Feature Brief: [DevRock] Order Endpoint for DevOps

Branch: issue/6355-devrock-order-endpoint-for-devops
JTBD Commitment: APIs available for Integrations
Release Note: Adds a DevOps-only order lookup endpoint so ops dev teams can pull PMD, order metadata, and product context by order ID without exposing PII.

1. Prerequisite — Enable Internal APIs for the App Domain

1. Open the API Keys editor: https://test.tokenoftrust.com/admin/apikeys
2. Search for the target appDomain
3. Ensure the JSON contains:

{
  "appOptions": {
    "internalApis": {
      "mode": "enabled"
    }
  }
}

1. Save. This unlocks internal API documentation (and Try-It) for that vendor context.

2. How DevOps Uses the Endpoint (Test Environment Walkthrough)

1. Go to https://test.tokenoftrust.com/hq/ and select the vendor app.
2. In the left nav, click Integration (not the Support link).
3. On the Integration page, scroll to Docs and Resources and click Internal API Documentation (appears only when internalApis.mode === 'enabled').
4. The API Docs hub opens in Stoplight Elements. Open “Excise Tax Order Lookup.”
5. Within the spec, choose GET /exciseTax/order/{orderId}, enter an order ID, and hit Try It.
   • HQ auto-injects a bearer token, so the credentials panel shows “Authentication is ready.”
   • Stoplight also generates a curl command you can copy for terminal testing.

Production link: https://app.tokenoftrust.com/hq/ (same workflow—ensure API keys are configured in prod first).

3. Endpoint Summary

• Route: GET /exciseTax/order/{orderId}
• Returns: orderId, timestamp, integrationSource, sanitized shippingLocation, exciseTaxCollected, transactionLines[], and a products{} map keyed by SKU.
• Security: Shipping location strips givenName, familyName, line1, line2; Cassandra query scoped by app_domain; bearer token or internal creds required.
• Docs: modules/exciseTax/api/exciseTax-order-api.openapi-spec.yaml registered via modules/api-docs/api-registry.json.