# Internal API (`xlyEntry`)

The `xlyEntry` service hosts the SPA's runtime API. It is the largest of the three tiers — its controllers compile into the same WAR as the framework's metadata-driven runtime, and most calls hit one of a handful of universal endpoints that read or write any module.

This API is **not a stable contract for external callers**. Endpoint shapes change as the framework changes. External integrations belong on the [External API](external.md). This page exists for maintainers and SPA-extension authors.

For the request-lifecycle and code-level walkthrough, see the [Maintainer runtime chapter](../reference/maintainer/runtime.md). This page is the catalog of HTTP entry points.

## The universal CRUD surface — `/business/*`

| Endpoint | Method | Purpose |
|---|---|---|
| `/business/getModelBysId/{moduleId}` | GET | Returns the form layout for a module — the five-key composite (`formData`, `gdsformconst`, `gdsjurisdiction`, `billnosetting`, `report`). |
| `/business/getBusinessDataByFormcustomId/{formId}` | POST | Returns rows of business data for a form, paginated. Branches to `getBusinessDataByGroup` when `sGroupList` is set. |
| `/business/getBusinessDataByIndex` | POST | First / last / next / previous-record navigation. |
| `/business/addBusinessData` | POST | Single insert. |
| `/business/addUpdateDelBusinessData` | POST | Bundled add+update+delete in one transactional call. The frontend names the target table directly via `sTable`. |
| `/business/getSelectDataBysControlId/{sId}` | POST | Dropdown population for a single control, by control `sId`. |
| `/business/getSelectLimit/{sId}` | POST | Paginated variant of the dropdown call. |

These endpoints are documented in detail by [Slice 1](../slices/01-hello-world.md) (`getModelBysId` + grid load + save) and [Slice 3](../slices/03-report.md) (the view-backed read variant). The handler classes are in `xlyEntry/src/main/java/com/xly/web/businessweb/`.

## Metadata-management endpoints

For builder-side actions (creating modules, defining forms, declaring virtual tables) there is a parallel surface in `xlyEntry/src/main/java/com/xly/web/systemweb/`:

| Endpoint root | Controller | Purpose |
|---|---|---|
| `/gdsmodule/*` | `GdsmoduleController` | Module-tree CRUD, including `getModuleTreePro`, `addGdsmodule`, `updateGdsmodule`. |
| `/gdsconfigform/*` | `GdsconfigformController` | Form-master and form-slave metadata CRUD. |
| `/gdsconfigtb/*` | `GdsconfigtbController` | Virtual-table master/slave metadata CRUD. |

## Specialised runtime endpoints

| Endpoint root | Controller | Purpose |
|---|---|---|
| `/configform/*` | `BusinessConfigformController` | Per-user / per-group display customization. |
| `/treegrid/*` | `BusinessTreeGridController` | Tree-grid endpoints (the proc-backed path is implemented in this branch). |
| `/procedureCall/*` | `GenericProcedureCallController` | Generic stored-procedure invocation by name + parameters — see [generic procedure dispatch](../reference/maintainer/proc-dispatch.md). |
| `/panel/*` | `ConfigformPanelController` | Panel-layout persistence in `gdsconfigformpanel`. |
| `/checkFlow/*` | `CheckFlowController` | Activiti workflow surface (approve / reject / view) — only meaningful in deployments that run a flow. |

## Reporting and printing

The print surface lives under `xlyEntry/src/main/java/com/xly/web/report/`:

- `PrintReportController` — current jxls / iText print path.
- `PrintReportControllerOld` — legacy print path retained for older templates.

The frontend's "打印" (Print) / "导出" (Export) buttons hit these controllers, which load a template from `sysreport`, run the matching view-backed query, and stream a binary file back. See [Slice 3](../slices/03-report.md#6-printable-reports-when-present) for the flow.

## Authentication

Every controller method that participates in business data is annotated with `@Authorization` and receives a resolved `UserInfo` via `@CurrentUser`.
The session-to-`UserInfo` mapping is the framework's own (cookie + Redis-backed session); see [the multi-tenancy concept page](../concepts/multi-tenancy.md).

A request that reaches a controller without authentication does not get past `@Authorization`; if it does (e.g., an unannotated method), that method also bypasses the universal tenant injection in `RequestAddParamUtil` — and is therefore a multi-tenant bug.

## What this API is *not*

- **Not stable** — endpoint shapes change with the framework.
- **Not authenticated for outside callers** — there is no API-key flow here; cookies/sessions are not what an integrator wants.
- **Not documented for self-service** — the surface is too large and too generic to publish as an OpenAPI doc.

External integrators get the curated [External API](external.md) instead.
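
The Authentication section notes that a mapped controller method without `@Authorization` also skips tenant injection. A source audit for that condition follows, added here as an example and not part of the project's code. It assumes handlers use Spring MVC mapping annotations (`@RequestMapping`, `@PostMapping`, and so on), which this page does not state, and the sample controller is constructed:

```python
import re
from pathlib import Path

# Assumption: handlers carry Spring MVC mapping annotations; the page does not name them.
MAPPING = re.compile(r"@(?:Request|Get|Post|Put|Delete|Patch)Mapping\b")
AUTH = re.compile(r"@Authorization\b")  # annotation name taken from the page
METHOD = re.compile(r"^\s*(?:public|protected|private)\s+[\w<>\[\], ?.]+\s+(\w+)\s*\(")

def find_unannotated_handlers(java_source):
    """Return names of mapped handler methods that lack @Authorization."""
    findings, pending = [], []
    for line in java_source.splitlines():
        stripped = line.strip()
        if pending and pending[-1].count("(") > pending[-1].count(")"):
            pending[-1] += " " + stripped  # continuation of a multi-line annotation
            continue
        if stripped.startswith("@"):
            pending.append(stripped)  # annotation for the next declaration
            continue
        if not stripped or stripped.startswith(("//", "/*", "*")):
            continue  # blank lines and comments do not end an annotation run
        match = METHOD.match(line)
        if match:
            annotations = " ".join(pending)
            if MAPPING.search(annotations) and not AUTH.search(annotations):
                findings.append(match.group(1))
        pending = []  # any other code line ends the annotation run
    return findings

def audit_tree(root):  # map each .java file under root to its unannotated handlers
    hits = {str(p): find_unannotated_handlers(p.read_text(encoding="utf-8", errors="replace"))
            for p in sorted(Path(root).rglob("*.java"))}
    return {path: names for path, names in hits.items() if names}

# Constructed sample, not code from the project.
SAMPLE = '''
@RequestMapping("/demo")
public class DemoController {
    @Authorization
    @PostMapping("/rows")
    public Object getRows(@CurrentUser UserInfo user) { return null; }
    @RequestMapping(value = "/export",
                    method = RequestMethod.POST)
    public Object exportAll() { return null; }
    private String helper(String s) { return s; }
}
'''
```

Call `audit_tree("xlyEntry/src/main/java/com/xly/web")` from a checkout to cover the three controller packages listed on this page. The scan is line-based, so package-private handlers and annotations written on the same line as the method signature are not detected.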