@outposted/node 0.1.0 → 0.1.1

package/CHANGELOG.md

@@ -1,5 +1,8 @@
 # Changelog
 
+## 0.1.1 — 2026-06-03
+- Inline webhook signing + types (no workspace: dependencies). Package is now self-contained and installable by external consumers.
+
 ## 0.1.0 — 2026-06-03
 
 - Initial release

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@outposted/node",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "private": false,
   "description": "Outposted Node.js client — publish to Instagram, Facebook, YouTube, LinkedIn, Threads from one API call.",
   "main": "src/index.ts",
@@ -43,11 +43,10 @@
     "typecheck": "tsc --noEmit",
     "lint": "eslint src __tests__ --max-warnings 0"
   },
-  "dependencies": {
-    "@outposted/domain": "workspace:*",
-    "@outposted/webhooks": "workspace:*"
-  },
+  "dependencies": {},
   "devDependencies": {
+    "@outposted/domain": "workspace:*",
+    "@outposted/webhooks": "workspace:*",
     "@types/node": "^22",
     "typescript": "^5",
     "vitest": "^2",

package/src/index.ts

@@ -34,4 +34,4 @@ export { OAuthResource } from './resources/oauth';
 
 // Re-export webhook signing helpers so consumers don't have to install a
 // second package to verify incoming Outposted webhooks.
-export { signPayload, verifyPayload } from '@outposted/webhooks';
+export { signPayload, verifyPayload } from './webhook-signing';

package/src/resources/brands.ts

@@ -15,7 +15,7 @@
 // OutpostedError subclasses produced by the transport layer.
 // ────────────────────────────────────────────────────────────────────────────
 
-import type { Brand, BrandCreateInput } from '@outposted/domain';
+import type { Brand, BrandCreateInput } from '../types';
 import { OutpostedNotFoundError } from '../errors';
 import type { HttpClient } from '../transport';
 

package/src/resources/connections.ts

@@ -19,7 +19,7 @@
 // once that route exists in `apps/api/src/app/api/v1/workspaces/[wsId]/brands/[brandId]/connections/route.ts`.
 // ────────────────────────────────────────────────────────────────────────────
 
-import type { ConnectedAccount, AccountType } from '@outposted/domain';
+import type { ConnectedAccount, AccountType } from '../types';
 import type { HttpClient } from '../transport';
 
 /** Platforms the OAuth start endpoint accepts. Mirrors `StartSchema.platform` in `connections/start/route.ts`. */

package/src/resources/contents.ts

@@ -30,7 +30,7 @@ import type {
   ContentPayload,
   ContentStatus,
   ContentType,
-} from '@outposted/domain';
+} from '../types';
 import type { HttpClient } from '../transport';
 
 /**

package/src/resources/deliveries.ts

@@ -22,7 +22,7 @@
 // transport layer (e.g. OutpostedNotFoundError on 404).
 // ────────────────────────────────────────────────────────────────────────────
 
-import type { WebhookDelivery, WebhookDeliveryStatus } from '@outposted/domain';
+import type { WebhookDelivery, WebhookDeliveryStatus } from '../types';
 import type { HttpClient } from '../transport';
 
 /** Query params accepted by `DeliveriesResource.list`. */

package/src/resources/webhooks.ts

@@ -19,7 +19,7 @@
 // can reuse it for inbound verification without installing a second package.
 // ────────────────────────────────────────────────────────────────────────────
 
-import { verifyPayload, type VerifyResult } from '@outposted/webhooks';
+import { verifyPayload, type VerifyResult } from '../webhook-signing';
 import type { HttpClient } from '../transport';
 
 export type { VerifyResult };

package/src/types.ts

@@ -0,0 +1,178 @@
+// ────────────────────────────────────────────────────────────────────────────
+// @outposted/node/types — inline domain types.
+//
+// These types are copied verbatim (type-only) from @outposted/domain to keep
+// the SDK self-contained and installable by external consumers (the package
+// is not in the workspace, so `workspace:*` deps are unusable).
+//
+// Keep these in sync with `packages/domain/src/{brand,connection,content,webhook}.ts`.
+// Runtime values (zod schemas, helper functions) are NOT mirrored here — the
+// SDK only needs type shapes.
+// ────────────────────────────────────────────────────────────────────────────
+
+// ── Brand ──────────────────────────────────────────────────────────────────
+
+export interface Brand {
+  id: string;
+  workspace_id: string;
+  slug: string;
+  name: string;
+  brand_type: string;
+  description: string | null;
+  metadata: Record<string, unknown>;
+  created_at: string;
+}
+
+export interface BrandCreateInput {
+  workspace_id: string;
+  slug: string;
+  name: string;
+  brand_type: string;
+  description?: string;
+  metadata?: Record<string, unknown>;
+}
+
+// ── Connection ─────────────────────────────────────────────────────────────
+
+export type ConnectionStatus = 'connected' | 'expired' | 'revoked' | 'error';
+
+export type AccountType =
+  | 'personal'
+  | 'page'
+  | 'organization'
+  | 'ig_business'
+  | 'channel'
+  | 'profile'
+  | 'unknown';
+
+export interface ConnectedAccount {
+  id: string;
+  brand_id: string;
+  platform_slug: string;
+  provider_slug: string;
+  external_account_id: string;
+  external_handle: string | null;
+  display_label: string | null;
+  status: ConnectionStatus;
+  /**
+   * pgcrypto-encrypted token bundle (hex-encoded bytea). The worker calls
+   * `decryptToken(token_encrypted)` just before invoking the adapter. Domain
+   * code MUST NEVER touch this — it's effectively opaque infrastructure.
+   */
+  token_encrypted: string | null;
+  metadata: Record<string, unknown>;
+  connected_at: string;
+}
+
+// ── Content ────────────────────────────────────────────────────────────────
+
+export type ContentStatus =
+  | 'awaiting_media'
+  | 'queued'
+  | 'scheduled'
+  | 'publishing'
+  | 'processing_remote'
+  | 'published'
+  | 'partial'
+  | 'failed'
+  | 'cancelled';
+
+export type JobStatus =
+  | 'queued'
+  | 'scheduled'
+  | 'processing'
+  | 'processing_remote'
+  | 'published'
+  | 'failed'
+  | 'cancelled';
+
+export type ContentType =
+  | 'post'
+  | 'carousel'
+  | 'reel'
+  | 'story'
+  | 'newsletter'
+  | 'thread'
+  | 'text_only'
+  | 'link_share'
+  | 'video'
+  | 'short';
+
+export interface MediaItem {
+  type: 'image' | 'video';
+  url?: string;
+  /** Multipart binary reference, e.g. "file_0". Resolved to `url` at ingest. */
+  ref?: string;
+  /** Large-media direct upload intent (E1.11). Server hands back a presigned PUT URL. */
+  upload?: true;
+  cover_url?: string;
+  alt_text?: string;
+  // Server-injected at ingest (#95). NOT accepted from clients.
+  content_type?: string;
+  size?: number;
+  checksum_sha256?: string;
+  transcoded_from?: string;
+}
+
+export interface ThreadChainPost {
+  text: string;
+  media?: MediaItem;
+}
+
+export interface ContentPayload {
+  text?: string;
+  caption?: string;
+  title?: string;
+  body_html?: string;
+  link?: string;
+  media?: MediaItem[];
+  /** Legacy image-only shape; upstreams maps to `media[]` with type='image'. */
+  media_urls?: string[];
+  hashtags?: string[];
+  posts?: ThreadChainPost[];
+  /**
+   * Per-publish visibility. YouTube-specific in V0 (video/short): controls
+   * snippet privacyStatus. Other platforms ignore it. Defaults to 'public'
+   * downstream when omitted.
+   */
+  privacy_status?: 'public' | 'unlisted' | 'private';
+}
+
+export interface Content {
+  id: string;
+  workspace_id: string;
+  brand_id: string;
+  content_type: ContentType;
+  target_platforms: string[];
+  target_connections: string[] | null;
+  payload: ContentPayload;
+  status: ContentStatus;
+  /** ISO-8601 timestamp when status is `scheduled`. Null otherwise. */
+  scheduled_at: string | null;
+  created_at: string;
+  updated_at: string;
+  created_by_api_key_id: string | null;
+  idempotency_key: string | null;
+}
+
+// ── Webhook ────────────────────────────────────────────────────────────────
+
+export type WebhookDeliveryStatus = 'pending' | 'delivered' | 'failed' | 'dlq';
+
+export interface WebhookDelivery {
+  id: string;
+  endpoint_id: string;
+  content_id: string | null;
+  job_id: string | null;
+  event_type: string;
+  status: WebhookDeliveryStatus;
+  attempt_count: number;
+  next_retry_at: string | null;
+  payload: Record<string, unknown> | null;
+  last_response_status: number | null;
+  last_response_body: string | null;
+  last_error: string | null;
+  delivered_at: string | null;
+  created_at: string;
+  updated_at: string;
+}

package/src/webhook-signing.ts

@@ -0,0 +1,144 @@
+// ────────────────────────────────────────────────────────────────────────────
+// @outposted/node/webhook-signing — inline HMAC-SHA256 signing + verification.
+//
+// Copied verbatim from `@outposted/webhooks/sign` (and a slice of `secret`)
+// so the SDK is self-contained and installable by external consumers without
+// the workspace-only `@outposted/webhooks` dependency.
+//
+// Single source of truth for the wire format lives in
+// `packages/webhooks/src/sign.ts` — keep these in sync.
+//
+// Format (Stripe-style): `X-Outposted-Signature: t=<unix_seconds>,v1=<hex_hmac>`
+//
+//   - `t`  = timestamp seconds (replay protection — receiver checks tolerance)
+//   - `v1` = HMAC-SHA256( `${t}.${rawBody}`, secret ) in lowercase hex
+//
+// node:crypto works in both Node and Cloudflare Workers (via nodejs_compat).
+// ────────────────────────────────────────────────────────────────────────────
+
+import { createHmac, timingSafeEqual } from 'node:crypto';
+
+const SIGNATURE_HEADER = 'X-Outposted-Signature';
+const SIGNATURE_VERSION = 'v1';
+
+/** Default replay tolerance: 5 minutes, matching Stripe's default. */
+export const DEFAULT_TOLERANCE_SECONDS = 5 * 60;
+
+export interface SignedSignature {
+  /** Header value (e.g. `t=1717209600,v1=abc123...`). Pass as-is into X-Outposted-Signature. */
+  header: string;
+  /** Timestamp used in the signature, unix seconds. */
+  timestamp: number;
+  /** Raw HMAC-SHA256 hex digest of `${timestamp}.${rawBody}`. */
+  signature: string;
+}
+
+export interface SignPayloadOptions {
+  /** Override the timestamp (mostly for tests). Defaults to `Math.floor(Date.now() / 1000)`. */
+  timestamp?: number;
+}
+
+/**
+ * Sign a raw body with the workspace's whsec secret. Returns the header value
+ * the sender writes into `X-Outposted-Signature`.
+ *
+ * `rawBody` MUST be the exact bytes sent on the wire — any whitespace,
+ * key-ordering, or encoding difference between sign-time and verify-time
+ * breaks the signature. Pass `JSON.stringify(payload)` once and reuse the
+ * same string for both the signature and the HTTP body.
+ */
+export function signPayload(
+  rawBody: string,
+  secret: string,
+  options: SignPayloadOptions = {},
+): SignedSignature {
+  if (!secret) throw new Error('signPayload: secret is required');
+  const timestamp = options.timestamp ?? Math.floor(Date.now() / 1000);
+  const signature = createHmac('sha256', secret).update(`${timestamp}.${rawBody}`).digest('hex');
+  return {
+    header: `t=${timestamp},${SIGNATURE_VERSION}=${signature}`,
+    timestamp,
+    signature,
+  };
+}
+
+export type VerifyResult =
+  | { ok: true; timestamp: number }
+  | { ok: false; code: 'missing'; detail: string }
+  | { ok: false; code: 'malformed'; detail: string }
+  | { ok: false; code: 'unsupported_version'; detail: string }
+  | { ok: false; code: 'timestamp_out_of_tolerance'; detail: string }
+  | { ok: false; code: 'signature_mismatch'; detail: string };
+
+export interface VerifyPayloadOptions {
+  /** Replay tolerance window in seconds (default: 5 min, Stripe-compatible). */
+  toleranceSeconds?: number;
+  /** Override the "now" reference for tests. Unix seconds. */
+  nowSeconds?: number;
+}
+
+/**
+ * Verify an inbound signed payload — for receivers (the customer side, and
+ * also our own E2E tests). Returns a discriminated union so callers branch on
+ * the specific failure mode (e.g. respond 400 for malformed, 401 for
+ * signature_mismatch, 408 for timestamp_out_of_tolerance).
+ *
+ * Constant-time compare is used on the signature itself to prevent the
+ * trivial timing-based oracle attack.
+ */
+export function verifyPayload(
+  rawBody: string,
+  headerValue: string | null | undefined,
+  secret: string,
+  options: VerifyPayloadOptions = {},
+): VerifyResult {
+  if (!headerValue) {
+    return { ok: false, code: 'missing', detail: `${SIGNATURE_HEADER} header not present` };
+  }
+  const parts = headerValue.split(',').map((s) => s.trim());
+  const kv = new Map<string, string>();
+  for (const part of parts) {
+    const eq = part.indexOf('=');
+    if (eq < 1) {
+      return { ok: false, code: 'malformed', detail: `bad pair: '${part}'` };
+    }
+    kv.set(part.slice(0, eq), part.slice(eq + 1));
+  }
+
+  const t = kv.get('t');
+  const sig = kv.get(SIGNATURE_VERSION);
+  if (!t || !sig) {
+    return {
+      ok: false,
+      code: kv.size === 0 ? 'malformed' : 'unsupported_version',
+      detail: `missing t/${SIGNATURE_VERSION} in '${headerValue}'`,
+    };
+  }
+  const timestamp = Number(t);
+  if (!Number.isFinite(timestamp) || timestamp <= 0) {
+    return { ok: false, code: 'malformed', detail: `bad timestamp: '${t}'` };
+  }
+
+  const tolerance = options.toleranceSeconds ?? DEFAULT_TOLERANCE_SECONDS;
+  const now = options.nowSeconds ?? Math.floor(Date.now() / 1000);
+  if (Math.abs(now - timestamp) > tolerance) {
+    return {
+      ok: false,
+      code: 'timestamp_out_of_tolerance',
+      detail: `timestamp ${timestamp} is ${Math.abs(now - timestamp)}s from now=${now}, tolerance=${tolerance}s`,
+    };
+  }
+
+  const expected = createHmac('sha256', secret).update(`${timestamp}.${rawBody}`).digest('hex');
+  if (sig.length !== expected.length) {
+    return { ok: false, code: 'signature_mismatch', detail: 'length mismatch' };
+  }
+  const a = Buffer.from(sig, 'utf8');
+  const b = Buffer.from(expected, 'utf8');
+  if (!timingSafeEqual(a, b)) {
+    return { ok: false, code: 'signature_mismatch', detail: 'HMAC does not match' };
+  }
+  return { ok: true, timestamp };
+}
+
+export { SIGNATURE_HEADER };