npm - @unifiedcommerce/plugin-marketplace - Versions diffs - 0.0.1 - Mend

@unifiedcommerce/plugin-marketplace 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (122) hide show

package/README.md +479 -0
package/dist/analytics-models.d.ts +13 -0
package/dist/analytics-models.d.ts.map +1 -0
package/dist/analytics-models.js +69 -0
package/dist/hooks.d.ts +4 -0
package/dist/hooks.d.ts.map +1 -0
package/dist/hooks.js +187 -0
package/dist/index.d.ts +4 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +105 -0
package/dist/mcp-tools.d.ts +21 -0
package/dist/mcp-tools.d.ts.map +1 -0
package/dist/mcp-tools.js +183 -0
package/dist/routes/b2b.d.ts +9 -0
package/dist/routes/b2b.d.ts.map +1 -0
package/dist/routes/b2b.js +156 -0
package/dist/routes/commission.d.ts +6 -0
package/dist/routes/commission.d.ts.map +1 -0
package/dist/routes/commission.js +85 -0
package/dist/routes/disputes-returns-reviews.d.ts +10 -0
package/dist/routes/disputes-returns-reviews.d.ts.map +1 -0
package/dist/routes/disputes-returns-reviews.js +179 -0
package/dist/routes/payouts.d.ts +6 -0
package/dist/routes/payouts.d.ts.map +1 -0
package/dist/routes/payouts.js +40 -0
package/dist/routes/sub-orders.d.ts +6 -0
package/dist/routes/sub-orders.d.ts.map +1 -0
package/dist/routes/sub-orders.js +44 -0
package/dist/routes/util.d.ts +23 -0
package/dist/routes/util.d.ts.map +1 -0
package/dist/routes/util.js +41 -0
package/dist/routes/vendor-portal.d.ts +14 -0
package/dist/routes/vendor-portal.d.ts.map +1 -0
package/dist/routes/vendor-portal.js +255 -0
package/dist/routes/vendors.d.ts +11 -0
package/dist/routes/vendors.d.ts.map +1 -0
package/dist/routes/vendors.js +185 -0
package/dist/schema.d.ts +3255 -0
package/dist/schema.d.ts.map +1 -0
package/dist/schema.js +225 -0
package/dist/schemas/b2b.d.ts +1009 -0
package/dist/schemas/b2b.d.ts.map +1 -0
package/dist/schemas/b2b.js +208 -0
package/dist/schemas/commission.d.ts +532 -0
package/dist/schemas/commission.d.ts.map +1 -0
package/dist/schemas/commission.js +113 -0
package/dist/schemas/disputes-returns-reviews.d.ts +1405 -0
package/dist/schemas/disputes-returns-reviews.d.ts.map +1 -0
package/dist/schemas/disputes-returns-reviews.js +270 -0
package/dist/schemas/payouts.d.ts +375 -0
package/dist/schemas/payouts.d.ts.map +1 -0
package/dist/schemas/payouts.js +78 -0
package/dist/schemas/sub-orders.d.ts +303 -0
package/dist/schemas/sub-orders.d.ts.map +1 -0
package/dist/schemas/sub-orders.js +67 -0
package/dist/schemas/vendor-portal.d.ts +1785 -0
package/dist/schemas/vendor-portal.d.ts.map +1 -0
package/dist/schemas/vendor-portal.js +294 -0
package/dist/schemas/vendors.d.ts +1348 -0
package/dist/schemas/vendors.d.ts.map +1 -0
package/dist/schemas/vendors.js +245 -0
package/dist/services/commission.d.ts +81 -0
package/dist/services/commission.d.ts.map +1 -0
package/dist/services/commission.js +98 -0
package/dist/services/contract-price.d.ts +64 -0
package/dist/services/contract-price.d.ts.map +1 -0
package/dist/services/contract-price.js +57 -0
package/dist/services/dispute.d.ts +156 -0
package/dist/services/dispute.d.ts.map +1 -0
package/dist/services/dispute.js +77 -0
package/dist/services/payout.d.ts +126 -0
package/dist/services/payout.d.ts.map +1 -0
package/dist/services/payout.js +130 -0
package/dist/services/return.d.ts +181 -0
package/dist/services/return.d.ts.map +1 -0
package/dist/services/return.js +80 -0
package/dist/services/review.d.ts +70 -0
package/dist/services/review.d.ts.map +1 -0
package/dist/services/review.js +60 -0
package/dist/services/rfq.d.ts +122 -0
package/dist/services/rfq.d.ts.map +1 -0
package/dist/services/rfq.js +60 -0
package/dist/services/sub-order.d.ts +336 -0
package/dist/services/sub-order.d.ts.map +1 -0
package/dist/services/sub-order.js +121 -0
package/dist/services/vendor.d.ts +528 -0
package/dist/services/vendor.d.ts.map +1 -0
package/dist/services/vendor.js +119 -0
package/dist/types.d.ts +67 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +13 -0
package/package.json +43 -0
package/src/analytics-models.ts +75 -0
package/src/hooks.ts +215 -0
package/src/index.ts +124 -0
package/src/mcp-tools.ts +210 -0
package/src/routes/b2b.ts +179 -0
package/src/routes/commission.ts +95 -0
package/src/routes/disputes-returns-reviews.ts +209 -0
package/src/routes/payouts.ts +49 -0
package/src/routes/sub-orders.ts +54 -0
package/src/routes/util.ts +42 -0
package/src/routes/vendor-portal.ts +277 -0
package/src/routes/vendors.ts +201 -0
package/src/schema.ts +260 -0
package/src/schemas/b2b.ts +238 -0
package/src/schemas/commission.ts +129 -0
package/src/schemas/disputes-returns-reviews.ts +311 -0
package/src/schemas/payouts.ts +90 -0
package/src/schemas/sub-orders.ts +77 -0
package/src/schemas/vendor-portal.ts +344 -0
package/src/schemas/vendors.ts +281 -0
package/src/services/commission.ts +120 -0
package/src/services/contract-price.ts +80 -0
package/src/services/dispute.ts +92 -0
package/src/services/payout.ts +154 -0
package/src/services/return.ts +92 -0
package/src/services/review.ts +76 -0
package/src/services/rfq.ts +82 -0
package/src/services/sub-order.ts +136 -0
package/src/services/vendor.ts +151 -0
package/src/types.ts +164 -0

package/src/routes/payouts.ts ADDED Viewed

@@ -0,0 +1,49 @@
+import { router } from "@unifiedcommerce/core";
+import type { PluginRouteRegistration } from "@unifiedcommerce/core";
+import type { PayoutService } from "../services/payout";
+import { stripUndefined } from "./util";
+export function buildPayoutRoutes(services: {
+  payout: PayoutService;
+}): PluginRouteRegistration[] {
+  const r = router("Marketplace - Payouts", "/marketplace/payouts");
+  // ─── List payouts ──────────────────────────────────────────────────────────
+  r.get("/")
+    .summary("List payouts")
+    .permission("marketplace:admin")
+    .handler(async ({ query }) => {
+      return services.payout.listPayouts(stripUndefined({
+        vendorId: query.vendorId as string | undefined,
+        status: query.status as string | undefined,
+      }));
+    });
+  // ─── Run payout cycle ──────────────────────────────────────────────────────
+  r.post("/run")
+    .summary("Run a payout cycle")
+    .permission("marketplace:admin")
+    .handler(async () => {
+      return services.payout.runPayoutCycle();
+    });
+  // ─── Retry payout ──────────────────────────────────────────────────────────
+  r.post("/{id}/retry")
+    .summary("Retry a failed payout")
+    .permission("marketplace:admin")
+    .handler(async ({ params }) => {
+      return services.payout.retryPayout(params.id!);
+    });
+  // ─── Get payout by id ──────────────────────────────────────────────────────
+  r.get("/{id}")
+    .summary("Get payout by ID")
+    .permission("marketplace:admin")
+    .handler(async ({ params }) => {
+      const payout = await services.payout.getPayoutById(params.id!);
+      if (!payout) throw new Error("Payout not found");
+      return payout;
+    });
+  return r.routes();
+}

package/src/routes/sub-orders.ts ADDED Viewed

@@ -0,0 +1,54 @@
+import { router } from "@unifiedcommerce/core";
+import type { PluginRouteRegistration } from "@unifiedcommerce/core";
+import type { z } from "@hono/zod-openapi";
+import type { SubOrderService } from "../services/sub-order";
+import type { SubOrderStatus } from "../types";
+import { UpdateSubOrderStatusBodySchema } from "../schemas/sub-orders";
+import { stripUndefined } from "./util";
+export function buildSubOrderRoutes(services: {
+  subOrder: SubOrderService;
+}): PluginRouteRegistration[] {
+  const r = router("Marketplace - Sub-Orders", "/marketplace/sub-orders");
+  // ─── List sub-orders ───────────────────────────────────────────────────────
+  r.get("/")
+    .summary("List sub-orders")
+    .permission("marketplace:admin")
+    .handler(async ({ query }) => {
+      return services.subOrder.list(stripUndefined({
+        orderId: query.orderId as string | undefined,
+        vendorId: query.vendorId as string | undefined,
+        status: query.status as string | undefined,
+      }));
+    });
+  // ─── Get sub-order by id ───────────────────────────────────────────────────
+  r.get("/{id}")
+    .summary("Get sub-order by ID")
+    .permission("marketplace:admin")
+    .handler(async ({ params }) => {
+      const subOrder = await services.subOrder.getById(params.id!);
+      if (!subOrder) throw new Error("Sub-order not found");
+      return subOrder;
+    });
+  // ─── Force status change ───────────────────────────────────────────────────
+  r.patch("/{id}/status")
+    .summary("Force a sub-order status change")
+    .permission("marketplace:admin")
+    .input(UpdateSubOrderStatusBodySchema)
+    .handler(async ({ params, input }) => {
+      const body = input as z.infer<typeof UpdateSubOrderStatusBodySchema>;
+      const subOrder = await services.subOrder.getById(params.id!);
+      if (!subOrder) throw new Error("Sub-order not found");
+      // Use cancel() for cancelled status to trigger side effects
+      // (inventory release + ledger reversal)
+      return body.status === "cancelled"
+        ? services.subOrder.cancel(params.id!, "Admin force cancel")
+        : services.subOrder.forceStatus(params.id!, body.status as SubOrderStatus);
+    });
+  return r.routes();
+}

package/src/routes/util.ts ADDED Viewed

@@ -0,0 +1,42 @@
+/**
+ * Removes keys whose value is `undefined` from an object, returning a
+ * cleaned copy that satisfies `exactOptionalPropertyTypes`.
+ *
+ * Zod's `.optional()` produces `T | undefined` in inferred types, which
+ * can't be assigned to optional properties under `exactOptionalPropertyTypes`.
+ * This helper strips those `undefined` entries at runtime and casts the
+ * result so TypeScript accepts it.
+ */
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export function stripUndefined<T>(obj: T): T extends Record<string, any> ? { [K in keyof T]: Exclude<T[K], undefined> } : T {
+  if (obj == null || typeof obj !== "object") return obj as never;
+  const result: Record<string, unknown> = {};
+  for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {
+    if (value !== undefined) {
+      result[key] = value;
+    }
+  }
+  return result as never;
+}
+/** Keys that must never be exposed in API responses. */
+const VENDOR_SECRET_KEYS = [
+  "storeAccessToken",
+  "storeConsumerSecret",
+  "storeWebhookSecret",
+  "bankAccount",
+] as const;
+/**
+ * Returns a copy of a vendor record with sensitive fields removed.
+ *
+ * Accepts any object with string keys so it works with both single vendor
+ * rows and Drizzle `InferSelectModel` types without importing the schema.
+ */
+export function stripVendorSecrets<T extends Record<string, unknown>>(vendor: T): Omit<T, (typeof VENDOR_SECRET_KEYS)[number]> {
+  const copy = { ...vendor };
+  for (const key of VENDOR_SECRET_KEYS) {
+    delete copy[key];
+  }
+  return copy as Omit<T, (typeof VENDOR_SECRET_KEYS)[number]>;
+}

package/src/routes/vendor-portal.ts ADDED Viewed

@@ -0,0 +1,277 @@
+import { router } from "@unifiedcommerce/core";
+import type { PluginRouteRegistration } from "@unifiedcommerce/core";
+import type { z } from "@hono/zod-openapi";
+import type { VendorService } from "../services/vendor";
+import type { SubOrderService } from "../services/sub-order";
+import type { PayoutService } from "../services/payout";
+import type { ReviewService } from "../services/review";
+import type { ReturnService } from "../services/return";
+import { vendorEntities } from "../schema";
+import { eq } from "drizzle-orm";
+import {
+  UpdateVendorProfileBodySchema,
+  UploadVendorDocumentBodySchema,
+  ShipSubOrderBodySchema,
+  CancelSubOrderBodySchema,
+  RespondToReviewBodySchema,
+  ApproveReturnBodySchema,
+  RejectReturnBodySchema,
+} from "../schemas/vendor-portal";
+import { stripUndefined, stripVendorSecrets } from "./util";
+/** Helper to extract vendorId from actor and throw if missing. */
+function requireVendorId(actor: { vendorId?: string | null } | null): string {
+  const vendorId = actor?.vendorId;
+  if (!vendorId) throw new Error("Forbidden");
+  return vendorId;
+}
+export function buildVendorPortalRoutes(services: {
+  vendor: VendorService;
+  subOrder: SubOrderService;
+  payout: PayoutService;
+  review: ReviewService;
+  return: ReturnService;
+}): PluginRouteRegistration[] {
+  const r = router("Marketplace - Vendor Portal", "/marketplace/vendor/me");
+  // ─── Get my vendor profile ─────────────────────────────────────────────────
+  r.get("/")
+    .summary("Get my vendor profile")
+    .auth()
+    .handler(async ({ actor }) => {
+      const vendorId = requireVendorId(actor);
+      const vendor = await services.vendor.getById(vendorId);
+      if (!vendor) throw new Error("Vendor not found");
+      return stripVendorSecrets(vendor);
+    });
+  // ─── Update my vendor profile ──────────────────────────────────────────────
+  r.patch("/")
+    .summary("Update my vendor profile")
+    .auth()
+    .input(UpdateVendorProfileBodySchema)
+    .handler(async ({ actor, input }) => {
+      const vendorId = requireVendorId(actor);
+      const body = input as z.infer<typeof UpdateVendorProfileBodySchema>;
+      const updated = await services.vendor.update(vendorId, stripUndefined(body));
+      if (!updated) throw new Error("Vendor not found");
+      return stripVendorSecrets(updated);
+    });
+  // ─── Upload document ───────────────────────────────────────────────────────
+  r.post("/documents")
+    .summary("Upload a document for my vendor profile")
+    .auth()
+    .input(UploadVendorDocumentBodySchema)
+    .handler(async ({ actor, input }) => {
+      const vendorId = requireVendorId(actor);
+      const body = input as z.infer<typeof UploadVendorDocumentBodySchema>;
+      return services.vendor.uploadDocument(vendorId, {
+        type: body.type,
+        fileUrl: body.fileUrl,
+      });
+    });
+  // ─── List my documents ─────────────────────────────────────────────────────
+  r.get("/documents")
+    .summary("List my vendor documents")
+    .auth()
+    .handler(async ({ actor }) => {
+      const vendorId = requireVendorId(actor);
+      return services.vendor.listDocuments(vendorId);
+    });
+  // ─── List my products ──────────────────────────────────────────────────────
+  r.get("/products")
+    .summary("List my products")
+    .auth()
+    .handler(async ({ actor, db }) => {
+      const vendorId = requireVendorId(actor);
+      const drizzle = db as import("../types").Db;
+      const entities = await drizzle
+        .select()
+        .from(vendorEntities)
+        .where(eq(vendorEntities.vendorId, vendorId));
+      return entities;
+    });
+  // ─── List my sub-orders ────────────────────────────────────────────────────
+  r.get("/orders")
+    .summary("List my sub-orders")
+    .auth()
+    .handler(async ({ actor, query }) => {
+      const vendorId = requireVendorId(actor);
+      const status = query.status as string | undefined;
+      return services.subOrder.listByVendor(vendorId, stripUndefined({ status }));
+    });
+  // ─── Get single sub-order ──────────────────────────────────────────────────
+  r.get("/orders/{subOrderId}")
+    .summary("Get a single sub-order")
+    .auth()
+    .handler(async ({ actor, params }) => {
+      const vendorId = requireVendorId(actor);
+      const subOrder = await services.subOrder.getById(params.subOrderId!);
+      if (!subOrder) throw new Error("Sub-order not found");
+      if (subOrder.vendorId !== vendorId) throw new Error("Forbidden");
+      return subOrder;
+    });
+  // ─── Confirm sub-order ─────────────────────────────────────────────────────
+  r.post("/orders/{subOrderId}/confirm")
+    .summary("Confirm a sub-order")
+    .auth()
+    .handler(async ({ actor, params }) => {
+      const vendorId = requireVendorId(actor);
+      const subOrder = await services.subOrder.getById(params.subOrderId!);
+      if (!subOrder) throw new Error("Sub-order not found");
+      if (subOrder.vendorId !== vendorId) throw new Error("Forbidden");
+      return services.subOrder.confirm(params.subOrderId!);
+    });
+  // ─── Ship sub-order ────────────────────────────────────────────────────────
+  r.post("/orders/{subOrderId}/ship")
+    .summary("Ship a sub-order")
+    .auth()
+    .input(ShipSubOrderBodySchema)
+    .handler(async ({ actor, params, input }) => {
+      const vendorId = requireVendorId(actor);
+      const body = input as z.infer<typeof ShipSubOrderBodySchema>;
+      const subOrder = await services.subOrder.getById(params.subOrderId!);
+      if (!subOrder) throw new Error("Sub-order not found");
+      if (subOrder.vendorId !== vendorId) throw new Error("Forbidden");
+      return services.subOrder.ship(params.subOrderId!, {
+        trackingNumber: body.trackingNumber,
+        carrier: body.carrier,
+      });
+    });
+  // ─── Deliver sub-order ─────────────────────────────────────────────────────
+  r.post("/orders/{subOrderId}/deliver")
+    .summary("Mark a sub-order as delivered")
+    .auth()
+    .handler(async ({ actor, params }) => {
+      const vendorId = requireVendorId(actor);
+      const subOrder = await services.subOrder.getById(params.subOrderId!);
+      if (!subOrder) throw new Error("Sub-order not found");
+      if (subOrder.vendorId !== vendorId) throw new Error("Forbidden");
+      return services.subOrder.deliver(params.subOrderId!);
+    });
+  // ─── Cancel sub-order ──────────────────────────────────────────────────────
+  r.post("/orders/{subOrderId}/cancel")
+    .summary("Cancel a sub-order")
+    .auth()
+    .input(CancelSubOrderBodySchema)
+    .handler(async ({ actor, params, input }) => {
+      const vendorId = requireVendorId(actor);
+      const body = input as z.infer<typeof CancelSubOrderBodySchema>;
+      const subOrder = await services.subOrder.getById(params.subOrderId!);
+      if (!subOrder) throw new Error("Sub-order not found");
+      if (subOrder.vendorId !== vendorId) throw new Error("Forbidden");
+      return services.subOrder.cancel(params.subOrderId!, body.reason);
+    });
+  // ─── List my payouts ───────────────────────────────────────────────────────
+  r.get("/payouts")
+    .summary("List my payouts")
+    .auth()
+    .handler(async ({ actor }) => {
+      const vendorId = requireVendorId(actor);
+      return services.payout.listPayouts({ vendorId });
+    });
+  // ─── My balance ────────────────────────────────────────────────────────────
+  r.get("/balance")
+    .summary("Get my balance")
+    .auth()
+    .handler(async ({ actor }) => {
+      const vendorId = requireVendorId(actor);
+      const balance = await services.payout.getBalance(vendorId);
+      const ledger = await services.payout.getLedger(vendorId);
+      return { balanceCents: balance, ledger };
+    });
+  // ─── My analytics ──────────────────────────────────────────────────────────
+  r.get("/analytics")
+    .summary("Get my analytics")
+    .auth()
+    .handler(async ({ actor }) => {
+      const vendorId = requireVendorId(actor);
+      const rating = await services.review.getAggregateRating(vendorId);
+      const balance = await services.payout.getBalance(vendorId);
+      return { rating, balanceCents: balance };
+    });
+  // ─── My reviews ────────────────────────────────────────────────────────────
+  r.get("/reviews")
+    .summary("List my reviews")
+    .auth()
+    .handler(async ({ actor }) => {
+      const vendorId = requireVendorId(actor);
+      return services.review.getForVendor(vendorId, true);
+    });
+  // ─── Respond to review ─────────────────────────────────────────────────────
+  r.post("/reviews/{id}/respond")
+    .summary("Respond to a review")
+    .auth()
+    .input(RespondToReviewBodySchema)
+    .handler(async ({ actor, params, input }) => {
+      const vendorId = requireVendorId(actor);
+      const body = input as z.infer<typeof RespondToReviewBodySchema>;
+      // IDOR prevention: verify the review belongs to this vendor
+      const vendorReviews = await services.review.getForVendor(vendorId, true);
+      const ownsReview = vendorReviews.some((rev: { id: string }) => rev.id === params.id!);
+      if (!ownsReview) throw new Error("Forbidden: review does not belong to this vendor");
+      const updated = await services.review.respond(params.id!, body.response);
+      if (!updated) throw new Error("Review not found");
+      return updated;
+    });
+  // ─── My returns ────────────────────────────────────────────────────────────
+  r.get("/returns")
+    .summary("List my returns")
+    .auth()
+    .handler(async ({ actor }) => {
+      const vendorId = requireVendorId(actor);
+      return services.return.listByVendor(vendorId);
+    });
+  // ─── Approve return ────────────────────────────────────────────────────────
+  r.post("/returns/{id}/approve")
+    .summary("Approve a return request")
+    .auth()
+    .input(ApproveReturnBodySchema)
+    .handler(async ({ actor, params, input }) => {
+      const vendorId = requireVendorId(actor);
+      const ret = await services.return.getById(params.id!);
+      if (!ret) throw new Error("Return not found");
+      const subOrder = await services.subOrder.getById(ret.subOrderId);
+      if (!subOrder || subOrder.vendorId !== vendorId) throw new Error("Forbidden");
+      const body = input as z.infer<typeof ApproveReturnBodySchema>;
+      const updated = await services.return.vendorApprove(params.id!, body.refundAmountCents);
+      if (!updated) throw new Error("Return not found");
+      return updated;
+    });
+  // ─── Reject return ─────────────────────────────────────────────────────────
+  r.post("/returns/{id}/reject")
+    .summary("Reject a return request")
+    .auth()
+    .input(RejectReturnBodySchema)
+    .handler(async ({ actor, params, input }) => {
+      const vendorId = requireVendorId(actor);
+      const ret = await services.return.getById(params.id!);
+      if (!ret) throw new Error("Return not found");
+      const subOrder = await services.subOrder.getById(ret.subOrderId);
+      if (!subOrder || subOrder.vendorId !== vendorId) throw new Error("Forbidden");
+      const body = input as z.infer<typeof RejectReturnBodySchema>;
+      const updated = await services.return.vendorReject(params.id!, body.notes);
+      if (!updated) throw new Error("Return not found");
+      return updated;
+    });
+  return r.routes();
+}

package/src/routes/vendors.ts ADDED Viewed

@@ -0,0 +1,201 @@
+import { router, resolveOrgId } from "@unifiedcommerce/core";
+import type { PluginRouteRegistration } from "@unifiedcommerce/core";
+import type { z } from "@hono/zod-openapi";
+import type { VendorService } from "../services/vendor";
+import type { PayoutService } from "../services/payout";
+import type { ReviewService } from "../services/review";
+import type { MarketplacePluginOptions } from "../types";
+import {
+  CreateVendorBodySchema,
+  UpdateVendorBodySchema,
+  RejectVendorBodySchema,
+  SuspendVendorBodySchema,
+  UploadDocumentBodySchema,
+} from "../schemas/vendors";
+import { stripUndefined, stripVendorSecrets } from "./util";
+export function buildVendorRoutes(services: {
+  vendor: VendorService;
+  payout: PayoutService;
+  review: ReviewService;
+}, options?: MarketplacePluginOptions): PluginRouteRegistration[] {
+  const r = router("Marketplace - Vendors", "/marketplace/vendors");
+  // ─── List vendors ──────────────────────────────────────────────────────────
+  r.get("/")
+    .summary("List all vendors")
+    .permission("marketplace:admin")
+    .handler(async ({ query }) => {
+      const vendors = await services.vendor.list(stripUndefined({
+        status: query.status as string | undefined,
+        tier: query.tier as string | undefined,
+        search: query.search as string | undefined,
+      }));
+      return vendors.map(stripVendorSecrets);
+    });
+  // ─── Create vendor ─────────────────────────────────────────────────────────
+  r.post("/")
+    .summary("Create a vendor")
+    .permission("marketplace:admin")
+    .input(CreateVendorBodySchema)
+    .handler(async ({ input, actor }) => {
+      const body = input as z.infer<typeof CreateVendorBodySchema>;
+      const defaultBps = options?.defaultCommissionRateBps ?? 1000;
+      return services.vendor.create(resolveOrgId(actor), stripUndefined({
+        ...body,
+        commissionRateBps: body.commissionRateBps ?? defaultBps,
+      }));
+    });
+  // ─── Get vendor detail ─────────────────────────────────────────────────────
+  r.get("/{id}")
+    .summary("Get vendor detail")
+    .permission("marketplace:admin")
+    .handler(async ({ params }) => {
+      const vendor = await services.vendor.getById(params.id!);
+      if (!vendor) throw new Error("Vendor not found");
+      return stripVendorSecrets(vendor);
+    });
+  // ─── Update vendor ─────────────────────────────────────────────────────────
+  r.patch("/{id}")
+    .summary("Update a vendor")
+    .permission("marketplace:admin")
+    .input(UpdateVendorBodySchema)
+    .handler(async ({ params, input }) => {
+      const body = input as z.infer<typeof UpdateVendorBodySchema>;
+      const updated = await services.vendor.update(params.id!, stripUndefined(body));
+      if (!updated) throw new Error("Vendor not found");
+      return stripVendorSecrets(updated);
+    });
+  // ─── Approve vendor ────────────────────────────────────────────────────────
+  r.post("/{id}/approve")
+    .summary("Approve a vendor application")
+    .permission("marketplace:admin")
+    .handler(async ({ params }) => {
+      const vendor = await services.vendor.getById(params.id!);
+      if (!vendor) throw new Error("Vendor not found");
+      const approved = await services.vendor.approve(params.id!);
+      if (!approved) throw new Error("Vendor not found");
+      return stripVendorSecrets(approved);
+    });
+  // ─── Reject vendor ─────────────────────────────────────────────────────────
+  r.post("/{id}/reject")
+    .summary("Reject a vendor application")
+    .permission("marketplace:admin")
+    .input(RejectVendorBodySchema)
+    .handler(async ({ params, input }) => {
+      const body = input as z.infer<typeof RejectVendorBodySchema>;
+      const vendor = await services.vendor.getById(params.id!);
+      if (!vendor) throw new Error("Vendor not found");
+      const rejected = await services.vendor.reject(params.id!, body.reason);
+      if (!rejected) throw new Error("Vendor not found");
+      return stripVendorSecrets(rejected);
+    });
+  // ─── Suspend vendor ────────────────────────────────────────────────────────
+  r.post("/{id}/suspend")
+    .summary("Suspend a vendor")
+    .permission("marketplace:admin")
+    .input(SuspendVendorBodySchema)
+    .handler(async ({ params, input }) => {
+      const body = input as z.infer<typeof SuspendVendorBodySchema>;
+      const vendor = await services.vendor.getById(params.id!);
+      if (!vendor) throw new Error("Vendor not found");
+      const suspended = await services.vendor.suspend(params.id!, body.reason);
+      if (!suspended) throw new Error("Vendor not found");
+      return stripVendorSecrets(suspended);
+    });
+  // ─── Reinstate vendor ──────────────────────────────────────────────────────
+  r.post("/{id}/reinstate")
+    .summary("Reinstate a suspended vendor")
+    .permission("marketplace:admin")
+    .handler(async ({ params }) => {
+      const vendor = await services.vendor.getById(params.id!);
+      if (!vendor) throw new Error("Vendor not found");
+      const reinstated = await services.vendor.reinstate(params.id!);
+      if (!reinstated) throw new Error("Vendor not found");
+      return stripVendorSecrets(reinstated);
+    });
+  // ─── Upload vendor document ────────────────────────────────────────────────
+  r.post("/{id}/documents")
+    .summary("Upload a vendor document")
+    .permission("marketplace:admin")
+    .input(UploadDocumentBodySchema)
+    .handler(async ({ params, input }) => {
+      const body = input as z.infer<typeof UploadDocumentBodySchema>;
+      const vendor = await services.vendor.getById(params.id!);
+      if (!vendor) throw new Error("Vendor not found");
+      return services.vendor.uploadDocument(params.id!, {
+        type: body.type,
+        fileUrl: body.fileUrl,
+      });
+    });
+  // ─── List vendor documents ─────────────────────────────────────────────────
+  r.get("/{id}/documents")
+    .summary("List vendor documents")
+    .permission("marketplace:admin")
+    .handler(async ({ params }) => {
+      const vendor = await services.vendor.getById(params.id!);
+      if (!vendor) throw new Error("Vendor not found");
+      return services.vendor.listDocuments(params.id!);
+    });
+  // ─── Approve document ──────────────────────────────────────────────────────
+  r.post("/{id}/documents/{docId}/approve")
+    .summary("Approve a vendor document")
+    .permission("marketplace:admin")
+    .handler(async ({ params }) => {
+      const updated = await services.vendor.approveDocument(params.docId!);
+      if (!updated) throw new Error("Document not found");
+      return updated;
+    });
+  // ─── Reject document ───────────────────────────────────────────────────────
+  r.post("/{id}/documents/{docId}/reject")
+    .summary("Reject a vendor document")
+    .permission("marketplace:admin")
+    .handler(async ({ params }) => {
+      const updated = await services.vendor.rejectDocument(params.docId!);
+      if (!updated) throw new Error("Document not found");
+      return updated;
+    });
+  // ─── Vendor balance ────────────────────────────────────────────────────────
+  r.get("/{id}/balance")
+    .summary("Get vendor balance")
+    .permission("marketplace:admin")
+    .handler(async ({ params }) => {
+      const vendor = await services.vendor.getById(params.id!);
+      if (!vendor) throw new Error("Vendor not found");
+      const balance = await services.payout.getBalance(params.id!);
+      const ledger = await services.payout.getLedger(params.id!);
+      return { balanceCents: balance, ledger };
+    });
+  // ─── Vendor performance ────────────────────────────────────────────────────
+  r.get("/{id}/performance")
+    .summary("Get vendor performance metrics")
+    .permission("marketplace:admin")
+    .handler(async ({ params }) => {
+      const vendor = await services.vendor.getById(params.id!);
+      if (!vendor) throw new Error("Vendor not found");
+      const rating = await services.review.getAggregateRating(params.id!);
+      const balance = await services.payout.getBalance(params.id!);
+      return {
+        vendorId: params.id!,
+        performanceScore: vendor.performanceScore,
+        tier: vendor.tier,
+        rating,
+        balanceCents: balance,
+      };
+    });
+  return r.routes();
+}