@blamejs/blamejs-shop 0.0.44

package/lib/payment.js

@@ -0,0 +1,318 @@
+"use strict";
+/**
+ * @module shop.payment
+ * @title  Payment primitive — Stripe adapter
+ *
+ * @intro
+ *   v1 ships the Stripe adapter — inbound webhook signature
+ *   verification (HMAC-SHA256 over `<timestamp>.<body>` with
+ *   `whsec_...` secret, ±5 min tolerance, constant-time compare) and
+ *   outbound API calls (PaymentIntent create / retrieve / confirm /
+ *   cancel + Refund) composed on `b.httpClient` (SSRF-gated, retried,
+ *   circuit-broken, ALPN HTTP/2). No `stripe` npm dep — every byte is
+ *   either node built-in or vendored blamejs primitive.
+ *
+ *   Future Adyen / Mollie / Paddle adapters land as additional
+ *   factory functions returning the same `{ verifyWebhook,
+ *   createPaymentIntent, ... }` shape so caller code (checkout,
+ *   order) doesn't care which adapter is wired.
+ *
+ *   The verifier IS available on the Worker too (see
+ *   worker/index.js's `_verifyStripeSignature`) — the container
+ *   re-verifies as defense in depth so a compromised Worker
+ *   token can't smuggle unsigned events into the order pipeline.
+ */
+
+var bShop;
+function _b() {
+  if (!bShop) bShop = require("./index");
+  return bShop.framework;
+}
+
+var STRIPE_API_BASE_DEFAULT  = "https://api.stripe.com/v1";
+var STRIPE_WEBHOOK_TOLERANCE = 300;   // ± 5 minutes (Stripe default)
+var STRIPE_HTTP_TIMEOUT_MS   = 15000;
+var CURRENCY_RE              = /^[a-z]{3}$/;   // Stripe wants lowercase ISO 4217
+
+// ---- validation -----------------------------------------------------------
+
+function _assertSecret(s, label) {
+  if (typeof s !== "string" || s.length < 8) {
+    throw new TypeError("payment: " + label + " must be a non-empty string");
+  }
+}
+function _nonNegInt(n, label) {
+  if (!Number.isInteger(n) || n < 0) {
+    throw new TypeError("payment: " + label + " must be a non-negative integer (minor units)");
+  }
+}
+function _positiveInt(n, label) {
+  if (!Number.isInteger(n) || n <= 0) {
+    throw new TypeError("payment: " + label + " must be a positive integer");
+  }
+}
+
+// ---- Stripe form-encoding -------------------------------------------------
+//
+// Stripe accepts application/x-www-form-urlencoded with bracket
+// notation for nested fields:
+//
+//   amount=2999&currency=usd&automatic_payment_methods[enabled]=true
+//
+// `_formEncode({ amount: 2999, currency: "usd", automatic_payment_methods: { enabled: true } })`
+// yields the line above. Arrays use `key[]=v1&key[]=v2`.
+function _formEncode(obj, prefix) {
+  var parts = [];
+  Object.keys(obj).forEach(function (k) {
+    var v = obj[k];
+    if (v == null) return;
+    var name = prefix ? prefix + "[" + k + "]" : k;
+    if (Array.isArray(v)) {
+      v.forEach(function (item) {
+        if (item != null && typeof item === "object") {
+          parts.push(_formEncode(item, name + "[]"));
+        } else {
+          parts.push(encodeURIComponent(name + "[]") + "=" + encodeURIComponent(String(item)));
+        }
+      });
+    } else if (typeof v === "object") {
+      parts.push(_formEncode(v, name));
+    } else {
+      parts.push(encodeURIComponent(name) + "=" + encodeURIComponent(String(v)));
+    }
+  });
+  return parts.filter(Boolean).join("&");
+}
+
+// ---- webhook verifier -----------------------------------------------------
+//
+// Composes b.webhook.verify (alg: "hmac-sha256-stripe") — the
+// upstream primitive ships full Stripe-spec verification:
+// constant-time compare, multi-v1= rotation support, timestamp
+// tolerance, and optional nonce-store replay defense. We wrap the
+// throwing API in a { ok, reason } shape so checkout's handler can
+// branch on the failure mode without try/catch.
+
+async function _verifyWebhook(headers, rawBody, secret, opts) {
+  if (typeof rawBody !== "string") {
+    throw new TypeError("payment.verifyWebhook: rawBody must be the request body string (read BEFORE JSON.parse)");
+  }
+  opts = opts || {};
+  // Case-insensitive header lookup so caller framework conventions
+  // don't matter (Node http2 = lowercase, Express = preserved case).
+  var headerVal = null;
+  if (headers && typeof headers === "object") {
+    var keys = Object.keys(headers);
+    for (var k = 0; k < keys.length; k += 1) {
+      if (keys[k].toLowerCase() === "stripe-signature") { headerVal = headers[keys[k]]; break; }
+    }
+  }
+  if (!headerVal) return { ok: false, reason: "no-signature" };
+
+  var toleranceMs = opts.toleranceSeconds == null
+    ? STRIPE_WEBHOOK_TOLERANCE * 1000
+    : opts.toleranceSeconds * 1000;
+  if (typeof toleranceMs !== "number" || !isFinite(toleranceMs) || toleranceMs <= 0) {
+    throw new TypeError("payment.verifyWebhook: toleranceSeconds must be a positive number");
+  }
+
+  try {
+    await _b().webhook.verify({
+      alg:         "hmac-sha256-stripe",
+      secret:      secret,
+      header:      headerVal,
+      body:        rawBody,
+      toleranceMs: toleranceMs,
+      nonceStore:  opts.nonceStore || undefined,
+      _nowMs:      opts.now != null ? opts.now * 1000 : undefined,
+    });
+  } catch (e) {
+    var code = (e && e.code) || "";
+    var reason = "signature-mismatch";
+    if (code === "webhook/stale-timestamp") reason = "timestamp-outside-tolerance";
+    else if (code === "webhook/bad-stripe-header") reason = "no-signature";
+    else if (code === "webhook/bad-signature") reason = "signature-mismatch";
+    else if (code === "webhook/replay-detected") reason = "replay";
+    return { ok: false, reason: reason, code: code };
+  }
+
+  try {
+    return { ok: true, event: JSON.parse(rawBody) };
+  } catch (_e) {
+    return { ok: false, reason: "bad-json" };
+  }
+}
+
+// ---- Stripe API call ------------------------------------------------------
+
+async function _stripeCall(opts, method, path, params, idempotencyKey) {
+  var url = (opts.apiBase || STRIPE_API_BASE_DEFAULT) + path;
+  var headers = {
+    "authorization": "Bearer " + opts.apiKey,
+    "accept":         "application/json",
+    "user-agent":     "blamejs-shop (zero-dep)",
+  };
+  var body = null;
+  if (params && Object.keys(params).length) {
+    body = _formEncode(params);
+    headers["content-type"]   = "application/x-www-form-urlencoded";
+    headers["content-length"] = Buffer.byteLength(body, "utf8");
+  }
+  if (idempotencyKey) {
+    headers["idempotency-key"] = idempotencyKey;
+  }
+  var res = await _b().httpClient.request({
+    method:    method,
+    url:       url,
+    headers:   headers,
+    body:      body || undefined,
+    timeoutMs: opts.timeoutMs || STRIPE_HTTP_TIMEOUT_MS,
+  });
+  var text = res.body && res.body.toString ? res.body.toString("utf8") : "";
+  var json = null;
+  try { json = text.length ? JSON.parse(text) : {}; } catch (_e) { json = { _raw: text }; }
+  if (res.statusCode < 200 || res.statusCode >= 300) {
+    var err = new Error("stripe: " + method + " " + path + " → HTTP " + res.statusCode +
+                        (json && json.error && json.error.message ? " — " + json.error.message : ""));
+    err.code = (json && json.error && json.error.code) || "STRIPE_HTTP_" + res.statusCode;
+    err.statusCode = res.statusCode;
+    err.stripe = json && json.error || null;
+    throw err;
+  }
+  return json;
+}
+
+// ---- adapter --------------------------------------------------------------
+
+function stripe(opts) {
+  opts = opts || {};
+  _assertSecret(opts.apiKey,        "apiKey");
+  _assertSecret(opts.webhookSecret, "webhookSecret");
+
+  return {
+    name: "stripe",
+
+    verifyWebhook: function (headers, rawBody, vOpts) {
+      return _verifyWebhook(headers, rawBody, opts.webhookSecret, vOpts);
+    },
+
+    createPaymentIntent: function (input, idempotencyKey) {
+      if (!input || typeof input !== "object") throw new TypeError("payment.createPaymentIntent: input object required");
+      _positiveInt(input.amount_minor, "amount_minor");
+      if (typeof input.currency !== "string" || !CURRENCY_RE.test(input.currency)) {
+        throw new TypeError("payment.createPaymentIntent: currency must be 3-letter lowercase ISO 4217");
+      }
+      var params = {
+        amount:   input.amount_minor,
+        currency: input.currency,
+        automatic_payment_methods: { enabled: true },
+      };
+      if (input.customer) params.customer  = input.customer;
+      if (input.metadata) params.metadata  = input.metadata;
+      if (input.description) params.description = input.description;
+      if (input.receipt_email) params.receipt_email = input.receipt_email;
+      return _stripeCall(opts, "POST", "/payment_intents", params, idempotencyKey);
+    },
+
+    retrievePaymentIntent: function (id) {
+      _assertSecret(id, "payment_intent id");
+      return _stripeCall(opts, "GET", "/payment_intents/" + encodeURIComponent(id), null, null);
+    },
+
+    confirmPaymentIntent: function (id, params, idempotencyKey) {
+      _assertSecret(id, "payment_intent id");
+      return _stripeCall(opts, "POST", "/payment_intents/" + encodeURIComponent(id) + "/confirm",
+                          params || {}, idempotencyKey);
+    },
+
+    cancelPaymentIntent: function (id, idempotencyKey) {
+      _assertSecret(id, "payment_intent id");
+      return _stripeCall(opts, "POST", "/payment_intents/" + encodeURIComponent(id) + "/cancel",
+                          {}, idempotencyKey);
+    },
+
+    refund: function (input, idempotencyKey) {
+      if (!input || typeof input !== "object") throw new TypeError("payment.refund: input object required");
+      _assertSecret(input.payment_intent, "refund.payment_intent");
+      var params = { payment_intent: input.payment_intent };
+      if (input.amount_minor != null) {
+        _positiveInt(input.amount_minor, "amount_minor");
+        params.amount = input.amount_minor;
+      }
+      if (input.reason) {
+        if (["duplicate", "fraudulent", "requested_by_customer"].indexOf(input.reason) === -1) {
+          throw new TypeError("payment.refund: reason must be one of duplicate, fraudulent, requested_by_customer");
+        }
+        params.reason = input.reason;
+      }
+      if (input.metadata) params.metadata = input.metadata;
+      return _stripeCall(opts, "POST", "/refunds", params, idempotencyKey);
+    },
+
+    // Stripe Subscriptions API. Operators pre-create the recurring
+    // Price in Stripe (the source of truth for pricing); the shop's
+    // `subscriptions` primitive stores the price id locally and
+    // calls these to bind a customer + price into an active
+    // subscription record.
+    subscriptions: {
+      create: function (input, idempotencyKey) {
+        if (!input || typeof input !== "object") throw new TypeError("payment.subscriptions.create: input object required");
+        _assertSecret(input.customer, "subscriptions.create.customer");
+        if (!Array.isArray(input.items) || input.items.length === 0) {
+          throw new TypeError("payment.subscriptions.create: items[] (at least one price) required");
+        }
+        var params = { customer: input.customer, items: input.items };
+        if (input.default_payment_method) params.default_payment_method = input.default_payment_method;
+        if (input.trial_period_days != null) {
+          _nonNegInt(input.trial_period_days, "trial_period_days");
+          params.trial_period_days = input.trial_period_days;
+        }
+        if (input.metadata) params.metadata = input.metadata;
+        if (input.payment_behavior) params.payment_behavior = input.payment_behavior;
+        if (input.expand) params.expand = input.expand;
+        return _stripeCall(opts, "POST", "/subscriptions", params, idempotencyKey);
+      },
+
+      retrieve: function (id) {
+        _assertSecret(id, "subscription id");
+        return _stripeCall(opts, "GET", "/subscriptions/" + encodeURIComponent(id), null, null);
+      },
+
+      update: function (id, input, idempotencyKey) {
+        _assertSecret(id, "subscription id");
+        if (!input || typeof input !== "object") throw new TypeError("payment.subscriptions.update: input object required");
+        return _stripeCall(opts, "POST", "/subscriptions/" + encodeURIComponent(id), input, idempotencyKey);
+      },
+
+      cancel: function (id, opts2, idempotencyKey) {
+        _assertSecret(id, "subscription id");
+        opts2 = opts2 || {};
+        if (opts2.at_period_end) {
+          // Stripe modeled "cancel at period end" as an UPDATE so the
+          // subscription stays active through the current billing
+          // window; DELETE is for immediate end-of-life.
+          return _stripeCall(opts, "POST", "/subscriptions/" + encodeURIComponent(id),
+                              { cancel_at_period_end: true }, idempotencyKey);
+        }
+        return _stripeCall(opts, "DELETE", "/subscriptions/" + encodeURIComponent(id), null, idempotencyKey);
+      },
+    },
+  };
+}
+
+function create(opts) {
+  opts = opts || {};
+  if (opts.adapter && opts.adapter !== "stripe") {
+    throw new TypeError("payment.create: unknown adapter " + JSON.stringify(opts.adapter) + " — only 'stripe' is supported in v1");
+  }
+  return stripe(opts);
+}
+
+module.exports = {
+  create:                    create,
+  stripe:                    stripe,
+  STRIPE_WEBHOOK_TOLERANCE:  STRIPE_WEBHOOK_TOLERANCE,
+  // Exposed for tests + Worker to share form-encoding shape.
+  _formEncode:               _formEncode,
+  _verifyWebhook:            _verifyWebhook,
+};

package/lib/pricing.js

@@ -0,0 +1,185 @@
+"use strict";
+/**
+ * @module shop.pricing
+ * @title  Pricing primitive — pure functions over cart lines
+ *
+ * @intro
+ *   Pure money math. No I/O, no database, no formatting that
+ *   depends on environment — every primitive returns the same
+ *   output for the same input.
+ *
+ *   All amounts are integer minor units (cents, pence) and carry
+ *   their ISO 4217 currency code. The primitives refuse to add
+ *   across currencies (a multi-currency cart is a programmer error
+ *   the storefront should never construct); they throw rather than
+ *   silently coerce.
+ *
+ *   v1 surface:
+ *
+ *     pricing.subtotal(lines)              → { amount_minor, currency, line_count }
+ *     pricing.lineTotal(line)              → integer minor units
+ *     pricing.totals(cart, lines, ctx)     → {
+ *       subtotal_minor, tax_minor, shipping_minor, discount_minor,
+ *       grand_total_minor, currency, breakdown: [...]
+ *     }
+ *     pricing.format(amount_minor, currency, opts?) → "$29.99"
+ *
+ *   Discounts / coupons land as a v1.x additive surface — the
+ *   `totals()` shape already exposes `discount_minor` so storefront
+ *   templates need no change when discount rules ship.
+ */
+
+var bShop;
+function _b() {
+  if (!bShop) bShop = require("./index");
+  return bShop.framework;
+}
+
+var CURRENCY_RE = /^[A-Z]{3}$/;
+
+function _assertCurrency(c) {
+  if (typeof c !== "string" || !CURRENCY_RE.test(c)) {
+    throw new TypeError("pricing: currency must be a 3-letter ISO 4217 code, got " + JSON.stringify(c));
+  }
+}
+
+function _assertNonNegInt(n, label) {
+  if (!Number.isInteger(n) || n < 0) {
+    throw new TypeError("pricing: " + label + " must be a non-negative integer (minor units), got " + JSON.stringify(n));
+  }
+}
+
+function _assertPositiveInt(n, label) {
+  if (!Number.isInteger(n) || n <= 0) {
+    throw new TypeError("pricing: " + label + " must be a positive integer, got " + JSON.stringify(n));
+  }
+}
+
+/**
+ * pricing.lineTotal({ qty, unit_amount_minor }) → integer minor units
+ *
+ * Safe over 32-bit JS integer range: a single line's total caps at
+ * ~Number.MAX_SAFE_INTEGER cents = $90 trillion. Practical carts
+ * have qty < 10K and unit < $10K, so a line is < $100M which is
+ * well within safe-integer range. No BigInt needed at this scale.
+ */
+function lineTotal(line) {
+  if (!line || typeof line !== "object") throw new TypeError("pricing.lineTotal: line object required");
+  _assertPositiveInt(line.qty, "qty");
+  _assertNonNegInt(line.unit_amount_minor, "unit_amount_minor");
+  return line.qty * line.unit_amount_minor;
+}
+
+/**
+ * pricing.subtotal(lines) → { amount_minor, currency, line_count }
+ *
+ * Sums up line totals. Refuses if lines mix currencies. Empty
+ * arrays return amount_minor=0; currency in that case must be
+ * supplied by the caller via the cart, not inferred from the
+ * (empty) lines list.
+ */
+function subtotal(lines, opts) {
+  if (!Array.isArray(lines)) throw new TypeError("pricing.subtotal: lines must be an array");
+  if (lines.length === 0) {
+    return { amount_minor: 0, currency: (opts && opts.currency) || null, line_count: 0 };
+  }
+  var currency = lines[0].unit_currency;
+  _assertCurrency(currency);
+  var total = 0;
+  for (var i = 0; i < lines.length; i += 1) {
+    var l = lines[i];
+    if (l.unit_currency !== currency) {
+      throw new TypeError("pricing.subtotal: line " + i + " currency " + JSON.stringify(l.unit_currency) +
+                          " ≠ cart currency " + JSON.stringify(currency) + " — multi-currency carts are refused");
+    }
+    total += lineTotal(l);
+  }
+  return { amount_minor: total, currency: currency, line_count: lines.length };
+}
+
+/**
+ * pricing.totals(cart, lines, ctx?) → totals breakdown
+ *
+ * ctx (all optional, defaults to zero):
+ *   - tax_minor:      tax-engine output (from b.shop.tax later)
+ *   - shipping_minor: shipping-engine output (from b.shop.shipping later)
+ *   - discount_minor: applied discount (from coupons / member pricing)
+ *
+ * Returns the operator-facing breakdown that storefront + admin
+ * templates render. Refuses if any minor-unit is negative or
+ * non-integer.
+ */
+function totals(cart, lines, ctx) {
+  if (!cart || typeof cart !== "object") throw new TypeError("pricing.totals: cart object required");
+  _assertCurrency(cart.currency);
+  ctx = ctx || {};
+  var subRow = subtotal(lines, { currency: cart.currency });
+  // If the cart has lines, the subtotal currency must match the
+  // cart currency. (The lines' currency comes from the snapshot at
+  // add-to-cart; in normal flow it equals the cart currency, but
+  // the test catches drift early.)
+  if (subRow.line_count > 0 && subRow.currency !== cart.currency) {
+    throw new TypeError("pricing.totals: cart.currency " + JSON.stringify(cart.currency) +
+                        " ≠ lines currency " + JSON.stringify(subRow.currency));
+  }
+  var tax      = ctx.tax_minor      == null ? 0 : ctx.tax_minor;
+  var shipping = ctx.shipping_minor == null ? 0 : ctx.shipping_minor;
+  var discount = ctx.discount_minor == null ? 0 : ctx.discount_minor;
+  _assertNonNegInt(tax,      "tax_minor");
+  _assertNonNegInt(shipping, "shipping_minor");
+  _assertNonNegInt(discount, "discount_minor");
+  if (discount > subRow.amount_minor) {
+    throw new TypeError("pricing.totals: discount_minor (" + discount +
+                        ") exceeds subtotal (" + subRow.amount_minor + ") — clamp at caller");
+  }
+  var grand = subRow.amount_minor - discount + tax + shipping;
+  return {
+    currency:          cart.currency,
+    line_count:        subRow.line_count,
+    subtotal_minor:    subRow.amount_minor,
+    discount_minor:    discount,
+    tax_minor:         tax,
+    shipping_minor:    shipping,
+    grand_total_minor: grand,
+    breakdown: [
+      { label: "subtotal", amount_minor:  subRow.amount_minor },
+      { label: "discount", amount_minor: -discount },
+      { label: "tax",      amount_minor:  tax },
+      { label: "shipping", amount_minor:  shipping },
+      { label: "total",    amount_minor:  grand },
+    ],
+  };
+}
+
+/**
+ * pricing.format(amount_minor, currency, opts?) → localized string
+ *
+ * Composes the upstream `b.money` primitive so the storefront's
+ * locale + currency rendering is consistent with the framework's
+ * Money class. `b.money.fromMinorUnits(bigint, currency)` carries
+ * the ISO 4217 exponent for free (JPY = 0, USD = 2, etc.) and
+ * `.format(locale)` runs through `Intl.NumberFormat` with the
+ * currency-correct minimum + maximum fraction digits.
+ *
+ * `opts.locale` overrides the default BCP 47 locale tag. Other
+ * opts are reserved for future extension (locale-bound symbols /
+ * format-as-units distinct from currency, etc.).
+ */
+function format(amountMinor, currency, opts) {
+  _assertNonNegInt(amountMinor, "amount_minor");
+  _assertCurrency(currency);
+  opts = opts || {};
+  var locale = opts.locale || "en-US";
+  // b.money.fromMinorUnits accepts BigInt minor units; coerce the
+  // Number-minor-unit at the boundary. Number is safe up to
+  // ~9 × 10^15; practical cart totals are well below.
+  var money = _b().money.fromMinorUnits(BigInt(amountMinor), currency);
+  return money.format(locale);
+}
+
+module.exports = {
+  lineTotal: lineTotal,
+  subtotal:  subtotal,
+  totals:    totals,
+  format:    format,
+};

package/lib/r2-bridge.js

@@ -0,0 +1,169 @@
+"use strict";
+/**
+ * @module shop.r2Bridge
+ * @title  R2 upload bridge — container → Worker → R2
+ *
+ * @intro
+ *   Container-side adapter that POSTs binary bodies to the Worker's
+ *   `/_/r2/put` endpoint. The Worker holds the R2 binding (the
+ *   container never carries an R2 API token); the bridge call is
+ *   authenticated with the same shared-secret header the D1 bridge
+ *   uses, so a misconfigured route can never accept arbitrary uploads
+ *   from anywhere other than the bound container.
+ *
+ *   Composed on `b.httpClient.request` so the outbound call inherits
+ *   the SSRF gate, retry policy, circuit breaker, TLS 1.3 minimum, and
+ *   ALPN-negotiated HTTP/2 transport. No npm dependency.
+ *
+ *       var r2 = require("blamejs-shop").r2Bridge.create({
+ *         bridgeUrl:    process.env.D1_BRIDGE_URL,
+ *         bridgeSecret: process.env.D1_BRIDGE_SECRET,
+ *         bridgePath:   "/_/r2/put",
+ *       });
+ *       var rec = await r2.put("media/abc.png", buf, "image/png");
+ *       // → { ok: true, key: "media/abc.png", size: 1024 }
+ *
+ *   The Worker side accepts POST with a binary body plus two headers:
+ *   `X-R2-Key` (the object key) and `X-R2-Content-Type` (the MIME type
+ *   to persist in R2 object metadata). The shared secret rides in
+ *   `x-d1-bridge-secret` — same header name the D1 bridge uses so the
+ *   operator has one secret to rotate, not two.
+ */
+
+var DEFAULT_TIMEOUT_MS  = 15000;
+var DEFAULT_BRIDGE_PATH = "/_/r2/put";
+var MAX_KEY_LENGTH      = 1024;
+var MAX_CONTENT_TYPE    = 255;
+
+var _bShop;
+function _b() {
+  if (!_bShop) _bShop = require("./index");
+  return _bShop.framework;
+}
+
+function _validateOpts(opts) {
+  if (!opts || typeof opts !== "object") {
+    throw new TypeError("r2Bridge.create({ opts }) — opts must be an object");
+  }
+  if (typeof opts.bridgeUrl !== "string" || !opts.bridgeUrl.length) {
+    throw new TypeError("r2Bridge.create — bridgeUrl required");
+  }
+  if (typeof opts.bridgeSecret !== "string" || !opts.bridgeSecret.length) {
+    throw new TypeError("r2Bridge.create — bridgeSecret required");
+  }
+  if (opts.bridgePath !== undefined && typeof opts.bridgePath !== "string") {
+    throw new TypeError("r2Bridge.create — bridgePath must be a string when provided");
+  }
+  if (opts.timeoutMs !== undefined && (typeof opts.timeoutMs !== "number" || !isFinite(opts.timeoutMs) || opts.timeoutMs <= 0)) {
+    throw new TypeError("r2Bridge.create — timeoutMs must be a positive number");
+  }
+  if (opts.httpClient !== undefined && (!opts.httpClient || typeof opts.httpClient.request !== "function")) {
+    throw new TypeError("r2Bridge.create — httpClient override must expose .request(...)");
+  }
+}
+
+function _validatePutArgs(key, body, contentType) {
+  if (typeof key !== "string" || !key.length) {
+    throw new TypeError("r2Bridge.put: key must be a non-empty string");
+  }
+  if (key.length > MAX_KEY_LENGTH) {
+    throw new TypeError("r2Bridge.put: key exceeds " + MAX_KEY_LENGTH + " chars");
+  }
+  if (key.indexOf("..") !== -1 || key.charAt(0) === "/") {
+    throw new TypeError("r2Bridge.put: key must be a relative path (no leading slash, no '..' segments)");
+  }
+  if (body == null) {
+    throw new TypeError("r2Bridge.put: body required");
+  }
+  if (!Buffer.isBuffer(body) && typeof body !== "string" && !(body instanceof Uint8Array)) {
+    throw new TypeError("r2Bridge.put: body must be Buffer | Uint8Array | string");
+  }
+  if (typeof contentType !== "string" || !contentType.length) {
+    throw new TypeError("r2Bridge.put: contentType must be a non-empty string");
+  }
+  if (contentType.length > MAX_CONTENT_TYPE) {
+    throw new TypeError("r2Bridge.put: contentType exceeds " + MAX_CONTENT_TYPE + " chars");
+  }
+  // RFC 7231 media-type shape — type/subtype with optional parameters.
+  // Stops control bytes / line breaks from being smuggled into the
+  // Worker's bound metadata.
+  if (!/^[\w.+\-]+\/[\w.+\-]+(?:\s*;\s*[\w.+\-]+=[\w.+\-"]+)*$/.test(contentType)) {
+    throw new TypeError("r2Bridge.put: contentType must match `type/subtype` shape");
+  }
+}
+
+function _httpErr(status, label) {
+  var e = new Error("r2Bridge: " + label + " failed with HTTP " + status);
+  e.code = "R2_HTTP_" + status;
+  e.status = status;
+  return e;
+}
+
+function create(opts) {
+  _validateOpts(opts);
+  var url        = opts.bridgeUrl.replace(/\/+$/, "") + (opts.bridgePath || DEFAULT_BRIDGE_PATH);
+  var secret     = opts.bridgeSecret;
+  var timeoutMs  = opts.timeoutMs || DEFAULT_TIMEOUT_MS;
+  var httpClient = opts.httpClient || _b().httpClient;
+
+  return {
+    put: async function (key, body, contentType) {
+      _validatePutArgs(key, body, contentType);
+      var buf = Buffer.isBuffer(body) ? body
+              : body instanceof Uint8Array ? Buffer.from(body)
+              : Buffer.from(body, "utf8");
+      var res;
+      try {
+        res = await httpClient.request({
+          method:    "POST",
+          url:       url,
+          headers:   {
+            "content-type":        "application/octet-stream",
+            "content-length":      buf.length,
+            "x-d1-bridge-secret":  secret,
+            "x-r2-key":            key,
+            "x-r2-content-type":   contentType,
+            "accept":               "application/json",
+          },
+          body:      buf,
+          timeoutMs: timeoutMs,
+        });
+      } catch (e) {
+        // Network / abort / timeout / SSRF refusal — surface as typed.
+        if (e && e.name === "AbortError") {
+          var t = new Error("r2Bridge: upload timed out after " + timeoutMs + "ms");
+          t.code = "R2_TIMEOUT";
+          throw t;
+        }
+        if (e && !e.code) e.code = "R2_NETWORK_ERROR";
+        throw e;
+      }
+      var text = res.body && res.body.toString ? res.body.toString("utf8") : "";
+      var json = null;
+      try { json = text.length ? JSON.parse(text) : null; } catch (_e) { json = null; }
+      if (res.statusCode < 200 || res.statusCode >= 300) {
+        var err = _httpErr(res.statusCode, "upload");
+        if (json && json.error) {
+          err.code = json.error;
+          err.message += " — " + json.error;
+        }
+        if (json && json.message) {
+          err.message += ": " + json.message;
+        }
+        throw err;
+      }
+      if (!json || json.ok !== true || typeof json.key !== "string") {
+        var ee = new Error("r2Bridge: upload returned malformed JSON envelope");
+        ee.code = "R2_BAD_RESPONSE";
+        throw ee;
+      }
+      return {
+        ok:   true,
+        key:  json.key,
+        size: typeof json.size === "number" ? json.size : buf.length,
+      };
+    },
+  };
+}
+
+module.exports = { create: create };