punchout-simulator 0.1.0

package/dist/server/cli.js

@@ -0,0 +1,1889 @@
+#!/usr/bin/env node
+
+// src/server/cli.ts
+import { fileURLToPath } from "url";
+import { serve } from "@hono/node-server";
+
+// src/server/app.ts
+import { existsSync as existsSync3 } from "fs";
+import { Hono as Hono7 } from "hono";
+import { logger } from "hono/logger";
+import { serveStatic } from "@hono/node-server/serve-static";
+
+// src/server/routes/connections.ts
+import { Hono } from "hono";
+
+// src/server/store/config.ts
+import { Low } from "lowdb";
+import { JSONFile } from "lowdb/node";
+import { nanoid } from "nanoid";
+
+// src/server/store/paths.ts
+import { mkdirSync } from "fs";
+import { resolve } from "path";
+var dataDir = resolve(process.cwd(), "data");
+function setDataDir(dir) {
+  dataDir = resolve(dir);
+  ensureDirs();
+}
+function sessionsDir() {
+  return resolve(dataDir, "sessions");
+}
+function attachmentsDir() {
+  return resolve(dataDir, "attachments");
+}
+function configPath() {
+  return resolve(dataDir, "config.json");
+}
+function sessionFile(sessionId) {
+  const safe = sessionId.replace(/[^a-zA-Z0-9._-]/g, "_").slice(0, 200) || "unknown";
+  return resolve(sessionsDir(), `${safe}.jsonl`);
+}
+function ensureDirs() {
+  mkdirSync(dataDir, { recursive: true });
+  mkdirSync(sessionsDir(), { recursive: true });
+  mkdirSync(attachmentsDir(), { recursive: true });
+}
+
+// src/server/store/config.ts
+var db = null;
+async function initConfig() {
+  ensureDirs();
+  const adapter = new JSONFile(configPath());
+  db = new Low(adapter, { connections: [] });
+  await db.read();
+  db.data ||= { connections: [] };
+  await db.write();
+}
+function requireDb() {
+  if (!db) throw new Error("config store not initialized \u2014 call initConfig() first");
+  return db;
+}
+function listConnections() {
+  return requireDb().data.connections;
+}
+function getConnection(id) {
+  return requireDb().data.connections.find((c) => c.id === id);
+}
+async function createConnection(input) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const conn = {
+    ...input,
+    id: input.id ?? nanoid(8),
+    createdAt: now,
+    updatedAt: now
+  };
+  const d = requireDb();
+  d.data.connections.push(conn);
+  await d.write();
+  return conn;
+}
+async function updateConnection(id, patch) {
+  const d = requireDb();
+  const existing = d.data.connections.find((c) => c.id === id);
+  if (!existing) return void 0;
+  Object.assign(existing, patch, { id, updatedAt: (/* @__PURE__ */ new Date()).toISOString() });
+  await d.write();
+  return existing;
+}
+async function deleteConnection(id) {
+  const d = requireDb();
+  const before = d.data.connections.length;
+  d.data.connections = d.data.connections.filter((c) => c.id !== id);
+  const removed = d.data.connections.length < before;
+  if (removed) await d.write();
+  return removed;
+}
+
+// src/server/routes/connections.ts
+var connectionsRoute = new Hono();
+var emptyCredential = () => ({ domain: "", identity: "" });
+function normalize(body) {
+  const cred = (c) => c && typeof c === "object" ? { domain: String(c.domain ?? ""), identity: String(c.identity ?? "") } : emptyCredential();
+  return {
+    name: String(body?.name ?? "Untitled connection"),
+    mode: body?.mode === "virtual-supplier" ? "virtual-supplier" : "virtual-buyer",
+    from: cred(body?.from),
+    to: cred(body?.to),
+    sender: cred(body?.sender),
+    sharedSecret: String(body?.sharedSecret ?? ""),
+    deploymentMode: body?.deploymentMode === "production" ? "production" : "test",
+    authStyle: body?.authStyle === "MAC" ? "MAC" : "SharedSecret",
+    punchoutUrl: body?.punchoutUrl ? String(body.punchoutUrl) : void 0,
+    orderUrl: body?.orderUrl ? String(body.orderUrl) : void 0,
+    catalog: Array.isArray(body?.catalog) ? body.catalog : void 0
+  };
+}
+function validateConnection(input) {
+  const errors = [];
+  if (!input.name.trim()) errors.push("name is required");
+  if (input.mode === "virtual-buyer") {
+    if (!input.punchoutUrl) errors.push("punchoutUrl is required for virtual-buyer");
+    if (!input.orderUrl) errors.push("orderUrl is required for virtual-buyer");
+  }
+  return errors;
+}
+connectionsRoute.get("/", (c) => c.json(listConnections()));
+connectionsRoute.post("/", async (c) => {
+  const input = normalize(await c.req.json().catch(() => ({})));
+  const errors = validateConnection(input);
+  if (errors.length) return c.json({ errors }, 400);
+  const created = await createConnection(input);
+  return c.json(created, 201);
+});
+connectionsRoute.get("/:id", (c) => {
+  const conn = getConnection(c.req.param("id"));
+  return conn ? c.json(conn) : c.json({ error: "not found" }, 404);
+});
+connectionsRoute.put("/:id", async (c) => {
+  const id = c.req.param("id");
+  const existing = getConnection(id);
+  if (!existing) return c.json({ error: "not found" }, 404);
+  const merged = { ...existing, ...await c.req.json().catch(() => ({})) };
+  const input = normalize(merged);
+  const errors = validateConnection(input);
+  if (errors.length) return c.json({ errors }, 400);
+  const updated = await updateConnection(id, input);
+  return c.json(updated);
+});
+connectionsRoute.delete("/:id", async (c) => {
+  const ok = await deleteConnection(c.req.param("id"));
+  return ok ? c.json({ ok: true }) : c.json({ error: "not found" }, 404);
+});
+
+// src/server/routes/flow.ts
+import { Hono as Hono2 } from "hono";
+import { nanoid as nanoid5 } from "nanoid";
+
+// src/server/store/log.ts
+import { appendFileSync, existsSync, readdirSync, readFileSync } from "fs";
+import { nanoid as nanoid2 } from "nanoid";
+
+// src/server/bus.ts
+import { EventEmitter } from "events";
+var Bus = class extends EventEmitter {
+  emitLog(record) {
+    this.emit("event", { type: "log", record });
+  }
+  emitCart(connectionId, cart) {
+    this.emit("event", { type: "cart", connectionId, cart });
+  }
+  onEvent(fn) {
+    this.on("event", fn);
+    return () => this.off("event", fn);
+  }
+};
+var bus = new Bus();
+bus.setMaxListeners(0);
+
+// src/server/store/log.ts
+function appendLog(input) {
+  ensureDirs();
+  const record = {
+    ...input,
+    id: input.id ?? nanoid2(12),
+    ts: input.ts ?? (/* @__PURE__ */ new Date()).toISOString()
+  };
+  appendFileSync(sessionFile(record.sessionId), JSON.stringify(record) + "\n", "utf8");
+  bus.emitLog(record);
+  return record;
+}
+function readSession(sessionId) {
+  const file = sessionFile(sessionId);
+  if (!existsSync(file)) return [];
+  return readFileSync(file, "utf8").split("\n").filter((l) => l.trim().length > 0).map((l) => {
+    try {
+      return JSON.parse(l);
+    } catch {
+      return null;
+    }
+  }).filter((r) => r !== null);
+}
+function listSessions() {
+  ensureDirs();
+  const files = readdirSync(sessionsDir()).filter((f) => f.endsWith(".jsonl"));
+  const summaries = [];
+  for (const file of files) {
+    const sessionId = file.replace(/\.jsonl$/, "");
+    const records = readSession(sessionId);
+    if (records.length === 0) continue;
+    summaries.push({
+      sessionId: records[0].sessionId ?? sessionId,
+      connectionId: records[0].connectionId,
+      count: records.length,
+      firstTs: records[0].ts,
+      lastTs: records[records.length - 1].ts,
+      docTypes: [...new Set(records.map((r) => r.docType))],
+      hasErrors: records.some((r) => r.validation && !r.validation.ok)
+    });
+  }
+  return summaries.sort((a, b) => (b.lastTs ?? "").localeCompare(a.lastTs ?? ""));
+}
+function readAllRecent(limit = 200) {
+  return listSessions().flatMap((s) => readSession(s.sessionId)).sort((a, b) => a.ts.localeCompare(b.ts)).slice(-limit);
+}
+
+// src/server/store/attachments.ts
+import { createHash } from "crypto";
+import { existsSync as existsSync2, readFileSync as readFileSync2, writeFileSync } from "fs";
+import { resolve as resolve2 } from "path";
+
+// src/server/cxml/multipart.ts
+import { nanoid as nanoid3 } from "nanoid";
+function normalizeContentId(cid) {
+  if (!cid) return "";
+  return cid.trim().replace(/^<+/, "").replace(/>+$/, "").trim();
+}
+function buildMultipartRelated(cxml, attachments, opts = {}) {
+  const boundary = `cxml-${nanoid3(20)}`;
+  const mainCid = opts.mainContentId ?? `cxml-main@punchout-simulator`;
+  const CRLF = "\r\n";
+  const parts = [];
+  const pushPart = (headers, data) => {
+    parts.push(Buffer.from(`--${boundary}${CRLF}`, "utf8"));
+    parts.push(Buffer.from(headers.join(CRLF) + CRLF + CRLF, "utf8"));
+    parts.push(data);
+    parts.push(Buffer.from(CRLF, "utf8"));
+  };
+  pushPart(
+    [
+      `Content-Type: application/xml; charset=UTF-8`,
+      `Content-Transfer-Encoding: binary`,
+      `Content-ID: <${mainCid}>`
+    ],
+    Buffer.from(cxml, "utf8")
+  );
+  for (const att of attachments) {
+    const disposition = att.filename ? `Content-Disposition: attachment; filename="${att.filename}"` : `Content-Disposition: attachment`;
+    pushPart(
+      [
+        `Content-Type: ${att.contentType}`,
+        `Content-Transfer-Encoding: binary`,
+        `Content-ID: <${normalizeContentId(att.contentId)}>`,
+        disposition
+      ],
+      att.data
+    );
+  }
+  parts.push(Buffer.from(`--${boundary}--${CRLF}`, "utf8"));
+  return {
+    body: Buffer.concat(parts),
+    boundary,
+    contentType: `multipart/related; boundary="${boundary}"; type="application/xml"; start="<${mainCid}>"`
+  };
+}
+function getBoundary(contentType) {
+  const m = /boundary="?([^";]+)"?/i.exec(contentType);
+  return m?.[1];
+}
+function isMultipart(contentType) {
+  return !!contentType && /^multipart\//i.test(contentType.trim());
+}
+function parseMultipartRelated(body, contentType) {
+  const boundary = getBoundary(contentType);
+  if (!boundary) {
+    return { parts: [], byContentId: /* @__PURE__ */ new Map() };
+  }
+  const delimiter = Buffer.from(`--${boundary}`, "utf8");
+  const segments = splitBuffer(body, delimiter);
+  const parts = [];
+  for (const seg of segments) {
+    const trimmed = trimLeadingCrlf(seg);
+    if (trimmed.length === 0) continue;
+    if (trimmed.length >= 2 && trimmed[0] === 45 && trimmed[1] === 45) {
+      continue;
+    }
+    const splitIdx = findHeaderBodySplit(trimmed);
+    if (splitIdx < 0) continue;
+    const headerText = trimmed.subarray(0, splitIdx).toString("utf8");
+    let bodyBuf = trimmed.subarray(splitIdx);
+    bodyBuf = stripBoundaryTrailingCrlf(bodyBuf);
+    const headers = {};
+    for (const line of headerText.split(/\r?\n/)) {
+      const idx = line.indexOf(":");
+      if (idx > 0) {
+        headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
+      }
+    }
+    parts.push({
+      headers,
+      contentId: normalizeContentId(headers["content-id"]),
+      contentType: headers["content-type"],
+      body: bodyBuf
+    });
+  }
+  const start = normalizeContentId(/start="?<?([^">]+)>?"?/i.exec(contentType)?.[1]);
+  const byContentId = /* @__PURE__ */ new Map();
+  for (const p of parts) if (p.contentId) byContentId.set(p.contentId, p);
+  const root2 = start && byContentId.get(start) || parts.find((p) => /xml/i.test(p.contentType ?? "")) || parts[0];
+  return { parts, root: root2, byContentId };
+}
+function splitBuffer(buf, delimiter) {
+  const out = [];
+  let start = 0;
+  let idx = buf.indexOf(delimiter, start);
+  while (idx !== -1) {
+    out.push(buf.subarray(start, idx));
+    start = idx + delimiter.length;
+    idx = buf.indexOf(delimiter, start);
+  }
+  out.push(buf.subarray(start));
+  return out;
+}
+function trimLeadingCrlf(buf) {
+  let i = 0;
+  while (i < buf.length && (buf[i] === 13 || buf[i] === 10)) i++;
+  return buf.subarray(i);
+}
+function stripBoundaryTrailingCrlf(buf) {
+  let end = buf.length;
+  while (end > 0 && (buf[end - 1] === 13 || buf[end - 1] === 10)) end--;
+  return buf.subarray(0, end);
+}
+function findHeaderBodySplit(buf) {
+  const crlfcrlf = buf.indexOf("\r\n\r\n");
+  const lflf = buf.indexOf("\n\n");
+  if (crlfcrlf !== -1 && (lflf === -1 || crlfcrlf < lflf)) return crlfcrlf + 4;
+  if (lflf !== -1) return lflf + 2;
+  return -1;
+}
+
+// src/server/store/attachments.ts
+function saveAttachment(data, meta) {
+  ensureDirs();
+  const hash = createHash("sha256").update(data).digest("hex");
+  const path = resolve2(attachmentsDir(), hash);
+  if (!existsSync2(path)) writeFileSync(path, data);
+  return {
+    contentId: normalizeContentId(meta.contentId),
+    filename: meta.filename,
+    contentType: meta.contentType,
+    hash,
+    size: data.length,
+    referenced: meta.referenced
+  };
+}
+function readAttachment(hash) {
+  const safe = hash.replace(/[^a-f0-9]/gi, "");
+  if (!safe) return void 0;
+  const path = resolve2(attachmentsDir(), safe);
+  if (!existsSync2(path)) return void 0;
+  return readFileSync2(path);
+}
+
+// src/server/cart-store.ts
+var carts = /* @__PURE__ */ new Map();
+var connectionBySession = /* @__PURE__ */ new Map();
+function setCart(cart) {
+  carts.set(cart.sessionId, cart);
+}
+function getCart(sessionId) {
+  return carts.get(sessionId);
+}
+function rememberSessionConnection(sessionId, connectionId) {
+  connectionBySession.set(sessionId, connectionId);
+}
+function connectionForSession(sessionId) {
+  return connectionBySession.get(sessionId);
+}
+
+// src/server/http.ts
+async function sendCxml(url, body, contentType = "text/xml; charset=UTF-8", timeoutMs = 3e4) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const res = await fetch(url, {
+      method: "POST",
+      headers: { "Content-Type": contentType },
+      body,
+      signal: controller.signal
+    });
+    const headers = {};
+    res.headers.forEach((v, k) => headers[k] = v);
+    const buf = Buffer.from(await res.arrayBuffer());
+    return {
+      status: res.status,
+      headers,
+      body: buf.toString("utf8"),
+      rawBody: buf,
+      contentType: res.headers.get("content-type") ?? void 0
+    };
+  } catch (e) {
+    return {
+      status: 0,
+      headers: {},
+      body: "",
+      rawBody: Buffer.alloc(0),
+      error: e instanceof Error ? e.message : String(e)
+    };
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
+// src/server/runtime.ts
+var runtime = {
+  port: 8080,
+  publicUrl: "http://localhost:8080"
+};
+function setRuntime(r) {
+  Object.assign(runtime, r);
+}
+function getPublicUrl() {
+  return runtime.publicUrl.replace(/\/$/, "");
+}
+function browserFormPostUrl() {
+  return `${getPublicUrl()}/punchout/return`;
+}
+
+// src/server/cxml/build.ts
+import { nanoid as nanoid4 } from "nanoid";
+function escapeXml(value) {
+  if (value == null) return "";
+  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+}
+function makePayloadId(host3, nowIso) {
+  return `${nowIso}.${nanoid4(10)}@${host3}`;
+}
+function credentialBlock(tag, c) {
+  return `    <${tag}>
+      <Credential domain="${escapeXml(c.domain)}">
+        <Identity>${escapeXml(c.identity)}</Identity>
+      </Credential>
+    </${tag}>`;
+}
+function senderBlock(c, sharedSecret, userAgent) {
+  const secret = sharedSecret != null && sharedSecret !== "" ? `
+        <SharedSecret>${escapeXml(sharedSecret)}</SharedSecret>` : "";
+  return `    <Sender>
+      <Credential domain="${escapeXml(c.domain)}">
+        <Identity>${escapeXml(c.identity)}</Identity>${secret}
+      </Credential>
+      <UserAgent>${escapeXml(userAgent ?? "punchout-simulator")}</UserAgent>
+    </Sender>`;
+}
+function header(p) {
+  return `  <Header>
+${credentialBlock("From", p.from)}
+${credentialBlock("To", p.to)}
+${senderBlock(p.sender, p.sharedSecret, p.userAgent)}
+  </Header>`;
+}
+var DECLARATION = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE cXML SYSTEM "http://xml.cxml.org/schemas/cXML/1.2.045/cXML.dtd">`;
+function envelope(payloadId, timestamp, lang, inner) {
+  return `${DECLARATION}
+<cXML payloadID="${escapeXml(payloadId)}" timestamp="${escapeXml(timestamp)}" xml:lang="${escapeXml(lang)}">
+${inner}
+</cXML>`;
+}
+function buildSetupRequest(o) {
+  const lang = o.lang ?? "en-US";
+  const deployment = o.deploymentMode ? ` deploymentMode="${escapeXml(o.deploymentMode)}"` : "";
+  const inner = `${header({
+    from: o.from,
+    to: o.to,
+    sender: o.sender,
+    sharedSecret: o.sharedSecret
+  })}
+  <Request${deployment}>
+    <PunchOutSetupRequest operation="${escapeXml(o.operation ?? "create")}">
+      <BuyerCookie>${escapeXml(o.buyerCookie)}</BuyerCookie>
+      <BrowserFormPost>
+        <URL>${escapeXml(o.browserFormPostUrl)}</URL>
+      </BrowserFormPost>
+    </PunchOutSetupRequest>
+  </Request>`;
+  return envelope(o.payloadId, o.timestamp, lang, inner);
+}
+function addressBlock(tag, a) {
+  return `      <${tag}>
+        <Address${a.addressId ? ` addressID="${escapeXml(a.addressId)}"` : ""}>
+          <Name xml:lang="en">${escapeXml(a.name ?? "")}</Name>
+          <PostalAddress>
+${a.deliverTo ? `            <DeliverTo>${escapeXml(a.deliverTo)}</DeliverTo>
+` : ""}            <Street>${escapeXml(a.street ?? "")}</Street>
+            <City>${escapeXml(a.city ?? "")}</City>
+            <State>${escapeXml(a.state ?? "")}</State>
+            <PostalCode>${escapeXml(a.postalCode ?? "")}</PostalCode>
+            <Country isoCountryCode="${escapeXml(a.countryIsoCode ?? "US")}">${escapeXml(a.countryName ?? "United States")}</Country>
+          </PostalAddress>
+        </Address>
+      </${tag}>`;
+}
+function commentsWithAttachments(cids, indent) {
+  if (cids.length === 0) return "";
+  const atts = cids.map(
+    (cid) => `${indent}  <Attachment>
+${indent}    <URL>cid:${escapeXml(cid)}</URL>
+${indent}  </Attachment>`
+  ).join("\n");
+  return `
+${indent}<Comments>
+${atts}
+${indent}</Comments>`;
+}
+function buildOrderRequest(o) {
+  const lang = o.lang ?? "en-US";
+  const deployment = o.deploymentMode ? ` deploymentMode="${escapeXml(o.deploymentMode)}"` : "";
+  const orderLevelCids = (o.attachments ?? []).filter((a) => a.scope === "order").map((a) => a.contentId);
+  const itemCids = (idx) => (o.attachments ?? []).filter((a) => typeof a.scope === "object" && a.scope.itemIndex === idx).map((a) => a.contentId);
+  const items = o.items.map((it, i) => {
+    const idx = i + 1;
+    const cids = itemCids(idx);
+    return `      <ItemOut quantity="${escapeXml(it.quantity)}" lineNumber="${idx}">
+        <ItemID>
+          <SupplierPartID>${escapeXml(it.supplierPartId ?? "")}</SupplierPartID>${it.supplierPartAuxiliaryId ? `
+          <SupplierPartAuxiliaryID>${escapeXml(it.supplierPartAuxiliaryId)}</SupplierPartAuxiliaryID>` : ""}
+        </ItemID>
+        <ItemDetail>
+          <UnitPrice>
+            <Money currency="${escapeXml(it.currency ?? o.currency)}">${escapeXml(
+      it.unitPriceAmount ?? 0
+    )}</Money>
+          </UnitPrice>
+          <Description xml:lang="en">${escapeXml(it.description ?? "")}</Description>
+          <UnitOfMeasure>${escapeXml(it.uom ?? "EA")}</UnitOfMeasure>
+          <Classification domain="${escapeXml(it.classificationDomain ?? "UNSPSC")}">${escapeXml(
+      it.classification ?? ""
+    )}</Classification>${it.manufacturerPartId ? `
+          <ManufacturerPartID>${escapeXml(it.manufacturerPartId)}</ManufacturerPartID>` : ""}${it.manufacturerName ? `
+          <ManufacturerName>${escapeXml(it.manufacturerName)}</ManufacturerName>` : ""}${commentsWithAttachments(cids, "          ")}
+        </ItemDetail>
+      </ItemOut>`;
+  }).join("\n");
+  const inner = `${header({
+    from: o.from,
+    to: o.to,
+    sender: o.sender,
+    sharedSecret: o.sharedSecret
+  })}
+  <Request${deployment}>
+    <OrderRequest>
+      <OrderRequestHeader orderID="${escapeXml(o.orderId)}" orderDate="${escapeXml(
+    o.orderDate
+  )}" type="new">
+        <Total>
+          <Money currency="${escapeXml(o.currency)}">${escapeXml(o.total)}</Money>
+        </Total>
+${addressBlock("ShipTo", o.shipTo ?? {})}
+${addressBlock("BillTo", o.billTo ?? {})}${commentsWithAttachments(orderLevelCids, "        ")}
+      </OrderRequestHeader>
+${items}
+    </OrderRequest>
+  </Request>`;
+  return envelope(o.payloadId, o.timestamp, lang, inner);
+}
+function optionalHeader(p) {
+  return p ? `${header({ from: p.from, to: p.to, sender: p.sender })}
+` : "";
+}
+function buildSetupResponse(o) {
+  const head = o.from && o.to && o.sender ? optionalHeader({ from: o.from, to: o.to, sender: o.sender }) : "";
+  const inner = `${head}  <Response>
+    <Status code="${escapeXml(o.statusCode ?? "200")}" text="${escapeXml(
+    o.statusText ?? "OK"
+  )}"/>
+    <PunchOutSetupResponse>
+      <StartPage>
+        <URL>${escapeXml(o.startPageUrl)}</URL>
+      </StartPage>
+    </PunchOutSetupResponse>
+  </Response>`;
+  return envelope(o.payloadId, o.timestamp, o.lang ?? "en-US", inner);
+}
+function buildResponseStatus(o) {
+  const head = o.from && o.to && o.sender ? optionalHeader({ from: o.from, to: o.to, sender: o.sender }) : "";
+  const inner = `${head}  <Response>
+    <Status code="${escapeXml(o.statusCode ?? "200")}" text="${escapeXml(
+    o.statusText ?? "OK"
+  )}">${escapeXml(o.statusText === "OK" || !o.statusText ? "" : o.statusText)}</Status>
+  </Response>`;
+  return envelope(o.payloadId, o.timestamp, o.lang ?? "en-US", inner);
+}
+function buildPunchOutOrderMessage(o) {
+  const total = o.items.reduce(
+    (sum, it) => sum + (it.unitPriceAmount ?? 0) * it.quantity,
+    0
+  );
+  const items = o.items.map(
+    (it) => `    <ItemIn quantity="${escapeXml(it.quantity)}">
+      <ItemID>
+        <SupplierPartID>${escapeXml(it.supplierPartId ?? "")}</SupplierPartID>${it.supplierPartAuxiliaryId ? `
+        <SupplierPartAuxiliaryID>${escapeXml(it.supplierPartAuxiliaryId)}</SupplierPartAuxiliaryID>` : ""}
+      </ItemID>
+      <ItemDetail>
+        <UnitPrice>
+          <Money currency="${escapeXml(it.currency ?? o.currency)}">${escapeXml(
+      it.unitPriceAmount ?? 0
+    )}</Money>
+        </UnitPrice>
+        <Description xml:lang="en">${escapeXml(it.description ?? "")}</Description>
+        <UnitOfMeasure>${escapeXml(it.uom ?? "EA")}</UnitOfMeasure>
+        <Classification domain="${escapeXml(it.classificationDomain ?? "UNSPSC")}">${escapeXml(
+      it.classification ?? ""
+    )}</Classification>${it.manufacturerPartId ? `
+        <ManufacturerPartID>${escapeXml(it.manufacturerPartId)}</ManufacturerPartID>` : ""}
+      </ItemDetail>
+    </ItemIn>`
+  ).join("\n");
+  const inner = `${header({ from: o.from, to: o.to, sender: o.sender })}
+  <Message>
+    <PunchOutOrderMessage>
+      <BuyerCookie>${escapeXml(o.buyerCookie)}</BuyerCookie>
+      <PunchOutOrderMessageHeader operationAllowed="create">
+        <Total>
+          <Money currency="${escapeXml(o.currency)}">${escapeXml(total.toFixed(2))}</Money>
+        </Total>
+      </PunchOutOrderMessageHeader>
+${items}
+    </PunchOutOrderMessage>
+  </Message>`;
+  return envelope(o.payloadId, o.timestamp, o.lang ?? "en-US", inner);
+}
+
+// src/server/cxml/parse.ts
+import { XMLParser, XMLValidator } from "fast-xml-parser";
+var ATTR = "@_";
+var parser = new XMLParser({
+  ignoreAttributes: false,
+  attributeNamePrefix: ATTR,
+  parseTagValue: false,
+  parseAttributeValue: false,
+  trimValues: true,
+  // Always treat the repeated cXML containers as arrays so callers don't have
+  // to special-case "one item vs many".
+  isArray: (name) => ["ItemIn", "ItemOut", "Attachment", "Comments", "Extrinsic"].includes(name)
+});
+function parseXml(raw) {
+  const check = XMLValidator.validate(raw, { allowBooleanAttributes: true });
+  if (check !== true) {
+    return {
+      raw,
+      tree: null,
+      wellFormed: false,
+      wellFormedError: check?.err?.msg ?? "not well-formed"
+    };
+  }
+  try {
+    return { raw, tree: parser.parse(raw), wellFormed: true };
+  } catch (e) {
+    return {
+      raw,
+      tree: null,
+      wellFormed: false,
+      wellFormedError: e instanceof Error ? e.message : String(e)
+    };
+  }
+}
+function text(node) {
+  if (node == null) return void 0;
+  if (typeof node === "string") return node;
+  if (typeof node === "number" || typeof node === "boolean") return String(node);
+  if (typeof node === "object" && "#text" in node) {
+    const t = node["#text"];
+    return t == null ? void 0 : String(t);
+  }
+  return void 0;
+}
+function attr(node, name) {
+  if (node == null || typeof node !== "object") return void 0;
+  const v = node[ATTR + name];
+  return v == null ? void 0 : String(v);
+}
+function asArray(node) {
+  if (node == null) return [];
+  return Array.isArray(node) ? node : [node];
+}
+function root(doc) {
+  return doc.tree?.cXML;
+}
+function getDocType(doc) {
+  const r = root(doc);
+  if (!r) return "Unknown";
+  const req = r.Request;
+  const resp = r.Response;
+  const msg = r.Message;
+  if (req && typeof req === "object") {
+    if ("PunchOutSetupRequest" in req) return "SetupRequest";
+    if ("OrderRequest" in req) return "OrderRequest";
+  }
+  if (resp && typeof resp === "object") {
+    if ("PunchOutSetupResponse" in resp) return "SetupResponse";
+    return "OrderResponse";
+  }
+  if (msg && typeof msg === "object" && "PunchOutOrderMessage" in msg) {
+    return "PunchOutOrderMessage";
+  }
+  return "Unknown";
+}
+function credentialOf(node) {
+  const cred = node?.Credential;
+  if (!cred) return void 0;
+  const first = Array.isArray(cred) ? cred[0] : cred;
+  return {
+    domain: attr(first, "domain") ?? "",
+    identity: text(first?.Identity) ?? ""
+  };
+}
+function getHeaderCredentials(doc) {
+  const header2 = root(doc)?.Header;
+  if (!header2) return {};
+  const senderCred = header2.Sender?.Credential;
+  const senderFirst = Array.isArray(senderCred) ? senderCred[0] : senderCred;
+  return {
+    from: credentialOf(header2.From),
+    to: credentialOf(header2.To),
+    sender: credentialOf(header2.Sender),
+    sharedSecret: text(senderFirst?.SharedSecret)
+  };
+}
+function getPayloadId(doc) {
+  return attr(root(doc), "payloadID");
+}
+function getTimestamp(doc) {
+  return attr(root(doc), "timestamp");
+}
+function getStatus(doc) {
+  const status = root(doc)?.Response?.Status;
+  if (!status) return {};
+  return { code: attr(status, "code"), text: attr(status, "text") };
+}
+function getStartPage(doc) {
+  const sr = root(doc)?.Response?.PunchOutSetupResponse;
+  return text(sr?.StartPage?.URL);
+}
+function money(node) {
+  const m = node?.Money;
+  if (!m) return {};
+  const raw = text(m);
+  const amount = raw != null && raw !== "" ? Number(raw) : void 0;
+  return {
+    amount: Number.isFinite(amount) ? amount : void 0,
+    currency: attr(m, "currency")
+  };
+}
+function stripCid(url) {
+  const trimmed = url.trim();
+  if (/^cid:/i.test(trimmed)) {
+    const cid = trimmed.replace(/^cid:/i, "").trim().replace(/^<+/, "").replace(/>+$/, "");
+    return { cid, external: false };
+  }
+  return { cid: trimmed, external: true };
+}
+function attachmentsInComments(commentsNode) {
+  const urls = [];
+  for (const comments of asArray(commentsNode)) {
+    for (const att of asArray(comments?.Attachment)) {
+      const url = text(att?.URL);
+      if (url) urls.push(url);
+    }
+  }
+  return urls;
+}
+function collectCidReferences(doc) {
+  const orderReq = root(doc)?.Request?.OrderRequest;
+  if (!orderReq) return [];
+  const refs = [];
+  for (const rawUrl of attachmentsInComments(orderReq?.OrderRequestHeader?.Comments)) {
+    const { cid, external } = stripCid(rawUrl);
+    refs.push({ cid, rawUrl, level: "order", external });
+  }
+  asArray(orderReq?.ItemOut).forEach((item, i) => {
+    for (const rawUrl of attachmentsInComments(item?.ItemDetail?.Comments)) {
+      const { cid, external } = stripCid(rawUrl);
+      refs.push({ cid, rawUrl, level: "item", itemIndex: i + 1, external });
+    }
+    for (const rawUrl of attachmentsInComments(item?.Comments)) {
+      const { cid, external } = stripCid(rawUrl);
+      refs.push({ cid, rawUrl, level: "item", itemIndex: i + 1, external });
+    }
+  });
+  return refs;
+}
+function parseCart(doc) {
+  const pom = root(doc)?.Message?.PunchOutOrderMessage;
+  const sessionId = text(pom?.BuyerCookie) ?? "";
+  const headerNode = pom?.PunchOutOrderMessageHeader;
+  const total = money(headerNode?.Total);
+  const items = asArray(pom?.ItemIn).map((it) => {
+    const detail = it?.ItemDetail;
+    const up = money(detail?.UnitPrice);
+    const classification = detail?.Classification;
+    const classFirst = Array.isArray(classification) ? classification[0] : classification;
+    return {
+      quantity: Number(attr(it, "quantity") ?? "1") || 1,
+      supplierPartId: text(it?.ItemID?.SupplierPartID),
+      supplierPartAuxiliaryId: text(it?.ItemID?.SupplierPartAuxiliaryID),
+      description: text(detail?.Description),
+      uom: text(detail?.UnitOfMeasure),
+      unitPriceAmount: up.amount,
+      currency: up.currency,
+      classificationDomain: attr(classFirst, "domain"),
+      classification: text(classFirst),
+      manufacturerPartId: text(detail?.ManufacturerPartID),
+      manufacturerName: text(detail?.ManufacturerName)
+    };
+  });
+  return {
+    sessionId,
+    operationAllowed: attr(headerNode, "operationAllowed"),
+    total: total.amount != null && total.currency ? { amount: total.amount, currency: total.currency } : void 0,
+    items
+  };
+}
+
+// src/server/cxml/validate.ts
+var Issues = class {
+  list = [];
+  error(code, message, path) {
+    this.list.push({ severity: "error", code, message, path });
+  }
+  warn(code, message, path) {
+    this.list.push({ severity: "warning", code, message, path });
+  }
+  info(code, message, path) {
+    this.list.push({ severity: "info", code, message, path });
+  }
+};
+function isValidUrl(s) {
+  if (!s) return false;
+  try {
+    const u = new URL(s);
+    return u.protocol === "http:" || u.protocol === "https:";
+  } catch {
+    return false;
+  }
+}
+function credEq(a, b) {
+  if (!a || !b) return false;
+  return a.domain === b.domain && a.identity === b.identity;
+}
+function credKnown(c, conn) {
+  if (!c) return false;
+  return [conn.from, conn.to, conn.sender].some((k) => credEq(c, k));
+}
+function checkGeneral(doc, ctx, issues) {
+  const payloadId = getPayloadId(doc);
+  if (!payloadId) {
+    issues.error("missing-payloadID", "cXML/@payloadID is missing", "cXML/@payloadID");
+  } else if (!payloadId.includes("@")) {
+    issues.warn(
+      "payloadID-format",
+      "payloadID should have the form <unique>@<host>",
+      "cXML/@payloadID"
+    );
+  }
+  if (!getTimestamp(doc)) {
+    issues.error("missing-timestamp", "cXML/@timestamp is missing", "cXML/@timestamp");
+  }
+  if (!ctx.connection) return;
+  const conn = ctx.connection;
+  const creds = getHeaderCredentials(doc);
+  for (const [name, c] of [
+    ["From", creds.from],
+    ["To", creds.to],
+    ["Sender", creds.sender]
+  ]) {
+    if (!c) {
+      issues.warn("missing-credential", `Header/${name} credential is missing`, `cXML/Header/${name}`);
+      continue;
+    }
+    if (!c.domain) {
+      issues.warn("credential-domain", `Header/${name}/Credential/@domain is empty`, `cXML/Header/${name}`);
+    }
+    if (!c.identity) {
+      issues.warn("credential-identity", `Header/${name}/Credential/Identity is empty`, `cXML/Header/${name}`);
+    }
+    if (c.domain && c.identity && !credKnown(c, conn)) {
+      issues.warn(
+        "credential-mismatch",
+        `Header/${name} (${c.domain}/${c.identity}) does not match any identity configured on the connection`,
+        `cXML/Header/${name}`
+      );
+    }
+  }
+}
+function checkSharedSecret(doc, ctx, issues) {
+  if (!ctx.connection) return;
+  const conn = ctx.connection;
+  if (conn.authStyle !== "SharedSecret") return;
+  const creds = getHeaderCredentials(doc);
+  if (!creds.sharedSecret) {
+    issues.warn(
+      "missing-sharedsecret",
+      "Sender/Credential/SharedSecret is absent (required for SharedSecret auth)",
+      "cXML/Header/Sender/Credential/SharedSecret"
+    );
+  } else if (conn.sharedSecret && creds.sharedSecret !== conn.sharedSecret) {
+    issues.error(
+      "sharedsecret-mismatch",
+      "Sender SharedSecret does not match the connection's configured shared secret",
+      "cXML/Header/Sender/Credential/SharedSecret"
+    );
+  }
+}
+function checkSetupResponse(doc, issues) {
+  const status = getStatus(doc);
+  if (!status.code) {
+    issues.error("missing-status", "Response/Status/@code is missing", "cXML/Response/Status");
+  } else if (status.code !== "200") {
+    issues.error(
+      "status-not-200",
+      `PunchOutSetupResponse Status is ${status.code} (expected 200)`,
+      "cXML/Response/Status"
+    );
+  }
+  const startPage = getStartPage(doc);
+  if (!startPage) {
+    issues.error(
+      "missing-startpage",
+      "PunchOutSetupResponse/StartPage/URL is missing",
+      "cXML/Response/PunchOutSetupResponse/StartPage/URL"
+    );
+  } else if (!isValidUrl(startPage)) {
+    issues.error(
+      "invalid-startpage-url",
+      `StartPage/URL is not a valid http(s) URL: ${startPage}`,
+      "cXML/Response/PunchOutSetupResponse/StartPage/URL"
+    );
+  }
+}
+function num(s) {
+  if (s == null || s === "") return void 0;
+  const n = Number(s);
+  return Number.isFinite(n) ? n : void 0;
+}
+function checkPunchback(doc, ctx, issues) {
+  const pom = root(doc)?.Message?.PunchOutOrderMessage;
+  if (!pom) {
+    issues.error("missing-pom", "Message/PunchOutOrderMessage is missing", "cXML/Message");
+    return;
+  }
+  const buyerCookie = text(pom.BuyerCookie);
+  if (!buyerCookie) {
+    issues.error("missing-buyercookie", "BuyerCookie is missing", "cXML/Message/PunchOutOrderMessage/BuyerCookie");
+  } else if (ctx.expectedBuyerCookie && buyerCookie !== ctx.expectedBuyerCookie) {
+    issues.error(
+      "buyercookie-mismatch",
+      `BuyerCookie "${buyerCookie}" does not match the session "${ctx.expectedBuyerCookie}"`,
+      "cXML/Message/PunchOutOrderMessage/BuyerCookie"
+    );
+  }
+  const headerNode = pom.PunchOutOrderMessageHeader;
+  const totalMoney = headerNode?.Total?.Money;
+  const totalAmount = num(text(totalMoney));
+  const totalCurrency = attr(totalMoney, "currency");
+  if (totalMoney == null) {
+    issues.error("missing-total", "PunchOutOrderMessageHeader/Total/Money is missing", "cXML/.../PunchOutOrderMessageHeader/Total");
+  } else if (!totalCurrency) {
+    issues.error("missing-total-currency", "Total/Money/@currency is missing", "cXML/.../Total/Money");
+  }
+  const items = asArray(pom.ItemIn);
+  if (items.length === 0) {
+    issues.warn("empty-cart", "PunchOutOrderMessage contains no ItemIn elements", "cXML/.../PunchOutOrderMessage");
+  }
+  let lineSum = 0;
+  items.forEach((it, i) => {
+    const base = `cXML/.../ItemIn[${i + 1}]`;
+    const qty = num(attr(it, "quantity"));
+    if (qty == null) {
+      issues.error("item-missing-quantity", `ItemIn[${i + 1}] is missing @quantity`, base);
+    }
+    if (!text(it?.ItemID?.SupplierPartID)) {
+      issues.error("item-missing-supplierpartid", `ItemIn[${i + 1}] is missing ItemID/SupplierPartID`, `${base}/ItemID`);
+    }
+    const detail = it?.ItemDetail;
+    if (!detail) {
+      issues.error("item-missing-detail", `ItemIn[${i + 1}] is missing ItemDetail`, base);
+      return;
+    }
+    const up = detail.UnitPrice?.Money;
+    const upAmount = num(text(up));
+    if (up == null) {
+      issues.error("item-missing-unitprice", `ItemIn[${i + 1}] is missing ItemDetail/UnitPrice/Money`, `${base}/ItemDetail/UnitPrice`);
+    } else if (!attr(up, "currency")) {
+      issues.error("item-missing-currency", `ItemIn[${i + 1}] UnitPrice/Money is missing @currency`, `${base}/ItemDetail/UnitPrice/Money`);
+    }
+    if (!text(detail.Description)) {
+      issues.error("item-missing-description", `ItemIn[${i + 1}] is missing ItemDetail/Description`, `${base}/ItemDetail/Description`);
+    }
+    if (!text(detail.UnitOfMeasure)) {
+      issues.error("item-missing-uom", `ItemIn[${i + 1}] is missing ItemDetail/UnitOfMeasure`, `${base}/ItemDetail/UnitOfMeasure`);
+    }
+    const classification = Array.isArray(detail.Classification) ? detail.Classification[0] : detail.Classification;
+    if (classification == null) {
+      issues.error("item-missing-classification", `ItemIn[${i + 1}] is missing ItemDetail/Classification`, `${base}/ItemDetail/Classification`);
+    } else if (!attr(classification, "domain")) {
+      issues.error("item-classification-domain", `ItemIn[${i + 1}] Classification is missing @domain`, `${base}/ItemDetail/Classification`);
+    }
+    if (qty != null && upAmount != null) lineSum += qty * upAmount;
+  });
+  if (totalAmount != null && items.length > 0) {
+    const diff = Math.abs(totalAmount - lineSum);
+    if (diff > 0.01) {
+      issues.warn(
+        "total-mismatch",
+        `Header Total (${totalAmount.toFixed(2)}) does not equal the sum of line totals (${lineSum.toFixed(2)})`,
+        "cXML/.../PunchOutOrderMessageHeader/Total"
+      );
+    }
+  }
+}
+function checkOrderRequest(doc, ctx, issues) {
+  const orderReq = root(doc)?.Request?.OrderRequest;
+  if (!orderReq) {
+    issues.error("missing-orderrequest", "Request/OrderRequest is missing", "cXML/Request");
+    return;
+  }
+  const header2 = orderReq.OrderRequestHeader;
+  if (!attr(header2, "orderID")) {
+    issues.error("missing-orderid", "OrderRequestHeader/@orderID is missing", "cXML/.../OrderRequestHeader");
+  }
+  if (!attr(header2, "orderDate")) {
+    issues.error("missing-orderdate", "OrderRequestHeader/@orderDate is missing", "cXML/.../OrderRequestHeader");
+  }
+  if (header2?.Total?.Money == null) {
+    issues.error("missing-order-total", "OrderRequestHeader/Total/Money is missing", "cXML/.../OrderRequestHeader/Total");
+  }
+  if (!header2?.ShipTo) {
+    issues.warn("missing-shipto", "OrderRequestHeader/ShipTo is missing", "cXML/.../OrderRequestHeader/ShipTo");
+  }
+  if (!header2?.BillTo) {
+    issues.warn("missing-billto", "OrderRequestHeader/BillTo is missing", "cXML/.../OrderRequestHeader/BillTo");
+  }
+  const items = asArray(orderReq.ItemOut);
+  if (items.length === 0) {
+    issues.error("no-itemout", "OrderRequest contains no ItemOut elements", "cXML/.../OrderRequest");
+  }
+  items.forEach((it, i) => {
+    const base = `cXML/.../ItemOut[${i + 1}]`;
+    if (!text(it?.ItemID?.SupplierPartID)) {
+      issues.error("itemout-missing-id", `ItemOut[${i + 1}] is missing ItemID/SupplierPartID`, `${base}/ItemID`);
+    }
+    if (it?.ItemDetail?.UnitPrice?.Money == null) {
+      issues.error("itemout-missing-unitprice", `ItemOut[${i + 1}] is missing ItemDetail/UnitPrice/Money`, `${base}/ItemDetail/UnitPrice`);
+    }
+    if (num(attr(it, "quantity")) == null) {
+      issues.error("itemout-missing-quantity", `ItemOut[${i + 1}] is missing @quantity`, base);
+    }
+  });
+  const refs = collectCidReferences(doc);
+  const available = ctx.availableContentIds;
+  const referenced = /* @__PURE__ */ new Set();
+  for (const ref of refs) {
+    if (ref.external) {
+      issues.info(
+        "external-attachment",
+        `Attachment URL is an external reference (not a cid:): ${ref.rawUrl}`,
+        ref.level === "item" ? `cXML/.../ItemOut[${ref.itemIndex}]` : "cXML/.../OrderRequestHeader/Comments"
+      );
+      continue;
+    }
+    referenced.add(ref.cid);
+    if (available && !available.has(ref.cid)) {
+      issues.error(
+        "dangling-cid",
+        `Attachment references cid:"${ref.cid}" but no multipart part has that Content-ID (dangling attachment)`,
+        ref.level === "item" ? `cXML/.../ItemOut[${ref.itemIndex}]/Comments/Attachment` : "cXML/.../OrderRequestHeader/Comments/Attachment"
+      );
+    }
+  }
+  if (available) {
+    for (const cid of available) {
+      if (!referenced.has(cid)) {
+        issues.warn(
+          "unreferenced-attachment",
+          `Multipart part Content-ID "${cid}" is not referenced by any <Attachment><URL>cid:...`,
+          "multipart"
+        );
+      }
+    }
+  }
+}
+function checkOrderResponse(doc, issues) {
+  const status = getStatus(doc);
+  if (!status.code) {
+    issues.error("missing-status", "Response/Status/@code is missing", "cXML/Response/Status");
+  } else {
+    const code = Number(status.code);
+    if (Number.isFinite(code) && code >= 400) {
+      issues.error("status-error", `Response Status is ${status.code} ${status.text ?? ""}`.trim(), "cXML/Response/Status");
+    }
+  }
+}
+function validateDocument(raw, ctx = {}) {
+  const doc = parseXml(raw);
+  const issues = new Issues();
+  if (!doc.wellFormed) {
+    issues.error("not-well-formed", `XML is not well-formed: ${doc.wellFormedError}`);
+    return { docType: "Unknown", wellFormed: false, ok: false, issues: issues.list };
+  }
+  const docType = ctx.forceDocType ?? getDocType(doc);
+  checkGeneral(doc, ctx, issues);
+  switch (docType) {
+    case "SetupRequest":
+      checkSharedSecret(doc, ctx, issues);
+      if (!root(doc)?.Request?.PunchOutSetupRequest?.BrowserFormPost?.URL) {
+        issues.warn("missing-browserformpost", "PunchOutSetupRequest/BrowserFormPost/URL is missing", "cXML/.../PunchOutSetupRequest/BrowserFormPost/URL");
+      }
+      break;
+    case "SetupResponse":
+      checkSetupResponse(doc, issues);
+      break;
+    case "PunchOutOrderMessage":
+      checkPunchback(doc, ctx, issues);
+      break;
+    case "OrderRequest":
+      checkSharedSecret(doc, ctx, issues);
+      checkOrderRequest(doc, ctx, issues);
+      break;
+    case "OrderResponse":
+      checkOrderResponse(doc, issues);
+      break;
+    default:
+      issues.warn("unknown-doctype", "Could not classify the cXML document type");
+  }
+  const hasError = issues.list.some((i) => i.severity === "error");
+  return { docType, wellFormed: true, ok: !hasError, issues: issues.list };
+}
+
+// src/server/routes/flow.ts
+var flowRoute = new Hono2();
+function host() {
+  try {
+    return new URL(getPublicUrl()).host;
+  } catch {
+    return "punchout-simulator";
+  }
+}
+function requireVirtualBuyer(conn) {
+  if (!conn) return "connection not found";
+  if (conn.mode !== "virtual-buyer") return "connection is not in virtual-buyer mode";
+  return null;
+}
+flowRoute.get("/:id/setup/preview", (c) => {
+  const conn = getConnection(c.req.param("id"));
+  const err = requireVirtualBuyer(conn);
+  if (err) return c.json({ error: err }, 400);
+  const buyerCookie = c.req.query("buyerCookie") || `pos-${nanoid5(16)}`;
+  const xml = buildSetupRequest({
+    from: conn.from,
+    to: conn.to,
+    sender: conn.sender,
+    sharedSecret: conn.sharedSecret,
+    buyerCookie,
+    browserFormPostUrl: browserFormPostUrl(),
+    payloadId: makePayloadId(host(), (/* @__PURE__ */ new Date()).toISOString()),
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    deploymentMode: conn.deploymentMode
+  });
+  return c.json({ buyerCookie, xml, browserFormPostUrl: browserFormPostUrl() });
+});
+flowRoute.post("/:id/setup", async (c) => {
+  const conn = getConnection(c.req.param("id"));
+  const err = requireVirtualBuyer(conn);
+  if (err) return c.json({ error: err }, 400);
+  const body = await c.req.json().catch(() => ({}));
+  const buyerCookie = body.buyerCookie || `pos-${nanoid5(16)}`;
+  const xml = body.xml || buildSetupRequest({
+    from: conn.from,
+    to: conn.to,
+    sender: conn.sender,
+    sharedSecret: conn.sharedSecret,
+    buyerCookie,
+    browserFormPostUrl: browserFormPostUrl(),
+    payloadId: makePayloadId(host(), (/* @__PURE__ */ new Date()).toISOString()),
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    deploymentMode: conn.deploymentMode
+  });
+  rememberSessionConnection(buyerCookie, conn.id);
+  const reqValidation = validateDocument(xml, {
+    connection: conn,
+    forceDocType: "SetupRequest"
+  });
+  const reqLog = appendLog({
+    sessionId: buyerCookie,
+    connectionId: conn.id,
+    direction: "out",
+    docType: "SetupRequest",
+    headers: { "Content-Type": "text/xml; charset=UTF-8" },
+    body: xml,
+    contentType: "text/xml",
+    validation: reqValidation
+  });
+  const res = await sendCxml(conn.punchoutUrl, xml);
+  const respValidation = res.error ? void 0 : validateDocument(res.body, { connection: conn, forceDocType: "SetupResponse" });
+  const respLog = appendLog({
+    sessionId: buyerCookie,
+    connectionId: conn.id,
+    direction: "in",
+    docType: "SetupResponse",
+    status: res.status,
+    headers: res.headers,
+    body: res.error ? `<!-- transport error: ${res.error} -->` : res.body,
+    contentType: res.contentType,
+    validation: respValidation
+  });
+  const startPage = res.error ? void 0 : getStartPage(parseXml(res.body));
+  const status = res.error ? void 0 : getStatus(parseXml(res.body));
+  return c.json({
+    buyerCookie,
+    transportError: res.error,
+    httpStatus: res.status,
+    startPage,
+    statusCode: status?.code,
+    request: reqLog,
+    response: respLog
+  });
+});
+flowRoute.post("/:id/order", async (c) => {
+  const conn = getConnection(c.req.param("id"));
+  const err = requireVirtualBuyer(conn);
+  if (err) return c.json({ error: err }, 400);
+  const body = await c.req.json().catch(() => ({}));
+  const sessionId = body.sessionId || `pos-${nanoid5(16)}`;
+  const items = body.items ?? [];
+  const currency = body.currency || items[0]?.currency || "USD";
+  const total = body.total ?? items.reduce((s, it) => s + (it.unitPriceAmount ?? 0) * it.quantity, 0);
+  const orderId = body.orderId || `PO-${nanoid5(8)}`;
+  const dangling = !!body.danglingCid;
+  const inputAtts = body.attachments ?? [];
+  const attMeta = inputAtts.map((a) => ({
+    contentId: a.contentId,
+    scope: a.scope === "order" || a.scope == null ? "order" : { itemIndex: Number(a.scope) }
+  }));
+  const xml = body.xml || buildOrderRequest({
+    from: conn.from,
+    to: conn.to,
+    sender: conn.sender,
+    sharedSecret: conn.sharedSecret,
+    orderId,
+    orderDate: (/* @__PURE__ */ new Date()).toISOString(),
+    payloadId: makePayloadId(host(), (/* @__PURE__ */ new Date()).toISOString()),
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    deploymentMode: conn.deploymentMode,
+    currency,
+    total,
+    items,
+    shipTo: body.shipTo,
+    billTo: body.billTo,
+    attachments: attMeta
+  });
+  let wireBody = xml;
+  let wireContentType = "text/xml; charset=UTF-8";
+  const availableContentIds = /* @__PURE__ */ new Set();
+  const savedRefs = [];
+  if (inputAtts.length > 0) {
+    const parts = inputAtts.map((a) => {
+      const actualCid = dangling ? `${a.contentId}-MISSING` : a.contentId;
+      availableContentIds.add(actualCid);
+      const data = Buffer.from(a.dataBase64, "base64");
+      savedRefs.push(
+        saveAttachment(data, {
+          contentId: actualCid,
+          filename: a.filename,
+          contentType: a.contentType || "application/octet-stream"
+        })
+      );
+      return {
+        contentId: actualCid,
+        filename: a.filename,
+        contentType: a.contentType || "application/octet-stream",
+        data
+      };
+    });
+    const built = buildMultipartRelated(xml, parts);
+    wireBody = built.body;
+    wireContentType = built.contentType;
+  }
+  const reqValidation = validateDocument(xml, {
+    connection: conn,
+    forceDocType: "OrderRequest",
+    availableContentIds: inputAtts.length > 0 ? availableContentIds : void 0
+  });
+  const reqLog = appendLog({
+    sessionId,
+    connectionId: conn.id,
+    direction: "out",
+    docType: "OrderRequest",
+    headers: { "Content-Type": wireContentType },
+    body: xml,
+    contentType: wireContentType,
+    validation: reqValidation,
+    attachments: savedRefs,
+    note: dangling ? "dangling-cid test" : void 0
+  });
+  const res = await sendCxml(conn.orderUrl, wireBody, wireContentType);
+  const respValidation = res.error ? void 0 : validateDocument(res.body, { connection: conn, forceDocType: "OrderResponse" });
+  const respLog = appendLog({
+    sessionId,
+    connectionId: conn.id,
+    direction: "in",
+    docType: "OrderResponse",
+    status: res.status,
+    headers: res.headers,
+    body: res.error ? `<!-- transport error: ${res.error} -->` : res.body,
+    contentType: res.contentType,
+    validation: respValidation
+  });
+  const status = res.error ? void 0 : getStatus(parseXml(res.body));
+  return c.json({
+    transportError: res.error,
+    httpStatus: res.status,
+    statusCode: status?.code,
+    statusText: status?.text,
+    request: reqLog,
+    response: respLog
+  });
+});
+
+// src/server/routes/punchout-return.ts
+import { Hono as Hono3 } from "hono";
+var punchoutReturnRoute = new Hono3();
+async function extractCxml(c) {
+  const ct = (c.req.header("content-type") ?? "").toLowerCase();
+  if (ct.includes("application/x-www-form-urlencoded") || ct.includes("multipart/form-data")) {
+    const form = await c.req.parseBody();
+    if (typeof form["cxml-urlencoded"] === "string") return form["cxml-urlencoded"];
+    if (typeof form["cxml-base64"] === "string") {
+      return Buffer.from(form["cxml-base64"], "base64").toString("utf8");
+    }
+    const firstString = Object.values(form).find((v) => typeof v === "string");
+    if (typeof firstString === "string" && firstString.includes("<cXML")) return firstString;
+  }
+  return c.req.text();
+}
+function htmlReceipt(ok, itemCount) {
+  return `<!doctype html><html lang="en"><head><meta charset="utf-8">
+<title>punchout-simulator \u2014 cart received</title>
+<style>
+  body{font-family:system-ui,sans-serif;background:#0f172a;color:#e2e8f0;display:flex;
+       min-height:100vh;align-items:center;justify-content:center;margin:0}
+  .card{background:#1e293b;padding:2.5rem 3rem;border-radius:14px;text-align:center;
+        box-shadow:0 10px 40px rgba(0,0,0,.4);max-width:420px}
+  .icon{font-size:3rem}
+  h1{font-size:1.25rem;margin:.5rem 0}
+  p{color:#94a3b8;line-height:1.5}
+  .ok{color:#34d399}.bad{color:#f87171}
+</style></head><body><div class="card">
+  <div class="icon ${ok ? "ok" : "bad"}">${ok ? "\u2713" : "\u26A0"}</div>
+  <h1>Cart returned to punchout-simulator</h1>
+  <p>${ok ? `Received ${itemCount} item(s).` : "The punchback had validation issues."}
+     Switch back to the punchout-simulator tab to inspect the cart and build the OrderRequest.
+     You can close this tab.</p>
+</div><script>setTimeout(()=>{try{window.close()}catch(e){}},1500)</script></body></html>`;
+}
+punchoutReturnRoute.post("/return", async (c) => {
+  const xml = await extractCxml(c);
+  const doc = parseXml(xml);
+  const cart = parseCart(doc);
+  const sessionId = cart.sessionId || text(root(doc)?.Message?.PunchOutOrderMessage?.BuyerCookie) || "unknown";
+  const connectionId = connectionForSession(sessionId);
+  const conn = connectionId ? getConnection(connectionId) : void 0;
+  const validation = validateDocument(xml, {
+    connection: conn,
+    expectedBuyerCookie: sessionId,
+    forceDocType: "PunchOutOrderMessage"
+  });
+  if (connectionId) rememberSessionConnection(sessionId, connectionId);
+  appendLog({
+    sessionId,
+    connectionId: connectionId ?? "",
+    direction: "in",
+    docType: "PunchOutOrderMessage",
+    headers: { "Content-Type": c.req.header("content-type") ?? "" },
+    body: xml,
+    contentType: c.req.header("content-type") ?? void 0,
+    validation
+  });
+  setCart(cart);
+  bus.emitCart(connectionId ?? "", cart);
+  return c.html(htmlReceipt(validation.ok, cart.items.length));
+});
+
+// src/server/routes/stream.ts
+import { Hono as Hono4 } from "hono";
+import { streamSSE } from "hono/streaming";
+var streamRoute = new Hono4();
+streamRoute.get("/stream", (c) => {
+  return streamSSE(c, async (stream) => {
+    let open = true;
+    let id = 0;
+    const unsubscribe = bus.onEvent((event) => {
+      if (!open) return;
+      void stream.writeSSE({
+        id: String(id++),
+        event: event.type,
+        data: JSON.stringify(event)
+      });
+    });
+    stream.onAbort(() => {
+      open = false;
+      unsubscribe();
+    });
+    await stream.writeSSE({ event: "ready", data: JSON.stringify({ ts: Date.now() }) });
+    while (open) {
+      await stream.sleep(15e3);
+      if (!open) break;
+      await stream.writeSSE({ event: "ping", data: JSON.stringify({ ts: Date.now() }) });
+    }
+  });
+});
+
+// src/server/routes/data.ts
+import { Hono as Hono5 } from "hono";
+var dataRoute = new Hono5();
+dataRoute.get("/health", (c) => c.json({ ok: true }));
+dataRoute.get(
+  "/runtime",
+  (c) => c.json({ publicUrl: getPublicUrl(), callbackUrl: `${getPublicUrl()}/punchout/return` })
+);
+dataRoute.get("/sessions", (c) => c.json(listSessions()));
+dataRoute.get("/sessions/:id", (c) => c.json(readSession(c.req.param("id"))));
+dataRoute.get("/recent", (c) => {
+  const limit = Number(c.req.query("limit") ?? "200");
+  return c.json(readAllRecent(Number.isFinite(limit) ? limit : 200));
+});
+dataRoute.get("/cart/:sessionId", (c) => {
+  const cart = getCart(c.req.param("sessionId"));
+  return cart ? c.json(cart) : c.json({ error: "no cart for session" }, 404);
+});
+dataRoute.get("/attachments/:hash", (c) => {
+  const data = readAttachment(c.req.param("hash"));
+  if (!data) return c.json({ error: "not found" }, 404);
+  c.header("Content-Type", "application/octet-stream");
+  return c.body(data);
+});
+
+// src/server/routes/sim.ts
+import { Hono as Hono6 } from "hono";
+import { nanoid as nanoid6 } from "nanoid";
+var simRoute = new Hono6();
+var DEMO_CATALOG = [
+  {
+    supplierPartId: "WIDGET-001",
+    description: "Premium Steel Widget",
+    unitPrice: 12.5,
+    currency: "USD",
+    uom: "EA",
+    unspsc: "31161500",
+    manufacturerPartId: "MFR-W001",
+    manufacturerName: "Acme Manufacturing"
+  },
+  {
+    supplierPartId: "BOLT-250",
+    description: "M8 Hex Bolt (pack of 250)",
+    unitPrice: 34,
+    currency: "USD",
+    uom: "PK",
+    unspsc: "31161600",
+    manufacturerPartId: "MFR-B250",
+    manufacturerName: "Acme Manufacturing"
+  },
+  {
+    supplierPartId: "TAPE-RED",
+    description: "Industrial Marking Tape, Red",
+    unitPrice: 5.75,
+    currency: "USD",
+    uom: "RL",
+    unspsc: "31201500"
+  }
+];
+function host2() {
+  try {
+    return new URL(getPublicUrl()).host;
+  } catch {
+    return "punchout-simulator";
+  }
+}
+function safeHttpUrl(u) {
+  if (!u) return "";
+  try {
+    const parsed = new URL(u.trim());
+    return parsed.protocol === "http:" || parsed.protocol === "https:" ? u.trim() : "";
+  } catch {
+    return "";
+  }
+}
+function catalogOf(conn) {
+  return conn.catalog && conn.catalog.length > 0 ? conn.catalog : DEMO_CATALOG;
+}
+function requireSupplier(conn) {
+  if (!conn) return "connection not found";
+  if (conn.mode !== "virtual-supplier") return "connection is not in virtual-supplier mode";
+  return null;
+}
+simRoute.post("/:id/punchout", async (c) => {
+  const conn = getConnection(c.req.param("id"));
+  const err = requireSupplier(conn);
+  if (err) return c.text(err, 400);
+  const reqXml = await c.req.text();
+  const doc = parseXml(reqXml);
+  const reqRoot = root(doc)?.Request?.PunchOutSetupRequest;
+  const buyerCookie = text(reqRoot?.BuyerCookie) || `pos-${nanoid6(16)}`;
+  const formPost = safeHttpUrl(text(reqRoot?.BrowserFormPost?.URL));
+  const reqValidation = validateDocument(reqXml, {
+    connection: conn,
+    forceDocType: "SetupRequest"
+  });
+  appendLog({
+    sessionId: buyerCookie,
+    connectionId: conn.id,
+    direction: "in",
+    docType: "SetupRequest",
+    headers: { "Content-Type": c.req.header("content-type") ?? "" },
+    body: reqXml,
+    validation: reqValidation
+  });
+  const startPageUrl = `${getPublicUrl()}/sim/${conn.id}/catalog?cookie=${encodeURIComponent(
+    buyerCookie
+  )}&formpost=${encodeURIComponent(formPost)}`;
+  const respXml = buildSetupResponse({
+    payloadId: makePayloadId(host2(), (/* @__PURE__ */ new Date()).toISOString()),
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    startPageUrl,
+    from: conn.from,
+    to: conn.to,
+    sender: conn.sender
+  });
+  appendLog({
+    sessionId: buyerCookie,
+    connectionId: conn.id,
+    direction: "out",
+    docType: "SetupResponse",
+    headers: { "Content-Type": "text/xml; charset=UTF-8" },
+    body: respXml,
+    validation: validateDocument(respXml, { forceDocType: "SetupResponse" })
+  });
+  c.header("Content-Type", "text/xml; charset=UTF-8");
+  return c.body(respXml);
+});
+simRoute.get("/:id/catalog", (c) => {
+  const conn = getConnection(c.req.param("id"));
+  const err = requireSupplier(conn);
+  if (err) return c.text(err, 400);
+  const cookie = c.req.query("cookie") ?? "";
+  const formpost = c.req.query("formpost") ?? "";
+  const items = catalogOf(conn);
+  const rows = items.map(
+    (it, i) => `<tr>
+      <td><strong>${escapeHtml(it.description)}</strong><br><small>${escapeHtml(
+      it.supplierPartId
+    )} \xB7 ${escapeHtml(it.uom)} \xB7 UNSPSC ${escapeHtml(it.unspsc)}</small></td>
+      <td class="price">${it.currency} ${it.unitPrice.toFixed(2)}</td>
+      <td><input type="number" name="q_${i}" value="0" min="0" step="1" inputmode="numeric"></td>
+    </tr>`
+  ).join("\n");
+  return c.html(`<!doctype html><html lang="en"><head><meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>${escapeHtml(conn.name)} \u2014 mock catalog</title>
+<style>
+  body{font-family:system-ui,sans-serif;background:#0f172a;color:#e2e8f0;margin:0;padding:2rem}
+  .wrap{max-width:720px;margin:0 auto}
+  h1{font-size:1.4rem}.sub{color:#94a3b8;margin-bottom:1.5rem}
+  table{width:100%;border-collapse:collapse;background:#1e293b;border-radius:12px;overflow:hidden}
+  th,td{padding:.75rem 1rem;text-align:left;border-bottom:1px solid #334155}
+  th{background:#0b1220;font-size:.8rem;text-transform:uppercase;letter-spacing:.05em;color:#94a3b8}
+  .price{white-space:nowrap;color:#fbbf24}
+  input[type=number]{width:5rem;background:#0b1220;border:1px solid #334155;color:#e2e8f0;
+    border-radius:6px;padding:.35rem .5rem}
+  button{margin-top:1.5rem;background:#6366f1;color:#fff;border:0;border-radius:8px;
+    padding:.7rem 1.4rem;font-size:1rem;cursor:pointer}
+  button:hover{background:#4f46e5}
+</style></head><body><div class="wrap">
+  <h1>${escapeHtml(conn.name)} <small>(virtual supplier)</small></h1>
+  <div class="sub">Mock catalog served by punchout-simulator. Set quantities and return the cart.</div>
+  <form method="post" action="${getPublicUrl()}/sim/${conn.id}/checkout">
+    <input type="hidden" name="cookie" value="${escapeHtml(cookie)}">
+    <input type="hidden" name="formpost" value="${escapeHtml(formpost)}">
+    <table><thead><tr><th>Item</th><th>Price</th><th>Qty</th></tr></thead>
+    <tbody>${rows}</tbody></table>
+    <button type="submit">Return cart to buyer \u2192</button>
+  </form>
+</div></body></html>`);
+});
+simRoute.post("/:id/checkout", async (c) => {
+  const conn = getConnection(c.req.param("id"));
+  const err = requireSupplier(conn);
+  if (err) return c.text(err, 400);
+  const form = await c.req.parseBody();
+  const cookie = String(form.cookie ?? `pos-${nanoid6(16)}`);
+  const formpost = safeHttpUrl(String(form.formpost ?? ""));
+  const catalog = catalogOf(conn);
+  const items = [];
+  catalog.forEach((it, i) => {
+    const qty = Number(form[`q_${i}`] ?? 0);
+    if (qty > 0) {
+      items.push({
+        quantity: qty,
+        supplierPartId: it.supplierPartId,
+        description: it.description,
+        uom: it.uom,
+        unitPriceAmount: it.unitPrice,
+        currency: it.currency,
+        classificationDomain: "UNSPSC",
+        classification: it.unspsc,
+        manufacturerPartId: it.manufacturerPartId,
+        manufacturerName: it.manufacturerName
+      });
+    }
+  });
+  const currency = items[0]?.currency ?? "USD";
+  const xml = buildPunchOutOrderMessage({
+    from: conn.from,
+    to: conn.to,
+    sender: conn.sender,
+    buyerCookie: cookie,
+    payloadId: makePayloadId(host2(), (/* @__PURE__ */ new Date()).toISOString()),
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    currency,
+    items
+  });
+  appendLog({
+    sessionId: cookie,
+    connectionId: conn.id,
+    direction: "out",
+    docType: "PunchOutOrderMessage",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: xml,
+    validation: validateDocument(xml, { connection: conn, forceDocType: "PunchOutOrderMessage" })
+  });
+  return c.html(`<!doctype html><html lang="en"><head><meta charset="utf-8">
+<title>Returning cart\u2026</title></head>
+<body onload="document.forms[0].submit()" style="font-family:system-ui;background:#0f172a;color:#e2e8f0">
+  <p style="padding:2rem">Returning cart to the buyer\u2026</p>
+  <form method="post" action="${escapeHtml(formpost)}">
+    <input type="hidden" name="cxml-urlencoded" value="${escapeHtml(xml)}">
+    <noscript><button type="submit">Continue</button></noscript>
+  </form>
+</body></html>`);
+});
+simRoute.post("/:id/order", async (c) => {
+  const conn = getConnection(c.req.param("id"));
+  const err = requireSupplier(conn);
+  if (err) return c.text(err, 400);
+  const ct = c.req.header("content-type") ?? "";
+  const raw = Buffer.from(await c.req.arrayBuffer());
+  let xml;
+  const availableContentIds = /* @__PURE__ */ new Set();
+  const savedRefs = [];
+  if (isMultipart(ct)) {
+    const mp = parseMultipartRelated(raw, ct);
+    xml = mp.root?.body.toString("utf8") ?? "";
+    for (const part of mp.parts) {
+      if (part === mp.root) continue;
+      const cid = normalizeContentId(part.contentId);
+      if (cid) availableContentIds.add(cid);
+      savedRefs.push(
+        saveAttachment(part.body, {
+          contentId: cid,
+          contentType: part.contentType ?? "application/octet-stream"
+        })
+      );
+    }
+  } else {
+    xml = raw.toString("utf8");
+  }
+  const doc = parseXml(xml);
+  const sessionId = findSessionForOrder(doc) ?? `order-${nanoid6(8)}`;
+  const validation = validateDocument(xml, {
+    connection: conn,
+    forceDocType: "OrderRequest",
+    availableContentIds: isMultipart(ct) ? availableContentIds : void 0
+  });
+  appendLog({
+    sessionId,
+    connectionId: conn.id,
+    direction: "in",
+    docType: "OrderRequest",
+    headers: { "Content-Type": ct },
+    body: xml,
+    contentType: ct,
+    validation,
+    attachments: savedRefs
+  });
+  const ok = validation.ok;
+  const respXml = buildResponseStatus({
+    payloadId: makePayloadId(host2(), (/* @__PURE__ */ new Date()).toISOString()),
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    statusCode: ok ? "200" : "400",
+    statusText: ok ? "OK" : "Bad Request",
+    from: conn.from,
+    to: conn.to,
+    sender: conn.sender
+  });
+  appendLog({
+    sessionId,
+    connectionId: conn.id,
+    direction: "out",
+    docType: "OrderResponse",
+    headers: { "Content-Type": "text/xml; charset=UTF-8" },
+    body: respXml,
+    validation: validateDocument(respXml, { forceDocType: "OrderResponse" })
+  });
+  c.header("Content-Type", "text/xml; charset=UTF-8");
+  return c.body(respXml, ok ? 200 : 400);
+});
+function findSessionForOrder(doc) {
+  const header2 = root(doc)?.Request?.OrderRequest?.OrderRequestHeader;
+  const orderId = header2 ? attrOf(header2, "orderID") : void 0;
+  return orderId ? `order-${orderId}` : void 0;
+}
+function attrOf(node, name) {
+  const v = node?.[`@_${name}`];
+  return v == null ? void 0 : String(v);
+}
+function escapeHtml(s) {
+  return escapeXml(s);
+}
+
+// src/server/app.ts
+import { relative } from "path";
+function createApp(opts = {}) {
+  const app = new Hono7();
+  if (!opts.quiet) app.use("*", logger());
+  app.route("/api/connections", connectionsRoute);
+  app.route("/api/connections", flowRoute);
+  app.route("/api", dataRoute);
+  app.route("/api", streamRoute);
+  app.route("/punchout", punchoutReturnRoute);
+  app.route("/sim", simRoute);
+  if (opts.webRoot && existsSync3(opts.webRoot)) {
+    app.use(
+      "/*",
+      serveStatic({
+        root: relativeToCwd(opts.webRoot),
+        // SPA fallback: unknown non-API routes return index.html.
+        rewriteRequestPath: (path) => path
+      })
+    );
+    app.get("/*", serveStatic({ root: relativeToCwd(opts.webRoot), path: "index.html" }));
+  }
+  return app;
+}
+function relativeToCwd(abs) {
+  const rel = relative(process.cwd(), abs);
+  return rel === "" ? "." : rel;
+}
+
+// src/server/seed.ts
+async function seedDemoIfEmpty() {
+  if (listConnections().length > 0) return;
+  const supplier = await createConnection({
+    id: "demo-supplier",
+    name: "Demo Supplier (built-in mock)",
+    mode: "virtual-supplier",
+    from: { domain: "DUNS", identity: "987654321" },
+    // supplier identity (the tool)
+    to: { domain: "DUNS", identity: "123456789" },
+    // buyer identity (counterparty)
+    sender: { domain: "DUNS", identity: "987654321" },
+    sharedSecret: "demo-secret",
+    deploymentMode: "test",
+    authStyle: "SharedSecret",
+    catalog: []
+  });
+  await createConnection({
+    id: "demo-buyer",
+    name: "Demo Buyer \u2192 built-in supplier",
+    mode: "virtual-buyer",
+    from: { domain: "DUNS", identity: "123456789" },
+    // buyer identity (the tool)
+    to: { domain: "DUNS", identity: "987654321" },
+    // supplier identity (counterparty)
+    sender: { domain: "DUNS", identity: "123456789" },
+    sharedSecret: "demo-secret",
+    deploymentMode: "test",
+    authStyle: "SharedSecret",
+    punchoutUrl: `${getPublicUrl()}/sim/${supplier.id}/punchout`,
+    orderUrl: `${getPublicUrl()}/sim/${supplier.id}/order`
+  });
+}
+
+// src/server/cli.ts
+function parseFlags(argv) {
+  const flags = {
+    port: Number(process.env.PORT ?? 8080),
+    dataDir: process.env.DATA_DIR ?? "./data",
+    open: true,
+    dev: false,
+    seed: true
+  };
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    const next = () => argv[++i];
+    switch (a) {
+      case "--port":
+      case "-p":
+        flags.port = Number(next());
+        break;
+      case "--data-dir":
+      case "-d":
+        flags.dataDir = next();
+        break;
+      case "--public-url":
+        flags.publicUrl = next();
+        break;
+      case "--no-open":
+        flags.open = false;
+        break;
+      case "--dev":
+        flags.dev = true;
+        flags.open = false;
+        break;
+      case "--no-seed":
+        flags.seed = false;
+        break;
+      case "--help":
+      case "-h":
+        printHelp();
+        process.exit(0);
+    }
+  }
+  return flags;
+}
+function printHelp() {
+  console.log(`punchout-simulator \u2014 test cXML PunchOut integrations as a virtual counterparty
+
+Usage: punchout-simulator [options]
+
+Options:
+  -p, --port <n>         Port to listen on (default 8080)
+  -d, --data-dir <path>  Where to store config + logs (default ./data)
+      --public-url <url> Externally reachable base URL (default http://localhost:<port>)
+                         Set this when fronting the tool with ngrok/cloudflared.
+      --no-open          Do not open a browser on start
+      --no-seed          Do not seed the built-in demo connections on first run
+      --dev              Dev mode (do not serve SPA, do not open browser)
+  -h, --help             Show this help
+`);
+}
+async function main() {
+  const flags = parseFlags(process.argv.slice(2));
+  const publicUrl = flags.publicUrl ?? `http://localhost:${flags.port}`;
+  setDataDir(flags.dataDir);
+  setRuntime({ port: flags.port, publicUrl });
+  await initConfig();
+  if (flags.seed) await seedDemoIfEmpty();
+  const webRoot = flags.dev ? void 0 : fileURLToPath(new URL("../web", import.meta.url));
+  const app = createApp({ webRoot, quiet: false });
+  serve({ fetch: app.fetch, port: flags.port }, (info) => {
+    const url = `http://localhost:${info.port}`;
+    console.log(`
+  punchout-simulator listening on ${url}`);
+    if (getPublicUrl() !== url) console.log(`  public URL: ${getPublicUrl()}`);
+    console.log(`  data dir:   ${flags.dataDir}`);
+    console.log(`  callback:   ${getPublicUrl()}/punchout/return
+`);
+    if (flags.open) {
+      import("open").then((m) => m.default(url)).catch(() => {
+      });
+    }
+  });
+}
+main().catch((e) => {
+  console.error(e);
+  process.exit(1);
+});
+//# sourceMappingURL=cli.js.map