vinext 0.1.0 → 0.1.2

package/dist/server/dev-server.js

@@ -2,13 +2,16 @@ import { createRequestContext, runWithRequestContext } from "../shims/unified-re
 import { createValidFileMatcher, findFileWithExtensions } from "../routing/file-matcher.js";
 import { patternToNextFormat } from "../routing/route-validation.js";
 import { matchRoute } from "../routing/pages-router.js";
+import { NEXTJS_DEPLOYMENT_ID_HEADER } from "./headers.js";
 import { normalizeStaticPathname } from "../routing/route-pattern.js";
 import { importModule, reportRequestError } from "./instrumentation.js";
 import { buildCacheStateHeaders } from "./cache-headers.js";
 import { _runWithCacheState } from "../shims/cache.js";
-import { buildPagesCacheValue, getRevalidateDuration, isrCacheKey, isrGet, isrSet, setRevalidateDuration, triggerBackgroundRegeneration } from "./isr-cache.js";
-import { runWithPrivateCache } from "../shims/cache-runtime.js";
+import { NEVER_CACHE_CONTROL, NO_STORE_CACHE_CONTROL } from "./cache-control.js";
+import { buildMissIsrCacheControl, decideIsr } from "./isr-decision.js";
+import { PRERENDER_REVALIDATE_HEADER, buildPagesCacheValue, getRevalidateDuration, isOnDemandRevalidateRequest, isrCacheKey, isrGet, isrSet, setRevalidateDuration, triggerBackgroundRegeneration } from "./isr-cache.js";
 import { ensureFetchPatch, runWithFetchCache } from "../shims/fetch-cache.js";
+import { runWithPrivateCache } from "../shims/cache-runtime.js";
 import { mergeRouteParamsIntoQuery, parseQueryString } from "../utils/query.js";
 import "../shims/router-state.js";
 import { runWithHeadState } from "../shims/head-state.js";
@@ -20,6 +23,7 @@ import { getScriptNonceFromNodeHeaderSources } from "./csp.js";
 import { logRequest, now } from "./request-log.js";
 import { detectLocaleFromAcceptLanguage, extractLocaleFromUrl as extractLocaleFromUrl$1, parseCookieLocaleFromHeader, resolvePagesI18nRequest } from "./pages-i18n.js";
 import { buildDefaultPagesNotFoundResponse } from "./pages-default-404.js";
+import { buildPagesReadinessNextData } from "./pages-readiness.js";
 import { resolvePagesPageMethodResponse } from "./pages-page-method.js";
 import { isSerializableProps } from "./pages-serializable-props.js";
 import { loadUserDocumentInitialProps, runDocumentRenderPage } from "./pages-document-initial-props.js";
@@ -61,7 +65,10 @@ function writeGsspRedirect(res, redirect, isDataReq) {
 	let dest = redirect.destination;
 	if (!dest.startsWith("http://") && !dest.startsWith("https://")) dest = dest.replace(/^[\\/]+/, "/");
 	if (isDataReq) {
-		res.writeHead(200, { "Content-Type": "application/json" });
+		const deploymentId = process.env.__VINEXT_DEPLOYMENT_ID || process.env.NEXT_DEPLOYMENT_ID;
+		const dataHeaders = { "Content-Type": "application/json" };
+		if (deploymentId) dataHeaders[NEXTJS_DEPLOYMENT_ID_HEADER] = deploymentId;
+		res.writeHead(200, dataHeaders);
 		res.end(JSON.stringify({ pageProps: {
 			__N_REDIRECT: dest,
 			__N_REDIRECT_STATUS: status
@@ -183,8 +190,9 @@ function parseCookieLocale(req, i18nConfig) {
 * 4. Render the component to HTML
 * 5. Wrap in _document shell and send response
 */
-function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatcher, basePath = "", trailingSlash = false, hasMiddleware = false, clientTraceMetadata) {
+function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatcher, basePath = "", trailingSlash = false, hasMiddleware = false, hasRewrites = false, clientTraceMetadata) {
 	const matcher = fileMatcher ?? createValidFileMatcher();
+	const pagePatterns = routes.map((r) => patternToNextFormat(r.pattern));
 	const _alsRegistration = Promise.all([runner.import("vinext/head-state"), runner.import("vinext/router-state")]);
 	_alsRegistration.catch(() => {});
 	return async (req, res, url, statusCode, isDataReq = false) => {
@@ -226,7 +234,10 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 		const match = matchRoute(localeStrippedUrl, routes);
 		if (!match) {
 			if (isDataReq) {
-				res.writeHead(404, { "Content-Type": "application/json" });
+				const deploymentId = process.env.__VINEXT_DEPLOYMENT_ID || process.env.NEXT_DEPLOYMENT_ID;
+				const notFoundHeaders = { "Content-Type": "application/json" };
+				if (deploymentId) notFoundHeaders[NEXTJS_DEPLOYMENT_ID_HEADER] = deploymentId;
+				res.writeHead(404, notFoundHeaders);
 				res.end("{}");
 				return;
 			}
@@ -241,15 +252,6 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 			try {
 				await _alsRegistration;
 				const routerShim = await importModule(runner, "next/router");
-				if (typeof routerShim.setSSRContext === "function") routerShim.setSSRContext({
-					pathname: patternToNextFormat(route.pattern),
-					query,
-					asPath: url,
-					locale: locale ?? currentDefaultLocale,
-					locales: i18nConfig?.locales,
-					defaultLocale: currentDefaultLocale,
-					domainLocales
-				});
 				if (i18nConfig) {
 					await runner.import("vinext/i18n-state");
 					const i18nCtx = await importModule(runner, "vinext/i18n-context");
@@ -262,6 +264,28 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 					});
 				}
 				const pageModule = await importModule(runner, route.filePath);
+				let AppComponent = null;
+				const appPath = path.join(pagesDir, "_app");
+				if (findFileWithExtensions(appPath, matcher)) try {
+					AppComponent = (await importModule(runner, appPath)).default ?? null;
+				} catch {}
+				const pagesNextData = buildPagesReadinessNextData({
+					pageModule,
+					appComponent: AppComponent,
+					hasRewrites
+				});
+				const navigationIsReady = typeof routerShim.getPagesNavigationIsReadyFromSerializedState === "function" ? routerShim.getPagesNavigationIsReadyFromSerializedState(patternToNextFormat(route.pattern), new URL(url, "http://_").search, pagesNextData) : true;
+				if (typeof routerShim.setSSRContext === "function") routerShim.setSSRContext({
+					pathname: patternToNextFormat(route.pattern),
+					query,
+					asPath: url,
+					navigationIsReady,
+					nextData: pagesNextData,
+					locale: locale ?? currentDefaultLocale,
+					locales: i18nConfig?.locales,
+					defaultLocale: currentDefaultLocale,
+					domainLocales
+				});
 				_compileEnd = now();
 				const PageComponent = pageModule.default;
 				if (!PageComponent) {
@@ -310,7 +334,10 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 					});
 					if (fallback === false && !isValidPath) {
 						if (isDataReq) {
-							res.writeHead(404, { "Content-Type": "application/json" });
+							const deploymentId = process.env.__VINEXT_DEPLOYMENT_ID || process.env.NEXT_DEPLOYMENT_ID;
+							const notFoundHeaders = { "Content-Type": "application/json" };
+							if (deploymentId) notFoundHeaders[NEXTJS_DEPLOYMENT_ID_HEADER] = deploymentId;
+							res.writeHead(404, notFoundHeaders);
 							res.end("{}");
 							return;
 						}
@@ -323,6 +350,7 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 							pathname: patternToNextFormat(route.pattern),
 							query,
 							asPath: url,
+							navigationIsReady: false,
 							locale: locale ?? currentDefaultLocale,
 							locales: i18nConfig?.locales,
 							defaultLocale: currentDefaultLocale,
@@ -353,7 +381,10 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 					}
 					if (result && "notFound" in result && result.notFound) {
 						if (isDataReq) {
-							res.writeHead(404, { "Content-Type": "application/json" });
+							const deploymentId = process.env.__VINEXT_DEPLOYMENT_ID || process.env.NEXT_DEPLOYMENT_ID;
+							const notFoundHeaders = { "Content-Type": "application/json" };
+							if (deploymentId) notFoundHeaders[NEXTJS_DEPLOYMENT_ID_HEADER] = deploymentId;
+							res.writeHead(404, notFoundHeaders);
 							res.end("{}");
 							return;
 						}
@@ -369,7 +400,7 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 						if (Array.isArray(val)) gsspExtraHeaders[key] = val.map(String);
 						else gsspExtraHeaders[key] = String(val);
 					}
-					if (!Object.keys(gsspExtraHeaders).some((k) => k.toLowerCase() === "cache-control")) gsspExtraHeaders["Cache-Control"] = "private, no-cache, no-store, max-age=0, must-revalidate";
+					if (!Object.keys(gsspExtraHeaders).some((k) => k.toLowerCase() === "cache-control")) gsspExtraHeaders["Cache-Control"] = NEVER_CACHE_CONTROL;
 				}
 				const responseHeaders = typeof res.getHeaders === "function" ? res.getHeaders() : void 0;
 				const scriptNonce = getScriptNonceFromNodeHeaderSources(req.headers, responseHeaders);
@@ -385,21 +416,26 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 				if (typeof pageModule.getStaticProps === "function" && !isFallbackRender) {
 					const cacheKey = pagesIsrCacheKey(url.split("?")[0]);
 					const cached = await isrGet(cacheKey);
-					if (cached && !cached.isStale && cached.value.value?.kind === "PAGES" && !scriptNonce && !isDataReq) {
+					const isOnDemandRevalidate = isOnDemandRevalidateRequest(req.headers[PRERENDER_REVALIDATE_HEADER]);
+					if (!isOnDemandRevalidate && cached && !cached.isStale && cached.value.value?.kind === "PAGES" && !scriptNonce && !isDataReq) {
 						const cachedHtml = cached.value.value.html;
 						const transformedHtml = await server.transformIndexHtml(url, cachedHtml);
-						const revalidateSecs = getRevalidateDuration(cacheKey) ?? 60;
+						const { cacheControl: hitCacheControl } = decideIsr({
+							cacheState: "HIT",
+							kind: "dev",
+							revalidateSeconds: getRevalidateDuration(cacheKey) ?? 60
+						});
 						const hitHeaders = {
 							"Content-Type": "text/html",
 							...buildCacheStateHeaders("HIT"),
-							"Cache-Control": `s-maxage=${revalidateSecs}, stale-while-revalidate`
+							"Cache-Control": hitCacheControl
 						};
 						if (earlyFontLinkHeader) hitHeaders["Link"] = earlyFontLinkHeader;
 						res.writeHead(200, hitHeaders);
 						res.end(transformedHtml);
 						return;
 					}
-					if (cached && cached.isStale && cached.value.value?.kind === "PAGES" && !scriptNonce && !isDataReq) {
+					if (!isOnDemandRevalidate && cached && cached.isStale && cached.value.value?.kind === "PAGES" && !scriptNonce && !isDataReq) {
 						const cachedHtml = cached.value.value.html;
 						const transformedHtml = await server.transformIndexHtml(url, cachedHtml);
 						triggerBackgroundRegeneration(cacheKey, async () => {
@@ -420,6 +456,7 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 											pathname: patternToNextFormat(route.pattern),
 											query,
 											asPath: url,
+											navigationIsReady,
 											locale: locale ?? currentDefaultLocale,
 											locales: i18nConfig?.locales,
 											defaultLocale: currentDefaultLocale,
@@ -450,6 +487,15 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 										const viteRoot = server.config?.root;
 										const regenPageUrl = viteRoot ? "/" + path.relative(viteRoot, route.filePath) : route.filePath;
 										const regenAppUrl = RegenApp ? viteRoot ? "/" + path.relative(viteRoot, path.join(pagesDir, "_app")) : path.join(pagesDir, "_app") : null;
+										const freshPagesNextData = {
+											...pagesNextData,
+											__vinext: {
+												...pagesNextData.__vinext,
+												pageModuleUrl: regenPageUrl,
+												appModuleUrl: regenAppUrl,
+												hasMiddleware
+											}
+										};
 										await isrSet(cacheKey, buildPagesCacheValue(`<!DOCTYPE html><html><head></head><body><div id="__next">${freshBody}</div>${`<script>window.__NEXT_DATA__ = ${safeJsonStringify({
 											props: { pageProps: freshProps },
 											page: patternToNextFormat(route.pattern),
@@ -460,11 +506,7 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 											locales: i18nConfig?.locales,
 											defaultLocale: currentDefaultLocale,
 											domainLocales,
-											__vinext: {
-												pageModuleUrl: regenPageUrl,
-												appModuleUrl: regenAppUrl,
-												hasMiddleware
-											}
+											...freshPagesNextData
 										})}${i18nConfig ? `;window.__VINEXT_LOCALE__=${safeJsonStringify(locale ?? currentDefaultLocale)};window.__VINEXT_LOCALES__=${safeJsonStringify(i18nConfig.locales)};window.__VINEXT_DEFAULT_LOCALE__=${safeJsonStringify(currentDefaultLocale)}` : ""}<\/script>`}\n  ${cachedHtml.match(/<script type="module">[\s\S]*?<\/script>/)?.[0] ?? ""}</body></html>`, freshProps), revalidate);
 										setRevalidateDuration(cacheKey, revalidate);
 									}
@@ -475,11 +517,15 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 							routePath: route.pattern,
 							routeType: "render"
 						});
-						const revalidateSecs = getRevalidateDuration(cacheKey) ?? 60;
+						const { cacheControl: staleCacheControl } = decideIsr({
+							cacheState: "STALE",
+							kind: "dev",
+							revalidateSeconds: getRevalidateDuration(cacheKey) ?? 60
+						});
 						const staleHeaders = {
 							"Content-Type": "text/html",
 							...buildCacheStateHeaders("STALE"),
-							"Cache-Control": `s-maxage=${revalidateSecs}, stale-while-revalidate`
+							"Cache-Control": staleCacheControl
 						};
 						if (earlyFontLinkHeader) staleHeaders["Link"] = earlyFontLinkHeader;
 						res.writeHead(200, staleHeaders);
@@ -491,7 +537,7 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 						locale: locale ?? currentDefaultLocale,
 						locales: i18nConfig?.locales,
 						defaultLocale: currentDefaultLocale,
-						revalidateReason: "stale"
+						revalidateReason: isOnDemandRevalidate ? "on-demand" : "stale"
 					};
 					const result = await pageModule.getStaticProps(context);
 					if (result && "props" in result) pageProps = result.props;
@@ -501,7 +547,10 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 					}
 					if (result && "notFound" in result && result.notFound) {
 						if (isDataReq) {
-							res.writeHead(404, { "Content-Type": "application/json" });
+							const deploymentId = process.env.__VINEXT_DEPLOYMENT_ID || process.env.NEXT_DEPLOYMENT_ID;
+							const notFoundHeaders = { "Content-Type": "application/json" };
+							if (deploymentId) notFoundHeaders[NEXTJS_DEPLOYMENT_ID_HEADER] = deploymentId;
+							res.writeHead(404, notFoundHeaders);
 							res.end("{}");
 							return;
 						}
@@ -531,16 +580,16 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 				if (isDataReq) {
 					const dataHeaders = { "Content-Type": "application/json" };
 					if (gsspExtraHeaders) for (const [k, v] of Object.entries(gsspExtraHeaders)) dataHeaders[k] = v;
+					const dataRoutePattern = patternToNextFormat(route.pattern);
+					if (dataRoutePattern !== "/_error" && dataRoutePattern !== "/500") {
+						const deploymentId = process.env.__VINEXT_DEPLOYMENT_ID || process.env.NEXT_DEPLOYMENT_ID;
+						if (deploymentId) dataHeaders[NEXTJS_DEPLOYMENT_ID_HEADER] = deploymentId;
+					}
 					res.writeHead(statusCode ?? 200, dataHeaders);
 					res.end(JSON.stringify({ pageProps }));
 					_renderEnd = now();
 					return;
 				}
-				let AppComponent = null;
-				const appPath = path.join(pagesDir, "_app");
-				if (findFileWithExtensions(appPath, matcher)) try {
-					AppComponent = (await importModule(runner, appPath)).default ?? null;
-				} catch {}
 				const createElement = React.createElement;
 				let element;
 				const wrapWithRouterContext = routerShim.wrapWithRouterContext;
@@ -584,6 +633,15 @@ function createSSRHandler(server, runner, routes, pagesDir, i18nConfig, fileMatc
 				const viteRoot = server.config.root;
 				const pageModuleUrl = "/" + path.relative(viteRoot, route.filePath);
 				const appModuleUrl = AppComponent ? "/" + path.relative(viteRoot, path.join(pagesDir, "_app")) : null;
+				const serializedPagesNextData = {
+					...pagesNextData,
+					__vinext: {
+						...pagesNextData.__vinext,
+						pageModuleUrl,
+						appModuleUrl,
+						hasMiddleware
+					}
+				};
 				const hydrationScript = `
 <script type="module"${nonceAttr}>
 import "vinext/instrumentation-client";
@@ -641,22 +699,18 @@ hydrate();
 					locales: i18nConfig?.locales,
 					defaultLocale: currentDefaultLocale,
 					domainLocales,
-					__vinext: {
-						pageModuleUrl,
-						appModuleUrl,
-						hasMiddleware
-					}
+					...serializedPagesNextData
 				})}${i18nConfig ? `;window.__VINEXT_LOCALE__=${safeJsonStringify(locale ?? currentDefaultLocale)};window.__VINEXT_LOCALES__=${safeJsonStringify(i18nConfig.locales)};window.__VINEXT_DEFAULT_LOCALE__=${safeJsonStringify(currentDefaultLocale)}` : ""}`, scriptNonce);
 				const docPath = path.join(pagesDir, "_document");
 				let DocumentComponent = null;
 				if (findFileWithExtensions(docPath, matcher)) try {
 					DocumentComponent = (await runner.import(docPath)).default ?? null;
 				} catch {}
-				const allScripts = `${nextDataScript}\n  ${hydrationScript}`;
+				const allScripts = `${nextDataScript}\n  ${createInlineScriptTag(`window.__VINEXT_PAGE_PATTERNS__=${safeJsonStringify(pagePatterns)}`, scriptNonce)}\n  ${hydrationScript}`;
 				const extraHeaders = { ...gsspExtraHeaders };
-				if (isrRevalidateSeconds) if (scriptNonce) extraHeaders["Cache-Control"] = "no-store, must-revalidate";
+				if (isrRevalidateSeconds) if (scriptNonce) extraHeaders["Cache-Control"] = NO_STORE_CACHE_CONTROL;
 				else {
-					extraHeaders["Cache-Control"] = `s-maxage=${isrRevalidateSeconds}, stale-while-revalidate`;
+					extraHeaders["Cache-Control"] = buildMissIsrCacheControl(isrRevalidateSeconds);
 					Object.assign(extraHeaders, buildCacheStateHeaders("MISS"));
 				}
 				if (allFontPreloads.length > 0) extraHeaders["Link"] = allFontPreloads.map((p) => `<${p.href}>; rel=preload; as=font; type=${p.type}; crossorigin`).join(", ");

package/dist/server/headers.d.ts

@@ -60,6 +60,13 @@ declare const RSC_ACTION_HEADER = "x-rsc-action";
 declare const NEXT_ACTION_HEADER = "next-action";
 /** Next.js action-not-found indicator (value "1"). */
 declare const NEXTJS_ACTION_NOT_FOUND_HEADER = "x-nextjs-action-not-found";
+/**
+ * Deployment ID header used by the Pages Router for deployment-skew
+ * protection. Set on every `/_next/data/` response so the client can detect
+ * when a new deployment has been rolled out and trigger a hard navigation.
+ * Mirrors `NEXT_NAV_DEPLOYMENT_ID_HEADER` from Next.js `lib/constants.ts`.
+ */
+declare const NEXTJS_DEPLOYMENT_ID_HEADER = "x-nextjs-deployment-id";
 /** Forwarded action marker — set when a request has already been forwarded between workers. */
 declare const ACTION_FORWARDED_HEADER = "x-action-forwarded";
 /** Indicates revalidation occurred — value is JSON kind (1 = path/tag, 2 = dynamic-only). */
@@ -100,4 +107,4 @@ declare const INTERNAL_HEADERS: string[];
 /** Vinext-only internal headers stripped alongside Next.js protocol internals. */
 declare const VINEXT_INTERNAL_HEADERS: string[];
 //#endregion
-export { ACTION_FORWARDED_HEADER, ACTION_REDIRECT_HEADER, ACTION_REDIRECT_STATUS_HEADER, ACTION_REDIRECT_TYPE_HEADER, ACTION_REVALIDATED_HEADER, FLIGHT_HEADERS, INTERNAL_HEADERS, MIDDLEWARE_HEADER_PREFIX, MIDDLEWARE_NEXT_HEADER, MIDDLEWARE_OVERRIDE_HEADERS, MIDDLEWARE_REQUEST_HEADER_PREFIX, MIDDLEWARE_REWRITE_HEADER, MIDDLEWARE_SET_COOKIE_HEADER, NEXTJS_ACTION_NOT_FOUND_HEADER, NEXTJS_CACHE_HEADER, NEXT_ACTION_HEADER, NEXT_ROUTER_PREFETCH_HEADER, NEXT_ROUTER_SEGMENT_PREFETCH_HEADER, NEXT_ROUTER_STATE_TREE_HEADER, NEXT_URL_HEADER, RSC_ACTION_HEADER, RSC_HEADER, VINEXT_CACHE_HEADER, VINEXT_CLIENT_REUSE_MANIFEST_HEADER, VINEXT_DYNAMIC_STALE_TIME_HEADER, VINEXT_INTERCEPTION_CONTEXT_HEADER, VINEXT_INTERNAL_HEADERS, VINEXT_MOUNTED_SLOTS_HEADER, VINEXT_MW_CTX_HEADER, VINEXT_PARAMS_HEADER, VINEXT_PRERENDER_ROUTE_PARAMS_HEADER, VINEXT_PRERENDER_SECRET_HEADER, VINEXT_REVALIDATE_HEADER, VINEXT_RSC_MARKER_HEADER, VINEXT_RSC_REDIRECT_HEADER, VINEXT_RSC_RENDER_MODE_HEADER, VINEXT_STATIC_FILE_HEADER, VINEXT_TIMING_HEADER };
+export { ACTION_FORWARDED_HEADER, ACTION_REDIRECT_HEADER, ACTION_REDIRECT_STATUS_HEADER, ACTION_REDIRECT_TYPE_HEADER, ACTION_REVALIDATED_HEADER, FLIGHT_HEADERS, INTERNAL_HEADERS, MIDDLEWARE_HEADER_PREFIX, MIDDLEWARE_NEXT_HEADER, MIDDLEWARE_OVERRIDE_HEADERS, MIDDLEWARE_REQUEST_HEADER_PREFIX, MIDDLEWARE_REWRITE_HEADER, MIDDLEWARE_SET_COOKIE_HEADER, NEXTJS_ACTION_NOT_FOUND_HEADER, NEXTJS_CACHE_HEADER, NEXTJS_DEPLOYMENT_ID_HEADER, NEXT_ACTION_HEADER, NEXT_ROUTER_PREFETCH_HEADER, NEXT_ROUTER_SEGMENT_PREFETCH_HEADER, NEXT_ROUTER_STATE_TREE_HEADER, NEXT_URL_HEADER, RSC_ACTION_HEADER, RSC_HEADER, VINEXT_CACHE_HEADER, VINEXT_CLIENT_REUSE_MANIFEST_HEADER, VINEXT_DYNAMIC_STALE_TIME_HEADER, VINEXT_INTERCEPTION_CONTEXT_HEADER, VINEXT_INTERNAL_HEADERS, VINEXT_MOUNTED_SLOTS_HEADER, VINEXT_MW_CTX_HEADER, VINEXT_PARAMS_HEADER, VINEXT_PRERENDER_ROUTE_PARAMS_HEADER, VINEXT_PRERENDER_SECRET_HEADER, VINEXT_REVALIDATE_HEADER, VINEXT_RSC_MARKER_HEADER, VINEXT_RSC_REDIRECT_HEADER, VINEXT_RSC_RENDER_MODE_HEADER, VINEXT_STATIC_FILE_HEADER, VINEXT_TIMING_HEADER };

package/dist/server/headers.js

@@ -60,6 +60,13 @@ const RSC_ACTION_HEADER = "x-rsc-action";
 const NEXT_ACTION_HEADER = "next-action";
 /** Next.js action-not-found indicator (value "1"). */
 const NEXTJS_ACTION_NOT_FOUND_HEADER = "x-nextjs-action-not-found";
+/**
+* Deployment ID header used by the Pages Router for deployment-skew
+* protection. Set on every `/_next/data/` response so the client can detect
+* when a new deployment has been rolled out and trigger a hard navigation.
+* Mirrors `NEXT_NAV_DEPLOYMENT_ID_HEADER` from Next.js `lib/constants.ts`.
+*/
+const NEXTJS_DEPLOYMENT_ID_HEADER = "x-nextjs-deployment-id";
 /** Forwarded action marker — set when a request has already been forwarded between workers. */
 const ACTION_FORWARDED_HEADER = "x-action-forwarded";
 /** Indicates revalidation occurred — value is JSON kind (1 = path/tag, 2 = dynamic-only). */
@@ -122,4 +129,4 @@ const INTERNAL_HEADERS = [
 /** Vinext-only internal headers stripped alongside Next.js protocol internals. */
 const VINEXT_INTERNAL_HEADERS = [VINEXT_PRERENDER_ROUTE_PARAMS_HEADER];
 //#endregion
-export { ACTION_FORWARDED_HEADER, ACTION_REDIRECT_HEADER, ACTION_REDIRECT_STATUS_HEADER, ACTION_REDIRECT_TYPE_HEADER, ACTION_REVALIDATED_HEADER, FLIGHT_HEADERS, INTERNAL_HEADERS, MIDDLEWARE_HEADER_PREFIX, MIDDLEWARE_NEXT_HEADER, MIDDLEWARE_OVERRIDE_HEADERS, MIDDLEWARE_REQUEST_HEADER_PREFIX, MIDDLEWARE_REWRITE_HEADER, MIDDLEWARE_SET_COOKIE_HEADER, NEXTJS_ACTION_NOT_FOUND_HEADER, NEXTJS_CACHE_HEADER, NEXT_ACTION_HEADER, NEXT_ROUTER_PREFETCH_HEADER, NEXT_ROUTER_SEGMENT_PREFETCH_HEADER, NEXT_ROUTER_STATE_TREE_HEADER, NEXT_URL_HEADER, RSC_ACTION_HEADER, RSC_HEADER, VINEXT_CACHE_HEADER, VINEXT_CLIENT_REUSE_MANIFEST_HEADER, VINEXT_DYNAMIC_STALE_TIME_HEADER, VINEXT_INTERCEPTION_CONTEXT_HEADER, VINEXT_INTERNAL_HEADERS, VINEXT_MOUNTED_SLOTS_HEADER, VINEXT_MW_CTX_HEADER, VINEXT_PARAMS_HEADER, VINEXT_PRERENDER_ROUTE_PARAMS_HEADER, VINEXT_PRERENDER_SECRET_HEADER, VINEXT_REVALIDATE_HEADER, VINEXT_RSC_MARKER_HEADER, VINEXT_RSC_REDIRECT_HEADER, VINEXT_RSC_RENDER_MODE_HEADER, VINEXT_STATIC_FILE_HEADER, VINEXT_TIMING_HEADER };
+export { ACTION_FORWARDED_HEADER, ACTION_REDIRECT_HEADER, ACTION_REDIRECT_STATUS_HEADER, ACTION_REDIRECT_TYPE_HEADER, ACTION_REVALIDATED_HEADER, FLIGHT_HEADERS, INTERNAL_HEADERS, MIDDLEWARE_HEADER_PREFIX, MIDDLEWARE_NEXT_HEADER, MIDDLEWARE_OVERRIDE_HEADERS, MIDDLEWARE_REQUEST_HEADER_PREFIX, MIDDLEWARE_REWRITE_HEADER, MIDDLEWARE_SET_COOKIE_HEADER, NEXTJS_ACTION_NOT_FOUND_HEADER, NEXTJS_CACHE_HEADER, NEXTJS_DEPLOYMENT_ID_HEADER, NEXT_ACTION_HEADER, NEXT_ROUTER_PREFETCH_HEADER, NEXT_ROUTER_SEGMENT_PREFETCH_HEADER, NEXT_ROUTER_STATE_TREE_HEADER, NEXT_URL_HEADER, RSC_ACTION_HEADER, RSC_HEADER, VINEXT_CACHE_HEADER, VINEXT_CLIENT_REUSE_MANIFEST_HEADER, VINEXT_DYNAMIC_STALE_TIME_HEADER, VINEXT_INTERCEPTION_CONTEXT_HEADER, VINEXT_INTERNAL_HEADERS, VINEXT_MOUNTED_SLOTS_HEADER, VINEXT_MW_CTX_HEADER, VINEXT_PARAMS_HEADER, VINEXT_PRERENDER_ROUTE_PARAMS_HEADER, VINEXT_PRERENDER_SECRET_HEADER, VINEXT_REVALIDATE_HEADER, VINEXT_RSC_MARKER_HEADER, VINEXT_RSC_REDIRECT_HEADER, VINEXT_RSC_RENDER_MODE_HEADER, VINEXT_STATIC_FILE_HEADER, VINEXT_TIMING_HEADER };

package/dist/server/instrumentation-runtime.d.ts

@@ -34,6 +34,12 @@
  * Ensure the instrumentation module's `register()` and `onRequestError`
  * hooks have been applied exactly once.
  *
+ * After `register()` runs, we extend the OTel tracer provider so that spans
+ * created inside Cache Component renders (warmup / fallback-resume phases) use
+ * a fresh OTel context rather than inheriting the prerender work unit store.
+ * This mirrors Next.js's `afterRegistration()` call in
+ * `instrumentation-node-extensions.ts`.
+ *
  * @param instrumentationModule - The imported `instrumentation.ts` module.
  *   Passed as an argument so the generated entry can import it normally
  *   without this helper needing to know the module path.

package/dist/server/instrumentation-runtime.js

@@ -1,3 +1,4 @@
+import { extendTracerProviderForCacheComponents } from "./otel-tracer-extension.js";
 //#region src/server/instrumentation-runtime.ts
 let initialized = false;
 let initPromise = null;
@@ -8,6 +9,12 @@ function isOnRequestErrorHandler(value) {
 * Ensure the instrumentation module's `register()` and `onRequestError`
 * hooks have been applied exactly once.
 *
+* After `register()` runs, we extend the OTel tracer provider so that spans
+* created inside Cache Component renders (warmup / fallback-resume phases) use
+* a fresh OTel context rather than inheriting the prerender work unit store.
+* This mirrors Next.js's `afterRegistration()` call in
+* `instrumentation-node-extensions.ts`.
+*
 * @param instrumentationModule - The imported `instrumentation.ts` module.
 *   Passed as an argument so the generated entry can import it normally
 *   without this helper needing to know the module path.
@@ -18,6 +25,7 @@ async function ensureInstrumentationRegistered(instrumentationModule) {
 	if (initPromise) return initPromise;
 	initPromise = (async () => {
 		if (typeof instrumentationModule.register === "function") await instrumentationModule.register();
+		extendTracerProviderForCacheComponents();
 		if (isOnRequestErrorHandler(instrumentationModule.onRequestError)) globalThis.__VINEXT_onRequestErrorHandler__ = instrumentationModule.onRequestError;
 		initialized = true;
 	})();

package/dist/server/isr-cache.d.ts

@@ -5,6 +5,42 @@ import { normalizeMountedSlotsHeader } from "./app-mounted-slots-header.js";
 import { AppRscRenderMode } from "./app-rsc-render-mode.js";
 
 //#region src/server/isr-cache.d.ts
+/**
+ * Header set on the internal request that `res.revalidate()` issues to
+ * trigger on-demand ISR regeneration of a Pages Router route. Mirrors Next.js's
+ * `PRERENDER_REVALIDATE_HEADER` (`x-prerender-revalidate`) — see
+ * `.nextjs-ref/packages/next/src/lib/constants.ts`.
+ *
+ * SECURITY: in Next.js this header is NOT a presence flag — it carries the
+ * secret `previewModeId`, and `checkIsOnDemandRevalidate`
+ * (`.nextjs-ref/packages/next/src/server/api-utils/index.ts`) only treats a
+ * request as on-demand revalidation when the value *equals* that secret. If we
+ * gated on presence alone, any external client could send
+ * `x-prerender-revalidate: <anything>` to force synchronous regeneration of any
+ * ISR page, bypassing the fresh/stale cache short-circuits — a
+ * cache-stampede/DoS vector. We therefore validate the value against
+ * {@link getRevalidateSecret} (a build-time secret shared across all Workers
+ * isolates) with a constant-time comparison, and only the matching value (sent
+ * by our own `res.revalidate()`) is honored.
+ */
+declare const PRERENDER_REVALIDATE_HEADER = "x-prerender-revalidate";
+/**
+ * Companion header to {@link PRERENDER_REVALIDATE_HEADER}. When set,
+ * `res.revalidate(path, { unstable_onlyGenerated: true })` only revalidates the
+ * path if it was already generated, and a 404 response counts as a successful
+ * no-op. Mirrors Next.js's `PRERENDER_REVALIDATE_ONLY_GENERATED_HEADER`
+ * (`x-prerender-revalidate-if-generated`) — see
+ * `.nextjs-ref/packages/next/src/lib/constants.ts`.
+ */
+declare const PRERENDER_REVALIDATE_ONLY_GENERATED_HEADER = "x-prerender-revalidate-if-generated";
+declare function getRevalidateSecret(): string;
+/**
+ * Authorize an incoming request as an on-demand revalidation trigger. Mirrors
+ * Next.js's `checkIsOnDemandRevalidate`: the {@link PRERENDER_REVALIDATE_HEADER}
+ * value must *equal* the process revalidate secret. Header presence alone is
+ * NOT sufficient — see the security note on {@link PRERENDER_REVALIDATE_HEADER}.
+ */
+declare function isOnDemandRevalidateRequest(headerValue: string | string[] | null | undefined): boolean;
 type ISRCacheEntry = {
   value: CacheHandlerValue;
   isStale: boolean;
@@ -88,4 +124,4 @@ declare function setRevalidateDuration(key: string, seconds: number): void;
  */
 declare function getRevalidateDuration(key: string): number | undefined;
 //#endregion
-export { ISRCacheEntry, appIsrHtmlKey, appIsrRouteKey, appIsrRscKey, buildAppPageCacheValue, buildPagesCacheValue, getRevalidateDuration, isrCacheKey, isrGet, isrSet, isrSetPrerenderedAppPage, normalizeMountedSlotsHeader, setRevalidateDuration, triggerBackgroundRegeneration };
+export { ISRCacheEntry, PRERENDER_REVALIDATE_HEADER, PRERENDER_REVALIDATE_ONLY_GENERATED_HEADER, appIsrHtmlKey, appIsrRouteKey, appIsrRscKey, buildAppPageCacheValue, buildPagesCacheValue, getRevalidateDuration, getRevalidateSecret, isOnDemandRevalidateRequest, isrCacheKey, isrGet, isrSet, isrSetPrerenderedAppPage, normalizeMountedSlotsHeader, setRevalidateDuration, triggerBackgroundRegeneration };

package/dist/server/isr-cache.js

@@ -7,6 +7,90 @@ import { APP_RSC_RENDER_MODE_NAVIGATION, getRscRenderModeCacheVariant } from "./
 import { normalizeAppPageInterceptionProofPathname } from "./app-page-render-identity.js";
 //#region src/server/isr-cache.ts
 /**
+* Header set on the internal request that `res.revalidate()` issues to
+* trigger on-demand ISR regeneration of a Pages Router route. Mirrors Next.js's
+* `PRERENDER_REVALIDATE_HEADER` (`x-prerender-revalidate`) — see
+* `.nextjs-ref/packages/next/src/lib/constants.ts`.
+*
+* SECURITY: in Next.js this header is NOT a presence flag — it carries the
+* secret `previewModeId`, and `checkIsOnDemandRevalidate`
+* (`.nextjs-ref/packages/next/src/server/api-utils/index.ts`) only treats a
+* request as on-demand revalidation when the value *equals* that secret. If we
+* gated on presence alone, any external client could send
+* `x-prerender-revalidate: <anything>` to force synchronous regeneration of any
+* ISR page, bypassing the fresh/stale cache short-circuits — a
+* cache-stampede/DoS vector. We therefore validate the value against
+* {@link getRevalidateSecret} (a build-time secret shared across all Workers
+* isolates) with a constant-time comparison, and only the matching value (sent
+* by our own `res.revalidate()`) is honored.
+*/
+const PRERENDER_REVALIDATE_HEADER = "x-prerender-revalidate";
+/**
+* Companion header to {@link PRERENDER_REVALIDATE_HEADER}. When set,
+* `res.revalidate(path, { unstable_onlyGenerated: true })` only revalidates the
+* path if it was already generated, and a 404 response counts as a successful
+* no-op. Mirrors Next.js's `PRERENDER_REVALIDATE_ONLY_GENERATED_HEADER`
+* (`x-prerender-revalidate-if-generated`) — see
+* `.nextjs-ref/packages/next/src/lib/constants.ts`.
+*/
+const PRERENDER_REVALIDATE_ONLY_GENERATED_HEADER = "x-prerender-revalidate-if-generated";
+/**
+* Build-time secret that authenticates on-demand revalidation requests, the
+* vinext analog of Next.js's prerender-manifest `previewModeId`.
+*
+* `res.revalidate()` loops back into the server via an internal `fetch()`. On
+* Cloudflare Workers that loopback can land on a *different* isolate than the
+* sender, so a per-process random secret would mismatch across isolates and
+* false-reject legitimate revalidations (and, symmetrically, two isolates with
+* independently-rolled secrets could never agree). The fix mirrors Next.js's
+* `previewModeId`: the secret is generated once at BUILD time and baked
+* (server-only — never into the client bundle) into every server bundle via the
+* `__VINEXT_REVALIDATE_SECRET` Vite `define`, so it is byte-for-byte identical in
+* every isolate. See `vinext build` CLI (`__VINEXT_SHARED_REVALIDATE_SECRET`) and
+* the `vinext:compiler-define-server` plugin. The sender attaches it as the
+* {@link PRERENDER_REVALIDATE_HEADER} value; the receiver authorizes a request
+* only when the incoming value equals this secret (see
+* {@link isOnDemandRevalidateRequest}).
+*
+* When the build-time define is absent — dev mode, and any path that doesn't
+* run through `vinext build` — we fall back to a lazily-generated random secret.
+* Those paths are single-process, so a module-scoped value is shared by sender
+* and receiver there — no regression.
+*/
+let devRevalidateSecret;
+function getRevalidateSecret() {
+	const baked = process.env.__VINEXT_REVALIDATE_SECRET;
+	if (baked) return baked;
+	if (devRevalidateSecret === void 0) {
+		const bytes = new Uint8Array(32);
+		crypto.getRandomValues(bytes);
+		devRevalidateSecret = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+	}
+	return devRevalidateSecret;
+}
+/**
+* Constant-time string equality. Avoids leaking secret length / prefix via
+* early-exit timing on the on-demand revalidation auth check. Returns false
+* for length mismatch (the only safe option without revealing the secret
+* length, and equality is impossible anyway).
+*/
+function safeEqual(a, b) {
+	if (a.length !== b.length) return false;
+	let mismatch = 0;
+	for (let i = 0; i < a.length; i++) mismatch |= a.charCodeAt(i) ^ b.charCodeAt(i);
+	return mismatch === 0;
+}
+/**
+* Authorize an incoming request as an on-demand revalidation trigger. Mirrors
+* Next.js's `checkIsOnDemandRevalidate`: the {@link PRERENDER_REVALIDATE_HEADER}
+* value must *equal* the process revalidate secret. Header presence alone is
+* NOT sufficient — see the security note on {@link PRERENDER_REVALIDATE_HEADER}.
+*/
+function isOnDemandRevalidateRequest(headerValue) {
+	if (typeof headerValue !== "string" || headerValue.length === 0) return false;
+	return safeEqual(headerValue, getRevalidateSecret());
+}
+/**
 * Get a cache entry with staleness information.
 *
 * Returns { value, isStale: false } for fresh entries,
@@ -195,4 +279,4 @@ function getRevalidateDuration(key) {
 	return revalidateDurations.get(key);
 }
 //#endregion
-export { appIsrHtmlKey, appIsrRouteKey, appIsrRscKey, buildAppPageCacheValue, buildPagesCacheValue, getRevalidateDuration, isrCacheKey, isrGet, isrSet, isrSetPrerenderedAppPage, normalizeMountedSlotsHeader, setRevalidateDuration, triggerBackgroundRegeneration };
+export { PRERENDER_REVALIDATE_HEADER, PRERENDER_REVALIDATE_ONLY_GENERATED_HEADER, appIsrHtmlKey, appIsrRouteKey, appIsrRscKey, buildAppPageCacheValue, buildPagesCacheValue, getRevalidateDuration, getRevalidateSecret, isOnDemandRevalidateRequest, isrCacheKey, isrGet, isrSet, isrSetPrerenderedAppPage, normalizeMountedSlotsHeader, setRevalidateDuration, triggerBackgroundRegeneration };

package/dist/server/isr-decision.d.ts

@@ -0,0 +1,79 @@
+import { CacheControlMetadata } from "../shims/cache.js";
+import { NEVER_CACHE_CONTROL, NO_STORE_CACHE_CONTROL } from "./cache-control.js";
+
+//#region src/server/isr-decision.d.ts
+type IsrDisposition = "HIT" | "STALE" | "MISS";
+type IsrDecision = {
+  disposition: IsrDisposition; /** True when the caller must schedule a background regeneration. */
+  scheduleRegeneration: boolean; /** The `Cache-Control` string to stamp on the response. */
+  cacheControl: string;
+};
+/**
+ * Per-router special-case policies for `Cache-Control`.
+ *
+ * - `"app-page"` / `"pages"`: `buildCachedRevalidateCacheControl` for HIT/STALE.
+ * - `"app-route"`: same, but `revalidateSeconds=0` forces `NEVER_CACHE_CONTROL`
+ *   and `revalidateSeconds=Infinity` forces `STATIC_CACHE_CONTROL`.
+ * - `"dev"`: like `"pages"`, but `revalidate=0`/`Infinity` guards are absent
+ *   (dev never caches when revalidate=0 and never has Infinity entries in practice).
+ */
+type IsrPolicyKind = "app-page" | "app-route" | "pages" | "dev";
+type DecideIsrOptions = {
+  /**
+   * The cache state. Content guards (kind-mismatch, empty body,
+   * query-variant-unproven) must have already passed before passing
+   * `"HIT"` or `"STALE"` here.
+   */
+  cacheState: "HIT" | "STALE" | "MISS"; /** Which router is making the decision. */
+  kind: IsrPolicyKind;
+  /**
+   * The route's configured revalidate window in seconds. Used as the fallback
+   * when `cacheControlMeta` is absent.
+   *
+   * For `"dev"` call sites this is the only source of the revalidate value —
+   * dev never has metadata attached to a cache entry.
+   */
+  revalidateSeconds: number;
+  /**
+   * The expire ceiling (seconds from epoch) read from the route config.
+   * Absent when the route pre-dates expire metadata support.
+   */
+  expireSeconds?: number;
+  /**
+   * Optional per-entry metadata written alongside the cache value.
+   * When present its `revalidate`/`expire` fields override the route defaults,
+   * exactly as the call sites do today with `cacheControl?.revalidate ?? revalidateSeconds`.
+   */
+  cacheControlMeta?: CacheControlMetadata;
+};
+/**
+ * Derive the `Cache-Control` string for an ISR response.
+ *
+ * Content guards (kind mismatch, query-variant-unproven, empty body) are the
+ * caller's responsibility and must happen *before* this call. `cacheState`
+ * must only be `"HIT"` or `"STALE"` when those guards have already passed.
+ */
+declare function decideIsr(options: DecideIsrOptions): IsrDecision;
+/**
+ * Build the `Cache-Control` string for a fresh MISS response whose ISR policy
+ * is known (i.e. revalidate is set and > 0). Uses the unbounded SWR form when
+ * no expire ceiling is available, exactly as `buildRevalidateCacheControl` does.
+ *
+ * Separate from `decideIsr` because a MISS doesn't read a cache entry and
+ * therefore never has `cacheControlMeta`. `expireSeconds` here is the route
+ * config ceiling passed directly from the caller (not a per-entry fallback).
+ */
+declare function buildMissIsrCacheControl(revalidateSeconds: number, expireSeconds?: number): string;
+/**
+ * Build the `Cache-Control` string for a fresh (MISS) app-route response.
+ *
+ * Applies the same `revalidateSeconds=0`→NEVER and `Infinity`→STATIC gates
+ * that `decideIsr` uses for app-route cached responses. `expireSeconds` is
+ * the route config ceiling passed directly (not per-entry metadata fallback).
+ *
+ * Used by `applyRouteHandlerRevalidateHeader` which operates on a fresh
+ * response that has no per-entry cache metadata.
+ */
+declare function buildAppRouteMissIsrCacheControl(revalidateSeconds: number, expireSeconds?: number): string;
+//#endregion
+export { NEVER_CACHE_CONTROL as ISR_NEVER_CACHE_CONTROL, NO_STORE_CACHE_CONTROL as ISR_NO_STORE_CACHE_CONTROL, buildAppRouteMissIsrCacheControl, buildMissIsrCacheControl, decideIsr };