@tangle-network/agent-integrations 0.33.1 → 0.34.0

package/dist/webhooks/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/webhooks/router.ts","../../src/webhooks/providers.ts"],"sourcesContent":["/**\n * @stable Provider-agnostic inbound webhook router.\n *\n * Consumer hooks a single HTTP handler at `/webhook/:provider/:event`\n * (or whatever pathing they prefer) and forwards the request through\n * `WebhookRouter.handle()`. The router:\n *\n *   1. Resolves the registered provider entry.\n *   2. Calls the provider's `verifySignature(rawBody, headers, secrets)`.\n *      Failure → 401 fast, no downstream work.\n *   3. Calls the provider's `parse(rawBody, headers)` to extract zero or\n *      more normalized events.\n *   4. Enqueues each event for async processing via the consumer-supplied\n *      `deliver(event)` callback (best-effort fire-and-forget — the\n *      router does NOT block the HTTP response on the consumer's work).\n *   5. Returns 200 fast with `{received: events.length}`.\n *\n * Replay protection: providers that sign timestamps (Stripe, Slack)\n * already reject stale signatures inside `verifySignature`. For providers\n * that don't (DocuSeal, GDrive push), the router exposes a pluggable\n * `idempotency` hook: if `idempotency.seen(providerEventId)` returns\n * true, the router 200s without invoking `deliver()`. Consumers wire\n * this to a durable kv (D1 / Redis / Postgres unique-index).\n *\n * Why a router and not a per-provider express app: the runtime contract\n * a product cares about is \"an inbound event came in, here's the\n * normalized envelope\". Verification, parsing, and idempotency-dedup\n * are mechanical and provider-specific — the router owns them. The\n * consumer's `deliver()` is the only place product logic runs.\n *\n * Stability: `@stable` — additions to `WebhookEnvelope` must be\n * additive; the router's HTTP contract (paths, status codes) is frozen\n * at 200 (ok), 400 (bad request), 401 (bad signature), 404 (unknown\n * provider), 405 (provider has no inbound surface).\n */\n\nexport interface WebhookHeaders {\n  [name: string]: string | string[] | undefined\n}\n\n/** Normalized inbound event the router emits after parsing. */\nexport interface WebhookEnvelope<TPayload = unknown> {\n  /** Provider id (matches the `:provider` path segment). */\n  provider: string\n  /** Optional event class — e.g., 'customer.subscription.deleted'. The\n   *  provider's parser decides. Used for routing inside `deliver()`. */\n  eventType: string\n  /** Provider-emitted event id, when present. Used for the idempotency\n   *  short-circuit. */\n  providerEventId?: string\n  /** Wall-clock receive time. */\n  receivedAt: number\n  /** Provider payload, normalized to the provider's documented event\n   *  shape. The router does NOT reshape this — `parse()` is the contract. */\n  payload: TPayload\n  /** Headers passed through for downstream handlers that want them\n   *  (e.g., to extract custom routing metadata). Always lowercased keys. */\n  headers: Record<string, string>\n}\n\nexport type SignatureVerification =\n  | { valid: true }\n  | { valid: false; reason: string }\n\n/** Per-provider plug-in. Stateless — the router calls `verifySignature`\n *  then `parse` on every request. The provider's HTTP-shape concerns\n *  (e.g., raw body required) are documented per provider. */\nexport interface WebhookProvider {\n  /** Stable provider id (`stripe`, `docuseal`, `gdrive`, ...). */\n  id: string\n  /** Verify the inbound signature. Receives the EXACT raw body string —\n   *  consumers MUST preserve raw bytes through their HTTP server (do not\n   *  parse JSON before forwarding here). */\n  verifySignature(input: {\n    rawBody: string\n    headers: WebhookHeaders\n    secret: string\n  }): SignatureVerification\n  /** Parse the validated raw body into zero or more normalized events.\n   *  A single push payload may carry multiple events (e.g., Slack bulk\n   *  delivery). Return [] to ack the push as a no-op. */\n  parse(input: {\n    rawBody: string\n    headers: WebhookHeaders\n    now?: number\n  }): WebhookEnvelope[] | Promise<WebhookEnvelope[]>\n}\n\nexport interface WebhookIdempotencyStore {\n  /** Returns true if this providerEventId has been processed already.\n   *  Implementations should be O(1) (Redis SETNX, D1 UNIQUE constraint). */\n  seen(providerEventId: string): Promise<boolean> | boolean\n  /** Marks a providerEventId as processed. Called AFTER `deliver()` has\n   *  been invoked. */\n  remember(providerEventId: string, ttlMs: number): Promise<void> | void\n}\n\nexport interface WebhookRouterOptions {\n  /** Provider registry. Pass any number of providers; routing is by id. */\n  providers: WebhookProvider[]\n  /** Async callback invoked with every accepted event. Fire-and-forget\n   *  from the router's perspective — the HTTP response is sent before\n   *  this resolves. Throws are caught and reported via `onError`. */\n  deliver(event: WebhookEnvelope): Promise<void> | void\n  /** Resolve the signing secret for a provider id at request time. The\n   *  router never holds secrets — the consumer's vault resolves them. */\n  resolveSecret(providerId: string, headers: WebhookHeaders): Promise<string | null> | string | null\n  /** Optional idempotency-dedup hook. Required for providers that don't\n   *  sign timestamps in their signature scheme (DocuSeal, Drive push). */\n  idempotency?: WebhookIdempotencyStore\n  /** TTL on idempotency entries. Default 7 days — long enough that a\n   *  provider's normal retry-window can't re-deliver. */\n  idempotencyTtlMs?: number\n  /** Surface delivery errors. Default: console.error. */\n  onError?(err: unknown, context: { provider: string; eventType?: string; providerEventId?: string }): void\n  /** Override `now()` for tests. */\n  now?(): number\n}\n\nexport interface WebhookRouterRequest {\n  providerId: string\n  rawBody: string\n  headers: WebhookHeaders\n}\n\nexport interface WebhookRouterResponse {\n  status: number\n  body: unknown\n  headers?: Record<string, string>\n}\n\n/**\n * Router instance. Stateless aside from the provider registry — safe to\n * share across requests; build once per process.\n */\nexport class WebhookRouter {\n  private readonly providers: Map<string, WebhookProvider>\n  private readonly deliver: WebhookRouterOptions['deliver']\n  private readonly resolveSecret: WebhookRouterOptions['resolveSecret']\n  private readonly idempotency?: WebhookIdempotencyStore\n  private readonly idempotencyTtlMs: number\n  private readonly onError: NonNullable<WebhookRouterOptions['onError']>\n  private readonly nowFn: () => number\n\n  constructor(opts: WebhookRouterOptions) {\n    this.providers = new Map(opts.providers.map((p) => [p.id, p]))\n    this.deliver = opts.deliver\n    this.resolveSecret = opts.resolveSecret\n    this.idempotency = opts.idempotency\n    this.idempotencyTtlMs = opts.idempotencyTtlMs ?? 7 * 24 * 60 * 60 * 1000\n    this.onError = opts.onError ?? defaultOnError\n    this.nowFn = opts.now ?? Date.now\n  }\n\n  /** Process one inbound webhook request. Pure with respect to side-\n   *  effects on the router instance — safe to call concurrently. */\n  async handle(request: WebhookRouterRequest): Promise<WebhookRouterResponse> {\n    const provider = this.providers.get(request.providerId)\n    if (!provider) {\n      return { status: 404, body: { error: 'unknown_provider', provider: request.providerId } }\n    }\n    const secret = await this.resolveSecret(provider.id, request.headers)\n    if (!secret) {\n      return { status: 401, body: { error: 'missing_secret', provider: provider.id } }\n    }\n    const verification = provider.verifySignature({\n      rawBody: request.rawBody,\n      headers: request.headers,\n      secret,\n    })\n    if (!verification.valid) {\n      return { status: 401, body: { error: 'invalid_signature', reason: verification.reason } }\n    }\n\n    let events: WebhookEnvelope[]\n    try {\n      events = await provider.parse({ rawBody: request.rawBody, headers: request.headers, now: this.nowFn() })\n    } catch (err) {\n      this.onError(err, { provider: provider.id })\n      return { status: 400, body: { error: 'parse_error', message: errMessage(err) } }\n    }\n\n    const accepted: WebhookEnvelope[] = []\n    for (const event of events) {\n      if (event.providerEventId && this.idempotency) {\n        const already = await this.idempotency.seen(event.providerEventId)\n        if (already) continue\n      }\n      accepted.push(event)\n    }\n\n    // Deliver async — do NOT block the HTTP response. Errors land in\n    // `onError`; the provider already got its 200 by then so it will\n    // not retry.\n    queueMicrotask(() => {\n      void this.deliverEach(accepted)\n    })\n\n    return { status: 200, body: { received: accepted.length, total: events.length } }\n  }\n\n  private async deliverEach(events: WebhookEnvelope[]): Promise<void> {\n    for (const event of events) {\n      try {\n        await this.deliver(event)\n        if (event.providerEventId && this.idempotency) {\n          await this.idempotency.remember(event.providerEventId, this.idempotencyTtlMs)\n        }\n      } catch (err) {\n        this.onError(err, {\n          provider: event.provider,\n          eventType: event.eventType,\n          providerEventId: event.providerEventId,\n        })\n      }\n    }\n  }\n}\n\nfunction defaultOnError(err: unknown, context: { provider: string; eventType?: string; providerEventId?: string }): void {\n  // eslint-disable-next-line no-console\n  console.error('[WebhookRouter]', context, err)\n}\n\nfunction errMessage(err: unknown): string {\n  return err instanceof Error ? err.message : String(err)\n}\n","/**\n * Pre-built `WebhookProvider` implementations for the inbound surfaces\n * the substrate ships first-party verifiers for.\n *\n * Each provider implementation is intentionally thin: it delegates\n * signature verification to the corresponding pure function in\n * `connectors/webhooks.ts` and parses the body into one or more\n * normalized `WebhookEnvelope` rows. Anything provider-specific that\n * doesn't fit cleanly (Slack URL-verification handshake, etc.) is\n * surfaced via the envelope `eventType` so the consumer's `deliver()`\n * can branch.\n */\n\nimport {\n  firstHeader,\n  verifyHmacSignature,\n  verifySlackSignature,\n  verifyStripeSignature,\n} from '../connectors/webhooks.js'\nimport type { WebhookEnvelope, WebhookHeaders, WebhookProvider, SignatureVerification } from './router.js'\nimport { createHmac, timingSafeEqual } from 'node:crypto'\n\n/** Stripe webhook provider. Signature header `Stripe-Signature`. */\nexport const stripeWebhookProvider: WebhookProvider = {\n  id: 'stripe',\n  verifySignature({ rawBody, headers, secret }): SignatureVerification {\n    const sig = firstHeader(headers, 'stripe-signature')\n    if (!sig) return { valid: false, reason: 'missing_stripe_signature' }\n    return verifyStripeSignature(rawBody, sig, secret)\n      ? { valid: true }\n      : { valid: false, reason: 'invalid_signature' }\n  },\n  parse({ rawBody, headers, now }): WebhookEnvelope[] {\n    const evt = safeJson(rawBody)\n    if (!evt || typeof evt !== 'object') return []\n    const e = evt as { id?: unknown; type?: unknown }\n    return [\n      {\n        provider: 'stripe',\n        eventType: typeof e.type === 'string' ? e.type : 'stripe.unknown',\n        providerEventId: typeof e.id === 'string' ? e.id : undefined,\n        receivedAt: now ?? Date.now(),\n        payload: evt,\n        headers: normalizeHeaders(headers),\n      },\n    ]\n  },\n}\n\n/** Slack Events API provider. Handles the `url_verification` handshake\n *  by emitting a synthetic event the consumer's `deliver()` can echo. */\nexport const slackWebhookProvider: WebhookProvider = {\n  id: 'slack',\n  verifySignature({ rawBody, headers, secret }): SignatureVerification {\n    const sig = firstHeader(headers, 'x-slack-signature')\n    const ts = firstHeader(headers, 'x-slack-request-timestamp')\n    if (!sig || !ts) return { valid: false, reason: 'missing_slack_signature_or_timestamp' }\n    return verifySlackSignature(rawBody, sig, ts, secret)\n      ? { valid: true }\n      : { valid: false, reason: 'invalid_signature' }\n  },\n  parse({ rawBody, headers, now }): WebhookEnvelope[] {\n    const evt = safeJson(rawBody) as { type?: string; event_id?: string; event?: { type?: string } } | null\n    if (!evt || typeof evt !== 'object') return []\n    if (evt.type === 'url_verification') {\n      return [{\n        provider: 'slack',\n        eventType: 'slack.url_verification',\n        receivedAt: now ?? Date.now(),\n        payload: evt,\n        headers: normalizeHeaders(headers),\n      }]\n    }\n    const eventType = `slack.${evt.event?.type ?? evt.type ?? 'unknown'}`\n    return [{\n      provider: 'slack',\n      eventType,\n      providerEventId: typeof evt.event_id === 'string' ? evt.event_id : undefined,\n      receivedAt: now ?? Date.now(),\n      payload: evt,\n      headers: normalizeHeaders(headers),\n    }]\n  },\n}\n\n/** DocuSeal webhook provider. Signature header `X-Docuseal-Signature`. */\nexport const docusealWebhookProvider: WebhookProvider = {\n  id: 'docuseal',\n  verifySignature({ rawBody, headers, secret }): SignatureVerification {\n    const sig = firstHeader(headers, 'x-docuseal-signature')\n    if (!sig) return { valid: false, reason: 'missing_docuseal_signature' }\n    const expected = createHmac('sha256', secret).update(rawBody).digest('hex')\n    const a = Buffer.from(sig.toLowerCase(), 'utf-8')\n    const b = Buffer.from(expected, 'utf-8')\n    if (a.length !== b.length) return { valid: false, reason: 'invalid_signature' }\n    return timingSafeEqual(a, b) ? { valid: true } : { valid: false, reason: 'invalid_signature' }\n  },\n  parse({ rawBody, headers, now }): WebhookEnvelope[] {\n    const evt = safeJson(rawBody) as { event_type?: string; event_id?: string } | null\n    if (!evt || typeof evt !== 'object') return []\n    return [{\n      provider: 'docuseal',\n      eventType: `docuseal.${evt.event_type ?? 'unknown'}`,\n      providerEventId: typeof evt.event_id === 'string' ? evt.event_id : undefined,\n      receivedAt: now ?? Date.now(),\n      payload: evt,\n      headers: normalizeHeaders(headers),\n    }]\n  },\n}\n\n/** Gmail push provider. Cloud Pub/Sub posts a JWT-signed envelope; the\n *  *payload* is base64 JSON describing the changed history range. The\n *  signature scheme here is the Pub/Sub JWT auth header — when supplied,\n *  consumers SHOULD verify the JWT against Google's well-known\n *  certificates. We accept the simpler \"Bearer <pubsub-shared-secret>\"\n *  variant by default (matching `verifyHmacSignature`). */\nexport const gmailWebhookProvider: WebhookProvider = {\n  id: 'gmail',\n  verifySignature({ headers, secret }): SignatureVerification {\n    const auth = firstHeader(headers, 'authorization')\n    if (!auth) return { valid: false, reason: 'missing_authorization' }\n    // Accept either \"Bearer <secret>\" or \"Token <secret>\" formats. This\n    // is the simple per-tenant shared-secret path; JWT verification is\n    // left to the consumer's `deliver()` when they need full Google JWT\n    // chain validation.\n    const m = /^(?:Bearer|Token)\\s+(.+)$/i.exec(auth)\n    if (!m) return { valid: false, reason: 'invalid_authorization_format' }\n    const a = Buffer.from(m[1]!, 'utf-8')\n    const b = Buffer.from(secret, 'utf-8')\n    if (a.length !== b.length) return { valid: false, reason: 'invalid_signature' }\n    return timingSafeEqual(a, b) ? { valid: true } : { valid: false, reason: 'invalid_signature' }\n  },\n  parse({ rawBody, headers, now }): WebhookEnvelope[] {\n    const envelope = safeJson(rawBody) as { message?: { data?: string; messageId?: string; publishTime?: string } } | null\n    if (!envelope?.message?.data) return []\n    let payload: unknown\n    try {\n      payload = JSON.parse(Buffer.from(envelope.message.data, 'base64').toString('utf-8'))\n    } catch {\n      return []\n    }\n    const inner = payload as { historyId?: number | string; emailAddress?: string }\n    return [{\n      provider: 'gmail',\n      eventType: 'gmail.history_changed',\n      providerEventId: envelope.message.messageId,\n      receivedAt: now ?? Date.now(),\n      payload: { ...inner, publishTime: envelope.message.publishTime },\n      headers: normalizeHeaders(headers),\n    }]\n  },\n}\n\n/** Google Drive push provider. Drive does NOT sign the body — it uses\n *  the per-channel token (`X-Goog-Channel-Token`) as the shared secret.\n *  The router compares it constant-time against the resolved secret. */\nexport const gdriveWebhookProvider: WebhookProvider = {\n  id: 'gdrive',\n  verifySignature({ headers, secret }): SignatureVerification {\n    const token = firstHeader(headers, 'x-goog-channel-token')\n    if (!token) return { valid: false, reason: 'missing_channel_token' }\n    const a = Buffer.from(token, 'utf-8')\n    const b = Buffer.from(secret, 'utf-8')\n    if (a.length !== b.length) return { valid: false, reason: 'invalid_signature' }\n    return timingSafeEqual(a, b) ? { valid: true } : { valid: false, reason: 'invalid_signature' }\n  },\n  parse({ headers, now }): WebhookEnvelope[] {\n    const resourceId = firstHeader(headers, 'x-goog-resource-id')\n    const resourceState = firstHeader(headers, 'x-goog-resource-state') ?? 'unknown'\n    const channelId = firstHeader(headers, 'x-goog-channel-id')\n    const messageNumber = firstHeader(headers, 'x-goog-message-number')\n    if (resourceState === 'sync') {\n      return [{\n        provider: 'gdrive',\n        eventType: 'gdrive.channel.sync',\n        providerEventId: messageNumber ? `${channelId}-${messageNumber}` : undefined,\n        receivedAt: now ?? Date.now(),\n        payload: { channelId, resourceId, resourceState },\n        headers: normalizeHeaders(headers),\n      }]\n    }\n    return [{\n      provider: 'gdrive',\n      eventType: `gdrive.resource.${resourceState}`,\n      providerEventId: messageNumber ? `${channelId}-${messageNumber}` : undefined,\n      receivedAt: now ?? Date.now(),\n      payload: { channelId, resourceId, resourceState },\n      headers: normalizeHeaders(headers),\n    }]\n  },\n}\n\n/** Generic HMAC provider — for the long-tail webhook source where the\n *  caller has standardised on a single sha256-of-body scheme. Header\n *  `X-Signature` by default; override at provider-build time if needed. */\nexport function genericHmacWebhookProvider(options: {\n  id: string\n  signatureHeader?: string\n  algorithm?: 'sha256' | 'sha1' | 'sha512'\n  signaturePrefix?: string\n  /** Parser to convert the raw body into envelopes. Defaults to\n   *  \"one event with eventType=<provider>.event and payload=JSON\". */\n  parse?: WebhookProvider['parse']\n}): WebhookProvider {\n  const header = options.signatureHeader ?? 'x-signature'\n  return {\n    id: options.id,\n    verifySignature({ rawBody, headers, secret }) {\n      const sig = firstHeader(headers, header)\n      if (!sig) return { valid: false, reason: `missing_${header}` }\n      return verifyHmacSignature(rawBody, sig, secret, {\n        algorithm: options.algorithm ?? 'sha256',\n        signaturePrefix: options.signaturePrefix,\n      })\n        ? { valid: true }\n        : { valid: false, reason: 'invalid_signature' }\n    },\n    parse:\n      options.parse ??\n      (({ rawBody, headers, now }) => {\n        const evt = safeJson(rawBody) ?? rawBody\n        return [{\n          provider: options.id,\n          eventType: `${options.id}.event`,\n          receivedAt: now ?? Date.now(),\n          payload: evt,\n          headers: normalizeHeaders(headers),\n        }]\n      }),\n  }\n}\n\nfunction safeJson(s: string): unknown {\n  try {\n    return JSON.parse(s)\n  } catch {\n    return null\n  }\n}\n\nfunction normalizeHeaders(headers: WebhookHeaders): Record<string, string> {\n  const out: Record<string, string> = {}\n  for (const [k, v] of Object.entries(headers)) {\n    if (v === undefined) continue\n    const value = Array.isArray(v) ? v[0] : v\n    if (typeof value === 'string') out[k.toLowerCase()] = value\n  }\n  return out\n}\n"],"mappings":";;;;;;;;AAuIO,IAAM,gBAAN,MAAoB;AAAA,EACR;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,MAA4B;AACtC,SAAK,YAAY,IAAI,IAAI,KAAK,UAAU,IAAI,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;AAC7D,SAAK,UAAU,KAAK;AACpB,SAAK,gBAAgB,KAAK;AAC1B,SAAK,cAAc,KAAK;AACxB,SAAK,mBAAmB,KAAK,oBAAoB,IAAI,KAAK,KAAK,KAAK;AACpE,SAAK,UAAU,KAAK,WAAW;AAC/B,SAAK,QAAQ,KAAK,OAAO,KAAK;AAAA,EAChC;AAAA;AAAA;AAAA,EAIA,MAAM,OAAO,SAA+D;AAC1E,UAAM,WAAW,KAAK,UAAU,IAAI,QAAQ,UAAU;AACtD,QAAI,CAAC,UAAU;AACb,aAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,OAAO,oBAAoB,UAAU,QAAQ,WAAW,EAAE;AAAA,IAC1F;AACA,UAAM,SAAS,MAAM,KAAK,cAAc,SAAS,IAAI,QAAQ,OAAO;AACpE,QAAI,CAAC,QAAQ;AACX,aAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,OAAO,kBAAkB,UAAU,SAAS,GAAG,EAAE;AAAA,IACjF;AACA,UAAM,eAAe,SAAS,gBAAgB;AAAA,MAC5C,SAAS,QAAQ;AAAA,MACjB,SAAS,QAAQ;AAAA,MACjB;AAAA,IACF,CAAC;AACD,QAAI,CAAC,aAAa,OAAO;AACvB,aAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,OAAO,qBAAqB,QAAQ,aAAa,OAAO,EAAE;AAAA,IAC1F;AAEA,QAAI;AACJ,QAAI;AACF,eAAS,MAAM,SAAS,MAAM,EAAE,SAAS,QAAQ,SAAS,SAAS,QAAQ,SAAS,KAAK,KAAK,MAAM,EAAE,CAAC;AAAA,IACzG,SAAS,KAAK;AACZ,WAAK,QAAQ,KAAK,EAAE,UAAU,SAAS,GAAG,CAAC;AAC3C,aAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,OAAO,eAAe,SAAS,WAAW,GAAG,EAAE,EAAE;AAAA,IACjF;AAEA,UAAM,WAA8B,CAAC;AACrC,eAAW,SAAS,QAAQ;AAC1B,UAAI,MAAM,mBAAmB,KAAK,aAAa;AAC7C,cAAM,UAAU,MAAM,KAAK,YAAY,KAAK,MAAM,eAAe;AACjE,YAAI,QAAS;AAAA,MACf;AACA,eAAS,KAAK,KAAK;AAAA,IACrB;AAKA,mBAAe,MAAM;AACnB,WAAK,KAAK,YAAY,QAAQ;AAAA,IAChC,CAAC;AAED,WAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,UAAU,SAAS,QAAQ,OAAO,OAAO,OAAO,EAAE;AAAA,EAClF;AAAA,EAEA,MAAc,YAAY,QAA0C;AAClE,eAAW,SAAS,QAAQ;AAC1B,UAAI;AACF,cAAM,KAAK,QAAQ,KAAK;AACxB,YAAI,MAAM,mBAAmB,KAAK,aAAa;AAC7C,gBAAM,KAAK,YAAY,SAAS,MAAM,iBAAiB,KAAK,gBAAgB;AAAA,QAC9E;AAAA,MACF,SAAS,KAAK;AACZ,aAAK,QAAQ,KAAK;AAAA,UAChB,UAAU,MAAM;AAAA,UAChB,WAAW,MAAM;AAAA,UACjB,iBAAiB,MAAM;AAAA,QACzB,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,eAAe,KAAc,SAAmF;AAEvH,UAAQ,MAAM,mBAAmB,SAAS,GAAG;AAC/C;AAEA,SAAS,WAAW,KAAsB;AACxC,SAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AACxD;;;AC9MA,SAAS,YAAY,uBAAuB;AAGrC,IAAM,wBAAyC;AAAA,EACpD,IAAI;AAAA,EACJ,gBAAgB,EAAE,SAAS,SAAS,OAAO,GAA0B;AACnE,UAAM,MAAM,YAAY,SAAS,kBAAkB;AACnD,QAAI,CAAC,IAAK,QAAO,EAAE,OAAO,OAAO,QAAQ,2BAA2B;AACpE,WAAO,sBAAsB,SAAS,KAAK,MAAM,IAC7C,EAAE,OAAO,KAAK,IACd,EAAE,OAAO,OAAO,QAAQ,oBAAoB;AAAA,EAClD;AAAA,EACA,MAAM,EAAE,SAAS,SAAS,IAAI,GAAsB;AAClD,UAAM,MAAM,SAAS,OAAO;AAC5B,QAAI,CAAC,OAAO,OAAO,QAAQ,SAAU,QAAO,CAAC;AAC7C,UAAM,IAAI;AACV,WAAO;AAAA,MACL;AAAA,QACE,UAAU;AAAA,QACV,WAAW,OAAO,EAAE,SAAS,WAAW,EAAE,OAAO;AAAA,QACjD,iBAAiB,OAAO,EAAE,OAAO,WAAW,EAAE,KAAK;AAAA,QACnD,YAAY,OAAO,KAAK,IAAI;AAAA,QAC5B,SAAS;AAAA,QACT,SAAS,iBAAiB,OAAO;AAAA,MACnC;AAAA,IACF;AAAA,EACF;AACF;AAIO,IAAM,uBAAwC;AAAA,EACnD,IAAI;AAAA,EACJ,gBAAgB,EAAE,SAAS,SAAS,OAAO,GAA0B;AACnE,UAAM,MAAM,YAAY,SAAS,mBAAmB;AACpD,UAAM,KAAK,YAAY,SAAS,2BAA2B;AAC3D,QAAI,CAAC,OAAO,CAAC,GAAI,QAAO,EAAE,OAAO,OAAO,QAAQ,uCAAuC;AACvF,WAAO,qBAAqB,SAAS,KAAK,IAAI,MAAM,IAChD,EAAE,OAAO,KAAK,IACd,EAAE,OAAO,OAAO,QAAQ,oBAAoB;AAAA,EAClD;AAAA,EACA,MAAM,EAAE,SAAS,SAAS,IAAI,GAAsB;AAClD,UAAM,MAAM,SAAS,OAAO;AAC5B,QAAI,CAAC,OAAO,OAAO,QAAQ,SAAU,QAAO,CAAC;AAC7C,QAAI,IAAI,SAAS,oBAAoB;AACnC,aAAO,CAAC;AAAA,QACN,UAAU;AAAA,QACV,WAAW;AAAA,QACX,YAAY,OAAO,KAAK,IAAI;AAAA,QAC5B,SAAS;AAAA,QACT,SAAS,iBAAiB,OAAO;AAAA,MACnC,CAAC;AAAA,IACH;AACA,UAAM,YAAY,SAAS,IAAI,OAAO,QAAQ,IAAI,QAAQ,SAAS;AACnE,WAAO,CAAC;AAAA,MACN,UAAU;AAAA,MACV;AAAA,MACA,iBAAiB,OAAO,IAAI,aAAa,WAAW,IAAI,WAAW;AAAA,MACnE,YAAY,OAAO,KAAK,IAAI;AAAA,MAC5B,SAAS;AAAA,MACT,SAAS,iBAAiB,OAAO;AAAA,IACnC,CAAC;AAAA,EACH;AACF;AAGO,IAAM,0BAA2C;AAAA,EACtD,IAAI;AAAA,EACJ,gBAAgB,EAAE,SAAS,SAAS,OAAO,GAA0B;AACnE,UAAM,MAAM,YAAY,SAAS,sBAAsB;AACvD,QAAI,CAAC,IAAK,QAAO,EAAE,OAAO,OAAO,QAAQ,6BAA6B;AACtE,UAAM,WAAW,WAAW,UAAU,MAAM,EAAE,OAAO,OAAO,EAAE,OAAO,KAAK;AAC1E,UAAM,IAAI,OAAO,KAAK,IAAI,YAAY,GAAG,OAAO;AAChD,UAAM,IAAI,OAAO,KAAK,UAAU,OAAO;AACvC,QAAI,EAAE,WAAW,EAAE,OAAQ,QAAO,EAAE,OAAO,OAAO,QAAQ,oBAAoB;AAC9E,WAAO,gBAAgB,GAAG,CAAC,IAAI,EAAE,OAAO,KAAK,IAAI,EAAE,OAAO,OAAO,QAAQ,oBAAoB;AAAA,EAC/F;AAAA,EACA,MAAM,EAAE,SAAS,SAAS,IAAI,GAAsB;AAClD,UAAM,MAAM,SAAS,OAAO;AAC5B,QAAI,CAAC,OAAO,OAAO,QAAQ,SAAU,QAAO,CAAC;AAC7C,WAAO,CAAC;AAAA,MACN,UAAU;AAAA,MACV,WAAW,YAAY,IAAI,cAAc,SAAS;AAAA,MAClD,iBAAiB,OAAO,IAAI,aAAa,WAAW,IAAI,WAAW;AAAA,MACnE,YAAY,OAAO,KAAK,IAAI;AAAA,MAC5B,SAAS;AAAA,MACT,SAAS,iBAAiB,OAAO;AAAA,IACnC,CAAC;AAAA,EACH;AACF;AAQO,IAAM,uBAAwC;AAAA,EACnD,IAAI;AAAA,EACJ,gBAAgB,EAAE,SAAS,OAAO,GAA0B;AAC1D,UAAM,OAAO,YAAY,SAAS,eAAe;AACjD,QAAI,CAAC,KAAM,QAAO,EAAE,OAAO,OAAO,QAAQ,wBAAwB;AAKlE,UAAM,IAAI,6BAA6B,KAAK,IAAI;AAChD,QAAI,CAAC,EAAG,QAAO,EAAE,OAAO,OAAO,QAAQ,+BAA+B;AACtE,UAAM,IAAI,OAAO,KAAK,EAAE,CAAC,GAAI,OAAO;AACpC,UAAM,IAAI,OAAO,KAAK,QAAQ,OAAO;AACrC,QAAI,EAAE,WAAW,EAAE,OAAQ,QAAO,EAAE,OAAO,OAAO,QAAQ,oBAAoB;AAC9E,WAAO,gBAAgB,GAAG,CAAC,IAAI,EAAE,OAAO,KAAK,IAAI,EAAE,OAAO,OAAO,QAAQ,oBAAoB;AAAA,EAC/F;AAAA,EACA,MAAM,EAAE,SAAS,SAAS,IAAI,GAAsB;AAClD,UAAM,WAAW,SAAS,OAAO;AACjC,QAAI,CAAC,UAAU,SAAS,KAAM,QAAO,CAAC;AACtC,QAAI;AACJ,QAAI;AACF,gBAAU,KAAK,MAAM,OAAO,KAAK,SAAS,QAAQ,MAAM,QAAQ,EAAE,SAAS,OAAO,CAAC;AAAA,IACrF,QAAQ;AACN,aAAO,CAAC;AAAA,IACV;AACA,UAAM,QAAQ;AACd,WAAO,CAAC;AAAA,MACN,UAAU;AAAA,MACV,WAAW;AAAA,MACX,iBAAiB,SAAS,QAAQ;AAAA,MAClC,YAAY,OAAO,KAAK,IAAI;AAAA,MAC5B,SAAS,EAAE,GAAG,OAAO,aAAa,SAAS,QAAQ,YAAY;AAAA,MAC/D,SAAS,iBAAiB,OAAO;AAAA,IACnC,CAAC;AAAA,EACH;AACF;AAKO,IAAM,wBAAyC;AAAA,EACpD,IAAI;AAAA,EACJ,gBAAgB,EAAE,SAAS,OAAO,GAA0B;AAC1D,UAAM,QAAQ,YAAY,SAAS,sBAAsB;AACzD,QAAI,CAAC,MAAO,QAAO,EAAE,OAAO,OAAO,QAAQ,wBAAwB;AACnE,UAAM,IAAI,OAAO,KAAK,OAAO,OAAO;AACpC,UAAM,IAAI,OAAO,KAAK,QAAQ,OAAO;AACrC,QAAI,EAAE,WAAW,EAAE,OAAQ,QAAO,EAAE,OAAO,OAAO,QAAQ,oBAAoB;AAC9E,WAAO,gBAAgB,GAAG,CAAC,IAAI,EAAE,OAAO,KAAK,IAAI,EAAE,OAAO,OAAO,QAAQ,oBAAoB;AAAA,EAC/F;AAAA,EACA,MAAM,EAAE,SAAS,IAAI,GAAsB;AACzC,UAAM,aAAa,YAAY,SAAS,oBAAoB;AAC5D,UAAM,gBAAgB,YAAY,SAAS,uBAAuB,KAAK;AACvE,UAAM,YAAY,YAAY,SAAS,mBAAmB;AAC1D,UAAM,gBAAgB,YAAY,SAAS,uBAAuB;AAClE,QAAI,kBAAkB,QAAQ;AAC5B,aAAO,CAAC;AAAA,QACN,UAAU;AAAA,QACV,WAAW;AAAA,QACX,iBAAiB,gBAAgB,GAAG,SAAS,IAAI,aAAa,KAAK;AAAA,QACnE,YAAY,OAAO,KAAK,IAAI;AAAA,QAC5B,SAAS,EAAE,WAAW,YAAY,cAAc;AAAA,QAChD,SAAS,iBAAiB,OAAO;AAAA,MACnC,CAAC;AAAA,IACH;AACA,WAAO,CAAC;AAAA,MACN,UAAU;AAAA,MACV,WAAW,mBAAmB,aAAa;AAAA,MAC3C,iBAAiB,gBAAgB,GAAG,SAAS,IAAI,aAAa,KAAK;AAAA,MACnE,YAAY,OAAO,KAAK,IAAI;AAAA,MAC5B,SAAS,EAAE,WAAW,YAAY,cAAc;AAAA,MAChD,SAAS,iBAAiB,OAAO;AAAA,IACnC,CAAC;AAAA,EACH;AACF;AAKO,SAAS,2BAA2B,SAQvB;AAClB,QAAM,SAAS,QAAQ,mBAAmB;AAC1C,SAAO;AAAA,IACL,IAAI,QAAQ;AAAA,IACZ,gBAAgB,EAAE,SAAS,SAAS,OAAO,GAAG;AAC5C,YAAM,MAAM,YAAY,SAAS,MAAM;AACvC,UAAI,CAAC,IAAK,QAAO,EAAE,OAAO,OAAO,QAAQ,WAAW,MAAM,GAAG;AAC7D,aAAO,oBAAoB,SAAS,KAAK,QAAQ;AAAA,QAC/C,WAAW,QAAQ,aAAa;AAAA,QAChC,iBAAiB,QAAQ;AAAA,MAC3B,CAAC,IACG,EAAE,OAAO,KAAK,IACd,EAAE,OAAO,OAAO,QAAQ,oBAAoB;AAAA,IAClD;AAAA,IACA,OACE,QAAQ,UACP,CAAC,EAAE,SAAS,SAAS,IAAI,MAAM;AAC9B,YAAM,MAAM,SAAS,OAAO,KAAK;AACjC,aAAO,CAAC;AAAA,QACN,UAAU,QAAQ;AAAA,QAClB,WAAW,GAAG,QAAQ,EAAE;AAAA,QACxB,YAAY,OAAO,KAAK,IAAI;AAAA,QAC5B,SAAS;AAAA,QACT,SAAS,iBAAiB,OAAO;AAAA,MACnC,CAAC;AAAA,IACH;AAAA,EACJ;AACF;AAEA,SAAS,SAAS,GAAoB;AACpC,MAAI;AACF,WAAO,KAAK,MAAM,CAAC;AAAA,EACrB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,iBAAiB,SAAiD;AACzE,QAAM,MAA8B,CAAC;AACrC,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,OAAO,GAAG;AAC5C,QAAI,MAAM,OAAW;AACrB,UAAM,QAAQ,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI;AACxC,QAAI,OAAO,UAAU,SAAU,KAAI,EAAE,YAAY,CAAC,IAAI;AAAA,EACxD;AACA,SAAO;AACT;","names":[]}
+{"version":3,"sources":["../../src/webhooks/router.ts","../../src/webhooks/providers.ts"],"sourcesContent":["/**\n * @stable Provider-agnostic inbound webhook router.\n *\n * Consumer hooks a single HTTP handler at `/webhook/:provider/:event`\n * (or whatever pathing they prefer) and forwards the request through\n * `WebhookRouter.handle()`. The router:\n *\n *   1. Resolves the registered provider entry.\n *   2. Calls the provider's `verifySignature(rawBody, headers, secrets)`.\n *      Failure → 401 fast, no downstream work.\n *   3. Calls the provider's `parse(rawBody, headers)` to extract zero or\n *      more normalized events.\n *   4. Enqueues each event for async processing via the consumer-supplied\n *      `deliver(event)` callback (best-effort fire-and-forget — the\n *      router does NOT block the HTTP response on the consumer's work).\n *   5. Returns 200 fast with `{received: events.length}`.\n *\n * Replay protection: providers that sign timestamps (Stripe, Slack)\n * already reject stale signatures inside `verifySignature`. For providers\n * that don't (DocuSeal, GDrive push), the router exposes a pluggable\n * `idempotency` hook: if `idempotency.seen(providerEventId)` returns\n * true, the router 200s without invoking `deliver()`. Consumers wire\n * this to a durable kv (D1 / Redis / Postgres unique-index).\n *\n * Why a router and not a per-provider express app: the runtime contract\n * a product cares about is \"an inbound event came in, here's the\n * normalized envelope\". Verification, parsing, and idempotency-dedup\n * are mechanical and provider-specific — the router owns them. The\n * consumer's `deliver()` is the only place product logic runs.\n *\n * Stability: `@stable` — additions to `WebhookEnvelope` must be\n * additive; the router's HTTP contract (paths, status codes) is frozen\n * at 200 (ok), 400 (bad request), 401 (bad signature), 404 (unknown\n * provider), 405 (provider has no inbound surface).\n */\n\nexport interface WebhookHeaders {\n  [name: string]: string | string[] | undefined\n}\n\n/** Normalized inbound event the router emits after parsing. */\nexport interface WebhookEnvelope<TPayload = unknown> {\n  /** Provider id (matches the `:provider` path segment). */\n  provider: string\n  /** Optional event class — e.g., 'customer.subscription.deleted'. The\n   *  provider's parser decides. Used for routing inside `deliver()`. */\n  eventType: string\n  /** Provider-emitted event id, when present. Used for the idempotency\n   *  short-circuit. */\n  providerEventId?: string\n  /** Wall-clock receive time. */\n  receivedAt: number\n  /** Provider payload, normalized to the provider's documented event\n   *  shape. The router does NOT reshape this — `parse()` is the contract. */\n  payload: TPayload\n  /** Headers passed through for downstream handlers that want them\n   *  (e.g., to extract custom routing metadata). Always lowercased keys. */\n  headers: Record<string, string>\n}\n\nexport type SignatureVerification =\n  | { valid: true }\n  | { valid: false; reason: string }\n\n/** Per-provider plug-in. Stateless — the router calls `verifySignature`\n *  then `parse` on every request. The provider's HTTP-shape concerns\n *  (e.g., raw body required) are documented per provider. */\nexport interface WebhookProvider {\n  /** Stable provider id (`stripe`, `docuseal`, `gdrive`, ...). */\n  id: string\n  /** Verify the inbound signature. Receives the EXACT raw body string —\n   *  consumers MUST preserve raw bytes through their HTTP server (do not\n   *  parse JSON before forwarding here). */\n  verifySignature(input: {\n    rawBody: string\n    headers: WebhookHeaders\n    secret: string\n  }): SignatureVerification\n  /** Parse the validated raw body into zero or more normalized events.\n   *  A single push payload may carry multiple events (e.g., Slack bulk\n   *  delivery). Return [] to ack the push as a no-op. */\n  parse(input: {\n    rawBody: string\n    headers: WebhookHeaders\n    now?: number\n  }): WebhookEnvelope[] | Promise<WebhookEnvelope[]>\n}\n\nexport interface WebhookIdempotencyStore {\n  /** Returns true if this providerEventId has been processed already.\n   *  Implementations should be O(1) (Redis SETNX, D1 UNIQUE constraint). */\n  seen(providerEventId: string): Promise<boolean> | boolean\n  /** Marks a providerEventId as processed. Called AFTER `deliver()` has\n   *  been invoked. */\n  remember(providerEventId: string, ttlMs: number): Promise<void> | void\n}\n\nexport interface WebhookRouterOptions {\n  /** Provider registry. Pass any number of providers; routing is by id. */\n  providers: WebhookProvider[]\n  /** Async callback invoked with every accepted event. Fire-and-forget\n   *  from the router's perspective — the HTTP response is sent before\n   *  this resolves. Throws are caught and reported via `onError`. */\n  deliver(event: WebhookEnvelope): Promise<void> | void\n  /** Resolve the signing secret for a provider id at request time. The\n   *  router never holds secrets — the consumer's vault resolves them. */\n  resolveSecret(providerId: string, headers: WebhookHeaders): Promise<string | null> | string | null\n  /** Optional idempotency-dedup hook. Required for providers that don't\n   *  sign timestamps in their signature scheme (DocuSeal, Drive push). */\n  idempotency?: WebhookIdempotencyStore\n  /** TTL on idempotency entries. Default 7 days — long enough that a\n   *  provider's normal retry-window can't re-deliver. */\n  idempotencyTtlMs?: number\n  /** Surface delivery errors. Default: console.error. */\n  onError?(err: unknown, context: { provider: string; eventType?: string; providerEventId?: string }): void\n  /** Override `now()` for tests. */\n  now?(): number\n}\n\nexport interface WebhookRouterRequest {\n  providerId: string\n  rawBody: string\n  headers: WebhookHeaders\n}\n\nexport interface WebhookRouterResponse {\n  status: number\n  body: unknown\n  headers?: Record<string, string>\n}\n\n/**\n * Router instance. Stateless aside from the provider registry — safe to\n * share across requests; build once per process.\n */\nexport class WebhookRouter {\n  private readonly providers: Map<string, WebhookProvider>\n  private readonly deliver: WebhookRouterOptions['deliver']\n  private readonly resolveSecret: WebhookRouterOptions['resolveSecret']\n  private readonly idempotency?: WebhookIdempotencyStore\n  private readonly idempotencyTtlMs: number\n  private readonly onError: NonNullable<WebhookRouterOptions['onError']>\n  private readonly nowFn: () => number\n\n  constructor(opts: WebhookRouterOptions) {\n    this.providers = new Map(opts.providers.map((p) => [p.id, p]))\n    this.deliver = opts.deliver\n    this.resolveSecret = opts.resolveSecret\n    this.idempotency = opts.idempotency\n    this.idempotencyTtlMs = opts.idempotencyTtlMs ?? 7 * 24 * 60 * 60 * 1000\n    this.onError = opts.onError ?? defaultOnError\n    this.nowFn = opts.now ?? Date.now\n  }\n\n  /** Process one inbound webhook request. Pure with respect to side-\n   *  effects on the router instance — safe to call concurrently. */\n  async handle(request: WebhookRouterRequest): Promise<WebhookRouterResponse> {\n    const provider = this.providers.get(request.providerId)\n    if (!provider) {\n      return { status: 404, body: { error: 'unknown_provider', provider: request.providerId } }\n    }\n    const secret = await this.resolveSecret(provider.id, request.headers)\n    if (!secret) {\n      return { status: 401, body: { error: 'missing_secret', provider: provider.id } }\n    }\n    const verification = provider.verifySignature({\n      rawBody: request.rawBody,\n      headers: request.headers,\n      secret,\n    })\n    if (!verification.valid) {\n      return { status: 401, body: { error: 'invalid_signature', reason: verification.reason } }\n    }\n\n    let events: WebhookEnvelope[]\n    try {\n      events = await provider.parse({ rawBody: request.rawBody, headers: request.headers, now: this.nowFn() })\n    } catch (err) {\n      this.onError(err, { provider: provider.id })\n      return { status: 400, body: { error: 'parse_error', message: errMessage(err) } }\n    }\n\n    const accepted: WebhookEnvelope[] = []\n    for (const event of events) {\n      if (event.providerEventId && this.idempotency) {\n        const already = await this.idempotency.seen(event.providerEventId)\n        if (already) continue\n      }\n      accepted.push(event)\n    }\n\n    // Deliver async — do NOT block the HTTP response. Errors land in\n    // `onError`; the provider already got its 200 by then so it will\n    // not retry.\n    queueMicrotask(() => {\n      void this.deliverEach(accepted)\n    })\n\n    return { status: 200, body: { received: accepted.length, total: events.length } }\n  }\n\n  private async deliverEach(events: WebhookEnvelope[]): Promise<void> {\n    for (const event of events) {\n      try {\n        await this.deliver(event)\n        if (event.providerEventId && this.idempotency) {\n          await this.idempotency.remember(event.providerEventId, this.idempotencyTtlMs)\n        }\n      } catch (err) {\n        this.onError(err, {\n          provider: event.provider,\n          eventType: event.eventType,\n          providerEventId: event.providerEventId,\n        })\n      }\n    }\n  }\n}\n\nfunction defaultOnError(err: unknown, context: { provider: string; eventType?: string; providerEventId?: string }): void {\n  // eslint-disable-next-line no-console\n  console.error('[WebhookRouter]', context, err)\n}\n\nfunction errMessage(err: unknown): string {\n  return err instanceof Error ? err.message : String(err)\n}\n","/**\n * Pre-built `WebhookProvider` implementations for the inbound surfaces\n * the substrate ships first-party verifiers for.\n *\n * Each provider implementation is intentionally thin: it delegates\n * signature verification to the corresponding pure function in\n * `connectors/webhooks.ts` and parses the body into one or more\n * normalized `WebhookEnvelope` rows. Anything provider-specific that\n * doesn't fit cleanly (Slack URL-verification handshake, etc.) is\n * surfaced via the envelope `eventType` so the consumer's `deliver()`\n * can branch.\n */\n\nimport {\n  firstHeader,\n  verifyHmacSignature,\n  verifySlackSignature,\n  verifyStripeSignature,\n} from '../connectors/webhooks.js'\nimport type { WebhookEnvelope, WebhookHeaders, WebhookProvider, SignatureVerification } from './router.js'\nimport { createHmac, timingSafeEqual } from 'node:crypto'\n\n/** Stripe webhook provider. Signature header `Stripe-Signature`. */\nexport const stripeWebhookProvider: WebhookProvider = {\n  id: 'stripe',\n  verifySignature({ rawBody, headers, secret }): SignatureVerification {\n    const sig = firstHeader(headers, 'stripe-signature')\n    if (!sig) return { valid: false, reason: 'missing_stripe_signature' }\n    return verifyStripeSignature(rawBody, sig, secret)\n      ? { valid: true }\n      : { valid: false, reason: 'invalid_signature' }\n  },\n  parse({ rawBody, headers, now }): WebhookEnvelope[] {\n    const evt = safeJson(rawBody)\n    if (!evt || typeof evt !== 'object') return []\n    const e = evt as { id?: unknown; type?: unknown }\n    return [\n      {\n        provider: 'stripe',\n        eventType: typeof e.type === 'string' ? e.type : 'stripe.unknown',\n        providerEventId: typeof e.id === 'string' ? e.id : undefined,\n        receivedAt: now ?? Date.now(),\n        payload: evt,\n        headers: normalizeHeaders(headers),\n      },\n    ]\n  },\n}\n\n/** Slack Events API provider. Handles the `url_verification` handshake\n *  by emitting a synthetic event the consumer's `deliver()` can echo. */\nexport const slackWebhookProvider: WebhookProvider = {\n  id: 'slack',\n  verifySignature({ rawBody, headers, secret }): SignatureVerification {\n    const sig = firstHeader(headers, 'x-slack-signature')\n    const ts = firstHeader(headers, 'x-slack-request-timestamp')\n    if (!sig || !ts) return { valid: false, reason: 'missing_slack_signature_or_timestamp' }\n    return verifySlackSignature(rawBody, sig, ts, secret)\n      ? { valid: true }\n      : { valid: false, reason: 'invalid_signature' }\n  },\n  parse({ rawBody, headers, now }): WebhookEnvelope[] {\n    const evt = safeJson(rawBody) as { type?: string; event_id?: string; event?: { type?: string } } | null\n    if (!evt || typeof evt !== 'object') return []\n    if (evt.type === 'url_verification') {\n      return [{\n        provider: 'slack',\n        eventType: 'slack.url_verification',\n        receivedAt: now ?? Date.now(),\n        payload: evt,\n        headers: normalizeHeaders(headers),\n      }]\n    }\n    const eventType = `slack.${evt.event?.type ?? evt.type ?? 'unknown'}`\n    return [{\n      provider: 'slack',\n      eventType,\n      providerEventId: typeof evt.event_id === 'string' ? evt.event_id : undefined,\n      receivedAt: now ?? Date.now(),\n      payload: evt,\n      headers: normalizeHeaders(headers),\n    }]\n  },\n}\n\n/** DocuSeal webhook provider. Signature header `X-Docuseal-Signature`. */\nexport const docusealWebhookProvider: WebhookProvider = {\n  id: 'docuseal',\n  verifySignature({ rawBody, headers, secret }): SignatureVerification {\n    const sig = firstHeader(headers, 'x-docuseal-signature')\n    if (!sig) return { valid: false, reason: 'missing_docuseal_signature' }\n    const expected = createHmac('sha256', secret).update(rawBody).digest('hex')\n    const a = Buffer.from(sig.toLowerCase(), 'utf-8')\n    const b = Buffer.from(expected, 'utf-8')\n    if (a.length !== b.length) return { valid: false, reason: 'invalid_signature' }\n    return timingSafeEqual(a, b) ? { valid: true } : { valid: false, reason: 'invalid_signature' }\n  },\n  parse({ rawBody, headers, now }): WebhookEnvelope[] {\n    const evt = safeJson(rawBody) as { event_type?: string; event_id?: string } | null\n    if (!evt || typeof evt !== 'object') return []\n    return [{\n      provider: 'docuseal',\n      eventType: `docuseal.${evt.event_type ?? 'unknown'}`,\n      providerEventId: typeof evt.event_id === 'string' ? evt.event_id : undefined,\n      receivedAt: now ?? Date.now(),\n      payload: evt,\n      headers: normalizeHeaders(headers),\n    }]\n  },\n}\n\n/** Gmail push provider. Cloud Pub/Sub posts a JWT-signed envelope; the\n *  *payload* is base64 JSON describing the changed history range. The\n *  signature scheme here is the Pub/Sub JWT auth header — when supplied,\n *  consumers SHOULD verify the JWT against Google's well-known\n *  certificates. We accept the simpler \"Bearer <pubsub-shared-secret>\"\n *  variant by default (matching `verifyHmacSignature`). */\nexport const gmailWebhookProvider: WebhookProvider = {\n  id: 'gmail',\n  verifySignature({ headers, secret }): SignatureVerification {\n    const auth = firstHeader(headers, 'authorization')\n    if (!auth) return { valid: false, reason: 'missing_authorization' }\n    // Accept either \"Bearer <secret>\" or \"Token <secret>\" formats. This\n    // is the simple per-tenant shared-secret path; JWT verification is\n    // left to the consumer's `deliver()` when they need full Google JWT\n    // chain validation.\n    const m = /^(?:Bearer|Token)\\s+(.+)$/i.exec(auth)\n    if (!m) return { valid: false, reason: 'invalid_authorization_format' }\n    const a = Buffer.from(m[1]!, 'utf-8')\n    const b = Buffer.from(secret, 'utf-8')\n    if (a.length !== b.length) return { valid: false, reason: 'invalid_signature' }\n    return timingSafeEqual(a, b) ? { valid: true } : { valid: false, reason: 'invalid_signature' }\n  },\n  parse({ rawBody, headers, now }): WebhookEnvelope[] {\n    const envelope = safeJson(rawBody) as { message?: { data?: string; messageId?: string; publishTime?: string } } | null\n    if (!envelope?.message?.data) return []\n    let payload: unknown\n    try {\n      payload = JSON.parse(Buffer.from(envelope.message.data, 'base64').toString('utf-8'))\n    } catch {\n      return []\n    }\n    const inner = payload as { historyId?: number | string; emailAddress?: string }\n    return [{\n      provider: 'gmail',\n      eventType: 'gmail.history_changed',\n      providerEventId: envelope.message.messageId,\n      receivedAt: now ?? Date.now(),\n      payload: { ...inner, publishTime: envelope.message.publishTime },\n      headers: normalizeHeaders(headers),\n    }]\n  },\n}\n\n/** Google Drive push provider. Drive does NOT sign the body — it uses\n *  the per-channel token (`X-Goog-Channel-Token`) as the shared secret.\n *  The router compares it constant-time against the resolved secret. */\nexport const gdriveWebhookProvider: WebhookProvider = {\n  id: 'gdrive',\n  verifySignature({ headers, secret }): SignatureVerification {\n    const token = firstHeader(headers, 'x-goog-channel-token')\n    if (!token) return { valid: false, reason: 'missing_channel_token' }\n    const a = Buffer.from(token, 'utf-8')\n    const b = Buffer.from(secret, 'utf-8')\n    if (a.length !== b.length) return { valid: false, reason: 'invalid_signature' }\n    return timingSafeEqual(a, b) ? { valid: true } : { valid: false, reason: 'invalid_signature' }\n  },\n  parse({ headers, now }): WebhookEnvelope[] {\n    const resourceId = firstHeader(headers, 'x-goog-resource-id')\n    const resourceState = firstHeader(headers, 'x-goog-resource-state') ?? 'unknown'\n    const channelId = firstHeader(headers, 'x-goog-channel-id')\n    const messageNumber = firstHeader(headers, 'x-goog-message-number')\n    if (resourceState === 'sync') {\n      return [{\n        provider: 'gdrive',\n        eventType: 'gdrive.channel.sync',\n        providerEventId: messageNumber ? `${channelId}-${messageNumber}` : undefined,\n        receivedAt: now ?? Date.now(),\n        payload: { channelId, resourceId, resourceState },\n        headers: normalizeHeaders(headers),\n      }]\n    }\n    return [{\n      provider: 'gdrive',\n      eventType: `gdrive.resource.${resourceState}`,\n      providerEventId: messageNumber ? `${channelId}-${messageNumber}` : undefined,\n      receivedAt: now ?? Date.now(),\n      payload: { channelId, resourceId, resourceState },\n      headers: normalizeHeaders(headers),\n    }]\n  },\n}\n\n/** Generic HMAC provider — for the long-tail webhook source where the\n *  caller has standardised on a single sha256-of-body scheme. Header\n *  `X-Signature` by default; override at provider-build time if needed. */\nexport function genericHmacWebhookProvider(options: {\n  id: string\n  signatureHeader?: string\n  algorithm?: 'sha256' | 'sha1' | 'sha512'\n  signaturePrefix?: string\n  /** Parser to convert the raw body into envelopes. Defaults to\n   *  \"one event with eventType=<provider>.event and payload=JSON\". */\n  parse?: WebhookProvider['parse']\n}): WebhookProvider {\n  const header = options.signatureHeader ?? 'x-signature'\n  return {\n    id: options.id,\n    verifySignature({ rawBody, headers, secret }) {\n      const sig = firstHeader(headers, header)\n      if (!sig) return { valid: false, reason: `missing_${header}` }\n      return verifyHmacSignature(rawBody, sig, secret, {\n        algorithm: options.algorithm ?? 'sha256',\n        signaturePrefix: options.signaturePrefix,\n      })\n        ? { valid: true }\n        : { valid: false, reason: 'invalid_signature' }\n    },\n    parse:\n      options.parse ??\n      (({ rawBody, headers, now }) => {\n        const evt = safeJson(rawBody) ?? rawBody\n        return [{\n          provider: options.id,\n          eventType: `${options.id}.event`,\n          receivedAt: now ?? Date.now(),\n          payload: evt,\n          headers: normalizeHeaders(headers),\n        }]\n      }),\n  }\n}\n\nfunction safeJson(s: string): unknown {\n  try {\n    return JSON.parse(s)\n  } catch {\n    return null\n  }\n}\n\nfunction normalizeHeaders(headers: WebhookHeaders): Record<string, string> {\n  const out: Record<string, string> = {}\n  for (const [k, v] of Object.entries(headers)) {\n    if (v === undefined) continue\n    const value = Array.isArray(v) ? v[0] : v\n    if (typeof value === 'string') out[k.toLowerCase()] = value\n  }\n  return out\n}\n"],"mappings":";;;;;;;;;AAuIO,IAAM,gBAAN,MAAoB;AAAA,EACR;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,MAA4B;AACtC,SAAK,YAAY,IAAI,IAAI,KAAK,UAAU,IAAI,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;AAC7D,SAAK,UAAU,KAAK;AACpB,SAAK,gBAAgB,KAAK;AAC1B,SAAK,cAAc,KAAK;AACxB,SAAK,mBAAmB,KAAK,oBAAoB,IAAI,KAAK,KAAK,KAAK;AACpE,SAAK,UAAU,KAAK,WAAW;AAC/B,SAAK,QAAQ,KAAK,OAAO,KAAK;AAAA,EAChC;AAAA;AAAA;AAAA,EAIA,MAAM,OAAO,SAA+D;AAC1E,UAAM,WAAW,KAAK,UAAU,IAAI,QAAQ,UAAU;AACtD,QAAI,CAAC,UAAU;AACb,aAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,OAAO,oBAAoB,UAAU,QAAQ,WAAW,EAAE;AAAA,IAC1F;AACA,UAAM,SAAS,MAAM,KAAK,cAAc,SAAS,IAAI,QAAQ,OAAO;AACpE,QAAI,CAAC,QAAQ;AACX,aAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,OAAO,kBAAkB,UAAU,SAAS,GAAG,EAAE;AAAA,IACjF;AACA,UAAM,eAAe,SAAS,gBAAgB;AAAA,MAC5C,SAAS,QAAQ;AAAA,MACjB,SAAS,QAAQ;AAAA,MACjB;AAAA,IACF,CAAC;AACD,QAAI,CAAC,aAAa,OAAO;AACvB,aAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,OAAO,qBAAqB,QAAQ,aAAa,OAAO,EAAE;AAAA,IAC1F;AAEA,QAAI;AACJ,QAAI;AACF,eAAS,MAAM,SAAS,MAAM,EAAE,SAAS,QAAQ,SAAS,SAAS,QAAQ,SAAS,KAAK,KAAK,MAAM,EAAE,CAAC;AAAA,IACzG,SAAS,KAAK;AACZ,WAAK,QAAQ,KAAK,EAAE,UAAU,SAAS,GAAG,CAAC;AAC3C,aAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,OAAO,eAAe,SAAS,WAAW,GAAG,EAAE,EAAE;AAAA,IACjF;AAEA,UAAM,WAA8B,CAAC;AACrC,eAAW,SAAS,QAAQ;AAC1B,UAAI,MAAM,mBAAmB,KAAK,aAAa;AAC7C,cAAM,UAAU,MAAM,KAAK,YAAY,KAAK,MAAM,eAAe;AACjE,YAAI,QAAS;AAAA,MACf;AACA,eAAS,KAAK,KAAK;AAAA,IACrB;AAKA,mBAAe,MAAM;AACnB,WAAK,KAAK,YAAY,QAAQ;AAAA,IAChC,CAAC;AAED,WAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,UAAU,SAAS,QAAQ,OAAO,OAAO,OAAO,EAAE;AAAA,EAClF;AAAA,EAEA,MAAc,YAAY,QAA0C;AAClE,eAAW,SAAS,QAAQ;AAC1B,UAAI;AACF,cAAM,KAAK,QAAQ,KAAK;AACxB,YAAI,MAAM,mBAAmB,KAAK,aAAa;AAC7C,gBAAM,KAAK,YAAY,SAAS,MAAM,iBAAiB,KAAK,gBAAgB;AAAA,QAC9E;AAAA,MACF,SAAS,KAAK;AACZ,aAAK,QAAQ,KAAK;AAAA,UAChB,UAAU,MAAM;AAAA,UAChB,WAAW,MAAM;AAAA,UACjB,iBAAiB,MAAM;AAAA,QACzB,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,eAAe,KAAc,SAAmF;AAEvH,UAAQ,MAAM,mBAAmB,SAAS,GAAG;AAC/C;AAEA,SAAS,WAAW,KAAsB;AACxC,SAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AACxD;;;AC9MA,SAAS,YAAY,uBAAuB;AAGrC,IAAM,wBAAyC;AAAA,EACpD,IAAI;AAAA,EACJ,gBAAgB,EAAE,SAAS,SAAS,OAAO,GAA0B;AACnE,UAAM,MAAM,YAAY,SAAS,kBAAkB;AACnD,QAAI,CAAC,IAAK,QAAO,EAAE,OAAO,OAAO,QAAQ,2BAA2B;AACpE,WAAO,sBAAsB,SAAS,KAAK,MAAM,IAC7C,EAAE,OAAO,KAAK,IACd,EAAE,OAAO,OAAO,QAAQ,oBAAoB;AAAA,EAClD;AAAA,EACA,MAAM,EAAE,SAAS,SAAS,IAAI,GAAsB;AAClD,UAAM,MAAM,SAAS,OAAO;AAC5B,QAAI,CAAC,OAAO,OAAO,QAAQ,SAAU,QAAO,CAAC;AAC7C,UAAM,IAAI;AACV,WAAO;AAAA,MACL;AAAA,QACE,UAAU;AAAA,QACV,WAAW,OAAO,EAAE,SAAS,WAAW,EAAE,OAAO;AAAA,QACjD,iBAAiB,OAAO,EAAE,OAAO,WAAW,EAAE,KAAK;AAAA,QACnD,YAAY,OAAO,KAAK,IAAI;AAAA,QAC5B,SAAS;AAAA,QACT,SAAS,iBAAiB,OAAO;AAAA,MACnC;AAAA,IACF;AAAA,EACF;AACF;AAIO,IAAM,uBAAwC;AAAA,EACnD,IAAI;AAAA,EACJ,gBAAgB,EAAE,SAAS,SAAS,OAAO,GAA0B;AACnE,UAAM,MAAM,YAAY,SAAS,mBAAmB;AACpD,UAAM,KAAK,YAAY,SAAS,2BAA2B;AAC3D,QAAI,CAAC,OAAO,CAAC,GAAI,QAAO,EAAE,OAAO,OAAO,QAAQ,uCAAuC;AACvF,WAAO,qBAAqB,SAAS,KAAK,IAAI,MAAM,IAChD,EAAE,OAAO,KAAK,IACd,EAAE,OAAO,OAAO,QAAQ,oBAAoB;AAAA,EAClD;AAAA,EACA,MAAM,EAAE,SAAS,SAAS,IAAI,GAAsB;AAClD,UAAM,MAAM,SAAS,OAAO;AAC5B,QAAI,CAAC,OAAO,OAAO,QAAQ,SAAU,QAAO,CAAC;AAC7C,QAAI,IAAI,SAAS,oBAAoB;AACnC,aAAO,CAAC;AAAA,QACN,UAAU;AAAA,QACV,WAAW;AAAA,QACX,YAAY,OAAO,KAAK,IAAI;AAAA,QAC5B,SAAS;AAAA,QACT,SAAS,iBAAiB,OAAO;AAAA,MACnC,CAAC;AAAA,IACH;AACA,UAAM,YAAY,SAAS,IAAI,OAAO,QAAQ,IAAI,QAAQ,SAAS;AACnE,WAAO,CAAC;AAAA,MACN,UAAU;AAAA,MACV;AAAA,MACA,iBAAiB,OAAO,IAAI,aAAa,WAAW,IAAI,WAAW;AAAA,MACnE,YAAY,OAAO,KAAK,IAAI;AAAA,MAC5B,SAAS;AAAA,MACT,SAAS,iBAAiB,OAAO;AAAA,IACnC,CAAC;AAAA,EACH;AACF;AAGO,IAAM,0BAA2C;AAAA,EACtD,IAAI;AAAA,EACJ,gBAAgB,EAAE,SAAS,SAAS,OAAO,GAA0B;AACnE,UAAM,MAAM,YAAY,SAAS,sBAAsB;AACvD,QAAI,CAAC,IAAK,QAAO,EAAE,OAAO,OAAO,QAAQ,6BAA6B;AACtE,UAAM,WAAW,WAAW,UAAU,MAAM,EAAE,OAAO,OAAO,EAAE,OAAO,KAAK;AAC1E,UAAM,IAAI,OAAO,KAAK,IAAI,YAAY,GAAG,OAAO;AAChD,UAAM,IAAI,OAAO,KAAK,UAAU,OAAO;AACvC,QAAI,EAAE,WAAW,EAAE,OAAQ,QAAO,EAAE,OAAO,OAAO,QAAQ,oBAAoB;AAC9E,WAAO,gBAAgB,GAAG,CAAC,IAAI,EAAE,OAAO,KAAK,IAAI,EAAE,OAAO,OAAO,QAAQ,oBAAoB;AAAA,EAC/F;AAAA,EACA,MAAM,EAAE,SAAS,SAAS,IAAI,GAAsB;AAClD,UAAM,MAAM,SAAS,OAAO;AAC5B,QAAI,CAAC,OAAO,OAAO,QAAQ,SAAU,QAAO,CAAC;AAC7C,WAAO,CAAC;AAAA,MACN,UAAU;AAAA,MACV,WAAW,YAAY,IAAI,cAAc,SAAS;AAAA,MAClD,iBAAiB,OAAO,IAAI,aAAa,WAAW,IAAI,WAAW;AAAA,MACnE,YAAY,OAAO,KAAK,IAAI;AAAA,MAC5B,SAAS;AAAA,MACT,SAAS,iBAAiB,OAAO;AAAA,IACnC,CAAC;AAAA,EACH;AACF;AAQO,IAAM,uBAAwC;AAAA,EACnD,IAAI;AAAA,EACJ,gBAAgB,EAAE,SAAS,OAAO,GAA0B;AAC1D,UAAM,OAAO,YAAY,SAAS,eAAe;AACjD,QAAI,CAAC,KAAM,QAAO,EAAE,OAAO,OAAO,QAAQ,wBAAwB;AAKlE,UAAM,IAAI,6BAA6B,KAAK,IAAI;AAChD,QAAI,CAAC,EAAG,QAAO,EAAE,OAAO,OAAO,QAAQ,+BAA+B;AACtE,UAAM,IAAI,OAAO,KAAK,EAAE,CAAC,GAAI,OAAO;AACpC,UAAM,IAAI,OAAO,KAAK,QAAQ,OAAO;AACrC,QAAI,EAAE,WAAW,EAAE,OAAQ,QAAO,EAAE,OAAO,OAAO,QAAQ,oBAAoB;AAC9E,WAAO,gBAAgB,GAAG,CAAC,IAAI,EAAE,OAAO,KAAK,IAAI,EAAE,OAAO,OAAO,QAAQ,oBAAoB;AAAA,EAC/F;AAAA,EACA,MAAM,EAAE,SAAS,SAAS,IAAI,GAAsB;AAClD,UAAM,WAAW,SAAS,OAAO;AACjC,QAAI,CAAC,UAAU,SAAS,KAAM,QAAO,CAAC;AACtC,QAAI;AACJ,QAAI;AACF,gBAAU,KAAK,MAAM,OAAO,KAAK,SAAS,QAAQ,MAAM,QAAQ,EAAE,SAAS,OAAO,CAAC;AAAA,IACrF,QAAQ;AACN,aAAO,CAAC;AAAA,IACV;AACA,UAAM,QAAQ;AACd,WAAO,CAAC;AAAA,MACN,UAAU;AAAA,MACV,WAAW;AAAA,MACX,iBAAiB,SAAS,QAAQ;AAAA,MAClC,YAAY,OAAO,KAAK,IAAI;AAAA,MAC5B,SAAS,EAAE,GAAG,OAAO,aAAa,SAAS,QAAQ,YAAY;AAAA,MAC/D,SAAS,iBAAiB,OAAO;AAAA,IACnC,CAAC;AAAA,EACH;AACF;AAKO,IAAM,wBAAyC;AAAA,EACpD,IAAI;AAAA,EACJ,gBAAgB,EAAE,SAAS,OAAO,GAA0B;AAC1D,UAAM,QAAQ,YAAY,SAAS,sBAAsB;AACzD,QAAI,CAAC,MAAO,QAAO,EAAE,OAAO,OAAO,QAAQ,wBAAwB;AACnE,UAAM,IAAI,OAAO,KAAK,OAAO,OAAO;AACpC,UAAM,IAAI,OAAO,KAAK,QAAQ,OAAO;AACrC,QAAI,EAAE,WAAW,EAAE,OAAQ,QAAO,EAAE,OAAO,OAAO,QAAQ,oBAAoB;AAC9E,WAAO,gBAAgB,GAAG,CAAC,IAAI,EAAE,OAAO,KAAK,IAAI,EAAE,OAAO,OAAO,QAAQ,oBAAoB;AAAA,EAC/F;AAAA,EACA,MAAM,EAAE,SAAS,IAAI,GAAsB;AACzC,UAAM,aAAa,YAAY,SAAS,oBAAoB;AAC5D,UAAM,gBAAgB,YAAY,SAAS,uBAAuB,KAAK;AACvE,UAAM,YAAY,YAAY,SAAS,mBAAmB;AAC1D,UAAM,gBAAgB,YAAY,SAAS,uBAAuB;AAClE,QAAI,kBAAkB,QAAQ;AAC5B,aAAO,CAAC;AAAA,QACN,UAAU;AAAA,QACV,WAAW;AAAA,QACX,iBAAiB,gBAAgB,GAAG,SAAS,IAAI,aAAa,KAAK;AAAA,QACnE,YAAY,OAAO,KAAK,IAAI;AAAA,QAC5B,SAAS,EAAE,WAAW,YAAY,cAAc;AAAA,QAChD,SAAS,iBAAiB,OAAO;AAAA,MACnC,CAAC;AAAA,IACH;AACA,WAAO,CAAC;AAAA,MACN,UAAU;AAAA,MACV,WAAW,mBAAmB,aAAa;AAAA,MAC3C,iBAAiB,gBAAgB,GAAG,SAAS,IAAI,aAAa,KAAK;AAAA,MACnE,YAAY,OAAO,KAAK,IAAI;AAAA,MAC5B,SAAS,EAAE,WAAW,YAAY,cAAc;AAAA,MAChD,SAAS,iBAAiB,OAAO;AAAA,IACnC,CAAC;AAAA,EACH;AACF;AAKO,SAAS,2BAA2B,SAQvB;AAClB,QAAM,SAAS,QAAQ,mBAAmB;AAC1C,SAAO;AAAA,IACL,IAAI,QAAQ;AAAA,IACZ,gBAAgB,EAAE,SAAS,SAAS,OAAO,GAAG;AAC5C,YAAM,MAAM,YAAY,SAAS,MAAM;AACvC,UAAI,CAAC,IAAK,QAAO,EAAE,OAAO,OAAO,QAAQ,WAAW,MAAM,GAAG;AAC7D,aAAO,oBAAoB,SAAS,KAAK,QAAQ;AAAA,QAC/C,WAAW,QAAQ,aAAa;AAAA,QAChC,iBAAiB,QAAQ;AAAA,MAC3B,CAAC,IACG,EAAE,OAAO,KAAK,IACd,EAAE,OAAO,OAAO,QAAQ,oBAAoB;AAAA,IAClD;AAAA,IACA,OACE,QAAQ,UACP,CAAC,EAAE,SAAS,SAAS,IAAI,MAAM;AAC9B,YAAM,MAAM,SAAS,OAAO,KAAK;AACjC,aAAO,CAAC;AAAA,QACN,UAAU,QAAQ;AAAA,QAClB,WAAW,GAAG,QAAQ,EAAE;AAAA,QACxB,YAAY,OAAO,KAAK,IAAI;AAAA,QAC5B,SAAS;AAAA,QACT,SAAS,iBAAiB,OAAO;AAAA,MACnC,CAAC;AAAA,IACH;AAAA,EACJ;AACF;AAEA,SAAS,SAAS,GAAoB;AACpC,MAAI;AACF,WAAO,KAAK,MAAM,CAAC;AAAA,EACrB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,iBAAiB,SAAiD;AACzE,QAAM,MAA8B,CAAC;AACrC,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,OAAO,GAAG;AAC5C,QAAI,MAAM,OAAW;AACrB,UAAM,QAAQ,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI;AACxC,QAAI,OAAO,UAAU,SAAU,KAAI,EAAE,YAAY,CAAC,IAAI;AAAA,EACxD;AACA,SAAO;AACT;","names":[]}

package/docs/adapter-triage.md

@@ -49,48 +49,15 @@ Aliases matter when comparing coverage:
 - `stripe` maps to `stripe-pack` for outbound payment actions.
 - `twilio` maps to `twilio-sms`.
 
-## Tangle Catalog Execution Path
-
-The repo does not need hundreds of hand-written adapter files. Long-tail
-execution uses one strict catalog executor:
-
-```ts
-import {
-  createTangleCatalogExecutorProvider,
-  createTangleCatalogHttpExecutor,
-  IntegrationHub,
-} from '@tangle-network/agent-integrations'
-
-const provider = createTangleCatalogExecutorProvider({
-  executeAction: createTangleCatalogHttpExecutor({
-    endpoint: 'https://integrations.example.com/integration-runtime',
-    secret: process.env.TANGLE_CATALOG_RUNTIME_SECRET,
-  }),
-})
-
-const hub = new IntegrationHub({ providers: [provider], store, capabilitySecret })
-```
-
-This routes normalized Tangle Integrations Catalog contracts through a signed
-runtime executor. Without that executor, the same contracts remain useful for
-connection discovery, planning, and setup UI, but they are not exposed as
-callable tools.
-
-The execution boundary remains the Tangle boundary:
-
-- `IntegrationHub` checks connection status, scopes, capability tokens, policy,
-  approvals, and guard hooks.
-- The provider validates the connector and action before calling the executor.
-- The executor owns package loading, provider credentials, sandboxing, and
-  upstream runtime quirks.
-- Trigger contracts and provider hooks are present; runtime services still need
-  package-specific webhook or polling hosting for live trigger execution.
-
-Runtime images can prove their installed package coverage with:
-
-```sh
-tangle-catalog-runtime --audit-packages
-```
+## Direct Adapter Execution Path
+
+Product execution goes through native `ConnectorAdapter` implementations. The
+imported catalog is a coverage and backlog source, not an execution backend.
+
+When a connector matters, add or improve a file in `src/connectors/adapters/`,
+export it from `src/connectors/adapters/index.ts`, and cover the important
+actions with focused adapter tests. Keep action ids stable when porting from
+catalog metadata so agents and capability policies do not churn.
 
 ## Current Setup/Catalog Coverage
 

package/docs/external-product-integration.md

@@ -165,12 +165,11 @@ backend:
 
 - native adapter
 - hosted integration gateway
-- Tangle catalog runtime
 - product-specific provider
 
-Use `buildDefaultIntegrationRegistry({ tangleCatalogRuntimeExecutable: true })`
-only after the catalog runtime is deployed and audited with
-`auditTangleCatalogRuntimePackages()`.
+Imported catalog entries are backlog only. Do not expose them as callable tools
+until they are backed by a reviewed adapter or an intentionally owned hosted
+provider.
 
 ## Security Requirements
 

package/docs/integration-execution-audit.md

@@ -7,7 +7,7 @@ This audit separates product contracts from implementation backends:
 - **Tangle contract**: the connector has a Tangle-owned action/trigger/auth contract.
 - **Setup-ready**: we have setup/auth/runbook metadata for product UI and admin configuration.
 - **Native adapter backend**: this repo ships a reviewed direct adapter implementation.
-- **Package runtime backend**: a Tangle runtime service executes the connector package behind the same Tangle contract.
+- **Native adapter backlog**: a connector contract exists, but product-grade direct execution still needs a reviewed adapter.
 
 ## Summary
 
@@ -30,12 +30,12 @@ This audit separates product contracts from implementation backends:
 | Contracts with mapped actions | 669 |
 | Contracts with mapped triggers | 669 |
 | Contracts with mapped auth | 669 |
-| Native adapter backends | 10 |
-| Native adapter surfaces shipped | 17 |
-| Package-runtime backends | 659 |
-| Runtime manifest dependencies | 670 |
-| Tangle catalog connectors exposable behind runtime | 669 |
-| Tangle catalog actions exposable behind runtime | 3790 |
+| Native adapter backends | 432 |
+| Native adapter surfaces shipped | 466 |
+| Package-runtime backends | 237 |
+| Runtime manifest dependencies for catalog-only connectors | 238 |
+| Catalog-only connectors exposable behind runtime | 237 |
+| Catalog-only actions exposable behind runtime | 1081 |
 
 Full machine-readable matrix: [integration-execution-matrix.json](./integration-execution-matrix.json).
 
@@ -65,25 +65,91 @@ Full machine-readable matrix: [integration-execution-matrix.json](./integration-
 
 ## Native Adapter Backends
 
-These are direct in-repo implementations. They are not the only first-class contracts:
-
-- `google-calendar`
-- `google-sheets`
-- `microsoft-calendar`
-- `hubspot`
-- `slack`
-- `notion-database`
-- `twilio-sms`
-- `phony`
-- `stripe-pack`
-- `webhook`
-- `stripe`
-- `slack-inbound`
-- `github`
-- `gitlab`
+These are direct in-repo implementations. They are not the only first-class contracts.
+The full set is in the machine-readable matrix; representative native adapters:
+
+- `activecampaign`
+- `acumbamail`
+- `adobe-creative-cloud`
+- `afforai`
+- `agentx`
+- `aidbase`
+- `aiprise`
+- `air-ops`
+- `aircall`
 - `airtable`
+- `airtop`
+- `alai`
+- `alt-text-ai`
+- `alttextify`
+- `amazon-bedrock`
+- `amazon-secrets-manager`
+- `amazon-ses`
+- `amazon-sns`
+- `amazon-sqs`
+- `amazon-textract`
+- `aminos`
+- `ampeco`
+- `anthropic`
+- `apitable`
+- `apitemplate-io`
+- `apollo`
+- `appfollow`
 - `asana`
-- `salesforce`
+- `ashby`
+- `asknews`
+- `assemblyai`
+- `attio`
+- `auth0`
+- `autocalls`
+- `avian`
+- `avoma`
+- `azure-ad`
+- `azure-communication-services`
+- `azure-openai`
+- `backblaze`
+- `bamboohr`
+- `barcode-lookup`
+- `baremetrics`
+- `basecamp`
+- `beamer`
+- `bettermode`
+- `bexio`
+- `bigcommerce`
+- `bigin-by-zoho`
+- `billplz`
+- `bitly`
+- `bland-ai`
+- `bluesky`
+- `bolna`
+- `bonjoro`
+- `bookedin`
+- `box`
+- `brave-search`
+- `braze`
+- `brilliant-directories`
+- `browse-ai`
+- `cal-com`
+- `calendly`
+- `campaign-monitor`
+- `canny`
+- `canva`
+- `capsule-crm`
+- `captain-data`
+- `cashfree-payments`
+- `certopus`
+- `chainalysis-api`
+- `chargebee`
+- `chargekeep`
+- `chartly`
+- `chat-data`
+- `chatbase`
+- `chatling`
+- `chatnode`
+- `chatwoot`
+- `checkout`
+
+...and 386 more native adapter surfaces.
 
 Executable setup specs:
 
@@ -109,77 +175,77 @@ Executable setup specs:
 | --- | --- | --- |
 | Tangle first-class contracts | Done | 669 connectors have Tangle-owned action/trigger/auth/runtime contracts. |
 | Connector discovery/catalog search | Done | 669 catalog connectors, 3790 actions, 998 triggers normalized into Tangle catalog shapes. |
-| Native adapter execution | Done for listed native backends | 17 reviewed native adapter surfaces ship from this package; 10 overlap the 669 catalog contracts. |
+| Native adapter execution | Done for listed native backends | 466 reviewed native adapter surfaces ship from this package; 432 overlap the 669 catalog contracts. |
 | OAuth/API-key setup metadata | Partial | 142 setup specs exist; 14 are executable setup specs and 128 are catalog/setup-only. |
-| Package-runtime action execution | Wiring done; runtime deployment/smoke pending | 659 contracts use package-runtime backends with package names and 3790 catalog upstream action names. |
-| Runtime dependency manifest | Done | `buildTangleCatalogRuntimePackageManifest()` emits 670 dependencies for a complete package-runtime worker install. |
-| Runtime package coverage audit | Done | `auditTangleCatalogRuntimePackages()` and `tangle-catalog-runtime --audit-packages` verify installed packages, piece exports, exact action mappings, and trigger surfaces in a deployed worker. |
+| Direct adapter backlog | Tracked | 237 contracts still need native/direct adapters before they should be product-executable. |
+| Legacy runtime dependency manifest | Deprecated | `buildTangleCatalogRuntimePackageManifest()` is retained only as an audit/provenance helper; products should not deploy a package runner for normal execution. |
+| Runtime package coverage audit | Removed from launch path | Package-runner smoke is no longer a product launch gate; port demanded integrations to direct adapters instead. |
 | Long-tail credential mapping | Mostly mapped | 648 connectors have auth field metadata. 0 custom-auth connectors still need exact manual auth fields. |
 | Trigger provider flow | Done structurally | 998 triggers are cataloged, 998 have upstream names, and catalog providers can route subscribe/unsubscribe/normalize hooks. Runtime services still need package-specific trigger hosting. |
-| Sandbox/app invocation envelope | Done | The library has capability bundles, invocation envelopes, policy checks, guard hooks, signed catalog runtime HTTP calls, and generated-app client helpers. |
+| Sandbox/app invocation envelope | Done | The library has capability bundles, invocation envelopes, policy checks, guard hooks, and generated-app client helpers. |
 | Live provider smoke tests | Not globally done | First-party adapters can be tested by consumers with credentials; long-tail smoke matrix is not generated yet. |
 
 ## Concrete Not-Done Buckets
 
 | Bucket | Count | What it means |
 | --- | ---: | --- |
-| Package-runtime contracts needing deployed runtime smoke verification | 659 | Connector has a Tangle contract and package backend; deployed runtime still needs package-load/live-smoke proof. |
+| Contracts needing native/direct adapters | 237 | Connector has a Tangle contract but no reviewed direct adapter yet. |
 | Catalog connectors with zero upstream action names | 0 | These entries need catalog action-name mapping before exact package-runtime invocation can work. |
 | Custom-auth catalog connectors needing manual credential-field mapping | 0 | These are still custom auth and no field names were extracted from source. |
 | Catalog connectors with triggers needing runtime-service hosting | 288 | Trigger metadata and provider hooks exist; runtime services still need package-specific webhook/polling hosting. |
 
-Examples needing deployed runtime smoke verification:
+Examples needing native/direct adapter ports:
 
-- `activecampaign` -> `@activepieces/piece-activecampaign`
 - `activepieces` -> `@activepieces/piece-activepieces`
 - `actualbudget` -> `@activepieces/piece-actualbudget`
 - `acuity-scheduling` -> `@activepieces/piece-acuity-scheduling`
-- `acumbamail` -> `@activepieces/piece-acumbamail`
-- `afforai` -> `@activepieces/piece-afforai`
-- `agentx` -> `@activepieces/piece-agentx`
 - `ai` -> `@activepieces/piece-ai`
 - `aianswer` -> `@activepieces/piece-aianswer`
-- `aidbase` -> `@activepieces/piece-aidbase`
-- `aiprise` -> `@activepieces/piece-aiprise`
-- `air-ops` -> `@activepieces/piece-air-ops`
-- `aircall` -> `@activepieces/piece-aircall`
 - `airparser` -> `@activepieces/piece-airparser`
-- `airtop` -> `@activepieces/piece-airtop`
-- `alai` -> `@activepieces/piece-alai`
 - `algolia` -> `@activepieces/piece-algolia`
-- `alt-text-ai` -> `@activepieces/piece-alt-text-ai`
-- `alttextify` -> `@activepieces/piece-alttextify`
-- `amazon-bedrock` -> `@activepieces/piece-amazon-bedrock`
 - `amazon-s3` -> `@activepieces/piece-amazon-s3`
-- `amazon-secrets-manager` -> `@activepieces/piece-amazon-secrets-manager`
-- `amazon-ses` -> `@activepieces/piece-amazon-ses`
-- `amazon-sns` -> `@activepieces/piece-amazon-sns`
-- `amazon-sqs` -> `@activepieces/piece-amazon-sqs`
-- `amazon-textract` -> `@activepieces/piece-amazon-textract`
-- `aminos` -> `@activepieces/piece-aminos`
-- `ampeco` -> `@activepieces/piece-ampeco`
 - `anyhook-graphql` -> `@activepieces/piece-anyhook-graphql`
 - `anyhook-websocket` -> `@activepieces/piece-anyhook-websocket`
 - `apify` -> `@activepieces/piece-apify`
-- `apitable` -> `@activepieces/piece-apitable`
-- `apitemplate-io` -> `@activepieces/piece-apitemplate-io`
-- `apollo` -> `@activepieces/piece-apollo`
-- `appfollow` -> `@activepieces/piece-appfollow`
-- `ashby` -> `@activepieces/piece-ashby`
 - `ask-handle` -> `@activepieces/piece-ask-handle`
-- `asknews` -> `@activepieces/piece-asknews`
 - `assembled` -> `@activepieces/piece-assembled`
-- `assemblyai` -> `@activepieces/piece-assemblyai`
+- `azure-blob-storage` -> `@activepieces/piece-azure-blob-storage`
+- `bannerbear` -> `@activepieces/piece-bannerbear`
+- `base44` -> `@activepieces/piece-base44`
+- `baserow` -> `@activepieces/piece-baserow`
+- `beehiiv` -> `@activepieces/piece-beehiiv`
+- `bika` -> `@activepieces/piece-bika`
+- `binance` -> `@activepieces/piece-binance`
+- `blockscout` -> `@activepieces/piece-blockscout`
+- `bokio` -> `@activepieces/piece-bokio`
+- `browserless` -> `@activepieces/piece-browserless`
+- `bubble` -> `@activepieces/piece-bubble`
+- `bumpups` -> `@activepieces/piece-bumpups`
+- `bursty-ai` -> `@activepieces/piece-bursty-ai`
+- `buttondown` -> `@activepieces/piece-buttondown`
+- `call-rounded` -> `@activepieces/piece-rounded-studio`
+- `camb-ai` -> `@activepieces/piece-camb-ai`
+- `carbone` -> `@activepieces/piece-carbone`
+- `cartloom` -> `@activepieces/piece-cartloom`
+- `chain-aware` -> `@activepieces/piece-chain-aware`
+- `chaindesk` -> `@activepieces/piece-chaindesk`
+- `chat-aid` -> `@activepieces/piece-chat-aid`
+- `chatfly` -> `@activepieces/piece-chatfly`
+- `chatsistant` -> `@activepieces/piece-chatsistant`
+- `chess-com` -> `@activepieces/piece-chess-com`
+- `clarifai` -> `@activepieces/piece-clarifai`
+- `claude` -> `@activepieces/piece-claude`
+- `clearoutphone` -> `@activepieces/piece-clearoutphone`
 
 Manual custom auth mapping gap: none.
 
 ## Completion Claims And Remaining Proof Gates
 
 1. **Tangle first-class connector contracts are complete.**
-   All 669 catalog entries have Tangle-owned contracts. 10 use native adapter backends; 659 use package-runtime backends.
+   All 669 catalog entries have Tangle-owned contracts. 432 use native adapter backends; 237 are backlog for native ports.
 
 2. **Action-name mapping exists for cataloged actions.**
-   Done for cataloged actions: the catalog currently has 3790 actions and 3790 upstream action-name mappings in the checked-in catalog. The runtime executor uses those names automatically and still accepts explicit `actionAliases` for overrides. Deployed smoke verification proves those names against the installed packages.
+   Done for cataloged actions: the catalog currently has 3790 actions and 3790 upstream action-name mappings in the checked-in catalog. Direct adapters should preserve stable Tangle action ids when porting demanded backlog connectors.
 
 3. **Credential field mapping is complete for catalog auth setup.**
    Auth shapes are api_key: 519, oauth2: 118, none: 21, custom: 11. The catalog now includes auth field metadata for all 648 connectors that require credentials. 0 custom-auth connectors need manual auth-field mapping.
@@ -188,19 +254,17 @@ Manual custom auth mapping gap: none.
    There are 998 catalog triggers and 998 upstream trigger names. The provider flow supports trigger subscribe/unsubscribe/normalize hooks. Runtime services still need live webhook/polling smoke verification.
 
 5. **Native adapter coverage is intentionally smaller than contract breadth.**
-   This repo ships 17 native adapter surfaces. 10 overlap the 669 catalog contracts; the other first-class contracts use package-runtime backends.
+   This repo ships 466 native adapter surfaces. 432 overlap the 669 catalog contracts; the remaining catalog contracts are not product-executable until ported.
 
 ## Concrete Launch Interpretation
 
 - It is accurate to say: **we have 669 first-class Tangle integration contracts.**
-- It is accurate to say: **all product code can use one IntegrationHub/tool contract across native and package-runtime backends.**
-- It is accurate to say: **deployed runtime smoke verification is the remaining proof step for package-runtime connectors.**
+- It is accurate to say: **product execution should use direct/native adapters.**
+- It is accurate to say: **the remaining 237 catalog-only contracts are backlog, not runtime-ready product surface.**
 
-## Runtime Proof Gate
+## Native Port Gate
 
-Run `tangle-catalog-runtime --audit-packages` inside the deployed runtime image
-after installing the manifest from `--print-package-json` or
-`--print-pnpm-add`. That produces the concrete package-load/action-map/trigger
-surface matrix for the exact runtime image products will call. Live provider
-smoke tests still require real OAuth/API-key credentials from the product
-environment.
+Port high-demand backlog connectors into `src/connectors/adapters/`, export
+them from `src/connectors/adapters/index.ts`, add focused adapter tests, and
+rerun this audit. Live provider smoke tests still require real OAuth/API-key
+credentials from the product environment.