@shdan/submesh 0.1.0

package/dist/security/jwt.js

@@ -0,0 +1,132 @@
+import { createPublicKey, createVerify, X509Certificate, } from "node:crypto";
+function assertObject(value, message) {
+    if (!value || typeof value !== "object" || Array.isArray(value)) {
+        throw new Error(message);
+    }
+    return value;
+}
+function decodeBase64UrlSegment(value) {
+    const normalized = value.replace(/-/g, "+").replace(/_/g, "/");
+    const padded = normalized.padEnd(Math.ceil(normalized.length / 4) * 4, "=");
+    return Buffer.from(padded, "base64");
+}
+function encodePem(label, body) {
+    const chunks = body.match(/.{1,64}/g) ?? [body];
+    return `-----BEGIN ${label}-----\n${chunks.join("\n")}\n-----END ${label}-----`;
+}
+function normalizeIntegerBytes(value) {
+    let offset = 0;
+    while (offset < value.length - 1 && value[offset] === 0) {
+        offset += 1;
+    }
+    const normalized = value.subarray(offset);
+    return normalized[0] && normalized[0] >= 0x80
+        ? Buffer.concat([Buffer.from([0]), normalized])
+        : normalized;
+}
+function encodeDerLength(length) {
+    if (length < 0x80) {
+        return Buffer.from([length]);
+    }
+    const bytes = [];
+    let remaining = length;
+    while (remaining > 0) {
+        bytes.unshift(remaining & 0xff);
+        remaining >>= 8;
+    }
+    return Buffer.from([0x80 | bytes.length, ...bytes]);
+}
+function joseToDerSignature(signature) {
+    if (signature.length === 0 || signature.length % 2 !== 0) {
+        throw new Error("Invalid JOSE ECDSA signature length.");
+    }
+    const componentLength = signature.length / 2;
+    const r = normalizeIntegerBytes(signature.subarray(0, componentLength));
+    const s = normalizeIntegerBytes(signature.subarray(componentLength));
+    const rDer = Buffer.concat([Buffer.from([0x02]), encodeDerLength(r.length), r]);
+    const sDer = Buffer.concat([Buffer.from([0x02]), encodeDerLength(s.length), s]);
+    const body = Buffer.concat([rDer, sDer]);
+    return Buffer.concat([Buffer.from([0x30]), encodeDerLength(body.length), body]);
+}
+function toPublicKey(input) {
+    if (typeof input !== "string") {
+        return input;
+    }
+    if (input.includes("BEGIN CERTIFICATE")) {
+        return new X509Certificate(input).publicKey;
+    }
+    return createPublicKey(input);
+}
+function isCertificateValidAt(certificate, now) {
+    const validFrom = new Date(certificate.validFrom);
+    const validTo = new Date(certificate.validTo);
+    return validFrom <= now && now <= validTo;
+}
+export function parseSignedToken(token) {
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+        throw new Error("Signed token must contain exactly three segments.");
+    }
+    const [encodedHeader, encodedPayload, encodedSignature] = parts;
+    const header = assertObject(JSON.parse(decodeBase64UrlSegment(encodedHeader).toString("utf8")), "Signed token header must decode to an object.");
+    const payload = assertObject(JSON.parse(decodeBase64UrlSegment(encodedPayload).toString("utf8")), "Signed token payload must decode to an object.");
+    return {
+        header,
+        payload,
+        signingInput: `${encodedHeader}.${encodedPayload}`,
+        signature: decodeBase64UrlSegment(encodedSignature),
+    };
+}
+export function decodeSignedPayload(token) {
+    return parseSignedToken(token).payload;
+}
+export function verifySignedTokenSignature(input) {
+    const parsed = parseSignedToken(input.token);
+    const actualAlgorithm = parsed.header.alg;
+    if (actualAlgorithm !== input.algorithm) {
+        throw new Error(`Expected ${input.algorithm} token algorithm but received ${String(actualAlgorithm)}.`);
+    }
+    const signature = input.algorithm === "ES256" ? joseToDerSignature(parsed.signature) : parsed.signature;
+    const verified = input.publicKeys.some((candidate) => {
+        const verifier = createVerify("sha256");
+        verifier.update(parsed.signingInput);
+        verifier.end();
+        return verifier.verify(toPublicKey(candidate), signature);
+    });
+    if (!verified) {
+        throw new Error("Signed token verification failed.");
+    }
+    return parsed;
+}
+export function resolveX5cLeafPublicKeys(input) {
+    if (!Array.isArray(input.x5c) || input.x5c.length === 0) {
+        throw new Error("Signed payload is missing the x5c certificate chain.");
+    }
+    const certificates = input.x5c.map((entry, index) => {
+        if (typeof entry !== "string" || entry.length === 0) {
+            throw new Error(`x5c certificate at index ${index} must be a non-empty string.`);
+        }
+        return new X509Certificate(encodePem("CERTIFICATE", entry));
+    });
+    const now = input.now ?? new Date();
+    for (const certificate of certificates) {
+        if (!isCertificateValidAt(certificate, now)) {
+            throw new Error("Signed payload includes an expired certificate.");
+        }
+    }
+    for (let index = 0; index < certificates.length - 1; index += 1) {
+        if (!certificates[index].verify(certificates[index + 1].publicKey)) {
+            throw new Error("Signed payload certificate chain is invalid.");
+        }
+    }
+    const trustedRoots = input.trustedRootCertificates.map((certificate) => new X509Certificate(certificate));
+    const leafChainTail = certificates[certificates.length - 1];
+    const trusted = trustedRoots.some((root) => {
+        return root.raw.equals(leafChainTail.raw) || leafChainTail.verify(root.publicKey);
+    });
+    if (!trusted) {
+        throw new Error("Signed payload certificate chain is not rooted in a trusted certificate.");
+    }
+    return [certificates[0].publicKey];
+}
+//# sourceMappingURL=jwt.js.map

package/dist/security/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../src/security/jwt.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,eAAe,EACf,YAAY,EAEZ,eAAe,GAChB,MAAM,aAAa,CAAC;AAarB,SAAS,YAAY,CAAC,KAAc,EAAE,OAAe;IACnD,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC;IAC3B,CAAC;IAED,OAAO,KAAgC,CAAC;AAC1C,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAa;IAC3C,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC/D,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;IAC5E,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED,SAAS,SAAS,CAAC,KAAa,EAAE,IAAY;IAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChD,OAAO,cAAc,KAAK,UAAU,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,KAAK,OAAO,CAAC;AAClF,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAa;IAC1C,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,OAAO,MAAM,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QACxD,MAAM,IAAI,CAAC,CAAC;IACd,CAAC;IAED,MAAM,UAAU,GAAG,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC1C,OAAO,UAAU,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,IAAI,IAAI;QAC3C,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;QAC/C,CAAC,CAAC,UAAU,CAAC;AACjB,CAAC;AAED,SAAS,eAAe,CAAC,MAAc;IACrC,IAAI,MAAM,GAAG,IAAI,EAAE,CAAC;QAClB,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;IAC/B,CAAC;IAED,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,SAAS,GAAG,MAAM,CAAC;IACvB,OAAO,SAAS,GAAG,CAAC,EAAE,CAAC;QACrB,KAAK,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;QAChC,SAAS,KAAK,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,kBAAkB,CAAC,SAAiB;IAC3C,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,eAAe,GAAG,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC;IAC7C,MAAM,CAAC,GAAG,qBAAqB,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,EAAE,eAAe,CAAC,CAAC,CAAC;IACxE,MAAM,CAAC,GAAG,qBAAqB,CAAC,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC;IACrE,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,eAAe,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAChF,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,eAAe,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAChF,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;IACzC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;AAClF,CAAC;AAED,SAAS,WAAW,CAAC,KAAyB;IAC5C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,KAAK,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACxC,OAAO,IAAI,eAAe,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC;IAC9C,CAAC;IAED,OAAO,eAAe,CAAC,KAAK,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,oBAAoB,CAAC,WAA4B,EAAE,GAAS;IACnE,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;IAClD,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;IAC9C,OAAO,SAAS,IAAI,GAAG,IAAI,GAAG,IAAI,OAAO,CAAC;AAC5C,CAAC;AAED,MAAM,UAAU,gBAAgB,CAE9B,KAAa;IACb,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,CAAC,aAAa,EAAE,cAAc,EAAE,gBAAgB,CAAC,GAAG,KAAK,CAAC;IAChE,MAAM,MAAM,GAAG,YAAY,CACzB,IAAI,CAAC,KAAK,CAAC,sBAAsB,CAAC,aAAa,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAClE,+CAA+C,CAChD,CAAC;IACF,MAAM,OAAO,GAAG,YAAY,CAC1B,IAAI,CAAC,KAAK,CAAC,sBAAsB,CAAC,cAAc,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EACnE,gDAAgD,CACrC,CAAC;IAEd,OAAO;QACL,MAAM;QACN,OAAO;QACP,YAAY,EAAE,GAAG,aAAa,IAAI,cAAc,EAAE;QAClD,SAAS,EAAE,sBAAsB,CAAC,gBAAgB,CAAC;KACpD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CAEjC,KAAa;IACb,OAAO,gBAAgB,CAAW,KAAK,CAAC,CAAC,OAAO,CAAC;AACnD,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,KAI1C;IACC,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC7C,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC;IAC1C,IAAI,eAAe,KAAK,KAAK,CAAC,SAAS,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CACb,YAAY,KAAK,CAAC,SAAS,iCAAiC,MAAM,CAAC,eAAe,CAAC,GAAG,CACvF,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GACb,KAAK,CAAC,SAAS,KAAK,OAAO,CAAC,CAAC,CAAC,kBAAkB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC;IAExF,MAAM,QAAQ,GAAG,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;QACnD,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;QACxC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QACrC,QAAQ,CAAC,GAAG,EAAE,CAAC;QACf,OAAO,QAAQ,CAAC,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,KAIxC;IACC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxD,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,YAAY,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QAClD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,4BAA4B,KAAK,8BAA8B,CAAC,CAAC;QACnF,CAAC;QAED,OAAO,IAAI,eAAe,CAAC,SAAS,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC;IACpC,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;QACvC,IAAI,CAAC,oBAAoB,CAAC,WAAW,EAAE,GAAG,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;IAED,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QAChE,IAAI,CAAC,YAAY,CAAC,KAAK,CAAE,CAAC,MAAM,CAAC,YAAY,CAAC,KAAK,GAAG,CAAC,CAAE,CAAC,SAAS,CAAC,EAAE,CAAC;YACrE,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAED,MAAM,YAAY,GAAG,KAAK,CAAC,uBAAuB,CAAC,GAAG,CACpD,CAAC,WAAW,EAAE,EAAE,CAAC,IAAI,eAAe,CAAC,WAAW,CAAC,CAClD,CAAC;IACF,MAAM,aAAa,GAAG,YAAY,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAE,CAAC;IAC7D,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;QACzC,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACpF,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,0EAA0E,CAC3E,CAAC;IACJ,CAAC;IAED,OAAO,CAAC,YAAY,CAAC,CAAC,CAAE,CAAC,SAAS,CAAC,CAAC;AACtC,CAAC"}

package/dist/security/plugin-webhook-verification.d.ts

@@ -0,0 +1,3 @@
+import type { PluginWebhookEnvelope, PluginWebhookVerification } from "@shdan/submesh-core";
+export declare function verifyTrustedRelayWebhook(envelope: PluginWebhookEnvelope, config: Record<string, unknown>): PluginWebhookVerification;
+//# sourceMappingURL=plugin-webhook-verification.d.ts.map

package/dist/security/plugin-webhook-verification.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin-webhook-verification.d.ts","sourceRoot":"","sources":["../../src/security/plugin-webhook-verification.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,qBAAqB,EACrB,yBAAyB,EAC1B,MAAM,qBAAqB,CAAC;AAgB7B,wBAAgB,yBAAyB,CACvC,QAAQ,EAAE,qBAAqB,EAC/B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,yBAAyB,CAsC3B"}

package/dist/security/plugin-webhook-verification.js

@@ -0,0 +1,44 @@
+import { verifyRelaySignature } from "./relay-signature.js";
+function readHeader(headers, key) {
+    const value = headers[key] ?? headers[key.toLowerCase()];
+    return Array.isArray(value) ? value[0] : value;
+}
+function isExplicitlyEnabled(value) {
+    return value === true || value === "true";
+}
+export function verifyTrustedRelayWebhook(envelope, config) {
+    const secret = config.relaySigningSecret;
+    if (typeof secret !== "string" || secret.length === 0) {
+        if (isExplicitlyEnabled(config.allowInsecureWebhook)) {
+            return {
+                verified: true,
+                strategy: "none",
+                metadata: {
+                    reason: "explicit_insecure_override",
+                },
+            };
+        }
+        return {
+            verified: false,
+            strategy: "relay-hmac",
+            metadata: {
+                reason: "missing_relay_signing_secret",
+            },
+        };
+    }
+    const signature = readHeader(envelope.headers, "x-submesh-signature");
+    const timestamp = readHeader(envelope.headers, "x-submesh-timestamp");
+    const body = envelope.rawBody ?? envelope.body;
+    const verified = verifyRelaySignature({
+        body,
+        secret,
+        signature,
+        timestamp,
+    });
+    return {
+        verified,
+        strategy: "relay-hmac",
+        metadata: timestamp ? { timestamp } : undefined,
+    };
+}
+//# sourceMappingURL=plugin-webhook-verification.js.map

package/dist/security/plugin-webhook-verification.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin-webhook-verification.js","sourceRoot":"","sources":["../../src/security/plugin-webhook-verification.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAE5D,SAAS,UAAU,CACjB,OAAsD,EACtD,GAAW;IAEX,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;IACzD,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AACjD,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAc;IACzC,OAAO,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,MAAM,CAAC;AAC5C,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,QAA+B,EAC/B,MAA+B;IAE/B,MAAM,MAAM,GAAG,MAAM,CAAC,kBAAkB,CAAC;IACzC,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtD,IAAI,mBAAmB,CAAC,MAAM,CAAC,oBAAoB,CAAC,EAAE,CAAC;YACrD,OAAO;gBACL,QAAQ,EAAE,IAAI;gBACd,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE;oBACR,MAAM,EAAE,4BAA4B;iBACrC;aACF,CAAC;QACJ,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,KAAK;YACf,QAAQ,EAAE,YAAY;YACtB,QAAQ,EAAE;gBACR,MAAM,EAAE,8BAA8B;aACvC;SACF,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,OAAO,EAAE,qBAAqB,CAAC,CAAC;IACtE,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,OAAO,EAAE,qBAAqB,CAAC,CAAC;IACtE,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC;IAE/C,MAAM,QAAQ,GAAG,oBAAoB,CAAC;QACpC,IAAI;QACJ,MAAM;QACN,SAAS;QACT,SAAS;KACV,CAAC,CAAC;IAEH,OAAO;QACL,QAAQ;QACR,QAAQ,EAAE,YAAY;QACtB,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,SAAS;KAChD,CAAC;AACJ,CAAC"}

package/dist/security/relay-signature.d.ts

@@ -0,0 +1,12 @@
+export declare function createRelaySignature(body: unknown, secret: string, timestamp?: string): {
+    signature: string;
+    timestamp: string;
+};
+export declare function verifyRelaySignature(input: {
+    body: unknown;
+    secret: string;
+    signature?: string;
+    timestamp?: string;
+    toleranceSeconds?: number;
+}): boolean;
+//# sourceMappingURL=relay-signature.d.ts.map

package/dist/security/relay-signature.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"relay-signature.d.ts","sourceRoot":"","sources":["../../src/security/relay-signature.ts"],"names":[],"mappings":"AAoBA,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,OAAO,EACb,MAAM,EAAE,MAAM,EACd,SAAS,SAA2C,GACnD;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAM1C;AAED,wBAAgB,oBAAoB,CAAC,KAAK,EAAE;IAC1C,IAAI,EAAE,OAAO,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,GAAG,OAAO,CA0BV"}

package/dist/security/relay-signature.js

@@ -0,0 +1,39 @@
+import { createHmac, timingSafeEqual } from "node:crypto";
+const DEFAULT_TOLERANCE_SECONDS = 300;
+function toBodyString(body) {
+    if (typeof body === "string") {
+        return body;
+    }
+    if (body instanceof Uint8Array) {
+        return Buffer.from(body).toString("utf8");
+    }
+    return JSON.stringify(body);
+}
+function computeSignature(secret, timestamp, payload) {
+    return createHmac("sha256", secret).update(`${timestamp}.${payload}`).digest("hex");
+}
+export function createRelaySignature(body, secret, timestamp = Math.floor(Date.now() / 1000).toString()) {
+    const payload = toBodyString(body);
+    return {
+        signature: computeSignature(secret, timestamp, payload),
+        timestamp,
+    };
+}
+export function verifyRelaySignature(input) {
+    if (!input.signature || !input.timestamp) {
+        return false;
+    }
+    const age = Math.abs(Math.floor(Date.now() / 1000) - Number(input.timestamp));
+    if (!Number.isFinite(age) ||
+        age > (input.toleranceSeconds ?? DEFAULT_TOLERANCE_SECONDS)) {
+        return false;
+    }
+    const expected = computeSignature(input.secret, input.timestamp, toBodyString(input.body));
+    const actualBuffer = Buffer.from(input.signature, "hex");
+    const expectedBuffer = Buffer.from(expected, "hex");
+    if (actualBuffer.length !== expectedBuffer.length) {
+        return false;
+    }
+    return timingSafeEqual(actualBuffer, expectedBuffer);
+}
+//# sourceMappingURL=relay-signature.js.map

package/dist/security/relay-signature.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"relay-signature.js","sourceRoot":"","sources":["../../src/security/relay-signature.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE1D,MAAM,yBAAyB,GAAG,GAAG,CAAC;AAEtC,SAAS,YAAY,CAAC,IAAa;IACjC,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,IAAI,YAAY,UAAU,EAAE,CAAC;QAC/B,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC5C,CAAC;IAED,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAc,EAAE,SAAiB,EAAE,OAAe;IAC1E,OAAO,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,GAAG,SAAS,IAAI,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACtF,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,IAAa,EACb,MAAc,EACd,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,QAAQ,EAAE;IAEpD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACnC,OAAO;QACL,SAAS,EAAE,gBAAgB,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,CAAC;QACvD,SAAS;KACV,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,KAMpC;IACC,IAAI,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;QACzC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC;IAC9E,IACE,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC;QACrB,GAAG,GAAG,CAAC,KAAK,CAAC,gBAAgB,IAAI,yBAAyB,CAAC,EAC3D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,QAAQ,GAAG,gBAAgB,CAC/B,KAAK,CAAC,MAAM,EACZ,KAAK,CAAC,SAAS,EACf,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CACzB,CAAC;IAEF,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IACzD,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACpD,IAAI,YAAY,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM,EAAE,CAAC;QAClD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,eAAe,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC;AACvD,CAAC"}

package/dist/services/canonical-subscription-service.d.ts

@@ -0,0 +1,4 @@
+import type { CanonicalSubscriptionInput, Subscription } from "@shdan/submesh-core";
+import type { RepositorySet } from "../repositories/index.js";
+export declare function ingestCanonicalSubscription(repositories: RepositorySet, input: CanonicalSubscriptionInput): Promise<Subscription>;
+//# sourceMappingURL=canonical-subscription-service.d.ts.map

package/dist/services/canonical-subscription-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"canonical-subscription-service.d.ts","sourceRoot":"","sources":["../../src/services/canonical-subscription-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,0BAA0B,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAEpF,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAI9D,wBAAsB,2BAA2B,CAC/C,YAAY,EAAE,aAAa,EAC3B,KAAK,EAAE,0BAA0B,GAChC,OAAO,CAAC,YAAY,CAAC,CAiBvB"}

package/dist/services/canonical-subscription-service.js

@@ -0,0 +1,20 @@
+import { resolvePlanForRecord } from "./plan-resolution.js";
+import { resolveSubjectForRecord } from "./subject-resolution.js";
+export async function ingestCanonicalSubscription(repositories, input) {
+    const subject = await resolveSubjectForRecord(repositories, input);
+    const plan = await resolvePlanForRecord(repositories, input);
+    return repositories.subscriptions.upsert({
+        subjectId: subject.id,
+        planId: plan.id,
+        pluginKey: input.pluginKey,
+        sourceType: input.sourceType,
+        sourceRef: input.sourceRef,
+        status: input.status,
+        currentPeriodStart: input.currentPeriodStart ?? null,
+        currentPeriodEnd: input.currentPeriodEnd ?? null,
+        trialEndAt: input.trialEndAt ?? null,
+        cancelAt: input.cancelAt ?? null,
+        metadata: input.metadata ?? {},
+    });
+}
+//# sourceMappingURL=canonical-subscription-service.js.map

package/dist/services/canonical-subscription-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"canonical-subscription-service.js","sourceRoot":"","sources":["../../src/services/canonical-subscription-service.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAC5D,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAElE,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,YAA2B,EAC3B,KAAiC;IAEjC,MAAM,OAAO,GAAG,MAAM,uBAAuB,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;IACnE,MAAM,IAAI,GAAG,MAAM,oBAAoB,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;IAE7D,OAAO,YAAY,CAAC,aAAa,CAAC,MAAM,CAAC;QACvC,SAAS,EAAE,OAAO,CAAC,EAAE;QACrB,MAAM,EAAE,IAAI,CAAC,EAAE;QACf,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,kBAAkB,EAAE,KAAK,CAAC,kBAAkB,IAAI,IAAI;QACpD,gBAAgB,EAAE,KAAK,CAAC,gBAAgB,IAAI,IAAI;QAChD,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,IAAI;QACpC,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,IAAI;QAChC,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,EAAE;KAC/B,CAAC,CAAC;AACL,CAAC"}

package/dist/services/managed-subscription-service.d.ts

@@ -0,0 +1,5 @@
+import type { Subscription } from "@shdan/submesh-core";
+import type { CreateManagedSubscriptionInput } from "../contracts.js";
+import type { SubmeshRepositories } from "../repositories/index.js";
+export declare function createManagedSubscription(repositories: SubmeshRepositories, input: CreateManagedSubscriptionInput): Promise<Subscription>;
+//# sourceMappingURL=managed-subscription-service.d.ts.map

package/dist/services/managed-subscription-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"managed-subscription-service.d.ts","sourceRoot":"","sources":["../../src/services/managed-subscription-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAExD,OAAO,KAAK,EAAE,8BAA8B,EAAE,MAAM,iBAAiB,CAAC;AAEtE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAEpE,wBAAsB,yBAAyB,CAC7C,YAAY,EAAE,mBAAmB,EACjC,KAAK,EAAE,8BAA8B,GACpC,OAAO,CAAC,YAAY,CAAC,CAsBvB"}

package/dist/services/managed-subscription-service.js

@@ -0,0 +1,24 @@
+import { NotFoundError } from "../errors.js";
+export async function createManagedSubscription(repositories, input) {
+    const plan = await repositories.plans.getByCode(input.planCode);
+    if (!plan) {
+        throw new NotFoundError(`Plan ${input.planCode} was not found.`);
+    }
+    return repositories.transaction(async (tx) => {
+        await tx.subjects.upsert({ id: input.subjectId });
+        return tx.subscriptions.upsert({
+            subjectId: input.subjectId,
+            planId: plan.id,
+            pluginKey: input.pluginKey ?? "manual",
+            sourceType: input.sourceType ?? "manual",
+            sourceRef: input.sourceRef ?? `${input.subjectId}:${plan.code}`,
+            status: input.status ?? "active",
+            currentPeriodStart: input.currentPeriodStart ?? null,
+            currentPeriodEnd: input.currentPeriodEnd ?? null,
+            trialEndAt: input.trialEndAt ?? null,
+            cancelAt: input.cancelAt ?? null,
+            metadata: input.metadata ?? {},
+        });
+    });
+}
+//# sourceMappingURL=managed-subscription-service.js.map

package/dist/services/managed-subscription-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"managed-subscription-service.js","sourceRoot":"","sources":["../../src/services/managed-subscription-service.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAG7C,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,YAAiC,EACjC,KAAqC;IAErC,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAChE,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,aAAa,CAAC,QAAQ,KAAK,CAAC,QAAQ,iBAAiB,CAAC,CAAC;IACnE,CAAC;IAED,OAAO,YAAY,CAAC,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;QAC3C,MAAM,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC;QAClD,OAAO,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC;YAC7B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,QAAQ;YACtC,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,QAAQ;YACxC,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,GAAG,KAAK,CAAC,SAAS,IAAI,IAAI,CAAC,IAAI,EAAE;YAC/D,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,QAAQ;YAChC,kBAAkB,EAAE,KAAK,CAAC,kBAAkB,IAAI,IAAI;YACpD,gBAAgB,EAAE,KAAK,CAAC,gBAAgB,IAAI,IAAI;YAChD,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,IAAI;YACpC,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,IAAI;YAChC,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,EAAE;SAC/B,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/services/plan-provisioning-service.d.ts

@@ -0,0 +1,5 @@
+import type { CreatePlanInput } from "../contracts.js";
+import type { PluginRegistry } from "../plugins/plugin-registry.js";
+import type { SubmeshRepositories } from "../repositories/index.js";
+export declare function createPlanWithProvisioning(repositories: SubmeshRepositories, pluginRegistry: PluginRegistry, input: CreatePlanInput): Promise<import("@shdan/submesh-core").Plan>;
+//# sourceMappingURL=plan-provisioning-service.d.ts.map

package/dist/services/plan-provisioning-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plan-provisioning-service.d.ts","sourceRoot":"","sources":["../../src/services/plan-provisioning-service.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,eAAe,EAGhB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AACpE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAoEpE,wBAAsB,0BAA0B,CAC9C,YAAY,EAAE,mBAAmB,EACjC,cAAc,EAAE,cAAc,EAC9B,KAAK,EAAE,eAAe,+CA0EvB"}

package/dist/services/plan-provisioning-service.js

@@ -0,0 +1,100 @@
+import { ValidationError } from "../errors.js";
+function mergeProvisioningMetadata(metadata, provisions) {
+    if (provisions.length === 0) {
+        return metadata ?? {};
+    }
+    return {
+        ...(metadata ?? {}),
+        provisioning: {
+            ...(metadata?.provisioning ?? {}),
+            ...Object.fromEntries(provisions.map((provision) => [
+                provision.pluginKey,
+                {
+                    mappings: provision.mappings.map((mapping) => ({
+                        externalProductId: mapping.externalProductId,
+                        metadata: mapping.metadata ?? {},
+                    })),
+                    metadata: provision.metadata ?? {},
+                },
+            ])),
+        },
+    };
+}
+async function rollbackProvisioning(pluginRegistry, input, provisions) {
+    const failures = [];
+    for (const provision of provisions) {
+        const plugin = pluginRegistry.get(provision.pluginKey);
+        if (!plugin?.deprovisionPlan) {
+            continue;
+        }
+        try {
+            await plugin.deprovisionPlan(input, {
+                config: provision.installationConfig ?? {},
+                result: provision.result,
+            });
+        }
+        catch (error) {
+            failures.push(`${provision.pluginKey}: ${error instanceof Error ? error.message : "Unknown deprovisioning error."}`);
+        }
+    }
+    return failures;
+}
+export async function createPlanWithProvisioning(repositories, pluginRegistry, input) {
+    const provisions = [];
+    try {
+        const installations = await repositories.pluginInstallations.list();
+        for (const installation of installations) {
+            if (!installation.enabled) {
+                continue;
+            }
+            const plugin = pluginRegistry.get(installation.pluginKey);
+            if (!plugin?.provisionPlan) {
+                continue;
+            }
+            const result = await plugin.provisionPlan(input, {
+                config: installation.config ?? {},
+            });
+            if (!result.mappings.length) {
+                continue;
+            }
+            provisions.push({
+                pluginKey: installation.pluginKey,
+                installationConfig: installation.config,
+                result,
+                mappings: result.mappings.map((mapping) => ({
+                    pluginKey: installation.pluginKey,
+                    externalProductId: mapping.externalProductId,
+                    planCode: input.code,
+                    metadata: mapping.metadata ?? {},
+                })),
+                metadata: result.metadata,
+            });
+        }
+        return await repositories.transaction(async (tx) => {
+            const created = await tx.plans.create({
+                ...input,
+                metadata: mergeProvisioningMetadata(input.metadata, provisions),
+            });
+            for (const provision of provisions) {
+                for (const mapping of provision.mappings) {
+                    await tx.catalogMappings.upsert(mapping);
+                }
+            }
+            return created;
+        });
+    }
+    catch (error) {
+        const rollbackFailures = await rollbackProvisioning(pluginRegistry, input, provisions);
+        if (rollbackFailures.length > 0) {
+            const baseMessage = error instanceof Error
+                ? error.message
+                : "Plan creation failed during provider provisioning.";
+            throw new ValidationError(`${baseMessage} External deprovisioning also failed: ${rollbackFailures.join("; ")}`);
+        }
+        if (error instanceof Error) {
+            throw error;
+        }
+        throw new ValidationError("Plan creation failed during provider provisioning.");
+    }
+}
+//# sourceMappingURL=plan-provisioning-service.js.map

package/dist/services/plan-provisioning-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"plan-provisioning-service.js","sourceRoot":"","sources":["../../src/services/plan-provisioning-service.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAY/C,SAAS,yBAAyB,CAChC,QAA6C,EAC7C,UAAmC;IAEnC,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,OAAO,QAAQ,IAAI,EAAE,CAAC;IACxB,CAAC;IAED,OAAO;QACL,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC;QACnB,YAAY,EAAE;YACZ,GAAG,CAAE,QAAQ,EAAE,YAAoD,IAAI,EAAE,CAAC;YAC1E,GAAG,MAAM,CAAC,WAAW,CACnB,UAAU,CAAC,GAAG,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC;gBAC5B,SAAS,CAAC,SAAS;gBACnB;oBACE,QAAQ,EAAE,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;wBAC7C,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;wBAC5C,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,EAAE;qBACjC,CAAC,CAAC;oBACH,QAAQ,EAAE,SAAS,CAAC,QAAQ,IAAI,EAAE;iBACnC;aACF,CAAC,CACH;SACF;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,cAA8B,EAC9B,KAAsB,EACtB,UAAmC;IAEnC,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACvD,IAAI,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC;YAC7B,SAAS;QACX,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,eAAe,CAAC,KAAK,EAAE;gBAClC,MAAM,EAAE,SAAS,CAAC,kBAAkB,IAAI,EAAE;gBAC1C,MAAM,EAAE,SAAS,CAAC,MAAM;aACzB,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,QAAQ,CAAC,IAAI,CACX,GAAG,SAAS,CAAC,SAAS,KACpB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,+BAC3C,EAAE,CACH,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,YAAiC,EACjC,cAA8B,EAC9B,KAAsB;IAEtB,MAAM,UAAU,GAA4B,EAAE,CAAC;IAE/C,IAAI,CAAC;QACH,MAAM,aAAa,GAAG,MAAM,YAAY,CAAC,mBAAmB,CAAC,IAAI,EAAE,CAAC;QACpE,KAAK,MAAM,YAAY,IAAI,aAAa,EAAE,CAAC;YACzC,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;gBAC1B,SAAS;YACX,CAAC;YAED,MAAM,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;YAC1D,IAAI,CAAC,MAAM,EAAE,aAAa,EAAE,CAAC;gBAC3B,SAAS;YACX,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,KAAK,EAAE;gBAC/C,MAAM,EAAE,YAAY,CAAC,MAAM,IAAI,EAAE;aAClC,CAAC,CAAC;YACH,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;gBAC5B,SAAS;YACX,CAAC;YAED,UAAU,CAAC,IAAI,CAAC;gBACd,SAAS,EAAE,YAAY,CAAC,SAAS;gBACjC,kBAAkB,EAAE,YAAY,CAAC,MAAM;gBACvC,MAAM;gBACN,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;oBAC1C,SAAS,EAAE,YAAY,CAAC,SAAS;oBACjC,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;oBAC5C,QAAQ,EAAE,KAAK,CAAC,IAAI;oBACpB,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,EAAE;iBACjC,CAAC,CAAC;gBACH,QAAQ,EAAE,MAAM,CAAC,QAAQ;aAC1B,CAAC,CAAC;QACL,CAAC;QAED,OAAO,MAAM,YAAY,CAAC,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;YACjD,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC;gBACpC,GAAG,KAAK;gBACR,QAAQ,EAAE,yBAAyB,CAAC,KAAK,CAAC,QAAQ,EAAE,UAAU,CAAC;aAChE,CAAC,CAAC;YAEH,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;gBACnC,KAAK,MAAM,OAAO,IAAI,SAAS,CAAC,QAAQ,EAAE,CAAC;oBACzC,MAAM,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;gBAC3C,CAAC;YACH,CAAC;YAED,OAAO,OAAO,CAAC;QACjB,CAAC,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,gBAAgB,GAAG,MAAM,oBAAoB,CACjD,cAAc,EACd,KAAK,EACL,UAAU,CACX,CAAC;QAEF,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,MAAM,WAAW,GACf,KAAK,YAAY,KAAK;gBACpB,CAAC,CAAC,KAAK,CAAC,OAAO;gBACf,CAAC,CAAC,oDAAoD,CAAC;YAC3D,MAAM,IAAI,eAAe,CACvB,GAAG,WAAW,yCAAyC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACrF,CAAC;QACJ,CAAC;QAED,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;YAC3B,MAAM,KAAK,CAAC;QACd,CAAC;QAED,MAAM,IAAI,eAAe,CAAC,oDAAoD,CAAC,CAAC;IAClF,CAAC;AACH,CAAC"}

package/dist/services/plan-resolution.d.ts

@@ -0,0 +1,4 @@
+import type { CanonicalSubscriptionInput, Plan } from "@shdan/submesh-core";
+import type { RepositorySet } from "../repositories/index.js";
+export declare function resolvePlanForRecord(repositories: RepositorySet, input: CanonicalSubscriptionInput): Promise<Plan>;
+//# sourceMappingURL=plan-resolution.d.ts.map

package/dist/services/plan-resolution.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plan-resolution.d.ts","sourceRoot":"","sources":["../../src/services/plan-resolution.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,0BAA0B,EAAE,IAAI,EAAE,MAAM,qBAAqB,CAAC;AAG5E,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAG9D,wBAAsB,oBAAoB,CACxC,YAAY,EAAE,aAAa,EAC3B,KAAK,EAAE,0BAA0B,GAChC,OAAO,CAAC,IAAI,CAAC,CAiDf"}

package/dist/services/plan-resolution.js

@@ -0,0 +1,33 @@
+import { NotFoundError, ValidationError } from "../errors.js";
+import { getExternalSubjectId } from "../utils/canonical.js";
+export async function resolvePlanForRecord(repositories, input) {
+    if (input.planCode) {
+        const plan = await repositories.plans.getByCode(input.planCode);
+        if (!plan) {
+            throw new NotFoundError(`Plan ${input.planCode} was not found.`);
+        }
+        if (input.externalProductId) {
+            const mapping = await repositories.catalogMappings.findByExternalProduct(input.pluginKey, input.externalProductId);
+            if (mapping && mapping.planCode !== input.planCode) {
+                throw new ValidationError(`Catalog mapping for ${input.pluginKey}:${input.externalProductId} points to ${mapping.planCode}, not ${input.planCode}.`);
+            }
+        }
+        return plan;
+    }
+    if (!input.externalProductId) {
+        const identityHint = getExternalSubjectId(input);
+        throw new ValidationError(identityHint
+            ? `Canonical subscription input for ${input.pluginKey}:${identityHint} is missing planCode or externalProductId.`
+            : "Canonical subscription input is missing planCode or externalProductId.");
+    }
+    const mapping = await repositories.catalogMappings.findByExternalProduct(input.pluginKey, input.externalProductId);
+    if (!mapping) {
+        throw new NotFoundError(`No catalog mapping found for ${input.pluginKey}:${input.externalProductId}.`);
+    }
+    const plan = await repositories.plans.getByCode(mapping.planCode);
+    if (!plan) {
+        throw new NotFoundError(`Plan ${mapping.planCode} was not found.`);
+    }
+    return plan;
+}
+//# sourceMappingURL=plan-resolution.js.map

package/dist/services/plan-resolution.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"plan-resolution.js","sourceRoot":"","sources":["../../src/services/plan-resolution.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAE9D,OAAO,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAE7D,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,YAA2B,EAC3B,KAAiC;IAEjC,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QACnB,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAChE,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,aAAa,CAAC,QAAQ,KAAK,CAAC,QAAQ,iBAAiB,CAAC,CAAC;QACnE,CAAC;QAED,IAAI,KAAK,CAAC,iBAAiB,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,eAAe,CAAC,qBAAqB,CACtE,KAAK,CAAC,SAAS,EACf,KAAK,CAAC,iBAAiB,CACxB,CAAC;YAEF,IAAI,OAAO,IAAI,OAAO,CAAC,QAAQ,KAAK,KAAK,CAAC,QAAQ,EAAE,CAAC;gBACnD,MAAM,IAAI,eAAe,CACvB,uBAAuB,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,iBAAiB,cAAc,OAAO,CAAC,QAAQ,SAAS,KAAK,CAAC,QAAQ,GAAG,CAC1H,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,iBAAiB,EAAE,CAAC;QAC7B,MAAM,YAAY,GAAG,oBAAoB,CAAC,KAAK,CAAC,CAAC;QACjD,MAAM,IAAI,eAAe,CACvB,YAAY;YACV,CAAC,CAAC,oCAAoC,KAAK,CAAC,SAAS,IAAI,YAAY,4CAA4C;YACjH,CAAC,CAAC,wEAAwE,CAC7E,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,eAAe,CAAC,qBAAqB,CACtE,KAAK,CAAC,SAAS,EACf,KAAK,CAAC,iBAAiB,CACxB,CAAC;IAEF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,aAAa,CACrB,gCAAgC,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,iBAAiB,GAAG,CAC9E,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAClE,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,aAAa,CAAC,QAAQ,OAAO,CAAC,QAAQ,iBAAiB,CAAC,CAAC;IACrE,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/services/plugin-installation-service.d.ts

@@ -0,0 +1,6 @@
+import type { PluginInstallation } from "@shdan/submesh-core";
+import type { InstallPluginInput } from "../contracts.js";
+import type { PluginRegistry } from "../plugins/plugin-registry.js";
+import type { SubmeshRepositories } from "../repositories/index.js";
+export declare function installPlugin(repositories: SubmeshRepositories, pluginRegistry: PluginRegistry, input: InstallPluginInput): Promise<PluginInstallation>;
+//# sourceMappingURL=plugin-installation-service.d.ts.map

package/dist/services/plugin-installation-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin-installation-service.d.ts","sourceRoot":"","sources":["../../src/services/plugin-installation-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAE9D,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAE1D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AACpE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAEpE,wBAAsB,aAAa,CACjC,YAAY,EAAE,mBAAmB,EACjC,cAAc,EAAE,cAAc,EAC9B,KAAK,EAAE,kBAAkB,GACxB,OAAO,CAAC,kBAAkB,CAAC,CAkB7B"}

package/dist/services/plugin-installation-service.js

@@ -0,0 +1,19 @@
+import { NotFoundError } from "../errors.js";
+export async function installPlugin(repositories, pluginRegistry, input) {
+    const plugin = pluginRegistry.get(input.pluginKey);
+    if (!plugin) {
+        throw new NotFoundError(`Plugin ${input.pluginKey} is not registered.`);
+    }
+    const config = {
+        ...(plugin.defaultConfig ?? {}),
+        ...(input.config ?? {}),
+    };
+    const finalConfig = plugin.install ? await plugin.install(config) : config;
+    return repositories.pluginInstallations.upsert({
+        pluginKey: plugin.key,
+        displayName: plugin.displayName,
+        enabled: input.enabled ?? true,
+        config: finalConfig,
+    });
+}
+//# sourceMappingURL=plugin-installation-service.js.map

package/dist/services/plugin-installation-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin-installation-service.js","sourceRoot":"","sources":["../../src/services/plugin-installation-service.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAI7C,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,YAAiC,EACjC,cAA8B,EAC9B,KAAyB;IAEzB,MAAM,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACnD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,aAAa,CAAC,UAAU,KAAK,CAAC,SAAS,qBAAqB,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,MAAM,GAAG;QACb,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,EAAE,CAAC;QAC/B,GAAG,CAAC,KAAK,CAAC,MAAM,IAAI,EAAE,CAAC;KACxB,CAAC;IACF,MAAM,WAAW,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IAE3E,OAAO,YAAY,CAAC,mBAAmB,CAAC,MAAM,CAAC;QAC7C,SAAS,EAAE,MAAM,CAAC,GAAG;QACrB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,IAAI;QAC9B,MAAM,EAAE,WAAW;KACpB,CAAC,CAAC;AACL,CAAC"}

package/dist/services/provider-subscription-sync-service.d.ts

@@ -0,0 +1,4 @@
+import type { CanonicalSubscriptionInput, Subscription } from "@shdan/submesh-core";
+import type { SubmeshRepositories } from "../repositories/index.js";
+export declare function syncVerifiedProviderSubscription(repositories: SubmeshRepositories, input: CanonicalSubscriptionInput): Promise<Subscription>;
+//# sourceMappingURL=provider-subscription-sync-service.d.ts.map

package/dist/services/provider-subscription-sync-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider-subscription-sync-service.d.ts","sourceRoot":"","sources":["../../src/services/provider-subscription-sync-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,0BAA0B,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAGpF,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAGpE,wBAAsB,gCAAgC,CACpD,YAAY,EAAE,mBAAmB,EACjC,KAAK,EAAE,0BAA0B,GAChC,OAAO,CAAC,YAAY,CAAC,CAgBvB"}

package/dist/services/provider-subscription-sync-service.js

@@ -0,0 +1,13 @@
+import { ConflictError } from "../errors.js";
+import { ingestCanonicalSubscription } from "./canonical-subscription-service.js";
+export async function syncVerifiedProviderSubscription(repositories, input) {
+    if (!input.subjectId) {
+        throw new Error("Verified provider subscription sync requires subjectId.");
+    }
+    const existing = await repositories.subscriptions.getBySource(input.pluginKey, input.sourceRef);
+    if (existing && existing.subjectId !== input.subjectId) {
+        throw new ConflictError(`Provider subscription ${input.pluginKey}:${input.sourceRef} is already linked to subject ${existing.subjectId}.`);
+    }
+    return repositories.transaction((tx) => ingestCanonicalSubscription(tx, input));
+}
+//# sourceMappingURL=provider-subscription-sync-service.js.map

package/dist/services/provider-subscription-sync-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider-subscription-sync-service.js","sourceRoot":"","sources":["../../src/services/provider-subscription-sync-service.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAE7C,OAAO,EAAE,2BAA2B,EAAE,MAAM,qCAAqC,CAAC;AAElF,MAAM,CAAC,KAAK,UAAU,gCAAgC,CACpD,YAAiC,EACjC,KAAiC;IAEjC,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC7E,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,aAAa,CAAC,WAAW,CAC3D,KAAK,CAAC,SAAS,EACf,KAAK,CAAC,SAAS,CAChB,CAAC;IACF,IAAI,QAAQ,IAAI,QAAQ,CAAC,SAAS,KAAK,KAAK,CAAC,SAAS,EAAE,CAAC;QACvD,MAAM,IAAI,aAAa,CACrB,yBAAyB,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,SAAS,iCAAiC,QAAQ,CAAC,SAAS,GAAG,CAClH,CAAC;IACJ,CAAC;IAED,OAAO,YAAY,CAAC,WAAW,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,2BAA2B,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,CAAC;AAClF,CAAC"}

package/dist/services/subject-resolution.d.ts

@@ -0,0 +1,4 @@
+import type { CanonicalSubscriptionInput, Subject } from "@shdan/submesh-core";
+import type { RepositorySet } from "../repositories/index.js";
+export declare function resolveSubjectForRecord(repositories: RepositorySet, input: CanonicalSubscriptionInput): Promise<Subject>;
+//# sourceMappingURL=subject-resolution.d.ts.map

package/dist/services/subject-resolution.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"subject-resolution.d.ts","sourceRoot":"","sources":["../../src/services/subject-resolution.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,0BAA0B,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAI/E,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAkB9D,wBAAsB,uBAAuB,CAC3C,YAAY,EAAE,aAAa,EAC3B,KAAK,EAAE,0BAA0B,GAChC,OAAO,CAAC,OAAO,CAAC,CA2DlB"}