@rotorsoft/act-http 1.0.0 → 1.2.0

package/dist/@types/webhook/classify.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Three buckets for an HTTP response from an outbound delivery:
+ *
+ * - `ok` — the receiver accepted the delivery (2xx). Stop and return.
+ * - `retry` — the receiver had a transient problem (5xx). Throw a
+ *   retryable error; drain will pace the next attempt per `backoff`.
+ * - `block` — the receiver rejected the delivery permanently (3xx
+ *   or 4xx). Throw a non-retryable error; drain blocks the stream
+ *   on the first failed attempt (when `blockOnError` is true) and
+ *   surfaces it via the `"blocked"` lifecycle event.
+ *
+ * The 3xx → `block` mapping is intentional: a redirect at the
+ * delivery layer means the configured URL is wrong, and retrying
+ * the same URL won't fix that. Manual operator review is the right
+ * next step, which is what the block path produces.
+ */
+export type HttpDisposition = "ok" | "retry" | "block";
+/**
+ * Classify an HTTP response as `ok` (2xx), `retry` (5xx), or
+ * `block` (3xx, 4xx). The classification {@link webhook} uses
+ * internally, lifted here so custom integrations (gRPC bridges,
+ * SDK-based reactions, etc.) can apply the same retry semantics
+ * without inventing a parallel rule.
+ */
+export declare function classifyHttpResponse(response: Response): HttpDisposition;
+/** Options for {@link tryOk}. */
+export type TryOkOptions = {
+    /** The endpoint that received the request. Surfaced on the thrown error and in its message. */
+    url: string;
+    /**
+     * Label prefixed onto the error message — typically the
+     * integration's identity (`"webhook"`, `"mySdk"`, `"grpc"`).
+     * Default: `"request"`.
+     */
+    label?: string;
+};
+/**
+ * If `response` is 2xx, return. Otherwise, capture the response body
+ * (best-effort) and throw a {@link RetryableHttpError} (for 5xx) or
+ * {@link NonRetryableHttpError} (for 3xx/4xx). Collapses the
+ * classify-and-throw boilerplate every custom HTTP-like reaction
+ * would otherwise write into one line:
+ *
+ * ```ts
+ * .on("OrderConfirmed").do(async (event) => {
+ *   const response = await mySdk.deliver(event);
+ *   await tryOk(response, { url: mySdk.url, label: "mySdk" });
+ *   // ...response was 2xx; continue with downstream work...
+ * });
+ * ```
+ *
+ * The {@link webhook} helper throws webhook-specific subclasses
+ * ({@link WebhookError} / {@link NonRetryableWebhookError}) for
+ * backward compatibility — both extend the generic classes thrown
+ * here, so `instanceof RetryableHttpError` matches both webhook and
+ * custom-integration errors uniformly.
+ */
+export declare function tryOk(response: Response, options: TryOkOptions): Promise<void>;
+//# sourceMappingURL=classify.d.ts.map

package/dist/@types/webhook/classify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"classify.d.ts","sourceRoot":"","sources":["../../../src/webhook/classify.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,eAAe,GAAG,IAAI,GAAG,OAAO,GAAG,OAAO,CAAC;AAEvD;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,QAAQ,GAAG,eAAe,CAIxE;AAED,iCAAiC;AACjC,MAAM,MAAM,YAAY,GAAG;IACzB,+FAA+F;IAC/F,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,KAAK,CACzB,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,YAAY,GACpB,OAAO,CAAC,IAAI,CAAC,CAmBf"}

package/dist/@types/webhook/index.d.ts

@@ -26,8 +26,9 @@
  */
 import type { ReactionHandler, Schemas } from "@rotorsoft/act";
 import { type WebhookConfig } from "./types.js";
-export type { WebhookBody, WebhookConfig, WebhookResolver } from "./types.js";
-export { NonRetryableWebhookError, WebhookError } from "./types.js";
+export { classifyHttpResponse, type HttpDisposition, type TryOkOptions, tryOk, } from "./classify.js";
+export type { HttpDeliveryErrorInit, WebhookBody, WebhookConfig, WebhookResolver, } from "./types.js";
+export { NonRetryableHttpError, NonRetryableWebhookError, RetryableHttpError, WebhookError, } from "./types.js";
 /**
  * Build a reaction handler that POSTs each event to an external URL.
  *

package/dist/@types/webhook/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/webhook/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAa,eAAe,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAC1E,OAAO,EAEL,KAAK,aAAa,EAEnB,MAAM,YAAY,CAAC;AAEpB,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC9E,OAAO,EAAE,wBAAwB,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAsBpE;;;;;;;;;;;;;GAaG;AACH,wBAAgB,OAAO,CAAC,OAAO,SAAS,OAAO,GAAG,OAAO,EACvD,MAAM,EAAE,aAAa,CAAC,OAAO,CAAC,GAC7B,eAAe,CAAC,OAAO,EAAE,MAAM,OAAO,CAAC,CAsEzC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/webhook/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAa,eAAe,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAG1E,OAAO,EAEL,KAAK,aAAa,EAEnB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,oBAAoB,EACpB,KAAK,eAAe,EACpB,KAAK,YAAY,EACjB,KAAK,GACN,MAAM,eAAe,CAAC;AACvB,YAAY,EACV,qBAAqB,EACrB,WAAW,EACX,aAAa,EACb,eAAe,GAChB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,kBAAkB,EAClB,YAAY,GACb,MAAM,YAAY,CAAC;AAsBpB;;;;;;;;;;;;;GAaG;AACH,wBAAgB,OAAO,CAAC,OAAO,SAAS,OAAO,GAAG,OAAO,EACvD,MAAM,EAAE,aAAa,CAAC,OAAO,CAAC,GAC7B,eAAe,CAAC,OAAO,EAAE,MAAM,OAAO,CAAC,CA+EzC"}

package/dist/@types/webhook/sign.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Compute the HMAC-SHA256 signature for an outbound webhook request.
+ *
+ * The signed payload is `${timestamp}.${body}` — Stripe-style. The
+ * timestamp is included so the receiver can reject replays via a
+ * window check, and the dot separator prevents `timestamp + body`
+ * ambiguity (12 + 345 vs 123 + 45).
+ *
+ * Returns `{ signature, timestamp }` so the webhook helper can attach
+ * both as headers — `X-Webhook-Signature: sha256=<hex>` and
+ * `X-Webhook-Timestamp: <unix-seconds>` — for the receiver to verify
+ * via `verifyWebhook` from `@rotorsoft/act-http/receiver`.
+ *
+ * `now` is exposed for tests; production callers should leave it
+ * undefined so wall-clock is used.
+ *
+ * @internal Reachable from tests via the source path. Not re-exported
+ *   from the package's `./webhook` entry — the webhook helper calls
+ *   it internally, and operators don't need it directly.
+ */
+export declare function signRequest(body: string, secret: string, now?: number): {
+    signature: string;
+    timestamp: string;
+};
+//# sourceMappingURL=sign.d.ts.map

package/dist/@types/webhook/sign.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign.d.ts","sourceRoot":"","sources":["../../../src/webhook/sign.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,WAAW,CACzB,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,EACd,GAAG,GAAE,MAAsC,GAC1C;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAK1C"}

package/dist/@types/webhook/types.d.ts

@@ -54,48 +54,89 @@ export type WebhookConfig<TEvents extends Schemas = Schemas> = {
      * Injection point for tests. Defaults to global `fetch`.
      */
     readonly fetch?: typeof fetch;
+    /**
+     * HMAC-SHA256 signing key. When set, the webhook helper attaches
+     * two headers to every request:
+     *
+     * - `X-Webhook-Signature: sha256=<hex>` — HMAC of
+     *   `${timestamp}.${body}` (`body` is the final serialized payload)
+     * - `X-Webhook-Timestamp: <unix-seconds>`
+     *
+     * Pair with `verifyWebhook` from `@rotorsoft/act-http/receiver` on
+     * the receiving side. When undefined, no signature headers are
+     * added — back-compat with consumers that don't need signing.
+     *
+     * Callers can override either header by returning it from the
+     * `headers` resolver (case-insensitive), the same way the
+     * `Idempotency-Key` and `Content-Type` defaults yield to caller
+     * intent.
+     */
+    readonly secret?: string;
 };
 /**
- * Common fields carried on both webhook error subclasses.
+ * Common fields carried on every HTTP delivery error in this package.
  */
-type WebhookErrorInit = {
+export type HttpDeliveryErrorInit = {
     status: number;
     url: string;
     responseBody?: string;
 };
 /**
- * Thrown when a webhook request fails in a way the drain pipeline
+ * Thrown when an HTTP delivery fails in a way the drain pipeline
  * should retry: network failure, timeout, or 5xx response. `status` is
  * `0` for network / timeout errors, the HTTP status code otherwise.
  *
- * The class itself is the retry signal — if the helper throws this,
+ * The class itself is the retry signal — if a reaction throws this,
  * drain treats it like any other error (counts against `maxRetries`,
- * paces with `backoff`). For permanent failures, the helper throws
- * {@link NonRetryableWebhookError} instead.
+ * paces with `backoff`). For permanent failures, throw
+ * {@link NonRetryableHttpError} instead.
+ *
+ * Generic enough to cover any custom HTTP-like integration (gRPC
+ * bridges, SDK-based reactions). {@link WebhookError} is a
+ * webhook-specific subclass kept for backward compatibility.
  */
-export declare class WebhookError extends Error {
+export declare class RetryableHttpError extends Error {
     readonly status: number;
     readonly url: string;
     readonly responseBody?: string;
-    constructor(message: string, init: WebhookErrorInit);
+    constructor(message: string, init: HttpDeliveryErrorInit);
 }
 /**
- * Thrown when a webhook returns a 4xx response. Extends
- * {@link NonRetryableError} so the drain finalizer blocks the stream on
- * the first failed attempt (when `blockOnError` is true) — no wasted
- * retries on permanent client errors.
+ * Thrown when an HTTP delivery returns a 3xx or 4xx response —
+ * permanent client errors that won't recover on retry. Extends
+ * {@link NonRetryableError} so the drain finalizer blocks the stream
+ * on the first failed attempt (when `blockOnError` is true) — no
+ * wasted retries on a malformed payload or wrong URL.
  *
- * Carries the same `status` / `url` / `responseBody` fields as
- * {@link WebhookError}; not a subclass of it (a single instance can't
- * be both `WebhookError` and `NonRetryableError`). Callers catching
- * either retryable or non-retryable webhook failures should check both
- * classes, or check the shared fields directly.
+ * Generic enough to cover any custom HTTP-like integration.
+ * {@link NonRetryableWebhookError} is a webhook-specific subclass kept
+ * for backward compatibility.
  */
-export declare class NonRetryableWebhookError extends NonRetryableError {
+export declare class NonRetryableHttpError extends NonRetryableError {
     readonly status: number;
     readonly url: string;
     readonly responseBody?: string;
-    constructor(message: string, init: WebhookErrorInit);
+    constructor(message: string, init: HttpDeliveryErrorInit);
+}
+/**
+ * Webhook-specific subclass of {@link RetryableHttpError}. Thrown by
+ * the {@link webhook} helper on 5xx responses, network failures, and
+ * timeouts. Existing `instanceof WebhookError` checks continue to
+ * work; new code targeting the generic HTTP integration shape can
+ * catch {@link RetryableHttpError} instead and handle webhook +
+ * custom integrations uniformly.
+ */
+export declare class WebhookError extends RetryableHttpError {
+    constructor(message: string, init: HttpDeliveryErrorInit);
+}
+/**
+ * Webhook-specific subclass of {@link NonRetryableHttpError}. Thrown
+ * by the {@link webhook} helper on 3xx/4xx responses. Existing
+ * `instanceof NonRetryableWebhookError` checks continue to work; new
+ * code can catch {@link NonRetryableHttpError} or
+ * {@link NonRetryableError} for broader coverage.
+ */
+export declare class NonRetryableWebhookError extends NonRetryableHttpError {
+    constructor(message: string, init: HttpDeliveryErrorInit);
 }
-export {};
 //# sourceMappingURL=types.d.ts.map

package/dist/@types/webhook/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/webhook/types.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,SAAS,EACd,iBAAiB,EACjB,KAAK,OAAO,EACb,MAAM,gBAAgB,CAAC;AAExB;;;;;;GAMG;AACH,MAAM,MAAM,eAAe,CAAC,OAAO,SAAS,OAAO,EAAE,CAAC,IAClD,CAAC,GACD,CAAC,CAAC,KAAK,EAAE,SAAS,CAAC,OAAO,EAAE,MAAM,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;AAEtD;;;;GAIG;AACH,MAAM,MAAM,WAAW,GACnB,MAAM,GACN;IAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;CAAE,GACjC,SAAS,OAAO,EAAE,CAAC;AAEvB;;;;GAIG;AACH,MAAM,MAAM,aAAa,CAAC,OAAO,SAAS,OAAO,GAAG,OAAO,IAAI;IAC7D,wDAAwD;IACxD,QAAQ,CAAC,GAAG,EAAE,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC/C,yCAAyC;IACzC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,OAAO,GAAG,QAAQ,CAAC;IACtD;;;;;OAKG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACpE;;;;;OAKG;IACH,QAAQ,CAAC,IAAI,CAAC,EACV,WAAW,GACX,CAAC,CAAC,KAAK,EAAE,SAAS,CAAC,OAAO,EAAE,MAAM,OAAO,CAAC,KAAK,WAAW,CAAC,CAAC;IAChE;;;OAGG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B;;;;OAIG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,CACxB,KAAK,EAAE,SAAS,CAAC,OAAO,EAAE,MAAM,OAAO,CAAC,KACrC,MAAM,GAAG,IAAI,CAAC;IACnB;;OAEG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;CAC/B,CAAC;AAEF;;GAEG;AACH,KAAK,gBAAgB,GAAG;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF;;;;;;;;;GASG;AACH,qBAAa,YAAa,SAAQ,KAAK;IACrC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;gBAEnB,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB;CAOpD;AAED;;;;;;;;;;;GAWG;AACH,qBAAa,wBAAyB,SAAQ,iBAAiB;IAC7D,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;gBAEnB,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB;CAOpD"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/webhook/types.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,SAAS,EACd,iBAAiB,EACjB,KAAK,OAAO,EACb,MAAM,gBAAgB,CAAC;AAExB;;;;;;GAMG;AACH,MAAM,MAAM,eAAe,CAAC,OAAO,SAAS,OAAO,EAAE,CAAC,IAClD,CAAC,GACD,CAAC,CAAC,KAAK,EAAE,SAAS,CAAC,OAAO,EAAE,MAAM,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;AAEtD;;;;GAIG;AACH,MAAM,MAAM,WAAW,GACnB,MAAM,GACN;IAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;CAAE,GACjC,SAAS,OAAO,EAAE,CAAC;AAEvB;;;;GAIG;AACH,MAAM,MAAM,aAAa,CAAC,OAAO,SAAS,OAAO,GAAG,OAAO,IAAI;IAC7D,wDAAwD;IACxD,QAAQ,CAAC,GAAG,EAAE,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC/C,yCAAyC;IACzC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,OAAO,GAAG,QAAQ,CAAC;IACtD;;;;;OAKG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACpE;;;;;OAKG;IACH,QAAQ,CAAC,IAAI,CAAC,EACV,WAAW,GACX,CAAC,CAAC,KAAK,EAAE,SAAS,CAAC,OAAO,EAAE,MAAM,OAAO,CAAC,KAAK,WAAW,CAAC,CAAC;IAChE;;;OAGG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B;;;;OAIG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,CACxB,KAAK,EAAE,SAAS,CAAC,OAAO,EAAE,MAAM,OAAO,CAAC,KACrC,MAAM,GAAG,IAAI,CAAC;IACnB;;OAEG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IAC9B;;;;;;;;;;;;;;;;OAgBG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAAG;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,qBAAa,kBAAmB,SAAQ,KAAK;IAC3C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;gBAEnB,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,qBAAqB;CAOzD;AAED;;;;;;;;;;GAUG;AACH,qBAAa,qBAAsB,SAAQ,iBAAiB;IAC1D,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;gBAEnB,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,qBAAqB;CAOzD;AAED;;;;;;;GAOG;AACH,qBAAa,YAAa,SAAQ,kBAAkB;gBACtC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,qBAAqB;CAIzD;AAED;;;;;;GAMG;AACH,qBAAa,wBAAyB,SAAQ,qBAAqB;gBACrD,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,qBAAqB;CAIzD"}

package/dist/api/index.cjs

@@ -0,0 +1,85 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/api/index.ts
+var api_exports = {};
+__export(api_exports, {
+  ERROR_MAP: () => ERROR_MAP,
+  toApiError: () => toApiError,
+  withIdempotency: () => withIdempotency
+});
+module.exports = __toCommonJS(api_exports);
+
+// src/api/errors.ts
+var import_act = require("@rotorsoft/act");
+var ERROR_MAP = {
+  ValidationError: { status: 422, code: "VALIDATION" },
+  InvariantError: { status: 409, code: "INVARIANT" },
+  ConcurrencyError: { status: 412, code: "CONCURRENCY" },
+  StreamClosedError: { status: 410, code: "STREAM_CLOSED" },
+  NonRetryableError: { status: 400, code: "NON_RETRYABLE" }
+};
+var lookupKnown = (err) => {
+  if (err instanceof import_act.ValidationError) return { name: "ValidationError" };
+  if (err instanceof import_act.InvariantError) return { name: "InvariantError" };
+  if (err instanceof import_act.ConcurrencyError) return { name: "ConcurrencyError" };
+  if (err instanceof import_act.StreamClosedError) return { name: "StreamClosedError" };
+  if (err instanceof import_act.NonRetryableError) return { name: "NonRetryableError" };
+  return null;
+};
+function toApiError(err) {
+  const known = lookupKnown(err);
+  if (known) {
+    const entry = ERROR_MAP[known.name];
+    return {
+      status: entry.status,
+      body: {
+        error: known.name,
+        detail: err.message,
+        code: entry.code
+      }
+    };
+  }
+  if (err instanceof Error) {
+    return {
+      status: 500,
+      body: { error: "InternalError", detail: err.message, code: "INTERNAL" }
+    };
+  }
+  return {
+    status: 500,
+    body: { error: "InternalError", code: "INTERNAL" }
+  };
+}
+
+// src/api/idempotency.ts
+async function withIdempotency(store, key, handler) {
+  const fresh = await store.claim(key);
+  if (!fresh) {
+    return { deduped: true };
+  }
+  return { deduped: false, result: await handler() };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ERROR_MAP,
+  toApiError,
+  withIdempotency
+});
+//# sourceMappingURL=index.cjs.map

package/dist/api/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/api/index.ts","../../src/api/errors.ts","../../src/api/idempotency.ts"],"sourcesContent":["/**\n * @packageDocumentation\n * @module act-http/api\n *\n * Shared utilities for the act-http auto-generated API surfaces.\n * Three concerns that every transport (tRPC, Hono, OpenAPI) has to\n * address — actor extraction, error envelope mapping,\n * `Idempotency-Key` wiring — defined once here and composed by each\n * transport sibling subpath.\n *\n * - {@link ActorExtractor} — the host-supplied closure that resolves\n *   an `Actor` from an incoming request. Auth (JWT, session, API\n *   key) stays in the host; the package only asks for this one\n *   function.\n * - {@link ApiError}, {@link ERROR_MAP}, {@link toApiError} — the\n *   uniform error envelope and the status/code mapping every\n *   transport uses. Cross-transport consistency by construction.\n * - {@link withIdempotency} — the helper that wraps action handlers\n *   in an `Idempotency-Key` claim. Reuses the\n *   `@rotorsoft/act-ops/idempotency` contract that\n *   `@rotorsoft/act-http/receiver` already speaks, so receivers and\n *   generated APIs share one `IdempotencyStore` implementation.\n *\n * Sibling subpaths in the same package consume the utilities here:\n *\n * - `@rotorsoft/act-http/trpc` — tRPC adapter (#843).\n * - `@rotorsoft/act-http/hono` — Hono adapter (#844).\n * - `@rotorsoft/act-http/openapi` — OpenAPI emitter (#845).\n *\n * Existing siblings unrelated to the generated-API work:\n *\n * - `@rotorsoft/act-http/webhook` — outbound POST delivery.\n * - `@rotorsoft/act-http/sse` — incremental state broadcast.\n * - `@rotorsoft/act-http/receiver` — inbound webhook ingestion.\n */\n\nexport type { ActorExtractor } from \"./actor.js\";\nexport {\n  type ApiError,\n  ERROR_MAP,\n  type ErrorMapEntry,\n  toApiError,\n} from \"./errors.js\";\nexport { type IdempotencyResult, withIdempotency } from \"./idempotency.js\";\n","import {\n  ConcurrencyError,\n  InvariantError,\n  NonRetryableError,\n  StreamClosedError,\n  ValidationError,\n} from \"@rotorsoft/act\";\n\n/**\n * Uniform error envelope shipped over the wire by every act-http\n * transport. Hosts get the same shape from REST, tRPC, and OpenAPI —\n * a client that talks to two transports doesn't have to invent two\n * error parsers.\n *\n * - `error` — the framework error name (`\"ValidationError\"`,\n *   `\"InvariantError\"`, …). Stable identifier, safe to switch on.\n * - `detail` — the framework's message text. Human-readable; not\n *   parsed by clients.\n * - `code` — a machine-readable status code from {@link ERROR_MAP}\n *   for clients that prefer enum-style branching over name strings.\n */\nexport type ApiError = {\n  error: string;\n  detail?: string;\n  code?: string;\n};\n\n/**\n * Status + code pair for one known framework error.\n */\nexport type ErrorMapEntry = {\n  status: number;\n  code: string;\n};\n\n/**\n * The single table that maps framework error types to HTTP status\n * codes and machine-readable codes. One table, three consumers\n * (Hono, tRPC, OpenAPI) — cross-transport consistency by\n * construction.\n *\n * Operators wanting different mappings wrap the generated transport\n * rather than mutating this — the consistency is the load-bearing\n * property, not the specific status codes.\n */\nexport const ERROR_MAP = {\n  ValidationError: { status: 422, code: \"VALIDATION\" },\n  InvariantError: { status: 409, code: \"INVARIANT\" },\n  ConcurrencyError: { status: 412, code: \"CONCURRENCY\" },\n  StreamClosedError: { status: 410, code: \"STREAM_CLOSED\" },\n  NonRetryableError: { status: 400, code: \"NON_RETRYABLE\" },\n} as const satisfies Record<string, ErrorMapEntry>;\n\nconst lookupKnown = (err: unknown): { name: keyof typeof ERROR_MAP } | null => {\n  if (err instanceof ValidationError) return { name: \"ValidationError\" };\n  if (err instanceof InvariantError) return { name: \"InvariantError\" };\n  if (err instanceof ConcurrencyError) return { name: \"ConcurrencyError\" };\n  if (err instanceof StreamClosedError) return { name: \"StreamClosedError\" };\n  if (err instanceof NonRetryableError) return { name: \"NonRetryableError\" };\n  return null;\n};\n\n/**\n * Translate an unknown thrown value into the canonical\n * {@link ApiError} envelope plus HTTP status. Each transport's error\n * boundary calls this once and forwards the result to the wire.\n *\n * Known framework errors map per {@link ERROR_MAP}. Everything else\n * surfaces as a 500 with `code: \"INTERNAL\"`; the `detail` field is\n * populated when the throw was an `Error` instance, omitted\n * otherwise (a thrown string or object doesn't get to leak its\n * payload to the client).\n */\nexport function toApiError(err: unknown): { status: number; body: ApiError } {\n  const known = lookupKnown(err);\n  if (known) {\n    const entry = ERROR_MAP[known.name];\n    return {\n      status: entry.status,\n      body: {\n        error: known.name,\n        detail: (err as Error).message,\n        code: entry.code,\n      },\n    };\n  }\n  if (err instanceof Error) {\n    return {\n      status: 500,\n      body: { error: \"InternalError\", detail: err.message, code: \"INTERNAL\" },\n    };\n  }\n  return {\n    status: 500,\n    body: { error: \"InternalError\", code: \"INTERNAL\" },\n  };\n}\n","import type { IdempotencyStore } from \"@rotorsoft/act-ops/idempotency\";\n\n/**\n * Result of a {@link withIdempotency} call.\n *\n * - `{ deduped: false, result }` — the claim was fresh; the handler\n *   ran and produced `result`.\n * - `{ deduped: true }` — the claim was already taken; the handler\n *   was *not* invoked. The caller decides how to respond (typically\n *   a 2xx with no body, matching the receiver-side convention).\n *\n * Note: the contract does not cache the previous response. A\n * duplicate call returns the deduped marker only — replaying the\n * original handler's output would require a response-caching\n * adapter, which is out of scope here. The receiver-side convention\n * (and the convention the generated transports follow) is \"ack the\n * duplicate; do nothing else.\"\n */\nexport type IdempotencyResult<T> =\n  | { deduped: false; result: T }\n  | { deduped: true };\n\n/**\n * Wrap an action handler so the framework honors `Idempotency-Key`\n * dedup. Acquires the key via {@link IdempotencyStore.claim}, runs\n * the handler exactly when the claim was fresh, and skips the\n * handler entirely on a duplicate.\n *\n * Reuses the contract `@rotorsoft/act-ops/idempotency` already\n * defines for the receiver-side `Idempotency-Key` story. A single\n * `IdempotencyStore` implementation covers both halves of the \"Act\n * over the wire\" surface — receiver and generated API.\n */\nexport async function withIdempotency<T>(\n  store: IdempotencyStore,\n  key: string,\n  handler: () => Promise<T>\n): Promise<IdempotencyResult<T>> {\n  const fresh = await store.claim(key);\n  if (!fresh) {\n    return { deduped: true };\n  }\n  return { deduped: false, result: await handler() };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,iBAMO;AAuCA,IAAM,YAAY;AAAA,EACvB,iBAAiB,EAAE,QAAQ,KAAK,MAAM,aAAa;AAAA,EACnD,gBAAgB,EAAE,QAAQ,KAAK,MAAM,YAAY;AAAA,EACjD,kBAAkB,EAAE,QAAQ,KAAK,MAAM,cAAc;AAAA,EACrD,mBAAmB,EAAE,QAAQ,KAAK,MAAM,gBAAgB;AAAA,EACxD,mBAAmB,EAAE,QAAQ,KAAK,MAAM,gBAAgB;AAC1D;AAEA,IAAM,cAAc,CAAC,QAA0D;AAC7E,MAAI,eAAe,2BAAiB,QAAO,EAAE,MAAM,kBAAkB;AACrE,MAAI,eAAe,0BAAgB,QAAO,EAAE,MAAM,iBAAiB;AACnE,MAAI,eAAe,4BAAkB,QAAO,EAAE,MAAM,mBAAmB;AACvE,MAAI,eAAe,6BAAmB,QAAO,EAAE,MAAM,oBAAoB;AACzE,MAAI,eAAe,6BAAmB,QAAO,EAAE,MAAM,oBAAoB;AACzE,SAAO;AACT;AAaO,SAAS,WAAW,KAAkD;AAC3E,QAAM,QAAQ,YAAY,GAAG;AAC7B,MAAI,OAAO;AACT,UAAM,QAAQ,UAAU,MAAM,IAAI;AAClC,WAAO;AAAA,MACL,QAAQ,MAAM;AAAA,MACd,MAAM;AAAA,QACJ,OAAO,MAAM;AAAA,QACb,QAAS,IAAc;AAAA,QACvB,MAAM,MAAM;AAAA,MACd;AAAA,IACF;AAAA,EACF;AACA,MAAI,eAAe,OAAO;AACxB,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM,EAAE,OAAO,iBAAiB,QAAQ,IAAI,SAAS,MAAM,WAAW;AAAA,IACxE;AAAA,EACF;AACA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,MAAM,EAAE,OAAO,iBAAiB,MAAM,WAAW;AAAA,EACnD;AACF;;;AC/DA,eAAsB,gBACpB,OACA,KACA,SAC+B;AAC/B,QAAM,QAAQ,MAAM,MAAM,MAAM,GAAG;AACnC,MAAI,CAAC,OAAO;AACV,WAAO,EAAE,SAAS,KAAK;AAAA,EACzB;AACA,SAAO,EAAE,SAAS,OAAO,QAAQ,MAAM,QAAQ,EAAE;AACnD;","names":[]}

package/dist/api/index.js

@@ -0,0 +1,62 @@
+// src/api/errors.ts
+import {
+  ConcurrencyError,
+  InvariantError,
+  NonRetryableError,
+  StreamClosedError,
+  ValidationError
+} from "@rotorsoft/act";
+var ERROR_MAP = {
+  ValidationError: { status: 422, code: "VALIDATION" },
+  InvariantError: { status: 409, code: "INVARIANT" },
+  ConcurrencyError: { status: 412, code: "CONCURRENCY" },
+  StreamClosedError: { status: 410, code: "STREAM_CLOSED" },
+  NonRetryableError: { status: 400, code: "NON_RETRYABLE" }
+};
+var lookupKnown = (err) => {
+  if (err instanceof ValidationError) return { name: "ValidationError" };
+  if (err instanceof InvariantError) return { name: "InvariantError" };
+  if (err instanceof ConcurrencyError) return { name: "ConcurrencyError" };
+  if (err instanceof StreamClosedError) return { name: "StreamClosedError" };
+  if (err instanceof NonRetryableError) return { name: "NonRetryableError" };
+  return null;
+};
+function toApiError(err) {
+  const known = lookupKnown(err);
+  if (known) {
+    const entry = ERROR_MAP[known.name];
+    return {
+      status: entry.status,
+      body: {
+        error: known.name,
+        detail: err.message,
+        code: entry.code
+      }
+    };
+  }
+  if (err instanceof Error) {
+    return {
+      status: 500,
+      body: { error: "InternalError", detail: err.message, code: "INTERNAL" }
+    };
+  }
+  return {
+    status: 500,
+    body: { error: "InternalError", code: "INTERNAL" }
+  };
+}
+
+// src/api/idempotency.ts
+async function withIdempotency(store, key, handler) {
+  const fresh = await store.claim(key);
+  if (!fresh) {
+    return { deduped: true };
+  }
+  return { deduped: false, result: await handler() };
+}
+export {
+  ERROR_MAP,
+  toApiError,
+  withIdempotency
+};
+//# sourceMappingURL=index.js.map

package/dist/api/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/api/errors.ts","../../src/api/idempotency.ts"],"sourcesContent":["import {\n  ConcurrencyError,\n  InvariantError,\n  NonRetryableError,\n  StreamClosedError,\n  ValidationError,\n} from \"@rotorsoft/act\";\n\n/**\n * Uniform error envelope shipped over the wire by every act-http\n * transport. Hosts get the same shape from REST, tRPC, and OpenAPI —\n * a client that talks to two transports doesn't have to invent two\n * error parsers.\n *\n * - `error` — the framework error name (`\"ValidationError\"`,\n *   `\"InvariantError\"`, …). Stable identifier, safe to switch on.\n * - `detail` — the framework's message text. Human-readable; not\n *   parsed by clients.\n * - `code` — a machine-readable status code from {@link ERROR_MAP}\n *   for clients that prefer enum-style branching over name strings.\n */\nexport type ApiError = {\n  error: string;\n  detail?: string;\n  code?: string;\n};\n\n/**\n * Status + code pair for one known framework error.\n */\nexport type ErrorMapEntry = {\n  status: number;\n  code: string;\n};\n\n/**\n * The single table that maps framework error types to HTTP status\n * codes and machine-readable codes. One table, three consumers\n * (Hono, tRPC, OpenAPI) — cross-transport consistency by\n * construction.\n *\n * Operators wanting different mappings wrap the generated transport\n * rather than mutating this — the consistency is the load-bearing\n * property, not the specific status codes.\n */\nexport const ERROR_MAP = {\n  ValidationError: { status: 422, code: \"VALIDATION\" },\n  InvariantError: { status: 409, code: \"INVARIANT\" },\n  ConcurrencyError: { status: 412, code: \"CONCURRENCY\" },\n  StreamClosedError: { status: 410, code: \"STREAM_CLOSED\" },\n  NonRetryableError: { status: 400, code: \"NON_RETRYABLE\" },\n} as const satisfies Record<string, ErrorMapEntry>;\n\nconst lookupKnown = (err: unknown): { name: keyof typeof ERROR_MAP } | null => {\n  if (err instanceof ValidationError) return { name: \"ValidationError\" };\n  if (err instanceof InvariantError) return { name: \"InvariantError\" };\n  if (err instanceof ConcurrencyError) return { name: \"ConcurrencyError\" };\n  if (err instanceof StreamClosedError) return { name: \"StreamClosedError\" };\n  if (err instanceof NonRetryableError) return { name: \"NonRetryableError\" };\n  return null;\n};\n\n/**\n * Translate an unknown thrown value into the canonical\n * {@link ApiError} envelope plus HTTP status. Each transport's error\n * boundary calls this once and forwards the result to the wire.\n *\n * Known framework errors map per {@link ERROR_MAP}. Everything else\n * surfaces as a 500 with `code: \"INTERNAL\"`; the `detail` field is\n * populated when the throw was an `Error` instance, omitted\n * otherwise (a thrown string or object doesn't get to leak its\n * payload to the client).\n */\nexport function toApiError(err: unknown): { status: number; body: ApiError } {\n  const known = lookupKnown(err);\n  if (known) {\n    const entry = ERROR_MAP[known.name];\n    return {\n      status: entry.status,\n      body: {\n        error: known.name,\n        detail: (err as Error).message,\n        code: entry.code,\n      },\n    };\n  }\n  if (err instanceof Error) {\n    return {\n      status: 500,\n      body: { error: \"InternalError\", detail: err.message, code: \"INTERNAL\" },\n    };\n  }\n  return {\n    status: 500,\n    body: { error: \"InternalError\", code: \"INTERNAL\" },\n  };\n}\n","import type { IdempotencyStore } from \"@rotorsoft/act-ops/idempotency\";\n\n/**\n * Result of a {@link withIdempotency} call.\n *\n * - `{ deduped: false, result }` — the claim was fresh; the handler\n *   ran and produced `result`.\n * - `{ deduped: true }` — the claim was already taken; the handler\n *   was *not* invoked. The caller decides how to respond (typically\n *   a 2xx with no body, matching the receiver-side convention).\n *\n * Note: the contract does not cache the previous response. A\n * duplicate call returns the deduped marker only — replaying the\n * original handler's output would require a response-caching\n * adapter, which is out of scope here. The receiver-side convention\n * (and the convention the generated transports follow) is \"ack the\n * duplicate; do nothing else.\"\n */\nexport type IdempotencyResult<T> =\n  | { deduped: false; result: T }\n  | { deduped: true };\n\n/**\n * Wrap an action handler so the framework honors `Idempotency-Key`\n * dedup. Acquires the key via {@link IdempotencyStore.claim}, runs\n * the handler exactly when the claim was fresh, and skips the\n * handler entirely on a duplicate.\n *\n * Reuses the contract `@rotorsoft/act-ops/idempotency` already\n * defines for the receiver-side `Idempotency-Key` story. A single\n * `IdempotencyStore` implementation covers both halves of the \"Act\n * over the wire\" surface — receiver and generated API.\n */\nexport async function withIdempotency<T>(\n  store: IdempotencyStore,\n  key: string,\n  handler: () => Promise<T>\n): Promise<IdempotencyResult<T>> {\n  const fresh = await store.claim(key);\n  if (!fresh) {\n    return { deduped: true };\n  }\n  return { deduped: false, result: await handler() };\n}\n"],"mappings":";AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAuCA,IAAM,YAAY;AAAA,EACvB,iBAAiB,EAAE,QAAQ,KAAK,MAAM,aAAa;AAAA,EACnD,gBAAgB,EAAE,QAAQ,KAAK,MAAM,YAAY;AAAA,EACjD,kBAAkB,EAAE,QAAQ,KAAK,MAAM,cAAc;AAAA,EACrD,mBAAmB,EAAE,QAAQ,KAAK,MAAM,gBAAgB;AAAA,EACxD,mBAAmB,EAAE,QAAQ,KAAK,MAAM,gBAAgB;AAC1D;AAEA,IAAM,cAAc,CAAC,QAA0D;AAC7E,MAAI,eAAe,gBAAiB,QAAO,EAAE,MAAM,kBAAkB;AACrE,MAAI,eAAe,eAAgB,QAAO,EAAE,MAAM,iBAAiB;AACnE,MAAI,eAAe,iBAAkB,QAAO,EAAE,MAAM,mBAAmB;AACvE,MAAI,eAAe,kBAAmB,QAAO,EAAE,MAAM,oBAAoB;AACzE,MAAI,eAAe,kBAAmB,QAAO,EAAE,MAAM,oBAAoB;AACzE,SAAO;AACT;AAaO,SAAS,WAAW,KAAkD;AAC3E,QAAM,QAAQ,YAAY,GAAG;AAC7B,MAAI,OAAO;AACT,UAAM,QAAQ,UAAU,MAAM,IAAI;AAClC,WAAO;AAAA,MACL,QAAQ,MAAM;AAAA,MACd,MAAM;AAAA,QACJ,OAAO,MAAM;AAAA,QACb,QAAS,IAAc;AAAA,QACvB,MAAM,MAAM;AAAA,MACd;AAAA,IACF;AAAA,EACF;AACA,MAAI,eAAe,OAAO;AACxB,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM,EAAE,OAAO,iBAAiB,QAAQ,IAAI,SAAS,MAAM,WAAW;AAAA,IACxE;AAAA,EACF;AACA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,MAAM,EAAE,OAAO,iBAAiB,MAAM,WAAW;AAAA,EACnD;AACF;;;AC/DA,eAAsB,gBACpB,OACA,KACA,SAC+B;AAC/B,QAAM,QAAQ,MAAM,MAAM,MAAM,GAAG;AACnC,MAAI,CAAC,OAAO;AACV,WAAO,EAAE,SAAS,KAAK;AAAA,EACzB;AACA,SAAO,EAAE,SAAS,OAAO,QAAQ,MAAM,QAAQ,EAAE;AACnD;","names":[]}

package/dist/chunk-F7VWYZ37.js

@@ -0,0 +1,29 @@
+import {
+  checkWebhook
+} from "./chunk-NOIXOF2I.js";
+
+// src/receiver/hono/index.ts
+function webhookMiddleware(options) {
+  return async function check(c, next) {
+    const headers = headersBag(c.req.raw.headers);
+    const rawBody = await c.req.text();
+    const result = await checkWebhook(headers, rawBody, options);
+    if (!result.ok) {
+      return c.json({ error: result.reason }, result.status);
+    }
+    c.set("idempotency", { key: result.key, deduped: result.deduped });
+    await next();
+  };
+}
+function headersBag(headers) {
+  const out = {};
+  headers.forEach((value, key) => {
+    out[key] = value;
+  });
+  return out;
+}
+
+export {
+  webhookMiddleware
+};
+//# sourceMappingURL=chunk-F7VWYZ37.js.map

package/dist/chunk-F7VWYZ37.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/receiver/hono/index.ts"],"sourcesContent":["/**\n * @packageDocumentation\n * @module act-http/receiver/hono\n *\n * Hono adapter for the receiver-side webhook check.\n *\n * Usage:\n *\n * ```ts\n * import { Hono } from \"hono\";\n * import { webhookMiddleware } from \"@rotorsoft/act-http/receiver/hono\";\n * import { InMemoryIdempotencyStore } from \"@rotorsoft/act-ops/idempotency\";\n *\n * const app = new Hono();\n * const dedup = new InMemoryIdempotencyStore();\n *\n * app.post(\n *   \"/webhooks/orders\",\n *   webhookMiddleware({ store: dedup, secret: process.env.WEBHOOK_SECRET }),\n *   async (c) => {\n *     const idem = c.get(\"idempotency\") as { key: string; deduped: boolean };\n *     if (idem.deduped) return c.json({ status: \"dedup-skipped\", key: idem.key });\n *     // ... process the inbound event ...\n *     return c.json({ status: \"processed\", key: idem.key });\n *   }\n * );\n * ```\n *\n * On failure: returns `c.json({ error: <reason> }, status)` directly\n * (Hono short-circuits when middleware returns a Response). On\n * success: stashes `c.set(\"idempotency\", { key, deduped })` and\n * continues with `await next()`.\n *\n * **Raw body**: Hono exposes `await c.req.text()` natively, which\n * the middleware reads when `secret` is configured. No extra setup\n * needed.\n */\nimport type { MiddlewareHandler } from \"hono\";\nimport { type CheckWebhookOptions, checkWebhook } from \"../check.js\";\n\n/**\n * Variables this middleware contributes to the Hono context. The\n * generic on the returned {@link MiddlewareHandler} threads it\n * through so route handlers downstream of `app.post(..., webhookMiddleware(...), handler)`\n * see `c.get(\"idempotency\")` typed without a manual cast.\n */\nexport type WebhookVariables = {\n  idempotency: { key: string; deduped: boolean };\n};\n\n/**\n * Build a Hono middleware that verifies the request signature (when\n * `secret` is set), enforces `Idempotency-Key`, and claims the key\n * on the configured store. See the module-level docs for usage.\n */\nexport function webhookMiddleware(\n  options: CheckWebhookOptions\n): MiddlewareHandler<{ Variables: WebhookVariables }> {\n  return async function check(c, next) {\n    const headers = headersBag(c.req.raw.headers);\n    const rawBody = await c.req.text();\n    const result = await checkWebhook(headers, rawBody, options);\n    if (!result.ok) {\n      return c.json({ error: result.reason }, result.status);\n    }\n    c.set(\"idempotency\", { key: result.key, deduped: result.deduped });\n    await next();\n  };\n}\n\nfunction headersBag(\n  headers: Headers\n): Record<string, string | string[] | undefined> {\n  const out: Record<string, string | string[] | undefined> = {};\n  headers.forEach((value, key) => {\n    out[key] = value;\n  });\n  return out;\n}\n"],"mappings":";;;;;AAuDO,SAAS,kBACd,SACoD;AACpD,SAAO,eAAe,MAAM,GAAG,MAAM;AACnC,UAAM,UAAU,WAAW,EAAE,IAAI,IAAI,OAAO;AAC5C,UAAM,UAAU,MAAM,EAAE,IAAI,KAAK;AACjC,UAAM,SAAS,MAAM,aAAa,SAAS,SAAS,OAAO;AAC3D,QAAI,CAAC,OAAO,IAAI;AACd,aAAO,EAAE,KAAK,EAAE,OAAO,OAAO,OAAO,GAAG,OAAO,MAAM;AAAA,IACvD;AACA,MAAE,IAAI,eAAe,EAAE,KAAK,OAAO,KAAK,SAAS,OAAO,QAAQ,CAAC;AACjE,UAAM,KAAK;AAAA,EACb;AACF;AAEA,SAAS,WACP,SAC+C;AAC/C,QAAM,MAAqD,CAAC;AAC5D,UAAQ,QAAQ,CAAC,OAAO,QAAQ;AAC9B,QAAI,GAAG,IAAI;AAAA,EACb,CAAC;AACD,SAAO;AACT;","names":[]}

package/dist/chunk-NOIXOF2I.js

@@ -0,0 +1,78 @@
+// src/receiver/extract.ts
+function extractIdempotencyKey(headers) {
+  for (const [name, value] of Object.entries(headers)) {
+    if (name.toLowerCase() !== "idempotency-key") continue;
+    if (Array.isArray(value)) return void 0;
+    if (value === "") return void 0;
+    return value;
+  }
+  return void 0;
+}
+
+// src/receiver/verify.ts
+import { createHmac, timingSafeEqual } from "crypto";
+function verifyWebhook(headers, body, secret, options) {
+  const maxAgeSeconds = options?.maxAgeSeconds ?? 300;
+  const now = options?.now ?? Math.floor(Date.now() / 1e3);
+  const signature = pickHeader(headers, "x-webhook-signature");
+  if (!signature) return { ok: false, reason: "missing-signature" };
+  const timestampStr = pickHeader(headers, "x-webhook-timestamp");
+  if (!timestampStr) return { ok: false, reason: "missing-timestamp" };
+  const timestamp = Number.parseInt(timestampStr, 10);
+  if (Number.isNaN(timestamp) || String(timestamp) !== timestampStr) {
+    return { ok: false, reason: "missing-timestamp" };
+  }
+  const delta = now - timestamp;
+  if (delta > maxAgeSeconds) return { ok: false, reason: "stale" };
+  if (delta < -maxAgeSeconds) return { ok: false, reason: "future" };
+  if (!signature.startsWith("sha256=")) {
+    return { ok: false, reason: "bad-signature" };
+  }
+  const providedHex = signature.slice("sha256=".length);
+  if (!/^[0-9a-fA-F]{64}$/.test(providedHex)) {
+    return { ok: false, reason: "bad-signature" };
+  }
+  const expectedHex = createHmac("sha256", secret).update(`${timestampStr}.${body}`).digest("hex");
+  const a = Buffer.from(providedHex, "hex");
+  const b = Buffer.from(expectedHex, "hex");
+  if (!timingSafeEqual(a, b)) {
+    return { ok: false, reason: "bad-signature" };
+  }
+  return { ok: true };
+}
+function pickHeader(headers, lowerName) {
+  for (const [name, value] of Object.entries(headers)) {
+    if (name.toLowerCase() !== lowerName) continue;
+    if (Array.isArray(value) || value === void 0 || value === "") {
+      return void 0;
+    }
+    return value;
+  }
+  return void 0;
+}
+
+// src/receiver/check.ts
+async function checkWebhook(headers, body, options) {
+  if (options.secret !== void 0) {
+    const verification = verifyWebhook(
+      headers,
+      body,
+      options.secret,
+      options.verify
+    );
+    if (!verification.ok) {
+      return { ok: false, status: 401, reason: verification.reason };
+    }
+  }
+  const key = extractIdempotencyKey(headers);
+  if (!key) return { ok: false, status: 400, reason: "missing-key" };
+  const claimed = await options.store.claim(key);
+  return { ok: true, key, deduped: !claimed };
+}
+
+export {
+  extractIdempotencyKey,
+  verifyWebhook,
+  checkWebhook
+};
+//# sourceMappingURL=chunk-NOIXOF2I.js.map

package/dist/chunk-NOIXOF2I.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/receiver/extract.ts","../src/receiver/verify.ts","../src/receiver/check.ts"],"sourcesContent":["/**\n * Pull the `Idempotency-Key` header from a Node-style headers bag,\n * case-insensitive. Returns `undefined` when any of the following\n * carries no usable key:\n *\n * - the header is missing\n * - its value is an array (ambiguous — can't pick one without a\n *   policy the receiver hasn't declared)\n * - its value is the empty string (carries no idempotency\n *   information; structurally equivalent to \"no header at all\")\n *\n * Pair with `IdempotencyStore.claim` from\n * `@rotorsoft/act-ops/idempotency`: extract the key from the inbound\n * request, claim it on the store, return a `deduped` marker when the\n * claim fails. The framework-agnostic middleware that wires these\n * together lands in #744.\n *\n * Validation beyond \"is there a usable key?\" (length bounds, format\n * checks, normalization) is intentionally out of scope. Receivers\n * picking a policy can layer it on top — or, when #744 ships, opt\n * into the middleware's opinionated defaults.\n */\nexport function extractIdempotencyKey(\n  headers: Record<string, string | string[] | undefined>\n): string | undefined {\n  for (const [name, value] of Object.entries(headers)) {\n    if (name.toLowerCase() !== \"idempotency-key\") continue;\n    if (Array.isArray(value)) return undefined;\n    if (value === \"\") return undefined;\n    return value;\n  }\n  return undefined;\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\";\n\n/**\n * Outcome of {@link verifyWebhook}. Either the request signature\n * checks out, or one of five distinct failure reasons applies. Each\n * reason maps to an operator-meaningful telemetry bucket — separated\n * deliberately so dashboards can distinguish \"client lost its secret\"\n * from \"client clock is wrong\" from \"this is a replay attack.\"\n */\nexport type VerifyResult =\n  | { ok: true }\n  | {\n      ok: false;\n      reason:\n        | \"missing-signature\"\n        | \"missing-timestamp\"\n        | \"stale\"\n        | \"future\"\n        | \"bad-signature\";\n    };\n\n/** Options for {@link verifyWebhook}. */\nexport type VerifyOptions = {\n  /**\n   * Maximum acceptable timestamp drift in either direction, in\n   * seconds. Default: 300 (±5 minutes) — matches Stripe / GitHub /\n   * Slack conventions. Tightening narrows the replay window;\n   * loosening accommodates clients with worse clock sync.\n   */\n  maxAgeSeconds?: number;\n  /**\n   * Current Unix-seconds time. Exposed for tests; production\n   * callers should leave it undefined so wall-clock is used.\n   */\n  now?: number;\n};\n\n/**\n * Verify an inbound webhook's signature and timestamp against the\n * shared secret. Pair with the sender side: configure\n * `webhook({ secret })` from `@rotorsoft/act-http/webhook`.\n *\n * Returns `{ ok: true }` on success or `{ ok: false; reason }` on\n * failure. The reasons are:\n *\n * - `missing-signature` — no `X-Webhook-Signature` header, value\n *   was an array, or value was empty.\n * - `missing-timestamp` — no `X-Webhook-Timestamp` header, value\n *   was empty, or value isn't a parseable integer.\n * - `stale` — timestamp older than `maxAgeSeconds` from `now`.\n * - `future` — timestamp more than `maxAgeSeconds` ahead of `now`.\n * - `bad-signature` — signature header didn't start with `sha256=`,\n *   wasn't 64 hex chars, or the recomputed HMAC didn't match\n *   (constant-time compare).\n *\n * The signed payload is `${timestamp}.${body}`, so `body` must be\n * the **raw request body bytes**. Any pre-parse normalization\n * (whitespace trimming, JSON re-stringification) would change the\n * hash and reject every otherwise-valid request. Framework adapters\n * in #744 will provide the raw body alongside the parsed one.\n *\n * Uses Node's `crypto.timingSafeEqual` for the final comparison to\n * avoid signature-equality timing attacks.\n */\nexport function verifyWebhook(\n  headers: Record<string, string | string[] | undefined>,\n  body: string,\n  secret: string,\n  options?: VerifyOptions\n): VerifyResult {\n  const maxAgeSeconds = options?.maxAgeSeconds ?? 300;\n  const now = options?.now ?? Math.floor(Date.now() / 1000);\n\n  const signature = pickHeader(headers, \"x-webhook-signature\");\n  if (!signature) return { ok: false, reason: \"missing-signature\" };\n\n  const timestampStr = pickHeader(headers, \"x-webhook-timestamp\");\n  if (!timestampStr) return { ok: false, reason: \"missing-timestamp\" };\n  const timestamp = Number.parseInt(timestampStr, 10);\n  if (Number.isNaN(timestamp) || String(timestamp) !== timestampStr) {\n    return { ok: false, reason: \"missing-timestamp\" };\n  }\n\n  const delta = now - timestamp;\n  if (delta > maxAgeSeconds) return { ok: false, reason: \"stale\" };\n  if (delta < -maxAgeSeconds) return { ok: false, reason: \"future\" };\n\n  if (!signature.startsWith(\"sha256=\")) {\n    return { ok: false, reason: \"bad-signature\" };\n  }\n  const providedHex = signature.slice(\"sha256=\".length);\n  if (!/^[0-9a-fA-F]{64}$/.test(providedHex)) {\n    return { ok: false, reason: \"bad-signature\" };\n  }\n\n  const expectedHex = createHmac(\"sha256\", secret)\n    .update(`${timestampStr}.${body}`)\n    .digest(\"hex\");\n\n  const a = Buffer.from(providedHex, \"hex\");\n  const b = Buffer.from(expectedHex, \"hex\");\n  if (!timingSafeEqual(a, b)) {\n    return { ok: false, reason: \"bad-signature\" };\n  }\n\n  return { ok: true };\n}\n\nfunction pickHeader(\n  headers: Record<string, string | string[] | undefined>,\n  lowerName: string\n): string | undefined {\n  for (const [name, value] of Object.entries(headers)) {\n    if (name.toLowerCase() !== lowerName) continue;\n    if (Array.isArray(value) || value === undefined || value === \"\") {\n      return undefined;\n    }\n    return value;\n  }\n  return undefined;\n}\n","import type { IdempotencyStore } from \"@rotorsoft/act-ops/idempotency\";\nimport { extractIdempotencyKey } from \"./extract.js\";\nimport { type VerifyOptions, verifyWebhook } from \"./verify.js\";\n\n/**\n * Failure reasons returned by {@link checkWebhook}. The shape splits\n * `missing-key` (a client error, mapped to HTTP 400) from the five\n * verification failures (authentication errors, HTTP 401) so each\n * maps to its own telemetry bucket.\n */\nexport type CheckFailureReason =\n  | \"missing-key\"\n  | \"missing-signature\"\n  | \"missing-timestamp\"\n  | \"stale\"\n  | \"future\"\n  | \"bad-signature\";\n\n/**\n * Outcome of {@link checkWebhook}. Either the request passed every\n * configured check and carries a usable idempotency key, or it\n * failed one of them and the framework adapter should reply with the\n * corresponding HTTP status.\n */\nexport type CheckResult =\n  | { ok: false; status: 400 | 401; reason: CheckFailureReason }\n  | { ok: true; key: string; deduped: boolean };\n\n/** Options for {@link checkWebhook}. */\nexport type CheckWebhookOptions = {\n  /** Idempotency store the framework-agnostic core claims the key on. */\n  store: IdempotencyStore;\n  /**\n   * Optional HMAC-SHA256 secret. When set, the request's\n   * `X-Webhook-Signature` and `X-Webhook-Timestamp` headers are\n   * verified before the dedup claim. When omitted, signature\n   * verification is skipped (unsigned receivers).\n   */\n  secret?: string;\n  /**\n   * Verification options forwarded to {@link verifyWebhook}. Only\n   * meaningful when `secret` is set. Defaults to a ±300-second\n   * timestamp window.\n   */\n  verify?: VerifyOptions;\n};\n\n/**\n * Framework-agnostic receiver check: verify the signature (when a\n * secret is configured), extract the `Idempotency-Key`, and claim\n * it on the store. Returns the request's fate as a discriminated\n * union the per-framework adapter translates into the framework's\n * idiomatic 4xx response or context injection.\n *\n * **Order of checks** (matters):\n *\n * 1. Verify signature + timestamp window (when `secret` is set).\n *    Rejecting bad signatures *before* extracting and claiming the\n *    key keeps attacker-supplied keys out of the dedup store —\n *    otherwise a flood of spoofed POSTs would pollute the LRU.\n * 2. Extract the `Idempotency-Key`. Missing → reject with 400.\n * 3. Claim the key on the store. If already seen, return\n *    `{ ok: true; deduped: true }` so the framework adapter can\n *    short-circuit the handler without re-running side effects.\n *\n * The dedup store may be sync (`InMemoryIdempotencyStore`) or async\n * (durable adapters like a future `PostgresIdempotencyStore`); the\n * core awaits unconditionally so both shapes compose cleanly.\n */\nexport async function checkWebhook(\n  headers: Record<string, string | string[] | undefined>,\n  body: string,\n  options: CheckWebhookOptions\n): Promise<CheckResult> {\n  if (options.secret !== undefined) {\n    const verification = verifyWebhook(\n      headers,\n      body,\n      options.secret,\n      options.verify\n    );\n    if (!verification.ok) {\n      return { ok: false, status: 401, reason: verification.reason };\n    }\n  }\n\n  const key = extractIdempotencyKey(headers);\n  if (!key) return { ok: false, status: 400, reason: \"missing-key\" };\n\n  const claimed = await options.store.claim(key);\n  return { ok: true, key, deduped: !claimed };\n}\n"],"mappings":";AAsBO,SAAS,sBACd,SACoB;AACpB,aAAW,CAAC,MAAM,KAAK,KAAK,OAAO,QAAQ,OAAO,GAAG;AACnD,QAAI,KAAK,YAAY,MAAM,kBAAmB;AAC9C,QAAI,MAAM,QAAQ,KAAK,EAAG,QAAO;AACjC,QAAI,UAAU,GAAI,QAAO;AACzB,WAAO;AAAA,EACT;AACA,SAAO;AACT;;;AChCA,SAAS,YAAY,uBAAuB;AAgErC,SAAS,cACd,SACA,MACA,QACA,SACc;AACd,QAAM,gBAAgB,SAAS,iBAAiB;AAChD,QAAM,MAAM,SAAS,OAAO,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAExD,QAAM,YAAY,WAAW,SAAS,qBAAqB;AAC3D,MAAI,CAAC,UAAW,QAAO,EAAE,IAAI,OAAO,QAAQ,oBAAoB;AAEhE,QAAM,eAAe,WAAW,SAAS,qBAAqB;AAC9D,MAAI,CAAC,aAAc,QAAO,EAAE,IAAI,OAAO,QAAQ,oBAAoB;AACnE,QAAM,YAAY,OAAO,SAAS,cAAc,EAAE;AAClD,MAAI,OAAO,MAAM,SAAS,KAAK,OAAO,SAAS,MAAM,cAAc;AACjE,WAAO,EAAE,IAAI,OAAO,QAAQ,oBAAoB;AAAA,EAClD;AAEA,QAAM,QAAQ,MAAM;AACpB,MAAI,QAAQ,cAAe,QAAO,EAAE,IAAI,OAAO,QAAQ,QAAQ;AAC/D,MAAI,QAAQ,CAAC,cAAe,QAAO,EAAE,IAAI,OAAO,QAAQ,SAAS;AAEjE,MAAI,CAAC,UAAU,WAAW,SAAS,GAAG;AACpC,WAAO,EAAE,IAAI,OAAO,QAAQ,gBAAgB;AAAA,EAC9C;AACA,QAAM,cAAc,UAAU,MAAM,UAAU,MAAM;AACpD,MAAI,CAAC,oBAAoB,KAAK,WAAW,GAAG;AAC1C,WAAO,EAAE,IAAI,OAAO,QAAQ,gBAAgB;AAAA,EAC9C;AAEA,QAAM,cAAc,WAAW,UAAU,MAAM,EAC5C,OAAO,GAAG,YAAY,IAAI,IAAI,EAAE,EAChC,OAAO,KAAK;AAEf,QAAM,IAAI,OAAO,KAAK,aAAa,KAAK;AACxC,QAAM,IAAI,OAAO,KAAK,aAAa,KAAK;AACxC,MAAI,CAAC,gBAAgB,GAAG,CAAC,GAAG;AAC1B,WAAO,EAAE,IAAI,OAAO,QAAQ,gBAAgB;AAAA,EAC9C;AAEA,SAAO,EAAE,IAAI,KAAK;AACpB;AAEA,SAAS,WACP,SACA,WACoB;AACpB,aAAW,CAAC,MAAM,KAAK,KAAK,OAAO,QAAQ,OAAO,GAAG;AACnD,QAAI,KAAK,YAAY,MAAM,UAAW;AACtC,QAAI,MAAM,QAAQ,KAAK,KAAK,UAAU,UAAa,UAAU,IAAI;AAC/D,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT;AACA,SAAO;AACT;;;ACnDA,eAAsB,aACpB,SACA,MACA,SACsB;AACtB,MAAI,QAAQ,WAAW,QAAW;AAChC,UAAM,eAAe;AAAA,MACnB;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,MACR,QAAQ;AAAA,IACV;AACA,QAAI,CAAC,aAAa,IAAI;AACpB,aAAO,EAAE,IAAI,OAAO,QAAQ,KAAK,QAAQ,aAAa,OAAO;AAAA,IAC/D;AAAA,EACF;AAEA,QAAM,MAAM,sBAAsB,OAAO;AACzC,MAAI,CAAC,IAAK,QAAO,EAAE,IAAI,OAAO,QAAQ,KAAK,QAAQ,cAAc;AAEjE,QAAM,UAAU,MAAM,QAAQ,MAAM,MAAM,GAAG;AAC7C,SAAO,EAAE,IAAI,MAAM,KAAK,SAAS,CAAC,QAAQ;AAC5C;","names":[]}