fix: apply middleware headers to intercept route and server action responses

packages/vinext/src/entries/app-rsc-entry.ts

@@ -56,6 +56,7 @@ const appPageBoundaryRenderPath = resolveEntryPath(
   import.meta.url,
 );
 const appPageRenderPath = resolveEntryPath("../server/app-page-render.js", import.meta.url);
+const appPageResponsePath = resolveEntryPath("../server/app-page-response.js", import.meta.url);
 const appPageRequestPath = resolveEntryPath("../server/app-page-request.js", import.meta.url);
 const appRouteHandlerResponsePath = resolveEntryPath(
   "../server/app-route-handler-response.js",
@@ -378,6 +379,9 @@ import {
 import {
   renderAppPageLifecycle as __renderAppPageLifecycle,
 } from ${JSON.stringify(appPageRenderPath)};
+import {
+  mergeMiddlewareResponseHeaders as __mergeMiddlewareResponseHeaders,
+} from ${JSON.stringify(appPageResponsePath)};
 import {
   buildAppPageElement as __buildAppPageElement,
   resolveAppPageIntercept as __resolveAppPageIntercept,
@@ -1877,10 +1881,14 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
         const redirectHeaders = new Headers({
           "Content-Type": "text/x-component; charset=utf-8",
           "Vary": "RSC, Accept",
-          "x-action-redirect": actionRedirect.url,
-          "x-action-redirect-type": actionRedirect.type,
-          "x-action-redirect-status": String(actionRedirect.status),
         });
+        // Merge middleware headers first so the framework's own redirect control
+        // headers below are always authoritative and cannot be clobbered by
+        // middleware that happens to set x-action-redirect* keys.
+        __mergeMiddlewareResponseHeaders(redirectHeaders, _mwCtx.headers);
+        redirectHeaders.set("x-action-redirect", actionRedirect.url);
+        redirectHeaders.set("x-action-redirect-type", actionRedirect.type);
+        redirectHeaders.set("x-action-redirect-status", String(actionRedirect.status));
         for (const cookie of actionPendingCookies) {
           redirectHeaders.append("Set-Cookie", cookie);
         }
@@ -1923,15 +1931,15 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
       const actionPendingCookies = getAndClearPendingCookies();
       const actionDraftCookie = getDraftModeCookieHeader();
 
-      const actionHeaders = { "Content-Type": "text/x-component; charset=utf-8", "Vary": "RSC, Accept" };
-      const actionResponse = new Response(rscStream, { headers: actionHeaders });
+      const actionHeaders = new Headers({ "Content-Type": "text/x-component; charset=utf-8", "Vary": "RSC, Accept" });
+      __mergeMiddlewareResponseHeaders(actionHeaders, _mwCtx.headers);
       if (actionPendingCookies.length > 0 || actionDraftCookie) {
         for (const cookie of actionPendingCookies) {
-          actionResponse.headers.append("Set-Cookie", cookie);
+          actionHeaders.append("Set-Cookie", cookie);
         }
-        if (actionDraftCookie) actionResponse.headers.append("Set-Cookie", actionDraftCookie);
+        if (actionDraftCookie) actionHeaders.append("Set-Cookie", actionDraftCookie);
       }
-      return actionResponse;
+      return new Response(rscStream, { status: _mwCtx.status ?? 200, headers: actionHeaders });
     } catch (err) {
       getAndClearPendingCookies(); // Clear pending cookies on error
       console.error("[vinext] Server action error:", err);
@@ -2330,8 +2338,11 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
       // by the client, and async server components that run during consumption need the
       // context to still be live. The AsyncLocalStorage scope from runWithRequestContext
       // handles cleanup naturally when all async continuations complete.
+      const interceptHeaders = new Headers({ "Content-Type": "text/x-component; charset=utf-8", "Vary": "RSC, Accept" });
+      __mergeMiddlewareResponseHeaders(interceptHeaders, _mwCtx.headers);
       return new Response(interceptStream, {
-        headers: { "Content-Type": "text/x-component; charset=utf-8", "Vary": "RSC, Accept" },
+        status: _mwCtx.status ?? 200,
+        headers: interceptHeaders,
       });
     },
     searchParams: url.searchParams,

packages/vinext/src/server/app-page-response.ts

@@ -157,6 +157,34 @@ export function resolveAppPageHtmlResponsePolicy(
   return { shouldWriteToCache: false };
 }
 
+/**
+ * Merge middleware response headers into a target Headers object.
+ *
+ * Set-Cookie and Vary are accumulated (append) since multiple sources can
+ * contribute values. All other headers use set() so middleware owns singular
+ * response headers like Cache-Control.
+ *
+ * Used by buildAppPageRscResponse and the generated entry for intercepting
+ * route and server action responses that bypass the normal page render path.
+ */
+export function mergeMiddlewareResponseHeaders(
+  target: Headers,
+  middlewareHeaders: Headers | null,
+): void {
+  if (!middlewareHeaders) {
+    return;
+  }
+
+  for (const [key, value] of middlewareHeaders) {
+    const lowerKey = key.toLowerCase();
+    if (lowerKey === "set-cookie" || lowerKey === "vary") {
+      target.append(key, value);
+    } else {
+      target.set(key, value);
+    }
+  }
+}
+
 export function buildAppPageRscResponse(
   body: ReadableStream,
   options: BuildAppPageRscResponseOptions,
@@ -178,20 +206,7 @@ export function buildAppPageRscResponse(
     headers.set("X-Vinext-Cache", options.policy.cacheState);
   }
 
-  if (options.middlewareContext.headers) {
-    for (const [key, value] of options.middlewareContext.headers) {
-      const lowerKey = key.toLowerCase();
-      if (lowerKey === "set-cookie" || lowerKey === "vary") {
-        headers.append(key, value);
-      } else {
-        // Keep parity with the old inline RSC path: middleware owns singular
-        // response headers like Cache-Control here, while Set-Cookie and Vary
-        // are accumulated. The HTML helper intentionally keeps its legacy
-        // append-for-everything behavior below.
-        headers.set(key, value);
-      }
-    }
-  }
+  mergeMiddlewareResponseHeaders(headers, options.middlewareContext.headers);
 
   applyTimingHeader(headers, options.timing);