@open-mercato/webhooks 0.5.1-develop.2912.8d7b1fef24 → 0.5.1-develop.2917.31ee9898e3

package/dist/modules/webhooks/lib/delivery.js

@@ -4,7 +4,11 @@ import { WebhookDeliveryEntity, WebhookEntity } from "../data/entities.js";
 import { emitWebhooksEvent } from "../events.js";
 import { enqueueWebhookDelivery } from "./queue.js";
 import { isWebhookIntegrationEnabled, WEBHOOK_INTEGRATION_DISABLED_MESSAGE } from "./integration-state.js";
-import { assertSafeWebhookDeliveryUrl, UnsafeWebhookUrlError } from "./url-safety.js";
+import {
+  assertSafeWebhookDeliveryUrl,
+  safeWebhookFetch,
+  UnsafeWebhookUrlError
+} from "./url-safety.js";
 async function createWebhookDelivery(input) {
   const bodyPayload = {
     type: input.eventId,
@@ -84,26 +88,12 @@ async function processWebhookDeliveryJob(em, job, options = {}) {
   try {
     await assertSafeWebhookDeliveryUrl(webhook.url);
   } catch (error) {
-    const message = error instanceof UnsafeWebhookUrlError ? error.message : "Webhook URL rejected by safety check";
-    delivery.status = "failed";
-    delivery.errorMessage = message;
-    delivery.nextRetryAt = null;
-    delivery.lastAttemptAt = /* @__PURE__ */ new Date();
-    delivery.attemptNumber += 1;
-    webhook.consecutiveFailures += 1;
-    webhook.lastFailureAt = /* @__PURE__ */ new Date();
-    await em.flush();
-    await emitWebhooksEvent("webhooks.delivery.failed", {
-      deliveryId: delivery.id,
-      webhookId: webhook.id,
-      eventType: delivery.eventType,
-      errorMessage: message,
-      durationMs: 0,
-      organizationId: delivery.organizationId,
-      tenantId: delivery.tenantId,
-      willRetry: false
+    return await recordWebhookSafetyFailure({
+      em,
+      delivery,
+      webhook,
+      error
     });
-    return { status: delivery.status, deliveryId: delivery.id };
   }
   const bodyPayload = normalizeWebhookBody(delivery.eventType, delivery.payload);
   delivery.payload = bodyPayload;
@@ -124,18 +114,22 @@ async function processWebhookDeliveryJob(em, job, options = {}) {
   try {
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), webhook.timeoutMs);
-    const response = await fetch(webhook.url, {
-      method: webhook.httpMethod,
-      redirect: "manual",
-      headers: {
-        "content-type": "application/json",
-        ...headers,
-        ...webhook.customHeaders ?? {}
-      },
-      body,
-      signal: controller.signal
-    });
-    clearTimeout(timeoutId);
+    let response;
+    try {
+      response = await safeWebhookFetch(webhook.url, {
+        method: webhook.httpMethod,
+        redirect: "manual",
+        headers: {
+          "content-type": "application/json",
+          ...headers,
+          ...webhook.customHeaders ?? {}
+        },
+        body,
+        signal: controller.signal
+      });
+    } finally {
+      clearTimeout(timeoutId);
+    }
     delivery.attemptNumber += 1;
     delivery.responseStatus = response.status;
     delivery.responseBody = (await response.text()).slice(0, 4096);
@@ -179,6 +173,17 @@ async function processWebhookDeliveryJob(em, job, options = {}) {
     });
     return { status: delivery.status, deliveryId: delivery.id };
   } catch (error) {
+    if (error instanceof UnsafeWebhookUrlError) {
+      const durationMs = Date.now() - delivery.enqueuedAt.getTime();
+      delivery.durationMs = durationMs;
+      return await recordWebhookSafetyFailure({
+        em,
+        delivery,
+        webhook,
+        error,
+        durationMs
+      });
+    }
     delivery.attemptNumber += 1;
     delivery.durationMs = Date.now() - delivery.enqueuedAt.getTime();
     delivery.lastAttemptAt = /* @__PURE__ */ new Date();
@@ -206,6 +211,29 @@ async function processWebhookDeliveryJob(em, job, options = {}) {
     return { status: delivery.status, deliveryId: delivery.id };
   }
 }
+async function recordWebhookSafetyFailure(input) {
+  const { em, delivery, webhook, error } = input;
+  const message = error instanceof UnsafeWebhookUrlError ? error.message : "Webhook URL rejected by safety check";
+  delivery.status = "failed";
+  delivery.errorMessage = message;
+  delivery.nextRetryAt = null;
+  delivery.lastAttemptAt = /* @__PURE__ */ new Date();
+  delivery.attemptNumber += 1;
+  webhook.consecutiveFailures += 1;
+  webhook.lastFailureAt = /* @__PURE__ */ new Date();
+  await em.flush();
+  await emitWebhooksEvent("webhooks.delivery.failed", {
+    deliveryId: delivery.id,
+    webhookId: webhook.id,
+    eventType: delivery.eventType,
+    errorMessage: message,
+    durationMs: input.durationMs ?? 0,
+    organizationId: delivery.organizationId,
+    tenantId: delivery.tenantId,
+    willRetry: false
+  });
+  return { status: delivery.status, deliveryId: delivery.id };
+}
 async function handleFailedDelivery(input) {
   const { delivery, webhook } = input;
   const retriesRemaining = delivery.attemptNumber < Math.max(delivery.maxAttempts, 1);

package/dist/modules/webhooks/lib/delivery.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/webhooks/lib/delivery.ts"],
-  "sourcesContent": ["import type { EntityManager } from '@mikro-orm/postgresql'\nimport { buildWebhookHeaders, generateMessageId } from '@open-mercato/shared/lib/webhooks'\nimport { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { WebhookDeliveryEntity, WebhookEntity } from '../data/entities'\nimport { emitWebhooksEvent } from '../events'\nimport { enqueueWebhookDelivery } from './queue'\nimport { isWebhookIntegrationEnabled, WEBHOOK_INTEGRATION_DISABLED_MESSAGE } from './integration-state'\nimport { assertSafeWebhookDeliveryUrl, UnsafeWebhookUrlError } from './url-safety'\n\nexport interface WebhookDeliveryJob {\n  deliveryId: string\n  tenantId: string\n  organizationId: string\n}\n\nexport interface CreateWebhookDeliveryInput {\n  em: EntityManager\n  webhook: WebhookEntity\n  eventId: string\n  payload: Record<string, unknown>\n}\n\ntype ProcessWebhookDeliveryOptions = {\n  scheduleRetries?: boolean\n}\n\ntype WebhookBody = {\n  type: string\n  timestamp: string\n  data: Record<string, unknown>\n}\n\nexport async function createWebhookDelivery(input: CreateWebhookDeliveryInput): Promise<WebhookDeliveryEntity> {\n  const bodyPayload: WebhookBody = {\n    type: input.eventId,\n    timestamp: new Date().toISOString(),\n    data: input.payload,\n  }\n  const now = new Date()\n\n  const delivery = input.em.create(WebhookDeliveryEntity, {\n    webhookId: input.webhook.id,\n    eventType: input.eventId,\n    messageId: generateMessageId(),\n    payload: bodyPayload,\n    status: 'pending',\n    attemptNumber: 0,\n    maxAttempts: input.webhook.maxRetries,\n    targetUrl: input.webhook.url,\n    organizationId: input.webhook.organizationId,\n    tenantId: input.webhook.tenantId,\n    enqueuedAt: now,\n    createdAt: now,\n    updatedAt: now,\n  })\n\n  await input.em.flush()\n  await emitWebhooksEvent('webhooks.delivery.enqueued', {\n    deliveryId: delivery.id,\n    webhookId: input.webhook.id,\n    eventType: input.eventId,\n    organizationId: input.webhook.organizationId,\n    tenantId: input.webhook.tenantId,\n  })\n  return delivery\n}\n\nexport async function processWebhookDeliveryJob(\n  em: EntityManager,\n  job: WebhookDeliveryJob,\n  options: ProcessWebhookDeliveryOptions = {},\n): Promise<{ status: string; deliveryId: string } | null> {\n  const delivery = await em.findOne(WebhookDeliveryEntity, {\n    id: job.deliveryId,\n    tenantId: job.tenantId,\n    organizationId: job.organizationId,\n  })\n\n  if (!delivery) return null\n\n  const webhook = await findOneWithDecryption(\n    em,\n    WebhookEntity,\n    {\n      id: delivery.webhookId,\n      tenantId: job.tenantId,\n      organizationId: job.organizationId,\n      deletedAt: null,\n    },\n    {},\n    { tenantId: job.tenantId, organizationId: job.organizationId },\n  )\n\n  if (!webhook) {\n    delivery.status = 'failed'\n    delivery.errorMessage = 'Webhook not found'\n    delivery.nextRetryAt = null\n    await em.flush()\n    return { status: delivery.status, deliveryId: delivery.id }\n  }\n\n  if (!webhook.isActive) {\n    delivery.status = 'expired'\n    delivery.errorMessage = 'Webhook is inactive'\n    delivery.nextRetryAt = null\n    await em.flush()\n    return { status: delivery.status, deliveryId: delivery.id }\n  }\n\n  const integrationEnabled = await isWebhookIntegrationEnabled(em, {\n    tenantId: webhook.tenantId,\n    organizationId: webhook.organizationId,\n  })\n\n  if (!integrationEnabled) {\n    delivery.status = 'expired'\n    delivery.errorMessage = WEBHOOK_INTEGRATION_DISABLED_MESSAGE\n    delivery.nextRetryAt = null\n    await em.flush()\n    return { status: delivery.status, deliveryId: delivery.id }\n  }\n\n  try {\n    await assertSafeWebhookDeliveryUrl(webhook.url)\n  } catch (error) {\n    const message = error instanceof UnsafeWebhookUrlError\n      ? error.message\n      : 'Webhook URL rejected by safety check'\n    delivery.status = 'failed'\n    delivery.errorMessage = message\n    delivery.nextRetryAt = null\n    delivery.lastAttemptAt = new Date()\n    delivery.attemptNumber += 1\n    webhook.consecutiveFailures += 1\n    webhook.lastFailureAt = new Date()\n    await em.flush()\n    await emitWebhooksEvent('webhooks.delivery.failed', {\n      deliveryId: delivery.id,\n      webhookId: webhook.id,\n      eventType: delivery.eventType,\n      errorMessage: message,\n      durationMs: 0,\n      organizationId: delivery.organizationId,\n      tenantId: delivery.tenantId,\n      willRetry: false,\n    })\n    return { status: delivery.status, deliveryId: delivery.id }\n  }\n\n  const bodyPayload = normalizeWebhookBody(delivery.eventType, delivery.payload)\n  delivery.payload = bodyPayload\n  delivery.status = 'sending'\n  delivery.lastAttemptAt = new Date()\n  delivery.errorMessage = null\n  await em.flush()\n\n  const body = JSON.stringify(bodyPayload)\n  const timestamp = Math.floor(Date.now() / 1000)\n  const headers = buildWebhookHeaders(\n    delivery.messageId,\n    timestamp,\n    body,\n    webhook.secret,\n    webhook.previousSecret,\n  )\n\n  const attemptStartedAt = Date.now()\n\n  try {\n    const controller = new AbortController()\n    const timeoutId = setTimeout(() => controller.abort(), webhook.timeoutMs)\n\n    const response = await fetch(webhook.url, {\n      method: webhook.httpMethod,\n      redirect: 'manual',\n      headers: {\n        'content-type': 'application/json',\n        ...headers,\n        ...(webhook.customHeaders ?? {}),\n      },\n      body,\n      signal: controller.signal,\n    })\n\n    clearTimeout(timeoutId)\n\n    delivery.attemptNumber += 1\n    delivery.responseStatus = response.status\n    delivery.responseBody = (await response.text()).slice(0, 4096)\n    delivery.responseHeaders = Object.fromEntries(response.headers.entries())\n    delivery.durationMs = Date.now() - delivery.enqueuedAt.getTime()\n    delivery.lastAttemptAt = new Date()\n\n    if (response.ok) {\n      delivery.status = 'delivered'\n      delivery.deliveredAt = new Date()\n      delivery.nextRetryAt = null\n      webhook.consecutiveFailures = 0\n      webhook.lastSuccessAt = new Date()\n\n      await emitWebhooksEvent('webhooks.delivery.succeeded', {\n        deliveryId: delivery.id,\n        webhookId: webhook.id,\n        eventType: delivery.eventType,\n        organizationId: delivery.organizationId,\n        tenantId: delivery.tenantId,\n      })\n\n      await em.flush()\n      return { status: delivery.status, deliveryId: delivery.id }\n    }\n\n    webhook.consecutiveFailures += 1\n    webhook.lastFailureAt = new Date()\n\n    await handleFailedDelivery({\n      em,\n      webhook,\n      delivery,\n      canRetry: shouldRetryStatus(response.status),\n      scheduleRetries: options.scheduleRetries !== false,\n      fallbackMessage: `HTTP ${response.status}`,\n    })\n\n    await emitWebhooksEvent('webhooks.delivery.failed', {\n      deliveryId: delivery.id,\n      webhookId: webhook.id,\n      eventType: delivery.eventType,\n      responseStatus: response.status,\n      organizationId: delivery.organizationId,\n      tenantId: delivery.tenantId,\n      willRetry: delivery.status === 'pending',\n    })\n\n    return { status: delivery.status, deliveryId: delivery.id }\n  } catch (error) {\n    delivery.attemptNumber += 1\n    delivery.durationMs = Date.now() - delivery.enqueuedAt.getTime()\n    delivery.lastAttemptAt = new Date()\n    delivery.errorMessage = error instanceof Error ? error.message : 'Unknown delivery error'\n\n    webhook.consecutiveFailures += 1\n    webhook.lastFailureAt = new Date()\n\n    await handleFailedDelivery({\n      em,\n      webhook,\n      delivery,\n      canRetry: true,\n      scheduleRetries: options.scheduleRetries !== false,\n      fallbackMessage: delivery.errorMessage,\n    })\n\n    await emitWebhooksEvent('webhooks.delivery.failed', {\n      deliveryId: delivery.id,\n      webhookId: webhook.id,\n      eventType: delivery.eventType,\n      errorMessage: delivery.errorMessage,\n      durationMs: Date.now() - attemptStartedAt,\n      organizationId: delivery.organizationId,\n      tenantId: delivery.tenantId,\n      willRetry: delivery.status === 'pending',\n    })\n\n    return { status: delivery.status, deliveryId: delivery.id }\n  }\n}\n\ntype HandleFailedDeliveryInput = {\n  em: EntityManager\n  webhook: WebhookEntity\n  delivery: WebhookDeliveryEntity\n  canRetry: boolean\n  scheduleRetries: boolean\n  fallbackMessage: string\n}\n\nasync function handleFailedDelivery(input: HandleFailedDeliveryInput): Promise<void> {\n  const { delivery, webhook } = input\n  const retriesRemaining = delivery.attemptNumber < Math.max(delivery.maxAttempts, 1)\n  const shouldRetry = input.canRetry && retriesRemaining\n\n  if (shouldRetry) {\n    const nextRetryAt = calculateNextRetry(delivery.attemptNumber)\n    delivery.status = 'pending'\n    delivery.nextRetryAt = nextRetryAt\n\n    await input.em.flush()\n\n    if (input.scheduleRetries) {\n      try {\n        await enqueueWebhookDelivery(\n          {\n            deliveryId: delivery.id,\n            tenantId: delivery.tenantId,\n            organizationId: delivery.organizationId,\n          },\n          Math.max(nextRetryAt.getTime() - Date.now(), 0),\n        )\n      } catch (error) {\n        delivery.status = 'failed'\n        delivery.nextRetryAt = null\n        delivery.errorMessage = error instanceof Error\n          ? `Retry scheduling failed: ${error.message}`\n          : 'Retry scheduling failed'\n      }\n    }\n  } else {\n    delivery.status = 'expired'\n    delivery.nextRetryAt = null\n\n    await emitWebhooksEvent('webhooks.delivery.exhausted', {\n      deliveryId: delivery.id,\n      webhookId: webhook.id,\n      eventType: delivery.eventType,\n      organizationId: delivery.organizationId,\n      tenantId: delivery.tenantId,\n      errorMessage: delivery.errorMessage ?? input.fallbackMessage,\n    })\n  }\n\n  if (webhook.autoDisableThreshold > 0 && webhook.consecutiveFailures >= webhook.autoDisableThreshold) {\n    webhook.isActive = false\n    await emitWebhooksEvent('webhooks.webhook.disabled', {\n      webhookId: webhook.id,\n      organizationId: webhook.organizationId,\n      tenantId: webhook.tenantId,\n      consecutiveFailures: webhook.consecutiveFailures,\n    })\n  }\n\n  await input.em.flush()\n}\n\nfunction normalizeWebhookBody(eventType: string, payload: Record<string, unknown>): WebhookBody {\n  const candidateType = typeof payload.type === 'string' ? payload.type : null\n  const candidateTimestamp = typeof payload.timestamp === 'string' ? payload.timestamp : null\n  const candidateData = isRecord(payload.data) ? payload.data : null\n\n  if (candidateType && candidateTimestamp && candidateData) {\n    return {\n      type: candidateType,\n      timestamp: candidateTimestamp,\n      data: candidateData,\n    }\n  }\n\n  return {\n    type: eventType,\n    timestamp: new Date().toISOString(),\n    data: payload,\n  }\n}\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n  return typeof value === 'object' && value !== null && !Array.isArray(value)\n}\n\nfunction shouldRetryStatus(status: number): boolean {\n  if (status >= 200 && status < 300) return false\n  if (status === 408 || status === 429) return true\n  return status >= 500\n}\n\nfunction calculateNextRetry(attemptNumber: number): Date {\n  const baseDelayMs = 1000\n  const jitterMs = Math.floor(Math.random() * 1000)\n  const delayMs = baseDelayMs * Math.pow(2, Math.max(attemptNumber - 1, 0)) + jitterMs\n  return new Date(Date.now() + delayMs)\n}\n"],
-  "mappings": "AACA,SAAS,qBAAqB,yBAAyB;AACvD,SAAS,6BAA6B;AACtC,SAAS,uBAAuB,qBAAqB;AACrD,SAAS,yBAAyB;AAClC,SAAS,8BAA8B;AACvC,SAAS,6BAA6B,4CAA4C;AAClF,SAAS,8BAA8B,6BAA6B;AAyBpE,eAAsB,sBAAsB,OAAmE;AAC7G,QAAM,cAA2B;AAAA,IAC/B,MAAM,MAAM;AAAA,IACZ,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC,MAAM,MAAM;AAAA,EACd;AACA,QAAM,MAAM,oBAAI,KAAK;AAErB,QAAM,WAAW,MAAM,GAAG,OAAO,uBAAuB;AAAA,IACtD,WAAW,MAAM,QAAQ;AAAA,IACzB,WAAW,MAAM;AAAA,IACjB,WAAW,kBAAkB;AAAA,IAC7B,SAAS;AAAA,IACT,QAAQ;AAAA,IACR,eAAe;AAAA,IACf,aAAa,MAAM,QAAQ;AAAA,IAC3B,WAAW,MAAM,QAAQ;AAAA,IACzB,gBAAgB,MAAM,QAAQ;AAAA,IAC9B,UAAU,MAAM,QAAQ;AAAA,IACxB,YAAY;AAAA,IACZ,WAAW;AAAA,IACX,WAAW;AAAA,EACb,CAAC;AAED,QAAM,MAAM,GAAG,MAAM;AACrB,QAAM,kBAAkB,8BAA8B;AAAA,IACpD,YAAY,SAAS;AAAA,IACrB,WAAW,MAAM,QAAQ;AAAA,IACzB,WAAW,MAAM;AAAA,IACjB,gBAAgB,MAAM,QAAQ;AAAA,IAC9B,UAAU,MAAM,QAAQ;AAAA,EAC1B,CAAC;AACD,SAAO;AACT;AAEA,eAAsB,0BACpB,IACA,KACA,UAAyC,CAAC,GACc;AACxD,QAAM,WAAW,MAAM,GAAG,QAAQ,uBAAuB;AAAA,IACvD,IAAI,IAAI;AAAA,IACR,UAAU,IAAI;AAAA,IACd,gBAAgB,IAAI;AAAA,EACtB,CAAC;AAED,MAAI,CAAC,SAAU,QAAO;AAEtB,QAAM,UAAU,MAAM;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,MACE,IAAI,SAAS;AAAA,MACb,UAAU,IAAI;AAAA,MACd,gBAAgB,IAAI;AAAA,MACpB,WAAW;AAAA,IACb;AAAA,IACA,CAAC;AAAA,IACD,EAAE,UAAU,IAAI,UAAU,gBAAgB,IAAI,eAAe;AAAA,EAC/D;AAEA,MAAI,CAAC,SAAS;AACZ,aAAS,SAAS;AAClB,aAAS,eAAe;AACxB,aAAS,cAAc;AACvB,UAAM,GAAG,MAAM;AACf,WAAO,EAAE,QAAQ,SAAS,QAAQ,YAAY,SAAS,GAAG;AAAA,EAC5D;AAEA,MAAI,CAAC,QAAQ,UAAU;AACrB,aAAS,SAAS;AAClB,aAAS,eAAe;AACxB,aAAS,cAAc;AACvB,UAAM,GAAG,MAAM;AACf,WAAO,EAAE,QAAQ,SAAS,QAAQ,YAAY,SAAS,GAAG;AAAA,EAC5D;AAEA,QAAM,qBAAqB,MAAM,4BAA4B,IAAI;AAAA,IAC/D,UAAU,QAAQ;AAAA,IAClB,gBAAgB,QAAQ;AAAA,EAC1B,CAAC;AAED,MAAI,CAAC,oBAAoB;AACvB,aAAS,SAAS;AAClB,aAAS,eAAe;AACxB,aAAS,cAAc;AACvB,UAAM,GAAG,MAAM;AACf,WAAO,EAAE,QAAQ,SAAS,QAAQ,YAAY,SAAS,GAAG;AAAA,EAC5D;AAEA,MAAI;AACF,UAAM,6BAA6B,QAAQ,GAAG;AAAA,EAChD,SAAS,OAAO;AACd,UAAM,UAAU,iBAAiB,wBAC7B,MAAM,UACN;AACJ,aAAS,SAAS;AAClB,aAAS,eAAe;AACxB,aAAS,cAAc;AACvB,aAAS,gBAAgB,oBAAI,KAAK;AAClC,aAAS,iBAAiB;AAC1B,YAAQ,uBAAuB;AAC/B,YAAQ,gBAAgB,oBAAI,KAAK;AACjC,UAAM,GAAG,MAAM;AACf,UAAM,kBAAkB,4BAA4B;AAAA,MAClD,YAAY,SAAS;AAAA,MACrB,WAAW,QAAQ;AAAA,MACnB,WAAW,SAAS;AAAA,MACpB,cAAc;AAAA,MACd,YAAY;AAAA,MACZ,gBAAgB,SAAS;AAAA,MACzB,UAAU,SAAS;AAAA,MACnB,WAAW;AAAA,IACb,CAAC;AACD,WAAO,EAAE,QAAQ,SAAS,QAAQ,YAAY,SAAS,GAAG;AAAA,EAC5D;AAEA,QAAM,cAAc,qBAAqB,SAAS,WAAW,SAAS,OAAO;AAC7E,WAAS,UAAU;AACnB,WAAS,SAAS;AAClB,WAAS,gBAAgB,oBAAI,KAAK;AAClC,WAAS,eAAe;AACxB,QAAM,GAAG,MAAM;AAEf,QAAM,OAAO,KAAK,UAAU,WAAW;AACvC,QAAM,YAAY,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAC9C,QAAM,UAAU;AAAA,IACd,SAAS;AAAA,IACT;AAAA,IACA;AAAA,IACA,QAAQ;AAAA,IACR,QAAQ;AAAA,EACV;AAEA,QAAM,mBAAmB,KAAK,IAAI;AAElC,MAAI;AACF,UAAM,aAAa,IAAI,gBAAgB;AACvC,UAAM,YAAY,WAAW,MAAM,WAAW,MAAM,GAAG,QAAQ,SAAS;AAExE,UAAM,WAAW,MAAM,MAAM,QAAQ,KAAK;AAAA,MACxC,QAAQ,QAAQ;AAAA,MAChB,UAAU;AAAA,MACV,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,GAAG;AAAA,QACH,GAAI,QAAQ,iBAAiB,CAAC;AAAA,MAChC;AAAA,MACA;AAAA,MACA,QAAQ,WAAW;AAAA,IACrB,CAAC;AAED,iBAAa,SAAS;AAEtB,aAAS,iBAAiB;AAC1B,aAAS,iBAAiB,SAAS;AACnC,aAAS,gBAAgB,MAAM,SAAS,KAAK,GAAG,MAAM,GAAG,IAAI;AAC7D,aAAS,kBAAkB,OAAO,YAAY,SAAS,QAAQ,QAAQ,CAAC;AACxE,aAAS,aAAa,KAAK,IAAI,IAAI,SAAS,WAAW,QAAQ;AAC/D,aAAS,gBAAgB,oBAAI,KAAK;AAElC,QAAI,SAAS,IAAI;AACf,eAAS,SAAS;AAClB,eAAS,cAAc,oBAAI,KAAK;AAChC,eAAS,cAAc;AACvB,cAAQ,sBAAsB;AAC9B,cAAQ,gBAAgB,oBAAI,KAAK;AAEjC,YAAM,kBAAkB,+BAA+B;AAAA,QACrD,YAAY,SAAS;AAAA,QACrB,WAAW,QAAQ;AAAA,QACnB,WAAW,SAAS;AAAA,QACpB,gBAAgB,SAAS;AAAA,QACzB,UAAU,SAAS;AAAA,MACrB,CAAC;AAED,YAAM,GAAG,MAAM;AACf,aAAO,EAAE,QAAQ,SAAS,QAAQ,YAAY,SAAS,GAAG;AAAA,IAC5D;AAEA,YAAQ,uBAAuB;AAC/B,YAAQ,gBAAgB,oBAAI,KAAK;AAEjC,UAAM,qBAAqB;AAAA,MACzB;AAAA,MACA;AAAA,MACA;AAAA,MACA,UAAU,kBAAkB,SAAS,MAAM;AAAA,MAC3C,iBAAiB,QAAQ,oBAAoB;AAAA,MAC7C,iBAAiB,QAAQ,SAAS,MAAM;AAAA,IAC1C,CAAC;AAED,UAAM,kBAAkB,4BAA4B;AAAA,MAClD,YAAY,SAAS;AAAA,MACrB,WAAW,QAAQ;AAAA,MACnB,WAAW,SAAS;AAAA,MACpB,gBAAgB,SAAS;AAAA,MACzB,gBAAgB,SAAS;AAAA,MACzB,UAAU,SAAS;AAAA,MACnB,WAAW,SAAS,WAAW;AAAA,IACjC,CAAC;AAED,WAAO,EAAE,QAAQ,SAAS,QAAQ,YAAY,SAAS,GAAG;AAAA,EAC5D,SAAS,OAAO;AACd,aAAS,iBAAiB;AAC1B,aAAS,aAAa,KAAK,IAAI,IAAI,SAAS,WAAW,QAAQ;AAC/D,aAAS,gBAAgB,oBAAI,KAAK;AAClC,aAAS,eAAe,iBAAiB,QAAQ,MAAM,UAAU;AAEjE,YAAQ,uBAAuB;AAC/B,YAAQ,gBAAgB,oBAAI,KAAK;AAEjC,UAAM,qBAAqB;AAAA,MACzB;AAAA,MACA;AAAA,MACA;AAAA,MACA,UAAU;AAAA,MACV,iBAAiB,QAAQ,oBAAoB;AAAA,MAC7C,iBAAiB,SAAS;AAAA,IAC5B,CAAC;AAED,UAAM,kBAAkB,4BAA4B;AAAA,MAClD,YAAY,SAAS;AAAA,MACrB,WAAW,QAAQ;AAAA,MACnB,WAAW,SAAS;AAAA,MACpB,cAAc,SAAS;AAAA,MACvB,YAAY,KAAK,IAAI,IAAI;AAAA,MACzB,gBAAgB,SAAS;AAAA,MACzB,UAAU,SAAS;AAAA,MACnB,WAAW,SAAS,WAAW;AAAA,IACjC,CAAC;AAED,WAAO,EAAE,QAAQ,SAAS,QAAQ,YAAY,SAAS,GAAG;AAAA,EAC5D;AACF;AAWA,eAAe,qBAAqB,OAAiD;AACnF,QAAM,EAAE,UAAU,QAAQ,IAAI;AAC9B,QAAM,mBAAmB,SAAS,gBAAgB,KAAK,IAAI,SAAS,aAAa,CAAC;AAClF,QAAM,cAAc,MAAM,YAAY;AAEtC,MAAI,aAAa;AACf,UAAM,cAAc,mBAAmB,SAAS,aAAa;AAC7D,aAAS,SAAS;AAClB,aAAS,cAAc;AAEvB,UAAM,MAAM,GAAG,MAAM;AAErB,QAAI,MAAM,iBAAiB;AACzB,UAAI;AACF,cAAM;AAAA,UACJ;AAAA,YACE,YAAY,SAAS;AAAA,YACrB,UAAU,SAAS;AAAA,YACnB,gBAAgB,SAAS;AAAA,UAC3B;AAAA,UACA,KAAK,IAAI,YAAY,QAAQ,IAAI,KAAK,IAAI,GAAG,CAAC;AAAA,QAChD;AAAA,MACF,SAAS,OAAO;AACd,iBAAS,SAAS;AAClB,iBAAS,cAAc;AACvB,iBAAS,eAAe,iBAAiB,QACrC,4BAA4B,MAAM,OAAO,KACzC;AAAA,MACN;AAAA,IACF;AAAA,EACF,OAAO;AACL,aAAS,SAAS;AAClB,aAAS,cAAc;AAEvB,UAAM,kBAAkB,+BAA+B;AAAA,MACrD,YAAY,SAAS;AAAA,MACrB,WAAW,QAAQ;AAAA,MACnB,WAAW,SAAS;AAAA,MACpB,gBAAgB,SAAS;AAAA,MACzB,UAAU,SAAS;AAAA,MACnB,cAAc,SAAS,gBAAgB,MAAM;AAAA,IAC/C,CAAC;AAAA,EACH;AAEA,MAAI,QAAQ,uBAAuB,KAAK,QAAQ,uBAAuB,QAAQ,sBAAsB;AACnG,YAAQ,WAAW;AACnB,UAAM,kBAAkB,6BAA6B;AAAA,MACnD,WAAW,QAAQ;AAAA,MACnB,gBAAgB,QAAQ;AAAA,MACxB,UAAU,QAAQ;AAAA,MAClB,qBAAqB,QAAQ;AAAA,IAC/B,CAAC;AAAA,EACH;AAEA,QAAM,MAAM,GAAG,MAAM;AACvB;AAEA,SAAS,qBAAqB,WAAmB,SAA+C;AAC9F,QAAM,gBAAgB,OAAO,QAAQ,SAAS,WAAW,QAAQ,OAAO;AACxE,QAAM,qBAAqB,OAAO,QAAQ,cAAc,WAAW,QAAQ,YAAY;AACvF,QAAM,gBAAgB,SAAS,QAAQ,IAAI,IAAI,QAAQ,OAAO;AAE9D,MAAI,iBAAiB,sBAAsB,eAAe;AACxD,WAAO;AAAA,MACL,MAAM;AAAA,MACN,WAAW;AAAA,MACX,MAAM;AAAA,IACR;AAAA,EACF;AAEA,SAAO;AAAA,IACL,MAAM;AAAA,IACN,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC,MAAM;AAAA,EACR;AACF;AAEA,SAAS,SAAS,OAAkD;AAClE,SAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,KAAK;AAC5E;AAEA,SAAS,kBAAkB,QAAyB;AAClD,MAAI,UAAU,OAAO,SAAS,IAAK,QAAO;AAC1C,MAAI,WAAW,OAAO,WAAW,IAAK,QAAO;AAC7C,SAAO,UAAU;AACnB;AAEA,SAAS,mBAAmB,eAA6B;AACvD,QAAM,cAAc;AACpB,QAAM,WAAW,KAAK,MAAM,KAAK,OAAO,IAAI,GAAI;AAChD,QAAM,UAAU,cAAc,KAAK,IAAI,GAAG,KAAK,IAAI,gBAAgB,GAAG,CAAC,CAAC,IAAI;AAC5E,SAAO,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO;AACtC;",
+  "sourcesContent": ["import type { EntityManager } from '@mikro-orm/postgresql'\nimport { buildWebhookHeaders, generateMessageId } from '@open-mercato/shared/lib/webhooks'\nimport { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { WebhookDeliveryEntity, WebhookEntity } from '../data/entities'\nimport { emitWebhooksEvent } from '../events'\nimport { enqueueWebhookDelivery } from './queue'\nimport { isWebhookIntegrationEnabled, WEBHOOK_INTEGRATION_DISABLED_MESSAGE } from './integration-state'\nimport {\n  assertSafeWebhookDeliveryUrl,\n  safeWebhookFetch,\n  UnsafeWebhookUrlError,\n} from './url-safety'\n\nexport interface WebhookDeliveryJob {\n  deliveryId: string\n  tenantId: string\n  organizationId: string\n}\n\nexport interface CreateWebhookDeliveryInput {\n  em: EntityManager\n  webhook: WebhookEntity\n  eventId: string\n  payload: Record<string, unknown>\n}\n\ntype ProcessWebhookDeliveryOptions = {\n  scheduleRetries?: boolean\n}\n\ntype WebhookBody = {\n  type: string\n  timestamp: string\n  data: Record<string, unknown>\n}\n\nexport async function createWebhookDelivery(input: CreateWebhookDeliveryInput): Promise<WebhookDeliveryEntity> {\n  const bodyPayload: WebhookBody = {\n    type: input.eventId,\n    timestamp: new Date().toISOString(),\n    data: input.payload,\n  }\n  const now = new Date()\n\n  const delivery = input.em.create(WebhookDeliveryEntity, {\n    webhookId: input.webhook.id,\n    eventType: input.eventId,\n    messageId: generateMessageId(),\n    payload: bodyPayload,\n    status: 'pending',\n    attemptNumber: 0,\n    maxAttempts: input.webhook.maxRetries,\n    targetUrl: input.webhook.url,\n    organizationId: input.webhook.organizationId,\n    tenantId: input.webhook.tenantId,\n    enqueuedAt: now,\n    createdAt: now,\n    updatedAt: now,\n  })\n\n  await input.em.flush()\n  await emitWebhooksEvent('webhooks.delivery.enqueued', {\n    deliveryId: delivery.id,\n    webhookId: input.webhook.id,\n    eventType: input.eventId,\n    organizationId: input.webhook.organizationId,\n    tenantId: input.webhook.tenantId,\n  })\n  return delivery\n}\n\nexport async function processWebhookDeliveryJob(\n  em: EntityManager,\n  job: WebhookDeliveryJob,\n  options: ProcessWebhookDeliveryOptions = {},\n): Promise<{ status: string; deliveryId: string } | null> {\n  const delivery = await em.findOne(WebhookDeliveryEntity, {\n    id: job.deliveryId,\n    tenantId: job.tenantId,\n    organizationId: job.organizationId,\n  })\n\n  if (!delivery) return null\n\n  const webhook = await findOneWithDecryption(\n    em,\n    WebhookEntity,\n    {\n      id: delivery.webhookId,\n      tenantId: job.tenantId,\n      organizationId: job.organizationId,\n      deletedAt: null,\n    },\n    {},\n    { tenantId: job.tenantId, organizationId: job.organizationId },\n  )\n\n  if (!webhook) {\n    delivery.status = 'failed'\n    delivery.errorMessage = 'Webhook not found'\n    delivery.nextRetryAt = null\n    await em.flush()\n    return { status: delivery.status, deliveryId: delivery.id }\n  }\n\n  if (!webhook.isActive) {\n    delivery.status = 'expired'\n    delivery.errorMessage = 'Webhook is inactive'\n    delivery.nextRetryAt = null\n    await em.flush()\n    return { status: delivery.status, deliveryId: delivery.id }\n  }\n\n  const integrationEnabled = await isWebhookIntegrationEnabled(em, {\n    tenantId: webhook.tenantId,\n    organizationId: webhook.organizationId,\n  })\n\n  if (!integrationEnabled) {\n    delivery.status = 'expired'\n    delivery.errorMessage = WEBHOOK_INTEGRATION_DISABLED_MESSAGE\n    delivery.nextRetryAt = null\n    await em.flush()\n    return { status: delivery.status, deliveryId: delivery.id }\n  }\n\n  try {\n    await assertSafeWebhookDeliveryUrl(webhook.url)\n  } catch (error) {\n    return await recordWebhookSafetyFailure({\n      em,\n      delivery,\n      webhook,\n      error,\n    })\n  }\n\n  const bodyPayload = normalizeWebhookBody(delivery.eventType, delivery.payload)\n  delivery.payload = bodyPayload\n  delivery.status = 'sending'\n  delivery.lastAttemptAt = new Date()\n  delivery.errorMessage = null\n  await em.flush()\n\n  const body = JSON.stringify(bodyPayload)\n  const timestamp = Math.floor(Date.now() / 1000)\n  const headers = buildWebhookHeaders(\n    delivery.messageId,\n    timestamp,\n    body,\n    webhook.secret,\n    webhook.previousSecret,\n  )\n\n  const attemptStartedAt = Date.now()\n\n  try {\n    const controller = new AbortController()\n    const timeoutId = setTimeout(() => controller.abort(), webhook.timeoutMs)\n\n    let response: Response\n    try {\n      response = await safeWebhookFetch(webhook.url, {\n        method: webhook.httpMethod,\n        redirect: 'manual',\n        headers: {\n          'content-type': 'application/json',\n          ...headers,\n          ...(webhook.customHeaders ?? {}),\n        },\n        body,\n        signal: controller.signal,\n      })\n    } finally {\n      clearTimeout(timeoutId)\n    }\n\n    delivery.attemptNumber += 1\n    delivery.responseStatus = response.status\n    delivery.responseBody = (await response.text()).slice(0, 4096)\n    delivery.responseHeaders = Object.fromEntries(response.headers.entries())\n    delivery.durationMs = Date.now() - delivery.enqueuedAt.getTime()\n    delivery.lastAttemptAt = new Date()\n\n    if (response.ok) {\n      delivery.status = 'delivered'\n      delivery.deliveredAt = new Date()\n      delivery.nextRetryAt = null\n      webhook.consecutiveFailures = 0\n      webhook.lastSuccessAt = new Date()\n\n      await emitWebhooksEvent('webhooks.delivery.succeeded', {\n        deliveryId: delivery.id,\n        webhookId: webhook.id,\n        eventType: delivery.eventType,\n        organizationId: delivery.organizationId,\n        tenantId: delivery.tenantId,\n      })\n\n      await em.flush()\n      return { status: delivery.status, deliveryId: delivery.id }\n    }\n\n    webhook.consecutiveFailures += 1\n    webhook.lastFailureAt = new Date()\n\n    await handleFailedDelivery({\n      em,\n      webhook,\n      delivery,\n      canRetry: shouldRetryStatus(response.status),\n      scheduleRetries: options.scheduleRetries !== false,\n      fallbackMessage: `HTTP ${response.status}`,\n    })\n\n    await emitWebhooksEvent('webhooks.delivery.failed', {\n      deliveryId: delivery.id,\n      webhookId: webhook.id,\n      eventType: delivery.eventType,\n      responseStatus: response.status,\n      organizationId: delivery.organizationId,\n      tenantId: delivery.tenantId,\n      willRetry: delivery.status === 'pending',\n    })\n\n    return { status: delivery.status, deliveryId: delivery.id }\n  } catch (error) {\n    if (error instanceof UnsafeWebhookUrlError) {\n      // DNS rebinding caught between the upfront safety check and the pinned connect:\n      // the same attacker-controlled DNS would defeat retries too, so fail terminally.\n      const durationMs = Date.now() - delivery.enqueuedAt.getTime()\n      delivery.durationMs = durationMs\n      return await recordWebhookSafetyFailure({\n        em,\n        delivery,\n        webhook,\n        error,\n        durationMs,\n      })\n    }\n\n    delivery.attemptNumber += 1\n    delivery.durationMs = Date.now() - delivery.enqueuedAt.getTime()\n    delivery.lastAttemptAt = new Date()\n    delivery.errorMessage = error instanceof Error ? error.message : 'Unknown delivery error'\n\n    webhook.consecutiveFailures += 1\n    webhook.lastFailureAt = new Date()\n\n    await handleFailedDelivery({\n      em,\n      webhook,\n      delivery,\n      canRetry: true,\n      scheduleRetries: options.scheduleRetries !== false,\n      fallbackMessage: delivery.errorMessage,\n    })\n\n    await emitWebhooksEvent('webhooks.delivery.failed', {\n      deliveryId: delivery.id,\n      webhookId: webhook.id,\n      eventType: delivery.eventType,\n      errorMessage: delivery.errorMessage,\n      durationMs: Date.now() - attemptStartedAt,\n      organizationId: delivery.organizationId,\n      tenantId: delivery.tenantId,\n      willRetry: delivery.status === 'pending',\n    })\n\n    return { status: delivery.status, deliveryId: delivery.id }\n  }\n}\n\ntype RecordWebhookSafetyFailureInput = {\n  em: EntityManager\n  delivery: WebhookDeliveryEntity\n  webhook: WebhookEntity\n  error: unknown\n  durationMs?: number | null\n}\n\nasync function recordWebhookSafetyFailure(\n  input: RecordWebhookSafetyFailureInput,\n): Promise<{ status: string; deliveryId: string }> {\n  const { em, delivery, webhook, error } = input\n  const message = error instanceof UnsafeWebhookUrlError\n    ? error.message\n    : 'Webhook URL rejected by safety check'\n\n  delivery.status = 'failed'\n  delivery.errorMessage = message\n  delivery.nextRetryAt = null\n  delivery.lastAttemptAt = new Date()\n  delivery.attemptNumber += 1\n  webhook.consecutiveFailures += 1\n  webhook.lastFailureAt = new Date()\n  await em.flush()\n\n  await emitWebhooksEvent('webhooks.delivery.failed', {\n    deliveryId: delivery.id,\n    webhookId: webhook.id,\n    eventType: delivery.eventType,\n    errorMessage: message,\n    durationMs: input.durationMs ?? 0,\n    organizationId: delivery.organizationId,\n    tenantId: delivery.tenantId,\n    willRetry: false,\n  })\n\n  return { status: delivery.status, deliveryId: delivery.id }\n}\n\ntype HandleFailedDeliveryInput = {\n  em: EntityManager\n  webhook: WebhookEntity\n  delivery: WebhookDeliveryEntity\n  canRetry: boolean\n  scheduleRetries: boolean\n  fallbackMessage: string\n}\n\nasync function handleFailedDelivery(input: HandleFailedDeliveryInput): Promise<void> {\n  const { delivery, webhook } = input\n  const retriesRemaining = delivery.attemptNumber < Math.max(delivery.maxAttempts, 1)\n  const shouldRetry = input.canRetry && retriesRemaining\n\n  if (shouldRetry) {\n    const nextRetryAt = calculateNextRetry(delivery.attemptNumber)\n    delivery.status = 'pending'\n    delivery.nextRetryAt = nextRetryAt\n\n    await input.em.flush()\n\n    if (input.scheduleRetries) {\n      try {\n        await enqueueWebhookDelivery(\n          {\n            deliveryId: delivery.id,\n            tenantId: delivery.tenantId,\n            organizationId: delivery.organizationId,\n          },\n          Math.max(nextRetryAt.getTime() - Date.now(), 0),\n        )\n      } catch (error) {\n        delivery.status = 'failed'\n        delivery.nextRetryAt = null\n        delivery.errorMessage = error instanceof Error\n          ? `Retry scheduling failed: ${error.message}`\n          : 'Retry scheduling failed'\n      }\n    }\n  } else {\n    delivery.status = 'expired'\n    delivery.nextRetryAt = null\n\n    await emitWebhooksEvent('webhooks.delivery.exhausted', {\n      deliveryId: delivery.id,\n      webhookId: webhook.id,\n      eventType: delivery.eventType,\n      organizationId: delivery.organizationId,\n      tenantId: delivery.tenantId,\n      errorMessage: delivery.errorMessage ?? input.fallbackMessage,\n    })\n  }\n\n  if (webhook.autoDisableThreshold > 0 && webhook.consecutiveFailures >= webhook.autoDisableThreshold) {\n    webhook.isActive = false\n    await emitWebhooksEvent('webhooks.webhook.disabled', {\n      webhookId: webhook.id,\n      organizationId: webhook.organizationId,\n      tenantId: webhook.tenantId,\n      consecutiveFailures: webhook.consecutiveFailures,\n    })\n  }\n\n  await input.em.flush()\n}\n\nfunction normalizeWebhookBody(eventType: string, payload: Record<string, unknown>): WebhookBody {\n  const candidateType = typeof payload.type === 'string' ? payload.type : null\n  const candidateTimestamp = typeof payload.timestamp === 'string' ? payload.timestamp : null\n  const candidateData = isRecord(payload.data) ? payload.data : null\n\n  if (candidateType && candidateTimestamp && candidateData) {\n    return {\n      type: candidateType,\n      timestamp: candidateTimestamp,\n      data: candidateData,\n    }\n  }\n\n  return {\n    type: eventType,\n    timestamp: new Date().toISOString(),\n    data: payload,\n  }\n}\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n  return typeof value === 'object' && value !== null && !Array.isArray(value)\n}\n\nfunction shouldRetryStatus(status: number): boolean {\n  if (status >= 200 && status < 300) return false\n  if (status === 408 || status === 429) return true\n  return status >= 500\n}\n\nfunction calculateNextRetry(attemptNumber: number): Date {\n  const baseDelayMs = 1000\n  const jitterMs = Math.floor(Math.random() * 1000)\n  const delayMs = baseDelayMs * Math.pow(2, Math.max(attemptNumber - 1, 0)) + jitterMs\n  return new Date(Date.now() + delayMs)\n}\n"],
+  "mappings": "AACA,SAAS,qBAAqB,yBAAyB;AACvD,SAAS,6BAA6B;AACtC,SAAS,uBAAuB,qBAAqB;AACrD,SAAS,yBAAyB;AAClC,SAAS,8BAA8B;AACvC,SAAS,6BAA6B,4CAA4C;AAClF;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAyBP,eAAsB,sBAAsB,OAAmE;AAC7G,QAAM,cAA2B;AAAA,IAC/B,MAAM,MAAM;AAAA,IACZ,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC,MAAM,MAAM;AAAA,EACd;AACA,QAAM,MAAM,oBAAI,KAAK;AAErB,QAAM,WAAW,MAAM,GAAG,OAAO,uBAAuB;AAAA,IACtD,WAAW,MAAM,QAAQ;AAAA,IACzB,WAAW,MAAM;AAAA,IACjB,WAAW,kBAAkB;AAAA,IAC7B,SAAS;AAAA,IACT,QAAQ;AAAA,IACR,eAAe;AAAA,IACf,aAAa,MAAM,QAAQ;AAAA,IAC3B,WAAW,MAAM,QAAQ;AAAA,IACzB,gBAAgB,MAAM,QAAQ;AAAA,IAC9B,UAAU,MAAM,QAAQ;AAAA,IACxB,YAAY;AAAA,IACZ,WAAW;AAAA,IACX,WAAW;AAAA,EACb,CAAC;AAED,QAAM,MAAM,GAAG,MAAM;AACrB,QAAM,kBAAkB,8BAA8B;AAAA,IACpD,YAAY,SAAS;AAAA,IACrB,WAAW,MAAM,QAAQ;AAAA,IACzB,WAAW,MAAM;AAAA,IACjB,gBAAgB,MAAM,QAAQ;AAAA,IAC9B,UAAU,MAAM,QAAQ;AAAA,EAC1B,CAAC;AACD,SAAO;AACT;AAEA,eAAsB,0BACpB,IACA,KACA,UAAyC,CAAC,GACc;AACxD,QAAM,WAAW,MAAM,GAAG,QAAQ,uBAAuB;AAAA,IACvD,IAAI,IAAI;AAAA,IACR,UAAU,IAAI;AAAA,IACd,gBAAgB,IAAI;AAAA,EACtB,CAAC;AAED,MAAI,CAAC,SAAU,QAAO;AAEtB,QAAM,UAAU,MAAM;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,MACE,IAAI,SAAS;AAAA,MACb,UAAU,IAAI;AAAA,MACd,gBAAgB,IAAI;AAAA,MACpB,WAAW;AAAA,IACb;AAAA,IACA,CAAC;AAAA,IACD,EAAE,UAAU,IAAI,UAAU,gBAAgB,IAAI,eAAe;AAAA,EAC/D;AAEA,MAAI,CAAC,SAAS;AACZ,aAAS,SAAS;AAClB,aAAS,eAAe;AACxB,aAAS,cAAc;AACvB,UAAM,GAAG,MAAM;AACf,WAAO,EAAE,QAAQ,SAAS,QAAQ,YAAY,SAAS,GAAG;AAAA,EAC5D;AAEA,MAAI,CAAC,QAAQ,UAAU;AACrB,aAAS,SAAS;AAClB,aAAS,eAAe;AACxB,aAAS,cAAc;AACvB,UAAM,GAAG,MAAM;AACf,WAAO,EAAE,QAAQ,SAAS,QAAQ,YAAY,SAAS,GAAG;AAAA,EAC5D;AAEA,QAAM,qBAAqB,MAAM,4BAA4B,IAAI;AAAA,IAC/D,UAAU,QAAQ;AAAA,IAClB,gBAAgB,QAAQ;AAAA,EAC1B,CAAC;AAED,MAAI,CAAC,oBAAoB;AACvB,aAAS,SAAS;AAClB,aAAS,eAAe;AACxB,aAAS,cAAc;AACvB,UAAM,GAAG,MAAM;AACf,WAAO,EAAE,QAAQ,SAAS,QAAQ,YAAY,SAAS,GAAG;AAAA,EAC5D;AAEA,MAAI;AACF,UAAM,6BAA6B,QAAQ,GAAG;AAAA,EAChD,SAAS,OAAO;AACd,WAAO,MAAM,2BAA2B;AAAA,MACtC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,qBAAqB,SAAS,WAAW,SAAS,OAAO;AAC7E,WAAS,UAAU;AACnB,WAAS,SAAS;AAClB,WAAS,gBAAgB,oBAAI,KAAK;AAClC,WAAS,eAAe;AACxB,QAAM,GAAG,MAAM;AAEf,QAAM,OAAO,KAAK,UAAU,WAAW;AACvC,QAAM,YAAY,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAC9C,QAAM,UAAU;AAAA,IACd,SAAS;AAAA,IACT;AAAA,IACA;AAAA,IACA,QAAQ;AAAA,IACR,QAAQ;AAAA,EACV;AAEA,QAAM,mBAAmB,KAAK,IAAI;AAElC,MAAI;AACF,UAAM,aAAa,IAAI,gBAAgB;AACvC,UAAM,YAAY,WAAW,MAAM,WAAW,MAAM,GAAG,QAAQ,SAAS;AAExE,QAAI;AACJ,QAAI;AACF,iBAAW,MAAM,iBAAiB,QAAQ,KAAK;AAAA,QAC7C,QAAQ,QAAQ;AAAA,QAChB,UAAU;AAAA,QACV,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,GAAG;AAAA,UACH,GAAI,QAAQ,iBAAiB,CAAC;AAAA,QAChC;AAAA,QACA;AAAA,QACA,QAAQ,WAAW;AAAA,MACrB,CAAC;AAAA,IACH,UAAE;AACA,mBAAa,SAAS;AAAA,IACxB;AAEA,aAAS,iBAAiB;AAC1B,aAAS,iBAAiB,SAAS;AACnC,aAAS,gBAAgB,MAAM,SAAS,KAAK,GAAG,MAAM,GAAG,IAAI;AAC7D,aAAS,kBAAkB,OAAO,YAAY,SAAS,QAAQ,QAAQ,CAAC;AACxE,aAAS,aAAa,KAAK,IAAI,IAAI,SAAS,WAAW,QAAQ;AAC/D,aAAS,gBAAgB,oBAAI,KAAK;AAElC,QAAI,SAAS,IAAI;AACf,eAAS,SAAS;AAClB,eAAS,cAAc,oBAAI,KAAK;AAChC,eAAS,cAAc;AACvB,cAAQ,sBAAsB;AAC9B,cAAQ,gBAAgB,oBAAI,KAAK;AAEjC,YAAM,kBAAkB,+BAA+B;AAAA,QACrD,YAAY,SAAS;AAAA,QACrB,WAAW,QAAQ;AAAA,QACnB,WAAW,SAAS;AAAA,QACpB,gBAAgB,SAAS;AAAA,QACzB,UAAU,SAAS;AAAA,MACrB,CAAC;AAED,YAAM,GAAG,MAAM;AACf,aAAO,EAAE,QAAQ,SAAS,QAAQ,YAAY,SAAS,GAAG;AAAA,IAC5D;AAEA,YAAQ,uBAAuB;AAC/B,YAAQ,gBAAgB,oBAAI,KAAK;AAEjC,UAAM,qBAAqB;AAAA,MACzB;AAAA,MACA;AAAA,MACA;AAAA,MACA,UAAU,kBAAkB,SAAS,MAAM;AAAA,MAC3C,iBAAiB,QAAQ,oBAAoB;AAAA,MAC7C,iBAAiB,QAAQ,SAAS,MAAM;AAAA,IAC1C,CAAC;AAED,UAAM,kBAAkB,4BAA4B;AAAA,MAClD,YAAY,SAAS;AAAA,MACrB,WAAW,QAAQ;AAAA,MACnB,WAAW,SAAS;AAAA,MACpB,gBAAgB,SAAS;AAAA,MACzB,gBAAgB,SAAS;AAAA,MACzB,UAAU,SAAS;AAAA,MACnB,WAAW,SAAS,WAAW;AAAA,IACjC,CAAC;AAED,WAAO,EAAE,QAAQ,SAAS,QAAQ,YAAY,SAAS,GAAG;AAAA,EAC5D,SAAS,OAAO;AACd,QAAI,iBAAiB,uBAAuB;AAG1C,YAAM,aAAa,KAAK,IAAI,IAAI,SAAS,WAAW,QAAQ;AAC5D,eAAS,aAAa;AACtB,aAAO,MAAM,2BAA2B;AAAA,QACtC;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,CAAC;AAAA,IACH;AAEA,aAAS,iBAAiB;AAC1B,aAAS,aAAa,KAAK,IAAI,IAAI,SAAS,WAAW,QAAQ;AAC/D,aAAS,gBAAgB,oBAAI,KAAK;AAClC,aAAS,eAAe,iBAAiB,QAAQ,MAAM,UAAU;AAEjE,YAAQ,uBAAuB;AAC/B,YAAQ,gBAAgB,oBAAI,KAAK;AAEjC,UAAM,qBAAqB;AAAA,MACzB;AAAA,MACA;AAAA,MACA;AAAA,MACA,UAAU;AAAA,MACV,iBAAiB,QAAQ,oBAAoB;AAAA,MAC7C,iBAAiB,SAAS;AAAA,IAC5B,CAAC;AAED,UAAM,kBAAkB,4BAA4B;AAAA,MAClD,YAAY,SAAS;AAAA,MACrB,WAAW,QAAQ;AAAA,MACnB,WAAW,SAAS;AAAA,MACpB,cAAc,SAAS;AAAA,MACvB,YAAY,KAAK,IAAI,IAAI;AAAA,MACzB,gBAAgB,SAAS;AAAA,MACzB,UAAU,SAAS;AAAA,MACnB,WAAW,SAAS,WAAW;AAAA,IACjC,CAAC;AAED,WAAO,EAAE,QAAQ,SAAS,QAAQ,YAAY,SAAS,GAAG;AAAA,EAC5D;AACF;AAUA,eAAe,2BACb,OACiD;AACjD,QAAM,EAAE,IAAI,UAAU,SAAS,MAAM,IAAI;AACzC,QAAM,UAAU,iBAAiB,wBAC7B,MAAM,UACN;AAEJ,WAAS,SAAS;AAClB,WAAS,eAAe;AACxB,WAAS,cAAc;AACvB,WAAS,gBAAgB,oBAAI,KAAK;AAClC,WAAS,iBAAiB;AAC1B,UAAQ,uBAAuB;AAC/B,UAAQ,gBAAgB,oBAAI,KAAK;AACjC,QAAM,GAAG,MAAM;AAEf,QAAM,kBAAkB,4BAA4B;AAAA,IAClD,YAAY,SAAS;AAAA,IACrB,WAAW,QAAQ;AAAA,IACnB,WAAW,SAAS;AAAA,IACpB,cAAc;AAAA,IACd,YAAY,MAAM,cAAc;AAAA,IAChC,gBAAgB,SAAS;AAAA,IACzB,UAAU,SAAS;AAAA,IACnB,WAAW;AAAA,EACb,CAAC;AAED,SAAO,EAAE,QAAQ,SAAS,QAAQ,YAAY,SAAS,GAAG;AAC5D;AAWA,eAAe,qBAAqB,OAAiD;AACnF,QAAM,EAAE,UAAU,QAAQ,IAAI;AAC9B,QAAM,mBAAmB,SAAS,gBAAgB,KAAK,IAAI,SAAS,aAAa,CAAC;AAClF,QAAM,cAAc,MAAM,YAAY;AAEtC,MAAI,aAAa;AACf,UAAM,cAAc,mBAAmB,SAAS,aAAa;AAC7D,aAAS,SAAS;AAClB,aAAS,cAAc;AAEvB,UAAM,MAAM,GAAG,MAAM;AAErB,QAAI,MAAM,iBAAiB;AACzB,UAAI;AACF,cAAM;AAAA,UACJ;AAAA,YACE,YAAY,SAAS;AAAA,YACrB,UAAU,SAAS;AAAA,YACnB,gBAAgB,SAAS;AAAA,UAC3B;AAAA,UACA,KAAK,IAAI,YAAY,QAAQ,IAAI,KAAK,IAAI,GAAG,CAAC;AAAA,QAChD;AAAA,MACF,SAAS,OAAO;AACd,iBAAS,SAAS;AAClB,iBAAS,cAAc;AACvB,iBAAS,eAAe,iBAAiB,QACrC,4BAA4B,MAAM,OAAO,KACzC;AAAA,MACN;AAAA,IACF;AAAA,EACF,OAAO;AACL,aAAS,SAAS;AAClB,aAAS,cAAc;AAEvB,UAAM,kBAAkB,+BAA+B;AAAA,MACrD,YAAY,SAAS;AAAA,MACrB,WAAW,QAAQ;AAAA,MACnB,WAAW,SAAS;AAAA,MACpB,gBAAgB,SAAS;AAAA,MACzB,UAAU,SAAS;AAAA,MACnB,cAAc,SAAS,gBAAgB,MAAM;AAAA,IAC/C,CAAC;AAAA,EACH;AAEA,MAAI,QAAQ,uBAAuB,KAAK,QAAQ,uBAAuB,QAAQ,sBAAsB;AACnG,YAAQ,WAAW;AACnB,UAAM,kBAAkB,6BAA6B;AAAA,MACnD,WAAW,QAAQ;AAAA,MACnB,gBAAgB,QAAQ;AAAA,MACxB,UAAU,QAAQ;AAAA,MAClB,qBAAqB,QAAQ;AAAA,IAC/B,CAAC;AAAA,EACH;AAEA,QAAM,MAAM,GAAG,MAAM;AACvB;AAEA,SAAS,qBAAqB,WAAmB,SAA+C;AAC9F,QAAM,gBAAgB,OAAO,QAAQ,SAAS,WAAW,QAAQ,OAAO;AACxE,QAAM,qBAAqB,OAAO,QAAQ,cAAc,WAAW,QAAQ,YAAY;AACvF,QAAM,gBAAgB,SAAS,QAAQ,IAAI,IAAI,QAAQ,OAAO;AAE9D,MAAI,iBAAiB,sBAAsB,eAAe;AACxD,WAAO;AAAA,MACL,MAAM;AAAA,MACN,WAAW;AAAA,MACX,MAAM;AAAA,IACR;AAAA,EACF;AAEA,SAAO;AAAA,IACL,MAAM;AAAA,IACN,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC,MAAM;AAAA,EACR;AACF;AAEA,SAAS,SAAS,OAAkD;AAClE,SAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,KAAK;AAC5E;AAEA,SAAS,kBAAkB,QAAyB;AAClD,MAAI,UAAU,OAAO,SAAS,IAAK,QAAO;AAC1C,MAAI,WAAW,OAAO,WAAW,IAAK,QAAO;AAC7C,SAAO,UAAU;AACnB;AAEA,SAAS,mBAAmB,eAA6B;AACvD,QAAM,cAAc;AACpB,QAAM,WAAW,KAAK,MAAM,KAAK,OAAO,IAAI,GAAI;AAChD,QAAM,UAAU,cAAc,KAAK,IAAI,GAAG,KAAK,IAAI,gBAAgB,GAAG,CAAC,CAAC,IAAI;AAC5E,SAAO,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO;AACtC;",
   "names": []
 }

package/dist/modules/webhooks/lib/url-safety.js

@@ -1,7 +1,8 @@
 import {
   assertSafeOutboundUrl,
   assertStaticallySafeOutboundUrl,
-  parseOutboundUrl
+  parseOutboundUrl,
+  safeOutboundFetch
 } from "@open-mercato/shared/lib/url-safety";
 import { parseBooleanWithDefault } from "@open-mercato/shared/lib/boolean";
 import { isPrivateIpAddress } from "@open-mercato/shared/lib/network";
@@ -37,12 +38,23 @@ async function assertSafeWebhookDeliveryUrl(rawUrl, deps = {}) {
     lookupHost: deps.lookupHost
   });
 }
+async function safeWebhookFetch(rawUrl, init = {}, deps = {}) {
+  const allowPrivate = deps.allowPrivate ?? isAllowPrivateWebhookUrlsEnabled();
+  return safeOutboundFetch(rawUrl, init, {
+    errorFactory: webhookErrorFactory,
+    subject: SUBJECT,
+    allowPrivate,
+    lookupHost: deps.lookupHost,
+    fetchImpl: deps.fetchImpl
+  });
+}
 export {
   UnsafeWebhookUrlError,
   assertSafeWebhookDeliveryUrl,
   assertStaticallySafeWebhookUrl,
   isAllowPrivateWebhookUrlsEnabled,
   isPrivateIpAddress,
-  parseWebhookUrl
+  parseWebhookUrl,
+  safeWebhookFetch
 };
 //# sourceMappingURL=url-safety.js.map

package/dist/modules/webhooks/lib/url-safety.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/webhooks/lib/url-safety.ts"],
-  "sourcesContent": ["import {\n  assertSafeOutboundUrl,\n  assertStaticallySafeOutboundUrl,\n  parseOutboundUrl,\n  type HostLookup,\n  type UrlSafetyReason,\n} from '@open-mercato/shared/lib/url-safety'\nimport { parseBooleanWithDefault } from '@open-mercato/shared/lib/boolean'\n\nexport { isPrivateIpAddress } from '@open-mercato/shared/lib/network'\n\nconst SUBJECT = 'Webhook URL'\n\n// reason: string (not UrlSafetyReason) preserves BC per BACKWARD_COMPATIBILITY.md \u00A72\nexport class UnsafeWebhookUrlError extends Error {\n  public readonly reason: string\n\n  constructor(reason: string, message?: string) {\n    super(message ?? `Webhook URL rejected: ${reason}`)\n    this.name = 'UnsafeWebhookUrlError'\n    this.reason = reason\n  }\n}\n\nconst webhookErrorFactory = (reason: UrlSafetyReason, message: string) =>\n  new UnsafeWebhookUrlError(reason, message)\n\ntype ParsedWebhookUrl = {\n  url: URL\n  hostname: string\n}\n\nexport function parseWebhookUrl(rawUrl: string): ParsedWebhookUrl {\n  return parseOutboundUrl(rawUrl, { errorFactory: webhookErrorFactory, subject: SUBJECT })\n}\n\nexport type AssertStaticWebhookUrlDeps = {\n  allowPrivate?: boolean\n}\n\nexport function assertStaticallySafeWebhookUrl(\n  rawUrl: string,\n  deps: AssertStaticWebhookUrlDeps = {},\n): void {\n  const allowPrivate = deps.allowPrivate ?? isAllowPrivateWebhookUrlsEnabled()\n  assertStaticallySafeOutboundUrl(rawUrl, {\n    errorFactory: webhookErrorFactory,\n    subject: SUBJECT,\n    allowPrivate,\n  })\n}\n\nexport function isAllowPrivateWebhookUrlsEnabled(): boolean {\n  return parseBooleanWithDefault(process.env.OM_WEBHOOKS_ALLOW_PRIVATE_URLS, false)\n}\n\nexport type AssertSafeWebhookDeliveryDeps = {\n  lookupHost?: HostLookup\n  allowPrivate?: boolean\n}\n\nexport async function assertSafeWebhookDeliveryUrl(\n  rawUrl: string,\n  deps: AssertSafeWebhookDeliveryDeps = {},\n): Promise<void> {\n  const allowPrivate = deps.allowPrivate ?? isAllowPrivateWebhookUrlsEnabled()\n  await assertSafeOutboundUrl(rawUrl, {\n    errorFactory: webhookErrorFactory,\n    subject: SUBJECT,\n    allowPrivate,\n    lookupHost: deps.lookupHost,\n  })\n}\n"],
-  "mappings": "AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OAGK;AACP,SAAS,+BAA+B;AAExC,SAAS,0BAA0B;AAEnC,MAAM,UAAU;AAGT,MAAM,8BAA8B,MAAM;AAAA,EAG/C,YAAY,QAAgB,SAAkB;AAC5C,UAAM,WAAW,yBAAyB,MAAM,EAAE;AAClD,SAAK,OAAO;AACZ,SAAK,SAAS;AAAA,EAChB;AACF;AAEA,MAAM,sBAAsB,CAAC,QAAyB,YACpD,IAAI,sBAAsB,QAAQ,OAAO;AAOpC,SAAS,gBAAgB,QAAkC;AAChE,SAAO,iBAAiB,QAAQ,EAAE,cAAc,qBAAqB,SAAS,QAAQ,CAAC;AACzF;AAMO,SAAS,+BACd,QACA,OAAmC,CAAC,GAC9B;AACN,QAAM,eAAe,KAAK,gBAAgB,iCAAiC;AAC3E,kCAAgC,QAAQ;AAAA,IACtC,cAAc;AAAA,IACd,SAAS;AAAA,IACT;AAAA,EACF,CAAC;AACH;AAEO,SAAS,mCAA4C;AAC1D,SAAO,wBAAwB,QAAQ,IAAI,gCAAgC,KAAK;AAClF;AAOA,eAAsB,6BACpB,QACA,OAAsC,CAAC,GACxB;AACf,QAAM,eAAe,KAAK,gBAAgB,iCAAiC;AAC3E,QAAM,sBAAsB,QAAQ;AAAA,IAClC,cAAc;AAAA,IACd,SAAS;AAAA,IACT;AAAA,IACA,YAAY,KAAK;AAAA,EACnB,CAAC;AACH;",
+  "sourcesContent": ["import {\n  assertSafeOutboundUrl,\n  assertStaticallySafeOutboundUrl,\n  parseOutboundUrl,\n  safeOutboundFetch,\n  type HostLookup,\n  type SafeOutboundFetchOptions,\n  type UrlSafetyReason,\n} from '@open-mercato/shared/lib/url-safety'\nimport { parseBooleanWithDefault } from '@open-mercato/shared/lib/boolean'\n\nexport { isPrivateIpAddress } from '@open-mercato/shared/lib/network'\n\nconst SUBJECT = 'Webhook URL'\n\n// reason: string (not UrlSafetyReason) preserves BC per BACKWARD_COMPATIBILITY.md \u00A72\nexport class UnsafeWebhookUrlError extends Error {\n  public readonly reason: string\n\n  constructor(reason: string, message?: string) {\n    super(message ?? `Webhook URL rejected: ${reason}`)\n    this.name = 'UnsafeWebhookUrlError'\n    this.reason = reason\n  }\n}\n\nconst webhookErrorFactory = (reason: UrlSafetyReason, message: string) =>\n  new UnsafeWebhookUrlError(reason, message)\n\ntype ParsedWebhookUrl = {\n  url: URL\n  hostname: string\n}\n\nexport function parseWebhookUrl(rawUrl: string): ParsedWebhookUrl {\n  return parseOutboundUrl(rawUrl, { errorFactory: webhookErrorFactory, subject: SUBJECT })\n}\n\nexport type AssertStaticWebhookUrlDeps = {\n  allowPrivate?: boolean\n}\n\nexport function assertStaticallySafeWebhookUrl(\n  rawUrl: string,\n  deps: AssertStaticWebhookUrlDeps = {},\n): void {\n  const allowPrivate = deps.allowPrivate ?? isAllowPrivateWebhookUrlsEnabled()\n  assertStaticallySafeOutboundUrl(rawUrl, {\n    errorFactory: webhookErrorFactory,\n    subject: SUBJECT,\n    allowPrivate,\n  })\n}\n\nexport function isAllowPrivateWebhookUrlsEnabled(): boolean {\n  return parseBooleanWithDefault(process.env.OM_WEBHOOKS_ALLOW_PRIVATE_URLS, false)\n}\n\nexport type AssertSafeWebhookDeliveryDeps = {\n  lookupHost?: HostLookup\n  allowPrivate?: boolean\n}\n\nexport async function assertSafeWebhookDeliveryUrl(\n  rawUrl: string,\n  deps: AssertSafeWebhookDeliveryDeps = {},\n): Promise<void> {\n  const allowPrivate = deps.allowPrivate ?? isAllowPrivateWebhookUrlsEnabled()\n  await assertSafeOutboundUrl(rawUrl, {\n    errorFactory: webhookErrorFactory,\n    subject: SUBJECT,\n    allowPrivate,\n    lookupHost: deps.lookupHost,\n  })\n}\n\nexport type SafeWebhookFetchDeps = {\n  lookupHost?: HostLookup\n  allowPrivate?: boolean\n  fetchImpl?: SafeOutboundFetchOptions['fetchImpl']\n}\n\n/**\n * Validates the webhook URL and performs a `fetch()` with the connection pinned to a\n * pre-validated address \u2014 defeats DNS rebinding by ensuring the validation lookup and\n * the connect lookup return the same IP. Always sets `redirect: 'manual'` unless the\n * caller overrides it.\n */\nexport async function safeWebhookFetch(\n  rawUrl: string,\n  init: RequestInit = {},\n  deps: SafeWebhookFetchDeps = {},\n): Promise<Response> {\n  const allowPrivate = deps.allowPrivate ?? isAllowPrivateWebhookUrlsEnabled()\n  return safeOutboundFetch(rawUrl, init, {\n    errorFactory: webhookErrorFactory,\n    subject: SUBJECT,\n    allowPrivate,\n    lookupHost: deps.lookupHost,\n    fetchImpl: deps.fetchImpl,\n  })\n}\n"],
+  "mappings": "AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAIK;AACP,SAAS,+BAA+B;AAExC,SAAS,0BAA0B;AAEnC,MAAM,UAAU;AAGT,MAAM,8BAA8B,MAAM;AAAA,EAG/C,YAAY,QAAgB,SAAkB;AAC5C,UAAM,WAAW,yBAAyB,MAAM,EAAE;AAClD,SAAK,OAAO;AACZ,SAAK,SAAS;AAAA,EAChB;AACF;AAEA,MAAM,sBAAsB,CAAC,QAAyB,YACpD,IAAI,sBAAsB,QAAQ,OAAO;AAOpC,SAAS,gBAAgB,QAAkC;AAChE,SAAO,iBAAiB,QAAQ,EAAE,cAAc,qBAAqB,SAAS,QAAQ,CAAC;AACzF;AAMO,SAAS,+BACd,QACA,OAAmC,CAAC,GAC9B;AACN,QAAM,eAAe,KAAK,gBAAgB,iCAAiC;AAC3E,kCAAgC,QAAQ;AAAA,IACtC,cAAc;AAAA,IACd,SAAS;AAAA,IACT;AAAA,EACF,CAAC;AACH;AAEO,SAAS,mCAA4C;AAC1D,SAAO,wBAAwB,QAAQ,IAAI,gCAAgC,KAAK;AAClF;AAOA,eAAsB,6BACpB,QACA,OAAsC,CAAC,GACxB;AACf,QAAM,eAAe,KAAK,gBAAgB,iCAAiC;AAC3E,QAAM,sBAAsB,QAAQ;AAAA,IAClC,cAAc;AAAA,IACd,SAAS;AAAA,IACT;AAAA,IACA,YAAY,KAAK;AAAA,EACnB,CAAC;AACH;AAcA,eAAsB,iBACpB,QACA,OAAoB,CAAC,GACrB,OAA6B,CAAC,GACX;AACnB,QAAM,eAAe,KAAK,gBAAgB,iCAAiC;AAC3E,SAAO,kBAAkB,QAAQ,MAAM;AAAA,IACrC,cAAc;AAAA,IACd,SAAS;AAAA,IACT;AAAA,IACA,YAAY,KAAK;AAAA,IACjB,WAAW,KAAK;AAAA,EAClB,CAAC;AACH;",
   "names": []
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@open-mercato/webhooks",
-  "version": "0.5.1-develop.2912.8d7b1fef24",
+  "version": "0.5.1-develop.2917.31ee9898e3",
   "description": "Webhooks module for Open Mercato — Standard Webhooks compliant outbound/inbound delivery",
   "type": "module",
   "main": "./dist/index.js",
@@ -69,18 +69,18 @@
     }
   },
   "dependencies": {
-    "@open-mercato/core": "0.5.1-develop.2912.8d7b1fef24",
-    "@open-mercato/queue": "0.5.1-develop.2912.8d7b1fef24",
-    "@open-mercato/ui": "0.5.1-develop.2912.8d7b1fef24"
+    "@open-mercato/core": "0.5.1-develop.2917.31ee9898e3",
+    "@open-mercato/queue": "0.5.1-develop.2917.31ee9898e3",
+    "@open-mercato/ui": "0.5.1-develop.2917.31ee9898e3"
   },
   "peerDependencies": {
     "@mikro-orm/postgresql": "^7.0.10",
-    "@open-mercato/shared": "0.5.1-develop.2912.8d7b1fef24",
+    "@open-mercato/shared": "0.5.1-develop.2917.31ee9898e3",
     "react": "^19.0.0",
     "react-dom": "^19.0.0"
   },
   "devDependencies": {
-    "@open-mercato/shared": "0.5.1-develop.2912.8d7b1fef24",
+    "@open-mercato/shared": "0.5.1-develop.2917.31ee9898e3",
     "@types/jest": "^30.0.0",
     "esbuild": "^0.28.0",
     "glob": "^13.0.6",

package/src/modules/webhooks/lib/__tests__/url-safety.test.ts

@@ -3,6 +3,7 @@ import {
   assertStaticallySafeWebhookUrl,
   isPrivateIpAddress,
   parseWebhookUrl,
+  safeWebhookFetch,
   UnsafeWebhookUrlError,
 } from '../url-safety'
 
@@ -191,3 +192,54 @@ describe('url-safety — assertSafeWebhookDeliveryUrl (DNS rebinding guard)', ()
     ).rejects.toMatchObject({ reason: 'forbidden_protocol' })
   })
 })
+
+describe('url-safety — safeWebhookFetch', () => {
+  it('rejects DNS-rebinding hosts before any fetch attempt', async () => {
+    const fetchImpl = jest.fn() as unknown as typeof fetch
+    const lookupHost = async () => [{ address: '10.0.0.5', family: 4 }]
+    await expect(
+      safeWebhookFetch('https://rebind.evil.example/', {}, {
+        fetchImpl,
+        lookupHost,
+        allowPrivate: false,
+      }),
+    ).rejects.toBeInstanceOf(UnsafeWebhookUrlError)
+    expect(fetchImpl).not.toHaveBeenCalled()
+  })
+
+  it('reports the private resolved address in the error reason', async () => {
+    const fetchImpl = jest.fn() as unknown as typeof fetch
+    const lookupHost = async () => [{ address: '10.0.0.5', family: 4 }]
+    try {
+      await safeWebhookFetch('https://rebind.evil.example/', {}, {
+        fetchImpl,
+        lookupHost,
+        allowPrivate: false,
+      })
+      throw new Error('expected throw')
+    } catch (error) {
+      expect(error).toBeInstanceOf(UnsafeWebhookUrlError)
+      expect((error as UnsafeWebhookUrlError).reason).toBe('private_ip_resolved')
+    }
+  })
+
+  it('forwards init through fetchImpl with redirect:"manual"', async () => {
+    const fetchImpl = jest.fn(async () => new Response('ok', { status: 200 })) as unknown as typeof fetch
+    const lookupHost = async () => [{ address: '93.184.216.34', family: 4 }]
+    const response = await safeWebhookFetch(
+      'https://hooks.example.com/in',
+      { method: 'POST', body: 'payload' },
+      { fetchImpl, lookupHost, allowPrivate: false },
+    )
+    expect(response.status).toBe(200)
+    expect(fetchImpl).toHaveBeenCalledTimes(1)
+    const [, init] = (fetchImpl as unknown as jest.Mock).mock.calls[0]
+    expect(init).toEqual(
+      expect.objectContaining({
+        method: 'POST',
+        body: 'payload',
+        redirect: 'manual',
+      }),
+    )
+  })
+})

package/src/modules/webhooks/lib/delivery.ts

@@ -5,7 +5,11 @@ import { WebhookDeliveryEntity, WebhookEntity } from '../data/entities'
 import { emitWebhooksEvent } from '../events'
 import { enqueueWebhookDelivery } from './queue'
 import { isWebhookIntegrationEnabled, WEBHOOK_INTEGRATION_DISABLED_MESSAGE } from './integration-state'
-import { assertSafeWebhookDeliveryUrl, UnsafeWebhookUrlError } from './url-safety'
+import {
+  assertSafeWebhookDeliveryUrl,
+  safeWebhookFetch,
+  UnsafeWebhookUrlError,
+} from './url-safety'
 
 export interface WebhookDeliveryJob {
   deliveryId: string
@@ -123,28 +127,12 @@ export async function processWebhookDeliveryJob(
   try {
     await assertSafeWebhookDeliveryUrl(webhook.url)
   } catch (error) {
-    const message = error instanceof UnsafeWebhookUrlError
-      ? error.message
-      : 'Webhook URL rejected by safety check'
-    delivery.status = 'failed'
-    delivery.errorMessage = message
-    delivery.nextRetryAt = null
-    delivery.lastAttemptAt = new Date()
-    delivery.attemptNumber += 1
-    webhook.consecutiveFailures += 1
-    webhook.lastFailureAt = new Date()
-    await em.flush()
-    await emitWebhooksEvent('webhooks.delivery.failed', {
-      deliveryId: delivery.id,
-      webhookId: webhook.id,
-      eventType: delivery.eventType,
-      errorMessage: message,
-      durationMs: 0,
-      organizationId: delivery.organizationId,
-      tenantId: delivery.tenantId,
-      willRetry: false,
+    return await recordWebhookSafetyFailure({
+      em,
+      delivery,
+      webhook,
+      error,
     })
-    return { status: delivery.status, deliveryId: delivery.id }
   }
 
   const bodyPayload = normalizeWebhookBody(delivery.eventType, delivery.payload)
@@ -170,19 +158,22 @@ export async function processWebhookDeliveryJob(
     const controller = new AbortController()
     const timeoutId = setTimeout(() => controller.abort(), webhook.timeoutMs)
 
-    const response = await fetch(webhook.url, {
-      method: webhook.httpMethod,
-      redirect: 'manual',
-      headers: {
-        'content-type': 'application/json',
-        ...headers,
-        ...(webhook.customHeaders ?? {}),
-      },
-      body,
-      signal: controller.signal,
-    })
-
-    clearTimeout(timeoutId)
+    let response: Response
+    try {
+      response = await safeWebhookFetch(webhook.url, {
+        method: webhook.httpMethod,
+        redirect: 'manual',
+        headers: {
+          'content-type': 'application/json',
+          ...headers,
+          ...(webhook.customHeaders ?? {}),
+        },
+        body,
+        signal: controller.signal,
+      })
+    } finally {
+      clearTimeout(timeoutId)
+    }
 
     delivery.attemptNumber += 1
     delivery.responseStatus = response.status
@@ -234,6 +225,20 @@ export async function processWebhookDeliveryJob(
 
     return { status: delivery.status, deliveryId: delivery.id }
   } catch (error) {
+    if (error instanceof UnsafeWebhookUrlError) {
+      // DNS rebinding caught between the upfront safety check and the pinned connect:
+      // the same attacker-controlled DNS would defeat retries too, so fail terminally.
+      const durationMs = Date.now() - delivery.enqueuedAt.getTime()
+      delivery.durationMs = durationMs
+      return await recordWebhookSafetyFailure({
+        em,
+        delivery,
+        webhook,
+        error,
+        durationMs,
+      })
+    }
+
     delivery.attemptNumber += 1
     delivery.durationMs = Date.now() - delivery.enqueuedAt.getTime()
     delivery.lastAttemptAt = new Date()
@@ -266,6 +271,45 @@ export async function processWebhookDeliveryJob(
   }
 }
 
+type RecordWebhookSafetyFailureInput = {
+  em: EntityManager
+  delivery: WebhookDeliveryEntity
+  webhook: WebhookEntity
+  error: unknown
+  durationMs?: number | null
+}
+
+async function recordWebhookSafetyFailure(
+  input: RecordWebhookSafetyFailureInput,
+): Promise<{ status: string; deliveryId: string }> {
+  const { em, delivery, webhook, error } = input
+  const message = error instanceof UnsafeWebhookUrlError
+    ? error.message
+    : 'Webhook URL rejected by safety check'
+
+  delivery.status = 'failed'
+  delivery.errorMessage = message
+  delivery.nextRetryAt = null
+  delivery.lastAttemptAt = new Date()
+  delivery.attemptNumber += 1
+  webhook.consecutiveFailures += 1
+  webhook.lastFailureAt = new Date()
+  await em.flush()
+
+  await emitWebhooksEvent('webhooks.delivery.failed', {
+    deliveryId: delivery.id,
+    webhookId: webhook.id,
+    eventType: delivery.eventType,
+    errorMessage: message,
+    durationMs: input.durationMs ?? 0,
+    organizationId: delivery.organizationId,
+    tenantId: delivery.tenantId,
+    willRetry: false,
+  })
+
+  return { status: delivery.status, deliveryId: delivery.id }
+}
+
 type HandleFailedDeliveryInput = {
   em: EntityManager
   webhook: WebhookEntity

package/src/modules/webhooks/lib/url-safety.ts

@@ -2,7 +2,9 @@ import {
   assertSafeOutboundUrl,
   assertStaticallySafeOutboundUrl,
   parseOutboundUrl,
+  safeOutboundFetch,
   type HostLookup,
+  type SafeOutboundFetchOptions,
   type UrlSafetyReason,
 } from '@open-mercato/shared/lib/url-safety'
 import { parseBooleanWithDefault } from '@open-mercato/shared/lib/boolean'
@@ -71,3 +73,30 @@ export async function assertSafeWebhookDeliveryUrl(
     lookupHost: deps.lookupHost,
   })
 }
+
+export type SafeWebhookFetchDeps = {
+  lookupHost?: HostLookup
+  allowPrivate?: boolean
+  fetchImpl?: SafeOutboundFetchOptions['fetchImpl']
+}
+
+/**
+ * Validates the webhook URL and performs a `fetch()` with the connection pinned to a
+ * pre-validated address — defeats DNS rebinding by ensuring the validation lookup and
+ * the connect lookup return the same IP. Always sets `redirect: 'manual'` unless the
+ * caller overrides it.
+ */
+export async function safeWebhookFetch(
+  rawUrl: string,
+  init: RequestInit = {},
+  deps: SafeWebhookFetchDeps = {},
+): Promise<Response> {
+  const allowPrivate = deps.allowPrivate ?? isAllowPrivateWebhookUrlsEnabled()
+  return safeOutboundFetch(rawUrl, init, {
+    errorFactory: webhookErrorFactory,
+    subject: SUBJECT,
+    allowPrivate,
+    lookupHost: deps.lookupHost,
+    fetchImpl: deps.fetchImpl,
+  })
+}