@lunora/payment 0.0.0 → 1.0.0-alpha.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE.md +105 -0
- package/README.md +150 -9
- package/__assets__/package-og.svg +14 -0
- package/dist/index.d.mts +778 -0
- package/dist/index.d.ts +778 -0
- package/dist/index.mjs +16 -0
- package/dist/packem_shared/LunoraPaymentError-B3hEzXSs.mjs +22 -0
- package/dist/packem_shared/MemoryPaymentStore-DvgdWa3C.mjs +72 -0
- package/dist/packem_shared/PAYMENT_TERMINAL_STATES-DrxV0clv.mjs +26 -0
- package/dist/packem_shared/addMoney-bCcs1nyw.mjs +60 -0
- package/dist/packem_shared/applyWebhookAction-DpAqf3Lw.mjs +177 -0
- package/dist/packem_shared/constantTimeEqual-CfY0jYcL.mjs +95 -0
- package/dist/packem_shared/createAdapterRegistry-BuDHFCBc.mjs +24 -0
- package/dist/packem_shared/createDatabasePaymentStore-bYB_HUE6.mjs +172 -0
- package/dist/packem_shared/createPayment-BccfPGyw.mjs +190 -0
- package/dist/packem_shared/createPolarAdapter-BJtVGSlF.mjs +217 -0
- package/dist/packem_shared/createStripeAdapter-D40MVBXg.mjs +270 -0
- package/dist/packem_shared/entitlementsForReference-CzZGXPoZ.mjs +51 -0
- package/dist/packem_shared/idempotencyKey-BFzDCA7g.mjs +3 -0
- package/dist/packem_shared/json-Db337f36.mjs +6 -0
- package/dist/packem_shared/lunoraDatabaseToPaymentDatabase-RlKX3Kcd.mjs +29 -0
- package/dist/packem_shared/observability-CvhJ205g.mjs +11 -0
- package/dist/packem_shared/paymentTables-DccHwWr_.mjs +127 -0
- package/dist/packem_shared/reconcile-CI1ukJF9.mjs +73 -0
- package/package.json +51 -18
package/dist/index.d.ts
ADDED
|
@@ -0,0 +1,778 @@
|
|
|
1
|
+
import { TableDefinition } from '@lunora/server';
|
|
2
|
+
/**
|
|
3
|
+
* Core domain types for `@lunora/payment`.
|
|
4
|
+
*
|
|
5
|
+
* The provider is a stateless translator; the store owns all state. These types are the
|
|
6
|
+
* provider-agnostic vocabulary every adapter normalizes onto.
|
|
7
|
+
*/
|
|
8
|
+
/** ISO-4217 currency code (uppercase, 3 letters). Not enumerated — provider coverage varies. */
|
|
9
|
+
type CurrencyCode = string;
|
|
10
|
+
/**
|
|
11
|
+
* Money as integer minor units + currency. Always carry the two together.
|
|
12
|
+
*
|
|
13
|
+
* `minorUnits` is a `bigint`, which is **not** JSON-serializable — cross the RPC/wire boundary
|
|
14
|
+
* with the `toMoneyJSON` / `fromMoneyJSON` helpers (see `./money`).
|
|
15
|
+
*/
|
|
16
|
+
interface Money {
|
|
17
|
+
readonly currency: CurrencyCode;
|
|
18
|
+
readonly minorUnits: bigint;
|
|
19
|
+
}
|
|
20
|
+
/** Stable provider identifier (Medusa-style). Scoped to what Convex ships: Stripe + Polar. */
|
|
21
|
+
type ProviderId = "polar" | "stripe";
|
|
22
|
+
/** What a provider can do — encoded in types so tax/UX assumptions aren't tribal knowledge. */
|
|
23
|
+
interface ProviderCapabilities {
|
|
24
|
+
/** True for Polar / Lemon Squeezy / Paddle; false for Stripe (PSP). Drives tax/invoice ownership. */
|
|
25
|
+
readonly merchantOfRecord: boolean;
|
|
26
|
+
/** Native hosted customer/billing portal. */
|
|
27
|
+
readonly portal: boolean;
|
|
28
|
+
/** Usage-based / metered billing. */
|
|
29
|
+
readonly usageMetering: boolean;
|
|
30
|
+
}
|
|
31
|
+
/** Lifecycle state of a one-time payment session. */
|
|
32
|
+
type PaymentState = "authorized" | "canceled" | "captured" | "failed" | "initiated" | "partially_refunded" | "refunded";
|
|
33
|
+
/** Lifecycle state of a subscription. */
|
|
34
|
+
type SubscriptionState = "active" | "canceled" | "past_due" | "paused" | "trialing";
|
|
35
|
+
interface Customer {
|
|
36
|
+
readonly createdAt: number;
|
|
37
|
+
readonly email?: string;
|
|
38
|
+
/** Provider-side customer id. */
|
|
39
|
+
readonly id: string;
|
|
40
|
+
readonly provider: ProviderId;
|
|
41
|
+
/** App-side owner the customer belongs to (user / org / workspace). Opaque to this package. */
|
|
42
|
+
readonly referenceId: string;
|
|
43
|
+
}
|
|
44
|
+
interface PaymentSession {
|
|
45
|
+
readonly amount: Money;
|
|
46
|
+
readonly capturedAmount: Money;
|
|
47
|
+
readonly createdAt: number;
|
|
48
|
+
/** Provider-side payment / intent / session id. */
|
|
49
|
+
readonly id: string;
|
|
50
|
+
readonly provider: ProviderId;
|
|
51
|
+
readonly referenceId: string;
|
|
52
|
+
readonly refundedAmount: Money;
|
|
53
|
+
readonly state: PaymentState;
|
|
54
|
+
readonly updatedAt: number;
|
|
55
|
+
}
|
|
56
|
+
interface Subscription {
|
|
57
|
+
readonly cancelAtPeriodEnd: boolean;
|
|
58
|
+
readonly createdAt: number;
|
|
59
|
+
readonly currentPeriodEnd?: number;
|
|
60
|
+
/** Start of the current billing period — the window `check` sums metered usage over. */
|
|
61
|
+
readonly currentPeriodStart?: number;
|
|
62
|
+
readonly id: string;
|
|
63
|
+
readonly priceId: string;
|
|
64
|
+
readonly provider: ProviderId;
|
|
65
|
+
readonly quantity: number;
|
|
66
|
+
readonly referenceId: string;
|
|
67
|
+
readonly state: SubscriptionState;
|
|
68
|
+
readonly updatedAt: number;
|
|
69
|
+
}
|
|
70
|
+
interface CustomerRef {
|
|
71
|
+
readonly email?: string;
|
|
72
|
+
readonly metadata?: Record<string, string>;
|
|
73
|
+
readonly referenceId: string;
|
|
74
|
+
}
|
|
75
|
+
interface CheckoutInput {
|
|
76
|
+
readonly cancelUrl: string;
|
|
77
|
+
/** Existing provider customer id, if known. */
|
|
78
|
+
readonly customerId?: string;
|
|
79
|
+
/** Outbound idempotency key for the provider call; auto-derived when omitted. */
|
|
80
|
+
readonly idempotencyKey?: string;
|
|
81
|
+
readonly metadata?: Record<string, string>;
|
|
82
|
+
readonly mode: "payment" | "subscription";
|
|
83
|
+
readonly priceId: string;
|
|
84
|
+
readonly quantity?: number;
|
|
85
|
+
readonly referenceId: string;
|
|
86
|
+
readonly successUrl: string;
|
|
87
|
+
}
|
|
88
|
+
interface CheckoutResult {
|
|
89
|
+
readonly id: string;
|
|
90
|
+
readonly provider: ProviderId;
|
|
91
|
+
readonly url: string;
|
|
92
|
+
}
|
|
93
|
+
/**
|
|
94
|
+
* `attach` input — subscribe a reference to a plan. A thin, plan-oriented skin over
|
|
95
|
+
* {@link CheckoutInput}: `mode` defaults to `"subscription"` (the common case), so callers pass
|
|
96
|
+
* just `{ referenceId, priceId, successUrl, cancelUrl }`.
|
|
97
|
+
*/
|
|
98
|
+
interface AttachInput extends Omit<CheckoutInput, "mode"> {
|
|
99
|
+
readonly mode?: CheckoutInput["mode"];
|
|
100
|
+
}
|
|
101
|
+
interface PortalInput {
|
|
102
|
+
readonly customerId: string;
|
|
103
|
+
readonly returnUrl: string;
|
|
104
|
+
}
|
|
105
|
+
/** A single durable usage record — one metered event for a `(referenceId, featureId)` pair. */
|
|
106
|
+
interface UsageEvent {
|
|
107
|
+
readonly createdAt: number;
|
|
108
|
+
readonly featureId: string;
|
|
109
|
+
/** Caller-stable dedupe key — recording the same key twice is a no-op (exactly-once `track`). */
|
|
110
|
+
readonly idempotencyKey: string;
|
|
111
|
+
readonly provider: ProviderId;
|
|
112
|
+
readonly quantity: number;
|
|
113
|
+
readonly referenceId: string;
|
|
114
|
+
/** Whether the event was successfully forwarded to the provider's metering API. */
|
|
115
|
+
readonly reportedToProvider: boolean;
|
|
116
|
+
}
|
|
117
|
+
/** `track` input — record metered usage for a reference's feature. */
|
|
118
|
+
interface TrackInput {
|
|
119
|
+
readonly featureId: string;
|
|
120
|
+
/** Caller-supplied dedupe key; a fresh one is generated when omitted (so each call records). */
|
|
121
|
+
readonly idempotencyKey?: string;
|
|
122
|
+
/** `"add"` (default) increments usage by `quantity`; `"set"` reconciles the period total to `quantity`. */
|
|
123
|
+
readonly mode?: "add" | "set";
|
|
124
|
+
/** Usage amount to add, or the absolute period total when `mode` is `"set"` (defaults to `1`). */
|
|
125
|
+
readonly quantity?: number;
|
|
126
|
+
readonly referenceId: string;
|
|
127
|
+
}
|
|
128
|
+
/** Result of a `track` call. */
|
|
129
|
+
interface TrackResult {
|
|
130
|
+
/** True when this call inserted a new usage event; false when deduplicated by idempotency key. */
|
|
131
|
+
readonly recorded: boolean;
|
|
132
|
+
/** True when the event was forwarded to the provider's metering API. */
|
|
133
|
+
readonly reportedToProvider: boolean;
|
|
134
|
+
}
|
|
135
|
+
/**
|
|
136
|
+
* `check` input — is a reference allowed something right now? Pass `featureId` to check a feature
|
|
137
|
+
* grant/allowance, or `priceId` to check active access to a product (one of the two is required).
|
|
138
|
+
*/
|
|
139
|
+
interface CheckInput {
|
|
140
|
+
/** Feature to check a grant/allowance for. Provide this **or** `priceId`. */
|
|
141
|
+
readonly featureId?: string;
|
|
142
|
+
/** Provider price/product id to check active access for. Provide this **or** `featureId`. */
|
|
143
|
+
readonly priceId?: string;
|
|
144
|
+
/** Units the caller intends to consume; the check passes only when this many remain (default `1`). */
|
|
145
|
+
readonly quantity?: number;
|
|
146
|
+
readonly referenceId: string;
|
|
147
|
+
}
|
|
148
|
+
/** Result of a `check` call. */
|
|
149
|
+
interface CheckResult {
|
|
150
|
+
/** Whether the reference may consume `quantity` units of the feature right now. */
|
|
151
|
+
readonly allowed: boolean;
|
|
152
|
+
/** Remaining units this period (`limit - used`), for metered features only. */
|
|
153
|
+
readonly balance?: number;
|
|
154
|
+
/** The plan-granted cap, for metered features only. */
|
|
155
|
+
readonly limit?: number;
|
|
156
|
+
/** True for a boolean feature granted without a numeric cap. */
|
|
157
|
+
readonly unlimited: boolean;
|
|
158
|
+
/** Usage consumed this period, for metered features only. */
|
|
159
|
+
readonly used?: number;
|
|
160
|
+
}
|
|
161
|
+
/** One feature's resolved allowance for a reference — a {@link CheckResult} tagged with its feature. */
|
|
162
|
+
interface FeatureBalance extends CheckResult {
|
|
163
|
+
readonly featureId: string;
|
|
164
|
+
}
|
|
165
|
+
/** Input the adapter forwards to the provider's metering API (Stripe Meter Events / Polar ingestion). */
|
|
166
|
+
interface ReportUsageInput {
|
|
167
|
+
/** Provider customer id, when known (Stripe meter events key on it). */
|
|
168
|
+
readonly customerId?: string;
|
|
169
|
+
readonly featureId: string;
|
|
170
|
+
readonly idempotencyKey: string;
|
|
171
|
+
readonly quantity: number;
|
|
172
|
+
readonly referenceId: string;
|
|
173
|
+
/** Event time in epoch ms; defaults to now at the provider. */
|
|
174
|
+
readonly timestamp?: number;
|
|
175
|
+
}
|
|
176
|
+
interface CaptureInput {
|
|
177
|
+
/** Partial capture amount; full capture when omitted. */
|
|
178
|
+
readonly amount?: Money;
|
|
179
|
+
readonly idempotencyKey?: string;
|
|
180
|
+
readonly sessionId: string;
|
|
181
|
+
}
|
|
182
|
+
interface RefundInput {
|
|
183
|
+
/** Partial refund amount; full refund when omitted. */
|
|
184
|
+
readonly amount?: Money;
|
|
185
|
+
readonly idempotencyKey?: string;
|
|
186
|
+
readonly reason?: string;
|
|
187
|
+
readonly sessionId: string;
|
|
188
|
+
}
|
|
189
|
+
interface CancelSubscriptionOptions {
|
|
190
|
+
/** Cancel at period end instead of immediately. */
|
|
191
|
+
readonly atPeriodEnd?: boolean;
|
|
192
|
+
readonly idempotencyKey?: string;
|
|
193
|
+
}
|
|
194
|
+
interface SubscriptionPatch {
|
|
195
|
+
readonly priceId?: string;
|
|
196
|
+
readonly quantity?: number;
|
|
197
|
+
}
|
|
198
|
+
/** Normalized webhook outcome — the *core state transition* a provider event implies. */
|
|
199
|
+
type WebhookActionType = "payment.authorized" | "payment.captured" | "payment.failed" | "payment.refunded" | "subscription.active" | "subscription.canceled" | "subscription.past_due" | "subscription.paused" | "subscription.updated" | "unhandled";
|
|
200
|
+
/**
|
|
201
|
+
* How a refund action's {@link WebhookAction.amount} should be interpreted by the sync layer.
|
|
202
|
+
*
|
|
203
|
+
* `"delta"` is an incremental amount added to the running refunded total (Polar `refund.created`,
|
|
204
|
+
* and the historical default), so multiple events accumulate. `"absolute"` is the provider's
|
|
205
|
+
* cumulative refunded-to-date total (Stripe `charge.refunded` carries `amount_refunded`, which
|
|
206
|
+
* already sums all prior partial refunds); the sync layer sets the refunded total to this value
|
|
207
|
+
* rather than adding, so repeated partial-refund events do not over-count.
|
|
208
|
+
*
|
|
209
|
+
* Omitted means `"delta"`, preserving the original behavior for callers that predate this field.
|
|
210
|
+
*/
|
|
211
|
+
type RefundAmountKind = "absolute" | "delta";
|
|
212
|
+
interface WebhookAction {
|
|
213
|
+
readonly amount?: Money;
|
|
214
|
+
/**
|
|
215
|
+
* Interpretation of {@link WebhookAction.amount} for refund actions (`payment.refunded`).
|
|
216
|
+
* Defaults to `"delta"` when omitted. Ignored for non-refund actions.
|
|
217
|
+
*/
|
|
218
|
+
readonly amountKind?: RefundAmountKind;
|
|
219
|
+
readonly cancelAtPeriodEnd?: boolean;
|
|
220
|
+
readonly currentPeriodEnd?: number;
|
|
221
|
+
readonly currentPeriodStart?: number;
|
|
222
|
+
readonly customerId?: string;
|
|
223
|
+
/** Provider event id — the inbound idempotency key. */
|
|
224
|
+
readonly eventId: string;
|
|
225
|
+
readonly priceId?: string;
|
|
226
|
+
readonly provider: ProviderId;
|
|
227
|
+
readonly quantity?: number;
|
|
228
|
+
/** Raw provider event, retained for the events log / debugging. */
|
|
229
|
+
readonly raw?: unknown;
|
|
230
|
+
readonly referenceId?: string;
|
|
231
|
+
readonly sessionId?: string;
|
|
232
|
+
readonly subscriptionId?: string;
|
|
233
|
+
readonly type: WebhookActionType;
|
|
234
|
+
}
|
|
235
|
+
/** Result of applying a webhook action to the store. */
|
|
236
|
+
interface ApplyResult {
|
|
237
|
+
readonly applied: boolean;
|
|
238
|
+
readonly reason?: "duplicate" | "illegal_transition" | "invalid_refund_amount" | "ok" | "unhandled";
|
|
239
|
+
}
|
|
240
|
+
/** A read-only header bag; the platform `Headers` object satisfies it. */
|
|
241
|
+
interface WebhookHeaders {
|
|
242
|
+
get: (name: string) => null | string;
|
|
243
|
+
}
|
|
244
|
+
interface WebhookInput {
|
|
245
|
+
/** Request headers (signature schemes read provider-specific headers from here). */
|
|
246
|
+
readonly headers: WebhookHeaders;
|
|
247
|
+
/** Raw request body, exactly as received (required for signature verification). */
|
|
248
|
+
readonly payload: string;
|
|
249
|
+
}
|
|
250
|
+
/**
|
|
251
|
+
* A stateless translator between the provider API and Lunora's normalized vocabulary.
|
|
252
|
+
*
|
|
253
|
+
* Adapters never own state — they make provider calls and normalize provider events into a
|
|
254
|
+
* `WebhookAction`. All durable state lives in the payment store.
|
|
255
|
+
*/
|
|
256
|
+
interface PaymentAdapter {
|
|
257
|
+
cancelPayment: (sessionId: string, options?: {
|
|
258
|
+
idempotencyKey?: string;
|
|
259
|
+
}) => Promise<PaymentSession>;
|
|
260
|
+
cancelSubscription: (subscriptionId: string, options?: CancelSubscriptionOptions) => Promise<Subscription>;
|
|
261
|
+
readonly capabilities: ProviderCapabilities;
|
|
262
|
+
capturePayment: (input: CaptureInput) => Promise<PaymentSession>;
|
|
263
|
+
createCheckout: (input: CheckoutInput) => Promise<CheckoutResult>;
|
|
264
|
+
createPortalSession: (input: PortalInput) => Promise<{
|
|
265
|
+
url: string;
|
|
266
|
+
}>;
|
|
267
|
+
getOrCreateCustomer: (ref: CustomerRef) => Promise<Customer>;
|
|
268
|
+
/** Fetch the provider's current truth for a payment session — the basis for reconciliation. */
|
|
269
|
+
getPaymentStatus: (sessionId: string) => Promise<PaymentSession>;
|
|
270
|
+
/** Fetch the provider's current truth for a subscription — the basis for reconciliation. */
|
|
271
|
+
getSubscriptionStatus: (subscriptionId: string) => Promise<Subscription>;
|
|
272
|
+
/** Stable provider identifier (Medusa-style). */
|
|
273
|
+
readonly identifier: ProviderId;
|
|
274
|
+
/** Verify the signature over the raw body, then normalize the event. Throws on invalid signature. */
|
|
275
|
+
parseWebhook: (input: WebhookInput) => Promise<WebhookAction>;
|
|
276
|
+
refundPayment: (input: RefundInput) => Promise<PaymentSession>;
|
|
277
|
+
/**
|
|
278
|
+
* Forward metered usage to the provider's billing API. Optional — present only on providers
|
|
279
|
+
* whose `capabilities.usageMetering` is `true` and that expose an ingestion endpoint. When
|
|
280
|
+
* absent, `track` still records usage durably and `check` enforces limits locally.
|
|
281
|
+
*/
|
|
282
|
+
reportUsage?: (input: ReportUsageInput) => Promise<void>;
|
|
283
|
+
resumeSubscription: (subscriptionId: string) => Promise<Subscription>;
|
|
284
|
+
updateSubscription: (subscriptionId: string, patch: SubscriptionPatch) => Promise<Subscription>;
|
|
285
|
+
}
|
|
286
|
+
/** Registry of adapters keyed by provider id — supports dual-register during provider migration. */
|
|
287
|
+
interface AdapterRegistry {
|
|
288
|
+
all: () => PaymentAdapter[];
|
|
289
|
+
get: (provider: ProviderId) => PaymentAdapter;
|
|
290
|
+
has: (provider: ProviderId) => boolean;
|
|
291
|
+
}
|
|
292
|
+
declare const createAdapterRegistry: (adapters: ReadonlyArray<PaymentAdapter>) => AdapterRegistry;
|
|
293
|
+
interface PaymentStore {
|
|
294
|
+
getCustomerByReference: (provider: ProviderId, referenceId: string) => Promise<Customer | undefined>;
|
|
295
|
+
getPaymentSession: (provider: ProviderId, id: string) => Promise<PaymentSession | undefined>;
|
|
296
|
+
getSubscription: (provider: ProviderId, id: string) => Promise<Subscription | undefined>;
|
|
297
|
+
listSubscriptionsByReference: (referenceId: string) => Promise<Subscription[]>;
|
|
298
|
+
/**
|
|
299
|
+
* Claims a provider event id for processing. Resolves `true` the first time an event is seen
|
|
300
|
+
* and `false` for a duplicate — the inbound-idempotency primitive.
|
|
301
|
+
*/
|
|
302
|
+
markEventProcessed: (provider: ProviderId, eventId: string) => Promise<boolean>;
|
|
303
|
+
/** Flag a recorded usage event as forwarded to the provider's metering API. */
|
|
304
|
+
markUsageReported: (provider: ProviderId, idempotencyKey: string) => Promise<void>;
|
|
305
|
+
/**
|
|
306
|
+
* Append a usage event. Resolves `true` when newly recorded and `false` when its
|
|
307
|
+
* `idempotencyKey` was already seen — the exactly-once primitive behind `track`.
|
|
308
|
+
*/
|
|
309
|
+
recordUsage: (event: UsageEvent) => Promise<boolean>;
|
|
310
|
+
/**
|
|
311
|
+
* Release a previously-claimed event id (see {@link PaymentStore.markEventProcessed}) so a
|
|
312
|
+
* provider retry can re-process it. Called only when applying the claimed event *throws* (a
|
|
313
|
+
* genuine store-write failure): the atomic insert-claim guards concurrent duplicates, but a
|
|
314
|
+
* claim that outlives a failed apply would dedupe the retry and lose the effect — so the claim
|
|
315
|
+
* is rolled back on failure. A no-op if the id was never claimed.
|
|
316
|
+
*/
|
|
317
|
+
releaseEvent: (provider: ProviderId, eventId: string) => Promise<void>;
|
|
318
|
+
/** Sum recorded usage `quantity` for a `(referenceId, featureId)` pair since `since` (epoch ms). */
|
|
319
|
+
sumUsage: (referenceId: string, featureId: string, since: number) => Promise<number>;
|
|
320
|
+
upsertCustomer: (customer: Customer) => Promise<void>;
|
|
321
|
+
upsertPaymentSession: (session: PaymentSession) => Promise<void>;
|
|
322
|
+
upsertSubscription: (subscription: Subscription) => Promise<void>;
|
|
323
|
+
}
|
|
324
|
+
/** In-memory {@link PaymentStore} for tests and local development. Not durable. */
|
|
325
|
+
declare class MemoryPaymentStore implements PaymentStore {
|
|
326
|
+
private readonly customers;
|
|
327
|
+
private readonly processedEvents;
|
|
328
|
+
private readonly sessions;
|
|
329
|
+
private readonly subscriptions;
|
|
330
|
+
private readonly usageEvents;
|
|
331
|
+
getCustomerByReference(provider: ProviderId, referenceId: string): Promise<Customer | undefined>;
|
|
332
|
+
getPaymentSession(provider: ProviderId, id: string): Promise<PaymentSession | undefined>;
|
|
333
|
+
getSubscription(provider: ProviderId, id: string): Promise<Subscription | undefined>;
|
|
334
|
+
listSubscriptionsByReference(referenceId: string): Promise<Subscription[]>;
|
|
335
|
+
markEventProcessed(provider: ProviderId, eventId: string): Promise<boolean>;
|
|
336
|
+
releaseEvent(provider: ProviderId, eventId: string): Promise<void>;
|
|
337
|
+
markUsageReported(provider: ProviderId, idempotencyKey: string): Promise<void>;
|
|
338
|
+
recordUsage(event: UsageEvent): Promise<boolean>;
|
|
339
|
+
sumUsage(referenceId: string, featureId: string, since: number): Promise<number>;
|
|
340
|
+
upsertCustomer(customer: Customer): Promise<void>;
|
|
341
|
+
upsertPaymentSession(session: PaymentSession): Promise<void>;
|
|
342
|
+
upsertSubscription(subscription: Subscription): Promise<void>;
|
|
343
|
+
}
|
|
344
|
+
interface PlanDefinition {
|
|
345
|
+
/** Feature flags this plan grants. */
|
|
346
|
+
readonly features?: ReadonlyArray<string>;
|
|
347
|
+
/** Numeric limits this plan grants (e.g. `{ seats: 5 }`). */
|
|
348
|
+
readonly limits?: Record<string, number>;
|
|
349
|
+
/** Provider price/product ids that grant this plan. */
|
|
350
|
+
readonly priceIds: ReadonlyArray<string>;
|
|
351
|
+
}
|
|
352
|
+
interface EntitlementsConfig {
|
|
353
|
+
/** Plan name → definition. */
|
|
354
|
+
readonly plans: Record<string, PlanDefinition>;
|
|
355
|
+
}
|
|
356
|
+
interface Entitlements {
|
|
357
|
+
readonly features: ReadonlySet<string>;
|
|
358
|
+
/** True when an active subscription grants `feature`. */
|
|
359
|
+
readonly has: (feature: string) => boolean;
|
|
360
|
+
/** The most-generous granted value for a numeric limit, or `undefined`. */
|
|
361
|
+
readonly limit: (key: string) => number | undefined;
|
|
362
|
+
/** Active plan names (a reference can hold more than one). */
|
|
363
|
+
readonly plans: ReadonlyArray<string>;
|
|
364
|
+
}
|
|
365
|
+
/**
|
|
366
|
+
* Start of the window `check` sums metered usage over: the most recent billing-period start among
|
|
367
|
+
* a reference's active subscriptions. `0` (count all-time) when no active subscription reports one
|
|
368
|
+
* — limits still bind, they just never reset until the provider sends a period.
|
|
369
|
+
*/
|
|
370
|
+
declare const usagePeriodStart: (subscriptions: ReadonlyArray<Subscription>) => number;
|
|
371
|
+
/** Every feature name a config can grant — the union of `features` flags and `limits` keys across all plans, sorted. */
|
|
372
|
+
declare const featureNames: (config: EntitlementsConfig) => string[];
|
|
373
|
+
/** Whether the reference holds an entitling (active/trialing) subscription on `priceId` — the basis of a product `check`. */
|
|
374
|
+
declare const hasActivePrice: (subscriptions: ReadonlyArray<Subscription>, priceId: string) => boolean;
|
|
375
|
+
/** Derive {@link Entitlements} from a reference's subscriptions. Pure — the basis of `check`. */
|
|
376
|
+
declare const resolveEntitlements: (config: EntitlementsConfig, subscriptions: ReadonlyArray<Subscription>) => Entitlements;
|
|
377
|
+
/** Convenience: resolve entitlements straight from the store for a reference. */
|
|
378
|
+
declare const entitlementsForReference: (store: PaymentStore, config: EntitlementsConfig, referenceId: string) => Promise<Entitlements>;
|
|
379
|
+
type PaymentEvent = {
|
|
380
|
+
action: WebhookActionType;
|
|
381
|
+
eventId: string;
|
|
382
|
+
provider: ProviderId;
|
|
383
|
+
reason: ApplyResult["reason"];
|
|
384
|
+
type: "webhook.applied";
|
|
385
|
+
} | {
|
|
386
|
+
eventId: string;
|
|
387
|
+
provider: ProviderId;
|
|
388
|
+
type: "webhook.duplicate";
|
|
389
|
+
} | {
|
|
390
|
+
error: unknown;
|
|
391
|
+
id: string;
|
|
392
|
+
kind: "payment" | "subscription";
|
|
393
|
+
provider: ProviderId;
|
|
394
|
+
type: "reconcile.error";
|
|
395
|
+
} | {
|
|
396
|
+
id: string;
|
|
397
|
+
kind: "payment" | "subscription";
|
|
398
|
+
provider: ProviderId;
|
|
399
|
+
type: "reconcile.drift";
|
|
400
|
+
} | {
|
|
401
|
+
provider: ProviderId;
|
|
402
|
+
referenceId?: string;
|
|
403
|
+
sessionId?: string;
|
|
404
|
+
type: "payment.failed";
|
|
405
|
+
} | {
|
|
406
|
+
provider: ProviderId;
|
|
407
|
+
referenceId?: string;
|
|
408
|
+
subscriptionId?: string;
|
|
409
|
+
type: "subscription.past_due";
|
|
410
|
+
} | {
|
|
411
|
+
failedPayments: number;
|
|
412
|
+
failedSubscriptions: number;
|
|
413
|
+
provider: ProviderId;
|
|
414
|
+
type: "reconcile.completed";
|
|
415
|
+
updatedPayments: number;
|
|
416
|
+
updatedSubscriptions: number;
|
|
417
|
+
} | {
|
|
418
|
+
featureId: string;
|
|
419
|
+
provider: ProviderId;
|
|
420
|
+
referenceId: string;
|
|
421
|
+
type: "usage.report_failed";
|
|
422
|
+
};
|
|
423
|
+
type PaymentObserver = (event: PaymentEvent) => void;
|
|
424
|
+
/** Returns whether the current caller may act on `referenceId`. Throwing is also treated as denial. */
|
|
425
|
+
type AuthorizeReference = (referenceId: string) => boolean | Promise<boolean>;
|
|
426
|
+
interface CreatePaymentOptions {
|
|
427
|
+
readonly adapter: PaymentAdapter;
|
|
428
|
+
/**
|
|
429
|
+
* Per-caller authorization for every mutation. Return `false` to reject with 403. Omit only
|
|
430
|
+
* for trusted server-internal callers (e.g. the reconciliation sweep).
|
|
431
|
+
*/
|
|
432
|
+
readonly authorize?: AuthorizeReference;
|
|
433
|
+
/** Plan → features/limits map. Required for `check`; omit if you don't gate features. */
|
|
434
|
+
readonly entitlements?: EntitlementsConfig;
|
|
435
|
+
/** Optional telemetry sink — fired on webhook apply, failed payments, and past-due subscriptions. */
|
|
436
|
+
readonly observability?: PaymentObserver;
|
|
437
|
+
readonly store: PaymentStore;
|
|
438
|
+
}
|
|
439
|
+
interface LunoraPayment {
|
|
440
|
+
readonly adapter: PaymentAdapter;
|
|
441
|
+
/**
|
|
442
|
+
* Subscribe a reference to a plan — a plan-oriented alias of {@link LunoraPayment.createCheckout}
|
|
443
|
+
* with `mode` defaulting to `"subscription"`. Returns a hosted-checkout URL to redirect to.
|
|
444
|
+
*/
|
|
445
|
+
attach: (input: AttachInput) => Promise<CheckoutResult>;
|
|
446
|
+
cancelSubscription: (subscriptionId: string, options?: CancelSubscriptionOptions) => Promise<Subscription>;
|
|
447
|
+
/**
|
|
448
|
+
* Is a reference allowed something right now? Pass `featureId` to check a grant/allowance (boolean
|
|
449
|
+
* features check plan grants; metered features subtract usage tracked this period) or `priceId` to
|
|
450
|
+
* check active access to a product. The feature path requires `entitlements` to be configured.
|
|
451
|
+
*/
|
|
452
|
+
check: (input: CheckInput) => Promise<CheckResult>;
|
|
453
|
+
createCheckout: (input: CheckoutInput) => Promise<CheckoutResult>;
|
|
454
|
+
/** Open the provider billing portal for the caller's own customer (derived from the store). */
|
|
455
|
+
createPortalSession: (referenceId: string, returnUrl: string) => Promise<{
|
|
456
|
+
url: string;
|
|
457
|
+
}>;
|
|
458
|
+
/** Verify + normalize + apply a provider webhook. Always 200 once verified, even on no-op. */
|
|
459
|
+
handleWebhook: (request: Request) => Promise<Response>;
|
|
460
|
+
/** Resolve every configured feature's allowance for a reference in one call. Requires `entitlements`. */
|
|
461
|
+
listBalances: (referenceId: string) => Promise<FeatureBalance[]>;
|
|
462
|
+
listSubscriptions: (referenceId: string) => Promise<Subscription[]>;
|
|
463
|
+
readonly store: PaymentStore;
|
|
464
|
+
/**
|
|
465
|
+
* Record metered usage for a reference's feature — durably (exactly-once by idempotency key) and,
|
|
466
|
+
* when the provider supports it, forwarded to its metering API. Best-effort upstream: a reporting
|
|
467
|
+
* failure is observed, never thrown, and the local ledger that `check` reads is always updated.
|
|
468
|
+
*/
|
|
469
|
+
track: (input: TrackInput) => Promise<TrackResult>;
|
|
470
|
+
}
|
|
471
|
+
declare const createPayment: (options: CreatePaymentOptions) => LunoraPayment;
|
|
472
|
+
/** A stored row, carrying Lunora's document id. */
|
|
473
|
+
interface PaymentRow extends Record<string, unknown> {
|
|
474
|
+
readonly _id: string;
|
|
475
|
+
}
|
|
476
|
+
/** Minimal write/read surface this store needs; `ctx.db` satisfies it structurally. */
|
|
477
|
+
interface PaymentDatabase {
|
|
478
|
+
delete: (id: string) => Promise<void>;
|
|
479
|
+
findFirst: (table: string, where: Record<string, unknown>) => Promise<PaymentRow | null>;
|
|
480
|
+
findMany: (table: string, where: Record<string, unknown>) => Promise<PaymentRow[]>;
|
|
481
|
+
insert: (table: string, document: Record<string, unknown>) => Promise<string>;
|
|
482
|
+
patch: (id: string, patch: Record<string, unknown>) => Promise<void>;
|
|
483
|
+
}
|
|
484
|
+
declare const createDatabasePaymentStore: (database: PaymentDatabase) => PaymentStore;
|
|
485
|
+
/** Structural subset of Lunora's `ctx.db` (the `findFirst`/`findMany(tableName, { where })` form). */
|
|
486
|
+
interface LunoraDatabaseLike {
|
|
487
|
+
delete: (id: string) => Promise<void>;
|
|
488
|
+
findFirst: (table: string, args?: {
|
|
489
|
+
where?: Record<string, unknown>;
|
|
490
|
+
}) => Promise<Record<string, unknown> | null>;
|
|
491
|
+
findMany: (table: string, args?: {
|
|
492
|
+
where?: Record<string, unknown>;
|
|
493
|
+
}) => Promise<{
|
|
494
|
+
page: Record<string, unknown>[];
|
|
495
|
+
}>;
|
|
496
|
+
insert: (table: string, document: Record<string, unknown>) => Promise<string>;
|
|
497
|
+
patch: (id: string, patch: Record<string, unknown>) => Promise<void>;
|
|
498
|
+
}
|
|
499
|
+
/** Structural subset of a Lunora function context used to build payments. */
|
|
500
|
+
interface PaymentContextLike {
|
|
501
|
+
auth?: {
|
|
502
|
+
userId?: null | string;
|
|
503
|
+
};
|
|
504
|
+
db: LunoraDatabaseLike;
|
|
505
|
+
}
|
|
506
|
+
interface PaymentsFromContextOptions {
|
|
507
|
+
readonly adapter: PaymentAdapter;
|
|
508
|
+
/** Override the default "caller owns the referenceId" authorization. */
|
|
509
|
+
readonly authorize?: AuthorizeReference;
|
|
510
|
+
/** Plan → features/limits map, forwarded to the facade. Required to use `ctx.payments.check`. */
|
|
511
|
+
readonly entitlements?: EntitlementsConfig;
|
|
512
|
+
/** Optional telemetry sink, forwarded to the facade. */
|
|
513
|
+
readonly observability?: PaymentObserver;
|
|
514
|
+
}
|
|
515
|
+
/** Adapt a Lunora `ctx.db` to the {@link PaymentDatabase} port the store writes through. */
|
|
516
|
+
declare const lunoraDatabaseToPaymentDatabase: (database: LunoraDatabaseLike) => PaymentDatabase;
|
|
517
|
+
declare const paymentsFromContext: (context: PaymentContextLike, options: PaymentsFromContextOptions) => LunoraPayment;
|
|
518
|
+
type PaymentErrorCode = "CONFIG_INVALID" | "CURRENCY_MISMATCH" | "FORBIDDEN" | "INVALID_TRANSITION" | "NOT_FOUND" | "PROVIDER_ERROR" | "WEBHOOK_SIGNATURE_INVALID" | "WEBHOOK_TIMESTAMP_INVALID";
|
|
519
|
+
/** Typed error for all `@lunora/payment` failures. `status` maps onto an HTTP response. */
|
|
520
|
+
declare class LunoraPaymentError extends Error {
|
|
521
|
+
readonly code: PaymentErrorCode;
|
|
522
|
+
readonly status: number;
|
|
523
|
+
constructor(code: PaymentErrorCode, message: string);
|
|
524
|
+
}
|
|
525
|
+
/**
|
|
526
|
+
* Outbound idempotency keys.
|
|
527
|
+
*
|
|
528
|
+
* Every mutating provider call carries a stable key derived from our own operation + inputs, so
|
|
529
|
+
* a Worker retry can never double-charge. Distinct from inbound webhook dedupe (keyed on the
|
|
530
|
+
* provider event id).
|
|
531
|
+
*/
|
|
532
|
+
/** Build a deterministic idempotency key from an operation name and stable parts. */
|
|
533
|
+
declare const idempotencyKey: (operation: string, ...parts: ReadonlyArray<number | string>) => string;
|
|
534
|
+
/** True when the currency has no minor unit (e.g. JPY). */
|
|
535
|
+
declare const isZeroDecimalCurrency: (currency: CurrencyCode) => boolean;
|
|
536
|
+
/** Construct money. Currency is normalized to uppercase; never use floats for amounts. */
|
|
537
|
+
declare const money: (minorUnits: bigint | number, currency: CurrencyCode) => Money;
|
|
538
|
+
declare const zeroMoney: (currency: CurrencyCode) => Money;
|
|
539
|
+
/** Localized currency string for display (e.g. `$19.99`). For UI only — never for arithmetic. */
|
|
540
|
+
declare const formatMoney: (value: Money, locale?: string) => string;
|
|
541
|
+
declare const addMoney: (a: Money, b: Money) => Money;
|
|
542
|
+
declare const subtractMoney: (a: Money, b: Money) => Money;
|
|
543
|
+
/** Compares two same-currency amounts, returning -1, 0, or 1. */
|
|
544
|
+
declare const compareMoney: (a: Money, b: Money) => -1 | 0 | 1;
|
|
545
|
+
/**
|
|
546
|
+
* Split an amount across integer ratios, distributing the remainder to the smallest unit so the
|
|
547
|
+
* parts always sum back to the original. The basis for seat/proration math.
|
|
548
|
+
*/
|
|
549
|
+
declare const allocateMoney: (amount: Money, ratios: ReadonlyArray<bigint>) => Money[];
|
|
550
|
+
declare const isZeroMoney: (a: Money) => boolean;
|
|
551
|
+
/** JSON-safe wire form of money (bigint encoded as a decimal string). */
|
|
552
|
+
interface MoneyJSON {
|
|
553
|
+
readonly currency: CurrencyCode;
|
|
554
|
+
readonly minorUnits: string;
|
|
555
|
+
}
|
|
556
|
+
declare const toMoneyJSON: (m: Money) => MoneyJSON;
|
|
557
|
+
declare const fromMoneyJSON: (json: MoneyJSON) => Money;
|
|
558
|
+
interface PolarSubscriptionLike {
|
|
559
|
+
readonly cancelAtPeriodEnd?: boolean;
|
|
560
|
+
readonly currentPeriodEnd?: null | string;
|
|
561
|
+
readonly currentPeriodStart?: null | string;
|
|
562
|
+
readonly customerId?: null | string;
|
|
563
|
+
readonly id: string;
|
|
564
|
+
readonly metadata?: Record<string, string>;
|
|
565
|
+
readonly productId?: string;
|
|
566
|
+
readonly status: string;
|
|
567
|
+
}
|
|
568
|
+
interface PolarOrderLike {
|
|
569
|
+
readonly amount?: number;
|
|
570
|
+
readonly currency?: string;
|
|
571
|
+
readonly id: string;
|
|
572
|
+
readonly status: string;
|
|
573
|
+
readonly totalAmount?: number;
|
|
574
|
+
}
|
|
575
|
+
interface PolarClientLike {
|
|
576
|
+
readonly checkouts: {
|
|
577
|
+
create: (parameters: Record<string, unknown>) => Promise<{
|
|
578
|
+
id: string;
|
|
579
|
+
url: string;
|
|
580
|
+
}>;
|
|
581
|
+
};
|
|
582
|
+
readonly customers: {
|
|
583
|
+
create: (parameters: Record<string, unknown>) => Promise<{
|
|
584
|
+
email: null | string;
|
|
585
|
+
id: string;
|
|
586
|
+
}>;
|
|
587
|
+
};
|
|
588
|
+
readonly customerSessions: {
|
|
589
|
+
create: (parameters: Record<string, unknown>) => Promise<{
|
|
590
|
+
customerPortalUrl: string;
|
|
591
|
+
}>;
|
|
592
|
+
};
|
|
593
|
+
readonly events: {
|
|
594
|
+
ingest: (parameters: Record<string, unknown>) => Promise<{
|
|
595
|
+
inserted?: number;
|
|
596
|
+
}>;
|
|
597
|
+
};
|
|
598
|
+
readonly orders: {
|
|
599
|
+
get: (parameters: Record<string, unknown>) => Promise<PolarOrderLike>;
|
|
600
|
+
};
|
|
601
|
+
readonly refunds: {
|
|
602
|
+
create: (parameters: Record<string, unknown>) => Promise<{
|
|
603
|
+
id: string;
|
|
604
|
+
}>;
|
|
605
|
+
};
|
|
606
|
+
readonly subscriptions: {
|
|
607
|
+
get: (parameters: Record<string, unknown>) => Promise<PolarSubscriptionLike>;
|
|
608
|
+
revoke: (parameters: Record<string, unknown>) => Promise<PolarSubscriptionLike>;
|
|
609
|
+
update: (parameters: Record<string, unknown>) => Promise<PolarSubscriptionLike>;
|
|
610
|
+
};
|
|
611
|
+
}
|
|
612
|
+
interface PolarAdapterOptions {
|
|
613
|
+
readonly client: PolarClientLike;
|
|
614
|
+
readonly webhookSecret: string;
|
|
615
|
+
readonly webhookToleranceSeconds?: number;
|
|
616
|
+
}
|
|
617
|
+
declare const createPolarAdapter: (options: PolarAdapterOptions) => PaymentAdapter;
|
|
618
|
+
interface StripeRequestOptions {
|
|
619
|
+
readonly idempotencyKey?: string;
|
|
620
|
+
}
|
|
621
|
+
interface StripePaymentIntentLike {
|
|
622
|
+
readonly amount: number;
|
|
623
|
+
readonly amount_received?: number;
|
|
624
|
+
readonly currency: string;
|
|
625
|
+
readonly customer?: null | string;
|
|
626
|
+
readonly id: string;
|
|
627
|
+
readonly metadata?: Record<string, string>;
|
|
628
|
+
readonly status: string;
|
|
629
|
+
}
|
|
630
|
+
interface StripeSubscriptionLike {
|
|
631
|
+
readonly cancel_at_period_end?: boolean;
|
|
632
|
+
readonly current_period_end?: number;
|
|
633
|
+
readonly current_period_start?: number;
|
|
634
|
+
readonly customer?: null | string;
|
|
635
|
+
readonly id: string;
|
|
636
|
+
readonly items?: {
|
|
637
|
+
data: ReadonlyArray<{
|
|
638
|
+
price?: {
|
|
639
|
+
id?: string;
|
|
640
|
+
};
|
|
641
|
+
quantity?: number;
|
|
642
|
+
}>;
|
|
643
|
+
};
|
|
644
|
+
readonly metadata?: Record<string, string>;
|
|
645
|
+
readonly status: string;
|
|
646
|
+
}
|
|
647
|
+
/** The subset of the Stripe SDK surface this adapter calls. A real `Stripe` instance satisfies it. */
|
|
648
|
+
interface StripeClientLike {
|
|
649
|
+
readonly billing: {
|
|
650
|
+
meterEvents: {
|
|
651
|
+
create: (parameters: Record<string, unknown>, options?: StripeRequestOptions) => Promise<{
|
|
652
|
+
identifier?: string;
|
|
653
|
+
}>;
|
|
654
|
+
};
|
|
655
|
+
};
|
|
656
|
+
readonly billingPortal: {
|
|
657
|
+
sessions: {
|
|
658
|
+
create: (parameters: Record<string, unknown>) => Promise<{
|
|
659
|
+
url: string;
|
|
660
|
+
}>;
|
|
661
|
+
};
|
|
662
|
+
};
|
|
663
|
+
readonly checkout: {
|
|
664
|
+
sessions: {
|
|
665
|
+
create: (parameters: Record<string, unknown>, options?: StripeRequestOptions) => Promise<{
|
|
666
|
+
id: string;
|
|
667
|
+
url: null | string;
|
|
668
|
+
}>;
|
|
669
|
+
};
|
|
670
|
+
};
|
|
671
|
+
readonly customers: {
|
|
672
|
+
create: (parameters: Record<string, unknown>, options?: StripeRequestOptions) => Promise<{
|
|
673
|
+
email: null | string;
|
|
674
|
+
id: string;
|
|
675
|
+
}>;
|
|
676
|
+
};
|
|
677
|
+
readonly paymentIntents: {
|
|
678
|
+
cancel: (id: string, parameters?: Record<string, unknown>, options?: StripeRequestOptions) => Promise<StripePaymentIntentLike>;
|
|
679
|
+
capture: (id: string, parameters?: Record<string, unknown>, options?: StripeRequestOptions) => Promise<StripePaymentIntentLike>;
|
|
680
|
+
retrieve: (id: string) => Promise<StripePaymentIntentLike>;
|
|
681
|
+
};
|
|
682
|
+
readonly refunds: {
|
|
683
|
+
create: (parameters: Record<string, unknown>, options?: StripeRequestOptions) => Promise<{
|
|
684
|
+
id: string;
|
|
685
|
+
}>;
|
|
686
|
+
};
|
|
687
|
+
readonly subscriptions: {
|
|
688
|
+
cancel: (id: string, parameters?: Record<string, unknown>, options?: StripeRequestOptions) => Promise<StripeSubscriptionLike>;
|
|
689
|
+
retrieve: (id: string) => Promise<StripeSubscriptionLike>;
|
|
690
|
+
update: (id: string, parameters: Record<string, unknown>, options?: StripeRequestOptions) => Promise<StripeSubscriptionLike>;
|
|
691
|
+
};
|
|
692
|
+
}
|
|
693
|
+
interface StripeAdapterOptions {
|
|
694
|
+
readonly client: StripeClientLike;
|
|
695
|
+
readonly webhookSecret: string;
|
|
696
|
+
readonly webhookToleranceSeconds?: number;
|
|
697
|
+
}
|
|
698
|
+
declare const createStripeAdapter: (options: StripeAdapterOptions) => PaymentAdapter;
|
|
699
|
+
interface ReconcileInput {
|
|
700
|
+
readonly adapter: PaymentAdapter;
|
|
701
|
+
/** Optional telemetry sink — fired per drifted row and once on completion. */
|
|
702
|
+
readonly observability?: PaymentObserver;
|
|
703
|
+
readonly paymentSessionIds?: ReadonlyArray<string>;
|
|
704
|
+
readonly store: PaymentStore;
|
|
705
|
+
readonly subscriptionIds?: ReadonlyArray<string>;
|
|
706
|
+
}
|
|
707
|
+
interface ReconcileResult {
|
|
708
|
+
readonly checkedPayments: number;
|
|
709
|
+
readonly checkedSubscriptions: number;
|
|
710
|
+
readonly failedPayments: number;
|
|
711
|
+
readonly failedSubscriptions: number;
|
|
712
|
+
readonly updatedPayments: number;
|
|
713
|
+
readonly updatedSubscriptions: number;
|
|
714
|
+
}
|
|
715
|
+
declare const reconcile: (input: ReconcileInput) => Promise<ReconcileResult>;
|
|
716
|
+
declare const paymentTables: Record<string, TableDefinition>;
|
|
717
|
+
/** Action that may advance a payment session. */
|
|
718
|
+
type PaymentAction = "authorize" | "cancel" | "capture" | "fail" | "partial_refund" | "refund";
|
|
719
|
+
/** Action that may advance a subscription. */
|
|
720
|
+
type SubscriptionAction = "activate" | "cancel" | "mark_past_due" | "pause" | "renew" | "resume";
|
|
721
|
+
declare const PAYMENT_TERMINAL_STATES: ReadonlySet<PaymentState>;
|
|
722
|
+
declare const SUBSCRIPTION_TERMINAL_STATES: ReadonlySet<SubscriptionState>;
|
|
723
|
+
/** Next payment state for an action, or `undefined` if the transition is illegal from `from`. */
|
|
724
|
+
declare const nextPaymentState: (from: PaymentState, action: PaymentAction) => PaymentState | undefined;
|
|
725
|
+
declare const canTransitionPayment: (from: PaymentState, action: PaymentAction) => boolean;
|
|
726
|
+
/** Next subscription state for an action, or `undefined` if the transition is illegal from `from`. */
|
|
727
|
+
declare const nextSubscriptionState: (from: SubscriptionState, action: SubscriptionAction) => SubscriptionState | undefined;
|
|
728
|
+
declare const canTransitionSubscription: (from: SubscriptionState, action: SubscriptionAction) => boolean;
|
|
729
|
+
declare const applyWebhookAction: (store: PaymentStore, action: WebhookAction, observer?: PaymentObserver) => Promise<ApplyResult>;
|
|
730
|
+
/** Constant-time string comparison to avoid leaking byte positions via timing. */
|
|
731
|
+
declare const constantTimeEqual: (a: string, b: string) => boolean;
|
|
732
|
+
declare const hmacSha256Hex: (secret: string, payload: string) => Promise<string>;
|
|
733
|
+
interface StripeSignatureParts {
|
|
734
|
+
readonly signatures: string[];
|
|
735
|
+
readonly timestamp: number;
|
|
736
|
+
}
|
|
737
|
+
/** Parse a Stripe-style `t=...,v1=...,v1=...` signature header. */
|
|
738
|
+
declare const parseStripeSignatureHeader: (header: string) => StripeSignatureParts;
|
|
739
|
+
interface VerifyStripeSignatureInput {
|
|
740
|
+
/** Injectable clock (ms since epoch) for tests. */
|
|
741
|
+
readonly now?: number;
|
|
742
|
+
/** Raw request body, exactly as received. */
|
|
743
|
+
readonly payload: string;
|
|
744
|
+
readonly secret: string;
|
|
745
|
+
/** The `Stripe-Signature` header value. */
|
|
746
|
+
readonly signatureHeader: string;
|
|
747
|
+
/** Whole-second tolerance for the signed timestamp (default 300). */
|
|
748
|
+
readonly toleranceSeconds?: number;
|
|
749
|
+
}
|
|
750
|
+
/**
|
|
751
|
+
* Verify a Stripe-scheme webhook signature: `HMAC_SHA256(secret, "{t}.{payload}")` compared
|
|
752
|
+
* against the header's `v1` values, with a timestamp tolerance to reject replays. Throws a
|
|
753
|
+
* {@link LunoraPaymentError} on any failure.
|
|
754
|
+
*/
|
|
755
|
+
declare const verifyStripeSignature: (input: VerifyStripeSignatureInput) => Promise<void>;
|
|
756
|
+
interface VerifyStandardWebhookInput {
|
|
757
|
+
/** Injectable clock (ms since epoch) for tests. */
|
|
758
|
+
readonly now?: number;
|
|
759
|
+
/** Raw request body, exactly as received. */
|
|
760
|
+
readonly payload: string;
|
|
761
|
+
/** Endpoint secret, optionally `whsec_`-prefixed; the remainder is base64-decoded to the key. */
|
|
762
|
+
readonly secret: string;
|
|
763
|
+
/** Whole-second tolerance for the signed timestamp (default 300). */
|
|
764
|
+
readonly toleranceSeconds?: number;
|
|
765
|
+
/** `webhook-id` header. */
|
|
766
|
+
readonly webhookId: string;
|
|
767
|
+
/** `webhook-signature` header — space-separated `v1,<base64>` entries. */
|
|
768
|
+
readonly webhookSignature: string;
|
|
769
|
+
/** `webhook-timestamp` header — unix seconds as a string. */
|
|
770
|
+
readonly webhookTimestamp: string;
|
|
771
|
+
}
|
|
772
|
+
/**
|
|
773
|
+
* Verify a Standard Webhooks signature (the scheme Polar and svix use):
|
|
774
|
+
* `base64(HMAC_SHA256(key, "{id}.{timestamp}.{payload}"))` compared against the header's `v1`
|
|
775
|
+
* entries, with a replay-window check. Throws a {@link LunoraPaymentError} on any failure.
|
|
776
|
+
*/
|
|
777
|
+
declare const verifyStandardWebhook: (input: VerifyStandardWebhookInput) => Promise<void>;
|
|
778
|
+
export { type AdapterRegistry, type ApplyResult, type AttachInput, type AuthorizeReference, type CancelSubscriptionOptions, type CaptureInput, type CheckInput, type CheckResult, type CheckoutInput, type CheckoutResult, type CreatePaymentOptions, type CurrencyCode, type Customer, type CustomerRef, type Entitlements, type EntitlementsConfig, type FeatureBalance, type LunoraDatabaseLike, type LunoraPayment, LunoraPaymentError, MemoryPaymentStore, type Money, type MoneyJSON, PAYMENT_TERMINAL_STATES, type PaymentAction, type PaymentAdapter, type PaymentContextLike, type PaymentDatabase, type PaymentErrorCode, type PaymentEvent, type PaymentObserver, type PaymentRow, type PaymentSession, type PaymentState, type PaymentStore, type PaymentsFromContextOptions, type PlanDefinition, type PolarAdapterOptions, type PolarClientLike, type PortalInput, type ProviderCapabilities, type ProviderId, type ReconcileInput, type ReconcileResult, type RefundAmountKind, type RefundInput, type ReportUsageInput, SUBSCRIPTION_TERMINAL_STATES, type StripeAdapterOptions, type StripeClientLike, type Subscription, type SubscriptionAction, type SubscriptionPatch, type SubscriptionState, type TrackInput, type TrackResult, type UsageEvent, type WebhookAction, type WebhookActionType, type WebhookHeaders, type WebhookInput, addMoney, allocateMoney, applyWebhookAction, canTransitionPayment, canTransitionSubscription, compareMoney, constantTimeEqual, createAdapterRegistry, createDatabasePaymentStore, createPayment, createPolarAdapter, createStripeAdapter, entitlementsForReference, featureNames, formatMoney, fromMoneyJSON, hasActivePrice, hmacSha256Hex, idempotencyKey, isZeroDecimalCurrency, isZeroMoney, lunoraDatabaseToPaymentDatabase, money, nextPaymentState, nextSubscriptionState, parseStripeSignatureHeader, paymentTables, paymentsFromContext, reconcile, resolveEntitlements, subtractMoney, toMoneyJSON, usagePeriodStart, verifyStandardWebhook, verifyStripeSignature, zeroMoney };
|