@datacline/langos-sdk-node 0.2.0-alpha.1

package/dist/index.mjs

@@ -0,0 +1,758 @@
+import { createHmac, timingSafeEqual, randomUUID } from 'crypto';
+
+// src/core/errors.ts
+var LangosError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "LangosError";
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+};
+var LangosAPIError = class _LangosAPIError extends LangosError {
+  status;
+  code;
+  requestId;
+  headers;
+  body;
+  errors;
+  constructor(status, body, headers, fallbackMessage) {
+    super(body?.detail || body?.title || fallbackMessage);
+    this.name = "LangosAPIError";
+    this.status = status;
+    this.code = body?.code;
+    this.requestId = body?.request_id || headers.get("x-request-id") || void 0;
+    this.headers = headers;
+    this.body = body;
+    this.errors = body?.errors;
+  }
+  /**
+   * Typed accessor for 402 `quota_exceeded` errors. Returns the structured
+   * details payload (sessions used/limit, reset timestamp, upgrade URL, plan
+   * tier) when the error matches; otherwise `null`.
+   *
+   * Use this instead of reaching into `err.body` to render upgrade prompts.
+   */
+  get quotaDetails() {
+    if (this.status !== 402 || this.code !== "quota_exceeded" || !this.body) return null;
+    const b = this.body;
+    if (typeof b.sessions_used !== "number" || typeof b.sessions_limit !== "number") return null;
+    return {
+      sessions_used: b.sessions_used,
+      sessions_limit: b.sessions_limit,
+      reset_at: typeof b.reset_at === "string" ? b.reset_at : "",
+      upgrade_url: typeof b.upgrade_url === "string" ? b.upgrade_url : null,
+      plan_tier: typeof b.plan_tier === "string" ? b.plan_tier : ""
+    };
+  }
+  /**
+   * Typed accessor for 403 `feature_not_available` errors. Returns the gated
+   * feature key and an upgrade URL; otherwise `null`.
+   */
+  get featureDetails() {
+    if (this.status !== 403 || this.code !== "feature_not_available" || !this.body) return null;
+    const b = this.body;
+    if (typeof b.feature !== "string") return null;
+    return {
+      feature: b.feature,
+      upgrade_url: typeof b.upgrade_url === "string" ? b.upgrade_url : null
+    };
+  }
+  static from(status, body, headers) {
+    const parsed = body && typeof body === "object" ? body : void 0;
+    switch (status) {
+      case 400:
+        return new LangosBadRequestError(status, parsed, headers, "Bad Request");
+      case 401:
+        return new LangosAuthenticationError(status, parsed, headers, "Unauthorized");
+      case 403:
+        return new LangosForbiddenError(status, parsed, headers, "Forbidden");
+      case 404:
+        return new LangosNotFoundError(status, parsed, headers, "Not Found");
+      case 409:
+        return new LangosConflictError(status, parsed, headers, "Conflict");
+      case 422:
+        return new LangosBadRequestError(status, parsed, headers, "Unprocessable Entity");
+      case 429: {
+        const retryAfterRaw = headers.get("retry-after");
+        const retryAfter = retryAfterRaw ? parseInt(retryAfterRaw, 10) : void 0;
+        return new LangosRateLimitError(
+          status,
+          parsed,
+          headers,
+          "Rate limit exceeded",
+          Number.isFinite(retryAfter) ? retryAfter : void 0
+        );
+      }
+      default:
+        if (status >= 500) {
+          return new LangosServerError(status, parsed, headers, "Server Error");
+        }
+        return new _LangosAPIError(status, parsed, headers, `HTTP ${status}`);
+    }
+  }
+};
+function tagged(Cls, tag) {
+  return class extends Cls {
+    constructor(...args) {
+      super(...args);
+      this.name = tag;
+    }
+  };
+}
+var LangosAuthenticationError = tagged(LangosAPIError, "LangosAuthenticationError");
+var LangosForbiddenError = tagged(LangosAPIError, "LangosForbiddenError");
+var LangosNotFoundError = tagged(LangosAPIError, "LangosNotFoundError");
+var LangosBadRequestError = tagged(LangosAPIError, "LangosBadRequestError");
+var LangosConflictError = tagged(LangosAPIError, "LangosConflictError");
+var LangosServerError = tagged(LangosAPIError, "LangosServerError");
+var LangosRateLimitError = class extends LangosAPIError {
+  retryAfter;
+  constructor(status, body, headers, fallback, retryAfter) {
+    super(status, body, headers, fallback);
+    this.name = "LangosRateLimitError";
+    this.retryAfter = retryAfter;
+  }
+};
+var LangosConnectionError = class extends LangosError {
+  cause;
+  constructor(message, cause) {
+    super(message);
+    this.name = "LangosConnectionError";
+    this.cause = cause;
+  }
+};
+var LangosTimeoutError = class extends LangosError {
+  timeoutMs;
+  constructor(timeoutMs) {
+    super(`Request timed out after ${timeoutMs}ms`);
+    this.name = "LangosTimeoutError";
+    this.timeoutMs = timeoutMs;
+  }
+};
+var LangosSignatureVerificationError = class extends LangosError {
+  constructor(reason) {
+    super(`Webhook signature verification failed: ${reason}`);
+    this.name = "LangosSignatureVerificationError";
+  }
+};
+
+// src/core/retry.ts
+var INITIAL_MS = 500;
+var MAX_MS = 8e3;
+function shouldRetry(status, isNetworkError) {
+  if (isNetworkError) return true;
+  if (status === null) return false;
+  if (status === 408 || status === 429) return true;
+  if (status >= 500 && status !== 501) return true;
+  return false;
+}
+function backoffDelay(attempt, retryAfterSeconds) {
+  if (retryAfterSeconds && retryAfterSeconds > 0) {
+    return Math.min(retryAfterSeconds * 1e3, MAX_MS * 4);
+  }
+  const base = Math.min(INITIAL_MS * Math.pow(2, attempt), MAX_MS);
+  return Math.floor(base * (0.5 + Math.random() * 0.5));
+}
+function sleep(ms, signal) {
+  return new Promise((resolve, reject) => {
+    setTimeout(resolve, ms);
+  });
+}
+var UNSAFE = /* @__PURE__ */ new Set(["POST", "PATCH", "DELETE", "PUT"]);
+function shouldAddIdempotencyKey(method, hasUserKey) {
+  if (hasUserKey) return false;
+  return UNSAFE.has(method.toUpperCase());
+}
+function newIdempotencyKey() {
+  return randomUUID();
+}
+
+// src/core/version.ts
+var version = "0.2.0-alpha.1";
+
+// src/core/request.ts
+async function makeRequest(cfg, req) {
+  const url = buildUrl(cfg.baseUrl, req.path, req.query);
+  const headers = buildHeaders(cfg, req);
+  const userMaxRetries = req.options?.maxRetries ?? cfg.maxRetries;
+  const userTimeout = req.options?.timeout ?? cfg.timeout;
+  const userSignal = req.options?.signal;
+  const bodyJson = req.body !== void 0 ? JSON.stringify(req.body) : void 0;
+  let attempt = 0;
+  while (true) {
+    const ac = new AbortController();
+    const onUserAbort = () => ac.abort();
+    if (userSignal) {
+      if (userSignal.aborted) ac.abort();
+      else userSignal.addEventListener("abort", onUserAbort, { once: true });
+    }
+    const timer = setTimeout(() => ac.abort(), userTimeout);
+    let response = null;
+    let networkError = null;
+    cfg.logger.debug({ method: req.method, url, attempt }, "langos request");
+    try {
+      response = await cfg.fetchImpl(url, {
+        method: req.method,
+        headers,
+        body: bodyJson,
+        signal: ac.signal
+      });
+    } catch (err) {
+      networkError = err;
+    } finally {
+      clearTimeout(timer);
+      if (userSignal) userSignal.removeEventListener("abort", onUserAbort);
+    }
+    if (networkError) {
+      const isTimeout = ac.signal.aborted && !userSignal?.aborted && networkError?.name === "AbortError";
+      if (userSignal?.aborted) throw networkError;
+      if (attempt < userMaxRetries && shouldRetry(null, true)) {
+        const delay = backoffDelay(attempt);
+        cfg.logger.debug({ delay, err: String(networkError) }, "langos retry (network)");
+        await sleep(delay);
+        attempt++;
+        continue;
+      }
+      if (isTimeout) throw new LangosTimeoutError(userTimeout);
+      throw new LangosConnectionError(
+        `Network error: ${networkError?.message || String(networkError)}`,
+        networkError
+      );
+    }
+    const status = response.status;
+    if (status >= 400) {
+      const retryAfterRaw = response.headers.get("retry-after");
+      const retryAfter = retryAfterRaw ? parseInt(retryAfterRaw, 10) : void 0;
+      const body = await safeReadJson(response);
+      if (attempt < userMaxRetries && shouldRetry(status, false)) {
+        const delay = backoffDelay(
+          attempt,
+          Number.isFinite(retryAfter) ? retryAfter : void 0
+        );
+        cfg.logger.debug({ delay, status }, "langos retry (status)");
+        await sleep(delay);
+        attempt++;
+        LangosAPIError.from(status, body, response.headers);
+        continue;
+      }
+      throw LangosAPIError.from(status, body, response.headers);
+    }
+    if (status === 204) return void 0;
+    const data = await safeReadJson(response);
+    return data;
+  }
+}
+function buildUrl(baseUrl, path, query) {
+  const trimmed = baseUrl.replace(/\/$/, "");
+  const url = new URL(`${trimmed}${path.startsWith("/") ? path : `/${path}`}`);
+  if (query) {
+    for (const [k, v] of Object.entries(query)) {
+      if (v !== void 0 && v !== null && v !== "") url.searchParams.set(k, String(v));
+    }
+  }
+  return url.toString();
+}
+function buildHeaders(cfg, req) {
+  const headers = new Headers();
+  headers.set("Authorization", `Bearer ${cfg.apiKey}`);
+  headers.set("Accept", "application/json");
+  if (req.body !== void 0) headers.set("Content-Type", "application/json");
+  headers.set("User-Agent", buildUserAgent(cfg));
+  if (cfg.telemetry !== false) {
+    headers.set(
+      "X-Langos-Client-Telemetry",
+      JSON.stringify({
+        lang: "node",
+        sdkVersion: version,
+        runtime: typeof process !== "undefined" ? `${process.platform}/${process.version}` : "unknown"
+      })
+    );
+  }
+  if (req.options?.idempotencyKey || shouldAddIdempotencyKey(req.method, !!req.options?.idempotencyKey)) {
+    headers.set("Idempotency-Key", req.options?.idempotencyKey ?? newIdempotencyKey());
+  }
+  for (const [k, v] of Object.entries(req.options?.headers ?? {})) {
+    headers.set(k, v);
+  }
+  return headers;
+}
+function buildUserAgent(cfg) {
+  const base = `langos-node/${version}`;
+  return cfg.appName ? `${base} ${cfg.appName}` : base;
+}
+async function safeReadJson(response) {
+  const text = await response.text();
+  if (!text) return void 0;
+  try {
+    return JSON.parse(text);
+  } catch {
+    return text;
+  }
+}
+
+// src/resources/base.ts
+var APIResource = class {
+  cfg;
+  constructor(cfg) {
+    this.cfg = cfg;
+  }
+  get(path, query, options) {
+    return makeRequest(this.cfg, { method: "GET", path, query, options });
+  }
+  post(path, body, options) {
+    return makeRequest(this.cfg, { method: "POST", path, body, options });
+  }
+  delete(path, options) {
+    return makeRequest(this.cfg, { method: "DELETE", path, options });
+  }
+  patch(path, body, options) {
+    return makeRequest(this.cfg, { method: "PATCH", path, body, options });
+  }
+};
+
+// src/core/transform.ts
+function assessmentFromWire(w) {
+  return {
+    id: String(w.id),
+    object: "assessment",
+    name: String(w.name),
+    description: w.description ?? null,
+    challengeCount: Number(w.challenge_count ?? 0),
+    createdAt: String(w.created_at),
+    updatedAt: String(w.updated_at)
+  };
+}
+function candidateFromWire(w) {
+  return {
+    id: String(w.id),
+    object: "candidate",
+    email: String(w.email),
+    name: w.name ?? null,
+    assessmentId: String(w.assessment_id),
+    externalId: w.external_id ?? null,
+    status: w.status,
+    invitationUrl: w.invitation_url ?? null,
+    invitedAt: w.invited_at ?? null,
+    startedAt: w.started_at ?? null,
+    completedAt: w.completed_at ?? null,
+    cancelledAt: w.cancelled_at ?? null,
+    expiresAt: w.expires_at ?? null,
+    latestSessionId: w.latest_session_id ?? null,
+    score: w.score === null || w.score === void 0 ? null : Number(w.score),
+    metadata: w.metadata ?? null,
+    createdAt: String(w.created_at),
+    updatedAt: String(w.updated_at)
+  };
+}
+function candidateCreateToWire(p) {
+  const expires = p.expiresAt instanceof Date ? p.expiresAt.toISOString() : p.expiresAt ?? null;
+  return {
+    email: p.email,
+    assessment_id: p.assessmentId,
+    name: p.name ?? null,
+    external_id: p.externalId ?? null,
+    expires_at: expires,
+    metadata: p.metadata ?? null
+  };
+}
+function submissionFromWire(w) {
+  if (!w) return null;
+  return {
+    language: w.language ?? null,
+    finalCode: w.final_code ?? null,
+    diff: w.diff ?? null,
+    commitSha: w.commit_sha ?? null,
+    previewUrl: w.preview_url ?? null
+  };
+}
+function feedbackFromWire(w) {
+  if (!w) return null;
+  return {
+    notes: w.notes ?? null,
+    problemSolvingScore: w.problem_solving_score === null || w.problem_solving_score === void 0 ? null : Number(w.problem_solving_score),
+    codeQualityScore: w.code_quality_score === null || w.code_quality_score === void 0 ? null : Number(w.code_quality_score)
+  };
+}
+function analyticsFromWire(w) {
+  const a = w || {};
+  return {
+    editorEventCount: Number(a.editor_event_count ?? 0),
+    runEventCount: Number(a.run_event_count ?? 0),
+    testEventCount: Number(a.test_event_count ?? 0),
+    aiEventCount: Number(a.ai_event_count ?? 0),
+    pasteEventCount: Number(a.paste_event_count ?? 0),
+    activeSeconds: Number(a.active_seconds ?? 0),
+    idleSeconds: Number(a.idle_seconds ?? 0),
+    codingSeconds: Number(a.coding_seconds ?? 0)
+  };
+}
+function sessionFromWire(w) {
+  return {
+    id: String(w.id),
+    object: "session",
+    candidateId: String(w.candidate_id),
+    assessmentId: String(w.assessment_id),
+    status: w.status,
+    attempt: Number(w.attempt ?? 1),
+    startedAt: w.started_at ?? null,
+    completedAt: w.completed_at ?? null,
+    durationSeconds: w.duration_seconds ?? null,
+    score: w.score === null || w.score === void 0 ? null : Number(w.score),
+    passed: typeof w.passed === "boolean" ? w.passed : null,
+    reportUrl: w.report_url ?? null,
+    submission: submissionFromWire(w.submission),
+    analytics: analyticsFromWire(w.analytics),
+    insights: insightsFromWire(w.insights),
+    feedback: feedbackFromWire(w.feedback),
+    createdAt: String(w.created_at),
+    updatedAt: String(w.updated_at)
+  };
+}
+var PLAN_TIERS = ["free", "starter", "mid_tier", "growth", "custom"];
+function planTierFromWire(raw) {
+  return typeof raw === "string" && PLAN_TIERS.includes(raw) ? raw : "free";
+}
+function accountFromWire(w) {
+  return {
+    id: String(w.id),
+    object: "account",
+    name: String(w.name),
+    slug: String(w.slug ?? ""),
+    planTier: planTierFromWire(w.plan_tier),
+    billingCycle: String(w.billing_cycle),
+    status: String(w.status),
+    sessionsUsed: Number(w.sessions_used ?? 0),
+    sessionsLimit: w.sessions_limit === null || w.sessions_limit === void 0 ? null : Number(w.sessions_limit),
+    sessionsRemaining: w.sessions_remaining === null || w.sessions_remaining === void 0 ? null : Number(w.sessions_remaining),
+    trialEndsAt: w.trial_ends_at ?? null,
+    features: {
+      webIdeEnabled: !!w.features?.web_ide_enabled,
+      replayEnabled: !!w.features?.replay_enabled,
+      aiAssistanceEnabled: !!w.features?.ai_assistance_enabled
+    },
+    planCaps: w.plan_caps ? {
+      label: String(w.plan_caps.label ?? ""),
+      priceMonthly: w.plan_caps.price_monthly === null || w.plan_caps.price_monthly === void 0 ? null : Number(w.plan_caps.price_monthly),
+      billing: "monthly",
+      currency: "USD",
+      sessionLimit: w.plan_caps.session_limit === null || w.plan_caps.session_limit === void 0 ? null : Number(w.plan_caps.session_limit),
+      readyMadeChallenges: w.plan_caps.ready_made_challenges === null || w.plan_caps.ready_made_challenges === void 0 ? null : Number(w.plan_caps.ready_made_challenges),
+      customChallengesMax: w.plan_caps.custom_challenges_max === null || w.plan_caps.custom_challenges_max === void 0 ? null : Number(w.plan_caps.custom_challenges_max),
+      features: w.plan_caps.features ?? {},
+      support: String(w.plan_caps.support ?? ""),
+      popular: w.plan_caps.popular === true,
+      contactSales: w.plan_caps.contact_sales === true
+    } : null,
+    integration: {
+      provider: String(w.integration?.provider ?? ""),
+      apiKeyPrefix: String(w.integration?.api_key_prefix ?? ""),
+      scopes: Array.isArray(w.integration?.scopes) ? w.integration.scopes.map(String) : [],
+      rateLimitPerMinute: w.integration?.rate_limit_per_minute === null || w.integration?.rate_limit_per_minute === void 0 ? null : Number(w.integration.rate_limit_per_minute),
+      webhookUrl: w.integration?.webhook_url ?? null
+    }
+  };
+}
+function webhookEndpointFromWire(w) {
+  return {
+    object: "webhook_endpoint",
+    webhookUrl: w.webhook_url ?? null,
+    signingSecret: w.signing_secret ?? null
+  };
+}
+function webhookEndpointParamsToWire(p) {
+  const out = {};
+  if (p.webhookUrl !== void 0) out.webhook_url = p.webhookUrl;
+  if (p.rotateSigningSecret !== void 0) out.rotate_signing_secret = p.rotateSigningSecret;
+  return out;
+}
+function insightsFromWire(w) {
+  if (!w) return null;
+  return {
+    aiUsagePercent: w.ai_usage_percent === null || w.ai_usage_percent === void 0 ? null : Number(w.ai_usage_percent),
+    testPassRate: w.test_pass_rate === null || w.test_pass_rate === void 0 ? null : Number(w.test_pass_rate),
+    codeQuality: w.code_quality ?? null,
+    ...passthroughExtras(w, ["ai_usage_percent", "test_pass_rate", "code_quality"])
+  };
+}
+function passthroughExtras(o, known) {
+  const out = {};
+  for (const [k, v] of Object.entries(o)) {
+    if (!known.includes(k)) out[k] = v;
+  }
+  return out;
+}
+
+// src/resources/account.ts
+var AccountResource = class extends APIResource {
+  /**
+   * Read the calling integration's account.
+   *
+   *  Includes plan, quota, feature flags, and integration metadata
+   *  (key prefix, scopes, rate limit, webhook URL).
+   *
+   * @returns {Promise<Account>}
+   */
+  async retrieve(options) {
+    const w = await this.get("/account", void 0, options);
+    return accountFromWire(w);
+  }
+  /**
+   * Set or clear the outbound webhook URL, and optionally rotate the signing
+   * secret.
+   *
+   *  When `rotateSigningSecret: true`, the response includes the new secret in
+   *  `signingSecret`. Store it — the secret cannot be re-fetched. Subsequent
+   *  reads return `signingSecret: null`.
+   *
+   * @param {WebhookEndpointParams} params
+   */
+  async setWebhookEndpoint(params, options) {
+    const body = webhookEndpointParamsToWire(params);
+    const w = await this.patch("/account/webhook-endpoint", body, options);
+    return webhookEndpointFromWire(w);
+  }
+};
+
+// src/core/pagination.ts
+async function fetchPage(fetcher, mapItem, initialCursor) {
+  const wire = await fetcher(initialCursor);
+  return wrapPage(wire, mapItem, fetcher);
+}
+function wrapPage(wire, mapItem, fetcher) {
+  const data = wire.data.map(mapItem);
+  const page = {
+    data,
+    hasMore: !!wire.has_more,
+    nextCursor: wire.next_cursor ?? null,
+    async getNextPage() {
+      if (!wire.has_more || !wire.next_cursor) return null;
+      const next = await fetcher(wire.next_cursor);
+      return wrapPage(next, mapItem, fetcher);
+    }
+  };
+  const iter = {
+    async *[Symbol.asyncIterator]() {
+      let current = page;
+      while (current) {
+        for (const item of current.data) yield item;
+        current = await current.getNextPage();
+      }
+    }
+  };
+  return Object.assign({}, page, iter, {
+    [Symbol.asyncIterator]: iter[Symbol.asyncIterator].bind(iter)
+  });
+}
+
+// src/resources/assessments.ts
+var AssessmentsResource = class extends APIResource {
+  list(params = {}, options) {
+    return fetchPage(
+      (cursor) => this.get(
+        "/assessments",
+        { limit: params.limit, cursor: cursor ?? params.cursor },
+        options
+      ),
+      assessmentFromWire
+    );
+  }
+  async retrieve(id, options) {
+    const w = await this.get(`/assessments/${encodeURIComponent(id)}`, void 0, options);
+    return assessmentFromWire(w);
+  }
+};
+
+// src/resources/candidates.ts
+var CandidatesResource = class extends APIResource {
+  list(params = {}, options) {
+    return fetchPage(
+      (cursor) => this.get("/candidates", {
+        limit: params.limit,
+        cursor: cursor ?? params.cursor,
+        status: params.status,
+        assessment_id: params.assessmentId
+      }, options),
+      candidateFromWire
+    );
+  }
+  async retrieve(id, options) {
+    const w = await this.get(`/candidates/${encodeURIComponent(id)}`, void 0, options);
+    return candidateFromWire(w);
+  }
+  async create(params, options) {
+    const w = await this.post("/candidates", candidateCreateToWire(params), options);
+    return candidateFromWire(w);
+  }
+  /** Idempotent — calling twice on a cancelled candidate returns the same record. */
+  async cancel(id, options) {
+    const w = await this.delete(`/candidates/${encodeURIComponent(id)}`, options);
+    return candidateFromWire(w);
+  }
+};
+
+// src/resources/sessions.ts
+var SessionsResource = class extends APIResource {
+  async retrieve(id, options) {
+    const w = await this.get(`/sessions/${encodeURIComponent(id)}`, void 0, options);
+    return sessionFromWire(w);
+  }
+  listForCandidate(candidateId, params = {}, options) {
+    return fetchPage(
+      (cursor) => this.get(
+        `/candidates/${encodeURIComponent(candidateId)}/sessions`,
+        { limit: params.limit, cursor: cursor ?? params.cursor },
+        options
+      ),
+      sessionFromWire
+    );
+  }
+};
+var DEFAULT_TOLERANCE_SECONDS = 300;
+var MIN_SECRET_LENGTH = 16;
+var MAX_TIMESTAMP_SECONDS = 2 ** 32;
+var Webhooks = {
+  constructEvent(payload, signatureHeader, secret, tolerance = DEFAULT_TOLERANCE_SECONDS) {
+    if (typeof secret !== "string" || secret.length < MIN_SECRET_LENGTH) {
+      throw new LangosSignatureVerificationError(
+        `Signing secret missing or too short (need at least ${MIN_SECRET_LENGTH} chars). Set the secret returned by \`client.account.rotateSigningSecret()\`.`
+      );
+    }
+    if (!signatureHeader) {
+      throw new LangosSignatureVerificationError("Missing Langos-Signature header");
+    }
+    const sigHeader = Array.isArray(signatureHeader) ? signatureHeader[0] : signatureHeader;
+    const parsed = parseSignatureHeader(sigHeader);
+    if (parsed.timestamp === null || parsed.signatures.length === 0) {
+      throw new LangosSignatureVerificationError(
+        "Malformed signature header (expected t=...,v1=...)"
+      );
+    }
+    const nowSec = Math.floor(Date.now() / 1e3);
+    if (Math.abs(nowSec - parsed.timestamp) > tolerance) {
+      throw new LangosSignatureVerificationError(
+        `Timestamp outside the tolerance window (${tolerance}s)`
+      );
+    }
+    const rawBody = typeof payload === "string" ? payload : payload.toString("utf-8");
+    const expected = computeSignature(secret, parsed.timestamp, rawBody);
+    const ok = parsed.signatures.some((s) => safeEquals(s, expected));
+    if (!ok) {
+      throw new LangosSignatureVerificationError("No signatures matched");
+    }
+    let event;
+    try {
+      event = JSON.parse(rawBody);
+    } catch {
+      throw new LangosSignatureVerificationError("Payload is not valid JSON");
+    }
+    return event;
+  }
+};
+function parseSignatureHeader(header) {
+  let timestamp = null;
+  const signatures = [];
+  for (const part of header.split(",")) {
+    const [k, v] = part.trim().split("=");
+    if (k === "t" && v) {
+      const n = parseInt(v, 10);
+      if (Number.isFinite(n) && n > 0 && n < MAX_TIMESTAMP_SECONDS) {
+        timestamp = n;
+      }
+    }
+    if (k === "v1" && v) signatures.push(v);
+  }
+  return { timestamp, signatures };
+}
+function computeSignature(secret, timestamp, body) {
+  return createHmac("sha256", secret).update(`${timestamp}.${body}`).digest("hex");
+}
+function safeEquals(a, b) {
+  const ab = Buffer.from(a, "hex");
+  const bb = Buffer.from(b, "hex");
+  if (ab.length !== bb.length || ab.length === 0) return false;
+  try {
+    return timingSafeEqual(ab, bb);
+  } catch {
+    return false;
+  }
+}
+
+// src/core/logger.ts
+var noopLogger = {
+  debug() {
+  },
+  info() {
+  },
+  warn() {
+  },
+  error() {
+  }
+};
+
+// src/client.ts
+var DEFAULT_BASE_URL = "https://app.langos.io/api/v1";
+var DEFAULT_TIMEOUT_MS = 3e4;
+var DEFAULT_MAX_RETRIES = 2;
+var Langos = class {
+  account;
+  assessments;
+  candidates;
+  sessions;
+  /**
+   * Webhook signature helpers (`Langos.webhooks.constructEvent`). Static-style:
+   * does not need the client instance, since signing is independent of API
+   * calls. Exposed both as a class member and as `Langos.webhooks` for parity
+   * with Stripe's `stripe.webhooks` style.
+   */
+  webhooks = Webhooks;
+  static webhooks = Webhooks;
+  cfg;
+  constructor(options) {
+    if (!options.apiKey) {
+      throw new Error(
+        "Langos: missing apiKey. Pass via constructor or set LANGOS_API_KEY environment variable and read it."
+      );
+    }
+    const fetchImpl = options.fetch ?? globalThis.fetch;
+    if (!fetchImpl) {
+      throw new Error(
+        "Langos: no fetch implementation found. Use Node 18+ or pass `fetch` via the options."
+      );
+    }
+    if (options.appName !== void 0) {
+      assertHeaderSafe("appName", options.appName);
+    }
+    if (options.apiKey !== void 0) {
+      assertHeaderSafe("apiKey", options.apiKey);
+    }
+    this.cfg = {
+      apiKey: options.apiKey,
+      baseUrl: (options.baseUrl ?? DEFAULT_BASE_URL).replace(/\/$/, ""),
+      timeout: options.timeout ?? DEFAULT_TIMEOUT_MS,
+      maxRetries: options.maxRetries ?? DEFAULT_MAX_RETRIES,
+      fetchImpl,
+      logger: options.logger ?? noopLogger,
+      appName: options.appName,
+      telemetry: options.telemetry !== false
+    };
+    this.account = new AccountResource(this.cfg);
+    this.assessments = new AssessmentsResource(this.cfg);
+    this.candidates = new CandidatesResource(this.cfg);
+    this.sessions = new SessionsResource(this.cfg);
+  }
+};
+var HEADER_UNSAFE = /[\r\n\0\x00-\x1f\x7f]/;
+function assertHeaderSafe(field, value) {
+  if (typeof value !== "string") {
+    throw new TypeError(`Langos: ${field} must be a string`);
+  }
+  if (HEADER_UNSAFE.test(value)) {
+    throw new TypeError(
+      `Langos: ${field} contains control characters (\\r, \\n, \\0, or other C0). These are not allowed in HTTP headers and would enable header injection.`
+    );
+  }
+}
+
+export { Langos, LangosAPIError, LangosAuthenticationError, LangosBadRequestError, LangosConflictError, LangosConnectionError, LangosError, LangosForbiddenError, LangosNotFoundError, LangosRateLimitError, LangosServerError, LangosSignatureVerificationError, LangosTimeoutError, Webhooks, version };
+//# sourceMappingURL=index.mjs.map
+//# sourceMappingURL=index.mjs.map