@dotsetlabs/tollgate 0.2.2 → 0.3.0

package/dist/approval/rate-limiter.js

@@ -0,0 +1,200 @@
+/**
+ * Rate Limiter for Tollgate Approval Requests
+ *
+ * Prevents DoS and approval fatigue attacks by limiting the rate of
+ * approval prompts per server/tool combination.
+ *
+ * Uses a sliding window algorithm for accurate rate limiting.
+ *
+ * @module approval/rate-limiter
+ */
+import { approvalLogger as logger } from '../utils/logger.js';
+// =============================================================================
+// Rate Limiter Implementation
+// =============================================================================
+/**
+ * Sliding window rate limiter for approval requests.
+ *
+ * @example
+ * ```typescript
+ * const limiter = new RateLimiter({ maxPerMinute: 30, maxPerHour: 300 });
+ *
+ * const result = limiter.check('postgres:query');
+ * if (!result.allowed) {
+ *   console.log(`Rate limited: ${result.reason}`);
+ * }
+ * ```
+ */
+export class RateLimiter {
+    config;
+    requests = new Map();
+    stats = {
+        totalRequests: 0,
+        allowedRequests: 0,
+        deniedRequests: 0,
+        activeKeys: 0,
+        deniedByKey: {},
+    };
+    cleanupInterval = null;
+    constructor(config = {}) {
+        this.config = {
+            maxPerMinute: config.maxPerMinute ?? 30,
+            maxPerHour: config.maxPerHour ?? 300,
+            autoDeny: config.autoDeny ?? true,
+            windowMs: config.windowMs ?? 3600000, // 1 hour
+        };
+        // Start cleanup interval
+        this.cleanupInterval = setInterval(() => this.cleanup(), 60000);
+    }
+    /**
+     * Check if a request is allowed for the given key.
+     *
+     * @param key - Unique key for rate limiting (e.g., "server:tool")
+     * @returns Rate limit result
+     */
+    check(key) {
+        const now = Date.now();
+        const oneMinuteAgo = now - 60000;
+        const oneHourAgo = now - 3600000;
+        this.stats.totalRequests++;
+        // Get or create request history for this key
+        const history = this.requests.get(key) ?? [];
+        // Filter to requests within the window
+        const recentMinute = history.filter((t) => t > oneMinuteAgo);
+        const recentHour = history.filter((t) => t > oneHourAgo);
+        const remainingPerMinute = Math.max(0, this.config.maxPerMinute - recentMinute.length);
+        const remainingPerHour = Math.max(0, this.config.maxPerHour - recentHour.length);
+        // Check if rate exceeded
+        if (recentMinute.length >= this.config.maxPerMinute) {
+            this.stats.deniedRequests++;
+            this.stats.deniedByKey[key] = (this.stats.deniedByKey[key] ?? 0) + 1;
+            const oldestInMinute = Math.min(...recentMinute);
+            const retryAfterMs = oldestInMinute + 60000 - now;
+            logger.warn('Rate limit exceeded (per minute)', {
+                key,
+                count: recentMinute.length,
+                limit: this.config.maxPerMinute,
+            });
+            return {
+                allowed: false,
+                reason: `Rate limit exceeded: ${recentMinute.length}/${this.config.maxPerMinute} requests per minute`,
+                remainingPerMinute: 0,
+                remainingPerHour,
+                retryAfterMs: Math.max(0, retryAfterMs),
+            };
+        }
+        if (recentHour.length >= this.config.maxPerHour) {
+            this.stats.deniedRequests++;
+            this.stats.deniedByKey[key] = (this.stats.deniedByKey[key] ?? 0) + 1;
+            const oldestInHour = Math.min(...recentHour);
+            const retryAfterMs = oldestInHour + 3600000 - now;
+            logger.warn('Rate limit exceeded (per hour)', {
+                key,
+                count: recentHour.length,
+                limit: this.config.maxPerHour,
+            });
+            return {
+                allowed: false,
+                reason: `Rate limit exceeded: ${recentHour.length}/${this.config.maxPerHour} requests per hour`,
+                remainingPerMinute,
+                remainingPerHour: 0,
+                retryAfterMs: Math.max(0, retryAfterMs),
+            };
+        }
+        // Request allowed - record it
+        recentHour.push(now);
+        this.requests.set(key, recentHour);
+        this.stats.allowedRequests++;
+        this.stats.activeKeys = this.requests.size;
+        return {
+            allowed: true,
+            remainingPerMinute: remainingPerMinute - 1,
+            remainingPerHour: remainingPerHour - 1,
+        };
+    }
+    /**
+     * Record a request without checking limits.
+     * Useful for tracking requests that bypass rate limiting.
+     */
+    record(key) {
+        const now = Date.now();
+        const history = this.requests.get(key) ?? [];
+        history.push(now);
+        this.requests.set(key, history);
+    }
+    /**
+     * Reset rate limiting for a specific key.
+     */
+    reset(key) {
+        this.requests.delete(key);
+        delete this.stats.deniedByKey[key];
+    }
+    /**
+     * Reset all rate limiting.
+     */
+    resetAll() {
+        this.requests.clear();
+        this.stats = {
+            totalRequests: 0,
+            allowedRequests: 0,
+            deniedRequests: 0,
+            activeKeys: 0,
+            deniedByKey: {},
+        };
+    }
+    /**
+     * Get current statistics.
+     */
+    getStats() {
+        return { ...this.stats, activeKeys: this.requests.size };
+    }
+    /**
+     * Clean up old entries to prevent memory leaks.
+     */
+    cleanup() {
+        const cutoff = Date.now() - this.config.windowMs;
+        for (const [key, history] of this.requests.entries()) {
+            const recent = history.filter((t) => t > cutoff);
+            if (recent.length === 0) {
+                this.requests.delete(key);
+            }
+            else {
+                this.requests.set(key, recent);
+            }
+        }
+        this.stats.activeKeys = this.requests.size;
+    }
+    /**
+     * Close the rate limiter and stop cleanup interval.
+     */
+    close() {
+        if (this.cleanupInterval) {
+            clearInterval(this.cleanupInterval);
+            this.cleanupInterval = null;
+        }
+    }
+}
+// =============================================================================
+// Global Rate Limiter Instance
+// =============================================================================
+let globalRateLimiter = null;
+/**
+ * Get the global rate limiter instance.
+ * Creates one if it doesn't exist.
+ */
+export function getRateLimiter(config) {
+    if (!globalRateLimiter) {
+        globalRateLimiter = new RateLimiter(config);
+    }
+    return globalRateLimiter;
+}
+/**
+ * Reset the global rate limiter.
+ */
+export function resetGlobalRateLimiter() {
+    if (globalRateLimiter) {
+        globalRateLimiter.close();
+        globalRateLimiter = null;
+    }
+}
+//# sourceMappingURL=rate-limiter.js.map

package/dist/approval/rate-limiter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.js","sourceRoot":"","sources":["../../src/approval/rate-limiter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,cAAc,IAAI,MAAM,EAAE,MAAM,oBAAoB,CAAC;AA+D9D,gFAAgF;AAChF,8BAA8B;AAC9B,gFAAgF;AAEhF;;;;;;;;;;;;GAYG;AACH,MAAM,OAAO,WAAW;IACZ,MAAM,CAA8B;IACpC,QAAQ,GAA0B,IAAI,GAAG,EAAE,CAAC;IAC5C,KAAK,GAAqB;QAC9B,aAAa,EAAE,CAAC;QAChB,eAAe,EAAE,CAAC;QAClB,cAAc,EAAE,CAAC;QACjB,UAAU,EAAE,CAAC;QACb,WAAW,EAAE,EAAE;KAClB,CAAC;IACM,eAAe,GAA0C,IAAI,CAAC;IAEtE,YAAY,SAA4B,EAAE;QACtC,IAAI,CAAC,MAAM,GAAG;YACV,YAAY,EAAE,MAAM,CAAC,YAAY,IAAI,EAAE;YACvC,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,GAAG;YACpC,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,IAAI;YACjC,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,OAAO,EAAE,SAAS;SAClD,CAAC;QAEF,yBAAyB;QACzB,IAAI,CAAC,eAAe,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,KAAK,CAAC,CAAC;IACpE,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,GAAW;QACb,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,YAAY,GAAG,GAAG,GAAG,KAAK,CAAC;QACjC,MAAM,UAAU,GAAG,GAAG,GAAG,OAAO,CAAC;QAEjC,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;QAE3B,6CAA6C;QAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QAE7C,uCAAuC;QACvC,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,YAAY,CAAC,CAAC;QAC7D,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,UAAU,CAAC,CAAC;QAEzD,MAAM,kBAAkB,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;QACvF,MAAM,gBAAgB,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;QAEjF,yBAAyB;QACzB,IAAI,YAAY,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;YAClD,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC;YAC5B,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YAErE,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC,CAAC;YACjD,MAAM,YAAY,GAAG,cAAc,GAAG,KAAK,GAAG,GAAG,CAAC;YAElD,MAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE;gBAC5C,GAAG;gBACH,KAAK,EAAE,YAAY,CAAC,MAAM;gBAC1B,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;aAClC,CAAC,CAAC;YAEH,OAAO;gBACH,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,wBAAwB,YAAY,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,sBAAsB;gBACrG,kBAAkB,EAAE,CAAC;gBACrB,gBAAgB;gBAChB,YAAY,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,YAAY,CAAC;aAC1C,CAAC;QACN,CAAC;QAED,IAAI,UAAU,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;YAC9C,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC;YAC5B,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YAErE,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC;YAC7C,MAAM,YAAY,GAAG,YAAY,GAAG,OAAO,GAAG,GAAG,CAAC;YAElD,MAAM,CAAC,IAAI,CAAC,gCAAgC,EAAE;gBAC1C,GAAG;gBACH,KAAK,EAAE,UAAU,CAAC,MAAM;gBACxB,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU;aAChC,CAAC,CAAC;YAEH,OAAO;gBACH,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,wBAAwB,UAAU,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,oBAAoB;gBAC/F,kBAAkB;gBAClB,gBAAgB,EAAE,CAAC;gBACnB,YAAY,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,YAAY,CAAC;aAC1C,CAAC;QACN,CAAC;QAED,8BAA8B;QAC9B,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrB,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK,CAAC,eAAe,EAAE,CAAC;QAC7B,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;QAE3C,OAAO;YACH,OAAO,EAAE,IAAI;YACb,kBAAkB,EAAE,kBAAkB,GAAG,CAAC;YAC1C,gBAAgB,EAAE,gBAAgB,GAAG,CAAC;SACzC,CAAC;IACN,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,GAAW;QACd,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QAC7C,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClB,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,GAAW;QACb,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC1B,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACvC,CAAC;IAED;;OAEG;IACH,QAAQ;QACJ,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,KAAK,GAAG;YACT,aAAa,EAAE,CAAC;YAChB,eAAe,EAAE,CAAC;YAClB,cAAc,EAAE,CAAC;YACjB,UAAU,EAAE,CAAC;YACb,WAAW,EAAE,EAAE;SAClB,CAAC;IACN,CAAC;IAED;;OAEG;IACH,QAAQ;QACJ,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC7D,CAAC;IAED;;OAEG;IACK,OAAO;QACX,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;QAEjD,KAAK,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC;YACnD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC;YACjD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACtB,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC9B,CAAC;iBAAM,CAAC;gBACJ,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;YACnC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;IAC/C,CAAC;IAED;;OAEG;IACH,KAAK;QACD,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACvB,aAAa,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACpC,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;QAChC,CAAC;IACL,CAAC;CACJ;AAED,gFAAgF;AAChF,+BAA+B;AAC/B,gFAAgF;AAEhF,IAAI,iBAAiB,GAAuB,IAAI,CAAC;AAEjD;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,MAA0B;IACrD,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACrB,iBAAiB,GAAG,IAAI,WAAW,CAAC,MAAM,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,iBAAiB,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB;IAClC,IAAI,iBAAiB,EAAE,CAAC;QACpB,iBAAiB,CAAC,KAAK,EAAE,CAAC;QAC1B,iBAAiB,GAAG,IAAI,CAAC;IAC7B,CAAC;AACL,CAAC"}

package/dist/approval/url-validator.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Webhook URL Validator
+ *
+ * Validates webhook URLs to prevent SSRF attacks via configuration.
+ * Blocks localhost, private IPs, and dangerous protocols.
+ *
+ * @module approval/url-validator
+ */
+/**
+ * Options for URL validation.
+ */
+export interface UrlValidationOptions {
+    /** Allow localhost URLs (default: false) */
+    allowLocalhost?: boolean;
+    /** Allow private IP ranges (default: false) */
+    allowPrivateIps?: boolean;
+    /** Require HTTPS (default: true in production) */
+    requireHttps?: boolean;
+    /** Additional blocked hosts */
+    blockedHosts?: string[];
+    /** Additional allowed hosts (overrides blocks) */
+    allowedHosts?: string[];
+}
+/**
+ * Result of URL validation.
+ */
+export interface UrlValidationResult {
+    /** Whether the URL is valid */
+    valid: boolean;
+    /** Reason if invalid */
+    reason?: string;
+    /** Parsed URL (if valid) */
+    url?: URL;
+}
+/**
+ * Validate a webhook URL.
+ *
+ * @param urlString - URL to validate
+ * @param options - Validation options
+ * @returns Validation result
+ */
+export declare function validateWebhookUrl(urlString: string, options?: UrlValidationOptions): UrlValidationResult;
+/**
+ * Validate URL and throw on invalid.
+ *
+ * @param urlString - URL to validate
+ * @param options - Validation options
+ * @throws Error if URL is invalid
+ */
+export declare function assertValidWebhookUrl(urlString: string, options?: UrlValidationOptions): URL;
+//# sourceMappingURL=url-validator.d.ts.map

package/dist/approval/url-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"url-validator.d.ts","sourceRoot":"","sources":["../../src/approval/url-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAQH;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACjC,4CAA4C;IAC5C,cAAc,CAAC,EAAE,OAAO,CAAC;IAEzB,+CAA+C;IAC/C,eAAe,CAAC,EAAE,OAAO,CAAC;IAE1B,kDAAkD;IAClD,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB,+BAA+B;IAC/B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IAExB,kDAAkD;IAClD,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAChC,+BAA+B;IAC/B,KAAK,EAAE,OAAO,CAAC;IAEf,wBAAwB;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,4BAA4B;IAC5B,GAAG,CAAC,EAAE,GAAG,CAAC;CACb;AAyDD;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAC9B,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,oBAAyB,GACnC,mBAAmB,CAyFrB;AAsCD;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACjC,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,oBAAyB,GACnC,GAAG,CAML"}

package/dist/approval/url-validator.js

@@ -0,0 +1,184 @@
+/**
+ * Webhook URL Validator
+ *
+ * Validates webhook URLs to prevent SSRF attacks via configuration.
+ * Blocks localhost, private IPs, and dangerous protocols.
+ *
+ * @module approval/url-validator
+ */
+import { approvalLogger as logger } from '../utils/logger.js';
+// =============================================================================
+// URL Validation Patterns
+// =============================================================================
+/**
+ * Localhost patterns.
+ */
+const LOCALHOST_PATTERNS = [
+    'localhost',
+    '127.0.0.1',
+    '::1',
+    '0.0.0.0',
+    '[::1]',
+    '0:0:0:0:0:0:0:1',
+    '[0:0:0:0:0:0:0:1]',
+];
+/**
+ * Private IP ranges (RFC 1918).
+ */
+const PRIVATE_IP_PATTERNS = [
+    /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/,
+    /^172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}$/,
+    /^192\.168\.\d{1,3}\.\d{1,3}$/,
+    /^169\.254\.\d{1,3}\.\d{1,3}$/, // Link-local
+];
+/**
+ * Cloud metadata endpoints.
+ */
+const METADATA_HOSTS = [
+    '169.254.169.254',
+    'metadata.google.internal',
+    '100.100.100.200',
+    '169.254.170.2',
+];
+/**
+ * Dangerous protocols.
+ */
+const DANGEROUS_PROTOCOLS = [
+    'file:',
+    'ftp:',
+    'gopher:',
+    'ldap:',
+    'dict:',
+    'sftp:',
+    'data:',
+    'javascript:',
+];
+// =============================================================================
+// URL Validator
+// =============================================================================
+/**
+ * Validate a webhook URL.
+ *
+ * @param urlString - URL to validate
+ * @param options - Validation options
+ * @returns Validation result
+ */
+export function validateWebhookUrl(urlString, options = {}) {
+    const { allowLocalhost = false, allowPrivateIps = false, requireHttps = process.env.NODE_ENV === 'production', blockedHosts = [], allowedHosts = [], } = options;
+    // Parse URL
+    let url;
+    try {
+        url = new URL(urlString);
+    }
+    catch {
+        return {
+            valid: false,
+            reason: 'Invalid URL format',
+        };
+    }
+    const hostname = url.hostname.toLowerCase();
+    // Check allowed hosts first (whitelist takes precedence)
+    if (allowedHosts.some((h) => h.toLowerCase() === hostname)) {
+        return { valid: true, url };
+    }
+    // Check protocol
+    if (DANGEROUS_PROTOCOLS.includes(url.protocol)) {
+        logger.warn('Webhook URL uses dangerous protocol', { url: urlString, protocol: url.protocol });
+        return {
+            valid: false,
+            reason: `Dangerous protocol: ${url.protocol}`,
+        };
+    }
+    // Check HTTPS requirement
+    if (requireHttps && url.protocol !== 'https:') {
+        return {
+            valid: false,
+            reason: 'Webhook URL must use HTTPS in production',
+        };
+    }
+    // Check localhost
+    if (!allowLocalhost && isLocalhost(hostname)) {
+        logger.warn('Webhook URL targets localhost', { url: urlString });
+        return {
+            valid: false,
+            reason: 'Webhook URL cannot target localhost',
+        };
+    }
+    // Check private IPs
+    if (!allowPrivateIps && isPrivateIp(hostname)) {
+        logger.warn('Webhook URL targets private IP', { url: urlString });
+        return {
+            valid: false,
+            reason: 'Webhook URL cannot target private IP ranges',
+        };
+    }
+    // Check metadata endpoints
+    if (METADATA_HOSTS.some((h) => hostname === h || hostname.includes(h))) {
+        logger.warn('Webhook URL targets cloud metadata', { url: urlString });
+        return {
+            valid: false,
+            reason: 'Webhook URL cannot target cloud metadata endpoints',
+        };
+    }
+    // Check custom blocked hosts
+    if (blockedHosts.some((h) => h.toLowerCase() === hostname)) {
+        return {
+            valid: false,
+            reason: `Host is blocked: ${hostname}`,
+        };
+    }
+    // Check for IP obfuscation (octal, hex, decimal)
+    if (isObfuscatedIp(hostname)) {
+        logger.warn('Webhook URL uses obfuscated IP', { url: urlString });
+        return {
+            valid: false,
+            reason: 'Webhook URL appears to use obfuscated IP notation',
+        };
+    }
+    return { valid: true, url };
+}
+/**
+ * Check if hostname is localhost.
+ */
+function isLocalhost(hostname) {
+    return LOCALHOST_PATTERNS.some((p) => hostname === p || hostname === `[${p}]`);
+}
+/**
+ * Check if hostname is a private IP.
+ */
+function isPrivateIp(hostname) {
+    return PRIVATE_IP_PATTERNS.some((p) => p.test(hostname));
+}
+/**
+ * Check for obfuscated IP notation.
+ */
+function isObfuscatedIp(hostname) {
+    // Octal notation (e.g., 0177.0.0.1)
+    if (/^0[0-7]+\./.test(hostname)) {
+        return true;
+    }
+    // Hex notation (e.g., 0x7f.0x0.0x0.0x1)
+    if (/^0x[0-9a-f]+/i.test(hostname)) {
+        return true;
+    }
+    // Decimal notation (e.g., 2130706433)
+    if (/^\d{8,10}$/.test(hostname)) {
+        return true;
+    }
+    return false;
+}
+/**
+ * Validate URL and throw on invalid.
+ *
+ * @param urlString - URL to validate
+ * @param options - Validation options
+ * @throws Error if URL is invalid
+ */
+export function assertValidWebhookUrl(urlString, options = {}) {
+    const result = validateWebhookUrl(urlString, options);
+    if (!result.valid) {
+        throw new Error(`Invalid webhook URL: ${result.reason}`);
+    }
+    return result.url;
+}
+//# sourceMappingURL=url-validator.js.map

package/dist/approval/url-validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"url-validator.js","sourceRoot":"","sources":["../../src/approval/url-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,cAAc,IAAI,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAwC9D,gFAAgF;AAChF,0BAA0B;AAC1B,gFAAgF;AAEhF;;GAEG;AACH,MAAM,kBAAkB,GAAG;IACvB,WAAW;IACX,WAAW;IACX,KAAK;IACL,SAAS;IACT,OAAO;IACP,iBAAiB;IACjB,mBAAmB;CACtB,CAAC;AAEF;;GAEG;AACH,MAAM,mBAAmB,GAAG;IACxB,iCAAiC;IACjC,6CAA6C;IAC7C,8BAA8B;IAC9B,8BAA8B,EAAE,aAAa;CAChD,CAAC;AAEF;;GAEG;AACH,MAAM,cAAc,GAAG;IACnB,iBAAiB;IACjB,0BAA0B;IAC1B,iBAAiB;IACjB,eAAe;CAClB,CAAC;AAEF;;GAEG;AACH,MAAM,mBAAmB,GAAG;IACxB,OAAO;IACP,MAAM;IACN,SAAS;IACT,OAAO;IACP,OAAO;IACP,OAAO;IACP,OAAO;IACP,aAAa;CAChB,CAAC;AAEF,gFAAgF;AAChF,gBAAgB;AAChB,gFAAgF;AAEhF;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAC9B,SAAiB,EACjB,UAAgC,EAAE;IAElC,MAAM,EACF,cAAc,GAAG,KAAK,EACtB,eAAe,GAAG,KAAK,EACvB,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EACpD,YAAY,GAAG,EAAE,EACjB,YAAY,GAAG,EAAE,GACpB,GAAG,OAAO,CAAC;IAEZ,YAAY;IACZ,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACD,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACL,OAAO;YACH,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,oBAAoB;SAC/B,CAAC;IACN,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IAE5C,yDAAyD;IACzD,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,QAAQ,CAAC,EAAE,CAAC;QACzD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;IAChC,CAAC;IAED,iBAAiB;IACjB,IAAI,mBAAmB,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7C,MAAM,CAAC,IAAI,CAAC,qCAAqC,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC/F,OAAO;YACH,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,uBAAuB,GAAG,CAAC,QAAQ,EAAE;SAChD,CAAC;IACN,CAAC;IAED,0BAA0B;IAC1B,IAAI,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC5C,OAAO;YACH,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,0CAA0C;SACrD,CAAC;IACN,CAAC;IAED,kBAAkB;IAClB,IAAI,CAAC,cAAc,IAAI,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC,+BAA+B,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE,CAAC,CAAC;QACjE,OAAO;YACH,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,qCAAqC;SAChD,CAAC;IACN,CAAC;IAED,oBAAoB;IACpB,IAAI,CAAC,eAAe,IAAI,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,gCAAgC,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE,CAAC,CAAC;QAClE,OAAO;YACH,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,6CAA6C;SACxD,CAAC;IACN,CAAC;IAED,2BAA2B;IAC3B,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,KAAK,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACrE,MAAM,CAAC,IAAI,CAAC,oCAAoC,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE,CAAC,CAAC;QACtE,OAAO;YACH,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,oDAAoD;SAC/D,CAAC;IACN,CAAC;IAED,6BAA6B;IAC7B,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,QAAQ,CAAC,EAAE,CAAC;QACzD,OAAO;YACH,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,oBAAoB,QAAQ,EAAE;SACzC,CAAC;IACN,CAAC;IAED,iDAAiD;IACjD,IAAI,cAAc,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3B,MAAM,CAAC,IAAI,CAAC,gCAAgC,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE,CAAC,CAAC;QAClE,OAAO;YACH,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,mDAAmD;SAC9D,CAAC;IACN,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;AAChC,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,QAAgB;IACjC,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,KAAK,CAAC,IAAI,QAAQ,KAAK,IAAI,CAAC,GAAG,CAAC,CAAC;AACnF,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,QAAgB;IACjC,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,QAAgB;IACpC,oCAAoC;IACpC,IAAI,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,wCAAwC;IACxC,IAAI,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACjC,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,sCAAsC;IACtC,IAAI,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,OAAO,KAAK,CAAC;AACjB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,qBAAqB,CACjC,SAAiB,EACjB,UAAgC,EAAE;IAElC,MAAM,MAAM,GAAG,kBAAkB,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IACtD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,wBAAwB,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,MAAM,CAAC,GAAI,CAAC;AACvB,CAAC"}

package/dist/approval/webhook.d.ts

@@ -71,4 +71,52 @@ export declare class WebhookApprovalHandler implements ApprovalHandler {
     private computeSignature;
     close(): void;
 }
+/**
+ * Verify a webhook signature from Tollgate.
+ *
+ * Use this function in your webhook receiver to validate that requests
+ * are authentic and haven't been tampered with.
+ *
+ * @example
+ * ```typescript
+ * import { verifyWebhookSignature } from '@dotsetlabs/tollgate';
+ *
+ * app.post('/webhook/tollgate', async (req, res) => {
+ *   const signature = req.headers['x-tollgate-signature'];
+ *   const body = JSON.stringify(req.body);
+ *
+ *   const isValid = await verifyWebhookSignature(body, signature, process.env.WEBHOOK_SECRET);
+ *
+ *   if (!isValid) {
+ *     return res.status(401).json({ error: 'Invalid signature' });
+ *   }
+ *
+ *   // Process the webhook...
+ * });
+ * ```
+ *
+ * @param body - The raw request body as a string
+ * @param signature - The X-Tollgate-Signature header value
+ * @param secret - Your webhook secret
+ * @returns Promise<boolean> - True if signature is valid
+ */
+export declare function verifyWebhookSignature(body: string, signature: string | null | undefined, secret: string): Promise<boolean>;
+/**
+ * Result type for webhook signature verification.
+ */
+export interface WebhookVerificationResult {
+    /** Whether the signature is valid */
+    valid: boolean;
+    /** Reason for invalid signature */
+    reason?: string;
+}
+/**
+ * Verify a webhook signature with detailed result.
+ *
+ * @param body - The raw request body as a string
+ * @param signature - The X-Tollgate-Signature header value
+ * @param secret - Your webhook secret
+ * @returns Promise<WebhookVerificationResult>
+ */
+export declare function verifyWebhookSignatureDetailed(body: string, signature: string | null | undefined, secret: string): Promise<WebhookVerificationResult>;
 //# sourceMappingURL=webhook.d.ts.map

package/dist/approval/webhook.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"webhook.d.ts","sourceRoot":"","sources":["../../src/approval/webhook.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,eAAe,EACf,eAAe,EACf,gBAAgB,EAGjB,MAAM,YAAY,CAAC;AACpB,OAAO,EAA0B,KAAK,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAInF;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,mDAAmD;IACnD,GAAG,EAAE,MAAM,CAAC;IAEZ,sDAAsD;IACtD,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,mDAAmD;IACnD,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEjC,+DAA+D;IAC/D,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,gDAAgD;IAChD,QAAQ,EAAE,OAAO,CAAC;IAElB,sCAAsC;IACtC,QAAQ,CAAC,EAAE,eAAe,CAAC;IAE3B,mCAAmC;IACnC,KAAK,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,QAAQ,CAAC;CACrC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,qBAAa,sBAAuB,YAAW,eAAe;IAC5D,OAAO,CAAC,MAAM,CAAwB;IACtC,OAAO,CAAC,eAAe,CAAgC;gBAE3C,MAAM,EAAE,qBAAqB;IAOnC,MAAM,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,gBAAgB,CAAC;IA0CjE;;OAEG;YACW,kBAAkB;IAqEhC;;OAEG;YACW,gBAAgB;IAmB9B,KAAK,IAAI,IAAI;CAId"}
+{"version":3,"file":"webhook.d.ts","sourceRoot":"","sources":["../../src/approval/webhook.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,eAAe,EACf,eAAe,EACf,gBAAgB,EAGjB,MAAM,YAAY,CAAC;AACpB,OAAO,EAA0B,KAAK,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAInF;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,mDAAmD;IACnD,GAAG,EAAE,MAAM,CAAC;IAEZ,sDAAsD;IACtD,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,mDAAmD;IACnD,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEjC,+DAA+D;IAC/D,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,gDAAgD;IAChD,QAAQ,EAAE,OAAO,CAAC;IAElB,sCAAsC;IACtC,QAAQ,CAAC,EAAE,eAAe,CAAC;IAE3B,mCAAmC;IACnC,KAAK,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,QAAQ,CAAC;CACrC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,qBAAa,sBAAuB,YAAW,eAAe;IAC5D,OAAO,CAAC,MAAM,CAAwB;IACtC,OAAO,CAAC,eAAe,CAAgC;gBAE3C,MAAM,EAAE,qBAAqB;IAOnC,MAAM,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,gBAAgB,CAAC;IA0CjE;;OAEG;YACW,kBAAkB;IAqEhC;;OAEG;YACW,gBAAgB;IAmB9B,KAAK,IAAI,IAAI;CAId;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EACpC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,OAAO,CAAC,CA2ClB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,qCAAqC;IACrC,KAAK,EAAE,OAAO,CAAC;IAEf,mCAAmC;IACnC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;GAOG;AACH,wBAAsB,8BAA8B,CAClD,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EACpC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,yBAAyB,CAAC,CAoBpC"}

package/dist/approval/webhook.js

@@ -157,4 +157,93 @@ export class WebhookApprovalHandler {
         this.abortController = null;
     }
 }
+// =============================================================================
+// Webhook Signature Verification Helper
+// =============================================================================
+/**
+ * Verify a webhook signature from Tollgate.
+ *
+ * Use this function in your webhook receiver to validate that requests
+ * are authentic and haven't been tampered with.
+ *
+ * @example
+ * ```typescript
+ * import { verifyWebhookSignature } from '@dotsetlabs/tollgate';
+ *
+ * app.post('/webhook/tollgate', async (req, res) => {
+ *   const signature = req.headers['x-tollgate-signature'];
+ *   const body = JSON.stringify(req.body);
+ *
+ *   const isValid = await verifyWebhookSignature(body, signature, process.env.WEBHOOK_SECRET);
+ *
+ *   if (!isValid) {
+ *     return res.status(401).json({ error: 'Invalid signature' });
+ *   }
+ *
+ *   // Process the webhook...
+ * });
+ * ```
+ *
+ * @param body - The raw request body as a string
+ * @param signature - The X-Tollgate-Signature header value
+ * @param secret - Your webhook secret
+ * @returns Promise<boolean> - True if signature is valid
+ */
+export async function verifyWebhookSignature(body, signature, secret) {
+    if (!signature || !secret) {
+        return false;
+    }
+    // Remove 'sha256=' prefix if present
+    const providedSig = signature.startsWith('sha256=')
+        ? signature.slice(7)
+        : signature;
+    try {
+        // Compute expected signature
+        const encoder = new TextEncoder();
+        const key = await crypto.subtle.importKey('raw', encoder.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+        const computed = await crypto.subtle.sign('HMAC', key, encoder.encode(body));
+        const expectedSig = Array.from(new Uint8Array(computed))
+            .map((b) => b.toString(16).padStart(2, '0'))
+            .join('');
+        // Timing-safe comparison to prevent timing attacks
+        if (providedSig.length !== expectedSig.length) {
+            return false;
+        }
+        // Use subtle timing-safe comparison
+        // Convert to buffers for comparison
+        let mismatch = 0;
+        for (let i = 0; i < providedSig.length; i++) {
+            mismatch |= providedSig.charCodeAt(i) ^ expectedSig.charCodeAt(i);
+        }
+        return mismatch === 0;
+    }
+    catch (error) {
+        logger.error('Webhook signature verification error', { error });
+        return false;
+    }
+}
+/**
+ * Verify a webhook signature with detailed result.
+ *
+ * @param body - The raw request body as a string
+ * @param signature - The X-Tollgate-Signature header value
+ * @param secret - Your webhook secret
+ * @returns Promise<WebhookVerificationResult>
+ */
+export async function verifyWebhookSignatureDetailed(body, signature, secret) {
+    if (!signature) {
+        return { valid: false, reason: 'Missing signature header' };
+    }
+    if (!secret) {
+        return { valid: false, reason: 'Missing webhook secret' };
+    }
+    if (!signature.startsWith('sha256=')) {
+        return { valid: false, reason: 'Invalid signature format (expected sha256=...)' };
+    }
+    const isValid = await verifyWebhookSignature(body, signature, secret);
+    if (isValid) {
+        return { valid: true };
+    }
+    return { valid: false, reason: 'Signature mismatch' };
+}
 //# sourceMappingURL=webhook.js.map

package/dist/approval/webhook.js.map

@@ -1 +1 @@
-{"version":3,"file":"webhook.js","sourceRoot":"","sources":["../../src/approval/webhook.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH,OAAO,EAAE,sBAAsB,EAAwB,MAAM,qBAAqB,CAAC;AACnF,OAAO,EAAE,cAAc,IAAI,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,2BAA2B,EAAE,MAAM,iBAAiB,CAAC;AAiC9D;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,OAAO,sBAAsB;IACzB,MAAM,CAAwB;IAC9B,eAAe,GAA2B,IAAI,CAAC;IAEvD,YAAY,MAA6B;QACvC,IAAI,CAAC,MAAM,GAAG;YACZ,SAAS,EAAE,2BAA2B;YACtC,GAAG,MAAM;SACV,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAwB;QACnC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,sBAAsB,CAAC;QAEtE,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;YACtD,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAE1C,gDAAgD;YAChD,IAAI,YAA0C,CAAC;YAC/C,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACvC,MAAM,gBAAgB,GAAG,aAAa,CAAC,gBAAgB,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;gBAChG,IAAI,gBAAgB,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC/C,YAAY,GAAG;wBACb,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,aAAa,CAAC,YAAY,IAAI,MAAM;wBAC3D,QAAQ,EAAE,MAAM,CAAC,QAAQ;qBAC1B,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,OAAO;gBACL,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;gBAC/C,WAAW,EAAE,IAAI,IAAI,EAAE;gBACvB,UAAU;gBACV,YAAY;aACb,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAC1C,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YAE3D,+CAA+C;YAC/C,MAAM,MAAM,GACV,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC;YAE/E,OAAO;gBACL,MAAM;gBACN,WAAW,EAAE,IAAI,IAAI,EAAE;gBACvB,UAAU;aACX,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,kBAAkB,CAAC,OAAwB;QACvD,IAAI,CAAC,eAAe,GAAG,IAAI,eAAe,EAAE,CAAC;QAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,2BAA2B,CAAC;QAErE,iBAAiB;QACjB,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE;YAChC,IAAI,CAAC,eAAe,EAAE,KAAK,EAAE,CAAC;QAChC,CAAC,EAAE,OAAO,CAAC,CAAC;QAEZ,IAAI,CAAC;YACH,MAAM,OAAO,GAA2B;gBACtC,cAAc,EAAE,kBAAkB;gBAClC,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO;aACvB,CAAC;YAEF,6CAA6C;YAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC;gBAC1B,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,WAAW,EAAE;gBAC1C,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,MAAM;gBAC9B,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,IAAI;gBAC1B,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,IAAI;gBAC1B,QAAQ,EAAE;oBACR,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,MAAM;oBAC/B,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,MAAM;oBAC/B,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,WAAW;oBACzC,QAAQ,EAAE,OAAO,CAAC,QAAQ,CAAC,QAAQ;iBACpC;aACF,CAAC,CAAC;YAEH,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;gBACvB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;gBACpD,OAAO,CAAC,sBAAsB,CAAC,GAAG,SAAS,CAAC;YAC9C,CAAC;YAED,MAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE;gBAC9C,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG;gBACpB,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,IAAI;aAC3B,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE;gBAC5C,MAAM,EAAE,MAAM;gBACd,OAAO;gBACP,IAAI;gBACJ,MAAM,EAAE,IAAI,CAAC,eAAe,CAAC,MAAM;aACpC,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CAAC,2BAA2B,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;YACxF,CAAC;YAED,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA2B,CAAC;YAElE,oBAAoB;YACpB,IAAI,OAAO,OAAO,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;gBAC1C,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;YACxE,CAAC;YAED,MAAM,CAAC,IAAI,CAAC,oCAAoC,EAAE;gBAChD,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;aAC3B,CAAC,CAAC;YAEH,OAAO,OAAO,CAAC;QACjB,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,SAAS,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,gBAAgB,CAAC,IAAY;QACzC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACxB,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAClC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;QAEF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;QAC9E,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;QACxD,OAAO,SAAS,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACpF,CAAC;IAED,KAAK;QACH,IAAI,CAAC,eAAe,EAAE,KAAK,EAAE,CAAC;QAC9B,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;IAC9B,CAAC;CACF"}
+{"version":3,"file":"webhook.js","sourceRoot":"","sources":["../../src/approval/webhook.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH,OAAO,EAAE,sBAAsB,EAAwB,MAAM,qBAAqB,CAAC;AACnF,OAAO,EAAE,cAAc,IAAI,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,2BAA2B,EAAE,MAAM,iBAAiB,CAAC;AAiC9D;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,OAAO,sBAAsB;IACzB,MAAM,CAAwB;IAC9B,eAAe,GAA2B,IAAI,CAAC;IAEvD,YAAY,MAA6B;QACvC,IAAI,CAAC,MAAM,GAAG;YACZ,SAAS,EAAE,2BAA2B;YACtC,GAAG,MAAM;SACV,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAwB;QACnC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,sBAAsB,CAAC;QAEtE,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;YACtD,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAE1C,gDAAgD;YAChD,IAAI,YAA0C,CAAC;YAC/C,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACvC,MAAM,gBAAgB,GAAG,aAAa,CAAC,gBAAgB,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;gBAChG,IAAI,gBAAgB,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC/C,YAAY,GAAG;wBACb,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,aAAa,CAAC,YAAY,IAAI,MAAM;wBAC3D,QAAQ,EAAE,MAAM,CAAC,QAAQ;qBAC1B,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,OAAO;gBACL,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;gBAC/C,WAAW,EAAE,IAAI,IAAI,EAAE;gBACvB,UAAU;gBACV,YAAY;aACb,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAC1C,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YAE3D,+CAA+C;YAC/C,MAAM,MAAM,GACV,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC;YAE/E,OAAO;gBACL,MAAM;gBACN,WAAW,EAAE,IAAI,IAAI,EAAE;gBACvB,UAAU;aACX,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,kBAAkB,CAAC,OAAwB;QACvD,IAAI,CAAC,eAAe,GAAG,IAAI,eAAe,EAAE,CAAC;QAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,2BAA2B,CAAC;QAErE,iBAAiB;QACjB,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE;YAChC,IAAI,CAAC,eAAe,EAAE,KAAK,EAAE,CAAC;QAChC,CAAC,EAAE,OAAO,CAAC,CAAC;QAEZ,IAAI,CAAC;YACH,MAAM,OAAO,GAA2B;gBACtC,cAAc,EAAE,kBAAkB;gBAClC,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO;aACvB,CAAC;YAEF,6CAA6C;YAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC;gBAC1B,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,WAAW,EAAE;gBAC1C,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,MAAM;gBAC9B,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,IAAI;gBAC1B,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,IAAI;gBAC1B,QAAQ,EAAE;oBACR,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,MAAM;oBAC/B,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,MAAM;oBAC/B,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,WAAW;oBACzC,QAAQ,EAAE,OAAO,CAAC,QAAQ,CAAC,QAAQ;iBACpC;aACF,CAAC,CAAC;YAEH,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;gBACvB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;gBACpD,OAAO,CAAC,sBAAsB,CAAC,GAAG,SAAS,CAAC;YAC9C,CAAC;YAED,MAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE;gBAC9C,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG;gBACpB,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,IAAI;aAC3B,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE;gBAC5C,MAAM,EAAE,MAAM;gBACd,OAAO;gBACP,IAAI;gBACJ,MAAM,EAAE,IAAI,CAAC,eAAe,CAAC,MAAM;aACpC,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CAAC,2BAA2B,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;YACxF,CAAC;YAED,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA2B,CAAC;YAElE,oBAAoB;YACpB,IAAI,OAAO,OAAO,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;gBAC1C,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;YACxE,CAAC;YAED,MAAM,CAAC,IAAI,CAAC,oCAAoC,EAAE;gBAChD,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;aAC3B,CAAC,CAAC;YAEH,OAAO,OAAO,CAAC;QACjB,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,SAAS,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,gBAAgB,CAAC,IAAY;QACzC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACxB,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAClC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;QAEF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;QAC9E,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;QACxD,OAAO,SAAS,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACpF,CAAC;IAED,KAAK;QACH,IAAI,CAAC,eAAe,EAAE,KAAK,EAAE,CAAC;QAC9B,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;IAC9B,CAAC;CACF;AAED,gFAAgF;AAChF,wCAAwC;AACxC,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,IAAY,EACZ,SAAoC,EACpC,MAAc;IAEd,IAAI,CAAC,SAAS,IAAI,CAAC,MAAM,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,qCAAqC;IACrC,MAAM,WAAW,GAAG,SAAS,CAAC,UAAU,CAAC,SAAS,CAAC;QACjD,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QACpB,CAAC,CAAC,SAAS,CAAC;IAEd,IAAI,CAAC;QACH,6BAA6B;QAC7B,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EACtB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;QAC7E,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC;aACrD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;aAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;QAEZ,mDAAmD;QACnD,IAAI,WAAW,CAAC,MAAM,KAAK,WAAW,CAAC,MAAM,EAAE,CAAC;YAC9C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,oCAAoC;QACpC,oCAAoC;QACpC,IAAI,QAAQ,GAAG,CAAC,CAAC;QACjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5C,QAAQ,IAAI,WAAW,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QACpE,CAAC;QAED,OAAO,QAAQ,KAAK,CAAC,CAAC;IACxB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,sCAAsC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QAChE,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAaD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,IAAY,EACZ,SAAoC,EACpC,MAAc;IAEd,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,0BAA0B,EAAE,CAAC;IAC9D,CAAC;IAED,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAC;IAC5D,CAAC;IAED,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACrC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,gDAAgD,EAAE,CAAC;IACpF,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,sBAAsB,CAAC,IAAI,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IAEtE,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;AACxD,CAAC"}