@betterportal/plugin-bsb 0.0.1

package/README.md

@@ -0,0 +1,3 @@
+# BetterPortal BSB Integration
+
+Thin Node.js integration package that connects BetterPortal core contracts to BSB observability and runtime primitives.

package/lib/bootstrapState.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Persistent state held by each BPService instance:
+ *  - apiKey: control-plane API key (delivered via setup)
+ *  - cpUrl: control-plane URL (delivered via setup)
+ *  - tenantLock: first-tenant lock for auto-single-tenant default
+ *
+ * Stored encrypted on disk at the configured path. Encryption key derived from
+ * `configEncryptionKey` (same as service config store).
+ */
+export interface BootstrapStateFile {
+    version: 1;
+    apiKey?: string;
+    cpUrl?: string;
+    cpId?: string;
+    cpJwksUri?: string;
+    configEncryptionKey?: string;
+    tenantLock?: string;
+    installedAt?: string;
+}
+export interface BootstrapStateOptions {
+    filePath: string;
+    encryptionKey?: string;
+}
+export declare class BootstrapStateStore {
+    private cache;
+    private readonly filePath;
+    private readonly key;
+    constructor(options: BootstrapStateOptions);
+    read(): BootstrapStateFile;
+    write(patch: Partial<BootstrapStateFile>): BootstrapStateFile;
+    clear(): void;
+    hasApiKey(): boolean;
+}
+//# sourceMappingURL=bootstrapState.d.ts.map

package/lib/bootstrapState.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrapState.d.ts","sourceRoot":"","sources":["../src/bootstrapState.ts"],"names":[],"mappings":"AAIA;;;;;;;;GAQG;AACH,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,CAAC,CAAC;IACX,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAOD,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,KAAK,CAAmC;IAChD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAS;gBAEjB,OAAO,EAAE,qBAAqB;IAK1C,IAAI,IAAI,kBAAkB;IAiB1B,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,kBAAkB,CAAC,GAAG,kBAAkB;IAU7D,KAAK,IAAI,IAAI;IAOb,SAAS,IAAI,OAAO;CAKrB"}

package/lib/bootstrapState.js

@@ -0,0 +1,100 @@
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "node:fs";
+import { dirname, resolve } from "node:path";
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "node:crypto";
+const ALGO = "aes-256-gcm";
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+const SALT = Buffer.from("bp-bootstrap-state-v1", "utf8");
+export class BootstrapStateStore {
+    cache = null;
+    filePath;
+    key;
+    constructor(options) {
+        this.filePath = resolve(options.filePath);
+        this.key = deriveKey(options.encryptionKey ?? loadOrCreateLocalKey(`${this.filePath}.key`));
+    }
+    read() {
+        if (this.cache)
+            return this.cache;
+        if (!existsSync(this.filePath)) {
+            this.cache = { version: 1 };
+            return this.cache;
+        }
+        const raw = readFileSync(this.filePath, "utf8");
+        try {
+            this.cache = decrypt(raw, this.key);
+        }
+        catch {
+            const parsed = JSON.parse(raw);
+            if (parsed.version !== 1)
+                throw new Error(`Bootstrap state ${this.filePath} version mismatch`);
+            this.cache = parsed;
+        }
+        return this.cache;
+    }
+    write(patch) {
+        const current = this.read();
+        const next = { ...current, ...patch, version: 1 };
+        mkdirSync(dirname(this.filePath), { recursive: true });
+        const payload = encrypt(next, this.key);
+        writeFileSync(this.filePath, payload, { mode: 0o600 });
+        this.cache = next;
+        return next;
+    }
+    clear() {
+        this.cache = { version: 1 };
+        if (existsSync(this.filePath)) {
+            writeFileSync(this.filePath, encrypt(this.cache, this.key), { mode: 0o600 });
+        }
+    }
+    hasApiKey() {
+        const s = this.read();
+        return typeof s.apiKey === "string" && s.apiKey.length > 0
+            && typeof s.cpUrl === "string" && s.cpUrl.length > 0;
+    }
+}
+function deriveKey(passphrase) {
+    return scryptSync(passphrase, SALT, 32);
+}
+function loadOrCreateLocalKey(filePath) {
+    if (existsSync(filePath)) {
+        const key = readFileSync(filePath, "utf8").trim();
+        if (key.length >= 16)
+            return key;
+    }
+    mkdirSync(dirname(filePath), { recursive: true });
+    const key = `bp_bsk_${randomBytes(32).toString("base64url")}`;
+    writeFileSync(filePath, key, { mode: 0o600 });
+    return key;
+}
+function encrypt(state, key) {
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGO, key, iv);
+    const plaintext = Buffer.from(JSON.stringify(state), "utf8");
+    const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return JSON.stringify({
+        v: 1,
+        iv: iv.toString("base64"),
+        tag: tag.toString("base64"),
+        ct: encrypted.toString("base64")
+    });
+}
+function decrypt(payload, key) {
+    const envelope = JSON.parse(payload);
+    if (envelope.v !== 1)
+        throw new Error("Bootstrap state envelope version mismatch");
+    const iv = Buffer.from(envelope.iv, "base64");
+    const tag = Buffer.from(envelope.tag, "base64");
+    if (tag.length !== AUTH_TAG_LENGTH)
+        throw new Error("Bootstrap state auth tag invalid");
+    const ct = Buffer.from(envelope.ct, "base64");
+    const decipher = createDecipheriv(ALGO, key, iv);
+    decipher.setAuthTag(tag);
+    const plaintext = Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
+    const parsed = JSON.parse(plaintext);
+    if (parsed.version !== 1)
+        throw new Error("Bootstrap state version mismatch");
+    return parsed;
+}
+//# sourceMappingURL=bootstrapState.js.map

package/lib/bootstrapState.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrapState.js","sourceRoot":"","sources":["../src/bootstrapState.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAsBxF,MAAM,IAAI,GAAG,aAAa,CAAC;AAC3B,MAAM,SAAS,GAAG,EAAE,CAAC;AACrB,MAAM,eAAe,GAAG,EAAE,CAAC;AAC3B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;AAO1D,MAAM,OAAO,mBAAmB;IACtB,KAAK,GAA8B,IAAI,CAAC;IAC/B,QAAQ,CAAS;IACjB,GAAG,CAAS;IAE7B,YAAY,OAA8B;QACxC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC1C,IAAI,CAAC,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,aAAa,IAAI,oBAAoB,CAAC,GAAG,IAAI,CAAC,QAAQ,MAAM,CAAC,CAAC,CAAC;IAC9F,CAAC;IAED,IAAI;QACF,IAAI,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC,KAAK,CAAC;QAClC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC/B,IAAI,CAAC,KAAK,GAAG,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC,KAAK,CAAC;QACpB,CAAC;QACD,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAChD,IAAI,CAAC;YACH,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAuB,CAAC;YACrD,IAAI,MAAM,CAAC,OAAO,KAAK,CAAC;gBAAE,MAAM,IAAI,KAAK,CAAC,mBAAmB,IAAI,CAAC,QAAQ,mBAAmB,CAAC,CAAC;YAC/F,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC;QACtB,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED,KAAK,CAAC,KAAkC;QACtC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAuB,EAAE,GAAG,OAAO,EAAE,GAAG,KAAK,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;QACtE,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACvD,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;QACxC,aAAa,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACvD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK;QACH,IAAI,CAAC,KAAK,GAAG,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;QAC5B,IAAI,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9B,aAAa,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC/E,CAAC;IACH,CAAC;IAED,SAAS;QACP,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QACtB,OAAO,OAAO,CAAC,CAAC,MAAM,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;eACrD,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ,IAAI,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;IACzD,CAAC;CACF;AAED,SAAS,SAAS,CAAC,UAAkB;IACnC,OAAO,UAAU,CAAC,UAAU,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;AAC1C,CAAC;AAED,SAAS,oBAAoB,CAAC,QAAgB;IAC5C,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QAClD,IAAI,GAAG,CAAC,MAAM,IAAI,EAAE;YAAE,OAAO,GAAG,CAAC;IACnC,CAAC;IACD,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,MAAM,GAAG,GAAG,UAAU,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;IAC9D,aAAa,CAAC,QAAQ,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC9C,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,OAAO,CAAC,KAAyB,EAAE,GAAW;IACrD,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,cAAc,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC7C,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,CAAC;IAC7D,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC5E,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,CAAC,EAAE,CAAC;QACJ,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACzB,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC3B,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;KACjC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,OAAO,CAAC,OAAe,EAAE,GAAW;IAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAuD,CAAC;IAC3F,IAAI,QAAQ,CAAC,CAAC,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IACnF,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAChD,IAAI,GAAG,CAAC,MAAM,KAAK,eAAe;QAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACxF,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,gBAAgB,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACjD,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC1F,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAuB,CAAC;IAC3D,IAAI,MAAM,CAAC,OAAO,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IAC9E,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/lib/index.d.ts

@@ -0,0 +1,6 @@
+import type { Observable } from "@bsb/base";
+import type { BetterPortalLogger, BetterPortalObservability } from "@betterportal/framework";
+export declare function createBsbObservability(observable: Observable): BetterPortalObservability;
+export declare function createBsbLogger(observable: Observable): BetterPortalLogger;
+export { BPService, BetterPortalConfigSchema, type BetterPortalConfig, type BPServiceConfig, type BPServiceDefinition } from "./service.js";
+//# sourceMappingURL=index.d.ts.map

package/lib/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,KAAK,EAIV,kBAAkB,EAElB,yBAAyB,EAK1B,MAAM,yBAAyB,CAAC;AAwMjC,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,UAAU,GAAG,yBAAyB,CAExF;AAED,wBAAgB,eAAe,CAAC,UAAU,EAAE,UAAU,GAAG,kBAAkB,CAE1E;AAED,OAAO,EACL,SAAS,EACT,wBAAwB,EACxB,KAAK,kBAAkB,EACvB,KAAK,eAAe,EACpB,KAAK,mBAAmB,EACzB,MAAM,cAAc,CAAC"}

package/lib/index.js

@@ -0,0 +1,148 @@
+function mergeAttributes(current, next) {
+    return {
+        ...current,
+        ...next
+    };
+}
+function toResource(observable) {
+    return {
+        serviceName: observable.resource["service.name"],
+        serviceVersion: observable.resource["service.version"],
+        serviceInstanceId: observable.resource["service.instance.id"],
+        environment: observable.resource["deployment.environment"],
+        ...(observable.resource["deployment.region"] ? { region: observable.resource["deployment.region"] } : {})
+    };
+}
+class BsbCounterAdapter {
+    counter;
+    constructor(counter) {
+        this.counter = counter;
+    }
+    increment(value, labels) {
+        this.counter.increment(value, labels);
+    }
+}
+class BsbGaugeAdapter {
+    gauge;
+    constructor(gauge) {
+        this.gauge = gauge;
+    }
+    set(value, labels) {
+        this.gauge.set(value, labels);
+    }
+    increment(value, labels) {
+        this.gauge.increment(value, labels);
+    }
+    decrement(value, labels) {
+        this.gauge.decrement(value, labels);
+    }
+}
+class BsbHistogramAdapter {
+    histogram;
+    constructor(histogram) {
+        this.histogram = histogram;
+    }
+    observe(value, labels) {
+        this.histogram.record(value, labels);
+    }
+}
+class BsbTimerAdapter {
+    timer;
+    constructor(timer) {
+        this.timer = timer;
+    }
+    stop() {
+        return this.timer.stop();
+    }
+}
+class BsbMetricsAdapter {
+    observable;
+    constructor(observable) {
+        this.observable = observable;
+    }
+    counter(name, description, help, labels) {
+        return new BsbCounterAdapter(this.observable.metrics.counter(name, description, help, labels ? [...labels] : undefined));
+    }
+    gauge(name, description, help, labels) {
+        return new BsbGaugeAdapter(this.observable.metrics.gauge(name, description, help, labels ? [...labels] : undefined));
+    }
+    histogram(name, description, help, boundaries, labels) {
+        return new BsbHistogramAdapter(this.observable.metrics.histogram(name, description, help, boundaries ? [...boundaries] : undefined, labels ? [...labels] : undefined));
+    }
+    timer() {
+        return new BsbTimerAdapter(this.observable.metrics.timer());
+    }
+}
+class BsbLoggerAdapter {
+    observable;
+    constructor(observable) {
+        this.observable = observable;
+    }
+    meta(attributes) {
+        if (attributes === undefined || Object.keys(attributes).length === 0) {
+            return [];
+        }
+        return [attributes];
+    }
+    debug(message, attributes) {
+        this.observable.log.debug(message, ...this.meta(attributes));
+    }
+    info(message, attributes) {
+        this.observable.log.info(message, ...this.meta(attributes));
+    }
+    warn(message, attributes) {
+        this.observable.log.warn(message, ...this.meta(attributes));
+    }
+    error(message, attributes) {
+        this.observable.log.error(message, ...this.meta(attributes));
+    }
+}
+class BsbObservabilityAdapter {
+    observable;
+    attributes;
+    trace;
+    traceId;
+    spanId;
+    resource;
+    logger;
+    metrics;
+    constructor(observable, attributes = {}) {
+        this.observable = observable;
+        this.attributes = attributes;
+        this.trace = {
+            traceId: this.observable.traceId,
+            spanId: this.observable.spanId
+        };
+        this.traceId = this.observable.traceId;
+        this.spanId = this.observable.spanId;
+        this.resource = toResource(this.observable);
+        this.logger = new BsbLoggerAdapter(this.observable);
+        this.metrics = new BsbMetricsAdapter(this.observable);
+    }
+    startSpan(name, attributes = {}) {
+        return new BsbObservabilityAdapter(this.observable.startSpan(name, attributes), mergeAttributes(this.attributes, attributes));
+    }
+    setAttribute(key, value) {
+        return new BsbObservabilityAdapter(this.observable.setAttribute(key, value), {
+            ...this.attributes,
+            [key]: value
+        });
+    }
+    setAttributes(attributes) {
+        return new BsbObservabilityAdapter(this.observable.setAttributes(attributes), mergeAttributes(this.attributes, attributes));
+    }
+    end(attributes) {
+        this.observable.end(attributes);
+    }
+    error(error, attributes) {
+        this.observable.error(error, attributes);
+    }
+}
+export function createBsbObservability(observable) {
+    return new BsbObservabilityAdapter(observable, observable.attributes);
+}
+export function createBsbLogger(observable) {
+    return new BsbLoggerAdapter(observable);
+}
+export { BPService, BetterPortalConfigSchema } from "./service.js";
+//# sourceMappingURL=index.js.map

package/lib/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAcA,SAAS,eAAe,CACtB,OAAgC,EAChC,IAA6B;IAE7B,OAAO;QACL,GAAG,OAAO;QACV,GAAG,IAAI;KACR,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,UAAsB;IACxC,OAAO;QACL,WAAW,EAAE,UAAU,CAAC,QAAQ,CAAC,cAAc,CAAC;QAChD,cAAc,EAAE,UAAU,CAAC,QAAQ,CAAC,iBAAiB,CAAC;QACtD,iBAAiB,EAAE,UAAU,CAAC,QAAQ,CAAC,qBAAqB,CAAC;QAC7D,WAAW,EAAE,UAAU,CAAC,QAAQ,CAAC,wBAAwB,CAAC;QAC1D,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,UAAU,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC1G,CAAC;AACJ,CAAC;AAED,MAAM,iBAAiB;IACQ;IAA7B,YAA6B,OAAsF;QAAtF,YAAO,GAAP,OAAO,CAA+E;IAAG,CAAC;IAEvH,SAAS,CAAC,KAAc,EAAE,MAA2D;QACnF,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,MAAqD,CAAC,CAAC;IACvF,CAAC;CACF;AAED,MAAM,eAAe;IAEA;IADnB,YACmB,KAIhB;QAJgB,UAAK,GAAL,KAAK,CAIrB;IACA,CAAC;IAEJ,GAAG,CAAC,KAAa,EAAE,MAA2D;QAC5E,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,MAAqD,CAAC,CAAC;IAC/E,CAAC;IAED,SAAS,CAAC,KAAc,EAAE,MAA2D;QACnF,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,EAAE,MAAqD,CAAC,CAAC;IACrF,CAAC;IAED,SAAS,CAAC,KAAc,EAAE,MAA2D;QACnF,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,EAAE,MAAqD,CAAC,CAAC;IACrF,CAAC;CACF;AAED,MAAM,mBAAmB;IACM;IAA7B,YAA6B,SAAoF;QAApF,cAAS,GAAT,SAAS,CAA2E;IAAG,CAAC;IAErH,OAAO,CAAC,KAAa,EAAE,MAA2D;QAChF,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,EAAE,MAAqD,CAAC,CAAC;IACtF,CAAC;CACF;AAED,MAAM,eAAe;IACU;IAA7B,YAA6B,KAAyB;QAAzB,UAAK,GAAL,KAAK,CAAoB;IAAG,CAAC;IAE1D,IAAI;QACF,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;IAC3B,CAAC;CACF;AAED,MAAM,iBAAiB;IACQ;IAA7B,YAA6B,UAAsB;QAAtB,eAAU,GAAV,UAAU,CAAY;IAAG,CAAC;IAEvD,OAAO,CACL,IAAY,EACZ,WAAmB,EACnB,IAAY,EACZ,MAA0B;QAE1B,OAAO,IAAI,iBAAiB,CAC1B,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAC3F,CAAC;IACJ,CAAC;IAED,KAAK,CACH,IAAY,EACZ,WAAmB,EACnB,IAAY,EACZ,MAA0B;QAE1B,OAAO,IAAI,eAAe,CACxB,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CACzF,CAAC;IACJ,CAAC;IAED,SAAS,CACP,IAAY,EACZ,WAAmB,EACnB,IAAY,EACZ,UAA8B,EAC9B,MAA0B;QAE1B,OAAO,IAAI,mBAAmB,CAC5B,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,SAAS,CAC/B,IAAI,EACJ,WAAW,EACX,IAAI,EACJ,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS,EACxC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CACjC,CACF,CAAC;IACJ,CAAC;IAED,KAAK;QACH,OAAO,IAAI,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;IAC9D,CAAC;CACF;AAED,MAAM,gBAAgB;IACS;IAA7B,YAA6B,UAAsB;QAAtB,eAAU,GAAV,UAAU,CAAY;IAAG,CAAC;IAE/C,IAAI,CAAC,UAAoC;QAC/C,IAAI,UAAU,KAAK,SAAS,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrE,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,OAAO,CAAC,UAAmB,CAAC,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,OAAe,EAAE,UAAoC;QACzD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;IAC/D,CAAC;IAED,IAAI,CAAC,OAAe,EAAE,UAAoC;QACxD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;IAC9D,CAAC;IAED,IAAI,CAAC,OAAe,EAAE,UAAoC;QACxD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;IAC9D,CAAC;IAED,KAAK,CAAC,OAAuB,EAAE,UAAoC;QACjE,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;IAC/D,CAAC;CACF;AAED,MAAM,uBAAuB;IASR;IACD;IATT,KAAK,CAAC;IACN,OAAO,CAAC;IACR,MAAM,CAAC;IACP,QAAQ,CAAC;IACT,MAAM,CAAqB;IAC3B,OAAO,CAAsB;IAEtC,YACmB,UAAsB,EACvB,aAAsC,EAAE;QADvC,eAAU,GAAV,UAAU,CAAY;QACvB,eAAU,GAAV,UAAU,CAA8B;QAExD,IAAI,CAAC,KAAK,GAAG;YACX,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,OAAO;YAChC,MAAM,EAAE,IAAI,CAAC,UAAU,CAAC,MAAM;SAC/B,CAAC;QACF,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;QACvC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;QACrC,IAAI,CAAC,QAAQ,GAAG,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM,GAAG,IAAI,gBAAgB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACpD,IAAI,CAAC,OAAO,GAAG,IAAI,iBAAiB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACxD,CAAC;IAED,SAAS,CAAC,IAAY,EAAE,aAAsC,EAAE;QAC9D,OAAO,IAAI,uBAAuB,CAChC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,EAAE,UAAU,CAAC,EAC3C,eAAe,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,CAC7C,CAAC;IACJ,CAAC;IAED,YAAY,CAAC,GAAW,EAAE,KAAyB;QACjD,OAAO,IAAI,uBAAuB,CAChC,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,GAAG,EAAE,KAAK,CAAC,EACxC;YACE,GAAG,IAAI,CAAC,UAAU;YAClB,CAAC,GAAG,CAAC,EAAE,KAAK;SACb,CACF,CAAC;IACJ,CAAC;IAED,aAAa,CAAC,UAAmC;QAC/C,OAAO,IAAI,uBAAuB,CAChC,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,UAAU,CAAC,EACzC,eAAe,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,CAC7C,CAAC;IACJ,CAAC;IAED,GAAG,CAAC,UAAoC;QACtC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,KAAY,EAAE,UAAoC;QACtD,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAC3C,CAAC;CACF;AAED,MAAM,UAAU,sBAAsB,CAAC,UAAsB;IAC3D,OAAO,IAAI,uBAAuB,CAAC,UAAU,EAAE,UAAU,CAAC,UAAU,CAAC,CAAC;AACxE,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,UAAsB;IACpD,OAAO,IAAI,gBAAgB,CAAC,UAAU,CAAC,CAAC;AAC1C,CAAC;AAED,OAAO,EACL,SAAS,EACT,wBAAwB,EAIzB,MAAM,cAAc,CAAC"}

package/lib/scopedConfigCache.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Local cache for the scoped platform config that a BPService receives from
+ * its control plane (CM). Lets the service serve requests on restart before
+ * the first sync completes, and means BP services NEVER share CM's bp-config.yaml
+ * - they hold their own cached projection of just the slice the CP sent them.
+ *
+ * Default file backend; will become pluggable (redis/psql) - keep this surface
+ * narrow so other backends slot in with `read()` / `write()`.
+ */
+export interface ScopedConfigCacheOptions {
+    filePath: string;
+}
+export declare class ScopedConfigCache {
+    private cache;
+    private readonly filePath;
+    constructor(options: ScopedConfigCacheOptions);
+    read(): unknown | null;
+    write(scopedConfig: unknown): void;
+    clear(): void;
+}
+//# sourceMappingURL=scopedConfigCache.d.ts.map

package/lib/scopedConfigCache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scopedConfigCache.d.ts","sourceRoot":"","sources":["../src/scopedConfigCache.ts"],"names":[],"mappings":"AAGA;;;;;;;;GAQG;AACH,MAAM,WAAW,wBAAwB;IACvC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,KAAK,CAAiB;IAC9B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;gBAEtB,OAAO,EAAE,wBAAwB;IAI7C,IAAI,IAAI,OAAO,GAAG,IAAI;IAYtB,KAAK,CAAC,YAAY,EAAE,OAAO,GAAG,IAAI;IAMlC,KAAK,IAAI,IAAI;CAGd"}

package/lib/scopedConfigCache.js

@@ -0,0 +1,32 @@
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "node:fs";
+import { dirname, resolve } from "node:path";
+export class ScopedConfigCache {
+    cache = null;
+    filePath;
+    constructor(options) {
+        this.filePath = resolve(options.filePath);
+    }
+    read() {
+        if (this.cache !== null)
+            return this.cache;
+        if (!existsSync(this.filePath))
+            return null;
+        try {
+            const raw = readFileSync(this.filePath, "utf8");
+            this.cache = JSON.parse(raw);
+            return this.cache;
+        }
+        catch {
+            return null;
+        }
+    }
+    write(scopedConfig) {
+        mkdirSync(dirname(this.filePath), { recursive: true });
+        writeFileSync(this.filePath, JSON.stringify(scopedConfig, null, 2), { mode: 0o600 });
+        this.cache = scopedConfig;
+    }
+    clear() {
+        this.cache = null;
+    }
+}
+//# sourceMappingURL=scopedConfigCache.js.map

package/lib/scopedConfigCache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scopedConfigCache.js","sourceRoot":"","sources":["../src/scopedConfigCache.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAe7C,MAAM,OAAO,iBAAiB;IACpB,KAAK,GAAY,IAAI,CAAC;IACb,QAAQ,CAAS;IAElC,YAAY,OAAiC;QAC3C,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI;QACF,IAAI,IAAI,CAAC,KAAK,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC,KAAK,CAAC;QAC3C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC;YAAE,OAAO,IAAI,CAAC;QAC5C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAChD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC7B,OAAO,IAAI,CAAC,KAAK,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,YAAqB;QACzB,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACvD,aAAa,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACrF,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;IAC5B,CAAC;IAED,KAAK;QACH,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;IACpB,CAAC;CACF"}

package/lib/service.d.ts

@@ -0,0 +1,199 @@
+import { BSBService, type BSBServiceConstructor, type BSBEventSchemas, type BSBPluginConfig, type BSBReferencePluginConfigType, type Observable } from "@bsb/base";
+import * as av from "anyvali";
+import { type Server } from "node:http";
+import { type AppAuthConfig, type BetterPortalResolvedRequestContext, type BetterPortalObservability, type BetterPortalRegistry, type JwtVerifier, type ManifestBaseFields, type PluginManifest, type BetterPortalConfig as PlatformConfig, type ServiceConfigAction, type ServiceConfigStore, type ServiceConfigTicketClaims, type RouteHandlerContext, type TenantAppValidation } from "@betterportal/framework";
+import { BootstrapStateStore } from "./bootstrapState.js";
+import { type BetterPortalEvent, type BetterPortalH3App } from "@betterportal/framework/lib/runtime/h3.js";
+export interface BPServiceConfig {
+    host: string;
+    port: number;
+    betterportal?: BetterPortalConfig;
+    bpConfigPath?: string;
+    configApiToken?: string;
+    configEncryptionKey?: string;
+    controlPlaneUrl?: string;
+    serviceApiKey?: string;
+    bootstrapStatePath?: string;
+    trustedProxyHeaders?: boolean;
+    cfProxy?: boolean;
+    trustedProxyIps?: string[];
+}
+type BPServicePluginConfig = BSBPluginConfig<av.BaseSchema<unknown, BPServiceConfig>>;
+export interface BetterPortalConfig {
+    bpConfigPath?: string;
+    configApiToken?: string;
+    configEncryptionKey?: string;
+    controlPlaneUrl?: string;
+    serviceApiKey?: string;
+    bootstrapStatePath?: string;
+    /**
+     * Local cache of the scoped platform config delivered by the CP. Persisted
+     * on each sync so the service can serve requests immediately on restart,
+     * without sharing CM's source-of-truth bp-config.yaml. Default is per-service.
+     */
+    scopedConfigCachePath?: string;
+    trustedProxyHeaders?: boolean;
+    cfProxy?: boolean;
+    trustedProxyIps?: string[];
+}
+export declare const BetterPortalConfigSchema: av.OptionalSchema<av.ObjectSchema<{
+    bpConfigPath: av.OptionalSchema<av.StringSchema>;
+    configApiToken: av.OptionalSchema<av.StringSchema>;
+    configEncryptionKey: av.OptionalSchema<av.StringSchema>;
+    controlPlaneUrl: av.OptionalSchema<av.StringSchema>;
+    serviceApiKey: av.OptionalSchema<av.StringSchema>;
+    bootstrapStatePath: av.StringSchema;
+    scopedConfigCachePath: av.StringSchema;
+    trustedProxyHeaders: av.BoolSchema;
+    cfProxy: av.BoolSchema;
+    trustedProxyIps: av.ArraySchema<av.StringSchema>;
+}>>;
+export interface BPServiceDefinition {
+    manifest: ManifestBaseFields;
+    registry: BetterPortalRegistry;
+}
+export declare abstract class BPService<TConfig extends BSBReferencePluginConfigType & BPServicePluginConfig = BPServicePluginConfig, TEvents extends BSBEventSchemas = BSBEventSchemas> extends BSBService<TConfig, TEvents> {
+    private get service();
+    protected get bp(): BetterPortalConfig;
+    /**
+     * Resolve header-trust options for a request. Proxy-supplied host headers are
+     * only honoured when the request's direct socket peer IP is in the configured
+     * `trustedProxyIps` allowlist - otherwise an attacker connecting directly
+     * could spoof X-Forwarded-Host/Forwarded/CF-* to impersonate another tenant.
+     */
+    protected headerTrustOptions(event: BetterPortalEvent): {
+        trustedProxyHeaders?: boolean;
+        cfProxy?: boolean;
+    };
+    readonly initBeforePlugins: string[];
+    readonly initAfterPlugins: string[];
+    readonly runBeforePlugins: string[];
+    readonly runAfterPlugins: string[];
+    protected readonly requireBetterPortalConfigSource: boolean;
+    protected app: BetterPortalH3App;
+    protected server: Server;
+    protected observability: BetterPortalObservability;
+    protected manifest: PluginManifest;
+    protected configStore: ServiceConfigStore;
+    private runtimeConfigEncryptionKey;
+    private configProvider;
+    private scopedConfig;
+    private scopedConfigCache;
+    private sseAbortController;
+    protected bootstrapState: BootstrapStateStore;
+    /**
+     * Synthesize a BetterPortalConfig-shaped view from the synced scoped config.
+     * Lets services that need the full-portal-config API (e.g. themes for
+     * `resolveThemeRequestContext` / `resolveServiceForTenant`) operate without
+     * sharing CM's bp-config.yaml. Returns null until the first sync completes.
+     */
+    protected getPortalConfig(): PlatformConfig | null;
+    private resolvedApiKey;
+    private resolvedCpUrl;
+    private inSetupMode;
+    protected abstract definition(): BPServiceDefinition;
+    protected onRegistered?(registry: BetterPortalRegistry, obs: Observable): void | Promise<void>;
+    /**
+     * Override to provide a JWT verifier for incoming requests.
+     * Receives the resolved tenant/app context. Return undefined to skip auth for the request.
+     */
+    protected getJwtVerifier(_tenantId: string, _appId: string): JwtVerifier | undefined;
+    /**
+     * Override to provide the app's resolved auth config (roles[], expectedIssuer, etc).
+     * Default: reads from scopedConfig synced from the control plane.
+     */
+    protected getAppAuthConfig(tenantId: string, appId: string): AppAuthConfig | undefined;
+    /**
+     * Override to provide the service-instance-id -> pluginId alias map used by the
+     * permission check (role grants use instance ids, route auth uses pluginIds).
+     * Default: reads the tenant's service bindings from scopedConfig.
+     */
+    protected getServiceIdAliases(tenantId: string): Record<string, string> | undefined;
+    /**
+     * Override to validate that a given (tenantId, appId) is allowed to consume this service.
+     *
+     * Default behavior: auto-single-tenant via lock. On first request from a tenant, the
+     * tenant is stored as the lock. Subsequent requests from other tenants are blocked
+     * with 426 Upgrade Required. Services wanting shared/multi-tenant behavior must override.
+     */
+    protected validateTenantApp(tenantId: string, _appId: string): Promise<TenantAppValidation>;
+    /**
+     * Register this service as an auth provider by exposing a JWKS endpoint.
+     *
+     * Mounts `GET /.well-known/jwks.json` returning the supplied JWK set.
+     * Call this from `init()` AFTER `super.init()` so the H3 app exists.
+     */
+    /** JWKS published by this service when it acts as an auth provider; sent
+     *  to the CP at /redeem so verifiers can use static keys (no network fetch). */
+    private publishedJwks;
+    protected registerAsAuthProvider(input: {
+        jwks: {
+            keys: ReadonlyArray<Record<string, unknown>>;
+        };
+        cacheMaxAgeSeconds?: number;
+    }): void;
+    constructor(cfg: BSBServiceConstructor<TConfig, TEvents>);
+    init(obs: Observable): Promise<void>;
+    run(obs: Observable): Promise<void>;
+    dispose(): Promise<void>;
+    private connectToControlPlane;
+    private logScopedConfigDebug;
+    protected resolveCorsContext(event: BetterPortalEvent): Promise<BetterPortalResolvedRequestContext | null>;
+    private resolveAuthForRequest;
+    private handleWithCors;
+    private isPublicBpDiscoveryPath;
+    private isConfigManagementPath;
+    private managementOrigins;
+    private resolveFromScopedConfig;
+    protected applyRequestContext(event: BetterPortalEvent, context: BetterPortalResolvedRequestContext): void;
+    protected resolveHandlerContext(event: BetterPortalEvent): Partial<RouteHandlerContext>;
+    private emitWebhook;
+    private effectiveServiceConfig;
+    private internalConfigReadTicket;
+    protected describeCorsContextFailure(event: BetterPortalEvent): Promise<{
+        candidateHosts: string;
+        configuredAppHosts: string;
+    } | undefined>;
+    private logContextResolutionFailure;
+    /**
+     * Resolve API key + CP URL using the 3-layer chain:
+     *   1. Bootstrap state store (default)
+     *   2. sec-config (this.bp.serviceApiKey + this.bp.controlPlaneUrl)
+     *   3. Process env BP_SERVICE_API_KEY + BP_CONTROL_PLANE_URL (arg layer)
+     * If none yield credentials, enter setup mode.
+     */
+    private resolveCredentials;
+    private validateBetterPortalConfig;
+    private requireTenantConfigSource;
+    private resolveConfigEncryptionKey;
+    private isPreSyncCorePath;
+    private renderHealth;
+    /**
+     * Mounts POST /.well-known/bp/install - the browser-driven service installer.
+     * Caller posts { setupToken, cpUrl }. Service fetches CP JWKS, verifies the
+     * setup token, then redeems it for the real apiKey via CP /services/redeem.
+     * Persists credentials and starts CP sync.
+     */
+    private registerInstallEndpoint;
+    private serviceConfigStorePath;
+    private deriveOwnUrl;
+    private registerDefaultConfigRoutes;
+    protected validateConfigScope(tenantId: string, appId?: string): Promise<boolean>;
+    /**
+     * Validate a service-config ticket. Primary path: verify a CP-signed RS256
+     * ticket against the CP JWKS learned at install/redeem - there is no shared
+     * secret and only the CP can mint tickets. Before install (no cpJwksUri yet)
+     * the service fails closed: config endpoints reject every request until it has
+     * been provisioned.
+     */
+    protected validateConfigTicket(ticketValue: string | null, event: BetterPortalEvent, action: ServiceConfigAction): Promise<ServiceConfigTicketClaims | null>;
+    /**
+     * Static shared-secret fallback for LOCAL DEVELOPMENT ONLY. Disabled unless
+     * BP_ALLOW_DEV_CONFIG_TOKEN=true AND configApiToken is explicitly set. It
+     * trusts the x-bp-tenant-id header to choose the tenant, so it must never be
+     * enabled in production.
+     */
+    private validateDevConfigToken;
+}
+export {};
+//# sourceMappingURL=service.d.ts.map

package/lib/service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service.d.ts","sourceRoot":"","sources":["../src/service.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,UAAU,EACV,KAAK,qBAAqB,EAC1B,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,4BAA4B,EACjC,KAAK,UAAU,EAChB,MAAM,WAAW,CAAC;AACnB,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAE9B,OAAO,EAAgB,KAAK,MAAM,EAAE,MAAM,WAAW,CAAC;AAEtD,OAAO,EAkBL,KAAK,aAAa,EAClB,KAAK,kCAAkC,EACvC,KAAK,yBAAyB,EAC9B,KAAK,oBAAoB,EACzB,KAAK,WAAW,EAChB,KAAK,kBAAkB,EACvB,KAAK,cAAc,EAGnB,KAAK,kBAAkB,IAAI,cAAc,EACzC,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,yBAAyB,EAC9B,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACzB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAAE,mBAAmB,EAA2B,MAAM,qBAAqB,CAAC;AAEnF,OAAO,EAQL,KAAK,iBAAiB,EACtB,KAAK,iBAAiB,EACvB,MAAM,2CAA2C,CAAC;AAKnD,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,CAAC,EAAE,kBAAkB,CAAC;IAClC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED,KAAK,qBAAqB,GAAG,eAAe,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC,CAAC;AAEtF,MAAM,WAAW,kBAAkB;IACjC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED,eAAO,MAAM,wBAAwB;;;;;;;;;;;GAmBR,CAAC;AAI9B,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,kBAAkB,CAAC;IAC7B,QAAQ,EAAE,oBAAoB,CAAC;CAChC;AAID,8BAAsB,SAAS,CAC7B,OAAO,SAAS,4BAA4B,GAAG,qBAAqB,GAAG,qBAAqB,EAC5F,OAAO,SAAS,eAAe,GAAG,eAAe,CACjD,SAAQ,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC;IAEpC,OAAO,KAAK,OAAO,GAElB;IAED,SAAS,KAAK,EAAE,IAAI,kBAAkB,CAgBrC;IAED;;;;;OAKG;IACH,SAAS,CAAC,kBAAkB,CAAC,KAAK,EAAE,iBAAiB,GAAG;QAAE,mBAAmB,CAAC,EAAE,OAAO,CAAC;QAAC,OAAO,CAAC,EAAE,OAAO,CAAA;KAAE;IAY5G,QAAQ,CAAC,iBAAiB,EAAE,MAAM,EAAE,CAAM;IAC1C,QAAQ,CAAC,gBAAgB,EAAE,MAAM,EAAE,CAAM;IACzC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,EAAE,CAAM;IACzC,QAAQ,CAAC,eAAe,EAAE,MAAM,EAAE,CAAM;IACxC,SAAS,CAAC,QAAQ,CAAC,+BAA+B,EAAE,OAAO,CAAQ;IAEnE,SAAS,CAAC,GAAG,EAAG,iBAAiB,CAAC;IAClC,SAAS,CAAC,MAAM,EAAG,MAAM,CAAC;IAC1B,SAAS,CAAC,aAAa,EAAG,yBAAyB,CAAC;IACpD,SAAS,CAAC,QAAQ,EAAG,cAAc,CAAC;IACpC,SAAS,CAAC,WAAW,EAAE,kBAAkB,CAAoC;IAC7E,OAAO,CAAC,0BAA0B,CAAqB;IACvD,OAAO,CAAC,cAAc,CAAqD;IAC3E,OAAO,CAAC,YAAY,CAAoC;IACxD,OAAO,CAAC,iBAAiB,CAAqB;IAC9C,OAAO,CAAC,kBAAkB,CAAgC;IAC1D,SAAS,CAAC,cAAc,EAAG,mBAAmB,CAAC;IAE/C;;;;;OAKG;IACH,SAAS,CAAC,eAAe,IAAI,cAAc,GAAG,IAAI;IAsClD,OAAO,CAAC,cAAc,CAAuB;IAC7C,OAAO,CAAC,aAAa,CAAuB;IAC5C,OAAO,CAAC,WAAW,CAAkB;IAErC,SAAS,CAAC,QAAQ,CAAC,UAAU,IAAI,mBAAmB;IAEpD,SAAS,CAAC,YAAY,CAAC,CAAC,QAAQ,EAAE,oBAAoB,EAAE,GAAG,EAAE,UAAU,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAE9F;;;OAGG;IACH,SAAS,CAAC,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS;IAqBpF;;;OAGG;IACH,SAAS,CAAC,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAMtF;;;;OAIG;IACH,SAAS,CAAC,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,SAAS;IAUnF;;;;;;OAMG;cACa,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAejG;;;;;OAKG;IACH;oFACgF;IAChF,OAAO,CAAC,aAAa,CAAiE;IAEtF,SAAS,CAAC,sBAAsB,CAAC,KAAK,EAAE;QACtC,IAAI,EAAE;YAAE,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAA;SAAE,CAAC;QACvD,kBAAkB,CAAC,EAAE,MAAM,CAAC;KAC7B,GAAG,IAAI;gBAeI,GAAG,EAAE,qBAAqB,CAAC,OAAO,EAAE,OAAO,CAAC;IAIlD,IAAI,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;IA0GpC,GAAG,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;IA2DnC,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAW9B,OAAO,CAAC,qBAAqB;IA6R7B,OAAO,CAAC,oBAAoB;cA0BZ,kBAAkB,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC,kCAAkC,GAAG,IAAI,CAAC;IAehH,OAAO,CAAC,qBAAqB;YAcf,cAAc;IAkG5B,OAAO,CAAC,uBAAuB;IAoB/B,OAAO,CAAC,sBAAsB;YAIhB,iBAAiB;IA0B/B,OAAO,CAAC,uBAAuB;IAqC/B,SAAS,CAAC,mBAAmB,CAAC,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,kCAAkC,GAAG,IAAI;IAiB1G,SAAS,CAAC,qBAAqB,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC,mBAAmB,CAAC;YAqBzE,WAAW;IAoCzB,OAAO,CAAC,sBAAsB;IAS9B,OAAO,CAAC,wBAAwB;cAgBhB,0BAA0B,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC;QAAE,cAAc,EAAE,MAAM,CAAC;QAAC,kBAAkB,EAAE,MAAM,CAAA;KAAE,GAAG,SAAS,CAAC;IA4BjJ,OAAO,CAAC,2BAA2B;IAwBnC;;;;;;OAMG;IACH,OAAO,CAAC,kBAAkB;IAiC1B,OAAO,CAAC,0BAA0B;IA+BlC,OAAO,CAAC,yBAAyB;IAuBjC,OAAO,CAAC,0BAA0B;IAKlC,OAAO,CAAC,iBAAiB;IAazB,OAAO,CAAC,YAAY;IA0CpB;;;;;OAKG;IACH,OAAO,CAAC,uBAAuB;IA8F/B,OAAO,CAAC,sBAAsB;IAO9B,OAAO,CAAC,YAAY;IAQpB,OAAO,CAAC,2BAA2B;cAkBnB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAoBvF;;;;;;OAMG;cACa,oBAAoB,CAClC,WAAW,EAAE,MAAM,GAAG,IAAI,EAC1B,KAAK,EAAE,iBAAiB,EACxB,MAAM,EAAE,mBAAmB,GAC1B,OAAO,CAAC,yBAAyB,GAAG,IAAI,CAAC;IAmB5C;;;;;OAKG;IACH,OAAO,CAAC,sBAAsB;CA8B/B"}