torque-webhooks 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Torque
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,53 @@
+# torque-webhooks
+
+Merchant webhook helpers for Torque Checkout integrations.
+
+## Install
+
+```bash
+yarn add torque-webhooks
+```
+
+## Verify inbound webhooks (Torque → your server)
+
+```ts
+import { verifyWebhookSignature } from 'torque-webhooks'
+
+const ok = verifyWebhookSignature(rawBody, request.headers.get('x-torque-signature'), secret)
+```
+
+## Push order status (your server → Torque)
+
+```ts
+import { createTorqueWebhooksFromEnv } from 'torque-webhooks'
+
+const webhooks = createTorqueWebhooksFromEnv()
+
+await webhooks.pushOrderUpdate({
+  orderId: 'ord_123',
+  status: 'shipped',
+  metadata: { trackingNumber: '1Z999' },
+})
+```
+
+Uses `POST /api/webhooks/order-update` with header `x-order-webhook-secret`.
+
+**Env:** `TORQUE_WEBHOOK_SECRET` or `ORDER_WEBHOOK_SECRET`, optional `TORQUE_BASE_URL`.
+
+## Next.js inbound handler
+
+```ts
+// app/api/webhooks/torque/route.ts
+import { handleWebhook } from 'torque-webhooks/nextjs'
+
+export const POST = handleWebhook({
+  secret: process.env.TORQUE_WEBHOOK_SECRET,
+  onOrderCompleted: async (event) => {
+    await fulfillOrder(event.orderId!)
+  },
+})
+```
+
+## License
+
+MIT

package/dist/index.d.ts

@@ -0,0 +1,60 @@
+export type TorqueOutboundWebhookEventType = 'order.created' | 'order.completed' | 'order.failed' | 'subscription.created' | 'subscription.cancelled';
+/** Payload Torque may send to merchant webhook endpoints (outbound). */
+export interface TorqueOutboundWebhookEvent {
+    type: TorqueOutboundWebhookEventType;
+    orderId?: string;
+    subscriptionId?: string;
+    data: Record<string, unknown>;
+    timestamp: number;
+}
+export type OrderUpdateStatus = 'created' | 'paid' | 'shipped' | 'delivered' | 'cancelled' | 'refunded';
+export interface PushOrderUpdateParams {
+    orderId: string;
+    status: OrderUpdateStatus;
+    customerData?: Record<string, unknown>;
+    metadata?: Record<string, unknown>;
+}
+export interface TorqueWebhooksConfig {
+    /** Shared secret for POST /api/webhooks/order-update (`x-order-webhook-secret`). */
+    webhookSecret: string;
+    baseUrl?: string;
+    timeout?: number;
+}
+export declare class TorqueWebhooksError extends Error {
+    code: string;
+    statusCode: number;
+    details?: Record<string, unknown>;
+    constructor(message: string, options: {
+        code: string;
+        statusCode: number;
+        details?: Record<string, unknown>;
+    });
+}
+/**
+ * Verify `X-Torque-Signature` (or raw hex) against HMAC-SHA256 of the **raw** webhook body.
+ * Accepts `hex`, `sha256=<hex>`, or `v1=<hex>` prefix forms.
+ */
+export declare function verifyWebhookSignature(rawBody: string, signatureHeader: string | null, secret: string): boolean;
+/** Checkout-compatible alias. */
+export declare const verifyTorqueWebhookSignature: typeof verifyWebhookSignature;
+export declare function pushOrderUpdate(params: PushOrderUpdateParams, config: TorqueWebhooksConfig): Promise<{
+    success: boolean;
+    message?: string;
+    timestamp?: string;
+}>;
+export declare function createTorqueWebhooks(config: TorqueWebhooksConfig): {
+    pushOrderUpdate: (params: PushOrderUpdateParams) => Promise<{
+        success: boolean;
+        message?: string;
+        timestamp?: string;
+    }>;
+    verifyWebhookSignature: (rawBody: string, signatureHeader: string | null, secret?: string) => boolean;
+};
+export declare function createTorqueWebhooksFromEnv(overrides?: Partial<TorqueWebhooksConfig>): {
+    pushOrderUpdate: (params: PushOrderUpdateParams) => Promise<{
+        success: boolean;
+        message?: string;
+        timestamp?: string;
+    }>;
+    verifyWebhookSignature: (rawBody: string, signatureHeader: string | null, secret?: string) => boolean;
+};

package/dist/index.esm.js

@@ -0,0 +1,122 @@
+import { createHmac, timingSafeEqual } from 'crypto';
+
+class TorqueWebhooksError extends Error {
+    constructor(message, options) {
+        super(message);
+        this.name = 'TorqueWebhooksError';
+        this.code = options.code;
+        this.statusCode = options.statusCode;
+        this.details = options.details;
+        Object.setPrototypeOf(this, TorqueWebhooksError.prototype);
+    }
+}
+/**
+ * Verify `X-Torque-Signature` (or raw hex) against HMAC-SHA256 of the **raw** webhook body.
+ * Accepts `hex`, `sha256=<hex>`, or `v1=<hex>` prefix forms.
+ */
+function verifyWebhookSignature(rawBody, signatureHeader, secret) {
+    if (!signatureHeader || !secret)
+        return false;
+    const expectedHex = createHmac('sha256', secret).update(rawBody, 'utf8').digest('hex');
+    const normalized = signatureHeader.trim().replace(/^(sha256|v1)=/i, '');
+    try {
+        const a = Buffer.from(normalized, 'hex');
+        const b = Buffer.from(expectedHex, 'hex');
+        if (a.length !== b.length)
+            return false;
+        return timingSafeEqual(a, b);
+    }
+    catch {
+        return false;
+    }
+}
+/** Checkout-compatible alias. */
+const verifyTorqueWebhookSignature = verifyWebhookSignature;
+async function pushOrderUpdate(params, config) {
+    if (!params.orderId?.trim()) {
+        throw new TorqueWebhooksError('orderId is required', {
+            code: 'VALIDATION_ERROR',
+            statusCode: 400,
+        });
+    }
+    if (!params.status) {
+        throw new TorqueWebhooksError('status is required', {
+            code: 'VALIDATION_ERROR',
+            statusCode: 400,
+        });
+    }
+    if (!config.webhookSecret?.trim()) {
+        throw new TorqueWebhooksError('webhookSecret is required', {
+            code: 'INVALID_CONFIG',
+            statusCode: 400,
+        });
+    }
+    const baseUrl = (config.baseUrl || 'https://app.torque.fi').replace(/\/$/, '');
+    const timeout = config.timeout ?? 30000;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+        const response = await fetch(`${baseUrl}/api/webhooks/order-update`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'x-order-webhook-secret': config.webhookSecret.trim(),
+            },
+            body: JSON.stringify({
+                orderId: params.orderId,
+                status: params.status,
+                customerData: params.customerData,
+                metadata: params.metadata,
+            }),
+            signal: controller.signal,
+        });
+        clearTimeout(timeoutId);
+        const body = (await response.json().catch(() => ({})));
+        if (!response.ok) {
+            throw new TorqueWebhooksError(body.message || `HTTP ${response.status}`, {
+                code: typeof body.error === 'string' ? body.error : 'API_ERROR',
+                statusCode: response.status,
+                details: body.details,
+            });
+        }
+        return {
+            success: body.success ?? true,
+            message: body.message,
+            timestamp: body.timestamp,
+        };
+    }
+    catch (error) {
+        clearTimeout(timeoutId);
+        if (error instanceof TorqueWebhooksError)
+            throw error;
+        if (error instanceof Error && error.name === 'AbortError') {
+            throw new TorqueWebhooksError('Request timeout', { code: 'TIMEOUT', statusCode: 408 });
+        }
+        throw new TorqueWebhooksError(error instanceof Error ? error.message : 'Request failed', {
+            code: 'NETWORK_ERROR',
+            statusCode: 500,
+        });
+    }
+}
+function createTorqueWebhooks(config) {
+    return {
+        pushOrderUpdate: (params) => pushOrderUpdate(params, config),
+        verifyWebhookSignature: (rawBody, signatureHeader, secret) => verifyWebhookSignature(rawBody, signatureHeader, secret ?? config.webhookSecret),
+    };
+}
+function createTorqueWebhooksFromEnv(overrides) {
+    const webhookSecret = process.env.TORQUE_WEBHOOK_SECRET ||
+        process.env.ORDER_WEBHOOK_SECRET ||
+        overrides?.webhookSecret;
+    if (!webhookSecret) {
+        throw new TorqueWebhooksError('TORQUE_WEBHOOK_SECRET or ORDER_WEBHOOK_SECRET environment variable is required', { code: 'MISSING_ENV_VARS', statusCode: 400 });
+    }
+    return createTorqueWebhooks({
+        webhookSecret,
+        baseUrl: process.env.TORQUE_BASE_URL || overrides?.baseUrl,
+        timeout: overrides?.timeout,
+    });
+}
+
+export { TorqueWebhooksError, createTorqueWebhooks, createTorqueWebhooksFromEnv, pushOrderUpdate, verifyTorqueWebhookSignature, verifyWebhookSignature };
+//# sourceMappingURL=index.esm.js.map

package/dist/index.esm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.esm.js","sources":["../src/index.ts"],"sourcesContent":["import { createHmac, timingSafeEqual } from 'crypto'\n\nexport type TorqueOutboundWebhookEventType =\n  | 'order.created'\n  | 'order.completed'\n  | 'order.failed'\n  | 'subscription.created'\n  | 'subscription.cancelled'\n\n/** Payload Torque may send to merchant webhook endpoints (outbound). */\nexport interface TorqueOutboundWebhookEvent {\n  type: TorqueOutboundWebhookEventType\n  orderId?: string\n  subscriptionId?: string\n  data: Record<string, unknown>\n  timestamp: number\n}\n\nexport type OrderUpdateStatus =\n  | 'created'\n  | 'paid'\n  | 'shipped'\n  | 'delivered'\n  | 'cancelled'\n  | 'refunded'\n\nexport interface PushOrderUpdateParams {\n  orderId: string\n  status: OrderUpdateStatus\n  customerData?: Record<string, unknown>\n  metadata?: Record<string, unknown>\n}\n\nexport interface TorqueWebhooksConfig {\n  /** Shared secret for POST /api/webhooks/order-update (`x-order-webhook-secret`). */\n  webhookSecret: string\n  baseUrl?: string\n  timeout?: number\n}\n\nexport class TorqueWebhooksError extends Error {\n  code: string\n  statusCode: number\n  details?: Record<string, unknown>\n\n  constructor(\n    message: string,\n    options: { code: string; statusCode: number; details?: Record<string, unknown> },\n  ) {\n    super(message)\n    this.name = 'TorqueWebhooksError'\n    this.code = options.code\n    this.statusCode = options.statusCode\n    this.details = options.details\n    Object.setPrototypeOf(this, TorqueWebhooksError.prototype)\n  }\n}\n\n/**\n * Verify `X-Torque-Signature` (or raw hex) against HMAC-SHA256 of the **raw** webhook body.\n * Accepts `hex`, `sha256=<hex>`, or `v1=<hex>` prefix forms.\n */\nexport function verifyWebhookSignature(\n  rawBody: string,\n  signatureHeader: string | null,\n  secret: string,\n): boolean {\n  if (!signatureHeader || !secret) return false\n  const expectedHex = createHmac('sha256', secret).update(rawBody, 'utf8').digest('hex')\n  const normalized = signatureHeader.trim().replace(/^(sha256|v1)=/i, '')\n  try {\n    const a = Buffer.from(normalized, 'hex')\n    const b = Buffer.from(expectedHex, 'hex')\n    if (a.length !== b.length) return false\n    return timingSafeEqual(a, b)\n  } catch {\n    return false\n  }\n}\n\n/** Checkout-compatible alias. */\nexport const verifyTorqueWebhookSignature = verifyWebhookSignature\n\nexport async function pushOrderUpdate(\n  params: PushOrderUpdateParams,\n  config: TorqueWebhooksConfig,\n): Promise<{ success: boolean; message?: string; timestamp?: string }> {\n  if (!params.orderId?.trim()) {\n    throw new TorqueWebhooksError('orderId is required', {\n      code: 'VALIDATION_ERROR',\n      statusCode: 400,\n    })\n  }\n  if (!params.status) {\n    throw new TorqueWebhooksError('status is required', {\n      code: 'VALIDATION_ERROR',\n      statusCode: 400,\n    })\n  }\n  if (!config.webhookSecret?.trim()) {\n    throw new TorqueWebhooksError('webhookSecret is required', {\n      code: 'INVALID_CONFIG',\n      statusCode: 400,\n    })\n  }\n\n  const baseUrl = (config.baseUrl || 'https://app.torque.fi').replace(/\\/$/, '')\n  const timeout = config.timeout ?? 30_000\n  const controller = new AbortController()\n  const timeoutId = setTimeout(() => controller.abort(), timeout)\n\n  try {\n    const response = await fetch(`${baseUrl}/api/webhooks/order-update`, {\n      method: 'POST',\n      headers: {\n        'Content-Type': 'application/json',\n        'x-order-webhook-secret': config.webhookSecret.trim(),\n      },\n      body: JSON.stringify({\n        orderId: params.orderId,\n        status: params.status,\n        customerData: params.customerData,\n        metadata: params.metadata,\n      }),\n      signal: controller.signal,\n    })\n\n    clearTimeout(timeoutId)\n    const body = (await response.json().catch(() => ({}))) as {\n      success?: boolean\n      message?: string\n      timestamp?: string\n      error?: string\n      details?: Record<string, unknown>\n    }\n\n    if (!response.ok) {\n      throw new TorqueWebhooksError(body.message || `HTTP ${response.status}`, {\n        code: typeof body.error === 'string' ? body.error : 'API_ERROR',\n        statusCode: response.status,\n        details: body.details,\n      })\n    }\n\n    return {\n      success: body.success ?? true,\n      message: body.message,\n      timestamp: body.timestamp,\n    }\n  } catch (error) {\n    clearTimeout(timeoutId)\n    if (error instanceof TorqueWebhooksError) throw error\n    if (error instanceof Error && error.name === 'AbortError') {\n      throw new TorqueWebhooksError('Request timeout', { code: 'TIMEOUT', statusCode: 408 })\n    }\n    throw new TorqueWebhooksError(error instanceof Error ? error.message : 'Request failed', {\n      code: 'NETWORK_ERROR',\n      statusCode: 500,\n    })\n  }\n}\n\nexport function createTorqueWebhooks(config: TorqueWebhooksConfig) {\n  return {\n    pushOrderUpdate: (params: PushOrderUpdateParams) => pushOrderUpdate(params, config),\n    verifyWebhookSignature: (\n      rawBody: string,\n      signatureHeader: string | null,\n      secret?: string,\n    ) => verifyWebhookSignature(rawBody, signatureHeader, secret ?? config.webhookSecret),\n  }\n}\n\nexport function createTorqueWebhooksFromEnv(overrides?: Partial<TorqueWebhooksConfig>) {\n  const webhookSecret =\n    process.env.TORQUE_WEBHOOK_SECRET ||\n    process.env.ORDER_WEBHOOK_SECRET ||\n    overrides?.webhookSecret\n  if (!webhookSecret) {\n    throw new TorqueWebhooksError(\n      'TORQUE_WEBHOOK_SECRET or ORDER_WEBHOOK_SECRET environment variable is required',\n      { code: 'MISSING_ENV_VARS', statusCode: 400 },\n    )\n  }\n  return createTorqueWebhooks({\n    webhookSecret,\n    baseUrl: process.env.TORQUE_BASE_URL || overrides?.baseUrl,\n    timeout: overrides?.timeout,\n  })\n}\n"],"names":[],"mappings":";;AAwCM,MAAO,mBAAoB,SAAQ,KAAK,CAAA;IAK5C,WAAA,CACE,OAAe,EACf,OAAgF,EAAA;QAEhF,KAAK,CAAC,OAAO,CAAC;AACd,QAAA,IAAI,CAAC,IAAI,GAAG,qBAAqB;AACjC,QAAA,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI;AACxB,QAAA,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU;AACpC,QAAA,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO;QAC9B,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,mBAAmB,CAAC,SAAS,CAAC;IAC5D;AACD;AAED;;;AAGG;SACa,sBAAsB,CACpC,OAAe,EACf,eAA8B,EAC9B,MAAc,EAAA;AAEd,IAAA,IAAI,CAAC,eAAe,IAAI,CAAC,MAAM;AAAE,QAAA,OAAO,KAAK;IAC7C,MAAM,WAAW,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;AACtF,IAAA,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC;AACvE,IAAA,IAAI;QACF,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC;QACxC,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC;AACzC,QAAA,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;AAAE,YAAA,OAAO,KAAK;AACvC,QAAA,OAAO,eAAe,CAAC,CAAC,EAAE,CAAC,CAAC;IAC9B;AAAE,IAAA,MAAM;AACN,QAAA,OAAO,KAAK;IACd;AACF;AAEA;AACO,MAAM,4BAA4B,GAAG;AAErC,eAAe,eAAe,CACnC,MAA6B,EAC7B,MAA4B,EAAA;IAE5B,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE;AAC3B,QAAA,MAAM,IAAI,mBAAmB,CAAC,qBAAqB,EAAE;AACnD,YAAA,IAAI,EAAE,kBAAkB;AACxB,YAAA,UAAU,EAAE,GAAG;AAChB,SAAA,CAAC;IACJ;AACA,IAAA,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE;AAClB,QAAA,MAAM,IAAI,mBAAmB,CAAC,oBAAoB,EAAE;AAClD,YAAA,IAAI,EAAE,kBAAkB;AACxB,YAAA,UAAU,EAAE,GAAG;AAChB,SAAA,CAAC;IACJ;IACA,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,IAAI,EAAE,EAAE;AACjC,QAAA,MAAM,IAAI,mBAAmB,CAAC,2BAA2B,EAAE;AACzD,YAAA,IAAI,EAAE,gBAAgB;AACtB,YAAA,UAAU,EAAE,GAAG;AAChB,SAAA,CAAC;IACJ;AAEA,IAAA,MAAM,OAAO,GAAG,CAAC,MAAM,CAAC,OAAO,IAAI,uBAAuB,EAAE,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;AAC9E,IAAA,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,KAAM;AACxC,IAAA,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE;AACxC,IAAA,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC;AAE/D,IAAA,IAAI;QACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,CAAA,EAAG,OAAO,4BAA4B,EAAE;AACnE,YAAA,MAAM,EAAE,MAAM;AACd,YAAA,OAAO,EAAE;AACP,gBAAA,cAAc,EAAE,kBAAkB;AAClC,gBAAA,wBAAwB,EAAE,MAAM,CAAC,aAAa,CAAC,IAAI,EAAE;AACtD,aAAA;AACD,YAAA,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,YAAY,EAAE,MAAM,CAAC,YAAY;gBACjC,QAAQ,EAAE,MAAM,CAAC,QAAQ;aAC1B,CAAC;YACF,MAAM,EAAE,UAAU,CAAC,MAAM;AAC1B,SAAA,CAAC;QAEF,YAAY,CAAC,SAAS,CAAC;AACvB,QAAA,MAAM,IAAI,IAAI,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAMpD;AAED,QAAA,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;AAChB,YAAA,MAAM,IAAI,mBAAmB,CAAC,IAAI,CAAC,OAAO,IAAI,CAAA,KAAA,EAAQ,QAAQ,CAAC,MAAM,CAAA,CAAE,EAAE;AACvE,gBAAA,IAAI,EAAE,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,GAAG,IAAI,CAAC,KAAK,GAAG,WAAW;gBAC/D,UAAU,EAAE,QAAQ,CAAC,MAAM;gBAC3B,OAAO,EAAE,IAAI,CAAC,OAAO;AACtB,aAAA,CAAC;QACJ;QAEA,OAAO;AACL,YAAA,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,IAAI;YAC7B,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B;IACH;IAAE,OAAO,KAAK,EAAE;QACd,YAAY,CAAC,SAAS,CAAC;QACvB,IAAI,KAAK,YAAY,mBAAmB;AAAE,YAAA,MAAM,KAAK;QACrD,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,EAAE;AACzD,YAAA,MAAM,IAAI,mBAAmB,CAAC,iBAAiB,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;QACxF;AACA,QAAA,MAAM,IAAI,mBAAmB,CAAC,KAAK,YAAY,KAAK,GAAG,KAAK,CAAC,OAAO,GAAG,gBAAgB,EAAE;AACvF,YAAA,IAAI,EAAE,eAAe;AACrB,YAAA,UAAU,EAAE,GAAG;AAChB,SAAA,CAAC;IACJ;AACF;AAEM,SAAU,oBAAoB,CAAC,MAA4B,EAAA;IAC/D,OAAO;QACL,eAAe,EAAE,CAAC,MAA6B,KAAK,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC;QACnF,sBAAsB,EAAE,CACtB,OAAe,EACf,eAA8B,EAC9B,MAAe,KACZ,sBAAsB,CAAC,OAAO,EAAE,eAAe,EAAE,MAAM,IAAI,MAAM,CAAC,aAAa,CAAC;KACtF;AACH;AAEM,SAAU,2BAA2B,CAAC,SAAyC,EAAA;AACnF,IAAA,MAAM,aAAa,GACjB,OAAO,CAAC,GAAG,CAAC,qBAAqB;QACjC,OAAO,CAAC,GAAG,CAAC,oBAAoB;QAChC,SAAS,EAAE,aAAa;IAC1B,IAAI,CAAC,aAAa,EAAE;AAClB,QAAA,MAAM,IAAI,mBAAmB,CAC3B,gFAAgF,EAChF,EAAE,IAAI,EAAE,kBAAkB,EAAE,UAAU,EAAE,GAAG,EAAE,CAC9C;IACH;AACA,IAAA,OAAO,oBAAoB,CAAC;QAC1B,aAAa;QACb,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,SAAS,EAAE,OAAO;QAC1D,OAAO,EAAE,SAAS,EAAE,OAAO;AAC5B,KAAA,CAAC;AACJ;;;;"}

package/dist/index.js

@@ -0,0 +1,129 @@
+'use strict';
+
+var crypto = require('crypto');
+
+class TorqueWebhooksError extends Error {
+    constructor(message, options) {
+        super(message);
+        this.name = 'TorqueWebhooksError';
+        this.code = options.code;
+        this.statusCode = options.statusCode;
+        this.details = options.details;
+        Object.setPrototypeOf(this, TorqueWebhooksError.prototype);
+    }
+}
+/**
+ * Verify `X-Torque-Signature` (or raw hex) against HMAC-SHA256 of the **raw** webhook body.
+ * Accepts `hex`, `sha256=<hex>`, or `v1=<hex>` prefix forms.
+ */
+function verifyWebhookSignature(rawBody, signatureHeader, secret) {
+    if (!signatureHeader || !secret)
+        return false;
+    const expectedHex = crypto.createHmac('sha256', secret).update(rawBody, 'utf8').digest('hex');
+    const normalized = signatureHeader.trim().replace(/^(sha256|v1)=/i, '');
+    try {
+        const a = Buffer.from(normalized, 'hex');
+        const b = Buffer.from(expectedHex, 'hex');
+        if (a.length !== b.length)
+            return false;
+        return crypto.timingSafeEqual(a, b);
+    }
+    catch {
+        return false;
+    }
+}
+/** Checkout-compatible alias. */
+const verifyTorqueWebhookSignature = verifyWebhookSignature;
+async function pushOrderUpdate(params, config) {
+    if (!params.orderId?.trim()) {
+        throw new TorqueWebhooksError('orderId is required', {
+            code: 'VALIDATION_ERROR',
+            statusCode: 400,
+        });
+    }
+    if (!params.status) {
+        throw new TorqueWebhooksError('status is required', {
+            code: 'VALIDATION_ERROR',
+            statusCode: 400,
+        });
+    }
+    if (!config.webhookSecret?.trim()) {
+        throw new TorqueWebhooksError('webhookSecret is required', {
+            code: 'INVALID_CONFIG',
+            statusCode: 400,
+        });
+    }
+    const baseUrl = (config.baseUrl || 'https://app.torque.fi').replace(/\/$/, '');
+    const timeout = config.timeout ?? 30000;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+        const response = await fetch(`${baseUrl}/api/webhooks/order-update`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'x-order-webhook-secret': config.webhookSecret.trim(),
+            },
+            body: JSON.stringify({
+                orderId: params.orderId,
+                status: params.status,
+                customerData: params.customerData,
+                metadata: params.metadata,
+            }),
+            signal: controller.signal,
+        });
+        clearTimeout(timeoutId);
+        const body = (await response.json().catch(() => ({})));
+        if (!response.ok) {
+            throw new TorqueWebhooksError(body.message || `HTTP ${response.status}`, {
+                code: typeof body.error === 'string' ? body.error : 'API_ERROR',
+                statusCode: response.status,
+                details: body.details,
+            });
+        }
+        return {
+            success: body.success ?? true,
+            message: body.message,
+            timestamp: body.timestamp,
+        };
+    }
+    catch (error) {
+        clearTimeout(timeoutId);
+        if (error instanceof TorqueWebhooksError)
+            throw error;
+        if (error instanceof Error && error.name === 'AbortError') {
+            throw new TorqueWebhooksError('Request timeout', { code: 'TIMEOUT', statusCode: 408 });
+        }
+        throw new TorqueWebhooksError(error instanceof Error ? error.message : 'Request failed', {
+            code: 'NETWORK_ERROR',
+            statusCode: 500,
+        });
+    }
+}
+function createTorqueWebhooks(config) {
+    return {
+        pushOrderUpdate: (params) => pushOrderUpdate(params, config),
+        verifyWebhookSignature: (rawBody, signatureHeader, secret) => verifyWebhookSignature(rawBody, signatureHeader, secret ?? config.webhookSecret),
+    };
+}
+function createTorqueWebhooksFromEnv(overrides) {
+    const webhookSecret = process.env.TORQUE_WEBHOOK_SECRET ||
+        process.env.ORDER_WEBHOOK_SECRET ||
+        overrides?.webhookSecret;
+    if (!webhookSecret) {
+        throw new TorqueWebhooksError('TORQUE_WEBHOOK_SECRET or ORDER_WEBHOOK_SECRET environment variable is required', { code: 'MISSING_ENV_VARS', statusCode: 400 });
+    }
+    return createTorqueWebhooks({
+        webhookSecret,
+        baseUrl: process.env.TORQUE_BASE_URL || overrides?.baseUrl,
+        timeout: overrides?.timeout,
+    });
+}
+
+exports.TorqueWebhooksError = TorqueWebhooksError;
+exports.createTorqueWebhooks = createTorqueWebhooks;
+exports.createTorqueWebhooksFromEnv = createTorqueWebhooksFromEnv;
+exports.pushOrderUpdate = pushOrderUpdate;
+exports.verifyTorqueWebhookSignature = verifyTorqueWebhookSignature;
+exports.verifyWebhookSignature = verifyWebhookSignature;
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sources":["../src/index.ts"],"sourcesContent":["import { createHmac, timingSafeEqual } from 'crypto'\n\nexport type TorqueOutboundWebhookEventType =\n  | 'order.created'\n  | 'order.completed'\n  | 'order.failed'\n  | 'subscription.created'\n  | 'subscription.cancelled'\n\n/** Payload Torque may send to merchant webhook endpoints (outbound). */\nexport interface TorqueOutboundWebhookEvent {\n  type: TorqueOutboundWebhookEventType\n  orderId?: string\n  subscriptionId?: string\n  data: Record<string, unknown>\n  timestamp: number\n}\n\nexport type OrderUpdateStatus =\n  | 'created'\n  | 'paid'\n  | 'shipped'\n  | 'delivered'\n  | 'cancelled'\n  | 'refunded'\n\nexport interface PushOrderUpdateParams {\n  orderId: string\n  status: OrderUpdateStatus\n  customerData?: Record<string, unknown>\n  metadata?: Record<string, unknown>\n}\n\nexport interface TorqueWebhooksConfig {\n  /** Shared secret for POST /api/webhooks/order-update (`x-order-webhook-secret`). */\n  webhookSecret: string\n  baseUrl?: string\n  timeout?: number\n}\n\nexport class TorqueWebhooksError extends Error {\n  code: string\n  statusCode: number\n  details?: Record<string, unknown>\n\n  constructor(\n    message: string,\n    options: { code: string; statusCode: number; details?: Record<string, unknown> },\n  ) {\n    super(message)\n    this.name = 'TorqueWebhooksError'\n    this.code = options.code\n    this.statusCode = options.statusCode\n    this.details = options.details\n    Object.setPrototypeOf(this, TorqueWebhooksError.prototype)\n  }\n}\n\n/**\n * Verify `X-Torque-Signature` (or raw hex) against HMAC-SHA256 of the **raw** webhook body.\n * Accepts `hex`, `sha256=<hex>`, or `v1=<hex>` prefix forms.\n */\nexport function verifyWebhookSignature(\n  rawBody: string,\n  signatureHeader: string | null,\n  secret: string,\n): boolean {\n  if (!signatureHeader || !secret) return false\n  const expectedHex = createHmac('sha256', secret).update(rawBody, 'utf8').digest('hex')\n  const normalized = signatureHeader.trim().replace(/^(sha256|v1)=/i, '')\n  try {\n    const a = Buffer.from(normalized, 'hex')\n    const b = Buffer.from(expectedHex, 'hex')\n    if (a.length !== b.length) return false\n    return timingSafeEqual(a, b)\n  } catch {\n    return false\n  }\n}\n\n/** Checkout-compatible alias. */\nexport const verifyTorqueWebhookSignature = verifyWebhookSignature\n\nexport async function pushOrderUpdate(\n  params: PushOrderUpdateParams,\n  config: TorqueWebhooksConfig,\n): Promise<{ success: boolean; message?: string; timestamp?: string }> {\n  if (!params.orderId?.trim()) {\n    throw new TorqueWebhooksError('orderId is required', {\n      code: 'VALIDATION_ERROR',\n      statusCode: 400,\n    })\n  }\n  if (!params.status) {\n    throw new TorqueWebhooksError('status is required', {\n      code: 'VALIDATION_ERROR',\n      statusCode: 400,\n    })\n  }\n  if (!config.webhookSecret?.trim()) {\n    throw new TorqueWebhooksError('webhookSecret is required', {\n      code: 'INVALID_CONFIG',\n      statusCode: 400,\n    })\n  }\n\n  const baseUrl = (config.baseUrl || 'https://app.torque.fi').replace(/\\/$/, '')\n  const timeout = config.timeout ?? 30_000\n  const controller = new AbortController()\n  const timeoutId = setTimeout(() => controller.abort(), timeout)\n\n  try {\n    const response = await fetch(`${baseUrl}/api/webhooks/order-update`, {\n      method: 'POST',\n      headers: {\n        'Content-Type': 'application/json',\n        'x-order-webhook-secret': config.webhookSecret.trim(),\n      },\n      body: JSON.stringify({\n        orderId: params.orderId,\n        status: params.status,\n        customerData: params.customerData,\n        metadata: params.metadata,\n      }),\n      signal: controller.signal,\n    })\n\n    clearTimeout(timeoutId)\n    const body = (await response.json().catch(() => ({}))) as {\n      success?: boolean\n      message?: string\n      timestamp?: string\n      error?: string\n      details?: Record<string, unknown>\n    }\n\n    if (!response.ok) {\n      throw new TorqueWebhooksError(body.message || `HTTP ${response.status}`, {\n        code: typeof body.error === 'string' ? body.error : 'API_ERROR',\n        statusCode: response.status,\n        details: body.details,\n      })\n    }\n\n    return {\n      success: body.success ?? true,\n      message: body.message,\n      timestamp: body.timestamp,\n    }\n  } catch (error) {\n    clearTimeout(timeoutId)\n    if (error instanceof TorqueWebhooksError) throw error\n    if (error instanceof Error && error.name === 'AbortError') {\n      throw new TorqueWebhooksError('Request timeout', { code: 'TIMEOUT', statusCode: 408 })\n    }\n    throw new TorqueWebhooksError(error instanceof Error ? error.message : 'Request failed', {\n      code: 'NETWORK_ERROR',\n      statusCode: 500,\n    })\n  }\n}\n\nexport function createTorqueWebhooks(config: TorqueWebhooksConfig) {\n  return {\n    pushOrderUpdate: (params: PushOrderUpdateParams) => pushOrderUpdate(params, config),\n    verifyWebhookSignature: (\n      rawBody: string,\n      signatureHeader: string | null,\n      secret?: string,\n    ) => verifyWebhookSignature(rawBody, signatureHeader, secret ?? config.webhookSecret),\n  }\n}\n\nexport function createTorqueWebhooksFromEnv(overrides?: Partial<TorqueWebhooksConfig>) {\n  const webhookSecret =\n    process.env.TORQUE_WEBHOOK_SECRET ||\n    process.env.ORDER_WEBHOOK_SECRET ||\n    overrides?.webhookSecret\n  if (!webhookSecret) {\n    throw new TorqueWebhooksError(\n      'TORQUE_WEBHOOK_SECRET or ORDER_WEBHOOK_SECRET environment variable is required',\n      { code: 'MISSING_ENV_VARS', statusCode: 400 },\n    )\n  }\n  return createTorqueWebhooks({\n    webhookSecret,\n    baseUrl: process.env.TORQUE_BASE_URL || overrides?.baseUrl,\n    timeout: overrides?.timeout,\n  })\n}\n"],"names":["createHmac","timingSafeEqual"],"mappings":";;;;AAwCM,MAAO,mBAAoB,SAAQ,KAAK,CAAA;IAK5C,WAAA,CACE,OAAe,EACf,OAAgF,EAAA;QAEhF,KAAK,CAAC,OAAO,CAAC;AACd,QAAA,IAAI,CAAC,IAAI,GAAG,qBAAqB;AACjC,QAAA,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI;AACxB,QAAA,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU;AACpC,QAAA,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO;QAC9B,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,mBAAmB,CAAC,SAAS,CAAC;IAC5D;AACD;AAED;;;AAGG;SACa,sBAAsB,CACpC,OAAe,EACf,eAA8B,EAC9B,MAAc,EAAA;AAEd,IAAA,IAAI,CAAC,eAAe,IAAI,CAAC,MAAM;AAAE,QAAA,OAAO,KAAK;IAC7C,MAAM,WAAW,GAAGA,iBAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;AACtF,IAAA,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC;AACvE,IAAA,IAAI;QACF,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC;QACxC,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC;AACzC,QAAA,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;AAAE,YAAA,OAAO,KAAK;AACvC,QAAA,OAAOC,sBAAe,CAAC,CAAC,EAAE,CAAC,CAAC;IAC9B;AAAE,IAAA,MAAM;AACN,QAAA,OAAO,KAAK;IACd;AACF;AAEA;AACO,MAAM,4BAA4B,GAAG;AAErC,eAAe,eAAe,CACnC,MAA6B,EAC7B,MAA4B,EAAA;IAE5B,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE;AAC3B,QAAA,MAAM,IAAI,mBAAmB,CAAC,qBAAqB,EAAE;AACnD,YAAA,IAAI,EAAE,kBAAkB;AACxB,YAAA,UAAU,EAAE,GAAG;AAChB,SAAA,CAAC;IACJ;AACA,IAAA,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE;AAClB,QAAA,MAAM,IAAI,mBAAmB,CAAC,oBAAoB,EAAE;AAClD,YAAA,IAAI,EAAE,kBAAkB;AACxB,YAAA,UAAU,EAAE,GAAG;AAChB,SAAA,CAAC;IACJ;IACA,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,IAAI,EAAE,EAAE;AACjC,QAAA,MAAM,IAAI,mBAAmB,CAAC,2BAA2B,EAAE;AACzD,YAAA,IAAI,EAAE,gBAAgB;AACtB,YAAA,UAAU,EAAE,GAAG;AAChB,SAAA,CAAC;IACJ;AAEA,IAAA,MAAM,OAAO,GAAG,CAAC,MAAM,CAAC,OAAO,IAAI,uBAAuB,EAAE,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;AAC9E,IAAA,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,KAAM;AACxC,IAAA,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE;AACxC,IAAA,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC;AAE/D,IAAA,IAAI;QACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,CAAA,EAAG,OAAO,4BAA4B,EAAE;AACnE,YAAA,MAAM,EAAE,MAAM;AACd,YAAA,OAAO,EAAE;AACP,gBAAA,cAAc,EAAE,kBAAkB;AAClC,gBAAA,wBAAwB,EAAE,MAAM,CAAC,aAAa,CAAC,IAAI,EAAE;AACtD,aAAA;AACD,YAAA,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,YAAY,EAAE,MAAM,CAAC,YAAY;gBACjC,QAAQ,EAAE,MAAM,CAAC,QAAQ;aAC1B,CAAC;YACF,MAAM,EAAE,UAAU,CAAC,MAAM;AAC1B,SAAA,CAAC;QAEF,YAAY,CAAC,SAAS,CAAC;AACvB,QAAA,MAAM,IAAI,IAAI,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAMpD;AAED,QAAA,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;AAChB,YAAA,MAAM,IAAI,mBAAmB,CAAC,IAAI,CAAC,OAAO,IAAI,CAAA,KAAA,EAAQ,QAAQ,CAAC,MAAM,CAAA,CAAE,EAAE;AACvE,gBAAA,IAAI,EAAE,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,GAAG,IAAI,CAAC,KAAK,GAAG,WAAW;gBAC/D,UAAU,EAAE,QAAQ,CAAC,MAAM;gBAC3B,OAAO,EAAE,IAAI,CAAC,OAAO;AACtB,aAAA,CAAC;QACJ;QAEA,OAAO;AACL,YAAA,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,IAAI;YAC7B,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B;IACH;IAAE,OAAO,KAAK,EAAE;QACd,YAAY,CAAC,SAAS,CAAC;QACvB,IAAI,KAAK,YAAY,mBAAmB;AAAE,YAAA,MAAM,KAAK;QACrD,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,EAAE;AACzD,YAAA,MAAM,IAAI,mBAAmB,CAAC,iBAAiB,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;QACxF;AACA,QAAA,MAAM,IAAI,mBAAmB,CAAC,KAAK,YAAY,KAAK,GAAG,KAAK,CAAC,OAAO,GAAG,gBAAgB,EAAE;AACvF,YAAA,IAAI,EAAE,eAAe;AACrB,YAAA,UAAU,EAAE,GAAG;AAChB,SAAA,CAAC;IACJ;AACF;AAEM,SAAU,oBAAoB,CAAC,MAA4B,EAAA;IAC/D,OAAO;QACL,eAAe,EAAE,CAAC,MAA6B,KAAK,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC;QACnF,sBAAsB,EAAE,CACtB,OAAe,EACf,eAA8B,EAC9B,MAAe,KACZ,sBAAsB,CAAC,OAAO,EAAE,eAAe,EAAE,MAAM,IAAI,MAAM,CAAC,aAAa,CAAC;KACtF;AACH;AAEM,SAAU,2BAA2B,CAAC,SAAyC,EAAA;AACnF,IAAA,MAAM,aAAa,GACjB,OAAO,CAAC,GAAG,CAAC,qBAAqB;QACjC,OAAO,CAAC,GAAG,CAAC,oBAAoB;QAChC,SAAS,EAAE,aAAa;IAC1B,IAAI,CAAC,aAAa,EAAE;AAClB,QAAA,MAAM,IAAI,mBAAmB,CAC3B,gFAAgF,EAChF,EAAE,IAAI,EAAE,kBAAkB,EAAE,UAAU,EAAE,GAAG,EAAE,CAC9C;IACH;AACA,IAAA,OAAO,oBAAoB,CAAC;QAC1B,aAAa;QACb,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,SAAS,EAAE,OAAO;QAC1D,OAAO,EAAE,SAAS,EAAE,OAAO;AAC5B,KAAA,CAAC;AACJ;;;;;;;;;"}

package/dist/nextjs.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Next.js webhook route helpers for merchant apps.
+ * @requires next >= 13.0.0
+ */
+import type { NextRequest } from 'next/server';
+import { NextResponse } from 'next/server';
+import { type TorqueOutboundWebhookEvent } from './index';
+export type { TorqueOutboundWebhookEvent as WebhookEvent };
+export interface WebhookHandlerOptions {
+    secret?: string;
+    onOrderCreated?: (event: TorqueOutboundWebhookEvent) => Promise<void> | void;
+    onOrderCompleted?: (event: TorqueOutboundWebhookEvent) => Promise<void> | void;
+    onOrderFailed?: (event: TorqueOutboundWebhookEvent) => Promise<void> | void;
+    onSubscriptionCreated?: (event: TorqueOutboundWebhookEvent) => Promise<void> | void;
+    onSubscriptionCancelled?: (event: TorqueOutboundWebhookEvent) => Promise<void> | void;
+}
+/**
+ * Next.js App Router handler for inbound Torque outbound webhooks.
+ */
+export declare function handleWebhook(options?: WebhookHandlerOptions): (request: NextRequest) => Promise<NextResponse<{
+    error: string;
+}> | NextResponse<{
+    received: boolean;
+}>>;
+export { verifyWebhookSignature, verifyTorqueWebhookSignature } from './index';

package/dist/nextjs.esm.js

@@ -0,0 +1,59 @@
+import { NextResponse } from 'next/server';
+import { verifyWebhookSignature } from './index.esm.js';
+export { verifyTorqueWebhookSignature } from './index.esm.js';
+import 'crypto';
+
+/**
+ * Next.js webhook route helpers for merchant apps.
+ * @requires next >= 13.0.0
+ */
+/**
+ * Next.js App Router handler for inbound Torque outbound webhooks.
+ */
+function handleWebhook(options = {}) {
+    return async (request) => {
+        try {
+            const rawBody = await request.text();
+            let event;
+            try {
+                event = JSON.parse(rawBody);
+            }
+            catch {
+                return NextResponse.json({ error: 'Invalid JSON' }, { status: 400 });
+            }
+            if (options.secret) {
+                const signature = request.headers.get('x-torque-signature');
+                if (!verifyWebhookSignature(rawBody, signature, options.secret)) {
+                    return NextResponse.json({ error: 'Invalid signature' }, { status: 401 });
+                }
+            }
+            switch (event.type) {
+                case 'order.created':
+                    await options.onOrderCreated?.(event);
+                    break;
+                case 'order.completed':
+                    await options.onOrderCompleted?.(event);
+                    break;
+                case 'order.failed':
+                    await options.onOrderFailed?.(event);
+                    break;
+                case 'subscription.created':
+                    await options.onSubscriptionCreated?.(event);
+                    break;
+                case 'subscription.cancelled':
+                    await options.onSubscriptionCancelled?.(event);
+                    break;
+                default:
+                    console.warn('Unknown webhook event type:', event.type);
+            }
+            return NextResponse.json({ received: true });
+        }
+        catch (error) {
+            console.error('Webhook handler error:', error);
+            return NextResponse.json({ error: 'Webhook processing failed' }, { status: 500 });
+        }
+    };
+}
+
+export { handleWebhook, verifyWebhookSignature };
+//# sourceMappingURL=nextjs.esm.js.map

package/dist/nextjs.esm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nextjs.esm.js","sources":["../src/nextjs.ts"],"sourcesContent":["/**\n * Next.js webhook route helpers for merchant apps.\n * @requires next >= 13.0.0\n */\n\nimport type { NextRequest } from 'next/server'\nimport { NextResponse } from 'next/server'\n\nimport {\n  verifyWebhookSignature,\n  type TorqueOutboundWebhookEvent,\n} from './index'\n\nexport type { TorqueOutboundWebhookEvent as WebhookEvent }\n\nexport interface WebhookHandlerOptions {\n  secret?: string\n  onOrderCreated?: (event: TorqueOutboundWebhookEvent) => Promise<void> | void\n  onOrderCompleted?: (event: TorqueOutboundWebhookEvent) => Promise<void> | void\n  onOrderFailed?: (event: TorqueOutboundWebhookEvent) => Promise<void> | void\n  onSubscriptionCreated?: (event: TorqueOutboundWebhookEvent) => Promise<void> | void\n  onSubscriptionCancelled?: (event: TorqueOutboundWebhookEvent) => Promise<void> | void\n}\n\n/**\n * Next.js App Router handler for inbound Torque outbound webhooks.\n */\nexport function handleWebhook(options: WebhookHandlerOptions = {}) {\n  return async (request: NextRequest) => {\n    try {\n      const rawBody = await request.text()\n      let event: TorqueOutboundWebhookEvent\n      try {\n        event = JSON.parse(rawBody) as TorqueOutboundWebhookEvent\n      } catch {\n        return NextResponse.json({ error: 'Invalid JSON' }, { status: 400 })\n      }\n\n      if (options.secret) {\n        const signature = request.headers.get('x-torque-signature')\n        if (!verifyWebhookSignature(rawBody, signature, options.secret)) {\n          return NextResponse.json({ error: 'Invalid signature' }, { status: 401 })\n        }\n      }\n\n      switch (event.type) {\n        case 'order.created':\n          await options.onOrderCreated?.(event)\n          break\n        case 'order.completed':\n          await options.onOrderCompleted?.(event)\n          break\n        case 'order.failed':\n          await options.onOrderFailed?.(event)\n          break\n        case 'subscription.created':\n          await options.onSubscriptionCreated?.(event)\n          break\n        case 'subscription.cancelled':\n          await options.onSubscriptionCancelled?.(event)\n          break\n        default:\n          console.warn('Unknown webhook event type:', (event as { type?: string }).type)\n      }\n\n      return NextResponse.json({ received: true })\n    } catch (error) {\n      console.error('Webhook handler error:', error)\n      return NextResponse.json({ error: 'Webhook processing failed' }, { status: 500 })\n    }\n  }\n}\n\nexport { verifyWebhookSignature, verifyTorqueWebhookSignature } from './index'\n"],"names":[],"mappings":";;;;;AAAA;;;AAGG;AAqBH;;AAEG;AACG,SAAU,aAAa,CAAC,OAAA,GAAiC,EAAE,EAAA;AAC/D,IAAA,OAAO,OAAO,OAAoB,KAAI;AACpC,QAAA,IAAI;AACF,YAAA,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE;AACpC,YAAA,IAAI,KAAiC;AACrC,YAAA,IAAI;AACF,gBAAA,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAA+B;YAC3D;AAAE,YAAA,MAAM;AACN,gBAAA,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;YACtE;AAEA,YAAA,IAAI,OAAO,CAAC,MAAM,EAAE;gBAClB,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;AAC3D,gBAAA,IAAI,CAAC,sBAAsB,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE;AAC/D,oBAAA,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;gBAC3E;YACF;AAEA,YAAA,QAAQ,KAAK,CAAC,IAAI;AAChB,gBAAA,KAAK,eAAe;AAClB,oBAAA,MAAM,OAAO,CAAC,cAAc,GAAG,KAAK,CAAC;oBACrC;AACF,gBAAA,KAAK,iBAAiB;AACpB,oBAAA,MAAM,OAAO,CAAC,gBAAgB,GAAG,KAAK,CAAC;oBACvC;AACF,gBAAA,KAAK,cAAc;AACjB,oBAAA,MAAM,OAAO,CAAC,aAAa,GAAG,KAAK,CAAC;oBACpC;AACF,gBAAA,KAAK,sBAAsB;AACzB,oBAAA,MAAM,OAAO,CAAC,qBAAqB,GAAG,KAAK,CAAC;oBAC5C;AACF,gBAAA,KAAK,wBAAwB;AAC3B,oBAAA,MAAM,OAAO,CAAC,uBAAuB,GAAG,KAAK,CAAC;oBAC9C;AACF,gBAAA;oBACE,OAAO,CAAC,IAAI,CAAC,6BAA6B,EAAG,KAA2B,CAAC,IAAI,CAAC;;YAGlF,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;QAC9C;QAAE,OAAO,KAAK,EAAE;AACd,YAAA,OAAO,CAAC,KAAK,CAAC,wBAAwB,EAAE,KAAK,CAAC;AAC9C,YAAA,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2BAA2B,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QACnF;AACF,IAAA,CAAC;AACH;;;;"}

package/dist/nextjs.js

@@ -0,0 +1,62 @@
+'use strict';
+
+var server = require('next/server');
+var index = require('./index.js');
+require('crypto');
+
+/**
+ * Next.js webhook route helpers for merchant apps.
+ * @requires next >= 13.0.0
+ */
+/**
+ * Next.js App Router handler for inbound Torque outbound webhooks.
+ */
+function handleWebhook(options = {}) {
+    return async (request) => {
+        try {
+            const rawBody = await request.text();
+            let event;
+            try {
+                event = JSON.parse(rawBody);
+            }
+            catch {
+                return server.NextResponse.json({ error: 'Invalid JSON' }, { status: 400 });
+            }
+            if (options.secret) {
+                const signature = request.headers.get('x-torque-signature');
+                if (!index.verifyWebhookSignature(rawBody, signature, options.secret)) {
+                    return server.NextResponse.json({ error: 'Invalid signature' }, { status: 401 });
+                }
+            }
+            switch (event.type) {
+                case 'order.created':
+                    await options.onOrderCreated?.(event);
+                    break;
+                case 'order.completed':
+                    await options.onOrderCompleted?.(event);
+                    break;
+                case 'order.failed':
+                    await options.onOrderFailed?.(event);
+                    break;
+                case 'subscription.created':
+                    await options.onSubscriptionCreated?.(event);
+                    break;
+                case 'subscription.cancelled':
+                    await options.onSubscriptionCancelled?.(event);
+                    break;
+                default:
+                    console.warn('Unknown webhook event type:', event.type);
+            }
+            return server.NextResponse.json({ received: true });
+        }
+        catch (error) {
+            console.error('Webhook handler error:', error);
+            return server.NextResponse.json({ error: 'Webhook processing failed' }, { status: 500 });
+        }
+    };
+}
+
+exports.verifyTorqueWebhookSignature = index.verifyTorqueWebhookSignature;
+exports.verifyWebhookSignature = index.verifyWebhookSignature;
+exports.handleWebhook = handleWebhook;
+//# sourceMappingURL=nextjs.js.map

package/dist/nextjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nextjs.js","sources":["../src/nextjs.ts"],"sourcesContent":["/**\n * Next.js webhook route helpers for merchant apps.\n * @requires next >= 13.0.0\n */\n\nimport type { NextRequest } from 'next/server'\nimport { NextResponse } from 'next/server'\n\nimport {\n  verifyWebhookSignature,\n  type TorqueOutboundWebhookEvent,\n} from './index'\n\nexport type { TorqueOutboundWebhookEvent as WebhookEvent }\n\nexport interface WebhookHandlerOptions {\n  secret?: string\n  onOrderCreated?: (event: TorqueOutboundWebhookEvent) => Promise<void> | void\n  onOrderCompleted?: (event: TorqueOutboundWebhookEvent) => Promise<void> | void\n  onOrderFailed?: (event: TorqueOutboundWebhookEvent) => Promise<void> | void\n  onSubscriptionCreated?: (event: TorqueOutboundWebhookEvent) => Promise<void> | void\n  onSubscriptionCancelled?: (event: TorqueOutboundWebhookEvent) => Promise<void> | void\n}\n\n/**\n * Next.js App Router handler for inbound Torque outbound webhooks.\n */\nexport function handleWebhook(options: WebhookHandlerOptions = {}) {\n  return async (request: NextRequest) => {\n    try {\n      const rawBody = await request.text()\n      let event: TorqueOutboundWebhookEvent\n      try {\n        event = JSON.parse(rawBody) as TorqueOutboundWebhookEvent\n      } catch {\n        return NextResponse.json({ error: 'Invalid JSON' }, { status: 400 })\n      }\n\n      if (options.secret) {\n        const signature = request.headers.get('x-torque-signature')\n        if (!verifyWebhookSignature(rawBody, signature, options.secret)) {\n          return NextResponse.json({ error: 'Invalid signature' }, { status: 401 })\n        }\n      }\n\n      switch (event.type) {\n        case 'order.created':\n          await options.onOrderCreated?.(event)\n          break\n        case 'order.completed':\n          await options.onOrderCompleted?.(event)\n          break\n        case 'order.failed':\n          await options.onOrderFailed?.(event)\n          break\n        case 'subscription.created':\n          await options.onSubscriptionCreated?.(event)\n          break\n        case 'subscription.cancelled':\n          await options.onSubscriptionCancelled?.(event)\n          break\n        default:\n          console.warn('Unknown webhook event type:', (event as { type?: string }).type)\n      }\n\n      return NextResponse.json({ received: true })\n    } catch (error) {\n      console.error('Webhook handler error:', error)\n      return NextResponse.json({ error: 'Webhook processing failed' }, { status: 500 })\n    }\n  }\n}\n\nexport { verifyWebhookSignature, verifyTorqueWebhookSignature } from './index'\n"],"names":["NextResponse","verifyWebhookSignature"],"mappings":";;;;;;AAAA;;;AAGG;AAqBH;;AAEG;AACG,SAAU,aAAa,CAAC,OAAA,GAAiC,EAAE,EAAA;AAC/D,IAAA,OAAO,OAAO,OAAoB,KAAI;AACpC,QAAA,IAAI;AACF,YAAA,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE;AACpC,YAAA,IAAI,KAAiC;AACrC,YAAA,IAAI;AACF,gBAAA,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAA+B;YAC3D;AAAE,YAAA,MAAM;AACN,gBAAA,OAAOA,mBAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;YACtE;AAEA,YAAA,IAAI,OAAO,CAAC,MAAM,EAAE;gBAClB,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;AAC3D,gBAAA,IAAI,CAACC,4BAAsB,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE;AAC/D,oBAAA,OAAOD,mBAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;gBAC3E;YACF;AAEA,YAAA,QAAQ,KAAK,CAAC,IAAI;AAChB,gBAAA,KAAK,eAAe;AAClB,oBAAA,MAAM,OAAO,CAAC,cAAc,GAAG,KAAK,CAAC;oBACrC;AACF,gBAAA,KAAK,iBAAiB;AACpB,oBAAA,MAAM,OAAO,CAAC,gBAAgB,GAAG,KAAK,CAAC;oBACvC;AACF,gBAAA,KAAK,cAAc;AACjB,oBAAA,MAAM,OAAO,CAAC,aAAa,GAAG,KAAK,CAAC;oBACpC;AACF,gBAAA,KAAK,sBAAsB;AACzB,oBAAA,MAAM,OAAO,CAAC,qBAAqB,GAAG,KAAK,CAAC;oBAC5C;AACF,gBAAA,KAAK,wBAAwB;AAC3B,oBAAA,MAAM,OAAO,CAAC,uBAAuB,GAAG,KAAK,CAAC;oBAC9C;AACF,gBAAA;oBACE,OAAO,CAAC,IAAI,CAAC,6BAA6B,EAAG,KAA2B,CAAC,IAAI,CAAC;;YAGlF,OAAOA,mBAAY,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;QAC9C;QAAE,OAAO,KAAK,EAAE;AACd,YAAA,OAAO,CAAC,KAAK,CAAC,wBAAwB,EAAE,KAAK,CAAC;AAC9C,YAAA,OAAOA,mBAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2BAA2B,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QACnF;AACF,IAAA,CAAC;AACH;;;;;;"}

package/package.json

@@ -0,0 +1,65 @@
+{
+  "name": "torque-webhooks",
+  "version": "0.1.0",
+  "description": "Torque webhook helpers — verify inbound signatures and push order status updates",
+  "main": "dist/index.js",
+  "module": "dist/index.esm.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.esm.js",
+      "require": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    },
+    "./nextjs": {
+      "import": "./dist/nextjs.esm.js",
+      "require": "./dist/nextjs.js",
+      "types": "./dist/nextjs.d.ts"
+    },
+    "./package.json": "./package.json"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "rollup -c",
+    "dev": "rollup -c -w",
+    "clean": "rimraf dist",
+    "prepublishOnly": "yarn clean && yarn build"
+  },
+  "keywords": [
+    "torque",
+    "webhooks",
+    "merchant",
+    "checkout",
+    "ecommerce"
+  ],
+  "author": "Torque <hello@torque.fi>",
+  "license": "MIT",
+  "homepage": "https://torque.fi",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/torque-fi/torque_webapp.git",
+    "directory": "packages/torque-webhooks"
+  },
+  "devDependencies": {
+    "@rollup/plugin-typescript": "^12.1.4",
+    "@types/node": "^20.0.0",
+    "rimraf": "^5.0.0",
+    "rollup": "^4.0.0",
+    "typescript": "^5.0.0"
+  },
+  "peerDependencies": {
+    "next": ">=13.0.0"
+  },
+  "peerDependenciesMeta": {
+    "next": {
+      "optional": true
+    }
+  },
+  "engines": {
+    "node": ">=16.0.0"
+  }
+}