@invonetwork/web-sdk 0.2.1 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -1,7 +1,53 @@
1
1
  # Changelog
2
2
 
3
3
  All notable changes to `@invonetwork/web-sdk` are documented here. This project follows
4
- [Semantic Versioning](https://semver.org/).
4
+ [Semantic Versioning](https://semver.org/). Releases are managed with
5
+ [changesets](https://github.com/changesets/changesets).
6
+
7
+ ## [0.4.0] — 2026-06-30
8
+
9
+ Additive release — more server reads, edge-ready webhooks, cancellation, and tooling.
10
+
11
+ - **`getInboundPending({ playerEmail | playerPhone })`** — live, unclaimed inbound
12
+ sends/transfers for a player (the source of truth behind the "you have X to collect"
13
+ badge; pairs with `transfer.claim_pending`).
14
+ - **`verifyWebhookAsync`** — Web Crypto variant of `verifyWebhook` that runs on
15
+ Cloudflare Workers / Deno / Vercel+Netlify Edge / Bun / browsers; and
16
+ **`createWebhookHandler`** — a zero-dep Fetch-API `(Request) => Promise<Response>`
17
+ webhook route handler (Next.js App Router, Workers, Deno, Hono, Bun).
18
+ - **`iterateItemPurchaseHistory`** — async iterator that pages through a player's
19
+ full item-purchase history.
20
+ - **Per-call `AbortSignal`** — every method accepts an optional `{ signal }`; an
21
+ aborted call throws `InvoError` code `ABORTED` and is never retried.
22
+ - **Tooling**: ESLint (+ lint in CI), changesets release automation, `SECURITY.md`,
23
+ and `CODEOWNERS`.
24
+
25
+ ## [0.3.0] — 2026-06-30
26
+
27
+ Additive release — new server capabilities plus transport resilience/observability.
28
+
29
+ - **Webhook verification** (`/server`): `verifyWebhook(rawBody, signatureHeader, secret | secrets, opts?)`
30
+ — constant-time HMAC-SHA256 over `${t}.${rawBody}`, 5-minute replay window,
31
+ multi-secret rotation; returns a typed `InvoWebhookEvent` discriminated union
32
+ (`purchase.*`, `item.purchased`, `transfer.*`, `payout.status_changed`, `webhook.test`).
33
+ Throws `InvoError` (`WEBHOOK_SIGNATURE_INVALID` / `WEBHOOK_TIMESTAMP_EXPIRED` /
34
+ `WEBHOOK_MALFORMED` / `WEBHOOK_SECRET_MISSING`). Server-only; the browser bundle
35
+ stays crypto-free. Independently security-audited.
36
+ - **`getPlayerBalance({ playerEmail | playerId })`** (`/server`): typed `player` / `balances` / `summary`.
37
+ - **Automatic retries**: network errors/timeouts, `429` (honoring `retry_after`), and
38
+ `5xx` are retried with exponential backoff + jitter. New config `maxRetries`
39
+ (default 2, `0` disables) and `retryBaseDelayMs` (default 250).
40
+ - **Observability hooks**: optional `onRequest` / `onResponse` / `onError` on both
41
+ entries (best-effort/non-throwing); `InvoError.requestId` carries the backend
42
+ request id for support/tracing.
43
+ - **Typed reads**: `confirmPayment` → `ConfirmPaymentResult`; `getOrderDetails` /
44
+ `getItemOrderDetails` → `OrderDetailsResult`; `getItemPurchaseHistory` →
45
+ `ItemHistoryResult` (previously untyped `Record`). All keep `raw`.
46
+ - **Light validation**: `mintPlayerToken` and `createCheckout` require a non-blank
47
+ `playerEmail` (throws `INVALID_INPUT` before the network call).
48
+ - **License**: `package.json` `license` is now `SEE LICENSE IN LICENSE` (was
49
+ `UNLICENSED`); `LICENSE` rewritten as an explicit install-and-use grant for
50
+ building INVO integrations.
5
51
 
6
52
  ## [0.2.1] — 2026-06-30
7
53
 
@@ -53,6 +99,7 @@ Initial scaffold.
53
99
  - Contracts extracted + auditor-verified against the INVO backend.
54
100
 
55
101
  ### Hardening (independent red-team pass)
102
+
56
103
  - **Guardian/minor `202` path no longer mismapped to `verificationMethod:"sms"`** —
57
104
  `initiateSend`/`initiateTransfer` now return `verificationMethod: undefined` and a
58
105
  `guardianApproval` block on the guardian path, so callers don't route into the
package/LICENSE CHANGED
@@ -1,17 +1,18 @@
1
- Copyright (c) 2026 Invo Tech Inc. All rights reserved.
2
-
3
- This software and associated documentation files (the "Software") are the
4
- proprietary and confidential property of Invo Tech Inc. ("INVO"). The Software
5
- is licensed, not sold, for use solely in connection with integrating the INVO
6
- platform under a separate written agreement with INVO.
7
-
8
- Without a valid agreement with INVO, you may not use, copy, modify, merge,
9
- publish, distribute, sublicense, or sell copies of the Software.
10
-
11
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
12
- IMPLIED. IN NO EVENT SHALL INVO BE LIABLE FOR ANY CLAIM, DAMAGES, OR OTHER
13
- LIABILITY ARISING FROM, OUT OF, OR IN CONNECTION WITH THE SOFTWARE.
14
-
15
- NOTE: Licensing for a partner-distributed SDK is a business decision — if INVO
16
- prefers a permissive license (e.g. MIT/Apache-2.0) so partners can freely
17
- vendor the package, replace this file and the "license" field in package.json.
1
+ Copyright (c) 2026 Invo Tech Inc. All rights reserved.
2
+
3
+ This software and associated documentation files (the "Software") are the
4
+ proprietary property of Invo Tech Inc. ("INVO"). The Software is licensed, not
5
+ sold.
6
+
7
+ GRANT. INVO grants you a non-exclusive, non-transferable, royalty-free license to
8
+ install and use the Software, in unmodified form, solely to build and operate
9
+ integrations with the INVO platform, subject to INVO's developer terms at
10
+ https://invo.network.
11
+
12
+ RESTRICTIONS. Except as expressly permitted above, you may not copy, modify,
13
+ distribute, sublicense, sell, or create derivative works of the Software, or
14
+ remove any proprietary notices, without INVO's prior written consent.
15
+
16
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17
+ IMPLIED. IN NO EVENT SHALL INVO BE LIABLE FOR ANY CLAIM, DAMAGES, OR OTHER
18
+ LIABILITY ARISING FROM, OUT OF, OR IN CONNECTION WITH THE SOFTWARE.