@xapps-platform/backend-kit 0.1.1

package/dist/backend/routes/gateway/shared.js

@@ -0,0 +1,208 @@
+import {
+  EmbedHostProxyInputError,
+  EmbedHostProxyNotConfiguredError,
+  GatewayApiClientError
+} from "@xapps/server-sdk";
+import crypto from "node:crypto";
+const HOST_BOOTSTRAP_HEADER = "x-xapps-host-bootstrap";
+function toBase64Url(input) {
+  return Buffer.from(String(input), "utf8").toString("base64url");
+}
+function fromBase64UrlJson(input) {
+  const raw = Buffer.from(String(input || ""), "base64url").toString("utf8");
+  return JSON.parse(raw);
+}
+function normalizeOrigin(value) {
+  const raw = String(value || "").trim();
+  return raw ? raw.replace(/\/+$/, "") : "";
+}
+function normalizeAllowedOrigins(allowedOrigins = []) {
+  return Array.isArray(allowedOrigins) ? allowedOrigins.map((entry) => normalizeOrigin(entry)).filter(Boolean) : [];
+}
+function readBodyRecord(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : {};
+}
+function requireHostProxyService(hostProxyService) {
+  if (!hostProxyService || typeof hostProxyService.getHostConfig !== "function") {
+    throw new EmbedHostProxyNotConfiguredError("Host proxy service is not configured");
+  }
+  return hostProxyService;
+}
+function readRequestOrigin(request) {
+  return normalizeOrigin(request?.headers?.origin);
+}
+function readHostBootstrapToken(request) {
+  return String(request?.headers?.[HOST_BOOTSTRAP_HEADER] || "").trim();
+}
+function issueHostBootstrapToken(payload, signingSecret) {
+  const encodedPayload = toBase64Url(JSON.stringify(payload));
+  const signature = crypto.createHmac("sha256", String(signingSecret)).update(encodedPayload).digest("base64url");
+  return `${encodedPayload}.${signature}`;
+}
+function verifyHostBootstrapToken(token, signingSecret) {
+  const parts = String(token || "").trim().split(".");
+  if (parts.length !== 2) {
+    throw new EmbedHostProxyInputError("host bootstrap token is malformed", 401);
+  }
+  const [encodedPayload, receivedSignature] = parts;
+  const expectedSignature = crypto.createHmac("sha256", String(signingSecret)).update(encodedPayload).digest("base64url");
+  const received = Buffer.from(receivedSignature, "utf8");
+  const expected = Buffer.from(expectedSignature, "utf8");
+  if (received.length !== expected.length || !crypto.timingSafeEqual(received, expected)) {
+    throw new EmbedHostProxyInputError("host bootstrap token is invalid", 401);
+  }
+  const payload = fromBase64UrlJson(encodedPayload);
+  if (!payload || typeof payload !== "object") {
+    throw new EmbedHostProxyInputError("host bootstrap token payload is invalid", 401);
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  if (Number(payload.exp || 0) <= now) {
+    throw new EmbedHostProxyInputError("host bootstrap token expired", 401);
+  }
+  return payload;
+}
+function readHostBootstrapContext(request, bootstrap = {}) {
+  const signingSecret = String(bootstrap?.signingSecret || "").trim();
+  const token = readHostBootstrapToken(request);
+  if (!token || !signingSecret) return null;
+  const payload = verifyHostBootstrapToken(token, signingSecret);
+  const requestOrigin = readRequestOrigin(request);
+  const tokenOrigin = normalizeOrigin(payload.origin);
+  if (tokenOrigin && requestOrigin && tokenOrigin !== requestOrigin) {
+    throw new EmbedHostProxyInputError("host bootstrap token origin mismatch", 401);
+  }
+  return {
+    subjectId: String(payload.subjectId || "").trim() || null,
+    email: String(payload.email || "").trim() || null,
+    name: String(payload.name || "").trim() || null,
+    origin: tokenOrigin || null,
+    token
+  };
+}
+function requireHostBootstrapRequest(request, bootstrap = {}) {
+  const allowedApiKeys = Array.isArray(bootstrap?.apiKeys) ? bootstrap.apiKeys.map((entry) => String(entry || "").trim()).filter(Boolean) : [];
+  const signingSecret = String(bootstrap?.signingSecret || "").trim();
+  if (allowedApiKeys.length === 0 || !signingSecret) {
+    throw new EmbedHostProxyNotConfiguredError("Host bootstrap is not configured");
+  }
+  const apiKey = String(request?.headers?.["x-api-key"] || "").trim();
+  if (!apiKey || !allowedApiKeys.includes(apiKey)) {
+    throw new EmbedHostProxyInputError("Invalid host bootstrap api key", 401);
+  }
+  return {
+    apiKey,
+    signingSecret,
+    ttlSeconds: Number.isFinite(Number(bootstrap?.ttlSeconds)) && Number(bootstrap?.ttlSeconds) > 0 ? Math.floor(Number(bootstrap.ttlSeconds)) : 300
+  };
+}
+function buildHostBootstrapResult({
+  subjectId,
+  email,
+  name,
+  origin,
+  signingSecret,
+  ttlSeconds
+}) {
+  const now = Math.floor(Date.now() / 1e3);
+  const expiresIn = Number(ttlSeconds) > 0 ? Math.floor(Number(ttlSeconds)) : 300;
+  const bootstrapToken = issueHostBootstrapToken(
+    {
+      v: 1,
+      type: "host_bootstrap",
+      subjectId: String(subjectId || "").trim(),
+      email: String(email || "").trim(),
+      name: String(name || "").trim(),
+      origin: normalizeOrigin(origin),
+      iat: now,
+      exp: now + expiresIn
+    },
+    signingSecret
+  );
+  return {
+    subjectId: String(subjectId || "").trim(),
+    email: String(email || "").trim(),
+    name: String(name || "").trim() || null,
+    bootstrapToken,
+    expiresIn
+  };
+}
+function isOriginAllowed(origin, allowedOrigins = []) {
+  const normalizedOrigin = normalizeOrigin(origin);
+  if (!normalizedOrigin) return true;
+  const normalizedAllowedOrigins = normalizeAllowedOrigins(allowedOrigins);
+  if (normalizedAllowedOrigins.length === 0) {
+    return true;
+  }
+  return normalizedAllowedOrigins.includes(normalizedOrigin);
+}
+function applyHostApiCorsHeaders(reply, request, allowedOrigins = []) {
+  const origin = readRequestOrigin(request);
+  if (!origin) return;
+  const normalizedAllowedOrigins = normalizeAllowedOrigins(allowedOrigins);
+  if (normalizedAllowedOrigins.length === 0) return;
+  if (!normalizedAllowedOrigins.includes(origin)) return;
+  reply.header("Access-Control-Allow-Origin", origin);
+  reply.header("Vary", "Origin");
+}
+function ensureHostApiOriginAllowed(request, reply, allowedOrigins = []) {
+  const origin = readRequestOrigin(request);
+  if (!origin) return true;
+  if (!isOriginAllowed(origin, allowedOrigins)) {
+    reply.code(403).send({ message: "Origin is not allowed" });
+    return false;
+  }
+  applyHostApiCorsHeaders(reply, request, allowedOrigins);
+  return true;
+}
+function sendHostApiPreflight(request, reply, allowedOrigins = []) {
+  const origin = readRequestOrigin(request);
+  if (origin && !isOriginAllowed(origin, allowedOrigins)) {
+    return reply.code(403).send({ message: "Origin is not allowed" });
+  }
+  applyHostApiCorsHeaders(reply, request, allowedOrigins);
+  const requestedHeaders = String(
+    request?.headers?.["access-control-request-headers"] || ""
+  ).trim();
+  reply.header("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+  reply.header(
+    "Access-Control-Allow-Headers",
+    requestedHeaders || "Content-Type, Authorization, X-Xapps-Host-Bootstrap"
+  );
+  reply.header("Access-Control-Max-Age", "600");
+  return reply.code(204).send();
+}
+function applyNoStoreHeaders(reply, hostProxyService) {
+  const service = requireHostProxyService(hostProxyService);
+  const headers = service.getNoStoreHeaders();
+  reply.header("Cache-Control", headers["Cache-Control"]);
+  reply.header("Pragma", headers.Pragma);
+  reply.header("Expires", headers.Expires);
+  return reply;
+}
+function sendServiceError(request, reply, err, fallbackMessage) {
+  if (err instanceof EmbedHostProxyInputError || err instanceof EmbedHostProxyNotConfiguredError) {
+    return reply.code(err.status).send({ message: err.message });
+  }
+  if (err instanceof GatewayApiClientError) {
+    return reply.code(err.status || 502).send(
+      err.details && typeof err.details === "object" ? err.details : { message: err.message }
+    );
+  }
+  request.log.error({ err }, fallbackMessage);
+  return reply.code(500).send({ message: fallbackMessage });
+}
+export {
+  applyHostApiCorsHeaders,
+  applyNoStoreHeaders,
+  buildHostBootstrapResult,
+  ensureHostApiOriginAllowed,
+  isOriginAllowed,
+  readBodyRecord,
+  readHostBootstrapContext,
+  readRequestOrigin,
+  requireHostBootstrapRequest,
+  requireHostProxyService,
+  sendHostApiPreflight,
+  sendServiceError
+};
+//# sourceMappingURL=shared.js.map

package/dist/backend/routes/gateway/shared.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/backend/routes/gateway/shared.ts"],
+  "sourcesContent": ["// @ts-nocheck\nimport {\n  EmbedHostProxyInputError,\n  EmbedHostProxyNotConfiguredError,\n  GatewayApiClientError,\n} from \"@xapps/server-sdk\";\nimport crypto from \"node:crypto\";\n\nconst HOST_BOOTSTRAP_HEADER = \"x-xapps-host-bootstrap\";\n\nfunction toBase64Url(input) {\n  return Buffer.from(String(input), \"utf8\").toString(\"base64url\");\n}\n\nfunction fromBase64UrlJson(input) {\n  const raw = Buffer.from(String(input || \"\"), \"base64url\").toString(\"utf8\");\n  return JSON.parse(raw);\n}\n\nfunction normalizeOrigin(value) {\n  const raw = String(value || \"\").trim();\n  return raw ? raw.replace(/\\/+$/, \"\") : \"\";\n}\n\nfunction normalizeAllowedOrigins(allowedOrigins = []) {\n  return Array.isArray(allowedOrigins)\n    ? allowedOrigins.map((entry) => normalizeOrigin(entry)).filter(Boolean)\n    : [];\n}\n\nexport function readBodyRecord(value) {\n  return value && typeof value === \"object\" && !Array.isArray(value) ? value : {};\n}\n\nexport function requireHostProxyService(hostProxyService) {\n  if (!hostProxyService || typeof hostProxyService.getHostConfig !== \"function\") {\n    throw new EmbedHostProxyNotConfiguredError(\"Host proxy service is not configured\");\n  }\n  return hostProxyService;\n}\n\nexport function readRequestOrigin(request) {\n  return normalizeOrigin(request?.headers?.origin);\n}\n\nfunction readHostBootstrapToken(request) {\n  return String(request?.headers?.[HOST_BOOTSTRAP_HEADER] || \"\").trim();\n}\n\nfunction issueHostBootstrapToken(payload, signingSecret) {\n  const encodedPayload = toBase64Url(JSON.stringify(payload));\n  const signature = crypto\n    .createHmac(\"sha256\", String(signingSecret))\n    .update(encodedPayload)\n    .digest(\"base64url\");\n  return `${encodedPayload}.${signature}`;\n}\n\nfunction verifyHostBootstrapToken(token, signingSecret) {\n  const parts = String(token || \"\")\n    .trim()\n    .split(\".\");\n  if (parts.length !== 2) {\n    throw new EmbedHostProxyInputError(\"host bootstrap token is malformed\", 401);\n  }\n  const [encodedPayload, receivedSignature] = parts;\n  const expectedSignature = crypto\n    .createHmac(\"sha256\", String(signingSecret))\n    .update(encodedPayload)\n    .digest(\"base64url\");\n  const received = Buffer.from(receivedSignature, \"utf8\");\n  const expected = Buffer.from(expectedSignature, \"utf8\");\n  if (received.length !== expected.length || !crypto.timingSafeEqual(received, expected)) {\n    throw new EmbedHostProxyInputError(\"host bootstrap token is invalid\", 401);\n  }\n  const payload = fromBase64UrlJson(encodedPayload);\n  if (!payload || typeof payload !== \"object\") {\n    throw new EmbedHostProxyInputError(\"host bootstrap token payload is invalid\", 401);\n  }\n  const now = Math.floor(Date.now() / 1000);\n  if (Number(payload.exp || 0) <= now) {\n    throw new EmbedHostProxyInputError(\"host bootstrap token expired\", 401);\n  }\n  return payload;\n}\n\nexport function readHostBootstrapContext(request, bootstrap = {}) {\n  const signingSecret = String(bootstrap?.signingSecret || \"\").trim();\n  const token = readHostBootstrapToken(request);\n  if (!token || !signingSecret) return null;\n  const payload = verifyHostBootstrapToken(token, signingSecret);\n  const requestOrigin = readRequestOrigin(request);\n  const tokenOrigin = normalizeOrigin(payload.origin);\n  if (tokenOrigin && requestOrigin && tokenOrigin !== requestOrigin) {\n    throw new EmbedHostProxyInputError(\"host bootstrap token origin mismatch\", 401);\n  }\n  return {\n    subjectId: String(payload.subjectId || \"\").trim() || null,\n    email: String(payload.email || \"\").trim() || null,\n    name: String(payload.name || \"\").trim() || null,\n    origin: tokenOrigin || null,\n    token,\n  };\n}\n\nexport function requireHostBootstrapRequest(request, bootstrap = {}) {\n  const allowedApiKeys = Array.isArray(bootstrap?.apiKeys)\n    ? bootstrap.apiKeys.map((entry) => String(entry || \"\").trim()).filter(Boolean)\n    : [];\n  const signingSecret = String(bootstrap?.signingSecret || \"\").trim();\n  if (allowedApiKeys.length === 0 || !signingSecret) {\n    throw new EmbedHostProxyNotConfiguredError(\"Host bootstrap is not configured\");\n  }\n  const apiKey = String(request?.headers?.[\"x-api-key\"] || \"\").trim();\n  if (!apiKey || !allowedApiKeys.includes(apiKey)) {\n    throw new EmbedHostProxyInputError(\"Invalid host bootstrap api key\", 401);\n  }\n  return {\n    apiKey,\n    signingSecret,\n    ttlSeconds:\n      Number.isFinite(Number(bootstrap?.ttlSeconds)) && Number(bootstrap?.ttlSeconds) > 0\n        ? Math.floor(Number(bootstrap.ttlSeconds))\n        : 300,\n  };\n}\n\nexport function buildHostBootstrapResult({\n  subjectId,\n  email,\n  name,\n  origin,\n  signingSecret,\n  ttlSeconds,\n}) {\n  const now = Math.floor(Date.now() / 1000);\n  const expiresIn = Number(ttlSeconds) > 0 ? Math.floor(Number(ttlSeconds)) : 300;\n  const bootstrapToken = issueHostBootstrapToken(\n    {\n      v: 1,\n      type: \"host_bootstrap\",\n      subjectId: String(subjectId || \"\").trim(),\n      email: String(email || \"\").trim(),\n      name: String(name || \"\").trim(),\n      origin: normalizeOrigin(origin),\n      iat: now,\n      exp: now + expiresIn,\n    },\n    signingSecret,\n  );\n  return {\n    subjectId: String(subjectId || \"\").trim(),\n    email: String(email || \"\").trim(),\n    name: String(name || \"\").trim() || null,\n    bootstrapToken,\n    expiresIn,\n  };\n}\n\nexport function isOriginAllowed(origin, allowedOrigins = []) {\n  const normalizedOrigin = normalizeOrigin(origin);\n  if (!normalizedOrigin) return true;\n  const normalizedAllowedOrigins = normalizeAllowedOrigins(allowedOrigins);\n  if (normalizedAllowedOrigins.length === 0) {\n    return true;\n  }\n  return normalizedAllowedOrigins.includes(normalizedOrigin);\n}\n\nexport function applyHostApiCorsHeaders(reply, request, allowedOrigins = []) {\n  const origin = readRequestOrigin(request);\n  if (!origin) return;\n  const normalizedAllowedOrigins = normalizeAllowedOrigins(allowedOrigins);\n  if (normalizedAllowedOrigins.length === 0) return;\n  if (!normalizedAllowedOrigins.includes(origin)) return;\n  reply.header(\"Access-Control-Allow-Origin\", origin);\n  reply.header(\"Vary\", \"Origin\");\n}\n\nexport function ensureHostApiOriginAllowed(request, reply, allowedOrigins = []) {\n  const origin = readRequestOrigin(request);\n  if (!origin) return true;\n  if (!isOriginAllowed(origin, allowedOrigins)) {\n    reply.code(403).send({ message: \"Origin is not allowed\" });\n    return false;\n  }\n  applyHostApiCorsHeaders(reply, request, allowedOrigins);\n  return true;\n}\n\nexport function sendHostApiPreflight(request, reply, allowedOrigins = []) {\n  const origin = readRequestOrigin(request);\n  if (origin && !isOriginAllowed(origin, allowedOrigins)) {\n    return reply.code(403).send({ message: \"Origin is not allowed\" });\n  }\n  applyHostApiCorsHeaders(reply, request, allowedOrigins);\n  const requestedHeaders = String(\n    request?.headers?.[\"access-control-request-headers\"] || \"\",\n  ).trim();\n  reply.header(\"Access-Control-Allow-Methods\", \"GET, POST, OPTIONS\");\n  reply.header(\n    \"Access-Control-Allow-Headers\",\n    requestedHeaders || \"Content-Type, Authorization, X-Xapps-Host-Bootstrap\",\n  );\n  reply.header(\"Access-Control-Max-Age\", \"600\");\n  return reply.code(204).send();\n}\n\nexport function applyNoStoreHeaders(reply, hostProxyService) {\n  const service = requireHostProxyService(hostProxyService);\n  const headers = service.getNoStoreHeaders();\n  reply.header(\"Cache-Control\", headers[\"Cache-Control\"]);\n  reply.header(\"Pragma\", headers.Pragma);\n  reply.header(\"Expires\", headers.Expires);\n  return reply;\n}\n\nexport function sendServiceError(request, reply, err, fallbackMessage) {\n  if (err instanceof EmbedHostProxyInputError || err instanceof EmbedHostProxyNotConfiguredError) {\n    return reply.code(err.status).send({ message: err.message });\n  }\n  if (err instanceof GatewayApiClientError) {\n    return reply\n      .code(err.status || 502)\n      .send(\n        err.details && typeof err.details === \"object\" ? err.details : { message: err.message },\n      );\n  }\n  request.log.error({ err }, fallbackMessage);\n  return reply.code(500).send({ message: fallbackMessage });\n}\n"],
+  "mappings": "AACA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,OAAO,YAAY;AAEnB,MAAM,wBAAwB;AAE9B,SAAS,YAAY,OAAO;AAC1B,SAAO,OAAO,KAAK,OAAO,KAAK,GAAG,MAAM,EAAE,SAAS,WAAW;AAChE;AAEA,SAAS,kBAAkB,OAAO;AAChC,QAAM,MAAM,OAAO,KAAK,OAAO,SAAS,EAAE,GAAG,WAAW,EAAE,SAAS,MAAM;AACzE,SAAO,KAAK,MAAM,GAAG;AACvB;AAEA,SAAS,gBAAgB,OAAO;AAC9B,QAAM,MAAM,OAAO,SAAS,EAAE,EAAE,KAAK;AACrC,SAAO,MAAM,IAAI,QAAQ,QAAQ,EAAE,IAAI;AACzC;AAEA,SAAS,wBAAwB,iBAAiB,CAAC,GAAG;AACpD,SAAO,MAAM,QAAQ,cAAc,IAC/B,eAAe,IAAI,CAAC,UAAU,gBAAgB,KAAK,CAAC,EAAE,OAAO,OAAO,IACpE,CAAC;AACP;AAEO,SAAS,eAAe,OAAO;AACpC,SAAO,SAAS,OAAO,UAAU,YAAY,CAAC,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC;AAChF;AAEO,SAAS,wBAAwB,kBAAkB;AACxD,MAAI,CAAC,oBAAoB,OAAO,iBAAiB,kBAAkB,YAAY;AAC7E,UAAM,IAAI,iCAAiC,sCAAsC;AAAA,EACnF;AACA,SAAO;AACT;AAEO,SAAS,kBAAkB,SAAS;AACzC,SAAO,gBAAgB,SAAS,SAAS,MAAM;AACjD;AAEA,SAAS,uBAAuB,SAAS;AACvC,SAAO,OAAO,SAAS,UAAU,qBAAqB,KAAK,EAAE,EAAE,KAAK;AACtE;AAEA,SAAS,wBAAwB,SAAS,eAAe;AACvD,QAAM,iBAAiB,YAAY,KAAK,UAAU,OAAO,CAAC;AAC1D,QAAM,YAAY,OACf,WAAW,UAAU,OAAO,aAAa,CAAC,EAC1C,OAAO,cAAc,EACrB,OAAO,WAAW;AACrB,SAAO,GAAG,cAAc,IAAI,SAAS;AACvC;AAEA,SAAS,yBAAyB,OAAO,eAAe;AACtD,QAAM,QAAQ,OAAO,SAAS,EAAE,EAC7B,KAAK,EACL,MAAM,GAAG;AACZ,MAAI,MAAM,WAAW,GAAG;AACtB,UAAM,IAAI,yBAAyB,qCAAqC,GAAG;AAAA,EAC7E;AACA,QAAM,CAAC,gBAAgB,iBAAiB,IAAI;AAC5C,QAAM,oBAAoB,OACvB,WAAW,UAAU,OAAO,aAAa,CAAC,EAC1C,OAAO,cAAc,EACrB,OAAO,WAAW;AACrB,QAAM,WAAW,OAAO,KAAK,mBAAmB,MAAM;AACtD,QAAM,WAAW,OAAO,KAAK,mBAAmB,MAAM;AACtD,MAAI,SAAS,WAAW,SAAS,UAAU,CAAC,OAAO,gBAAgB,UAAU,QAAQ,GAAG;AACtF,UAAM,IAAI,yBAAyB,mCAAmC,GAAG;AAAA,EAC3E;AACA,QAAM,UAAU,kBAAkB,cAAc;AAChD,MAAI,CAAC,WAAW,OAAO,YAAY,UAAU;AAC3C,UAAM,IAAI,yBAAyB,2CAA2C,GAAG;AAAA,EACnF;AACA,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,MAAI,OAAO,QAAQ,OAAO,CAAC,KAAK,KAAK;AACnC,UAAM,IAAI,yBAAyB,gCAAgC,GAAG;AAAA,EACxE;AACA,SAAO;AACT;AAEO,SAAS,yBAAyB,SAAS,YAAY,CAAC,GAAG;AAChE,QAAM,gBAAgB,OAAO,WAAW,iBAAiB,EAAE,EAAE,KAAK;AAClE,QAAM,QAAQ,uBAAuB,OAAO;AAC5C,MAAI,CAAC,SAAS,CAAC,cAAe,QAAO;AACrC,QAAM,UAAU,yBAAyB,OAAO,aAAa;AAC7D,QAAM,gBAAgB,kBAAkB,OAAO;AAC/C,QAAM,cAAc,gBAAgB,QAAQ,MAAM;AAClD,MAAI,eAAe,iBAAiB,gBAAgB,eAAe;AACjE,UAAM,IAAI,yBAAyB,wCAAwC,GAAG;AAAA,EAChF;AACA,SAAO;AAAA,IACL,WAAW,OAAO,QAAQ,aAAa,EAAE,EAAE,KAAK,KAAK;AAAA,IACrD,OAAO,OAAO,QAAQ,SAAS,EAAE,EAAE,KAAK,KAAK;AAAA,IAC7C,MAAM,OAAO,QAAQ,QAAQ,EAAE,EAAE,KAAK,KAAK;AAAA,IAC3C,QAAQ,eAAe;AAAA,IACvB;AAAA,EACF;AACF;AAEO,SAAS,4BAA4B,SAAS,YAAY,CAAC,GAAG;AACnE,QAAM,iBAAiB,MAAM,QAAQ,WAAW,OAAO,IACnD,UAAU,QAAQ,IAAI,CAAC,UAAU,OAAO,SAAS,EAAE,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO,IAC3E,CAAC;AACL,QAAM,gBAAgB,OAAO,WAAW,iBAAiB,EAAE,EAAE,KAAK;AAClE,MAAI,eAAe,WAAW,KAAK,CAAC,eAAe;AACjD,UAAM,IAAI,iCAAiC,kCAAkC;AAAA,EAC/E;AACA,QAAM,SAAS,OAAO,SAAS,UAAU,WAAW,KAAK,EAAE,EAAE,KAAK;AAClE,MAAI,CAAC,UAAU,CAAC,eAAe,SAAS,MAAM,GAAG;AAC/C,UAAM,IAAI,yBAAyB,kCAAkC,GAAG;AAAA,EAC1E;AACA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,YACE,OAAO,SAAS,OAAO,WAAW,UAAU,CAAC,KAAK,OAAO,WAAW,UAAU,IAAI,IAC9E,KAAK,MAAM,OAAO,UAAU,UAAU,CAAC,IACvC;AAAA,EACR;AACF;AAEO,SAAS,yBAAyB;AAAA,EACvC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,GAAG;AACD,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,QAAM,YAAY,OAAO,UAAU,IAAI,IAAI,KAAK,MAAM,OAAO,UAAU,CAAC,IAAI;AAC5E,QAAM,iBAAiB;AAAA,IACrB;AAAA,MACE,GAAG;AAAA,MACH,MAAM;AAAA,MACN,WAAW,OAAO,aAAa,EAAE,EAAE,KAAK;AAAA,MACxC,OAAO,OAAO,SAAS,EAAE,EAAE,KAAK;AAAA,MAChC,MAAM,OAAO,QAAQ,EAAE,EAAE,KAAK;AAAA,MAC9B,QAAQ,gBAAgB,MAAM;AAAA,MAC9B,KAAK;AAAA,MACL,KAAK,MAAM;AAAA,IACb;AAAA,IACA;AAAA,EACF;AACA,SAAO;AAAA,IACL,WAAW,OAAO,aAAa,EAAE,EAAE,KAAK;AAAA,IACxC,OAAO,OAAO,SAAS,EAAE,EAAE,KAAK;AAAA,IAChC,MAAM,OAAO,QAAQ,EAAE,EAAE,KAAK,KAAK;AAAA,IACnC;AAAA,IACA;AAAA,EACF;AACF;AAEO,SAAS,gBAAgB,QAAQ,iBAAiB,CAAC,GAAG;AAC3D,QAAM,mBAAmB,gBAAgB,MAAM;AAC/C,MAAI,CAAC,iBAAkB,QAAO;AAC9B,QAAM,2BAA2B,wBAAwB,cAAc;AACvE,MAAI,yBAAyB,WAAW,GAAG;AACzC,WAAO;AAAA,EACT;AACA,SAAO,yBAAyB,SAAS,gBAAgB;AAC3D;AAEO,SAAS,wBAAwB,OAAO,SAAS,iBAAiB,CAAC,GAAG;AAC3E,QAAM,SAAS,kBAAkB,OAAO;AACxC,MAAI,CAAC,OAAQ;AACb,QAAM,2BAA2B,wBAAwB,cAAc;AACvE,MAAI,yBAAyB,WAAW,EAAG;AAC3C,MAAI,CAAC,yBAAyB,SAAS,MAAM,EAAG;AAChD,QAAM,OAAO,+BAA+B,MAAM;AAClD,QAAM,OAAO,QAAQ,QAAQ;AAC/B;AAEO,SAAS,2BAA2B,SAAS,OAAO,iBAAiB,CAAC,GAAG;AAC9E,QAAM,SAAS,kBAAkB,OAAO;AACxC,MAAI,CAAC,OAAQ,QAAO;AACpB,MAAI,CAAC,gBAAgB,QAAQ,cAAc,GAAG;AAC5C,UAAM,KAAK,GAAG,EAAE,KAAK,EAAE,SAAS,wBAAwB,CAAC;AACzD,WAAO;AAAA,EACT;AACA,0BAAwB,OAAO,SAAS,cAAc;AACtD,SAAO;AACT;AAEO,SAAS,qBAAqB,SAAS,OAAO,iBAAiB,CAAC,GAAG;AACxE,QAAM,SAAS,kBAAkB,OAAO;AACxC,MAAI,UAAU,CAAC,gBAAgB,QAAQ,cAAc,GAAG;AACtD,WAAO,MAAM,KAAK,GAAG,EAAE,KAAK,EAAE,SAAS,wBAAwB,CAAC;AAAA,EAClE;AACA,0BAAwB,OAAO,SAAS,cAAc;AACtD,QAAM,mBAAmB;AAAA,IACvB,SAAS,UAAU,gCAAgC,KAAK;AAAA,EAC1D,EAAE,KAAK;AACP,QAAM,OAAO,gCAAgC,oBAAoB;AACjE,QAAM;AAAA,IACJ;AAAA,IACA,oBAAoB;AAAA,EACtB;AACA,QAAM,OAAO,0BAA0B,KAAK;AAC5C,SAAO,MAAM,KAAK,GAAG,EAAE,KAAK;AAC9B;AAEO,SAAS,oBAAoB,OAAO,kBAAkB;AAC3D,QAAM,UAAU,wBAAwB,gBAAgB;AACxD,QAAM,UAAU,QAAQ,kBAAkB;AAC1C,QAAM,OAAO,iBAAiB,QAAQ,eAAe,CAAC;AACtD,QAAM,OAAO,UAAU,QAAQ,MAAM;AACrC,QAAM,OAAO,WAAW,QAAQ,OAAO;AACvC,SAAO;AACT;AAEO,SAAS,iBAAiB,SAAS,OAAO,KAAK,iBAAiB;AACrE,MAAI,eAAe,4BAA4B,eAAe,kCAAkC;AAC9F,WAAO,MAAM,KAAK,IAAI,MAAM,EAAE,KAAK,EAAE,SAAS,IAAI,QAAQ,CAAC;AAAA,EAC7D;AACA,MAAI,eAAe,uBAAuB;AACxC,WAAO,MACJ,KAAK,IAAI,UAAU,GAAG,EACtB;AAAA,MACC,IAAI,WAAW,OAAO,IAAI,YAAY,WAAW,IAAI,UAAU,EAAE,SAAS,IAAI,QAAQ;AAAA,IACxF;AAAA,EACJ;AACA,UAAQ,IAAI,MAAM,EAAE,IAAI,GAAG,eAAe;AAC1C,SAAO,MAAM,KAAK,GAAG,EAAE,KAAK,EAAE,SAAS,gBAAgB,CAAC;AAC1D;",
+  "names": []
+}

package/dist/backend/routes/gateway/subjectProfiles.d.ts

@@ -0,0 +1,2 @@
+export default function subjectProfileRoutes(fastify: any, options?: {}): Promise<void>;
+//# sourceMappingURL=subjectProfiles.d.ts.map

package/dist/backend/routes/gateway/subjectProfiles.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"subjectProfiles.d.ts","sourceRoot":"","sources":["../../../../src/backend/routes/gateway/subjectProfiles.ts"],"names":[],"mappings":"AAyKA,wBAA8B,oBAAoB,CAAC,OAAO,KAAA,EAAE,OAAO,KAAK,iBAMvE"}

package/dist/backend/routes/gateway/subjectProfiles.js

@@ -0,0 +1,150 @@
+function asObject(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : {};
+}
+function asArray(value) {
+  return Array.isArray(value) ? value : [];
+}
+function readBool(value) {
+  if (typeof value === "boolean") return value;
+  return ["1", "true", "yes", "y", "on"].includes(
+    String(value ?? "").trim().toLowerCase()
+  );
+}
+function readString(...values) {
+  for (const value of values) {
+    const normalized = String(value ?? "").trim();
+    if (normalized) return normalized;
+  }
+  return "";
+}
+function readCatalogProfiles(rawCatalog) {
+  if (!rawCatalog) return [];
+  try {
+    const parsed = JSON.parse(rawCatalog);
+    if (Array.isArray(parsed)) return parsed;
+    const root = asObject(parsed);
+    const directProfiles = [...asArray(root.profiles), ...asArray(root.items)];
+    const scoped = [];
+    const bySubject = asObject(root.by_subject || root.bySubject || root.subjects);
+    for (const [subjectId, value] of Object.entries(bySubject)) {
+      for (const entry of asArray(value)) {
+        scoped.push({
+          ...asObject(entry) || {},
+          subject_id: readString(asObject(entry).subject_id, asObject(entry).subjectId, subjectId)
+        });
+      }
+    }
+    return [...directProfiles, ...scoped];
+  } catch {
+    return [];
+  }
+}
+function normalizeSubjectProfileCandidate(raw, index, requestedFamily, workspace) {
+  const record = asObject(raw);
+  const nestedData = asObject(
+    record.data ?? record.profile ?? record.customerProfile ?? record.customer_profile
+  );
+  const inferredFamily = readString(record.profile_family, record.profileFamily, nestedData.profile_family) || (() => {
+    const hasBusinessIdentity = readString(
+      nestedData.company_name,
+      nestedData.companyName,
+      nestedData.company_identification_number,
+      nestedData.vat_code,
+      nestedData.company_registration_number
+    );
+    if (hasBusinessIdentity) return "billing_business";
+    const hasIdentityOnly = readString(nestedData.name, nestedData.email, nestedData.phone) && !readString(nestedData.address, nestedData.city, nestedData.country);
+    return hasIdentityOnly ? "identity_basic" : "billing_individual";
+  })();
+  const data = Object.keys(nestedData).length > 0 ? { ...nestedData, profile_family: inferredFamily } : {
+    profile_family: inferredFamily,
+    company_name: readString(record.company_name, record.companyName) || null,
+    company_identification_number: readString(record.company_identification_number) || null,
+    vat_code: readString(record.vat_code) || null,
+    company_registration_number: readString(record.company_registration_number) || null,
+    address: readString(record.address) || null,
+    city: readString(record.city) || null,
+    country: readString(record.country) || null,
+    email: readString(record.email) || null,
+    phone: readString(record.phone) || null,
+    name: readString(record.name) || null,
+    linked_profiles: asArray(record.linked_profiles || record.linkedProfiles)
+  };
+  const candidate = {
+    id: readString(record.id, record.profile_id, record.profileId) || `${workspace}_profile_${index + 1}`,
+    label: readString(
+      record.label,
+      record.profile_label,
+      record.profileLabel,
+      data.company_name,
+      data.name
+    ) || `${workspace} profile ${index + 1}`,
+    profile_family: inferredFamily,
+    is_default: readBool(record.is_default ?? record.isDefault) || index === 0,
+    data,
+    subject_id: readString(record.subject_id, record.subjectId) || null
+  };
+  if (requestedFamily && candidate.profile_family !== requestedFamily) return null;
+  return candidate;
+}
+async function buildSubjectProfileCandidateEnvelope(payload, options = {}) {
+  const guardContext = asObject(payload.guard_context || payload.guardContext);
+  const subjectId = readString(payload.subjectId, payload.subject_id, guardContext.subjectId);
+  const requestedFamily = readString(payload.profile_family, payload.profileFamily) || null;
+  const xappSlug = readString(payload.xapp_slug, payload.xappSlug);
+  const toolName = readString(payload.tool_name, payload.toolName);
+  const workspace = readString(options.workspace) || "tenant";
+  const source = readString(options.source) || "tenant_subject_profile";
+  const configuredProfiles = readCatalogProfiles(readString(options.catalogJson));
+  let resolvedProfiles = [];
+  if (typeof options.resolveCandidates === "function") {
+    const resolved = await options.resolveCandidates({
+      payload,
+      subjectId: subjectId || null,
+      requestedFamily,
+      xappSlug: xappSlug || null,
+      toolName: toolName || null
+    });
+    resolvedProfiles = Array.isArray(resolved) ? resolved : [];
+  }
+  const providedDefaultProfiles = Array.isArray(options.defaultProfiles) ? options.defaultProfiles : [];
+  const effectiveCatalog = resolvedProfiles.length > 0 ? resolvedProfiles : configuredProfiles.length > 0 ? configuredProfiles : providedDefaultProfiles;
+  const profiles = effectiveCatalog.map(
+    (entry, index) => normalizeSubjectProfileCandidate(entry, index, requestedFamily, workspace)
+  ).filter(Boolean).filter((entry) => {
+    const scopedSubjectId = readString(entry.subject_id);
+    return !subjectId || !scopedSubjectId || scopedSubjectId === subjectId;
+  });
+  const selected = profiles.find((entry) => entry.is_default) || profiles[0] || null;
+  return {
+    ok: true,
+    selected_profile_id: selected?.id || null,
+    profiles: profiles.map((entry) => {
+      const { subject_id, ...rest } = entry;
+      void subject_id;
+      return rest;
+    }),
+    source,
+    metadata: {
+      workspace,
+      subject_id: subjectId || null,
+      requested_family: requestedFamily,
+      xapp_slug: xappSlug || null,
+      tool_name: toolName || null,
+      profile_count: profiles.length,
+      configured_catalog: configuredProfiles.length > 0,
+      default_catalog: configuredProfiles.length === 0 && providedDefaultProfiles.length > 0
+    }
+  };
+}
+async function subjectProfileRoutes(fastify, options = {}) {
+  fastify.post("/guard/subject-profiles/tenant-candidates", async (request, reply) => {
+    const body = request.body && typeof request.body === "object" ? request.body : {};
+    const payload = body.payload && typeof body.payload === "object" ? body.payload : body;
+    return reply.send(await buildSubjectProfileCandidateEnvelope(payload, options));
+  });
+}
+export {
+  subjectProfileRoutes as default
+};
+//# sourceMappingURL=subjectProfiles.js.map

package/dist/backend/routes/gateway/subjectProfiles.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/backend/routes/gateway/subjectProfiles.ts"],
+  "sourcesContent": ["// @ts-nocheck\nfunction asObject(value) {\n  return value && typeof value === \"object\" && !Array.isArray(value) ? value : {};\n}\n\nfunction asArray(value) {\n  return Array.isArray(value) ? value : [];\n}\n\nfunction readBool(value) {\n  if (typeof value === \"boolean\") return value;\n  return [\"1\", \"true\", \"yes\", \"y\", \"on\"].includes(\n    String(value ?? \"\")\n      .trim()\n      .toLowerCase(),\n  );\n}\n\nfunction readString(...values) {\n  for (const value of values) {\n    const normalized = String(value ?? \"\").trim();\n    if (normalized) return normalized;\n  }\n  return \"\";\n}\n\nfunction readCatalogProfiles(rawCatalog) {\n  if (!rawCatalog) return [];\n  try {\n    const parsed = JSON.parse(rawCatalog);\n    if (Array.isArray(parsed)) return parsed;\n    const root = asObject(parsed);\n    const directProfiles = [...asArray(root.profiles), ...asArray(root.items)];\n    const scoped = [];\n    const bySubject = asObject(root.by_subject || root.bySubject || root.subjects);\n    for (const [subjectId, value] of Object.entries(bySubject)) {\n      for (const entry of asArray(value)) {\n        scoped.push({\n          ...(asObject(entry) || {}),\n          subject_id: readString(asObject(entry).subject_id, asObject(entry).subjectId, subjectId),\n        });\n      }\n    }\n    return [...directProfiles, ...scoped];\n  } catch {\n    return [];\n  }\n}\n\nfunction normalizeSubjectProfileCandidate(raw, index, requestedFamily, workspace) {\n  const record = asObject(raw);\n  const nestedData = asObject(\n    record.data ?? record.profile ?? record.customerProfile ?? record.customer_profile,\n  );\n  const inferredFamily =\n    readString(record.profile_family, record.profileFamily, nestedData.profile_family) ||\n    (() => {\n      const hasBusinessIdentity = readString(\n        nestedData.company_name,\n        nestedData.companyName,\n        nestedData.company_identification_number,\n        nestedData.vat_code,\n        nestedData.company_registration_number,\n      );\n      if (hasBusinessIdentity) return \"billing_business\";\n      const hasIdentityOnly =\n        readString(nestedData.name, nestedData.email, nestedData.phone) &&\n        !readString(nestedData.address, nestedData.city, nestedData.country);\n      return hasIdentityOnly ? \"identity_basic\" : \"billing_individual\";\n    })();\n  const data =\n    Object.keys(nestedData).length > 0\n      ? { ...nestedData, profile_family: inferredFamily }\n      : {\n          profile_family: inferredFamily,\n          company_name: readString(record.company_name, record.companyName) || null,\n          company_identification_number: readString(record.company_identification_number) || null,\n          vat_code: readString(record.vat_code) || null,\n          company_registration_number: readString(record.company_registration_number) || null,\n          address: readString(record.address) || null,\n          city: readString(record.city) || null,\n          country: readString(record.country) || null,\n          email: readString(record.email) || null,\n          phone: readString(record.phone) || null,\n          name: readString(record.name) || null,\n          linked_profiles: asArray(record.linked_profiles || record.linkedProfiles),\n        };\n  const candidate = {\n    id:\n      readString(record.id, record.profile_id, record.profileId) ||\n      `${workspace}_profile_${index + 1}`,\n    label:\n      readString(\n        record.label,\n        record.profile_label,\n        record.profileLabel,\n        data.company_name,\n        data.name,\n      ) || `${workspace} profile ${index + 1}`,\n    profile_family: inferredFamily,\n    is_default: readBool(record.is_default ?? record.isDefault) || index === 0,\n    data,\n    subject_id: readString(record.subject_id, record.subjectId) || null,\n  };\n  if (requestedFamily && candidate.profile_family !== requestedFamily) return null;\n  return candidate;\n}\n\nasync function buildSubjectProfileCandidateEnvelope(payload, options = {}) {\n  const guardContext = asObject(payload.guard_context || payload.guardContext);\n  const subjectId = readString(payload.subjectId, payload.subject_id, guardContext.subjectId);\n  const requestedFamily = readString(payload.profile_family, payload.profileFamily) || null;\n  const xappSlug = readString(payload.xapp_slug, payload.xappSlug);\n  const toolName = readString(payload.tool_name, payload.toolName);\n  const workspace = readString(options.workspace) || \"tenant\";\n  const source = readString(options.source) || \"tenant_subject_profile\";\n  const configuredProfiles = readCatalogProfiles(readString(options.catalogJson));\n  let resolvedProfiles = [];\n  if (typeof options.resolveCandidates === \"function\") {\n    const resolved = await options.resolveCandidates({\n      payload,\n      subjectId: subjectId || null,\n      requestedFamily,\n      xappSlug: xappSlug || null,\n      toolName: toolName || null,\n    });\n    resolvedProfiles = Array.isArray(resolved) ? resolved : [];\n  }\n  const providedDefaultProfiles = Array.isArray(options.defaultProfiles)\n    ? options.defaultProfiles\n    : [];\n  const effectiveCatalog =\n    resolvedProfiles.length > 0\n      ? resolvedProfiles\n      : configuredProfiles.length > 0\n        ? configuredProfiles\n        : providedDefaultProfiles;\n  const profiles = effectiveCatalog\n    .map((entry, index) =>\n      normalizeSubjectProfileCandidate(entry, index, requestedFamily, workspace),\n    )\n    .filter(Boolean)\n    .filter((entry) => {\n      const scopedSubjectId = readString(entry.subject_id);\n      return !subjectId || !scopedSubjectId || scopedSubjectId === subjectId;\n    });\n  const selected = profiles.find((entry) => entry.is_default) || profiles[0] || null;\n  return {\n    ok: true,\n    selected_profile_id: selected?.id || null,\n    profiles: profiles.map((entry) => {\n      const { subject_id, ...rest } = entry;\n      void subject_id;\n      return rest;\n    }),\n    source,\n    metadata: {\n      workspace,\n      subject_id: subjectId || null,\n      requested_family: requestedFamily,\n      xapp_slug: xappSlug || null,\n      tool_name: toolName || null,\n      profile_count: profiles.length,\n      configured_catalog: configuredProfiles.length > 0,\n      default_catalog: configuredProfiles.length === 0 && providedDefaultProfiles.length > 0,\n    },\n  };\n}\n\nexport default async function subjectProfileRoutes(fastify, options = {}) {\n  fastify.post(\"/guard/subject-profiles/tenant-candidates\", async (request, reply) => {\n    const body = request.body && typeof request.body === \"object\" ? request.body : {};\n    const payload = body.payload && typeof body.payload === \"object\" ? body.payload : body;\n    return reply.send(await buildSubjectProfileCandidateEnvelope(payload, options));\n  });\n}\n"],
+  "mappings": "AACA,SAAS,SAAS,OAAO;AACvB,SAAO,SAAS,OAAO,UAAU,YAAY,CAAC,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC;AAChF;AAEA,SAAS,QAAQ,OAAO;AACtB,SAAO,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC;AACzC;AAEA,SAAS,SAAS,OAAO;AACvB,MAAI,OAAO,UAAU,UAAW,QAAO;AACvC,SAAO,CAAC,KAAK,QAAQ,OAAO,KAAK,IAAI,EAAE;AAAA,IACrC,OAAO,SAAS,EAAE,EACf,KAAK,EACL,YAAY;AAAA,EACjB;AACF;AAEA,SAAS,cAAc,QAAQ;AAC7B,aAAW,SAAS,QAAQ;AAC1B,UAAM,aAAa,OAAO,SAAS,EAAE,EAAE,KAAK;AAC5C,QAAI,WAAY,QAAO;AAAA,EACzB;AACA,SAAO;AACT;AAEA,SAAS,oBAAoB,YAAY;AACvC,MAAI,CAAC,WAAY,QAAO,CAAC;AACzB,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,UAAU;AACpC,QAAI,MAAM,QAAQ,MAAM,EAAG,QAAO;AAClC,UAAM,OAAO,SAAS,MAAM;AAC5B,UAAM,iBAAiB,CAAC,GAAG,QAAQ,KAAK,QAAQ,GAAG,GAAG,QAAQ,KAAK,KAAK,CAAC;AACzE,UAAM,SAAS,CAAC;AAChB,UAAM,YAAY,SAAS,KAAK,cAAc,KAAK,aAAa,KAAK,QAAQ;AAC7E,eAAW,CAAC,WAAW,KAAK,KAAK,OAAO,QAAQ,SAAS,GAAG;AAC1D,iBAAW,SAAS,QAAQ,KAAK,GAAG;AAClC,eAAO,KAAK;AAAA,UACV,GAAI,SAAS,KAAK,KAAK,CAAC;AAAA,UACxB,YAAY,WAAW,SAAS,KAAK,EAAE,YAAY,SAAS,KAAK,EAAE,WAAW,SAAS;AAAA,QACzF,CAAC;AAAA,MACH;AAAA,IACF;AACA,WAAO,CAAC,GAAG,gBAAgB,GAAG,MAAM;AAAA,EACtC,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAEA,SAAS,iCAAiC,KAAK,OAAO,iBAAiB,WAAW;AAChF,QAAM,SAAS,SAAS,GAAG;AAC3B,QAAM,aAAa;AAAA,IACjB,OAAO,QAAQ,OAAO,WAAW,OAAO,mBAAmB,OAAO;AAAA,EACpE;AACA,QAAM,iBACJ,WAAW,OAAO,gBAAgB,OAAO,eAAe,WAAW,cAAc,MAChF,MAAM;AACL,UAAM,sBAAsB;AAAA,MAC1B,WAAW;AAAA,MACX,WAAW;AAAA,MACX,WAAW;AAAA,MACX,WAAW;AAAA,MACX,WAAW;AAAA,IACb;AACA,QAAI,oBAAqB,QAAO;AAChC,UAAM,kBACJ,WAAW,WAAW,MAAM,WAAW,OAAO,WAAW,KAAK,KAC9D,CAAC,WAAW,WAAW,SAAS,WAAW,MAAM,WAAW,OAAO;AACrE,WAAO,kBAAkB,mBAAmB;AAAA,EAC9C,GAAG;AACL,QAAM,OACJ,OAAO,KAAK,UAAU,EAAE,SAAS,IAC7B,EAAE,GAAG,YAAY,gBAAgB,eAAe,IAChD;AAAA,IACE,gBAAgB;AAAA,IAChB,cAAc,WAAW,OAAO,cAAc,OAAO,WAAW,KAAK;AAAA,IACrE,+BAA+B,WAAW,OAAO,6BAA6B,KAAK;AAAA,IACnF,UAAU,WAAW,OAAO,QAAQ,KAAK;AAAA,IACzC,6BAA6B,WAAW,OAAO,2BAA2B,KAAK;AAAA,IAC/E,SAAS,WAAW,OAAO,OAAO,KAAK;AAAA,IACvC,MAAM,WAAW,OAAO,IAAI,KAAK;AAAA,IACjC,SAAS,WAAW,OAAO,OAAO,KAAK;AAAA,IACvC,OAAO,WAAW,OAAO,KAAK,KAAK;AAAA,IACnC,OAAO,WAAW,OAAO,KAAK,KAAK;AAAA,IACnC,MAAM,WAAW,OAAO,IAAI,KAAK;AAAA,IACjC,iBAAiB,QAAQ,OAAO,mBAAmB,OAAO,cAAc;AAAA,EAC1E;AACN,QAAM,YAAY;AAAA,IAChB,IACE,WAAW,OAAO,IAAI,OAAO,YAAY,OAAO,SAAS,KACzD,GAAG,SAAS,YAAY,QAAQ,CAAC;AAAA,IACnC,OACE;AAAA,MACE,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,MACP,KAAK;AAAA,MACL,KAAK;AAAA,IACP,KAAK,GAAG,SAAS,YAAY,QAAQ,CAAC;AAAA,IACxC,gBAAgB;AAAA,IAChB,YAAY,SAAS,OAAO,cAAc,OAAO,SAAS,KAAK,UAAU;AAAA,IACzE;AAAA,IACA,YAAY,WAAW,OAAO,YAAY,OAAO,SAAS,KAAK;AAAA,EACjE;AACA,MAAI,mBAAmB,UAAU,mBAAmB,gBAAiB,QAAO;AAC5E,SAAO;AACT;AAEA,eAAe,qCAAqC,SAAS,UAAU,CAAC,GAAG;AACzE,QAAM,eAAe,SAAS,QAAQ,iBAAiB,QAAQ,YAAY;AAC3E,QAAM,YAAY,WAAW,QAAQ,WAAW,QAAQ,YAAY,aAAa,SAAS;AAC1F,QAAM,kBAAkB,WAAW,QAAQ,gBAAgB,QAAQ,aAAa,KAAK;AACrF,QAAM,WAAW,WAAW,QAAQ,WAAW,QAAQ,QAAQ;AAC/D,QAAM,WAAW,WAAW,QAAQ,WAAW,QAAQ,QAAQ;AAC/D,QAAM,YAAY,WAAW,QAAQ,SAAS,KAAK;AACnD,QAAM,SAAS,WAAW,QAAQ,MAAM,KAAK;AAC7C,QAAM,qBAAqB,oBAAoB,WAAW,QAAQ,WAAW,CAAC;AAC9E,MAAI,mBAAmB,CAAC;AACxB,MAAI,OAAO,QAAQ,sBAAsB,YAAY;AACnD,UAAM,WAAW,MAAM,QAAQ,kBAAkB;AAAA,MAC/C;AAAA,MACA,WAAW,aAAa;AAAA,MACxB;AAAA,MACA,UAAU,YAAY;AAAA,MACtB,UAAU,YAAY;AAAA,IACxB,CAAC;AACD,uBAAmB,MAAM,QAAQ,QAAQ,IAAI,WAAW,CAAC;AAAA,EAC3D;AACA,QAAM,0BAA0B,MAAM,QAAQ,QAAQ,eAAe,IACjE,QAAQ,kBACR,CAAC;AACL,QAAM,mBACJ,iBAAiB,SAAS,IACtB,mBACA,mBAAmB,SAAS,IAC1B,qBACA;AACR,QAAM,WAAW,iBACd;AAAA,IAAI,CAAC,OAAO,UACX,iCAAiC,OAAO,OAAO,iBAAiB,SAAS;AAAA,EAC3E,EACC,OAAO,OAAO,EACd,OAAO,CAAC,UAAU;AACjB,UAAM,kBAAkB,WAAW,MAAM,UAAU;AACnD,WAAO,CAAC,aAAa,CAAC,mBAAmB,oBAAoB;AAAA,EAC/D,CAAC;AACH,QAAM,WAAW,SAAS,KAAK,CAAC,UAAU,MAAM,UAAU,KAAK,SAAS,CAAC,KAAK;AAC9E,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,qBAAqB,UAAU,MAAM;AAAA,IACrC,UAAU,SAAS,IAAI,CAAC,UAAU;AAChC,YAAM,EAAE,YAAY,GAAG,KAAK,IAAI;AAChC,WAAK;AACL,aAAO;AAAA,IACT,CAAC;AAAA,IACD;AAAA,IACA,UAAU;AAAA,MACR;AAAA,MACA,YAAY,aAAa;AAAA,MACzB,kBAAkB;AAAA,MAClB,WAAW,YAAY;AAAA,MACvB,WAAW,YAAY;AAAA,MACvB,eAAe,SAAS;AAAA,MACxB,oBAAoB,mBAAmB,SAAS;AAAA,MAChD,iBAAiB,mBAAmB,WAAW,KAAK,wBAAwB,SAAS;AAAA,IACvF;AAAA,EACF;AACF;AAEA,eAAO,qBAA4C,SAAS,UAAU,CAAC,GAAG;AACxE,UAAQ,KAAK,6CAA6C,OAAO,SAAS,UAAU;AAClF,UAAM,OAAO,QAAQ,QAAQ,OAAO,QAAQ,SAAS,WAAW,QAAQ,OAAO,CAAC;AAChF,UAAM,UAAU,KAAK,WAAW,OAAO,KAAK,YAAY,WAAW,KAAK,UAAU;AAClF,WAAO,MAAM,KAAK,MAAM,qCAAqC,SAAS,OAAO,CAAC;AAAA,EAChF,CAAC;AACH;",
+  "names": []
+}

package/dist/backend/routes/health.d.ts

@@ -0,0 +1,2 @@
+export default function healthRoutes(fastify: any, options?: {}): Promise<void>;
+//# sourceMappingURL=health.d.ts.map

package/dist/backend/routes/health.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"health.d.ts","sourceRoot":"","sources":["../../../src/backend/routes/health.ts"],"names":[],"mappings":"AAKA,wBAA8B,YAAY,CAAC,OAAO,KAAA,EAAE,OAAO,KAAK,iBAe/D"}

package/dist/backend/routes/health.js

@@ -0,0 +1,20 @@
+function nowIso() {
+  return (/* @__PURE__ */ new Date()).toISOString();
+}
+async function healthRoutes(fastify, options = {}) {
+  const branding = options.branding && typeof options.branding === "object" ? options.branding : {};
+  const reference = options.reference && typeof options.reference === "object" ? options.reference : {};
+  const tools = Array.isArray(options.tools) ? options.tools.filter(Boolean) : [];
+  fastify.get("/health", async () => ({
+    ok: true,
+    service: String(branding.serviceName || "").trim() || "tenant-backend",
+    mode: String(reference.mode || "").trim() || "reference-minimum",
+    ...String(branding.stackLabel || "").trim() ? { stack: String(branding.stackLabel).trim() } : {},
+    ...tools.length > 0 ? { tools } : {},
+    time: nowIso()
+  }));
+}
+export {
+  healthRoutes as default
+};
+//# sourceMappingURL=health.js.map

package/dist/backend/routes/health.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/backend/routes/health.ts"],
+  "sourcesContent": ["// @ts-nocheck\nfunction nowIso() {\n  return new Date().toISOString();\n}\n\nexport default async function healthRoutes(fastify, options = {}) {\n  const branding = options.branding && typeof options.branding === \"object\" ? options.branding : {};\n  const reference =\n    options.reference && typeof options.reference === \"object\" ? options.reference : {};\n  const tools = Array.isArray(options.tools) ? options.tools.filter(Boolean) : [];\n  fastify.get(\"/health\", async () => ({\n    ok: true,\n    service: String(branding.serviceName || \"\").trim() || \"tenant-backend\",\n    mode: String(reference.mode || \"\").trim() || \"reference-minimum\",\n    ...(String(branding.stackLabel || \"\").trim()\n      ? { stack: String(branding.stackLabel).trim() }\n      : {}),\n    ...(tools.length > 0 ? { tools } : {}),\n    time: nowIso(),\n  }));\n}\n"],
+  "mappings": "AACA,SAAS,SAAS;AAChB,UAAO,oBAAI,KAAK,GAAE,YAAY;AAChC;AAEA,eAAO,aAAoC,SAAS,UAAU,CAAC,GAAG;AAChE,QAAM,WAAW,QAAQ,YAAY,OAAO,QAAQ,aAAa,WAAW,QAAQ,WAAW,CAAC;AAChG,QAAM,YACJ,QAAQ,aAAa,OAAO,QAAQ,cAAc,WAAW,QAAQ,YAAY,CAAC;AACpF,QAAM,QAAQ,MAAM,QAAQ,QAAQ,KAAK,IAAI,QAAQ,MAAM,OAAO,OAAO,IAAI,CAAC;AAC9E,UAAQ,IAAI,WAAW,aAAa;AAAA,IAClC,IAAI;AAAA,IACJ,SAAS,OAAO,SAAS,eAAe,EAAE,EAAE,KAAK,KAAK;AAAA,IACtD,MAAM,OAAO,UAAU,QAAQ,EAAE,EAAE,KAAK,KAAK;AAAA,IAC7C,GAAI,OAAO,SAAS,cAAc,EAAE,EAAE,KAAK,IACvC,EAAE,OAAO,OAAO,SAAS,UAAU,EAAE,KAAK,EAAE,IAC5C,CAAC;AAAA,IACL,GAAI,MAAM,SAAS,IAAI,EAAE,MAAM,IAAI,CAAC;AAAA,IACpC,MAAM,OAAO;AAAA,EACf,EAAE;AACJ;",
+  "names": []
+}

package/dist/backend/routes/reference.d.ts

@@ -0,0 +1,2 @@
+export default function referenceRoutes(fastify: any, options?: {}): Promise<void>;
+//# sourceMappingURL=reference.d.ts.map

package/dist/backend/routes/reference.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reference.d.ts","sourceRoot":"","sources":["../../../src/backend/routes/reference.ts"],"names":[],"mappings":"AA8XA,wBAA8B,eAAe,CAAC,OAAO,KAAA,EAAE,OAAO,KAAK,iBA2ElE"}