vinext 0.1.0 → 0.1.1

package/dist/server/app-server-action-execution.js

@@ -110,6 +110,15 @@ function isRequestBodyTooLarge(error) {
 	return error instanceof Error && error.message === "Request body too large";
 }
 /**
+* Build the error thrown when a server-action request body exceeds the
+* configured size limit. Matches Next.js' `Body exceeded {limit} limit.`
+* message + docs link (action-handler.ts) verbatim — including the original
+* config string (e.g. "2mb") — so it reads identically in logs.
+*/
+function createBodyExceededError(limitLabel) {
+	return /* @__PURE__ */ new Error(`Body exceeded ${limitLabel} limit.\nTo configure the body size limit for Server Actions, see: https://nextjs.org/docs/app/api-reference/next-config-js/serverActions#bodysizelimit`);
+}
+/**
 * Collapse repeated `cookies().set(name, ...)` / `cookies().delete(name)`
 * calls down to the last value per name, matching Next.js'
 * `MutableRequestCookiesAdapter` semantics. Next.js stores response cookies in
@@ -325,7 +334,13 @@ async function handleProgressiveServerActionRequest(options) {
 			return payloadResponse;
 		}
 		const action = await options.decodeAction(body);
-		if (!isAppServerActionFunction(action)) return null;
+		if (!isAppServerActionFunction(action)) {
+			if (options.hasPageRoute) return createActionNotFoundResponse(null, {
+				clearRequestContext: options.clearRequestContext,
+				getAndClearPendingCookies: options.getAndClearPendingCookies
+			});
+			return null;
+		}
 		let actionRedirect = null;
 		let actionError = void 0;
 		let actionFailed = false;
@@ -411,23 +426,66 @@ async function handleProgressiveServerActionRequest(options) {
 		return internalServerErrorResponse(process.env.NODE_ENV === "production" ? void 0 : "Server action parsing failed: " + getServerActionFailureMessage(error));
 	}
 }
+/**
+* Render the response for a fetch (client-invoked) server action whose request
+* body exceeds the configured `serverActions.bodySizeLimit`.
+*
+* Next.js does not return a bare 413 here: it throws the body-exceeded error
+* before the action runs, then — for fetch actions — emits a Flight response
+* with status 500 carrying the rejected action result, so the nearest client
+* error boundary catches it (see action-handler.ts, the `isFetchAction` branch
+* of the generic error path). vinext mirrors that by rendering a Flight stream
+* with `returnValue: { ok: false }` and no page root (the action never ran, so
+* nothing was revalidated and the page render is skipped). A bare 413 plain
+* response would bypass the boundary and surface the wrong status/content-type.
+*/
+async function renderFetchActionBodyExceededResponse(options) {
+	const error = createBodyExceededError(options.maxActionBodySizeLabel);
+	console.error("[vinext] Server action error:", error);
+	options.reportRequestError(normalizeError(error), {
+		path: options.cleanPathname,
+		method: options.request.method,
+		headers: Object.fromEntries(options.request.headers.entries())
+	}, {
+		routerKind: "App Router",
+		routePath: options.cleanPathname,
+		routeType: "action"
+	});
+	getAndClearActionRevalidationKind();
+	options.getAndClearPendingCookies();
+	const returnValue = {
+		ok: false,
+		data: options.sanitizeErrorForClient(error)
+	};
+	const temporaryReferences = options.createTemporaryReferenceSet();
+	const onRenderError = options.createRscOnErrorHandler(options.request, options.cleanPathname, options.cleanPathname);
+	const rscStream = await options.renderToReadableStream({ returnValue }, {
+		temporaryReferences,
+		onError: onRenderError
+	});
+	const headers = new Headers({
+		"Content-Type": VINEXT_RSC_CONTENT_TYPE,
+		Vary: VINEXT_RSC_VARY_HEADER
+	});
+	applyEdgeRuntimeHeader(headers, options.isEdgeRuntime);
+	mergeMiddlewareResponseHeaders(headers, options.middlewareHeaders);
+	applyRscCompatibilityIdHeader(headers);
+	return createServerActionRscResponse(rscStream, {
+		status: 500,
+		headers
+	}, options.clearRequestContext);
+}
 async function handleServerActionRscRequest(options) {
 	if (options.request.method.toUpperCase() !== "POST" || !options.actionId) return null;
 	const csrfResponse = validateCsrfOrigin(options.request, options.allowedOrigins);
 	if (csrfResponse) return csrfResponse;
-	if (parseInt(options.request.headers.get("content-length") || "0", 10) > options.maxActionBodySize) {
-		options.clearRequestContext();
-		return payloadTooLargeResponse();
-	}
+	if (parseInt(options.request.headers.get("content-length") || "0", 10) > options.maxActionBodySize) return renderFetchActionBodyExceededResponse(options);
 	try {
 		let body;
 		try {
 			body = options.contentType.startsWith("multipart/form-data") ? await options.readFormDataWithLimit(options.request, options.maxActionBodySize) : await options.readBodyWithLimit(options.request, options.maxActionBodySize);
 		} catch (error) {
-			if (isRequestBodyTooLarge(error)) {
-				options.clearRequestContext();
-				return payloadTooLargeResponse();
-			}
+			if (isRequestBodyTooLarge(error)) return renderFetchActionBodyExceededResponse(options);
 			throw error;
 		}
 		const payloadResponse = await validateServerActionPayload(body);
@@ -599,7 +657,7 @@ async function handleServerActionRscRequest(options) {
 		let errorPattern = match ? match.route.pattern : options.cleanPathname;
 		if (match) {
 			const { route: actionRoute, params: actionParams } = match;
-			const actionRerenderTarget = resolveAppPageActionRerenderTarget({
+			const actionRerenderTarget = await resolveAppPageActionRerenderTarget({
 				cleanPathname: options.cleanPathname,
 				currentParams: actionParams,
 				currentRoute: actionRoute,

package/dist/server/app-ssr-entry.d.ts

@@ -30,6 +30,12 @@ declare function handleSsr(rscStream: ReadableStream<Uint8Array>, navContext: Na
    * SSR head. Undefined or empty disables emission entirely.
    */
   clientTraceMetadata?: readonly string[];
+  /**
+   * Maximum total length (in characters) of the preload `Link` header React
+   * emits during SSR. `0` disables emission. From `reactMaxHeadersLength` in
+   * `next.config`. Undefined falls back to React's own default.
+   */
+  reactMaxHeadersLength?: number;
   rootParams?: RootParams; /** Dev-only: original server error to surface in the browser overlay. */
   initialDevServerError?: unknown;
   /** When true, wait for the full React tree (including Suspense boundaries)

package/dist/server/app-ssr-entry.js

@@ -24,6 +24,13 @@ import { renderToReadableStream, renderToStaticMarkup } from "react-dom/server.e
 import { createFromReadableStream } from "@vitejs/plugin-rsc/ssr";
 import clientReferences from "virtual:vite-rsc/client-references";
 //#region src/server/app-ssr-entry.ts
+/**
+* Default cap for the preload `Link` header, matching Next.js's
+* `defaultConfig.reactMaxHeadersLength`. Used when no config value threads
+* through (e.g. error-boundary renders) so React's internal cap agrees with
+* the response-layer combine cap.
+*/
+const DEFAULT_REACT_MAX_HEADERS_LENGTH = 6e3;
 const clientReferencePreloader = createClientReferencePreloader({
 	getReferences() {
 		return clientReferences;
@@ -175,7 +182,15 @@ async function handleSsr(rscStream, navContext, fontData, options) {
 				const ssrRoot = withScriptNonce(createElement(BeforeInteractiveContext.Provider, { value: registerBeforeInteractiveInlineScript }, ssrTree), options?.scriptNonce);
 				const bootstrapModuleUrl = extractBootstrapModuleUrl(await import.meta.viteRsc.loadBootstrapScriptContent("index"));
 				const errorMetaRenderer = createSsrErrorMetaRenderer({ basePath: options?.basePath });
+				let reactLinkHeader = "";
+				const maxHeadersLength = options?.reactMaxHeadersLength ?? DEFAULT_REACT_MAX_HEADERS_LENGTH;
+				const captureHeaders = maxHeadersLength > 0;
 				const htmlStream = await renderToReadableStream(ssrRoot, {
+					onHeaders: captureHeaders ? (headers) => {
+						const link = headers.get("Link");
+						if (link) reactLinkHeader = link;
+					} : void 0,
+					maxHeadersLength: captureHeaders ? maxHeadersLength : void 0,
 					bootstrapModules: bootstrapModuleUrl ? [bootstrapModuleUrl] : void 0,
 					formState: options?.formState ?? null,
 					nonce: options?.scriptNonce,
@@ -210,7 +225,8 @@ async function handleSsr(rscStream, navContext, fontData, options) {
 				return {
 					htmlStream: deferUntilStreamConsumed(htmlStream.pipeThrough(createTickBufferedTransform(rscEmbed, getInsertedHTML, getBeforeInteractiveHeadHTML, inlineCssManifest, inlineCssFontStyles, inlineCssFontStyleFallbackHTML, options?.scriptNonce)), cleanup),
 					metadataReady: Promise.resolve(),
-					capturedRscData: options?.capturedRscDataRef?.value ?? null
+					capturedRscData: options?.capturedRscDataRef?.value ?? null,
+					linkHeader: reactLinkHeader
 				};
 			} catch (error) {
 				cleanup();

package/dist/server/dev-server.d.ts

@@ -36,7 +36,7 @@ declare function parseCookieLocale(req: IncomingMessage, i18nConfig: NextI18nCon
  * 4. Render the component to HTML
  * 5. Wrap in _document shell and send response
  */
-declare function createSSRHandler(server: ViteDevServer, runner: ModuleImporter, routes: Route[], pagesDir: string, i18nConfig?: NextI18nConfig | null, fileMatcher?: ValidFileMatcher, basePath?: string, trailingSlash?: boolean, hasMiddleware?: boolean,
+declare function createSSRHandler(server: ViteDevServer, runner: ModuleImporter, routes: Route[], pagesDir: string, i18nConfig?: NextI18nConfig | null, fileMatcher?: ValidFileMatcher, basePath?: string, trailingSlash?: boolean, hasMiddleware?: boolean, hasRewrites?: boolean,
 /**
  * Allow-list of OpenTelemetry propagation keys to emit as `<meta>` tags
  * in the SSR head. Sourced from `experimental.clientTraceMetadata` in

package/dist/server/dev-server.js

@@ -6,9 +6,9 @@ import { normalizeStaticPathname } from "../routing/route-pattern.js";
 import { importModule, reportRequestError } from "./instrumentation.js";
 import { buildCacheStateHeaders } from "./cache-headers.js";
 import { _runWithCacheState } from "../shims/cache.js";
-import { buildPagesCacheValue, getRevalidateDuration, isrCacheKey, isrGet, isrSet, setRevalidateDuration, triggerBackgroundRegeneration } from "./isr-cache.js";
-import { runWithPrivateCache } from "../shims/cache-runtime.js";
+import { PRERENDER_REVALIDATE_HEADER, buildPagesCacheValue, getRevalidateDuration, isOnDemandRevalidateRequest, isrCacheKey, isrGet, isrSet, setRevalidateDuration, triggerBackgroundRegeneration } from "./isr-cache.js";
 import { ensureFetchPatch, runWithFetchCache } from "../shims/fetch-cache.js";
+import { runWithPrivateCache } from "../shims/cache-runtime.js";
 import { mergeRouteParamsIntoQuery, parseQueryString } from "../utils/query.js";
 import "../shims/router-state.js";
 import { runWithHeadState } from "../shims/head-state.js";
@@ -20,6 +20,7 @@ import { getScriptNonceFromNodeHeaderSources } from "./csp.js";
 import { logRequest, now } from "./request-log.js";
 import { detectLocaleFromAcceptLanguage, extractLocaleFromUrl as extractLocaleFromUrl$1, parseCookieLocaleFromHeader, resolvePagesI18nRequest } from "./pages-i18n.js";
 import { buildDefaultPagesNotFoundResponse } from "./pages-default-404.js";
+import { buildPagesReadinessNextData } from "./pages-readiness.js";
 import { resolvePagesPageMethodResponse } from "./pages-page-method.js";
 import { isSerializableProps } from "./pages-serializable-props.js";
 import { loadUserDocumentInitialProps, runDocumentRenderPage } from "./pages-document-initial-props.js";
@@ -183,8 +184,9 @@ function parseCookieLocale(req, i18nConfig) {
 * 4. Render the component to HTML
 * 5. Wrap in _document shell and send response
 */
-function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatcher, basePath = "", trailingSlash = false, hasMiddleware = false, clientTraceMetadata) {
+function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatcher, basePath = "", trailingSlash = false, hasMiddleware = false, hasRewrites = false, clientTraceMetadata) {
 	const matcher = fileMatcher ?? createValidFileMatcher();
+	const pagePatterns = routes.map((r) => patternToNextFormat(r.pattern));
 	const _alsRegistration = Promise.all([runner.import("vinext/head-state"), runner.import("vinext/router-state")]);
 	_alsRegistration.catch(() => {});
 	return async (req, res, url, statusCode, isDataReq = false) => {
@@ -241,15 +243,6 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 			try {
 				await _alsRegistration;
 				const routerShim = await importModule(runner, "next/router");
-				if (typeof routerShim.setSSRContext === "function") routerShim.setSSRContext({
-					pathname: patternToNextFormat(route.pattern),
-					query,
-					asPath: url,
-					locale: locale ?? currentDefaultLocale,
-					locales: i18nConfig?.locales,
-					defaultLocale: currentDefaultLocale,
-					domainLocales
-				});
 				if (i18nConfig) {
 					await runner.import("vinext/i18n-state");
 					const i18nCtx = await importModule(runner, "vinext/i18n-context");
@@ -262,6 +255,28 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 					});
 				}
 				const pageModule = await importModule(runner, route.filePath);
+				let AppComponent = null;
+				const appPath = path.join(pagesDir, "_app");
+				if (findFileWithExtensions(appPath, matcher)) try {
+					AppComponent = (await importModule(runner, appPath)).default ?? null;
+				} catch {}
+				const pagesNextData = buildPagesReadinessNextData({
+					pageModule,
+					appComponent: AppComponent,
+					hasRewrites
+				});
+				const navigationIsReady = typeof routerShim.getPagesNavigationIsReadyFromSerializedState === "function" ? routerShim.getPagesNavigationIsReadyFromSerializedState(patternToNextFormat(route.pattern), new URL(url, "http://_").search, pagesNextData) : true;
+				if (typeof routerShim.setSSRContext === "function") routerShim.setSSRContext({
+					pathname: patternToNextFormat(route.pattern),
+					query,
+					asPath: url,
+					navigationIsReady,
+					nextData: pagesNextData,
+					locale: locale ?? currentDefaultLocale,
+					locales: i18nConfig?.locales,
+					defaultLocale: currentDefaultLocale,
+					domainLocales
+				});
 				_compileEnd = now();
 				const PageComponent = pageModule.default;
 				if (!PageComponent) {
@@ -323,6 +338,7 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 							pathname: patternToNextFormat(route.pattern),
 							query,
 							asPath: url,
+							navigationIsReady: false,
 							locale: locale ?? currentDefaultLocale,
 							locales: i18nConfig?.locales,
 							defaultLocale: currentDefaultLocale,
@@ -385,7 +401,8 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 				if (typeof pageModule.getStaticProps === "function" && !isFallbackRender) {
 					const cacheKey = pagesIsrCacheKey(url.split("?")[0]);
 					const cached = await isrGet(cacheKey);
-					if (cached && !cached.isStale && cached.value.value?.kind === "PAGES" && !scriptNonce && !isDataReq) {
+					const isOnDemandRevalidate = isOnDemandRevalidateRequest(req.headers[PRERENDER_REVALIDATE_HEADER]);
+					if (!isOnDemandRevalidate && cached && !cached.isStale && cached.value.value?.kind === "PAGES" && !scriptNonce && !isDataReq) {
 						const cachedHtml = cached.value.value.html;
 						const transformedHtml = await server.transformIndexHtml(url, cachedHtml);
 						const revalidateSecs = getRevalidateDuration(cacheKey) ?? 60;
@@ -399,7 +416,7 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 						res.end(transformedHtml);
 						return;
 					}
-					if (cached && cached.isStale && cached.value.value?.kind === "PAGES" && !scriptNonce && !isDataReq) {
+					if (!isOnDemandRevalidate && cached && cached.isStale && cached.value.value?.kind === "PAGES" && !scriptNonce && !isDataReq) {
 						const cachedHtml = cached.value.value.html;
 						const transformedHtml = await server.transformIndexHtml(url, cachedHtml);
 						triggerBackgroundRegeneration(cacheKey, async () => {
@@ -420,6 +437,7 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 											pathname: patternToNextFormat(route.pattern),
 											query,
 											asPath: url,
+											navigationIsReady,
 											locale: locale ?? currentDefaultLocale,
 											locales: i18nConfig?.locales,
 											defaultLocale: currentDefaultLocale,
@@ -450,6 +468,15 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 										const viteRoot = server.config?.root;
 										const regenPageUrl = viteRoot ? "/" + path.relative(viteRoot, route.filePath) : route.filePath;
 										const regenAppUrl = RegenApp ? viteRoot ? "/" + path.relative(viteRoot, path.join(pagesDir, "_app")) : path.join(pagesDir, "_app") : null;
+										const freshPagesNextData = {
+											...pagesNextData,
+											__vinext: {
+												...pagesNextData.__vinext,
+												pageModuleUrl: regenPageUrl,
+												appModuleUrl: regenAppUrl,
+												hasMiddleware
+											}
+										};
 										await isrSet(cacheKey, buildPagesCacheValue(`<!DOCTYPE html><html><head></head><body><div id="__next">${freshBody}</div>${`<script>window.__NEXT_DATA__ = ${safeJsonStringify({
 											props: { pageProps: freshProps },
 											page: patternToNextFormat(route.pattern),
@@ -460,11 +487,7 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 											locales: i18nConfig?.locales,
 											defaultLocale: currentDefaultLocale,
 											domainLocales,
-											__vinext: {
-												pageModuleUrl: regenPageUrl,
-												appModuleUrl: regenAppUrl,
-												hasMiddleware
-											}
+											...freshPagesNextData
 										})}${i18nConfig ? `;window.__VINEXT_LOCALE__=${safeJsonStringify(locale ?? currentDefaultLocale)};window.__VINEXT_LOCALES__=${safeJsonStringify(i18nConfig.locales)};window.__VINEXT_DEFAULT_LOCALE__=${safeJsonStringify(currentDefaultLocale)}` : ""}<\/script>`}\n  ${cachedHtml.match(/<script type="module">[\s\S]*?<\/script>/)?.[0] ?? ""}</body></html>`, freshProps), revalidate);
 										setRevalidateDuration(cacheKey, revalidate);
 									}
@@ -491,7 +514,7 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 						locale: locale ?? currentDefaultLocale,
 						locales: i18nConfig?.locales,
 						defaultLocale: currentDefaultLocale,
-						revalidateReason: "stale"
+						revalidateReason: isOnDemandRevalidate ? "on-demand" : "stale"
 					};
 					const result = await pageModule.getStaticProps(context);
 					if (result && "props" in result) pageProps = result.props;
@@ -536,11 +559,6 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 					_renderEnd = now();
 					return;
 				}
-				let AppComponent = null;
-				const appPath = path.join(pagesDir, "_app");
-				if (findFileWithExtensions(appPath, matcher)) try {
-					AppComponent = (await importModule(runner, appPath)).default ?? null;
-				} catch {}
 				const createElement = React.createElement;
 				let element;
 				const wrapWithRouterContext = routerShim.wrapWithRouterContext;
@@ -584,6 +602,15 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 				const viteRoot = server.config.root;
 				const pageModuleUrl = "/" + path.relative(viteRoot, route.filePath);
 				const appModuleUrl = AppComponent ? "/" + path.relative(viteRoot, path.join(pagesDir, "_app")) : null;
+				const serializedPagesNextData = {
+					...pagesNextData,
+					__vinext: {
+						...pagesNextData.__vinext,
+						pageModuleUrl,
+						appModuleUrl,
+						hasMiddleware
+					}
+				};
 				const hydrationScript = `
 <script type="module"${nonceAttr}>
 import "vinext/instrumentation-client";
@@ -641,18 +668,14 @@ hydrate();
 					locales: i18nConfig?.locales,
 					defaultLocale: currentDefaultLocale,
 					domainLocales,
-					__vinext: {
-						pageModuleUrl,
-						appModuleUrl,
-						hasMiddleware
-					}
+					...serializedPagesNextData
 				})}${i18nConfig ? `;window.__VINEXT_LOCALE__=${safeJsonStringify(locale ?? currentDefaultLocale)};window.__VINEXT_LOCALES__=${safeJsonStringify(i18nConfig.locales)};window.__VINEXT_DEFAULT_LOCALE__=${safeJsonStringify(currentDefaultLocale)}` : ""}`, scriptNonce);
 				const docPath = path.join(pagesDir, "_document");
 				let DocumentComponent = null;
 				if (findFileWithExtensions(docPath, matcher)) try {
 					DocumentComponent = (await runner.import(docPath)).default ?? null;
 				} catch {}
-				const allScripts = `${nextDataScript}\n  ${hydrationScript}`;
+				const allScripts = `${nextDataScript}\n  ${createInlineScriptTag(`window.__VINEXT_PAGE_PATTERNS__=${safeJsonStringify(pagePatterns)}`, scriptNonce)}\n  ${hydrationScript}`;
 				const extraHeaders = { ...gsspExtraHeaders };
 				if (isrRevalidateSeconds) if (scriptNonce) extraHeaders["Cache-Control"] = "no-store, must-revalidate";
 				else {

package/dist/server/isr-cache.d.ts

@@ -5,6 +5,42 @@ import { normalizeMountedSlotsHeader } from "./app-mounted-slots-header.js";
 import { AppRscRenderMode } from "./app-rsc-render-mode.js";
 
 //#region src/server/isr-cache.d.ts
+/**
+ * Header set on the internal request that `res.revalidate()` issues to
+ * trigger on-demand ISR regeneration of a Pages Router route. Mirrors Next.js's
+ * `PRERENDER_REVALIDATE_HEADER` (`x-prerender-revalidate`) — see
+ * `.nextjs-ref/packages/next/src/lib/constants.ts`.
+ *
+ * SECURITY: in Next.js this header is NOT a presence flag — it carries the
+ * secret `previewModeId`, and `checkIsOnDemandRevalidate`
+ * (`.nextjs-ref/packages/next/src/server/api-utils/index.ts`) only treats a
+ * request as on-demand revalidation when the value *equals* that secret. If we
+ * gated on presence alone, any external client could send
+ * `x-prerender-revalidate: <anything>` to force synchronous regeneration of any
+ * ISR page, bypassing the fresh/stale cache short-circuits — a
+ * cache-stampede/DoS vector. We therefore validate the value against
+ * {@link getRevalidateSecret} (a build-time secret shared across all Workers
+ * isolates) with a constant-time comparison, and only the matching value (sent
+ * by our own `res.revalidate()`) is honored.
+ */
+declare const PRERENDER_REVALIDATE_HEADER = "x-prerender-revalidate";
+/**
+ * Companion header to {@link PRERENDER_REVALIDATE_HEADER}. When set,
+ * `res.revalidate(path, { unstable_onlyGenerated: true })` only revalidates the
+ * path if it was already generated, and a 404 response counts as a successful
+ * no-op. Mirrors Next.js's `PRERENDER_REVALIDATE_ONLY_GENERATED_HEADER`
+ * (`x-prerender-revalidate-if-generated`) — see
+ * `.nextjs-ref/packages/next/src/lib/constants.ts`.
+ */
+declare const PRERENDER_REVALIDATE_ONLY_GENERATED_HEADER = "x-prerender-revalidate-if-generated";
+declare function getRevalidateSecret(): string;
+/**
+ * Authorize an incoming request as an on-demand revalidation trigger. Mirrors
+ * Next.js's `checkIsOnDemandRevalidate`: the {@link PRERENDER_REVALIDATE_HEADER}
+ * value must *equal* the process revalidate secret. Header presence alone is
+ * NOT sufficient — see the security note on {@link PRERENDER_REVALIDATE_HEADER}.
+ */
+declare function isOnDemandRevalidateRequest(headerValue: string | string[] | null | undefined): boolean;
 type ISRCacheEntry = {
   value: CacheHandlerValue;
   isStale: boolean;
@@ -88,4 +124,4 @@ declare function setRevalidateDuration(key: string, seconds: number): void;
  */
 declare function getRevalidateDuration(key: string): number | undefined;
 //#endregion
-export { ISRCacheEntry, appIsrHtmlKey, appIsrRouteKey, appIsrRscKey, buildAppPageCacheValue, buildPagesCacheValue, getRevalidateDuration, isrCacheKey, isrGet, isrSet, isrSetPrerenderedAppPage, normalizeMountedSlotsHeader, setRevalidateDuration, triggerBackgroundRegeneration };
+export { ISRCacheEntry, PRERENDER_REVALIDATE_HEADER, PRERENDER_REVALIDATE_ONLY_GENERATED_HEADER, appIsrHtmlKey, appIsrRouteKey, appIsrRscKey, buildAppPageCacheValue, buildPagesCacheValue, getRevalidateDuration, getRevalidateSecret, isOnDemandRevalidateRequest, isrCacheKey, isrGet, isrSet, isrSetPrerenderedAppPage, normalizeMountedSlotsHeader, setRevalidateDuration, triggerBackgroundRegeneration };

package/dist/server/isr-cache.js

@@ -7,6 +7,90 @@ import { APP_RSC_RENDER_MODE_NAVIGATION, getRscRenderModeCacheVariant } from "./
 import { normalizeAppPageInterceptionProofPathname } from "./app-page-render-identity.js";
 //#region src/server/isr-cache.ts
 /**
+* Header set on the internal request that `res.revalidate()` issues to
+* trigger on-demand ISR regeneration of a Pages Router route. Mirrors Next.js's
+* `PRERENDER_REVALIDATE_HEADER` (`x-prerender-revalidate`) — see
+* `.nextjs-ref/packages/next/src/lib/constants.ts`.
+*
+* SECURITY: in Next.js this header is NOT a presence flag — it carries the
+* secret `previewModeId`, and `checkIsOnDemandRevalidate`
+* (`.nextjs-ref/packages/next/src/server/api-utils/index.ts`) only treats a
+* request as on-demand revalidation when the value *equals* that secret. If we
+* gated on presence alone, any external client could send
+* `x-prerender-revalidate: <anything>` to force synchronous regeneration of any
+* ISR page, bypassing the fresh/stale cache short-circuits — a
+* cache-stampede/DoS vector. We therefore validate the value against
+* {@link getRevalidateSecret} (a build-time secret shared across all Workers
+* isolates) with a constant-time comparison, and only the matching value (sent
+* by our own `res.revalidate()`) is honored.
+*/
+const PRERENDER_REVALIDATE_HEADER = "x-prerender-revalidate";
+/**
+* Companion header to {@link PRERENDER_REVALIDATE_HEADER}. When set,
+* `res.revalidate(path, { unstable_onlyGenerated: true })` only revalidates the
+* path if it was already generated, and a 404 response counts as a successful
+* no-op. Mirrors Next.js's `PRERENDER_REVALIDATE_ONLY_GENERATED_HEADER`
+* (`x-prerender-revalidate-if-generated`) — see
+* `.nextjs-ref/packages/next/src/lib/constants.ts`.
+*/
+const PRERENDER_REVALIDATE_ONLY_GENERATED_HEADER = "x-prerender-revalidate-if-generated";
+/**
+* Build-time secret that authenticates on-demand revalidation requests, the
+* vinext analog of Next.js's prerender-manifest `previewModeId`.
+*
+* `res.revalidate()` loops back into the server via an internal `fetch()`. On
+* Cloudflare Workers that loopback can land on a *different* isolate than the
+* sender, so a per-process random secret would mismatch across isolates and
+* false-reject legitimate revalidations (and, symmetrically, two isolates with
+* independently-rolled secrets could never agree). The fix mirrors Next.js's
+* `previewModeId`: the secret is generated once at BUILD time and baked
+* (server-only — never into the client bundle) into every server bundle via the
+* `__VINEXT_REVALIDATE_SECRET` Vite `define`, so it is byte-for-byte identical in
+* every isolate. See `vinext build` CLI (`__VINEXT_SHARED_REVALIDATE_SECRET`) and
+* the `vinext:compiler-define-server` plugin. The sender attaches it as the
+* {@link PRERENDER_REVALIDATE_HEADER} value; the receiver authorizes a request
+* only when the incoming value equals this secret (see
+* {@link isOnDemandRevalidateRequest}).
+*
+* When the build-time define is absent — dev mode, and any path that doesn't
+* run through `vinext build` — we fall back to a lazily-generated random secret.
+* Those paths are single-process, so a module-scoped value is shared by sender
+* and receiver there — no regression.
+*/
+let devRevalidateSecret;
+function getRevalidateSecret() {
+	const baked = process.env.__VINEXT_REVALIDATE_SECRET;
+	if (baked) return baked;
+	if (devRevalidateSecret === void 0) {
+		const bytes = new Uint8Array(32);
+		crypto.getRandomValues(bytes);
+		devRevalidateSecret = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+	}
+	return devRevalidateSecret;
+}
+/**
+* Constant-time string equality. Avoids leaking secret length / prefix via
+* early-exit timing on the on-demand revalidation auth check. Returns false
+* for length mismatch (the only safe option without revealing the secret
+* length, and equality is impossible anyway).
+*/
+function safeEqual(a, b) {
+	if (a.length !== b.length) return false;
+	let mismatch = 0;
+	for (let i = 0; i < a.length; i++) mismatch |= a.charCodeAt(i) ^ b.charCodeAt(i);
+	return mismatch === 0;
+}
+/**
+* Authorize an incoming request as an on-demand revalidation trigger. Mirrors
+* Next.js's `checkIsOnDemandRevalidate`: the {@link PRERENDER_REVALIDATE_HEADER}
+* value must *equal* the process revalidate secret. Header presence alone is
+* NOT sufficient — see the security note on {@link PRERENDER_REVALIDATE_HEADER}.
+*/
+function isOnDemandRevalidateRequest(headerValue) {
+	if (typeof headerValue !== "string" || headerValue.length === 0) return false;
+	return safeEqual(headerValue, getRevalidateSecret());
+}
+/**
 * Get a cache entry with staleness information.
 *
 * Returns { value, isStale: false } for fresh entries,
@@ -195,4 +279,4 @@ function getRevalidateDuration(key) {
 	return revalidateDurations.get(key);
 }
 //#endregion
-export { appIsrHtmlKey, appIsrRouteKey, appIsrRscKey, buildAppPageCacheValue, buildPagesCacheValue, getRevalidateDuration, isrCacheKey, isrGet, isrSet, isrSetPrerenderedAppPage, normalizeMountedSlotsHeader, setRevalidateDuration, triggerBackgroundRegeneration };
+export { PRERENDER_REVALIDATE_HEADER, PRERENDER_REVALIDATE_ONLY_GENERATED_HEADER, appIsrHtmlKey, appIsrRouteKey, appIsrRscKey, buildAppPageCacheValue, buildPagesCacheValue, getRevalidateDuration, getRevalidateSecret, isOnDemandRevalidateRequest, isrCacheKey, isrGet, isrSet, isrSetPrerenderedAppPage, normalizeMountedSlotsHeader, setRevalidateDuration, triggerBackgroundRegeneration };

package/dist/server/navigation-planner.js

@@ -1,5 +1,5 @@
 import { splitPathnameForRouteMatch } from "../routing/utils.js";
-import { matchRoutePattern, matchRoutePatternPrefix } from "../routing/route-pattern.js";
+import { matchRoutePattern, matchRoutePatternPrefix, matchRoutePatternWithOptionalDynamicSegments } from "../routing/route-pattern.js";
 import { compareAppElementsSlotIds } from "./app-elements-wire.js";
 import "./app-elements.js";
 import { NavigationTraceReasonCodes, createNavigationLifecycleTraceFields, createNavigationTrace } from "./navigation-trace.js";
@@ -119,8 +119,10 @@ function findRouteManifestInterceptionForProof(routeManifest, proof) {
 	const candidateInterceptions = routeManifest.segmentGraph.interceptionsBySlotId.get(proof.slotId) ?? [];
 	for (const interception of candidateInterceptions) {
 		if (!matchRoutePatternPrefix(sourceParts, interception.sourcePatternParts)) continue;
-		if (matchRoutePattern(targetParts, interception.targetPatternParts) === null) continue;
-		if (interception.targetRouteId !== null && targetRoute?.id !== interception.targetRouteId) continue;
+		const exactTargetParams = matchRoutePattern(targetParts, interception.targetPatternParts);
+		const allowsMiddlewareRewriteTarget = exactTargetParams === null && matchRoutePatternWithOptionalDynamicSegments(targetParts, interception.targetPatternParts);
+		if (exactTargetParams === null && !allowsMiddlewareRewriteTarget) continue;
+		if (!allowsMiddlewareRewriteTarget && interception.targetRouteId !== null && targetRoute?.id !== interception.targetRouteId) continue;
 		return interception;
 	}
 	return null;

package/dist/server/navigation-trace.d.ts

@@ -47,4 +47,4 @@ declare function createNavigationLifecycleTraceFields(options: {
 declare function createNavigationTrace(code: NavigationTraceCode, fields?: NavigationTraceFields): NavigationTrace;
 declare function prependNavigationTraceEntry(trace: NavigationTrace, code: NavigationTraceCode, fields?: NavigationTraceFields): NavigationTrace;
 //#endregion
-export { NAVIGATION_TRACE_SCHEMA_VERSION, NavigationTrace, NavigationTraceCode, NavigationTraceFields, NavigationTraceReasonCode, NavigationTraceReasonCodes, NavigationTraceTransactionCode, NavigationTraceTransactionCodes, createNavigationLifecycleTraceFields, createNavigationTrace, prependNavigationTraceEntry };
+export { NAVIGATION_TRACE_SCHEMA_VERSION, NavigationTrace, NavigationTraceFields, NavigationTraceReasonCode, NavigationTraceReasonCodes, NavigationTraceTransactionCode, NavigationTraceTransactionCodes, createNavigationLifecycleTraceFields, createNavigationTrace, prependNavigationTraceEntry };

package/dist/server/pages-node-compat.d.ts

@@ -1,4 +1,5 @@
 import { PagesBodyParseError } from "./pages-media-type.js";
+import { RevalidateOptions } from "./pages-revalidate.js";
 
 //#region src/server/pages-node-compat.d.ts
 type PagesRequestQuery = Record<string, string | string[]>;
@@ -33,6 +34,7 @@ type PagesReqResResponse = {
   send: (data: unknown) => void;
   redirect: (statusOrUrl: number | string, url?: string) => void;
   getHeaders: () => PagesReqResHeaders;
+  revalidate: (urlPath: string, opts?: RevalidateOptions) => Promise<void>;
 };
 type CreatePagesReqResOptions = {
   body: unknown;

package/dist/server/pages-node-compat.js

@@ -2,6 +2,7 @@ import { parseCookies } from "../config/config-matchers.js";
 import { readStreamAsTextWithLimit } from "../utils/text-stream.js";
 import { PagesBodyParseError, getMediaType, isJsonMediaType } from "./pages-media-type.js";
 import { DEFAULT_PAGES_API_BODY_SIZE_LIMIT } from "./pages-body-parser-config.js";
+import { performOnDemandRevalidate } from "./pages-revalidate.js";
 import { decode } from "node:querystring";
 //#region src/server/pages-node-compat.ts
 const MAX_PAGES_API_BODY_SIZE = DEFAULT_PAGES_API_BODY_SIZE_LIMIT;
@@ -166,6 +167,9 @@ function createPagesReqRes(options) {
 			const headers = { ...resHeaders };
 			if (setCookieHeaders.length > 0) headers["set-cookie"] = setCookieHeaders;
 			return headers;
+		},
+		async revalidate(urlPath, opts) {
+			await performOnDemandRevalidate(options.request.headers, urlPath, opts);
 		}
 	};
 	return {

package/dist/server/pages-page-data.d.ts

@@ -2,7 +2,7 @@ import { Route } from "../routing/pages-router.js";
 import { VinextNextData } from "../client/vinext-next-data.js";
 import { CachedPagesValue } from "../shims/cache.js";
 import { ISRCacheEntry } from "./isr-cache.js";
-import { PagesGsspResponse, PagesI18nRenderContext } from "./pages-page-response.js";
+import { PagesGsspResponse, PagesI18nRenderContext, PagesNextDataExtras } from "./pages-page-response.js";
 import { ReactNode } from "react";
 
 //#region src/server/pages-page-data.d.ts
@@ -90,6 +90,7 @@ type RenderPagesIsrHtmlOptions = {
   routePattern: string;
   safeJsonStringify: (value: unknown) => string;
   vinext?: VinextNextData["__vinext"];
+  nextData?: PagesNextDataExtras;
 };
 type ResolvePagesPageDataOptions = {
   applyRequestContexts: () => void;
@@ -125,15 +126,16 @@ type ResolvePagesPageDataOptions = {
    * When true, this dispatch was triggered by an on-demand revalidation
    * request (e.g. `res.revalidate()` in a Pages Router API route, or an
    * equivalent webhook). Maps to `revalidateReason: "on-demand"` when
-   * `getStaticProps` is invoked. Mirrors Next.js's
+   * `getStaticProps` is invoked, and bypasses the fresh/stale cache-hit
+   * short-circuits so the entry is regenerated synchronously. Mirrors Next.js's
    * `renderOpts.isOnDemandRevalidate` flag — see
    * `.nextjs-ref/packages/next/src/server/render.tsx`.
    *
-   * Forward-looking plumbing: no caller currently sets this — `res.revalidate()`
-   * is not yet implemented in vinext. The `"on-demand"` branch in the
-   * `revalidateReason` resolver is intentionally unreachable today; keeping the
-   * typed contract here means wiring it up will be a one-line change once the
-   * trigger lands.
+   * The page handler sets this only when the incoming request's
+   * `x-prerender-revalidate` header (`PRERENDER_REVALIDATE_HEADER`) *equals* the
+   * process revalidate secret that `res.revalidate()` attaches to its internal
+   * request (`isOnDemandRevalidateRequest`). It is never set on mere header
+   * presence — see the security note in `isr-cache.ts`.
    */
   isOnDemandRevalidate?: boolean;
   pageModule: PagesPageModule;
@@ -155,6 +157,7 @@ type ResolvePagesPageDataOptions = {
   }) => void;
   renderIsrPassToStringAsync: (element: ReactNode) => Promise<string>;
   vinext?: VinextNextData["__vinext"];
+  nextData?: PagesNextDataExtras;
 };
 type ResolvePagesPageDataRenderResult = {
   kind: "render";