pipework 0.1.2 → 0.1.3

package/dist/webhook/namespace.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"namespace.js","sourceRoot":"","sources":["../../src/webhook/namespace.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAA;AACnD,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,aAAa,CAAA;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AACvC,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAA;AAErD,MAAM,CAAC,MAAM,OAAO,GAAG;IACrB,aAAa,EAAE,oBAAoB;IACnC,cAAc,EAAE,qBAAqB;IAErC,MAAM,EAAE;QACN,IAAI,EAAE,YAAY;QAClB,MAAM,EAAE,cAAc;QACtB,MAAM,EAAE,cAAc;KACvB;IAED,IAAI,EAAE,WAAW;CACT,CAAA"}

package/dist/webhook/outbound.d.ts

@@ -0,0 +1,48 @@
+import type { DB } from '../db/index.js';
+import { type WebhookSignatureOptions } from './sign.js';
+export interface OutboundWebhookConfig {
+    table?: string;
+    deliveryTable?: string;
+    signing?: WebhookSignatureOptions;
+    retry?: {
+        maxAttempts?: number;
+        initialDelayMs?: number;
+        maxDelayMs?: number;
+    };
+    timeoutMs?: number;
+}
+export interface WebhookEndpoint {
+    id: string;
+    tenantId: string;
+    url: string;
+    secret: string;
+    events: string[];
+    active: boolean;
+}
+export interface DeliveryAttempt {
+    id: string;
+    endpointId: string;
+    tenantId: string;
+    eventType: string;
+    payload: unknown;
+    statusCode: number | null;
+    responseBody: string | null;
+    attempt: number;
+    maxAttempts: number;
+    nextRetryAt: Date | null;
+    createdAt: Date;
+}
+export interface OutboundWebhook {
+    ensureTables(db: DB): Promise<void>;
+    send(db: DB, tenantId: string, eventType: string, payload: unknown): Promise<string[]>;
+    deliver(db: DB, deliveryId: string): Promise<{
+        success: boolean;
+        statusCode: number | null;
+    }>;
+    processPending(db: DB): Promise<number>;
+    registerEndpoint(db: DB, endpoint: Omit<WebhookEndpoint, 'id'>): Promise<string>;
+    listEndpoints(db: DB, tenantId: string): Promise<WebhookEndpoint[]>;
+    removeEndpoint(db: DB, tenantId: string, endpointId: string): Promise<boolean>;
+}
+export declare function createOutboundWebhook(config?: OutboundWebhookConfig): OutboundWebhook;
+//# sourceMappingURL=outbound.d.ts.map

package/dist/webhook/outbound.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"outbound.d.ts","sourceRoot":"","sources":["../../src/webhook/outbound.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,gBAAgB,CAAA;AACxC,OAAO,EAAe,KAAK,uBAAuB,EAAE,MAAM,WAAW,CAAA;AAErE,MAAM,WAAW,qBAAqB;IACpC,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,OAAO,CAAC,EAAE,uBAAuB,CAAA;IACjC,KAAK,CAAC,EAAE;QACN,WAAW,CAAC,EAAE,MAAM,CAAA;QACpB,cAAc,CAAC,EAAE,MAAM,CAAA;QACvB,UAAU,CAAC,EAAE,MAAM,CAAA;KACpB,CAAA;IACD,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAA;IACV,QAAQ,EAAE,MAAM,CAAA;IAChB,GAAG,EAAE,MAAM,CAAA;IACX,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,EAAE,MAAM,EAAE,CAAA;IAChB,MAAM,EAAE,OAAO,CAAA;CAChB;AAED,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAA;IACV,UAAU,EAAE,MAAM,CAAA;IAClB,QAAQ,EAAE,MAAM,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,OAAO,CAAA;IAChB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;IACzB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAA;IAC3B,OAAO,EAAE,MAAM,CAAA;IACf,WAAW,EAAE,MAAM,CAAA;IACnB,WAAW,EAAE,IAAI,GAAG,IAAI,CAAA;IACxB,SAAS,EAAE,IAAI,CAAA;CAChB;AAED,MAAM,WAAW,eAAe;IAC9B,YAAY,CAAC,EAAE,EAAE,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACnC,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAA;IACtF,OAAO,CAAC,EAAE,EAAE,EAAE,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC,CAAA;IAC7F,cAAc,CAAC,EAAE,EAAE,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;IACvC,gBAAgB,CAAC,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,eAAe,EAAE,IAAI,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;IAChF,aAAa,CAAC,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC,CAAA;IACnE,cAAc,CAAC,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;CAC/E;AAWD,wBAAgB,qBAAqB,CAAC,MAAM,GAAE,qBAA0B,GAAG,eAAe,CAqLzF"}

package/dist/webhook/outbound.js

@@ -0,0 +1,160 @@
+import { sql } from '../db/sql.js';
+import { signPayload } from './sign.js';
+const DEFAULTS = {
+    table: '__pipework_webhook_endpoints',
+    deliveryTable: '__pipework_webhook_deliveries',
+    maxAttempts: 5,
+    initialDelayMs: 1000,
+    maxDelayMs: 3_600_000,
+    timeoutMs: 30_000,
+};
+export function createOutboundWebhook(config = {}) {
+    const endpointTable = config.table ?? DEFAULTS.table;
+    const deliveryTable = config.deliveryTable ?? DEFAULTS.deliveryTable;
+    const maxAttempts = config.retry?.maxAttempts ?? DEFAULTS.maxAttempts;
+    const initialDelayMs = config.retry?.initialDelayMs ?? DEFAULTS.initialDelayMs;
+    const maxDelayMs = config.retry?.maxDelayMs ?? DEFAULTS.maxDelayMs;
+    const timeoutMs = config.timeoutMs ?? DEFAULTS.timeoutMs;
+    const signingOptions = config.signing ?? {};
+    return {
+        async ensureTables(db) {
+            await db.execute(sql.raw(`
+        CREATE TABLE IF NOT EXISTS ${endpointTable} (
+          id TEXT NOT NULL PRIMARY KEY DEFAULT gen_random_uuid()::text,
+          tenant_id TEXT NOT NULL,
+          url TEXT NOT NULL,
+          secret TEXT NOT NULL,
+          events TEXT[] NOT NULL DEFAULT '{}',
+          active BOOLEAN NOT NULL DEFAULT true,
+          created_at TIMESTAMPTZ NOT NULL DEFAULT now()
+        )
+      `));
+            await db.execute(sql.raw(`
+        CREATE TABLE IF NOT EXISTS ${deliveryTable} (
+          id TEXT NOT NULL PRIMARY KEY DEFAULT gen_random_uuid()::text,
+          endpoint_id TEXT NOT NULL,
+          tenant_id TEXT NOT NULL,
+          event_type TEXT NOT NULL,
+          payload JSONB NOT NULL,
+          status_code INTEGER,
+          response_body TEXT,
+          attempt INTEGER NOT NULL DEFAULT 0,
+          max_attempts INTEGER NOT NULL,
+          next_retry_at TIMESTAMPTZ,
+          completed_at TIMESTAMPTZ,
+          created_at TIMESTAMPTZ NOT NULL DEFAULT now()
+        )
+      `));
+        },
+        async send(db, tenantId, eventType, payload) {
+            const endpoints = await db.execute(sql `SELECT id, url, secret FROM ${sql.raw(endpointTable)}
+            WHERE tenant_id = ${tenantId}
+              AND active = true
+              AND (events = '{}' OR ${eventType} = ANY(events))`);
+            const deliveryIds = [];
+            for (const row of endpoints) {
+                const result = await db.execute(sql `INSERT INTO ${sql.raw(deliveryTable)} (endpoint_id, tenant_id, event_type, payload, max_attempts, next_retry_at)
+              VALUES (${row.id}, ${tenantId}, ${eventType}, ${JSON.stringify(payload)}, ${maxAttempts}, now())
+              RETURNING id`);
+                const inserted = result[0];
+                if (inserted !== undefined)
+                    deliveryIds.push(inserted.id);
+            }
+            return deliveryIds;
+        },
+        async deliver(db, deliveryId) {
+            const rows = await db.execute(sql `SELECT d.id, d.endpoint_id, d.event_type, d.payload, d.attempt, d.max_attempts,
+                   e.url, e.secret
+            FROM ${sql.raw(deliveryTable)} d
+            JOIN ${sql.raw(endpointTable)} e ON e.id = d.endpoint_id
+            WHERE d.id = ${deliveryId} AND d.completed_at IS NULL`);
+            const delivery = rows[0];
+            if (delivery === undefined)
+                return { success: false, statusCode: null };
+            const attempt = delivery['attempt'] + 1;
+            const signed = signPayload(delivery['payload'], delivery['secret'], signingOptions);
+            let statusCode = null;
+            let responseBody = null;
+            let success = false;
+            try {
+                const controller = new AbortController();
+                const timer = setTimeout(() => controller.abort(), timeoutMs);
+                const response = await fetch(delivery['url'], {
+                    method: 'POST',
+                    headers: {
+                        'Content-Type': 'application/json',
+                        'X-Webhook-Id': signed.messageId,
+                        'X-Webhook-Timestamp': signed.timestamp.toString(),
+                        'X-Webhook-Signature': signed.signature,
+                    },
+                    body: signed.body,
+                    signal: controller.signal,
+                });
+                clearTimeout(timer);
+                statusCode = response.status;
+                responseBody = await response.text().catch(() => null);
+                success = statusCode >= 200 && statusCode < 300;
+            }
+            catch {
+                statusCode = null;
+                responseBody = null;
+                success = false;
+            }
+            if (success || attempt >= delivery['max_attempts']) {
+                await db.execute(sql `UPDATE ${sql.raw(deliveryTable)}
+              SET attempt = ${attempt}, status_code = ${statusCode},
+                  response_body = ${responseBody}, completed_at = now(), next_retry_at = NULL
+              WHERE id = ${deliveryId}`);
+            }
+            else {
+                const delayMs = Math.min(initialDelayMs * Math.pow(2, attempt - 1), maxDelayMs);
+                const nextRetry = new Date(Date.now() + delayMs);
+                await db.execute(sql `UPDATE ${sql.raw(deliveryTable)}
+              SET attempt = ${attempt}, status_code = ${statusCode},
+                  response_body = ${responseBody}, next_retry_at = ${nextRetry.toISOString()}
+              WHERE id = ${deliveryId}`);
+            }
+            return { success, statusCode };
+        },
+        async processPending(db) {
+            const rows = await db.execute(sql `SELECT id FROM ${sql.raw(deliveryTable)}
+            WHERE completed_at IS NULL AND next_retry_at <= now()
+            ORDER BY next_retry_at ASC
+            LIMIT 100`);
+            let processed = 0;
+            for (const row of rows) {
+                await this.deliver(db, row.id);
+                processed++;
+            }
+            return processed;
+        },
+        async registerEndpoint(db, endpoint) {
+            const rows = await db.execute(sql `INSERT INTO ${sql.raw(endpointTable)} (tenant_id, url, secret, events, active)
+            VALUES (${endpoint.tenantId}, ${endpoint.url}, ${endpoint.secret},
+                    ${`{${endpoint.events.join(',')}}`}, ${endpoint.active})
+            RETURNING id`);
+            return (rows[0]).id;
+        },
+        async listEndpoints(db, tenantId) {
+            const rows = await db.execute(sql `SELECT id, tenant_id, url, secret, events, active
+            FROM ${sql.raw(endpointTable)}
+            WHERE tenant_id = ${tenantId}
+            ORDER BY created_at ASC`);
+            return rows.map(row => ({
+                id: row['id'],
+                tenantId: row['tenant_id'],
+                url: row['url'],
+                secret: row['secret'],
+                events: row['events'],
+                active: row['active'],
+            }));
+        },
+        async removeEndpoint(db, tenantId, endpointId) {
+            const rows = await db.execute(sql `DELETE FROM ${sql.raw(endpointTable)}
+            WHERE id = ${endpointId} AND tenant_id = ${tenantId}
+            RETURNING id`);
+            return rows.length > 0;
+        },
+    };
+}
+//# sourceMappingURL=outbound.js.map

package/dist/webhook/outbound.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"outbound.js","sourceRoot":"","sources":["../../src/webhook/outbound.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAA;AAElC,OAAO,EAAE,WAAW,EAAgC,MAAM,WAAW,CAAA;AA+CrE,MAAM,QAAQ,GAAG;IACf,KAAK,EAAE,8BAA8B;IACrC,aAAa,EAAE,+BAA+B;IAC9C,WAAW,EAAE,CAAC;IACd,cAAc,EAAE,IAAI;IACpB,UAAU,EAAE,SAAS;IACrB,SAAS,EAAE,MAAM;CACT,CAAA;AAEV,MAAM,UAAU,qBAAqB,CAAC,SAAgC,EAAE;IACtE,MAAM,aAAa,GAAG,MAAM,CAAC,KAAK,IAAI,QAAQ,CAAC,KAAK,CAAA;IACpD,MAAM,aAAa,GAAG,MAAM,CAAC,aAAa,IAAI,QAAQ,CAAC,aAAa,CAAA;IACpE,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,EAAE,WAAW,IAAI,QAAQ,CAAC,WAAW,CAAA;IACrE,MAAM,cAAc,GAAG,MAAM,CAAC,KAAK,EAAE,cAAc,IAAI,QAAQ,CAAC,cAAc,CAAA;IAC9E,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,EAAE,UAAU,IAAI,QAAQ,CAAC,UAAU,CAAA;IAClE,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,QAAQ,CAAC,SAAS,CAAA;IACxD,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,IAAI,EAAE,CAAA;IAE3C,OAAO;QACL,KAAK,CAAC,YAAY,CAAC,EAAE;YACnB,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;qCACM,aAAa;;;;;;;;;OAS3C,CAAC,CAAC,CAAA;YAEH,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;qCACM,aAAa;;;;;;;;;;;;;;OAc3C,CAAC,CAAC,CAAA;QACL,CAAC;QAED,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO;YACzC,MAAM,SAAS,GAAc,MAAM,EAAE,CAAC,OAAO,CAC3C,GAAG,CAAA,+BAA+B,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC;gCAChC,QAAQ;;sCAEF,SAAS,iBAAiB,CACzD,CAAA;YAED,MAAM,WAAW,GAAa,EAAE,CAAA;YAChC,KAAK,MAAM,GAAG,IAAI,SAA6B,EAAE,CAAC;gBAChD,MAAM,MAAM,GAAc,MAAM,EAAE,CAAC,OAAO,CACxC,GAAG,CAAA,eAAe,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC;wBAC1B,GAAG,CAAC,EAAE,KAAK,QAAQ,KAAK,SAAS,KAAK,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,KAAK,WAAW;2BAC1E,CAClB,CAAA;gBACD,MAAM,QAAQ,GAAI,MAA2B,CAAC,CAAC,CAAC,CAAA;gBAChD,IAAI,QAAQ,KAAK,SAAS;oBAAE,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAA;YAC3D,CAAC;YAED,OAAO,WAAW,CAAA;QACpB,CAAC;QAED,KAAK,CAAC,OAAO,CAAC,EAAE,EAAE,UAAU;YAC1B,MAAM,IAAI,GAAc,MAAM,EAAE,CAAC,OAAO,CACtC,GAAG,CAAA;;mBAEQ,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC;mBACtB,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC;2BACd,UAAU,6BAA6B,CAC3D,CAAA;YAED,MAAM,QAAQ,GAAI,IAAkC,CAAC,CAAC,CAAC,CAAA;YACvD,IAAI,QAAQ,KAAK,SAAS;gBAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,CAAA;YAEvE,MAAM,OAAO,GAAI,QAAQ,CAAC,SAAS,CAAY,GAAG,CAAC,CAAA;YACnD,MAAM,MAAM,GAAG,WAAW,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,QAAQ,CAAW,EAAE,cAAc,CAAC,CAAA;YAE7F,IAAI,UAAU,GAAkB,IAAI,CAAA;YACpC,IAAI,YAAY,GAAkB,IAAI,CAAA;YACtC,IAAI,OAAO,GAAG,KAAK,CAAA;YAEnB,IAAI,CAAC;gBACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAA;gBACxC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAA;gBAE7D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAW,EAAE;oBACtD,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE;wBACP,cAAc,EAAE,kBAAkB;wBAClC,cAAc,EAAE,MAAM,CAAC,SAAS;wBAChC,qBAAqB,EAAE,MAAM,CAAC,SAAS,CAAC,QAAQ,EAAE;wBAClD,qBAAqB,EAAE,MAAM,CAAC,SAAS;qBACxC;oBACD,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,MAAM,EAAE,UAAU,CAAC,MAAM;iBAC1B,CAAC,CAAA;gBAEF,YAAY,CAAC,KAAK,CAAC,CAAA;gBACnB,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAA;gBAC5B,YAAY,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAA;gBACtD,OAAO,GAAG,UAAU,IAAI,GAAG,IAAI,UAAU,GAAG,GAAG,CAAA;YACjD,CAAC;YAAC,MAAM,CAAC;gBACP,UAAU,GAAG,IAAI,CAAA;gBACjB,YAAY,GAAG,IAAI,CAAA;gBACnB,OAAO,GAAG,KAAK,CAAA;YACjB,CAAC;YAED,IAAI,OAAO,IAAI,OAAO,IAAK,QAAQ,CAAC,cAAc,CAAY,EAAE,CAAC;gBAC/D,MAAM,EAAE,CAAC,OAAO,CACd,GAAG,CAAA,UAAU,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC;8BACf,OAAO,mBAAmB,UAAU;oCAC9B,YAAY;2BACrB,UAAU,EAAE,CAC9B,CAAA;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,CAAA;gBAC/E,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,CAAA;gBAChD,MAAM,EAAE,CAAC,OAAO,CACd,GAAG,CAAA,UAAU,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC;8BACf,OAAO,mBAAmB,UAAU;oCAC9B,YAAY,qBAAqB,SAAS,CAAC,WAAW,EAAE;2BACjE,UAAU,EAAE,CAC9B,CAAA;YACH,CAAC;YAED,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,CAAA;QAChC,CAAC;QAED,KAAK,CAAC,cAAc,CAAC,EAAE;YACrB,MAAM,IAAI,GAAc,MAAM,EAAE,CAAC,OAAO,CACtC,GAAG,CAAA,kBAAkB,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC;;;sBAG7B,CACf,CAAA;YAED,IAAI,SAAS,GAAG,CAAC,CAAA;YACjB,KAAK,MAAM,GAAG,IAAI,IAAwB,EAAE,CAAC;gBAC3C,MAAM,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,GAAG,CAAC,EAAE,CAAC,CAAA;gBAC9B,SAAS,EAAE,CAAA;YACb,CAAC;YACD,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,KAAK,CAAC,gBAAgB,CAAC,EAAE,EAAE,QAAQ;YACjC,MAAM,IAAI,GAAc,MAAM,EAAE,CAAC,OAAO,CACtC,GAAG,CAAA,eAAe,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC;sBAC1B,QAAQ,CAAC,QAAQ,KAAK,QAAQ,CAAC,GAAG,KAAK,QAAQ,CAAC,MAAM;sBACtD,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,QAAQ,CAAC,MAAM;yBACjD,CAClB,CAAA;YACD,OAAO,CAAE,IAAyB,CAAC,CAAC,CAAC,CAAE,CAAC,EAAE,CAAA;QAC5C,CAAC;QAED,KAAK,CAAC,aAAa,CAAC,EAAE,EAAE,QAAQ;YAC9B,MAAM,IAAI,GAAc,MAAM,EAAE,CAAC,OAAO,CACtC,GAAG,CAAA;mBACQ,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC;gCACT,QAAQ;oCACJ,CAC7B,CAAA;YACD,OAAQ,IAAkC,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBACrD,EAAE,EAAE,GAAG,CAAC,IAAI,CAAW;gBACvB,QAAQ,EAAE,GAAG,CAAC,WAAW,CAAW;gBACpC,GAAG,EAAE,GAAG,CAAC,KAAK,CAAW;gBACzB,MAAM,EAAE,GAAG,CAAC,QAAQ,CAAW;gBAC/B,MAAM,EAAE,GAAG,CAAC,QAAQ,CAAa;gBACjC,MAAM,EAAE,GAAG,CAAC,QAAQ,CAAY;aACjC,CAAC,CAAC,CAAA;QACL,CAAC;QAED,KAAK,CAAC,cAAc,CAAC,EAAE,EAAE,QAAQ,EAAE,UAAU;YAC3C,MAAM,IAAI,GAAc,MAAM,EAAE,CAAC,OAAO,CACtC,GAAG,CAAA,eAAe,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC;yBACvB,UAAU,oBAAoB,QAAQ;yBACtC,CAClB,CAAA;YACD,OAAQ,IAAkB,CAAC,MAAM,GAAG,CAAC,CAAA;QACvC,CAAC;KACF,CAAA;AACH,CAAC"}

package/dist/webhook/sign.d.ts

@@ -0,0 +1,12 @@
+export interface WebhookSignatureOptions {
+    algorithm?: string;
+    encoding?: 'hex' | 'base64';
+}
+export interface SignedPayload {
+    body: string;
+    signature: string;
+    timestamp: number;
+    messageId: string;
+}
+export declare function signPayload(payload: unknown, secret: string, options?: WebhookSignatureOptions): SignedPayload;
+//# sourceMappingURL=sign.d.ts.map

package/dist/webhook/sign.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign.d.ts","sourceRoot":"","sources":["../../src/webhook/sign.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,uBAAuB;IACtC,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,QAAQ,CAAC,EAAE,KAAK,GAAG,QAAQ,CAAA;CAC5B;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,wBAAgB,WAAW,CACzB,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,uBAA4B,GACpC,aAAa,CAWf"}

package/dist/webhook/sign.js

@@ -0,0 +1,12 @@
+import { createHmac, randomUUID } from 'node:crypto';
+export function signPayload(payload, secret, options = {}) {
+    const algorithm = options.algorithm ?? 'sha256';
+    const encoding = options.encoding ?? 'hex';
+    const messageId = randomUUID();
+    const timestamp = Math.floor(Date.now() / 1000);
+    const body = typeof payload === 'string' ? payload : JSON.stringify(payload);
+    const toSign = `${messageId}.${timestamp}.${body}`;
+    const signature = createHmac(algorithm, secret).update(toSign).digest(encoding);
+    return { body, signature, timestamp, messageId };
+}
+//# sourceMappingURL=sign.js.map

package/dist/webhook/sign.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign.js","sourceRoot":"","sources":["../../src/webhook/sign.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAcpD,MAAM,UAAU,WAAW,CACzB,OAAgB,EAChB,MAAc,EACd,UAAmC,EAAE;IAErC,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,QAAQ,CAAA;IAC/C,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,KAAK,CAAA;IAE1C,MAAM,SAAS,GAAG,UAAU,EAAE,CAAA;IAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;IAC/C,MAAM,IAAI,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IAC5E,MAAM,MAAM,GAAG,GAAG,SAAS,IAAI,SAAS,IAAI,IAAI,EAAE,CAAA;IAClD,MAAM,SAAS,GAAG,UAAU,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;IAE/E,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,CAAA;AAClD,CAAC"}

package/dist/webhook/verify.d.ts

@@ -0,0 +1,14 @@
+export interface SignatureVerifier {
+    verify(rawBody: Buffer, headers: Readonly<Record<string, string | undefined>>): boolean;
+}
+export declare function hmacVerifier(options: {
+    secret: string;
+    algorithm?: string;
+    header: string;
+    prefix?: string;
+    encoding?: 'hex' | 'base64';
+    computePayload?: (rawBody: Buffer, headers: Readonly<Record<string, string | undefined>>) => Buffer;
+}): SignatureVerifier;
+export declare function stripeVerifier(secret: string): SignatureVerifier;
+export declare function githubVerifier(secret: string): SignatureVerifier;
+//# sourceMappingURL=verify.d.ts.map

package/dist/webhook/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/webhook/verify.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,iBAAiB;IAChC,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,GAAG,OAAO,CAAA;CACxF;AAED,wBAAgB,YAAY,CAAC,OAAO,EAAE;IACpC,MAAM,EAAE,MAAM,CAAA;IACd,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE,KAAK,GAAG,QAAQ,CAAA;IAC3B,cAAc,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,KAAK,MAAM,CAAA;CACpG,GAAG,iBAAiB,CAuBpB;AAED,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,iBAAiB,CA2BhE;AAED,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,iBAAiB,CAQhE"}

package/dist/webhook/verify.js

@@ -0,0 +1,61 @@
+import { createHmac, timingSafeEqual } from 'node:crypto';
+export function hmacVerifier(options) {
+    const algorithm = options.algorithm ?? 'sha256';
+    const encoding = options.encoding ?? 'hex';
+    const prefix = options.prefix ?? '';
+    return {
+        verify(rawBody, headers) {
+            const headerValue = headers[options.header.toLowerCase()];
+            if (headerValue === undefined || headerValue === '')
+                return false;
+            const payload = options.computePayload !== undefined
+                ? options.computePayload(rawBody, headers)
+                : rawBody;
+            const expected = prefix + createHmac(algorithm, options.secret).update(payload).digest(encoding);
+            try {
+                return timingSafeEqual(Buffer.from(headerValue), Buffer.from(expected));
+            }
+            catch {
+                return false;
+            }
+        },
+    };
+}
+export function stripeVerifier(secret) {
+    return {
+        verify(rawBody, headers) {
+            const sigHeader = headers['stripe-signature'];
+            if (sigHeader === undefined)
+                return false;
+            const parts = new Map();
+            for (const pair of sigHeader.split(',')) {
+                const eqIdx = pair.indexOf('=');
+                if (eqIdx === -1)
+                    continue;
+                parts.set(pair.slice(0, eqIdx).trim(), pair.slice(eqIdx + 1).trim());
+            }
+            const timestamp = parts.get('t');
+            const v1Sig = parts.get('v1');
+            if (timestamp === undefined || v1Sig === undefined)
+                return false;
+            const signedPayload = Buffer.from(`${timestamp}.${rawBody.toString('utf-8')}`);
+            const expected = createHmac('sha256', secret).update(signedPayload).digest('hex');
+            try {
+                return timingSafeEqual(Buffer.from(v1Sig), Buffer.from(expected));
+            }
+            catch {
+                return false;
+            }
+        },
+    };
+}
+export function githubVerifier(secret) {
+    return hmacVerifier({
+        secret,
+        algorithm: 'sha256',
+        header: 'x-hub-signature-256',
+        prefix: 'sha256=',
+        encoding: 'hex',
+    });
+}
+//# sourceMappingURL=verify.js.map

package/dist/webhook/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/webhook/verify.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAMzD,MAAM,UAAU,YAAY,CAAC,OAO5B;IACC,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,QAAQ,CAAA;IAC/C,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,KAAK,CAAA;IAC1C,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,EAAE,CAAA;IAEnC,OAAO;QACL,MAAM,CAAC,OAAO,EAAE,OAAO;YACrB,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAA;YACzD,IAAI,WAAW,KAAK,SAAS,IAAI,WAAW,KAAK,EAAE;gBAAE,OAAO,KAAK,CAAA;YAEjE,MAAM,OAAO,GAAG,OAAO,CAAC,cAAc,KAAK,SAAS;gBAClD,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC;gBAC1C,CAAC,CAAC,OAAO,CAAA;YAEX,MAAM,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC,SAAS,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;YAEhG,IAAI,CAAC;gBACH,OAAO,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;YACzE,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;KACF,CAAA;AACH,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,MAAc;IAC3C,OAAO;QACL,MAAM,CAAC,OAAO,EAAE,OAAO;YACrB,MAAM,SAAS,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAA;YAC7C,IAAI,SAAS,KAAK,SAAS;gBAAE,OAAO,KAAK,CAAA;YAEzC,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAA;YACvC,KAAK,MAAM,IAAI,IAAI,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxC,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;gBAC/B,IAAI,KAAK,KAAK,CAAC,CAAC;oBAAE,SAAQ;gBAC1B,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAA;YACtE,CAAC;YAED,MAAM,SAAS,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;YAChC,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;YAC7B,IAAI,SAAS,KAAK,SAAS,IAAI,KAAK,KAAK,SAAS;gBAAE,OAAO,KAAK,CAAA;YAEhE,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,SAAS,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;YAC9E,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;YAEjF,IAAI,CAAC;gBACH,OAAO,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;YACnE,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;KACF,CAAA;AACH,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,MAAc;IAC3C,OAAO,YAAY,CAAC;QAClB,MAAM;QACN,SAAS,EAAE,QAAQ;QACnB,MAAM,EAAE,qBAAqB;QAC7B,MAAM,EAAE,SAAS;QACjB,QAAQ,EAAE,KAAK;KAChB,CAAC,CAAA;AACJ,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pipework",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "TypeScript framework for multi-tenant SaaS applications. PostgreSQL-only.",
   "type": "module",
   "license": "MIT",