@xapps-platform/backend-kit 0.1.1

package/README.md

@@ -0,0 +1,196 @@
+# @xapps-platform/backend-kit
+
+Modular Node backend kit for the current Xapps backend contract.
+
+Current public surface:
+
+- backend composition for the shipped integrator contract
+
+Direction:
+
+- Node and PHP variants should converge on the same backend contract
+- actor differences should live in adapters, rights/scope, config, and data access
+- not in duplicated platform backend logic
+
+This package sits above:
+
+- `@xapps-platform/server-sdk`
+
+Use it when you want a working backend with default routes, default modes, and
+override seams, while keeping the later shared tenant/publisher direction
+open. The current shipped reference consumers are still tenant backends, but
+the package direction is actor-agnostic where possible.
+
+This is now a real package, not a placeholder or extraction stub. Keep the
+public entry surface stable and split internal package code behind it.
+
+Current package shape:
+
+- TypeScript source in `src/*`
+- ESM Node outputs in `dist/*`
+- public package exports stay stable while internal modules remain split
+
+## Start Here
+
+Consumer rule:
+
+- import `@xapps-platform/backend-kit`
+- import package entry surfaces such as `@xapps-platform/backend-kit/backend/...`
+- do not consume raw `src/...` files directly from apps
+
+## What It Gives You
+
+The current package surface provides:
+
+- backend-kit option normalization
+- backend-kit composition
+- default route surface
+- default mode tree
+- payment runtime assembly
+- host-proxy service assembly
+- subject-profile sourcing hooks
+
+Internal package structure is intentionally modular:
+
+- `src/index.ts`
+  thin public facade
+- `src/backend/options.ts`
+  option normalization and config shaping
+- `src/backend/paymentRuntime.ts`
+  payment runtime assembly and payment-page API helpers
+- `src/backend/modules.ts`
+  backend module composition
+- `src/backend/modes/*`
+  explicit default mode tree
+- `src/backend/routes/*`
+  explicit default route tree
+
+Current route surface includes:
+
+- health
+- reference
+- host core
+- lifecycle
+- bridge
+- payment
+- guard
+- subject profiles
+
+For hosted-integrator mode, the host API surface can also enforce explicit
+frontend-origin allowlists through `host.allowedOrigins`. Leave it empty for
+same-origin consumers; set it when the browser host runs on another domain and
+must call the tenant backend cross-origin. In practice that allowlist covers
+the browser-facing host API surface, including:
+
+- `/api/host-config`
+- `/api/resolve-subject`
+- `/api/create-catalog-session`
+- `/api/create-widget-session`
+- lifecycle routes under `/api/install*`
+- bridge routes under `/api/bridge/*`
+
+For the secure long-term hosted-integrator path, use a short-lived bootstrap
+token instead of trusting browser subject input:
+
+- integrator backend calls `POST /api/host-bootstrap`
+- tenant backend authenticates with `X-API-Key`
+- tenant backend resolves the subject through the gateway/host proxy
+- tenant backend returns a short-lived `bootstrapToken`
+- browser host sends that token in `X-Xapps-Host-Bootstrap`
+
+In the current design, the tenant backend signs that bootstrap token locally.
+The gateway participates in subject resolution, but does not issue the browser
+bootstrap token itself.
+
+That token should be treated as temporary bootstrap state. After expiry, the
+frontend should re-run bootstrap instead of trying to continue on stored
+`subjectId` alone.
+
+Recommended host config for that mode:
+
+- `host.allowedOrigins`
+- `host.bootstrap.apiKeys`
+- `host.bootstrap.signingSecret`
+- optional `host.bootstrap.ttlSeconds`
+
+Current default mode tree includes:
+
+- `gateway_managed`
+- `tenant_delegated`
+- `publisher_delegated`
+- `owner_managed`
+
+For `owner_managed`, the packaged default can run tenant-owned or
+publisher-owned. Use `payments.ownerIssuer` when the backend should default the
+owner-managed lane to `publisher` instead of `tenant` when the guard config
+does not narrow the issuer explicitly.
+
+If the owner-managed payment page redirects back to an integrator frontend on a
+different domain, include that frontend origin in the payment return URL
+allowlist as well.
+
+## What Should Stay Local
+
+A consuming app should still keep these local when they are actor-specific:
+
+- startup and env/config mapping
+- branding and host pages/assets
+- actor-specific subject-profile catalogs or resolver hooks
+- explicit mode or route overrides
+
+## Recommended Consumer Structure
+
+Start small and keep local ownership obvious.
+
+```text
+tenant-backend/
+  server.js
+  lib/
+    config.js
+    appSurfaceModule.js
+    subjectProfiles/defaultProfiles.js
+  routes/
+    host.js
+    host/
+      pages.js
+      shared.js
+  modes/
+    index.js
+    */README.md
+  public/
+    branding-assets...
+```
+
+Recommended override order:
+
+1. backend-kit options
+2. local branding/assets and subject-profile data
+3. injected services or resolver hooks
+4. explicit route or mode overrides
+
+Do not copy package default route implementations into the app just to mirror
+the package layout.
+
+## When To Drop Lower
+
+Use `@xapps-platform/server-sdk` directly only when the consumer needs a lower-level
+seam that the backend kit intentionally does not own.
+
+## Rule
+
+Do not add route-level wrapper aliases here.
+
+Keep the public surface:
+
+- module oriented
+- config driven
+- hook based
+
+Keep internals:
+
+- explicit
+- modular
+- safe to refactor behind the stable entry surface
+
+Node and PHP should keep the same backend behavior in the end. Differences
+should be runtime-adapter concerns, not separate platform feature lines.

package/dist/backend/modes/gateway-managed/payment.d.ts

@@ -0,0 +1,23 @@
+export declare const paymentMode = "gateway_managed";
+export declare const paymentModeLabel = "Gateway managed";
+export declare const paymentModeDescription = "Gateway owns hosted checkout and provider execution. Tenant mainly consumes the lane.";
+export declare const paymentSessionModel: {
+    uses_gateway_payment_session: boolean;
+    tenant_owns_payment_page: boolean;
+    tenant_owns_payment_session_endpoints: boolean;
+    tenant_calls_gateway_payment_session_api_directly: boolean;
+    tenant_session_reference: string;
+};
+export declare const requiredSettings: string[];
+export declare const paymentResponsibilities: string[];
+export declare const paymentEndpoints: any[];
+export declare const referenceEndpointGroup: {
+    key: string;
+    label: string;
+    when_to_use: string;
+    endpoints: any[];
+    notes: string[];
+};
+export declare function buildPaymentUrl(input: any, runtime?: {}): Promise<string>;
+export declare function registerRoutes(): Promise<void>;
+//# sourceMappingURL=payment.d.ts.map

package/dist/backend/modes/gateway-managed/payment.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"payment.d.ts","sourceRoot":"","sources":["../../../../src/backend/modes/gateway-managed/payment.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,WAAW,oBAAoB,CAAC;AAC7C,eAAO,MAAM,gBAAgB,oBAAoB,CAAC;AAClD,eAAO,MAAM,sBAAsB,0FACsD,CAAC;AAC1F,eAAO,MAAM,mBAAmB;;;;;;CAM/B,CAAC;AACF,eAAO,MAAM,gBAAgB,UAG5B,CAAC;AACF,eAAO,MAAM,uBAAuB,UAInC,CAAC;AACF,eAAO,MAAM,gBAAgB,OAAK,CAAC;AAEnC,eAAO,MAAM,sBAAsB;;;;;;CAUlC,CAAC;AAEF,wBAAsB,eAAe,CAAC,KAAK,KAAA,EAAE,OAAO,KAAK,mBAExD;AAED,wBAAsB,cAAc,kBAAK"}

package/dist/backend/modes/gateway-managed/payment.js

@@ -0,0 +1,49 @@
+import { buildPaymentUrl as buildGatewayManagedPaymentUrl } from "./paymentSession.js";
+const paymentMode = "gateway_managed";
+const paymentModeLabel = "Gateway managed";
+const paymentModeDescription = "Gateway owns hosted checkout and provider execution. Tenant mainly consumes the lane.";
+const paymentSessionModel = {
+  uses_gateway_payment_session: true,
+  tenant_owns_payment_page: false,
+  tenant_owns_payment_session_endpoints: false,
+  tenant_calls_gateway_payment_session_api_directly: false,
+  tenant_session_reference: "gateway-hosted session only"
+};
+const requiredSettings = [
+  "XCONECT_GUARD_INGEST_API_KEY",
+  "XCONECT_TENANT_PAYMENT_RETURN_SECRET or XCONECT_TENANT_PAYMENT_RETURN_SECRET_REF"
+];
+const paymentResponsibilities = [
+  "keep gateway-managed payment lane configured",
+  "do not implement a tenant payment page for this mode",
+  "reuse gateway-hosted checkout returned by the platform"
+];
+const paymentEndpoints = [];
+const referenceEndpointGroup = {
+  key: "gateway_managed_payment_reference",
+  label: "Gateway-managed payment reference",
+  when_to_use: "Use this when the tenant keeps the first-lane managed payment flow and the gateway owns checkout orchestration.",
+  endpoints: [],
+  notes: [
+    "Existing xapps use the gateway-hosted payment page for this mode.",
+    "The tenant backend participates through guard execution and tenant configuration, not through a tenant payment page."
+  ]
+};
+async function buildPaymentUrl(input, runtime = {}) {
+  return buildGatewayManagedPaymentUrl(input, runtime);
+}
+async function registerRoutes() {
+}
+export {
+  buildPaymentUrl,
+  paymentEndpoints,
+  paymentMode,
+  paymentModeDescription,
+  paymentModeLabel,
+  paymentResponsibilities,
+  paymentSessionModel,
+  referenceEndpointGroup,
+  registerRoutes,
+  requiredSettings
+};
+//# sourceMappingURL=payment.js.map

package/dist/backend/modes/gateway-managed/payment.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/backend/modes/gateway-managed/payment.ts"],
+  "sourcesContent": ["// @ts-nocheck\nimport { buildPaymentUrl as buildGatewayManagedPaymentUrl } from \"./paymentSession.js\";\n\nexport const paymentMode = \"gateway_managed\";\nexport const paymentModeLabel = \"Gateway managed\";\nexport const paymentModeDescription =\n  \"Gateway owns hosted checkout and provider execution. Tenant mainly consumes the lane.\";\nexport const paymentSessionModel = {\n  uses_gateway_payment_session: true,\n  tenant_owns_payment_page: false,\n  tenant_owns_payment_session_endpoints: false,\n  tenant_calls_gateway_payment_session_api_directly: false,\n  tenant_session_reference: \"gateway-hosted session only\",\n};\nexport const requiredSettings = [\n  \"XCONECT_GUARD_INGEST_API_KEY\",\n  \"XCONECT_TENANT_PAYMENT_RETURN_SECRET or XCONECT_TENANT_PAYMENT_RETURN_SECRET_REF\",\n];\nexport const paymentResponsibilities = [\n  \"keep gateway-managed payment lane configured\",\n  \"do not implement a tenant payment page for this mode\",\n  \"reuse gateway-hosted checkout returned by the platform\",\n];\nexport const paymentEndpoints = [];\n\nexport const referenceEndpointGroup = {\n  key: \"gateway_managed_payment_reference\",\n  label: \"Gateway-managed payment reference\",\n  when_to_use:\n    \"Use this when the tenant keeps the first-lane managed payment flow and the gateway owns checkout orchestration.\",\n  endpoints: [],\n  notes: [\n    \"Existing xapps use the gateway-hosted payment page for this mode.\",\n    \"The tenant backend participates through guard execution and tenant configuration, not through a tenant payment page.\",\n  ],\n};\n\nexport async function buildPaymentUrl(input, runtime = {}) {\n  return buildGatewayManagedPaymentUrl(input, runtime);\n}\n\nexport async function registerRoutes() {}\n"],
+  "mappings": "AACA,SAAS,mBAAmB,qCAAqC;AAE1D,MAAM,cAAc;AACpB,MAAM,mBAAmB;AACzB,MAAM,yBACX;AACK,MAAM,sBAAsB;AAAA,EACjC,8BAA8B;AAAA,EAC9B,0BAA0B;AAAA,EAC1B,uCAAuC;AAAA,EACvC,mDAAmD;AAAA,EACnD,0BAA0B;AAC5B;AACO,MAAM,mBAAmB;AAAA,EAC9B;AAAA,EACA;AACF;AACO,MAAM,0BAA0B;AAAA,EACrC;AAAA,EACA;AAAA,EACA;AACF;AACO,MAAM,mBAAmB,CAAC;AAE1B,MAAM,yBAAyB;AAAA,EACpC,KAAK;AAAA,EACL,OAAO;AAAA,EACP,aACE;AAAA,EACF,WAAW,CAAC;AAAA,EACZ,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACF;AAEA,eAAsB,gBAAgB,OAAO,UAAU,CAAC,GAAG;AACzD,SAAO,8BAA8B,OAAO,OAAO;AACrD;AAEA,eAAsB,iBAAiB;AAAC;",
+  "names": []
+}

package/dist/backend/modes/gateway-managed/paymentSession.d.ts

@@ -0,0 +1,4 @@
+import { extractHostedPaymentSessionId } from "../../../index.js";
+export declare function buildPaymentUrl(input: any, runtime?: {}): Promise<string>;
+export { extractHostedPaymentSessionId };
+//# sourceMappingURL=paymentSession.d.ts.map

package/dist/backend/modes/gateway-managed/paymentSession.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"paymentSession.d.ts","sourceRoot":"","sources":["../../../../src/backend/modes/gateway-managed/paymentSession.ts"],"names":[],"mappings":"AACA,OAAO,EAAoC,6BAA6B,EAAE,MAAM,mBAAmB,CAAC;AAEpG,wBAAsB,eAAe,CAAC,KAAK,KAAA,EAAE,OAAO,KAAK,mBASxD;AAED,OAAO,EAAE,6BAA6B,EAAE,CAAC"}

package/dist/backend/modes/gateway-managed/paymentSession.js

@@ -0,0 +1,16 @@
+import { buildModeHostedGatewayPaymentUrl, extractHostedPaymentSessionId } from "../../../index.js";
+async function buildPaymentUrl(input, runtime = {}) {
+  return buildModeHostedGatewayPaymentUrl(
+    input,
+    {
+      fallbackIssuer: "gateway",
+      storedIssuer: "gateway"
+    },
+    runtime
+  );
+}
+export {
+  buildPaymentUrl,
+  extractHostedPaymentSessionId
+};
+//# sourceMappingURL=paymentSession.js.map

package/dist/backend/modes/gateway-managed/paymentSession.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/backend/modes/gateway-managed/paymentSession.ts"],
+  "sourcesContent": ["// @ts-nocheck\nimport { buildModeHostedGatewayPaymentUrl, extractHostedPaymentSessionId } from \"../../../index.js\";\n\nexport async function buildPaymentUrl(input, runtime = {}) {\n  return buildModeHostedGatewayPaymentUrl(\n    input,\n    {\n      fallbackIssuer: \"gateway\",\n      storedIssuer: \"gateway\",\n    },\n    runtime,\n  );\n}\n\nexport { extractHostedPaymentSessionId };\n"],
+  "mappings": "AACA,SAAS,kCAAkC,qCAAqC;AAEhF,eAAsB,gBAAgB,OAAO,UAAU,CAAC,GAAG;AACzD,SAAO;AAAA,IACL;AAAA,IACA;AAAA,MACE,gBAAgB;AAAA,MAChB,cAAc;AAAA,IAChB;AAAA,IACA;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/backend/modes/gateway-managed/policy.d.ts

@@ -0,0 +1,68 @@
+export declare const policyResponsibilities: string[];
+export declare const policyEndpoints: {
+    method: string;
+    path: string;
+    purpose: string;
+}[];
+export declare function buildBlockedResult(input: any, runtime?: {}): Promise<{
+    allowed: boolean;
+    reason: any;
+    message: any;
+    action: import("@xapps/server-sdk").PaymentGuardAction;
+    details: {
+        verification_failure?: any;
+        uiRequired: boolean;
+        orchestration: {
+            reference_mode?: any;
+            mode: string;
+            surface: string;
+            status: string;
+            payment_session_id: any;
+            payment_mode: any;
+        };
+        payment_status: any;
+        expected_amount: any;
+        expected_currency: any;
+    };
+}>;
+export declare function resolvePolicyResult(input: any, runtime?: {}): Promise<{
+    allowed: boolean;
+    reason: string;
+    message: string;
+    details: {
+        reference_mode?: any;
+        payment_status: any;
+        orchestrationApproved: any;
+        gatewayPaymentVerified: any;
+        paidByGatewayHint: boolean;
+        paidByPlainStatusFallback: boolean;
+        paidByVerifiedEvidence: any;
+        verified_contract: any;
+        payment_mode: any;
+    };
+} | {
+    allowed: boolean;
+    reason: any;
+    message: any;
+    action: import("@xapps/server-sdk").PaymentGuardAction;
+    details: {
+        verification_failure?: any;
+        uiRequired: boolean;
+        orchestration: {
+            reference_mode?: any;
+            mode: string;
+            surface: string;
+            status: string;
+            payment_session_id: any;
+            payment_mode: any;
+        };
+        payment_status: any;
+        expected_amount: any;
+        expected_currency: any;
+    };
+}>;
+export declare function resolvePolicyRequest(payloadInput: any, { log, paymentRuntime }: {
+    log: any;
+    paymentRuntime?: {};
+}): Promise<any>;
+//# sourceMappingURL=policy.d.ts.map

package/dist/backend/modes/gateway-managed/policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../../../src/backend/modes/gateway-managed/policy.ts"],"names":[],"mappings":"AAUA,eAAO,MAAM,sBAAsB,UAGlC,CAAC;AACF,eAAO,MAAM,eAAe;;;;GAM3B,CAAC;AAMF,wBAAsB,kBAAkB,CAAC,KAAK,KAAA,EAAE,OAAO,KAAK;;;;;;;;;;;;;;;;;;;;GAM3D;AAED,wBAAsB,mBAAmB,CAAC,KAAK,KAAA,EAAE,OAAO,KAAK;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAK5D;AAED,wBAAsB,oBAAoB,CAAC,YAAY,KAAA,EAAE,EAAE,GAAG,EAAE,cAAmB,EAAE;;;CAAA,gBASpF"}

package/dist/backend/modes/gateway-managed/policy.js

@@ -0,0 +1,53 @@
+import { resolveAllowedIssuers, resolveExpectedPaymentIssuer } from "./policyContext.js";
+import {
+  buildPaymentPolicyAllowedResult,
+  buildPaymentPolicyBlockedResult,
+  resolvePolicyRequestCommon
+} from "../../policies/common.js";
+import { extractHostedPaymentSessionId } from "./paymentSession.js";
+import { buildPaymentUrl, paymentMode } from "./payment.js";
+const policyResponsibilities = [
+  "verify signed payment evidence for the gateway-managed lane",
+  "block and return the gateway-hosted payment action when evidence is missing"
+];
+const policyEndpoints = [
+  {
+    method: "POST",
+    path: "/xapps/requests",
+    purpose: "Runs the tenant payment policy for gateway-managed xapps."
+  }
+];
+function buildAllowedResult(input) {
+  return buildPaymentPolicyAllowedResult(input, { paymentMode });
+}
+async function buildBlockedResult(input, runtime = {}) {
+  return buildPaymentPolicyBlockedResult(input, {
+    buildPaymentUrl: (payload) => buildPaymentUrl(payload, runtime),
+    extractHostedPaymentSessionId,
+    modeMeta: { paymentMode }
+  });
+}
+async function resolvePolicyResult(input, runtime = {}) {
+  if (input.paidByVerifiedEvidence && !input.verificationFailure) {
+    return buildAllowedResult(input);
+  }
+  return buildBlockedResult(input, runtime);
+}
+async function resolvePolicyRequest(payloadInput, { log, paymentRuntime = {} }) {
+  return resolvePolicyRequestCommon({
+    payloadInput,
+    log,
+    resolveAllowedIssuers,
+    resolveExpectedPaymentIssuer,
+    resolveModeResult: resolvePolicyResult,
+    paymentRuntime
+  });
+}
+export {
+  buildBlockedResult,
+  policyEndpoints,
+  policyResponsibilities,
+  resolvePolicyRequest,
+  resolvePolicyResult
+};
+//# sourceMappingURL=policy.js.map

package/dist/backend/modes/gateway-managed/policy.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/backend/modes/gateway-managed/policy.ts"],
+  "sourcesContent": ["// @ts-nocheck\nimport { resolveAllowedIssuers, resolveExpectedPaymentIssuer } from \"./policyContext.js\";\nimport {\n  buildPaymentPolicyAllowedResult,\n  buildPaymentPolicyBlockedResult,\n  resolvePolicyRequestCommon,\n} from \"../../policies/common.js\";\nimport { extractHostedPaymentSessionId } from \"./paymentSession.js\";\nimport { buildPaymentUrl, paymentMode } from \"./payment.js\";\n\nexport const policyResponsibilities = [\n  \"verify signed payment evidence for the gateway-managed lane\",\n  \"block and return the gateway-hosted payment action when evidence is missing\",\n];\nexport const policyEndpoints = [\n  {\n    method: \"POST\",\n    path: \"/xapps/requests\",\n    purpose: \"Runs the tenant payment policy for gateway-managed xapps.\",\n  },\n];\n\nfunction buildAllowedResult(input) {\n  return buildPaymentPolicyAllowedResult(input, { paymentMode });\n}\n\nexport async function buildBlockedResult(input, runtime = {}) {\n  return buildPaymentPolicyBlockedResult(input, {\n    buildPaymentUrl: (payload) => buildPaymentUrl(payload, runtime),\n    extractHostedPaymentSessionId,\n    modeMeta: { paymentMode },\n  });\n}\n\nexport async function resolvePolicyResult(input, runtime = {}) {\n  if (input.paidByVerifiedEvidence && !input.verificationFailure) {\n    return buildAllowedResult(input);\n  }\n  return buildBlockedResult(input, runtime);\n}\n\nexport async function resolvePolicyRequest(payloadInput, { log, paymentRuntime = {} }) {\n  return resolvePolicyRequestCommon({\n    payloadInput,\n    log,\n    resolveAllowedIssuers,\n    resolveExpectedPaymentIssuer,\n    resolveModeResult: resolvePolicyResult,\n    paymentRuntime,\n  });\n}\n"],
+  "mappings": "AACA,SAAS,uBAAuB,oCAAoC;AACpE;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,qCAAqC;AAC9C,SAAS,iBAAiB,mBAAmB;AAEtC,MAAM,yBAAyB;AAAA,EACpC;AAAA,EACA;AACF;AACO,MAAM,kBAAkB;AAAA,EAC7B;AAAA,IACE,QAAQ;AAAA,IACR,MAAM;AAAA,IACN,SAAS;AAAA,EACX;AACF;AAEA,SAAS,mBAAmB,OAAO;AACjC,SAAO,gCAAgC,OAAO,EAAE,YAAY,CAAC;AAC/D;AAEA,eAAsB,mBAAmB,OAAO,UAAU,CAAC,GAAG;AAC5D,SAAO,gCAAgC,OAAO;AAAA,IAC5C,iBAAiB,CAAC,YAAY,gBAAgB,SAAS,OAAO;AAAA,IAC9D;AAAA,IACA,UAAU,EAAE,YAAY;AAAA,EAC1B,CAAC;AACH;AAEA,eAAsB,oBAAoB,OAAO,UAAU,CAAC,GAAG;AAC7D,MAAI,MAAM,0BAA0B,CAAC,MAAM,qBAAqB;AAC9D,WAAO,mBAAmB,KAAK;AAAA,EACjC;AACA,SAAO,mBAAmB,OAAO,OAAO;AAC1C;AAEA,eAAsB,qBAAqB,cAAc,EAAE,KAAK,iBAAiB,CAAC,EAAE,GAAG;AACrF,SAAO,2BAA2B;AAAA,IAChC;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,mBAAmB;AAAA,IACnB;AAAA,EACF,CAAC;AACH;",
+  "names": []
+}

package/dist/backend/modes/gateway-managed/policyContext.d.ts

@@ -0,0 +1,5 @@
+import { buildPaymentAction, hasUpstreamPaymentVerified, resolveMergedContext, resolvePriceAmount } from "../../policies/common.js";
+export { buildPaymentAction, hasUpstreamPaymentVerified, resolveMergedContext, resolvePriceAmount };
+export declare function resolveExpectedPaymentIssuer(): string;
+export declare function resolveAllowedIssuers(guardConfig: any): string[];
+//# sourceMappingURL=policyContext.d.ts.map

package/dist/backend/modes/gateway-managed/policyContext.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policyContext.d.ts","sourceRoot":"","sources":["../../../../src/backend/modes/gateway-managed/policyContext.ts"],"names":[],"mappings":"AACA,OAAO,EACL,kBAAkB,EAClB,0BAA0B,EAE1B,oBAAoB,EACpB,kBAAkB,EACnB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAAE,kBAAkB,EAAE,0BAA0B,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,CAAC;AAEpG,wBAAgB,4BAA4B,WAE3C;AAED,wBAAgB,qBAAqB,CAAC,WAAW,KAAA,YAEhD"}

package/dist/backend/modes/gateway-managed/policyContext.js

@@ -0,0 +1,22 @@
+import {
+  buildPaymentAction,
+  hasUpstreamPaymentVerified,
+  normalizeAllowedIssuers,
+  resolveMergedContext,
+  resolvePriceAmount
+} from "../../policies/common.js";
+function resolveExpectedPaymentIssuer() {
+  return "gateway";
+}
+function resolveAllowedIssuers(guardConfig) {
+  return normalizeAllowedIssuers(guardConfig, "gateway");
+}
+export {
+  buildPaymentAction,
+  hasUpstreamPaymentVerified,
+  resolveAllowedIssuers,
+  resolveExpectedPaymentIssuer,
+  resolveMergedContext,
+  resolvePriceAmount
+};
+//# sourceMappingURL=policyContext.js.map

package/dist/backend/modes/gateway-managed/policyContext.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/backend/modes/gateway-managed/policyContext.ts"],
+  "sourcesContent": ["// @ts-nocheck\nimport {\n  buildPaymentAction,\n  hasUpstreamPaymentVerified,\n  normalizeAllowedIssuers,\n  resolveMergedContext,\n  resolvePriceAmount,\n} from \"../../policies/common.js\";\n\nexport { buildPaymentAction, hasUpstreamPaymentVerified, resolveMergedContext, resolvePriceAmount };\n\nexport function resolveExpectedPaymentIssuer() {\n  return \"gateway\";\n}\n\nexport function resolveAllowedIssuers(guardConfig) {\n  return normalizeAllowedIssuers(guardConfig, \"gateway\");\n}\n"],
+  "mappings": "AACA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAIA,SAAS,+BAA+B;AAC7C,SAAO;AACT;AAEO,SAAS,sBAAsB,aAAa;AACjD,SAAO,wBAAwB,aAAa,SAAS;AACvD;",
+  "names": []
+}

package/dist/backend/modes/index.d.ts

@@ -0,0 +1,72 @@
+export declare const ALL_BACKEND_MODE_KEYS: readonly string[];
+export declare function normalizeEnabledBackendModes(enabledModes: any): any[];
+export declare function getBackendModeHandlers(enabledModes: any): any;
+export declare function getBackendModeEndpointGroups(enabledModes: any): ({
+    key: string;
+    label: string;
+    when_to_use: string;
+    endpoints: any[];
+    notes: string[];
+} | {
+    key: string;
+    label: string;
+    when_to_use: string;
+    endpoints: {
+        method: string;
+        path: string;
+        purpose: string;
+    }[];
+})[];
+export declare function getBackendModeReferenceDetails(enabledModes: any): ({
+    key: string;
+    label: string;
+    description: string;
+    payment_session_model: {
+        uses_gateway_payment_session: boolean;
+        tenant_owns_payment_page: boolean;
+        tenant_owns_payment_session_endpoints: boolean;
+        tenant_calls_gateway_payment_session_api_directly: boolean;
+        tenant_session_reference: string;
+    };
+    required_settings: string[];
+    payment_responsibilities: string[];
+    payment_endpoints: any[];
+    policy_responsibilities: string[];
+    policy_endpoints: {
+        method: string;
+        path: string;
+        purpose: string;
+    }[];
+    guide_path: string;
+    reference_key?: undefined;
+} | {
+    key: string;
+    reference_key: string;
+    label: string;
+    description: string;
+    payment_session_model: {
+        uses_gateway_payment_session: boolean;
+        tenant_owns_payment_page: boolean;
+        tenant_owns_payment_session_endpoints: boolean;
+        tenant_calls_gateway_payment_session_api_directly: boolean;
+        tenant_session_reference: string;
+    };
+    required_settings: string[];
+    payment_responsibilities: string[];
+    payment_endpoints: {
+        method: string;
+        path: string;
+        purpose: string;
+    }[];
+    policy_responsibilities: string[];
+    policy_endpoints: {
+        method: string;
+        path: string;
+        purpose: string;
+    }[];
+    guide_path: string;
+})[];
+export declare function resolveBackendPaymentPolicy(payloadInput: any, { log, enabledModes, paymentRuntime }?: {
+    paymentRuntime?: {};
+}): Promise<any>;
+//# sourceMappingURL=index.d.ts.map

package/dist/backend/modes/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/backend/modes/index.ts"],"names":[],"mappings":"AAwFA,eAAO,MAAM,qBAAqB,mBAAoD,CAAC;AAUvF,wBAAgB,4BAA4B,CAAC,YAAY,KAAA,SAYxD;AAED,wBAAgB,sBAAsB,CAAC,YAAY,KAAA,OAGlD;AAED,wBAAgB,4BAA4B,CAAC,YAAY,KAAA;;;;;;;;;;;;;;;KAWxD;AAED,wBAAgB,8BAA8B,CAAC,YAAY,KAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;KAG1D;AAeD,wBAAsB,2BAA2B,CAC/C,YAAY,KAAA,EACZ,EAAE,GAAG,EAAE,YAAY,EAAE,cAAmB,EAAE;;CAAK,gBAqBhD"}