@emisso/sii-api 0.1.0

package/dist/index.js

@@ -0,0 +1,1012 @@
+// src/db/schema/index.ts
+import { pgSchema } from "drizzle-orm/pg-core";
+
+// src/db/schema/credentials.ts
+import {
+  text,
+  timestamp,
+  unique,
+  uuid
+} from "drizzle-orm/pg-core";
+var credentials = siiSchema.table(
+  "credentials",
+  {
+    id: uuid("id").defaultRandom().primaryKey(),
+    tenantId: uuid("tenant_id").notNull(),
+    // NOTE: `env` is typed as SiiEnv at the application layer via Drizzle's $type<>().
+    // A DB-level CHECK constraint (env IN ('production','certification')) should be
+    // added via a future migration to enforce this at the database level as well.
+    env: text("env").notNull().$type(),
+    // TODO: ENCRYPT AT REST — these fields store sensitive SII credentials.
+    // Must implement application-level encryption (AES-256-GCM) before production.
+    certBase64: text("cert_base64"),
+    certPassword: text("cert_password"),
+    portalRut: text("portal_rut"),
+    // TODO: ENCRYPT AT REST — portal password stores sensitive SII credentials.
+    // Must implement application-level encryption (AES-256-GCM) before production.
+    portalPassword: text("portal_password"),
+    createdAt: timestamp("created_at").notNull().defaultNow(),
+    updatedAt: timestamp("updated_at").notNull().defaultNow()
+  },
+  (table) => [unique("uq_credentials_tenant_env").on(table.tenantId, table.env)]
+);
+
+// src/db/schema/token-cache.ts
+import {
+  text as text2,
+  timestamp as timestamp2,
+  unique as unique2,
+  uuid as uuid2
+} from "drizzle-orm/pg-core";
+var tokenCache = siiSchema.table(
+  "token_cache",
+  {
+    id: uuid2("id").defaultRandom().primaryKey(),
+    credentialId: uuid2("credential_id").notNull().references(() => credentials.id, { onDelete: "cascade" }),
+    tokenType: text2("token_type").notNull().$type(),
+    tokenValue: text2("token_value").notNull(),
+    expiresAt: timestamp2("expires_at", { withTimezone: true }).notNull(),
+    createdAt: timestamp2("created_at").notNull().defaultNow()
+  },
+  (table) => [unique2("uq_token_cache_cred_type").on(table.credentialId, table.tokenType)]
+);
+
+// src/db/schema/invoices.ts
+import {
+  date,
+  index,
+  integer,
+  jsonb,
+  numeric,
+  text as text3,
+  timestamp as timestamp3,
+  unique as unique3,
+  uuid as uuid3
+} from "drizzle-orm/pg-core";
+var invoices = siiSchema.table(
+  "invoices",
+  {
+    id: uuid3("id").defaultRandom().primaryKey(),
+    tenantId: uuid3("tenant_id").notNull(),
+    documentType: text3("document_type").notNull().$type(),
+    number: integer("number").notNull(),
+    issuerRut: text3("issuer_rut"),
+    issuerName: text3("issuer_name"),
+    receiverRut: text3("receiver_rut"),
+    receiverName: text3("receiver_name"),
+    date: date("date"),
+    netAmount: numeric("net_amount", { precision: 16, scale: 0 }),
+    exemptAmount: numeric("exempt_amount", { precision: 16, scale: 0 }),
+    vatAmount: numeric("vat_amount", { precision: 16, scale: 0 }),
+    totalAmount: numeric("total_amount", { precision: 16, scale: 0 }),
+    taxPeriodYear: integer("tax_period_year").notNull(),
+    taxPeriodMonth: integer("tax_period_month").notNull(),
+    issueType: text3("issue_type").notNull().$type(),
+    confirmationStatus: text3("confirmation_status").$type(),
+    raw: jsonb("raw").$type(),
+    createdAt: timestamp3("created_at").notNull().defaultNow(),
+    updatedAt: timestamp3("updated_at").notNull().defaultNow()
+  },
+  (table) => [
+    unique3("uq_invoices_natural_key").on(
+      table.tenantId,
+      table.documentType,
+      table.number,
+      table.issuerRut,
+      table.receiverRut,
+      table.issueType
+    ),
+    index("idx_invoices_tenant_period").on(
+      table.tenantId,
+      table.taxPeriodYear,
+      table.taxPeriodMonth
+    )
+  ]
+);
+
+// src/db/schema/sync-jobs.ts
+import {
+  integer as integer2,
+  text as text4,
+  timestamp as timestamp4,
+  uuid as uuid4
+} from "drizzle-orm/pg-core";
+var syncJobs = siiSchema.table("sync_jobs", {
+  id: uuid4("id").defaultRandom().primaryKey(),
+  tenantId: uuid4("tenant_id").notNull(),
+  operation: text4("operation").notNull().$type(),
+  periodYear: integer2("period_year").notNull(),
+  periodMonth: integer2("period_month").notNull(),
+  issueType: text4("issue_type").notNull().$type(),
+  status: text4("status").notNull().default("pending").$type(),
+  startedAt: timestamp4("started_at"),
+  completedAt: timestamp4("completed_at"),
+  recordsFetched: integer2("records_fetched"),
+  errorMessage: text4("error_message"),
+  createdAt: timestamp4("created_at").notNull().defaultNow()
+});
+
+// src/db/schema/index.ts
+var siiSchema = pgSchema("sii");
+
+// src/core/effect/app-error.ts
+import { Data } from "effect";
+var NotFoundError = class _NotFoundError extends Data.TaggedError("NotFoundError") {
+  static make(entity, entityId) {
+    return new _NotFoundError({
+      message: `${entity} not found${entityId ? `: ${entityId}` : ""}`,
+      entity,
+      entityId
+    });
+  }
+};
+var ValidationError = class _ValidationError extends Data.TaggedError("ValidationError") {
+  static make(message, field, details) {
+    return new _ValidationError({
+      message,
+      field,
+      details
+    });
+  }
+  static fromZodErrors(message, issues) {
+    return new _ValidationError({
+      message,
+      fieldErrors: issues.map((i) => ({
+        path: i.path.join("."),
+        message: i.message
+      }))
+    });
+  }
+};
+var ForbiddenError = class _ForbiddenError extends Data.TaggedError("ForbiddenError") {
+  static make(message = "Forbidden", requiredPermission) {
+    return new _ForbiddenError({
+      message,
+      requiredPermission
+    });
+  }
+};
+var DbError = class _DbError extends Data.TaggedError("DbError") {
+  static make(operation, cause) {
+    const message = cause instanceof Error ? cause.message : "Database operation failed";
+    return new _DbError({
+      message,
+      operation,
+      cause
+    });
+  }
+};
+var ConflictError = class _ConflictError extends Data.TaggedError("ConflictError") {
+  static make(message, resource, conflictingValue) {
+    return new _ConflictError({
+      message,
+      resource,
+      conflictingValue
+    });
+  }
+};
+var SiiAuthError = class _SiiAuthError extends Data.TaggedError("SiiAuthError") {
+  static make(message, cause) {
+    return new _SiiAuthError({
+      message,
+      cause
+    });
+  }
+};
+function isAppError(error) {
+  return error instanceof NotFoundError || error instanceof ValidationError || error instanceof ForbiddenError || error instanceof DbError || error instanceof ConflictError || error instanceof SiiAuthError;
+}
+function serializeAppError(error) {
+  const result = {
+    _type: error._tag,
+    message: error.message
+  };
+  switch (error._tag) {
+    case "NotFoundError":
+      if (error.entity) result.entity = error.entity;
+      if (error.entityId) result.entityId = error.entityId;
+      break;
+    case "ValidationError":
+      if (error.field) result.field = error.field;
+      if (error.details) result.details = error.details;
+      if (error.fieldErrors) result.fieldErrors = error.fieldErrors;
+      break;
+    case "ForbiddenError":
+      if (error.requiredPermission)
+        result.requiredPermission = error.requiredPermission;
+      break;
+    case "DbError":
+      if (error.operation) result.operation = error.operation;
+      break;
+    case "ConflictError":
+      if (error.resource) result.resource = error.resource;
+      if (error.conflictingValue)
+        result.conflictingValue = error.conflictingValue;
+      break;
+    case "SiiAuthError":
+      break;
+    default: {
+      const _exhaustive = error;
+      return result;
+    }
+  }
+  return result;
+}
+
+// src/core/effect/http-response.ts
+import { Effect } from "effect";
+var STATUS_MAP = {
+  ValidationError: 400,
+  ForbiddenError: 403,
+  NotFoundError: 404,
+  ConflictError: 409,
+  SiiAuthError: 502,
+  DbError: 500
+};
+function toErrorResponse(error) {
+  const status = STATUS_MAP[error._tag] ?? 500;
+  const body = serializeAppError(error);
+  return Response.json({ error: body }, { status });
+}
+function extractAppError(error) {
+  if (isAppError(error)) return error;
+  const cause = error?.cause;
+  if (cause) {
+    const inner = cause?.error;
+    if (isAppError(inner)) return inner;
+  }
+  return null;
+}
+function toErrorResponseFromUnknown(error) {
+  const appError = extractAppError(error);
+  if (appError) return toErrorResponse(appError);
+  console.error("[sii-api] Unhandled error:", error);
+  return Response.json(
+    { error: { _type: "InternalError", message: "Internal server error" } },
+    { status: 500 }
+  );
+}
+function handleEffect(effect, toResponse = jsonResponse) {
+  return Effect.runPromise(
+    effect.pipe(
+      Effect.map(toResponse),
+      Effect.catchAll((err) => Effect.succeed(toErrorResponse(err)))
+    )
+  );
+}
+function jsonResponse(data, status = 200) {
+  return Response.json(data, { status });
+}
+function createdResponse(data) {
+  return Response.json(data, { status: 201 });
+}
+function noContentResponse() {
+  return new Response(null, { status: 204 });
+}
+
+// src/core/effect/repo-helpers.ts
+import { Effect as Effect2 } from "effect";
+function queryOneOrFail(operation, entity, entityId, query) {
+  return Effect2.tryPromise({
+    try: query,
+    catch: (e) => DbError.make(operation, e)
+  }).pipe(
+    Effect2.flatMap(
+      (row) => row ? Effect2.succeed(row) : Effect2.fail(NotFoundError.make(entity, entityId))
+    )
+  );
+}
+
+// src/core/bridge.ts
+function invoiceToRow(tenantId, invoice, issueType) {
+  return {
+    tenantId,
+    documentType: invoice.documentType,
+    number: invoice.number,
+    issuerRut: invoice.issuer.rut || null,
+    issuerName: invoice.issuer.name || null,
+    receiverRut: invoice.receiver.rut || null,
+    receiverName: invoice.receiver.name || null,
+    date: invoice.date || null,
+    netAmount: String(invoice.netAmount),
+    exemptAmount: String(invoice.exemptAmount),
+    vatAmount: String(invoice.vatAmount),
+    totalAmount: String(invoice.totalAmount),
+    taxPeriodYear: invoice.taxPeriod.year,
+    taxPeriodMonth: invoice.taxPeriod.month,
+    issueType,
+    confirmationStatus: invoice.confirmationStatus ?? null,
+    raw: invoice.raw ?? null
+  };
+}
+function rowToInvoice(row) {
+  return {
+    id: `${row.documentType}-${row.number}-${row.issuerRut || row.receiverRut || ""}`,
+    number: row.number,
+    issuer: {
+      rut: row.issuerRut ?? "",
+      name: row.issuerName ?? ""
+    },
+    receiver: {
+      rut: row.receiverRut ?? "",
+      name: row.receiverName ?? ""
+    },
+    date: row.date ?? "",
+    netAmount: Number(row.netAmount ?? 0),
+    exemptAmount: Number(row.exemptAmount ?? 0),
+    vatAmount: Number(row.vatAmount ?? 0),
+    totalAmount: Number(row.totalAmount ?? 0),
+    currency: "CLP",
+    taxPeriod: {
+      year: row.taxPeriodYear,
+      month: row.taxPeriodMonth
+    },
+    documentType: row.documentType,
+    confirmationStatus: row.confirmationStatus ?? "REGISTRO",
+    raw: row.raw ?? {}
+  };
+}
+
+// src/validation/schemas.ts
+import { z } from "zod";
+import { SiiEnvSchema, IssueTypeSchema, DteTypeSchema } from "@emisso/sii";
+var SaveCredentialsSchema = z.object({
+  env: SiiEnvSchema.default("production"),
+  certBase64: z.string().optional(),
+  certPassword: z.string().optional(),
+  portalRut: z.string().optional(),
+  portalPassword: z.string().optional()
+}).refine(
+  (d) => d.certBase64 || d.certPassword || (d.portalRut || d.portalPassword),
+  { message: "At least one credential pair is required: certificate (certBase64 + certPassword) or portal (portalRut + portalPassword)" }
+).refine(
+  (d) => !d.certBase64 && !d.certPassword || d.certBase64 && d.certPassword,
+  { message: "certBase64 and certPassword must both be provided or both omitted" }
+).refine(
+  (d) => !d.portalRut && !d.portalPassword || d.portalRut && d.portalPassword,
+  { message: "portalRut and portalPassword must both be provided or both omitted" }
+);
+var SyncInvoicesSchema = z.object({
+  period: z.string().regex(/^\d{4}-\d{2}$/, "Period must be YYYY-MM format"),
+  type: IssueTypeSchema.default("received")
+});
+var ListInvoicesQuerySchema = z.object({
+  period: z.string().regex(/^\d{4}-\d{2}$/).optional(),
+  type: IssueTypeSchema.optional(),
+  documentType: DteTypeSchema.optional(),
+  limit: z.coerce.number().int().positive().max(1e3).default(100),
+  offset: z.coerce.number().int().nonnegative().default(0)
+});
+var SyncStatusQuerySchema = z.object({
+  period: z.string().regex(/^\d{4}-\d{2}$/).optional(),
+  type: IssueTypeSchema.optional()
+});
+
+// src/repos/credential-repo.ts
+import { Effect as Effect3 } from "effect";
+import { and, eq } from "drizzle-orm";
+function createCredentialRepo(db) {
+  return {
+    getByTenantAndEnv(tenantId, env) {
+      return queryOneOrFail(
+        "credential.getByTenantAndEnv",
+        "Credential",
+        `${tenantId}/${env}`,
+        () => db.select().from(credentials).where(
+          and(
+            eq(credentials.tenantId, tenantId),
+            eq(credentials.env, env)
+          )
+        ).then((rows) => rows[0])
+      );
+    },
+    upsert(tenantId, data) {
+      return Effect3.tryPromise({
+        try: () => db.insert(credentials).values({ ...data, tenantId }).onConflictDoUpdate({
+          target: [credentials.tenantId, credentials.env],
+          set: { ...data, updatedAt: /* @__PURE__ */ new Date() }
+        }).returning().then((rows) => rows[0]),
+        catch: (e) => DbError.make("credential.upsert", e)
+      });
+    },
+    delete(tenantId, env) {
+      return Effect3.tryPromise({
+        try: () => db.delete(credentials).where(
+          and(
+            eq(credentials.tenantId, tenantId),
+            eq(credentials.env, env)
+          )
+        ).returning().then((rows) => rows.length > 0),
+        catch: (e) => DbError.make("credential.delete", e)
+      });
+    }
+  };
+}
+
+// src/repos/token-cache-repo.ts
+import { Effect as Effect4 } from "effect";
+import { and as and2, eq as eq2 } from "drizzle-orm";
+function createTokenCacheRepo(db) {
+  return {
+    get(credentialId, tokenType) {
+      return Effect4.tryPromise({
+        try: () => db.select().from(tokenCache).where(
+          and2(
+            eq2(tokenCache.credentialId, credentialId),
+            eq2(tokenCache.tokenType, tokenType)
+          )
+        ).then((rows) => rows[0] ?? null),
+        catch: (e) => DbError.make("tokenCache.get", e)
+      });
+    },
+    upsert(credentialId, tokenType, tokenValue, expiresAt) {
+      return Effect4.tryPromise({
+        try: () => db.insert(tokenCache).values({ credentialId, tokenType, tokenValue, expiresAt }).onConflictDoUpdate({
+          target: [tokenCache.credentialId, tokenCache.tokenType],
+          set: { tokenValue, expiresAt, createdAt: /* @__PURE__ */ new Date() }
+        }).returning().then((rows) => rows[0]),
+        catch: (e) => DbError.make("tokenCache.upsert", e)
+      });
+    },
+    deleteByCredential(credentialId) {
+      return Effect4.tryPromise({
+        try: () => db.delete(tokenCache).where(eq2(tokenCache.credentialId, credentialId)).then(() => void 0),
+        catch: (e) => DbError.make("tokenCache.deleteByCredential", e)
+      });
+    }
+  };
+}
+
+// src/repos/invoice-repo.ts
+import { Effect as Effect5 } from "effect";
+import { and as and3, eq as eq3, sql } from "drizzle-orm";
+function createInvoiceRepo(db) {
+  return {
+    list(tenantId, filters) {
+      return Effect5.tryPromise({
+        try: () => {
+          const conditions = [eq3(invoices.tenantId, tenantId)];
+          if (filters?.periodYear !== void 0) {
+            conditions.push(eq3(invoices.taxPeriodYear, filters.periodYear));
+          }
+          if (filters?.periodMonth !== void 0) {
+            conditions.push(eq3(invoices.taxPeriodMonth, filters.periodMonth));
+          }
+          if (filters?.issueType) {
+            conditions.push(eq3(invoices.issueType, filters.issueType));
+          }
+          if (filters?.documentType) {
+            conditions.push(eq3(invoices.documentType, filters.documentType));
+          }
+          return db.select().from(invoices).where(and3(...conditions)).limit(filters?.limit ?? 100).offset(filters?.offset ?? 0);
+        },
+        catch: (e) => DbError.make("invoice.list", e)
+      });
+    },
+    upsertMany(rows) {
+      if (rows.length === 0) return Effect5.succeed(0);
+      return Effect5.tryPromise({
+        try: () => db.insert(invoices).values(rows).onConflictDoUpdate({
+          target: [
+            invoices.tenantId,
+            invoices.documentType,
+            invoices.number,
+            invoices.issuerRut,
+            invoices.receiverRut,
+            invoices.issueType
+          ],
+          set: {
+            issuerName: sql`excluded.issuer_name`,
+            receiverName: sql`excluded.receiver_name`,
+            date: sql`excluded.date`,
+            netAmount: sql`excluded.net_amount`,
+            exemptAmount: sql`excluded.exempt_amount`,
+            vatAmount: sql`excluded.vat_amount`,
+            totalAmount: sql`excluded.total_amount`,
+            confirmationStatus: sql`excluded.confirmation_status`,
+            raw: sql`excluded.raw`,
+            updatedAt: /* @__PURE__ */ new Date()
+          }
+        }).returning({ id: invoices.id }).then((rows2) => rows2.length),
+        catch: (e) => DbError.make("invoice.upsertMany", e)
+      });
+    },
+    count(tenantId, filters) {
+      return Effect5.tryPromise({
+        try: () => {
+          const conditions = [eq3(invoices.tenantId, tenantId)];
+          if (filters?.periodYear !== void 0) {
+            conditions.push(eq3(invoices.taxPeriodYear, filters.periodYear));
+          }
+          if (filters?.periodMonth !== void 0) {
+            conditions.push(eq3(invoices.taxPeriodMonth, filters.periodMonth));
+          }
+          if (filters?.issueType) {
+            conditions.push(eq3(invoices.issueType, filters.issueType));
+          }
+          return db.select({ count: sql`count(*)::int` }).from(invoices).where(and3(...conditions)).then((rows) => rows[0]?.count ?? 0);
+        },
+        catch: (e) => DbError.make("invoice.count", e)
+      });
+    }
+  };
+}
+
+// src/repos/sync-job-repo.ts
+import { Effect as Effect6 } from "effect";
+import { and as and4, eq as eq4, desc } from "drizzle-orm";
+function createSyncJobRepo(db) {
+  return {
+    create(data) {
+      return Effect6.tryPromise({
+        try: () => db.insert(syncJobs).values(data).returning().then((rows) => rows[0]),
+        catch: (e) => DbError.make("syncJob.create", e)
+      });
+    },
+    getById(id) {
+      return queryOneOrFail(
+        "syncJob.getById",
+        "SyncJob",
+        id,
+        () => db.select().from(syncJobs).where(eq4(syncJobs.id, id)).then((rows) => rows[0])
+      );
+    },
+    listByTenant(tenantId, filters) {
+      return Effect6.tryPromise({
+        try: () => {
+          const conditions = [eq4(syncJobs.tenantId, tenantId)];
+          if (filters?.periodYear !== void 0) {
+            conditions.push(eq4(syncJobs.periodYear, filters.periodYear));
+          }
+          if (filters?.periodMonth !== void 0) {
+            conditions.push(eq4(syncJobs.periodMonth, filters.periodMonth));
+          }
+          if (filters?.issueType) {
+            conditions.push(eq4(syncJobs.issueType, filters.issueType));
+          }
+          return db.select().from(syncJobs).where(and4(...conditions)).orderBy(desc(syncJobs.createdAt)).limit(20);
+        },
+        catch: (e) => DbError.make("syncJob.listByTenant", e)
+      });
+    },
+    update(id, data) {
+      return queryOneOrFail(
+        "syncJob.update",
+        "SyncJob",
+        id,
+        () => db.update(syncJobs).set(data).where(eq4(syncJobs.id, id)).returning().then((rows) => rows[0])
+      );
+    }
+  };
+}
+
+// src/services/credential-service.ts
+import { Effect as Effect7 } from "effect";
+function createCredentialService(deps) {
+  const { credentialRepo, tokenCacheRepo } = deps;
+  const enc = (v) => v && deps.encrypt ? deps.encrypt(v) : v;
+  const dec = (v) => v && deps.decrypt ? deps.decrypt(v) : v;
+  return {
+    save(tenantId, input) {
+      return credentialRepo.upsert(tenantId, {
+        env: input.env,
+        certBase64: enc(input.certBase64) ?? null,
+        certPassword: enc(input.certPassword) ?? null,
+        portalRut: input.portalRut ?? null,
+        portalPassword: enc(input.portalPassword) ?? null
+      });
+    },
+    getStatus(tenantId, env) {
+      return credentialRepo.getByTenantAndEnv(tenantId, env).pipe(
+        Effect7.map((cred) => ({
+          connected: true,
+          env: cred.env,
+          hasCert: !!cred.certBase64,
+          hasPortal: !!cred.portalRut && !!cred.portalPassword,
+          portalRut: cred.portalRut
+        })),
+        Effect7.catchTag(
+          "NotFoundError",
+          () => Effect7.succeed({
+            connected: false,
+            env,
+            hasCert: false,
+            hasPortal: false,
+            portalRut: null
+          })
+        )
+      );
+    },
+    disconnect(tenantId, env) {
+      return Effect7.gen(function* () {
+        const cred = yield* credentialRepo.getByTenantAndEnv(tenantId, env);
+        yield* tokenCacheRepo.deleteByCredential(cred.id);
+        yield* credentialRepo.delete(tenantId, env);
+      });
+    }
+  };
+}
+
+// src/services/auth-service.ts
+import { Effect as Effect8 } from "effect";
+import {
+  loadCertFromBase64,
+  getSeed,
+  signSeedFromCertData,
+  getToken,
+  portalLogin
+} from "@emisso/sii";
+function toMessage(e) {
+  return e instanceof Error ? e.message : String(e);
+}
+async function authenticateSoap(certBase64, certPassword, env) {
+  const certData = loadCertFromBase64(certBase64, certPassword);
+  const seed = await getSeed({ certPath: "", certPassword: "", env });
+  const signedSeed = signSeedFromCertData(seed, certData);
+  return getToken(signedSeed, { certPath: "", certPassword: "", env });
+}
+function createAuthService(deps) {
+  const { credentialRepo, tokenCacheRepo } = deps;
+  const dec = (v) => deps.decrypt ? deps.decrypt(v) : v;
+  return {
+    /**
+     * Get a valid SOAP token, using cache if available.
+     */
+    getSoapToken(tenantId, env) {
+      return Effect8.gen(function* () {
+        const cred = yield* credentialRepo.getByTenantAndEnv(tenantId, env);
+        if (!cred.certBase64 || !cred.certPassword) {
+          return yield* Effect8.fail(
+            SiiAuthError.make("No certificate configured for SOAP authentication")
+          );
+        }
+        const cached = yield* tokenCacheRepo.get(cred.id, "soap");
+        if (cached && new Date(cached.expiresAt).getTime() > Date.now()) {
+          return { token: cached.tokenValue, expiresAt: new Date(cached.expiresAt) };
+        }
+        const siiToken = yield* Effect8.tryPromise({
+          try: () => authenticateSoap(dec(cred.certBase64), dec(cred.certPassword), env),
+          catch: (e) => SiiAuthError.make(`SOAP authentication failed: ${toMessage(e)}`, e)
+        });
+        yield* tokenCacheRepo.upsert(
+          cred.id,
+          "soap",
+          siiToken.token,
+          siiToken.expiresAt
+        );
+        return siiToken;
+      });
+    },
+    /**
+     * Get a portal session via fresh login.
+     */
+    getPortalSession(tenantId, env) {
+      return Effect8.gen(function* () {
+        const cred = yield* credentialRepo.getByTenantAndEnv(tenantId, env);
+        if (!cred.portalRut || !cred.portalPassword) {
+          return yield* Effect8.fail(
+            SiiAuthError.make("No portal credentials configured")
+          );
+        }
+        const session = yield* Effect8.tryPromise({
+          try: () => portalLogin(
+            { rut: cred.portalRut, claveTributaria: dec(cred.portalPassword), env },
+            { connectBrowser: deps.connectBrowser }
+          ),
+          catch: (e) => SiiAuthError.make(`Portal login failed: ${toMessage(e)}`, e)
+        });
+        return session;
+      });
+    },
+    /**
+     * Test credentials by attempting authentication.
+     * Runs SOAP and portal tests concurrently.
+     */
+    testConnection(tenantId, env) {
+      return Effect8.gen(function* () {
+        const cred = yield* credentialRepo.getByTenantAndEnv(tenantId, env);
+        const errors = [];
+        const soapTest = cred.certBase64 && cred.certPassword ? Effect8.tryPromise({
+          try: () => authenticateSoap(dec(cred.certBase64), dec(cred.certPassword), env).then(() => true),
+          catch: (e) => toMessage(e)
+        }).pipe(Effect8.catchAll((msg) => {
+          errors.push(`SOAP: ${msg}`);
+          return Effect8.succeed(false);
+        })) : Effect8.sync(() => {
+          errors.push("SOAP: No certificate configured");
+          return false;
+        });
+        const portalTest = cred.portalRut && cred.portalPassword ? Effect8.tryPromise({
+          try: () => portalLogin(
+            { rut: cred.portalRut, claveTributaria: dec(cred.portalPassword), env },
+            { connectBrowser: deps.connectBrowser }
+          ).then(() => true),
+          catch: (e) => toMessage(e)
+        }).pipe(Effect8.catchAll((msg) => {
+          errors.push(`Portal: ${msg}`);
+          return Effect8.succeed(false);
+        })) : Effect8.sync(() => {
+          errors.push("Portal: No portal credentials configured");
+          return false;
+        });
+        const [soapOk, portalOk] = yield* Effect8.all(
+          [soapTest, portalTest],
+          { concurrency: 2 }
+        );
+        return { soap: soapOk, portal: portalOk, errors };
+      });
+    }
+  };
+}
+
+// src/services/invoice-service.ts
+import { Effect as Effect9 } from "effect";
+import { listInvoices } from "@emisso/sii";
+function createInvoiceService(deps) {
+  const { invoiceRepo, syncJobRepo, authService, credentialRepo } = deps;
+  return {
+    /**
+     * Trigger an RCV invoice sync for a given period.
+     * Creates a sync job, fetches from SII, upserts into DB.
+     */
+    sync(tenantId, env, periodYear, periodMonth, issueType) {
+      return Effect9.gen(function* () {
+        const job = yield* syncJobRepo.create({
+          tenantId,
+          operation: "rcv_sync",
+          periodYear,
+          periodMonth,
+          issueType,
+          status: "running",
+          startedAt: /* @__PURE__ */ new Date()
+        });
+        const failJob = (err) => syncJobRepo.update(job.id, {
+          status: "failed",
+          completedAt: /* @__PURE__ */ new Date(),
+          errorMessage: err.message
+        }).pipe(Effect9.flatMap(() => Effect9.fail(err)));
+        const cred = yield* credentialRepo.getByTenantAndEnv(tenantId, env);
+        if (!cred.portalRut) {
+          const err = SiiAuthError.make("No portal RUT configured for RCV sync");
+          return yield* failJob(err);
+        }
+        const session = yield* authService.getPortalSession(tenantId, env).pipe(Effect9.catchAll(failJob));
+        const siiInvoices = yield* Effect9.tryPromise({
+          try: () => listInvoices(session, {
+            rut: cred.portalRut,
+            issueType,
+            period: { year: periodYear, month: periodMonth }
+          }),
+          catch: (e) => SiiAuthError.make(
+            `RCV fetch failed: ${e instanceof Error ? e.message : String(e)}`,
+            e
+          )
+        }).pipe(Effect9.catchAll(failJob));
+        const rows = siiInvoices.map(
+          (inv) => invoiceToRow(tenantId, inv, issueType)
+        );
+        const count = yield* invoiceRepo.upsertMany(rows);
+        return yield* syncJobRepo.update(job.id, {
+          status: "completed",
+          completedAt: /* @__PURE__ */ new Date(),
+          recordsFetched: count
+        });
+      });
+    }
+  };
+}
+
+// src/handlers/router.ts
+function compilePattern(pattern) {
+  const paramNames = [];
+  const regexStr = pattern.split("/").map((segment) => {
+    if (segment.startsWith(":")) {
+      paramNames.push(segment.slice(1));
+      return "([^/]+)";
+    }
+    return segment;
+  }).join("/");
+  return { regex: new RegExp(`^${regexStr}$`), paramNames };
+}
+function createRouter(routes) {
+  const compiled = routes.map((r) => {
+    const { regex, paramNames } = compilePattern(r.pattern);
+    return { method: r.method, regex, paramNames, handler: r.handler };
+  });
+  return async (req, tenantId) => {
+    const url = new URL(req.url);
+    const method = req.method.toUpperCase();
+    const path = url.pathname;
+    for (const route of compiled) {
+      if (route.method !== method) continue;
+      const match = path.match(route.regex);
+      if (!match) continue;
+      const params = {};
+      route.paramNames.forEach((name, i) => {
+        params[name] = match[i + 1];
+      });
+      return route.handler(req, { tenantId, params });
+    }
+    return Response.json(
+      { error: { _type: "NotFoundError", message: "Route not found" } },
+      { status: 404 }
+    );
+  };
+}
+
+// src/handlers/auth-handlers.ts
+import { Effect as Effect10 } from "effect";
+
+// src/handlers/handler-utils.ts
+function resolveEnv(req) {
+  const url = new URL(req.url);
+  const env = url.searchParams.get("env");
+  return env === "certification" ? "certification" : "production";
+}
+function parsePeriod(period) {
+  const [y, m] = period.split("-");
+  return { year: parseInt(y, 10), month: parseInt(m, 10) };
+}
+
+// src/handlers/auth-handlers.ts
+function createAuthHandlers(deps) {
+  const { credentialService, authService } = deps;
+  const saveCredentials = (req, ctx) => handleEffect(
+    Effect10.gen(function* () {
+      const body = yield* Effect10.tryPromise({
+        try: () => req.json(),
+        catch: () => ValidationError.make("Invalid JSON body")
+      });
+      const parsed = SaveCredentialsSchema.safeParse(body);
+      if (!parsed.success) {
+        return yield* Effect10.fail(
+          ValidationError.fromZodErrors("Invalid credentials data", parsed.error.issues)
+        );
+      }
+      const result = yield* credentialService.save(ctx.tenantId, parsed.data);
+      return {
+        id: result.id,
+        env: result.env,
+        hasCert: !!result.certBase64,
+        hasPortal: !!result.portalRut,
+        portalRut: result.portalRut,
+        createdAt: result.createdAt,
+        updatedAt: result.updatedAt
+      };
+    })
+  );
+  const getStatus = (req, ctx) => {
+    const env = resolveEnv(req);
+    return handleEffect(credentialService.getStatus(ctx.tenantId, env));
+  };
+  const testConnection = (req, ctx) => {
+    const env = resolveEnv(req);
+    return handleEffect(authService.testConnection(ctx.tenantId, env));
+  };
+  const disconnect = (req, ctx) => {
+    const env = resolveEnv(req);
+    return handleEffect(
+      credentialService.disconnect(ctx.tenantId, env).pipe(Effect10.map(() => null)),
+      () => noContentResponse()
+    );
+  };
+  return {
+    saveCredentials,
+    getStatus,
+    testConnection,
+    disconnect
+  };
+}
+
+// src/handlers/invoice-handlers.ts
+import { Effect as Effect11 } from "effect";
+function createInvoiceHandlers(deps) {
+  const { invoiceService, invoiceRepo, syncJobRepo } = deps;
+  const listInvoices2 = (req, ctx) => handleEffect(
+    Effect11.gen(function* () {
+      const url = new URL(req.url);
+      const query = ListInvoicesQuerySchema.safeParse(
+        Object.fromEntries(url.searchParams)
+      );
+      if (!query.success) {
+        return yield* Effect11.fail(
+          ValidationError.fromZodErrors("Invalid query parameters", query.error.issues)
+        );
+      }
+      const { period, type, documentType, limit, offset } = query.data;
+      const periodParsed = period ? parsePeriod(period) : void 0;
+      const rows = yield* invoiceRepo.list(ctx.tenantId, {
+        periodYear: periodParsed?.year,
+        periodMonth: periodParsed?.month,
+        issueType: type,
+        documentType,
+        limit,
+        offset
+      });
+      return { data: rows.map(rowToInvoice), count: rows.length };
+    })
+  );
+  const syncInvoices = (req, ctx) => handleEffect(
+    Effect11.gen(function* () {
+      const body = yield* Effect11.tryPromise({
+        try: () => req.json(),
+        catch: () => ValidationError.make("Invalid JSON body")
+      });
+      const parsed = SyncInvoicesSchema.safeParse(body);
+      if (!parsed.success) {
+        return yield* Effect11.fail(
+          ValidationError.fromZodErrors("Invalid sync parameters", parsed.error.issues)
+        );
+      }
+      const { year: periodYear, month: periodMonth } = parsePeriod(parsed.data.period);
+      const env = resolveEnv(req);
+      return yield* invoiceService.sync(ctx.tenantId, env, periodYear, periodMonth, parsed.data.type);
+    }),
+    createdResponse
+  );
+  const getSyncStatus = (req, ctx) => handleEffect(
+    Effect11.gen(function* () {
+      const url = new URL(req.url);
+      const query = SyncStatusQuerySchema.safeParse(
+        Object.fromEntries(url.searchParams)
+      );
+      if (!query.success) {
+        return yield* Effect11.fail(
+          ValidationError.fromZodErrors("Invalid query parameters", query.error.issues)
+        );
+      }
+      const { period, type } = query.data;
+      const periodParsed = period ? parsePeriod(period) : void 0;
+      const jobs = yield* syncJobRepo.listByTenant(ctx.tenantId, {
+        periodYear: periodParsed?.year,
+        periodMonth: periodParsed?.month,
+        issueType: type
+      });
+      return { data: jobs };
+    })
+  );
+  return {
+    listInvoices: listInvoices2,
+    syncInvoices,
+    getSyncStatus
+  };
+}
+export {
+  ConflictError,
+  DbError,
+  ForbiddenError,
+  ListInvoicesQuerySchema,
+  NotFoundError,
+  SaveCredentialsSchema,
+  SiiAuthError,
+  SyncInvoicesSchema,
+  SyncStatusQuerySchema,
+  ValidationError,
+  createAuthHandlers,
+  createAuthService,
+  createCredentialRepo,
+  createCredentialService,
+  createInvoiceHandlers,
+  createInvoiceRepo,
+  createInvoiceService,
+  createRouter,
+  createSyncJobRepo,
+  createTokenCacheRepo,
+  createdResponse,
+  credentials,
+  handleEffect,
+  invoiceToRow,
+  invoices,
+  isAppError,
+  jsonResponse,
+  noContentResponse,
+  queryOneOrFail,
+  rowToInvoice,
+  serializeAppError,
+  siiSchema,
+  syncJobs,
+  toErrorResponse,
+  toErrorResponseFromUnknown,
+  tokenCache
+};
+//# sourceMappingURL=index.js.map