selfpatch
diff --git a/‎src/ros2_medkit_gateway/include/ros2_medkit_gateway/core/http/handlers/auth_handlers.hpp‎
Lines changed: 30 additions & 16 deletions b/‎src/ros2_medkit_gateway/include/ros2_medkit_gateway/core/http/handlers/auth_handlers.hpp‎
Lines changed: 30 additions & 16 deletions
diff --git a/‎src/ros2_medkit_gateway/include/ros2_medkit_gateway/core/http/handlers/bulkdata_handlers.hpp‎
Lines changed: 25 additions & 69 deletions b/‎src/ros2_medkit_gateway/include/ros2_medkit_gateway/core/http/handlers/bulkdata_handlers.hpp‎
Lines changed: 25 additions & 69 deletions
diff --git a/‎src/ros2_medkit_gateway/include/ros2_medkit_gateway/core/http/handlers/config_handlers.hpp‎
Lines changed: 41 additions & 30 deletions b/‎src/ros2_medkit_gateway/include/ros2_medkit_gateway/core/http/handlers/config_handlers.hpp‎
Lines changed: 41 additions & 30 deletions
@@ -1,4 +1,4 @@
-// Copyright 2025 bburda
+// Copyright 2026 bburda
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -14,7 +14,9 @@
 
 #pragma once
 
+#include "ros2_medkit_gateway/dto/auth.hpp"
 #include "ros2_medkit_gateway/http/handlers/handler_context.hpp"
+#include "ros2_medkit_gateway/http/typed_router.hpp"
 
 namespace ros2_medkit_gateway {
 namespace handlers {
@@ -24,10 +26,25 @@ namespace handlers {
  *
  * Implements OAuth2-like authentication flow:
  * - POST /auth/authorize - Authenticate with client credentials
- * - POST /auth/token - Refresh access token
- * - POST /auth/revoke - Revoke refresh token
+ * - POST /auth/token     - Refresh access token (RFC 6749 token endpoint)
+ * - POST /auth/revoke    - Revoke refresh token (RFC 7009)
  *
- * @note These endpoints are only available when authentication is enabled.
+ * All three handlers follow the PR-403 typed RouteRegistry convention:
+ *
+ *   http::Result<dto::TResponse> X(const http::TypedRequest & req);
+ *
+ * The body is read directly from `req.body` (via the framework escape hatch)
+ * because the auth endpoints accept BOTH `application/json` AND
+ * `application/x-www-form-urlencoded` (RFC 6749 §4.1.3). The framework's
+ * typed-body parser only speaks JSON and would also emit SOVD's
+ * `invalid-request` (dash) code instead of OAuth2's `invalid_request`
+ * (underscore). The routes set `.error_renderer(kOAuth2Error)` so any returned
+ * `ErrorInfo` is rendered as `{error, error_description}` per RFC 6749 §5.2.
+ *
+ * @note These endpoints are only registered/exposed when authentication is
+ * enabled. The handlers still defensively return 404 when `auth.enabled` is
+ * false, so a misconfiguration that leaves the routes wired without a manager
+ * does not crash.
  */
 class AuthHandlers {
  public:
@@ -38,20 +55,17 @@ class AuthHandlers {
   explicit AuthHandlers(HandlerContext & ctx) : ctx_(ctx) {
   }
 
-  /**
-   * @brief Handle POST /auth/authorize - authenticate with client credentials.
-   */
-  void handle_auth_authorize(const httplib::Request & req, httplib::Response & res);
+  /// POST /auth/authorize - authenticate with client_credentials grant.
+  /// Returns an OAuth2 TokenResponse on success or an OAuth2 error on failure.
+  http::Result<dto::AuthTokenResponse> post_authorize(const http::TypedRequest & req);
 
-  /**
-   * @brief Handle POST /auth/token - refresh access token.
-   */
-  void handle_auth_token(const httplib::Request & req, httplib::Response & res);
+  /// POST /auth/token - refresh access token via the refresh_token grant.
+  http::Result<dto::AuthTokenResponse> post_token(const http::TypedRequest & req);
 
-  /**
-   * @brief Handle POST /auth/revoke - revoke refresh token.
-   */
-  void handle_auth_revoke(const httplib::Request & req, httplib::Response & res);
+  /// POST /auth/revoke - revoke a refresh token (RFC 7009).
+  /// Always returns 200 + `{"status":"revoked"}` regardless of whether the
+  /// token existed, to prevent token-enumeration side channels.
+  http::Result<dto::AuthRevokeResponse> post_revoke(const http::TypedRequest & req);
 
  private:
   HandlerContext & ctx_;
 
@@ -14,21 +14,31 @@
 
 #pragma once
 
-#include <httplib.h>
-
 #include <string>
+#include <utility>
 #include <vector>
 
+#include "ros2_medkit_gateway/dto/bulkdata.hpp"
 #include "ros2_medkit_gateway/http/handlers/handler_context.hpp"
+#include "ros2_medkit_gateway/http/response_types.hpp"
+#include "ros2_medkit_gateway/http/typed_router.hpp"
 
 namespace ros2_medkit_gateway {
 namespace handlers {
 
 /**
  * @brief HTTP handlers for SOVD bulk-data endpoints.
  *
- * Provides handlers for listing bulk-data categories, descriptors,
- * and downloading bulk-data files (rosbags) for any entity type.
+ * PR-403 commit 25: 11 bulk-data routes migrated to the typed RouteRegistry
+ * API. Every handler returns `http::Result<T>` (or a `pair<T,
+ * ResponseAttachments>` for the upload route that needs to emit 201 +
+ * Location). The download route uses `reg.binary_download` so it can emit
+ * `Content-Disposition`, set `supports_ranges`, and supply a chunked content
+ * provider without touching `httplib::Response`. The upload route uses
+ * `reg.multipart_upload<BulkDataDescriptor>` so multipart parsing remains
+ * inside the framework while the handler stays typed. Wire format is
+ * unchanged byte-for-byte, including the rosbag MIME-type-by-format mapping
+ * and the Content-Disposition filename sanitisation.
  *
  * Supports SOVD entity paths:
  * - /apps/{id}/bulk-data[/{category}[/{id}]]
@@ -45,65 +55,21 @@ class BulkDataHandlers {
    */
   explicit BulkDataHandlers(HandlerContext & ctx);
 
-  /**
-   * @brief GET {entity-path}/bulk-data - List bulk-data categories.
-   *
-   * Returns available bulk-data categories for an entity.
-   * Currently only "rosbags" category is supported.
-   *
-   * @param req HTTP request
-   * @param res HTTP response
-   */
-  void handle_list_categories(const httplib::Request & req, httplib::Response & res);
+  /// GET /{entity}/bulk-data - list bulk-data categories.
+  http::Result<dto::BulkDataCategoryList> list_categories(const http::TypedRequest & req);
 
-  /**
-   * @brief GET {entity-path}/bulk-data/{category} - List bulk-data descriptors.
-   *
-   * Returns BulkDataDescriptor array for the specified category.
-   * For "rosbags" category, returns descriptors for all rosbags
-   * associated with faults from this entity.
-   *
-   * @param req HTTP request
-   * @param res HTTP response
-   */
-  void handle_list_descriptors(const httplib::Request & req, httplib::Response & res);
+  /// GET /{entity}/bulk-data/{category_id} - list bulk-data descriptors.
+  http::Result<dto::Collection<dto::BulkDataDescriptor>> list_descriptors(const http::TypedRequest & req);
 
-  /**
-   * @brief GET {entity-path}/bulk-data/{category}/{id} - Download bulk-data file.
-   *
-   * Downloads the bulk-data file (rosbag) identified by the ID.
-   * Validates that the rosbag belongs to the specified entity.
-   *
-   * @param req HTTP request
-   * @param res HTTP response
-   */
-  void handle_download(const httplib::Request & req, httplib::Response & res);
+  /// GET /{entity}/bulk-data/{category_id}/{file_id} - binary download.
+  http::Result<http::BinaryResponse> download(const http::TypedRequest & req);
 
-  /**
-   * @brief POST {entity-path}/bulk-data/{category} - Upload bulk-data file.
-   *
-   * Accepts multipart/form-data with:
-   * - "file" (required): the file to upload
-   * - "description" (optional): text description
-   * - "metadata" (optional): JSON string with additional metadata
-   *
-   * Returns 201 with ItemDescriptor JSON on success.
-   *
-   * @param req HTTP request
-   * @param res HTTP response
-   */
-  void handle_upload(const httplib::Request & req, httplib::Response & res);
+  /// POST /{entity}/bulk-data/{category_id} - multipart upload, 201 + Location.
+  http::Result<std::pair<dto::BulkDataDescriptor, http::ResponseAttachments>> upload(const http::TypedRequest & req,
+                                                                                     const http::MultipartBody & body);
 
-  /**
-   * @brief DELETE {entity-path}/bulk-data/{category}/{id} - Delete bulk-data file.
-   *
-   * Removes an uploaded bulk-data item. Returns 204 on success, 404 if not found.
-   * Only items uploaded via POST can be deleted (rosbags managed by fault system cannot).
-   *
-   * @param req HTTP request
-   * @param res HTTP response
-   */
-  void handle_delete(const httplib::Request & req, httplib::Response & res);
+  /// DELETE /{entity}/bulk-data/{category_id}/{file_id} - 204 No Content.
+  http::Result<http::NoContent> remove(const http::TypedRequest & req);
 
   /**
    * @brief Get MIME type for rosbag format.
@@ -125,16 +91,6 @@ class BulkDataHandlers {
    */
   std::vector<std::string> get_source_filters(const EntityInfo & entity) const;
 
-  /**
-   * @brief Stream file contents to HTTP response.
-   * @param res HTTP response to write to
-   * @param file_path Path to file to stream (can be file or rosbag directory)
-   * @param content_type MIME type for Content-Type header
-   * @return true if successful, false if file could not be read
-   */
-  bool stream_file_to_response(httplib::Response & res, const std::string & file_path,
-                               const std::string & content_type);
-
   /**
    * @brief Resolve rosbag file path from storage path.
    *
 
@@ -1,4 +1,4 @@
-// Copyright 2025 bburda
+// Copyright 2026 bburda
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -14,7 +14,12 @@
 
 #pragma once
 
+#include <variant>
+
+#include "ros2_medkit_gateway/dto/config.hpp"
 #include "ros2_medkit_gateway/http/handlers/handler_context.hpp"
+#include "ros2_medkit_gateway/http/response_types.hpp"
+#include "ros2_medkit_gateway/http/typed_router.hpp"
 
 namespace ros2_medkit_gateway {
 namespace handlers {
@@ -23,45 +28,51 @@ namespace handlers {
  * @brief Handlers for configuration (parameter) REST API endpoints.
  *
  * Provides handlers for:
- * - GET /components/{component_id}/configurations - List all parameters
- * - GET /components/{component_id}/configurations/{param_name} - Get parameter
- * - PUT /components/{component_id}/configurations/{param_name} - Set parameter
- * - DELETE /components/{component_id}/configurations/{param_name} - Reset parameter
- * - DELETE /components/{component_id}/configurations - Reset all parameters
+ * - GET    /{entity-path}/configurations              - List parameters
+ * - GET    /{entity-path}/configurations/{param_name} - Read parameter value
+ * - PUT    /{entity-path}/configurations/{param_name} - Set parameter value
+ * - DELETE /{entity-path}/configurations/{param_name} - Reset parameter to default
+ * - DELETE /{entity-path}/configurations              - Reset all parameters
+ *
+ * PR-403 commit 26: 5 config routes migrated to the typed RouteRegistry API.
+ * The list endpoint uses the typed `fan_out_collection<ConfigurationMetaData>`
+ * (commit 7) for peer aggregation: per-item wire shape is now enforced by
+ * `JsonReader<ConfigurationMetaData>` on every contribution, closing the
+ * issue #338 gap on this endpoint by lifting the per-item schema enforcement
+ * from "spec only" to "compile-time + runtime contract".
+ *
+ * The delete-all endpoint uses `del_alternates<NoContent,
+ * ConfigurationDeleteMultiStatus>` so the framework picks 204 on full success
+ * or 207 on partial success based on which variant alternative the handler
+ * returned. Wire format is byte-identical for both branches.
  */
 class ConfigHandlers {
  public:
-  /**
-   * @brief Construct configuration handlers with shared context.
-   * @param ctx The shared handler context
-   */
+  /// Construct configuration handlers with shared context.
   explicit ConfigHandlers(HandlerContext & ctx) : ctx_(ctx) {
   }
 
-  /**
-   * @brief Handle GET /components/{component_id}/configurations - list all parameters.
-   */
-  void handle_list_configurations(const httplib::Request & req, httplib::Response & res);
+  /// GET /{entity-path}/configurations - list all parameters with typed
+  /// per-item parsing and typed fan-out to peers.
+  http::Result<dto::Collection<dto::ConfigurationMetaData, dto::ConfigListXMedkit>>
+  list_configurations(const http::TypedRequest & req);
 
-  /**
-   * @brief Handle GET /components/{component_id}/configurations/{param_name}.
-   */
-  void handle_get_configuration(const httplib::Request & req, httplib::Response & res);
+  /// GET /{entity-path}/configurations/{param_name} - read a single parameter.
+  http::Result<dto::ConfigurationReadValue> get_configuration(const http::TypedRequest & req);
 
-  /**
-   * @brief Handle PUT /components/{component_id}/configurations/{param_name}.
-   */
-  void handle_set_configuration(const httplib::Request & req, httplib::Response & res);
+  /// PUT /{entity-path}/configurations/{param_name} - set a single parameter.
+  http::Result<dto::ConfigurationReadValue> set_configuration(const http::TypedRequest & req,
+                                                              dto::ConfigurationWriteRequest body);
 
-  /**
-   * @brief Handle DELETE /components/{component_id}/configurations/{param_name}.
-   */
-  void handle_delete_configuration(const httplib::Request & req, httplib::Response & res);
+  /// DELETE /{entity-path}/configurations/{param_name} - reset a single
+  /// parameter to its default value, returning 204 No Content on success.
+  http::Result<http::NoContent> delete_configuration(const http::TypedRequest & req);
 
-  /**
-   * @brief Handle DELETE /components/{component_id}/configurations - reset all.
-   */
-  void handle_delete_all_configurations(const httplib::Request & req, httplib::Response & res);
+  /// DELETE /{entity-path}/configurations - reset all parameters. Returns
+  /// `NoContent` (204) on full success, or `ConfigurationDeleteMultiStatus`
+  /// (207) when one or more per-node reset operations failed.
+  http::Result<std::variant<http::NoContent, dto::ConfigurationDeleteMultiStatus>>
+  delete_all_configurations(const http::TypedRequest & req);
 
  private:
   HandlerContext & ctx_;