@experia-labs/plugin-dev-mcp 0.1.0

package/dist/manifest/starter.js

@@ -0,0 +1,79 @@
+export function generateStarterManifest(args) {
+    const flavor = args.flavor ?? 'attendee-app';
+    const base = args.baseUrl.replace(/\/+$/, '');
+    const common = {
+        key: args.key,
+        version: '0.1.0',
+        name: args.name,
+        tagline: 'Describe your plugin in one sentence',
+        developer: {
+            name: args.developerName,
+            email: args.developerEmail,
+        },
+        pricing: { model: 'free' },
+        lifecycle: {
+            onInstall: `${base}/experia/hooks/install`,
+            onUninstall: `${base}/experia/hooks/uninstall`,
+        },
+        timeWindow: 'always',
+    };
+    if (flavor === 'minimal') {
+        return {
+            ...common,
+            scopes: ['event.read'],
+            events: [],
+            extensions: {},
+        };
+    }
+    if (flavor === 'organizer-tool') {
+        return {
+            ...common,
+            scopes: ['event.read', 'event.attendees.read'],
+            events: ['event.started', 'event.ended'],
+            extensions: {
+                'organizer.event.tabs': [
+                    {
+                        id: 'config',
+                        label: args.name,
+                        iframe: `${base}/organizer/config?eventId={eventId}`,
+                    },
+                    {
+                        id: 'insights',
+                        label: `${args.name} Insights`,
+                        iframe: `${base}/organizer/insights?eventId={eventId}`,
+                    },
+                ],
+            },
+        };
+    }
+    // attendee-app — covers networking-style plugins
+    return {
+        ...common,
+        timeWindow: 'event-live',
+        scopes: [
+            'event.read',
+            'event.attendees.read',
+            'attendee.profile.read',
+            'attendee.profile.write',
+            'messaging.send',
+        ],
+        events: ['event.started', 'event.ended', 'attendee.checked_in'],
+        extensions: {
+            'organizer.event.tabs': [
+                {
+                    id: 'config',
+                    label: args.name,
+                    iframe: `${base}/organizer/config?eventId={eventId}`,
+                },
+            ],
+            'experia.event.tabs': [
+                {
+                    id: 'home',
+                    label: args.name,
+                    iframe: `${base}/experia/home?eventId={eventId}&jwt={pluginJwt}`,
+                },
+            ],
+        },
+    };
+}
+//# sourceMappingURL=starter.js.map

package/dist/manifest/starter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"starter.js","sourceRoot":"","sources":["../../src/manifest/starter.ts"],"names":[],"mappings":"AAgBA,MAAM,UAAU,uBAAuB,CAAC,IAAiB;IACvD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,cAAc,CAAC;IAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAE9C,MAAM,MAAM,GAAG;QACb,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,OAAO,EAAE,OAAO;QAChB,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,OAAO,EAAE,sCAAsC;QAC/C,SAAS,EAAE;YACT,IAAI,EAAE,IAAI,CAAC,aAAa;YACxB,KAAK,EAAE,IAAI,CAAC,cAAc;SAC3B;QACD,OAAO,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE;QAC1B,SAAS,EAAE;YACT,SAAS,EAAE,GAAG,IAAI,wBAAwB;YAC1C,WAAW,EAAE,GAAG,IAAI,0BAA0B;SAC/C;QACD,UAAU,EAAE,QAAQ;KACZ,CAAC;IAEX,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,OAAO;YACL,GAAG,MAAM;YACT,MAAM,EAAE,CAAC,YAAY,CAAC;YACtB,MAAM,EAAE,EAAE;YACV,UAAU,EAAE,EAAE;SACf,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,KAAK,gBAAgB,EAAE,CAAC;QAChC,OAAO;YACL,GAAG,MAAM;YACT,MAAM,EAAE,CAAC,YAAY,EAAE,sBAAsB,CAAC;YAC9C,MAAM,EAAE,CAAC,eAAe,EAAE,aAAa,CAAC;YACxC,UAAU,EAAE;gBACV,sBAAsB,EAAE;oBACtB;wBACE,EAAE,EAAE,QAAQ;wBACZ,KAAK,EAAE,IAAI,CAAC,IAAI;wBAChB,MAAM,EAAE,GAAG,IAAI,qCAAqC;qBACrD;oBACD;wBACE,EAAE,EAAE,UAAU;wBACd,KAAK,EAAE,GAAG,IAAI,CAAC,IAAI,WAAW;wBAC9B,MAAM,EAAE,GAAG,IAAI,uCAAuC;qBACvD;iBACF;aACF;SACF,CAAC;IACJ,CAAC;IAED,iDAAiD;IACjD,OAAO;QACL,GAAG,MAAM;QACT,UAAU,EAAE,YAAY;QACxB,MAAM,EAAE;YACN,YAAY;YACZ,sBAAsB;YACtB,uBAAuB;YACvB,wBAAwB;YACxB,gBAAgB;SACjB;QACD,MAAM,EAAE,CAAC,eAAe,EAAE,aAAa,EAAE,qBAAqB,CAAC;QAC/D,UAAU,EAAE;YACV,sBAAsB,EAAE;gBACtB;oBACE,EAAE,EAAE,QAAQ;oBACZ,KAAK,EAAE,IAAI,CAAC,IAAI;oBAChB,MAAM,EAAE,GAAG,IAAI,qCAAqC;iBACrD;aACF;YACD,oBAAoB,EAAE;gBACpB;oBACE,EAAE,EAAE,MAAM;oBACV,KAAK,EAAE,IAAI,CAAC,IAAI;oBAChB,MAAM,EAAE,GAAG,IAAI,iDAAiD;iBACjE;aACF;SACF;KACF,CAAC;AACJ,CAAC"}

package/dist/manifest/validate.d.ts

@@ -0,0 +1,8 @@
+export interface ManifestValidationResult {
+    ok: boolean;
+    issues: string[];
+    /** Suggested fixes / next steps (only set when there are issues). */
+    hints: string[];
+}
+export declare function validateManifest(raw: unknown): ManifestValidationResult;
+//# sourceMappingURL=validate.d.ts.map

package/dist/manifest/validate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../src/manifest/validate.ts"],"names":[],"mappings":"AAyBA,MAAM,WAAW,wBAAwB;IACvC,EAAE,EAAE,OAAO,CAAC;IACZ,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,qEAAqE;IACrE,KAAK,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,OAAO,GAAG,wBAAwB,CAgNvE"}

package/dist/manifest/validate.js

@@ -0,0 +1,182 @@
+// Stateless port of the platform's PluginManifestValidatorService.
+// Keep these rules in lock-step with
+//   creatoros-api/src/features/plugin-platform/manifest/plugin-manifest.validator.service.ts
+// so a manifest that passes locally also passes server-side at publish time.
+import { ALL_SCOPES, isValidScope } from '../data/scopes.js';
+import { VALID_DOMAIN_EVENT_TYPES, isValidDomainEvent, } from '../data/events.js';
+import { ALL_SLOTS } from '../data/slots.js';
+const SEMVER_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z-.]+)?(?:\+[0-9A-Za-z-.]+)?$/;
+const KEY_RE = /^[a-z0-9](?:[a-z0-9._-]{0,62}[a-z0-9])?$/;
+const HTTPS_RE = /^https:\/\/[^\s]+$/;
+const VALID_TIME_WINDOWS = new Set(['always', 'event-live', 'post-event']);
+const VALID_PRICING_MODELS = new Set([
+    'free',
+    'flat',
+    'per_attendee',
+    'revshare',
+]);
+const VALID_EXTENSION_SLOTS = new Set(ALL_SLOTS);
+export function validateManifest(raw) {
+    const issues = [];
+    const hints = [];
+    if (!raw || typeof raw !== 'object' || Array.isArray(raw)) {
+        return {
+            ok: false,
+            issues: ['Manifest must be a non-array object'],
+            hints: ['Pass the parsed JSON, not a string. Use get_starter_manifest to scaffold.'],
+        };
+    }
+    const m = raw;
+    if (typeof m.key !== 'string' || !KEY_RE.test(m.key)) {
+        issues.push('key: must be a lowercase string of [a-z0-9._-], 1-64 chars, no leading/trailing punctuation');
+        hints.push('Use the pattern "<vendor>.<name>" — e.g. "acme.sponsors-lounge".');
+    }
+    if (typeof m.version !== 'string' || !SEMVER_RE.test(m.version)) {
+        issues.push('version: must be a valid semver string (e.g. "1.0.0")');
+    }
+    if (typeof m.name !== 'string' ||
+        m.name.length === 0 ||
+        m.name.length > 100) {
+        issues.push('name: must be a non-empty string, max 100 chars');
+    }
+    for (const f of ['tagline', 'description', 'category', 'iconUrl']) {
+        if (m[f] !== undefined && typeof m[f] !== 'string') {
+            issues.push(`${f}: must be a string when present`);
+        }
+    }
+    if (m.iconUrl !== undefined &&
+        typeof m.iconUrl === 'string' &&
+        !HTTPS_RE.test(m.iconUrl)) {
+        issues.push('iconUrl: must use https://');
+    }
+    if (m.screenshots !== undefined) {
+        if (!Array.isArray(m.screenshots)) {
+            issues.push('screenshots: must be an array of https URLs');
+        }
+        else {
+            for (const s of m.screenshots) {
+                if (typeof s !== 'string' || !HTTPS_RE.test(s)) {
+                    issues.push('screenshots: every entry must be an https URL');
+                    break;
+                }
+            }
+        }
+    }
+    const dev = m.developer;
+    if (!dev || typeof dev !== 'object') {
+        issues.push('developer: missing or not an object');
+    }
+    else {
+        if (typeof dev.name !== 'string' || dev.name.length === 0) {
+            issues.push('developer.name: required, non-empty string');
+        }
+        if (typeof dev.email !== 'string' || !dev.email.includes('@')) {
+            issues.push('developer.email: required, must be an email');
+        }
+        if (dev.url !== undefined &&
+            (typeof dev.url !== 'string' || !HTTPS_RE.test(dev.url))) {
+            issues.push('developer.url: must be an https URL when present');
+        }
+    }
+    const pricing = m.pricing;
+    if (!pricing || typeof pricing !== 'object') {
+        issues.push('pricing: missing or not an object');
+        hints.push('Add pricing: { "model": "free" } if your plugin is free.');
+    }
+    else {
+        if (typeof pricing.model !== 'string' ||
+            !VALID_PRICING_MODELS.has(pricing.model)) {
+            issues.push(`pricing.model: must be one of ${Array.from(VALID_PRICING_MODELS).join(', ')}`);
+        }
+        if (pricing.model === 'flat' || pricing.model === 'per_attendee') {
+            if (typeof pricing.amount !== 'number' || pricing.amount < 0) {
+                issues.push(`pricing.amount: required and >= 0 for model=${pricing.model}`);
+            }
+        }
+        if (pricing.model === 'revshare') {
+            if (typeof pricing.revshareBps !== 'number' ||
+                pricing.revshareBps < 0 ||
+                pricing.revshareBps > 10000) {
+                issues.push('pricing.revshareBps: required, integer between 0 and 10000');
+            }
+        }
+    }
+    if (!Array.isArray(m.scopes)) {
+        issues.push('scopes: must be an array of scope strings');
+        hints.push(`Pick from: ${ALL_SCOPES.join(', ')}`);
+    }
+    else {
+        for (const s of m.scopes) {
+            if (typeof s !== 'string' || !isValidScope(s)) {
+                issues.push(`scopes: "${String(s)}" is not a valid scope. Valid scopes: ${ALL_SCOPES.join(', ')}`);
+            }
+        }
+    }
+    const lc = m.lifecycle;
+    if (lc !== undefined) {
+        if (typeof lc !== 'object' || Array.isArray(lc)) {
+            issues.push('lifecycle: must be an object when present');
+        }
+        else {
+            for (const f of ['onInstall', 'onUninstall', 'onConfigure']) {
+                const v = lc[f];
+                if (v !== undefined && (typeof v !== 'string' || !HTTPS_RE.test(v))) {
+                    issues.push(`lifecycle.${f}: must be an https URL when present`);
+                }
+            }
+        }
+    }
+    if (!Array.isArray(m.events)) {
+        issues.push('events: must be an array (use [] if no domain event subscriptions)');
+    }
+    else {
+        for (const e of m.events) {
+            if (typeof e !== 'string' || !isValidDomainEvent(e)) {
+                issues.push(`events: "${String(e)}" is not a valid domain event. Valid events: ${VALID_DOMAIN_EVENT_TYPES.join(', ')}`);
+            }
+        }
+    }
+    if (m.extensions !== undefined) {
+        if (typeof m.extensions !== 'object' || Array.isArray(m.extensions)) {
+            issues.push('extensions: must be an object keyed by slot name');
+        }
+        else {
+            for (const [slot, val] of Object.entries(m.extensions)) {
+                if (!VALID_EXTENSION_SLOTS.has(slot)) {
+                    issues.push(`extensions: "${slot}" is not a known extension slot. Valid slots: ${ALL_SLOTS.join(', ')}`);
+                    continue;
+                }
+                if (!Array.isArray(val)) {
+                    issues.push(`extensions.${slot}: must be an array`);
+                    continue;
+                }
+                val.forEach((ext, i) => {
+                    if (!ext || typeof ext !== 'object') {
+                        issues.push(`extensions.${slot}[${i}]: must be an object`);
+                        return;
+                    }
+                    const e = ext;
+                    if (typeof e.id !== 'string' || e.id.length === 0) {
+                        issues.push(`extensions.${slot}[${i}].id: required string`);
+                    }
+                    if (typeof e.label !== 'string' || e.label.length === 0) {
+                        issues.push(`extensions.${slot}[${i}].label: required string`);
+                    }
+                    if (typeof e.iframe !== 'string' || !HTTPS_RE.test(e.iframe)) {
+                        issues.push(`extensions.${slot}[${i}].iframe: required https URL`);
+                    }
+                });
+            }
+        }
+    }
+    if (m.configSchema !== undefined &&
+        (typeof m.configSchema !== 'object' || Array.isArray(m.configSchema))) {
+        issues.push('configSchema: must be a JSON Schema object when present');
+    }
+    if (typeof m.timeWindow !== 'string' ||
+        !VALID_TIME_WINDOWS.has(m.timeWindow)) {
+        issues.push(`timeWindow: required, one of ${Array.from(VALID_TIME_WINDOWS).join(', ')}`);
+    }
+    return { ok: issues.length === 0, issues, hints };
+}
+//# sourceMappingURL=validate.js.map

package/dist/manifest/validate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../src/manifest/validate.ts"],"names":[],"mappings":"AAAA,mEAAmE;AACnE,qCAAqC;AACrC,6FAA6F;AAC7F,6EAA6E;AAE7E,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC7D,OAAO,EACL,wBAAwB,EACxB,kBAAkB,GACnB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAE7C,MAAM,SAAS,GAAG,0DAA0D,CAAC;AAC7E,MAAM,MAAM,GAAG,0CAA0C,CAAC;AAC1D,MAAM,QAAQ,GAAG,oBAAoB,CAAC;AAEtC,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC,CAAC;AAC3E,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC;IACnC,MAAM;IACN,MAAM;IACN,cAAc;IACd,UAAU;CACX,CAAC,CAAC;AACH,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;AASjD,MAAM,UAAU,gBAAgB,CAAC,GAAY;IAC3C,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1D,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,CAAC,qCAAqC,CAAC;YAC/C,KAAK,EAAE,CAAC,2EAA2E,CAAC;SACrF,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,GAAG,GAA8B,CAAC;IAEzC,IAAI,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;QACrD,MAAM,CAAC,IAAI,CACT,6FAA6F,CAC9F,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;IACjF,CAAC;IAED,IAAI,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;QAChE,MAAM,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;IACvE,CAAC;IAED,IACE,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ;QAC1B,CAAC,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC;QACnB,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,GAAG,EACnB,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;IACjE,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,CAAU,EAAE,CAAC;QAC3E,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;YACnD,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAED,IACE,CAAC,CAAC,OAAO,KAAK,SAAS;QACvB,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ;QAC7B,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,EACzB,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,CAAC,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;QAChC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC;YAClC,MAAM,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;QAC7D,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;gBAC9B,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC/C,MAAM,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;oBAC7D,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,GAAG,GAAG,CAAC,CAAC,SAAgD,CAAC;IAC/D,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,MAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;IACrD,CAAC;SAAM,CAAC;QACN,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1D,MAAM,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9D,MAAM,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;QAC7D,CAAC;QACD,IACE,GAAG,CAAC,GAAG,KAAK,SAAS;YACrB,CAAC,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EACxD,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,CAAC,OAA8C,CAAC;IACjE,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;QACjD,KAAK,CAAC,IAAI,CAAC,0DAA0D,CAAC,CAAC;IACzE,CAAC;SAAM,CAAC;QACN,IACE,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ;YACjC,CAAC,oBAAoB,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,EACxC,CAAC;YACD,MAAM,CAAC,IAAI,CACT,iCAAiC,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC/E,CAAC;QACJ,CAAC;QACD,IAAI,OAAO,CAAC,KAAK,KAAK,MAAM,IAAI,OAAO,CAAC,KAAK,KAAK,cAAc,EAAE,CAAC;YACjE,IAAI,OAAO,OAAO,CAAC,MAAM,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC7D,MAAM,CAAC,IAAI,CACT,+CAA+C,OAAO,CAAC,KAAK,EAAE,CAC/D,CAAC;YACJ,CAAC;QACH,CAAC;QACD,IAAI,OAAO,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;YACjC,IACE,OAAO,OAAO,CAAC,WAAW,KAAK,QAAQ;gBACvC,OAAO,CAAC,WAAW,GAAG,CAAC;gBACvB,OAAO,CAAC,WAAW,GAAG,KAAK,EAC3B,CAAC;gBACD,MAAM,CAAC,IAAI,CACT,4DAA4D,CAC7D,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;QAC7B,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;QACzD,KAAK,CAAC,IAAI,CAAC,cAAc,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACpD,CAAC;SAAM,CAAC;QACN,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;YACzB,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9C,MAAM,CAAC,IAAI,CACT,YAAY,MAAM,CAAC,CAAC,CAAC,yCAAyC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACtF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,EAAE,GAAG,CAAC,CAAC,SAAgD,CAAC;IAC9D,IAAI,EAAE,KAAK,SAAS,EAAE,CAAC;QACrB,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC;YAChD,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;QAC3D,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,aAAa,EAAE,aAAa,CAAU,EAAE,CAAC;gBACrE,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;gBAChB,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBACpE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,qCAAqC,CAAC,CAAC;gBACnE,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;QAC7B,MAAM,CAAC,IAAI,CACT,oEAAoE,CACrE,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;YACzB,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpD,MAAM,CAAC,IAAI,CACT,YAAY,MAAM,CAAC,CAAC,CAAC,gDAAgD,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC3G,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,CAAC,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QAC/B,IAAI,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,EAAE,CAAC;YACpE,MAAM,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAC;QAClE,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CACtC,CAAC,CAAC,UAAqC,CACxC,EAAE,CAAC;gBACF,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;oBACrC,MAAM,CAAC,IAAI,CACT,gBAAgB,IAAI,iDAAiD,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC5F,CAAC;oBACF,SAAS;gBACX,CAAC;gBACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;oBACxB,MAAM,CAAC,IAAI,CAAC,cAAc,IAAI,oBAAoB,CAAC,CAAC;oBACpD,SAAS;gBACX,CAAC;gBACD,GAAG,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;oBACrB,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;wBACpC,MAAM,CAAC,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,sBAAsB,CAAC,CAAC;wBAC3D,OAAO;oBACT,CAAC;oBACD,MAAM,CAAC,GAAG,GAA8B,CAAC;oBACzC,IAAI,OAAO,CAAC,CAAC,EAAE,KAAK,QAAQ,IAAI,CAAC,CAAC,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBAClD,MAAM,CAAC,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,uBAAuB,CAAC,CAAC;oBAC9D,CAAC;oBACD,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ,IAAI,CAAC,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBACxD,MAAM,CAAC,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,0BAA0B,CAAC,CAAC;oBACjE,CAAC;oBACD,IAAI,OAAO,CAAC,CAAC,MAAM,KAAK,QAAQ,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;wBAC7D,MAAM,CAAC,IAAI,CACT,cAAc,IAAI,IAAI,CAAC,8BAA8B,CACtD,CAAC;oBACJ,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,IACE,CAAC,CAAC,YAAY,KAAK,SAAS;QAC5B,CAAC,OAAO,CAAC,CAAC,YAAY,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,EACrE,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,yDAAyD,CAAC,CAAC;IACzE,CAAC;IAED,IACE,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ;QAChC,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,EACrC,CAAC;QACD,MAAM,CAAC,IAAI,CACT,gCAAgC,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC5E,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AACpD,CAAC"}

package/dist/server.d.ts

@@ -0,0 +1,7 @@
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+/**
+ * Builds the MCP server. Exported so tests can drive it without
+ * spawning a stdio process.
+ */
+export declare function createServer(): McpServer;
+//# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAoBpE;;;GAGG;AACH,wBAAgB,YAAY,IAAI,SAAS,CAkLxC"}

package/dist/server.js

@@ -0,0 +1,243 @@
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { z } from 'zod';
+import { validateManifest } from './manifest/validate.js';
+import { generateStarterManifest } from './manifest/starter.js';
+import { verifyWebhookSignature } from './webhook/verify.js';
+import { SCOPE_REGISTRY } from './data/scopes.js';
+import { LIFECYCLE_EVENTS, DOMAIN_EVENTS } from './data/events.js';
+import { SLOT_REGISTRY } from './data/slots.js';
+import { PLUGIN_API_ENDPOINTS } from './data/api-endpoints.js';
+function asJson(value) {
+    return {
+        content: [{ type: 'text', text: JSON.stringify(value, null, 2) }],
+    };
+}
+function asMarkdown(text) {
+    return { content: [{ type: 'text', text }] };
+}
+/**
+ * Builds the MCP server. Exported so tests can drive it without
+ * spawning a stdio process.
+ */
+export function createServer() {
+    const server = new McpServer({
+        name: 'experia-plugin-dev',
+        version: '0.1.0',
+    });
+    // ---- Discovery tools (no inputs) ----
+    server.registerTool('list_scopes', {
+        title: 'List plugin scopes',
+        description: 'Returns every OAuth-style scope a plugin can request in its manifest, with a description and the /plugin-api/v1 endpoints each unlocks. Use this when picking the minimal set of scopes for a plugin.',
+    }, async () => asJson(SCOPE_REGISTRY));
+    server.registerTool('list_events', {
+        title: 'List webhook events',
+        description: 'Returns the lifecycle events (always delivered) and domain events (subscribe via manifest.events) a plugin can receive, with example payloads. Use this when planning your webhook handler.',
+    }, async () => asJson({ lifecycle: LIFECYCLE_EVENTS, domain: DOMAIN_EVENTS }));
+    server.registerTool('list_extension_slots', {
+        title: 'List UI extension slots',
+        description: 'Returns every named slot where a plugin\'s iframe can render (organizer dashboard, attendee app, check-in flow). Use this when picking where in the host UI your plugin should appear.',
+    }, async () => asJson(SLOT_REGISTRY));
+    server.registerTool('list_api_endpoints', {
+        title: 'List /plugin-api/v1 endpoints',
+        description: 'Returns every endpoint your plugin can call after install (Bearer = installationToken). Each entry lists the required scope. Use this to plan API calls and the matching scope set.',
+    }, async () => asJson(PLUGIN_API_ENDPOINTS));
+    // ---- Manifest helpers ----
+    server.registerTool('validate_manifest', {
+        title: 'Validate a plugin manifest',
+        description: 'Validates a JSON manifest against the platform\'s rules. Identical to the server-side check at publish time — if this passes, POST /developer-portal/plugins/:id/versions will too. Returns { ok, issues, hints }.',
+        inputSchema: {
+            manifest: z
+                .unknown()
+                .describe('The parsed JSON manifest object (NOT a string).'),
+        },
+    }, async ({ manifest }) => asJson(validateManifest(manifest)));
+    server.registerTool('get_starter_manifest', {
+        title: 'Generate a starter manifest',
+        description: 'Returns a manifest skeleton wired for a common plugin shape. Pick "minimal" for the smallest possible plugin, "organizer-tool" for an organizer-facing config+insights pattern, or "attendee-app" for a Networking-style plugin (default).',
+        inputSchema: {
+            key: z
+                .string()
+                .describe('Vendor-prefixed plugin key, e.g. "acme.sponsors-lounge".'),
+            name: z.string().describe('Display name shown in the marketplace.'),
+            developerName: z.string().describe('Your organization name.'),
+            developerEmail: z.string().describe('Contact email for review feedback.'),
+            baseUrl: z
+                .string()
+                .describe('HTTPS base URL where your plugin is hosted (no trailing slash).'),
+            flavor: z
+                .enum(['minimal', 'attendee-app', 'organizer-tool'])
+                .optional()
+                .describe('Which template to use. Default: attendee-app.'),
+        },
+    }, async (args) => asJson(generateStarterManifest(args)));
+    // ---- Webhook helpers ----
+    server.registerTool('verify_webhook_signature', {
+        title: 'Verify an X-Experia-Signature header',
+        description: 'Verifies a webhook delivery using the per-installation `webhookSecret` you stored from plugin.installed. Use this when debugging a 401/403 from your handler — it will tell you exactly why a signature failed (malformed-header / timestamp-out-of-tolerance / signature-mismatch).',
+        inputSchema: {
+            payload: z
+                .string()
+                .describe('Raw request body, exactly as received (do not JSON.parse).'),
+            signatureHeader: z
+                .string()
+                .describe('Value of the X-Experia-Signature header.'),
+            secret: z.string().describe('Per-installation webhookSecret.'),
+            toleranceSeconds: z
+                .number()
+                .optional()
+                .describe('Replay-window tolerance in seconds. Default 300.'),
+        },
+    }, async (args) => asJson(verifyWebhookSignature(args)));
+    // ---- Resources (read-only docs) ----
+    server.registerResource('plugin-overview', 'experia://docs/overview', {
+        title: 'Experia Plugin Platform Overview',
+        description: 'High-level explanation of the plugin lifecycle, manifests, webhooks, and the public /plugin-api/v1.',
+        mimeType: 'text/markdown',
+    }, async (uri) => ({
+        contents: [
+            {
+                uri: uri.href,
+                mimeType: 'text/markdown',
+                text: OVERVIEW_DOC,
+            },
+        ],
+    }));
+    server.registerResource('manifest-spec', 'experia://docs/manifest', {
+        title: 'Manifest field-by-field reference',
+        description: 'Every field of the manifest, what it does, validation rules.',
+        mimeType: 'text/markdown',
+    }, async (uri) => ({
+        contents: [
+            {
+                uri: uri.href,
+                mimeType: 'text/markdown',
+                text: MANIFEST_DOC,
+            },
+        ],
+    }));
+    server.registerResource('webhook-spec', 'experia://docs/webhooks', {
+        title: 'Webhook delivery, signing, retries',
+        description: 'How HMAC signatures work, the retry schedule, and how to verify deliveries.',
+        mimeType: 'text/markdown',
+    }, async (uri) => ({
+        contents: [
+            {
+                uri: uri.href,
+                mimeType: 'text/markdown',
+                text: WEBHOOKS_DOC,
+            },
+        ],
+    }));
+    // Side-effect: silence unused-import linters for asMarkdown if no doc tool uses it.
+    void asMarkdown;
+    return server;
+}
+const OVERVIEW_DOC = `# Experia Plugin Platform — Overview
+
+Plugins extend Experia for organizers and attendees. They are described by a
+JSON **manifest** and talk to the platform over a public API.
+
+## Lifecycle
+
+1. You **submit a plugin** via the developer portal (creates a Plugin row in DRAFT/PRIVATE).
+2. You **publish a version** (uploads a manifest snapshot, validated by the platform).
+3. An organizer **installs** your plugin on one of their events. The platform:
+   - generates a one-time \`installationToken\` (Bearer for /plugin-api/v1)
+   - generates a per-install \`webhookSecret\` (HMAC for verifying webhooks)
+   - delivers them in a \`plugin.installed\` webhook to your \`lifecycle.onInstall\` URL
+4. Your plugin receives subsequent **webhook events** and calls
+   \`/plugin-api/v1/*\` to read/write data — limited to the **scopes** declared
+   in your manifest.
+5. Your plugin's iframes render in **extension slots** chosen in the manifest.
+
+## What you build
+
+- **A web service** that hosts \`lifecycle.onInstall\` (and optionally
+  \`onUninstall\`/\`onConfigure\`) and any iframe pages declared in
+  \`manifest.extensions\`.
+- A storage layer (your DB) keyed by \`eventPluginId\` to remember the
+  installation token + webhook secret.
+
+## What you DON'T do
+
+- You don't host the database. Plugin data that's per-installation can use the
+  built-in \`storage.read\` / \`storage.write\` scopes.
+- You don't manage auth. Bearer = installation token; iframe = JWT.
+`;
+const MANIFEST_DOC = `# Manifest reference
+
+\`\`\`jsonc
+{
+  "key": "vendor.name",                          // [a-z0-9._-], 1-64 chars
+  "version": "1.0.0",                            // semver
+  "name": "Display name",                        // ≤100 chars
+  "tagline": "One-sentence pitch.",              // optional
+  "description": "Long description.",            // optional
+  "category": "engagement",                      // optional
+  "iconUrl": "https://...",                      // optional, https
+  "screenshots": ["https://..."],                // optional, all https
+
+  "developer": {
+    "name": "Acme Corp",                         // required
+    "email": "dev@acme.com",                     // required, must contain @
+    "url": "https://acme.com"                    // optional, https
+  },
+
+  "pricing": { "model": "free" },                // or flat/per_attendee + amount, or revshare + revshareBps (0-10000)
+
+  "scopes": ["event.read", "event.attendees.read"],   // see list_scopes
+
+  "lifecycle": {                                 // entire object optional
+    "onInstall": "https://api.acme.com/experia/install",
+    "onUninstall": "https://api.acme.com/experia/uninstall",
+    "onConfigure": "https://api.acme.com/experia/configure"
+  },
+
+  "events": ["event.started", "attendee.checked_in"],   // see list_events (domain only)
+
+  "extensions": {                                // see list_extension_slots
+    "experia.event.tabs": [
+      { "id": "home", "label": "Network", "iframe": "https://acme.com/?eventId={eventId}&jwt={pluginJwt}" }
+    ]
+  },
+
+  "configSchema": { "type": "object", "properties": { ... } },   // optional JSON Schema
+  "timeWindow": "always"                         // always | event-live | post-event
+}
+\`\`\`
+
+Use **validate_manifest** in this MCP server to confirm a manifest passes
+the same rules as the platform's publish endpoint.
+`;
+const WEBHOOKS_DOC = `# Webhooks
+
+Outbound webhook deliveries are signed Stripe-style:
+
+\`\`\`
+X-Experia-Signature: t=<unix_seconds>,v1=<hex_hmac_sha256>
+Body: <raw JSON>
+\`\`\`
+
+Where \`v1 = HMAC_SHA256(webhookSecret, "${"$"}{t}.${"$"}{rawBody}")\`.
+
+The \`webhookSecret\` is **per-installation** — you receive it once in the
+\`plugin.installed\` payload. Persist it immediately.
+
+## Verification rule
+
+1. Parse the header into \`t\` and \`v1\`.
+2. Reject if \`abs(now - t) > 300\` (replay window).
+3. Recompute \`v1\` using your saved secret + the raw body.
+4. Constant-time compare. Reject on mismatch.
+
+The **verify_webhook_signature** tool in this MCP server runs the exact same
+algorithm — useful for debugging a 401/403 from your handler.
+
+## Retries
+
+Failed deliveries are retried with exponential backoff (~1m, 5m, 30m, 2h, 12h).
+After ~5 attempts the delivery is marked failed; you can replay it from the
+developer portal once the issue is fixed. All deliveries are logged in
+\`PluginWebhookDelivery\`.
+`;
+//# sourceMappingURL=server.js.map

package/dist/server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AAChE,OAAO,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACnE,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAE/D,SAAS,MAAM,CAAC,KAAc;IAC5B,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;KAClE,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,IAAY;IAC9B,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY;IAC1B,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,OAAO;KACjB,CAAC,CAAC;IAEH,wCAAwC;IAExC,MAAM,CAAC,YAAY,CACjB,aAAa,EACb;QACE,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,uMAAuM;KAC1M,EACD,KAAK,IAAI,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,CACnC,CAAC;IAEF,MAAM,CAAC,YAAY,CACjB,aAAa,EACb;QACE,KAAK,EAAE,qBAAqB;QAC5B,WAAW,EACT,6LAA6L;KAChM,EACD,KAAK,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC,CAC3E,CAAC;IAEF,MAAM,CAAC,YAAY,CACjB,sBAAsB,EACtB;QACE,KAAK,EAAE,yBAAyB;QAChC,WAAW,EACT,wLAAwL;KAC3L,EACD,KAAK,IAAI,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,CAClC,CAAC;IAEF,MAAM,CAAC,YAAY,CACjB,oBAAoB,EACpB;QACE,KAAK,EAAE,+BAA+B;QACtC,WAAW,EACT,qLAAqL;KACxL,EACD,KAAK,IAAI,EAAE,CAAC,MAAM,CAAC,oBAAoB,CAAC,CACzC,CAAC;IAEF,6BAA6B;IAE7B,MAAM,CAAC,YAAY,CACjB,mBAAmB,EACnB;QACE,KAAK,EAAE,4BAA4B;QACnC,WAAW,EACT,oNAAoN;QACtN,WAAW,EAAE;YACX,QAAQ,EAAE,CAAC;iBACR,OAAO,EAAE;iBACT,QAAQ,CAAC,iDAAiD,CAAC;SAC/D;KACF,EACD,KAAK,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAC3D,CAAC;IAEF,MAAM,CAAC,YAAY,CACjB,sBAAsB,EACtB;QACE,KAAK,EAAE,6BAA6B;QACpC,WAAW,EACT,4OAA4O;QAC9O,WAAW,EAAE;YACX,GAAG,EAAE,CAAC;iBACH,MAAM,EAAE;iBACR,QAAQ,CAAC,0DAA0D,CAAC;YACvE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,wCAAwC,CAAC;YACnE,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,yBAAyB,CAAC;YAC7D,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,oCAAoC,CAAC;YACzE,OAAO,EAAE,CAAC;iBACP,MAAM,EAAE;iBACR,QAAQ,CAAC,iEAAiE,CAAC;YAC9E,MAAM,EAAE,CAAC;iBACN,IAAI,CAAC,CAAC,SAAS,EAAE,cAAc,EAAE,gBAAgB,CAAC,CAAC;iBACnD,QAAQ,EAAE;iBACV,QAAQ,CAAC,+CAA+C,CAAC;SAC7D;KACF,EACD,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,uBAAuB,CAAC,IAAI,CAAC,CAAC,CACtD,CAAC;IAEF,4BAA4B;IAE5B,MAAM,CAAC,YAAY,CACjB,0BAA0B,EAC1B;QACE,KAAK,EAAE,sCAAsC;QAC7C,WAAW,EACT,sRAAsR;QACxR,WAAW,EAAE;YACX,OAAO,EAAE,CAAC;iBACP,MAAM,EAAE;iBACR,QAAQ,CAAC,4DAA4D,CAAC;YACzE,eAAe,EAAE,CAAC;iBACf,MAAM,EAAE;iBACR,QAAQ,CAAC,0CAA0C,CAAC;YACvD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,iCAAiC,CAAC;YAC9D,gBAAgB,EAAE,CAAC;iBAChB,MAAM,EAAE;iBACR,QAAQ,EAAE;iBACV,QAAQ,CAAC,kDAAkD,CAAC;SAChE;KACF,EACD,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC,CACrD,CAAC;IAEF,uCAAuC;IAEvC,MAAM,CAAC,gBAAgB,CACrB,iBAAiB,EACjB,yBAAyB,EACzB;QACE,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,qGAAqG;QAClH,QAAQ,EAAE,eAAe;KAC1B,EACD,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QACd,QAAQ,EAAE;YACR;gBACE,GAAG,EAAE,GAAG,CAAC,IAAI;gBACb,QAAQ,EAAE,eAAe;gBACzB,IAAI,EAAE,YAAY;aACnB;SACF;KACF,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,gBAAgB,CACrB,eAAe,EACf,yBAAyB,EACzB;QACE,KAAK,EAAE,mCAAmC;QAC1C,WAAW,EAAE,8DAA8D;QAC3E,QAAQ,EAAE,eAAe;KAC1B,EACD,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QACd,QAAQ,EAAE;YACR;gBACE,GAAG,EAAE,GAAG,CAAC,IAAI;gBACb,QAAQ,EAAE,eAAe;gBACzB,IAAI,EAAE,YAAY;aACnB;SACF;KACF,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,gBAAgB,CACrB,cAAc,EACd,yBAAyB,EACzB;QACE,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,6EAA6E;QAC1F,QAAQ,EAAE,eAAe;KAC1B,EACD,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QACd,QAAQ,EAAE;YACR;gBACE,GAAG,EAAE,GAAG,CAAC,IAAI;gBACb,QAAQ,EAAE,eAAe;gBACzB,IAAI,EAAE,YAAY;aACnB;SACF;KACF,CAAC,CACH,CAAC;IAEF,oFAAoF;IACpF,KAAK,UAAU,CAAC;IAEhB,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,YAAY,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+BpB,CAAC;AAEF,MAAM,YAAY,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA4CpB,CAAC;AAEF,MAAM,YAAY,GAAG;;;;;;;;;2CASsB,GAAG,OAAO,GAAG;;;;;;;;;;;;;;;;;;;;;CAqBvD,CAAC"}

package/dist/webhook/verify.d.ts

@@ -0,0 +1,28 @@
+export interface VerifyWebhookArgs {
+    /** Raw request body as it was received (string or Buffer). */
+    payload: string | Buffer;
+    /** Value of the `X-Experia-Signature` header. Format: `t=<unix>,v1=<hex>`. */
+    signatureHeader: string;
+    /** The webhookSecret you stored from the plugin.installed payload. */
+    secret: string;
+    /** Tolerance window in seconds. Default 5 minutes. */
+    toleranceSeconds?: number;
+    /** Override "now" (testing only). */
+    nowSeconds?: number;
+}
+export interface VerifyWebhookResult {
+    ok: boolean;
+    reason?: 'malformed-header' | 'timestamp-out-of-tolerance' | 'signature-mismatch';
+    /** Parsed timestamp (when header parses). */
+    timestamp?: number;
+}
+/**
+ * Verifies an `X-Experia-Signature` header. Uses constant-time compare
+ * and a timestamp-tolerance window to prevent replay.
+ *
+ * Mirrors the signing rule:
+ *   sig = HMAC_SHA256(secret, `${timestamp}.${rawPayload}`)
+ *   header = `t=${timestamp},v1=${sig}`
+ */
+export declare function verifyWebhookSignature(args: VerifyWebhookArgs): VerifyWebhookResult;
+//# sourceMappingURL=verify.d.ts.map

package/dist/webhook/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/webhook/verify.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,iBAAiB;IAChC,8DAA8D;IAC9D,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC;IACzB,8EAA8E;IAC9E,eAAe,EAAE,MAAM,CAAC;IACxB,sEAAsE;IACtE,MAAM,EAAE,MAAM,CAAC;IACf,sDAAsD;IACtD,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qCAAqC;IACrC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,OAAO,CAAC;IACZ,MAAM,CAAC,EACH,kBAAkB,GAClB,4BAA4B,GAC5B,oBAAoB,CAAC;IACzB,6CAA6C;IAC7C,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CACpC,IAAI,EAAE,iBAAiB,GACtB,mBAAmB,CAyCrB"}

package/dist/webhook/verify.js

@@ -0,0 +1,42 @@
+import { createHmac, timingSafeEqual } from 'node:crypto';
+/**
+ * Verifies an `X-Experia-Signature` header. Uses constant-time compare
+ * and a timestamp-tolerance window to prevent replay.
+ *
+ * Mirrors the signing rule:
+ *   sig = HMAC_SHA256(secret, `${timestamp}.${rawPayload}`)
+ *   header = `t=${timestamp},v1=${sig}`
+ */
+export function verifyWebhookSignature(args) {
+    const tolerance = args.toleranceSeconds ?? 300;
+    const now = args.nowSeconds ?? Math.floor(Date.now() / 1000);
+    const parts = args.signatureHeader.split(',').reduce((acc, p) => {
+        const [k, v] = p.split('=');
+        if (k && v)
+            acc[k.trim()] = v.trim();
+        return acc;
+    }, {});
+    const t = parts['t'];
+    const v1 = parts['v1'];
+    if (!t || !v1)
+        return { ok: false, reason: 'malformed-header' };
+    const ts = Number(t);
+    if (!Number.isFinite(ts))
+        return { ok: false, reason: 'malformed-header' };
+    if (Math.abs(now - ts) > tolerance) {
+        return { ok: false, reason: 'timestamp-out-of-tolerance', timestamp: ts };
+    }
+    const payloadStr = typeof args.payload === 'string'
+        ? args.payload
+        : args.payload.toString('utf8');
+    const expected = createHmac('sha256', args.secret)
+        .update(`${t}.${payloadStr}`)
+        .digest('hex');
+    const a = Buffer.from(expected, 'hex');
+    const b = Buffer.from(v1, 'hex');
+    if (a.length !== b.length || !timingSafeEqual(a, b)) {
+        return { ok: false, reason: 'signature-mismatch', timestamp: ts };
+    }
+    return { ok: true, timestamp: ts };
+}
+//# sourceMappingURL=verify.js.map

package/dist/webhook/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/webhook/verify.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAyB1D;;;;;;;GAOG;AACH,MAAM,UAAU,sBAAsB,CACpC,IAAuB;IAEvB,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,IAAI,GAAG,CAAC;IAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAE7D,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAClD,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;QACT,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,CAAC,IAAI,CAAC;YAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QACrC,OAAO,GAAG,CAAC;IACb,CAAC,EACD,EAAE,CACH,CAAC;IAEF,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC;IACrB,MAAM,EAAE,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC;IACvB,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;IAEhE,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACrB,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;IAE3E,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,EAAE,CAAC,GAAG,SAAS,EAAE,CAAC;QACnC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,4BAA4B,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;IAC5E,CAAC;IAED,MAAM,UAAU,GACd,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ;QAC9B,CAAC,CAAC,IAAI,CAAC,OAAO;QACd,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAEpC,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC;SAC/C,MAAM,CAAC,GAAG,CAAC,IAAI,UAAU,EAAE,CAAC;SAC5B,MAAM,CAAC,KAAK,CAAC,CAAC;IAEjB,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACvC,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;IAEjC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QACpD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,oBAAoB,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;IACpE,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;AACrC,CAAC"}