punchout-simulator 0.2.0 → 0.3.0

package/dist/server/cli.js

@@ -3,23 +3,149 @@
 // src/server/cli.ts
 import { fileURLToPath } from "url";
 import { serve } from "@hono/node-server";
+import { nanoid as nanoid7 } from "nanoid";
 
 // src/server/app.ts
 import { existsSync as existsSync3 } from "fs";
-import { Hono as Hono8 } from "hono";
+import { Hono as Hono9 } from "hono";
 import { logger } from "hono/logger";
+import { bodyLimit } from "hono/body-limit";
+import { getCookie } from "hono/cookie";
 import { serveStatic } from "@hono/node-server/serve-static";
 
+// src/server/runtime.ts
+var runtime = {
+  port: 8080,
+  publicUrl: "http://localhost:8080"
+};
+function setRuntime(r) {
+  Object.assign(runtime, r);
+}
+function getToken() {
+  return runtime.token;
+}
+function getPublicUrl() {
+  return runtime.publicUrl.replace(/\/$/, "");
+}
+function browserFormPostUrl() {
+  return `${getPublicUrl()}/punchout/return`;
+}
+
 // src/server/routes/connections.ts
 import { Hono } from "hono";
 
 // src/server/store/config.ts
+import { chmodSync as chmodSync2 } from "fs";
 import { Low } from "lowdb";
 import { JSONFile } from "lowdb/node";
 import { nanoid } from "nanoid";
 
+// src/server/cxml/profile-presets.ts
+var PROFILE_PRESETS = [
+  {
+    id: "generic",
+    name: "Generic cXML",
+    platform: "Generic",
+    builtin: true,
+    dtdVersions: { default: "1.2.045" },
+    userAgent: "punchout-simulator",
+    setupOperation: "create",
+    attachmentEncoding: "binary",
+    cartReturnTransport: "cxml-urlencoded",
+    extrinsics: []
+  },
+  {
+    id: "ariba",
+    name: "SAP Ariba",
+    platform: "Ariba",
+    builtin: true,
+    dtdVersions: { default: "1.2.045", PunchOutOrderMessage: "1.2.045" },
+    userAgent: "Ariba Network/1.0",
+    setupOperation: "create",
+    attachmentEncoding: "base64",
+    cartReturnTransport: "cxml-urlencoded",
+    extrinsics: [{ name: "User", value: "${buyerCookie}", scope: "setup" }]
+  },
+  {
+    id: "coupa",
+    name: "Coupa",
+    platform: "Coupa",
+    builtin: true,
+    // Coupa publishes specific DTD versions per document type.
+    dtdVersions: { default: "1.2.014", PunchOutOrderMessage: "1.2.023" },
+    userAgent: "Coupa Procurement",
+    setupOperation: "create",
+    attachmentEncoding: "base64",
+    cartReturnTransport: "cxml-urlencoded",
+    extrinsics: []
+  },
+  {
+    id: "jaggaer",
+    name: "JAGGAER",
+    platform: "Jaggaer",
+    builtin: true,
+    dtdVersions: { default: "1.2.021" },
+    userAgent: "JAGGAER Procurement",
+    setupOperation: "create",
+    attachmentEncoding: "binary",
+    cartReturnTransport: "cxml-urlencoded",
+    extrinsics: []
+  },
+  {
+    id: "oracle",
+    name: "Oracle iProcurement",
+    platform: "Oracle",
+    builtin: true,
+    dtdVersions: { default: "1.2.008" },
+    userAgent: "Oracle iProcurement",
+    setupOperation: "create",
+    attachmentEncoding: "binary",
+    cartReturnTransport: "cxml-urlencoded",
+    extrinsics: []
+  },
+  {
+    id: "sap-srm",
+    name: "SAP SRM / Business Network",
+    platform: "SAP",
+    builtin: true,
+    // NOTE: real SAP SRM speaks OCI (form parameters), which this cXML-only tool
+    // cannot emit. This profile models the cXML/Business-Network side: base64
+    // attachments and a base64 cart return.
+    dtdVersions: { default: "1.2.040" },
+    userAgent: "SAP Business Network",
+    setupOperation: "create",
+    attachmentEncoding: "base64",
+    cartReturnTransport: "cxml-base64",
+    extrinsics: []
+  },
+  {
+    id: "workday",
+    name: "Workday",
+    platform: "Workday",
+    builtin: true,
+    dtdVersions: { default: "1.2.045" },
+    userAgent: "Workday Strategic Sourcing",
+    setupOperation: "create",
+    attachmentEncoding: "base64",
+    cartReturnTransport: "cxml-urlencoded",
+    extrinsics: []
+  }
+];
+var GENERIC_PROFILE = {
+  ...PROFILE_PRESETS[0],
+  createdAt: "",
+  updatedAt: ""
+};
+function seedBuiltinProfiles(data, now2) {
+  for (const preset of PROFILE_PRESETS) {
+    if (!data.profiles.some((p) => p.id === preset.id)) {
+      data.profiles.push({ ...preset, createdAt: now2, updatedAt: now2 });
+    }
+  }
+}
+
 // src/server/store/paths.ts
-import { mkdirSync } from "fs";
+import { chmodSync, mkdirSync } from "fs";
 import { resolve } from "path";
 var dataDir = resolve(process.cwd(), "data");
 function setDataDir(dir) {
@@ -40,9 +166,13 @@ function sessionFile(sessionId) {
   return resolve(sessionsDir(), `${safe}.jsonl`);
 }
 function ensureDirs() {
-  mkdirSync(dataDir, { recursive: true });
-  mkdirSync(sessionsDir(), { recursive: true });
-  mkdirSync(attachmentsDir(), { recursive: true });
+  for (const d of [dataDir, sessionsDir(), attachmentsDir()]) {
+    mkdirSync(d, { recursive: true, mode: 448 });
+    try {
+      chmodSync(d, 448);
+    } catch {
+    }
+  }
 }
 
 // src/server/store/config.ts
@@ -50,14 +180,20 @@ var db = null;
 async function initConfig() {
   ensureDirs();
   const adapter = new JSONFile(configPath());
-  db = new Low(adapter, { buyers: [], suppliers: [], connections: [] });
+  db = new Low(adapter, { buyers: [], suppliers: [], connections: [], profiles: [] });
   await db.read();
-  db.data ||= { buyers: [], suppliers: [], connections: [] };
+  db.data ||= { buyers: [], suppliers: [], connections: [], profiles: [] };
   db.data.buyers ||= [];
   db.data.suppliers ||= [];
   db.data.connections ||= [];
+  db.data.profiles ||= [];
+  seedBuiltinProfiles(db.data, now());
   migrateLegacy(db.data);
   await db.write();
+  try {
+    chmodSync2(configPath(), 384);
+  } catch {
+  }
 }
 function requireDb() {
   if (!db) throw new Error("config store not initialized \u2014 call initConfig() first");
@@ -166,6 +302,53 @@ function findConnectionBySupplierAndBuyerIdentity(supplierId, from) {
   }
   return void 0;
 }
+var listProfiles = () => requireDb().data.profiles;
+var getProfile = (id) => requireDb().data.profiles.find((p) => p.id === id);
+async function createProfile(input) {
+  const profile = { ...input, id: input.id ?? nanoid(8), createdAt: now(), updatedAt: now() };
+  const d = requireDb();
+  d.data.profiles.push(profile);
+  await d.write();
+  return profile;
+}
+async function updateProfile(id, patch) {
+  const d = requireDb();
+  const existing = d.data.profiles.find((p) => p.id === id);
+  if (!existing) return void 0;
+  Object.assign(existing, patch, { id, updatedAt: now() });
+  await d.write();
+  return existing;
+}
+async function deleteProfile(id) {
+  const d = requireDb();
+  if (d.data.buyers.some((b) => b.profileId === id)) {
+    throw new Error("profile is referenced by a buyer");
+  }
+  const before = d.data.profiles.length;
+  d.data.profiles = d.data.profiles.filter((p) => p.id !== id);
+  const removed = d.data.profiles.length < before;
+  if (removed) await d.write();
+  return removed;
+}
+function profileForBuyer(buyer) {
+  const p = buyer.profileId ? getProfile(buyer.profileId) : void 0;
+  return p ?? getProfile("generic") ?? GENERIC_PROFILE;
+}
+function effectiveProfile(connection, buyer) {
+  const p = profileForBuyer(buyer);
+  return {
+    dtdVersions: p.dtdVersions,
+    userAgent: p.userAgent,
+    setupOperation: p.setupOperation,
+    // Connection attachmentEncoding is concrete by construction → explicit override.
+    attachmentEncoding: connection.attachmentEncoding ?? p.attachmentEncoding,
+    cartReturnTransport: p.cartReturnTransport,
+    extrinsics: p.extrinsics
+  };
+}
+function dtdVersionFor(eff, docType) {
+  return eff.dtdVersions[docType] ?? eff.dtdVersions.default;
+}
 function migrateLegacy(data) {
   const legacy = data.connections.filter((c) => "from" in c || "to" in c);
   if (legacy.length === 0) return;
@@ -219,7 +402,6 @@ function migrateLegacy(data) {
       sharedSecret: c.sharedSecret ?? "",
       senderIdentity: c.sender,
       deploymentMode: c.deploymentMode ?? "test",
-      authStyle: c.authStyle ?? "SharedSecret",
       createdAt: c.createdAt ?? now(),
       updatedAt: now()
     });
@@ -239,7 +421,7 @@ function normalize(body) {
     sharedSecret: String(body?.sharedSecret ?? ""),
     senderIdentity: sender,
     deploymentMode: body?.deploymentMode === "production" ? "production" : "test",
-    authStyle: body?.authStyle === "MAC" ? "MAC" : "SharedSecret"
+    attachmentEncoding: body?.attachmentEncoding === "base64" ? "base64" : "binary"
   };
 }
 function validate(input) {
@@ -254,11 +436,14 @@ function withLabel(input) {
   const supplier = getSupplier(input.supplierId);
   return { ...input, name: `${buyer?.name ?? "Buyer"} \u2192 ${supplier?.name ?? "Supplier"}` };
 }
+function maskSecret(conn) {
+  return { ...conn, sharedSecret: "", hasSharedSecret: !!conn.sharedSecret };
+}
 connectionsRoute.get(
   "/",
   (c) => c.json(
     listConnections().map((conn) => ({
-      ...conn,
+      ...maskSecret(conn),
       buyer: getBuyer(conn.buyerId),
       supplier: getSupplier(conn.supplierId)
     }))
@@ -268,21 +453,23 @@ connectionsRoute.post("/", async (c) => {
   const input = normalize(await c.req.json().catch(() => ({})));
   const errors = validate(input);
   if (errors.length) return c.json({ errors }, 400);
-  return c.json(await createConnection(withLabel(input)), 201);
+  return c.json(maskSecret(await createConnection(withLabel(input))), 201);
 });
 connectionsRoute.get("/:id", (c) => {
   const resolved = resolveConnection(c.req.param("id"));
-  if (resolved) return c.json({ ...resolved.connection, buyer: resolved.buyer, supplier: resolved.supplier });
+  if (resolved) return c.json({ ...maskSecret(resolved.connection), buyer: resolved.buyer, supplier: resolved.supplier });
   const conn = getConnection(c.req.param("id"));
-  return conn ? c.json(conn) : c.json({ error: "not found" }, 404);
+  return conn ? c.json(maskSecret(conn)) : c.json({ error: "not found" }, 404);
 });
 connectionsRoute.put("/:id", async (c) => {
   const existing = getConnection(c.req.param("id"));
   if (!existing) return c.json({ error: "not found" }, 404);
-  const input = normalize({ ...existing, ...await c.req.json().catch(() => ({})) });
+  const body = await c.req.json().catch(() => ({}));
+  if (!body || !body.sharedSecret) delete body.sharedSecret;
+  const input = normalize({ ...existing, ...body });
   const errors = validate(input);
   if (errors.length) return c.json({ errors }, 400);
-  return c.json(await updateConnection(c.req.param("id"), withLabel(input)));
+  return c.json(maskSecret(await updateConnection(c.req.param("id"), withLabel(input))));
 });
 connectionsRoute.delete("/:id", async (c) => {
   const ok = await deleteConnection(c.req.param("id"));
@@ -297,7 +484,11 @@ var cred = (c) => ({
 });
 var buyersRoute = new Hono2();
 function normalizeBuyer(body) {
-  return { name: String(body?.name ?? "Untitled buyer"), identity: cred(body?.identity) };
+  return {
+    name: String(body?.name ?? "Untitled buyer"),
+    identity: cred(body?.identity),
+    profileId: body?.profileId ? String(body.profileId) : void 0
+  };
 }
 buyersRoute.get("/", (c) => c.json(listBuyers()));
 buyersRoute.post("/", async (c) => {
@@ -366,8 +557,77 @@ suppliersRoute.delete("/:id", async (c) => {
   }
 });
 
-// src/server/routes/flow.ts
+// src/server/routes/profiles.ts
 import { Hono as Hono3 } from "hono";
+var profilesRoute = new Hono3();
+var profilePresetsRoute = new Hono3();
+var VERSION_KEYS = [
+  "SetupRequest",
+  "SetupResponse",
+  "PunchOutOrderMessage",
+  "OrderRequest",
+  "OrderResponse"
+];
+function normalizeDtdVersions(v) {
+  const out = { default: String(v?.default ?? "1.2.045") };
+  for (const k of VERSION_KEYS) {
+    if (v?.[k]) out[k] = String(v[k]);
+  }
+  return out;
+}
+function normalizeExtrinsics(v) {
+  if (!Array.isArray(v)) return [];
+  return v.map((e) => ({
+    name: String(e?.name ?? ""),
+    value: String(e?.value ?? ""),
+    scope: e?.scope === "order" ? "order" : "setup"
+  })).filter((e) => e.name.trim().length > 0);
+}
+function normalizeProfile(body) {
+  const setupOperation = ["create", "edit", "inspect"].includes(body?.setupOperation) ? body.setupOperation : "create";
+  const attachmentEncoding = body?.attachmentEncoding === "base64" ? "base64" : "binary";
+  const cartReturnTransport = ["cxml-urlencoded", "cxml-base64", "raw"].includes(
+    body?.cartReturnTransport
+  ) ? body.cartReturnTransport : "cxml-urlencoded";
+  return {
+    name: String(body?.name ?? "Untitled profile"),
+    platform: body?.platform ? String(body.platform) : void 0,
+    dtdVersions: normalizeDtdVersions(body?.dtdVersions),
+    userAgent: String(body?.userAgent ?? "punchout-simulator"),
+    setupOperation,
+    attachmentEncoding,
+    cartReturnTransport,
+    extrinsics: normalizeExtrinsics(body?.extrinsics)
+    // `builtin` is never set from the wire — only code-seeded presets carry it.
+  };
+}
+profilesRoute.get("/", (c) => c.json(listProfiles()));
+profilesRoute.post("/", async (c) => {
+  const input = normalizeProfile(await c.req.json().catch(() => ({})));
+  if (!input.name.trim()) return c.json({ errors: ["name is required"] }, 400);
+  return c.json(await createProfile(input), 201);
+});
+profilesRoute.get("/:id", (c) => {
+  const p = getProfile(c.req.param("id"));
+  return p ? c.json(p) : c.json({ error: "not found" }, 404);
+});
+profilesRoute.put("/:id", async (c) => {
+  if (!getProfile(c.req.param("id"))) return c.json({ error: "not found" }, 404);
+  const input = normalizeProfile(await c.req.json().catch(() => ({})));
+  return c.json(await updateProfile(c.req.param("id"), input));
+});
+profilesRoute.delete("/:id", async (c) => {
+  try {
+    const ok = await deleteProfile(c.req.param("id"));
+    return ok ? c.json({ ok: true }) : c.json({ error: "not found" }, 404);
+  } catch (e) {
+    return c.json({ error: e instanceof Error ? e.message : String(e) }, 409);
+  }
+});
+profilePresetsRoute.get("/", (c) => c.json(PROFILE_PRESETS));
+
+// src/server/routes/flow.ts
+import { Hono as Hono4 } from "hono";
 import { nanoid as nanoid5 } from "nanoid";
 
 // src/server/store/log.ts
@@ -392,14 +652,19 @@ var bus = new Bus();
 bus.setMaxListeners(0);
 
 // src/server/store/log.ts
+function redactSecrets(body) {
+  if (!body) return body ?? "";
+  return body.replace(/(<SharedSecret>)[\s\S]*?(<\/SharedSecret>)/g, "$1***$2");
+}
 function appendLog(input) {
   ensureDirs();
   const record = {
     ...input,
+    body: redactSecrets(input.body),
     id: input.id ?? nanoid2(12),
     ts: input.ts ?? (/* @__PURE__ */ new Date()).toISOString()
   };
-  appendFileSync(sessionFile(record.sessionId), JSON.stringify(record) + "\n", "utf8");
+  appendFileSync(sessionFile(record.sessionId), JSON.stringify(record) + "\n", { encoding: "utf8", mode: 384 });
   bus.emitLog(record);
   return record;
 }
@@ -449,8 +714,13 @@ function normalizeContentId(cid) {
   if (!cid) return "";
   return cid.trim().replace(/^<+/, "").replace(/>+$/, "").trim();
 }
+function base64Wrapped(data) {
+  const lines = data.toString("base64").match(/.{1,76}/g) ?? [];
+  return Buffer.from(lines.join("\r\n"), "utf8");
+}
 function buildMultipartRelated(cxml, attachments, opts = {}) {
-  const boundary = `cxml-${nanoid3(20)}`;
+  const boundary = opts.boundary || `cxml-${nanoid3(20)}`;
+  const useBase64 = opts.attachmentEncoding === "base64";
   const mainCid = opts.mainContentId ?? `cxml-main@punchout-simulator`;
   const CRLF = "\r\n";
   const parts = [];
@@ -473,11 +743,11 @@ function buildMultipartRelated(cxml, attachments, opts = {}) {
     pushPart(
       [
         `Content-Type: ${att.contentType}`,
-        `Content-Transfer-Encoding: binary`,
+        `Content-Transfer-Encoding: ${useBase64 ? "base64" : "binary"}`,
         `Content-ID: <${normalizeContentId(att.contentId)}>`,
         disposition
       ],
-      att.data
+      useBase64 ? base64Wrapped(att.data) : att.data
     );
   }
   parts.push(Buffer.from(`--${boundary}--${CRLF}`, "utf8"));
@@ -491,6 +761,10 @@ function getBoundary(contentType) {
   const m = /boundary="?([^";]+)"?/i.exec(contentType);
   return m?.[1];
 }
+function getStartCid(contentType) {
+  const m = /start="?<?([^">]+)>?"?/i.exec(contentType);
+  return m ? normalizeContentId(m[1]) : void 0;
+}
 function isMultipart(contentType) {
   return !!contentType && /^multipart\//i.test(contentType.trim());
 }
@@ -520,6 +794,9 @@ function parseMultipartRelated(body, contentType) {
         headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
       }
     }
+    if (headers["content-transfer-encoding"]?.toLowerCase() === "base64") {
+      bodyBuf = Buffer.from(bodyBuf.toString("utf8"), "base64");
+    }
     parts.push({
       headers,
       contentId: normalizeContentId(headers["content-id"]),
@@ -568,7 +845,7 @@ function saveAttachment(data, meta) {
   ensureDirs();
   const hash = createHash("sha256").update(data).digest("hex");
   const path = resolve2(attachmentsDir(), hash);
-  if (!existsSync2(path)) writeFileSync(path, data);
+  if (!existsSync2(path)) writeFileSync(path, data, { mode: 384 });
   return {
     contentId: normalizeContentId(meta.contentId),
     filename: meta.filename,
@@ -603,14 +880,32 @@ function connectionForSession(sessionId) {
 }
 
 // src/server/http.ts
+function assertSafeOutboundUrl(url) {
+  let u;
+  try {
+    u = new URL(url);
+  } catch {
+    throw new Error(`invalid URL: ${url}`);
+  }
+  if (u.protocol !== "http:" && u.protocol !== "https:") {
+    throw new Error(`unsupported URL scheme "${u.protocol}" (only http/https allowed)`);
+  }
+  if (u.username || u.password) {
+    throw new Error("credentials embedded in the URL are not allowed");
+  }
+}
 async function sendCxml(url, body, contentType = "text/xml; charset=UTF-8", timeoutMs = 3e4) {
   const controller = new AbortController();
   const timer = setTimeout(() => controller.abort(), timeoutMs);
   try {
+    assertSafeOutboundUrl(url);
     const res = await fetch(url, {
       method: "POST",
       headers: { "Content-Type": contentType },
       body,
+      // Do not transparently follow redirects to a different host (SSRF pivot);
+      // a 3xx is surfaced to the caller as the response instead.
+      redirect: "manual",
       signal: controller.signal
     });
     const headers = {};
@@ -636,21 +931,6 @@ async function sendCxml(url, body, contentType = "text/xml; charset=UTF-8", time
   }
 }
 
-// src/server/runtime.ts
-var runtime = {
-  port: 8080,
-  publicUrl: "http://localhost:8080"
-};
-function setRuntime(r) {
-  Object.assign(runtime, r);
-}
-function getPublicUrl() {
-  return runtime.publicUrl.replace(/\/$/, "");
-}
-function browserFormPostUrl() {
-  return `${getPublicUrl()}/punchout/return`;
-}
-
 // src/server/cxml/build.ts
 import { nanoid as nanoid4 } from "nanoid";
 function escapeXml(value) {
@@ -684,14 +964,24 @@ ${credentialBlock("To", p.to)}
 ${senderBlock(p.sender, p.sharedSecret, p.userAgent)}
   </Header>`;
 }
-var DECLARATION = `<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE cXML SYSTEM "http://xml.cxml.org/schemas/cXML/1.2.045/cXML.dtd">`;
-function envelope(payloadId, timestamp, lang, inner) {
-  return `${DECLARATION}
+var DEFAULT_DTD_VERSION = "1.2.045";
+function doctype(version) {
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE cXML SYSTEM "http://xml.cxml.org/schemas/cXML/${escapeXml(version)}/cXML.dtd">`;
+}
+function envelope(payloadId, timestamp, lang, inner, dtdVersion = DEFAULT_DTD_VERSION) {
+  return `${doctype(dtdVersion)}
 <cXML payloadID="${escapeXml(payloadId)}" timestamp="${escapeXml(timestamp)}" xml:lang="${escapeXml(lang)}">
 ${inner}
 </cXML>`;
 }
+function applyExtrinsicTokens(value, tokens) {
+  return value.replace(/\$\{(\w+)\}/g, (_, k) => tokens[k] ?? "");
+}
+function extrinsicBlock(items, indent) {
+  if (!items || items.length === 0) return "";
+  return "\n" + items.map((e) => `${indent}<Extrinsic name="${escapeXml(e.name)}">${escapeXml(e.value)}</Extrinsic>`).join("\n");
+}
 function buildSetupRequest(o) {
   const lang = o.lang ?? "en-US";
   const deployment = o.deploymentMode ? ` deploymentMode="${escapeXml(o.deploymentMode)}"` : "";
@@ -699,17 +989,18 @@ function buildSetupRequest(o) {
     from: o.from,
     to: o.to,
     sender: o.sender,
-    sharedSecret: o.sharedSecret
+    sharedSecret: o.sharedSecret,
+    userAgent: o.userAgent
   })}
   <Request${deployment}>
     <PunchOutSetupRequest operation="${escapeXml(o.operation ?? "create")}">
       <BuyerCookie>${escapeXml(o.buyerCookie)}</BuyerCookie>
       <BrowserFormPost>
         <URL>${escapeXml(o.browserFormPostUrl)}</URL>
-      </BrowserFormPost>
+      </BrowserFormPost>${extrinsicBlock(o.extrinsics, "      ")}
     </PunchOutSetupRequest>
   </Request>`;
-  return envelope(o.payloadId, o.timestamp, lang, inner);
+  return envelope(o.payloadId, o.timestamp, lang, inner, o.dtdVersion);
 }
 function addressBlock(tag, a) {
   return `      <${tag}>
@@ -771,7 +1062,8 @@ function buildOrderRequest(o) {
     from: o.from,
     to: o.to,
     sender: o.sender,
-    sharedSecret: o.sharedSecret
+    sharedSecret: o.sharedSecret,
+    userAgent: o.userAgent
   })}
   <Request${deployment}>
     <OrderRequest>
@@ -782,12 +1074,15 @@ function buildOrderRequest(o) {
           <Money currency="${escapeXml(o.currency)}">${escapeXml(o.total)}</Money>
         </Total>
 ${addressBlock("ShipTo", o.shipTo ?? {})}
-${addressBlock("BillTo", o.billTo ?? {})}${commentsWithAttachments(orderLevelCids, "        ")}
+${addressBlock("BillTo", o.billTo ?? {})}${commentsWithAttachments(orderLevelCids, "        ")}${extrinsicBlock(
+    o.extrinsics,
+    "        "
+  )}
       </OrderRequestHeader>
 ${items}
     </OrderRequest>
   </Request>`;
-  return envelope(o.payloadId, o.timestamp, lang, inner);
+  return envelope(o.payloadId, o.timestamp, lang, inner, o.dtdVersion);
 }
 function optionalHeader(p) {
   return p ? `${header({ from: p.from, to: p.to, sender: p.sender })}
@@ -805,7 +1100,7 @@ function buildSetupResponse(o) {
       </StartPage>
     </PunchOutSetupResponse>
   </Response>`;
-  return envelope(o.payloadId, o.timestamp, o.lang ?? "en-US", inner);
+  return envelope(o.payloadId, o.timestamp, o.lang ?? "en-US", inner, o.dtdVersion);
 }
 function buildResponseStatus(o) {
   const head = o.from && o.to && o.sender ? optionalHeader({ from: o.from, to: o.to, sender: o.sender }) : "";
@@ -814,7 +1109,7 @@ function buildResponseStatus(o) {
     o.statusText ?? "OK"
   )}">${escapeXml(o.statusText === "OK" || !o.statusText ? "" : o.statusText)}</Status>
   </Response>`;
-  return envelope(o.payloadId, o.timestamp, o.lang ?? "en-US", inner);
+  return envelope(o.payloadId, o.timestamp, o.lang ?? "en-US", inner, o.dtdVersion);
 }
 function buildPunchOutOrderMessage(o) {
   const total = o.items.reduce(
@@ -846,7 +1141,7 @@ function buildPunchOutOrderMessage(o) {
   <Message>
     <PunchOutOrderMessage>
       <BuyerCookie>${escapeXml(o.buyerCookie)}</BuyerCookie>
-      <PunchOutOrderMessageHeader operationAllowed="create">
+      <PunchOutOrderMessageHeader operationAllowed="${escapeXml(o.operationAllowed ?? "create")}">
         <Total>
           <Money currency="${escapeXml(o.currency)}">${escapeXml(total.toFixed(2))}</Money>
         </Total>
@@ -854,7 +1149,7 @@ function buildPunchOutOrderMessage(o) {
 ${items}
     </PunchOutOrderMessage>
   </Message>`;
-  return envelope(o.payloadId, o.timestamp, o.lang ?? "en-US", inner);
+  return envelope(o.payloadId, o.timestamp, o.lang ?? "en-US", inner, o.dtdVersion);
 }
 
 // src/server/cxml/parse.ts
@@ -871,6 +1166,9 @@ var parser = new XMLParser({
   isArray: (name) => ["ItemIn", "ItemOut", "Attachment", "Comments", "Extrinsic"].includes(name)
 });
 function parseXml(raw) {
+  if (/<!ENTITY/i.test(raw)) {
+    return { raw, tree: null, wellFormed: false, wellFormedError: "DTD entity definitions are not allowed" };
+  }
   const check = XMLValidator.validate(raw, { allowBooleanAttributes: true });
   if (check !== true) {
     return {
@@ -1121,7 +1419,7 @@ function checkGeneral(doc, ctx, issues) {
 }
 function checkSharedSecret(doc, ctx, issues) {
   const exp = ctx.expected;
-  if (!exp || exp.authStyle !== "SharedSecret") return;
+  if (!exp) return;
   const creds = getHeaderCredentials(doc);
   if (!creds.sharedSecret) {
     issues.warn(
@@ -1363,7 +1661,7 @@ function validateDocument(raw, ctx = {}) {
 }
 
 // src/server/routes/flow.ts
-var flowRoute = new Hono3();
+var flowRoute = new Hono4();
 function host() {
   try {
     return new URL(getPublicUrl()).host;
@@ -1376,6 +1674,7 @@ function buyerContext(r) {
   const from = buyer.identity;
   const to = supplier.identity;
   const sender = connection.senderIdentity ?? buyer.identity;
+  const eff = effectiveProfile(connection, buyer);
   return {
     from,
     to,
@@ -1385,9 +1684,17 @@ function buyerContext(r) {
     orderUrl: supplier.orderUrl,
     deploymentMode: connection.deploymentMode,
     connectionId: connection.id,
-    expected: { from, to, sender, sharedSecret: connection.sharedSecret, authStyle: connection.authStyle }
+    attachmentEncoding: eff.attachmentEncoding,
+    eff,
+    expected: { from, to, sender, sharedSecret: connection.sharedSecret }
   };
 }
+function setupExtrinsics(ctx, buyerCookie) {
+  return ctx.eff.extrinsics.filter((e) => e.scope === "setup").map((e) => ({ name: e.name, value: applyExtrinsicTokens(e.value, { buyerCookie }) }));
+}
+function orderExtrinsics(ctx, orderId) {
+  return ctx.eff.extrinsics.filter((e) => e.scope === "order").map((e) => ({ name: e.name, value: applyExtrinsicTokens(e.value, { orderId }) }));
+}
 function resolveVirtualBuyer(id) {
   const r = resolveConnection(id);
   if (!r) return { error: "connection not found (or its buyer/supplier is missing)" };
@@ -1408,7 +1715,11 @@ flowRoute.get("/:id/setup/preview", (c) => {
     browserFormPostUrl: browserFormPostUrl(),
     payloadId: makePayloadId(host(), (/* @__PURE__ */ new Date()).toISOString()),
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    deploymentMode: ctx.deploymentMode
+    deploymentMode: ctx.deploymentMode,
+    operation: ctx.eff.setupOperation,
+    dtdVersion: dtdVersionFor(ctx.eff, "SetupRequest"),
+    userAgent: ctx.eff.userAgent,
+    extrinsics: setupExtrinsics(ctx, buyerCookie)
   });
   return c.json({ buyerCookie, xml, browserFormPostUrl: browserFormPostUrl() });
 });
@@ -1427,7 +1738,11 @@ flowRoute.post("/:id/setup", async (c) => {
     browserFormPostUrl: browserFormPostUrl(),
     payloadId: makePayloadId(host(), (/* @__PURE__ */ new Date()).toISOString()),
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    deploymentMode: ctx.deploymentMode
+    deploymentMode: ctx.deploymentMode,
+    operation: ctx.eff.setupOperation,
+    dtdVersion: dtdVersionFor(ctx.eff, "SetupRequest"),
+    userAgent: ctx.eff.userAgent,
+    extrinsics: setupExtrinsics(ctx, buyerCookie)
   });
   rememberSessionConnection(buyerCookie, ctx.connectionId);
   const reqValidation = validateDocument(xml, { expected: ctx.expected, forceDocType: "SetupRequest" });
@@ -1491,7 +1806,10 @@ function buildOrderXml(ctx, body) {
     items,
     shipTo: body.shipTo,
     billTo: body.billTo,
-    attachments: attMeta
+    attachments: attMeta,
+    dtdVersion: dtdVersionFor(ctx.eff, "OrderRequest"),
+    userAgent: ctx.eff.userAgent,
+    extrinsics: orderExtrinsics(ctx, orderId)
   });
   return { xml, orderId };
 }
@@ -1534,7 +1852,7 @@ flowRoute.post("/:id/order", async (c) => {
         data
       };
     });
-    const built = buildMultipartRelated(xml, parts);
+    const built = buildMultipartRelated(xml, parts, { attachmentEncoding: ctx.attachmentEncoding });
     wireBody = built.body;
     wireContentType = built.contentType;
   }
@@ -1553,6 +1871,7 @@ flowRoute.post("/:id/order", async (c) => {
     contentType: wireContentType,
     validation: reqValidation,
     attachments: savedRefs,
+    attachmentEncoding: inputAtts.length > 0 ? ctx.attachmentEncoding : void 0,
     note: dangling ? "dangling-cid test" : void 0
   });
   if (!ctx.orderUrl) return c.json({ error: "supplier has no orderUrl configured" }, 400);
@@ -1581,8 +1900,8 @@ flowRoute.post("/:id/order", async (c) => {
 });
 
 // src/server/routes/punchout-return.ts
-import { Hono as Hono4 } from "hono";
-var punchoutReturnRoute = new Hono4();
+import { Hono as Hono5 } from "hono";
+var punchoutReturnRoute = new Hono5();
 async function extractCxml(c) {
   const ct = (c.req.header("content-type") ?? "").toLowerCase();
   if (ct.includes("application/x-www-form-urlencoded") || ct.includes("multipart/form-data")) {
@@ -1626,8 +1945,7 @@ punchoutReturnRoute.post("/return", async (c) => {
   const expected = resolved ? {
     from: resolved.buyer.identity,
     to: resolved.supplier.identity,
-    sender: resolved.connection.senderIdentity ?? resolved.supplier.identity,
-    authStyle: resolved.connection.authStyle
+    sender: resolved.connection.senderIdentity ?? resolved.supplier.identity
   } : void 0;
   const validation = validateDocument(xml, {
     expected,
@@ -1651,10 +1969,14 @@ punchoutReturnRoute.post("/return", async (c) => {
 });
 
 // src/server/routes/stream.ts
-import { Hono as Hono5 } from "hono";
+import { Hono as Hono6 } from "hono";
 import { streamSSE } from "hono/streaming";
-var streamRoute = new Hono5();
+var streamRoute = new Hono6();
+var MAX_STREAMS = 64;
+var activeStreams = 0;
 streamRoute.get("/stream", (c) => {
+  if (activeStreams >= MAX_STREAMS) return c.text("too many live-log connections", 503);
+  activeStreams++;
   return streamSSE(c, async (stream) => {
     let open = true;
     let id = 0;
@@ -1668,6 +1990,7 @@ streamRoute.get("/stream", (c) => {
     });
     stream.onAbort(() => {
       open = false;
+      activeStreams = Math.max(0, activeStreams - 1);
       unsubscribe();
     });
     await stream.writeSSE({ event: "ready", data: JSON.stringify({ ts: Date.now() }) });
@@ -1680,8 +2003,30 @@ streamRoute.get("/stream", (c) => {
 });
 
 // src/server/routes/data.ts
-import { Hono as Hono6 } from "hono";
-var dataRoute = new Hono6();
+import { Hono as Hono7 } from "hono";
+var dataRoute = new Hono7();
+function rawMessage(record) {
+  const ct = record.contentType ?? record.headers?.["Content-Type"] ?? record.headers?.["content-type"];
+  let body = record.body;
+  if (ct && isMultipart(ct) && record.attachments && record.attachments.length > 0) {
+    const parts = record.attachments.map((a) => ({
+      contentId: a.contentId,
+      filename: a.filename,
+      contentType: a.contentType,
+      data: readAttachment(a.hash) ?? Buffer.alloc(0)
+    }));
+    const built = buildMultipartRelated(record.body, parts, {
+      boundary: getBoundary(ct),
+      mainContentId: getStartCid(ct),
+      attachmentEncoding: record.attachmentEncoding
+    });
+    body = built.body.toString("utf8");
+  }
+  const headerLines = Object.entries(record.headers ?? {}).map(([k, v]) => `${k}: ${v}`);
+  return headerLines.length > 0 ? `${headerLines.join("\r\n")}\r
+\r
+${body}` : body;
+}
 dataRoute.get("/health", (c) => c.json({ ok: true }));
 dataRoute.get(
   "/runtime",
@@ -1689,6 +2034,12 @@ dataRoute.get(
 );
 dataRoute.get("/sessions", (c) => c.json(listSessions()));
 dataRoute.get("/sessions/:id", (c) => c.json(readSession(c.req.param("id"))));
+dataRoute.get("/sessions/:sessionId/records/:recordId/raw", (c) => {
+  const record = readSession(c.req.param("sessionId")).find((r) => r.id === c.req.param("recordId"));
+  if (!record) return c.json({ error: "not found" }, 404);
+  c.header("Content-Type", "text/plain; charset=utf-8");
+  return c.body(rawMessage(record));
+});
 dataRoute.get("/recent", (c) => {
   const limit = Number(c.req.query("limit") ?? "200");
   return c.json(readAllRecent(Number.isFinite(limit) ? limit : 200));
@@ -1705,9 +2056,9 @@ dataRoute.get("/attachments/:hash", (c) => {
 });
 
 // src/server/routes/sim.ts
-import { Hono as Hono7 } from "hono";
+import { Hono as Hono8 } from "hono";
 import { nanoid as nanoid6 } from "nanoid";
-var simRoute = new Hono7();
+var simRoute = new Hono8();
 var DEMO_CATALOG = [
   { supplierPartId: "WIDGET-001", description: "Premium Steel Widget", unitPrice: 12.5, currency: "USD", uom: "EA", unspsc: "31161500", manufacturerPartId: "MFR-W001", manufacturerName: "Acme Manufacturing" },
   { supplierPartId: "BOLT-250", description: "M8 Hex Bolt (pack of 250)", unitPrice: 34, currency: "USD", uom: "PK", unspsc: "31161600", manufacturerPartId: "MFR-B250", manufacturerName: "Acme Manufacturing" },
@@ -1725,11 +2076,14 @@ function safeHttpUrl(u) {
   if (!u) return "";
   try {
     const p = new URL(u.trim());
-    return p.protocol === "http:" || p.protocol === "https:" ? u.trim() : "";
+    return p.protocol === "http:" || p.protocol === "https:" ? p.href : "";
   } catch {
     return "";
   }
 }
+function jsonForScript(value) {
+  return JSON.stringify(value).replace(/</g, "\\u003c").replace(/>/g, "\\u003e").replace(/&/g, "\\u0026").replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
+}
 function expectedFor(supplierId, from) {
   const r = findConnectionBySupplierAndBuyerIdentity(supplierId, from);
   if (!r) return void 0;
@@ -1737,10 +2091,13 @@ function expectedFor(supplierId, from) {
     from: r.buyer.identity,
     to: r.supplier.identity,
     sender: r.connection.senderIdentity ?? r.buyer.identity,
-    sharedSecret: r.connection.sharedSecret,
-    authStyle: r.connection.authStyle
+    sharedSecret: r.connection.sharedSecret
   };
 }
+function effFor(supplierId, from) {
+  const r = findConnectionBySupplierAndBuyerIdentity(supplierId, from);
+  return r ? effectiveProfile(r.connection, r.buyer) : void 0;
+}
 simRoute.post("/:id/punchout", async (c) => {
   const supplier = getSupplier(c.req.param("id"));
   if (!supplier) return c.text("supplier not found", 404);
@@ -1761,13 +2118,15 @@ simRoute.post("/:id/punchout", async (c) => {
   });
   const buyerCred = from ?? { domain: "", identity: "" };
   const startPageUrl = `${getPublicUrl()}/sim/${supplier.id}/catalog?cookie=${encodeURIComponent(buyerCookie)}&formpost=${encodeURIComponent(formPost)}&bd=${encodeURIComponent(buyerCred.domain)}&bi=${encodeURIComponent(buyerCred.identity)}`;
+  const eff = effFor(supplier.id, from);
   const respXml = buildSetupResponse({
     payloadId: makePayloadId(host2(), (/* @__PURE__ */ new Date()).toISOString()),
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
     startPageUrl,
     from: supplier.identity,
     to: buyerCred,
-    sender: supplier.identity
+    sender: supplier.identity,
+    dtdVersion: eff ? dtdVersionFor(eff, "SetupResponse") : void 0
   });
   appendLog({
     sessionId: buyerCookie,
@@ -1851,6 +2210,7 @@ simRoute.post("/:id/checkout", async (c) => {
     }
   });
   const currency = items[0]?.currency ?? "USD";
+  const eff = effFor(supplier.id, buyerCred);
   const xml = buildPunchOutOrderMessage({
     from: supplier.identity,
     to: buyerCred,
@@ -1859,7 +2219,8 @@ simRoute.post("/:id/checkout", async (c) => {
     payloadId: makePayloadId(host2(), (/* @__PURE__ */ new Date()).toISOString()),
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
     currency,
-    items
+    items,
+    dtdVersion: eff ? dtdVersionFor(eff, "PunchOutOrderMessage") : void 0
   });
   appendLog({
     sessionId: cookie,
@@ -1870,16 +2231,43 @@ simRoute.post("/:id/checkout", async (c) => {
     body: xml,
     validation: validateDocument(xml, { forceDocType: "PunchOutOrderMessage" })
   });
-  return c.html(`<!doctype html><html lang="en"><head><meta charset="utf-8">
+  const transport = eff?.cartReturnTransport ?? "cxml-urlencoded";
+  return c.html(cartReturnPage(formpost, xml, transport));
+});
+function cartReturnPage(formpost, xml, transport) {
+  const shell = (inner) => `<!doctype html><html lang="en"><head><meta charset="utf-8">
 <title>Returning cart\u2026</title></head>
-<body onload="document.forms[0].submit()" style="font-family:system-ui;background:#0f172a;color:#e2e8f0">
+<body style="font-family:system-ui;background:#0f172a;color:#e2e8f0">
   <p style="padding:2rem">Returning cart to the buyer\u2026</p>
-  <form method="post" action="${escapeXml(formpost)}">
+${inner}
+</body></html>`;
+  if (transport === "raw") {
+    return shell(`  <form method="post" action="${escapeXml(formpost)}">
     <input type="hidden" name="cxml-urlencoded" value="${escapeXml(xml)}">
     <noscript><button type="submit">Continue</button></noscript>
   </form>
-</body></html>`);
-});
+  <script>
+    fetch(${jsonForScript(formpost)}, { method: "POST",
+      headers: { "Content-Type": "text/xml; charset=UTF-8" },
+      body: ${jsonForScript(xml)} })
+      .then(function () {
+        document.body.replaceChildren();
+        var p = document.createElement("p");
+        p.style.padding = "2rem";
+        p.textContent = "Cart returned to the buyer. You can close this tab.";
+        document.body.appendChild(p);
+      })
+      .catch(function () { document.forms[0].submit(); });
+  </script>`);
+  }
+  const field = transport === "cxml-base64" ? "cxml-base64" : "cxml-urlencoded";
+  const value = transport === "cxml-base64" ? Buffer.from(xml, "utf8").toString("base64") : xml;
+  return shell(`  <form method="post" action="${escapeXml(formpost)}">
+    <input type="hidden" name="${field}" value="${escapeXml(value)}">
+    <noscript><button type="submit">Continue</button></noscript>
+  </form>
+  <script>document.forms[0].submit()</script>`);
+}
 simRoute.post("/:id/order", async (c) => {
   const supplier = getSupplier(c.req.param("id"));
   if (!supplier) return c.text("supplier not found", 404);
@@ -1888,6 +2276,7 @@ simRoute.post("/:id/order", async (c) => {
   let xml;
   const availableContentIds = /* @__PURE__ */ new Set();
   const savedRefs = [];
+  let attachmentEncoding;
   if (isMultipart(ct)) {
     const mp = parseMultipartRelated(raw, ct);
     xml = mp.root?.body.toString("utf8") ?? "";
@@ -1895,8 +2284,12 @@ simRoute.post("/:id/order", async (c) => {
       if (part === mp.root) continue;
       const cid = normalizeContentId(part.contentId);
       if (cid) availableContentIds.add(cid);
+      if ((part.headers["content-transfer-encoding"] ?? "").toLowerCase() === "base64") {
+        attachmentEncoding = "base64";
+      }
       savedRefs.push(saveAttachment(part.body, { contentId: cid, contentType: part.contentType ?? "application/octet-stream" }));
     }
+    if (savedRefs.length > 0 && !attachmentEncoding) attachmentEncoding = "binary";
   } else {
     xml = raw.toString("utf8");
   }
@@ -1917,9 +2310,11 @@ simRoute.post("/:id/order", async (c) => {
     body: xml,
     contentType: ct,
     validation,
-    attachments: savedRefs
+    attachments: savedRefs,
+    attachmentEncoding
   });
   const ok = validation.ok;
+  const eff = effFor(supplier.id, from);
   const respXml = buildResponseStatus({
     payloadId: makePayloadId(host2(), (/* @__PURE__ */ new Date()).toISOString()),
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
@@ -1927,7 +2322,8 @@ simRoute.post("/:id/order", async (c) => {
     statusText: ok ? "OK" : "Bad Request",
     from: supplier.identity,
     to: from ?? { domain: "", identity: "" },
-    sender: supplier.identity
+    sender: supplier.identity,
+    dtdVersion: eff ? dtdVersionFor(eff, "OrderResponse") : void 0
   });
   appendLog({
     sessionId,
@@ -1950,10 +2346,25 @@ function findSessionForOrder(doc) {
 // src/server/app.ts
 import { relative } from "path";
 function createApp(opts = {}) {
-  const app = new Hono8();
+  const app = new Hono9();
   if (!opts.quiet) app.use("*", logger());
+  app.use(
+    "*",
+    bodyLimit({ maxSize: 24 * 1024 * 1024, onError: (c) => c.json({ error: "payload too large" }, 413) })
+  );
+  app.use("/api/*", async (c, next) => {
+    const token = getToken();
+    if (!token) return next();
+    if (c.req.path === "/api/health") return next();
+    const auth = c.req.header("authorization") ?? "";
+    const provided = (auth.toLowerCase().startsWith("bearer ") ? auth.slice(7).trim() : "") || c.req.header("x-pos-token") || c.req.query("token") || getCookie(c, "pos-api-token") || "";
+    if (provided === token) return next();
+    return c.json({ error: "unauthorized" }, 401);
+  });
   app.route("/api/buyers", buyersRoute);
   app.route("/api/suppliers", suppliersRoute);
+  app.route("/api/profiles", profilesRoute);
+  app.route("/api/profile-presets", profilePresetsRoute);
   app.route("/api/connections", connectionsRoute);
   app.route("/api/connections", flowRoute);
   app.route("/api", dataRoute);
@@ -1984,7 +2395,10 @@ async function seedDemoIfEmpty() {
   const buyer = await createBuyer({
     id: "demo-buyer",
     name: "Demo Buyer",
-    identity: { domain: "DUNS", identity: "123456789" }
+    identity: { domain: "DUNS", identity: "123456789" },
+    // Exercise a non-default platform profile end-to-end (Coupa: per-doc-type
+    // DTD versions, base64 attachments). Built-in profiles are seeded by initConfig.
+    profileId: "coupa"
   });
   const supplier = await createSupplier({
     id: "demo-supplier",
@@ -2001,8 +2415,7 @@ async function seedDemoIfEmpty() {
     supplierId: supplier.id,
     mode: "virtual-buyer",
     sharedSecret: "demo-secret",
-    deploymentMode: "test",
-    authStyle: "SharedSecret"
+    deploymentMode: "test"
   });
 }
 
@@ -2011,6 +2424,8 @@ function parseFlags(argv) {
   const flags = {
     port: Number(process.env.PORT ?? 8080),
     dataDir: process.env.DATA_DIR ?? "./data",
+    host: process.env.HOST,
+    token: process.env.POS_TOKEN,
     open: true,
     dev: false,
     seed: true
@@ -2030,6 +2445,12 @@ function parseFlags(argv) {
       case "--public-url":
         flags.publicUrl = next();
         break;
+      case "--host":
+        flags.host = next();
+        break;
+      case "--token":
+        flags.token = next();
+        break;
       case "--no-open":
         flags.open = false;
         break;
@@ -2048,6 +2469,14 @@ function parseFlags(argv) {
   }
   return flags;
 }
+var LOOPBACK = /* @__PURE__ */ new Set(["localhost", "127.0.0.1", "::1", "[::1]", ""]);
+function hostnameOf(url) {
+  try {
+    return new URL(url).hostname;
+  } catch {
+    return "";
+  }
+}
 function printHelp() {
   console.log(`punchout-simulator \u2014 test cXML PunchOut integrations as a virtual counterparty
 
@@ -2058,6 +2487,9 @@ Options:
   -d, --data-dir <path>  Where to store config + logs (default ./data)
       --public-url <url> Externally reachable base URL (default http://localhost:<port>)
                          Set this when fronting the tool with ngrok/cloudflared.
+      --host <addr>      Bind address (default 127.0.0.1; use 0.0.0.0 for LAN)
+      --token <secret>   Require this token on /api (auto-generated when exposed
+                         and not provided; or set POS_TOKEN)
       --no-open          Do not open a browser on start
       --no-seed          Do not seed the built-in demo connections on first run
       --dev              Dev mode (do not serve SPA, do not open browser)
@@ -2067,22 +2499,32 @@ Options:
 async function main() {
   const flags = parseFlags(process.argv.slice(2));
   const publicUrl = flags.publicUrl ?? `http://localhost:${flags.port}`;
+  const bindHost = flags.host ?? "127.0.0.1";
+  const exposed = !LOOPBACK.has(hostnameOf(publicUrl)) || !LOOPBACK.has(bindHost);
+  const token = flags.token || (exposed ? nanoid7(24) : void 0);
   setDataDir(flags.dataDir);
-  setRuntime({ port: flags.port, publicUrl });
+  setRuntime({ port: flags.port, publicUrl, token });
   await initConfig();
   if (flags.seed) await seedDemoIfEmpty();
   const webRoot = flags.dev ? void 0 : fileURLToPath(new URL("../web", import.meta.url));
   const app = createApp({ webRoot, quiet: false });
-  serve({ fetch: app.fetch, port: flags.port }, (info) => {
-    const url = `http://localhost:${info.port}`;
+  serve({ fetch: app.fetch, port: flags.port, hostname: bindHost }, (info) => {
+    const local = `http://${bindHost}:${info.port}`;
     console.log(`
-  punchout-simulator listening on ${url}`);
-    if (getPublicUrl() !== url) console.log(`  public URL: ${getPublicUrl()}`);
+  punchout-simulator listening on ${local}`);
+    if (getPublicUrl() !== local) console.log(`  public URL: ${getPublicUrl()}`);
     console.log(`  data dir:   ${flags.dataDir}`);
-    console.log(`  callback:   ${getPublicUrl()}/punchout/return
-`);
+    console.log(`  callback:   ${getPublicUrl()}/punchout/return`);
+    const openUrl = token ? `${getPublicUrl()}/?token=${token}` : local;
+    if (token) {
+      console.log(`
+  \u26A0 EXPOSED: /api requires a token. Open the UI with the token:`);
+      console.log(`     ${openUrl}`);
+      console.log(`     (inbound /sim and /punchout stay open for buyer traffic)`);
+    }
+    console.log("");
     if (flags.open) {
-      import("open").then((m) => m.default(url)).catch(() => {
+      import("open").then((m) => m.default(token ? `http://localhost:${info.port}/?token=${token}` : local)).catch(() => {
       });
     }
   });
@@ -2091,4 +2533,3 @@ main().catch((e) => {
   console.error(e);
   process.exit(1);
 });
-//# sourceMappingURL=cli.js.map