@ar-agents/mercadopago 0.2.0 → 0.3.0

package/CHANGELOG.md

@@ -1,5 +1,58 @@
 # Changelog
 
+## 0.3.0
+
+### Minor Changes
+
+- Robustness pass + 5 new features across both packages.
+
+  # `@ar-agents/mercadopago@0.3.0`
+
+  **Robustness (Section 6 of v0.3 spec)**
+
+  - Per-request timeout via `AbortSignal` (default 30s, configurable via `requestTimeoutMs`).
+  - Auto-retry on 5xx + 429 with exponential backoff (default 1 retry, configurable via `maxRetries`). Honors `Retry-After` header on rate-limit. **Never retries on 4xx** (deterministic user/config errors).
+  - New typed errors: `MercadoPagoTimeoutError`, `MercadoPagoOverloadedError` (HTML 503 detection — when MP returns HTML instead of JSON).
+  - `onCall` observability hook fires after every request with `{ method, path, durationMs, httpStatus, retried, success }`. Wire into OpenTelemetry / Sentry / Axiom without forking the lib.
+  - **Deterministic idempotency keys** — `create_payment` and `refund_payment` now use `sha256(meaningful_fields)` instead of `Date.now()`. Retries dedupe correctly on MP's side.
+
+  **New tools (3)**
+
+  - **`charge_saved_card`** — server-side retokenize + charge for returning customers. Requires CVV (AR MP doesn't support CVV-less via public API). Idempotent on (card_id, amount, external_reference).
+  - **`create_qr_payment`** — dynamic in-store QR via MP Point. Returns raw `qr_data` (EMVCo) + ready-to-display base64 PNG `qr_data_url`. Compatible with all AR wallets (Modo, BNA+, Cuenta DNI, Naranja X) via Transferencias 3.0 interop.
+  - **`cancel_qr_payment`** — clear a pending QR order on a POS so the next `create_qr_payment` doesn't 409.
+
+  **Total tool count: 24** (was 21 in v0.2). Added `qrcode` as runtime dep for in-store flow.
+
+  # `@ar-agents/identity-attest@0.2.0`
+
+  **3 new adapters bringing total to 5**
+
+  - **`Auth0Adapter`** (trust 0.7, or 0.85 with MFA) — OAuth2 Authorization Code flow with PKCE. Server-side `id_token` verification via `jose` JWKS. Optional MFA step-up via `acr_values` — when MFA is completed, `effective_trust_level` bumps to 0.85.
+  - **`MagicLinkSdkAdapter`** (trust 0.7) — Magic.link DIDToken validation via `@magic-sdk/admin` (optional peer dep). Lazy-loaded so users without Magic don't pay cold-start cost. Returns DID + email/phone/wallet claims.
+  - **`MercadoPagoIdentityAdapter`** (trust 0.5) — partial KYC via $1 micro-charge. MP doesn't expose a public KYC API, so we use payment-payer attestation: a successful payment proves MP validated the buyer's CUIT/DNI against their internal database. Auto-refunds the $1 by default. Returns `identification_type` + `identification_number` + email + name claims.
+
+  **New client methods**
+
+  - `submitOauthCode(requestId, code)` — for OAuth callbacks (Auth0)
+  - `submitMagicDidToken(requestId, didToken)` — for Magic.link
+  - `submitMercadoPagoPaymentId(requestId, paymentId)` — for MP webhook callbacks
+
+  **Quality**
+
+  - 28/28 tests pass (was 15 in v0.1)
+  - 12.93 KB ESM brotli'd (jose is treeshakeable; was 4.44 KB without OAuth adapter)
+  - publint + arethetypeswrong all 🟢
+  - `jose` is a dep (used by Auth0Adapter); `@magic-sdk/admin` is optional peer dep
+
+  **Trust levels reference (current)**
+
+  - 0.3 — `WhatsAppOtpAdapter` (phone-owned)
+  - 0.5 — `EmailMagicLinkAdapter` (email-owned), `MercadoPagoIdentityAdapter` (partial KYC)
+  - 0.7 — `Auth0Adapter` (federated identity), `MagicLinkSdkAdapter` (Magic-managed)
+  - 0.85 — `Auth0Adapter` with MFA enforcement
+  - 0.95 — gov-verified (planned, blocked on AR SID rollout)
+
 ## 0.2.0
 
 ### Minor Changes

package/dist/index.cjs

@@ -1,8 +1,8 @@
 'use strict';
 
+var crypto = require('crypto');
 var ai = require('ai');
 var zod = require('zod');
-var crypto = require('crypto');
 
 // src/errors.ts
 var MercadoPagoError = class extends Error {
@@ -100,12 +100,38 @@ var MercadoPagoRateLimitError = class extends MercadoPagoError {
   }
   retryAfterSeconds;
 };
+var MercadoPagoOverloadedError = class extends MercadoPagoError {
+  constructor(endpoint, status) {
+    super(
+      `Mercado Pago appears overloaded \u2014 returned a non-JSON ${status} response for ${endpoint}. Wait a few seconds and retry.`,
+      status,
+      endpoint
+    );
+    this.name = "MercadoPagoOverloadedError";
+  }
+};
+var MercadoPagoTimeoutError = class extends MercadoPagoError {
+  constructor(endpoint, timeoutMs) {
+    super(
+      `Mercado Pago request timed out after ${timeoutMs}ms on ${endpoint}. Increase requestTimeoutMs or check connectivity.`,
+      0,
+      endpoint
+    );
+    this.timeoutMs = timeoutMs;
+    this.name = "MercadoPagoTimeoutError";
+  }
+  timeoutMs;
+};
 function classifyError(status, endpoint, body, context) {
   const bodyText = typeof body === "string" ? body : body && typeof body === "object" ? JSON.stringify(body) : "";
   const lower = bodyText.toLowerCase();
   if (status === 401) return new MercadoPagoAuthError(endpoint, body);
   if (status === 429) {
-    return new MercadoPagoRateLimitError(endpoint, null, body);
+    let retryAfter = null;
+    const obj = body;
+    if (obj?.retry_after) retryAfter = Number(obj.retry_after);
+    else if (obj?.["retry-after"]) retryAfter = Number(obj["retry-after"]);
+    return new MercadoPagoRateLimitError(endpoint, retryAfter, body);
   }
   if (status === 400) {
     if (lower.includes("back_url") && lower.includes("not a valid url")) {
@@ -131,10 +157,16 @@ function classifyError(status, endpoint, body, context) {
 
 // src/client.ts
 var DEFAULT_BASE_URL = "https://api.mercadopago.com";
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
 var MercadoPagoClient = class {
   accessToken;
   baseUrl;
   fetchImpl;
+  requestTimeoutMs;
+  maxRetries;
+  onCall;
   constructor(options) {
     if (!options.accessToken) {
       throw new Error(
@@ -144,6 +176,9 @@ var MercadoPagoClient = class {
     this.accessToken = options.accessToken;
     this.baseUrl = options.baseUrl ?? DEFAULT_BASE_URL;
     this.fetchImpl = options.fetch;
+    this.requestTimeoutMs = options.requestTimeoutMs ?? 3e4;
+    this.maxRetries = Math.max(0, options.maxRetries ?? 1);
+    this.onCall = options.onCall;
   }
   async request(method, path, body, options) {
     const headers = {
@@ -153,10 +188,6 @@ var MercadoPagoClient = class {
     if (options?.idempotencyKey) {
       headers["X-Idempotency-Key"] = options.idempotencyKey;
     }
-    const init = { method, headers };
-    if (body !== void 0) {
-      init.body = JSON.stringify(body);
-    }
     let url = `${this.baseUrl}${path}`;
     if (options?.query) {
       const search = new URLSearchParams();
@@ -169,20 +200,95 @@ var MercadoPagoClient = class {
       if (qs) url += `?${qs}`;
     }
     const fetchFn = this.fetchImpl ?? globalThis.fetch;
-    const res = await fetchFn(url, init);
-    if (!res.ok) {
-      let parsed;
-      const text2 = await res.text();
+    const t0 = Date.now();
+    let attempt = 0;
+    let lastError;
+    let lastStatus = null;
+    while (attempt <= this.maxRetries) {
+      const controller = new AbortController();
+      const timer = setTimeout(() => controller.abort(), this.requestTimeoutMs);
+      const init = { method, headers, signal: controller.signal };
+      if (body !== void 0) init.body = JSON.stringify(body);
       try {
-        parsed = JSON.parse(text2);
-      } catch {
-        parsed = text2;
+        const res = await fetchFn(url, init);
+        clearTimeout(timer);
+        lastStatus = res.status;
+        if (res.ok) {
+          const text2 = await res.text();
+          this.onCall?.({
+            method,
+            path,
+            durationMs: Date.now() - t0,
+            httpStatus: res.status,
+            retried: attempt,
+            success: true
+          });
+          if (!text2) return void 0;
+          return JSON.parse(text2);
+        }
+        const isRetryable = res.status >= 500 || res.status === 429;
+        if (isRetryable && attempt < this.maxRetries) {
+          const retryAfter = res.headers.get("retry-after");
+          const waitMs = retryAfter ? Number(retryAfter) * 1e3 : 250 * Math.pow(2, attempt);
+          attempt++;
+          await sleep(waitMs);
+          continue;
+        }
+        const contentType = res.headers.get("content-type") ?? "";
+        if (res.status >= 500 && !contentType.includes("application/json")) {
+          this.onCall?.({
+            method,
+            path,
+            durationMs: Date.now() - t0,
+            httpStatus: res.status,
+            retried: attempt,
+            success: false
+          });
+          throw new MercadoPagoOverloadedError(path, res.status);
+        }
+        let parsed;
+        const text = await res.text();
+        try {
+          parsed = JSON.parse(text);
+        } catch {
+          parsed = text;
+        }
+        const err = classifyError(res.status, path, parsed, options?.classifyContext);
+        this.onCall?.({
+          method,
+          path,
+          durationMs: Date.now() - t0,
+          httpStatus: res.status,
+          retried: attempt,
+          success: false
+        });
+        throw err;
+      } catch (err) {
+        clearTimeout(timer);
+        if (err instanceof MercadoPagoError) throw err;
+        const isAbort = err instanceof Error && err.name === "AbortError";
+        const isNetwork = !lastStatus && !isAbort;
+        if ((isNetwork || isAbort) && attempt < this.maxRetries) {
+          lastError = err;
+          attempt++;
+          await sleep(250 * Math.pow(2, attempt - 1));
+          continue;
+        }
+        this.onCall?.({
+          method,
+          path,
+          durationMs: Date.now() - t0,
+          httpStatus: lastStatus,
+          retried: attempt,
+          success: false
+        });
+        if (isAbort) {
+          throw new MercadoPagoTimeoutError(path, this.requestTimeoutMs);
+        }
+        throw err;
       }
-      throw classifyError(res.status, path, parsed, options?.classifyContext);
     }
-    const text = await res.text();
-    if (!text) return void 0;
-    return JSON.parse(text);
+    throw lastError ?? new Error(`MercadoPago request failed after ${this.maxRetries} retries`);
   }
   // ───────────────────────────────────────────────────────────────────────────
   // Subscriptions (Preapprovals) — v0.1 surface, kept stable
@@ -500,7 +606,119 @@ var MercadoPagoClient = class {
   async getMe() {
     return this.request("GET", "/users/me");
   }
+  // ───────────────────────────────────────────────────────────────────────────
+  // Card tokens (server-side, for saved-card retokenization)
+  // ───────────────────────────────────────────────────────────────────────────
+  /**
+   * Create a single-use card token from a saved card. This is the server-side
+   * retokenization path (PCI-safe because the card data lives in MP's vault,
+   * we only pass the saved card_id + customer_id + the user-supplied CVV).
+   *
+   * Tokens expire in 7 days but typically burn on first use. AR currently
+   * REQUIRES CVV on every charge (MP doesn't store it); skipping CVV requires
+   * a private MP product enablement, not a public API.
+   */
+  async createCardToken(params) {
+    return this.request("POST", "/v1/card_tokens", {
+      card_id: params.cardId,
+      customer_id: params.customerId,
+      security_code: params.securityCode
+    });
+  }
+  /**
+   * High-level helper: charge a saved card in 3 steps.
+   * 1. Mint a card token from {customer_id, card_id, security_code}
+   * 2. Lookup card to fill payment_method_id (avoids agent guessing)
+   * 3. Create the payment with the token + idempotency key
+   *
+   * Returns the resulting Payment. Uses deterministic idempotency from
+   * (card_id, amount, externalReference) so retries dedupe on MP's side.
+   */
+  async chargeSavedCard(params) {
+    const token = await this.createCardToken({
+      cardId: params.cardId,
+      customerId: params.customerId,
+      securityCode: params.securityCode
+    });
+    const card = await this.getCustomerCard(params.customerId, params.cardId);
+    const paymentMethodId = card.payment_method?.id;
+    if (!paymentMethodId) {
+      throw new MercadoPagoError(
+        `Saved card ${params.cardId} has no payment_method.id. Cannot charge.`,
+        0,
+        `/v1/customers/${params.customerId}/cards/${params.cardId}`
+      );
+    }
+    const body = {
+      transaction_amount: params.amount,
+      token: token.id,
+      payment_method_id: paymentMethodId,
+      installments: params.installments ?? 1,
+      description: params.description,
+      payer: { type: "customer", id: params.customerId }
+    };
+    if (params.externalReference) body.external_reference = params.externalReference;
+    if (params.statementDescriptor) body.statement_descriptor = params.statementDescriptor;
+    return this.request("POST", "/v1/payments", body, {
+      ...params.idempotencyKey !== void 0 ? { idempotencyKey: params.idempotencyKey } : {},
+      classifyContext: { customerId: params.customerId }
+    });
+  }
+  // ───────────────────────────────────────────────────────────────────────────
+  // QR (in-store dynamic) — Section 2 of v0.3 spec
+  // ───────────────────────────────────────────────────────────────────────────
+  /**
+   * Create a dynamic in-store QR order. Returns `qr_data` (EMVCo TLV string)
+   * + `in_store_order_id`. The buyer scans the QR with any AR wallet (Modo,
+   * BNA+, Cuenta DNI, Naranja X, etc. — interop is mandated by Transferencias
+   * 3.0). On payment, MP fires `point_integration_wh` then `payment` topics.
+   *
+   * Requires a pre-configured POS (`external_pos_id` from MP dashboard or
+   * `POST /pos`). The seller's `user_id` is auto-fetched from `/users/me`.
+   *
+   * The lib does NOT render the QR image — pass `qr_data` to a QR renderer
+   * (e.g., `qrcode` package) to get a data URL. The agent tool layer wraps
+   * this and returns both raw + data URL.
+   */
+  async createQrPayment(userId, params) {
+    const body = {
+      total_amount: params.totalAmount,
+      title: params.title
+    };
+    if (params.description) body.description = params.description;
+    if (params.notificationUrl) body.notification_url = params.notificationUrl;
+    if (params.externalReference) body.external_reference = params.externalReference;
+    if (params.expirationDate) body.expiration_date = params.expirationDate;
+    body.items = params.items ?? [
+      {
+        title: params.title,
+        quantity: 1,
+        unit_price: params.totalAmount,
+        unit_measure: "unit",
+        total_amount: params.totalAmount
+      }
+    ];
+    return this.request(
+      "PUT",
+      `/instore/orders/qr/seller/collectors/${encodeURIComponent(userId)}/pos/${encodeURIComponent(params.externalPosId)}/qrs`,
+      body
+    );
+  }
+  /**
+   * Cancel a pending QR order on a POS. Necessary if the buyer never scans
+   * — otherwise the next `createQrPayment` on the same POS returns 409.
+   */
+  async cancelQrPayment(userId, externalPosId) {
+    await this.request(
+      "DELETE",
+      `/instore/orders/qr/seller/collectors/${encodeURIComponent(userId)}/pos/${encodeURIComponent(externalPosId)}/qrs`
+    );
+  }
 };
+function deterministicIdempotencyKey(...parts) {
+  const payload = parts.filter((p) => p !== void 0 && p !== null).map(String).join("|");
+  return crypto.createHash("sha256").update(payload).digest("hex").slice(0, 32);
+}
 var DEFAULT_DESCRIPTIONS = {
   // ── Subscriptions ────────────────────────────────────────────────────────
   create_subscription: "Create a Mercado Pago recurring subscription. Returns an init_point URL where the customer must complete the FIRST payment with their card and CVV (this is a hard MP requirement; agents cannot bypass it). After they pay, MP will auto-charge at the configured frequency without further intervention.",
@@ -529,7 +747,12 @@ var DEFAULT_DESCRIPTIONS = {
   list_payment_methods: "List all payment methods enabled for the seller's MP account (visa, master, naranja, naranja_x, cabal, account_money, rapipago, pagofacil, etc.). Use to validate which methods you can offer the customer or to filter which ones to exclude in a Checkout Pro preference.",
   calculate_installments: "Calculate cuotas (installments) options for a given amount. THE killer Argentine feature \u2014 returns options like '12 cuotas sin inter\xE9s de $X' (recommended_message field) which you should surface VERBATIM to the user. Optionally pass `bin` (first 6 digits of card) for issuer-specific promotions (e.g., Naranja's interest-free deals). Use before create_payment to let the user pick installments knowingly.",
   // ── Account ──────────────────────────────────────────────────────────────
-  get_account_info: "Get info about the Mercado Pago account that owns the access token: site_id (MLA=Argentina), country_id, user_type (registered, partial, etc.). Useful to verify the agent is connected to the right account before taking actions."
+  get_account_info: "Get info about the Mercado Pago account that owns the access token: site_id (MLA=Argentina), country_id, user_type (registered, partial, etc.). Useful to verify the agent is connected to the right account before taking actions.",
+  // ── Saved-card charging (v0.3) ───────────────────────────────────────────
+  charge_saved_card: "Charge a previously-saved card for a returning customer. Requires customer_id + card_id (from list_customer_cards) AND a fresh CVV the user provides this session. AR Mercado Pago does NOT support CVV-less charges via the public API \u2014 every charge needs CVV. Idempotent on (card_id, amount, external_reference): retries dedupe automatically. Returns the resulting Payment.",
+  // ── QR in-store (v0.3) ───────────────────────────────────────────────────
+  create_qr_payment: "Generate a dynamic in-store QR for a buyer to scan with any AR wallet (Modo, BNA+, Cuenta DNI, Naranja X, Mercado Pago, etc. \u2014 interop is mandated by Transferencias 3.0). Requires a pre-configured POS external_id (one-time setup in MP dashboard). Returns the qr_data string + a base64 PNG data URL ready to display. The QR expires in `expires_in_seconds` (default 600). MP fires `point_integration_wh` then `payment` webhooks when scanned.",
+  cancel_qr_payment: "Cancel a pending QR order on a POS. Necessary if the buyer never scans \u2014 otherwise the next create_qr_payment on the same POS returns 409."
 };
 function mercadoPagoTools(client, options) {
   const desc = (name) => options.descriptions?.[name] ?? DEFAULT_DESCRIPTIONS[name];
@@ -671,8 +894,15 @@ function mercadoPagoTools(client, options) {
           ...input.identification !== void 0 ? { identification: input.identification } : {},
           ...input.statement_descriptor !== void 0 ? { statementDescriptor: input.statement_descriptor } : {},
           ...options.notificationUrl !== void 0 ? { notificationUrl: options.notificationUrl } : {},
-          // Auto-generate idempotency key from caller-meaningful fields
-          idempotencyKey: `${input.external_reference ?? input.payer_email}-${input.amount_ars}-${Date.now()}`
+          // Deterministic idempotency key — safe to retry, same inputs always
+          // produce the same key (MP dedupes on its side).
+          idempotencyKey: deterministicIdempotencyKey(
+            "create_payment",
+            input.external_reference ?? input.payer_email,
+            input.amount_ars,
+            input.payment_method_id,
+            input.token
+          )
         });
         return {
           payment_id: payment.id,
@@ -789,7 +1019,7 @@ function mercadoPagoTools(client, options) {
         const refund = await client.createRefund({
           paymentId: payment_id,
           ...amount_ars !== void 0 ? { amount: amount_ars } : {},
-          idempotencyKey: `refund-${payment_id}-${amount_ars ?? "full"}`
+          idempotencyKey: deterministicIdempotencyKey("refund", payment_id, amount_ars ?? "full")
         });
         return {
           refund_id: refund.id,
@@ -1029,6 +1259,109 @@ function mercadoPagoTools(client, options) {
           user_type: me.user_type
         };
       }
+    }),
+    // ─────────────────────────────────────────────────────────────────────────
+    // Saved-card charging (v0.3)
+    // ─────────────────────────────────────────────────────────────────────────
+    charge_saved_card: ai.tool({
+      description: desc("charge_saved_card"),
+      inputSchema: zod.z.object({
+        customer_id: zod.z.string().describe("MP customer id (from create_customer / find_customer_by_email)"),
+        card_id: zod.z.string().describe("Saved card id (from list_customer_cards)"),
+        security_code: zod.z.string().regex(/^\d{3,4}$/).describe("CVV \u2014 3 digits (Visa/Master) or 4 (Amex). User must provide this each charge in AR."),
+        amount_ars: zod.z.number().positive(),
+        description: zod.z.string().min(1).max(255),
+        installments: zod.z.number().int().min(1).max(24).optional().describe("Default 1. Use calculate_installments first to pick a valid count."),
+        external_reference: zod.z.string().optional(),
+        statement_descriptor: zod.z.string().max(13).optional()
+      }),
+      execute: async (input) => {
+        const payment = await client.chargeSavedCard({
+          customerId: input.customer_id,
+          cardId: input.card_id,
+          securityCode: input.security_code,
+          amount: input.amount_ars,
+          description: input.description,
+          ...input.installments !== void 0 ? { installments: input.installments } : {},
+          ...input.external_reference !== void 0 ? { externalReference: input.external_reference } : {},
+          ...input.statement_descriptor !== void 0 ? { statementDescriptor: input.statement_descriptor } : {},
+          idempotencyKey: deterministicIdempotencyKey(
+            "charge_saved_card",
+            input.card_id,
+            input.amount_ars,
+            input.external_reference
+          )
+        });
+        return {
+          payment_id: payment.id,
+          status: payment.status,
+          status_detail: payment.status_detail,
+          amount: payment.transaction_amount,
+          installments: payment.installments,
+          payment_method: payment.payment_method_id,
+          customer_id: input.customer_id,
+          card_id: input.card_id,
+          external_reference: payment.external_reference,
+          date_approved: payment.date_approved
+        };
+      }
+    }),
+    // ─────────────────────────────────────────────────────────────────────────
+    // QR in-store (v0.3)
+    // ─────────────────────────────────────────────────────────────────────────
+    create_qr_payment: ai.tool({
+      description: desc("create_qr_payment"),
+      inputSchema: zod.z.object({
+        external_pos_id: zod.z.string().describe("Pre-configured POS external_id from MP dashboard. Required."),
+        amount_ars: zod.z.number().positive(),
+        title: zod.z.string().min(1).max(80).describe("Display title shown when scanning"),
+        description: zod.z.string().max(255).optional(),
+        external_reference: zod.z.string().optional(),
+        notification_url: zod.z.string().url().optional().describe("Webhook URL \u2014 falls back to dashboard config if omitted"),
+        expires_in_seconds: zod.z.number().int().min(60).max(3600).optional().describe("Default 600 (10 min)")
+      }),
+      execute: async (input) => {
+        const QRCode = (await import('qrcode')).default;
+        const me = await client.getMe();
+        const userId = String(me.id);
+        const expiresAt = new Date(
+          Date.now() + (input.expires_in_seconds ?? 600) * 1e3
+        ).toISOString();
+        const qr = await client.createQrPayment(userId, {
+          externalPosId: input.external_pos_id,
+          totalAmount: input.amount_ars,
+          title: input.title,
+          ...input.description !== void 0 ? { description: input.description } : {},
+          ...input.external_reference !== void 0 ? { externalReference: input.external_reference } : {},
+          ...input.notification_url !== void 0 ? { notificationUrl: input.notification_url } : {},
+          expirationDate: expiresAt
+        });
+        const qrDataUrl = await QRCode.toDataURL(qr.qr_data, {
+          errorCorrectionLevel: "M",
+          margin: 1,
+          width: 512
+        });
+        return {
+          in_store_order_id: qr.in_store_order_id,
+          qr_data: qr.qr_data,
+          qr_data_url: qrDataUrl,
+          expires_at: expiresAt,
+          external_pos_id: input.external_pos_id,
+          amount: input.amount_ars,
+          next_step: "Display the qr_data_url image to the buyer. Wait for the payment webhook (point_integration_wh fires first, then payment topic). If buyer doesn't scan in time, call cancel_qr_payment to free the POS."
+        };
+      }
+    }),
+    cancel_qr_payment: ai.tool({
+      description: desc("cancel_qr_payment"),
+      inputSchema: zod.z.object({
+        external_pos_id: zod.z.string()
+      }),
+      execute: async ({ external_pos_id }) => {
+        const me = await client.getMe();
+        await client.cancelQrPayment(String(me.id), external_pos_id);
+        return { external_pos_id, cancelled: true };
+      }
     })
   };
 }
@@ -1229,6 +1562,17 @@ zod.z.object({
     }).passthrough()
   )
 }).passthrough();
+zod.z.object({
+  in_store_order_id: zod.z.string(),
+  qr_data: zod.z.string()
+}).passthrough();
+zod.z.object({
+  id: zod.z.string(),
+  status: zod.z.string().optional(),
+  date_due: zod.z.string().optional(),
+  card_id: zod.z.string().optional(),
+  cardholder: zod.z.unknown().optional()
+}).passthrough();
 zod.z.object({
   id: zod.z.union([zod.z.string(), zod.z.number()]).transform(String),
   email: zod.z.string().nullable().optional(),
@@ -1276,9 +1620,11 @@ exports.MercadoPagoAuthorizeForbiddenError = MercadoPagoAuthorizeForbiddenError;
 exports.MercadoPagoBackUrlInvalidError = MercadoPagoBackUrlInvalidError;
 exports.MercadoPagoClient = MercadoPagoClient;
 exports.MercadoPagoError = MercadoPagoError;
+exports.MercadoPagoOverloadedError = MercadoPagoOverloadedError;
 exports.MercadoPagoPaymentRejectedError = MercadoPagoPaymentRejectedError;
 exports.MercadoPagoRateLimitError = MercadoPagoRateLimitError;
 exports.MercadoPagoSelfPaymentError = MercadoPagoSelfPaymentError;
+exports.MercadoPagoTimeoutError = MercadoPagoTimeoutError;
 exports.classifyError = classifyError;
 exports.mercadoPagoTools = mercadoPagoTools;
 exports.parseWebhookEvent = parseWebhookEvent;