@dwk/websub 0.1.0-beta.0

package/dist/distribute.d.ts

@@ -0,0 +1,109 @@
+/**
+ * `@dwk/websub` — signed content distribution.
+ *
+ * On publish, the hub fetches the topic's current content and `POST`s it to every
+ * active subscriber's callback (WebSub §7). When a subscriber registered a
+ * `hub.secret`, the body is authenticated with an HMAC signature in the
+ * `X-Hub-Signature: <method>=<hex>` header so the subscriber can verify the
+ * delivery came from this hub (§8). The digest method is a hub-level config
+ * option (`sha256` by default; `sha1`/`sha384`/`sha512` are also permitted by
+ * §8 and selected via `signatureAlgorithm`). Deliveries carry `Link` headers
+ * advertising
+ * the hub (`rel="hub"`) and the topic (`rel="self"`). Every POST goes through
+ * {@link safeFetch}. See `spec/packages/websub.md`.
+ *
+ * @packageDocumentation
+ */
+import { type Logger, type Metrics } from "@dwk/log";
+import type { FetchLike } from "./fetch";
+import type { Subscription } from "./store";
+/** A topic's current content, as fetched from the topic URL. */
+export interface TopicContent {
+    /** The raw body bytes to forward to subscribers. */
+    readonly body: Uint8Array;
+    /** The topic's `Content-Type`, forwarded verbatim to subscribers. */
+    readonly contentType: string;
+}
+/**
+ * The HMAC digest methods WebSub §8 permits for `X-Hub-Signature`. The method
+ * name is emitted verbatim as the header's `<method>=` prefix, so it must match
+ * the WebSub spelling (`sha1`, not `sha-1`).
+ */
+export type SignatureAlgorithm = "sha1" | "sha256" | "sha384" | "sha512";
+/** WebSub's secure default signature method; SHA-1 interop is opt-in only. */
+export declare const DEFAULT_SIGNATURE_ALGORITHM: SignatureAlgorithm;
+/** Outcome of delivering content to one subscriber. */
+export interface DeliveryResult {
+    readonly callback: string;
+    /** Whether the callback accepted the delivery (2xx). */
+    readonly delivered: boolean;
+    /** The delivery's HTTP status (`0` when the POST threw or was blocked). */
+    readonly status: number;
+}
+/**
+ * Compute the `X-Hub-Signature` value for `body` under `secret`:
+ * `<method>=<lowercase hex HMAC>` (WebSub §8). `method` defaults to the secure
+ * `sha256`; WebSub also permits `sha1`/`sha384`/`sha512`. The header prefix is
+ * the WebSub method name verbatim (e.g. `sha1=`, not `sha-1=`).
+ */
+export declare function contentSignature(secret: string, body: Uint8Array, method?: SignatureAlgorithm): Promise<string>;
+/** Build the `Link` header advertising this hub and the topic (WebSub §5.1). */
+export declare function buildLinkHeader(hubUrl: string, topic: string): string;
+/** Inputs shared by distribution helpers. */
+export interface DistributeOptions {
+    readonly fetch?: FetchLike;
+    readonly logger?: Logger;
+    readonly metrics?: Metrics;
+    /**
+     * HMAC method used for the `X-Hub-Signature` header. WebSub §8 has no
+     * per-request method parameter, so this is a hub-level choice; it defaults to
+     * the secure {@link DEFAULT_SIGNATURE_ALGORITHM} (`sha256`). Set it to `sha1`
+     * only for interop with subscribers that require the legacy method.
+     */
+    readonly signatureAlgorithm?: SignatureAlgorithm;
+    /**
+     * Media type to forward when the topic response declares no `Content-Type`.
+     * WebSub §7 requires the distribution `Content-Type` to correspond to the
+     * topic's, so the hub never fabricates a generic `application/octet-stream`:
+     * when the topic omits the header and no fallback is configured here, the
+     * content is refused rather than mislabeled.
+     */
+    readonly defaultContentType?: string;
+}
+/**
+ * Outcome of {@link fetchTopicContent}, telling the caller what to do with the
+ * queue message:
+ *
+ * - **`ok`** — the topic's current content, ready to fan out.
+ * - **`retry`** — a transient failure (topic unreachable, non-2xx, or an
+ *   over-cap body that may be a truncated response): re-enqueue and try later.
+ * - **`drop`** — a deterministic refusal that re-fetching cannot fix, so the
+ *   caller acks rather than burning retries and re-hammering the topic. Today
+ *   this is a topic that declares no `Content-Type` and for which no
+ *   {@link DistributeOptions.defaultContentType} fallback is configured, since
+ *   forwarding it would mislabel the feed (WebSub §7).
+ */
+export type TopicFetchResult = {
+    readonly kind: "ok";
+    readonly content: TopicContent;
+} | {
+    readonly kind: "retry";
+} | {
+    readonly kind: "drop";
+};
+/**
+ * Fetch the topic's current content through {@link safeFetch}, classifying the
+ * outcome as `ok` / `retry` / `drop` (see {@link TopicFetchResult}). A missing,
+ * unlabelable `Content-Type` is a `drop` — a permanent format/config error that
+ * retrying would only turn into a self-inflicted hammering of the topic — while
+ * unreachable/non-2xx/over-cap responses are transient `retry`s.
+ */
+export declare function fetchTopicContent(topic: string, options?: DistributeOptions): Promise<TopicFetchResult>;
+/**
+ * Deliver `content` to one subscriber. POSTs the body with the topic's
+ * `Content-Type`, the hub/self `Link` header, and — when the subscription
+ * carries a secret — the `X-Hub-Signature`. Never throws: a failed or blocked
+ * POST is reported as `delivered: false`.
+ */
+export declare function deliverToSubscriber(subscription: Subscription, content: TopicContent, hubUrl: string, options?: DistributeOptions): Promise<DeliveryResult>;
+//# sourceMappingURL=distribute.d.ts.map

package/dist/distribute.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"distribute.d.ts","sourceRoot":"","sources":["../src/distribute.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAIL,KAAK,MAAM,EACX,KAAK,OAAO,EACb,MAAM,UAAU,CAAC;AAClB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAIzC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE5C,gEAAgE;AAChE,MAAM,WAAW,YAAY;IAC3B,oDAAoD;IACpD,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,qEAAqE;IACrE,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAED;;;;GAIG;AACH,MAAM,MAAM,kBAAkB,GAAG,MAAM,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAUzE,8EAA8E;AAC9E,eAAO,MAAM,2BAA2B,EAAE,kBAA6B,CAAC;AAExE,uDAAuD;AACvD,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,wDAAwD;IACxD,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B,2EAA2E;IAC3E,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,UAAU,EAChB,MAAM,GAAE,kBAAgD,GACvD,OAAO,CAAC,MAAM,CAAC,CAajB;AAED,gFAAgF;AAChF,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAErE;AAED,6CAA6C;AAC7C,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,KAAK,CAAC,EAAE,SAAS,CAAC;IAC3B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;IAC3B;;;;;OAKG;IACH,QAAQ,CAAC,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IACjD;;;;;;OAMG;IACH,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;CACtC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,gBAAgB,GACxB;IAAE,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IAAC,QAAQ,CAAC,OAAO,EAAE,YAAY,CAAA;CAAE,GACvD;IAAE,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAA;CAAE,GAC1B;IAAE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC;AAE9B;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,iBAAiB,GAC1B,OAAO,CAAC,gBAAgB,CAAC,CAoD3B;AAED;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,YAAY,EAAE,YAAY,EAC1B,OAAO,EAAE,YAAY,EACrB,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,iBAAiB,GAC1B,OAAO,CAAC,cAAc,CAAC,CA8CzB"}

package/dist/distribute.js

@@ -0,0 +1,140 @@
+/**
+ * `@dwk/websub` — signed content distribution.
+ *
+ * On publish, the hub fetches the topic's current content and `POST`s it to every
+ * active subscriber's callback (WebSub §7). When a subscriber registered a
+ * `hub.secret`, the body is authenticated with an HMAC signature in the
+ * `X-Hub-Signature: <method>=<hex>` header so the subscriber can verify the
+ * delivery came from this hub (§8). The digest method is a hub-level config
+ * option (`sha256` by default; `sha1`/`sha384`/`sha512` are also permitted by
+ * §8 and selected via `signatureAlgorithm`). Deliveries carry `Link` headers
+ * advertising
+ * the hub (`rel="hub"`) and the topic (`rel="self"`). Every POST goes through
+ * {@link safeFetch}. See `spec/packages/websub.md`.
+ *
+ * @packageDocumentation
+ */
+import { hostFromUrl, noopLogger, noopMetrics, } from "@dwk/log";
+import { readBytesCapped } from "./fetch";
+import { WebSubLogEvent } from "./log";
+import { safeFetch } from "./safe-fetch";
+/** Map a WebSub signature method name to its WebCrypto SHA hash name. */
+const HASH_FOR_METHOD = {
+    sha1: "SHA-1",
+    sha256: "SHA-256",
+    sha384: "SHA-384",
+    sha512: "SHA-512",
+};
+/** WebSub's secure default signature method; SHA-1 interop is opt-in only. */
+export const DEFAULT_SIGNATURE_ALGORITHM = "sha256";
+/**
+ * Compute the `X-Hub-Signature` value for `body` under `secret`:
+ * `<method>=<lowercase hex HMAC>` (WebSub §8). `method` defaults to the secure
+ * `sha256`; WebSub also permits `sha1`/`sha384`/`sha512`. The header prefix is
+ * the WebSub method name verbatim (e.g. `sha1=`, not `sha-1=`).
+ */
+export async function contentSignature(secret, body, method = DEFAULT_SIGNATURE_ALGORITHM) {
+    const key = await crypto.subtle.importKey("raw", new TextEncoder().encode(secret), { name: "HMAC", hash: HASH_FOR_METHOD[method] }, false, ["sign"]);
+    const mac = await crypto.subtle.sign("HMAC", key, body);
+    const hex = [...new Uint8Array(mac)]
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+    return `${method}=${hex}`;
+}
+/** Build the `Link` header advertising this hub and the topic (WebSub §5.1). */
+export function buildLinkHeader(hubUrl, topic) {
+    return `<${hubUrl}>; rel="hub", <${topic}>; rel="self"`;
+}
+/**
+ * Fetch the topic's current content through {@link safeFetch}, classifying the
+ * outcome as `ok` / `retry` / `drop` (see {@link TopicFetchResult}). A missing,
+ * unlabelable `Content-Type` is a `drop` — a permanent format/config error that
+ * retrying would only turn into a self-inflicted hammering of the topic — while
+ * unreachable/non-2xx/over-cap responses are transient `retry`s.
+ */
+export async function fetchTopicContent(topic, options) {
+    const doFetch = options?.fetch ?? ((input, init) => fetch(input, init));
+    const logger = options?.logger ?? noopLogger;
+    const metrics = options?.metrics ?? noopMetrics;
+    let response;
+    try {
+        const result = await safeFetch(doFetch, topic, { method: "GET" }, { logger, metrics });
+        response = result.response;
+    }
+    catch {
+        const fields = { topicHost: hostFromUrl(topic), status: 0 };
+        logger.warn(WebSubLogEvent.TopicFetchFailed, fields);
+        metrics.count(WebSubLogEvent.TopicFetchFailed, fields);
+        return { kind: "retry" };
+    }
+    if (!response.ok) {
+        await response.body?.cancel().catch(() => undefined);
+        const fields = { topicHost: hostFromUrl(topic), status: response.status };
+        logger.warn(WebSubLogEvent.TopicFetchFailed, fields);
+        metrics.count(WebSubLogEvent.TopicFetchFailed, fields);
+        return { kind: "retry" };
+    }
+    const contentType = response.headers.get("content-type") ?? options?.defaultContentType;
+    if (contentType === undefined || contentType === "") {
+        // WebSub §7: the distribution Content-Type MUST correspond to the topic's.
+        // With neither a topic header nor a configured fallback, forwarding would
+        // mislabel the feed. Re-fetching can't conjure a Content-Type, so drop the
+        // job (the caller acks) rather than retry — retrying would only clog the
+        // queue and re-hammer the topic for a permanent configuration error.
+        await response.body?.cancel().catch(() => undefined);
+        const fields = { topicHost: hostFromUrl(topic), status: response.status };
+        logger.warn(WebSubLogEvent.TopicContentTypeMissing, fields);
+        metrics.count(WebSubLogEvent.TopicContentTypeMissing, fields);
+        return { kind: "drop" };
+    }
+    const body = await readBytesCapped(response);
+    if (body === null) {
+        const fields = { topicHost: hostFromUrl(topic), status: response.status };
+        logger.warn(WebSubLogEvent.TopicFetchFailed, fields);
+        metrics.count(WebSubLogEvent.TopicFetchFailed, fields);
+        return { kind: "retry" };
+    }
+    return { kind: "ok", content: { body, contentType } };
+}
+/**
+ * Deliver `content` to one subscriber. POSTs the body with the topic's
+ * `Content-Type`, the hub/self `Link` header, and — when the subscription
+ * carries a secret — the `X-Hub-Signature`. Never throws: a failed or blocked
+ * POST is reported as `delivered: false`.
+ */
+export async function deliverToSubscriber(subscription, content, hubUrl, options) {
+    const doFetch = options?.fetch ?? ((input, init) => fetch(input, init));
+    const logger = options?.logger ?? noopLogger;
+    const metrics = options?.metrics ?? noopMetrics;
+    const headers = {
+        "content-type": content.contentType,
+        link: buildLinkHeader(hubUrl, subscription.topic),
+    };
+    if (subscription.secret !== null) {
+        headers["x-hub-signature"] = await contentSignature(subscription.secret, content.body, options?.signatureAlgorithm ?? DEFAULT_SIGNATURE_ALGORITHM);
+    }
+    const finish = (delivered, status) => {
+        const fields = {
+            callbackHost: hostFromUrl(subscription.callback),
+            delivered,
+            status,
+        };
+        logger.info(WebSubLogEvent.DeliveryCompleted, fields);
+        metrics.count(WebSubLogEvent.DeliveryCompleted, fields);
+        return { callback: subscription.callback, delivered, status };
+    };
+    try {
+        const result = await safeFetch(doFetch, subscription.callback, {
+            method: "POST",
+            headers,
+            // `content.body` is a Uint8Array; pass its backing buffer as the body.
+            body: content.body,
+        }, { logger, metrics });
+        await result.response.body?.cancel().catch(() => undefined);
+        return finish(result.response.ok, result.response.status);
+    }
+    catch {
+        return finish(false, 0);
+    }
+}
+//# sourceMappingURL=distribute.js.map

package/dist/distribute.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"distribute.js","sourceRoot":"","sources":["../src/distribute.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EACL,WAAW,EACX,UAAU,EACV,WAAW,GAGZ,MAAM,UAAU,CAAC;AAElB,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,MAAM,OAAO,CAAC;AACvC,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAkBzC,yEAAyE;AACzE,MAAM,eAAe,GAAuC;IAC1D,IAAI,EAAE,OAAO;IACb,MAAM,EAAE,SAAS;IACjB,MAAM,EAAE,SAAS;IACjB,MAAM,EAAE,SAAS;CAClB,CAAC;AAEF,8EAA8E;AAC9E,MAAM,CAAC,MAAM,2BAA2B,GAAuB,QAAQ,CAAC;AAWxE;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,MAAc,EACd,IAAgB,EAChB,SAA6B,2BAA2B;IAExD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,EAChC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,eAAe,CAAC,MAAM,CAAC,EAAE,EAC/C,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;IACF,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,IAAoB,CAAC,CAAC;IACxE,MAAM,GAAG,GAAG,CAAC,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;SACjC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;IACZ,OAAO,GAAG,MAAM,IAAI,GAAG,EAAE,CAAC;AAC5B,CAAC;AAED,gFAAgF;AAChF,MAAM,UAAU,eAAe,CAAC,MAAc,EAAE,KAAa;IAC3D,OAAO,IAAI,MAAM,kBAAkB,KAAK,eAAe,CAAC;AAC1D,CAAC;AA0CD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,KAAa,EACb,OAA2B;IAE3B,MAAM,OAAO,GACX,OAAO,EAAE,KAAK,IAAI,CAAC,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC;IAC1D,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM,IAAI,UAAU,CAAC;IAC7C,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,WAAW,CAAC;IAEhD,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAC5B,OAAO,EACP,KAAK,EACL,EAAE,MAAM,EAAE,KAAK,EAAE,EACjB,EAAE,MAAM,EAAE,OAAO,EAAE,CACpB,CAAC;QACF,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,MAAM,GAAG,EAAE,SAAS,EAAE,WAAW,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;QAC5D,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;QACrD,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;QACvD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IAC3B,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QACrD,MAAM,MAAM,GAAG,EAAE,SAAS,EAAE,WAAW,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC;QAC1E,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;QACrD,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;QACvD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IAC3B,CAAC;IAED,MAAM,WAAW,GACf,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,OAAO,EAAE,kBAAkB,CAAC;IACtE,IAAI,WAAW,KAAK,SAAS,IAAI,WAAW,KAAK,EAAE,EAAE,CAAC;QACpD,2EAA2E;QAC3E,0EAA0E;QAC1E,2EAA2E;QAC3E,yEAAyE;QACzE,qEAAqE;QACrE,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QACrD,MAAM,MAAM,GAAG,EAAE,SAAS,EAAE,WAAW,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC;QAC1E,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;QAC5D,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;QAC9D,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IAC1B,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;IAC7C,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;QAClB,MAAM,MAAM,GAAG,EAAE,SAAS,EAAE,WAAW,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC;QAC1E,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;QACrD,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;QACvD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IAC3B,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC;AACxD,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,YAA0B,EAC1B,OAAqB,EACrB,MAAc,EACd,OAA2B;IAE3B,MAAM,OAAO,GACX,OAAO,EAAE,KAAK,IAAI,CAAC,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC;IAC1D,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM,IAAI,UAAU,CAAC;IAC7C,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,WAAW,CAAC;IAEhD,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,OAAO,CAAC,WAAW;QACnC,IAAI,EAAE,eAAe,CAAC,MAAM,EAAE,YAAY,CAAC,KAAK,CAAC;KAClD,CAAC;IACF,IAAI,YAAY,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;QACjC,OAAO,CAAC,iBAAiB,CAAC,GAAG,MAAM,gBAAgB,CACjD,YAAY,CAAC,MAAM,EACnB,OAAO,CAAC,IAAI,EACZ,OAAO,EAAE,kBAAkB,IAAI,2BAA2B,CAC3D,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,CAAC,SAAkB,EAAE,MAAc,EAAkB,EAAE;QACpE,MAAM,MAAM,GAAG;YACb,YAAY,EAAE,WAAW,CAAC,YAAY,CAAC,QAAQ,CAAC;YAChD,SAAS;YACT,MAAM;SACP,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;QACtD,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;QACxD,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC;IAChE,CAAC,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAC5B,OAAO,EACP,YAAY,CAAC,QAAQ,EACrB;YACE,MAAM,EAAE,MAAM;YACd,OAAO;YACP,uEAAuE;YACvE,IAAI,EAAE,OAAO,CAAC,IAAgB;SAC/B,EACD,EAAE,MAAM,EAAE,OAAO,EAAE,CACpB,CAAC;QACF,MAAM,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QAC5D,OAAO,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC5D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC1B,CAAC;AACH,CAAC"}

package/dist/fetch.d.ts

@@ -0,0 +1,28 @@
+/**
+ * `@dwk/websub` — injectable `fetch` type and a body-size cap.
+ *
+ * Intent verification, topic fetching, and content distribution all perform HTTP
+ * I/O. They accept a {@link FetchLike} so callers can inject a stub in tests (no
+ * network) and so the package never reaches for a global it didn't receive.
+ *
+ * @packageDocumentation
+ */
+/** A minimal, injectable `fetch` signature. */
+export type FetchLike = (input: string, init?: RequestInit) => Promise<Response>;
+/**
+ * Default cap on a fetched body (4 MB). A challenge echo is tiny and a feed is
+ * modest; a larger body is almost certainly hostile or irrelevant, and buffering
+ * it would risk an OOM (the Worker memory limit is 128 MB). See
+ * `spec/non-functional-requirements.md`.
+ */
+export declare const MAX_BODY_BYTES: number;
+/**
+ * Read a response body as a `Uint8Array`, refusing bodies larger than `maxBytes`.
+ *
+ * A declared `Content-Length` over the cap is rejected up front; the stream is
+ * then read incrementally and aborted the moment the cap is exceeded, so a
+ * missing or lying `Content-Length` cannot force the whole body into memory.
+ * Returns `null` when the body is too large or cannot be read.
+ */
+export declare function readBytesCapped(response: Response, maxBytes?: number): Promise<Uint8Array | null>;
+//# sourceMappingURL=fetch.d.ts.map

package/dist/fetch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch.d.ts","sourceRoot":"","sources":["../src/fetch.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,+CAA+C;AAC/C,MAAM,MAAM,SAAS,GAAG,CACtB,KAAK,EAAE,MAAM,EACb,IAAI,CAAC,EAAE,WAAW,KACf,OAAO,CAAC,QAAQ,CAAC,CAAC;AAEvB;;;;;GAKG;AACH,eAAO,MAAM,cAAc,QAAkB,CAAC;AAE9C;;;;;;;GAOG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,QAAQ,EAClB,QAAQ,SAAiB,GACxB,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAgD5B"}

package/dist/fetch.js

@@ -0,0 +1,73 @@
+/**
+ * `@dwk/websub` — injectable `fetch` type and a body-size cap.
+ *
+ * Intent verification, topic fetching, and content distribution all perform HTTP
+ * I/O. They accept a {@link FetchLike} so callers can inject a stub in tests (no
+ * network) and so the package never reaches for a global it didn't receive.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Default cap on a fetched body (4 MB). A challenge echo is tiny and a feed is
+ * modest; a larger body is almost certainly hostile or irrelevant, and buffering
+ * it would risk an OOM (the Worker memory limit is 128 MB). See
+ * `spec/non-functional-requirements.md`.
+ */
+export const MAX_BODY_BYTES = 4 * 1024 * 1024;
+/**
+ * Read a response body as a `Uint8Array`, refusing bodies larger than `maxBytes`.
+ *
+ * A declared `Content-Length` over the cap is rejected up front; the stream is
+ * then read incrementally and aborted the moment the cap is exceeded, so a
+ * missing or lying `Content-Length` cannot force the whole body into memory.
+ * Returns `null` when the body is too large or cannot be read.
+ */
+export async function readBytesCapped(response, maxBytes = MAX_BODY_BYTES) {
+    const declared = response.headers.get("content-length");
+    if (declared !== null) {
+        const length = Number.parseInt(declared, 10);
+        if (Number.isFinite(length) && length > maxBytes) {
+            return null;
+        }
+    }
+    const body = response.body;
+    if (body === null) {
+        try {
+            const buffer = await response.arrayBuffer();
+            return buffer.byteLength > maxBytes ? null : new Uint8Array(buffer);
+        }
+        catch {
+            return null;
+        }
+    }
+    const reader = body.getReader();
+    const chunks = [];
+    let total = 0;
+    try {
+        for (;;) {
+            const { done, value } = await reader.read();
+            if (done) {
+                break;
+            }
+            if (value !== undefined) {
+                total += value.byteLength;
+                if (total > maxBytes) {
+                    await reader.cancel();
+                    return null;
+                }
+                chunks.push(value);
+            }
+        }
+    }
+    catch {
+        return null;
+    }
+    const merged = new Uint8Array(total);
+    let offset = 0;
+    for (const chunk of chunks) {
+        merged.set(chunk, offset);
+        offset += chunk.byteLength;
+    }
+    return merged;
+}
+//# sourceMappingURL=fetch.js.map

package/dist/fetch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch.js","sourceRoot":"","sources":["../src/fetch.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAQH;;;;;GAKG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;AAE9C;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,QAAkB,EAClB,QAAQ,GAAG,cAAc;IAEzB,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IACxD,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAC7C,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,MAAM,GAAG,QAAQ,EAAE,CAAC;YACjD,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC;IAC3B,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAC;YAC5C,OAAO,MAAM,CAAC,UAAU,GAAG,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;QACtE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;IAChC,MAAM,MAAM,GAAiB,EAAE,CAAC;IAChC,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,CAAC;QACH,SAAS,CAAC;YACR,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;YAC5C,IAAI,IAAI,EAAE,CAAC;gBACT,MAAM;YACR,CAAC;YACD,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACxB,KAAK,IAAI,KAAK,CAAC,UAAU,CAAC;gBAC1B,IAAI,KAAK,GAAG,QAAQ,EAAE,CAAC;oBACrB,MAAM,MAAM,CAAC,MAAM,EAAE,CAAC;oBACtB,OAAO,IAAI,CAAC;gBACd,CAAC;gBACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACrB,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IACrC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,UAAU,CAAC;IAC7B,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/handler.d.ts

@@ -0,0 +1,43 @@
+/**
+ * `@dwk/websub` — the hub `fetch` handler and publish-notifier factory.
+ *
+ * `createWebSub` builds the WebSub hub endpoint: a single `POST`-only handler,
+ * mountable under any path prefix, that fields subscribe/unsubscribe requests and
+ * publish pings. Slow work (intent verification, content fan-out) is validated
+ * synchronously and pushed onto the queue, so the handler returns `202 Accepted`
+ * fast and the queue consumer (see {@link createWebSubQueueConsumer}) does the
+ * I/O with retries. `createPublishNotifier` is the in-process equivalent of a
+ * publish ping, for the Micropub write / Anglesite rebuild path. See
+ * `spec/packages/websub.md`.
+ *
+ * @packageDocumentation
+ */
+import type { ExecutionContext } from "@cloudflare/workers-types";
+import { type WebSubConfig, type WebSubEnv } from "./config";
+/** A `fetch`-compatible Worker handler. */
+export type WebSubHandler = (request: Request, env: WebSubEnv, ctx: ExecutionContext) => Promise<Response>;
+/**
+ * An in-process publish notifier: call it from the Micropub write path or an
+ * Anglesite rebuild hook to enqueue distribution of `topic` to its subscribers.
+ */
+export type PublishNotifier = (env: WebSubEnv, topic: string) => Promise<void>;
+/**
+ * Build the WebSub hub handler from configuration.
+ *
+ * Accepts a form-encoded `POST`. `hub.mode=subscribe|unsubscribe` is validated
+ * and the verification-of-intent job enqueued (`202`); `hub.mode=publish`
+ * enqueues a distribution job (`202`). Invalid requests get `400` with a stable
+ * error code; other methods get `405`. Fails loudly if `WEBSUB_QUEUE` is missing.
+ */
+export declare function createWebSub(config: WebSubConfig): WebSubHandler;
+/**
+ * Build an in-process publish notifier. The returned function enqueues a
+ * distribution job for `topic` (after checking it is a topic this hub serves),
+ * so a Micropub write or static rebuild can fan out a push without going through
+ * the HTTP publish endpoint.
+ *
+ * @throws when `topic` is not one this hub serves — a caller wiring this into its
+ * own write path should only ever publish its own feeds.
+ */
+export declare function createPublishNotifier(config: WebSubConfig): PublishNotifier;
+//# sourceMappingURL=handler.d.ts.map

package/dist/handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../src/handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAClE,OAAO,EAGL,KAAK,YAAY,EACjB,KAAK,SAAS,EACf,MAAM,UAAU,CAAC;AAIlB,2CAA2C;AAC3C,MAAM,MAAM,aAAa,GAAG,CAC1B,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,SAAS,EACd,GAAG,EAAE,gBAAgB,KAClB,OAAO,CAAC,QAAQ,CAAC,CAAC;AAEvB;;;GAGG;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,GAAG,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;AAyB/E;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,YAAY,GAAG,aAAa,CAmEhE;AAED;;;;;;;;GAQG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,YAAY,GAAG,eAAe,CAc3E"}

package/dist/handler.js

@@ -0,0 +1,127 @@
+/**
+ * `@dwk/websub` — the hub `fetch` handler and publish-notifier factory.
+ *
+ * `createWebSub` builds the WebSub hub endpoint: a single `POST`-only handler,
+ * mountable under any path prefix, that fields subscribe/unsubscribe requests and
+ * publish pings. Slow work (intent verification, content fan-out) is validated
+ * synchronously and pushed onto the queue, so the handler returns `202 Accepted`
+ * fast and the queue consumer (see {@link createWebSubQueueConsumer}) does the
+ * I/O with retries. `createPublishNotifier` is the in-process equivalent of a
+ * publish ping, for the Micropub write / Anglesite rebuild path. See
+ * `spec/packages/websub.md`.
+ *
+ * @packageDocumentation
+ */
+import { hostFromUrl } from "@dwk/log";
+import { resolveConfig, } from "./config";
+import { WebSubLogEvent } from "./log";
+import { readHubParams, validatePublish, validateSubscribe } from "./validate";
+function textResponse(status, body) {
+    return new Response(body, {
+        status,
+        headers: { "content-type": "text/plain; charset=utf-8" },
+    });
+}
+function requireQueue(env) {
+    if (env.WEBSUB_QUEUE === undefined) {
+        throw new Error("@dwk/websub: missing required binding WEBSUB_QUEUE.");
+    }
+}
+function emit(config, level, event, fields) {
+    config.logger[level](event, fields);
+    config.metrics.count(event, fields);
+}
+/**
+ * Build the WebSub hub handler from configuration.
+ *
+ * Accepts a form-encoded `POST`. `hub.mode=subscribe|unsubscribe` is validated
+ * and the verification-of-intent job enqueued (`202`); `hub.mode=publish`
+ * enqueues a distribution job (`202`). Invalid requests get `400` with a stable
+ * error code; other methods get `405`. Fails loudly if `WEBSUB_QUEUE` is missing.
+ */
+export function createWebSub(config) {
+    const resolved = resolveConfig(config);
+    return async (request, env, _ctx) => {
+        if (request.method !== "POST") {
+            return new Response("Method Not Allowed", {
+                status: 405,
+                headers: { allow: "POST" },
+            });
+        }
+        requireQueue(env);
+        let form;
+        try {
+            form = await request.formData();
+        }
+        catch {
+            return textResponse(400, "invalid_request");
+        }
+        // Lift the form into a string-only URLSearchParams; a `File`-valued field
+        // (multipart upload) is not a valid `hub.*` parameter and is dropped.
+        const search = new URLSearchParams();
+        for (const [key, value] of form.entries()) {
+            if (typeof value === "string") {
+                search.append(key, value);
+            }
+        }
+        const params = readHubParams(search);
+        if (params.mode === "publish") {
+            const result = validatePublish(params, resolved);
+            if (!result.ok) {
+                emit(resolved, "warn", WebSubLogEvent.PublishRejected, {
+                    reason: result.error,
+                });
+                return textResponse(400, result.error);
+            }
+            await env.WEBSUB_QUEUE.send({ kind: "distribute", topic: result.topic });
+            emit(resolved, "info", WebSubLogEvent.PublishAccepted, {
+                topicHost: hostFromUrl(result.topic),
+            });
+            return new Response(null, { status: 202 });
+        }
+        const result = validateSubscribe(params, resolved);
+        if (!result.ok) {
+            emit(resolved, "warn", WebSubLogEvent.RequestRejected, {
+                reason: result.error,
+            });
+            return textResponse(400, result.error);
+        }
+        await env.WEBSUB_QUEUE.send({
+            kind: "verify",
+            mode: result.mode,
+            callback: result.callback,
+            topic: result.topic,
+            leaseSeconds: result.leaseSeconds,
+            ...(result.secret !== undefined ? { secret: result.secret } : {}),
+        });
+        emit(resolved, "info", WebSubLogEvent.RequestAccepted, {
+            mode: result.mode,
+            callbackHost: hostFromUrl(result.callback),
+            topicHost: hostFromUrl(result.topic),
+        });
+        return new Response(null, { status: 202 });
+    };
+}
+/**
+ * Build an in-process publish notifier. The returned function enqueues a
+ * distribution job for `topic` (after checking it is a topic this hub serves),
+ * so a Micropub write or static rebuild can fan out a push without going through
+ * the HTTP publish endpoint.
+ *
+ * @throws when `topic` is not one this hub serves — a caller wiring this into its
+ * own write path should only ever publish its own feeds.
+ */
+export function createPublishNotifier(config) {
+    const resolved = resolveConfig(config);
+    return async (env, topic) => {
+        requireQueue(env);
+        if (!resolved.isAllowedTopic(topic)) {
+            throw new Error(`@dwk/websub: refusing to publish unsupported topic ${hostFromUrl(topic) ?? "<invalid>"}.`);
+        }
+        await env.WEBSUB_QUEUE.send({ kind: "distribute", topic });
+        emit(resolved, "info", WebSubLogEvent.PublishAccepted, {
+            topicHost: hostFromUrl(topic),
+        });
+    };
+}
+//# sourceMappingURL=handler.js.map

package/dist/handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.js","sourceRoot":"","sources":["../src/handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,WAAW,EAAkB,MAAM,UAAU,CAAC;AAEvD,OAAO,EACL,aAAa,GAId,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,cAAc,EAAE,MAAM,OAAO,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAe/E,SAAS,YAAY,CAAC,MAAc,EAAE,IAAY;IAChD,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;QACxB,MAAM;QACN,OAAO,EAAE,EAAE,cAAc,EAAE,2BAA2B,EAAE;KACzD,CAAC,CAAC;AACL,CAAC;AAED,SAAS,YAAY,CAAC,GAAc;IAClC,IAAI,GAAG,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;AACH,CAAC;AAED,SAAS,IAAI,CACX,MAAsB,EACtB,KAAsB,EACtB,KAAa,EACb,MAAkB;IAElB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACpC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;AACtC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAAC,MAAoB;IAC/C,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,OAAO,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAClC,IAAI,OAAO,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC9B,OAAO,IAAI,QAAQ,CAAC,oBAAoB,EAAE;gBACxC,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE;aAC3B,CAAC,CAAC;QACL,CAAC;QAED,YAAY,CAAC,GAAG,CAAC,CAAC;QAElB,IAAI,IAAc,CAAC;QACnB,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,OAAO,CAAC,QAAQ,EAAE,CAAC;QAClC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,YAAY,CAAC,GAAG,EAAE,iBAAiB,CAAC,CAAC;QAC9C,CAAC;QAED,0EAA0E;QAC1E,sEAAsE;QACtE,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;QACrC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;YAC1C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;QACD,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;QAErC,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,eAAe,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YACjD,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;gBACf,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,CAAC,eAAe,EAAE;oBACrD,MAAM,EAAE,MAAM,CAAC,KAAK;iBACrB,CAAC,CAAC;gBACH,OAAO,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;YACzC,CAAC;YACD,MAAM,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;YACzE,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,CAAC,eAAe,EAAE;gBACrD,SAAS,EAAE,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC;aACrC,CAAC,CAAC;YACH,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC7C,CAAC;QAED,MAAM,MAAM,GAAG,iBAAiB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACnD,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;YACf,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,CAAC,eAAe,EAAE;gBACrD,MAAM,EAAE,MAAM,CAAC,KAAK;aACrB,CAAC,CAAC;YACH,OAAO,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QACzC,CAAC;QAED,MAAM,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC;YAC1B,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,GAAG,CAAC,MAAM,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAClE,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,CAAC,eAAe,EAAE;YACrD,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,YAAY,EAAE,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC;YAC1C,SAAS,EAAE,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC;SACrC,CAAC,CAAC;QACH,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IAC7C,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAoB;IACxD,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,OAAO,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE;QAC1B,YAAY,CAAC,GAAG,CAAC,CAAC;QAClB,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CACb,sDAAsD,WAAW,CAAC,KAAK,CAAC,IAAI,WAAW,GAAG,CAC3F,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,CAAC;QAC3D,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,CAAC,eAAe,EAAE;YACrD,SAAS,EAAE,WAAW,CAAC,KAAK,CAAC;SAC9B,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,32 @@
+/**
+ * `@dwk/websub` — WebSub (W3C) hub.
+ *
+ * Endpoint package. The publish-side, real-time complement to `@dwk/webmention`:
+ * subscribers receive a push when the user's feed changes instead of polling. The
+ * hub fields `hub.mode=subscribe|unsubscribe` requests (validated synchronously,
+ * verified-of-intent and persisted asynchronously) and publish pings, keeps a
+ * strongly-consistent D1 subscription store with lease expiry, and on publish
+ * fans the topic's content out to every verified callback — signing the body with
+ * HMAC-SHA256 (`X-Hub-Signature`) when the subscriber registered a secret. The
+ * feeds themselves are static SSG artifacts (Anglesite's job, including the
+ * `Link rel="hub"`/`rel="self"` advertisement); this package is only the dynamic
+ * layer. Cloudflare specifics (D1, Queue) are confined here; validation, lease
+ * math, verification, and signing are pure and unit-test without a Workers
+ * runtime.
+ *
+ * @see spec/packages/websub.md
+ * @packageDocumentation
+ */
+export { createWebSub, createPublishNotifier, type WebSubHandler, type PublishNotifier, } from "./handler";
+export { createWebSubQueueConsumer, type WebSubQueueConsumer, type ConsumerOptions, } from "./consumer";
+export { resolveConfig, normalizeTopic, clampLease, DEFAULT_MIN_LEASE_SECONDS, DEFAULT_MAX_LEASE_SECONDS, type WebSubConfig, type WebSubEnv, type ResolvedConfig, } from "./config";
+export { createD1SubscriptionStore, type SubscriptionStore, type Subscription, type SubscriptionUpsert, type D1StoreOptions, } from "./store";
+export { validateSubscribe, validatePublish, readHubParams, MAX_SECRET_BYTES, type SubscribeResult, type SubscribeRequest, type SubscribeError, type PublishResult, type PublishRequest, type PublishError, type RawHubParams, } from "./validate";
+export { verifyIntent, buildVerificationUrl, generateChallenge, notifyDenial, buildDenialUrl, type VerifyIntentOptions, type VerifyIntentResult, type NotifyDenialOptions, } from "./verify";
+export { contentSignature, buildLinkHeader, fetchTopicContent, deliverToSubscriber, DEFAULT_SIGNATURE_ALGORITHM, type SignatureAlgorithm, type TopicContent, type TopicFetchResult, type DeliveryResult, type DistributeOptions, } from "./distribute";
+export type { WebSubJob, VerifyJob, DistributeJob } from "./queue";
+export type { FetchLike } from "./fetch";
+export { safeFetch, assertPublicUrl, isPrivateOrReservedHost, SsrfError, DEFAULT_MAX_REDIRECTS, DEFAULT_TIMEOUT_MS, type SafeFetchOptions, type SafeFetchResult, type SsrfReason, } from "./safe-fetch";
+export { WebSubLogEvent } from "./log";
+export type { Logger, Metrics } from "@dwk/log";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EACL,YAAY,EACZ,qBAAqB,EACrB,KAAK,aAAa,EAClB,KAAK,eAAe,GACrB,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,yBAAyB,EACzB,KAAK,mBAAmB,EACxB,KAAK,eAAe,GACrB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,aAAa,EACb,cAAc,EACd,UAAU,EACV,yBAAyB,EACzB,yBAAyB,EACzB,KAAK,YAAY,EACjB,KAAK,SAAS,EACd,KAAK,cAAc,GACpB,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,yBAAyB,EACzB,KAAK,iBAAiB,EACtB,KAAK,YAAY,EACjB,KAAK,kBAAkB,EACvB,KAAK,cAAc,GACpB,MAAM,SAAS,CAAC;AACjB,OAAO,EACL,iBAAiB,EACjB,eAAe,EACf,aAAa,EACb,gBAAgB,EAChB,KAAK,eAAe,EACpB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,aAAa,EAClB,KAAK,cAAc,EACnB,KAAK,YAAY,EACjB,KAAK,YAAY,GAClB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,YAAY,EACZ,oBAAoB,EACpB,iBAAiB,EACjB,YAAY,EACZ,cAAc,EACd,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,GACzB,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,gBAAgB,EAChB,eAAe,EACf,iBAAiB,EACjB,mBAAmB,EACnB,2BAA2B,EAC3B,KAAK,kBAAkB,EACvB,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,iBAAiB,GACvB,MAAM,cAAc,CAAC;AACtB,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACnE,YAAY,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EACL,SAAS,EACT,eAAe,EACf,uBAAuB,EACvB,SAAS,EACT,qBAAqB,EACrB,kBAAkB,EAClB,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACpB,KAAK,UAAU,GAChB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,cAAc,EAAE,MAAM,OAAO,CAAC;AACvC,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC"}

package/dist/index.js

@@ -0,0 +1,29 @@
+/**
+ * `@dwk/websub` — WebSub (W3C) hub.
+ *
+ * Endpoint package. The publish-side, real-time complement to `@dwk/webmention`:
+ * subscribers receive a push when the user's feed changes instead of polling. The
+ * hub fields `hub.mode=subscribe|unsubscribe` requests (validated synchronously,
+ * verified-of-intent and persisted asynchronously) and publish pings, keeps a
+ * strongly-consistent D1 subscription store with lease expiry, and on publish
+ * fans the topic's content out to every verified callback — signing the body with
+ * HMAC-SHA256 (`X-Hub-Signature`) when the subscriber registered a secret. The
+ * feeds themselves are static SSG artifacts (Anglesite's job, including the
+ * `Link rel="hub"`/`rel="self"` advertisement); this package is only the dynamic
+ * layer. Cloudflare specifics (D1, Queue) are confined here; validation, lease
+ * math, verification, and signing are pure and unit-test without a Workers
+ * runtime.
+ *
+ * @see spec/packages/websub.md
+ * @packageDocumentation
+ */
+export { createWebSub, createPublishNotifier, } from "./handler";
+export { createWebSubQueueConsumer, } from "./consumer";
+export { resolveConfig, normalizeTopic, clampLease, DEFAULT_MIN_LEASE_SECONDS, DEFAULT_MAX_LEASE_SECONDS, } from "./config";
+export { createD1SubscriptionStore, } from "./store";
+export { validateSubscribe, validatePublish, readHubParams, MAX_SECRET_BYTES, } from "./validate";
+export { verifyIntent, buildVerificationUrl, generateChallenge, notifyDenial, buildDenialUrl, } from "./verify";
+export { contentSignature, buildLinkHeader, fetchTopicContent, deliverToSubscriber, DEFAULT_SIGNATURE_ALGORITHM, } from "./distribute";
+export { safeFetch, assertPublicUrl, isPrivateOrReservedHost, SsrfError, DEFAULT_MAX_REDIRECTS, DEFAULT_TIMEOUT_MS, } from "./safe-fetch";
+export { WebSubLogEvent } from "./log";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EACL,YAAY,EACZ,qBAAqB,GAGtB,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,yBAAyB,GAG1B,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,aAAa,EACb,cAAc,EACd,UAAU,EACV,yBAAyB,EACzB,yBAAyB,GAI1B,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,yBAAyB,GAK1B,MAAM,SAAS,CAAC;AACjB,OAAO,EACL,iBAAiB,EACjB,eAAe,EACf,aAAa,EACb,gBAAgB,GAQjB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,YAAY,EACZ,oBAAoB,EACpB,iBAAiB,EACjB,YAAY,EACZ,cAAc,GAIf,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,gBAAgB,EAChB,eAAe,EACf,iBAAiB,EACjB,mBAAmB,EACnB,2BAA2B,GAM5B,MAAM,cAAc,CAAC;AAGtB,OAAO,EACL,SAAS,EACT,eAAe,EACf,uBAAuB,EACvB,SAAS,EACT,qBAAqB,EACrB,kBAAkB,GAInB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,cAAc,EAAE,MAAM,OAAO,CAAC"}