@closeloop/sdk 0.1.6 → 0.1.8

package/dist/index.js

@@ -39,12 +39,14 @@ module.exports = __toCommonJS(src_exports);
 // src/constants.ts
 var DEFAULT_BASE_URL = "https://closeloop.app";
 var DEFAULT_TIMEOUT = 3e4;
-var SDK_VERSION = "0.1.0";
+var SDK_VERSION = true ? "0.1.8" : "0.0.0";
 var USER_AGENT = `closeloop-node/${SDK_VERSION}`;
+var WEBHOOK_TIMESTAMP_TOLERANCE_SECONDS = 300;
 
 // src/schemas/validation.ts
 var import_zod = require("zod");
 var walletAddressSchema = import_zod.z.string().regex(/^0x[a-fA-F0-9]{40}$/, "Invalid Ethereum wallet address");
+var productIdSchema = import_zod.z.string().min(1, "Product ID is required").max(100, "Product ID too long");
 var planIdSchema = import_zod.z.string().min(1, "Plan ID is required").max(100, "Plan ID too long");
 var balanceIdSchema = import_zod.z.string().min(1, "Balance ID is required").max(100, "Balance ID too long");
 var creditAmountSchema = import_zod.z.number().int("Amount must be an integer").positive("Amount must be positive").max(1e9, "Amount exceeds maximum");
@@ -56,43 +58,43 @@ var transactionTypeSchema = import_zod.z.enum([
   "EXPIRATION"
 ]);
 var DANGEROUS_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
-function sanitizeMetadata(metadata) {
+var MAX_METADATA_DEPTH = 5;
+function sanitizeMetadata(metadata, depth = 0) {
+  if (depth > MAX_METADATA_DEPTH) return void 0;
   if (!metadata) return void 0;
   const clean = /* @__PURE__ */ Object.create(null);
   for (const [key, value] of Object.entries(metadata)) {
     if (DANGEROUS_KEYS.has(key)) continue;
-    clean[key] = value;
+    if (typeof value === "object" && value !== null && !Array.isArray(value)) {
+      const sanitizedNested = sanitizeMetadata(
+        value,
+        depth + 1
+      );
+      if (sanitizedNested !== void 0) {
+        clean[key] = sanitizedNested;
+      }
+    } else {
+      clean[key] = value;
+    }
   }
   return Object.freeze(clean);
 }
 var verifyCreditsSchema = import_zod.z.object({
   walletAddress: walletAddressSchema,
-  planId: planIdSchema,
-  amount: creditAmountSchema
+  amount: creditAmountSchema,
+  productId: productIdSchema
 });
 var consumeCreditsSchema = import_zod.z.object({
+  productId: productIdSchema,
   walletAddress: walletAddressSchema,
-  planId: planIdSchema,
   amount: creditAmountSchema,
   consumedBy: import_zod.z.string().max(100).optional(),
   metadata: import_zod.z.record(import_zod.z.string(), import_zod.z.unknown()).optional(),
   idempotencyKey: import_zod.z.string().max(100).optional()
 });
-var batchConsumeSchema = import_zod.z.object({
-  operations: import_zod.z.array(
-    import_zod.z.object({
-      walletAddress: walletAddressSchema,
-      planId: planIdSchema,
-      amount: creditAmountSchema,
-      consumedBy: import_zod.z.string().max(100).optional(),
-      metadata: import_zod.z.record(import_zod.z.string(), import_zod.z.unknown()).optional()
-    })
-  ).min(1, "At least one operation required").max(100, "Maximum 100 operations per batch"),
-  atomic: import_zod.z.boolean().optional()
-});
 var getBalanceSchema = import_zod.z.object({
-  walletAddress: walletAddressSchema,
-  planId: planIdSchema
+  productId: productIdSchema,
+  walletAddress: walletAddressSchema
 });
 var listBalancesSchema = import_zod.z.object({
   walletAddress: walletAddressSchema,
@@ -106,6 +108,10 @@ var listTransactionsSchema = import_zod.z.object({
   limit: paginationLimitSchema.optional(),
   cursor: import_zod.z.string().max(200).optional()
 });
+var getStatsSchema = import_zod.z.object({
+  productId: productIdSchema,
+  walletAddress: walletAddressSchema
+});
 var webhookEventTypeSchema = import_zod.z.enum([
   "payment.success",
   "credits.low",
@@ -119,21 +125,20 @@ var webhookEventSchema = import_zod.z.object({
 });
 var paymentSuccessPayloadSchema = import_zod.z.object({
   type: import_zod.z.string(),
+  productId: import_zod.z.string(),
   planId: import_zod.z.string(),
-  planName: import_zod.z.string(),
-  price: import_zod.z.number(),
-  walletAddress: import_zod.z.string(),
-  transactionId: import_zod.z.string()
+  transactionId: import_zod.z.string(),
+  walletAddress: import_zod.z.string()
 }).loose();
 var creditsLowPayloadSchema = import_zod.z.object({
+  productId: import_zod.z.string(),
   walletAddress: import_zod.z.string(),
-  planId: import_zod.z.string(),
   remainingCredits: import_zod.z.number(),
   threshold: import_zod.z.number()
 });
 var creditsExpiredPayloadSchema = import_zod.z.object({
+  productId: import_zod.z.string(),
   walletAddress: import_zod.z.string(),
-  planId: import_zod.z.string(),
   expiredCredits: import_zod.z.number(),
   expiresAt: import_zod.z.string()
 });
@@ -205,6 +210,17 @@ var ValidationError = class extends CloseLoopError {
   }
 };
 
+// src/utils/query.ts
+function buildQueryString(params) {
+  const query = new URLSearchParams();
+  for (const [key, value] of Object.entries(params)) {
+    if (value !== void 0) {
+      query.set(key, String(value));
+    }
+  }
+  return query.toString();
+}
+
 // src/utils/validation.ts
 function validateInput(schema, data) {
   const result = schema.safeParse(data);
@@ -234,8 +250,7 @@ var Balances = class {
    * @example
    * ```typescript
    * const balance = await client.balances.get({
-   *   walletAddress: "0x1234...",
-   *   planId: "plan_abc123"
+   *   walletAddress: "0x1234..."
    * })
    *
    * if (balance) {
@@ -248,9 +263,9 @@ var Balances = class {
    */
   async get(params) {
     const validated = validateInput(getBalanceSchema, params);
-    const query = this.buildQueryString({
+    const query = buildQueryString({
       walletAddress: validated.walletAddress,
-      plan: validated.planId
+      productId: validated.productId
     });
     try {
       return await this.http.request({
@@ -276,7 +291,7 @@ var Balances = class {
    * })
    *
    * for (const balance of balances) {
-   *   console.log(`${balance.planName}: ${balance.remainingCredits} credits`)
+   *   console.log(`${balance.totalCredits}: ${balance.remainingCredits} credits`)
    * }
    *
    * // Paginate if needed
@@ -292,7 +307,7 @@ var Balances = class {
    */
   async list(params) {
     const validated = validateInput(listBalancesSchema, params);
-    const query = this.buildQueryString({
+    const query = buildQueryString({
       walletAddress: validated.walletAddress,
       activeOnly: validated.activeOnly,
       limit: validated.limit,
@@ -323,7 +338,7 @@ var Balances = class {
    */
   async transactions(params) {
     const validated = validateInput(listTransactionsSchema, params);
-    const query = this.buildQueryString({
+    const query = buildQueryString({
       type: validated.type,
       limit: validated.limit,
       cursor: validated.cursor
@@ -340,42 +355,32 @@ var Balances = class {
    *
    * @example
    * ```typescript
-   * const stats = await client.balances.stats("0x1234...")
+   * const stats = await client.balances.stats({
+   *   walletAddress: "0x1234...",
+   *   productId: "prod_123"
+   * })
    * console.log(`Total: ${stats.totalCredits}, Used: ${stats.totalUsed}`)
    * ```
    *
    * @throws {CloseLoopError} When input validation fails
    */
-  async stats(walletAddress) {
-    validateInput(walletAddressSchema, walletAddress);
-    const query = this.buildQueryString({ walletAddress });
+  async stats(params) {
+    validateInput(getStatsSchema, params);
+    const query = buildQueryString({
+      walletAddress: params.walletAddress,
+      productId: params.productId
+    });
     return this.http.request({
       method: "GET",
       path: `${ENDPOINTS.STATS}?${query}`
     });
   }
-  // ==========================================================================
-  // Private Helpers
-  // ==========================================================================
-  /**
-   * Build URL query string from params, filtering out undefined values
-   */
-  buildQueryString(params) {
-    const query = new URLSearchParams();
-    for (const [key, value] of Object.entries(params)) {
-      if (value !== void 0) {
-        query.set(key, String(value));
-      }
-    }
-    return query.toString();
-  }
 };
 
 // src/resources/credits.ts
 var ENDPOINTS2 = {
   VERIFY: "/api/credit/verify",
-  CONSUME: "/api/credit/consume",
-  BATCH_CONSUME: "/api/credit/consume/batch"
+  CONSUME: "/api/credit/consume"
 };
 var Credits = class {
   constructor(http) {
@@ -388,11 +393,10 @@ var Credits = class {
    * ```typescript
    * const result = await client.credits.verify({
    *   walletAddress: "0x1234...",
-   *   planId: "plan_abc123",
    *   amount: 10
    * })
    *
-   * if (result.hasEnoughCredits) {
+   * if (result.hasEnough) {
    *   // Proceed with service
    * }
    * ```
@@ -414,7 +418,6 @@ var Credits = class {
    * ```typescript
    * const result = await client.credits.consume({
    *   walletAddress: "0x1234...",
-   *   planId: "plan_abc123",
    *   amount: 1,
    *   consumedBy: "ai-generation",
    *   metadata: { requestId: "req_xyz" }
@@ -437,18 +440,22 @@ var Credits = class {
     });
   }
   /**
-   * Verify and consume credits in a single atomic operation.
-   * This is useful when you want to ensure credits are available
-   * before consuming them, without race conditions.
+   * Verify and consume credits in a two-step operation.
+   *
+   * **Important**: This method performs TWO separate API calls (verify, then consume).
+   * There is a potential race condition between the verify and consume steps where
+   * another request could consume credits. For critical operations, consider:
+   * - Using an `idempotencyKey` to prevent duplicate consumption
+   * - Implementing server-side locking if your use case requires strict atomicity
    *
    * @example
    * ```typescript
    * try {
    *   const result = await client.credits.verifyAndConsume({
    *     walletAddress: "0x1234...",
-   *     planId: "plan_abc123",
    *     amount: 5,
-   *     consumedBy: "batch-processing"
+   *     consumedBy: "batch-processing",
+   *     idempotencyKey: "unique-request-id" // Recommended for safety
    *   })
    *   // Credits were verified and consumed
    * } catch (error) {
@@ -469,8 +476,8 @@ var Credits = class {
       path: ENDPOINTS2.VERIFY,
       body: {
         walletAddress: validated.walletAddress,
-        planId: validated.planId,
-        amount: validated.amount
+        amount: validated.amount,
+        productId: validated.productId
       }
     });
     this.assertCreditsAvailable(verification, validated.amount);
@@ -481,39 +488,6 @@ var Credits = class {
       headers: this.buildIdempotencyHeaders(validated.idempotencyKey)
     });
   }
-  /**
-   * Consume credits in batch.
-   *
-   * @example
-   * ```typescript
-   * const result = await client.credits.batchConsume({
-   *   operations: [
-   *     { walletAddress: "0x1234...", planId: "plan_a", amount: 1 },
-   *     { walletAddress: "0x5678...", planId: "plan_b", amount: 2 }
-   *   ],
-   *   atomic: false // Allow partial success
-   * })
-   *
-   * console.log(`Success: ${result.successCount}, Failed: ${result.failedCount}`)
-   * ```
-   *
-   * @throws {CloseLoopError} When input validation fails
-   */
-  async batchConsume(params) {
-    const validated = validateInput(batchConsumeSchema, params);
-    const sanitizedOperations = validated.operations.map((op) => ({
-      ...op,
-      metadata: sanitizeMetadata(op.metadata)
-    }));
-    return this.http.request({
-      method: "POST",
-      path: ENDPOINTS2.BATCH_CONSUME,
-      body: {
-        operations: sanitizedOperations,
-        atomic: validated.atomic
-      }
-    });
-  }
   // ==========================================================================
   // Private Helpers
   // ==========================================================================
@@ -523,8 +497,8 @@ var Credits = class {
   buildConsumeBody(validated) {
     return {
       walletAddress: validated.walletAddress,
-      planId: validated.planId,
       amount: validated.amount,
+      productId: validated.productId,
       consumedBy: validated.consumedBy,
       metadata: sanitizeMetadata(validated.metadata)
     };
@@ -540,9 +514,9 @@ var Credits = class {
    * Assert credits are available, throw typed errors if not
    */
   assertCreditsAvailable(verification, requiredAmount) {
-    if (!verification.hasEnoughCredits) {
+    if (!verification.hasEnough) {
       throw new InsufficientCreditsError(
-        verification.remainingCredits,
+        verification.totalRemaining,
         requiredAmount
       );
     }
@@ -572,7 +546,8 @@ function verifySignature(payload, signature, secret) {
 var ERROR_CODES = {
   VALIDATION: "VALIDATION_ERROR",
   INVALID_SIGNATURE: "INVALID_SIGNATURE",
-  INVALID_PAYLOAD: "INVALID_PAYLOAD"
+  INVALID_PAYLOAD: "INVALID_PAYLOAD",
+  TIMESTAMP_EXPIRED: "TIMESTAMP_EXPIRED"
 };
 var Webhooks = class {
   /**
@@ -626,7 +601,10 @@ var Webhooks = class {
     const payloadString = this.normalizePayload(params.payload);
     this.verifySignatureOrThrow(payloadString, params.signature, params.secret);
     const parsed = this.parseJsonOrThrow(payloadString);
-    return this.validateEventStructure(parsed);
+    const event = this.validateEventStructure(parsed);
+    const tolerance = params.toleranceSeconds ?? WEBHOOK_TIMESTAMP_TOLERANCE_SECONDS;
+    this.validateTimestamp(event.createdAt, tolerance);
+    return event;
   }
   /**
    * Type guard for payment.success events
@@ -746,7 +724,29 @@ var Webhooks = class {
         400
       );
     }
-    return result.data;
+    const validatedData = result.data;
+    return {
+      id: validatedData.id,
+      type: validatedData.type,
+      createdAt: validatedData.createdAt,
+      data: validatedData.data
+    };
+  }
+  /**
+   * Validate webhook timestamp to prevent replay attacks
+   * Rejects webhooks older than the specified tolerance
+   */
+  validateTimestamp(createdAt, toleranceSeconds) {
+    const eventTime = new Date(createdAt).getTime();
+    const now = Date.now();
+    const ageSeconds = (now - eventTime) / 1e3;
+    if (ageSeconds > toleranceSeconds || ageSeconds < -60) {
+      throw new CloseLoopError(
+        `Webhook timestamp expired or invalid. Event age: ${Math.round(ageSeconds)}s, tolerance: ${toleranceSeconds}s`,
+        ERROR_CODES.TIMESTAMP_EXPIRED,
+        400
+      );
+    }
   }
 };
 
@@ -847,8 +847,10 @@ var CloseLoop = class {
    */
   webhooks;
   constructor(options) {
-    if (!options.apiKey) {
-      throw new Error("CloseLoop API key is required");
+    if (!options.apiKey || typeof options.apiKey !== "string" || options.apiKey.trim().length < 10) {
+      throw new AuthenticationError(
+        "CloseLoop API key is required and must be at least 10 characters"
+      );
     }
     const baseUrl = options.baseUrl ?? DEFAULT_BASE_URL;
     this.httpClient = new HttpClient({