@zenithbuild/cli 0.7.5 → 0.7.7

package/dist/preview/server-runner.d.ts

@@ -0,0 +1,49 @@
+/**
+ * @param {{ source: string, sourcePath: string, params: Record<string, string>, requestUrl?: string, requestMethod?: string, requestHeaders?: Record<string, string | string[] | undefined>, requestBodyBuffer?: Buffer | null, routePattern?: string, routeFile?: string, routeId?: string, routeKind?: 'page' | 'resource' }} input
+ * @returns {Promise<{ result: { kind: string, [key: string]: unknown }, trace: { guard: string, action: string, load: string }, status?: number, setCookies?: string[] }>}
+ */
+export function executeServerRoute({ source, sourcePath, params, requestUrl, requestMethod, requestHeaders, requestBodyBuffer, routePattern, routeFile, routeId, routeKind, guardOnly }: {
+    source: string;
+    sourcePath: string;
+    params: Record<string, string>;
+    requestUrl?: string;
+    requestMethod?: string;
+    requestHeaders?: Record<string, string | string[] | undefined>;
+    requestBodyBuffer?: Buffer | null;
+    routePattern?: string;
+    routeFile?: string;
+    routeId?: string;
+    routeKind?: "page" | "resource";
+}): Promise<{
+    result: {
+        kind: string;
+        [key: string]: unknown;
+    };
+    trace: {
+        guard: string;
+        action: string;
+        load: string;
+    };
+    status?: number;
+    setCookies?: string[];
+}>;
+/**
+ * @param {{ source: string, sourcePath: string, params: Record<string, string>, requestUrl?: string, requestMethod?: string, requestHeaders?: Record<string, string | string[] | undefined>, routePattern?: string, routeFile?: string, routeId?: string }} input
+ * @returns {Promise<Record<string, unknown> | null>}
+ */
+export function executeServerScript(input: {
+    source: string;
+    sourcePath: string;
+    params: Record<string, string>;
+    requestUrl?: string;
+    requestMethod?: string;
+    requestHeaders?: Record<string, string | string[] | undefined>;
+    routePattern?: string;
+    routeFile?: string;
+    routeId?: string;
+}): Promise<Record<string, unknown> | null>;
+/**
+ * @param {string} sourcePath
+ * @returns {string}
+ */
+export function routeIdFromSourcePath(sourcePath: string): string;

package/dist/preview/server-runner.js

@@ -0,0 +1,220 @@
+import { spawn } from 'node:child_process';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { clientFacingRouteMessage, defaultRouteDenyMessage } from '../server-error.js';
+import { SERVER_SCRIPT_RUNNER } from './server-script-runner-template.js';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+/**
+ * @param {{ source: string, sourcePath: string, params: Record<string, string>, requestUrl?: string, requestMethod?: string, requestHeaders?: Record<string, string | string[] | undefined>, requestBodyBuffer?: Buffer | null, routePattern?: string, routeFile?: string, routeId?: string, routeKind?: 'page' | 'resource' }} input
+ * @returns {Promise<{ result: { kind: string, [key: string]: unknown }, trace: { guard: string, action: string, load: string }, status?: number, setCookies?: string[] }>}
+ */
+export async function executeServerRoute({ source, sourcePath, params, requestUrl, requestMethod, requestHeaders, requestBodyBuffer, routePattern, routeFile, routeId, routeKind = 'page', guardOnly = false }) {
+    if (!source || !String(source).trim()) {
+        return {
+            result: { kind: 'data', data: {} },
+            trace: { guard: 'none', action: 'none', load: 'none' }
+        };
+    }
+    const payload = await spawnNodeServerRunner({
+        source,
+        sourcePath,
+        params,
+        requestUrl: requestUrl || 'http://localhost/',
+        requestMethod: requestMethod || 'GET',
+        requestHeaders: sanitizeRequestHeaders(requestHeaders || {}),
+        requestBodyBuffer: Buffer.isBuffer(requestBodyBuffer) ? requestBodyBuffer : null,
+        routePattern: routePattern || '',
+        routeFile: routeFile || sourcePath || '',
+        routeId: routeId || routeIdFromSourcePath(sourcePath || ''),
+        routeKind,
+        guardOnly
+    });
+    if (payload === null || payload === undefined) {
+        return {
+            result: { kind: 'data', data: {} },
+            trace: { guard: 'none', action: 'none', load: 'none' }
+        };
+    }
+    if (typeof payload !== 'object' || Array.isArray(payload)) {
+        throw new Error('[zenith-preview] server script payload must be an object');
+    }
+    const errorEnvelope = payload.__zenith_error;
+    if (errorEnvelope && typeof errorEnvelope === 'object') {
+        return {
+            result: {
+                kind: 'deny',
+                status: 500,
+                message: defaultRouteDenyMessage(500)
+            },
+            trace: { guard: 'none', action: 'none', load: 'deny' }
+        };
+    }
+    const result = payload.result;
+    const trace = payload.trace;
+    if (result && typeof result === 'object' && !Array.isArray(result) && typeof result.kind === 'string') {
+        return {
+            result,
+            trace: trace && typeof trace === 'object'
+                ? {
+                    guard: String(trace.guard || 'none'),
+                    action: String(trace.action || 'none'),
+                    load: String(trace.load || 'none')
+                }
+                : { guard: 'none', action: 'none', load: 'none' },
+            status: Number.isInteger(payload.status) ? payload.status : undefined,
+            setCookies: Array.isArray(payload.setCookies)
+                ? payload.setCookies.filter((value) => typeof value === 'string' && value.length > 0)
+                : []
+        };
+    }
+    return {
+        result: {
+            kind: 'data',
+            data: payload
+        },
+        trace: { guard: 'none', action: 'none', load: 'data' }
+    };
+}
+/**
+ * @param {{ source: string, sourcePath: string, params: Record<string, string>, requestUrl?: string, requestMethod?: string, requestHeaders?: Record<string, string | string[] | undefined>, routePattern?: string, routeFile?: string, routeId?: string }} input
+ * @returns {Promise<Record<string, unknown> | null>}
+ */
+export async function executeServerScript(input) {
+    const execution = await executeServerRoute(input);
+    const result = execution?.result;
+    if (!result || typeof result !== 'object') {
+        return null;
+    }
+    if (result.kind === 'data' && result.data && typeof result.data === 'object' && !Array.isArray(result.data)) {
+        return result.data;
+    }
+    if (result.kind === 'redirect') {
+        return {
+            __zenith_error: {
+                status: Number.isInteger(result.status) ? result.status : 302,
+                code: 'REDIRECT',
+                message: `Redirect to ${String(result.location || '')}`
+            }
+        };
+    }
+    if (result.kind === 'deny') {
+        const status = Number.isInteger(result.status) ? result.status : 403;
+        return {
+            __zenith_error: {
+                status,
+                code: status >= 500 ? 'LOAD_FAILED' : (status === 404 ? 'NOT_FOUND' : 'ACCESS_DENIED'),
+                message: clientFacingRouteMessage(status, result.message)
+            }
+        };
+    }
+    return {};
+}
+/**
+ * @param {{ source: string, sourcePath: string, params: Record<string, string>, requestUrl: string, requestMethod: string, requestHeaders: Record<string, string>, requestBodyBuffer?: Buffer | null, routePattern: string, routeFile: string, routeId: string, routeKind?: 'page' | 'resource' }} input
+ * @returns {Promise<unknown>}
+ */
+function spawnNodeServerRunner(input) {
+    return new Promise((resolvePromise, rejectPromise) => {
+        const child = spawn(process.execPath, ['--experimental-vm-modules', '--input-type=module', '-e', SERVER_SCRIPT_RUNNER], {
+            env: {
+                ...process.env,
+                ZENITH_SERVER_SOURCE: input.source,
+                ZENITH_SERVER_SOURCE_PATH: input.sourcePath || '',
+                ZENITH_SERVER_PARAMS: JSON.stringify(input.params || {}),
+                ZENITH_SERVER_REQUEST_URL: input.requestUrl || 'http://localhost/',
+                ZENITH_SERVER_REQUEST_METHOD: input.requestMethod || 'GET',
+                ZENITH_SERVER_REQUEST_HEADERS: JSON.stringify(input.requestHeaders || {}),
+                ZENITH_SERVER_ROUTE_PATTERN: input.routePattern || '',
+                ZENITH_SERVER_ROUTE_FILE: input.routeFile || input.sourcePath || '',
+                ZENITH_SERVER_ROUTE_ID: input.routeId || '',
+                ZENITH_SERVER_ROUTE_KIND: input.routeKind || 'page',
+                ZENITH_SERVER_GUARD_ONLY: input.guardOnly ? '1' : '',
+                ZENITH_SERVER_CONTRACT_PATH: join(__dirname, '..', 'server-contract.js'),
+                ZENITH_SERVER_ROUTE_AUTH_PATH: join(__dirname, '..', 'auth', 'route-auth.js')
+            },
+            stdio: ['pipe', 'pipe', 'pipe']
+        });
+        const runnerRequestBody = Buffer.isBuffer(input.requestBodyBuffer) ? input.requestBodyBuffer : null;
+        child.stdin.on('error', () => {
+            // ignore broken pipes when the runner exits before consuming stdin
+        });
+        child.stdin.end(runnerRequestBody && runnerRequestBody.length > 0 ? runnerRequestBody : undefined);
+        let stdout = '';
+        let stderr = '';
+        child.stdout.on('data', (chunk) => {
+            stdout += String(chunk);
+        });
+        child.stderr.on('data', (chunk) => {
+            stderr += String(chunk);
+        });
+        child.on('error', (error) => {
+            rejectPromise(error);
+        });
+        child.on('close', (code) => {
+            if (code !== 0) {
+                rejectPromise(new Error(`[zenith-preview] server script execution failed (${code}): ${stderr.trim() || stdout.trim()}`));
+                return;
+            }
+            const stderrOutput = stderr.trim();
+            const internalErrorIndex = stderrOutput.indexOf('[Zenith:Server]');
+            if (internalErrorIndex >= 0) {
+                console.error(stderrOutput.slice(internalErrorIndex).trim());
+            }
+            const raw = stdout.trim();
+            if (!raw || raw === 'null') {
+                resolvePromise(null);
+                return;
+            }
+            try {
+                resolvePromise(JSON.parse(raw));
+            }
+            catch (error) {
+                rejectPromise(new Error(`[zenith-preview] invalid server payload JSON: ${error instanceof Error ? error.message : String(error)}`));
+            }
+        });
+    });
+}
+/**
+ * @param {Record<string, string | string[] | undefined>} headers
+ * @returns {Record<string, string>}
+ */
+function sanitizeRequestHeaders(headers) {
+    const out = Object.create(null);
+    const denyExact = new Set(['proxy-authorization', 'set-cookie']);
+    const denyPrefixes = ['x-forwarded-', 'cf-'];
+    for (const [rawKey, rawValue] of Object.entries(headers || {})) {
+        const key = String(rawKey || '').toLowerCase();
+        if (!key)
+            continue;
+        if (denyExact.has(key))
+            continue;
+        if (denyPrefixes.some((prefix) => key.startsWith(prefix)))
+            continue;
+        let value = '';
+        if (Array.isArray(rawValue)) {
+            value = rawValue.filter((entry) => entry !== undefined).map(String).join(', ');
+        }
+        else if (rawValue !== undefined) {
+            value = String(rawValue);
+        }
+        out[key] = value;
+    }
+    return out;
+}
+/**
+ * @param {string} sourcePath
+ * @returns {string}
+ */
+export function routeIdFromSourcePath(sourcePath) {
+    const normalized = String(sourcePath || '').replaceAll('\\', '/');
+    const marker = '/pages/';
+    const markerIndex = normalized.lastIndexOf(marker);
+    let routeId = markerIndex >= 0
+        ? normalized.slice(markerIndex + marker.length)
+        : normalized.split('/').pop() || normalized;
+    routeId = routeId.replace(/\.zen$/i, '');
+    if (routeId.endsWith('/index')) {
+        routeId = routeId.slice(0, -('/index'.length));
+    }
+    return routeId || 'index';
+}

package/dist/preview/server-script-runner-template.d.ts

@@ -0,0 +1 @@
+export const SERVER_SCRIPT_RUNNER: string;

package/dist/preview/server-script-runner-template.js

@@ -0,0 +1,425 @@
+export const SERVER_SCRIPT_RUNNER = String.raw `
+import vm from 'node:vm';
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import { pathToFileURL, fileURLToPath } from 'node:url';
+
+const source = process.env.ZENITH_SERVER_SOURCE || '';
+const sourcePath = process.env.ZENITH_SERVER_SOURCE_PATH || '';
+const params = JSON.parse(process.env.ZENITH_SERVER_PARAMS || '{}');
+const requestUrl = process.env.ZENITH_SERVER_REQUEST_URL || 'http://localhost/';
+const requestMethod = String(process.env.ZENITH_SERVER_REQUEST_METHOD || 'GET').toUpperCase();
+const requestHeaders = JSON.parse(process.env.ZENITH_SERVER_REQUEST_HEADERS || '{}');
+const routePattern = process.env.ZENITH_SERVER_ROUTE_PATTERN || '';
+const routeFile = process.env.ZENITH_SERVER_ROUTE_FILE || sourcePath || '';
+const routeId = process.env.ZENITH_SERVER_ROUTE_ID || routePattern || '';
+const routeKind = process.env.ZENITH_SERVER_ROUTE_KIND || 'page';
+const guardOnly = process.env.ZENITH_SERVER_GUARD_ONLY === '1';
+
+if (!source.trim()) {
+  process.stdout.write('null');
+  process.exit(0);
+}
+
+let cachedTypeScript = undefined;
+async function loadTypeScript() {
+  if (cachedTypeScript !== undefined) {
+    return cachedTypeScript;
+  }
+  try {
+    const mod = await import('typescript');
+    cachedTypeScript = mod.default || mod;
+  } catch {
+    cachedTypeScript = null;
+  }
+  return cachedTypeScript;
+}
+
+async function transpileIfNeeded(filename, code) {
+  const lower = String(filename || '').toLowerCase();
+  const isTs =
+    lower.endsWith('.ts') ||
+    lower.endsWith('.tsx') ||
+    lower.endsWith('.mts') ||
+    lower.endsWith('.cts');
+  if (!isTs) {
+    return code;
+  }
+  const ts = await loadTypeScript();
+  if (!ts || typeof ts.transpileModule !== 'function') {
+    throw new Error('[zenith-preview] TypeScript is required to execute server modules that import .ts files');
+  }
+  const output = ts.transpileModule(code, {
+    fileName: filename || 'server-script.ts',
+    compilerOptions: {
+      target: ts.ScriptTarget.ES2022,
+      module: ts.ModuleKind.ESNext,
+      moduleResolution: ts.ModuleResolutionKind.NodeNext
+    },
+    reportDiagnostics: false
+  });
+  return output.outputText;
+}
+
+async function exists(filePath) {
+  try {
+    await fs.access(filePath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function resolveRelativeSpecifier(specifier, parentIdentifier) {
+  let basePath = sourcePath;
+  if (parentIdentifier && parentIdentifier.startsWith('file:')) {
+    basePath = fileURLToPath(parentIdentifier);
+  }
+
+  const baseDir = basePath ? path.dirname(basePath) : process.cwd();
+  const candidateBase = specifier.startsWith('file:')
+    ? fileURLToPath(specifier)
+    : path.resolve(baseDir, specifier);
+
+  const candidates = [];
+  if (path.extname(candidateBase)) {
+    candidates.push(candidateBase);
+  } else {
+    candidates.push(candidateBase);
+    candidates.push(candidateBase + '.ts');
+    candidates.push(candidateBase + '.tsx');
+    candidates.push(candidateBase + '.mts');
+    candidates.push(candidateBase + '.cts');
+    candidates.push(candidateBase + '.js');
+    candidates.push(candidateBase + '.mjs');
+    candidates.push(candidateBase + '.cjs');
+    candidates.push(path.join(candidateBase, 'index.ts'));
+    candidates.push(path.join(candidateBase, 'index.tsx'));
+    candidates.push(path.join(candidateBase, 'index.mts'));
+    candidates.push(path.join(candidateBase, 'index.cts'));
+    candidates.push(path.join(candidateBase, 'index.js'));
+    candidates.push(path.join(candidateBase, 'index.mjs'));
+    candidates.push(path.join(candidateBase, 'index.cjs'));
+  }
+
+  for (const candidate of candidates) {
+    if (await exists(candidate)) {
+      return pathToFileURL(candidate).href;
+    }
+  }
+
+  throw new Error(
+    '[zenith-preview] Cannot resolve server import "' + specifier + '" from "' + (basePath || '<inline>') + '"'
+  );
+}
+
+function isRelativeSpecifier(specifier) {
+  return (
+    specifier.startsWith('./') ||
+    specifier.startsWith('../') ||
+    specifier.startsWith('/') ||
+    specifier.startsWith('file:')
+  );
+}
+
+const safeRequestHeaders =
+  requestHeaders && typeof requestHeaders === 'object'
+    ? { ...requestHeaders }
+    : {};
+function parseCookies(rawCookieHeader) {
+  const out = Object.create(null);
+  const raw = String(rawCookieHeader || '');
+  if (!raw) return out;
+  const pairs = raw.split(';');
+  for (let i = 0; i < pairs.length; i++) {
+    const part = pairs[i];
+    const eq = part.indexOf('=');
+    if (eq <= 0) continue;
+    const key = part.slice(0, eq).trim();
+    if (!key) continue;
+    const value = part.slice(eq + 1).trim();
+    try {
+      out[key] = decodeURIComponent(value);
+    } catch {
+      out[key] = value;
+    }
+  }
+  return out;
+}
+const cookieHeader = typeof safeRequestHeaders.cookie === 'string'
+  ? safeRequestHeaders.cookie
+  : '';
+const requestCookies = parseCookies(cookieHeader);
+
+function ctxAllow() {
+  return { kind: 'allow' };
+}
+function ctxRedirect(location, status = 302) {
+  return {
+    kind: 'redirect',
+    location: String(location || ''),
+    status: Number.isInteger(status) ? status : 302
+  };
+}
+function ctxDeny(status = 403, message = undefined) {
+  return {
+    kind: 'deny',
+    status: Number.isInteger(status) ? status : 403,
+    message: typeof message === 'string' ? message : undefined
+  };
+}
+function ctxInvalid(payload, status = 400) {
+  return {
+    kind: 'invalid',
+    data: payload,
+    status: Number.isInteger(status) ? status : 400
+  };
+}
+function ctxData(payload) {
+  return {
+    kind: 'data',
+    data: payload
+  };
+}
+function ctxJson(payload, status = 200) {
+  return {
+    kind: 'json',
+    data: payload,
+    status: Number.isInteger(status) ? status : 200
+  };
+}
+function ctxText(body, status = 200) {
+  return {
+    kind: 'text',
+    body: typeof body === 'string' ? body : String(body ?? ''),
+    status: Number.isInteger(status) ? status : 200
+  };
+}
+
+async function readStdinBuffer() {
+  const chunks = [];
+  for await (const chunk of process.stdin) {
+    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+  }
+  return Buffer.concat(chunks);
+}
+
+const requestInit = {
+  method: requestMethod,
+  headers: new Headers(safeRequestHeaders)
+};
+const requestBodyBuffer =
+  requestMethod !== 'GET' && requestMethod !== 'HEAD'
+    ? await readStdinBuffer()
+    : Buffer.alloc(0);
+if (requestMethod !== 'GET' && requestMethod !== 'HEAD' && requestBodyBuffer.length > 0) {
+  requestInit.body = requestBodyBuffer;
+  requestInit.duplex = 'half';
+}
+const requestSnapshot = new Request(requestUrl, requestInit);
+const routeParams = { ...params };
+const routeMeta = {
+  id: routeId,
+  pattern: routePattern,
+  file: routeFile ? path.relative(process.cwd(), routeFile) : ''
+};
+const routeContext = {
+  params: routeParams,
+  url: new URL(requestUrl),
+  headers: { ...safeRequestHeaders },
+  cookies: requestCookies,
+  request: requestSnapshot,
+  method: requestMethod,
+  route: routeMeta,
+  env: {},
+  action: null,
+  allow: ctxAllow,
+  redirect: ctxRedirect,
+  deny: ctxDeny,
+  invalid: ctxInvalid,
+  data: ctxData,
+  json: ctxJson,
+  text: ctxText
+};
+
+const context = vm.createContext({
+  params: routeParams,
+  ctx: routeContext,
+  fetch: globalThis.fetch,
+  Blob: globalThis.Blob,
+  File: globalThis.File,
+  FormData: globalThis.FormData,
+  Headers: globalThis.Headers,
+  Request: globalThis.Request,
+  Response: globalThis.Response,
+  TextEncoder: globalThis.TextEncoder,
+  TextDecoder: globalThis.TextDecoder,
+  URL,
+  URLSearchParams,
+  Buffer,
+  console,
+  process,
+  setTimeout,
+  clearTimeout,
+  setInterval,
+  clearInterval
+});
+
+const moduleCache = new Map();
+const syntheticModuleCache = new Map();
+
+async function createSyntheticModule(specifier) {
+  if (syntheticModuleCache.has(specifier)) {
+    return syntheticModuleCache.get(specifier);
+  }
+
+  const ns = await import(specifier);
+  const exportNames = Object.keys(ns);
+  const module = new vm.SyntheticModule(
+    exportNames,
+    function() {
+      for (const key of exportNames) {
+        this.setExport(key, ns[key]);
+      }
+    },
+    { context }
+  );
+  await module.link(() => {
+    throw new Error(
+      '[zenith-preview] synthetic modules cannot contain nested imports: ' + specifier
+    );
+  });
+  syntheticModuleCache.set(specifier, module);
+  return module;
+}
+
+async function loadFileModule(moduleUrl) {
+  if (moduleCache.has(moduleUrl)) {
+    return moduleCache.get(moduleUrl);
+  }
+  const modulePromise = (async () => {
+    const filename = fileURLToPath(moduleUrl);
+    let code = await fs.readFile(filename, 'utf8');
+    code = await transpileIfNeeded(filename, code);
+    const module = new vm.SourceTextModule(code, {
+      context,
+      identifier: moduleUrl,
+      initializeImportMeta(meta) {
+        meta.url = moduleUrl;
+      }
+    });
+
+    await module.link((specifier, referencingModule) => {
+      return linkModule(specifier, referencingModule.identifier);
+    });
+    return module;
+  })();
+
+  moduleCache.set(moduleUrl, modulePromise);
+  try {
+    return await modulePromise;
+  } catch (error) {
+    moduleCache.delete(moduleUrl);
+    throw error;
+  }
+}
+
+async function linkModule(specifier, parentIdentifier) {
+  if (!isRelativeSpecifier(specifier)) {
+    return createSyntheticModule(specifier);
+  }
+  const resolvedUrl = await resolveRelativeSpecifier(specifier, parentIdentifier);
+  return loadFileModule(resolvedUrl);
+}
+
+const allowed = new Set(['data', 'load', 'guard', 'action', 'ssr_data', 'props', 'ssr', 'prerender', 'exportPaths']);
+const prelude = "const params = globalThis.params;\n" +
+  "const ctx = globalThis.ctx;\n" +
+  "import { download, resolveRouteResult } from 'zenith:server-contract';\n" +
+  "import { attachRouteAuth } from 'zenith:route-auth';\n" +
+  "ctx.download = download;\n" +
+  "globalThis.resolveRouteResult = resolveRouteResult;\n" +
+  "globalThis.attachRouteAuth = attachRouteAuth;\n";
+const entryIdentifier = sourcePath
+  ? pathToFileURL(sourcePath).href
+  : 'zenith:server-script';
+const entryTranspileFilename = sourcePath && sourcePath.toLowerCase().endsWith('.zen')
+  ? sourcePath.replace(/\.zen$/i, '.ts')
+  : (sourcePath || 'server-script.ts');
+
+const entryCode = await transpileIfNeeded(entryTranspileFilename, prelude + source);
+const entryModule = new vm.SourceTextModule(entryCode, {
+  context,
+  identifier: entryIdentifier,
+  initializeImportMeta(meta) {
+    meta.url = entryIdentifier;
+  }
+});
+
+moduleCache.set(entryIdentifier, entryModule);
+await entryModule.link((specifier, referencingModule) => {
+  if (specifier === 'zenith:server-contract') {
+    const defaultPath = path.join(process.cwd(), 'node_modules', '@zenithbuild', 'cli', 'src', 'server-contract.js');
+    const configuredPath = process.env.ZENITH_SERVER_CONTRACT_PATH || '';
+    const contractUrl = pathToFileURL(configuredPath || defaultPath).href;
+    if (configuredPath) {
+      return loadFileModule(contractUrl);
+    }
+    return loadFileModule(contractUrl).catch(() =>
+      loadFileModule(pathToFileURL(defaultPath).href)
+    );
+  }
+  if (specifier === 'zenith:route-auth') {
+    const defaultPath = path.join(process.cwd(), 'node_modules', '@zenithbuild', 'cli', 'src', 'auth', 'route-auth.js');
+    const configuredPath = process.env.ZENITH_SERVER_ROUTE_AUTH_PATH || '';
+    const authUrl = pathToFileURL(configuredPath || defaultPath).href;
+    if (configuredPath) {
+      return loadFileModule(authUrl);
+    }
+    return loadFileModule(authUrl).catch(() =>
+      loadFileModule(pathToFileURL(defaultPath).href)
+    );
+  }
+  return linkModule(specifier, referencingModule.identifier);
+});
+await entryModule.evaluate();
+context.attachRouteAuth(routeContext, {
+  requestUrl: routeContext.url,
+  guardOnly,
+  redirect: ctxRedirect,
+  deny: ctxDeny
+});
+
+const namespaceKeys = Object.keys(entryModule.namespace);
+for (const key of namespaceKeys) {
+  if (!allowed.has(key)) {
+    throw new Error('[zenith-preview] unsupported server export "' + key + '"');
+  }
+}
+
+const exported = entryModule.namespace;
+try {
+  const resolved = await context.resolveRouteResult({
+    exports: exported,
+    ctx: context.ctx,
+    filePath: sourcePath || 'server_script',
+    guardOnly: guardOnly,
+    routeKind: routeKind
+  });
+
+  process.stdout.write(JSON.stringify(resolved || null));
+} catch (error) {
+  const message = error instanceof Error
+    ? (typeof error.stack === 'string' && error.stack.length > 0 ? error.stack : error.message)
+    : String(error);
+  process.stderr.write('[Zenith:Server] preview route execution failed\\n' + message + '\\n');
+  process.stdout.write(
+    JSON.stringify({
+      __zenith_error: {
+        status: 500,
+        code: 'LOAD_FAILED'
+      }
+    })
+  );
+}
+`;