KES Shared Dependency Reduction

Current Status Note

This document now reflects the post-extraction state.

• canonical KES runtime: services/svc-kes
• retired host: old colocated KES HTTP routing in svc-tenders
• removed compatibility layer: former services/svc-tenders/src/kes/*

What shell dependencies were narrowed

Sprint 89 narrowed the KES shell dependency surface by grouping payment-sensitive ingress behavior behind a clearer KES-facing contract. Later runtime extraction and compatibility cleanup carried that narrower contract into the extracted runtime.

New explicit KES-facing ingress contract:

• contracts.ts defines KesPaymentIngressSupport
• KesRouteSupport exposes paymentIngress instead of mixing KYC/signature helpers directly into the broader parser/auth surface

Route/support wiring changes:

• kesRouteSupport.ts accepts and returns a nested paymentIngress object
• server.ts adapts shared KYC/signature semantics into that narrower KES-facing contract
• registerKesRoutes.ts consumes payment-sensitive ingress through support.paymentIngress.*
• server.ts constructs the real KES repository directly inside the extracted runtime

What root/shared dependencies shrank further

Shrank across Sprints 90, 97, and 99:

• KES route registration no longer depends on the mixed root repository as the primary persistence owner
• KES SQL, row mapping, payment-note encryption, and event hash-chain logic no longer live in the root repository
• the old root repository delegation layer has now been removed entirely

What remains shared on purpose

Still shared:

• gateway seam in kes-orchestrator.ts
• bearer auth ingress and /auth/me principal resolution
• shell-owned KYC boundary helper implementation
• shell-owned signature verification helper implementation

Reason:

• these are still real shared-shell ingress concerns even though KES is their strongest current consumer

What can move later

• KYC/signature ownership can move further inward if the team wants KES-local ingress policy
• parser/helper normalization can move further inward if the team wants fewer shared conventions
• shared backbone workers can move later if the team wants fuller KES-local event ownership

What event/orchestrator dependencies remain genuinely shared

Still genuinely shared/backbone-heavy:

• gateway mutation proxy event production
• Kafka proxy-event consumer
• outbox relay
• domain-event projection consumer
• idempotency store
• DLQ replay tooling

These were intentionally not reassigned into fake KES-local ownership in Sprint 89.

Notes

• Auth behavior did not change.
• KYC/signature semantics did not change.
• This sprint also made persistence ownership more real without pretending KES is already independent of shared ingress or event backbone concerns.