@shdan/submesh 0.1.0

package/dist/providers/google/security/pubsub-verification.js

@@ -0,0 +1,229 @@
+import { verifySignedTokenSignature } from "../../../security/jwt.js";
+const DEFAULT_CERTS_URL = "https://www.googleapis.com/oauth2/v1/certs";
+const CLOCK_SKEW_SECONDS = 300;
+const DEFAULT_TRUSTED_CERT_HOSTS = new Set([
+    "www.googleapis.com",
+    "oauth2.googleapis.com",
+]);
+const MAX_CERT_CACHE_SIZE = 20;
+const certCache = new Map();
+function readHeader(headers, key) {
+    const value = headers[key] ?? headers[key.toLowerCase()];
+    return Array.isArray(value) ? value[0] : value;
+}
+function getBearerToken(headers) {
+    const authorization = readHeader(headers, "authorization");
+    if (!authorization) {
+        return undefined;
+    }
+    const [scheme, token] = authorization.split(/\s+/, 2);
+    if (!scheme || !token || scheme.toLowerCase() !== "bearer") {
+        return undefined;
+    }
+    return token;
+}
+function getStringRecord(value) {
+    if (!value || typeof value !== "object" || Array.isArray(value)) {
+        return {};
+    }
+    return Object.fromEntries(Object.entries(value).filter((entry) => typeof entry[1] === "string"));
+}
+function getString(value) {
+    return typeof value === "string" && value.length > 0 ? value : undefined;
+}
+function getStringArray(value) {
+    if (!Array.isArray(value)) {
+        return [];
+    }
+    return value.filter((entry) => typeof entry === "string" && entry.length > 0);
+}
+function isExplicitlyEnabled(value) {
+    return value === true || value === "true";
+}
+function assertTrustedCertsUrl(certsUrl, config) {
+    let parsed;
+    try {
+        parsed = new URL(certsUrl);
+    }
+    catch {
+        throw new Error(`Invalid Google OpenID certificate URL: ${certsUrl}.`);
+    }
+    if (parsed.protocol !== "https:") {
+        throw new Error("Google OpenID certificate URL must use HTTPS.");
+    }
+    if (isExplicitlyEnabled(config.allowCustomGoogleOpenIdCertsUrlHost)) {
+        return;
+    }
+    const configuredHosts = new Set(getStringArray(config.googleTrustedOpenIdCertHosts));
+    const trustedHosts = configuredHosts.size > 0 ? configuredHosts : DEFAULT_TRUSTED_CERT_HOSTS;
+    if (!trustedHosts.has(parsed.hostname)) {
+        throw new Error(`Refusing Google OpenID certificate URL host "${parsed.hostname}". Set allowCustomGoogleOpenIdCertsUrlHost=true to override intentionally.`);
+    }
+}
+function getNumericDate(value) {
+    if (typeof value === "number" && Number.isFinite(value)) {
+        return value;
+    }
+    if (typeof value === "string" && value.length > 0) {
+        const parsed = Number(value);
+        return Number.isFinite(parsed) ? parsed : undefined;
+    }
+    return undefined;
+}
+function parseMaxAgeSeconds(value) {
+    if (!value) {
+        return 3600;
+    }
+    const match = value.match(/max-age=(\d+)/i);
+    return match ? Number(match[1]) : 3600;
+}
+function isAudienceMatch(expected, actual) {
+    if (!expected) {
+        return true;
+    }
+    if (typeof actual === "string") {
+        return actual === expected;
+    }
+    if (Array.isArray(actual)) {
+        return actual.includes(expected);
+    }
+    return false;
+}
+async function loadGoogleOpenIdCertificates(config) {
+    const inline = getStringRecord(config.googleOpenIdPublicKeys);
+    if (Object.keys(inline).length > 0) {
+        return inline;
+    }
+    const certsUrl = getString(config.googleOpenIdCertsUrl) ?? DEFAULT_CERTS_URL;
+    assertTrustedCertsUrl(certsUrl, config);
+    const cached = certCache.get(certsUrl);
+    if (cached && cached.expiresAt > Date.now()) {
+        return cached.certs;
+    }
+    const response = await fetch(certsUrl);
+    if (!response.ok) {
+        throw new Error(`Failed to load Google public certificates from ${certsUrl}.`);
+    }
+    const payload = getStringRecord(await response.json());
+    if (Object.keys(payload).length === 0) {
+        throw new Error("Google public certificate response did not contain any certificates.");
+    }
+    certCache.set(certsUrl, {
+        expiresAt: Date.now() + parseMaxAgeSeconds(response.headers.get("cache-control")) * 1000,
+        certs: payload,
+    });
+    for (const [key, entry] of certCache.entries()) {
+        if (entry.expiresAt <= Date.now()) {
+            certCache.delete(key);
+        }
+    }
+    if (certCache.size > MAX_CERT_CACHE_SIZE) {
+        const firstKey = certCache.keys().next().value;
+        if (firstKey !== undefined) {
+            certCache.delete(firstKey);
+        }
+    }
+    return payload;
+}
+function hasGoogleVerificationConfig(config) {
+    return (typeof config.googlePubSubAudience === "string" ||
+        typeof config.googlePubSubServiceAccountEmail === "string" ||
+        Object.keys(getStringRecord(config.googleOpenIdPublicKeys)).length > 0 ||
+        typeof config.googleOpenIdCertsUrl === "string");
+}
+export async function verifyGooglePubSubWebhook(envelope, config) {
+    if (!hasGoogleVerificationConfig(config)) {
+        return undefined;
+    }
+    const token = getBearerToken(envelope.headers);
+    if (!token) {
+        return {
+            verified: false,
+            strategy: "custom",
+            metadata: {
+                provider: "google-play",
+                reason: "missing_bearer_token",
+            },
+        };
+    }
+    try {
+        const certificates = await loadGoogleOpenIdCertificates(config);
+        const parsed = verifySignedTokenSignature({
+            token,
+            algorithm: "RS256",
+            publicKeys: typeof parsedKid(token) === "string" && certificates[parsedKid(token)]
+                ? [certificates[parsedKid(token)]]
+                : Object.values(certificates),
+        });
+        const payload = parsed.payload;
+        const issuer = getString(payload.iss);
+        const email = getString(payload.email);
+        const expectedAudience = getString(config.googlePubSubAudience);
+        const expectedEmail = getString(config.googlePubSubServiceAccountEmail);
+        const exp = getNumericDate(payload.exp);
+        const nbf = getNumericDate(payload.nbf);
+        const nowSeconds = Date.now() / 1000;
+        const issuerAllowed = issuer === "accounts.google.com" || issuer === "https://accounts.google.com";
+        const audienceAllowed = isAudienceMatch(expectedAudience, payload.aud);
+        const emailAllowed = !expectedEmail || email === expectedEmail;
+        const emailVerified = payload.email_verified === undefined ||
+            payload.email_verified === true ||
+            payload.email_verified === "true";
+        const timeAllowed = (exp === undefined || nowSeconds <= exp + CLOCK_SKEW_SECONDS) &&
+            (nbf === undefined || nowSeconds + CLOCK_SKEW_SECONDS >= nbf);
+        if (!issuerAllowed ||
+            !audienceAllowed ||
+            !emailAllowed ||
+            !emailVerified ||
+            !timeAllowed) {
+            return {
+                verified: false,
+                strategy: "custom",
+                metadata: {
+                    provider: "google-play",
+                    issuer,
+                    audience: payload.aud,
+                    email,
+                },
+            };
+        }
+        return {
+            verified: true,
+            strategy: "custom",
+            metadata: {
+                provider: "google-play",
+                issuer,
+                audience: payload.aud,
+                email,
+            },
+        };
+    }
+    catch (error) {
+        return {
+            verified: false,
+            strategy: "custom",
+            metadata: {
+                provider: "google-play",
+                error: error instanceof Error ? error.message : "Unknown Google verification error.",
+            },
+        };
+    }
+}
+function parsedKid(token) {
+    const [encodedHeader] = token.split(".", 1);
+    if (!encodedHeader) {
+        return undefined;
+    }
+    try {
+        const raw = Buffer.from(encodedHeader
+            .replace(/-/g, "+")
+            .replace(/_/g, "/")
+            .padEnd(Math.ceil(encodedHeader.length / 4) * 4, "="), "base64").toString("utf8");
+        const header = JSON.parse(raw);
+        return typeof header.kid === "string" ? header.kid : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+//# sourceMappingURL=pubsub-verification.js.map

package/dist/providers/google/security/pubsub-verification.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pubsub-verification.js","sourceRoot":"","sources":["../../../../src/providers/google/security/pubsub-verification.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AAEtE,MAAM,iBAAiB,GAAG,4CAA4C,CAAC;AACvE,MAAM,kBAAkB,GAAG,GAAG,CAAC;AAC/B,MAAM,0BAA0B,GAAG,IAAI,GAAG,CAAC;IACzC,oBAAoB;IACpB,uBAAuB;CACxB,CAAC,CAAC;AACH,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAE/B,MAAM,SAAS,GAAG,IAAI,GAAG,EAAgE,CAAC;AAE1F,SAAS,UAAU,CACjB,OAAsD,EACtD,GAAW;IAEX,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;IACzD,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AACjD,CAAC;AAED,SAAS,cAAc,CACrB,OAAsD;IAEtD,MAAM,aAAa,GAAG,UAAU,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;IAC3D,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,GAAG,aAAa,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACtD,IAAI,CAAC,MAAM,IAAI,CAAC,KAAK,IAAI,MAAM,CAAC,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;QAC3D,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,eAAe,CAAC,KAAc;IACrC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAChE,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC,CAAC,MAAM,CACrD,CAAC,KAAK,EAA6B,EAAE,CAAC,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,CACnE,CACF,CAAC;AACJ,CAAC;AAED,SAAS,SAAS,CAAC,KAAc;IAC/B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AAC3E,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,CACjB,CAAC,KAAK,EAAmB,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,CAC1E,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAc;IACzC,OAAO,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,MAAM,CAAC;AAC5C,CAAC;AAED,SAAS,qBAAqB,CAAC,QAAgB,EAAE,MAA+B;IAC9E,IAAI,MAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,0CAA0C,QAAQ,GAAG,CAAC,CAAC;IACzE,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IAED,IAAI,mBAAmB,CAAC,MAAM,CAAC,mCAAmC,CAAC,EAAE,CAAC;QACpE,OAAO;IACT,CAAC;IAED,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,MAAM,CAAC,4BAA4B,CAAC,CAAC,CAAC;IACrF,MAAM,YAAY,GAChB,eAAe,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,0BAA0B,CAAC;IAC1E,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CACb,gDAAgD,MAAM,CAAC,QAAQ,4EAA4E,CAC5I,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACxD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClD,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QAC7B,OAAO,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;IACtD,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAoB;IAC9C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAC5C,OAAO,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACzC,CAAC;AAED,SAAS,eAAe,CAAC,QAA4B,EAAE,MAAe;IACpE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC/B,OAAO,MAAM,KAAK,QAAQ,CAAC;IAC7B,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACnC,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,KAAK,UAAU,4BAA4B,CACzC,MAA+B;IAE/B,MAAM,MAAM,GAAG,eAAe,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;IAC9D,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,QAAQ,GAAG,SAAS,CAAC,MAAM,CAAC,oBAAoB,CAAC,IAAI,iBAAiB,CAAC;IAC7E,qBAAqB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACvC,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QAC5C,OAAO,MAAM,CAAC,KAAK,CAAC;IACtB,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,CAAC;IACvC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,kDAAkD,QAAQ,GAAG,CAAC,CAAC;IACjF,CAAC;IAED,MAAM,OAAO,GAAG,eAAe,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;IACvD,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CACb,sEAAsE,CACvE,CAAC;IACJ,CAAC;IAED,SAAS,CAAC,GAAG,CAAC,QAAQ,EAAE;QACtB,SAAS,EACP,IAAI,CAAC,GAAG,EAAE,GAAG,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,GAAG,IAAI;QAC/E,KAAK,EAAE,OAAO;KACf,CAAC,CAAC;IAEH,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,SAAS,CAAC,OAAO,EAAE,EAAE,CAAC;QAC/C,IAAI,KAAK,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAClC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;IAED,IAAI,SAAS,CAAC,IAAI,GAAG,mBAAmB,EAAE,CAAC;QACzC,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;QAC/C,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,2BAA2B,CAAC,MAA+B;IAClE,OAAO,CACL,OAAO,MAAM,CAAC,oBAAoB,KAAK,QAAQ;QAC/C,OAAO,MAAM,CAAC,+BAA+B,KAAK,QAAQ;QAC1D,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC;QACtE,OAAO,MAAM,CAAC,oBAAoB,KAAK,QAAQ,CAChD,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,QAA+B,EAC/B,MAA+B;IAE/B,IAAI,CAAC,2BAA2B,CAAC,MAAM,CAAC,EAAE,CAAC;QACzC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,KAAK,GAAG,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC/C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,QAAQ,EAAE,KAAK;YACf,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE;gBACR,QAAQ,EAAE,aAAa;gBACvB,MAAM,EAAE,sBAAsB;aAC/B;SACF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,4BAA4B,CAAC,MAAM,CAAC,CAAC;QAChE,MAAM,MAAM,GAAG,0BAA0B,CAAC;YACxC,KAAK;YACL,SAAS,EAAE,OAAO;YAClB,UAAU,EACR,OAAO,SAAS,CAAC,KAAK,CAAC,KAAK,QAAQ,IAAI,YAAY,CAAC,SAAS,CAAC,KAAK,CAAE,CAAC;gBACrE,CAAC,CAAC,CAAC,YAAY,CAAC,SAAS,CAAC,KAAK,CAAE,CAAE,CAAC;gBACpC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC;SAClC,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC/B,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACtC,MAAM,KAAK,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACvC,MAAM,gBAAgB,GAAG,SAAS,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;QAChE,MAAM,aAAa,GAAG,SAAS,CAAC,MAAM,CAAC,+BAA+B,CAAC,CAAC;QACxE,MAAM,GAAG,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACxC,MAAM,GAAG,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACxC,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;QAErC,MAAM,aAAa,GACjB,MAAM,KAAK,qBAAqB,IAAI,MAAM,KAAK,6BAA6B,CAAC;QAC/E,MAAM,eAAe,GAAG,eAAe,CAAC,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;QACvE,MAAM,YAAY,GAAG,CAAC,aAAa,IAAI,KAAK,KAAK,aAAa,CAAC;QAC/D,MAAM,aAAa,GACjB,OAAO,CAAC,cAAc,KAAK,SAAS;YACpC,OAAO,CAAC,cAAc,KAAK,IAAI;YAC/B,OAAO,CAAC,cAAc,KAAK,MAAM,CAAC;QACpC,MAAM,WAAW,GACf,CAAC,GAAG,KAAK,SAAS,IAAI,UAAU,IAAI,GAAG,GAAG,kBAAkB,CAAC;YAC7D,CAAC,GAAG,KAAK,SAAS,IAAI,UAAU,GAAG,kBAAkB,IAAI,GAAG,CAAC,CAAC;QAEhE,IACE,CAAC,aAAa;YACd,CAAC,eAAe;YAChB,CAAC,YAAY;YACb,CAAC,aAAa;YACd,CAAC,WAAW,EACZ,CAAC;YACD,OAAO;gBACL,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE;oBACR,QAAQ,EAAE,aAAa;oBACvB,MAAM;oBACN,QAAQ,EAAE,OAAO,CAAC,GAAG;oBACrB,KAAK;iBACN;aACF,CAAC;QACJ,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,IAAI;YACd,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE;gBACR,QAAQ,EAAE,aAAa;gBACvB,MAAM;gBACN,QAAQ,EAAE,OAAO,CAAC,GAAG;gBACrB,KAAK;aACN;SACF,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,QAAQ,EAAE,KAAK;YACf,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE;gBACR,QAAQ,EAAE,aAAa;gBACvB,KAAK,EACH,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,oCAAoC;aAChF;SACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,SAAS,CAAC,KAAa;IAC9B,MAAM,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IAC5C,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CACrB,aAAa;aACV,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;aAClB,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;aAClB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,EACvD,QAAQ,CACT,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACnB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA4B,CAAC;QAC1D,OAAO,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC"}

package/dist/providers/google/services/play-subscription-verification-service.d.ts

@@ -0,0 +1,3 @@
+import type { VerifiedProviderSubscription, VerifyGooglePlaySubscriptionInput } from "../../../contracts.js";
+export declare function verifyGooglePlaySubscription(input: VerifyGooglePlaySubscriptionInput, config?: Record<string, unknown>): Promise<VerifiedProviderSubscription>;
+//# sourceMappingURL=play-subscription-verification-service.d.ts.map

package/dist/providers/google/services/play-subscription-verification-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"play-subscription-verification-service.d.ts","sourceRoot":"","sources":["../../../../src/providers/google/services/play-subscription-verification-service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAEV,4BAA4B,EAC5B,iCAAiC,EAClC,MAAM,uBAAuB,CAAC;AAoH/B,wBAAsB,4BAA4B,CAChD,KAAK,EAAE,iCAAiC,EACxC,MAAM,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GACnC,OAAO,CAAC,4BAA4B,CAAC,CAmBvC"}

package/dist/providers/google/services/play-subscription-verification-service.js

@@ -0,0 +1,96 @@
+import { ValidationError } from "../../../errors.js";
+import { googlePlayPlugin } from "../plugin/play.js";
+import { getGoogleAccessToken } from "../security/oauth.js";
+function asObject(value) {
+    return value && typeof value === "object" && !Array.isArray(value)
+        ? value
+        : {};
+}
+function getString(value) {
+    return typeof value === "string" && value.length > 0 ? value : undefined;
+}
+function readGoogleServiceAccount(value) {
+    const record = asObject(value);
+    const clientEmail = getString(record.clientEmail);
+    const privateKey = getString(record.privateKey);
+    if (!clientEmail || !privateKey) {
+        return undefined;
+    }
+    return {
+        clientEmail,
+        privateKey,
+        privateKeyId: getString(record.privateKeyId),
+        tokenUri: getString(record.tokenUri),
+        scope: getString(record.scope),
+    };
+}
+function resolvePackageName(input, config) {
+    const planSync = asObject(config.planSync);
+    const googlePlay = asObject(config.googlePlay);
+    const packageName = input.packageName ??
+        getString(googlePlay.packageName) ??
+        getString(planSync.packageName);
+    if (!packageName) {
+        throw new ValidationError("Google Play subscription verification requires packageName in the method input or plugin config.planSync.packageName.");
+    }
+    return packageName;
+}
+function resolveServiceAccount(input, config) {
+    const planSync = asObject(config.planSync);
+    const googlePlay = asObject(config.googlePlay);
+    const serviceAccount = input.serviceAccount ??
+        readGoogleServiceAccount(googlePlay.serviceAccount) ??
+        readGoogleServiceAccount(planSync.serviceAccount);
+    if (!serviceAccount) {
+        throw new ValidationError("Google Play subscription verification requires serviceAccount credentials in the method input or plugin config.planSync.serviceAccount.");
+    }
+    return serviceAccount;
+}
+async function parseGooglePlayRecord(body) {
+    const parsed = await googlePlayPlugin.parseWebhook?.({
+        body,
+        headers: {},
+        receivedAt: new Date().toISOString(),
+    });
+    const [event] = Array.isArray(parsed) ? parsed : [parsed];
+    const record = event?.records[0];
+    if (!record) {
+        throw new Error("Google Play verification did not produce a canonical subscription record.");
+    }
+    return record;
+}
+async function loadGooglePlaySubscription(input, config) {
+    const packageName = resolvePackageName(input, config);
+    const serviceAccount = resolveServiceAccount(input, config);
+    const accessToken = await getGoogleAccessToken(serviceAccount);
+    const url = new URL(`https://androidpublisher.googleapis.com/androidpublisher/v3/applications/${encodeURIComponent(packageName)}/purchases/subscriptionsv2/tokens/${encodeURIComponent(input.purchaseToken)}`);
+    const response = await fetch(url, {
+        headers: {
+            authorization: `Bearer ${accessToken}`,
+        },
+    });
+    if (!response.ok) {
+        throw new ValidationError(`Google Play subscription lookup failed for purchase token ${input.purchaseToken} with status ${response.status}.`);
+    }
+    return asObject(await response.json());
+}
+export async function verifyGooglePlaySubscription(input, config = {}) {
+    const purchase = await loadGooglePlaySubscription(input, config);
+    const raw = {
+        eventKey: `google-play.verify:${input.purchaseToken}`,
+        eventType: "google-play.subscription.verified",
+        purchaseToken: input.purchaseToken,
+        subjectId: input.subjectId,
+        planCode: input.planCode,
+        subscriptionPurchaseV2: purchase,
+    };
+    const canonical = await parseGooglePlayRecord(raw);
+    return {
+        provider: "google-play",
+        sourceRef: canonical.sourceRef,
+        status: canonical.status,
+        canonical,
+        raw: purchase,
+    };
+}
+//# sourceMappingURL=play-subscription-verification-service.js.map

package/dist/providers/google/services/play-subscription-verification-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"play-subscription-verification-service.js","sourceRoot":"","sources":["../../../../src/providers/google/services/play-subscription-verification-service.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAE5D,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAChE,CAAC,CAAE,KAAiC;QACpC,CAAC,CAAC,EAAE,CAAC;AACT,CAAC;AAED,SAAS,SAAS,CAAC,KAAc;IAC/B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AAC3E,CAAC;AAED,SAAS,wBAAwB,CAAC,KAAc;IAC9C,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC/B,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAClD,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAChD,IAAI,CAAC,WAAW,IAAI,CAAC,UAAU,EAAE,CAAC;QAChC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO;QACL,WAAW;QACX,UAAU;QACV,YAAY,EAAE,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC;QAC5C,QAAQ,EAAE,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC;QACpC,KAAK,EAAE,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC;KAC/B,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CACzB,KAAwC,EACxC,MAA+B;IAE/B,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC3C,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAC/C,MAAM,WAAW,GACf,KAAK,CAAC,WAAW;QACjB,SAAS,CAAC,UAAU,CAAC,WAAW,CAAC;QACjC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAClC,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,eAAe,CACvB,uHAAuH,CACxH,CAAC;IACJ,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,SAAS,qBAAqB,CAC5B,KAAwC,EACxC,MAA+B;IAE/B,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC3C,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAC/C,MAAM,cAAc,GAClB,KAAK,CAAC,cAAc;QACpB,wBAAwB,CAAC,UAAU,CAAC,cAAc,CAAC;QACnD,wBAAwB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;IACpD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAI,eAAe,CACvB,yIAAyI,CAC1I,CAAC;IACJ,CAAC;IAED,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,KAAK,UAAU,qBAAqB,CAClC,IAA6B;IAE7B,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,YAAY,EAAE,CAAC;QACnD,IAAI;QACJ,OAAO,EAAE,EAAE;QACX,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACrC,CAAC,CAAC;IACH,MAAM,CAAC,KAAK,CAAC,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAC1D,MAAM,MAAM,GAAG,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;IACjC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CACb,2EAA2E,CAC5E,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,0BAA0B,CACvC,KAAwC,EACxC,MAA+B;IAE/B,MAAM,WAAW,GAAG,kBAAkB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACtD,MAAM,cAAc,GAAG,qBAAqB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC5D,MAAM,WAAW,GAAG,MAAM,oBAAoB,CAAC,cAAc,CAAC,CAAC;IAC/D,MAAM,GAAG,GAAG,IAAI,GAAG,CACjB,4EAA4E,kBAAkB,CAC5F,WAAW,CACZ,qCAAqC,kBAAkB,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,CAChF,CAAC;IACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,WAAW,EAAE;SACvC;KACF,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,eAAe,CACvB,6DAA6D,KAAK,CAAC,aAAa,gBAAgB,QAAQ,CAAC,MAAM,GAAG,CACnH,CAAC;IACJ,CAAC;IAED,OAAO,QAAQ,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,KAAwC,EACxC,SAAkC,EAAE;IAEpC,MAAM,QAAQ,GAAG,MAAM,0BAA0B,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACjE,MAAM,GAAG,GAAG;QACV,QAAQ,EAAE,sBAAsB,KAAK,CAAC,aAAa,EAAE;QACrD,SAAS,EAAE,mCAAmC;QAC9C,aAAa,EAAE,KAAK,CAAC,aAAa;QAClC,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,sBAAsB,EAAE,QAAQ;KACC,CAAC;IACpC,MAAM,SAAS,GAAG,MAAM,qBAAqB,CAAC,GAAG,CAAC,CAAC;IAEnD,OAAO;QACL,QAAQ,EAAE,aAAa;QACvB,SAAS,EAAE,SAAS,CAAC,SAAS;QAC9B,MAAM,EAAE,SAAS,CAAC,MAAM;QACxB,SAAS;QACT,GAAG,EAAE,QAAQ;KACd,CAAC;AACJ,CAAC"}

package/dist/repositories/catalog-mapping-repository.d.ts

@@ -0,0 +1,9 @@
+import type { CatalogMapping } from "@shdan/submesh-core";
+import type { UpsertCatalogMappingInput } from "../contracts.js";
+export interface CatalogMappingRepository {
+    list(): Promise<CatalogMapping[]> | CatalogMapping[];
+    findByExternalProduct(pluginKey: string, externalProductId: string): Promise<CatalogMapping | undefined> | CatalogMapping | undefined;
+    upsert(input: UpsertCatalogMappingInput): Promise<CatalogMapping> | CatalogMapping;
+    delete(pluginKey: string, externalProductId: string): Promise<boolean> | boolean;
+}
+//# sourceMappingURL=catalog-mapping-repository.d.ts.map

package/dist/repositories/catalog-mapping-repository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"catalog-mapping-repository.d.ts","sourceRoot":"","sources":["../../src/repositories/catalog-mapping-repository.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAEjE,MAAM,WAAW,wBAAwB;IACvC,IAAI,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC,GAAG,cAAc,EAAE,CAAC;IACrD,qBAAqB,CACnB,SAAS,EAAE,MAAM,EACjB,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAAC,cAAc,GAAG,SAAS,CAAC,GAAG,cAAc,GAAG,SAAS,CAAC;IACpE,MAAM,CAAC,KAAK,EAAE,yBAAyB,GAAG,OAAO,CAAC,cAAc,CAAC,GAAG,cAAc,CAAC;IACnF,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC;CAClF"}

package/dist/repositories/catalog-mapping-repository.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=catalog-mapping-repository.js.map

package/dist/repositories/catalog-mapping-repository.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"catalog-mapping-repository.js","sourceRoot":"","sources":["../../src/repositories/catalog-mapping-repository.ts"],"names":[],"mappings":""}

package/dist/repositories/inbound-event-repository.d.ts

@@ -0,0 +1,23 @@
+import type { InboundEvent, InboundEventStatus } from "@shdan/submesh-core";
+export interface CreateInboundEventInput {
+    pluginKey: string;
+    eventKey: string;
+    eventType: string;
+    sourceRef?: string | null;
+    payload: Record<string, unknown>;
+}
+export interface MarkReceivedResult {
+    event: InboundEvent;
+    claimed: boolean;
+}
+export interface InboundEventRepository {
+    list(limit?: number): Promise<InboundEvent[]> | InboundEvent[];
+    listByStatus(status: InboundEventStatus, limit?: number): Promise<InboundEvent[]> | InboundEvent[];
+    getById(id: string): Promise<InboundEvent | undefined> | InboundEvent | undefined;
+    getByEventKey(pluginKey: string, eventKey: string): Promise<InboundEvent | undefined> | InboundEvent | undefined;
+    markReceived(input: CreateInboundEventInput): Promise<MarkReceivedResult> | MarkReceivedResult;
+    markProcessed(id: string, processedCount: number): Promise<InboundEvent> | InboundEvent;
+    markIgnored(id: string): Promise<InboundEvent> | InboundEvent;
+    markFailed(id: string, errorMessage: string): Promise<InboundEvent> | InboundEvent;
+}
+//# sourceMappingURL=inbound-event-repository.d.ts.map

package/dist/repositories/inbound-event-repository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"inbound-event-repository.d.ts","sourceRoot":"","sources":["../../src/repositories/inbound-event-repository.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAE5E,MAAM,WAAW,uBAAuB;IACtC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,YAAY,CAAC;IACpB,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,MAAM,WAAW,sBAAsB;IACrC,IAAI,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,GAAG,YAAY,EAAE,CAAC;IAC/D,YAAY,CACV,MAAM,EAAE,kBAAkB,EAC1B,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,YAAY,EAAE,CAAC,GAAG,YAAY,EAAE,CAAC;IAC5C,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,SAAS,CAAC,GAAG,YAAY,GAAG,SAAS,CAAC;IAClF,aAAa,CACX,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,YAAY,GAAG,SAAS,CAAC,GAAG,YAAY,GAAG,SAAS,CAAC;IAChE,YAAY,CACV,KAAK,EAAE,uBAAuB,GAC7B,OAAO,CAAC,kBAAkB,CAAC,GAAG,kBAAkB,CAAC;IACpD,aAAa,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,GAAG,YAAY,CAAC;IACxF,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,GAAG,YAAY,CAAC;IAC9D,UAAU,CAAC,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,GAAG,YAAY,CAAC;CACpF"}

package/dist/repositories/inbound-event-repository.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=inbound-event-repository.js.map

package/dist/repositories/inbound-event-repository.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"inbound-event-repository.js","sourceRoot":"","sources":["../../src/repositories/inbound-event-repository.ts"],"names":[],"mappings":""}

package/dist/repositories/index.d.ts

@@ -0,0 +1,30 @@
+import type { DashboardSummary } from "@shdan/submesh-core";
+import type { CatalogMappingRepository } from "./catalog-mapping-repository.js";
+import type { InboundEventRepository } from "./inbound-event-repository.js";
+import type { PlanRepository } from "./plan-repository.js";
+import type { PluginInstallationRepository } from "./plugin-installation-repository.js";
+import type { SubjectRepository } from "./subject-repository.js";
+import type { SubscriptionRepository } from "./subscription-repository.js";
+export interface SummaryRepository {
+    getSummary(): Promise<DashboardSummary> | DashboardSummary;
+}
+export interface RepositorySet {
+    subjects: SubjectRepository;
+    plans: PlanRepository;
+    catalogMappings: CatalogMappingRepository;
+    subscriptions: SubscriptionRepository;
+    pluginInstallations: PluginInstallationRepository;
+    inboundEvents: InboundEventRepository;
+    summary: SummaryRepository;
+}
+export interface SubmeshRepositories extends RepositorySet {
+    transaction<T>(operation: (repositories: RepositorySet) => Promise<T> | T): Promise<T>;
+    close?(): Promise<void> | void;
+}
+export type { CatalogMappingRepository } from "./catalog-mapping-repository.js";
+export type { CreateInboundEventInput, InboundEventRepository, } from "./inbound-event-repository.js";
+export type { PlanRepository } from "./plan-repository.js";
+export type { PluginInstallationRepository, UpsertPluginInstallationInput, } from "./plugin-installation-repository.js";
+export type { SubjectRepository } from "./subject-repository.js";
+export type { SubscriptionRepository, UpsertSubscriptionInput, } from "./subscription-repository.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/repositories/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/repositories/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAE5D,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,iCAAiC,CAAC;AAChF,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAC;AAC5E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,qCAAqC,CAAC;AACxF,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AACjE,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AAE3E,MAAM,WAAW,iBAAiB;IAChC,UAAU,IAAI,OAAO,CAAC,gBAAgB,CAAC,GAAG,gBAAgB,CAAC;CAC5D;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,iBAAiB,CAAC;IAC5B,KAAK,EAAE,cAAc,CAAC;IACtB,eAAe,EAAE,wBAAwB,CAAC;IAC1C,aAAa,EAAE,sBAAsB,CAAC;IACtC,mBAAmB,EAAE,4BAA4B,CAAC;IAClD,aAAa,EAAE,sBAAsB,CAAC;IACtC,OAAO,EAAE,iBAAiB,CAAC;CAC5B;AAED,MAAM,WAAW,mBAAoB,SAAQ,aAAa;IACxD,WAAW,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,YAAY,EAAE,aAAa,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IACvF,KAAK,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CAChC;AAED,YAAY,EAAE,wBAAwB,EAAE,MAAM,iCAAiC,CAAC;AAChF,YAAY,EACV,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,+BAA+B,CAAC;AACvC,YAAY,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,YAAY,EACV,4BAA4B,EAC5B,6BAA6B,GAC9B,MAAM,qCAAqC,CAAC;AAC7C,YAAY,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AACjE,YAAY,EACV,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,8BAA8B,CAAC"}

package/dist/repositories/index.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=index.js.map

package/dist/repositories/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/repositories/index.ts"],"names":[],"mappings":""}

package/dist/repositories/plan-repository.d.ts

@@ -0,0 +1,10 @@
+import type { Plan } from "@shdan/submesh-core";
+import type { CreatePlanInput, UpdatePlanInput } from "../contracts.js";
+export interface PlanRepository {
+    list(): Promise<Plan[]> | Plan[];
+    getByCode(code: string): Promise<Plan | undefined> | Plan | undefined;
+    create(input: CreatePlanInput): Promise<Plan> | Plan;
+    update(code: string, input: UpdatePlanInput): Promise<Plan | undefined> | Plan | undefined;
+    delete(code: string): Promise<boolean> | boolean;
+}
+//# sourceMappingURL=plan-repository.d.ts.map

package/dist/repositories/plan-repository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plan-repository.d.ts","sourceRoot":"","sources":["../../src/repositories/plan-repository.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,qBAAqB,CAAC;AAEhD,OAAO,KAAK,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAExE,MAAM,WAAW,cAAc;IAC7B,IAAI,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC;IACjC,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC,GAAG,IAAI,GAAG,SAAS,CAAC;IACtE,MAAM,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IACrD,MAAM,CACJ,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,eAAe,GACrB,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC,GAAG,IAAI,GAAG,SAAS,CAAC;IAChD,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC;CAClD"}

package/dist/repositories/plan-repository.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=plan-repository.js.map

package/dist/repositories/plan-repository.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"plan-repository.js","sourceRoot":"","sources":["../../src/repositories/plan-repository.ts"],"names":[],"mappings":""}

package/dist/repositories/plugin-installation-repository.d.ts

@@ -0,0 +1,13 @@
+import type { PluginInstallation } from "@shdan/submesh-core";
+export interface UpsertPluginInstallationInput {
+    pluginKey: string;
+    displayName: string;
+    enabled: boolean;
+    config?: Record<string, unknown>;
+}
+export interface PluginInstallationRepository {
+    list(): Promise<PluginInstallation[]> | PluginInstallation[];
+    upsert(input: UpsertPluginInstallationInput): Promise<PluginInstallation> | PluginInstallation;
+    delete(pluginKey: string): Promise<boolean> | boolean;
+}
+//# sourceMappingURL=plugin-installation-repository.d.ts.map

package/dist/repositories/plugin-installation-repository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin-installation-repository.d.ts","sourceRoot":"","sources":["../../src/repositories/plugin-installation-repository.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAE9D,MAAM,WAAW,6BAA6B;IAC5C,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED,MAAM,WAAW,4BAA4B;IAC3C,IAAI,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC,GAAG,kBAAkB,EAAE,CAAC;IAC7D,MAAM,CACJ,KAAK,EAAE,6BAA6B,GACnC,OAAO,CAAC,kBAAkB,CAAC,GAAG,kBAAkB,CAAC;IACpD,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC;CACvD"}

package/dist/repositories/plugin-installation-repository.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=plugin-installation-repository.js.map

package/dist/repositories/plugin-installation-repository.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin-installation-repository.js","sourceRoot":"","sources":["../../src/repositories/plugin-installation-repository.ts"],"names":[],"mappings":""}

package/dist/repositories/subject-repository.d.ts

@@ -0,0 +1,10 @@
+import type { Subject, SubjectIdentity } from "@shdan/submesh-core";
+import type { LinkIdentityInput, UpsertSubjectInput } from "../contracts.js";
+export interface SubjectRepository {
+    list(): Promise<Subject[]> | Subject[];
+    getById(id: string): Promise<Subject | undefined> | Subject | undefined;
+    upsert(input: UpsertSubjectInput): Promise<Subject> | Subject;
+    findIdentity(provider: string, externalId: string): Promise<SubjectIdentity | undefined> | SubjectIdentity | undefined;
+    upsertIdentity(input: LinkIdentityInput): Promise<SubjectIdentity> | SubjectIdentity;
+}
+//# sourceMappingURL=subject-repository.d.ts.map

package/dist/repositories/subject-repository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"subject-repository.d.ts","sourceRoot":"","sources":["../../src/repositories/subject-repository.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEpE,OAAO,KAAK,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAE7E,MAAM,WAAW,iBAAiB;IAChC,IAAI,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC;IACvC,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,SAAS,CAAC,GAAG,OAAO,GAAG,SAAS,CAAC;IACxE,MAAM,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC;IAC9D,YAAY,CACV,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,eAAe,GAAG,SAAS,CAAC,GAAG,eAAe,GAAG,SAAS,CAAC;IACtE,cAAc,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC,eAAe,CAAC,GAAG,eAAe,CAAC;CACtF"}

package/dist/repositories/subject-repository.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=subject-repository.js.map

package/dist/repositories/subject-repository.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"subject-repository.js","sourceRoot":"","sources":["../../src/repositories/subject-repository.ts"],"names":[],"mappings":""}

package/dist/repositories/subscription-repository.d.ts

@@ -0,0 +1,24 @@
+import type { Subscription, SubscriptionStatus, SubscriptionWithPlan } from "@shdan/submesh-core";
+import { UpdateSubscriptionInput } from "../contracts.js";
+export interface UpsertSubscriptionInput {
+    subjectId: string;
+    planId: string;
+    pluginKey: string;
+    sourceType: string;
+    sourceRef: string;
+    status: SubscriptionStatus;
+    currentPeriodStart?: string | null;
+    currentPeriodEnd?: string | null;
+    trialEndAt?: string | null;
+    cancelAt?: string | null;
+    metadata?: Record<string, unknown>;
+}
+export interface SubscriptionRepository {
+    list(): Promise<SubscriptionWithPlan[]> | SubscriptionWithPlan[];
+    listBySubjectId(subjectId: string): Promise<SubscriptionWithPlan[]> | SubscriptionWithPlan[];
+    getById(id: string): Promise<SubscriptionWithPlan | undefined> | SubscriptionWithPlan | undefined;
+    getBySource(pluginKey: string, sourceRef: string): Promise<Subscription | undefined> | Subscription | undefined;
+    upsert(input: UpsertSubscriptionInput): Promise<Subscription> | Subscription;
+    update(id: string, input: UpdateSubscriptionInput): Promise<Subscription | undefined> | Subscription | undefined;
+}
+//# sourceMappingURL=subscription-repository.d.ts.map

package/dist/repositories/subscription-repository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"subscription-repository.d.ts","sourceRoot":"","sources":["../../src/repositories/subscription-repository.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,YAAY,EACZ,kBAAkB,EAClB,oBAAoB,EACrB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAE1D,MAAM,WAAW,uBAAuB;IACtC,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,kBAAkB,CAAC;IAC3B,kBAAkB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,sBAAsB;IACrC,IAAI,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC,GAAG,oBAAoB,EAAE,CAAC;IACjE,eAAe,CACb,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,oBAAoB,EAAE,CAAC,GAAG,oBAAoB,EAAE,CAAC;IAC5D,OAAO,CACL,EAAE,EAAE,MAAM,GACT,OAAO,CAAC,oBAAoB,GAAG,SAAS,CAAC,GAAG,oBAAoB,GAAG,SAAS,CAAC;IAChF,WAAW,CACT,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,YAAY,GAAG,SAAS,CAAC,GAAG,YAAY,GAAG,SAAS,CAAC;IAChE,MAAM,CAAC,KAAK,EAAE,uBAAuB,GAAG,OAAO,CAAC,YAAY,CAAC,GAAG,YAAY,CAAC;IAC7E,MAAM,CACJ,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,uBAAuB,GAC7B,OAAO,CAAC,YAAY,GAAG,SAAS,CAAC,GAAG,YAAY,GAAG,SAAS,CAAC;CACjE"}

package/dist/repositories/subscription-repository.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=subscription-repository.js.map

package/dist/repositories/subscription-repository.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"subscription-repository.js","sourceRoot":"","sources":["../../src/repositories/subscription-repository.ts"],"names":[],"mappings":""}

package/dist/security/jwt.d.ts

@@ -0,0 +1,22 @@
+import { type KeyObject } from "node:crypto";
+type SupportedJwtAlgorithm = "ES256" | "RS256";
+export interface ParsedSignedToken<TPayload extends Record<string, unknown> = Record<string, unknown>> {
+    header: Record<string, unknown>;
+    payload: TPayload;
+    signingInput: string;
+    signature: Buffer;
+}
+export declare function parseSignedToken<TPayload extends Record<string, unknown> = Record<string, unknown>>(token: string): ParsedSignedToken<TPayload>;
+export declare function decodeSignedPayload<TPayload extends Record<string, unknown> = Record<string, unknown>>(token: string): TPayload;
+export declare function verifySignedTokenSignature(input: {
+    token: string;
+    algorithm: SupportedJwtAlgorithm;
+    publicKeys: Array<string | KeyObject>;
+}): ParsedSignedToken;
+export declare function resolveX5cLeafPublicKeys(input: {
+    x5c: unknown;
+    trustedRootCertificates: string[];
+    now?: Date;
+}): KeyObject[];
+export {};
+//# sourceMappingURL=jwt.d.ts.map

package/dist/security/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../src/security/jwt.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,SAAS,EAEf,MAAM,aAAa,CAAC;AAErB,KAAK,qBAAqB,GAAG,OAAO,GAAG,OAAO,CAAC;AAE/C,MAAM,WAAW,iBAAiB,CAChC,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAElE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,OAAO,EAAE,QAAQ,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB;AAgFD,wBAAgB,gBAAgB,CAC9B,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAClE,KAAK,EAAE,MAAM,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAsB5C;AAED,wBAAgB,mBAAmB,CACjC,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAClE,KAAK,EAAE,MAAM,GAAG,QAAQ,CAEzB;AAED,wBAAgB,0BAA0B,CAAC,KAAK,EAAE;IAChD,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,qBAAqB,CAAC;IACjC,UAAU,EAAE,KAAK,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;CACvC,GAAG,iBAAiB,CAwBpB;AAED,wBAAgB,wBAAwB,CAAC,KAAK,EAAE;IAC9C,GAAG,EAAE,OAAO,CAAC;IACb,uBAAuB,EAAE,MAAM,EAAE,CAAC;IAClC,GAAG,CAAC,EAAE,IAAI,CAAC;CACZ,GAAG,SAAS,EAAE,CAyCd"}