@xapps-platform/backend-kit 0.1.1

package/dist/backend/modes/publisher-delegated/payment.js

@@ -0,0 +1,50 @@
+import { buildPaymentUrl as buildPublisherDelegatedPaymentUrl } from "./paymentSession.js";
+const paymentMode = "publisher_delegated";
+const paymentModeLabel = "Gateway delegated by publisher";
+const paymentModeDescription = "Gateway executes checkout with publisher-scoped delegated credentials and delegated signing.";
+const paymentSessionModel = {
+  uses_gateway_payment_session: true,
+  tenant_owns_payment_page: false,
+  tenant_owns_payment_session_endpoints: false,
+  tenant_calls_gateway_payment_session_api_directly: false,
+  tenant_session_reference: "gateway-hosted delegated session only"
+};
+const requiredSettings = [
+  "backend guard ingest API key",
+  "delegated publisher payment credential refs in the manifest/guard config",
+  "publisher delegated payment return secret or secret ref"
+];
+const paymentResponsibilities = [
+  "keep publisher-delegated payment lane configured",
+  "provide delegated publisher credential/signing configuration",
+  "reuse gateway-hosted checkout returned by the platform"
+];
+const paymentEndpoints = [];
+const referenceEndpointGroup = {
+  key: "publisher_delegated_payment_reference",
+  label: "Publisher-delegated payment reference",
+  when_to_use: "Use this when checkout is still gateway-hosted but publisher delegated credentials/signing are required.",
+  endpoints: [],
+  notes: [
+    "Existing xapps keep the gateway-hosted payment page for this mode too.",
+    "The backend participates through guard execution and delegated publisher configuration."
+  ]
+};
+async function buildPaymentUrl(input, runtime = {}) {
+  return buildPublisherDelegatedPaymentUrl(input, runtime);
+}
+async function registerRoutes() {
+}
+export {
+  buildPaymentUrl,
+  paymentEndpoints,
+  paymentMode,
+  paymentModeDescription,
+  paymentModeLabel,
+  paymentResponsibilities,
+  paymentSessionModel,
+  referenceEndpointGroup,
+  registerRoutes,
+  requiredSettings
+};
+//# sourceMappingURL=payment.js.map

package/dist/backend/modes/publisher-delegated/payment.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/backend/modes/publisher-delegated/payment.ts"],
+  "sourcesContent": ["// @ts-nocheck\nimport { buildPaymentUrl as buildPublisherDelegatedPaymentUrl } from \"./paymentSession.js\";\n\nexport const paymentMode = \"publisher_delegated\";\nexport const paymentModeLabel = \"Gateway delegated by publisher\";\nexport const paymentModeDescription =\n  \"Gateway executes checkout with publisher-scoped delegated credentials and delegated signing.\";\nexport const paymentSessionModel = {\n  uses_gateway_payment_session: true,\n  tenant_owns_payment_page: false,\n  tenant_owns_payment_session_endpoints: false,\n  tenant_calls_gateway_payment_session_api_directly: false,\n  tenant_session_reference: \"gateway-hosted delegated session only\",\n};\nexport const requiredSettings = [\n  \"backend guard ingest API key\",\n  \"delegated publisher payment credential refs in the manifest/guard config\",\n  \"publisher delegated payment return secret or secret ref\",\n];\nexport const paymentResponsibilities = [\n  \"keep publisher-delegated payment lane configured\",\n  \"provide delegated publisher credential/signing configuration\",\n  \"reuse gateway-hosted checkout returned by the platform\",\n];\nexport const paymentEndpoints = [];\n\nexport const referenceEndpointGroup = {\n  key: \"publisher_delegated_payment_reference\",\n  label: \"Publisher-delegated payment reference\",\n  when_to_use:\n    \"Use this when checkout is still gateway-hosted but publisher delegated credentials/signing are required.\",\n  endpoints: [],\n  notes: [\n    \"Existing xapps keep the gateway-hosted payment page for this mode too.\",\n    \"The backend participates through guard execution and delegated publisher configuration.\",\n  ],\n};\n\nexport async function buildPaymentUrl(input, runtime = {}) {\n  return buildPublisherDelegatedPaymentUrl(input, runtime);\n}\n\nexport async function registerRoutes() {}\n"],
+  "mappings": "AACA,SAAS,mBAAmB,yCAAyC;AAE9D,MAAM,cAAc;AACpB,MAAM,mBAAmB;AACzB,MAAM,yBACX;AACK,MAAM,sBAAsB;AAAA,EACjC,8BAA8B;AAAA,EAC9B,0BAA0B;AAAA,EAC1B,uCAAuC;AAAA,EACvC,mDAAmD;AAAA,EACnD,0BAA0B;AAC5B;AACO,MAAM,mBAAmB;AAAA,EAC9B;AAAA,EACA;AAAA,EACA;AACF;AACO,MAAM,0BAA0B;AAAA,EACrC;AAAA,EACA;AAAA,EACA;AACF;AACO,MAAM,mBAAmB,CAAC;AAE1B,MAAM,yBAAyB;AAAA,EACpC,KAAK;AAAA,EACL,OAAO;AAAA,EACP,aACE;AAAA,EACF,WAAW,CAAC;AAAA,EACZ,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACF;AAEA,eAAsB,gBAAgB,OAAO,UAAU,CAAC,GAAG;AACzD,SAAO,kCAAkC,OAAO,OAAO;AACzD;AAEA,eAAsB,iBAAiB;AAAC;",
+  "names": []
+}

package/dist/backend/modes/publisher-delegated/paymentSession.d.ts

@@ -0,0 +1,4 @@
+import { extractHostedPaymentSessionId } from "../../../index.js";
+export declare function buildPaymentUrl(input: any, runtime?: {}): Promise<string>;
+export { extractHostedPaymentSessionId };
+//# sourceMappingURL=paymentSession.d.ts.map

package/dist/backend/modes/publisher-delegated/paymentSession.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"paymentSession.d.ts","sourceRoot":"","sources":["../../../../src/backend/modes/publisher-delegated/paymentSession.ts"],"names":[],"mappings":"AACA,OAAO,EAAoC,6BAA6B,EAAE,MAAM,mBAAmB,CAAC;AAEpG,wBAAsB,eAAe,CAAC,KAAK,KAAA,EAAE,OAAO,KAAK,mBASxD;AAED,OAAO,EAAE,6BAA6B,EAAE,CAAC"}

package/dist/backend/modes/publisher-delegated/paymentSession.js

@@ -0,0 +1,16 @@
+import { buildModeHostedGatewayPaymentUrl, extractHostedPaymentSessionId } from "../../../index.js";
+async function buildPaymentUrl(input, runtime = {}) {
+  return buildModeHostedGatewayPaymentUrl(
+    input,
+    {
+      fallbackIssuer: "publisher_delegated",
+      storedIssuer: "publisher_delegated"
+    },
+    runtime
+  );
+}
+export {
+  buildPaymentUrl,
+  extractHostedPaymentSessionId
+};
+//# sourceMappingURL=paymentSession.js.map

package/dist/backend/modes/publisher-delegated/paymentSession.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/backend/modes/publisher-delegated/paymentSession.ts"],
+  "sourcesContent": ["// @ts-nocheck\nimport { buildModeHostedGatewayPaymentUrl, extractHostedPaymentSessionId } from \"../../../index.js\";\n\nexport async function buildPaymentUrl(input, runtime = {}) {\n  return buildModeHostedGatewayPaymentUrl(\n    input,\n    {\n      fallbackIssuer: \"publisher_delegated\",\n      storedIssuer: \"publisher_delegated\",\n    },\n    runtime,\n  );\n}\n\nexport { extractHostedPaymentSessionId };\n"],
+  "mappings": "AACA,SAAS,kCAAkC,qCAAqC;AAEhF,eAAsB,gBAAgB,OAAO,UAAU,CAAC,GAAG;AACzD,SAAO;AAAA,IACL;AAAA,IACA;AAAA,MACE,gBAAgB;AAAA,MAChB,cAAc;AAAA,IAChB;AAAA,IACA;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/backend/modes/publisher-delegated/policy.d.ts

@@ -0,0 +1,68 @@
+export declare const policyResponsibilities: string[];
+export declare const policyEndpoints: {
+    method: string;
+    path: string;
+    purpose: string;
+}[];
+export declare function buildBlockedResult(input: any, runtime?: {}): Promise<{
+    allowed: boolean;
+    reason: any;
+    message: any;
+    action: import("@xapps/server-sdk").PaymentGuardAction;
+    details: {
+        verification_failure?: any;
+        uiRequired: boolean;
+        orchestration: {
+            reference_mode?: any;
+            mode: string;
+            surface: string;
+            status: string;
+            payment_session_id: any;
+            payment_mode: any;
+        };
+        payment_status: any;
+        expected_amount: any;
+        expected_currency: any;
+    };
+}>;
+export declare function resolvePolicyResult(input: any, runtime?: {}): Promise<{
+    allowed: boolean;
+    reason: string;
+    message: string;
+    details: {
+        reference_mode?: any;
+        payment_status: any;
+        orchestrationApproved: any;
+        gatewayPaymentVerified: any;
+        paidByGatewayHint: boolean;
+        paidByPlainStatusFallback: boolean;
+        paidByVerifiedEvidence: any;
+        verified_contract: any;
+        payment_mode: any;
+    };
+} | {
+    allowed: boolean;
+    reason: any;
+    message: any;
+    action: import("@xapps/server-sdk").PaymentGuardAction;
+    details: {
+        verification_failure?: any;
+        uiRequired: boolean;
+        orchestration: {
+            reference_mode?: any;
+            mode: string;
+            surface: string;
+            status: string;
+            payment_session_id: any;
+            payment_mode: any;
+        };
+        payment_status: any;
+        expected_amount: any;
+        expected_currency: any;
+    };
+}>;
+export declare function resolvePolicyRequest(payloadInput: any, { log, paymentRuntime }: {
+    log: any;
+    paymentRuntime?: {};
+}): Promise<any>;
+//# sourceMappingURL=policy.d.ts.map

package/dist/backend/modes/publisher-delegated/policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../../../src/backend/modes/publisher-delegated/policy.ts"],"names":[],"mappings":"AAUA,eAAO,MAAM,sBAAsB,UAGlC,CAAC;AACF,eAAO,MAAM,eAAe;;;;GAM3B,CAAC;AAMF,wBAAsB,kBAAkB,CAAC,KAAK,KAAA,EAAE,OAAO,KAAK;;;;;;;;;;;;;;;;;;;;GAM3D;AAED,wBAAsB,mBAAmB,CAAC,KAAK,KAAA,EAAE,OAAO,KAAK;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAK5D;AAED,wBAAsB,oBAAoB,CAAC,YAAY,KAAA,EAAE,EAAE,GAAG,EAAE,cAAmB,EAAE;;;CAAA,gBASpF"}

package/dist/backend/modes/publisher-delegated/policy.js

@@ -0,0 +1,53 @@
+import { resolveAllowedIssuers, resolveExpectedPaymentIssuer } from "./policyContext.js";
+import {
+  buildPaymentPolicyAllowedResult,
+  buildPaymentPolicyBlockedResult,
+  resolvePolicyRequestCommon
+} from "../../policies/common.js";
+import { extractHostedPaymentSessionId } from "./paymentSession.js";
+import { buildPaymentUrl, paymentMode } from "./payment.js";
+const policyResponsibilities = [
+  "verify signed payment evidence for the publisher-delegated lane",
+  "block and return the delegated gateway-hosted payment action when evidence is missing"
+];
+const policyEndpoints = [
+  {
+    method: "POST",
+    path: "/xapps/requests",
+    purpose: "Runs the payment policy for publisher-delegated xapps."
+  }
+];
+function buildAllowedResult(input) {
+  return buildPaymentPolicyAllowedResult(input, { paymentMode });
+}
+async function buildBlockedResult(input, runtime = {}) {
+  return buildPaymentPolicyBlockedResult(input, {
+    buildPaymentUrl: (payload) => buildPaymentUrl(payload, runtime),
+    extractHostedPaymentSessionId,
+    modeMeta: { paymentMode }
+  });
+}
+async function resolvePolicyResult(input, runtime = {}) {
+  if (input.paidByVerifiedEvidence && !input.verificationFailure) {
+    return buildAllowedResult(input);
+  }
+  return buildBlockedResult(input, runtime);
+}
+async function resolvePolicyRequest(payloadInput, { log, paymentRuntime = {} }) {
+  return resolvePolicyRequestCommon({
+    payloadInput,
+    log,
+    resolveAllowedIssuers,
+    resolveExpectedPaymentIssuer,
+    resolveModeResult: resolvePolicyResult,
+    paymentRuntime
+  });
+}
+export {
+  buildBlockedResult,
+  policyEndpoints,
+  policyResponsibilities,
+  resolvePolicyRequest,
+  resolvePolicyResult
+};
+//# sourceMappingURL=policy.js.map

package/dist/backend/modes/publisher-delegated/policy.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/backend/modes/publisher-delegated/policy.ts"],
+  "sourcesContent": ["// @ts-nocheck\nimport { resolveAllowedIssuers, resolveExpectedPaymentIssuer } from \"./policyContext.js\";\nimport {\n  buildPaymentPolicyAllowedResult,\n  buildPaymentPolicyBlockedResult,\n  resolvePolicyRequestCommon,\n} from \"../../policies/common.js\";\nimport { extractHostedPaymentSessionId } from \"./paymentSession.js\";\nimport { buildPaymentUrl, paymentMode } from \"./payment.js\";\n\nexport const policyResponsibilities = [\n  \"verify signed payment evidence for the publisher-delegated lane\",\n  \"block and return the delegated gateway-hosted payment action when evidence is missing\",\n];\nexport const policyEndpoints = [\n  {\n    method: \"POST\",\n    path: \"/xapps/requests\",\n    purpose: \"Runs the payment policy for publisher-delegated xapps.\",\n  },\n];\n\nfunction buildAllowedResult(input) {\n  return buildPaymentPolicyAllowedResult(input, { paymentMode });\n}\n\nexport async function buildBlockedResult(input, runtime = {}) {\n  return buildPaymentPolicyBlockedResult(input, {\n    buildPaymentUrl: (payload) => buildPaymentUrl(payload, runtime),\n    extractHostedPaymentSessionId,\n    modeMeta: { paymentMode },\n  });\n}\n\nexport async function resolvePolicyResult(input, runtime = {}) {\n  if (input.paidByVerifiedEvidence && !input.verificationFailure) {\n    return buildAllowedResult(input);\n  }\n  return buildBlockedResult(input, runtime);\n}\n\nexport async function resolvePolicyRequest(payloadInput, { log, paymentRuntime = {} }) {\n  return resolvePolicyRequestCommon({\n    payloadInput,\n    log,\n    resolveAllowedIssuers,\n    resolveExpectedPaymentIssuer,\n    resolveModeResult: resolvePolicyResult,\n    paymentRuntime,\n  });\n}\n"],
+  "mappings": "AACA,SAAS,uBAAuB,oCAAoC;AACpE;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,qCAAqC;AAC9C,SAAS,iBAAiB,mBAAmB;AAEtC,MAAM,yBAAyB;AAAA,EACpC;AAAA,EACA;AACF;AACO,MAAM,kBAAkB;AAAA,EAC7B;AAAA,IACE,QAAQ;AAAA,IACR,MAAM;AAAA,IACN,SAAS;AAAA,EACX;AACF;AAEA,SAAS,mBAAmB,OAAO;AACjC,SAAO,gCAAgC,OAAO,EAAE,YAAY,CAAC;AAC/D;AAEA,eAAsB,mBAAmB,OAAO,UAAU,CAAC,GAAG;AAC5D,SAAO,gCAAgC,OAAO;AAAA,IAC5C,iBAAiB,CAAC,YAAY,gBAAgB,SAAS,OAAO;AAAA,IAC9D;AAAA,IACA,UAAU,EAAE,YAAY;AAAA,EAC1B,CAAC;AACH;AAEA,eAAsB,oBAAoB,OAAO,UAAU,CAAC,GAAG;AAC7D,MAAI,MAAM,0BAA0B,CAAC,MAAM,qBAAqB;AAC9D,WAAO,mBAAmB,KAAK;AAAA,EACjC;AACA,SAAO,mBAAmB,OAAO,OAAO;AAC1C;AAEA,eAAsB,qBAAqB,cAAc,EAAE,KAAK,iBAAiB,CAAC,EAAE,GAAG;AACrF,SAAO,2BAA2B;AAAA,IAChC;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,mBAAmB;AAAA,IACnB;AAAA,EACF,CAAC;AACH;",
+  "names": []
+}

package/dist/backend/modes/publisher-delegated/policyContext.d.ts

@@ -0,0 +1,5 @@
+import { buildPaymentAction, hasUpstreamPaymentVerified, resolveMergedContext, resolvePriceAmount } from "../../policies/common.js";
+export { buildPaymentAction, hasUpstreamPaymentVerified, resolveMergedContext, resolvePriceAmount };
+export declare function resolveExpectedPaymentIssuer(): string;
+export declare function resolveAllowedIssuers(guardConfig: any): string[];
+//# sourceMappingURL=policyContext.d.ts.map

package/dist/backend/modes/publisher-delegated/policyContext.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policyContext.d.ts","sourceRoot":"","sources":["../../../../src/backend/modes/publisher-delegated/policyContext.ts"],"names":[],"mappings":"AACA,OAAO,EACL,kBAAkB,EAClB,0BAA0B,EAE1B,oBAAoB,EACpB,kBAAkB,EACnB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAAE,kBAAkB,EAAE,0BAA0B,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,CAAC;AAEpG,wBAAgB,4BAA4B,WAE3C;AAED,wBAAgB,qBAAqB,CAAC,WAAW,KAAA,YAEhD"}

package/dist/backend/modes/publisher-delegated/policyContext.js

@@ -0,0 +1,22 @@
+import {
+  buildPaymentAction,
+  hasUpstreamPaymentVerified,
+  normalizeAllowedIssuers,
+  resolveMergedContext,
+  resolvePriceAmount
+} from "../../policies/common.js";
+function resolveExpectedPaymentIssuer() {
+  return "publisher_delegated";
+}
+function resolveAllowedIssuers(guardConfig) {
+  return normalizeAllowedIssuers(guardConfig, "publisher_delegated");
+}
+export {
+  buildPaymentAction,
+  hasUpstreamPaymentVerified,
+  resolveAllowedIssuers,
+  resolveExpectedPaymentIssuer,
+  resolveMergedContext,
+  resolvePriceAmount
+};
+//# sourceMappingURL=policyContext.js.map

package/dist/backend/modes/publisher-delegated/policyContext.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/backend/modes/publisher-delegated/policyContext.ts"],
+  "sourcesContent": ["// @ts-nocheck\nimport {\n  buildPaymentAction,\n  hasUpstreamPaymentVerified,\n  normalizeAllowedIssuers,\n  resolveMergedContext,\n  resolvePriceAmount,\n} from \"../../policies/common.js\";\n\nexport { buildPaymentAction, hasUpstreamPaymentVerified, resolveMergedContext, resolvePriceAmount };\n\nexport function resolveExpectedPaymentIssuer() {\n  return \"publisher_delegated\";\n}\n\nexport function resolveAllowedIssuers(guardConfig) {\n  return normalizeAllowedIssuers(guardConfig, \"publisher_delegated\");\n}\n"],
+  "mappings": "AACA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAIA,SAAS,+BAA+B;AAC7C,SAAO;AACT;AAEO,SAAS,sBAAsB,aAAa;AACjD,SAAO,wBAAwB,aAAa,qBAAqB;AACnE;",
+  "names": []
+}

package/dist/backend/modes/tenant-delegated/payment.d.ts

@@ -0,0 +1,23 @@
+export declare const paymentMode = "tenant_delegated";
+export declare const paymentModeLabel = "Gateway delegated by tenant";
+export declare const paymentModeDescription = "Gateway executes checkout with tenant-scoped delegated credentials and delegated signing.";
+export declare const paymentSessionModel: {
+    uses_gateway_payment_session: boolean;
+    tenant_owns_payment_page: boolean;
+    tenant_owns_payment_session_endpoints: boolean;
+    tenant_calls_gateway_payment_session_api_directly: boolean;
+    tenant_session_reference: string;
+};
+export declare const requiredSettings: string[];
+export declare const paymentResponsibilities: string[];
+export declare const paymentEndpoints: any[];
+export declare const referenceEndpointGroup: {
+    key: string;
+    label: string;
+    when_to_use: string;
+    endpoints: any[];
+    notes: string[];
+};
+export declare function buildPaymentUrl(input: any, runtime?: {}): Promise<string>;
+export declare function registerRoutes(): Promise<void>;
+//# sourceMappingURL=payment.d.ts.map

package/dist/backend/modes/tenant-delegated/payment.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"payment.d.ts","sourceRoot":"","sources":["../../../../src/backend/modes/tenant-delegated/payment.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,WAAW,qBAAqB,CAAC;AAC9C,eAAO,MAAM,gBAAgB,gCAAgC,CAAC;AAC9D,eAAO,MAAM,sBAAsB,8FAC0D,CAAC;AAC9F,eAAO,MAAM,mBAAmB;;;;;;CAM/B,CAAC;AACF,eAAO,MAAM,gBAAgB,UAI5B,CAAC;AACF,eAAO,MAAM,uBAAuB,UAInC,CAAC;AACF,eAAO,MAAM,gBAAgB,OAAK,CAAC;AAEnC,eAAO,MAAM,sBAAsB;;;;;;CAUlC,CAAC;AAEF,wBAAsB,eAAe,CAAC,KAAK,KAAA,EAAE,OAAO,KAAK,mBAExD;AAED,wBAAsB,cAAc,kBAAK"}

package/dist/backend/modes/tenant-delegated/payment.js

@@ -0,0 +1,50 @@
+import { buildPaymentUrl as buildTenantDelegatedPaymentUrl } from "./paymentSession.js";
+const paymentMode = "tenant_delegated";
+const paymentModeLabel = "Gateway delegated by tenant";
+const paymentModeDescription = "Gateway executes checkout with tenant-scoped delegated credentials and delegated signing.";
+const paymentSessionModel = {
+  uses_gateway_payment_session: true,
+  tenant_owns_payment_page: false,
+  tenant_owns_payment_session_endpoints: false,
+  tenant_calls_gateway_payment_session_api_directly: false,
+  tenant_session_reference: "gateway-hosted delegated session only"
+};
+const requiredSettings = [
+  "XCONECT_GUARD_INGEST_API_KEY",
+  "delegated payment credential refs in the manifest/guard config",
+  "XCONECT_TENANT_PAYMENT_RETURN_SECRET or XCONECT_TENANT_PAYMENT_RETURN_SECRET_REF"
+];
+const paymentResponsibilities = [
+  "keep tenant-delegated payment lane configured",
+  "provide delegated credential/signing configuration",
+  "reuse gateway-hosted checkout returned by the platform"
+];
+const paymentEndpoints = [];
+const referenceEndpointGroup = {
+  key: "tenant_delegated_payment_reference",
+  label: "Tenant-delegated payment reference",
+  when_to_use: "Use this when checkout is still gateway-hosted but tenant delegated credentials/signing are required.",
+  endpoints: [],
+  notes: [
+    "Existing xapps keep the gateway-hosted payment page for this mode too.",
+    "The tenant backend participates through guard execution and delegated tenant configuration."
+  ]
+};
+async function buildPaymentUrl(input, runtime = {}) {
+  return buildTenantDelegatedPaymentUrl(input, runtime);
+}
+async function registerRoutes() {
+}
+export {
+  buildPaymentUrl,
+  paymentEndpoints,
+  paymentMode,
+  paymentModeDescription,
+  paymentModeLabel,
+  paymentResponsibilities,
+  paymentSessionModel,
+  referenceEndpointGroup,
+  registerRoutes,
+  requiredSettings
+};
+//# sourceMappingURL=payment.js.map

package/dist/backend/modes/tenant-delegated/payment.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/backend/modes/tenant-delegated/payment.ts"],
+  "sourcesContent": ["// @ts-nocheck\nimport { buildPaymentUrl as buildTenantDelegatedPaymentUrl } from \"./paymentSession.js\";\n\nexport const paymentMode = \"tenant_delegated\";\nexport const paymentModeLabel = \"Gateway delegated by tenant\";\nexport const paymentModeDescription =\n  \"Gateway executes checkout with tenant-scoped delegated credentials and delegated signing.\";\nexport const paymentSessionModel = {\n  uses_gateway_payment_session: true,\n  tenant_owns_payment_page: false,\n  tenant_owns_payment_session_endpoints: false,\n  tenant_calls_gateway_payment_session_api_directly: false,\n  tenant_session_reference: \"gateway-hosted delegated session only\",\n};\nexport const requiredSettings = [\n  \"XCONECT_GUARD_INGEST_API_KEY\",\n  \"delegated payment credential refs in the manifest/guard config\",\n  \"XCONECT_TENANT_PAYMENT_RETURN_SECRET or XCONECT_TENANT_PAYMENT_RETURN_SECRET_REF\",\n];\nexport const paymentResponsibilities = [\n  \"keep tenant-delegated payment lane configured\",\n  \"provide delegated credential/signing configuration\",\n  \"reuse gateway-hosted checkout returned by the platform\",\n];\nexport const paymentEndpoints = [];\n\nexport const referenceEndpointGroup = {\n  key: \"tenant_delegated_payment_reference\",\n  label: \"Tenant-delegated payment reference\",\n  when_to_use:\n    \"Use this when checkout is still gateway-hosted but tenant delegated credentials/signing are required.\",\n  endpoints: [],\n  notes: [\n    \"Existing xapps keep the gateway-hosted payment page for this mode too.\",\n    \"The tenant backend participates through guard execution and delegated tenant configuration.\",\n  ],\n};\n\nexport async function buildPaymentUrl(input, runtime = {}) {\n  return buildTenantDelegatedPaymentUrl(input, runtime);\n}\n\nexport async function registerRoutes() {}\n"],
+  "mappings": "AACA,SAAS,mBAAmB,sCAAsC;AAE3D,MAAM,cAAc;AACpB,MAAM,mBAAmB;AACzB,MAAM,yBACX;AACK,MAAM,sBAAsB;AAAA,EACjC,8BAA8B;AAAA,EAC9B,0BAA0B;AAAA,EAC1B,uCAAuC;AAAA,EACvC,mDAAmD;AAAA,EACnD,0BAA0B;AAC5B;AACO,MAAM,mBAAmB;AAAA,EAC9B;AAAA,EACA;AAAA,EACA;AACF;AACO,MAAM,0BAA0B;AAAA,EACrC;AAAA,EACA;AAAA,EACA;AACF;AACO,MAAM,mBAAmB,CAAC;AAE1B,MAAM,yBAAyB;AAAA,EACpC,KAAK;AAAA,EACL,OAAO;AAAA,EACP,aACE;AAAA,EACF,WAAW,CAAC;AAAA,EACZ,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACF;AAEA,eAAsB,gBAAgB,OAAO,UAAU,CAAC,GAAG;AACzD,SAAO,+BAA+B,OAAO,OAAO;AACtD;AAEA,eAAsB,iBAAiB;AAAC;",
+  "names": []
+}

package/dist/backend/modes/tenant-delegated/paymentSession.d.ts

@@ -0,0 +1,4 @@
+import { extractHostedPaymentSessionId } from "../../../index.js";
+export declare function buildPaymentUrl(input: any, runtime?: {}): Promise<string>;
+export { extractHostedPaymentSessionId };
+//# sourceMappingURL=paymentSession.d.ts.map

package/dist/backend/modes/tenant-delegated/paymentSession.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"paymentSession.d.ts","sourceRoot":"","sources":["../../../../src/backend/modes/tenant-delegated/paymentSession.ts"],"names":[],"mappings":"AACA,OAAO,EAAoC,6BAA6B,EAAE,MAAM,mBAAmB,CAAC;AAEpG,wBAAsB,eAAe,CAAC,KAAK,KAAA,EAAE,OAAO,KAAK,mBASxD;AAED,OAAO,EAAE,6BAA6B,EAAE,CAAC"}

package/dist/backend/modes/tenant-delegated/paymentSession.js

@@ -0,0 +1,16 @@
+import { buildModeHostedGatewayPaymentUrl, extractHostedPaymentSessionId } from "../../../index.js";
+async function buildPaymentUrl(input, runtime = {}) {
+  return buildModeHostedGatewayPaymentUrl(
+    input,
+    {
+      fallbackIssuer: "tenant_delegated",
+      storedIssuer: "tenant_delegated"
+    },
+    runtime
+  );
+}
+export {
+  buildPaymentUrl,
+  extractHostedPaymentSessionId
+};
+//# sourceMappingURL=paymentSession.js.map

package/dist/backend/modes/tenant-delegated/paymentSession.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/backend/modes/tenant-delegated/paymentSession.ts"],
+  "sourcesContent": ["// @ts-nocheck\nimport { buildModeHostedGatewayPaymentUrl, extractHostedPaymentSessionId } from \"../../../index.js\";\n\nexport async function buildPaymentUrl(input, runtime = {}) {\n  return buildModeHostedGatewayPaymentUrl(\n    input,\n    {\n      fallbackIssuer: \"tenant_delegated\",\n      storedIssuer: \"tenant_delegated\",\n    },\n    runtime,\n  );\n}\n\nexport { extractHostedPaymentSessionId };\n"],
+  "mappings": "AACA,SAAS,kCAAkC,qCAAqC;AAEhF,eAAsB,gBAAgB,OAAO,UAAU,CAAC,GAAG;AACzD,SAAO;AAAA,IACL;AAAA,IACA;AAAA,MACE,gBAAgB;AAAA,MAChB,cAAc;AAAA,IAChB;AAAA,IACA;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/backend/modes/tenant-delegated/policy.d.ts

@@ -0,0 +1,68 @@
+export declare const policyResponsibilities: string[];
+export declare const policyEndpoints: {
+    method: string;
+    path: string;
+    purpose: string;
+}[];
+export declare function buildBlockedResult(input: any, runtime?: {}): Promise<{
+    allowed: boolean;
+    reason: any;
+    message: any;
+    action: import("@xapps/server-sdk").PaymentGuardAction;
+    details: {
+        verification_failure?: any;
+        uiRequired: boolean;
+        orchestration: {
+            reference_mode?: any;
+            mode: string;
+            surface: string;
+            status: string;
+            payment_session_id: any;
+            payment_mode: any;
+        };
+        payment_status: any;
+        expected_amount: any;
+        expected_currency: any;
+    };
+}>;
+export declare function resolvePolicyResult(input: any, runtime?: {}): Promise<{
+    allowed: boolean;
+    reason: string;
+    message: string;
+    details: {
+        reference_mode?: any;
+        payment_status: any;
+        orchestrationApproved: any;
+        gatewayPaymentVerified: any;
+        paidByGatewayHint: boolean;
+        paidByPlainStatusFallback: boolean;
+        paidByVerifiedEvidence: any;
+        verified_contract: any;
+        payment_mode: any;
+    };
+} | {
+    allowed: boolean;
+    reason: any;
+    message: any;
+    action: import("@xapps/server-sdk").PaymentGuardAction;
+    details: {
+        verification_failure?: any;
+        uiRequired: boolean;
+        orchestration: {
+            reference_mode?: any;
+            mode: string;
+            surface: string;
+            status: string;
+            payment_session_id: any;
+            payment_mode: any;
+        };
+        payment_status: any;
+        expected_amount: any;
+        expected_currency: any;
+    };
+}>;
+export declare function resolvePolicyRequest(payloadInput: any, { log, paymentRuntime }: {
+    log: any;
+    paymentRuntime?: {};
+}): Promise<any>;
+//# sourceMappingURL=policy.d.ts.map

package/dist/backend/modes/tenant-delegated/policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../../../src/backend/modes/tenant-delegated/policy.ts"],"names":[],"mappings":"AAUA,eAAO,MAAM,sBAAsB,UAGlC,CAAC;AACF,eAAO,MAAM,eAAe;;;;GAM3B,CAAC;AAMF,wBAAsB,kBAAkB,CAAC,KAAK,KAAA,EAAE,OAAO,KAAK;;;;;;;;;;;;;;;;;;;;GAM3D;AAED,wBAAsB,mBAAmB,CAAC,KAAK,KAAA,EAAE,OAAO,KAAK;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAK5D;AAED,wBAAsB,oBAAoB,CAAC,YAAY,KAAA,EAAE,EAAE,GAAG,EAAE,cAAmB,EAAE;;;CAAA,gBASpF"}

package/dist/backend/modes/tenant-delegated/policy.js

@@ -0,0 +1,53 @@
+import { resolveAllowedIssuers, resolveExpectedPaymentIssuer } from "./policyContext.js";
+import {
+  buildPaymentPolicyAllowedResult,
+  buildPaymentPolicyBlockedResult,
+  resolvePolicyRequestCommon
+} from "../../policies/common.js";
+import { extractHostedPaymentSessionId } from "./paymentSession.js";
+import { buildPaymentUrl, paymentMode } from "./payment.js";
+const policyResponsibilities = [
+  "verify signed payment evidence for the tenant-delegated lane",
+  "block and return the delegated gateway-hosted payment action when evidence is missing"
+];
+const policyEndpoints = [
+  {
+    method: "POST",
+    path: "/xapps/requests",
+    purpose: "Runs the tenant payment policy for tenant-delegated xapps."
+  }
+];
+function buildAllowedResult(input) {
+  return buildPaymentPolicyAllowedResult(input, { paymentMode });
+}
+async function buildBlockedResult(input, runtime = {}) {
+  return buildPaymentPolicyBlockedResult(input, {
+    buildPaymentUrl: (payload) => buildPaymentUrl(payload, runtime),
+    extractHostedPaymentSessionId,
+    modeMeta: { paymentMode }
+  });
+}
+async function resolvePolicyResult(input, runtime = {}) {
+  if (input.paidByVerifiedEvidence && !input.verificationFailure) {
+    return buildAllowedResult(input);
+  }
+  return buildBlockedResult(input, runtime);
+}
+async function resolvePolicyRequest(payloadInput, { log, paymentRuntime = {} }) {
+  return resolvePolicyRequestCommon({
+    payloadInput,
+    log,
+    resolveAllowedIssuers,
+    resolveExpectedPaymentIssuer,
+    resolveModeResult: resolvePolicyResult,
+    paymentRuntime
+  });
+}
+export {
+  buildBlockedResult,
+  policyEndpoints,
+  policyResponsibilities,
+  resolvePolicyRequest,
+  resolvePolicyResult
+};
+//# sourceMappingURL=policy.js.map

package/dist/backend/modes/tenant-delegated/policy.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/backend/modes/tenant-delegated/policy.ts"],
+  "sourcesContent": ["// @ts-nocheck\nimport { resolveAllowedIssuers, resolveExpectedPaymentIssuer } from \"./policyContext.js\";\nimport {\n  buildPaymentPolicyAllowedResult,\n  buildPaymentPolicyBlockedResult,\n  resolvePolicyRequestCommon,\n} from \"../../policies/common.js\";\nimport { extractHostedPaymentSessionId } from \"./paymentSession.js\";\nimport { buildPaymentUrl, paymentMode } from \"./payment.js\";\n\nexport const policyResponsibilities = [\n  \"verify signed payment evidence for the tenant-delegated lane\",\n  \"block and return the delegated gateway-hosted payment action when evidence is missing\",\n];\nexport const policyEndpoints = [\n  {\n    method: \"POST\",\n    path: \"/xapps/requests\",\n    purpose: \"Runs the tenant payment policy for tenant-delegated xapps.\",\n  },\n];\n\nfunction buildAllowedResult(input) {\n  return buildPaymentPolicyAllowedResult(input, { paymentMode });\n}\n\nexport async function buildBlockedResult(input, runtime = {}) {\n  return buildPaymentPolicyBlockedResult(input, {\n    buildPaymentUrl: (payload) => buildPaymentUrl(payload, runtime),\n    extractHostedPaymentSessionId,\n    modeMeta: { paymentMode },\n  });\n}\n\nexport async function resolvePolicyResult(input, runtime = {}) {\n  if (input.paidByVerifiedEvidence && !input.verificationFailure) {\n    return buildAllowedResult(input);\n  }\n  return buildBlockedResult(input, runtime);\n}\n\nexport async function resolvePolicyRequest(payloadInput, { log, paymentRuntime = {} }) {\n  return resolvePolicyRequestCommon({\n    payloadInput,\n    log,\n    resolveAllowedIssuers,\n    resolveExpectedPaymentIssuer,\n    resolveModeResult: resolvePolicyResult,\n    paymentRuntime,\n  });\n}\n"],
+  "mappings": "AACA,SAAS,uBAAuB,oCAAoC;AACpE;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,qCAAqC;AAC9C,SAAS,iBAAiB,mBAAmB;AAEtC,MAAM,yBAAyB;AAAA,EACpC;AAAA,EACA;AACF;AACO,MAAM,kBAAkB;AAAA,EAC7B;AAAA,IACE,QAAQ;AAAA,IACR,MAAM;AAAA,IACN,SAAS;AAAA,EACX;AACF;AAEA,SAAS,mBAAmB,OAAO;AACjC,SAAO,gCAAgC,OAAO,EAAE,YAAY,CAAC;AAC/D;AAEA,eAAsB,mBAAmB,OAAO,UAAU,CAAC,GAAG;AAC5D,SAAO,gCAAgC,OAAO;AAAA,IAC5C,iBAAiB,CAAC,YAAY,gBAAgB,SAAS,OAAO;AAAA,IAC9D;AAAA,IACA,UAAU,EAAE,YAAY;AAAA,EAC1B,CAAC;AACH;AAEA,eAAsB,oBAAoB,OAAO,UAAU,CAAC,GAAG;AAC7D,MAAI,MAAM,0BAA0B,CAAC,MAAM,qBAAqB;AAC9D,WAAO,mBAAmB,KAAK;AAAA,EACjC;AACA,SAAO,mBAAmB,OAAO,OAAO;AAC1C;AAEA,eAAsB,qBAAqB,cAAc,EAAE,KAAK,iBAAiB,CAAC,EAAE,GAAG;AACrF,SAAO,2BAA2B;AAAA,IAChC;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,mBAAmB;AAAA,IACnB;AAAA,EACF,CAAC;AACH;",
+  "names": []
+}

package/dist/backend/modes/tenant-delegated/policyContext.d.ts

@@ -0,0 +1,5 @@
+import { buildPaymentAction, hasUpstreamPaymentVerified, resolveMergedContext, resolvePriceAmount } from "../../policies/common.js";
+export { buildPaymentAction, hasUpstreamPaymentVerified, resolveMergedContext, resolvePriceAmount };
+export declare function resolveExpectedPaymentIssuer(): string;
+export declare function resolveAllowedIssuers(guardConfig: any): string[];
+//# sourceMappingURL=policyContext.d.ts.map

package/dist/backend/modes/tenant-delegated/policyContext.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policyContext.d.ts","sourceRoot":"","sources":["../../../../src/backend/modes/tenant-delegated/policyContext.ts"],"names":[],"mappings":"AACA,OAAO,EACL,kBAAkB,EAClB,0BAA0B,EAE1B,oBAAoB,EACpB,kBAAkB,EACnB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAAE,kBAAkB,EAAE,0BAA0B,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,CAAC;AAEpG,wBAAgB,4BAA4B,WAE3C;AAED,wBAAgB,qBAAqB,CAAC,WAAW,KAAA,YAEhD"}

package/dist/backend/modes/tenant-delegated/policyContext.js

@@ -0,0 +1,22 @@
+import {
+  buildPaymentAction,
+  hasUpstreamPaymentVerified,
+  normalizeAllowedIssuers,
+  resolveMergedContext,
+  resolvePriceAmount
+} from "../../policies/common.js";
+function resolveExpectedPaymentIssuer() {
+  return "tenant_delegated";
+}
+function resolveAllowedIssuers(guardConfig) {
+  return normalizeAllowedIssuers(guardConfig, "tenant_delegated");
+}
+export {
+  buildPaymentAction,
+  hasUpstreamPaymentVerified,
+  resolveAllowedIssuers,
+  resolveExpectedPaymentIssuer,
+  resolveMergedContext,
+  resolvePriceAmount
+};
+//# sourceMappingURL=policyContext.js.map

package/dist/backend/modes/tenant-delegated/policyContext.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/backend/modes/tenant-delegated/policyContext.ts"],
+  "sourcesContent": ["// @ts-nocheck\nimport {\n  buildPaymentAction,\n  hasUpstreamPaymentVerified,\n  normalizeAllowedIssuers,\n  resolveMergedContext,\n  resolvePriceAmount,\n} from \"../../policies/common.js\";\n\nexport { buildPaymentAction, hasUpstreamPaymentVerified, resolveMergedContext, resolvePriceAmount };\n\nexport function resolveExpectedPaymentIssuer() {\n  return \"tenant_delegated\";\n}\n\nexport function resolveAllowedIssuers(guardConfig) {\n  return normalizeAllowedIssuers(guardConfig, \"tenant_delegated\");\n}\n"],
+  "mappings": "AACA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAIA,SAAS,+BAA+B;AAC7C,SAAO;AACT;AAEO,SAAS,sBAAsB,aAAa;AACjD,SAAO,wBAAwB,aAAa,kBAAkB;AAChE;",
+  "names": []
+}

package/dist/backend/modules.d.ts

@@ -0,0 +1,33 @@
+export declare function createHostReferenceModule({ gateway, branding, reference, enableLifecycle, enableBridge, allowedOrigins, bootstrap, hostProxyService, }?: {
+    gateway?: {};
+    branding?: {};
+    reference?: {};
+    enableLifecycle?: boolean;
+    enableBridge?: boolean;
+    allowedOrigins?: any[];
+    bootstrap?: {};
+    hostProxyService?: any;
+}, deps?: {}): {
+    registerRoutes(app: any): Promise<void>;
+};
+export declare function createHostProxyService({ gateway, reference }?: {
+    gateway?: {};
+    reference?: {};
+}, deps?: {}): any;
+export declare function createGatewayExecutionModule({ enabledModes, subjectProfiles, paymentRuntime }?: {
+    subjectProfiles?: {};
+    paymentRuntime?: {};
+}, deps?: {}): {
+    registerRoutes(app: any): Promise<void>;
+};
+export declare function createReferenceSurfaceModule({ gateway, branding, enableReference, enableLifecycle, enableBridge, enabledModes, reference, }?: {
+    gateway?: {};
+    branding?: {};
+    enableReference?: boolean;
+    enableLifecycle?: boolean;
+    enableBridge?: boolean;
+    reference?: {};
+}, deps?: {}): {
+    registerRoutes(app: any): Promise<void>;
+};
+//# sourceMappingURL=modules.d.ts.map

package/dist/backend/modules.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"modules.d.ts","sourceRoot":"","sources":["../../src/backend/modules.ts"],"names":[],"mappings":"AAGA,wBAAgB,yBAAyB,CACvC,EACE,OAAY,EACZ,QAAa,EACb,SAAc,EACd,eAAsB,EACtB,YAAmB,EACnB,cAAmB,EACnB,SAAc,EACd,gBAAuB,GACxB;;;;;;;;;CAAK,EACN,IAAI,KAAK;;EA+BV;AAED,wBAAgB,sBAAsB,CAAC,EAAE,OAAY,EAAE,SAAc,EAAE;;;CAAK,EAAE,IAAI,KAAK,OAoBtF;AAED,wBAAgB,4BAA4B,CAC1C,EAAE,YAAY,EAAE,eAAoB,EAAE,cAAmB,EAAE;;;CAAK,EAChE,IAAI,KAAK;;EAqBV;AAED,wBAAgB,4BAA4B,CAC1C,EACE,OAAY,EACZ,QAAa,EACb,eAAsB,EACtB,eAAsB,EACtB,YAAmB,EACnB,YAAY,EACZ,SAAc,GACf;;;;;;;CAAK,EACN,IAAI,KAAK;;EAuBV"}