are emitted with `defer` in
+   * `<head>` so the browser can prefetch them in parallel with HTML parsing.
+   * When `true`, scripts are emitted without `defer` (legacy behaviour).
+   *
+   * See `.nextjs-ref/packages/next/src/pages/_document.tsx` (`getScripts` →
+   * `defer={!disableOptimizedLoading}`) and the upstream
+   * `test/e2e/optimized-loading` test fixture.
+   */
+  disableOptimizedLoading: boolean;
+  /**
+   * Build-time constant replacement map applied to BOTH client and server
+   * bundles. Sourced from `compiler.define` in next.config. Values are
+   * pre-serialized via `JSON.stringify` so they can be fed straight into
+   * Vite's `define` config (which expects strings of source code).
+   *
+   * Mirrors Next.js — strings, numbers, and booleans are accepted; other
+   * value shapes are dropped.
+   * @see https://nextjs.org/docs/app/api-reference/config/next-config-js/compiler#define
+   */
+  compilerDefine: Record<string, string>;
+  /**
+   * Build-time constant replacement map applied to SERVER bundles only
+   * (RSC + SSR + middleware). Sourced from `compiler.defineServer` in
+   * next.config. Same serialization rules as `compilerDefine`. Client
+   * bundles intentionally never see these substitutions, so referencing
+   * a `defineServer` identifier from the browser stays as the raw
+   * identifier (typically resolving to `undefined`).
+   */
+  compilerDefineServer: Record<string, string>;
+  /**
+   * Allow-list of keys, sourced from `experimental.clientTraceMetadata`,
+   * to forward from the active OpenTelemetry context into the SSR HTML head
+   * as `<meta>` tags. `undefined` (or empty) disables injection.
+   *
+   * Mirrors Next.js: packages/next/src/server/lib/trace/utils.ts (getTracedMetadata).
+   */
+  clientTraceMetadata: string[] | undefined;
+  /**
+   * App Router client cache freshness windows in seconds, sourced from
+   * `experimental.staleTimes`. Controls how long prefetched route segments
+   * are considered fresh in the client-side router cache.
+   *
+   * `dynamic` applies to partial/dynamic prefetches (default 0 — no reuse).
+   * `static` applies to full-route prefetches (default 300 — 5 minutes).
+   * Mirrors Next.js' `process.env.__NEXT_CLIENT_ROUTER_{DYNAMIC,STATIC}_STALETIME`.
+   */
+  staleTimes: {
+    dynamic: number;
+    static: number;
+  };
 };
 /**
  * Whole-word substring check for any of the CJS-style globals that the