vesant-sdk 1.2.0 → 1.3.0

package/dist/index.mjs

@@ -69,6 +69,146 @@ var ComplianceError = class _ComplianceError extends CGSError {
     Object.setPrototypeOf(this, _ComplianceError.prototype);
   }
 };
+var CircuitBreakerOpenError = class _CircuitBreakerOpenError extends CGSError {
+  constructor() {
+    super("Circuit breaker is open \u2014 requests are temporarily blocked", "CIRCUIT_BREAKER_OPEN", 503);
+    this.name = "CircuitBreakerOpenError";
+    Object.setPrototypeOf(this, _CircuitBreakerOpenError.prototype);
+  }
+};
+
+// src/core/circuit-breaker.ts
+var CircuitBreaker = class {
+  constructor(config = {}) {
+    this.state = "closed";
+    this.failures = 0;
+    this.successes = 0;
+    this.lastFailureTime = null;
+    this.failureThreshold = config.failureThreshold ?? 5;
+    this.resetTimeout = config.resetTimeout ?? 3e4;
+    this.successThreshold = config.successThreshold ?? 1;
+  }
+  /**
+   * Check if a request can proceed through the circuit breaker.
+   */
+  canExecute() {
+    if (this.state === "closed") {
+      return true;
+    }
+    if (this.state === "open") {
+      const now = Date.now();
+      if (this.lastFailureTime && now - this.lastFailureTime >= this.resetTimeout) {
+        this.state = "half-open";
+        this.successes = 0;
+        return true;
+      }
+      return false;
+    }
+    return true;
+  }
+  /**
+   * Record a successful request.
+   */
+  onSuccess() {
+    if (this.state === "half-open") {
+      this.successes++;
+      if (this.successes >= this.successThreshold) {
+        this.state = "closed";
+        this.failures = 0;
+        this.successes = 0;
+        this.lastFailureTime = null;
+      }
+    } else if (this.state === "closed") {
+      this.failures = 0;
+    }
+  }
+  /**
+   * Record a failed request.
+   */
+  onFailure() {
+    this.failures++;
+    this.lastFailureTime = Date.now();
+    if (this.state === "half-open") {
+      this.state = "open";
+      this.successes = 0;
+    } else if (this.state === "closed" && this.failures >= this.failureThreshold) {
+      this.state = "open";
+    }
+  }
+  /**
+   * Get current circuit breaker status.
+   */
+  getStatus() {
+    return {
+      state: this.state,
+      failures: this.failures,
+      successes: this.successes,
+      lastFailureTime: this.lastFailureTime,
+      nextRetryTime: this.state === "open" && this.lastFailureTime ? this.lastFailureTime + this.resetTimeout : null
+    };
+  }
+  /**
+   * Reset the circuit breaker to its initial closed state.
+   */
+  reset() {
+    this.state = "closed";
+    this.failures = 0;
+    this.successes = 0;
+    this.lastFailureTime = null;
+  }
+};
+
+// src/core/rate-limiter.ts
+var RateLimitTracker = class {
+  constructor() {
+    this.limit = null;
+    this.remaining = null;
+    this.reset = null;
+    this.retryAfter = null;
+  }
+  /**
+   * Extract rate limit information from response headers.
+   */
+  updateFromHeaders(headers) {
+    const limit = headers.get("x-ratelimit-limit");
+    const remaining = headers.get("x-ratelimit-remaining");
+    const reset = headers.get("x-ratelimit-reset");
+    const retryAfter = headers.get("retry-after");
+    if (limit !== null) this.limit = parseInt(limit, 10);
+    if (remaining !== null) this.remaining = parseInt(remaining, 10);
+    if (reset !== null) this.reset = parseInt(reset, 10);
+    if (retryAfter !== null) this.retryAfter = parseInt(retryAfter, 10);
+  }
+  /**
+   * Check if the rate limit has been exceeded based on tracked headers.
+   */
+  isLimitExceeded() {
+    if (this.remaining !== null && this.remaining <= 0) {
+      if (this.reset !== null) {
+        const now = Math.floor(Date.now() / 1e3);
+        if (now >= this.reset) {
+          this.remaining = null;
+          this.reset = null;
+          this.retryAfter = null;
+          return false;
+        }
+      }
+      return true;
+    }
+    return false;
+  }
+  /**
+   * Get current rate limit status.
+   */
+  getStatus() {
+    return {
+      limit: this.limit,
+      remaining: this.remaining,
+      reset: this.reset,
+      retryAfter: this.retryAfter
+    };
+  }
+};
 
 // src/core/logger.ts
 function createConsoleLogger() {
@@ -99,11 +239,82 @@ var noopLogger = {
 };
 
 // src/core/version.ts
-var SDK_VERSION = "1.2.0";
+var SDK_VERSION = "1.3.0";
+
+// src/shared/browser-utils.ts
+function generateUUID() {
+  if (typeof crypto !== "undefined" && crypto.randomUUID) {
+    return crypto.randomUUID();
+  }
+  return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, (c) => {
+    const r = Math.random() * 16 | 0;
+    const v = c === "x" ? r : r & 3 | 8;
+    return v.toString(16);
+  });
+}
+function generateDeviceId() {
+  if (typeof window === "undefined" || typeof localStorage === "undefined") {
+    return generateUUID();
+  }
+  const storageKey = "cgs_device_id";
+  let deviceId = localStorage.getItem(storageKey);
+  if (!deviceId) {
+    deviceId = generateUUID();
+    localStorage.setItem(storageKey, deviceId);
+  }
+  return deviceId;
+}
+function getBrowserInfo() {
+  if (typeof navigator === "undefined") {
+    return { browser: "unknown", browser_version: "", os: "unknown", os_version: "" };
+  }
+  const ua = navigator.userAgent;
+  let browser = "unknown";
+  let browserVersion = "";
+  let os = "unknown";
+  let osVersion = "";
+  if (ua.includes("Firefox/")) {
+    browser = "Firefox";
+    browserVersion = ua.match(/Firefox\/([\d.]+)/)?.[1] || "";
+  } else if (ua.includes("Edg/")) {
+    browser = "Edge";
+    browserVersion = ua.match(/Edg\/([\d.]+)/)?.[1] || "";
+  } else if (ua.includes("Chrome/")) {
+    browser = "Chrome";
+    browserVersion = ua.match(/Chrome\/([\d.]+)/)?.[1] || "";
+  } else if (ua.includes("Safari/") && !ua.includes("Chrome")) {
+    browser = "Safari";
+    browserVersion = ua.match(/Version\/([\d.]+)/)?.[1] || "";
+  } else if (ua.includes("Opera") || ua.includes("OPR/")) {
+    browser = "Opera";
+    browserVersion = ua.match(/(?:Opera|OPR)\/([\d.]+)/)?.[1] || "";
+  }
+  if (ua.includes("Windows")) {
+    os = "Windows";
+    if (ua.includes("Windows NT 10.0")) osVersion = "10";
+    else if (ua.includes("Windows NT 6.3")) osVersion = "8.1";
+    else if (ua.includes("Windows NT 6.2")) osVersion = "8";
+    else if (ua.includes("Windows NT 6.1")) osVersion = "7";
+  } else if (ua.includes("Mac OS X")) {
+    os = "macOS";
+    osVersion = ua.match(/Mac OS X ([\d_]+)/)?.[1]?.replace(/_/g, ".") || "";
+  } else if (ua.includes("Linux")) {
+    os = "Linux";
+  } else if (ua.includes("Android")) {
+    os = "Android";
+    osVersion = ua.match(/Android ([\d.]+)/)?.[1] || "";
+  } else if (ua.includes("iOS") || ua.includes("iPhone") || ua.includes("iPad")) {
+    os = "iOS";
+    osVersion = ua.match(/OS ([\d_]+)/)?.[1]?.replace(/_/g, ".") || "";
+  }
+  return { browser, browser_version: browserVersion, os, os_version: osVersion };
+}
 
 // src/core/client.ts
 var BaseClient = class {
   constructor(config) {
+    this.circuitBreaker = null;
+    this.rateLimitTracker = null;
     if (!config.baseURL?.trim()) {
       throw new ValidationError("baseURL is required and must be a non-empty string", ["baseURL"]);
     }
@@ -113,8 +324,7 @@ var BaseClient = class {
     this.interceptors = config.interceptors || [];
     this.logger = config.logger || createConsoleLogger();
     this.config = {
-      baseURL: config.baseURL,
-      tenantId: config.tenantId,
+      ...config,
       apiKey: config.apiKey || "",
       headers: config.headers || {},
       timeout: config.timeout || 1e4,
@@ -123,22 +333,49 @@ var BaseClient = class {
       interceptors: this.interceptors,
       logger: this.logger
     };
+    if (config.circuitBreaker) {
+      this.circuitBreaker = new CircuitBreaker(config.circuitBreaker);
+    }
+    if (config.enableRateLimitTracking) {
+      this.rateLimitTracker = new RateLimitTracker();
+    }
   }
   /**
    * Make an HTTP request with timeout and error handling
    */
   async request(endpoint, options = {}, serviceURL, requestOptions) {
-    const url = `${serviceURL || this.config.baseURL}${endpoint}`;
+    const requestId = generateUUID();
+    if (this.circuitBreaker && !this.circuitBreaker.canExecute()) {
+      const error = new CircuitBreakerOpenError();
+      error.requestId = requestId;
+      throw error;
+    }
+    if (this.rateLimitTracker && this.rateLimitTracker.isLimitExceeded()) {
+      const status = this.rateLimitTracker.getStatus();
+      const error = new RateLimitError(status.retryAfter ?? void 0);
+      error.requestId = requestId;
+      throw error;
+    }
+    const baseURL = this.config.environment === "sandbox" && this.config.sandboxBaseURL ? this.config.sandboxBaseURL : serviceURL || this.config.baseURL;
+    const url = `${serviceURL || baseURL}${endpoint}`;
     const headers = {
       "Content-Type": "application/json",
       "X-Tenant-ID": this.config.tenantId,
       "X-SDK-Version": `vesant-sdk-ts/${SDK_VERSION}`,
+      "X-Request-ID": requestId,
       ...this.config.headers,
       ...options.headers || {}
     };
     if (this.config.apiKey) {
       headers["Authorization"] = `Bearer ${this.config.apiKey}`;
     }
+    if (this.config.environment === "sandbox") {
+      headers["X-Sandbox"] = "true";
+    }
+    const method = (options.method || "GET").toUpperCase();
+    if (["POST", "PUT", "PATCH"].includes(method)) {
+      headers["Idempotency-Key"] = requestOptions?.idempotencyKey || generateUUID();
+    }
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), this.config.timeout);
     if (requestOptions?.signal) {
@@ -166,6 +403,9 @@ var BaseClient = class {
         signal: controller.signal
       });
       clearTimeout(timeoutId);
+      if (this.rateLimitTracker) {
+        this.rateLimitTracker.updateFromHeaders(response.headers);
+      }
       let data;
       try {
         data = await response.json();
@@ -174,13 +414,15 @@ var BaseClient = class {
           this.handleErrorResponse(response.status, {
             error: `HTTP ${response.status}`,
             message: response.statusText
-          });
+          }, requestId);
         }
+        this.circuitBreaker?.onSuccess();
         return void 0;
       }
       if (!response.ok) {
-        this.handleErrorResponse(response.status, data || {});
+        this.handleErrorResponse(response.status, data || {}, requestId);
       }
+      this.circuitBreaker?.onSuccess();
       let result = data;
       for (const interceptor of this.interceptors) {
         if (interceptor.onResponse) {
@@ -193,6 +435,14 @@ var BaseClient = class {
       return result;
     } catch (error) {
       clearTimeout(timeoutId);
+      if (error instanceof CGSError && error.statusCode && error.statusCode >= 500) {
+        this.circuitBreaker?.onFailure();
+      } else if (error instanceof NetworkError || error instanceof TimeoutError) {
+        this.circuitBreaker?.onFailure();
+      }
+      if (error instanceof CGSError && !error.requestId) {
+        error.requestId = requestId;
+      }
       if (error instanceof Error) {
         for (const interceptor of this.interceptors) {
           if (interceptor.onError) {
@@ -203,15 +453,23 @@ var BaseClient = class {
       if (error instanceof Error) {
         if (error.name === "AbortError") {
           if (requestOptions?.signal?.aborted) {
-            throw new CGSError("Request aborted", "REQUEST_ABORTED");
+            const abortError = new CGSError("Request aborted", "REQUEST_ABORTED");
+            abortError.requestId = requestId;
+            throw abortError;
           }
-          throw new TimeoutError(this.config.timeout);
+          this.circuitBreaker?.onFailure();
+          const timeoutError = new TimeoutError(this.config.timeout);
+          timeoutError.requestId = requestId;
+          throw timeoutError;
         }
         if (error instanceof CGSError) {
           throw error;
         }
       }
-      throw new NetworkError("Network request failed", error);
+      const networkError = new NetworkError("Network request failed", error);
+      networkError.requestId = requestId;
+      this.circuitBreaker?.onFailure();
+      throw networkError;
     }
   }
   /**
@@ -250,29 +508,36 @@ var BaseClient = class {
   /**
    * Handle error responses from API
    */
-  handleErrorResponse(status, data) {
+  handleErrorResponse(status, data, requestId) {
     const message = data.error || data.message || `HTTP ${status}`;
-    switch (status) {
-      case 400:
-        throw new CGSError(message, "BAD_REQUEST", 400, data);
-      case 401:
-        throw new AuthenticationError(message);
-      case 403:
-        throw new CGSError(message, "FORBIDDEN", 403, data);
-      case 404:
-        throw new CGSError(message, "NOT_FOUND", 404, data);
-      case 429: {
-        const retryAfter = data.retry_after || data.retryAfter;
-        throw new RateLimitError(retryAfter);
+    const createError = () => {
+      switch (status) {
+        case 400:
+          return new CGSError(message, "BAD_REQUEST", 400, data);
+        case 401:
+          return new AuthenticationError(message);
+        case 403:
+          return new CGSError(message, "FORBIDDEN", 403, data);
+        case 404:
+          return new CGSError(message, "NOT_FOUND", 404, data);
+        case 429: {
+          const retryAfter = data.retry_after || data.retryAfter;
+          return new RateLimitError(retryAfter);
+        }
+        case 500:
+        case 502:
+        case 503:
+        case 504:
+          return new ServiceUnavailableError(message);
+        default:
+          return new CGSError(message, "UNKNOWN_ERROR", status, data);
       }
-      case 500:
-      case 502:
-      case 503:
-      case 504:
-        throw new ServiceUnavailableError(message);
-      default:
-        throw new CGSError(message, "UNKNOWN_ERROR", status, data);
+    };
+    const error = createError();
+    if (requestId) {
+      error.requestId = requestId;
     }
+    throw error;
   }
   /**
    * Build query string from parameters
@@ -316,6 +581,18 @@ var BaseClient = class {
   getConfig() {
     return { ...this.config };
   }
+  /**
+   * Get rate limit status from tracked response headers.
+   */
+  getRateLimitStatus() {
+    return this.rateLimitTracker?.getStatus() ?? null;
+  }
+  /**
+   * Get circuit breaker status.
+   */
+  getCircuitBreakerStatus() {
+    return this.circuitBreaker?.getStatus() ?? null;
+  }
   /**
    * Health check endpoint
    */
@@ -324,73 +601,46 @@ var BaseClient = class {
   }
 };
 
-// src/shared/browser-utils.ts
-function generateUUID() {
-  if (typeof crypto !== "undefined" && crypto.randomUUID) {
-    return crypto.randomUUID();
-  }
-  return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, (c) => {
-    const r = Math.random() * 16 | 0;
-    const v = c === "x" ? r : r & 3 | 8;
-    return v.toString(16);
-  });
+// src/core/webhook-utils.ts
+async function verifyWebhookSignature(payload, signature, secret) {
+  const hexDigest = await computeHmacSha256(payload, secret);
+  const expectedPrefixed = `sha256=${hexDigest}`;
+  if (signature.startsWith("sha256=")) {
+    return constantTimeEqual(signature, expectedPrefixed);
+  }
+  return constantTimeEqual(signature, hexDigest);
 }
-function generateDeviceId() {
-  if (typeof window === "undefined" || typeof localStorage === "undefined") {
-    return generateUUID();
+async function computeHmacSha256(message, secret) {
+  if (typeof globalThis.crypto !== "undefined" && globalThis.crypto.subtle) {
+    const encoder = new TextEncoder();
+    const key = await globalThis.crypto.subtle.importKey(
+      "raw",
+      encoder.encode(secret),
+      { name: "HMAC", hash: "SHA-256" },
+      false,
+      ["sign"]
+    );
+    const sig = await globalThis.crypto.subtle.sign("HMAC", key, encoder.encode(message));
+    return Array.from(new Uint8Array(sig)).map((b) => b.toString(16).padStart(2, "0")).join("");
   }
-  const storageKey = "cgs_device_id";
-  let deviceId = localStorage.getItem(storageKey);
-  if (!deviceId) {
-    deviceId = generateUUID();
-    localStorage.setItem(storageKey, deviceId);
+  try {
+    const { createHmac } = await import('crypto');
+    return createHmac("sha256", secret).update(message).digest("hex");
+  } catch {
+    throw new Error(
+      "No crypto implementation available. Requires Web Crypto API or Node.js crypto module."
+    );
   }
-  return deviceId;
 }
-function getBrowserInfo() {
-  if (typeof navigator === "undefined") {
-    return { browser: "unknown", browser_version: "", os: "unknown", os_version: "" };
-  }
-  const ua = navigator.userAgent;
-  let browser = "unknown";
-  let browserVersion = "";
-  let os = "unknown";
-  let osVersion = "";
-  if (ua.includes("Firefox/")) {
-    browser = "Firefox";
-    browserVersion = ua.match(/Firefox\/([\d.]+)/)?.[1] || "";
-  } else if (ua.includes("Edg/")) {
-    browser = "Edge";
-    browserVersion = ua.match(/Edg\/([\d.]+)/)?.[1] || "";
-  } else if (ua.includes("Chrome/")) {
-    browser = "Chrome";
-    browserVersion = ua.match(/Chrome\/([\d.]+)/)?.[1] || "";
-  } else if (ua.includes("Safari/") && !ua.includes("Chrome")) {
-    browser = "Safari";
-    browserVersion = ua.match(/Version\/([\d.]+)/)?.[1] || "";
-  } else if (ua.includes("Opera") || ua.includes("OPR/")) {
-    browser = "Opera";
-    browserVersion = ua.match(/(?:Opera|OPR)\/([\d.]+)/)?.[1] || "";
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length) {
+    return false;
   }
-  if (ua.includes("Windows")) {
-    os = "Windows";
-    if (ua.includes("Windows NT 10.0")) osVersion = "10";
-    else if (ua.includes("Windows NT 6.3")) osVersion = "8.1";
-    else if (ua.includes("Windows NT 6.2")) osVersion = "8";
-    else if (ua.includes("Windows NT 6.1")) osVersion = "7";
-  } else if (ua.includes("Mac OS X")) {
-    os = "macOS";
-    osVersion = ua.match(/Mac OS X ([\d_]+)/)?.[1]?.replace(/_/g, ".") || "";
-  } else if (ua.includes("Linux")) {
-    os = "Linux";
-  } else if (ua.includes("Android")) {
-    os = "Android";
-    osVersion = ua.match(/Android ([\d.]+)/)?.[1] || "";
-  } else if (ua.includes("iOS") || ua.includes("iPhone") || ua.includes("iPad")) {
-    os = "iOS";
-    osVersion = ua.match(/OS ([\d_]+)/)?.[1]?.replace(/_/g, ".") || "";
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
   }
-  return { browser, browser_version: browserVersion, os, os_version: osVersion };
+  return result === 0;
 }
 
 // src/geolocation/ciphertext.ts
@@ -2514,6 +2764,297 @@ var KycClient = class extends BaseClient {
   // ============================================================================
 };
 
-export { AuthenticationError, BaseClient, CGSError, ComplianceBlockedError, ComplianceClient, ComplianceError, DEFAULT_CURRENCY_RATES, GeolocationClient, KycClient, NetworkError, RateLimitError, RiskProfileClient, SDK_VERSION, ServiceUnavailableError, TimeoutError, ValidationError, createConsoleLogger, decodeCipherText, generateCipherText, isCipherTextExpired, noopLogger };
+// src/decisions/client.ts
+var DecisionsClient = class extends BaseClient {
+  /**
+   * Record a new decision for a customer.
+   */
+  async recordDecision(request, requestOptions) {
+    return this.requestWithRetry(
+      "/api/v1/decisions",
+      { method: "POST", body: JSON.stringify(request) },
+      void 0,
+      void 0,
+      requestOptions
+    );
+  }
+  /**
+   * Get decisions for a customer.
+   */
+  async getDecisions(customerId, filters, requestOptions) {
+    const queryString = this.buildQueryString({
+      customer_id: customerId,
+      ...filters
+    });
+    return this.requestWithRetry(
+      `/api/v1/decisions${queryString}`,
+      { method: "GET" },
+      void 0,
+      void 0,
+      requestOptions
+    );
+  }
+  /**
+   * Get a specific decision by ID.
+   */
+  async getDecision(decisionId, requestOptions) {
+    return this.requestWithRetry(
+      `/api/v1/decisions/${encodeURIComponent(decisionId)}`,
+      { method: "GET" },
+      void 0,
+      void 0,
+      requestOptions
+    );
+  }
+  /**
+   * Apply a label to a customer.
+   */
+  async applyLabel(request, requestOptions) {
+    return this.requestWithRetry(
+      "/api/v1/labels",
+      { method: "POST", body: JSON.stringify(request) },
+      void 0,
+      void 0,
+      requestOptions
+    );
+  }
+  /**
+   * Remove a label from a customer.
+   */
+  async removeLabel(customerId, requestOptions) {
+    return this.requestWithRetry(
+      `/api/v1/labels/${encodeURIComponent(customerId)}`,
+      { method: "DELETE" },
+      void 0,
+      void 0,
+      requestOptions
+    );
+  }
+  /**
+   * Get labels for a customer.
+   */
+  async getLabels(customerId, requestOptions) {
+    const queryString = this.buildQueryString({ customer_id: customerId });
+    return this.requestWithRetry(
+      `/api/v1/labels${queryString}`,
+      { method: "GET" },
+      void 0,
+      void 0,
+      requestOptions
+    );
+  }
+};
+
+// src/scores/client.ts
+var ScoresClient = class extends BaseClient {
+  /**
+   * Get the current risk score for a customer.
+   */
+  async getScore(customerId, requestOptions) {
+    return this.requestWithRetry(
+      `/api/v1/scores/${encodeURIComponent(customerId)}`,
+      { method: "GET" },
+      void 0,
+      void 0,
+      requestOptions
+    );
+  }
+  /**
+   * Get a detailed score breakdown for a customer.
+   */
+  async getScoreBreakdown(customerId, requestOptions) {
+    return this.requestWithRetry(
+      `/api/v1/scores/${encodeURIComponent(customerId)}/breakdown`,
+      { method: "GET" },
+      void 0,
+      void 0,
+      requestOptions
+    );
+  }
+};
+var WorkflowClient = class extends BaseClient {
+  /**
+   * Get the current workflow status for a customer.
+   */
+  async getWorkflowStatus(customerId, requestOptions) {
+    return this.requestWithRetry(
+      `/api/v1/workflows/${encodeURIComponent(customerId)}/status`,
+      { method: "GET" },
+      void 0,
+      void 0,
+      requestOptions
+    );
+  }
+  /**
+   * List workflows with optional filters.
+   */
+  async listWorkflows(filters, requestOptions) {
+    const queryString = this.buildQueryString(filters || {});
+    return this.requestWithRetry(
+      `/api/v1/workflows${queryString}`,
+      { method: "GET" },
+      void 0,
+      void 0,
+      requestOptions
+    );
+  }
+  /**
+   * Get a specific workflow by ID.
+   */
+  async getWorkflow(workflowId, requestOptions) {
+    return this.requestWithRetry(
+      `/api/v1/workflows/${encodeURIComponent(workflowId)}`,
+      { method: "GET" },
+      void 0,
+      void 0,
+      requestOptions
+    );
+  }
+};
+
+// src/webhooks/handler.ts
+var WebhookHandler = class {
+  constructor(config) {
+    this.handlers = /* @__PURE__ */ new Map();
+    this.anyHandlers = [];
+    this.secret = config.secret;
+    this.tolerance = config.tolerance ?? 3e5;
+  }
+  /**
+   * Register a handler for a specific event type.
+   */
+  on(eventType, handler) {
+    const existing = this.handlers.get(eventType) || [];
+    existing.push(handler);
+    this.handlers.set(eventType, existing);
+    return this;
+  }
+  /**
+   * Register a catch-all handler for all event types.
+   */
+  onAny(handler) {
+    this.anyHandlers.push(handler);
+    return this;
+  }
+  /**
+   * Verify signature and parse the webhook body.
+   */
+  async verifyAndParse(body, signature) {
+    const isValid = await verifyWebhookSignature(body, signature, this.secret);
+    if (!isValid) {
+      throw new Error("Invalid webhook signature");
+    }
+    return this.parseAndValidate(body);
+  }
+  /**
+   * Verify signature, parse, and dispatch to registered handlers.
+   */
+  async handle(body, signature) {
+    const event = await this.verifyAndParse(body, signature);
+    await this.dispatch(event);
+  }
+  /**
+   * Parse an event without signature verification (for testing).
+   */
+  parseEvent(body) {
+    return this.parseAndValidate(body);
+  }
+  parseAndValidate(body) {
+    const event = JSON.parse(body);
+    if (!event.type || !event.id || !event.timestamp) {
+      throw new Error("Invalid webhook event: missing required fields (type, id, timestamp)");
+    }
+    if (this.tolerance > 0) {
+      const eventTime = new Date(event.timestamp).getTime();
+      const now = Date.now();
+      if (Math.abs(now - eventTime) > this.tolerance) {
+        throw new Error(
+          `Webhook event timestamp is outside tolerance window (${this.tolerance}ms)`
+        );
+      }
+    }
+    return event;
+  }
+  async dispatch(event) {
+    const typeHandlers = this.handlers.get(event.type) || [];
+    const allHandlers = [...typeHandlers, ...this.anyHandlers];
+    for (const handler of allHandlers) {
+      await handler(event);
+    }
+  }
+};
+
+// src/webhooks/middleware.ts
+function createWebhookMiddleware(options) {
+  const handler = buildHandler(options);
+  const signatureHeader = options.signatureHeader || "x-webhook-signature";
+  return async (req, res, next) => {
+    try {
+      const body = typeof req.body === "string" ? req.body : req.body.toString("utf-8");
+      const signature = req.headers[signatureHeader];
+      if (!signature || typeof signature !== "string") {
+        res.status(401).json({ error: "Missing webhook signature" });
+        return;
+      }
+      await handler.handle(body, signature);
+      res.status(200).json({ received: true });
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Webhook processing failed";
+      if (message.includes("signature")) {
+        res.status(401).json({ error: message });
+      } else if (message.includes("tolerance") || message.includes("timestamp")) {
+        res.status(400).json({ error: message });
+      } else if (next) {
+        next(error);
+      } else {
+        res.status(500).json({ error: message });
+      }
+    }
+  };
+}
+function createNextWebhookHandler(options) {
+  const handler = buildHandler(options);
+  const signatureHeader = options.signatureHeader || "x-webhook-signature";
+  return async (request) => {
+    try {
+      const body = await request.text();
+      const signature = request.headers.get(signatureHeader);
+      if (!signature) {
+        return new Response(JSON.stringify({ error: "Missing webhook signature" }), {
+          status: 401,
+          headers: { "Content-Type": "application/json" }
+        });
+      }
+      await handler.handle(body, signature);
+      return new Response(JSON.stringify({ received: true }), {
+        status: 200,
+        headers: { "Content-Type": "application/json" }
+      });
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Webhook processing failed";
+      const status = message.includes("signature") ? 401 : message.includes("tolerance") || message.includes("timestamp") ? 400 : 500;
+      return new Response(JSON.stringify({ error: message }), {
+        status,
+        headers: { "Content-Type": "application/json" }
+      });
+    }
+  };
+}
+function buildHandler(options) {
+  const handler = new WebhookHandler(options);
+  if (options.handlers) {
+    for (const [eventType, eventHandler] of Object.entries(options.handlers)) {
+      if (eventHandler) {
+        handler.on(eventType, eventHandler);
+      }
+    }
+  }
+  if (options.onAny) {
+    handler.onAny(options.onAny);
+  }
+  return handler;
+}
+
+export { AuthenticationError, BaseClient, CGSError, CircuitBreaker, CircuitBreakerOpenError, ComplianceBlockedError, ComplianceClient, ComplianceError, DEFAULT_CURRENCY_RATES, DecisionsClient, GeolocationClient, KycClient, NetworkError, RateLimitError, RateLimitTracker, RiskProfileClient, SDK_VERSION, ScoresClient, ServiceUnavailableError, TimeoutError, ValidationError, WebhookHandler, WorkflowClient, createConsoleLogger, createNextWebhookHandler, createWebhookMiddleware, decodeCipherText, generateCipherText, isCipherTextExpired, noopLogger, verifyWebhookSignature };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map