@xapps-platform/backend-kit 0.1.1

package/dist/backend/paymentRuntime.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/backend/paymentRuntime.ts"],
+  "sourcesContent": ["// @ts-nocheck\nimport fs from \"node:fs\";\nimport {\n  buildHostedGatewayPaymentUrlFromGuardContext,\n  createPaymentHandlerAsync,\n  extractHostedPaymentSessionId,\n} from \"@xapps/server-sdk\";\nimport { normalizeOwnerIssuer, readRecord, readString } from \"./options.js\";\n\nfunction mapHostedSessionResult(input = {}) {\n  return {\n    ...(input?.redirectUrl ? { redirect_url: input.redirectUrl } : {}),\n    ...(input?.flow ? { flow: input.flow } : {}),\n    ...(input?.paymentSessionId ? { payment_session_id: input.paymentSessionId } : {}),\n    ...(input?.clientSettleUrl ? { client_settle_url: input.clientSettleUrl } : {}),\n    ...(input?.providerReference !== undefined\n      ? { provider_reference: input.providerReference }\n      : {}),\n    ...(input?.scheme ? { scheme: input.scheme } : {}),\n    ...(input?.metadata ? { metadata: input.metadata } : {}),\n  };\n}\n\nfunction readPaymentRequestParams(source = {}) {\n  const input = readRecord(source);\n  return {\n    paymentSessionId: readString(input.payment_session_id, input.paymentSessionId).trim(),\n    returnUrl: readString(input.return_url, input.returnUrl).trim(),\n    cancelUrl: readString(input.cancel_url, input.cancelUrl).trim(),\n    xappsResume: readString(input.xapps_resume, input.xappsResume).trim(),\n  };\n}\n\nfunction readClientSettleInput(source = {}) {\n  const input = readRecord(source);\n  const status = readString(input.status).trim();\n  return {\n    ...readPaymentRequestParams(input),\n    status: status === \"failed\" || status === \"cancelled\" ? status : \"paid\",\n    clientToken: readString(input.client_token, input.clientToken).trim() || undefined,\n    metadata:\n      input.metadata && typeof input.metadata === \"object\" && !Array.isArray(input.metadata)\n        ? input.metadata\n        : undefined,\n  };\n}\n\nfunction sendGatewayUnavailable(reply, message, statusCode = 500) {\n  return reply.code(statusCode).send({ message });\n}\n\nexport async function createPaymentRuntime(options = {}, deps = {}) {\n  const createPaymentHandler =\n    typeof deps.createPaymentHandler === \"function\"\n      ? deps.createPaymentHandler\n      : createPaymentEvidenceHandler;\n  const createGatewayClient =\n    typeof deps.createGatewayClient === \"function\" ? deps.createGatewayClient : null;\n\n  const resolvedGatewayClient =\n    options?.overrides?.gatewayClient ||\n    (createGatewayClient\n      ? createGatewayClient({\n          baseUrl: options?.gateway?.baseUrl,\n          apiKey: options?.gateway?.apiKey,\n        })\n      : null);\n  const resolvedPaymentHandler =\n    options?.overrides?.paymentHandler ||\n    (await createPaymentHandler({\n      payments: options?.payments || {},\n      gatewayClient: resolvedGatewayClient,\n    }));\n\n  return {\n    gatewayClient: resolvedGatewayClient,\n    paymentHandler: resolvedPaymentHandler,\n    paymentSettings: {\n      ownerIssuer: normalizeOwnerIssuer(options?.payments?.ownerIssuer),\n      paymentUrl: options?.payments?.paymentUrl,\n      returnSecret: options?.payments?.returnSecret,\n      returnSecretRef: options?.payments?.returnSecretRef,\n      returnUrlAllowlist: options?.payments?.returnUrlAllowlist,\n    },\n    paymentPageFile: options?.assets?.paymentPage?.filePath || \"\",\n    resolvePolicyRequest: options?.overrides?.resolvePolicyRequest || null,\n  };\n}\n\nexport async function createPaymentEvidenceHandler({\n  payments = {},\n  gatewayClient = null,\n  issuer = \"\",\n  resolvePlatformSecretRef,\n} = {}) {\n  const paymentSettings = readRecord(payments);\n  return createPaymentHandlerAsync({\n    secret: readString(paymentSettings.returnSecret).trim() || undefined,\n    secretRef: readString(paymentSettings.returnSecretRef).trim() || undefined,\n    secretRefResolverOptions: {\n      resolvePlatformSecretRef: async (input) => resolvePlatformSecretRef(input),\n    },\n    issuer:\n      normalizeOwnerIssuer(readString(issuer).trim() || readString(paymentSettings.ownerIssuer)) ||\n      \"tenant\",\n    returnUrlAllowlist: readString(paymentSettings.returnUrlAllowlist),\n    gatewayClient: gatewayClient || undefined,\n    requirePersistentStoreInProduction: false,\n  });\n}\n\nexport async function buildHostedGatewayPaymentUrl(input = {}, runtime = {}) {\n  const payloadInput = readRecord(input);\n  const paymentRuntime = readRecord(runtime);\n  const paymentSettings = readRecord(paymentRuntime.paymentSettings);\n  const ownerIssuer = normalizeOwnerIssuer(paymentSettings.ownerIssuer);\n  const gatewayClient = paymentRuntime.gatewayClient || null;\n  const paymentHandler = paymentRuntime.paymentHandler || null;\n  if (!gatewayClient) {\n    throw new Error(\"gateway payment session client not configured\");\n  }\n  if (!paymentHandler || typeof paymentHandler.upsertSession !== \"function\") {\n    throw new Error(\"payment evidence handler not configured\");\n  }\n\n  const result = await buildHostedGatewayPaymentUrlFromGuardContext({\n    deps: {\n      createPaymentSession: (payload) => gatewayClient.createPaymentSession(payload),\n      upsertSession: (payload) => paymentHandler.upsertSession(payload),\n    },\n    payload: payloadInput.payload,\n    context: payloadInput.context,\n    guard: payloadInput.guard,\n    guardConfig: payloadInput.guardConfig,\n    amount: payloadInput.amount,\n    currency: payloadInput.currency,\n    defaultPaymentUrl: readString(paymentSettings.paymentUrl),\n    fallbackIssuer: readString(payloadInput.fallbackIssuer, ownerIssuer) || ownerIssuer,\n    storedIssuer:\n      readString(payloadInput.storedIssuer, readString(payloadInput.fallbackIssuer, ownerIssuer)) ||\n      ownerIssuer,\n    defaultSecret: readString(paymentSettings.returnSecret),\n    defaultSecretRef: readString(paymentSettings.returnSecretRef),\n    allowDefaultSecretFallback: Boolean(payloadInput.allowDefaultSecretFallback),\n  });\n  return result.paymentUrl;\n}\n\nexport async function buildModeHostedGatewayPaymentUrl(input = {}, defaults = {}, runtime = {}) {\n  const payloadInput = readRecord(input);\n  const modeDefaults = readRecord(defaults);\n  const paymentRuntime = readRecord(runtime);\n  const paymentSettings = readRecord(paymentRuntime.paymentSettings);\n  const ownerIssuer = normalizeOwnerIssuer(paymentSettings.ownerIssuer);\n  return buildHostedGatewayPaymentUrl(\n    {\n      ...payloadInput,\n      fallbackIssuer:\n        readString(\n          modeDefaults.fallbackIssuer,\n          readString(payloadInput.fallbackIssuer, ownerIssuer),\n        ) || ownerIssuer,\n      storedIssuer:\n        readString(\n          modeDefaults.storedIssuer,\n          readString(\n            payloadInput.storedIssuer,\n            readString(\n              modeDefaults.fallbackIssuer,\n              readString(payloadInput.fallbackIssuer, ownerIssuer),\n            ),\n          ),\n        ) || ownerIssuer,\n      allowDefaultSecretFallback: Boolean(\n        modeDefaults.allowDefaultSecretFallback ?? payloadInput.allowDefaultSecretFallback,\n      ),\n    },\n    runtime,\n  );\n}\n\nexport async function registerPaymentPageAssetRoute(\n  fastify,\n  { pagePath = \"/tenant-payment.html\", pageFile = \"\" } = {},\n) {\n  fastify.get(pagePath, async (_request, reply) => {\n    const html = fs.readFileSync(pageFile, \"utf8\");\n    return reply.code(200).type(\"text/html; charset=utf-8\").send(html);\n  });\n}\n\nexport async function registerPaymentPageApiRoutes(\n  fastify,\n  { gatewayClient = null, pathPrefix = \"/api/tenant-payment\" } = {},\n) {\n  fastify.get(`${pathPrefix}/session`, async (request, reply) => {\n    const { paymentSessionId, returnUrl, cancelUrl, xappsResume } = readPaymentRequestParams(\n      request.query,\n    );\n    if (!gatewayClient || typeof gatewayClient.getGatewayPaymentSession !== \"function\") {\n      return sendGatewayUnavailable(reply, \"gateway payment client is not configured\");\n    }\n    if (!paymentSessionId) {\n      return reply.code(400).send({ message: \"payment_session_id is required\" });\n    }\n    const hosted = await gatewayClient.getGatewayPaymentSession({\n      paymentSessionId,\n      ...(returnUrl ? { returnUrl } : {}),\n      ...(cancelUrl ? { cancelUrl } : {}),\n      ...(xappsResume ? { xappsResume } : {}),\n    });\n    return reply.code(200).send({ status: \"success\", result: hosted.session });\n  });\n\n  fastify.post(`${pathPrefix}/complete`, async (request, reply) => {\n    const { paymentSessionId, returnUrl, cancelUrl, xappsResume } = readPaymentRequestParams(\n      request.body,\n    );\n    if (!gatewayClient || typeof gatewayClient.completeGatewayPayment !== \"function\") {\n      return sendGatewayUnavailable(reply, \"gateway payment client is not configured\");\n    }\n    if (!paymentSessionId) {\n      return reply.code(400).send({ message: \"payment_session_id is required\" });\n    }\n    const hosted = await gatewayClient.completeGatewayPayment({\n      paymentSessionId,\n      ...(returnUrl ? { returnUrl } : {}),\n      ...(cancelUrl ? { cancelUrl } : {}),\n      ...(xappsResume ? { xappsResume } : {}),\n    });\n    return reply.code(200).send({ status: \"success\", result: mapHostedSessionResult(hosted) });\n  });\n\n  fastify.post(`${pathPrefix}/client-settle`, async (request, reply) => {\n    const { paymentSessionId, returnUrl, xappsResume, status, clientToken, metadata } =\n      readClientSettleInput(request.body);\n    if (!paymentSessionId) {\n      return reply.code(400).send({ message: \"payment_session_id is required\" });\n    }\n    if (!gatewayClient || typeof gatewayClient.clientSettleGatewayPayment !== \"function\") {\n      return sendGatewayUnavailable(\n        reply,\n        \"client-settle is not available for this payment mode\",\n        409,\n      );\n    }\n    try {\n      const settled = await gatewayClient.clientSettleGatewayPayment({\n        paymentSessionId,\n        returnUrl: returnUrl || undefined,\n        xappsResume: xappsResume || undefined,\n        status,\n        clientToken,\n        metadata,\n      });\n      return reply.code(200).send({ status: \"success\", result: mapHostedSessionResult(settled) });\n    } catch (err) {\n      request.log.error(\n        { err: err instanceof Error ? err.message : String(err) },\n        \"client-settle failed\",\n      );\n      return reply.code(502).send({ message: \"client_settle_failed\" });\n    }\n  });\n}\n\nexport { extractHostedPaymentSessionId };\n"],
+  "mappings": "AACA,OAAO,QAAQ;AACf;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,sBAAsB,YAAY,kBAAkB;AAE7D,SAAS,uBAAuB,QAAQ,CAAC,GAAG;AAC1C,SAAO;AAAA,IACL,GAAI,OAAO,cAAc,EAAE,cAAc,MAAM,YAAY,IAAI,CAAC;AAAA,IAChE,GAAI,OAAO,OAAO,EAAE,MAAM,MAAM,KAAK,IAAI,CAAC;AAAA,IAC1C,GAAI,OAAO,mBAAmB,EAAE,oBAAoB,MAAM,iBAAiB,IAAI,CAAC;AAAA,IAChF,GAAI,OAAO,kBAAkB,EAAE,mBAAmB,MAAM,gBAAgB,IAAI,CAAC;AAAA,IAC7E,GAAI,OAAO,sBAAsB,SAC7B,EAAE,oBAAoB,MAAM,kBAAkB,IAC9C,CAAC;AAAA,IACL,GAAI,OAAO,SAAS,EAAE,QAAQ,MAAM,OAAO,IAAI,CAAC;AAAA,IAChD,GAAI,OAAO,WAAW,EAAE,UAAU,MAAM,SAAS,IAAI,CAAC;AAAA,EACxD;AACF;AAEA,SAAS,yBAAyB,SAAS,CAAC,GAAG;AAC7C,QAAM,QAAQ,WAAW,MAAM;AAC/B,SAAO;AAAA,IACL,kBAAkB,WAAW,MAAM,oBAAoB,MAAM,gBAAgB,EAAE,KAAK;AAAA,IACpF,WAAW,WAAW,MAAM,YAAY,MAAM,SAAS,EAAE,KAAK;AAAA,IAC9D,WAAW,WAAW,MAAM,YAAY,MAAM,SAAS,EAAE,KAAK;AAAA,IAC9D,aAAa,WAAW,MAAM,cAAc,MAAM,WAAW,EAAE,KAAK;AAAA,EACtE;AACF;AAEA,SAAS,sBAAsB,SAAS,CAAC,GAAG;AAC1C,QAAM,QAAQ,WAAW,MAAM;AAC/B,QAAM,SAAS,WAAW,MAAM,MAAM,EAAE,KAAK;AAC7C,SAAO;AAAA,IACL,GAAG,yBAAyB,KAAK;AAAA,IACjC,QAAQ,WAAW,YAAY,WAAW,cAAc,SAAS;AAAA,IACjE,aAAa,WAAW,MAAM,cAAc,MAAM,WAAW,EAAE,KAAK,KAAK;AAAA,IACzE,UACE,MAAM,YAAY,OAAO,MAAM,aAAa,YAAY,CAAC,MAAM,QAAQ,MAAM,QAAQ,IACjF,MAAM,WACN;AAAA,EACR;AACF;AAEA,SAAS,uBAAuB,OAAO,SAAS,aAAa,KAAK;AAChE,SAAO,MAAM,KAAK,UAAU,EAAE,KAAK,EAAE,QAAQ,CAAC;AAChD;AAEA,eAAsB,qBAAqB,UAAU,CAAC,GAAG,OAAO,CAAC,GAAG;AAClE,QAAM,uBACJ,OAAO,KAAK,yBAAyB,aACjC,KAAK,uBACL;AACN,QAAM,sBACJ,OAAO,KAAK,wBAAwB,aAAa,KAAK,sBAAsB;AAE9E,QAAM,wBACJ,SAAS,WAAW,kBACnB,sBACG,oBAAoB;AAAA,IAClB,SAAS,SAAS,SAAS;AAAA,IAC3B,QAAQ,SAAS,SAAS;AAAA,EAC5B,CAAC,IACD;AACN,QAAM,yBACJ,SAAS,WAAW,kBACnB,MAAM,qBAAqB;AAAA,IAC1B,UAAU,SAAS,YAAY,CAAC;AAAA,IAChC,eAAe;AAAA,EACjB,CAAC;AAEH,SAAO;AAAA,IACL,eAAe;AAAA,IACf,gBAAgB;AAAA,IAChB,iBAAiB;AAAA,MACf,aAAa,qBAAqB,SAAS,UAAU,WAAW;AAAA,MAChE,YAAY,SAAS,UAAU;AAAA,MAC/B,cAAc,SAAS,UAAU;AAAA,MACjC,iBAAiB,SAAS,UAAU;AAAA,MACpC,oBAAoB,SAAS,UAAU;AAAA,IACzC;AAAA,IACA,iBAAiB,SAAS,QAAQ,aAAa,YAAY;AAAA,IAC3D,sBAAsB,SAAS,WAAW,wBAAwB;AAAA,EACpE;AACF;AAEA,eAAsB,6BAA6B;AAAA,EACjD,WAAW,CAAC;AAAA,EACZ,gBAAgB;AAAA,EAChB,SAAS;AAAA,EACT;AACF,IAAI,CAAC,GAAG;AACN,QAAM,kBAAkB,WAAW,QAAQ;AAC3C,SAAO,0BAA0B;AAAA,IAC/B,QAAQ,WAAW,gBAAgB,YAAY,EAAE,KAAK,KAAK;AAAA,IAC3D,WAAW,WAAW,gBAAgB,eAAe,EAAE,KAAK,KAAK;AAAA,IACjE,0BAA0B;AAAA,MACxB,0BAA0B,OAAO,UAAU,yBAAyB,KAAK;AAAA,IAC3E;AAAA,IACA,QACE,qBAAqB,WAAW,MAAM,EAAE,KAAK,KAAK,WAAW,gBAAgB,WAAW,CAAC,KACzF;AAAA,IACF,oBAAoB,WAAW,gBAAgB,kBAAkB;AAAA,IACjE,eAAe,iBAAiB;AAAA,IAChC,oCAAoC;AAAA,EACtC,CAAC;AACH;AAEA,eAAsB,6BAA6B,QAAQ,CAAC,GAAG,UAAU,CAAC,GAAG;AAC3E,QAAM,eAAe,WAAW,KAAK;AACrC,QAAM,iBAAiB,WAAW,OAAO;AACzC,QAAM,kBAAkB,WAAW,eAAe,eAAe;AACjE,QAAM,cAAc,qBAAqB,gBAAgB,WAAW;AACpE,QAAM,gBAAgB,eAAe,iBAAiB;AACtD,QAAM,iBAAiB,eAAe,kBAAkB;AACxD,MAAI,CAAC,eAAe;AAClB,UAAM,IAAI,MAAM,+CAA+C;AAAA,EACjE;AACA,MAAI,CAAC,kBAAkB,OAAO,eAAe,kBAAkB,YAAY;AACzE,UAAM,IAAI,MAAM,yCAAyC;AAAA,EAC3D;AAEA,QAAM,SAAS,MAAM,6CAA6C;AAAA,IAChE,MAAM;AAAA,MACJ,sBAAsB,CAAC,YAAY,cAAc,qBAAqB,OAAO;AAAA,MAC7E,eAAe,CAAC,YAAY,eAAe,cAAc,OAAO;AAAA,IAClE;AAAA,IACA,SAAS,aAAa;AAAA,IACtB,SAAS,aAAa;AAAA,IACtB,OAAO,aAAa;AAAA,IACpB,aAAa,aAAa;AAAA,IAC1B,QAAQ,aAAa;AAAA,IACrB,UAAU,aAAa;AAAA,IACvB,mBAAmB,WAAW,gBAAgB,UAAU;AAAA,IACxD,gBAAgB,WAAW,aAAa,gBAAgB,WAAW,KAAK;AAAA,IACxE,cACE,WAAW,aAAa,cAAc,WAAW,aAAa,gBAAgB,WAAW,CAAC,KAC1F;AAAA,IACF,eAAe,WAAW,gBAAgB,YAAY;AAAA,IACtD,kBAAkB,WAAW,gBAAgB,eAAe;AAAA,IAC5D,4BAA4B,QAAQ,aAAa,0BAA0B;AAAA,EAC7E,CAAC;AACD,SAAO,OAAO;AAChB;AAEA,eAAsB,iCAAiC,QAAQ,CAAC,GAAG,WAAW,CAAC,GAAG,UAAU,CAAC,GAAG;AAC9F,QAAM,eAAe,WAAW,KAAK;AACrC,QAAM,eAAe,WAAW,QAAQ;AACxC,QAAM,iBAAiB,WAAW,OAAO;AACzC,QAAM,kBAAkB,WAAW,eAAe,eAAe;AACjE,QAAM,cAAc,qBAAqB,gBAAgB,WAAW;AACpE,SAAO;AAAA,IACL;AAAA,MACE,GAAG;AAAA,MACH,gBACE;AAAA,QACE,aAAa;AAAA,QACb,WAAW,aAAa,gBAAgB,WAAW;AAAA,MACrD,KAAK;AAAA,MACP,cACE;AAAA,QACE,aAAa;AAAA,QACb;AAAA,UACE,aAAa;AAAA,UACb;AAAA,YACE,aAAa;AAAA,YACb,WAAW,aAAa,gBAAgB,WAAW;AAAA,UACrD;AAAA,QACF;AAAA,MACF,KAAK;AAAA,MACP,4BAA4B;AAAA,QAC1B,aAAa,8BAA8B,aAAa;AAAA,MAC1D;AAAA,IACF;AAAA,IACA;AAAA,EACF;AACF;AAEA,eAAsB,8BACpB,SACA,EAAE,WAAW,wBAAwB,WAAW,GAAG,IAAI,CAAC,GACxD;AACA,UAAQ,IAAI,UAAU,OAAO,UAAU,UAAU;AAC/C,UAAM,OAAO,GAAG,aAAa,UAAU,MAAM;AAC7C,WAAO,MAAM,KAAK,GAAG,EAAE,KAAK,0BAA0B,EAAE,KAAK,IAAI;AAAA,EACnE,CAAC;AACH;AAEA,eAAsB,6BACpB,SACA,EAAE,gBAAgB,MAAM,aAAa,sBAAsB,IAAI,CAAC,GAChE;AACA,UAAQ,IAAI,GAAG,UAAU,YAAY,OAAO,SAAS,UAAU;AAC7D,UAAM,EAAE,kBAAkB,WAAW,WAAW,YAAY,IAAI;AAAA,MAC9D,QAAQ;AAAA,IACV;AACA,QAAI,CAAC,iBAAiB,OAAO,cAAc,6BAA6B,YAAY;AAClF,aAAO,uBAAuB,OAAO,0CAA0C;AAAA,IACjF;AACA,QAAI,CAAC,kBAAkB;AACrB,aAAO,MAAM,KAAK,GAAG,EAAE,KAAK,EAAE,SAAS,iCAAiC,CAAC;AAAA,IAC3E;AACA,UAAM,SAAS,MAAM,cAAc,yBAAyB;AAAA,MAC1D;AAAA,MACA,GAAI,YAAY,EAAE,UAAU,IAAI,CAAC;AAAA,MACjC,GAAI,YAAY,EAAE,UAAU,IAAI,CAAC;AAAA,MACjC,GAAI,cAAc,EAAE,YAAY,IAAI,CAAC;AAAA,IACvC,CAAC;AACD,WAAO,MAAM,KAAK,GAAG,EAAE,KAAK,EAAE,QAAQ,WAAW,QAAQ,OAAO,QAAQ,CAAC;AAAA,EAC3E,CAAC;AAED,UAAQ,KAAK,GAAG,UAAU,aAAa,OAAO,SAAS,UAAU;AAC/D,UAAM,EAAE,kBAAkB,WAAW,WAAW,YAAY,IAAI;AAAA,MAC9D,QAAQ;AAAA,IACV;AACA,QAAI,CAAC,iBAAiB,OAAO,cAAc,2BAA2B,YAAY;AAChF,aAAO,uBAAuB,OAAO,0CAA0C;AAAA,IACjF;AACA,QAAI,CAAC,kBAAkB;AACrB,aAAO,MAAM,KAAK,GAAG,EAAE,KAAK,EAAE,SAAS,iCAAiC,CAAC;AAAA,IAC3E;AACA,UAAM,SAAS,MAAM,cAAc,uBAAuB;AAAA,MACxD;AAAA,MACA,GAAI,YAAY,EAAE,UAAU,IAAI,CAAC;AAAA,MACjC,GAAI,YAAY,EAAE,UAAU,IAAI,CAAC;AAAA,MACjC,GAAI,cAAc,EAAE,YAAY,IAAI,CAAC;AAAA,IACvC,CAAC;AACD,WAAO,MAAM,KAAK,GAAG,EAAE,KAAK,EAAE,QAAQ,WAAW,QAAQ,uBAAuB,MAAM,EAAE,CAAC;AAAA,EAC3F,CAAC;AAED,UAAQ,KAAK,GAAG,UAAU,kBAAkB,OAAO,SAAS,UAAU;AACpE,UAAM,EAAE,kBAAkB,WAAW,aAAa,QAAQ,aAAa,SAAS,IAC9E,sBAAsB,QAAQ,IAAI;AACpC,QAAI,CAAC,kBAAkB;AACrB,aAAO,MAAM,KAAK,GAAG,EAAE,KAAK,EAAE,SAAS,iCAAiC,CAAC;AAAA,IAC3E;AACA,QAAI,CAAC,iBAAiB,OAAO,cAAc,+BAA+B,YAAY;AACpF,aAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,QAAI;AACF,YAAM,UAAU,MAAM,cAAc,2BAA2B;AAAA,QAC7D;AAAA,QACA,WAAW,aAAa;AAAA,QACxB,aAAa,eAAe;AAAA,QAC5B;AAAA,QACA;AAAA,QACA;AAAA,MACF,CAAC;AACD,aAAO,MAAM,KAAK,GAAG,EAAE,KAAK,EAAE,QAAQ,WAAW,QAAQ,uBAAuB,OAAO,EAAE,CAAC;AAAA,IAC5F,SAAS,KAAK;AACZ,cAAQ,IAAI;AAAA,QACV,EAAE,KAAK,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,EAAE;AAAA,QACxD;AAAA,MACF;AACA,aAAO,MAAM,KAAK,GAAG,EAAE,KAAK,EAAE,SAAS,uBAAuB,CAAC;AAAA,IACjE;AAAA,EACF,CAAC;AACH;",
+  "names": []
+}

package/dist/backend/policies/common.d.ts

@@ -0,0 +1,102 @@
+export declare function hasUpstreamPaymentVerified(value: any): boolean;
+export declare function resolveMergedContext(payloadInput: any): Record<string, unknown>;
+export declare function resolvePriceAmount(guardConfig: any, context: any): unknown;
+export declare function buildPaymentAction(action: any): import("@xapps/server-sdk").PaymentGuardAction;
+export declare function normalizeAllowedIssuers(guardConfig: any, fallbackIssuer: any): string[];
+export declare function buildPaymentPolicyAllowedResult(input: any, modeMeta?: {}): {
+    allowed: boolean;
+    reason: string;
+    message: string;
+    details: {
+        reference_mode?: any;
+        payment_status: any;
+        orchestrationApproved: any;
+        gatewayPaymentVerified: any;
+        paidByGatewayHint: boolean;
+        paidByPlainStatusFallback: boolean;
+        paidByVerifiedEvidence: any;
+        verified_contract: any;
+        payment_mode: any;
+    };
+};
+export declare function buildPaymentGuardFailClosedResult(upstreamStatus: any): {
+    allowed: boolean;
+    reason: string;
+    message: string;
+    action: {
+        kind: string;
+        label: string;
+        title: string;
+    };
+    details: {
+        uiRequired: boolean;
+        orchestration: {
+            mode: string;
+            surface: string;
+            status: string;
+        };
+        upstream_status: number;
+    };
+};
+export declare function buildPaymentPolicyBlockedResult(input: any, { buildPaymentUrl, extractHostedPaymentSessionId, modeMeta }: {
+    buildPaymentUrl: any;
+    extractHostedPaymentSessionId: any;
+    modeMeta?: {};
+}): Promise<{
+    allowed: boolean;
+    reason: any;
+    message: any;
+    action: import("@xapps/server-sdk").PaymentGuardAction;
+    details: {
+        verification_failure?: any;
+        uiRequired: boolean;
+        orchestration: {
+            reference_mode?: any;
+            mode: string;
+            surface: string;
+            status: string;
+            payment_session_id: any;
+            payment_mode: any;
+        };
+        payment_status: any;
+        expected_amount: any;
+        expected_currency: any;
+    };
+}>;
+export declare function buildPaymentPolicyInput({ payloadInput, log, resolveAllowedIssuers, resolveExpectedPaymentIssuer, paymentHandler, paymentRuntime, paymentSettings, guardSlugDefault, }: {
+    payloadInput: any;
+    log: any;
+    resolveAllowedIssuers: any;
+    resolveExpectedPaymentIssuer: any;
+    paymentHandler: any;
+    paymentRuntime?: {};
+    paymentSettings?: {};
+    guardSlugDefault?: string;
+}): Promise<{
+    payload: any;
+    context: Record<string, unknown>;
+    guard: any;
+    guardConfig: any;
+    policy: any;
+    amount: unknown;
+    currency: string;
+    plainStatus: string;
+    orchestrationApproved: boolean;
+    gatewayPaymentVerified: boolean;
+    verifiedPayment: any;
+    paidByVerifiedEvidence: boolean;
+    verificationFailure: any;
+    failReason: any;
+    baseMessage: string;
+    actionCfg: any;
+}>;
+export declare function resolvePolicyRequestCommon({ payloadInput, log, resolveAllowedIssuers, resolveExpectedPaymentIssuer, resolveModeResult, paymentRuntime, guardSlugDefault, }: {
+    payloadInput: any;
+    log: any;
+    resolveAllowedIssuers: any;
+    resolveExpectedPaymentIssuer: any;
+    resolveModeResult: any;
+    paymentRuntime?: {};
+    guardSlugDefault: any;
+}): Promise<any>;
+//# sourceMappingURL=common.d.ts.map

package/dist/backend/policies/common.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"common.d.ts","sourceRoot":"","sources":["../../../src/backend/policies/common.ts"],"names":[],"mappings":"AAqBA,wBAAgB,0BAA0B,CAAC,KAAK,KAAA,WAE/C;AAED,wBAAgB,oBAAoB,CAAC,YAAY,KAAA,2BAEhD;AAED,wBAAgB,kBAAkB,CAAC,WAAW,KAAA,EAAE,OAAO,KAAA,WAEtD;AAED,wBAAgB,kBAAkB,CAAC,MAAM,KAAA,kDAExC;AAED,wBAAgB,uBAAuB,CAAC,WAAW,KAAA,EAAE,cAAc,KAAA,YAElE;AAED,wBAAgB,+BAA+B,CAAC,KAAK,KAAA,EAAE,QAAQ,KAAK;;;;;;;;;;;;;;;EAiBnE;AAED,wBAAgB,iCAAiC,CAAC,cAAc,KAAA;;;;;;;;;;;;;;;;;;EAoB/D;AAED,wBAAsB,+BAA+B,CACnD,KAAK,KAAA,EACL,EAAE,eAAe,EAAE,6BAA6B,EAAE,QAAa,EAAE;;;;CAAA;;;;;;;;;;;;;;;;;;;;GAgClE;AAED,wBAAsB,uBAAuB,CAAC,EAC5C,YAAY,EACZ,GAAG,EACH,qBAAqB,EACrB,4BAA4B,EAC5B,cAAc,EACd,cAAmB,EACnB,eAAoB,EACpB,gBAA0C,GAC3C;;;;;;;;;CAAA;;;;;;;;;;;;;;;;;GAsHA;AAED,wBAAsB,0BAA0B,CAAC,EAC/C,YAAY,EACZ,GAAG,EACH,qBAAqB,EACrB,4BAA4B,EAC5B,iBAAiB,EACjB,cAAmB,EACnB,gBAAgB,GACjB;;;;;;;;CAAA,gBAYA"}

package/dist/backend/policies/common.js

@@ -0,0 +1,226 @@
+import {
+  buildPaymentGuardAction,
+  hasUpstreamPaymentVerified as hasUpstreamPaymentVerifiedFromSdk,
+  normalizePaymentAllowedIssuers as normalizePaymentAllowedIssuersFromSdk,
+  resolveMergedPaymentGuardContext,
+  resolvePaymentGuardPriceAmount
+} from "@xapps/server-sdk";
+function asObject(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : {};
+}
+function toNumericAmount(amount) {
+  if (typeof amount === "number") return amount;
+  if (typeof amount === "string" && amount.trim() && Number.isFinite(Number(amount))) {
+    return Number(amount);
+  }
+  return amount;
+}
+function hasUpstreamPaymentVerified(value) {
+  return hasUpstreamPaymentVerifiedFromSdk(value);
+}
+function resolveMergedContext(payloadInput) {
+  return resolveMergedPaymentGuardContext(asObject(payloadInput));
+}
+function resolvePriceAmount(guardConfig, context) {
+  return resolvePaymentGuardPriceAmount(asObject(guardConfig), asObject(context));
+}
+function buildPaymentAction(action) {
+  return buildPaymentGuardAction(asObject(action));
+}
+function normalizeAllowedIssuers(guardConfig, fallbackIssuer) {
+  return normalizePaymentAllowedIssuersFromSdk(asObject(guardConfig), String(fallbackIssuer || ""));
+}
+function buildPaymentPolicyAllowedResult(input, modeMeta = {}) {
+  return {
+    allowed: true,
+    reason: String(input.policy?.reason || "tenant_payment_passed"),
+    message: "Tenant payment policy satisfied",
+    details: {
+      payment_status: input.verifiedPayment?.status || input.plainStatus || "paid",
+      orchestrationApproved: input.orchestrationApproved,
+      gatewayPaymentVerified: input.gatewayPaymentVerified,
+      paidByGatewayHint: false,
+      paidByPlainStatusFallback: false,
+      paidByVerifiedEvidence: input.paidByVerifiedEvidence,
+      verified_contract: input.verifiedPayment?.contract || null,
+      payment_mode: modeMeta.paymentMode || null,
+      ...modeMeta.referenceMode ? { reference_mode: modeMeta.referenceMode } : {}
+    }
+  };
+}
+function buildPaymentGuardFailClosedResult(upstreamStatus) {
+  return {
+    allowed: false,
+    reason: "payment_session_create_failed",
+    message: "Payment session could not be created at this time",
+    action: {
+      kind: "complete_payment",
+      label: "Open Payment",
+      title: "Complete Payment"
+    },
+    details: {
+      uiRequired: true,
+      orchestration: {
+        mode: "blocking",
+        surface: "redirect",
+        status: "failed_dependency"
+      },
+      upstream_status: Number(upstreamStatus || 500) || 500
+    }
+  };
+}
+async function buildPaymentPolicyBlockedResult(input, { buildPaymentUrl, extractHostedPaymentSessionId, modeMeta = {} }) {
+  const paymentUrl = await buildPaymentUrl(input);
+  return {
+    allowed: false,
+    reason: input.failReason,
+    message: input.verificationFailure?.ok === false ? "Payment verification failed" : input.baseMessage,
+    action: buildPaymentAction({
+      url: paymentUrl,
+      label: input.actionCfg?.label,
+      title: input.actionCfg?.title,
+      target: input.actionCfg?.target
+    }),
+    details: {
+      uiRequired: true,
+      orchestration: {
+        mode: "blocking",
+        surface: String(input.guardConfig?.ui_mode || "redirect"),
+        status: "pending_user_action",
+        payment_session_id: extractHostedPaymentSessionId(paymentUrl),
+        payment_mode: modeMeta.paymentMode || null,
+        ...modeMeta.referenceMode ? { reference_mode: modeMeta.referenceMode } : {}
+      },
+      payment_status: input.plainStatus || null,
+      expected_amount: toNumericAmount(input.amount),
+      expected_currency: input.currency,
+      ...input.verificationFailure?.ok === false ? { verification_failure: input.verificationFailure } : {}
+    }
+  };
+}
+async function buildPaymentPolicyInput({
+  payloadInput,
+  log,
+  resolveAllowedIssuers,
+  resolveExpectedPaymentIssuer,
+  paymentHandler,
+  paymentRuntime = {},
+  paymentSettings = {},
+  guardSlugDefault = "tenant-payment-policy"
+}) {
+  const payload = payloadInput && typeof payloadInput === "object" ? payloadInput : {};
+  const context = resolveMergedContext(payload);
+  const policyContext = asObject(payload.policyContext);
+  const payloadWithContext = { ...payload, context };
+  const guard = payload.guard && typeof payload.guard === "object" ? payload.guard : {};
+  const guardConfig = guard.config && typeof guard.config === "object" ? guard.config : {};
+  const policy = guardConfig.policy && typeof guardConfig.policy === "object" ? guardConfig.policy : {};
+  const actionCfg = guardConfig.action && typeof guardConfig.action === "object" ? guardConfig.action : {};
+  const guardSlug = String(guard.slug || guardSlugDefault).trim();
+  const orchestration = context.orchestration && typeof context.orchestration === "object" ? context.orchestration : {};
+  const orchestrationEntry = orchestration[guardSlug] && typeof orchestration[guardSlug] === "object" ? orchestration[guardSlug] : {};
+  const orchestrationPayment = orchestrationEntry.payment && typeof orchestrationEntry.payment === "object" ? orchestrationEntry.payment : null;
+  const allowOrchestrationBypassConfigured = Boolean(
+    guardConfig.allow_orchestration_bypass ?? guardConfig.allowOrchestrationBypass
+  );
+  if (allowOrchestrationBypassConfigured) {
+    log.warn("Ignoring allow_orchestration_bypass in canonical payment verification mode.");
+  }
+  const orchestrationApproved = false;
+  const amount = resolvePriceAmount(guardConfig, context);
+  const currency = String(guardConfig?.pricing?.currency || guardConfig.currency || "USD").trim().toUpperCase();
+  const settings = asObject(paymentSettings);
+  const allowedIssuers = resolveAllowedIssuers(guardConfig, settings, paymentRuntime);
+  const expectedIssuer = allowedIssuers[0] || resolveExpectedPaymentIssuer(guardConfig, settings, paymentRuntime);
+  const plainStatus = String(payload.payment_status || payload?.payment?.status || "").trim().toLowerCase();
+  const gatewayPaymentVerified = hasUpstreamPaymentVerified(payload.payment_verified) || hasUpstreamPaymentVerified(payload.paymentVerified) || hasUpstreamPaymentVerified(policyContext.payment_verified) || hasUpstreamPaymentVerified(policyContext.paymentVerified);
+  let verifiedPayment = null;
+  let verificationFailure = null;
+  const hasVerificationSecret = String(settings.returnSecret || "").trim().length > 0 || String(settings.returnSecretRef || "").trim().length > 0 || Boolean(paymentHandler && typeof paymentHandler.handleVerifyEvidence === "function");
+  if (gatewayPaymentVerified && orchestrationPayment && String(orchestrationPayment.status || "").trim().toLowerCase() === "paid") {
+    verifiedPayment = orchestrationPayment;
+  } else if (hasVerificationSecret && paymentHandler?.handleVerifyEvidence) {
+    const verificationPayload = orchestrationPayment ? { ...payloadWithContext, ...orchestrationPayment || {} } : payloadWithContext;
+    const verifyResult = await paymentHandler.handleVerifyEvidence({
+      payload: verificationPayload,
+      maxAgeSeconds: Number(guardConfig.payment_return_max_age_s || 900) || 900,
+      expected: {
+        issuer: expectedIssuer,
+        issuers: allowedIssuers,
+        amount,
+        currency,
+        xapp_id: String(context.xappId || context.xapp_id || "") || void 0,
+        tool_name: String(context.toolName || context.tool_name || "") || void 0,
+        subject_id: String(context.subjectId || context.subject_id || "") || void 0,
+        installation_id: String(context.installationId || context.installation_id || "") || void 0,
+        client_id: String(context.clientId || context.client_id || "") || void 0
+      }
+    });
+    if (verifyResult.ok) {
+      verifiedPayment = verifyResult.evidence;
+    } else if (verifyResult.reason !== "payment_evidence_not_found") {
+      verificationFailure = verifyResult;
+    }
+  }
+  const paidByVerifiedEvidence = Boolean(verifiedPayment);
+  if (!hasVerificationSecret) {
+    log.warn(
+      "Payment guard verification secret/secret_ref is not configured; canonical mode is fail-closed."
+    );
+  }
+  const baseReason = String(policy.reason || "payment_required").trim() || "payment_required";
+  const baseMessage = String(policy.message || "Payment is required before continuing.").trim();
+  const failReason = verificationFailure?.ok === false ? verificationFailure.reason : baseReason;
+  return {
+    payload: payloadWithContext,
+    context,
+    guard,
+    guardConfig,
+    policy,
+    amount,
+    currency,
+    plainStatus,
+    orchestrationApproved,
+    gatewayPaymentVerified,
+    verifiedPayment,
+    paidByVerifiedEvidence,
+    verificationFailure,
+    failReason,
+    baseMessage,
+    actionCfg
+  };
+}
+async function resolvePolicyRequestCommon({
+  payloadInput,
+  log,
+  resolveAllowedIssuers,
+  resolveExpectedPaymentIssuer,
+  resolveModeResult,
+  paymentRuntime = {},
+  guardSlugDefault
+}) {
+  const input = await buildPaymentPolicyInput({
+    payloadInput,
+    log,
+    resolveAllowedIssuers,
+    resolveExpectedPaymentIssuer,
+    paymentHandler: paymentRuntime.paymentHandler,
+    paymentRuntime,
+    paymentSettings: paymentRuntime.paymentSettings,
+    guardSlugDefault
+  });
+  return resolveModeResult(input, paymentRuntime);
+}
+export {
+  buildPaymentAction,
+  buildPaymentGuardFailClosedResult,
+  buildPaymentPolicyAllowedResult,
+  buildPaymentPolicyBlockedResult,
+  buildPaymentPolicyInput,
+  hasUpstreamPaymentVerified,
+  normalizeAllowedIssuers,
+  resolveMergedContext,
+  resolvePolicyRequestCommon,
+  resolvePriceAmount
+};
+//# sourceMappingURL=common.js.map

package/dist/backend/policies/common.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/backend/policies/common.ts"],
+  "sourcesContent": ["// @ts-nocheck\nimport {\n  buildPaymentGuardAction,\n  hasUpstreamPaymentVerified as hasUpstreamPaymentVerifiedFromSdk,\n  normalizePaymentAllowedIssuers as normalizePaymentAllowedIssuersFromSdk,\n  resolveMergedPaymentGuardContext,\n  resolvePaymentGuardPriceAmount,\n} from \"@xapps/server-sdk\";\n\nfunction asObject(value) {\n  return value && typeof value === \"object\" && !Array.isArray(value) ? value : {};\n}\n\nfunction toNumericAmount(amount) {\n  if (typeof amount === \"number\") return amount;\n  if (typeof amount === \"string\" && amount.trim() && Number.isFinite(Number(amount))) {\n    return Number(amount);\n  }\n  return amount;\n}\n\nexport function hasUpstreamPaymentVerified(value) {\n  return hasUpstreamPaymentVerifiedFromSdk(value);\n}\n\nexport function resolveMergedContext(payloadInput) {\n  return resolveMergedPaymentGuardContext(asObject(payloadInput));\n}\n\nexport function resolvePriceAmount(guardConfig, context) {\n  return resolvePaymentGuardPriceAmount(asObject(guardConfig), asObject(context));\n}\n\nexport function buildPaymentAction(action) {\n  return buildPaymentGuardAction(asObject(action));\n}\n\nexport function normalizeAllowedIssuers(guardConfig, fallbackIssuer) {\n  return normalizePaymentAllowedIssuersFromSdk(asObject(guardConfig), String(fallbackIssuer || \"\"));\n}\n\nexport function buildPaymentPolicyAllowedResult(input, modeMeta = {}) {\n  return {\n    allowed: true,\n    reason: String(input.policy?.reason || \"tenant_payment_passed\"),\n    message: \"Tenant payment policy satisfied\",\n    details: {\n      payment_status: input.verifiedPayment?.status || input.plainStatus || \"paid\",\n      orchestrationApproved: input.orchestrationApproved,\n      gatewayPaymentVerified: input.gatewayPaymentVerified,\n      paidByGatewayHint: false,\n      paidByPlainStatusFallback: false,\n      paidByVerifiedEvidence: input.paidByVerifiedEvidence,\n      verified_contract: input.verifiedPayment?.contract || null,\n      payment_mode: modeMeta.paymentMode || null,\n      ...(modeMeta.referenceMode ? { reference_mode: modeMeta.referenceMode } : {}),\n    },\n  };\n}\n\nexport function buildPaymentGuardFailClosedResult(upstreamStatus) {\n  return {\n    allowed: false,\n    reason: \"payment_session_create_failed\",\n    message: \"Payment session could not be created at this time\",\n    action: {\n      kind: \"complete_payment\",\n      label: \"Open Payment\",\n      title: \"Complete Payment\",\n    },\n    details: {\n      uiRequired: true,\n      orchestration: {\n        mode: \"blocking\",\n        surface: \"redirect\",\n        status: \"failed_dependency\",\n      },\n      upstream_status: Number(upstreamStatus || 500) || 500,\n    },\n  };\n}\n\nexport async function buildPaymentPolicyBlockedResult(\n  input,\n  { buildPaymentUrl, extractHostedPaymentSessionId, modeMeta = {} },\n) {\n  const paymentUrl = await buildPaymentUrl(input);\n  return {\n    allowed: false,\n    reason: input.failReason,\n    message:\n      input.verificationFailure?.ok === false ? \"Payment verification failed\" : input.baseMessage,\n    action: buildPaymentAction({\n      url: paymentUrl,\n      label: input.actionCfg?.label,\n      title: input.actionCfg?.title,\n      target: input.actionCfg?.target,\n    }),\n    details: {\n      uiRequired: true,\n      orchestration: {\n        mode: \"blocking\",\n        surface: String(input.guardConfig?.ui_mode || \"redirect\"),\n        status: \"pending_user_action\",\n        payment_session_id: extractHostedPaymentSessionId(paymentUrl),\n        payment_mode: modeMeta.paymentMode || null,\n        ...(modeMeta.referenceMode ? { reference_mode: modeMeta.referenceMode } : {}),\n      },\n      payment_status: input.plainStatus || null,\n      expected_amount: toNumericAmount(input.amount),\n      expected_currency: input.currency,\n      ...(input.verificationFailure?.ok === false\n        ? { verification_failure: input.verificationFailure }\n        : {}),\n    },\n  };\n}\n\nexport async function buildPaymentPolicyInput({\n  payloadInput,\n  log,\n  resolveAllowedIssuers,\n  resolveExpectedPaymentIssuer,\n  paymentHandler,\n  paymentRuntime = {},\n  paymentSettings = {},\n  guardSlugDefault = \"tenant-payment-policy\",\n}) {\n  const payload = payloadInput && typeof payloadInput === \"object\" ? payloadInput : {};\n  const context = resolveMergedContext(payload);\n  const policyContext = asObject(payload.policyContext);\n  const payloadWithContext = { ...payload, context };\n  const guard = payload.guard && typeof payload.guard === \"object\" ? payload.guard : {};\n  const guardConfig = guard.config && typeof guard.config === \"object\" ? guard.config : {};\n  const policy =\n    guardConfig.policy && typeof guardConfig.policy === \"object\" ? guardConfig.policy : {};\n  const actionCfg =\n    guardConfig.action && typeof guardConfig.action === \"object\" ? guardConfig.action : {};\n  const guardSlug = String(guard.slug || guardSlugDefault).trim();\n  const orchestration =\n    context.orchestration && typeof context.orchestration === \"object\" ? context.orchestration : {};\n  const orchestrationEntry =\n    orchestration[guardSlug] && typeof orchestration[guardSlug] === \"object\"\n      ? orchestration[guardSlug]\n      : {};\n  const orchestrationPayment =\n    orchestrationEntry.payment && typeof orchestrationEntry.payment === \"object\"\n      ? orchestrationEntry.payment\n      : null;\n\n  const allowOrchestrationBypassConfigured = Boolean(\n    guardConfig.allow_orchestration_bypass ?? guardConfig.allowOrchestrationBypass,\n  );\n  if (allowOrchestrationBypassConfigured) {\n    log.warn(\"Ignoring allow_orchestration_bypass in canonical payment verification mode.\");\n  }\n  const orchestrationApproved = false;\n\n  const amount = resolvePriceAmount(guardConfig, context);\n  const currency = String(guardConfig?.pricing?.currency || guardConfig.currency || \"USD\")\n    .trim()\n    .toUpperCase();\n  const settings = asObject(paymentSettings);\n  const allowedIssuers = resolveAllowedIssuers(guardConfig, settings, paymentRuntime);\n  const expectedIssuer =\n    allowedIssuers[0] || resolveExpectedPaymentIssuer(guardConfig, settings, paymentRuntime);\n  const plainStatus = String(payload.payment_status || payload?.payment?.status || \"\")\n    .trim()\n    .toLowerCase();\n  const gatewayPaymentVerified =\n    hasUpstreamPaymentVerified(payload.payment_verified) ||\n    hasUpstreamPaymentVerified(payload.paymentVerified) ||\n    hasUpstreamPaymentVerified(policyContext.payment_verified) ||\n    hasUpstreamPaymentVerified(policyContext.paymentVerified);\n  let verifiedPayment = null;\n  let verificationFailure = null;\n\n  const hasVerificationSecret =\n    String(settings.returnSecret || \"\").trim().length > 0 ||\n    String(settings.returnSecretRef || \"\").trim().length > 0 ||\n    Boolean(paymentHandler && typeof paymentHandler.handleVerifyEvidence === \"function\");\n\n  if (\n    gatewayPaymentVerified &&\n    orchestrationPayment &&\n    String(orchestrationPayment.status || \"\")\n      .trim()\n      .toLowerCase() === \"paid\"\n  ) {\n    verifiedPayment = orchestrationPayment;\n  } else if (hasVerificationSecret && paymentHandler?.handleVerifyEvidence) {\n    const verificationPayload = orchestrationPayment\n      ? { ...payloadWithContext, ...(orchestrationPayment || {}) }\n      : payloadWithContext;\n    const verifyResult = await paymentHandler.handleVerifyEvidence({\n      payload: verificationPayload,\n      maxAgeSeconds: Number(guardConfig.payment_return_max_age_s || 900) || 900,\n      expected: {\n        issuer: expectedIssuer,\n        issuers: allowedIssuers,\n        amount,\n        currency,\n        xapp_id: String(context.xappId || context.xapp_id || \"\") || undefined,\n        tool_name: String(context.toolName || context.tool_name || \"\") || undefined,\n        subject_id: String(context.subjectId || context.subject_id || \"\") || undefined,\n        installation_id:\n          String(context.installationId || context.installation_id || \"\") || undefined,\n        client_id: String(context.clientId || context.client_id || \"\") || undefined,\n      },\n    });\n    if (verifyResult.ok) {\n      verifiedPayment = verifyResult.evidence;\n    } else if (verifyResult.reason !== \"payment_evidence_not_found\") {\n      verificationFailure = verifyResult;\n    }\n  }\n\n  const paidByVerifiedEvidence = Boolean(verifiedPayment);\n  if (!hasVerificationSecret) {\n    log.warn(\n      \"Payment guard verification secret/secret_ref is not configured; canonical mode is fail-closed.\",\n    );\n  }\n\n  const baseReason = String(policy.reason || \"payment_required\").trim() || \"payment_required\";\n  const baseMessage = String(policy.message || \"Payment is required before continuing.\").trim();\n  const failReason = verificationFailure?.ok === false ? verificationFailure.reason : baseReason;\n  return {\n    payload: payloadWithContext,\n    context,\n    guard,\n    guardConfig,\n    policy,\n    amount,\n    currency,\n    plainStatus,\n    orchestrationApproved,\n    gatewayPaymentVerified,\n    verifiedPayment,\n    paidByVerifiedEvidence,\n    verificationFailure,\n    failReason,\n    baseMessage,\n    actionCfg,\n  };\n}\n\nexport async function resolvePolicyRequestCommon({\n  payloadInput,\n  log,\n  resolveAllowedIssuers,\n  resolveExpectedPaymentIssuer,\n  resolveModeResult,\n  paymentRuntime = {},\n  guardSlugDefault,\n}) {\n  const input = await buildPaymentPolicyInput({\n    payloadInput,\n    log,\n    resolveAllowedIssuers,\n    resolveExpectedPaymentIssuer,\n    paymentHandler: paymentRuntime.paymentHandler,\n    paymentRuntime,\n    paymentSettings: paymentRuntime.paymentSettings,\n    guardSlugDefault,\n  });\n  return resolveModeResult(input, paymentRuntime);\n}\n"],
+  "mappings": "AACA;AAAA,EACE;AAAA,EACA,8BAA8B;AAAA,EAC9B,kCAAkC;AAAA,EAClC;AAAA,EACA;AAAA,OACK;AAEP,SAAS,SAAS,OAAO;AACvB,SAAO,SAAS,OAAO,UAAU,YAAY,CAAC,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC;AAChF;AAEA,SAAS,gBAAgB,QAAQ;AAC/B,MAAI,OAAO,WAAW,SAAU,QAAO;AACvC,MAAI,OAAO,WAAW,YAAY,OAAO,KAAK,KAAK,OAAO,SAAS,OAAO,MAAM,CAAC,GAAG;AAClF,WAAO,OAAO,MAAM;AAAA,EACtB;AACA,SAAO;AACT;AAEO,SAAS,2BAA2B,OAAO;AAChD,SAAO,kCAAkC,KAAK;AAChD;AAEO,SAAS,qBAAqB,cAAc;AACjD,SAAO,iCAAiC,SAAS,YAAY,CAAC;AAChE;AAEO,SAAS,mBAAmB,aAAa,SAAS;AACvD,SAAO,+BAA+B,SAAS,WAAW,GAAG,SAAS,OAAO,CAAC;AAChF;AAEO,SAAS,mBAAmB,QAAQ;AACzC,SAAO,wBAAwB,SAAS,MAAM,CAAC;AACjD;AAEO,SAAS,wBAAwB,aAAa,gBAAgB;AACnE,SAAO,sCAAsC,SAAS,WAAW,GAAG,OAAO,kBAAkB,EAAE,CAAC;AAClG;AAEO,SAAS,gCAAgC,OAAO,WAAW,CAAC,GAAG;AACpE,SAAO;AAAA,IACL,SAAS;AAAA,IACT,QAAQ,OAAO,MAAM,QAAQ,UAAU,uBAAuB;AAAA,IAC9D,SAAS;AAAA,IACT,SAAS;AAAA,MACP,gBAAgB,MAAM,iBAAiB,UAAU,MAAM,eAAe;AAAA,MACtE,uBAAuB,MAAM;AAAA,MAC7B,wBAAwB,MAAM;AAAA,MAC9B,mBAAmB;AAAA,MACnB,2BAA2B;AAAA,MAC3B,wBAAwB,MAAM;AAAA,MAC9B,mBAAmB,MAAM,iBAAiB,YAAY;AAAA,MACtD,cAAc,SAAS,eAAe;AAAA,MACtC,GAAI,SAAS,gBAAgB,EAAE,gBAAgB,SAAS,cAAc,IAAI,CAAC;AAAA,IAC7E;AAAA,EACF;AACF;AAEO,SAAS,kCAAkC,gBAAgB;AAChE,SAAO;AAAA,IACL,SAAS;AAAA,IACT,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,QAAQ;AAAA,MACN,MAAM;AAAA,MACN,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AAAA,IACA,SAAS;AAAA,MACP,YAAY;AAAA,MACZ,eAAe;AAAA,QACb,MAAM;AAAA,QACN,SAAS;AAAA,QACT,QAAQ;AAAA,MACV;AAAA,MACA,iBAAiB,OAAO,kBAAkB,GAAG,KAAK;AAAA,IACpD;AAAA,EACF;AACF;AAEA,eAAsB,gCACpB,OACA,EAAE,iBAAiB,+BAA+B,WAAW,CAAC,EAAE,GAChE;AACA,QAAM,aAAa,MAAM,gBAAgB,KAAK;AAC9C,SAAO;AAAA,IACL,SAAS;AAAA,IACT,QAAQ,MAAM;AAAA,IACd,SACE,MAAM,qBAAqB,OAAO,QAAQ,gCAAgC,MAAM;AAAA,IAClF,QAAQ,mBAAmB;AAAA,MACzB,KAAK;AAAA,MACL,OAAO,MAAM,WAAW;AAAA,MACxB,OAAO,MAAM,WAAW;AAAA,MACxB,QAAQ,MAAM,WAAW;AAAA,IAC3B,CAAC;AAAA,IACD,SAAS;AAAA,MACP,YAAY;AAAA,MACZ,eAAe;AAAA,QACb,MAAM;AAAA,QACN,SAAS,OAAO,MAAM,aAAa,WAAW,UAAU;AAAA,QACxD,QAAQ;AAAA,QACR,oBAAoB,8BAA8B,UAAU;AAAA,QAC5D,cAAc,SAAS,eAAe;AAAA,QACtC,GAAI,SAAS,gBAAgB,EAAE,gBAAgB,SAAS,cAAc,IAAI,CAAC;AAAA,MAC7E;AAAA,MACA,gBAAgB,MAAM,eAAe;AAAA,MACrC,iBAAiB,gBAAgB,MAAM,MAAM;AAAA,MAC7C,mBAAmB,MAAM;AAAA,MACzB,GAAI,MAAM,qBAAqB,OAAO,QAClC,EAAE,sBAAsB,MAAM,oBAAoB,IAClD,CAAC;AAAA,IACP;AAAA,EACF;AACF;AAEA,eAAsB,wBAAwB;AAAA,EAC5C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,iBAAiB,CAAC;AAAA,EAClB,kBAAkB,CAAC;AAAA,EACnB,mBAAmB;AACrB,GAAG;AACD,QAAM,UAAU,gBAAgB,OAAO,iBAAiB,WAAW,eAAe,CAAC;AACnF,QAAM,UAAU,qBAAqB,OAAO;AAC5C,QAAM,gBAAgB,SAAS,QAAQ,aAAa;AACpD,QAAM,qBAAqB,EAAE,GAAG,SAAS,QAAQ;AACjD,QAAM,QAAQ,QAAQ,SAAS,OAAO,QAAQ,UAAU,WAAW,QAAQ,QAAQ,CAAC;AACpF,QAAM,cAAc,MAAM,UAAU,OAAO,MAAM,WAAW,WAAW,MAAM,SAAS,CAAC;AACvF,QAAM,SACJ,YAAY,UAAU,OAAO,YAAY,WAAW,WAAW,YAAY,SAAS,CAAC;AACvF,QAAM,YACJ,YAAY,UAAU,OAAO,YAAY,WAAW,WAAW,YAAY,SAAS,CAAC;AACvF,QAAM,YAAY,OAAO,MAAM,QAAQ,gBAAgB,EAAE,KAAK;AAC9D,QAAM,gBACJ,QAAQ,iBAAiB,OAAO,QAAQ,kBAAkB,WAAW,QAAQ,gBAAgB,CAAC;AAChG,QAAM,qBACJ,cAAc,SAAS,KAAK,OAAO,cAAc,SAAS,MAAM,WAC5D,cAAc,SAAS,IACvB,CAAC;AACP,QAAM,uBACJ,mBAAmB,WAAW,OAAO,mBAAmB,YAAY,WAChE,mBAAmB,UACnB;AAEN,QAAM,qCAAqC;AAAA,IACzC,YAAY,8BAA8B,YAAY;AAAA,EACxD;AACA,MAAI,oCAAoC;AACtC,QAAI,KAAK,6EAA6E;AAAA,EACxF;AACA,QAAM,wBAAwB;AAE9B,QAAM,SAAS,mBAAmB,aAAa,OAAO;AACtD,QAAM,WAAW,OAAO,aAAa,SAAS,YAAY,YAAY,YAAY,KAAK,EACpF,KAAK,EACL,YAAY;AACf,QAAM,WAAW,SAAS,eAAe;AACzC,QAAM,iBAAiB,sBAAsB,aAAa,UAAU,cAAc;AAClF,QAAM,iBACJ,eAAe,CAAC,KAAK,6BAA6B,aAAa,UAAU,cAAc;AACzF,QAAM,cAAc,OAAO,QAAQ,kBAAkB,SAAS,SAAS,UAAU,EAAE,EAChF,KAAK,EACL,YAAY;AACf,QAAM,yBACJ,2BAA2B,QAAQ,gBAAgB,KACnD,2BAA2B,QAAQ,eAAe,KAClD,2BAA2B,cAAc,gBAAgB,KACzD,2BAA2B,cAAc,eAAe;AAC1D,MAAI,kBAAkB;AACtB,MAAI,sBAAsB;AAE1B,QAAM,wBACJ,OAAO,SAAS,gBAAgB,EAAE,EAAE,KAAK,EAAE,SAAS,KACpD,OAAO,SAAS,mBAAmB,EAAE,EAAE,KAAK,EAAE,SAAS,KACvD,QAAQ,kBAAkB,OAAO,eAAe,yBAAyB,UAAU;AAErF,MACE,0BACA,wBACA,OAAO,qBAAqB,UAAU,EAAE,EACrC,KAAK,EACL,YAAY,MAAM,QACrB;AACA,sBAAkB;AAAA,EACpB,WAAW,yBAAyB,gBAAgB,sBAAsB;AACxE,UAAM,sBAAsB,uBACxB,EAAE,GAAG,oBAAoB,GAAI,wBAAwB,CAAC,EAAG,IACzD;AACJ,UAAM,eAAe,MAAM,eAAe,qBAAqB;AAAA,MAC7D,SAAS;AAAA,MACT,eAAe,OAAO,YAAY,4BAA4B,GAAG,KAAK;AAAA,MACtE,UAAU;AAAA,QACR,QAAQ;AAAA,QACR,SAAS;AAAA,QACT;AAAA,QACA;AAAA,QACA,SAAS,OAAO,QAAQ,UAAU,QAAQ,WAAW,EAAE,KAAK;AAAA,QAC5D,WAAW,OAAO,QAAQ,YAAY,QAAQ,aAAa,EAAE,KAAK;AAAA,QAClE,YAAY,OAAO,QAAQ,aAAa,QAAQ,cAAc,EAAE,KAAK;AAAA,QACrE,iBACE,OAAO,QAAQ,kBAAkB,QAAQ,mBAAmB,EAAE,KAAK;AAAA,QACrE,WAAW,OAAO,QAAQ,YAAY,QAAQ,aAAa,EAAE,KAAK;AAAA,MACpE;AAAA,IACF,CAAC;AACD,QAAI,aAAa,IAAI;AACnB,wBAAkB,aAAa;AAAA,IACjC,WAAW,aAAa,WAAW,8BAA8B;AAC/D,4BAAsB;AAAA,IACxB;AAAA,EACF;AAEA,QAAM,yBAAyB,QAAQ,eAAe;AACtD,MAAI,CAAC,uBAAuB;AAC1B,QAAI;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,QAAM,aAAa,OAAO,OAAO,UAAU,kBAAkB,EAAE,KAAK,KAAK;AACzE,QAAM,cAAc,OAAO,OAAO,WAAW,wCAAwC,EAAE,KAAK;AAC5F,QAAM,aAAa,qBAAqB,OAAO,QAAQ,oBAAoB,SAAS;AACpF,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAEA,eAAsB,2BAA2B;AAAA,EAC/C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,iBAAiB,CAAC;AAAA,EAClB;AACF,GAAG;AACD,QAAM,QAAQ,MAAM,wBAAwB;AAAA,IAC1C;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,gBAAgB,eAAe;AAAA,IAC/B;AAAA,IACA,iBAAiB,eAAe;AAAA,IAChC;AAAA,EACF,CAAC;AACD,SAAO,kBAAkB,OAAO,cAAc;AAChD;",
+  "names": []
+}

package/dist/backend/routes/gateway/guard.d.ts

@@ -0,0 +1,7 @@
+export default function guardRoutes(fastify: any, { enabledModes, paymentRuntime, guardApiKey, guardToolName, logScope, }?: {
+    paymentRuntime?: {};
+    guardApiKey?: string;
+    guardToolName?: string;
+    logScope?: string;
+}): Promise<void>;
+//# sourceMappingURL=guard.d.ts.map

package/dist/backend/routes/gateway/guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"guard.d.ts","sourceRoot":"","sources":["../../../../src/backend/routes/gateway/guard.ts"],"names":[],"mappings":"AAoCA,wBAA8B,WAAW,CACvC,OAAO,KAAA,EACP,EACE,YAAY,EACZ,cAAmB,EACnB,WAAgB,EAChB,aAAgD,EAChD,QAAmB,GACpB;;;;;CAAK,iBAkDP"}

package/dist/backend/routes/gateway/guard.js

@@ -0,0 +1,89 @@
+import { resolveBackendPaymentPolicy } from "../../modes/index.js";
+function buildPaymentGuardFailClosedResult(upstreamStatus) {
+  return {
+    allowed: false,
+    reason: "payment_session_create_failed",
+    message: "Payment session could not be created at this time",
+    action: {
+      kind: "complete_payment",
+      label: "Open Payment",
+      title: "Complete Payment"
+    },
+    details: {
+      uiRequired: true,
+      orchestration: {
+        mode: "blocking",
+        surface: "redirect",
+        status: "failed_dependency"
+      },
+      upstream_status: Number(upstreamStatus || 500) || 500
+    }
+  };
+}
+function requireGuardApiKey(request, reply, guardApiKey) {
+  const key = String(
+    request.headers["x-api-key"] || request.headers["x-xconect-guard-api-key"] || ""
+  ).trim();
+  if (!key || key !== String(guardApiKey || "").trim()) {
+    reply.code(401).send({ status: "error", result: { message: "Invalid API key" } });
+    return false;
+  }
+  return true;
+}
+async function guardRoutes(fastify, {
+  enabledModes,
+  paymentRuntime = {},
+  guardApiKey = "",
+  guardToolName = "evaluate_tenant_payment_policy",
+  logScope = "tenant"
+} = {}) {
+  fastify.post("/xapps/requests", async (request, reply) => {
+    if (!requireGuardApiKey(request, reply, guardApiKey)) return;
+    const body = request.body && typeof request.body === "object" ? request.body : {};
+    const requestId = String(body.requestId || body.request_id || "").trim();
+    const toolName = String(body.toolName || body.tool_name || "").trim();
+    const payload = body.payload && typeof body.payload === "object" ? body.payload : {};
+    if (!requestId || !toolName) {
+      return reply.code(400).send({
+        status: "error",
+        result: { message: "requestId and toolName are required" }
+      });
+    }
+    if (toolName !== guardToolName) {
+      return reply.code(400).send({
+        status: "error",
+        result: { message: `Unsupported tool: ${toolName}` }
+      });
+    }
+    try {
+      const result = typeof paymentRuntime.resolvePolicyRequest === "function" ? await paymentRuntime.resolvePolicyRequest(payload, {
+        log: fastify.log,
+        enabledModes
+      }) : await resolveBackendPaymentPolicy(payload, {
+        log: fastify.log,
+        enabledModes,
+        paymentRuntime
+      });
+      return reply.send({ status: "success", result });
+    } catch (err) {
+      const status = Number(err?.status || err?.statusCode || 500) || 500;
+      fastify.log.error(
+        {
+          err,
+          requestId,
+          toolName,
+          status
+        },
+        `${logScope} guard evaluation failed; returning fail-closed block`
+      );
+      return reply.send({
+        status: "success",
+        result: buildPaymentGuardFailClosedResult(status)
+      });
+    }
+  });
+}
+export {
+  guardRoutes as default
+};
+//# sourceMappingURL=guard.js.map

package/dist/backend/routes/gateway/guard.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/backend/routes/gateway/guard.ts"],
+  "sourcesContent": ["// @ts-nocheck\nimport { resolveBackendPaymentPolicy } from \"../../modes/index.js\";\n\nfunction buildPaymentGuardFailClosedResult(upstreamStatus) {\n  return {\n    allowed: false,\n    reason: \"payment_session_create_failed\",\n    message: \"Payment session could not be created at this time\",\n    action: {\n      kind: \"complete_payment\",\n      label: \"Open Payment\",\n      title: \"Complete Payment\",\n    },\n    details: {\n      uiRequired: true,\n      orchestration: {\n        mode: \"blocking\",\n        surface: \"redirect\",\n        status: \"failed_dependency\",\n      },\n      upstream_status: Number(upstreamStatus || 500) || 500,\n    },\n  };\n}\n\nfunction requireGuardApiKey(request, reply, guardApiKey) {\n  const key = String(\n    request.headers[\"x-api-key\"] || request.headers[\"x-xconect-guard-api-key\"] || \"\",\n  ).trim();\n  if (!key || key !== String(guardApiKey || \"\").trim()) {\n    reply.code(401).send({ status: \"error\", result: { message: \"Invalid API key\" } });\n    return false;\n  }\n  return true;\n}\n\nexport default async function guardRoutes(\n  fastify,\n  {\n    enabledModes,\n    paymentRuntime = {},\n    guardApiKey = \"\",\n    guardToolName = \"evaluate_tenant_payment_policy\",\n    logScope = \"tenant\",\n  } = {},\n) {\n  fastify.post(\"/xapps/requests\", async (request, reply) => {\n    if (!requireGuardApiKey(request, reply, guardApiKey)) return;\n    const body = request.body && typeof request.body === \"object\" ? request.body : {};\n    const requestId = String(body.requestId || body.request_id || \"\").trim();\n    const toolName = String(body.toolName || body.tool_name || \"\").trim();\n    const payload = body.payload && typeof body.payload === \"object\" ? body.payload : {};\n    if (!requestId || !toolName) {\n      return reply.code(400).send({\n        status: \"error\",\n        result: { message: \"requestId and toolName are required\" },\n      });\n    }\n    if (toolName !== guardToolName) {\n      return reply.code(400).send({\n        status: \"error\",\n        result: { message: `Unsupported tool: ${toolName}` },\n      });\n    }\n    try {\n      const result =\n        typeof paymentRuntime.resolvePolicyRequest === \"function\"\n          ? await paymentRuntime.resolvePolicyRequest(payload, {\n              log: fastify.log,\n              enabledModes,\n            })\n          : await resolveBackendPaymentPolicy(payload, {\n              log: fastify.log,\n              enabledModes,\n              paymentRuntime,\n            });\n      return reply.send({ status: \"success\", result });\n    } catch (err) {\n      const status = Number(err?.status || err?.statusCode || 500) || 500;\n      fastify.log.error(\n        {\n          err,\n          requestId,\n          toolName,\n          status,\n        },\n        `${logScope} guard evaluation failed; returning fail-closed block`,\n      );\n      return reply.send({\n        status: \"success\",\n        result: buildPaymentGuardFailClosedResult(status),\n      });\n    }\n  });\n}\n"],
+  "mappings": "AACA,SAAS,mCAAmC;AAE5C,SAAS,kCAAkC,gBAAgB;AACzD,SAAO;AAAA,IACL,SAAS;AAAA,IACT,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,QAAQ;AAAA,MACN,MAAM;AAAA,MACN,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AAAA,IACA,SAAS;AAAA,MACP,YAAY;AAAA,MACZ,eAAe;AAAA,QACb,MAAM;AAAA,QACN,SAAS;AAAA,QACT,QAAQ;AAAA,MACV;AAAA,MACA,iBAAiB,OAAO,kBAAkB,GAAG,KAAK;AAAA,IACpD;AAAA,EACF;AACF;AAEA,SAAS,mBAAmB,SAAS,OAAO,aAAa;AACvD,QAAM,MAAM;AAAA,IACV,QAAQ,QAAQ,WAAW,KAAK,QAAQ,QAAQ,yBAAyB,KAAK;AAAA,EAChF,EAAE,KAAK;AACP,MAAI,CAAC,OAAO,QAAQ,OAAO,eAAe,EAAE,EAAE,KAAK,GAAG;AACpD,UAAM,KAAK,GAAG,EAAE,KAAK,EAAE,QAAQ,SAAS,QAAQ,EAAE,SAAS,kBAAkB,EAAE,CAAC;AAChF,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,eAAO,YACL,SACA;AAAA,EACE;AAAA,EACA,iBAAiB,CAAC;AAAA,EAClB,cAAc;AAAA,EACd,gBAAgB;AAAA,EAChB,WAAW;AACb,IAAI,CAAC,GACL;AACA,UAAQ,KAAK,mBAAmB,OAAO,SAAS,UAAU;AACxD,QAAI,CAAC,mBAAmB,SAAS,OAAO,WAAW,EAAG;AACtD,UAAM,OAAO,QAAQ,QAAQ,OAAO,QAAQ,SAAS,WAAW,QAAQ,OAAO,CAAC;AAChF,UAAM,YAAY,OAAO,KAAK,aAAa,KAAK,cAAc,EAAE,EAAE,KAAK;AACvE,UAAM,WAAW,OAAO,KAAK,YAAY,KAAK,aAAa,EAAE,EAAE,KAAK;AACpE,UAAM,UAAU,KAAK,WAAW,OAAO,KAAK,YAAY,WAAW,KAAK,UAAU,CAAC;AACnF,QAAI,CAAC,aAAa,CAAC,UAAU;AAC3B,aAAO,MAAM,KAAK,GAAG,EAAE,KAAK;AAAA,QAC1B,QAAQ;AAAA,QACR,QAAQ,EAAE,SAAS,sCAAsC;AAAA,MAC3D,CAAC;AAAA,IACH;AACA,QAAI,aAAa,eAAe;AAC9B,aAAO,MAAM,KAAK,GAAG,EAAE,KAAK;AAAA,QAC1B,QAAQ;AAAA,QACR,QAAQ,EAAE,SAAS,qBAAqB,QAAQ,GAAG;AAAA,MACrD,CAAC;AAAA,IACH;AACA,QAAI;AACF,YAAM,SACJ,OAAO,eAAe,yBAAyB,aAC3C,MAAM,eAAe,qBAAqB,SAAS;AAAA,QACjD,KAAK,QAAQ;AAAA,QACb;AAAA,MACF,CAAC,IACD,MAAM,4BAA4B,SAAS;AAAA,QACzC,KAAK,QAAQ;AAAA,QACb;AAAA,QACA;AAAA,MACF,CAAC;AACP,aAAO,MAAM,KAAK,EAAE,QAAQ,WAAW,OAAO,CAAC;AAAA,IACjD,SAAS,KAAK;AACZ,YAAM,SAAS,OAAO,KAAK,UAAU,KAAK,cAAc,GAAG,KAAK;AAChE,cAAQ,IAAI;AAAA,QACV;AAAA,UACE;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,QACA,GAAG,QAAQ;AAAA,MACb;AACA,aAAO,MAAM,KAAK;AAAA,QAChB,QAAQ;AAAA,QACR,QAAQ,kCAAkC,MAAM;AAAA,MAClD,CAAC;AAAA,IACH;AAAA,EACF,CAAC;AACH;",
+  "names": []
+}

package/dist/backend/routes/gateway/hostApi.d.ts

@@ -0,0 +1,8 @@
+export default function hostGatewayApiRoutes(fastify: any, { enableLifecycle, enableBridge, hostProxyService, allowedOrigins, bootstrap, }?: {
+    enableLifecycle?: boolean;
+    enableBridge?: boolean;
+    hostProxyService?: any;
+    allowedOrigins?: any[];
+    bootstrap?: {};
+}): Promise<void>;
+//# sourceMappingURL=hostApi.d.ts.map

package/dist/backend/routes/gateway/hostApi.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hostApi.d.ts","sourceRoot":"","sources":["../../../../src/backend/routes/gateway/hostApi.ts"],"names":[],"mappings":"AAMA,wBAA8B,oBAAoB,CAChD,OAAO,KAAA,EACP,EACE,eAAsB,EACtB,YAAmB,EACnB,gBAAuB,EACvB,cAAmB,EACnB,SAAc,GACf;;;;;;CAAK,iBAkCP"}

package/dist/backend/routes/gateway/hostApi.js

@@ -0,0 +1,45 @@
+import hostApiBridgeRoutes from "./hostApiBridge.js";
+import hostApiCoreRoutes from "./hostApiCore.js";
+import hostApiLifecycleRoutes from "./hostApiLifecycle.js";
+import { sendHostApiPreflight } from "./shared.js";
+async function hostGatewayApiRoutes(fastify, {
+  enableLifecycle = true,
+  enableBridge = true,
+  hostProxyService = null,
+  allowedOrigins = [],
+  bootstrap = {}
+} = {}) {
+  const preflightPaths = [
+    "/api/host-config",
+    "/api/resolve-subject",
+    "/api/create-catalog-session",
+    "/api/create-widget-session"
+  ];
+  if (enableLifecycle) {
+    preflightPaths.push("/api/installations", "/api/install", "/api/update", "/api/uninstall");
+  }
+  if (enableBridge) {
+    preflightPaths.push(
+      "/api/bridge/token-refresh",
+      "/api/bridge/sign",
+      "/api/bridge/vendor-assertion"
+    );
+  }
+  for (const path of preflightPaths) {
+    fastify.options(
+      path,
+      async (request, reply) => sendHostApiPreflight(request, reply, allowedOrigins)
+    );
+  }
+  await fastify.register(hostApiCoreRoutes, { hostProxyService, allowedOrigins, bootstrap });
+  if (enableLifecycle) {
+    await fastify.register(hostApiLifecycleRoutes, { hostProxyService, allowedOrigins, bootstrap });
+  }
+  if (enableBridge) {
+    await fastify.register(hostApiBridgeRoutes, { hostProxyService, allowedOrigins, bootstrap });
+  }
+}
+export {
+  hostGatewayApiRoutes as default
+};
+//# sourceMappingURL=hostApi.js.map

package/dist/backend/routes/gateway/hostApi.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/backend/routes/gateway/hostApi.ts"],
+  "sourcesContent": ["// @ts-nocheck\nimport hostApiBridgeRoutes from \"./hostApiBridge.js\";\nimport hostApiCoreRoutes from \"./hostApiCore.js\";\nimport hostApiLifecycleRoutes from \"./hostApiLifecycle.js\";\nimport { sendHostApiPreflight } from \"./shared.js\";\n\nexport default async function hostGatewayApiRoutes(\n  fastify,\n  {\n    enableLifecycle = true,\n    enableBridge = true,\n    hostProxyService = null,\n    allowedOrigins = [],\n    bootstrap = {},\n  } = {},\n) {\n  const preflightPaths = [\n    \"/api/host-config\",\n    \"/api/resolve-subject\",\n    \"/api/create-catalog-session\",\n    \"/api/create-widget-session\",\n  ];\n  if (enableLifecycle) {\n    preflightPaths.push(\"/api/installations\", \"/api/install\", \"/api/update\", \"/api/uninstall\");\n  }\n  if (enableBridge) {\n    preflightPaths.push(\n      \"/api/bridge/token-refresh\",\n      \"/api/bridge/sign\",\n      \"/api/bridge/vendor-assertion\",\n    );\n  }\n\n  for (const path of preflightPaths) {\n    fastify.options(path, async (request, reply) =>\n      sendHostApiPreflight(request, reply, allowedOrigins),\n    );\n  }\n\n  await fastify.register(hostApiCoreRoutes, { hostProxyService, allowedOrigins, bootstrap });\n\n  if (enableLifecycle) {\n    await fastify.register(hostApiLifecycleRoutes, { hostProxyService, allowedOrigins, bootstrap });\n  }\n\n  if (enableBridge) {\n    await fastify.register(hostApiBridgeRoutes, { hostProxyService, allowedOrigins, bootstrap });\n  }\n}\n"],
+  "mappings": "AACA,OAAO,yBAAyB;AAChC,OAAO,uBAAuB;AAC9B,OAAO,4BAA4B;AACnC,SAAS,4BAA4B;AAErC,eAAO,qBACL,SACA;AAAA,EACE,kBAAkB;AAAA,EAClB,eAAe;AAAA,EACf,mBAAmB;AAAA,EACnB,iBAAiB,CAAC;AAAA,EAClB,YAAY,CAAC;AACf,IAAI,CAAC,GACL;AACA,QAAM,iBAAiB;AAAA,IACrB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,MAAI,iBAAiB;AACnB,mBAAe,KAAK,sBAAsB,gBAAgB,eAAe,gBAAgB;AAAA,EAC3F;AACA,MAAI,cAAc;AAChB,mBAAe;AAAA,MACb;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,aAAW,QAAQ,gBAAgB;AACjC,YAAQ;AAAA,MAAQ;AAAA,MAAM,OAAO,SAAS,UACpC,qBAAqB,SAAS,OAAO,cAAc;AAAA,IACrD;AAAA,EACF;AAEA,QAAM,QAAQ,SAAS,mBAAmB,EAAE,kBAAkB,gBAAgB,UAAU,CAAC;AAEzF,MAAI,iBAAiB;AACnB,UAAM,QAAQ,SAAS,wBAAwB,EAAE,kBAAkB,gBAAgB,UAAU,CAAC;AAAA,EAChG;AAEA,MAAI,cAAc;AAChB,UAAM,QAAQ,SAAS,qBAAqB,EAAE,kBAAkB,gBAAgB,UAAU,CAAC;AAAA,EAC7F;AACF;",
+  "names": []
+}

package/dist/backend/routes/gateway/hostApiBridge.d.ts

@@ -0,0 +1,5 @@
+export default function hostApiBridgeRoutes(fastify: any, { hostProxyService, allowedOrigins, bootstrap }?: {
+    allowedOrigins?: any[];
+    bootstrap?: {};
+}): Promise<void>;
+//# sourceMappingURL=hostApiBridge.d.ts.map

package/dist/backend/routes/gateway/hostApiBridge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hostApiBridge.d.ts","sourceRoot":"","sources":["../../../../src/backend/routes/gateway/hostApiBridge.ts"],"names":[],"mappings":"AAcA,wBAA8B,mBAAmB,CAC/C,OAAO,KAAA,EACP,EAAE,gBAAgB,EAAE,cAAmB,EAAE,SAAc,EAAE;;;CAAK,iBAkD/D"}