@rotorsoft/act-http 1.1.0 → 1.2.1

package/dist/@types/api/actor.d.ts

@@ -0,0 +1,20 @@
+import type { Actor } from "@rotorsoft/act";
+/**
+ * Extractor function the host supplies to resolve an {@link Actor}
+ * from an incoming request. The framework keeps auth out of the
+ * package — JWT vs session vs API key is the host's call — and asks
+ * for this single closure that every transport (tRPC, Hono, OpenAPI
+ * docs) composes against.
+ *
+ * The `request` argument is intentionally generic. Each transport
+ * narrows it at the call site (`IncomingMessage` for Hono, the tRPC
+ * context object for tRPC, etc.) — keeping the contract here
+ * transport-agnostic means one extractor implementation plugs into
+ * every adapter unchanged.
+ *
+ * Async is allowed so the extractor can verify a JWT against a
+ * remote JWKS endpoint without forcing every host to synchronously
+ * cache.
+ */
+export type ActorExtractor = (request: unknown) => Actor | Promise<Actor>;
+//# sourceMappingURL=actor.d.ts.map

package/dist/@types/api/actor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"actor.d.ts","sourceRoot":"","sources":["../../../src/api/actor.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,gBAAgB,CAAC;AAE5C;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,OAAO,EAAE,OAAO,KAAK,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC"}

package/dist/@types/api/errors.d.ts

@@ -0,0 +1,73 @@
+/**
+ * Uniform error envelope shipped over the wire by every act-http
+ * transport. Hosts get the same shape from REST, tRPC, and OpenAPI —
+ * a client that talks to two transports doesn't have to invent two
+ * error parsers.
+ *
+ * - `error` — the framework error name (`"ValidationError"`,
+ *   `"InvariantError"`, …). Stable identifier, safe to switch on.
+ * - `detail` — the framework's message text. Human-readable; not
+ *   parsed by clients.
+ * - `code` — a machine-readable status code from {@link ERROR_MAP}
+ *   for clients that prefer enum-style branching over name strings.
+ */
+export type ApiError = {
+    error: string;
+    detail?: string;
+    code?: string;
+};
+/**
+ * Status + code pair for one known framework error.
+ */
+export type ErrorMapEntry = {
+    status: number;
+    code: string;
+};
+/**
+ * The single table that maps framework error types to HTTP status
+ * codes and machine-readable codes. One table, three consumers
+ * (Hono, tRPC, OpenAPI) — cross-transport consistency by
+ * construction.
+ *
+ * Operators wanting different mappings wrap the generated transport
+ * rather than mutating this — the consistency is the load-bearing
+ * property, not the specific status codes.
+ */
+export declare const ERROR_MAP: {
+    readonly ValidationError: {
+        readonly status: 422;
+        readonly code: "VALIDATION";
+    };
+    readonly InvariantError: {
+        readonly status: 409;
+        readonly code: "INVARIANT";
+    };
+    readonly ConcurrencyError: {
+        readonly status: 412;
+        readonly code: "CONCURRENCY";
+    };
+    readonly StreamClosedError: {
+        readonly status: 410;
+        readonly code: "STREAM_CLOSED";
+    };
+    readonly NonRetryableError: {
+        readonly status: 400;
+        readonly code: "NON_RETRYABLE";
+    };
+};
+/**
+ * Translate an unknown thrown value into the canonical
+ * {@link ApiError} envelope plus HTTP status. Each transport's error
+ * boundary calls this once and forwards the result to the wire.
+ *
+ * Known framework errors map per {@link ERROR_MAP}. Everything else
+ * surfaces as a 500 with `code: "INTERNAL"`; the `detail` field is
+ * populated when the throw was an `Error` instance, omitted
+ * otherwise (a thrown string or object doesn't get to leak its
+ * payload to the client).
+ */
+export declare function toApiError(err: unknown): {
+    status: number;
+    body: ApiError;
+};
+//# sourceMappingURL=errors.d.ts.map

package/dist/@types/api/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../../src/api/errors.ts"],"names":[],"mappings":"AAQA;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,QAAQ,GAAG;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;CACd,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;CAM4B,CAAC;AAanD;;;;;;;;;;GAUG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,OAAO,GAAG;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,QAAQ,CAAA;CAAE,CAuB3E"}

package/dist/@types/api/idempotency.d.ts

@@ -0,0 +1,36 @@
+import type { IdempotencyStore } from "@rotorsoft/act-ops/idempotency";
+/**
+ * Result of a {@link withIdempotency} call.
+ *
+ * - `{ deduped: false, result }` — the claim was fresh; the handler
+ *   ran and produced `result`.
+ * - `{ deduped: true }` — the claim was already taken; the handler
+ *   was *not* invoked. The caller decides how to respond (typically
+ *   a 2xx with no body, matching the receiver-side convention).
+ *
+ * Note: the contract does not cache the previous response. A
+ * duplicate call returns the deduped marker only — replaying the
+ * original handler's output would require a response-caching
+ * adapter, which is out of scope here. The receiver-side convention
+ * (and the convention the generated transports follow) is "ack the
+ * duplicate; do nothing else."
+ */
+export type IdempotencyResult<T> = {
+    deduped: false;
+    result: T;
+} | {
+    deduped: true;
+};
+/**
+ * Wrap an action handler so the framework honors `Idempotency-Key`
+ * dedup. Acquires the key via {@link IdempotencyStore.claim}, runs
+ * the handler exactly when the claim was fresh, and skips the
+ * handler entirely on a duplicate.
+ *
+ * Reuses the contract `@rotorsoft/act-ops/idempotency` already
+ * defines for the receiver-side `Idempotency-Key` story. A single
+ * `IdempotencyStore` implementation covers both halves of the "Act
+ * over the wire" surface — receiver and generated API.
+ */
+export declare function withIdempotency<T>(store: IdempotencyStore, key: string, handler: () => Promise<T>): Promise<IdempotencyResult<T>>;
+//# sourceMappingURL=idempotency.d.ts.map

package/dist/@types/api/idempotency.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"idempotency.d.ts","sourceRoot":"","sources":["../../../src/api/idempotency.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AAEvE;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,iBAAiB,CAAC,CAAC,IAC3B;IAAE,OAAO,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,CAAC,CAAA;CAAE,GAC7B;IAAE,OAAO,EAAE,IAAI,CAAA;CAAE,CAAC;AAEtB;;;;;;;;;;GAUG;AACH,wBAAsB,eAAe,CAAC,CAAC,EACrC,KAAK,EAAE,gBAAgB,EACvB,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,GACxB,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAM/B"}

package/dist/@types/api/index.d.ts

@@ -0,0 +1,39 @@
+/**
+ * @packageDocumentation
+ * @module act-http/api
+ *
+ * Shared utilities for the act-http auto-generated API surfaces.
+ * Three concerns that every transport (tRPC, Hono, OpenAPI) has to
+ * address — actor extraction, error envelope mapping,
+ * `Idempotency-Key` wiring — defined once here and composed by each
+ * transport sibling subpath.
+ *
+ * - {@link ActorExtractor} — the host-supplied closure that resolves
+ *   an `Actor` from an incoming request. Auth (JWT, session, API
+ *   key) stays in the host; the package only asks for this one
+ *   function.
+ * - {@link ApiError}, {@link ERROR_MAP}, {@link toApiError} — the
+ *   uniform error envelope and the status/code mapping every
+ *   transport uses. Cross-transport consistency by construction.
+ * - {@link withIdempotency} — the helper that wraps action handlers
+ *   in an `Idempotency-Key` claim. Reuses the
+ *   `@rotorsoft/act-ops/idempotency` contract that
+ *   `@rotorsoft/act-http/receiver` already speaks, so receivers and
+ *   generated APIs share one `IdempotencyStore` implementation.
+ *
+ * Sibling subpaths in the same package consume the utilities here:
+ *
+ * - `@rotorsoft/act-http/trpc` — tRPC adapter (#843).
+ * - `@rotorsoft/act-http/hono` — Hono adapter (#844).
+ * - `@rotorsoft/act-http/openapi` — OpenAPI emitter (#845).
+ *
+ * Existing siblings unrelated to the generated-API work:
+ *
+ * - `@rotorsoft/act-http/webhook` — outbound POST delivery.
+ * - `@rotorsoft/act-http/sse` — incremental state broadcast.
+ * - `@rotorsoft/act-http/receiver` — inbound webhook ingestion.
+ */
+export type { ActorExtractor } from "./actor.js";
+export { type ApiError, ERROR_MAP, type ErrorMapEntry, toApiError, } from "./errors.js";
+export { type IdempotencyResult, withIdempotency } from "./idempotency.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/@types/api/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/api/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAEH,YAAY,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AACjD,OAAO,EACL,KAAK,QAAQ,EACb,SAAS,EACT,KAAK,aAAa,EAClB,UAAU,GACX,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,KAAK,iBAAiB,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/@types/receiver/start.d.ts

@@ -19,7 +19,7 @@ import type { ReceiverBuilder, ReceiverOptions } from "@rotorsoft/act-ops/receiv
  *   }), async (event, ctx) => {
  *     // event.orderId and event.total are typed
  *     // ctx.key is the deduplicated Idempotency-Key
- *     await processOrder(event.orderId, event.total);
+ *     await process_order(event.orderId, event.total);
  *   })
  *   .build();
  *

package/dist/@types/sse/apply-patch.d.ts

@@ -22,12 +22,12 @@ export type ApplyResult<S extends BroadcastState = BroadcastState> = {
  *
  * ```typescript
  * onData: (msg) => {
- *   const cached = utils.getState.getData({ streamId });
+ *   const cached = utils.get_state.get_data({ streamId });
  *   const result = applyPatchMessage(msg, cached);
  *   if (result.ok) {
- *     utils.getState.setData({ streamId }, result.state);
+ *     utils.get_state.setData({ streamId }, result.state);
  *   } else if (result.reason === "behind") {
- *     utils.getState.invalidate({ streamId }); // trigger full refetch
+ *     utils.get_state.invalidate({ streamId }); // trigger full refetch
  *   }
  *   // "stale" → no-op, client already has newer state
  * }

package/dist/@types/sse/broadcast.d.ts

@@ -25,7 +25,7 @@ import type { BroadcastState, PatchMessage, Subscriber } from "./types.js";
  * });
  *
  * // Initial state for reconnects:
- * const cached = broadcast.getState(streamId);
+ * const cached = broadcast.get_state(streamId);
  * ```
  *
  * ## Version Contract
@@ -36,9 +36,9 @@ import type { BroadcastState, PatchMessage, Subscriber } from "./types.js";
  */
 export declare class BroadcastChannel<S extends BroadcastState = BroadcastState> {
     private channels;
-    private stateCache;
+    private state_cache;
     constructor(options?: {
-        cacheSize?: number;
+        cache_size?: number;
     });
     /**
      * Publish domain patches from a commit.
@@ -54,16 +54,16 @@ export declare class BroadcastChannel<S extends BroadcastState = BroadcastState>
      * (e.g. presence overlay, computed field refresh).
      * Uses the same version as the cached state, single entry.
      */
-    publishOverlay(streamId: string, overlayPatch: Partial<S>): PatchMessage<S> | undefined;
+    publish_overlay(streamId: string, overlay_patch: Partial<S>): PatchMessage<S> | undefined;
     /**
      * Subscribe to broadcast messages for a stream.
      * Returns a cleanup function that removes the subscription.
      */
     subscribe(streamId: string, cb: Subscriber<S>): () => void;
     /** Get the number of subscribers for a stream. */
-    getSubscriberCount(streamId: string): number;
+    get_subscriber_count(streamId: string): number;
     /** Get the cached state for a stream (for reconnects / initial SSE yield). */
-    getState(streamId: string): S | undefined;
+    get_state(streamId: string): S | undefined;
     /** Direct access to the state cache (for app-specific reads like presence). */
     get cache(): StateCache<S>;
 }

package/dist/@types/sse/broadcast.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"broadcast.d.ts","sourceRoot":"","sources":["../../../src/sse/broadcast.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE3E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,qBAAa,gBAAgB,CAAC,CAAC,SAAS,cAAc,GAAG,cAAc;IACrE,OAAO,CAAC,QAAQ,CAAyC;IACzD,OAAO,CAAC,UAAU,CAAgB;gBAEtB,OAAO,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE;IAI5C;;;;;;;OAOG;IACH,OAAO,CACL,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,CAAC,EACR,OAAO,GAAE,OAAO,CAAC,CAAC,CAAC,EAAO,GACzB,YAAY,CAAC,CAAC,CAAC;IAgBlB;;;;OAIG;IACH,cAAc,CACZ,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC,GACvB,YAAY,CAAC,CAAC,CAAC,GAAG,SAAS;IAe9B;;;OAGG;IACH,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,CAAC,CAAC,CAAC,GAAG,MAAM,IAAI;IAW1D,kDAAkD;IAClD,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM;IAI5C,8EAA8E;IAC9E,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,CAAC,GAAG,SAAS;IAIzC,+EAA+E;IAC/E,IAAI,KAAK,IAAI,UAAU,CAAC,CAAC,CAAC,CAEzB;CACF"}
+{"version":3,"file":"broadcast.d.ts","sourceRoot":"","sources":["../../../src/sse/broadcast.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE3E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,qBAAa,gBAAgB,CAAC,CAAC,SAAS,cAAc,GAAG,cAAc;IACrE,OAAO,CAAC,QAAQ,CAAyC;IACzD,OAAO,CAAC,WAAW,CAAgB;gBAEvB,OAAO,CAAC,EAAE;QAAE,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE;IAI7C;;;;;;;OAOG;IACH,OAAO,CACL,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,CAAC,EACR,OAAO,GAAE,OAAO,CAAC,CAAC,CAAC,EAAO,GACzB,YAAY,CAAC,CAAC,CAAC;IAgBlB;;;;OAIG;IACH,eAAe,CACb,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,OAAO,CAAC,CAAC,CAAC,GACxB,YAAY,CAAC,CAAC,CAAC,GAAG,SAAS;IAe9B;;;OAGG;IACH,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,CAAC,CAAC,CAAC,GAAG,MAAM,IAAI;IAW1D,kDAAkD;IAClD,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM;IAI9C,8EAA8E;IAC9E,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,CAAC,GAAG,SAAS;IAI1C,+EAA+E;IAC/E,IAAI,KAAK,IAAI,UAAU,CAAC,CAAC,CAAC,CAEzB;CACF"}

package/dist/@types/sse/presence.d.ts

@@ -11,24 +11,24 @@
  * const presence = new PresenceTracker();
  *
  * // On SSE connect:
- * presence.add(gameId, playerId);
+ * presence.add(game_id, player_id);
  *
  * // On SSE disconnect:
- * presence.remove(gameId, playerId);
+ * presence.remove(game_id, player_id);
  *
  * // Query:
- * presence.getOnline(gameId); // Set<string>
+ * presence.get_online(game_id); // Set<string>
  * ```
  */
 export declare class PresenceTracker {
     private streams;
     /** Increment ref count for an identity on a stream. */
-    add(streamId: string, identityId: string): void;
+    add(streamId: string, identity_id: string): void;
     /** Decrement ref count. Removes the identity when count reaches 0. */
-    remove(streamId: string, identityId: string): void;
+    remove(streamId: string, identity_id: string): void;
     /** Get the set of online identity IDs for a stream. */
-    getOnline(streamId: string): Set<string>;
+    get_online(streamId: string): Set<string>;
     /** Check if a specific identity is online for a stream. */
-    isOnline(streamId: string, identityId: string): boolean;
+    is_online(streamId: string, identity_id: string): boolean;
 }
 //# sourceMappingURL=presence.d.ts.map

package/dist/@types/sse/presence.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"presence.d.ts","sourceRoot":"","sources":["../../../src/sse/presence.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,OAAO,CAA0C;IAEzD,uDAAuD;IACvD,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI;IAM/C,sEAAsE;IACtE,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI;IASlD,uDAAuD;IACvD,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;IAKxC,2DAA2D;IAC3D,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO;CAGxD"}
+{"version":3,"file":"presence.d.ts","sourceRoot":"","sources":["../../../src/sse/presence.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,OAAO,CAA0C;IAEzD,uDAAuD;IACvD,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI;IAMhD,sEAAsE;IACtE,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI;IASnD,uDAAuD;IACvD,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;IAKzC,2DAA2D;IAC3D,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO;CAG1D"}

package/dist/@types/webhook/classify.d.ts

@@ -22,14 +22,14 @@ export type HttpDisposition = "ok" | "retry" | "block";
  * SDK-based reactions, etc.) can apply the same retry semantics
  * without inventing a parallel rule.
  */
-export declare function classifyHttpResponse(response: Response): HttpDisposition;
-/** Options for {@link tryOk}. */
+export declare function classify_http_response(response: Response): HttpDisposition;
+/** Options for {@link try_ok}. */
 export type TryOkOptions = {
     /** The endpoint that received the request. Surfaced on the thrown error and in its message. */
     url: string;
     /**
      * Label prefixed onto the error message — typically the
-     * integration's identity (`"webhook"`, `"mySdk"`, `"grpc"`).
+     * integration's identity (`"webhook"`, `"my_sdk"`, `"grpc"`).
      * Default: `"request"`.
      */
     label?: string;
@@ -43,8 +43,8 @@ export type TryOkOptions = {
  *
  * ```ts
  * .on("OrderConfirmed").do(async (event) => {
- *   const response = await mySdk.deliver(event);
- *   await tryOk(response, { url: mySdk.url, label: "mySdk" });
+ *   const response = await my_sdk.deliver(event);
+ *   await try_ok(response, { url: my_sdk.url, label: "my_sdk" });
  *   // ...response was 2xx; continue with downstream work...
  * });
  * ```
@@ -55,5 +55,5 @@ export type TryOkOptions = {
  * here, so `instanceof RetryableHttpError` matches both webhook and
  * custom-integration errors uniformly.
  */
-export declare function tryOk(response: Response, options: TryOkOptions): Promise<void>;
+export declare function try_ok(response: Response, options: TryOkOptions): Promise<void>;
 //# sourceMappingURL=classify.d.ts.map

package/dist/@types/webhook/classify.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"classify.d.ts","sourceRoot":"","sources":["../../../src/webhook/classify.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,eAAe,GAAG,IAAI,GAAG,OAAO,GAAG,OAAO,CAAC;AAEvD;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,QAAQ,GAAG,eAAe,CAIxE;AAED,iCAAiC;AACjC,MAAM,MAAM,YAAY,GAAG;IACzB,+FAA+F;IAC/F,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,KAAK,CACzB,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,YAAY,GACpB,OAAO,CAAC,IAAI,CAAC,CAmBf"}
+{"version":3,"file":"classify.d.ts","sourceRoot":"","sources":["../../../src/webhook/classify.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,eAAe,GAAG,IAAI,GAAG,OAAO,GAAG,OAAO,CAAC;AAEvD;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,QAAQ,GAAG,eAAe,CAI1E;AAED,kCAAkC;AAClC,MAAM,MAAM,YAAY,GAAG;IACzB,+FAA+F;IAC/F,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,MAAM,CAC1B,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,YAAY,GACpB,OAAO,CAAC,IAAI,CAAC,CAmBf"}

package/dist/@types/webhook/index.d.ts

@@ -26,7 +26,7 @@
  */
 import type { ReactionHandler, Schemas } from "@rotorsoft/act";
 import { type WebhookConfig } from "./types.js";
-export { classifyHttpResponse, type HttpDisposition, type TryOkOptions, tryOk, } from "./classify.js";
+export type { HttpDisposition } from "./classify.js";
 export type { HttpDeliveryErrorInit, WebhookBody, WebhookConfig, WebhookResolver, } from "./types.js";
 export { NonRetryableHttpError, NonRetryableWebhookError, RetryableHttpError, WebhookError, } from "./types.js";
 /**

package/dist/@types/webhook/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/webhook/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAa,eAAe,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAG1E,OAAO,EAEL,KAAK,aAAa,EAEnB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,oBAAoB,EACpB,KAAK,eAAe,EACpB,KAAK,YAAY,EACjB,KAAK,GACN,MAAM,eAAe,CAAC;AACvB,YAAY,EACV,qBAAqB,EACrB,WAAW,EACX,aAAa,EACb,eAAe,GAChB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,kBAAkB,EAClB,YAAY,GACb,MAAM,YAAY,CAAC;AAsBpB;;;;;;;;;;;;;GAaG;AACH,wBAAgB,OAAO,CAAC,OAAO,SAAS,OAAO,GAAG,OAAO,EACvD,MAAM,EAAE,aAAa,CAAC,OAAO,CAAC,GAC7B,eAAe,CAAC,OAAO,EAAE,MAAM,OAAO,CAAC,CA+EzC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/webhook/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAa,eAAe,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAG1E,OAAO,EAEL,KAAK,aAAa,EAEnB,MAAM,YAAY,CAAC;AAEpB,YAAY,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AACrD,YAAY,EACV,qBAAqB,EACrB,WAAW,EACX,aAAa,EACb,eAAe,GAChB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,kBAAkB,EAClB,YAAY,GACb,MAAM,YAAY,CAAC;AAsBpB;;;;;;;;;;;;;GAaG;AACH,wBAAgB,OAAO,CAAC,OAAO,SAAS,OAAO,GAAG,OAAO,EACvD,MAAM,EAAE,aAAa,CAAC,OAAO,CAAC,GAC7B,eAAe,CAAC,OAAO,EAAE,MAAM,OAAO,CAAC,CA+EzC"}

package/dist/@types/webhook/sign.d.ts

@@ -18,7 +18,7 @@
  *   from the package's `./webhook` entry — the webhook helper calls
  *   it internally, and operators don't need it directly.
  */
-export declare function signRequest(body: string, secret: string, now?: number): {
+export declare function sign_request(body: string, secret: string, now?: number): {
     signature: string;
     timestamp: string;
 };

package/dist/@types/webhook/sign.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sign.d.ts","sourceRoot":"","sources":["../../../src/webhook/sign.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,WAAW,CACzB,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,EACd,GAAG,GAAE,MAAsC,GAC1C;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAK1C"}
+{"version":3,"file":"sign.d.ts","sourceRoot":"","sources":["../../../src/webhook/sign.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,EACd,GAAG,GAAE,MAAsC,GAC1C;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAK1C"}

package/dist/api/index.cjs

@@ -0,0 +1,85 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/api/index.ts
+var api_exports = {};
+__export(api_exports, {
+  ERROR_MAP: () => ERROR_MAP,
+  toApiError: () => toApiError,
+  withIdempotency: () => withIdempotency
+});
+module.exports = __toCommonJS(api_exports);
+
+// src/api/errors.ts
+var import_act = require("@rotorsoft/act");
+var ERROR_MAP = {
+  ValidationError: { status: 422, code: "VALIDATION" },
+  InvariantError: { status: 409, code: "INVARIANT" },
+  ConcurrencyError: { status: 412, code: "CONCURRENCY" },
+  StreamClosedError: { status: 410, code: "STREAM_CLOSED" },
+  NonRetryableError: { status: 400, code: "NON_RETRYABLE" }
+};
+var lookup_known = (err) => {
+  if (err instanceof import_act.ValidationError) return { name: "ValidationError" };
+  if (err instanceof import_act.InvariantError) return { name: "InvariantError" };
+  if (err instanceof import_act.ConcurrencyError) return { name: "ConcurrencyError" };
+  if (err instanceof import_act.StreamClosedError) return { name: "StreamClosedError" };
+  if (err instanceof import_act.NonRetryableError) return { name: "NonRetryableError" };
+  return null;
+};
+function toApiError(err) {
+  const known = lookup_known(err);
+  if (known) {
+    const entry = ERROR_MAP[known.name];
+    return {
+      status: entry.status,
+      body: {
+        error: known.name,
+        detail: err.message,
+        code: entry.code
+      }
+    };
+  }
+  if (err instanceof Error) {
+    return {
+      status: 500,
+      body: { error: "InternalError", detail: err.message, code: "INTERNAL" }
+    };
+  }
+  return {
+    status: 500,
+    body: { error: "InternalError", code: "INTERNAL" }
+  };
+}
+
+// src/api/idempotency.ts
+async function withIdempotency(store, key, handler) {
+  const fresh = await store.claim(key);
+  if (!fresh) {
+    return { deduped: true };
+  }
+  return { deduped: false, result: await handler() };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ERROR_MAP,
+  toApiError,
+  withIdempotency
+});
+//# sourceMappingURL=index.cjs.map

package/dist/api/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/api/index.ts","../../src/api/errors.ts","../../src/api/idempotency.ts"],"sourcesContent":["/**\n * @packageDocumentation\n * @module act-http/api\n *\n * Shared utilities for the act-http auto-generated API surfaces.\n * Three concerns that every transport (tRPC, Hono, OpenAPI) has to\n * address — actor extraction, error envelope mapping,\n * `Idempotency-Key` wiring — defined once here and composed by each\n * transport sibling subpath.\n *\n * - {@link ActorExtractor} — the host-supplied closure that resolves\n *   an `Actor` from an incoming request. Auth (JWT, session, API\n *   key) stays in the host; the package only asks for this one\n *   function.\n * - {@link ApiError}, {@link ERROR_MAP}, {@link toApiError} — the\n *   uniform error envelope and the status/code mapping every\n *   transport uses. Cross-transport consistency by construction.\n * - {@link withIdempotency} — the helper that wraps action handlers\n *   in an `Idempotency-Key` claim. Reuses the\n *   `@rotorsoft/act-ops/idempotency` contract that\n *   `@rotorsoft/act-http/receiver` already speaks, so receivers and\n *   generated APIs share one `IdempotencyStore` implementation.\n *\n * Sibling subpaths in the same package consume the utilities here:\n *\n * - `@rotorsoft/act-http/trpc` — tRPC adapter (#843).\n * - `@rotorsoft/act-http/hono` — Hono adapter (#844).\n * - `@rotorsoft/act-http/openapi` — OpenAPI emitter (#845).\n *\n * Existing siblings unrelated to the generated-API work:\n *\n * - `@rotorsoft/act-http/webhook` — outbound POST delivery.\n * - `@rotorsoft/act-http/sse` — incremental state broadcast.\n * - `@rotorsoft/act-http/receiver` — inbound webhook ingestion.\n */\n\nexport type { ActorExtractor } from \"./actor.js\";\nexport {\n  type ApiError,\n  ERROR_MAP,\n  type ErrorMapEntry,\n  toApiError,\n} from \"./errors.js\";\nexport { type IdempotencyResult, withIdempotency } from \"./idempotency.js\";\n","import {\n  ConcurrencyError,\n  InvariantError,\n  NonRetryableError,\n  StreamClosedError,\n  ValidationError,\n} from \"@rotorsoft/act\";\n\n/**\n * Uniform error envelope shipped over the wire by every act-http\n * transport. Hosts get the same shape from REST, tRPC, and OpenAPI —\n * a client that talks to two transports doesn't have to invent two\n * error parsers.\n *\n * - `error` — the framework error name (`\"ValidationError\"`,\n *   `\"InvariantError\"`, …). Stable identifier, safe to switch on.\n * - `detail` — the framework's message text. Human-readable; not\n *   parsed by clients.\n * - `code` — a machine-readable status code from {@link ERROR_MAP}\n *   for clients that prefer enum-style branching over name strings.\n */\nexport type ApiError = {\n  error: string;\n  detail?: string;\n  code?: string;\n};\n\n/**\n * Status + code pair for one known framework error.\n */\nexport type ErrorMapEntry = {\n  status: number;\n  code: string;\n};\n\n/**\n * The single table that maps framework error types to HTTP status\n * codes and machine-readable codes. One table, three consumers\n * (Hono, tRPC, OpenAPI) — cross-transport consistency by\n * construction.\n *\n * Operators wanting different mappings wrap the generated transport\n * rather than mutating this — the consistency is the load-bearing\n * property, not the specific status codes.\n */\nexport const ERROR_MAP = {\n  ValidationError: { status: 422, code: \"VALIDATION\" },\n  InvariantError: { status: 409, code: \"INVARIANT\" },\n  ConcurrencyError: { status: 412, code: \"CONCURRENCY\" },\n  StreamClosedError: { status: 410, code: \"STREAM_CLOSED\" },\n  NonRetryableError: { status: 400, code: \"NON_RETRYABLE\" },\n} as const satisfies Record<string, ErrorMapEntry>;\n\nconst lookup_known = (\n  err: unknown\n): { name: keyof typeof ERROR_MAP } | null => {\n  if (err instanceof ValidationError) return { name: \"ValidationError\" };\n  if (err instanceof InvariantError) return { name: \"InvariantError\" };\n  if (err instanceof ConcurrencyError) return { name: \"ConcurrencyError\" };\n  if (err instanceof StreamClosedError) return { name: \"StreamClosedError\" };\n  if (err instanceof NonRetryableError) return { name: \"NonRetryableError\" };\n  return null;\n};\n\n/**\n * Translate an unknown thrown value into the canonical\n * {@link ApiError} envelope plus HTTP status. Each transport's error\n * boundary calls this once and forwards the result to the wire.\n *\n * Known framework errors map per {@link ERROR_MAP}. Everything else\n * surfaces as a 500 with `code: \"INTERNAL\"`; the `detail` field is\n * populated when the throw was an `Error` instance, omitted\n * otherwise (a thrown string or object doesn't get to leak its\n * payload to the client).\n */\nexport function toApiError(err: unknown): { status: number; body: ApiError } {\n  const known = lookup_known(err);\n  if (known) {\n    const entry = ERROR_MAP[known.name];\n    return {\n      status: entry.status,\n      body: {\n        error: known.name,\n        detail: (err as Error).message,\n        code: entry.code,\n      },\n    };\n  }\n  if (err instanceof Error) {\n    return {\n      status: 500,\n      body: { error: \"InternalError\", detail: err.message, code: \"INTERNAL\" },\n    };\n  }\n  return {\n    status: 500,\n    body: { error: \"InternalError\", code: \"INTERNAL\" },\n  };\n}\n","import type { IdempotencyStore } from \"@rotorsoft/act-ops/idempotency\";\n\n/**\n * Result of a {@link withIdempotency} call.\n *\n * - `{ deduped: false, result }` — the claim was fresh; the handler\n *   ran and produced `result`.\n * - `{ deduped: true }` — the claim was already taken; the handler\n *   was *not* invoked. The caller decides how to respond (typically\n *   a 2xx with no body, matching the receiver-side convention).\n *\n * Note: the contract does not cache the previous response. A\n * duplicate call returns the deduped marker only — replaying the\n * original handler's output would require a response-caching\n * adapter, which is out of scope here. The receiver-side convention\n * (and the convention the generated transports follow) is \"ack the\n * duplicate; do nothing else.\"\n */\nexport type IdempotencyResult<T> =\n  | { deduped: false; result: T }\n  | { deduped: true };\n\n/**\n * Wrap an action handler so the framework honors `Idempotency-Key`\n * dedup. Acquires the key via {@link IdempotencyStore.claim}, runs\n * the handler exactly when the claim was fresh, and skips the\n * handler entirely on a duplicate.\n *\n * Reuses the contract `@rotorsoft/act-ops/idempotency` already\n * defines for the receiver-side `Idempotency-Key` story. A single\n * `IdempotencyStore` implementation covers both halves of the \"Act\n * over the wire\" surface — receiver and generated API.\n */\nexport async function withIdempotency<T>(\n  store: IdempotencyStore,\n  key: string,\n  handler: () => Promise<T>\n): Promise<IdempotencyResult<T>> {\n  const fresh = await store.claim(key);\n  if (!fresh) {\n    return { deduped: true };\n  }\n  return { deduped: false, result: await handler() };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,iBAMO;AAuCA,IAAM,YAAY;AAAA,EACvB,iBAAiB,EAAE,QAAQ,KAAK,MAAM,aAAa;AAAA,EACnD,gBAAgB,EAAE,QAAQ,KAAK,MAAM,YAAY;AAAA,EACjD,kBAAkB,EAAE,QAAQ,KAAK,MAAM,cAAc;AAAA,EACrD,mBAAmB,EAAE,QAAQ,KAAK,MAAM,gBAAgB;AAAA,EACxD,mBAAmB,EAAE,QAAQ,KAAK,MAAM,gBAAgB;AAC1D;AAEA,IAAM,eAAe,CACnB,QAC4C;AAC5C,MAAI,eAAe,2BAAiB,QAAO,EAAE,MAAM,kBAAkB;AACrE,MAAI,eAAe,0BAAgB,QAAO,EAAE,MAAM,iBAAiB;AACnE,MAAI,eAAe,4BAAkB,QAAO,EAAE,MAAM,mBAAmB;AACvE,MAAI,eAAe,6BAAmB,QAAO,EAAE,MAAM,oBAAoB;AACzE,MAAI,eAAe,6BAAmB,QAAO,EAAE,MAAM,oBAAoB;AACzE,SAAO;AACT;AAaO,SAAS,WAAW,KAAkD;AAC3E,QAAM,QAAQ,aAAa,GAAG;AAC9B,MAAI,OAAO;AACT,UAAM,QAAQ,UAAU,MAAM,IAAI;AAClC,WAAO;AAAA,MACL,QAAQ,MAAM;AAAA,MACd,MAAM;AAAA,QACJ,OAAO,MAAM;AAAA,QACb,QAAS,IAAc;AAAA,QACvB,MAAM,MAAM;AAAA,MACd;AAAA,IACF;AAAA,EACF;AACA,MAAI,eAAe,OAAO;AACxB,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM,EAAE,OAAO,iBAAiB,QAAQ,IAAI,SAAS,MAAM,WAAW;AAAA,IACxE;AAAA,EACF;AACA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,MAAM,EAAE,OAAO,iBAAiB,MAAM,WAAW;AAAA,EACnD;AACF;;;ACjEA,eAAsB,gBACpB,OACA,KACA,SAC+B;AAC/B,QAAM,QAAQ,MAAM,MAAM,MAAM,GAAG;AACnC,MAAI,CAAC,OAAO;AACV,WAAO,EAAE,SAAS,KAAK;AAAA,EACzB;AACA,SAAO,EAAE,SAAS,OAAO,QAAQ,MAAM,QAAQ,EAAE;AACnD;","names":[]}

package/dist/api/index.js

@@ -0,0 +1,62 @@
+// src/api/errors.ts
+import {
+  ConcurrencyError,
+  InvariantError,
+  NonRetryableError,
+  StreamClosedError,
+  ValidationError
+} from "@rotorsoft/act";
+var ERROR_MAP = {
+  ValidationError: { status: 422, code: "VALIDATION" },
+  InvariantError: { status: 409, code: "INVARIANT" },
+  ConcurrencyError: { status: 412, code: "CONCURRENCY" },
+  StreamClosedError: { status: 410, code: "STREAM_CLOSED" },
+  NonRetryableError: { status: 400, code: "NON_RETRYABLE" }
+};
+var lookup_known = (err) => {
+  if (err instanceof ValidationError) return { name: "ValidationError" };
+  if (err instanceof InvariantError) return { name: "InvariantError" };
+  if (err instanceof ConcurrencyError) return { name: "ConcurrencyError" };
+  if (err instanceof StreamClosedError) return { name: "StreamClosedError" };
+  if (err instanceof NonRetryableError) return { name: "NonRetryableError" };
+  return null;
+};
+function toApiError(err) {
+  const known = lookup_known(err);
+  if (known) {
+    const entry = ERROR_MAP[known.name];
+    return {
+      status: entry.status,
+      body: {
+        error: known.name,
+        detail: err.message,
+        code: entry.code
+      }
+    };
+  }
+  if (err instanceof Error) {
+    return {
+      status: 500,
+      body: { error: "InternalError", detail: err.message, code: "INTERNAL" }
+    };
+  }
+  return {
+    status: 500,
+    body: { error: "InternalError", code: "INTERNAL" }
+  };
+}
+
+// src/api/idempotency.ts
+async function withIdempotency(store, key, handler) {
+  const fresh = await store.claim(key);
+  if (!fresh) {
+    return { deduped: true };
+  }
+  return { deduped: false, result: await handler() };
+}
+export {
+  ERROR_MAP,
+  toApiError,
+  withIdempotency
+};
+//# sourceMappingURL=index.js.map

package/dist/api/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/api/errors.ts","../../src/api/idempotency.ts"],"sourcesContent":["import {\n  ConcurrencyError,\n  InvariantError,\n  NonRetryableError,\n  StreamClosedError,\n  ValidationError,\n} from \"@rotorsoft/act\";\n\n/**\n * Uniform error envelope shipped over the wire by every act-http\n * transport. Hosts get the same shape from REST, tRPC, and OpenAPI —\n * a client that talks to two transports doesn't have to invent two\n * error parsers.\n *\n * - `error` — the framework error name (`\"ValidationError\"`,\n *   `\"InvariantError\"`, …). Stable identifier, safe to switch on.\n * - `detail` — the framework's message text. Human-readable; not\n *   parsed by clients.\n * - `code` — a machine-readable status code from {@link ERROR_MAP}\n *   for clients that prefer enum-style branching over name strings.\n */\nexport type ApiError = {\n  error: string;\n  detail?: string;\n  code?: string;\n};\n\n/**\n * Status + code pair for one known framework error.\n */\nexport type ErrorMapEntry = {\n  status: number;\n  code: string;\n};\n\n/**\n * The single table that maps framework error types to HTTP status\n * codes and machine-readable codes. One table, three consumers\n * (Hono, tRPC, OpenAPI) — cross-transport consistency by\n * construction.\n *\n * Operators wanting different mappings wrap the generated transport\n * rather than mutating this — the consistency is the load-bearing\n * property, not the specific status codes.\n */\nexport const ERROR_MAP = {\n  ValidationError: { status: 422, code: \"VALIDATION\" },\n  InvariantError: { status: 409, code: \"INVARIANT\" },\n  ConcurrencyError: { status: 412, code: \"CONCURRENCY\" },\n  StreamClosedError: { status: 410, code: \"STREAM_CLOSED\" },\n  NonRetryableError: { status: 400, code: \"NON_RETRYABLE\" },\n} as const satisfies Record<string, ErrorMapEntry>;\n\nconst lookup_known = (\n  err: unknown\n): { name: keyof typeof ERROR_MAP } | null => {\n  if (err instanceof ValidationError) return { name: \"ValidationError\" };\n  if (err instanceof InvariantError) return { name: \"InvariantError\" };\n  if (err instanceof ConcurrencyError) return { name: \"ConcurrencyError\" };\n  if (err instanceof StreamClosedError) return { name: \"StreamClosedError\" };\n  if (err instanceof NonRetryableError) return { name: \"NonRetryableError\" };\n  return null;\n};\n\n/**\n * Translate an unknown thrown value into the canonical\n * {@link ApiError} envelope plus HTTP status. Each transport's error\n * boundary calls this once and forwards the result to the wire.\n *\n * Known framework errors map per {@link ERROR_MAP}. Everything else\n * surfaces as a 500 with `code: \"INTERNAL\"`; the `detail` field is\n * populated when the throw was an `Error` instance, omitted\n * otherwise (a thrown string or object doesn't get to leak its\n * payload to the client).\n */\nexport function toApiError(err: unknown): { status: number; body: ApiError } {\n  const known = lookup_known(err);\n  if (known) {\n    const entry = ERROR_MAP[known.name];\n    return {\n      status: entry.status,\n      body: {\n        error: known.name,\n        detail: (err as Error).message,\n        code: entry.code,\n      },\n    };\n  }\n  if (err instanceof Error) {\n    return {\n      status: 500,\n      body: { error: \"InternalError\", detail: err.message, code: \"INTERNAL\" },\n    };\n  }\n  return {\n    status: 500,\n    body: { error: \"InternalError\", code: \"INTERNAL\" },\n  };\n}\n","import type { IdempotencyStore } from \"@rotorsoft/act-ops/idempotency\";\n\n/**\n * Result of a {@link withIdempotency} call.\n *\n * - `{ deduped: false, result }` — the claim was fresh; the handler\n *   ran and produced `result`.\n * - `{ deduped: true }` — the claim was already taken; the handler\n *   was *not* invoked. The caller decides how to respond (typically\n *   a 2xx with no body, matching the receiver-side convention).\n *\n * Note: the contract does not cache the previous response. A\n * duplicate call returns the deduped marker only — replaying the\n * original handler's output would require a response-caching\n * adapter, which is out of scope here. The receiver-side convention\n * (and the convention the generated transports follow) is \"ack the\n * duplicate; do nothing else.\"\n */\nexport type IdempotencyResult<T> =\n  | { deduped: false; result: T }\n  | { deduped: true };\n\n/**\n * Wrap an action handler so the framework honors `Idempotency-Key`\n * dedup. Acquires the key via {@link IdempotencyStore.claim}, runs\n * the handler exactly when the claim was fresh, and skips the\n * handler entirely on a duplicate.\n *\n * Reuses the contract `@rotorsoft/act-ops/idempotency` already\n * defines for the receiver-side `Idempotency-Key` story. A single\n * `IdempotencyStore` implementation covers both halves of the \"Act\n * over the wire\" surface — receiver and generated API.\n */\nexport async function withIdempotency<T>(\n  store: IdempotencyStore,\n  key: string,\n  handler: () => Promise<T>\n): Promise<IdempotencyResult<T>> {\n  const fresh = await store.claim(key);\n  if (!fresh) {\n    return { deduped: true };\n  }\n  return { deduped: false, result: await handler() };\n}\n"],"mappings":";AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAuCA,IAAM,YAAY;AAAA,EACvB,iBAAiB,EAAE,QAAQ,KAAK,MAAM,aAAa;AAAA,EACnD,gBAAgB,EAAE,QAAQ,KAAK,MAAM,YAAY;AAAA,EACjD,kBAAkB,EAAE,QAAQ,KAAK,MAAM,cAAc;AAAA,EACrD,mBAAmB,EAAE,QAAQ,KAAK,MAAM,gBAAgB;AAAA,EACxD,mBAAmB,EAAE,QAAQ,KAAK,MAAM,gBAAgB;AAC1D;AAEA,IAAM,eAAe,CACnB,QAC4C;AAC5C,MAAI,eAAe,gBAAiB,QAAO,EAAE,MAAM,kBAAkB;AACrE,MAAI,eAAe,eAAgB,QAAO,EAAE,MAAM,iBAAiB;AACnE,MAAI,eAAe,iBAAkB,QAAO,EAAE,MAAM,mBAAmB;AACvE,MAAI,eAAe,kBAAmB,QAAO,EAAE,MAAM,oBAAoB;AACzE,MAAI,eAAe,kBAAmB,QAAO,EAAE,MAAM,oBAAoB;AACzE,SAAO;AACT;AAaO,SAAS,WAAW,KAAkD;AAC3E,QAAM,QAAQ,aAAa,GAAG;AAC9B,MAAI,OAAO;AACT,UAAM,QAAQ,UAAU,MAAM,IAAI;AAClC,WAAO;AAAA,MACL,QAAQ,MAAM;AAAA,MACd,MAAM;AAAA,QACJ,OAAO,MAAM;AAAA,QACb,QAAS,IAAc;AAAA,QACvB,MAAM,MAAM;AAAA,MACd;AAAA,IACF;AAAA,EACF;AACA,MAAI,eAAe,OAAO;AACxB,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM,EAAE,OAAO,iBAAiB,QAAQ,IAAI,SAAS,MAAM,WAAW;AAAA,IACxE;AAAA,EACF;AACA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,MAAM,EAAE,OAAO,iBAAiB,MAAM,WAAW;AAAA,EACnD;AACF;;;ACjEA,eAAsB,gBACpB,OACA,KACA,SAC+B;AAC/B,QAAM,QAAQ,MAAM,MAAM,MAAM,GAAG;AACnC,MAAI,CAAC,OAAO;AACV,WAAO,EAAE,SAAS,KAAK;AAAA,EACzB;AACA,SAAO,EAAE,SAAS,OAAO,QAAQ,MAAM,QAAQ,EAAE;AACnD;","names":[]}

package/dist/{chunk-NOIXOF2I.js → chunk-4CGAUB5H.js}

@@ -14,12 +14,12 @@ import { createHmac, timingSafeEqual } from "crypto";
 function verifyWebhook(headers, body, secret, options) {
   const maxAgeSeconds = options?.maxAgeSeconds ?? 300;
   const now = options?.now ?? Math.floor(Date.now() / 1e3);
-  const signature = pickHeader(headers, "x-webhook-signature");
+  const signature = pick_header(headers, "x-webhook-signature");
   if (!signature) return { ok: false, reason: "missing-signature" };
-  const timestampStr = pickHeader(headers, "x-webhook-timestamp");
-  if (!timestampStr) return { ok: false, reason: "missing-timestamp" };
-  const timestamp = Number.parseInt(timestampStr, 10);
-  if (Number.isNaN(timestamp) || String(timestamp) !== timestampStr) {
+  const timestamp_str = pick_header(headers, "x-webhook-timestamp");
+  if (!timestamp_str) return { ok: false, reason: "missing-timestamp" };
+  const timestamp = Number.parseInt(timestamp_str, 10);
+  if (Number.isNaN(timestamp) || String(timestamp) !== timestamp_str) {
     return { ok: false, reason: "missing-timestamp" };
   }
   const delta = now - timestamp;
@@ -28,21 +28,21 @@ function verifyWebhook(headers, body, secret, options) {
   if (!signature.startsWith("sha256=")) {
     return { ok: false, reason: "bad-signature" };
   }
-  const providedHex = signature.slice("sha256=".length);
-  if (!/^[0-9a-fA-F]{64}$/.test(providedHex)) {
+  const provided_hex = signature.slice("sha256=".length);
+  if (!/^[0-9a-fA-F]{64}$/.test(provided_hex)) {
     return { ok: false, reason: "bad-signature" };
   }
-  const expectedHex = createHmac("sha256", secret).update(`${timestampStr}.${body}`).digest("hex");
-  const a = Buffer.from(providedHex, "hex");
-  const b = Buffer.from(expectedHex, "hex");
+  const expected_hex = createHmac("sha256", secret).update(`${timestamp_str}.${body}`).digest("hex");
+  const a = Buffer.from(provided_hex, "hex");
+  const b = Buffer.from(expected_hex, "hex");
   if (!timingSafeEqual(a, b)) {
     return { ok: false, reason: "bad-signature" };
   }
   return { ok: true };
 }
-function pickHeader(headers, lowerName) {
+function pick_header(headers, lower_name) {
   for (const [name, value] of Object.entries(headers)) {
-    if (name.toLowerCase() !== lowerName) continue;
+    if (name.toLowerCase() !== lower_name) continue;
     if (Array.isArray(value) || value === void 0 || value === "") {
       return void 0;
     }
@@ -75,4 +75,4 @@ export {
   verifyWebhook,
   checkWebhook
 };
-//# sourceMappingURL=chunk-NOIXOF2I.js.map
+//# sourceMappingURL=chunk-4CGAUB5H.js.map