@pilotiq/pilotiq 0.7.1 → 0.8.0

package/dist/routes.js

@@ -1,428 +1,16 @@
-import { view } from '@rudderjs/view';
-import { Form } from './elements/Form.js';
-import { resolveSchema } from './schema/resolveSchema.js';
 import { dispatchFormSubmit, findForms, selectForm } from './elements/dispatchForm.js';
-import { dispatchAction, findActions, findRowExtraActions, parseActionBody } from './elements/dispatchAction.js';
-import { flashNotifications } from './notifications/flash.js';
-import { listFiltersKey, readPersistedListQuery, writePersistedListQuery, readPersistedLastTab, writePersistedLastTab, encodePersistedQuery, } from './sessionFilters.js';
-import { panelInfo, callPageSchema, tagFormActions, tagActionDispatch, dashboardData, resourceIndexData, resourceTableData, resourceCreateData, resourceEditData, resourceViewData, resourceRecordPageData, globalEditData, globalViewData, customPageData, formStateData, formWizardData, formCreateOptionData, mentionResolveData, searchData, relationManagerData, findRelatedResource, safeManagerPolicy, resolveRelationChain, widgetData, } from './pageData.js';
-import { listForUser as listDatabaseNotifications, markAsRead as markDatabaseNotificationAsRead, markAsUnread as markDatabaseNotificationAsUnread, markAllAsRead as markAllDatabaseNotificationsAsRead, } from './notifications/database.js';
-import { dispatchNotificationAction } from './notifications/dispatchNotificationAction.js';
-import { registerBroadcastAuth } from './notifications/registerBroadcastAuth.js';
-import { RESERVED_RELATIONSHIP_TOKENS, normalizeRelationMode, } from './RelationManager.js';
-import { modelSave, modelLoadRecord, findRecord, getPrimaryKey, getRelationType, getMorphRelationDescriptor, computeMorphPayload, } from './orm/modelDefaults.js';
+import { RESERVED_RELATIONSHIP_TOKENS } from './RelationManager.js';
 import { Table } from './elements/Table.js';
 import { Column } from './Column.js';
-import { coerceCellValue, CellCoerceError } from './cells/coerce.js';
-import { presets } from './theme/presets.js';
-import { baseColors } from './theme/base-colors.js';
-import { HUE_NAMES } from './theme/colors.js';
-import { migrateThemeOverrides } from './theme/migrate.js';
-import { radiusMap } from './theme/radius.js';
-import { resourceBasePath, globalBasePath, pageBasePath } from './clusterPaths.js';
-/** True when the client wants a JSON response (modal-form action submitting
- * via fetch), false for a browser-style form post that wants a 303 redirect.
- * Both action endpoints honor this so confirm/handler buttons (form-post)
- * keep working unchanged while modal dialogs use fetch. */
-function wantsJson(req) {
-    const headers = req.headers ?? {};
-    const accept = headers['accept'] ?? headers['Accept'] ?? '';
-    return accept.includes('application/json');
-}
-/**
- * Read the request body as a `Record<string, unknown>`. The hono adapter
- * auto-parses JSON, but `application/x-www-form-urlencoded` and
- * `multipart/form-data` need a manual fall-through to Hono's own parser.
- */
-async function readFormBody(req) {
-    if (req.body && typeof req.body === 'object' && !Array.isArray(req.body)) {
-        return { ...req.body };
-    }
-    const raw = req.raw;
-    if (raw?.req?.parseBody) {
-        try {
-            const parsed = await raw.req.parseBody();
-            return parsed && typeof parsed === 'object' ? { ...parsed } : {};
-        }
-        catch {
-            return {};
-        }
-    }
-    return {};
-}
-/**
- * Normalize a user-supplied redirect URL. Returns absolute URLs and
- * scheme-prefixed URLs unchanged. Bare relative paths (no leading `/`)
- * are joined under the panel's `basePath` — without this, the browser
- * resolves the redirect against the current request URL and produces
- * paths like `/admin/articles/{id}/articles/{id}/edit`.
- *
- * `getRedirectUrl` page hooks and `Form.redirectAfterSave` callbacks
- * are user-authored; this protects the framework against the common
- * authoring slip while keeping absolute URLs (the documented form)
- * working as-is.
- */
-function normalizeRedirect(url, basePath) {
-    if (!url)
-        return undefined;
-    if (url.startsWith('/'))
-        return url;
-    if (/^[a-z][a-z0-9+.-]*:/i.test(url))
-        return url; // http(s):, mailto:, etc.
-    const trimmedBase = basePath.replace(/\/$/, '');
-    return `${trimmedBase}/${url}`;
-}
-/** Strip framework meta keys (`_formId`, `_method`, `_continueCreate`)
- * from a parsed body. `continueCreate` mirrors the secondary
- * "Create & create another" submit on `CreatePage`: when `'1'`, the
- * create POST handler routes the redirect back to the create URL
- * instead of the new record's edit page. */
-function splitMeta(body) {
-    const { _formId, _method: _omitMethod, _continueCreate, ...rest } = body;
-    return {
-        values: rest,
-        formId: typeof _formId === 'string' ? _formId : undefined,
-        continueCreate: _continueCreate === '1' || _continueCreate === 1 || _continueCreate === true,
-    };
-}
-/** Strip control characters (`"\\\r\n`) from a download filename so
- *  the `Content-Disposition: attachment; filename="…"` header stays
- *  unbreakable. Defends against a handler that returns a hostile
- *  filename string. Empty fallback `'export'`. */
-function sanitizeFilename(name) {
-    const cleaned = (name ?? '').replace(/[\r\n"\\]/g, '').trim();
-    return cleaned.length > 0 ? cleaned : 'export';
-}
-/** Write an `Action`-handler download envelope as the response. Sets
- *  `Content-Type` + `Content-Disposition: attachment` and ends with
- *  the body. Mutually exclusive with redirect — call sites consult
- *  `result.download` first. */
-function sendDownload(res, env) {
-    res.header('Content-Type', env.contentType);
-    res.header('Content-Disposition', `attachment; filename="${sanitizeFilename(env.filename)}"`);
-    res.send(env.body);
-}
-/** Plan #10 — send a 403 response. Branches on `Accept: application/json`
- * the same way the action / form dispatch paths do. Used by every route
- * after a `Resource.canX(...)` check fails. We deliberately do NOT
- * redirect to login: 403 means "authenticated but not allowed"; the
- * 401-unauthenticated case is `Pilotiq.guard()`'s job. */
-function forbidden(res, json) {
-    res.status(403);
-    if (json)
-        return res.json({ ok: false, error: 'Forbidden' });
-    return res.send('Forbidden');
-}
-/** Extract a user-facing message from a thrown value inside an editable
- *  column's beforeStateUpdated / afterStateUpdated hook. Stamped under
- *  the reserved `_cell` key in the 422 response. */
-function cellHookErrorMessage(err) {
-    if (err instanceof Error && err.message)
-        return err.message;
-    if (typeof err === 'string' && err.length > 0)
-        return err;
-    return 'Update halted';
-}
-/** Run a `canX(...)` predicate, treating throws as `false`. The predicate
- * is user-authored and we want a flaky check to fail closed (deny) rather
- * than 500 the page. */
-async function checkPolicy(fn) {
-    try {
-        return Boolean(await fn());
-    }
-    catch {
-        return false;
-    }
-}
-async function policyAccess(owner, user) {
-    const [ownerOk, clusterOk] = await Promise.all([
-        checkPolicy(() => owner.canAccess(user)),
-        owner.cluster
-            ? checkPolicy(() => owner.cluster.canAccess(user))
-            : Promise.resolve(true),
-    ]);
-    return ownerOk && clusterOk;
-}
-/**
- * Locate an action by name in a resolved page schema. Looks at both
- * page-level actions (`findActions`) AND row-scoped extraItemActions on
- * Repeater/Builder fields (`findRowExtraActions`). When the match is
- * row-scoped, also returns the parent field reference and the form
- * schema array — the dispatcher uses both to coerce the form body and
- * navigate to the right row when stamping `ctx.row`.
- *
- * Page-level matches win when a page-level + row-scoped action share the
- * same name (page-level is strictly more privileged: it has access to
- * the full form, not just one row). The collision is undocumented
- * behavior — authors should use distinct names.
- */
-function resolveDispatchTarget(elements, actionName) {
-    const pageLevel = findActions(elements).find(a => a.name === actionName);
-    if (pageLevel)
-        return { action: pageLevel };
-    const rowMatches = findRowExtraActions(elements).filter(r => r.action.name === actionName);
-    if (rowMatches.length === 0)
-        return null;
-    if (rowMatches.length > 1) {
-        console.warn(`[pilotiq] Action "${actionName}" registered as extraItemActions on multiple ` +
-            `fields. Using the first match — disambiguate by renaming.`);
-    }
-    const first = rowMatches[0];
-    // `formSchema` is the entire page tree for v1 — `coerceFormValues`
-    // needs the field schema rooted at the form, not just the one row's
-    // children. Passing the page tree is over-broad but safe (the function
-    // walks until it finds the field). A future polish can narrow to the
-    // owning Form once we walk back from the matched field.
-    return { action: first.action, rowField: first.field, formSchema: elements };
-}
-async function handleFormState(req, res, pilotiq, scope, formId) {
-    const body = (await readFormBody(req));
-    const changed = typeof body.changed === 'string' ? body.changed : '';
-    const values = (body.values && typeof body.values === 'object' && !Array.isArray(body.values))
-        ? body.values
-        : {};
-    if (!formId || !changed) {
-        res.status(400);
-        return res.json({ ok: false, error: 'Missing formId or changed field' });
-    }
-    try {
-        const result = await formStateData(pilotiq, scope, { formId, changed, values }, req);
-        if (result === null) {
-            res.status(404);
-            return res.json({ ok: false, error: 'Page not found' });
-        }
-        if (!result.ok) {
-            res.status(result.status);
-            return res.json({ ok: false, error: result.error });
-        }
-        return res.json({ ok: true, form: result.form, dirty: result.dirty });
-    }
-    catch (err) {
-        const message = err instanceof Error ? err.message : 'Form update failed';
-        res.status(500);
-        return res.json({ ok: false, error: message });
-    }
-}
-async function handleFormWizard(req, res, pilotiq, scope, formId) {
-    const body = (await readFormBody(req));
-    const stepN = typeof body.step === 'number' ? body.step
-        : typeof body.step === 'string' ? Number(body.step)
-            : NaN;
-    const values = (body.values && typeof body.values === 'object' && !Array.isArray(body.values))
-        ? body.values
-        : {};
-    if (!formId || !Number.isFinite(stepN) || stepN < 0) {
-        res.status(400);
-        return res.json({ ok: false, error: 'Missing formId or invalid step' });
-    }
-    try {
-        const result = await formWizardData(pilotiq, scope, { formId, step: stepN, values }, req);
-        if (result === null) {
-            res.status(404);
-            return res.json({ ok: false, error: 'Page not found' });
-        }
-        if (!result.ok) {
-            res.status(result.status);
-            const payload = { ok: false };
-            if (result.error)
-                payload['error'] = result.error;
-            if (result.errors)
-                payload['errors'] = result.errors;
-            return res.json(payload);
-        }
-        return res.json({ ok: true });
-    }
-    catch (err) {
-        const message = err instanceof Error ? err.message : 'Wizard step validation failed';
-        res.status(500);
-        return res.json({ ok: false, error: message });
-    }
-}
-async function handleFormCreateOption(req, res, pilotiq, scope, formId, fieldName) {
-    const body = (await readFormBody(req));
-    const values = (body.values && typeof body.values === 'object' && !Array.isArray(body.values))
-        ? body.values
-        : {};
-    if (!formId || !fieldName) {
-        res.status(400);
-        return res.json({ ok: false, error: 'Missing formId or fieldName' });
-    }
-    try {
-        const result = await formCreateOptionData(pilotiq, scope, { formId, fieldName, values }, req);
-        if (result === null) {
-            res.status(404);
-            return res.json({ ok: false, error: 'Page not found' });
-        }
-        if (!result.ok) {
-            res.status(result.status);
-            const payload = { ok: false };
-            if (result.error)
-                payload['error'] = result.error;
-            if (result.errors)
-                payload['errors'] = result.errors;
-            return res.json(payload);
-        }
-        return res.json({ ok: true, option: result.option });
-    }
-    catch (err) {
-        const message = err instanceof Error ? err.message : 'createOption failed';
-        res.status(500);
-        return res.json({ ok: false, error: message });
-    }
-}
-async function handleFormMentions(req, res, pilotiq, scope, formId) {
-    const body = (await readFormBody(req));
-    const field = typeof body.field === 'string' ? body.field : '';
-    const trigger = typeof body.trigger === 'string' ? body.trigger : '';
-    const query = typeof body.query === 'string' ? body.query : '';
-    if (!formId || !field || trigger.length !== 1) {
-        res.status(400);
-        return res.json({ ok: false, error: 'Missing formId / field / trigger' });
-    }
-    // Cap query length — the resolver runs the user's code; the trigger
-    // never sends more than a word's worth of characters in practice.
-    const cappedQuery = query.length > 200 ? query.slice(0, 200) : query;
-    try {
-        const result = await mentionResolveData(pilotiq, scope, { formId, field, trigger, query: cappedQuery }, req);
-        if (result === null) {
-            res.status(404);
-            return res.json({ ok: false, error: 'Page not found' });
-        }
-        if (!result.ok) {
-            res.status(result.status);
-            return res.json({ ok: false, error: result.error });
-        }
-        return res.json({ ok: true, items: result.items });
-    }
-    catch (err) {
-        const message = err instanceof Error ? err.message : 'Mention resolve failed';
-        res.status(500);
-        return res.json({ ok: false, error: message });
-    }
-}
-async function handleWidgetData(req, res, pilotiq, scope, id) {
-    if (!id) {
-        res.status(400);
-        return res.json({ ok: false, error: 'Missing widget id' });
-    }
-    const body = (await readFormBody(req));
-    const filter = typeof body.filter === 'string' ? body.filter : undefined;
-    try {
-        const result = await widgetData(pilotiq, scope, filter !== undefined ? { id, filter } : { id }, req);
-        if (!result.ok) {
-            res.status(result.status);
-            return res.json({ ok: false, error: result.error });
-        }
-        return res.json({ ok: true, data: result.data, timestamp: result.timestamp });
-    }
-    catch (err) {
-        res.status(500);
-        return res.json({ ok: false, error: err instanceof Error ? err.message : 'Widget request failed' });
-    }
-}
-/**
- * Handle a single file upload from a `FileUpload` field. Validates
- * accept / maxSize against the (optional) per-request hints, hands
- * the file off to the configured adapter, returns `{ ok, url }`.
- *
- * Body shape (multipart/form-data):
- *   - `file`: the file blob
- *   - `directory`: optional sub-directory hint
- *   - `accept`: optional comma-separated MIME list to enforce
- *   - `maxSize`: optional byte cap
- *   - `fieldName`: optional tag forwarded to the adapter for routing
- */
-async function handleUploadRequest(req, res, pilotiq) {
-    const cfg = pilotiq.getConfig();
-    if (!cfg.uploads) {
-        res.status(500);
-        return res.json({ ok: false, error: 'No upload adapter configured' });
-    }
-    // Auth: panel-wide `guard` and per-request `user`. We don't enforce
-    // per-resource canEdit here because the field doesn't know which
-    // resource it belongs to — apps that need it should hook into
-    // their adapter's `put()` and consult their own auth there.
-    if (cfg.guard && !await cfg.guard(req)) {
-        res.status(401);
-        return res.json({ ok: false, error: 'Unauthorized' });
-    }
-    // Parse multipart body. Hono's parseBody returns `Record<string, File | string>`.
-    const raw = req.raw;
-    if (!raw?.req?.parseBody) {
-        res.status(500);
-        return res.json({ ok: false, error: 'Multipart parsing unavailable' });
-    }
-    let body;
-    try {
-        body = await raw.req.parseBody();
-    }
-    catch (err) {
-        res.status(400);
-        return res.json({ ok: false, error: err instanceof Error ? err.message : 'Bad request' });
-    }
-    const file = body['file'];
-    if (!file || !(file instanceof File)) {
-        res.status(422);
-        return res.json({ ok: false, error: 'No file provided' });
-    }
-    const directory = typeof body['directory'] === 'string' ? body['directory'] : undefined;
-    const fieldName = typeof body['fieldName'] === 'string' ? body['fieldName'] : '';
-    // Server-side validation. Both accept and maxSize are advisory hints
-    // shipped by the field meta, so we re-check here so a tampered client
-    // can't bypass the limits.
-    const acceptStr = typeof body['accept'] === 'string' ? body['accept'] : '';
-    if (acceptStr) {
-        const accept = acceptStr.split(',').map(s => s.trim()).filter(Boolean);
-        if (accept.length > 0 && !accept.includes(file.type)) {
-            res.status(422);
-            return res.json({ ok: false, error: `File type "${file.type}" not allowed` });
-        }
-    }
-    const maxSizeStr = typeof body['maxSize'] === 'string' ? body['maxSize'] : '';
-    if (maxSizeStr) {
-        const maxSize = Number(maxSizeStr);
-        if (Number.isFinite(maxSize) && file.size > maxSize) {
-            res.status(422);
-            return res.json({ ok: false, error: `File exceeds ${maxSize} bytes` });
-        }
-    }
-    // Server-side resize via @rudderjs/image (optional peer dep). Variable-
-    // string `import(name)` keeps Vite's static import-analysis from trying
-    // to pre-resolve the module on host apps that don't have @rudderjs/image
-    // installed — same pattern as `notifications/database.ts` for `@rudderjs/orm`.
-    const resizeWidthStr = typeof body['resize_width'] === 'string' ? body['resize_width'] : '';
-    const resizeHeightStr = typeof body['resize_height'] === 'string' ? body['resize_height'] : '';
-    let uploadFile = file;
-    if (resizeWidthStr && resizeHeightStr) {
-        const w = Number(resizeWidthStr);
-        const h = Number(resizeHeightStr);
-        if (Number.isFinite(w) && w > 0 && Number.isFinite(h) && h > 0) {
-            try {
-                const imageModuleName = '@rudderjs/image';
-                // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
-                const pkg = await import(/* @vite-ignore */ imageModuleName);
-                const buf = await pkg.image(file).resize(w, h).format('webp').toBuffer();
-                const baseName = file.name.replace(/\.[^.]+$/, '');
-                uploadFile = new File([buf.buffer], `${baseName}.webp`, { type: 'image/webp' });
-            }
-            catch {
-                // @rudderjs/image not installed or resize failed — fall through with original file
-            }
-        }
-    }
-    try {
-        const result = await cfg.uploads.adapter.put({
-            file: uploadFile,
-            ...(directory ? { directory } : {}),
-            fieldName,
-        });
-        return res.json({ ok: true, url: result.url, ...(result.meta ? { meta: result.meta } : {}) });
-    }
-    catch (err) {
-        res.status(500);
-        return res.json({ ok: false, error: err instanceof Error ? err.message : 'Upload failed' });
-    }
-}
+// `routes.ts` is split into a directory of focused modules under
+// `./routes/`. This file is the orchestrator — boot-time validation
+// loops + the per-Resource / per-Global / per-Page registration
+// dispatchers. See `docs/plans/routes-split.md` for the per-phase map.
+import { registerPanelRoutes } from './routes/panel.js';
+import { registerResourceRoutes } from './routes/resources.js';
+import { registerGlobalRoutes } from './routes/globals.js';
+import { registerCustomPageRoutes } from './routes/pages.js';
+import { registerThemeRoutes } from './routes/theme.js';
 export function registerPilotiqRoutes(router, pilotiq) {
     const cfg = pilotiq.getConfig();
     const base = cfg.path;
@@ -544,2682 +132,80 @@ export function registerPilotiqRoutes(router, pilotiq) {
             }
         }
     }
-    // Reorderable rows — fail fast at boot when a Resource declares
-    // `Table.reorderable()` but the bound model can't actually persist a
-    // new order. We invoke `R.table(Table.make())` once per resource (the
-    // same call shape `defaultPages` uses at request time) and inspect
-    // `_reorderableColumn`. The model.reorder check is symmetric with
-    // Plan #13's restore/forceDelete guards. Result is cached per-resource
-    // so the route loop below can decide whether to mount `_reorder`.
+    // Reorderable rows + editable cell columns — fail fast at boot when a
+    // Resource declares either capability but its bound model can't
+    // persist. We invoke `R.table(Table.make())` once per resource (same
+    // call shape `defaultPages` uses at request time) and inspect both
+    // markers in a single pass. The model.reorder / model.update checks
+    // are symmetric with Plan #13's restore/forceDelete guards. Results
+    // cached per-resource so the route loop below can decide whether to
+    // mount `_reorder` / `_cell`.
     const reorderEnabled = new Map(); // slug → column
-    for (const R of cfg.resources) {
-        let probeColumn;
-        try {
-            probeColumn = R.table(Table.make()).getReorderableColumn();
-        }
-        catch {
-            continue;
-        } // user-side throw — not a reorder concern
-        if (probeColumn === undefined)
-            continue;
-        if (!R.model || typeof R.model.reorder !== 'function') {
-            throw new Error(`[Pilotiq] ${R.name}.table() calls reorderable("${probeColumn}") but the bound model has no reorder(ids) method. ` +
-                `Implement \`async reorder(ids)\` on the rudder Model (or remove the .reorderable() call).`);
-        }
-        reorderEnabled.set(R.getSlug(), probeColumn);
-    }
-    // Editable cell columns — fail fast at boot when a Resource declares
-    // at least one TextInput/Toggle/SelectColumn but the bound model
-    // can't persist a single-column update. Mirrors the reorder guard
-    // above. Result is cached per-resource so the route loop below can
-    // decide whether to mount `_cell`.
     const editableEnabled = new Set();
     for (const R of cfg.resources) {
-        let hasEditable = false;
+        let probe;
         try {
-            hasEditable = (R.table(Table.make()).getChildren() ?? [])
-                .some(c => c instanceof Column && c.isEditable());
+            probe = R.table(Table.make());
         }
         catch {
             continue;
-        }
-        if (!hasEditable)
-            continue;
-        if (!R.model || typeof R.model.update !== 'function') {
-            throw new Error(`[Pilotiq] ${R.name}.table() declares an editable cell column ` +
-                `(TextInputColumn / ToggleColumn / SelectColumn) but the bound ` +
-                `model has no update(id, data) method. Set Resource.model = M ` +
-                `(rudder ORM convention) or drop the editable column.`);
-        }
-        editableEnabled.add(R.getSlug());
-    }
-    // ── Dashboard (1-segment) ─────────────────────────────
-    router.get(base, async (req, res) => {
-        // Plan #15 — when `panel.dashboard(P)` is set, gate the dashboard
-        // route through the page's `canAccess` predicate. Same posture as
-        // custom pages — fail-closed on throw.
-        if (cfg.dashboardPage) {
-            const user = await pilotiq.resolveUser(req);
-            if (!await policyAccess(cfg.dashboardPage, user)) {
-                return forbidden(res, wantsJson(req));
-            }
-        }
-        return view('pilotiq.dashboard', await dashboardData(pilotiq, req));
-    });
-    // ── File uploads (FileUpload field POST target) ───────
-    router.post(`${base}/_uploads`, async (req, res) => {
-        return handleUploadRequest(req, res, pilotiq);
-    });
-    // ── Plan #15 dashboard widget polling ─────────────────
-    // POST ${base}/_widget/:id — re-resolves the dashboard page schema,
-    // finds widget by id, runs `getServerData(ctx)`. Body: `{ filter? }`.
-    // Mounted unconditionally — widgetData() returns 404 when no
-    // dashboard page is registered, so this stays cheap when unused.
-    router.post(`${base}/_widget/:id`, async (req, res) => {
-        if (cfg.dashboardPage) {
-            const user = await pilotiq.resolveUser(req);
-            if (!await policyAccess(cfg.dashboardPage, user))
-                return forbidden(res, true);
-        }
-        return handleWidgetData(req, res, pilotiq, { kind: 'panel' }, req.params['id']);
-    });
-    // ── Plan #12 global search ────────────────────────────
-    // GET ${base}/_search?q=…&limit=… → { ok, results }
-    // No 403 on unrecognised users — `searchAllResources` filters per
-    // resource. The Pilotiq.guard() layer above is the panel-level gate.
-    router.get(`${base}/_search`, async (req, res) => {
-        const query = req.query;
-        const rawQ = query?.['q'];
-        const q = typeof rawQ === 'string' ? rawQ.slice(0, 200) : '';
-        const data = await searchData(pilotiq, q, req);
-        return res.json(data);
-    });
-    // ── Database notifications (bell-icon dropdown) ───────
-    // Only mounted when `Pilotiq.databaseNotifications()` was called.
-    // Every route 401s when no user resolves so a non-authenticated
-    // request never sees another user's inbox. The `notifiable_type`
-    // value is configurable but defaults to `'users'` to match
-    // `@rudderjs/notification`'s `DatabaseChannel` writes.
-    if (cfg.databaseNotifications?.enabled) {
-        const dn = cfg.databaseNotifications;
-        const notifiableType = dn.notifiableType ?? 'users';
-        const pageSize = dn.pageSize ?? 25;
-        /** Resolve `{ id }` from the panel's user resolver. Returns null
-         *  when no user / unknown id — every route then 401s. The user
-         *  object is opaque to pilotiq; we duck-type `.id`. */
-        const resolveUserId = async (req) => {
-            const user = await pilotiq.resolveUser(req);
-            if (!user || typeof user !== 'object')
-                return null;
-            const id = user.id;
-            if (id === undefined || id === null)
-                return null;
-            return String(id);
-        };
-        // GET ${base}/_notifications → { notifications, unreadCount }
-        router.get(`${base}/_notifications`, async (req, res) => {
-            const id = await resolveUserId(req);
-            if (id === null) {
-                res.status(401);
-                return res.json({ ok: false, error: 'Not authenticated' });
-            }
-            const url = new URL(req.url ?? '/', 'http://localhost');
-            const unreadOnly = url.searchParams.get('unread') === 'true';
-            const limitRaw = Number(url.searchParams.get('limit') ?? pageSize);
-            const limit = Number.isFinite(limitRaw) && limitRaw > 0 ? Math.min(limitRaw, 100) : pageSize;
-            const data = await listDatabaseNotifications({
-                notifiableType,
-                notifiableId: id,
-                limit,
-                unreadOnly,
-            });
-            return res.json({ ok: true, ...data });
-        });
-        // POST ${base}/_notifications/:id/read
-        router.post(`${base}/_notifications/:id/read`, async (req, res) => {
-            const userId = await resolveUserId(req);
-            if (userId === null) {
-                res.status(401);
-                return res.json({ ok: false, error: 'Not authenticated' });
-            }
-            const rowId = req.params['id'] ?? '';
-            const updated = await markDatabaseNotificationAsRead(rowId, {
-                notifiableType,
-                notifiableId: userId,
-            });
-            return res.json({ ok: updated });
-        });
-        // POST ${base}/_notifications/:id/unread
-        router.post(`${base}/_notifications/:id/unread`, async (req, res) => {
-            const userId = await resolveUserId(req);
-            if (userId === null) {
-                res.status(401);
-                return res.json({ ok: false, error: 'Not authenticated' });
-            }
-            const rowId = req.params['id'] ?? '';
-            const updated = await markDatabaseNotificationAsUnread(rowId, {
-                notifiableType,
-                notifiableId: userId,
-            });
-            return res.json({ ok: updated });
-        });
-        // POST ${base}/_notifications/read-all
-        router.post(`${base}/_notifications/read-all`, async (req, res) => {
-            const userId = await resolveUserId(req);
-            if (userId === null) {
-                res.status(401);
-                return res.json({ ok: false, error: 'Not authenticated' });
-            }
-            const count = await markAllDatabaseNotificationsAsRead({
-                notifiableType,
-                notifiableId: userId,
-            });
-            return res.json({ ok: true, count });
-        });
-        // POST ${base}/_notifications/:id/_action/:actionName
-        //
-        // Notification action dispatch — looks up the stored action on the
-        // row, resolves the named handler against the panel's
-        // `notificationHandlers` registry, and runs it with the row's
-        // stored payload. Optionally flips `read_at` server-side when the
-        // action carried `markAsRead: true`.
-        //
-        // Defends in depth: 404s on missing row / wrong owner / action
-        // missing / non-string handler / unknown registry name. Body is
-        // ignored — payload reads exclusively from the stored row, so a
-        // tampered client can't inject extra payload keys.
-        router.post(`${base}/_notifications/:id/_action/:actionName`, async (req, res) => {
-            const user = await pilotiq.resolveUser(req);
-            const userId = user && typeof user === 'object'
-                ? (user.id !== undefined && user.id !== null
-                    ? String(user.id) : null)
-                : null;
-            if (userId === null) {
-                res.status(401);
-                return res.json({ ok: false, error: 'Not authenticated' });
-            }
-            const params = req.params;
-            const result = await dispatchNotificationAction(pilotiq, {
-                notificationId: params['id'] ?? '',
-                actionName: params['actionName'] ?? '',
-                notifiableType,
-                notifiableId: userId,
-                user,
-                request: req,
-            });
-            if (!result.ok) {
-                res.status(result.status);
-                return res.json({ ok: false, error: result.error });
-            }
-            return res.json(result);
-        });
-        // Phase 2 — register the broadcast auth callback for private
-        // `pilotiq-notifications.<userId>` channels. Soft-fails when
-        // `@rudderjs/broadcast` isn't installed; apps that haven't enabled
-        // broadcast on the toggle stay quiet either way.
-        void registerBroadcastAuth(pilotiq);
-    }
+        } // user-side throw — neither flag applies
+        const probeColumn = probe.getReorderableColumn();
+        if (probeColumn !== undefined) {
+            if (!R.model || typeof R.model.reorder !== 'function') {
+                throw new Error(`[Pilotiq] ${R.name}.table() calls reorderable("${probeColumn}") but the bound model has no reorder(ids) method. ` +
+                    `Implement \`async reorder(ids)\` on the rudder Model (or remove the .reorderable() call).`);
+            }
+            reorderEnabled.set(R.getSlug(), probeColumn);
+        }
+        const hasEditable = (probe.getChildren() ?? [])
+            .some(c => c instanceof Column && c.isEditable());
+        if (hasEditable) {
+            if (!R.model || typeof R.model.update !== 'function') {
+                throw new Error(`[Pilotiq] ${R.name}.table() declares an editable cell column ` +
+                    `(TextInputColumn / ToggleColumn / SelectColumn) but the bound ` +
+                    `model has no update(id, data) method. Set Resource.model = M ` +
+                    `(rudder ORM convention) or drop the editable column.`);
+            }
+            editableEnabled.add(R.getSlug());
+        }
+    }
+    // ── Panel-level sibling routes ────────────────────────
+    // Dashboard, _uploads, _widget, _search, _notifications.
+    // Pulled out 2026-05-12 (Phase 2 of the routes.ts split).
+    registerPanelRoutes(router, pilotiq, base);
     // ── Resource routes ───────────────────────────────────
+    // List / view / create / edit / delete + soft-delete / actions /
+    // widgets / deferred-table / reorder / per-row editable cells / the
+    // four form-state companion endpoints / record sub-pages. Each
+    // Resource also fans out into its registered relation managers
+    // (depth-1 + depth-2). Pulled out 2026-05-12 (Phase 5 of the
+    // routes.ts split).
     for (const R of cfg.resources) {
-        const slug = R.getSlug();
-        const resourceBase = resourceBasePath(base, R);
-        const pages = R.resolvePages();
-        // Index — GET ${resourceBase}
-        if (pages.index) {
-            const PageClass = pages.index;
-            const indexUrl = resourceBase;
-            router.get(indexUrl, async (req, res) => {
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, wantsJson(req));
-                if (!await checkPolicy(() => R.canViewAny(user)))
-                    return forbidden(res, wantsJson(req));
-                if (R.persistFiltersInSession) {
-                    const query = req.query ?? {};
-                    const sessionSlug = resourceBase.slice(base.length + 1);
-                    if (Object.keys(query).length === 0) {
-                        const restoreTab = readPersistedLastTab(req, base, sessionSlug) ?? '';
-                        const stored = readPersistedListQuery(req, listFiltersKey(base, sessionSlug, restoreTab));
-                        if (stored) {
-                            const qs = encodePersistedQuery(stored, restoreTab);
-                            if (qs !== '')
-                                return res.redirect(`${indexUrl}?${qs}`, 302);
-                        }
-                    }
-                    else {
-                        const tab = typeof query['tab'] === 'string' ? query['tab'] : '';
-                        writePersistedListQuery(req, listFiltersKey(base, sessionSlug, tab), query);
-                        writePersistedLastTab(req, base, sessionSlug, tab);
-                    }
-                }
-                const data = await resourceIndexData(pilotiq, slug, req.query, req);
-                return view('pilotiq.slug', data ?? {});
-            });
-            router.post(`${indexUrl}/_widget/:id`, async (req, res) => {
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, true);
-                if (!await checkPolicy(() => R.canViewAny(user)))
-                    return forbidden(res, true);
-                return handleWidgetData(req, res, pilotiq, { kind: 'resource', slug }, req.params['id']);
-            });
-            if (R.deferLoading) {
-                router.get(`${indexUrl}/_table`, async (req, res) => {
-                    const user = await pilotiq.resolveUser(req);
-                    if (!await policyAccess(R, user))
-                        return forbidden(res, true);
-                    if (!await checkPolicy(() => R.canViewAny(user)))
-                        return forbidden(res, true);
-                    const data = await resourceTableData(pilotiq, slug, req.query, req);
-                    if (!data) {
-                        res.status(404);
-                        return res.json({ ok: false, error: 'Resource not found' });
-                    }
-                    return res.json({ ok: true, ...data });
-                });
-            }
-            // Action dispatch — POST ${resourceBase}/_action/:actionName
-            router.post(`${indexUrl}/_action/:actionName`, async (req, res) => {
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, wantsJson(req));
-                const actionName = req.params['actionName'];
-                const json = wantsJson(req);
-                const body = await readFormBody(req);
-                const input = parseActionBody(body);
-                const ctx = { mode: 'table', basePath: base, ...(user !== null ? { user: user } : {}) };
-                const elements = await callPageSchema(PageClass, ctx);
-                tagActionDispatch(elements, indexUrl);
-                const target = resolveDispatchTarget(elements, actionName);
-                if (!target) {
-                    if (json) {
-                        res.status(404);
-                        return res.json({ ok: false, error: `Action "${actionName}" not found` });
-                    }
-                    res.status(404);
-                    return res.send(`Action "${actionName}" not found on ${R.label}`);
-                }
-                const resolveRecord = R.model
-                    ? (id) => findRecord(R, id, { user })
-                    : undefined;
-                const result = await dispatchAction(target.action, {
-                    ...input,
-                    request: req,
-                    user,
-                    ...(target.rowField ? { rowField: target.rowField } : {}),
-                    ...(target.formSchema ? { formSchema: target.formSchema } : {}),
-                }, resolveRecord);
-                if (!result.ok) {
-                    if (json) {
-                        res.status(result.errors ? 422 : 500);
-                        return res.json({ ok: false, error: result.error, ...(result.errors ? { errors: result.errors } : {}) });
-                    }
-                    res.status(500);
-                    return res.send(result.error);
-                }
-                // Download envelope wins over redirect — `Action.export` and friends
-                // return the file body inline. Notifications dropped on this branch
-                // because the binary response has no JSON envelope to carry them;
-                // the file itself is the success signal.
-                if (result.download)
-                    return sendDownload(res, result.download);
-                const redirect = normalizeRedirect(result.redirect, base) ?? indexUrl;
-                if (json) {
-                    return res.json({
-                        ok: true,
-                        redirect,
-                        ...(result.notifications ? { notifications: result.notifications } : {}),
-                    });
-                }
-                flashNotifications(req, result.notifications);
-                return res.redirect(redirect, 303);
-            });
-            // Reorderable rows — POST ${resourceBase}/_reorder { ids: [] }
-            // Only mounted when `Resource.table()` opts in (boot-time probe
-            // populates `reorderEnabled`).
-            if (reorderEnabled.has(slug)) {
-                router.post(`${indexUrl}/_reorder`, async (req, res) => {
-                    const user = await pilotiq.resolveUser(req);
-                    if (!await policyAccess(R, user))
-                        return forbidden(res, true);
-                    // List-level edit gate. The drop affects many rows at once;
-                    // there's no single record to authorize against, so we pass
-                    // `undefined` and let user-supplied `canEdit` overrides branch
-                    // on `record === undefined` if they want row-level granularity.
-                    if (!await checkPolicy(() => R.canEdit(user, undefined)))
-                        return forbidden(res, true);
-                    const body = await readFormBody(req);
-                    const raw = body.ids;
-                    if (!Array.isArray(raw) || raw.length === 0) {
-                        res.status(400);
-                        return res.json({ ok: false, error: 'Missing or empty ids array' });
-                    }
-                    const ids = raw.filter((id) => typeof id === 'string' || typeof id === 'number');
-                    if (ids.length !== raw.length) {
-                        res.status(400);
-                        return res.json({ ok: false, error: 'ids must contain only strings or numbers' });
-                    }
-                    try {
-                        // Boot already verified `R.model?.reorder` exists; the `!`
-                        // assertions are safe.
-                        await R.model.reorder(ids);
-                        return res.json({ ok: true });
-                    }
-                    catch (err) {
-                        res.status(422);
-                        return res.json({
-                            ok: false,
-                            error: err instanceof Error ? err.message : 'Reorder failed',
-                        });
-                    }
-                });
-            }
-            // Editable cell columns — POST ${resourceBase}/:id/_cell/:column
-            // { value: <coerced> }. Only mounted when the resource declares at
-            // least one editable column (boot-time probe populates
-            // `editableEnabled`).
-            if (editableEnabled.has(slug)) {
-                router.post(`${indexUrl}/:id/_cell/:column`, async (req, res) => {
-                    const user = await pilotiq.resolveUser(req);
-                    if (!await policyAccess(R, user))
-                        return forbidden(res, true);
-                    const id = req.params['id'];
-                    const colName = req.params['column'];
-                    // Locate the column on the table. We re-derive `Table.make()`
-                    // here (same probe shape used by the boot guard + reorder route)
-                    // so the column instance carries its validators / discriminator.
-                    const probe = R.table(Table.make());
-                    const col = (probe.getChildren() ?? [])
-                        .find((c) => c instanceof Column && c.name === colName);
-                    if (!col) {
-                        res.status(400);
-                        return res.json({ ok: false, error: `Unknown column "${colName}"` });
-                    }
-                    if (!col.isEditable()) {
-                        res.status(400);
-                        return res.json({ ok: false, error: `Column "${colName}" is not editable` });
-                    }
-                    // Boot already verified `R.model?.update`; the `!` is safe.
-                    const record = await findRecord(R, id, { user });
-                    if (record === null || record === undefined) {
-                        res.status(404);
-                        return res.json({ ok: false, error: 'Record not found' });
-                    }
-                    if (!await checkPolicy(() => R.canEdit(user, record)))
-                        return forbidden(res, true);
-                    const body = await readFormBody(req);
-                    const raw = body.value;
-                    let value;
-                    try {
-                        value = coerceCellValue(col, raw);
-                    }
-                    catch (err) {
-                        const message = err instanceof CellCoerceError ? err.message
-                            : err instanceof Error ? err.message
-                                : 'Invalid value';
-                        res.status(422);
-                        return res.json({ ok: false, errors: { value: [message] } });
-                    }
-                    const errors = await col.runValidators(value, { record });
-                    if (errors.length > 0) {
-                        res.status(422);
-                        return res.json({ ok: false, errors: { value: errors } });
-                    }
-                    // beforeStateUpdated — runs after validators pass, before the
-                    // DB write. Throwing halts with 422 under `_cell`.
-                    const beforeHook = col.getBeforeStateUpdated();
-                    if (beforeHook) {
-                        try {
-                            await beforeHook(value, { record: record, user });
-                        }
-                        catch (err) {
-                            res.status(422);
-                            return res.json({ ok: false, errors: { _cell: [cellHookErrorMessage(err)] } });
-                        }
-                    }
-                    try {
-                        await R.model.update(id, { [col.name]: value });
-                    }
-                    catch (err) {
-                        res.status(422);
-                        return res.json({
-                            ok: false,
-                            error: err instanceof Error ? err.message : 'Update failed',
-                        });
-                    }
-                    // afterStateUpdated — runs only on a confirmed write. Throwing
-                    // surfaces the error to the user; the DB row is already
-                    // updated (the hook is for follow-up effects, not rollback).
-                    const afterHook = col.getAfterStateUpdated();
-                    if (afterHook) {
-                        try {
-                            await afterHook(value, { record: record, user });
-                        }
-                        catch (err) {
-                            res.status(422);
-                            return res.json({ ok: false, errors: { _cell: [cellHookErrorMessage(err)] } });
-                        }
-                    }
-                    return res.json({ ok: true, value, notifications: [] });
-                });
-            }
-        }
-        // Plan #5 — partial-resolve endpoint for create-mode forms.
-        // POST ${resourceBase}/_form/:formId/state
-        if (pages.create) {
-            router.post(`${resourceBase}/_form/:formId/state`, async (req, res) => {
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, true);
-                if (!await checkPolicy(() => R.canCreate(user)))
-                    return forbidden(res, true);
-                const formId = req.params['formId'];
-                return handleFormState(req, res, pilotiq, { kind: 'resource-create', slug }, formId);
-            });
-            // Plan #8 — wizard step-validate endpoint for create-mode forms.
-            router.post(`${resourceBase}/_form/:formId/wizard`, async (req, res) => {
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, true);
-                if (!await checkPolicy(() => R.canCreate(user)))
-                    return forbidden(res, true);
-                const formId = req.params['formId'];
-                return handleFormWizard(req, res, pilotiq, { kind: 'resource-create', slug }, formId);
-            });
-            // Async-mention endpoint for create-mode forms.
-            router.post(`${resourceBase}/_form/:formId/mentions`, async (req, res) => {
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, true);
-                if (!await checkPolicy(() => R.canCreate(user)))
-                    return forbidden(res, true);
-                const formId = req.params['formId'];
-                return handleFormMentions(req, res, pilotiq, { kind: 'resource-create', slug }, formId);
-            });
-            // SelectField inline-create modal endpoint for create-mode forms.
-            router.post(`${resourceBase}/_form/:formId/create-option/:fieldName`, async (req, res) => {
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, true);
-                if (!await checkPolicy(() => R.canCreate(user)))
-                    return forbidden(res, true);
-                const formId = req.params['formId'];
-                const fieldName = req.params['fieldName'];
-                return handleFormCreateOption(req, res, pilotiq, { kind: 'resource-create', slug }, formId, fieldName);
-            });
-        }
-        // Plan #5 — partial-resolve endpoint for edit-mode forms.
-        // POST ${resourceBase}/:id/_form/:formId/state
-        if (pages.edit) {
-            router.post(`${resourceBase}/:id/_form/:formId/state`, async (req, res) => {
-                const recordId = req.params['id'];
-                const formId = req.params['formId'];
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, true);
-                const policyRecord = R.model ? await findRecord(R, recordId, { user }).catch(() => undefined) : { id: recordId };
-                if (!await checkPolicy(() => R.canEdit(user, policyRecord)))
-                    return forbidden(res, true);
-                return handleFormState(req, res, pilotiq, { kind: 'resource-edit', slug, recordId }, formId);
-            });
-            // Plan #8 — wizard step-validate endpoint for edit-mode forms.
-            router.post(`${resourceBase}/:id/_form/:formId/wizard`, async (req, res) => {
-                const recordId = req.params['id'];
-                const formId = req.params['formId'];
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, true);
-                const policyRecord = R.model ? await findRecord(R, recordId, { user }).catch(() => undefined) : { id: recordId };
-                if (!await checkPolicy(() => R.canEdit(user, policyRecord)))
-                    return forbidden(res, true);
-                return handleFormWizard(req, res, pilotiq, { kind: 'resource-edit', slug, recordId }, formId);
-            });
-            // Async-mention endpoint for edit-mode forms.
-            router.post(`${resourceBase}/:id/_form/:formId/mentions`, async (req, res) => {
-                const recordId = req.params['id'];
-                const formId = req.params['formId'];
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, true);
-                const policyRecord = R.model ? await findRecord(R, recordId, { user }).catch(() => undefined) : { id: recordId };
-                if (!await checkPolicy(() => R.canEdit(user, policyRecord)))
-                    return forbidden(res, true);
-                return handleFormMentions(req, res, pilotiq, { kind: 'resource-edit', slug, recordId }, formId);
-            });
-            // SelectField inline-create modal endpoint for edit-mode forms.
-            router.post(`${resourceBase}/:id/_form/:formId/create-option/:fieldName`, async (req, res) => {
-                const recordId = req.params['id'];
-                const formId = req.params['formId'];
-                const fieldName = req.params['fieldName'];
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, true);
-                const policyRecord = R.model ? await findRecord(R, recordId, { user }).catch(() => undefined) : { id: recordId };
-                if (!await checkPolicy(() => R.canEdit(user, policyRecord)))
-                    return forbidden(res, true);
-                return handleFormCreateOption(req, res, pilotiq, { kind: 'resource-edit', slug, recordId }, formId, fieldName);
-            });
-        }
-        // Create — GET ${resourceBase}/create
-        if (pages.create) {
-            const PageClass = pages.create;
-            const createUrl = `${resourceBase}/create`;
-            router.get(createUrl, async (req, res) => {
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, wantsJson(req));
-                if (!await checkPolicy(() => R.canCreate(user)))
-                    return forbidden(res, wantsJson(req));
-                const data = await resourceCreateData(pilotiq, slug, undefined, req);
-                return view('pilotiq.resource-create', data ?? {});
-            });
-            // Create — POST ${resourceBase}/create
-            router.post(createUrl, async (req, res) => {
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, wantsJson(req));
-                if (!await checkPolicy(() => R.canCreate(user)))
-                    return forbidden(res, wantsJson(req));
-                const body = await readFormBody(req);
-                const { values, formId, continueCreate } = splitMeta(body);
-                const json = wantsJson(req);
-                const ctx = { mode: 'create', basePath: base, ...(user !== null ? { user: user } : {}) };
-                const elements = await callPageSchema(PageClass, ctx);
-                tagFormActions(elements, createUrl);
-                const form = selectForm(findForms(elements), formId);
-                if (!form) {
-                    if (json) {
-                        res.status(404);
-                        return res.json({ ok: false, error: 'No form found on page' });
-                    }
-                    res.status(404);
-                    return res.send('No form found on page');
-                }
-                const result = await dispatchFormSubmit(form, values, {
-                    values,
-                    basePath: base,
-                    ...(R.model ? { parentModel: R.model } : {}),
-                });
-                if (!result.ok) {
-                    if (json) {
-                        res.status(422);
-                        return res.json({ ok: false, errors: result.errors });
-                    }
-                    // Re-render through the same builder so the page is identical to GET,
-                    // just with values + errors prefilled.
-                    const data = await resourceCreateData(pilotiq, slug, { values, errors: result.errors });
-                    res.status(422);
-                    return view('pilotiq.resource-create', data ?? {});
-                }
-                const recordId = result.record?.id;
-                // "Create & create another" — when the secondary submit fired,
-                // route back to the create page with a fresh form. Skips any
-                // user-supplied `redirectAfterSave`: the user clicked the
-                // button asking explicitly to create another, so the
-                // continue-intent wins. `force: true` tells the SPA-mode
-                // FormRenderer to navigate even though the redirect URL
-                // matches the current page (otherwise the same-URL skip
-                // would preserve the just-submitted values on screen).
-                const fallback = continueCreate
-                    ? createUrl
-                    : recordId !== undefined ? `${resourceBase}/${String(recordId)}/edit` : `${resourceBase}`;
-                const redirect = continueCreate
-                    ? createUrl
-                    : normalizeRedirect(result.redirect, base) ?? fallback;
-                if (json) {
-                    return res.json({
-                        ok: true,
-                        redirect,
-                        ...(continueCreate ? { force: true } : {}),
-                        ...(result.notifications && result.notifications.length > 0 ? { notifications: result.notifications } : {}),
-                    });
-                }
-                flashNotifications(req, result.notifications);
-                return res.redirect(redirect, 303);
-            });
-            // Action dispatch — POST ${createUrl}/_action/:actionName
-            // Handles both page-level handler-style actions AND Repeater /
-            // Builder `extraItemActions` rows. The latter pass `_rowPath` in
-            // the body so the dispatcher hydrates `ctx.row` from the form's
-            // coerced values.
-            router.post(`${createUrl}/_action/:actionName`, async (req, res) => {
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, wantsJson(req));
-                if (!await checkPolicy(() => R.canCreate(user)))
-                    return forbidden(res, wantsJson(req));
-                const actionName = req.params['actionName'];
-                const json = wantsJson(req);
-                const body = await readFormBody(req);
-                const input = parseActionBody(body);
-                const ctx = { mode: 'create', basePath: base, ...(user !== null ? { user: user } : {}) };
-                const elements = await callPageSchema(PageClass, ctx);
-                tagActionDispatch(elements, createUrl);
-                const target = resolveDispatchTarget(elements, actionName);
-                if (!target) {
-                    if (json) {
-                        res.status(404);
-                        return res.json({ ok: false, error: `Action "${actionName}" not found` });
-                    }
-                    res.status(404);
-                    return res.send(`Action "${actionName}" not found on ${R.label}`);
-                }
-                const result = await dispatchAction(target.action, {
-                    ...input,
-                    request: req,
-                    user,
-                    ...(target.rowField ? { rowField: target.rowField } : {}),
-                    ...(target.formSchema ? { formSchema: target.formSchema } : {}),
-                });
-                if (!result.ok) {
-                    if (json) {
-                        res.status(result.errors ? 422 : 500);
-                        return res.json({ ok: false, error: result.error, ...(result.errors ? { errors: result.errors } : {}) });
-                    }
-                    res.status(500);
-                    return res.send(result.error);
-                }
-                if (result.download)
-                    return sendDownload(res, result.download);
-                const redirect = normalizeRedirect(result.redirect, base) ?? createUrl;
-                if (json) {
-                    return res.json({
-                        ok: true,
-                        redirect,
-                        ...(result.notifications ? { notifications: result.notifications } : {}),
-                    });
-                }
-                flashNotifications(req, result.notifications);
-                return res.redirect(redirect, 303);
-            });
-        }
-        // View — GET ${resourceBase}/:id (literal `create` matches first via
-        // Hono's literal-over-param routing, so `:id` only catches everything else.)
-        if (pages.view) {
-            router.get(`${resourceBase}/:id`, async (req, res) => {
-                const recordId = req.params['id'];
-                // Hono routes both `/create` and `/:id` against this slot; only the
-                // literal `create` segment hits the create route. Defensive guard:
-                if (recordId === 'create')
-                    return; // handled by create route
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, wantsJson(req));
-                // Load the record once so canView can inspect it. Stub `{ id }`
-                // when the resource has no model wired — the user-authored
-                // predicate gets to decide what to do with it.
-                const record = R.model ? await findRecord(R, recordId, { user }).catch(() => undefined) : { id: recordId };
-                if (!await checkPolicy(() => R.canView(user, record)))
-                    return forbidden(res, wantsJson(req));
-                const data = await resourceViewData(pilotiq, slug, recordId, req);
-                return view('pilotiq.resource-view', data ?? {});
-            });
-            // Delete — POST ${resourceBase}/:id/delete
-            router.post(`${resourceBase}/:id/delete`, async (req, res) => {
-                const recordId = req.params['id'];
-                const json = wantsJson(req);
-                const indexUrl = `${resourceBase}`;
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, json);
-                const record = R.model ? await findRecord(R, recordId, { user }).catch(() => undefined) : { id: recordId };
-                if (!await checkPolicy(() => R.canDelete(user, record)))
-                    return forbidden(res, json);
-                try {
-                    await R.deleteRecord(recordId);
-                }
-                catch (err) {
-                    const message = err instanceof Error ? err.message : 'Delete failed';
-                    if (json) {
-                        res.status(500);
-                        return res.json({ ok: false, error: message });
-                    }
-                    res.status(500);
-                    return res.send(message);
-                }
-                if (json) {
-                    // Build a synthetic deletion notification so the SPA path gets
-                    // the same toast UX as a JSON-dispatched action handler. The
-                    // form-method 303 path doesn't have the form-lifecycle toast
-                    // pipeline, so we surface confirmation here. Plan #13: use
-                    // "moved to trash" framing on soft-delete resources so users
-                    // know the row is recoverable.
-                    const title = R.softDeletes
-                        ? `${R.labelSingular} moved to trash`
-                        : `${R.labelSingular} deleted`;
-                    const notifications = [
-                        { id: `n-delete-${recordId}-${Date.now()}`, type: 'success', title },
-                    ];
-                    return res.json({ ok: true, redirect: indexUrl, notifications });
-                }
-                return res.redirect(indexUrl, 303);
-            });
-        }
-        // ─── Plan #13 soft-delete routes (restore / force-delete) ─────
-        // Both routes opt-in only when `Resource.softDeletes = true`. They
-        // load the target row through `withTrashed()` so the lookup finds
-        // currently-trashed records (which the default scope hides). The
-        // `restore` route undoes a prior soft-delete; `force-delete`
-        // bypasses soft-delete entirely.
-        if (R.softDeletes) {
-            // Boot-time guard — yell loudly if the rudder ORM model isn't
-            // wired up. Keeps "why didn't restore work?" debug sessions
-            // short. Pilotiq's flag and rudder's flag are deliberately
-            // independent (see plan doc).
-            if (!R.model) {
-                throw new Error(`[Pilotiq] ${R.name}: softDeletes = true requires a Resource.model. Wire one up or unset softDeletes.`);
-            }
-            if (typeof R.model.restore !== 'function' || typeof R.model.forceDelete !== 'function') {
-                throw new Error(`[Pilotiq] ${R.name}: softDeletes = true but model.restore / model.forceDelete are missing. ` +
-                    `Set Model.softDeletes = true on the rudder side, or upgrade @rudderjs/orm.`);
-            }
-            const M = R.model;
-            const pk = (M.primaryKey ?? 'id');
-            // Helper — load a row through `withTrashed` so currently-trashed
-            // records resolve. Returns undefined when the lookup misses (route
-            // converts to 404).
-            const loadTrashable = async (id) => {
-                const q = M.query();
-                if (typeof q.withTrashed !== 'function')
-                    return M.find(id).catch(() => undefined);
-                const result = await q.withTrashed()
-                    .where(pk, '=', id)
-                    .paginate(1, 1)
-                    .catch(() => ({ data: [] }));
-                return Array.isArray(result.data) ? result.data[0] : undefined;
-            };
-            // Restore — POST ${resourceBase}/:id/restore
-            router.post(`${resourceBase}/:id/restore`, async (req, res) => {
-                const recordId = req.params['id'];
-                const json = wantsJson(req);
-                const indexUrl = `${resourceBase}`;
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, json);
-                const record = await loadTrashable(recordId);
-                if (!record) {
-                    res.status(404);
-                    return json ? res.json({ ok: false, error: 'Not found' }) : res.send('Not found');
-                }
-                if (!await checkPolicy(() => R.canRestore(user, record)))
-                    return forbidden(res, json);
-                try {
-                    await M.restore(recordId);
-                }
-                catch (err) {
-                    const message = err instanceof Error ? err.message : 'Restore failed';
-                    res.status(500);
-                    return json ? res.json({ ok: false, error: message }) : res.send(message);
-                }
-                if (json) {
-                    const notifications = [
-                        { id: `n-restore-${recordId}-${Date.now()}`, type: 'success', title: `${R.labelSingular} restored` },
-                    ];
-                    return res.json({ ok: true, redirect: indexUrl, notifications });
-                }
-                return res.redirect(indexUrl, 303);
-            });
-            // Force-delete — POST ${resourceBase}/:id/force-delete
-            router.post(`${resourceBase}/:id/force-delete`, async (req, res) => {
-                const recordId = req.params['id'];
-                const json = wantsJson(req);
-                const indexUrl = `${resourceBase}`;
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, json);
-                const record = await loadTrashable(recordId);
-                if (!record) {
-                    res.status(404);
-                    return json ? res.json({ ok: false, error: 'Not found' }) : res.send('Not found');
-                }
-                if (!await checkPolicy(() => R.canForceDelete(user, record)))
-                    return forbidden(res, json);
-                try {
-                    await M.forceDelete(recordId);
-                }
-                catch (err) {
-                    const message = err instanceof Error ? err.message : 'Force-delete failed';
-                    res.status(500);
-                    return json ? res.json({ ok: false, error: message }) : res.send(message);
-                }
-                if (json) {
-                    const notifications = [
-                        { id: `n-fdelete-${recordId}-${Date.now()}`, type: 'success', title: `${R.labelSingular} permanently deleted` },
-                    ];
-                    return res.json({ ok: true, redirect: indexUrl, notifications });
-                }
-                return res.redirect(indexUrl, 303);
-            });
-        }
-        // Edit — GET ${resourceBase}/:id/edit
-        if (pages.edit) {
-            const PageClass = pages.edit;
-            router.get(`${resourceBase}/:id/edit`, async (req, res) => {
-                const recordId = req.params['id'];
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, wantsJson(req));
-                const record = R.model ? await findRecord(R, recordId, { user }).catch(() => undefined) : { id: recordId };
-                if (!await checkPolicy(() => R.canEdit(user, record)))
-                    return forbidden(res, wantsJson(req));
-                const data = await resourceEditData(pilotiq, slug, recordId, undefined, req);
-                return view('pilotiq.resource-edit', data ?? {});
-            });
-            // Edit — POST ${resourceBase}/:id/edit
-            router.post(`${resourceBase}/:id/edit`, async (req, res) => {
-                const recordId = req.params['id'];
-                const editUrl = `${resourceBase}/${recordId}/edit`;
-                const body = await readFormBody(req);
-                const { values, formId } = splitMeta(body);
-                const json = wantsJson(req);
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, json);
-                const policyRecord = R.model ? await findRecord(R, recordId, { user }).catch(() => undefined) : { id: recordId };
-                if (!await checkPolicy(() => R.canEdit(user, policyRecord)))
-                    return forbidden(res, json);
-                const ctx = { mode: 'edit', recordId, basePath: base, ...(user !== null ? { user: user } : {}) };
-                const elements = await callPageSchema(PageClass, ctx);
-                tagFormActions(elements, editUrl);
-                const form = selectForm(findForms(elements), formId);
-                if (!form) {
-                    if (json) {
-                        res.status(404);
-                        return res.json({ ok: false, error: 'No form found on page' });
-                    }
-                    res.status(404);
-                    return res.send('No form found on page');
-                }
-                // Try to load the record so validators with cross-field rules see it.
-                let record = undefined;
-                if (form.getLoadRecord()) {
-                    try {
-                        record = await form.getLoadRecord()(recordId, { values });
-                    }
-                    catch { /* ignore */ }
-                }
-                const result = await dispatchFormSubmit(form, values, {
-                    values,
-                    basePath: base,
-                    ...(record !== undefined ? { record } : {}),
-                    ...(R.model ? { parentModel: R.model } : {}),
-                });
-                if (!result.ok) {
-                    if (json) {
-                        res.status(422);
-                        return res.json({ ok: false, errors: result.errors });
-                    }
-                    const data = await resourceEditData(pilotiq, slug, recordId, { values, errors: result.errors });
-                    res.status(422);
-                    return view('pilotiq.resource-edit', data ?? {});
-                }
-                const redirect = normalizeRedirect(result.redirect, base) ?? editUrl;
-                if (json) {
-                    return res.json({
-                        ok: true,
-                        redirect,
-                        ...(result.notifications && result.notifications.length > 0 ? { notifications: result.notifications } : {}),
-                    });
-                }
-                flashNotifications(req, result.notifications);
-                return res.redirect(redirect, 303);
-            });
-            // Action dispatch — POST ${editUrl}/_action/:actionName
-            // Same shape as the create-page _action route. The `:id` segment
-            // gates record-aware policy (canEdit per record); row-scoped
-            // dispatch reuses the form schema we resolve here for `coerceFormValues`.
-            router.post(`${resourceBase}/:id/_action/:actionName`, async (req, res) => {
-                const recordId = req.params['id'];
-                // Hono routes `/edit` and `/delete` against this slot too — bail
-                // out so the dedicated handlers downstream pick them up. The
-                // `:actionName` capture catches anything; the explicit guard
-                // mirrors the view-route `recordId === 'create'` defensive branch.
-                const actionName = req.params['actionName'];
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, wantsJson(req));
-                const policyRecord = R.model ? await findRecord(R, recordId, { user }).catch(() => undefined) : { id: recordId };
-                if (!await checkPolicy(() => R.canEdit(user, policyRecord)))
-                    return forbidden(res, wantsJson(req));
-                const json = wantsJson(req);
-                const body = await readFormBody(req);
-                const input = parseActionBody(body);
-                const editUrl = `${resourceBase}/${recordId}/edit`;
-                const ctx = { mode: 'edit', recordId, basePath: base, ...(user !== null ? { user: user } : {}) };
-                const elements = await callPageSchema(PageClass, ctx);
-                tagActionDispatch(elements, editUrl);
-                const target = resolveDispatchTarget(elements, actionName);
-                if (!target) {
-                    if (json) {
-                        res.status(404);
-                        return res.json({ ok: false, error: `Action "${actionName}" not found` });
-                    }
-                    res.status(404);
-                    return res.send(`Action "${actionName}" not found on ${R.label}`);
-                }
-                const resolveRecord = R.model
-                    ? (id) => findRecord(R, id, { user })
-                    : undefined;
-                const result = await dispatchAction(target.action, {
-                    ...input,
-                    request: req,
-                    user,
-                    ...(target.rowField ? { rowField: target.rowField } : {}),
-                    ...(target.formSchema ? { formSchema: target.formSchema } : {}),
-                }, resolveRecord);
-                if (!result.ok) {
-                    if (json) {
-                        res.status(result.errors ? 422 : 500);
-                        return res.json({ ok: false, error: result.error, ...(result.errors ? { errors: result.errors } : {}) });
-                    }
-                    res.status(500);
-                    return res.send(result.error);
-                }
-                if (result.download)
-                    return sendDownload(res, result.download);
-                const redirect = normalizeRedirect(result.redirect, base) ?? editUrl;
-                if (json) {
-                    return res.json({
-                        ok: true,
-                        redirect,
-                        ...(result.notifications ? { notifications: result.notifications } : {}),
-                    });
-                }
-                flashNotifications(req, result.notifications);
-                return res.redirect(redirect, 303);
-            });
-        }
-        // ── Plan #11 relation manager routes ───────────────
-        // Per-manager: list, create (GET/POST), edit (GET/POST), delete (POST).
-        // Mounted under ${resourceBase}/:id/${rel} — the `:id` segment is the
-        // PARENT record id; the `:childId` segment (where present) is the
-        // related record's id. Authorization runs in two layers: parent
-        // canAccess + canEdit(parent), then manager-scoped can*.
-        for (const M of R.relations()) {
-            const rel = M.getRelationship();
-            const parentBase = `${resourceBase}/:id/${rel}`;
-            // Read the relation type once at registration so the (R, M)-
-            // scoped closures all see the same mode without re-reading the
-            // relations map per request. `R.model` is asserted by
-            // `requireParent` at request time; here it may legitimately be
-            // missing during late binding, in which case we fall back to
-            // 'hasMany' (the safe default — no special action injection / no
-            // factory short-circuiting). See `normalizeRelationMode` for the
-            // M2M / polymorphic mappings.
-            const relationType = R.model ? getRelationType(R.model, rel) : 'hasMany';
-            const mode = normalizeRelationMode(relationType);
-            // Common policy prelude: load parent, gate access. Returns the
-            // parent record on success or a thrown 403/404 response. Returns
-            // `undefined` when the route should bail out (response already sent).
-            const requireParent = async (req, res, json) => {
-                const recordId = req.params['id'];
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user)) {
-                    forbidden(res, json);
-                    return undefined;
-                }
-                if (!R.model) {
-                    res.status(500);
-                    if (json)
-                        res.json({ ok: false, error: `Resource "${R.name}" has relations but no static model` });
-                    else
-                        res.send(`Resource "${R.name}" has relations but no static model`);
-                    return undefined;
-                }
-                const parent = await findRecord(R, recordId, { user }).catch(() => undefined);
-                if (!parent) {
-                    res.status(404);
-                    if (json)
-                        res.json({ ok: false, error: 'Parent not found' });
-                    else
-                        res.send('Parent not found');
-                    return undefined;
-                }
-                if (!await checkPolicy(() => R.canEdit(user, parent))) {
-                    forbidden(res, json);
-                    return undefined;
-                }
-                return { user, parent, recordId };
-            };
-            // List — GET ${resourceBase}/:id/${rel}
-            // Manager-level canViewAny is enforced inside relationManagerData via
-            // safeManagerPolicy (with related-resource fall-through). We just
-            // surface the {ok:false,status:403} from the data builder as 403.
-            router.get(parentBase, async (req, res) => {
-                const json = wantsJson(req);
-                const ctx = await requireParent(req, res, json);
-                if (!ctx)
-                    return;
-                const data = await relationManagerData(pilotiq, {
-                    kind: 'relation-list', slug, recordId: ctx.recordId, relationship: rel, query: req.query,
-                }, req);
-                if (data === null) {
-                    res.status(404);
-                    return res.send('Not found');
-                }
-                if ('ok' in data && data.ok === false)
-                    return forbidden(res, json);
-                return view('pilotiq.relation-list', data);
-            });
-            // Create — GET ${resourceBase}/:id/${rel}/create
-            router.get(`${parentBase}/create`, async (req, res) => {
-                const json = wantsJson(req);
-                const ctx = await requireParent(req, res, json);
-                if (!ctx)
-                    return;
-                const data = await relationManagerData(pilotiq, {
-                    kind: 'relation-create', slug, recordId: ctx.recordId, relationship: rel,
-                }, req);
-                if (data === null) {
-                    res.status(404);
-                    return res.send('Not found');
-                }
-                if ('ok' in data && data.ok === false)
-                    return forbidden(res, json);
-                return view('pilotiq.relation-create', data);
-            });
-            // Create submit — POST ${resourceBase}/:id/${rel}/create
-            router.post(`${parentBase}/create`, async (req, res) => {
-                const json = wantsJson(req);
-                const pre = await requireParent(req, res, json);
-                if (!pre)
-                    return;
-                const Related = findRelatedResource(M, R, cfg);
-                if (!Related) {
-                    res.status(500);
-                    const msg = `RelationManager ${M.name}: cannot resolve related Resource for create`;
-                    return json ? res.json({ ok: false, error: msg }) : res.send(msg);
-                }
-                if (!await safeManagerPolicy(M, 'canCreate', Related, pre.user, pre.parent))
-                    return forbidden(res, json);
-                const body = await readFormBody(req);
-                const { values } = splitMeta(body);
-                const createUrl = `${parentBase}/create`.replace(':id', pre.recordId);
-                const listUrl = parentBase.replace(':id', pre.recordId);
-                const form = M.form(Form.make(), {
-                    basePath: base,
-                    parentSlug: slug,
-                    parentId: pre.recordId,
-                    relationship: rel,
-                    parentRecord: pre.parent,
-                    related: Related,
-                    mode,
-                });
-                if (Related.model) {
-                    if (!form.getSave())
-                        form.save(modelSave(Related.model));
-                    if (!form.getLoadRecord())
-                        form.loadRecord(modelLoadRecord(Related));
-                }
-                // Polymorphic auto-injection — when the parent's relation entry
-                // is `morphMany` / `morphOne`, fill the `{morphName}Id` and
-                // `{morphName}Type` columns on the child before persistence.
-                // Compose with any user-supplied `mutateDataBeforeCreate` and
-                // run AFTER it so morph values overwrite anything the form
-                // body or user hook might have set — the parent record is the
-                // single source of truth for who owns the new child, and a
-                // submitted form field cannot be allowed to tamper with that.
-                if (mode === 'morphMany' && R.model) {
-                    const morphDesc = getMorphRelationDescriptor(R.model, rel);
-                    if (!morphDesc) {
-                        res.status(500);
-                        const msg = `RelationManager ${M.name}: relations[${JSON.stringify(rel)}] reports a polymorphic type but is missing morphName.`;
-                        return json ? res.json({ ok: false, error: msg }) : res.send(msg);
-                    }
-                    const morphPayload = computeMorphPayload(pre.parent, morphDesc);
-                    const existing = form.getMutateDataBeforeCreate();
-                    form.mutateDataBeforeCreate(async (data, ctx) => {
-                        const next = existing ? await existing(data, ctx) : data;
-                        return { ...next, ...morphPayload };
-                    });
-                }
-                // Stamp parent context onto FormContext so user hooks
-                // (mutateDataBeforeCreate, redirectAfterSave, etc.) can default
-                // foreign-key columns or build URLs from the parent.
-                const formCtx = {
-                    values,
-                    basePath: base,
-                    parent: pre.parent,
-                    parentId: pre.recordId,
-                    relationship: rel,
-                };
-                const result = await dispatchFormSubmit(form, values, formCtx);
-                if (!result.ok) {
-                    if (json) {
-                        res.status(422);
-                        return res.json({ ok: false, errors: result.errors });
-                    }
-                    const data = await relationManagerData(pilotiq, {
-                        kind: 'relation-create', slug, recordId: pre.recordId, relationship: rel,
-                        prefill: { values, errors: result.errors ?? {} },
-                    }, req);
-                    res.status(422);
-                    return view('pilotiq.relation-create', data ?? {});
-                }
-                const redirect = normalizeRedirect(result.redirect, base) ?? listUrl;
-                if (json) {
-                    return res.json({
-                        ok: true, redirect,
-                        ...(result.notifications && result.notifications.length > 0 ? { notifications: result.notifications } : {}),
-                    });
-                }
-                flashNotifications(req, result.notifications);
-                return res.redirect(redirect, 303);
-            });
-            // View — GET ${resourceBase}/:id/${rel}/:childId  (Phase A nested
-            // resources). 5-segment URL. The literal `${parentBase}/create`
-            // route is registered above and Hono prefers static segments over
-            // wildcards, but the `childId === 'create'` guard belt-and-suspenders
-            // against any router that doesn't.
-            router.get(`${parentBase}/:childId`, async (req, res) => {
-                const json = wantsJson(req);
-                const pre = await requireParent(req, res, json);
-                if (!pre)
-                    return;
-                const childId = req.params['childId'];
-                if (childId === 'create') {
-                    res.status(404);
-                    return res.send('Not found');
-                }
-                const data = await relationManagerData(pilotiq, {
-                    kind: 'relation-view', slug, recordId: pre.recordId, relationship: rel, childId,
-                }, req);
-                if (data === null) {
-                    res.status(404);
-                    return res.send('Not found');
-                }
-                if ('ok' in data && data.ok === false)
-                    return forbidden(res, json);
-                return view('pilotiq.relation-view', data);
-            });
-            // Edit — GET ${resourceBase}/:id/${rel}/:childId/edit
-            router.get(`${parentBase}/:childId/edit`, async (req, res) => {
-                const json = wantsJson(req);
-                const pre = await requireParent(req, res, json);
-                if (!pre)
-                    return;
-                const childId = req.params['childId'];
-                const data = await relationManagerData(pilotiq, {
-                    kind: 'relation-edit', slug, recordId: pre.recordId, relationship: rel, childId,
-                }, req);
-                if (data === null) {
-                    res.status(404);
-                    return res.send('Not found');
-                }
-                if ('ok' in data && data.ok === false)
-                    return forbidden(res, json);
-                return view('pilotiq.relation-edit', data);
-            });
-            // Edit submit — POST ${resourceBase}/:id/${rel}/:childId/edit
-            router.post(`${parentBase}/:childId/edit`, async (req, res) => {
-                const json = wantsJson(req);
-                const pre = await requireParent(req, res, json);
-                if (!pre)
-                    return;
-                const childId = req.params['childId'];
-                const Related = findRelatedResource(M, R, cfg);
-                if (!Related?.model) {
-                    res.status(500);
-                    const msg = `RelationManager ${M.name}: cannot resolve related Resource for edit`;
-                    return json ? res.json({ ok: false, error: msg }) : res.send(msg);
-                }
-                // IDOR + load via the data builder's gating: re-use it to verify
-                // the child belongs to this parent, then do the form submit.
-                const childCheck = await relationManagerData(pilotiq, {
-                    kind: 'relation-edit', slug, recordId: pre.recordId, relationship: rel, childId,
-                }, req);
-                if (childCheck === null) {
-                    res.status(404);
-                    return res.send('Not found');
-                }
-                if ('ok' in childCheck && childCheck.ok === false)
-                    return forbidden(res, json);
-                const body = await readFormBody(req);
-                const { values } = splitMeta(body);
-                const editUrl = `${parentBase}/${childId}/edit`.replace(':id', pre.recordId);
-                const form = M.form(Form.make(), {
-                    basePath: base,
-                    parentSlug: slug,
-                    parentId: pre.recordId,
-                    relationship: rel,
-                    parentRecord: pre.parent,
-                    related: Related,
-                    mode,
-                });
-                if (!form.getSave())
-                    form.save(modelSave(Related.model));
-                if (!form.getLoadRecord())
-                    form.loadRecord(modelLoadRecord(Related));
-                // Re-load child for FormContext so cross-field validators see it.
-                let child = undefined;
-                try {
-                    child = await findRecord(Related, childId, { user: pre.user });
-                }
-                catch { /* ignore */ }
-                if (!child) {
-                    res.status(404);
-                    return res.send('Not found');
-                }
-                // Polymorphic re-stamp on update — same posture as the create
-                // path. Re-injecting the morph columns from the live parent
-                // record ensures a tampered body (`commentableId=…` /
-                // `commentableType=…` posted by an attacker) can't reassign
-                // the child to another polymorphic parent. Composed AFTER any
-                // user `mutateDataBeforeUpdate` so the framework wins.
-                if (mode === 'morphMany' && R.model) {
-                    const morphDesc = getMorphRelationDescriptor(R.model, rel);
-                    if (morphDesc) {
-                        const morphPayload = computeMorphPayload(pre.parent, morphDesc);
-                        const existing = form.getMutateDataBeforeUpdate();
-                        form.mutateDataBeforeUpdate(async (data, ctx) => {
-                            const next = existing ? await existing(data, ctx) : data;
-                            return { ...next, ...morphPayload };
-                        });
-                    }
-                }
-                const formCtx = {
-                    values,
-                    basePath: base,
-                    record: child,
-                    parent: pre.parent,
-                    parentId: pre.recordId,
-                    relationship: rel,
-                };
-                const result = await dispatchFormSubmit(form, values, formCtx);
-                if (!result.ok) {
-                    if (json) {
-                        res.status(422);
-                        return res.json({ ok: false, errors: result.errors });
-                    }
-                    const data = await relationManagerData(pilotiq, {
-                        kind: 'relation-edit', slug, recordId: pre.recordId, relationship: rel, childId,
-                        prefill: { values, errors: result.errors ?? {} },
-                    }, req);
-                    res.status(422);
-                    return view('pilotiq.relation-edit', data ?? {});
-                }
-                const redirect = normalizeRedirect(result.redirect, base) ?? editUrl;
-                if (json) {
-                    return res.json({
-                        ok: true, redirect,
-                        ...(result.notifications && result.notifications.length > 0 ? { notifications: result.notifications } : {}),
-                    });
-                }
-                flashNotifications(req, result.notifications);
-                return res.redirect(redirect, 303);
-            });
-            // Delete — POST ${resourceBase}/:id/${rel}/:childId/delete
-            router.post(`${parentBase}/:childId/delete`, async (req, res) => {
-                const json = wantsJson(req);
-                const pre = await requireParent(req, res, json);
-                if (!pre)
-                    return;
-                const childId = req.params['childId'];
-                const Related = findRelatedResource(M, R, cfg);
-                if (!Related?.model) {
-                    res.status(500);
-                    const msg = `RelationManager ${M.name}: cannot resolve related Resource for delete`;
-                    return json ? res.json({ ok: false, error: msg }) : res.send(msg);
-                }
-                // Anti-IDOR: re-use the data builder's child-belongs check.
-                const childCheck = await relationManagerData(pilotiq, {
-                    kind: 'relation-edit', slug, recordId: pre.recordId, relationship: rel, childId,
-                }, req);
-                if (childCheck === null) {
-                    res.status(404);
-                    return res.send('Not found');
-                }
-                if ('ok' in childCheck && childCheck.ok === false)
-                    return forbidden(res, json);
-                const child = await findRecord(Related, childId, { user: pre.user }).catch(() => undefined);
-                if (!child) {
-                    res.status(404);
-                    return res.send('Not found');
-                }
-                if (!await safeManagerPolicy(M, 'canDelete', Related, pre.user, pre.parent, child))
-                    return forbidden(res, json);
-                const listUrl = parentBase.replace(':id', pre.recordId);
-                try {
-                    await Related.model.delete(childId);
-                }
-                catch (err) {
-                    const message = err instanceof Error ? err.message : 'Delete failed';
-                    res.status(500);
-                    return json ? res.json({ ok: false, error: message }) : res.send(message);
-                }
-                if (json) {
-                    const notifications = [
-                        { id: `n-rdelete-${childId}-${Date.now()}`, type: 'success', title: `${M.getLabelSingular()} deleted` },
-                    ];
-                    return res.json({ ok: true, redirect: listUrl, notifications });
-                }
-                return res.redirect(listUrl, 303);
-            });
-            // ── Plan #13 polish — relation restore / force-delete ─────
-            // Mirror the resource-side soft-delete routes, scoped under the
-            // parent record. Both routes opt in only when the related Resource
-            // has `softDeletes = true` AND its model carries `restore` /
-            // `forceDelete`. Two-layer auth: parent canAccess + canEdit, then
-            // manager `canRestore / canForceDelete` (with related-Resource
-            // fall-through). IDOR check re-runs the parent's relation query
-            // through `withTrashed()` so trashed children still resolve.
-            const RelatedForSoft = findRelatedResource(M, R, cfg);
-            if (RelatedForSoft?.softDeletes) {
-                const RM = RelatedForSoft.model;
-                if (!RM) {
-                    throw new Error(`[Pilotiq] RelationManager ${M.name} on ${R.name}: related Resource ${RelatedForSoft.name} has softDeletes = true but no model. ` +
-                        `Wire one up or unset softDeletes.`);
-                }
-                if (typeof RM.restore !== 'function' || typeof RM.forceDelete !== 'function') {
-                    throw new Error(`[Pilotiq] RelationManager ${M.name} on ${R.name}: related Resource ${RelatedForSoft.name} has softDeletes = true but model.restore / model.forceDelete are missing. ` +
-                        `Set Model.softDeletes = true on the rudder side, or upgrade @rudderjs/orm.`);
-                }
-                // IDOR-safe load through the parent's relation query, broadened
-                // with `withTrashed()` so currently-trashed children resolve.
-                // Returns undefined when the child doesn't belong to this parent
-                // (under the broadened scope) or the lookup misses.
-                const loadTrashableChild = async (parent, childId) => {
-                    if (!R.model)
-                        return undefined;
-                    const pk = (RM.primaryKey ?? 'id');
-                    try {
-                        const q = R.model.relatedQuery
-                            ? R.model.relatedQuery(parent, rel)
-                            : parent.related(rel);
-                        const broadened = typeof q.withTrashed === 'function' ? q.withTrashed() : q;
-                        const result = await broadened.where(pk, '=', childId).paginate(1, 1);
-                        return Array.isArray(result.data) ? result.data[0] : undefined;
-                    }
-                    catch {
-                        return undefined;
-                    }
-                };
-                // Restore — POST ${resourceBase}/:id/${rel}/:childId/restore
-                router.post(`${parentBase}/:childId/restore`, async (req, res) => {
-                    const json = wantsJson(req);
-                    const pre = await requireParent(req, res, json);
-                    if (!pre)
-                        return;
-                    const childId = req.params['childId'];
-                    const child = await loadTrashableChild(pre.parent, childId);
-                    if (!child) {
-                        res.status(404);
-                        return res.send('Not found');
-                    }
-                    if (!await safeManagerPolicy(M, 'canRestore', RelatedForSoft, pre.user, pre.parent, child))
-                        return forbidden(res, json);
-                    const listUrl = parentBase.replace(':id', pre.recordId);
-                    try {
-                        await RM.restore(childId);
-                    }
-                    catch (err) {
-                        const message = err instanceof Error ? err.message : 'Restore failed';
-                        res.status(500);
-                        return json ? res.json({ ok: false, error: message }) : res.send(message);
-                    }
-                    if (json) {
-                        const notifications = [
-                            { id: `n-rrestore-${childId}-${Date.now()}`, type: 'success', title: `${M.getLabelSingular()} restored` },
-                        ];
-                        return res.json({ ok: true, redirect: listUrl, notifications });
-                    }
-                    return res.redirect(listUrl, 303);
-                });
-                // Force-delete — POST ${resourceBase}/:id/${rel}/:childId/force-delete
-                router.post(`${parentBase}/:childId/force-delete`, async (req, res) => {
-                    const json = wantsJson(req);
-                    const pre = await requireParent(req, res, json);
-                    if (!pre)
-                        return;
-                    const childId = req.params['childId'];
-                    const child = await loadTrashableChild(pre.parent, childId);
-                    if (!child) {
-                        res.status(404);
-                        return res.send('Not found');
-                    }
-                    if (!await safeManagerPolicy(M, 'canForceDelete', RelatedForSoft, pre.user, pre.parent, child))
-                        return forbidden(res, json);
-                    const listUrl = parentBase.replace(':id', pre.recordId);
-                    try {
-                        await RM.forceDelete(childId);
-                    }
-                    catch (err) {
-                        const message = err instanceof Error ? err.message : 'Force-delete failed';
-                        res.status(500);
-                        return json ? res.json({ ok: false, error: message }) : res.send(message);
-                    }
-                    if (json) {
-                        const notifications = [
-                            { id: `n-rforce-${childId}-${Date.now()}`, type: 'success', title: `${M.getLabelSingular()} permanently deleted` },
-                        ];
-                        return res.json({ ok: true, redirect: listUrl, notifications });
-                    }
-                    return res.redirect(listUrl, 303);
-                });
-            }
-            // ── M2M follow-up — manager-scoped action dispatch + detach ─────
-            // Two new routes per relation manager. Mounted unconditionally
-            // (even on hasMany managers) because handler-style actions are
-            // useful beyond M2M — any user-defined `Action.handler(...)` on a
-            // manager table needs a place to dispatch. The detach route is
-            // M2M-specific but cheap enough to register either way; non-M2M
-            // managers' `Action.relationDetach` factories return `visible=false`
-            // anyway, so the URL is unreachable in practice.
-            // Action dispatch — POST ${parentBase}/_action/:actionName
-            // Resolves the manager's table elements, finds the named action,
-            // and dispatches it with `ctx.relation = { parent, parentId, rel }`
-            // so M2M handlers can call `parent.related(rel).attach / detach`.
-            // Records hydrate against the related model (the rows visible in
-            // the manager's table are related-model records).
-            router.post(`${parentBase}/_action/:actionName`, async (req, res) => {
-                const json = wantsJson(req);
-                const pre = await requireParent(req, res, json);
-                if (!pre)
-                    return;
-                const Related = findRelatedResource(M, R, cfg);
-                const actionName = req.params['actionName'];
-                const body = await readFormBody(req);
-                const input = parseActionBody(body);
-                // Rebuild the manager's table so the dispatcher can find the
-                // action by name. Pure recreation — same context the page-data
-                // builder uses — so factories that close over `ctx` (URL,
-                // mode, parent record) see the same shape as at page render.
-                const managerCtx = {
-                    basePath: base,
-                    parentSlug: slug,
-                    parentId: pre.recordId,
-                    relationship: rel,
-                    parentRecord: pre.parent,
-                    related: Related,
-                    mode,
-                };
-                const table = M.table(Table.make(), managerCtx);
-                const elements = [table];
-                // Stamp dispatch URLs so any nested action factories that read
-                // `dispatchUrl` (rare — most read it from the meta at render
-                // time) still see something sensible.
-                const listUrl = parentBase.replace(':id', pre.recordId);
-                tagActionDispatch(elements, listUrl);
-                const target = resolveDispatchTarget(elements, actionName);
-                if (!target) {
-                    if (json) {
-                        res.status(404);
-                        return res.json({ ok: false, error: `Action "${actionName}" not found` });
-                    }
-                    res.status(404);
-                    return res.send(`Action "${actionName}" not found on ${M.name}`);
-                }
-                const resolveRecord = Related?.model
-                    ? (id) => Related.model.find(id)
-                    : undefined;
-                const result = await dispatchAction(target.action, {
-                    ...input,
-                    request: req,
-                    user: pre.user,
-                    relation: { parent: pre.parent, parentId: pre.recordId, relationship: rel },
-                    ...(target.rowField ? { rowField: target.rowField } : {}),
-                    ...(target.formSchema ? { formSchema: target.formSchema } : {}),
-                }, resolveRecord);
-                if (!result.ok) {
-                    if (json) {
-                        res.status(result.errors ? 422 : 500);
-                        return res.json({ ok: false, error: result.error, ...(result.errors ? { errors: result.errors } : {}) });
-                    }
-                    res.status(500);
-                    return res.send(result.error);
-                }
-                const redirect = normalizeRedirect(result.redirect, base) ?? listUrl;
-                if (json) {
-                    return res.json({
-                        ok: true,
-                        redirect,
-                        ...(result.notifications ? { notifications: result.notifications } : {}),
-                    });
-                }
-                flashNotifications(req, result.notifications);
-                return res.redirect(redirect, 303);
-            });
-            // Detach — POST ${parentBase}/:childId/_detach
-            // Direct row-action target for `Action.relationDetach`. Removes the
-            // pivot row only; the related record stays in place. IDOR check:
-            // verify the child is currently attached before calling detach so
-            // a tampered URL can't probe random ids.
-            router.post(`${parentBase}/:childId/_detach`, async (req, res) => {
-                const json = wantsJson(req);
-                const pre = await requireParent(req, res, json);
-                if (!pre)
-                    return;
-                const childId = req.params['childId'];
-                if (mode !== 'belongsToMany' && mode !== 'morphToMany' && mode !== 'morphedByMany') {
-                    // Detach is meaningless for hasMany — the user wants `delete`.
-                    // Surface a clear 404 instead of silently no-op'ing.
-                    res.status(404);
-                    const msg = 'Detach is only supported on M2M relations (belongsToMany, morphToMany, morphedByMany)';
-                    return json ? res.json({ ok: false, error: msg }) : res.send(msg);
-                }
-                // Manager-only canDetach: pivot ops don't fall through to the
-                // related Resource. We don't have the related child loaded yet —
-                // pass `undefined` for the per-record arg; canDetach gates on
-                // (user, parent) by default and only sees `record` when a
-                // manager has explicitly overridden with a per-row predicate.
-                // Authors who need per-row gating can detect undefined and either
-                // load the child themselves or short-circuit.
-                // Two distinct accessors are needed under the real
-                // `@rudderjs/orm`:
-                //   - `parent.related(rel)` returns a deferred QueryBuilder
-                //     with `where / paginate` (IDOR read-side check).
-                //   - `parent[rel]()` returns the pivot-mutation accessor with
-                //     `attach / detach / sync` (write-side).
-                // Test stubs may collapse both onto the same `parent.related(rel)`
-                // shape — handle that fallback so existing tests keep passing.
-                let child = undefined;
-                const readSide = pre.parent
-                    ?.related?.(rel);
-                if (!readSide) {
-                    res.status(500);
-                    const msg = `Parent.related("${rel}") missing — wrong relation type or ORM version?`;
-                    return json ? res.json({ ok: false, error: msg }) : res.send(msg);
-                }
-                try {
-                    // IDOR: confirm the child is currently attached.
-                    if (typeof readSide.paginate === 'function') {
-                        const Related = findRelatedResource(M, R, cfg);
-                        const pk = Related?.model ? getPrimaryKey(Related.model) : 'id';
-                        const out = await readSide.where(pk, '=', childId).paginate(1, 1);
-                        child = Array.isArray(out.data) ? out.data[0] : undefined;
-                    }
-                }
-                catch {
-                    // fall through; null child means we couldn't verify — safer to 404
-                }
-                if (child === undefined) {
-                    res.status(404);
-                    return res.send('Not found');
-                }
-                if (!await safeManagerPolicy(M, 'canDetach', undefined, pre.user, pre.parent, child))
-                    return forbidden(res, json);
-                // Real ORM: `parent[rel]()` returns the pivot accessor. Test
-                // stubs: `parent.related(rel)` may carry `detach` directly.
-                // Try the prototype-installed instance method first, then fall
-                // back to the read-side shape.
-                let writeAccessor;
-                const inst = pre.parent[rel];
-                if (typeof inst === 'function') {
-                    try {
-                        const out = inst.call(pre.parent);
-                        if (out && typeof out.detach === 'function')
-                            writeAccessor = out;
-                    }
-                    catch { /* fall through to legacy shape */ }
-                }
-                if (!writeAccessor && typeof readSide.detach === 'function') {
-                    writeAccessor = readSide;
-                }
-                if (!writeAccessor) {
-                    res.status(500);
-                    const msg = `Pivot accessor missing on ${rel} — wrong relation type or ORM version?`;
-                    return json ? res.json({ ok: false, error: msg }) : res.send(msg);
-                }
-                try {
-                    await writeAccessor.detach([childId]);
-                }
-                catch (err) {
-                    const message = err instanceof Error ? err.message : 'Detach failed';
-                    res.status(500);
-                    return json ? res.json({ ok: false, error: message }) : res.send(message);
-                }
-                const listUrl = parentBase.replace(':id', pre.recordId);
-                if (json) {
-                    const notifications = [
-                        { id: `n-rdetach-${childId}-${Date.now()}`, type: 'success', title: `${M.getLabelSingular()} detached` },
-                    ];
-                    return res.json({ ok: true, redirect: listUrl, notifications });
-                }
-                return res.redirect(listUrl, 303);
-            });
-            // ── Phase B nested relation routes ──────────────────
-            // For each manager N declared under M.relations(), mount the
-            // depth-2 list/create/view/edit/delete handlers. Auth + chain
-            // IDOR are centralized in `nestedRelationManagerData` — route
-            // bodies dispatch the data builder and unwrap the tagged
-            // {ok:false,status:403} / null shapes. Surface area mirrors
-            // Phase A: no M2M attach/detach, no soft-delete restore on
-            // nested managers in v1 (open follow-ups if a consumer asks).
-            for (const N of M.relations()) {
-                const nestedRel = N.getRelationship();
-                const nestedBase = `${parentBase}/:childId/${nestedRel}`;
-                // Build a `chain` tuple from the URL params for relayed calls
-                // into `relationManagerData`. The childId of the *outer* manager
-                // is the recordId of the leaf step.
-                const buildChain = (id, childId1) => [
-                    { recordId: id, relationship: rel },
-                    { recordId: childId1, relationship: nestedRel },
-                ];
-                // ── List ──
-                router.get(nestedBase, async (req, res) => {
-                    const json = wantsJson(req);
-                    const id = req.params['id'];
-                    const childId1 = req.params['childId'];
-                    const data = await relationManagerData(pilotiq, {
-                        kind: 'nested-relation-list', slug,
-                        chain: buildChain(id, childId1),
-                        query: req.query,
-                    }, req);
-                    if (data === null) {
-                        res.status(404);
-                        return res.send('Not found');
-                    }
-                    if ('ok' in data && data.ok === false)
-                        return forbidden(res, json);
-                    return view('pilotiq.nested-relation-list', data);
-                });
-                // ── Create (GET) ──
-                router.get(`${nestedBase}/create`, async (req, res) => {
-                    const json = wantsJson(req);
-                    const id = req.params['id'];
-                    const childId1 = req.params['childId'];
-                    const data = await relationManagerData(pilotiq, {
-                        kind: 'nested-relation-create', slug,
-                        chain: buildChain(id, childId1),
-                    }, req);
-                    if (data === null) {
-                        res.status(404);
-                        return res.send('Not found');
-                    }
-                    if ('ok' in data && data.ok === false)
-                        return forbidden(res, json);
-                    return view('pilotiq.nested-relation-create', data);
-                });
-                // ── Create (POST) ──
-                router.post(`${nestedBase}/create`, async (req, res) => {
-                    const json = wantsJson(req);
-                    const id = req.params['id'];
-                    const childId1 = req.params['childId'];
-                    // Run the chain walk once to verify auth + IDOR + load child1.
-                    // Any failure returns the same tagged shape we serve on GET.
-                    const pre = await relationManagerData(pilotiq, {
-                        kind: 'nested-relation-create', slug,
-                        chain: buildChain(id, childId1),
-                    }, req);
-                    if (pre === null) {
-                        res.status(404);
-                        return res.send('Not found');
-                    }
-                    if ('ok' in pre && pre.ok === false)
-                        return forbidden(res, json);
-                    // Re-resolve the leaf manager's bits for form submit. We need
-                    // the leaf parent record (`child1`) and the related class for
-                    // save/loadRecord wiring. Reuse `findRelatedResource` against
-                    // the chain walk's intermediate Resource (Related1).
-                    const Related1 = findRelatedResource(M, R, cfg);
-                    if (!Related1) {
-                        res.status(500);
-                        const msg = `Nested manager ${N.name}: cannot resolve middle Resource for create`;
-                        return json ? res.json({ ok: false, error: msg }) : res.send(msg);
-                    }
-                    const Related2 = findRelatedResource(N, Related1, cfg);
-                    if (!Related2?.model) {
-                        res.status(500);
-                        const msg = `Nested manager ${N.name}: cannot resolve related Resource for create`;
-                        return json ? res.json({ ok: false, error: msg }) : res.send(msg);
-                    }
-                    const user = await pilotiq.resolveUser(req);
-                    const child1 = await findRecord(Related1, childId1, { user }).catch(() => undefined);
-                    if (!child1) {
-                        res.status(404);
-                        return res.send('Not found');
-                    }
-                    const body = await readFormBody(req);
-                    const { values } = splitMeta(body);
-                    const createUrl = `${nestedBase}/create`.replace(':id', id).replace(':childId', childId1);
-                    const listUrl = nestedBase.replace(':id', id).replace(':childId', childId1);
-                    const nestedMode = Related1.model
-                        ? normalizeRelationMode(getRelationType(Related1.model, nestedRel))
-                        : 'hasMany';
-                    const form = N.form(Form.make(), {
-                        basePath: base,
-                        parentSlug: slug,
-                        parentId: childId1,
-                        relationship: nestedRel,
-                        parentRecord: child1,
-                        related: Related2,
-                        mode: nestedMode,
-                        chain: [{ slug, recordId: id, relationship: rel }],
-                    });
-                    if (Related2.model) {
-                        if (!form.getSave())
-                            form.save(modelSave(Related2.model));
-                        if (!form.getLoadRecord())
-                            form.loadRecord(modelLoadRecord(Related2));
-                    }
-                    // Polymorphic morph-column auto-injection mirrors the depth-1
-                    // create handler — uses Related1 (the leaf parent's owner) as
-                    // the morph source on the leaf relation.
-                    if (nestedMode === 'morphMany' && Related1.model) {
-                        const morphDesc = getMorphRelationDescriptor(Related1.model, nestedRel);
-                        if (!morphDesc) {
-                            res.status(500);
-                            const msg = `Nested manager ${N.name}: relations[${JSON.stringify(nestedRel)}] reports a polymorphic type but is missing morphName.`;
-                            return json ? res.json({ ok: false, error: msg }) : res.send(msg);
-                        }
-                        const morphPayload = computeMorphPayload(child1, morphDesc);
-                        const existing = form.getMutateDataBeforeCreate();
-                        form.mutateDataBeforeCreate(async (data, ctx) => {
-                            const next = existing ? await existing(data, ctx) : data;
-                            return { ...next, ...morphPayload };
-                        });
-                    }
-                    const formCtx = {
-                        values,
-                        basePath: base,
-                        parent: child1,
-                        parentId: childId1,
-                        relationship: nestedRel,
-                    };
-                    const result = await dispatchFormSubmit(form, values, formCtx);
-                    if (!result.ok) {
-                        if (json) {
-                            res.status(422);
-                            return res.json({ ok: false, errors: result.errors });
-                        }
-                        const data = await relationManagerData(pilotiq, {
-                            kind: 'nested-relation-create', slug,
-                            chain: buildChain(id, childId1),
-                            prefill: { values, errors: result.errors ?? {} },
-                        }, req);
-                        res.status(422);
-                        return view('pilotiq.nested-relation-create', data ?? {});
-                    }
-                    const redirect = normalizeRedirect(result.redirect, base) ?? listUrl;
-                    if (json) {
-                        return res.json({
-                            ok: true, redirect,
-                            ...(result.notifications && result.notifications.length > 0 ? { notifications: result.notifications } : {}),
-                        });
-                    }
-                    flashNotifications(req, result.notifications);
-                    return res.redirect(redirect, 303);
-                    // `createUrl` referenced above is intentionally unused on
-                    // success — kept for parity with the depth-1 path's prefill
-                    // re-render shape if a future caller wants to redirect to it.
-                    void createUrl;
-                });
-                // ── View ──
-                router.get(`${nestedBase}/:childId2`, async (req, res) => {
-                    const json = wantsJson(req);
-                    const id = req.params['id'];
-                    const childId1 = req.params['childId'];
-                    const childId2 = req.params['childId2'];
-                    if (childId2 === 'create') {
-                        res.status(404);
-                        return res.send('Not found');
-                    }
-                    const data = await relationManagerData(pilotiq, {
-                        kind: 'nested-relation-view', slug,
-                        chain: buildChain(id, childId1),
-                        childId: childId2,
-                    }, req);
-                    if (data === null) {
-                        res.status(404);
-                        return res.send('Not found');
-                    }
-                    if ('ok' in data && data.ok === false)
-                        return forbidden(res, json);
-                    return view('pilotiq.nested-relation-view', data);
-                });
-                // ── Edit (GET) ──
-                router.get(`${nestedBase}/:childId2/edit`, async (req, res) => {
-                    const json = wantsJson(req);
-                    const id = req.params['id'];
-                    const childId1 = req.params['childId'];
-                    const childId2 = req.params['childId2'];
-                    const data = await relationManagerData(pilotiq, {
-                        kind: 'nested-relation-edit', slug,
-                        chain: buildChain(id, childId1),
-                        childId: childId2,
-                    }, req);
-                    if (data === null) {
-                        res.status(404);
-                        return res.send('Not found');
-                    }
-                    if ('ok' in data && data.ok === false)
-                        return forbidden(res, json);
-                    return view('pilotiq.nested-relation-edit', data);
-                });
-                // ── Edit (POST) ──
-                router.post(`${nestedBase}/:childId2/edit`, async (req, res) => {
-                    const json = wantsJson(req);
-                    const id = req.params['id'];
-                    const childId1 = req.params['childId'];
-                    const childId2 = req.params['childId2'];
-                    // Replay the chain to verify auth, IDOR, load child1+child2.
-                    const pre = await relationManagerData(pilotiq, {
-                        kind: 'nested-relation-edit', slug,
-                        chain: buildChain(id, childId1),
-                        childId: childId2,
-                    }, req);
-                    if (pre === null) {
-                        res.status(404);
-                        return res.send('Not found');
-                    }
-                    if ('ok' in pre && pre.ok === false)
-                        return forbidden(res, json);
-                    const Related1 = findRelatedResource(M, R, cfg);
-                    if (!Related1) {
-                        res.status(500);
-                        const msg = `Nested manager ${N.name}: cannot resolve middle Resource for edit`;
-                        return json ? res.json({ ok: false, error: msg }) : res.send(msg);
-                    }
-                    const Related2 = findRelatedResource(N, Related1, cfg);
-                    if (!Related2?.model) {
-                        res.status(500);
-                        const msg = `Nested manager ${N.name}: cannot resolve related Resource for edit`;
-                        return json ? res.json({ ok: false, error: msg }) : res.send(msg);
-                    }
-                    const user = await pilotiq.resolveUser(req);
-                    const child1 = await findRecord(Related1, childId1, { user }).catch(() => undefined);
-                    if (!child1) {
-                        res.status(404);
-                        return res.send('Not found');
-                    }
-                    const child2 = await findRecord(Related2, childId2, { user }).catch(() => undefined);
-                    if (!child2) {
-                        res.status(404);
-                        return res.send('Not found');
-                    }
-                    const body = await readFormBody(req);
-                    const { values } = splitMeta(body);
-                    const editUrl = `${nestedBase}/${childId2}/edit`.replace(':id', id).replace(':childId', childId1);
-                    const nestedMode = Related1.model
-                        ? normalizeRelationMode(getRelationType(Related1.model, nestedRel))
-                        : 'hasMany';
-                    const form = N.form(Form.make(), {
-                        basePath: base,
-                        parentSlug: slug,
-                        parentId: childId1,
-                        relationship: nestedRel,
-                        parentRecord: child1,
-                        related: Related2,
-                        mode: nestedMode,
-                        chain: [{ slug, recordId: id, relationship: rel }],
-                    });
-                    if (!form.getSave())
-                        form.save(modelSave(Related2.model));
-                    if (!form.getLoadRecord())
-                        form.loadRecord(modelLoadRecord(Related2));
-                    if (nestedMode === 'morphMany' && Related1.model) {
-                        const morphDesc = getMorphRelationDescriptor(Related1.model, nestedRel);
-                        if (morphDesc) {
-                            const morphPayload = computeMorphPayload(child1, morphDesc);
-                            const existing = form.getMutateDataBeforeUpdate();
-                            form.mutateDataBeforeUpdate(async (data, ctx) => {
-                                const next = existing ? await existing(data, ctx) : data;
-                                return { ...next, ...morphPayload };
-                            });
-                        }
-                    }
-                    const formCtx = {
-                        values,
-                        basePath: base,
-                        record: child2,
-                        parent: child1,
-                        parentId: childId1,
-                        relationship: nestedRel,
-                    };
-                    const result = await dispatchFormSubmit(form, values, formCtx);
-                    if (!result.ok) {
-                        if (json) {
-                            res.status(422);
-                            return res.json({ ok: false, errors: result.errors });
-                        }
-                        const data = await relationManagerData(pilotiq, {
-                            kind: 'nested-relation-edit', slug,
-                            chain: buildChain(id, childId1),
-                            childId: childId2,
-                            prefill: { values, errors: result.errors ?? {} },
-                        }, req);
-                        res.status(422);
-                        return view('pilotiq.nested-relation-edit', data ?? {});
-                    }
-                    const redirect = normalizeRedirect(result.redirect, base) ?? editUrl;
-                    if (json) {
-                        return res.json({
-                            ok: true, redirect,
-                            ...(result.notifications && result.notifications.length > 0 ? { notifications: result.notifications } : {}),
-                        });
-                    }
-                    flashNotifications(req, result.notifications);
-                    return res.redirect(redirect, 303);
-                });
-                // ── Delete ──
-                router.post(`${nestedBase}/:childId2/delete`, async (req, res) => {
-                    const json = wantsJson(req);
-                    const id = req.params['id'];
-                    const childId1 = req.params['childId'];
-                    const childId2 = req.params['childId2'];
-                    // Replay the chain to verify auth + IDOR + load child2.
-                    // We piggy-back on the edit scope's checks (canEdit on the
-                    // leaf manager — same gate the depth-1 delete uses today via
-                    // the relation-edit scope).
-                    const pre = await relationManagerData(pilotiq, {
-                        kind: 'nested-relation-edit', slug,
-                        chain: buildChain(id, childId1),
-                        childId: childId2,
-                    }, req);
-                    if (pre === null) {
-                        res.status(404);
-                        return res.send('Not found');
-                    }
-                    if ('ok' in pre && pre.ok === false)
-                        return forbidden(res, json);
-                    const Related1 = findRelatedResource(M, R, cfg);
-                    if (!Related1) {
-                        res.status(500);
-                        const msg = `Nested manager ${N.name}: cannot resolve middle Resource for delete`;
-                        return json ? res.json({ ok: false, error: msg }) : res.send(msg);
-                    }
-                    const Related2 = findRelatedResource(N, Related1, cfg);
-                    if (!Related2?.model) {
-                        res.status(500);
-                        const msg = `Nested manager ${N.name}: cannot resolve related Resource for delete`;
-                        return json ? res.json({ ok: false, error: msg }) : res.send(msg);
-                    }
-                    const user = await pilotiq.resolveUser(req);
-                    const child1 = await findRecord(Related1, childId1, { user }).catch(() => undefined);
-                    if (!child1) {
-                        res.status(404);
-                        return res.send('Not found');
-                    }
-                    const child2 = await findRecord(Related2, childId2, { user }).catch(() => undefined);
-                    if (!child2) {
-                        res.status(404);
-                        return res.send('Not found');
-                    }
-                    if (!await safeManagerPolicy(N, 'canDelete', Related2, user, child1, child2))
-                        return forbidden(res, json);
-                    const listUrl = nestedBase.replace(':id', id).replace(':childId', childId1);
-                    try {
-                        await Related2.model.delete(childId2);
-                    }
-                    catch (err) {
-                        const message = err instanceof Error ? err.message : 'Delete failed';
-                        res.status(500);
-                        return json ? res.json({ ok: false, error: message }) : res.send(message);
-                    }
-                    if (json) {
-                        const notifications = [
-                            { id: `n-nrdelete-${childId2}-${Date.now()}`, type: 'success', title: `${N.getLabelSingular()} deleted` },
-                        ];
-                        return res.json({ ok: true, redirect: listUrl, notifications });
-                    }
-                    return res.redirect(listUrl, 303);
-                });
-                // ── Phase B follow-up — nested action / detach / soft-delete ──
-                // Mirror the depth-1 manager surface (`_action`, `_detach`,
-                // `restore`, `force-delete`) under the nested manager. Auth +
-                // chain IDOR centralized in `resolveRelationChain`; each route
-                // layers its own scope-specific gate (canDetach / canRestore /
-                // canForceDelete; the action route mirrors depth-1 by not adding
-                // an extra manager-level gate beyond the chain walk).
-                const nestedChainSlug = slug;
-                const requireNestedChain = async (req, res, json) => {
-                    const id = req.params['id'];
-                    const child1Id = req.params['childId'];
-                    const user = await pilotiq.resolveUser(req);
-                    const resolved = await resolveRelationChain(pilotiq, {
-                        kind: 'nested-relation-list',
-                        slug: nestedChainSlug,
-                        chain: [
-                            { recordId: id, relationship: rel },
-                            { recordId: child1Id, relationship: nestedRel },
-                        ],
-                    }, user);
-                    if (resolved === null) {
-                        res.status(404);
-                        res.send('Not found');
-                        return undefined;
-                    }
-                    if ('ok' in resolved) {
-                        forbidden(res, json);
-                        return undefined;
-                    }
-                    return { user, resolved, parentId: id, child1Id };
-                };
-                // Listing URL (filled per request — `:id` / `:childId` get baked
-                // in once the params are known). All four routes redirect here
-                // on success so users land back on the nested-relation list.
-                const nestedListUrlFor = (id, child1Id) => nestedBase.replace(':id', id).replace(':childId', child1Id);
-                // ── Action dispatch — POST ${nestedBase}/_action/:actionName ──
-                // Resolves N's table elements, finds the named action, dispatches
-                // it with `ctx.relation = { parent: child1, parentId, rel }` so
-                // M2M handlers on the nested manager can call accessor methods.
-                // Handler-style actions are useful on hasMany too — mounted
-                // unconditionally.
-                router.post(`${nestedBase}/_action/:actionName`, async (req, res) => {
-                    const json = wantsJson(req);
-                    const pre = await requireNestedChain(req, res, json);
-                    if (!pre)
-                        return;
-                    const { resolved } = pre;
-                    const { Related1, child1, M2, Related2, child2Mode } = resolved;
-                    const actionName = req.params['actionName'];
-                    const body = await readFormBody(req);
-                    const input = parseActionBody(body);
-                    // Manager ctx for N — same shape `nestedManagerCtx` builds for
-                    // the data-builder side, so factories that close over `ctx`
-                    // (URL templates, mode-aware visibility) see the same view as
-                    // at page render.
-                    const nestedManagerCtxObj = {
-                        basePath: base,
-                        parentSlug: resolved.R.getSlug(),
-                        parentId: pre.child1Id, // immediate parent of N = child1
-                        relationship: nestedRel,
-                        parentRecord: child1,
-                        related: Related2,
-                        mode: child2Mode,
-                        chain: [{
-                                slug: resolved.R.getSlug(),
-                                recordId: pre.parentId,
-                                relationship: rel,
-                            }],
-                    };
-                    const table = M2.table(Table.make(), nestedManagerCtxObj);
-                    const elements = [table];
-                    const listUrl = nestedListUrlFor(pre.parentId, pre.child1Id);
-                    tagActionDispatch(elements, listUrl);
-                    const target = resolveDispatchTarget(elements, actionName);
-                    if (!target) {
-                        if (json) {
-                            res.status(404);
-                            return res.json({ ok: false, error: `Action "${actionName}" not found` });
-                        }
-                        res.status(404);
-                        return res.send(`Action "${actionName}" not found on ${M2.name}`);
-                    }
-                    const resolveRecord = Related2?.model
-                        ? (id) => Related2.model.find(id)
-                        : undefined;
-                    const result = await dispatchAction(target.action, {
-                        ...input,
-                        request: req,
-                        user: pre.user,
-                        relation: { parent: child1, parentId: pre.child1Id, relationship: nestedRel },
-                        ...(target.rowField ? { rowField: target.rowField } : {}),
-                        ...(target.formSchema ? { formSchema: target.formSchema } : {}),
-                    }, resolveRecord);
-                    if (!result.ok) {
-                        if (json) {
-                            res.status(result.errors ? 422 : 500);
-                            return res.json({ ok: false, error: result.error, ...(result.errors ? { errors: result.errors } : {}) });
-                        }
-                        res.status(500);
-                        return res.send(result.error);
-                    }
-                    const redirect = normalizeRedirect(result.redirect, base) ?? listUrl;
-                    if (json) {
-                        return res.json({
-                            ok: true,
-                            redirect,
-                            ...(result.notifications ? { notifications: result.notifications } : {}),
-                        });
-                    }
-                    flashNotifications(req, result.notifications);
-                    return res.redirect(redirect, 303);
-                });
-                // ── Detach — POST ${nestedBase}/:childId2/_detach ──
-                // M2M-only direct row-detach. IDOR-checks the grandchild against
-                // child1.related(nestedRel), then calls accessor.detach. Mirrors
-                // the depth-1 detach route at line 1955.
-                router.post(`${nestedBase}/:childId2/_detach`, async (req, res) => {
-                    const json = wantsJson(req);
-                    const pre = await requireNestedChain(req, res, json);
-                    if (!pre)
-                        return;
-                    const childId2 = req.params['childId2'];
-                    const { resolved } = pre;
-                    const { Related1, child1, M2, Related2, child2Mode } = resolved;
-                    if (child2Mode !== 'belongsToMany' && child2Mode !== 'morphToMany' && child2Mode !== 'morphedByMany') {
-                        res.status(404);
-                        const msg = 'Detach is only supported on M2M relations (belongsToMany, morphToMany, morphedByMany)';
-                        return json ? res.json({ ok: false, error: msg }) : res.send(msg);
-                    }
-                    // IDOR: confirm child2 is currently attached to child1 under
-                    // nestedRel. Read-side accessor (`child1.related(nestedRel)`)
-                    // returns a deferred QueryBuilder; we never bypass it.
-                    const readSide = child1
-                        ?.related?.(nestedRel);
-                    if (!readSide) {
-                        res.status(500);
-                        const msg = `child1.related("${nestedRel}") missing — wrong relation type or ORM version?`;
-                        return json ? res.json({ ok: false, error: msg }) : res.send(msg);
-                    }
-                    let child2 = undefined;
-                    try {
-                        if (typeof readSide.paginate === 'function') {
-                            const pk = Related2?.model ? getPrimaryKey(Related2.model) : 'id';
-                            const out = await readSide.where(pk, '=', childId2).paginate(1, 1);
-                            child2 = Array.isArray(out.data) ? out.data[0] : undefined;
-                        }
-                    }
-                    catch { /* fall through */ }
-                    if (child2 === undefined) {
-                        res.status(404);
-                        return res.send('Not found');
-                    }
-                    if (!await safeManagerPolicy(M2, 'canDetach', Related2, pre.user, child1, child2))
-                        return forbidden(res, json);
-                    // Real ORM: child1[nestedRel]() returns the pivot accessor
-                    // with attach/detach/sync. Test stubs may collapse onto
-                    // `child1.related(nestedRel)` — try both.
-                    let writeAccessor;
-                    const inst = child1[nestedRel];
-                    if (typeof inst === 'function') {
-                        try {
-                            const out = inst.call(child1);
-                            if (out && typeof out.detach === 'function')
-                                writeAccessor = out;
-                        }
-                        catch { /* fall through */ }
-                    }
-                    if (!writeAccessor && typeof readSide.detach === 'function') {
-                        writeAccessor = readSide;
-                    }
-                    if (!writeAccessor) {
-                        res.status(500);
-                        const msg = `Pivot accessor missing on ${nestedRel} — wrong relation type or ORM version?`;
-                        return json ? res.json({ ok: false, error: msg }) : res.send(msg);
-                    }
-                    try {
-                        await writeAccessor.detach([childId2]);
-                    }
-                    catch (err) {
-                        const message = err instanceof Error ? err.message : 'Detach failed';
-                        res.status(500);
-                        return json ? res.json({ ok: false, error: message }) : res.send(message);
-                    }
-                    const listUrl = nestedListUrlFor(pre.parentId, pre.child1Id);
-                    if (json) {
-                        const notifications = [
-                            { id: `n-nrdetach-${childId2}-${Date.now()}`, type: 'success', title: `${M2.getLabelSingular()} detached` },
-                        ];
-                        return res.json({ ok: true, redirect: listUrl, notifications });
-                    }
-                    return res.redirect(listUrl, 303);
-                });
-                // ── Soft-delete: restore + force-delete ───────────────────────
-                // Opt in only when Related2 has `softDeletes = true` AND its
-                // model carries `restore` / `forceDelete`. Mirrors the depth-1
-                // routes at line 1804+. IDOR runs against child1.related(nestedRel)
-                // broadened with `withTrashed()` so trashed grandchildren resolve.
-                const Related1ForSoft = findRelatedResource(M, R, cfg);
-                const Related2ForSoft = Related1ForSoft ? findRelatedResource(N, Related1ForSoft, cfg) : undefined;
-                if (Related2ForSoft?.softDeletes) {
-                    const RM2 = Related2ForSoft.model;
-                    if (!RM2) {
-                        throw new Error(`[Pilotiq] Nested RelationManager ${N.name} on ${M.name} (${R.name}): related Resource ${Related2ForSoft.name} has softDeletes = true but no model. ` +
-                            `Wire one up or unset softDeletes.`);
-                    }
-                    if (typeof RM2.restore !== 'function' || typeof RM2.forceDelete !== 'function') {
-                        throw new Error(`[Pilotiq] Nested RelationManager ${N.name} on ${M.name} (${R.name}): related Resource ${Related2ForSoft.name} has softDeletes = true but model.restore / model.forceDelete are missing. ` +
-                            `Set Model.softDeletes = true on the rudder side, or upgrade @rudderjs/orm.`);
-                    }
-                    // Like the depth-1 helper: load the grandchild via the parent's
-                    // relation query, broadened with `withTrashed()`. Returns
-                    // undefined when the lookup misses or the grandchild doesn't
-                    // belong to child1 under nestedRel.
-                    const loadTrashableGrandchild = async (parentChild, child2Id) => {
-                        const pk = (RM2.primaryKey ?? 'id');
-                        try {
-                            const q = parentChild.related(nestedRel);
-                            const broadened = typeof q.withTrashed === 'function' ? q.withTrashed() : q;
-                            const result = await broadened.where(pk, '=', child2Id).paginate(1, 1);
-                            return Array.isArray(result.data) ? result.data[0] : undefined;
-                        }
-                        catch {
-                            return undefined;
-                        }
-                    };
-                    // Restore — POST ${nestedBase}/:childId2/restore
-                    router.post(`${nestedBase}/:childId2/restore`, async (req, res) => {
-                        const json = wantsJson(req);
-                        const pre = await requireNestedChain(req, res, json);
-                        if (!pre)
-                            return;
-                        const childId2 = req.params['childId2'];
-                        const child2 = await loadTrashableGrandchild(pre.resolved.child1, childId2);
-                        if (!child2) {
-                            res.status(404);
-                            return res.send('Not found');
-                        }
-                        if (!await safeManagerPolicy(N, 'canRestore', Related2ForSoft, pre.user, pre.resolved.child1, child2))
-                            return forbidden(res, json);
-                        const listUrl = nestedListUrlFor(pre.parentId, pre.child1Id);
-                        try {
-                            await RM2.restore(childId2);
-                        }
-                        catch (err) {
-                            const message = err instanceof Error ? err.message : 'Restore failed';
-                            res.status(500);
-                            return json ? res.json({ ok: false, error: message }) : res.send(message);
-                        }
-                        if (json) {
-                            const notifications = [
-                                { id: `n-nrrestore-${childId2}-${Date.now()}`, type: 'success', title: `${N.getLabelSingular()} restored` },
-                            ];
-                            return res.json({ ok: true, redirect: listUrl, notifications });
-                        }
-                        return res.redirect(listUrl, 303);
-                    });
-                    // Force-delete — POST ${nestedBase}/:childId2/force-delete
-                    router.post(`${nestedBase}/:childId2/force-delete`, async (req, res) => {
-                        const json = wantsJson(req);
-                        const pre = await requireNestedChain(req, res, json);
-                        if (!pre)
-                            return;
-                        const childId2 = req.params['childId2'];
-                        const child2 = await loadTrashableGrandchild(pre.resolved.child1, childId2);
-                        if (!child2) {
-                            res.status(404);
-                            return res.send('Not found');
-                        }
-                        if (!await safeManagerPolicy(N, 'canForceDelete', Related2ForSoft, pre.user, pre.resolved.child1, child2))
-                            return forbidden(res, json);
-                        const listUrl = nestedListUrlFor(pre.parentId, pre.child1Id);
-                        try {
-                            await RM2.forceDelete(childId2);
-                        }
-                        catch (err) {
-                            const message = err instanceof Error ? err.message : 'Force-delete failed';
-                            res.status(500);
-                            return json ? res.json({ ok: false, error: message }) : res.send(message);
-                        }
-                        if (json) {
-                            const notifications = [
-                                { id: `n-nrforce-${childId2}-${Date.now()}`, type: 'success', title: `${N.getLabelSingular()} permanently deleted` },
-                            ];
-                            return res.json({ ok: true, redirect: listUrl, notifications });
-                        }
-                        return res.redirect(listUrl, 303);
-                    });
-                }
-            }
-        }
-        // ── Record sub-pages ───────────────────────────────
-        // `${resourceBase}/:id/${subSlug}` — same URL slot as a relation
-        // manager's `relationship`, distinguished by registry: the data
-        // builder tries the relation lookup first, then falls through to
-        // the record sub-page map. Boot-time validation ensures the slugs
-        // don't collide.
-        for (const [subPageSlug, SubPage] of Object.entries(R.getRecordPages())) {
-            void SubPage; // referenced inside `resourceRecordPageData` via the registry; the local binding is captured for closure-stable types only.
-            const recordPageUrl = `${resourceBase}/:id/${subPageSlug}`;
-            router.get(recordPageUrl, async (req, res) => {
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(R, user))
-                    return forbidden(res, wantsJson(req));
-                const recordId = req.params['id'];
-                const data = await resourceRecordPageData(pilotiq, slug, recordId, subPageSlug, req);
-                if (data === null) {
-                    res.status(404);
-                    return res.send('Not found');
-                }
-                if ('ok' in data && data.ok === false)
-                    return forbidden(res, wantsJson(req));
-                return view('pilotiq.slug', data);
-            });
-        }
+        registerResourceRoutes(router, pilotiq, R, base, {
+            reorderable: reorderEnabled.has(R.getSlug()),
+            editable: editableEnabled.has(R.getSlug()),
+        });
     }
     // ── Globals (singletons — 2-segment, no /:id) ────────
+    // Pulled out 2026-05-12 (Phase 3 of the routes.ts split).
     for (const G of cfg.globals) {
-        const slug = G.getSlug();
-        const editUrl = globalBasePath(base, G);
-        const pages = G.resolvePages();
-        if (pages.edit) {
-            const PageClass = pages.edit;
-            // Plan #5 partial-resolve endpoint for the global's edit form.
-            // POST ${editUrl}/_form/:formId/state
-            router.post(`${editUrl}/_form/:formId/state`, async (req, res) => {
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(G, user))
-                    return forbidden(res, true);
-                if (!await checkPolicy(() => G.canEdit(user, undefined)))
-                    return forbidden(res, true);
-                const formId = req.params['formId'];
-                return handleFormState(req, res, pilotiq, { kind: 'global-edit', slug }, formId);
-            });
-            // Plan #8 wizard step-validate endpoint for the global's edit form.
-            router.post(`${editUrl}/_form/:formId/wizard`, async (req, res) => {
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(G, user))
-                    return forbidden(res, true);
-                if (!await checkPolicy(() => G.canEdit(user, undefined)))
-                    return forbidden(res, true);
-                const formId = req.params['formId'];
-                return handleFormWizard(req, res, pilotiq, { kind: 'global-edit', slug }, formId);
-            });
-            // Async-mention endpoint for the global's edit form.
-            router.post(`${editUrl}/_form/:formId/mentions`, async (req, res) => {
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(G, user))
-                    return forbidden(res, true);
-                if (!await checkPolicy(() => G.canEdit(user, undefined)))
-                    return forbidden(res, true);
-                const formId = req.params['formId'];
-                return handleFormMentions(req, res, pilotiq, { kind: 'global-edit', slug }, formId);
-            });
-            // SelectField inline-create modal endpoint for the global's edit form.
-            router.post(`${editUrl}/_form/:formId/create-option/:fieldName`, async (req, res) => {
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(G, user))
-                    return forbidden(res, true);
-                if (!await checkPolicy(() => G.canEdit(user, undefined)))
-                    return forbidden(res, true);
-                const formId = req.params['formId'];
-                const fieldName = req.params['fieldName'];
-                return handleFormCreateOption(req, res, pilotiq, { kind: 'global-edit', slug }, formId, fieldName);
-            });
-            router.get(editUrl, async (req, res) => {
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(G, user))
-                    return forbidden(res, wantsJson(req));
-                // Globals carry their record on the singleton form's `loadRecord`;
-                // we don't pre-load here — pass a stub so canEdit's signature is
-                // honored, and let user code decide whether to consult it.
-                if (!await checkPolicy(() => G.canEdit(user, undefined)))
-                    return forbidden(res, wantsJson(req));
-                const data = await globalEditData(pilotiq, slug, undefined, req);
-                return view('pilotiq.slug', data ?? {});
-            });
-            router.post(editUrl, async (req, res) => {
-                const body = await readFormBody(req);
-                const { values, formId } = splitMeta(body);
-                const json = wantsJson(req);
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(G, user))
-                    return forbidden(res, json);
-                if (!await checkPolicy(() => G.canEdit(user, undefined)))
-                    return forbidden(res, json);
-                const ctx = { mode: 'edit', basePath: base, ...(user !== null ? { user: user } : {}) };
-                const elements = await callPageSchema(PageClass, ctx);
-                tagFormActions(elements, editUrl);
-                const form = selectForm(findForms(elements), formId);
-                if (!form) {
-                    if (json) {
-                        res.status(404);
-                        return res.json({ ok: false, error: 'No form found on page' });
-                    }
-                    res.status(404);
-                    return res.send('No form found on page');
-                }
-                // Provide the existing singleton record to the lifecycle context
-                // so cross-field validators / mutateData see prior state.
-                let record = undefined;
-                if (form.getLoadRecord()) {
-                    try {
-                        record = await form.getLoadRecord()('', { values });
-                    }
-                    catch { /* ignore */ }
-                }
-                const result = await dispatchFormSubmit(form, values, record !== undefined ? { values, record, basePath: base } : { values, basePath: base });
-                if (!result.ok) {
-                    if (json) {
-                        res.status(422);
-                        return res.json({ ok: false, errors: result.errors });
-                    }
-                    const data = await globalEditData(pilotiq, slug, { values, errors: result.errors });
-                    res.status(422);
-                    return view('pilotiq.slug', data ?? {});
-                }
-                const redirect = normalizeRedirect(result.redirect, base) ?? editUrl;
-                if (json) {
-                    return res.json({
-                        ok: true,
-                        redirect,
-                        ...(result.notifications && result.notifications.length > 0 ? { notifications: result.notifications } : {}),
-                    });
-                }
-                flashNotifications(req, result.notifications);
-                return res.redirect(redirect, 303);
-            });
-        }
-        // Optional view page when the user opts in via pages().view
-        if (pages.view) {
-            router.get(`${editUrl}/view`, async (req, res) => {
-                const user = await pilotiq.resolveUser(req);
-                if (!await policyAccess(G, user))
-                    return forbidden(res, wantsJson(req));
-                if (!await checkPolicy(() => G.canView(user, undefined)))
-                    return forbidden(res, wantsJson(req));
-                const data = await globalViewData(pilotiq, slug, req);
-                return view('pilotiq.resource-view', data ?? {});
-            });
-        }
+        registerGlobalRoutes(router, pilotiq, G, base);
     }
     // ── Custom pages (2-segment, slug route) ──────────────
+    // Pulled out 2026-05-12 (Phase 3 of the routes.ts split).
     for (const PageClass of cfg.pages) {
-        // Plan #15 — the dashboard page lives at `${base}` (handled by the
-        // dashboard route above), so skip it here to avoid registering a
-        // duplicate `${pageUrl}` route or a broken `${base}/` (when
-        // `slug = ''`).
+        // The dashboard page lives at `${base}` (panel routes handle it);
+        // skip it here so we don't register a duplicate `${pageUrl}` route
+        // or a broken `${base}/` (when `slug = ''`).
         if (cfg.dashboardPage === PageClass)
             continue;
-        const pageSlug = PageClass.getSlug();
-        const pageUrl = pageBasePath(base, PageClass);
-        // Plan #15 — per-page widget polling endpoint. Mirrors the
-        // panel-scope `${base}/_widget/:id` but resolves the custom page's
-        // schema instead of the dashboard's.
-        router.post(`${pageUrl}/_widget/:id`, async (req, res) => {
-            const user = await pilotiq.resolveUser(req);
-            if (!await policyAccess(PageClass, user))
-                return forbidden(res, true);
-            return handleWidgetData(req, res, pilotiq, { kind: 'page', pageSlug }, req.params['id']);
-        });
-        // Plan #5 partial-resolve endpoint for custom pages with reactive forms.
-        // POST ${base}/${pageSlug}/_form/:formId/state
-        router.post(`${pageUrl}/_form/:formId/state`, async (req, res) => {
-            const user = await pilotiq.resolveUser(req);
-            if (!await policyAccess(PageClass, user))
-                return forbidden(res, true);
-            const formId = req.params['formId'];
-            return handleFormState(req, res, pilotiq, { kind: 'page', pageSlug }, formId);
-        });
-        // Plan #8 wizard step-validate endpoint for custom pages.
-        router.post(`${pageUrl}/_form/:formId/wizard`, async (req, res) => {
-            const user = await pilotiq.resolveUser(req);
-            if (!await policyAccess(PageClass, user))
-                return forbidden(res, true);
-            const formId = req.params['formId'];
-            return handleFormWizard(req, res, pilotiq, { kind: 'page', pageSlug }, formId);
-        });
-        // Async-mention endpoint for custom pages.
-        router.post(`${pageUrl}/_form/:formId/mentions`, async (req, res) => {
-            const user = await pilotiq.resolveUser(req);
-            if (!await policyAccess(PageClass, user))
-                return forbidden(res, true);
-            const formId = req.params['formId'];
-            return handleFormMentions(req, res, pilotiq, { kind: 'page', pageSlug }, formId);
-        });
-        // SelectField inline-create modal endpoint for custom pages.
-        router.post(`${pageUrl}/_form/:formId/create-option/:fieldName`, async (req, res) => {
-            const user = await pilotiq.resolveUser(req);
-            if (!await policyAccess(PageClass, user))
-                return forbidden(res, true);
-            const formId = req.params['formId'];
-            const fieldName = req.params['fieldName'];
-            return handleFormCreateOption(req, res, pilotiq, { kind: 'page', pageSlug }, formId, fieldName);
-        });
-        router.get(pageUrl, async (req, res) => {
-            const user = await pilotiq.resolveUser(req);
-            if (!await policyAccess(PageClass, user))
-                return forbidden(res, wantsJson(req));
-            const data = await customPageData(pilotiq, pageSlug, req);
-            return view('pilotiq.slug', data ?? {});
-        });
-        // Action dispatch — POST ${base}/${pageSlug}/_action/:actionName
-        router.post(`${pageUrl}/_action/:actionName`, async (req, res) => {
-            const user = await pilotiq.resolveUser(req);
-            if (!await policyAccess(PageClass, user))
-                return forbidden(res, wantsJson(req));
-            const actionName = req.params['actionName'];
-            const json = wantsJson(req);
-            const body = await readFormBody(req);
-            const input = parseActionBody(body);
-            const ctx = user !== null ? { user: user } : {};
-            const elements = await callPageSchema(PageClass, ctx);
-            tagActionDispatch(elements, pageUrl);
-            const target = resolveDispatchTarget(elements, actionName);
-            if (!target) {
-                if (json) {
-                    res.status(404);
-                    return res.json({ ok: false, error: `Action "${actionName}" not found` });
-                }
-                res.status(404);
-                return res.send(`Action "${actionName}" not found on page`);
-            }
-            const result = await dispatchAction(target.action, {
-                ...input,
-                request: req,
-                user,
-                ...(target.rowField ? { rowField: target.rowField } : {}),
-                ...(target.formSchema ? { formSchema: target.formSchema } : {}),
-            });
-            if (!result.ok) {
-                if (json) {
-                    res.status(result.errors ? 422 : 500);
-                    return res.json({ ok: false, error: result.error, ...(result.errors ? { errors: result.errors } : {}) });
-                }
-                res.status(500);
-                return res.send(result.error);
-            }
-            if (result.download)
-                return sendDownload(res, result.download);
-            const redirect = normalizeRedirect(result.redirect, base) ?? pageUrl;
-            if (json) {
-                return res.json({
-                    ok: true,
-                    redirect,
-                    ...(result.notifications ? { notifications: result.notifications } : {}),
-                });
-            }
-            flashNotifications(req, result.notifications);
-            return res.redirect(redirect, 303);
-        });
-        // Custom pages can also accept submits when their schema includes a Form.
-        router.post(pageUrl, async (req, res) => {
-            const body = await readFormBody(req);
-            const { values, formId } = splitMeta(body);
-            const json = wantsJson(req);
-            const user = await pilotiq.resolveUser(req);
-            if (!await policyAccess(PageClass, user))
-                return forbidden(res, json);
-            const ctx = user !== null ? { user: user } : {};
-            const elements = await callPageSchema(PageClass, ctx);
-            tagFormActions(elements, pageUrl);
-            const form = selectForm(findForms(elements), formId);
-            if (!form) {
-                if (json) {
-                    res.status(404);
-                    return res.json({ ok: false, error: 'No form found on page' });
-                }
-                res.status(404);
-                return res.send('No form found on page');
-            }
-            const result = await dispatchFormSubmit(form, values, { values, basePath: base });
-            if (!result.ok) {
-                if (json) {
-                    res.status(422);
-                    return res.json({ ok: false, errors: result.errors });
-                }
-                form.withValues(values).withErrors(result.errors);
-                const schemaData = await resolveSchema(elements, ctx);
-                res.status(422);
-                return view('pilotiq.slug', {
-                    pageType: 'page',
-                    panel: await panelInfo(pilotiq, req),
-                    page: PageClass.toMeta(),
-                    schemaData,
-                    basePath: base,
-                    layout: cfg.layout,
-                    hasErrors: true,
-                });
-            }
-            const redirect = normalizeRedirect(result.redirect, base) ?? pageUrl;
-            if (json) {
-                return res.json({
-                    ok: true,
-                    redirect,
-                    ...(result.notifications && result.notifications.length > 0 ? { notifications: result.notifications } : {}),
-                });
-            }
-            flashNotifications(req, result.notifications);
-            return res.redirect(redirect, 303);
-        });
+        registerCustomPageRoutes(router, pilotiq, PageClass, base);
     }
     // ── Theme editor ──────────────────────────────────────
+    // Pulled out 2026-05-12 (Phase 3 of the routes.ts split).
     if (cfg.themeEditor) {
-        router.get(`${base}/theme`, async (req) => {
-            return view('pilotiq.theme', {
-                panel: await panelInfo(pilotiq, req),
-                basePath: base,
-                layout: cfg.layout,
-                themeConfig: pilotiq.getMergedTheme() ?? {},
-            });
-        });
-        router.get(`${base}/api/_theme`, async (_req, res) => {
-            let overrides = null;
-            try {
-                const { app } = await import(/* @vite-ignore */ '@rudderjs/core');
-                const prisma = app().make('prisma');
-                const slug = `${cfg.name}__theme`;
-                const row = await prisma.panelGlobal.findUnique({ where: { slug } });
-                if (row?.data) {
-                    const raw = typeof row.data === 'string' ? JSON.parse(row.data) : row.data;
-                    overrides = migrateThemeOverrides(raw);
-                }
-            }
-            catch { /* no DB or no table — that's fine */ }
-            return res.json({
-                config: cfg.theme ?? {},
-                overrides: overrides ?? {},
-                options: {
-                    presets: Object.keys(presets),
-                    baseColors: Object.keys(baseColors),
-                    themeColors: ['base', ...HUE_NAMES],
-                    chartColors: ['base', ...HUE_NAMES],
-                    radii: Object.keys(radiusMap),
-                    iconLibraries: ['lucide', 'tabler', 'phosphor', 'remix'],
-                },
-            });
-        });
-        router.put(`${base}/api/_theme`, async (req, res) => {
-            try {
-                const overrides = req.body;
-                const { app } = await import(/* @vite-ignore */ '@rudderjs/core');
-                const prisma = app().make('prisma');
-                const slug = `${cfg.name}__theme`;
-                await prisma.panelGlobal.upsert({
-                    where: { slug },
-                    update: { data: JSON.stringify(overrides) },
-                    create: { slug, data: JSON.stringify(overrides) },
-                });
-                pilotiq.setThemeOverrides(overrides);
-                return res.json({ ok: true });
-            }
-            catch (e) {
-                return res.status(500).json({ message: e instanceof Error ? e.message : 'Failed to save theme' });
-            }
-        });
-        router.delete(`${base}/api/_theme`, async (_req, res) => {
-            try {
-                const { app } = await import(/* @vite-ignore */ '@rudderjs/core');
-                const prisma = app().make('prisma');
-                const slug = `${cfg.name}__theme`;
-                await prisma.panelGlobal.delete({ where: { slug } }).catch(() => { });
-                pilotiq.setThemeOverrides(undefined);
-            }
-            catch { /* ignore */ }
-            return res.json({ ok: true });
-        });
+        registerThemeRoutes(router, pilotiq, base);
     }
     // Plugin route hook — runs AFTER all core routes register so plugins
     // can mount their own HTTP surface alongside the panel's. Order