@ar-agents/mercadopago 0.7.0 → 0.8.0

package/dist/index.d.cts

@@ -1,5 +1,7 @@
 import { z } from 'zod';
 import { ToolSet } from 'ai';
+import { S as SubscriptionStateAdapter } from './state-C6Wzb_XX.cjs';
+export { I as IdempotencyCache, a as InMemoryIdempotencyCache, b as InMemoryOAuthTokenStore, c as InMemoryStateAdapter, O as OAuthTokenRecord, d as OAuthTokenStore, e as SubscriptionStateRecord } from './state-C6Wzb_XX.cjs';
 
 /**
  * Base class for any error originating from the Mercado Pago integration. All
@@ -1625,52 +1627,6 @@ declare class MercadoPagoClient {
     }>;
 }
 
-/**
- * In-memory record of a subscription. The lib persists the MP-side fields
- * needed to reason about a subscription without hitting the API every time
- * (status, last webhook info, customer email, etc.) plus a free-form metadata
- * bag for callers to attach business context (tenant id, plan name, etc.).
- */
-interface SubscriptionStateRecord {
-    status?: string;
-    payerEmail?: string;
-    amount?: number;
-    currency?: string;
-    frequency?: number;
-    frequencyType?: string;
-    initPoint?: string;
-    externalReference?: string;
-    createdAt?: string;
-    cancelledAt?: string;
-    lastWebhookStatus?: string;
-    lastWebhookAt?: string;
-    metadata?: Record<string, unknown>;
-}
-/**
- * Persistence surface for subscription state. Implementations may back this
- * with Upstash Redis, Vercel KV, Postgres, in-memory, or anything that
- * supports the three operations. The default `InMemoryStateAdapter` is
- * provided for tests and trivial single-process deployments; production
- * setups should plug in a durable store.
- */
-interface SubscriptionStateAdapter {
-    set(id: string, state: Partial<SubscriptionStateRecord>): Promise<void>;
-    get(id: string): Promise<SubscriptionStateRecord | null>;
-    list?(): Promise<string[]>;
-}
-/**
- * Volatile, single-process state adapter. Useful for tests and demos. Do not
- * use in production: state is lost on restart and is not safe across tenants.
- */
-declare class InMemoryStateAdapter implements SubscriptionStateAdapter {
-    private readonly store;
-    set(id: string, state: Partial<SubscriptionStateRecord>): Promise<void>;
-    get(id: string): Promise<SubscriptionStateRecord | null>;
-    list(): Promise<string[]>;
-    /** Test helper: drop everything. Not part of the adapter interface. */
-    reset(): void;
-}
-
 interface MercadoPagoToolsOptions {
     /** State adapter for persisting subscription records. */
     state: SubscriptionStateAdapter;
@@ -1733,12 +1689,26 @@ type ToolName = "create_subscription" | "get_subscription_status" | "cancel_subs
  */
 declare function mercadoPagoTools(client: MercadoPagoClient, options: MercadoPagoToolsOptions): ToolSet;
 
+/**
+ * Webhook helpers — parse incoming MP notifications and verify the
+ * HMAC-SHA256 signature MP sends in the `x-signature` header.
+ *
+ * # Edge Runtime
+ *
+ * Both `verifyWebhookSignature` and `parseWebhookEvent` work in Vercel
+ * Edge Runtime, Cloudflare Workers, Deno, browsers, and Node 18+. The
+ * HMAC verification uses Web Crypto under the hood (see `./crypto.ts`)
+ * and is **async** — make sure to `await` the call.
+ */
+
 /**
  * Parse a Mercado Pago webhook from the raw request body and URL search params.
  * MP sends the topic and resource id in EITHER the URL query string OR the
  * body, depending on integration version — this normalizes both shapes into a
  * single structure.
  *
+ * **Pure function — synchronous, no I/O.**
+ *
  * @example
  * ```ts
  * export async function POST(req: Request) {
@@ -1755,25 +1725,34 @@ declare function parseWebhookEvent(body: unknown, searchParams?: URLSearchParams
 /**
  * Verify the HMAC-SHA256 signature MP sends in the `x-signature` header for
  * webhook authenticity. Returns true if the signature matches the expected
- * value derived from the integration's secret key.
+ * value derived from the integration's secret key AND the timestamp is
+ * within the replay-tolerance window.
+ *
+ * **Async** — runs on Web Crypto under the hood, works in Edge Runtime.
  *
  * @param requestId The value of the `x-request-id` request header.
  * @param dataId The id of the resource the webhook is about (from query or body).
  * @param signatureHeader The full `x-signature` header value MP sent.
  * @param secret Your integration's webhook secret (configured in MP dev panel).
+ * @param replayToleranceSeconds Optional override. Default 300s (5 min).
  *
  * @remarks
  * MP's `x-signature` header has the form: `ts=NNNNNNNN,v1=HEXSIGNATURE`. We
  * extract the timestamp and the v1 signature, then compute
  * `HMAC-SHA256(secret, "id:${dataId};request-id:${requestId};ts:${ts};")`
  * and compare with constant-time equality.
+ *
+ * **Replay protection**: rejects signatures whose `ts` is older than
+ * `replayToleranceSeconds` (default 5min) — prevents an attacker who
+ * captured a valid webhook from replaying it later.
  */
 declare function verifyWebhookSignature(params: {
     requestId: string | null;
     dataId: string;
     signatureHeader: string | null;
     secret: string;
-}): boolean;
+    replayToleranceSeconds?: number;
+}): Promise<boolean>;
 
 /**
  * Mercado Pago OAuth flow — for marketplace integrations where YOUR app
@@ -2079,4 +2058,4 @@ interface PaymentStatusExplanation {
  */
 declare function explainPaymentStatus(payment: Payment): PaymentStatusExplanation;
 
-export { type AccountBalance, type AccountInfo, type AccountMovement, type AutoRecurring, type BankAccount, type CardToken, type CreateCardTokenParams, type CreateCustomerParams, type CreateOrderParams, type CreatePaymentParams, type CreatePointPaymentIntentParams, type CreatePosParams, type CreatePreapprovalParams, type CreatePreferenceParams, type CreateQrPaymentParams, type CreateRefundParams, type CreateStoreParams, type CreateSubscriptionPlanParams, type CreateWebhookParams, type CurrencyId, type Customer, type CustomerCard, type Dispute, type FrequencyType, type IdentificationType, InMemoryStateAdapter, type InstallmentOffer, type Issuer, type MarketplaceFeeRule, type MarketplaceParams, MercadoPagoAccountTypeMismatchError, MercadoPagoAuthError, MercadoPagoAuthorizeForbiddenError, MercadoPagoBackUrlInvalidError, MercadoPagoClient, type MercadoPagoClientOptions, MercadoPagoError, MercadoPagoOverloadedError, MercadoPagoPaymentRejectedError, MercadoPagoRateLimitError, MercadoPagoSelfPaymentError, MercadoPagoTimeoutError, type MercadoPagoToolsOptions, type MerchantOrder, type OAuthToken, type Order, type OrderItem, type OrderStatus, type ParsedWebhookEvent, type Payment, type PaymentMethod, type PaymentStatus, type PaymentStatusExplanation, type PaymentsSearchResult, type PointDevice, type PointPaymentIntent, type PointPaymentIntentState, type Pos, type Preapproval, type PreapprovalStatus, type Preference, type PreferenceItem, type QrOrder, type Refund, type SearchPaymentsParams, type Settlement, type SiteId, type Store, type SubscriptionPayment, type SubscriptionPlan, type SubscriptionStateAdapter, type SubscriptionStateRecord, TEST_CARDS_AR, TEST_PAYERS_AR, type TestCard, type ThreeDSInfo, type ThreeDSStatus, type WebhookBody, type WebhookConfig, type WebhookTopic, analyze3DS, buildAuthorizeUrl, buildTestCardScenario, classifyError, computeMarketplaceFee, exchangeCodeForToken, expirationTimeMs, explainPaymentStatus, isExpiringSoon, mercadoPagoTools, parseWebhookEvent, refreshAccessToken, verifyWebhookSignature };
+export { type AccountBalance, type AccountInfo, type AccountMovement, type AutoRecurring, type BankAccount, type CardToken, type CreateCardTokenParams, type CreateCustomerParams, type CreateOrderParams, type CreatePaymentParams, type CreatePointPaymentIntentParams, type CreatePosParams, type CreatePreapprovalParams, type CreatePreferenceParams, type CreateQrPaymentParams, type CreateRefundParams, type CreateStoreParams, type CreateSubscriptionPlanParams, type CreateWebhookParams, type CurrencyId, type Customer, type CustomerCard, type Dispute, type FrequencyType, type IdentificationType, type InstallmentOffer, type Issuer, type MarketplaceFeeRule, type MarketplaceParams, MercadoPagoAccountTypeMismatchError, MercadoPagoAuthError, MercadoPagoAuthorizeForbiddenError, MercadoPagoBackUrlInvalidError, MercadoPagoClient, type MercadoPagoClientOptions, MercadoPagoError, MercadoPagoOverloadedError, MercadoPagoPaymentRejectedError, MercadoPagoRateLimitError, MercadoPagoSelfPaymentError, MercadoPagoTimeoutError, type MercadoPagoToolsOptions, type MerchantOrder, type OAuthToken, type Order, type OrderItem, type OrderStatus, type ParsedWebhookEvent, type Payment, type PaymentMethod, type PaymentStatus, type PaymentStatusExplanation, type PaymentsSearchResult, type PointDevice, type PointPaymentIntent, type PointPaymentIntentState, type Pos, type Preapproval, type PreapprovalStatus, type Preference, type PreferenceItem, type QrOrder, type Refund, type SearchPaymentsParams, type Settlement, type SiteId, type Store, type SubscriptionPayment, type SubscriptionPlan, SubscriptionStateAdapter, TEST_CARDS_AR, TEST_PAYERS_AR, type TestCard, type ThreeDSInfo, type ThreeDSStatus, type WebhookBody, type WebhookConfig, type WebhookTopic, analyze3DS, buildAuthorizeUrl, buildTestCardScenario, classifyError, computeMarketplaceFee, exchangeCodeForToken, expirationTimeMs, explainPaymentStatus, isExpiringSoon, mercadoPagoTools, parseWebhookEvent, refreshAccessToken, verifyWebhookSignature };

package/dist/index.d.ts

@@ -1,5 +1,7 @@
 import { z } from 'zod';
 import { ToolSet } from 'ai';
+import { S as SubscriptionStateAdapter } from './state-C6Wzb_XX.js';
+export { I as IdempotencyCache, a as InMemoryIdempotencyCache, b as InMemoryOAuthTokenStore, c as InMemoryStateAdapter, O as OAuthTokenRecord, d as OAuthTokenStore, e as SubscriptionStateRecord } from './state-C6Wzb_XX.js';
 
 /**
  * Base class for any error originating from the Mercado Pago integration. All
@@ -1625,52 +1627,6 @@ declare class MercadoPagoClient {
     }>;
 }
 
-/**
- * In-memory record of a subscription. The lib persists the MP-side fields
- * needed to reason about a subscription without hitting the API every time
- * (status, last webhook info, customer email, etc.) plus a free-form metadata
- * bag for callers to attach business context (tenant id, plan name, etc.).
- */
-interface SubscriptionStateRecord {
-    status?: string;
-    payerEmail?: string;
-    amount?: number;
-    currency?: string;
-    frequency?: number;
-    frequencyType?: string;
-    initPoint?: string;
-    externalReference?: string;
-    createdAt?: string;
-    cancelledAt?: string;
-    lastWebhookStatus?: string;
-    lastWebhookAt?: string;
-    metadata?: Record<string, unknown>;
-}
-/**
- * Persistence surface for subscription state. Implementations may back this
- * with Upstash Redis, Vercel KV, Postgres, in-memory, or anything that
- * supports the three operations. The default `InMemoryStateAdapter` is
- * provided for tests and trivial single-process deployments; production
- * setups should plug in a durable store.
- */
-interface SubscriptionStateAdapter {
-    set(id: string, state: Partial<SubscriptionStateRecord>): Promise<void>;
-    get(id: string): Promise<SubscriptionStateRecord | null>;
-    list?(): Promise<string[]>;
-}
-/**
- * Volatile, single-process state adapter. Useful for tests and demos. Do not
- * use in production: state is lost on restart and is not safe across tenants.
- */
-declare class InMemoryStateAdapter implements SubscriptionStateAdapter {
-    private readonly store;
-    set(id: string, state: Partial<SubscriptionStateRecord>): Promise<void>;
-    get(id: string): Promise<SubscriptionStateRecord | null>;
-    list(): Promise<string[]>;
-    /** Test helper: drop everything. Not part of the adapter interface. */
-    reset(): void;
-}
-
 interface MercadoPagoToolsOptions {
     /** State adapter for persisting subscription records. */
     state: SubscriptionStateAdapter;
@@ -1733,12 +1689,26 @@ type ToolName = "create_subscription" | "get_subscription_status" | "cancel_subs
  */
 declare function mercadoPagoTools(client: MercadoPagoClient, options: MercadoPagoToolsOptions): ToolSet;
 
+/**
+ * Webhook helpers — parse incoming MP notifications and verify the
+ * HMAC-SHA256 signature MP sends in the `x-signature` header.
+ *
+ * # Edge Runtime
+ *
+ * Both `verifyWebhookSignature` and `parseWebhookEvent` work in Vercel
+ * Edge Runtime, Cloudflare Workers, Deno, browsers, and Node 18+. The
+ * HMAC verification uses Web Crypto under the hood (see `./crypto.ts`)
+ * and is **async** — make sure to `await` the call.
+ */
+
 /**
  * Parse a Mercado Pago webhook from the raw request body and URL search params.
  * MP sends the topic and resource id in EITHER the URL query string OR the
  * body, depending on integration version — this normalizes both shapes into a
  * single structure.
  *
+ * **Pure function — synchronous, no I/O.**
+ *
  * @example
  * ```ts
  * export async function POST(req: Request) {
@@ -1755,25 +1725,34 @@ declare function parseWebhookEvent(body: unknown, searchParams?: URLSearchParams
 /**
  * Verify the HMAC-SHA256 signature MP sends in the `x-signature` header for
  * webhook authenticity. Returns true if the signature matches the expected
- * value derived from the integration's secret key.
+ * value derived from the integration's secret key AND the timestamp is
+ * within the replay-tolerance window.
+ *
+ * **Async** — runs on Web Crypto under the hood, works in Edge Runtime.
  *
  * @param requestId The value of the `x-request-id` request header.
  * @param dataId The id of the resource the webhook is about (from query or body).
  * @param signatureHeader The full `x-signature` header value MP sent.
  * @param secret Your integration's webhook secret (configured in MP dev panel).
+ * @param replayToleranceSeconds Optional override. Default 300s (5 min).
  *
  * @remarks
  * MP's `x-signature` header has the form: `ts=NNNNNNNN,v1=HEXSIGNATURE`. We
  * extract the timestamp and the v1 signature, then compute
  * `HMAC-SHA256(secret, "id:${dataId};request-id:${requestId};ts:${ts};")`
  * and compare with constant-time equality.
+ *
+ * **Replay protection**: rejects signatures whose `ts` is older than
+ * `replayToleranceSeconds` (default 5min) — prevents an attacker who
+ * captured a valid webhook from replaying it later.
  */
 declare function verifyWebhookSignature(params: {
     requestId: string | null;
     dataId: string;
     signatureHeader: string | null;
     secret: string;
-}): boolean;
+    replayToleranceSeconds?: number;
+}): Promise<boolean>;
 
 /**
  * Mercado Pago OAuth flow — for marketplace integrations where YOUR app
@@ -2079,4 +2058,4 @@ interface PaymentStatusExplanation {
  */
 declare function explainPaymentStatus(payment: Payment): PaymentStatusExplanation;
 
-export { type AccountBalance, type AccountInfo, type AccountMovement, type AutoRecurring, type BankAccount, type CardToken, type CreateCardTokenParams, type CreateCustomerParams, type CreateOrderParams, type CreatePaymentParams, type CreatePointPaymentIntentParams, type CreatePosParams, type CreatePreapprovalParams, type CreatePreferenceParams, type CreateQrPaymentParams, type CreateRefundParams, type CreateStoreParams, type CreateSubscriptionPlanParams, type CreateWebhookParams, type CurrencyId, type Customer, type CustomerCard, type Dispute, type FrequencyType, type IdentificationType, InMemoryStateAdapter, type InstallmentOffer, type Issuer, type MarketplaceFeeRule, type MarketplaceParams, MercadoPagoAccountTypeMismatchError, MercadoPagoAuthError, MercadoPagoAuthorizeForbiddenError, MercadoPagoBackUrlInvalidError, MercadoPagoClient, type MercadoPagoClientOptions, MercadoPagoError, MercadoPagoOverloadedError, MercadoPagoPaymentRejectedError, MercadoPagoRateLimitError, MercadoPagoSelfPaymentError, MercadoPagoTimeoutError, type MercadoPagoToolsOptions, type MerchantOrder, type OAuthToken, type Order, type OrderItem, type OrderStatus, type ParsedWebhookEvent, type Payment, type PaymentMethod, type PaymentStatus, type PaymentStatusExplanation, type PaymentsSearchResult, type PointDevice, type PointPaymentIntent, type PointPaymentIntentState, type Pos, type Preapproval, type PreapprovalStatus, type Preference, type PreferenceItem, type QrOrder, type Refund, type SearchPaymentsParams, type Settlement, type SiteId, type Store, type SubscriptionPayment, type SubscriptionPlan, type SubscriptionStateAdapter, type SubscriptionStateRecord, TEST_CARDS_AR, TEST_PAYERS_AR, type TestCard, type ThreeDSInfo, type ThreeDSStatus, type WebhookBody, type WebhookConfig, type WebhookTopic, analyze3DS, buildAuthorizeUrl, buildTestCardScenario, classifyError, computeMarketplaceFee, exchangeCodeForToken, expirationTimeMs, explainPaymentStatus, isExpiringSoon, mercadoPagoTools, parseWebhookEvent, refreshAccessToken, verifyWebhookSignature };
+export { type AccountBalance, type AccountInfo, type AccountMovement, type AutoRecurring, type BankAccount, type CardToken, type CreateCardTokenParams, type CreateCustomerParams, type CreateOrderParams, type CreatePaymentParams, type CreatePointPaymentIntentParams, type CreatePosParams, type CreatePreapprovalParams, type CreatePreferenceParams, type CreateQrPaymentParams, type CreateRefundParams, type CreateStoreParams, type CreateSubscriptionPlanParams, type CreateWebhookParams, type CurrencyId, type Customer, type CustomerCard, type Dispute, type FrequencyType, type IdentificationType, type InstallmentOffer, type Issuer, type MarketplaceFeeRule, type MarketplaceParams, MercadoPagoAccountTypeMismatchError, MercadoPagoAuthError, MercadoPagoAuthorizeForbiddenError, MercadoPagoBackUrlInvalidError, MercadoPagoClient, type MercadoPagoClientOptions, MercadoPagoError, MercadoPagoOverloadedError, MercadoPagoPaymentRejectedError, MercadoPagoRateLimitError, MercadoPagoSelfPaymentError, MercadoPagoTimeoutError, type MercadoPagoToolsOptions, type MerchantOrder, type OAuthToken, type Order, type OrderItem, type OrderStatus, type ParsedWebhookEvent, type Payment, type PaymentMethod, type PaymentStatus, type PaymentStatusExplanation, type PaymentsSearchResult, type PointDevice, type PointPaymentIntent, type PointPaymentIntentState, type Pos, type Preapproval, type PreapprovalStatus, type Preference, type PreferenceItem, type QrOrder, type Refund, type SearchPaymentsParams, type Settlement, type SiteId, type Store, type SubscriptionPayment, type SubscriptionPlan, SubscriptionStateAdapter, TEST_CARDS_AR, TEST_PAYERS_AR, type TestCard, type ThreeDSInfo, type ThreeDSStatus, type WebhookBody, type WebhookConfig, type WebhookTopic, analyze3DS, buildAuthorizeUrl, buildTestCardScenario, classifyError, computeMarketplaceFee, exchangeCodeForToken, expirationTimeMs, explainPaymentStatus, isExpiringSoon, mercadoPagoTools, parseWebhookEvent, refreshAccessToken, verifyWebhookSignature };

package/dist/index.js

@@ -1,4 +1,3 @@
-import { createHmac, timingSafeEqual, createHash } from 'crypto';
 import { tool } from 'ai';
 import { z } from 'zod';
 
@@ -1233,6 +1232,54 @@ var MercadoPagoClient = class {
     return { id: intentId, canceled: true };
   }
 };
+
+// src/crypto.ts
+var subtle = (() => {
+  const c = globalThis.crypto;
+  if (!c?.subtle) {
+    throw new Error(
+      "@ar-agents/mercadopago: Web Crypto API is not available in this runtime. Use Node 18+, Vercel Edge Runtime, Cloudflare Workers, or any modern browser."
+    );
+  }
+  return c.subtle;
+})();
+var encoder = new TextEncoder();
+async function hmacSha256Hex(secret, message) {
+  const keyMaterial = await subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const sigBuf = await subtle.sign(
+    "HMAC",
+    keyMaterial,
+    encoder.encode(message)
+  );
+  return bufferToHex(sigBuf);
+}
+async function sha256Hex(input) {
+  const digest = await subtle.digest("SHA-256", encoder.encode(input));
+  return bufferToHex(digest);
+}
+function timingSafeEqualHex(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) {
+    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return diff === 0;
+}
+function bufferToHex(buf) {
+  const bytes = new Uint8Array(buf);
+  let hex = "";
+  for (let i = 0; i < bytes.length; i++) {
+    const b = bytes[i];
+    hex += (b < 16 ? "0" : "") + b.toString(16);
+  }
+  return hex;
+}
 z.enum(["MLA", "MLB", "MLM", "MCO", "MLC", "MLU"]);
 var CurrencyIdSchema = z.enum(["ARS", "USD", "BRL", "MXN"]);
 var FrequencyTypeSchema = z.enum(["months", "days"]);
@@ -2100,6 +2147,8 @@ function analyze3DS(payment) {
     description: "No se pudo determinar el estado 3DS \u2014 revisar payment.three_d_secure_mode + payment.status_detail manualmente."
   };
 }
+
+// src/webhook.ts
 function parseWebhookEvent(body, searchParams) {
   const parseResult = WebhookBodySchema.safeParse(body ?? {});
   const parsedBody = parseResult.success ? parseResult.data : {};
@@ -2115,7 +2164,8 @@ function parseWebhookEvent(body, searchParams) {
     raw: parsedBody
   };
 }
-function verifyWebhookSignature(params) {
+var DEFAULT_REPLAY_TOLERANCE_SECONDS = 300;
+async function verifyWebhookSignature(params) {
   if (!params.signatureHeader || !params.requestId) return false;
   const parts = Object.fromEntries(
     params.signatureHeader.split(",").map((segment) => segment.trim().split("="))
@@ -2123,16 +2173,20 @@ function verifyWebhookSignature(params) {
   const ts = parts.ts;
   const v1 = parts.v1;
   if (!ts || !v1) return false;
+  const tolerance = params.replayToleranceSeconds ?? DEFAULT_REPLAY_TOLERANCE_SECONDS;
+  const tsNumber = Number(ts);
+  if (!Number.isFinite(tsNumber)) return false;
+  const ageSeconds = Math.abs(Math.floor(Date.now() / 1e3) - tsNumber);
+  if (ageSeconds > tolerance) return false;
   const manifest = `id:${params.dataId};request-id:${params.requestId};ts:${ts};`;
-  const expected = createHmac("sha256", params.secret).update(manifest).digest("hex");
-  if (expected.length !== v1.length) return false;
-  return timingSafeEqual(Buffer.from(expected), Buffer.from(v1));
+  const expected = await hmacSha256Hex(params.secret, manifest);
+  return timingSafeEqualHex(expected, v1);
 }
 
 // src/tools.ts
-function deterministicIdempotencyKey(...parts) {
+async function deterministicIdempotencyKey(...parts) {
   const payload = parts.filter((p) => p !== void 0 && p !== null).map(String).join("|");
-  return createHash("sha256").update(payload).digest("hex").slice(0, 32);
+  return (await sha256Hex(payload)).slice(0, 32);
 }
 var DEFAULT_DESCRIPTIONS = {
   // ── Subscriptions ────────────────────────────────────────────────────────
@@ -2388,7 +2442,7 @@ function mercadoPagoTools(client, options) {
           ...options.notificationUrl !== void 0 ? { notificationUrl: options.notificationUrl } : {},
           // Deterministic idempotency key — safe to retry, same inputs always
           // produce the same key (MP dedupes on its side).
-          idempotencyKey: deterministicIdempotencyKey(
+          idempotencyKey: await deterministicIdempotencyKey(
             "create_payment",
             input.external_reference ?? input.payer_email,
             input.amount_ars,
@@ -2511,7 +2565,7 @@ function mercadoPagoTools(client, options) {
         const refund = await client.createRefund({
           paymentId: payment_id,
           ...amount_ars !== void 0 ? { amount: amount_ars } : {},
-          idempotencyKey: deterministicIdempotencyKey("refund", payment_id, amount_ars ?? "full")
+          idempotencyKey: await deterministicIdempotencyKey("refund", payment_id, amount_ars ?? "full")
         });
         return {
           refund_id: refund.id,
@@ -2777,7 +2831,7 @@ function mercadoPagoTools(client, options) {
           ...input.installments !== void 0 ? { installments: input.installments } : {},
           ...input.external_reference !== void 0 ? { externalReference: input.external_reference } : {},
           ...input.statement_descriptor !== void 0 ? { statementDescriptor: input.statement_descriptor } : {},
-          idempotencyKey: deterministicIdempotencyKey(
+          idempotencyKey: await deterministicIdempotencyKey(
             "charge_saved_card",
             input.card_id,
             input.amount_ars,
@@ -3288,7 +3342,7 @@ function mercadoPagoTools(client, options) {
             resource: null
           };
         }
-        const verified = verifyWebhookSignature({
+        const verified = await verifyWebhookSignature({
           requestId: request_id_header,
           dataId: event.dataId,
           signatureHeader: signature_header,
@@ -3486,7 +3540,7 @@ function mercadoPagoTools(client, options) {
         if (input.marketplace_fee !== void 0) params.marketplace_fee = input.marketplace_fee;
         if (input.collector_id !== void 0) params.collector_id = input.collector_id;
         const order = await client.createOrder(params, {
-          idempotencyKey: deterministicIdempotencyKey(
+          idempotencyKey: await deterministicIdempotencyKey(
             "create_order",
             input.external_reference,
             input.total_amount,
@@ -4050,7 +4104,48 @@ var InMemoryStateAdapter = class {
     this.store.clear();
   }
 };
+var InMemoryOAuthTokenStore = class {
+  store = /* @__PURE__ */ new Map();
+  async set(userId, token) {
+    this.store.set(userId, token);
+  }
+  async get(userId) {
+    return this.store.get(userId) ?? null;
+  }
+  async delete(userId) {
+    this.store.delete(userId);
+  }
+  async list() {
+    return Array.from(this.store.keys());
+  }
+  /** Test helper. */
+  reset() {
+    this.store.clear();
+  }
+};
+var InMemoryIdempotencyCache = class {
+  store = /* @__PURE__ */ new Map();
+  async get(key) {
+    const entry = this.store.get(key);
+    if (!entry) return null;
+    if (Date.now() > entry.expiresAt) {
+      this.store.delete(key);
+      return null;
+    }
+    return entry.value;
+  }
+  async set(key, value, ttlSeconds = 86400) {
+    this.store.set(key, { value, expiresAt: Date.now() + ttlSeconds * 1e3 });
+  }
+  async delete(key) {
+    this.store.delete(key);
+  }
+  /** Test helper. */
+  reset() {
+    this.store.clear();
+  }
+};
 
-export { InMemoryStateAdapter, MercadoPagoAccountTypeMismatchError, MercadoPagoAuthError, MercadoPagoAuthorizeForbiddenError, MercadoPagoBackUrlInvalidError, MercadoPagoClient, MercadoPagoError, MercadoPagoOverloadedError, MercadoPagoPaymentRejectedError, MercadoPagoRateLimitError, MercadoPagoSelfPaymentError, MercadoPagoTimeoutError, TEST_CARDS_AR, TEST_PAYERS_AR, analyze3DS, buildAuthorizeUrl, buildTestCardScenario, classifyError, computeMarketplaceFee, exchangeCodeForToken, expirationTimeMs, explainPaymentStatus, isExpiringSoon, mercadoPagoTools, parseWebhookEvent, refreshAccessToken, verifyWebhookSignature };
+export { InMemoryIdempotencyCache, InMemoryOAuthTokenStore, InMemoryStateAdapter, MercadoPagoAccountTypeMismatchError, MercadoPagoAuthError, MercadoPagoAuthorizeForbiddenError, MercadoPagoBackUrlInvalidError, MercadoPagoClient, MercadoPagoError, MercadoPagoOverloadedError, MercadoPagoPaymentRejectedError, MercadoPagoRateLimitError, MercadoPagoSelfPaymentError, MercadoPagoTimeoutError, TEST_CARDS_AR, TEST_PAYERS_AR, analyze3DS, buildAuthorizeUrl, buildTestCardScenario, classifyError, computeMarketplaceFee, exchangeCodeForToken, expirationTimeMs, explainPaymentStatus, isExpiringSoon, mercadoPagoTools, parseWebhookEvent, refreshAccessToken, verifyWebhookSignature };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map