pkg-sdk-test 0.0.17 → 0.0.19

package/dist/cjs/BaseClient.js

@@ -43,8 +43,8 @@ function normalizeClientOptions(options) {
     const headers = (0, headers_js_1.mergeHeaders)({
         "X-Fern-Language": "JavaScript",
         "X-Fern-SDK-Name": "pkg-sdk-test",
-        "X-Fern-SDK-Version": "0.0.17",
-        "User-Agent": "pkg-sdk-test/0.0.17",
+        "X-Fern-SDK-Version": "0.0.19",
+        "User-Agent": "pkg-sdk-test/0.0.19",
         "X-Fern-Runtime": core.RUNTIME.type,
         "X-Fern-Runtime-Version": core.RUNTIME.version,
     }, options === null || options === void 0 ? void 0 : options.headers);

package/dist/cjs/api/resources/payments/client/requests/CryptopayCreatePaymentRequest.d.ts

@@ -11,7 +11,7 @@ export interface CryptopayCreatePaymentRequest {
     isTest?: boolean;
     metadata?: Record<string, unknown>;
     paymentWindowSeconds?: number;
-    redirect?: SuwardSDK.CryptopayRedirectConfigDto;
+    redirectConfig?: SuwardSDK.CryptopayRedirectConfigDto;
     underpaymentTolerance?: string;
     webhookUrl?: string;
 }

package/dist/cjs/api/types/CryptopayPaymentResponse.d.ts

@@ -18,7 +18,7 @@ export interface CryptopayPaymentResponse {
     networkFee?: string | undefined;
     paymentWindowSeconds?: number | undefined;
     projectId?: string | undefined;
-    redirect?: SuwardSDK.CryptopayRedirectConfigDto | undefined;
+    redirectConfig?: SuwardSDK.CryptopayRedirectConfigDto | undefined;
     status?: SuwardSDK.CryptopayPaymentStatusEnum | undefined;
     subStatus?: SuwardSDK.CryptopayPaymentSubStatusEnum | undefined;
     transactions?: SuwardSDK.CryptopayTransactionResponse[] | undefined;

package/dist/cjs/api/types/WebhookPaymentEvent.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Webhook body for a payment lifecycle transition. Signed over the raw body with the project's Ed25519 key; verify with project.webhookPublicKey. `createdAt` is the signed, trusted timestamp.
+ */
+export interface WebhookPaymentEvent {
+    type: WebhookPaymentEvent.Type;
+    eventId: string;
+    /** Event creation time, unix milliseconds. */
+    createdAt: number;
+    paymentId: string;
+    projectId: string;
+    externalId?: string | undefined;
+    status: string;
+    subStatus: string;
+    amount: string;
+    amountReceived: string;
+    amountConfirmed: string;
+    assetId?: number | undefined;
+}
+export declare namespace WebhookPaymentEvent {
+    const Type: {
+        readonly PaymentAccepted: "payment.accepted";
+        readonly PaymentSuccess: "payment.success";
+        readonly PaymentFailed: "payment.failed";
+    };
+    type Type = (typeof Type)[keyof typeof Type];
+}

package/dist/cjs/api/types/WebhookPaymentEvent.js

@@ -0,0 +1,12 @@
+"use strict";
+// This file was auto-generated by Fern from our API Definition.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WebhookPaymentEvent = void 0;
+var WebhookPaymentEvent;
+(function (WebhookPaymentEvent) {
+    WebhookPaymentEvent.Type = {
+        PaymentAccepted: "payment.accepted",
+        PaymentSuccess: "payment.success",
+        PaymentFailed: "payment.failed",
+    };
+})(WebhookPaymentEvent || (exports.WebhookPaymentEvent = WebhookPaymentEvent = {}));

package/dist/cjs/api/types/WebhookStaticDepositEvent.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Webhook body for a static-wallet deposit transition. Signed over the raw body with the project's Ed25519 key; verify with project.webhookPublicKey. `createdAt` is the signed, trusted timestamp.
+ */
+export interface WebhookStaticDepositEvent {
+    type: WebhookStaticDepositEvent.Type;
+    eventId: string;
+    /** Event creation time, unix milliseconds. */
+    createdAt: number;
+    staticWalletId: string;
+    depositId: string;
+    projectId: string;
+    externalId?: string | undefined;
+    address: string;
+    txHash: string;
+    transferIndex: string;
+    assetId: number;
+    amount: string;
+    netAmount: string;
+    fee: string;
+    networkFee: string;
+    status: string;
+}
+export declare namespace WebhookStaticDepositEvent {
+    const Type: {
+        readonly StaticDepositAccepted: "static_deposit.accepted";
+        readonly StaticDepositSuccess: "static_deposit.success";
+    };
+    type Type = (typeof Type)[keyof typeof Type];
+}

package/dist/cjs/api/types/WebhookStaticDepositEvent.js

@@ -0,0 +1,11 @@
+"use strict";
+// This file was auto-generated by Fern from our API Definition.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WebhookStaticDepositEvent = void 0;
+var WebhookStaticDepositEvent;
+(function (WebhookStaticDepositEvent) {
+    WebhookStaticDepositEvent.Type = {
+        StaticDepositAccepted: "static_deposit.accepted",
+        StaticDepositSuccess: "static_deposit.success",
+    };
+})(WebhookStaticDepositEvent || (exports.WebhookStaticDepositEvent = WebhookStaticDepositEvent = {}));

package/dist/cjs/api/types/index.d.ts

@@ -12,3 +12,5 @@ export * from "./CryptopayRedirectConfigDto.js";
 export * from "./CryptopayStaticDepositResponse.js";
 export * from "./CryptopayStaticWalletResponse.js";
 export * from "./CryptopayTransactionResponse.js";
+export * from "./WebhookPaymentEvent.js";
+export * from "./WebhookStaticDepositEvent.js";

package/dist/cjs/api/types/index.js

@@ -28,3 +28,5 @@ __exportStar(require("./CryptopayRedirectConfigDto.js"), exports);
 __exportStar(require("./CryptopayStaticDepositResponse.js"), exports);
 __exportStar(require("./CryptopayStaticWalletResponse.js"), exports);
 __exportStar(require("./CryptopayTransactionResponse.js"), exports);
+__exportStar(require("./WebhookPaymentEvent.js"), exports);
+__exportStar(require("./WebhookStaticDepositEvent.js"), exports);

package/dist/cjs/core/index.d.ts

@@ -4,3 +4,4 @@ export * from "./fetcher/index.js";
 export * as logging from "./logging/index.js";
 export * from "./runtime/index.js";
 export * as url from "./url/index.js";
+export * from "./webhooks/index.js";

package/dist/cjs/core/index.js

@@ -43,3 +43,4 @@ __exportStar(require("./fetcher/index.js"), exports);
 exports.logging = __importStar(require("./logging/index.js"));
 __exportStar(require("./runtime/index.js"), exports);
 exports.url = __importStar(require("./url/index.js"));
+__exportStar(require("./webhooks/index.js"), exports);

package/dist/cjs/core/webhooks/computeHmacSignature.d.ts

@@ -0,0 +1,9 @@
+import type { SignatureEncoding } from "./types.js";
+export type HmacAlgorithm = "sha256" | "sha1" | "sha384" | "sha512";
+export interface ComputeHmacSignatureArgs {
+    payload: string;
+    secret: string;
+    algorithm: HmacAlgorithm;
+    encoding: SignatureEncoding;
+}
+export declare function computeHmacSignature(args: ComputeHmacSignatureArgs): Promise<string>;

package/dist/cjs/core/webhooks/computeHmacSignature.js

@@ -0,0 +1,84 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.computeHmacSignature = computeHmacSignature;
+const index_js_1 = require("../runtime/index.js");
+function hmacAlgorithmToSubtleName(algorithm) {
+    switch (algorithm) {
+        case "sha1":
+            return "SHA-1";
+        case "sha256":
+            return "SHA-256";
+        case "sha384":
+            return "SHA-384";
+        case "sha512":
+            return "SHA-512";
+    }
+}
+function computeHmacSignature(args) {
+    return __awaiter(this, void 0, void 0, function* () {
+        if (index_js_1.RUNTIME.type === "node") {
+            const crypto = yield Promise.resolve().then(() => __importStar(require("crypto")));
+            const hmac = crypto.createHmac(args.algorithm, args.secret);
+            hmac.update(args.payload);
+            return hmac.digest(args.encoding);
+        }
+        const subtle = globalThis.crypto.subtle;
+        const enc = new TextEncoder();
+        const keyMaterial = yield subtle.importKey("raw", enc.encode(args.secret), { name: "HMAC", hash: hmacAlgorithmToSubtleName(args.algorithm) }, false, ["sign"]);
+        const signatureBuffer = yield subtle.sign("HMAC", keyMaterial, enc.encode(args.payload));
+        const bytes = new Uint8Array(signatureBuffer);
+        if (args.encoding === "hex") {
+            return Array.from(bytes)
+                .map((b) => b.toString(16).padStart(2, "0"))
+                .join("");
+        }
+        // base64
+        let binary = "";
+        for (const byte of bytes) {
+            binary += String.fromCharCode(byte);
+        }
+        return btoa(binary);
+    });
+}

package/dist/cjs/core/webhooks/fetchJwks.d.ts

@@ -0,0 +1,15 @@
+export interface FetchJwksArgs {
+    url: string;
+    keyId?: string;
+}
+/**
+ * Fetches a public key from a JWKS endpoint and returns it as a PEM string.
+ *
+ * Only RSA keys (reconstructed from `n`/`e`) and keys with an `x5c` certificate chain are supported.
+ * EC (kty: "EC") and OKP (kty: "OKP") keys are **not** supported and will throw an error.
+ *
+ * @throws {Error} If the JWKS endpoint returns a non-OK response.
+ * @throws {Error} If no key matching `keyId` is found (after one cache-busting retry).
+ * @throws {Error} If the selected key has an unsupported type (e.g. EC or OKP).
+ */
+export declare function fetchJwks(args: FetchJwksArgs): Promise<string>;

package/dist/cjs/core/webhooks/fetchJwks.js

@@ -0,0 +1,156 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchJwks = fetchJwks;
+const CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+const CACHE_MAX_SIZE = 50;
+const cache = new Map();
+function base64UrlToBase64(base64url) {
+    let base64 = base64url.replace(/-/g, "+").replace(/_/g, "/");
+    while (base64.length % 4 !== 0) {
+        base64 += "=";
+    }
+    return base64;
+}
+function jwkToPem(jwk) {
+    if (jwk.x5c != null && jwk.x5c.length > 0) {
+        const cert = jwk.x5c[0];
+        return `-----BEGIN CERTIFICATE-----\n${cert}\n-----END CERTIFICATE-----`;
+    }
+    if (jwk.kty === "RSA" && jwk.n != null && jwk.e != null) {
+        return constructRsaPem(jwk.n, jwk.e);
+    }
+    throw new Error(`Unsupported JWK key type for PEM conversion: ${jwk.kty}`);
+}
+function base64UrlToBytes(base64url) {
+    const binary = atob(base64UrlToBase64(base64url));
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+}
+function concatBytes(arrays) {
+    const total = arrays.reduce((sum, a) => sum + a.length, 0);
+    const result = new Uint8Array(total);
+    let offset = 0;
+    for (const array of arrays) {
+        result.set(array, offset);
+        offset += array.length;
+    }
+    return result;
+}
+function constructRsaPem(nBase64Url, eBase64Url) {
+    const nBytes = base64UrlToBytes(nBase64Url);
+    const eBytes = base64UrlToBytes(eBase64Url);
+    // ASN.1 DER encoding of RSA public key
+    const nEncoded = asn1Integer(nBytes);
+    const eEncoded = asn1Integer(eBytes);
+    const sequence = asn1Sequence(concatBytes([nEncoded, eEncoded]));
+    const bitString = asn1BitString(sequence);
+    const algorithmIdentifier = asn1Sequence(new Uint8Array([
+        // OID for rsaEncryption (1.2.840.113549.1.1.1)
+        0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
+        // NULL
+        0x05, 0x00,
+    ]));
+    const spki = asn1Sequence(concatBytes([algorithmIdentifier, bitString]));
+    let binary = "";
+    for (const byte of spki) {
+        binary += String.fromCharCode(byte);
+    }
+    const base64 = btoa(binary);
+    const lines = [];
+    for (let i = 0; i < base64.length; i += 64) {
+        lines.push(base64.substring(i, i + 64));
+    }
+    return `-----BEGIN PUBLIC KEY-----\n${lines.join("\n")}\n-----END PUBLIC KEY-----`;
+}
+function asn1Length(length) {
+    if (length < 0x80) {
+        return new Uint8Array([length]);
+    }
+    const bytes = [];
+    let temp = length;
+    while (temp > 0) {
+        bytes.unshift(temp & 0xff);
+        temp >>= 8;
+    }
+    return new Uint8Array([0x80 | bytes.length, ...bytes]);
+}
+function asn1Integer(bytes) {
+    // Add leading zero if high bit is set (to ensure positive integer)
+    const needsPadding = bytes[0] >= 0x80;
+    const content = needsPadding ? concatBytes([new Uint8Array([0x00]), bytes]) : bytes;
+    return concatBytes([new Uint8Array([0x02]), asn1Length(content.length), content]);
+}
+function asn1Sequence(content) {
+    return concatBytes([new Uint8Array([0x30]), asn1Length(content.length), content]);
+}
+function asn1BitString(content) {
+    // Prepend a zero byte for unused bits
+    return concatBytes([new Uint8Array([0x03]), asn1Length(content.length + 1), new Uint8Array([0x00]), content]);
+}
+function fetchKeys(url) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const cached = cache.get(url);
+        if (cached != null && Date.now() - cached.fetchedAt < CACHE_TTL_MS) {
+            return cached.keys;
+        }
+        const response = yield fetch(url);
+        if (!response.ok) {
+            throw new Error(`Failed to fetch JWKS from ${url}: ${response.status} ${response.statusText}`);
+        }
+        const jwks = (yield response.json());
+        if (cache.size >= CACHE_MAX_SIZE) {
+            for (const key of cache.keys()) {
+                cache.delete(key);
+                break;
+            }
+        }
+        cache.set(url, { keys: jwks.keys, fetchedAt: Date.now() });
+        return jwks.keys;
+    });
+}
+/**
+ * Fetches a public key from a JWKS endpoint and returns it as a PEM string.
+ *
+ * Only RSA keys (reconstructed from `n`/`e`) and keys with an `x5c` certificate chain are supported.
+ * EC (kty: "EC") and OKP (kty: "OKP") keys are **not** supported and will throw an error.
+ *
+ * @throws {Error} If the JWKS endpoint returns a non-OK response.
+ * @throws {Error} If no key matching `keyId` is found (after one cache-busting retry).
+ * @throws {Error} If the selected key has an unsupported type (e.g. EC or OKP).
+ */
+function fetchJwks(args) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const keys = yield fetchKeys(args.url);
+        let selectedKey;
+        if (args.keyId != null) {
+            selectedKey = keys.find((k) => k.kid === args.keyId);
+            if (selectedKey == null) {
+                // Invalidate cache and retry once
+                cache.delete(args.url);
+                const refreshedKeys = yield fetchKeys(args.url);
+                selectedKey = refreshedKeys.find((k) => k.kid === args.keyId);
+            }
+        }
+        else {
+            selectedKey = keys[0];
+        }
+        if (selectedKey == null) {
+            throw new Error(args.keyId != null
+                ? `No key found with kid "${args.keyId}" in JWKS at ${args.url}`
+                : `No keys found in JWKS at ${args.url}`);
+        }
+        return jwkToPem(selectedKey);
+    });
+}

package/dist/cjs/core/webhooks/index.d.ts

@@ -0,0 +1,8 @@
+export type { ComputeHmacSignatureArgs, HmacAlgorithm } from "./computeHmacSignature.js";
+export { computeHmacSignature } from "./computeHmacSignature.js";
+export type { FetchJwksArgs } from "./fetchJwks.js";
+export { fetchJwks } from "./fetchJwks.js";
+export { timingSafeEqual } from "./timingSafeEqual.js";
+export type { SignatureEncoding } from "./types.js";
+export type { AsymmetricAlgorithm, VerifyAsymmetricSignatureArgs } from "./verifyAsymmetricSignature.js";
+export { verifyAsymmetricSignature } from "./verifyAsymmetricSignature.js";

package/dist/cjs/core/webhooks/index.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyAsymmetricSignature = exports.timingSafeEqual = exports.fetchJwks = exports.computeHmacSignature = void 0;
+var computeHmacSignature_js_1 = require("./computeHmacSignature.js");
+Object.defineProperty(exports, "computeHmacSignature", { enumerable: true, get: function () { return computeHmacSignature_js_1.computeHmacSignature; } });
+var fetchJwks_js_1 = require("./fetchJwks.js");
+Object.defineProperty(exports, "fetchJwks", { enumerable: true, get: function () { return fetchJwks_js_1.fetchJwks; } });
+var timingSafeEqual_js_1 = require("./timingSafeEqual.js");
+Object.defineProperty(exports, "timingSafeEqual", { enumerable: true, get: function () { return timingSafeEqual_js_1.timingSafeEqual; } });
+var verifyAsymmetricSignature_js_1 = require("./verifyAsymmetricSignature.js");
+Object.defineProperty(exports, "verifyAsymmetricSignature", { enumerable: true, get: function () { return verifyAsymmetricSignature_js_1.verifyAsymmetricSignature; } });

package/dist/cjs/core/webhooks/timingSafeEqual.d.ts

@@ -0,0 +1 @@
+export declare function timingSafeEqual(a: string, b: string): Promise<boolean>;

package/dist/cjs/core/webhooks/timingSafeEqual.js

@@ -0,0 +1,85 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.timingSafeEqual = timingSafeEqual;
+const index_js_1 = require("../runtime/index.js");
+function timingSafeEqual(a, b) {
+    return __awaiter(this, void 0, void 0, function* () {
+        var _a;
+        if (index_js_1.RUNTIME.type === "node") {
+            const crypto = yield Promise.resolve().then(() => __importStar(require("crypto")));
+            const bufA = Buffer.from(a);
+            const bufB = Buffer.from(b);
+            if (bufA.length !== bufB.length) {
+                // Still perform comparison to avoid leaking length via timing
+                const dummy = Buffer.alloc(bufA.length);
+                crypto.timingSafeEqual(bufA, dummy);
+                return false;
+            }
+            return crypto.timingSafeEqual(bufA, bufB);
+        }
+        // Fallback: constant-time XOR comparison using Uint8Array
+        const enc = new TextEncoder();
+        const bytesA = enc.encode(a);
+        const bytesB = enc.encode(b);
+        if (bytesA.length !== bytesB.length) {
+            // XOR each byte of bytesA against bytesB[0] (a runtime value) so the
+            // loop cannot be trivially folded to a constant by the engine. This is
+            // best-effort timing-stability: JS has no guarantee, but we avoid an
+            // obvious early-exit that would trivially leak length via timing.
+            const pivot = (_a = bytesB[0]) !== null && _a !== void 0 ? _a : 0;
+            let sink = 0;
+            for (let i = 0; i < bytesA.length; i++) {
+                sink |= bytesA[i] ^ pivot;
+            }
+            void sink;
+            return false;
+        }
+        let result = 0;
+        for (let i = 0; i < bytesA.length; i++) {
+            result |= bytesA[i] ^ bytesB[i];
+        }
+        return result === 0;
+    });
+}

package/dist/cjs/core/webhooks/types.d.ts

@@ -0,0 +1 @@
+export type SignatureEncoding = "base64" | "hex";

package/dist/cjs/core/webhooks/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/core/webhooks/verifyAsymmetricSignature.d.ts

@@ -0,0 +1,10 @@
+import type { SignatureEncoding } from "./types.js";
+export type AsymmetricAlgorithm = "RSA_SHA256" | "RSA_SHA384" | "RSA_SHA512" | "ECDSA_SHA256" | "ECDSA_SHA384" | "ECDSA_SHA512" | "ED25519";
+export interface VerifyAsymmetricSignatureArgs {
+    payload: string;
+    signature: string;
+    publicKey: string;
+    algorithm: AsymmetricAlgorithm;
+    encoding: SignatureEncoding;
+}
+export declare function verifyAsymmetricSignature(args: VerifyAsymmetricSignatureArgs): Promise<boolean>;