import { CanActivate, ExecutionContext } from "@nestjs/common"; import { GarmrOptions } from "../garmr.options"; /** * Guard that verifies Svix-standard webhook signatures. * * Validates the HMAC-SHA256 signature in the `svix-signature` header against * the request's raw body using the secret configured in `GarmrOptions.webhook`. * * Requires `rawBody: true` on the NestJS application factory so that * `req.rawBody` is available. * * @example * ```typescript * @Post("webhooks/inbound-email") * @UseGuards(WebhookSignatureGuard) * async handleInboundEmail(@Body() payload: InboundEmailPayload) { * // Guard already verified the signature * } * ``` * * @throws {Error} If `webhook.secret` is not configured in GarmrModule options * (boot-time configuration error). * @throws {InternalServerErrorException} If rawBody is unavailable (server * misconfiguration). * @throws {UnauthorizedException} If headers are missing or signature is invalid. */ export declare class WebhookSignatureGuard implements CanActivate { private readonly options; /** * Validates that `webhook.secret` is configured and fails fast during * module initialisation if it is missing. * * @param options - The Garmr module options injected via DI * @throws {Error} If `webhook.secret` is not configured in GarmrModule options */ constructor(options: GarmrOptions); /** * Validates the Svix-standard HMAC-SHA256 signature on the incoming request. * * @param context - Execution context providing access to the request * @returns true if the signature is valid * @throws {InternalServerErrorException} If rawBody is not available * (server misconfiguration) * @throws {UnauthorizedException} If required headers are missing or the * signature is invalid */ canActivate(context: ExecutionContext): boolean; }