@sakeetech/medusa-payment-viva 0.2.2

package/dist/api/viva/admin/connected-accounts/[id]/sources/route.js

@@ -0,0 +1,234 @@
+"use strict";
+/**
+ * route.ts — POST /viva/admin/connected-accounts/:id/sources
+ *
+ * ISV-only admin endpoint. Creates a payment source (ecommerce or physical)
+ * on a connected merchant's Viva account via `POST /api/sources` on the
+ * legacy host, authenticated with **Reseller Basic** auth.
+ *
+ *   1. Validates plugin is in ISV mode (404 in merchant mode).
+ *   2. Validates admin token (401 if missing/wrong).
+ *   3. Requires `config.reseller` (412 with `VIVA_RESELLER_CREDENTIALS_MISSING`).
+ *   4. Resolves the connected merchant's `merchantId` UUID via
+ *      `IsvAccounts.retrieveConnectedAccount(:id)` — 409 with
+ *      `VIVA_ACCOUNT_NOT_VERIFIED` when `verified !== true` or `merchantId`
+ *      is null.
+ *   5. Builds a per-request `BasicAuthClient` with `authVariant: 'reseller'`
+ *      whose username slot carries `resellerId:account.merchantId` (NOT the
+ *      platform's merchant id — see AUTH.md §1.2 line 98 + ENDPOINTS.md §5.1).
+ *   6. Calls `IsvSources.createEcommerceSource` or `createPhysicalSource`
+ *      based on the body's `kind` discriminator.
+ *   7. Returns 201 + `{ sourceCode, name, kind }`.
+ *
+ * Viva 4xx on `/api/sources` is mapped to 422 with `VIVA_SOURCE_CREATION_FAILED`.
+ * Viva 5xx / non-API errors fall through to the existing 5xx envelope.
+ *
+ * @see docs/plans/multi-mode-v0.md §6 (admin REST table)
+ * @see docs/ENDPOINTS.md §5.1
+ * @see docs/AUTH.md §1.2 (Reseller Basic)
+ * @see docs/ERRORS.md (VIVA_SOURCE_CREATION_FAILED, VIVA_RESELLER_CREDENTIALS_MISSING)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = void 0;
+const isv_1 = require("@sakeetech/viva-payments-core/isv");
+const legacy_1 = require("@sakeetech/viva-payments-core/legacy");
+const errors_1 = require("@sakeetech/viva-payments-core/errors");
+const config_js_1 = require("../../../../../../config.js");
+const auth_strategy_factory_js_1 = require("../../../../../../resolvers/auth-strategy-factory.js");
+const _mode_gate_js_1 = require("../../../_mode-gate.js");
+const _admin_auth_js_1 = require("../../../_admin-auth.js");
+/**
+ * Narrow the raw body into an IsvSources input by `kind`. Returns either a
+ * validated `{ kind, input }` pair or a `{ error }` envelope describing the
+ * first validation failure.
+ */
+function parseBody(raw) {
+    const body = (raw ?? {});
+    const kind = body.kind;
+    if (kind !== 'ecommerce' && kind !== 'physical') {
+        return {
+            ok: false,
+            status: 400,
+            body: {
+                error: 'invalid_request',
+                message: "body.kind must be 'ecommerce' or 'physical'",
+            },
+        };
+    }
+    const sourceCode = body.sourceCode;
+    if (sourceCode !== undefined && typeof sourceCode !== 'number') {
+        return {
+            ok: false,
+            status: 400,
+            body: { error: 'invalid_request', message: 'sourceCode must be a number' },
+        };
+    }
+    if (kind === 'physical') {
+        if (typeof body.name !== 'string' || body.name.trim() === '') {
+            return {
+                ok: false,
+                status: 400,
+                body: { error: 'invalid_request', message: 'name is required for physical sources' },
+            };
+        }
+        const input = {
+            name: body.name,
+            ...(sourceCode !== undefined ? { sourceCode: sourceCode } : {}),
+        };
+        return { ok: true, kind, input };
+    }
+    // ecommerce
+    if (typeof body.domain !== 'string' || body.domain.trim() === '') {
+        return {
+            ok: false,
+            status: 400,
+            body: { error: 'invalid_request', message: 'domain is required for ecommerce sources' },
+        };
+    }
+    if (typeof body.pathSuccess !== 'string' || body.pathSuccess.trim() === '') {
+        return {
+            ok: false,
+            status: 400,
+            body: { error: 'invalid_request', message: 'pathSuccess is required for ecommerce sources' },
+        };
+    }
+    if (typeof body.pathFail !== 'string' || body.pathFail.trim() === '') {
+        return {
+            ok: false,
+            status: 400,
+            body: { error: 'invalid_request', message: 'pathFail is required for ecommerce sources' },
+        };
+    }
+    const ecomInput = {
+        domain: body.domain,
+        pathSuccess: body.pathSuccess,
+        pathFail: body.pathFail,
+        ...(typeof body.name === 'string' ? { name: body.name } : {}),
+        ...(typeof body.isSecure === 'boolean' ? { isSecure: body.isSecure } : {}),
+        ...(sourceCode !== undefined ? { sourceCode: sourceCode } : {}),
+    };
+    return { ok: true, kind, input: ecomInput };
+}
+// ---------------------------------------------------------------------------
+// Handler
+// ---------------------------------------------------------------------------
+const POST = async (req, res) => {
+    if ((0, _mode_gate_js_1.reject404IfNotIsv)(req, res))
+        return;
+    if ((0, _admin_auth_js_1.reject401IfUnauthorized)(req, res))
+        return;
+    const id = req.params?.id;
+    if (!id) {
+        res.status(400).json({ error: 'id is required' });
+        return;
+    }
+    // Load config + check reseller block before parsing body so misconfigured
+    // deployments fail fast with a clear envelope.
+    let config;
+    try {
+        config = (0, config_js_1.loadConfigFromEnv)(process.env);
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        res.status(500).json({ error: 'internal_error', message });
+        return;
+    }
+    if (config.mode !== 'isv') {
+        // Defensive: reject404IfNotIsv already covered this, but the type guard
+        // narrows config to VivaIsvConfig below.
+        res.status(404).json({ error: 'Not Found' });
+        return;
+    }
+    if (!config.reseller) {
+        res.status(412).json({
+            error: 'precondition_failed',
+            code: 'VIVA_RESELLER_CREDENTIALS_MISSING',
+            message: 'POST /viva/admin/connected-accounts/:id/sources requires reseller credentials. ' +
+                'Set VIVA_RESELLER_ID, VIVA_RESELLER_MERCHANT_ID, VIVA_RESELLER_API_KEY.',
+        });
+        return;
+    }
+    const parsed = parseBody(req.body);
+    if (!parsed.ok) {
+        res.status(parsed.status).json(parsed.body);
+        return;
+    }
+    try {
+        // 1. Resolve the connected merchant's UUID via OAuth2 (platform) creds.
+        const authStrategies = (0, auth_strategy_factory_js_1.buildAuthStrategies)(config);
+        const httpClient = new isv_1.IsvHttpClient({
+            environment: config.environment,
+            authStrategy: authStrategies.primary,
+        });
+        const accounts = new isv_1.IsvAccounts(httpClient);
+        const account = await accounts.retrieveConnectedAccount(id);
+        if (account.verified !== true || account.merchantId == null) {
+            res.status(409).json({
+                error: 'conflict',
+                code: 'VIVA_ACCOUNT_NOT_VERIFIED',
+                message: `Connected account ${id} is not verified yet (verified=${String(account.verified)}, ` +
+                    `merchantId=${account.merchantId == null ? 'null' : 'set'}). ` +
+                    `Wait for webhook 8194 or POST /viva/admin/connected-accounts/${id}/reconcile.`,
+            });
+            return;
+        }
+        // 2. Build Reseller Basic client scoped to THIS connected merchant.
+        //    Per AUTH.md §1.2 line 98 + ENDPOINTS.md §5.1: the MerchantId slot of
+        //    Reseller Basic is the connected merchant's UUID (account.merchantId),
+        //    NOT the platform's merchant id (config.reseller.merchantId — which
+        //    is unused here, despite the field name).
+        const basic = new legacy_1.BasicAuthClient({
+            authVariant: 'reseller',
+            environment: config.environment,
+            resellerId: config.reseller.resellerId,
+            merchantId: account.merchantId,
+            resellerApiKey: config.reseller.resellerApiKey,
+        });
+        const sources = new isv_1.IsvSources(basic);
+        // 3. Dispatch on kind.
+        const response = parsed.kind === 'ecommerce'
+            ? await sources.createEcommerceSource(parsed.input)
+            : await sources.createPhysicalSource(parsed.input);
+        res.status(201).json({
+            sourceCode: response.sourceCode,
+            name: response.name ?? parsed.input.name,
+            kind: parsed.kind,
+        });
+    }
+    catch (err) {
+        if (err instanceof errors_1.VivaValidationError) {
+            res.status(400).json({
+                error: 'invalid_request',
+                code: err.code,
+                message: err.message,
+            });
+            return;
+        }
+        if (err instanceof errors_1.VivaApiError) {
+            const status = err.httpStatus;
+            // Map Viva 4xx on /api/sources to VIVA_SOURCE_CREATION_FAILED (422 envelope).
+            if (typeof status === 'number' && status >= 400 && status < 500) {
+                res.status(422).json({
+                    error: 'unprocessable_entity',
+                    code: 'VIVA_SOURCE_CREATION_FAILED',
+                    vivaStatus: status,
+                    vivaCode: err.code,
+                    message: err.message,
+                });
+                return;
+            }
+            // Non-4xx Viva error (network, 5xx) — pass through.
+            res.status(status ?? 502).json({
+                error: 'viva_api_error',
+                code: err.code,
+                message: err.message,
+            });
+            return;
+        }
+        const logger = req.scope?.resolve?.('logger');
+        logger?.error?.(`[viva] POST /viva/admin/connected-accounts/:id/sources failed: ${err instanceof Error ? err.message : String(err)}`);
+        res.status(500).json({ error: 'internal_error' });
+    }
+};
+exports.POST = POST;
+//# sourceMappingURL=route.js.map

package/dist/api/viva/admin/connected-accounts/[id]/sources/route.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"route.js","sourceRoot":"","sources":["../../../../../../../src/api/viva/admin/connected-accounts/[id]/sources/route.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;;;AAGH,2DAI2C;AAC3C,iEAAuE;AACvE,iEAG8C;AAE9C,2DAAgE;AAChE,mGAA2F;AAC3F,0DAA2D;AAC3D,4DAAkE;AAmBlE;;;;GAIG;AACH,SAAS,SAAS,CAChB,GAAY;IAKZ,MAAM,IAAI,GAAG,CAAC,GAAG,IAAI,EAAE,CAAkB,CAAC;IAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;IAEvB,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;QAChD,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,GAAG;YACX,IAAI,EAAE;gBACJ,KAAK,EAAE,iBAAiB;gBACxB,OAAO,EAAE,6CAA6C;aACvD;SACF,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;IACnC,IAAI,UAAU,KAAK,SAAS,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;QAC/D,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,GAAG;YACX,IAAI,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,6BAA6B,EAAE;SAC3E,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;QACxB,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YAC7D,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,GAAG;gBACX,IAAI,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,uCAAuC,EAAE;aACrF,CAAC;QACJ,CAAC;QACD,MAAM,KAAK,GAAsD;YAC/D,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,GAAG,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,UAAoB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC1E,CAAC;QACF,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IACnC,CAAC;IAED,YAAY;IACZ,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACjE,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,GAAG;YACX,IAAI,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,0CAA0C,EAAE;SACxF,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,IAAI,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QAC3E,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,GAAG;YACX,IAAI,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,+CAA+C,EAAE;SAC7F,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACrE,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,GAAG;YACX,IAAI,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,4CAA4C,EAAE;SAC1F,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAuD;QACpE,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,GAAG,CAAC,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC7D,GAAG,CAAC,OAAO,IAAI,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,GAAG,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,UAAoB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC1E,CAAC;IACF,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;AAC9C,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAEvE,MAAM,IAAI,GAAG,KAAK,EACvB,GAA2C,EAC3C,GAAmB,EACJ,EAAE;IACjB,IAAI,IAAA,iCAAiB,EAAC,GAAG,EAAE,GAAG,CAAC;QAAE,OAAO;IACxC,IAAI,IAAA,wCAAuB,EAAC,GAAG,EAAE,GAAG,CAAC;QAAE,OAAO;IAE9C,MAAM,EAAE,GAAG,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;IAC1B,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAClD,OAAO;IACT,CAAC;IAED,0EAA0E;IAC1E,+CAA+C;IAC/C,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,IAAA,6BAAiB,EAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC1C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,OAAO,EAAE,CAAC,CAAC;QAC3D,OAAO;IACT,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC1B,wEAAwE;QACxE,yCAAyC;QACzC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;QAC7C,OAAO;IACT,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,qBAAqB;YAC5B,IAAI,EAAE,mCAAmC;YACzC,OAAO,EACL,iFAAiF;gBACjF,yEAAyE;SAC5E,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACnC,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACf,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC5C,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,wEAAwE;QACxE,MAAM,cAAc,GAAG,IAAA,8CAAmB,EAAC,MAAM,CAAC,CAAC;QACnD,MAAM,UAAU,GAAG,IAAI,mBAAa,CAAC;YACnC,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,YAAY,EAAE,cAAc,CAAC,OAAO;SACrC,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,iBAAW,CAAC,UAAU,CAAC,CAAC;QAC7C,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,wBAAwB,CACrD,EAAwB,CACzB,CAAC;QAEF,IAAI,OAAO,CAAC,QAAQ,KAAK,IAAI,IAAI,OAAO,CAAC,UAAU,IAAI,IAAI,EAAE,CAAC;YAC5D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,UAAU;gBACjB,IAAI,EAAE,2BAA2B;gBACjC,OAAO,EACL,qBAAqB,EAAE,kCAAkC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI;oBACrF,cAAc,OAAO,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,KAAK;oBAC9D,gEAAgE,EAAE,aAAa;aAClF,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,oEAAoE;QACpE,0EAA0E;QAC1E,2EAA2E;QAC3E,wEAAwE;QACxE,8CAA8C;QAC9C,MAAM,KAAK,GAAG,IAAI,wBAAe,CAAC;YAChC,WAAW,EAAE,UAAU;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,UAAU;YACtC,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,cAAc,EAAE,MAAM,CAAC,QAAQ,CAAC,cAAc;SAC/C,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,gBAAU,CAAC,KAAK,CAAC,CAAC;QAEtC,uBAAuB;QACvB,MAAM,QAAQ,GACZ,MAAM,CAAC,IAAI,KAAK,WAAW;YACzB,CAAC,CAAC,MAAM,OAAO,CAAC,qBAAqB,CAAC,MAAM,CAAC,KAAK,CAAC;YACnD,CAAC,CAAC,MAAM,OAAO,CAAC,oBAAoB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAEvD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,IAAI,EAAE,QAAQ,CAAC,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI;YACxC,IAAI,EAAE,MAAM,CAAC,IAAI;SAClB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,4BAAmB,EAAE,CAAC;YACvC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,iBAAiB;gBACxB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,OAAO,EAAE,GAAG,CAAC,OAAO;aACrB,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,IAAI,GAAG,YAAY,qBAAY,EAAE,CAAC;YAChC,MAAM,MAAM,GAAG,GAAG,CAAC,UAAU,CAAC;YAC9B,8EAA8E;YAC9E,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,GAAG,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;gBAChE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,KAAK,EAAE,sBAAsB;oBAC7B,IAAI,EAAE,6BAA6B;oBACnC,UAAU,EAAE,MAAM;oBAClB,QAAQ,EAAE,GAAG,CAAC,IAAI;oBAClB,OAAO,EAAE,GAAG,CAAC,OAAO;iBACrB,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YACD,oDAAoD;YACpD,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC7B,KAAK,EAAE,gBAAgB;gBACvB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,OAAO,EAAE,GAAG,CAAC,OAAO;aACrB,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC,QAAQ,CAE/B,CAAC;QACd,MAAM,EAAE,KAAK,EAAE,CACb,kEAAkE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACrH,CAAC;QACF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;IACpD,CAAC;AACH,CAAC,CAAC;AAvIW,QAAA,IAAI,QAuIf"}

package/dist/api/viva/admin/connected-accounts/route.d.ts

@@ -0,0 +1,19 @@
+/**
+ * route.ts — POST /viva/admin/connected-accounts
+ *
+ * ISV-only admin endpoint. Initiates a Viva connected-account onboarding flow:
+ *   1. Validates that the plugin is in ISV mode (404 in merchant mode).
+ *   2. Validates admin token (401 if missing/wrong).
+ *   3. Calls `IsvAccounts.createConnectedAccount` against Viva.
+ *   4. Returns `{ accountId, onboardingUrl }`.
+ *
+ * Merchant-mode gating uses Option 2 (per-handler 404 short-circuit) — see
+ * `_mode-gate.ts` for the rationale. Medusa v2 has no clean way to skip a
+ * `route.ts` file at boot based on plugin config.
+ *
+ * @see docs/plans/multi-mode-v0.md §6 (mode-surface gating)
+ * @see references/viva-docs/md/payment-isv-api.txt:1 (Connected Accounts API)
+ */
+import type { MedusaRequest, MedusaResponse } from '@medusajs/framework/http';
+export declare const POST: (req: MedusaRequest, res: MedusaResponse) => Promise<void>;
+//# sourceMappingURL=route.d.ts.map

package/dist/api/viva/admin/connected-accounts/route.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../src/api/viva/admin/connected-accounts/route.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAmB9E,eAAO,MAAM,IAAI,GACf,KAAK,aAAa,EAClB,KAAK,cAAc,KAClB,OAAO,CAAC,IAAI,CAsDd,CAAC"}

package/dist/api/viva/admin/connected-accounts/route.js

@@ -0,0 +1,78 @@
+"use strict";
+/**
+ * route.ts — POST /viva/admin/connected-accounts
+ *
+ * ISV-only admin endpoint. Initiates a Viva connected-account onboarding flow:
+ *   1. Validates that the plugin is in ISV mode (404 in merchant mode).
+ *   2. Validates admin token (401 if missing/wrong).
+ *   3. Calls `IsvAccounts.createConnectedAccount` against Viva.
+ *   4. Returns `{ accountId, onboardingUrl }`.
+ *
+ * Merchant-mode gating uses Option 2 (per-handler 404 short-circuit) — see
+ * `_mode-gate.ts` for the rationale. Medusa v2 has no clean way to skip a
+ * `route.ts` file at boot based on plugin config.
+ *
+ * @see docs/plans/multi-mode-v0.md §6 (mode-surface gating)
+ * @see references/viva-docs/md/payment-isv-api.txt:1 (Connected Accounts API)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = void 0;
+const isv_1 = require("@sakeetech/viva-payments-core/isv");
+const isv_2 = require("@sakeetech/viva-payments-core/isv");
+const errors_1 = require("@sakeetech/viva-payments-core/errors");
+const config_js_1 = require("../../../../config.js");
+const auth_strategy_factory_js_1 = require("../../../../resolvers/auth-strategy-factory.js");
+const _mode_gate_js_1 = require("../_mode-gate.js");
+const _admin_auth_js_1 = require("../_admin-auth.js");
+const POST = async (req, res) => {
+    // 1. Mode gate first — merchant mode pretends route doesn't exist.
+    if ((0, _mode_gate_js_1.reject404IfNotIsv)(req, res))
+        return;
+    // 2. Admin token gate.
+    if ((0, _admin_auth_js_1.reject401IfUnauthorized)(req, res))
+        return;
+    // 3. Body validation.
+    const body = (req.body ?? {});
+    if (!body.email || typeof body.email !== 'string') {
+        res.status(400).json({ error: 'email is required' });
+        return;
+    }
+    if (!body.returnUrl || typeof body.returnUrl !== 'string') {
+        res.status(400).json({ error: 'returnUrl is required' });
+        return;
+    }
+    // 4. Build client + call Viva.
+    try {
+        const config = (0, config_js_1.loadConfigFromEnv)(process.env);
+        const authStrategies = (0, auth_strategy_factory_js_1.buildAuthStrategies)(config);
+        const httpClient = new isv_1.IsvHttpClient({
+            environment: config.environment,
+            authStrategy: authStrategies.primary,
+        });
+        const accounts = new isv_2.IsvAccounts(httpClient);
+        const created = await accounts.createConnectedAccount({
+            email: body.email,
+            returnUrl: body.returnUrl,
+            ...(body.branding ? { branding: body.branding } : {}),
+        });
+        res.status(200).json({
+            accountId: created.accountId,
+            onboardingUrl: created.invitation.redirectUrl,
+        });
+    }
+    catch (err) {
+        if (err instanceof errors_1.VivaApiError) {
+            res.status(err.httpStatus ?? 502).json({
+                error: 'viva_api_error',
+                code: err.code,
+                message: err.message,
+            });
+            return;
+        }
+        const logger = req.scope?.resolve?.('logger');
+        logger?.error?.(`[viva] POST /viva/admin/connected-accounts failed: ${err instanceof Error ? err.message : String(err)}`);
+        res.status(500).json({ error: 'internal_error' });
+    }
+};
+exports.POST = POST;
+//# sourceMappingURL=route.js.map

package/dist/api/viva/admin/connected-accounts/route.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"route.js","sourceRoot":"","sources":["../../../../../src/api/viva/admin/connected-accounts/route.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;;AAGH,2DAAkE;AAClE,2DAAgE;AAChE,iEAAoE;AACpE,qDAA0D;AAC1D,6FAAqF;AACrF,oDAAqD;AACrD,sDAA4D;AAYrD,MAAM,IAAI,GAAG,KAAK,EACvB,GAAkB,EAClB,GAAmB,EACJ,EAAE;IACjB,mEAAmE;IACnE,IAAI,IAAA,iCAAiB,EAAC,GAAG,EAAE,GAAG,CAAC;QAAE,OAAO;IAExC,uBAAuB;IACvB,IAAI,IAAA,wCAAuB,EAAC,GAAG,EAAE,GAAG,CAAC;QAAE,OAAO;IAE9C,sBAAsB;IACtB,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAsB,CAAC;IACnD,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QAClD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC;QACrD,OAAO;IACT,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,SAAS,IAAI,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;QAC1D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QACzD,OAAO;IACT,CAAC;IAED,+BAA+B;IAC/B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAA,6BAAiB,EAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC9C,MAAM,cAAc,GAAG,IAAA,8CAAmB,EAAC,MAAM,CAAC,CAAC;QACnD,MAAM,UAAU,GAAG,IAAI,mBAAa,CAAC;YACnC,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,YAAY,EAAE,cAAc,CAAC,OAAO;SACrC,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,iBAAW,CAAC,UAAU,CAAC,CAAC;QAC7C,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,sBAAsB,CAAC;YACpD,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;QAEH,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,aAAa,EAAE,OAAO,CAAC,UAAU,CAAC,WAAW;SAC9C,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,qBAAY,EAAE,CAAC;YAChC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;gBACrC,KAAK,EAAE,gBAAgB;gBACvB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,OAAO,EAAE,GAAG,CAAC,OAAO;aACrB,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC,QAAQ,CAE/B,CAAC;QACd,MAAM,EAAE,KAAK,EAAE,CACb,sDAAsD,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACzG,CAAC;QACF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;IACpD,CAAC;AACH,CAAC,CAAC;AAzDW,QAAA,IAAI,QAyDf"}

package/dist/api/viva/internal/auth-status/route.d.ts

@@ -0,0 +1,19 @@
+/**
+ * route.ts — GET /viva/internal/auth-status
+ *
+ * Admin-guarded endpoint. Returns current OAuth2 token expiry state for
+ * readiness checks and debugging.
+ *
+ * Auth gate: constant-time comparison of X-Viva-Admin-Token header against
+ * VIVA_ADMIN_TOKEN env var. 401 if missing or mismatch.
+ *
+ * Design decision: using env-var shared secret rather than Medusa admin auth
+ * because this route is accessed by ops tooling (healthcheck scripts, monitoring
+ * agents) that may not have a Medusa admin session. VIVA_ADMIN_TOKEN is rotated
+ * independently via secrets manager. Document this choice for operators.
+ *
+ * @see references/viva-docs/md/isv-partner-program.txt:61 (P16 health endpoints)
+ */
+import type { MedusaRequest, MedusaResponse } from '@medusajs/framework/http';
+export declare const GET: (req: MedusaRequest, res: MedusaResponse) => Promise<void>;
+//# sourceMappingURL=route.d.ts.map

package/dist/api/viva/internal/auth-status/route.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../src/api/viva/internal/auth-status/route.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAuB9E,eAAO,MAAM,GAAG,GACd,KAAK,aAAa,EAClB,KAAK,cAAc,KAClB,OAAO,CAAC,IAAI,CA8Dd,CAAC"}

package/dist/api/viva/internal/auth-status/route.js

@@ -0,0 +1,91 @@
+"use strict";
+/**
+ * route.ts — GET /viva/internal/auth-status
+ *
+ * Admin-guarded endpoint. Returns current OAuth2 token expiry state for
+ * readiness checks and debugging.
+ *
+ * Auth gate: constant-time comparison of X-Viva-Admin-Token header against
+ * VIVA_ADMIN_TOKEN env var. 401 if missing or mismatch.
+ *
+ * Design decision: using env-var shared secret rather than Medusa admin auth
+ * because this route is accessed by ops tooling (healthcheck scripts, monitoring
+ * agents) that may not have a Medusa admin session. VIVA_ADMIN_TOKEN is rotated
+ * independently via secrets manager. Document this choice for operators.
+ *
+ * @see references/viva-docs/md/isv-partner-program.txt:61 (P16 health endpoints)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GET = void 0;
+const node_crypto_1 = require("node:crypto");
+const viva_oauth2_strategy_js_1 = require("../../../../loaders/viva-oauth2-strategy.js");
+// ---------------------------------------------------------------------------
+// Admin token guard
+// ---------------------------------------------------------------------------
+/**
+ * Constant-time comparison of two strings.
+ * Returns false immediately if lengths differ (avoids timing side-channel on length).
+ */
+function isTokenValid(provided, expected) {
+    if (provided.length !== expected.length)
+        return false;
+    return (0, node_crypto_1.timingSafeEqual)(Buffer.from(provided, 'utf-8'), Buffer.from(expected, 'utf-8'));
+}
+// ---------------------------------------------------------------------------
+// GET handler
+// ---------------------------------------------------------------------------
+const GET = async (req, res) => {
+    const adminToken = process.env['VIVA_ADMIN_TOKEN'];
+    // If VIVA_ADMIN_TOKEN is not configured: always deny, document reason.
+    if (!adminToken) {
+        res.status(401).json({
+            error: 'unauthorized',
+            reason: 'admin-token-not-configured',
+        });
+        return;
+    }
+    const provided = req.headers['x-viva-admin-token'];
+    const providedStr = Array.isArray(provided) ? provided[0] : provided;
+    if (!providedStr || !isTokenValid(providedStr, adminToken)) {
+        res.status(401).json({ error: 'unauthorized' });
+        return;
+    }
+    // ---- Read token cache state from the singleton strategy ----
+    const environment = process.env['VIVA_ENVIRONMENT'] ?? 'demo';
+    let tokenExpiresAt = null;
+    let lastRefreshAt = null;
+    let tokenPresent = false;
+    try {
+        // Resolve the singleton OAuth2 strategy registered by the plugin loader.
+        // Using allowUnregistered so the route degrades gracefully when the loader
+        // hasn't run (e.g. bare test environments without full Medusa bootstrap).
+        const strategy = req.scope?.resolve(viva_oauth2_strategy_js_1.VIVA_OAUTH2_STRATEGY_KEY, { allowUnregistered: true });
+        if (strategy) {
+            const cache = strategy.tokenCache;
+            const clientId = process.env['VIVA_ISV_CLIENT_ID'] ?? '';
+            const cacheKey = `viva:isv:token:${clientId}:${environment}`;
+            const cached = await cache.get(cacheKey);
+            if (cached) {
+                tokenPresent = true;
+                tokenExpiresAt = new Date(cached.expires_at).toISOString();
+                // last_refresh_at: approximate — expires_at - (3600 - 60) seconds = expires_at - 3540s
+                // The cache stores expires_at = now_at_refresh + 3600000 - 60000.
+                // We can approximate refresh time = expires_at - 3540000ms.
+                lastRefreshAt = new Date(cached.expires_at - 3540 * 1000).toISOString();
+            }
+        }
+    }
+    catch {
+        // Strategy not available — return what we can
+    }
+    res.setHeader('Cache-Control', 'no-store');
+    res.status(200).json({
+        environment,
+        token_present: tokenPresent,
+        token_expires_at: tokenExpiresAt,
+        last_refresh_at: lastRefreshAt,
+        now: new Date().toISOString(),
+    });
+};
+exports.GET = GET;
+//# sourceMappingURL=route.js.map

package/dist/api/viva/internal/auth-status/route.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"route.js","sourceRoot":"","sources":["../../../../../src/api/viva/internal/auth-status/route.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;;AAGH,6CAA8C;AAG9C,yFAAuF;AAEvF,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E;;;GAGG;AACH,SAAS,YAAY,CAAC,QAAgB,EAAE,QAAgB;IACtD,IAAI,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACtD,OAAO,IAAA,6BAAe,EAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;AACzF,CAAC;AAED,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAEvE,MAAM,GAAG,GAAG,KAAK,EACtB,GAAkB,EAClB,GAAmB,EACJ,EAAE;IACjB,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAEnD,uEAAuE;IACvE,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,cAAc;YACrB,MAAM,EAAE,4BAA4B;SACrC,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACnD,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;IAErE,IAAI,CAAC,WAAW,IAAI,CAAC,YAAY,CAAC,WAAW,EAAE,UAAU,CAAC,EAAE,CAAC;QAC3D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;QAChD,OAAO;IACT,CAAC;IAED,+DAA+D;IAC/D,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,MAAM,CAAC;IAC9D,IAAI,cAAc,GAAkB,IAAI,CAAC;IACzC,IAAI,aAAa,GAAkB,IAAI,CAAC;IACxC,IAAI,YAAY,GAAG,KAAK,CAAC;IAEzB,IAAI,CAAC;QACH,yEAAyE;QACzE,2EAA2E;QAC3E,0EAA0E;QAC1E,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,EAAE,OAAO,CACjC,kDAAwB,EACxB,EAAE,iBAAiB,EAAE,IAAI,EAAE,CAC5B,CAAC;QAEF,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,KAAK,GAAG,QAAQ,CAAC,UAAU,CAAC;YAClC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,EAAE,CAAC;YACzD,MAAM,QAAQ,GAAG,kBAAkB,QAAQ,IAAI,WAAW,EAAE,CAAC;YAC7D,MAAM,MAAM,GAAuB,MAAM,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAE7D,IAAI,MAAM,EAAE,CAAC;gBACX,YAAY,GAAG,IAAI,CAAC;gBACpB,cAAc,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;gBAC3D,uFAAuF;gBACvF,kEAAkE;gBAClE,4DAA4D;gBAC5D,aAAa,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;YAC1E,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,8CAA8C;IAChD,CAAC;IAED,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;IAC3C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;QACnB,WAAW;QACX,aAAa,EAAE,YAAY;QAC3B,gBAAgB,EAAE,cAAc;QAChC,eAAe,EAAE,aAAa;QAC9B,GAAG,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KAC9B,CAAC,CAAC;AACL,CAAC,CAAC;AAjEW,QAAA,GAAG,OAiEd"}

package/dist/api/viva/internal/metrics/route.d.ts

@@ -0,0 +1,13 @@
+/**
+ * route.ts — GET /viva/internal/metrics
+ *
+ * Admin-guarded Prometheus text format scrape endpoint.
+ * Returns in-process metric counters and histograms from PromMetricsHook.
+ *
+ * Auth gate: same X-Viva-Admin-Token / VIVA_ADMIN_TOKEN as auth-status.
+ *
+ * @see references/viva-docs/md/isv-partner-program.txt:61 (P16 observability)
+ */
+import type { MedusaRequest, MedusaResponse } from '@medusajs/framework/http';
+export declare const GET: (req: MedusaRequest, res: MedusaResponse) => Promise<void>;
+//# sourceMappingURL=route.d.ts.map

package/dist/api/viva/internal/metrics/route.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../src/api/viva/internal/metrics/route.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAiB9E,eAAO,MAAM,GAAG,GACd,KAAK,aAAa,EAClB,KAAK,cAAc,KAClB,OAAO,CAAC,IAAI,CAwBd,CAAC"}

package/dist/api/viva/internal/metrics/route.js

@@ -0,0 +1,48 @@
+"use strict";
+/**
+ * route.ts — GET /viva/internal/metrics
+ *
+ * Admin-guarded Prometheus text format scrape endpoint.
+ * Returns in-process metric counters and histograms from PromMetricsHook.
+ *
+ * Auth gate: same X-Viva-Admin-Token / VIVA_ADMIN_TOKEN as auth-status.
+ *
+ * @see references/viva-docs/md/isv-partner-program.txt:61 (P16 observability)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GET = void 0;
+const node_crypto_1 = require("node:crypto");
+const index_js_1 = require("../../../../observability/index.js");
+// ---------------------------------------------------------------------------
+// Admin token guard (same pattern as auth-status)
+// ---------------------------------------------------------------------------
+function isTokenValid(provided, expected) {
+    if (provided.length !== expected.length)
+        return false;
+    return (0, node_crypto_1.timingSafeEqual)(Buffer.from(provided, 'utf-8'), Buffer.from(expected, 'utf-8'));
+}
+// ---------------------------------------------------------------------------
+// GET handler
+// ---------------------------------------------------------------------------
+const GET = async (req, res) => {
+    const adminToken = process.env['VIVA_ADMIN_TOKEN'];
+    if (!adminToken) {
+        res.status(401).json({
+            error: 'unauthorized',
+            reason: 'admin-token-not-configured',
+        });
+        return;
+    }
+    const provided = req.headers['x-viva-admin-token'];
+    const providedStr = Array.isArray(provided) ? provided[0] : provided;
+    if (!providedStr || !isTokenValid(providedStr, adminToken)) {
+        res.status(401).json({ error: 'unauthorized' });
+        return;
+    }
+    const exposition = (0, index_js_1.getSharedMetrics)().toExposition();
+    res.setHeader('Content-Type', 'text/plain; version=0.0.4; charset=utf-8');
+    res.setHeader('Cache-Control', 'no-store');
+    res.status(200).send(exposition);
+};
+exports.GET = GET;
+//# sourceMappingURL=route.js.map

package/dist/api/viva/internal/metrics/route.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"route.js","sourceRoot":"","sources":["../../../../../src/api/viva/internal/metrics/route.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;AAGH,6CAA8C;AAC9C,iEAAsE;AAEtE,8EAA8E;AAC9E,kDAAkD;AAClD,8EAA8E;AAE9E,SAAS,YAAY,CAAC,QAAgB,EAAE,QAAgB;IACtD,IAAI,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACtD,OAAO,IAAA,6BAAe,EAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;AACzF,CAAC;AAED,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAEvE,MAAM,GAAG,GAAG,KAAK,EACtB,GAAkB,EAClB,GAAmB,EACJ,EAAE;IACjB,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAEnD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,cAAc;YACrB,MAAM,EAAE,4BAA4B;SACrC,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACnD,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;IAErE,IAAI,CAAC,WAAW,IAAI,CAAC,YAAY,CAAC,WAAW,EAAE,UAAU,CAAC,EAAE,CAAC;QAC3D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;QAChD,OAAO;IACT,CAAC;IAED,MAAM,UAAU,GAAG,IAAA,2BAAgB,GAAE,CAAC,YAAY,EAAE,CAAC;IAErD,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,0CAA0C,CAAC,CAAC;IAC1E,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;IAC3C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;AACnC,CAAC,CAAC;AA3BW,QAAA,GAAG,OA2Bd"}

package/dist/api/viva/webhook/health/route.d.ts

@@ -0,0 +1,16 @@
+/**
+ * route.ts — GET /viva/webhook/health
+ *
+ * Liveness probe. No auth. Returns 200 { ok: true, environment, timestamp }.
+ *
+ * @see references/viva-docs/md/isv-partner-program.txt:61 (P16 health endpoints)
+ */
+import type { MedusaRequest, MedusaResponse } from '@medusajs/framework/http';
+/**
+ * GET /viva/webhook/health
+ *
+ * Returns 200 { ok: true } unconditionally.
+ * Cache-Control: no-store to prevent proxy caching.
+ */
+export declare const GET: (_req: MedusaRequest, res: MedusaResponse) => Promise<void>;
+//# sourceMappingURL=route.d.ts.map

package/dist/api/viva/webhook/health/route.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../src/api/viva/webhook/health/route.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAE9E;;;;;GAKG;AACH,eAAO,MAAM,GAAG,GACd,MAAM,aAAa,EACnB,KAAK,cAAc,KAClB,OAAO,CAAC,IAAI,CASd,CAAC"}

package/dist/api/viva/webhook/health/route.js

@@ -0,0 +1,27 @@
+"use strict";
+/**
+ * route.ts — GET /viva/webhook/health
+ *
+ * Liveness probe. No auth. Returns 200 { ok: true, environment, timestamp }.
+ *
+ * @see references/viva-docs/md/isv-partner-program.txt:61 (P16 health endpoints)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GET = void 0;
+/**
+ * GET /viva/webhook/health
+ *
+ * Returns 200 { ok: true } unconditionally.
+ * Cache-Control: no-store to prevent proxy caching.
+ */
+const GET = async (_req, res) => {
+    const environment = process.env['VIVA_ENVIRONMENT'] ?? 'demo';
+    res.setHeader('Cache-Control', 'no-store');
+    res.status(200).json({
+        ok: true,
+        environment,
+        timestamp: new Date().toISOString(),
+    });
+};
+exports.GET = GET;
+//# sourceMappingURL=route.js.map

package/dist/api/viva/webhook/health/route.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"route.js","sourceRoot":"","sources":["../../../../../src/api/viva/webhook/health/route.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAIH;;;;;GAKG;AACI,MAAM,GAAG,GAAG,KAAK,EACtB,IAAmB,EACnB,GAAmB,EACJ,EAAE;IACjB,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,MAAM,CAAC;IAE9D,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;IAC3C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;QACnB,EAAE,EAAE,IAAI;QACR,WAAW;QACX,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC,CAAC;AACL,CAAC,CAAC;AAZW,QAAA,GAAG,OAYd"}