npm - @thebes/cadmea-plugin-ecommerce-stripe - Versions diffs - 1.0.0 - Mend

@thebes/cadmea-plugin-ecommerce-stripe 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 BowenLabs
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,70 @@
+# @thebes/cadmea-plugin-ecommerce-stripe
+Stripe's [`PaymentProvider`](https://www.npmjs.com/package/@thebes/cadmea-plugin-ecommerce)
+implementation for [Cadmea](https://github.com/bowenlabs/project-thebes)'s
+ecommerce extension — raw `fetch()` against Stripe's REST API +
+`crypto.subtle` for webhook signature verification. **No Stripe Node SDK,
+ever** — it relies on `node:crypto`/`node:http` internally and never runs
+in a V8 isolate.
+```bash
+pnpm add @thebes/cadmea-plugin-ecommerce-stripe @thebes/cadmea-plugin-ecommerce
+```
+## Server-side
+```ts
+import { createStripePaymentProvider } from "@thebes/cadmea-plugin-ecommerce-stripe";
+const provider = createStripePaymentProvider({
+  secretKey: env.STRIPE_SECRET_KEY,
+});
+```
+Pass `provider` to `@thebes/cadmea-plugin-ecommerce`'s `createCheckoutHandler`/
+`createWebhookHandler`. Webhook signature verification follows Stripe's
+documented scheme: `Stripe-Signature: t=<timestamp>,v1=<signature>`, message
+`${timestamp}.${rawBody}`, `HMAC-SHA256` hex — with a staleness check on the
+timestamp (`webhookToleranceSeconds`, default `300`, matching Stripe's own
+recommended tolerance) before the signature is even compared.
+### Real interface friction vs. Square — by design, not a bug
+`PaymentProvider` was deliberately pressure-tested against a second real
+provider after Square. The asymmetries this package absorbs:
+- Stripe's API takes `application/x-www-form-urlencoded` bodies, not JSON.
+- Stripe's idempotency key is an `Idempotency-Key` HTTP **header**, not a
+  body field the way Square's `idempotency_key` is.
+- Stripe has no object analogous to Square's separate Order — a
+  `PaymentIntent` is both "the order" and "the payment" in one call. This
+  provider sets `providerOrderRef` and `providerPaymentRef` to the same
+  PaymentIntent id rather than inventing a fake second id.
+- Stripe has no native inventory/catalog concept matching Square's
+  Catalog+Inventory APIs — `checkCatalogPrices` reads `Price` objects
+  (`unit_amount`/`currency`) and always returns `availableQuantity:
+  undefined`.
+- Stripe's native Subscriptions API **is** implemented here (unlike the
+  Square provider, which omits the optional `subscriptions` capability) —
+  it's a much better fit than Square's loyalty/recurring-order model.
+## Client-side tokenization
+A separate `/client` subpath, the same shape as
+`@thebes/cadmea-plugin-ecommerce-square/client`'s `createSquareCardField` —
+card data never reaches the Worker:
+```ts
+import { createStripeCardField } from "@thebes/cadmea-plugin-ecommerce-stripe/client";
+const card = await createStripeCardField(containerEl, {
+  publishableKey: PUBLIC_STRIPE_PUBLISHABLE_KEY,
+});
+// on checkout submit:
+const paymentSourceToken = await card.tokenize();
+```
+## License
+MIT © BowenLabs

package/dist/client.cjs ADDED Viewed

@@ -0,0 +1,51 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+//#region src/client.ts
+const SDK_URL = "https://js.stripe.com/v3/";
+let sdkLoadPromise;
+function loadStripeSdk() {
+	if (window.Stripe) return Promise.resolve(window.Stripe);
+	if (sdkLoadPromise) return sdkLoadPromise;
+	sdkLoadPromise = new Promise((resolve, reject) => {
+		const script = document.createElement("script");
+		script.src = SDK_URL;
+		script.onload = () => resolve(window.Stripe);
+		script.onerror = () => reject(/* @__PURE__ */ new Error(`Failed to load Stripe.js from ${SDK_URL}`));
+		document.head.appendChild(script);
+	});
+	return sdkLoadPromise;
+}
+/**
+* Loads Stripe.js (if not already present), mounts a Card Element on
+* `container`. The returned `tokenize()` produces a PaymentMethod id
+* suitable for `PaymentProvider.checkout`'s `paymentSourceToken` — raw
+* card data never leaves the browser.
+*
+* ```ts
+* const card = await createStripeCardField(containerEl, { publishableKey });
+* // ...on checkout submit:
+* const token = await card.tokenize();
+* await fetch("/api/checkout", { method: "POST", body: JSON.stringify({ paymentSourceToken: token, ... }) });
+* ```
+*/
+async function createStripeCardField(container, options) {
+	const stripe = (await loadStripeSdk())(options.publishableKey);
+	const card = stripe.elements().create("card");
+	card.mount(container);
+	return {
+		async tokenize() {
+			const { paymentMethod, error } = await stripe.createPaymentMethod({
+				type: "card",
+				card
+			});
+			if (error) throw new Error(`Stripe card tokenization failed: ${error.message}`);
+			return paymentMethod.id;
+		},
+		async destroy() {
+			card.unmount();
+		}
+	};
+}
+//#endregion
+exports.createStripeCardField = createStripeCardField;
+//# sourceMappingURL=client.cjs.map

package/dist/client.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"client.cjs","names":[],"sources":["../src/client.ts"],"sourcesContent":["// Copyright (c) 2026 BowenLabs. All rights reserved.\n// MIT licensed. See LICENSE in the repo root.\n//\n// Browser-only client-side tokenization helper — a separate subpath\n// (`@thebes/cadmea-plugin-ecommerce-stripe/client`), matching\n// `@thebes/cadmea-plugin-ecommerce-square/client`'s shape exactly\n// (`createXCardField` → `{ tokenize(), destroy() }`) so a consumer's\n// checkout UI can swap providers without rewriting its own component —\n// the client-side mirror of `PaymentProvider`'s own swappability.\n//\n// Stripe.js/Elements is likewise vanilla and framework-agnostic with no\n// official Solid binding — same precedent as the Square client (see\n// DECISIONS.md's 2026-06-19 entry on Phosphor/TipTap). Card data never\n// reaches the Worker — tokenization happens entirely in the browser, here.\n\nexport interface StripeCardFieldOptions {\n publishableKey: string;\n}\n\nexport interface CardField {\n tokenize(): Promise<string>;\n destroy(): Promise<void>;\n}\n\n// biome-ignore lint/suspicious/noExplicitAny: Stripe.js ships no official TypeScript types loadable without the `@stripe/stripe-js` npm package, which this plugin deliberately doesn't depend on\ntype StripeGlobal = any;\n\nconst SDK_URL = \"https://js.stripe.com/v3/\";\n\nlet sdkLoadPromise: Promise<StripeGlobal> | undefined;\n\nfunction loadStripeSdk(): Promise<StripeGlobal> {\n if ((window as { Stripe?: StripeGlobal }).Stripe) {\n return Promise.resolve((window as { Stripe?: StripeGlobal }).Stripe);\n }\n if (sdkLoadPromise) return sdkLoadPromise;\n\n sdkLoadPromise = new Promise((resolve, reject) => {\n const script = document.createElement(\"script\");\n script.src = SDK_URL;\n script.onload = () => resolve((window as { Stripe?: StripeGlobal }).Stripe);\n script.onerror = () =>\n reject(new Error(`Failed to load Stripe.js from ${SDK_URL}`));\n document.head.appendChild(script);\n });\n return sdkLoadPromise;\n}\n\n/**\n * Loads Stripe.js (if not already present), mounts a Card Element on\n * `container`. The returned `tokenize()` produces a PaymentMethod id\n * suitable for `PaymentProvider.checkout`'s `paymentSourceToken` — raw\n * card data never leaves the browser.\n *\n * ```ts\n * const card = await createStripeCardField(containerEl, { publishableKey });\n * // ...on checkout submit:\n * const token = await card.tokenize();\n * await fetch(\"/api/checkout\", { method: \"POST\", body: JSON.stringify({ paymentSourceToken: token, ... }) });\n * ```\n */\nexport async function createStripeCardField(\n container: HTMLElement | string,\n options: StripeCardFieldOptions,\n): Promise<CardField> {\n const StripeCtor = await loadStripeSdk();\n const stripe = StripeCtor(options.publishableKey);\n const elements = stripe.elements();\n const card = elements.create(\"card\");\n card.mount(container);\n\n return {\n async tokenize() {\n const { paymentMethod, error } = await stripe.createPaymentMethod({\n type: \"card\",\n card,\n });\n if (error) {\n throw new Error(`Stripe card tokenization failed: ${error.message}`);\n }\n return paymentMethod.id as string;\n },\n async destroy() {\n card.unmount();\n },\n };\n}\n"],"mappings":";;AA2BA,MAAM,UAAU;AAEhB,IAAI;AAEJ,SAAS,gBAAuC;CAC9C,IAAK,OAAqC,QACxC,OAAO,QAAQ,QAAS,OAAqC,MAAM;CAErE,IAAI,gBAAgB,OAAO;CAE3B,iBAAiB,IAAI,SAAS,SAAS,WAAW;EAChD,MAAM,SAAS,SAAS,cAAc,QAAQ;EAC9C,OAAO,MAAM;EACb,OAAO,eAAe,QAAS,OAAqC,MAAM;EAC1E,OAAO,gBACL,uBAAO,IAAI,MAAM,iCAAiC,SAAS,CAAC;EAC9D,SAAS,KAAK,YAAY,MAAM;CAClC,CAAC;CACD,OAAO;AACT;;;;;;;;;;;;;;AAeA,eAAsB,sBACpB,WACA,SACoB;CAEpB,MAAM,UAAS,MADU,cAAc,EAAA,CACb,QAAQ,cAAc;CAEhD,MAAM,OADW,OAAO,SACJ,CAAC,CAAC,OAAO,MAAM;CACnC,KAAK,MAAM,SAAS;CAEpB,OAAO;EACL,MAAM,WAAW;GACf,MAAM,EAAE,eAAe,UAAU,MAAM,OAAO,oBAAoB;IAChE,MAAM;IACN;GACF,CAAC;GACD,IAAI,OACF,MAAM,IAAI,MAAM,oCAAoC,MAAM,SAAS;GAErE,OAAO,cAAc;EACvB;EACA,MAAM,UAAU;GACd,KAAK,QAAQ;EACf;CACF;AACF"}

package/dist/client.d.cts ADDED Viewed

@@ -0,0 +1,25 @@
+//#region src/client.d.ts
+interface StripeCardFieldOptions {
+  publishableKey: string;
+}
+interface CardField {
+  tokenize(): Promise<string>;
+  destroy(): Promise<void>;
+}
+/**
+ * Loads Stripe.js (if not already present), mounts a Card Element on
+ * `container`. The returned `tokenize()` produces a PaymentMethod id
+ * suitable for `PaymentProvider.checkout`'s `paymentSourceToken` — raw
+ * card data never leaves the browser.
+ *
+ * ```ts
+ * const card = await createStripeCardField(containerEl, { publishableKey });
+ * // ...on checkout submit:
+ * const token = await card.tokenize();
+ * await fetch("/api/checkout", { method: "POST", body: JSON.stringify({ paymentSourceToken: token, ... }) });
+ * ```
+ */
+declare function createStripeCardField(container: HTMLElement | string, options: StripeCardFieldOptions): Promise<CardField>;
+//#endregion
+export { CardField, StripeCardFieldOptions, createStripeCardField };
+//# sourceMappingURL=client.d.cts.map

package/dist/client.d.cts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"client.d.cts","names":[],"sources":["../src/client.ts"],"mappings":";UAeiB,sBAAA;EACf,cAAc;AAAA;AAAA,UAGC,SAAA;EACf,QAAA,IAAY,OAAA;EACZ,OAAA,IAAW,OAAO;AAAA;;;;;;;;;AAAA;AAwCpB;;;;iBAAsB,qBAAA,CACpB,SAAA,EAAW,WAAA,WACX,OAAA,EAAS,sBAAA,GACR,OAAA,CAAQ,SAAA"}

package/dist/client.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+//#region src/client.d.ts
+interface StripeCardFieldOptions {
+  publishableKey: string;
+}
+interface CardField {
+  tokenize(): Promise<string>;
+  destroy(): Promise<void>;
+}
+/**
+ * Loads Stripe.js (if not already present), mounts a Card Element on
+ * `container`. The returned `tokenize()` produces a PaymentMethod id
+ * suitable for `PaymentProvider.checkout`'s `paymentSourceToken` — raw
+ * card data never leaves the browser.
+ *
+ * ```ts
+ * const card = await createStripeCardField(containerEl, { publishableKey });
+ * // ...on checkout submit:
+ * const token = await card.tokenize();
+ * await fetch("/api/checkout", { method: "POST", body: JSON.stringify({ paymentSourceToken: token, ... }) });
+ * ```
+ */
+declare function createStripeCardField(container: HTMLElement | string, options: StripeCardFieldOptions): Promise<CardField>;
+//#endregion
+export { CardField, StripeCardFieldOptions, createStripeCardField };
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"client.d.ts","names":[],"sources":["../src/client.ts"],"mappings":";UAeiB,sBAAA;EACf,cAAc;AAAA;AAAA,UAGC,SAAA;EACf,QAAA,IAAY,OAAA;EACZ,OAAA,IAAW,OAAO;AAAA;;;;;;;;;AAAA;AAwCpB;;;;iBAAsB,qBAAA,CACpB,SAAA,EAAW,WAAA,WACX,OAAA,EAAS,sBAAA,GACR,OAAA,CAAQ,SAAA"}

package/dist/client.js ADDED Viewed

@@ -0,0 +1,50 @@
+//#region src/client.ts
+const SDK_URL = "https://js.stripe.com/v3/";
+let sdkLoadPromise;
+function loadStripeSdk() {
+	if (window.Stripe) return Promise.resolve(window.Stripe);
+	if (sdkLoadPromise) return sdkLoadPromise;
+	sdkLoadPromise = new Promise((resolve, reject) => {
+		const script = document.createElement("script");
+		script.src = SDK_URL;
+		script.onload = () => resolve(window.Stripe);
+		script.onerror = () => reject(/* @__PURE__ */ new Error(`Failed to load Stripe.js from ${SDK_URL}`));
+		document.head.appendChild(script);
+	});
+	return sdkLoadPromise;
+}
+/**
+* Loads Stripe.js (if not already present), mounts a Card Element on
+* `container`. The returned `tokenize()` produces a PaymentMethod id
+* suitable for `PaymentProvider.checkout`'s `paymentSourceToken` — raw
+* card data never leaves the browser.
+*
+* ```ts
+* const card = await createStripeCardField(containerEl, { publishableKey });
+* // ...on checkout submit:
+* const token = await card.tokenize();
+* await fetch("/api/checkout", { method: "POST", body: JSON.stringify({ paymentSourceToken: token, ... }) });
+* ```
+*/
+async function createStripeCardField(container, options) {
+	const stripe = (await loadStripeSdk())(options.publishableKey);
+	const card = stripe.elements().create("card");
+	card.mount(container);
+	return {
+		async tokenize() {
+			const { paymentMethod, error } = await stripe.createPaymentMethod({
+				type: "card",
+				card
+			});
+			if (error) throw new Error(`Stripe card tokenization failed: ${error.message}`);
+			return paymentMethod.id;
+		},
+		async destroy() {
+			card.unmount();
+		}
+	};
+}
+//#endregion
+export { createStripeCardField };
+//# sourceMappingURL=client.js.map

package/dist/client.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"client.js","names":[],"sources":["../src/client.ts"],"sourcesContent":["// Copyright (c) 2026 BowenLabs. All rights reserved.\n// MIT licensed. See LICENSE in the repo root.\n//\n// Browser-only client-side tokenization helper — a separate subpath\n// (`@thebes/cadmea-plugin-ecommerce-stripe/client`), matching\n// `@thebes/cadmea-plugin-ecommerce-square/client`'s shape exactly\n// (`createXCardField` → `{ tokenize(), destroy() }`) so a consumer's\n// checkout UI can swap providers without rewriting its own component —\n// the client-side mirror of `PaymentProvider`'s own swappability.\n//\n// Stripe.js/Elements is likewise vanilla and framework-agnostic with no\n// official Solid binding — same precedent as the Square client (see\n// DECISIONS.md's 2026-06-19 entry on Phosphor/TipTap). Card data never\n// reaches the Worker — tokenization happens entirely in the browser, here.\n\nexport interface StripeCardFieldOptions {\n publishableKey: string;\n}\n\nexport interface CardField {\n tokenize(): Promise<string>;\n destroy(): Promise<void>;\n}\n\n// biome-ignore lint/suspicious/noExplicitAny: Stripe.js ships no official TypeScript types loadable without the `@stripe/stripe-js` npm package, which this plugin deliberately doesn't depend on\ntype StripeGlobal = any;\n\nconst SDK_URL = \"https://js.stripe.com/v3/\";\n\nlet sdkLoadPromise: Promise<StripeGlobal> | undefined;\n\nfunction loadStripeSdk(): Promise<StripeGlobal> {\n if ((window as { Stripe?: StripeGlobal }).Stripe) {\n return Promise.resolve((window as { Stripe?: StripeGlobal }).Stripe);\n }\n if (sdkLoadPromise) return sdkLoadPromise;\n\n sdkLoadPromise = new Promise((resolve, reject) => {\n const script = document.createElement(\"script\");\n script.src = SDK_URL;\n script.onload = () => resolve((window as { Stripe?: StripeGlobal }).Stripe);\n script.onerror = () =>\n reject(new Error(`Failed to load Stripe.js from ${SDK_URL}`));\n document.head.appendChild(script);\n });\n return sdkLoadPromise;\n}\n\n/**\n * Loads Stripe.js (if not already present), mounts a Card Element on\n * `container`. The returned `tokenize()` produces a PaymentMethod id\n * suitable for `PaymentProvider.checkout`'s `paymentSourceToken` — raw\n * card data never leaves the browser.\n *\n * ```ts\n * const card = await createStripeCardField(containerEl, { publishableKey });\n * // ...on checkout submit:\n * const token = await card.tokenize();\n * await fetch(\"/api/checkout\", { method: \"POST\", body: JSON.stringify({ paymentSourceToken: token, ... }) });\n * ```\n */\nexport async function createStripeCardField(\n container: HTMLElement | string,\n options: StripeCardFieldOptions,\n): Promise<CardField> {\n const StripeCtor = await loadStripeSdk();\n const stripe = StripeCtor(options.publishableKey);\n const elements = stripe.elements();\n const card = elements.create(\"card\");\n card.mount(container);\n\n return {\n async tokenize() {\n const { paymentMethod, error } = await stripe.createPaymentMethod({\n type: \"card\",\n card,\n });\n if (error) {\n throw new Error(`Stripe card tokenization failed: ${error.message}`);\n }\n return paymentMethod.id as string;\n },\n async destroy() {\n card.unmount();\n },\n };\n}\n"],"mappings":";AA2BA,MAAM,UAAU;AAEhB,IAAI;AAEJ,SAAS,gBAAuC;CAC9C,IAAK,OAAqC,QACxC,OAAO,QAAQ,QAAS,OAAqC,MAAM;CAErE,IAAI,gBAAgB,OAAO;CAE3B,iBAAiB,IAAI,SAAS,SAAS,WAAW;EAChD,MAAM,SAAS,SAAS,cAAc,QAAQ;EAC9C,OAAO,MAAM;EACb,OAAO,eAAe,QAAS,OAAqC,MAAM;EAC1E,OAAO,gBACL,uBAAO,IAAI,MAAM,iCAAiC,SAAS,CAAC;EAC9D,SAAS,KAAK,YAAY,MAAM;CAClC,CAAC;CACD,OAAO;AACT;;;;;;;;;;;;;;AAeA,eAAsB,sBACpB,WACA,SACoB;CAEpB,MAAM,UAAS,MADU,cAAc,EAAA,CACb,QAAQ,cAAc;CAEhD,MAAM,OADW,OAAO,SACJ,CAAC,CAAC,OAAO,MAAM;CACnC,KAAK,MAAM,SAAS;CAEpB,OAAO;EACL,MAAM,WAAW;GACf,MAAM,EAAE,eAAe,UAAU,MAAM,OAAO,oBAAoB;IAChE,MAAM;IACN;GACF,CAAC;GACD,IAAI,OACF,MAAM,IAAI,MAAM,oCAAoC,MAAM,SAAS;GAErE,OAAO,cAAc;EACvB;EACA,MAAM,UAAU;GACd,KAAK,QAAQ;EACf;CACF;AACF"}

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,234 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+//#region src/provider.ts
+const DEFAULT_API_VERSION = "2024-12-18.acacia";
+const DEFAULT_WEBHOOK_TOLERANCE_SECONDS = 300;
+const BASE_URL = "https://api.stripe.com";
+var StripeApiError = class extends Error {
+	status;
+	body;
+	constructor(message, status, body) {
+		super(message);
+		this.status = status;
+		this.body = body;
+		this.name = "StripeApiError";
+	}
+};
+function toFormBody(params, prefix) {
+	const body = new URLSearchParams();
+	const append = (key, value) => {
+		if (value === void 0 || value === null) return;
+		if (Array.isArray(value)) {
+			value.forEach((item, index) => {
+				for (const [k, v] of toFormBody({ [String(index)]: item }, key).entries()) body.append(k, v);
+			});
+			return;
+		}
+		if (typeof value === "object") {
+			for (const [k, v] of toFormBody(value, key).entries()) body.append(k, v);
+			return;
+		}
+		body.append(key, String(value));
+	};
+	for (const [key, value] of Object.entries(params)) append(prefix ? `${prefix}[${key}]` : key, value);
+	return body;
+}
+async function stripeFetch(config, path, init) {
+	const url = new URL(`${BASE_URL}${path}`);
+	if (init.query) for (const [key, value] of Object.entries(init.query)) url.searchParams.set(key, value);
+	const headers = {
+		Authorization: `Bearer ${config.secretKey}`,
+		"Stripe-Version": config.apiVersion ?? DEFAULT_API_VERSION
+	};
+	if (init.idempotencyKey) headers["Idempotency-Key"] = init.idempotencyKey;
+	if (init.body) headers["Content-Type"] = "application/x-www-form-urlencoded";
+	const response = await fetch(url, {
+		method: init.method,
+		headers,
+		body: init.body ? toFormBody(init.body) : void 0
+	});
+	const text = await response.text();
+	const parsed = text ? JSON.parse(text) : {};
+	if (!response.ok) throw new StripeApiError(`Stripe API request to "${path}" failed with status ${response.status}`, response.status, parsed);
+	return parsed;
+}
+async function checkCatalogPrices(config, refs) {
+	return Promise.all(refs.map(async (catalogRef) => {
+		const price = await stripeFetch(config, `/v1/prices/${catalogRef}`, { method: "GET" });
+		return {
+			catalogRef,
+			serverUnitPrice: {
+				amount: price.unit_amount ?? 0,
+				currency: (price.currency ?? "usd").toUpperCase()
+			},
+			availableQuantity: void 0
+		};
+	}));
+}
+async function findOrCreateCustomer(config, email, idempotencyKey) {
+	const existing = (await stripeFetch(config, "/v1/customers", {
+		method: "GET",
+		query: {
+			email,
+			limit: "1"
+		}
+	})).data?.[0];
+	if (existing) return existing.id;
+	return (await stripeFetch(config, "/v1/customers", {
+		method: "POST",
+		body: { email },
+		idempotencyKey
+	})).id;
+}
+function mapStripePaymentIntentStatus(status) {
+	if (status === "succeeded") return "succeeded";
+	if (status === "requires_action" || status === "requires_confirmation") return "requires_action";
+	return "failed";
+}
+async function checkout(config, request) {
+	const amount = request.lineItems.reduce((sum, item) => sum + item.clientUnitPrice.amount * item.quantity, 0);
+	const currency = (request.lineItems[0]?.clientUnitPrice.currency ?? "USD").toLowerCase();
+	const paymentIntent = await stripeFetch(config, "/v1/payment_intents", {
+		method: "POST",
+		body: {
+			amount,
+			currency,
+			payment_method: request.paymentSourceToken,
+			confirm: true,
+			automatic_payment_methods: {
+				enabled: true,
+				allow_redirects: "never"
+			},
+			metadata: request.metadata
+		},
+		idempotencyKey: request.idempotencyKey
+	});
+	const id = paymentIntent.id;
+	return {
+		providerOrderRef: id,
+		providerPaymentRef: id,
+		status: mapStripePaymentIntentStatus(paymentIntent.status),
+		amount: {
+			amount: paymentIntent.amount,
+			currency: (paymentIntent.currency ?? currency).toUpperCase()
+		},
+		raw: paymentIntent
+	};
+}
+function timingSafeEqual(a, b) {
+	if (a.length !== b.length) return false;
+	let mismatch = 0;
+	for (let i = 0; i < a.length; i++) mismatch |= a.charCodeAt(i) ^ b.charCodeAt(i);
+	return mismatch === 0;
+}
+async function hmacSha256Hex(message, secret) {
+	const key = await crypto.subtle.importKey("raw", new TextEncoder().encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign"]);
+	const signature = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(message));
+	return Array.from(new Uint8Array(signature), (b) => b.toString(16).padStart(2, "0")).join("");
+}
+function createVerifyWebhookSignature(config) {
+	return async ({ rawBody, headers, secret }) => {
+		const header = headers.get("stripe-signature");
+		if (!header) return false;
+		const parts = /* @__PURE__ */ new Map();
+		for (const part of header.split(",")) {
+			const [key, value] = part.split("=");
+			if (key && value) parts.set(key, value);
+		}
+		const timestamp = parts.get("t");
+		const signature = parts.get("v1");
+		if (!timestamp || !signature) return false;
+		const tolerance = config.webhookToleranceSeconds ?? DEFAULT_WEBHOOK_TOLERANCE_SECONDS;
+		if (Math.abs(Date.now() / 1e3 - Number.parseInt(timestamp, 10)) > tolerance) return false;
+		return timingSafeEqual(await hmacSha256Hex(`${timestamp}.${rawBody}`, secret), signature);
+	};
+}
+function parseWebhookEvent(rawBody) {
+	const payload = JSON.parse(rawBody);
+	const eventId = payload.id;
+	const object = payload.data.object;
+	if (payload.type === "payment_intent.succeeded") return {
+		eventId,
+		event: {
+			kind: "payment.updated",
+			providerPaymentRef: object.id,
+			status: "succeeded"
+		}
+	};
+	if (payload.type === "payment_intent.payment_failed") return {
+		eventId,
+		event: {
+			kind: "payment.updated",
+			providerPaymentRef: object.id,
+			status: "failed"
+		}
+	};
+	if (payload.type === "charge.refunded") return {
+		eventId,
+		event: {
+			kind: "payment.updated",
+			providerPaymentRef: object.payment_intent,
+			status: "refunded"
+		}
+	};
+	if (payload.type === "customer.subscription.updated" || payload.type === "customer.subscription.created") return {
+		eventId,
+		event: {
+			kind: "subscription.updated",
+			providerSubscriptionRef: object.id,
+			status: object.status
+		}
+	};
+	return {
+		eventId,
+		event: {
+			kind: "unhandled",
+			rawType: payload.type
+		}
+	};
+}
+/**
+* Creates a `PaymentProvider` backed by Stripe's REST API — raw `fetch()`
+* + `crypto.subtle`, no Stripe Node SDK. Implements the required
+* `checkCatalogPrices`/`findOrCreateCustomer`/`checkout`/
+* `verifyWebhookSignature`/`parseWebhookEvent`, plus the optional
+* `subscriptions` capability via Stripe's native Subscriptions API (a
+* better fit than the Square provider's loyalty/recurring-order model,
+* which omits this capability entirely). `catalogSync` is omitted, same
+* as the Square provider's first cut.
+*/
+function createStripePaymentProvider(config) {
+	return {
+		name: "stripe",
+		checkCatalogPrices: (refs) => checkCatalogPrices(config, refs),
+		findOrCreateCustomer: (email, idempotencyKey) => findOrCreateCustomer(config, email, idempotencyKey),
+		checkout: (request) => checkout(config, request),
+		verifyWebhookSignature: createVerifyWebhookSignature(config),
+		parseWebhookEvent,
+		subscriptions: {
+			async create(args) {
+				const subscription = await stripeFetch(config, "/v1/subscriptions", {
+					method: "POST",
+					body: {
+						customer: args.customerRef,
+						items: [{ price: args.planRef }]
+					},
+					idempotencyKey: args.idempotencyKey
+				});
+				return {
+					providerSubscriptionRef: subscription.id,
+					status: subscription.status
+				};
+			},
+			async cancel(providerSubscriptionRef) {
+				await stripeFetch(config, `/v1/subscriptions/${providerSubscriptionRef}`, { method: "DELETE" });
+			}
+		}
+	};
+}
+//#endregion
+exports.createStripePaymentProvider = createStripePaymentProvider;
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.cjs","names":[],"sources":["../src/provider.ts"],"sourcesContent":["// Copyright (c) 2026 BowenLabs. All rights reserved.\n// MIT licensed. See LICENSE in the repo root.\n//\n// Stripe's REST API directly via fetch() — never the `stripe` npm SDK\n// (Node-targeted; relies on node:crypto/node:http internally for some\n// operations). Webhook signature verification uses crypto.subtle.\n//\n// Real interface friction vs. the Square provider (PaymentProvider was\n// pressure-tested against this on purpose, per the build plan — these\n// aren't bugs, they're the asymmetry the interface has to absorb):\n// 1. Stripe's API takes `application/x-www-form-urlencoded` bodies, not\n// JSON — see `toFormBody` below.\n// 2. Stripe's idempotency key is an `Idempotency-Key` HTTP header, not a\n// body field the way Square's `idempotency_key` is.\n// 3. Stripe has no object analogous to Square's separate Order — a\n// `PaymentIntent` is both \"the order\" and \"the payment\" in one. This\n// provider sets `providerOrderRef` and `providerPaymentRef` to the\n// same PaymentIntent id rather than inventing a fake second id.\n// 4. Stripe has no native inventory/catalog concept matching Square's\n// Catalog+Inventory APIs — `checkCatalogPrices` reads `Price` objects\n// (`unit_amount`/`currency`) and always returns `availableQuantity:\n// undefined` (Stripe doesn't track it, so there's nothing honest to\n// report).\n// 5. Stripe's native Subscriptions API is a better fit for the optional\n// `subscriptions` capability than Square's loyalty/recurring-order\n// model — implemented here, omitted in the Square provider.\n\nimport type {\n CatalogPriceCheck,\n CheckoutRequest,\n CheckoutResult,\n PaymentProvider,\n} from \"@thebes/cadmea-plugin-ecommerce\";\n\nexport interface StripeProviderConfig {\n secretKey: string;\n /** Stripe's pinned API version header (`Stripe-Version`). Default: a fixed, tested version — bump deliberately, not implicitly. */\n apiVersion?: string;\n /** Seconds of clock skew tolerated on a webhook's `t=` timestamp before it's rejected as stale. Default: 300 (Stripe's own recommended tolerance). */\n webhookToleranceSeconds?: number;\n}\n\nconst DEFAULT_API_VERSION = \"2024-12-18.acacia\";\nconst DEFAULT_WEBHOOK_TOLERANCE_SECONDS = 300;\nconst BASE_URL = \"https://api.stripe.com\";\n\nclass StripeApiError extends Error {\n constructor(\n message: string,\n public readonly status: number,\n public readonly body: unknown,\n ) {\n super(message);\n this.name = \"StripeApiError\";\n }\n}\n\n// Stripe's form-encoding for nested objects uses bracket notation\n// (`items[0][price]=...`) — this plugin's own usage is shallow enough\n// that a small recursive flattener covers it without needing a general\n// qs-style library dependency.\nfunction toFormBody(\n params: Record<string, unknown>,\n prefix?: string,\n): URLSearchParams {\n const body = new URLSearchParams();\n const append = (key: string, value: unknown) => {\n if (value === undefined || value === null) return;\n if (Array.isArray(value)) {\n value.forEach((item, index) => {\n for (const [k, v] of toFormBody(\n { [String(index)]: item },\n key,\n ).entries()) {\n body.append(k, v);\n }\n });\n return;\n }\n if (typeof value === \"object\") {\n for (const [k, v] of toFormBody(\n value as Record<string, unknown>,\n key,\n ).entries()) {\n body.append(k, v);\n }\n return;\n }\n body.append(key, String(value));\n };\n for (const [key, value] of Object.entries(params)) {\n append(prefix ? `${prefix}[${key}]` : key, value);\n }\n return body;\n}\n\nasync function stripeFetch(\n config: StripeProviderConfig,\n path: string,\n init: {\n method: string;\n body?: Record<string, unknown>;\n idempotencyKey?: string;\n query?: Record<string, string>;\n },\n): Promise<Record<string, unknown>> {\n const url = new URL(`${BASE_URL}${path}`);\n if (init.query) {\n for (const [key, value] of Object.entries(init.query)) {\n url.searchParams.set(key, value);\n }\n }\n\n const headers: Record<string, string> = {\n Authorization: `Bearer ${config.secretKey}`,\n \"Stripe-Version\": config.apiVersion ?? DEFAULT_API_VERSION,\n };\n if (init.idempotencyKey) headers[\"Idempotency-Key\"] = init.idempotencyKey;\n if (init.body) headers[\"Content-Type\"] = \"application/x-www-form-urlencoded\";\n\n const response = await fetch(url, {\n method: init.method,\n headers,\n body: init.body ? toFormBody(init.body) : undefined,\n });\n const text = await response.text();\n const parsed = text ? JSON.parse(text) : {};\n if (!response.ok) {\n throw new StripeApiError(\n `Stripe API request to \"${path}\" failed with status ${response.status}`,\n response.status,\n parsed,\n );\n }\n return parsed;\n}\n\nasync function checkCatalogPrices(\n config: StripeProviderConfig,\n refs: string[],\n): Promise<CatalogPriceCheck[]> {\n return Promise.all(\n refs.map(async (catalogRef) => {\n const price = await stripeFetch(config, `/v1/prices/${catalogRef}`, {\n method: \"GET\",\n });\n return {\n catalogRef,\n serverUnitPrice: {\n amount: (price.unit_amount as number) ?? 0,\n currency: ((price.currency as string) ?? \"usd\").toUpperCase(),\n },\n // Stripe has no native inventory concept — nothing honest to report.\n availableQuantity: undefined,\n };\n }),\n );\n}\n\nasync function findOrCreateCustomer(\n config: StripeProviderConfig,\n email: string,\n idempotencyKey: string,\n): Promise<string> {\n const list = await stripeFetch(config, \"/v1/customers\", {\n method: \"GET\",\n query: { email, limit: \"1\" },\n });\n const existing = (list.data as Array<{ id: string }> | undefined)?.[0];\n if (existing) return existing.id;\n\n const created = await stripeFetch(config, \"/v1/customers\", {\n method: \"POST\",\n body: { email },\n idempotencyKey,\n });\n return created.id as string;\n}\n\nfunction mapStripePaymentIntentStatus(\n status: string | undefined,\n): CheckoutResult[\"status\"] {\n if (status === \"succeeded\") return \"succeeded\";\n if (status === \"requires_action\" || status === \"requires_confirmation\") {\n return \"requires_action\";\n }\n return \"failed\";\n}\n\nasync function checkout(\n config: StripeProviderConfig,\n request: CheckoutRequest,\n): Promise<CheckoutResult> {\n const amount = request.lineItems.reduce(\n (sum, item) => sum + item.clientUnitPrice.amount * item.quantity,\n 0,\n );\n const currency = (\n request.lineItems[0]?.clientUnitPrice.currency ?? \"USD\"\n ).toLowerCase();\n\n // One call, confirmed immediately — Stripe's PaymentIntent is both \"the\n // order\" and \"the charge\" at once, unlike Square's separate Orders +\n // Payments calls.\n const paymentIntent = await stripeFetch(config, \"/v1/payment_intents\", {\n method: \"POST\",\n body: {\n amount,\n currency,\n payment_method: request.paymentSourceToken,\n confirm: true,\n // automatic_payment_methods.allow_redirects: \"never\" keeps this a\n // single synchronous confirm — redirect-based methods would need a\n // requires_action round trip this checkout flow doesn't implement.\n automatic_payment_methods: { enabled: true, allow_redirects: \"never\" },\n metadata: request.metadata,\n },\n idempotencyKey: request.idempotencyKey,\n });\n\n const id = paymentIntent.id as string;\n return {\n providerOrderRef: id,\n providerPaymentRef: id,\n status: mapStripePaymentIntentStatus(paymentIntent.status as string),\n amount: {\n amount: paymentIntent.amount as number,\n currency: ((paymentIntent.currency as string) ?? currency).toUpperCase(),\n },\n raw: paymentIntent,\n };\n}\n\nfunction timingSafeEqual(a: string, b: string): boolean {\n if (a.length !== b.length) return false;\n let mismatch = 0;\n for (let i = 0; i < a.length; i++) {\n mismatch |= a.charCodeAt(i) ^ b.charCodeAt(i);\n }\n return mismatch === 0;\n}\n\nasync function hmacSha256Hex(message: string, secret: string): Promise<string> {\n const key = await crypto.subtle.importKey(\n \"raw\",\n new TextEncoder().encode(secret),\n { name: \"HMAC\", hash: \"SHA-256\" },\n false,\n [\"sign\"],\n );\n const signature = await crypto.subtle.sign(\n \"HMAC\",\n key,\n new TextEncoder().encode(message),\n );\n return Array.from(new Uint8Array(signature), (b) =>\n b.toString(16).padStart(2, \"0\"),\n ).join(\"\");\n}\n\nfunction createVerifyWebhookSignature(\n config: StripeProviderConfig,\n): PaymentProvider[\"verifyWebhookSignature\"] {\n return async ({ rawBody, headers, secret }) => {\n const header = headers.get(\"stripe-signature\");\n if (!header) return false;\n\n // Header format: \"t=<timestamp>,v1=<signature>[,v0=<old_signature>]\" —\n // parse rather than regex-matching positionally, since Stripe doesn't\n // guarantee component order.\n const parts = new Map<string, string>();\n for (const part of header.split(\",\")) {\n const [key, value] = part.split(\"=\");\n if (key && value) parts.set(key, value);\n }\n const timestamp = parts.get(\"t\");\n const signature = parts.get(\"v1\");\n if (!timestamp || !signature) return false;\n\n const tolerance =\n config.webhookToleranceSeconds ?? DEFAULT_WEBHOOK_TOLERANCE_SECONDS;\n const age = Math.abs(Date.now() / 1000 - Number.parseInt(timestamp, 10));\n if (age > tolerance) return false;\n\n const expected = await hmacSha256Hex(`${timestamp}.${rawBody}`, secret);\n return timingSafeEqual(expected, signature);\n };\n}\n\ninterface StripeWebhookPayload {\n id: string;\n type: string;\n data: { object: Record<string, unknown> };\n}\n\nfunction parseWebhookEvent(rawBody: string) {\n const payload = JSON.parse(rawBody) as StripeWebhookPayload;\n const eventId = payload.id;\n const object = payload.data.object;\n\n if (payload.type === \"payment_intent.succeeded\") {\n return {\n eventId,\n event: {\n kind: \"payment.updated\" as const,\n providerPaymentRef: object.id as string,\n status: \"succeeded\" as const,\n },\n };\n }\n\n if (payload.type === \"payment_intent.payment_failed\") {\n return {\n eventId,\n event: {\n kind: \"payment.updated\" as const,\n providerPaymentRef: object.id as string,\n status: \"failed\" as const,\n },\n };\n }\n\n if (payload.type === \"charge.refunded\") {\n return {\n eventId,\n event: {\n kind: \"payment.updated\" as const,\n providerPaymentRef: object.payment_intent as string,\n status: \"refunded\" as const,\n },\n };\n }\n\n if (\n payload.type === \"customer.subscription.updated\" ||\n payload.type === \"customer.subscription.created\"\n ) {\n return {\n eventId,\n event: {\n kind: \"subscription.updated\" as const,\n providerSubscriptionRef: object.id as string,\n status: object.status as string,\n },\n };\n }\n\n return {\n eventId,\n event: { kind: \"unhandled\" as const, rawType: payload.type },\n };\n}\n\n/**\n * Creates a `PaymentProvider` backed by Stripe's REST API — raw `fetch()`\n * + `crypto.subtle`, no Stripe Node SDK. Implements the required\n * `checkCatalogPrices`/`findOrCreateCustomer`/`checkout`/\n * `verifyWebhookSignature`/`parseWebhookEvent`, plus the optional\n * `subscriptions` capability via Stripe's native Subscriptions API (a\n * better fit than the Square provider's loyalty/recurring-order model,\n * which omits this capability entirely). `catalogSync` is omitted, same\n * as the Square provider's first cut.\n */\nexport function createStripePaymentProvider(\n config: StripeProviderConfig,\n): PaymentProvider {\n return {\n name: \"stripe\",\n checkCatalogPrices: (refs) => checkCatalogPrices(config, refs),\n findOrCreateCustomer: (email, idempotencyKey) =>\n findOrCreateCustomer(config, email, idempotencyKey),\n checkout: (request) => checkout(config, request),\n verifyWebhookSignature: createVerifyWebhookSignature(config),\n parseWebhookEvent,\n subscriptions: {\n async create(args) {\n const subscription = await stripeFetch(config, \"/v1/subscriptions\", {\n method: \"POST\",\n body: {\n customer: args.customerRef,\n items: [{ price: args.planRef }],\n },\n idempotencyKey: args.idempotencyKey,\n });\n return {\n providerSubscriptionRef: subscription.id as string,\n status: subscription.status as string,\n };\n },\n async cancel(providerSubscriptionRef) {\n await stripeFetch(\n config,\n `/v1/subscriptions/${providerSubscriptionRef}`,\n { method: \"DELETE\" },\n );\n },\n },\n };\n}\n"],"mappings":";;AA0CA,MAAM,sBAAsB;AAC5B,MAAM,oCAAoC;AAC1C,MAAM,WAAW;AAEjB,IAAM,iBAAN,cAA6B,MAAM;CAGf;CACA;CAHlB,YACE,SACA,QACA,MACA;EACA,MAAM,OAAO;EAHG,KAAA,SAAA;EACA,KAAA,OAAA;EAGhB,KAAK,OAAO;CACd;AACF;AAMA,SAAS,WACP,QACA,QACiB;CACjB,MAAM,OAAO,IAAI,gBAAgB;CACjC,MAAM,UAAU,KAAa,UAAmB;EAC9C,IAAI,UAAU,KAAA,KAAa,UAAU,MAAM;EAC3C,IAAI,MAAM,QAAQ,KAAK,GAAG;GACxB,MAAM,SAAS,MAAM,UAAU;IAC7B,KAAK,MAAM,CAAC,GAAG,MAAM,WACnB,GAAG,OAAO,KAAK,IAAI,KAAK,GACxB,GACF,CAAC,CAAC,QAAQ,GACR,KAAK,OAAO,GAAG,CAAC;GAEpB,CAAC;GACD;EACF;EACA,IAAI,OAAO,UAAU,UAAU;GAC7B,KAAK,MAAM,CAAC,GAAG,MAAM,WACnB,OACA,GACF,CAAC,CAAC,QAAQ,GACR,KAAK,OAAO,GAAG,CAAC;GAElB;EACF;EACA,KAAK,OAAO,KAAK,OAAO,KAAK,CAAC;CAChC;CACA,KAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,GAC9C,OAAO,SAAS,GAAG,OAAO,GAAG,IAAI,KAAK,KAAK,KAAK;CAElD,OAAO;AACT;AAEA,eAAe,YACb,QACA,MACA,MAMkC;CAClC,MAAM,MAAM,IAAI,IAAI,GAAG,WAAW,MAAM;CACxC,IAAI,KAAK,OACP,KAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,KAAK,KAAK,GAClD,IAAI,aAAa,IAAI,KAAK,KAAK;CAInC,MAAM,UAAkC;EACtC,eAAe,UAAU,OAAO;EAChC,kBAAkB,OAAO,cAAc;CACzC;CACA,IAAI,KAAK,gBAAgB,QAAQ,qBAAqB,KAAK;CAC3D,IAAI,KAAK,MAAM,QAAQ,kBAAkB;CAEzC,MAAM,WAAW,MAAM,MAAM,KAAK;EAChC,QAAQ,KAAK;EACb;EACA,MAAM,KAAK,OAAO,WAAW,KAAK,IAAI,IAAI,KAAA;CAC5C,CAAC;CACD,MAAM,OAAO,MAAM,SAAS,KAAK;CACjC,MAAM,SAAS,OAAO,KAAK,MAAM,IAAI,IAAI,CAAC;CAC1C,IAAI,CAAC,SAAS,IACZ,MAAM,IAAI,eACR,0BAA0B,KAAK,uBAAuB,SAAS,UAC/D,SAAS,QACT,MACF;CAEF,OAAO;AACT;AAEA,eAAe,mBACb,QACA,MAC8B;CAC9B,OAAO,QAAQ,IACb,KAAK,IAAI,OAAO,eAAe;EAC7B,MAAM,QAAQ,MAAM,YAAY,QAAQ,cAAc,cAAc,EAClE,QAAQ,MACV,CAAC;EACD,OAAO;GACL;GACA,iBAAiB;IACf,QAAS,MAAM,eAA0B;IACzC,WAAY,MAAM,YAAuB,MAAA,CAAO,YAAY;GAC9D;GAEA,mBAAmB,KAAA;EACrB;CACF,CAAC,CACH;AACF;AAEA,eAAe,qBACb,QACA,OACA,gBACiB;CAKjB,MAAM,YAAY,MAJC,YAAY,QAAQ,iBAAiB;EACtD,QAAQ;EACR,OAAO;GAAE;GAAO,OAAO;EAAI;CAC7B,CAAC,EAAA,CACsB,OAA6C;CACpE,IAAI,UAAU,OAAO,SAAS;CAO9B,QAAO,MALe,YAAY,QAAQ,iBAAiB;EACzD,QAAQ;EACR,MAAM,EAAE,MAAM;EACd;CACF,CAAC,EAAA,CACc;AACjB;AAEA,SAAS,6BACP,QAC0B;CAC1B,IAAI,WAAW,aAAa,OAAO;CACnC,IAAI,WAAW,qBAAqB,WAAW,yBAC7C,OAAO;CAET,OAAO;AACT;AAEA,eAAe,SACb,QACA,SACyB;CACzB,MAAM,SAAS,QAAQ,UAAU,QAC9B,KAAK,SAAS,MAAM,KAAK,gBAAgB,SAAS,KAAK,UACxD,CACF;CACA,MAAM,YACJ,QAAQ,UAAU,EAAE,EAAE,gBAAgB,YAAY,MAAA,CAClD,YAAY;CAKd,MAAM,gBAAgB,MAAM,YAAY,QAAQ,uBAAuB;EACrE,QAAQ;EACR,MAAM;GACJ;GACA;GACA,gBAAgB,QAAQ;GACxB,SAAS;GAIT,2BAA2B;IAAE,SAAS;IAAM,iBAAiB;GAAQ;GACrE,UAAU,QAAQ;EACpB;EACA,gBAAgB,QAAQ;CAC1B,CAAC;CAED,MAAM,KAAK,cAAc;CACzB,OAAO;EACL,kBAAkB;EAClB,oBAAoB;EACpB,QAAQ,6BAA6B,cAAc,MAAgB;EACnE,QAAQ;GACN,QAAQ,cAAc;GACtB,WAAY,cAAc,YAAuB,SAAA,CAAU,YAAY;EACzE;EACA,KAAK;CACP;AACF;AAEA,SAAS,gBAAgB,GAAW,GAAoB;CACtD,IAAI,EAAE,WAAW,EAAE,QAAQ,OAAO;CAClC,IAAI,WAAW;CACf,KAAK,IAAI,IAAI,GAAG,IAAI,EAAE,QAAQ,KAC5B,YAAY,EAAE,WAAW,CAAC,IAAI,EAAE,WAAW,CAAC;CAE9C,OAAO,aAAa;AACtB;AAEA,eAAe,cAAc,SAAiB,QAAiC;CAC7E,MAAM,MAAM,MAAM,OAAO,OAAO,UAC9B,OACA,IAAI,YAAY,CAAC,CAAC,OAAO,MAAM,GAC/B;EAAE,MAAM;EAAQ,MAAM;CAAU,GAChC,OACA,CAAC,MAAM,CACT;CACA,MAAM,YAAY,MAAM,OAAO,OAAO,KACpC,QACA,KACA,IAAI,YAAY,CAAC,CAAC,OAAO,OAAO,CAClC;CACA,OAAO,MAAM,KAAK,IAAI,WAAW,SAAS,IAAI,MAC5C,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,GAAG,GAAG,CAChC,CAAC,CAAC,KAAK,EAAE;AACX;AAEA,SAAS,6BACP,QAC2C;CAC3C,OAAO,OAAO,EAAE,SAAS,SAAS,aAAa;EAC7C,MAAM,SAAS,QAAQ,IAAI,kBAAkB;EAC7C,IAAI,CAAC,QAAQ,OAAO;EAKpB,MAAM,wBAAQ,IAAI,IAAoB;EACtC,KAAK,MAAM,QAAQ,OAAO,MAAM,GAAG,GAAG;GACpC,MAAM,CAAC,KAAK,SAAS,KAAK,MAAM,GAAG;GACnC,IAAI,OAAO,OAAO,MAAM,IAAI,KAAK,KAAK;EACxC;EACA,MAAM,YAAY,MAAM,IAAI,GAAG;EAC/B,MAAM,YAAY,MAAM,IAAI,IAAI;EAChC,IAAI,CAAC,aAAa,CAAC,WAAW,OAAO;EAErC,MAAM,YACJ,OAAO,2BAA2B;EAEpC,IADY,KAAK,IAAI,KAAK,IAAI,IAAI,MAAO,OAAO,SAAS,WAAW,EAAE,CAChE,IAAI,WAAW,OAAO;EAG5B,OAAO,gBAAgB,MADA,cAAc,GAAG,UAAU,GAAG,WAAW,MAAM,GACrC,SAAS;CAC5C;AACF;AAQA,SAAS,kBAAkB,SAAiB;CAC1C,MAAM,UAAU,KAAK,MAAM,OAAO;CAClC,MAAM,UAAU,QAAQ;CACxB,MAAM,SAAS,QAAQ,KAAK;CAE5B,IAAI,QAAQ,SAAS,4BACnB,OAAO;EACL;EACA,OAAO;GACL,MAAM;GACN,oBAAoB,OAAO;GAC3B,QAAQ;EACV;CACF;CAGF,IAAI,QAAQ,SAAS,iCACnB,OAAO;EACL;EACA,OAAO;GACL,MAAM;GACN,oBAAoB,OAAO;GAC3B,QAAQ;EACV;CACF;CAGF,IAAI,QAAQ,SAAS,mBACnB,OAAO;EACL;EACA,OAAO;GACL,MAAM;GACN,oBAAoB,OAAO;GAC3B,QAAQ;EACV;CACF;CAGF,IACE,QAAQ,SAAS,mCACjB,QAAQ,SAAS,iCAEjB,OAAO;EACL;EACA,OAAO;GACL,MAAM;GACN,yBAAyB,OAAO;GAChC,QAAQ,OAAO;EACjB;CACF;CAGF,OAAO;EACL;EACA,OAAO;GAAE,MAAM;GAAsB,SAAS,QAAQ;EAAK;CAC7D;AACF;;;;;;;;;;;AAYA,SAAgB,4BACd,QACiB;CACjB,OAAO;EACL,MAAM;EACN,qBAAqB,SAAS,mBAAmB,QAAQ,IAAI;EAC7D,uBAAuB,OAAO,mBAC5B,qBAAqB,QAAQ,OAAO,cAAc;EACpD,WAAW,YAAY,SAAS,QAAQ,OAAO;EAC/C,wBAAwB,6BAA6B,MAAM;EAC3D;EACA,eAAe;GACb,MAAM,OAAO,MAAM;IACjB,MAAM,eAAe,MAAM,YAAY,QAAQ,qBAAqB;KAClE,QAAQ;KACR,MAAM;MACJ,UAAU,KAAK;MACf,OAAO,CAAC,EAAE,OAAO,KAAK,QAAQ,CAAC;KACjC;KACA,gBAAgB,KAAK;IACvB,CAAC;IACD,OAAO;KACL,yBAAyB,aAAa;KACtC,QAAQ,aAAa;IACvB;GACF;GACA,MAAM,OAAO,yBAAyB;IACpC,MAAM,YACJ,QACA,qBAAqB,2BACrB,EAAE,QAAQ,SAAS,CACrB;GACF;EACF;CACF;AACF"}

package/dist/index.d.cts ADDED Viewed

@@ -0,0 +1,24 @@
+import { PaymentProvider } from "@thebes/cadmea-plugin-ecommerce";
+//#region src/provider.d.ts
+interface StripeProviderConfig {
+  secretKey: string;
+  /** Stripe's pinned API version header (`Stripe-Version`). Default: a fixed, tested version — bump deliberately, not implicitly. */
+  apiVersion?: string;
+  /** Seconds of clock skew tolerated on a webhook's `t=` timestamp before it's rejected as stale. Default: 300 (Stripe's own recommended tolerance). */
+  webhookToleranceSeconds?: number;
+}
+/**
+ * Creates a `PaymentProvider` backed by Stripe's REST API — raw `fetch()`
+ * + `crypto.subtle`, no Stripe Node SDK. Implements the required
+ * `checkCatalogPrices`/`findOrCreateCustomer`/`checkout`/
+ * `verifyWebhookSignature`/`parseWebhookEvent`, plus the optional
+ * `subscriptions` capability via Stripe's native Subscriptions API (a
+ * better fit than the Square provider's loyalty/recurring-order model,
+ * which omits this capability entirely). `catalogSync` is omitted, same
+ * as the Square provider's first cut.
+ */
+declare function createStripePaymentProvider(config: StripeProviderConfig): PaymentProvider;
+//#endregion
+export { StripeProviderConfig, createStripePaymentProvider };
+//# sourceMappingURL=index.d.cts.map

package/dist/index.d.cts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.cts","names":[],"sources":["../src/provider.ts"],"mappings":";;;UAkCiB,oBAAA;EACf,SAAA;EADe;EAGf,UAAA;;EAEA,uBAAA;AAAA;;;;AAAuB;AAoUzB;;;;;;iBAAgB,2BAAA,CACd,MAAA,EAAQ,oBAAA,GACP,eAAe"}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+import { PaymentProvider } from "@thebes/cadmea-plugin-ecommerce";
+//#region src/provider.d.ts
+interface StripeProviderConfig {
+  secretKey: string;
+  /** Stripe's pinned API version header (`Stripe-Version`). Default: a fixed, tested version — bump deliberately, not implicitly. */
+  apiVersion?: string;
+  /** Seconds of clock skew tolerated on a webhook's `t=` timestamp before it's rejected as stale. Default: 300 (Stripe's own recommended tolerance). */
+  webhookToleranceSeconds?: number;
+}
+/**
+ * Creates a `PaymentProvider` backed by Stripe's REST API — raw `fetch()`
+ * + `crypto.subtle`, no Stripe Node SDK. Implements the required
+ * `checkCatalogPrices`/`findOrCreateCustomer`/`checkout`/
+ * `verifyWebhookSignature`/`parseWebhookEvent`, plus the optional
+ * `subscriptions` capability via Stripe's native Subscriptions API (a
+ * better fit than the Square provider's loyalty/recurring-order model,
+ * which omits this capability entirely). `catalogSync` is omitted, same
+ * as the Square provider's first cut.
+ */
+declare function createStripePaymentProvider(config: StripeProviderConfig): PaymentProvider;
+//#endregion
+export { StripeProviderConfig, createStripePaymentProvider };
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","names":[],"sources":["../src/provider.ts"],"mappings":";;;UAkCiB,oBAAA;EACf,SAAA;EADe;EAGf,UAAA;;EAEA,uBAAA;AAAA;;;;AAAuB;AAoUzB;;;;;;iBAAgB,2BAAA,CACd,MAAA,EAAQ,oBAAA,GACP,eAAe"}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,233 @@
+//#region src/provider.ts
+const DEFAULT_API_VERSION = "2024-12-18.acacia";
+const DEFAULT_WEBHOOK_TOLERANCE_SECONDS = 300;
+const BASE_URL = "https://api.stripe.com";
+var StripeApiError = class extends Error {
+	status;
+	body;
+	constructor(message, status, body) {
+		super(message);
+		this.status = status;
+		this.body = body;
+		this.name = "StripeApiError";
+	}
+};
+function toFormBody(params, prefix) {
+	const body = new URLSearchParams();
+	const append = (key, value) => {
+		if (value === void 0 || value === null) return;
+		if (Array.isArray(value)) {
+			value.forEach((item, index) => {
+				for (const [k, v] of toFormBody({ [String(index)]: item }, key).entries()) body.append(k, v);
+			});
+			return;
+		}
+		if (typeof value === "object") {
+			for (const [k, v] of toFormBody(value, key).entries()) body.append(k, v);
+			return;
+		}
+		body.append(key, String(value));
+	};
+	for (const [key, value] of Object.entries(params)) append(prefix ? `${prefix}[${key}]` : key, value);
+	return body;
+}
+async function stripeFetch(config, path, init) {
+	const url = new URL(`${BASE_URL}${path}`);
+	if (init.query) for (const [key, value] of Object.entries(init.query)) url.searchParams.set(key, value);
+	const headers = {
+		Authorization: `Bearer ${config.secretKey}`,
+		"Stripe-Version": config.apiVersion ?? DEFAULT_API_VERSION
+	};
+	if (init.idempotencyKey) headers["Idempotency-Key"] = init.idempotencyKey;
+	if (init.body) headers["Content-Type"] = "application/x-www-form-urlencoded";
+	const response = await fetch(url, {
+		method: init.method,
+		headers,
+		body: init.body ? toFormBody(init.body) : void 0
+	});
+	const text = await response.text();
+	const parsed = text ? JSON.parse(text) : {};
+	if (!response.ok) throw new StripeApiError(`Stripe API request to "${path}" failed with status ${response.status}`, response.status, parsed);
+	return parsed;
+}
+async function checkCatalogPrices(config, refs) {
+	return Promise.all(refs.map(async (catalogRef) => {
+		const price = await stripeFetch(config, `/v1/prices/${catalogRef}`, { method: "GET" });
+		return {
+			catalogRef,
+			serverUnitPrice: {
+				amount: price.unit_amount ?? 0,
+				currency: (price.currency ?? "usd").toUpperCase()
+			},
+			availableQuantity: void 0
+		};
+	}));
+}
+async function findOrCreateCustomer(config, email, idempotencyKey) {
+	const existing = (await stripeFetch(config, "/v1/customers", {
+		method: "GET",
+		query: {
+			email,
+			limit: "1"
+		}
+	})).data?.[0];
+	if (existing) return existing.id;
+	return (await stripeFetch(config, "/v1/customers", {
+		method: "POST",
+		body: { email },
+		idempotencyKey
+	})).id;
+}
+function mapStripePaymentIntentStatus(status) {
+	if (status === "succeeded") return "succeeded";
+	if (status === "requires_action" || status === "requires_confirmation") return "requires_action";
+	return "failed";
+}
+async function checkout(config, request) {
+	const amount = request.lineItems.reduce((sum, item) => sum + item.clientUnitPrice.amount * item.quantity, 0);
+	const currency = (request.lineItems[0]?.clientUnitPrice.currency ?? "USD").toLowerCase();
+	const paymentIntent = await stripeFetch(config, "/v1/payment_intents", {
+		method: "POST",
+		body: {
+			amount,
+			currency,
+			payment_method: request.paymentSourceToken,
+			confirm: true,
+			automatic_payment_methods: {
+				enabled: true,
+				allow_redirects: "never"
+			},
+			metadata: request.metadata
+		},
+		idempotencyKey: request.idempotencyKey
+	});
+	const id = paymentIntent.id;
+	return {
+		providerOrderRef: id,
+		providerPaymentRef: id,
+		status: mapStripePaymentIntentStatus(paymentIntent.status),
+		amount: {
+			amount: paymentIntent.amount,
+			currency: (paymentIntent.currency ?? currency).toUpperCase()
+		},
+		raw: paymentIntent
+	};
+}
+function timingSafeEqual(a, b) {
+	if (a.length !== b.length) return false;
+	let mismatch = 0;
+	for (let i = 0; i < a.length; i++) mismatch |= a.charCodeAt(i) ^ b.charCodeAt(i);
+	return mismatch === 0;
+}
+async function hmacSha256Hex(message, secret) {
+	const key = await crypto.subtle.importKey("raw", new TextEncoder().encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign"]);
+	const signature = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(message));
+	return Array.from(new Uint8Array(signature), (b) => b.toString(16).padStart(2, "0")).join("");
+}
+function createVerifyWebhookSignature(config) {
+	return async ({ rawBody, headers, secret }) => {
+		const header = headers.get("stripe-signature");
+		if (!header) return false;
+		const parts = /* @__PURE__ */ new Map();
+		for (const part of header.split(",")) {
+			const [key, value] = part.split("=");
+			if (key && value) parts.set(key, value);
+		}
+		const timestamp = parts.get("t");
+		const signature = parts.get("v1");
+		if (!timestamp || !signature) return false;
+		const tolerance = config.webhookToleranceSeconds ?? DEFAULT_WEBHOOK_TOLERANCE_SECONDS;
+		if (Math.abs(Date.now() / 1e3 - Number.parseInt(timestamp, 10)) > tolerance) return false;
+		return timingSafeEqual(await hmacSha256Hex(`${timestamp}.${rawBody}`, secret), signature);
+	};
+}
+function parseWebhookEvent(rawBody) {
+	const payload = JSON.parse(rawBody);
+	const eventId = payload.id;
+	const object = payload.data.object;
+	if (payload.type === "payment_intent.succeeded") return {
+		eventId,
+		event: {
+			kind: "payment.updated",
+			providerPaymentRef: object.id,
+			status: "succeeded"
+		}
+	};
+	if (payload.type === "payment_intent.payment_failed") return {
+		eventId,
+		event: {
+			kind: "payment.updated",
+			providerPaymentRef: object.id,
+			status: "failed"
+		}
+	};
+	if (payload.type === "charge.refunded") return {
+		eventId,
+		event: {
+			kind: "payment.updated",
+			providerPaymentRef: object.payment_intent,
+			status: "refunded"
+		}
+	};
+	if (payload.type === "customer.subscription.updated" || payload.type === "customer.subscription.created") return {
+		eventId,
+		event: {
+			kind: "subscription.updated",
+			providerSubscriptionRef: object.id,
+			status: object.status
+		}
+	};
+	return {
+		eventId,
+		event: {
+			kind: "unhandled",
+			rawType: payload.type
+		}
+	};
+}
+/**
+* Creates a `PaymentProvider` backed by Stripe's REST API — raw `fetch()`
+* + `crypto.subtle`, no Stripe Node SDK. Implements the required
+* `checkCatalogPrices`/`findOrCreateCustomer`/`checkout`/
+* `verifyWebhookSignature`/`parseWebhookEvent`, plus the optional
+* `subscriptions` capability via Stripe's native Subscriptions API (a
+* better fit than the Square provider's loyalty/recurring-order model,
+* which omits this capability entirely). `catalogSync` is omitted, same
+* as the Square provider's first cut.
+*/
+function createStripePaymentProvider(config) {
+	return {
+		name: "stripe",
+		checkCatalogPrices: (refs) => checkCatalogPrices(config, refs),
+		findOrCreateCustomer: (email, idempotencyKey) => findOrCreateCustomer(config, email, idempotencyKey),
+		checkout: (request) => checkout(config, request),
+		verifyWebhookSignature: createVerifyWebhookSignature(config),
+		parseWebhookEvent,
+		subscriptions: {
+			async create(args) {
+				const subscription = await stripeFetch(config, "/v1/subscriptions", {
+					method: "POST",
+					body: {
+						customer: args.customerRef,
+						items: [{ price: args.planRef }]
+					},
+					idempotencyKey: args.idempotencyKey
+				});
+				return {
+					providerSubscriptionRef: subscription.id,
+					status: subscription.status
+				};
+			},
+			async cancel(providerSubscriptionRef) {
+				await stripeFetch(config, `/v1/subscriptions/${providerSubscriptionRef}`, { method: "DELETE" });
+			}
+		}
+	};
+}
+//#endregion
+export { createStripePaymentProvider };
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","names":[],"sources":["../src/provider.ts"],"sourcesContent":["// Copyright (c) 2026 BowenLabs. All rights reserved.\n// MIT licensed. See LICENSE in the repo root.\n//\n// Stripe's REST API directly via fetch() — never the `stripe` npm SDK\n// (Node-targeted; relies on node:crypto/node:http internally for some\n// operations). Webhook signature verification uses crypto.subtle.\n//\n// Real interface friction vs. the Square provider (PaymentProvider was\n// pressure-tested against this on purpose, per the build plan — these\n// aren't bugs, they're the asymmetry the interface has to absorb):\n// 1. Stripe's API takes `application/x-www-form-urlencoded` bodies, not\n// JSON — see `toFormBody` below.\n// 2. Stripe's idempotency key is an `Idempotency-Key` HTTP header, not a\n// body field the way Square's `idempotency_key` is.\n// 3. Stripe has no object analogous to Square's separate Order — a\n// `PaymentIntent` is both \"the order\" and \"the payment\" in one. This\n// provider sets `providerOrderRef` and `providerPaymentRef` to the\n// same PaymentIntent id rather than inventing a fake second id.\n// 4. Stripe has no native inventory/catalog concept matching Square's\n// Catalog+Inventory APIs — `checkCatalogPrices` reads `Price` objects\n// (`unit_amount`/`currency`) and always returns `availableQuantity:\n// undefined` (Stripe doesn't track it, so there's nothing honest to\n// report).\n// 5. Stripe's native Subscriptions API is a better fit for the optional\n// `subscriptions` capability than Square's loyalty/recurring-order\n// model — implemented here, omitted in the Square provider.\n\nimport type {\n CatalogPriceCheck,\n CheckoutRequest,\n CheckoutResult,\n PaymentProvider,\n} from \"@thebes/cadmea-plugin-ecommerce\";\n\nexport interface StripeProviderConfig {\n secretKey: string;\n /** Stripe's pinned API version header (`Stripe-Version`). Default: a fixed, tested version — bump deliberately, not implicitly. */\n apiVersion?: string;\n /** Seconds of clock skew tolerated on a webhook's `t=` timestamp before it's rejected as stale. Default: 300 (Stripe's own recommended tolerance). */\n webhookToleranceSeconds?: number;\n}\n\nconst DEFAULT_API_VERSION = \"2024-12-18.acacia\";\nconst DEFAULT_WEBHOOK_TOLERANCE_SECONDS = 300;\nconst BASE_URL = \"https://api.stripe.com\";\n\nclass StripeApiError extends Error {\n constructor(\n message: string,\n public readonly status: number,\n public readonly body: unknown,\n ) {\n super(message);\n this.name = \"StripeApiError\";\n }\n}\n\n// Stripe's form-encoding for nested objects uses bracket notation\n// (`items[0][price]=...`) — this plugin's own usage is shallow enough\n// that a small recursive flattener covers it without needing a general\n// qs-style library dependency.\nfunction toFormBody(\n params: Record<string, unknown>,\n prefix?: string,\n): URLSearchParams {\n const body = new URLSearchParams();\n const append = (key: string, value: unknown) => {\n if (value === undefined || value === null) return;\n if (Array.isArray(value)) {\n value.forEach((item, index) => {\n for (const [k, v] of toFormBody(\n { [String(index)]: item },\n key,\n ).entries()) {\n body.append(k, v);\n }\n });\n return;\n }\n if (typeof value === \"object\") {\n for (const [k, v] of toFormBody(\n value as Record<string, unknown>,\n key,\n ).entries()) {\n body.append(k, v);\n }\n return;\n }\n body.append(key, String(value));\n };\n for (const [key, value] of Object.entries(params)) {\n append(prefix ? `${prefix}[${key}]` : key, value);\n }\n return body;\n}\n\nasync function stripeFetch(\n config: StripeProviderConfig,\n path: string,\n init: {\n method: string;\n body?: Record<string, unknown>;\n idempotencyKey?: string;\n query?: Record<string, string>;\n },\n): Promise<Record<string, unknown>> {\n const url = new URL(`${BASE_URL}${path}`);\n if (init.query) {\n for (const [key, value] of Object.entries(init.query)) {\n url.searchParams.set(key, value);\n }\n }\n\n const headers: Record<string, string> = {\n Authorization: `Bearer ${config.secretKey}`,\n \"Stripe-Version\": config.apiVersion ?? DEFAULT_API_VERSION,\n };\n if (init.idempotencyKey) headers[\"Idempotency-Key\"] = init.idempotencyKey;\n if (init.body) headers[\"Content-Type\"] = \"application/x-www-form-urlencoded\";\n\n const response = await fetch(url, {\n method: init.method,\n headers,\n body: init.body ? toFormBody(init.body) : undefined,\n });\n const text = await response.text();\n const parsed = text ? JSON.parse(text) : {};\n if (!response.ok) {\n throw new StripeApiError(\n `Stripe API request to \"${path}\" failed with status ${response.status}`,\n response.status,\n parsed,\n );\n }\n return parsed;\n}\n\nasync function checkCatalogPrices(\n config: StripeProviderConfig,\n refs: string[],\n): Promise<CatalogPriceCheck[]> {\n return Promise.all(\n refs.map(async (catalogRef) => {\n const price = await stripeFetch(config, `/v1/prices/${catalogRef}`, {\n method: \"GET\",\n });\n return {\n catalogRef,\n serverUnitPrice: {\n amount: (price.unit_amount as number) ?? 0,\n currency: ((price.currency as string) ?? \"usd\").toUpperCase(),\n },\n // Stripe has no native inventory concept — nothing honest to report.\n availableQuantity: undefined,\n };\n }),\n );\n}\n\nasync function findOrCreateCustomer(\n config: StripeProviderConfig,\n email: string,\n idempotencyKey: string,\n): Promise<string> {\n const list = await stripeFetch(config, \"/v1/customers\", {\n method: \"GET\",\n query: { email, limit: \"1\" },\n });\n const existing = (list.data as Array<{ id: string }> | undefined)?.[0];\n if (existing) return existing.id;\n\n const created = await stripeFetch(config, \"/v1/customers\", {\n method: \"POST\",\n body: { email },\n idempotencyKey,\n });\n return created.id as string;\n}\n\nfunction mapStripePaymentIntentStatus(\n status: string | undefined,\n): CheckoutResult[\"status\"] {\n if (status === \"succeeded\") return \"succeeded\";\n if (status === \"requires_action\" || status === \"requires_confirmation\") {\n return \"requires_action\";\n }\n return \"failed\";\n}\n\nasync function checkout(\n config: StripeProviderConfig,\n request: CheckoutRequest,\n): Promise<CheckoutResult> {\n const amount = request.lineItems.reduce(\n (sum, item) => sum + item.clientUnitPrice.amount * item.quantity,\n 0,\n );\n const currency = (\n request.lineItems[0]?.clientUnitPrice.currency ?? \"USD\"\n ).toLowerCase();\n\n // One call, confirmed immediately — Stripe's PaymentIntent is both \"the\n // order\" and \"the charge\" at once, unlike Square's separate Orders +\n // Payments calls.\n const paymentIntent = await stripeFetch(config, \"/v1/payment_intents\", {\n method: \"POST\",\n body: {\n amount,\n currency,\n payment_method: request.paymentSourceToken,\n confirm: true,\n // automatic_payment_methods.allow_redirects: \"never\" keeps this a\n // single synchronous confirm — redirect-based methods would need a\n // requires_action round trip this checkout flow doesn't implement.\n automatic_payment_methods: { enabled: true, allow_redirects: \"never\" },\n metadata: request.metadata,\n },\n idempotencyKey: request.idempotencyKey,\n });\n\n const id = paymentIntent.id as string;\n return {\n providerOrderRef: id,\n providerPaymentRef: id,\n status: mapStripePaymentIntentStatus(paymentIntent.status as string),\n amount: {\n amount: paymentIntent.amount as number,\n currency: ((paymentIntent.currency as string) ?? currency).toUpperCase(),\n },\n raw: paymentIntent,\n };\n}\n\nfunction timingSafeEqual(a: string, b: string): boolean {\n if (a.length !== b.length) return false;\n let mismatch = 0;\n for (let i = 0; i < a.length; i++) {\n mismatch |= a.charCodeAt(i) ^ b.charCodeAt(i);\n }\n return mismatch === 0;\n}\n\nasync function hmacSha256Hex(message: string, secret: string): Promise<string> {\n const key = await crypto.subtle.importKey(\n \"raw\",\n new TextEncoder().encode(secret),\n { name: \"HMAC\", hash: \"SHA-256\" },\n false,\n [\"sign\"],\n );\n const signature = await crypto.subtle.sign(\n \"HMAC\",\n key,\n new TextEncoder().encode(message),\n );\n return Array.from(new Uint8Array(signature), (b) =>\n b.toString(16).padStart(2, \"0\"),\n ).join(\"\");\n}\n\nfunction createVerifyWebhookSignature(\n config: StripeProviderConfig,\n): PaymentProvider[\"verifyWebhookSignature\"] {\n return async ({ rawBody, headers, secret }) => {\n const header = headers.get(\"stripe-signature\");\n if (!header) return false;\n\n // Header format: \"t=<timestamp>,v1=<signature>[,v0=<old_signature>]\" —\n // parse rather than regex-matching positionally, since Stripe doesn't\n // guarantee component order.\n const parts = new Map<string, string>();\n for (const part of header.split(\",\")) {\n const [key, value] = part.split(\"=\");\n if (key && value) parts.set(key, value);\n }\n const timestamp = parts.get(\"t\");\n const signature = parts.get(\"v1\");\n if (!timestamp || !signature) return false;\n\n const tolerance =\n config.webhookToleranceSeconds ?? DEFAULT_WEBHOOK_TOLERANCE_SECONDS;\n const age = Math.abs(Date.now() / 1000 - Number.parseInt(timestamp, 10));\n if (age > tolerance) return false;\n\n const expected = await hmacSha256Hex(`${timestamp}.${rawBody}`, secret);\n return timingSafeEqual(expected, signature);\n };\n}\n\ninterface StripeWebhookPayload {\n id: string;\n type: string;\n data: { object: Record<string, unknown> };\n}\n\nfunction parseWebhookEvent(rawBody: string) {\n const payload = JSON.parse(rawBody) as StripeWebhookPayload;\n const eventId = payload.id;\n const object = payload.data.object;\n\n if (payload.type === \"payment_intent.succeeded\") {\n return {\n eventId,\n event: {\n kind: \"payment.updated\" as const,\n providerPaymentRef: object.id as string,\n status: \"succeeded\" as const,\n },\n };\n }\n\n if (payload.type === \"payment_intent.payment_failed\") {\n return {\n eventId,\n event: {\n kind: \"payment.updated\" as const,\n providerPaymentRef: object.id as string,\n status: \"failed\" as const,\n },\n };\n }\n\n if (payload.type === \"charge.refunded\") {\n return {\n eventId,\n event: {\n kind: \"payment.updated\" as const,\n providerPaymentRef: object.payment_intent as string,\n status: \"refunded\" as const,\n },\n };\n }\n\n if (\n payload.type === \"customer.subscription.updated\" ||\n payload.type === \"customer.subscription.created\"\n ) {\n return {\n eventId,\n event: {\n kind: \"subscription.updated\" as const,\n providerSubscriptionRef: object.id as string,\n status: object.status as string,\n },\n };\n }\n\n return {\n eventId,\n event: { kind: \"unhandled\" as const, rawType: payload.type },\n };\n}\n\n/**\n * Creates a `PaymentProvider` backed by Stripe's REST API — raw `fetch()`\n * + `crypto.subtle`, no Stripe Node SDK. Implements the required\n * `checkCatalogPrices`/`findOrCreateCustomer`/`checkout`/\n * `verifyWebhookSignature`/`parseWebhookEvent`, plus the optional\n * `subscriptions` capability via Stripe's native Subscriptions API (a\n * better fit than the Square provider's loyalty/recurring-order model,\n * which omits this capability entirely). `catalogSync` is omitted, same\n * as the Square provider's first cut.\n */\nexport function createStripePaymentProvider(\n config: StripeProviderConfig,\n): PaymentProvider {\n return {\n name: \"stripe\",\n checkCatalogPrices: (refs) => checkCatalogPrices(config, refs),\n findOrCreateCustomer: (email, idempotencyKey) =>\n findOrCreateCustomer(config, email, idempotencyKey),\n checkout: (request) => checkout(config, request),\n verifyWebhookSignature: createVerifyWebhookSignature(config),\n parseWebhookEvent,\n subscriptions: {\n async create(args) {\n const subscription = await stripeFetch(config, \"/v1/subscriptions\", {\n method: \"POST\",\n body: {\n customer: args.customerRef,\n items: [{ price: args.planRef }],\n },\n idempotencyKey: args.idempotencyKey,\n });\n return {\n providerSubscriptionRef: subscription.id as string,\n status: subscription.status as string,\n };\n },\n async cancel(providerSubscriptionRef) {\n await stripeFetch(\n config,\n `/v1/subscriptions/${providerSubscriptionRef}`,\n { method: \"DELETE\" },\n );\n },\n },\n };\n}\n"],"mappings":";AA0CA,MAAM,sBAAsB;AAC5B,MAAM,oCAAoC;AAC1C,MAAM,WAAW;AAEjB,IAAM,iBAAN,cAA6B,MAAM;CAGf;CACA;CAHlB,YACE,SACA,QACA,MACA;EACA,MAAM,OAAO;EAHG,KAAA,SAAA;EACA,KAAA,OAAA;EAGhB,KAAK,OAAO;CACd;AACF;AAMA,SAAS,WACP,QACA,QACiB;CACjB,MAAM,OAAO,IAAI,gBAAgB;CACjC,MAAM,UAAU,KAAa,UAAmB;EAC9C,IAAI,UAAU,KAAA,KAAa,UAAU,MAAM;EAC3C,IAAI,MAAM,QAAQ,KAAK,GAAG;GACxB,MAAM,SAAS,MAAM,UAAU;IAC7B,KAAK,MAAM,CAAC,GAAG,MAAM,WACnB,GAAG,OAAO,KAAK,IAAI,KAAK,GACxB,GACF,CAAC,CAAC,QAAQ,GACR,KAAK,OAAO,GAAG,CAAC;GAEpB,CAAC;GACD;EACF;EACA,IAAI,OAAO,UAAU,UAAU;GAC7B,KAAK,MAAM,CAAC,GAAG,MAAM,WACnB,OACA,GACF,CAAC,CAAC,QAAQ,GACR,KAAK,OAAO,GAAG,CAAC;GAElB;EACF;EACA,KAAK,OAAO,KAAK,OAAO,KAAK,CAAC;CAChC;CACA,KAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,GAC9C,OAAO,SAAS,GAAG,OAAO,GAAG,IAAI,KAAK,KAAK,KAAK;CAElD,OAAO;AACT;AAEA,eAAe,YACb,QACA,MACA,MAMkC;CAClC,MAAM,MAAM,IAAI,IAAI,GAAG,WAAW,MAAM;CACxC,IAAI,KAAK,OACP,KAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,KAAK,KAAK,GAClD,IAAI,aAAa,IAAI,KAAK,KAAK;CAInC,MAAM,UAAkC;EACtC,eAAe,UAAU,OAAO;EAChC,kBAAkB,OAAO,cAAc;CACzC;CACA,IAAI,KAAK,gBAAgB,QAAQ,qBAAqB,KAAK;CAC3D,IAAI,KAAK,MAAM,QAAQ,kBAAkB;CAEzC,MAAM,WAAW,MAAM,MAAM,KAAK;EAChC,QAAQ,KAAK;EACb;EACA,MAAM,KAAK,OAAO,WAAW,KAAK,IAAI,IAAI,KAAA;CAC5C,CAAC;CACD,MAAM,OAAO,MAAM,SAAS,KAAK;CACjC,MAAM,SAAS,OAAO,KAAK,MAAM,IAAI,IAAI,CAAC;CAC1C,IAAI,CAAC,SAAS,IACZ,MAAM,IAAI,eACR,0BAA0B,KAAK,uBAAuB,SAAS,UAC/D,SAAS,QACT,MACF;CAEF,OAAO;AACT;AAEA,eAAe,mBACb,QACA,MAC8B;CAC9B,OAAO,QAAQ,IACb,KAAK,IAAI,OAAO,eAAe;EAC7B,MAAM,QAAQ,MAAM,YAAY,QAAQ,cAAc,cAAc,EAClE,QAAQ,MACV,CAAC;EACD,OAAO;GACL;GACA,iBAAiB;IACf,QAAS,MAAM,eAA0B;IACzC,WAAY,MAAM,YAAuB,MAAA,CAAO,YAAY;GAC9D;GAEA,mBAAmB,KAAA;EACrB;CACF,CAAC,CACH;AACF;AAEA,eAAe,qBACb,QACA,OACA,gBACiB;CAKjB,MAAM,YAAY,MAJC,YAAY,QAAQ,iBAAiB;EACtD,QAAQ;EACR,OAAO;GAAE;GAAO,OAAO;EAAI;CAC7B,CAAC,EAAA,CACsB,OAA6C;CACpE,IAAI,UAAU,OAAO,SAAS;CAO9B,QAAO,MALe,YAAY,QAAQ,iBAAiB;EACzD,QAAQ;EACR,MAAM,EAAE,MAAM;EACd;CACF,CAAC,EAAA,CACc;AACjB;AAEA,SAAS,6BACP,QAC0B;CAC1B,IAAI,WAAW,aAAa,OAAO;CACnC,IAAI,WAAW,qBAAqB,WAAW,yBAC7C,OAAO;CAET,OAAO;AACT;AAEA,eAAe,SACb,QACA,SACyB;CACzB,MAAM,SAAS,QAAQ,UAAU,QAC9B,KAAK,SAAS,MAAM,KAAK,gBAAgB,SAAS,KAAK,UACxD,CACF;CACA,MAAM,YACJ,QAAQ,UAAU,EAAE,EAAE,gBAAgB,YAAY,MAAA,CAClD,YAAY;CAKd,MAAM,gBAAgB,MAAM,YAAY,QAAQ,uBAAuB;EACrE,QAAQ;EACR,MAAM;GACJ;GACA;GACA,gBAAgB,QAAQ;GACxB,SAAS;GAIT,2BAA2B;IAAE,SAAS;IAAM,iBAAiB;GAAQ;GACrE,UAAU,QAAQ;EACpB;EACA,gBAAgB,QAAQ;CAC1B,CAAC;CAED,MAAM,KAAK,cAAc;CACzB,OAAO;EACL,kBAAkB;EAClB,oBAAoB;EACpB,QAAQ,6BAA6B,cAAc,MAAgB;EACnE,QAAQ;GACN,QAAQ,cAAc;GACtB,WAAY,cAAc,YAAuB,SAAA,CAAU,YAAY;EACzE;EACA,KAAK;CACP;AACF;AAEA,SAAS,gBAAgB,GAAW,GAAoB;CACtD,IAAI,EAAE,WAAW,EAAE,QAAQ,OAAO;CAClC,IAAI,WAAW;CACf,KAAK,IAAI,IAAI,GAAG,IAAI,EAAE,QAAQ,KAC5B,YAAY,EAAE,WAAW,CAAC,IAAI,EAAE,WAAW,CAAC;CAE9C,OAAO,aAAa;AACtB;AAEA,eAAe,cAAc,SAAiB,QAAiC;CAC7E,MAAM,MAAM,MAAM,OAAO,OAAO,UAC9B,OACA,IAAI,YAAY,CAAC,CAAC,OAAO,MAAM,GAC/B;EAAE,MAAM;EAAQ,MAAM;CAAU,GAChC,OACA,CAAC,MAAM,CACT;CACA,MAAM,YAAY,MAAM,OAAO,OAAO,KACpC,QACA,KACA,IAAI,YAAY,CAAC,CAAC,OAAO,OAAO,CAClC;CACA,OAAO,MAAM,KAAK,IAAI,WAAW,SAAS,IAAI,MAC5C,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,GAAG,GAAG,CAChC,CAAC,CAAC,KAAK,EAAE;AACX;AAEA,SAAS,6BACP,QAC2C;CAC3C,OAAO,OAAO,EAAE,SAAS,SAAS,aAAa;EAC7C,MAAM,SAAS,QAAQ,IAAI,kBAAkB;EAC7C,IAAI,CAAC,QAAQ,OAAO;EAKpB,MAAM,wBAAQ,IAAI,IAAoB;EACtC,KAAK,MAAM,QAAQ,OAAO,MAAM,GAAG,GAAG;GACpC,MAAM,CAAC,KAAK,SAAS,KAAK,MAAM,GAAG;GACnC,IAAI,OAAO,OAAO,MAAM,IAAI,KAAK,KAAK;EACxC;EACA,MAAM,YAAY,MAAM,IAAI,GAAG;EAC/B,MAAM,YAAY,MAAM,IAAI,IAAI;EAChC,IAAI,CAAC,aAAa,CAAC,WAAW,OAAO;EAErC,MAAM,YACJ,OAAO,2BAA2B;EAEpC,IADY,KAAK,IAAI,KAAK,IAAI,IAAI,MAAO,OAAO,SAAS,WAAW,EAAE,CAChE,IAAI,WAAW,OAAO;EAG5B,OAAO,gBAAgB,MADA,cAAc,GAAG,UAAU,GAAG,WAAW,MAAM,GACrC,SAAS;CAC5C;AACF;AAQA,SAAS,kBAAkB,SAAiB;CAC1C,MAAM,UAAU,KAAK,MAAM,OAAO;CAClC,MAAM,UAAU,QAAQ;CACxB,MAAM,SAAS,QAAQ,KAAK;CAE5B,IAAI,QAAQ,SAAS,4BACnB,OAAO;EACL;EACA,OAAO;GACL,MAAM;GACN,oBAAoB,OAAO;GAC3B,QAAQ;EACV;CACF;CAGF,IAAI,QAAQ,SAAS,iCACnB,OAAO;EACL;EACA,OAAO;GACL,MAAM;GACN,oBAAoB,OAAO;GAC3B,QAAQ;EACV;CACF;CAGF,IAAI,QAAQ,SAAS,mBACnB,OAAO;EACL;EACA,OAAO;GACL,MAAM;GACN,oBAAoB,OAAO;GAC3B,QAAQ;EACV;CACF;CAGF,IACE,QAAQ,SAAS,mCACjB,QAAQ,SAAS,iCAEjB,OAAO;EACL;EACA,OAAO;GACL,MAAM;GACN,yBAAyB,OAAO;GAChC,QAAQ,OAAO;EACjB;CACF;CAGF,OAAO;EACL;EACA,OAAO;GAAE,MAAM;GAAsB,SAAS,QAAQ;EAAK;CAC7D;AACF;;;;;;;;;;;AAYA,SAAgB,4BACd,QACiB;CACjB,OAAO;EACL,MAAM;EACN,qBAAqB,SAAS,mBAAmB,QAAQ,IAAI;EAC7D,uBAAuB,OAAO,mBAC5B,qBAAqB,QAAQ,OAAO,cAAc;EACpD,WAAW,YAAY,SAAS,QAAQ,OAAO;EAC/C,wBAAwB,6BAA6B,MAAM;EAC3D;EACA,eAAe;GACb,MAAM,OAAO,MAAM;IACjB,MAAM,eAAe,MAAM,YAAY,QAAQ,qBAAqB;KAClE,QAAQ;KACR,MAAM;MACJ,UAAU,KAAK;MACf,OAAO,CAAC,EAAE,OAAO,KAAK,QAAQ,CAAC;KACjC;KACA,gBAAgB,KAAK;IACvB,CAAC;IACD,OAAO;KACL,yBAAyB,aAAa;KACtC,QAAQ,aAAa;IACvB;GACF;GACA,MAAM,OAAO,yBAAyB;IACpC,MAAM,YACJ,QACA,qBAAqB,2BACrB,EAAE,QAAQ,SAAS,CACrB;GACF;EACF;CACF;AACF"}

package/package.json ADDED Viewed

@@ -0,0 +1,58 @@
+{
+  "name": "@thebes/cadmea-plugin-ecommerce-stripe",
+  "version": "1.0.0",
+  "description": "Stripe PaymentProvider for @thebes/cadmea-plugin-ecommerce — raw fetch() + crypto.subtle, no Stripe Node SDK",
+  "author": "BowenLabs <hello@bowenlabs.io>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/bowenlabs/project-thebes",
+    "directory": "packages/cadmea-plugin-ecommerce-stripe"
+  },
+  "homepage": "https://github.com/bowenlabs/project-thebes/tree/main/packages/cadmea-plugin-ecommerce-stripe#readme",
+  "bugs": {
+    "url": "https://github.com/bowenlabs/project-thebes/issues"
+  },
+  "keywords": [
+    "cadmea",
+    "cadmus",
+    "cms",
+    "ecommerce",
+    "stripe",
+    "payments",
+    "cloudflare"
+  ],
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    },
+    "./client": {
+      "types": "./dist/client.d.ts",
+      "default": "./dist/client.js"
+    }
+  },
+  "peerDependencies": {
+    "@thebes/cadmea-plugin-ecommerce": "^1.0.0",
+    "@thebes/cadmus": "^0.2.1"
+  },
+  "devDependencies": {
+    "typescript": "latest",
+    "vite-plus": "latest",
+    "vitest": "latest",
+    "@thebes/cadmea-plugin-ecommerce": "^1.0.0",
+    "@thebes/cadmus": "^0.2.1"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "vp pack",
+    "dev": "vp pack --watch",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  }
+}