@astrasyncai/verification-gateway 2.2.0 → 2.3.4

package/dist/webhooks.d.mts

@@ -0,0 +1,59 @@
+/**
+ * AstraSync webhook signature verification.
+ *
+ * AstraSync signs every webhook delivery with HMAC-SHA256 over
+ * `${unix_timestamp}.${rawBody}` using the merchant's webhook secret
+ * (returned ONCE at endpoint registration). The signature is sent in
+ * the `X-AstraSync-Signature` header in the form:
+ *
+ *   X-AstraSync-Signature: t=<unix-ts>,v1=<hex-hmac>
+ *
+ * This pattern mirrors Stripe's `Stripe-Signature` to ease adoption.
+ *
+ * Usage:
+ *   import { verifyAstraSyncWebhook } from '@astrasyncai/verification-gateway/webhooks';
+ *
+ *   app.post('/webhooks/astrasync', express.raw({type:'application/json'}), (req, res) => {
+ *     const result = verifyAstraSyncWebhook(req.body.toString('utf8'), req.headers, secret);
+ *     if (!result.ok) return res.status(401).json({error: result.reason});
+ *     // ... process event
+ *   });
+ */
+interface VerifyWebhookOptions {
+    /**
+     * Maximum age (seconds) for the signature timestamp. Older deliveries
+     * are rejected as replays. Default 300 (5 minutes) — matches Stripe.
+     */
+    toleranceSeconds?: number;
+    /**
+     * Override "now" for tests. Defaults to Date.now().
+     */
+    nowMs?: number;
+}
+interface VerifyWebhookResult {
+    ok: boolean;
+    reason?: string;
+}
+/**
+ * Verify an AstraSync-issued webhook delivery.
+ *
+ * @param rawBody - The raw request body as a string (NOT the parsed JSON).
+ *                  Use `express.raw({type:'application/json'})` to preserve bytes.
+ * @param headers - Incoming request headers (case-insensitive).
+ * @param secret  - The merchant's webhook secret from endpoint registration.
+ * @param options - Optional tolerance overrides.
+ * @returns       - `{ok: true}` on success, `{ok: false, reason}` on failure.
+ */
+declare function verifyAstraSyncWebhook(rawBody: string, headers: Record<string, string | string[] | undefined>, secret: string, options?: VerifyWebhookOptions): VerifyWebhookResult;
+/**
+ * Server-side companion: produce an `X-AstraSync-Signature` header value for
+ * an outbound webhook delivery. Exposed for completeness and for test
+ * harnesses that want to verify the verifier; the AstraSync platform itself
+ * uses an internal version of the same logic.
+ */
+declare function signAstraSyncWebhook(rawBody: string, secret: string, nowMs?: number): {
+    header: string;
+    timestamp: number;
+};
+
+export { type VerifyWebhookOptions, type VerifyWebhookResult, signAstraSyncWebhook, verifyAstraSyncWebhook };

package/dist/webhooks.d.ts

@@ -0,0 +1,59 @@
+/**
+ * AstraSync webhook signature verification.
+ *
+ * AstraSync signs every webhook delivery with HMAC-SHA256 over
+ * `${unix_timestamp}.${rawBody}` using the merchant's webhook secret
+ * (returned ONCE at endpoint registration). The signature is sent in
+ * the `X-AstraSync-Signature` header in the form:
+ *
+ *   X-AstraSync-Signature: t=<unix-ts>,v1=<hex-hmac>
+ *
+ * This pattern mirrors Stripe's `Stripe-Signature` to ease adoption.
+ *
+ * Usage:
+ *   import { verifyAstraSyncWebhook } from '@astrasyncai/verification-gateway/webhooks';
+ *
+ *   app.post('/webhooks/astrasync', express.raw({type:'application/json'}), (req, res) => {
+ *     const result = verifyAstraSyncWebhook(req.body.toString('utf8'), req.headers, secret);
+ *     if (!result.ok) return res.status(401).json({error: result.reason});
+ *     // ... process event
+ *   });
+ */
+interface VerifyWebhookOptions {
+    /**
+     * Maximum age (seconds) for the signature timestamp. Older deliveries
+     * are rejected as replays. Default 300 (5 minutes) — matches Stripe.
+     */
+    toleranceSeconds?: number;
+    /**
+     * Override "now" for tests. Defaults to Date.now().
+     */
+    nowMs?: number;
+}
+interface VerifyWebhookResult {
+    ok: boolean;
+    reason?: string;
+}
+/**
+ * Verify an AstraSync-issued webhook delivery.
+ *
+ * @param rawBody - The raw request body as a string (NOT the parsed JSON).
+ *                  Use `express.raw({type:'application/json'})` to preserve bytes.
+ * @param headers - Incoming request headers (case-insensitive).
+ * @param secret  - The merchant's webhook secret from endpoint registration.
+ * @param options - Optional tolerance overrides.
+ * @returns       - `{ok: true}` on success, `{ok: false, reason}` on failure.
+ */
+declare function verifyAstraSyncWebhook(rawBody: string, headers: Record<string, string | string[] | undefined>, secret: string, options?: VerifyWebhookOptions): VerifyWebhookResult;
+/**
+ * Server-side companion: produce an `X-AstraSync-Signature` header value for
+ * an outbound webhook delivery. Exposed for completeness and for test
+ * harnesses that want to verify the verifier; the AstraSync platform itself
+ * uses an internal version of the same logic.
+ */
+declare function signAstraSyncWebhook(rawBody: string, secret: string, nowMs?: number): {
+    header: string;
+    timestamp: number;
+};
+
+export { type VerifyWebhookOptions, type VerifyWebhookResult, signAstraSyncWebhook, verifyAstraSyncWebhook };

package/dist/webhooks.js

@@ -0,0 +1,81 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/webhooks.ts
+var webhooks_exports = {};
+__export(webhooks_exports, {
+  signAstraSyncWebhook: () => signAstraSyncWebhook,
+  verifyAstraSyncWebhook: () => verifyAstraSyncWebhook
+});
+module.exports = __toCommonJS(webhooks_exports);
+var import_crypto = require("crypto");
+var DEFAULT_TOLERANCE_SECONDS = 300;
+function parseSignatureHeader(header) {
+  const parts = {};
+  for (const segment of header.split(",")) {
+    const [k, v] = segment.split("=");
+    if (k === "t" || k === "v1") parts[k] = v;
+  }
+  return parts;
+}
+function computeHmac(secret, signedPayload) {
+  return (0, import_crypto.createHmac)("sha256", secret).update(signedPayload, "utf8").digest("hex");
+}
+function constantTimeEquals(a, b) {
+  const aBuf = Buffer.from(a, "utf8");
+  const bBuf = Buffer.from(b, "utf8");
+  if (aBuf.length !== bBuf.length) return false;
+  return (0, import_crypto.timingSafeEqual)(aBuf, bBuf);
+}
+function verifyAstraSyncWebhook(rawBody, headers, secret, options = {}) {
+  if (!secret) return { ok: false, reason: "no_secret_provided" };
+  const rawHeader = headers["x-astrasync-signature"] ?? headers["X-Astrasync-Signature"] ?? headers["X-AstraSync-Signature"] ?? headers["X-ASTRASYNC-SIGNATURE"];
+  if (!rawHeader) return { ok: false, reason: "missing_signature_header" };
+  const headerValue = Array.isArray(rawHeader) ? rawHeader[0] : rawHeader;
+  const { t: timestamp, v1: receivedSignature } = parseSignatureHeader(headerValue);
+  if (!timestamp || !receivedSignature) {
+    return { ok: false, reason: "malformed_signature_header" };
+  }
+  const tolerance = options.toleranceSeconds ?? DEFAULT_TOLERANCE_SECONDS;
+  const now = options.nowMs ?? Date.now();
+  const tsSeconds = Number(timestamp);
+  if (!Number.isFinite(tsSeconds)) {
+    return { ok: false, reason: "invalid_timestamp" };
+  }
+  const ageSeconds = Math.abs(now / 1e3 - tsSeconds);
+  if (ageSeconds > tolerance) {
+    return { ok: false, reason: "timestamp_outside_tolerance" };
+  }
+  const expectedSignature = computeHmac(secret, `${timestamp}.${rawBody}`);
+  if (!constantTimeEquals(expectedSignature, receivedSignature)) {
+    return { ok: false, reason: "signature_mismatch" };
+  }
+  return { ok: true };
+}
+function signAstraSyncWebhook(rawBody, secret, nowMs = Date.now()) {
+  const timestamp = Math.floor(nowMs / 1e3);
+  const v1 = computeHmac(secret, `${timestamp}.${rawBody}`);
+  return { header: `t=${timestamp},v1=${v1}`, timestamp };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  signAstraSyncWebhook,
+  verifyAstraSyncWebhook
+});
+//# sourceMappingURL=webhooks.js.map

package/dist/webhooks.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/webhooks.ts"],"sourcesContent":["/**\n * AstraSync webhook signature verification.\n *\n * AstraSync signs every webhook delivery with HMAC-SHA256 over\n * `${unix_timestamp}.${rawBody}` using the merchant's webhook secret\n * (returned ONCE at endpoint registration). The signature is sent in\n * the `X-AstraSync-Signature` header in the form:\n *\n *   X-AstraSync-Signature: t=<unix-ts>,v1=<hex-hmac>\n *\n * This pattern mirrors Stripe's `Stripe-Signature` to ease adoption.\n *\n * Usage:\n *   import { verifyAstraSyncWebhook } from '@astrasyncai/verification-gateway/webhooks';\n *\n *   app.post('/webhooks/astrasync', express.raw({type:'application/json'}), (req, res) => {\n *     const result = verifyAstraSyncWebhook(req.body.toString('utf8'), req.headers, secret);\n *     if (!result.ok) return res.status(401).json({error: result.reason});\n *     // ... process event\n *   });\n */\n\nimport { createHmac, timingSafeEqual } from 'crypto';\n\nexport interface VerifyWebhookOptions {\n  /**\n   * Maximum age (seconds) for the signature timestamp. Older deliveries\n   * are rejected as replays. Default 300 (5 minutes) — matches Stripe.\n   */\n  toleranceSeconds?: number;\n  /**\n   * Override \"now\" for tests. Defaults to Date.now().\n   */\n  nowMs?: number;\n}\n\nexport interface VerifyWebhookResult {\n  ok: boolean;\n  reason?: string;\n}\n\nconst DEFAULT_TOLERANCE_SECONDS = 300;\n\nfunction parseSignatureHeader(header: string): { t?: string; v1?: string } {\n  const parts: { t?: string; v1?: string } = {};\n  for (const segment of header.split(',')) {\n    const [k, v] = segment.split('=');\n    if (k === 't' || k === 'v1') parts[k] = v;\n  }\n  return parts;\n}\n\nfunction computeHmac(secret: string, signedPayload: string): string {\n  return createHmac('sha256', secret).update(signedPayload, 'utf8').digest('hex');\n}\n\nfunction constantTimeEquals(a: string, b: string): boolean {\n  const aBuf = Buffer.from(a, 'utf8');\n  const bBuf = Buffer.from(b, 'utf8');\n  if (aBuf.length !== bBuf.length) return false;\n  return timingSafeEqual(aBuf, bBuf);\n}\n\n/**\n * Verify an AstraSync-issued webhook delivery.\n *\n * @param rawBody - The raw request body as a string (NOT the parsed JSON).\n *                  Use `express.raw({type:'application/json'})` to preserve bytes.\n * @param headers - Incoming request headers (case-insensitive).\n * @param secret  - The merchant's webhook secret from endpoint registration.\n * @param options - Optional tolerance overrides.\n * @returns       - `{ok: true}` on success, `{ok: false, reason}` on failure.\n */\nexport function verifyAstraSyncWebhook(\n  rawBody: string,\n  headers: Record<string, string | string[] | undefined>,\n  secret: string,\n  options: VerifyWebhookOptions = {}\n): VerifyWebhookResult {\n  if (!secret) return { ok: false, reason: 'no_secret_provided' };\n\n  // Header lookup is case-insensitive — support common variants.\n  const rawHeader =\n    headers['x-astrasync-signature'] ??\n    headers['X-Astrasync-Signature'] ??\n    headers['X-AstraSync-Signature'] ??\n    headers['X-ASTRASYNC-SIGNATURE'];\n  if (!rawHeader) return { ok: false, reason: 'missing_signature_header' };\n\n  const headerValue = Array.isArray(rawHeader) ? rawHeader[0] : rawHeader;\n  const { t: timestamp, v1: receivedSignature } = parseSignatureHeader(headerValue);\n  if (!timestamp || !receivedSignature) {\n    return { ok: false, reason: 'malformed_signature_header' };\n  }\n\n  const tolerance = options.toleranceSeconds ?? DEFAULT_TOLERANCE_SECONDS;\n  const now = options.nowMs ?? Date.now();\n  const tsSeconds = Number(timestamp);\n  if (!Number.isFinite(tsSeconds)) {\n    return { ok: false, reason: 'invalid_timestamp' };\n  }\n  const ageSeconds = Math.abs(now / 1000 - tsSeconds);\n  if (ageSeconds > tolerance) {\n    return { ok: false, reason: 'timestamp_outside_tolerance' };\n  }\n\n  const expectedSignature = computeHmac(secret, `${timestamp}.${rawBody}`);\n  if (!constantTimeEquals(expectedSignature, receivedSignature)) {\n    return { ok: false, reason: 'signature_mismatch' };\n  }\n\n  return { ok: true };\n}\n\n/**\n * Server-side companion: produce an `X-AstraSync-Signature` header value for\n * an outbound webhook delivery. Exposed for completeness and for test\n * harnesses that want to verify the verifier; the AstraSync platform itself\n * uses an internal version of the same logic.\n */\nexport function signAstraSyncWebhook(\n  rawBody: string,\n  secret: string,\n  nowMs: number = Date.now()\n): { header: string; timestamp: number } {\n  const timestamp = Math.floor(nowMs / 1000);\n  const v1 = computeHmac(secret, `${timestamp}.${rawBody}`);\n  return { header: `t=${timestamp},v1=${v1}`, timestamp };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAsBA,oBAA4C;AAmB5C,IAAM,4BAA4B;AAElC,SAAS,qBAAqB,QAA6C;AACzE,QAAM,QAAqC,CAAC;AAC5C,aAAW,WAAW,OAAO,MAAM,GAAG,GAAG;AACvC,UAAM,CAAC,GAAG,CAAC,IAAI,QAAQ,MAAM,GAAG;AAChC,QAAI,MAAM,OAAO,MAAM,KAAM,OAAM,CAAC,IAAI;AAAA,EAC1C;AACA,SAAO;AACT;AAEA,SAAS,YAAY,QAAgB,eAA+B;AAClE,aAAO,0BAAW,UAAU,MAAM,EAAE,OAAO,eAAe,MAAM,EAAE,OAAO,KAAK;AAChF;AAEA,SAAS,mBAAmB,GAAW,GAAoB;AACzD,QAAM,OAAO,OAAO,KAAK,GAAG,MAAM;AAClC,QAAM,OAAO,OAAO,KAAK,GAAG,MAAM;AAClC,MAAI,KAAK,WAAW,KAAK,OAAQ,QAAO;AACxC,aAAO,+BAAgB,MAAM,IAAI;AACnC;AAYO,SAAS,uBACd,SACA,SACA,QACA,UAAgC,CAAC,GACZ;AACrB,MAAI,CAAC,OAAQ,QAAO,EAAE,IAAI,OAAO,QAAQ,qBAAqB;AAG9D,QAAM,YACJ,QAAQ,uBAAuB,KAC/B,QAAQ,uBAAuB,KAC/B,QAAQ,uBAAuB,KAC/B,QAAQ,uBAAuB;AACjC,MAAI,CAAC,UAAW,QAAO,EAAE,IAAI,OAAO,QAAQ,2BAA2B;AAEvE,QAAM,cAAc,MAAM,QAAQ,SAAS,IAAI,UAAU,CAAC,IAAI;AAC9D,QAAM,EAAE,GAAG,WAAW,IAAI,kBAAkB,IAAI,qBAAqB,WAAW;AAChF,MAAI,CAAC,aAAa,CAAC,mBAAmB;AACpC,WAAO,EAAE,IAAI,OAAO,QAAQ,6BAA6B;AAAA,EAC3D;AAEA,QAAM,YAAY,QAAQ,oBAAoB;AAC9C,QAAM,MAAM,QAAQ,SAAS,KAAK,IAAI;AACtC,QAAM,YAAY,OAAO,SAAS;AAClC,MAAI,CAAC,OAAO,SAAS,SAAS,GAAG;AAC/B,WAAO,EAAE,IAAI,OAAO,QAAQ,oBAAoB;AAAA,EAClD;AACA,QAAM,aAAa,KAAK,IAAI,MAAM,MAAO,SAAS;AAClD,MAAI,aAAa,WAAW;AAC1B,WAAO,EAAE,IAAI,OAAO,QAAQ,8BAA8B;AAAA,EAC5D;AAEA,QAAM,oBAAoB,YAAY,QAAQ,GAAG,SAAS,IAAI,OAAO,EAAE;AACvE,MAAI,CAAC,mBAAmB,mBAAmB,iBAAiB,GAAG;AAC7D,WAAO,EAAE,IAAI,OAAO,QAAQ,qBAAqB;AAAA,EACnD;AAEA,SAAO,EAAE,IAAI,KAAK;AACpB;AAQO,SAAS,qBACd,SACA,QACA,QAAgB,KAAK,IAAI,GACc;AACvC,QAAM,YAAY,KAAK,MAAM,QAAQ,GAAI;AACzC,QAAM,KAAK,YAAY,QAAQ,GAAG,SAAS,IAAI,OAAO,EAAE;AACxD,SAAO,EAAE,QAAQ,KAAK,SAAS,OAAO,EAAE,IAAI,UAAU;AACxD;","names":[]}

package/dist/webhooks.mjs

@@ -0,0 +1,55 @@
+// src/webhooks.ts
+import { createHmac, timingSafeEqual } from "crypto";
+var DEFAULT_TOLERANCE_SECONDS = 300;
+function parseSignatureHeader(header) {
+  const parts = {};
+  for (const segment of header.split(",")) {
+    const [k, v] = segment.split("=");
+    if (k === "t" || k === "v1") parts[k] = v;
+  }
+  return parts;
+}
+function computeHmac(secret, signedPayload) {
+  return createHmac("sha256", secret).update(signedPayload, "utf8").digest("hex");
+}
+function constantTimeEquals(a, b) {
+  const aBuf = Buffer.from(a, "utf8");
+  const bBuf = Buffer.from(b, "utf8");
+  if (aBuf.length !== bBuf.length) return false;
+  return timingSafeEqual(aBuf, bBuf);
+}
+function verifyAstraSyncWebhook(rawBody, headers, secret, options = {}) {
+  if (!secret) return { ok: false, reason: "no_secret_provided" };
+  const rawHeader = headers["x-astrasync-signature"] ?? headers["X-Astrasync-Signature"] ?? headers["X-AstraSync-Signature"] ?? headers["X-ASTRASYNC-SIGNATURE"];
+  if (!rawHeader) return { ok: false, reason: "missing_signature_header" };
+  const headerValue = Array.isArray(rawHeader) ? rawHeader[0] : rawHeader;
+  const { t: timestamp, v1: receivedSignature } = parseSignatureHeader(headerValue);
+  if (!timestamp || !receivedSignature) {
+    return { ok: false, reason: "malformed_signature_header" };
+  }
+  const tolerance = options.toleranceSeconds ?? DEFAULT_TOLERANCE_SECONDS;
+  const now = options.nowMs ?? Date.now();
+  const tsSeconds = Number(timestamp);
+  if (!Number.isFinite(tsSeconds)) {
+    return { ok: false, reason: "invalid_timestamp" };
+  }
+  const ageSeconds = Math.abs(now / 1e3 - tsSeconds);
+  if (ageSeconds > tolerance) {
+    return { ok: false, reason: "timestamp_outside_tolerance" };
+  }
+  const expectedSignature = computeHmac(secret, `${timestamp}.${rawBody}`);
+  if (!constantTimeEquals(expectedSignature, receivedSignature)) {
+    return { ok: false, reason: "signature_mismatch" };
+  }
+  return { ok: true };
+}
+function signAstraSyncWebhook(rawBody, secret, nowMs = Date.now()) {
+  const timestamp = Math.floor(nowMs / 1e3);
+  const v1 = computeHmac(secret, `${timestamp}.${rawBody}`);
+  return { header: `t=${timestamp},v1=${v1}`, timestamp };
+}
+export {
+  signAstraSyncWebhook,
+  verifyAstraSyncWebhook
+};
+//# sourceMappingURL=webhooks.mjs.map

package/dist/webhooks.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/webhooks.ts"],"sourcesContent":["/**\n * AstraSync webhook signature verification.\n *\n * AstraSync signs every webhook delivery with HMAC-SHA256 over\n * `${unix_timestamp}.${rawBody}` using the merchant's webhook secret\n * (returned ONCE at endpoint registration). The signature is sent in\n * the `X-AstraSync-Signature` header in the form:\n *\n *   X-AstraSync-Signature: t=<unix-ts>,v1=<hex-hmac>\n *\n * This pattern mirrors Stripe's `Stripe-Signature` to ease adoption.\n *\n * Usage:\n *   import { verifyAstraSyncWebhook } from '@astrasyncai/verification-gateway/webhooks';\n *\n *   app.post('/webhooks/astrasync', express.raw({type:'application/json'}), (req, res) => {\n *     const result = verifyAstraSyncWebhook(req.body.toString('utf8'), req.headers, secret);\n *     if (!result.ok) return res.status(401).json({error: result.reason});\n *     // ... process event\n *   });\n */\n\nimport { createHmac, timingSafeEqual } from 'crypto';\n\nexport interface VerifyWebhookOptions {\n  /**\n   * Maximum age (seconds) for the signature timestamp. Older deliveries\n   * are rejected as replays. Default 300 (5 minutes) — matches Stripe.\n   */\n  toleranceSeconds?: number;\n  /**\n   * Override \"now\" for tests. Defaults to Date.now().\n   */\n  nowMs?: number;\n}\n\nexport interface VerifyWebhookResult {\n  ok: boolean;\n  reason?: string;\n}\n\nconst DEFAULT_TOLERANCE_SECONDS = 300;\n\nfunction parseSignatureHeader(header: string): { t?: string; v1?: string } {\n  const parts: { t?: string; v1?: string } = {};\n  for (const segment of header.split(',')) {\n    const [k, v] = segment.split('=');\n    if (k === 't' || k === 'v1') parts[k] = v;\n  }\n  return parts;\n}\n\nfunction computeHmac(secret: string, signedPayload: string): string {\n  return createHmac('sha256', secret).update(signedPayload, 'utf8').digest('hex');\n}\n\nfunction constantTimeEquals(a: string, b: string): boolean {\n  const aBuf = Buffer.from(a, 'utf8');\n  const bBuf = Buffer.from(b, 'utf8');\n  if (aBuf.length !== bBuf.length) return false;\n  return timingSafeEqual(aBuf, bBuf);\n}\n\n/**\n * Verify an AstraSync-issued webhook delivery.\n *\n * @param rawBody - The raw request body as a string (NOT the parsed JSON).\n *                  Use `express.raw({type:'application/json'})` to preserve bytes.\n * @param headers - Incoming request headers (case-insensitive).\n * @param secret  - The merchant's webhook secret from endpoint registration.\n * @param options - Optional tolerance overrides.\n * @returns       - `{ok: true}` on success, `{ok: false, reason}` on failure.\n */\nexport function verifyAstraSyncWebhook(\n  rawBody: string,\n  headers: Record<string, string | string[] | undefined>,\n  secret: string,\n  options: VerifyWebhookOptions = {}\n): VerifyWebhookResult {\n  if (!secret) return { ok: false, reason: 'no_secret_provided' };\n\n  // Header lookup is case-insensitive — support common variants.\n  const rawHeader =\n    headers['x-astrasync-signature'] ??\n    headers['X-Astrasync-Signature'] ??\n    headers['X-AstraSync-Signature'] ??\n    headers['X-ASTRASYNC-SIGNATURE'];\n  if (!rawHeader) return { ok: false, reason: 'missing_signature_header' };\n\n  const headerValue = Array.isArray(rawHeader) ? rawHeader[0] : rawHeader;\n  const { t: timestamp, v1: receivedSignature } = parseSignatureHeader(headerValue);\n  if (!timestamp || !receivedSignature) {\n    return { ok: false, reason: 'malformed_signature_header' };\n  }\n\n  const tolerance = options.toleranceSeconds ?? DEFAULT_TOLERANCE_SECONDS;\n  const now = options.nowMs ?? Date.now();\n  const tsSeconds = Number(timestamp);\n  if (!Number.isFinite(tsSeconds)) {\n    return { ok: false, reason: 'invalid_timestamp' };\n  }\n  const ageSeconds = Math.abs(now / 1000 - tsSeconds);\n  if (ageSeconds > tolerance) {\n    return { ok: false, reason: 'timestamp_outside_tolerance' };\n  }\n\n  const expectedSignature = computeHmac(secret, `${timestamp}.${rawBody}`);\n  if (!constantTimeEquals(expectedSignature, receivedSignature)) {\n    return { ok: false, reason: 'signature_mismatch' };\n  }\n\n  return { ok: true };\n}\n\n/**\n * Server-side companion: produce an `X-AstraSync-Signature` header value for\n * an outbound webhook delivery. Exposed for completeness and for test\n * harnesses that want to verify the verifier; the AstraSync platform itself\n * uses an internal version of the same logic.\n */\nexport function signAstraSyncWebhook(\n  rawBody: string,\n  secret: string,\n  nowMs: number = Date.now()\n): { header: string; timestamp: number } {\n  const timestamp = Math.floor(nowMs / 1000);\n  const v1 = computeHmac(secret, `${timestamp}.${rawBody}`);\n  return { header: `t=${timestamp},v1=${v1}`, timestamp };\n}\n"],"mappings":";AAsBA,SAAS,YAAY,uBAAuB;AAmB5C,IAAM,4BAA4B;AAElC,SAAS,qBAAqB,QAA6C;AACzE,QAAM,QAAqC,CAAC;AAC5C,aAAW,WAAW,OAAO,MAAM,GAAG,GAAG;AACvC,UAAM,CAAC,GAAG,CAAC,IAAI,QAAQ,MAAM,GAAG;AAChC,QAAI,MAAM,OAAO,MAAM,KAAM,OAAM,CAAC,IAAI;AAAA,EAC1C;AACA,SAAO;AACT;AAEA,SAAS,YAAY,QAAgB,eAA+B;AAClE,SAAO,WAAW,UAAU,MAAM,EAAE,OAAO,eAAe,MAAM,EAAE,OAAO,KAAK;AAChF;AAEA,SAAS,mBAAmB,GAAW,GAAoB;AACzD,QAAM,OAAO,OAAO,KAAK,GAAG,MAAM;AAClC,QAAM,OAAO,OAAO,KAAK,GAAG,MAAM;AAClC,MAAI,KAAK,WAAW,KAAK,OAAQ,QAAO;AACxC,SAAO,gBAAgB,MAAM,IAAI;AACnC;AAYO,SAAS,uBACd,SACA,SACA,QACA,UAAgC,CAAC,GACZ;AACrB,MAAI,CAAC,OAAQ,QAAO,EAAE,IAAI,OAAO,QAAQ,qBAAqB;AAG9D,QAAM,YACJ,QAAQ,uBAAuB,KAC/B,QAAQ,uBAAuB,KAC/B,QAAQ,uBAAuB,KAC/B,QAAQ,uBAAuB;AACjC,MAAI,CAAC,UAAW,QAAO,EAAE,IAAI,OAAO,QAAQ,2BAA2B;AAEvE,QAAM,cAAc,MAAM,QAAQ,SAAS,IAAI,UAAU,CAAC,IAAI;AAC9D,QAAM,EAAE,GAAG,WAAW,IAAI,kBAAkB,IAAI,qBAAqB,WAAW;AAChF,MAAI,CAAC,aAAa,CAAC,mBAAmB;AACpC,WAAO,EAAE,IAAI,OAAO,QAAQ,6BAA6B;AAAA,EAC3D;AAEA,QAAM,YAAY,QAAQ,oBAAoB;AAC9C,QAAM,MAAM,QAAQ,SAAS,KAAK,IAAI;AACtC,QAAM,YAAY,OAAO,SAAS;AAClC,MAAI,CAAC,OAAO,SAAS,SAAS,GAAG;AAC/B,WAAO,EAAE,IAAI,OAAO,QAAQ,oBAAoB;AAAA,EAClD;AACA,QAAM,aAAa,KAAK,IAAI,MAAM,MAAO,SAAS;AAClD,MAAI,aAAa,WAAW;AAC1B,WAAO,EAAE,IAAI,OAAO,QAAQ,8BAA8B;AAAA,EAC5D;AAEA,QAAM,oBAAoB,YAAY,QAAQ,GAAG,SAAS,IAAI,OAAO,EAAE;AACvE,MAAI,CAAC,mBAAmB,mBAAmB,iBAAiB,GAAG;AAC7D,WAAO,EAAE,IAAI,OAAO,QAAQ,qBAAqB;AAAA,EACnD;AAEA,SAAO,EAAE,IAAI,KAAK;AACpB;AAQO,SAAS,qBACd,SACA,QACA,QAAgB,KAAK,IAAI,GACc;AACvC,QAAM,YAAY,KAAK,MAAM,QAAQ,GAAI;AACzC,QAAM,KAAK,YAAY,QAAQ,GAAG,SAAS,IAAI,OAAO,EAAE;AACxD,SAAO,EAAE,QAAQ,KAAK,SAAS,OAAO,EAAE,IAAI,UAAU;AACxD;","names":[]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@astrasyncai/verification-gateway",
-  "version": "2.2.0",
+  "version": "2.3.4",
   "description": "Universal Verification Gateway for AstraSync KYA Platform - verify AI agents across any counterparty type",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -75,6 +75,11 @@
       "types": "./dist/git-trigger/git-hooks.d.ts",
       "import": "./dist/git-trigger/git-hooks.mjs",
       "require": "./dist/git-trigger/git-hooks.js"
+    },
+    "./webhooks": {
+      "types": "./dist/webhooks.d.ts",
+      "import": "./dist/webhooks.mjs",
+      "require": "./dist/webhooks.js"
     }
   },
   "files": [