ICPI Minimum Shared Shell
Goal
This document defines the smallest realistic shared shell ICPI would still need if lifted out of svc-tenders without changing current gateway behavior or current auth behavior.
Category: 10_normative | Version: v1.0.0
Owner: DOCUMENT_CUSTODIAN | Review cycle: 90 days
Approval authority: GOVERNANCE_ADMIN
The Kvary platform was originally created in Georgian. Where a Georgian version exists, Georgian is authoritative for platform UI, documentation, and legal interpretation.
Translations into other languages are provided for convenience. Some records may originate in other languages and carry their own source or legal locale for a specific flow, but where a Georgian version is available, the Georgian version prevails for platform-level wording and interpretation.
Metadata incomplete: Document ID, Version, Status, Owner Role, Last Review Date, Next Review Date, Change Log
| Shared dependency | Why it is needed now | After extraction verdict | Later direction | Notes |
| --- | --- | --- | --- | --- |
| API gateway proxy in services/api/src/routes/icpi.ts | Keeps public /icpi/* gateway surface stable while routing to the current ICPI host | should remain shared | keep as a narrow HTTP contract | Current seam already supports ICPI_SERVICE_URL ?? TENDERS_SERVICE_URL |
| Gateway auth middleware requireGatewayAuth | Protects POST /icpi/upsert before proxying | should remain shared | keep shared as backbone auth middleware | This is gateway-level behavior, not ICPI domain logic |
| Service-side auth ingress requireServiceAuth | Preserves current bearer-token and principal-resolution behavior for POST /icpi/upsert | can be wrapped behind a narrow contract | re-home into an ICPI-local hosting shell later | Auth behavior stays unchanged in current runtime |
| Auth service /auth/me resolution path | Supplies principal resolution behind service auth ingress | should remain shared | keep shared as auth/identity service contract | This is a Kvary-wide identity dependency |
| Express/runtime bootstrap | Needed only because ICPI is currently hosted inside svc-tenders | should be removed before extraction | replace with ICPI-owned runtime bootstrap | This is hosting, not domain ownership |
| ICPI query parsing in queryParsers.ts | Normalizes ICPI request values | should move with ICPI | already ICPI-owned | No reason for this to stay shared |
| IcpiRepository and ICPI contracts/validation | Own ICPI persistence and route-facing data shapes | should move with ICPI | move as extraction core | These are now ICPI-owned surfaces |
| Web/client ICPI request-response expectations | UI depends on current API shape | should remain contract-compatible | reduce duplication later | Shape stability matters more than package placement right now |
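The gateway seam in the first two rows can be modelled as a pure decision function. This is an added sketch, not code from the Kvary repository. The type names, the `decide` and `normalizePath` helpers, the origin-only URL check and the status codes are assumptions; only `ICPI_SERVICE_URL ?? TENDERS_SERVICE_URL`, `requireGatewayAuth` and `POST /icpi/upsert` come from the table.

```typescript
// Added example; every name not quoted from the table above is hypothetical.
type Env = Record<string, string | undefined>;
interface GatewayRequest { method: string; path: string; authenticated: boolean }
type Decision =
  | { action: "proxy"; target: string }
  | { action: "reject"; status: number; reason: string };

// From the table: requireGatewayAuth protects POST /icpi/upsert before proxying.
const PROTECTED_ROUTES = [{ method: "POST", path: "/icpi/upsert" }];

// Seam from the table: ICPI_SERVICE_URL ?? TENDERS_SERVICE_URL.
// `??` falls back only on undefined/null, so an empty ICPI_SERVICE_URL wins
// over the fallback; validate the result and fail closed instead of proxying.
// Assumption: the upstream is configured as a bare origin (scheme://host[:port]).
function resolveIcpiUpstream(env: Env): string | null {
  const raw = env.ICPI_SERVICE_URL ?? env.TENDERS_SERVICE_URL;
  if (raw === undefined) return null;
  const url = raw.trim().replace(/\/+$/, "");
  return /^https?:\/\/[^\s\/]+$/.test(url) ? url : null;
}

// Assumption: the router matches case-insensitively and ignores trailing
// slashes (Express defaults), so the auth policy normalises the same way.
// Repeated slashes are collapsed and the query string is dropped as well.
function normalizePath(path: string): string {
  return path.replace(/\?[\s\S]*$/, "").toLowerCase()
    .replace(/\/{2,}/g, "/").replace(/(.)\/+$/, "$1");
}

// `authenticated` stands in for the outcome of requireGatewayAuth.
function decide(req: GatewayRequest, env: Env): Decision {
  const path = normalizePath(req.path);
  if (!path.startsWith("/icpi/")) {
    return { action: "reject", status: 404, reason: "not an ICPI route" };
  }
  const method = req.method.toUpperCase();
  const needsAuth = PROTECTED_ROUTES.some((r) => r.method === method && r.path === path);
  if (needsAuth && !req.authenticated) {
    return { action: "reject", status: 401, reason: "gateway auth required" };
  }
  const upstream = resolveIcpiUpstream(env);
  if (upstream === null) {
    return { action: "reject", status: 502, reason: "no valid ICPI upstream configured" };
  }
  return { action: "proxy", target: upstream + path };
}
```

Because the auth check runs on the normalised path, a request for `/ICPI/Upsert/` is held to the same rule as `/icpi/upsert`, and a blank `ICPI_SERVICE_URL` yields a 502 instead of a proxy call to an empty target.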
If ICPI were lifted out next, the minimum truthful shared shell would be:
Everything else in the current svc-tenders host is either:
svc-tenders implementation of requireServiceAuth