@timbenniks/contentstack-platform-sdk 0.1.0

package/dist/server/index.cjs

@@ -0,0 +1,917 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/server/index.ts
+var server_exports = {};
+__export(server_exports, {
+  checkScope: () => checkScope,
+  createBrandKitProxy: () => createBrandKitProxy,
+  createCMAProxy: () => createCMAProxy,
+  createContentstackAuth: () => createContentstackAuth,
+  createLaunchProxy: () => createLaunchProxy,
+  createWebhookHandler: () => createWebhookHandler,
+  getAccessToken: () => getAccessToken,
+  getSession: () => getSession,
+  requireSession: () => requireSession,
+  resolveScope: () => resolveScope,
+  verifyWebhookSignature: () => verifyWebhookSignature
+});
+module.exports = __toCommonJS(server_exports);
+
+// src/http/errors.ts
+var ContentstackError = class extends Error {
+  name = "ContentstackError";
+  status;
+  errorCode;
+  errors;
+  requestPath;
+  constructor(message, options) {
+    super(message, options?.cause ? { cause: options.cause } : void 0);
+    this.status = options?.status;
+    this.errorCode = options?.errorCode;
+    this.errors = options?.errors;
+    this.requestPath = options?.requestPath;
+  }
+};
+var ContentstackAuthError = class extends ContentstackError {
+  name = "ContentstackAuthError";
+  status = 401;
+};
+var ContentstackForbiddenError = class extends ContentstackError {
+  name = "ContentstackForbiddenError";
+  status = 403;
+};
+var ContentstackNotFoundError = class extends ContentstackError {
+  name = "ContentstackNotFoundError";
+  status = 404;
+};
+var ContentstackValidationError = class extends ContentstackError {
+  name = "ContentstackValidationError";
+  status;
+  constructor(message, options) {
+    super(message, options);
+    this.status = options?.status ?? 400;
+  }
+};
+var ContentstackInvalidApiKeyError = class extends ContentstackError {
+  name = "ContentstackInvalidApiKeyError";
+  status = 412;
+};
+var ContentstackRateLimitError = class extends ContentstackError {
+  name = "ContentstackRateLimitError";
+  status = 429;
+  retryAfter;
+  constructor(message, options) {
+    super(message, { ...options, status: 429 });
+    this.retryAfter = options?.retryAfter;
+  }
+};
+var ContentstackServerError = class extends ContentstackError {
+  name = "ContentstackServerError";
+};
+var ContentstackConfigError = class extends ContentstackError {
+  name = "ContentstackConfigError";
+};
+
+// src/regions/endpoints.ts
+var import_contentstack_endpoints = require("@timbenniks/contentstack-endpoints");
+var BRAND_KIT_URLS = {
+  us: {
+    brandKit: "https://brand-kits-api.contentstack.com",
+    brandKitAI: "https://ai.contentstack.com/brand-kits"
+  },
+  eu: {
+    brandKit: "https://eu-brand-kits-api.contentstack.com",
+    brandKitAI: "https://eu-ai.contentstack.com/brand-kits"
+  },
+  au: {
+    brandKit: "https://au-brand-kits-api.contentstack.com",
+    brandKitAI: "https://au-ai.contentstack.com/brand-kits"
+  },
+  "azure-na": {
+    brandKit: "https://azure-na-brand-kits-api.contentstack.com",
+    brandKitAI: "https://azure-na-ai.contentstack.com/brand-kits"
+  },
+  "azure-eu": {
+    brandKit: "https://azure-eu-brand-kits-api.contentstack.com",
+    brandKitAI: "https://azure-eu-ai.contentstack.com/brand-kits"
+  },
+  "gcp-na": {
+    brandKit: "https://gcp-na-brand-kits-api.contentstack.com",
+    brandKitAI: "https://gcp-na-ai.contentstack.com/brand-kits"
+  },
+  "gcp-eu": {
+    brandKit: "https://gcp-eu-brand-kits-api.contentstack.com",
+    brandKitAI: "https://gcp-eu-ai.contentstack.com/brand-kits"
+  }
+};
+function mapEndpoints(upstream, region, hostsOnly) {
+  const bk = BRAND_KIT_URLS[region];
+  const stripProtocol = (url) => url.replace(/^https?:\/\//, "");
+  return Object.freeze({
+    cma: upstream.contentManagement ?? "",
+    cda: upstream.contentDelivery ?? "",
+    graphql: upstream.graphqlDelivery ?? "",
+    images: upstream.images ?? "",
+    app: upstream.application ?? "",
+    preview: upstream.preview ?? "",
+    graphqlPreview: upstream.graphqlPreview ?? "",
+    launch: upstream.launch ?? "",
+    personalizeEdge: upstream.personalizeEdge ?? "",
+    brandKit: hostsOnly ? stripProtocol(bk.brandKit) : bk.brandKit,
+    brandKitAI: hostsOnly ? stripProtocol(bk.brandKitAI) : bk.brandKitAI
+  });
+}
+var ALL_REGIONS = [
+  "us",
+  "eu",
+  "au",
+  "azure-na",
+  "azure-eu",
+  "gcp-na",
+  "gcp-eu"
+];
+function buildEndpointMap() {
+  const map = {};
+  for (const region of ALL_REGIONS) {
+    map[region] = mapEndpoints((0, import_contentstack_endpoints.getContentstackEndpoints)(region), region, false);
+  }
+  return Object.freeze(map);
+}
+function buildHostMap() {
+  const map = {};
+  for (const region of ALL_REGIONS) {
+    map[region] = mapEndpoints((0, import_contentstack_endpoints.getContentstackEndpoints)(region, true), region, true);
+  }
+  return Object.freeze(map);
+}
+var ENDPOINT_MAP = buildEndpointMap();
+var HOST_MAP = buildHostMap();
+
+// src/regions/resolver.ts
+var VALID_REGIONS = new Set(Object.keys(ENDPOINT_MAP));
+function resolveEndpoints(region) {
+  return ENDPOINT_MAP[region];
+}
+
+// src/http/client.ts
+var DEFAULT_TIMEOUT = 3e4;
+var DEFAULT_RETRY_LIMIT = 5;
+var DEFAULT_RETRY_DELAY = 300;
+var MAX_JITTER = 100;
+var ContentstackHttpClient = class _ContentstackHttpClient {
+  config;
+  constructor(config) {
+    this.config = {
+      baseUrl: config.baseUrl,
+      headers: config.headers ?? {},
+      timeout: config.timeout ?? DEFAULT_TIMEOUT,
+      retryOnError: config.retryOnError ?? true,
+      retryLimit: config.retryLimit ?? DEFAULT_RETRY_LIMIT,
+      retryDelay: config.retryDelay ?? DEFAULT_RETRY_DELAY,
+      fetch: config.fetch ?? globalThis.fetch.bind(globalThis)
+    };
+  }
+  async get(path, params) {
+    let url = `${this.config.baseUrl}${path}`;
+    if (params) {
+      const searchParams = new URLSearchParams(params);
+      url += `?${searchParams.toString()}`;
+    }
+    return this.request(url, { method: "GET" }, path);
+  }
+  async post(path, body) {
+    const url = `${this.config.baseUrl}${path}`;
+    return this.request(
+      url,
+      {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: body !== void 0 ? JSON.stringify(body) : void 0
+      },
+      path
+    );
+  }
+  async put(path, body) {
+    const url = `${this.config.baseUrl}${path}`;
+    return this.request(
+      url,
+      {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: body !== void 0 ? JSON.stringify(body) : void 0
+      },
+      path
+    );
+  }
+  async patch(path, body) {
+    const url = `${this.config.baseUrl}${path}`;
+    return this.request(
+      url,
+      {
+        method: "PATCH",
+        headers: { "Content-Type": "application/json" },
+        body: body !== void 0 ? JSON.stringify(body) : void 0
+      },
+      path
+    );
+  }
+  async delete(path) {
+    const url = `${this.config.baseUrl}${path}`;
+    return this.request(url, { method: "DELETE" }, path);
+  }
+  async postForm(path, params) {
+    const url = `${this.config.baseUrl}${path}`;
+    return this.request(
+      url,
+      {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: params.toString()
+      },
+      path
+    );
+  }
+  async upload(path, form) {
+    const url = `${this.config.baseUrl}${path}`;
+    return this.request(url, { method: "POST", body: form }, path);
+  }
+  /** Return a new client with additional headers merged */
+  withHeaders(headers) {
+    return new _ContentstackHttpClient({
+      ...this.config,
+      headers: { ...this.config.headers, ...headers }
+    });
+  }
+  /** Return a new client with a different base URL */
+  withBaseUrl(baseUrl) {
+    return new _ContentstackHttpClient({
+      ...this.config,
+      baseUrl
+    });
+  }
+  async request(url, init, path) {
+    const headers = new Headers(this.config.headers);
+    if (init.headers) {
+      const initHeaders = init.headers instanceof Headers ? init.headers : new Headers(init.headers);
+      initHeaders.forEach((value, key) => headers.set(key, value));
+    }
+    let lastError;
+    const maxAttempts = this.config.retryOnError ? this.config.retryLimit + 1 : 1;
+    for (let attempt = 0; attempt < maxAttempts; attempt++) {
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), this.config.timeout);
+      try {
+        const response = await this.config.fetch(url, {
+          ...init,
+          headers,
+          signal: controller.signal
+        });
+        if (response.ok) {
+          const data = await response.json().catch(() => ({}));
+          return { data, status: response.status, headers: response.headers };
+        }
+        const isRetryable = response.status === 429 || response.status >= 500;
+        if (isRetryable && this.config.retryOnError && attempt < maxAttempts - 1) {
+          const delay = this.calculateDelay(response, attempt);
+          await sleep(delay);
+          lastError = await this.createError(response, path);
+          continue;
+        }
+        throw await this.createError(response, path);
+      } catch (error) {
+        if (error instanceof ContentstackError) {
+          throw error;
+        }
+        if (error instanceof DOMException && error.name === "AbortError") {
+          throw new ContentstackError(`Request timed out after ${this.config.timeout}ms`, {
+            requestPath: path,
+            cause: error
+          });
+        }
+        throw new ContentstackError("Network request failed", {
+          requestPath: path,
+          cause: error instanceof Error ? error : new Error(String(error))
+        });
+      } finally {
+        clearTimeout(timeoutId);
+      }
+    }
+    throw lastError ?? new ContentstackError("Request failed after retries", { requestPath: path });
+  }
+  calculateDelay(response, attempt) {
+    const retryAfter = response.headers.get("Retry-After");
+    if (retryAfter) {
+      const seconds = Number.parseFloat(retryAfter);
+      if (!Number.isNaN(seconds)) {
+        return seconds * 1e3;
+      }
+    }
+    const jitter = Math.random() * MAX_JITTER;
+    return this.config.retryDelay * 2 ** attempt + jitter;
+  }
+  async createError(response, path) {
+    let body = {};
+    try {
+      body = await response.json();
+    } catch {
+    }
+    const message = body.error_message ?? body.error_description ?? body.message ?? `HTTP ${response.status} error`;
+    const errorCode = body.error_code;
+    const errors = body.errors;
+    const retryAfter = response.headers.get("Retry-After");
+    const opts = { status: response.status, errorCode, errors, requestPath: path };
+    switch (response.status) {
+      case 400:
+        return new ContentstackValidationError(message, { ...opts, status: 400 });
+      case 401:
+        return new ContentstackAuthError(message, opts);
+      case 403:
+        return new ContentstackForbiddenError(message, opts);
+      case 404:
+        return new ContentstackNotFoundError(message, opts);
+      case 412:
+        return new ContentstackInvalidApiKeyError(message, opts);
+      case 422:
+        return new ContentstackValidationError(message, { ...opts, status: 422 });
+      case 429:
+        return new ContentstackRateLimitError(message, {
+          ...opts,
+          retryAfter: retryAfter ? Number.parseFloat(retryAfter) : void 0
+        });
+      default:
+        if (response.status >= 500) {
+          return new ContentstackServerError(message, opts);
+        }
+        return new ContentstackError(message, opts);
+    }
+  }
+};
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+// src/auth/oauth-client.ts
+function validateConfig(config) {
+  if (!config.appId) {
+    throw new ContentstackConfigError(
+      "appId is required for OAuth. This is your Contentstack app's UID, not the client ID."
+    );
+  }
+  if (config.appId === config.clientId) {
+    throw new ContentstackConfigError(
+      "appId and clientId must be different. appId is your Contentstack app UID; clientId is the OAuth client identifier."
+    );
+  }
+}
+function mapTokenResponse(data) {
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    expiresIn: data.expires_in,
+    tokenType: data.token_type
+  };
+}
+async function makeTokenRequest(appBaseUrl, body, errorMessage) {
+  const client = new ContentstackHttpClient({ baseUrl: appBaseUrl });
+  try {
+    const { data } = await client.postForm("/apps-api/token", body);
+    return mapTokenResponse(data);
+  } catch (err) {
+    if (err instanceof ContentstackError) {
+      throw new ContentstackAuthError(err.message || errorMessage, {
+        status: err.status,
+        requestPath: "/apps-api/token",
+        cause: err
+      });
+    }
+    throw new ContentstackAuthError(errorMessage, {
+      requestPath: "/apps-api/token",
+      cause: err instanceof Error ? err : void 0
+    });
+  }
+}
+async function refreshToken(config, token) {
+  const endpoints = resolveEndpoints(config.region);
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: token,
+    client_id: config.clientId,
+    client_secret: config.clientSecret
+  });
+  return makeTokenRequest(endpoints.app, body, "Failed to refresh token");
+}
+function mapUser(user) {
+  return {
+    uid: user.uid,
+    email: user.email,
+    firstName: user.first_name ?? void 0,
+    lastName: user.last_name ?? void 0,
+    username: user.username ?? void 0,
+    profileImage: user.profile_image ?? void 0
+  };
+}
+async function getUser(region, accessToken) {
+  const endpoints = resolveEndpoints(region);
+  const client = new ContentstackHttpClient({
+    baseUrl: `${endpoints.cma}/v3`,
+    headers: { Authorization: `Bearer ${accessToken}` }
+  });
+  try {
+    const { data } = await client.get("/user");
+    return mapUser(data.user);
+  } catch (err) {
+    if (err instanceof ContentstackError) {
+      throw new ContentstackAuthError(err.message || "Failed to fetch user profile", {
+        status: err.status,
+        requestPath: "/v3/user",
+        cause: err
+      });
+    }
+    throw new ContentstackAuthError("Failed to fetch user profile", {
+      requestPath: "/v3/user",
+      cause: err instanceof Error ? err : void 0
+    });
+  }
+}
+function createAuthProvider(config) {
+  validateConfig(config);
+  const endpoints = resolveEndpoints(config.region);
+  const userClient = new ContentstackHttpClient({ baseUrl: `${endpoints.cma}/v3` });
+  return {
+    id: "contentstack",
+    name: "Contentstack",
+    type: "oauth",
+    checks: ["state"],
+    authorization: {
+      url: `${endpoints.app}/apps/${config.appId}/authorize`,
+      params: {
+        response_type: "code",
+        scope: config.scopes.join(" ")
+      }
+    },
+    token: `${endpoints.app}/apps-api/token`,
+    userinfo: {
+      url: `${endpoints.cma}/v3/user`,
+      async request({ tokens }) {
+        const authedClient = userClient.withHeaders({
+          Authorization: `Bearer ${tokens.access_token}`
+        });
+        const { data } = await authedClient.get("/user");
+        return data;
+      }
+    },
+    profile(profile) {
+      const user = profile.user;
+      return {
+        id: user.uid,
+        name: [user.first_name, user.last_name].filter(Boolean).join(" ") || user.username,
+        email: user.email,
+        image: user.profile_image ?? null
+      };
+    },
+    clientId: config.clientId,
+    clientSecret: config.clientSecret
+  };
+}
+function contentstackAuthCallbacks(config) {
+  return {
+    async jwt({
+      token,
+      account
+    }) {
+      if (account) {
+        token.accessToken = account.access_token;
+        token.refreshToken = account.refresh_token;
+        token.accessTokenExpiresAt = Date.now() + (account.expires_in ?? 3600) * 1e3;
+        return token;
+      }
+      const expiresAt = token.accessTokenExpiresAt;
+      if (expiresAt && Date.now() < expiresAt - 6e4) {
+        return token;
+      }
+      const currentRefreshToken = token.refreshToken;
+      if (!currentRefreshToken) {
+        token.error = "RefreshAccessTokenError";
+        return token;
+      }
+      try {
+        const tokens = await refreshToken(config, currentRefreshToken);
+        token.accessToken = tokens.accessToken;
+        token.refreshToken = tokens.refreshToken;
+        token.accessTokenExpiresAt = Date.now() + tokens.expiresIn * 1e3;
+        token.error = void 0;
+      } catch {
+        token.error = "RefreshAccessTokenError";
+      }
+      return token;
+    },
+    async session({
+      session,
+      token
+    }) {
+      session.accessToken = token.accessToken;
+      if (token.error) {
+        session.error = token.error;
+      }
+      return session;
+    }
+  };
+}
+
+// src/server/middleware/auth.ts
+async function createContentstackAuth(config) {
+  const { default: NextAuth } = await import("next-auth");
+  const oauthConfig = {
+    region: config.region,
+    appId: config.appId,
+    clientId: config.clientId,
+    clientSecret: config.clientSecret,
+    scopes: config.scopes,
+    redirectUri: "auto"
+  };
+  const provider = createAuthProvider(oauthConfig);
+  const baseCallbacks = contentstackAuthCallbacks(oauthConfig);
+  const callbacks = {
+    async jwt(params) {
+      const token = await baseCallbacks.jwt(params);
+      if (params.account && config.onSignIn) {
+        try {
+          const user = await getUser(config.region, token.accessToken);
+          const tokens = {
+            accessToken: token.accessToken,
+            refreshToken: token.refreshToken,
+            expiresIn: Math.floor((token.accessTokenExpiresAt - Date.now()) / 1e3),
+            tokenType: "Bearer"
+          };
+          await config.onSignIn(user, tokens);
+        } catch {
+        }
+      }
+      return token;
+    },
+    session: baseCallbacks.session
+  };
+  return NextAuth({
+    providers: [provider],
+    callbacks,
+    secret: config.secret,
+    trustHost: config.trustHost ?? true,
+    session: { strategy: "jwt" },
+    pages: {
+      signIn: config.signInPage ?? "/login",
+      error: config.errorPage ?? "/login"
+    }
+  });
+}
+
+// src/server/middleware/session.ts
+async function getSession(authFn) {
+  const session = await authFn();
+  if (!session?.accessToken) return null;
+  return { accessToken: session.accessToken, user: session.user };
+}
+async function requireSession(authFn, redirectTo) {
+  const session = await getSession(authFn);
+  if (!session) {
+    throw new ContentstackAuthError(
+      redirectTo ? `Authentication required. Redirect to: ${redirectTo}` : "Authentication required",
+      { status: 401 }
+    );
+  }
+  return session;
+}
+async function getAccessToken(authFn) {
+  const session = await authFn();
+  return session?.accessToken ?? null;
+}
+
+// src/server/proxy/proxy-base.ts
+function jsonErrorResponse(error, status) {
+  return new Response(JSON.stringify({ error }), {
+    status,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+function createBaseProxy(config, handleRequest) {
+  return async (request) => {
+    const token = await config.getAccessToken(request);
+    if (!token) {
+      return jsonErrorResponse("Unauthorized", 401);
+    }
+    const url = new URL(request.url);
+    const apiPath = url.pathname.replace(config.basePath, "");
+    const body = ["GET", "HEAD"].includes(request.method) || request.body === null ? void 0 : await request.arrayBuffer();
+    return handleRequest({
+      token,
+      apiPath,
+      search: url.search,
+      method: request.method,
+      body,
+      request
+    });
+  };
+}
+async function forwardRequest(url, method, headers, body, timeout) {
+  try {
+    const upstream = await fetch(url, {
+      method,
+      headers,
+      body,
+      signal: AbortSignal.timeout(timeout)
+    });
+    return new Response(upstream.body, {
+      status: upstream.status,
+      headers: {
+        "content-type": upstream.headers.get("content-type") ?? "application/json"
+      }
+    });
+  } catch {
+    return jsonErrorResponse("Bad Gateway", 502);
+  }
+}
+
+// src/server/proxy/rate-limiter.ts
+function createRateLimiter(maxRequests, windowMs = 6e4) {
+  const windows = /* @__PURE__ */ new Map();
+  return {
+    /**
+     * Check if the request is within rate limits.
+     * @returns `true` if the request is allowed, `false` if rate limited.
+     */
+    check(key) {
+      const now = Date.now();
+      const window = windows.get(key);
+      for (const [k, w] of windows) {
+        if (now - w.windowStart > windowMs) {
+          windows.delete(k);
+        }
+      }
+      if (!window || now - window.windowStart > windowMs) {
+        windows.set(key, { count: 1, windowStart: now });
+        return true;
+      }
+      window.count++;
+      return window.count <= maxRequests;
+    }
+  };
+}
+
+// src/server/proxy/scope-guard.ts
+var READ_METHODS = /* @__PURE__ */ new Set(["GET", "HEAD"]);
+function resolveScope(method, path) {
+  const isRead = READ_METHODS.has(method.toUpperCase());
+  const suffix = isRead ? ":read" : ":write";
+  const segments = path.split("/");
+  if (segments.includes("entries")) return `entries${suffix}`;
+  if (segments.includes("content_types")) return `content-types${suffix}`;
+  if (segments.includes("assets")) return `assets${suffix}`;
+  if (segments.includes("environments")) return "environments:read";
+  if (segments.includes("locales")) return "locales:read";
+  if (segments.includes("releases")) return `releases${suffix}`;
+  if (segments.includes("taxonomies")) return `taxonomies${suffix}`;
+  if (segments.includes("workflows")) return `workflows${suffix}`;
+  if (segments.includes("webhooks")) return `webhooks${suffix}`;
+  return null;
+}
+function checkScope(required, allowed) {
+  if (allowed.includes(required)) return null;
+  return `Scope "${required}" is not allowed. Allowed scopes: ${allowed.join(", ")}`;
+}
+
+// src/server/proxy/cma-proxy.ts
+function createCMAProxy(config) {
+  const endpoints = resolveEndpoints(config.region);
+  const cmaBase = `${endpoints.cma}/v3`;
+  const timeout = config.timeout ?? 3e4;
+  const rateLimiter = config.rateLimit ? createRateLimiter(config.rateLimit) : null;
+  return createBaseProxy(
+    {
+      getAccessToken: config.getAccessToken,
+      basePath: config.basePath ?? "/api/cma",
+      timeout
+    },
+    async (ctx) => {
+      if (rateLimiter && !rateLimiter.check(ctx.token)) {
+        return jsonErrorResponse("Too Many Requests", 429);
+      }
+      if (config.allowedScopes) {
+        const scope = resolveScope(ctx.method, ctx.apiPath);
+        if (!scope) {
+          if ((config.unmappedScopeBehavior ?? "deny") === "deny") {
+            return jsonErrorResponse(
+              `No scope mapping found for "${ctx.method} ${ctx.apiPath}". Add a mapping or set unmappedScopeBehavior: "allow".`,
+              403
+            );
+          }
+        } else {
+          const rejection = checkScope(scope, config.allowedScopes);
+          if (rejection) {
+            return jsonErrorResponse(rejection, 403);
+          }
+        }
+      }
+      const headers = {
+        api_key: config.apiKey,
+        authorization: `Bearer ${ctx.token}`
+      };
+      const contentType = ctx.request.headers.get("content-type");
+      if (contentType) {
+        headers["content-type"] = contentType;
+      }
+      return forwardRequest(
+        cmaBase + ctx.apiPath + ctx.search,
+        ctx.method,
+        headers,
+        ctx.body,
+        timeout
+      );
+    }
+  );
+}
+
+// src/server/proxy/launch-proxy.ts
+function createLaunchProxy(config) {
+  const endpoints = resolveEndpoints(config.region);
+  const launchBase = endpoints.launch;
+  const timeout = config.timeout ?? 3e4;
+  return createBaseProxy(
+    {
+      getAccessToken: config.getAccessToken,
+      basePath: config.basePath ?? "/api/launch",
+      timeout
+    },
+    async (ctx) => {
+      const headers = {
+        authorization: `Bearer ${ctx.token}`,
+        organization_uid: config.organizationUid,
+        "content-type": "application/json"
+      };
+      return forwardRequest(
+        launchBase + ctx.apiPath + ctx.search,
+        ctx.method,
+        headers,
+        ctx.body,
+        timeout
+      );
+    }
+  );
+}
+
+// src/server/proxy/brandkit-proxy.ts
+function createBrandKitProxy(config) {
+  const endpoints = resolveEndpoints(config.region);
+  const brandKitBase = endpoints.brandKit;
+  const brandKitAIBase = endpoints.brandKitAI;
+  const timeout = config.timeout ?? 3e4;
+  return createBaseProxy(
+    {
+      getAccessToken: config.getAccessToken,
+      basePath: config.basePath ?? "/api/brandkit",
+      timeout
+    },
+    async (ctx) => {
+      if (config.allowedOperations?.length) {
+        const hasManage = config.allowedOperations.includes("manage");
+        if (!hasManage && !["GET", "HEAD"].includes(ctx.method)) {
+          return jsonErrorResponse("Forbidden: read-only mode", 403);
+        }
+      }
+      const headers = {
+        authorization: `Bearer ${ctx.token}`,
+        organization_uid: config.organizationUid,
+        brand_kit_uid: config.brandKitUid,
+        "content-type": "application/json"
+      };
+      const isAIPath = ctx.apiPath.includes("/knowledge-vault") || ctx.apiPath.includes("/generative-ai");
+      const baseUrl = isAIPath ? brandKitAIBase : brandKitBase;
+      return forwardRequest(
+        baseUrl + ctx.apiPath + ctx.search,
+        ctx.method,
+        headers,
+        ctx.body,
+        timeout
+      );
+    }
+  );
+}
+
+// src/server/webhooks/verify.ts
+function hexDecode(hex) {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = Number.parseInt(hex.substring(i, i + 2), 16);
+  }
+  return bytes;
+}
+function timingSafeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= (a[i] ?? 0) ^ (b[i] ?? 0);
+  }
+  return result === 0;
+}
+async function verifyWebhookSignature(body, signature, secret) {
+  const encoder = new TextEncoder();
+  const key = await globalThis.crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const expectedBuffer = await globalThis.crypto.subtle.sign("HMAC", key, encoder.encode(body));
+  const expectedBytes = new Uint8Array(expectedBuffer);
+  const signatureBytes = hexDecode(signature);
+  return timingSafeEqual(expectedBytes, signatureBytes);
+}
+
+// src/server/webhooks/handler.ts
+var SIGNATURE_HEADER = "x-contentstack-request-signature";
+function parseWebhookBody(body) {
+  const raw = JSON.parse(body);
+  const module2 = raw.module;
+  const event = raw.event;
+  const type = `${module2}.${event}`;
+  return {
+    ...raw,
+    type,
+    module: module2,
+    event
+  };
+}
+function createWebhookHandler(config) {
+  return {
+    /**
+     * Read the request body, verify the signature, and return a typed event.
+     * Throws `ContentstackAuthError` if the signature is missing or invalid.
+     */
+    async verify(request) {
+      const body = await request.text();
+      const signature = request.headers.get(SIGNATURE_HEADER);
+      if (!signature) {
+        throw new ContentstackAuthError("Missing webhook signature header", {
+          status: 401,
+          requestPath: new URL(request.url).pathname
+        });
+      }
+      const valid = await verifyWebhookSignature(body, signature, config.secret);
+      if (!valid) {
+        throw new ContentstackAuthError("Invalid webhook signature", {
+          status: 401,
+          requestPath: new URL(request.url).pathname
+        });
+      }
+      return parseWebhookBody(body);
+    },
+    /**
+     * Read the request body and return a typed event without verifying the signature.
+     */
+    async parse(request) {
+      const body = await request.text();
+      return parseWebhookBody(body);
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  checkScope,
+  createBrandKitProxy,
+  createCMAProxy,
+  createContentstackAuth,
+  createLaunchProxy,
+  createWebhookHandler,
+  getAccessToken,
+  getSession,
+  requireSession,
+  resolveScope,
+  verifyWebhookSignature
+});
+//# sourceMappingURL=index.cjs.map