vinext 0.1.3 → 0.1.4

package/dist/server/app-browser-state.js

@@ -8,6 +8,7 @@ import "./app-bfcache-id.js";
 import { createHistoryStateWithNavigationMetadata, createHistoryStateWithPreviousNextUrl, isBfcacheSegmentId, isHistoryStateBfcacheVersionCurrent, readHistoryStateBfcacheIds, readHistoryStateBfcacheVersion, readHistoryStatePreviousNextUrl, readHistoryStateTraversalIndex, resolveHistoryTraversalIntent } from "./app-history-state.js";
 import { createRscRequestHeaders } from "./app-rsc-cache-busting.js";
 import { NavigationTraceReasonCodes, createNavigationLifecycleTraceFields, createNavigationTrace } from "./navigation-trace.js";
+import { verifyOperationTokenForCommit } from "./operation-token.js";
 import { navigationPlanner, resolveDefaultOrUnmatchedSlotPersistenceForLayouts } from "./navigation-planner.js";
 import { createSnapshotPathAndSearch } from "../shims/navigation.js";
 import { createCacheEntryReuseProof } from "./cache-proof.js";
@@ -192,7 +193,17 @@ function resolveServerActionRequestState(options) {
 }
 function resolvePendingNavigationCommitDispositionDecision(options) {
 	const traceFields = createPendingNavigationTraceFields(options);
-	if (options.startedNavigationId !== options.activeNavigationId || options.pending.action.operation.startedVisibleCommitVersion !== options.currentState.visibleCommitVersion) return {
+	const targetSnapshot = createPendingRouteSnapshot(options.pending);
+	const verdict = verifyOperationTokenForCommit(createPendingNavigationOperationToken({
+		pending: options.pending,
+		routeManifest: options.routeManifest ?? null,
+		startedNavigationId: options.startedNavigationId,
+		targetSnapshot
+	}), {
+		activeNavigationId: options.activeNavigationId,
+		visibleCommitVersion: options.currentState.visibleCommitVersion
+	});
+	if (!verdict.authorized) return {
 		disposition: "skip",
 		preserveElementIds: [],
 		trace: createNavigationTrace(NavigationTraceReasonCodes.staleOperation, traceFields)
@@ -202,6 +213,8 @@ function resolvePendingNavigationCommitDispositionDecision(options) {
 		pending: options.pending,
 		routeManifest: options.routeManifest ?? null,
 		targetHref: options.targetHref,
+		targetSnapshot,
+		token: verdict.token,
 		traceFields
 	}));
 	return mergeSkippedLayoutPreservation({
@@ -277,6 +290,7 @@ function createPendingNavigationOperationToken(options) {
 		deploymentVersion: null,
 		graphVersion: options.routeManifest?.graphVersion ?? null,
 		lane: options.pending.action.operation.lane,
+		navigationId: options.startedNavigationId,
 		operationId: options.pending.action.operation.id,
 		targetSnapshotFingerprint: createRootBoundarySnapshotFingerprint(options.targetSnapshot)
 	};
@@ -285,17 +299,11 @@ function createRootBoundarySnapshotFingerprint(snapshot) {
 	return `${snapshot.routeId}|root:${snapshot.rootBoundaryId ?? "unknown"}`;
 }
 function planPendingRootBoundaryFlightResponse(options) {
-	const targetSnapshot = createPendingRouteSnapshot(options.pending);
-	const token = createPendingNavigationOperationToken({
-		pending: options.pending,
-		routeManifest: options.routeManifest,
-		targetSnapshot
-	});
 	const cacheEntryReuseProof = options.pending.cacheEntryReuseProof;
 	return navigationPlanner.plan({
 		routeManifest: options.routeManifest,
 		state: {
-			nextOperationToken: token,
+			nextOperationToken: options.token,
 			traceFields: options.traceFields,
 			visibleCommitVersion: options.currentState.visibleCommitVersion,
 			visibleSnapshot: createVisibleRouteSnapshot(options.currentState)
@@ -304,10 +312,10 @@ function planPendingRootBoundaryFlightResponse(options) {
 			kind: "flightResponseArrived",
 			result: {
 				...cacheEntryReuseProof ? { cacheEntryReuseProof } : {},
-				href: options.targetHref ?? targetSnapshot.displayUrl,
-				targetSnapshot
+				href: options.targetHref ?? options.targetSnapshot.displayUrl,
+				targetSnapshot: options.targetSnapshot
 			},
-			token
+			token: options.token
 		}
 	});
 }

package/dist/server/app-browser-visible-commit.d.ts

@@ -1,7 +1,7 @@
 import { RouteManifest } from "../routing/app-route-graph.js";
 import { AppElements } from "./app-elements-wire.js";
 import { NavigationTrace } from "./navigation-trace.js";
-import { OperationLane } from "./navigation-planner.js";
+import { OperationLane } from "./operation-token.js";
 import { ClientNavigationRenderSnapshot } from "../shims/navigation.js";
 import { AppNavigationPayloadOrigin, AppRouterAction, AppRouterState, PendingNavigationCommit } from "./app-browser-state.js";
 

package/dist/server/app-pages-bridge.d.ts

@@ -5,7 +5,9 @@ type PagesEntry = {
   handleApiRoute?: (request: Request, url: string) => Promise<Response> | Response;
   matchApiRoute?: (url: string, request: Request) => PagesRouteMatch | null;
   matchPageRoute?: (url: string, request: Request) => PagesRouteMatch | null;
-  renderPage?: (request: Request, url: string, query: Record<string, unknown>, parsedUrl: unknown, middlewareRequestHeaders?: Headers | null) => Promise<Response> | Response;
+  renderPage?: (request: Request, url: string, query: Record<string, unknown>, parsedUrl: unknown, middlewareRequestHeaders?: Headers | null, options?: {
+    isDataReq?: boolean;
+  }) => Promise<Response> | Response;
 };
 type PagesRouteMatch = {
   route: {
@@ -44,10 +46,12 @@ type RenderPagesFallbackDependencies = {
 type RenderPagesFallbackOptions = {
   allowRscDocumentFallback?: boolean;
   appRouteMatch?: AppRouteMatch | null;
+  isDataRequest?: boolean;
   isRscRequest: boolean;
   matchKind?: "dynamic" | "static";
   middlewareContext: AppMiddlewareContext;
   pathname?: string;
+  pagesDataRequest?: Request | null;
   request: Request;
   url: URL;
 };

package/dist/server/app-pages-bridge.js

@@ -1,26 +1,17 @@
+import { cloneRequestWithHeaders, cloneRequestWithUrl } from "./request-pipeline.js";
 import { pagesRouteHasPriorityOverAppRoute } from "./hybrid-route-priority.js";
 //#region src/server/app-pages-bridge.ts
 /**
 * Fallback handler to route App Router requests to the Pages Router when no App Router route matches.
 */
 async function renderPagesFallback(options, dependencies) {
-	const { allowRscDocumentFallback = false, appRouteMatch = null, isRscRequest, matchKind, middlewareContext, pathname = options.url.pathname, request, url } = options;
+	const { allowRscDocumentFallback = false, appRouteMatch = null, isDataRequest = false, isRscRequest, matchKind, middlewareContext, pathname = options.url.pathname, pagesDataRequest = null, request, url } = options;
 	const { loadPagesEntry, buildRequestHeaders, decodePathParams, applyRouteHandlerMiddlewareContext, getDraftModeCookieHeader } = dependencies;
 	if (isRscRequest && !allowRscDocumentFallback) return null;
 	const pagesEntry = await loadPagesEntry();
 	const pagesRequestHeaders = middlewareContext.requestHeaders ? buildRequestHeaders(request.headers, middlewareContext.requestHeaders) : null;
 	let pagesRequest = request;
-	if (pagesRequestHeaders) {
-		const pagesRequestInit = {
-			method: request.method,
-			headers: pagesRequestHeaders
-		};
-		if (request.method !== "GET" && request.method !== "HEAD") {
-			pagesRequestInit.body = request.body;
-			pagesRequestInit.duplex = "half";
-		}
-		pagesRequest = new Request(request.url, pagesRequestInit);
-	}
+	if (pagesRequestHeaders) pagesRequest = cloneRequestWithHeaders(request, pagesRequestHeaders);
 	const queryIndex = pathname.indexOf("?");
 	const pagesPathname = queryIndex === -1 ? pathname : pathname.slice(0, queryIndex);
 	const pagesSearch = queryIndex === -1 ? url.search || "" : pathname.slice(queryIndex);
@@ -46,7 +37,8 @@ async function renderPagesFallback(options, dependencies) {
 	if (pageMatch !== null && matchKind === "static" && pageMatch.route.isDynamic) return null;
 	if (pageMatch !== null && matchKind === "dynamic" && !pageMatch.route.isDynamic) return null;
 	if (appRouteMatch !== null && (pageMatch === null || !pagesRouteHasPriorityOverAppRoute(pageMatch.route, appRouteMatch.route))) return null;
-	const pagesRes = await pagesEntry.renderPage(pagesRequest, pagesUrl, {}, void 0, middlewareContext.requestHeaders);
+	const renderRequest = pagesDataRequest ? cloneRequestWithUrl(pagesRequest, pagesDataRequest.url) : pagesRequest;
+	const pagesRes = isDataRequest ? await pagesEntry.renderPage(renderRequest, pagesUrl, {}, void 0, middlewareContext.requestHeaders, { isDataReq: true }) : await pagesEntry.renderPage(renderRequest, pagesUrl, {}, void 0, middlewareContext.requestHeaders);
 	if (pagesRes.status === 404 && pageMatch === null) return null;
 	return applyDraftModeCookie(pagesRes, getDraftModeCookieHeader());
 }

package/dist/server/app-rsc-handler.d.ts

@@ -130,10 +130,12 @@ type RenderPagesFallbackOptions = {
       pattern: string;
     };
   } | null;
+  isDataRequest?: boolean;
   isRscRequest: boolean;
   matchKind?: "dynamic" | "static";
   middlewareContext: AppRscMiddlewareContext;
   pathname?: string;
+  pagesDataRequest?: Request | null;
   request: Request;
   url: URL;
 };
@@ -144,6 +146,7 @@ type NavigationContextValue = {
 };
 type CreateAppRscHandlerOptions<TRoute extends AppRscHandlerRoute> = {
   basePath: string;
+  buildId: string | null;
   cacheComponents?: boolean;
   clearRequestContext: () => void;
   configHeaders: NextHeader[];

package/dist/server/app-rsc-handler.js

@@ -1,5 +1,5 @@
 import { createRequestContext, runWithRequestContext } from "../shims/unified-request-context.js";
-import { hasBasePath } from "../utils/base-path.js";
+import { addBasePathToPathname, hasBasePath, stripBasePath } from "../utils/base-path.js";
 import { getRequestExecutionContext } from "../shims/request-context.js";
 import { ACTION_REVALIDATED_HEADER, VINEXT_MW_CTX_HEADER, VINEXT_PRERENDER_ROUTE_PARAMS_HEADER } from "./headers.js";
 import { isExternalUrl, matchRedirect, matchRewrite, preserveRedirectDestinationQuery, proxyExternalRequest, requestContextFromRequest, sanitizeDestination } from "../config/config-matchers.js";
@@ -14,6 +14,7 @@ import { normalizeDefaultLocalePathname } from "./pages-i18n.js";
 import { DEFAULT_DEVICE_SIZES, DEFAULT_IMAGE_SIZES, isImageOptimizationPath, resolveDevImageRedirect } from "./image-optimization.js";
 import { mergeMiddlewareResponseHeaders } from "./middleware-response-headers.js";
 import "./app-page-response.js";
+import { buildNextDataNotFoundResponse, normalizePagesDataRequest } from "./pages-data-route.js";
 import { createAppPprFallbackShells } from "./app-ppr-fallback-shell.js";
 import { matchPrerenderRouteParamsPayload, readTrustedPrerenderRouteParams, serializePrerenderRouteParamsHeader } from "./prerender-route-params.js";
 import { getRenderedConcreteUrlPathsForRoute } from "./pregenerated-concrete-paths.js";
@@ -108,7 +109,7 @@ function requestWithoutRscSuffix(request) {
 	url.pathname = pathname;
 	return cloneRequestWithUrl(request.body ? request.clone() : request, url.toString());
 }
-async function handleAppRscRequest(options, request, preMiddlewareRequestContext, isDataRequest) {
+async function handleAppRscRequest(options, request, preMiddlewareRequestContext, isDataRequest, pagesDataRequest) {
 	const handlerStart = process.env.NODE_ENV !== "production" ? performance.now() : 0;
 	if (process.env.NODE_ENV !== "production") {
 		const originBlock = options.validateDevRequestOrigin?.(request);
@@ -119,6 +120,7 @@ async function handleAppRscRequest(options, request, preMiddlewareRequestContext
 	const { url, isRscRequest, interceptionContextHeader, mountedSlotsHeader, renderMode, clientReuseManifest } = normalized;
 	let { pathname, cleanPathname } = normalized;
 	let resolvedUrl = cleanPathname + url.search;
+	const originalResolvedUrl = resolvedUrl;
 	const getResolvedSearchParams = () => new URL(resolvedUrl, url).searchParams;
 	const canonicalPathname = cleanPathname;
 	const basePathState = {
@@ -142,6 +144,10 @@ async function handleAppRscRequest(options, request, preMiddlewareRequestContext
 	if (redirect) {
 		const destination = sanitizeDestination(redirectDestinationWithBasePath(redirect.destination, options.basePath));
 		const location = isRscRequest && request.headers.get("RSC") === "1" ? await createRscRedirectLocation(destination, request) : preserveRedirectDestinationQuery(destination, url.search);
+		if (isDataRequest) return new Response(null, {
+			status: 200,
+			headers: { "x-nextjs-redirect": location }
+		});
 		return new Response(null, {
 			status: redirect.permanent ? 308 : 307,
 			headers: { Location: location }
@@ -269,16 +275,28 @@ async function handleAppRscRequest(options, request, preMiddlewareRequestContext
 	});
 	if (serverActionResponse) return serverActionResponse;
 	let match = preActionMatch;
-	const renderPagesForMatchKind = async (matchKind) => match === null || match.route.isDynamic ? await options.renderPagesFallback?.({
-		appRouteMatch: match ?? null,
-		allowRscDocumentFallback: didMiddlewareRewrite,
-		isRscRequest,
-		matchKind,
-		middlewareContext,
-		pathname: resolvedUrl,
-		request,
-		url
-	}) ?? null : null;
+	const renderPagesForMatchKind = async (matchKind) => {
+		const response = match === null || match.route.isDynamic ? await options.renderPagesFallback?.({
+			appRouteMatch: match ?? null,
+			allowRscDocumentFallback: didMiddlewareRewrite,
+			isDataRequest,
+			isRscRequest,
+			matchKind,
+			middlewareContext,
+			pathname: resolvedUrl,
+			pagesDataRequest,
+			request,
+			url
+		}) ?? null : null;
+		if (!response || !pagesDataRequest || resolvedUrl === originalResolvedUrl) return response;
+		const headers = new Headers(response.headers);
+		headers.set("x-nextjs-rewrite", resolvedUrl);
+		return new Response(response.body, {
+			headers,
+			status: response.status,
+			statusText: response.statusText
+		});
+	};
 	const staticPagesFallbackResponse = await renderPagesForMatchKind("static");
 	if (staticPagesFallbackResponse) {
 		options.clearRequestContext();
@@ -339,6 +357,10 @@ async function handleAppRscRequest(options, request, preMiddlewareRequestContext
 		}
 		if (match) break;
 	}
+	if (pagesDataRequest) {
+		options.clearRequestContext();
+		return buildNextDataNotFoundResponse();
+	}
 	if (!match) {
 		if (process.env.NODE_ENV !== "production" && canonicalPathname === "/favicon.ico") {
 			options.clearRequestContext();
@@ -461,13 +483,27 @@ function createAppRscHandler(options) {
 		options.registerCacheAdapters();
 		await options.ensureInstrumentation?.();
 		const mwCtx = rawRequest.headers.get(VINEXT_MW_CTX_HEADER);
-		const isDataRequest = rawRequest.headers.get("x-nextjs-data") === "1";
+		const hasDataRequestHeader = rawRequest.headers.get("x-nextjs-data") === "1";
+		const pagesDataUrl = new URL(rawRequest.url);
+		const pagesDataInScope = !options.basePath || hasBasePath(pagesDataUrl.pathname, options.basePath);
+		if (pagesDataInScope) pagesDataUrl.pathname = stripBasePath(pagesDataUrl.pathname, options.basePath);
+		const pagesDataCandidate = pagesDataInScope ? cloneRequestWithUrl(rawRequest, pagesDataUrl.toString()) : null;
+		const pagesDataNormalization = options.renderPagesFallback && pagesDataCandidate ? normalizePagesDataRequest(pagesDataCandidate, options.buildId) : null;
+		if (pagesDataNormalization?.notFoundResponse) return pagesDataNormalization.notFoundResponse;
+		const isDataRequest = hasDataRequestHeader || pagesDataNormalization?.isDataReq === true;
 		const prerenderRouteParamsPayload = readTrustedPrerenderRouteParams(rawRequest);
 		const filteredHeaders = filterInternalHeaders(rawRequest.headers);
 		if (mwCtx !== null) filteredHeaders.set(VINEXT_MW_CTX_HEADER, mwCtx);
 		const prerenderRouteParamsHeader = serializePrerenderRouteParamsHeader(prerenderRouteParamsPayload);
 		if (prerenderRouteParamsHeader !== null) filteredHeaders.set(VINEXT_PRERENDER_ROUTE_PARAMS_HEADER, prerenderRouteParamsHeader);
-		const request = cloneRequestWithHeaders(rawRequest, filteredHeaders);
+		let appRequest = rawRequest;
+		if (pagesDataNormalization?.isDataReq) {
+			const appRequestUrl = new URL(pagesDataNormalization.request.url);
+			appRequestUrl.pathname = addBasePathToPathname(appRequestUrl.pathname, options.basePath);
+			appRequest = cloneRequestWithUrl(pagesDataCandidate, appRequestUrl.toString());
+		}
+		const request = cloneRequestWithHeaders(appRequest, filteredHeaders);
+		const pagesDataRequest = pagesDataNormalization?.isDataReq ? cloneRequestWithHeaders(pagesDataCandidate, filteredHeaders) : null;
 		const executionContext = isExecutionContextLike(ctx) ? ctx : getRequestExecutionContext() ?? null;
 		return runWithRequestContext(createRequestContext({
 			headersContext: headersContextFromRequest(request, { draftModeSecret: options.draftModeSecret }),
@@ -478,7 +514,7 @@ function createAppRscHandler(options) {
 			const preMiddlewareRequestContext = requestContextFromRequest(request);
 			let response;
 			try {
-				response = await handleAppRscRequest(options, request, preMiddlewareRequestContext, isDataRequest);
+				response = await handleAppRscRequest(options, request, preMiddlewareRequestContext, isDataRequest, pagesDataRequest);
 			} catch (error) {
 				if (process.env.NODE_ENV !== "production") flattenErrorCauses(error);
 				throw error;

package/dist/server/app-rsc-route-matching.js

@@ -18,6 +18,7 @@ function appRscPathnameParts(pathname) {
 function createAppRscRouteMatcher(routes) {
 	const routeTrie = buildRouteTrie(routes);
 	const interceptLookup = createInterceptLookup(routes);
+	const routeIndexes = new Map(routes.map((route, index) => [route, index]));
 	return {
 		matchRoute(url) {
 			return trieMatch(routeTrie, appRscPathnameParts(url));
@@ -26,16 +27,19 @@ function createAppRscRouteMatcher(routes) {
 			if (sourcePathname === null) return null;
 			const urlParts = appRscPathnameParts(pathname);
 			const sourceParts = appRscPathnameParts(sourcePathname);
+			const matchedSourceRoute = trieMatch(routeTrie, sourceParts);
 			for (const entry of interceptLookup) {
 				if (!matchInterceptSource(sourceParts, entry)) continue;
 				const params = matchAppRscRoutePattern(urlParts, entry.targetPatternParts);
 				if (params === null) continue;
-				const sourceRoute = routes[entry.sourceRouteIndex];
-				const matchedSourceParams = sourceRoute ? matchAppRscRoutePattern(sourceParts, sourceRoute.patternParts) : null;
+				const concreteSourceRouteIndex = matchedSourceRoute && entry.sourceMatchPatternParts !== null ? routeIndexes.get(matchedSourceRoute.route) ?? entry.sourceRouteIndex : entry.sourceRouteIndex;
+				const sourceRoute = routes[concreteSourceRouteIndex];
+				const matchedSourceParams = matchedSourceRoute && entry.sourceMatchPatternParts !== null ? matchedSourceRoute.params : sourceRoute ? matchAppRscRoutePattern(sourceParts, sourceRoute.patternParts) : null;
 				if (matchedSourceParams === null && entry.sourceMatchPatternParts === null) continue;
 				const sourceParams = matchedSourceParams ?? createRouteParams();
 				return {
 					...entry,
+					sourceRouteIndex: concreteSourceRouteIndex,
 					matchedParams: mergeMatchedParams(sourceParams, params)
 				};
 			}

package/dist/server/app-server-action-execution.js

@@ -177,7 +177,7 @@ async function readActionFormDataWithLimit(request, maxBytes) {
 		if (result.done) break;
 		totalSize += result.value.byteLength;
 		if (totalSize > maxBytes) {
-			await reader.cancel();
+			reader.cancel();
 			throw new Error("Request body too large");
 		}
 		chunks.push(result.value);
@@ -485,7 +485,10 @@ async function handleServerActionRscRequest(options) {
 	if (options.request.method.toUpperCase() !== "POST" || !options.actionId) return null;
 	const csrfResponse = validateCsrfOrigin(options.request, options.allowedOrigins);
 	if (csrfResponse) return csrfResponse;
-	if (parseInt(options.request.headers.get("content-length") || "0", 10) > options.maxActionBodySize) return renderFetchActionBodyExceededResponse(options);
+	if (parseInt(options.request.headers.get("content-length") || "0", 10) > options.maxActionBodySize) {
+		if (options.request.body) options.request.body.cancel().catch(() => {});
+		return renderFetchActionBodyExceededResponse(options);
+	}
 	try {
 		let action;
 		if (options.contentType.startsWith("multipart/form-data")) {

package/dist/server/app-ssr-entry.js

@@ -21,6 +21,7 @@ import { createBfcacheSegmentStateKeyMap, createInitialBfcacheIdMap } from "./ap
 import { RSC_FORM_STATE_GLOBAL } from "./app-browser-hydration.js";
 import { createClientReferencePreloader } from "./app-client-reference-preloader.js";
 import { deferUntilStreamConsumed } from "./app-page-stream.js";
+import { renderBeforeInteractiveInlineScripts } from "./before-interactive-head.js";
 import { createInitialDevServerErrorScript } from "./dev-initial-server-error.js";
 import { Fragment, createElement, use } from "react";
 import { renderToReadableStream, renderToStaticMarkup } from "react-dom/server.edge";
@@ -107,35 +108,6 @@ function renderInsertedHtml(insertedElements) {
 	} catch {}
 	return insertedHTML;
 }
-/**
-* Render captured `<Script strategy="beforeInteractive">` inline scripts to
-* HTML, ready to splice immediately after `<head ...>` opens. Each entry has
-* already had its inline content escaped via `escapeInlineContent(..., "script")`
-* inside the Script shim, so this function only quotes the attributes that
-* actually go on the tag (id, nonce, plus the residual passthroughs).
-*
-* Keeping this function colocated with the rest of the head-injection
-* helpers makes it obvious where the boundary is: anything passed through
-* here is being concatenated directly into HTML; treat the inputs
-* accordingly.
-*/
-const VALID_ATTR_NAME = /^[a-zA-Z][\w.-]*$/;
-function renderBeforeInteractiveInlineScripts(scripts) {
-	if (scripts.length === 0) return "";
-	let html = "";
-	for (const script of scripts) {
-		let attrs = "";
-		if (script.id) attrs += ` id="${escapeHtmlAttr(script.id)}"`;
-		attrs += createNonceAttribute(script.nonce);
-		if (script.attributes) for (const [key, value] of Object.entries(script.attributes)) {
-			if (!VALID_ATTR_NAME.test(key)) continue;
-			if (value === true) attrs += ` ${key}`;
-			else if (typeof value === "string") attrs += ` ${key}="${escapeHtmlAttr(value)}"`;
-		}
-		html += `<script${attrs}>${script.innerHTML}<\/script>`;
-	}
-	return html;
-}
 function renderFontHtml(fontData, nonce, options = {}) {
 	if (!fontData) return "";
 	let fontHTML = "";

package/dist/server/before-interactive-head.d.ts

@@ -0,0 +1,17 @@
+import { BeforeInteractiveInlineScript } from "../shims/before-interactive-context.js";
+
+//#region src/server/before-interactive-head.d.ts
+/**
+ * Render captured `<Script strategy="beforeInteractive">` scripts to HTML,
+ * ready to splice immediately after `<head ...>` opens. Each entry has already
+ * had its inline content escaped via `escapeInlineContent(..., "script")`
+ * inside the Script shim, so this function only quotes the attributes that
+ * actually go on the tag (id, src, nonce, plus the residual passthroughs).
+ *
+ * Keeping this function in its own module makes the boundary obvious: anything
+ * passed through here is being concatenated directly into HTML; treat the
+ * inputs accordingly.
+ */
+declare function renderBeforeInteractiveInlineScripts(scripts: readonly BeforeInteractiveInlineScript[]): string;
+//#endregion
+export { renderBeforeInteractiveInlineScripts };

package/dist/server/before-interactive-head.js

@@ -0,0 +1,35 @@
+import { createNonceAttribute, escapeHtmlAttr } from "./html.js";
+//#region src/server/before-interactive-head.ts
+const VALID_ATTR_NAME = /^[a-zA-Z][\w.-]*$/;
+/**
+* Render captured `<Script strategy="beforeInteractive">` scripts to HTML,
+* ready to splice immediately after `<head ...>` opens. Each entry has already
+* had its inline content escaped via `escapeInlineContent(..., "script")`
+* inside the Script shim, so this function only quotes the attributes that
+* actually go on the tag (id, src, nonce, plus the residual passthroughs).
+*
+* Keeping this function in its own module makes the boundary obvious: anything
+* passed through here is being concatenated directly into HTML; treat the
+* inputs accordingly.
+*/
+function renderBeforeInteractiveInlineScripts(scripts) {
+	if (scripts.length === 0) return "";
+	let html = "";
+	for (const script of scripts) {
+		let attrs = "";
+		if (script.id) attrs += ` id="${escapeHtmlAttr(script.id)}"`;
+		if (script.src) attrs += ` src="${escapeHtmlAttr(script.src)}"`;
+		attrs += createNonceAttribute(script.nonce);
+		if (script.attributes) for (const [key, value] of Object.entries(script.attributes)) {
+			if (!VALID_ATTR_NAME.test(key)) continue;
+			if (key === "data-nscript") continue;
+			if (value === true) attrs += ` ${key}`;
+			else if (typeof value === "string") attrs += ` ${key}="${escapeHtmlAttr(value)}"`;
+		}
+		attrs += ` data-nscript="beforeInteractive"`;
+		html += `<script${attrs}>${script.innerHTML ?? ""}<\/script>`;
+	}
+	return html;
+}
+//#endregion
+export { renderBeforeInteractiveInlineScripts };

package/dist/server/csp.js

@@ -1,8 +1,5 @@
 //#region src/server/csp.ts
 const ESCAPE_REGEX = /[&><\u2028\u2029]/;
-function matchesDirectiveName(directive, name) {
-	return directive === name || directive.startsWith(`${name} `);
-}
 function getNodeHeaderValue(headers, key) {
 	const value = headers?.[key];
 	if (Array.isArray(value)) return value.join(", ");
@@ -11,7 +8,7 @@ function getNodeHeaderValue(headers, key) {
 }
 function getScriptNonceFromHeader(cspHeaderValue) {
 	const directives = cspHeaderValue.split(";").map((directive) => directive.trim());
-	const directive = directives.find((value) => matchesDirectiveName(value, "script-src")) ?? directives.find((value) => matchesDirectiveName(value, "default-src"));
+	const directive = directives.find((value) => value.startsWith("script-src")) ?? directives.find((value) => value.startsWith("default-src"));
 	if (!directive) return;
 	const nonce = directive.split(" ").slice(1).map((source) => source.trim()).find((source) => source.startsWith("'nonce-") && source.length > 8 && source.endsWith("'"))?.slice(7, -1);
 	if (!nonce) return;