@sakeetech/viva-payments-core 0.2.1

package/dist/webhooks/event-types.js

@@ -0,0 +1,50 @@
+/**
+ * Runtime helpers for Viva webhook event type IDs.
+ *
+ * Re-exports EVENT_TYPES and VivaEventTypeId from the types package, and
+ * provides runtime type-guard helpers for routing webhook payloads.
+ *
+ * @see references/viva-docs/md/webhooks-for-payments.txt:141
+ */
+export { EVENT_TYPES } from '../types/webhook-events.js';
+/**
+ * Returns `true` for event types that carry a transaction payload and require
+ * MerchantId-based tenant resolution.
+ *
+ * v1-scope transaction events:
+ *   1796 — Transaction Payment Created
+ *   1797 — Transaction Reversal Created
+ *   1798 — Transaction Failed
+ *   4865 — Order Updated (cancellation)
+ *   7936 — Sale Transactions (HMAC-signed, deferred from v1 core but type-guard kept)
+ *
+ * @see references/viva-docs/md/webhooks-for-payments.txt:141
+ */
+export function isTransactionEvent(id) {
+    return id === 1796 || id === 1797 || id === 1798 || id === 4865 || id === 7936;
+}
+/**
+ * Returns `true` for event types that carry an onboarding payload and require
+ * ConnectedAccountId-based tenant resolution.
+ *
+ * v1-scope onboarding events:
+ *   8193 — Account Connected
+ *   8194 — Account Verification Status Changed
+ *
+ * @see references/viva-docs/md/webhooks-for-payments.txt:224
+ */
+export function isOnboardingEvent(id) {
+    return id === 8193 || id === 8194;
+}
+/**
+ * All v1-scope event IDs as a frozen array.
+ *
+ * Used by `viva:register-webhooks` CLI to enumerate the required registrations
+ * and by the route handler to reject unknown event types.
+ *
+ * @see references/viva-docs/md/webhooks-for-payments.txt:141
+ */
+export const V1_EVENT_TYPE_IDS = Object.freeze([
+    1796, 1797, 1798, 4865, 8193, 8194,
+]);
+//# sourceMappingURL=event-types.js.map

package/dist/webhooks/event-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"event-types.js","sourceRoot":"","sources":["../../src/webhooks/event-types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,WAAW,EAAwB,MAAM,4BAA4B,CAAC;AAE/E;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,kBAAkB,CAAC,EAAU;IAC3C,OAAO,EAAE,KAAK,IAAI,IAAI,EAAE,KAAK,IAAI,IAAI,EAAE,KAAK,IAAI,IAAI,EAAE,KAAK,IAAI,IAAI,EAAE,KAAK,IAAI,CAAC;AACjF,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,iBAAiB,CAAC,EAAU;IAC1C,OAAO,EAAE,KAAK,IAAI,IAAI,EAAE,KAAK,IAAI,CAAC;AACpC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAyD,MAAM,CAAC,MAAM,CAAC;IACnG,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI;CAC1B,CAAC,CAAC"}

package/dist/webhooks/extract-client-ip.d.ts

@@ -0,0 +1,40 @@
+/**
+ * extract-client-ip.ts — Source IP extraction with explicit proxy-depth trust.
+ *
+ * CSO Finding #2 (HIGH). Unconditionally trusting `X-Forwarded-For` lets any
+ * client append a value and bypass the in-app IP allowlist. The remedy is to
+ * walk the X-F-F chain from the *rightmost* end, counting back exactly
+ * `trustedProxyDepth` hops. Anything earlier in the chain was set by upstream
+ * proxies the operator does not control.
+ *
+ * Usage:
+ *   trustedProxyDepth = 0 → ignore X-F-F entirely; use req.socket.remoteAddress
+ *   trustedProxyDepth = 1 → one trusted reverse proxy (typical)
+ *   trustedProxyDepth = 2 → CDN + LB (e.g. Cloudflare → ALB)
+ *
+ * When the chain is shorter than `trustedProxyDepth`, the request is treated
+ * as misconfigured or malicious: we fall back to the socket address rather
+ * than picking an attacker-controllable value.
+ *
+ * @see docs/TODO-CSO.md "Finding 2"
+ */
+import type { IncomingMessage } from 'node:http';
+/**
+ * Minimal request shape — accepts Node's IncomingMessage and any framework
+ * request that exposes headers + socket (Medusa, Express, NestJS, etc.).
+ */
+export interface ClientIpRequest {
+    readonly headers: IncomingMessage['headers'];
+    readonly socket?: {
+        readonly remoteAddress?: string | undefined;
+    } | undefined;
+}
+/**
+ * Extract the trusted client IP from a request.
+ *
+ * Returns an empty string if no source can be determined (caller decides
+ * whether to reject or fall back to a default). Strips IPv6 brackets if
+ * present (e.g. `[2001:db8::1]:443` → `2001:db8::1`).
+ */
+export declare function extractClientIp(req: ClientIpRequest, trustedProxyDepth: number): string;
+//# sourceMappingURL=extract-client-ip.d.ts.map

package/dist/webhooks/extract-client-ip.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"extract-client-ip.d.ts","sourceRoot":"","sources":["../../src/webhooks/extract-client-ip.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAEjD;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,OAAO,EAAE,eAAe,CAAC,SAAS,CAAC,CAAC;IAC7C,QAAQ,CAAC,MAAM,CAAC,EAAE;QAAE,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;KAAE,GAAG,SAAS,CAAC;CAC/E;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,GAAG,EAAE,eAAe,EACpB,iBAAiB,EAAE,MAAM,GACxB,MAAM,CAoBR"}

package/dist/webhooks/extract-client-ip.js

@@ -0,0 +1,72 @@
+/**
+ * extract-client-ip.ts — Source IP extraction with explicit proxy-depth trust.
+ *
+ * CSO Finding #2 (HIGH). Unconditionally trusting `X-Forwarded-For` lets any
+ * client append a value and bypass the in-app IP allowlist. The remedy is to
+ * walk the X-F-F chain from the *rightmost* end, counting back exactly
+ * `trustedProxyDepth` hops. Anything earlier in the chain was set by upstream
+ * proxies the operator does not control.
+ *
+ * Usage:
+ *   trustedProxyDepth = 0 → ignore X-F-F entirely; use req.socket.remoteAddress
+ *   trustedProxyDepth = 1 → one trusted reverse proxy (typical)
+ *   trustedProxyDepth = 2 → CDN + LB (e.g. Cloudflare → ALB)
+ *
+ * When the chain is shorter than `trustedProxyDepth`, the request is treated
+ * as misconfigured or malicious: we fall back to the socket address rather
+ * than picking an attacker-controllable value.
+ *
+ * @see docs/TODO-CSO.md "Finding 2"
+ */
+/**
+ * Extract the trusted client IP from a request.
+ *
+ * Returns an empty string if no source can be determined (caller decides
+ * whether to reject or fall back to a default). Strips IPv6 brackets if
+ * present (e.g. `[2001:db8::1]:443` → `2001:db8::1`).
+ */
+export function extractClientIp(req, trustedProxyDepth) {
+    const depth = Number.isInteger(trustedProxyDepth) && trustedProxyDepth >= 0
+        ? trustedProxyDepth
+        : 0;
+    if (depth === 0) {
+        return normalizeIp(req.socket?.remoteAddress ?? '');
+    }
+    const xff = req.headers['x-forwarded-for'];
+    const chain = flattenXff(xff);
+    if (chain.length < depth) {
+        // Chain shorter than configured trust depth — operator misconfig or an
+        // attacker omitting expected hops. Fall back to socket; do NOT pick the
+        // leftmost (attacker-controllable) value.
+        return normalizeIp(req.socket?.remoteAddress ?? '');
+    }
+    return normalizeIp(chain[chain.length - depth] ?? '');
+}
+function flattenXff(xff) {
+    if (!xff)
+        return [];
+    // Node may surface repeated headers as either a comma-joined string or an
+    // array of strings; normalize both into one comma-separated source.
+    const joined = Array.isArray(xff) ? xff.join(',') : xff;
+    return joined
+        .split(',')
+        .map((s) => s.trim())
+        .filter((s) => s.length > 0);
+}
+function normalizeIp(raw) {
+    const trimmed = raw.trim();
+    if (!trimmed)
+        return '';
+    // IPv6-mapped IPv4 (::ffff:1.2.3.4) → 1.2.3.4
+    if (trimmed.toLowerCase().startsWith('::ffff:')) {
+        return trimmed.slice(7);
+    }
+    // Bracketed IPv6 with optional :port — [2001:db8::1]:443 → 2001:db8::1
+    if (trimmed.startsWith('[')) {
+        const close = trimmed.indexOf(']');
+        if (close > 0)
+            return trimmed.slice(1, close);
+    }
+    return trimmed;
+}
+//# sourceMappingURL=extract-client-ip.js.map

package/dist/webhooks/extract-client-ip.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"extract-client-ip.js","sourceRoot":"","sources":["../../src/webhooks/extract-client-ip.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAaH;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAC7B,GAAoB,EACpB,iBAAyB;IAEzB,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,CAAC,iBAAiB,CAAC,IAAI,iBAAiB,IAAI,CAAC;QACzE,CAAC,CAAC,iBAAiB;QACnB,CAAC,CAAC,CAAC,CAAC;IAEN,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;QAChB,OAAO,WAAW,CAAC,GAAG,CAAC,MAAM,EAAE,aAAa,IAAI,EAAE,CAAC,CAAC;IACtD,CAAC;IAED,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IAC3C,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAE9B,IAAI,KAAK,CAAC,MAAM,GAAG,KAAK,EAAE,CAAC;QACzB,uEAAuE;QACvE,wEAAwE;QACxE,0CAA0C;QAC1C,OAAO,WAAW,CAAC,GAAG,CAAC,MAAM,EAAE,aAAa,IAAI,EAAE,CAAC,CAAC;IACtD,CAAC;IAED,OAAO,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,UAAU,CACjB,GAAkC;IAElC,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,CAAC;IACpB,0EAA0E;IAC1E,oEAAoE;IACpE,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACxD,OAAO,MAAM;SACV,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,CAAC;IACxB,8CAA8C;IAC9C,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAChD,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC1B,CAAC;IACD,uEAAuE;IACvE,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,KAAK,GAAG,CAAC;YAAE,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/webhooks/hmac-verify.d.ts

@@ -0,0 +1,38 @@
+/**
+ * HMAC-SHA256 signature verification for the Sale Transactions webhook (event 7936).
+ *
+ * PER PLAN A8: HMAC verification applies ONLY to event 7936 (Sale Transactions).
+ * Viva does NOT document an HMAC header for any other v1 event type. For all
+ * other events, security relies on:
+ *   (a) IP allowlist — see ip-allowlist.ts
+ *   (b) Challenge-response URL verification — see challenge-response.ts
+ *   (c) DB-level deduplication via opaque MessageId (ON CONFLICT DO NOTHING)
+ *
+ * Header format (from Viva documentation):
+ *   `Viva-Signature-256`: HMAC hex digest of the request body,
+ *    generated using SHA-256 and the webhook secret as the HMAC key.
+ *
+ * @see references/viva-docs/md/wh-sale-transactions.txt:149
+ */
+/**
+ * Verify the `Viva-Signature-256` header for the Sale Transactions webhook
+ * (event 7936 only).
+ *
+ * Uses `crypto.timingSafeEqual` for constant-time comparison. Length mismatches
+ * are handled without calling `timingSafeEqual` (which would throw on unequal
+ * lengths) by comparing against a zeroed buffer of the same expected length.
+ *
+ * @param rawBody    The exact raw request body bytes received over the wire.
+ *                   Pass a `Buffer` or `Uint8Array` for binary-safe comparison;
+ *                   a `string` is accepted and UTF-8-encoded internally.
+ * @param signature  Value of the `Viva-Signature-256` HTTP header.
+ *                   Must be a lowercase hex digest (64 hex chars for SHA-256).
+ * @param secret     HMAC secret from Viva configuration.
+ *
+ * @throws VivaWebhookError when the signature is missing, malformed, or does
+ *   not match the computed digest.
+ *
+ * @see references/viva-docs/md/wh-sale-transactions.txt:149
+ */
+export declare function verifyHmacSignature(rawBody: Uint8Array | string, signature: string | undefined | null, secret: string): void;
+//# sourceMappingURL=hmac-verify.d.ts.map

package/dist/webhooks/hmac-verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hmac-verify.d.ts","sourceRoot":"","sources":["../../src/webhooks/hmac-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,mBAAmB,CACjC,OAAO,EAAE,UAAU,GAAG,MAAM,EAC5B,SAAS,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EACpC,MAAM,EAAE,MAAM,GACb,IAAI,CA0DN"}

package/dist/webhooks/hmac-verify.js

@@ -0,0 +1,92 @@
+/**
+ * HMAC-SHA256 signature verification for the Sale Transactions webhook (event 7936).
+ *
+ * PER PLAN A8: HMAC verification applies ONLY to event 7936 (Sale Transactions).
+ * Viva does NOT document an HMAC header for any other v1 event type. For all
+ * other events, security relies on:
+ *   (a) IP allowlist — see ip-allowlist.ts
+ *   (b) Challenge-response URL verification — see challenge-response.ts
+ *   (c) DB-level deduplication via opaque MessageId (ON CONFLICT DO NOTHING)
+ *
+ * Header format (from Viva documentation):
+ *   `Viva-Signature-256`: HMAC hex digest of the request body,
+ *    generated using SHA-256 and the webhook secret as the HMAC key.
+ *
+ * @see references/viva-docs/md/wh-sale-transactions.txt:149
+ */
+import { createHmac, timingSafeEqual } from 'node:crypto';
+import { VivaWebhookError } from '../errors/index.js';
+/**
+ * Verify the `Viva-Signature-256` header for the Sale Transactions webhook
+ * (event 7936 only).
+ *
+ * Uses `crypto.timingSafeEqual` for constant-time comparison. Length mismatches
+ * are handled without calling `timingSafeEqual` (which would throw on unequal
+ * lengths) by comparing against a zeroed buffer of the same expected length.
+ *
+ * @param rawBody    The exact raw request body bytes received over the wire.
+ *                   Pass a `Buffer` or `Uint8Array` for binary-safe comparison;
+ *                   a `string` is accepted and UTF-8-encoded internally.
+ * @param signature  Value of the `Viva-Signature-256` HTTP header.
+ *                   Must be a lowercase hex digest (64 hex chars for SHA-256).
+ * @param secret     HMAC secret from Viva configuration.
+ *
+ * @throws VivaWebhookError when the signature is missing, malformed, or does
+ *   not match the computed digest.
+ *
+ * @see references/viva-docs/md/wh-sale-transactions.txt:149
+ */
+export function verifyHmacSignature(rawBody, signature, secret) {
+    // --- 1. Guard: signature header must be present and non-empty ---
+    if (signature == null || signature.length === 0) {
+        throw new VivaWebhookError({
+            message: 'Missing Viva-Signature-256 header. This header is required for event 7936 (Sale Transactions).',
+        });
+    }
+    // --- 2. Decode candidate hex string to bytes ---
+    // The header value is a hex digest per wh-sale-transactions.txt:149.
+    // A SHA-256 hex digest is always exactly 64 hex characters (32 bytes).
+    const expectedByteLength = 32; // SHA-256 output is 32 bytes
+    const hexRegex = /^[0-9a-f]+$/i;
+    if (!hexRegex.test(signature)) {
+        throw new VivaWebhookError({
+            message: `Malformed Viva-Signature-256 header: not a valid hex string. Received: "${signature.slice(0, 20)}..."`,
+        });
+    }
+    let candidateBuffer;
+    try {
+        candidateBuffer = Buffer.from(signature, 'hex');
+    }
+    catch {
+        throw new VivaWebhookError({
+            message: 'Malformed Viva-Signature-256 header: hex decode failed.',
+        });
+    }
+    // --- 3. Compute expected HMAC-SHA256 ---
+    const hmac = createHmac('sha256', secret);
+    hmac.update(rawBody);
+    const expectedBuffer = hmac.digest(); // returns a Buffer (32 bytes)
+    // --- 4. Constant-time comparison ---
+    // timingSafeEqual requires both buffers to have the same length.
+    // If candidateBuffer.length !== expectedByteLength, we still do a
+    // constant-time comparison against a zeroed buffer to avoid timing leaks,
+    // then unconditionally throw.
+    if (candidateBuffer.length !== expectedByteLength) {
+        // Compare candidate against a zero buffer of the expected length.
+        // This runs in constant time relative to expectedByteLength.
+        const zeros = Buffer.alloc(expectedByteLength, 0);
+        // We deliberately ignore the result here — length mismatch is always a fail.
+        void timingSafeEqual(zeros, expectedBuffer);
+        throw new VivaWebhookError({
+            message: `Viva-Signature-256 header length mismatch: expected ${expectedByteLength} bytes (${expectedByteLength * 2} hex chars), got ${candidateBuffer.length} bytes.`,
+        });
+    }
+    // Both buffers are 32 bytes — safe to call timingSafeEqual.
+    const valid = timingSafeEqual(expectedBuffer, candidateBuffer);
+    if (!valid) {
+        throw new VivaWebhookError({
+            message: 'Viva-Signature-256 signature mismatch. Request body may have been tampered with.',
+        });
+    }
+}
+//# sourceMappingURL=hmac-verify.js.map

package/dist/webhooks/hmac-verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hmac-verify.js","sourceRoot":"","sources":["../../src/webhooks/hmac-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,mBAAmB,CACjC,OAA4B,EAC5B,SAAoC,EACpC,MAAc;IAEd,mEAAmE;IACnE,IAAI,SAAS,IAAI,IAAI,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,gBAAgB,CAAC;YACzB,OAAO,EAAE,gGAAgG;SAC1G,CAAC,CAAC;IACL,CAAC;IAED,kDAAkD;IAClD,qEAAqE;IACrE,uEAAuE;IACvE,MAAM,kBAAkB,GAAG,EAAE,CAAC,CAAC,6BAA6B;IAC5D,MAAM,QAAQ,GAAG,cAAc,CAAC;IAEhC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,gBAAgB,CAAC;YACzB,OAAO,EAAE,2EAA2E,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM;SACjH,CAAC,CAAC;IACL,CAAC;IAED,IAAI,eAAuB,CAAC;IAC5B,IAAI,CAAC;QACH,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,gBAAgB,CAAC;YACzB,OAAO,EAAE,yDAAyD;SACnE,CAAC,CAAC;IACL,CAAC;IAED,0CAA0C;IAC1C,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACrB,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,8BAA8B;IAEpE,sCAAsC;IACtC,iEAAiE;IACjE,kEAAkE;IAClE,0EAA0E;IAC1E,8BAA8B;IAC9B,IAAI,eAAe,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;QAClD,kEAAkE;QAClE,6DAA6D;QAC7D,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,kBAAkB,EAAE,CAAC,CAAC,CAAC;QAClD,6EAA6E;QAC7E,KAAK,eAAe,CAAC,KAAK,EAAE,cAAc,CAAC,CAAC;QAC5C,MAAM,IAAI,gBAAgB,CAAC;YACzB,OAAO,EAAE,uDAAuD,kBAAkB,WAAW,kBAAkB,GAAG,CAAC,oBAAoB,eAAe,CAAC,MAAM,SAAS;SACvK,CAAC,CAAC;IACL,CAAC;IAED,4DAA4D;IAC5D,MAAM,KAAK,GAAG,eAAe,CAAC,cAAc,EAAE,eAAe,CAAC,CAAC;IAE/D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,gBAAgB,CAAC;YACzB,OAAO,EAAE,kFAAkF;SAC5F,CAAC,CAAC;IACL,CAAC;AACH,CAAC"}

package/dist/webhooks/index.d.ts

@@ -0,0 +1,19 @@
+/**
+ * viva-payments-core/webhooks — barrel export.
+ *
+ * Provides three security layers for the Viva webhook endpoint:
+ *   (a) IP allowlist         — isAllowedSourceIp()
+ *   (b) Challenge-response   — buildChallengeResponse()
+ *   (c) HMAC signature       — verifyHmacSignature() (event 7936 only, per plan A8)
+ *
+ * Plus runtime helpers for event types and the monotonic status lattice.
+ *
+ * @see references/viva-docs/md/webhooks-for-payments.txt:254
+ */
+export { buildChallengeResponse } from './challenge-response.js';
+export { VIVA_DEMO_IPS, VIVA_PROD_IPS, isAllowedSourceIp, } from './ip-allowlist.js';
+export { extractClientIp, type ClientIpRequest, } from './extract-client-ip.js';
+export { verifyHmacSignature } from './hmac-verify.js';
+export { EVENT_TYPES, type VivaEventTypeId, isTransactionEvent, isOnboardingEvent, V1_EVENT_TYPE_IDS, } from './event-types.js';
+export { mapStatusLetter, validateStatusTransition, applyStatusTransition, type StatusTransitionResult, } from './status-lattice.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/webhooks/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/webhooks/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AAEjE,OAAO,EACL,aAAa,EACb,aAAa,EACb,iBAAiB,GAClB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,eAAe,EACf,KAAK,eAAe,GACrB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAEvD,OAAO,EACL,WAAW,EACX,KAAK,eAAe,EACpB,kBAAkB,EAClB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,eAAe,EACf,wBAAwB,EACxB,qBAAqB,EACrB,KAAK,sBAAsB,GAC5B,MAAM,qBAAqB,CAAC"}

package/dist/webhooks/index.js

@@ -0,0 +1,19 @@
+/**
+ * viva-payments-core/webhooks — barrel export.
+ *
+ * Provides three security layers for the Viva webhook endpoint:
+ *   (a) IP allowlist         — isAllowedSourceIp()
+ *   (b) Challenge-response   — buildChallengeResponse()
+ *   (c) HMAC signature       — verifyHmacSignature() (event 7936 only, per plan A8)
+ *
+ * Plus runtime helpers for event types and the monotonic status lattice.
+ *
+ * @see references/viva-docs/md/webhooks-for-payments.txt:254
+ */
+export { buildChallengeResponse } from './challenge-response.js';
+export { VIVA_DEMO_IPS, VIVA_PROD_IPS, isAllowedSourceIp, } from './ip-allowlist.js';
+export { extractClientIp, } from './extract-client-ip.js';
+export { verifyHmacSignature } from './hmac-verify.js';
+export { EVENT_TYPES, isTransactionEvent, isOnboardingEvent, V1_EVENT_TYPE_IDS, } from './event-types.js';
+export { mapStatusLetter, validateStatusTransition, applyStatusTransition, } from './status-lattice.js';
+//# sourceMappingURL=index.js.map

package/dist/webhooks/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/webhooks/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AAEjE,OAAO,EACL,aAAa,EACb,aAAa,EACb,iBAAiB,GAClB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,eAAe,GAEhB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAEvD,OAAO,EACL,WAAW,EAEX,kBAAkB,EAClB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,eAAe,EACf,wBAAwB,EACxB,qBAAqB,GAEtB,MAAM,qBAAqB,CAAC"}

package/dist/webhooks/ip-allowlist.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Viva Wallet webhook source IP allowlist.
+ *
+ * Viva documents the following source IP addresses/ranges for webhook POST
+ * requests. Only requests from these IPs should be processed; others are
+ * rejected with 403 by the route handler.
+ *
+ * Production IPs (literal + CIDR):
+ *   51.138.37.238
+ *   13.80.70.181
+ *   13.80.71.223
+ *   13.79.28.70
+ *   40.127.253.112/28
+ *   51.105.129.192/28
+ *   20.54.89.16
+ *   4.223.76.50
+ *   51.12.157.0/28
+ *
+ * Demo IPs (literal):
+ *   20.50.240.57
+ *   40.74.20.78
+ *   195.167.87.181
+ *   195.167.87.180
+ *   20.13.195.185
+ *   135.225.16.50
+ *
+ * @see references/viva-docs/md/webhooks-for-payments.txt:270
+ */
+/**
+ * Viva demo-environment webhook source IPs.
+ * All are literal IPv4 addresses (no CIDR ranges in the demo list).
+ *
+ * @see references/viva-docs/md/webhooks-for-payments.txt:289
+ */
+export declare const VIVA_DEMO_IPS: readonly string[];
+/**
+ * Viva production-environment webhook source IPs (mix of literals and CIDRs).
+ *
+ * @see references/viva-docs/md/webhooks-for-payments.txt:276
+ */
+export declare const VIVA_PROD_IPS: readonly string[];
+/**
+ * Returns `true` if `ip` is in Viva's published source list for `env`,
+ * or if it appears in the optional `extraAllowlist`.
+ *
+ * Does NOT throw — the route handler decides whether to 403.
+ *
+ * IPv4 literals and CIDR ranges are matched via `node:net.BlockList`.
+ * IPv6 is normalised (lowercase + bracket-strip) before checking.
+ *
+ * @param ip             The source IP of the incoming request.
+ * @param env            Target environment: `'demo'` or `'production'`.
+ * @param extraAllowlist Optional operator-configured IPs (e.g. reverse proxies
+ *                       that sit upstream of Viva before reaching this server).
+ *
+ * @see references/viva-docs/md/webhooks-for-payments.txt:270
+ */
+export declare function isAllowedSourceIp(ip: string, env: 'demo' | 'production', extraAllowlist?: readonly string[]): boolean;
+//# sourceMappingURL=ip-allowlist.d.ts.map

package/dist/webhooks/ip-allowlist.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ip-allowlist.d.ts","sourceRoot":"","sources":["../../src/webhooks/ip-allowlist.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAQH;;;;;GAKG;AACH,eAAO,MAAM,aAAa,EAAE,SAAS,MAAM,EAOjC,CAAC;AAEX;;;;GAIG;AACH,eAAO,MAAM,aAAa,EAAE,SAAS,MAAM,EAUjC,CAAC;AA2DX;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,iBAAiB,CAC/B,EAAE,EAAE,MAAM,EACV,GAAG,EAAE,MAAM,GAAG,YAAY,EAC1B,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,GACjC,OAAO,CAmBT"}

package/dist/webhooks/ip-allowlist.js

@@ -0,0 +1,147 @@
+/**
+ * Viva Wallet webhook source IP allowlist.
+ *
+ * Viva documents the following source IP addresses/ranges for webhook POST
+ * requests. Only requests from these IPs should be processed; others are
+ * rejected with 403 by the route handler.
+ *
+ * Production IPs (literal + CIDR):
+ *   51.138.37.238
+ *   13.80.70.181
+ *   13.80.71.223
+ *   13.79.28.70
+ *   40.127.253.112/28
+ *   51.105.129.192/28
+ *   20.54.89.16
+ *   4.223.76.50
+ *   51.12.157.0/28
+ *
+ * Demo IPs (literal):
+ *   20.50.240.57
+ *   40.74.20.78
+ *   195.167.87.181
+ *   195.167.87.180
+ *   20.13.195.185
+ *   135.225.16.50
+ *
+ * @see references/viva-docs/md/webhooks-for-payments.txt:270
+ */
+import { BlockList } from 'node:net';
+// ---------------------------------------------------------------------------
+// Published IP lists
+// ---------------------------------------------------------------------------
+/**
+ * Viva demo-environment webhook source IPs.
+ * All are literal IPv4 addresses (no CIDR ranges in the demo list).
+ *
+ * @see references/viva-docs/md/webhooks-for-payments.txt:289
+ */
+export const VIVA_DEMO_IPS = [
+    '20.50.240.57',
+    '40.74.20.78',
+    '195.167.87.181',
+    '195.167.87.180',
+    '20.13.195.185',
+    '135.225.16.50',
+];
+/**
+ * Viva production-environment webhook source IPs (mix of literals and CIDRs).
+ *
+ * @see references/viva-docs/md/webhooks-for-payments.txt:276
+ */
+export const VIVA_PROD_IPS = [
+    '51.138.37.238',
+    '13.80.70.181',
+    '13.80.71.223',
+    '13.79.28.70',
+    '40.127.253.112/28',
+    '51.105.129.192/28',
+    '20.54.89.16',
+    '4.223.76.50',
+    '51.12.157.0/28',
+];
+// ---------------------------------------------------------------------------
+// BlockList builder
+// ---------------------------------------------------------------------------
+/**
+ * Parse a single IP string or CIDR string and add it to a BlockList.
+ * Supports:
+ *   - Literal IPv4:  "1.2.3.4"
+ *   - IPv4 CIDR:     "1.2.3.0/24"
+ *   - Literal IPv6:  "::1"
+ */
+function addToBlockList(bl, entry) {
+    const slash = entry.indexOf('/');
+    if (slash !== -1) {
+        const addr = entry.slice(0, slash);
+        const prefix = parseInt(entry.slice(slash + 1), 10);
+        // node:net BlockList.addSubnet(addr, prefix, type)
+        bl.addSubnet(addr, prefix, addr.includes(':') ? 'ipv6' : 'ipv4');
+    }
+    else {
+        bl.addAddress(entry, entry.includes(':') ? 'ipv6' : 'ipv4');
+    }
+}
+/** Build a BlockList from an array of IP/CIDR strings. */
+function buildBlockList(ips) {
+    const bl = new BlockList();
+    for (const entry of ips) {
+        addToBlockList(bl, entry);
+    }
+    return bl;
+}
+// Cached BlockLists built once per process.
+const _demoList = buildBlockList(VIVA_DEMO_IPS);
+const _prodList = buildBlockList(VIVA_PROD_IPS);
+// ---------------------------------------------------------------------------
+// Normaliser
+// ---------------------------------------------------------------------------
+/**
+ * Normalise an IP string for comparison:
+ * - Lowercase
+ * - Strip surrounding brackets (e.g. `[::1]` → `::1`)
+ */
+function normaliseIp(ip) {
+    let s = ip.trim().toLowerCase();
+    if (s.startsWith('[') && s.endsWith(']')) {
+        s = s.slice(1, -1);
+    }
+    return s;
+}
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/**
+ * Returns `true` if `ip` is in Viva's published source list for `env`,
+ * or if it appears in the optional `extraAllowlist`.
+ *
+ * Does NOT throw — the route handler decides whether to 403.
+ *
+ * IPv4 literals and CIDR ranges are matched via `node:net.BlockList`.
+ * IPv6 is normalised (lowercase + bracket-strip) before checking.
+ *
+ * @param ip             The source IP of the incoming request.
+ * @param env            Target environment: `'demo'` or `'production'`.
+ * @param extraAllowlist Optional operator-configured IPs (e.g. reverse proxies
+ *                       that sit upstream of Viva before reaching this server).
+ *
+ * @see references/viva-docs/md/webhooks-for-payments.txt:270
+ */
+export function isAllowedSourceIp(ip, env, extraAllowlist) {
+    const normalised = normaliseIp(ip);
+    const type = normalised.includes(':') ? 'ipv6' : 'ipv4';
+    // Check the env-specific block list.
+    const list = env === 'demo' ? _demoList : _prodList;
+    if (list.check(normalised, type)) {
+        return true;
+    }
+    // Check extra allowlist if provided.
+    if (extraAllowlist && extraAllowlist.length > 0) {
+        const extraList = buildBlockList(extraAllowlist);
+        if (extraList.check(normalised, type)) {
+            return true;
+        }
+    }
+    return false;
+}
+//# sourceMappingURL=ip-allowlist.js.map

package/dist/webhooks/ip-allowlist.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ip-allowlist.js","sourceRoot":"","sources":["../../src/webhooks/ip-allowlist.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAErC,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,CAAC,MAAM,aAAa,GAAsB;IAC9C,cAAc;IACd,aAAa;IACb,gBAAgB;IAChB,gBAAgB;IAChB,eAAe;IACf,eAAe;CACP,CAAC;AAEX;;;;GAIG;AACH,MAAM,CAAC,MAAM,aAAa,GAAsB;IAC9C,eAAe;IACf,cAAc;IACd,cAAc;IACd,aAAa;IACb,mBAAmB;IACnB,mBAAmB;IACnB,aAAa;IACb,aAAa;IACb,gBAAgB;CACR,CAAC;AAEX,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E;;;;;;GAMG;AACH,SAAS,cAAc,CAAC,EAAa,EAAE,KAAa;IAClD,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACjC,IAAI,KAAK,KAAK,CAAC,CAAC,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;QACnC,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACpD,mDAAmD;QACnD,EAAE,CAAC,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IACnE,CAAC;SAAM,CAAC;QACN,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC;AAED,0DAA0D;AAC1D,SAAS,cAAc,CAAC,GAAsB;IAC5C,MAAM,EAAE,GAAG,IAAI,SAAS,EAAE,CAAC;IAC3B,KAAK,MAAM,KAAK,IAAI,GAAG,EAAE,CAAC;QACxB,cAAc,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;IAC5B,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,4CAA4C;AAC5C,MAAM,SAAS,GAAG,cAAc,CAAC,aAAa,CAAC,CAAC;AAChD,MAAM,SAAS,GAAG,cAAc,CAAC,aAAa,CAAC,CAAC;AAEhD,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;;;GAIG;AACH,SAAS,WAAW,CAAC,EAAU;IAC7B,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAChC,IAAI,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACzC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACrB,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,iBAAiB,CAC/B,EAAU,EACV,GAA0B,EAC1B,cAAkC;IAElC,MAAM,UAAU,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IACnC,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;IAExD,qCAAqC;IACrC,MAAM,IAAI,GAAG,GAAG,KAAK,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;IACpD,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,IAAI,CAAC,EAAE,CAAC;QACjC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,qCAAqC;IACrC,IAAI,cAAc,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChD,MAAM,SAAS,GAAG,cAAc,CAAC,cAAc,CAAC,CAAC;QACjD,IAAI,SAAS,CAAC,KAAK,CAAC,UAAU,EAAE,IAAI,CAAC,EAAE,CAAC;YACtC,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/webhooks/status-lattice.d.ts

@@ -0,0 +1,72 @@
+/**
+ * Viva transaction status mapping and monotonic status lattice.
+ *
+ * Implements plan P17 (status letter → plugin enum) and plan A9
+ * (authorized → cancelled allowed — void-before-capture transition).
+ *
+ * Status lattice (per P17 + A9):
+ *   initiated  → authorized | captured | failed
+ *   authorized → captured | cancelled | failed | disputed   ← A9 added cancelled
+ *   captured   → refunded | disputed
+ *   refunded   → disputed
+ *   failed, cancelled, disputed → TERMINAL (no further transitions)
+ *
+ * Terminal states never transition except to themselves (idempotent re-apply).
+ *
+ * @see references/viva-docs/md/wh-sale-transactions.txt:210
+ * @see references/viva-docs/md/wh-transaction-payment-created.txt:398
+ */
+import type { VivaStatusLetter, VivaTransactionStatus, VivaClaimSubstate } from '../types/status.js';
+/**
+ * Pure mapping from Viva's `StatusId` letter to the plugin's canonical status.
+ *
+ * M-family letters (M, MA, MI, ML, MS, MW) all map to `'disputed'` with the
+ * specific letter preserved as `claimSubstate`.
+ *
+ * @see references/viva-docs/md/wh-sale-transactions.txt:210
+ * @see references/viva-docs/md/wh-transaction-payment-created.txt:398
+ */
+export declare function mapStatusLetter(letter: VivaStatusLetter): {
+    status: VivaTransactionStatus;
+    claimSubstate: VivaClaimSubstate | null;
+};
+export type StatusTransitionResult = {
+    ok: true;
+    next: VivaTransactionStatus;
+} | {
+    ok: false;
+    reason: 'TERMINAL' | 'BACKWARD' | 'ILLEGAL';
+    current: VivaTransactionStatus;
+    attempted: VivaTransactionStatus;
+};
+/**
+ * Pure validator. Does NOT mutate state. Returns a typed result describing
+ * whether the `current → next` transition is allowed by the lattice.
+ *
+ * Returns:
+ * - `{ ok: true, next }` if the transition is allowed OR if `next === current`
+ *   (idempotent re-apply).
+ * - `{ ok: false, reason: 'TERMINAL' }` if `current` is terminal and
+ *   `next !== current`.
+ * - `{ ok: false, reason: 'BACKWARD' }` if `next` is an ancestor of `current`
+ *   in the DAG.
+ * - `{ ok: false, reason: 'ILLEGAL' }` for any other invalid pair.
+ *
+ * Callers (the Medusa subscriber) use this before issuing an UPDATE to
+ * `viva_transaction.status`.
+ *
+ * @see Plan P17 (status lattice), Plan A9 (authorized → cancelled)
+ * @see references/viva-docs/md/wh-transaction-payment-created.txt:398
+ */
+export declare function validateStatusTransition(current: VivaTransactionStatus, next: VivaTransactionStatus): StatusTransitionResult;
+/**
+ * Convenience wrapper: looks up `mapStatusLetter` then calls
+ * `validateStatusTransition`. Returns the full result so callers can decide
+ * whether to apply or log.
+ *
+ * Not part of the core interface spec, provided for S8 convenience.
+ */
+export declare function applyStatusTransition(current: VivaTransactionStatus, incomingLetter: VivaStatusLetter): StatusTransitionResult & {
+    claimSubstate: VivaClaimSubstate | null;
+};
+//# sourceMappingURL=status-lattice.d.ts.map

package/dist/webhooks/status-lattice.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"status-lattice.d.ts","sourceRoot":"","sources":["../../src/webhooks/status-lattice.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAUrG;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,gBAAgB,GAAG;IACzD,MAAM,EAAE,qBAAqB,CAAC;IAC9B,aAAa,EAAE,iBAAiB,GAAG,IAAI,CAAC;CACzC,CA2BA;AAqHD,MAAM,MAAM,sBAAsB,GAC9B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,IAAI,EAAE,qBAAqB,CAAA;CAAE,GACzC;IACE,EAAE,EAAE,KAAK,CAAC;IACV,MAAM,EAAE,UAAU,GAAG,UAAU,GAAG,SAAS,CAAC;IAC5C,OAAO,EAAE,qBAAqB,CAAC;IAC/B,SAAS,EAAE,qBAAqB,CAAC;CAClC,CAAC;AAMN;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,qBAAqB,EAC9B,IAAI,EAAE,qBAAqB,GAC1B,sBAAsB,CA0BxB;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,qBAAqB,EAC9B,cAAc,EAAE,gBAAgB,GAC/B,sBAAsB,GAAG;IAAE,aAAa,EAAE,iBAAiB,GAAG,IAAI,CAAA;CAAE,CAItE"}