@pikku/inspector 0.12.22 → 0.12.24

package/dist/utils/resolve-ref-contract.d.ts

@@ -0,0 +1,21 @@
+import * as ts from 'typescript';
+export interface RefContractResolution<T> {
+    contract: T;
+    /**
+     * Optional basePath override supplied by the consumer via the second
+     * argument, e.g. refHTTP('ns:routes', { basePath: '/ext' }). When undefined
+     * the addon contract's own basePath is preserved.
+     */
+    basePath?: string;
+}
+/**
+ * Resolve a refHTTP / refChannel / refCLI call expression against the addon
+ * contracts already loaded (and namespaced) by loadAddonFunctionsMeta.
+ *
+ * The first string argument has the form 'namespace:contractName', mirroring
+ * how ref('namespace:fn') references an addon function. Detection is purely
+ * syntactic — no import resolution is required because the namespace and
+ * contract name are carried in the string literal. An optional second object
+ * argument may override mount details such as basePath.
+ */
+export declare const resolveRefContract: <T>(node: ts.Node, helperName: "refHTTP" | "refChannel" | "refCLI", addonContracts: Record<string, Record<string, T>>) => RefContractResolution<T> | null;

package/dist/utils/resolve-ref-contract.js

@@ -0,0 +1,46 @@
+import * as ts from 'typescript';
+const getStringProperty = (obj, name) => {
+    for (const prop of obj.properties) {
+        if (ts.isPropertyAssignment(prop) &&
+            (ts.isIdentifier(prop.name) || ts.isStringLiteral(prop.name)) &&
+            prop.name.text === name &&
+            ts.isStringLiteral(prop.initializer)) {
+            return prop.initializer.text;
+        }
+    }
+    return undefined;
+};
+/**
+ * Resolve a refHTTP / refChannel / refCLI call expression against the addon
+ * contracts already loaded (and namespaced) by loadAddonFunctionsMeta.
+ *
+ * The first string argument has the form 'namespace:contractName', mirroring
+ * how ref('namespace:fn') references an addon function. Detection is purely
+ * syntactic — no import resolution is required because the namespace and
+ * contract name are carried in the string literal. An optional second object
+ * argument may override mount details such as basePath.
+ */
+export const resolveRefContract = (node, helperName, addonContracts) => {
+    if (!ts.isCallExpression(node))
+        return null;
+    if (!ts.isIdentifier(node.expression) ||
+        node.expression.text !== helperName) {
+        return null;
+    }
+    const [arg, optionsArg] = node.arguments;
+    if (!arg || !ts.isStringLiteral(arg))
+        return null;
+    const separator = arg.text.indexOf(':');
+    if (separator === -1)
+        return null;
+    const namespace = arg.text.slice(0, separator);
+    const contractName = arg.text.slice(separator + 1);
+    const contract = addonContracts[namespace]?.[contractName];
+    if (contract === undefined)
+        return null;
+    let basePath;
+    if (optionsArg && ts.isObjectLiteralExpression(optionsArg)) {
+        basePath = getStringProperty(optionsArg, 'basePath');
+    }
+    return { contract, basePath };
+};

package/dist/utils/serialize-inspector-state.d.ts

@@ -267,6 +267,7 @@ export interface SerializableInspectorState {
     openAPISpec: Record<string, any> | null;
     diagnostics: InspectorDiagnostic[];
     addonFunctions: InspectorState['addonFunctions'];
+    exportedContracts: InspectorState['exportedContracts'];
 }
 /**
  * Serializes InspectorState to a JSON-compatible format

package/dist/utils/serialize-inspector-state.js

@@ -150,6 +150,7 @@ export function serializeInspectorState(state) {
         openAPISpec: state.openAPISpec,
         diagnostics: state.diagnostics,
         addonFunctions: state.addonFunctions,
+        exportedContracts: state.exportedContracts,
     };
 }
 /**
@@ -314,6 +315,14 @@ export function deserializeInspectorState(data) {
         openAPISpec: data.openAPISpec || null,
         diagnostics: data.diagnostics || [],
         addonFunctions: data.addonFunctions || {},
+        exportedContracts: data.exportedContracts || {
+            http: {},
+            cli: {},
+            channel: {},
+            addonHttp: {},
+            addonCli: {},
+            addonChannel: {},
+        },
         program: null,
     };
 }

package/dist/visit.js

@@ -3,6 +3,7 @@ import { addFileWithFactory } from './add/add-file-with-factory.js';
 import { addFileExtendsCoreType } from './add/add-file-extends-core-type.js';
 import { addHTTPRoute } from './add/add-http-route.js';
 import { addHTTPRoutes } from './add/add-http-routes.js';
+import { checkAddonBans } from './add/add-addon-bans.js';
 import { addSchedule } from './add/add-schedule.js';
 import { addTrigger } from './add/add-trigger.js';
 import { addQueueWorker } from './add/add-queue-worker.js';
@@ -41,23 +42,27 @@ export const visitSetup = (logger, checker, node, state, options) => {
     ts.forEachChild(node, (child) => visitSetup(logger, checker, child, state, options));
 };
 export const visitRoutes = (logger, checker, node, state, options) => {
-    addFunctions(logger, node, checker, state, options);
-    addAuth(logger, node, checker, state, options);
-    addSecret(logger, node, checker, state, options);
-    addCredential(logger, node, checker, state, options);
-    addVariable(logger, node, checker, state, options);
-    addHTTPRoute(logger, node, checker, state, options);
-    addHTTPRoutes(logger, node, checker, state, options);
-    addSchedule(logger, node, checker, state, options);
-    addTrigger(logger, node, checker, state, options);
-    addQueueWorker(logger, node, checker, state, options);
-    addChannel(logger, node, checker, state, options);
-    addGateway(logger, node, checker, state, options);
-    addCLI(logger, node, checker, state, options);
-    addCLIRenderers(logger, node, checker, state, options);
-    addMCPResource(logger, node, checker, state, options);
-    addMCPPrompt(logger, node, checker, state, options);
-    addWorkflowGraph(logger, node, checker, state, options);
-    addAIAgent(logger, node, checker, state, options);
-    ts.forEachChild(node, (child) => visitRoutes(logger, checker, child, state, options));
+    const nextOptions = ts.isSourceFile(node)
+        ? { ...options, sourceFile: node }
+        : options;
+    checkAddonBans(logger, node, checker, state, nextOptions);
+    addFunctions(logger, node, checker, state, nextOptions);
+    addAuth(logger, node, checker, state, nextOptions);
+    addSecret(logger, node, checker, state, nextOptions);
+    addCredential(logger, node, checker, state, nextOptions);
+    addVariable(logger, node, checker, state, nextOptions);
+    addHTTPRoute(logger, node, checker, state, nextOptions);
+    addHTTPRoutes(logger, node, checker, state, nextOptions);
+    addSchedule(logger, node, checker, state, nextOptions);
+    addTrigger(logger, node, checker, state, nextOptions);
+    addQueueWorker(logger, node, checker, state, nextOptions);
+    addChannel(logger, node, checker, state, nextOptions);
+    addGateway(logger, node, checker, state, nextOptions);
+    addCLI(logger, node, checker, state, nextOptions);
+    addCLIRenderers(logger, node, checker, state, nextOptions);
+    addMCPResource(logger, node, checker, state, nextOptions);
+    addMCPPrompt(logger, node, checker, state, nextOptions);
+    addWorkflowGraph(logger, node, checker, state, nextOptions);
+    addAIAgent(logger, node, checker, state, nextOptions);
+    ts.forEachChild(node, (child) => visitRoutes(logger, checker, child, state, nextOptions));
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pikku/inspector",
-  "version": "0.12.22",
+  "version": "0.12.24",
   "author": "yasser.fadl@gmail.com",
   "license": "BUSL-1.1",
   "type": "module",

package/src/add/add-addon-bans.ts

@@ -0,0 +1,84 @@
+import * as ts from 'typescript'
+import type { AddWiring } from '../types.js'
+import { ErrorCode } from '../error-codes.js'
+
+/**
+ * Wiring helpers an addon must not call. Addons declare contracts with the
+ * define* helpers and export functions; the consuming app does the wiring via
+ * refHTTP / refChannel / refCLI. Service declarations remain allowed.
+ */
+const BANNED_WIRINGS = new Set([
+  'wireAddon',
+  'wireChannel',
+  'wireCLI',
+  'wireGateway',
+  'wireHTTP',
+  'wireHTTPRoutes',
+  'wireMCPPrompt',
+  'wireMCPResource',
+  'wireQueueWorker',
+  'wireScheduler',
+  'wireTrigger',
+  'wireTriggerSource',
+])
+
+const CONTRACT_DEFINERS = new Set([
+  'defineHTTPRoutes',
+  'defineChannelRoutes',
+  'defineCLICommands',
+])
+
+const hasHandlerProperty = (node: ts.Node): boolean => {
+  let found = false
+  const visit = (current: ts.Node) => {
+    if (found) return
+    if (
+      ts.isPropertyAssignment(current) &&
+      (ts.isIdentifier(current.name) || ts.isStringLiteral(current.name)) &&
+      (current.name.text === 'middleware' ||
+        current.name.text === 'permissions')
+    ) {
+      found = true
+      return
+    }
+    ts.forEachChild(current, visit)
+  }
+  visit(node)
+  return found
+}
+
+/**
+ * Enforce addon authoring rules. Only runs when inspecting an addon package
+ * (options.isAddon). Addons cannot wire transports, and their contracts cannot
+ * carry middleware or permissions — those are the consuming app's concern.
+ */
+export const checkAddonBans: AddWiring = (
+  logger,
+  node,
+  _checker,
+  _state,
+  options
+) => {
+  if (!options.isAddon) return
+  if (!ts.isCallExpression(node) || !ts.isIdentifier(node.expression)) return
+
+  const name = node.expression.text
+
+  if (BANNED_WIRINGS.has(name)) {
+    logger.critical(
+      ErrorCode.ADDON_WIRING_NOT_ALLOWED,
+      `Addons must not call '${name}'. Declare contracts with define* and export functions; the consuming app wires them via refHTTP / refChannel / refCLI.`
+    )
+    return
+  }
+
+  if (CONTRACT_DEFINERS.has(name)) {
+    const [arg] = node.arguments
+    if (arg && hasHandlerProperty(arg)) {
+      logger.critical(
+        ErrorCode.ADDON_CONTRACT_HANDLERS_NOT_ALLOWED,
+        `Addon contract '${name}' must not declare middleware or permissions — these are applied by the consuming app, not the addon.`
+      )
+    }
+  }
+}

package/src/add/add-auth.test.ts

@@ -522,4 +522,98 @@ describe('addAuth inspector', () => {
       await rm(rootDir, { recursive: true, force: true })
     }
   })
+
+  test('user-registered betterAuthStatelessSession sets userStatelessSession', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-auth-stateless-'))
+    const file = join(rootDir, 'middleware.ts')
+    await writeFile(
+      file,
+      [
+        "import { addHTTPMiddleware } from '#pikku'",
+        "import { betterAuthStatelessSession } from '@pikku/better-auth'",
+        "addHTTPMiddleware('*', [",
+        '  betterAuthStatelessSession({',
+        '    mapSession: (r: any) => ({ userId: r.user.id, role: r.user.role }),',
+        '  }),',
+        '])',
+      ].join('\n')
+    )
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [file], { rootDir })
+      assert.equal(state.auth.userStatelessSession, true)
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('a standalone betterAuthStatelessSession() call (not a registration) does NOT set the flag', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-auth-standalone-'))
+    const file = join(rootDir, 'start.ts')
+    await writeFile(
+      file,
+      [
+        "import { betterAuthStatelessSession } from '@pikku/better-auth'",
+        '// harness use, not a global registration',
+        'const mw = betterAuthStatelessSession()',
+        'void mw',
+      ].join('\n')
+    )
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [file], { rootDir })
+      assert.ok(
+        !state.auth.userStatelessSession,
+        'a bare call must not count as a registration'
+      )
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('a route-scoped addHTTPMiddleware registration does NOT set the flag', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-auth-scoped-'))
+    const file = join(rootDir, 'middleware.ts')
+    await writeFile(
+      file,
+      [
+        "import { addHTTPMiddleware } from '#pikku'",
+        "import { betterAuthStatelessSession } from '@pikku/better-auth'",
+        "addHTTPMiddleware('/api/admin/*', [betterAuthStatelessSession()])",
+      ].join('\n')
+    )
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [file], { rootDir })
+      assert.ok(
+        !state.auth.userStatelessSession,
+        'a route-scoped registration must not suppress the global generated middleware'
+      )
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('betterAuthStatelessSession in a .gen.ts file does NOT set the flag', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-auth-genonly-'))
+    const file = join(rootDir, 'auth-middleware.gen.ts')
+    await writeFile(
+      file,
+      [
+        "import { addHTTPMiddleware } from '#pikku'",
+        "import { betterAuthStatelessSession } from '@pikku/better-auth'",
+        "addHTTPMiddleware('*', [betterAuthStatelessSession()])",
+      ].join('\n')
+    )
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [file], { rootDir })
+      assert.ok(
+        !state.auth.userStatelessSession,
+        'generated file must not self-trigger the skip'
+      )
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
 })

package/src/add/add-auth.ts

@@ -99,6 +99,35 @@ const readPluginId = (el: ts.Expression): string | undefined => {
   return undefined
 }
 
+/**
+ * True when `node` sits inside a GLOBAL middleware registration — i.e. an actual
+ * global registration, not a bare standalone call or a route-scoped one.
+ *
+ * `addGlobalMiddleware(...)` is always global. `addHTTPMiddleware` is global only
+ * in its array form (`addHTTPMiddleware([...])`) or with the `'*'` wildcard
+ * pattern; a specific route pattern (`addHTTPMiddleware('/api/admin/*', [...])`)
+ * scopes the middleware to that route and must NOT count as a global stateless
+ * registration (#754).
+ */
+const isInsideGlobalMiddlewareRegistration = (node: ts.Node): boolean => {
+  let parent: ts.Node | undefined = node.parent
+  while (parent) {
+    if (ts.isCallExpression(parent) && ts.isIdentifier(parent.expression)) {
+      const fn = parent.expression.text
+      if (fn === 'addGlobalMiddleware') return true
+      if (fn === 'addHTTPMiddleware') {
+        const first = parent.arguments[0]
+        if (!first) return false
+        // String first arg → route pattern (global only when '*'); otherwise
+        // the array form, which is global.
+        return ts.isStringLiteral(first) ? first.text === '*' : true
+      }
+    }
+    parent = parent.parent
+  }
+  return false
+}
+
 /**
  * Detects `pikkuBetterAuth((services) => betterAuth({...}))` calls.
  *
@@ -122,6 +151,23 @@ export const addAuth: AddWiring = (logger, node, _checker, state) => {
   if (!ts.isCallExpression(node)) return
 
   const expression = node.expression
+
+  // A user-registered stateless session middleware (custom mapSession) means the
+  // CLI must NOT auto-generate its own default-map one — the generated one runs
+  // first and pre-empts the user's via the `if (session) next()` short-circuit
+  // (pikkujs/pikku#754). Only a GLOBAL registration counts (inside
+  // addHTTPMiddleware/addGlobalMiddleware) — a bare betterAuthStatelessSession()
+  // call (e.g. a test harness) is not a registration. Ignore generated files so
+  // the emitted middleware can't self-trigger the skip.
+  if (
+    ts.isIdentifier(expression) &&
+    expression.text === 'betterAuthStatelessSession' &&
+    !node.getSourceFile().fileName.endsWith('.gen.ts') &&
+    isInsideGlobalMiddlewareRegistration(node)
+  ) {
+    state.auth.userStatelessSession = true
+  }
+
   if (!ts.isIdentifier(expression) || expression.text !== 'pikkuBetterAuth')
     return
 

package/src/add/add-channel.ts

@@ -21,6 +21,8 @@ import { resolveIdentifier } from '../utils/resolve-identifier.js'
 import { resolveFunctionMeta } from '../utils/resolve-function-meta.js'
 import { resolveAddonName } from '../utils/resolve-addon-package.js'
 import { validateAuthSessionless } from '../utils/validate-auth-sessionless.js'
+import { getExportedVariableName } from '../utils/get-exported-variable-name.js'
+import { resolveRefContract } from '../utils/resolve-ref-contract.js'
 
 /**
  * Safely get the "initializer" expression of a property-like AST node:
@@ -40,6 +42,16 @@ function getInitializerOf(
   return undefined
 }
 
+function getObjectPropertyName(
+  name: ts.PropertyName | undefined
+): string | null {
+  if (!name) return null
+  if (ts.isIdentifier(name)) return name.text
+  if (ts.isStringLiteral(name) || ts.isNumericLiteral(name)) return name.text
+  if (ts.isComputedPropertyName(name)) return null
+  return name.getText()
+}
+
 /**
  * Resolve a handler expression (Identifier, CallExpression, or { func })
  * into its underlying function name.
@@ -116,6 +128,27 @@ function getHandlerNameFromExpression(
   return null
 }
 
+function extractExportedChannelRoutes(
+  logger: {
+    error: (msg: string) => void
+    critical: (code: ErrorCode, msg: string) => void
+  },
+  routes: ts.ObjectLiteralExpression,
+  state: InspectorState,
+  checker: ts.TypeChecker
+): Record<string, ChannelMessageMeta> {
+  const wrapper = ts.factory.createObjectLiteralExpression([
+    ts.factory.createPropertyAssignment(
+      'onMessageWiring',
+      ts.factory.createObjectLiteralExpression([
+        ts.factory.createPropertyAssignment('contract', routes),
+      ])
+    ),
+  ])
+
+  return addMessagesRoutes(logger, wrapper, state, checker).contract ?? {}
+}
+
 /**
  * Build out the nested message-routes by looking up each handler
  * in state.functions.meta instead of re-inferring it here.
@@ -155,9 +188,24 @@ export function addMessagesRoutes(
       }
     }
 
+    const refContract = resolveRefContract(
+      chanInit,
+      'refChannel',
+      state.exportedContracts.addonChannel
+    )
+    if (refContract) {
+      const refChannelKey = getObjectPropertyName(chanElem.name)
+      if (!refChannelKey) continue
+      result[refChannelKey] = {
+        ...refContract.contract,
+      }
+      continue
+    }
+
     if (!ts.isObjectLiteralExpression(chanInit)) continue
 
-    const channelKey = chanElem.name!.getText()
+    const channelKey = getObjectPropertyName(chanElem.name)
+    if (!channelKey) continue
     result[channelKey] = {}
 
     for (const routeElem of chanInit.properties) {
@@ -168,11 +216,8 @@ export function addMessagesRoutes(
       const routeName = routeElem.name
       if (!routeName) continue
 
-      let routeKey = routeName.getText()
-      // For string literals like 'greet' or "greet", strip the quotes
-      if (ts.isStringLiteral(routeName)) {
-        routeKey = routeName.text
-      }
+      const routeKey = getObjectPropertyName(routeName)
+      if (!routeKey) continue
 
       // For shorthand properties, we need to resolve the identifier to its declaration
       if (ts.isShorthandPropertyAssignment(routeElem)) {
@@ -529,6 +574,18 @@ export const addChannel: AddWiring = (
   options
 ) => {
   if (!ts.isCallExpression(node)) return
+  if (
+    ts.isIdentifier(node.expression) &&
+    node.expression.text === 'defineChannelRoutes'
+  ) {
+    const exportName = getExportedVariableName(node, options.sourceFile)
+    const [firstArg] = node.arguments
+    if (exportName && firstArg && ts.isObjectLiteralExpression(firstArg)) {
+      state.exportedContracts.channel[exportName] =
+        extractExportedChannelRoutes(logger, firstArg, state, checker)
+    }
+    return
+  }
   const { expression, arguments: args } = node
   if (!ts.isIdentifier(expression) || expression.text !== 'wireChannel') return
   const first = args[0]
@@ -664,7 +721,9 @@ export const addChannel: AddWiring = (
     state.serviceAggregation.usedFunctions.add(message.pikkuFuncId)
   }
 
-  for (const channelHandlers of Object.values(messageWirings)) {
+  for (const channelHandlers of Object.values(
+    messageWirings as Record<string, Record<string, ChannelMessageMeta>>
+  )) {
     for (const handler of Object.values(channelHandlers)) {
       state.serviceAggregation.usedFunctions.add(handler.pikkuFuncId)
     }

package/src/add/add-cli.ts

@@ -19,6 +19,8 @@ import { resolveIdentifier } from '../utils/resolve-identifier.js'
 import { resolveAddonName } from '../utils/resolve-addon-package.js'
 import { validateAuthSessionless } from '../utils/validate-auth-sessionless.js'
 import { extractServicesFromFunction } from '../utils/extract-services.js'
+import { getExportedVariableName } from '../utils/get-exported-variable-name.js'
+import { resolveRefContract } from '../utils/resolve-ref-contract.js'
 
 // Track if we've warned about missing Config type to avoid duplicate warnings
 const configTypeWarningShown = new Set<string>()
@@ -34,6 +36,25 @@ export const addCLI: AddWiring = (
   options
 ) => {
   if (!ts.isCallExpression(node)) return
+  if (
+    ts.isIdentifier(node.expression) &&
+    node.expression.text === 'defineCLICommands'
+  ) {
+    const exportName = getExportedVariableName(node, options.sourceFile)
+    const [firstArg] = node.arguments
+    if (exportName && firstArg && ts.isObjectLiteralExpression(firstArg)) {
+      inspectorState.exportedContracts.cli[exportName] = processCommands(
+        logger,
+        firstArg,
+        node.getSourceFile(),
+        typeChecker,
+        exportName,
+        inspectorState,
+        options
+      )
+    }
+    return
+  }
   // Check if this is a wireCLI call
   if (!node || !node.expression) {
     return
@@ -214,6 +235,15 @@ function processCommands(
           programTags
         )
         Object.assign(commands, spreadCommands)
+      } else {
+        const refCommands = resolveRefContract(
+          prop.expression,
+          'refCLI',
+          inspectorState.exportedContracts.addonCli
+        )
+        if (refCommands) {
+          Object.assign(commands, refCommands.contract)
+        }
       }
       continue
     }

package/src/add/add-http-route.ts

@@ -13,7 +13,11 @@ import {
   getPropertyAssignmentInitializer,
   extractTypeKeys,
 } from '../utils/type-utils.js'
-import type { AddWiring, InspectorState } from '../types.js'
+import type {
+  AddWiring,
+  ExportedHTTPRouteConfigMeta,
+  InspectorState,
+} from '../types.js'
 import { resolveHTTPMiddlewareFromObject } from '../utils/middleware.js'
 import { resolveHTTPPermissionsFromObject } from '../utils/permissions.js'
 import { extractWireNames } from '../utils/post-process.js'
@@ -40,6 +44,16 @@ export interface RegisterHTTPRouteParams {
   inheritedAuth?: boolean
 }
 
+export interface RegisterHTTPRouteMetaParams {
+  route: ExportedHTTPRouteConfigMeta
+  state: InspectorState
+  logger: InspectorLogger
+  sourceFile: ts.SourceFile
+  basePath?: string
+  inheritedTags?: string[]
+  inheritedAuth?: boolean
+}
+
 /**
  * Extract header schema reference from headers property
  */
@@ -421,6 +435,66 @@ export function registerHTTPRoute({
   }
 }
 
+export function registerHTTPRouteMeta({
+  route,
+  state,
+  logger,
+  sourceFile,
+  basePath = '',
+  inheritedTags = [],
+  inheritedAuth,
+}: RegisterHTTPRouteMetaParams): void {
+  const method = route.method.toLowerCase()
+  const fullRoute = basePath + route.route
+  const tags = [...inheritedTags, ...(route.tags || [])]
+  const funcName = route.func.pikkuFuncId
+  const fnMeta = resolveFunctionMeta(state, funcName)
+
+  if (!fnMeta) {
+    logger.critical(
+      ErrorCode.FUNCTION_METADATA_NOT_FOUND,
+      `No function metadata found for '${funcName}'.`
+    )
+    return
+  }
+
+  let params: string[] = []
+  try {
+    const keys = pathToRegexp(fullRoute).keys
+    params = keys.filter((k) => k.type === 'param').map((k) => k.name)
+  } catch (error) {
+    logger.error(
+      `Failed to parse route '${fullRoute}': ${error instanceof Error ? error.message : error}`
+    )
+    return
+  }
+
+  if (!route.func.packageName) {
+    computeInputTypes(
+      state.http.metaInputTypes,
+      method,
+      fnMeta.inputs?.[0] || null,
+      [],
+      params
+    )
+  }
+
+  state.serviceAggregation.usedFunctions.add(funcName)
+  state.http.files.add(sourceFile.fileName)
+  state.http.meta[method][fullRoute] = {
+    pikkuFuncId: funcName,
+    ...(route.func.packageName && { packageName: route.func.packageName }),
+    route: fullRoute,
+    sourceFile: sourceFile.fileName,
+    method: method as HTTPMethod,
+    params: params.length > 0 ? params : undefined,
+    inputTypes: undefined,
+    tags: tags.length > 0 ? tags : undefined,
+    sse: route.sse ? true : undefined,
+    groupBasePath: basePath || undefined,
+  }
+}
+
 /**
  * Process wireHTTP calls
  */