Add API routes, CORS middleware, and rate limiting

File-based API routes: .ts files in src/routes/api/ export HTTP method
handlers (GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS). Auto-generated
via virtual:zero/api-routes virtual module with URL pattern matching
and dynamic parameter extraction.

CORS middleware: configurable origins (string, array, function),
methods, credentials, preflight handling with Access-Control headers.

Rate limit middleware: in-memory per-client limiting with X-RateLimit
headers, configurable max/window, include/exclude patterns, custom
key function.

- Add api-routes.ts with route detection, pattern matching, middleware
- Add cors.ts with corsMiddleware()
- Add rate-limit.ts with rateLimitMiddleware()
- Wire virtual:zero/api-routes into Vite plugin and server entry
- Add ./api-routes, ./cors, ./rate-limit subpath exports
- Add template API examples (posts CRUD, health check)
- Update template entry-server with CORS + rate limiting
- 38 new tests (202 total)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: vitbokisch

CLAUDE.md

@@ -109,14 +109,26 @@ Route files can `export const middleware` — the Vite plugin generates a virtua
 
 Dev-only styled HTML overlay for SSR errors with source-mapped stack traces. Injected via Vite plugin's `configureServer` hook.
 
+### API Routes (`api-routes.ts`)
+
+File-based API routes: `.ts` files in `src/routes/api/` export HTTP method handlers (`GET`, `POST`, `PUT`, `PATCH`, `DELETE`). Auto-generated via `virtual:zero/api-routes`. Handlers receive `ApiContext` with `request`, `url`, `params`, `headers`. Matched by URL pattern with dynamic params.
+
+### CORS (`cors.ts`)
+
+`corsMiddleware(config)` — configurable origins (string, array, function), methods, credentials, preflight handling. Handles `OPTIONS` automatically.
+
+### Rate Limiting (`rate-limit.ts`)
+
+`rateLimitMiddleware(config)` — in-memory per-client limiting with `X-RateLimit-*` headers. Configurable `max`, `window`, `include`/`exclude` patterns, custom key function.
+
 ### Shared Utilities (`utils/`)
 
 - `use-intersection-observer.ts` — reusable observer composable (used by Image, Link)
 - `with-headers.ts` — clone Response with modified headers (used by cache middleware)
 
 ## Package Exports
 
-`.` (core), `./client`, `./config`, `./image`, `./link`, `./script`, `./font`, `./cache`, `./seo`, `./theme`, `./image-plugin`, `./actions`
+`.` (core), `./client`, `./config`, `./image`, `./link`, `./script`, `./font`, `./cache`, `./seo`, `./theme`, `./image-plugin`, `./actions`, `./api-routes`, `./cors`, `./rate-limit`
 
 ## Starter Template (`packages/create-zero/templates/default/`)
 

packages/create-zero/templates/default/env.d.ts

@@ -9,3 +9,8 @@ declare module 'virtual:zero/route-middleware' {
   import type { RouteMiddlewareEntry } from '@pyreon/zero'
   export const routeMiddleware: RouteMiddlewareEntry[]
 }
+
+declare module 'virtual:zero/api-routes' {
+  import type { ApiRouteEntry } from '@pyreon/zero'
+  export const apiRoutes: ApiRouteEntry[]
+}

packages/create-zero/templates/default/src/entry-server.ts

@@ -1,19 +1,25 @@
-import { routes } from 'virtual:zero/routes'
+import { apiRoutes } from 'virtual:zero/api-routes'
 import { routeMiddleware } from 'virtual:zero/route-middleware'
+import { routes } from 'virtual:zero/routes'
 import { createServer } from '@pyreon/zero'
 import {
   cacheMiddleware,
   securityHeaders,
   varyEncoding,
 } from '@pyreon/zero/cache'
+import { corsMiddleware } from '@pyreon/zero/cors'
+import { rateLimitMiddleware } from '@pyreon/zero/rate-limit'
 
 export default createServer({
   routes,
   routeMiddleware,
+  apiRoutes,
   config: {
     ssr: { mode: 'stream' },
   },
   middleware: [
+    corsMiddleware(),
+    rateLimitMiddleware({ max: 100, window: 60, include: ['/api/*'] }),
     securityHeaders(),
     cacheMiddleware({ staleWhileRevalidate: 120 }),
     varyEncoding(),

packages/create-zero/templates/default/src/routes/api/health.ts

@@ -0,0 +1,7 @@
+/**
+ * Health check endpoint — /api/health
+ * Useful for load balancers and uptime monitoring.
+ */
+export function GET() {
+  return Response.json({ status: 'ok', timestamp: new Date().toISOString() })
+}

packages/create-zero/templates/default/src/routes/api/posts.ts

@@ -0,0 +1,40 @@
+import type { ApiContext } from '@pyreon/zero'
+
+/**
+ * API route example — /api/posts
+ *
+ * API routes are plain .ts files in src/routes/api/ that export
+ * HTTP method handlers: GET, POST, PUT, PATCH, DELETE, OPTIONS.
+ *
+ * They run on the server and return Response objects directly.
+ */
+
+const POSTS = [
+  { id: 1, title: 'Getting Started with Pyreon Zero', published: true },
+  { id: 2, title: 'Understanding Signals', published: true },
+  { id: 3, title: 'Server-Side Rendering Made Simple', published: false },
+]
+
+export function GET(_ctx: ApiContext) {
+  return Response.json(POSTS.filter((p) => p.published))
+}
+
+export async function POST(ctx: ApiContext) {
+  const body = (await ctx.request.json()) as {
+    title: string
+    published?: boolean
+  }
+
+  if (!body.title) {
+    return Response.json({ error: 'Title is required' }, { status: 400 })
+  }
+
+  const post = {
+    id: POSTS.length + 1,
+    title: body.title,
+    published: body.published ?? false,
+  }
+
+  POSTS.push(post)
+  return Response.json(post, { status: 201 })
+}

packages/zero/package.json

@@ -81,6 +81,21 @@
       "bun": "./src/actions.ts",
       "import": "./lib/actions.js",
       "types": "./lib/types/actions.d.ts"
+    },
+    "./api-routes": {
+      "bun": "./src/api-routes.ts",
+      "import": "./lib/api-routes.js",
+      "types": "./lib/types/api-routes.d.ts"
+    },
+    "./cors": {
+      "bun": "./src/cors.ts",
+      "import": "./lib/cors.js",
+      "types": "./lib/types/cors.d.ts"
+    },
+    "./rate-limit": {
+      "bun": "./src/rate-limit.ts",
+      "import": "./lib/rate-limit.js",
+      "types": "./lib/types/rate-limit.d.ts"
     }
   },
   "scripts": {

packages/zero/src/api-routes.ts

@@ -0,0 +1,233 @@
+import type { Middleware, MiddlewareContext } from '@pyreon/server'
+
+// ─── Types ───────────────────────────────────────────────────────────────────
+
+/** HTTP methods supported by API routes. */
+export type HttpMethod =
+  | 'GET'
+  | 'POST'
+  | 'PUT'
+  | 'PATCH'
+  | 'DELETE'
+  | 'HEAD'
+  | 'OPTIONS'
+
+/** Context passed to API route handlers. */
+export interface ApiContext {
+  /** The incoming request. */
+  request: Request
+  /** Parsed URL. */
+  url: URL
+  /** URL path. */
+  path: string
+  /** Dynamic route parameters (e.g., { id: "123" }). */
+  params: Record<string, string>
+  /** Request headers. */
+  headers: Headers
+}
+
+/** An API route handler function. */
+export type ApiHandler = (ctx: ApiContext) => Response | Promise<Response>
+
+/** An API route module — exports named HTTP method handlers. */
+export interface ApiRouteModule {
+  GET?: ApiHandler
+  POST?: ApiHandler
+  PUT?: ApiHandler
+  PATCH?: ApiHandler
+  DELETE?: ApiHandler
+  HEAD?: ApiHandler
+  OPTIONS?: ApiHandler
+}
+
+/** A registered API route entry. */
+export interface ApiRouteEntry {
+  /** URL pattern (e.g., "/api/posts/:id"). */
+  pattern: string
+  /** The route module with method handlers. */
+  module: ApiRouteModule
+}
+
+// ─── Pattern matching ────────────────────────────────────────────────────────
+
+/**
+ * Match a URL path against an API route pattern.
+ * Returns extracted params or null if no match.
+ */
+export function matchApiRoute(
+  pattern: string,
+  path: string,
+): Record<string, string> | null {
+  const patternParts = pattern.split('/').filter(Boolean)
+  const pathParts = path.split('/').filter(Boolean)
+  const params: Record<string, string> = {}
+
+  for (let i = 0; i < patternParts.length; i++) {
+    const pp = patternParts[i]
+
+    // Catch-all: :param*
+    if (pp.endsWith('*')) {
+      const paramName = pp.slice(1, -1)
+      params[paramName] = pathParts.slice(i).join('/')
+      return params
+    }
+
+    // No more path segments
+    if (i >= pathParts.length) return null
+
+    // Dynamic segment: :param
+    if (pp.startsWith(':')) {
+      params[pp.slice(1)] = pathParts[i]
+      continue
+    }
+
+    // Static segment
+    if (pp !== pathParts[i]) return null
+  }
+
+  return patternParts.length === pathParts.length ? params : null
+}
+
+// ─── Middleware ───────────────────────────────────────────────────────────────
+
+const HTTP_METHODS: HttpMethod[] = [
+  'GET',
+  'POST',
+  'PUT',
+  'PATCH',
+  'DELETE',
+  'HEAD',
+  'OPTIONS',
+]
+
+/**
+ * Create a middleware that dispatches API route requests.
+ * API routes are matched by URL pattern and HTTP method.
+ */
+export function createApiMiddleware(routes: ApiRouteEntry[]): Middleware {
+  return async (ctx: MiddlewareContext) => {
+    for (const route of routes) {
+      const params = matchApiRoute(route.pattern, ctx.path)
+      if (!params) continue
+
+      const method = ctx.req.method.toUpperCase() as HttpMethod
+      const handler = route.module[method]
+
+      if (!handler) {
+        // Route matched but method not supported
+        const allowed = HTTP_METHODS.filter((m) => route.module[m]).join(', ')
+        return new Response(null, {
+          status: 405,
+          headers: {
+            Allow: allowed,
+            'Content-Type': 'application/json',
+          },
+        })
+      }
+
+      return handler({
+        request: ctx.req,
+        url: ctx.url,
+        path: ctx.path,
+        params,
+        headers: ctx.req.headers,
+      })
+    }
+  }
+}
+
+// ─── Virtual module generation ───────────────────────────────────────────────
+
+/**
+ * Detect whether a route file is an API route.
+ * API routes are `.ts` or `.js` files inside an `api/` directory.
+ */
+export function isApiRoute(filePath: string): boolean {
+  const normalized = filePath.replace(/\\/g, '/')
+  return (
+    normalized.startsWith('api/') &&
+    (normalized.endsWith('.ts') || normalized.endsWith('.js')) &&
+    !normalized.endsWith('.tsx') &&
+    !normalized.endsWith('.jsx')
+  )
+}
+
+/**
+ * Convert an API route file path to a URL pattern.
+ *
+ * Examples:
+ *   "api/posts.ts"        → "/api/posts"
+ *   "api/posts/index.ts"  → "/api/posts"
+ *   "api/posts/[id].ts"   → "/api/posts/:id"
+ *   "api/[...path].ts"    → "/api/:path*"
+ */
+export function apiFilePathToPattern(filePath: string): string {
+  let route = filePath
+  // Remove extension
+  for (const ext of ['.ts', '.js']) {
+    if (route.endsWith(ext)) {
+      route = route.slice(0, -ext.length)
+      break
+    }
+  }
+
+  const segments = route.split('/')
+  const urlSegments: string[] = []
+
+  for (const seg of segments) {
+    if (seg === 'index') continue
+
+    // Catch-all: [...param]
+    const catchAll = seg.match(/^\[\.\.\.(\w+)\]$/)
+    if (catchAll) {
+      urlSegments.push(`:${catchAll[1]}*`)
+      continue
+    }
+
+    // Dynamic: [param]
+    const dynamic = seg.match(/^\[(\w+)\]$/)
+    if (dynamic) {
+      urlSegments.push(`:${dynamic[1]}`)
+      continue
+    }
+
+    urlSegments.push(seg)
+  }
+
+  return `/${urlSegments.join('/')}`
+}
+
+/**
+ * Generate a virtual module that exports API route entries.
+ * Each entry maps a URL pattern to a module with HTTP method handlers.
+ */
+export function generateApiRouteModule(
+  files: string[],
+  routesDir: string,
+): string {
+  const apiFiles = files.filter(isApiRoute)
+
+  if (apiFiles.length === 0) {
+    return 'export const apiRoutes = []\n'
+  }
+
+  const imports: string[] = []
+  const entries: string[] = []
+
+  for (let i = 0; i < apiFiles.length; i++) {
+    const name = `_api${i}`
+    const fullPath = `${routesDir}/${apiFiles[i]}`
+    const pattern = apiFilePathToPattern(apiFiles[i])
+
+    imports.push(`import * as ${name} from "${fullPath}"`)
+    entries.push(`  { pattern: ${JSON.stringify(pattern)}, module: ${name} }`)
+  }
+
+  return [
+    ...imports,
+    '',
+    'export const apiRoutes = [',
+    entries.join(',\n'),
+    ']',
+  ].join('\n')
+}