@zenithbuild/cli 0.7.4 → 0.7.5

package/dist/resource-response.js

@@ -0,0 +1,71 @@
+import { appLocalRedirectLocation } from './base-path.js';
+import { buildAttachmentContentDisposition, decodeDownloadResultBody } from './download-result.js';
+import { clientFacingRouteMessage, defaultRouteDenyMessage } from './server-error.js';
+function serializeJsonBody(payload) {
+    return JSON.stringify(payload);
+}
+export function buildResourceResponseDescriptor(result, basePath = '/', setCookies = []) {
+    if (!result || typeof result !== 'object') {
+        return {
+            status: 500,
+            headers: { 'Content-Type': 'text/plain; charset=utf-8' },
+            body: defaultRouteDenyMessage(500),
+            setCookies
+        };
+    }
+    if (result.kind === 'redirect') {
+        return {
+            status: Number.isInteger(result.status) ? result.status : 302,
+            headers: {
+                Location: appLocalRedirectLocation(result.location, basePath),
+                'Cache-Control': 'no-store'
+            },
+            body: '',
+            setCookies
+        };
+    }
+    if (result.kind === 'deny') {
+        const status = Number.isInteger(result.status) ? result.status : 403;
+        return {
+            status,
+            headers: { 'Content-Type': 'text/plain; charset=utf-8' },
+            body: clientFacingRouteMessage(status, result.message),
+            setCookies
+        };
+    }
+    if (result.kind === 'json') {
+        return {
+            status: Number.isInteger(result.status) ? result.status : 200,
+            headers: { 'Content-Type': 'application/json; charset=utf-8' },
+            body: serializeJsonBody(result.data),
+            setCookies
+        };
+    }
+    if (result.kind === 'text') {
+        return {
+            status: Number.isInteger(result.status) ? result.status : 200,
+            headers: { 'Content-Type': 'text/plain; charset=utf-8' },
+            body: result.body,
+            setCookies
+        };
+    }
+    if (result.kind === 'download') {
+        const body = decodeDownloadResultBody(result, 'resource download response');
+        return {
+            status: 200,
+            headers: {
+                'Content-Type': result.contentType,
+                'Content-Disposition': buildAttachmentContentDisposition(result.filename),
+                'Content-Length': String(body.byteLength)
+            },
+            body,
+            setCookies
+        };
+    }
+    return {
+        status: 500,
+        headers: { 'Content-Type': 'text/plain; charset=utf-8' },
+        body: defaultRouteDenyMessage(500),
+        setCookies
+    };
+}

package/dist/resource-route-module.d.ts

@@ -0,0 +1,15 @@
+export function isResourceRouteFile(fileName: any): boolean;
+export function resourceRouteFileToRoute(filePath: any, root: any): string;
+export function analyzeResourceRouteModule(fullPath: any, root: any): {
+    path: string;
+    file: string;
+    path_kind: string;
+    render_mode: string;
+    route_kind: string;
+    params: string[];
+    server_script: string;
+    server_script_path: any;
+    has_guard: boolean;
+    has_load: boolean;
+    has_action: boolean;
+};

package/dist/resource-route-module.js

@@ -0,0 +1,129 @@
+import { readFileSync } from 'node:fs';
+import { relative, sep } from 'node:path';
+const RESOURCE_EXTENSIONS = ['.resource.ts', '.resource.js', '.resource.mts', '.resource.cts', '.resource.mjs', '.resource.cjs'];
+const FORBIDDEN_RESOURCE_EXPORT_RE = /\bexport\s+const\s+(?:data|prerender|exportPaths|ssr_data|props|ssr)\b/;
+function readSingleExport(source, name) {
+    const fnMatch = source.match(new RegExp(`\\bexport\\s+(?:async\\s+)?function\\s+${name}\\s*\\(([^)]*)\\)`));
+    const constParenMatch = source.match(new RegExp(`\\bexport\\s+const\\s+${name}\\s*=\\s*(?:async\\s*)?\\(([^)]*)\\)\\s*=>`));
+    const constSingleArgMatch = source.match(new RegExp(`\\bexport\\s+const\\s+${name}\\s*=\\s*(?:async\\s*)?([a-zA-Z_$][a-zA-Z0-9_$]*)\\s*=>`));
+    const matchCount = Number(Boolean(fnMatch)) +
+        Number(Boolean(constParenMatch)) +
+        Number(Boolean(constSingleArgMatch));
+    return {
+        fnMatch,
+        constParenMatch,
+        constSingleArgMatch,
+        hasExport: matchCount > 0,
+        matchCount
+    };
+}
+function assertSingleCtxArg(sourceFile, name, exportMatch) {
+    const singleArg = String(exportMatch.constSingleArgMatch?.[1] || '').trim();
+    const paramsText = String((exportMatch.fnMatch || exportMatch.constParenMatch)?.[1] || '').trim();
+    const arity = singleArg ? 1 : paramsText.length === 0 ? 0 : paramsText.split(',').length;
+    if (arity !== 1) {
+        throw new Error(`Zenith resource route contract violation:\n` +
+            `  File: ${sourceFile}\n` +
+            `  Reason: ${name}(ctx) must accept exactly one argument\n` +
+            `  Example: export async function ${name}(ctx) { ... }`);
+    }
+}
+function segmentsToRoute(segments) {
+    const routeSegments = segments.map((seg) => {
+        const optionalCatchAllMatch = seg.match(/^\[\[\.\.\.([a-zA-Z_][a-zA-Z0-9_]*)\]\]$/);
+        if (optionalCatchAllMatch) {
+            return `*${optionalCatchAllMatch[1]}?`;
+        }
+        const catchAllMatch = seg.match(/^\[\.\.\.([a-zA-Z_][a-zA-Z0-9_]*)\]$/);
+        if (catchAllMatch) {
+            return `*${catchAllMatch[1]}`;
+        }
+        const paramMatch = seg.match(/^\[([a-zA-Z_][a-zA-Z0-9_]*)\]$/);
+        if (paramMatch) {
+            return `:${paramMatch[1]}`;
+        }
+        return seg;
+    });
+    if (routeSegments.length > 0) {
+        const last = routeSegments[routeSegments.length - 1];
+        if (last === 'index' || last === 'page') {
+            routeSegments.pop();
+        }
+    }
+    return `/${routeSegments.join('/')}`;
+}
+export function isResourceRouteFile(fileName) {
+    return RESOURCE_EXTENSIONS.some((extension) => fileName.endsWith(extension));
+}
+export function resourceRouteFileToRoute(filePath, root) {
+    const rel = relative(root, filePath);
+    const extension = RESOURCE_EXTENSIONS.find((candidate) => rel.endsWith(candidate));
+    if (!extension) {
+        throw new Error(`[Zenith CLI] Resource route "${filePath}" does not use a supported .resource.* extension.`);
+    }
+    const withoutExt = rel.slice(0, -extension.length);
+    const segments = withoutExt.split(sep).filter(Boolean);
+    const route = segmentsToRoute(segments);
+    return route === '/' ? '/' : route.replace(/\/+/g, '/');
+}
+export function analyzeResourceRouteModule(fullPath, root) {
+    const source = readFileSync(fullPath, 'utf8').trim();
+    if (!source) {
+        throw new Error(`Zenith resource route contract violation:\n` +
+            `  File: ${fullPath}\n` +
+            `  Reason: resource route module is empty\n` +
+            `  Example: export async function load(ctx) { return ctx.json({ ok: true }); }`);
+    }
+    if (FORBIDDEN_RESOURCE_EXPORT_RE.test(source)) {
+        throw new Error(`Zenith resource route contract violation:\n` +
+            `  File: ${fullPath}\n` +
+            `  Reason: resource routes may only export guard(ctx), load(ctx), and action(ctx)\n` +
+            `  Example: remove page-only exports such as data/prerender/exportPaths`);
+    }
+    const guardExport = readSingleExport(source, 'guard');
+    const loadExport = readSingleExport(source, 'load');
+    const actionExport = readSingleExport(source, 'action');
+    for (const [name, exportMatch] of [
+        ['guard', guardExport],
+        ['load', loadExport],
+        ['action', actionExport]
+    ]) {
+        if (exportMatch.matchCount > 1) {
+            throw new Error(`Zenith resource route contract violation:\n` +
+                `  File: ${fullPath}\n` +
+                `  Reason: multiple ${name} exports detected\n` +
+                `  Example: keep exactly one export for ${name}(ctx)`);
+        }
+        if (exportMatch.hasExport) {
+            assertSingleCtxArg(fullPath, name, exportMatch);
+        }
+    }
+    if (!loadExport.hasExport && !actionExport.hasExport) {
+        throw new Error(`Zenith resource route contract violation:\n` +
+            `  File: ${fullPath}\n` +
+            `  Reason: resource routes must export load(ctx), action(ctx), or both\n` +
+            `  Example: export async function load(ctx) { return ctx.text('ok'); }`);
+    }
+    return {
+        path: resourceRouteFileToRoute(fullPath, root),
+        file: relative(root, fullPath).replaceAll('\\', '/'),
+        path_kind: resourceRouteFileToRoute(fullPath, root).split('/').some((segment) => segment.startsWith(':') || segment.startsWith('*'))
+            ? 'dynamic'
+            : 'static',
+        render_mode: 'server',
+        route_kind: 'resource',
+        params: resourceRouteFileToRoute(fullPath, root)
+            .split('/')
+            .filter(Boolean)
+            .filter((segment) => segment.startsWith(':') || segment.startsWith('*'))
+            .map((segment) => {
+            const raw = segment.slice(1);
+            return raw.endsWith('?') ? raw.slice(0, -1) : raw;
+        }),
+        server_script: source,
+        server_script_path: fullPath,
+        has_guard: guardExport.hasExport,
+        has_load: loadExport.hasExport,
+        has_action: actionExport.hasExport
+    };
+}

package/dist/route-check-support.js

@@ -1,4 +1,4 @@
-const ROUTE_CHECK_UNSUPPORTED_TARGETS = new Set(['vercel', 'netlify']);
+const ROUTE_CHECK_UNSUPPORTED_TARGETS = new Set(['vercel', 'netlify', 'static-export']);
 export function supportsTargetRouteCheck(target) {
     return !ROUTE_CHECK_UNSUPPORTED_TARGETS.has(String(target || '').trim());
 }

package/dist/server-contract.d.ts

@@ -20,32 +20,40 @@ export function invalid(payload: any, status?: number): {
     data: any;
     status: number;
 };
-export function validateServerExports({ exports, filePath }: {
+export function json(payload: any, status?: number): {
+    kind: string;
+    data: any;
+    status: number;
+};
+export function text(body: any, status?: number): {
+    kind: string;
+    body: string;
+    status: number;
+};
+export function download(body: any, options?: {}): {
+    kind: string;
+    body: any;
+    bodyEncoding: string;
+    bodySize: number;
+    filename: string;
+    contentType: string;
+    status: number;
+};
+export function validateServerExports({ exports, filePath, routeKind }: {
     exports: any;
     filePath: any;
+    routeKind?: string | undefined;
 }): void;
 export function assertJsonSerializable(value: any, where?: string): void;
-export function resolveRouteResult({ exports, ctx, filePath, guardOnly }: {
+export function resolveRouteResult({ exports, ctx, filePath, guardOnly, routeKind }: {
     exports: any;
     ctx: any;
     filePath: any;
     guardOnly?: boolean | undefined;
+    routeKind?: string | undefined;
 }): Promise<{
     result: any;
-    trace: {
-        guard: string;
-        action: string;
-        load: string;
-    };
-    status?: undefined;
-} | {
-    result: any;
-    trace: {
-        guard: string;
-        action: string;
-        load: string;
-    };
-    status: number | undefined;
+    trace: any;
 }>;
 export function resolveServerPayload({ exports, ctx, filePath }: {
     exports: any;

package/dist/server-contract.js

@@ -1,10 +1,12 @@
 // server-contract.js — Zenith CLI V0
 // ---------------------------------------------------------------------------
 // Shared validation and payload resolution logic for <script server> blocks.
-const NEW_KEYS = new Set(['data', 'load', 'guard', 'action', 'prerender']);
-const LEGACY_KEYS = new Set(['ssr_data', 'props', 'ssr', 'prerender']);
-const ALLOWED_KEYS = new Set(['data', 'load', 'guard', 'action', 'prerender', 'ssr_data', 'props', 'ssr']);
-const ROUTE_RESULT_KINDS = new Set(['allow', 'redirect', 'deny', 'data', 'invalid']);
+import { assertValidDownloadResult, createDownloadResult } from './download-result.js';
+const ALLOWED_KEYS = new Set(['data', 'load', 'guard', 'action', 'prerender', 'exportPaths', 'ssr_data', 'props', 'ssr']);
+const RESOURCE_ALLOWED_KEYS = new Set(['load', 'guard', 'action']);
+const ROUTE_RESULT_KINDS = new Set(['allow', 'redirect', 'deny', 'data', 'invalid', 'json', 'text', 'download']);
+const AUTH_CONTROL_FLOW_FLAG = '__zenith_auth_control_flow';
+const STAGED_SET_COOKIES_KEY = '__zenith_staged_set_cookies';
 export function allow() {
     return { kind: 'allow' };
 }
@@ -32,6 +34,23 @@ export function invalid(payload, status = 400) {
         status: Number.isInteger(status) ? status : 400
     };
 }
+export function json(payload, status = 200) {
+    return {
+        kind: 'json',
+        data: payload,
+        status: Number.isInteger(status) ? status : 200
+    };
+}
+export function text(body, status = 200) {
+    return {
+        kind: 'text',
+        body: typeof body === 'string' ? body : String(body ?? ''),
+        status: Number.isInteger(status) ? status : 200
+    };
+}
+export function download(body, options = {}) {
+    return createDownloadResult(body, options);
+}
 function isRouteResultLike(value) {
     if (!value || typeof value !== 'object' || Array.isArray(value)) {
         return false;
@@ -69,6 +88,17 @@ function assertValidRouteResultShape(value, where, allowedKinds) {
             throw new Error(`[Zenith] ${where}: invalid status must be 400 or 422.`);
         }
     }
+    if (kind === 'json' || kind === 'text') {
+        if (!Number.isInteger(value.status) || value.status < 200 || value.status > 599 || (value.status >= 300 && value.status <= 399)) {
+            throw new Error(`[Zenith] ${where}: ${kind} status must be an integer between 200-599 and may not be 3xx.`);
+        }
+        if (kind === 'text' && typeof value.body !== 'string') {
+            throw new Error(`[Zenith] ${where}: text body must be a string.`);
+        }
+    }
+    if (kind === 'download') {
+        assertValidDownloadResult(value, where);
+    }
 }
 function assertOneArgRouteFunction({ filePath, exportName, value }) {
     if (typeof value !== 'function') {
@@ -103,9 +133,43 @@ function buildActionState(result) {
     }
     return null;
 }
-export function validateServerExports({ exports, filePath }) {
+function unwrapAuthControlFlow(error, where, allowedKinds) {
+    if (!error || typeof error !== 'object' || error[AUTH_CONTROL_FLOW_FLAG] !== true) {
+        return null;
+    }
+    const result = error.result;
+    assertValidRouteResultShape(result, where, allowedKinds);
+    return result;
+}
+async function invokeRouteStage({ fn, ctx, where, allowedKinds }) {
+    try {
+        return await fn(ctx);
+    }
+    catch (error) {
+        const authResult = unwrapAuthControlFlow(error, where, allowedKinds);
+        if (authResult) {
+            return authResult;
+        }
+        throw error;
+    }
+}
+function buildResolvedEnvelope({ result, trace, status, ctx }) {
+    const envelope = { result, trace };
+    if (status !== undefined) {
+        envelope.status = status;
+    }
+    const setCookies = Array.isArray(ctx?.[STAGED_SET_COOKIES_KEY])
+        ? ctx[STAGED_SET_COOKIES_KEY].slice()
+        : [];
+    if (setCookies.length > 0) {
+        envelope.setCookies = setCookies;
+    }
+    return envelope;
+}
+export function validateServerExports({ exports, filePath, routeKind = 'page' }) {
     const exportKeys = Object.keys(exports);
-    const illegalKeys = exportKeys.filter(k => !ALLOWED_KEYS.has(k));
+    const allowedKeys = routeKind === 'resource' ? RESOURCE_ALLOWED_KEYS : ALLOWED_KEYS;
+    const illegalKeys = exportKeys.filter(k => !allowedKeys.has(k));
     if (illegalKeys.length > 0) {
         throw new Error(`[Zenith] ${filePath}: illegal export(s): ${illegalKeys.join(', ')}`);
     }
@@ -115,15 +179,28 @@ export function validateServerExports({ exports, filePath }) {
     const hasAction = 'action' in exports;
     const hasNew = hasData || hasLoad || hasAction;
     const hasLegacy = ('ssr_data' in exports) || ('props' in exports) || ('ssr' in exports);
+    if (routeKind === 'resource') {
+        if (hasData) {
+            throw new Error(`[Zenith] ${filePath}: resource routes may not export "data". Use load(ctx) or action(ctx) with ctx.json()/ctx.text().`);
+        }
+        if (!hasLoad && !hasAction) {
+            throw new Error(`[Zenith] ${filePath}: resource routes must export load(ctx), action(ctx), or both.`);
+        }
+    }
     if (hasData && hasLoad) {
         throw new Error(`[Zenith] ${filePath}: cannot export both "data" and "load". Choose one.`);
     }
-    if (hasNew && hasLegacy) {
+    if (routeKind === 'page' && hasNew && hasLegacy) {
         throw new Error(`[Zenith] ${filePath}: cannot mix new ("data"/"load") with legacy ("ssr_data"/"props"/"ssr") exports.`);
     }
-    if ('prerender' in exports && typeof exports.prerender !== 'boolean') {
+    if (routeKind === 'page' && 'prerender' in exports && typeof exports.prerender !== 'boolean') {
         throw new Error(`[Zenith] ${filePath}: "prerender" must be a boolean.`);
     }
+    if (routeKind === 'page' && 'exportPaths' in exports) {
+        if (!Array.isArray(exports.exportPaths) || exports.exportPaths.some((value) => typeof value !== 'string')) {
+            throw new Error(`[Zenith] ${filePath}: "exportPaths" must be an array of string pathnames.`);
+        }
+    }
     if (hasLoad) {
         assertOneArgRouteFunction({ filePath, exportName: 'load', value: exports.load });
     }
@@ -185,8 +262,11 @@ export function assertJsonSerializable(value, where = 'payload') {
     }
     walk(value, '$');
 }
-export async function resolveRouteResult({ exports, ctx, filePath, guardOnly = false }) {
-    validateServerExports({ exports, filePath });
+export async function resolveRouteResult({ exports, ctx, filePath, guardOnly = false, routeKind = 'page' }) {
+    validateServerExports({ exports, filePath, routeKind });
+    if (routeKind === 'resource') {
+        return resolveResourceRouteResult({ exports, ctx, filePath, guardOnly });
+    }
     const trace = {
         guard: 'none',
         action: 'none',
@@ -199,7 +279,12 @@ export async function resolveRouteResult({ exports, ctx, filePath, guardOnly = f
         ctx.action = null;
     }
     if ('guard' in exports) {
-        const guardRaw = await exports.guard(ctx);
+        const guardRaw = await invokeRouteStage({
+            fn: exports.guard,
+            ctx,
+            where: `${filePath}: guard(ctx)`,
+            allowedKinds: new Set(['allow', 'redirect', 'deny'])
+        });
         const guardResult = guardRaw == null ? allow() : guardRaw;
         if (guardResult.kind === 'data') {
             throw new Error(`[Zenith] ${filePath}: guard(ctx) returned data(payload) which is a critical invariant violation. guard() can only return allow(), redirect(), or deny(). Use load(ctx) for data injection.`);
@@ -207,14 +292,19 @@ export async function resolveRouteResult({ exports, ctx, filePath, guardOnly = f
         assertValidRouteResultShape(guardResult, `${filePath}: guard(ctx) return`, new Set(['allow', 'redirect', 'deny']));
         trace.guard = guardResult.kind;
         if (guardResult.kind === 'redirect' || guardResult.kind === 'deny') {
-            return { result: guardResult, trace };
+            return buildResolvedEnvelope({ result: guardResult, trace, ctx });
         }
     }
     if (guardOnly) {
-        return { result: allow(), trace };
+        return buildResolvedEnvelope({ result: allow(), trace, ctx });
     }
     if (isActionRequest && 'action' in exports) {
-        const actionRaw = await exports.action(ctx);
+        const actionRaw = await invokeRouteStage({
+            fn: exports.action,
+            ctx,
+            where: `${filePath}: action(ctx)`,
+            allowedKinds: new Set(['data', 'invalid', 'redirect', 'deny'])
+        });
         let actionResult = null;
         if (isRouteResultLike(actionRaw)) {
             actionResult = actionRaw;
@@ -229,7 +319,7 @@ export async function resolveRouteResult({ exports, ctx, filePath, guardOnly = f
         }
         trace.action = actionResult.kind;
         if (actionResult.kind === 'redirect' || actionResult.kind === 'deny') {
-            return { result: actionResult, trace };
+            return buildResolvedEnvelope({ result: actionResult, trace, ctx });
         }
         const actionState = buildActionState(actionResult);
         if (ctx && typeof ctx === 'object') {
@@ -241,7 +331,12 @@ export async function resolveRouteResult({ exports, ctx, filePath, guardOnly = f
     }
     let payload;
     if ('load' in exports) {
-        const loadRaw = await exports.load(ctx);
+        const loadRaw = await invokeRouteStage({
+            fn: exports.load,
+            ctx,
+            where: `${filePath}: load(ctx)`,
+            allowedKinds: new Set(['data', 'redirect', 'deny'])
+        });
         let loadResult = null;
         if (isRouteResultLike(loadRaw)) {
             loadResult = loadRaw;
@@ -252,42 +347,139 @@ export async function resolveRouteResult({ exports, ctx, filePath, guardOnly = f
             loadResult = data(loadRaw);
         }
         trace.load = loadResult.kind;
-        return { result: loadResult, trace, status: loadResult.kind === 'data' ? responseStatus : undefined };
+        return buildResolvedEnvelope({
+            result: loadResult,
+            trace,
+            status: loadResult.kind === 'data' ? responseStatus : undefined,
+            ctx
+        });
     }
     if ('data' in exports) {
         payload = exports.data;
         assertJsonSerializable(payload, `${filePath}: data export`);
         trace.load = 'data';
-        return { result: data(payload), trace, status: responseStatus };
+        return buildResolvedEnvelope({ result: data(payload), trace, status: responseStatus, ctx });
     }
     // legacy fallback
     if ('ssr_data' in exports) {
         payload = exports.ssr_data;
         assertJsonSerializable(payload, `${filePath}: ssr_data export`);
         trace.load = 'data';
-        return { result: data(payload), trace, status: responseStatus };
+        return buildResolvedEnvelope({ result: data(payload), trace, status: responseStatus, ctx });
     }
     if ('props' in exports) {
         payload = exports.props;
         assertJsonSerializable(payload, `${filePath}: props export`);
         trace.load = 'data';
-        return { result: data(payload), trace, status: responseStatus };
+        return buildResolvedEnvelope({ result: data(payload), trace, status: responseStatus, ctx });
     }
     if ('ssr' in exports) {
         payload = exports.ssr;
         assertJsonSerializable(payload, `${filePath}: ssr export`);
         trace.load = 'data';
-        return { result: data(payload), trace, status: responseStatus };
+        return buildResolvedEnvelope({ result: data(payload), trace, status: responseStatus, ctx });
     }
     if (isActionRequest && ctx?.action) {
         trace.load = 'data';
-        return {
+        return buildResolvedEnvelope({
             result: data({ action: ctx.action }),
             trace,
-            status: responseStatus
-        };
+            status: responseStatus,
+            ctx
+        });
+    }
+    return buildResolvedEnvelope({ result: data({}), trace, status: responseStatus, ctx });
+}
+async function resolveResourceRouteResult({ exports, ctx, filePath, guardOnly = false }) {
+    const trace = {
+        guard: 'none',
+        action: 'none',
+        load: 'none'
+    };
+    const requestMethod = String(ctx?.method || ctx?.request?.method || 'GET').toUpperCase();
+    if (ctx && typeof ctx === 'object') {
+        ctx.action = null;
     }
-    return { result: data({}), trace, status: responseStatus };
+    if ('guard' in exports) {
+        const guardRaw = await invokeRouteStage({
+            fn: exports.guard,
+            ctx,
+            where: `${filePath}: guard(ctx)`,
+            allowedKinds: new Set(['allow', 'redirect', 'deny'])
+        });
+        const guardResult = guardRaw == null ? allow() : guardRaw;
+        assertValidRouteResultShape(guardResult, `${filePath}: guard(ctx) return`, new Set(['allow', 'redirect', 'deny']));
+        trace.guard = guardResult.kind;
+        if (guardResult.kind === 'redirect' || guardResult.kind === 'deny') {
+            return buildResolvedEnvelope({ result: guardResult, trace, ctx });
+        }
+    }
+    if (guardOnly) {
+        return buildResolvedEnvelope({ result: allow(), trace, ctx });
+    }
+    if (requestMethod === 'GET' || requestMethod === 'HEAD') {
+        if (!('load' in exports)) {
+            trace.load = 'text';
+            return buildResolvedEnvelope({ result: text('Method Not Allowed', 405), trace, status: 405, ctx });
+        }
+        const loadResult = await resolveResourceStage({
+            exports,
+            exportName: 'load',
+            ctx,
+            filePath,
+            trace,
+            traceKey: 'load'
+        });
+        return buildResolvedEnvelope({
+            result: loadResult,
+            trace,
+            status: loadResult.status,
+            ctx
+        });
+    }
+    if (requestMethod === 'POST') {
+        if (!('action' in exports)) {
+            trace.action = 'text';
+            return buildResolvedEnvelope({ result: text('Method Not Allowed', 405), trace, status: 405, ctx });
+        }
+        const actionResult = await resolveResourceStage({
+            exports,
+            exportName: 'action',
+            ctx,
+            filePath,
+            trace,
+            traceKey: 'action'
+        });
+        return buildResolvedEnvelope({
+            result: actionResult,
+            trace,
+            status: actionResult.status,
+            ctx
+        });
+    }
+    return buildResolvedEnvelope({
+        result: text('Method Not Allowed', 405),
+        trace,
+        status: 405,
+        ctx
+    });
+}
+async function resolveResourceStage({ exports, exportName, ctx, filePath, trace, traceKey }) {
+    const raw = await invokeRouteStage({
+        fn: exports[exportName],
+        ctx,
+        where: `${filePath}: ${exportName}(ctx)`,
+        allowedKinds: new Set(['json', 'text', 'download', 'redirect', 'deny'])
+    });
+    if (!isRouteResultLike(raw)) {
+        throw new Error(`[Zenith] ${filePath}: ${exportName}(ctx) on a resource route must return json(...), text(...), download(...), redirect(...), or deny(...).`);
+    }
+    assertValidRouteResultShape(raw, `${filePath}: ${exportName}(ctx) return`, new Set(['json', 'text', 'download', 'redirect', 'deny']));
+    if (raw.kind === 'json') {
+        assertJsonSerializable(raw.data, `${filePath}: ${exportName}(ctx) return`);
+    }
+    trace[traceKey] = raw.kind;
+    return raw;
 }
 export async function resolveServerPayload({ exports, ctx, filePath }) {
     const resolved = await resolveRouteResult({ exports, ctx, filePath });

package/dist/server-error.d.ts

@@ -1,4 +1,4 @@
-export function defaultRouteDenyMessage(status: any): "Unauthorized" | "Forbidden" | "Not Found" | "Internal Server Error";
+export function defaultRouteDenyMessage(status: any): "Unauthorized" | "Forbidden" | "Not Found" | "Method Not Allowed" | "Internal Server Error";
 export function clientFacingRouteMessage(status: any, message: any): string;
 export function sanitizeRouteResult(result: any): any;
 export function logServerException(scope: any, error: any): void;

package/dist/server-error.js

@@ -5,6 +5,8 @@ export function defaultRouteDenyMessage(status) {
         return 'Forbidden';
     if (status === 404)
         return 'Not Found';
+    if (status === 405)
+        return 'Method Not Allowed';
     return 'Internal Server Error';
 }
 export function clientFacingRouteMessage(status, message) {

package/dist/server-output.d.ts

@@ -9,6 +9,7 @@ export function writeServerOutput({ coreOutputDir, staticDir, projectRoot, confi
     routes: {
         name: any;
         path: any;
+        route_kind: any;
         output: any;
         base_path: string;
         page_asset: any;
@@ -21,7 +22,7 @@ export function writeServerOutput({ coreOutputDir, staticDir, projectRoot, confi
         has_guard: boolean;
         has_load: boolean;
         has_action: boolean;
-        params: string[];
+        params: any[];
         image_manifest_file: string | null;
         image_config: any;
     }[];