punchout-simulator 0.1.5 → 0.3.0

package/dist/server/cli.js

@@ -3,23 +3,149 @@
 // src/server/cli.ts
 import { fileURLToPath } from "url";
 import { serve } from "@hono/node-server";
+import { nanoid as nanoid7 } from "nanoid";
 
 // src/server/app.ts
 import { existsSync as existsSync3 } from "fs";
-import { Hono as Hono7 } from "hono";
+import { Hono as Hono9 } from "hono";
 import { logger } from "hono/logger";
+import { bodyLimit } from "hono/body-limit";
+import { getCookie } from "hono/cookie";
 import { serveStatic } from "@hono/node-server/serve-static";
 
+// src/server/runtime.ts
+var runtime = {
+  port: 8080,
+  publicUrl: "http://localhost:8080"
+};
+function setRuntime(r) {
+  Object.assign(runtime, r);
+}
+function getToken() {
+  return runtime.token;
+}
+function getPublicUrl() {
+  return runtime.publicUrl.replace(/\/$/, "");
+}
+function browserFormPostUrl() {
+  return `${getPublicUrl()}/punchout/return`;
+}
+
 // src/server/routes/connections.ts
 import { Hono } from "hono";
 
 // src/server/store/config.ts
+import { chmodSync as chmodSync2 } from "fs";
 import { Low } from "lowdb";
 import { JSONFile } from "lowdb/node";
 import { nanoid } from "nanoid";
 
+// src/server/cxml/profile-presets.ts
+var PROFILE_PRESETS = [
+  {
+    id: "generic",
+    name: "Generic cXML",
+    platform: "Generic",
+    builtin: true,
+    dtdVersions: { default: "1.2.045" },
+    userAgent: "punchout-simulator",
+    setupOperation: "create",
+    attachmentEncoding: "binary",
+    cartReturnTransport: "cxml-urlencoded",
+    extrinsics: []
+  },
+  {
+    id: "ariba",
+    name: "SAP Ariba",
+    platform: "Ariba",
+    builtin: true,
+    dtdVersions: { default: "1.2.045", PunchOutOrderMessage: "1.2.045" },
+    userAgent: "Ariba Network/1.0",
+    setupOperation: "create",
+    attachmentEncoding: "base64",
+    cartReturnTransport: "cxml-urlencoded",
+    extrinsics: [{ name: "User", value: "${buyerCookie}", scope: "setup" }]
+  },
+  {
+    id: "coupa",
+    name: "Coupa",
+    platform: "Coupa",
+    builtin: true,
+    // Coupa publishes specific DTD versions per document type.
+    dtdVersions: { default: "1.2.014", PunchOutOrderMessage: "1.2.023" },
+    userAgent: "Coupa Procurement",
+    setupOperation: "create",
+    attachmentEncoding: "base64",
+    cartReturnTransport: "cxml-urlencoded",
+    extrinsics: []
+  },
+  {
+    id: "jaggaer",
+    name: "JAGGAER",
+    platform: "Jaggaer",
+    builtin: true,
+    dtdVersions: { default: "1.2.021" },
+    userAgent: "JAGGAER Procurement",
+    setupOperation: "create",
+    attachmentEncoding: "binary",
+    cartReturnTransport: "cxml-urlencoded",
+    extrinsics: []
+  },
+  {
+    id: "oracle",
+    name: "Oracle iProcurement",
+    platform: "Oracle",
+    builtin: true,
+    dtdVersions: { default: "1.2.008" },
+    userAgent: "Oracle iProcurement",
+    setupOperation: "create",
+    attachmentEncoding: "binary",
+    cartReturnTransport: "cxml-urlencoded",
+    extrinsics: []
+  },
+  {
+    id: "sap-srm",
+    name: "SAP SRM / Business Network",
+    platform: "SAP",
+    builtin: true,
+    // NOTE: real SAP SRM speaks OCI (form parameters), which this cXML-only tool
+    // cannot emit. This profile models the cXML/Business-Network side: base64
+    // attachments and a base64 cart return.
+    dtdVersions: { default: "1.2.040" },
+    userAgent: "SAP Business Network",
+    setupOperation: "create",
+    attachmentEncoding: "base64",
+    cartReturnTransport: "cxml-base64",
+    extrinsics: []
+  },
+  {
+    id: "workday",
+    name: "Workday",
+    platform: "Workday",
+    builtin: true,
+    dtdVersions: { default: "1.2.045" },
+    userAgent: "Workday Strategic Sourcing",
+    setupOperation: "create",
+    attachmentEncoding: "base64",
+    cartReturnTransport: "cxml-urlencoded",
+    extrinsics: []
+  }
+];
+var GENERIC_PROFILE = {
+  ...PROFILE_PRESETS[0],
+  createdAt: "",
+  updatedAt: ""
+};
+function seedBuiltinProfiles(data, now2) {
+  for (const preset of PROFILE_PRESETS) {
+    if (!data.profiles.some((p) => p.id === preset.id)) {
+      data.profiles.push({ ...preset, createdAt: now2, updatedAt: now2 });
+    }
+  }
+}
+
 // src/server/store/paths.ts
-import { mkdirSync } from "fs";
+import { chmodSync, mkdirSync } from "fs";
 import { resolve } from "path";
 var dataDir = resolve(process.cwd(), "data");
 function setDataDir(dir) {
@@ -40,9 +166,13 @@ function sessionFile(sessionId) {
   return resolve(sessionsDir(), `${safe}.jsonl`);
 }
 function ensureDirs() {
-  mkdirSync(dataDir, { recursive: true });
-  mkdirSync(sessionsDir(), { recursive: true });
-  mkdirSync(attachmentsDir(), { recursive: true });
+  for (const d of [dataDir, sessionsDir(), attachmentsDir()]) {
+    mkdirSync(d, { recursive: true, mode: 448 });
+    try {
+      chmodSync(d, 448);
+    } catch {
+    }
+  }
 }
 
 // src/server/store/config.ts
@@ -50,29 +180,86 @@ var db = null;
 async function initConfig() {
   ensureDirs();
   const adapter = new JSONFile(configPath());
-  db = new Low(adapter, { connections: [] });
+  db = new Low(adapter, { buyers: [], suppliers: [], connections: [], profiles: [] });
   await db.read();
-  db.data ||= { connections: [] };
+  db.data ||= { buyers: [], suppliers: [], connections: [], profiles: [] };
+  db.data.buyers ||= [];
+  db.data.suppliers ||= [];
+  db.data.connections ||= [];
+  db.data.profiles ||= [];
+  seedBuiltinProfiles(db.data, now());
+  migrateLegacy(db.data);
   await db.write();
+  try {
+    chmodSync2(configPath(), 384);
+  } catch {
+  }
 }
 function requireDb() {
   if (!db) throw new Error("config store not initialized \u2014 call initConfig() first");
   return db;
 }
-function listConnections() {
-  return requireDb().data.connections;
+var now = () => (/* @__PURE__ */ new Date()).toISOString();
+var listBuyers = () => requireDb().data.buyers;
+var getBuyer = (id) => requireDb().data.buyers.find((b) => b.id === id);
+async function createBuyer(input) {
+  const buyer = { ...input, id: input.id ?? nanoid(8), createdAt: now(), updatedAt: now() };
+  const d = requireDb();
+  d.data.buyers.push(buyer);
+  await d.write();
+  return buyer;
 }
-function getConnection(id) {
-  return requireDb().data.connections.find((c) => c.id === id);
+async function updateBuyer(id, patch) {
+  const d = requireDb();
+  const existing = d.data.buyers.find((b) => b.id === id);
+  if (!existing) return void 0;
+  Object.assign(existing, patch, { id, updatedAt: now() });
+  await d.write();
+  return existing;
+}
+async function deleteBuyer(id) {
+  const d = requireDb();
+  if (d.data.connections.some((c) => c.buyerId === id)) {
+    throw new Error("buyer is referenced by a connection");
+  }
+  const before = d.data.buyers.length;
+  d.data.buyers = d.data.buyers.filter((b) => b.id !== id);
+  const removed = d.data.buyers.length < before;
+  if (removed) await d.write();
+  return removed;
+}
+var listSuppliers = () => requireDb().data.suppliers;
+var getSupplier = (id) => requireDb().data.suppliers.find((s) => s.id === id);
+async function createSupplier(input) {
+  const supplier = { ...input, id: input.id ?? nanoid(8), createdAt: now(), updatedAt: now() };
+  const d = requireDb();
+  d.data.suppliers.push(supplier);
+  await d.write();
+  return supplier;
+}
+async function updateSupplier(id, patch) {
+  const d = requireDb();
+  const existing = d.data.suppliers.find((s) => s.id === id);
+  if (!existing) return void 0;
+  Object.assign(existing, patch, { id, updatedAt: now() });
+  await d.write();
+  return existing;
 }
+async function deleteSupplier(id) {
+  const d = requireDb();
+  if (d.data.connections.some((c) => c.supplierId === id)) {
+    throw new Error("supplier is referenced by a connection");
+  }
+  const before = d.data.suppliers.length;
+  d.data.suppliers = d.data.suppliers.filter((s) => s.id !== id);
+  const removed = d.data.suppliers.length < before;
+  if (removed) await d.write();
+  return removed;
+}
+var listConnections = () => requireDb().data.connections;
+var getConnection = (id) => requireDb().data.connections.find((c) => c.id === id);
 async function createConnection(input) {
-  const now = (/* @__PURE__ */ new Date()).toISOString();
-  const conn = {
-    ...input,
-    id: input.id ?? nanoid(8),
-    createdAt: now,
-    updatedAt: now
-  };
+  const conn = { ...input, id: input.id ?? nanoid(8), createdAt: now(), updatedAt: now() };
   const d = requireDb();
   d.data.connections.push(conn);
   await d.write();
@@ -82,7 +269,7 @@ async function updateConnection(id, patch) {
   const d = requireDb();
   const existing = d.data.connections.find((c) => c.id === id);
   if (!existing) return void 0;
-  Object.assign(existing, patch, { id, updatedAt: (/* @__PURE__ */ new Date()).toISOString() });
+  Object.assign(existing, patch, { id, updatedAt: now() });
   await d.write();
   return existing;
 }
@@ -94,65 +281,353 @@ async function deleteConnection(id) {
   if (removed) await d.write();
   return removed;
 }
+function resolveConnection(id) {
+  const connection = getConnection(id);
+  if (!connection) return void 0;
+  const buyer = getBuyer(connection.buyerId);
+  const supplier = getSupplier(connection.supplierId);
+  if (!buyer || !supplier) return void 0;
+  return { connection, buyer, supplier };
+}
+function findConnectionBySupplierAndBuyerIdentity(supplierId, from) {
+  const d = requireDb();
+  for (const connection of d.data.connections) {
+    if (connection.supplierId !== supplierId) continue;
+    const buyer = getBuyer(connection.buyerId);
+    if (!buyer) continue;
+    if (from && buyer.identity.domain === from.domain && buyer.identity.identity === from.identity) {
+      const supplier = getSupplier(supplierId);
+      if (supplier) return { connection, buyer, supplier };
+    }
+  }
+  return void 0;
+}
+var listProfiles = () => requireDb().data.profiles;
+var getProfile = (id) => requireDb().data.profiles.find((p) => p.id === id);
+async function createProfile(input) {
+  const profile = { ...input, id: input.id ?? nanoid(8), createdAt: now(), updatedAt: now() };
+  const d = requireDb();
+  d.data.profiles.push(profile);
+  await d.write();
+  return profile;
+}
+async function updateProfile(id, patch) {
+  const d = requireDb();
+  const existing = d.data.profiles.find((p) => p.id === id);
+  if (!existing) return void 0;
+  Object.assign(existing, patch, { id, updatedAt: now() });
+  await d.write();
+  return existing;
+}
+async function deleteProfile(id) {
+  const d = requireDb();
+  if (d.data.buyers.some((b) => b.profileId === id)) {
+    throw new Error("profile is referenced by a buyer");
+  }
+  const before = d.data.profiles.length;
+  d.data.profiles = d.data.profiles.filter((p) => p.id !== id);
+  const removed = d.data.profiles.length < before;
+  if (removed) await d.write();
+  return removed;
+}
+function profileForBuyer(buyer) {
+  const p = buyer.profileId ? getProfile(buyer.profileId) : void 0;
+  return p ?? getProfile("generic") ?? GENERIC_PROFILE;
+}
+function effectiveProfile(connection, buyer) {
+  const p = profileForBuyer(buyer);
+  return {
+    dtdVersions: p.dtdVersions,
+    userAgent: p.userAgent,
+    setupOperation: p.setupOperation,
+    // Connection attachmentEncoding is concrete by construction → explicit override.
+    attachmentEncoding: connection.attachmentEncoding ?? p.attachmentEncoding,
+    cartReturnTransport: p.cartReturnTransport,
+    extrinsics: p.extrinsics
+  };
+}
+function dtdVersionFor(eff, docType) {
+  return eff.dtdVersions[docType] ?? eff.dtdVersions.default;
+}
+function migrateLegacy(data) {
+  const legacy = data.connections.filter((c) => "from" in c || "to" in c);
+  if (legacy.length === 0) return;
+  const buyerKey = (c) => `${c.domain}|${c.identity}`;
+  const findOrAddBuyer = (name, identity) => {
+    const found = data.buyers.find((b) => buyerKey(b.identity) === buyerKey(identity));
+    if (found) return found.id;
+    const buyer = { id: nanoid(8), name, identity, createdAt: now(), updatedAt: now() };
+    data.buyers.push(buyer);
+    return buyer.id;
+  };
+  const findOrAddSupplier = (s) => {
+    const found = data.suppliers.find((x) => buyerKey(x.identity) === buyerKey(s.identity));
+    if (found) return found.id;
+    const supplier = {
+      id: nanoid(8),
+      name: s.name ?? "Supplier",
+      identity: s.identity,
+      punchoutUrl: s.punchoutUrl,
+      orderUrl: s.orderUrl,
+      catalog: s.catalog,
+      createdAt: now(),
+      updatedAt: now()
+    };
+    data.suppliers.push(supplier);
+    return supplier.id;
+  };
+  const migrated = [];
+  for (const c of data.connections) {
+    if (!("from" in c) && !("to" in c)) {
+      migrated.push(c);
+      continue;
+    }
+    const isSupplierMode = c.mode === "virtual-supplier";
+    const buyerCred = isSupplierMode ? c.to : c.from;
+    const supplierCred = isSupplierMode ? c.from : c.to;
+    const buyerId = findOrAddBuyer(isSupplierMode ? "Buyer" : c.name, buyerCred);
+    const supplierId = findOrAddSupplier({
+      name: isSupplierMode ? c.name : "Supplier",
+      identity: supplierCred,
+      punchoutUrl: c.punchoutUrl,
+      orderUrl: c.orderUrl,
+      catalog: c.catalog
+    });
+    migrated.push({
+      id: c.id ?? nanoid(8),
+      name: c.name ?? "Connection",
+      buyerId,
+      supplierId,
+      mode: c.mode ?? "virtual-buyer",
+      sharedSecret: c.sharedSecret ?? "",
+      senderIdentity: c.sender,
+      deploymentMode: c.deploymentMode ?? "test",
+      createdAt: c.createdAt ?? now(),
+      updatedAt: now()
+    });
+  }
+  data.connections = migrated;
+}
 
 // src/server/routes/connections.ts
 var connectionsRoute = new Hono();
-var emptyCredential = () => ({ domain: "", identity: "" });
 function normalize(body) {
-  const cred = (c) => c && typeof c === "object" ? { domain: String(c.domain ?? ""), identity: String(c.identity ?? "") } : emptyCredential();
+  const sender = body?.senderIdentity && (body.senderIdentity.domain || body.senderIdentity.identity) ? { domain: String(body.senderIdentity.domain ?? ""), identity: String(body.senderIdentity.identity ?? "") } : void 0;
   return {
-    name: String(body?.name ?? "Untitled connection"),
+    name: String(body?.name ?? ""),
+    buyerId: String(body?.buyerId ?? ""),
+    supplierId: String(body?.supplierId ?? ""),
     mode: body?.mode === "virtual-supplier" ? "virtual-supplier" : "virtual-buyer",
-    from: cred(body?.from),
-    to: cred(body?.to),
-    sender: cred(body?.sender),
     sharedSecret: String(body?.sharedSecret ?? ""),
+    senderIdentity: sender,
     deploymentMode: body?.deploymentMode === "production" ? "production" : "test",
-    authStyle: body?.authStyle === "MAC" ? "MAC" : "SharedSecret",
-    punchoutUrl: body?.punchoutUrl ? String(body.punchoutUrl) : void 0,
-    orderUrl: body?.orderUrl ? String(body.orderUrl) : void 0,
-    catalog: Array.isArray(body?.catalog) ? body.catalog : void 0
+    attachmentEncoding: body?.attachmentEncoding === "base64" ? "base64" : "binary"
   };
 }
-function validateConnection(input) {
+function validate(input) {
   const errors = [];
-  if (!input.name.trim()) errors.push("name is required");
-  if (input.mode === "virtual-buyer") {
-    if (!input.punchoutUrl) errors.push("punchoutUrl is required for virtual-buyer");
-    if (!input.orderUrl) errors.push("orderUrl is required for virtual-buyer");
-  }
+  if (!input.buyerId || !getBuyer(input.buyerId)) errors.push("a valid buyer is required");
+  if (!input.supplierId || !getSupplier(input.supplierId)) errors.push("a valid supplier is required");
   return errors;
 }
-connectionsRoute.get("/", (c) => c.json(listConnections()));
+function withLabel(input) {
+  if (input.name.trim()) return input;
+  const buyer = getBuyer(input.buyerId);
+  const supplier = getSupplier(input.supplierId);
+  return { ...input, name: `${buyer?.name ?? "Buyer"} \u2192 ${supplier?.name ?? "Supplier"}` };
+}
+function maskSecret(conn) {
+  return { ...conn, sharedSecret: "", hasSharedSecret: !!conn.sharedSecret };
+}
+connectionsRoute.get(
+  "/",
+  (c) => c.json(
+    listConnections().map((conn) => ({
+      ...maskSecret(conn),
+      buyer: getBuyer(conn.buyerId),
+      supplier: getSupplier(conn.supplierId)
+    }))
+  )
+);
 connectionsRoute.post("/", async (c) => {
   const input = normalize(await c.req.json().catch(() => ({})));
-  const errors = validateConnection(input);
+  const errors = validate(input);
   if (errors.length) return c.json({ errors }, 400);
-  const created = await createConnection(input);
-  return c.json(created, 201);
+  return c.json(maskSecret(await createConnection(withLabel(input))), 201);
 });
 connectionsRoute.get("/:id", (c) => {
+  const resolved = resolveConnection(c.req.param("id"));
+  if (resolved) return c.json({ ...maskSecret(resolved.connection), buyer: resolved.buyer, supplier: resolved.supplier });
   const conn = getConnection(c.req.param("id"));
-  return conn ? c.json(conn) : c.json({ error: "not found" }, 404);
+  return conn ? c.json(maskSecret(conn)) : c.json({ error: "not found" }, 404);
 });
 connectionsRoute.put("/:id", async (c) => {
-  const id = c.req.param("id");
-  const existing = getConnection(id);
+  const existing = getConnection(c.req.param("id"));
   if (!existing) return c.json({ error: "not found" }, 404);
-  const merged = { ...existing, ...await c.req.json().catch(() => ({})) };
-  const input = normalize(merged);
-  const errors = validateConnection(input);
+  const body = await c.req.json().catch(() => ({}));
+  if (!body || !body.sharedSecret) delete body.sharedSecret;
+  const input = normalize({ ...existing, ...body });
+  const errors = validate(input);
   if (errors.length) return c.json({ errors }, 400);
-  const updated = await updateConnection(id, input);
-  return c.json(updated);
+  return c.json(maskSecret(await updateConnection(c.req.param("id"), withLabel(input))));
 });
 connectionsRoute.delete("/:id", async (c) => {
   const ok = await deleteConnection(c.req.param("id"));
   return ok ? c.json({ ok: true }) : c.json({ error: "not found" }, 404);
 });
 
-// src/server/routes/flow.ts
+// src/server/routes/parties.ts
 import { Hono as Hono2 } from "hono";
+var cred = (c) => ({
+  domain: String(c?.domain ?? ""),
+  identity: String(c?.identity ?? "")
+});
+var buyersRoute = new Hono2();
+function normalizeBuyer(body) {
+  return {
+    name: String(body?.name ?? "Untitled buyer"),
+    identity: cred(body?.identity),
+    profileId: body?.profileId ? String(body.profileId) : void 0
+  };
+}
+buyersRoute.get("/", (c) => c.json(listBuyers()));
+buyersRoute.post("/", async (c) => {
+  const input = normalizeBuyer(await c.req.json().catch(() => ({})));
+  if (!input.name.trim()) return c.json({ errors: ["name is required"] }, 400);
+  return c.json(await createBuyer(input), 201);
+});
+buyersRoute.get("/:id", (c) => {
+  const b = getBuyer(c.req.param("id"));
+  return b ? c.json(b) : c.json({ error: "not found" }, 404);
+});
+buyersRoute.put("/:id", async (c) => {
+  if (!getBuyer(c.req.param("id"))) return c.json({ error: "not found" }, 404);
+  const input = normalizeBuyer(await c.req.json().catch(() => ({})));
+  return c.json(await updateBuyer(c.req.param("id"), input));
+});
+buyersRoute.delete("/:id", async (c) => {
+  try {
+    const ok = await deleteBuyer(c.req.param("id"));
+    return ok ? c.json({ ok: true }) : c.json({ error: "not found" }, 404);
+  } catch (e) {
+    return c.json({ error: e instanceof Error ? e.message : String(e) }, 409);
+  }
+});
+var suppliersRoute = new Hono2();
+function normalizeSupplier(body) {
+  const catalog = Array.isArray(body?.catalog) ? body.catalog.map((it) => ({
+    supplierPartId: String(it?.supplierPartId ?? ""),
+    description: String(it?.description ?? ""),
+    unitPrice: Number(it?.unitPrice ?? 0) || 0,
+    currency: String(it?.currency ?? "USD"),
+    uom: String(it?.uom ?? "EA"),
+    unspsc: String(it?.unspsc ?? ""),
+    manufacturerPartId: it?.manufacturerPartId ? String(it.manufacturerPartId) : void 0,
+    manufacturerName: it?.manufacturerName ? String(it.manufacturerName) : void 0
+  })) : void 0;
+  return {
+    name: String(body?.name ?? "Untitled supplier"),
+    identity: cred(body?.identity),
+    punchoutUrl: body?.punchoutUrl ? String(body.punchoutUrl) : void 0,
+    orderUrl: body?.orderUrl ? String(body.orderUrl) : void 0,
+    catalog
+  };
+}
+suppliersRoute.get("/", (c) => c.json(listSuppliers()));
+suppliersRoute.post("/", async (c) => {
+  const input = normalizeSupplier(await c.req.json().catch(() => ({})));
+  if (!input.name.trim()) return c.json({ errors: ["name is required"] }, 400);
+  return c.json(await createSupplier(input), 201);
+});
+suppliersRoute.get("/:id", (c) => {
+  const s = getSupplier(c.req.param("id"));
+  return s ? c.json(s) : c.json({ error: "not found" }, 404);
+});
+suppliersRoute.put("/:id", async (c) => {
+  if (!getSupplier(c.req.param("id"))) return c.json({ error: "not found" }, 404);
+  const input = normalizeSupplier(await c.req.json().catch(() => ({})));
+  return c.json(await updateSupplier(c.req.param("id"), input));
+});
+suppliersRoute.delete("/:id", async (c) => {
+  try {
+    const ok = await deleteSupplier(c.req.param("id"));
+    return ok ? c.json({ ok: true }) : c.json({ error: "not found" }, 404);
+  } catch (e) {
+    return c.json({ error: e instanceof Error ? e.message : String(e) }, 409);
+  }
+});
+
+// src/server/routes/profiles.ts
+import { Hono as Hono3 } from "hono";
+var profilesRoute = new Hono3();
+var profilePresetsRoute = new Hono3();
+var VERSION_KEYS = [
+  "SetupRequest",
+  "SetupResponse",
+  "PunchOutOrderMessage",
+  "OrderRequest",
+  "OrderResponse"
+];
+function normalizeDtdVersions(v) {
+  const out = { default: String(v?.default ?? "1.2.045") };
+  for (const k of VERSION_KEYS) {
+    if (v?.[k]) out[k] = String(v[k]);
+  }
+  return out;
+}
+function normalizeExtrinsics(v) {
+  if (!Array.isArray(v)) return [];
+  return v.map((e) => ({
+    name: String(e?.name ?? ""),
+    value: String(e?.value ?? ""),
+    scope: e?.scope === "order" ? "order" : "setup"
+  })).filter((e) => e.name.trim().length > 0);
+}
+function normalizeProfile(body) {
+  const setupOperation = ["create", "edit", "inspect"].includes(body?.setupOperation) ? body.setupOperation : "create";
+  const attachmentEncoding = body?.attachmentEncoding === "base64" ? "base64" : "binary";
+  const cartReturnTransport = ["cxml-urlencoded", "cxml-base64", "raw"].includes(
+    body?.cartReturnTransport
+  ) ? body.cartReturnTransport : "cxml-urlencoded";
+  return {
+    name: String(body?.name ?? "Untitled profile"),
+    platform: body?.platform ? String(body.platform) : void 0,
+    dtdVersions: normalizeDtdVersions(body?.dtdVersions),
+    userAgent: String(body?.userAgent ?? "punchout-simulator"),
+    setupOperation,
+    attachmentEncoding,
+    cartReturnTransport,
+    extrinsics: normalizeExtrinsics(body?.extrinsics)
+    // `builtin` is never set from the wire — only code-seeded presets carry it.
+  };
+}
+profilesRoute.get("/", (c) => c.json(listProfiles()));
+profilesRoute.post("/", async (c) => {
+  const input = normalizeProfile(await c.req.json().catch(() => ({})));
+  if (!input.name.trim()) return c.json({ errors: ["name is required"] }, 400);
+  return c.json(await createProfile(input), 201);
+});
+profilesRoute.get("/:id", (c) => {
+  const p = getProfile(c.req.param("id"));
+  return p ? c.json(p) : c.json({ error: "not found" }, 404);
+});
+profilesRoute.put("/:id", async (c) => {
+  if (!getProfile(c.req.param("id"))) return c.json({ error: "not found" }, 404);
+  const input = normalizeProfile(await c.req.json().catch(() => ({})));
+  return c.json(await updateProfile(c.req.param("id"), input));
+});
+profilesRoute.delete("/:id", async (c) => {
+  try {
+    const ok = await deleteProfile(c.req.param("id"));
+    return ok ? c.json({ ok: true }) : c.json({ error: "not found" }, 404);
+  } catch (e) {
+    return c.json({ error: e instanceof Error ? e.message : String(e) }, 409);
+  }
+});
+profilePresetsRoute.get("/", (c) => c.json(PROFILE_PRESETS));
+
+// src/server/routes/flow.ts
+import { Hono as Hono4 } from "hono";
 import { nanoid as nanoid5 } from "nanoid";
 
 // src/server/store/log.ts
@@ -177,14 +652,19 @@ var bus = new Bus();
 bus.setMaxListeners(0);
 
 // src/server/store/log.ts
+function redactSecrets(body) {
+  if (!body) return body ?? "";
+  return body.replace(/(<SharedSecret>)[\s\S]*?(<\/SharedSecret>)/g, "$1***$2");
+}
 function appendLog(input) {
   ensureDirs();
   const record = {
     ...input,
+    body: redactSecrets(input.body),
     id: input.id ?? nanoid2(12),
     ts: input.ts ?? (/* @__PURE__ */ new Date()).toISOString()
   };
-  appendFileSync(sessionFile(record.sessionId), JSON.stringify(record) + "\n", "utf8");
+  appendFileSync(sessionFile(record.sessionId), JSON.stringify(record) + "\n", { encoding: "utf8", mode: 384 });
   bus.emitLog(record);
   return record;
 }
@@ -234,8 +714,13 @@ function normalizeContentId(cid) {
   if (!cid) return "";
   return cid.trim().replace(/^<+/, "").replace(/>+$/, "").trim();
 }
+function base64Wrapped(data) {
+  const lines = data.toString("base64").match(/.{1,76}/g) ?? [];
+  return Buffer.from(lines.join("\r\n"), "utf8");
+}
 function buildMultipartRelated(cxml, attachments, opts = {}) {
-  const boundary = `cxml-${nanoid3(20)}`;
+  const boundary = opts.boundary || `cxml-${nanoid3(20)}`;
+  const useBase64 = opts.attachmentEncoding === "base64";
   const mainCid = opts.mainContentId ?? `cxml-main@punchout-simulator`;
   const CRLF = "\r\n";
   const parts = [];
@@ -258,11 +743,11 @@ function buildMultipartRelated(cxml, attachments, opts = {}) {
     pushPart(
       [
         `Content-Type: ${att.contentType}`,
-        `Content-Transfer-Encoding: binary`,
+        `Content-Transfer-Encoding: ${useBase64 ? "base64" : "binary"}`,
         `Content-ID: <${normalizeContentId(att.contentId)}>`,
         disposition
       ],
-      att.data
+      useBase64 ? base64Wrapped(att.data) : att.data
     );
   }
   parts.push(Buffer.from(`--${boundary}--${CRLF}`, "utf8"));
@@ -276,6 +761,10 @@ function getBoundary(contentType) {
   const m = /boundary="?([^";]+)"?/i.exec(contentType);
   return m?.[1];
 }
+function getStartCid(contentType) {
+  const m = /start="?<?([^">]+)>?"?/i.exec(contentType);
+  return m ? normalizeContentId(m[1]) : void 0;
+}
 function isMultipart(contentType) {
   return !!contentType && /^multipart\//i.test(contentType.trim());
 }
@@ -305,6 +794,9 @@ function parseMultipartRelated(body, contentType) {
         headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
       }
     }
+    if (headers["content-transfer-encoding"]?.toLowerCase() === "base64") {
+      bodyBuf = Buffer.from(bodyBuf.toString("utf8"), "base64");
+    }
     parts.push({
       headers,
       contentId: normalizeContentId(headers["content-id"]),
@@ -353,7 +845,7 @@ function saveAttachment(data, meta) {
   ensureDirs();
   const hash = createHash("sha256").update(data).digest("hex");
   const path = resolve2(attachmentsDir(), hash);
-  if (!existsSync2(path)) writeFileSync(path, data);
+  if (!existsSync2(path)) writeFileSync(path, data, { mode: 384 });
   return {
     contentId: normalizeContentId(meta.contentId),
     filename: meta.filename,
@@ -388,14 +880,32 @@ function connectionForSession(sessionId) {
 }
 
 // src/server/http.ts
+function assertSafeOutboundUrl(url) {
+  let u;
+  try {
+    u = new URL(url);
+  } catch {
+    throw new Error(`invalid URL: ${url}`);
+  }
+  if (u.protocol !== "http:" && u.protocol !== "https:") {
+    throw new Error(`unsupported URL scheme "${u.protocol}" (only http/https allowed)`);
+  }
+  if (u.username || u.password) {
+    throw new Error("credentials embedded in the URL are not allowed");
+  }
+}
 async function sendCxml(url, body, contentType = "text/xml; charset=UTF-8", timeoutMs = 3e4) {
   const controller = new AbortController();
   const timer = setTimeout(() => controller.abort(), timeoutMs);
   try {
+    assertSafeOutboundUrl(url);
     const res = await fetch(url, {
       method: "POST",
       headers: { "Content-Type": contentType },
       body,
+      // Do not transparently follow redirects to a different host (SSRF pivot);
+      // a 3xx is surfaced to the caller as the response instead.
+      redirect: "manual",
       signal: controller.signal
     });
     const headers = {};
@@ -421,21 +931,6 @@ async function sendCxml(url, body, contentType = "text/xml; charset=UTF-8", time
   }
 }
 
-// src/server/runtime.ts
-var runtime = {
-  port: 8080,
-  publicUrl: "http://localhost:8080"
-};
-function setRuntime(r) {
-  Object.assign(runtime, r);
-}
-function getPublicUrl() {
-  return runtime.publicUrl.replace(/\/$/, "");
-}
-function browserFormPostUrl() {
-  return `${getPublicUrl()}/punchout/return`;
-}
-
 // src/server/cxml/build.ts
 import { nanoid as nanoid4 } from "nanoid";
 function escapeXml(value) {
@@ -469,14 +964,24 @@ ${credentialBlock("To", p.to)}
 ${senderBlock(p.sender, p.sharedSecret, p.userAgent)}
   </Header>`;
 }
-var DECLARATION = `<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE cXML SYSTEM "http://xml.cxml.org/schemas/cXML/1.2.045/cXML.dtd">`;
-function envelope(payloadId, timestamp, lang, inner) {
-  return `${DECLARATION}
+var DEFAULT_DTD_VERSION = "1.2.045";
+function doctype(version) {
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE cXML SYSTEM "http://xml.cxml.org/schemas/cXML/${escapeXml(version)}/cXML.dtd">`;
+}
+function envelope(payloadId, timestamp, lang, inner, dtdVersion = DEFAULT_DTD_VERSION) {
+  return `${doctype(dtdVersion)}
 <cXML payloadID="${escapeXml(payloadId)}" timestamp="${escapeXml(timestamp)}" xml:lang="${escapeXml(lang)}">
 ${inner}
 </cXML>`;
 }
+function applyExtrinsicTokens(value, tokens) {
+  return value.replace(/\$\{(\w+)\}/g, (_, k) => tokens[k] ?? "");
+}
+function extrinsicBlock(items, indent) {
+  if (!items || items.length === 0) return "";
+  return "\n" + items.map((e) => `${indent}<Extrinsic name="${escapeXml(e.name)}">${escapeXml(e.value)}</Extrinsic>`).join("\n");
+}
 function buildSetupRequest(o) {
   const lang = o.lang ?? "en-US";
   const deployment = o.deploymentMode ? ` deploymentMode="${escapeXml(o.deploymentMode)}"` : "";
@@ -484,17 +989,18 @@ function buildSetupRequest(o) {
     from: o.from,
     to: o.to,
     sender: o.sender,
-    sharedSecret: o.sharedSecret
+    sharedSecret: o.sharedSecret,
+    userAgent: o.userAgent
   })}
   <Request${deployment}>
     <PunchOutSetupRequest operation="${escapeXml(o.operation ?? "create")}">
       <BuyerCookie>${escapeXml(o.buyerCookie)}</BuyerCookie>
       <BrowserFormPost>
         <URL>${escapeXml(o.browserFormPostUrl)}</URL>
-      </BrowserFormPost>
+      </BrowserFormPost>${extrinsicBlock(o.extrinsics, "      ")}
     </PunchOutSetupRequest>
   </Request>`;
-  return envelope(o.payloadId, o.timestamp, lang, inner);
+  return envelope(o.payloadId, o.timestamp, lang, inner, o.dtdVersion);
 }
 function addressBlock(tag, a) {
   return `      <${tag}>
@@ -556,7 +1062,8 @@ function buildOrderRequest(o) {
     from: o.from,
     to: o.to,
     sender: o.sender,
-    sharedSecret: o.sharedSecret
+    sharedSecret: o.sharedSecret,
+    userAgent: o.userAgent
   })}
   <Request${deployment}>
     <OrderRequest>
@@ -567,12 +1074,15 @@ function buildOrderRequest(o) {
           <Money currency="${escapeXml(o.currency)}">${escapeXml(o.total)}</Money>
         </Total>
 ${addressBlock("ShipTo", o.shipTo ?? {})}
-${addressBlock("BillTo", o.billTo ?? {})}${commentsWithAttachments(orderLevelCids, "        ")}
+${addressBlock("BillTo", o.billTo ?? {})}${commentsWithAttachments(orderLevelCids, "        ")}${extrinsicBlock(
+    o.extrinsics,
+    "        "
+  )}
       </OrderRequestHeader>
 ${items}
     </OrderRequest>
   </Request>`;
-  return envelope(o.payloadId, o.timestamp, lang, inner);
+  return envelope(o.payloadId, o.timestamp, lang, inner, o.dtdVersion);
 }
 function optionalHeader(p) {
   return p ? `${header({ from: p.from, to: p.to, sender: p.sender })}
@@ -590,7 +1100,7 @@ function buildSetupResponse(o) {
       </StartPage>
     </PunchOutSetupResponse>
   </Response>`;
-  return envelope(o.payloadId, o.timestamp, o.lang ?? "en-US", inner);
+  return envelope(o.payloadId, o.timestamp, o.lang ?? "en-US", inner, o.dtdVersion);
 }
 function buildResponseStatus(o) {
   const head = o.from && o.to && o.sender ? optionalHeader({ from: o.from, to: o.to, sender: o.sender }) : "";
@@ -599,7 +1109,7 @@ function buildResponseStatus(o) {
     o.statusText ?? "OK"
   )}">${escapeXml(o.statusText === "OK" || !o.statusText ? "" : o.statusText)}</Status>
   </Response>`;
-  return envelope(o.payloadId, o.timestamp, o.lang ?? "en-US", inner);
+  return envelope(o.payloadId, o.timestamp, o.lang ?? "en-US", inner, o.dtdVersion);
 }
 function buildPunchOutOrderMessage(o) {
   const total = o.items.reduce(
@@ -631,7 +1141,7 @@ function buildPunchOutOrderMessage(o) {
   <Message>
     <PunchOutOrderMessage>
       <BuyerCookie>${escapeXml(o.buyerCookie)}</BuyerCookie>
-      <PunchOutOrderMessageHeader operationAllowed="create">
+      <PunchOutOrderMessageHeader operationAllowed="${escapeXml(o.operationAllowed ?? "create")}">
         <Total>
           <Money currency="${escapeXml(o.currency)}">${escapeXml(total.toFixed(2))}</Money>
         </Total>
@@ -639,7 +1149,7 @@ function buildPunchOutOrderMessage(o) {
 ${items}
     </PunchOutOrderMessage>
   </Message>`;
-  return envelope(o.payloadId, o.timestamp, o.lang ?? "en-US", inner);
+  return envelope(o.payloadId, o.timestamp, o.lang ?? "en-US", inner, o.dtdVersion);
 }
 
 // src/server/cxml/parse.ts
@@ -656,6 +1166,9 @@ var parser = new XMLParser({
   isArray: (name) => ["ItemIn", "ItemOut", "Attachment", "Comments", "Extrinsic"].includes(name)
 });
 function parseXml(raw) {
+  if (/<!ENTITY/i.test(raw)) {
+    return { raw, tree: null, wellFormed: false, wellFormedError: "DTD entity definitions are not allowed" };
+  }
   const check = XMLValidator.validate(raw, { allowBooleanAttributes: true });
   if (check !== true) {
     return {
@@ -718,9 +1231,9 @@ function getDocType(doc) {
   return "Unknown";
 }
 function credentialOf(node) {
-  const cred = node?.Credential;
-  if (!cred) return void 0;
-  const first = Array.isArray(cred) ? cred[0] : cred;
+  const cred2 = node?.Credential;
+  if (!cred2) return void 0;
+  const first = Array.isArray(cred2) ? cred2[0] : cred2;
   return {
     domain: attr(first, "domain") ?? "",
     identity: text(first?.Identity) ?? ""
@@ -859,9 +1372,9 @@ function credEq(a, b) {
   if (!a || !b) return false;
   return a.domain === b.domain && a.identity === b.identity;
 }
-function credKnown(c, conn) {
+function credKnown(c, exp) {
   if (!c) return false;
-  return [conn.from, conn.to, conn.sender].some((k) => credEq(c, k));
+  return [exp.from, exp.to, exp.sender].some((k) => credEq(c, k));
 }
 function checkGeneral(doc, ctx, issues) {
   const payloadId = getPayloadId(doc);
@@ -877,8 +1390,8 @@ function checkGeneral(doc, ctx, issues) {
   if (!getTimestamp(doc)) {
     issues.error("missing-timestamp", "cXML/@timestamp is missing", "cXML/@timestamp");
   }
-  if (!ctx.connection) return;
-  const conn = ctx.connection;
+  if (!ctx.expected) return;
+  const exp = ctx.expected;
   const creds = getHeaderCredentials(doc);
   for (const [name, c] of [
     ["From", creds.from],
@@ -895,7 +1408,7 @@ function checkGeneral(doc, ctx, issues) {
     if (!c.identity) {
       issues.warn("credential-identity", `Header/${name}/Credential/Identity is empty`, `cXML/Header/${name}`);
     }
-    if (c.domain && c.identity && !credKnown(c, conn)) {
+    if (c.domain && c.identity && !credKnown(c, exp)) {
       issues.warn(
         "credential-mismatch",
         `Header/${name} (${c.domain}/${c.identity}) does not match any identity configured on the connection`,
@@ -905,9 +1418,8 @@ function checkGeneral(doc, ctx, issues) {
   }
 }
 function checkSharedSecret(doc, ctx, issues) {
-  if (!ctx.connection) return;
-  const conn = ctx.connection;
-  if (conn.authStyle !== "SharedSecret") return;
+  const exp = ctx.expected;
+  if (!exp) return;
   const creds = getHeaderCredentials(doc);
   if (!creds.sharedSecret) {
     issues.warn(
@@ -915,7 +1427,7 @@ function checkSharedSecret(doc, ctx, issues) {
       "Sender/Credential/SharedSecret is absent (required for SharedSecret auth)",
       "cXML/Header/Sender/Credential/SharedSecret"
     );
-  } else if (conn.sharedSecret && creds.sharedSecret !== conn.sharedSecret) {
+  } else if (exp.sharedSecret && creds.sharedSecret !== exp.sharedSecret) {
     issues.error(
       "sharedsecret-mismatch",
       "Sender SharedSecret does not match the connection's configured shared secret",
@@ -1149,7 +1661,7 @@ function validateDocument(raw, ctx = {}) {
 }
 
 // src/server/routes/flow.ts
-var flowRoute = new Hono2();
+var flowRoute = new Hono4();
 function host() {
   try {
     return new URL(getPublicUrl()).host;
@@ -1157,54 +1669,86 @@ function host() {
     return "punchout-simulator";
   }
 }
-function requireVirtualBuyer(conn) {
-  if (!conn) return "connection not found";
-  if (conn.mode !== "virtual-buyer") return "connection is not in virtual-buyer mode";
-  return null;
+function buyerContext(r) {
+  const { connection, buyer, supplier } = r;
+  const from = buyer.identity;
+  const to = supplier.identity;
+  const sender = connection.senderIdentity ?? buyer.identity;
+  const eff = effectiveProfile(connection, buyer);
+  return {
+    from,
+    to,
+    sender,
+    sharedSecret: connection.sharedSecret,
+    punchoutUrl: supplier.punchoutUrl,
+    orderUrl: supplier.orderUrl,
+    deploymentMode: connection.deploymentMode,
+    connectionId: connection.id,
+    attachmentEncoding: eff.attachmentEncoding,
+    eff,
+    expected: { from, to, sender, sharedSecret: connection.sharedSecret }
+  };
+}
+function setupExtrinsics(ctx, buyerCookie) {
+  return ctx.eff.extrinsics.filter((e) => e.scope === "setup").map((e) => ({ name: e.name, value: applyExtrinsicTokens(e.value, { buyerCookie }) }));
+}
+function orderExtrinsics(ctx, orderId) {
+  return ctx.eff.extrinsics.filter((e) => e.scope === "order").map((e) => ({ name: e.name, value: applyExtrinsicTokens(e.value, { orderId }) }));
+}
+function resolveVirtualBuyer(id) {
+  const r = resolveConnection(id);
+  if (!r) return { error: "connection not found (or its buyer/supplier is missing)" };
+  if (r.connection.mode !== "virtual-buyer") return { error: "connection is not in virtual-buyer mode" };
+  return { ctx: buyerContext(r) };
 }
 flowRoute.get("/:id/setup/preview", (c) => {
-  const conn = getConnection(c.req.param("id"));
-  const err = requireVirtualBuyer(conn);
-  if (err) return c.json({ error: err }, 400);
+  const r = resolveVirtualBuyer(c.req.param("id"));
+  if ("error" in r) return c.json({ error: r.error }, 400);
+  const { ctx } = r;
   const buyerCookie = c.req.query("buyerCookie") || `pos-${nanoid5(16)}`;
   const xml = buildSetupRequest({
-    from: conn.from,
-    to: conn.to,
-    sender: conn.sender,
-    sharedSecret: conn.sharedSecret,
+    from: ctx.from,
+    to: ctx.to,
+    sender: ctx.sender,
+    sharedSecret: ctx.sharedSecret,
     buyerCookie,
     browserFormPostUrl: browserFormPostUrl(),
     payloadId: makePayloadId(host(), (/* @__PURE__ */ new Date()).toISOString()),
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    deploymentMode: conn.deploymentMode
+    deploymentMode: ctx.deploymentMode,
+    operation: ctx.eff.setupOperation,
+    dtdVersion: dtdVersionFor(ctx.eff, "SetupRequest"),
+    userAgent: ctx.eff.userAgent,
+    extrinsics: setupExtrinsics(ctx, buyerCookie)
   });
   return c.json({ buyerCookie, xml, browserFormPostUrl: browserFormPostUrl() });
 });
 flowRoute.post("/:id/setup", async (c) => {
-  const conn = getConnection(c.req.param("id"));
-  const err = requireVirtualBuyer(conn);
-  if (err) return c.json({ error: err }, 400);
+  const r = resolveVirtualBuyer(c.req.param("id"));
+  if ("error" in r) return c.json({ error: r.error }, 400);
+  const { ctx } = r;
   const body = await c.req.json().catch(() => ({}));
   const buyerCookie = body.buyerCookie || `pos-${nanoid5(16)}`;
   const xml = body.xml || buildSetupRequest({
-    from: conn.from,
-    to: conn.to,
-    sender: conn.sender,
-    sharedSecret: conn.sharedSecret,
+    from: ctx.from,
+    to: ctx.to,
+    sender: ctx.sender,
+    sharedSecret: ctx.sharedSecret,
     buyerCookie,
     browserFormPostUrl: browserFormPostUrl(),
     payloadId: makePayloadId(host(), (/* @__PURE__ */ new Date()).toISOString()),
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    deploymentMode: conn.deploymentMode
-  });
-  rememberSessionConnection(buyerCookie, conn.id);
-  const reqValidation = validateDocument(xml, {
-    connection: conn,
-    forceDocType: "SetupRequest"
+    deploymentMode: ctx.deploymentMode,
+    operation: ctx.eff.setupOperation,
+    dtdVersion: dtdVersionFor(ctx.eff, "SetupRequest"),
+    userAgent: ctx.eff.userAgent,
+    extrinsics: setupExtrinsics(ctx, buyerCookie)
   });
+  rememberSessionConnection(buyerCookie, ctx.connectionId);
+  const reqValidation = validateDocument(xml, { expected: ctx.expected, forceDocType: "SetupRequest" });
   const reqLog = appendLog({
     sessionId: buyerCookie,
-    connectionId: conn.id,
+    connectionId: ctx.connectionId,
     direction: "out",
     docType: "SetupRequest",
     headers: { "Content-Type": "text/xml; charset=UTF-8" },
@@ -1212,11 +1756,12 @@ flowRoute.post("/:id/setup", async (c) => {
     contentType: "text/xml",
     validation: reqValidation
   });
-  const res = await sendCxml(conn.punchoutUrl, xml);
-  const respValidation = res.error ? void 0 : validateDocument(res.body, { connection: conn, forceDocType: "SetupResponse" });
+  if (!ctx.punchoutUrl) return c.json({ error: "supplier has no punchoutUrl configured" }, 400);
+  const res = await sendCxml(ctx.punchoutUrl, xml);
+  const respValidation = res.error ? void 0 : validateDocument(res.body, { expected: ctx.expected, forceDocType: "SetupResponse" });
   const respLog = appendLog({
     sessionId: buyerCookie,
-    connectionId: conn.id,
+    connectionId: ctx.connectionId,
     direction: "in",
     docType: "SetupResponse",
     status: res.status,
@@ -1237,7 +1782,7 @@ flowRoute.post("/:id/setup", async (c) => {
     response: respLog
   });
 });
-function buildOrderXml(conn, body) {
+function buildOrderXml(ctx, body) {
   const items = body.items ?? [];
   const currency = body.currency || items[0]?.currency || "USD";
   const total = body.total ?? items.reduce((s, it) => s + (it.unitPriceAmount ?? 0) * it.quantity, 0);
@@ -1247,41 +1792,43 @@ function buildOrderXml(conn, body) {
     scope: a.scope === "order" || a.scope == null ? "order" : { itemIndex: Number(a.scope) }
   }));
   const xml = buildOrderRequest({
-    from: conn.from,
-    to: conn.to,
-    sender: conn.sender,
-    sharedSecret: conn.sharedSecret,
+    from: ctx.from,
+    to: ctx.to,
+    sender: ctx.sender,
+    sharedSecret: ctx.sharedSecret,
     orderId,
     orderDate: (/* @__PURE__ */ new Date()).toISOString(),
     payloadId: makePayloadId(host(), (/* @__PURE__ */ new Date()).toISOString()),
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    deploymentMode: conn.deploymentMode,
+    deploymentMode: ctx.deploymentMode,
     currency,
     total,
     items,
     shipTo: body.shipTo,
     billTo: body.billTo,
-    attachments: attMeta
+    attachments: attMeta,
+    dtdVersion: dtdVersionFor(ctx.eff, "OrderRequest"),
+    userAgent: ctx.eff.userAgent,
+    extrinsics: orderExtrinsics(ctx, orderId)
   });
   return { xml, orderId };
 }
 flowRoute.post("/:id/order/preview", async (c) => {
-  const conn = getConnection(c.req.param("id"));
-  const err = requireVirtualBuyer(conn);
-  if (err) return c.json({ error: err }, 400);
+  const r = resolveVirtualBuyer(c.req.param("id"));
+  if ("error" in r) return c.json({ error: r.error }, 400);
   const body = await c.req.json().catch(() => ({}));
-  const { xml, orderId } = buildOrderXml(conn, body);
+  const { xml, orderId } = buildOrderXml(r.ctx, body);
   return c.json({ xml, orderId });
 });
 flowRoute.post("/:id/order", async (c) => {
-  const conn = getConnection(c.req.param("id"));
-  const err = requireVirtualBuyer(conn);
-  if (err) return c.json({ error: err }, 400);
+  const r = resolveVirtualBuyer(c.req.param("id"));
+  if ("error" in r) return c.json({ error: r.error }, 400);
+  const { ctx } = r;
   const body = await c.req.json().catch(() => ({}));
   const sessionId = body.sessionId || `pos-${nanoid5(16)}`;
   const dangling = !!body.danglingCid;
   const inputAtts = body.attachments ?? [];
-  const xml = body.xml || buildOrderXml(conn, body).xml;
+  const xml = body.xml || buildOrderXml(ctx, body).xml;
   let wireBody = xml;
   let wireContentType = "text/xml; charset=UTF-8";
   const availableContentIds = /* @__PURE__ */ new Set();
@@ -1305,18 +1852,18 @@ flowRoute.post("/:id/order", async (c) => {
         data
       };
     });
-    const built = buildMultipartRelated(xml, parts);
+    const built = buildMultipartRelated(xml, parts, { attachmentEncoding: ctx.attachmentEncoding });
     wireBody = built.body;
     wireContentType = built.contentType;
   }
   const reqValidation = validateDocument(xml, {
-    connection: conn,
+    expected: ctx.expected,
     forceDocType: "OrderRequest",
     availableContentIds: inputAtts.length > 0 ? availableContentIds : void 0
   });
   const reqLog = appendLog({
     sessionId,
-    connectionId: conn.id,
+    connectionId: ctx.connectionId,
     direction: "out",
     docType: "OrderRequest",
     headers: { "Content-Type": wireContentType },
@@ -1324,13 +1871,15 @@ flowRoute.post("/:id/order", async (c) => {
     contentType: wireContentType,
     validation: reqValidation,
     attachments: savedRefs,
+    attachmentEncoding: inputAtts.length > 0 ? ctx.attachmentEncoding : void 0,
     note: dangling ? "dangling-cid test" : void 0
   });
-  const res = await sendCxml(conn.orderUrl, wireBody, wireContentType);
-  const respValidation = res.error ? void 0 : validateDocument(res.body, { connection: conn, forceDocType: "OrderResponse" });
+  if (!ctx.orderUrl) return c.json({ error: "supplier has no orderUrl configured" }, 400);
+  const res = await sendCxml(ctx.orderUrl, wireBody, wireContentType);
+  const respValidation = res.error ? void 0 : validateDocument(res.body, { expected: ctx.expected, forceDocType: "OrderResponse" });
   const respLog = appendLog({
     sessionId,
-    connectionId: conn.id,
+    connectionId: ctx.connectionId,
     direction: "in",
     docType: "OrderResponse",
     status: res.status,
@@ -1351,8 +1900,8 @@ flowRoute.post("/:id/order", async (c) => {
 });
 
 // src/server/routes/punchout-return.ts
-import { Hono as Hono3 } from "hono";
-var punchoutReturnRoute = new Hono3();
+import { Hono as Hono5 } from "hono";
+var punchoutReturnRoute = new Hono5();
 async function extractCxml(c) {
   const ct = (c.req.header("content-type") ?? "").toLowerCase();
   if (ct.includes("application/x-www-form-urlencoded") || ct.includes("multipart/form-data")) {
@@ -1392,9 +1941,14 @@ punchoutReturnRoute.post("/return", async (c) => {
   const cart = parseCart(doc);
   const sessionId = cart.sessionId || text(root(doc)?.Message?.PunchOutOrderMessage?.BuyerCookie) || "unknown";
   const connectionId = connectionForSession(sessionId);
-  const conn = connectionId ? getConnection(connectionId) : void 0;
+  const resolved = connectionId ? resolveConnection(connectionId) : void 0;
+  const expected = resolved ? {
+    from: resolved.buyer.identity,
+    to: resolved.supplier.identity,
+    sender: resolved.connection.senderIdentity ?? resolved.supplier.identity
+  } : void 0;
   const validation = validateDocument(xml, {
-    connection: conn,
+    expected,
     expectedBuyerCookie: sessionId,
     forceDocType: "PunchOutOrderMessage"
   });
@@ -1415,10 +1969,14 @@ punchoutReturnRoute.post("/return", async (c) => {
 });
 
 // src/server/routes/stream.ts
-import { Hono as Hono4 } from "hono";
+import { Hono as Hono6 } from "hono";
 import { streamSSE } from "hono/streaming";
-var streamRoute = new Hono4();
+var streamRoute = new Hono6();
+var MAX_STREAMS = 64;
+var activeStreams = 0;
 streamRoute.get("/stream", (c) => {
+  if (activeStreams >= MAX_STREAMS) return c.text("too many live-log connections", 503);
+  activeStreams++;
   return streamSSE(c, async (stream) => {
     let open = true;
     let id = 0;
@@ -1432,6 +1990,7 @@ streamRoute.get("/stream", (c) => {
     });
     stream.onAbort(() => {
       open = false;
+      activeStreams = Math.max(0, activeStreams - 1);
       unsubscribe();
     });
     await stream.writeSSE({ event: "ready", data: JSON.stringify({ ts: Date.now() }) });
@@ -1444,8 +2003,30 @@ streamRoute.get("/stream", (c) => {
 });
 
 // src/server/routes/data.ts
-import { Hono as Hono5 } from "hono";
-var dataRoute = new Hono5();
+import { Hono as Hono7 } from "hono";
+var dataRoute = new Hono7();
+function rawMessage(record) {
+  const ct = record.contentType ?? record.headers?.["Content-Type"] ?? record.headers?.["content-type"];
+  let body = record.body;
+  if (ct && isMultipart(ct) && record.attachments && record.attachments.length > 0) {
+    const parts = record.attachments.map((a) => ({
+      contentId: a.contentId,
+      filename: a.filename,
+      contentType: a.contentType,
+      data: readAttachment(a.hash) ?? Buffer.alloc(0)
+    }));
+    const built = buildMultipartRelated(record.body, parts, {
+      boundary: getBoundary(ct),
+      mainContentId: getStartCid(ct),
+      attachmentEncoding: record.attachmentEncoding
+    });
+    body = built.body.toString("utf8");
+  }
+  const headerLines = Object.entries(record.headers ?? {}).map(([k, v]) => `${k}: ${v}`);
+  return headerLines.length > 0 ? `${headerLines.join("\r\n")}\r
+\r
+${body}` : body;
+}
 dataRoute.get("/health", (c) => c.json({ ok: true }));
 dataRoute.get(
   "/runtime",
@@ -1453,6 +2034,12 @@ dataRoute.get(
 );
 dataRoute.get("/sessions", (c) => c.json(listSessions()));
 dataRoute.get("/sessions/:id", (c) => c.json(readSession(c.req.param("id"))));
+dataRoute.get("/sessions/:sessionId/records/:recordId/raw", (c) => {
+  const record = readSession(c.req.param("sessionId")).find((r) => r.id === c.req.param("recordId"));
+  if (!record) return c.json({ error: "not found" }, 404);
+  c.header("Content-Type", "text/plain; charset=utf-8");
+  return c.body(rawMessage(record));
+});
 dataRoute.get("/recent", (c) => {
   const limit = Number(c.req.query("limit") ?? "200");
   return c.json(readAllRecent(Number.isFinite(limit) ? limit : 200));
@@ -1469,38 +2056,13 @@ dataRoute.get("/attachments/:hash", (c) => {
 });
 
 // src/server/routes/sim.ts
-import { Hono as Hono6 } from "hono";
+import { Hono as Hono8 } from "hono";
 import { nanoid as nanoid6 } from "nanoid";
-var simRoute = new Hono6();
+var simRoute = new Hono8();
 var DEMO_CATALOG = [
-  {
-    supplierPartId: "WIDGET-001",
-    description: "Premium Steel Widget",
-    unitPrice: 12.5,
-    currency: "USD",
-    uom: "EA",
-    unspsc: "31161500",
-    manufacturerPartId: "MFR-W001",
-    manufacturerName: "Acme Manufacturing"
-  },
-  {
-    supplierPartId: "BOLT-250",
-    description: "M8 Hex Bolt (pack of 250)",
-    unitPrice: 34,
-    currency: "USD",
-    uom: "PK",
-    unspsc: "31161600",
-    manufacturerPartId: "MFR-B250",
-    manufacturerName: "Acme Manufacturing"
-  },
-  {
-    supplierPartId: "TAPE-RED",
-    description: "Industrial Marking Tape, Red",
-    unitPrice: 5.75,
-    currency: "USD",
-    uom: "RL",
-    unspsc: "31201500"
-  }
+  { supplierPartId: "WIDGET-001", description: "Premium Steel Widget", unitPrice: 12.5, currency: "USD", uom: "EA", unspsc: "31161500", manufacturerPartId: "MFR-W001", manufacturerName: "Acme Manufacturing" },
+  { supplierPartId: "BOLT-250", description: "M8 Hex Bolt (pack of 250)", unitPrice: 34, currency: "USD", uom: "PK", unspsc: "31161600", manufacturerPartId: "MFR-B250", manufacturerName: "Acme Manufacturing" },
+  { supplierPartId: "TAPE-RED", description: "Industrial Marking Tape, Red", unitPrice: 5.75, currency: "USD", uom: "RL", unspsc: "31201500" }
 ];
 function host2() {
   try {
@@ -1509,59 +2071,66 @@ function host2() {
     return "punchout-simulator";
   }
 }
+var catalogOf = (s) => s.catalog && s.catalog.length > 0 ? s.catalog : DEMO_CATALOG;
 function safeHttpUrl(u) {
   if (!u) return "";
   try {
-    const parsed = new URL(u.trim());
-    return parsed.protocol === "http:" || parsed.protocol === "https:" ? u.trim() : "";
+    const p = new URL(u.trim());
+    return p.protocol === "http:" || p.protocol === "https:" ? p.href : "";
   } catch {
     return "";
   }
 }
-function catalogOf(conn) {
-  return conn.catalog && conn.catalog.length > 0 ? conn.catalog : DEMO_CATALOG;
+function jsonForScript(value) {
+  return JSON.stringify(value).replace(/</g, "\\u003c").replace(/>/g, "\\u003e").replace(/&/g, "\\u0026").replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
+}
+function expectedFor(supplierId, from) {
+  const r = findConnectionBySupplierAndBuyerIdentity(supplierId, from);
+  if (!r) return void 0;
+  return {
+    from: r.buyer.identity,
+    to: r.supplier.identity,
+    sender: r.connection.senderIdentity ?? r.buyer.identity,
+    sharedSecret: r.connection.sharedSecret
+  };
 }
-function requireSupplier(conn) {
-  if (!conn) return "connection not found";
-  if (conn.mode !== "virtual-supplier") return "connection is not in virtual-supplier mode";
-  return null;
+function effFor(supplierId, from) {
+  const r = findConnectionBySupplierAndBuyerIdentity(supplierId, from);
+  return r ? effectiveProfile(r.connection, r.buyer) : void 0;
 }
 simRoute.post("/:id/punchout", async (c) => {
-  const conn = getConnection(c.req.param("id"));
-  const err = requireSupplier(conn);
-  if (err) return c.text(err, 400);
+  const supplier = getSupplier(c.req.param("id"));
+  if (!supplier) return c.text("supplier not found", 404);
   const reqXml = await c.req.text();
   const doc = parseXml(reqXml);
   const reqRoot = root(doc)?.Request?.PunchOutSetupRequest;
   const buyerCookie = text(reqRoot?.BuyerCookie) || `pos-${nanoid6(16)}`;
   const formPost = safeHttpUrl(text(reqRoot?.BrowserFormPost?.URL));
-  const reqValidation = validateDocument(reqXml, {
-    connection: conn,
-    forceDocType: "SetupRequest"
-  });
+  const from = getHeaderCredentials(doc).from;
   appendLog({
     sessionId: buyerCookie,
-    connectionId: conn.id,
+    connectionId: supplier.id,
     direction: "in",
     docType: "SetupRequest",
     headers: { "Content-Type": c.req.header("content-type") ?? "" },
     body: reqXml,
-    validation: reqValidation
+    validation: validateDocument(reqXml, { expected: expectedFor(supplier.id, from), forceDocType: "SetupRequest" })
   });
-  const startPageUrl = `${getPublicUrl()}/sim/${conn.id}/catalog?cookie=${encodeURIComponent(
-    buyerCookie
-  )}&formpost=${encodeURIComponent(formPost)}`;
+  const buyerCred = from ?? { domain: "", identity: "" };
+  const startPageUrl = `${getPublicUrl()}/sim/${supplier.id}/catalog?cookie=${encodeURIComponent(buyerCookie)}&formpost=${encodeURIComponent(formPost)}&bd=${encodeURIComponent(buyerCred.domain)}&bi=${encodeURIComponent(buyerCred.identity)}`;
+  const eff = effFor(supplier.id, from);
   const respXml = buildSetupResponse({
     payloadId: makePayloadId(host2(), (/* @__PURE__ */ new Date()).toISOString()),
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
     startPageUrl,
-    from: conn.from,
-    to: conn.to,
-    sender: conn.sender
+    from: supplier.identity,
+    to: buyerCred,
+    sender: supplier.identity,
+    dtdVersion: eff ? dtdVersionFor(eff, "SetupResponse") : void 0
   });
   appendLog({
     sessionId: buyerCookie,
-    connectionId: conn.id,
+    connectionId: supplier.id,
     direction: "out",
     docType: "SetupResponse",
     headers: { "Content-Type": "text/xml; charset=UTF-8" },
@@ -1572,24 +2141,23 @@ simRoute.post("/:id/punchout", async (c) => {
   return c.body(respXml);
 });
 simRoute.get("/:id/catalog", (c) => {
-  const conn = getConnection(c.req.param("id"));
-  const err = requireSupplier(conn);
-  if (err) return c.text(err, 400);
+  const supplier = getSupplier(c.req.param("id"));
+  if (!supplier) return c.text("supplier not found", 404);
   const cookie = c.req.query("cookie") ?? "";
-  const formpost = c.req.query("formpost") ?? "";
-  const items = catalogOf(conn);
+  const formpost = safeHttpUrl(c.req.query("formpost") ?? "");
+  const bd = c.req.query("bd") ?? "";
+  const bi = c.req.query("bi") ?? "";
+  const items = catalogOf(supplier);
   const rows = items.map(
     (it, i) => `<tr>
-      <td><strong>${escapeHtml(it.description)}</strong><br><small>${escapeHtml(
-      it.supplierPartId
-    )} \xB7 ${escapeHtml(it.uom)} \xB7 UNSPSC ${escapeHtml(it.unspsc)}</small></td>
-      <td class="price">${it.currency} ${it.unitPrice.toFixed(2)}</td>
+      <td><strong>${escapeXml(it.description)}</strong><br><small>${escapeXml(it.supplierPartId)} \xB7 ${escapeXml(it.uom)} \xB7 UNSPSC ${escapeXml(it.unspsc)}</small></td>
+      <td class="price">${escapeXml(it.currency)} ${it.unitPrice.toFixed(2)}</td>
       <td><input type="number" name="q_${i}" value="0" min="0" step="1" inputmode="numeric"></td>
     </tr>`
   ).join("\n");
   return c.html(`<!doctype html><html lang="en"><head><meta charset="utf-8">
 <meta name="viewport" content="width=device-width, initial-scale=1">
-<title>${escapeHtml(conn.name)} \u2014 mock catalog</title>
+<title>${escapeXml(supplier.name)} \u2014 mock catalog</title>
 <style>
   body{font-family:system-ui,sans-serif;background:#0f172a;color:#e2e8f0;margin:0;padding:2rem}
   .wrap{max-width:720px;margin:0 auto}
@@ -1598,17 +2166,17 @@ simRoute.get("/:id/catalog", (c) => {
   th,td{padding:.75rem 1rem;text-align:left;border-bottom:1px solid #334155}
   th{background:#0b1220;font-size:.8rem;text-transform:uppercase;letter-spacing:.05em;color:#94a3b8}
   .price{white-space:nowrap;color:#fbbf24}
-  input[type=number]{width:5rem;background:#0b1220;border:1px solid #334155;color:#e2e8f0;
-    border-radius:6px;padding:.35rem .5rem}
-  button{margin-top:1.5rem;background:#6366f1;color:#fff;border:0;border-radius:8px;
-    padding:.7rem 1.4rem;font-size:1rem;cursor:pointer}
+  input[type=number]{width:5rem;background:#0b1220;border:1px solid #334155;color:#e2e8f0;border-radius:6px;padding:.35rem .5rem}
+  button{margin-top:1.5rem;background:#6366f1;color:#fff;border:0;border-radius:8px;padding:.7rem 1.4rem;font-size:1rem;cursor:pointer}
   button:hover{background:#4f46e5}
 </style></head><body><div class="wrap">
-  <h1>${escapeHtml(conn.name)} <small>(virtual supplier)</small></h1>
+  <h1>${escapeXml(supplier.name)} <small>(virtual supplier)</small></h1>
   <div class="sub">Mock catalog served by punchout-simulator. Set quantities and return the cart.</div>
-  <form method="post" action="${getPublicUrl()}/sim/${conn.id}/checkout">
-    <input type="hidden" name="cookie" value="${escapeHtml(cookie)}">
-    <input type="hidden" name="formpost" value="${escapeHtml(formpost)}">
+  <form method="post" action="${getPublicUrl()}/sim/${supplier.id}/checkout">
+    <input type="hidden" name="cookie" value="${escapeXml(cookie)}">
+    <input type="hidden" name="formpost" value="${escapeXml(formpost)}">
+    <input type="hidden" name="bd" value="${escapeXml(bd)}">
+    <input type="hidden" name="bi" value="${escapeXml(bi)}">
     <table><thead><tr><th>Item</th><th>Price</th><th>Qty</th></tr></thead>
     <tbody>${rows}</tbody></table>
     <button type="submit">Return cart to buyer \u2192</button>
@@ -1616,13 +2184,13 @@ simRoute.get("/:id/catalog", (c) => {
 </div></body></html>`);
 });
 simRoute.post("/:id/checkout", async (c) => {
-  const conn = getConnection(c.req.param("id"));
-  const err = requireSupplier(conn);
-  if (err) return c.text(err, 400);
+  const supplier = getSupplier(c.req.param("id"));
+  if (!supplier) return c.text("supplier not found", 404);
   const form = await c.req.parseBody();
   const cookie = String(form.cookie ?? `pos-${nanoid6(16)}`);
   const formpost = safeHttpUrl(String(form.formpost ?? ""));
-  const catalog = catalogOf(conn);
+  const buyerCred = { domain: String(form.bd ?? ""), identity: String(form.bi ?? "") };
+  const catalog = catalogOf(supplier);
   const items = [];
   catalog.forEach((it, i) => {
     const qty = Number(form[`q_${i}`] ?? 0);
@@ -1642,44 +2210,73 @@ simRoute.post("/:id/checkout", async (c) => {
     }
   });
   const currency = items[0]?.currency ?? "USD";
+  const eff = effFor(supplier.id, buyerCred);
   const xml = buildPunchOutOrderMessage({
-    from: conn.from,
-    to: conn.to,
-    sender: conn.sender,
+    from: supplier.identity,
+    to: buyerCred,
+    sender: supplier.identity,
     buyerCookie: cookie,
     payloadId: makePayloadId(host2(), (/* @__PURE__ */ new Date()).toISOString()),
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
     currency,
-    items
+    items,
+    dtdVersion: eff ? dtdVersionFor(eff, "PunchOutOrderMessage") : void 0
   });
   appendLog({
     sessionId: cookie,
-    connectionId: conn.id,
+    connectionId: supplier.id,
     direction: "out",
     docType: "PunchOutOrderMessage",
     headers: { "Content-Type": "application/x-www-form-urlencoded" },
     body: xml,
-    validation: validateDocument(xml, { connection: conn, forceDocType: "PunchOutOrderMessage" })
+    validation: validateDocument(xml, { forceDocType: "PunchOutOrderMessage" })
   });
-  return c.html(`<!doctype html><html lang="en"><head><meta charset="utf-8">
+  const transport = eff?.cartReturnTransport ?? "cxml-urlencoded";
+  return c.html(cartReturnPage(formpost, xml, transport));
+});
+function cartReturnPage(formpost, xml, transport) {
+  const shell = (inner) => `<!doctype html><html lang="en"><head><meta charset="utf-8">
 <title>Returning cart\u2026</title></head>
-<body onload="document.forms[0].submit()" style="font-family:system-ui;background:#0f172a;color:#e2e8f0">
+<body style="font-family:system-ui;background:#0f172a;color:#e2e8f0">
   <p style="padding:2rem">Returning cart to the buyer\u2026</p>
-  <form method="post" action="${escapeHtml(formpost)}">
-    <input type="hidden" name="cxml-urlencoded" value="${escapeHtml(xml)}">
+${inner}
+</body></html>`;
+  if (transport === "raw") {
+    return shell(`  <form method="post" action="${escapeXml(formpost)}">
+    <input type="hidden" name="cxml-urlencoded" value="${escapeXml(xml)}">
     <noscript><button type="submit">Continue</button></noscript>
   </form>
-</body></html>`);
-});
+  <script>
+    fetch(${jsonForScript(formpost)}, { method: "POST",
+      headers: { "Content-Type": "text/xml; charset=UTF-8" },
+      body: ${jsonForScript(xml)} })
+      .then(function () {
+        document.body.replaceChildren();
+        var p = document.createElement("p");
+        p.style.padding = "2rem";
+        p.textContent = "Cart returned to the buyer. You can close this tab.";
+        document.body.appendChild(p);
+      })
+      .catch(function () { document.forms[0].submit(); });
+  </script>`);
+  }
+  const field = transport === "cxml-base64" ? "cxml-base64" : "cxml-urlencoded";
+  const value = transport === "cxml-base64" ? Buffer.from(xml, "utf8").toString("base64") : xml;
+  return shell(`  <form method="post" action="${escapeXml(formpost)}">
+    <input type="hidden" name="${field}" value="${escapeXml(value)}">
+    <noscript><button type="submit">Continue</button></noscript>
+  </form>
+  <script>document.forms[0].submit()</script>`);
+}
 simRoute.post("/:id/order", async (c) => {
-  const conn = getConnection(c.req.param("id"));
-  const err = requireSupplier(conn);
-  if (err) return c.text(err, 400);
+  const supplier = getSupplier(c.req.param("id"));
+  if (!supplier) return c.text("supplier not found", 404);
   const ct = c.req.header("content-type") ?? "";
   const raw = Buffer.from(await c.req.arrayBuffer());
   let xml;
   const availableContentIds = /* @__PURE__ */ new Set();
   const savedRefs = [];
+  let attachmentEncoding;
   if (isMultipart(ct)) {
     const mp = parseMultipartRelated(raw, ct);
     xml = mp.root?.body.toString("utf8") ?? "";
@@ -1687,47 +2284,50 @@ simRoute.post("/:id/order", async (c) => {
       if (part === mp.root) continue;
       const cid = normalizeContentId(part.contentId);
       if (cid) availableContentIds.add(cid);
-      savedRefs.push(
-        saveAttachment(part.body, {
-          contentId: cid,
-          contentType: part.contentType ?? "application/octet-stream"
-        })
-      );
+      if ((part.headers["content-transfer-encoding"] ?? "").toLowerCase() === "base64") {
+        attachmentEncoding = "base64";
+      }
+      savedRefs.push(saveAttachment(part.body, { contentId: cid, contentType: part.contentType ?? "application/octet-stream" }));
     }
+    if (savedRefs.length > 0 && !attachmentEncoding) attachmentEncoding = "binary";
   } else {
     xml = raw.toString("utf8");
   }
   const doc = parseXml(xml);
+  const from = getHeaderCredentials(doc).from;
   const sessionId = findSessionForOrder(doc) ?? `order-${nanoid6(8)}`;
   const validation = validateDocument(xml, {
-    connection: conn,
+    expected: expectedFor(supplier.id, from),
     forceDocType: "OrderRequest",
     availableContentIds: isMultipart(ct) ? availableContentIds : void 0
   });
   appendLog({
     sessionId,
-    connectionId: conn.id,
+    connectionId: supplier.id,
     direction: "in",
     docType: "OrderRequest",
     headers: { "Content-Type": ct },
     body: xml,
     contentType: ct,
     validation,
-    attachments: savedRefs
+    attachments: savedRefs,
+    attachmentEncoding
   });
   const ok = validation.ok;
+  const eff = effFor(supplier.id, from);
   const respXml = buildResponseStatus({
     payloadId: makePayloadId(host2(), (/* @__PURE__ */ new Date()).toISOString()),
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
     statusCode: ok ? "200" : "400",
     statusText: ok ? "OK" : "Bad Request",
-    from: conn.from,
-    to: conn.to,
-    sender: conn.sender
+    from: supplier.identity,
+    to: from ?? { domain: "", identity: "" },
+    sender: supplier.identity,
+    dtdVersion: eff ? dtdVersionFor(eff, "OrderResponse") : void 0
   });
   appendLog({
     sessionId,
-    connectionId: conn.id,
+    connectionId: supplier.id,
     direction: "out",
     docType: "OrderResponse",
     headers: { "Content-Type": "text/xml; charset=UTF-8" },
@@ -1739,22 +2339,32 @@ simRoute.post("/:id/order", async (c) => {
 });
 function findSessionForOrder(doc) {
   const header2 = root(doc)?.Request?.OrderRequest?.OrderRequestHeader;
-  const orderId = header2 ? attrOf(header2, "orderID") : void 0;
-  return orderId ? `order-${orderId}` : void 0;
-}
-function attrOf(node, name) {
-  const v = node?.[`@_${name}`];
-  return v == null ? void 0 : String(v);
-}
-function escapeHtml(s) {
-  return escapeXml(s);
+  const orderId = header2?.["@_orderID"];
+  return orderId ? `order-${String(orderId)}` : void 0;
 }
 
 // src/server/app.ts
 import { relative } from "path";
 function createApp(opts = {}) {
-  const app = new Hono7();
+  const app = new Hono9();
   if (!opts.quiet) app.use("*", logger());
+  app.use(
+    "*",
+    bodyLimit({ maxSize: 24 * 1024 * 1024, onError: (c) => c.json({ error: "payload too large" }, 413) })
+  );
+  app.use("/api/*", async (c, next) => {
+    const token = getToken();
+    if (!token) return next();
+    if (c.req.path === "/api/health") return next();
+    const auth = c.req.header("authorization") ?? "";
+    const provided = (auth.toLowerCase().startsWith("bearer ") ? auth.slice(7).trim() : "") || c.req.header("x-pos-token") || c.req.query("token") || getCookie(c, "pos-api-token") || "";
+    if (provided === token) return next();
+    return c.json({ error: "unauthorized" }, 401);
+  });
+  app.route("/api/buyers", buyersRoute);
+  app.route("/api/suppliers", suppliersRoute);
+  app.route("/api/profiles", profilesRoute);
+  app.route("/api/profile-presets", profilePresetsRoute);
   app.route("/api/connections", connectionsRoute);
   app.route("/api/connections", flowRoute);
   app.route("/api", dataRoute);
@@ -1782,34 +2392,30 @@ function relativeToCwd(abs) {
 // src/server/seed.ts
 async function seedDemoIfEmpty() {
   if (listConnections().length > 0) return;
-  const supplier = await createConnection({
+  const buyer = await createBuyer({
+    id: "demo-buyer",
+    name: "Demo Buyer",
+    identity: { domain: "DUNS", identity: "123456789" },
+    // Exercise a non-default platform profile end-to-end (Coupa: per-doc-type
+    // DTD versions, base64 attachments). Built-in profiles are seeded by initConfig.
+    profileId: "coupa"
+  });
+  const supplier = await createSupplier({
     id: "demo-supplier",
     name: "Demo Supplier (built-in mock)",
-    mode: "virtual-supplier",
-    from: { domain: "DUNS", identity: "987654321" },
-    // supplier identity (the tool)
-    to: { domain: "DUNS", identity: "123456789" },
-    // buyer identity (counterparty)
-    sender: { domain: "DUNS", identity: "987654321" },
-    sharedSecret: "demo-secret",
-    deploymentMode: "test",
-    authStyle: "SharedSecret",
+    identity: { domain: "DUNS", identity: "987654321" },
+    punchoutUrl: `${getPublicUrl()}/sim/demo-supplier/punchout`,
+    orderUrl: `${getPublicUrl()}/sim/demo-supplier/order`,
     catalog: []
   });
   await createConnection({
-    id: "demo-buyer",
-    name: "Demo Buyer \u2192 built-in supplier",
+    id: "demo",
+    name: "Demo Buyer \u2192 Demo Supplier",
+    buyerId: buyer.id,
+    supplierId: supplier.id,
     mode: "virtual-buyer",
-    from: { domain: "DUNS", identity: "123456789" },
-    // buyer identity (the tool)
-    to: { domain: "DUNS", identity: "987654321" },
-    // supplier identity (counterparty)
-    sender: { domain: "DUNS", identity: "123456789" },
     sharedSecret: "demo-secret",
-    deploymentMode: "test",
-    authStyle: "SharedSecret",
-    punchoutUrl: `${getPublicUrl()}/sim/${supplier.id}/punchout`,
-    orderUrl: `${getPublicUrl()}/sim/${supplier.id}/order`
+    deploymentMode: "test"
   });
 }
 
@@ -1818,6 +2424,8 @@ function parseFlags(argv) {
   const flags = {
     port: Number(process.env.PORT ?? 8080),
     dataDir: process.env.DATA_DIR ?? "./data",
+    host: process.env.HOST,
+    token: process.env.POS_TOKEN,
     open: true,
     dev: false,
     seed: true
@@ -1837,6 +2445,12 @@ function parseFlags(argv) {
       case "--public-url":
         flags.publicUrl = next();
         break;
+      case "--host":
+        flags.host = next();
+        break;
+      case "--token":
+        flags.token = next();
+        break;
       case "--no-open":
         flags.open = false;
         break;
@@ -1855,6 +2469,14 @@ function parseFlags(argv) {
   }
   return flags;
 }
+var LOOPBACK = /* @__PURE__ */ new Set(["localhost", "127.0.0.1", "::1", "[::1]", ""]);
+function hostnameOf(url) {
+  try {
+    return new URL(url).hostname;
+  } catch {
+    return "";
+  }
+}
 function printHelp() {
   console.log(`punchout-simulator \u2014 test cXML PunchOut integrations as a virtual counterparty
 
@@ -1865,6 +2487,9 @@ Options:
   -d, --data-dir <path>  Where to store config + logs (default ./data)
       --public-url <url> Externally reachable base URL (default http://localhost:<port>)
                          Set this when fronting the tool with ngrok/cloudflared.
+      --host <addr>      Bind address (default 127.0.0.1; use 0.0.0.0 for LAN)
+      --token <secret>   Require this token on /api (auto-generated when exposed
+                         and not provided; or set POS_TOKEN)
       --no-open          Do not open a browser on start
       --no-seed          Do not seed the built-in demo connections on first run
       --dev              Dev mode (do not serve SPA, do not open browser)
@@ -1874,22 +2499,32 @@ Options:
 async function main() {
   const flags = parseFlags(process.argv.slice(2));
   const publicUrl = flags.publicUrl ?? `http://localhost:${flags.port}`;
+  const bindHost = flags.host ?? "127.0.0.1";
+  const exposed = !LOOPBACK.has(hostnameOf(publicUrl)) || !LOOPBACK.has(bindHost);
+  const token = flags.token || (exposed ? nanoid7(24) : void 0);
   setDataDir(flags.dataDir);
-  setRuntime({ port: flags.port, publicUrl });
+  setRuntime({ port: flags.port, publicUrl, token });
   await initConfig();
   if (flags.seed) await seedDemoIfEmpty();
   const webRoot = flags.dev ? void 0 : fileURLToPath(new URL("../web", import.meta.url));
   const app = createApp({ webRoot, quiet: false });
-  serve({ fetch: app.fetch, port: flags.port }, (info) => {
-    const url = `http://localhost:${info.port}`;
+  serve({ fetch: app.fetch, port: flags.port, hostname: bindHost }, (info) => {
+    const local = `http://${bindHost}:${info.port}`;
     console.log(`
-  punchout-simulator listening on ${url}`);
-    if (getPublicUrl() !== url) console.log(`  public URL: ${getPublicUrl()}`);
+  punchout-simulator listening on ${local}`);
+    if (getPublicUrl() !== local) console.log(`  public URL: ${getPublicUrl()}`);
     console.log(`  data dir:   ${flags.dataDir}`);
-    console.log(`  callback:   ${getPublicUrl()}/punchout/return
-`);
+    console.log(`  callback:   ${getPublicUrl()}/punchout/return`);
+    const openUrl = token ? `${getPublicUrl()}/?token=${token}` : local;
+    if (token) {
+      console.log(`
+  \u26A0 EXPOSED: /api requires a token. Open the UI with the token:`);
+      console.log(`     ${openUrl}`);
+      console.log(`     (inbound /sim and /punchout stay open for buyer traffic)`);
+    }
+    console.log("");
     if (flags.open) {
-      import("open").then((m) => m.default(url)).catch(() => {
+      import("open").then((m) => m.default(token ? `http://localhost:${info.port}/?token=${token}` : local)).catch(() => {
       });
     }
   });
@@ -1898,4 +2533,3 @@ main().catch((e) => {
   console.error(e);
   process.exit(1);
 });
-//# sourceMappingURL=cli.js.map