@josephomills/esign 0.2.2

package/dist/server/index.cjs

@@ -0,0 +1,1016 @@
+'use strict';
+
+var crypto = require('crypto');
+var zod = require('zod');
+var pdfLib = require('pdf-lib');
+
+// src/server/tokens.ts
+function sha256Hex(input) {
+  return crypto.createHash("sha256").update(input).digest("hex");
+}
+function newSigningToken(bytes = 32) {
+  const cleartext = crypto.randomBytes(bytes).toString("base64url");
+  return { cleartext, tokenHash: sha256Hex(cleartext) };
+}
+
+// src/server/audit-chain.ts
+function canonicalize(value) {
+  if (value === void 0) return "null";
+  if (value === null || typeof value !== "object") return JSON.stringify(value);
+  if (Array.isArray(value)) return `[${value.map(canonicalize).join(",")}]`;
+  const obj = value;
+  const keys = Object.keys(obj).sort();
+  return `{${keys.map((k) => `${JSON.stringify(k)}:${canonicalize(obj[k])}`).join(",")}}`;
+}
+function linkHash(prevHash, seq, type, occurredAt, payload) {
+  return sha256Hex(
+    `${prevHash ?? ""}|${seq}|${type}|${occurredAt}|${canonicalize(payload)}`
+  );
+}
+function appendEvent(prev, input) {
+  const seq = prev ? prev.seq + 1 : 0;
+  const prevHash = prev ? prev.hash : null;
+  const hash = linkHash(prevHash, seq, input.type, input.occurredAt, input.payload);
+  return { ...input, seq, prevHash, hash };
+}
+function buildChain(inputs) {
+  const out = [];
+  let prev = null;
+  for (const input of inputs) {
+    prev = appendEvent(prev, input);
+    out.push(prev);
+  }
+  return out;
+}
+function verifyChain(links) {
+  let prev = null;
+  for (const link of links) {
+    const expectedSeq = prev ? prev.seq + 1 : 0;
+    const expectedPrev = prev ? prev.hash : null;
+    const expectedHash = linkHash(
+      expectedPrev,
+      link.seq,
+      link.type,
+      link.occurredAt,
+      link.payload
+    );
+    if (link.seq !== expectedSeq || link.prevHash !== expectedPrev || link.hash !== expectedHash) {
+      return { ok: false, brokenAt: link.seq };
+    }
+    prev = link;
+  }
+  return { ok: true, brokenAt: null };
+}
+
+// src/server/errors.ts
+var EsignError = class extends Error {
+  code;
+  details;
+  status;
+  constructor(code, message, details) {
+    super(message);
+    this.name = "EsignError";
+    this.code = code;
+    this.details = details;
+    this.status = statusFor(code);
+  }
+};
+function statusFor(code) {
+  switch (code) {
+    case "UNAUTHENTICATED":
+      return 401;
+    case "FORBIDDEN":
+      return 403;
+    case "NOT_FOUND":
+      return 404;
+    case "INVALID_INPUT":
+      return 422;
+    case "CONFLICT":
+      return 409;
+    case "GONE":
+      return 410;
+    case "RATE_LIMITED":
+      return 429;
+    case "PAYLOAD_TOO_LARGE":
+      return 413;
+    case "STORAGE_ERROR":
+      return 502;
+    case "INTERNAL":
+    default:
+      return 500;
+  }
+}
+function toErrorResponse(err) {
+  if (err instanceof EsignError) {
+    return Response.json(
+      { error: { code: err.code, message: err.message, details: err.details } },
+      { status: err.status }
+    );
+  }
+  console.error("[esign] unexpected error", err);
+  return Response.json(
+    { error: { code: "INTERNAL", message: "Unexpected error." } },
+    { status: 500 }
+  );
+}
+var ESIGN_CHANNELS = [
+  "EMAIL",
+  "TELEGRAM",
+  "SMS",
+  "WHATSAPP"
+];
+var esignChannelSchema = zod.z.enum(["EMAIL", "TELEGRAM", "SMS", "WHATSAPP"]);
+var unit = zod.z.number().min(0).max(1);
+var placementSchema = zod.z.object({
+  page: zod.z.number().int().min(1),
+  x: unit,
+  y: unit,
+  w: zod.z.number().min(0.01).max(1),
+  h: zod.z.number().min(0.01).max(1)
+}).strict();
+function addressFor(recipient, channel) {
+  switch (channel) {
+    case "EMAIL":
+      return recipient.email ?? null;
+    case "SMS":
+      return recipient.phone ?? null;
+    case "WHATSAPP":
+      return recipient.whatsapp ?? recipient.phone ?? null;
+    case "TELEGRAM":
+      return null;
+  }
+}
+var subjectSelectionSchema = zod.z.union([
+  zod.z.object({
+    mode: zod.z.literal("all"),
+    type: zod.z.string().min(1),
+    group: zod.z.string().min(1).optional(),
+    filter: zod.z.record(zod.z.unknown()).optional()
+  }).strict(),
+  zod.z.object({
+    mode: zod.z.literal("ids"),
+    type: zod.z.string().min(1),
+    subjectIds: zod.z.array(zod.z.string().min(1)).min(1)
+  }).strict()
+]);
+var submitSignatureSchema = zod.z.object({
+  signaturePng: zod.z.string().min(1).max(15e5),
+  // ~1MB cap on the data URL
+  signerName: zod.z.string().trim().min(1).max(200),
+  consent: zod.z.literal(true)
+}).strict();
+var declineSchema = zod.z.object({ reason: zod.z.string().trim().max(500).optional() }).strict();
+var ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+function uid(size = 16) {
+  let out = "";
+  while (out.length < size) {
+    for (const byte of crypto.randomBytes(size)) {
+      if (byte < 248) {
+        out += ALPHABET[byte % 62];
+        if (out.length === size) break;
+      }
+    }
+  }
+  return out;
+}
+
+// src/server/campaign.ts
+async function recordEvent(persistence, requestId, prev, input) {
+  const link = appendEvent(prev, input);
+  await persistence.appendAuditEvent({
+    requestId,
+    seq: link.seq,
+    type: link.type,
+    payload: link.payload,
+    prevHash: link.prevHash,
+    hash: link.hash
+  });
+  return link;
+}
+var defaultContent = ({
+  documentTitle,
+  note,
+  recipientName
+}) => ({
+  subject: `Please sign: ${documentTitle}`,
+  body: [
+    `Hello ${recipientName},`,
+    note ?? `You have a document to review and sign: ${documentTitle}.`,
+    "Open the secure link to sign \u2014 no account or login needed."
+  ].filter(Boolean).join("\n\n")
+});
+var DAY_MS = 864e5;
+async function createCampaign(deps, args) {
+  const { persistence, subjects, notifier, clock, baseUrl, defaultExpiryDays } = deps;
+  const content = deps.content ?? defaultContent;
+  if (args.channels.length === 0) {
+    throw new EsignError("INVALID_INPUT", "Choose at least one channel.");
+  }
+  const version = await persistence.getVersion(args.documentVersionId);
+  if (!version) throw new EsignError("NOT_FOUND", "Document version not found.");
+  const document = await persistence.getDocument(version.documentId);
+  if (!document) throw new EsignError("NOT_FOUND", "Document not found.");
+  const descriptor = subjects.get(args.selection.type);
+  if (!descriptor) {
+    throw new EsignError(
+      "INVALID_INPUT",
+      `Unknown subject type: ${args.selection.type}.`
+    );
+  }
+  const configured = new Set(notifier.configuredChannels());
+  const channels = args.channels.filter((c) => configured.has(c));
+  if (channels.length === 0) {
+    throw new EsignError(
+      "INVALID_INPUT",
+      "None of the chosen channels are configured."
+    );
+  }
+  const scopeId = args.scopeId ?? document.scopeId;
+  const resolved = await descriptor.resolveRecipients({
+    scopeId,
+    selection: args.selection,
+    channels
+  });
+  const skipped = resolved.skipped;
+  let recipients = resolved.recipients;
+  if (args.resendPolicy && args.resendPolicy !== "all") {
+    const summaries = await persistence.requestSummaryBySubject(version.documentId);
+    const byId = new Map(summaries.map((s) => [s.subjectId, s]));
+    const vNum = version.version;
+    recipients = recipients.filter((r) => {
+      const s = byId.get(r.subjectId);
+      switch (args.resendPolicy) {
+        case "uncovered":
+          return !s;
+        case "outstanding":
+          return !(s && s.status === "SIGNED" && s.version >= vNum);
+        case "olderVersion":
+          return Boolean(s && s.status === "SIGNED" && s.version < vNum);
+        default:
+          return true;
+      }
+    });
+  }
+  if (recipients.length === 0) return { campaignId: null, sent: 0, skipped };
+  const now = clock.now();
+  const expiresAt = new Date(
+    now.getTime() + (args.expiresInDays ?? defaultExpiryDays) * DAY_MS
+  );
+  const campaign = await persistence.createCampaign({
+    documentId: version.documentId,
+    documentVersionId: version.id,
+    scopeId,
+    note: args.note ?? null,
+    emailReceipt: args.emailReceipt ?? false,
+    targeting: args.selection,
+    expiresAt,
+    createdById: args.createdById ?? null
+  });
+  const targetedGroup = args.selection.mode === "all" ? args.selection.group ?? null : null;
+  const prepared = recipients.map((r) => {
+    const token = newSigningToken();
+    const row = {
+      id: uid(),
+      campaignId: campaign.id,
+      documentId: version.documentId,
+      documentVersionId: version.id,
+      scopeId,
+      subjectType: r.subjectType,
+      subjectId: r.subjectId,
+      subjectGroup: targetedGroup ?? r.group ?? null,
+      recipientName: r.name,
+      recipientEmail: r.email ?? null,
+      recipientWhatsapp: r.whatsapp ?? null,
+      channels,
+      tokenHash: token.tokenHash,
+      expiresAt
+    };
+    return { row, cleartext: token.cleartext, recipient: r };
+  });
+  await persistence.createRequests(prepared.map((p) => p.row));
+  const base = baseUrl.replace(/\/$/, "");
+  const nowIso = now.toISOString();
+  let sent = 0;
+  for (const { row, cleartext, recipient } of prepared) {
+    let prev = await recordEvent(persistence, row.id, null, {
+      type: "CREATED",
+      payload: {
+        subjectType: row.subjectType,
+        subjectId: row.subjectId,
+        by: args.createdById ?? null
+      },
+      occurredAt: nowIso
+    });
+    const actionUrl = `${base}/sign/${cleartext}`;
+    const c = content({
+      documentTitle: document.title,
+      note: args.note ?? null,
+      recipientName: recipient.name
+    });
+    for (const channel of channels) {
+      const address = addressFor(recipient, channel);
+      if (!address) continue;
+      let ok2 = false;
+      let error = null;
+      try {
+        const result = await notifier.send({
+          channel,
+          recipient: address,
+          subject: c.subject,
+          body: c.body,
+          actionUrl,
+          idempotencyKey: row.id
+        });
+        ok2 = result.ok;
+        error = result.error ?? null;
+      } catch (err) {
+        ok2 = false;
+        error = err instanceof Error ? err.message : String(err);
+      }
+      prev = await recordEvent(persistence, row.id, prev, {
+        type: "NOTIFIED",
+        payload: { channel, ok: ok2, error },
+        occurredAt: nowIso
+      });
+    }
+    sent++;
+  }
+  return { campaignId: campaign.id, sent, skipped };
+}
+
+// src/server/coverage.ts
+async function documentCoverage(deps, documentId) {
+  const { persistence, subjects } = deps;
+  const doc = await persistence.getDocument(documentId);
+  if (!doc) throw new EsignError("NOT_FOUND", "Document not found.");
+  const summaries = await persistence.requestSummaryBySubject(documentId);
+  const summaryIds = new Set(summaries.map((s) => s.subjectId));
+  let currentNumber = 0;
+  if (doc.currentVersionId) {
+    const v = await persistence.getVersion(doc.currentVersionId);
+    currentNumber = v?.version ?? 0;
+  }
+  let signed = 0;
+  let outstanding = 0;
+  let needsResign = 0;
+  for (const s of summaries) {
+    if (s.status === "SIGNED") {
+      if (s.version >= currentNumber) signed++;
+      else needsResign++;
+    } else if (s.status === "PENDING" || s.status === "VIEWED") {
+      outstanding++;
+    }
+  }
+  let live = [];
+  if (doc.audience) {
+    const descriptor = subjects.get(doc.audience.type);
+    if (descriptor) {
+      const page = await descriptor.listSubjects({
+        scopeId: doc.scopeId,
+        group: doc.audience.mode === "all" ? doc.audience.group : void 0,
+        filter: doc.audience.mode === "all" ? doc.audience.filter : void 0,
+        limit: 1e3
+      });
+      live = page.subjects;
+    }
+  }
+  const liveIds = new Set(live.map((s) => s.subjectId));
+  const uncovered = live.filter((s) => !summaryIds.has(s.subjectId));
+  const departed = doc.audience ? summaries.filter((s) => !liveIds.has(s.subjectId)).map((s) => ({ subjectType: doc.audience.type, subjectId: s.subjectId })) : [];
+  return {
+    documentId,
+    totalNow: live.length,
+    signed,
+    outstanding,
+    needsResign,
+    uncovered,
+    departed
+  };
+}
+async function createDocument(persistence, input) {
+  if (!input.title.trim()) {
+    throw new EsignError("INVALID_INPUT", "A document title is required.");
+  }
+  return persistence.createDocument({
+    scopeId: input.scopeId ?? null,
+    documentType: input.documentType ?? null,
+    title: input.title,
+    audience: input.audience ?? null,
+    createdById: input.createdById ?? null
+  });
+}
+async function assertReadablePdf(bytes) {
+  try {
+    await pdfLib.PDFDocument.load(bytes);
+  } catch {
+    throw new EsignError(
+      "INVALID_INPUT",
+      "The upload is not a readable PDF (it may be encrypted or corrupt)."
+    );
+  }
+}
+async function addVersion(deps, input) {
+  const { persistence, storage } = deps;
+  let sourceObjectKey;
+  let bytes;
+  if ("objectKey" in input.source) {
+    sourceObjectKey = input.source.objectKey;
+    const fetched = await storage.get(sourceObjectKey);
+    if (!fetched) {
+      throw new EsignError("INVALID_INPUT", "Uploaded PDF was not found in storage.");
+    }
+    bytes = fetched.bytes;
+  } else {
+    bytes = input.source.pdfBytes;
+    sourceObjectKey = storage.stampKey({
+      scopeId: input.source.scopeId ?? null,
+      documentId: input.documentId,
+      contentType: "application/pdf"
+    });
+    await storage.put({
+      objectKey: sourceObjectKey,
+      bytes,
+      contentType: "application/pdf"
+    });
+  }
+  await assertReadablePdf(bytes);
+  const latest = await persistence.latestVersion(input.documentId);
+  const version = await persistence.createVersion({
+    documentId: input.documentId,
+    version: (latest?.version ?? 0) + 1,
+    sourceObjectKey,
+    sourceSha256: sha256Hex(bytes),
+    placement: input.placement,
+    changeNote: input.changeNote ?? null,
+    createdById: input.createdById ?? null
+  });
+  await persistence.updateDocument(input.documentId, {
+    currentVersionId: version.id
+  });
+  return version;
+}
+
+// src/server/route-utils.ts
+function publicRoute(handler) {
+  return async (req, ctx) => {
+    try {
+      return await handler(req, ctx);
+    } catch (err) {
+      return toErrorResponse(err);
+    }
+  };
+}
+async function parseBody(req, schema) {
+  let raw;
+  try {
+    raw = await req.json();
+  } catch {
+    throw new EsignError("INVALID_INPUT", "Request body must be valid JSON.");
+  }
+  const parsed = schema.safeParse(raw);
+  if (!parsed.success) {
+    throw new EsignError("INVALID_INPUT", "Validation failed.", parsed.error.flatten());
+  }
+  return parsed.data;
+}
+function ok(data, init) {
+  return Response.json(data, init);
+}
+function clientIp(req) {
+  const fwd = req.headers.get("x-forwarded-for");
+  if (fwd) return fwd.split(",")[0]?.trim() ?? null;
+  return req.headers.get("x-real-ip");
+}
+
+// src/server/flow.ts
+var ESIGN_STATUSES = [
+  "PENDING",
+  "VIEWED",
+  "SIGNED",
+  "DECLINED",
+  "EXPIRED",
+  "REVOKED"
+];
+var ACTIVE_STATUSES = ["PENDING", "VIEWED"];
+var TERMINAL_STATUSES = [
+  "SIGNED",
+  "DECLINED",
+  "EXPIRED",
+  "REVOKED"
+];
+var TRANSITIONS = {
+  PENDING: ["VIEWED", "SIGNED", "DECLINED", "EXPIRED", "REVOKED"],
+  VIEWED: ["SIGNED", "DECLINED", "EXPIRED", "REVOKED"],
+  SIGNED: [],
+  DECLINED: [],
+  EXPIRED: [],
+  REVOKED: []
+};
+function isActive(status) {
+  return ACTIVE_STATUSES.includes(status);
+}
+function isTerminal(status) {
+  return TERMINAL_STATUSES.includes(status);
+}
+function canTransition(from, to) {
+  if (from === to) return true;
+  return TRANSITIONS[from].includes(to);
+}
+function assertTransition(from, to) {
+  if (!canTransition(from, to)) {
+    throw new EsignError(
+      "CONFLICT",
+      `Illegal signing-request transition: ${from} \u2192 ${to}.`
+    );
+  }
+}
+var A4 = [595.28, 841.89];
+var MARGIN = 48;
+var INK = pdfLib.rgb(0.12, 0.12, 0.14);
+var MUTED = pdfLib.rgb(0.4, 0.42, 0.46);
+async function renderAuditCertificatePage(pdf, info) {
+  const page = pdf.addPage(A4);
+  const font = await pdf.embedFont(pdfLib.StandardFonts.Helvetica);
+  const bold = await pdf.embedFont(pdfLib.StandardFonts.HelveticaBold);
+  const mono = await pdf.embedFont(pdfLib.StandardFonts.Courier);
+  const [pageW, pageH] = A4;
+  let y = pageH - MARGIN;
+  const draw = (text, opts = {}) => {
+    page.drawText(text, {
+      x: opts.x ?? MARGIN,
+      y,
+      size: opts.size ?? 10,
+      font: opts.font ?? font,
+      color: opts.color ?? INK
+    });
+  };
+  const advance = (by) => {
+    y -= by;
+  };
+  draw("Signature Certificate", { size: 20, font: bold });
+  advance(14);
+  draw("Electronic signature with a tamper-evident (Level-1 sealed) audit trail.", {
+    size: 9,
+    color: MUTED
+  });
+  advance(28);
+  const field = (label, value, valueFont = font) => {
+    draw(label, { size: 8, font: bold, color: MUTED });
+    advance(13);
+    draw(value, { size: 10, font: valueFont });
+    advance(20);
+  };
+  field("DOCUMENT", info.documentTitle);
+  field("SIGNED BY", info.signerName);
+  field("SIGNED AT", info.signedAt);
+  field("SIGNER IP", info.signerIp ?? "\u2014");
+  field("REQUEST ID", info.requestId, mono);
+  field("DOCUMENT SHA-256", info.documentSha256, mono);
+  field("AUDIT CHAIN TIP", info.finalHash, mono);
+  advance(6);
+  draw("AUDIT TRAIL", { size: 8, font: bold, color: MUTED });
+  advance(16);
+  draw("#", { x: MARGIN, size: 8, font: bold, color: MUTED });
+  draw("EVENT", { x: MARGIN + 24, size: 8, font: bold, color: MUTED });
+  draw("WHEN", { x: MARGIN + 170, size: 8, font: bold, color: MUTED });
+  draw("HASH", { x: MARGIN + 330, size: 8, font: bold, color: MUTED });
+  advance(4);
+  page.drawLine({
+    start: { x: MARGIN, y },
+    end: { x: pageW - MARGIN, y },
+    thickness: 0.5,
+    color: MUTED
+  });
+  advance(14);
+  for (const link of info.links) {
+    if (y < MARGIN + 20) break;
+    draw(String(link.seq), { x: MARGIN, size: 9 });
+    draw(link.type, { x: MARGIN + 24, size: 9 });
+    draw(link.occurredAt, { x: MARGIN + 170, size: 8, color: MUTED });
+    draw(`${link.hash.slice(0, 16)}\u2026`, { x: MARGIN + 330, size: 8, font: mono });
+    advance(15);
+  }
+}
+
+// src/server/seal.ts
+async function sealPdf(input) {
+  let pdf;
+  try {
+    pdf = await pdfLib.PDFDocument.load(input.sourcePdf);
+  } catch {
+    throw new EsignError(
+      "INVALID_INPUT",
+      "Could not read the PDF \u2014 it may be encrypted or corrupt."
+    );
+  }
+  const when = new Date(input.signedAt);
+  pdf.setCreationDate(when);
+  pdf.setModificationDate(when);
+  pdf.setProducer("@josephomills/esign");
+  pdf.setCreator("@josephomills/esign");
+  const pages = pdf.getPages();
+  const pageIndex = Math.min(
+    Math.max(input.placement.page - 1, 0),
+    pages.length - 1
+  );
+  const page = pages[pageIndex];
+  const pageW = page.getWidth();
+  const pageH = page.getHeight();
+  const boxX = input.placement.x * pageW;
+  const boxW = input.placement.w * pageW;
+  const boxH = input.placement.h * pageH;
+  const boxBottomY = pageH * (1 - input.placement.y - input.placement.h);
+  const png = await pdf.embedPng(input.signaturePng);
+  const scale = Math.min(boxW / png.width, boxH / png.height);
+  const drawW = png.width * scale;
+  const drawH = png.height * scale;
+  page.drawImage(png, {
+    x: boxX + (boxW - drawW) / 2,
+    y: boxBottomY + (boxH - drawH) / 2,
+    width: drawW,
+    height: drawH
+  });
+  const font = await pdf.embedFont(pdfLib.StandardFonts.Helvetica);
+  const caption = `Signed by ${input.signerName} \xB7 ${input.signedAt}${input.signerIp ? ` \xB7 IP ${input.signerIp}` : ""}`;
+  page.drawText(caption, {
+    x: boxX,
+    y: Math.max(boxBottomY - 11, 4),
+    size: 7,
+    font,
+    color: pdfLib.rgb(0.35, 0.35, 0.4)
+  });
+  const stampedBytes = await pdf.save({ useObjectStreams: false });
+  const documentSha256 = sha256Hex(stampedBytes);
+  const last = input.priorChain.at(-1) ?? null;
+  const signed = appendEvent(last, {
+    type: "SIGNED",
+    payload: {
+      signerName: input.signerName,
+      signerIp: input.signerIp,
+      signedAt: input.signedAt
+    },
+    occurredAt: input.signedAt
+  });
+  const sealed = appendEvent(signed, {
+    type: "SEALED",
+    payload: { documentSha256 },
+    occurredAt: input.signedAt
+  });
+  const finalHash = sealed.hash;
+  await renderAuditCertificatePage(pdf, {
+    documentTitle: input.documentTitle,
+    signerName: input.signerName,
+    signedAt: input.signedAt,
+    signerIp: input.signerIp,
+    requestId: input.requestId,
+    documentSha256,
+    finalHash,
+    links: [...input.priorChain, signed, sealed]
+  });
+  const sealedPdf = await pdf.save({ useObjectStreams: false });
+  return {
+    sealedPdf,
+    sealedSha256: sha256Hex(sealedPdf),
+    documentSha256,
+    finalHash,
+    newLinks: [signed, sealed]
+  };
+}
+
+// src/server/sign.ts
+var toLink = (e) => ({
+  seq: e.seq,
+  type: e.type,
+  payload: e.payload ?? {},
+  prevHash: e.prevHash,
+  hash: e.hash,
+  occurredAt: e.occurredAt
+});
+async function resolve(persistence, token) {
+  return persistence.findRequestByTokenHash(sha256Hex(token));
+}
+async function getSigningView(deps, token) {
+  const request = await resolve(deps.persistence, token);
+  if (!request) return null;
+  if (!isActive(request.status)) return null;
+  if (request.revokedAt) return null;
+  if (new Date(request.expiresAt) < deps.clock.now()) return null;
+  const version = await deps.persistence.getVersion(request.documentVersionId);
+  if (!version) return null;
+  const document = await deps.persistence.getDocument(request.documentId);
+  return {
+    request,
+    sourceObjectKey: version.sourceObjectKey,
+    placement: version.placement,
+    documentTitle: document?.title ?? "Document"
+  };
+}
+async function recordView(deps, token) {
+  const request = await resolve(deps.persistence, token);
+  if (!request || request.status !== "PENDING") return;
+  const existing = (await deps.persistence.listAuditEvents(request.id)).map(toLink);
+  const now = deps.clock.now();
+  await recordEvent(deps.persistence, request.id, existing.at(-1) ?? null, {
+    type: "VIEWED",
+    payload: {},
+    occurredAt: now.toISOString()
+  });
+  const updated = await deps.persistence.updateRequest(request.id, {
+    status: "VIEWED",
+    viewedAt: now
+  });
+  if (deps.hooks?.onRequestViewed) await deps.hooks.onRequestViewed(updated);
+}
+async function submitSignature(deps, input) {
+  const { persistence, storage, clock, notifier, hooks } = deps;
+  const request = await resolve(persistence, input.token);
+  if (!request) throw new EsignError("NOT_FOUND", "This signing link is not valid.");
+  if (request.status === "SIGNED") {
+    return {
+      requestId: request.id,
+      sealedObjectKey: request.sealedObjectKey ?? "",
+      alreadySigned: true
+    };
+  }
+  if (!isActive(request.status) || request.revokedAt) {
+    throw new EsignError("GONE", "This signing link is no longer available.");
+  }
+  const now = clock.now();
+  if (new Date(request.expiresAt) < now) {
+    await persistence.updateRequest(request.id, { status: "EXPIRED" });
+    throw new EsignError("GONE", "This signing link has expired.");
+  }
+  const version = await persistence.getVersion(request.documentVersionId);
+  if (!version) throw new EsignError("INTERNAL", "Document version missing.");
+  const src = await storage.get(version.sourceObjectKey);
+  if (!src) throw new EsignError("INTERNAL", "Source document missing.");
+  const document = await persistence.getDocument(request.documentId);
+  const existing = (await persistence.listAuditEvents(request.id)).map(toLink);
+  const nowIso = now.toISOString();
+  const consented = await recordEvent(persistence, request.id, existing.at(-1) ?? null, {
+    type: "CONSENTED",
+    payload: {
+      signerName: input.signerName,
+      ip: input.ip,
+      userAgent: input.userAgent
+    },
+    occurredAt: nowIso
+  });
+  const seal = await sealPdf({
+    sourcePdf: src.bytes,
+    signaturePng: input.signaturePng,
+    placement: version.placement,
+    signerName: input.signerName,
+    signedAt: nowIso,
+    signerIp: input.ip,
+    documentTitle: document?.title ?? "Document",
+    requestId: request.id,
+    priorChain: [...existing, consented]
+  });
+  const sealedObjectKey = storage.sealedKey({
+    scopeId: request.scopeId,
+    campaignId: request.campaignId,
+    requestId: request.id
+  });
+  await storage.put({
+    objectKey: sealedObjectKey,
+    bytes: seal.sealedPdf,
+    contentType: "application/pdf"
+  });
+  await persistence.updateRequest(request.id, {
+    status: "SIGNED",
+    signedAt: now,
+    signerName: input.signerName,
+    signerIp: input.ip ?? void 0,
+    signerUserAgent: input.userAgent ?? void 0,
+    sealedObjectKey,
+    sealedSha256: seal.sealedSha256,
+    finalAuditHash: seal.finalHash
+  });
+  for (const link of seal.newLinks) {
+    await persistence.appendAuditEvent({
+      requestId: request.id,
+      seq: link.seq,
+      type: link.type,
+      payload: link.payload,
+      prevHash: link.prevHash,
+      hash: link.hash
+    });
+  }
+  if (hooks?.onRequestSigned) {
+    await hooks.onRequestSigned({
+      subjectType: request.subjectType,
+      subjectId: request.subjectId,
+      documentId: request.documentId,
+      documentType: document?.documentType ?? null,
+      requestId: request.id,
+      sealedObjectKey,
+      signedAt: nowIso
+    });
+  }
+  const campaign = await persistence.getCampaign(request.campaignId);
+  if (campaign?.emailReceipt && request.recipientEmail) {
+    const title = document?.title ?? "Document";
+    try {
+      await notifier.send({
+        channel: "EMAIL",
+        recipient: request.recipientEmail,
+        subject: `Signed copy: ${title}`,
+        body: `Hello ${request.recipientName},
+
+Attached is your signed copy of "${title}".`,
+        idempotencyKey: `${request.id}:receipt`,
+        attachments: [
+          {
+            filename: `${title.replace(/[^a-z0-9-_ ]/gi, "_")}.pdf`,
+            content: seal.sealedPdf,
+            contentType: "application/pdf"
+          }
+        ]
+      });
+    } catch {
+    }
+  }
+  return { requestId: request.id, sealedObjectKey, alreadySigned: false };
+}
+async function declineRequest(deps, input) {
+  const request = await resolve(deps.persistence, input.token);
+  if (!request || !isActive(request.status) || request.revokedAt) {
+    throw new EsignError("GONE", "This signing link is no longer available.");
+  }
+  const existing = (await deps.persistence.listAuditEvents(request.id)).map(toLink);
+  const now = deps.clock.now();
+  await recordEvent(deps.persistence, request.id, existing.at(-1) ?? null, {
+    type: "DECLINED",
+    payload: { reason: input.reason },
+    occurredAt: now.toISOString()
+  });
+  const updated = await deps.persistence.updateRequest(request.id, {
+    status: "DECLINED",
+    declinedAt: now,
+    declineReason: input.reason ?? void 0
+  });
+  if (deps.hooks?.onRequestDeclined) await deps.hooks.onRequestDeclined(updated);
+}
+
+// src/server/routes/sign-actions.ts
+var PNG_MAGIC = [137, 80, 78, 71];
+function pngFromDataUrl(dataUrl) {
+  const comma = dataUrl.indexOf(",");
+  const b64 = comma >= 0 ? dataUrl.slice(comma + 1) : dataUrl;
+  const bytes = new Uint8Array(Buffer.from(b64, "base64"));
+  const isPng = PNG_MAGIC.every((b, i) => bytes[i] === b);
+  if (!isPng) {
+    throw new EsignError("INVALID_INPUT", "Signature must be a PNG image.");
+  }
+  return bytes;
+}
+function createSignActionsRoute(deps) {
+  return {
+    POST: publicRoute(async (req, ctx) => {
+      const { token } = await ctx.params;
+      const action = new URL(req.url).searchParams.get("action");
+      if (action === "decline") {
+        const { reason } = await parseBody(req, declineSchema);
+        await declineRequest(deps, { token, reason: reason ?? null });
+        return ok({ ok: true, declined: true });
+      }
+      const body = await parseBody(req, submitSignatureSchema);
+      const result = await submitSignature(deps, {
+        token,
+        signaturePng: pngFromDataUrl(body.signaturePng),
+        signerName: body.signerName,
+        ip: clientIp(req),
+        userAgent: req.headers.get("user-agent")
+      });
+      return ok({
+        ok: true,
+        requestId: result.requestId,
+        alreadySigned: result.alreadySigned
+      });
+    })
+  };
+}
+
+// src/server/routes/sign-serve.ts
+function createSignServeRoute(deps) {
+  return {
+    GET: publicRoute(async (_req, ctx) => {
+      const { token } = await ctx.params;
+      const view = await getSigningView(deps, token);
+      if (!view) throw new EsignError("NOT_FOUND", "Not available.");
+      const obj = await deps.storage.get(view.sourceObjectKey);
+      if (!obj) throw new EsignError("NOT_FOUND", "Not available.");
+      return new Response(obj.bytes, {
+        status: 200,
+        headers: {
+          "content-type": "application/pdf",
+          "content-disposition": "inline",
+          "cache-control": "private, no-store",
+          "x-robots-tag": "noindex"
+        }
+      });
+    })
+  };
+}
+
+// src/server/configure.ts
+var DEFAULT_BASE = "/api/esign";
+var DEFAULT_PRESIGN_TTL_S = 900;
+var DEFAULT_EXPIRY_DAYS = 30;
+var systemClock = { now: () => /* @__PURE__ */ new Date() };
+function configureEsign(opts) {
+  const config = {
+    ...opts,
+    routeBasePath: opts.routeBasePath ?? DEFAULT_BASE,
+    presignTtlS: opts.presignTtlS ?? DEFAULT_PRESIGN_TTL_S,
+    defaultExpiryDays: opts.defaultExpiryDays ?? DEFAULT_EXPIRY_DAYS,
+    clock: opts.clock ?? systemClock
+  };
+  const { persistence, storage, notifier, subjects, hooks, clock, baseUrl } = config;
+  const signDeps = { persistence, storage, clock, notifier, hooks };
+  return {
+    config,
+    newSigningToken,
+    createDocument: (input) => createDocument(persistence, input),
+    addVersion: (input) => addVersion({ persistence, storage }, input),
+    createCampaign: (args) => createCampaign(
+      {
+        persistence,
+        subjects,
+        notifier,
+        clock,
+        baseUrl,
+        defaultExpiryDays: config.defaultExpiryDays
+      },
+      args
+    ),
+    getSigningView: (token) => getSigningView({ persistence, clock }, token),
+    recordView: (token) => recordView({ persistence, clock, hooks }, token),
+    submitSignature: (input) => submitSignature(signDeps, input),
+    declineRequest: (input) => declineRequest({ persistence, clock, hooks }, input),
+    subjectSigningStatus: (args) => persistence.subjectSigningStatus(args),
+    documentCoverage: (documentId) => documentCoverage({ persistence, subjects }, documentId),
+    campaignStats: (campaignId) => persistence.campaignStats(campaignId),
+    documentStats: (documentId) => persistence.documentStats(documentId),
+    scopeStats: (scopeId, range) => persistence.scopeStats(scopeId, range),
+    outstandingRequests: (filter) => persistence.outstandingRequests(filter),
+    routes: {
+      signServe: createSignServeRoute({ persistence, storage, clock }),
+      signActions: createSignActionsRoute(signDeps)
+    }
+  };
+}
+
+// src/server/subjects.ts
+function registerSubjectTypes(types) {
+  const map = new Map(types.map((t) => [t.type, t]));
+  return {
+    types,
+    get: (type) => map.get(type)
+  };
+}
+
+exports.ACTIVE_STATUSES = ACTIVE_STATUSES;
+exports.ESIGN_CHANNELS = ESIGN_CHANNELS;
+exports.ESIGN_STATUSES = ESIGN_STATUSES;
+exports.EsignError = EsignError;
+exports.TERMINAL_STATUSES = TERMINAL_STATUSES;
+exports.addVersion = addVersion;
+exports.appendEvent = appendEvent;
+exports.assertTransition = assertTransition;
+exports.buildChain = buildChain;
+exports.canTransition = canTransition;
+exports.canonicalize = canonicalize;
+exports.clientIp = clientIp;
+exports.configureEsign = configureEsign;
+exports.createCampaign = createCampaign;
+exports.createDocument = createDocument;
+exports.createSignActionsRoute = createSignActionsRoute;
+exports.createSignServeRoute = createSignServeRoute;
+exports.declineRequest = declineRequest;
+exports.declineSchema = declineSchema;
+exports.documentCoverage = documentCoverage;
+exports.esignChannelSchema = esignChannelSchema;
+exports.getSigningView = getSigningView;
+exports.isActive = isActive;
+exports.isTerminal = isTerminal;
+exports.linkHash = linkHash;
+exports.newSigningToken = newSigningToken;
+exports.ok = ok;
+exports.parseBody = parseBody;
+exports.placementSchema = placementSchema;
+exports.recordEvent = recordEvent;
+exports.recordView = recordView;
+exports.registerSubjectTypes = registerSubjectTypes;
+exports.renderAuditCertificatePage = renderAuditCertificatePage;
+exports.sealPdf = sealPdf;
+exports.sha256Hex = sha256Hex;
+exports.subjectSelectionSchema = subjectSelectionSchema;
+exports.submitSignature = submitSignature;
+exports.submitSignatureSchema = submitSignatureSchema;
+exports.toErrorResponse = toErrorResponse;
+exports.uid = uid;
+exports.verifyChain = verifyChain;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map