@fedpulse/sdk 1.0.0

package/dist/cjs/resources/webhooks.cjs

@@ -0,0 +1,262 @@
+"use strict";
+/**
+ * Webhooks resource client.
+ *
+ * Wraps all /v1/webhooks endpoints:
+ *   - create           POST   /v1/webhooks
+ *   - list             GET    /v1/webhooks
+ *   - get              GET    /v1/webhooks/:id
+ *   - update           PATCH  /v1/webhooks/:id
+ *   - delete           DELETE /v1/webhooks/:id
+ *   - test             POST   /v1/webhooks/:id/test
+ *   - resume           POST   /v1/webhooks/:id/resume
+ *   - listDeliveries   GET    /v1/webhooks/:id/deliveries
+ *   - getDelivery      GET    /v1/webhooks/:id/deliveries/:deliveryId
+ *   - deliveryPages    async generator over deliveries
+ *
+ * Requires: `webhook` API key scope for all operations.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WebhooksResource = void 0;
+class WebhooksResource {
+    http;
+    constructor(http) {
+        this.http = http;
+    }
+    /**
+     * Create a new webhook subscription.
+     *
+     * **Important:** The raw signing secret is returned once in the response
+     * (`result.data.secret`) and can never be retrieved again. Store it securely
+     * and use it to verify incoming deliveries with `FedPulse.verifyWebhook()`.
+     *
+     * @param params  Webhook creation parameters.
+     * @throws {PermissionError} If the API key lacks the `webhook` scope.
+     * @throws {PermissionError} If the plan limit for webhooks has been reached.
+     *
+     * @example
+     * ```ts
+     * const result = await client.webhooks.create({
+     *   url: 'https://my-app.example.com/webhooks/fedpulse',
+     *   events: ['opportunity.new', 'opportunity.modified'],
+     *   filters: { naics: ['541512'], state: 'VA' },
+     * });
+     * const signingSecret = result.data.secret; // Store this securely!
+     * ```
+     */
+    async create(params) {
+        validateCreateParams(params);
+        return this.http.post('/v1/webhooks', params);
+    }
+    /**
+     * List all webhook subscriptions for the authenticated user.
+     *
+     * @example
+     * ```ts
+     * const webhooks = await client.webhooks.list();
+     * for (const wh of webhooks.data) {
+     *   console.log(wh.id, wh.url, wh.isActive);
+     * }
+     * ```
+     */
+    async list() {
+        return this.http.get('/v1/webhooks', {}, { cacheTtlMs: 0 });
+    }
+    /**
+     * Get a single webhook subscription.
+     *
+     * @param id  Webhook UUID.
+     * @throws {NotFoundError} If the webhook does not exist or belongs to another user.
+     *
+     * @example
+     * ```ts
+     * const wh = await client.webhooks.get('wh-uuid');
+     * console.log(wh.data.isActive, wh.data.consecutiveFailures);
+     * ```
+     */
+    async get(id) {
+        validateId(id, 'id');
+        return this.http.get(`/v1/webhooks/${encodeURIComponent(id)}`, {}, { cacheTtlMs: 0 });
+    }
+    /**
+     * Update a webhook subscription.
+     *
+     * Pass `rotateSecret: true` to generate a new signing secret.
+     * The new secret will be returned in the response.
+     *
+     * @param id      Webhook UUID.
+     * @param params  Fields to update. At least one non-`rotateSecret` field required.
+     * @throws {NotFoundError} If the webhook does not exist.
+     * @throws {ValidationError} If no update fields are provided.
+     *
+     * @example
+     * ```ts
+     * const updated = await client.webhooks.update('wh-uuid', {
+     *   url: 'https://new-endpoint.example.com/webhooks',
+     *   events: ['opportunity.new'],
+     * });
+     * ```
+     */
+    async update(id, params) {
+        validateId(id, 'id');
+        if (Object.keys(params).length === 0) {
+            throw new Error('At least one field must be provided for update');
+        }
+        return this.http.patch(`/v1/webhooks/${encodeURIComponent(id)}`, params);
+    }
+    /**
+     * Delete a webhook subscription.
+     *
+     * @param id  Webhook UUID.
+     * @throws {NotFoundError} If the webhook does not exist.
+     *
+     * @example
+     * ```ts
+     * await client.webhooks.delete('wh-uuid');
+     * ```
+     */
+    async delete(id) {
+        validateId(id, 'id');
+        return this.http.del(`/v1/webhooks/${encodeURIComponent(id)}`);
+    }
+    /**
+     * Send a test event to a webhook endpoint (synchronous delivery).
+     *
+     * Unlike real deliveries, test events are sent immediately (no queue) and
+     * do not count against the circuit-breaker failure counter.
+     *
+     * @param id  Webhook UUID.
+     * @throws {NotFoundError} If the webhook does not exist.
+     *
+     * @example
+     * ```ts
+     * const result = await client.webhooks.test('wh-uuid');
+     * console.log('Test delivery status:', result.data);
+     * ```
+     */
+    async test(id) {
+        validateId(id, 'id');
+        return this.http.post(`/v1/webhooks/${encodeURIComponent(id)}/test`, {});
+    }
+    /**
+     * Resume a paused webhook (clear the circuit-breaker).
+     *
+     * Webhooks are auto-paused after 5 consecutive delivery failures.
+     * Use this to re-enable delivery after fixing the endpoint.
+     *
+     * @param id  Webhook UUID.
+     * @throws {NotFoundError} If the webhook does not exist.
+     *
+     * @example
+     * ```ts
+     * await client.webhooks.resume('wh-uuid');
+     * ```
+     */
+    async resume(id) {
+        validateId(id, 'id');
+        return this.http.post(`/v1/webhooks/${encodeURIComponent(id)}/resume`, {});
+    }
+    /**
+     * Get paginated delivery history for a webhook.
+     *
+     * @param id      Webhook UUID.
+     * @param params  Filter and pagination parameters.
+     * @throws {NotFoundError} If the webhook does not exist.
+     *
+     * @example
+     * ```ts
+     * const deliveries = await client.webhooks.listDeliveries('wh-uuid', {
+     *   status: 'failed',
+     *   limit: 50,
+     * });
+     * ```
+     */
+    async listDeliveries(id, params = {}) {
+        validateId(id, 'id');
+        return this.http.get(`/v1/webhooks/${encodeURIComponent(id)}/deliveries`, params, { cacheTtlMs: 0 });
+    }
+    /**
+     * Get the full detail of a single webhook delivery, including the payload.
+     *
+     * @param id          Webhook UUID.
+     * @param deliveryId  Delivery UUID.
+     * @throws {NotFoundError} If the webhook or delivery does not exist.
+     *
+     * @example
+     * ```ts
+     * const delivery = await client.webhooks.getDelivery('wh-uuid', 'del-uuid');
+     * console.log('Payload:', delivery.data.payload);
+     * ```
+     */
+    async getDelivery(id, deliveryId) {
+        validateId(id, 'id');
+        validateId(deliveryId, 'deliveryId');
+        return this.http.get(`/v1/webhooks/${encodeURIComponent(id)}/deliveries/${encodeURIComponent(deliveryId)}`, {}, { cacheTtlMs: 0 });
+    }
+    /**
+     * Async generator that automatically paginates through delivery history.
+     *
+     * @param id      Webhook UUID.
+     * @param params  Same filter parameters as `listDeliveries()`. Do not pass `page`.
+     *
+     * @example
+     * ```ts
+     * for await (const page of client.webhooks.deliveryPages('wh-uuid', { status: 'failed' })) {
+     *   for (const delivery of page.data) {
+     *     console.log(delivery.id, delivery.status, delivery.httpStatus);
+     *   }
+     * }
+     * ```
+     */
+    async *deliveryPages(id, params = {}) {
+        validateId(id, 'id');
+        let page = 1;
+        let hasMore = true;
+        while (hasMore) {
+            const result = await this.listDeliveries(id, { ...params, page });
+            yield result;
+            const pagination = result.pagination;
+            if (pagination === null) {
+                hasMore = false;
+            }
+            else if ('hasNextPage' in pagination) {
+                hasMore = pagination.hasNextPage;
+                if (hasMore)
+                    page++;
+            }
+            else {
+                hasMore = false;
+            }
+        }
+    }
+}
+exports.WebhooksResource = WebhooksResource;
+// ── Helpers ────────────────────────────────────────────────────────────────────
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+function validateId(value, name) {
+    if (!value || typeof value !== 'string' || value.trim() === '') {
+        throw new Error(`${name} must be a non-empty string`);
+    }
+    if (!UUID_RE.test(value.trim())) {
+        throw new Error(`${name} must be a valid UUID`);
+    }
+}
+function validateCreateParams(params) {
+    if (!params.url || typeof params.url !== 'string' || params.url.trim() === '') {
+        throw new Error('url must be a non-empty string');
+    }
+    try {
+        const parsed = new URL(params.url);
+        if (parsed.protocol !== 'https:') {
+            throw new Error('url must use the https:// scheme');
+        }
+    }
+    catch (err) {
+        if (err instanceof Error && err.message.includes('https://'))
+            throw err;
+        throw new Error(`url is not a valid URL: ${params.url}`);
+    }
+    if (!Array.isArray(params.events) || params.events.length === 0) {
+        throw new Error('events must be a non-empty array of webhook event types');
+    }
+}

package/dist/cjs/types/analytics.cjs

@@ -0,0 +1,5 @@
+"use strict";
+/**
+ * Types for the Analytics domain (/v1/analytics).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/types/assistance.cjs

@@ -0,0 +1,5 @@
+"use strict";
+/**
+ * Types for the Assistance Listings domain (/v1/assistance).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/types/common.cjs

@@ -0,0 +1,5 @@
+"use strict";
+/**
+ * Common types shared across all FedPulse API domains.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/types/entities.cjs

@@ -0,0 +1,5 @@
+"use strict";
+/**
+ * Types for the Entities domain (/v1/entities).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/types/exclusions.cjs

@@ -0,0 +1,5 @@
+"use strict";
+/**
+ * Types for the Exclusions domain (/v1/exclusions).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/types/index.cjs

@@ -0,0 +1,5 @@
+"use strict";
+/**
+ * Barrel export for all FedPulse SDK TypeScript types.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/types/intelligence.cjs

@@ -0,0 +1,5 @@
+"use strict";
+/**
+ * Types for the Intelligence domain (/v1/intelligence).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/types/opportunities.cjs

@@ -0,0 +1,5 @@
+"use strict";
+/**
+ * Types for the Opportunities domain (/v1/opportunities).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/types/webhooks.cjs

@@ -0,0 +1,5 @@
+"use strict";
+/**
+ * Types for the Webhooks domain (/v1/webhooks).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/webhooks-verify.cjs

@@ -0,0 +1,184 @@
+"use strict";
+/**
+ * Webhook signature verification for FedPulse webhook deliveries.
+ *
+ * FedPulse signs every outgoing webhook POST with HMAC-SHA256.
+ * Use these utilities to verify that incoming requests are genuinely from
+ * FedPulse and have not been tampered with or replayed.
+ *
+ * ## Signing algorithm:
+ *   signed_body = `${timestampSeconds}.${rawPayloadJson}`
+ *   signature   = HMAC-SHA256(rawSecret, signed_body) → hex
+ *
+ * ## Delivery headers (all present on every POST):
+ *   X-FedPulse-Signature   : `sha256={hex_hmac}`
+ *   X-FedPulse-Timestamp   : Unix epoch seconds (string)
+ *   X-FedPulse-Event       : Event type (e.g. "opportunity.new")
+ *   X-FedPulse-Delivery-Id : UUIDv4 delivery identifier
+ *
+ * ## Replay protection:
+ *   Reject deliveries where |now − timestamp| > maxAgeSeconds (default 300s).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WebhookVerificationError = void 0;
+exports.verifyWebhook = verifyWebhook;
+exports.extractWebhookHeaders = extractWebhookHeaders;
+const node_crypto_1 = require("node:crypto");
+const errors_js_1 = require("./errors.cjs");
+// ── Constants ─────────────────────────────────────────────────────────────────
+const DEFAULT_MAX_AGE_SECONDS = 300; // 5 minutes — matches API server policy.
+// ── Error types ────────────────────────────────────────────────────────────────
+/** Thrown when webhook signature verification fails. */
+class WebhookVerificationError extends errors_js_1.FedPulseError {
+    constructor(message) {
+        super({ message, status: 0, code: 'WEBHOOK_VERIFICATION_FAILED' });
+        this.name = 'WebhookVerificationError';
+        Object.setPrototypeOf(this, new.target.prototype);
+    }
+}
+exports.WebhookVerificationError = WebhookVerificationError;
+// ── Public API ─────────────────────────────────────────────────────────────────
+/**
+ * Verify a FedPulse webhook delivery and parse the payload.
+ *
+ * This function performs three checks:
+ *   1. **Format check** — headers are present and in the expected format.
+ *   2. **Timestamp check** — delivery is not older than `maxAgeSeconds`.
+ *   3. **Signature check** — HMAC-SHA256 matches using constant-time comparison.
+ *
+ * Throws `WebhookVerificationError` on any failure.
+ * Returns the parsed, verified `WebhookPayload<T>`.
+ *
+ * @param input  Headers, raw body, and secret.
+ * @returns Parsed and verified webhook payload.
+ *
+ * @throws {WebhookVerificationError} If the signature is invalid, the timestamp
+ *   is out of range, or the headers are malformed.
+ *
+ * @example
+ * ```ts
+ * // Express.js example (use bodyParser.raw() to get the raw buffer):
+ * app.post('/webhooks', express.raw({ type: 'application/json' }), (req, res) => {
+ *   let payload;
+ *   try {
+ *     payload = FedPulse.verifyWebhook({
+ *       rawBody: req.body,
+ *       signatureHeader: req.headers['x-fedpulse-signature'] as string,
+ *       timestampHeader: req.headers['x-fedpulse-timestamp'] as string,
+ *       secret: process.env.FEDPULSE_WEBHOOK_SECRET!,
+ *     });
+ *   } catch (err) {
+ *     return res.status(400).send('Invalid signature');
+ *   }
+ *   console.log('Event:', payload.event, 'Data:', payload.data);
+ *   res.status(200).send('OK');
+ * });
+ * ```
+ */
+function verifyWebhook(input) {
+    const { rawBody, signatureHeader, timestampHeader, secret, options } = input;
+    const maxAgeSeconds = options?.maxAgeSeconds ?? DEFAULT_MAX_AGE_SECONDS;
+    // ── 1. Validate input presence ─────────────────────────────────────────────
+    if (!signatureHeader || typeof signatureHeader !== 'string') {
+        throw new WebhookVerificationError('Missing X-FedPulse-Signature header. Ensure the request is from FedPulse.');
+    }
+    if (!timestampHeader || typeof timestampHeader !== 'string') {
+        throw new WebhookVerificationError('Missing X-FedPulse-Timestamp header. Ensure the request is from FedPulse.');
+    }
+    if (!secret || typeof secret !== 'string' || secret.trim() === '') {
+        throw new WebhookVerificationError('Webhook secret must be a non-empty string.');
+    }
+    if (rawBody === undefined || rawBody === null) {
+        throw new WebhookVerificationError('rawBody is required. Pass the exact bytes received from the HTTP request.');
+    }
+    // ── 2. Parse and validate timestamp ────────────────────────────────────────
+    const timestampSeconds = Number(timestampHeader);
+    if (!Number.isFinite(timestampSeconds) || timestampSeconds <= 0) {
+        throw new WebhookVerificationError(`X-FedPulse-Timestamp is not a valid Unix timestamp: "${timestampHeader}"`);
+    }
+    const nowSeconds = Math.floor(Date.now() / 1000);
+    const ageSeconds = Math.abs(nowSeconds - timestampSeconds);
+    if (ageSeconds > maxAgeSeconds) {
+        throw new WebhookVerificationError(`Webhook delivery is too old (age: ${ageSeconds}s, max: ${maxAgeSeconds}s). ` +
+            'This may indicate a replay attack. Ensure your server clock is synchronised.');
+    }
+    // ── 3. Parse and validate signature header ─────────────────────────────────
+    if (!signatureHeader.startsWith('sha256=')) {
+        throw new WebhookVerificationError(`Unsupported signature algorithm. Expected "sha256=..." prefix, got: "${signatureHeader}"`);
+    }
+    const receivedHex = signatureHeader.slice('sha256='.length);
+    if (!receivedHex || !/^[0-9a-f]+$/i.test(receivedHex)) {
+        throw new WebhookVerificationError('X-FedPulse-Signature contains an invalid hex string');
+    }
+    // ── 4. Compute expected signature ──────────────────────────────────────────
+    const bodyString = typeof rawBody === 'string' ? rawBody : rawBody.toString('utf8');
+    const signedPayload = `${timestampSeconds}.${bodyString}`;
+    const expectedHex = (0, node_crypto_1.createHmac)('sha256', secret)
+        .update(signedPayload, 'utf8')
+        .digest('hex');
+    // ── 5. Constant-time comparison ────────────────────────────────────────────
+    // Pad both to the same length to avoid length-based timing differences, then
+    // use timingSafeEqual to prevent timing attacks.
+    const receivedBuf = Buffer.from(receivedHex.toLowerCase(), 'hex');
+    const expectedBuf = Buffer.from(expectedHex, 'hex');
+    if (receivedBuf.length !== expectedBuf.length ||
+        !(0, node_crypto_1.timingSafeEqual)(receivedBuf, expectedBuf)) {
+        throw new WebhookVerificationError('Webhook signature does not match. The request may have been tampered with.');
+    }
+    // ── 6. Parse and return payload ────────────────────────────────────────────
+    let payload;
+    try {
+        payload = JSON.parse(bodyString);
+    }
+    catch {
+        throw new WebhookVerificationError('Webhook body is not valid JSON despite a valid signature.');
+    }
+    if (payload === null ||
+        typeof payload !== 'object' ||
+        !('event' in payload) ||
+        !('timestamp' in payload) ||
+        !('data' in payload)) {
+        throw new WebhookVerificationError('Webhook payload does not match the expected envelope shape ' +
+            '{ event, timestamp, apiVersion, data }.');
+    }
+    return payload;
+}
+/**
+ * Extract the FedPulse webhook headers from a plain headers object.
+ *
+ * Normalises both lowercase and original-casing variants so you don't
+ * have to worry about header casing differences between frameworks.
+ *
+ * @param headers  A plain object or Map of request headers.
+ * @returns  Extracted signature and timestamp values.
+ *
+ * @example
+ * ```ts
+ * // Works with Express, Fastify, Koa, Next.js API routes, etc.
+ * const { signatureHeader, timestampHeader } = extractWebhookHeaders(req.headers);
+ * const payload = FedPulse.verifyWebhook({ rawBody, signatureHeader, timestampHeader, secret });
+ * ```
+ */
+function extractWebhookHeaders(headers) {
+    const get = (key) => {
+        let value;
+        if (headers instanceof Headers) {
+            value = headers.get(key);
+        }
+        else {
+            // Case-insensitive lookup for plain objects.
+            const lowerKey = key.toLowerCase();
+            const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === lowerKey);
+            value = entry?.[1];
+        }
+        if (Array.isArray(value))
+            return value[0] ?? '';
+        return value ?? '';
+    };
+    return {
+        signatureHeader: get('x-fedpulse-signature'),
+        timestampHeader: get('x-fedpulse-timestamp'),
+        event: get('x-fedpulse-event'),
+        deliveryId: get('x-fedpulse-delivery-id'),
+    };
+}

package/dist/esm/client.js

@@ -0,0 +1,135 @@
+/**
+ * FedPulse SDK — main client class.
+ *
+ * Instantiate this class with your API key to access all FedPulse
+ * data resources and the webhook verification utility.
+ *
+ * @example
+ * ```ts
+ * import { FedPulse } from '@fedpulse/sdk';
+ *
+ * const client = new FedPulse({ apiKey: process.env.FEDPULSE_API_KEY! });
+ *
+ * // Search contracts
+ * const { data } = await client.opportunities.list({ q: 'cloud', naics: '541512' });
+ *
+ * // Compliance check
+ * const { data: status } = await client.exclusions.check({ entities: [{ uei: 'ABCDEF123456' }] });
+ *
+ * // Verify an incoming webhook
+ * const payload = FedPulse.verifyWebhook({ rawBody, signatureHeader, timestampHeader, secret });
+ * ```
+ */
+import { HttpClient } from './http.js';
+import { OpportunitiesResource } from './resources/opportunities.js';
+import { ExclusionsResource } from './resources/exclusions.js';
+import { EntitiesResource } from './resources/entities.js';
+import { IntelligenceResource } from './resources/intelligence.js';
+import { AssistanceResource } from './resources/assistance.js';
+import { AnalyticsResource } from './resources/analytics.js';
+import { WebhooksResource } from './resources/webhooks.js';
+import { verifyWebhook, extractWebhookHeaders, WebhookVerificationError, } from './webhooks-verify.js';
+// ── Main client class ──────────────────────────────────────────────────────────
+/**
+ * The FedPulse SDK client.
+ *
+ * All API interactions go through the resource properties on this class.
+ * The static `verifyWebhook` method can be used independently of a client instance.
+ */
+export class FedPulse {
+    /** Low-level HTTP client (exposed for advanced usage only). */
+    http;
+    /** Federal contract opportunities (/v1/opportunities). */
+    opportunities;
+    /** SAM.gov exclusions and bulk compliance checks (/v1/exclusions). */
+    exclusions;
+    /** SAM.gov registered entities / vendors (/v1/entities). */
+    entities;
+    /** 360° entity intelligence and market analysis (/v1/intelligence). */
+    intelligence;
+    /** Federal assistance listings / CFDA programs (/v1/assistance). */
+    assistance;
+    /** Per-user API usage analytics (/v1/analytics). */
+    analytics;
+    /** Webhook subscription management (/v1/webhooks). */
+    webhooks;
+    constructor(options) {
+        this.http = new HttpClient(options);
+        this.opportunities = new OpportunitiesResource(this.http);
+        this.exclusions = new ExclusionsResource(this.http);
+        this.entities = new EntitiesResource(this.http);
+        this.intelligence = new IntelligenceResource(this.http);
+        this.assistance = new AssistanceResource(this.http);
+        this.analytics = new AnalyticsResource(this.http);
+        this.webhooks = new WebhooksResource(this.http);
+    }
+    /**
+     * Most recent rate-limit info observed from API responses.
+     *
+     * Updated after every API call. Useful for monitoring your rate-limit usage.
+     *
+     * @example
+     * ```ts
+     * await client.opportunities.list({ limit: 25 });
+     * console.log('Remaining requests:', client.rateLimit?.remaining);
+     * ```
+     */
+    get rateLimit() {
+        return this.http.lastRateLimit;
+    }
+    /**
+     * Clear the in-memory response cache.
+     *
+     * Useful after writes that may invalidate cached GET responses.
+     */
+    clearCache() {
+        this.http.clearCache();
+    }
+    // ── Static webhook utilities ───────────────────────────────────────────────
+    /**
+     * Verify an incoming FedPulse webhook delivery.
+     *
+     * Validates the HMAC-SHA256 signature, checks the timestamp against replay
+     * attacks, and returns the parsed payload on success.
+     *
+     * **IMPORTANT:** Pass the raw request body bytes — do not parse to JSON first.
+     *
+     * @param input  Headers, raw body, and signing secret.
+     * @returns Parsed, verified webhook payload.
+     * @throws {WebhookVerificationError} If signature/timestamp is invalid.
+     *
+     * @example
+     * ```ts
+     * // Express.js with `express.raw({ type: 'application/json' })`:
+     * const payload = FedPulse.verifyWebhook<{ noticeId: string }>({
+     *   rawBody: req.body,               // Buffer from express.raw()
+     *   signatureHeader: req.headers['x-fedpulse-signature'] as string,
+     *   timestampHeader: req.headers['x-fedpulse-timestamp'] as string,
+     *   secret: process.env.FEDPULSE_WEBHOOK_SECRET!,
+     * });
+     * console.log(payload.event, payload.data.noticeId);
+     * ```
+     */
+    static verifyWebhook(input) {
+        return verifyWebhook(input);
+    }
+    /**
+     * Extract FedPulse webhook headers from a request headers object.
+     *
+     * Handles case-insensitive lookup across Express, Fastify, Next.js, etc.
+     *
+     * @param headers  Headers object (plain object or `Headers` instance).
+     * @returns  Signature header, timestamp header, event type, and delivery ID.
+     *
+     * @example
+     * ```ts
+     * const { signatureHeader, timestampHeader } = FedPulse.extractWebhookHeaders(req.headers);
+     * const payload = FedPulse.verifyWebhook({ rawBody, signatureHeader, timestampHeader, secret });
+     * ```
+     */
+    static extractWebhookHeaders(headers) {
+        return extractWebhookHeaders(headers);
+    }
+}
+export { WebhookVerificationError };
+//# sourceMappingURL=client.js.map

package/dist/esm/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAEvC,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EACL,aAAa,EACb,qBAAqB,EACrB,wBAAwB,GACzB,MAAM,sBAAsB,CAAC;AAyB9B,kFAAkF;AAElF;;;;;GAKG;AACH,MAAM,OAAO,QAAQ;IACnB,+DAA+D;IACtD,IAAI,CAAa;IAE1B,0DAA0D;IACjD,aAAa,CAAwB;IAE9C,sEAAsE;IAC7D,UAAU,CAAqB;IAExC,4DAA4D;IACnD,QAAQ,CAAmB;IAEpC,uEAAuE;IAC9D,YAAY,CAAuB;IAE5C,oEAAoE;IAC3D,UAAU,CAAqB;IAExC,oDAAoD;IAC3C,SAAS,CAAoB;IAEtC,sDAAsD;IAC7C,QAAQ,CAAmB;IAEpC,YAAY,OAAwB;QAClC,IAAI,CAAC,IAAI,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,CAAC;QAEpC,IAAI,CAAC,aAAa,GAAG,IAAI,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1D,IAAI,CAAC,UAAU,GAAG,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpD,IAAI,CAAC,QAAQ,GAAG,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChD,IAAI,CAAC,YAAY,GAAG,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxD,IAAI,CAAC,UAAU,GAAG,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpD,IAAI,CAAC,SAAS,GAAG,IAAI,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClD,IAAI,CAAC,QAAQ,GAAG,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClD,CAAC;IAED;;;;;;;;;;OAUG;IACH,IAAI,SAAS;QACX,OAAO,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC;IACjC,CAAC;IAED;;;;OAIG;IACH,UAAU;QACR,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;IACzB,CAAC;IAED,8EAA8E;IAE9E;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,MAAM,CAAC,aAAa,CAAc,KAAyB;QACzD,OAAO,aAAa,CAAI,KAAK,CAAC,CAAC;IACjC,CAAC;IAED;;;;;;;;;;;;;OAaG;IACH,MAAM,CAAC,qBAAqB,CAC1B,OAAgE;QAEhE,OAAO,qBAAqB,CAAC,OAAO,CAAC,CAAC;IACxC,CAAC;CACF;AAED,OAAO,EAAE,wBAAwB,EAAE,CAAC"}