@opencard-dev/webhook-server 0.1.0

package/dist/index.d.ts

@@ -0,0 +1,46 @@
+/**
+ * OpenCard Webhook Server
+ * =======================
+ * A lightweight HTTP server built with Hono that receives real-time
+ * authorization requests from Stripe and responds with approve/decline
+ * decisions based on the card's spend rules.
+ *
+ * ─── Why Hono? ──────────────────────────────────────────────────────────────
+ * Hono is a tiny, fast web framework — roughly 14KB. We chose it over Express
+ * because it's TypeScript-native, has cleaner middleware, and is significantly
+ * faster. Speed matters here: Stripe gives us ~2 seconds to respond to
+ * authorization requests before automatically declining.
+ *
+ * ─── The one endpoint that matters ─────────────────────────────────────────
+ * POST /webhooks/stripe
+ *  ↑ Stripe calls this in real time for every card event.
+ *  We verify the signature, parse the event, and route it to a handler.
+ *  For authorization requests, we return { approved: true/false }.
+ *
+ * ─── Security ───────────────────────────────────────────────────────────────
+ * Stripe signs every webhook with HMAC-SHA256 using a shared secret.
+ * We verify this signature before processing ANYTHING. An invalid signature
+ * means the request didn't come from Stripe — we reject it with a 400.
+ *
+ * ─── Running the server ─────────────────────────────────────────────────────
+ * Set env vars and start:
+ *   STRIPE_SECRET_KEY=sk_test_... \
+ *   STRIPE_WEBHOOK_SECRET=whsec_... \
+ *   PORT=3000 \
+ *   node dist/index.js
+ *
+ * Get your webhook secret from the Stripe CLI:
+ *   stripe listen --forward-to localhost:3000/webhooks/stripe
+ */
+import { Hono } from 'hono';
+/**
+ * Create and return the Hono webhook application.
+ * This is exported so the serve command can reuse the same app.
+ */
+export declare function createWebhookApp(): Hono<import("hono/types").BlankEnv, import("hono/types").BlankSchema, "/">;
+/**
+ * Start the webhook server on the specified port.
+ * Returns a promise that resolves when the server is ready.
+ */
+export declare function startWebhookServer(port: number): Promise<void>;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAGH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAyU5B;;;GAGG;AACH,wBAAgB,gBAAgB,+EAE/B;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA4C9D"}

package/dist/index.js

@@ -0,0 +1,389 @@
+"use strict";
+/**
+ * OpenCard Webhook Server
+ * =======================
+ * A lightweight HTTP server built with Hono that receives real-time
+ * authorization requests from Stripe and responds with approve/decline
+ * decisions based on the card's spend rules.
+ *
+ * ─── Why Hono? ──────────────────────────────────────────────────────────────
+ * Hono is a tiny, fast web framework — roughly 14KB. We chose it over Express
+ * because it's TypeScript-native, has cleaner middleware, and is significantly
+ * faster. Speed matters here: Stripe gives us ~2 seconds to respond to
+ * authorization requests before automatically declining.
+ *
+ * ─── The one endpoint that matters ─────────────────────────────────────────
+ * POST /webhooks/stripe
+ *  ↑ Stripe calls this in real time for every card event.
+ *  We verify the signature, parse the event, and route it to a handler.
+ *  For authorization requests, we return { approved: true/false }.
+ *
+ * ─── Security ───────────────────────────────────────────────────────────────
+ * Stripe signs every webhook with HMAC-SHA256 using a shared secret.
+ * We verify this signature before processing ANYTHING. An invalid signature
+ * means the request didn't come from Stripe — we reject it with a 400.
+ *
+ * ─── Running the server ─────────────────────────────────────────────────────
+ * Set env vars and start:
+ *   STRIPE_SECRET_KEY=sk_test_... \
+ *   STRIPE_WEBHOOK_SECRET=whsec_... \
+ *   PORT=3000 \
+ *   node dist/index.js
+ *
+ * Get your webhook secret from the Stripe CLI:
+ *   stripe listen --forward-to localhost:3000/webhooks/stripe
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createWebhookApp = createWebhookApp;
+exports.startWebhookServer = startWebhookServer;
+const node_server_1 = require("@hono/node-server");
+const hono_1 = require("hono");
+const stripe_1 = __importDefault(require("stripe"));
+const core_1 = require("@opencard-dev/core");
+// ─── Configuration ────────────────────────────────────────────────────────────
+/**
+ * The port this server listens on. Default 3000.
+ * Override with the PORT environment variable.
+ */
+const PORT = parseInt(process.env.PORT || '3000', 10);
+/**
+ * Your Stripe secret key. Used to initialize the Stripe SDK so we can
+ * call Stripe's API (e.g., to update card status after a decision).
+ * Must start with sk_test_... for test mode, sk_live_... for production.
+ */
+const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY;
+/**
+ * The webhook signing secret Stripe uses to sign webhook payloads.
+ * Get this from:
+ *   - Stripe CLI: `stripe listen` prints it on first run
+ *   - Stripe Dashboard: Developers → Webhooks → your endpoint → Signing secret
+ *
+ * Without this, we can't verify that webhook requests actually came from Stripe.
+ * The server will still start without it (for ease of local dev), but will
+ * print a clear warning and skip verification.
+ */
+const STRIPE_WEBHOOK_SECRET = process.env.STRIPE_WEBHOOK_SECRET;
+// ─── Initialize Stripe (deferred) ──────────────────────────────────────────────
+/**
+ * The Stripe SDK instance. Created lazily when the server starts.
+ * This allows the module to be imported without requiring STRIPE_SECRET_KEY.
+ */
+let stripe = null;
+// ─── Server State ───────────────────────────────────────────────────────────
+/**
+ * Track when the server started so we can report uptime in health checks.
+ */
+const startTime = Date.now();
+// ─── Hono App ─────────────────────────────────────────────────────────────────
+/**
+ * Create the Hono application.
+ * Hono is structured as an app with routes — similar to Express but more
+ * TypeScript-friendly. Each route is defined with app.get/post/etc.
+ */
+const app = new hono_1.Hono();
+// ─── Health check ─────────────────────────────────────────────────────────────
+/**
+ * GET /health
+ * A simple endpoint that returns 200 OK.
+ * Used by monitoring systems, load balancers, and developers to confirm
+ * the server is up and responding. The webhook doesn't do any Stripe logic here.
+ */
+app.get('/health', (c) => {
+    const uptime = Math.floor((Date.now() - startTime) / 1000); // seconds
+    return c.json({
+        status: 'ok',
+        service: 'opencard-webhook-server',
+        version: '0.1.0',
+        uptime, // seconds
+        timestamp: new Date().toISOString(),
+        // Tell the caller whether signature verification is active.
+        // If this shows false in production, something is wrong.
+        signatureVerification: !!STRIPE_WEBHOOK_SECRET,
+    });
+});
+// ─── Webhook handler ──────────────────────────────────────────────────────────
+/**
+ * POST /webhooks/stripe
+ * ──────────────────────
+ * The main endpoint. Stripe calls this for every Issuing event.
+ *
+ * IMPORTANT: Stripe signature verification requires the raw request body
+ * (the exact bytes Stripe sent), not a parsed JSON object. If we let Hono
+ * parse the body first, the byte-for-byte signature check will fail.
+ * That's why we read `req.arrayBuffer()` and convert to text manually.
+ */
+app.post('/webhooks/stripe', async (c) => {
+    // ── Step 1: Read the raw request body ────────────────────────────────────
+    //
+    // We need the raw bytes for signature verification. Hono doesn't parse
+    // the body automatically, so we read it ourselves.
+    const rawBody = await c.req.text();
+    // ── Step 2: Get the Stripe signature header ───────────────────────────────
+    //
+    // Stripe attaches a `Stripe-Signature` header to every webhook request.
+    // It contains a timestamp and an HMAC signature computed from the body.
+    // We need this to verify the request is authentic.
+    const signature = c.req.header('stripe-signature');
+    if (!signature) {
+        // No signature header at all — definitely not a legitimate Stripe request.
+        console.warn('[Webhook] Request missing Stripe-Signature header — rejecting');
+        return c.json({ error: 'Missing Stripe-Signature header' }, 400);
+    }
+    // ── Step 3: Verify the signature (if we have a secret) ───────────────────
+    //
+    // stripe.webhooks.constructEvent() does three things:
+    //  1. Parses the raw body as JSON to get the event object
+    //  2. Verifies the HMAC signature using our webhook secret
+    //  3. Checks that the timestamp isn't too old (prevents replay attacks)
+    //
+    // If any of those checks fail, it throws an error.
+    let event;
+    const webhookSecret = process.env.STRIPE_WEBHOOK_SECRET;
+    if (!stripe) {
+        console.error('[Webhook] Stripe not initialized — server not started with startWebhookServer()');
+        return c.json({ error: 'Server not initialized' }, 500);
+    }
+    if (webhookSecret) {
+        try {
+            event = stripe.webhooks.constructEvent(rawBody, signature, webhookSecret);
+        }
+        catch (err) {
+            // Signature invalid or timestamp too old. This could mean:
+            //  - Someone is trying to send fake events (attack)
+            //  - The webhook secret is misconfigured
+            //  - The request was somehow corrupted in transit
+            console.error('[Webhook] Signature verification failed:', err instanceof Error ? err.message : err);
+            return c.json({ error: 'Webhook signature verification failed' }, 400);
+        }
+    }
+    else {
+        // No webhook secret configured — skip verification.
+        // Parse the body directly. Only acceptable in local development.
+        try {
+            event = JSON.parse(rawBody);
+        }
+        catch {
+            return c.json({ error: 'Invalid JSON body' }, 400);
+        }
+    }
+    // ── Step 4: Route the event to the right handler ─────────────────────────
+    //
+    // Stripe sends different event types for different things. We pattern-match
+    // on `event.type` to decide what to do.
+    //
+    // Reference: https://stripe.com/docs/api/events/types
+    console.log(`[Webhook] Received event: ${event.type} (id: ${event.id})`);
+    switch (event.type) {
+        // ── issuing_authorization.request ──────────────────────────────────────
+        //
+        // THE critical real-time event. Stripe sends this synchronously when a
+        // card is presented for payment. We MUST respond within ~2 seconds with
+        // our approve/decline decision.
+        //
+        // The response body is what Stripe actually uses to decide:
+        //   { approved: true }  → Stripe approves the charge
+        //   { approved: false } → Stripe declines the charge
+        //
+        // Note: For this event type, Stripe expects a specific response format.
+        // Any non-200 response or a response missing `approved` will cause
+        // Stripe to decline by default.
+        case 'issuing_authorization.request': {
+            const authorization = event.data.object;
+            // handleAuthorizationRequest is now async (it looks up rules from the store)
+            const result = await (0, core_1.handleAuthorizationRequest)(authorization);
+            // Return the decision to Stripe. This is the actual approve/decline.
+            return c.json({ approved: result.approved });
+        }
+        // ── issuing_authorization.created ──────────────────────────────────────
+        //
+        // Fired AFTER an authorization is definitively approved or declined.
+        // This is NOT the real-time request — it's a notification after the fact.
+        // We log it but don't need to return any special response.
+        case 'issuing_authorization.created': {
+            const authorization = event.data.object;
+            (0, core_1.handleAuthorizationCreated)(authorization);
+            return c.json({ received: true });
+        }
+        // ── issuing_transaction.created ────────────────────────────────────────
+        //
+        // Fired when a transaction is fully captured (money actually moved).
+        // This can happen hours or days after the authorization, and the final
+        // amount may differ from the authorization amount (e.g. tips at restaurants).
+        case 'issuing_transaction.created': {
+            const transaction = event.data.object;
+            (0, core_1.handleTransactionCreated)(transaction);
+            return c.json({ received: true });
+        }
+        // ── issuing_card.updated ───────────────────────────────────────────────
+        //
+        // Fired when a card's status, spending limits, or metadata changes.
+        // Useful for tracking when agents' cards are paused or resumed.
+        case 'issuing_card.updated': {
+            const card = event.data.object;
+            (0, core_1.handleCardUpdated)(card);
+            return c.json({ received: true });
+        }
+        // ── Unhandled event types ──────────────────────────────────────────────
+        //
+        // Stripe may send many other event types. We acknowledge receipt (200 OK)
+        // without doing anything — this prevents Stripe from retrying the event.
+        // Silently ignoring is intentional; we only care about Issuing events.
+        default:
+            console.log(`[Webhook] Unhandled event type: ${event.type} — acknowledged and ignored`);
+            return c.json({ received: true });
+    }
+});
+// ─── Approval API endpoints ───────────────────────────────────────────────────
+/**
+ * GET /approvals
+ * List pending approval requests. Useful for building custom approval UIs,
+ * Slack bots, or mobile apps that show pending requests.
+ */
+app.get('/approvals', (c) => {
+    try {
+        const db = new core_1.OpenCardDatabase();
+        const pending = db.listPendingApprovalRequests();
+        db.close();
+        return c.json({ pending });
+    }
+    catch (err) {
+        console.error('[Approvals] Error listing requests:', err);
+        return c.json({ error: 'Failed to list approval requests' }, 500);
+    }
+});
+/**
+ * POST /approvals/:id/approve
+ * Approve a pending request. Body: { decided_by: string, note?: string }
+ */
+app.post('/approvals/:id/approve', async (c) => {
+    const id = c.req.param('id');
+    try {
+        const body = await c.req.json();
+        const decidedBy = body.decided_by || 'api';
+        const db = new core_1.OpenCardDatabase();
+        const request = db.approveRequest(id, decidedBy, body.note);
+        db.close();
+        console.log(`[Approvals] Approved request ${id} by ${decidedBy}`);
+        return c.json({
+            status: 'approved',
+            request_id: request.id,
+            approved_by: request.decided_by,
+            note: request.decision_note ?? null,
+            approved_at: request.decided_at,
+        });
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        console.error(`[Approvals] Error approving ${id}:`, message);
+        if (message.includes('not found'))
+            return c.json({ error: message }, 404);
+        if (message.includes('already'))
+            return c.json({ error: message }, 409);
+        return c.json({ error: 'Failed to approve request' }, 500);
+    }
+});
+/**
+ * POST /approvals/:id/deny
+ * Deny a pending request. Body: { decided_by: string, note?: string }
+ */
+app.post('/approvals/:id/deny', async (c) => {
+    const id = c.req.param('id');
+    try {
+        const body = await c.req.json();
+        const decidedBy = body.decided_by || 'api';
+        const db = new core_1.OpenCardDatabase();
+        const request = db.denyRequest(id, decidedBy, body.note);
+        db.close();
+        console.log(`[Approvals] Denied request ${id} by ${decidedBy}`);
+        return c.json({
+            status: 'denied',
+            request_id: request.id,
+            denied_by: request.decided_by,
+            note: request.decision_note ?? null,
+            denied_at: request.decided_at,
+        });
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        console.error(`[Approvals] Error denying ${id}:`, message);
+        if (message.includes('not found'))
+            return c.json({ error: message }, 404);
+        if (message.includes('already'))
+            return c.json({ error: message }, 409);
+        return c.json({ error: 'Failed to deny request' }, 500);
+    }
+});
+// ─── Initialize Database ─────────────────────────────────────────────────────
+/**
+ * Initialize the SQLite database and wire it into the reconciler.
+ * This runs at startup, before the server begins listening.
+ * If DB init fails, we log a warning and continue without persistence —
+ * the auth decision path must never be blocked by DB availability.
+ */
+try {
+    const db = (0, core_1.initDatabase)();
+    const reconciler = new core_1.TransactionReconciler(db);
+    (0, core_1.setReconciler)(reconciler);
+    console.log('[WebhookServer] SQLite database initialized and reconciler wired ✓');
+}
+catch (err) {
+    console.error('[WebhookServer] ⚠ Failed to initialize SQLite database — webhook events will NOT be persisted.');
+    console.error('[WebhookServer] ⚠ Auth decisions are unaffected. Fix the DB issue to restore audit trail.');
+    console.error('[WebhookServer] DB init error:', err instanceof Error ? err.message : String(err));
+}
+// ─── Export app creation and server startup functions ─────────────────────────
+/**
+ * Create and return the Hono webhook application.
+ * This is exported so the serve command can reuse the same app.
+ */
+function createWebhookApp() {
+    return app;
+}
+/**
+ * Start the webhook server on the specified port.
+ * Returns a promise that resolves when the server is ready.
+ */
+function startWebhookServer(port) {
+    return new Promise((resolve, reject) => {
+        // ── Validate and initialize Stripe ──────────────────────────────────────
+        const stripeKey = process.env.STRIPE_SECRET_KEY;
+        if (!stripeKey) {
+            console.error('[WebhookServer] FATAL: STRIPE_SECRET_KEY environment variable is not set.');
+            console.error('[WebhookServer] Set it with: export STRIPE_SECRET_KEY=sk_test_...');
+            reject(new Error('STRIPE_SECRET_KEY not set'));
+            return;
+        }
+        if (!stripe) {
+            stripe = new stripe_1.default(stripeKey, {
+                apiVersion: '2023-10-16',
+            });
+        }
+        const webhookSecret = process.env.STRIPE_WEBHOOK_SECRET;
+        if (!webhookSecret) {
+            console.warn('[WebhookServer] ⚠ WARNING: STRIPE_WEBHOOK_SECRET not set — signature verification DISABLED');
+            console.warn('[WebhookServer] ⚠ This is insecure. Only acceptable for local development.');
+            console.warn('[WebhookServer] ⚠ Get your secret from: stripe listen --forward-to localhost:3000/webhooks/stripe');
+        }
+        // ── Start server ────────────────────────────────────────────────────────
+        console.log('[WebhookServer] OpenCard webhook server starting...');
+        console.log(`[WebhookServer] Stripe signature verification: ${webhookSecret ? 'ENABLED ✓' : 'DISABLED ⚠'}`);
+        (0, node_server_1.serve)({
+            fetch: app.fetch,
+            port: port,
+        }, (info) => {
+            console.log(`[WebhookServer] Server listening on port ${info.port}`);
+            console.log(`[WebhookServer] Webhook endpoint: POST http://localhost:${info.port}/webhooks/stripe`);
+            console.log(`[WebhookServer] Health check:     GET  http://localhost:${info.port}/health`);
+            console.log('[WebhookServer] Ready to handle Stripe events.');
+            resolve();
+        });
+    });
+}
+// ─── Auto-start when run directly ──────────────────────────────────────────────
+// Note: This is now a library module imported by the CLI.
+// The CLI uses startWebhookServer() to control when the server starts.
+// Auto-start is no longer supported from the library itself.
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;;;;;AAgVH,4CAEC;AAMD,gDA4CC;AAlYD,mDAA0C;AAC1C,+BAA4B;AAC5B,oDAA4B;AAC5B,6CAS4B;AAE5B,iFAAiF;AAEjF;;;GAGG;AACH,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,MAAM,EAAE,EAAE,CAAC,CAAC;AAEtD;;;;GAIG;AACH,MAAM,iBAAiB,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;AAExD;;;;;;;;;GASG;AACH,MAAM,qBAAqB,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;AAEhE,kFAAkF;AAElF;;;GAGG;AACH,IAAI,MAAM,GAAkB,IAAI,CAAC;AAEjC,+EAA+E;AAE/E;;GAEG;AACH,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;AAE7B,iFAAiF;AAEjF;;;;GAIG;AACH,MAAM,GAAG,GAAG,IAAI,WAAI,EAAE,CAAC;AAEvB,iFAAiF;AAEjF;;;;;GAKG;AACH,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE;IACvB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,UAAU;IAEtE,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,MAAM,EAAE,IAAI;QACZ,OAAO,EAAE,yBAAyB;QAClC,OAAO,EAAE,OAAO;QAChB,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,4DAA4D;QAC5D,yDAAyD;QACzD,qBAAqB,EAAE,CAAC,CAAC,qBAAqB;KAC/C,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,iFAAiF;AAEjF;;;;;;;;;GASG;AACH,GAAG,CAAC,IAAI,CAAC,kBAAkB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvC,4EAA4E;IAC5E,EAAE;IACF,uEAAuE;IACvE,mDAAmD;IACnD,MAAM,OAAO,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;IAEnC,6EAA6E;IAC7E,EAAE;IACF,wEAAwE;IACxE,wEAAwE;IACxE,mDAAmD;IACnD,MAAM,SAAS,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC;IAEnD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,2EAA2E;QAC3E,OAAO,CAAC,IAAI,CAAC,+DAA+D,CAAC,CAAC;QAC9E,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iCAAiC,EAAE,EAAE,GAAG,CAAC,CAAC;IACnE,CAAC;IAED,4EAA4E;IAC5E,EAAE;IACF,sDAAsD;IACtD,0DAA0D;IAC1D,2DAA2D;IAC3D,wEAAwE;IACxE,EAAE;IACF,mDAAmD;IACnD,IAAI,KAAmB,CAAC;IAExB,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;IACxD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,CAAC,KAAK,CAAC,iFAAiF,CAAC,CAAC;QACjG,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,wBAAwB,EAAE,EAAE,GAAG,CAAC,CAAC;IAC1D,CAAC;IAED,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAC,OAAO,EAAE,SAAS,EAAE,aAAa,CAAC,CAAC;QAC5E,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,2DAA2D;YAC3D,oDAAoD;YACpD,yCAAyC;YACzC,kDAAkD;YAClD,OAAO,CAAC,KAAK,CAAC,0CAA0C,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACpG,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uCAAuC,EAAE,EAAE,GAAG,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;SAAM,CAAC;QACN,oDAAoD;QACpD,iEAAiE;QACjE,IAAI,CAAC;YACH,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAiB,CAAC;QAC9C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAAE,GAAG,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAED,4EAA4E;IAC5E,EAAE;IACF,4EAA4E;IAC5E,wCAAwC;IACxC,EAAE;IACF,sDAAsD;IACtD,OAAO,CAAC,GAAG,CAAC,6BAA6B,KAAK,CAAC,IAAI,SAAS,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC;IAEzE,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;QAEnB,0EAA0E;QAC1E,EAAE;QACF,uEAAuE;QACvE,wEAAwE;QACxE,gCAAgC;QAChC,EAAE;QACF,4DAA4D;QAC5D,qDAAqD;QACrD,qDAAqD;QACrD,EAAE;QACF,wEAAwE;QACxE,mEAAmE;QACnE,gCAAgC;QAChC,KAAK,+BAA+B,CAAC,CAAC,CAAC;YACrC,MAAM,aAAa,GAAG,KAAK,CAAC,IAAI,CAAC,MAAsC,CAAC;YACxE,6EAA6E;YAC7E,MAAM,MAAM,GAAG,MAAM,IAAA,iCAA0B,EAAC,aAAa,CAAC,CAAC;YAE/D,qEAAqE;YACrE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC/C,CAAC;QAED,0EAA0E;QAC1E,EAAE;QACF,qEAAqE;QACrE,0EAA0E;QAC1E,2DAA2D;QAC3D,KAAK,+BAA+B,CAAC,CAAC,CAAC;YACrC,MAAM,aAAa,GAAG,KAAK,CAAC,IAAI,CAAC,MAAsC,CAAC;YACxE,IAAA,iCAA0B,EAAC,aAAa,CAAC,CAAC;YAC1C,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QACpC,CAAC;QAED,0EAA0E;QAC1E,EAAE;QACF,qEAAqE;QACrE,uEAAuE;QACvE,8EAA8E;QAC9E,KAAK,6BAA6B,CAAC,CAAC,CAAC;YACnC,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,MAAoC,CAAC;YACpE,IAAA,+BAAwB,EAAC,WAAW,CAAC,CAAC;YACtC,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QACpC,CAAC;QAED,0EAA0E;QAC1E,EAAE;QACF,oEAAoE;QACpE,gEAAgE;QAChE,KAAK,sBAAsB,CAAC,CAAC,CAAC;YAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,MAA6B,CAAC;YACtD,IAAA,wBAAiB,EAAC,IAAI,CAAC,CAAC;YACxB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QACpC,CAAC;QAED,0EAA0E;QAC1E,EAAE;QACF,0EAA0E;QAC1E,yEAAyE;QACzE,uEAAuE;QACvE;YACE,OAAO,CAAC,GAAG,CAAC,mCAAmC,KAAK,CAAC,IAAI,6BAA6B,CAAC,CAAC;YACxF,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,iFAAiF;AAEjF;;;;GAIG;AACH,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,CAAC,EAAE,EAAE;IAC1B,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,IAAI,uBAAgB,EAAE,CAAC;QAClC,MAAM,OAAO,GAAG,EAAE,CAAC,2BAA2B,EAAE,CAAC;QACjD,EAAE,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;IAC7B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,qCAAqC,EAAE,GAAG,CAAC,CAAC;QAC1D,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,kCAAkC,EAAE,EAAE,GAAG,CAAC,CAAC;IACpE,CAAC;AACH,CAAC,CAAC,CAAC;AAEH;;;GAGG;AACH,GAAG,CAAC,IAAI,CAAC,wBAAwB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC7C,MAAM,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC7B,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAA4C,CAAC;QAC1E,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,IAAI,KAAK,CAAC;QAC3C,MAAM,EAAE,GAAG,IAAI,uBAAgB,EAAE,CAAC;QAClC,MAAM,OAAO,GAAG,EAAE,CAAC,cAAc,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5D,EAAE,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,gCAAgC,EAAE,OAAO,SAAS,EAAE,CAAC,CAAC;QAClE,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,UAAU;YAClB,UAAU,EAAE,OAAO,CAAC,EAAE;YACtB,WAAW,EAAE,OAAO,CAAC,UAAU;YAC/B,IAAI,EAAE,OAAO,CAAC,aAAa,IAAI,IAAI;YACnC,WAAW,EAAE,OAAO,CAAC,UAAU;SAChC,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO,CAAC,KAAK,CAAC,+BAA+B,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC7D,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;YAAE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,GAAG,CAAC,CAAC;QAC1E,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;YAAE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,GAAG,CAAC,CAAC;QACxE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2BAA2B,EAAE,EAAE,GAAG,CAAC,CAAC;IAC7D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH;;;GAGG;AACH,GAAG,CAAC,IAAI,CAAC,qBAAqB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1C,MAAM,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC7B,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAA4C,CAAC;QAC1E,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,IAAI,KAAK,CAAC;QAC3C,MAAM,EAAE,GAAG,IAAI,uBAAgB,EAAE,CAAC;QAClC,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;QACzD,EAAE,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,8BAA8B,EAAE,OAAO,SAAS,EAAE,CAAC,CAAC;QAChE,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,QAAQ;YAChB,UAAU,EAAE,OAAO,CAAC,EAAE;YACtB,SAAS,EAAE,OAAO,CAAC,UAAU;YAC7B,IAAI,EAAE,OAAO,CAAC,aAAa,IAAI,IAAI;YACnC,SAAS,EAAE,OAAO,CAAC,UAAU;SAC9B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO,CAAC,KAAK,CAAC,6BAA6B,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC3D,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;YAAE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,GAAG,CAAC,CAAC;QAC1E,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;YAAE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,GAAG,CAAC,CAAC;QACxE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,wBAAwB,EAAE,EAAE,GAAG,CAAC,CAAC;IAC1D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,gFAAgF;AAEhF;;;;;GAKG;AACH,IAAI,CAAC;IACH,MAAM,EAAE,GAAG,IAAA,mBAAY,GAAE,CAAC;IAC1B,MAAM,UAAU,GAAG,IAAI,4BAAqB,CAAC,EAAE,CAAC,CAAC;IACjD,IAAA,oBAAa,EAAC,UAAU,CAAC,CAAC;IAC1B,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;AACpF,CAAC;AAAC,OAAO,GAAG,EAAE,CAAC;IACb,OAAO,CAAC,KAAK,CAAC,gGAAgG,CAAC,CAAC;IAChH,OAAO,CAAC,KAAK,CAAC,2FAA2F,CAAC,CAAC;IAC3G,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;AACpG,CAAC;AAED,iFAAiF;AAEjF;;;GAGG;AACH,SAAgB,gBAAgB;IAC9B,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,SAAgB,kBAAkB,CAAC,IAAY;IAC7C,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,2EAA2E;QAE3E,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;QAChD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,2EAA2E,CAAC,CAAC;YAC3F,OAAO,CAAC,KAAK,CAAC,mEAAmE,CAAC,CAAC;YACnF,MAAM,CAAC,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC,CAAC;YAC/C,OAAO;QACT,CAAC;QAED,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,GAAG,IAAI,gBAAM,CAAC,SAAS,EAAE;gBAC7B,UAAU,EAAE,YAAY;aACzB,CAAC,CAAC;QACL,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;QACxD,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO,CAAC,IAAI,CAAC,4FAA4F,CAAC,CAAC;YAC3G,OAAO,CAAC,IAAI,CAAC,4EAA4E,CAAC,CAAC;YAC3F,OAAO,CAAC,IAAI,CAAC,mGAAmG,CAAC,CAAC;QACpH,CAAC;QAED,2EAA2E;QAE3E,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC;QACnE,OAAO,CAAC,GAAG,CAAC,kDAAkD,aAAa,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC;QAE5G,IAAA,mBAAK,EACH;YACE,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,IAAI,EAAE,IAAI;SACX,EACD,CAAC,IAAI,EAAE,EAAE;YACP,OAAO,CAAC,GAAG,CAAC,4CAA4C,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;YACrE,OAAO,CAAC,GAAG,CAAC,2DAA2D,IAAI,CAAC,IAAI,kBAAkB,CAAC,CAAC;YACpG,OAAO,CAAC,GAAG,CAAC,2DAA2D,IAAI,CAAC,IAAI,SAAS,CAAC,CAAC;YAC3F,OAAO,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAC;YAC9D,OAAO,EAAE,CAAC;QACZ,CAAC,CACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,kFAAkF;AAElF,0DAA0D;AAC1D,uEAAuE;AACvE,6DAA6D"}

package/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "@opencard-dev/webhook-server",
+  "version": "0.1.0",
+  "description": "Hono-based webhook server for real-time Stripe Issuing authorization decisions",
+  "main": "dist/index.js",
+  "scripts": {
+    "build": "tsc",
+    "type-check": "tsc --noEmit",
+    "dev": "tsc --watch",
+    "start": "node dist/index.js",
+    "test": "vitest run"
+  },
+  "dependencies": {
+    "@hono/node-server": "^1.13.8",
+    "@opencard-dev/core": "workspace:*",
+    "hono": "^4.7.7",
+    "stripe": "^14.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "typescript": "^5.3.0",
+    "vitest": "^1.0.0"
+  },
+  "files": [
+    "dist"
+  ],
+  "keywords": [
+    "webhook",
+    "stripe",
+    "hono",
+    "opencard"
+  ],
+  "author": "Longshot Design",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/JLongshot/opencard.git",
+    "directory": "packages/webhook-server"
+  }
+}