@sakeetech/viva-payments-core 0.2.1

package/dist/isv/payments.js

@@ -0,0 +1,385 @@
+/**
+ * IsvPayments — ISV Payment API methods.
+ *
+ * Covers:
+ *   - createOrder         → POST /checkout/v2/orders?merchantId={merchantId} (OAuth2)
+ *   - retrieveTransaction → GET /checkout/v2/transactions/{transactionId}    (OAuth2)
+ *   - refundPayment       → POST /api/transactions/{transactionId}           (Legacy/Basic)
+ *   - cancelOrder         → DELETE /checkout/v2/orders/{orderCode}           (OAuth2)
+ *
+ * All methods validate inputs locally before making HTTP calls.
+ * Amounts are in integer minor units (bigint) per plan P15.
+ *
+ * Idempotency: createOrder and refundPayment are non-idempotent (idempotent: false).
+ * retrieveTransaction and cancelOrder are idempotent.
+ *
+ * --- Refund path (F1 — probe-verified 2026-04-25) ---
+ * Viva returns 405 on `POST /checkout/v2/transactions/{id}` (v2/OAuth2 path).
+ * The ONLY working refund path is `POST /api/transactions/{transactionId}` on the
+ * LEGACY HOST (`demo.vivapayments.com` / `www.vivapayments.com`) with Basic auth
+ * (MerchantId + ApiKey). The 401-fallback design is NOT applicable here — Viva
+ * returns 405 (not 401) on the v2 path, so no fallback would ever trigger.
+ * refundPayment now calls `legacyClient` DIRECTLY without any v2 attempt.
+ *
+ * @see references/viva-docs/md/tut-create-recurring-payment.txt:288 (legacy refund endpoint)
+ *
+ * --- retrieveTransaction / cancelOrder fallback (D15 — kept defensive) ---
+ *   The optional `secondaryClient` is a fallback for retrieveTransaction and
+ *   cancelOrder. When the primary OAuth2 client returns 401 (after force-refresh),
+ *   the call retries once with the secondary client. A 401 from secondary surfaces
+ *   as VivaAuthError — no further retry.
+ *   Note: cancelOrder is unverified against live sandbox as of 2026-04-25 probe;
+ *   kept on OAuth2 + 401-fallback path defensively.
+ *
+ * --- Idempotency-Key header (F2 — probe-verified 2026-04-25) ---
+ *   The `Idempotency-Key` header is sent on createOrder but Viva does NOT appear
+ *   to deduplicate server-side (same key returned two different orderCodes in probe).
+ *   Local dedup via `viva_transaction` row is the authoritative dedup mechanism.
+ *   Header is retained for forward-compat (zero cost, may be honoured in future).
+ *
+ * @see references/viva-docs/md/payment-isv-api.txt:1
+ * @see references/viva-docs/md/webhooks-for-payments.txt:248 (retrieve before update)
+ * @see references/viva-docs/md/isv-partner-program.txt:104 (ISV overview)
+ * @see references/viva-docs/md/isv-credentials.txt:107 (reseller credentials)
+ * @see docs/plans/vendure-plugin-v0.md §D15 (reseller fallback scope)
+ */
+import { VivaValidationError, VivaAuthError } from '../errors/index.js';
+// ---------------------------------------------------------------------------
+// Validation helpers
+// ---------------------------------------------------------------------------
+/**
+ * Validates an ISO 4217 numeric currency code (3-digit numeric string).
+ *
+ * Per plan P15: currencyCode must be a valid 3-digit numeric string.
+ * Examples: '978' (EUR), '826' (GBP), '840' (USD).
+ *
+ * @see references/viva-docs/md/webhooks-for-payments.txt:487
+ */
+function isValidCurrencyCode(code) {
+    return /^\d{3}$/.test(code);
+}
+// ---------------------------------------------------------------------------
+// IsvPayments
+// ---------------------------------------------------------------------------
+/**
+ * ISV Payment API client.
+ *
+ * Constructed with an IsvHttpClient instance shared across all ISV modules.
+ * Each method scopes its request to a specific merchant via the merchantId
+ * query parameter per the ISV integration model.
+ *
+ * - `client`: primary OAuth2 client for createOrder, retrieveTransaction, cancelOrder.
+ * - `secondaryClient`: optional 401-fallback for retrieveTransaction and cancelOrder.
+ *   When undefined, 401 errors propagate normally.
+ * - `legacyClient`: REQUIRED for refundPayment. Calls `POST /api/transactions/{id}`
+ *   on the legacy host with Basic auth (MerchantId + ApiKey). If absent, refundPayment
+ *   throws `VIVA_REFUND_REJECTED` with a config-missing message.
+ *
+ * Probe-verified 2026-04-25: refund MUST go through legacy client — v2/OAuth2 path
+ * returns 405. cancelOrder is unverified but kept on v2/OAuth2 + 401-fallback defensively.
+ *
+ * @see references/viva-docs/md/tut-create-recurring-payment.txt:288 (legacy refund path)
+ * @see references/viva-docs/md/payment-isv-api.txt:1
+ * @see references/viva-docs/md/isv-partner-program.txt:61 (P1: merchant scoping)
+ * @see references/viva-docs/md/isv-credentials.txt:107 (reseller credentials)
+ * @see docs/plans/vendure-plugin-v0.md §D15 (reseller fallback)
+ */
+export class IsvPayments {
+    client;
+    secondaryClient;
+    legacyClient;
+    constructor(client, secondaryClient, legacyClient) {
+        this.client = client;
+        this.secondaryClient = secondaryClient;
+        this.legacyClient = legacyClient;
+    }
+    /**
+     * Create a payment order for a specific ISV merchant.
+     *
+     * Sends a POST /checkout/v2/orders?merchantId={merchantId} request.
+     * The `Idempotency-Key` header is sent on every call but Viva does NOT appear
+     * to deduplicate server-side as of 2026-04-25 (probe: same key → two different
+     * orderCodes). Local dedup via `viva_transaction` row is the authoritative
+     * dedup mechanism. Header retained for forward-compat only.
+     *
+     * Input validation (throws VivaValidationError before HTTP call):
+     *   - amountMinor must be > 0 (per plan P15)
+     *   - currencyCode must be a valid 3-digit numeric string (per plan P15)
+     *
+     * Non-idempotent: does not retry on 4xx/5xx (only connection-level errors).
+     *
+     * @see references/viva-docs/md/payment-isv-api.txt:1
+     * @see references/viva-docs/md/isv-partner-program.txt:61 (P14 idempotency)
+     * @see references/viva-docs/md/isv-partner-program.txt:83 (P15 amounts)
+     */
+    async createOrder(req, opts) {
+        // Local validation per P14 and P15
+        if (req.amount <= 0n) {
+            throw new VivaValidationError({
+                message: `createOrder: amountMinor must be > 0, got ${req.amount}`,
+            });
+        }
+        if (!isValidCurrencyCode(req.currencyCode)) {
+            throw new VivaValidationError({
+                message: `createOrder: currencyCode must be a 3-digit numeric string (ISO 4217), got "${req.currencyCode}"`,
+            });
+        }
+        // Build wire body: convert bigint amount to number for JSON.
+        // Amount in minor units is always within safe integer range for real payments.
+        const wireBody = {
+            amount: req.amount, // bigintSafeStringify in client handles this
+            currencyCode: Number(req.currencyCode), // Viva expects numeric currency code as number
+        };
+        if (req.merchantTrns !== undefined)
+            wireBody['merchantTrns'] = req.merchantTrns;
+        if (req.customerTrns !== undefined)
+            wireBody['customerTrns'] = req.customerTrns;
+        if (req.customerEmail !== undefined)
+            wireBody['email'] = req.customerEmail;
+        if (req.customerPhone !== undefined)
+            wireBody['phone'] = req.customerPhone;
+        if (req.customerFullName !== undefined)
+            wireBody['fullName'] = req.customerFullName;
+        if (req.successUrl !== undefined)
+            wireBody['successUrl'] = req.successUrl;
+        if (req.failureUrl !== undefined)
+            wireBody['failureUrl'] = req.failureUrl;
+        if (req.tags !== undefined)
+            wireBody['tags'] = req.tags;
+        if (req.sourceCode !== undefined)
+            wireBody['sourceCode'] = req.sourceCode;
+        if (req.paymentTimeoutSeconds !== undefined)
+            wireBody['paymentTimeout'] = req.paymentTimeoutSeconds;
+        if (req.preselectedPaymentMethod !== undefined)
+            wireBody['preselectedPaymentMethod'] = req.preselectedPaymentMethod;
+        const raw = await this.client.request({
+            method: 'POST',
+            path: '/checkout/v2/orders',
+            query: { merchantId: opts.merchantId },
+            body: wireBody,
+            idempotencyKey: opts.idempotencyKey,
+            idempotent: false, // per plan Auth Flow line 319
+            endpoint: 'POST /checkout/v2/orders',
+        });
+        return { orderCode: raw.OrderCode };
+    }
+    /**
+     * Retrieve transaction details for a specific ISV merchant transaction.
+     *
+     * Per Viva docs, this SHOULD be called before updating any local transaction
+     * status on receipt of a webhook. Validates orderCode and statusId from Viva.
+     *
+     * Idempotent: safe to retry on 429 and 5xx.
+     *
+     * Path + auth verified 2026-04-25 (F3):
+     *   `GET /checkout/v2/transactions/{transactionId}` with OAuth2 Bearer → correct.
+     *   404 error envelope shape: `{"status": 404, "message": null, "eventId": "0"}`.
+     *   Note: `message` can be null — handle defensively.
+     *
+     * 401 → reseller fallback (D15) — kept DEFENSIVE:
+     *   If the primary OAuth2 client receives a 401 and secondaryClient is configured,
+     *   the request is retried once with the secondary (Reseller basic-auth) client.
+     *   A 401 from the secondary surfaces immediately as VivaAuthError — no further retry.
+     *   The primary path is verified working; fallback is defensive for edge-case tenants.
+     *
+     * @see references/viva-docs/md/webhooks-for-payments.txt:248 (retrieve before update)
+     * @see references/viva-docs/md/payment-isv-api.txt:1
+     * @see references/viva-docs/md/isv-credentials.txt:107 (reseller basic-auth)
+     * @see docs/plans/vendure-plugin-v0.md §D15 (reseller fallback scope)
+     */
+    async retrieveTransaction(transactionId, opts = {}) {
+        const query = {};
+        if (opts.merchantId)
+            query['merchantId'] = opts.merchantId;
+        const requestOpts = {
+            method: 'GET',
+            path: `/checkout/v2/transactions/${transactionId}`,
+            query,
+            idempotent: true,
+            endpoint: 'GET /checkout/v2/transactions/{transactionId}',
+        };
+        // Viva API returns PascalCase field names (e.g. OrderCode, StatusId).
+        // We normalize to camelCase matching RetrieveTransactionResponse.
+        // The bigint-safe parser in IsvHttpClient already converts OrderCode to bigint.
+        let raw;
+        try {
+            raw = await this.client.request(requestOpts);
+        }
+        catch (err) {
+            // 401 → reseller fallback (D15). Only attempt if secondaryClient is present.
+            // A 401 from the secondary surfaces immediately — no further retry.
+            // @see docs/plans/vendure-plugin-v0.md §D15
+            // @see references/viva-docs/md/isv-credentials.txt:107
+            if (err instanceof VivaAuthError && err.httpStatus === 401 && this.secondaryClient) {
+                raw = await this.secondaryClient.request(requestOpts);
+            }
+            else {
+                throw err;
+            }
+        }
+        // Normalize: accept both PascalCase (wire) and camelCase (normalized) field names.
+        // @see references/viva-docs/md/account-api.txt:1584 (OrderCode: long)
+        const orderCode = (raw['orderCode'] ?? raw['OrderCode']);
+        const cardNumber = raw['cardNumber'] ?? raw['CardNumber'];
+        const cardTypeId = raw['cardTypeId'] ?? raw['CardTypeId'];
+        const email = raw['email'] ?? raw['Email'];
+        const fullName = raw['fullName'] ?? raw['FullName'];
+        const merchantTrns = raw['merchantTrns'] ?? raw['MerchantTrns'];
+        const customerTrns = raw['customerTrns'] ?? raw['CustomerTrns'];
+        const connectedAccountId = raw['connectedAccountId'] ?? raw['ConnectedAccountId'];
+        // Build with conditional optional fields to satisfy exactOptionalPropertyTypes.
+        // (Cannot assign to readonly Partial<> properties so we use spread.)
+        return {
+            transactionId: (raw['transactionId'] ?? raw['TransactionId']),
+            orderCode,
+            statusId: (raw['statusId'] ?? raw['StatusId']),
+            amount: BigInt((raw['amount'] ?? raw['Amount']) ?? 0),
+            currencyCode: (raw['currencyCode'] ?? raw['CurrencyCode']),
+            merchantId: (raw['merchantId'] ?? raw['MerchantId']),
+            parentId: (raw['parentId'] ?? raw['ParentId']) ?? null,
+            insDate: (raw['insDate'] ?? raw['InsDate'] ?? ''),
+            transactionTypeId: (raw['transactionTypeId'] ?? raw['TransactionTypeId']) ?? 0,
+            ...(typeof cardNumber === 'string' ? { cardNumber } : {}),
+            ...(typeof cardTypeId === 'number' ? { cardTypeId } : {}),
+            ...(typeof email === 'string' ? { email } : {}),
+            ...(typeof fullName === 'string' ? { fullName } : {}),
+            ...(typeof merchantTrns === 'string' ? { merchantTrns } : {}),
+            ...(typeof customerTrns === 'string' ? { customerTrns } : {}),
+            ...(typeof connectedAccountId === 'string' ? { connectedAccountId } : {}),
+        };
+    }
+    /**
+     * Issue a full or partial refund for a captured transaction.
+     *
+     * IMPORTANT — probe-verified 2026-04-25 (F1):
+     *   Viva returns 405 Method Not Allowed on `POST /checkout/v2/transactions/{id}`
+     *   (the v2/OAuth2 path). The ONLY working refund path is:
+     *     `POST /api/transactions/{transactionId}` on the LEGACY HOST
+     *     (`demo.vivapayments.com` / `www.vivapayments.com`) with Basic auth
+     *     (MerchantId:ApiKey) and form-urlencoded body.
+     *
+     *   This method calls `legacyClient` DIRECTLY. The 401-fallback (D15) does NOT
+     *   apply here — Viva returns 405 (not 401) on the v2 path, so no fallback
+     *   could ever trigger.
+     *
+     *   If `legacyClient` is not configured (absent from constructor), this method
+     *   throws VivaValidationError with code VIVA_REFUND_REJECTED indicating that
+     *   the basic-auth credentials are required and missing.
+     *
+     * Per plan P18:
+     *   - Full refund: omit amountMinor (no Amount in form body per Viva convention).
+     *   - Partial refund: provide amountMinor > 0 (Amount sent in form body).
+     *   - ISV fee reverses automatically on refund (per isv-partner-program.txt:296).
+     *   - Failed refund (4xx) surfaces as VivaApiError; payment NOT marked refunded.
+     *
+     * Non-idempotent: does not retry on 4xx/5xx.
+     *
+     * Viva response fields (PascalCase, mapped to camelCase):
+     *   StatusId → statusId, Amount → amount, TransactionId → transactionId.
+     *
+     * @see references/viva-docs/md/tut-create-recurring-payment.txt:288 (legacy path + basic auth)
+     * @see references/viva-docs/md/isv-partner-program.txt:296 (ISV fee reversal on refund)
+     * @see references/viva-docs/md/merchant-id-and-api-key.txt:1 (basic auth credentials)
+     */
+    async refundPayment(transactionId, opts) {
+        // Local validation per P18
+        if (opts.amountMinor !== undefined && opts.amountMinor <= 0n) {
+            throw new VivaValidationError({
+                message: `refundPayment: amountMinor must be > 0 when specified, got ${opts.amountMinor}`,
+            });
+        }
+        // legacyClient REQUIRED for refund (F1 — probe-verified 2026-04-25).
+        if (!this.legacyClient) {
+            throw new VivaValidationError({
+                message: 'refundPayment requires a legacyClient (Basic auth with MerchantId + ApiKey). ' +
+                    'Configure VIVA_MERCHANT_ID and VIVA_API_KEY in plugin options. ' +
+                    'Viva returns 405 on the v2/OAuth2 refund path (probe-verified 2026-04-25).',
+            });
+        }
+        // Build form-urlencoded body.
+        // - Amount: send only for partial refund; omit for full refund per Viva convention.
+        // - SourceCode: defaults to 'Default'.
+        // @see references/viva-docs/md/tut-create-recurring-payment.txt:288
+        const formBody = {
+            SourceCode: opts.sourceCode ?? 'Default',
+        };
+        if (opts.amountMinor !== undefined) {
+            // Viva legacy endpoint expects amount in minor units as integer.
+            formBody['Amount'] = opts.amountMinor;
+        }
+        const result = await this.legacyClient.request({
+            method: 'POST',
+            path: `/api/transactions/${transactionId}`,
+            formBody,
+            idempotent: false, // non-idempotent POST — no 4xx/5xx retry
+            endpoint: 'POST /api/transactions/{transactionId}',
+        });
+        const raw = result.data;
+        // Map PascalCase → camelCase and return typed RefundResponse.
+        return {
+            transactionId: (raw.TransactionId ?? transactionId),
+            ...(raw.StatusId !== undefined ? { statusId: raw.StatusId } : {}),
+            ...(raw.Amount !== undefined ? { amount: BigInt(raw.Amount) } : {}),
+        };
+    }
+    /**
+     * Cancel an order that has not yet been paid.
+     *
+     * Idempotent per Viva docs: calling cancel on an already-cancelled or
+     * captured order returns the existing Viva response without error.
+     *
+     * Per plan P18: cancellation triggers webhook 4865 (Order Updated).
+     *
+     * Path: `DELETE /checkout/v2/orders/{orderCode}?merchantId={merchantId}` (OAuth2).
+     *
+     * UNVERIFIED against live sandbox as of 2026-04-25 probe. Only
+     * cancel-transaction (refund/reverse) was tested; cancel-order was not.
+     * Kept on v2/OAuth2 + 401-fallback path defensively.
+     *
+     * 401 → reseller fallback (D15) — kept DEFENSIVE:
+     *   If the primary OAuth2 client receives a 401 and secondaryClient is configured,
+     *   the request is retried once with the secondary (Reseller basic-auth) client.
+     *   A 401 from the secondary surfaces immediately as VivaAuthError — no further retry.
+     *
+     * Note: if cancelOrder already succeeded on Viva's side before any 401 is
+     * observed, a 4xx from Viva on a subsequent attempt signals the order is
+     * already cancelled (idempotent). The fallback does NOT apply to non-401
+     * errors — those propagate as VivaApiError unchanged.
+     *
+     * @see references/viva-docs/md/payment-isv-api.txt:1
+     * @see references/viva-docs/md/webhooks-for-payments.txt:205 (4865 Order Updated)
+     * @see references/viva-docs/md/isv-credentials.txt:107 (reseller basic-auth)
+     * @see docs/plans/vendure-plugin-v0.md §D15 (reseller fallback scope)
+     */
+    async cancelOrder(orderCode, opts) {
+        const requestOpts = {
+            method: 'DELETE',
+            path: `/checkout/v2/orders/${orderCode}`,
+            query: { merchantId: opts.merchantId },
+            idempotent: true, // idempotent per Viva docs
+            endpoint: 'DELETE /checkout/v2/orders/{orderCode}',
+        };
+        let raw;
+        try {
+            raw = await this.client.request(requestOpts);
+        }
+        catch (err) {
+            // 401 → reseller fallback (D15). Only attempt if secondaryClient is present.
+            // A 401 from the secondary surfaces immediately — no further retry.
+            // @see docs/plans/vendure-plugin-v0.md §D15
+            // @see references/viva-docs/md/isv-credentials.txt:107
+            if (err instanceof VivaAuthError && err.httpStatus === 401 && this.secondaryClient) {
+                raw = await this.secondaryClient.request(requestOpts);
+            }
+            else {
+                throw err;
+            }
+        }
+        return {
+            orderCode: raw.OrderCode,
+            errorCode: raw.ErrorCode,
+            errorText: raw.ErrorText,
+        };
+    }
+}
+//# sourceMappingURL=payments.js.map

package/dist/isv/payments.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"payments.js","sourceRoot":"","sources":["../../src/isv/payments.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AAeH,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAExE,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;;;;;;GAOG;AACH,SAAS,mBAAmB,CAAC,IAAY;IACvC,OAAO,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,OAAO,WAAW;IAEH;IACA;IACA;IAHnB,YACmB,MAAqB,EACrB,eAA+B,EAC/B,YAAgC;QAFhC,WAAM,GAAN,MAAM,CAAe;QACrB,oBAAe,GAAf,eAAe,CAAgB;QAC/B,iBAAY,GAAZ,YAAY,CAAoB;IAChD,CAAC;IAEJ;;;;;;;;;;;;;;;;;;OAkBG;IACH,KAAK,CAAC,WAAW,CACf,GAAuB,EACvB,IAAwD;QAExD,mCAAmC;QACnC,IAAI,GAAG,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YACrB,MAAM,IAAI,mBAAmB,CAAC;gBAC5B,OAAO,EAAE,6CAA6C,GAAG,CAAC,MAAM,EAAE;aACnE,CAAC,CAAC;QACL,CAAC;QACD,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC;YAC3C,MAAM,IAAI,mBAAmB,CAAC;gBAC5B,OAAO,EAAE,+EAA+E,GAAG,CAAC,YAAY,GAAG;aAC5G,CAAC,CAAC;QACL,CAAC;QAED,6DAA6D;QAC7D,+EAA+E;QAC/E,MAAM,QAAQ,GAA4B;YACxC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,6CAA6C;YACjE,YAAY,EAAE,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,+CAA+C;SACxF,CAAC;QACF,IAAI,GAAG,CAAC,YAAY,KAAK,SAAS;YAAE,QAAQ,CAAC,cAAc,CAAC,GAAG,GAAG,CAAC,YAAY,CAAC;QAChF,IAAI,GAAG,CAAC,YAAY,KAAK,SAAS;YAAE,QAAQ,CAAC,cAAc,CAAC,GAAG,GAAG,CAAC,YAAY,CAAC;QAChF,IAAI,GAAG,CAAC,aAAa,KAAK,SAAS;YAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,GAAG,CAAC,aAAa,CAAC;QAC3E,IAAI,GAAG,CAAC,aAAa,KAAK,SAAS;YAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,GAAG,CAAC,aAAa,CAAC;QAC3E,IAAI,GAAG,CAAC,gBAAgB,KAAK,SAAS;YAAE,QAAQ,CAAC,UAAU,CAAC,GAAG,GAAG,CAAC,gBAAgB,CAAC;QACpF,IAAI,GAAG,CAAC,UAAU,KAAK,SAAS;YAAE,QAAQ,CAAC,YAAY,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC;QAC1E,IAAI,GAAG,CAAC,UAAU,KAAK,SAAS;YAAE,QAAQ,CAAC,YAAY,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC;QAC1E,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS;YAAE,QAAQ,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC;QACxD,IAAI,GAAG,CAAC,UAAU,KAAK,SAAS;YAAE,QAAQ,CAAC,YAAY,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC;QAC1E,IAAI,GAAG,CAAC,qBAAqB,KAAK,SAAS;YAAE,QAAQ,CAAC,gBAAgB,CAAC,GAAG,GAAG,CAAC,qBAAqB,CAAC;QACpG,IAAI,GAAG,CAAC,wBAAwB,KAAK,SAAS;YAAE,QAAQ,CAAC,0BAA0B,CAAC,GAAG,GAAG,CAAC,wBAAwB,CAAC;QAEpH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAA2B;YAC9D,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,qBAAqB;YAC3B,KAAK,EAAE,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE;YACtC,IAAI,EAAE,QAAQ;YACd,cAAc,EAAE,IAAI,CAAC,cAAc;YACnC,UAAU,EAAE,KAAK,EAAE,8BAA8B;YACjD,QAAQ,EAAE,0BAA0B;SACrC,CAAC,CAAC;QAEH,OAAO,EAAE,SAAS,EAAE,GAAG,CAAC,SAAS,EAAE,CAAC;IACtC,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,KAAK,CAAC,mBAAmB,CACvB,aAA4B,EAC5B,OAAoC,EAAE;QAEtC,MAAM,KAAK,GAAuC,EAAE,CAAC;QACrD,IAAI,IAAI,CAAC,UAAU;YAAE,KAAK,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC;QAE3D,MAAM,WAAW,GAAG;YAClB,MAAM,EAAE,KAAc;YACtB,IAAI,EAAE,6BAA6B,aAAa,EAAE;YAClD,KAAK;YACL,UAAU,EAAE,IAAI;YAChB,QAAQ,EAAE,+CAA+C;SAC1D,CAAC;QAEF,sEAAsE;QACtE,kEAAkE;QAClE,gFAAgF;QAChF,IAAI,GAA4B,CAAC;QACjC,IAAI,CAAC;YACH,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAA0B,WAAW,CAAC,CAAC;QACxE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,6EAA6E;YAC7E,oEAAoE;YACpE,4CAA4C;YAC5C,uDAAuD;YACvD,IAAI,GAAG,YAAY,aAAa,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;gBACnF,GAAG,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,CAA0B,WAAW,CAAC,CAAC;YACjF,CAAC;iBAAM,CAAC;gBACN,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;QAED,mFAAmF;QACnF,sEAAsE;QACtE,MAAM,SAAS,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC,WAAW,CAAC,CAAc,CAAC;QACtE,MAAM,UAAU,GAAG,GAAG,CAAC,YAAY,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC;QAC1D,MAAM,UAAU,GAAG,GAAG,CAAC,YAAY,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC;QAC1D,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;QAC3C,MAAM,QAAQ,GAAG,GAAG,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;QACpD,MAAM,YAAY,GAAG,GAAG,CAAC,cAAc,CAAC,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC;QAChE,MAAM,YAAY,GAAG,GAAG,CAAC,cAAc,CAAC,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC;QAChE,MAAM,kBAAkB,GAAG,GAAG,CAAC,oBAAoB,CAAC,IAAI,GAAG,CAAC,oBAAoB,CAAC,CAAC;QAElF,gFAAgF;QAChF,qEAAqE;QACrE,OAAO;YACL,aAAa,EAAE,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,GAAG,CAAC,eAAe,CAAC,CAAkB;YAC9E,SAAS;YACT,QAAQ,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,CAAW;YACxD,MAAM,EAAE,MAAM,CAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAqB,IAAI,CAAC,CAAe;YACxF,YAAY,EAAE,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,GAAG,CAAC,cAAc,CAAC,CAA6C;YACtG,UAAU,EAAE,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,CAAW;YAC9D,QAAQ,EAAG,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,CAAsC,IAAI,IAAI;YAC5F,OAAO,EAAE,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,CAAW;YAC3D,iBAAiB,EAAG,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,GAAG,CAAC,mBAAmB,CAAC,CAAY,IAAI,CAAC;YAC1F,GAAG,CAAC,OAAO,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACzD,GAAG,CAAC,OAAO,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACzD,GAAG,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC/C,GAAG,CAAC,OAAO,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACrD,GAAG,CAAC,OAAO,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7D,GAAG,CAAC,OAAO,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7D,GAAG,CAAC,OAAO,kBAAkB,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC1E,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgCG;IACH,KAAK,CAAC,aAAa,CACjB,aAA4B,EAC5B,IAKC;QAED,2BAA2B;QAC3B,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS,IAAI,IAAI,CAAC,WAAW,IAAI,EAAE,EAAE,CAAC;YAC7D,MAAM,IAAI,mBAAmB,CAAC;gBAC5B,OAAO,EAAE,8DAA8D,IAAI,CAAC,WAAW,EAAE;aAC1F,CAAC,CAAC;QACL,CAAC;QAED,qEAAqE;QACrE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,IAAI,mBAAmB,CAAC;gBAC5B,OAAO,EACL,+EAA+E;oBAC/E,iEAAiE;oBACjE,4EAA4E;aAC/E,CAAC,CAAC;QACL,CAAC;QAED,8BAA8B;QAC9B,oFAAoF;QACpF,uCAAuC;QACvC,oEAAoE;QACpE,MAAM,QAAQ,GAAyD;YACrE,UAAU,EAAE,IAAI,CAAC,UAAU,IAAI,SAAS;SACzC,CAAC;QACF,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YACnC,iEAAiE;YACjE,QAAQ,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC;QACxC,CAAC;QASD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAkB;YAC9D,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,qBAAqB,aAAa,EAAE;YAC1C,QAAQ;YACR,UAAU,EAAE,KAAK,EAAE,yCAAyC;YAC5D,QAAQ,EAAE,wCAAwC;SACnD,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC;QAExB,8DAA8D;QAC9D,OAAO;YACL,aAAa,EAAE,CAAC,GAAG,CAAC,aAAa,IAAI,aAAa,CAAkB;YACpE,GAAG,CAAC,GAAG,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACjE,GAAG,CAAC,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,MAAM,CAAe,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAClF,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG;IACH,KAAK,CAAC,WAAW,CACf,SAAoB,EACpB,IAAgC;QAIhC,MAAM,WAAW,GAAG;YAClB,MAAM,EAAE,QAAiB;YACzB,IAAI,EAAE,uBAAuB,SAAS,EAAE;YACxC,KAAK,EAAE,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE;YACtC,UAAU,EAAE,IAAa,EAAE,2BAA2B;YACtD,QAAQ,EAAE,wCAAwC;SACnD,CAAC;QAEF,IAAI,GAAc,CAAC;QACnB,IAAI,CAAC;YACH,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAY,WAAW,CAAC,CAAC;QAC1D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,6EAA6E;YAC7E,oEAAoE;YACpE,4CAA4C;YAC5C,uDAAuD;YACvD,IAAI,GAAG,YAAY,aAAa,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;gBACnF,GAAG,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,CAAY,WAAW,CAAC,CAAC;YACnE,CAAC;iBAAM,CAAC;gBACN,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;QAED,OAAO;YACL,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,SAAS,EAAE,GAAG,CAAC,SAAS;SACzB,CAAC;IACJ,CAAC;CACF"}

package/dist/isv/sources.d.ts

@@ -0,0 +1,80 @@
+/**
+ * IsvSources — ISV-mode admin operations on payment sources for connected merchants.
+ *
+ * Wraps `POST /api/sources` on the Viva legacy host using a `BasicAuthClient`
+ * configured with `authVariant: 'reseller'`. A "source" is a payment-source
+ * configuration on a merchant account — e.g. a Smart Checkout source linked to
+ * a domain + success/fail callback paths, or a physical (in-store) source.
+ *
+ * The reseller credentials baked into the underlying `BasicAuthClient` are
+ * scoped to **one** connected merchant per client instance. To operate on
+ * multiple merchants under the same reseller account, construct multiple
+ * `BasicAuthClient` instances (one per merchant) and pass each to its own
+ * `IsvSources`.
+ *
+ * @see references/payment-isv-api.yaml:135
+ * @see docs/AUTH.md §1.2 (Reseller Basic)
+ * @see docs/ENDPOINTS.md §5.1
+ */
+import type { BasicAuthClient } from '../legacy/client.js';
+/**
+ * Input for `createEcommerceSource` — Smart Checkout source for a website.
+ */
+export interface CreateEcommerceSourceInput {
+    /** Domain the source is bound to, e.g. `www.example.com`. */
+    domain: string;
+    /** URL path the customer is redirected to after a successful checkout. */
+    pathSuccess: string;
+    /** URL path the customer is redirected to after a failed checkout. */
+    pathFail: string;
+    /** Friendly label for the source (optional). */
+    name?: string;
+    /**
+     * 4-digit source code (1000..9999). Auto-assigned by Viva when omitted.
+     */
+    sourceCode?: number;
+    /** Whether the domain is served over HTTPS. Defaults to `true`. */
+    isSecure?: boolean;
+}
+/**
+ * Input for `createPhysicalSource` — in-store / terminal source.
+ */
+export interface CreatePhysicalSourceInput {
+    /** Friendly label for the physical source. Required. */
+    name: string;
+    /** 4-digit source code (1000..9999). Auto-assigned by Viva when omitted. */
+    sourceCode?: number;
+}
+/**
+ * Response shape from `POST /api/sources`. Kept permissive — Viva's response
+ * may include additional fields depending on the source type / account state.
+ */
+export interface SourceResponse {
+    sourceCode: number;
+    name?: string;
+    [k: string]: unknown;
+}
+export declare class IsvSources {
+    private readonly basic;
+    /**
+     * @param basic A `BasicAuthClient` already configured with
+     *   `authVariant: 'reseller'`. The reseller credentials are tied to ONE
+     *   connected merchant per client instance.
+     */
+    constructor(basic: BasicAuthClient);
+    /**
+     * Create a Smart Checkout (ecommerce) payment source for the connected
+     * merchant.
+     *
+     * @see docs/ENDPOINTS.md §5.1
+     */
+    createEcommerceSource(input: CreateEcommerceSourceInput): Promise<SourceResponse>;
+    /**
+     * Create a physical (in-store / terminal) payment source for the connected
+     * merchant.
+     *
+     * @see docs/ENDPOINTS.md §5.1
+     */
+    createPhysicalSource(input: CreatePhysicalSourceInput): Promise<SourceResponse>;
+}
+//# sourceMappingURL=sources.d.ts.map

package/dist/isv/sources.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sources.d.ts","sourceRoot":"","sources":["../../src/isv/sources.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAO3D;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,6DAA6D;IAC7D,MAAM,EAAE,MAAM,CAAC;IACf,0EAA0E;IAC1E,WAAW,EAAE,MAAM,CAAC;IACpB,sEAAsE;IACtE,QAAQ,EAAE,MAAM,CAAC;IACjB,gDAAgD;IAChD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mEAAmE;IACnE,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,wDAAwD;IACxD,IAAI,EAAE,MAAM,CAAC;IACb,4EAA4E;IAC5E,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;CACtB;AA8BD,qBAAa,UAAU;IAMT,OAAO,CAAC,QAAQ,CAAC,KAAK;IALlC;;;;OAIG;gBAC0B,KAAK,EAAE,eAAe;IAEnD;;;;;OAKG;IACG,qBAAqB,CAAC,KAAK,EAAE,0BAA0B,GAAG,OAAO,CAAC,cAAc,CAAC;IA6BvF;;;;;OAKG;IACG,oBAAoB,CAAC,KAAK,EAAE,yBAAyB,GAAG,OAAO,CAAC,cAAc,CAAC;CAqBtF"}

package/dist/isv/sources.js

@@ -0,0 +1,112 @@
+/**
+ * IsvSources — ISV-mode admin operations on payment sources for connected merchants.
+ *
+ * Wraps `POST /api/sources` on the Viva legacy host using a `BasicAuthClient`
+ * configured with `authVariant: 'reseller'`. A "source" is a payment-source
+ * configuration on a merchant account — e.g. a Smart Checkout source linked to
+ * a domain + success/fail callback paths, or a physical (in-store) source.
+ *
+ * The reseller credentials baked into the underlying `BasicAuthClient` are
+ * scoped to **one** connected merchant per client instance. To operate on
+ * multiple merchants under the same reseller account, construct multiple
+ * `BasicAuthClient` instances (one per merchant) and pass each to its own
+ * `IsvSources`.
+ *
+ * @see references/payment-isv-api.yaml:135
+ * @see docs/AUTH.md §1.2 (Reseller Basic)
+ * @see docs/ENDPOINTS.md §5.1
+ */
+import { VivaValidationError } from '../errors/index.js';
+// ---------------------------------------------------------------------------
+// Validation helpers
+// ---------------------------------------------------------------------------
+const SOURCE_CODE_MIN = 1000;
+const SOURCE_CODE_MAX = 9999;
+function requireNonEmptyString(value, field) {
+    if (typeof value !== 'string' || value.trim() === '') {
+        throw new VivaValidationError({
+            message: `IsvSources: ${field} is required and must be a non-empty string`,
+        });
+    }
+}
+function validateSourceCode(value) {
+    if (value === undefined)
+        return;
+    if (!Number.isInteger(value) || value < SOURCE_CODE_MIN || value > SOURCE_CODE_MAX) {
+        throw new VivaValidationError({
+            message: `IsvSources: sourceCode must be a 4-digit integer in [${SOURCE_CODE_MIN}, ${SOURCE_CODE_MAX}]`,
+        });
+    }
+}
+// ---------------------------------------------------------------------------
+// IsvSources
+// ---------------------------------------------------------------------------
+export class IsvSources {
+    basic;
+    /**
+     * @param basic A `BasicAuthClient` already configured with
+     *   `authVariant: 'reseller'`. The reseller credentials are tied to ONE
+     *   connected merchant per client instance.
+     */
+    constructor(basic) {
+        this.basic = basic;
+    }
+    /**
+     * Create a Smart Checkout (ecommerce) payment source for the connected
+     * merchant.
+     *
+     * @see docs/ENDPOINTS.md §5.1
+     */
+    async createEcommerceSource(input) {
+        requireNonEmptyString(input.domain, 'domain');
+        requireNonEmptyString(input.pathSuccess, 'pathSuccess');
+        requireNonEmptyString(input.pathFail, 'pathFail');
+        validateSourceCode(input.sourceCode);
+        const body = {
+            domain: input.domain,
+            isSecure: input.isSecure ?? true,
+            pathFail: input.pathFail,
+            pathSuccess: input.pathSuccess,
+        };
+        if (input.name !== undefined) {
+            body['name'] = input.name;
+        }
+        if (input.sourceCode !== undefined) {
+            body['sourceCode'] = input.sourceCode;
+        }
+        const result = await this.basic.request({
+            method: 'POST',
+            path: '/api/sources',
+            jsonBody: body,
+            idempotent: false,
+            endpoint: 'POST /api/sources',
+        });
+        return result.data;
+    }
+    /**
+     * Create a physical (in-store / terminal) payment source for the connected
+     * merchant.
+     *
+     * @see docs/ENDPOINTS.md §5.1
+     */
+    async createPhysicalSource(input) {
+        requireNonEmptyString(input.name, 'name');
+        validateSourceCode(input.sourceCode);
+        const body = {
+            isPhysical: true,
+            name: input.name,
+        };
+        if (input.sourceCode !== undefined) {
+            body['sourceCode'] = input.sourceCode;
+        }
+        const result = await this.basic.request({
+            method: 'POST',
+            path: '/api/sources',
+            jsonBody: body,
+            idempotent: false,
+            endpoint: 'POST /api/sources',
+        });
+        return result.data;
+    }
+}
+//# sourceMappingURL=sources.js.map

package/dist/isv/sources.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sources.js","sourceRoot":"","sources":["../../src/isv/sources.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAGH,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AA8CzD,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E,MAAM,eAAe,GAAG,IAAI,CAAC;AAC7B,MAAM,eAAe,GAAG,IAAI,CAAC;AAE7B,SAAS,qBAAqB,CAAC,KAAc,EAAE,KAAa;IAC1D,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACrD,MAAM,IAAI,mBAAmB,CAAC;YAC5B,OAAO,EAAE,eAAe,KAAK,6CAA6C;SAC3E,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAyB;IACnD,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO;IAChC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,eAAe,IAAI,KAAK,GAAG,eAAe,EAAE,CAAC;QACnF,MAAM,IAAI,mBAAmB,CAAC;YAC5B,OAAO,EAAE,wDAAwD,eAAe,KAAK,eAAe,GAAG;SACxG,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E,MAAM,OAAO,UAAU;IAMQ;IAL7B;;;;OAIG;IACH,YAA6B,KAAsB;QAAtB,UAAK,GAAL,KAAK,CAAiB;IAAG,CAAC;IAEvD;;;;;OAKG;IACH,KAAK,CAAC,qBAAqB,CAAC,KAAiC;QAC3D,qBAAqB,CAAC,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC9C,qBAAqB,CAAC,KAAK,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;QACxD,qBAAqB,CAAC,KAAK,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QAClD,kBAAkB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAErC,MAAM,IAAI,GAA4B;YACpC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,IAAI;YAChC,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,WAAW,EAAE,KAAK,CAAC,WAAW;SAC/B,CAAC;QACF,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,KAAK,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YACnC,IAAI,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,UAAU,CAAC;QACxC,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAiB;YACtD,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,cAAc;YACpB,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,KAAK;YACjB,QAAQ,EAAE,mBAAmB;SAC9B,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,IAAI,CAAC;IACrB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,oBAAoB,CAAC,KAAgC;QACzD,qBAAqB,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC1C,kBAAkB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAErC,MAAM,IAAI,GAA4B;YACpC,UAAU,EAAE,IAAI;YAChB,IAAI,EAAE,KAAK,CAAC,IAAI;SACjB,CAAC;QACF,IAAI,KAAK,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YACnC,IAAI,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,UAAU,CAAC;QACxC,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAiB;YACtD,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,cAAc;YACpB,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,KAAK;YACjB,QAAQ,EAAE,mBAAmB;SAC9B,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,IAAI,CAAC;IACrB,CAAC;CACF"}

package/dist/isv/webhooks-api.d.ts

@@ -0,0 +1,48 @@
+/**
+ * IsvWebhooks — ISV Webhook Registration API.
+ *
+ * Probe-verified 2026-05-11. Endpoints below match `docs/payment-isv-api.yaml`.
+ *
+ *   - registerWebhook     → POST /isv/v1/webhooks               (204 No Content)
+ *   - getVerificationKey  → GET  /isv/v1/webhooks/token         (200 {key})
+ *
+ * Intentionally absent — these endpoints are NOT exposed by the ISV API:
+ *
+ *   - listWebhooks       (no GET on /isv/v1/webhooks; only POST)
+ *   - deactivate/delete  (no PATCH/DELETE; manage existing entries via the
+ *                         banking UI or by re-registering)
+ *
+ * Auth: OAuth2 Bearer with scopes
+ *   `urn:viva:payments:core:api:isv urn:viva:payments:core:api:redirectcheckout`.
+ *
+ * Limits: max 10 URLs per `eventTypeId`. Exceeding the cap returns HTTP 400
+ * with `eventId: 3732` (`SecurityCreateWebhookFailedLimitReached`).
+ */
+import type { IsvHttpClient } from './client.js';
+import type { RegisterWebhookRequest, RetrieveWebhookKeyResponse } from '../types/index.js';
+export declare class IsvWebhooks {
+    private readonly client;
+    constructor(client: IsvHttpClient);
+    /**
+     * Register a webhook URL for an event type.
+     *
+     * Server returns 204 No Content on success. Re-posting the same URL for
+     * the same event type does not error — it is the caller's responsibility
+     * to avoid duplicates (the API has no list endpoint).
+     *
+     * Throws `VivaApiError` with `vivaCode: '3732'` if the 10-URL-per-event cap
+     * is exceeded.
+     */
+    registerWebhook(req: RegisterWebhookRequest): Promise<void>;
+    /**
+     * Retrieve the ISV-level webhook verification key.
+     *
+     * The returned `key` must be echoed in the JSON response to the URL-verify
+     * GET handshake Viva performs against the webhook endpoint.
+     *
+     * Note: a single key is issued per ISV account; it does not vary per
+     * registered URL.
+     */
+    getVerificationKey(): Promise<RetrieveWebhookKeyResponse>;
+}
+//# sourceMappingURL=webhooks-api.d.ts.map

package/dist/isv/webhooks-api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhooks-api.d.ts","sourceRoot":"","sources":["../../src/isv/webhooks-api.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,KAAK,EACV,sBAAsB,EACtB,0BAA0B,EAC3B,MAAM,mBAAmB,CAAC;AAE3B,qBAAa,WAAW;IACV,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,aAAa;IAElD;;;;;;;;;OASG;IACG,eAAe,CAAC,GAAG,EAAE,sBAAsB,GAAG,OAAO,CAAC,IAAI,CAAC;IAajE;;;;;;;;OAQG;IACG,kBAAkB,IAAI,OAAO,CAAC,0BAA0B,CAAC;CAQhE"}