ICPI Extraction Package

Purpose

This document defines the actual first extraction package for ICPI, file by file.

It is not the runtime cutover itself. It is the package boundary that Sprint 49 can execute against with low ambiguity.

Classification Labels

• MOVE TO ICPI: should move into the new ICPI-owned package/runtime
• KEEP SHARED WITH KVARY: should remain outside ICPI and be consumed through a stable contract
• KEEP TEMPORARILY IN CURRENT HOST: can stay in svc-tenders during a staged cutover, but is not the target owner
• REMOVE / REPLACE AFTER EXTRACTION: temporary residue that should disappear once cutover is complete
• UNRESOLVED: real dependency or duplication still needs an explicit later decision

File-By-File Package

| File / module | Classification | Rationale | Notes | | --- | --- | --- | --- | | | | Canonical ICPI request/response/repository/support contracts already live here | Extraction core | | | | Pure ICPI-local parsing logic | No reason to keep shared | | | | ICPI-owned validation/schema surface | Route behavior depends on it directly | | | | Canonical ICPI persistence module over | Extraction core | | | | Owns the current host surface | Can stay source-compatible if lifted into a new ICPI runtime | | | | Narrow adapter over shared auth ingress plus ICPI-local parsers | May later collapse into ICPI runtime bootstrap | | | | Creates the ICPI-owned table family | Canonical migration owner | | | | Adds ICPI-specific lookup optimization | Canonical migration owner | | | | This is the stable public gateway seam | Should not move into ICPI service code | | | | is gateway/auth-shell behavior | Shared backbone concern | | | | Owns public API process and route mounting | Outside ICPI domain ownership | | | | Documents gateway env contract including | Update during cutover, but do not move | | | | Current colocated runtime host and auth-ingress implementation site | Keep until new ICPI runtime is live | | | | Current monolith config host includes ICPI-needed env plus unrelated KES/evidence config | Future ICPI runtime should copy only the needed subset | | | | ICPI contracts currently refer to from here | Safe near-term options: copy a narrow ICPI-local auth-request type or re-home a tiny shared auth-request contract | | ICPI helper/types block | | Web stays on the gateway contract; helpers do not belong in the backend extraction package | Type duplication remains a follow-up concern | | | | UI consumer of the gateway contract | Should not move with backend extraction | | | | Locale/country alias UI surface | Same reasoning as main page | | | | Stale compiled artifact, not source-of-truth code | Removed in Sprint 48 |