@ovra/ts-sdk 0.5.1 → 0.5.2

package/README.md

@@ -1,193 +1,112 @@
-# `@ovra/ts-sdk`
+# Ovra SDK for TypeScript
 
-[![npm](https://img.shields.io/npm/v/@ovra/ts-sdk?label=npm&color=2bc760)](https://www.npmjs.com/package/@ovra/ts-sdk)
-[![downloads](https://img.shields.io/npm/dm/@ovra/ts-sdk?color=2bc760)](https://www.npmjs.com/package/@ovra/ts-sdk)
-[![bundle](https://img.shields.io/bundlephobia/minzip/@ovra/ts-sdk?label=size)](https://bundlephobia.com/package/@ovra/ts-sdk)
-[![types](https://img.shields.io/npm/types/@ovra/ts-sdk?color=3178c6)](https://www.npmjs.com/package/@ovra/ts-sdk)
+[![npm](https://img.shields.io/npm/v/@ovra/ts-sdk.svg)](https://www.npmjs.com/package/@ovra/ts-sdk)
+[![downloads](https://img.shields.io/npm/dm/@ovra/ts-sdk.svg)](https://www.npmjs.com/package/@ovra/ts-sdk)
+[![types](https://img.shields.io/npm/types/@ovra/ts-sdk.svg)](https://www.npmjs.com/package/@ovra/ts-sdk)
 
-> Payment infrastructure for AI agents. Mint virtual Visa cards bound to
-> AP2 mandate chains, settle in one call, never see a PAN.
+The Ovra SDK for TypeScript provides access to the [Ovra API](https://getovra.com)
+— payment infrastructure for AI agents — from server-side TypeScript or JavaScript.
 
-```ts
-import { Ovra } from "@ovra/ts-sdk";
-
-const ovra = new Ovra({ apiKey: process.env.OVRA_API_KEY! });
-
-const result = await ovra.pay({
-  agentId: "agt_…",          // an active agent in your workspace
-  offerId: "aic_openai-1000", // catalog offer id
-  merchant: "OpenAI",
-  amount: 10.0,               // €10.00
-  purpose: "Top up OpenAI credits",
-});
-
-if (result.status === "completed") {
-  console.log(result.orderId);                                // cmo_…
-  console.log(result.order.amount);                           // { amount: 1000, currency: "eur" }
-  console.log(result.order.authorization.network_auth_code);  // "000123"
-  console.log(result.order.receipt.id);                       // vrcpt_…
-}
-```
-
-One call. The SDK declares the intent, runs the policy gate, debits
-the wallet, mints the DPAN, signs the 4-mandate AP2 chain, captures
-with the merchant, and returns the order envelope.
-
----
+## Documentation
 
-## What you get
+Full documentation lives at **[app.getovra.com/docs/quickstart](https://app.getovra.com/docs/quickstart)**.
+Error reference at **[app.getovra.com/docs/errors](https://app.getovra.com/docs/errors)**.
 
-- **Typed end-to-end** — every request body, response envelope, and error
-  code is generated from the live OpenAPI spec. No `any` leaking.
-- **One-call payments** — `ovra.pay()` for the AP2 happy path, or drop
-  to primitives (`agents`, `intents`, `agenticCommerce.buy`) when you
-  need control.
-- **Card data never reaches your code** — PAN/CVV stay inside Ovra;
-  you get `last4` + a single-use DPAN + cryptogram per transaction.
-- **33 namespaces** — agents, cards, wallets, intents, transactions,
-  agentic-commerce, refunds, webhooks, audit, billing, and 23 more.
-- **Idempotent by default** — every mutating call mints a UUID
-  Idempotency-Key; safe to retry on network failure.
-- **Sender-agnostic** — Node 20+, Bun, Deno, Cloudflare Workers,
-  Vercel Edge, any runtime with `fetch`.
-
----
-
-## Install
+## Installation
 
 ```sh
-npm i @ovra/ts-sdk        # or pnpm add / yarn add / bun add
+npm install @ovra/ts-sdk
 ```
 
-Get a `sk_test_*` key from `app.getovra.com` → Settings → API keys.
-
----
-
-## 60-second tour
-
-### The one-call AP2 purchase (recommended)
+## Getting started
 
 ```ts
 import { Ovra } from "@ovra/ts-sdk";
 
-const ovra = new Ovra({ apiKey: process.env.OVRA_API_KEY! });
-
-// 1. Discover an offer
-const { data: offers } = await ovra.agenticCommerce.search({
-  body: { vertical: "ai-credits", query: { provider: "openai", amount_usd: 10 } },
+const ovra = new Ovra({
+  apiKey: process.env.OVRA_API_KEY!, // sk_test_… in sandbox, sk_live_… in prod
 });
 
-// 2. Buy it — one call covers intent + policy + wallet + DPAN + AP2 chain + capture
-const order = await ovra.pay({
+const result = await ovra.pay({
   agentId: "agt_…",
-  offerId: offers[0].id,
-  merchant: offers[0].merchant.name,
-  amount: offers[0].amountCents / 100,
+  offerId: "aic_openai-1000",
+  merchant: "OpenAI",
+  amount: 10.0,
+  purpose: "Top up OpenAI credits",
 });
 
-console.log(order.orderId);                  // cmo_…
-console.log(order.status);                   // "completed" | "pending_approval" | "failed"
-console.log(order.order?.receipt?.id);       // vrcpt_…
-console.log(order.order?.mandate_chain);     // { open_checkout, open_payment, closed_checkout, closed_payment }
-```
-
-### Reading + reconciling
-
-```ts
-// List orders (cursor-paginated, auto-unwrapped)
-const orders = await ovra.agenticCommerce.listOrders();
-for (const o of orders.data) console.log(o.id, o.status, o.totals);
-
-// Get one with the full UCP envelope (line_items + fulfillment + adjustments)
-const detail = await ovra.agenticCommerce.getOrder({ path: { order_id: "cmo_…" } });
-
-// Verify the AP2 chain integrity server-side
-const verified = await ovra.agenticCommerce.verifyOrder({ path: { order_id: "cmo_…" } });
-if (!verified.data.valid) console.warn("chain tampered:", verified.data.reasons);
+if (result.status === "completed") {
+  console.log(result.orderId);                               // cmo_…
+  console.log(result.order.amount);                          // { amount: 1000, currency: "eur" }
+  console.log(result.order.authorization.network_auth_code); // "000123"
+}
 ```
 
-### Refunds
+`ovra.pay()` declares the intent, runs the policy gate, debits the wallet,
+mints the DPAN, signs the 4-mandate AP2 chain, captures with the merchant,
+and returns the order envelope in a single round-trip.
 
-```ts
-// Partial refund — order goes COMPLETED → COMPENSATED
-await ovra.agenticCommerce.refundOrder({
-  path: { order_id: "cmo_…" },
-  body: { amount_cents: 500, reason: "customer cancellation" },
-});
+Need the lower-level primitives (custom approval UI, manual intent, raw
+generated operations)? See [app.getovra.com/docs/quickstart](https://app.getovra.com/docs/quickstart).
 
-// Or full refund (no body) — order goes COMPLETED → REFUNDED
-await ovra.agenticCommerce.refundOrder({ path: { order_id: "cmo_…" } });
-```
+## Requirements
 
----
+Node.js 20+, or any runtime with global `fetch` (Bun, Deno, Cloudflare
+Workers, Vercel Edge).
 
-## Auth scopes
+## Authentication
 
-The constructor takes any Ovra credential prefix. Pick the smallest scope that fits.
+The constructor accepts any Ovra credential prefix. Pick the smallest
+scope that fits the call site.
 
-| Prefix         | What                  | When                                                                       |
-| -------------- | --------------------- | -------------------------------------------------------------------------- |
-| `sk_live_…`    | Full live key         | Server-side prod code that mints / rotates / manages.                      |
-| `sk_test_…`    | Full sandbox key      | Local dev + CI. Every envelope returns `livemode: false`.                  |
-| `rk_…`         | Restricted key        | Read + scoped writes. Blocked from keys / webhooks / billing / policies.   |
-| `at_…`         | Agent token           | Bound to one agent with a hard spend cap. The credential you ship to the agent runtime. |
+| Prefix         | What                  | Use when                                                                       |
+| -------------- | --------------------- | ------------------------------------------------------------------------------ |
+| `sk_live_…`    | Full live key         | Server-side prod code that mints / rotates / manages.                          |
+| `sk_test_…`    | Full sandbox key      | Local dev + CI. Every envelope returns `livemode: false`.                      |
+| `rk_…`         | Restricted key        | Read + scoped writes. Blocked from keys / webhooks / billing / policies.       |
+| `at_…`         | Agent token           | Bound to one agent with a hard spend cap. Safe to ship to an agent runtime.    |
 
 ```ts
 const ovra = new Ovra({
   apiKey: process.env.OVRA_API_KEY!,
-  appInfo: { name: "AcmeCRM", version: "1.4.2" }, // X-Ovra-Client-App header
+  appInfo: { name: "AcmeCRM", version: "1.4.2" }, // X-Ovra-Client-App
 });
 
-console.log(ovra.keyScope); // "full" | "restricted" | "agent" | "unknown" (dev-time hint)
+// Dev-time scope hint (not enforced — server is the source of truth):
+console.log(ovra.keyScope); // "full" | "restricted" | "agent" | "unknown"
 ```
 
----
-
 ## Errors
 
-Typed exceptions per error category — branch on `e.code` (machine-readable),
-show `e.message` to humans, link to `e.docUrl` from your own UI.
+Errors are typed exceptions per category — branch on `e.code` (machine-
+readable), show `e.message` to humans, link to `e.docUrl` from your own UI.
 
 ```ts
-import {
-  Ovra,
-  OvraError,
-  OvraAuthenticationError,
-  OvraPermissionError,
-  OvraPaymentRequiredError,
-  OvraConflictError,
-  OvraNotFoundError,
-} from "@ovra/ts-sdk";
+import { OvraError } from "@ovra/ts-sdk";
 
 try {
   await ovra.pay({ agentId, offerId, merchant, amount });
 } catch (e) {
   if (!(e instanceof OvraError)) throw e;
-
   switch (e.code) {
-    case "E_INSUFFICIENT_FUNDS":     return refillAndRetry(e.message);
-    case "E_POLICY_LIMIT_EXCEEDED":  return showLimits(e.escalationReason);
-    case "E_OFFER_EXPIRED":          return reSearch();
-    case "E_MANDATE_BINDING_FAIL":   return audit(e.requestId);
-    case "E_FSM_INVALID_TRANSITION": return refreshState();
-    default:                          return showError(e.message, e.docUrl);
+    case "E_INSUFFICIENT_FUNDS":     return topUpAndRetry();
+    case "E_POLICY_LIMIT_EXCEEDED":  return showLimits(e.message);
+    case "E_OFFER_EXPIRED":          return refreshOffer();
+    case "E_FSM_INVALID_TRANSITION": return refetchOrder();
+    default:                          return reportError(e.message, e.docUrl);
   }
 }
 ```
 
-Every error envelope carries `code`, `type`, `message`, `param`, `docUrl`,
-`requestId`, and `status`. See the [error reference](https://app.getovra.com/docs/errors).
-
----
+Every envelope carries `code`, `type`, `message`, `param`, `docUrl`,
+`requestId`, `status`. Full reference: [app.getovra.com/docs/errors](https://app.getovra.com/docs/errors).
 
 ## Idempotency
 
-Every mutating call (POST / PATCH / DELETE) is idempotent by default — the
-SDK mints a UUID `Idempotency-Key` per logical operation and reuses it
-across retries. Replays inside the 24h dedup window return the original
-response with `X-Idempotent-Replayed: true`.
-
-Bring your own key when you need cross-process dedup:
+Every mutating call is idempotent by default — the SDK mints a UUID
+`Idempotency-Key` per logical operation and reuses it across retries.
+Replays inside the 24h dedup window return the original response with
+`X-Idempotent-Replayed: true`. Pass your own key for cross-process dedup:
 
 ```ts
 await ovra.intents.create({
@@ -196,223 +115,11 @@ await ovra.intents.create({
 });
 ```
 
----
-
-## Pagination
-
-List endpoints return `{ data, has_more, next_cursor }` (auto-unwrapped from
-the hey-api envelope). Walk pages with `next_cursor`:
-
-```ts
-let cursor: string | undefined;
-do {
-  const page = await ovra.transactions.list({ query: { limit: 100, starting_after: cursor } });
-  for (const tx of page.data) process(tx);
-  cursor = page.has_more ? page.next_cursor : undefined;
-} while (cursor);
-```
-
-Default `limit` is 50, max 100. Bad cursors return `400 E_VALIDATION` —
-no silent full-list fallback.
-
----
-
-## Money
-
-Wire amounts are integer cents inside a Money object: `{ amount, currency }`.
-
-```ts
-import { parseMoney, formatMoney } from "@ovra/ts-sdk";
-
-parseMoney(79.0)                                        // { amount: 7900, currency: "eur" }
-parseMoney("79.00", "usd")                              // { amount: 7900, currency: "usd" }
-formatMoney({ amount: 7900, currency: "eur" }, "de-DE") // "79,00 €"
-```
-
-`ovra.pay()` accepts decimals (`amount: 79.0` = €79.00) and converts at the
-boundary. Lower-level `agents/intents/transactions` operate on Money objects
-directly.
-
----
-
-## Resource matrix
-
-33 typed namespaces. Scope + plan gating shown.
-
-<details><summary><b>Money &amp; orders</b> (8 namespaces) — click to expand</summary>
-
-| Namespace                | Ops                                                | Scope | Plan |
-| ------------------------ | -------------------------------------------------- | :---: | :--: |
-| `wallets`                | list / get / fund / topup                          | any   | free |
-| `transactions`           | list / get / memo                                  | any   | free |
-| `intents`                | create / list / get / approve / cancel / verify    | any   | free |
-| `agenticCommerce`        | listVerticals / search / getOffer / buy / listOrders / getOrder / verifyOrder / refundOrder | any | free |
-| `ledgerEntries`          | list                                               | full  | free |
-| `invoices`               | list / get                                         | full  | free |
-| `billing`                | getBalance / addPaymentMethod                      | full  | free |
-
-</details>
-
-<details><summary><b>Agents &amp; spending</b> (7 namespaces)</summary>
-
-| Namespace          | Ops                                                                     | Scope | Plan     |
-| ------------------ | ----------------------------------------------------------------------- | :---: | :------: |
-| `agents`           | create / list / get / update / attest / freeze / unfreeze               | any   | free     |
-| `cards`            | issue / list / get / freeze / unfreeze / rotate / close                 | any   | free     |
-| `policies`         | list / get / create / update / delete / assign                          | full  | free     |
-| `delegations`      | create / list / get / redeem / revoke                                   | full  | pro      |
-| `approvalPolicies` | list / get / create / update / delete                                   | full  | business |
-| `costAllocations`  | list / create / assign / delete                                         | full  | pro      |
-| `spendAnomalies`   | list / ack / dismiss                                                    | full  | pro      |
-
-</details>
-
-<details><summary><b>Compliance &amp; governance</b> (5 namespaces)</summary>
-
-| Namespace          | Ops                                       | Scope | Plan     |
-| ------------------ | ----------------------------------------- | :---: | :------: |
-| `riskEvents`       | list                                      | full  | business |
-| `disputeEvidence`  | list / upload / get                       | any   | free     |
-| `auditEvents`      | list                                      | full  | business |
-| `accessEvents`     | list                                      | any   | free     |
-| `metrics`          | list                                      | full  | business |
-
-</details>
-
-<details><summary><b>Identity &amp; access</b> (3 namespaces)</summary>
-
-| Namespace            | Ops                                  | Scope | Plan |
-| -------------------- | ------------------------------------ | :---: | :--: |
-| `customers`          | get / update / gdpr_* (dashboard)    | full  | free |
-| `apiKeys`            | list / create / revoke               | full  | free |
-| `merchantCategories` | list / explain                       | any   | free |
-
-</details>
-
-<details><summary><b>Webhooks &amp; notifications</b> (3 namespaces)</summary>
-
-| Namespace           | Ops                                                  | Scope | Plan |
-| ------------------- | ---------------------------------------------------- | :---: | :--: |
-| `webhooks`          | list / create / get / update / delete / rotate-secret| full  | free |
-| `notifications`     | list / unread_count / mark_read / mark_all_read      | any   | free |
-| `pushSubscriptions` | subscribe / unsubscribe / vapidPublicKey             | any   | free |
-
-</details>
-
-> **Want a different namespace?** Generated functions for every operation
-> live in `@ovra/ts-sdk/api` — bypass the bound facade and call them
-> directly. The bindings exist for ergonomics; nothing's hidden.
-
----
-
-## Recipes
-
-<details><summary><b>Manual intent → approve → checkout</b></summary>
-
-```ts
-// 1. Create an agent (policy is required; profile.purpose is required)
-const { data: agent } = await ovra.agents.create({
-  body: {
-    name: "Notion Buyer",
-    policy: "po_…",
-    profile: { purpose: "Monthly Notion Team Plan renewal" },
-  },
-});
-
-// 2. Declare a spending intent (field is `agent`, not `agent_id`)
-const { data: intent } = await ovra.intents.create({
-  body: {
-    agent: agent.id,
-    merchant: "Notion",
-    amount: { amount: 7900, currency: "eur" },
-    purpose: "Monthly Notion Team Plan renewal",
-  },
-});
-
-// 3. Approve (production: passkey ceremony; sandbox: viaFixture=true)
-await ovra.intents.approve({ path: { id: intent.id }, body: { confirm: true } });
-
-// 4. Execute the checkout — `intent` + `target_url` both required
-const { data: result } = await ovra.checkout.execute({
-  body: { intent: intent.id, target_url: "https://www.notion.so/checkout" },
-});
-console.log(result.transaction_id, result.status);
-```
-
-</details>
-
-<details><summary><b>List + reconcile transactions for one agent</b></summary>
-
-```ts
-let cursor: string | undefined;
-const all: Transaction[] = [];
-do {
-  const page = await ovra.transactions.list({
-    query: { agent: "agt_…", limit: 100, starting_after: cursor },
-  });
-  all.push(...page.data);
-  cursor = page.has_more ? page.next_cursor : undefined;
-} while (cursor);
-
-const totalCents = all
-  .filter(t => t.status === "completed")
-  .reduce((sum, t) => sum + t.amount.amount, 0);
-```
-
-</details>
-
-<details><summary><b>Register a webhook + handle delivery</b></summary>
-
-```ts
-// One-time setup
-const { data: hook } = await ovra.webhooks.create({
-  body: {
-    url: "https://app.example.com/ovra/webhook",
-    events: ["intent.approved", "transaction.completed", "order.refunded"],
-  },
-});
-console.log("save this secret:", hook.signing_secret);
-
-// In your HTTP handler — verify signature with the shared secret.
-// Ovra uses HMAC-SHA256 over the raw body (Stripe-style):
-//   sig = hex( hmac_sha256(secret, raw_body) )
-//   compare in constant time against the `X-Ovra-Signature` header
-import { createHmac, timingSafeEqual } from "node:crypto";
-
-const expected = createHmac("sha256", process.env.OVRA_WEBHOOK_SECRET!)
-  .update(rawBody)
-  .digest("hex");
-const got = (req.headers["x-ovra-signature"] as string).replace(/^sha256=/, "");
-if (!timingSafeEqual(Buffer.from(expected, "hex"), Buffer.from(got, "hex"))) {
-  return res.status(401).send("bad signature");
-}
-```
-
-</details>
-
-<details><summary><b>Issue a delegation (sub-agent / B2B2B)</b></summary>
-
-```ts
-const { data: delegation } = await ovra.delegations.create({
-  body: {
-    grantor_agent: "agt_…",
-    purpose: "Marketing team — quarterly spend",
-    spend_cap_cents: 500_00,
-    ttl_seconds: 60 * 60 * 24 * 90, // 90 days
-  },
-});
-// Hand `delegation.redemption_url` to the delegate; they exchange for an at_*
-```
-
-</details>
-
----
-
 ## MCP server
 
-Prefer using Ovra straight from Claude / Cursor / any MCP-capable agent?
-The same surface lives in [`@ovra/mcp`](https://www.npmjs.com/package/@ovra/mcp)
-(10 tools). Add to `.mcp.json`:
+Want to call Ovra from Claude / Cursor / any MCP client? The same surface
+ships as [`@ovra/mcp`](https://www.npmjs.com/package/@ovra/mcp) (10 tools).
+Add to `.mcp.json`:
 
 ```json
 {
@@ -426,36 +133,22 @@ The same surface lives in [`@ovra/mcp`](https://www.npmjs.com/package/@ovra/mcp)
 }
 ```
 
----
-
-## Publishing
-
-<details><summary>How releases ship (npm + GitHub Actions)</summary>
-
-The SDK is regenerated from `apps/api/openapi.json` whenever the spec or
-`packages/sdk/src` changes. The publish workflow at
-`.github/workflows/sdk-publish.yaml` is wired but currently **blocked on
-GitHub Actions billing**. Until that's resolved, releases ship manually:
-
-```sh
-# From the repo root
-pnpm run publish:sdk           # builds, tests, publishes (refuses dirty tree)
-pnpm run publish:sdk:dry       # rehearsal — no actual npm publish
-```
+## Resource coverage
 
-Or directly: `cd packages/sdk && pnpm run publish-manual`.
+33 typed namespaces — agents, cards, wallets, intents, transactions,
+agentic-commerce (search / buy / order / refund / verify), policies,
+delegations, customers, disputes, webhooks, audit, billing, and 20 more.
+Generated functions for every operation are also accessible as raw exports.
 
-The script enforces:
-- Clean working tree (refuses to publish over uncommitted changes)
-- Local version > current npm `latest`
-- Valid `npm whoami` (must be authenticated)
-- Regen + build + tests must all pass before `npm publish`
+See the [API reference](https://app.getovra.com/docs/errors) for the full
+list with scope and plan requirements.
 
-</details>
+## Support
 
----
+- Documentation: [app.getovra.com/docs/quickstart](https://app.getovra.com/docs/quickstart)
+- Issues: [github.com/ovra/ovra/issues](https://github.com/ovra/ovra/issues)
+- Email: support@getovra.com
 
 ## License
 
-UNLICENSED — internal use only until the public release lands. See the
-repo for the in-progress [terms](https://github.com/ovra/ovra/blob/main/LICENSE).
+UNLICENSED — internal use only until the public release lands.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ovra/ts-sdk",
-  "version": "0.5.1",
+  "version": "0.5.2",
   "description": "Official TypeScript SDK for the Ovra API — payment infrastructure for AI agents.",
   "author": "Ovra",
   "license": "SEE LICENSE IN LICENSE",