@blamejs/blamejs-shop 0.0.59 → 0.0.61

package/lib/webhook-subscriptions.js

@@ -0,0 +1,565 @@
+"use strict";
+/**
+ * @module shop.webhookSubscriptions
+ * @title  Webhook subscription registry — owner-scoped fan-out targets
+ *
+ * @intro
+ *   The webhook subscription registry is the registration layer for
+ *   outbound webhook fan-out. Operators (or third-party apps wiring
+ *   integrations on behalf of the operator, or customers opting in to
+ *   self-service notifications) call `subscribe(...)` to register an
+ *   endpoint + event-type filter + signing-secret pair; when the
+ *   framework emits an event, the delivery primitive
+ *   (`lib/webhooks.js`) calls `subscriptionsForEvent(eventType)` to
+ *   build the fan-out set.
+ *
+ *   Distinct from the `webhooks` primitive — that primitive owns
+ *   delivery, retry, DLQ, and signature signing. This primitive owns
+ *   the registration FSM (active / paused), the signing-secret rotation
+ *   surface (with a 24h grace where the previous secret is also
+ *   accepted), and the owner-scoped listing surface.
+ *
+ *   Signing-secret posture — `signing_secret` is generated by the
+ *   framework via `b.crypto.generateBytes(32)` (base64url-encoded). The
+ *   plaintext is returned ONCE on `subscribe(...)` and ONCE on
+ *   `rotateSecret(...)`; at rest the framework keeps a SHA3-512
+ *   namespace hash (`b.crypto.namespaceHash("webhook-signing-secret",
+ *   plaintext)`). The delivery primitive does not need the plaintext
+ *   at sign time — it composes the hash + an HMAC binding the row id
+ *   into the signed envelope. Storing the hash (not the plaintext)
+ *   means a database compromise doesn't leak active signing material.
+ *
+ *   Rotation grace — `rotateSecret(...)` stores the new hash in
+ *   `signing_secret_hash` AND preserves the prior hash in
+ *   `signing_secret_previous_hash` with `signing_secret_rotated_at`
+ *   stamped to the rotation moment. Operators rolling a secret give
+ *   their downstream receivers 24h to switch over; after the grace
+ *   expires, the previous hash is cleared lazily on the next mutation
+ *   of the row (or eagerly via `expireRotationGrace`).
+ *
+ *   Composes only blamejs primitives:
+ *     - `b.guardUuid`            — UUID-shape validation
+ *     - `b.safeUrl.parse`        — https-only endpoint validation
+ *     - `b.crypto.generateBytes` — uniform draw for signing secrets
+ *     - `b.crypto.namespaceHash` — SHA3-512 namespaced hashing
+ *     - `b.uuid.v7`              — row ids
+ *
+ * @primitive webhookSubscriptions
+ * @related   webhooks, b.guardUuid, b.safeUrl, b.crypto
+ */
+
+var OWNER_TYPES         = Object.freeze(["operator", "app", "customer"]);
+var MAX_OWNER_ID_LEN    = 200;
+var MAX_NAME_LEN        = 200;
+var MAX_EVENT_TYPE_LEN  = 200;
+var MAX_EVENT_TYPES     = 64;
+var MAX_ENDPOINT_URL_LEN = 2048;
+var SECRET_BYTES        = 32;
+var SECRET_NAMESPACE    = "webhook-signing-secret";
+var ROTATION_GRACE_MS   = 24 * 60 * 60 * 1000;
+
+var WILDCARD_EVENT = "*";
+
+// Control bytes + zero-width / direction-override family. Subscription
+// names + event_type strings render in operator dashboards; embedded
+// control bytes are a slipping-class for header injection + visual
+// spoofing downstream. Spelled with \u-escapes so ESLint's
+// no-irregular-whitespace stays happy.
+var CONTROL_BYTE_RE = /[\x00-\x1f\x7f]/;
+var ZERO_WIDTH_RE = new RegExp(
+  "[\\u200B-\\u200F\\u202A-\\u202E\\u2060-\\u2064\\u2066-\\u2069\\uFEFF\\u061C]"
+);
+
+// Event-type identifier shape — `domain.action[.qualifier]` segments
+// of ASCII letters / digits / underscore, joined by `.`. The wildcard
+// `*` is handled separately. The cap is generous (200 chars) but the
+// segment shape is tight so a smuggled control byte / whitespace /
+// path-traversal token never lands in the JSON blob.
+var EVENT_TYPE_RE = /^[a-z][a-z0-9_]*(?:\.[a-z][a-z0-9_]*)*$/;
+
+var ALLOWED_UPDATE_COLUMNS = Object.freeze([
+  "endpoint_url", "event_types", "name",
+]);
+
+// Lazy framework handle — matches the pattern every other shop
+// primitive uses; avoids the require cycle that would arise from
+// importing `./index` at module-eval time.
+var bShop;
+function _b() {
+  if (!bShop) bShop = require("./index");
+  return bShop.framework;
+}
+
+function _now() { return Date.now(); }
+
+// ---- validators ---------------------------------------------------------
+
+function _uuid(s, label) {
+  try { return _b().guardUuid.sanitize(s, { profile: "strict" }); }
+  catch (e) { throw new TypeError("webhookSubscriptions: " + label + " — " + (e && e.message || "invalid UUID")); }
+}
+
+function _ownerType(s) {
+  if (typeof s !== "string" || OWNER_TYPES.indexOf(s) === -1) {
+    throw new TypeError("webhookSubscriptions: owner_type must be one of " + OWNER_TYPES.join(", "));
+  }
+  return s;
+}
+
+function _ownerId(s) {
+  if (typeof s !== "string") {
+    throw new TypeError("webhookSubscriptions: owner_id must be a string");
+  }
+  var trimmed = s.trim();
+  if (!trimmed.length) {
+    throw new TypeError("webhookSubscriptions: owner_id must be non-empty after trim");
+  }
+  if (s.length > MAX_OWNER_ID_LEN) {
+    throw new TypeError("webhookSubscriptions: owner_id must be <= " + MAX_OWNER_ID_LEN + " characters");
+  }
+  if (CONTROL_BYTE_RE.test(s) || ZERO_WIDTH_RE.test(s)) {
+    throw new TypeError("webhookSubscriptions: owner_id contains control / zero-width bytes");
+  }
+  return s;
+}
+
+function _endpointUrl(url) {
+  if (typeof url !== "string" || url.length === 0) {
+    throw new TypeError("webhookSubscriptions: endpoint_url must be a non-empty string");
+  }
+  if (url.length > MAX_ENDPOINT_URL_LEN) {
+    throw new TypeError("webhookSubscriptions: endpoint_url must be <= " + MAX_ENDPOINT_URL_LEN + " characters");
+  }
+  // safeUrl.parse defaults to ALLOW_HTTP_TLS (https only). The framework
+  // refuses http:// + non-http schemes + user:pass@ userinfo + bracketed
+  // raw-IP forms at this gate — no separate validation needed here.
+  try {
+    _b().safeUrl.parse(url);
+  } catch (e) {
+    throw new TypeError("webhookSubscriptions: endpoint_url — " + (e && e.message || "rejected"));
+  }
+  return url;
+}
+
+function _eventTypesArray(input) {
+  if (!Array.isArray(input)) {
+    throw new TypeError("webhookSubscriptions: event_types must be a non-empty array");
+  }
+  if (input.length === 0) {
+    throw new TypeError("webhookSubscriptions: event_types must list at least one event type");
+  }
+  if (input.length > MAX_EVENT_TYPES) {
+    throw new TypeError("webhookSubscriptions: event_types must be <= " + MAX_EVENT_TYPES + " entries");
+  }
+  var out = [];
+  var seen = {};
+  for (var i = 0; i < input.length; i += 1) {
+    var et = input[i];
+    if (typeof et !== "string" || et.length === 0) {
+      throw new TypeError("webhookSubscriptions: event_types[" + i + "] must be a non-empty string");
+    }
+    if (et.length > MAX_EVENT_TYPE_LEN) {
+      throw new TypeError("webhookSubscriptions: event_types[" + i + "] must be <= " + MAX_EVENT_TYPE_LEN + " characters");
+    }
+    if (et !== WILDCARD_EVENT && !EVENT_TYPE_RE.test(et)) {
+      throw new TypeError("webhookSubscriptions: event_types[" + i + "] must match domain.action segment shape or be '*'");
+    }
+    if (Object.prototype.hasOwnProperty.call(seen, et)) {
+      throw new TypeError("webhookSubscriptions: event_types[" + i + "] is a duplicate of an earlier entry");
+    }
+    seen[et] = true;
+    out.push(et);
+  }
+  return out;
+}
+
+function _name(s) {
+  if (s == null) return null;
+  if (typeof s !== "string") {
+    throw new TypeError("webhookSubscriptions: name must be a string or null");
+  }
+  if (s.length === 0) return null;
+  if (s.length > MAX_NAME_LEN) {
+    throw new TypeError("webhookSubscriptions: name must be <= " + MAX_NAME_LEN + " characters");
+  }
+  if (CONTROL_BYTE_RE.test(s) || ZERO_WIDTH_RE.test(s)) {
+    throw new TypeError("webhookSubscriptions: name contains control / zero-width bytes");
+  }
+  return s;
+}
+
+function _activeFlag(v) {
+  if (v === true || v === 1)  return 1;
+  if (v === false || v === 0) return 0;
+  throw new TypeError("webhookSubscriptions: active must be boolean / 0 / 1");
+}
+
+function _signingSecret(s) {
+  // Operator-supplied secret on subscribe — optional override path.
+  // Must be at least 32 chars (256 bits at 8 bits/char minimum) so an
+  // accidentally-weak passphrase doesn't sneak past the registration
+  // gate. The framework's default (b.crypto.generateBytes) produces a
+  // 43-char base64url string; the floor lets operators paste a hex
+  // secret of equivalent strength without rejecting reasonable inputs.
+  if (typeof s !== "string") {
+    throw new TypeError("webhookSubscriptions: signing_secret must be a string when provided");
+  }
+  if (s.length < 32) {
+    throw new TypeError("webhookSubscriptions: signing_secret must be >= 32 characters");
+  }
+  if (s.length > 512) {
+    throw new TypeError("webhookSubscriptions: signing_secret must be <= 512 characters");
+  }
+  if (CONTROL_BYTE_RE.test(s) || ZERO_WIDTH_RE.test(s)) {
+    throw new TypeError("webhookSubscriptions: signing_secret contains control / zero-width bytes");
+  }
+  return s;
+}
+
+// ---- secret generation + hashing ----------------------------------------
+
+function _generateSecret() {
+  // base64url alphabet so the operator can paste the secret into a
+  // header / curl invocation without shell-escaping. b.crypto.generateBytes
+  // returns a Node Buffer; the framework's standard base64url encoding
+  // path is .toString("base64url") which is unpadded by design.
+  return _b().crypto.generateBytes(SECRET_BYTES).toString("base64url");
+}
+
+function _hashSecret(plaintext) {
+  return _b().crypto.namespaceHash(SECRET_NAMESPACE, plaintext);
+}
+
+// ---- factory ------------------------------------------------------------
+
+function create(opts) {
+  opts = opts || {};
+  var query = opts.query;
+  if (!query) {
+    query = function (sql, params) { return _b().externalDb.query(sql, params); };
+  }
+  // Injectable clock — tests fast-forward through the 24h rotation
+  // grace by passing a synthetic `now()` that jumps ahead by the
+  // grace interval. Production callers leave it undefined and pick up
+  // the wall clock.
+  var nowFn = (typeof opts.now === "function") ? opts.now : _now;
+
+  async function _getSubscriptionRaw(id) {
+    var r = await query("SELECT * FROM webhook_subscriptions WHERE id = ?1", [id]);
+    return r.rows[0] || null;
+  }
+
+  // Strip an expired rotation grace lazily — any mutation that touches
+  // a row whose `signing_secret_previous_hash` is older than the
+  // grace window discards the previous hash. The receiver was given a
+  // full grace cycle to roll forward; further reads of the previous
+  // hash would be a security smell (a longer-than-stated grace lets a
+  // leaked-old-secret attacker linger).
+  function _maybeExpireGrace(row, now) {
+    if (!row) return row;
+    if (row.signing_secret_previous_hash == null) return row;
+    var rotatedAt = Number(row.signing_secret_rotated_at);
+    if (!isFinite(rotatedAt)) return row;
+    if (now - rotatedAt < ROTATION_GRACE_MS) return row;
+    // The previous hash is expired but we have not yet been asked to
+    // mutate the row. Return a synthesized view that hides the
+    // expired previous hash; the persistent clear happens the next
+    // time the row is updated through the primitive's mutators.
+    var view = {};
+    var keys = Object.keys(row);
+    for (var i = 0; i < keys.length; i += 1) {
+      view[keys[i]] = row[keys[i]];
+    }
+    view.signing_secret_previous_hash = null;
+    return view;
+  }
+
+  return {
+    OWNER_TYPES:           OWNER_TYPES.slice(),
+    MAX_OWNER_ID_LEN:      MAX_OWNER_ID_LEN,
+    MAX_NAME_LEN:          MAX_NAME_LEN,
+    MAX_EVENT_TYPES:       MAX_EVENT_TYPES,
+    MAX_EVENT_TYPE_LEN:    MAX_EVENT_TYPE_LEN,
+    MAX_ENDPOINT_URL_LEN:  MAX_ENDPOINT_URL_LEN,
+    SECRET_BYTES:          SECRET_BYTES,
+    SECRET_NAMESPACE:      SECRET_NAMESPACE,
+    ROTATION_GRACE_MS:     ROTATION_GRACE_MS,
+    WILDCARD_EVENT:        WILDCARD_EVENT,
+
+    subscribe: async function (input) {
+      if (!input || typeof input !== "object") {
+        throw new TypeError("webhookSubscriptions.subscribe: input object required");
+      }
+      var ownerType  = _ownerType(input.owner_type);
+      var ownerId    = _ownerId(input.owner_id);
+      var endpointUrl = _endpointUrl(input.endpoint_url);
+      var eventTypes = _eventTypesArray(input.event_types);
+      var name       = _name(input.name);
+      var active = 1;
+      if (Object.prototype.hasOwnProperty.call(input, "active")) {
+        active = _activeFlag(input.active);
+      }
+
+      var plaintext;
+      if (Object.prototype.hasOwnProperty.call(input, "signing_secret") &&
+          input.signing_secret != null) {
+        plaintext = _signingSecret(input.signing_secret);
+      } else {
+        plaintext = _generateSecret();
+      }
+      var secretHash = _hashSecret(plaintext);
+
+      var id = _b().uuid.v7();
+      var ts = nowFn();
+      await query(
+        "INSERT INTO webhook_subscriptions " +
+        "(id, owner_type, owner_id, endpoint_url, event_types_json, " +
+        " signing_secret_hash, signing_secret_previous_hash, " +
+        " signing_secret_rotated_at, name, active, paused_at, " +
+        " created_at, updated_at) " +
+        "VALUES (?1, ?2, ?3, ?4, ?5, ?6, NULL, NULL, ?7, ?8, NULL, ?9, ?9)",
+        [id, ownerType, ownerId, endpointUrl, JSON.stringify(eventTypes),
+         secretHash, name, active, ts],
+      );
+      var row = await _getSubscriptionRaw(id);
+      // Return the row PLUS the plaintext secret — the operator must
+      // capture it now; the framework never reveals it again.
+      return {
+        subscription:    row,
+        signing_secret:  plaintext,
+      };
+    },
+
+    get: async function (subscriptionId) {
+      var id = _uuid(subscriptionId, "subscription_id");
+      var row = await _getSubscriptionRaw(id);
+      if (!row) return null;
+      return _maybeExpireGrace(row, nowFn());
+    },
+
+    listForOwner: async function (listOpts) {
+      if (!listOpts || typeof listOpts !== "object") {
+        throw new TypeError("webhookSubscriptions.listForOwner: input object required");
+      }
+      var ownerType = _ownerType(listOpts.owner_type);
+      var ownerId   = _ownerId(listOpts.owner_id);
+      var r = await query(
+        "SELECT * FROM webhook_subscriptions " +
+        "WHERE owner_type = ?1 AND owner_id = ?2 " +
+        "ORDER BY created_at DESC, id DESC",
+        [ownerType, ownerId],
+      );
+      var now = nowFn();
+      return r.rows.map(function (row) { return _maybeExpireGrace(row, now); });
+    },
+
+    // Fan-out helper — the delivery primitive calls this at emit time
+    // to build the subscription set whose event_types_json contains
+    // either the wildcard `*` or the literal event_type being sent.
+    // Returns only active subscriptions (paused / inactive rows do
+    // NOT receive deliveries). Returns the rows in insertion order
+    // so a multi-subscription receiver sees a stable fan-out shape.
+    subscriptionsForEvent: async function (eventType) {
+      if (typeof eventType !== "string" || eventType.length === 0) {
+        throw new TypeError("webhookSubscriptions.subscriptionsForEvent: eventType must be a non-empty string");
+      }
+      // Don't validate against EVENT_TYPE_RE here — operators may emit
+      // a custom event type from a future primitive and we'd rather
+      // route it through subscribed receivers (whose subscription was
+      // already validated at subscribe time) than reject the emit.
+      // The cheap shape gate (non-empty string) is enough to keep the
+      // SQL safe; the JSON-membership match below is exact-string.
+      var r = await query(
+        "SELECT * FROM webhook_subscriptions WHERE active = 1",
+        [],
+      );
+      var out = [];
+      var now = nowFn();
+      for (var i = 0; i < r.rows.length; i += 1) {
+        var row = r.rows[i];
+        var list;
+        try { list = JSON.parse(row.event_types_json); }
+        catch (_e) { continue; }                                       // allow:empty-catch-swallow — drop-silent: a malformed JSON cell never reached us through `subscribe()`, but if the operator manually edited the DB we skip the row rather than crash the fan-out
+        if (!Array.isArray(list)) continue;
+        var match = false;
+        for (var j = 0; j < list.length; j += 1) {
+          if (list[j] === WILDCARD_EVENT || list[j] === eventType) {
+            match = true;
+            break;
+          }
+        }
+        if (match) out.push(_maybeExpireGrace(row, now));
+      }
+      return out;
+    },
+
+    pauseSubscription: async function (subscriptionId) {
+      var id = _uuid(subscriptionId, "subscription_id");
+      var current = await _getSubscriptionRaw(id);
+      if (!current) return null;
+      var ts = nowFn();
+      var prevHash = current.signing_secret_previous_hash;
+      var rotatedAt = current.signing_secret_rotated_at;
+      if (prevHash != null && rotatedAt != null &&
+          (ts - Number(rotatedAt)) >= ROTATION_GRACE_MS) {
+        prevHash = null;
+        rotatedAt = null;
+      }
+      await query(
+        "UPDATE webhook_subscriptions SET active = 0, paused_at = ?1, " +
+        "signing_secret_previous_hash = ?2, signing_secret_rotated_at = ?3, " +
+        "updated_at = ?1 WHERE id = ?4",
+        [ts, prevHash, rotatedAt, id],
+      );
+      return await _getSubscriptionRaw(id);
+    },
+
+    resumeSubscription: async function (subscriptionId) {
+      var id = _uuid(subscriptionId, "subscription_id");
+      var current = await _getSubscriptionRaw(id);
+      if (!current) return null;
+      var ts = nowFn();
+      var prevHash = current.signing_secret_previous_hash;
+      var rotatedAt = current.signing_secret_rotated_at;
+      if (prevHash != null && rotatedAt != null &&
+          (ts - Number(rotatedAt)) >= ROTATION_GRACE_MS) {
+        prevHash = null;
+        rotatedAt = null;
+      }
+      await query(
+        "UPDATE webhook_subscriptions SET active = 1, paused_at = NULL, " +
+        "signing_secret_previous_hash = ?1, signing_secret_rotated_at = ?2, " +
+        "updated_at = ?3 WHERE id = ?4",
+        [prevHash, rotatedAt, ts, id],
+      );
+      return await _getSubscriptionRaw(id);
+    },
+
+    // Patch-style update — only ALLOWED_UPDATE_COLUMNS can be set.
+    // owner_type / owner_id are immutable post-subscribe (changing the
+    // owner would orphan downstream receivers + invalidate auth on the
+    // app surface). Signing secret rotation goes through rotateSecret;
+    // active flag goes through pause / resume.
+    update: async function (subscriptionId, patch) {
+      var id = _uuid(subscriptionId, "subscription_id");
+      if (!patch || typeof patch !== "object") {
+        throw new TypeError("webhookSubscriptions.update: patch object required");
+      }
+      var keys = Object.keys(patch);
+      if (!keys.length) {
+        throw new TypeError("webhookSubscriptions.update: patch must contain at least one column");
+      }
+      for (var i = 0; i < keys.length; i += 1) {
+        if (ALLOWED_UPDATE_COLUMNS.indexOf(keys[i]) === -1) {
+          throw new TypeError("webhookSubscriptions.update: column '" + keys[i] + "' not updatable");
+        }
+      }
+
+      var current = await _getSubscriptionRaw(id);
+      if (!current) return null;
+
+      var sets   = [];
+      var params = [];
+      var idx    = 1;
+      function _set(col, val) {
+        sets.push(col + " = ?" + idx);
+        params.push(val);
+        idx += 1;
+      }
+      if (Object.prototype.hasOwnProperty.call(patch, "endpoint_url")) {
+        _set("endpoint_url", _endpointUrl(patch.endpoint_url));
+      }
+      if (Object.prototype.hasOwnProperty.call(patch, "event_types")) {
+        var nextTypes = _eventTypesArray(patch.event_types);
+        _set("event_types_json", JSON.stringify(nextTypes));
+      }
+      if (Object.prototype.hasOwnProperty.call(patch, "name")) {
+        _set("name", _name(patch.name));
+      }
+
+      var ts = nowFn();
+      // Lazy grace-expiry — if the previous hash is past its window,
+      // clear it as part of this mutation so the operator doesn't see
+      // a longer-than-stated grace via direct row inspection.
+      if (current.signing_secret_previous_hash != null &&
+          current.signing_secret_rotated_at != null &&
+          (ts - Number(current.signing_secret_rotated_at)) >= ROTATION_GRACE_MS) {
+        _set("signing_secret_previous_hash", null);
+        _set("signing_secret_rotated_at",    null);
+      }
+      _set("updated_at", ts);
+      params.push(id);
+      var sql = "UPDATE webhook_subscriptions SET " + sets.join(", ") +
+                " WHERE id = ?" + idx;
+      await query(sql, params);
+      return await _getSubscriptionRaw(id);
+    },
+
+    unsubscribe: async function (subscriptionId) {
+      var id = _uuid(subscriptionId, "subscription_id");
+      var r = await query(
+        "DELETE FROM webhook_subscriptions WHERE id = ?1", [id]
+      );
+      return r.rowCount > 0;
+    },
+
+    // Rotate the signing secret — generate a new plaintext, hash it
+    // into `signing_secret_hash`, preserve the prior hash in
+    // `signing_secret_previous_hash` with the rotation timestamp.
+    // Returns the new plaintext ONCE; the framework never reveals it
+    // again. The grace window means the delivery primitive can
+    // verify with EITHER hash for the next 24h — receivers rolling
+    // forward to the new secret don't see a hard cutover.
+    rotateSecret: async function (subscriptionId) {
+      var id = _uuid(subscriptionId, "subscription_id");
+      var current = await _getSubscriptionRaw(id);
+      if (!current) return null;
+      var plaintext = _generateSecret();
+      var newHash   = _hashSecret(plaintext);
+      var ts = nowFn();
+      await query(
+        "UPDATE webhook_subscriptions SET signing_secret_hash = ?1, " +
+        "signing_secret_previous_hash = ?2, signing_secret_rotated_at = ?3, " +
+        "updated_at = ?3 WHERE id = ?4",
+        [newHash, current.signing_secret_hash, ts, id],
+      );
+      var row = await _getSubscriptionRaw(id);
+      return {
+        subscription:   row,
+        signing_secret: plaintext,
+      };
+    },
+
+    // Operator-callable + scheduler-callable — sweeps any row whose
+    // rotation grace has expired and clears the previous hash + the
+    // rotation timestamp. The lazy expiry on read/mutation covers the
+    // common case; this sweep is for deployments wiring a periodic
+    // task to keep the at-rest schema tidy.
+    expireRotationGrace: async function (procOpts) {
+      var now = (procOpts && typeof procOpts.now === "number") ? procOpts.now : nowFn();
+      var cutoff = now - ROTATION_GRACE_MS;
+      await query(
+        "UPDATE webhook_subscriptions SET signing_secret_previous_hash = NULL, " +
+        "signing_secret_rotated_at = NULL, updated_at = ?1 " +
+        "WHERE signing_secret_previous_hash IS NOT NULL " +
+        "AND signing_secret_rotated_at IS NOT NULL " +
+        "AND signing_secret_rotated_at <= ?2",
+        [now, cutoff],
+      );
+    },
+  };
+}
+
+module.exports = {
+  create:                create,
+  OWNER_TYPES:           OWNER_TYPES.slice(),
+  MAX_OWNER_ID_LEN:      MAX_OWNER_ID_LEN,
+  MAX_NAME_LEN:          MAX_NAME_LEN,
+  MAX_EVENT_TYPES:       MAX_EVENT_TYPES,
+  MAX_EVENT_TYPE_LEN:    MAX_EVENT_TYPE_LEN,
+  MAX_ENDPOINT_URL_LEN:  MAX_ENDPOINT_URL_LEN,
+  SECRET_BYTES:          SECRET_BYTES,
+  SECRET_NAMESPACE:      SECRET_NAMESPACE,
+  ROTATION_GRACE_MS:     ROTATION_GRACE_MS,
+  WILDCARD_EVENT:        WILDCARD_EVENT,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.0.59",
+  "version": "0.0.61",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {