@nehorai/payments 0.1.0

package/dist/types/index.d.cts

@@ -0,0 +1,127 @@
+import { k as PaymentProvider } from '../payment-types-68W-PlGg.cjs';
+export { A as AuthorizationResult, a as AuthorizePaymentParams, C as CapturePaymentParams, b as CaptureResult, c as CardBrand, d as CreatePaymentIntentParams, e as CurrencyConversion, P as PaymentAmount, f as PaymentError, g as PaymentErrorCode, h as PaymentIntentResult, i as PaymentMetadata, j as PaymentMethodType, l as ProviderHealthStatus, m as ProviderMetadata, R as RefundParams, n as RefundResult, T as TaxInvoiceStatus, o as TransactionType, V as VoidPaymentParams, p as VoidResult } from '../payment-types-68W-PlGg.cjs';
+import { c as TransactionStatus } from '../state-machine-Cu6_qKnv.cjs';
+export { D as DEFAULT_AUTH_HOLD_DAYS, H as HOLD_STATES, S as SUCCESS_STATES, a as StateTransitionResult, T as TERMINAL_STATES, b as TransactionEvent, V as VALID_TRANSITIONS, d as attemptTransition, e as calculateCaptureDeadline, f as canCapture, g as canRefund, h as canTransition, i as canVoid, j as getNextStatus, k as isAuthorizationExpired, l as isHoldState, m as isSuccessState, n as isTerminalState } from '../state-machine-Cu6_qKnv.cjs';
+
+/**
+ * @nehorai/payments - Webhook Types
+ *
+ * Types for processing incoming webhooks from payment providers.
+ * Includes signature verification and idempotent event handling.
+ */
+
+/**
+ * Status of webhook processing
+ */
+type WebhookStatus = 'pending' | 'processing' | 'processed' | 'failed' | 'ignored';
+/**
+ * Incoming webhook event from any provider
+ */
+interface WebhookEvent {
+    /** Source payment provider */
+    provider: PaymentProvider;
+    /** Provider's unique event ID (for idempotency) */
+    eventId: string;
+    /** Type of event (e.g., 'payment_intent.succeeded') */
+    eventType: string;
+    /** When the event occurred */
+    timestamp: Date;
+    /** Raw event payload */
+    payload: Record<string, unknown>;
+    /** Signature from provider for verification */
+    signature: string;
+}
+/**
+ * Result of processing a webhook event
+ */
+interface WebhookProcessingResult {
+    success: boolean;
+    /** Associated transaction ID if applicable */
+    transactionId?: string;
+    /** What action was taken */
+    action?: WebhookAction;
+    /** Error message if failed */
+    error?: string;
+    /** Whether this was a duplicate event */
+    wasDuplicate?: boolean;
+}
+/**
+ * Actions taken when processing webhooks
+ */
+type WebhookAction = 'transaction_created' | 'status_updated' | 'refund_processed' | 'dispute_created' | 'skipped_duplicate' | 'ignored_event_type' | 'no_action_needed';
+/**
+ * Stripe webhook event types we handle
+ */
+type StripeEventType = 'payment_intent.created' | 'payment_intent.processing' | 'payment_intent.succeeded' | 'payment_intent.payment_failed' | 'payment_intent.canceled' | 'payment_intent.amount_capturable_updated' | 'charge.succeeded' | 'charge.failed' | 'charge.refunded' | 'charge.dispute.created' | 'charge.dispute.closed' | 'customer.subscription.created' | 'customer.subscription.updated' | 'customer.subscription.deleted' | 'invoice.paid' | 'invoice.payment_failed';
+/**
+ * Map of Stripe events to transaction status updates
+ */
+declare const STRIPE_EVENT_TO_STATUS: Partial<Record<StripeEventType, TransactionStatus>>;
+/**
+ * Parameters for verifying webhook signature
+ */
+interface WebhookVerificationParams {
+    payload: string;
+    signature: string;
+    secret: string;
+    /** Tolerance in seconds for timestamp validation */
+    tolerance?: number;
+}
+/**
+ * Result of webhook signature verification
+ */
+interface WebhookVerificationResult {
+    valid: boolean;
+    error?: string;
+}
+/**
+ * Message format for webhook queue
+ */
+interface WebhookQueueMessage {
+    /** Message ID for deduplication */
+    messageId: string;
+    /** Provider that sent the webhook */
+    provider: PaymentProvider;
+    /** Provider's event ID */
+    eventId: string;
+    /** Event type */
+    eventType: string;
+    /** Raw payload (JSON string) */
+    payload: string;
+    /** Signature for verification */
+    signature: string;
+    /** When received by our API */
+    receivedAt: string;
+    /** Number of processing attempts */
+    attemptCount: number;
+}
+/**
+ * Result of queue message processing
+ */
+interface QueueProcessingResult {
+    success: boolean;
+    messageId: string;
+    action?: WebhookAction;
+    shouldDelete: boolean;
+    shouldRetry: boolean;
+    error?: string;
+}
+/**
+ * Result of reconciling payment state
+ * Handles race condition between redirect and webhook
+ */
+interface ReconciliationResult {
+    reconciled: boolean;
+    /** Final determined status */
+    finalStatus: TransactionStatus;
+    /** Source of truth (redirect callback vs webhook) */
+    source: 'redirect' | 'webhook' | 'provider_query';
+    /** Whether status was updated */
+    statusChanged: boolean;
+}
+/**
+ * Reconciliation strategy when redirect and webhook conflict
+ */
+type ReconciliationStrategy = 'prefer_webhook' | 'prefer_redirect' | 'query_provider';
+
+export { PaymentProvider, type QueueProcessingResult, type ReconciliationResult, type ReconciliationStrategy, STRIPE_EVENT_TO_STATUS, type StripeEventType, TransactionStatus, type WebhookAction, type WebhookEvent, type WebhookProcessingResult, type WebhookQueueMessage, type WebhookStatus, type WebhookVerificationParams, type WebhookVerificationResult };

package/dist/types/index.d.ts

@@ -0,0 +1,127 @@
+import { k as PaymentProvider } from '../payment-types-68W-PlGg.js';
+export { A as AuthorizationResult, a as AuthorizePaymentParams, C as CapturePaymentParams, b as CaptureResult, c as CardBrand, d as CreatePaymentIntentParams, e as CurrencyConversion, P as PaymentAmount, f as PaymentError, g as PaymentErrorCode, h as PaymentIntentResult, i as PaymentMetadata, j as PaymentMethodType, l as ProviderHealthStatus, m as ProviderMetadata, R as RefundParams, n as RefundResult, T as TaxInvoiceStatus, o as TransactionType, V as VoidPaymentParams, p as VoidResult } from '../payment-types-68W-PlGg.js';
+import { c as TransactionStatus } from '../state-machine-Cu6_qKnv.js';
+export { D as DEFAULT_AUTH_HOLD_DAYS, H as HOLD_STATES, S as SUCCESS_STATES, a as StateTransitionResult, T as TERMINAL_STATES, b as TransactionEvent, V as VALID_TRANSITIONS, d as attemptTransition, e as calculateCaptureDeadline, f as canCapture, g as canRefund, h as canTransition, i as canVoid, j as getNextStatus, k as isAuthorizationExpired, l as isHoldState, m as isSuccessState, n as isTerminalState } from '../state-machine-Cu6_qKnv.js';
+
+/**
+ * @nehorai/payments - Webhook Types
+ *
+ * Types for processing incoming webhooks from payment providers.
+ * Includes signature verification and idempotent event handling.
+ */
+
+/**
+ * Status of webhook processing
+ */
+type WebhookStatus = 'pending' | 'processing' | 'processed' | 'failed' | 'ignored';
+/**
+ * Incoming webhook event from any provider
+ */
+interface WebhookEvent {
+    /** Source payment provider */
+    provider: PaymentProvider;
+    /** Provider's unique event ID (for idempotency) */
+    eventId: string;
+    /** Type of event (e.g., 'payment_intent.succeeded') */
+    eventType: string;
+    /** When the event occurred */
+    timestamp: Date;
+    /** Raw event payload */
+    payload: Record<string, unknown>;
+    /** Signature from provider for verification */
+    signature: string;
+}
+/**
+ * Result of processing a webhook event
+ */
+interface WebhookProcessingResult {
+    success: boolean;
+    /** Associated transaction ID if applicable */
+    transactionId?: string;
+    /** What action was taken */
+    action?: WebhookAction;
+    /** Error message if failed */
+    error?: string;
+    /** Whether this was a duplicate event */
+    wasDuplicate?: boolean;
+}
+/**
+ * Actions taken when processing webhooks
+ */
+type WebhookAction = 'transaction_created' | 'status_updated' | 'refund_processed' | 'dispute_created' | 'skipped_duplicate' | 'ignored_event_type' | 'no_action_needed';
+/**
+ * Stripe webhook event types we handle
+ */
+type StripeEventType = 'payment_intent.created' | 'payment_intent.processing' | 'payment_intent.succeeded' | 'payment_intent.payment_failed' | 'payment_intent.canceled' | 'payment_intent.amount_capturable_updated' | 'charge.succeeded' | 'charge.failed' | 'charge.refunded' | 'charge.dispute.created' | 'charge.dispute.closed' | 'customer.subscription.created' | 'customer.subscription.updated' | 'customer.subscription.deleted' | 'invoice.paid' | 'invoice.payment_failed';
+/**
+ * Map of Stripe events to transaction status updates
+ */
+declare const STRIPE_EVENT_TO_STATUS: Partial<Record<StripeEventType, TransactionStatus>>;
+/**
+ * Parameters for verifying webhook signature
+ */
+interface WebhookVerificationParams {
+    payload: string;
+    signature: string;
+    secret: string;
+    /** Tolerance in seconds for timestamp validation */
+    tolerance?: number;
+}
+/**
+ * Result of webhook signature verification
+ */
+interface WebhookVerificationResult {
+    valid: boolean;
+    error?: string;
+}
+/**
+ * Message format for webhook queue
+ */
+interface WebhookQueueMessage {
+    /** Message ID for deduplication */
+    messageId: string;
+    /** Provider that sent the webhook */
+    provider: PaymentProvider;
+    /** Provider's event ID */
+    eventId: string;
+    /** Event type */
+    eventType: string;
+    /** Raw payload (JSON string) */
+    payload: string;
+    /** Signature for verification */
+    signature: string;
+    /** When received by our API */
+    receivedAt: string;
+    /** Number of processing attempts */
+    attemptCount: number;
+}
+/**
+ * Result of queue message processing
+ */
+interface QueueProcessingResult {
+    success: boolean;
+    messageId: string;
+    action?: WebhookAction;
+    shouldDelete: boolean;
+    shouldRetry: boolean;
+    error?: string;
+}
+/**
+ * Result of reconciling payment state
+ * Handles race condition between redirect and webhook
+ */
+interface ReconciliationResult {
+    reconciled: boolean;
+    /** Final determined status */
+    finalStatus: TransactionStatus;
+    /** Source of truth (redirect callback vs webhook) */
+    source: 'redirect' | 'webhook' | 'provider_query';
+    /** Whether status was updated */
+    statusChanged: boolean;
+}
+/**
+ * Reconciliation strategy when redirect and webhook conflict
+ */
+type ReconciliationStrategy = 'prefer_webhook' | 'prefer_redirect' | 'query_provider';
+
+export { PaymentProvider, type QueueProcessingResult, type ReconciliationResult, type ReconciliationStrategy, STRIPE_EVENT_TO_STATUS, type StripeEventType, TransactionStatus, type WebhookAction, type WebhookEvent, type WebhookProcessingResult, type WebhookQueueMessage, type WebhookStatus, type WebhookVerificationParams, type WebhookVerificationResult };

package/dist/types/index.js

@@ -0,0 +1,130 @@
+// src/types/state-machine.ts
+var TERMINAL_STATES = [
+  "voided",
+  "failed",
+  "expired",
+  "fully_refunded"
+];
+var SUCCESS_STATES = [
+  "captured",
+  "partially_refunded",
+  "fully_refunded"
+];
+var HOLD_STATES = [
+  "authorized"
+];
+var VALID_TRANSITIONS = {
+  created: ["INITIATE", "AUTHORIZE_PENDING", "AUTHORIZE_FAILED"],
+  pending_authorization: ["AUTHORIZE_SUCCESS", "AUTHORIZE_FAILED", "EXPIRED"],
+  authorized: ["CAPTURE_STARTED", "VOID_SUCCESS", "VOID_FAILED", "EXPIRED"],
+  capturing: ["CAPTURE_SUCCESS", "CAPTURE_FAILED"],
+  captured: ["PARTIAL_REFUND", "FULL_REFUND"],
+  voided: [],
+  // Terminal state
+  failed: [],
+  // Terminal state
+  expired: [],
+  // Terminal state
+  partially_refunded: ["PARTIAL_REFUND", "FULL_REFUND"],
+  fully_refunded: []
+  // Terminal state
+};
+var EVENT_TO_STATE = {
+  INITIATE: "pending_authorization",
+  AUTHORIZE_PENDING: "pending_authorization",
+  AUTHORIZE_SUCCESS: "authorized",
+  AUTHORIZE_FAILED: "failed",
+  CAPTURE_STARTED: "capturing",
+  CAPTURE_SUCCESS: "captured",
+  CAPTURE_FAILED: "failed",
+  VOID_SUCCESS: "voided",
+  VOID_FAILED: "authorized",
+  // Remain authorized if void fails
+  EXPIRED: "expired",
+  PARTIAL_REFUND: "partially_refunded",
+  FULL_REFUND: "fully_refunded"
+};
+function canTransition(currentStatus, event) {
+  return VALID_TRANSITIONS[currentStatus].includes(event);
+}
+function getNextStatus(currentStatus, event) {
+  if (!canTransition(currentStatus, event)) {
+    return null;
+  }
+  return EVENT_TO_STATE[event];
+}
+function isTerminalState(status) {
+  return TERMINAL_STATES.includes(status);
+}
+function isSuccessState(status) {
+  return SUCCESS_STATES.includes(status);
+}
+function isHoldState(status) {
+  return HOLD_STATES.includes(status);
+}
+function canRefund(status) {
+  return status === "captured" || status === "partially_refunded";
+}
+function canCapture(status) {
+  return status === "authorized";
+}
+function canVoid(status) {
+  return status === "authorized";
+}
+function attemptTransition(currentStatus, event) {
+  const nextStatus = getNextStatus(currentStatus, event);
+  if (nextStatus === null) {
+    return {
+      success: false,
+      previousStatus: currentStatus,
+      newStatus: currentStatus,
+      event,
+      error: `Invalid transition: ${currentStatus} -> ${event}`
+    };
+  }
+  return {
+    success: true,
+    previousStatus: currentStatus,
+    newStatus: nextStatus,
+    event
+  };
+}
+var DEFAULT_AUTH_HOLD_DAYS = 7;
+function calculateCaptureDeadline(authorizedAt, holdDays = DEFAULT_AUTH_HOLD_DAYS) {
+  const deadline = new Date(authorizedAt);
+  deadline.setDate(deadline.getDate() + holdDays);
+  return deadline;
+}
+function isAuthorizationExpired(captureDeadline) {
+  return /* @__PURE__ */ new Date() > captureDeadline;
+}
+
+// src/types/webhook-types.ts
+var STRIPE_EVENT_TO_STATUS = {
+  "payment_intent.succeeded": "captured",
+  "payment_intent.payment_failed": "failed",
+  "payment_intent.canceled": "voided",
+  "payment_intent.amount_capturable_updated": "authorized",
+  "charge.refunded": "partially_refunded"
+  // or fully_refunded based on amount
+};
+export {
+  DEFAULT_AUTH_HOLD_DAYS,
+  HOLD_STATES,
+  STRIPE_EVENT_TO_STATUS,
+  SUCCESS_STATES,
+  TERMINAL_STATES,
+  VALID_TRANSITIONS,
+  attemptTransition,
+  calculateCaptureDeadline,
+  canCapture,
+  canRefund,
+  canTransition,
+  canVoid,
+  getNextStatus,
+  isAuthorizationExpired,
+  isHoldState,
+  isSuccessState,
+  isTerminalState
+};
+//# sourceMappingURL=index.js.map

package/dist/types/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/types/state-machine.ts","../../src/types/webhook-types.ts"],"sourcesContent":["/**\r\n * @nehorai/payments - Transaction State Machine\r\n *\r\n * Defines the strict state transitions for payment transactions.\r\n * Implements the J5 (Two-Phase Commit) pattern for authorize/capture flows.\r\n *\r\n * State Flow:\r\n * +-------------------------------------------------------------+\r\n * |  CREATED --------------------------------------------------+ |\r\n * |     |                                                  |   |\r\n * |     v                                                  v   |\r\n * |  PENDING_AUTHORIZATION -----------------------------> FAILED |\r\n * |     |                                                  ^   |\r\n * |     v                                                  |   |\r\n * |  AUTHORIZED ---------> VOIDED                          |   |\r\n * |     |                                                  |   |\r\n * |     +----------------> EXPIRED ------------------------+   |\r\n * |     |                                                  |   |\r\n * |     v                                                  |   |\r\n * |  CAPTURING --------------------------------------------+   |\r\n * |     |                                                      |\r\n * |     v                                                      |\r\n * |  CAPTURED ------> PARTIALLY_REFUNDED ------> FULLY_REFUNDED |\r\n * +-------------------------------------------------------------+\r\n */\r\n\r\n// ============================================================================\r\n// Transaction States\r\n// ============================================================================\r\n\r\n/**\r\n * All possible transaction states\r\n */\r\nexport type TransactionStatus =\r\n  | 'created'\r\n  | 'pending_authorization'\r\n  | 'authorized'\r\n  | 'capturing'\r\n  | 'captured'\r\n  | 'voided'\r\n  | 'failed'\r\n  | 'expired'\r\n  | 'partially_refunded'\r\n  | 'fully_refunded';\r\n\r\n/**\r\n * Terminal states - no further transitions possible\r\n */\r\nexport const TERMINAL_STATES: readonly TransactionStatus[] = [\r\n  'voided',\r\n  'failed',\r\n  'expired',\r\n  'fully_refunded',\r\n] as const;\r\n\r\n/**\r\n * States that indicate successful completion\r\n */\r\nexport const SUCCESS_STATES: readonly TransactionStatus[] = [\r\n  'captured',\r\n  'partially_refunded',\r\n  'fully_refunded',\r\n] as const;\r\n\r\n/**\r\n * States where funds are held but not captured\r\n */\r\nexport const HOLD_STATES: readonly TransactionStatus[] = [\r\n  'authorized',\r\n] as const;\r\n\r\n// ============================================================================\r\n// Transaction Events\r\n// ============================================================================\r\n\r\n/**\r\n * Events that trigger state transitions\r\n */\r\nexport type TransactionEvent =\r\n  | 'INITIATE'\r\n  | 'AUTHORIZE_PENDING'\r\n  | 'AUTHORIZE_SUCCESS'\r\n  | 'AUTHORIZE_FAILED'\r\n  | 'CAPTURE_STARTED'\r\n  | 'CAPTURE_SUCCESS'\r\n  | 'CAPTURE_FAILED'\r\n  | 'VOID_SUCCESS'\r\n  | 'VOID_FAILED'\r\n  | 'EXPIRED'\r\n  | 'PARTIAL_REFUND'\r\n  | 'FULL_REFUND';\r\n\r\n// ============================================================================\r\n// State Transition Map\r\n// ============================================================================\r\n\r\n/**\r\n * Valid transitions from each state\r\n */\r\nexport const VALID_TRANSITIONS: Record<TransactionStatus, TransactionEvent[]> = {\r\n  created: ['INITIATE', 'AUTHORIZE_PENDING', 'AUTHORIZE_FAILED'],\r\n  pending_authorization: ['AUTHORIZE_SUCCESS', 'AUTHORIZE_FAILED', 'EXPIRED'],\r\n  authorized: ['CAPTURE_STARTED', 'VOID_SUCCESS', 'VOID_FAILED', 'EXPIRED'],\r\n  capturing: ['CAPTURE_SUCCESS', 'CAPTURE_FAILED'],\r\n  captured: ['PARTIAL_REFUND', 'FULL_REFUND'],\r\n  voided: [], // Terminal state\r\n  failed: [], // Terminal state\r\n  expired: [], // Terminal state\r\n  partially_refunded: ['PARTIAL_REFUND', 'FULL_REFUND'],\r\n  fully_refunded: [], // Terminal state\r\n};\r\n\r\n/**\r\n * Event to next state mapping\r\n */\r\nconst EVENT_TO_STATE: Record<TransactionEvent, TransactionStatus> = {\r\n  INITIATE: 'pending_authorization',\r\n  AUTHORIZE_PENDING: 'pending_authorization',\r\n  AUTHORIZE_SUCCESS: 'authorized',\r\n  AUTHORIZE_FAILED: 'failed',\r\n  CAPTURE_STARTED: 'capturing',\r\n  CAPTURE_SUCCESS: 'captured',\r\n  CAPTURE_FAILED: 'failed',\r\n  VOID_SUCCESS: 'voided',\r\n  VOID_FAILED: 'authorized', // Remain authorized if void fails\r\n  EXPIRED: 'expired',\r\n  PARTIAL_REFUND: 'partially_refunded',\r\n  FULL_REFUND: 'fully_refunded',\r\n};\r\n\r\n// ============================================================================\r\n// State Machine Functions\r\n// ============================================================================\r\n\r\n/**\r\n * Check if a transition is valid\r\n */\r\nexport function canTransition(\r\n  currentStatus: TransactionStatus,\r\n  event: TransactionEvent\r\n): boolean {\r\n  return VALID_TRANSITIONS[currentStatus].includes(event);\r\n}\r\n\r\n/**\r\n * Get the next state after an event, or null if transition is invalid\r\n */\r\nexport function getNextStatus(\r\n  currentStatus: TransactionStatus,\r\n  event: TransactionEvent\r\n): TransactionStatus | null {\r\n  if (!canTransition(currentStatus, event)) {\r\n    return null;\r\n  }\r\n  return EVENT_TO_STATE[event];\r\n}\r\n\r\n/**\r\n * Check if a state is terminal (no further transitions)\r\n */\r\nexport function isTerminalState(status: TransactionStatus): boolean {\r\n  return TERMINAL_STATES.includes(status);\r\n}\r\n\r\n/**\r\n * Check if a state represents a successful payment\r\n */\r\nexport function isSuccessState(status: TransactionStatus): boolean {\r\n  return SUCCESS_STATES.includes(status);\r\n}\r\n\r\n/**\r\n * Check if funds are currently held (authorized but not captured)\r\n */\r\nexport function isHoldState(status: TransactionStatus): boolean {\r\n  return HOLD_STATES.includes(status);\r\n}\r\n\r\n/**\r\n * Check if a refund is possible from current state\r\n */\r\nexport function canRefund(status: TransactionStatus): boolean {\r\n  return status === 'captured' || status === 'partially_refunded';\r\n}\r\n\r\n/**\r\n * Check if capture is possible from current state\r\n */\r\nexport function canCapture(status: TransactionStatus): boolean {\r\n  return status === 'authorized';\r\n}\r\n\r\n/**\r\n * Check if void is possible from current state\r\n */\r\nexport function canVoid(status: TransactionStatus): boolean {\r\n  return status === 'authorized';\r\n}\r\n\r\n// ============================================================================\r\n// State Transition Result Types\r\n// ============================================================================\r\n\r\n/**\r\n * Result of a state transition attempt\r\n */\r\nexport interface StateTransitionResult {\r\n  success: boolean;\r\n  previousStatus: TransactionStatus;\r\n  newStatus: TransactionStatus;\r\n  event: TransactionEvent;\r\n  error?: string;\r\n}\r\n\r\n/**\r\n * Attempt a state transition with validation\r\n */\r\nexport function attemptTransition(\r\n  currentStatus: TransactionStatus,\r\n  event: TransactionEvent\r\n): StateTransitionResult {\r\n  const nextStatus = getNextStatus(currentStatus, event);\r\n\r\n  if (nextStatus === null) {\r\n    return {\r\n      success: false,\r\n      previousStatus: currentStatus,\r\n      newStatus: currentStatus,\r\n      event,\r\n      error: `Invalid transition: ${currentStatus} -> ${event}`,\r\n    };\r\n  }\r\n\r\n  return {\r\n    success: true,\r\n    previousStatus: currentStatus,\r\n    newStatus: nextStatus,\r\n    event,\r\n  };\r\n}\r\n\r\n// ============================================================================\r\n// Authorization Expiry\r\n// ============================================================================\r\n\r\n/**\r\n * Default authorization hold period (7 days for most providers)\r\n */\r\nexport const DEFAULT_AUTH_HOLD_DAYS = 7;\r\n\r\n/**\r\n * Calculate capture deadline from authorization time\r\n */\r\nexport function calculateCaptureDeadline(\r\n  authorizedAt: Date,\r\n  holdDays: number = DEFAULT_AUTH_HOLD_DAYS\r\n): Date {\r\n  const deadline = new Date(authorizedAt);\r\n  deadline.setDate(deadline.getDate() + holdDays);\r\n  return deadline;\r\n}\r\n\r\n/**\r\n * Check if authorization has expired\r\n */\r\nexport function isAuthorizationExpired(captureDeadline: Date): boolean {\r\n  return new Date() > captureDeadline;\r\n}\r\n","/**\r\n * @nehorai/payments - Webhook Types\r\n *\r\n * Types for processing incoming webhooks from payment providers.\r\n * Includes signature verification and idempotent event handling.\r\n */\r\n\r\nimport type { PaymentProvider } from './payment-types.js';\r\nimport type { TransactionStatus } from './state-machine.js';\r\n\r\n// ============================================================================\r\n// Webhook Event Types\r\n// ============================================================================\r\n\r\n/**\r\n * Status of webhook processing\r\n */\r\nexport type WebhookStatus =\r\n  | 'pending'\r\n  | 'processing'\r\n  | 'processed'\r\n  | 'failed'\r\n  | 'ignored';\r\n\r\n/**\r\n * Incoming webhook event from any provider\r\n */\r\nexport interface WebhookEvent {\r\n  /** Source payment provider */\r\n  provider: PaymentProvider;\r\n  /** Provider's unique event ID (for idempotency) */\r\n  eventId: string;\r\n  /** Type of event (e.g., 'payment_intent.succeeded') */\r\n  eventType: string;\r\n  /** When the event occurred */\r\n  timestamp: Date;\r\n  /** Raw event payload */\r\n  payload: Record<string, unknown>;\r\n  /** Signature from provider for verification */\r\n  signature: string;\r\n}\r\n\r\n/**\r\n * Result of processing a webhook event\r\n */\r\nexport interface WebhookProcessingResult {\r\n  success: boolean;\r\n  /** Associated transaction ID if applicable */\r\n  transactionId?: string;\r\n  /** What action was taken */\r\n  action?: WebhookAction;\r\n  /** Error message if failed */\r\n  error?: string;\r\n  /** Whether this was a duplicate event */\r\n  wasDuplicate?: boolean;\r\n}\r\n\r\n/**\r\n * Actions taken when processing webhooks\r\n */\r\nexport type WebhookAction =\r\n  | 'transaction_created'\r\n  | 'status_updated'\r\n  | 'refund_processed'\r\n  | 'dispute_created'\r\n  | 'skipped_duplicate'\r\n  | 'ignored_event_type'\r\n  | 'no_action_needed';\r\n\r\n// ============================================================================\r\n// Provider-Specific Event Types\r\n// ============================================================================\r\n\r\n/**\r\n * Stripe webhook event types we handle\r\n */\r\nexport type StripeEventType =\r\n  | 'payment_intent.created'\r\n  | 'payment_intent.processing'\r\n  | 'payment_intent.succeeded'\r\n  | 'payment_intent.payment_failed'\r\n  | 'payment_intent.canceled'\r\n  | 'payment_intent.amount_capturable_updated'\r\n  | 'charge.succeeded'\r\n  | 'charge.failed'\r\n  | 'charge.refunded'\r\n  | 'charge.dispute.created'\r\n  | 'charge.dispute.closed'\r\n  | 'customer.subscription.created'\r\n  | 'customer.subscription.updated'\r\n  | 'customer.subscription.deleted'\r\n  | 'invoice.paid'\r\n  | 'invoice.payment_failed';\r\n\r\n/**\r\n * Map of Stripe events to transaction status updates\r\n */\r\nexport const STRIPE_EVENT_TO_STATUS: Partial<Record<StripeEventType, TransactionStatus>> = {\r\n  'payment_intent.succeeded': 'captured',\r\n  'payment_intent.payment_failed': 'failed',\r\n  'payment_intent.canceled': 'voided',\r\n  'payment_intent.amount_capturable_updated': 'authorized',\r\n  'charge.refunded': 'partially_refunded', // or fully_refunded based on amount\r\n};\r\n\r\n// ============================================================================\r\n// Webhook Signature Verification\r\n// ============================================================================\r\n\r\n/**\r\n * Parameters for verifying webhook signature\r\n */\r\nexport interface WebhookVerificationParams {\r\n  payload: string;\r\n  signature: string;\r\n  secret: string;\r\n  /** Tolerance in seconds for timestamp validation */\r\n  tolerance?: number;\r\n}\r\n\r\n/**\r\n * Result of webhook signature verification\r\n */\r\nexport interface WebhookVerificationResult {\r\n  valid: boolean;\r\n  error?: string;\r\n}\r\n\r\n// ============================================================================\r\n// Webhook Queue Types (for SQS processing)\r\n// ============================================================================\r\n\r\n/**\r\n * Message format for webhook queue\r\n */\r\nexport interface WebhookQueueMessage {\r\n  /** Message ID for deduplication */\r\n  messageId: string;\r\n  /** Provider that sent the webhook */\r\n  provider: PaymentProvider;\r\n  /** Provider's event ID */\r\n  eventId: string;\r\n  /** Event type */\r\n  eventType: string;\r\n  /** Raw payload (JSON string) */\r\n  payload: string;\r\n  /** Signature for verification */\r\n  signature: string;\r\n  /** When received by our API */\r\n  receivedAt: string;\r\n  /** Number of processing attempts */\r\n  attemptCount: number;\r\n}\r\n\r\n/**\r\n * Result of queue message processing\r\n */\r\nexport interface QueueProcessingResult {\r\n  success: boolean;\r\n  messageId: string;\r\n  action?: WebhookAction;\r\n  shouldDelete: boolean;\r\n  shouldRetry: boolean;\r\n  error?: string;\r\n}\r\n\r\n// ============================================================================\r\n// Reconciliation Types\r\n// ============================================================================\r\n\r\n/**\r\n * Result of reconciling payment state\r\n * Handles race condition between redirect and webhook\r\n */\r\nexport interface ReconciliationResult {\r\n  reconciled: boolean;\r\n  /** Final determined status */\r\n  finalStatus: TransactionStatus;\r\n  /** Source of truth (redirect callback vs webhook) */\r\n  source: 'redirect' | 'webhook' | 'provider_query';\r\n  /** Whether status was updated */\r\n  statusChanged: boolean;\r\n}\r\n\r\n/**\r\n * Reconciliation strategy when redirect and webhook conflict\r\n */\r\nexport type ReconciliationStrategy =\r\n  | 'prefer_webhook'      // Wait for webhook (more reliable)\r\n  | 'prefer_redirect'     // Use redirect result immediately\r\n  | 'query_provider';     // Query provider API directly\r\n"],"mappings":";AAgDO,IAAM,kBAAgD;AAAA,EAC3D;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAKO,IAAM,iBAA+C;AAAA,EAC1D;AAAA,EACA;AAAA,EACA;AACF;AAKO,IAAM,cAA4C;AAAA,EACvD;AACF;AA8BO,IAAM,oBAAmE;AAAA,EAC9E,SAAS,CAAC,YAAY,qBAAqB,kBAAkB;AAAA,EAC7D,uBAAuB,CAAC,qBAAqB,oBAAoB,SAAS;AAAA,EAC1E,YAAY,CAAC,mBAAmB,gBAAgB,eAAe,SAAS;AAAA,EACxE,WAAW,CAAC,mBAAmB,gBAAgB;AAAA,EAC/C,UAAU,CAAC,kBAAkB,aAAa;AAAA,EAC1C,QAAQ,CAAC;AAAA;AAAA,EACT,QAAQ,CAAC;AAAA;AAAA,EACT,SAAS,CAAC;AAAA;AAAA,EACV,oBAAoB,CAAC,kBAAkB,aAAa;AAAA,EACpD,gBAAgB,CAAC;AAAA;AACnB;AAKA,IAAM,iBAA8D;AAAA,EAClE,UAAU;AAAA,EACV,mBAAmB;AAAA,EACnB,mBAAmB;AAAA,EACnB,kBAAkB;AAAA,EAClB,iBAAiB;AAAA,EACjB,iBAAiB;AAAA,EACjB,gBAAgB;AAAA,EAChB,cAAc;AAAA,EACd,aAAa;AAAA;AAAA,EACb,SAAS;AAAA,EACT,gBAAgB;AAAA,EAChB,aAAa;AACf;AASO,SAAS,cACd,eACA,OACS;AACT,SAAO,kBAAkB,aAAa,EAAE,SAAS,KAAK;AACxD;AAKO,SAAS,cACd,eACA,OAC0B;AAC1B,MAAI,CAAC,cAAc,eAAe,KAAK,GAAG;AACxC,WAAO;AAAA,EACT;AACA,SAAO,eAAe,KAAK;AAC7B;AAKO,SAAS,gBAAgB,QAAoC;AAClE,SAAO,gBAAgB,SAAS,MAAM;AACxC;AAKO,SAAS,eAAe,QAAoC;AACjE,SAAO,eAAe,SAAS,MAAM;AACvC;AAKO,SAAS,YAAY,QAAoC;AAC9D,SAAO,YAAY,SAAS,MAAM;AACpC;AAKO,SAAS,UAAU,QAAoC;AAC5D,SAAO,WAAW,cAAc,WAAW;AAC7C;AAKO,SAAS,WAAW,QAAoC;AAC7D,SAAO,WAAW;AACpB;AAKO,SAAS,QAAQ,QAAoC;AAC1D,SAAO,WAAW;AACpB;AAoBO,SAAS,kBACd,eACA,OACuB;AACvB,QAAM,aAAa,cAAc,eAAe,KAAK;AAErD,MAAI,eAAe,MAAM;AACvB,WAAO;AAAA,MACL,SAAS;AAAA,MACT,gBAAgB;AAAA,MAChB,WAAW;AAAA,MACX;AAAA,MACA,OAAO,uBAAuB,aAAa,OAAO,KAAK;AAAA,IACzD;AAAA,EACF;AAEA,SAAO;AAAA,IACL,SAAS;AAAA,IACT,gBAAgB;AAAA,IAChB,WAAW;AAAA,IACX;AAAA,EACF;AACF;AASO,IAAM,yBAAyB;AAK/B,SAAS,yBACd,cACA,WAAmB,wBACb;AACN,QAAM,WAAW,IAAI,KAAK,YAAY;AACtC,WAAS,QAAQ,SAAS,QAAQ,IAAI,QAAQ;AAC9C,SAAO;AACT;AAKO,SAAS,uBAAuB,iBAAgC;AACrE,SAAO,oBAAI,KAAK,IAAI;AACtB;;;AC1KO,IAAM,yBAA8E;AAAA,EACzF,4BAA4B;AAAA,EAC5B,iCAAiC;AAAA,EACjC,2BAA2B;AAAA,EAC3B,4CAA4C;AAAA,EAC5C,mBAAmB;AAAA;AACrB;","names":[]}

package/dist/utils/index.cjs

@@ -0,0 +1,167 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/utils/index.ts
+var utils_exports = {};
+__export(utils_exports, {
+  extractUuid: () => extractUuid,
+  generateDeterministicKey: () => generateDeterministicKey,
+  generateIdempotencyKey: () => generateIdempotencyKey,
+  generateInternalPaymentId: () => generateInternalPaymentId,
+  generateOperationKey: () => generateOperationKey,
+  getSignatureHeaderName: () => getSignatureHeaderName,
+  getSignatureVerifier: () => getSignatureVerifier,
+  isValidIdempotencyKey: () => isValidIdempotencyKey,
+  isValidInternalPaymentId: () => isValidInternalPaymentId,
+  registerSignatureVerifier: () => registerSignatureVerifier,
+  verifyHmacSha256Signature: () => verifyHmacSha256Signature,
+  verifySortedFieldsHmacSignature: () => verifySortedFieldsHmacSignature,
+  verifyStripeStyleSignature: () => verifyStripeStyleSignature,
+  verifyWebhookSignature: () => verifyWebhookSignature
+});
+module.exports = __toCommonJS(utils_exports);
+
+// src/utils/idempotency.ts
+var import_crypto = require("crypto");
+function generateInternalPaymentId() {
+  return `pay_${(0, import_crypto.randomUUID)()}`;
+}
+function generateIdempotencyKey() {
+  return `idem_${(0, import_crypto.randomUUID)()}`;
+}
+function generateDeterministicKey(...components) {
+  const data = components.join(":");
+  const hash = (0, import_crypto.createHash)("sha256").update(data).digest("hex");
+  return `idem_${hash.substring(0, 32)}`;
+}
+function generateOperationKey(operation, transactionId) {
+  return `${operation}_${transactionId}`;
+}
+function isValidIdempotencyKey(key) {
+  return /^idem_[a-f0-9-]{32,36}$/.test(key);
+}
+function isValidInternalPaymentId(id) {
+  return /^pay_[a-f0-9-]{36}$/.test(id);
+}
+function extractUuid(key) {
+  const match = key.match(/^(?:pay|idem)_([a-f0-9-]+)$/);
+  return match ? match[1] : null;
+}
+
+// src/utils/signature-verification.ts
+var import_crypto2 = require("crypto");
+function verifyStripeStyleSignature(payload, signature, secret, tolerance) {
+  try {
+    const elements = signature.split(",");
+    const timestamp = elements.find((e) => e.startsWith("t="))?.slice(2);
+    const sig = elements.find((e) => e.startsWith("v1="))?.slice(3);
+    if (!timestamp || !sig) {
+      return { valid: false, error: "Invalid signature format" };
+    }
+    const timestampNum = parseInt(timestamp, 10);
+    const now = Math.floor(Date.now() / 1e3);
+    if (Math.abs(now - timestampNum) > tolerance) {
+      return { valid: false, error: "Timestamp outside tolerance" };
+    }
+    const signedPayload = `${timestamp}.${payload}`;
+    const expectedSig = (0, import_crypto2.createHmac)("sha256", secret).update(signedPayload).digest("hex");
+    const valid = (0, import_crypto2.timingSafeEqual)(
+      Buffer.from(sig),
+      Buffer.from(expectedSig)
+    );
+    return { valid };
+  } catch (error) {
+    return {
+      valid: false,
+      error: error instanceof Error ? error.message : "Verification failed"
+    };
+  }
+}
+function verifySortedFieldsHmacSignature(payload, signature, secret, _tolerance) {
+  try {
+    const data = JSON.parse(payload);
+    const sortedKeys = Object.keys(data).sort();
+    const sortedPayload = sortedKeys.map((k) => `${k}=${data[k]}`).join("&");
+    const expectedSig = (0, import_crypto2.createHmac)("sha256", secret).update(sortedPayload).digest("hex");
+    const valid = (0, import_crypto2.timingSafeEqual)(
+      Buffer.from(signature.toLowerCase()),
+      Buffer.from(expectedSig)
+    );
+    return { valid };
+  } catch (error) {
+    return {
+      valid: false,
+      error: error instanceof Error ? error.message : "Verification failed"
+    };
+  }
+}
+function verifyHmacSha256Signature(payload, signature, secret, _tolerance) {
+  try {
+    const expectedSig = (0, import_crypto2.createHmac)("sha256", secret).update(payload).digest("hex");
+    const valid = (0, import_crypto2.timingSafeEqual)(
+      Buffer.from(signature.toLowerCase()),
+      Buffer.from(expectedSig.toLowerCase())
+    );
+    return { valid };
+  } catch (error) {
+    return {
+      valid: false,
+      error: error instanceof Error ? error.message : "Verification failed"
+    };
+  }
+}
+var verifierRegistry = /* @__PURE__ */ new Map();
+function registerSignatureVerifier(provider, verifier) {
+  verifierRegistry.set(provider, verifier);
+}
+function getSignatureVerifier(provider) {
+  return verifierRegistry.get(provider);
+}
+function verifyWebhookSignature(params) {
+  const { provider, payload, signature, secret, tolerance = 300 } = params;
+  if (!signature || !secret) {
+    return { valid: false, error: "Missing signature or secret" };
+  }
+  const verifier = verifierRegistry.get(provider);
+  if (verifier) {
+    return verifier(payload, signature, secret, tolerance);
+  }
+  return verifyHmacSha256Signature(payload, signature, secret, tolerance);
+}
+function getSignatureHeaderName(provider) {
+  return `x-${provider}-signature`;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  extractUuid,
+  generateDeterministicKey,
+  generateIdempotencyKey,
+  generateInternalPaymentId,
+  generateOperationKey,
+  getSignatureHeaderName,
+  getSignatureVerifier,
+  isValidIdempotencyKey,
+  isValidInternalPaymentId,
+  registerSignatureVerifier,
+  verifyHmacSha256Signature,
+  verifySortedFieldsHmacSignature,
+  verifyStripeStyleSignature,
+  verifyWebhookSignature
+});
+//# sourceMappingURL=index.cjs.map

package/dist/utils/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/utils/index.ts","../../src/utils/idempotency.ts","../../src/utils/signature-verification.ts"],"sourcesContent":["/**\r\n * @nehorai/payments - Utilities Exports\r\n */\r\n\r\n// Idempotency\r\nexport {\r\n  generateInternalPaymentId,\r\n  generateIdempotencyKey,\r\n  generateDeterministicKey,\r\n  generateOperationKey,\r\n  isValidIdempotencyKey,\r\n  isValidInternalPaymentId,\r\n  extractUuid,\r\n} from './idempotency.js'\r\n\r\n// Signature Verification\r\nexport {\r\n  verifyWebhookSignature,\r\n  verifyStripeStyleSignature,\r\n  verifySortedFieldsHmacSignature,\r\n  verifyHmacSha256Signature,\r\n  registerSignatureVerifier,\r\n  getSignatureVerifier,\r\n  getSignatureHeaderName,\r\n  type SignatureVerificationParams,\r\n  type SignatureVerificationResult,\r\n  type SignatureVerifier,\r\n} from './signature-verification.js'\r\n","/**\r\n * @nehorai/payments - Idempotency Utilities\r\n *\r\n * Generates and validates idempotency keys to prevent duplicate charges.\r\n * Framework-agnostic utility that can be used anywhere.\r\n */\r\n\r\nimport { randomUUID, createHash } from 'crypto'\r\n\r\n/**\r\n * Generate a unique internal payment ID\r\n * Format: pay_{uuid}\r\n */\r\nexport function generateInternalPaymentId(): string {\r\n  return `pay_${randomUUID()}`\r\n}\r\n\r\n/**\r\n * Generate an idempotency key for API calls\r\n * Format: idem_{uuid}\r\n */\r\nexport function generateIdempotencyKey(): string {\r\n  return `idem_${randomUUID()}`\r\n}\r\n\r\n/**\r\n * Generate a deterministic idempotency key based on inputs\r\n * Useful when you need the same key for retries\r\n *\r\n * @param components - Array of values to hash together\r\n */\r\nexport function generateDeterministicKey(\r\n  ...components: (string | number)[]\r\n): string {\r\n  const data = components.join(':')\r\n  const hash = createHash('sha256').update(data).digest('hex')\r\n  return `idem_${hash.substring(0, 32)}`\r\n}\r\n\r\n/**\r\n * Generate idempotency key for a specific operation\r\n *\r\n * @param operation - Type of operation (e.g., 'capture', 'refund')\r\n * @param transactionId - Associated transaction ID\r\n */\r\nexport function generateOperationKey(\r\n  operation: string,\r\n  transactionId: string\r\n): string {\r\n  return `${operation}_${transactionId}`\r\n}\r\n\r\n/**\r\n * Validate idempotency key format\r\n */\r\nexport function isValidIdempotencyKey(key: string): boolean {\r\n  return /^idem_[a-f0-9-]{32,36}$/.test(key)\r\n}\r\n\r\n/**\r\n * Validate internal payment ID format\r\n */\r\nexport function isValidInternalPaymentId(id: string): boolean {\r\n  return /^pay_[a-f0-9-]{36}$/.test(id)\r\n}\r\n\r\n/**\r\n * Extract UUID from payment ID or idempotency key\r\n */\r\nexport function extractUuid(key: string): string | null {\r\n  const match = key.match(/^(?:pay|idem)_([a-f0-9-]+)$/)\r\n  return match ? match[1] : null\r\n}\r\n","/**\r\n * @nehorai/payments - Webhook Signature Verification\r\n *\r\n * Verifies HMAC signatures from payment providers to prevent spoofing.\r\n * Provides generic verification functions plus a registry pattern\r\n * for provider-specific verification strategies.\r\n */\r\n\r\nimport { createHmac, createHash, timingSafeEqual } from 'crypto'\r\nimport type { PaymentProvider } from '../types/index.js'\r\n\r\n// ============================================================================\r\n// Types\r\n// ============================================================================\r\n\r\nexport interface SignatureVerificationParams {\r\n  provider: PaymentProvider\r\n  payload: string\r\n  signature: string\r\n  secret: string\r\n  /** Tolerance in seconds for timestamp validation (default: 300) */\r\n  tolerance?: number\r\n}\r\n\r\nexport interface SignatureVerificationResult {\r\n  valid: boolean\r\n  error?: string\r\n}\r\n\r\n/**\r\n * A function that verifies a webhook signature for a specific provider\r\n */\r\nexport type SignatureVerifier = (\r\n  payload: string,\r\n  signature: string,\r\n  secret: string,\r\n  tolerance: number\r\n) => SignatureVerificationResult\r\n\r\n// ============================================================================\r\n// Built-in Verification Strategies\r\n// ============================================================================\r\n\r\n/**\r\n * Verify a Stripe-style webhook signature\r\n * Stripe uses: t={timestamp},v1={signature}\r\n */\r\nexport function verifyStripeStyleSignature(\r\n  payload: string,\r\n  signature: string,\r\n  secret: string,\r\n  tolerance: number\r\n): SignatureVerificationResult {\r\n  try {\r\n    const elements = signature.split(',')\r\n    const timestamp = elements.find((e) => e.startsWith('t='))?.slice(2)\r\n    const sig = elements.find((e) => e.startsWith('v1='))?.slice(3)\r\n\r\n    if (!timestamp || !sig) {\r\n      return { valid: false, error: 'Invalid signature format' }\r\n    }\r\n\r\n    const timestampNum = parseInt(timestamp, 10)\r\n    const now = Math.floor(Date.now() / 1000)\r\n    if (Math.abs(now - timestampNum) > tolerance) {\r\n      return { valid: false, error: 'Timestamp outside tolerance' }\r\n    }\r\n\r\n    const signedPayload = `${timestamp}.${payload}`\r\n    const expectedSig = createHmac('sha256', secret)\r\n      .update(signedPayload)\r\n      .digest('hex')\r\n\r\n    const valid = timingSafeEqual(\r\n      Buffer.from(sig),\r\n      Buffer.from(expectedSig)\r\n    )\r\n\r\n    return { valid }\r\n  } catch (error) {\r\n    return {\r\n      valid: false,\r\n      error: error instanceof Error ? error.message : 'Verification failed',\r\n    }\r\n  }\r\n}\r\n\r\n/**\r\n * Verify an HMAC-SHA256 signature of sorted payload fields\r\n */\r\nexport function verifySortedFieldsHmacSignature(\r\n  payload: string,\r\n  signature: string,\r\n  secret: string,\r\n  _tolerance: number\r\n): SignatureVerificationResult {\r\n  try {\r\n    const data = JSON.parse(payload)\r\n    const sortedKeys = Object.keys(data).sort()\r\n    const sortedPayload = sortedKeys.map((k) => `${k}=${data[k]}`).join('&')\r\n\r\n    const expectedSig = createHmac('sha256', secret)\r\n      .update(sortedPayload)\r\n      .digest('hex')\r\n\r\n    const valid = timingSafeEqual(\r\n      Buffer.from(signature.toLowerCase()),\r\n      Buffer.from(expectedSig)\r\n    )\r\n\r\n    return { valid }\r\n  } catch (error) {\r\n    return {\r\n      valid: false,\r\n      error: error instanceof Error ? error.message : 'Verification failed',\r\n    }\r\n  }\r\n}\r\n\r\n/**\r\n * Verify a simple HMAC-SHA256 signature of the raw payload\r\n */\r\nexport function verifyHmacSha256Signature(\r\n  payload: string,\r\n  signature: string,\r\n  secret: string,\r\n  _tolerance: number\r\n): SignatureVerificationResult {\r\n  try {\r\n    const expectedSig = createHmac('sha256', secret)\r\n      .update(payload)\r\n      .digest('hex')\r\n\r\n    const valid = timingSafeEqual(\r\n      Buffer.from(signature.toLowerCase()),\r\n      Buffer.from(expectedSig.toLowerCase())\r\n    )\r\n\r\n    return { valid }\r\n  } catch (error) {\r\n    return {\r\n      valid: false,\r\n      error: error instanceof Error ? error.message : 'Verification failed',\r\n    }\r\n  }\r\n}\r\n\r\n// ============================================================================\r\n// Verifier Registry\r\n// ============================================================================\r\n\r\nconst verifierRegistry = new Map<string, SignatureVerifier>()\r\n\r\n/**\r\n * Register a custom signature verifier for a provider\r\n */\r\nexport function registerSignatureVerifier(\r\n  provider: PaymentProvider,\r\n  verifier: SignatureVerifier\r\n): void {\r\n  verifierRegistry.set(provider, verifier)\r\n}\r\n\r\n/**\r\n * Get the registered verifier for a provider\r\n */\r\nexport function getSignatureVerifier(provider: PaymentProvider): SignatureVerifier | undefined {\r\n  return verifierRegistry.get(provider)\r\n}\r\n\r\n// ============================================================================\r\n// Main Verification Function\r\n// ============================================================================\r\n\r\n/**\r\n * Verify webhook signature based on provider.\r\n * Uses registered verifiers. Falls back to HMAC-SHA256 if no verifier is registered.\r\n */\r\nexport function verifyWebhookSignature(\r\n  params: SignatureVerificationParams\r\n): SignatureVerificationResult {\r\n  const { provider, payload, signature, secret, tolerance = 300 } = params\r\n\r\n  if (!signature || !secret) {\r\n    return { valid: false, error: 'Missing signature or secret' }\r\n  }\r\n\r\n  const verifier = verifierRegistry.get(provider)\r\n  if (verifier) {\r\n    return verifier(payload, signature, secret, tolerance)\r\n  }\r\n\r\n  // Default: simple HMAC-SHA256\r\n  return verifyHmacSha256Signature(payload, signature, secret, tolerance)\r\n}\r\n\r\n/**\r\n * Get signature header name for a provider.\r\n * Returns a generic default; override per provider if needed.\r\n */\r\nexport function getSignatureHeaderName(provider: PaymentProvider): string {\r\n  return `x-${provider}-signature`\r\n}\r\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACOA,oBAAuC;AAMhC,SAAS,4BAAoC;AAClD,SAAO,WAAO,0BAAW,CAAC;AAC5B;AAMO,SAAS,yBAAiC;AAC/C,SAAO,YAAQ,0BAAW,CAAC;AAC7B;AAQO,SAAS,4BACX,YACK;AACR,QAAM,OAAO,WAAW,KAAK,GAAG;AAChC,QAAM,WAAO,0BAAW,QAAQ,EAAE,OAAO,IAAI,EAAE,OAAO,KAAK;AAC3D,SAAO,QAAQ,KAAK,UAAU,GAAG,EAAE,CAAC;AACtC;AAQO,SAAS,qBACd,WACA,eACQ;AACR,SAAO,GAAG,SAAS,IAAI,aAAa;AACtC;AAKO,SAAS,sBAAsB,KAAsB;AAC1D,SAAO,0BAA0B,KAAK,GAAG;AAC3C;AAKO,SAAS,yBAAyB,IAAqB;AAC5D,SAAO,sBAAsB,KAAK,EAAE;AACtC;AAKO,SAAS,YAAY,KAA4B;AACtD,QAAM,QAAQ,IAAI,MAAM,6BAA6B;AACrD,SAAO,QAAQ,MAAM,CAAC,IAAI;AAC5B;;;AChEA,IAAAA,iBAAwD;AAuCjD,SAAS,2BACd,SACA,WACA,QACA,WAC6B;AAC7B,MAAI;AACF,UAAM,WAAW,UAAU,MAAM,GAAG;AACpC,UAAM,YAAY,SAAS,KAAK,CAAC,MAAM,EAAE,WAAW,IAAI,CAAC,GAAG,MAAM,CAAC;AACnE,UAAM,MAAM,SAAS,KAAK,CAAC,MAAM,EAAE,WAAW,KAAK,CAAC,GAAG,MAAM,CAAC;AAE9D,QAAI,CAAC,aAAa,CAAC,KAAK;AACtB,aAAO,EAAE,OAAO,OAAO,OAAO,2BAA2B;AAAA,IAC3D;AAEA,UAAM,eAAe,SAAS,WAAW,EAAE;AAC3C,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,QAAI,KAAK,IAAI,MAAM,YAAY,IAAI,WAAW;AAC5C,aAAO,EAAE,OAAO,OAAO,OAAO,8BAA8B;AAAA,IAC9D;AAEA,UAAM,gBAAgB,GAAG,SAAS,IAAI,OAAO;AAC7C,UAAM,kBAAc,2BAAW,UAAU,MAAM,EAC5C,OAAO,aAAa,EACpB,OAAO,KAAK;AAEf,UAAM,YAAQ;AAAA,MACZ,OAAO,KAAK,GAAG;AAAA,MACf,OAAO,KAAK,WAAW;AAAA,IACzB;AAEA,WAAO,EAAE,MAAM;AAAA,EACjB,SAAS,OAAO;AACd,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAClD;AAAA,EACF;AACF;AAKO,SAAS,gCACd,SACA,WACA,QACA,YAC6B;AAC7B,MAAI;AACF,UAAM,OAAO,KAAK,MAAM,OAAO;AAC/B,UAAM,aAAa,OAAO,KAAK,IAAI,EAAE,KAAK;AAC1C,UAAM,gBAAgB,WAAW,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,CAAC,EAAE,EAAE,KAAK,GAAG;AAEvE,UAAM,kBAAc,2BAAW,UAAU,MAAM,EAC5C,OAAO,aAAa,EACpB,OAAO,KAAK;AAEf,UAAM,YAAQ;AAAA,MACZ,OAAO,KAAK,UAAU,YAAY,CAAC;AAAA,MACnC,OAAO,KAAK,WAAW;AAAA,IACzB;AAEA,WAAO,EAAE,MAAM;AAAA,EACjB,SAAS,OAAO;AACd,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAClD;AAAA,EACF;AACF;AAKO,SAAS,0BACd,SACA,WACA,QACA,YAC6B;AAC7B,MAAI;AACF,UAAM,kBAAc,2BAAW,UAAU,MAAM,EAC5C,OAAO,OAAO,EACd,OAAO,KAAK;AAEf,UAAM,YAAQ;AAAA,MACZ,OAAO,KAAK,UAAU,YAAY,CAAC;AAAA,MACnC,OAAO,KAAK,YAAY,YAAY,CAAC;AAAA,IACvC;AAEA,WAAO,EAAE,MAAM;AAAA,EACjB,SAAS,OAAO;AACd,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAClD;AAAA,EACF;AACF;AAMA,IAAM,mBAAmB,oBAAI,IAA+B;AAKrD,SAAS,0BACd,UACA,UACM;AACN,mBAAiB,IAAI,UAAU,QAAQ;AACzC;AAKO,SAAS,qBAAqB,UAA0D;AAC7F,SAAO,iBAAiB,IAAI,QAAQ;AACtC;AAUO,SAAS,uBACd,QAC6B;AAC7B,QAAM,EAAE,UAAU,SAAS,WAAW,QAAQ,YAAY,IAAI,IAAI;AAElE,MAAI,CAAC,aAAa,CAAC,QAAQ;AACzB,WAAO,EAAE,OAAO,OAAO,OAAO,8BAA8B;AAAA,EAC9D;AAEA,QAAM,WAAW,iBAAiB,IAAI,QAAQ;AAC9C,MAAI,UAAU;AACZ,WAAO,SAAS,SAAS,WAAW,QAAQ,SAAS;AAAA,EACvD;AAGA,SAAO,0BAA0B,SAAS,WAAW,QAAQ,SAAS;AACxE;AAMO,SAAS,uBAAuB,UAAmC;AACxE,SAAO,KAAK,QAAQ;AACtB;","names":["import_crypto"]}