@riseworks/riseworks-sdk 1.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/README.md +240 -0
  2. package/ai-skills/README.md +28 -0
  3. package/ai-skills/STANDARDS.md +66 -0
  4. package/ai-skills/references/API_WORKFLOWS.md +200 -0
  5. package/ai-skills/references/TYPES.md +190 -0
  6. package/ai-skills/rise-auth-and-setup/README.md +14 -0
  7. package/ai-skills/rise-auth-and-setup/SKILL.md +57 -0
  8. package/ai-skills/rise-auth-and-setup/metadata.json +12 -0
  9. package/ai-skills/rise-auth-and-setup/references/SETUP_PATTERNS.md +26 -0
  10. package/ai-skills/rise-debugging-and-errors/SKILL.md +51 -0
  11. package/ai-skills/rise-payments-workflows/README.md +19 -0
  12. package/ai-skills/rise-payments-workflows/SKILL.md +109 -0
  13. package/ai-skills/rise-payments-workflows/metadata.json +12 -0
  14. package/ai-skills/rise-payments-workflows/references/PAYMENT_PATTERNS.md +36 -0
  15. package/ai-skills/rise-sdk-integration/README.md +25 -0
  16. package/ai-skills/rise-sdk-integration/SKILL.md +130 -0
  17. package/ai-skills/rise-sdk-integration/metadata.json +12 -0
  18. package/ai-skills/rise-sdk-integration/references/PATTERNS.md +28 -0
  19. package/ai-skills/rise-security-and-approvals/SKILL.md +33 -0
  20. package/ai-skills/rise-teams-and-invites/README.md +13 -0
  21. package/ai-skills/rise-teams-and-invites/SKILL.md +66 -0
  22. package/ai-skills/rise-teams-and-invites/metadata.json +12 -0
  23. package/ai-skills/rise-teams-and-invites/references/TEAM_PATTERNS.md +25 -0
  24. package/ai-skills/rise-v1-migration/README.md +22 -0
  25. package/ai-skills/rise-v1-migration/SKILL.md +184 -0
  26. package/ai-skills/rise-v1-migration/metadata.json +13 -0
  27. package/ai-skills/rise-v1-migration/references/ENDPOINT_MAPPINGS.md +72 -0
  28. package/ai-skills/rise-v1-migration/references/MIGRATION_PATTERNS.md +66 -0
  29. package/ai-skills/rise-webhooks/README.md +41 -0
  30. package/ai-skills/rise-webhooks/SKILL.md +143 -0
  31. package/ai-skills/rise-webhooks/metadata.json +13 -0
  32. package/ai-skills/rise-webhooks/references/HANDLER.md +60 -0
  33. package/ai-skills/rise-webhooks/references/REGISTRATION.md +113 -0
  34. package/dist/index.cjs +1406 -0
  35. package/dist/index.d.cts +6865 -0
  36. package/dist/index.d.cts.map +1 -0
  37. package/dist/index.d.mts +6865 -0
  38. package/dist/index.d.mts.map +1 -0
  39. package/dist/index.mjs +1383 -0
  40. package/package.json +87 -0
  41. package/scripts/add-skills.mjs +158 -0
@@ -0,0 +1,66 @@
1
+ # V1 migration patterns
2
+
3
+ Use this reference when the user is actively rewriting legacy Rise V1 code.
4
+
5
+ ## Default recommendation
6
+
7
+ - Prefer `riseworks-sdk` over raw `/v2/...` HTTP when the project is Node.js,
8
+ TypeScript, or JavaScript.
9
+ - Preserve existing behavior first.
10
+ - Only introduce new B2B-only capabilities after parity is reached.
11
+
12
+ ## Recommended migration order
13
+
14
+ 1. Inventory the V1 endpoints and wrappers still in use.
15
+ 2. Rebuild authentication and client initialization.
16
+ 3. Replace numeric IDs with nanoids and add discovery calls.
17
+ 4. Swap endpoint logic for SDK methods.
18
+ 5. Update response/error handling.
19
+ 6. Re-test side-effectful flows and signing paths.
20
+
21
+ ## ID migration defaults
22
+
23
+ - `teamId` -> `team_nanoid`
24
+ - `talentId` -> `user_nanoid`
25
+ - company-scoped operations often need `company_nanoid`
26
+ - do not invent numeric-to-nanoid conversion rules; fetch or provide the real
27
+ nanoids
28
+
29
+ ## Auth migration defaults
30
+
31
+ - If the new code can keep a private key server-side, prefer
32
+ `new RiseApiClient({ riseIdAuth: { riseId, privateKey } })`.
33
+ - If the application already issues valid JWTs, use
34
+ `new RiseApiClient({ jwtToken })`.
35
+ - If JWT is available but automatic signing is not, use typed-data methods and
36
+ execute with a signature.
37
+
38
+ ## Flow selection rules
39
+
40
+ ### Read-heavy migrations
41
+
42
+ - `client.me.get()`
43
+ - `client.user.getTeams()`
44
+ - `client.user.getOrganizations()`
45
+ - `client.teams.getUsers()`
46
+ - `client.entityBalance.get()`
47
+ - `client.payments.get()`
48
+
49
+ ### Side-effectful migrations
50
+
51
+ - payments -> `sendPayment()` or typed-data flow
52
+ - manager invites -> `sendManagerInvite()` or typed-data flow
53
+ - withdrawals -> Withdrawals are not available via the SDK: the withdraw endpoints require reCAPTCHA verification headers only a browser session can produce. Point users to the Rise dashboard for withdrawals.
54
+
55
+ ### Webhook migrations
56
+
57
+ - split webhook migration into:
58
+ - event payload and event-name migration
59
+ - signature verification migration
60
+ - endpoint rollout / cutover strategy
61
+
62
+ ## Output bar
63
+
64
+ - Show the old V1 surface and the new B2B surface.
65
+ - Mention missing inputs such as nanoids or auth material.
66
+ - Prefer complete migration-ready examples over abstract summaries.
@@ -0,0 +1,41 @@
1
+ # Rise Webhooks Skill
2
+
3
+ Human-facing notes for the `rise-webhooks` skill.
4
+
5
+ ## Purpose
6
+
7
+ This skill helps agents implement two related webhook surfaces:
8
+
9
+ - **registration/management** of webhook endpoints using `riseworks-sdk`
10
+ - **receiving/validation** of incoming webhook events using `WebhookValidator`
11
+
12
+ ## Why this skill has extra files
13
+
14
+ `SKILL.md` is the concise agent-facing document.
15
+
16
+ The files in `references/` provide deeper, task-specific guidance so agents can
17
+ load extra detail only when needed:
18
+
19
+ - `references/REGISTRATION.md` — admin/settings UI and server-side registration
20
+ - `references/HANDLER.md` — receiving endpoint, validation, idempotent handling
21
+
22
+ ## Scope
23
+
24
+ Use this skill when users ask for:
25
+
26
+ - webhook setup
27
+ - webhook registration UI
28
+ - webhook endpoint management
29
+ - signature validation
30
+ - delivery history
31
+ - typed webhook event handlers
32
+
33
+ ## Main SDK surfaces
34
+
35
+ - `client.webhooks.list()`
36
+ - `client.webhooks.register()`
37
+ - `client.webhooks.update()`
38
+ - `client.webhooks.delete()`
39
+ - `client.webhooks.test()`
40
+ - `client.webhooks.getDeliveryHistory()`
41
+ - `WebhookValidator`
@@ -0,0 +1,143 @@
1
+ ---
2
+ name: rise-webhooks
3
+ description: Implements Rise webhook registration, validation, and event handlers. Use when the user mentions webhooks, event delivery, webhook secrets, webhook signatures, delivery history, or validating Rise events.
4
+ compatibility: Server-side (Node.js, etc.). Works with Claude Code, Cursor, Windsurf, Codex.
5
+ metadata:
6
+ author: Rise Works
7
+ version: "1.0"
8
+ ---
9
+
10
+ # Rise Webhooks
11
+
12
+ **Note:** Always read the installed `riseworks-sdk` source when implementing—the SDK may have new functions or types not yet reflected in this skill.
13
+
14
+ ## Default approach
15
+
16
+ - Use `WebhookValidator` from `riseworks-sdk` for signature validation.
17
+ - Keep the webhook secret server-side.
18
+ - Preserve the raw request body when validating signatures.
19
+ - Return a `2xx` quickly, then hand off heavier processing asynchronously when possible.
20
+
21
+ ## Think in two surfaces
22
+
23
+ - **Registration and management**: Default to the Rise UI / dashboard for webhook creation and event selection. Use SDK registration only when the user explicitly wants programmatic admin automation. If SDK registration is used, the actual call must stay server-side because it includes the secret.
24
+ - **Receiving and processing**: The webhook endpoint that validates signatures and handles `RiseWebhookEvent` payloads.
25
+ - If the user asks to "set up webhooks", ask whether they need:
26
+ - guidance for registering the webhook in the Rise UI,
27
+ - a settings/admin flow to programmatically create and manage webhook endpoints,
28
+ - a receiving endpoint to validate and process events,
29
+ - or both.
30
+
31
+ ## TypeScript types
32
+
33
+ Import event and management types from the SDK so handlers and API calls are correctly typed:
34
+
35
+ - **Validated event**: `validator.validateEvent()` / `validateEventSafe().event` returns `RiseWebhookEvent`. Narrow by `event.event_type` to get typed payloads (e.g. `PaymentSentV2`, `DepositReceivedV2`).
36
+ - **Register/list/update**: Use `RegisterWebhookRequest`, `ListWebhooksResponse`, `WebhookListItem`, `DeliveryHistoryItem`, `WebhookEndpointNanoid` for params and responses.
37
+ - **Event type strings**: Use literal strings for `events` when registering (e.g. `'payment.sent'`, `'deposit.received'`). Same values appear as `event.event_type` on payloads.
38
+
39
+ For the full type list and imports, see [references/TYPES.md](../references/TYPES.md).
40
+
41
+ ## Management surface
42
+
43
+ - List webhooks with `client.webhooks.list()`.
44
+ - Register endpoints with `client.webhooks.register()` — payload shape: `RegisterWebhookRequest` (company_nanoid, url, events, secret, optional team_nanoid, name, description).
45
+ - Delete or inspect delivery history with the extended webhook helpers when needed.
46
+ - For most apps, prefer guiding the user to:
47
+ - create the webhook in the Rise UI,
48
+ - select only the events they need,
49
+ - store the secret server-side,
50
+ - then implement the receiver endpoint in code.
51
+ - Only when the user explicitly wants programmatic webhook management, prefer generating:
52
+ - a UI form or settings screen for webhook configuration,
53
+ - a server action / backend route that builds `RegisterWebhookRequest`,
54
+ - and a secure server-side call to `client.webhooks.register()`.
55
+
56
+ ## Handler expectations
57
+
58
+ - Validate the incoming signature before trusting payload contents.
59
+ - Log the event type and relevant identifiers for support and debugging.
60
+ - Fail closed on signature errors.
61
+
62
+ ## Common edge cases
63
+
64
+ - **Raw body**: Signature validation requires the exact raw request body. If the framework parses JSON automatically, the agent must use the raw body (e.g. `req.rawBody` or read the stream before parsing).
65
+ - **Secret**: The webhook secret must match the one used when registering the endpoint; keep it server-side and never log it.
66
+ - **Idempotency**: Handlers may receive the same event more than once; design for idempotency where possible.
67
+ - **UI vs browser**: `RegisterWebhookRequest` often comes from UI form state, but the browser should not call `client.webhooks.register()` with the secret directly. Put the SDK call in a server action, route handler, or backend service.
68
+ - **Event selection**: Start with a minimal set of events (`payment.sent`, `payment.group.created`, `deposit.received`) instead of subscribing to everything by default.
69
+ - **Default registration path**: Unless the user explicitly asks for admin automation, assume webhook creation happens in the Rise UI rather than through the SDK.
70
+
71
+ ## When not to use this skill
72
+
73
+ - User is asking about outbound HTTP calls from their app (e.g. calling Rise API), not receiving webhooks. Use rise-sdk-integration for API usage.
74
+ - User mentions webhooks for a different product (e.g. Stripe). Do not assume Rise.
75
+
76
+ ## Example (validation and typed handler)
77
+
78
+ ```ts
79
+ import { WebhookValidator } from 'riseworks-sdk'
80
+ import type { RiseWebhookEvent, PaymentSentV2, DepositReceivedV2 } from 'riseworks-sdk'
81
+
82
+ const validator = new WebhookValidator(process.env.WEBHOOK_SECRET!)
83
+ const rawBody = getRawBodyFromRequest(req) // framework-specific: use raw body
84
+ const signature = req.headers['x-rise-signature'] ?? req.headers['x-signature']
85
+
86
+ const event = validator.validateEvent(rawBody, signature) as RiseWebhookEvent
87
+ // Narrow by event_type for typed payload access
88
+ if (event.event_type === 'payment.sent') {
89
+ const ev = event as PaymentSentV2
90
+ console.log(ev.payment.nanoid, ev.payment.amount_cents)
91
+ }
92
+ if (event.event_type === 'deposit.received') {
93
+ const ev = event as DepositReceivedV2
94
+ console.log(ev.deposit.nanoid, ev.deposit.entity_nanoid)
95
+ }
96
+ ```
97
+
98
+ For a non-throwing check, use `validator.validateEventSafe(rawBody, signature)` and read `result.isValid` (and `result.code` for the failure reason). `validateEvent` throws `WebhookValidationError` on failure.
99
+
100
+ ## Example (register with types)
101
+
102
+ ```ts
103
+ import { RiseApiClient } from 'riseworks-sdk'
104
+ import type { RegisterWebhookRequest } from 'riseworks-sdk'
105
+
106
+ const client = new RiseApiClient({ environment: 'stg', jwtToken })
107
+ const body: RegisterWebhookRequest = {
108
+ company_nanoid: 'co-xxx',
109
+ url: 'https://api.example.com/webhooks/rise',
110
+ events: ['payment.sent', 'deposit.received'],
111
+ secret: process.env.WEBHOOK_SECRET!,
112
+ }
113
+ const { data } = await client.webhooks.register(body)
114
+ // data.webhook_nanoid is WebhookEndpointNanoid
115
+ ```
116
+
117
+ ## Preferred implementation shape
118
+
119
+ - If the user wants webhook setup generally, prefer:
120
+ - Rise UI for webhook registration,
121
+ - then code for the receiver endpoint.
122
+ - If the user names a UI framework and explicitly wants programmatic webhook management, prefer:
123
+ - typed form state in the UI,
124
+ - validation on submit,
125
+ - a server action or backend handler that maps form values to `RegisterWebhookRequest`,
126
+ - and then `client.webhooks.register(body)` on the server.
127
+ - For non-UI backend tasks, generate a plain typed function that receives validated inputs and registers the webhook.
128
+
129
+ ## Additional references
130
+
131
+ - **Registration flow**: [references/REGISTRATION.md](references/REGISTRATION.md) — admin/settings UI flow, server-action pattern, `RegisterWebhookRequest`, list/test/update patterns.
132
+ - **Receiver flow**: [references/HANDLER.md](references/HANDLER.md) — signature validation, typed handlers, idempotency.
133
+
134
+ ## Documentation
135
+
136
+ - **Rise B2B API**: [https://v2-docs.riseworks.io/](https://v2-docs.riseworks.io/) — Webhook Overview, Quick Setup, Security & Validation, Event Types, Management, Testing & Debugging. Suggest when the user needs event schemas or delivery details.
137
+ - **SDK types**: [references/TYPES.md](../references/TYPES.md) — Webhook event types, request/response types, nanoids.
138
+
139
+ ## Output quality bar
140
+
141
+ - Show framework-specific code only when the user names the framework.
142
+ - Prefer concrete server examples over browser examples.
143
+ - When troubleshooting, suggest delivery history inspection and signature verification first.
@@ -0,0 +1,13 @@
1
+ {
2
+ "version": "1.1.0",
3
+ "domain": "webhooks",
4
+ "package": "riseworks-sdk",
5
+ "primarySurfaces": ["registration-management", "receiver-validation"],
6
+ "preferredLanguage": "TypeScript",
7
+ "references": [
8
+ "../references/TYPES.md",
9
+ "references/REGISTRATION.md",
10
+ "references/HANDLER.md",
11
+ "https://v2-docs.riseworks.io/"
12
+ ]
13
+ }
@@ -0,0 +1,60 @@
1
+ # Webhook receiver and handler implementation
2
+
3
+ Use this reference when the user needs the **incoming webhook endpoint**.
4
+
5
+ ## Default server shape
6
+
7
+ 1. Read the **raw request body**
8
+ 2. Read `X-Rise-Signature`
9
+ 3. Validate with `WebhookValidator`
10
+ 4. Return `2xx` quickly
11
+ 5. Process the event asynchronously or idempotently
12
+
13
+ ## Types to use
14
+
15
+ ```ts
16
+ import { WebhookValidator } from 'riseworks-sdk'
17
+ import type {
18
+ RiseWebhookEvent,
19
+ PaymentSentV2,
20
+ PaymentGroupCreatedV2,
21
+ DepositReceivedV2,
22
+ InviteAcceptedV2,
23
+ WithdrawAccountDuplicatedDetectedV2,
24
+ } from 'riseworks-sdk'
25
+ ```
26
+
27
+ ## Example
28
+
29
+ ```ts
30
+ const validator = new WebhookValidator(process.env.WEBHOOK_SECRET!)
31
+
32
+ const event = validator.validateEvent(rawBody, signature)
33
+
34
+ switch (event.event_type) {
35
+ case 'payment.sent': {
36
+ const e = event as PaymentSentV2
37
+ console.log(e.payment.nanoid)
38
+ break
39
+ }
40
+ case 'deposit.received': {
41
+ const e = event as DepositReceivedV2
42
+ console.log(e.deposit.nanoid)
43
+ break
44
+ }
45
+ }
46
+ ```
47
+
48
+ ## Important constraints
49
+
50
+ - Signature verification requires the **exact raw body**
51
+ - The secret used here must match the secret used during registration
52
+ - Do not block the HTTP response on slow downstream work
53
+ - Handle duplicate deliveries with idempotency checks when side effects exist
54
+
55
+ ## Good default behaviors
56
+
57
+ - Log `event_type`, `event_version`, and `idempotency_key`
58
+ - Reject invalid signatures with `400` or `401`
59
+ - Treat unknown event types as non-fatal and log them
60
+ - Keep framework-specific code minimal unless the user asked for a framework
@@ -0,0 +1,113 @@
1
+ # Webhook registration and management
2
+
3
+ Use this reference when the user needs to **create, edit, test, or list** Rise
4
+ webhook endpoints programmatically.
5
+
6
+ ## Default recommendation
7
+
8
+ For most customers, webhook registration should be done in the **Rise UI**:
9
+
10
+ 1. Create the endpoint in the Rise app/dashboard
11
+ 2. Select the event types there
12
+ 3. Store the secret server-side
13
+ 4. Implement the receiving endpoint in code
14
+
15
+ Only use the SDK registration flow when the user explicitly wants:
16
+
17
+ - backend-managed webhook provisioning
18
+ - an admin/settings UI inside their own app
19
+ - automated setup across environments or tenants
20
+
21
+ ## Default architecture
22
+
23
+ Programmatic registration is usually part of an **admin UI**, **settings page**, or
24
+ **internal platform flow**:
25
+
26
+ 1. The UI collects the endpoint URL, selected events, optional team/company
27
+ scope, description, and activation state.
28
+ 2. A server action, route handler, or backend service validates those values.
29
+ 3. The server builds a `RegisterWebhookRequest` (or `UpdateWebhookRequest`) and
30
+ calls `client.webhooks.register()` / `client.webhooks.update()`.
31
+
32
+ Do **not** put the webhook secret directly in browser-only code.
33
+
34
+ ## Types to use
35
+
36
+ ```ts
37
+ import { RiseApiClient } from 'riseworks-sdk'
38
+ import type {
39
+ RegisterWebhookRequest,
40
+ UpdateWebhookRequest,
41
+ ListWebhooksRequest,
42
+ ListWebhooksResponse,
43
+ TestWebhookRequest,
44
+ TestWebhookResponse,
45
+ WebhookListItem,
46
+ WebhookEndpointNanoid,
47
+ } from 'riseworks-sdk'
48
+ ```
49
+
50
+ ## Methods to prefer
51
+
52
+ - `client.webhooks.list(params)` — list existing webhook endpoints
53
+ - `client.webhooks.register(body)` — create a new endpoint
54
+ - `client.webhooks.update(webhookNanoid, body)` — update an endpoint
55
+ - `client.webhooks.delete(webhookNanoid)` — delete an endpoint
56
+ - `client.webhooks.test(webhookNanoid, body)` — send a test delivery
57
+ - `client.webhooks.getDeliveryHistory(webhookNanoid, params)` — inspect results
58
+
59
+ ## Registration example
60
+
61
+ ```ts
62
+ import { RiseApiClient } from 'riseworks-sdk'
63
+ import type { RegisterWebhookRequest } from 'riseworks-sdk'
64
+
65
+ export async function registerRiseWebhook(input: RegisterWebhookRequest) {
66
+ const client = new RiseApiClient({
67
+ environment: 'stg',
68
+ jwtToken: process.env.RISE_JWT!,
69
+ })
70
+
71
+ const { data } = await client.webhooks.register(input)
72
+ return data
73
+ }
74
+ ```
75
+
76
+ ## UI-oriented pattern
77
+
78
+ If the user is building a UI, prefer code shaped like this:
79
+
80
+ - **client/UI**: typed form values
81
+ - **server action / route handler**: validation + `RegisterWebhookRequest`
82
+ - **SDK call**: `client.webhooks.register(body)`
83
+
84
+ Example fields to expose in the UI:
85
+
86
+ - `url`
87
+ - `events`
88
+ - `company_nanoid`
89
+ - `team_nanoid` (optional)
90
+ - `name`
91
+ - `description`
92
+ - `is_active`
93
+
94
+ Only collect `secret` in a server-safe flow. If the UI must accept the secret,
95
+ submit it to a server action immediately and do not reuse it in browser logic.
96
+
97
+ ## Event selection guidance
98
+
99
+ Recommend starting with a small event set:
100
+
101
+ - `payment.sent`
102
+ - `payment.group.created`
103
+ - `deposit.received`
104
+ - `invite.accepted`
105
+
106
+ Avoid subscribing to every event unless the user explicitly needs that breadth.
107
+
108
+ ## Output quality bar
109
+
110
+ - If the user mentions a UI, generate both the form model and the server-side
111
+ registration path.
112
+ - Use real exported SDK types instead of anonymous object shapes.
113
+ - Mention role/permission expectations for admin settings screens.