@emisso/sii-api 0.1.0

package/dist/adapters/next.cjs

@@ -0,0 +1,1035 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc2) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc2 = __getOwnPropDesc(from, key)) || desc2.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/adapters/next.ts
+var next_exports = {};
+__export(next_exports, {
+  createSiiRouter: () => createSiiRouter
+});
+module.exports = __toCommonJS(next_exports);
+var import_postgres = __toESM(require("postgres"), 1);
+var import_postgres_js = require("drizzle-orm/postgres-js");
+
+// src/handlers/router.ts
+function compilePattern(pattern) {
+  const paramNames = [];
+  const regexStr = pattern.split("/").map((segment) => {
+    if (segment.startsWith(":")) {
+      paramNames.push(segment.slice(1));
+      return "([^/]+)";
+    }
+    return segment;
+  }).join("/");
+  return { regex: new RegExp(`^${regexStr}$`), paramNames };
+}
+function createRouter(routes) {
+  const compiled = routes.map((r) => {
+    const { regex, paramNames } = compilePattern(r.pattern);
+    return { method: r.method, regex, paramNames, handler: r.handler };
+  });
+  return async (req, tenantId) => {
+    const url = new URL(req.url);
+    const method = req.method.toUpperCase();
+    const path = url.pathname;
+    for (const route of compiled) {
+      if (route.method !== method) continue;
+      const match = path.match(route.regex);
+      if (!match) continue;
+      const params = {};
+      route.paramNames.forEach((name, i) => {
+        params[name] = match[i + 1];
+      });
+      return route.handler(req, { tenantId, params });
+    }
+    return Response.json(
+      { error: { _type: "NotFoundError", message: "Route not found" } },
+      { status: 404 }
+    );
+  };
+}
+
+// src/repos/credential-repo.ts
+var import_effect3 = require("effect");
+var import_drizzle_orm = require("drizzle-orm");
+
+// src/db/schema/index.ts
+var import_pg_core5 = require("drizzle-orm/pg-core");
+
+// src/db/schema/credentials.ts
+var import_pg_core = require("drizzle-orm/pg-core");
+var credentials = siiSchema.table(
+  "credentials",
+  {
+    id: (0, import_pg_core.uuid)("id").defaultRandom().primaryKey(),
+    tenantId: (0, import_pg_core.uuid)("tenant_id").notNull(),
+    // NOTE: `env` is typed as SiiEnv at the application layer via Drizzle's $type<>().
+    // A DB-level CHECK constraint (env IN ('production','certification')) should be
+    // added via a future migration to enforce this at the database level as well.
+    env: (0, import_pg_core.text)("env").notNull().$type(),
+    // TODO: ENCRYPT AT REST — these fields store sensitive SII credentials.
+    // Must implement application-level encryption (AES-256-GCM) before production.
+    certBase64: (0, import_pg_core.text)("cert_base64"),
+    certPassword: (0, import_pg_core.text)("cert_password"),
+    portalRut: (0, import_pg_core.text)("portal_rut"),
+    // TODO: ENCRYPT AT REST — portal password stores sensitive SII credentials.
+    // Must implement application-level encryption (AES-256-GCM) before production.
+    portalPassword: (0, import_pg_core.text)("portal_password"),
+    createdAt: (0, import_pg_core.timestamp)("created_at").notNull().defaultNow(),
+    updatedAt: (0, import_pg_core.timestamp)("updated_at").notNull().defaultNow()
+  },
+  (table) => [(0, import_pg_core.unique)("uq_credentials_tenant_env").on(table.tenantId, table.env)]
+);
+
+// src/db/schema/token-cache.ts
+var import_pg_core2 = require("drizzle-orm/pg-core");
+var tokenCache = siiSchema.table(
+  "token_cache",
+  {
+    id: (0, import_pg_core2.uuid)("id").defaultRandom().primaryKey(),
+    credentialId: (0, import_pg_core2.uuid)("credential_id").notNull().references(() => credentials.id, { onDelete: "cascade" }),
+    tokenType: (0, import_pg_core2.text)("token_type").notNull().$type(),
+    tokenValue: (0, import_pg_core2.text)("token_value").notNull(),
+    expiresAt: (0, import_pg_core2.timestamp)("expires_at", { withTimezone: true }).notNull(),
+    createdAt: (0, import_pg_core2.timestamp)("created_at").notNull().defaultNow()
+  },
+  (table) => [(0, import_pg_core2.unique)("uq_token_cache_cred_type").on(table.credentialId, table.tokenType)]
+);
+
+// src/db/schema/invoices.ts
+var import_pg_core3 = require("drizzle-orm/pg-core");
+var invoices = siiSchema.table(
+  "invoices",
+  {
+    id: (0, import_pg_core3.uuid)("id").defaultRandom().primaryKey(),
+    tenantId: (0, import_pg_core3.uuid)("tenant_id").notNull(),
+    documentType: (0, import_pg_core3.text)("document_type").notNull().$type(),
+    number: (0, import_pg_core3.integer)("number").notNull(),
+    issuerRut: (0, import_pg_core3.text)("issuer_rut"),
+    issuerName: (0, import_pg_core3.text)("issuer_name"),
+    receiverRut: (0, import_pg_core3.text)("receiver_rut"),
+    receiverName: (0, import_pg_core3.text)("receiver_name"),
+    date: (0, import_pg_core3.date)("date"),
+    netAmount: (0, import_pg_core3.numeric)("net_amount", { precision: 16, scale: 0 }),
+    exemptAmount: (0, import_pg_core3.numeric)("exempt_amount", { precision: 16, scale: 0 }),
+    vatAmount: (0, import_pg_core3.numeric)("vat_amount", { precision: 16, scale: 0 }),
+    totalAmount: (0, import_pg_core3.numeric)("total_amount", { precision: 16, scale: 0 }),
+    taxPeriodYear: (0, import_pg_core3.integer)("tax_period_year").notNull(),
+    taxPeriodMonth: (0, import_pg_core3.integer)("tax_period_month").notNull(),
+    issueType: (0, import_pg_core3.text)("issue_type").notNull().$type(),
+    confirmationStatus: (0, import_pg_core3.text)("confirmation_status").$type(),
+    raw: (0, import_pg_core3.jsonb)("raw").$type(),
+    createdAt: (0, import_pg_core3.timestamp)("created_at").notNull().defaultNow(),
+    updatedAt: (0, import_pg_core3.timestamp)("updated_at").notNull().defaultNow()
+  },
+  (table) => [
+    (0, import_pg_core3.unique)("uq_invoices_natural_key").on(
+      table.tenantId,
+      table.documentType,
+      table.number,
+      table.issuerRut,
+      table.receiverRut,
+      table.issueType
+    ),
+    (0, import_pg_core3.index)("idx_invoices_tenant_period").on(
+      table.tenantId,
+      table.taxPeriodYear,
+      table.taxPeriodMonth
+    )
+  ]
+);
+
+// src/db/schema/sync-jobs.ts
+var import_pg_core4 = require("drizzle-orm/pg-core");
+var syncJobs = siiSchema.table("sync_jobs", {
+  id: (0, import_pg_core4.uuid)("id").defaultRandom().primaryKey(),
+  tenantId: (0, import_pg_core4.uuid)("tenant_id").notNull(),
+  operation: (0, import_pg_core4.text)("operation").notNull().$type(),
+  periodYear: (0, import_pg_core4.integer)("period_year").notNull(),
+  periodMonth: (0, import_pg_core4.integer)("period_month").notNull(),
+  issueType: (0, import_pg_core4.text)("issue_type").notNull().$type(),
+  status: (0, import_pg_core4.text)("status").notNull().default("pending").$type(),
+  startedAt: (0, import_pg_core4.timestamp)("started_at"),
+  completedAt: (0, import_pg_core4.timestamp)("completed_at"),
+  recordsFetched: (0, import_pg_core4.integer)("records_fetched"),
+  errorMessage: (0, import_pg_core4.text)("error_message"),
+  createdAt: (0, import_pg_core4.timestamp)("created_at").notNull().defaultNow()
+});
+
+// src/db/schema/index.ts
+var siiSchema = (0, import_pg_core5.pgSchema)("sii");
+
+// src/core/effect/app-error.ts
+var import_effect = require("effect");
+var NotFoundError = class _NotFoundError extends import_effect.Data.TaggedError("NotFoundError") {
+  static make(entity, entityId) {
+    return new _NotFoundError({
+      message: `${entity} not found${entityId ? `: ${entityId}` : ""}`,
+      entity,
+      entityId
+    });
+  }
+};
+var ValidationError = class _ValidationError extends import_effect.Data.TaggedError("ValidationError") {
+  static make(message, field, details) {
+    return new _ValidationError({
+      message,
+      field,
+      details
+    });
+  }
+  static fromZodErrors(message, issues) {
+    return new _ValidationError({
+      message,
+      fieldErrors: issues.map((i) => ({
+        path: i.path.join("."),
+        message: i.message
+      }))
+    });
+  }
+};
+var ForbiddenError = class _ForbiddenError extends import_effect.Data.TaggedError("ForbiddenError") {
+  static make(message = "Forbidden", requiredPermission) {
+    return new _ForbiddenError({
+      message,
+      requiredPermission
+    });
+  }
+};
+var DbError = class _DbError extends import_effect.Data.TaggedError("DbError") {
+  static make(operation, cause) {
+    const message = cause instanceof Error ? cause.message : "Database operation failed";
+    return new _DbError({
+      message,
+      operation,
+      cause
+    });
+  }
+};
+var ConflictError = class _ConflictError extends import_effect.Data.TaggedError("ConflictError") {
+  static make(message, resource, conflictingValue) {
+    return new _ConflictError({
+      message,
+      resource,
+      conflictingValue
+    });
+  }
+};
+var SiiAuthError = class _SiiAuthError extends import_effect.Data.TaggedError("SiiAuthError") {
+  static make(message, cause) {
+    return new _SiiAuthError({
+      message,
+      cause
+    });
+  }
+};
+function serializeAppError(error) {
+  const result = {
+    _type: error._tag,
+    message: error.message
+  };
+  switch (error._tag) {
+    case "NotFoundError":
+      if (error.entity) result.entity = error.entity;
+      if (error.entityId) result.entityId = error.entityId;
+      break;
+    case "ValidationError":
+      if (error.field) result.field = error.field;
+      if (error.details) result.details = error.details;
+      if (error.fieldErrors) result.fieldErrors = error.fieldErrors;
+      break;
+    case "ForbiddenError":
+      if (error.requiredPermission)
+        result.requiredPermission = error.requiredPermission;
+      break;
+    case "DbError":
+      if (error.operation) result.operation = error.operation;
+      break;
+    case "ConflictError":
+      if (error.resource) result.resource = error.resource;
+      if (error.conflictingValue)
+        result.conflictingValue = error.conflictingValue;
+      break;
+    case "SiiAuthError":
+      break;
+    default: {
+      const _exhaustive = error;
+      return result;
+    }
+  }
+  return result;
+}
+
+// src/core/effect/repo-helpers.ts
+var import_effect2 = require("effect");
+function queryOneOrFail(operation, entity, entityId, query) {
+  return import_effect2.Effect.tryPromise({
+    try: query,
+    catch: (e) => DbError.make(operation, e)
+  }).pipe(
+    import_effect2.Effect.flatMap(
+      (row) => row ? import_effect2.Effect.succeed(row) : import_effect2.Effect.fail(NotFoundError.make(entity, entityId))
+    )
+  );
+}
+
+// src/repos/credential-repo.ts
+function createCredentialRepo(db) {
+  return {
+    getByTenantAndEnv(tenantId, env) {
+      return queryOneOrFail(
+        "credential.getByTenantAndEnv",
+        "Credential",
+        `${tenantId}/${env}`,
+        () => db.select().from(credentials).where(
+          (0, import_drizzle_orm.and)(
+            (0, import_drizzle_orm.eq)(credentials.tenantId, tenantId),
+            (0, import_drizzle_orm.eq)(credentials.env, env)
+          )
+        ).then((rows) => rows[0])
+      );
+    },
+    upsert(tenantId, data) {
+      return import_effect3.Effect.tryPromise({
+        try: () => db.insert(credentials).values({ ...data, tenantId }).onConflictDoUpdate({
+          target: [credentials.tenantId, credentials.env],
+          set: { ...data, updatedAt: /* @__PURE__ */ new Date() }
+        }).returning().then((rows) => rows[0]),
+        catch: (e) => DbError.make("credential.upsert", e)
+      });
+    },
+    delete(tenantId, env) {
+      return import_effect3.Effect.tryPromise({
+        try: () => db.delete(credentials).where(
+          (0, import_drizzle_orm.and)(
+            (0, import_drizzle_orm.eq)(credentials.tenantId, tenantId),
+            (0, import_drizzle_orm.eq)(credentials.env, env)
+          )
+        ).returning().then((rows) => rows.length > 0),
+        catch: (e) => DbError.make("credential.delete", e)
+      });
+    }
+  };
+}
+
+// src/repos/token-cache-repo.ts
+var import_effect4 = require("effect");
+var import_drizzle_orm2 = require("drizzle-orm");
+function createTokenCacheRepo(db) {
+  return {
+    get(credentialId, tokenType) {
+      return import_effect4.Effect.tryPromise({
+        try: () => db.select().from(tokenCache).where(
+          (0, import_drizzle_orm2.and)(
+            (0, import_drizzle_orm2.eq)(tokenCache.credentialId, credentialId),
+            (0, import_drizzle_orm2.eq)(tokenCache.tokenType, tokenType)
+          )
+        ).then((rows) => rows[0] ?? null),
+        catch: (e) => DbError.make("tokenCache.get", e)
+      });
+    },
+    upsert(credentialId, tokenType, tokenValue, expiresAt) {
+      return import_effect4.Effect.tryPromise({
+        try: () => db.insert(tokenCache).values({ credentialId, tokenType, tokenValue, expiresAt }).onConflictDoUpdate({
+          target: [tokenCache.credentialId, tokenCache.tokenType],
+          set: { tokenValue, expiresAt, createdAt: /* @__PURE__ */ new Date() }
+        }).returning().then((rows) => rows[0]),
+        catch: (e) => DbError.make("tokenCache.upsert", e)
+      });
+    },
+    deleteByCredential(credentialId) {
+      return import_effect4.Effect.tryPromise({
+        try: () => db.delete(tokenCache).where((0, import_drizzle_orm2.eq)(tokenCache.credentialId, credentialId)).then(() => void 0),
+        catch: (e) => DbError.make("tokenCache.deleteByCredential", e)
+      });
+    }
+  };
+}
+
+// src/repos/invoice-repo.ts
+var import_effect5 = require("effect");
+var import_drizzle_orm3 = require("drizzle-orm");
+function createInvoiceRepo(db) {
+  return {
+    list(tenantId, filters) {
+      return import_effect5.Effect.tryPromise({
+        try: () => {
+          const conditions = [(0, import_drizzle_orm3.eq)(invoices.tenantId, tenantId)];
+          if (filters?.periodYear !== void 0) {
+            conditions.push((0, import_drizzle_orm3.eq)(invoices.taxPeriodYear, filters.periodYear));
+          }
+          if (filters?.periodMonth !== void 0) {
+            conditions.push((0, import_drizzle_orm3.eq)(invoices.taxPeriodMonth, filters.periodMonth));
+          }
+          if (filters?.issueType) {
+            conditions.push((0, import_drizzle_orm3.eq)(invoices.issueType, filters.issueType));
+          }
+          if (filters?.documentType) {
+            conditions.push((0, import_drizzle_orm3.eq)(invoices.documentType, filters.documentType));
+          }
+          return db.select().from(invoices).where((0, import_drizzle_orm3.and)(...conditions)).limit(filters?.limit ?? 100).offset(filters?.offset ?? 0);
+        },
+        catch: (e) => DbError.make("invoice.list", e)
+      });
+    },
+    upsertMany(rows) {
+      if (rows.length === 0) return import_effect5.Effect.succeed(0);
+      return import_effect5.Effect.tryPromise({
+        try: () => db.insert(invoices).values(rows).onConflictDoUpdate({
+          target: [
+            invoices.tenantId,
+            invoices.documentType,
+            invoices.number,
+            invoices.issuerRut,
+            invoices.receiverRut,
+            invoices.issueType
+          ],
+          set: {
+            issuerName: import_drizzle_orm3.sql`excluded.issuer_name`,
+            receiverName: import_drizzle_orm3.sql`excluded.receiver_name`,
+            date: import_drizzle_orm3.sql`excluded.date`,
+            netAmount: import_drizzle_orm3.sql`excluded.net_amount`,
+            exemptAmount: import_drizzle_orm3.sql`excluded.exempt_amount`,
+            vatAmount: import_drizzle_orm3.sql`excluded.vat_amount`,
+            totalAmount: import_drizzle_orm3.sql`excluded.total_amount`,
+            confirmationStatus: import_drizzle_orm3.sql`excluded.confirmation_status`,
+            raw: import_drizzle_orm3.sql`excluded.raw`,
+            updatedAt: /* @__PURE__ */ new Date()
+          }
+        }).returning({ id: invoices.id }).then((rows2) => rows2.length),
+        catch: (e) => DbError.make("invoice.upsertMany", e)
+      });
+    },
+    count(tenantId, filters) {
+      return import_effect5.Effect.tryPromise({
+        try: () => {
+          const conditions = [(0, import_drizzle_orm3.eq)(invoices.tenantId, tenantId)];
+          if (filters?.periodYear !== void 0) {
+            conditions.push((0, import_drizzle_orm3.eq)(invoices.taxPeriodYear, filters.periodYear));
+          }
+          if (filters?.periodMonth !== void 0) {
+            conditions.push((0, import_drizzle_orm3.eq)(invoices.taxPeriodMonth, filters.periodMonth));
+          }
+          if (filters?.issueType) {
+            conditions.push((0, import_drizzle_orm3.eq)(invoices.issueType, filters.issueType));
+          }
+          return db.select({ count: import_drizzle_orm3.sql`count(*)::int` }).from(invoices).where((0, import_drizzle_orm3.and)(...conditions)).then((rows) => rows[0]?.count ?? 0);
+        },
+        catch: (e) => DbError.make("invoice.count", e)
+      });
+    }
+  };
+}
+
+// src/repos/sync-job-repo.ts
+var import_effect6 = require("effect");
+var import_drizzle_orm4 = require("drizzle-orm");
+function createSyncJobRepo(db) {
+  return {
+    create(data) {
+      return import_effect6.Effect.tryPromise({
+        try: () => db.insert(syncJobs).values(data).returning().then((rows) => rows[0]),
+        catch: (e) => DbError.make("syncJob.create", e)
+      });
+    },
+    getById(id) {
+      return queryOneOrFail(
+        "syncJob.getById",
+        "SyncJob",
+        id,
+        () => db.select().from(syncJobs).where((0, import_drizzle_orm4.eq)(syncJobs.id, id)).then((rows) => rows[0])
+      );
+    },
+    listByTenant(tenantId, filters) {
+      return import_effect6.Effect.tryPromise({
+        try: () => {
+          const conditions = [(0, import_drizzle_orm4.eq)(syncJobs.tenantId, tenantId)];
+          if (filters?.periodYear !== void 0) {
+            conditions.push((0, import_drizzle_orm4.eq)(syncJobs.periodYear, filters.periodYear));
+          }
+          if (filters?.periodMonth !== void 0) {
+            conditions.push((0, import_drizzle_orm4.eq)(syncJobs.periodMonth, filters.periodMonth));
+          }
+          if (filters?.issueType) {
+            conditions.push((0, import_drizzle_orm4.eq)(syncJobs.issueType, filters.issueType));
+          }
+          return db.select().from(syncJobs).where((0, import_drizzle_orm4.and)(...conditions)).orderBy((0, import_drizzle_orm4.desc)(syncJobs.createdAt)).limit(20);
+        },
+        catch: (e) => DbError.make("syncJob.listByTenant", e)
+      });
+    },
+    update(id, data) {
+      return queryOneOrFail(
+        "syncJob.update",
+        "SyncJob",
+        id,
+        () => db.update(syncJobs).set(data).where((0, import_drizzle_orm4.eq)(syncJobs.id, id)).returning().then((rows) => rows[0])
+      );
+    }
+  };
+}
+
+// src/services/credential-service.ts
+var import_effect7 = require("effect");
+function createCredentialService(deps) {
+  const { credentialRepo, tokenCacheRepo } = deps;
+  const enc = (v) => v && deps.encrypt ? deps.encrypt(v) : v;
+  const dec = (v) => v && deps.decrypt ? deps.decrypt(v) : v;
+  return {
+    save(tenantId, input) {
+      return credentialRepo.upsert(tenantId, {
+        env: input.env,
+        certBase64: enc(input.certBase64) ?? null,
+        certPassword: enc(input.certPassword) ?? null,
+        portalRut: input.portalRut ?? null,
+        portalPassword: enc(input.portalPassword) ?? null
+      });
+    },
+    getStatus(tenantId, env) {
+      return credentialRepo.getByTenantAndEnv(tenantId, env).pipe(
+        import_effect7.Effect.map((cred) => ({
+          connected: true,
+          env: cred.env,
+          hasCert: !!cred.certBase64,
+          hasPortal: !!cred.portalRut && !!cred.portalPassword,
+          portalRut: cred.portalRut
+        })),
+        import_effect7.Effect.catchTag(
+          "NotFoundError",
+          () => import_effect7.Effect.succeed({
+            connected: false,
+            env,
+            hasCert: false,
+            hasPortal: false,
+            portalRut: null
+          })
+        )
+      );
+    },
+    disconnect(tenantId, env) {
+      return import_effect7.Effect.gen(function* () {
+        const cred = yield* credentialRepo.getByTenantAndEnv(tenantId, env);
+        yield* tokenCacheRepo.deleteByCredential(cred.id);
+        yield* credentialRepo.delete(tenantId, env);
+      });
+    }
+  };
+}
+
+// src/services/auth-service.ts
+var import_effect8 = require("effect");
+var import_sii = require("@emisso/sii");
+function toMessage(e) {
+  return e instanceof Error ? e.message : String(e);
+}
+async function authenticateSoap(certBase64, certPassword, env) {
+  const certData = (0, import_sii.loadCertFromBase64)(certBase64, certPassword);
+  const seed = await (0, import_sii.getSeed)({ certPath: "", certPassword: "", env });
+  const signedSeed = (0, import_sii.signSeedFromCertData)(seed, certData);
+  return (0, import_sii.getToken)(signedSeed, { certPath: "", certPassword: "", env });
+}
+function createAuthService(deps) {
+  const { credentialRepo, tokenCacheRepo } = deps;
+  const dec = (v) => deps.decrypt ? deps.decrypt(v) : v;
+  return {
+    /**
+     * Get a valid SOAP token, using cache if available.
+     */
+    getSoapToken(tenantId, env) {
+      return import_effect8.Effect.gen(function* () {
+        const cred = yield* credentialRepo.getByTenantAndEnv(tenantId, env);
+        if (!cred.certBase64 || !cred.certPassword) {
+          return yield* import_effect8.Effect.fail(
+            SiiAuthError.make("No certificate configured for SOAP authentication")
+          );
+        }
+        const cached = yield* tokenCacheRepo.get(cred.id, "soap");
+        if (cached && new Date(cached.expiresAt).getTime() > Date.now()) {
+          return { token: cached.tokenValue, expiresAt: new Date(cached.expiresAt) };
+        }
+        const siiToken = yield* import_effect8.Effect.tryPromise({
+          try: () => authenticateSoap(dec(cred.certBase64), dec(cred.certPassword), env),
+          catch: (e) => SiiAuthError.make(`SOAP authentication failed: ${toMessage(e)}`, e)
+        });
+        yield* tokenCacheRepo.upsert(
+          cred.id,
+          "soap",
+          siiToken.token,
+          siiToken.expiresAt
+        );
+        return siiToken;
+      });
+    },
+    /**
+     * Get a portal session via fresh login.
+     */
+    getPortalSession(tenantId, env) {
+      return import_effect8.Effect.gen(function* () {
+        const cred = yield* credentialRepo.getByTenantAndEnv(tenantId, env);
+        if (!cred.portalRut || !cred.portalPassword) {
+          return yield* import_effect8.Effect.fail(
+            SiiAuthError.make("No portal credentials configured")
+          );
+        }
+        const session = yield* import_effect8.Effect.tryPromise({
+          try: () => (0, import_sii.portalLogin)(
+            { rut: cred.portalRut, claveTributaria: dec(cred.portalPassword), env },
+            { connectBrowser: deps.connectBrowser }
+          ),
+          catch: (e) => SiiAuthError.make(`Portal login failed: ${toMessage(e)}`, e)
+        });
+        return session;
+      });
+    },
+    /**
+     * Test credentials by attempting authentication.
+     * Runs SOAP and portal tests concurrently.
+     */
+    testConnection(tenantId, env) {
+      return import_effect8.Effect.gen(function* () {
+        const cred = yield* credentialRepo.getByTenantAndEnv(tenantId, env);
+        const errors = [];
+        const soapTest = cred.certBase64 && cred.certPassword ? import_effect8.Effect.tryPromise({
+          try: () => authenticateSoap(dec(cred.certBase64), dec(cred.certPassword), env).then(() => true),
+          catch: (e) => toMessage(e)
+        }).pipe(import_effect8.Effect.catchAll((msg) => {
+          errors.push(`SOAP: ${msg}`);
+          return import_effect8.Effect.succeed(false);
+        })) : import_effect8.Effect.sync(() => {
+          errors.push("SOAP: No certificate configured");
+          return false;
+        });
+        const portalTest = cred.portalRut && cred.portalPassword ? import_effect8.Effect.tryPromise({
+          try: () => (0, import_sii.portalLogin)(
+            { rut: cred.portalRut, claveTributaria: dec(cred.portalPassword), env },
+            { connectBrowser: deps.connectBrowser }
+          ).then(() => true),
+          catch: (e) => toMessage(e)
+        }).pipe(import_effect8.Effect.catchAll((msg) => {
+          errors.push(`Portal: ${msg}`);
+          return import_effect8.Effect.succeed(false);
+        })) : import_effect8.Effect.sync(() => {
+          errors.push("Portal: No portal credentials configured");
+          return false;
+        });
+        const [soapOk, portalOk] = yield* import_effect8.Effect.all(
+          [soapTest, portalTest],
+          { concurrency: 2 }
+        );
+        return { soap: soapOk, portal: portalOk, errors };
+      });
+    }
+  };
+}
+
+// src/services/invoice-service.ts
+var import_effect9 = require("effect");
+var import_sii2 = require("@emisso/sii");
+
+// src/core/bridge.ts
+function invoiceToRow(tenantId, invoice, issueType) {
+  return {
+    tenantId,
+    documentType: invoice.documentType,
+    number: invoice.number,
+    issuerRut: invoice.issuer.rut || null,
+    issuerName: invoice.issuer.name || null,
+    receiverRut: invoice.receiver.rut || null,
+    receiverName: invoice.receiver.name || null,
+    date: invoice.date || null,
+    netAmount: String(invoice.netAmount),
+    exemptAmount: String(invoice.exemptAmount),
+    vatAmount: String(invoice.vatAmount),
+    totalAmount: String(invoice.totalAmount),
+    taxPeriodYear: invoice.taxPeriod.year,
+    taxPeriodMonth: invoice.taxPeriod.month,
+    issueType,
+    confirmationStatus: invoice.confirmationStatus ?? null,
+    raw: invoice.raw ?? null
+  };
+}
+function rowToInvoice(row) {
+  return {
+    id: `${row.documentType}-${row.number}-${row.issuerRut || row.receiverRut || ""}`,
+    number: row.number,
+    issuer: {
+      rut: row.issuerRut ?? "",
+      name: row.issuerName ?? ""
+    },
+    receiver: {
+      rut: row.receiverRut ?? "",
+      name: row.receiverName ?? ""
+    },
+    date: row.date ?? "",
+    netAmount: Number(row.netAmount ?? 0),
+    exemptAmount: Number(row.exemptAmount ?? 0),
+    vatAmount: Number(row.vatAmount ?? 0),
+    totalAmount: Number(row.totalAmount ?? 0),
+    currency: "CLP",
+    taxPeriod: {
+      year: row.taxPeriodYear,
+      month: row.taxPeriodMonth
+    },
+    documentType: row.documentType,
+    confirmationStatus: row.confirmationStatus ?? "REGISTRO",
+    raw: row.raw ?? {}
+  };
+}
+
+// src/services/invoice-service.ts
+function createInvoiceService(deps) {
+  const { invoiceRepo, syncJobRepo, authService, credentialRepo } = deps;
+  return {
+    /**
+     * Trigger an RCV invoice sync for a given period.
+     * Creates a sync job, fetches from SII, upserts into DB.
+     */
+    sync(tenantId, env, periodYear, periodMonth, issueType) {
+      return import_effect9.Effect.gen(function* () {
+        const job = yield* syncJobRepo.create({
+          tenantId,
+          operation: "rcv_sync",
+          periodYear,
+          periodMonth,
+          issueType,
+          status: "running",
+          startedAt: /* @__PURE__ */ new Date()
+        });
+        const failJob = (err) => syncJobRepo.update(job.id, {
+          status: "failed",
+          completedAt: /* @__PURE__ */ new Date(),
+          errorMessage: err.message
+        }).pipe(import_effect9.Effect.flatMap(() => import_effect9.Effect.fail(err)));
+        const cred = yield* credentialRepo.getByTenantAndEnv(tenantId, env);
+        if (!cred.portalRut) {
+          const err = SiiAuthError.make("No portal RUT configured for RCV sync");
+          return yield* failJob(err);
+        }
+        const session = yield* authService.getPortalSession(tenantId, env).pipe(import_effect9.Effect.catchAll(failJob));
+        const siiInvoices = yield* import_effect9.Effect.tryPromise({
+          try: () => (0, import_sii2.listInvoices)(session, {
+            rut: cred.portalRut,
+            issueType,
+            period: { year: periodYear, month: periodMonth }
+          }),
+          catch: (e) => SiiAuthError.make(
+            `RCV fetch failed: ${e instanceof Error ? e.message : String(e)}`,
+            e
+          )
+        }).pipe(import_effect9.Effect.catchAll(failJob));
+        const rows = siiInvoices.map(
+          (inv) => invoiceToRow(tenantId, inv, issueType)
+        );
+        const count = yield* invoiceRepo.upsertMany(rows);
+        return yield* syncJobRepo.update(job.id, {
+          status: "completed",
+          completedAt: /* @__PURE__ */ new Date(),
+          recordsFetched: count
+        });
+      });
+    }
+  };
+}
+
+// src/handlers/auth-handlers.ts
+var import_effect11 = require("effect");
+
+// src/handlers/handler-utils.ts
+function resolveEnv(req) {
+  const url = new URL(req.url);
+  const env = url.searchParams.get("env");
+  return env === "certification" ? "certification" : "production";
+}
+function parsePeriod(period) {
+  const [y, m] = period.split("-");
+  return { year: parseInt(y, 10), month: parseInt(m, 10) };
+}
+
+// src/validation/schemas.ts
+var import_zod = require("zod");
+var import_sii3 = require("@emisso/sii");
+var SaveCredentialsSchema = import_zod.z.object({
+  env: import_sii3.SiiEnvSchema.default("production"),
+  certBase64: import_zod.z.string().optional(),
+  certPassword: import_zod.z.string().optional(),
+  portalRut: import_zod.z.string().optional(),
+  portalPassword: import_zod.z.string().optional()
+}).refine(
+  (d) => d.certBase64 || d.certPassword || (d.portalRut || d.portalPassword),
+  { message: "At least one credential pair is required: certificate (certBase64 + certPassword) or portal (portalRut + portalPassword)" }
+).refine(
+  (d) => !d.certBase64 && !d.certPassword || d.certBase64 && d.certPassword,
+  { message: "certBase64 and certPassword must both be provided or both omitted" }
+).refine(
+  (d) => !d.portalRut && !d.portalPassword || d.portalRut && d.portalPassword,
+  { message: "portalRut and portalPassword must both be provided or both omitted" }
+);
+var SyncInvoicesSchema = import_zod.z.object({
+  period: import_zod.z.string().regex(/^\d{4}-\d{2}$/, "Period must be YYYY-MM format"),
+  type: import_sii3.IssueTypeSchema.default("received")
+});
+var ListInvoicesQuerySchema = import_zod.z.object({
+  period: import_zod.z.string().regex(/^\d{4}-\d{2}$/).optional(),
+  type: import_sii3.IssueTypeSchema.optional(),
+  documentType: import_sii3.DteTypeSchema.optional(),
+  limit: import_zod.z.coerce.number().int().positive().max(1e3).default(100),
+  offset: import_zod.z.coerce.number().int().nonnegative().default(0)
+});
+var SyncStatusQuerySchema = import_zod.z.object({
+  period: import_zod.z.string().regex(/^\d{4}-\d{2}$/).optional(),
+  type: import_sii3.IssueTypeSchema.optional()
+});
+
+// src/core/effect/http-response.ts
+var import_effect10 = require("effect");
+var STATUS_MAP = {
+  ValidationError: 400,
+  ForbiddenError: 403,
+  NotFoundError: 404,
+  ConflictError: 409,
+  SiiAuthError: 502,
+  DbError: 500
+};
+function toErrorResponse(error) {
+  const status = STATUS_MAP[error._tag] ?? 500;
+  const body = serializeAppError(error);
+  return Response.json({ error: body }, { status });
+}
+function handleEffect(effect, toResponse = jsonResponse) {
+  return import_effect10.Effect.runPromise(
+    effect.pipe(
+      import_effect10.Effect.map(toResponse),
+      import_effect10.Effect.catchAll((err) => import_effect10.Effect.succeed(toErrorResponse(err)))
+    )
+  );
+}
+function jsonResponse(data, status = 200) {
+  return Response.json(data, { status });
+}
+function createdResponse(data) {
+  return Response.json(data, { status: 201 });
+}
+function noContentResponse() {
+  return new Response(null, { status: 204 });
+}
+
+// src/handlers/auth-handlers.ts
+function createAuthHandlers(deps) {
+  const { credentialService, authService } = deps;
+  const saveCredentials = (req, ctx) => handleEffect(
+    import_effect11.Effect.gen(function* () {
+      const body = yield* import_effect11.Effect.tryPromise({
+        try: () => req.json(),
+        catch: () => ValidationError.make("Invalid JSON body")
+      });
+      const parsed = SaveCredentialsSchema.safeParse(body);
+      if (!parsed.success) {
+        return yield* import_effect11.Effect.fail(
+          ValidationError.fromZodErrors("Invalid credentials data", parsed.error.issues)
+        );
+      }
+      const result = yield* credentialService.save(ctx.tenantId, parsed.data);
+      return {
+        id: result.id,
+        env: result.env,
+        hasCert: !!result.certBase64,
+        hasPortal: !!result.portalRut,
+        portalRut: result.portalRut,
+        createdAt: result.createdAt,
+        updatedAt: result.updatedAt
+      };
+    })
+  );
+  const getStatus = (req, ctx) => {
+    const env = resolveEnv(req);
+    return handleEffect(credentialService.getStatus(ctx.tenantId, env));
+  };
+  const testConnection = (req, ctx) => {
+    const env = resolveEnv(req);
+    return handleEffect(authService.testConnection(ctx.tenantId, env));
+  };
+  const disconnect = (req, ctx) => {
+    const env = resolveEnv(req);
+    return handleEffect(
+      credentialService.disconnect(ctx.tenantId, env).pipe(import_effect11.Effect.map(() => null)),
+      () => noContentResponse()
+    );
+  };
+  return {
+    saveCredentials,
+    getStatus,
+    testConnection,
+    disconnect
+  };
+}
+
+// src/handlers/invoice-handlers.ts
+var import_effect12 = require("effect");
+function createInvoiceHandlers(deps) {
+  const { invoiceService, invoiceRepo, syncJobRepo } = deps;
+  const listInvoices2 = (req, ctx) => handleEffect(
+    import_effect12.Effect.gen(function* () {
+      const url = new URL(req.url);
+      const query = ListInvoicesQuerySchema.safeParse(
+        Object.fromEntries(url.searchParams)
+      );
+      if (!query.success) {
+        return yield* import_effect12.Effect.fail(
+          ValidationError.fromZodErrors("Invalid query parameters", query.error.issues)
+        );
+      }
+      const { period, type, documentType, limit, offset } = query.data;
+      const periodParsed = period ? parsePeriod(period) : void 0;
+      const rows = yield* invoiceRepo.list(ctx.tenantId, {
+        periodYear: periodParsed?.year,
+        periodMonth: periodParsed?.month,
+        issueType: type,
+        documentType,
+        limit,
+        offset
+      });
+      return { data: rows.map(rowToInvoice), count: rows.length };
+    })
+  );
+  const syncInvoices = (req, ctx) => handleEffect(
+    import_effect12.Effect.gen(function* () {
+      const body = yield* import_effect12.Effect.tryPromise({
+        try: () => req.json(),
+        catch: () => ValidationError.make("Invalid JSON body")
+      });
+      const parsed = SyncInvoicesSchema.safeParse(body);
+      if (!parsed.success) {
+        return yield* import_effect12.Effect.fail(
+          ValidationError.fromZodErrors("Invalid sync parameters", parsed.error.issues)
+        );
+      }
+      const { year: periodYear, month: periodMonth } = parsePeriod(parsed.data.period);
+      const env = resolveEnv(req);
+      return yield* invoiceService.sync(ctx.tenantId, env, periodYear, periodMonth, parsed.data.type);
+    }),
+    createdResponse
+  );
+  const getSyncStatus = (req, ctx) => handleEffect(
+    import_effect12.Effect.gen(function* () {
+      const url = new URL(req.url);
+      const query = SyncStatusQuerySchema.safeParse(
+        Object.fromEntries(url.searchParams)
+      );
+      if (!query.success) {
+        return yield* import_effect12.Effect.fail(
+          ValidationError.fromZodErrors("Invalid query parameters", query.error.issues)
+        );
+      }
+      const { period, type } = query.data;
+      const periodParsed = period ? parsePeriod(period) : void 0;
+      const jobs = yield* syncJobRepo.listByTenant(ctx.tenantId, {
+        periodYear: periodParsed?.year,
+        periodMonth: periodParsed?.month,
+        issueType: type
+      });
+      return { data: jobs };
+    })
+  );
+  return {
+    listInvoices: listInvoices2,
+    syncInvoices,
+    getSyncStatus
+  };
+}
+
+// src/adapters/next.ts
+function createSiiRouter(config) {
+  if (!!config.encrypt !== !!config.decrypt) {
+    throw new Error("SiiRouterConfig: encrypt and decrypt must be provided together");
+  }
+  const sql2 = (0, import_postgres.default)(config.databaseUrl);
+  const db = (0, import_postgres_js.drizzle)(sql2);
+  const credentialRepo = createCredentialRepo(db);
+  const tokenCacheRepo = createTokenCacheRepo(db);
+  const invoiceRepo = createInvoiceRepo(db);
+  const syncJobRepo = createSyncJobRepo(db);
+  const credentialService = createCredentialService({
+    credentialRepo,
+    tokenCacheRepo,
+    encrypt: config.encrypt,
+    decrypt: config.decrypt
+  });
+  const authService = createAuthService({
+    credentialRepo,
+    tokenCacheRepo,
+    decrypt: config.decrypt,
+    connectBrowser: config.connectBrowser
+  });
+  const invoiceService = createInvoiceService({
+    invoiceRepo,
+    syncJobRepo,
+    authService,
+    credentialRepo
+  });
+  const authHandlers = createAuthHandlers({ credentialService, authService });
+  const invoiceHandlers = createInvoiceHandlers({
+    invoiceService,
+    invoiceRepo,
+    syncJobRepo
+  });
+  const base = config.basePath;
+  const routes = [
+    // Auth / Credentials
+    { method: "PUT", pattern: `${base}/auth`, handler: authHandlers.saveCredentials },
+    { method: "GET", pattern: `${base}/auth`, handler: authHandlers.getStatus },
+    { method: "POST", pattern: `${base}/auth/test`, handler: authHandlers.testConnection },
+    { method: "DELETE", pattern: `${base}/auth`, handler: authHandlers.disconnect },
+    // Invoices
+    { method: "GET", pattern: `${base}/invoices`, handler: invoiceHandlers.listInvoices },
+    { method: "POST", pattern: `${base}/invoices/sync`, handler: invoiceHandlers.syncInvoices },
+    { method: "GET", pattern: `${base}/invoices/sync`, handler: invoiceHandlers.getSyncStatus }
+  ];
+  const router = createRouter(routes);
+  const resolveTenantId = config.resolveTenantId ?? ((req) => req.headers.get("X-Tenant-Id"));
+  async function handle(req) {
+    const tenantId = await resolveTenantId(req);
+    if (!tenantId) {
+      return Response.json(
+        { error: { _type: "ForbiddenError", message: "Missing tenant ID" } },
+        { status: 403 }
+      );
+    }
+    return router(req, tenantId);
+  }
+  return {
+    GET: handle,
+    POST: handle,
+    PUT: handle,
+    DELETE: handle
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createSiiRouter
+});
+//# sourceMappingURL=next.cjs.map