@dwk/websub 0.1.0-beta.0

package/LICENSE

@@ -0,0 +1,15 @@
+ISC License
+
+Copyright (c) 2026 David W. Keith
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

package/README.md

@@ -0,0 +1,155 @@
+# `@dwk/websub`
+
+> WebSub (W3C) hub. Endpoint package.
+
+Part of the [`@dwk` IndieWeb + Solid cohort](../../README.md). See the
+[package specification](../../spec/packages/websub.md) for the full
+requirements.
+
+A WebSub hub is the **publish-side, real-time complement** to
+[`@dwk/webmention`](../webmention)'s interaction side: subscribers receive a
+push when the user's feed changes instead of polling. Subscribe/unsubscribe
+requests are validated **synchronously** (fast `202 Accepted`); the
+verification-of-intent callback and content fan-out run **asynchronously** on a
+queue with retries and backoff. The subscription store is **D1 (strongly
+consistent), never KV** — a stale or lost subscription is a correctness bug. On
+publish the hub fetches the topic and POSTs it to every verified callback,
+signing the body with HMAC-SHA256 (`X-Hub-Signature`) when the subscriber
+registered a secret.
+
+## What this package does *not* do
+
+The **feeds themselves are static** — RSS / Atom / JSON Feed and `h-feed` /
+`h-entry` microformats are SSG build artifacts that **Anglesite generates**, so
+there is no `@dwk/feeds` package and feed generation is out of scope here. The
+feed's `Link rel="hub"` / `rel="self"` advertisement is likewise Anglesite's to
+emit. This package is only the dynamic hub a static host can't provide.
+
+## Hub endpoint
+
+```ts
+import { createWebSub } from "@dwk/websub";
+
+const websub = createWebSub({
+  baseUrl: "https://hub.example.com",
+  // The feeds this hub serves; a subscribe/publish for any other topic is 400.
+  allowedTopics: ["https://example.com/feed.xml"],
+});
+
+// In your Worker's fetch handler, mount under any path prefix:
+//   POST /websub   (application/x-www-form-urlencoded)
+return websub(request, env, ctx);
+```
+
+`createWebSub` parses the form body and routes on `hub.mode`:
+
+- **`subscribe` / `unsubscribe`** — validates `hub.callback`, `hub.topic`,
+  optional `hub.lease_seconds` (clamped into the hub's bounds), and optional
+  `hub.secret` (< 200 bytes); enqueues a verification job and returns `202`.
+- **`publish`** — validates `hub.url` (or legacy `hub.topic`) against the
+  allowed topics; enqueues a distribution job and returns `202`.
+
+Invalid requests get `400` with a stable error code in the body; other methods
+get `405`. The handler **fails loudly** if the required `WEBSUB_QUEUE` binding
+is missing.
+
+### Async work (queue consumer)
+
+```ts
+import { createWebSub, createWebSubQueueConsumer } from "@dwk/websub";
+
+const config = {
+  baseUrl: "https://hub.example.com",
+  allowedTopics: ["https://example.com/feed.xml"],
+};
+
+export default {
+  fetch: createWebSub(config),
+  queue: createWebSubQueueConsumer(config), // bound to WEBSUB_QUEUE
+};
+```
+
+The consumer handles both job kinds:
+
+- **verify** — issues the `hub.challenge` GET to the callback; on a confirming
+  `2xx` echo it activates the subscription (subscribe) or removes it
+  (unsubscribe). A subscription row is written **only after** verification
+  succeeds, so an unverified callback never lands in the store.
+- **distribute** — prunes expired leases, fetches the topic's current content,
+  and POSTs it (signed per-subscriber when a secret is set) to every active
+  callback.
+
+A store/queue failure — or a distribution that can't fetch the topic — is
+retried; everything else is acked.
+
+### Publishing from your own write path
+
+To ping the hub in-process when [`@dwk/micropub`](../micropub) writes or a static
+rebuild finishes — instead of POSTing the HTTP publish endpoint — use the
+notifier:
+
+```ts
+import { createPublishNotifier } from "@dwk/websub";
+
+const notifyPublish = createPublishNotifier(config);
+// After a write that changed the feed:
+await notifyPublish(env, "https://example.com/feed.xml");
+```
+
+## Bindings (`Env` fragment)
+
+| Binding        | Type         | Required | Purpose                                          |
+| -------------- | ------------ | -------- | ------------------------------------------------ |
+| `WEBSUB_DB`    | `D1Database` | yes      | Strongly-consistent subscription store.          |
+| `WEBSUB_QUEUE` | `Queue`      | yes      | Verification + distribution fan-out and retries. |
+
+The subscription store **MUST** be D1 (or another strongly-consistent store),
+**never KV**: staleness here is a correctness/security bug, not a safe-to-be-stale
+cache (see [`spec/non-functional-requirements.md`](../../spec/non-functional-requirements.md)).
+
+## Config
+
+| Field                 | Type                          | Default          | Purpose                                                       |
+| --------------------- | ----------------------------- | ---------------- | ------------------------------------------------------------- |
+| `baseUrl`             | `string`                      | —                | Hub base URL.                                                 |
+| `hubUrl`              | `string`                      | `baseUrl`        | URL advertised in the `rel="hub"` `Link` header.              |
+| `allowedTopics`       | `string[]`                    | —                | Topics this hub serves (normalized match).                    |
+| `isAllowedTopic`      | `(topic) => boolean`          | from `allowed…`  | Predicate alternative for a dynamic feed set.                 |
+| `minLeaseSeconds`     | `number`                      | `300`            | Lower bound on a granted lease.                               |
+| `maxLeaseSeconds`     | `number`                      | `864000`         | Upper bound on a granted lease (10 days).                     |
+| `defaultLeaseSeconds` | `number`                      | `864000`         | Lease when the subscriber omits `hub.lease_seconds`.          |
+| `fetch`               | `FetchLike`                   | global `fetch`   | Override `fetch` (verification / distribution).               |
+| `logger`              | `Logger`                      | `noopLogger`     | Structured logs (see `@dwk/log`).                             |
+| `metrics`             | `Metrics`                     | `noopMetrics`    | Queryable counters (see `@dwk/log`).                          |
+
+Either `allowedTopics` or `isAllowedTopic` is required — a hub must know which
+topics it serves.
+
+## Security
+
+Every outbound request — the verification GET and each distribution POST — goes
+through an SSRF-safe `fetch`: the callback host (and every redirect hop) is
+validated against private, loopback, link-local (incl. the cloud metadata IP),
+and reserved ranges, redirects are followed manually with re-validation and a
+hop cap, and the whole operation is bounded by a timeout. Credential-bearing
+headers (including `X-Hub-Signature`) are stripped on a cross-origin redirect.
+
+## Observability
+
+Logging and metrics are **opt-in and injected** (see [`@dwk/log`](../log)),
+defaulting to no-ops. Both seams share one event vocabulary (`WebSubLogEvent`),
+so a log line and its counter line up — SSRF blocks (by reason), request
+accepted/rejected, verification outcomes (by confirmed/status), subscription
+activated/removed, deliveries (by delivered/status), topic-fetch failures, and
+queue retries. Only sanitized hosts, status, reason codes, booleans, and counts
+are recorded — never secrets, bodies, or full URLs.
+
+## Conformance
+
+The hub targets the [websub.rocks](https://websub.rocks/) hub test suite. The
+lease math, request validation, intent verification, and HMAC signing are
+unit-tested without a Workers runtime; the D1 store is tested under Miniflare.
+
+## License
+
+[ISC](../../LICENSE)

package/dist/config.d.ts

@@ -0,0 +1,122 @@
+/**
+ * `@dwk/websub` — injected configuration and the Cloudflare `Env` fragment.
+ *
+ * Per the composition contract, a package never reads the global environment
+ * directly: all config (base URL, the topics this hub serves, lease bounds) is
+ * passed into {@link createWebSub}, so the hub can be instantiated multiple times
+ * and unit-tested in isolation. The Cloudflare bindings the hub needs are
+ * declared as a TypeScript `Env` fragment that the composed Worker's `Env` is a
+ * superset of. See `spec/composition-contract.md` and `spec/packages/websub.md`.
+ *
+ * @packageDocumentation
+ */
+import { type Logger, type Metrics } from "@dwk/log";
+import type { D1Database, Queue } from "@cloudflare/workers-types";
+import { type SignatureAlgorithm } from "./distribute";
+import type { FetchLike } from "./fetch";
+import type { WebSubJob } from "./queue";
+/**
+ * Cloudflare bindings required by the hub handler and its queue consumer.
+ *
+ * The subscription store **MUST** be strongly consistent — D1 (session
+ * consistency), never KV: a stale or lost subscription is a correctness bug, not
+ * a safe-to-be-stale cache (`spec/non-functional-requirements.md`).
+ */
+export interface WebSubEnv {
+    /** D1 database backing the subscription table. */
+    readonly WEBSUB_DB: D1Database;
+    /** Queue for intent verification and content-distribution fan-out + retries. */
+    readonly WEBSUB_QUEUE: Queue<WebSubJob>;
+}
+/** Configuration passed to {@link createWebSub}. */
+export interface WebSubConfig {
+    /** Base URL of this hub; informational and used for self-advertisement. */
+    readonly baseUrl: string;
+    /**
+     * Absolute URL of the hub endpoint itself, advertised to subscribers in the
+     * `rel="hub"` `Link` header on each delivery. Defaults to {@link baseUrl};
+     * set it when the hub is mounted under a path prefix.
+     */
+    readonly hubUrl?: string;
+    /**
+     * The topic URLs this hub will serve (the user's own feeds). A subscribe or
+     * publish request for any other topic is rejected. Compared by normalized URL
+     * (default ports and a trailing-slash-only path are folded). Provide either
+     * this or {@link isAllowedTopic}.
+     */
+    readonly allowedTopics?: readonly string[];
+    /**
+     * Predicate deciding whether a topic URL is one this hub serves, for callers
+     * whose feed set is dynamic. Takes precedence over {@link allowedTopics}.
+     */
+    readonly isAllowedTopic?: (topic: string) => boolean;
+    /** Minimum lease (seconds) the hub will grant. Default 300 (5 minutes). */
+    readonly minLeaseSeconds?: number;
+    /** Maximum lease (seconds) the hub will grant. Default 864000 (10 days). */
+    readonly maxLeaseSeconds?: number;
+    /**
+     * Lease granted when a subscriber omits `hub.lease_seconds`. Default 864000
+     * (10 days). Clamped into `[minLeaseSeconds, maxLeaseSeconds]`.
+     */
+    readonly defaultLeaseSeconds?: number;
+    /**
+     * HMAC digest method for the `X-Hub-Signature` on signed deliveries (WebSub
+     * §8 permits `sha1`/`sha256`/`sha384`/`sha512`). WebSub has no per-request
+     * method parameter, so this is a hub-level choice; it defaults to the secure
+     * `sha256`. Set it to `sha1` **only** when a subscriber requires the legacy
+     * method for interop — SHA-1 is weaker and not the default for that reason.
+     */
+    readonly signatureAlgorithm?: SignatureAlgorithm;
+    /**
+     * Media type to forward on distribution when the topic response declares no
+     * `Content-Type`. WebSub §7 requires the distribution `Content-Type` to
+     * correspond to the topic's, so the hub never fabricates a generic
+     * `application/octet-stream`. Set this to the type the hub's feeds are served
+     * as (e.g. `application/atom+xml`) so a topic that omits the header is still
+     * distributable; left unset, such a topic is refused rather than mislabeled.
+     */
+    readonly defaultContentType?: string;
+    /** `fetch` implementation for verification/distribution; defaults to global `fetch`. */
+    readonly fetch?: FetchLike;
+    /** Logger; defaults to a no-op (see `@dwk/log`). */
+    readonly logger?: Logger;
+    /** Metrics sink; defaults to a no-op (see `@dwk/log`). */
+    readonly metrics?: Metrics;
+}
+/** Default lower bound on a granted lease (5 minutes). */
+export declare const DEFAULT_MIN_LEASE_SECONDS = 300;
+/** Default upper bound on a granted lease (10 days). */
+export declare const DEFAULT_MAX_LEASE_SECONDS = 864000;
+/** Config with defaults resolved and the topic check normalized to a predicate. */
+export interface ResolvedConfig {
+    readonly baseUrl: string;
+    readonly hubUrl: string;
+    readonly isAllowedTopic: (topic: string) => boolean;
+    readonly minLeaseSeconds: number;
+    readonly maxLeaseSeconds: number;
+    readonly defaultLeaseSeconds: number;
+    readonly signatureAlgorithm: SignatureAlgorithm;
+    /** Fallback distribution `Content-Type`; `undefined` refuses to mislabel. */
+    readonly defaultContentType?: string;
+    readonly fetch: FetchLike;
+    readonly logger: Logger;
+    readonly metrics: Metrics;
+}
+/**
+ * Normalize a topic URL for comparison: lowercase host, default port dropped,
+ * a bare `/` path elided, and fragment removed. Query strings are preserved
+ * (a feed may legitimately carry one). Returns `null` when `raw` is unparseable
+ * or not `http(s)`.
+ */
+export declare function normalizeTopic(raw: string): string | null;
+/**
+ * Resolve {@link WebSubConfig} into {@link ResolvedConfig}, filling defaults and
+ * turning the topic allowlist into a single predicate.
+ *
+ * @throws when neither `allowedTopics` nor `isAllowedTopic` is supplied — a hub
+ * with no topics would accept subscriptions it can never serve.
+ */
+export declare function resolveConfig(config: WebSubConfig): ResolvedConfig;
+/** Clamp a requested lease into the hub's `[min, max]` bounds. */
+export declare function clampLease(requested: number, config: ResolvedConfig): number;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAA2B,KAAK,MAAM,EAAE,KAAK,OAAO,EAAE,MAAM,UAAU,CAAC;AAC9E,OAAO,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,2BAA2B,CAAC;AACnE,OAAO,EAEL,KAAK,kBAAkB,EACxB,MAAM,cAAc,CAAC;AACtB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEzC;;;;;;GAMG;AACH,MAAM,WAAW,SAAS;IACxB,kDAAkD;IAClD,QAAQ,CAAC,SAAS,EAAE,UAAU,CAAC;IAC/B,gFAAgF;IAChF,QAAQ,CAAC,YAAY,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CACzC;AAED,oDAAoD;AACpD,MAAM,WAAW,YAAY;IAC3B,2EAA2E;IAC3E,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB;;;;OAIG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;;;;;OAKG;IACH,QAAQ,CAAC,aAAa,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3C;;;OAGG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC;IACrD,2EAA2E;IAC3E,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC;IAClC,4EAA4E;IAC5E,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC;IAClC;;;OAGG;IACH,QAAQ,CAAC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IACtC;;;;;;OAMG;IACH,QAAQ,CAAC,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IACjD;;;;;;;OAOG;IACH,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IACrC,wFAAwF;IACxF,QAAQ,CAAC,KAAK,CAAC,EAAE,SAAS,CAAC;IAC3B,oDAAoD;IACpD,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,0DAA0D;IAC1D,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED,0DAA0D;AAC1D,eAAO,MAAM,yBAAyB,MAAM,CAAC;AAC7C,wDAAwD;AACxD,eAAO,MAAM,yBAAyB,SAAU,CAAC;AAEjD,mFAAmF;AACnF,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,cAAc,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC;IACpD,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,mBAAmB,EAAE,MAAM,CAAC;IACrC,QAAQ,CAAC,kBAAkB,EAAE,kBAAkB,CAAC;IAChD,6EAA6E;IAC7E,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IACrC,QAAQ,CAAC,KAAK,EAAE,SAAS,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;CAC3B;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAazD;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,YAAY,GAAG,cAAc,CAiDlE;AAED,kEAAkE;AAClE,wBAAgB,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,GAAG,MAAM,CAK5E"}

package/dist/config.js

@@ -0,0 +1,96 @@
+/**
+ * `@dwk/websub` — injected configuration and the Cloudflare `Env` fragment.
+ *
+ * Per the composition contract, a package never reads the global environment
+ * directly: all config (base URL, the topics this hub serves, lease bounds) is
+ * passed into {@link createWebSub}, so the hub can be instantiated multiple times
+ * and unit-tested in isolation. The Cloudflare bindings the hub needs are
+ * declared as a TypeScript `Env` fragment that the composed Worker's `Env` is a
+ * superset of. See `spec/composition-contract.md` and `spec/packages/websub.md`.
+ *
+ * @packageDocumentation
+ */
+import { noopLogger, noopMetrics } from "@dwk/log";
+import { DEFAULT_SIGNATURE_ALGORITHM, } from "./distribute";
+/** Default lower bound on a granted lease (5 minutes). */
+export const DEFAULT_MIN_LEASE_SECONDS = 300;
+/** Default upper bound on a granted lease (10 days). */
+export const DEFAULT_MAX_LEASE_SECONDS = 864_000;
+/**
+ * Normalize a topic URL for comparison: lowercase host, default port dropped,
+ * a bare `/` path elided, and fragment removed. Query strings are preserved
+ * (a feed may legitimately carry one). Returns `null` when `raw` is unparseable
+ * or not `http(s)`.
+ */
+export function normalizeTopic(raw) {
+    let url;
+    try {
+        url = new URL(raw);
+    }
+    catch {
+        return null;
+    }
+    if (url.protocol !== "http:" && url.protocol !== "https:") {
+        return null;
+    }
+    url.hash = "";
+    const path = url.pathname === "/" ? "" : url.pathname;
+    return `${url.protocol}//${url.host}${path}${url.search}`;
+}
+/**
+ * Resolve {@link WebSubConfig} into {@link ResolvedConfig}, filling defaults and
+ * turning the topic allowlist into a single predicate.
+ *
+ * @throws when neither `allowedTopics` nor `isAllowedTopic` is supplied — a hub
+ * with no topics would accept subscriptions it can never serve.
+ */
+export function resolveConfig(config) {
+    const min = config.minLeaseSeconds ?? DEFAULT_MIN_LEASE_SECONDS;
+    const max = config.maxLeaseSeconds ?? DEFAULT_MAX_LEASE_SECONDS;
+    if (min > max) {
+        throw new Error(`@dwk/websub: minLeaseSeconds (${min}) exceeds maxLeaseSeconds (${max}).`);
+    }
+    const fallback = config.defaultLeaseSeconds ?? DEFAULT_MAX_LEASE_SECONDS;
+    const defaultLeaseSeconds = Math.min(Math.max(fallback, min), max);
+    let isAllowedTopic;
+    if (config.isAllowedTopic !== undefined) {
+        isAllowedTopic = config.isAllowedTopic;
+    }
+    else if (config.allowedTopics !== undefined) {
+        const allowed = new Set();
+        for (const topic of config.allowedTopics) {
+            const normalized = normalizeTopic(topic);
+            if (normalized !== null) {
+                allowed.add(normalized);
+            }
+        }
+        isAllowedTopic = (topic) => {
+            const normalized = normalizeTopic(topic);
+            return normalized !== null && allowed.has(normalized);
+        };
+    }
+    else {
+        throw new Error("@dwk/websub: configure allowedTopics or isAllowedTopic — a hub must " +
+            "know which topics it serves.");
+    }
+    return {
+        baseUrl: config.baseUrl,
+        hubUrl: config.hubUrl ?? config.baseUrl,
+        isAllowedTopic,
+        minLeaseSeconds: min,
+        maxLeaseSeconds: max,
+        defaultLeaseSeconds,
+        signatureAlgorithm: config.signatureAlgorithm ?? DEFAULT_SIGNATURE_ALGORITHM,
+        ...(config.defaultContentType !== undefined
+            ? { defaultContentType: config.defaultContentType }
+            : {}),
+        fetch: config.fetch ?? ((input, init) => fetch(input, init)),
+        logger: config.logger ?? noopLogger,
+        metrics: config.metrics ?? noopMetrics,
+    };
+}
+/** Clamp a requested lease into the hub's `[min, max]` bounds. */
+export function clampLease(requested, config) {
+    return Math.min(Math.max(requested, config.minLeaseSeconds), config.maxLeaseSeconds);
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAA6B,MAAM,UAAU,CAAC;AAE9E,OAAO,EACL,2BAA2B,GAE5B,MAAM,cAAc,CAAC;AA0EtB,0DAA0D;AAC1D,MAAM,CAAC,MAAM,yBAAyB,GAAG,GAAG,CAAC;AAC7C,wDAAwD;AACxD,MAAM,CAAC,MAAM,yBAAyB,GAAG,OAAO,CAAC;AAkBjD;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,GAAW;IACxC,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1D,OAAO,IAAI,CAAC;IACd,CAAC;IACD,GAAG,CAAC,IAAI,GAAG,EAAE,CAAC;IACd,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC;IACtD,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,IAAI,GAAG,IAAI,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC;AAC5D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,MAAoB;IAChD,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,IAAI,yBAAyB,CAAC;IAChE,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,IAAI,yBAAyB,CAAC;IAChE,IAAI,GAAG,GAAG,GAAG,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CACb,iCAAiC,GAAG,8BAA8B,GAAG,IAAI,CAC1E,CAAC;IACJ,CAAC;IACD,MAAM,QAAQ,GAAG,MAAM,CAAC,mBAAmB,IAAI,yBAAyB,CAAC;IACzE,MAAM,mBAAmB,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;IAEnE,IAAI,cAA0C,CAAC;IAC/C,IAAI,MAAM,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;QACxC,cAAc,GAAG,MAAM,CAAC,cAAc,CAAC;IACzC,CAAC;SAAM,IAAI,MAAM,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QAC9C,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;QAClC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;YACzC,MAAM,UAAU,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;YACzC,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;gBACxB,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;QACD,cAAc,GAAG,CAAC,KAAK,EAAE,EAAE;YACzB,MAAM,UAAU,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;YACzC,OAAO,UAAU,KAAK,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACxD,CAAC,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CACb,sEAAsE;YACpE,8BAA8B,CACjC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO;QACvC,cAAc;QACd,eAAe,EAAE,GAAG;QACpB,eAAe,EAAE,GAAG;QACpB,mBAAmB;QACnB,kBAAkB,EAChB,MAAM,CAAC,kBAAkB,IAAI,2BAA2B;QAC1D,GAAG,CAAC,MAAM,CAAC,kBAAkB,KAAK,SAAS;YACzC,CAAC,CAAC,EAAE,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,EAAE;YACnD,CAAC,CAAC,EAAE,CAAC;QACP,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,CAAC,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAC5D,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,UAAU;QACnC,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,WAAW;KACvC,CAAC;AACJ,CAAC;AAED,kEAAkE;AAClE,MAAM,UAAU,UAAU,CAAC,SAAiB,EAAE,MAAsB;IAClE,OAAO,IAAI,CAAC,GAAG,CACb,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,eAAe,CAAC,EAC3C,MAAM,CAAC,eAAe,CACvB,CAAC;AACJ,CAAC"}

package/dist/consumer.d.ts

@@ -0,0 +1,39 @@
+/**
+ * `@dwk/websub` — the queue consumer.
+ *
+ * The hub's slow work runs here, off the request path, with the queue providing
+ * retries and backoff. Two job kinds flow through:
+ *
+ * - **verify** — issue the verification-of-intent GET; on a confirmed subscribe,
+ *   write the subscription to the D1 store with its lease expiry, and on a
+ *   confirmed unsubscribe, remove it. A subscription row is created only after
+ *   verification succeeds, so an unverified callback never lands in the store.
+ * - **distribute** — prune expired leases, fetch the topic's current content, and
+ *   fan it out (signed per-subscriber when a secret is set) to every active
+ *   subscriber.
+ *
+ * A job whose store/fetch work throws — or a distribution that cannot fetch the
+ * topic — is retried; everything else is acked. See `spec/packages/websub.md`.
+ *
+ * @packageDocumentation
+ */
+import type { ExecutionContext, MessageBatch } from "@cloudflare/workers-types";
+import { type WebSubConfig, type WebSubEnv } from "./config";
+import type { WebSubJob } from "./queue";
+import { type SubscriptionStore } from "./store";
+/** A Queue consumer for WebSub verification and distribution jobs. */
+export type WebSubQueueConsumer = (batch: MessageBatch<WebSubJob>, env: WebSubEnv, ctx: ExecutionContext) => Promise<void>;
+/** Extra wiring for the consumer, primarily to inject a store in tests. */
+export interface ConsumerOptions {
+    /** Override the subscription store; defaults to a D1 store over `WEBSUB_DB`. */
+    readonly store?: SubscriptionStore;
+    /** Clock injection for deterministic tests; defaults to `Date.now`. */
+    readonly now?: () => number;
+}
+/**
+ * Build the Queue consumer that performs intent verification and content
+ * distribution. Fails loudly if no store is configured (neither
+ * `options.store` nor the `WEBSUB_DB` binding).
+ */
+export declare function createWebSubQueueConsumer(config: WebSubConfig, options?: ConsumerOptions): WebSubQueueConsumer;
+//# sourceMappingURL=consumer.d.ts.map

package/dist/consumer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"consumer.d.ts","sourceRoot":"","sources":["../src/consumer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,KAAK,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAChF,OAAO,EAGL,KAAK,YAAY,EACjB,KAAK,SAAS,EACf,MAAM,UAAU,CAAC;AAGlB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAA6B,KAAK,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAG5E,sEAAsE;AACtE,MAAM,MAAM,mBAAmB,GAAG,CAChC,KAAK,EAAE,YAAY,CAAC,SAAS,CAAC,EAC9B,GAAG,EAAE,SAAS,EACd,GAAG,EAAE,gBAAgB,KAClB,OAAO,CAAC,IAAI,CAAC,CAAC;AAEnB,2EAA2E;AAC3E,MAAM,WAAW,eAAe;IAC9B,gFAAgF;IAChF,QAAQ,CAAC,KAAK,CAAC,EAAE,iBAAiB,CAAC;IACnC,uEAAuE;IACvE,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CAC7B;AAyBD;;;;GAIG;AACH,wBAAgB,yBAAyB,CACvC,MAAM,EAAE,YAAY,EACpB,OAAO,CAAC,EAAE,eAAe,GACxB,mBAAmB,CA0GrB"}

package/dist/consumer.js

@@ -0,0 +1,146 @@
+/**
+ * `@dwk/websub` — the queue consumer.
+ *
+ * The hub's slow work runs here, off the request path, with the queue providing
+ * retries and backoff. Two job kinds flow through:
+ *
+ * - **verify** — issue the verification-of-intent GET; on a confirmed subscribe,
+ *   write the subscription to the D1 store with its lease expiry, and on a
+ *   confirmed unsubscribe, remove it. A subscription row is created only after
+ *   verification succeeds, so an unverified callback never lands in the store.
+ * - **distribute** — prune expired leases, fetch the topic's current content, and
+ *   fan it out (signed per-subscriber when a secret is set) to every active
+ *   subscriber.
+ *
+ * A job whose store/fetch work throws — or a distribution that cannot fetch the
+ * topic — is retried; everything else is acked. See `spec/packages/websub.md`.
+ *
+ * @packageDocumentation
+ */
+import { hostFromUrl } from "@dwk/log";
+import { resolveConfig, } from "./config";
+import { deliverToSubscriber, fetchTopicContent } from "./distribute";
+import { WebSubLogEvent } from "./log";
+import { createD1SubscriptionStore } from "./store";
+import { notifyDenial, verifyIntent } from "./verify";
+function emit(config, level, event, fields) {
+    config.logger[level](event, fields);
+    config.metrics.count(event, fields);
+}
+function resolveStore(options, env) {
+    if (options?.store !== undefined) {
+        return options.store;
+    }
+    if (env.WEBSUB_DB === undefined) {
+        throw new Error("@dwk/websub: missing required binding WEBSUB_DB.");
+    }
+    return createD1SubscriptionStore(env.WEBSUB_DB);
+}
+/**
+ * Build the Queue consumer that performs intent verification and content
+ * distribution. Fails loudly if no store is configured (neither
+ * `options.store` nor the `WEBSUB_DB` binding).
+ */
+export function createWebSubQueueConsumer(config, options) {
+    const resolved = resolveConfig(config);
+    const clock = options?.now ?? (() => Date.now());
+    return async (batch, env, _ctx) => {
+        const store = resolveStore(options, env);
+        for (const message of batch.messages) {
+            const job = message.body;
+            try {
+                if (job.kind === "verify") {
+                    const result = await verifyIntent(job.callback, job.topic, {
+                        mode: job.mode,
+                        leaseSeconds: job.mode === "subscribe" ? job.leaseSeconds : undefined,
+                        fetch: resolved.fetch,
+                        logger: resolved.logger,
+                        metrics: resolved.metrics,
+                    });
+                    if (result.confirmed) {
+                        if (job.mode === "subscribe") {
+                            await store.upsert({
+                                callback: job.callback,
+                                topic: job.topic,
+                                secret: job.secret,
+                                leaseSeconds: job.leaseSeconds,
+                                now: clock(),
+                            });
+                            emit(resolved, "info", WebSubLogEvent.SubscriptionActivated, {
+                                callbackHost: hostFromUrl(job.callback),
+                                topicHost: hostFromUrl(job.topic),
+                                leaseSeconds: job.leaseSeconds,
+                            });
+                        }
+                        else {
+                            await store.remove(job.callback, job.topic);
+                            emit(resolved, "info", WebSubLogEvent.SubscriptionRemoved, {
+                                callbackHost: hostFromUrl(job.callback),
+                                topicHost: hostFromUrl(job.topic),
+                                reason: "unsubscribed",
+                            });
+                        }
+                    }
+                    else if (job.mode === "subscribe") {
+                        // Intent unconfirmed: signal denial to the subscriber (WebSub §5.2)
+                        // instead of silently dropping the request. (An unconfirmed
+                        // unsubscribe simply leaves the existing subscription in place.)
+                        await notifyDenial(job.callback, job.topic, {
+                            reason: "verification_failed",
+                            fetch: resolved.fetch,
+                            logger: resolved.logger,
+                            metrics: resolved.metrics,
+                        });
+                    }
+                    message.ack();
+                    continue;
+                }
+                // kind === "distribute"
+                const now = clock();
+                await store.pruneExpired(now);
+                const fetched = await fetchTopicContent(job.topic, {
+                    fetch: resolved.fetch,
+                    logger: resolved.logger,
+                    metrics: resolved.metrics,
+                    defaultContentType: resolved.defaultContentType,
+                });
+                if (fetched.kind === "retry") {
+                    // The topic was unreachable / non-2xx — retry the whole job later
+                    // rather than dropping the push.
+                    message.retry();
+                    continue;
+                }
+                if (fetched.kind === "drop") {
+                    // A permanent, deterministic refusal (e.g. an unlabelable topic):
+                    // retrying can't fix it, so ack and move on rather than clog the
+                    // queue and re-hammer the topic. fetchTopicContent already logged why.
+                    message.ack();
+                    continue;
+                }
+                const content = fetched.content;
+                const subscribers = await store.listActive(job.topic, now);
+                // Fan out in parallel: deliverToSubscriber never throws (it reports a
+                // failed/blocked POST as delivered:false), so one slow or dead callback
+                // must not head-of-line block the rest and risk timing out the whole
+                // consumer invocation.
+                await Promise.all(subscribers.map((subscriber) => deliverToSubscriber(subscriber, content, resolved.hubUrl, {
+                    fetch: resolved.fetch,
+                    logger: resolved.logger,
+                    metrics: resolved.metrics,
+                    signatureAlgorithm: resolved.signatureAlgorithm,
+                })));
+                message.ack();
+            }
+            catch (err) {
+                // A store/queue failure must not retry silently — name the kind and
+                // error so an operator can tell a transient blip from a wedged job.
+                emit(resolved, "warn", WebSubLogEvent.QueueRetry, {
+                    kind: job.kind,
+                    error: err instanceof Error ? err.name : "unknown",
+                });
+                message.retry();
+            }
+        }
+    };
+}
+//# sourceMappingURL=consumer.js.map

package/dist/consumer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"consumer.js","sourceRoot":"","sources":["../src/consumer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,WAAW,EAAkB,MAAM,UAAU,CAAC;AAEvD,OAAO,EACL,aAAa,GAId,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACtE,OAAO,EAAE,cAAc,EAAE,MAAM,OAAO,CAAC;AAEvC,OAAO,EAAE,yBAAyB,EAA0B,MAAM,SAAS,CAAC;AAC5E,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAiBtD,SAAS,IAAI,CACX,MAAsB,EACtB,KAAsB,EACtB,KAAa,EACb,MAAkB;IAElB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACpC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;AACtC,CAAC;AAED,SAAS,YAAY,CACnB,OAAoC,EACpC,GAAc;IAEd,IAAI,OAAO,EAAE,KAAK,KAAK,SAAS,EAAE,CAAC;QACjC,OAAO,OAAO,CAAC,KAAK,CAAC;IACvB,CAAC;IACD,IAAI,GAAG,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IACD,OAAO,yBAAyB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;AAClD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,yBAAyB,CACvC,MAAoB,EACpB,OAAyB;IAEzB,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,KAAK,GAAG,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IAEjD,OAAO,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAChC,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAEzC,KAAK,MAAM,OAAO,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YACrC,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC;YACzB,IAAI,CAAC;gBACH,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBAC1B,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,KAAK,EAAE;wBACzD,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,YAAY,EACV,GAAG,CAAC,IAAI,KAAK,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;wBACzD,KAAK,EAAE,QAAQ,CAAC,KAAK;wBACrB,MAAM,EAAE,QAAQ,CAAC,MAAM;wBACvB,OAAO,EAAE,QAAQ,CAAC,OAAO;qBAC1B,CAAC,CAAC;oBACH,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;wBACrB,IAAI,GAAG,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;4BAC7B,MAAM,KAAK,CAAC,MAAM,CAAC;gCACjB,QAAQ,EAAE,GAAG,CAAC,QAAQ;gCACtB,KAAK,EAAE,GAAG,CAAC,KAAK;gCAChB,MAAM,EAAE,GAAG,CAAC,MAAM;gCAClB,YAAY,EAAE,GAAG,CAAC,YAAY;gCAC9B,GAAG,EAAE,KAAK,EAAE;6BACb,CAAC,CAAC;4BACH,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,CAAC,qBAAqB,EAAE;gCAC3D,YAAY,EAAE,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC;gCACvC,SAAS,EAAE,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC;gCACjC,YAAY,EAAE,GAAG,CAAC,YAAY;6BAC/B,CAAC,CAAC;wBACL,CAAC;6BAAM,CAAC;4BACN,MAAM,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC;4BAC5C,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,CAAC,mBAAmB,EAAE;gCACzD,YAAY,EAAE,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC;gCACvC,SAAS,EAAE,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC;gCACjC,MAAM,EAAE,cAAc;6BACvB,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;yBAAM,IAAI,GAAG,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;wBACpC,oEAAoE;wBACpE,4DAA4D;wBAC5D,iEAAiE;wBACjE,MAAM,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,KAAK,EAAE;4BAC1C,MAAM,EAAE,qBAAqB;4BAC7B,KAAK,EAAE,QAAQ,CAAC,KAAK;4BACrB,MAAM,EAAE,QAAQ,CAAC,MAAM;4BACvB,OAAO,EAAE,QAAQ,CAAC,OAAO;yBAC1B,CAAC,CAAC;oBACL,CAAC;oBACD,OAAO,CAAC,GAAG,EAAE,CAAC;oBACd,SAAS;gBACX,CAAC;gBAED,wBAAwB;gBACxB,MAAM,GAAG,GAAG,KAAK,EAAE,CAAC;gBACpB,MAAM,KAAK,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;gBAC9B,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,GAAG,CAAC,KAAK,EAAE;oBACjD,KAAK,EAAE,QAAQ,CAAC,KAAK;oBACrB,MAAM,EAAE,QAAQ,CAAC,MAAM;oBACvB,OAAO,EAAE,QAAQ,CAAC,OAAO;oBACzB,kBAAkB,EAAE,QAAQ,CAAC,kBAAkB;iBAChD,CAAC,CAAC;gBACH,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;oBAC7B,kEAAkE;oBAClE,iCAAiC;oBACjC,OAAO,CAAC,KAAK,EAAE,CAAC;oBAChB,SAAS;gBACX,CAAC;gBACD,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;oBAC5B,kEAAkE;oBAClE,iEAAiE;oBACjE,uEAAuE;oBACvE,OAAO,CAAC,GAAG,EAAE,CAAC;oBACd,SAAS;gBACX,CAAC;gBACD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;gBAChC,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC3D,sEAAsE;gBACtE,wEAAwE;gBACxE,qEAAqE;gBACrE,uBAAuB;gBACvB,MAAM,OAAO,CAAC,GAAG,CACf,WAAW,CAAC,GAAG,CAAC,CAAC,UAAU,EAAE,EAAE,CAC7B,mBAAmB,CAAC,UAAU,EAAE,OAAO,EAAE,QAAQ,CAAC,MAAM,EAAE;oBACxD,KAAK,EAAE,QAAQ,CAAC,KAAK;oBACrB,MAAM,EAAE,QAAQ,CAAC,MAAM;oBACvB,OAAO,EAAE,QAAQ,CAAC,OAAO;oBACzB,kBAAkB,EAAE,QAAQ,CAAC,kBAAkB;iBAChD,CAAC,CACH,CACF,CAAC;gBACF,OAAO,CAAC,GAAG,EAAE,CAAC;YAChB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,oEAAoE;gBACpE,oEAAoE;gBACpE,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,CAAC,UAAU,EAAE;oBAChD,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;iBACnD,CAAC,CAAC;gBACH,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,CAAC;QACH,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}