fix(core): DSD injection regex now handles slashes inside attribute values

Bug: <auth-forms then=\"/dashboard\"> rendered as an EMPTY custom element
with no shadow root — the sign-in and sign-up pages appeared blank.
Root cause: the DSD-injection regex in render-server.js used
`[^>/]*` to bound the attribute section, which stopped matching the
instant it saw \`/\` inside an attribute value. The whole opening tag
then failed to match the pattern, so injectDSD silently skipped the
tag and the server sent the bare \`<auth-forms>\` (which has no
light-DOM content) to the browser.

Fix: attribute section is now \`(?:\"[^\"]*\"|'[^']*'|[^>])*?\` —
quoted values are matched as a single unit (so slashes inside them
are fine), anything-but-\`>\` outside quotes. Non-greedy so
self-closing \`/>\` still lands in the selfClose capture group.

+ 1 regression test: component whose attr value is a URL path renders
  with DSD (without the fix, this test would show DSD absent).

Verified end-to-end: /login now renders the tabbed login/signup form
server-side.

Author: vivek7405

packages/core/src/render-server.js

@@ -220,8 +220,12 @@ async function renderTemplate(tr, ctx) {
 async function injectDSD(html, ctx) {
   const tags = allTags();
   if (!tags.length) return html;
+  // Attribute section is "anything that isn't `>`, with quoted values as a
+  // single unit" so slashes in URL-valued attrs (e.g. then="/dashboard") don't
+  // prevent the match. Non-greedy so self-closing `/>` still captures into the
+  // third group.
   const pattern = new RegExp(
-    `<(${tags.map(escapeRegex).join('|')})((?:\\s+[^>/]*)?)(/?)>`,
+    `<(${tags.map(escapeRegex).join('|')})((?:"[^"]*"|'[^']*'|[^>])*?)(/?)>`,
     'g'
   );
   /** @type {{start:number, end:number, text:string}[]} */

test/render-server.test.js

@@ -55,6 +55,18 @@ test('awaits async template (page-style)', async () => {
   assert.equal(await renderToString(page), '<p>data</p>');
 });
 
+test('DSD injection handles attribute values containing slashes', async () => {
+  class SlashTag extends WebComponent {
+    static tag = 'slash-tag';
+    static properties = { href: { type: String } };
+    render() { return html`<a href=${this.href}>x</a>`; }
+  }
+  SlashTag.register();
+  const out = await renderToString(html`<slash-tag href="/some/path"></slash-tag>`);
+  // The opening tag must have DSD injected even though the attribute has /.
+  assert.match(out, /<slash-tag href="\/some\/path"><template shadowrootmode="open">/);
+});
+
 test('custom element injects declarative shadow DOM', async () => {
   class Greet extends WebComponent {
     static tag = 'g-reet';