pkg-sdk-test 0.0.18 → 0.0.19

package/dist/cjs/core/webhooks/verifyAsymmetricSignature.js

@@ -0,0 +1,210 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyAsymmetricSignature = verifyAsymmetricSignature;
+const index_js_1 = require("../runtime/index.js");
+function getNodeAlgorithmName(algorithm) {
+    switch (algorithm) {
+        case "RSA_SHA256":
+            return "RSA-SHA256";
+        case "RSA_SHA384":
+            return "RSA-SHA384";
+        case "RSA_SHA512":
+            return "RSA-SHA512";
+        case "ECDSA_SHA256":
+            return "SHA256";
+        case "ECDSA_SHA384":
+            return "SHA384";
+        case "ECDSA_SHA512":
+            return "SHA512";
+    }
+}
+// Each ECDSA curve has a fixed coordinate size for IEEE P1363 format.
+// Web Crypto requires P1363 (r ∥ s), while Node's createVerify accepts DER (ASN.1 SEQUENCE).
+function ecdsaCoordSize(algorithm) {
+    switch (algorithm) {
+        case "ECDSA_SHA256":
+            return 32; // P-256
+        case "ECDSA_SHA384":
+            return 48; // P-384
+        case "ECDSA_SHA512":
+            return 66; // P-521
+    }
+}
+// Read a DER length field starting at der[offset]. Returns [length, bytesConsumed].
+// Handles both short form (1 byte) and long form (0x81/0x82 prefix).
+function readDerLength(der, offset) {
+    const first = der[offset];
+    if (first < 0x80) {
+        return [first, 1];
+    }
+    const numLenBytes = first & 0x7f;
+    let length = 0;
+    for (let i = 0; i < numLenBytes; i++) {
+        length = (length << 8) | der[offset + 1 + i];
+    }
+    return [length, 1 + numLenBytes];
+}
+// Convert a DER-encoded ECDSA signature (ASN.1 SEQUENCE { INTEGER r, INTEGER s })
+// to IEEE P1363 format (r ∥ s, each zero-padded to coordSize bytes).
+function derToP1363(der, coordSize) {
+    // DER structure: 0x30 <len> 0x02 <rLen> <r> 0x02 <sLen> <s>
+    // Skip the outer SEQUENCE tag (0x30) and its length (may be long-form for P-521).
+    let offset = 1; // skip 0x30
+    const [, seqLenBytes] = readDerLength(der, offset);
+    offset += seqLenBytes;
+    if (der[offset] !== 0x02) {
+        throw new Error("Invalid DER signature: expected INTEGER tag for r");
+    }
+    offset++; // skip 0x02 tag
+    const [rLen, rLenBytes] = readDerLength(der, offset);
+    offset += rLenBytes;
+    const r = der.slice(offset, offset + rLen);
+    offset += rLen;
+    if (der[offset] !== 0x02) {
+        throw new Error("Invalid DER signature: expected INTEGER tag for s");
+    }
+    offset++; // skip 0x02 tag
+    const [sLen, sLenBytes] = readDerLength(der, offset);
+    offset += sLenBytes;
+    const s = der.slice(offset, offset + sLen);
+    const result = new Uint8Array(new ArrayBuffer(coordSize * 2));
+    // r and s may have a leading 0x00 padding byte (DER positive integer) — strip it,
+    // then right-align into the fixed-size output.
+    const rStripped = r[0] === 0x00 ? r.slice(1) : r;
+    const sStripped = s[0] === 0x00 ? s.slice(1) : s;
+    result.set(rStripped, coordSize - rStripped.length);
+    result.set(sStripped, coordSize * 2 - sStripped.length);
+    return result;
+}
+function pemToBytes(pem) {
+    const lines = pem.replace(/-----[A-Z ]+-----/g, "").replace(/\s+/g, "");
+    const binary = atob(lines);
+    const bytes = new Uint8Array(new ArrayBuffer(binary.length));
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+}
+function signatureToBytes(signature, encoding) {
+    if (encoding === "base64") {
+        const binary = atob(signature);
+        const bytes = new Uint8Array(new ArrayBuffer(binary.length));
+        for (let i = 0; i < binary.length; i++) {
+            bytes[i] = binary.charCodeAt(i);
+        }
+        return bytes;
+    }
+    // hex
+    const bytes = new Uint8Array(new ArrayBuffer(signature.length / 2));
+    for (let i = 0; i < bytes.length; i++) {
+        bytes[i] = parseInt(signature.slice(i * 2, i * 2 + 2), 16);
+    }
+    return bytes;
+}
+function getSubtleAlgorithms(algorithm) {
+    switch (algorithm) {
+        case "RSA_SHA256":
+            return {
+                importAlgorithm: { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+                verifyAlgorithm: { name: "RSASSA-PKCS1-v1_5" },
+            };
+        case "RSA_SHA384":
+            return {
+                importAlgorithm: { name: "RSASSA-PKCS1-v1_5", hash: "SHA-384" },
+                verifyAlgorithm: { name: "RSASSA-PKCS1-v1_5" },
+            };
+        case "RSA_SHA512":
+            return {
+                importAlgorithm: { name: "RSASSA-PKCS1-v1_5", hash: "SHA-512" },
+                verifyAlgorithm: { name: "RSASSA-PKCS1-v1_5" },
+            };
+        case "ECDSA_SHA256":
+            return {
+                importAlgorithm: { name: "ECDSA", namedCurve: "P-256" },
+                verifyAlgorithm: { name: "ECDSA", hash: "SHA-256" },
+            };
+        case "ECDSA_SHA384":
+            return {
+                importAlgorithm: { name: "ECDSA", namedCurve: "P-384" },
+                verifyAlgorithm: { name: "ECDSA", hash: "SHA-384" },
+            };
+        case "ECDSA_SHA512":
+            return {
+                importAlgorithm: { name: "ECDSA", namedCurve: "P-521" },
+                verifyAlgorithm: { name: "ECDSA", hash: "SHA-512" },
+            };
+        case "ED25519":
+            return {
+                importAlgorithm: { name: "Ed25519" },
+                verifyAlgorithm: { name: "Ed25519" },
+            };
+    }
+}
+function verifyAsymmetricSignature(args) {
+    return __awaiter(this, void 0, void 0, function* () {
+        if (index_js_1.RUNTIME.type === "node") {
+            const crypto = yield Promise.resolve().then(() => __importStar(require("crypto")));
+            if (args.algorithm === "ED25519") {
+                const signatureBytes = Uint8Array.from(Buffer.from(args.signature, args.encoding));
+                return crypto.verify(null, Uint8Array.from(Buffer.from(args.payload)), args.publicKey, signatureBytes);
+            }
+            const verifier = crypto.createVerify(getNodeAlgorithmName(args.algorithm));
+            verifier.update(args.payload);
+            return verifier.verify(args.publicKey, args.signature, args.encoding);
+        }
+        const subtle = globalThis.crypto.subtle;
+        const { importAlgorithm, verifyAlgorithm } = getSubtleAlgorithms(args.algorithm);
+        const keyBytes = pemToBytes(args.publicKey);
+        const key = yield subtle.importKey("spki", keyBytes, importAlgorithm, false, ["verify"]);
+        let signatureBytes = signatureToBytes(args.signature, args.encoding);
+        // Web Crypto requires IEEE P1363 format for ECDSA (raw r ∥ s), but the
+        // incoming signature is DER-encoded (the format Node and most libraries produce).
+        if (args.algorithm === "ECDSA_SHA256" || args.algorithm === "ECDSA_SHA384" || args.algorithm === "ECDSA_SHA512") {
+            signatureBytes = derToP1363(signatureBytes, ecdsaCoordSize(args.algorithm));
+        }
+        const payloadBytes = new TextEncoder().encode(args.payload);
+        return subtle.verify(verifyAlgorithm, key, signatureBytes, payloadBytes);
+    });
+}

package/dist/cjs/index.d.ts

@@ -4,3 +4,4 @@ export { SuwardSDKClient } from "./Client.js";
 export { SuwardSDKEnvironment } from "./environments.js";
 export { SuwardSDKError, SuwardSDKTimeoutError } from "./errors/index.js";
 export * from "./exports.js";
+export * as webhooks from "./webhooks/index.js";

package/dist/cjs/index.js

@@ -36,7 +36,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.SuwardSDKTimeoutError = exports.SuwardSDKError = exports.SuwardSDKEnvironment = exports.SuwardSDKClient = exports.SuwardSDK = void 0;
+exports.webhooks = exports.SuwardSDKTimeoutError = exports.SuwardSDKError = exports.SuwardSDKEnvironment = exports.SuwardSDKClient = exports.SuwardSDK = void 0;
 exports.SuwardSDK = __importStar(require("./api/index.js"));
 var Client_js_1 = require("./Client.js");
 Object.defineProperty(exports, "SuwardSDKClient", { enumerable: true, get: function () { return Client_js_1.SuwardSDKClient; } });
@@ -46,3 +46,4 @@ var index_js_1 = require("./errors/index.js");
 Object.defineProperty(exports, "SuwardSDKError", { enumerable: true, get: function () { return index_js_1.SuwardSDKError; } });
 Object.defineProperty(exports, "SuwardSDKTimeoutError", { enumerable: true, get: function () { return index_js_1.SuwardSDKTimeoutError; } });
 __exportStar(require("./exports.js"), exports);
+exports.webhooks = __importStar(require("./webhooks/index.js"));

package/dist/cjs/version.d.ts

@@ -1 +1 @@
-export declare const SDK_VERSION = "0.0.18";
+export declare const SDK_VERSION = "0.0.19";

package/dist/cjs/version.js

@@ -1,4 +1,4 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SDK_VERSION = void 0;
-exports.SDK_VERSION = "0.0.18";
+exports.SDK_VERSION = "0.0.19";

package/dist/cjs/webhooks/WebhooksHelper.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Verify an asymmetric webhook signature.
+ *
+ * Extract the signature from the "X-Suward-Signature" header and pass it as the signatureHeader parameter.
+ * Extract the timestamp from the "X-Suward-Timestamp" header and pass it as the timestampHeader parameter.
+ */
+export declare class WebhooksHelper {
+    static verifySignature(requestBody: string, signatureHeader: string, publicKey: string, timestampHeader: string): Promise<boolean>;
+}

package/dist/cjs/webhooks/WebhooksHelper.js

@@ -0,0 +1,87 @@
+"use strict";
+// This file was auto-generated by Fern from our API Definition.
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WebhooksHelper = void 0;
+const core = __importStar(require("../core/index.js"));
+const TIMESTAMP_TOLERANCE_SECONDS = 300;
+const SIGNATURE_PREFIX = "ed25519=";
+/**
+ * Verify an asymmetric webhook signature.
+ *
+ * Extract the signature from the "X-Suward-Signature" header and pass it as the signatureHeader parameter.
+ * Extract the timestamp from the "X-Suward-Timestamp" header and pass it as the timestampHeader parameter.
+ */
+class WebhooksHelper {
+    static verifySignature(requestBody, signatureHeader, publicKey, timestampHeader) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (requestBody == null || signatureHeader == null || publicKey == null) {
+                throw new Error("Missing required parameters for webhook signature verification");
+            }
+            if (timestampHeader == null || timestampHeader === "") {
+                throw new Error("Missing timestamp header 'X-Suward-Timestamp' for webhook signature verification");
+            }
+            const timestampValue = parseInt(timestampHeader, 10);
+            if (Number.isNaN(timestampValue)) {
+                throw new Error("Invalid timestamp format: expected unix milliseconds");
+            }
+            const timestampMs = timestampValue;
+            if (Math.abs(Date.now() - timestampMs) > TIMESTAMP_TOLERANCE_SECONDS * 1000) {
+                return false;
+            }
+            const sig = signatureHeader.startsWith(SIGNATURE_PREFIX)
+                ? signatureHeader.slice(SIGNATURE_PREFIX.length)
+                : signatureHeader;
+            const payload = requestBody;
+            return yield core.verifyAsymmetricSignature({
+                payload: payload,
+                signature: sig,
+                publicKey: publicKey,
+                algorithm: "ED25519",
+                encoding: "hex",
+            });
+        });
+    }
+}
+exports.WebhooksHelper = WebhooksHelper;

package/dist/cjs/webhooks/index.d.ts

@@ -0,0 +1 @@
+export { WebhooksHelper } from "./WebhooksHelper.js";

package/dist/cjs/webhooks/index.js

@@ -0,0 +1,5 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WebhooksHelper = void 0;
+var WebhooksHelper_js_1 = require("./WebhooksHelper.js");
+Object.defineProperty(exports, "WebhooksHelper", { enumerable: true, get: function () { return WebhooksHelper_js_1.WebhooksHelper; } });

package/dist/esm/BaseClient.mjs

@@ -6,8 +6,8 @@ export function normalizeClientOptions(options) {
     const headers = mergeHeaders({
         "X-Fern-Language": "JavaScript",
         "X-Fern-SDK-Name": "pkg-sdk-test",
-        "X-Fern-SDK-Version": "0.0.18",
-        "User-Agent": "pkg-sdk-test/0.0.18",
+        "X-Fern-SDK-Version": "0.0.19",
+        "User-Agent": "pkg-sdk-test/0.0.19",
         "X-Fern-Runtime": core.RUNTIME.type,
         "X-Fern-Runtime-Version": core.RUNTIME.version,
     }, options === null || options === void 0 ? void 0 : options.headers);

package/dist/esm/api/types/WebhookPaymentEvent.d.mts

@@ -0,0 +1,26 @@
+/**
+ * Webhook body for a payment lifecycle transition. Signed over the raw body with the project's Ed25519 key; verify with project.webhookPublicKey. `createdAt` is the signed, trusted timestamp.
+ */
+export interface WebhookPaymentEvent {
+    type: WebhookPaymentEvent.Type;
+    eventId: string;
+    /** Event creation time, unix milliseconds. */
+    createdAt: number;
+    paymentId: string;
+    projectId: string;
+    externalId?: string | undefined;
+    status: string;
+    subStatus: string;
+    amount: string;
+    amountReceived: string;
+    amountConfirmed: string;
+    assetId?: number | undefined;
+}
+export declare namespace WebhookPaymentEvent {
+    const Type: {
+        readonly PaymentAccepted: "payment.accepted";
+        readonly PaymentSuccess: "payment.success";
+        readonly PaymentFailed: "payment.failed";
+    };
+    type Type = (typeof Type)[keyof typeof Type];
+}

package/dist/esm/api/types/WebhookPaymentEvent.mjs

@@ -0,0 +1,9 @@
+// This file was auto-generated by Fern from our API Definition.
+export var WebhookPaymentEvent;
+(function (WebhookPaymentEvent) {
+    WebhookPaymentEvent.Type = {
+        PaymentAccepted: "payment.accepted",
+        PaymentSuccess: "payment.success",
+        PaymentFailed: "payment.failed",
+    };
+})(WebhookPaymentEvent || (WebhookPaymentEvent = {}));

package/dist/esm/api/types/WebhookStaticDepositEvent.d.mts

@@ -0,0 +1,29 @@
+/**
+ * Webhook body for a static-wallet deposit transition. Signed over the raw body with the project's Ed25519 key; verify with project.webhookPublicKey. `createdAt` is the signed, trusted timestamp.
+ */
+export interface WebhookStaticDepositEvent {
+    type: WebhookStaticDepositEvent.Type;
+    eventId: string;
+    /** Event creation time, unix milliseconds. */
+    createdAt: number;
+    staticWalletId: string;
+    depositId: string;
+    projectId: string;
+    externalId?: string | undefined;
+    address: string;
+    txHash: string;
+    transferIndex: string;
+    assetId: number;
+    amount: string;
+    netAmount: string;
+    fee: string;
+    networkFee: string;
+    status: string;
+}
+export declare namespace WebhookStaticDepositEvent {
+    const Type: {
+        readonly StaticDepositAccepted: "static_deposit.accepted";
+        readonly StaticDepositSuccess: "static_deposit.success";
+    };
+    type Type = (typeof Type)[keyof typeof Type];
+}

package/dist/esm/api/types/WebhookStaticDepositEvent.mjs

@@ -0,0 +1,8 @@
+// This file was auto-generated by Fern from our API Definition.
+export var WebhookStaticDepositEvent;
+(function (WebhookStaticDepositEvent) {
+    WebhookStaticDepositEvent.Type = {
+        StaticDepositAccepted: "static_deposit.accepted",
+        StaticDepositSuccess: "static_deposit.success",
+    };
+})(WebhookStaticDepositEvent || (WebhookStaticDepositEvent = {}));

package/dist/esm/api/types/index.d.mts

@@ -12,3 +12,5 @@ export * from "./CryptopayRedirectConfigDto.mjs";
 export * from "./CryptopayStaticDepositResponse.mjs";
 export * from "./CryptopayStaticWalletResponse.mjs";
 export * from "./CryptopayTransactionResponse.mjs";
+export * from "./WebhookPaymentEvent.mjs";
+export * from "./WebhookStaticDepositEvent.mjs";

package/dist/esm/api/types/index.mjs

@@ -12,3 +12,5 @@ export * from "./CryptopayRedirectConfigDto.mjs";
 export * from "./CryptopayStaticDepositResponse.mjs";
 export * from "./CryptopayStaticWalletResponse.mjs";
 export * from "./CryptopayTransactionResponse.mjs";
+export * from "./WebhookPaymentEvent.mjs";
+export * from "./WebhookStaticDepositEvent.mjs";

package/dist/esm/core/index.d.mts

@@ -4,3 +4,4 @@ export * from "./fetcher/index.mjs";
 export * as logging from "./logging/index.mjs";
 export * from "./runtime/index.mjs";
 export * as url from "./url/index.mjs";
+export * from "./webhooks/index.mjs";

package/dist/esm/core/index.mjs

@@ -4,3 +4,4 @@ export * from "./fetcher/index.mjs";
 export * as logging from "./logging/index.mjs";
 export * from "./runtime/index.mjs";
 export * as url from "./url/index.mjs";
+export * from "./webhooks/index.mjs";

package/dist/esm/core/webhooks/computeHmacSignature.d.mts

@@ -0,0 +1,9 @@
+import type { SignatureEncoding } from "./types.mjs";
+export type HmacAlgorithm = "sha256" | "sha1" | "sha384" | "sha512";
+export interface ComputeHmacSignatureArgs {
+    payload: string;
+    secret: string;
+    algorithm: HmacAlgorithm;
+    encoding: SignatureEncoding;
+}
+export declare function computeHmacSignature(args: ComputeHmacSignatureArgs): Promise<string>;

package/dist/esm/core/webhooks/computeHmacSignature.mjs

@@ -0,0 +1,48 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+import { RUNTIME } from "../runtime/index.mjs";
+function hmacAlgorithmToSubtleName(algorithm) {
+    switch (algorithm) {
+        case "sha1":
+            return "SHA-1";
+        case "sha256":
+            return "SHA-256";
+        case "sha384":
+            return "SHA-384";
+        case "sha512":
+            return "SHA-512";
+    }
+}
+export function computeHmacSignature(args) {
+    return __awaiter(this, void 0, void 0, function* () {
+        if (RUNTIME.type === "node") {
+            const crypto = yield import("crypto");
+            const hmac = crypto.createHmac(args.algorithm, args.secret);
+            hmac.update(args.payload);
+            return hmac.digest(args.encoding);
+        }
+        const subtle = globalThis.crypto.subtle;
+        const enc = new TextEncoder();
+        const keyMaterial = yield subtle.importKey("raw", enc.encode(args.secret), { name: "HMAC", hash: hmacAlgorithmToSubtleName(args.algorithm) }, false, ["sign"]);
+        const signatureBuffer = yield subtle.sign("HMAC", keyMaterial, enc.encode(args.payload));
+        const bytes = new Uint8Array(signatureBuffer);
+        if (args.encoding === "hex") {
+            return Array.from(bytes)
+                .map((b) => b.toString(16).padStart(2, "0"))
+                .join("");
+        }
+        // base64
+        let binary = "";
+        for (const byte of bytes) {
+            binary += String.fromCharCode(byte);
+        }
+        return btoa(binary);
+    });
+}

package/dist/esm/core/webhooks/fetchJwks.d.mts

@@ -0,0 +1,15 @@
+export interface FetchJwksArgs {
+    url: string;
+    keyId?: string;
+}
+/**
+ * Fetches a public key from a JWKS endpoint and returns it as a PEM string.
+ *
+ * Only RSA keys (reconstructed from `n`/`e`) and keys with an `x5c` certificate chain are supported.
+ * EC (kty: "EC") and OKP (kty: "OKP") keys are **not** supported and will throw an error.
+ *
+ * @throws {Error} If the JWKS endpoint returns a non-OK response.
+ * @throws {Error} If no key matching `keyId` is found (after one cache-busting retry).
+ * @throws {Error} If the selected key has an unsupported type (e.g. EC or OKP).
+ */
+export declare function fetchJwks(args: FetchJwksArgs): Promise<string>;