feat(runtime): support dynamic fragment routes

[cssbruno]

Summary

• Add M7 dynamic fragment route support with raw and typed route params, generated dynamic dispatch, backend router pattern dispatch, and cross-endpoint conflict validation.
• Add guard redirect/custom-response helpers for generated request-time routes while preserving fail-closed ordinary guard errors.
• Add build-report cache-policy events, route/endpoint param metadata, M7 docs/spec/plan updates, and release-plan closure notes for deferred examples.

Issue Closure

Closes #7
Closes #9
Closes #10
Closes #25
Closes #63
Closes #177

Related: #102
Related: #337

Verification

• I ran the relevant tests, lint, and build commands.
• I ran scripts/test-go-modules.sh when Go code or compiler behavior changed.
• I ran go build ./cmd/gowdk when CLI, compiler, runtime, addon, or release behavior changed.
• I ran node --check editors/vscode/extension.js when editor files changed. Not applicable; no editor files changed.
• I updated docs for behavior, setup, or architecture changes.
• I added or updated tests for changed behavior.
• I considered security-sensitive surfaces such as auth, CSRF, redirects, request-time handlers, logs, diagnostics, embedded assets, editor commands, WASM, contracts, and realtime behavior.

Commands run:

go test ./runtime/guard
go test ./internal/buildgen
go test ./internal/appgen
go test ./...
scripts/test-go-modules.sh
go build ./cmd/gowdk
go run ./cmd/gowdk check --ssr examples/partials/patients-fragment.page.gwdk
go run ./cmd/gowdk routes --ssr examples/partials/patients-fragment.page.gwdk
git diff --check

LLM Assistance

• LLM session summary: Codex implemented the M7 dynamic fragment route slice, guard response helper hardening, build-report cache visibility, tests, docs, and example updates.
• Human-reviewed assumptions: M7 closes with broader example cookbook work intentionally deferred to [Examples] Flagship full-stack native GOWDK example #102 and [DX] Broaden endpoint examples cookbook #337; hybrid remains an internal/configured route mode with no separate .gwdk source syntax.
• Follow-up work: Broaden SSR/auth/example cookbook coverage under the linked M10 issues.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d8a3d61f06

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Revalidate RedirectError before emitting redirects

When a guard returns or wraps a manually constructed guard.RedirectError (its fields are exported), this path bypasses Redirect's local-URL and 3xx status checks and writes whatever URL/Status it contains. A guard that copies a next query parameter into RedirectError{URL: next, Status: 302} can therefore produce an external Location even though the helper promises safe local redirects; re-run the URL/status validation here or make the error opaque.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Include contract routes in overlap validation

This new dynamic-overlap check still only runs over pages and Go endpoints, because ValidateProgram calls validateAmbiguousDynamicPageRoutes(ir.Pages, ir.GoEndpoints) and never passes ir.ContractRefs. As a result a query contract such as GET /patients/42 can validate next to a dynamic fragment GET /patients/{id}; at runtime the exact query registration is found first and document requests do not fall through to the fragment pattern, making /patients/42's fragment route unreachable. Include contract refs in this overlap pass or otherwise reject/fall through these same-method overlaps.

Useful? React with 👍 / 👎.