@secondlayer/shared 6.21.0 → 6.23.0

package/dist/src/crypto/ed25519.d.ts

@@ -0,0 +1,22 @@
+import { KeyObject } from "node:crypto";
+/**
+* Asymmetric ed25519 signing for Streams response proofs.
+*
+* Asymmetric (not HMAC) so the proof is real: only the server holds the private
+* key, and any consumer verifies with the published public key — no shared
+* secret to leak. ed25519 uses node's `sign`/`verify` with a `null` algorithm.
+* Keys are PEM (PKCS8 private / SPKI public) for env transport; load once and
+* reuse the KeyObject on hot paths.
+*/
+declare function generateEd25519KeyPair(): {
+	privateKeyPem: string
+	publicKeyPem: string
+};
+declare function loadEd25519PrivateKey(pem: string): KeyObject;
+declare function loadEd25519PublicKey(pem: string): KeyObject;
+declare function publicKeyPemFromPrivate(privateKeyPem: string): string;
+/** Stable short id for a public key (rotation hint via X-Signature-KeyId). */
+declare function ed25519KeyId(publicKeyPem: string): string;
+declare function signEd25519(payload: string, privateKey: KeyObject): string;
+declare function verifyEd25519(payload: string, signatureBase64: string, publicKey: KeyObject): boolean;
+export { verifyEd25519, signEd25519, publicKeyPemFromPrivate, loadEd25519PublicKey, loadEd25519PrivateKey, generateEd25519KeyPair, ed25519KeyId };

package/dist/src/crypto/ed25519.js

@@ -0,0 +1,80 @@
+import { createRequire } from "node:module";
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+
+// src/crypto/ed25519.ts
+var exports_ed25519 = {};
+__export(exports_ed25519, {
+  verifyEd25519: () => verifyEd25519,
+  signEd25519: () => signEd25519,
+  publicKeyPemFromPrivate: () => publicKeyPemFromPrivate,
+  loadEd25519PublicKey: () => loadEd25519PublicKey,
+  loadEd25519PrivateKey: () => loadEd25519PrivateKey,
+  generateEd25519KeyPair: () => generateEd25519KeyPair,
+  ed25519KeyId: () => ed25519KeyId
+});
+import {
+  createHash,
+  createPrivateKey,
+  createPublicKey,
+  generateKeyPairSync,
+  sign as nodeSign,
+  verify as nodeVerify
+} from "node:crypto";
+function generateEd25519KeyPair() {
+  const { privateKey, publicKey } = generateKeyPairSync("ed25519");
+  return {
+    privateKeyPem: privateKey.export({ format: "pem", type: "pkcs8" }).toString(),
+    publicKeyPem: publicKey.export({ format: "pem", type: "spki" }).toString()
+  };
+}
+function loadEd25519PrivateKey(pem) {
+  return createPrivateKey(pem);
+}
+function loadEd25519PublicKey(pem) {
+  return createPublicKey(pem);
+}
+function publicKeyPemFromPrivate(privateKeyPem) {
+  return createPublicKey(createPrivateKey(privateKeyPem)).export({ format: "pem", type: "spki" }).toString();
+}
+function ed25519KeyId(publicKeyPem) {
+  const der = createPublicKey(publicKeyPem).export({
+    format: "der",
+    type: "spki"
+  });
+  return createHash("sha256").update(der).digest("base64url").slice(0, 16);
+}
+function signEd25519(payload, privateKey) {
+  return nodeSign(null, Buffer.from(payload, "utf8"), privateKey).toString("base64");
+}
+function verifyEd25519(payload, signatureBase64, publicKey) {
+  try {
+    return nodeVerify(null, Buffer.from(payload, "utf8"), publicKey, Buffer.from(signatureBase64, "base64"));
+  } catch {
+    return false;
+  }
+}
+export {
+  verifyEd25519,
+  signEd25519,
+  publicKeyPemFromPrivate,
+  loadEd25519PublicKey,
+  loadEd25519PrivateKey,
+  generateEd25519KeyPair,
+  ed25519KeyId
+};
+
+//# debugId=B4FC95F24211B0D064756E2164756E21
+//# sourceMappingURL=ed25519.js.map

package/dist/src/crypto/ed25519.js.map

@@ -0,0 +1,10 @@
+{
+  "version": 3,
+  "sources": ["../src/crypto/ed25519.ts"],
+  "sourcesContent": [
+    "import {\n\ttype KeyObject,\n\tcreateHash,\n\tcreatePrivateKey,\n\tcreatePublicKey,\n\tgenerateKeyPairSync,\n\tsign as nodeSign,\n\tverify as nodeVerify,\n} from \"node:crypto\";\n\n/**\n * Asymmetric ed25519 signing for Streams response proofs.\n *\n * Asymmetric (not HMAC) so the proof is real: only the server holds the private\n * key, and any consumer verifies with the published public key — no shared\n * secret to leak. ed25519 uses node's `sign`/`verify` with a `null` algorithm.\n * Keys are PEM (PKCS8 private / SPKI public) for env transport; load once and\n * reuse the KeyObject on hot paths.\n */\n\nexport function generateEd25519KeyPair(): {\n\tprivateKeyPem: string;\n\tpublicKeyPem: string;\n} {\n\tconst { privateKey, publicKey } = generateKeyPairSync(\"ed25519\");\n\treturn {\n\t\tprivateKeyPem: privateKey\n\t\t\t.export({ format: \"pem\", type: \"pkcs8\" })\n\t\t\t.toString(),\n\t\tpublicKeyPem: publicKey.export({ format: \"pem\", type: \"spki\" }).toString(),\n\t};\n}\n\nexport function loadEd25519PrivateKey(pem: string): KeyObject {\n\treturn createPrivateKey(pem);\n}\n\nexport function loadEd25519PublicKey(pem: string): KeyObject {\n\treturn createPublicKey(pem);\n}\n\nexport function publicKeyPemFromPrivate(privateKeyPem: string): string {\n\treturn createPublicKey(createPrivateKey(privateKeyPem))\n\t\t.export({ format: \"pem\", type: \"spki\" })\n\t\t.toString();\n}\n\n/** Stable short id for a public key (rotation hint via X-Signature-KeyId). */\nexport function ed25519KeyId(publicKeyPem: string): string {\n\tconst der = createPublicKey(publicKeyPem).export({\n\t\tformat: \"der\",\n\t\ttype: \"spki\",\n\t});\n\treturn createHash(\"sha256\").update(der).digest(\"base64url\").slice(0, 16);\n}\n\nexport function signEd25519(payload: string, privateKey: KeyObject): string {\n\treturn nodeSign(null, Buffer.from(payload, \"utf8\"), privateKey).toString(\n\t\t\"base64\",\n\t);\n}\n\nexport function verifyEd25519(\n\tpayload: string,\n\tsignatureBase64: string,\n\tpublicKey: KeyObject,\n): boolean {\n\ttry {\n\t\treturn nodeVerify(\n\t\t\tnull,\n\t\t\tBuffer.from(payload, \"utf8\"),\n\t\t\tpublicKey,\n\t\t\tBuffer.from(signatureBase64, \"base64\"),\n\t\t);\n\t} catch {\n\t\treturn false;\n\t}\n}\n"
+  ],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,UAMC;AAAA,YACA;AAAA;AAaM,SAAS,sBAAsB,GAGpC;AAAA,EACD,QAAQ,YAAY,cAAc,oBAAoB,SAAS;AAAA,EAC/D,OAAO;AAAA,IACN,eAAe,WACb,OAAO,EAAE,QAAQ,OAAO,MAAM,QAAQ,CAAC,EACvC,SAAS;AAAA,IACX,cAAc,UAAU,OAAO,EAAE,QAAQ,OAAO,MAAM,OAAO,CAAC,EAAE,SAAS;AAAA,EAC1E;AAAA;AAGM,SAAS,qBAAqB,CAAC,KAAwB;AAAA,EAC7D,OAAO,iBAAiB,GAAG;AAAA;AAGrB,SAAS,oBAAoB,CAAC,KAAwB;AAAA,EAC5D,OAAO,gBAAgB,GAAG;AAAA;AAGpB,SAAS,uBAAuB,CAAC,eAA+B;AAAA,EACtE,OAAO,gBAAgB,iBAAiB,aAAa,CAAC,EACpD,OAAO,EAAE,QAAQ,OAAO,MAAM,OAAO,CAAC,EACtC,SAAS;AAAA;AAIL,SAAS,YAAY,CAAC,cAA8B;AAAA,EAC1D,MAAM,MAAM,gBAAgB,YAAY,EAAE,OAAO;AAAA,IAChD,QAAQ;AAAA,IACR,MAAM;AAAA,EACP,CAAC;AAAA,EACD,OAAO,WAAW,QAAQ,EAAE,OAAO,GAAG,EAAE,OAAO,WAAW,EAAE,MAAM,GAAG,EAAE;AAAA;AAGjE,SAAS,WAAW,CAAC,SAAiB,YAA+B;AAAA,EAC3E,OAAO,SAAS,MAAM,OAAO,KAAK,SAAS,MAAM,GAAG,UAAU,EAAE,SAC/D,QACD;AAAA;AAGM,SAAS,aAAa,CAC5B,SACA,iBACA,WACU;AAAA,EACV,IAAI;AAAA,IACH,OAAO,WACN,MACA,OAAO,KAAK,SAAS,MAAM,GAC3B,WACA,OAAO,KAAK,iBAAiB,QAAQ,CACtC;AAAA,IACC,MAAM;AAAA,IACP,OAAO;AAAA;AAAA;",
+  "debugId": "B4FC95F24211B0D064756E2164756E21",
+  "names": []
+}

package/dist/src/crypto/secondlayer-webhook.d.ts

@@ -0,0 +1,40 @@
+/**
+* Universal Secondlayer webhook authenticity — an ed25519 signature attached to
+* EVERY delivery regardless of body format.
+*
+* Only the `standard-webhooks` format carries an HMAC; `raw`/`cloudevents`/etc.
+* carried no Secondlayer proof, so a receiver had no way to know a payload came
+* from us. This signs each delivery with a single platform ed25519 key so any
+* receiver verifies with the published public key — no per-subscription secret,
+* and the body shape stays format-specific.
+*
+* Header names are lowercase to match the format builders' header maps (HTTP
+* header names are case-insensitive on the wire).
+*/
+declare const WEBHOOK_ID_HEADER = "webhook-id";
+declare const SECONDLAYER_SIGNATURE_HEADER = "x-secondlayer-signature";
+declare const SECONDLAYER_KEY_ID_HEADER = "x-secondlayer-signature-keyid";
+type SecondlayerWebhookSigner = {
+	keyId: string
+	publicKeyPem: string
+	sign(payload: string): string
+};
+/**
+* Memoized webhook signer, or null when no key is configured (signing is then a
+* no-op, so the universal header is safe to ship before a key is provisioned).
+*/
+declare function getSecondlayerWebhookSigner(): SecondlayerWebhookSigner | null;
+/** Reset the memoized signer. Tests only. */
+declare function resetSecondlayerWebhookSignerForTest(): void;
+/**
+* Build the universal authenticity headers for a delivery. Returns null when no
+* signing key is configured (caller leaves the delivery unsigned).
+*/
+declare function signSecondlayerWebhook(webhookId: string, body: string): Record<string, string> | null;
+/**
+* Verify a delivery's ed25519 signature over `${webhookId}.${rawBody}` against
+* the published public key. Low-level (raw values); receivers use the SDK's
+* `verifySecondlayerSignature`, which extracts the headers ergonomically.
+*/
+declare function verifySecondlayerSignatureValues(rawBody: string, webhookId: string | undefined, signatureBase64: string | undefined, publicKeyPem: string): boolean;
+export { verifySecondlayerSignatureValues, signSecondlayerWebhook, resetSecondlayerWebhookSignerForTest, getSecondlayerWebhookSigner, WEBHOOK_ID_HEADER, SecondlayerWebhookSigner, SECONDLAYER_SIGNATURE_HEADER, SECONDLAYER_KEY_ID_HEADER };

package/dist/src/crypto/secondlayer-webhook.js

@@ -0,0 +1,130 @@
+import { createRequire } from "node:module";
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+
+// src/crypto/ed25519.ts
+var exports_ed25519 = {};
+__export(exports_ed25519, {
+  verifyEd25519: () => verifyEd25519,
+  signEd25519: () => signEd25519,
+  publicKeyPemFromPrivate: () => publicKeyPemFromPrivate,
+  loadEd25519PublicKey: () => loadEd25519PublicKey,
+  loadEd25519PrivateKey: () => loadEd25519PrivateKey,
+  generateEd25519KeyPair: () => generateEd25519KeyPair,
+  ed25519KeyId: () => ed25519KeyId
+});
+import {
+  createHash,
+  createPrivateKey,
+  createPublicKey,
+  generateKeyPairSync,
+  sign as nodeSign,
+  verify as nodeVerify
+} from "node:crypto";
+function generateEd25519KeyPair() {
+  const { privateKey, publicKey } = generateKeyPairSync("ed25519");
+  return {
+    privateKeyPem: privateKey.export({ format: "pem", type: "pkcs8" }).toString(),
+    publicKeyPem: publicKey.export({ format: "pem", type: "spki" }).toString()
+  };
+}
+function loadEd25519PrivateKey(pem) {
+  return createPrivateKey(pem);
+}
+function loadEd25519PublicKey(pem) {
+  return createPublicKey(pem);
+}
+function publicKeyPemFromPrivate(privateKeyPem) {
+  return createPublicKey(createPrivateKey(privateKeyPem)).export({ format: "pem", type: "spki" }).toString();
+}
+function ed25519KeyId(publicKeyPem) {
+  const der = createPublicKey(publicKeyPem).export({
+    format: "der",
+    type: "spki"
+  });
+  return createHash("sha256").update(der).digest("base64url").slice(0, 16);
+}
+function signEd25519(payload, privateKey) {
+  return nodeSign(null, Buffer.from(payload, "utf8"), privateKey).toString("base64");
+}
+function verifyEd25519(payload, signatureBase64, publicKey) {
+  try {
+    return nodeVerify(null, Buffer.from(payload, "utf8"), publicKey, Buffer.from(signatureBase64, "base64"));
+  } catch {
+    return false;
+  }
+}
+
+// src/crypto/secondlayer-webhook.ts
+var WEBHOOK_ID_HEADER = "webhook-id";
+var SECONDLAYER_SIGNATURE_HEADER = "x-secondlayer-signature";
+var SECONDLAYER_KEY_ID_HEADER = "x-secondlayer-signature-keyid";
+var cached;
+function signingKeyFromEnv() {
+  return process.env.SECONDLAYER_WEBHOOK_SIGNING_PRIVATE_KEY || process.env.STREAMS_SIGNING_PRIVATE_KEY || undefined;
+}
+function getSecondlayerWebhookSigner() {
+  if (cached !== undefined)
+    return cached;
+  const raw = signingKeyFromEnv();
+  if (!raw) {
+    cached = null;
+    return null;
+  }
+  const pem = raw.includes("\\n") ? raw.replace(/\\n/g, `
+`) : raw;
+  const privateKey = loadEd25519PrivateKey(pem);
+  const publicKeyPem = publicKeyPemFromPrivate(pem);
+  cached = {
+    keyId: ed25519KeyId(publicKeyPem),
+    publicKeyPem,
+    sign: (payload) => signEd25519(payload, privateKey)
+  };
+  return cached;
+}
+function resetSecondlayerWebhookSignerForTest() {
+  cached = undefined;
+}
+function signedContent(webhookId, body) {
+  return `${webhookId}.${body}`;
+}
+function signSecondlayerWebhook(webhookId, body) {
+  const signer = getSecondlayerWebhookSigner();
+  if (!signer)
+    return null;
+  return {
+    [WEBHOOK_ID_HEADER]: webhookId,
+    [SECONDLAYER_SIGNATURE_HEADER]: signer.sign(signedContent(webhookId, body)),
+    [SECONDLAYER_KEY_ID_HEADER]: signer.keyId
+  };
+}
+function verifySecondlayerSignatureValues(rawBody, webhookId, signatureBase64, publicKeyPem) {
+  if (!webhookId || !signatureBase64)
+    return false;
+  const publicKey = loadEd25519PublicKey(publicKeyPem);
+  return verifyEd25519(signedContent(webhookId, rawBody), signatureBase64, publicKey);
+}
+export {
+  verifySecondlayerSignatureValues,
+  signSecondlayerWebhook,
+  resetSecondlayerWebhookSignerForTest,
+  getSecondlayerWebhookSigner,
+  WEBHOOK_ID_HEADER,
+  SECONDLAYER_SIGNATURE_HEADER,
+  SECONDLAYER_KEY_ID_HEADER
+};
+
+//# debugId=ECECE08A1A6DA84764756E2164756E21
+//# sourceMappingURL=secondlayer-webhook.js.map

package/dist/src/crypto/secondlayer-webhook.js.map

@@ -0,0 +1,11 @@
+{
+  "version": 3,
+  "sources": ["../src/crypto/ed25519.ts", "../src/crypto/secondlayer-webhook.ts"],
+  "sourcesContent": [
+    "import {\n\ttype KeyObject,\n\tcreateHash,\n\tcreatePrivateKey,\n\tcreatePublicKey,\n\tgenerateKeyPairSync,\n\tsign as nodeSign,\n\tverify as nodeVerify,\n} from \"node:crypto\";\n\n/**\n * Asymmetric ed25519 signing for Streams response proofs.\n *\n * Asymmetric (not HMAC) so the proof is real: only the server holds the private\n * key, and any consumer verifies with the published public key — no shared\n * secret to leak. ed25519 uses node's `sign`/`verify` with a `null` algorithm.\n * Keys are PEM (PKCS8 private / SPKI public) for env transport; load once and\n * reuse the KeyObject on hot paths.\n */\n\nexport function generateEd25519KeyPair(): {\n\tprivateKeyPem: string;\n\tpublicKeyPem: string;\n} {\n\tconst { privateKey, publicKey } = generateKeyPairSync(\"ed25519\");\n\treturn {\n\t\tprivateKeyPem: privateKey\n\t\t\t.export({ format: \"pem\", type: \"pkcs8\" })\n\t\t\t.toString(),\n\t\tpublicKeyPem: publicKey.export({ format: \"pem\", type: \"spki\" }).toString(),\n\t};\n}\n\nexport function loadEd25519PrivateKey(pem: string): KeyObject {\n\treturn createPrivateKey(pem);\n}\n\nexport function loadEd25519PublicKey(pem: string): KeyObject {\n\treturn createPublicKey(pem);\n}\n\nexport function publicKeyPemFromPrivate(privateKeyPem: string): string {\n\treturn createPublicKey(createPrivateKey(privateKeyPem))\n\t\t.export({ format: \"pem\", type: \"spki\" })\n\t\t.toString();\n}\n\n/** Stable short id for a public key (rotation hint via X-Signature-KeyId). */\nexport function ed25519KeyId(publicKeyPem: string): string {\n\tconst der = createPublicKey(publicKeyPem).export({\n\t\tformat: \"der\",\n\t\ttype: \"spki\",\n\t});\n\treturn createHash(\"sha256\").update(der).digest(\"base64url\").slice(0, 16);\n}\n\nexport function signEd25519(payload: string, privateKey: KeyObject): string {\n\treturn nodeSign(null, Buffer.from(payload, \"utf8\"), privateKey).toString(\n\t\t\"base64\",\n\t);\n}\n\nexport function verifyEd25519(\n\tpayload: string,\n\tsignatureBase64: string,\n\tpublicKey: KeyObject,\n): boolean {\n\ttry {\n\t\treturn nodeVerify(\n\t\t\tnull,\n\t\t\tBuffer.from(payload, \"utf8\"),\n\t\t\tpublicKey,\n\t\t\tBuffer.from(signatureBase64, \"base64\"),\n\t\t);\n\t} catch {\n\t\treturn false;\n\t}\n}\n",
+    "import {\n\ted25519KeyId,\n\tloadEd25519PrivateKey,\n\tloadEd25519PublicKey,\n\tpublicKeyPemFromPrivate,\n\tsignEd25519,\n\tverifyEd25519,\n} from \"./ed25519.ts\";\n\n/**\n * Universal Secondlayer webhook authenticity — an ed25519 signature attached to\n * EVERY delivery regardless of body format.\n *\n * Only the `standard-webhooks` format carries an HMAC; `raw`/`cloudevents`/etc.\n * carried no Secondlayer proof, so a receiver had no way to know a payload came\n * from us. This signs each delivery with a single platform ed25519 key so any\n * receiver verifies with the published public key — no per-subscription secret,\n * and the body shape stays format-specific.\n *\n * Header names are lowercase to match the format builders' header maps (HTTP\n * header names are case-insensitive on the wire).\n */\nexport const WEBHOOK_ID_HEADER = \"webhook-id\";\nexport const SECONDLAYER_SIGNATURE_HEADER = \"x-secondlayer-signature\";\nexport const SECONDLAYER_KEY_ID_HEADER = \"x-secondlayer-signature-keyid\";\n\nexport type SecondlayerWebhookSigner = {\n\tkeyId: string;\n\tpublicKeyPem: string;\n\tsign(payload: string): string;\n};\n\nlet cached: SecondlayerWebhookSigner | null | undefined;\n\nfunction signingKeyFromEnv(): string | undefined {\n\t// A dedicated webhook key if provided, else the platform Streams key — both\n\t// are the same ed25519 \"single platform identity\", so reusing it keeps key\n\t// distribution to one published public key.\n\treturn (\n\t\tprocess.env.SECONDLAYER_WEBHOOK_SIGNING_PRIVATE_KEY ||\n\t\tprocess.env.STREAMS_SIGNING_PRIVATE_KEY ||\n\t\tundefined\n\t);\n}\n\n/**\n * Memoized webhook signer, or null when no key is configured (signing is then a\n * no-op, so the universal header is safe to ship before a key is provisioned).\n */\nexport function getSecondlayerWebhookSigner(): SecondlayerWebhookSigner | null {\n\tif (cached !== undefined) return cached;\n\tconst raw = signingKeyFromEnv();\n\tif (!raw) {\n\t\tcached = null;\n\t\treturn null;\n\t}\n\t// Env transport often escapes newlines; restore real PEM line breaks.\n\tconst pem = raw.includes(\"\\\\n\") ? raw.replace(/\\\\n/g, \"\\n\") : raw;\n\tconst privateKey = loadEd25519PrivateKey(pem);\n\tconst publicKeyPem = publicKeyPemFromPrivate(pem);\n\tcached = {\n\t\tkeyId: ed25519KeyId(publicKeyPem),\n\t\tpublicKeyPem,\n\t\tsign: (payload) => signEd25519(payload, privateKey),\n\t};\n\treturn cached;\n}\n\n/** Reset the memoized signer. Tests only. */\nexport function resetSecondlayerWebhookSignerForTest(): void {\n\tcached = undefined;\n}\n\n/**\n * The exact bytes the signature covers: `${webhookId}.${body}`. Binding the id\n * into the signed content stops a captured body from being replayed under a\n * different delivery id.\n */\nfunction signedContent(webhookId: string, body: string): string {\n\treturn `${webhookId}.${body}`;\n}\n\n/**\n * Build the universal authenticity headers for a delivery. Returns null when no\n * signing key is configured (caller leaves the delivery unsigned).\n */\nexport function signSecondlayerWebhook(\n\twebhookId: string,\n\tbody: string,\n): Record<string, string> | null {\n\tconst signer = getSecondlayerWebhookSigner();\n\tif (!signer) return null;\n\treturn {\n\t\t[WEBHOOK_ID_HEADER]: webhookId,\n\t\t[SECONDLAYER_SIGNATURE_HEADER]: signer.sign(signedContent(webhookId, body)),\n\t\t[SECONDLAYER_KEY_ID_HEADER]: signer.keyId,\n\t};\n}\n\n/**\n * Verify a delivery's ed25519 signature over `${webhookId}.${rawBody}` against\n * the published public key. Low-level (raw values); receivers use the SDK's\n * `verifySecondlayerSignature`, which extracts the headers ergonomically.\n */\nexport function verifySecondlayerSignatureValues(\n\trawBody: string,\n\twebhookId: string | undefined,\n\tsignatureBase64: string | undefined,\n\tpublicKeyPem: string,\n): boolean {\n\tif (!webhookId || !signatureBase64) return false;\n\tconst publicKey = loadEd25519PublicKey(publicKeyPem);\n\treturn verifyEd25519(\n\t\tsignedContent(webhookId, rawBody),\n\t\tsignatureBase64,\n\t\tpublicKey,\n\t);\n}\n"
+  ],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,UAMC;AAAA,YACA;AAAA;AAaM,SAAS,sBAAsB,GAGpC;AAAA,EACD,QAAQ,YAAY,cAAc,oBAAoB,SAAS;AAAA,EAC/D,OAAO;AAAA,IACN,eAAe,WACb,OAAO,EAAE,QAAQ,OAAO,MAAM,QAAQ,CAAC,EACvC,SAAS;AAAA,IACX,cAAc,UAAU,OAAO,EAAE,QAAQ,OAAO,MAAM,OAAO,CAAC,EAAE,SAAS;AAAA,EAC1E;AAAA;AAGM,SAAS,qBAAqB,CAAC,KAAwB;AAAA,EAC7D,OAAO,iBAAiB,GAAG;AAAA;AAGrB,SAAS,oBAAoB,CAAC,KAAwB;AAAA,EAC5D,OAAO,gBAAgB,GAAG;AAAA;AAGpB,SAAS,uBAAuB,CAAC,eAA+B;AAAA,EACtE,OAAO,gBAAgB,iBAAiB,aAAa,CAAC,EACpD,OAAO,EAAE,QAAQ,OAAO,MAAM,OAAO,CAAC,EACtC,SAAS;AAAA;AAIL,SAAS,YAAY,CAAC,cAA8B;AAAA,EAC1D,MAAM,MAAM,gBAAgB,YAAY,EAAE,OAAO;AAAA,IAChD,QAAQ;AAAA,IACR,MAAM;AAAA,EACP,CAAC;AAAA,EACD,OAAO,WAAW,QAAQ,EAAE,OAAO,GAAG,EAAE,OAAO,WAAW,EAAE,MAAM,GAAG,EAAE;AAAA;AAGjE,SAAS,WAAW,CAAC,SAAiB,YAA+B;AAAA,EAC3E,OAAO,SAAS,MAAM,OAAO,KAAK,SAAS,MAAM,GAAG,UAAU,EAAE,SAC/D,QACD;AAAA;AAGM,SAAS,aAAa,CAC5B,SACA,iBACA,WACU;AAAA,EACV,IAAI;AAAA,IACH,OAAO,WACN,MACA,OAAO,KAAK,SAAS,MAAM,GAC3B,WACA,OAAO,KAAK,iBAAiB,QAAQ,CACtC;AAAA,IACC,MAAM;AAAA,IACP,OAAO;AAAA;AAAA;;;ACrDF,IAAM,oBAAoB;AAC1B,IAAM,+BAA+B;AACrC,IAAM,4BAA4B;AAQzC,IAAI;AAEJ,SAAS,iBAAiB,GAAuB;AAAA,EAIhD,OACC,QAAQ,IAAI,2CACZ,QAAQ,IAAI,+BACZ;AAAA;AAQK,SAAS,2BAA2B,GAAoC;AAAA,EAC9E,IAAI,WAAW;AAAA,IAAW,OAAO;AAAA,EACjC,MAAM,MAAM,kBAAkB;AAAA,EAC9B,IAAI,CAAC,KAAK;AAAA,IACT,SAAS;AAAA,IACT,OAAO;AAAA,EACR;AAAA,EAEA,MAAM,MAAM,IAAI,SAAS,KAAK,IAAI,IAAI,QAAQ,QAAQ;AAAA,CAAI,IAAI;AAAA,EAC9D,MAAM,aAAa,sBAAsB,GAAG;AAAA,EAC5C,MAAM,eAAe,wBAAwB,GAAG;AAAA,EAChD,SAAS;AAAA,IACR,OAAO,aAAa,YAAY;AAAA,IAChC;AAAA,IACA,MAAM,CAAC,YAAY,YAAY,SAAS,UAAU;AAAA,EACnD;AAAA,EACA,OAAO;AAAA;AAID,SAAS,oCAAoC,GAAS;AAAA,EAC5D,SAAS;AAAA;AAQV,SAAS,aAAa,CAAC,WAAmB,MAAsB;AAAA,EAC/D,OAAO,GAAG,aAAa;AAAA;AAOjB,SAAS,sBAAsB,CACrC,WACA,MACgC;AAAA,EAChC,MAAM,SAAS,4BAA4B;AAAA,EAC3C,IAAI,CAAC;AAAA,IAAQ,OAAO;AAAA,EACpB,OAAO;AAAA,KACL,oBAAoB;AAAA,KACpB,+BAA+B,OAAO,KAAK,cAAc,WAAW,IAAI,CAAC;AAAA,KACzE,4BAA4B,OAAO;AAAA,EACrC;AAAA;AAQM,SAAS,gCAAgC,CAC/C,SACA,WACA,iBACA,cACU;AAAA,EACV,IAAI,CAAC,aAAa,CAAC;AAAA,IAAiB,OAAO;AAAA,EAC3C,MAAM,YAAY,qBAAqB,YAAY;AAAA,EACnD,OAAO,cACN,cAAc,WAAW,OAAO,GAChC,iBACA,SACD;AAAA;",
+  "debugId": "ECECE08A1A6DA84764756E2164756E21",
+  "names": []
+}

package/dist/src/db/index.d.ts

@@ -948,6 +948,113 @@ declare const SOURCE_READ_COLUMNS: {
 	readonly events: readonly ["block_height", "data", "event_index", "tx_id", "type"]
 	readonly chain_reorgs: readonly ["detected_at"]
 };
+/**
+* Per-migration DB-plane gating for the source/target split.
+*
+* Under the split, SOURCE (chain DB) holds only chain+decoded tables — the
+* control-plane tables were dropped to reclaim space — while TARGET (platform
+* DB) holds the control plane. `migrate.ts` still runs EVERY migration on EVERY
+* database (kysely integrity: the provider set must never be filtered per-DB, or
+* kysely throws "previously executed migration is missing" because each DB's
+* `kysely_migration` already records all of them). Instead, `migrate.ts` sets a
+* role before each pass and a migration gates its DDL with the helpers below: a
+* control migration's `up()` is a no-op on SOURCE but is still recorded applied,
+* so there is no missing-migration error and no re-run.
+*
+* `'both'` is single-DB / collapsed-split mode (dev / OSS / CI): every helper
+* runs, identical to pre-split behavior.
+*
+* Authoring a new migration under the split:
+*   async function up(db: Kysely<unknown>): Promise<void> {
+*     await onControlPlane(() => sql`ALTER TABLE accounts ADD COLUMN …`.execute(db));
+*     await onChainPlane(() => sql`ALTER TABLE blocks ADD COLUMN …`.execute(db));
+*     // schema-wide / mixed statements: leave unwrapped (run on both).
+*   }
+*/
+type MigrationRole = "source" | "target" | "both";
+declare function setMigrationRole(role: MigrationRole): void;
+declare function getMigrationRole(): MigrationRole;
+/** Run control-plane (TARGET) DDL only when this pass targets the control plane. */
+declare function onControlPlane(fn: () => Promise<void>): Promise<void>;
+/** Run chain/decoded (SOURCE) DDL only when this pass targets the chain plane. */
+declare function onChainPlane(fn: () => Promise<void>): Promise<void>;
+type DbPlane = "source" | "target" | "both";
+/**
+* Canonical table → DB-plane mapping for the source/target split.
+*
+* SOURCE = chain + decoded (the `postgres` instance); TARGET = control plane
+* (the `postgres-platform` instance). `both` = present/used on both planes
+* (`service_heartbeats`: the indexer writes its row on SOURCE, the
+* subgraph-processor writes its row on TARGET).
+*
+* `satisfies Record<keyof Database, DbPlane>` makes adding a table to `Database`
+* without classifying it here a COMPILE error. This is the single source of
+* truth for the split — `docker/SCHEMA_SPLIT.md` and the cutover script's
+* `CONTROL_TABLES` mirror the `target` set (guarded by `table-plane.test.ts`).
+* Use it to decide which migration helper a table's DDL belongs in
+* (`onControlPlane` for `target`, `onChainPlane` for `source`).
+*
+* Note: `kysely_migration` / `kysely_migration_lock` are kysely-managed (not in
+* `Database`) and exist on both — they are intentionally not listed here.
+*/
+declare const TABLE_TO_DB: {
+	blocks: string
+	transactions: string
+	events: string
+	transactions_archive: string
+	events_archive: string
+	dead_letter_events: string
+	mempool_transactions: string
+	index_progress: string
+	contracts: string
+	chain_reorgs: string
+	decoded_events: string
+	l2_decoder_checkpoints: string
+	pox4_calls: string
+	pox4_cycles_daily: string
+	pox4_signers_daily: string
+	burn_block_rewards: string
+	burn_block_reward_slots: string
+	sbtc_events: string
+	sbtc_token_events: string
+	sbtc_supply_snapshots: string
+	bns_name_events: string
+	bns_namespace_events: string
+	bns_marketplace_events: string
+	bns_names: string
+	bns_namespaces: string
+	accounts: string
+	api_keys: string
+	sessions: string
+	magic_links: string
+	usage_daily: string
+	usage_snapshots: string
+	account_insights: string
+	account_agent_runs: string
+	account_spend_caps: string
+	processed_stripe_events: string
+	tenants: string
+	tenant_usage_monthly: string
+	tenant_compute_addons: string
+	provisioning_audit_log: string
+	projects: string
+	team_members: string
+	team_invitations: string
+	chat_sessions: string
+	chat_messages: string
+	subscriptions: string
+	subscription_outbox: string
+	subscription_deliveries: string
+	trigger_evaluator_state: string
+	subgraphs: string
+	subgraph_operations: string
+	subgraph_health_snapshots: string
+	subgraph_gaps: string
+	subgraph_usage_daily: string
+	subgraph_processing_stats: string
+	subgraph_table_snapshots: string
+	service_heartbeats: string
+};
 interface DbSplitStatus {
 	/** "split" when source/target resolve to different DBs, else "single". */
 	mode: "split" | "single";
@@ -1015,4 +1122,4 @@ declare function getRawClient(role?: "source" | "target"): ReturnType<typeof pos
 declare function getRawClientFor(url: string): ReturnType<typeof postgres>;
 /** Close all DB connection pools. Call in CLI commands to allow process exit. */
 declare function closeDb(): Promise<void>;
-export { sql, parseJsonb, jsonb, getTargetDb, getSourceDb, getRawClientFor, getRawClient, getDbSplitStatus, getDb, closeDb, assertDbSplit, UsageSnapshotsTable, UsageSnapshot, UsageDailyTable, UsageDaily, UpdateTransaction, UpdateTenantUsageMonthly, UpdateTenantComputeAddon, UpdateTenant, UpdateSubscriptionOutbox, UpdateSubscription, UpdateSubgraphOperation, UpdateSubgraph, UpdateProject, UpdateIndexProgress, UpdateEvent, UpdateContract, UpdateChatSession, UpdateBlock, UpdateApiKey, UpdateAccountSpendCap, TriggerEvaluatorStateTable, TriggerEvaluatorState, TransactionsTable, TransactionsArchiveTable, Transaction, TenantsTable, TenantUsageMonthlyTable, TenantUsageMonthly, TenantStatus, TenantComputeAddonsTable, TenantComputeAddon, Tenant, TeamMembersTable, TeamMember, TeamInvitationsTable, TeamInvitation, SubscriptionsTable, SubscriptionStatus, SubscriptionRuntime, SubscriptionOutboxTable, SubscriptionOutbox, SubscriptionKind, SubscriptionFormat, SubscriptionDelivery, SubscriptionDeliveriesTable, Subscription, SubgraphsTable, SubgraphUsageDailyTable, SubgraphUsageDaily, SubgraphTableSnapshotsTable, SubgraphProcessingStatsTable, SubgraphOperationsTable, SubgraphOperationStatus, SubgraphOperationKind, SubgraphOperation, SubgraphHealthSnapshotsTable, SubgraphHealthSnapshot, SubgraphGapsTable, SubgraphGap, Subgraph, SessionsTable, Session, ServiceHeartbeatsTable, SbtcTokenEventsTable, SbtcTokenEventType, SbtcSupplySnapshotsTable, SbtcEventsTable, SbtcEventTopic, SOURCE_READ_COLUMNS, ProvisioningAuditStatus, ProvisioningAuditLogTable, ProvisioningAuditLog, ProvisioningAuditEvent, ProjectsTable, Project, ProcessedStripeEventsTable, Pox4SignersDailyTable, Pox4FunctionName, Pox4CyclesDailyTable, Pox4CallsTable, OutboxStatus, NumericAsText, MempoolTransactionsTable, MempoolTransaction, MagicLinksTable, MagicLink, L2DecoderCheckpointsTable, InsertTransaction, InsertTenantUsageMonthly, InsertTenantComputeAddon, InsertTenant, InsertTeamMember, InsertTeamInvitation, InsertSubscriptionOutbox, InsertSubscriptionDelivery, InsertSubscription, InsertSubgraphUsageDaily, InsertSubgraphOperation, InsertSubgraphHealthSnapshot, InsertSubgraphGap, InsertSubgraph, InsertSession, InsertProvisioningAuditLog, InsertProject, InsertMempoolTransaction, InsertMagicLink, InsertIndexProgress, InsertEvent, InsertContract, InsertChatSession, InsertChatMessage, InsertBlock, InsertApiKey, InsertAccountSpendCap, InsertAccountInsight, InsertAccountAgentRun, InsertAccount, IndexProgressTable, IndexProgress, EventsTable, EventsArchiveTable, Event, DecodedEventsTable, DeadLetterEventsTable, DbSplitStatus, DbReadRow, Database, ContractsTable, Contract, ChatSessionsTable, ChatSession, ChatMessagesTable, ChatMessage, ChainReorgsTable, BurnBlockRewardsTable, BurnBlockRewardSlotsTable, BnsNamespacesTable, BnsNamespaceEventsTable, BnsNamespaceEventStatus, BnsNamesTable, BnsNameEventsTable, BnsNameEventTopic, BnsMarketplaceEventsTable, BnsMarketplaceAction, BlocksTable, Block, ApiKeysTable, ApiKey, AccountsTable, AccountSpendCapsTable, AccountSpendCap, AccountInsightsTable, AccountInsight, AccountAgentRunsTable, AccountAgentRun, Account };
+export { sql, setMigrationRole, parseJsonb, onControlPlane, onChainPlane, jsonb, getTargetDb, getSourceDb, getRawClientFor, getRawClient, getMigrationRole, getDbSplitStatus, getDb, closeDb, assertDbSplit, UsageSnapshotsTable, UsageSnapshot, UsageDailyTable, UsageDaily, UpdateTransaction, UpdateTenantUsageMonthly, UpdateTenantComputeAddon, UpdateTenant, UpdateSubscriptionOutbox, UpdateSubscription, UpdateSubgraphOperation, UpdateSubgraph, UpdateProject, UpdateIndexProgress, UpdateEvent, UpdateContract, UpdateChatSession, UpdateBlock, UpdateApiKey, UpdateAccountSpendCap, TriggerEvaluatorStateTable, TriggerEvaluatorState, TransactionsTable, TransactionsArchiveTable, Transaction, TenantsTable, TenantUsageMonthlyTable, TenantUsageMonthly, TenantStatus, TenantComputeAddonsTable, TenantComputeAddon, Tenant, TeamMembersTable, TeamMember, TeamInvitationsTable, TeamInvitation, TABLE_TO_DB, SubscriptionsTable, SubscriptionStatus, SubscriptionRuntime, SubscriptionOutboxTable, SubscriptionOutbox, SubscriptionKind, SubscriptionFormat, SubscriptionDelivery, SubscriptionDeliveriesTable, Subscription, SubgraphsTable, SubgraphUsageDailyTable, SubgraphUsageDaily, SubgraphTableSnapshotsTable, SubgraphProcessingStatsTable, SubgraphOperationsTable, SubgraphOperationStatus, SubgraphOperationKind, SubgraphOperation, SubgraphHealthSnapshotsTable, SubgraphHealthSnapshot, SubgraphGapsTable, SubgraphGap, Subgraph, SessionsTable, Session, ServiceHeartbeatsTable, SbtcTokenEventsTable, SbtcTokenEventType, SbtcSupplySnapshotsTable, SbtcEventsTable, SbtcEventTopic, SOURCE_READ_COLUMNS, ProvisioningAuditStatus, ProvisioningAuditLogTable, ProvisioningAuditLog, ProvisioningAuditEvent, ProjectsTable, Project, ProcessedStripeEventsTable, Pox4SignersDailyTable, Pox4FunctionName, Pox4CyclesDailyTable, Pox4CallsTable, OutboxStatus, NumericAsText, MigrationRole, MempoolTransactionsTable, MempoolTransaction, MagicLinksTable, MagicLink, L2DecoderCheckpointsTable, InsertTransaction, InsertTenantUsageMonthly, InsertTenantComputeAddon, InsertTenant, InsertTeamMember, InsertTeamInvitation, InsertSubscriptionOutbox, InsertSubscriptionDelivery, InsertSubscription, InsertSubgraphUsageDaily, InsertSubgraphOperation, InsertSubgraphHealthSnapshot, InsertSubgraphGap, InsertSubgraph, InsertSession, InsertProvisioningAuditLog, InsertProject, InsertMempoolTransaction, InsertMagicLink, InsertIndexProgress, InsertEvent, InsertContract, InsertChatSession, InsertChatMessage, InsertBlock, InsertApiKey, InsertAccountSpendCap, InsertAccountInsight, InsertAccountAgentRun, InsertAccount, IndexProgressTable, IndexProgress, EventsTable, EventsArchiveTable, Event, DecodedEventsTable, DeadLetterEventsTable, DbSplitStatus, DbReadRow, DbPlane, Database, ContractsTable, Contract, ChatSessionsTable, ChatSession, ChatMessagesTable, ChatMessage, ChainReorgsTable, BurnBlockRewardsTable, BurnBlockRewardSlotsTable, BnsNamespacesTable, BnsNamespaceEventsTable, BnsNamespaceEventStatus, BnsNamesTable, BnsNameEventsTable, BnsNameEventTopic, BnsMarketplaceEventsTable, BnsMarketplaceAction, BlocksTable, Block, ApiKeysTable, ApiKey, AccountsTable, AccountSpendCapsTable, AccountSpendCap, AccountInsightsTable, AccountInsight, AccountAgentRunsTable, AccountAgentRun, Account };

package/dist/src/db/index.js

@@ -378,6 +378,81 @@ var SOURCE_READ_COLUMNS = {
   events: ["block_height", "data", "event_index", "tx_id", "type"],
   chain_reorgs: ["detected_at"]
 };
+// src/db/migration-role.ts
+var currentRole = "both";
+function setMigrationRole(role) {
+  currentRole = role;
+}
+function getMigrationRole() {
+  return currentRole;
+}
+async function onControlPlane(fn) {
+  if (currentRole === "target" || currentRole === "both")
+    await fn();
+}
+async function onChainPlane(fn) {
+  if (currentRole === "source" || currentRole === "both")
+    await fn();
+}
+// src/db/table-plane.ts
+var TABLE_TO_DB = {
+  blocks: "source",
+  transactions: "source",
+  events: "source",
+  transactions_archive: "source",
+  events_archive: "source",
+  dead_letter_events: "source",
+  mempool_transactions: "source",
+  index_progress: "source",
+  contracts: "source",
+  chain_reorgs: "source",
+  decoded_events: "source",
+  l2_decoder_checkpoints: "source",
+  pox4_calls: "source",
+  pox4_cycles_daily: "source",
+  pox4_signers_daily: "source",
+  burn_block_rewards: "source",
+  burn_block_reward_slots: "source",
+  sbtc_events: "source",
+  sbtc_token_events: "source",
+  sbtc_supply_snapshots: "source",
+  bns_name_events: "source",
+  bns_namespace_events: "source",
+  bns_marketplace_events: "source",
+  bns_names: "source",
+  bns_namespaces: "source",
+  accounts: "target",
+  api_keys: "target",
+  sessions: "target",
+  magic_links: "target",
+  usage_daily: "target",
+  usage_snapshots: "target",
+  account_insights: "target",
+  account_agent_runs: "target",
+  account_spend_caps: "target",
+  processed_stripe_events: "target",
+  tenants: "target",
+  tenant_usage_monthly: "target",
+  tenant_compute_addons: "target",
+  provisioning_audit_log: "target",
+  projects: "target",
+  team_members: "target",
+  team_invitations: "target",
+  chat_sessions: "target",
+  chat_messages: "target",
+  subscriptions: "target",
+  subscription_outbox: "target",
+  subscription_deliveries: "target",
+  trigger_evaluator_state: "target",
+  subgraphs: "target",
+  subgraph_operations: "target",
+  subgraph_health_snapshots: "target",
+  subgraph_gaps: "target",
+  subgraph_usage_daily: "target",
+  subgraph_processing_stats: "target",
+  subgraph_table_snapshots: "target",
+  service_heartbeats: "both"
+};
 
 // src/db/index.ts
 var DEFAULT_URL = "postgres://postgres:postgres@localhost:5432/secondlayer_dev";
@@ -537,18 +612,23 @@ async function closeDb() {
 }
 export {
   sql2 as sql,
+  setMigrationRole,
   parseJsonb,
+  onControlPlane,
+  onChainPlane,
   jsonb,
   getTargetDb,
   getSourceDb,
   getRawClientFor,
   getRawClient,
+  getMigrationRole,
   getDbSplitStatus,
   getDb,
   closeDb,
   assertDbSplit,
+  TABLE_TO_DB,
   SOURCE_READ_COLUMNS
 };
 
-//# debugId=8E009B207AB7E55D64756E2164756E21
+//# debugId=9BD00555AB68090864756E2164756E21
 //# sourceMappingURL=index.js.map