@fiado/api-invoker 4.4.0 → 4.6.0

package/bin/container.config.js

@@ -103,6 +103,7 @@ const BenefitsMarketplaceApi_1 = __importDefault(require("./benefits-marketplace
 // UniTeller remittance connector (Fase 2 remittance)
 const uniteller_connector_1 = require("./uniteller-connector");
 const CognitoBackofficeConnectorApi_1 = __importDefault(require("./cognitoBackofficeConnector/api/CognitoBackofficeConnectorApi"));
+const PlatformRbacBusinessApi_1 = __importDefault(require("./platformRbac/api/PlatformRbacBusinessApi"));
 exports.apiInvokerBindings = new inversify_1.ContainerModule(({ bind }) => {
     // UTILS bindings
     bind("InvokerUtils").to(InvokerUtils_1.InvokerUtils);
@@ -210,4 +211,6 @@ exports.apiInvokerBindings = new inversify_1.ContainerModule(({ bind }) => {
     bind("IUnitellerConnectorApi").to(uniteller_connector_1.UnitellerConnectorApi);
     // Cognito backoffice connector (Fase 0 SureKeep)
     bind("ICognitoBackofficeConnectorApi").to(CognitoBackofficeConnectorApi_1.default);
+    // Platform RBAC business — Custom Auth Challenge endpoints (Fase 0 SureKeep)
+    bind("IPlatformRbacBusinessApi").to(PlatformRbacBusinessApi_1.default);
 });

package/bin/index.d.ts

@@ -74,3 +74,4 @@ export * from "./ai-engine-connector";
 export * from "./benefits-marketplace";
 export * from "./milestone-business";
 export * from "./cognitoBackofficeConnector";
+export * from "./platformRbac";

package/bin/index.js

@@ -90,3 +90,4 @@ __exportStar(require("./ai-engine-connector"), exports);
 __exportStar(require("./benefits-marketplace"), exports);
 __exportStar(require("./milestone-business"), exports);
 __exportStar(require("./cognitoBackofficeConnector"), exports);
+__exportStar(require("./platformRbac"), exports);

package/bin/multicommServicePayment/api/MulticommServicePaymentApi.d.ts

@@ -32,4 +32,5 @@ export default class MulticommServicePaymentApi implements IMulticommServicePaym
     payStandard(request: BenefitPaymentRequest): Promise<ApiGatewayResponse<BenefitPaymentResponse>>;
     consultStandard(transactionNumber: string): Promise<ApiGatewayResponse<BenefitPaymentResponse>>;
     updateService(idServicio: number, patch: Record<string, unknown>): Promise<ApiGatewayResponse<any>>;
+    createService(payload: Record<string, unknown>): Promise<ApiGatewayResponse<any>>;
 }

package/bin/multicommServicePayment/api/MulticommServicePaymentApi.js

@@ -85,6 +85,10 @@ let MulticommServicePaymentApi = class MulticommServicePaymentApi {
         const url = `${this.baseUrl}/internal/services/${idServicio}`;
         return await this.httpRequest.put(url, patch);
     }
+    async createService(payload) {
+        const url = `${this.baseUrl}/internal/services`;
+        return await this.httpRequest.post(url, payload);
+    }
 };
 MulticommServicePaymentApi = __decorate([
     (0, inversify_1.injectable)(),

package/bin/multicommServicePayment/api/interfaces/IMulticommServicePaymentApi.d.ts

@@ -27,4 +27,5 @@ export interface IMulticommServicePaymentApi {
     payStandard(request: BenefitPaymentRequest): Promise<ApiGatewayResponse<BenefitPaymentResponse>>;
     consultStandard(transactionNumber: string): Promise<ApiGatewayResponse<BenefitPaymentResponse>>;
     updateService(idServicio: number, patch: Record<string, unknown>): Promise<ApiGatewayResponse<any>>;
+    createService(payload: Record<string, unknown>): Promise<ApiGatewayResponse<any>>;
 }

package/bin/platformRbac/api/PlatformRbacBusinessApi.d.ts

@@ -0,0 +1,26 @@
+import { IHttpRequest } from "@fiado/http-client";
+import { ApiGatewayResponse } from "@fiado/gateway-adapter";
+import { DefineNextChallengeRequest, DefineNextChallengeResponse, PrepareChallengeRequest, PrepareChallengeResponse, VerifyChallengeRequest, VerifyChallengeResponse } from "@fiado/type-kit/bin/platformRbac";
+import { IPlatformRbacBusinessApi } from "./interfaces/IPlatformRbacBusinessApi";
+/**
+ * Publisher HTTP del lambda `platform-rbac-business` (componente 06 SureKeep Fase 0)
+ * para los 3 endpoints internos del Custom Auth Challenge flow.
+ *
+ * Env var requerida en el consumer: `PLATFORM_RBAC_BUSINESS_URL`.
+ * El template.yml del consumer la setea con:
+ *
+ *   PLATFORM_RBAC_BUSINESS_URL: '{{resolve:ssm:platform-rbac-business}}'
+ *
+ * Convención CLAUDE.md global: SSM key = nombre del lambda owner de la URL.
+ * El rbac-business publica su URL en SSM bajo la key `platform-rbac-business`
+ * vía el `post_build` del buildspec.yml estándar Fiado.
+ */
+export default class PlatformRbacBusinessApi implements IPlatformRbacBusinessApi {
+    private httpRequest;
+    /** URL base del lambda. Leída de env var en cold start del consumer. */
+    private readonly baseUrl;
+    constructor(httpRequest: IHttpRequest);
+    defineNextChallenge(input: DefineNextChallengeRequest): Promise<ApiGatewayResponse<DefineNextChallengeResponse>>;
+    prepareChallenge(input: PrepareChallengeRequest): Promise<ApiGatewayResponse<PrepareChallengeResponse>>;
+    verifyChallenge(input: VerifyChallengeRequest): Promise<ApiGatewayResponse<VerifyChallengeResponse>>;
+}

package/bin/platformRbac/api/PlatformRbacBusinessApi.js

@@ -0,0 +1,54 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const inversify_1 = require("inversify");
+/**
+ * Publisher HTTP del lambda `platform-rbac-business` (componente 06 SureKeep Fase 0)
+ * para los 3 endpoints internos del Custom Auth Challenge flow.
+ *
+ * Env var requerida en el consumer: `PLATFORM_RBAC_BUSINESS_URL`.
+ * El template.yml del consumer la setea con:
+ *
+ *   PLATFORM_RBAC_BUSINESS_URL: '{{resolve:ssm:platform-rbac-business}}'
+ *
+ * Convención CLAUDE.md global: SSM key = nombre del lambda owner de la URL.
+ * El rbac-business publica su URL en SSM bajo la key `platform-rbac-business`
+ * vía el `post_build` del buildspec.yml estándar Fiado.
+ */
+let PlatformRbacBusinessApi = class PlatformRbacBusinessApi {
+    httpRequest;
+    /** URL base del lambda. Leída de env var en cold start del consumer. */
+    baseUrl = process.env.PLATFORM_RBAC_BUSINESS_URL || "";
+    constructor(httpRequest) {
+        this.httpRequest = httpRequest;
+    }
+    async defineNextChallenge(input) {
+        const url = `${this.baseUrl}/internal/auth/define-next-challenge`;
+        return await this.httpRequest.post(url, input);
+    }
+    async prepareChallenge(input) {
+        const url = `${this.baseUrl}/internal/auth/prepare-challenge`;
+        return await this.httpRequest.post(url, input);
+    }
+    async verifyChallenge(input) {
+        const url = `${this.baseUrl}/internal/auth/verify-challenge`;
+        return await this.httpRequest.post(url, input);
+    }
+};
+PlatformRbacBusinessApi = __decorate([
+    (0, inversify_1.injectable)(),
+    __param(0, (0, inversify_1.inject)("IHttpRequest")),
+    __metadata("design:paramtypes", [Object])
+], PlatformRbacBusinessApi);
+exports.default = PlatformRbacBusinessApi;

package/bin/platformRbac/api/interfaces/IPlatformRbacBusinessApi.d.ts

@@ -0,0 +1,40 @@
+import { ApiGatewayResponse } from "@fiado/gateway-adapter";
+import { DefineNextChallengeRequest, DefineNextChallengeResponse, PrepareChallengeRequest, PrepareChallengeResponse, VerifyChallengeRequest, VerifyChallengeResponse } from "@fiado/type-kit/bin/platformRbac";
+/**
+ * Contrato del publisher HTTP del lambda `platform-rbac-business` (componente 06 SureKeep Fase 0)
+ * para los 3 endpoints internos del Custom Auth Challenge flow (MFA).
+ *
+ * Consumidores: `cognito-backoffice-connector` desde los Lambda Triggers
+ * `defineAuthChallenge`, `createAuthChallenge` y `verifyAuthChallengeResponse`
+ * configurados en cada User Pool aprovisionado por la saga `TenantOnboardingManager`.
+ *
+ * Patrón de retorno: `Promise<ApiGatewayResponse<T>>` sin unwrap (v4 canonical Fiado).
+ * El consumer accede `result.body.data` para llegar al payload tipado.
+ *
+ * Env var requerida en el consumer: `PLATFORM_RBAC_BUSINESS_URL`.
+ * El template.yml del consumer la setea con:
+ *
+ *   PLATFORM_RBAC_BUSINESS_URL: '{{resolve:ssm:platform-rbac-business}}'
+ *
+ * Convención CLAUDE.md global: SSM key = nombre del lambda owner de la URL.
+ */
+export interface IPlatformRbacBusinessApi {
+    /**
+     * POST /internal/auth/define-next-challenge — decide el próximo challenge MFA
+     * según los resultados acumulados en `session`. Invocado por el trigger
+     * `defineAuthChallenge` en cada paso del Custom Auth Challenge flow.
+     */
+    defineNextChallenge(input: DefineNextChallengeRequest): Promise<ApiGatewayResponse<DefineNextChallengeResponse>>;
+    /**
+     * POST /internal/auth/prepare-challenge — prepara el challenge (genera y envía
+     * código OTP por email/SMS, o computa el `privateChallenge` para TOTP).
+     * Invocado por el trigger `createAuthChallenge`.
+     */
+    prepareChallenge(input: PrepareChallengeRequest): Promise<ApiGatewayResponse<PrepareChallengeResponse>>;
+    /**
+     * POST /internal/auth/verify-challenge — verifica la respuesta del usuario
+     * contra el `privateChallenge`. Invocado por el trigger
+     * `verifyAuthChallengeResponse`.
+     */
+    verifyChallenge(input: VerifyChallengeRequest): Promise<ApiGatewayResponse<VerifyChallengeResponse>>;
+}

package/bin/platformRbac/api/interfaces/IPlatformRbacBusinessApi.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/bin/platformRbac/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./api/interfaces/IPlatformRbacBusinessApi";
+export { default as PlatformRbacBusinessApi } from "./api/PlatformRbacBusinessApi";

package/bin/platformRbac/index.js

@@ -0,0 +1,23 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PlatformRbacBusinessApi = void 0;
+__exportStar(require("./api/interfaces/IPlatformRbacBusinessApi"), exports);
+var PlatformRbacBusinessApi_1 = require("./api/PlatformRbacBusinessApi");
+Object.defineProperty(exports, "PlatformRbacBusinessApi", { enumerable: true, get: function () { return __importDefault(PlatformRbacBusinessApi_1).default; } });

package/bin/stpServicePayment/api/StpServicePaymentApi.d.ts

@@ -28,4 +28,5 @@ export default class StpServicePaymentApi implements IStpServicePaymentApi {
     payStandard(request: BenefitPaymentRequest): Promise<ApiGatewayResponse<BenefitPaymentResponse>>;
     consultStandard(transactionNumber: string): Promise<ApiGatewayResponse<BenefitPaymentResponse>>;
     updateService(idServicio: number, patch: Record<string, unknown>): Promise<ApiGatewayResponse<any>>;
+    createService(payload: Record<string, unknown>): Promise<ApiGatewayResponse<any>>;
 }

package/bin/stpServicePayment/api/StpServicePaymentApi.js

@@ -85,6 +85,10 @@ let StpServicePaymentApi = class StpServicePaymentApi {
         const url = `${this.baseUrl}/internal/services/${idServicio}`;
         return await this.httpRequest.put(url, patch);
     }
+    async createService(payload) {
+        const url = `${this.baseUrl}/internal/services`;
+        return await this.httpRequest.post(url, payload);
+    }
 };
 StpServicePaymentApi = __decorate([
     (0, inversify_1.injectable)(),

package/bin/stpServicePayment/api/interfaces/IStpServicePaymentApi.d.ts

@@ -23,4 +23,5 @@ export interface IStpServicePaymentApi {
     payStandard(request: BenefitPaymentRequest): Promise<ApiGatewayResponse<BenefitPaymentResponse>>;
     consultStandard(transactionNumber: string): Promise<ApiGatewayResponse<BenefitPaymentResponse>>;
     updateService(idServicio: number, patch: Record<string, unknown>): Promise<ApiGatewayResponse<any>>;
+    createService(payload: Record<string, unknown>): Promise<ApiGatewayResponse<any>>;
 }

package/docs/TECH_DEBT.md

@@ -0,0 +1,16 @@
+# TECH_DEBT — @fiado/api-invoker
+
+Registro vivo de deudas conscientes del repo. Cada entrada con ID estable `TD-AI-NNN` y los 4 campos canónicos (contexto / asunción / condición para cerrar / bloqueante).
+
+## TD-AI-001 — 2026-05-29 — npm link @fiado/type-kit activo
+
+- **Contexto:** `node_modules/@fiado/type-kit` es symlink local a `C:/Users/Fiado/Documents/Repos/fiado-type-kit/` (v3.43.1) — el publicado en CodeArtifact es v3.42.0 sin el módulo `platformRbac` que el Publisher `PlatformRbacBusinessApi` nuevo (`src/platformRbac/`) importa. El link se activó para iterar localmente sin publish prematuro del type-kit (decisión del user en el plan `2026-05-29-custom-auth-challenge-mfa.md`).
+- **Asunción / pendiente:** el `npm run build` y `tsc --noEmit` funcionan con el link, pero CI y cualquier `npm install` fresh van a resolver desde CodeArtifact (3.42.0) y fallar con `TS2307: Cannot find module '@fiado/type-kit/bin/platformRbac'` en los 2 archivos nuevos del Publisher.
+- **Condición para cerrar:** secuencia obligatoria al final del plan de auth (después de todas las tasks):
+  1. `cd /c/Users/Fiado/Documents/Repos/fiado-type-kit && npm publish` (Andres ejecuta).
+  2. `cd /c/Users/Fiado/fiado-workspace/fiado-api-invoker && npm unlink @fiado/type-kit`.
+  3. Actualizar `package.json` del api-invoker con la version publicada del type-kit (`"@fiado/type-kit": "^3.43.1"`).
+  4. `npm install` fresh.
+  5. `npx tsc --noEmit` verde.
+  6. `npm publish` del api-invoker en su nueva version (Andres ejecuta).
+- **Bloqueante:** SÍ — el primer deploy productivo o CI run del api-invoker (y de cualquier consumer que bumpee a la 4.6.0) rompe si el publish del type-kit NO se materializó antes.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fiado/api-invoker",
-  "version": "4.4.0",
+  "version": "4.6.0",
   "description": "Sirve como un puente entre diferentes funciones lambda, facilitando la comunicación entre ellas a través de invocaciones http",
   "main": "bin/index.js",
   "types": "bin/index.d.ts",

package/src/container.config.ts

@@ -154,6 +154,8 @@ import BenefitsMarketplaceApi from "./benefits-marketplace/api/BenefitsMarketpla
 import { IUnitellerConnectorApi, UnitellerConnectorApi } from "./uniteller-connector";
 import { ICognitoBackofficeConnectorApi } from "./cognitoBackofficeConnector";
 import CognitoBackofficeConnectorApi from "./cognitoBackofficeConnector/api/CognitoBackofficeConnectorApi";
+import { IPlatformRbacBusinessApi } from "./platformRbac";
+import PlatformRbacBusinessApi from "./platformRbac/api/PlatformRbacBusinessApi";
 
 export const apiInvokerBindings = new ContainerModule(({ bind }) => {
     // UTILS bindings
@@ -273,4 +275,7 @@ export const apiInvokerBindings = new ContainerModule(({ bind }) => {
 
     // Cognito backoffice connector (Fase 0 SureKeep)
     bind<ICognitoBackofficeConnectorApi>("ICognitoBackofficeConnectorApi").to(CognitoBackofficeConnectorApi);
+
+    // Platform RBAC business — Custom Auth Challenge endpoints (Fase 0 SureKeep)
+    bind<IPlatformRbacBusinessApi>("IPlatformRbacBusinessApi").to(PlatformRbacBusinessApi);
 });

package/src/index.ts

@@ -74,3 +74,4 @@ export * from "./ai-engine-connector";
 export * from "./benefits-marketplace";
 export * from "./milestone-business";
 export * from "./cognitoBackofficeConnector";
+export * from "./platformRbac";

package/src/multicommServicePayment/api/MulticommServicePaymentApi.ts

@@ -87,4 +87,9 @@ export default class MulticommServicePaymentApi implements IMulticommServicePaym
         const url = `${this.baseUrl}/internal/services/${idServicio}`;
         return await this.httpRequest.put(url, patch);
     }
+
+    async createService(payload: Record<string, unknown>): Promise<ApiGatewayResponse<any>> {
+        const url = `${this.baseUrl}/internal/services`;
+        return await this.httpRequest.post(url, payload);
+    }
 }

package/src/multicommServicePayment/api/interfaces/IMulticommServicePaymentApi.ts

@@ -38,4 +38,8 @@ export interface IMulticommServicePaymentApi {
     // admin. Consumido por LeafAdminManager de benefits-marketplace-business para
     // edición editorial in-place (admin-leaves v2).
     updateService(idServicio: number, patch: Record<string, unknown>): Promise<ApiGatewayResponse<any>>;
+
+    // POST /internal/services — alta manual de un servicio nuevo (admin-leaves v2).
+    // Consumido por LeafAdminManager de benefits-marketplace-business.
+    createService(payload: Record<string, unknown>): Promise<ApiGatewayResponse<any>>;
 }

package/src/platformRbac/api/PlatformRbacBusinessApi.ts

@@ -0,0 +1,55 @@
+import { inject, injectable } from "inversify";
+import { IHttpRequest } from "@fiado/http-client";
+import { ApiGatewayResponse } from "@fiado/gateway-adapter";
+// TD-AI-001: import de @fiado/type-kit/bin/platformRbac requiere npm link a type-kit 3.43.1 hasta publish final. Ver docs/TECH_DEBT.md.
+import {
+    DefineNextChallengeRequest,
+    DefineNextChallengeResponse,
+    PrepareChallengeRequest,
+    PrepareChallengeResponse,
+    VerifyChallengeRequest,
+    VerifyChallengeResponse,
+} from "@fiado/type-kit/bin/platformRbac";
+import { IPlatformRbacBusinessApi } from "./interfaces/IPlatformRbacBusinessApi";
+
+/**
+ * Publisher HTTP del lambda `platform-rbac-business` (componente 06 SureKeep Fase 0)
+ * para los 3 endpoints internos del Custom Auth Challenge flow.
+ *
+ * Env var requerida en el consumer: `PLATFORM_RBAC_BUSINESS_URL`.
+ * El template.yml del consumer la setea con:
+ *
+ *   PLATFORM_RBAC_BUSINESS_URL: '{{resolve:ssm:platform-rbac-business}}'
+ *
+ * Convención CLAUDE.md global: SSM key = nombre del lambda owner de la URL.
+ * El rbac-business publica su URL en SSM bajo la key `platform-rbac-business`
+ * vía el `post_build` del buildspec.yml estándar Fiado.
+ */
+@injectable()
+export default class PlatformRbacBusinessApi implements IPlatformRbacBusinessApi {
+    /** URL base del lambda. Leída de env var en cold start del consumer. */
+    private readonly baseUrl = process.env.PLATFORM_RBAC_BUSINESS_URL || "";
+
+    constructor(@inject("IHttpRequest") private httpRequest: IHttpRequest) {}
+
+    async defineNextChallenge(
+        input: DefineNextChallengeRequest,
+    ): Promise<ApiGatewayResponse<DefineNextChallengeResponse>> {
+        const url = `${this.baseUrl}/internal/auth/define-next-challenge`;
+        return await this.httpRequest.post(url, input);
+    }
+
+    async prepareChallenge(
+        input: PrepareChallengeRequest,
+    ): Promise<ApiGatewayResponse<PrepareChallengeResponse>> {
+        const url = `${this.baseUrl}/internal/auth/prepare-challenge`;
+        return await this.httpRequest.post(url, input);
+    }
+
+    async verifyChallenge(
+        input: VerifyChallengeRequest,
+    ): Promise<ApiGatewayResponse<VerifyChallengeResponse>> {
+        const url = `${this.baseUrl}/internal/auth/verify-challenge`;
+        return await this.httpRequest.post(url, input);
+    }
+}

package/src/platformRbac/api/interfaces/IPlatformRbacBusinessApi.ts

@@ -0,0 +1,56 @@
+import { ApiGatewayResponse } from "@fiado/gateway-adapter";
+import {
+    DefineNextChallengeRequest,
+    DefineNextChallengeResponse,
+    PrepareChallengeRequest,
+    PrepareChallengeResponse,
+    VerifyChallengeRequest,
+    VerifyChallengeResponse,
+} from "@fiado/type-kit/bin/platformRbac";
+
+/**
+ * Contrato del publisher HTTP del lambda `platform-rbac-business` (componente 06 SureKeep Fase 0)
+ * para los 3 endpoints internos del Custom Auth Challenge flow (MFA).
+ *
+ * Consumidores: `cognito-backoffice-connector` desde los Lambda Triggers
+ * `defineAuthChallenge`, `createAuthChallenge` y `verifyAuthChallengeResponse`
+ * configurados en cada User Pool aprovisionado por la saga `TenantOnboardingManager`.
+ *
+ * Patrón de retorno: `Promise<ApiGatewayResponse<T>>` sin unwrap (v4 canonical Fiado).
+ * El consumer accede `result.body.data` para llegar al payload tipado.
+ *
+ * Env var requerida en el consumer: `PLATFORM_RBAC_BUSINESS_URL`.
+ * El template.yml del consumer la setea con:
+ *
+ *   PLATFORM_RBAC_BUSINESS_URL: '{{resolve:ssm:platform-rbac-business}}'
+ *
+ * Convención CLAUDE.md global: SSM key = nombre del lambda owner de la URL.
+ */
+export interface IPlatformRbacBusinessApi {
+    /**
+     * POST /internal/auth/define-next-challenge — decide el próximo challenge MFA
+     * según los resultados acumulados en `session`. Invocado por el trigger
+     * `defineAuthChallenge` en cada paso del Custom Auth Challenge flow.
+     */
+    defineNextChallenge(
+        input: DefineNextChallengeRequest,
+    ): Promise<ApiGatewayResponse<DefineNextChallengeResponse>>;
+
+    /**
+     * POST /internal/auth/prepare-challenge — prepara el challenge (genera y envía
+     * código OTP por email/SMS, o computa el `privateChallenge` para TOTP).
+     * Invocado por el trigger `createAuthChallenge`.
+     */
+    prepareChallenge(
+        input: PrepareChallengeRequest,
+    ): Promise<ApiGatewayResponse<PrepareChallengeResponse>>;
+
+    /**
+     * POST /internal/auth/verify-challenge — verifica la respuesta del usuario
+     * contra el `privateChallenge`. Invocado por el trigger
+     * `verifyAuthChallengeResponse`.
+     */
+    verifyChallenge(
+        input: VerifyChallengeRequest,
+    ): Promise<ApiGatewayResponse<VerifyChallengeResponse>>;
+}

package/src/platformRbac/index.ts

@@ -0,0 +1,2 @@
+export * from "./api/interfaces/IPlatformRbacBusinessApi";
+export { default as PlatformRbacBusinessApi } from "./api/PlatformRbacBusinessApi";

package/src/stpServicePayment/api/StpServicePaymentApi.ts

@@ -87,4 +87,9 @@ export default class StpServicePaymentApi implements IStpServicePaymentApi {
         const url = `${this.baseUrl}/internal/services/${idServicio}`;
         return await this.httpRequest.put(url, patch);
     }
+
+    async createService(payload: Record<string, unknown>): Promise<ApiGatewayResponse<any>> {
+        const url = `${this.baseUrl}/internal/services`;
+        return await this.httpRequest.post(url, payload);
+    }
 }

package/src/stpServicePayment/api/interfaces/IStpServicePaymentApi.ts

@@ -38,4 +38,8 @@ export interface IStpServicePaymentApi {
     // admin. Consumido por LeafAdminManager de benefits-marketplace-business para
     // edición editorial in-place (admin-leaves v2).
     updateService(idServicio: number, patch: Record<string, unknown>): Promise<ApiGatewayResponse<any>>;
+
+    // POST /internal/services — alta manual de un servicio nuevo (admin-leaves v2).
+    // Consumido por LeafAdminManager de benefits-marketplace-business.
+    createService(payload: Record<string, unknown>): Promise<ApiGatewayResponse<any>>;
 }