create-softeneers-app 0.2.2 → 0.2.3

package/templates/express-api/src/storage/store.ts

@@ -0,0 +1,13 @@
+import { createStorage } from "@softeneers/storage";
+
+import { env } from "../env.js";
+
+// An S3-compatible storage handle (AWS S3 / Cloudflare R2 / MinIO). No network
+// call until you upload or sign a URL.
+export const storage = createStorage({
+  accessKeyId: env.S3_ACCESS_KEY_ID,
+  secretAccessKey: env.S3_SECRET_ACCESS_KEY,
+  bucket: env.S3_BUCKET,
+  region: env.S3_REGION,
+  endpoint: env.S3_ENDPOINT || undefined,
+});

package/templates/hono-api/.env.example

@@ -11,3 +11,26 @@ DB_PASSWORD=
 AUTH_SECRET=dev-secret-change-me-to-a-long-random-string
 AUTH_BASE_URL=http://localhost:4000
 # #endif
+# #if email
+# Get a key at https://resend.com — the app boots without it; sending needs it.
+RESEND_API_KEY=re_set_me
+EMAIL_FROM=onboarding@resend.dev
+# #endif
+# #if storage
+# S3-compatible storage (AWS S3 / Cloudflare R2 / MinIO).
+S3_ACCESS_KEY_ID=
+S3_SECRET_ACCESS_KEY=
+S3_BUCKET=uploads
+S3_REGION=auto
+S3_ENDPOINT=
+# #endif
+# #if payments
+# Stripe — the ONLY thing you must set for payments to work. Test keys from
+# https://dashboard.stripe.com/test/apikeys ; webhook secret from `stripe listen`
+# or the dashboard. Create two Prices and paste their ids below.
+APP_URL=http://localhost:4000
+STRIPE_SECRET_KEY=sk_test_set_me
+STRIPE_WEBHOOK_SECRET=whsec_set_me
+STRIPE_PRICE_ID=price_set_me
+STRIPE_SUBSCRIPTION_PRICE_ID=price_set_me
+# #endif

package/templates/hono-api/README.md

@@ -30,7 +30,21 @@ npm run db:reset   # drop, recreate, reseed
 | PUT    | `/api/cars/:id`  | Update a car       |
 | DELETE | `/api/cars/:id`  | Delete a car       |
 # #if auth
-| GET/POST | `/api/auth/*`  | better-auth routes |
+| ALL    | `/api/auth/*`    | better-auth routes |
+# #endif
+# #if email
+| POST   | `/api/email/welcome` | Send a welcome email |
+# #endif
+# #if storage
+| POST   | `/api/files/:key`    | Upload an object   |
+| GET    | `/api/files/:key/url`| Signed download URL |
+| DELETE | `/api/files/:key`    | Delete an object   |
+# #endif
+# #if payments
+| POST   | `/api/payments/checkout`  | One-time Stripe checkout |
+| POST   | `/api/payments/subscribe` | Subscription checkout |
+| POST   | `/api/payments/portal`    | Billing portal |
+| POST   | `/api/webhooks/stripe`    | Stripe webhook (verified) |
 # #endif
 
 ```bash
@@ -61,7 +75,60 @@ npm run db:migrate && npm run db:seed
 ## Authentication
 
 Email + password auth via better-auth ([`@softeneers/auth`](https://www.npmjs.com/package/@softeneers/auth)),
-mounted at `/api/auth/*`. Set a strong `AUTH_SECRET` in `.env` before deploying.
+mounted at `/api/auth/*` (`sign-up/email`, `sign-in/email`, `get-session`, …).
+Set a strong `AUTH_SECRET` in `.env` before deploying.
+# #endif
+# #if email
+
+## Email
+
+Transactional email via Resend ([`@softeneers/email`](https://www.npmjs.com/package/@softeneers/email)).
+Set `RESEND_API_KEY` (and `EMAIL_FROM`) in `.env`, then:
+
+```bash
+curl -X POST localhost:4000/api/email/welcome -H 'content-type: application/json' \
+  -d '{"to":"you@example.com","name":"Ada"}'
+```
+# #endif
+# #if storage
+
+## Storage
+
+S3-compatible uploads ([`@softeneers/storage`](https://www.npmjs.com/package/@softeneers/storage))
+— works with AWS S3, Cloudflare R2, and MinIO. Set the `S3_*` keys in `.env`, then:
+
+```bash
+curl -X POST --data-binary @photo.png localhost:4000/api/files/photo.png
+curl localhost:4000/api/files/photo.png/url   # → a signed download URL
+```
+# #endif
+# #if payments
+
+## Payments (Stripe)
+
+Stripe checkout, subscriptions, the billing portal, and a verified webhook
+([`@softeneers/payments`](https://www.npmjs.com/package/@softeneers/payments)) —
+**all pre-wired**. The only thing you do is paste your keys into `.env`:
+
+```
+STRIPE_SECRET_KEY=sk_test_…
+STRIPE_WEBHOOK_SECRET=whsec_…
+STRIPE_PRICE_ID=price_…                # one-time price
+STRIPE_SUBSCRIPTION_PRICE_ID=price_…   # recurring price
+```
+
+Get test keys at <https://dashboard.stripe.com/test/apikeys> and create two
+Prices. Locally, forward webhooks with the Stripe CLI (this also prints the
+`whsec_…` secret):
+
+```bash
+stripe listen --forward-to localhost:4000/api/webhooks/stripe
+```
+
+Then `POST /api/payments/checkout` (or `/subscribe`) returns a Stripe URL to
+redirect the customer to. The webhook handles `checkout.session.completed` and
+the `customer.subscription.*` events — add your fulfilment logic in
+`src/payments/webhook.ts`.
 # #endif
 
 ## Getting started

package/templates/hono-api/package.json

@@ -21,7 +21,10 @@
     "@hono/node-server": "^1.13.0",
     "@softeneers/auth": "^0.1.0",
     "@softeneers/db": "^0.1.0",
+    "@softeneers/email": "^0.1.0",
     "@softeneers/env": "^0.1.0",
+    "@softeneers/payments": "^0.1.0",
+    "@softeneers/storage": "^0.1.0",
     "dotenv": "^16.4.5",
     "hono": "^4.6.0",
     "mysql2": "^3.11.0"

package/templates/hono-api/softeneers.template.json

@@ -1,5 +1,12 @@
 {
-  "toggles": { "db": false, "auth": false, "docker": false },
+  "toggles": {
+    "db": false,
+    "auth": false,
+    "docker": false,
+    "email": false,
+    "storage": false,
+    "payments": false
+  },
   "fragments": {
     "db": {
       "removePaths": ["src/db.ts", "src/scripts", "docker-compose.yml"],
@@ -12,6 +19,18 @@
     },
     "docker": {
       "removePaths": ["docker-compose.yml"]
+    },
+    "email": {
+      "removePaths": ["src/email"],
+      "removeDeps": ["@softeneers/email"]
+    },
+    "storage": {
+      "removePaths": ["src/storage"],
+      "removeDeps": ["@softeneers/storage"]
+    },
+    "payments": {
+      "removePaths": ["src/payments"],
+      "removeDeps": ["@softeneers/payments"]
     }
   }
 }

package/templates/hono-api/src/email/mailer.ts

@@ -0,0 +1,6 @@
+import { createEmailClient } from "@softeneers/email";
+
+import { env } from "../env.js";
+
+// A Resend client. No network call until you send.
+export const mailer = createEmailClient(env.RESEND_API_KEY);

package/templates/hono-api/src/email/routes.ts

@@ -0,0 +1,24 @@
+import { Hono } from "hono";
+
+import { sendEmail } from "@softeneers/email";
+
+import { env } from "../env.js";
+import { mailer } from "./mailer.js";
+
+export const email = new Hono();
+
+// Demo: send a welcome email. POST { "to": "a@b.com", "name": "Ada" }
+email.post("/welcome", async (c) => {
+  const body = await c.req.json().catch(() => ({}) as Record<string, unknown>);
+  const to = typeof body.to === "string" ? body.to : "";
+  const name = typeof body.name === "string" ? body.name : "there";
+  if (!to) return c.json({ message: "to (email address) is required." }, 400);
+  await sendEmail(mailer, {
+    from: env.EMAIL_FROM,
+    to,
+    subject: "Welcome!",
+    html: `<h1>Welcome, ${name}!</h1><p>Thanks for joining.</p>`,
+    text: `Welcome, ${name}! Thanks for joining.`,
+  });
+  return c.json({ sent: true });
+});

package/templates/hono-api/src/env.ts

@@ -19,5 +19,23 @@ export const env = createEnv({
     AUTH_SECRET: z.string().min(16).default("dev-secret-change-me-to-a-long-random-string"),
     AUTH_BASE_URL: z.string().default("http://localhost:4000"),
     // #endif
+    // #if email
+    RESEND_API_KEY: z.string().default("re_set_me_in_dotenv"),
+    EMAIL_FROM: z.string().default("onboarding@resend.dev"),
+    // #endif
+    // #if storage
+    S3_ACCESS_KEY_ID: z.string().default(""),
+    S3_SECRET_ACCESS_KEY: z.string().default(""),
+    S3_BUCKET: z.string().default("uploads"),
+    S3_REGION: z.string().default("auto"),
+    S3_ENDPOINT: z.string().default(""),
+    // #endif
+    // #if payments
+    APP_URL: z.string().default("http://localhost:4000"),
+    STRIPE_SECRET_KEY: z.string().default("sk_test_set_me_in_dotenv"),
+    STRIPE_WEBHOOK_SECRET: z.string().default("whsec_set_me_in_dotenv"),
+    STRIPE_PRICE_ID: z.string().default("price_set_me_in_dotenv"),
+    STRIPE_SUBSCRIPTION_PRICE_ID: z.string().default("price_set_me_in_dotenv"),
+    // #endif
   },
 });

package/templates/hono-api/src/index.ts

@@ -7,6 +7,16 @@ import { env } from "./env.js";
 // #if auth
 import { auth } from "./auth/auth.js";
 // #endif
+// #if email
+import { email } from "./email/routes.js";
+// #endif
+// #if storage
+import { files } from "./storage/routes.js";
+// #endif
+// #if payments
+import { payments } from "./payments/routes.js";
+import { stripeWebhook } from "./payments/webhook.js";
+// #endif
 
 const app = new Hono();
 
@@ -20,6 +30,16 @@ app.route("/api/cars", cars);
 // better-auth speaks the Fetch API, so hand it the raw Request and return its Response.
 app.on(["GET", "POST"], "/api/auth/*", (c) => auth.handler(c.req.raw));
 // #endif
+// #if email
+app.route("/api/email", email);
+// #endif
+// #if storage
+app.route("/api/files", files);
+// #endif
+// #if payments
+app.post("/api/webhooks/stripe", stripeWebhook);
+app.route("/api/payments", payments);
+// #endif
 
 serve({ fetch: app.fetch, port: env.PORT }, (info) => {
   console.log(`API running on http://localhost:${info.port}`);

package/templates/hono-api/src/payments/routes.ts

@@ -0,0 +1,41 @@
+import { Hono } from "hono";
+
+import { createBillingPortalSession, createCheckoutSession } from "@softeneers/payments";
+
+import { env } from "../env.js";
+import { stripe } from "./stripe.js";
+
+export const payments = new Hono();
+
+// One-time purchase → returns a Stripe Checkout URL.
+payments.post("/checkout", async (c) => {
+  const session = await createCheckoutSession(stripe, {
+    mode: "payment",
+    priceId: env.STRIPE_PRICE_ID,
+    successUrl: `${env.APP_URL}/?paid=1`,
+    cancelUrl: `${env.APP_URL}/?canceled=1`,
+  });
+  return c.json({ url: session.url });
+});
+
+// Subscription checkout.
+payments.post("/subscribe", async (c) => {
+  const session = await createCheckoutSession(stripe, {
+    mode: "subscription",
+    priceId: env.STRIPE_SUBSCRIPTION_PRICE_ID,
+    successUrl: `${env.APP_URL}/?subscribed=1`,
+    cancelUrl: `${env.APP_URL}/?canceled=1`,
+  });
+  return c.json({ url: session.url });
+});
+
+// Billing portal — pass ?customer=cus_…
+payments.post("/portal", async (c) => {
+  const customer = c.req.query("customer") ?? "";
+  if (!customer) return c.json({ message: "A Stripe customer id (?customer=cus_…) is required." }, 400);
+  const session = await createBillingPortalSession(stripe, {
+    customer,
+    returnUrl: `${env.APP_URL}/`,
+  });
+  return c.json({ url: session.url });
+});

package/templates/hono-api/src/payments/stripe.ts

@@ -0,0 +1,6 @@
+import { createStripe } from "@softeneers/payments";
+
+import { env } from "../env.js";
+
+// A Stripe client. No network call until you actually create a session.
+export const stripe = createStripe(env.STRIPE_SECRET_KEY);

package/templates/hono-api/src/payments/webhook.ts

@@ -0,0 +1,36 @@
+import type { Context } from "hono";
+
+import { constructWebhookEvent } from "@softeneers/payments";
+
+import { env } from "../env.js";
+import { stripe } from "./stripe.js";
+
+// Stripe webhook handler. Reads the raw body via c.req.text() (needed for
+// signature verification) and handles both payment and subscription events.
+export async function stripeWebhook(c: Context) {
+  const signature = c.req.header("stripe-signature");
+  if (!signature) return c.text("Missing stripe-signature header.", 400);
+
+  let event;
+  try {
+    event = constructWebhookEvent(stripe, await c.req.text(), signature, env.STRIPE_WEBHOOK_SECRET);
+  } catch (error) {
+    console.error("Stripe webhook signature verification failed:", error);
+    return c.text("Invalid signature.", 400);
+  }
+
+  switch (event.type) {
+    case "checkout.session.completed":
+      console.log("✓ checkout.session.completed", event.data.object.id);
+      break;
+    case "customer.subscription.created":
+    case "customer.subscription.updated":
+    case "customer.subscription.deleted":
+      console.log(`✓ ${event.type}`, event.data.object.id);
+      break;
+    default:
+      console.log("Unhandled Stripe event:", event.type);
+  }
+
+  return c.json({ received: true });
+}

package/templates/hono-api/src/storage/routes.ts

@@ -0,0 +1,29 @@
+import { Hono } from "hono";
+
+import { deleteFile, getSignedDownloadUrl, uploadFile } from "@softeneers/storage";
+
+import { storage } from "./store.js";
+
+export const files = new Hono();
+
+// Upload raw bytes: POST the file body to /api/files/:key
+files.post("/:key", async (c) => {
+  const key = c.req.param("key");
+  await uploadFile(storage, {
+    key,
+    body: Buffer.from(await c.req.arrayBuffer()),
+    contentType: c.req.header("content-type"),
+  });
+  return c.json({ key }, 201);
+});
+
+// Get a time-limited download URL for an object.
+files.get("/:key/url", async (c) => {
+  return c.json({ url: await getSignedDownloadUrl(storage, c.req.param("key")) });
+});
+
+// Delete an object.
+files.delete("/:key", async (c) => {
+  await deleteFile(storage, c.req.param("key"));
+  return c.body(null, 204);
+});

package/templates/hono-api/src/storage/store.ts

@@ -0,0 +1,13 @@
+import { createStorage } from "@softeneers/storage";
+
+import { env } from "../env.js";
+
+// An S3-compatible storage handle (AWS S3 / Cloudflare R2 / MinIO). No network
+// call until you upload or sign a URL.
+export const storage = createStorage({
+  accessKeyId: env.S3_ACCESS_KEY_ID,
+  secretAccessKey: env.S3_SECRET_ACCESS_KEY,
+  bucket: env.S3_BUCKET,
+  region: env.S3_REGION,
+  endpoint: env.S3_ENDPOINT || undefined,
+});

package/templates/tanstack-start/.env.example

@@ -9,3 +9,26 @@ DB_PASSWORD=
 AUTH_SECRET=dev-secret-change-me-to-a-long-random-string
 AUTH_BASE_URL=http://localhost:3000
 # #endif
+# #if email
+# Get a key at https://resend.com — the app boots without it; sending needs it.
+RESEND_API_KEY=re_set_me
+EMAIL_FROM=onboarding@resend.dev
+# #endif
+# #if storage
+# S3-compatible storage (AWS S3 / Cloudflare R2 / MinIO).
+S3_ACCESS_KEY_ID=
+S3_SECRET_ACCESS_KEY=
+S3_BUCKET=uploads
+S3_REGION=auto
+S3_ENDPOINT=
+# #endif
+# #if payments
+# Stripe — the ONLY thing you must set for payments to work. Test keys from
+# https://dashboard.stripe.com/test/apikeys ; webhook secret from `stripe listen`
+# or the dashboard. Create two Prices and paste their ids below.
+APP_URL=http://localhost:3000
+STRIPE_SECRET_KEY=sk_test_set_me
+STRIPE_WEBHOOK_SECRET=whsec_set_me
+STRIPE_PRICE_ID=price_set_me
+STRIPE_SUBSCRIPTION_PRICE_ID=price_set_me
+# #endif

package/templates/tanstack-start/README.md

@@ -27,9 +27,23 @@ src/routes/cars.tsx         cars CRUD UI (loader + server functions)
 src/server/cars.ts          createServerFn RPCs (list / create / remove)
 src/server/store.ts         data layer (MySQL or in-memory)
 # #if auth
+src/routes/login.tsx        sign-in / sign-up UI
+src/routes/account.tsx      session + sign-out UI
+src/lib/auth-client.ts      better-auth/react client
 src/routes/api/auth/$.ts    better-auth catch-all route (/api/auth/*)
 src/server/auth.ts          better-auth instance
 # #endif
+# #if payments
+src/routes/billing.tsx      Buy / Subscribe UI
+src/server/payments.ts      Stripe server functions
+src/routes/api/webhooks/stripe.ts   verified Stripe webhook
+# #endif
+# #if email
+src/server/email.ts         sendWelcomeEmail server function
+# #endif
+# #if storage
+src/server/storage.ts       upload / signed-URL / delete server functions
+# #endif
 ```
 
 The `/cars` page loads data with a route `loader` and mutates via server
@@ -54,11 +68,52 @@ npm run db:migrate && npm run db:seed
 # #endif
 # #if auth
 
-## Authentication
+## Authentication (with UI)
 
 Email + password auth via better-auth ([`@softeneers/auth`](https://www.npmjs.com/package/@softeneers/auth)),
-served at `/api/auth/*`. Set a strong `AUTH_SECRET` in `.env`, and add the
-`better-auth/react` client in your components to drive sign-in/up flows.
+served at `/api/auth/*`, **with the UI included**: visit `/login` to sign up or
+in, and `/account` to see the session and sign out (driven by the
+`better-auth/react` client in `src/lib/auth-client.ts`). Set a strong
+`AUTH_SECRET` in `.env`.
+# #endif
+# #if email
+
+## Email
+
+Transactional email via Resend ([`@softeneers/email`](https://www.npmjs.com/package/@softeneers/email)).
+Set `RESEND_API_KEY` + `EMAIL_FROM` in `.env`, then call the `sendWelcomeEmail`
+server function from any component.
+# #endif
+# #if storage
+
+## Storage
+
+S3-compatible uploads ([`@softeneers/storage`](https://www.npmjs.com/package/@softeneers/storage),
+AWS S3 / Cloudflare R2 / MinIO) via the `uploadText` / `getFileUrl` / `removeFile`
+server functions. Set the `S3_*` keys in `.env`.
+# #endif
+# #if payments
+
+## Payments (Stripe)
+
+Stripe checkout, subscriptions, the billing portal, and a verified webhook
+([`@softeneers/payments`](https://www.npmjs.com/package/@softeneers/payments)) —
+**all pre-wired, with a `/billing` page**. The only thing you do is paste your
+keys into `.env`:
+
+```
+STRIPE_SECRET_KEY=sk_test_…
+STRIPE_WEBHOOK_SECRET=whsec_…
+STRIPE_PRICE_ID=price_…                # one-time price
+STRIPE_SUBSCRIPTION_PRICE_ID=price_…   # recurring price
+```
+
+Get test keys at <https://dashboard.stripe.com/test/apikeys>, create two Prices,
+and forward webhooks locally with the Stripe CLI:
+
+```bash
+stripe listen --forward-to localhost:3000/api/webhooks/stripe
+```
 # #endif
 
 ## Getting started

package/templates/tanstack-start/package.json

@@ -19,7 +19,11 @@
   "dependencies": {
     "@softeneers/auth": "^0.1.0",
     "@softeneers/db": "^0.1.0",
+    "@softeneers/email": "^0.1.0",
     "@softeneers/env": "^0.1.0",
+    "@softeneers/payments": "^0.1.0",
+    "@softeneers/storage": "^0.1.0",
+    "better-auth": "^1.6.0",
     "@tailwindcss/vite": "^4.1.18",
     "@tanstack/react-devtools": "latest",
     "@tanstack/react-router": "latest",

package/templates/tanstack-start/softeneers.template.json

@@ -1,5 +1,12 @@
 {
-  "toggles": { "db": false, "auth": false, "docker": false },
+  "toggles": {
+    "db": false,
+    "auth": false,
+    "docker": false,
+    "email": false,
+    "storage": false,
+    "payments": false
+  },
   "fragments": {
     "db": {
       "removePaths": ["src/server/db.ts", "src/server/scripts", "docker-compose.yml"],
@@ -7,11 +14,29 @@
       "removeScripts": ["db:migrate", "db:seed", "db:reset"]
     },
     "auth": {
-      "removePaths": ["src/server/auth.ts", "src/routes/api"],
-      "removeDeps": ["@softeneers/auth"]
+      "removePaths": [
+        "src/server/auth.ts",
+        "src/routes/api/auth",
+        "src/lib/auth-client.ts",
+        "src/routes/login.tsx",
+        "src/routes/account.tsx"
+      ],
+      "removeDeps": ["@softeneers/auth", "better-auth"]
     },
     "docker": {
       "removePaths": ["docker-compose.yml"]
+    },
+    "email": {
+      "removePaths": ["src/server/email.ts"],
+      "removeDeps": ["@softeneers/email"]
+    },
+    "storage": {
+      "removePaths": ["src/server/storage.ts"],
+      "removeDeps": ["@softeneers/storage"]
+    },
+    "payments": {
+      "removePaths": ["src/server/payments.ts", "src/routes/api/webhooks", "src/routes/billing.tsx"],
+      "removeDeps": ["@softeneers/payments"]
     }
   }
 }

package/templates/tanstack-start/src/lib/auth-client.ts

@@ -0,0 +1,4 @@
+import { createAuthClient } from 'better-auth/react'
+
+// Talks to the better-auth routes mounted at /api/auth/* (same origin).
+export const authClient = createAuthClient()

package/templates/tanstack-start/src/routes/account.tsx

@@ -0,0 +1,47 @@
+import { Link, createFileRoute, useRouter } from '@tanstack/react-router'
+
+import { authClient } from '../lib/auth-client'
+
+export const Route = createFileRoute('/account')({ component: Account })
+
+function Account() {
+  const router = useRouter()
+  const { data: session, isPending } = authClient.useSession()
+
+  if (isPending) {
+    return <div className="mx-auto max-w-sm p-8 text-gray-500">Loading…</div>
+  }
+
+  if (!session) {
+    return (
+      <div className="mx-auto max-w-sm p-8">
+        <p>You're not signed in.</p>
+        <Link to="/login" className="mt-3 inline-block text-blue-600 hover:underline">
+          Go to sign in →
+        </Link>
+      </div>
+    )
+  }
+
+  async function signOut() {
+    await authClient.signOut()
+    router.navigate({ to: '/login' })
+  }
+
+  return (
+    <div className="mx-auto max-w-sm p-8">
+      <h1 className="text-3xl font-bold">Account</h1>
+      <p className="mt-3">
+        Signed in as <strong>{session.user.email}</strong>
+        {session.user.name ? ` (${session.user.name})` : ''}.
+      </p>
+      <button
+        className="mt-6 rounded border border-gray-300 px-4 py-2 font-medium"
+        type="button"
+        onClick={signOut}
+      >
+        Sign out
+      </button>
+    </div>
+  )
+}

package/templates/tanstack-start/src/routes/api/webhooks/stripe.ts

@@ -0,0 +1,43 @@
+import { createFileRoute } from '@tanstack/react-router'
+
+import { constructWebhookEvent, createStripe } from '@softeneers/payments'
+
+import { env } from '../../../server/env'
+
+const stripe = createStripe(env.STRIPE_SECRET_KEY)
+
+// Catch-all Stripe webhook server route. Reads the raw body for signature
+// verification and handles both payment and subscription events.
+export const Route = createFileRoute('/api/webhooks/stripe')({
+  server: {
+    handlers: {
+      POST: async ({ request }) => {
+        const signature = request.headers.get('stripe-signature')
+        if (!signature) return new Response('Missing stripe-signature header.', { status: 400 })
+
+        let event
+        try {
+          event = constructWebhookEvent(stripe, await request.text(), signature, env.STRIPE_WEBHOOK_SECRET)
+        } catch (error) {
+          console.error('Stripe webhook signature verification failed:', error)
+          return new Response('Invalid signature.', { status: 400 })
+        }
+
+        switch (event.type) {
+          case 'checkout.session.completed':
+            console.log('✓ checkout.session.completed', event.data.object.id)
+            break
+          case 'customer.subscription.created':
+          case 'customer.subscription.updated':
+          case 'customer.subscription.deleted':
+            console.log(`✓ ${event.type}`, event.data.object.id)
+            break
+          default:
+            console.log('Unhandled Stripe event:', event.type)
+        }
+
+        return Response.json({ received: true })
+      },
+    },
+  },
+})