Resolving locale, route permissions, and workspace projection.
Current scope: Guest
Category: 10_normative | Version: v1.0.0
Owner: DOCUMENT_CUSTODIAN | Review cycle: 90 days
Approval authority: GOVERNANCE_ADMIN
Documentation portal is read-only. Editing and mutation endpoints are disabled.
Kvary platform is originally created in Georgian. Where a Georgian version exists, Georgian is authoritative for platform UI, documentation, and legal interpretation.
Translations into other languages are provided for convenience. Some records may originate in other languages and carry their own source or legal locale for a specific flow, but where a Georgian version is available, the Georgian version prevails for platform-level wording and interpretation.
Metadata incomplete: Document ID, Version, Status, Owner Role, Last Review Date, Next Review Date, Change Log
This document defines what intentionally remains shared when ICPI leaves svc-tenders.
It describes the contract ICPI should continue to rely on, not the parts that should move with ICPI.
Gateway ownership remains in services/api/src/routes/icpi.ts.
Current behavior that should remain unchanged:
GET /api/v1/icpi/pricesGET /api/v1/icpi/suggestGET /api/v1/icpi/latest/:itemCodeGET /api/v1/icpi/estimatePOST /api/v1/icpi/upsertGateway route behavior today:
Authorization when presentx-request-id when present502 icpi_service_unavailable or 504 icpi_service_timeout on upstream failureThis is a stable shared shell seam and should stay outside the ICPI extraction package.
Protected ICPI writes stay behind services/api/src/auth/middleware.ts requireGatewayAuth.
Current shared behavior:
/auth/meThis should remain shared because it is public-facade auth behavior, not ICPI business logic.
Current gateway target contract:
ICPI_SERVICE_URL ?? TENDERS_SERVICE_URL ?? "http://localhost:4020"ICPI_PROXY_TIMEOUT_MS with current default 15000Post-extraction expectation:
ICPI_SERVICE_URL should point to the new ICPI runtimeTENDERS_SERVICE_URL remains a fallback only during staged migration or rollbackICPI currently depends on service-side auth ingress equivalent to requireServiceAuth in services/svc-tenders/src/server.ts.
Current behavior that must remain compatible after extraction:
AuthorizationJWT_SECRETAUTH_SERVICE_URL/auth/meThis behavior may move into an ICPI-local runtime shell, but the contract with shared auth/identity remains intentionally shared.
These dependencies remain shared on purpose:
/auth/me principal payload expectationsThese are backbone platform dependencies, not reasons to keep ICPI inside svc-tenders.
The following should move with ICPI and should not remain shared:
The intended post-extraction contract is: