react-servercommit70a320f0e40f

fix: eval (#383)

Summary

Previously, react-server and react-server build would silently treat piped stdin as the server entrypoint whenever fd 0 happened to be a pipe, file redirect, or (in production) any non-TTY context outside CI. That made the CLI's behavior depend on invisible environmental state: the same command could behave differently depending on whether it was invoked from a shell, an editor task runner, a process manager, or a subprocess whose parent happened to close stdin. It also meant stdin could be read without the user ever asking for it, which is surprising at best and unsafe at worst.

This change makes --eval the single, explicit opt-in. Stdin is now only consulted when the user passes --eval, and nothing else changes the CLI's entrypoint resolution.

Behavior

--eval "<code>" passes the inline string as the virtualized server entrypoint, the same as before. --eval with no value reads the full entrypoint from stdin — this is the new, explicit way to pipe code in. With no --eval at all, stdin is never touched, even if it is a pipe or a file redirect; the CLI falls back to the positional root or the file-router as it always did.

The JS-level signal is that the plugin's options.eval is now tri-valued: string for inline code, true for "read stdin", and anything else (undefined / false) for "don't use eval at all". The CLI option definition changed from -e, --eval <code> (required value) to -e, --eval [code] (optional value) in both dev and build commands to support the bare form.

Why

The previous auto-detection had three concrete problems. It could consume stdin from an unrelated parent process that happened to leave fd 0 open as a pipe, producing confusing "Root module not provided" errors or worse, running attacker-controlled code. It was non-deterministic across environments: the production path additionally gated on !process.env.CI, so the same invocation would take different branches in CI vs. local. And it made the --eval flag's contract ambiguous, because stdin could be the entrypoint even when --eval was absent, so users couldn't reason about the CLI from the flags alone. Making stdin opt-in via --eval collapses these three cases into one rule that is trivial to explain and impossible to trigger by accident.

Changes

lib/plugins/react-server-eval.mjs drops the fstatSync-based isStdinPiped probe entirely. The load handler now branches cleanly on options.eval: string → return it verbatim, true → read stdin, otherwise → return the "Root module not provided" stub. lib/dev/action.mjs no longer runs its own fstat on fd 0 to pick the virtual entrypoint; it selects the virtual module only when options.eval != null && options.eval !== false. lib/build/server.mjs drops the !process.stdin.isTTY && !process.env.CI heuristic at the production root-module decision and uses the same explicit check. bin/commands/dev.mjs and bin/commands/build.mjs change the cac option shape to -e, --eval [code] with clarified help text describing both forms.

Docs

Both the English and Japanese features/cli.mdx have been updated for the dev and build --eval sections. The prose explicitly calls out that stdin is never auto-consumed, and each section now carries three runnable examples: inline code, bare --eval with a pipe, and bare --eval with a shell file redirect.

Tests

Two new specs guard the contract at complementary levels. test/__test__/react-server-eval.spec.mjs is a fast unit spec that imports the react-server:eval plugin directly and exercises its load hook with a poisoned process.stdin that throws on read. It verifies that the "no --eval", "eval: false", and "--eval "<inline>"" paths all return the expected result without ever touching stdin, and that eval: true correctly reads both single-chunk and multi-chunk stdin payloads. The poisoned-stdin trick is what lets the test make a positive assertion about the absence of stdin reads, which a black-box HTTP test cannot observe. test/__test__/cli-eval.spec.mjs is an end-to-end spec that spawns the real CLI binary as a subprocess. In dev mode it covers three cases: --eval "<inline>" serves the inline marker, bare --eval + piped stdin serves the stdin marker, and a positional root file + piped invalid JavaScript serves the positional marker (the critical regression guard — if auto-eval ever comes back, the bogus stdin would either crash the server or be rendered instead of the positional root). In production mode it runs build --eval "<inline>" with bogus stdin piped in and asserts the build exits successfully, covering the build/server.mjs code path. The subprocess helper forces NO_COLOR=1 and strips ANSI defensively so readiness detection isn't broken by colored log output.

Compatibility

This is a behavior change that could in principle affect users who were relying on the undocumented auto-stdin path. In practice, the documented way to pipe code was always --eval, and the auto path was an implementation detail of the plugin. Users who were piping code without --eval need to add the flag. No API surface outside the CLI is affected.

Author: Viktor Lázár <lazarv1982@gmail.com>
Date: 2026-04-09T15:11:17+02:00
Commit: 70a320f0e40f2b5d8078d77bf807eb3d3380ecfa
Parent: 6b845f63712f

9 files changed+524 -44

Mdocs/src/pages/en/(pages)/features/cli.mdx+24 -2
Mdocs/src/pages/ja/(pages)/features/cli.mdx+24 -2
Mpackages/react-server/bin/commands/build.mjs+4 -1
Mpackages/react-server/bin/commands/dev.mjs+4 -1
Mpackages/react-server/lib/build/server.mjs+1 -1
Mpackages/react-server/lib/dev/action.mjs+4 -19
Mpackages/react-server/lib/plugins/react-server-eval.mjs+6 -18
Atest/__test__/cli-eval.spec.mjs+343 -0
Atest/__test__/react-server-eval.spec.mjs+114 -0

Mdocs/src/pages/en/(pages)/features/cli.mdx+24 -2

@@ -140,7 +140,18 @@When set, the development server will not validate your `react-server.config.*`

140	140		`### --eval`
141	141		`</Link>`
142	142
143		-	Evaluate the server entrypoint from the argument, like `node -e`. You can also use _stdin_ as the entrypoint. This type of entrypoint becomes a virtualized entrypoint and is not written to the file system.
	143	+	Evaluate the server entrypoint from the argument, like `node -e`. Pass `--eval` without a value to read the entrypoint from _stdin_ instead. Stdin is never auto-consumed — it is only read when `--eval` is explicitly passed. This type of entrypoint becomes a virtualized entrypoint and is not written to the file system.
	144	+
	145	+	```sh
	146	+	`# Inline code`
	147	+	`pnpm exec react-server --eval "export default () => <h1>Hello</h1>;"`
	148	+
	149	+	`# From stdin (note the bare --eval, with no value)`
	150	+	`echo 'export default () => <h1>Hello from stdin</h1>;' \| pnpm exec react-server --eval`
	151	+
	152	+	`# From a file via shell redirect`
	153	+	`pnpm exec react-server --eval < ./entry.jsx`
	154	+	```
144	155
145	156		`<Link name="dev-version">`
146	157		`### --version`

Mdocs/src/pages/ja/(pages)/features/cli.mdx+24 -2

@@ -140,7 +140,18 @@export default {

140	140		`### --eval`
141	141		`</Link>`
142	142
143		-	`node -e`と同じように引数からサーバーのエントリーポイントを評価します。または標準入力も指定することが出来ます。このエントリーポイントは仮想化エントリーポイントとなり、ファイルシステムには書き込まれません。
	143	+	`node -e`と同じように引数からサーバーのエントリーポイントを評価します。値を指定せずに `--eval` だけを渡すと、エントリーポイントを _標準入力_ から読み込みます。標準入力は自動的には消費されません — `--eval` が明示的に指定された場合にのみ読み込まれます。このエントリーポイントは仮想化エントリーポイントとなり、ファイルシステムには書き込まれません。
	144	+
	145	+	```sh
	146	+	`# インラインコード`
	147	+	`pnpm exec react-server --eval "export default () => <h1>Hello</h1>;"`
	148	+
	149	+	# 標準入力から（値を指定しない `--eval` に注意）
	150	+	`echo 'export default () => <h1>Hello from stdin</h1>;' \| pnpm exec react-server --eval`
	151	+
	152	+	`# シェルのリダイレクトでファイルから`
	153	+	`pnpm exec react-server --eval < ./entry.jsx`
	154	+	```
144	155
145	156		`<Link name="dev-version">`
146	157		`### --version`

Mpackages/react-server/bin/commands/build.mjs+4 -1

@@ -25,7 +25,10 @@export default (cli) =>

25	25		`"[boolean\|json] deploy using adapter, optionally pass JSON adapter options",`
26	26		`{ default: false }`
27	27		`)`
28		-	`.option("-e, --eval <code>", "evaluate code", { type: "string" })`
	28	+	`.option(`
	29	+	`"-e, --eval [code]",`
	30	+	`"evaluate code as the server entrypoint; pass without a value to read from stdin"`
	31	+	`)`
29	32		`.option("--outDir <dir>", "[string] output directory", {`
30	33		`default: ".react-server",`
31	34		`})`

Mpackages/react-server/bin/commands/dev.mjs+4 -1

@@ -24,7 +24,10 @@export default (cli) =>

24	24		`.option("--no-color", "disable color output", { default: false })`
25	25		`.option("--no-check", "skip dependency checks", { default: false })`
26	26		`.option("--no-validation", "skip config validation", { default: false })`
27		-	`.option("-e, --eval <code>", "evaluate code", { type: "string" })`
	27	+	`.option(`
	28	+	`"-e, --eval [code]",`
	29	+	`"evaluate code as the server entrypoint; pass without a value to read from stdin"`
	30	+	`)`
28	31		`.option("-o, --outDir <dir>", "[string] output directory", {`
29	32		`default: ".react-server",`
30	33		`})`

Mpackages/react-server/lib/build/server.mjs+1 -1

@@ -344,7 +344,7 @@export default async function serverBuild(root, options, clientManifestBus) {

344	344		`{ paths: [cwd] }`
345	345		`);`
346	346		`const rootModulePath =`
347		-	`!root && (options.eval \|\| (!process.stdin.isTTY && !process.env.CI))`
	347	+	`!root && options.eval != null && options.eval !== false`
348	348		`? "virtual:react-server-eval.jsx"`
349	349		`: root?.startsWith("virtual:")`
350	350		`? root`

Mpackages/react-server/lib/dev/action.mjs+4 -19

@@ -1,4 +1,3 @@

1		-	`import { fstatSync } from "node:fs";`
2	1		`import { isIPv6 } from "node:net";`
3	2
4	3		`import open from "open";`

Mpackages/react-server/lib/plugins/react-server-eval.mjs+6 -18

@@ -1,19 +1,3 @@

1		-	`import { fstatSync } from "node:fs";`
2		-
3		-	`// Check whether stdin is an actual pipe or file redirect (i.e. the user`
4		-	`// is piping code into react-server), as opposed to a TTY, /dev/null`
5		-	`// (background process), or a closed fd (spawned subprocess).`
6		-	// `isFIFO()` catches `echo "code" \| react-server`
7		-	// `isFile()` catches `react-server < file.jsx`
8		-	`function isStdinPiped() {`
9		-	`try {`
10		-	`const stat = fstatSync(0);`
11		-	`return stat.isFIFO() \|\| stat.isFile();`
12		-	`} catch {`
13		-	`return false;`
14		-	`}`
15		-	`}`
16		-
17	1		`export default function reactServerEval(options) {`
18	2		`return {`
19	3		`name: "react-server:eval",`

Atest/__test__/cli-eval.spec.mjs+343 -0

@@ -0,0 +1,343 @@

Atest/__test__/react-server-eval.spec.mjs+114 -0

@@ -0,0 +1,114 @@

1	+	// Unit tests for the `react-server:eval` Vite plugin.
2	+	`//`
3	+	`// Guards the contract:`
4	+	`// • stdin is NEVER auto-consumed — even if fd 0 is a pipe/file, the plugin`
5	+	// must not read it unless `--eval` was explicitly passed.
6	+	// • `--eval <code>` (string option) → the load handler returns that code
7	+	`// verbatim as the virtual entrypoint.`
8	+	// • `--eval` bare (boolean option === true) → the load handler reads the
9	+	`// entire entrypoint from stdin.`
10	+	`//`
11	+	// We exercise the plugin's `load` handler directly rather than spawning the
12	+	`// CLI because: (a) the decision lives entirely inside the plugin, (b) it's`
13	+	`// synchronous to set up, and (c) we can assert the "stdin is NOT touched"`
14	+	`// case by installing a process.stdin that would throw on read — something a`
15	+	`// black-box HTTP test cannot observe.`
16	+
17	+	`import { Readable } from "node:stream";`
18	+
19	+	`import { afterEach, describe, expect, test } from "vitest";`
20	+
21	+	// The plugin isn't in the package `exports`, so import it via its workspace
22	+	// file path. The `@lazarv/react-server` package is symlinked into
23	+	`// test/node_modules, so this resolves to the same source file the CLI loads.`
24	+	`import reactServerEval from "@lazarv/react-server/lib/plugins/react-server-eval.mjs";`
25	+
26	+	`// Invoke the plugin's load hook the way Vite would: the exported plugin has`
27	+	// `load` as an object with a `handler` function (filtered load hook shape).
28	+	`async function invokeLoad(plugin) {`
29	+	`const fn =`
30	+	`typeof plugin.load === "function" ? plugin.load : plugin.load.handler;`
31	+	`return fn.call({}, "virtual:react-server-eval.jsx");`
32	+	`}`
33	+
34	+	`const originalStdin = process.stdin;`
35	+
36	+	`function installStdin(stream) {`
37	+	`Object.defineProperty(process, "stdin", {`
38	+	`value: stream,`
39	+	`configurable: true,`
40	+	`writable: true,`
41	+	`});`
42	+	`}`
43	+
44	+	`function restoreStdin() {`
45	+	`Object.defineProperty(process, "stdin", {`
46	+	`value: originalStdin,`
47	+	`configurable: true,`
48	+	`writable: true,`
49	+	`});`
50	+	`}`
51	+
52	+	`// A stdin stand-in that blows up if anything tries to read from it.`
53	+	`// Used to prove that the "no --eval" path never touches stdin.`
54	+	`function poisonStdin() {`
55	+	`const s = new Readable({`
56	+	`read() {`
57	+	`throw new Error("stdin was read without --eval — auto-eval regression!");`
58	+	`},`
59	+	`});`
60	+	// `for await (chunk of stream)` calls setEncoding on the source; make
61	+	`// sure that call alone does not count as "reading".`
62	+	`s.setEncoding = () => {};`
63	+	`return s;`
64	+	`}`
65	+
66	+	`// A stdin stand-in that yields a fixed payload and then ends — used for`
67	+	`// the "bare --eval reads stdin" path.`
68	+	`function fakeStdin(payload) {`
69	+	`return Readable.from([payload]);`
70	+	`}`
71	+
72	+	`describe("react-server:eval plugin", () => {`
73	+	`afterEach(() => {`
74	+	`restoreStdin();`
75	+	`});`
76	+
77	+	`test("no --eval: returns the throw stub and never reads stdin", async () => {`
78	+	`installStdin(poisonStdin());`
79	+	`const plugin = reactServerEval({});`
80	+	`const code = await invokeLoad(plugin);`
81	+	`expect(code).toContain("Root module not provided");`
82	+	`});`
83	+
84	+	test("no --eval: `eval: false` is also treated as not passed", async () => {
85	+	`installStdin(poisonStdin());`
86	+	`const plugin = reactServerEval({ eval: false });`
87	+	`const code = await invokeLoad(plugin);`
88	+	`expect(code).toContain("Root module not provided");`
89	+	`});`
90	+
91	+	`test("--eval <code>: returns the inline string verbatim and does not read stdin", async () => {`
92	+	`installStdin(poisonStdin());`
93	+	`const inline = "export default () => 'inline-eval-marker';";`
94	+	`const plugin = reactServerEval({ eval: inline });`
95	+	`const code = await invokeLoad(plugin);`
96	+	`expect(code).toBe(inline);`
97	+	`});`
98	+
99	+	`test("--eval (bare): reads the full entrypoint from stdin", async () => {`
100	+	`const payload = "export default () => 'stdin-eval-marker';";`
101	+	`installStdin(fakeStdin(payload));`
102	+	`const plugin = reactServerEval({ eval: true });`
103	+	`const code = await invokeLoad(plugin);`
104	+	`expect(code).toBe(payload);`
105	+	`});`
106	+
107	+	`test("--eval (bare): concatenates multi-chunk stdin", async () => {`
108	+	`const chunks = ["export default ", "() => 'multi", "-chunk';"];`
109	+	`installStdin(Readable.from(chunks));`
110	+	`const plugin = reactServerEval({ eval: true });`
111	+	`const code = await invokeLoad(plugin);`
112	+	`expect(code).toBe(chunks.join(""));`
113	+	`});`
114	+	`});`

259	270		`### --eval`
260	271		`</Link>`
261	272
262		-	Evaluate the server entrypoint from the argument, like `node -e`. You can also use _stdin_ as the entrypoint. This type of entrypoint becomes a virtualized entrypoint and is not written to the file system.
	273	+	Evaluate the server entrypoint from the argument, like `node -e`. Pass `--eval` without a value to read the entrypoint from _stdin_ instead. Stdin is never auto-consumed — it is only read when `--eval` is explicitly passed. This type of entrypoint becomes a virtualized entrypoint and is not written to the file system.
	274	+
	275	+	```sh
	276	+	`# Inline code`
	277	+	`pnpm exec react-server build --eval "export default () => <h1>Hello</h1>;"`
	278	+
	279	+	`# From stdin`
	280	+	`echo 'export default () => <h1>Hi</h1>;' \| pnpm exec react-server build --eval`
	281	+
	282	+	`# From a file via shell redirect`
	283	+	`pnpm exec react-server build --eval < ./entry.jsx`
	284	+	```
263	285
264	286		`<Link name="build-outdir">`
265	287		`### --outDir`

259	270		`### --eval`
260	271		`</Link>`
261	272
262		-	`node -e`と同じように引数に指定したエントリーポイントを評価します。または標準入力も指定することが出来ます。このエントリーポイントはファイルシステムに書き込んだものではなく仮想的なエントリーポイントです。
	273	+	`node -e`と同じように引数に指定したエントリーポイントを評価します。値を指定せずに `--eval` だけを渡すと、エントリーポイントを _標準入力_ から読み込みます。標準入力は自動的には消費されません — `--eval` が明示的に指定された場合にのみ読み込まれます。このエントリーポイントはファイルシステムに書き込んだものではなく仮想的なエントリーポイントです。
	274	+
	275	+	```sh
	276	+	`# インラインコード`
	277	+	`pnpm exec react-server build --eval "export default () => <h1>Hello</h1>;"`
	278	+
	279	+	`# 標準入力から`
	280	+	`echo 'export default () => <h1>Hi</h1>;' \| pnpm exec react-server build --eval`
	281	+
	282	+	`# シェルのリダイレクトでファイルから`
	283	+	`pnpm exec react-server build --eval < ./entry.jsx`
	284	+	```
263	285
264	286		`<Link name="build-outdir">`
265	287		`### --outDir`

132	131		`await import("../../server/action-crypto.mjs");`
133	132		`await initSecretFromConfig(configRoot);`
134	133
135		-	`// Detect whether the user is piping code via stdin.`
136		-	`// Use fstat on fd 0 to distinguish a real pipe/file redirect`
137		-	`// from a non-TTY background process, Docker, or CI runner`
138		-	`// where stdin is /dev/null or closed.`
139		-	`// Only relevant when no explicit root module was provided —`
140		-	// if the user passed `react-server ./app.jsx`, use that even
141		-	`// when stdin happens to be piped (e.g. via npm-run-all/run-p).`
142		-	`let isStdinPiped = false;`
143		-	`if (!root) {`
144		-	`try {`
145		-	`const stat = fstatSync(0);`
146		-	`isStdinPiped = stat.isFIFO() \|\| stat.isFile();`
147		-	`} catch {`
148		-	`// fd 0 not available — not piped`
149		-	`}`
150		-	`}`
151		-
	134	+	`// Stdin is never auto-detected as the entrypoint — the user must`
	135	+	// explicitly opt in by passing `--eval` (with a string value, or
	136	+	`// bare to read the entrypoint from stdin).`
152	137		`server = await createServer(`
153		-	`options.eval \|\| isStdinPiped`
	138	+	`options.eval != null && options.eval !== false`
154	139		`? "virtual:react-server-eval.jsx"`
155	140		`: root,`
156	141		`options`

259	270		`### --eval`
260	271		`</Link>`
261	272
262		-	Evaluate the server entrypoint from the argument, like `node -e`. You can also use _stdin_ as the entrypoint. This type of entrypoint becomes a virtualized entrypoint and is not written to the file system.
	273	+	Evaluate the server entrypoint from the argument, like `node -e`. Pass `--eval` without a value to read the entrypoint from _stdin_ instead. Stdin is never auto-consumed — it is only read when `--eval` is explicitly passed. This type of entrypoint becomes a virtualized entrypoint and is not written to the file system.
	274	+
	275	+	```sh
	276	+	`# Inline code`
	277	+	`pnpm exec react-server build --eval "export default () => <h1>Hello</h1>;"`
	278	+
	279	+	`# From stdin`
	280	+	`echo 'export default () => <h1>Hi</h1>;' \| pnpm exec react-server build --eval`
	281	+
	282	+	`# From a file via shell redirect`
	283	+	`pnpm exec react-server build --eval < ./entry.jsx`
	284	+	```
263	285
264	286		`<Link name="build-outdir">`
265	287		`### --outDir`

259	270		`### --eval`
260	271		`</Link>`
261	272
262		-	`node -e`と同じように引数に指定したエントリーポイントを評価します。または標準入力も指定することが出来ます。このエントリーポイントはファイルシステムに書き込んだものではなく仮想的なエントリーポイントです。
	273	+	`node -e`と同じように引数に指定したエントリーポイントを評価します。値を指定せずに `--eval` だけを渡すと、エントリーポイントを _標準入力_ から読み込みます。標準入力は自動的には消費されません — `--eval` が明示的に指定された場合にのみ読み込まれます。このエントリーポイントはファイルシステムに書き込んだものではなく仮想的なエントリーポイントです。
	274	+
	275	+	```sh
	276	+	`# インラインコード`
	277	+	`pnpm exec react-server build --eval "export default () => <h1>Hello</h1>;"`
	278	+
	279	+	`# 標準入力から`
	280	+	`echo 'export default () => <h1>Hi</h1>;' \| pnpm exec react-server build --eval`
	281	+
	282	+	`# シェルのリダイレクトでファイルから`
	283	+	`pnpm exec react-server build --eval < ./entry.jsx`
	284	+	```
263	285
264	286		`<Link name="build-outdir">`
265	287		`### --outDir`

30	14		`id: /^virtual:react-server-eval\.jsx$/,`
31	15		`},`
32	16		`async handler() {`
33		-	`if (options.eval) {`
	17	+	// `--eval <code>` → use the literal code string.
	18	+	// `--eval` (no value) → read the entrypoint from stdin.
	19	+	// Stdin is never consulted unless `--eval` was explicitly passed.
	20	+	`if (typeof options.eval === "string") {`
34	21		`return options.eval;`
35		-	`} else if (isStdinPiped()) {`
	22	+	`}`
	23	+	`if (options.eval === true) {`
36	24		`let code = "";`
37	25		`process.stdin.setEncoding("utf8");`
38	26		`for await (const chunk of process.stdin) {`

1	+	// End-to-end integration test for the `--eval` CLI flag.
2	+	`//`
3	+	// The companion unit spec (`react-server-eval.spec.mjs`) tests the plugin
4	+	`// load-hook contract in isolation. This spec exercises the real CLI binary`
5	+	// as a subprocess — `node bin/cli.mjs ...` — to prove the full wiring:
6	+	`//`
7	+	// 1. `--eval "<inline>"` → dev server renders the inline code
8	+	// 2. bare `--eval` with piped stdin → dev server renders the piped code
9	+	`// 3. positional root + piped stdin → stdin is NOT auto-consumed; the`
10	+	`// positional root file wins`
11	+	// 4. `build --eval "<inline>"` → production build succeeds and
12	+	`// emits the inline entrypoint`
13	+	`//`
14	+	`// Case 3 is the critical regression guard: it proves stdin is untouched when`
15	+	// `--eval` was not passed, even though fd 0 is a live pipe. Previously the
16	+	`// CLI would fstat fd 0 and auto-route stdin into the virtual entrypoint.`
17	+	`//`
18	+	// We run the CLI through `node` directly (not via the `server()` helper)
19	+	`// because the helper speaks to a programmatic API and bypasses the exact`
20	+	`// CLI-argument parsing path we need to cover. These tests are intentionally`
21	+	// standalone — they do not use the shared `browser/page/server` harness.
22	+
23	+	`import { spawn } from "node:child_process";`
24	+	`import { mkdtemp, rm, writeFile } from "node:fs/promises";`
25	+	`import { join } from "node:path";`
26	+	`import { fileURLToPath } from "node:url";`
27	+
28	+	`import { afterAll, beforeAll, describe, expect, test } from "vitest";`
29	+
30	+	// Run inside the `test/` directory so `@lazarv/react-server` (and its deps)
31	+	// resolve cleanly from the workspace link in `test/node_modules`. A fresh
32	+	`// tmpdir would have no node_modules and the dev server would hang during`
33	+	`// module resolution. We still use a unique subdir per run for the fixture`
34	+	`// files so parallel runs don't stomp each other.`
35	+	`const TEST_ROOT = fileURLToPath(new URL("../", import.meta.url));`
36	+
37	+	`const CLI = fileURLToPath(`
38	+	`new URL("../../packages/react-server/bin/cli.mjs", import.meta.url)`
39	+	`);`
40	+
41	+	`// Pick a port range well above the shared harness's BASE_PORT=3000 band so`
42	+	// these tests don't collide with concurrent `server()`-driven specs.
43	+	`let portCounter = 0;`
44	+	`function nextPort() {`
45	+	`return 40000 + (portCounter++ % 1000);`
46	+	`}`
47	+
48	+	`// Spawn the CLI, optionally pipe stdin, wait for a readiness marker on`
49	+	// stdout/stderr, then invoke `onReady` with the subprocess handle. Always
50	+	`// kills the subprocess on the way out.`
51	+	`async function runCli({`
52	+	`args,`
53	+	`cwd,`
54	+	`stdin,`
55	+	`readyRegex,`
56	+	`timeoutMs = 60000,`
57	+	`onReady,`
58	+	`}) {`
59	+	`const child = spawn(process.execPath, [CLI, ...args], {`
60	+	`cwd,`
61	+	`stdio: ["pipe", "pipe", "pipe"],`
62	+	`env: {`
63	+	`...process.env,`
64	+	`NODE_ENV: "development",`
65	+	`CI: "true",`
66	+	`REACT_SERVER_TELEMETRY: "false",`
67	+	`// Disable ANSI color codes so our readiness regex matches the raw`
68	+	`// "Server listening on" string without wrestling escape sequences.`
69	+	`NO_COLOR: "1",`
70	+	`FORCE_COLOR: "0",`
71	+	`},`
72	+	`});`
73	+
74	+	`// Strip ANSI escapes defensively even with NO_COLOR set — some libraries`
75	+	`// ignore it and emit colors anyway.`
76	+	`// eslint-disable-next-line no-control-regex`
77	+	`const ANSI = /\x1B\[[0-?][ -/][@-~]/g;`
78	+	`const stripAnsi = (s) => s.replace(ANSI, "");`
79	+
80	+	`let stdout = "";`
81	+	`let stderr = "";`
82	+	`child.stdout.setEncoding("utf8");`
83	+	`child.stderr.setEncoding("utf8");`
84	+	`child.stdout.on("data", (c) => (stdout += stripAnsi(c)));`
85	+	`child.stderr.on("data", (c) => (stderr += stripAnsi(c)));`
86	+
87	+	`if (stdin !== undefined) {`
88	+	`child.stdin.write(stdin);`
89	+	`child.stdin.end();`
90	+	`} else {`
91	+	`child.stdin.end();`
92	+	`}`
93	+
94	+	`const ready = new Promise((resolve, reject) => {`
95	+	`const t = setTimeout(() => {`
96	+	`reject(`
97	+	`new Error(`
98	+	`CLI did not become ready within ${timeoutMs}ms.\n` +
99	+	`args: ${args.join(" ")}\n` +
100	+	`stdout:\n${stdout}\nstderr:\n${stderr}`
101	+	`)`
102	+	`);`
103	+	`}, timeoutMs);`
104	+	`const check = () => {`
105	+	`if (readyRegex.test(stdout) \|\| readyRegex.test(stderr)) {`
106	+	`clearTimeout(t);`
107	+	`resolve();`
108	+	`}`
109	+	`};`
110	+	`child.stdout.on("data", check);`
111	+	`child.stderr.on("data", check);`
112	+	`child.on("exit", (code) => {`
113	+	`clearTimeout(t);`
114	+	`reject(`
115	+	`new Error(`
116	+	`CLI exited (code ${code}) before becoming ready.\n` +
117	+	`args: ${args.join(" ")}\n` +
118	+	`stdout:\n${stdout}\nstderr:\n${stderr}`
119	+	`)`
120	+	`);`
121	+	`});`
122	+	`});`
123	+
124	+	`try {`
125	+	`await ready;`
126	+	`return await onReady({ child, stdout: () => stdout, stderr: () => stderr });`
127	+	`} finally {`
128	+	`if (!child.killed) {`
129	+	`child.kill("SIGTERM");`
130	+	`await new Promise((res) => {`
131	+	`const t = setTimeout(() => {`
132	+	`try {`
133	+	`child.kill("SIGKILL");`
134	+	`} catch {}`
135	+	`res();`
136	+	`}, 3000);`
137	+	`child.once("exit", () => {`
138	+	`clearTimeout(t);`
139	+	`res();`
140	+	`});`
141	+	`});`
142	+	`}`
143	+	`}`
144	+	`}`
145	+
146	+	`// Run a build-only CLI invocation. Build exits on completion, so we wait`
147	+	`// for exit rather than a readiness marker.`
148	+	`function runCliToCompletion({ args, cwd, stdin, timeoutMs = 120000, env }) {`
149	+	`return new Promise((resolve, reject) => {`
150	+	`const child = spawn(process.execPath, [CLI, ...args], {`
151	+	`cwd,`
152	+	`stdio: ["pipe", "pipe", "pipe"],`
153	+	`env: {`
154	+	`...process.env,`
155	+	`NODE_ENV: "production",`
156	+	`CI: "true",`
157	+	`REACT_SERVER_TELEMETRY: "false",`
158	+	`...env,`
159	+	`},`
160	+	`});`
161	+	`let stdout = "";`
162	+	`let stderr = "";`
163	+	`child.stdout.setEncoding("utf8");`
164	+	`child.stderr.setEncoding("utf8");`
165	+	`child.stdout.on("data", (c) => (stdout += c));`
166	+	`child.stderr.on("data", (c) => (stderr += c));`
167	+
168	+	`const t = setTimeout(() => {`
169	+	`child.kill("SIGKILL");`
170	+	`reject(`
171	+	`new Error(`
172	+	`CLI did not exit within ${timeoutMs}ms.\n` +
173	+	`args: ${args.join(" ")}\nstdout:\n${stdout}\nstderr:\n${stderr}`
174	+	`)`
175	+	`);`
176	+	`}, timeoutMs);`
177	+
178	+	`if (stdin !== undefined) {`
179	+	`child.stdin.write(stdin);`
180	+	`child.stdin.end();`
181	+	`} else {`
182	+	`child.stdin.end();`
183	+	`}`
184	+
185	+	`child.on("exit", (code) => {`
186	+	`clearTimeout(t);`
187	+	`resolve({ code, stdout, stderr });`
188	+	`});`
189	+	`child.on("error", (e) => {`
190	+	`clearTimeout(t);`
191	+	`reject(e);`
192	+	`});`
193	+	`});`
194	+	`}`
195	+
196	+	`async function fetchText(url, { timeoutMs = 10000 } = {}) {`
197	+	`const deadline = Date.now() + timeoutMs;`
198	+	`let lastErr;`
199	+	`while (Date.now() < deadline) {`
200	+	`try {`

201	+	`const res = await fetch(url);`
202	+	`return await res.text();`
203	+	`} catch (e) {`
204	+	`lastErr = e;`
205	+	`await new Promise((r) => setTimeout(r, 150));`
206	+	`}`
207	+	`}`
208	+	throw lastErr ?? new Error(`fetch ${url} timed out`);
209	+	`}`
210	+
211	+	// Dev-mode readiness marker. `create-server.mjs` prints "Server listening on"
212	+	`// after the HTTP listener emits 'listening'. We also accept a bare "Local:"`
213	+	`// URL line (Vite's printUrls output) as a secondary signal in case the`
214	+	`// wrapper log changes.`
215	+	`const DEV_READY = /(Server\s+listening\s+on\|Local:\s+https?:\/\/)/i;`
216	+
217	+	`describe.sequential("CLI --eval wiring", () => {`
218	+	`let workdir;`
219	+
220	+	`beforeAll(async () => {`
221	+	`// Scratch subdir inside test/ so node_modules resolution works via the`
222	+	// workspace-linked `@lazarv/react-server`. mkdtemp needs a prefix.
223	+	`workdir = await mkdtemp(join(TEST_ROOT, ".cli-eval-"));`
224	+	`// Positional root file used by the "no --eval, stdin piped" case.`
225	+	`await writeFile(`
226	+	`join(workdir, "root.jsx"),`
227	+	`export default function Root() {
228	+	`return <div data-testid="source">positional-root-marker</div>;`
229	+	`}`
230	+	`
231	+	`);`
232	+	`});`
233	+
234	+	`afterAll(async () => {`
235	+	`if (workdir) {`
236	+	`try {`
237	+	`await rm(workdir, { recursive: true, force: true });`
238	+	`} catch {}`
239	+	`}`
240	+	`});`
241	+
242	+	`test(`
243	+	`"dev: --eval <inline> renders inline code",`
244	+	`{ timeout: 120000 },`
245	+	`async () => {`
246	+	`const port = nextPort();`
247	+	const inline = `export default function Root() {
248	+	`return <div data-testid="source">inline-eval-marker</div>;`
249	+	}`;
250	+	`await runCli({`
251	+	`args: ["--port", String(port), "--eval", inline],`
252	+	`cwd: workdir,`
253	+	`readyRegex: DEV_READY,`
254	+	`onReady: async () => {`
255	+	const body = await fetchText(`http://localhost:${port}/`);
256	+	`expect(body).toContain("inline-eval-marker");`
257	+	`expect(body).not.toContain("positional-root-marker");`
258	+	`},`
259	+	`});`
260	+	`}`
261	+	`);`
262	+
263	+	`test(`
264	+	`"dev: bare --eval reads entrypoint from stdin",`
265	+	`{ timeout: 120000 },`
266	+	`async () => {`
267	+	`const port = nextPort();`
268	+	const stdinCode = `export default function Root() {
269	+	`return <div data-testid="source">stdin-eval-marker</div>;`
270	+	}`;
271	+	`await runCli({`
272	+	`args: ["--port", String(port), "--eval"],`
273	+	`cwd: workdir,`
274	+	`stdin: stdinCode,`
275	+	`readyRegex: DEV_READY,`
276	+	`onReady: async () => {`
277	+	const body = await fetchText(`http://localhost:${port}/`);
278	+	`expect(body).toContain("stdin-eval-marker");`
279	+	`},`
280	+	`});`
281	+	`}`
282	+	`);`
283	+
284	+	`test(`
285	+	`"dev: stdin is NOT auto-consumed when --eval is absent",`
286	+	`{ timeout: 120000 },`
287	+	`async () => {`
288	+	`const port = nextPort();`
289	+	`// Payload that would be a SYNTAX ERROR if eval'd — if the old auto-eval`
290	+	`// path ever comes back, the server will fail to start and we'll catch`
291	+	`// it via the readiness timeout / explicit marker mismatch.`
292	+	`const bogusStdin = "this is not valid javascript <<<<< !!!\n";`
293	+	`await runCli({`
294	+	`args: ["--port", String(port), "./root.jsx"],`
295	+	`cwd: workdir,`
296	+	`stdin: bogusStdin,`
297	+	`readyRegex: DEV_READY,`
298	+	`onReady: async () => {`
299	+	const body = await fetchText(`http://localhost:${port}/`);
300	+	`expect(body).toContain("positional-root-marker");`
301	+	`expect(body).not.toContain("inline-eval-marker");`
302	+	`expect(body).not.toContain("stdin-eval-marker");`
303	+	`},`
304	+	`});`
305	+	`}`
306	+	`);`
307	+
308	+	`test(`
309	+	`"build: --eval <inline> produces a successful production build and ignores stdin",`
310	+	`{ timeout: 180000 },`
311	+	`async () => {`
312	+	const outDir = `.react-server-cli-eval-build-${Date.now()}`;
313	+	const inline = `export default function Root() {
314	+	`return <div data-testid="source">build-inline-eval-marker</div>;`
315	+	}`;
316	+	`// Pipe bogus stdin too — if the production path ever regresses to`
317	+	`// auto-reading stdin when --eval is present, the inline value would`
318	+	`// be overwritten or the build would blow up on invalid code.`
319	+	`const bogusStdin = "this is not valid javascript <<<<< !!!\n";`
320	+	`const result = await runCliToCompletion({`
321	+	`args: [`
322	+	`"build",`
323	+	`"--eval",`
324	+	`inline,`
325	+	`"--outDir",`
326	+	`outDir,`
327	+	`"--no-minify",`
328	+	`"--adapter",`
329	+	`"false",`
330	+	`],`
331	+	`cwd: workdir,`
332	+	`stdin: bogusStdin,`
333	+	`});`
334	+	`try {`
335	+	expect(result.code, `build failed:\n${result.stderr}`).toBe(0);
336	+	`} finally {`
337	+	`try {`
338	+	`await rm(join(workdir, outDir), { recursive: true, force: true });`
339	+	`} catch {}`
340	+	`}`
341	+	`}`
342	+	`);`
343	+	`});`