@aquarian-metals/coin-moebius-paypal 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 aquarian-metals
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,108 @@
+# @aquarian-metals/coin-moebius-paypal
+
+PayPal provider for **[Coin Moebius](https://github.com/aquarian-metals/coin-moebius)**.
+
+Two entries in one package:
+
+- `@aquarian-metals/coin-moebius-paypal` — browser entry, redirects to PayPal's hosted approval page (Orders v2 flow).
+- `@aquarian-metals/coin-moebius-paypal/server` — Node-only webhook verifiers (two implementations of the same contract). **Never import this from browser code.**
+
+## Install
+
+For the browser:
+
+```bash
+npm install @aquarian-metals/coin-moebius-paypal
+```
+
+No additional dependencies required for the server verifiers — they use Web Crypto exclusively.
+
+## Use — browser
+
+```ts
+import { createPaypalProvider } from '@aquarian-metals/coin-moebius-paypal';
+import { createPaymentManager } from '@aquarian-metals/coin-moebius';
+
+const payments = createPaymentManager({
+  providers: [
+    createPaypalProvider({
+      sessionEndpoint: '/api/checkout/paypal',
+    }),
+  ],
+});
+```
+
+The session endpoint on your server is expected to call PayPal's `POST /v2/checkout/orders` with `intent: 'CAPTURE'` and return `{ url }` containing the response's `payer-action` HATEOAS link. The provider redirects the buyer to that URL and fires `onPending` synchronously. After the buyer approves and returns, your server captures the order via `POST /v2/checkout/orders/{id}/capture`; the final `PAYMENT.CAPTURE.COMPLETED` webhook lands on the server side.
+
+## Use — server (webhook verification)
+
+Two verifier implementations of the same `WebhookVerifier` contract. Pick one based on your traffic profile.
+
+### Default: REST-endpoint verifier
+
+PayPal does the crypto on their side. One OAuth call (cached for the returned `expires_in`, typically 9 hours) plus one verify call per webhook.
+
+```ts
+import { createPaypalVerifier } from '@aquarian-metals/coin-moebius-paypal/server';
+
+const verify = createPaypalVerifier({
+  clientId: process.env.PAYPAL_CLIENT_ID,
+  clientSecret: process.env.PAYPAL_CLIENT_SECRET,
+  webhookId: process.env.PAYPAL_WEBHOOK_ID,
+  mode: 'live', // or 'sandbox'
+});
+
+// inside your webhook route:
+const result = await verify.verify(rawBody, request.headers);
+```
+
+### Alternative: manual verifier
+
+Verifies the signature locally with no per-webhook PayPal round-trip after the first cert fetch. Use this when webhook volume is high enough that the extra round-trip cost matters.
+
+```ts
+import { createPaypalManualVerifier } from '@aquarian-metals/coin-moebius-paypal/server';
+
+const verify = createPaypalManualVerifier({
+  webhookId: process.env.PAYPAL_WEBHOOK_ID,
+  mode: 'live',
+});
+
+const result = await verify.verify(rawBody, request.headers);
+```
+
+**Safe by default.** Before fetching anything, the manual verifier rejects any `paypal-cert-url` whose origin is not the mode-appropriate PayPal host (`https://api.paypal.com/v1/notifications/certs/...` for live, `https://api.sandbox.paypal.com/v1/notifications/certs/...` for sandbox). HTTPS to that pinned host is the trust anchor; TLS handles cert chain validation. A forged signature header pointing at an attacker-controlled cert is refused before any network call.
+
+### Status mapping
+
+| PayPal event                | `PaymentResult.status`                                           |
+| --------------------------- | ---------------------------------------------------------------- |
+| `CHECKOUT.ORDER.APPROVED`   | `pending`                                                        |
+| `PAYMENT.CAPTURE.COMPLETED` | `success`                                                        |
+| `PAYMENT.CAPTURE.DENIED`    | `failed`                                                         |
+| `PAYMENT.CAPTURE.DECLINED`  | `failed`                                                         |
+| `PAYMENT.CAPTURE.REFUNDED`  | `refunded`                                                       |
+| `PAYMENT.CAPTURE.REVERSED`  | `refunded` (see `metadata` for the reversal indicator)           |
+| `CUSTOMER.DISPUTE.CREATED`  | `disputed`                                                       |
+| `CUSTOMER.DISPUTE.RESOLVED` | (verifier returns `null`; outcome shows on the original capture) |
+| anything else               | (verifier returns `null`, signature still validated)             |
+
+The `paymentId` field on the returned `PaymentResult` is the PayPal order id (`resource.supplementary_data.related_ids.order_id`) when available, so capture, refund, and dispute events linked to the same order all surface the same id.
+
+### Sandbox setup
+
+PayPal's sandbox requires two test accounts: one **business** (the merchant) and one **personal** (the buyer). Both are created from [developer.paypal.com](https://developer.paypal.com/dashboard/) under Apps & Credentials → Sandbox → Accounts.
+
+When testing manually, set `mode: 'sandbox'` on both the verifier and your order-creation call.
+
+### Currency support
+
+PayPal supports a fixed list of currencies that varies by account country. USD, EUR, GBP, CAD, and AUD are universally supported. See PayPal's currency reference for the full list.
+
+### Subscriptions
+
+This package handles one-off PayPal orders only. PayPal's billing-agreements / subscriptions API is out of scope.
+
+## License
+
+MIT — see [LICENSE](./LICENSE).

package/dist/index.d.ts

@@ -0,0 +1,41 @@
+/**
+ * PayPal client-side provider for Coin Moebius.
+ *
+ * Hosted-checkout flow (PayPal Orders v2). The provider POSTs the buyer's
+ * selection to the caller's `sessionEndpoint`, receives `{ url }` pointing at
+ * PayPal's hosted approval page (`https://www.paypal.com/checkoutnow?token=<id>`),
+ * fires `onPending`, and redirects the buyer. PayPal handles the wallet,
+ * funding source picker, and buyer approval; the buyer then returns to the
+ * merchant's return URL where the merchant captures the order. The final
+ * `PAYMENT.CAPTURE.COMPLETED` webhook lands on the server side.
+ *
+ *     import { createPaypalProvider } from '@aquarian-metals/coin-moebius-paypal';
+ *     const paypal = createPaypalProvider({
+ *       sessionEndpoint: '/api/checkout/paypal',
+ *     });
+ *
+ *     const manager = createPaymentManager({ providers: [paypal] });
+ *     await manager.initiate({ productId: 'pro', amount: 9.99, currency: 'USD' });
+ *
+ * The session endpoint is expected to call `POST /v2/checkout/orders` with
+ * `intent: 'CAPTURE'` and return `{ url }` containing the response's
+ * `payer-action` HATEOAS link.
+ */
+import type { PaymentProvider } from '@aquarian-metals/coin-moebius-core';
+export interface PaypalProviderConfig {
+    /** Full URL of the session endpoint that returns `{ url: payer-action }`. */
+    sessionEndpoint: string;
+    /** Optional fetch override — used by tests. Defaults to global `fetch`. */
+    fetcher?: typeof fetch;
+    /** Optional navigation override — used by tests. Defaults to `location.assign`. */
+    navigate?: (url: string) => void;
+}
+/**
+ * Build a `PaymentProvider` registered as `id: 'paypal'`. Fires `onPending`
+ * immediately after redirect; the actual settlement lands on the server via
+ * the webhook (`PAYMENT.CAPTURE.COMPLETED` is the canonical success event,
+ * after the merchant calls `POST /v2/checkout/orders/{id}/capture` on the
+ * buyer's return).
+ */
+export declare function createPaypalProvider(config: PaypalProviderConfig): PaymentProvider;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,OAAO,KAAK,EACX,eAAe,EAGf,MAAM,oCAAoC,CAAC;AAE5C,MAAM,WAAW,oBAAoB;IACpC,6EAA6E;IAC7E,eAAe,EAAE,MAAM,CAAC;IACxB,2EAA2E;IAC3E,OAAO,CAAC,EAAE,OAAO,KAAK,CAAC;IACvB,mFAAmF;IACnF,QAAQ,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CACjC;AAQD;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,oBAAoB,GAAG,eAAe,CAiDlF"}

package/dist/index.js

@@ -0,0 +1,56 @@
+/**
+ * Build a `PaymentProvider` registered as `id: 'paypal'`. Fires `onPending`
+ * immediately after redirect; the actual settlement lands on the server via
+ * the webhook (`PAYMENT.CAPTURE.COMPLETED` is the canonical success event,
+ * after the merchant calls `POST /v2/checkout/orders/{id}/capture` on the
+ * buyer's return).
+ */
+export function createPaypalProvider(config) {
+    const fetcher = config.fetcher ?? globalThis.fetch.bind(globalThis);
+    const navigate = config.navigate ??
+        ((url) => {
+            window.location.assign(url);
+        });
+    return {
+        id: 'paypal',
+        name: 'PayPal',
+        async initiate(options, callbacks) {
+            try {
+                const body = {
+                    productId: options.productId,
+                    amount: options.amount,
+                    currency: options.currency,
+                };
+                if (options.metadata)
+                    body.metadata = options.metadata;
+                const response = await fetcher(config.sessionEndpoint, {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify(body),
+                });
+                if (!response.ok) {
+                    throw new Error(`coin-moebius/paypal: session endpoint responded ${response.status}`);
+                }
+                const payload = (await response.json());
+                if (!payload.url) {
+                    throw new Error('coin-moebius/paypal: session response missing `url`');
+                }
+                const result = {
+                    status: 'pending',
+                    paymentId: payload.paymentId ?? '',
+                    provider: 'paypal',
+                    amount: options.amount,
+                    currency: options.currency,
+                    metadata: options.metadata ?? {},
+                    timestamp: Date.now(),
+                };
+                callbacks.onPending?.(result);
+                navigate(payload.url);
+            }
+            catch (err) {
+                callbacks.onError(err instanceof Error ? err : new Error(String(err)));
+            }
+        },
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AA4CA;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAA4B;IAChE,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACpE,MAAM,QAAQ,GACb,MAAM,CAAC,QAAQ;QACf,CAAC,CAAC,GAAW,EAAE,EAAE;YAChB,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;IAEJ,OAAO;QACN,EAAE,EAAE,QAAQ;QACZ,IAAI,EAAE,QAAQ;QACd,KAAK,CAAC,QAAQ,CAAC,OAAwB,EAAE,SAAS;YACjD,IAAI,CAAC;gBACJ,MAAM,IAAI,GAA4B;oBACrC,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;iBAC1B,CAAC;gBACF,IAAI,OAAO,CAAC,QAAQ;oBAAE,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;gBAEvD,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,eAAe,EAAE;oBACtD,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;oBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;iBAC1B,CAAC,CAAC;gBACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBAClB,MAAM,IAAI,KAAK,CAAC,mDAAmD,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;gBACvF,CAAC;gBACD,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAoB,CAAC;gBAC3D,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;oBAClB,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;gBACxE,CAAC;gBAED,MAAM,MAAM,GAAkB;oBAC7B,MAAM,EAAE,SAAS;oBACjB,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,EAAE;oBAClC,QAAQ,EAAE,QAAQ;oBAClB,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,EAAE;oBAChC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;iBACrB,CAAC;gBACF,SAAS,CAAC,SAAS,EAAE,CAAC,MAAM,CAAC,CAAC;gBAC9B,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACvB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACd,SAAS,CAAC,OAAO,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACxE,CAAC;QACF,CAAC;KACD,CAAC;AACH,CAAC"}

package/dist/server.d.ts

@@ -0,0 +1,93 @@
+/**
+ * PayPal server-side webhook verifiers.
+ *
+ * Two implementations of the same `WebhookVerifier` contract — pick one:
+ *
+ *   `createPaypalVerifier({ clientId, clientSecret, webhookId, mode })`
+ *     POSTs the incoming transmission fields to PayPal's
+ *     `/v1/notifications/verify-webhook-signature` endpoint. PayPal does the
+ *     crypto; we do one OAuth call (cached for the returned `expires_in`)
+ *     plus one verify call per webhook. Default choice for most callers.
+ *
+ *   `createPaypalManualVerifier({ webhookId, mode, certCache?, fetcher? })`
+ *     Verifies the signature locally. Faster on hot paths (no per-webhook
+ *     OAuth or verify round-trip after the first cert fetch). Safe by default:
+ *     rejects any `paypal-cert-url` whose origin is not the mode-appropriate
+ *     PayPal host before any fetch happens, so a forged header cannot trick
+ *     the verifier into trusting a third-party cert. HTTPS to the pinned
+ *     host is the trust anchor; chain validation is delegated to TLS itself.
+ *
+ * Both verifiers return a `PaymentResult` for recognized events or `null`
+ * for signed-but-non-payment events. Status mapping:
+ *
+ *   CHECKOUT.ORDER.APPROVED          → pending
+ *   PAYMENT.CAPTURE.COMPLETED        → success
+ *   PAYMENT.CAPTURE.DENIED           → failed
+ *   PAYMENT.CAPTURE.DECLINED         → failed
+ *   PAYMENT.CAPTURE.REFUNDED         → refunded
+ *   PAYMENT.CAPTURE.REVERSED         → refunded
+ *   CUSTOMER.DISPUTE.CREATED         → disputed
+ *   CUSTOMER.DISPUTE.RESOLVED        → null (no status change; outcome
+ *                                            shows on the original capture)
+ *   anything else                    → null (signature still validated)
+ */
+import type { WebhookEvent } from '@aquarian-metals/coin-moebius-core';
+export type PaypalMode = 'live' | 'sandbox';
+export interface WebhookVerifier {
+    verify(rawBody: unknown, headers: Record<string, string | undefined>): Promise<WebhookEvent | null>;
+}
+/** Pluggable OAuth-token cache for the REST-endpoint verifier. */
+export interface OAuthTokenCache {
+    get(key: string): Promise<CachedOAuthToken | null> | CachedOAuthToken | null;
+    set(key: string, value: CachedOAuthToken): Promise<void> | void;
+}
+export interface CachedOAuthToken {
+    accessToken: string;
+    expiresAt: number;
+}
+/** Pluggable cert cache for the manual verifier (cache by cert URL). */
+export interface CertCache {
+    get(url: string): Promise<string | null> | string | null;
+    set(url: string, pem: string): Promise<void> | void;
+}
+export interface PaypalVerifierConfig {
+    clientId: string;
+    clientSecret: string;
+    webhookId: string;
+    mode?: PaypalMode;
+    /** Defaults to in-memory `Map` per verifier instance. */
+    tokenCache?: OAuthTokenCache;
+    /** Defaults to global `fetch`. Useful for tests. */
+    fetcher?: typeof fetch;
+}
+export declare function createPaypalVerifier(config: PaypalVerifierConfig): WebhookVerifier;
+export interface PaypalManualVerifierConfig {
+    webhookId: string;
+    mode?: PaypalMode;
+    /** Defaults to in-memory `Map` keyed by cert URL. */
+    certCache?: CertCache;
+    /** Defaults to global `fetch`. Useful for tests. */
+    fetcher?: typeof fetch;
+}
+export declare function createPaypalManualVerifier(config: PaypalManualVerifierConfig): WebhookVerifier;
+/**
+ * IEEE 802.3 CRC-32 of the byte array. Returns an unsigned 32-bit integer.
+ * PayPal's manual webhook verification scheme requires this as a decimal
+ * string component of the signed payload.
+ */
+export declare function crc32(bytes: Uint8Array): number;
+/**
+ * Return the PayPal-hosted page a buyer manages their subscriptions on.
+ * PayPal does not offer a per-subscription "Customer Portal" session like
+ * Stripe; the buyer signs into their PayPal account and sees every
+ * automatic-payment they have, across all merchants, at the same URL. We
+ * just return that URL.
+ *
+ * The `mode` argument toggles between live and sandbox hosts so
+ * sandbox-mode test buyers don't get redirected to the live PayPal
+ * account UI (where their sandbox credentials wouldn't work).
+ */
+export declare function getPaypalPortalUrl(opts?: {
+    mode?: PaypalMode;
+}): string;
+//# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,KAAK,EAAiB,YAAY,EAAE,MAAM,oCAAoC,CAAC;AAItF,MAAM,MAAM,UAAU,GAAG,MAAM,GAAG,SAAS,CAAC;AAE5C,MAAM,WAAW,eAAe;IAC/B,MAAM,CACL,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,GACzC,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAAC;CAChC;AAED,kEAAkE;AAClE,MAAM,WAAW,eAAe;IAC/B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,GAAG,gBAAgB,GAAG,IAAI,CAAC;IAC7E,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CAChE;AAED,MAAM,WAAW,gBAAgB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CAClB;AAED,wEAAwE;AACxE,MAAM,WAAW,SAAS;IACzB,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,GAAG,MAAM,GAAG,IAAI,CAAC;IACzD,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CACpD;AAgBD,MAAM,WAAW,oBAAoB;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,UAAU,CAAC;IAClB,yDAAyD;IACzD,UAAU,CAAC,EAAE,eAAe,CAAC;IAC7B,oDAAoD;IACpD,OAAO,CAAC,EAAE,OAAO,KAAK,CAAC;CACvB;AAED,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,oBAAoB,GAAG,eAAe,CAwDlF;AAqDD,MAAM,WAAW,0BAA0B;IAC1C,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,UAAU,CAAC;IAClB,qDAAqD;IACrD,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,oDAAoD;IACpD,OAAO,CAAC,EAAE,OAAO,KAAK,CAAC;CACvB;AAED,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,0BAA0B,GAAG,eAAe,CA6C9F;AAigBD;;;;GAIG;AACH,wBAAgB,KAAK,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAM/C;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,GAAE;IAAE,IAAI,CAAC,EAAE,UAAU,CAAA;CAAO,GAAG,MAAM,CAK3E"}

package/dist/server.js

@@ -0,0 +1,577 @@
+/**
+ * PayPal server-side webhook verifiers.
+ *
+ * Two implementations of the same `WebhookVerifier` contract — pick one:
+ *
+ *   `createPaypalVerifier({ clientId, clientSecret, webhookId, mode })`
+ *     POSTs the incoming transmission fields to PayPal's
+ *     `/v1/notifications/verify-webhook-signature` endpoint. PayPal does the
+ *     crypto; we do one OAuth call (cached for the returned `expires_in`)
+ *     plus one verify call per webhook. Default choice for most callers.
+ *
+ *   `createPaypalManualVerifier({ webhookId, mode, certCache?, fetcher? })`
+ *     Verifies the signature locally. Faster on hot paths (no per-webhook
+ *     OAuth or verify round-trip after the first cert fetch). Safe by default:
+ *     rejects any `paypal-cert-url` whose origin is not the mode-appropriate
+ *     PayPal host before any fetch happens, so a forged header cannot trick
+ *     the verifier into trusting a third-party cert. HTTPS to the pinned
+ *     host is the trust anchor; chain validation is delegated to TLS itself.
+ *
+ * Both verifiers return a `PaymentResult` for recognized events or `null`
+ * for signed-but-non-payment events. Status mapping:
+ *
+ *   CHECKOUT.ORDER.APPROVED          → pending
+ *   PAYMENT.CAPTURE.COMPLETED        → success
+ *   PAYMENT.CAPTURE.DENIED           → failed
+ *   PAYMENT.CAPTURE.DECLINED         → failed
+ *   PAYMENT.CAPTURE.REFUNDED         → refunded
+ *   PAYMENT.CAPTURE.REVERSED         → refunded
+ *   CUSTOMER.DISPUTE.CREATED         → disputed
+ *   CUSTOMER.DISPUTE.RESOLVED        → null (no status change; outcome
+ *                                            shows on the original capture)
+ *   anything else                    → null (signature still validated)
+ */
+// --- mode-bound endpoints --------------------------------------------------
+const API_BASE = {
+    live: 'https://api-m.paypal.com',
+    sandbox: 'https://api-m.sandbox.paypal.com',
+};
+const TRUSTED_CERT_PREFIXES = {
+    live: 'https://api.paypal.com/v1/notifications/certs/',
+    sandbox: 'https://api.sandbox.paypal.com/v1/notifications/certs/',
+};
+export function createPaypalVerifier(config) {
+    const mode = config.mode ?? 'live';
+    const apiBase = API_BASE[mode];
+    const fetcher = config.fetcher ?? globalThis.fetch.bind(globalThis);
+    const cache = config.tokenCache ?? memoryTokenCache();
+    return {
+        async verify(rawBody, headers) {
+            requireString(config.clientId, 'clientId');
+            requireString(config.clientSecret, 'clientSecret');
+            requireString(config.webhookId, 'webhookId');
+            const transmissionFields = extractTransmissionHeaders(headers);
+            const bodyString = normalizeBody(rawBody);
+            const webhookEvent = parseJson(bodyString, 'webhook event body');
+            const token = await getAccessToken({
+                cacheKey: config.clientId,
+                cache,
+                clientId: config.clientId,
+                clientSecret: config.clientSecret,
+                apiBase,
+                fetcher,
+            });
+            const verifyResponse = await fetcher(`${apiBase}/v1/notifications/verify-webhook-signature`, {
+                method: 'POST',
+                headers: {
+                    Authorization: `Bearer ${token}`,
+                    'Content-Type': 'application/json',
+                },
+                body: JSON.stringify({
+                    auth_algo: transmissionFields.authAlgo,
+                    cert_url: transmissionFields.certUrl,
+                    transmission_id: transmissionFields.transmissionId,
+                    transmission_sig: transmissionFields.transmissionSig,
+                    transmission_time: transmissionFields.transmissionTime,
+                    webhook_id: config.webhookId,
+                    webhook_event: webhookEvent,
+                }),
+            });
+            if (!verifyResponse.ok) {
+                const text = await verifyResponse.text();
+                throw new Error(`coin-moebius/paypal: verify-webhook-signature failed (${verifyResponse.status}): ${text}`);
+            }
+            const verifyPayload = (await verifyResponse.json());
+            if (verifyPayload.verification_status !== 'SUCCESS') {
+                throw new Error('coin-moebius/paypal: invalid signature');
+            }
+            return toPaymentResult(webhookEvent);
+        },
+    };
+}
+async function getAccessToken(input) {
+    const cached = await input.cache.get(input.cacheKey);
+    // Refresh when within 60s of expiry to avoid a near-miss race.
+    if (cached && cached.expiresAt - Date.now() > 60_000) {
+        return cached.accessToken;
+    }
+    const basic = base64(`${input.clientId}:${input.clientSecret}`);
+    const response = await input.fetcher(`${input.apiBase}/v1/oauth2/token`, {
+        method: 'POST',
+        headers: {
+            Authorization: `Basic ${basic}`,
+            'Content-Type': 'application/x-www-form-urlencoded',
+            Accept: 'application/json',
+        },
+        body: 'grant_type=client_credentials',
+    });
+    if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`coin-moebius/paypal: oauth token request failed (${response.status}): ${text}`);
+    }
+    const payload = (await response.json());
+    if (!payload.access_token || typeof payload.expires_in !== 'number') {
+        throw new Error('coin-moebius/paypal: oauth response missing access_token or expires_in');
+    }
+    const expiresAt = Date.now() + payload.expires_in * 1000;
+    await input.cache.set(input.cacheKey, { accessToken: payload.access_token, expiresAt });
+    return payload.access_token;
+}
+function memoryTokenCache() {
+    const store = new Map();
+    return {
+        get: (key) => store.get(key) ?? null,
+        set: (key, value) => {
+            store.set(key, value);
+        },
+    };
+}
+export function createPaypalManualVerifier(config) {
+    const mode = config.mode ?? 'live';
+    const trustedPrefix = TRUSTED_CERT_PREFIXES[mode];
+    const fetcher = config.fetcher ?? globalThis.fetch.bind(globalThis);
+    const cache = config.certCache ?? memoryCertCache();
+    return {
+        async verify(rawBody, headers) {
+            requireString(config.webhookId, 'webhookId');
+            const transmissionFields = extractTransmissionHeaders(headers);
+            // SAFE-BY-DEFAULT GUARD: refuse to fetch any cert URL that is not
+            // on the mode-appropriate PayPal host. HTTPS to a pinned host is
+            // the trust anchor; TLS handles cert chain validation for us.
+            if (!transmissionFields.certUrl.startsWith(trustedPrefix)) {
+                throw new Error(`coin-moebius/paypal: refusing untrusted paypal-cert-url (must start with ${trustedPrefix})`);
+            }
+            const bodyBytes = bodyToBytes(rawBody);
+            const bodyString = new TextDecoder().decode(bodyBytes);
+            const webhookEvent = parseJson(bodyString, 'webhook event body');
+            const crc = crc32(bodyBytes).toString(10);
+            const signedString = `${transmissionFields.transmissionId}|${transmissionFields.transmissionTime}|${config.webhookId}|${crc}`;
+            const pem = await fetchCertPem(transmissionFields.certUrl, cache, fetcher);
+            const publicKey = await importRsaPublicKeyFromCert(pem);
+            const signatureBytes = base64Decode(transmissionFields.transmissionSig);
+            const verified = await crypto.subtle.verify({ name: 'RSASSA-PKCS1-v1_5' }, publicKey, signatureBytes, new TextEncoder().encode(signedString));
+            if (!verified) {
+                throw new Error('coin-moebius/paypal: invalid signature');
+            }
+            return toPaymentResult(webhookEvent);
+        },
+    };
+}
+async function fetchCertPem(url, cache, fetcher) {
+    const cached = await cache.get(url);
+    if (cached)
+        return cached;
+    const response = await fetcher(url, { method: 'GET' });
+    if (!response.ok) {
+        throw new Error(`coin-moebius/paypal: cert fetch failed (${response.status}) for ${url}`);
+    }
+    const pem = await response.text();
+    await cache.set(url, pem);
+    return pem;
+}
+function memoryCertCache() {
+    const store = new Map();
+    return {
+        get: (url) => store.get(url) ?? null,
+        set: (url, pem) => {
+            store.set(url, pem);
+        },
+    };
+}
+/**
+ * Extract the SubjectPublicKeyInfo from an X.509 certificate (PEM) and import
+ * it as an RSA public key for SHA-256 verification.
+ *
+ * Web Crypto's `importKey('spki', ...)` accepts SubjectPublicKeyInfo bytes,
+ * not full X.509 certificates. We walk the cert's ASN.1 structure to extract
+ * the SPKI bytes, then hand them to Web Crypto. The walk is minimal: enter
+ * the outer Certificate SEQUENCE, enter the tbsCertificate SEQUENCE, skip
+ * the explicit-version, serial, signature, issuer, validity, subject fields,
+ * then read the SubjectPublicKeyInfo SEQUENCE as a complete TLV slice.
+ */
+async function importRsaPublicKeyFromCert(pem) {
+    const der = pemBlockToBytes(pem, 'CERTIFICATE');
+    const spki = extractSpkiFromX509(der);
+    return crypto.subtle.importKey('spki', spki, { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }, false, ['verify']);
+}
+function extractSpkiFromX509(der) {
+    // Outer: SEQUENCE (Certificate) — tag 0x30
+    const certSeq = readTlv(der, 0);
+    if (certSeq.tag !== 0x30) {
+        throw new Error('coin-moebius/paypal: unexpected outer ASN.1 tag (expected SEQUENCE)');
+    }
+    // Inside Certificate: tbsCertificate SEQUENCE — tag 0x30
+    const tbs = readTlv(certSeq.value, 0);
+    if (tbs.tag !== 0x30) {
+        throw new Error('coin-moebius/paypal: unexpected tbsCertificate tag (expected SEQUENCE)');
+    }
+    let offset = 0;
+    const body = tbs.value;
+    // Optional [0] EXPLICIT Version. Tag 0xA0 if present; skip when seen.
+    if (body[offset] === 0xa0) {
+        const version = readTlv(body, offset);
+        offset = version.end;
+    }
+    // CertificateSerialNumber — INTEGER (0x02)
+    offset = readTlv(body, offset).end;
+    // signature AlgorithmIdentifier — SEQUENCE (0x30)
+    offset = readTlv(body, offset).end;
+    // issuer Name — SEQUENCE (0x30)
+    offset = readTlv(body, offset).end;
+    // validity — SEQUENCE (0x30)
+    offset = readTlv(body, offset).end;
+    // subject Name — SEQUENCE (0x30)
+    offset = readTlv(body, offset).end;
+    // Next field is the SubjectPublicKeyInfo SEQUENCE. We need the entire
+    // TLV (tag + length + value) as a slice, because Web Crypto's `spki`
+    // format expects the full ASN.1 SubjectPublicKeyInfo structure.
+    const spkiTlv = readTlv(body, offset);
+    if (spkiTlv.tag !== 0x30) {
+        throw new Error('coin-moebius/paypal: expected SubjectPublicKeyInfo SEQUENCE at the post-subject position');
+    }
+    return body.subarray(offset, spkiTlv.end);
+}
+function readTlv(bytes, start) {
+    if (start >= bytes.length) {
+        throw new Error('coin-moebius/paypal: truncated ASN.1 input');
+    }
+    const tag = bytes[start];
+    let cursor = start + 1;
+    const lengthByte = bytes[cursor++];
+    let length;
+    if (lengthByte < 0x80) {
+        length = lengthByte;
+    }
+    else {
+        const numLengthBytes = lengthByte & 0x7f;
+        if (numLengthBytes === 0 || numLengthBytes > 4) {
+            // Forbid indefinite-length (numLengthBytes === 0) and anything
+            // over 32-bit since we're dealing with kB-scale certs.
+            throw new Error('coin-moebius/paypal: unsupported ASN.1 length encoding');
+        }
+        length = 0;
+        for (let i = 0; i < numLengthBytes; i++) {
+            length = (length << 8) | bytes[cursor++];
+        }
+    }
+    const valueStart = cursor;
+    const end = valueStart + length;
+    if (end > bytes.length) {
+        throw new Error('coin-moebius/paypal: ASN.1 length exceeds input');
+    }
+    return { tag, length, value: bytes.subarray(valueStart, end), end };
+}
+function extractTransmissionHeaders(headers) {
+    const transmissionId = headerValue(headers, 'paypal-transmission-id');
+    const transmissionTime = headerValue(headers, 'paypal-transmission-time');
+    const certUrl = headerValue(headers, 'paypal-cert-url');
+    const transmissionSig = headerValue(headers, 'paypal-transmission-sig');
+    // `paypal-auth-algo` is required for the REST verifier; the manual
+    // verifier assumes SHA256withRSA (PayPal's documented default) and
+    // ignores it, but we still surface it for forwarding.
+    const authAlgo = headerValue(headers, 'paypal-auth-algo') ?? 'SHA256withRSA';
+    if (!transmissionId || !transmissionTime || !certUrl || !transmissionSig) {
+        throw new Error('coin-moebius/paypal: missing one or more required paypal-* headers');
+    }
+    return { transmissionId, transmissionTime, certUrl, transmissionSig, authAlgo };
+}
+function headerValue(headers, name) {
+    const lower = name.toLowerCase();
+    for (const [key, value] of Object.entries(headers)) {
+        if (key.toLowerCase() === lower)
+            return value;
+    }
+    return undefined;
+}
+function normalizeBody(rawBody) {
+    if (typeof rawBody === 'string')
+        return rawBody;
+    if (rawBody instanceof Uint8Array)
+        return new TextDecoder().decode(rawBody);
+    if (rawBody && typeof rawBody === 'object')
+        return JSON.stringify(rawBody);
+    throw new Error('coin-moebius/paypal: unsupported body type');
+}
+function bodyToBytes(rawBody) {
+    if (rawBody instanceof Uint8Array)
+        return rawBody;
+    if (typeof rawBody === 'string')
+        return new TextEncoder().encode(rawBody);
+    if (rawBody && typeof rawBody === 'object') {
+        return new TextEncoder().encode(JSON.stringify(rawBody));
+    }
+    throw new Error('coin-moebius/paypal: unsupported body type');
+}
+function parseJson(s, label) {
+    try {
+        return JSON.parse(s);
+    }
+    catch {
+        throw new Error(`coin-moebius/paypal: ${label} is not valid JSON`);
+    }
+}
+function requireString(value, fieldName) {
+    if (typeof value !== 'string' || value.length === 0) {
+        throw new Error(`coin-moebius/paypal: ${fieldName} missing on verifier config`);
+    }
+}
+function toPaymentResult(event) {
+    const typed = event;
+    const eventType = typed.event_type ?? '';
+    // Subscription lifecycle events take precedence over the one-time event
+    // mapping. The order events (PAYMENT.SALE.COMPLETED in particular) can
+    // fire for both legacy one-time payments AND for subscription cycles —
+    // the subscription path narrows by inspecting the resource shape.
+    const subscriptionEvent = toSubscriptionEvent(event, eventType);
+    if (subscriptionEvent)
+        return subscriptionEvent;
+    const status = mapEventType(eventType);
+    if (status === null)
+        return null;
+    const resource = typed.resource ?? {};
+    const { amount, currency } = readAmountAndCurrency(resource, eventType);
+    const paymentId = readPaymentId(resource);
+    return {
+        kind: 'payment',
+        status,
+        paymentId,
+        provider: 'paypal',
+        amount,
+        currency,
+        metadata: {
+            paypalEventType: eventType,
+            paypalResourceId: typeof resource.id === 'string' ? resource.id : undefined,
+        },
+        timestamp: Date.now(),
+        raw: event,
+    };
+}
+/**
+ * PayPal subscription-event mapper. Recognizes five event types covering
+ * the subscription lifecycle and emits the SDK's normalized
+ * `SubscriptionEvent`. Returns `null` for any other event so the caller
+ * falls through to the payment-event path.
+ *
+ *   BILLING.SUBSCRIPTION.ACTIVATED       → subscription.created
+ *   PAYMENT.SALE.COMPLETED (sub-linked)  → subscription.renewed
+ *   BILLING.SUBSCRIPTION.PAYMENT.FAILED  → subscription.payment_failed
+ *   BILLING.SUBSCRIPTION.UPDATED         → subscription.updated
+ *   BILLING.SUBSCRIPTION.CANCELLED       → subscription.canceled
+ *
+ * `PAYMENT.SALE.COMPLETED` is the only fork: PayPal uses it for legacy
+ * one-time payments AND for subscription cycle charges. We discriminate
+ * by checking whether the resource's `billing_agreement_id` is set, which
+ * it is on subscription-linked sales.
+ */
+function toSubscriptionEvent(event, eventType) {
+    const typed = event;
+    const resource = (typed.resource ?? {});
+    const isSaleForSubscription = eventType === 'PAYMENT.SALE.COMPLETED' && typeof resource.billing_agreement_id === 'string';
+    let subscriptionType = null;
+    switch (eventType) {
+        case 'BILLING.SUBSCRIPTION.ACTIVATED':
+            subscriptionType = 'subscription.created';
+            break;
+        case 'BILLING.SUBSCRIPTION.PAYMENT.FAILED':
+            subscriptionType = 'subscription.payment_failed';
+            break;
+        case 'BILLING.SUBSCRIPTION.UPDATED':
+        case 'BILLING.SUBSCRIPTION.SUSPENDED':
+        case 'BILLING.SUBSCRIPTION.RE-ACTIVATED':
+        case 'BILLING.SUBSCRIPTION.EXPIRED':
+            subscriptionType = 'subscription.updated';
+            break;
+        case 'BILLING.SUBSCRIPTION.CANCELLED':
+            subscriptionType = 'subscription.canceled';
+            break;
+        default:
+            if (isSaleForSubscription) {
+                subscriptionType = 'subscription.renewed';
+            }
+            else {
+                return null;
+            }
+    }
+    const subscriptionId = isSaleForSubscription
+        ? (resource.billing_agreement_id ?? '')
+        : (resource.id ?? '');
+    if (!subscriptionId)
+        return null;
+    const status = mapSubscriptionStatus(eventType, resource.status);
+    const { amount, currency } = readSubscriptionAmount(resource, isSaleForSubscription);
+    const nextBilling = resource.billing_info?.next_billing_time;
+    const currentPeriodEnd = typeof nextBilling === 'string' ? Math.floor(new Date(nextBilling).getTime() / 1000) : null;
+    return {
+        kind: 'subscription',
+        type: subscriptionType,
+        subscriptionId,
+        provider: 'paypal',
+        productId: typeof resource.plan_id === 'string' ? resource.plan_id : null,
+        customerRef: typeof resource.subscriber?.payer_id === 'string' ? resource.subscriber.payer_id : null,
+        status,
+        currentPeriodEnd: Number.isFinite(currentPeriodEnd) ? currentPeriodEnd : null,
+        amount,
+        currency,
+        metadata: {
+            paypalEventType: eventType,
+            ...(typeof resource.custom_id === 'string' ? { customerRef: resource.custom_id } : {}),
+        },
+        timestamp: Date.now(),
+        raw: event,
+    };
+}
+/**
+ * Map PayPal's subscription status field onto our neutral enum. PayPal
+ * statuses: `APPROVAL_PENDING`, `APPROVED`, `ACTIVE`, `SUSPENDED`,
+ * `CANCELLED`, `EXPIRED`. The event type itself sometimes carries more
+ * intent than the status field (e.g. CANCELLED sub still shows `ACTIVE`
+ * status briefly), so we let the event type win where they disagree.
+ */
+function mapSubscriptionStatus(eventType, rawStatus) {
+    if (eventType === 'BILLING.SUBSCRIPTION.CANCELLED')
+        return 'canceled';
+    if (eventType === 'BILLING.SUBSCRIPTION.PAYMENT.FAILED')
+        return 'past_due';
+    if (eventType === 'BILLING.SUBSCRIPTION.SUSPENDED')
+        return 'paused';
+    switch (rawStatus) {
+        case 'ACTIVE':
+        case 'APPROVED':
+            return 'active';
+        case 'SUSPENDED':
+            return 'paused';
+        case 'CANCELLED':
+        case 'EXPIRED':
+            return 'canceled';
+        default:
+            return 'unknown';
+    }
+}
+function readSubscriptionAmount(resource, isSaleForSubscription) {
+    const amountField = isSaleForSubscription
+        ? resource.amount
+        : resource.billing_info?.last_payment?.amount;
+    const value = amountField?.value;
+    const amount = typeof value === 'string' ? Number.parseFloat(value) : 0;
+    const currency = (amountField?.currency_code ?? 'USD').toUpperCase();
+    return { amount: Number.isFinite(amount) ? amount : 0, currency };
+}
+function mapEventType(eventType) {
+    switch (eventType) {
+        case 'CHECKOUT.ORDER.APPROVED':
+            return 'pending';
+        case 'PAYMENT.CAPTURE.COMPLETED':
+            return 'success';
+        case 'PAYMENT.CAPTURE.DENIED':
+        case 'PAYMENT.CAPTURE.DECLINED':
+            return 'failed';
+        case 'PAYMENT.CAPTURE.REFUNDED':
+        case 'PAYMENT.CAPTURE.REVERSED':
+            return 'refunded';
+        case 'CUSTOMER.DISPUTE.CREATED':
+            return 'disputed';
+        // CUSTOMER.DISPUTE.RESOLVED intentionally returns null: the resolution
+        // outcome is reflected on the original capture event's downstream
+        // state, not as a separate status change.
+        default:
+            return null;
+    }
+}
+function readAmountAndCurrency(resource, eventType) {
+    // Disputes use `dispute_amount`; captures use `amount`; orders nest amount
+    // inside the first `purchase_units` entry. Probe each, default safely.
+    let amountField;
+    if (eventType === 'CUSTOMER.DISPUTE.CREATED') {
+        amountField = resource.dispute_amount;
+    }
+    else if (resource.amount) {
+        amountField = resource.amount;
+    }
+    else if (resource.purchase_units?.[0]?.amount) {
+        amountField = resource.purchase_units[0].amount;
+    }
+    const value = amountField?.value;
+    const amount = typeof value === 'string' ? Number.parseFloat(value) : 0;
+    const currency = (amountField?.currency_code ?? 'USD').toUpperCase();
+    return { amount: Number.isFinite(amount) ? amount : 0, currency };
+}
+function readPaymentId(resource) {
+    // Prefer the underlying order id when a capture/refund event references
+    // one — gives consumers a stable id across the full payment lifecycle.
+    // Fall back to the resource id (the capture or order id itself).
+    const orderId = resource.supplementary_data?.related_ids?.order_id;
+    if (typeof orderId === 'string' && orderId.length > 0)
+        return orderId;
+    if (typeof resource.id === 'string')
+        return resource.id;
+    return '';
+}
+// --- crypto + encoding helpers --------------------------------------------
+function pemBlockToBytes(pem, label) {
+    const begin = `-----BEGIN ${label}-----`;
+    const end = `-----END ${label}-----`;
+    const beginIdx = pem.indexOf(begin);
+    const endIdx = pem.indexOf(end);
+    if (beginIdx === -1 || endIdx === -1) {
+        throw new Error(`coin-moebius/paypal: PEM missing ${label} block`);
+    }
+    const body = pem.slice(beginIdx + begin.length, endIdx).replace(/\s+/g, '');
+    return base64Decode(body);
+}
+function base64(input) {
+    let binary = '';
+    const bytes = new TextEncoder().encode(input);
+    for (const b of bytes)
+        binary += String.fromCharCode(b);
+    return btoa(binary);
+}
+function base64Decode(input) {
+    const binary = atob(input);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++)
+        bytes[i] = binary.charCodeAt(i);
+    return bytes;
+}
+// --- CRC32 -----------------------------------------------------------------
+const CRC32_TABLE = buildCrc32Table();
+function buildCrc32Table() {
+    const table = new Uint32Array(256);
+    for (let i = 0; i < 256; i++) {
+        let c = i;
+        for (let k = 0; k < 8; k++) {
+            c = c & 1 ? 0xedb88320 ^ (c >>> 1) : c >>> 1;
+        }
+        table[i] = c >>> 0;
+    }
+    return table;
+}
+/**
+ * IEEE 802.3 CRC-32 of the byte array. Returns an unsigned 32-bit integer.
+ * PayPal's manual webhook verification scheme requires this as a decimal
+ * string component of the signed payload.
+ */
+export function crc32(bytes) {
+    let crc = 0xffffffff;
+    for (const byte of bytes) {
+        crc = (crc >>> 8) ^ CRC32_TABLE[(crc ^ byte) & 0xff];
+    }
+    return (crc ^ 0xffffffff) >>> 0;
+}
+/**
+ * Return the PayPal-hosted page a buyer manages their subscriptions on.
+ * PayPal does not offer a per-subscription "Customer Portal" session like
+ * Stripe; the buyer signs into their PayPal account and sees every
+ * automatic-payment they have, across all merchants, at the same URL. We
+ * just return that URL.
+ *
+ * The `mode` argument toggles between live and sandbox hosts so
+ * sandbox-mode test buyers don't get redirected to the live PayPal
+ * account UI (where their sandbox credentials wouldn't work).
+ */
+export function getPaypalPortalUrl(opts = {}) {
+    const mode = opts.mode ?? 'live';
+    return mode === 'sandbox'
+        ? 'https://www.sandbox.paypal.com/myaccount/autopay/'
+        : 'https://www.paypal.com/myaccount/autopay/';
+}
+//# sourceMappingURL=server.js.map

package/dist/server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAgCH,8EAA8E;AAE9E,MAAM,QAAQ,GAAG;IAChB,IAAI,EAAE,0BAA0B;IAChC,OAAO,EAAE,kCAAkC;CAClC,CAAC;AAEX,MAAM,qBAAqB,GAAG;IAC7B,IAAI,EAAE,gDAAgD;IACtD,OAAO,EAAE,wDAAwD;CACxD,CAAC;AAeX,MAAM,UAAU,oBAAoB,CAAC,MAA4B;IAChE,MAAM,IAAI,GAAe,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC;IAC/C,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACpE,MAAM,KAAK,GAAoB,MAAM,CAAC,UAAU,IAAI,gBAAgB,EAAE,CAAC;IAEvE,OAAO;QACN,KAAK,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO;YAC5B,aAAa,CAAC,MAAM,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;YAC3C,aAAa,CAAC,MAAM,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC;YACnD,aAAa,CAAC,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YAE7C,MAAM,kBAAkB,GAAG,0BAA0B,CAAC,OAAO,CAAC,CAAC;YAC/D,MAAM,UAAU,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;YAC1C,MAAM,YAAY,GAAG,SAAS,CAAC,UAAU,EAAE,oBAAoB,CAAC,CAAC;YAEjE,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC;gBAClC,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,KAAK;gBACL,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,YAAY,EAAE,MAAM,CAAC,YAAY;gBACjC,OAAO;gBACP,OAAO;aACP,CAAC,CAAC;YAEH,MAAM,cAAc,GAAG,MAAM,OAAO,CAAC,GAAG,OAAO,4CAA4C,EAAE;gBAC5F,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACR,aAAa,EAAE,UAAU,KAAK,EAAE;oBAChC,cAAc,EAAE,kBAAkB;iBAClC;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACpB,SAAS,EAAE,kBAAkB,CAAC,QAAQ;oBACtC,QAAQ,EAAE,kBAAkB,CAAC,OAAO;oBACpC,eAAe,EAAE,kBAAkB,CAAC,cAAc;oBAClD,gBAAgB,EAAE,kBAAkB,CAAC,eAAe;oBACpD,iBAAiB,EAAE,kBAAkB,CAAC,gBAAgB;oBACtD,UAAU,EAAE,MAAM,CAAC,SAAS;oBAC5B,aAAa,EAAE,YAAY;iBAC3B,CAAC;aACF,CAAC,CAAC;YAEH,IAAI,CAAC,cAAc,CAAC,EAAE,EAAE,CAAC;gBACxB,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC,IAAI,EAAE,CAAC;gBACzC,MAAM,IAAI,KAAK,CACd,yDAAyD,cAAc,CAAC,MAAM,MAAM,IAAI,EAAE,CAC1F,CAAC;YACH,CAAC;YACD,MAAM,aAAa,GAAG,CAAC,MAAM,cAAc,CAAC,IAAI,EAAE,CAAqC,CAAC;YACxF,IAAI,aAAa,CAAC,mBAAmB,KAAK,SAAS,EAAE,CAAC;gBACrD,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;YAC3D,CAAC;YAED,OAAO,eAAe,CAAC,YAAY,CAAC,CAAC;QACtC,CAAC;KACD,CAAC;AACH,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,KAO7B;IACA,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACrD,+DAA+D;IAC/D,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;QACtD,OAAO,MAAM,CAAC,WAAW,CAAC;IAC3B,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,YAAY,EAAE,CAAC,CAAC;IAChE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,GAAG,KAAK,CAAC,OAAO,kBAAkB,EAAE;QACxE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACR,aAAa,EAAE,SAAS,KAAK,EAAE;YAC/B,cAAc,EAAE,mCAAmC;YACnD,MAAM,EAAE,kBAAkB;SAC1B;QACD,IAAI,EAAE,+BAA+B;KACrC,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QAClB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CACd,oDAAoD,QAAQ,CAAC,MAAM,MAAM,IAAI,EAAE,CAC/E,CAAC;IACH,CAAC;IACD,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAmD,CAAC;IAC1F,IAAI,CAAC,OAAO,CAAC,YAAY,IAAI,OAAO,OAAO,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QACrE,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAC;IAC3F,CAAC;IACD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IACzD,MAAM,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,EAAE,WAAW,EAAE,OAAO,CAAC,YAAY,EAAE,SAAS,EAAE,CAAC,CAAC;IACxF,OAAO,OAAO,CAAC,YAAY,CAAC;AAC7B,CAAC;AAED,SAAS,gBAAgB;IACxB,MAAM,KAAK,GAAG,IAAI,GAAG,EAA4B,CAAC;IAClD,OAAO;QACN,GAAG,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI;QACpC,GAAG,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;YACnB,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACvB,CAAC;KACD,CAAC;AACH,CAAC;AAaD,MAAM,UAAU,0BAA0B,CAAC,MAAkC;IAC5E,MAAM,IAAI,GAAe,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC;IAC/C,MAAM,aAAa,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAC;IAClD,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACpE,MAAM,KAAK,GAAc,MAAM,CAAC,SAAS,IAAI,eAAe,EAAE,CAAC;IAE/D,OAAO;QACN,KAAK,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO;YAC5B,aAAa,CAAC,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YAE7C,MAAM,kBAAkB,GAAG,0BAA0B,CAAC,OAAO,CAAC,CAAC;YAE/D,kEAAkE;YAClE,iEAAiE;YACjE,8DAA8D;YAC9D,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;gBAC3D,MAAM,IAAI,KAAK,CACd,4EAA4E,aAAa,GAAG,CAC5F,CAAC;YACH,CAAC;YAED,MAAM,SAAS,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;YACvC,MAAM,UAAU,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACvD,MAAM,YAAY,GAAG,SAAS,CAAC,UAAU,EAAE,oBAAoB,CAAC,CAAC;YAEjE,MAAM,GAAG,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YAC1C,MAAM,YAAY,GAAG,GAAG,kBAAkB,CAAC,cAAc,IAAI,kBAAkB,CAAC,gBAAgB,IAAI,MAAM,CAAC,SAAS,IAAI,GAAG,EAAE,CAAC;YAE9H,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,kBAAkB,CAAC,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;YAC3E,MAAM,SAAS,GAAG,MAAM,0BAA0B,CAAC,GAAG,CAAC,CAAC;YACxD,MAAM,cAAc,GAAG,YAAY,CAAC,kBAAkB,CAAC,eAAe,CAAC,CAAC;YAExE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAC1C,EAAE,IAAI,EAAE,mBAAmB,EAAE,EAC7B,SAAS,EACT,cAAc,EACd,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CACtC,CAAC;YACF,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACf,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;YAC3D,CAAC;YAED,OAAO,eAAe,CAAC,YAAY,CAAC,CAAC;QACtC,CAAC;KACD,CAAC;AACH,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,GAAW,EAAE,KAAgB,EAAE,OAAqB;IAC/E,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACvD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,2CAA2C,QAAQ,CAAC,MAAM,SAAS,GAAG,EAAE,CAAC,CAAC;IAC3F,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAClC,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAC1B,OAAO,GAAG,CAAC;AACZ,CAAC;AAED,SAAS,eAAe;IACvB,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IACxC,OAAO;QACN,GAAG,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI;QACpC,GAAG,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YACjB,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACrB,CAAC;KACD,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,KAAK,UAAU,0BAA0B,CAAC,GAAW;IACpD,MAAM,GAAG,GAAG,eAAe,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IAChD,MAAM,IAAI,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;IACtC,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC7B,MAAM,EACN,IAAoB,EACpB,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,SAAS,EAAE,EAC9C,KAAK,EACL,CAAC,QAAQ,CAAC,CACV,CAAC;AACH,CAAC;AAED,SAAS,mBAAmB,CAAC,GAAe;IAC3C,2CAA2C;IAC3C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IAChC,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,qEAAqE,CAAC,CAAC;IACxF,CAAC;IACD,yDAAyD;IACzD,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACtC,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAC;IAC3F,CAAC;IACD,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC;IAEvB,sEAAsE;IACtE,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACtC,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC;IACtB,CAAC;IACD,2CAA2C;IAC3C,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,GAAG,CAAC;IACnC,kDAAkD;IAClD,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,GAAG,CAAC;IACnC,gCAAgC;IAChC,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,GAAG,CAAC;IACnC,6BAA6B;IAC7B,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,GAAG,CAAC;IACnC,iCAAiC;IACjC,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,GAAG,CAAC;IAEnC,sEAAsE;IACtE,qEAAqE;IACrE,gEAAgE;IAChE,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACtC,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACd,0FAA0F,CAC1F,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;AAC3C,CAAC;AASD,SAAS,OAAO,CAAC,KAAiB,EAAE,KAAa;IAChD,IAAI,KAAK,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAC/D,CAAC;IACD,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC;IACzB,IAAI,MAAM,GAAG,KAAK,GAAG,CAAC,CAAC;IACvB,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IACnC,IAAI,MAAc,CAAC;IACnB,IAAI,UAAU,GAAG,IAAI,EAAE,CAAC;QACvB,MAAM,GAAG,UAAU,CAAC;IACrB,CAAC;SAAM,CAAC;QACP,MAAM,cAAc,GAAG,UAAU,GAAG,IAAI,CAAC;QACzC,IAAI,cAAc,KAAK,CAAC,IAAI,cAAc,GAAG,CAAC,EAAE,CAAC;YAChD,+DAA+D;YAC/D,uDAAuD;YACvD,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;QAC3E,CAAC;QACD,MAAM,GAAG,CAAC,CAAC;QACX,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,cAAc,EAAE,CAAC,EAAE,EAAE,CAAC;YACzC,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAC1C,CAAC;IACF,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC;IAC1B,MAAM,GAAG,GAAG,UAAU,GAAG,MAAM,CAAC;IAChC,IAAI,GAAG,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC,UAAU,EAAE,GAAG,CAAC,EAAE,GAAG,EAAE,CAAC;AACrE,CAAC;AAYD,SAAS,0BAA0B,CAClC,OAA2C;IAE3C,MAAM,cAAc,GAAG,WAAW,CAAC,OAAO,EAAE,wBAAwB,CAAC,CAAC;IACtE,MAAM,gBAAgB,GAAG,WAAW,CAAC,OAAO,EAAE,0BAA0B,CAAC,CAAC;IAC1E,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;IACxD,MAAM,eAAe,GAAG,WAAW,CAAC,OAAO,EAAE,yBAAyB,CAAC,CAAC;IACxE,mEAAmE;IACnE,mEAAmE;IACnE,sDAAsD;IACtD,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,EAAE,kBAAkB,CAAC,IAAI,eAAe,CAAC;IAE7E,IAAI,CAAC,cAAc,IAAI,CAAC,gBAAgB,IAAI,CAAC,OAAO,IAAI,CAAC,eAAe,EAAE,CAAC;QAC1E,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;IACvF,CAAC;IACD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,CAAC;AACjF,CAAC;AAED,SAAS,WAAW,CACnB,OAA2C,EAC3C,IAAY;IAEZ,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACpD,IAAI,GAAG,CAAC,WAAW,EAAE,KAAK,KAAK;YAAE,OAAO,KAAK,CAAC;IAC/C,CAAC;IACD,OAAO,SAAS,CAAC;AAClB,CAAC;AAED,SAAS,aAAa,CAAC,OAAgB;IACtC,IAAI,OAAO,OAAO,KAAK,QAAQ;QAAE,OAAO,OAAO,CAAC;IAChD,IAAI,OAAO,YAAY,UAAU;QAAE,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC5E,IAAI,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAC3E,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,WAAW,CAAC,OAAgB;IACpC,IAAI,OAAO,YAAY,UAAU;QAAE,OAAO,OAAO,CAAC;IAClD,IAAI,OAAO,OAAO,KAAK,QAAQ;QAAE,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC1E,IAAI,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC5C,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;IAC1D,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,SAAS,CAAC,CAAS,EAAE,KAAa;IAC1C,IAAI,CAAC;QACJ,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,CAA4B,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACR,MAAM,IAAI,KAAK,CAAC,wBAAwB,KAAK,oBAAoB,CAAC,CAAC;IACpE,CAAC;AACF,CAAC;AAED,SAAS,aAAa,CAAC,KAAc,EAAE,SAAiB;IACvD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrD,MAAM,IAAI,KAAK,CAAC,wBAAwB,SAAS,6BAA6B,CAAC,CAAC;IACjF,CAAC;AACF,CAAC;AAsCD,SAAS,eAAe,CAAC,KAA8B;IACtD,MAAM,KAAK,GAAG,KAA2B,CAAC;IAC1C,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,IAAI,EAAE,CAAC;IAEzC,wEAAwE;IACxE,uEAAuE;IACvE,uEAAuE;IACvE,kEAAkE;IAClE,MAAM,iBAAiB,GAAG,mBAAmB,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;IAChE,IAAI,iBAAiB;QAAE,OAAO,iBAAiB,CAAC;IAEhD,MAAM,MAAM,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;IACvC,IAAI,MAAM,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAEjC,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,EAAE,CAAC;IACtC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,qBAAqB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IACxE,MAAM,SAAS,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IAE1C,OAAO;QACN,IAAI,EAAE,SAAS;QACf,MAAM;QACN,SAAS;QACT,QAAQ,EAAE,QAAQ;QAClB,MAAM;QACN,QAAQ;QACR,QAAQ,EAAE;YACT,eAAe,EAAE,SAAS;YAC1B,gBAAgB,EAAE,OAAO,QAAQ,CAAC,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS;SAC3E;QACD,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;QACrB,GAAG,EAAE,KAAK;KACV,CAAC;AACH,CAAC;AAmBD;;;;;;;;;;;;;;;;GAgBG;AACH,SAAS,mBAAmB,CAC3B,KAA8B,EAC9B,SAAiB;IAEjB,MAAM,KAAK,GAAG,KAA2B,CAAC;IAC1C,MAAM,QAAQ,GAAG,CAAC,KAAK,CAAC,QAAQ,IAAI,EAAE,CAErC,CAAC;IAEF,MAAM,qBAAqB,GAC1B,SAAS,KAAK,wBAAwB,IAAI,OAAO,QAAQ,CAAC,oBAAoB,KAAK,QAAQ,CAAC;IAE7F,IAAI,gBAAgB,GAMV,IAAI,CAAC;IAEf,QAAQ,SAAS,EAAE,CAAC;QACnB,KAAK,gCAAgC;YACpC,gBAAgB,GAAG,sBAAsB,CAAC;YAC1C,MAAM;QACP,KAAK,qCAAqC;YACzC,gBAAgB,GAAG,6BAA6B,CAAC;YACjD,MAAM;QACP,KAAK,8BAA8B,CAAC;QACpC,KAAK,gCAAgC,CAAC;QACtC,KAAK,mCAAmC,CAAC;QACzC,KAAK,8BAA8B;YAClC,gBAAgB,GAAG,sBAAsB,CAAC;YAC1C,MAAM;QACP,KAAK,gCAAgC;YACpC,gBAAgB,GAAG,uBAAuB,CAAC;YAC3C,MAAM;QACP;YACC,IAAI,qBAAqB,EAAE,CAAC;gBAC3B,gBAAgB,GAAG,sBAAsB,CAAC;YAC3C,CAAC;iBAAM,CAAC;gBACP,OAAO,IAAI,CAAC;YACb,CAAC;IACH,CAAC;IAED,MAAM,cAAc,GAAG,qBAAqB;QAC3C,CAAC,CAAC,CAAC,QAAQ,CAAC,oBAAoB,IAAI,EAAE,CAAC;QACvC,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;IACvB,IAAI,CAAC,cAAc;QAAE,OAAO,IAAI,CAAC;IAEjC,MAAM,MAAM,GAAG,qBAAqB,CAAC,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IACjE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,sBAAsB,CAAC,QAAQ,EAAE,qBAAqB,CAAC,CAAC;IACrF,MAAM,WAAW,GAAG,QAAQ,CAAC,YAAY,EAAE,iBAAiB,CAAC;IAC7D,MAAM,gBAAgB,GACrB,OAAO,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAE7F,OAAO;QACN,IAAI,EAAE,cAAc;QACpB,IAAI,EAAE,gBAAgB;QACtB,cAAc;QACd,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,OAAO,QAAQ,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI;QACzE,WAAW,EACV,OAAO,QAAQ,CAAC,UAAU,EAAE,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI;QACxF,MAAM;QACN,gBAAgB,EAAE,MAAM,CAAC,QAAQ,CAAC,gBAAiB,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI;QAC9E,MAAM;QACN,QAAQ;QACR,QAAQ,EAAE;YACT,eAAe,EAAE,SAAS;YAC1B,GAAG,CAAC,OAAO,QAAQ,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtF;QACD,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;QACrB,GAAG,EAAE,KAAK;KACV,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAS,qBAAqB,CAC7B,SAAiB,EACjB,SAA6B;IAE7B,IAAI,SAAS,KAAK,gCAAgC;QAAE,OAAO,UAAU,CAAC;IACtE,IAAI,SAAS,KAAK,qCAAqC;QAAE,OAAO,UAAU,CAAC;IAC3E,IAAI,SAAS,KAAK,gCAAgC;QAAE,OAAO,QAAQ,CAAC;IACpE,QAAQ,SAAS,EAAE,CAAC;QACnB,KAAK,QAAQ,CAAC;QACd,KAAK,UAAU;YACd,OAAO,QAAQ,CAAC;QACjB,KAAK,WAAW;YACf,OAAO,QAAQ,CAAC;QACjB,KAAK,WAAW,CAAC;QACjB,KAAK,SAAS;YACb,OAAO,UAAU,CAAC;QACnB;YACC,OAAO,SAAS,CAAC;IACnB,CAAC;AACF,CAAC;AAED,SAAS,sBAAsB,CAC9B,QAAgE,EAChE,qBAA8B;IAE9B,MAAM,WAAW,GAAG,qBAAqB;QACxC,CAAC,CAAC,QAAQ,CAAC,MAAM;QACjB,CAAC,CAAC,QAAQ,CAAC,YAAY,EAAE,YAAY,EAAE,MAAM,CAAC;IAC/C,MAAM,KAAK,GAAG,WAAW,EAAE,KAAK,CAAC;IACjC,MAAM,MAAM,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACxE,MAAM,QAAQ,GAAG,CAAC,WAAW,EAAE,aAAa,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;IACrE,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC;AACnE,CAAC;AAED,SAAS,YAAY,CAAC,SAAiB;IACtC,QAAQ,SAAS,EAAE,CAAC;QACnB,KAAK,yBAAyB;YAC7B,OAAO,SAAS,CAAC;QAClB,KAAK,2BAA2B;YAC/B,OAAO,SAAS,CAAC;QAClB,KAAK,wBAAwB,CAAC;QAC9B,KAAK,0BAA0B;YAC9B,OAAO,QAAQ,CAAC;QACjB,KAAK,0BAA0B,CAAC;QAChC,KAAK,0BAA0B;YAC9B,OAAO,UAAU,CAAC;QACnB,KAAK,0BAA0B;YAC9B,OAAO,UAAU,CAAC;QACnB,uEAAuE;QACvE,kEAAkE;QAClE,0CAA0C;QAC1C;YACC,OAAO,IAAI,CAAC;IACd,CAAC;AACF,CAAC;AAED,SAAS,qBAAqB,CAC7B,QAAwB,EACxB,SAAiB;IAEjB,2EAA2E;IAC3E,uEAAuE;IACvE,IAAI,WAAqC,CAAC;IAC1C,IAAI,SAAS,KAAK,0BAA0B,EAAE,CAAC;QAC9C,WAAW,GAAG,QAAQ,CAAC,cAAc,CAAC;IACvC,CAAC;SAAM,IAAI,QAAQ,CAAC,MAAM,EAAE,CAAC;QAC5B,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC;IAC/B,CAAC;SAAM,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC;QACjD,WAAW,GAAG,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IACjD,CAAC;IACD,MAAM,KAAK,GAAG,WAAW,EAAE,KAAK,CAAC;IACjC,MAAM,MAAM,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACxE,MAAM,QAAQ,GAAG,CAAC,WAAW,EAAE,aAAa,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;IACrE,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC;AACnE,CAAC;AAED,SAAS,aAAa,CAAC,QAAwB;IAC9C,wEAAwE;IACxE,uEAAuE;IACvE,iEAAiE;IACjE,MAAM,OAAO,GAAG,QAAQ,CAAC,kBAAkB,EAAE,WAAW,EAAE,QAAQ,CAAC;IACnE,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,OAAO,CAAC;IACtE,IAAI,OAAO,QAAQ,CAAC,EAAE,KAAK,QAAQ;QAAE,OAAO,QAAQ,CAAC,EAAE,CAAC;IACxD,OAAO,EAAE,CAAC;AACX,CAAC;AAED,6EAA6E;AAE7E,SAAS,eAAe,CAAC,GAAW,EAAE,KAAa;IAClD,MAAM,KAAK,GAAG,cAAc,KAAK,OAAO,CAAC;IACzC,MAAM,GAAG,GAAG,YAAY,KAAK,OAAO,CAAC;IACrC,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACpC,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAChC,IAAI,QAAQ,KAAK,CAAC,CAAC,IAAI,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,oCAAoC,KAAK,QAAQ,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,QAAQ,GAAG,KAAK,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC5E,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC;AAC3B,CAAC;AAED,SAAS,MAAM,CAAC,KAAa;IAC5B,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC9C,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACxD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;AACrB,CAAC;AAED,SAAS,YAAY,CAAC,KAAa;IAClC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;IAC3B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACxE,OAAO,KAAK,CAAC;AACd,CAAC;AAED,8EAA8E;AAE9E,MAAM,WAAW,GAAG,eAAe,EAAE,CAAC;AAEtC,SAAS,eAAe;IACvB,MAAM,KAAK,GAAG,IAAI,WAAW,CAAC,GAAG,CAAC,CAAC;IACnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC9B,IAAI,CAAC,GAAG,CAAC,CAAC;QACV,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5B,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QAC9C,CAAC;QACD,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpB,CAAC;IACD,OAAO,KAAK,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,KAAK,CAAC,KAAiB;IACtC,IAAI,GAAG,GAAG,UAAU,CAAC;IACrB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QAC1B,GAAG,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG,WAAW,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,CAAC,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;AACjC,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAA8B,EAAE;IAClE,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,MAAM,CAAC;IACjC,OAAO,IAAI,KAAK,SAAS;QACxB,CAAC,CAAC,mDAAmD;QACrD,CAAC,CAAC,2CAA2C,CAAC;AAChD,CAAC"}

package/package.json

@@ -0,0 +1,59 @@
+{
+	"name": "@aquarian-metals/coin-moebius-paypal",
+	"version": "1.0.0",
+	"description": "PayPal provider for Coin Moebius — Orders v2 redirect flow, plus two server-only webhook verifiers (REST endpoint or local RSA verification with cert URL pinning).",
+	"keywords": [
+		"payments",
+		"paypal",
+		"orders-v2",
+		"checkout",
+		"webhook",
+		"coin-moebius"
+	],
+	"author": "aquarian-metals",
+	"license": "MIT",
+	"homepage": "https://github.com/aquarian-metals/coin-moebius#readme",
+	"bugs": {
+		"url": "https://github.com/aquarian-metals/coin-moebius/issues"
+	},
+	"repository": {
+		"type": "git",
+		"url": "git+https://github.com/aquarian-metals/coin-moebius.git",
+		"directory": "packages/providers/paypal"
+	},
+	"type": "module",
+	"main": "./dist/index.js",
+	"types": "./dist/index.d.ts",
+	"sideEffects": false,
+	"files": [
+		"dist"
+	],
+	"exports": {
+		".": {
+			"types": "./dist/index.d.ts",
+			"import": "./dist/index.js"
+		},
+		"./server": {
+			"types": "./dist/server.d.ts",
+			"import": "./dist/server.js"
+		},
+		"./package.json": "./package.json"
+	},
+	"scripts": {
+		"clean": "node -e \"require('fs').rmSync('dist',{recursive:true,force:true})\"",
+		"build": "npm run clean && tsc",
+		"prepublishOnly": "npm run build"
+	},
+	"engines": {
+		"node": ">=18"
+	},
+	"dependencies": {
+		"@aquarian-metals/coin-moebius-core": "^1.0.0"
+	},
+	"devDependencies": {
+		"typescript": "~5.8.0"
+	},
+	"publishConfig": {
+		"access": "public"
+	}
+}