npm - @ar-agents/mercadopago - Versions diffs - 0.2.0 → 0.3.0 - Mend

@ar-agents/mercadopago 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
+import { createHmac, timingSafeEqual, createHash } from 'crypto';
 import { tool } from 'ai';
 import { z } from 'zod';
-import { createHmac, timingSafeEqual } from 'crypto';
 // src/errors.ts
 var MercadoPagoError = class extends Error {
@@ -98,12 +98,38 @@ var MercadoPagoRateLimitError = class extends MercadoPagoError {
   }
   retryAfterSeconds;
 };
+var MercadoPagoOverloadedError = class extends MercadoPagoError {
+  constructor(endpoint, status) {
+    super(
+      `Mercado Pago appears overloaded \u2014 returned a non-JSON ${status} response for ${endpoint}. Wait a few seconds and retry.`,
+      status,
+      endpoint
+    );
+    this.name = "MercadoPagoOverloadedError";
+  }
+};
+var MercadoPagoTimeoutError = class extends MercadoPagoError {
+  constructor(endpoint, timeoutMs) {
+    super(
+      `Mercado Pago request timed out after ${timeoutMs}ms on ${endpoint}. Increase requestTimeoutMs or check connectivity.`,
+      0,
+      endpoint
+    );
+    this.timeoutMs = timeoutMs;
+    this.name = "MercadoPagoTimeoutError";
+  }
+  timeoutMs;
+};
 function classifyError(status, endpoint, body, context) {
   const bodyText = typeof body === "string" ? body : body && typeof body === "object" ? JSON.stringify(body) : "";
   const lower = bodyText.toLowerCase();
   if (status === 401) return new MercadoPagoAuthError(endpoint, body);
   if (status === 429) {
-    return new MercadoPagoRateLimitError(endpoint, null, body);
+    let retryAfter = null;
+    const obj = body;
+    if (obj?.retry_after) retryAfter = Number(obj.retry_after);
+    else if (obj?.["retry-after"]) retryAfter = Number(obj["retry-after"]);
+    return new MercadoPagoRateLimitError(endpoint, retryAfter, body);
   }
   if (status === 400) {
     if (lower.includes("back_url") && lower.includes("not a valid url")) {
@@ -129,10 +155,16 @@ function classifyError(status, endpoint, body, context) {
 // src/client.ts
 var DEFAULT_BASE_URL = "https://api.mercadopago.com";
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
 var MercadoPagoClient = class {
   accessToken;
   baseUrl;
   fetchImpl;
+  requestTimeoutMs;
+  maxRetries;
+  onCall;
   constructor(options) {
     if (!options.accessToken) {
       throw new Error(
@@ -142,6 +174,9 @@ var MercadoPagoClient = class {
     this.accessToken = options.accessToken;
     this.baseUrl = options.baseUrl ?? DEFAULT_BASE_URL;
     this.fetchImpl = options.fetch;
+    this.requestTimeoutMs = options.requestTimeoutMs ?? 3e4;
+    this.maxRetries = Math.max(0, options.maxRetries ?? 1);
+    this.onCall = options.onCall;
   }
   async request(method, path, body, options) {
     const headers = {
@@ -151,10 +186,6 @@ var MercadoPagoClient = class {
     if (options?.idempotencyKey) {
       headers["X-Idempotency-Key"] = options.idempotencyKey;
     }
-    const init = { method, headers };
-    if (body !== void 0) {
-      init.body = JSON.stringify(body);
-    }
     let url = `${this.baseUrl}${path}`;
     if (options?.query) {
       const search = new URLSearchParams();
@@ -167,20 +198,95 @@ var MercadoPagoClient = class {
       if (qs) url += `?${qs}`;
     }
     const fetchFn = this.fetchImpl ?? globalThis.fetch;
-    const res = await fetchFn(url, init);
-    if (!res.ok) {
-      let parsed;
-      const text2 = await res.text();
+    const t0 = Date.now();
+    let attempt = 0;
+    let lastError;
+    let lastStatus = null;
+    while (attempt <= this.maxRetries) {
+      const controller = new AbortController();
+      const timer = setTimeout(() => controller.abort(), this.requestTimeoutMs);
+      const init = { method, headers, signal: controller.signal };
+      if (body !== void 0) init.body = JSON.stringify(body);
       try {
-        parsed = JSON.parse(text2);
-      } catch {
-        parsed = text2;
+        const res = await fetchFn(url, init);
+        clearTimeout(timer);
+        lastStatus = res.status;
+        if (res.ok) {
+          const text2 = await res.text();
+          this.onCall?.({
+            method,
+            path,
+            durationMs: Date.now() - t0,
+            httpStatus: res.status,
+            retried: attempt,
+            success: true
+          });
+          if (!text2) return void 0;
+          return JSON.parse(text2);
+        }
+        const isRetryable = res.status >= 500 || res.status === 429;
+        if (isRetryable && attempt < this.maxRetries) {
+          const retryAfter = res.headers.get("retry-after");
+          const waitMs = retryAfter ? Number(retryAfter) * 1e3 : 250 * Math.pow(2, attempt);
+          attempt++;
+          await sleep(waitMs);
+          continue;
+        }
+        const contentType = res.headers.get("content-type") ?? "";
+        if (res.status >= 500 && !contentType.includes("application/json")) {
+          this.onCall?.({
+            method,
+            path,
+            durationMs: Date.now() - t0,
+            httpStatus: res.status,
+            retried: attempt,
+            success: false
+          });
+          throw new MercadoPagoOverloadedError(path, res.status);
+        }
+        let parsed;
+        const text = await res.text();
+        try {
+          parsed = JSON.parse(text);
+        } catch {
+          parsed = text;
+        }
+        const err = classifyError(res.status, path, parsed, options?.classifyContext);
+        this.onCall?.({
+          method,
+          path,
+          durationMs: Date.now() - t0,
+          httpStatus: res.status,
+          retried: attempt,
+          success: false
+        });
+        throw err;
+      } catch (err) {
+        clearTimeout(timer);
+        if (err instanceof MercadoPagoError) throw err;
+        const isAbort = err instanceof Error && err.name === "AbortError";
+        const isNetwork = !lastStatus && !isAbort;
+        if ((isNetwork || isAbort) && attempt < this.maxRetries) {
+          lastError = err;
+          attempt++;
+          await sleep(250 * Math.pow(2, attempt - 1));
+          continue;
+        }
+        this.onCall?.({
+          method,
+          path,
+          durationMs: Date.now() - t0,
+          httpStatus: lastStatus,
+          retried: attempt,
+          success: false
+        });
+        if (isAbort) {
+          throw new MercadoPagoTimeoutError(path, this.requestTimeoutMs);
+        }
+        throw err;
       }
-      throw classifyError(res.status, path, parsed, options?.classifyContext);
     }
-    const text = await res.text();
-    if (!text) return void 0;
-    return JSON.parse(text);
+    throw lastError ?? new Error(`MercadoPago request failed after ${this.maxRetries} retries`);
   }
   // ───────────────────────────────────────────────────────────────────────────
   // Subscriptions (Preapprovals) — v0.1 surface, kept stable
@@ -498,7 +604,119 @@ var MercadoPagoClient = class {
   async getMe() {
     return this.request("GET", "/users/me");
   }
+  // ───────────────────────────────────────────────────────────────────────────
+  // Card tokens (server-side, for saved-card retokenization)
+  // ───────────────────────────────────────────────────────────────────────────
+  /**
+   * Create a single-use card token from a saved card. This is the server-side
+   * retokenization path (PCI-safe because the card data lives in MP's vault,
+   * we only pass the saved card_id + customer_id + the user-supplied CVV).
+   *
+   * Tokens expire in 7 days but typically burn on first use. AR currently
+   * REQUIRES CVV on every charge (MP doesn't store it); skipping CVV requires
+   * a private MP product enablement, not a public API.
+   */
+  async createCardToken(params) {
+    return this.request("POST", "/v1/card_tokens", {
+      card_id: params.cardId,
+      customer_id: params.customerId,
+      security_code: params.securityCode
+    });
+  }
+  /**
+   * High-level helper: charge a saved card in 3 steps.
+   * 1. Mint a card token from {customer_id, card_id, security_code}
+   * 2. Lookup card to fill payment_method_id (avoids agent guessing)
+   * 3. Create the payment with the token + idempotency key
+   *
+   * Returns the resulting Payment. Uses deterministic idempotency from
+   * (card_id, amount, externalReference) so retries dedupe on MP's side.
+   */
+  async chargeSavedCard(params) {
+    const token = await this.createCardToken({
+      cardId: params.cardId,
+      customerId: params.customerId,
+      securityCode: params.securityCode
+    });
+    const card = await this.getCustomerCard(params.customerId, params.cardId);
+    const paymentMethodId = card.payment_method?.id;
+    if (!paymentMethodId) {
+      throw new MercadoPagoError(
+        `Saved card ${params.cardId} has no payment_method.id. Cannot charge.`,
+        0,
+        `/v1/customers/${params.customerId}/cards/${params.cardId}`
+      );
+    }
+    const body = {
+      transaction_amount: params.amount,
+      token: token.id,
+      payment_method_id: paymentMethodId,
+      installments: params.installments ?? 1,
+      description: params.description,
+      payer: { type: "customer", id: params.customerId }
+    };
+    if (params.externalReference) body.external_reference = params.externalReference;
+    if (params.statementDescriptor) body.statement_descriptor = params.statementDescriptor;
+    return this.request("POST", "/v1/payments", body, {
+      ...params.idempotencyKey !== void 0 ? { idempotencyKey: params.idempotencyKey } : {},
+      classifyContext: { customerId: params.customerId }
+    });
+  }
+  // ───────────────────────────────────────────────────────────────────────────
+  // QR (in-store dynamic) — Section 2 of v0.3 spec
+  // ───────────────────────────────────────────────────────────────────────────
+  /**
+   * Create a dynamic in-store QR order. Returns `qr_data` (EMVCo TLV string)
+   * + `in_store_order_id`. The buyer scans the QR with any AR wallet (Modo,
+   * BNA+, Cuenta DNI, Naranja X, etc. — interop is mandated by Transferencias
+   * 3.0). On payment, MP fires `point_integration_wh` then `payment` topics.
+   *
+   * Requires a pre-configured POS (`external_pos_id` from MP dashboard or
+   * `POST /pos`). The seller's `user_id` is auto-fetched from `/users/me`.
+   *
+   * The lib does NOT render the QR image — pass `qr_data` to a QR renderer
+   * (e.g., `qrcode` package) to get a data URL. The agent tool layer wraps
+   * this and returns both raw + data URL.
+   */
+  async createQrPayment(userId, params) {
+    const body = {
+      total_amount: params.totalAmount,
+      title: params.title
+    };
+    if (params.description) body.description = params.description;
+    if (params.notificationUrl) body.notification_url = params.notificationUrl;
+    if (params.externalReference) body.external_reference = params.externalReference;
+    if (params.expirationDate) body.expiration_date = params.expirationDate;
+    body.items = params.items ?? [
+      {
+        title: params.title,
+        quantity: 1,
+        unit_price: params.totalAmount,
+        unit_measure: "unit",
+        total_amount: params.totalAmount
+      }
+    ];
+    return this.request(
+      "PUT",
+      `/instore/orders/qr/seller/collectors/${encodeURIComponent(userId)}/pos/${encodeURIComponent(params.externalPosId)}/qrs`,
+      body
+    );
+  }
+  /**
+   * Cancel a pending QR order on a POS. Necessary if the buyer never scans
+   * — otherwise the next `createQrPayment` on the same POS returns 409.
+   */
+  async cancelQrPayment(userId, externalPosId) {
+    await this.request(
+      "DELETE",
+      `/instore/orders/qr/seller/collectors/${encodeURIComponent(userId)}/pos/${encodeURIComponent(externalPosId)}/qrs`
+    );
+  }
 };
+function deterministicIdempotencyKey(...parts) {
+  const payload = parts.filter((p) => p !== void 0 && p !== null).map(String).join("|");
+  return createHash("sha256").update(payload).digest("hex").slice(0, 32);
+}
 var DEFAULT_DESCRIPTIONS = {
   // ── Subscriptions ────────────────────────────────────────────────────────
   create_subscription: "Create a Mercado Pago recurring subscription. Returns an init_point URL where the customer must complete the FIRST payment with their card and CVV (this is a hard MP requirement; agents cannot bypass it). After they pay, MP will auto-charge at the configured frequency without further intervention.",
@@ -527,7 +745,12 @@ var DEFAULT_DESCRIPTIONS = {
   list_payment_methods: "List all payment methods enabled for the seller's MP account (visa, master, naranja, naranja_x, cabal, account_money, rapipago, pagofacil, etc.). Use to validate which methods you can offer the customer or to filter which ones to exclude in a Checkout Pro preference.",
   calculate_installments: "Calculate cuotas (installments) options for a given amount. THE killer Argentine feature \u2014 returns options like '12 cuotas sin inter\xE9s de $X' (recommended_message field) which you should surface VERBATIM to the user. Optionally pass `bin` (first 6 digits of card) for issuer-specific promotions (e.g., Naranja's interest-free deals). Use before create_payment to let the user pick installments knowingly.",
   // ── Account ──────────────────────────────────────────────────────────────
-  get_account_info: "Get info about the Mercado Pago account that owns the access token: site_id (MLA=Argentina), country_id, user_type (registered, partial, etc.). Useful to verify the agent is connected to the right account before taking actions."
+  get_account_info: "Get info about the Mercado Pago account that owns the access token: site_id (MLA=Argentina), country_id, user_type (registered, partial, etc.). Useful to verify the agent is connected to the right account before taking actions.",
+  // ── Saved-card charging (v0.3) ───────────────────────────────────────────
+  charge_saved_card: "Charge a previously-saved card for a returning customer. Requires customer_id + card_id (from list_customer_cards) AND a fresh CVV the user provides this session. AR Mercado Pago does NOT support CVV-less charges via the public API \u2014 every charge needs CVV. Idempotent on (card_id, amount, external_reference): retries dedupe automatically. Returns the resulting Payment.",
+  // ── QR in-store (v0.3) ───────────────────────────────────────────────────
+  create_qr_payment: "Generate a dynamic in-store QR for a buyer to scan with any AR wallet (Modo, BNA+, Cuenta DNI, Naranja X, Mercado Pago, etc. \u2014 interop is mandated by Transferencias 3.0). Requires a pre-configured POS external_id (one-time setup in MP dashboard). Returns the qr_data string + a base64 PNG data URL ready to display. The QR expires in `expires_in_seconds` (default 600). MP fires `point_integration_wh` then `payment` webhooks when scanned.",
+  cancel_qr_payment: "Cancel a pending QR order on a POS. Necessary if the buyer never scans \u2014 otherwise the next create_qr_payment on the same POS returns 409."
 };
 function mercadoPagoTools(client, options) {
   const desc = (name) => options.descriptions?.[name] ?? DEFAULT_DESCRIPTIONS[name];
@@ -669,8 +892,15 @@ function mercadoPagoTools(client, options) {
           ...input.identification !== void 0 ? { identification: input.identification } : {},
           ...input.statement_descriptor !== void 0 ? { statementDescriptor: input.statement_descriptor } : {},
           ...options.notificationUrl !== void 0 ? { notificationUrl: options.notificationUrl } : {},
-          // Auto-generate idempotency key from caller-meaningful fields
-          idempotencyKey: `${input.external_reference ?? input.payer_email}-${input.amount_ars}-${Date.now()}`
+          // Deterministic idempotency key — safe to retry, same inputs always
+          // produce the same key (MP dedupes on its side).
+          idempotencyKey: deterministicIdempotencyKey(
+            "create_payment",
+            input.external_reference ?? input.payer_email,
+            input.amount_ars,
+            input.payment_method_id,
+            input.token
+          )
         });
         return {
           payment_id: payment.id,
@@ -787,7 +1017,7 @@ function mercadoPagoTools(client, options) {
         const refund = await client.createRefund({
           paymentId: payment_id,
           ...amount_ars !== void 0 ? { amount: amount_ars } : {},
-          idempotencyKey: `refund-${payment_id}-${amount_ars ?? "full"}`
+          idempotencyKey: deterministicIdempotencyKey("refund", payment_id, amount_ars ?? "full")
         });
         return {
           refund_id: refund.id,
@@ -1027,6 +1257,109 @@ function mercadoPagoTools(client, options) {
           user_type: me.user_type
         };
       }
+    }),
+    // ─────────────────────────────────────────────────────────────────────────
+    // Saved-card charging (v0.3)
+    // ─────────────────────────────────────────────────────────────────────────
+    charge_saved_card: tool({
+      description: desc("charge_saved_card"),
+      inputSchema: z.object({
+        customer_id: z.string().describe("MP customer id (from create_customer / find_customer_by_email)"),
+        card_id: z.string().describe("Saved card id (from list_customer_cards)"),
+        security_code: z.string().regex(/^\d{3,4}$/).describe("CVV \u2014 3 digits (Visa/Master) or 4 (Amex). User must provide this each charge in AR."),
+        amount_ars: z.number().positive(),
+        description: z.string().min(1).max(255),
+        installments: z.number().int().min(1).max(24).optional().describe("Default 1. Use calculate_installments first to pick a valid count."),
+        external_reference: z.string().optional(),
+        statement_descriptor: z.string().max(13).optional()
+      }),
+      execute: async (input) => {
+        const payment = await client.chargeSavedCard({
+          customerId: input.customer_id,
+          cardId: input.card_id,
+          securityCode: input.security_code,
+          amount: input.amount_ars,
+          description: input.description,
+          ...input.installments !== void 0 ? { installments: input.installments } : {},
+          ...input.external_reference !== void 0 ? { externalReference: input.external_reference } : {},
+          ...input.statement_descriptor !== void 0 ? { statementDescriptor: input.statement_descriptor } : {},
+          idempotencyKey: deterministicIdempotencyKey(
+            "charge_saved_card",
+            input.card_id,
+            input.amount_ars,
+            input.external_reference
+          )
+        });
+        return {
+          payment_id: payment.id,
+          status: payment.status,
+          status_detail: payment.status_detail,
+          amount: payment.transaction_amount,
+          installments: payment.installments,
+          payment_method: payment.payment_method_id,
+          customer_id: input.customer_id,
+          card_id: input.card_id,
+          external_reference: payment.external_reference,
+          date_approved: payment.date_approved
+        };
+      }
+    }),
+    // ─────────────────────────────────────────────────────────────────────────
+    // QR in-store (v0.3)
+    // ─────────────────────────────────────────────────────────────────────────
+    create_qr_payment: tool({
+      description: desc("create_qr_payment"),
+      inputSchema: z.object({
+        external_pos_id: z.string().describe("Pre-configured POS external_id from MP dashboard. Required."),
+        amount_ars: z.number().positive(),
+        title: z.string().min(1).max(80).describe("Display title shown when scanning"),
+        description: z.string().max(255).optional(),
+        external_reference: z.string().optional(),
+        notification_url: z.string().url().optional().describe("Webhook URL \u2014 falls back to dashboard config if omitted"),
+        expires_in_seconds: z.number().int().min(60).max(3600).optional().describe("Default 600 (10 min)")
+      }),
+      execute: async (input) => {
+        const QRCode = (await import('qrcode')).default;
+        const me = await client.getMe();
+        const userId = String(me.id);
+        const expiresAt = new Date(
+          Date.now() + (input.expires_in_seconds ?? 600) * 1e3
+        ).toISOString();
+        const qr = await client.createQrPayment(userId, {
+          externalPosId: input.external_pos_id,
+          totalAmount: input.amount_ars,
+          title: input.title,
+          ...input.description !== void 0 ? { description: input.description } : {},
+          ...input.external_reference !== void 0 ? { externalReference: input.external_reference } : {},
+          ...input.notification_url !== void 0 ? { notificationUrl: input.notification_url } : {},
+          expirationDate: expiresAt
+        });
+        const qrDataUrl = await QRCode.toDataURL(qr.qr_data, {
+          errorCorrectionLevel: "M",
+          margin: 1,
+          width: 512
+        });
+        return {
+          in_store_order_id: qr.in_store_order_id,
+          qr_data: qr.qr_data,
+          qr_data_url: qrDataUrl,
+          expires_at: expiresAt,
+          external_pos_id: input.external_pos_id,
+          amount: input.amount_ars,
+          next_step: "Display the qr_data_url image to the buyer. Wait for the payment webhook (point_integration_wh fires first, then payment topic). If buyer doesn't scan in time, call cancel_qr_payment to free the POS."
+        };
+      }
+    }),
+    cancel_qr_payment: tool({
+      description: desc("cancel_qr_payment"),
+      inputSchema: z.object({
+        external_pos_id: z.string()
+      }),
+      execute: async ({ external_pos_id }) => {
+        const me = await client.getMe();
+        await client.cancelQrPayment(String(me.id), external_pos_id);
+        return { external_pos_id, cancelled: true };
+      }
     })
   };
 }
@@ -1227,6 +1560,17 @@ z.object({
     }).passthrough()
   )
 }).passthrough();
+z.object({
+  in_store_order_id: z.string(),
+  qr_data: z.string()
+}).passthrough();
+z.object({
+  id: z.string(),
+  status: z.string().optional(),
+  date_due: z.string().optional(),
+  card_id: z.string().optional(),
+  cardholder: z.unknown().optional()
+}).passthrough();
 z.object({
   id: z.union([z.string(), z.number()]).transform(String),
   email: z.string().nullable().optional(),
@@ -1267,6 +1611,6 @@ function verifyWebhookSignature(params) {
   return timingSafeEqual(Buffer.from(expected), Buffer.from(v1));
 }
-export { InMemoryStateAdapter, MercadoPagoAccountTypeMismatchError, MercadoPagoAuthError, MercadoPagoAuthorizeForbiddenError, MercadoPagoBackUrlInvalidError, MercadoPagoClient, MercadoPagoError, MercadoPagoPaymentRejectedError, MercadoPagoRateLimitError, MercadoPagoSelfPaymentError, classifyError, mercadoPagoTools, parseWebhookEvent, verifyWebhookSignature };
+export { InMemoryStateAdapter, MercadoPagoAccountTypeMismatchError, MercadoPagoAuthError, MercadoPagoAuthorizeForbiddenError, MercadoPagoBackUrlInvalidError, MercadoPagoClient, MercadoPagoError, MercadoPagoOverloadedError, MercadoPagoPaymentRejectedError, MercadoPagoRateLimitError, MercadoPagoSelfPaymentError, MercadoPagoTimeoutError, classifyError, mercadoPagoTools, parseWebhookEvent, verifyWebhookSignature };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map