passlet 0.2.0

package/dist/index.js

@@ -0,0 +1,1367 @@
+import { createHash } from 'crypto';
+import JSZip from 'jszip';
+import forge from 'node-forge';
+import { importPKCS8, SignJWT } from 'jose';
+import { z } from 'zod';
+
+// src/errors.ts
+var WALLET_ERROR_CODES = {
+  // Config validation — message comes from the schema
+  PASS_CONFIG_INVALID: "PassConfig invalid",
+  CREATE_CONFIG_INVALID: "CreateConfig invalid",
+  // Apple — provider-level constraints the schema cannot enforce
+  APPLE_INVALID_SIGNER_CERT: "Apple signing failed: signerCert is not a valid PEM certificate",
+  APPLE_INVALID_SIGNER_KEY: "Apple signing failed: signerKey is not a valid PEM private key",
+  APPLE_INVALID_WWDR: "Apple signing failed: wwdr is not a valid PEM certificate",
+  APPLE_SIGNING_FAILED: "Apple signing failed: could not create PKCS#7 signature",
+  APPLE_MISSING_ICON: "Apple Wallet requires an icon image for every pass",
+  APPLE_UNSUPPORTED_BARCODE_FORMAT: "Apple Wallet does not support this barcode format \u2014 use QR, PDF417, or Aztec",
+  APPLE_BOARDING_MISSING_TRANSIT_TYPE: "Apple Wallet boarding passes require a transitType",
+  // Google — provider-level constraints the schema cannot enforce
+  GOOGLE_INVALID_PRIVATE_KEY: "Google signing failed: privateKey is not a valid PKCS#8 PEM private key",
+  GOOGLE_SIGNING_FAILED: "Google signing failed: could not sign the Wallet JWT",
+  GOOGLE_API_ERROR: "Google Wallet API error",
+  GOOGLE_MISSING_LOGO: "Google Wallet requires a public logo URL for this pass type",
+  GOOGLE_FLIGHT_MISSING_CLASS_FIELDS: "Google Wallet flightClass requires flightHeader and localScheduledDepartureDateTime",
+  GOOGLE_FLIGHT_MISSING_PASSENGER_NAME: "Google Wallet flightObject requires passengerName",
+  // Images
+  IMAGE_FETCH_NETWORK_ERROR: "Failed to fetch image: network error",
+  IMAGE_FETCH_FAILED: "Failed to fetch image: non-2xx response"
+};
+var WalletError = class extends Error {
+  code;
+  constructor(code, message, options) {
+    super(message ?? WALLET_ERROR_CODES[code], options);
+    this.name = "WalletError";
+    this.code = code;
+  }
+};
+function signManifest(options) {
+  const { manifest, signerCert, signerKey, wwdr } = options;
+  let cert;
+  let key;
+  let wwdrCert;
+  try {
+    cert = forge.pki.certificateFromPem(signerCert);
+  } catch (cause) {
+    throw new WalletError("APPLE_INVALID_SIGNER_CERT", void 0, { cause });
+  }
+  try {
+    key = forge.pki.privateKeyFromPem(signerKey);
+  } catch (cause) {
+    throw new WalletError("APPLE_INVALID_SIGNER_KEY", void 0, { cause });
+  }
+  try {
+    wwdrCert = forge.pki.certificateFromPem(wwdr);
+  } catch (cause) {
+    throw new WalletError("APPLE_INVALID_WWDR", void 0, { cause });
+  }
+  try {
+    const binaryStr = new TextDecoder("iso-8859-1").decode(manifest);
+    const p7 = forge.pkcs7.createSignedData();
+    p7.content = forge.util.createBuffer(binaryStr);
+    p7.addCertificate(cert);
+    p7.addCertificate(wwdrCert);
+    p7.addSigner({
+      key,
+      certificate: cert,
+      digestAlgorithm: forge.pki.oids.sha1,
+      authenticatedAttributes: [
+        {
+          type: forge.pki.oids.contentType,
+          value: forge.pki.oids.data
+        },
+        { type: forge.pki.oids.messageDigest },
+        { type: forge.pki.oids.signingTime }
+      ]
+    });
+    p7.sign({ detached: true });
+    const der = forge.asn1.toDer(p7.toAsn1()).getBytes();
+    return Uint8Array.from(der, (c) => c.charCodeAt(0));
+  } catch (cause) {
+    throw new WalletError("APPLE_SIGNING_FAILED", void 0, { cause });
+  }
+}
+
+// src/providers/apple/utils.ts
+function hexToRgb(hex) {
+  const clean = hex.replace("#", "");
+  const r = Number.parseInt(clean.slice(0, 2), 16);
+  const g = Number.parseInt(clean.slice(2, 4), 16);
+  const b = Number.parseInt(clean.slice(4, 6), 16);
+  return `rgb(${r}, ${g}, ${b})`;
+}
+var APPLE_BARCODE_FORMAT = {
+  QR: "PKBarcodeFormatQR",
+  PDF417: "PKBarcodeFormatPDF417",
+  Aztec: "PKBarcodeFormatAztec",
+  Code128: "PKBarcodeFormatCode128"
+};
+function toAppleBarcodeFormat(format) {
+  return APPLE_BARCODE_FORMAT[format] ?? "PKBarcodeFormatQR";
+}
+async function fetchAsBytes(url) {
+  let response;
+  try {
+    response = await fetch(url);
+  } catch (cause) {
+    throw new WalletError(
+      "IMAGE_FETCH_NETWORK_ERROR",
+      `Failed to fetch image: ${url} (network error)`,
+      { cause }
+    );
+  }
+  if (!response.ok) {
+    throw new WalletError(
+      "IMAGE_FETCH_FAILED",
+      `Failed to fetch image: ${url} (${response.status})`
+    );
+  }
+  return new Uint8Array(await response.arrayBuffer());
+}
+function resolveSource(src) {
+  return src instanceof Uint8Array ? Promise.resolve(src) : fetchAsBytes(src);
+}
+async function resolveImageSet(name, imageSet2, warnings) {
+  if (!imageSet2) {
+    return {};
+  }
+  const files = {};
+  const tryLoad = async (filename, src) => {
+    try {
+      files[filename] = await resolveSource(src);
+    } catch (e) {
+      warnings.push(
+        `Could not load ${filename}: ${e instanceof Error ? e.message : String(e)}`
+      );
+    }
+  };
+  if (typeof imageSet2 === "string" || imageSet2 instanceof Uint8Array) {
+    await tryLoad(`${name}.png`, imageSet2);
+  } else {
+    await tryLoad(`${name}.png`, imageSet2.base);
+    if (imageSet2.retina) {
+      await tryLoad(`${name}@2x.png`, imageSet2.retina);
+    }
+    if (imageSet2.superRetina) {
+      await tryLoad(`${name}@3x.png`, imageSet2.superRetina);
+    }
+  }
+  return files;
+}
+async function resolveRequiredImageSet(name, imageSet2) {
+  const files = {};
+  if (typeof imageSet2 === "string" || imageSet2 instanceof Uint8Array) {
+    files[`${name}.png`] = await resolveSource(imageSet2);
+  } else {
+    files[`${name}.png`] = await resolveSource(imageSet2.base);
+    if (imageSet2.retina) {
+      files[`${name}@2x.png`] = await resolveSource(imageSet2.retina);
+    }
+    if (imageSet2.superRetina) {
+      files[`${name}@3x.png`] = await resolveSource(imageSet2.superRetina);
+    }
+  }
+  return files;
+}
+
+// src/providers/apple/index.ts
+var PASS_TYPE_KEY = {
+  loyalty: "storeCard",
+  coupon: "coupon",
+  event: "eventTicket",
+  flight: "boardingPass",
+  giftCard: "storeCard",
+  generic: "generic"
+};
+var TRANSIT_TYPE = {
+  air: "PKTransitTypeAir",
+  train: "PKTransitTypeTrain",
+  bus: "PKTransitTypeBus",
+  boat: "PKTransitTypeBoat"
+};
+var SLOT_KEY = {
+  header: "headerFields",
+  primary: "primaryFields",
+  secondary: "secondaryFields",
+  auxiliary: "auxiliaryFields",
+  back: "backFields"
+};
+function validateAppleRequirements(pass) {
+  if (!pass.apple?.icon) {
+    throw new WalletError("APPLE_MISSING_ICON");
+  }
+  if (pass.type === "flight" && !pass.transitType) {
+    throw new WalletError("APPLE_BOARDING_MISSING_TRANSIT_TYPE");
+  }
+}
+function buildSlots(fields, values) {
+  const slots = {
+    headerFields: [],
+    primaryFields: [],
+    secondaryFields: [],
+    auxiliaryFields: [],
+    backFields: []
+  };
+  for (const f of fields) {
+    const value = f.key in values ? values[f.key] : f.value;
+    if (value === null || value === void 0) {
+      continue;
+    }
+    slots[SLOT_KEY[f.slot]]?.push({
+      key: f.key,
+      label: f.label,
+      value,
+      ...f.changeMessage && { changeMessage: f.changeMessage },
+      ...f.dateStyle && { dateStyle: f.dateStyle },
+      ...f.timeStyle && { timeStyle: f.timeStyle },
+      ...f.numberStyle && { numberStyle: f.numberStyle },
+      ...f.currencyCode && { currencyCode: f.currencyCode },
+      ...f.textAlignment && { textAlignment: f.textAlignment },
+      ...f.row !== void 0 && { row: f.row }
+    });
+  }
+  return slots;
+}
+function buildPassTypeContent(pass, slots) {
+  const content = { ...slots };
+  if (pass.type === "flight") {
+    content.transitType = TRANSIT_TYPE[pass.transitType ?? "air"] ?? "PKTransitTypeAir";
+  }
+  return content;
+}
+function buildEventAppleFields(pass) {
+  const a = pass.apple;
+  return {
+    eventLogoText: a?.eventLogoText,
+    footerBackgroundColor: a?.footerBackgroundColor ? hexToRgb(a.footerBackgroundColor) : void 0,
+    suppressHeaderDarkening: a?.suppressHeaderDarkening,
+    useAutomaticColors: a?.useAutomaticColors,
+    preferredStyleSchemes: a?.preferredStyleSchemes,
+    auxiliaryStoreIdentifiers: a?.auxiliaryStoreIdentifiers,
+    accessibilityURL: a?.accessibilityURL,
+    addOnURL: a?.addOnURL,
+    bagPolicyURL: a?.bagPolicyURL,
+    contactVenueEmail: a?.contactVenueEmail,
+    contactVenuePhoneNumber: a?.contactVenuePhoneNumber,
+    contactVenueWebsite: a?.contactVenueWebsite,
+    directionsInformationURL: a?.directionsInformationURL,
+    merchandiseURL: a?.merchandiseURL,
+    orderFoodURL: a?.orderFoodURL,
+    parkingInformationURL: a?.parkingInformationURL,
+    purchaseParkingURL: a?.purchaseParkingURL,
+    sellURL: a?.sellURL,
+    transferURL: a?.transferURL,
+    transitInformationURL: a?.transitInformationURL
+  };
+}
+function buildFlightAppleFields(pass) {
+  const a = pass.apple;
+  return {
+    changeSeatURL: a?.changeSeatURL,
+    entertainmentURL: a?.entertainmentURL,
+    managementURL: a?.managementURL,
+    purchaseAdditionalBaggageURL: a?.purchaseAdditionalBaggageURL,
+    purchaseLoungeAccessURL: a?.purchaseLoungeAccessURL,
+    purchaseWifiURL: a?.purchaseWifiURL,
+    registerServiceAnimalURL: a?.registerServiceAnimalURL,
+    reportLostBagURL: a?.reportLostBagURL,
+    requestWheelchairURL: a?.requestWheelchairURL,
+    trackBagsURL: a?.trackBagsURL,
+    transitProviderEmail: a?.transitProviderEmail,
+    transitProviderPhoneNumber: a?.transitProviderPhoneNumber,
+    transitProviderWebsiteURL: a?.transitProviderWebsiteURL,
+    upgradeURL: a?.upgradeURL
+  };
+}
+function buildAppleCommonFields(pass, createConfig) {
+  const a = pass.apple;
+  return {
+    backgroundColor: pass.color ? hexToRgb(pass.color) : void 0,
+    foregroundColor: a?.foregroundColor ? hexToRgb(a.foregroundColor) : void 0,
+    labelColor: a?.labelColor ? hexToRgb(a.labelColor) : void 0,
+    expirationDate: createConfig.expiresAt,
+    voided: createConfig.apple?.voided,
+    // Barcode — Apple supports up to 10 but we expose one per recipient
+    barcodes: createConfig.barcode ? [
+      {
+        message: createConfig.barcode.value,
+        format: toAppleBarcodeFormat(createConfig.barcode.format),
+        messageEncoding: "iso-8859-1",
+        altText: createConfig.barcode.altText ?? createConfig.barcode.value
+      }
+    ] : void 0,
+    // Locations — altitude and relevantText are Apple-only
+    locations: pass.locations?.map(
+      ({ latitude, longitude, altitude, relevantText }) => ({
+        latitude,
+        longitude,
+        altitude,
+        relevantText
+      })
+    ),
+    beacons: a?.beacons,
+    relevantDate: a?.relevantDate,
+    relevantDates: a?.relevantDates,
+    groupingIdentifier: a?.groupingIdentifier,
+    suppressStripShine: a?.suppressStripShine,
+    sharingProhibited: a?.sharingProhibited,
+    maxDistance: a?.maxDistance,
+    nfc: a?.nfc ? {
+      message: a.nfc.message,
+      encryptionPublicKey: a.nfc.encryptionPublicKey
+    } : void 0,
+    appLaunchURL: a?.appLaunchURL,
+    associatedStoreIdentifiers: a?.associatedStoreIdentifiers,
+    webServiceURL: a?.webServiceURL,
+    authenticationToken: a?.webServiceURL ? a.authenticationToken : void 0,
+    userInfo: a?.userInfo
+  };
+}
+function buildPassJson(pass, createConfig, credentials) {
+  const passTypeKey = PASS_TYPE_KEY[pass.type] ?? "generic";
+  const slots = buildSlots(pass.fields, createConfig.values ?? {});
+  const a = pass.apple;
+  return {
+    formatVersion: 1,
+    passTypeIdentifier: credentials.passTypeIdentifier,
+    serialNumber: createConfig.serialNumber,
+    teamIdentifier: credentials.teamId,
+    organizationName: pass.name,
+    description: a?.description ?? pass.name,
+    logoText: a?.logoText ?? pass.name,
+    ...buildAppleCommonFields(pass, createConfig),
+    ...pass.type === "event" && buildEventAppleFields(pass),
+    ...pass.type === "flight" && buildFlightAppleFields(pass),
+    [passTypeKey]: buildPassTypeContent(pass, slots)
+  };
+}
+async function collectImages(pass, warnings) {
+  const images = {};
+  const icon = pass.apple?.icon;
+  if (!icon) {
+    throw new WalletError("APPLE_MISSING_ICON");
+  }
+  const iconFiles = await resolveRequiredImageSet("icon", icon);
+  Object.assign(images, iconFiles);
+  const optional = await Promise.all([
+    resolveImageSet("logo", pass.logo, warnings),
+    resolveImageSet("strip", pass.banner, warnings),
+    // banner → strip on Apple
+    resolveImageSet("background", pass.apple?.background, warnings),
+    resolveImageSet("thumbnail", pass.apple?.thumbnail, warnings),
+    resolveImageSet("footer", pass.apple?.footer, warnings)
+  ]);
+  for (const set of optional) {
+    Object.assign(images, set);
+  }
+  return images;
+}
+async function generateApplePass(pass, createConfig, credentials) {
+  const warnings = [];
+  validateAppleRequirements(pass);
+  const encoder = new TextEncoder();
+  const zip = new JSZip();
+  const files = {};
+  const passJson = buildPassJson(pass, createConfig, credentials);
+  files["pass.json"] = encoder.encode(JSON.stringify(passJson));
+  if (pass.locales) {
+    for (const [language, translations] of Object.entries(pass.locales)) {
+      const lines = Object.entries(translations).map(
+        ([key, value]) => `"${key}" = "${value.replace(/"/g, '\\"')}";`
+      );
+      files[`${language}.lproj/pass.strings`] = encoder.encode(
+        lines.join("\n")
+      );
+    }
+  }
+  const images = await collectImages(pass, warnings);
+  for (const [name, bytes] of Object.entries(images)) {
+    files[name] = bytes;
+  }
+  const manifest = {};
+  for (const [name, content] of Object.entries(files)) {
+    manifest[name] = createHash("sha1").update(content).digest("hex");
+  }
+  const manifestBytes = encoder.encode(JSON.stringify(manifest));
+  const signature = signManifest({
+    manifest: manifestBytes,
+    signerCert: credentials.signerCert,
+    signerKey: credentials.signerKey,
+    wwdr: credentials.wwdr
+  });
+  for (const [name, content] of Object.entries(files)) {
+    zip.file(name, content);
+  }
+  zip.file("manifest.json", manifestBytes);
+  zip.file("signature", signature);
+  return { pass: await zip.generateAsync({ type: "uint8array" }), warnings };
+}
+var WALLET_BASE = "https://walletobjects.googleapis.com/walletobjects/v1";
+var TOKEN_URL = "https://oauth2.googleapis.com/token";
+var WALLET_SCOPE = "https://www.googleapis.com/auth/wallet_object.issuer";
+var tokenCache = /* @__PURE__ */ new Map();
+async function importGoogleKey(credentials) {
+  try {
+    return await importPKCS8(credentials.privateKey, "RS256");
+  } catch (cause) {
+    throw new WalletError("GOOGLE_INVALID_PRIVATE_KEY", void 0, { cause });
+  }
+}
+async function getAccessToken(credentials, privateKey) {
+  const cacheKey = `${credentials.issuerId}:${credentials.clientEmail}`;
+  const cached = tokenCache.get(cacheKey);
+  if (cached && Date.now() < cached.expiresAt) {
+    return cached.token;
+  }
+  let assertion;
+  try {
+    assertion = await new SignJWT({ scope: WALLET_SCOPE }).setProtectedHeader({ alg: "RS256" }).setIssuedAt().setExpirationTime("1h").setIssuer(credentials.clientEmail).setAudience(TOKEN_URL).sign(privateKey);
+  } catch (cause) {
+    throw new WalletError("GOOGLE_SIGNING_FAILED", void 0, { cause });
+  }
+  const response = await fetch(TOKEN_URL, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+      assertion
+    }).toString()
+  });
+  if (!response.ok) {
+    const text = await response.text();
+    throw new WalletError(
+      "GOOGLE_API_ERROR",
+      `Failed to obtain access token (${response.status}): ${text}`
+    );
+  }
+  const data = await response.json();
+  tokenCache.set(cacheKey, {
+    token: data.access_token,
+    expiresAt: Date.now() + 55 * 60 * 1e3
+  });
+  return data.access_token;
+}
+async function walletRequest(method, path, credentials, privateKey, body) {
+  const accessToken = await getAccessToken(credentials, privateKey);
+  return fetch(`${WALLET_BASE}${path}`, {
+    method,
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+      "Content-Type": "application/json"
+    },
+    body: body === void 0 ? void 0 : JSON.stringify(body)
+  });
+}
+async function assertOk(response) {
+  if (!response.ok) {
+    const text = await response.text();
+    throw new WalletError(
+      "GOOGLE_API_ERROR",
+      `Google Wallet API error (${response.status}): ${text}`
+    );
+  }
+}
+async function ensureClass(classType, classId, classBody, credentials, privateKey) {
+  const existing = await walletRequest(
+    "GET",
+    `/${classType}/${classId}`,
+    credentials,
+    privateKey
+  );
+  if (existing.ok) {
+    await existing.body?.cancel();
+    return;
+  }
+  if (existing.status !== 404) {
+    const text = await existing.text();
+    throw new WalletError(
+      "GOOGLE_API_ERROR",
+      `Google Wallet API error (${existing.status}): ${text}`
+    );
+  }
+  await assertOk(
+    await walletRequest("POST", `/${classType}`, credentials, privateKey, {
+      id: classId,
+      ...classBody
+    })
+  );
+}
+async function deleteObject(objectType, objectId, credentials, privateKey) {
+  const response = await walletRequest(
+    "DELETE",
+    `/${objectType}/${objectId}`,
+    credentials,
+    privateKey
+  );
+  if (response.status === 404) {
+    await response.body?.cancel();
+    return;
+  }
+  await assertOk(response);
+  await response.body?.cancel();
+}
+async function patchObject(objectType, objectId, patch, credentials, privateKey) {
+  const response = await walletRequest(
+    "PATCH",
+    `/${objectType}/${objectId}`,
+    credentials,
+    privateKey,
+    patch
+  );
+  await assertOk(response);
+}
+
+// src/providers/google/utils.ts
+var GOOGLE_BARCODE_TYPE = {
+  QR: "QR_CODE",
+  PDF417: "PDF_417",
+  Aztec: "AZTEC",
+  Code128: "CODE_128"
+};
+function toGoogleBarcodeType(format) {
+  return GOOGLE_BARCODE_TYPE[format] ?? "QR_CODE";
+}
+function localized(value, language = "en-US", translatedValues) {
+  return {
+    defaultValue: { language, value },
+    translatedValues: translatedValues?.length ? translatedValues : void 0
+  };
+}
+function translationsFor(key, locales) {
+  if (!locales) {
+    return void 0;
+  }
+  const result = Object.entries(locales).filter(([, t]) => t[key] !== void 0).map(([lang, t]) => ({ language: lang, value: t[key] }));
+  return result.length > 0 ? result : void 0;
+}
+function imageUri(url) {
+  return typeof url === "string" ? { sourceUri: { uri: url } } : void 0;
+}
+
+// src/providers/google/index.ts
+var CLASS_TYPE = {
+  loyalty: "loyaltyClass",
+  event: "eventTicketClass",
+  flight: "flightClass",
+  coupon: "offerClass",
+  giftCard: "giftCardClass",
+  generic: "genericClass"
+};
+var OBJECT_TYPE = {
+  loyalty: "loyaltyObject",
+  event: "eventTicketObject",
+  flight: "flightObject",
+  coupon: "offerObject",
+  giftCard: "giftCardObject",
+  generic: "genericObject"
+};
+function validateGoogleRequirements(pass) {
+  if (pass.logo !== void 0 && pass.logo instanceof Uint8Array) {
+    throw new WalletError(
+      "GOOGLE_MISSING_LOGO",
+      "Google Wallet logo must be a URL string, not bytes"
+    );
+  }
+  if (pass.type === "flight") {
+    const { carrier, flightNumber, origin, destination } = pass;
+    if (!(carrier && flightNumber && origin && destination)) {
+      throw new WalletError(
+        "GOOGLE_FLIGHT_MISSING_CLASS_FIELDS",
+        "Flight passes require carrier, flightNumber, origin, and destination"
+      );
+    }
+  }
+}
+function buildTextModules(fields, values, excludeSlots) {
+  const modules = [];
+  for (const f of fields) {
+    if (excludeSlots.includes(f.slot)) {
+      continue;
+    }
+    const value = f.key in values ? values[f.key] : f.value;
+    if (value === null || value === void 0) {
+      continue;
+    }
+    modules.push({ header: f.label, body: value, id: f.key });
+  }
+  return modules;
+}
+function buildInfoModuleData(fields, values) {
+  const rows = [];
+  for (const f of fields) {
+    if (f.slot !== "back") {
+      continue;
+    }
+    const value = f.key in values ? values[f.key] : f.value;
+    if (value === null || value === void 0) {
+      continue;
+    }
+    rows.push({ label: f.label, value });
+  }
+  if (rows.length === 0) {
+    return void 0;
+  }
+  return { labelValueRows: rows.map((r) => ({ columns: [r] })) };
+}
+function buildClassTypeFields(pass, locales) {
+  const nameTranslations = translationsFor("name", locales);
+  if (pass.type === "loyalty") {
+    return { programName: pass.name };
+  }
+  if (pass.type === "event") {
+    return {
+      eventName: localized(pass.name, "en-US", nameTranslations),
+      localScheduledStartDateTime: pass.startsAt?.replace("Z", ""),
+      localScheduledEndDateTime: pass.endsAt?.replace("Z", "")
+    };
+  }
+  if (pass.type === "flight") {
+    return {
+      // flightClass represents a single flight — departure time is class-level
+      flightHeader: {
+        carrier: { carrierIataCode: pass.carrier },
+        flightNumber: pass.flightNumber,
+        operatingCarrier: { carrierIataCode: pass.carrier },
+        operatingFlightNumber: pass.flightNumber
+      },
+      localScheduledDepartureDateTime: pass.departure?.replace("Z", ""),
+      origin: pass.origin ? { airportIataCode: pass.origin } : void 0,
+      destination: pass.destination ? {
+        airportIataCode: pass.destination,
+        localScheduledArrivalDateTime: pass.arrival?.replace("Z", "")
+      } : void 0
+    };
+  }
+  if (pass.type === "coupon") {
+    return {
+      title: pass.name,
+      // provider is required by Google offerClass — defaults to the pass name
+      provider: pass.name,
+      redemptionChannel: pass.redemptionChannel.toUpperCase()
+    };
+  }
+  return { cardTitle: localized(pass.name, "en-US", nameTranslations) };
+}
+function buildAppLinkInfo(info) {
+  return {
+    appLogoImage: imageUri(info.logoUrl),
+    title: info.title ? localized(info.title) : void 0,
+    description: info.description ? localized(info.description) : void 0,
+    appTarget: { targetUri: { uri: info.uri } }
+  };
+}
+function buildAppLinkData(d) {
+  return {
+    androidAppLinkInfo: d.android ? buildAppLinkInfo(d.android) : void 0,
+    iosAppLinkInfo: d.ios ? buildAppLinkInfo(d.ios) : void 0,
+    webAppLinkInfo: d.web ? buildAppLinkInfo(d.web) : void 0
+  };
+}
+function buildClassBody(pass) {
+  const logo = imageUri(pass.logo);
+  const wideLogo = imageUri(pass.google?.wideLogo);
+  const hero = imageUri(
+    typeof pass.banner === "string" ? pass.banner : void 0
+  );
+  const body = {
+    ...buildClassTypeFields(pass, pass.locales),
+    hexBackgroundColor: pass.color,
+    issuerName: pass.google?.issuerName ?? pass.name
+  };
+  if (pass.type === "loyalty") {
+    if (logo) {
+      body.programLogo = logo;
+    }
+  } else if (logo) {
+    body.logo = logo;
+  }
+  if (wideLogo) {
+    body.wideProgramBanner = wideLogo;
+  }
+  if (hero) {
+    body.heroImage = hero;
+  }
+  if (pass.type !== "generic") {
+    body.reviewStatus = pass.google?.reviewStatus ?? "UNDER_REVIEW";
+  }
+  if (pass.google?.enableSmartTap) {
+    body.enableSmartTap = pass.google.enableSmartTap;
+  }
+  if (pass.google?.redemptionIssuers) {
+    body.redemptionIssuers = pass.google.redemptionIssuers;
+  }
+  if (pass.google?.messages) {
+    body.messages = pass.google.messages;
+  }
+  if (pass.google?.appLinkData) {
+    body.appLinkData = buildAppLinkData(pass.google.appLinkData);
+  }
+  if (pass.locations?.length) {
+    body.locations = pass.locations.map(({ latitude, longitude }) => ({
+      latitude,
+      longitude
+    }));
+  }
+  return body;
+}
+function buildLoyaltyObjectFields(fields, values) {
+  const resolve = (key) => values[key] ?? fields.find((f) => f.key === key)?.value;
+  const points = resolve("points");
+  const member = resolve("member");
+  const memberId = resolve("memberId");
+  return {
+    loyaltyPoints: points == null ? void 0 : { balance: { string: points } },
+    accountName: member ?? void 0,
+    accountId: memberId ?? void 0
+  };
+}
+function buildFlightObjectFields(_pass, serialNumber, values, warnings) {
+  const passengerName = values.passengerName;
+  if (!passengerName) {
+    warnings.push(
+      "Google flight pass: passengerName not set in values \u2014 passenger name will be blank"
+    );
+  }
+  return {
+    passengerName: passengerName ?? "",
+    reservationInfo: { confirmationCode: serialNumber }
+  };
+}
+function buildGiftCardObjectFields(pass, fields, values) {
+  const raw = values.balance ?? fields.find((f) => f.key === "balance")?.value;
+  return {
+    balance: raw == null ? void 0 : {
+      micros: String(Math.round(Number.parseFloat(raw) * 1e6)),
+      currencyCode: pass.currency ?? "USD"
+    }
+  };
+}
+function buildDisplayFields(fields, values, locales) {
+  const primaryField = fields.find((f) => f.slot === "primary");
+  const primaryValue = primaryField && (primaryField.key in values ? values[primaryField.key] : primaryField.value);
+  const textModules = buildTextModules(fields, values, ["primary", "back"]);
+  return {
+    subheader: primaryField && primaryValue != null ? localized(
+      primaryField.label,
+      "en-US",
+      translationsFor(primaryField.key, locales)
+    ) : void 0,
+    header: primaryField && primaryValue != null ? localized(
+      primaryValue,
+      "en-US",
+      translationsFor(`${primaryField.key}_value`, locales)
+    ) : void 0,
+    textModulesData: textModules.length > 0 ? textModules : void 0,
+    infoModuleData: buildInfoModuleData(fields, values)
+  };
+}
+function buildObjectBody(pass, createConfig, classId, objectId, warnings) {
+  const values = createConfig.values ?? {};
+  const fields = pass.fields;
+  return {
+    id: objectId,
+    classId,
+    state: "ACTIVE",
+    barcode: createConfig.barcode ? {
+      type: toGoogleBarcodeType(createConfig.barcode.format),
+      value: createConfig.barcode.value,
+      alternateText: createConfig.barcode.altText ?? createConfig.barcode.value
+    } : void 0,
+    validTimeInterval: createConfig.validFrom || createConfig.expiresAt ? {
+      start: createConfig.validFrom ? { date: createConfig.validFrom } : void 0,
+      end: createConfig.expiresAt ? { date: createConfig.expiresAt } : void 0
+    } : void 0,
+    // Smart Tap: per-recipient redemption value sent to NFC terminals
+    smartTapRedemptionValue: createConfig.google?.smartTapRedemptionValue,
+    // Rotating barcode replaces the static barcode when set
+    rotatingBarcode: createConfig.google?.rotatingBarcode,
+    // Per-recipient messages
+    messages: createConfig.google?.messages,
+    ...pass.type === "loyalty" && buildLoyaltyObjectFields(fields, values),
+    ...pass.type === "flight" && buildFlightObjectFields(
+      pass,
+      createConfig.serialNumber,
+      values,
+      warnings
+    ),
+    ...pass.type === "giftCard" && buildGiftCardObjectFields(pass, fields, values),
+    // genericObject requires cardTitle in the object body (in addition to the class)
+    ...pass.type === "generic" && {
+      cardTitle: localized(
+        pass.name,
+        "en-US",
+        translationsFor("name", pass.locales)
+      )
+    },
+    ...buildDisplayFields(fields, values, pass.locales)
+  };
+}
+async function generateGooglePass(pass, createConfig, credentials) {
+  const warnings = [];
+  validateGoogleRequirements(pass);
+  const privateKey = await importGoogleKey(credentials);
+  const classType = CLASS_TYPE[pass.type];
+  const objectType = OBJECT_TYPE[pass.type];
+  const classId = `${credentials.issuerId}.${pass.id}`;
+  const objectId = `${credentials.issuerId}.${createConfig.serialNumber}`;
+  const classBody = buildClassBody(pass);
+  await ensureClass(classType, classId, classBody, credentials, privateKey);
+  const objectBody = buildObjectBody(
+    pass,
+    createConfig,
+    classId,
+    objectId,
+    warnings
+  );
+  const objectsKey = objectType.replace("Object", "Objects");
+  const payload = {
+    iss: credentials.clientEmail,
+    aud: "google",
+    typ: "savetowallet",
+    iat: Math.floor(Date.now() / 1e3),
+    payload: {
+      [objectsKey]: [objectBody]
+    }
+  };
+  const { SignJWT: SignJWT2 } = await import('jose');
+  const jwt = await new SignJWT2(payload).setProtectedHeader({ alg: "RS256" }).sign(privateKey);
+  return { pass: jwt, warnings };
+}
+async function updateGooglePass(pass, createConfig, credentials) {
+  const privateKey = await importGoogleKey(credentials);
+  const objectType = OBJECT_TYPE[pass.type];
+  const classId = `${credentials.issuerId}.${pass.id}`;
+  const objectId = `${credentials.issuerId}.${createConfig.serialNumber}`;
+  const patch = buildObjectBody(pass, createConfig, classId, objectId, []);
+  await patchObject(objectType, objectId, patch, credentials, privateKey);
+}
+async function deleteGooglePass(pass, serialNumber, credentials) {
+  const privateKey = await importGoogleKey(credentials);
+  const objectType = OBJECT_TYPE[pass.type];
+  const objectId = `${credentials.issuerId}.${serialNumber}`;
+  await deleteObject(objectType, objectId, credentials, privateKey);
+}
+async function expireGooglePass(pass, serialNumber, credentials) {
+  const privateKey = await importGoogleKey(credentials);
+  const objectType = OBJECT_TYPE[pass.type];
+  const objectId = `${credentials.issuerId}.${serialNumber}`;
+  await patchObject(
+    objectType,
+    objectId,
+    { state: "EXPIRED" },
+    credentials,
+    privateKey
+  );
+}
+var hexColor = z.string().regex(/^#[0-9a-fA-F]{6}$/, 'must be a 6-digit hex color like "#1a1a1a"').optional();
+var BCP47_RE = /^[a-z]{2,3}(-[A-Za-z0-9]+)*$/;
+var localeCodeSchema = z.string().regex(
+  BCP47_RE,
+  'must be a BCP 47 language tag (e.g. "en-US", "es", "zh-Hans")'
+);
+var imageValue = z.union([
+  z.url(),
+  z.custom((v) => v instanceof Uint8Array)
+]);
+var imageSet = z.union([
+  imageValue,
+  z.object({
+    base: imageValue,
+    retina: imageValue.optional(),
+    superRetina: imageValue.optional()
+  })
+]).optional();
+var dateStyleSchema = z.enum([
+  "none",
+  "short",
+  "medium",
+  "long",
+  "full"
+]);
+var numberStyleSchema = z.enum([
+  "decimal",
+  "percent",
+  "scientific",
+  "spellOut"
+]);
+var textAlignmentSchema = z.enum([
+  "left",
+  "center",
+  "right",
+  "natural"
+]);
+var fieldDefSchema = z.object({
+  // Apple: headerFields / primaryFields / secondaryFields / auxiliaryFields / backFields
+  // Google: primary → subheader (label) + header (value), others → textModulesData
+  slot: z.enum(["header", "primary", "secondary", "auxiliary", "back"]),
+  key: z.string(),
+  label: z.string(),
+  value: z.string().optional(),
+  changeMessage: z.string().optional(),
+  dateStyle: dateStyleSchema.optional(),
+  timeStyle: dateStyleSchema.optional(),
+  numberStyle: numberStyleSchema.optional(),
+  currencyCode: z.string().optional(),
+  textAlignment: textAlignmentSchema.optional(),
+  row: z.union([z.literal(0), z.literal(1)]).optional()
+});
+var barcodeFormatSchema = z.enum(["QR", "PDF417", "Aztec", "Code128"]);
+var barcodeSchema = z.object({
+  format: barcodeFormatSchema.default("QR"),
+  value: z.string().min(1, "barcode.value must not be empty"),
+  altText: z.string().optional()
+});
+var beaconSchema = z.object({
+  // Required: device UUID of the Bluetooth Low Energy beacon
+  proximityUUID: z.uuid(),
+  // 16-bit major value to narrow the region of the beacon
+  major: z.number().int().min(0).max(65535).optional(),
+  // 16-bit minor value to further narrow the region of the beacon
+  minor: z.number().int().min(0).max(65535).optional(),
+  // Text shown on lock screen when the pass becomes relevant near this beacon
+  relevantText: z.string().optional()
+});
+var relevantDateSchema = z.object({
+  startDate: z.iso.datetime({
+    message: 'must be an ISO datetime e.g. "2024-06-01T20:00:00Z"'
+  }),
+  endDate: z.iso.datetime({
+    message: 'must be an ISO datetime e.g. "2024-06-01T23:00:00Z"'
+  }).optional()
+});
+var appleOptionsSchema = z.object({
+  // Required by Apple Wallet — validated at create() time
+  icon: imageSet,
+  // Apple-only image slots
+  background: imageSet,
+  thumbnail: imageSet,
+  footer: imageSet,
+  // Apple: description (shown in Wallet list view, defaults to pass name)
+  description: z.string().optional(),
+  // Apple: logoText (text shown next to the logo, not for poster event tickets)
+  logoText: z.string().optional(),
+  // Apple: foregroundColor (text color), labelColor (label text color)
+  foregroundColor: hexColor,
+  labelColor: hexColor,
+  // Deprecated — use relevantDates instead
+  relevantDate: z.iso.datetime({
+    message: 'must be an ISO datetime e.g. "2024-06-01T20:00:00Z"'
+  }).optional(),
+  // Date intervals during which the pass is relevant (replaces relevantDate)
+  relevantDates: z.array(relevantDateSchema).optional(),
+  // Groups passes of the same type into a single stack in Wallet
+  groupingIdentifier: z.string().optional(),
+  // Disables the glossy shine effect rendered over strip images
+  suppressStripShine: z.boolean().optional(),
+  // NFC payload — message is passed to the contactless reader on tap
+  nfc: z.object({
+    message: z.string(),
+    // Public key used to encrypt the NFC payload (Base64-encoded X.509)
+    encryptionPublicKey: z.string().optional()
+  }).optional(),
+  // Deep link opened when the user taps "Open" on the pass (requires associatedStoreIdentifiers)
+  appLaunchURL: z.url().optional(),
+  // App Store app IDs — adds an "Open" button that launches your app from Wallet
+  associatedStoreIdentifiers: z.array(z.number().int().positive()).optional(),
+  // Maximum distance in meters from a location at which the pass is shown
+  maxDistance: z.number().positive().optional(),
+  // Removes the Share button from the back of the pass
+  sharingProhibited: z.boolean().optional(),
+  // Arbitrary JSON passed to your companion app via NFC or URL — not shown to users
+  userInfo: z.record(z.string(), z.unknown()).optional(),
+  // URL for a web service that receives push update notifications for this pass
+  webServiceURL: z.url().optional(),
+  // Authentication token sent with web service requests (required with webServiceURL)
+  authenticationToken: z.string().min(16).optional(),
+  // Bluetooth LE beacons that trigger lock screen relevance
+  beacons: z.array(beaconSchema).optional()
+});
+var appleEventOptionsSchema = appleOptionsSchema.extend({
+  // Text next to the logo on poster event tickets (use logoText for standard event tickets)
+  eventLogoText: z.string().optional(),
+  // Background color for the footer bar on poster event tickets
+  footerBackgroundColor: hexColor,
+  // Disables the header darkening gradient on poster event tickets
+  suppressHeaderDarkening: z.boolean().optional(),
+  // Derives foreground and label colors from the background image (poster event tickets only)
+  useAutomaticColors: z.boolean().optional(),
+  // Schemes to validate the pass against (falls back to designed type if all fail)
+  preferredStyleSchemes: z.array(z.string()).optional(),
+  // Additional App Store app IDs shown in the event guide (poster event tickets only)
+  auxiliaryStoreIdentifiers: z.array(z.number().int().positive()).optional(),
+  // Poster event ticket action URLs
+  accessibilityURL: z.url().optional(),
+  addOnURL: z.url().optional(),
+  bagPolicyURL: z.url().optional(),
+  contactVenueEmail: z.email().optional(),
+  contactVenuePhoneNumber: z.string().optional(),
+  contactVenueWebsite: z.url().optional(),
+  directionsInformationURL: z.url().optional(),
+  merchandiseURL: z.url().optional(),
+  orderFoodURL: z.url().optional(),
+  parkingInformationURL: z.url().optional(),
+  purchaseParkingURL: z.url().optional(),
+  sellURL: z.url().optional(),
+  transferURL: z.url().optional(),
+  transitInformationURL: z.url().optional()
+});
+var appleFlightOptionsSchema = appleOptionsSchema.extend({
+  changeSeatURL: z.url().optional(),
+  entertainmentURL: z.url().optional(),
+  managementURL: z.url().optional(),
+  purchaseAdditionalBaggageURL: z.url().optional(),
+  purchaseLoungeAccessURL: z.url().optional(),
+  purchaseWifiURL: z.url().optional(),
+  registerServiceAnimalURL: z.url().optional(),
+  reportLostBagURL: z.url().optional(),
+  requestWheelchairURL: z.url().optional(),
+  trackBagsURL: z.url().optional(),
+  transitProviderEmail: z.email().optional(),
+  transitProviderPhoneNumber: z.string().optional(),
+  transitProviderWebsiteURL: z.url().optional(),
+  upgradeURL: z.url().optional()
+});
+var googleMessageSchema = z.object({
+  header: z.string(),
+  body: z.string(),
+  id: z.string().optional(),
+  // TEXT (default), expireNotification, or TEXT_AND_NOTIFY (push + in-app)
+  messageType: z.enum(["TEXT", "expireNotification", "TEXT_AND_NOTIFY"]).default("TEXT"),
+  displayInterval: z.object({
+    start: z.object({ date: z.iso.datetime() }).optional(),
+    end: z.object({ date: z.iso.datetime() }).optional()
+  }).optional()
+});
+var googleRotatingBarcodeSchema = z.object({
+  type: z.enum(["QR_CODE", "PDF_417", "AZTEC", "CODE_128"]).default("QR_CODE"),
+  // Pattern containing the TOTP placeholder, e.g. "https://example.com/redeem/{totp_value_hex}"
+  valuePattern: z.string().min(1, "rotatingBarcode.valuePattern must not be empty"),
+  totpDetails: z.object({
+    periodMillis: z.string().default("30000"),
+    algorithm: z.literal("TOTP_SHA1").default("TOTP_SHA1"),
+    parameters: z.array(
+      z.object({
+        key: z.string(),
+        valueLength: z.number().int().min(1).max(8)
+      })
+    )
+  }),
+  renderEncoding: z.literal("UTF_8").optional()
+});
+var googleAppLinkInfoSchema = z.object({
+  // Deep link URI (e.g. intent:// for Android, https:// scheme for iOS universal links)
+  uri: z.url(),
+  title: z.string().optional(),
+  description: z.string().optional(),
+  logoUrl: z.url().optional()
+});
+var googleAppLinkDataSchema = z.object({
+  android: googleAppLinkInfoSchema.optional(),
+  ios: googleAppLinkInfoSchema.optional(),
+  web: googleAppLinkInfoSchema.optional()
+});
+var googleOptionsSchema = z.object({
+  // Google: wideLogo — wider variant of the logo shown on some pass layouts
+  wideLogo: z.url().optional(),
+  // Google: issuerName — displayed as the pass issuer
+  issuerName: z.string().optional(),
+  // Required by Google for loyalty, event, flight, coupon, and giftCard classes.
+  // "UNDER_REVIEW" is the default for new classes; set to "APPROVED" once approved in the console.
+  reviewStatus: z.enum(["UNDER_REVIEW", "APPROVED", "REJECTED", "DRAFT"]).default("UNDER_REVIEW"),
+  // Smart Tap NFC — enable tap-to-redeem at supported terminals
+  enableSmartTap: z.boolean().optional(),
+  // Smart Tap issuer IDs allowed to redeem this pass (required when enableSmartTap is true)
+  redemptionIssuers: z.array(z.string()).optional(),
+  // Class-level info messages shown inside the pass view for all holders
+  messages: z.array(googleMessageSchema).optional(),
+  // App link shown on the pass to open a companion app
+  appLinkData: googleAppLinkDataSchema.optional()
+});
+var locationSchema = z.object({
+  latitude: z.number(),
+  longitude: z.number(),
+  // Apple: altitude in meters above sea level (optional)
+  altitude: z.number().optional(),
+  // Apple: text shown on lock screen when the pass becomes relevant near this location
+  // Google: no equivalent — ignored
+  relevantText: z.string().optional()
+});
+var basePassSchema = z.object({
+  // Apple: description (pass name shown in Wallet list)
+  // Google: cardTitle
+  id: z.string().min(1, "PassConfig missing: id"),
+  name: z.string().min(1, "PassConfig missing: name"),
+  // Apple: backgroundColor
+  // Google: hexBackgroundColor
+  color: hexColor,
+  // Shared logo image.
+  // Apple: logo (accepts bytes or URL)
+  // Google: logo (URL only — validated at create() time)
+  logo: imageSet,
+  // Shared banner image — same visual purpose, different placement per platform.
+  // Apple: strip (shown behind the fields, top of pass)
+  // Google: hero (shown at the bottom of the pass)
+  banner: imageSet,
+  // Geo-relevance — show pass on lock screen when near these coordinates.
+  // Apple: locations[] — up to 10 entries
+  // Google: locations[] — up to 20 entries
+  locations: z.array(locationSchema).optional(),
+  // Display fields — use field.primary(), field.secondary(), etc.
+  // Apple: maps to headerFields / primaryFields / secondaryFields / auxiliaryFields / backFields
+  // Google: primary → subheader + header, all others → textModulesData
+  fields: z.array(fieldDefSchema).default([]),
+  // Translations for field labels and pass-level strings.
+  // Keys are field keys (matching field.key) or the reserved key "name" for the pass title.
+  // Use "fieldKey_value" to translate a field's static default value.
+  // Apple: generates {language}.lproj/pass.strings files in the .pkpass zip.
+  // Google: adds translatedValues to LocalizedString objects.
+  locales: z.record(localeCodeSchema, z.record(z.string(), z.string())).optional(),
+  apple: appleOptionsSchema.optional(),
+  google: googleOptionsSchema.optional()
+});
+var loyaltyPassSchema = basePassSchema.extend({
+  type: z.literal("loyalty")
+  // No extra structured props — Google maps field keys by convention:
+  // "points" → loyaltyPoints, "member" → accountName, "memberId" → accountId
+});
+var eventPassSchema = basePassSchema.extend({
+  type: z.literal("event"),
+  // Apple: relevant date for lock screen suggestion
+  // Google: localScheduledStartDateTime (required for eventTicketClass)
+  startsAt: z.iso.datetime({
+    message: 'must be an ISO datetime e.g. "2024-06-01T20:00:00Z"'
+  }).optional(),
+  endsAt: z.iso.datetime({
+    message: 'must be an ISO datetime e.g. "2024-06-01T23:00:00Z"'
+  }).optional()
+}).extend({ apple: appleEventOptionsSchema.optional() });
+var flightPassSchema = basePassSchema.extend({
+  type: z.literal("flight"),
+  // Apple: transitType (required for boardingPass layout, defaults to "air")
+  // Google: inferred from flightHeader
+  transitType: z.enum(["air", "train", "bus", "boat"]).optional(),
+  // Required by Google flightClass — IATA codes and datetimes
+  // Apple: shown as display fields; provider maps these to the correct slots
+  carrier: z.string().regex(
+    /^[A-Z0-9]{2}$/,
+    'must be a 2-character IATA carrier code e.g. "AA"'
+  ).optional(),
+  flightNumber: z.string().regex(/^\d{1,4}[A-Z]?$/, 'must be a flight number e.g. "100" or "1234A"').optional(),
+  origin: z.string().regex(/^[A-Z]{3}$/, 'must be a 3-letter IATA airport code e.g. "JFK"').optional(),
+  destination: z.string().regex(/^[A-Z]{3}$/, 'must be a 3-letter IATA airport code e.g. "LAX"').optional(),
+  departure: z.iso.datetime({
+    message: 'must be an ISO datetime e.g. "2024-06-01T08:00:00Z"'
+  }).optional(),
+  arrival: z.iso.datetime({
+    message: 'must be an ISO datetime e.g. "2024-06-01T11:30:00Z"'
+  }).optional()
+  // passengerName is per-recipient — pass in values at create() time
+}).extend({ apple: appleFlightOptionsSchema.optional() });
+var couponPassSchema = basePassSchema.extend({
+  type: z.literal("coupon"),
+  // Google: redemptionChannel (required for offerClass)
+  // Apple: no equivalent — ignored
+  // Defaults to "both" — Google requires this field for offerClass
+  redemptionChannel: z.enum(["online", "instore", "both"]).default("both")
+});
+var giftCardPassSchema = basePassSchema.extend({
+  type: z.literal("giftCard"),
+  // Google: balance.currencyCode (needed to format the balance amount)
+  // Apple: use currencyCode on the balance field definition instead
+  currency: z.string().regex(/^[A-Z]{3}$/, 'must be a 3-letter ISO 4217 currency code e.g. "USD"').optional()
+});
+var genericPassSchema = basePassSchema.extend({
+  type: z.literal("generic")
+  // No extra structured props — full control via fields
+});
+var passConfigSchema = z.discriminatedUnion("type", [
+  loyaltyPassSchema,
+  eventPassSchema,
+  flightPassSchema,
+  couponPassSchema,
+  giftCardPassSchema,
+  genericPassSchema
+]);
+var createConfigSchema = z.object({
+  serialNumber: z.string().min(1, "CreateConfig missing: serialNumber"),
+  barcode: barcodeSchema.optional(),
+  // Apple: no equivalent — ignored
+  // Google: validTimeInterval.start
+  validFrom: z.iso.datetime({
+    message: 'must be an ISO datetime e.g. "2024-01-01T00:00:00Z"'
+  }).optional(),
+  expiresAt: z.iso.datetime({
+    message: 'must be an ISO datetime e.g. "2025-01-01T00:00:00Z"'
+  }).optional(),
+  // Per-recipient field values. null hides the field for this recipient.
+  values: z.record(z.string(), z.string().nullable()).optional(),
+  // Apple-specific per-recipient options.
+  apple: z.object({
+    // Mark this issued pass as void. Displays a "Void" banner on the pass.
+    // For Google, use pass.expire() instead — it transitions state via the API.
+    voided: z.boolean().optional()
+  }).optional(),
+  // Google-specific per-recipient options.
+  google: z.object({
+    // Smart Tap NFC value for this specific pass holder (required when enableSmartTap is true)
+    smartTapRedemptionValue: z.string().optional(),
+    // TOTP rotating barcode — replaces the static barcode for this pass holder
+    rotatingBarcode: googleRotatingBarcodeSchema.optional(),
+    // Per-recipient info messages shown inside the pass view
+    messages: z.array(googleMessageSchema).optional()
+  }).optional()
+});
+
+// src/pass.ts
+function resolveOptions(arg) {
+  if (arg === void 0) {
+    return void 0;
+  }
+  return typeof arg === "string" ? { value: arg } : arg;
+}
+var field = {
+  /** Top-right of the pass. Compact — typically one field. */
+  header: (key, label, arg) => ({
+    slot: "header",
+    key,
+    label,
+    ...resolveOptions(arg)
+  }),
+  /** Large, prominent area. Apple: primaryFields. Google: subheader (label) + header (value). */
+  primary: (key, label, arg) => ({
+    slot: "primary",
+    key,
+    label,
+    ...resolveOptions(arg)
+  }),
+  /** Below primary. Apple: secondaryFields. Google: textModulesData. */
+  secondary: (key, label, arg) => ({
+    slot: "secondary",
+    key,
+    label,
+    ...resolveOptions(arg)
+  }),
+  /** Below secondary. Supports two rows via { row: 0 | 1 }. Apple: auxiliaryFields. Google: textModulesData. */
+  auxiliary: (key, label, arg) => ({
+    slot: "auxiliary",
+    key,
+    label,
+    ...resolveOptions(arg)
+  }),
+  /** Back of the pass — hidden by default. Apple: backFields. Google: infoModuleData. */
+  back: (key, label, arg) => ({
+    slot: "back",
+    key,
+    label,
+    ...resolveOptions(arg)
+  })
+};
+function validatePassConfig(config) {
+  const result = passConfigSchema.safeParse(config);
+  if (!result.success) {
+    throw new WalletError(
+      "PASS_CONFIG_INVALID",
+      result.error.issues[0]?.message
+    );
+  }
+}
+function validateCreateConfig(config) {
+  const result = createConfigSchema.safeParse(config);
+  if (!result.success) {
+    throw new WalletError(
+      "CREATE_CONFIG_INVALID",
+      result.error.issues[0]?.message
+    );
+  }
+}
+var Pass = class {
+  config;
+  credentials;
+  constructor(config, credentials) {
+    validatePassConfig(config);
+    this.config = config;
+    this.credentials = credentials;
+  }
+  async create(createConfig) {
+    validateCreateConfig(createConfig);
+    const [appleResult, googleResult] = await Promise.allSettled([
+      this.credentials.apple ? generateApplePass(this.config, createConfig, this.credentials.apple) : Promise.resolve({ pass: null, warnings: [] }),
+      this.credentials.google ? generateGooglePass(this.config, createConfig, this.credentials.google) : Promise.resolve({ pass: null, warnings: [] })
+    ]);
+    if (appleResult.status === "rejected") {
+      throw appleResult.reason;
+    }
+    if (googleResult.status === "rejected") {
+      throw googleResult.reason;
+    }
+    return {
+      apple: appleResult.value.pass,
+      google: googleResult.value.pass,
+      warnings: [...appleResult.value.warnings, ...googleResult.value.warnings]
+    };
+  }
+  // Update an existing pass. For Google: PATCHes the object via the Wallet REST API.
+  async update(createConfig) {
+    validateCreateConfig(createConfig);
+    if (this.credentials.google) {
+      await updateGooglePass(
+        this.config,
+        createConfig,
+        this.credentials.google
+      );
+    }
+  }
+  // Delete a pass. For Google: permanently removes the object via the Wallet REST API.
+  // Apple passes cannot be remotely deleted — use expire() to invalidate them instead.
+  async delete(serialNumber) {
+    if (this.credentials.google) {
+      await deleteGooglePass(
+        this.config,
+        serialNumber,
+        this.credentials.google
+      );
+    }
+  }
+  // Expire a pass. For Google: sets object state to EXPIRED via the Wallet REST API.
+  // Apple passes expire automatically when expiresAt is reached.
+  async expire(serialNumber) {
+    if (this.credentials.google) {
+      await expireGooglePass(
+        this.config,
+        serialNumber,
+        this.credentials.google
+      );
+    }
+  }
+};
+
+// src/wallet.ts
+var Wallet = class {
+  credentials;
+  constructor(credentials) {
+    this.credentials = credentials;
+  }
+  loyalty(config) {
+    return new Pass({ ...config, type: "loyalty" }, this.credentials);
+  }
+  event(config) {
+    return new Pass({ ...config, type: "event" }, this.credentials);
+  }
+  flight(config) {
+    return new Pass({ ...config, type: "flight" }, this.credentials);
+  }
+  coupon(config) {
+    return new Pass({ ...config, type: "coupon" }, this.credentials);
+  }
+  giftCard(config) {
+    return new Pass({ ...config, type: "giftCard" }, this.credentials);
+  }
+  generic(config) {
+    return new Pass({ ...config, type: "generic" }, this.credentials);
+  }
+};
+
+export { Pass, WALLET_ERROR_CODES, Wallet, WalletError, field };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map