fix(app-router): validate RSC cache-busting params

[NathanDrake2406]

What this changes

Adds a shared App Router RSC cache-busting helper and wires generated RSC entries to reject malformed RSC requests by redirecting them to the canonical _rsc URL. Client-side RSC fetches now send RSC: 1 plus a cache-busting _rsc search param derived from the request headers that can change the RSC payload.

The shared helper also centralizes the App Router RSC Vary header set and includes both Next-compatible headers and Vinext-specific variant headers:

• RSC
• Accept
• Next-Router-State-Tree
• Next-Router-Prefetch
• Next-Router-Segment-Prefetch
• Next-Url
• X-Vinext-Interception-Context
• X-Vinext-Mounted-Slots

Fixes #988.

Why

Next.js now treats the URL as the defensive cache key for RSC requests because some CDNs do not respect Vary. The relevant upstream behavior is:

• Next sends RSC: 1 on Flight fetches: https://github.com/vercel/next.js/blob/canary/packages/next/src/client/components/router-reducer/fetch-server-response.ts#L147-L155
• Next appends a cache-busting _rsc search param before fetching: https://github.com/vercel/next.js/blob/canary/packages/next/src/client/components/router-reducer/fetch-server-response.ts#L532-L537
• Next computes a compact SHA-256-derived header hash: https://github.com/vercel/next.js/blob/canary/packages/next/src/shared/lib/router/utils/cache-busting-search-param.ts#L47-L77
• Next validates the incoming hash and redirects mismatches to the canonical URL: https://github.com/vercel/next.js/blob/canary/packages/next/src/server/base-server.ts#L2051-L2123
• Next includes the RSC variant headers in Vary, with Next-Url added for interception-sensitive routes: https://github.com/vercel/next.js/blob/canary/packages/next/src/server/base-server.ts#L2003-L2023 and https://github.com/vercel/next.js/blob/canary/packages/next/src/server/route-modules/app-page/module.ts#L188-L195

Vinext uses .rsc URLs rather than the exact same visible URL for HTML and RSC, so the HTML-vs-RSC variant is already separated by pathname. The gap is still real because Vinext's .rsc response can vary by request headers such as mounted slots and interception context. A CDN that keys only by URL could serve the wrong RSC payload for another slot or interception context.

Approach

• Add server/app-rsc-cache-busting.ts as the normal module that owns request headers, _rsc hashing, canonical redirect validation, and the shared RSC Vary value.
• Keep entries/app-rsc-entry.ts as app-shape codegen: it imports the helper, computes isRscRequest, and delegates validation.
• Update browser navigation, link prefetch, router prefetch, initial hydration fetches, HMR fetches, and server-action fetches to build canonical RSC request URLs through the helper.
• Update App Router response helpers to use the shared Vary value.
• De-duplicate Vary tokens when merging middleware headers, so middleware can add its own Vary values without duplicating the base App Router set.

Validation

• vp check
• vp run knip --no-progress
• vp test run tests/app-rsc-cache-busting.test.ts tests/app-browser-entry.test.ts tests/prefetch-cache.test.ts tests/entry-templates.test.ts
• vp test run tests/app-rsc-cache-busting.test.ts tests/app-browser-entry.test.ts tests/app-page-cache.test.ts tests/app-page-response.test.ts tests/app-page-boundary-render.test.ts tests/app-page-stream.test.ts tests/app-server-action-execution.test.ts tests/entry-templates.test.ts
• vp test run tests/app-router.test.ts -t "RSC"

Risks / follow-ups

This intentionally adapts the Next.js invariant to Vinext's current .rsc URL model instead of switching Vinext to same-URL Flight fetches. The hash includes Next-compatible RSC variant headers for forward compatibility and the Vinext-specific headers that currently affect payload shape.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/vinext@991

commit: 535233d