@havenpay/server 1.0.0

package/LICENSE

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2025 7Haven
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

package/README.md

@@ -0,0 +1,160 @@
+# Havenpay Server SDK
+
+Backend-only TypeScript SDK for Havenpay merchant integrations.
+
+This package is for trusted server runtimes only. It uses secret API keys, server-side webhook verification, and management APIs that must never be imported by `@havenpay/web` or `@havenpay/react-native`.
+
+## Implemented Surface
+
+```ts
+import { Havenpay } from '@havenpay/server'
+
+const _havenpay = new Havenpay({
+  secretKey: process.env.HAVENPAY_SECRET_KEY!,
+  apiVersion: '2026-05-24.haven',
+})
+
+const _intent = await havenpay.paymentIntents.create({
+  projectId: 'proj_...',
+  amount: 1000,
+  currency: 'usd',
+  customer: { phone: '+263771234567' },
+  mobileMoney: { provider: 'fake', phone: '+263771234567' },
+  idempotencyKey: crypto.randomUUID(),
+})
+```
+
+Available resources:
+
+- `accounts.create/list/update`
+- `apiKeys.create/list/revoke`
+- `balanceTransactions.list`
+- `events.list/replay`
+- `paymentIntents.create/retrieve`
+- `projects.create/list/update/archive/getConfig`
+- `providerAccounts.create/list/rotate/revoke`
+- `refunds.create/retrieve/list`
+- `webhookEndpoints.create/list/update/delete`
+- `webhooks.constructEvent`
+
+## Error Handling
+
+Non-2xx REST responses throw `HavenpayApiError`. The class extends `Error` and preserves the legacy message format:
+
+```text
+Havenpay API Error: <status> <body>
+```
+
+It also exposes:
+
+- `status`
+- `requestId`
+- `body`
+- `error`
+- `type`
+- `code`
+
+```ts
+import { HavenpayApiError } from '@havenpay/server'
+
+try {
+  await havenpay.paymentIntents.retrieve('pi_missing')
+}
+catch (error) {
+  if (error instanceof HavenpayApiError) {
+    console.error(error.status, error.requestId, error.code)
+  }
+}
+```
+
+Configured request timeouts throw `HavenpayTimeoutError`:
+
+```ts
+import { HavenpayTimeoutError } from '@havenpay/server'
+
+try {
+  await havenpay.paymentIntents.retrieve('pi_slow')
+}
+catch (error) {
+  if (error instanceof HavenpayTimeoutError) {
+    console.error(error.timeoutMs)
+  }
+}
+```
+
+## Retry Policy
+
+Retries are disabled by default. Configure `retry` to retry network failures and HTTP 5xx responses with exponential backoff:
+
+```ts
+const _havenpay = new Havenpay({
+  secretKey: process.env.HAVENPAY_SECRET_KEY!,
+  retry: {
+    maxAttempts: 3,
+    initialDelayMs: 100,
+    maxDelayMs: 2000,
+  },
+})
+```
+
+- Safe reads may retry.
+- Mutating requests retry only when they carry an `Idempotency-Key`.
+- Do not retry validation, authentication, authorization, tenant-scope, or not-found errors without changing the request or credentials.
+
+## API-Version Pinning
+
+Set `apiVersion` to send `X-Haven-API-Version` on server SDK REST requests:
+
+```ts
+const _havenpay = new Havenpay({
+  secretKey: process.env.HAVENPAY_SECRET_KEY!,
+  apiVersion: '2026-05-24.haven',
+})
+```
+
+## Timeouts
+
+Set `timeoutMs` to apply a per-attempt timeout to server SDK REST requests:
+
+```ts
+const _havenpay = new Havenpay({
+  secretKey: process.env.HAVENPAY_SECRET_KEY!,
+  timeoutMs: 30000,
+})
+```
+
+Caller-provided abort signals are preserved by the shared request helper and are not converted into timeout errors.
+
+## Observability
+
+Set `onRequestEvent` to receive redacted server SDK request lifecycle events:
+
+```ts
+const _havenpay = new Havenpay({
+  secretKey: process.env.HAVENPAY_SECRET_KEY!,
+  onRequestEvent: (event) => {
+    console.info(event.type, event.operationName, event.requestId, event.status)
+  },
+})
+```
+
+Events include method, path, generated operation name, attempt, status, error kind, and API response request ID only. They do not include headers, request bodies, API keys, idempotency keys, provider credentials, webhook secrets, or client secrets.
+
+## Webhook Verification
+
+`webhooks.constructEvent` verifies the exact raw request body with the endpoint webhook secret:
+
+```ts
+const _event = havenpay.webhooks.constructEvent({
+  rawBody,
+  signature: request.headers.get('havenpay-signature') ?? '',
+  secret: process.env.HAVENPAY_WEBHOOK_SECRET!,
+})
+```
+
+## Boundaries
+
+- Do not use this package in browser or React Native code.
+- Do not pass provider credentials or webhook secrets to client SDKs.
+- Do not claim live provider support unless the provider adapter and tests prove it.
+- Public client integrations should use `projectId` plus a short-lived payment `clientSecret` through the Web or React Native SDKs.