@primitivedotdev/sdk 0.4.0 → 0.5.1

package/dist/contract/index.d.ts

@@ -1,5 +1,5 @@
-import { EmailAddress, EmailAnalysis, EmailAuth, EmailReceivedEvent, ParsedDataComplete, ParsedDataFailed, ParsedError, RawContentDownloadOnly, RawContentInline, WebhookAttachment } from "../types-C3ms4R0d.js";
-import { SignResult, StandardWebhooksSignResult, WEBHOOK_VERSION$1 as WEBHOOK_VERSION, signStandardWebhooksPayload$1 as signStandardWebhooksPayload, signWebhookPayload$1 as signWebhookPayload } from "../index-D2OuDGVz.js";
+import { EmailAddress, EmailAnalysis, EmailAuth, EmailReceivedEvent, ParsedDataComplete, ParsedDataFailed, ParsedError, RawContentDownloadOnly, RawContentInline, WebhookAttachment } from "../types-CKFmgitP.js";
+import { SignResult, StandardWebhooksSignResult, WEBHOOK_VERSION$1 as WEBHOOK_VERSION, signStandardWebhooksPayload$1 as signStandardWebhooksPayload, signWebhookPayload$1 as signWebhookPayload } from "../index-DLmAI4UQ.js";
 
 //#region src/contract/contract.d.ts
 /** Maximum raw email size for inline inclusion (256 KB). */
@@ -146,5 +146,83 @@ declare function buildEmailReceivedEvent(input: EmailReceivedEventInput, options
   event_id?: string;
   /** Override the attempted-at timestamp, typically for tests. */
   attempted_at?: string;
-}): EmailReceivedEvent; //#endregion
-export { EmailAddress, EmailAnalysis, EmailAuth, EmailReceivedEvent, EmailReceivedEventInput, ParsedDataComplete, ParsedDataFailed, ParsedError, ParsedInput, ParsedInputComplete, ParsedInputFailed, RAW_EMAIL_INLINE_THRESHOLD, RawContentDownloadOnly, RawContentInline, SignResult, StandardWebhooksSignResult, WEBHOOK_VERSION, WebhookAttachment, buildEmailReceivedEvent, generateEventId, signStandardWebhooksPayload, signWebhookPayload };
+}): EmailReceivedEvent;
+/**
+ * Input for building an `EmailReceivedEvent` directly from parser output.
+ */
+interface BuildEventFromParsedDataOptions {
+  /** Unique email ID chosen by the producer. */
+  emailId: string;
+  /** ID of the webhook endpoint receiving this event. */
+  endpointId: string;
+  /** Raw RFC 5322 bytes. Used to compute sha256 and inline data. */
+  rawBytes: Buffer;
+  /** Parser output with attachments, body, and threading headers populated. */
+  parsed: ParsedDataComplete;
+  /** Message-ID header value, or null if the email had none. */
+  messageId: string | null;
+  /** From header value. */
+  sender: string;
+  /** To header value. */
+  recipient: string;
+  /** Subject header value, or null. */
+  subject: string | null;
+  /** ISO 8601 timestamp when the producer accepted the email. */
+  receivedAt: string;
+  /** SMTP HELO/EHLO hostname, or null if not captured. */
+  smtpHelo: string | null;
+  /** SMTP envelope MAIL FROM. */
+  smtpMailFrom: string;
+  /** SMTP envelope RCPT TO recipients. Must contain at least one entry. */
+  smtpRcptTo: [string, ...string[]];
+  /** Email authentication results (camelCase per the schema). */
+  auth: EmailAuth;
+  /** Email analysis block. */
+  analysis: EmailAnalysis;
+  /** HTTPS download URL for the raw email. Always populated. */
+  downloadUrl: string;
+  /** ISO 8601 expiry for the raw-email download URL. */
+  downloadExpiresAt: string;
+  /**
+   * Download URL for the attachments tarball.
+   * Must be null iff `parsed.attachments` is empty — mismatch throws.
+   */
+  attachmentsDownloadUrl: string | null;
+  /** Delivery attempt number, starting at 1. */
+  attemptCount: number;
+  /** Original Date header value, or null. */
+  dateHeader?: string | null;
+  /** Optional overrides forwarded to `buildEmailReceivedEvent`. */
+  buildOptions?: {
+    event_id?: string;
+    attempted_at?: string;
+  };
+}
+/**
+ * Build an `EmailReceivedEvent` from parsed email data plus delivery metadata.
+ *
+ * Pure adapter: the caller supplies the raw bytes and the already-parsed
+ * data; this function computes sha256 and size, enforces the attachments
+ * invariant, and delegates to `buildEmailReceivedEvent` for schema
+ * validation. It never reads from disk, so it is safe to use in any
+ * runtime that has the data in memory.
+ *
+ * Inline vs. download-only behavior: when `rawBytes.length` is at or below
+ * `RAW_EMAIL_INLINE_THRESHOLD`, the event's `raw.data` is populated and
+ * `download.url` is still populated. Above the threshold, only `download.url`
+ * is populated. The download URL is always set regardless of inline status.
+ *
+ * Callers using the bundled parser can populate the header fields
+ * (`messageId`, `sender`, `recipient`, `subject`, `dateHeader`) directly
+ * from `toCanonicalHeaders(parsed)`. Accepting the flat fields rather than
+ * a canonical-headers object keeps this function usable by callers that
+ * do not use the bundled parser. A future release may add an optional
+ * canonical-headers parameter as an ergonomic alternative.
+ *
+ * @throws Error if `attachmentsDownloadUrl` disagrees with whether
+ *   `parsed.attachments` is empty.
+ * @throws Error if `smtpRcptTo` is empty.
+ * @throws WebhookValidationError if the assembled event fails schema validation.
+ */
+declare function buildEventFromParsedData(params: BuildEventFromParsedDataOptions): EmailReceivedEvent; //#endregion
+export { BuildEventFromParsedDataOptions, EmailAddress, EmailAnalysis, EmailAuth, EmailReceivedEvent, EmailReceivedEventInput, ParsedDataComplete, ParsedDataFailed, ParsedError, ParsedInput, ParsedInputComplete, ParsedInputFailed, RAW_EMAIL_INLINE_THRESHOLD, RawContentDownloadOnly, RawContentInline, SignResult, StandardWebhooksSignResult, WEBHOOK_VERSION, WebhookAttachment, buildEmailReceivedEvent, buildEventFromParsedData, generateEventId, signStandardWebhooksPayload, signWebhookPayload };

package/dist/contract/index.js

@@ -1,4 +1,4 @@
-import { WEBHOOK_VERSION, signStandardWebhooksPayload, signWebhookPayload, validateEmailReceivedEvent } from "../webhook-uSco6pyX.js";
+import { WEBHOOK_VERSION, signStandardWebhooksPayload, signWebhookPayload, validateEmailReceivedEvent } from "../webhook-COe5N_Uj.js";
 import { createHash } from "node:crypto";
 
 //#region src/contract/contract.ts
@@ -194,6 +194,76 @@ function buildEmailReceivedEvent(input, options) {
 	};
 	return validateEmailReceivedEvent(event);
 }
+/**
+* Build an `EmailReceivedEvent` from parsed email data plus delivery metadata.
+*
+* Pure adapter: the caller supplies the raw bytes and the already-parsed
+* data; this function computes sha256 and size, enforces the attachments
+* invariant, and delegates to `buildEmailReceivedEvent` for schema
+* validation. It never reads from disk, so it is safe to use in any
+* runtime that has the data in memory.
+*
+* Inline vs. download-only behavior: when `rawBytes.length` is at or below
+* `RAW_EMAIL_INLINE_THRESHOLD`, the event's `raw.data` is populated and
+* `download.url` is still populated. Above the threshold, only `download.url`
+* is populated. The download URL is always set regardless of inline status.
+*
+* Callers using the bundled parser can populate the header fields
+* (`messageId`, `sender`, `recipient`, `subject`, `dateHeader`) directly
+* from `toCanonicalHeaders(parsed)`. Accepting the flat fields rather than
+* a canonical-headers object keeps this function usable by callers that
+* do not use the bundled parser. A future release may add an optional
+* canonical-headers parameter as an ergonomic alternative.
+*
+* @throws Error if `attachmentsDownloadUrl` disagrees with whether
+*   `parsed.attachments` is empty.
+* @throws Error if `smtpRcptTo` is empty.
+* @throws WebhookValidationError if the assembled event fails schema validation.
+*/
+function buildEventFromParsedData(params) {
+	const { parsed, attachmentsDownloadUrl, smtpRcptTo } = params;
+	const hasAttachments = parsed.attachments.length > 0;
+	if (hasAttachments && attachmentsDownloadUrl === null) throw new Error(`[@primitivedotdev/sdk/contract] attachmentsDownloadUrl must be non-null when parsed.attachments has ${parsed.attachments.length} entries`);
+	if (!hasAttachments && attachmentsDownloadUrl !== null) throw new Error(`[@primitivedotdev/sdk/contract] attachmentsDownloadUrl must be null when parsed.attachments is empty (got: ${JSON.stringify(attachmentsDownloadUrl)})`);
+	if (smtpRcptTo.length === 0) throw new Error("[@primitivedotdev/sdk/contract] smtpRcptTo must contain at least one recipient");
+	const raw_size_bytes = params.rawBytes.length;
+	const raw_sha256 = createHash("sha256").update(params.rawBytes).digest("hex");
+	const parsedInput = {
+		status: "complete",
+		body_text: parsed.body_text,
+		body_html: parsed.body_html,
+		reply_to: parsed.reply_to,
+		cc: parsed.cc,
+		bcc: parsed.bcc,
+		in_reply_to: parsed.in_reply_to,
+		references: parsed.references,
+		attachments: parsed.attachments
+	};
+	const input = {
+		email_id: params.emailId,
+		endpoint_id: params.endpointId,
+		message_id: params.messageId,
+		sender: params.sender,
+		recipient: params.recipient,
+		subject: params.subject,
+		received_at: params.receivedAt,
+		smtp_helo: params.smtpHelo,
+		smtp_mail_from: params.smtpMailFrom,
+		smtp_rcpt_to: smtpRcptTo,
+		raw_bytes: params.rawBytes,
+		raw_sha256,
+		raw_size_bytes,
+		attempt_count: params.attemptCount,
+		date_header: params.dateHeader ?? null,
+		download_url: params.downloadUrl,
+		download_expires_at: params.downloadExpiresAt,
+		attachments_download_url: attachmentsDownloadUrl,
+		parsed: parsedInput,
+		auth: params.auth,
+		analysis: params.analysis
+	};
+	return buildEmailReceivedEvent(input, params.buildOptions);
+}
 
 //#endregion
-export { RAW_EMAIL_INLINE_THRESHOLD, WEBHOOK_VERSION, buildEmailReceivedEvent, generateEventId, signStandardWebhooksPayload, signWebhookPayload };
+export { RAW_EMAIL_INLINE_THRESHOLD, WEBHOOK_VERSION, buildEmailReceivedEvent, buildEventFromParsedData, generateEventId, signStandardWebhooksPayload, signWebhookPayload };

package/dist/{index-D2OuDGVz.d.ts → index-DLmAI4UQ.d.ts}

@@ -1,4 +1,4 @@
-import { EmailAuth, EmailReceivedEvent, ValidateEmailAuthResult, WebhookEvent } from "./types-C3ms4R0d.js";
+import { EmailAuth, EmailReceivedEvent, ValidateEmailAuthResult, WebhookEvent } from "./types-CKFmgitP.js";
 import { ErrorObject } from "ajv";
 
 //#region src/webhook/errors.d.ts
@@ -224,6 +224,95 @@ type ValidationResult<T> = ValidationSuccess<T> | ValidationFailure;
 declare function validateEmailReceivedEvent(input: unknown): EmailReceivedEvent;
 declare function safeValidateEmailReceivedEvent(input: unknown): ValidationResult<EmailReceivedEvent>;
 
+//#endregion
+//#region src/webhook/download-tokens.d.ts
+/**
+ * Signed download tokens.
+ *
+ * A download token is a self-describing bearer credential for fetching a
+ * specific email's raw bytes or attachment bundle from a per-deployment
+ * download endpoint. It binds:
+ *
+ * - `email_id` — the specific email the token authorizes.
+ * - `aud` — a caller-chosen audience label (e.g. the resource kind being
+ *   downloaded). Tokens minted for one audience will not verify under another.
+ * - `exp` — an absolute expiration time (unix seconds).
+ *
+ * Format: `<base64url(payload)>.<base64url(signature)>` where `signature`
+ * is HMAC-SHA256 over the base64url-encoded payload using the shared secret.
+ *
+ * The audience is an opaque caller-chosen string. Both the issuer and the
+ * verifier must agree on the exact bytes; the SDK does not prescribe a
+ * convention. New integrations are encouraged to namespace audiences
+ * (e.g. `primitive:raw-download`).
+ *
+ * Tokens are stateless: verification needs only the shared secret. Keep
+ * expirations as short as operationally tolerable.
+ */
+/**
+ * Input for issuing a download token.
+ */
+interface GenerateDownloadTokenOptions {
+  /** The email ID the token authorizes. */
+  emailId: string;
+  /** Absolute expiration as unix seconds (not a TTL). */
+  expiresAt: number;
+  /** Caller-chosen audience label; the verifier must supply the same value. */
+  audience: string;
+  /** Shared HMAC secret. */
+  secret: string;
+}
+/**
+ * Issue a signed download token.
+ *
+ * The resulting token is `<base64url-payload>.<base64url-signature>`, where
+ * the payload is `{"email_id":"...","exp":...,"aud":"..."}` (snake_case,
+ * field order fixed) and the signature is HMAC-SHA256 of the base64url
+ * payload string using `secret`.
+ *
+ * @param params - Token inputs.
+ * @returns The signed token string.
+ */
+declare function generateDownloadToken(params: GenerateDownloadTokenOptions): string;
+/**
+ * Input for verifying a download token.
+ */
+interface VerifyDownloadTokenOptions {
+  /** The token string to verify. */
+  token: string;
+  /** Expected email ID — must match the token payload exactly. */
+  emailId: string;
+  /** Expected audience — must match the token payload exactly. */
+  audience: string;
+  /** Shared HMAC secret. */
+  secret: string;
+  /** Override the current time (unix seconds) for deterministic tests. */
+  nowSeconds?: number;
+}
+/**
+ * Result of verifying a download token.
+ *
+ * On failure, `error` is a short human-readable reason suitable for logs.
+ * Do not surface it to untrusted clients — it may reveal which check failed.
+ */
+type VerifyDownloadTokenResult = {
+  valid: true;
+} | {
+  valid: false;
+  error: string;
+};
+/**
+ * Verify a signed download token.
+ *
+ * Returns a discriminated-union result. The function never throws for
+ * verification failures — only malformed inputs at the crypto layer would
+ * surface. Callers should check `result.valid` and log `result.error`.
+ *
+ * @param params - Verification inputs.
+ * @returns Whether the token is valid, plus a reason on failure.
+ */
+declare function verifyDownloadToken(params: VerifyDownloadTokenOptions): VerifyDownloadTokenResult;
+
 //#endregion
 //#region src/webhook/signing.d.ts
 /**
@@ -522,8 +611,8 @@ declare const emailReceivedEventJsonSchema: {
                     readonly url: {
                       readonly type: "string";
                       readonly format: "uri";
-                      readonly pattern: "^https://";
-                      readonly description: "HTTPS URL to download the raw email. Returns the email as-is in RFC 5322 format.";
+                      readonly pattern: "^https?://";
+                      readonly description: "URL to download the raw email as-is in RFC 5322 format. Managed Primitive always issues HTTPS. Self-host deployments may issue HTTP URLs that resolve inside the operator's network (e.g. `http://localhost:4001/...`). Receivers that want to refuse plaintext downloads should check the scheme explicitly.";
                     };
                     readonly expires_at: {
                       readonly type: "string";
@@ -734,8 +823,8 @@ declare const emailReceivedEventJsonSchema: {
         readonly attachments_download_url: {
           readonly type: ["string", "null"];
           readonly format: "uri";
-          readonly pattern: "^https://";
-          readonly description: "HTTPS URL to download all attachments as a tar.gz archive. Null if the email had no attachments. URL expires - check the expiration before downloading.";
+          readonly pattern: "^https?://";
+          readonly description: "URL to download all attachments as a tar.gz archive. Null if the email had no attachments. Managed Primitive always issues HTTPS. Self-host deployments may issue HTTP URLs that resolve inside the operator's network. URL expires - check the expiration before downloading.";
         };
       };
       readonly required: ["status", "error", "body_text", "body_html", "reply_to", "cc", "bcc", "in_reply_to", "references", "attachments", "attachments_download_url"];
@@ -1552,4 +1641,4 @@ declare function decodeRawEmail(event: EmailReceivedEvent, options?: DecodeRawEm
 declare function verifyRawEmailDownload(downloaded: Buffer | ArrayBuffer | Uint8Array, event: EmailReceivedEvent): Buffer;
 
 //#endregion
-export { DecodeRawEmailOptions, HandleWebhookOptions, LEGACY_CONFIRMED_HEADER as LEGACY_CONFIRMED_HEADER$1, LEGACY_SIGNATURE_HEADER as LEGACY_SIGNATURE_HEADER$1, PAYLOAD_ERRORS as PAYLOAD_ERRORS$1, PRIMITIVE_CONFIRMED_HEADER as PRIMITIVE_CONFIRMED_HEADER$1, PRIMITIVE_SIGNATURE_HEADER as PRIMITIVE_SIGNATURE_HEADER$1, PrimitiveWebhookError as PrimitiveWebhookError$1, RAW_EMAIL_ERRORS as RAW_EMAIL_ERRORS$1, RawEmailDecodeError as RawEmailDecodeError$1, RawEmailDecodeErrorCode, STANDARD_WEBHOOK_ID_HEADER as STANDARD_WEBHOOK_ID_HEADER$1, STANDARD_WEBHOOK_SIGNATURE_HEADER as STANDARD_WEBHOOK_SIGNATURE_HEADER$1, STANDARD_WEBHOOK_TIMESTAMP_HEADER as STANDARD_WEBHOOK_TIMESTAMP_HEADER$1, SignResult, StandardWebhooksSignResult, StandardWebhooksVerifyOptions, VERIFICATION_ERRORS as VERIFICATION_ERRORS$1, VerifyOptions, WEBHOOK_VERSION as WEBHOOK_VERSION$1, WebhookErrorCode, WebhookHeaders, WebhookPayloadError as WebhookPayloadError$1, WebhookPayloadErrorCode, WebhookValidationError as WebhookValidationError$1, WebhookValidationErrorCode, WebhookVerificationError as WebhookVerificationError$1, WebhookVerificationErrorCode, confirmedHeaders as confirmedHeaders$1, decodeRawEmail as decodeRawEmail$1, emailReceivedEventJsonSchema as emailReceivedEventJsonSchema$1, getDownloadTimeRemaining as getDownloadTimeRemaining$1, handleWebhook as handleWebhook$1, isDownloadExpired as isDownloadExpired$1, isEmailReceivedEvent as isEmailReceivedEvent$1, isRawIncluded as isRawIncluded$1, parseWebhookEvent as parseWebhookEvent$1, safeValidateEmailReceivedEvent as safeValidateEmailReceivedEvent$1, signStandardWebhooksPayload as signStandardWebhooksPayload$1, signWebhookPayload as signWebhookPayload$1, validateEmailAuth as validateEmailAuth$1, validateEmailReceivedEvent as validateEmailReceivedEvent$1, verifyRawEmailDownload as verifyRawEmailDownload$1, verifyStandardWebhooksSignature as verifyStandardWebhooksSignature$1, verifyWebhookSignature as verifyWebhookSignature$1 };
+export { DecodeRawEmailOptions, GenerateDownloadTokenOptions, HandleWebhookOptions, LEGACY_CONFIRMED_HEADER as LEGACY_CONFIRMED_HEADER$1, LEGACY_SIGNATURE_HEADER as LEGACY_SIGNATURE_HEADER$1, PAYLOAD_ERRORS as PAYLOAD_ERRORS$1, PRIMITIVE_CONFIRMED_HEADER as PRIMITIVE_CONFIRMED_HEADER$1, PRIMITIVE_SIGNATURE_HEADER as PRIMITIVE_SIGNATURE_HEADER$1, PrimitiveWebhookError as PrimitiveWebhookError$1, RAW_EMAIL_ERRORS as RAW_EMAIL_ERRORS$1, RawEmailDecodeError as RawEmailDecodeError$1, RawEmailDecodeErrorCode, STANDARD_WEBHOOK_ID_HEADER as STANDARD_WEBHOOK_ID_HEADER$1, STANDARD_WEBHOOK_SIGNATURE_HEADER as STANDARD_WEBHOOK_SIGNATURE_HEADER$1, STANDARD_WEBHOOK_TIMESTAMP_HEADER as STANDARD_WEBHOOK_TIMESTAMP_HEADER$1, SignResult, StandardWebhooksSignResult, StandardWebhooksVerifyOptions, VERIFICATION_ERRORS as VERIFICATION_ERRORS$1, VerifyDownloadTokenOptions, VerifyDownloadTokenResult, VerifyOptions, WEBHOOK_VERSION as WEBHOOK_VERSION$1, WebhookErrorCode, WebhookHeaders, WebhookPayloadError as WebhookPayloadError$1, WebhookPayloadErrorCode, WebhookValidationError as WebhookValidationError$1, WebhookValidationErrorCode, WebhookVerificationError as WebhookVerificationError$1, WebhookVerificationErrorCode, confirmedHeaders as confirmedHeaders$1, decodeRawEmail as decodeRawEmail$1, emailReceivedEventJsonSchema as emailReceivedEventJsonSchema$1, generateDownloadToken as generateDownloadToken$1, getDownloadTimeRemaining as getDownloadTimeRemaining$1, handleWebhook as handleWebhook$1, isDownloadExpired as isDownloadExpired$1, isEmailReceivedEvent as isEmailReceivedEvent$1, isRawIncluded as isRawIncluded$1, parseWebhookEvent as parseWebhookEvent$1, safeValidateEmailReceivedEvent as safeValidateEmailReceivedEvent$1, signStandardWebhooksPayload as signStandardWebhooksPayload$1, signWebhookPayload as signWebhookPayload$1, validateEmailAuth as validateEmailAuth$1, validateEmailReceivedEvent as validateEmailReceivedEvent$1, verifyDownloadToken as verifyDownloadToken$1, verifyRawEmailDownload as verifyRawEmailDownload$1, verifyStandardWebhooksSignature as verifyStandardWebhooksSignature$1, verifyWebhookSignature as verifyWebhookSignature$1 };

package/dist/index.d.ts

@@ -1,3 +1,3 @@
-import { AuthConfidence$1 as AuthConfidence, AuthVerdict$1 as AuthVerdict, DkimResult$1 as DkimResult, DkimSignature, DmarcPolicy$1 as DmarcPolicy, DmarcResult$1 as DmarcResult, EmailAddress, EmailAnalysis, EmailAuth, EmailReceivedEvent, EventType$1 as EventType, ForwardAnalysis, ForwardOriginalSender, ForwardResult, ForwardResultAttachmentAnalyzed, ForwardResultAttachmentSkipped, ForwardResultInline, ForwardVerdict$1 as ForwardVerdict, ForwardVerification, KnownWebhookEvent, ParsedData, ParsedDataComplete, ParsedDataFailed, ParsedError, ParsedStatus$1 as ParsedStatus, RawContent, RawContentDownloadOnly, RawContentInline, SpfResult$1 as SpfResult, UnknownEvent, ValidateEmailAuthResult, WebhookAttachment, WebhookEvent } from "./types-C3ms4R0d.js";
-import { DecodeRawEmailOptions, HandleWebhookOptions, LEGACY_CONFIRMED_HEADER$1 as LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER$1 as LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS$1 as PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER$1 as PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER$1 as PRIMITIVE_SIGNATURE_HEADER, PrimitiveWebhookError$1 as PrimitiveWebhookError, RAW_EMAIL_ERRORS$1 as RAW_EMAIL_ERRORS, RawEmailDecodeError$1 as RawEmailDecodeError, RawEmailDecodeErrorCode, STANDARD_WEBHOOK_ID_HEADER$1 as STANDARD_WEBHOOK_ID_HEADER, STANDARD_WEBHOOK_SIGNATURE_HEADER$1 as STANDARD_WEBHOOK_SIGNATURE_HEADER, STANDARD_WEBHOOK_TIMESTAMP_HEADER$1 as STANDARD_WEBHOOK_TIMESTAMP_HEADER, SignResult, StandardWebhooksSignResult, StandardWebhooksVerifyOptions, VERIFICATION_ERRORS$1 as VERIFICATION_ERRORS, VerifyOptions, WEBHOOK_VERSION$1 as WEBHOOK_VERSION, WebhookErrorCode, WebhookHeaders, WebhookPayloadError$1 as WebhookPayloadError, WebhookPayloadErrorCode, WebhookValidationError$1 as WebhookValidationError, WebhookValidationErrorCode, WebhookVerificationError$1 as WebhookVerificationError, WebhookVerificationErrorCode, confirmedHeaders$1 as confirmedHeaders, decodeRawEmail$1 as decodeRawEmail, emailReceivedEventJsonSchema$1 as emailReceivedEventJsonSchema, getDownloadTimeRemaining$1 as getDownloadTimeRemaining, handleWebhook$1 as handleWebhook, isDownloadExpired$1 as isDownloadExpired, isEmailReceivedEvent$1 as isEmailReceivedEvent, isRawIncluded$1 as isRawIncluded, parseWebhookEvent$1 as parseWebhookEvent, safeValidateEmailReceivedEvent$1 as safeValidateEmailReceivedEvent, signStandardWebhooksPayload$1 as signStandardWebhooksPayload, signWebhookPayload$1 as signWebhookPayload, validateEmailAuth$1 as validateEmailAuth, validateEmailReceivedEvent$1 as validateEmailReceivedEvent, verifyRawEmailDownload$1 as verifyRawEmailDownload, verifyStandardWebhooksSignature$1 as verifyStandardWebhooksSignature, verifyWebhookSignature$1 as verifyWebhookSignature } from "./index-D2OuDGVz.js";
-export { AuthConfidence, AuthVerdict, DecodeRawEmailOptions, DkimResult, DkimSignature, DmarcPolicy, DmarcResult, EmailAddress, EmailAnalysis, EmailAuth, EmailReceivedEvent, EventType, ForwardAnalysis, ForwardOriginalSender, ForwardResult, ForwardResultAttachmentAnalyzed, ForwardResultAttachmentSkipped, ForwardResultInline, ForwardVerdict, ForwardVerification, HandleWebhookOptions, KnownWebhookEvent, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedData, ParsedDataComplete, ParsedDataFailed, ParsedError, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawContent, RawContentDownloadOnly, RawContentInline, RawEmailDecodeError, RawEmailDecodeErrorCode, STANDARD_WEBHOOK_ID_HEADER, STANDARD_WEBHOOK_SIGNATURE_HEADER, STANDARD_WEBHOOK_TIMESTAMP_HEADER, SignResult, SpfResult, StandardWebhooksSignResult, StandardWebhooksVerifyOptions, UnknownEvent, VERIFICATION_ERRORS, ValidateEmailAuthResult, VerifyOptions, WEBHOOK_VERSION, WebhookAttachment, WebhookErrorCode, WebhookEvent, WebhookHeaders, WebhookPayloadError, WebhookPayloadErrorCode, WebhookValidationError, WebhookValidationErrorCode, WebhookVerificationError, WebhookVerificationErrorCode, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signStandardWebhooksPayload, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyRawEmailDownload, verifyStandardWebhooksSignature, verifyWebhookSignature };
+import { AuthConfidence$1 as AuthConfidence, AuthVerdict$1 as AuthVerdict, DkimResult$1 as DkimResult, DkimSignature, DmarcPolicy$1 as DmarcPolicy, DmarcResult$1 as DmarcResult, EmailAddress, EmailAnalysis, EmailAuth, EmailReceivedEvent, EventType$1 as EventType, ForwardAnalysis, ForwardOriginalSender, ForwardResult, ForwardResultAttachmentAnalyzed, ForwardResultAttachmentSkipped, ForwardResultInline, ForwardVerdict$1 as ForwardVerdict, ForwardVerification, KnownWebhookEvent, ParsedData, ParsedDataComplete, ParsedDataFailed, ParsedError, ParsedStatus$1 as ParsedStatus, RawContent, RawContentDownloadOnly, RawContentInline, SpfResult$1 as SpfResult, UnknownEvent, ValidateEmailAuthResult, WebhookAttachment, WebhookEvent } from "./types-CKFmgitP.js";
+import { DecodeRawEmailOptions, GenerateDownloadTokenOptions, HandleWebhookOptions, LEGACY_CONFIRMED_HEADER$1 as LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER$1 as LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS$1 as PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER$1 as PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER$1 as PRIMITIVE_SIGNATURE_HEADER, PrimitiveWebhookError$1 as PrimitiveWebhookError, RAW_EMAIL_ERRORS$1 as RAW_EMAIL_ERRORS, RawEmailDecodeError$1 as RawEmailDecodeError, RawEmailDecodeErrorCode, STANDARD_WEBHOOK_ID_HEADER$1 as STANDARD_WEBHOOK_ID_HEADER, STANDARD_WEBHOOK_SIGNATURE_HEADER$1 as STANDARD_WEBHOOK_SIGNATURE_HEADER, STANDARD_WEBHOOK_TIMESTAMP_HEADER$1 as STANDARD_WEBHOOK_TIMESTAMP_HEADER, SignResult, StandardWebhooksSignResult, StandardWebhooksVerifyOptions, VERIFICATION_ERRORS$1 as VERIFICATION_ERRORS, VerifyDownloadTokenOptions, VerifyDownloadTokenResult, VerifyOptions, WEBHOOK_VERSION$1 as WEBHOOK_VERSION, WebhookErrorCode, WebhookHeaders, WebhookPayloadError$1 as WebhookPayloadError, WebhookPayloadErrorCode, WebhookValidationError$1 as WebhookValidationError, WebhookValidationErrorCode, WebhookVerificationError$1 as WebhookVerificationError, WebhookVerificationErrorCode, confirmedHeaders$1 as confirmedHeaders, decodeRawEmail$1 as decodeRawEmail, emailReceivedEventJsonSchema$1 as emailReceivedEventJsonSchema, generateDownloadToken$1 as generateDownloadToken, getDownloadTimeRemaining$1 as getDownloadTimeRemaining, handleWebhook$1 as handleWebhook, isDownloadExpired$1 as isDownloadExpired, isEmailReceivedEvent$1 as isEmailReceivedEvent, isRawIncluded$1 as isRawIncluded, parseWebhookEvent$1 as parseWebhookEvent, safeValidateEmailReceivedEvent$1 as safeValidateEmailReceivedEvent, signStandardWebhooksPayload$1 as signStandardWebhooksPayload, signWebhookPayload$1 as signWebhookPayload, validateEmailAuth$1 as validateEmailAuth, validateEmailReceivedEvent$1 as validateEmailReceivedEvent, verifyDownloadToken$1 as verifyDownloadToken, verifyRawEmailDownload$1 as verifyRawEmailDownload, verifyStandardWebhooksSignature$1 as verifyStandardWebhooksSignature, verifyWebhookSignature$1 as verifyWebhookSignature } from "./index-DLmAI4UQ.js";
+export { AuthConfidence, AuthVerdict, DecodeRawEmailOptions, DkimResult, DkimSignature, DmarcPolicy, DmarcResult, EmailAddress, EmailAnalysis, EmailAuth, EmailReceivedEvent, EventType, ForwardAnalysis, ForwardOriginalSender, ForwardResult, ForwardResultAttachmentAnalyzed, ForwardResultAttachmentSkipped, ForwardResultInline, ForwardVerdict, ForwardVerification, GenerateDownloadTokenOptions, HandleWebhookOptions, KnownWebhookEvent, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedData, ParsedDataComplete, ParsedDataFailed, ParsedError, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawContent, RawContentDownloadOnly, RawContentInline, RawEmailDecodeError, RawEmailDecodeErrorCode, STANDARD_WEBHOOK_ID_HEADER, STANDARD_WEBHOOK_SIGNATURE_HEADER, STANDARD_WEBHOOK_TIMESTAMP_HEADER, SignResult, SpfResult, StandardWebhooksSignResult, StandardWebhooksVerifyOptions, UnknownEvent, VERIFICATION_ERRORS, ValidateEmailAuthResult, VerifyDownloadTokenOptions, VerifyDownloadTokenResult, VerifyOptions, WEBHOOK_VERSION, WebhookAttachment, WebhookErrorCode, WebhookEvent, WebhookHeaders, WebhookPayloadError, WebhookPayloadErrorCode, WebhookValidationError, WebhookValidationErrorCode, WebhookVerificationError, WebhookVerificationErrorCode, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, generateDownloadToken, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signStandardWebhooksPayload, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyDownloadToken, verifyRawEmailDownload, verifyStandardWebhooksSignature, verifyWebhookSignature };

package/dist/index.js

@@ -1,3 +1,3 @@
-import { AuthConfidence, AuthVerdict, DkimResult, DmarcPolicy, DmarcResult, EventType, ForwardVerdict, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawEmailDecodeError, STANDARD_WEBHOOK_ID_HEADER, STANDARD_WEBHOOK_SIGNATURE_HEADER, STANDARD_WEBHOOK_TIMESTAMP_HEADER, SpfResult, VERIFICATION_ERRORS, WEBHOOK_VERSION, WebhookPayloadError, WebhookValidationError, WebhookVerificationError, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signStandardWebhooksPayload, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyRawEmailDownload, verifyStandardWebhooksSignature, verifyWebhookSignature } from "./webhook-uSco6pyX.js";
+import { AuthConfidence, AuthVerdict, DkimResult, DmarcPolicy, DmarcResult, EventType, ForwardVerdict, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawEmailDecodeError, STANDARD_WEBHOOK_ID_HEADER, STANDARD_WEBHOOK_SIGNATURE_HEADER, STANDARD_WEBHOOK_TIMESTAMP_HEADER, SpfResult, VERIFICATION_ERRORS, WEBHOOK_VERSION, WebhookPayloadError, WebhookValidationError, WebhookVerificationError, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, generateDownloadToken, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signStandardWebhooksPayload, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyDownloadToken, verifyRawEmailDownload, verifyStandardWebhooksSignature, verifyWebhookSignature } from "./webhook-COe5N_Uj.js";
 
-export { AuthConfidence, AuthVerdict, DkimResult, DmarcPolicy, DmarcResult, EventType, ForwardVerdict, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawEmailDecodeError, STANDARD_WEBHOOK_ID_HEADER, STANDARD_WEBHOOK_SIGNATURE_HEADER, STANDARD_WEBHOOK_TIMESTAMP_HEADER, SpfResult, VERIFICATION_ERRORS, WEBHOOK_VERSION, WebhookPayloadError, WebhookValidationError, WebhookVerificationError, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signStandardWebhooksPayload, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyRawEmailDownload, verifyStandardWebhooksSignature, verifyWebhookSignature };
+export { AuthConfidence, AuthVerdict, DkimResult, DmarcPolicy, DmarcResult, EventType, ForwardVerdict, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawEmailDecodeError, STANDARD_WEBHOOK_ID_HEADER, STANDARD_WEBHOOK_SIGNATURE_HEADER, STANDARD_WEBHOOK_TIMESTAMP_HEADER, SpfResult, VERIFICATION_ERRORS, WEBHOOK_VERSION, WebhookPayloadError, WebhookValidationError, WebhookVerificationError, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, generateDownloadToken, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signStandardWebhooksPayload, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyDownloadToken, verifyRawEmailDownload, verifyStandardWebhooksSignature, verifyWebhookSignature };

package/dist/parser/index.d.ts

@@ -1,4 +1,4 @@
-import { EmailAddress, ParsedDataComplete, WebhookAttachment } from "../types-C3ms4R0d.js";
+import { EmailAddress, ParsedDataComplete, WebhookAttachment } from "../types-CKFmgitP.js";
 
 //#region src/parser/attachment-parser.d.ts
 interface ParsedAttachment {

package/dist/{types-C3ms4R0d.d.ts → types-CKFmgitP.d.ts}

@@ -132,7 +132,7 @@ interface EmailReceivedEvent$1 {
        */
       download: {
         /**
-         * HTTPS URL to download the raw email. Returns the email as-is in RFC 5322 format.
+         * URL to download the raw email as-is in RFC 5322 format. Managed Primitive always issues HTTPS. Self-host deployments may issue HTTP URLs that resolve inside the operator's network (e.g. `http://localhost:4001/...`). Receivers that want to refuse plaintext downloads should check the scheme explicitly.
          */
         url: string;
         /**
@@ -263,7 +263,7 @@ interface ParsedDataComplete$1 {
    */
   attachments: WebhookAttachment$1[];
   /**
-   * HTTPS URL to download all attachments as a tar.gz archive. Null if the email had no attachments. URL expires - check the expiration before downloading.
+   * URL to download all attachments as a tar.gz archive. Null if the email had no attachments. Managed Primitive always issues HTTPS. Self-host deployments may issue HTTP URLs that resolve inside the operator's network. URL expires - check the expiration before downloading.
    */
   attachments_download_url: (string | null);
 }

package/dist/webhook/index.d.ts

@@ -1,3 +1,3 @@
-import { AuthConfidence$1 as AuthConfidence, AuthVerdict$1 as AuthVerdict, DkimResult$1 as DkimResult, DkimSignature, DmarcPolicy$1 as DmarcPolicy, DmarcResult$1 as DmarcResult, EmailAddress, EmailAnalysis, EmailAuth, EmailReceivedEvent, EventType$1 as EventType, ForwardAnalysis, ForwardOriginalSender, ForwardResult, ForwardResultAttachmentAnalyzed, ForwardResultAttachmentSkipped, ForwardResultInline, ForwardVerdict$1 as ForwardVerdict, ForwardVerification, KnownWebhookEvent, ParsedData, ParsedDataComplete, ParsedDataFailed, ParsedError, ParsedStatus$1 as ParsedStatus, RawContent, RawContentDownloadOnly, RawContentInline, SpfResult$1 as SpfResult, UnknownEvent, ValidateEmailAuthResult, WebhookAttachment, WebhookEvent } from "../types-C3ms4R0d.js";
-import { DecodeRawEmailOptions, HandleWebhookOptions, LEGACY_CONFIRMED_HEADER$1 as LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER$1 as LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS$1 as PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER$1 as PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER$1 as PRIMITIVE_SIGNATURE_HEADER, PrimitiveWebhookError$1 as PrimitiveWebhookError, RAW_EMAIL_ERRORS$1 as RAW_EMAIL_ERRORS, RawEmailDecodeError$1 as RawEmailDecodeError, RawEmailDecodeErrorCode, STANDARD_WEBHOOK_ID_HEADER$1 as STANDARD_WEBHOOK_ID_HEADER, STANDARD_WEBHOOK_SIGNATURE_HEADER$1 as STANDARD_WEBHOOK_SIGNATURE_HEADER, STANDARD_WEBHOOK_TIMESTAMP_HEADER$1 as STANDARD_WEBHOOK_TIMESTAMP_HEADER, SignResult, StandardWebhooksSignResult, StandardWebhooksVerifyOptions, VERIFICATION_ERRORS$1 as VERIFICATION_ERRORS, VerifyOptions, WEBHOOK_VERSION$1 as WEBHOOK_VERSION, WebhookErrorCode, WebhookHeaders, WebhookPayloadError$1 as WebhookPayloadError, WebhookPayloadErrorCode, WebhookValidationError$1 as WebhookValidationError, WebhookValidationErrorCode, WebhookVerificationError$1 as WebhookVerificationError, WebhookVerificationErrorCode, confirmedHeaders$1 as confirmedHeaders, decodeRawEmail$1 as decodeRawEmail, emailReceivedEventJsonSchema$1 as emailReceivedEventJsonSchema, getDownloadTimeRemaining$1 as getDownloadTimeRemaining, handleWebhook$1 as handleWebhook, isDownloadExpired$1 as isDownloadExpired, isEmailReceivedEvent$1 as isEmailReceivedEvent, isRawIncluded$1 as isRawIncluded, parseWebhookEvent$1 as parseWebhookEvent, safeValidateEmailReceivedEvent$1 as safeValidateEmailReceivedEvent, signStandardWebhooksPayload$1 as signStandardWebhooksPayload, signWebhookPayload$1 as signWebhookPayload, validateEmailAuth$1 as validateEmailAuth, validateEmailReceivedEvent$1 as validateEmailReceivedEvent, verifyRawEmailDownload$1 as verifyRawEmailDownload, verifyStandardWebhooksSignature$1 as verifyStandardWebhooksSignature, verifyWebhookSignature$1 as verifyWebhookSignature } from "../index-D2OuDGVz.js";
-export { AuthConfidence, AuthVerdict, DecodeRawEmailOptions, DkimResult, DkimSignature, DmarcPolicy, DmarcResult, EmailAddress, EmailAnalysis, EmailAuth, EmailReceivedEvent, EventType, ForwardAnalysis, ForwardOriginalSender, ForwardResult, ForwardResultAttachmentAnalyzed, ForwardResultAttachmentSkipped, ForwardResultInline, ForwardVerdict, ForwardVerification, HandleWebhookOptions, KnownWebhookEvent, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedData, ParsedDataComplete, ParsedDataFailed, ParsedError, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawContent, RawContentDownloadOnly, RawContentInline, RawEmailDecodeError, RawEmailDecodeErrorCode, STANDARD_WEBHOOK_ID_HEADER, STANDARD_WEBHOOK_SIGNATURE_HEADER, STANDARD_WEBHOOK_TIMESTAMP_HEADER, SignResult, SpfResult, StandardWebhooksSignResult, StandardWebhooksVerifyOptions, UnknownEvent, VERIFICATION_ERRORS, ValidateEmailAuthResult, VerifyOptions, WEBHOOK_VERSION, WebhookAttachment, WebhookErrorCode, WebhookEvent, WebhookHeaders, WebhookPayloadError, WebhookPayloadErrorCode, WebhookValidationError, WebhookValidationErrorCode, WebhookVerificationError, WebhookVerificationErrorCode, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signStandardWebhooksPayload, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyRawEmailDownload, verifyStandardWebhooksSignature, verifyWebhookSignature };
+import { AuthConfidence$1 as AuthConfidence, AuthVerdict$1 as AuthVerdict, DkimResult$1 as DkimResult, DkimSignature, DmarcPolicy$1 as DmarcPolicy, DmarcResult$1 as DmarcResult, EmailAddress, EmailAnalysis, EmailAuth, EmailReceivedEvent, EventType$1 as EventType, ForwardAnalysis, ForwardOriginalSender, ForwardResult, ForwardResultAttachmentAnalyzed, ForwardResultAttachmentSkipped, ForwardResultInline, ForwardVerdict$1 as ForwardVerdict, ForwardVerification, KnownWebhookEvent, ParsedData, ParsedDataComplete, ParsedDataFailed, ParsedError, ParsedStatus$1 as ParsedStatus, RawContent, RawContentDownloadOnly, RawContentInline, SpfResult$1 as SpfResult, UnknownEvent, ValidateEmailAuthResult, WebhookAttachment, WebhookEvent } from "../types-CKFmgitP.js";
+import { DecodeRawEmailOptions, GenerateDownloadTokenOptions, HandleWebhookOptions, LEGACY_CONFIRMED_HEADER$1 as LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER$1 as LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS$1 as PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER$1 as PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER$1 as PRIMITIVE_SIGNATURE_HEADER, PrimitiveWebhookError$1 as PrimitiveWebhookError, RAW_EMAIL_ERRORS$1 as RAW_EMAIL_ERRORS, RawEmailDecodeError$1 as RawEmailDecodeError, RawEmailDecodeErrorCode, STANDARD_WEBHOOK_ID_HEADER$1 as STANDARD_WEBHOOK_ID_HEADER, STANDARD_WEBHOOK_SIGNATURE_HEADER$1 as STANDARD_WEBHOOK_SIGNATURE_HEADER, STANDARD_WEBHOOK_TIMESTAMP_HEADER$1 as STANDARD_WEBHOOK_TIMESTAMP_HEADER, SignResult, StandardWebhooksSignResult, StandardWebhooksVerifyOptions, VERIFICATION_ERRORS$1 as VERIFICATION_ERRORS, VerifyDownloadTokenOptions, VerifyDownloadTokenResult, VerifyOptions, WEBHOOK_VERSION$1 as WEBHOOK_VERSION, WebhookErrorCode, WebhookHeaders, WebhookPayloadError$1 as WebhookPayloadError, WebhookPayloadErrorCode, WebhookValidationError$1 as WebhookValidationError, WebhookValidationErrorCode, WebhookVerificationError$1 as WebhookVerificationError, WebhookVerificationErrorCode, confirmedHeaders$1 as confirmedHeaders, decodeRawEmail$1 as decodeRawEmail, emailReceivedEventJsonSchema$1 as emailReceivedEventJsonSchema, generateDownloadToken$1 as generateDownloadToken, getDownloadTimeRemaining$1 as getDownloadTimeRemaining, handleWebhook$1 as handleWebhook, isDownloadExpired$1 as isDownloadExpired, isEmailReceivedEvent$1 as isEmailReceivedEvent, isRawIncluded$1 as isRawIncluded, parseWebhookEvent$1 as parseWebhookEvent, safeValidateEmailReceivedEvent$1 as safeValidateEmailReceivedEvent, signStandardWebhooksPayload$1 as signStandardWebhooksPayload, signWebhookPayload$1 as signWebhookPayload, validateEmailAuth$1 as validateEmailAuth, validateEmailReceivedEvent$1 as validateEmailReceivedEvent, verifyDownloadToken$1 as verifyDownloadToken, verifyRawEmailDownload$1 as verifyRawEmailDownload, verifyStandardWebhooksSignature$1 as verifyStandardWebhooksSignature, verifyWebhookSignature$1 as verifyWebhookSignature } from "../index-DLmAI4UQ.js";
+export { AuthConfidence, AuthVerdict, DecodeRawEmailOptions, DkimResult, DkimSignature, DmarcPolicy, DmarcResult, EmailAddress, EmailAnalysis, EmailAuth, EmailReceivedEvent, EventType, ForwardAnalysis, ForwardOriginalSender, ForwardResult, ForwardResultAttachmentAnalyzed, ForwardResultAttachmentSkipped, ForwardResultInline, ForwardVerdict, ForwardVerification, GenerateDownloadTokenOptions, HandleWebhookOptions, KnownWebhookEvent, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedData, ParsedDataComplete, ParsedDataFailed, ParsedError, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawContent, RawContentDownloadOnly, RawContentInline, RawEmailDecodeError, RawEmailDecodeErrorCode, STANDARD_WEBHOOK_ID_HEADER, STANDARD_WEBHOOK_SIGNATURE_HEADER, STANDARD_WEBHOOK_TIMESTAMP_HEADER, SignResult, SpfResult, StandardWebhooksSignResult, StandardWebhooksVerifyOptions, UnknownEvent, VERIFICATION_ERRORS, ValidateEmailAuthResult, VerifyDownloadTokenOptions, VerifyDownloadTokenResult, VerifyOptions, WEBHOOK_VERSION, WebhookAttachment, WebhookErrorCode, WebhookEvent, WebhookHeaders, WebhookPayloadError, WebhookPayloadErrorCode, WebhookValidationError, WebhookValidationErrorCode, WebhookVerificationError, WebhookVerificationErrorCode, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, generateDownloadToken, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signStandardWebhooksPayload, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyDownloadToken, verifyRawEmailDownload, verifyStandardWebhooksSignature, verifyWebhookSignature };

package/dist/webhook/index.js

@@ -1,3 +1,3 @@
-import { AuthConfidence, AuthVerdict, DkimResult, DmarcPolicy, DmarcResult, EventType, ForwardVerdict, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawEmailDecodeError, STANDARD_WEBHOOK_ID_HEADER, STANDARD_WEBHOOK_SIGNATURE_HEADER, STANDARD_WEBHOOK_TIMESTAMP_HEADER, SpfResult, VERIFICATION_ERRORS, WEBHOOK_VERSION, WebhookPayloadError, WebhookValidationError, WebhookVerificationError, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signStandardWebhooksPayload, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyRawEmailDownload, verifyStandardWebhooksSignature, verifyWebhookSignature } from "../webhook-uSco6pyX.js";
+import { AuthConfidence, AuthVerdict, DkimResult, DmarcPolicy, DmarcResult, EventType, ForwardVerdict, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawEmailDecodeError, STANDARD_WEBHOOK_ID_HEADER, STANDARD_WEBHOOK_SIGNATURE_HEADER, STANDARD_WEBHOOK_TIMESTAMP_HEADER, SpfResult, VERIFICATION_ERRORS, WEBHOOK_VERSION, WebhookPayloadError, WebhookValidationError, WebhookVerificationError, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, generateDownloadToken, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signStandardWebhooksPayload, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyDownloadToken, verifyRawEmailDownload, verifyStandardWebhooksSignature, verifyWebhookSignature } from "../webhook-COe5N_Uj.js";
 
-export { AuthConfidence, AuthVerdict, DkimResult, DmarcPolicy, DmarcResult, EventType, ForwardVerdict, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawEmailDecodeError, STANDARD_WEBHOOK_ID_HEADER, STANDARD_WEBHOOK_SIGNATURE_HEADER, STANDARD_WEBHOOK_TIMESTAMP_HEADER, SpfResult, VERIFICATION_ERRORS, WEBHOOK_VERSION, WebhookPayloadError, WebhookValidationError, WebhookVerificationError, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signStandardWebhooksPayload, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyRawEmailDownload, verifyStandardWebhooksSignature, verifyWebhookSignature };
+export { AuthConfidence, AuthVerdict, DkimResult, DmarcPolicy, DmarcResult, EventType, ForwardVerdict, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawEmailDecodeError, STANDARD_WEBHOOK_ID_HEADER, STANDARD_WEBHOOK_SIGNATURE_HEADER, STANDARD_WEBHOOK_TIMESTAMP_HEADER, SpfResult, VERIFICATION_ERRORS, WEBHOOK_VERSION, WebhookPayloadError, WebhookValidationError, WebhookVerificationError, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, generateDownloadToken, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signStandardWebhooksPayload, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyDownloadToken, verifyRawEmailDownload, verifyStandardWebhooksSignature, verifyWebhookSignature };

package/dist/{webhook-uSco6pyX.js → webhook-COe5N_Uj.js}

@@ -131,8 +131,8 @@ const schema12 = {
 								"url": {
 									"type": "string",
 									"format": "uri",
-									"pattern": "^https://",
-									"description": "HTTPS URL to download the raw email. Returns the email as-is in RFC 5322 format."
+									"pattern": "^https?://",
+									"description": "URL to download the raw email as-is in RFC 5322 format. Managed Primitive always issues HTTPS. Self-host deployments may issue HTTP URLs that resolve inside the operator's network (e.g. `http://localhost:4001/...`). Receivers that want to refuse plaintext downloads should check the scheme explicitly."
 								},
 								"expires_at": {
 									"type": "string",
@@ -184,7 +184,7 @@ const schema12 = {
 };
 const pattern0 = new RegExp("^evt_[a-f0-9]{64}$", "u");
 const pattern1 = new RegExp("^(?:(?:\\d{4}-(?:(?:01|03|05|07|08|10|12)-(?:0[1-9]|[12]\\d|3[01])|(?:04|06|09|11)-(?:0[1-9]|[12]\\d|30)|02-(?:0[1-9]|1\\d|2[0-8])))|(?:(?:[02468][048]00|[13579][26]00|\\d{2}(?:0[48]|[2468][048]|[13579][26]))-02-29))$", "u");
-const pattern4 = new RegExp("^https://", "u");
+const pattern4 = new RegExp("^https?://", "u");
 const formats0 = /^\d{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])[T\t ](?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d(?:\.\d+)?(?:[Zz]|[+-](?:[01]\d|2[0-3]):?[0-5]\d)$/;
 const formats4 = /^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)(?:\?(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i;
 const pattern2 = new RegExp("^[a-fA-F0-9]{64}$", "u");
@@ -749,8 +749,8 @@ const schema18 = {
 		"attachments_download_url": {
 			"type": ["string", "null"],
 			"format": "uri",
-			"pattern": "^https://",
-			"description": "HTTPS URL to download all attachments as a tar.gz archive. Null if the email had no attachments. URL expires - check the expiration before downloading."
+			"pattern": "^https?://",
+			"description": "URL to download all attachments as a tar.gz archive. Null if the email had no attachments. Managed Primitive always issues HTTPS. Self-host deployments may issue HTTP URLs that resolve inside the operator's network. URL expires - check the expiration before downloading."
 		}
 	},
 	"required": [
@@ -1797,8 +1797,8 @@ function validate15(data, { instancePath = "", parentData, parentDataProperty, r
 						instancePath: instancePath + "/attachments_download_url",
 						schemaPath: "#/properties/attachments_download_url/pattern",
 						keyword: "pattern",
-						params: { pattern: "^https://" },
-						message: "must match pattern \"^https://\""
+						params: { pattern: "^https?://" },
+						message: "must match pattern \"^https?://\""
 					};
 					if (vErrors === null) vErrors = [err66];
 					else vErrors.push(err66);
@@ -5465,8 +5465,8 @@ function validate11(data, { instancePath = "", parentData, parentDataProperty, r
 												instancePath: instancePath + "/email/content/download/url",
 												schemaPath: "#/properties/email/properties/content/properties/download/properties/url/pattern",
 												keyword: "pattern",
-												params: { pattern: "^https://" },
-												message: "must match pattern \"^https://\""
+												params: { pattern: "^https?://" },
+												message: "must match pattern \"^https?://\""
 											};
 											if (vErrors === null) vErrors = [err57];
 											else vErrors.push(err57);
@@ -5961,10 +5961,10 @@ function formatValidationIssue(error, input) {
 				message: `Invalid version format: ${JSON.stringify(actualValue ?? "unknown")}`,
 				suggestion: "Version must be a date in YYYY-MM-DD format (e.g., \"2025-12-14\")."
 			};
-			if (pattern === "^https://") return {
+			if (pattern === "^https?://") return {
 				field,
-				message: `Invalid value for ${field}: must be a valid HTTPS URL`,
-				suggestion: `Check that ${fromFieldLabel(field)} is a complete URL including the scheme and uses https://.`
+				message: `Invalid value for ${field}: must be a valid http:// or https:// URL`,
+				suggestion: `Check that ${fromFieldLabel(field)} is a complete URL including the http:// or https:// scheme.`
 			};
 			if (pattern === "^[a-fA-F0-9]{64}$") return {
 				field,
@@ -6043,6 +6043,102 @@ function safeValidateEmailReceivedEvent(input) {
 	};
 }
 
+//#endregion
+//#region src/webhook/download-tokens.ts
+const BASE64URL_PATTERN = /^[A-Za-z0-9_-]+$/;
+/**
+* Issue a signed download token.
+*
+* The resulting token is `<base64url-payload>.<base64url-signature>`, where
+* the payload is `{"email_id":"...","exp":...,"aud":"..."}` (snake_case,
+* field order fixed) and the signature is HMAC-SHA256 of the base64url
+* payload string using `secret`.
+*
+* @param params - Token inputs.
+* @returns The signed token string.
+*/
+function generateDownloadToken(params) {
+	const { emailId, expiresAt, audience, secret } = params;
+	const payload = {
+		email_id: emailId,
+		exp: expiresAt,
+		aud: audience
+	};
+	const payloadJson = JSON.stringify(payload);
+	const payloadStr = Buffer.from(payloadJson, "utf8").toString("base64url");
+	const signature = createHmac("sha256", secret).update(payloadStr).digest("base64url");
+	return `${payloadStr}.${signature}`;
+}
+/**
+* Verify a signed download token.
+*
+* Returns a discriminated-union result. The function never throws for
+* verification failures — only malformed inputs at the crypto layer would
+* surface. Callers should check `result.valid` and log `result.error`.
+*
+* @param params - Verification inputs.
+* @returns Whether the token is valid, plus a reason on failure.
+*/
+function verifyDownloadToken(params) {
+	const { token, emailId, audience, secret, nowSeconds } = params;
+	if (typeof token !== "string" || token.length === 0) return {
+		valid: false,
+		error: "Token is empty"
+	};
+	const firstDot = token.indexOf(".");
+	const lastDot = token.lastIndexOf(".");
+	if (firstDot === -1 || firstDot !== lastDot) return {
+		valid: false,
+		error: "Token is malformed: expected one '.'"
+	};
+	const payloadStr = token.slice(0, firstDot);
+	const providedSignature = token.slice(firstDot + 1);
+	if (payloadStr.length === 0 || providedSignature.length === 0) return {
+		valid: false,
+		error: "Token is malformed: empty part"
+	};
+	const expectedSignature = createHmac("sha256", secret).update(payloadStr).digest("base64url");
+	const providedBytes = Buffer.from(providedSignature, "base64url");
+	const expectedBytes = Buffer.from(expectedSignature, "base64url");
+	if (providedBytes.length !== expectedBytes.length || !timingSafeEqual(providedBytes, expectedBytes)) return {
+		valid: false,
+		error: "Invalid signature"
+	};
+	if (!BASE64URL_PATTERN.test(payloadStr)) return {
+		valid: false,
+		error: "Token payload is not valid base64url"
+	};
+	const decodedJson = Buffer.from(payloadStr, "base64url").toString("utf8");
+	let payload;
+	try {
+		payload = JSON.parse(decodedJson);
+	} catch {
+		return {
+			valid: false,
+			error: "Token payload is not valid JSON"
+		};
+	}
+	if (!payload || typeof payload !== "object" || Array.isArray(payload) || typeof payload.email_id !== "string" || typeof payload.aud !== "string" || typeof payload.exp !== "number") return {
+		valid: false,
+		error: "Token payload has wrong shape"
+	};
+	const { email_id, aud, exp } = payload;
+	if (aud !== audience) return {
+		valid: false,
+		error: "Audience mismatch"
+	};
+	if (email_id !== emailId) return {
+		valid: false,
+		error: "Email ID mismatch"
+	};
+	const now = nowSeconds ?? Math.floor(Date.now() / 1e3);
+	if (exp <= now) return {
+		valid: false,
+		error: "Token is expired"
+	};
+	return { valid: true };
+}
+
 //#endregion
 //#region src/webhook/encoding.ts
 const utf8Decoder = new TextDecoder("utf-8", { fatal: true });
@@ -6479,8 +6575,8 @@ const emailReceivedEventJsonSchema = {
 										"url": {
 											"type": "string",
 											"format": "uri",
-											"pattern": "^https://",
-											"description": "HTTPS URL to download the raw email. Returns the email as-is in RFC 5322 format."
+											"pattern": "^https?://",
+											"description": "URL to download the raw email as-is in RFC 5322 format. Managed Primitive always issues HTTPS. Self-host deployments may issue HTTP URLs that resolve inside the operator's network (e.g. `http://localhost:4001/...`). Receivers that want to refuse plaintext downloads should check the scheme explicitly."
 										},
 										"expires_at": {
 											"type": "string",
@@ -6689,8 +6785,8 @@ const emailReceivedEventJsonSchema = {
 				"attachments_download_url": {
 					"type": ["string", "null"],
 					"format": "uri",
-					"pattern": "^https://",
-					"description": "HTTPS URL to download all attachments as a tar.gz archive. Null if the email had no attachments. URL expires - check the expiration before downloading."
+					"pattern": "^https?://",
+					"description": "URL to download all attachments as a tar.gz archive. Null if the email had no attachments. Managed Primitive always issues HTTPS. Self-host deployments may issue HTTP URLs that resolve inside the operator's network. URL expires - check the expiration before downloading."
 				}
 			},
 			"required": [
@@ -7907,4 +8003,4 @@ function verifyRawEmailDownload(downloaded, event) {
 }
 
 //#endregion
-export { AuthConfidence, AuthVerdict, DkimResult, DmarcPolicy, DmarcResult, EventType, ForwardVerdict, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawEmailDecodeError, STANDARD_WEBHOOK_ID_HEADER, STANDARD_WEBHOOK_SIGNATURE_HEADER, STANDARD_WEBHOOK_TIMESTAMP_HEADER, SpfResult, VERIFICATION_ERRORS, WEBHOOK_VERSION, WebhookPayloadError, WebhookValidationError, WebhookVerificationError, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signStandardWebhooksPayload, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyRawEmailDownload, verifyStandardWebhooksSignature, verifyWebhookSignature };
+export { AuthConfidence, AuthVerdict, DkimResult, DmarcPolicy, DmarcResult, EventType, ForwardVerdict, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawEmailDecodeError, STANDARD_WEBHOOK_ID_HEADER, STANDARD_WEBHOOK_SIGNATURE_HEADER, STANDARD_WEBHOOK_TIMESTAMP_HEADER, SpfResult, VERIFICATION_ERRORS, WEBHOOK_VERSION, WebhookPayloadError, WebhookValidationError, WebhookVerificationError, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, generateDownloadToken, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signStandardWebhooksPayload, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyDownloadToken, verifyRawEmailDownload, verifyStandardWebhooksSignature, verifyWebhookSignature };

package/oclif.manifest.json

@@ -1263,5 +1263,5 @@
       "enableJsonFlag": false
     }
   },
-  "version": "0.4.0"
+  "version": "0.5.1"
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@primitivedotdev/sdk",
-  "version": "0.4.0",
+  "version": "0.5.1",
   "description": "Official Primitive Node.js SDK — webhook, api, openapi, contract, and parser modules",
   "type": "module",
   "module": "./dist/index.js",
@@ -93,9 +93,9 @@
     "test": "vitest run",
     "test:coverage": "vitest run --coverage",
     "test:watch": "vitest",
-    "typecheck": "pnpm generate && tsc --noEmit",
-    "lint": "biome check src/index.ts src/validation.ts src/types.ts src/webhook src/contract src/parser src/api/index.ts src/openapi/index.ts src/oclif tests/",
-    "lint:fix": "biome check --write src/index.ts src/validation.ts src/types.ts src/webhook src/contract src/parser src/api/index.ts src/openapi/index.ts src/oclif tests/",
+    "typecheck": "pnpm generate && tsc --noEmit -p tsconfig.typecheck.json",
+    "lint": "biome check --error-on-warnings src/index.ts src/validation.ts src/types.ts src/webhook src/contract src/parser src/api/index.ts src/openapi/index.ts src/oclif tests/",
+    "lint:fix": "biome check --write --error-on-warnings src/index.ts src/validation.ts src/types.ts src/webhook src/contract src/parser src/api/index.ts src/openapi/index.ts src/oclif tests/",
     "prepack": "pnpm build && oclif manifest",
     "postpack": "shx rm -f oclif.manifest.json",
     "prepublishOnly": "pnpm build"