npm - @ovra/ts-sdk - Versions diffs - 0.5.1 → 0.5.3 - Mend

@ovra/ts-sdk 0.5.1 → 0.5.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +69 -380
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -1,193 +1,108 @@
-# `@ovra/ts-sdk`
+# Ovra SDK for TypeScript
-[![npm](https://img.shields.io/npm/v/@ovra/ts-sdk?label=npm&color=2bc760)](https://www.npmjs.com/package/@ovra/ts-sdk)
-[![downloads](https://img.shields.io/npm/dm/@ovra/ts-sdk?color=2bc760)](https://www.npmjs.com/package/@ovra/ts-sdk)
-[![bundle](https://img.shields.io/bundlephobia/minzip/@ovra/ts-sdk?label=size)](https://bundlephobia.com/package/@ovra/ts-sdk)
-[![types](https://img.shields.io/npm/types/@ovra/ts-sdk?color=3178c6)](https://www.npmjs.com/package/@ovra/ts-sdk)
+[![npm](https://img.shields.io/npm/v/@ovra/ts-sdk.svg)](https://www.npmjs.com/package/@ovra/ts-sdk)
+[![downloads](https://img.shields.io/npm/dm/@ovra/ts-sdk.svg)](https://www.npmjs.com/package/@ovra/ts-sdk)
+[![types](https://img.shields.io/npm/types/@ovra/ts-sdk.svg)](https://www.npmjs.com/package/@ovra/ts-sdk)
-> Payment infrastructure for AI agents. Mint virtual Visa cards bound to
-> AP2 mandate chains, settle in one call, never see a PAN.
+The Ovra SDK for TypeScript provides access to the [Ovra API](https://getovra.com)
+— payment infrastructure for AI agents — from server-side TypeScript or JavaScript.
-```ts
-import { Ovra } from "@ovra/ts-sdk";
-const ovra = new Ovra({ apiKey: process.env.OVRA_API_KEY! });
-const result = await ovra.pay({
-  agentId: "agt_…",          // an active agent in your workspace
-  offerId: "aic_openai-1000", // catalog offer id
-  merchant: "OpenAI",
-  amount: 10.0,               // €10.00
-  purpose: "Top up OpenAI credits",
-});
-if (result.status === "completed") {
-  console.log(result.orderId);                                // cmo_…
-  console.log(result.order.amount);                           // { amount: 1000, currency: "eur" }
-  console.log(result.order.authorization.network_auth_code);  // "000123"
-  console.log(result.order.receipt.id);                       // vrcpt_…
-}
-```
-One call. The SDK declares the intent, runs the policy gate, debits
-the wallet, mints the DPAN, signs the 4-mandate AP2 chain, captures
-with the merchant, and returns the order envelope.
----
-## What you get
+## Documentation
-- **Typed end-to-end** — every request body, response envelope, and error
-  code is generated from the live OpenAPI spec. No `any` leaking.
-- **One-call payments** — `ovra.pay()` for the AP2 happy path, or drop
-  to primitives (`agents`, `intents`, `agenticCommerce.buy`) when you
-  need control.
-- **Card data never reaches your code** — PAN/CVV stay inside Ovra;
-  you get `last4` + a single-use DPAN + cryptogram per transaction.
-- **33 namespaces** — agents, cards, wallets, intents, transactions,
-  agentic-commerce, refunds, webhooks, audit, billing, and 23 more.
-- **Idempotent by default** — every mutating call mints a UUID
-  Idempotency-Key; safe to retry on network failure.
-- **Sender-agnostic** — Node 20+, Bun, Deno, Cloudflare Workers,
-  Vercel Edge, any runtime with `fetch`.
+Full documentation lives at **[app.getovra.com/docs/quickstart](https://app.getovra.com/docs/quickstart)**.
+Error reference at **[app.getovra.com/docs/errors](https://app.getovra.com/docs/errors)**.
----
-## Install
+## Installation
 ```sh
-npm i @ovra/ts-sdk        # or pnpm add / yarn add / bun add
+npm install @ovra/ts-sdk
 ```
-Get a `sk_test_*` key from `app.getovra.com` → Settings → API keys.
----
-## 60-second tour
-### The one-call AP2 purchase (recommended)
+## Getting started
 ```ts
 import { Ovra } from "@ovra/ts-sdk";
-const ovra = new Ovra({ apiKey: process.env.OVRA_API_KEY! });
-// 1. Discover an offer
-const { data: offers } = await ovra.agenticCommerce.search({
-  body: { vertical: "ai-credits", query: { provider: "openai", amount_usd: 10 } },
+const ovra = new Ovra({
+  apiKey: process.env.OVRA_API_KEY!, // sk_test_… in sandbox, sk_live_… in prod
 });
-// 2. Buy it — one call covers intent + policy + wallet + DPAN + AP2 chain + capture
-const order = await ovra.pay({
+const result = await ovra.pay({
   agentId: "agt_…",
-  offerId: offers[0].id,
-  merchant: offers[0].merchant.name,
-  amount: offers[0].amountCents / 100,
+  offerId: "aic_openai-1000",
+  merchant: "OpenAI",
+  amount: 10.0,
+  purpose: "Top up OpenAI credits",
 });
-console.log(order.orderId);                  // cmo_…
-console.log(order.status);                   // "completed" | "pending_approval" | "failed"
-console.log(order.order?.receipt?.id);       // vrcpt_…
-console.log(order.order?.mandate_chain);     // { open_checkout, open_payment, closed_checkout, closed_payment }
-```
-### Reading + reconciling
-```ts
-// List orders (cursor-paginated, auto-unwrapped)
-const orders = await ovra.agenticCommerce.listOrders();
-for (const o of orders.data) console.log(o.id, o.status, o.totals);
-// Get one with the full UCP envelope (line_items + fulfillment + adjustments)
-const detail = await ovra.agenticCommerce.getOrder({ path: { order_id: "cmo_…" } });
-// Verify the AP2 chain integrity server-side
-const verified = await ovra.agenticCommerce.verifyOrder({ path: { order_id: "cmo_…" } });
-if (!verified.data.valid) console.warn("chain tampered:", verified.data.reasons);
+console.log(result.orderId); // cmo_…
 ```
-### Refunds
+`ovra.pay()` declares the intent, runs the policy gate, debits the wallet,
+mints the DPAN, signs the 4-mandate AP2 chain, captures with the merchant,
+and returns the order envelope in a single round-trip.
-```ts
-// Partial refund — order goes COMPLETED → COMPENSATED
-await ovra.agenticCommerce.refundOrder({
-  path: { order_id: "cmo_…" },
-  body: { amount_cents: 500, reason: "customer cancellation" },
-});
+Need the lower-level primitives (custom approval UI, manual intent, raw
+generated operations)? See [app.getovra.com/docs/quickstart](https://app.getovra.com/docs/quickstart).
-// Or full refund (no body) — order goes COMPLETED → REFUNDED
-await ovra.agenticCommerce.refundOrder({ path: { order_id: "cmo_…" } });
-```
+## Requirements
----
+Node.js 20+, or any runtime with global `fetch` (Bun, Deno, Cloudflare
+Workers, Vercel Edge).
-## Auth scopes
+## Authentication
-The constructor takes any Ovra credential prefix. Pick the smallest scope that fits.
+The constructor accepts any Ovra credential prefix. Pick the smallest
+scope that fits the call site.
-| Prefix         | What                  | When                                                                       |
-| -------------- | --------------------- | -------------------------------------------------------------------------- |
-| `sk_live_…`    | Full live key         | Server-side prod code that mints / rotates / manages.                      |
-| `sk_test_…`    | Full sandbox key      | Local dev + CI. Every envelope returns `livemode: false`.                  |
-| `rk_…`         | Restricted key        | Read + scoped writes. Blocked from keys / webhooks / billing / policies.   |
-| `at_…`         | Agent token           | Bound to one agent with a hard spend cap. The credential you ship to the agent runtime. |
+| Prefix         | What                  | Use when                                                                       |
+| -------------- | --------------------- | ------------------------------------------------------------------------------ |
+| `sk_live_…`    | Full live key         | Server-side prod code that mints / rotates / manages.                          |
+| `sk_test_…`    | Full sandbox key      | Local dev + CI. Every envelope returns `livemode: false`.                      |
+| `rk_…`         | Restricted key        | Read + scoped writes. Blocked from keys / webhooks / billing / policies.       |
+| `at_…`         | Agent token           | Bound to one agent with a hard spend cap. Safe to ship to an agent runtime.    |
 ```ts
 const ovra = new Ovra({
   apiKey: process.env.OVRA_API_KEY!,
-  appInfo: { name: "AcmeCRM", version: "1.4.2" }, // X-Ovra-Client-App header
+  appInfo: { name: "AcmeCRM", version: "1.4.2" }, // X-Ovra-Client-App
 });
-console.log(ovra.keyScope); // "full" | "restricted" | "agent" | "unknown" (dev-time hint)
+// Dev-time scope hint (not enforced — server is the source of truth):
+console.log(ovra.keyScope); // "full" | "restricted" | "agent" | "unknown"
 ```
----
 ## Errors
-Typed exceptions per error category — branch on `e.code` (machine-readable),
-show `e.message` to humans, link to `e.docUrl` from your own UI.
+Errors are typed exceptions per category — branch on `e.code` (machine-
+readable), show `e.message` to humans, link to `e.docUrl` from your own UI.
 ```ts
-import {
-  Ovra,
-  OvraError,
-  OvraAuthenticationError,
-  OvraPermissionError,
-  OvraPaymentRequiredError,
-  OvraConflictError,
-  OvraNotFoundError,
-} from "@ovra/ts-sdk";
+import { OvraError } from "@ovra/ts-sdk";
 try {
   await ovra.pay({ agentId, offerId, merchant, amount });
 } catch (e) {
   if (!(e instanceof OvraError)) throw e;
   switch (e.code) {
-    case "E_INSUFFICIENT_FUNDS":     return refillAndRetry(e.message);
-    case "E_POLICY_LIMIT_EXCEEDED":  return showLimits(e.escalationReason);
-    case "E_OFFER_EXPIRED":          return reSearch();
-    case "E_MANDATE_BINDING_FAIL":   return audit(e.requestId);
-    case "E_FSM_INVALID_TRANSITION": return refreshState();
-    default:                          return showError(e.message, e.docUrl);
+    case "E_INSUFFICIENT_FUNDS":     return topUpAndRetry();
+    case "E_POLICY_LIMIT_EXCEEDED":  return showLimits(e.message);
+    case "E_OFFER_EXPIRED":          return refreshOffer();
+    case "E_FSM_INVALID_TRANSITION": return refetchOrder();
+    default:                          return reportError(e.message, e.docUrl);
   }
 }
 ```
-Every error envelope carries `code`, `type`, `message`, `param`, `docUrl`,
-`requestId`, and `status`. See the [error reference](https://app.getovra.com/docs/errors).
----
+Every envelope carries `code`, `type`, `message`, `param`, `docUrl`,
+`requestId`, `status`. Full reference: [app.getovra.com/docs/errors](https://app.getovra.com/docs/errors).
 ## Idempotency
-Every mutating call (POST / PATCH / DELETE) is idempotent by default — the
-SDK mints a UUID `Idempotency-Key` per logical operation and reuses it
-across retries. Replays inside the 24h dedup window return the original
-response with `X-Idempotent-Replayed: true`.
-Bring your own key when you need cross-process dedup:
+Every mutating call is idempotent by default — the SDK mints a UUID
+`Idempotency-Key` per logical operation and reuses it across retries.
+Replays inside the 24h dedup window return the original response with
+`X-Idempotent-Replayed: true`. Pass your own key for cross-process dedup:
 ```ts
 await ovra.intents.create({
@@ -196,223 +111,11 @@ await ovra.intents.create({
 });
 ```
----
-## Pagination
-List endpoints return `{ data, has_more, next_cursor }` (auto-unwrapped from
-the hey-api envelope). Walk pages with `next_cursor`:
-```ts
-let cursor: string | undefined;
-do {
-  const page = await ovra.transactions.list({ query: { limit: 100, starting_after: cursor } });
-  for (const tx of page.data) process(tx);
-  cursor = page.has_more ? page.next_cursor : undefined;
-} while (cursor);
-```
-Default `limit` is 50, max 100. Bad cursors return `400 E_VALIDATION` —
-no silent full-list fallback.
----
-## Money
-Wire amounts are integer cents inside a Money object: `{ amount, currency }`.
-```ts
-import { parseMoney, formatMoney } from "@ovra/ts-sdk";
-parseMoney(79.0)                                        // { amount: 7900, currency: "eur" }
-parseMoney("79.00", "usd")                              // { amount: 7900, currency: "usd" }
-formatMoney({ amount: 7900, currency: "eur" }, "de-DE") // "79,00 €"
-```
-`ovra.pay()` accepts decimals (`amount: 79.0` = €79.00) and converts at the
-boundary. Lower-level `agents/intents/transactions` operate on Money objects
-directly.
----
-## Resource matrix
-33 typed namespaces. Scope + plan gating shown.
-<details><summary><b>Money &amp; orders</b> (8 namespaces) — click to expand</summary>
-| Namespace                | Ops                                                | Scope | Plan |
-| ------------------------ | -------------------------------------------------- | :---: | :--: |
-| `wallets`                | list / get / fund / topup                          | any   | free |
-| `transactions`           | list / get / memo                                  | any   | free |
-| `intents`                | create / list / get / approve / cancel / verify    | any   | free |
-| `agenticCommerce`        | listVerticals / search / getOffer / buy / listOrders / getOrder / verifyOrder / refundOrder | any | free |
-| `ledgerEntries`          | list                                               | full  | free |
-| `invoices`               | list / get                                         | full  | free |
-| `billing`                | getBalance / addPaymentMethod                      | full  | free |
-</details>
-<details><summary><b>Agents &amp; spending</b> (7 namespaces)</summary>
-| Namespace          | Ops                                                                     | Scope | Plan     |
-| ------------------ | ----------------------------------------------------------------------- | :---: | :------: |
-| `agents`           | create / list / get / update / attest / freeze / unfreeze               | any   | free     |
-| `cards`            | issue / list / get / freeze / unfreeze / rotate / close                 | any   | free     |
-| `policies`         | list / get / create / update / delete / assign                          | full  | free     |
-| `delegations`      | create / list / get / redeem / revoke                                   | full  | pro      |
-| `approvalPolicies` | list / get / create / update / delete                                   | full  | business |
-| `costAllocations`  | list / create / assign / delete                                         | full  | pro      |
-| `spendAnomalies`   | list / ack / dismiss                                                    | full  | pro      |
-</details>
-<details><summary><b>Compliance &amp; governance</b> (5 namespaces)</summary>
-| Namespace          | Ops                                       | Scope | Plan     |
-| ------------------ | ----------------------------------------- | :---: | :------: |
-| `riskEvents`       | list                                      | full  | business |
-| `disputeEvidence`  | list / upload / get                       | any   | free     |
-| `auditEvents`      | list                                      | full  | business |
-| `accessEvents`     | list                                      | any   | free     |
-| `metrics`          | list                                      | full  | business |
-</details>
-<details><summary><b>Identity &amp; access</b> (3 namespaces)</summary>
-| Namespace            | Ops                                  | Scope | Plan |
-| -------------------- | ------------------------------------ | :---: | :--: |
-| `customers`          | get / update / gdpr_* (dashboard)    | full  | free |
-| `apiKeys`            | list / create / revoke               | full  | free |
-| `merchantCategories` | list / explain                       | any   | free |
-</details>
-<details><summary><b>Webhooks &amp; notifications</b> (3 namespaces)</summary>
-| Namespace           | Ops                                                  | Scope | Plan |
-| ------------------- | ---------------------------------------------------- | :---: | :--: |
-| `webhooks`          | list / create / get / update / delete / rotate-secret| full  | free |
-| `notifications`     | list / unread_count / mark_read / mark_all_read      | any   | free |
-| `pushSubscriptions` | subscribe / unsubscribe / vapidPublicKey             | any   | free |
-</details>
-> **Want a different namespace?** Generated functions for every operation
-> live in `@ovra/ts-sdk/api` — bypass the bound facade and call them
-> directly. The bindings exist for ergonomics; nothing's hidden.
----
-## Recipes
-<details><summary><b>Manual intent → approve → checkout</b></summary>
-```ts
-// 1. Create an agent (policy is required; profile.purpose is required)
-const { data: agent } = await ovra.agents.create({
-  body: {
-    name: "Notion Buyer",
-    policy: "po_…",
-    profile: { purpose: "Monthly Notion Team Plan renewal" },
-  },
-});
-// 2. Declare a spending intent (field is `agent`, not `agent_id`)
-const { data: intent } = await ovra.intents.create({
-  body: {
-    agent: agent.id,
-    merchant: "Notion",
-    amount: { amount: 7900, currency: "eur" },
-    purpose: "Monthly Notion Team Plan renewal",
-  },
-});
-// 3. Approve (production: passkey ceremony; sandbox: viaFixture=true)
-await ovra.intents.approve({ path: { id: intent.id }, body: { confirm: true } });
-// 4. Execute the checkout — `intent` + `target_url` both required
-const { data: result } = await ovra.checkout.execute({
-  body: { intent: intent.id, target_url: "https://www.notion.so/checkout" },
-});
-console.log(result.transaction_id, result.status);
-```
-</details>
-<details><summary><b>List + reconcile transactions for one agent</b></summary>
-```ts
-let cursor: string | undefined;
-const all: Transaction[] = [];
-do {
-  const page = await ovra.transactions.list({
-    query: { agent: "agt_…", limit: 100, starting_after: cursor },
-  });
-  all.push(...page.data);
-  cursor = page.has_more ? page.next_cursor : undefined;
-} while (cursor);
-const totalCents = all
-  .filter(t => t.status === "completed")
-  .reduce((sum, t) => sum + t.amount.amount, 0);
-```
-</details>
-<details><summary><b>Register a webhook + handle delivery</b></summary>
-```ts
-// One-time setup
-const { data: hook } = await ovra.webhooks.create({
-  body: {
-    url: "https://app.example.com/ovra/webhook",
-    events: ["intent.approved", "transaction.completed", "order.refunded"],
-  },
-});
-console.log("save this secret:", hook.signing_secret);
-// In your HTTP handler — verify signature with the shared secret.
-// Ovra uses HMAC-SHA256 over the raw body (Stripe-style):
-//   sig = hex( hmac_sha256(secret, raw_body) )
-//   compare in constant time against the `X-Ovra-Signature` header
-import { createHmac, timingSafeEqual } from "node:crypto";
-const expected = createHmac("sha256", process.env.OVRA_WEBHOOK_SECRET!)
-  .update(rawBody)
-  .digest("hex");
-const got = (req.headers["x-ovra-signature"] as string).replace(/^sha256=/, "");
-if (!timingSafeEqual(Buffer.from(expected, "hex"), Buffer.from(got, "hex"))) {
-  return res.status(401).send("bad signature");
-}
-```
-</details>
-<details><summary><b>Issue a delegation (sub-agent / B2B2B)</b></summary>
-```ts
-const { data: delegation } = await ovra.delegations.create({
-  body: {
-    grantor_agent: "agt_…",
-    purpose: "Marketing team — quarterly spend",
-    spend_cap_cents: 500_00,
-    ttl_seconds: 60 * 60 * 24 * 90, // 90 days
-  },
-});
-// Hand `delegation.redemption_url` to the delegate; they exchange for an at_*
-```
-</details>
----
 ## MCP server
-Prefer using Ovra straight from Claude / Cursor / any MCP-capable agent?
-The same surface lives in [`@ovra/mcp`](https://www.npmjs.com/package/@ovra/mcp)
-(10 tools). Add to `.mcp.json`:
+Want to call Ovra from Claude / Cursor / any MCP client? The same surface
+ships as [`@ovra/mcp`](https://www.npmjs.com/package/@ovra/mcp) (10 tools).
+Add to `.mcp.json`:
 ```json
 {
@@ -426,36 +129,22 @@ The same surface lives in [`@ovra/mcp`](https://www.npmjs.com/package/@ovra/mcp)
 }
 ```
----
-## Publishing
-<details><summary>How releases ship (npm + GitHub Actions)</summary>
-The SDK is regenerated from `apps/api/openapi.json` whenever the spec or
-`packages/sdk/src` changes. The publish workflow at
-`.github/workflows/sdk-publish.yaml` is wired but currently **blocked on
-GitHub Actions billing**. Until that's resolved, releases ship manually:
-```sh
-# From the repo root
-pnpm run publish:sdk           # builds, tests, publishes (refuses dirty tree)
-pnpm run publish:sdk:dry       # rehearsal — no actual npm publish
-```
+## Resource coverage
-Or directly: `cd packages/sdk && pnpm run publish-manual`.
+33 typed namespaces — agents, cards, wallets, intents, transactions,
+agentic-commerce (search / buy / order / refund / verify), policies,
+delegations, customers, disputes, webhooks, audit, billing, and 20 more.
+Generated functions for every operation are also accessible as raw exports.
-The script enforces:
-- Clean working tree (refuses to publish over uncommitted changes)
-- Local version > current npm `latest`
-- Valid `npm whoami` (must be authenticated)
-- Regen + build + tests must all pass before `npm publish`
+See the [API reference](https://app.getovra.com/docs/errors) for the full
+list with scope and plan requirements.
-</details>
+## Support
----
+- Documentation: [app.getovra.com/docs/quickstart](https://app.getovra.com/docs/quickstart)
+- Issues: [github.com/ovra/ovra/issues](https://github.com/ovra/ovra/issues)
+- Email: support@getovra.com
 ## License
-UNLICENSED — internal use only until the public release lands. See the
-repo for the in-progress [terms](https://github.com/ovra/ovra/blob/main/LICENSE).
+UNLICENSED — internal use only until the public release lands.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ovra/ts-sdk",
-  "version": "0.5.1",
+  "version": "0.5.3",
   "description": "Official TypeScript SDK for the Ovra API — payment infrastructure for AI agents.",
   "author": "Ovra",
   "license": "SEE LICENSE IN LICENSE",