npm - @thebes/cadmea-plugin-ecommerce-square - Versions diffs - 1.0.0 - Mend

@thebes/cadmea-plugin-ecommerce-square 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 BowenLabs
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,68 @@
+# @thebes/cadmea-plugin-ecommerce-square
+Square's [`PaymentProvider`](https://www.npmjs.com/package/@thebes/cadmea-plugin-ecommerce)
+implementation for [Cadmea](https://github.com/bowenlabs/project-thebes)'s
+ecommerce extension — raw `fetch()` against Square's REST API +
+`crypto.subtle` for webhook signature verification. **No Square Node SDK,
+ever** — it's Node-targeted and never runs in a V8 isolate.
+```bash
+pnpm add @thebes/cadmea-plugin-ecommerce-square @thebes/cadmea-plugin-ecommerce
+```
+## Server-side
+```ts
+import { createSquarePaymentProvider } from "@thebes/cadmea-plugin-ecommerce-square";
+const provider = createSquarePaymentProvider({
+  accessToken: env.SQUARE_ACCESS_TOKEN,
+  locationId: env.SQUARE_LOCATION_ID, // or string[] for multi-location
+  environment: "sandbox", // or "production"
+});
+```
+Pass `provider` to `@thebes/cadmea-plugin-ecommerce`'s `createCheckoutHandler`/
+`createWebhookHandler`. Webhook signature verification follows Square's
+documented algorithm exactly: `HMAC-SHA256(notificationUrl + rawBody,
+signatureKey)`, base64-encoded, checked against the
+`x-square-hmacsha256-signature` header — fails closed (returns `false`,
+never throws) if no `notificationUrl` is configured, since Square's scheme
+genuinely needs one.
+**Not implemented in this first cut:** `catalogSync` and `subscriptions` —
+Square's loyalty/recurring-order model doesn't map cleanly onto either
+optional `PaymentProvider` capability without further design. Use
+`@thebes/cadmea-plugin-ecommerce-stripe` if you need native subscriptions.
+## Client-side tokenization
+A separate `/client` subpath — card data must never reach the Worker, so
+tokenization happens entirely in the browser via Square's Web Payments SDK
+(loaded dynamically, no bundler config needed). This is **not a SolidJS
+component** — it's a thin, framework-agnostic helper, the same precedent
+this codebase already set for Phosphor icons and TipTap (no official Solid
+binding exists for Square's SDK either, so the vendor's own
+framework-agnostic build is used directly):
+```ts
+import { createSquareCardField } from "@thebes/cadmea-plugin-ecommerce-square/client";
+const card = await createSquareCardField(containerEl, {
+  applicationId: PUBLIC_SQUARE_APPLICATION_ID,
+  locationId: PUBLIC_SQUARE_LOCATION_ID,
+  environment: "sandbox",
+});
+// on checkout submit:
+const paymentSourceToken = await card.tokenize();
+```
+`@thebes/cadmea-plugin-ecommerce-stripe/client`'s `createStripeCardField`
+shares the exact same `{ tokenize(), destroy() }` shape — swapping
+providers means swapping which helper you call, not rewriting your
+checkout UI.
+## License
+MIT © BowenLabs

package/dist/client.cjs ADDED Viewed

@@ -0,0 +1,50 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+//#region src/client.ts
+function sdkUrl(environment) {
+	return environment === "production" ? "https://web.squarecdn.com/v1/square.js" : "https://sandbox.web.squarecdn.com/v1/square.js";
+}
+let sdkLoadPromise;
+function loadSquareSdk(environment) {
+	if (window.Square) return Promise.resolve(window.Square);
+	if (sdkLoadPromise) return sdkLoadPromise;
+	sdkLoadPromise = new Promise((resolve, reject) => {
+		const script = document.createElement("script");
+		script.src = sdkUrl(environment);
+		script.onload = () => resolve(window.Square);
+		script.onerror = () => reject(/* @__PURE__ */ new Error(`Failed to load Square Web Payments SDK from ${script.src}`));
+		document.head.appendChild(script);
+	});
+	return sdkLoadPromise;
+}
+/**
+* Loads the Square Web Payments SDK (if not already present), initializes
+* a card field, and attaches it to `container`. The returned `tokenize()`
+* produces a one-time payment source token suitable for
+* `PaymentProvider.checkout`'s `paymentSourceToken` — raw card data never
+* leaves the browser.
+*
+* ```ts
+* const card = await createSquareCardField(containerEl, { applicationId, locationId });
+* // ...on checkout submit:
+* const token = await card.tokenize();
+* await fetch("/api/checkout", { method: "POST", body: JSON.stringify({ paymentSourceToken: token, ... }) });
+* ```
+*/
+async function createSquareCardField(container, options) {
+	const card = await (await loadSquareSdk(options.environment)).payments(options.applicationId, options.locationId).card();
+	await card.attach(container);
+	return {
+		async tokenize() {
+			const result = await card.tokenize();
+			if (result.status !== "OK") throw new Error(`Square card tokenization failed: ${result.status}${result.errors ? ` — ${JSON.stringify(result.errors)}` : ""}`);
+			return result.token;
+		},
+		async destroy() {
+			await card.destroy();
+		}
+	};
+}
+//#endregion
+exports.createSquareCardField = createSquareCardField;
+//# sourceMappingURL=client.cjs.map

package/dist/client.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"client.cjs","names":[],"sources":["../src/client.ts"],"sourcesContent":["// Copyright (c) 2026 BowenLabs. All rights reserved.\n// MIT licensed. See LICENSE in the repo root.\n//\n// Browser-only client-side tokenization helper — a separate subpath\n// (`@thebes/cadmea-plugin-ecommerce-square/client`) so the server-side\n// provider entry never pulls in anything DOM-shaped, and vice versa.\n//\n// Square's Web Payments SDK is already vanilla, framework-agnostic,\n// DOM-attach JS with no official Solid binding — same shape of gap as\n// Phosphor icons and TipTap (both resolved in this codebase's DECISIONS.md\n// 2026-06-19 entry by using the vendor's framework-agnostic build\n// directly, not an unofficial wrapper). This file follows that precedent:\n// it is NOT a Solid component, has no JSX — just script-tag loading + SDK\n// init + card.attach()/card.tokenize() boilerplate, so every consumer\n// doesn't hand-roll the same dance. Card data never reaches the Worker —\n// tokenization happens entirely in the browser, here.\n\nexport interface SquareCardFieldOptions {\n applicationId: string;\n locationId: string;\n environment?: \"sandbox\" | \"production\";\n}\n\nexport interface CardField {\n tokenize(): Promise<string>;\n destroy(): Promise<void>;\n}\n\n// biome-ignore lint/suspicious/noExplicitAny: the Square Web Payments SDK ships no official TypeScript types for the `window.Square` global\ntype SquareGlobal = any;\n\nfunction sdkUrl(environment: SquareCardFieldOptions[\"environment\"]): string {\n return environment === \"production\"\n ? \"https://web.squarecdn.com/v1/square.js\"\n : \"https://sandbox.web.squarecdn.com/v1/square.js\";\n}\n\nlet sdkLoadPromise: Promise<SquareGlobal> | undefined;\n\nfunction loadSquareSdk(\n environment: SquareCardFieldOptions[\"environment\"],\n): Promise<SquareGlobal> {\n if ((window as { Square?: SquareGlobal }).Square) {\n return Promise.resolve((window as { Square?: SquareGlobal }).Square);\n }\n if (sdkLoadPromise) return sdkLoadPromise;\n\n sdkLoadPromise = new Promise((resolve, reject) => {\n const script = document.createElement(\"script\");\n script.src = sdkUrl(environment);\n script.onload = () => resolve((window as { Square?: SquareGlobal }).Square);\n script.onerror = () =>\n reject(\n new Error(`Failed to load Square Web Payments SDK from ${script.src}`),\n );\n document.head.appendChild(script);\n });\n return sdkLoadPromise;\n}\n\n/**\n * Loads the Square Web Payments SDK (if not already present), initializes\n * a card field, and attaches it to `container`. The returned `tokenize()`\n * produces a one-time payment source token suitable for\n * `PaymentProvider.checkout`'s `paymentSourceToken` — raw card data never\n * leaves the browser.\n *\n * ```ts\n * const card = await createSquareCardField(containerEl, { applicationId, locationId });\n * // ...on checkout submit:\n * const token = await card.tokenize();\n * await fetch(\"/api/checkout\", { method: \"POST\", body: JSON.stringify({ paymentSourceToken: token, ... }) });\n * ```\n */\nexport async function createSquareCardField(\n container: HTMLElement | string,\n options: SquareCardFieldOptions,\n): Promise<CardField> {\n const Square = await loadSquareSdk(options.environment);\n const payments = Square.payments(options.applicationId, options.locationId);\n const card = await payments.card();\n await card.attach(container);\n\n return {\n async tokenize() {\n const result = await card.tokenize();\n if (result.status !== \"OK\") {\n throw new Error(\n `Square card tokenization failed: ${result.status}${\n result.errors ? ` — ${JSON.stringify(result.errors)}` : \"\"\n }`,\n );\n }\n return result.token as string;\n },\n async destroy() {\n await card.destroy();\n },\n };\n}\n"],"mappings":";;AA+BA,SAAS,OAAO,aAA4D;CAC1E,OAAO,gBAAgB,eACnB,2CACA;AACN;AAEA,IAAI;AAEJ,SAAS,cACP,aACuB;CACvB,IAAK,OAAqC,QACxC,OAAO,QAAQ,QAAS,OAAqC,MAAM;CAErE,IAAI,gBAAgB,OAAO;CAE3B,iBAAiB,IAAI,SAAS,SAAS,WAAW;EAChD,MAAM,SAAS,SAAS,cAAc,QAAQ;EAC9C,OAAO,MAAM,OAAO,WAAW;EAC/B,OAAO,eAAe,QAAS,OAAqC,MAAM;EAC1E,OAAO,gBACL,uBACE,IAAI,MAAM,+CAA+C,OAAO,KAAK,CACvE;EACF,SAAS,KAAK,YAAY,MAAM;CAClC,CAAC;CACD,OAAO;AACT;;;;;;;;;;;;;;;AAgBA,eAAsB,sBACpB,WACA,SACoB;CAGpB,MAAM,OAAO,OADI,MADI,cAAc,QAAQ,WAAW,EAAA,CAC9B,SAAS,QAAQ,eAAe,QAAQ,UACtC,CAAC,CAAC,KAAK;CACjC,MAAM,KAAK,OAAO,SAAS;CAE3B,OAAO;EACL,MAAM,WAAW;GACf,MAAM,SAAS,MAAM,KAAK,SAAS;GACnC,IAAI,OAAO,WAAW,MACpB,MAAM,IAAI,MACR,oCAAoC,OAAO,SACzC,OAAO,SAAS,MAAM,KAAK,UAAU,OAAO,MAAM,MAAM,IAE5D;GAEF,OAAO,OAAO;EAChB;EACA,MAAM,UAAU;GACd,MAAM,KAAK,QAAQ;EACrB;CACF;AACF"}

package/dist/client.d.cts ADDED Viewed

@@ -0,0 +1,28 @@
+//#region src/client.d.ts
+interface SquareCardFieldOptions {
+  applicationId: string;
+  locationId: string;
+  environment?: "sandbox" | "production";
+}
+interface CardField {
+  tokenize(): Promise<string>;
+  destroy(): Promise<void>;
+}
+/**
+ * Loads the Square Web Payments SDK (if not already present), initializes
+ * a card field, and attaches it to `container`. The returned `tokenize()`
+ * produces a one-time payment source token suitable for
+ * `PaymentProvider.checkout`'s `paymentSourceToken` — raw card data never
+ * leaves the browser.
+ *
+ * ```ts
+ * const card = await createSquareCardField(containerEl, { applicationId, locationId });
+ * // ...on checkout submit:
+ * const token = await card.tokenize();
+ * await fetch("/api/checkout", { method: "POST", body: JSON.stringify({ paymentSourceToken: token, ... }) });
+ * ```
+ */
+declare function createSquareCardField(container: HTMLElement | string, options: SquareCardFieldOptions): Promise<CardField>;
+//#endregion
+export { CardField, SquareCardFieldOptions, createSquareCardField };
+//# sourceMappingURL=client.d.cts.map

package/dist/client.d.cts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"client.d.cts","names":[],"sources":["../src/client.ts"],"mappings":";UAiBiB,sBAAA;EACf,aAAA;EACA,UAAA;EACA,WAAA;AAAA;AAAA,UAGe,SAAA;EACf,QAAA,IAAY,OAAA;EACZ,OAAA,IAAW,OAAO;AAAA;AALP;AAGb;;;;;;;;;AAEoB;AAiDpB;;;AAtDa,iBAsDS,qBAAA,CACpB,SAAA,EAAW,WAAA,WACX,OAAA,EAAS,sBAAA,GACR,OAAA,CAAQ,SAAA"}

package/dist/client.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+//#region src/client.d.ts
+interface SquareCardFieldOptions {
+  applicationId: string;
+  locationId: string;
+  environment?: "sandbox" | "production";
+}
+interface CardField {
+  tokenize(): Promise<string>;
+  destroy(): Promise<void>;
+}
+/**
+ * Loads the Square Web Payments SDK (if not already present), initializes
+ * a card field, and attaches it to `container`. The returned `tokenize()`
+ * produces a one-time payment source token suitable for
+ * `PaymentProvider.checkout`'s `paymentSourceToken` — raw card data never
+ * leaves the browser.
+ *
+ * ```ts
+ * const card = await createSquareCardField(containerEl, { applicationId, locationId });
+ * // ...on checkout submit:
+ * const token = await card.tokenize();
+ * await fetch("/api/checkout", { method: "POST", body: JSON.stringify({ paymentSourceToken: token, ... }) });
+ * ```
+ */
+declare function createSquareCardField(container: HTMLElement | string, options: SquareCardFieldOptions): Promise<CardField>;
+//#endregion
+export { CardField, SquareCardFieldOptions, createSquareCardField };
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"client.d.ts","names":[],"sources":["../src/client.ts"],"mappings":";UAiBiB,sBAAA;EACf,aAAA;EACA,UAAA;EACA,WAAA;AAAA;AAAA,UAGe,SAAA;EACf,QAAA,IAAY,OAAA;EACZ,OAAA,IAAW,OAAO;AAAA;AALP;AAGb;;;;;;;;;AAEoB;AAiDpB;;;AAtDa,iBAsDS,qBAAA,CACpB,SAAA,EAAW,WAAA,WACX,OAAA,EAAS,sBAAA,GACR,OAAA,CAAQ,SAAA"}

package/dist/client.js ADDED Viewed

@@ -0,0 +1,49 @@
+//#region src/client.ts
+function sdkUrl(environment) {
+	return environment === "production" ? "https://web.squarecdn.com/v1/square.js" : "https://sandbox.web.squarecdn.com/v1/square.js";
+}
+let sdkLoadPromise;
+function loadSquareSdk(environment) {
+	if (window.Square) return Promise.resolve(window.Square);
+	if (sdkLoadPromise) return sdkLoadPromise;
+	sdkLoadPromise = new Promise((resolve, reject) => {
+		const script = document.createElement("script");
+		script.src = sdkUrl(environment);
+		script.onload = () => resolve(window.Square);
+		script.onerror = () => reject(/* @__PURE__ */ new Error(`Failed to load Square Web Payments SDK from ${script.src}`));
+		document.head.appendChild(script);
+	});
+	return sdkLoadPromise;
+}
+/**
+* Loads the Square Web Payments SDK (if not already present), initializes
+* a card field, and attaches it to `container`. The returned `tokenize()`
+* produces a one-time payment source token suitable for
+* `PaymentProvider.checkout`'s `paymentSourceToken` — raw card data never
+* leaves the browser.
+*
+* ```ts
+* const card = await createSquareCardField(containerEl, { applicationId, locationId });
+* // ...on checkout submit:
+* const token = await card.tokenize();
+* await fetch("/api/checkout", { method: "POST", body: JSON.stringify({ paymentSourceToken: token, ... }) });
+* ```
+*/
+async function createSquareCardField(container, options) {
+	const card = await (await loadSquareSdk(options.environment)).payments(options.applicationId, options.locationId).card();
+	await card.attach(container);
+	return {
+		async tokenize() {
+			const result = await card.tokenize();
+			if (result.status !== "OK") throw new Error(`Square card tokenization failed: ${result.status}${result.errors ? ` — ${JSON.stringify(result.errors)}` : ""}`);
+			return result.token;
+		},
+		async destroy() {
+			await card.destroy();
+		}
+	};
+}
+//#endregion
+export { createSquareCardField };
+//# sourceMappingURL=client.js.map

package/dist/client.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"client.js","names":[],"sources":["../src/client.ts"],"sourcesContent":["// Copyright (c) 2026 BowenLabs. All rights reserved.\n// MIT licensed. See LICENSE in the repo root.\n//\n// Browser-only client-side tokenization helper — a separate subpath\n// (`@thebes/cadmea-plugin-ecommerce-square/client`) so the server-side\n// provider entry never pulls in anything DOM-shaped, and vice versa.\n//\n// Square's Web Payments SDK is already vanilla, framework-agnostic,\n// DOM-attach JS with no official Solid binding — same shape of gap as\n// Phosphor icons and TipTap (both resolved in this codebase's DECISIONS.md\n// 2026-06-19 entry by using the vendor's framework-agnostic build\n// directly, not an unofficial wrapper). This file follows that precedent:\n// it is NOT a Solid component, has no JSX — just script-tag loading + SDK\n// init + card.attach()/card.tokenize() boilerplate, so every consumer\n// doesn't hand-roll the same dance. Card data never reaches the Worker —\n// tokenization happens entirely in the browser, here.\n\nexport interface SquareCardFieldOptions {\n applicationId: string;\n locationId: string;\n environment?: \"sandbox\" | \"production\";\n}\n\nexport interface CardField {\n tokenize(): Promise<string>;\n destroy(): Promise<void>;\n}\n\n// biome-ignore lint/suspicious/noExplicitAny: the Square Web Payments SDK ships no official TypeScript types for the `window.Square` global\ntype SquareGlobal = any;\n\nfunction sdkUrl(environment: SquareCardFieldOptions[\"environment\"]): string {\n return environment === \"production\"\n ? \"https://web.squarecdn.com/v1/square.js\"\n : \"https://sandbox.web.squarecdn.com/v1/square.js\";\n}\n\nlet sdkLoadPromise: Promise<SquareGlobal> | undefined;\n\nfunction loadSquareSdk(\n environment: SquareCardFieldOptions[\"environment\"],\n): Promise<SquareGlobal> {\n if ((window as { Square?: SquareGlobal }).Square) {\n return Promise.resolve((window as { Square?: SquareGlobal }).Square);\n }\n if (sdkLoadPromise) return sdkLoadPromise;\n\n sdkLoadPromise = new Promise((resolve, reject) => {\n const script = document.createElement(\"script\");\n script.src = sdkUrl(environment);\n script.onload = () => resolve((window as { Square?: SquareGlobal }).Square);\n script.onerror = () =>\n reject(\n new Error(`Failed to load Square Web Payments SDK from ${script.src}`),\n );\n document.head.appendChild(script);\n });\n return sdkLoadPromise;\n}\n\n/**\n * Loads the Square Web Payments SDK (if not already present), initializes\n * a card field, and attaches it to `container`. The returned `tokenize()`\n * produces a one-time payment source token suitable for\n * `PaymentProvider.checkout`'s `paymentSourceToken` — raw card data never\n * leaves the browser.\n *\n * ```ts\n * const card = await createSquareCardField(containerEl, { applicationId, locationId });\n * // ...on checkout submit:\n * const token = await card.tokenize();\n * await fetch(\"/api/checkout\", { method: \"POST\", body: JSON.stringify({ paymentSourceToken: token, ... }) });\n * ```\n */\nexport async function createSquareCardField(\n container: HTMLElement | string,\n options: SquareCardFieldOptions,\n): Promise<CardField> {\n const Square = await loadSquareSdk(options.environment);\n const payments = Square.payments(options.applicationId, options.locationId);\n const card = await payments.card();\n await card.attach(container);\n\n return {\n async tokenize() {\n const result = await card.tokenize();\n if (result.status !== \"OK\") {\n throw new Error(\n `Square card tokenization failed: ${result.status}${\n result.errors ? ` — ${JSON.stringify(result.errors)}` : \"\"\n }`,\n );\n }\n return result.token as string;\n },\n async destroy() {\n await card.destroy();\n },\n };\n}\n"],"mappings":";AA+BA,SAAS,OAAO,aAA4D;CAC1E,OAAO,gBAAgB,eACnB,2CACA;AACN;AAEA,IAAI;AAEJ,SAAS,cACP,aACuB;CACvB,IAAK,OAAqC,QACxC,OAAO,QAAQ,QAAS,OAAqC,MAAM;CAErE,IAAI,gBAAgB,OAAO;CAE3B,iBAAiB,IAAI,SAAS,SAAS,WAAW;EAChD,MAAM,SAAS,SAAS,cAAc,QAAQ;EAC9C,OAAO,MAAM,OAAO,WAAW;EAC/B,OAAO,eAAe,QAAS,OAAqC,MAAM;EAC1E,OAAO,gBACL,uBACE,IAAI,MAAM,+CAA+C,OAAO,KAAK,CACvE;EACF,SAAS,KAAK,YAAY,MAAM;CAClC,CAAC;CACD,OAAO;AACT;;;;;;;;;;;;;;;AAgBA,eAAsB,sBACpB,WACA,SACoB;CAGpB,MAAM,OAAO,OADI,MADI,cAAc,QAAQ,WAAW,EAAA,CAC9B,SAAS,QAAQ,eAAe,QAAQ,UACtC,CAAC,CAAC,KAAK;CACjC,MAAM,KAAK,OAAO,SAAS;CAE3B,OAAO;EACL,MAAM,WAAW;GACf,MAAM,SAAS,MAAM,KAAK,SAAS;GACnC,IAAI,OAAO,WAAW,MACpB,MAAM,IAAI,MACR,oCAAoC,OAAO,SACzC,OAAO,SAAS,MAAM,KAAK,UAAU,OAAO,MAAM,MAAM,IAE5D;GAEF,OAAO,OAAO;EAChB;EACA,MAAM,UAAU;GACd,MAAM,KAAK,QAAQ;EACrB;CACF;AACF"}

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,213 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+//#region src/provider.ts
+const DEFAULT_API_VERSION = "2025-01-23";
+function baseUrl(environment) {
+	return environment === "production" ? "https://connect.squareup.com" : "https://connect.squareupsandbox.com";
+}
+function primaryLocation(locationId) {
+	return Array.isArray(locationId) ? locationId[0] : locationId;
+}
+function allLocations(locationId) {
+	return Array.isArray(locationId) ? locationId : [locationId];
+}
+var SquareApiError = class extends Error {
+	status;
+	body;
+	constructor(message, status, body) {
+		super(message);
+		this.status = status;
+		this.body = body;
+		this.name = "SquareApiError";
+	}
+};
+async function squareFetch(config, path, init) {
+	const response = await fetch(`${baseUrl(config.environment)}${path}`, {
+		method: init.method,
+		headers: {
+			Authorization: `Bearer ${config.accessToken}`,
+			"Content-Type": "application/json",
+			"Square-Version": config.apiVersion ?? DEFAULT_API_VERSION
+		},
+		body: init.body !== void 0 ? JSON.stringify(init.body) : void 0
+	});
+	const text = await response.text();
+	const parsed = text ? JSON.parse(text) : {};
+	if (!response.ok) throw new SquareApiError(`Square API request to "${path}" failed with status ${response.status}`, response.status, parsed);
+	return parsed;
+}
+async function hmacSha256Base64(message, secret) {
+	const key = await crypto.subtle.importKey("raw", new TextEncoder().encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign"]);
+	const signature = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(message));
+	return btoa(String.fromCharCode(...new Uint8Array(signature)));
+}
+function timingSafeEqual(a, b) {
+	if (a.length !== b.length) return false;
+	let mismatch = 0;
+	for (let i = 0; i < a.length; i++) mismatch |= a.charCodeAt(i) ^ b.charCodeAt(i);
+	return mismatch === 0;
+}
+async function checkCatalogPrices(config, refs) {
+	if (refs.length === 0) return [];
+	const objects = (await squareFetch(config, "/v2/catalog/batch-retrieve", {
+		method: "POST",
+		body: { object_ids: refs }
+	})).objects ?? [];
+	const priceByRef = new Map(objects.map((object) => [object.id, object.item_variation_data?.price_money]));
+	const counts = (await squareFetch(config, "/v2/inventory/batch-retrieve-counts", {
+		method: "POST",
+		body: {
+			catalog_object_ids: refs,
+			location_ids: allLocations(config.locationId)
+		}
+	})).counts ?? [];
+	const quantityByRef = /* @__PURE__ */ new Map();
+	for (const count of counts) {
+		const existing = quantityByRef.get(count.catalog_object_id) ?? 0;
+		quantityByRef.set(count.catalog_object_id, existing + Number.parseFloat(count.quantity));
+	}
+	return refs.map((catalogRef) => {
+		const price = priceByRef.get(catalogRef);
+		return {
+			catalogRef,
+			serverUnitPrice: {
+				amount: price?.amount ?? 0,
+				currency: price?.currency ?? "USD"
+			},
+			availableQuantity: quantityByRef.get(catalogRef)
+		};
+	});
+}
+async function findOrCreateCustomer(config, email, idempotencyKey) {
+	const existing = (await squareFetch(config, "/v2/customers/search", {
+		method: "POST",
+		body: { query: { filter: { email_address: { exact: email } } } }
+	})).customers?.[0];
+	if (existing) return existing.id;
+	return (await squareFetch(config, "/v2/customers", {
+		method: "POST",
+		body: {
+			idempotency_key: idempotencyKey,
+			email_address: email
+		}
+	})).customer.id;
+}
+function mapSquarePaymentStatus(status) {
+	if (status === "COMPLETED" || status === "APPROVED") return "succeeded";
+	if (status === "PENDING") return "requires_action";
+	return "failed";
+}
+async function checkout(config, request) {
+	const order = (await squareFetch(config, "/v2/orders", {
+		method: "POST",
+		body: {
+			idempotency_key: request.idempotencyKey,
+			order: {
+				location_id: primaryLocation(config.locationId),
+				line_items: request.lineItems.map((item) => ({
+					catalog_object_id: item.catalogRef,
+					quantity: String(item.quantity)
+				}))
+			}
+		}
+	})).order;
+	const paymentResponse = await squareFetch(config, "/v2/payments", {
+		method: "POST",
+		body: {
+			idempotency_key: crypto.randomUUID(),
+			source_id: request.paymentSourceToken,
+			amount_money: order.total_money,
+			order_id: order.id,
+			location_id: primaryLocation(config.locationId)
+		}
+	});
+	const payment = paymentResponse.payment;
+	return {
+		providerOrderRef: order.id,
+		providerPaymentRef: payment.id,
+		status: mapSquarePaymentStatus(payment.status),
+		amount: {
+			amount: payment.amount_money.amount,
+			currency: payment.amount_money.currency
+		},
+		raw: paymentResponse
+	};
+}
+async function verifyWebhookSignature(args) {
+	if (!args.notificationUrl) return false;
+	const signatureHeader = args.headers.get("x-square-hmacsha256-signature");
+	if (!signatureHeader) return false;
+	return timingSafeEqual(await hmacSha256Base64(args.notificationUrl + args.rawBody, args.secret), signatureHeader);
+}
+function parseWebhookEvent(rawBody) {
+	const payload = JSON.parse(rawBody);
+	const eventId = payload.event_id;
+	if (payload.type === "payment.updated") {
+		const payment = payload.data.object.payment;
+		if (payment) return {
+			eventId,
+			event: {
+				kind: "payment.updated",
+				providerPaymentRef: payment.id,
+				status: mapSquarePaymentStatus(payment.status) === "succeeded" ? "succeeded" : "failed"
+			}
+		};
+	}
+	if (payload.type === "order.updated") {
+		const orderUpdated = payload.data.object.order_updated;
+		if (orderUpdated) {
+			const status = orderUpdated.state === "COMPLETED" ? "paid" : orderUpdated.state === "CANCELED" ? "canceled" : "failed";
+			return {
+				eventId,
+				event: {
+					kind: "order.updated",
+					providerOrderRef: orderUpdated.order_id,
+					status
+				}
+			};
+		}
+	}
+	if (payload.type === "subscription.updated") {
+		const subscription = payload.data.object.subscription;
+		if (subscription) return {
+			eventId,
+			event: {
+				kind: "subscription.updated",
+				providerSubscriptionRef: subscription.id,
+				status: subscription.status
+			}
+		};
+	}
+	return {
+		eventId,
+		event: {
+			kind: "unhandled",
+			rawType: payload.type
+		}
+	};
+}
+/**
+* Creates a `PaymentProvider` backed by Square's REST API — raw `fetch()`
+* + `crypto.subtle`, no Square Node SDK. Implements the required
+* `checkCatalogPrices`/`findOrCreateCustomer`/`checkout`/
+* `verifyWebhookSignature`/`parseWebhookEvent`; omits `catalogSync` and
+* `subscriptions` in this first cut (Square's loyalty/recurring-order
+* model doesn't map cleanly onto either optional capability without
+* further design — see the package README for the gap).
+*/
+function createSquarePaymentProvider(config) {
+	return {
+		name: "square",
+		checkCatalogPrices: (refs) => checkCatalogPrices(config, refs),
+		findOrCreateCustomer: (email, idempotencyKey) => findOrCreateCustomer(config, email, idempotencyKey),
+		checkout: (request) => checkout(config, request),
+		verifyWebhookSignature,
+		parseWebhookEvent
+	};
+}
+//#endregion
+exports.createSquarePaymentProvider = createSquarePaymentProvider;
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.cjs","names":[],"sources":["../src/provider.ts"],"sourcesContent":["// Copyright (c) 2026 BowenLabs. All rights reserved.\n// MIT licensed. See LICENSE in the repo root.\n//\n// Square's REST API directly via fetch() — never the `square` npm SDK\n// (Node-targeted, BigInt-typed monetary amounts the raw REST API doesn't\n// actually return — its JSON responses use plain numbers; BigInt is purely\n// an artifact of the SDK's own typed wrapper). Webhook signature\n// verification uses crypto.subtle, mirroring the exact HMAC idiom already\n// in @thebes/cadmus/cms's webhooks.ts (compute-and-compare instead of\n// sign-and-attach).\n\nimport type {\n CatalogPriceCheck,\n CheckoutRequest,\n CheckoutResult,\n PaymentProvider,\n} from \"@thebes/cadmea-plugin-ecommerce\";\n\nexport interface SquareProviderConfig {\n accessToken: string;\n /** First entry is used as the primary location for orders/payments; all entries are queried for inventory. */\n locationId: string | string[];\n environment?: \"sandbox\" | \"production\";\n /** Square's API version header. Default: a fixed, tested version — bump deliberately, not implicitly. */\n apiVersion?: string;\n}\n\nconst DEFAULT_API_VERSION = \"2025-01-23\";\n\nfunction baseUrl(environment: SquareProviderConfig[\"environment\"]): string {\n return environment === \"production\"\n ? \"https://connect.squareup.com\"\n : \"https://connect.squareupsandbox.com\";\n}\n\nfunction primaryLocation(\n locationId: SquareProviderConfig[\"locationId\"],\n): string {\n return Array.isArray(locationId) ? locationId[0] : locationId;\n}\n\nfunction allLocations(\n locationId: SquareProviderConfig[\"locationId\"],\n): string[] {\n return Array.isArray(locationId) ? locationId : [locationId];\n}\n\nclass SquareApiError extends Error {\n constructor(\n message: string,\n public readonly status: number,\n public readonly body: unknown,\n ) {\n super(message);\n this.name = \"SquareApiError\";\n }\n}\n\nasync function squareFetch(\n config: SquareProviderConfig,\n path: string,\n init: { method: string; body?: unknown },\n): Promise<Record<string, unknown>> {\n const response = await fetch(`${baseUrl(config.environment)}${path}`, {\n method: init.method,\n headers: {\n Authorization: `Bearer ${config.accessToken}`,\n \"Content-Type\": \"application/json\",\n \"Square-Version\": config.apiVersion ?? DEFAULT_API_VERSION,\n },\n body: init.body !== undefined ? JSON.stringify(init.body) : undefined,\n });\n const text = await response.text();\n const parsed = text ? JSON.parse(text) : {};\n if (!response.ok) {\n throw new SquareApiError(\n `Square API request to \"${path}\" failed with status ${response.status}`,\n response.status,\n parsed,\n );\n }\n return parsed;\n}\n\nasync function hmacSha256Base64(\n message: string,\n secret: string,\n): Promise<string> {\n const key = await crypto.subtle.importKey(\n \"raw\",\n new TextEncoder().encode(secret),\n { name: \"HMAC\", hash: \"SHA-256\" },\n false,\n [\"sign\"],\n );\n const signature = await crypto.subtle.sign(\n \"HMAC\",\n key,\n new TextEncoder().encode(message),\n );\n return btoa(String.fromCharCode(...new Uint8Array(signature)));\n}\n\n// Constant-time string comparison — a plain `===` on a signature leaks,\n// via early-exit timing, how many leading bytes matched, which is enough\n// to forge a valid HMAC byte-by-byte. Mirrors the Stripe provider's helper.\nfunction timingSafeEqual(a: string, b: string): boolean {\n if (a.length !== b.length) return false;\n let mismatch = 0;\n for (let i = 0; i < a.length; i++) {\n mismatch |= a.charCodeAt(i) ^ b.charCodeAt(i);\n }\n return mismatch === 0;\n}\n\ninterface SquareCatalogObject {\n id: string;\n type: string;\n item_variation_data?: {\n price_money?: { amount: number; currency: string };\n };\n}\n\ninterface SquareInventoryCount {\n catalog_object_id: string;\n quantity: string;\n}\n\nasync function checkCatalogPrices(\n config: SquareProviderConfig,\n refs: string[],\n): Promise<CatalogPriceCheck[]> {\n if (refs.length === 0) return [];\n\n const catalogResponse = await squareFetch(\n config,\n \"/v2/catalog/batch-retrieve\",\n {\n method: \"POST\",\n body: { object_ids: refs },\n },\n );\n const objects = (catalogResponse.objects ?? []) as SquareCatalogObject[];\n const priceByRef = new Map(\n objects.map((object) => [\n object.id,\n object.item_variation_data?.price_money,\n ]),\n );\n\n const inventoryResponse = await squareFetch(\n config,\n \"/v2/inventory/batch-retrieve-counts\",\n {\n method: \"POST\",\n body: {\n catalog_object_ids: refs,\n location_ids: allLocations(config.locationId),\n },\n },\n );\n const counts = (inventoryResponse.counts ?? []) as SquareInventoryCount[];\n const quantityByRef = new Map<string, number>();\n for (const count of counts) {\n const existing = quantityByRef.get(count.catalog_object_id) ?? 0;\n quantityByRef.set(\n count.catalog_object_id,\n existing + Number.parseFloat(count.quantity),\n );\n }\n\n return refs.map((catalogRef) => {\n const price = priceByRef.get(catalogRef);\n return {\n catalogRef,\n serverUnitPrice: {\n amount: price?.amount ?? 0,\n currency: price?.currency ?? \"USD\",\n },\n availableQuantity: quantityByRef.get(catalogRef),\n };\n });\n}\n\nasync function findOrCreateCustomer(\n config: SquareProviderConfig,\n email: string,\n idempotencyKey: string,\n): Promise<string> {\n const searchResponse = await squareFetch(config, \"/v2/customers/search\", {\n method: \"POST\",\n body: { query: { filter: { email_address: { exact: email } } } },\n });\n const existing = (\n searchResponse.customers as Array<{ id: string }> | undefined\n )?.[0];\n if (existing) return existing.id;\n\n const createResponse = await squareFetch(config, \"/v2/customers\", {\n method: \"POST\",\n body: { idempotency_key: idempotencyKey, email_address: email },\n });\n return (createResponse.customer as { id: string }).id;\n}\n\nfunction mapSquarePaymentStatus(\n status: string | undefined,\n): CheckoutResult[\"status\"] {\n if (status === \"COMPLETED\" || status === \"APPROVED\") return \"succeeded\";\n if (status === \"PENDING\") return \"requires_action\";\n return \"failed\";\n}\n\nasync function checkout(\n config: SquareProviderConfig,\n request: CheckoutRequest,\n): Promise<CheckoutResult> {\n const orderResponse = await squareFetch(config, \"/v2/orders\", {\n method: \"POST\",\n body: {\n idempotency_key: request.idempotencyKey,\n order: {\n location_id: primaryLocation(config.locationId),\n line_items: request.lineItems.map((item) => ({\n catalog_object_id: item.catalogRef,\n quantity: String(item.quantity),\n })),\n },\n },\n });\n const order = orderResponse.order as {\n id: string;\n total_money: { amount: number; currency: string };\n };\n\n const paymentResponse = await squareFetch(config, \"/v2/payments\", {\n method: \"POST\",\n body: {\n idempotency_key: crypto.randomUUID(),\n source_id: request.paymentSourceToken,\n amount_money: order.total_money,\n order_id: order.id,\n location_id: primaryLocation(config.locationId),\n },\n });\n const payment = paymentResponse.payment as {\n id: string;\n status: string;\n amount_money: { amount: number; currency: string };\n };\n\n return {\n providerOrderRef: order.id,\n providerPaymentRef: payment.id,\n status: mapSquarePaymentStatus(payment.status),\n amount: {\n amount: payment.amount_money.amount,\n currency: payment.amount_money.currency,\n },\n raw: paymentResponse as Record<string, unknown>,\n };\n}\n\nasync function verifyWebhookSignature(args: {\n rawBody: string;\n headers: Headers;\n secret: string;\n notificationUrl?: string;\n}): Promise<boolean> {\n // Square signs `notificationUrl + rawBody` (in that order) with the\n // webhook signature key, base64-encoded, checked against the\n // `x-square-hmacsha256-signature` header — without a notification URL\n // there's nothing correct to verify against, so this fails closed.\n if (!args.notificationUrl) return false;\n const signatureHeader = args.headers.get(\"x-square-hmacsha256-signature\");\n if (!signatureHeader) return false;\n const expected = await hmacSha256Base64(\n args.notificationUrl + args.rawBody,\n args.secret,\n );\n return timingSafeEqual(expected, signatureHeader);\n}\n\ninterface SquareWebhookPayload {\n event_id: string;\n type: string;\n data: {\n object: Record<string, unknown>;\n };\n}\n\nfunction parseWebhookEvent(rawBody: string) {\n const payload = JSON.parse(rawBody) as SquareWebhookPayload;\n const eventId = payload.event_id;\n\n if (payload.type === \"payment.updated\") {\n const payment = payload.data.object.payment as\n | { id: string; status: string }\n | undefined;\n if (payment) {\n return {\n eventId,\n event: {\n kind: \"payment.updated\" as const,\n providerPaymentRef: payment.id,\n status:\n mapSquarePaymentStatus(payment.status) === \"succeeded\"\n ? (\"succeeded\" as const)\n : (\"failed\" as const),\n },\n };\n }\n }\n\n if (payload.type === \"order.updated\") {\n const orderUpdated = payload.data.object.order_updated as\n | { order_id: string; state: string }\n | undefined;\n if (orderUpdated) {\n const status =\n orderUpdated.state === \"COMPLETED\"\n ? (\"paid\" as const)\n : orderUpdated.state === \"CANCELED\"\n ? (\"canceled\" as const)\n : (\"failed\" as const);\n return {\n eventId,\n event: {\n kind: \"order.updated\" as const,\n providerOrderRef: orderUpdated.order_id,\n status,\n },\n };\n }\n }\n\n if (payload.type === \"subscription.updated\") {\n const subscription = payload.data.object.subscription as\n | { id: string; status: string }\n | undefined;\n if (subscription) {\n return {\n eventId,\n event: {\n kind: \"subscription.updated\" as const,\n providerSubscriptionRef: subscription.id,\n status: subscription.status,\n },\n };\n }\n }\n\n return {\n eventId,\n event: { kind: \"unhandled\" as const, rawType: payload.type },\n };\n}\n\n/**\n * Creates a `PaymentProvider` backed by Square's REST API — raw `fetch()`\n * + `crypto.subtle`, no Square Node SDK. Implements the required\n * `checkCatalogPrices`/`findOrCreateCustomer`/`checkout`/\n * `verifyWebhookSignature`/`parseWebhookEvent`; omits `catalogSync` and\n * `subscriptions` in this first cut (Square's loyalty/recurring-order\n * model doesn't map cleanly onto either optional capability without\n * further design — see the package README for the gap).\n */\nexport function createSquarePaymentProvider(\n config: SquareProviderConfig,\n): PaymentProvider {\n return {\n name: \"square\",\n checkCatalogPrices: (refs) => checkCatalogPrices(config, refs),\n findOrCreateCustomer: (email, idempotencyKey) =>\n findOrCreateCustomer(config, email, idempotencyKey),\n checkout: (request) => checkout(config, request),\n verifyWebhookSignature,\n parseWebhookEvent,\n };\n}\n"],"mappings":";;AA2BA,MAAM,sBAAsB;AAE5B,SAAS,QAAQ,aAA0D;CACzE,OAAO,gBAAgB,eACnB,iCACA;AACN;AAEA,SAAS,gBACP,YACQ;CACR,OAAO,MAAM,QAAQ,UAAU,IAAI,WAAW,KAAK;AACrD;AAEA,SAAS,aACP,YACU;CACV,OAAO,MAAM,QAAQ,UAAU,IAAI,aAAa,CAAC,UAAU;AAC7D;AAEA,IAAM,iBAAN,cAA6B,MAAM;CAGf;CACA;CAHlB,YACE,SACA,QACA,MACA;EACA,MAAM,OAAO;EAHG,KAAA,SAAA;EACA,KAAA,OAAA;EAGhB,KAAK,OAAO;CACd;AACF;AAEA,eAAe,YACb,QACA,MACA,MACkC;CAClC,MAAM,WAAW,MAAM,MAAM,GAAG,QAAQ,OAAO,WAAW,IAAI,QAAQ;EACpE,QAAQ,KAAK;EACb,SAAS;GACP,eAAe,UAAU,OAAO;GAChC,gBAAgB;GAChB,kBAAkB,OAAO,cAAc;EACzC;EACA,MAAM,KAAK,SAAS,KAAA,IAAY,KAAK,UAAU,KAAK,IAAI,IAAI,KAAA;CAC9D,CAAC;CACD,MAAM,OAAO,MAAM,SAAS,KAAK;CACjC,MAAM,SAAS,OAAO,KAAK,MAAM,IAAI,IAAI,CAAC;CAC1C,IAAI,CAAC,SAAS,IACZ,MAAM,IAAI,eACR,0BAA0B,KAAK,uBAAuB,SAAS,UAC/D,SAAS,QACT,MACF;CAEF,OAAO;AACT;AAEA,eAAe,iBACb,SACA,QACiB;CACjB,MAAM,MAAM,MAAM,OAAO,OAAO,UAC9B,OACA,IAAI,YAAY,CAAC,CAAC,OAAO,MAAM,GAC/B;EAAE,MAAM;EAAQ,MAAM;CAAU,GAChC,OACA,CAAC,MAAM,CACT;CACA,MAAM,YAAY,MAAM,OAAO,OAAO,KACpC,QACA,KACA,IAAI,YAAY,CAAC,CAAC,OAAO,OAAO,CAClC;CACA,OAAO,KAAK,OAAO,aAAa,GAAG,IAAI,WAAW,SAAS,CAAC,CAAC;AAC/D;AAKA,SAAS,gBAAgB,GAAW,GAAoB;CACtD,IAAI,EAAE,WAAW,EAAE,QAAQ,OAAO;CAClC,IAAI,WAAW;CACf,KAAK,IAAI,IAAI,GAAG,IAAI,EAAE,QAAQ,KAC5B,YAAY,EAAE,WAAW,CAAC,IAAI,EAAE,WAAW,CAAC;CAE9C,OAAO,aAAa;AACtB;AAeA,eAAe,mBACb,QACA,MAC8B;CAC9B,IAAI,KAAK,WAAW,GAAG,OAAO,CAAC;CAU/B,MAAM,WAAW,MARa,YAC5B,QACA,8BACA;EACE,QAAQ;EACR,MAAM,EAAE,YAAY,KAAK;CAC3B,CACF,EAAA,CACiC,WAAW,CAAC;CAC7C,MAAM,aAAa,IAAI,IACrB,QAAQ,KAAK,WAAW,CACtB,OAAO,IACP,OAAO,qBAAqB,WAC9B,CAAC,CACH;CAaA,MAAM,UAAU,MAXgB,YAC9B,QACA,uCACA;EACE,QAAQ;EACR,MAAM;GACJ,oBAAoB;GACpB,cAAc,aAAa,OAAO,UAAU;EAC9C;CACF,CACF,EAAA,CACkC,UAAU,CAAC;CAC7C,MAAM,gCAAgB,IAAI,IAAoB;CAC9C,KAAK,MAAM,SAAS,QAAQ;EAC1B,MAAM,WAAW,cAAc,IAAI,MAAM,iBAAiB,KAAK;EAC/D,cAAc,IACZ,MAAM,mBACN,WAAW,OAAO,WAAW,MAAM,QAAQ,CAC7C;CACF;CAEA,OAAO,KAAK,KAAK,eAAe;EAC9B,MAAM,QAAQ,WAAW,IAAI,UAAU;EACvC,OAAO;GACL;GACA,iBAAiB;IACf,QAAQ,OAAO,UAAU;IACzB,UAAU,OAAO,YAAY;GAC/B;GACA,mBAAmB,cAAc,IAAI,UAAU;EACjD;CACF,CAAC;AACH;AAEA,eAAe,qBACb,QACA,OACA,gBACiB;CAKjB,MAAM,YACJ,MAL2B,YAAY,QAAQ,wBAAwB;EACvE,QAAQ;EACR,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,OAAO,MAAM,EAAE,EAAE,EAAE;CACjE,CAAC,EAAA,CAEgB,YACb;CACJ,IAAI,UAAU,OAAO,SAAS;CAM9B,QAAQ,MAJqB,YAAY,QAAQ,iBAAiB;EAChE,QAAQ;EACR,MAAM;GAAE,iBAAiB;GAAgB,eAAe;EAAM;CAChE,CAAC,EAAA,CACsB,SAA4B;AACrD;AAEA,SAAS,uBACP,QAC0B;CAC1B,IAAI,WAAW,eAAe,WAAW,YAAY,OAAO;CAC5D,IAAI,WAAW,WAAW,OAAO;CACjC,OAAO;AACT;AAEA,eAAe,SACb,QACA,SACyB;CAczB,MAAM,SAAQ,MAbc,YAAY,QAAQ,cAAc;EAC5D,QAAQ;EACR,MAAM;GACJ,iBAAiB,QAAQ;GACzB,OAAO;IACL,aAAa,gBAAgB,OAAO,UAAU;IAC9C,YAAY,QAAQ,UAAU,KAAK,UAAU;KAC3C,mBAAmB,KAAK;KACxB,UAAU,OAAO,KAAK,QAAQ;IAChC,EAAE;GACJ;EACF;CACF,CAAC,EAAA,CAC2B;CAK5B,MAAM,kBAAkB,MAAM,YAAY,QAAQ,gBAAgB;EAChE,QAAQ;EACR,MAAM;GACJ,iBAAiB,OAAO,WAAW;GACnC,WAAW,QAAQ;GACnB,cAAc,MAAM;GACpB,UAAU,MAAM;GAChB,aAAa,gBAAgB,OAAO,UAAU;EAChD;CACF,CAAC;CACD,MAAM,UAAU,gBAAgB;CAMhC,OAAO;EACL,kBAAkB,MAAM;EACxB,oBAAoB,QAAQ;EAC5B,QAAQ,uBAAuB,QAAQ,MAAM;EAC7C,QAAQ;GACN,QAAQ,QAAQ,aAAa;GAC7B,UAAU,QAAQ,aAAa;EACjC;EACA,KAAK;CACP;AACF;AAEA,eAAe,uBAAuB,MAKjB;CAKnB,IAAI,CAAC,KAAK,iBAAiB,OAAO;CAClC,MAAM,kBAAkB,KAAK,QAAQ,IAAI,+BAA+B;CACxE,IAAI,CAAC,iBAAiB,OAAO;CAK7B,OAAO,gBAAgB,MAJA,iBACrB,KAAK,kBAAkB,KAAK,SAC5B,KAAK,MACP,GACiC,eAAe;AAClD;AAUA,SAAS,kBAAkB,SAAiB;CAC1C,MAAM,UAAU,KAAK,MAAM,OAAO;CAClC,MAAM,UAAU,QAAQ;CAExB,IAAI,QAAQ,SAAS,mBAAmB;EACtC,MAAM,UAAU,QAAQ,KAAK,OAAO;EAGpC,IAAI,SACF,OAAO;GACL;GACA,OAAO;IACL,MAAM;IACN,oBAAoB,QAAQ;IAC5B,QACE,uBAAuB,QAAQ,MAAM,MAAM,cACtC,cACA;GACT;EACF;CAEJ;CAEA,IAAI,QAAQ,SAAS,iBAAiB;EACpC,MAAM,eAAe,QAAQ,KAAK,OAAO;EAGzC,IAAI,cAAc;GAChB,MAAM,SACJ,aAAa,UAAU,cAClB,SACD,aAAa,UAAU,aACpB,aACA;GACT,OAAO;IACL;IACA,OAAO;KACL,MAAM;KACN,kBAAkB,aAAa;KAC/B;IACF;GACF;EACF;CACF;CAEA,IAAI,QAAQ,SAAS,wBAAwB;EAC3C,MAAM,eAAe,QAAQ,KAAK,OAAO;EAGzC,IAAI,cACF,OAAO;GACL;GACA,OAAO;IACL,MAAM;IACN,yBAAyB,aAAa;IACtC,QAAQ,aAAa;GACvB;EACF;CAEJ;CAEA,OAAO;EACL;EACA,OAAO;GAAE,MAAM;GAAsB,SAAS,QAAQ;EAAK;CAC7D;AACF;;;;;;;;;;AAWA,SAAgB,4BACd,QACiB;CACjB,OAAO;EACL,MAAM;EACN,qBAAqB,SAAS,mBAAmB,QAAQ,IAAI;EAC7D,uBAAuB,OAAO,mBAC5B,qBAAqB,QAAQ,OAAO,cAAc;EACpD,WAAW,YAAY,SAAS,QAAQ,OAAO;EAC/C;EACA;CACF;AACF"}

package/dist/index.d.cts ADDED Viewed

@@ -0,0 +1,24 @@
+import { PaymentProvider } from "@thebes/cadmea-plugin-ecommerce";
+//#region src/provider.d.ts
+interface SquareProviderConfig {
+  accessToken: string;
+  /** First entry is used as the primary location for orders/payments; all entries are queried for inventory. */
+  locationId: string | string[];
+  environment?: "sandbox" | "production";
+  /** Square's API version header. Default: a fixed, tested version — bump deliberately, not implicitly. */
+  apiVersion?: string;
+}
+/**
+ * Creates a `PaymentProvider` backed by Square's REST API — raw `fetch()`
+ * + `crypto.subtle`, no Square Node SDK. Implements the required
+ * `checkCatalogPrices`/`findOrCreateCustomer`/`checkout`/
+ * `verifyWebhookSignature`/`parseWebhookEvent`; omits `catalogSync` and
+ * `subscriptions` in this first cut (Square's loyalty/recurring-order
+ * model doesn't map cleanly onto either optional capability without
+ * further design — see the package README for the gap).
+ */
+declare function createSquarePaymentProvider(config: SquareProviderConfig): PaymentProvider;
+//#endregion
+export { SquareProviderConfig, createSquarePaymentProvider };
+//# sourceMappingURL=index.d.cts.map

package/dist/index.d.cts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.cts","names":[],"sources":["../src/provider.ts"],"mappings":";;;UAkBiB,oBAAA;EACf,WAAA;EADe;EAGf,UAAA;EACA,WAAA;EAJmC;EAMnC,UAAA;AAAA;;;;AAAU;AAuVZ;;;;;iBAAgB,2BAAA,CACd,MAAA,EAAQ,oBAAA,GACP,eAAe"}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+import { PaymentProvider } from "@thebes/cadmea-plugin-ecommerce";
+//#region src/provider.d.ts
+interface SquareProviderConfig {
+  accessToken: string;
+  /** First entry is used as the primary location for orders/payments; all entries are queried for inventory. */
+  locationId: string | string[];
+  environment?: "sandbox" | "production";
+  /** Square's API version header. Default: a fixed, tested version — bump deliberately, not implicitly. */
+  apiVersion?: string;
+}
+/**
+ * Creates a `PaymentProvider` backed by Square's REST API — raw `fetch()`
+ * + `crypto.subtle`, no Square Node SDK. Implements the required
+ * `checkCatalogPrices`/`findOrCreateCustomer`/`checkout`/
+ * `verifyWebhookSignature`/`parseWebhookEvent`; omits `catalogSync` and
+ * `subscriptions` in this first cut (Square's loyalty/recurring-order
+ * model doesn't map cleanly onto either optional capability without
+ * further design — see the package README for the gap).
+ */
+declare function createSquarePaymentProvider(config: SquareProviderConfig): PaymentProvider;
+//#endregion
+export { SquareProviderConfig, createSquarePaymentProvider };
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","names":[],"sources":["../src/provider.ts"],"mappings":";;;UAkBiB,oBAAA;EACf,WAAA;EADe;EAGf,UAAA;EACA,WAAA;EAJmC;EAMnC,UAAA;AAAA;;;;AAAU;AAuVZ;;;;;iBAAgB,2BAAA,CACd,MAAA,EAAQ,oBAAA,GACP,eAAe"}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,212 @@
+//#region src/provider.ts
+const DEFAULT_API_VERSION = "2025-01-23";
+function baseUrl(environment) {
+	return environment === "production" ? "https://connect.squareup.com" : "https://connect.squareupsandbox.com";
+}
+function primaryLocation(locationId) {
+	return Array.isArray(locationId) ? locationId[0] : locationId;
+}
+function allLocations(locationId) {
+	return Array.isArray(locationId) ? locationId : [locationId];
+}
+var SquareApiError = class extends Error {
+	status;
+	body;
+	constructor(message, status, body) {
+		super(message);
+		this.status = status;
+		this.body = body;
+		this.name = "SquareApiError";
+	}
+};
+async function squareFetch(config, path, init) {
+	const response = await fetch(`${baseUrl(config.environment)}${path}`, {
+		method: init.method,
+		headers: {
+			Authorization: `Bearer ${config.accessToken}`,
+			"Content-Type": "application/json",
+			"Square-Version": config.apiVersion ?? DEFAULT_API_VERSION
+		},
+		body: init.body !== void 0 ? JSON.stringify(init.body) : void 0
+	});
+	const text = await response.text();
+	const parsed = text ? JSON.parse(text) : {};
+	if (!response.ok) throw new SquareApiError(`Square API request to "${path}" failed with status ${response.status}`, response.status, parsed);
+	return parsed;
+}
+async function hmacSha256Base64(message, secret) {
+	const key = await crypto.subtle.importKey("raw", new TextEncoder().encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign"]);
+	const signature = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(message));
+	return btoa(String.fromCharCode(...new Uint8Array(signature)));
+}
+function timingSafeEqual(a, b) {
+	if (a.length !== b.length) return false;
+	let mismatch = 0;
+	for (let i = 0; i < a.length; i++) mismatch |= a.charCodeAt(i) ^ b.charCodeAt(i);
+	return mismatch === 0;
+}
+async function checkCatalogPrices(config, refs) {
+	if (refs.length === 0) return [];
+	const objects = (await squareFetch(config, "/v2/catalog/batch-retrieve", {
+		method: "POST",
+		body: { object_ids: refs }
+	})).objects ?? [];
+	const priceByRef = new Map(objects.map((object) => [object.id, object.item_variation_data?.price_money]));
+	const counts = (await squareFetch(config, "/v2/inventory/batch-retrieve-counts", {
+		method: "POST",
+		body: {
+			catalog_object_ids: refs,
+			location_ids: allLocations(config.locationId)
+		}
+	})).counts ?? [];
+	const quantityByRef = /* @__PURE__ */ new Map();
+	for (const count of counts) {
+		const existing = quantityByRef.get(count.catalog_object_id) ?? 0;
+		quantityByRef.set(count.catalog_object_id, existing + Number.parseFloat(count.quantity));
+	}
+	return refs.map((catalogRef) => {
+		const price = priceByRef.get(catalogRef);
+		return {
+			catalogRef,
+			serverUnitPrice: {
+				amount: price?.amount ?? 0,
+				currency: price?.currency ?? "USD"
+			},
+			availableQuantity: quantityByRef.get(catalogRef)
+		};
+	});
+}
+async function findOrCreateCustomer(config, email, idempotencyKey) {
+	const existing = (await squareFetch(config, "/v2/customers/search", {
+		method: "POST",
+		body: { query: { filter: { email_address: { exact: email } } } }
+	})).customers?.[0];
+	if (existing) return existing.id;
+	return (await squareFetch(config, "/v2/customers", {
+		method: "POST",
+		body: {
+			idempotency_key: idempotencyKey,
+			email_address: email
+		}
+	})).customer.id;
+}
+function mapSquarePaymentStatus(status) {
+	if (status === "COMPLETED" || status === "APPROVED") return "succeeded";
+	if (status === "PENDING") return "requires_action";
+	return "failed";
+}
+async function checkout(config, request) {
+	const order = (await squareFetch(config, "/v2/orders", {
+		method: "POST",
+		body: {
+			idempotency_key: request.idempotencyKey,
+			order: {
+				location_id: primaryLocation(config.locationId),
+				line_items: request.lineItems.map((item) => ({
+					catalog_object_id: item.catalogRef,
+					quantity: String(item.quantity)
+				}))
+			}
+		}
+	})).order;
+	const paymentResponse = await squareFetch(config, "/v2/payments", {
+		method: "POST",
+		body: {
+			idempotency_key: crypto.randomUUID(),
+			source_id: request.paymentSourceToken,
+			amount_money: order.total_money,
+			order_id: order.id,
+			location_id: primaryLocation(config.locationId)
+		}
+	});
+	const payment = paymentResponse.payment;
+	return {
+		providerOrderRef: order.id,
+		providerPaymentRef: payment.id,
+		status: mapSquarePaymentStatus(payment.status),
+		amount: {
+			amount: payment.amount_money.amount,
+			currency: payment.amount_money.currency
+		},
+		raw: paymentResponse
+	};
+}
+async function verifyWebhookSignature(args) {
+	if (!args.notificationUrl) return false;
+	const signatureHeader = args.headers.get("x-square-hmacsha256-signature");
+	if (!signatureHeader) return false;
+	return timingSafeEqual(await hmacSha256Base64(args.notificationUrl + args.rawBody, args.secret), signatureHeader);
+}
+function parseWebhookEvent(rawBody) {
+	const payload = JSON.parse(rawBody);
+	const eventId = payload.event_id;
+	if (payload.type === "payment.updated") {
+		const payment = payload.data.object.payment;
+		if (payment) return {
+			eventId,
+			event: {
+				kind: "payment.updated",
+				providerPaymentRef: payment.id,
+				status: mapSquarePaymentStatus(payment.status) === "succeeded" ? "succeeded" : "failed"
+			}
+		};
+	}
+	if (payload.type === "order.updated") {
+		const orderUpdated = payload.data.object.order_updated;
+		if (orderUpdated) {
+			const status = orderUpdated.state === "COMPLETED" ? "paid" : orderUpdated.state === "CANCELED" ? "canceled" : "failed";
+			return {
+				eventId,
+				event: {
+					kind: "order.updated",
+					providerOrderRef: orderUpdated.order_id,
+					status
+				}
+			};
+		}
+	}
+	if (payload.type === "subscription.updated") {
+		const subscription = payload.data.object.subscription;
+		if (subscription) return {
+			eventId,
+			event: {
+				kind: "subscription.updated",
+				providerSubscriptionRef: subscription.id,
+				status: subscription.status
+			}
+		};
+	}
+	return {
+		eventId,
+		event: {
+			kind: "unhandled",
+			rawType: payload.type
+		}
+	};
+}
+/**
+* Creates a `PaymentProvider` backed by Square's REST API — raw `fetch()`
+* + `crypto.subtle`, no Square Node SDK. Implements the required
+* `checkCatalogPrices`/`findOrCreateCustomer`/`checkout`/
+* `verifyWebhookSignature`/`parseWebhookEvent`; omits `catalogSync` and
+* `subscriptions` in this first cut (Square's loyalty/recurring-order
+* model doesn't map cleanly onto either optional capability without
+* further design — see the package README for the gap).
+*/
+function createSquarePaymentProvider(config) {
+	return {
+		name: "square",
+		checkCatalogPrices: (refs) => checkCatalogPrices(config, refs),
+		findOrCreateCustomer: (email, idempotencyKey) => findOrCreateCustomer(config, email, idempotencyKey),
+		checkout: (request) => checkout(config, request),
+		verifyWebhookSignature,
+		parseWebhookEvent
+	};
+}
+//#endregion
+export { createSquarePaymentProvider };
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","names":[],"sources":["../src/provider.ts"],"sourcesContent":["// Copyright (c) 2026 BowenLabs. All rights reserved.\n// MIT licensed. See LICENSE in the repo root.\n//\n// Square's REST API directly via fetch() — never the `square` npm SDK\n// (Node-targeted, BigInt-typed monetary amounts the raw REST API doesn't\n// actually return — its JSON responses use plain numbers; BigInt is purely\n// an artifact of the SDK's own typed wrapper). Webhook signature\n// verification uses crypto.subtle, mirroring the exact HMAC idiom already\n// in @thebes/cadmus/cms's webhooks.ts (compute-and-compare instead of\n// sign-and-attach).\n\nimport type {\n CatalogPriceCheck,\n CheckoutRequest,\n CheckoutResult,\n PaymentProvider,\n} from \"@thebes/cadmea-plugin-ecommerce\";\n\nexport interface SquareProviderConfig {\n accessToken: string;\n /** First entry is used as the primary location for orders/payments; all entries are queried for inventory. */\n locationId: string | string[];\n environment?: \"sandbox\" | \"production\";\n /** Square's API version header. Default: a fixed, tested version — bump deliberately, not implicitly. */\n apiVersion?: string;\n}\n\nconst DEFAULT_API_VERSION = \"2025-01-23\";\n\nfunction baseUrl(environment: SquareProviderConfig[\"environment\"]): string {\n return environment === \"production\"\n ? \"https://connect.squareup.com\"\n : \"https://connect.squareupsandbox.com\";\n}\n\nfunction primaryLocation(\n locationId: SquareProviderConfig[\"locationId\"],\n): string {\n return Array.isArray(locationId) ? locationId[0] : locationId;\n}\n\nfunction allLocations(\n locationId: SquareProviderConfig[\"locationId\"],\n): string[] {\n return Array.isArray(locationId) ? locationId : [locationId];\n}\n\nclass SquareApiError extends Error {\n constructor(\n message: string,\n public readonly status: number,\n public readonly body: unknown,\n ) {\n super(message);\n this.name = \"SquareApiError\";\n }\n}\n\nasync function squareFetch(\n config: SquareProviderConfig,\n path: string,\n init: { method: string; body?: unknown },\n): Promise<Record<string, unknown>> {\n const response = await fetch(`${baseUrl(config.environment)}${path}`, {\n method: init.method,\n headers: {\n Authorization: `Bearer ${config.accessToken}`,\n \"Content-Type\": \"application/json\",\n \"Square-Version\": config.apiVersion ?? DEFAULT_API_VERSION,\n },\n body: init.body !== undefined ? JSON.stringify(init.body) : undefined,\n });\n const text = await response.text();\n const parsed = text ? JSON.parse(text) : {};\n if (!response.ok) {\n throw new SquareApiError(\n `Square API request to \"${path}\" failed with status ${response.status}`,\n response.status,\n parsed,\n );\n }\n return parsed;\n}\n\nasync function hmacSha256Base64(\n message: string,\n secret: string,\n): Promise<string> {\n const key = await crypto.subtle.importKey(\n \"raw\",\n new TextEncoder().encode(secret),\n { name: \"HMAC\", hash: \"SHA-256\" },\n false,\n [\"sign\"],\n );\n const signature = await crypto.subtle.sign(\n \"HMAC\",\n key,\n new TextEncoder().encode(message),\n );\n return btoa(String.fromCharCode(...new Uint8Array(signature)));\n}\n\n// Constant-time string comparison — a plain `===` on a signature leaks,\n// via early-exit timing, how many leading bytes matched, which is enough\n// to forge a valid HMAC byte-by-byte. Mirrors the Stripe provider's helper.\nfunction timingSafeEqual(a: string, b: string): boolean {\n if (a.length !== b.length) return false;\n let mismatch = 0;\n for (let i = 0; i < a.length; i++) {\n mismatch |= a.charCodeAt(i) ^ b.charCodeAt(i);\n }\n return mismatch === 0;\n}\n\ninterface SquareCatalogObject {\n id: string;\n type: string;\n item_variation_data?: {\n price_money?: { amount: number; currency: string };\n };\n}\n\ninterface SquareInventoryCount {\n catalog_object_id: string;\n quantity: string;\n}\n\nasync function checkCatalogPrices(\n config: SquareProviderConfig,\n refs: string[],\n): Promise<CatalogPriceCheck[]> {\n if (refs.length === 0) return [];\n\n const catalogResponse = await squareFetch(\n config,\n \"/v2/catalog/batch-retrieve\",\n {\n method: \"POST\",\n body: { object_ids: refs },\n },\n );\n const objects = (catalogResponse.objects ?? []) as SquareCatalogObject[];\n const priceByRef = new Map(\n objects.map((object) => [\n object.id,\n object.item_variation_data?.price_money,\n ]),\n );\n\n const inventoryResponse = await squareFetch(\n config,\n \"/v2/inventory/batch-retrieve-counts\",\n {\n method: \"POST\",\n body: {\n catalog_object_ids: refs,\n location_ids: allLocations(config.locationId),\n },\n },\n );\n const counts = (inventoryResponse.counts ?? []) as SquareInventoryCount[];\n const quantityByRef = new Map<string, number>();\n for (const count of counts) {\n const existing = quantityByRef.get(count.catalog_object_id) ?? 0;\n quantityByRef.set(\n count.catalog_object_id,\n existing + Number.parseFloat(count.quantity),\n );\n }\n\n return refs.map((catalogRef) => {\n const price = priceByRef.get(catalogRef);\n return {\n catalogRef,\n serverUnitPrice: {\n amount: price?.amount ?? 0,\n currency: price?.currency ?? \"USD\",\n },\n availableQuantity: quantityByRef.get(catalogRef),\n };\n });\n}\n\nasync function findOrCreateCustomer(\n config: SquareProviderConfig,\n email: string,\n idempotencyKey: string,\n): Promise<string> {\n const searchResponse = await squareFetch(config, \"/v2/customers/search\", {\n method: \"POST\",\n body: { query: { filter: { email_address: { exact: email } } } },\n });\n const existing = (\n searchResponse.customers as Array<{ id: string }> | undefined\n )?.[0];\n if (existing) return existing.id;\n\n const createResponse = await squareFetch(config, \"/v2/customers\", {\n method: \"POST\",\n body: { idempotency_key: idempotencyKey, email_address: email },\n });\n return (createResponse.customer as { id: string }).id;\n}\n\nfunction mapSquarePaymentStatus(\n status: string | undefined,\n): CheckoutResult[\"status\"] {\n if (status === \"COMPLETED\" || status === \"APPROVED\") return \"succeeded\";\n if (status === \"PENDING\") return \"requires_action\";\n return \"failed\";\n}\n\nasync function checkout(\n config: SquareProviderConfig,\n request: CheckoutRequest,\n): Promise<CheckoutResult> {\n const orderResponse = await squareFetch(config, \"/v2/orders\", {\n method: \"POST\",\n body: {\n idempotency_key: request.idempotencyKey,\n order: {\n location_id: primaryLocation(config.locationId),\n line_items: request.lineItems.map((item) => ({\n catalog_object_id: item.catalogRef,\n quantity: String(item.quantity),\n })),\n },\n },\n });\n const order = orderResponse.order as {\n id: string;\n total_money: { amount: number; currency: string };\n };\n\n const paymentResponse = await squareFetch(config, \"/v2/payments\", {\n method: \"POST\",\n body: {\n idempotency_key: crypto.randomUUID(),\n source_id: request.paymentSourceToken,\n amount_money: order.total_money,\n order_id: order.id,\n location_id: primaryLocation(config.locationId),\n },\n });\n const payment = paymentResponse.payment as {\n id: string;\n status: string;\n amount_money: { amount: number; currency: string };\n };\n\n return {\n providerOrderRef: order.id,\n providerPaymentRef: payment.id,\n status: mapSquarePaymentStatus(payment.status),\n amount: {\n amount: payment.amount_money.amount,\n currency: payment.amount_money.currency,\n },\n raw: paymentResponse as Record<string, unknown>,\n };\n}\n\nasync function verifyWebhookSignature(args: {\n rawBody: string;\n headers: Headers;\n secret: string;\n notificationUrl?: string;\n}): Promise<boolean> {\n // Square signs `notificationUrl + rawBody` (in that order) with the\n // webhook signature key, base64-encoded, checked against the\n // `x-square-hmacsha256-signature` header — without a notification URL\n // there's nothing correct to verify against, so this fails closed.\n if (!args.notificationUrl) return false;\n const signatureHeader = args.headers.get(\"x-square-hmacsha256-signature\");\n if (!signatureHeader) return false;\n const expected = await hmacSha256Base64(\n args.notificationUrl + args.rawBody,\n args.secret,\n );\n return timingSafeEqual(expected, signatureHeader);\n}\n\ninterface SquareWebhookPayload {\n event_id: string;\n type: string;\n data: {\n object: Record<string, unknown>;\n };\n}\n\nfunction parseWebhookEvent(rawBody: string) {\n const payload = JSON.parse(rawBody) as SquareWebhookPayload;\n const eventId = payload.event_id;\n\n if (payload.type === \"payment.updated\") {\n const payment = payload.data.object.payment as\n | { id: string; status: string }\n | undefined;\n if (payment) {\n return {\n eventId,\n event: {\n kind: \"payment.updated\" as const,\n providerPaymentRef: payment.id,\n status:\n mapSquarePaymentStatus(payment.status) === \"succeeded\"\n ? (\"succeeded\" as const)\n : (\"failed\" as const),\n },\n };\n }\n }\n\n if (payload.type === \"order.updated\") {\n const orderUpdated = payload.data.object.order_updated as\n | { order_id: string; state: string }\n | undefined;\n if (orderUpdated) {\n const status =\n orderUpdated.state === \"COMPLETED\"\n ? (\"paid\" as const)\n : orderUpdated.state === \"CANCELED\"\n ? (\"canceled\" as const)\n : (\"failed\" as const);\n return {\n eventId,\n event: {\n kind: \"order.updated\" as const,\n providerOrderRef: orderUpdated.order_id,\n status,\n },\n };\n }\n }\n\n if (payload.type === \"subscription.updated\") {\n const subscription = payload.data.object.subscription as\n | { id: string; status: string }\n | undefined;\n if (subscription) {\n return {\n eventId,\n event: {\n kind: \"subscription.updated\" as const,\n providerSubscriptionRef: subscription.id,\n status: subscription.status,\n },\n };\n }\n }\n\n return {\n eventId,\n event: { kind: \"unhandled\" as const, rawType: payload.type },\n };\n}\n\n/**\n * Creates a `PaymentProvider` backed by Square's REST API — raw `fetch()`\n * + `crypto.subtle`, no Square Node SDK. Implements the required\n * `checkCatalogPrices`/`findOrCreateCustomer`/`checkout`/\n * `verifyWebhookSignature`/`parseWebhookEvent`; omits `catalogSync` and\n * `subscriptions` in this first cut (Square's loyalty/recurring-order\n * model doesn't map cleanly onto either optional capability without\n * further design — see the package README for the gap).\n */\nexport function createSquarePaymentProvider(\n config: SquareProviderConfig,\n): PaymentProvider {\n return {\n name: \"square\",\n checkCatalogPrices: (refs) => checkCatalogPrices(config, refs),\n findOrCreateCustomer: (email, idempotencyKey) =>\n findOrCreateCustomer(config, email, idempotencyKey),\n checkout: (request) => checkout(config, request),\n verifyWebhookSignature,\n parseWebhookEvent,\n };\n}\n"],"mappings":";AA2BA,MAAM,sBAAsB;AAE5B,SAAS,QAAQ,aAA0D;CACzE,OAAO,gBAAgB,eACnB,iCACA;AACN;AAEA,SAAS,gBACP,YACQ;CACR,OAAO,MAAM,QAAQ,UAAU,IAAI,WAAW,KAAK;AACrD;AAEA,SAAS,aACP,YACU;CACV,OAAO,MAAM,QAAQ,UAAU,IAAI,aAAa,CAAC,UAAU;AAC7D;AAEA,IAAM,iBAAN,cAA6B,MAAM;CAGf;CACA;CAHlB,YACE,SACA,QACA,MACA;EACA,MAAM,OAAO;EAHG,KAAA,SAAA;EACA,KAAA,OAAA;EAGhB,KAAK,OAAO;CACd;AACF;AAEA,eAAe,YACb,QACA,MACA,MACkC;CAClC,MAAM,WAAW,MAAM,MAAM,GAAG,QAAQ,OAAO,WAAW,IAAI,QAAQ;EACpE,QAAQ,KAAK;EACb,SAAS;GACP,eAAe,UAAU,OAAO;GAChC,gBAAgB;GAChB,kBAAkB,OAAO,cAAc;EACzC;EACA,MAAM,KAAK,SAAS,KAAA,IAAY,KAAK,UAAU,KAAK,IAAI,IAAI,KAAA;CAC9D,CAAC;CACD,MAAM,OAAO,MAAM,SAAS,KAAK;CACjC,MAAM,SAAS,OAAO,KAAK,MAAM,IAAI,IAAI,CAAC;CAC1C,IAAI,CAAC,SAAS,IACZ,MAAM,IAAI,eACR,0BAA0B,KAAK,uBAAuB,SAAS,UAC/D,SAAS,QACT,MACF;CAEF,OAAO;AACT;AAEA,eAAe,iBACb,SACA,QACiB;CACjB,MAAM,MAAM,MAAM,OAAO,OAAO,UAC9B,OACA,IAAI,YAAY,CAAC,CAAC,OAAO,MAAM,GAC/B;EAAE,MAAM;EAAQ,MAAM;CAAU,GAChC,OACA,CAAC,MAAM,CACT;CACA,MAAM,YAAY,MAAM,OAAO,OAAO,KACpC,QACA,KACA,IAAI,YAAY,CAAC,CAAC,OAAO,OAAO,CAClC;CACA,OAAO,KAAK,OAAO,aAAa,GAAG,IAAI,WAAW,SAAS,CAAC,CAAC;AAC/D;AAKA,SAAS,gBAAgB,GAAW,GAAoB;CACtD,IAAI,EAAE,WAAW,EAAE,QAAQ,OAAO;CAClC,IAAI,WAAW;CACf,KAAK,IAAI,IAAI,GAAG,IAAI,EAAE,QAAQ,KAC5B,YAAY,EAAE,WAAW,CAAC,IAAI,EAAE,WAAW,CAAC;CAE9C,OAAO,aAAa;AACtB;AAeA,eAAe,mBACb,QACA,MAC8B;CAC9B,IAAI,KAAK,WAAW,GAAG,OAAO,CAAC;CAU/B,MAAM,WAAW,MARa,YAC5B,QACA,8BACA;EACE,QAAQ;EACR,MAAM,EAAE,YAAY,KAAK;CAC3B,CACF,EAAA,CACiC,WAAW,CAAC;CAC7C,MAAM,aAAa,IAAI,IACrB,QAAQ,KAAK,WAAW,CACtB,OAAO,IACP,OAAO,qBAAqB,WAC9B,CAAC,CACH;CAaA,MAAM,UAAU,MAXgB,YAC9B,QACA,uCACA;EACE,QAAQ;EACR,MAAM;GACJ,oBAAoB;GACpB,cAAc,aAAa,OAAO,UAAU;EAC9C;CACF,CACF,EAAA,CACkC,UAAU,CAAC;CAC7C,MAAM,gCAAgB,IAAI,IAAoB;CAC9C,KAAK,MAAM,SAAS,QAAQ;EAC1B,MAAM,WAAW,cAAc,IAAI,MAAM,iBAAiB,KAAK;EAC/D,cAAc,IACZ,MAAM,mBACN,WAAW,OAAO,WAAW,MAAM,QAAQ,CAC7C;CACF;CAEA,OAAO,KAAK,KAAK,eAAe;EAC9B,MAAM,QAAQ,WAAW,IAAI,UAAU;EACvC,OAAO;GACL;GACA,iBAAiB;IACf,QAAQ,OAAO,UAAU;IACzB,UAAU,OAAO,YAAY;GAC/B;GACA,mBAAmB,cAAc,IAAI,UAAU;EACjD;CACF,CAAC;AACH;AAEA,eAAe,qBACb,QACA,OACA,gBACiB;CAKjB,MAAM,YACJ,MAL2B,YAAY,QAAQ,wBAAwB;EACvE,QAAQ;EACR,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,OAAO,MAAM,EAAE,EAAE,EAAE;CACjE,CAAC,EAAA,CAEgB,YACb;CACJ,IAAI,UAAU,OAAO,SAAS;CAM9B,QAAQ,MAJqB,YAAY,QAAQ,iBAAiB;EAChE,QAAQ;EACR,MAAM;GAAE,iBAAiB;GAAgB,eAAe;EAAM;CAChE,CAAC,EAAA,CACsB,SAA4B;AACrD;AAEA,SAAS,uBACP,QAC0B;CAC1B,IAAI,WAAW,eAAe,WAAW,YAAY,OAAO;CAC5D,IAAI,WAAW,WAAW,OAAO;CACjC,OAAO;AACT;AAEA,eAAe,SACb,QACA,SACyB;CAczB,MAAM,SAAQ,MAbc,YAAY,QAAQ,cAAc;EAC5D,QAAQ;EACR,MAAM;GACJ,iBAAiB,QAAQ;GACzB,OAAO;IACL,aAAa,gBAAgB,OAAO,UAAU;IAC9C,YAAY,QAAQ,UAAU,KAAK,UAAU;KAC3C,mBAAmB,KAAK;KACxB,UAAU,OAAO,KAAK,QAAQ;IAChC,EAAE;GACJ;EACF;CACF,CAAC,EAAA,CAC2B;CAK5B,MAAM,kBAAkB,MAAM,YAAY,QAAQ,gBAAgB;EAChE,QAAQ;EACR,MAAM;GACJ,iBAAiB,OAAO,WAAW;GACnC,WAAW,QAAQ;GACnB,cAAc,MAAM;GACpB,UAAU,MAAM;GAChB,aAAa,gBAAgB,OAAO,UAAU;EAChD;CACF,CAAC;CACD,MAAM,UAAU,gBAAgB;CAMhC,OAAO;EACL,kBAAkB,MAAM;EACxB,oBAAoB,QAAQ;EAC5B,QAAQ,uBAAuB,QAAQ,MAAM;EAC7C,QAAQ;GACN,QAAQ,QAAQ,aAAa;GAC7B,UAAU,QAAQ,aAAa;EACjC;EACA,KAAK;CACP;AACF;AAEA,eAAe,uBAAuB,MAKjB;CAKnB,IAAI,CAAC,KAAK,iBAAiB,OAAO;CAClC,MAAM,kBAAkB,KAAK,QAAQ,IAAI,+BAA+B;CACxE,IAAI,CAAC,iBAAiB,OAAO;CAK7B,OAAO,gBAAgB,MAJA,iBACrB,KAAK,kBAAkB,KAAK,SAC5B,KAAK,MACP,GACiC,eAAe;AAClD;AAUA,SAAS,kBAAkB,SAAiB;CAC1C,MAAM,UAAU,KAAK,MAAM,OAAO;CAClC,MAAM,UAAU,QAAQ;CAExB,IAAI,QAAQ,SAAS,mBAAmB;EACtC,MAAM,UAAU,QAAQ,KAAK,OAAO;EAGpC,IAAI,SACF,OAAO;GACL;GACA,OAAO;IACL,MAAM;IACN,oBAAoB,QAAQ;IAC5B,QACE,uBAAuB,QAAQ,MAAM,MAAM,cACtC,cACA;GACT;EACF;CAEJ;CAEA,IAAI,QAAQ,SAAS,iBAAiB;EACpC,MAAM,eAAe,QAAQ,KAAK,OAAO;EAGzC,IAAI,cAAc;GAChB,MAAM,SACJ,aAAa,UAAU,cAClB,SACD,aAAa,UAAU,aACpB,aACA;GACT,OAAO;IACL;IACA,OAAO;KACL,MAAM;KACN,kBAAkB,aAAa;KAC/B;IACF;GACF;EACF;CACF;CAEA,IAAI,QAAQ,SAAS,wBAAwB;EAC3C,MAAM,eAAe,QAAQ,KAAK,OAAO;EAGzC,IAAI,cACF,OAAO;GACL;GACA,OAAO;IACL,MAAM;IACN,yBAAyB,aAAa;IACtC,QAAQ,aAAa;GACvB;EACF;CAEJ;CAEA,OAAO;EACL;EACA,OAAO;GAAE,MAAM;GAAsB,SAAS,QAAQ;EAAK;CAC7D;AACF;;;;;;;;;;AAWA,SAAgB,4BACd,QACiB;CACjB,OAAO;EACL,MAAM;EACN,qBAAqB,SAAS,mBAAmB,QAAQ,IAAI;EAC7D,uBAAuB,OAAO,mBAC5B,qBAAqB,QAAQ,OAAO,cAAc;EACpD,WAAW,YAAY,SAAS,QAAQ,OAAO;EAC/C;EACA;CACF;AACF"}

package/package.json ADDED Viewed

@@ -0,0 +1,58 @@
+{
+  "name": "@thebes/cadmea-plugin-ecommerce-square",
+  "version": "1.0.0",
+  "description": "Square PaymentProvider for @thebes/cadmea-plugin-ecommerce — raw fetch() + crypto.subtle, no Square Node SDK",
+  "author": "BowenLabs <hello@bowenlabs.io>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/bowenlabs/project-thebes",
+    "directory": "packages/cadmea-plugin-ecommerce-square"
+  },
+  "homepage": "https://github.com/bowenlabs/project-thebes/tree/main/packages/cadmea-plugin-ecommerce-square#readme",
+  "bugs": {
+    "url": "https://github.com/bowenlabs/project-thebes/issues"
+  },
+  "keywords": [
+    "cadmea",
+    "cadmus",
+    "cms",
+    "ecommerce",
+    "square",
+    "payments",
+    "cloudflare"
+  ],
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    },
+    "./client": {
+      "types": "./dist/client.d.ts",
+      "default": "./dist/client.js"
+    }
+  },
+  "peerDependencies": {
+    "@thebes/cadmea-plugin-ecommerce": "^1.0.0",
+    "@thebes/cadmus": "^0.2.1"
+  },
+  "devDependencies": {
+    "typescript": "latest",
+    "vite-plus": "latest",
+    "vitest": "latest",
+    "@thebes/cadmus": "^0.2.1",
+    "@thebes/cadmea-plugin-ecommerce": "^1.0.0"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "vp pack",
+    "dev": "vp pack --watch",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  }
+}