@aquarian-metals/coin-moebius-square 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 aquarian-metals
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,90 @@
+# @aquarian-metals/coin-moebius-square
+
+Square (Block) provider for **[Coin Moebius](https://github.com/aquarian-metals/coin-moebius)**.
+
+Two entries in one package:
+
+- `@aquarian-metals/coin-moebius-square` — browser entry, redirects to Square's hosted checkout (Payment Link flow).
+- `@aquarian-metals/coin-moebius-square/server` — Node-only HMAC-SHA256 webhook verifier. **Never import this from browser code.**
+
+## Install
+
+```bash
+npm install @aquarian-metals/coin-moebius-square
+```
+
+No additional dependencies — the server verifier uses Web Crypto exclusively.
+
+## Use — browser
+
+```ts
+import { createSquareProvider } from '@aquarian-metals/coin-moebius-square';
+import { createPaymentManager } from '@aquarian-metals/coin-moebius';
+
+const payments = createPaymentManager({
+  providers: [
+    createSquareProvider({
+      sessionEndpoint: '/api/checkout/square',
+    }),
+  ],
+});
+```
+
+Your session endpoint calls `POST /v2/online-checkout/payment-links` and returns the `payment_link.url` field as `{ url }`. The provider fires `onPending` and redirects the buyer to Square's hosted checkout.
+
+## Use — server (webhook verification)
+
+```ts
+import { createSquareVerifier } from '@aquarian-metals/coin-moebius-square/server';
+
+const verify = createSquareVerifier({
+  signatureKey: process.env.SQUARE_WEBHOOK_SIGNATURE_KEY,
+  notificationUrl: 'https://your-public-domain.example/webhooks/square',
+});
+
+// inside your webhook route:
+const result = await verify.verify(rawBody, request.headers);
+```
+
+### Why the verifier needs a `notificationUrl`
+
+Square signs the webhook over **`notificationUrl + rawBody`** — the public URL the merchant configured on the webhook subscription is part of the HMAC input. A worker running behind a reverse proxy or Cloudflare typically cannot recover the original public URL from the inbound request (it sees an internal route, a different host, or a stripped path), so the verifier requires the merchant to pass the URL explicitly.
+
+**The URL must match byte-for-byte** with what the merchant configured in Square's Developer Console (Webhooks → your subscription → Notification URL). Any difference — trailing slash, scheme, port, capitalization of the host — produces a silent signature failure. Treat the value like a secret and pin it in your environment configuration.
+
+### Signature key
+
+The signature key is **subscription-specific**, generated in Square's Developer Console alongside the subscription. It is not the same as the application's access token. To rotate, recreate the subscription.
+
+### Status mapping
+
+| Square event            | Inner status           | `PaymentResult.status`                               |
+| ----------------------- | ---------------------- | ---------------------------------------------------- |
+| `payment.created`       | —                      | `pending`                                            |
+| `payment.updated`       | `COMPLETED`            | `success`                                            |
+| `payment.updated`       | `APPROVED` (auth-only) | `pending`                                            |
+| `payment.updated`       | `FAILED` or `CANCELED` | `failed`                                             |
+| `refund.created`        | —                      | `pending`                                            |
+| `refund.updated`        | `COMPLETED`            | `refunded`                                           |
+| `refund.updated`        | `FAILED` or `REJECTED` | `failed`                                             |
+| `dispute.created`       | —                      | `disputed`                                           |
+| `dispute.state.updated` | —                      | `disputed`                                           |
+| anything else           | —                      | (verifier returns `null`, signature still validated) |
+
+The `paymentId` on the returned `PaymentResult` is the Square `payment.id` whenever available (preferred for cross-event correlation across payment / refund / dispute on the same purchase). Amounts are converted from Square's smallest-currency-unit integers (e.g., cents for USD) to a major-unit decimal to match the rest of the SDK.
+
+### Known gap: no replay-window enforcement
+
+Square's signature scheme does not include a timestamp, so the verifier cannot reject stale-and-replayed deliveries on its own. If your application is sensitive to replays, deduplicate at the application layer using the webhook's `event_id` field.
+
+### Sandbox vs production
+
+The signature scheme is the same in both environments — the verifier has no mode flag. Sandbox API endpoints are at `connect.squareupsandbox.com`; production is at `connect.squareup.com`. Your session endpoint chooses which one to hit; the verifier only cares about the signature key + notification URL pair.
+
+### Currency + locations
+
+Square locations have a per-location currency, but the webhook payload carries the actual currency on `amount_money.currency`, so the verifier surfaces whatever the payload says. Merchants with multiple locations don't need to override anything.
+
+## License
+
+MIT — see [LICENSE](./LICENSE).

package/dist/index.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Square client-side provider for Coin Moebius.
+ *
+ * Hosted-checkout flow via Square's Payment Link API. The provider POSTs the
+ * buyer's selection to the caller's `sessionEndpoint`, receives `{ url }`
+ * pointing at the hosted checkout (`https://square.link/u/<id>` or the
+ * longer `https://checkout.square.site/<id>` form), fires `onPending`, and
+ * redirects the buyer. Square handles the wallet, funding source, and
+ * receipt; the merchant's server receives the webhook on completion.
+ *
+ *     import { createSquareProvider } from '@aquarian-metals/coin-moebius-square';
+ *     const square = createSquareProvider({
+ *       sessionEndpoint: '/api/checkout/square',
+ *     });
+ *
+ *     const manager = createPaymentManager({ providers: [square] });
+ *     await manager.initiate({ productId: 'pro', amount: 9.99, currency: 'USD' });
+ *
+ * The session endpoint is expected to call Square's
+ * `POST /v2/online-checkout/payment-links` with a `quick_pay` or `order`
+ * body and return `{ url }` using the `payment_link.url` value from the
+ * response.
+ */
+import type { PaymentProvider } from '@aquarian-metals/coin-moebius-core';
+export interface SquareProviderConfig {
+    /** Full URL of the session endpoint that returns `{ url }`. */
+    sessionEndpoint: string;
+    /** Optional fetch override — used by tests. Defaults to global `fetch`. */
+    fetcher?: typeof fetch;
+    /** Optional navigation override — used by tests. Defaults to `location.assign`. */
+    navigate?: (url: string) => void;
+}
+/**
+ * Build a `PaymentProvider` registered as `id: 'square'`. Fires `onPending`
+ * immediately, then navigates to the Square-hosted checkout URL. Final
+ * settlement lands on the server via webhook (HMAC-SHA256, see `./server`).
+ */
+export declare function createSquareProvider(config: SquareProviderConfig): PaymentProvider;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,OAAO,KAAK,EACX,eAAe,EAGf,MAAM,oCAAoC,CAAC;AAE5C,MAAM,WAAW,oBAAoB;IACpC,+DAA+D;IAC/D,eAAe,EAAE,MAAM,CAAC;IACxB,2EAA2E;IAC3E,OAAO,CAAC,EAAE,OAAO,KAAK,CAAC;IACvB,mFAAmF;IACnF,QAAQ,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CACjC;AAQD;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,oBAAoB,GAAG,eAAe,CAiDlF"}

package/dist/index.js

@@ -0,0 +1,54 @@
+/**
+ * Build a `PaymentProvider` registered as `id: 'square'`. Fires `onPending`
+ * immediately, then navigates to the Square-hosted checkout URL. Final
+ * settlement lands on the server via webhook (HMAC-SHA256, see `./server`).
+ */
+export function createSquareProvider(config) {
+    const fetcher = config.fetcher ?? globalThis.fetch.bind(globalThis);
+    const navigate = config.navigate ??
+        ((url) => {
+            window.location.assign(url);
+        });
+    return {
+        id: 'square',
+        name: 'Square',
+        async initiate(options, callbacks) {
+            try {
+                const body = {
+                    productId: options.productId,
+                    amount: options.amount,
+                    currency: options.currency,
+                };
+                if (options.metadata)
+                    body.metadata = options.metadata;
+                const response = await fetcher(config.sessionEndpoint, {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify(body),
+                });
+                if (!response.ok) {
+                    throw new Error(`coin-moebius/square: session endpoint responded ${response.status}`);
+                }
+                const payload = (await response.json());
+                if (!payload.url) {
+                    throw new Error('coin-moebius/square: session response missing `url`');
+                }
+                const result = {
+                    status: 'pending',
+                    paymentId: payload.paymentId ?? '',
+                    provider: 'square',
+                    amount: options.amount,
+                    currency: options.currency,
+                    metadata: options.metadata ?? {},
+                    timestamp: Date.now(),
+                };
+                callbacks.onPending?.(result);
+                navigate(payload.url);
+            }
+            catch (err) {
+                callbacks.onError(err instanceof Error ? err : new Error(String(err)));
+            }
+        },
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AA4CA;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAA4B;IAChE,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACpE,MAAM,QAAQ,GACb,MAAM,CAAC,QAAQ;QACf,CAAC,CAAC,GAAW,EAAE,EAAE;YAChB,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;IAEJ,OAAO;QACN,EAAE,EAAE,QAAQ;QACZ,IAAI,EAAE,QAAQ;QACd,KAAK,CAAC,QAAQ,CAAC,OAAwB,EAAE,SAAS;YACjD,IAAI,CAAC;gBACJ,MAAM,IAAI,GAA4B;oBACrC,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;iBAC1B,CAAC;gBACF,IAAI,OAAO,CAAC,QAAQ;oBAAE,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;gBAEvD,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,eAAe,EAAE;oBACtD,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;oBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;iBAC1B,CAAC,CAAC;gBACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBAClB,MAAM,IAAI,KAAK,CAAC,mDAAmD,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;gBACvF,CAAC;gBACD,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAoB,CAAC;gBAC3D,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;oBAClB,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;gBACxE,CAAC;gBAED,MAAM,MAAM,GAAkB;oBAC7B,MAAM,EAAE,SAAS;oBACjB,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,EAAE;oBAClC,QAAQ,EAAE,QAAQ;oBAClB,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,EAAE;oBAChC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;iBACrB,CAAC;gBACF,SAAS,CAAC,SAAS,EAAE,CAAC,MAAM,CAAC,CAAC;gBAC9B,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACvB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACd,SAAS,CAAC,OAAO,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACxE,CAAC;QACF,CAAC;KACD,CAAC;AACH,CAAC"}

package/dist/server.d.ts

@@ -0,0 +1,79 @@
+/**
+ * Square server-side webhook verifier. Implements Square's HMAC-SHA256
+ * signature scheme as documented at
+ * <https://developer.squareup.com/docs/webhooks/step3validate>:
+ *
+ *   X-Square-HmacSha256-Signature: <base64(HMAC-SHA256(notificationUrl + rawBody, signatureKey))>
+ *
+ * The signature is computed over the **concatenation of the notification
+ * URL and the raw body**, with no separator. The `notificationUrl` must
+ * exactly match the URL the merchant configured on their webhook
+ * subscription in Square's Developer Console. The verifier accepts it as
+ * a required config field because workers running behind a reverse proxy
+ * or Cloudflare typically can't recover the original public URL from the
+ * inbound request.
+ *
+ * The signature key is **subscription-specific**, generated in Square's
+ * Developer Console alongside the subscription. It is not the same as the
+ * application's access token. Rotate by recreating the subscription.
+ *
+ * Status mapping. `null` results mean the event was signature-verified but
+ * does not map to a payment-status change consumers should record.
+ *
+ *   payment.created                              → pending
+ *   payment.updated  (status COMPLETED)          → success
+ *   payment.updated  (status APPROVED)           → pending (auth-only)
+ *   payment.updated  (status FAILED  or CANCELED) → failed
+ *   refund.created                               → pending
+ *   refund.updated   (status COMPLETED)          → refunded
+ *   refund.updated   (status FAILED)             → failed
+ *   dispute.created                              → disputed
+ *   dispute.state.updated                        → disputed
+ *   anything else                                → null
+ *
+ * **Known gap:** Square's signature scheme has no timestamp component, so
+ * the verifier cannot enforce a replay window. Merchants who care about
+ * replay protection should deduplicate at the application layer using the
+ * webhook's `event_id` field. Documented in the README.
+ */
+import type { WebhookEvent } from '@aquarian-metals/coin-moebius-core';
+export interface SquareVerifierConfig {
+    /**
+     * The subscription's signature key from Square's Developer Console
+     * (Webhooks → your subscription → Signature key).
+     */
+    signatureKey: string;
+    /**
+     * The exact notification URL configured on the Square webhook
+     * subscription. Must match byte-for-byte (including scheme, host, port,
+     * path, and any trailing slash) — Square HMACs over `notificationUrl +
+     * rawBody`, so a mismatch produces silent signature failure.
+     */
+    notificationUrl: string;
+}
+export interface WebhookVerifier {
+    verify(rawBody: unknown, headers: Record<string, string | undefined>): Promise<WebhookEvent | null>;
+}
+export declare function createSquareVerifier(config: SquareVerifierConfig): WebhookVerifier;
+/**
+ * Base64-encoded HMAC-SHA256 of `notificationUrl + rawBody`, keyed by the
+ * subscription's signature key. Exported so callers with non-standard
+ * rawBody pipelines can verify with the same routine without going through
+ * the full registry path.
+ */
+export declare function computeSquareSignature(notificationUrl: string, rawBody: Uint8Array, signatureKey: string): Promise<string>;
+/**
+ * Square does not expose a buyer-facing customer portal in its
+ * Subscriptions API. Buyers don't manage their own subscriptions on the
+ * Square side; the merchant cancels from their Square dashboard, and the
+ * buyer is notified by email. We surface the merchant-side dashboard URL
+ * so the merchant can drill into a specific subscription for support.
+ *
+ * `mode` toggles between live and sandbox dashboards. Pass the
+ * subscription id to deep-link directly into the row when available.
+ */
+export declare function getSquarePortalUrl(opts?: {
+    mode?: 'live' | 'sandbox';
+    subscriptionId?: string;
+}): string;
+//# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAEH,OAAO,KAAK,EAAiB,YAAY,EAAE,MAAM,oCAAoC,CAAC;AAEtF,MAAM,WAAW,oBAAoB;IACpC;;;OAGG;IACH,YAAY,EAAE,MAAM,CAAC;IACrB;;;;;OAKG;IACH,eAAe,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,eAAe;IAC/B,MAAM,CACL,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,GACzC,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAAC;CAChC;AAED,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,oBAAoB,GAAG,eAAe,CAqClF;AAED;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAC3C,eAAe,EAAE,MAAM,EACvB,OAAO,EAAE,UAAU,EACnB,YAAY,EAAE,MAAM,GAClB,OAAO,CAAC,MAAM,CAAC,CAgBjB;AAkVD;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CACjC,IAAI,GAAE;IACL,IAAI,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,CAAC;CACnB,GACJ,MAAM,CAMR"}

package/dist/server.js

@@ -0,0 +1,326 @@
+/**
+ * Square server-side webhook verifier. Implements Square's HMAC-SHA256
+ * signature scheme as documented at
+ * <https://developer.squareup.com/docs/webhooks/step3validate>:
+ *
+ *   X-Square-HmacSha256-Signature: <base64(HMAC-SHA256(notificationUrl + rawBody, signatureKey))>
+ *
+ * The signature is computed over the **concatenation of the notification
+ * URL and the raw body**, with no separator. The `notificationUrl` must
+ * exactly match the URL the merchant configured on their webhook
+ * subscription in Square's Developer Console. The verifier accepts it as
+ * a required config field because workers running behind a reverse proxy
+ * or Cloudflare typically can't recover the original public URL from the
+ * inbound request.
+ *
+ * The signature key is **subscription-specific**, generated in Square's
+ * Developer Console alongside the subscription. It is not the same as the
+ * application's access token. Rotate by recreating the subscription.
+ *
+ * Status mapping. `null` results mean the event was signature-verified but
+ * does not map to a payment-status change consumers should record.
+ *
+ *   payment.created                              → pending
+ *   payment.updated  (status COMPLETED)          → success
+ *   payment.updated  (status APPROVED)           → pending (auth-only)
+ *   payment.updated  (status FAILED  or CANCELED) → failed
+ *   refund.created                               → pending
+ *   refund.updated   (status COMPLETED)          → refunded
+ *   refund.updated   (status FAILED)             → failed
+ *   dispute.created                              → disputed
+ *   dispute.state.updated                        → disputed
+ *   anything else                                → null
+ *
+ * **Known gap:** Square's signature scheme has no timestamp component, so
+ * the verifier cannot enforce a replay window. Merchants who care about
+ * replay protection should deduplicate at the application layer using the
+ * webhook's `event_id` field. Documented in the README.
+ */
+export function createSquareVerifier(config) {
+    return {
+        async verify(rawBody, headers) {
+            if (!config.signatureKey) {
+                throw new Error('coin-moebius/square: signatureKey missing on verifier config');
+            }
+            if (!config.notificationUrl) {
+                throw new Error('coin-moebius/square: notificationUrl missing on verifier config');
+            }
+            const signatureHeader = headerValue(headers, 'x-square-hmacsha256-signature');
+            if (!signatureHeader) {
+                throw new Error('coin-moebius/square: missing x-square-hmacsha256-signature header');
+            }
+            const bodyBytes = bodyToBytes(rawBody);
+            const expected = await computeSquareSignature(config.notificationUrl, bodyBytes, config.signatureKey);
+            if (!timingSafeStringEqual(expected, signatureHeader.trim())) {
+                throw new Error('coin-moebius/square: invalid signature');
+            }
+            const bodyString = new TextDecoder().decode(bodyBytes);
+            let parsed;
+            try {
+                parsed = JSON.parse(bodyString);
+            }
+            catch {
+                throw new Error('coin-moebius/square: body is not valid JSON');
+            }
+            return toPaymentResult(parsed);
+        },
+    };
+}
+/**
+ * Base64-encoded HMAC-SHA256 of `notificationUrl + rawBody`, keyed by the
+ * subscription's signature key. Exported so callers with non-standard
+ * rawBody pipelines can verify with the same routine without going through
+ * the full registry path.
+ */
+export async function computeSquareSignature(notificationUrl, rawBody, signatureKey) {
+    const urlBytes = new TextEncoder().encode(notificationUrl);
+    const message = new Uint8Array(urlBytes.length + rawBody.length);
+    message.set(urlBytes, 0);
+    message.set(rawBody, urlBytes.length);
+    const keyBytes = new TextEncoder().encode(signatureKey);
+    const key = await crypto.subtle.importKey('raw', keyBytes, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+    const sigBuf = await crypto.subtle.sign('HMAC', key, message);
+    return toBase64(new Uint8Array(sigBuf));
+}
+function toPaymentResult(event) {
+    const eventType = event.type ?? '';
+    // Subscription lifecycle events take precedence over the one-time
+    // payment mapping. Square emits separate top-level event types for
+    // subscriptions (no overlap with payment events), so the dispatch is
+    // straightforward.
+    const subscriptionEvent = toSubscriptionEvent(event, eventType);
+    if (subscriptionEvent)
+        return subscriptionEvent;
+    const data = event.data?.object ?? {};
+    const payment = data.payment;
+    const refund = data.refund;
+    const dispute = data.dispute;
+    const status = mapEvent(eventType, payment, refund);
+    if (status === null)
+        return null;
+    const { paymentId, amount, currency } = readDetails(eventType, payment, refund, dispute);
+    return {
+        kind: 'payment',
+        status,
+        paymentId,
+        provider: 'square',
+        amount,
+        currency,
+        metadata: {
+            squareEventType: eventType,
+            squareEventId: event.event_id,
+            squarePaymentStatus: payment?.status,
+            squareRefundStatus: refund?.status,
+            squareDisputeState: dispute?.state,
+        },
+        timestamp: Date.now(),
+        raw: event,
+    };
+}
+/**
+ * Map Square subscription event types onto our normalized
+ * `SubscriptionEvent`. Returns `null` for any other event so the caller
+ * falls through to the payment-event path.
+ *
+ *   subscription.created                            → subscription.created
+ *   invoice.payment_made (subscription-linked)      → subscription.renewed
+ *   invoice.scheduled_charge_failed                 → subscription.payment_failed
+ *   subscription.updated                            → subscription.updated
+ *   subscription.canceled                           → subscription.canceled
+ */
+function toSubscriptionEvent(event, eventType) {
+    const innerObject = (event.data?.object ?? {});
+    let subscriptionType = null;
+    switch (eventType) {
+        case 'subscription.created':
+            subscriptionType = 'subscription.created';
+            break;
+        case 'subscription.updated':
+            subscriptionType = 'subscription.updated';
+            break;
+        case 'subscription.canceled':
+        case 'subscription.deactivated':
+            subscriptionType = 'subscription.canceled';
+            break;
+        case 'invoice.payment_made':
+            if (innerObject.invoice?.subscription_id)
+                subscriptionType = 'subscription.renewed';
+            break;
+        case 'invoice.scheduled_charge_failed':
+            if (innerObject.invoice?.subscription_id)
+                subscriptionType = 'subscription.payment_failed';
+            break;
+        default:
+            return null;
+    }
+    if (subscriptionType === null)
+        return null;
+    const subscription = innerObject.subscription;
+    const invoice = innerObject.invoice;
+    const subscriptionId = subscription?.id ?? invoice?.subscription_id ?? '';
+    if (!subscriptionId)
+        return null;
+    const status = mapSquareSubscriptionStatus(eventType, subscription?.status);
+    const { amount, currency } = readSquareSubscriptionAmount(invoice);
+    const charged = subscription?.charged_through_date;
+    // Square's `charged_through_date` is a calendar date (`YYYY-MM-DD`).
+    // Treat it as midnight UTC of the day AFTER, since that's when the
+    // next renewal becomes due.
+    const currentPeriodEnd = parseChargedThroughDate(charged);
+    return {
+        kind: 'subscription',
+        type: subscriptionType,
+        subscriptionId,
+        provider: 'square',
+        productId: typeof subscription?.plan_variation_id === 'string'
+            ? subscription.plan_variation_id
+            : typeof subscription?.plan_id === 'string'
+                ? subscription.plan_id
+                : null,
+        customerRef: typeof subscription?.customer_id === 'string' ? subscription.customer_id : null,
+        status,
+        currentPeriodEnd,
+        amount,
+        currency,
+        metadata: {
+            squareEventType: eventType,
+            squareEventId: event.event_id,
+        },
+        timestamp: Date.now(),
+        raw: event,
+    };
+}
+function mapSquareSubscriptionStatus(eventType, rawStatus) {
+    if (eventType === 'subscription.canceled' || eventType === 'subscription.deactivated') {
+        return 'canceled';
+    }
+    if (eventType === 'invoice.scheduled_charge_failed')
+        return 'past_due';
+    switch (rawStatus) {
+        case 'ACTIVE':
+            return 'active';
+        case 'PAUSED':
+            return 'paused';
+        case 'CANCELED':
+        case 'DEACTIVATED':
+            return 'canceled';
+        default:
+            return 'unknown';
+    }
+}
+function readSquareSubscriptionAmount(invoice) {
+    const money = invoice?.payment_requests?.[0]?.computed_amount_money;
+    const cents = money?.amount;
+    const amount = typeof cents === 'number' ? cents / 100 : 0;
+    const currency = (money?.currency ?? 'USD').toUpperCase();
+    return { amount, currency };
+}
+function parseChargedThroughDate(value) {
+    if (typeof value !== 'string')
+        return null;
+    const ms = Date.parse(`${value}T00:00:00Z`);
+    return Number.isFinite(ms) ? Math.floor(ms / 1000) : null;
+}
+function mapEvent(eventType, payment, refund) {
+    if (eventType === 'payment.created')
+        return 'pending';
+    if (eventType === 'payment.updated') {
+        const innerStatus = payment?.status;
+        if (innerStatus === 'COMPLETED')
+            return 'success';
+        if (innerStatus === 'APPROVED')
+            return 'pending';
+        if (innerStatus === 'FAILED' || innerStatus === 'CANCELED')
+            return 'failed';
+        // Unknown inner status — surface as pending so consumers don't miss
+        // it; they can inspect `raw.data.object.payment.status` for detail.
+        return 'pending';
+    }
+    if (eventType === 'refund.created')
+        return 'pending';
+    if (eventType === 'refund.updated') {
+        const innerStatus = refund?.status;
+        if (innerStatus === 'COMPLETED')
+            return 'refunded';
+        if (innerStatus === 'FAILED' || innerStatus === 'REJECTED')
+            return 'failed';
+        return 'pending';
+    }
+    if (eventType === 'dispute.created' || eventType === 'dispute.state.updated') {
+        return 'disputed';
+    }
+    return null;
+}
+function readDetails(eventType, payment, refund, dispute) {
+    // Prefer the original payment id as the stable correlation key across
+    // payment / refund / dispute events on the same purchase.
+    const correlationPaymentId = payment?.id ?? refund?.payment_id ?? dispute?.disputed_payment?.payment_id ?? '';
+    let money;
+    if (eventType.startsWith('payment.')) {
+        money = payment?.amount_money;
+    }
+    else if (eventType.startsWith('refund.')) {
+        money = refund?.amount_money;
+    }
+    else if (eventType.startsWith('dispute.')) {
+        money = dispute?.amount_money;
+    }
+    // Square uses smallest-currency-unit integers (cents for USD, etc.).
+    // Convert to a major-unit decimal here to match the rest of the SDK's
+    // `amount` semantics (Stripe verifier does the same `/100`).
+    const minorAmount = typeof money?.amount === 'number' ? money.amount : 0;
+    const currency = (money?.currency ?? 'USD').toUpperCase();
+    const amount = minorAmount / 100;
+    return { paymentId: correlationPaymentId, amount, currency };
+}
+// --- helpers ---------------------------------------------------------------
+function bodyToBytes(rawBody) {
+    if (rawBody instanceof Uint8Array)
+        return rawBody;
+    if (typeof rawBody === 'string')
+        return new TextEncoder().encode(rawBody);
+    if (rawBody && typeof rawBody === 'object') {
+        return new TextEncoder().encode(JSON.stringify(rawBody));
+    }
+    throw new Error('coin-moebius/square: unsupported body type');
+}
+function headerValue(headers, name) {
+    const lower = name.toLowerCase();
+    for (const [key, value] of Object.entries(headers)) {
+        if (key.toLowerCase() === lower)
+            return value;
+    }
+    return undefined;
+}
+function timingSafeStringEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let mismatch = 0;
+    for (let i = 0; i < a.length; i++) {
+        mismatch |= a.charCodeAt(i) ^ b.charCodeAt(i);
+    }
+    return mismatch === 0;
+}
+function toBase64(bytes) {
+    let binary = '';
+    for (const b of bytes)
+        binary += String.fromCharCode(b);
+    return btoa(binary);
+}
+/**
+ * Square does not expose a buyer-facing customer portal in its
+ * Subscriptions API. Buyers don't manage their own subscriptions on the
+ * Square side; the merchant cancels from their Square dashboard, and the
+ * buyer is notified by email. We surface the merchant-side dashboard URL
+ * so the merchant can drill into a specific subscription for support.
+ *
+ * `mode` toggles between live and sandbox dashboards. Pass the
+ * subscription id to deep-link directly into the row when available.
+ */
+export function getSquarePortalUrl(opts = {}) {
+    const base = opts.mode === 'sandbox'
+        ? 'https://app.squareupsandbox.com/dashboard/subscriptions'
+        : 'https://squareup.com/dashboard/subscriptions';
+    return opts.subscriptionId ? `${base}/${opts.subscriptionId}` : base;
+}
+//# sourceMappingURL=server.js.map

package/dist/server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AA0BH,MAAM,UAAU,oBAAoB,CAAC,MAA4B;IAChE,OAAO;QACN,KAAK,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO;YAC5B,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;gBAC1B,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;YACjF,CAAC;YACD,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAC;YACpF,CAAC;YAED,MAAM,eAAe,GAAG,WAAW,CAAC,OAAO,EAAE,+BAA+B,CAAC,CAAC;YAC9E,IAAI,CAAC,eAAe,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAC;YACtF,CAAC;YAED,MAAM,SAAS,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;YACvC,MAAM,QAAQ,GAAG,MAAM,sBAAsB,CAC5C,MAAM,CAAC,eAAe,EACtB,SAAS,EACT,MAAM,CAAC,YAAY,CACnB,CAAC;YAEF,IAAI,CAAC,qBAAqB,CAAC,QAAQ,EAAE,eAAe,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;gBAC9D,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;YAC3D,CAAC;YAED,MAAM,UAAU,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACvD,IAAI,MAA0B,CAAC;YAC/B,IAAI,CAAC;gBACJ,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAuB,CAAC;YACvD,CAAC;YAAC,MAAM,CAAC;gBACR,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;YAChE,CAAC;YAED,OAAO,eAAe,CAAC,MAAM,CAAC,CAAC;QAChC,CAAC;KACD,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC3C,eAAuB,EACvB,OAAmB,EACnB,YAAoB;IAEpB,MAAM,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;IAC3D,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,QAAQ,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACjE,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;IACzB,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IAEtC,MAAM,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IACxD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACxC,KAAK,EACL,QAAwB,EACxB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACR,CAAC;IACF,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;IAC9D,OAAO,QAAQ,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;AACzC,CAAC;AAoDD,SAAS,eAAe,CAAC,KAAyB;IACjD,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;IAEnC,kEAAkE;IAClE,mEAAmE;IACnE,qEAAqE;IACrE,mBAAmB;IACnB,MAAM,iBAAiB,GAAG,mBAAmB,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;IAChE,IAAI,iBAAiB;QAAE,OAAO,iBAAiB,CAAC;IAEhD,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,EAAE,MAAM,IAAI,EAAE,CAAC;IACtC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;IAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;IAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;IAE7B,MAAM,MAAM,GAAG,QAAQ,CAAC,SAAS,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACpD,IAAI,MAAM,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAEjC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,WAAW,CAAC,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IAEzF,OAAO;QACN,IAAI,EAAE,SAAS;QACf,MAAM;QACN,SAAS;QACT,QAAQ,EAAE,QAAQ;QAClB,MAAM;QACN,QAAQ;QACR,QAAQ,EAAE;YACT,eAAe,EAAE,SAAS;YAC1B,aAAa,EAAE,KAAK,CAAC,QAAQ;YAC7B,mBAAmB,EAAE,OAAO,EAAE,MAAM;YACpC,kBAAkB,EAAE,MAAM,EAAE,MAAM;YAClC,kBAAkB,EAAE,OAAO,EAAE,KAAK;SAClC;QACD,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;QACrB,GAAG,EAAE,KAAK;KACV,CAAC;AACH,CAAC;AA0BD;;;;;;;;;;GAUG;AACH,SAAS,mBAAmB,CAAC,KAAyB,EAAE,SAAiB;IACxE,MAAM,WAAW,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,IAAI,EAAE,CAG5C,CAAC;IAEF,IAAI,gBAAgB,GAMV,IAAI,CAAC;IAEf,QAAQ,SAAS,EAAE,CAAC;QACnB,KAAK,sBAAsB;YAC1B,gBAAgB,GAAG,sBAAsB,CAAC;YAC1C,MAAM;QACP,KAAK,sBAAsB;YAC1B,gBAAgB,GAAG,sBAAsB,CAAC;YAC1C,MAAM;QACP,KAAK,uBAAuB,CAAC;QAC7B,KAAK,0BAA0B;YAC9B,gBAAgB,GAAG,uBAAuB,CAAC;YAC3C,MAAM;QACP,KAAK,sBAAsB;YAC1B,IAAI,WAAW,CAAC,OAAO,EAAE,eAAe;gBAAE,gBAAgB,GAAG,sBAAsB,CAAC;YACpF,MAAM;QACP,KAAK,iCAAiC;YACrC,IAAI,WAAW,CAAC,OAAO,EAAE,eAAe;gBAAE,gBAAgB,GAAG,6BAA6B,CAAC;YAC3F,MAAM;QACP;YACC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,gBAAgB,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAE3C,MAAM,YAAY,GAAG,WAAW,CAAC,YAAY,CAAC;IAC9C,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,CAAC;IACpC,MAAM,cAAc,GAAG,YAAY,EAAE,EAAE,IAAI,OAAO,EAAE,eAAe,IAAI,EAAE,CAAC;IAC1E,IAAI,CAAC,cAAc;QAAE,OAAO,IAAI,CAAC;IAEjC,MAAM,MAAM,GAAG,2BAA2B,CAAC,SAAS,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;IAC5E,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,4BAA4B,CAAC,OAAO,CAAC,CAAC;IACnE,MAAM,OAAO,GAAG,YAAY,EAAE,oBAAoB,CAAC;IACnD,qEAAqE;IACrE,mEAAmE;IACnE,4BAA4B;IAC5B,MAAM,gBAAgB,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC;IAE1D,OAAO;QACN,IAAI,EAAE,cAAc;QACpB,IAAI,EAAE,gBAAgB;QACtB,cAAc;QACd,QAAQ,EAAE,QAAQ;QAClB,SAAS,EACR,OAAO,YAAY,EAAE,iBAAiB,KAAK,QAAQ;YAClD,CAAC,CAAC,YAAY,CAAC,iBAAiB;YAChC,CAAC,CAAC,OAAO,YAAY,EAAE,OAAO,KAAK,QAAQ;gBAC1C,CAAC,CAAC,YAAY,CAAC,OAAO;gBACtB,CAAC,CAAC,IAAI;QACT,WAAW,EAAE,OAAO,YAAY,EAAE,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI;QAC5F,MAAM;QACN,gBAAgB;QAChB,MAAM;QACN,QAAQ;QACR,QAAQ,EAAE;YACT,eAAe,EAAE,SAAS;YAC1B,aAAa,EAAE,KAAK,CAAC,QAAQ;SAC7B;QACD,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;QACrB,GAAG,EAAE,KAAK;KACV,CAAC;AACH,CAAC;AAED,SAAS,2BAA2B,CACnC,SAAiB,EACjB,SAA6B;IAE7B,IAAI,SAAS,KAAK,uBAAuB,IAAI,SAAS,KAAK,0BAA0B,EAAE,CAAC;QACvF,OAAO,UAAU,CAAC;IACnB,CAAC;IACD,IAAI,SAAS,KAAK,iCAAiC;QAAE,OAAO,UAAU,CAAC;IACvE,QAAQ,SAAS,EAAE,CAAC;QACnB,KAAK,QAAQ;YACZ,OAAO,QAAQ,CAAC;QACjB,KAAK,QAAQ;YACZ,OAAO,QAAQ,CAAC;QACjB,KAAK,UAAU,CAAC;QAChB,KAAK,aAAa;YACjB,OAAO,UAAU,CAAC;QACnB;YACC,OAAO,SAAS,CAAC;IACnB,CAAC;AACF,CAAC;AAED,SAAS,4BAA4B,CAAC,OAAwC;IAI7E,MAAM,KAAK,GAAG,OAAO,EAAE,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,qBAAqB,CAAC;IACpE,MAAM,KAAK,GAAG,KAAK,EAAE,MAAM,CAAC;IAC5B,MAAM,MAAM,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3D,MAAM,QAAQ,GAAG,CAAC,KAAK,EAAE,QAAQ,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;IAC1D,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;AAC7B,CAAC;AAED,SAAS,uBAAuB,CAAC,KAAyB;IACzD,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3C,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,KAAK,YAAY,CAAC,CAAC;IAC5C,OAAO,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAC3D,CAAC;AAED,SAAS,QAAQ,CAChB,SAAiB,EACjB,OAAwC,EACxC,MAAsC;IAEtC,IAAI,SAAS,KAAK,iBAAiB;QAAE,OAAO,SAAS,CAAC;IAEtD,IAAI,SAAS,KAAK,iBAAiB,EAAE,CAAC;QACrC,MAAM,WAAW,GAAG,OAAO,EAAE,MAAM,CAAC;QACpC,IAAI,WAAW,KAAK,WAAW;YAAE,OAAO,SAAS,CAAC;QAClD,IAAI,WAAW,KAAK,UAAU;YAAE,OAAO,SAAS,CAAC;QACjD,IAAI,WAAW,KAAK,QAAQ,IAAI,WAAW,KAAK,UAAU;YAAE,OAAO,QAAQ,CAAC;QAC5E,oEAAoE;QACpE,oEAAoE;QACpE,OAAO,SAAS,CAAC;IAClB,CAAC;IAED,IAAI,SAAS,KAAK,gBAAgB;QAAE,OAAO,SAAS,CAAC;IAErD,IAAI,SAAS,KAAK,gBAAgB,EAAE,CAAC;QACpC,MAAM,WAAW,GAAG,MAAM,EAAE,MAAM,CAAC;QACnC,IAAI,WAAW,KAAK,WAAW;YAAE,OAAO,UAAU,CAAC;QACnD,IAAI,WAAW,KAAK,QAAQ,IAAI,WAAW,KAAK,UAAU;YAAE,OAAO,QAAQ,CAAC;QAC5E,OAAO,SAAS,CAAC;IAClB,CAAC;IAED,IAAI,SAAS,KAAK,iBAAiB,IAAI,SAAS,KAAK,uBAAuB,EAAE,CAAC;QAC9E,OAAO,UAAU,CAAC;IACnB,CAAC;IAED,OAAO,IAAI,CAAC;AACb,CAAC;AAED,SAAS,WAAW,CACnB,SAAiB,EACjB,OAAwC,EACxC,MAAsC,EACtC,OAAwC;IAExC,sEAAsE;IACtE,0DAA0D;IAC1D,MAAM,oBAAoB,GACzB,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,UAAU,IAAI,OAAO,EAAE,gBAAgB,EAAE,UAAU,IAAI,EAAE,CAAC;IAElF,IAAI,KAA8B,CAAC;IACnC,IAAI,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACtC,KAAK,GAAG,OAAO,EAAE,YAAY,CAAC;IAC/B,CAAC;SAAM,IAAI,SAAS,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC5C,KAAK,GAAG,MAAM,EAAE,YAAY,CAAC;IAC9B,CAAC;SAAM,IAAI,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC7C,KAAK,GAAG,OAAO,EAAE,YAAY,CAAC;IAC/B,CAAC;IAED,qEAAqE;IACrE,sEAAsE;IACtE,6DAA6D;IAC7D,MAAM,WAAW,GAAG,OAAO,KAAK,EAAE,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IACzE,MAAM,QAAQ,GAAG,CAAC,KAAK,EAAE,QAAQ,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;IAC1D,MAAM,MAAM,GAAG,WAAW,GAAG,GAAG,CAAC;IAEjC,OAAO,EAAE,SAAS,EAAE,oBAAoB,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;AAC9D,CAAC;AAED,8EAA8E;AAE9E,SAAS,WAAW,CAAC,OAAgB;IACpC,IAAI,OAAO,YAAY,UAAU;QAAE,OAAO,OAAO,CAAC;IAClD,IAAI,OAAO,OAAO,KAAK,QAAQ;QAAE,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC1E,IAAI,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC5C,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;IAC1D,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,WAAW,CACnB,OAA2C,EAC3C,IAAY;IAEZ,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACpD,IAAI,GAAG,CAAC,WAAW,EAAE,KAAK,KAAK;YAAE,OAAO,KAAK,CAAC;IAC/C,CAAC;IACD,OAAO,SAAS,CAAC;AAClB,CAAC;AAED,SAAS,qBAAqB,CAAC,CAAS,EAAE,CAAS;IAClD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACnC,QAAQ,IAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC/C,CAAC;IACD,OAAO,QAAQ,KAAK,CAAC,CAAC;AACvB,CAAC;AAED,SAAS,QAAQ,CAAC,KAAiB;IAClC,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACxD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;AACrB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB,CACjC,OAGI,EAAE;IAEN,MAAM,IAAI,GACT,IAAI,CAAC,IAAI,KAAK,SAAS;QACtB,CAAC,CAAC,yDAAyD;QAC3D,CAAC,CAAC,8CAA8C,CAAC;IACnD,OAAO,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACtE,CAAC"}

package/package.json

@@ -0,0 +1,60 @@
+{
+	"name": "@aquarian-metals/coin-moebius-square",
+	"version": "1.0.0",
+	"description": "Square (Block) provider for Coin Moebius — Payment Link redirect flow, plus a server-only HMAC-SHA256 webhook verifier.",
+	"keywords": [
+		"payments",
+		"square",
+		"block",
+		"payment-link",
+		"checkout",
+		"webhook",
+		"coin-moebius"
+	],
+	"author": "aquarian-metals",
+	"license": "MIT",
+	"homepage": "https://github.com/aquarian-metals/coin-moebius#readme",
+	"bugs": {
+		"url": "https://github.com/aquarian-metals/coin-moebius/issues"
+	},
+	"repository": {
+		"type": "git",
+		"url": "git+https://github.com/aquarian-metals/coin-moebius.git",
+		"directory": "packages/providers/square"
+	},
+	"type": "module",
+	"main": "./dist/index.js",
+	"types": "./dist/index.d.ts",
+	"sideEffects": false,
+	"files": [
+		"dist"
+	],
+	"exports": {
+		".": {
+			"types": "./dist/index.d.ts",
+			"import": "./dist/index.js"
+		},
+		"./server": {
+			"types": "./dist/server.d.ts",
+			"import": "./dist/server.js"
+		},
+		"./package.json": "./package.json"
+	},
+	"scripts": {
+		"clean": "node -e \"require('fs').rmSync('dist',{recursive:true,force:true})\"",
+		"build": "npm run clean && tsc",
+		"prepublishOnly": "npm run build"
+	},
+	"engines": {
+		"node": ">=18"
+	},
+	"dependencies": {
+		"@aquarian-metals/coin-moebius-core": "^1.0.0"
+	},
+	"devDependencies": {
+		"typescript": "~5.8.0"
+	},
+	"publishConfig": {
+		"access": "public"
+	}
+}