@revenexx/cover 0.1.0

package/server/api/orders/index.post.ts

@@ -0,0 +1,376 @@
+// Method codes are generic — live mode validates them against the
+// payments app; the demo-only methods keep their extra fields.
+interface OrderPayment {
+	method: string;
+	poNumber?: string;
+	costCenter?: string;
+}
+
+// Business orders require company data; private (B2C guest) orders don't.
+const REQUIRED_ADDRESS_FIELDS_BUSINESS = ["companyName", "contactName", "street", "city", "postalCode", "country"] as const;
+const REQUIRED_ADDRESS_FIELDS_PRIVATE = ["contactName", "street", "city", "postalCode", "country"] as const;
+const REQUIRED_BILLING_FIELDS = ["street", "city", "postalCode", "country"] as const;
+const VALID_DELIVERY_METHODS = ["standard", "express"] as const;
+
+interface OrderPayload {
+	checkoutSessionToken: string;
+	billingCountry?: string;
+	customerType?: "business" | "private";
+	contactEmail?: string;
+	orderNumber?: string;
+	quoteNumber?: string;
+	noOrderConfirmation?: boolean;
+	address: Record<string, unknown>;
+	payment: Record<string, unknown>;
+	items: Array<{ id: string; quantity: number; price: number }>;
+	deliveryMethod?: string;
+	requestedDate?: string;
+	deliveryNote?: string;
+	partialDelivery?: boolean;
+	orderNote?: string;
+	promoCode?: string;
+}
+
+function isNonEmptyString(v: unknown): v is string {
+	return typeof v === "string" && v.trim().length > 0;
+}
+
+function validateAddress(address: Record<string, unknown>, customerType: "business" | "private"): string | null {
+	const requiredFields = customerType === "private"
+		? REQUIRED_ADDRESS_FIELDS_PRIVATE
+		: REQUIRED_ADDRESS_FIELDS_BUSINESS;
+	for (const field of requiredFields) {
+		if (!isNonEmptyString(address[field])) {
+			return `Missing required address field: ${field}`;
+		}
+	}
+	if (address.billingAddressSameAsShipping === false) {
+		const billing = address.billing as Record<string, unknown> | undefined;
+		if (!billing || typeof billing !== "object") {
+			return "Billing address is required when different from shipping";
+		}
+		for (const field of REQUIRED_BILLING_FIELDS) {
+			if (!isNonEmptyString(billing[field])) {
+				return `Missing required billing address field: ${field}`;
+			}
+		}
+	}
+	return null;
+}
+
+function buildPayment(raw: Record<string, unknown>, live: boolean): OrderPayment {
+	const method = raw.method as string;
+	if (!isNonEmptyString(method)) {
+		throw createError({ status: 422, message: "Payment method is required" });
+	}
+	if (method === "po_number") {
+		if (!isNonEmptyString(raw.poNumber)) {
+			throw createError({ status: 422, message: "PO number is required for po_number payment method" });
+		}
+		return { method, poNumber: raw.poNumber };
+	}
+	if (method === "cost_center") {
+		if (!isNonEmptyString(raw.costCenter)) {
+			throw createError({ status: 422, message: "Cost center is required for cost_center payment method" });
+		}
+		return { method, costCenter: raw.costCenter };
+	}
+	// Live codes are validated by the payments app at payment creation;
+	// mock mode only knows the demo methods.
+	if (!live && method !== "invoice") {
+		throw createError({ status: 422, message: `Invalid payment method: ${method}` });
+	}
+	return { method };
+}
+
+export default defineEventHandler(async (event) => {
+	const body = await readBody<OrderPayload>(event);
+
+	try {
+		if (!body?.checkoutSessionToken || !consumeCheckoutSession(body.checkoutSessionToken)) {
+			throw createError({ status: 401, message: "Invalid or expired checkout session" });
+		}
+
+		if (!body.items?.length) {
+			throw createError({ status: 400, message: "Cart is empty" });
+		}
+
+		const customerType = body.customerType === "private" ? "private" : "business";
+		const addressError = validateAddress(body.address ?? {}, customerType);
+		if (addressError) {
+			throw createError({ status: 422, message: addressError });
+		}
+
+		const liveShipping = resolveShippingServiceKey(event) === "api";
+		if (
+			!liveShipping
+			&& body.deliveryMethod !== undefined
+			&& !(VALID_DELIVERY_METHODS as readonly string[]).includes(body.deliveryMethod)
+		) {
+			throw createError({
+				status: 422,
+				message: `Invalid delivery method: ${body.deliveryMethod}`,
+			});
+		}
+
+		const livePayments = resolvePaymentServiceKey(event) === "api";
+		const payment = buildPayment(body.payment ?? {}, livePayments);
+
+		// Approval limits are checked at order time: exceeding a blocking
+		// limit turns the order into an approval request (it does not fail).
+		const user = await getAuthService(event).me(event);
+		const context = await getB2BContextService(event).getContext(user?.$id ?? null);
+		const locale = resolveLocale(event);
+		const calculation = await getCartCalculationService().calculate(
+			{
+				items: body.items as never,
+				...(body.deliveryMethod ? { deliveryMethod: body.deliveryMethod } : {}),
+			},
+			context,
+			locale,
+		);
+		const blockingApprovals = calculation.approvalLimits.filter(
+			l => l.status === "exceeded" && l.approval.required,
+		);
+
+		// Live shipping: the chosen method must be a real rate for this
+		// buyer context; its price replaces the demo calculation's shipping
+		// line in the order totals and the amount the payment is created over.
+		let liveShippingAdjustment = 0;
+		if (liveShipping && body.deliveryMethod) {
+			const address = body.address as Record<string, unknown> | undefined;
+			try {
+				const { rates } = await useRevenexxApi().post<{ rates: Array<{ code: string; price: number }> }>("/v1/shipping/rates", {
+					order_value: calculation.totals.find(row => row.key === "subtotal")?.amount
+						?? calculation.totals.find(row => row.key === "total")?.amount ?? 0,
+					country: String(address?.country ?? ""),
+				});
+				const rate = rates.find(r => r.code === body.deliveryMethod);
+				if (!rate) {
+					throw createError({ status: 422, message: `Delivery method '${body.deliveryMethod}' is not available for this order` });
+				}
+				const mockShipping = calculation.totals.find(row => row.key === "shipping")?.amount ?? 0;
+				liveShippingAdjustment = rate.price - mockShipping;
+			}
+			catch (err) {
+				if (isError(err)) {
+					throw err;
+				}
+				getLogService().error("Shipping rate resolution failed", apiErrorContext(err));
+				throw createError({ status: 502, message: "Shipping service unavailable" });
+			}
+		}
+
+		let orderId = `ORD-${Date.now()}-${Math.random().toString(36).slice(2, 7).toUpperCase()}`;
+
+		// Live orders: place through the orders app FIRST — the real order
+		// number becomes the payment's order_ref and the cart freeze ref.
+		// Orders that await a (demo) approval stay in the mock flow; the
+		// approvals domain is deliberately not part of OM phase 1.
+		const liveOrders = resolveOrderServiceKey(event) === "api" && blockingApprovals.length === 0;
+		let liveOrderUuid: string | null = null;
+		if (liveOrders) {
+			const address = body.address as Record<string, unknown>;
+			const billing = address?.billingAddressSameAsShipping === false
+				? address?.billing as Record<string, unknown> | undefined
+				: address;
+			const totalRow = calculation.totals.find(row => row.key === "total");
+			const shippingRow = calculation.totals.find(row => row.key === "shipping");
+			try {
+				const placed = await useRevenexxApi().post<{ id: string; number: string }>("/v1/orders/place", {
+					...sessionOrderRefs(event),
+					currency: calculation.currency,
+					...(body.orderNumber ? { customer_order_number: body.orderNumber } : {}),
+					buyer: user ? { name: user.name, email: user.email } : { email: body.contactEmail ?? null },
+					billing_address: billing ?? null,
+					shipping_address: address ?? null,
+					payment: { method: payment.method },
+					shipping: {
+						method: body.deliveryMethod ?? "standard",
+						price: Math.max(0, (shippingRow?.amount ?? 0) + liveShippingAdjustment),
+					},
+					// The order carries what the customer saw (and the payment
+					// charges): the checkout calculation's total.
+					grand_total: Math.max(0, Math.round(((totalRow?.amount ?? 0) + liveShippingAdjustment) * 100) / 100),
+					items: (body.items as Array<Record<string, unknown>>).map((item, index) => ({
+						product_id: String(item.id),
+						sku: String(item.sku ?? "") || undefined,
+						name: String(item.name ?? item.sku ?? item.id),
+						quantity: calculation.lines[index]?.adjustedQuantity ?? Number(item.quantity),
+						unit_price: calculation.lines[index]?.unitPrice ?? Number(item.price ?? 0),
+						tax_rate: 19,
+						product: {
+							...(item.image ? { image: String(item.image) } : {}),
+							...(item.categorySlug ? { categorySlug: String(item.categorySlug) } : {}),
+							...(item.subcategorySlug ? { subcategorySlug: String(item.subcategorySlug) } : {}),
+						},
+					})),
+					user_data: {
+						...(body.deliveryNote ? { delivery_note: body.deliveryNote } : {}),
+						...(body.orderNote ? { order_note: body.orderNote } : {}),
+						...(body.partialDelivery !== undefined ? { partial_delivery: body.partialDelivery } : {}),
+						...(body.requestedDate ? { requested_date: body.requestedDate } : {}),
+					},
+				});
+				orderId = placed.number;
+				liveOrderUuid = placed.id;
+			}
+			catch (err) {
+				if (err instanceof RevenexxApiError && (err.statusCode === 400 || err.statusCode === 422)) {
+					throw createError({ status: 422, message: err.message });
+				}
+				getLogService().error("Order placement failed", apiErrorContext(err));
+				throw createError({ status: 502, message: "Order service unavailable" });
+			}
+		}
+
+		// Live payments: create + authorize through the payments app —
+		// eligibility (countries, order-value bounds) is enforced there
+		// again; a declined payment fails the order with 402 (and cancels
+		// the already placed live order).
+		let livePaymentStatus: string | null = null;
+		if (livePayments) {
+			const totalRow = calculation.totals.find(row => row.key === "total");
+			const address = body.address as Record<string, unknown> | undefined;
+			const billing = address?.billingAddressSameAsShipping === false
+				? address?.billing as Record<string, unknown> | undefined
+				: address;
+			const country = String(body.billingCountry ?? billing?.country ?? "");
+			try {
+				const created = await useRevenexxApi().post<{ id: string; status: string; error_message?: string | null }>("/v1/payments", {
+					method_code: payment.method,
+					amount: Math.max(0, Math.round(((totalRow?.amount ?? 0) + liveShippingAdjustment) * 100) / 100),
+					currency: calculation.currency,
+					country,
+					order_ref: orderId,
+					contact_id: undefined,
+					idempotency_key: body.checkoutSessionToken,
+					metadata: {
+						...(payment.poNumber ? { po_number: payment.poNumber } : {}),
+						...(payment.costCenter ? { cost_center: payment.costCenter } : {}),
+					},
+				});
+				if (created.status === "failed") {
+					throw createError({ status: 402, message: created.error_message ?? "Payment was declined" });
+				}
+				livePaymentStatus = created.status;
+			}
+			catch (err) {
+				// A placed live order must not survive a failed payment.
+				if (liveOrderUuid) {
+					try {
+						await useRevenexxApi().post(`/v1/orders/${liveOrderUuid}/cancel`, { reason: "payment failed" });
+					}
+					catch (cancelErr) {
+						getLogService().error("Order cancel after payment failure failed", apiErrorContext(cancelErr));
+					}
+				}
+				if (isError(err)) {
+					throw err;
+				}
+				if (err instanceof RevenexxApiError && (err.statusCode === 400 || err.statusCode === 422)) {
+					throw createError({ status: 422, message: err.message });
+				}
+				getLogService().error("Payment creation failed", apiErrorContext(err));
+				throw createError({ status: 502, message: "Payment service unavailable" });
+			}
+		}
+
+		// The payment dimension of the live order follows the payment outcome.
+		if (liveOrderUuid && livePaymentStatus) {
+			const mapped = livePaymentStatus === "succeeded" || livePaymentStatus === "paid"
+				? "paid"
+				: livePaymentStatus === "authorized" ? "authorized" : "pending";
+			try {
+				await useRevenexxApi().post(`/v1/orders/${liveOrderUuid}/payment-status`, { status: mapped });
+			}
+			catch (err) {
+				getLogService().error("Order payment-status sync failed", apiErrorContext(err));
+			}
+		}
+
+		// The live cart freezes as the order source (best-effort).
+		if (livePayments || liveOrders) {
+			const manager = getCartManager(event);
+			if (manager) {
+				try {
+					await manager.orderActiveCart(event, orderId);
+				}
+				catch (cartErr) {
+					getLogService().error("Cart order hand-over failed", toErrorContext(cartErr));
+				}
+			}
+		}
+
+		// Demo persistence: signed-in orders land in the account history
+		// (mutable store) so the checkout outcome shows up immediately.
+		// With live orders the history comes from the orders app instead.
+		if (user && !liveOrders) {
+			try {
+				const lineByIndex = calculation.lines;
+				const positions = (body.items as Array<Record<string, unknown>>).map((item, index) => ({
+					id: String(item.id),
+					sku: String(item.sku ?? ""),
+					name: String(item.name ?? ""),
+					...(item.image ? { image: String(item.image) } : {}),
+					quantity: lineByIndex[index]?.adjustedQuantity ?? Number(item.quantity),
+					unitPrice: lineByIndex[index]?.unitPrice ?? Number(item.price ?? 0),
+					lineTotal: lineByIndex[index]?.lineTotal ?? 0,
+					...(item.categorySlug ? { categorySlug: String(item.categorySlug) } : {}),
+					...(item.subcategorySlug ? { subcategorySlug: String(item.subcategorySlug) } : {}),
+				}));
+				const totalRow = calculation.totals.find(row => row.key === "total");
+				const address = body.address as Record<string, unknown>;
+				const billing = address?.billingAddressSameAsShipping === false
+					? address?.billing as Record<string, unknown> | undefined
+					: address;
+				const addressLine = (a: Record<string, unknown> | undefined): string =>
+					[a?.companyName, a?.street, `${a?.postalCode ?? ""} ${a?.city ?? ""}`.trim()]
+						.filter(Boolean).join(" · ");
+				const today = new Date().toISOString().slice(0, 10);
+				const history = await readCoverMutableJson<{ orders: unknown[] }>("account/order-list.json");
+				history.orders.unshift({
+					id: orderId,
+					date: today,
+					status: blockingApprovals.length ? "approval-pending" : "processing",
+					paymentStatus: "open",
+					total: totalRow?.amount ?? 0,
+					currency: calculation.currency,
+					...(body.orderNumber ? { orderNumber: body.orderNumber } : {}),
+					positions,
+					deliveryAddress: addressLine(address),
+					billingAddress: addressLine(billing),
+					paymentMethod: payment.method,
+					progress: blockingApprovals.length
+						? [{ step: "ordered", date: today }]
+						: [{ step: "ordered", date: today }, { step: "processing", date: today }],
+					...(blockingApprovals.length
+						? { approvers: [...new Set(blockingApprovals.map(l => l.approval.approverName).filter(Boolean))] }
+						: {}),
+				});
+				await writeCoverMutableJson("account/order-list.json", history);
+			}
+			catch (persistErr) {
+				getLogService().error("Order history persistence failed", toErrorContext(persistErr));
+			}
+		}
+
+		return {
+			orderId,
+			status: blockingApprovals.length ? "approval-pending" : "confirmed",
+			createdAt: new Date().toISOString(),
+			payment,
+			approvalRequired: blockingApprovals.length > 0,
+			approvers: [...new Set(blockingApprovals
+				.map(l => l.approval.approverName)
+				.filter((name): name is string => Boolean(name)))],
+		};
+	}
+	catch (err) {
+		if (err !== null && typeof err === "object" && "statusCode" in err) {
+			throw err;
+		}
+		getLogService().error("Service error: orders/create", toErrorContext(err));
+		throw createError({ statusCode: 500, message: "Internal server error" });
+	}
+});

package/server/api/payment/methods.post.ts

@@ -0,0 +1,65 @@
+import type { PaymentOption } from "../../../app/interfaces/payment";
+import type { Locale } from "../../utils/locale";
+
+/** Eligible method row of the payments app. */
+interface ApiEligibleMethod {
+	code: string;
+	name: string;
+	labels: Record<string, string> | null;
+	description: string | null;
+	kind: string;
+	provider: string | null;
+	fee: number;
+	fee_type: "none" | "fixed" | "percent";
+	currency: string;
+	position: number;
+}
+
+/**
+ * The checkout's payment question — "what can THIS buyer pay with?".
+ * Live mode resolves against the payments app (restrictions + fees are
+ * evaluated server-side there); mock mode answers the demo profile's
+ * static methods. Body: { amount, country, currency? }.
+ */
+export default defineEventHandler(async (event) => {
+	const { amount = 0, country = "", currency = "EUR" } = await readBody<{
+		amount?: number; country?: string; currency?: string;
+	}>(event);
+
+	if (resolvePaymentServiceKey(event) !== "api") {
+		const user = await getAuthService(event).me(event);
+		const profile = await getCheckoutProfileService().getProfile(user?.$id ?? null);
+		return {
+			managed: false,
+			methods: profile.availablePaymentMethods,
+			defaultMethod: profile.defaultPaymentMethod,
+		};
+	}
+
+	const locale: Locale = resolveLocale(event);
+	try {
+		const { methods } = await useRevenexxApi().post<{ methods: ApiEligibleMethod[] }>(
+			"/v1/payments/methods/eligible",
+			{ amount, country, currency },
+		);
+
+		const options: PaymentOption[] = methods.map(m => ({
+			method: m.code,
+			label: m.labels?.[locale] ?? m.name,
+			...(m.description ? { description: m.description } : {}),
+			fee: m.fee,
+			feeType: m.fee_type,
+			kind: m.kind,
+		}));
+
+		return {
+			managed: true,
+			methods: options,
+			defaultMethod: options[0]?.method ?? null,
+		};
+	}
+	catch (err) {
+		getLogService().error("Service error: payment/methods", apiErrorContext(err));
+		throw createError({ statusCode: 500, message: "Internal server error" });
+	}
+});

package/server/api/product/[id].get.ts

@@ -0,0 +1,29 @@
+export default defineEventHandler(async (event) => {
+	const id = getRouterParam(event, "id") ?? "";
+	if (!id) {
+		throw createError({ statusCode: 400, message: "Invalid product id" });
+	}
+
+	const locale = resolveLocale(event);
+
+	try {
+		let detail = await getProductService(event).getProductDetail(id, locale);
+		if (!detail) {
+			throw createError({ statusCode: 404, message: "Product not found" });
+		}
+		if (resolvePriceServiceKey(event) === "api") {
+			detail = await enrichDetailWithLivePrices(event, detail);
+		}
+		if (resolveInventoryServiceKey(event) === "api") {
+			detail = await enrichDetailWithLiveAvailability(event, detail);
+		}
+		return detail;
+	}
+	catch (err) {
+		if (err !== null && typeof err === "object" && "statusCode" in err) {
+			throw err;
+		}
+		getLogService().error("Service error: product/detail", { id, ...toErrorContext(err) });
+		throw createError({ statusCode: 500, message: "Internal server error" });
+	}
+});

package/server/api/products/[id].get.ts

@@ -0,0 +1,30 @@
+export default defineEventHandler(async (event) => {
+	const locale = resolveLocale(event);
+	const id = getRouterParam(event, "id") ?? "";
+	if (!id) {
+		throw createError({ status: 400, message: "Invalid product id" });
+	}
+
+	try {
+		let product = await getProductService(event).getProductById(id, locale);
+		if (!product) {
+			throw createError({ status: 404, message: "Product not found" });
+		}
+		if (resolvePriceServiceKey(event) === "api") {
+			const [enriched] = await enrichProductsWithLivePrices(event, [product]);
+			product = enriched ?? product;
+		}
+		if (resolveInventoryServiceKey(event) === "api") {
+			const [enriched] = await enrichProductsWithLiveAvailability(event, [product]);
+			product = enriched ?? product;
+		}
+		return product;
+	}
+	catch (err) {
+		if (err !== null && typeof err === "object" && "statusCode" in err) {
+			throw err;
+		}
+		getLogService().error("Service error: products/by-id", { id, ...toErrorContext(err) });
+		throw createError({ statusCode: 500, message: "Internal server error" });
+	}
+});

package/server/api/products/index.get.ts

@@ -0,0 +1,21 @@
+export default defineEventHandler(async (event) => {
+	const locale = resolveLocale(event);
+	const { category, subcategory } = getQuery(event) as {
+		category?: string; subcategory?: string;
+	};
+
+	try {
+		let products = await getProductService(event).listProducts({ category, subcategory, locale });
+		if (resolvePriceServiceKey(event) === "api") {
+			products = await enrichProductsWithLivePrices(event, products);
+		}
+		if (resolveInventoryServiceKey(event) === "api") {
+			products = await enrichProductsWithLiveAvailability(event, products);
+		}
+		return products;
+	}
+	catch (err) {
+		getLogService().error("Service error: products/list", toErrorContext(err));
+		throw createError({ statusCode: 500, message: "Internal server error" });
+	}
+});

package/server/api/requisitions/index.post.ts

@@ -0,0 +1,67 @@
+import type { Requisition, RequisitionItemSnapshot } from "../../../app/interfaces/b2b";
+
+interface RequisitionPayload {
+	workflowId: string;
+	items: RequisitionItemSnapshot[];
+	deliveryAddress?: Requisition["deliveryAddress"];
+	note?: string;
+}
+
+const r2 = (n: number): number => Math.round(n * 100) / 100;
+
+/**
+ * Creates a requisition (order request): the requester's checkout outcome.
+ * The requisition enters its workflow with a `submitted` audit entry and
+ * becomes loadable by the workflow's orderers.
+ */
+export default defineEventHandler(async (event) => {
+	const user = await getAuthService(event).me(event);
+	if (!user) {
+		throw createError({ statusCode: 401, message: "Unauthorized" });
+	}
+
+	const body = await readBody<RequisitionPayload>(event);
+	if (!body?.workflowId || !Array.isArray(body.items) || body.items.length === 0) {
+		throw createError({ statusCode: 400, message: "workflowId and items[] required" });
+	}
+
+	const context = await getB2BContextService(event).getContext(user.$id);
+	if (!context.settings.workflows.enabled) {
+		throw createError({ statusCode: 403, message: "Workflows are disabled" });
+	}
+	const workflow = context.workflows.find(wf => wf.id === body.workflowId);
+	if (!workflow) {
+		throw createError({ statusCode: 403, message: "Not a member of this workflow" });
+	}
+
+	try {
+		const requisitions = await readCoverMutableJson<Requisition[]>("account/requisitions.json");
+
+		const requisition: Requisition = {
+			id: `REQ-${Date.now().toString(36).toUpperCase()}`,
+			workflowId: workflow.id,
+			workflowName: workflow.name,
+			requestedBy: { id: user.$id, name: user.name },
+			requestedAt: new Date().toISOString(),
+			status: "open",
+			totalValue: r2(body.items.reduce((sum, i) => sum + i.price * i.quantity, 0)),
+			items: body.items,
+			history: [{
+				id: `wh-${Date.now().toString(36)}`,
+				stepSequence: 1,
+				action: "submitted",
+				actorName: user.name,
+				actionDate: new Date().toISOString(),
+				...(body.note ? { comment: body.note } : {}),
+			}],
+			...(body.deliveryAddress ? { deliveryAddress: body.deliveryAddress } : {}),
+		};
+
+		await writeCoverMutableJson("account/requisitions.json", [requisition, ...requisitions]);
+		return { requisitionId: requisition.id, status: requisition.status };
+	}
+	catch (err) {
+		getLogService().error("Service error: requisitions/create", toErrorContext(err));
+		throw createError({ statusCode: 500, message: "Internal server error" });
+	}
+});

package/server/api/shipping/rates.post.ts

@@ -0,0 +1,70 @@
+import type { DeliveryOption } from "../../../app/interfaces/delivery";
+import type { Locale } from "../../utils/locale";
+
+/** Rate row of the shipping app. */
+interface ApiShippingRate {
+	code: string;
+	name: string;
+	labels: Record<string, string> | null;
+	price: number;
+	eta_days_min: number | null;
+	eta_days_max: number | null;
+}
+
+function formatEta(rate: ApiShippingRate): string {
+	if (rate.eta_days_min === null && rate.eta_days_max === null) {
+		return "";
+	}
+	if (rate.eta_days_min !== null && rate.eta_days_max !== null && rate.eta_days_min !== rate.eta_days_max) {
+		return `${rate.eta_days_min}–${rate.eta_days_max}`;
+	}
+	return String(rate.eta_days_max ?? rate.eta_days_min);
+}
+
+/**
+ * The checkout's delivery question — "how can THIS order ship, at what
+ * price?". Live mode resolves against the shipping app (fixed/free/matrix
+ * pricing, free-above, country restrictions evaluated server-side); mock
+ * mode answers the demo profile's static methods.
+ * Body: { amount, country, weight?, quantity? }.
+ */
+export default defineEventHandler(async (event) => {
+	const { amount = 0, country = "", weight, quantity } = await readBody<{
+		amount?: number; country?: string; weight?: number; quantity?: number;
+	}>(event);
+
+	if (resolveShippingServiceKey(event) !== "api") {
+		const user = await getAuthService(event).me(event);
+		const profile = await getCheckoutProfileService().getProfile(user?.$id ?? null);
+		return {
+			managed: false,
+			methods: profile.availableDeliveryMethods,
+			defaultMethod: profile.defaultDeliveryMethod,
+		};
+	}
+
+	const locale: Locale = resolveLocale(event);
+	try {
+		const { rates } = await useRevenexxApi().post<{ rates: ApiShippingRate[] }>(
+			"/v1/shipping/rates",
+			{ order_value: amount, country, weight, quantity },
+		);
+
+		const methods: DeliveryOption[] = rates.map(rate => ({
+			method: rate.code,
+			label: rate.labels?.[locale] ?? rate.name,
+			price: rate.price,
+			eta: formatEta(rate),
+		}));
+
+		return {
+			managed: true,
+			methods,
+			defaultMethod: methods[0]?.method ?? null,
+		};
+	}
+	catch (err) {
+		getLogService().error("Service error: shipping/rates", apiErrorContext(err));
+		throw createError({ statusCode: 500, message: "Internal server error" });
+	}
+});

package/server/api/themes/index.get.ts

@@ -0,0 +1,9 @@
+export default defineEventHandler(async (event) => {
+	try {
+		return await getThemeService(event).listThemes();
+	}
+	catch (err) {
+		getLogService().error("Service error: themes/list", toErrorContext(err));
+		throw createError({ statusCode: 500, message: "Internal server error" });
+	}
+});