@gr4vy/sdk 2.1.2 → 2.1.3

package/tests/processing/payment-methods.test.ts

@@ -0,0 +1,121 @@
+import { beforeAll, describe, expect, test } from "vitest";
+import { Gr4vy } from "../../src";
+import { buyer, cardPaymentMethod } from "../utils/fixtures";
+import { setupMerchant } from "../utils/setup";
+
+let gr4vy: Gr4vy;
+
+beforeAll(async () => {
+  ({ client: gr4vy } = await setupMerchant());
+});
+
+const storeCard = () => gr4vy.paymentMethods.create(cardPaymentMethod());
+
+describe("Payment Methods", () => {
+  test("create → get → list → delete", async () => {
+    const created = await storeCard();
+    expect(created.id).toBeDefined();
+    expect(created.method).toBe("card");
+
+    const fetched = await gr4vy.paymentMethods.get(created.id);
+    expect(fetched.id).toBe(created.id);
+
+    const page = await gr4vy.paymentMethods.list({});
+    expect(page).toBeDefined();
+
+    await gr4vy.paymentMethods.delete(created.id);
+    await expect(() => gr4vy.paymentMethods.get(created.id)).rejects.toThrow();
+  });
+
+  test("update changes only the expiration date (partial)", async () => {
+    const created = await storeCard();
+    const updated = await gr4vy.paymentMethods.update(
+      { expirationDate: "12/30" },
+      created.id
+    );
+    expect(updated.id).toBe(created.id);
+    expect(updated.expirationDate).toBe("12/30");
+  });
+
+  test("can be stored against a buyer", async () => {
+    const owner = await gr4vy.buyers.create(buyer());
+    const method = await gr4vy.paymentMethods.create({
+      ...cardPaymentMethod(),
+      buyerId: owner.id,
+    });
+    expect(method.buyer?.id).toBe(owner.id);
+  });
+
+  describe("network tokens", () => {
+    test("listing tokens for a fresh card returns an empty collection", async () => {
+      const card = await storeCard();
+      const tokens = await gr4vy.paymentMethods.networkTokens.list(card.id);
+      expect(Array.isArray(tokens.items)).toBe(true);
+    });
+
+    // Provisioning a network token (and the suspend/resume/delete/cryptogram
+    // operations that follow it) requires the merchant account to be onboarded
+    // with the card schemes (Visa/Mastercard requestor IDs) — not available on
+    // the mock merchant. Each call is asserted to be well-formed and rejected by
+    // the API for a real reason rather than silently skipping coverage.
+    test("provision / suspend / resume / delete / cryptogram are exercised at the request level", async () => {
+      const card = await storeCard();
+      const bogusToken = "00000000-0000-0000-0000-000000000000";
+
+      await expect(
+        gr4vy.paymentMethods.networkTokens.create(
+          { merchantInitiated: true, isSubsequentPayment: false },
+          card.id
+        )
+      ).rejects.toThrow();
+
+      await expect(
+        gr4vy.paymentMethods.networkTokens.suspend(card.id, bogusToken)
+      ).rejects.toThrow();
+      await expect(
+        gr4vy.paymentMethods.networkTokens.resume(card.id, bogusToken)
+      ).rejects.toThrow();
+      await expect(
+        gr4vy.paymentMethods.networkTokens.delete(card.id, bogusToken)
+      ).rejects.toThrow();
+      await expect(
+        gr4vy.paymentMethods.networkTokens.cryptogram.create(
+          { merchantInitiated: true },
+          card.id,
+          bogusToken
+        )
+      ).rejects.toThrow();
+    });
+  });
+
+  describe("payment service tokens", () => {
+    test("listing service tokens for a fresh card returns a collection", async () => {
+      const card = await storeCard();
+      const tokens = await gr4vy.paymentMethods.paymentServiceTokens.list(
+        card.id
+      );
+      expect(Array.isArray(tokens.items)).toBe(true);
+    });
+
+    // Creating/deleting a service token requires a tokenization-capable service,
+    // which mock-card is not; exercise the call shape at the request level.
+    test("create and delete are exercised at the request level", async () => {
+      const card = await storeCard();
+      await expect(
+        gr4vy.paymentMethods.paymentServiceTokens.create(
+          {
+            paymentServiceId: "00000000-0000-0000-0000-000000000000",
+            redirectUrl: "https://example.com/return",
+          },
+          card.id
+        )
+      ).rejects.toThrow();
+      await expect(
+        gr4vy.paymentMethods.paymentServiceTokens.delete(
+          card.id,
+          "00000000-0000-0000-0000-000000000000"
+        )
+      ).rejects.toThrow();
+    });
+  });
+});

package/tests/processing/transactions.test.ts

@@ -0,0 +1,118 @@
+import fc from "fast-check";
+import { beforeAll, describe, expect, test } from "vitest";
+import { Gr4vy } from "../../src";
+import { amount, currency, fcParams, metadata } from "../utils/arbitraries";
+import { buyer, cardPaymentMethod, uniqueId } from "../utils/fixtures";
+import { authorizeViaCheckoutSession } from "../utils/transactions";
+import { setupMerchant } from "../utils/setup";
+
+let gr4vy: Gr4vy;
+
+beforeAll(async () => {
+  ({ client: gr4vy } = await setupMerchant());
+});
+
+// There are two ways to start processing a payment:
+//   1. via a checkout session (covered throughout — see the lifecycle flow and
+//      the helper authorizeViaCheckoutSession), and
+//   2. by posting payment-method details directly to POST /transactions.
+// This block covers entry point (2) — both raw card details and a stored token.
+describe("Transaction entry points", () => {
+  test("creates a transaction with card details posted directly", async () => {
+    const transaction = await gr4vy.transactions.create({
+      amount: 1299,
+      currency: "USD",
+      externalIdentifier: uniqueId("txn"),
+      paymentMethod: cardPaymentMethod(),
+    });
+    expect(transaction.status).toBe("authorization_succeeded");
+    expect(transaction.amount).toBe(1299);
+  });
+
+  test("direct card details can be vaulted against a buyer with store=true", async () => {
+    const owner = await gr4vy.buyers.create(buyer());
+
+    const transaction = await gr4vy.transactions.create({
+      amount: 1299,
+      currency: "USD",
+      buyerId: owner.id,
+      store: true,
+      externalIdentifier: uniqueId("txn"),
+      paymentMethod: cardPaymentMethod(),
+    });
+    expect(transaction.status).toBe("authorization_succeeded");
+
+    // The vaulted method is now reusable as a stored token.
+    const stored = await gr4vy.buyers.paymentMethods.list({ buyerId: owner.id });
+    expect(stored.items.length).toBeGreaterThanOrEqual(1);
+
+    const reused = await gr4vy.transactions.create({
+      amount: 500,
+      currency: "USD",
+      externalIdentifier: uniqueId("txn"),
+      paymentMethod: { method: "id", id: stored.items[0]!.id, securityCode: "123" },
+    });
+    expect(reused.status).toBe("authorization_succeeded");
+  });
+});
+
+describe("Transactions", () => {
+  test("get and list reflect a created transaction", async () => {
+    const created = await authorizeViaCheckoutSession(gr4vy, 1299);
+
+    const fetched = await gr4vy.transactions.get(created.id);
+    expect(fetched.id).toBe(created.id);
+
+    const page = await gr4vy.transactions.list({});
+    expect(page).toBeDefined();
+  });
+
+  test("update overrides metadata and external identifier (partial)", async () => {
+    const created = await authorizeViaCheckoutSession(gr4vy, 1299, {
+      metadata: { original: "value" },
+    });
+
+    const newExternalIdentifier = uniqueId("txn-updated");
+    const updated = await gr4vy.transactions.update(
+      {
+        metadata: { updated: "value" },
+        externalIdentifier: newExternalIdentifier,
+      },
+      created.id
+    );
+    expect(updated.metadata?.["updated"]).toBe("value");
+    // metadata is fully replaced on update, per the API contract.
+    expect(updated.metadata?.["original"]).toBeUndefined();
+    expect(updated.externalIdentifier).toBe(newExternalIdentifier);
+  });
+
+  // Property: any accepted amount/currency authorises and the response echoes
+  // the amount and currency we sent.
+  test("authorizes across a range of amounts and echoes them back", async () => {
+    await fc.assert(
+      fc.asyncProperty(amount(), currency(), async (amt, cur) => {
+        const transaction = await authorizeViaCheckoutSession(gr4vy, amt, {
+          currency: cur,
+        });
+        expect(transaction.status).toBe("authorization_succeeded");
+        expect(transaction.amount).toBe(amt);
+        expect(transaction.currency).toBe(cur);
+      }),
+      fcParams(5)
+    );
+  });
+
+  // Property: arbitrary mixed-case metadata survives the create → get round-trip.
+  test("metadata round-trips through create and get unchanged", async () => {
+    await fc.assert(
+      fc.asyncProperty(metadata(), async (meta) => {
+        const created = await authorizeViaCheckoutSession(gr4vy, 1299, {
+          metadata: meta,
+        });
+        const fetched = await gr4vy.transactions.get(created.id);
+        expect(fetched.metadata).toEqual(meta);
+      }),
+      fcParams(4)
+    );
+  });
+});

package/tests/utils/arbitraries.ts

@@ -0,0 +1,87 @@
+import fc from "fast-check";
+import { Address, BillingDetails, CartItem } from "../../src/models/components";
+
+/**
+ * Shared fast-check parameters for E2E property tests. `numRuns` is deliberately
+ * small because every run is a real network round-trip — we want broad-ish input
+ * coverage without blowing the CI time budget. The seed is fixed (overridable via
+ * `FC_SEED`) so a failing case is reproducible from the CI logs.
+ */
+const DEFAULT_SEED = 42;
+
+// Use FC_SEED when it parses to a real number; otherwise fall back to the
+// default so a non-numeric env value (common in CI templating) can't turn the
+// seed into NaN and make fast-check behave unexpectedly.
+const resolveSeed = (): number => {
+  const raw = process.env["FC_SEED"];
+  if (!raw) return DEFAULT_SEED;
+  const parsed = Number(raw);
+  return Number.isFinite(parsed) ? parsed : DEFAULT_SEED;
+};
+
+export const fcParams = <Ts = unknown>(numRuns = 5): fc.Parameters<Ts> => ({
+  numRuns,
+  seed: resolveSeed(),
+});
+
+/** Minor-unit amount the mock connector reliably authorises. */
+export const amount = (): fc.Arbitrary<number> =>
+  fc.integer({ min: 50, max: 100_000 });
+
+/** Currencies the test merchant's `mock-card` service accepts. */
+export const currency = (): fc.Arbitrary<string> => fc.constantFrom("USD");
+
+/** Countries the test merchant's `mock-card` service accepts. */
+export const country = (): fc.Arbitrary<string> => fc.constantFrom("US");
+
+/**
+ * Metadata maps mixing camelCase and snake_case keys, to exercise the
+ * snakecase-keys serialisation boundary the way the auth/embed tests do. Values
+ * are always strings to match the transaction metadata type.
+ */
+export const metadata = (): fc.Arbitrary<Record<string, string>> =>
+  fc.dictionary(
+    fc.oneof(
+      fc.constantFrom("orderId", "campaign", "noteForOps"),
+      fc.constantFrom("order_id", "campaign_ref", "internal_note")
+    ),
+    fc.string({ minLength: 1, maxLength: 40 }),
+    { minKeys: 1, maxKeys: 4 }
+  );
+
+/** Human-ish names with the odd unicode/whitespace edge case. */
+export const name = (): fc.Arbitrary<string> =>
+  fc
+    .string({ minLength: 1, maxLength: 30 })
+    .filter((s) => s.trim().length > 0);
+
+export const addressArb = (): fc.Arbitrary<Address> =>
+  fc.record(
+    {
+      city: fc.constantFrom("London", "Paris", "Berlin", "San Francisco"),
+      country: country(),
+      postalCode: fc.constantFrom("94110", "10001", "SW1A 1AA"),
+      state: fc.constantFrom("CA", "NY", "TX"),
+      line1: fc.string({ minLength: 1, maxLength: 50 }),
+      line2: fc.option(fc.string({ maxLength: 20 }), { nil: undefined }),
+    },
+    { requiredKeys: ["country", "line1"] }
+  );
+
+export const billingDetailsArb = (): fc.Arbitrary<BillingDetails> =>
+  fc.record(
+    {
+      firstName: name(),
+      lastName: name(),
+      emailAddress: fc.emailAddress(),
+      address: addressArb(),
+    },
+    { requiredKeys: ["firstName", "lastName"] }
+  );
+
+export const cartItemArb = (): fc.Arbitrary<CartItem> =>
+  fc.record({
+    name: name(),
+    quantity: fc.integer({ min: 1, max: 5 }),
+    unitAmount: fc.integer({ min: 1, max: 5_000 }),
+  });

package/tests/utils/fields.ts

@@ -0,0 +1,65 @@
+import { CheckoutSession } from "../../src/models/components";
+
+const FIELDS_BASE_URL = "https://api.sandbox.e2e.gr4vy.app";
+
+/**
+ * Submits payment-method fields to a checkout session.
+ *
+ * `PUT /checkout/sessions/{id}/fields` is an Embed/secure-fields endpoint that is
+ * intentionally not exposed through the SDK (it is normally called by the
+ * client-side SDKs, not the server SDK). The original checkout-sessions test
+ * called it inline with a raw `fetch`; this helper centralises that so the
+ * lifecycle flows can tokenise a card into a session without duplicating it.
+ *
+ * Returns nothing; throws if the API does not return the expected `204`.
+ */
+const putFields = async (
+  session: CheckoutSession,
+  paymentMethod: Record<string, unknown>
+): Promise<void> => {
+  const response = await fetch(
+    `${FIELDS_BASE_URL}/checkout/sessions/${session.id}/fields`,
+    {
+      method: "PUT",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ payment_method: paymentMethod }),
+    }
+  );
+
+  if (response.status !== 204) {
+    const body = await response.text().catch(() => "");
+    throw new Error(
+      `Unexpected status ${response.status} submitting checkout session fields: ${body}`
+    );
+  }
+};
+
+export interface RawCard {
+  number: string;
+  expiration_date: string;
+  security_code: string;
+}
+
+/** Tokenises a raw card into the checkout session. */
+export const putCheckoutSessionCard = (
+  session: CheckoutSession,
+  card: RawCard
+): Promise<void> =>
+  putFields(session, {
+    method: "card",
+    number: card.number,
+    expiration_date: card.expiration_date,
+    security_code: card.security_code,
+  });
+
+/** Attaches a previously stored payment method to the checkout session. */
+export const putCheckoutSessionStoredMethod = (
+  session: CheckoutSession,
+  paymentMethodId: string,
+  securityCode?: string
+): Promise<void> =>
+  putFields(session, {
+    method: "id",
+    id: paymentMethodId,
+    ...(securityCode ? { security_code: securityCode } : {}),
+  });

package/tests/utils/fixtures.ts

@@ -0,0 +1,84 @@
+import crypto from "crypto";
+import {
+  Address,
+  BillingDetails,
+  BuyerCreate,
+  CardPaymentMethodCreate,
+  CartItem,
+  Transaction,
+} from "../../src/models/components";
+import { RawCard } from "./fields";
+
+/**
+ * Capture/void/cancel return either a bare {@link Transaction} or a wrapper that
+ * nests it under `transaction` (depending on the `Prefer` header). This narrows
+ * both shapes to the underlying transaction.
+ */
+export const unwrapTransaction = (
+  result: Transaction | { transaction: Transaction }
+): Transaction => ("transaction" in result ? result.transaction : result);
+
+/**
+ * Generates a process-unique identifier. Namespaced with a random suffix so
+ * external identifiers never collide across parallel test files / CI shards.
+ */
+export const uniqueId = (prefix = "ts-e2e"): string =>
+  `${prefix}-${crypto.randomBytes(6).toString("hex")}`;
+
+/**
+ * The `mock-card` connector used by the test merchant accepts this Visa test
+ * number and authorises it. Used both as raw fields (checkout sessions) and as
+ * an SDK `CardPaymentMethodCreate`.
+ */
+export const APPROVING_CARD: RawCard = {
+  number: "4111111111111111",
+  // Far-future expiry so the fixture never lapses and gets rejected as expired.
+  expiration_date: "12/35",
+  security_code: "123",
+};
+
+export const cardPaymentMethod = (
+  overrides: Partial<CardPaymentMethodCreate> = {}
+): CardPaymentMethodCreate => ({
+  method: "card",
+  number: APPROVING_CARD.number,
+  expirationDate: APPROVING_CARD.expiration_date,
+  securityCode: APPROVING_CARD.security_code,
+  ...overrides,
+});
+
+export const address = (overrides: Partial<Address> = {}): Address => ({
+  city: "London",
+  country: "US",
+  postalCode: "94110",
+  state: "CA",
+  line1: "123 Example Street",
+  line2: "Apt 4",
+  organization: "Gr4vy",
+  ...overrides,
+});
+
+export const billingDetails = (
+  overrides: Partial<BillingDetails> = {}
+): BillingDetails => ({
+  firstName: "John",
+  lastName: "Doe",
+  emailAddress: "john.doe@example.com",
+  phoneNumber: "+14155551234",
+  address: address(),
+  ...overrides,
+});
+
+export const buyer = (overrides: Partial<BuyerCreate> = {}): BuyerCreate => ({
+  displayName: "John Doe",
+  externalIdentifier: uniqueId("buyer"),
+  billingDetails: billingDetails(),
+  ...overrides,
+});
+
+export const cartItem = (overrides: Partial<CartItem> = {}): CartItem => ({
+  name: "Joust Duffle Bag",
+  quantity: 1,
+  unitAmount: 1299,
+  ...overrides,
+});

package/tests/utils/poll.ts

@@ -0,0 +1,40 @@
+export interface PollOptions {
+  /** Maximum total time to wait before giving up. Defaults to 20s. */
+  timeoutMs?: number;
+  /** Delay between attempts. Defaults to 1s. */
+  intervalMs?: number;
+  /** Label used in the timeout error message. */
+  description?: string;
+}
+
+/**
+ * Repeatedly calls `fetchFn` until `predicate` returns true, then resolves with
+ * the last fetched value. Used for the eventually-consistent endpoints in the
+ * lifecycle flows (a capture settling, a report execution finishing, a payout
+ * status advancing) so tests don't race ahead of the backend. Bounded by
+ * `timeoutMs` so a stuck state fails fast instead of hanging the worker.
+ */
+export const pollUntil = async <T>(
+  fetchFn: () => Promise<T>,
+  predicate: (value: T) => boolean,
+  options: PollOptions = {}
+): Promise<T> => {
+  const { timeoutMs = 20_000, intervalMs = 1_000, description = "condition" } =
+    options;
+  const deadline = Date.now() + timeoutMs;
+  let last: T;
+
+  do {
+    last = await fetchFn();
+    if (predicate(last)) {
+      return last;
+    }
+    await new Promise((resolve) => setTimeout(resolve, intervalMs));
+  } while (Date.now() < deadline);
+
+  throw new Error(
+    `Timed out after ${timeoutMs}ms waiting for ${description}. Last value: ${JSON.stringify(
+      last!
+    )}`
+  );
+};

package/tests/utils/setup.ts

@@ -5,7 +5,7 @@ import { Gr4vy, withToken } from "../../src";
 import { HTTPClient } from "../../src/lib/http";
 
 const loadPrivateKey = (): string => {
-  let privateKey = process.env.PRIVATE_KEY;
+  let privateKey = process.env["PRIVATE_KEY"];
 
   if (!privateKey) {
     const filename = path.resolve(__dirname, "./../../private_key.pem");
@@ -15,12 +15,44 @@ const loadPrivateKey = (): string => {
   return privateKey;
 };
 
+// When GR4VY_TRACK_HTTP is set (the CI coverage job sets it), record every
+// outgoing request's method + path. scripts/endpoint-coverage.mjs uses these to
+// compute endpoint reach from *observed HTTP calls* rather than statement
+// coverage, so an operation only counts as reached if a request was actually
+// sent. Each worker writes its own file to avoid cross-process races.
+const httpLogDir = path.resolve(__dirname, "./../../coverage/http");
+let httpLogFile: string | undefined;
+const recordHttpCall = (method: string, url: string): void => {
+  if (!process.env["GR4VY_TRACK_HTTP"]) return;
+  try {
+    if (!httpLogFile) {
+      fs.mkdirSync(httpLogDir, { recursive: true });
+      const suffix = crypto.randomBytes(4).toString("hex");
+      httpLogFile = path.join(httpLogDir, `calls-${process.pid}-${suffix}.jsonl`);
+    }
+    const pathname = new URL(url).pathname;
+    // Fire-and-forget async append: keeps instrumentation off the request hot
+    // path (no synchronous I/O blocking the event loop). O_APPEND keeps each
+    // small line atomic, and errors are ignored — this is best-effort tracking.
+    fs.appendFile(
+      httpLogFile,
+      JSON.stringify({ method, pathname }) + "\n",
+      () => {}
+    );
+  } catch {
+    // best-effort instrumentation; never fail a test because of it
+  }
+};
+
 const httpClient = new HTTPClient({
   /**
    * Adds a custom HTTP client that inserts random fields in the response,
-   * ensuring we test for forward compatibility. 
+   * ensuring we test for forward compatibility.
    */
   fetcher: async (request) => {
+    if (request instanceof Request) {
+      recordHttpCall(request.method, request.url);
+    }
     const originalResponse = await fetch(request);
     const contentType = originalResponse.headers.get("content-type");
     if (!contentType || !contentType.includes("application/json")) {
@@ -50,7 +82,7 @@ const httpClient = new HTTPClient({
   },
 });
 
-const createGr4vyClient = (
+export const createGr4vyClient = (
   privateKey: string,
   merchantAccountId?: string
 ): Gr4vy => {
@@ -63,8 +95,22 @@ const createGr4vyClient = (
   });
 };
 
-export const setupEnvironment = async (): Promise<Gr4vy> => {
-  // Create a merchant account
+export interface TestMerchant {
+  /** Merchant-scoped client, with a `mock-card` payment service provisioned. */
+  client: Gr4vy;
+  /** The randomly generated merchant account id this client is scoped to. */
+  merchantAccountId: string;
+  /** The private key, for spinning up additional clients in the same suite. */
+  privateKey: string;
+}
+
+/**
+ * Provisions an isolated merchant account with a `mock-card` payment service and
+ * returns a merchant-scoped client plus its identifiers. Each test file should
+ * call this once in `beforeAll` so files never share state and can run in
+ * parallel across vitest workers / CI shards.
+ */
+export const setupMerchant = async (): Promise<TestMerchant> => {
   const privateKey = loadPrivateKey();
   const adminClient = createGr4vyClient(privateKey);
   const merchantAccountId = crypto.randomBytes(8).toString("hex");
@@ -72,9 +118,8 @@ export const setupEnvironment = async (): Promise<Gr4vy> => {
     id: merchantAccountId,
     displayName: merchantAccountId,
   });
-  const merchantClient = createGr4vyClient(privateKey, merchantAccount.id);
-  // Setup a payment service
-  await merchantClient.paymentServices.create({
+  const client = createGr4vyClient(privateKey, merchantAccount.id);
+  await client.paymentServices.create({
     acceptedCountries: ["US"],
     acceptedCurrencies: ["USD"],
     displayName: "Payment service",
@@ -82,9 +127,20 @@ export const setupEnvironment = async (): Promise<Gr4vy> => {
     fields: [{ key: "merchant_id", value: "test" }],
   });
 
-  return merchantClient;
+  return { client, merchantAccountId: merchantAccount.id, privateKey };
+};
+
+/**
+ * Back-compat helper used by the original suites: returns only the merchant
+ * client. New suites should prefer {@link setupMerchant} when they need the
+ * merchant id (e.g. to namespace external identifiers).
+ */
+export const setupEnvironment = async (): Promise<Gr4vy> => {
+  const { client } = await setupMerchant();
+  return client;
 };
 
 export const cleanupEnvironment = async (): Promise<void> => {
-  // no-op
+  // Merchant accounts in the sandbox are disposable and left in place; there is
+  // no public delete endpoint for them, so cleanup is intentionally a no-op.
 };

package/tests/utils/transactions.ts

@@ -0,0 +1,26 @@
+import { Gr4vy } from "../../src";
+import { Transaction, TransactionCreate } from "../../src/models/components";
+import { APPROVING_CARD, uniqueId } from "./fixtures";
+import { putCheckoutSessionCard } from "./fields";
+
+/**
+ * Authorises (or captures) a transaction the way a real integration does: open a
+ * checkout session, tokenise the approving test card into it, then create the
+ * transaction against that session. Extra `TransactionCreate` fields can be
+ * merged in via `overrides`.
+ */
+export const authorizeViaCheckoutSession = async (
+  client: Gr4vy,
+  amount: number,
+  overrides: Partial<TransactionCreate> = {}
+): Promise<Transaction> => {
+  const session = await client.checkoutSessions.create();
+  await putCheckoutSessionCard(session, APPROVING_CARD);
+  return client.transactions.create({
+    amount,
+    currency: "USD",
+    externalIdentifier: uniqueId("txn"),
+    ...overrides,
+    paymentMethod: { method: "checkout-session", id: session.id },
+  });
+};