@sakeetech/viva-payments-core 0.2.1

package/dist/isv/webhooks-api.js

@@ -0,0 +1,66 @@
+/**
+ * IsvWebhooks — ISV Webhook Registration API.
+ *
+ * Probe-verified 2026-05-11. Endpoints below match `docs/payment-isv-api.yaml`.
+ *
+ *   - registerWebhook     → POST /isv/v1/webhooks               (204 No Content)
+ *   - getVerificationKey  → GET  /isv/v1/webhooks/token         (200 {key})
+ *
+ * Intentionally absent — these endpoints are NOT exposed by the ISV API:
+ *
+ *   - listWebhooks       (no GET on /isv/v1/webhooks; only POST)
+ *   - deactivate/delete  (no PATCH/DELETE; manage existing entries via the
+ *                         banking UI or by re-registering)
+ *
+ * Auth: OAuth2 Bearer with scopes
+ *   `urn:viva:payments:core:api:isv urn:viva:payments:core:api:redirectcheckout`.
+ *
+ * Limits: max 10 URLs per `eventTypeId`. Exceeding the cap returns HTTP 400
+ * with `eventId: 3732` (`SecurityCreateWebhookFailedLimitReached`).
+ */
+export class IsvWebhooks {
+    client;
+    constructor(client) {
+        this.client = client;
+    }
+    /**
+     * Register a webhook URL for an event type.
+     *
+     * Server returns 204 No Content on success. Re-posting the same URL for
+     * the same event type does not error — it is the caller's responsibility
+     * to avoid duplicates (the API has no list endpoint).
+     *
+     * Throws `VivaApiError` with `vivaCode: '3732'` if the 10-URL-per-event cap
+     * is exceeded.
+     */
+    async registerWebhook(req) {
+        await this.client.request({
+            method: 'POST',
+            path: '/isv/v1/webhooks',
+            body: {
+                eventTypeId: req.eventTypeId,
+                url: req.url,
+            },
+            idempotent: true,
+            endpoint: 'POST /isv/v1/webhooks',
+        });
+    }
+    /**
+     * Retrieve the ISV-level webhook verification key.
+     *
+     * The returned `key` must be echoed in the JSON response to the URL-verify
+     * GET handshake Viva performs against the webhook endpoint.
+     *
+     * Note: a single key is issued per ISV account; it does not vary per
+     * registered URL.
+     */
+    async getVerificationKey() {
+        return this.client.request({
+            method: 'GET',
+            path: '/isv/v1/webhooks/token',
+            idempotent: true,
+            endpoint: 'GET /isv/v1/webhooks/token',
+        });
+    }
+}
+//# sourceMappingURL=webhooks-api.js.map

package/dist/isv/webhooks-api.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhooks-api.js","sourceRoot":"","sources":["../../src/isv/webhooks-api.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAQH,MAAM,OAAO,WAAW;IACO;IAA7B,YAA6B,MAAqB;QAArB,WAAM,GAAN,MAAM,CAAe;IAAG,CAAC;IAEtD;;;;;;;;;OASG;IACH,KAAK,CAAC,eAAe,CAAC,GAA2B;QAC/C,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAO;YAC9B,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,kBAAkB;YACxB,IAAI,EAAE;gBACJ,WAAW,EAAE,GAAG,CAAC,WAAW;gBAC5B,GAAG,EAAE,GAAG,CAAC,GAAG;aACb;YACD,UAAU,EAAE,IAAI;YAChB,QAAQ,EAAE,uBAAuB;SAClC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,kBAAkB;QACtB,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAA6B;YACrD,MAAM,EAAE,KAAK;YACb,IAAI,EAAE,wBAAwB;YAC9B,UAAU,EAAE,IAAI;YAChB,QAAQ,EAAE,4BAA4B;SACvC,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/legacy/client.d.ts

@@ -0,0 +1,199 @@
+/**
+ * BasicAuthClient — HTTP client for Viva legacy API endpoints (Basic auth).
+ *
+ * Viva exposes a subset of endpoints ONLY on their legacy host
+ * (`demo.vivapayments.com` / `www.vivapayments.com`) behind Basic auth
+ * (MerchantId:ApiKey). These endpoints are NOT available on the v2/OAuth2
+ * surface (`demo-api.vivapayments.com`).
+ *
+ * Verified against Viva sandbox 2026-04-25:
+ * - Refund: `POST /api/transactions/{transactionId}` on legacy host with Basic auth.
+ *   - Body: `application/x-www-form-urlencoded` — `Amount={minor}&SourceCode={code}`.
+ *   - Response: PascalCase JSON `{StatusId, Amount, TransactionId, ...}`.
+ *   - `POST /checkout/v2/transactions/{id}` (v2) returns 405 → NOT valid.
+ *
+ * Design:
+ *   - NOT a fallback. This is the PRIMARY (and only) client for legacy endpoints.
+ *   - Same retry / error-shape conventions as IsvHttpClient.
+ *   - Form-encoded body builder via URLSearchParams (built-in, zero deps).
+ *   - Tracing headers (`x-viva-correlationid`, `x-viva-eventid`) extracted and
+ *     attached to errors and successful responses.
+ *
+ * @see references/viva-docs/md/tut-create-recurring-payment.txt:288
+ * @see references/viva-docs/md/merchant-id-and-api-key.txt:1
+ */
+import type { Dispatcher } from 'undici';
+import type { VivaEnvironment } from '../types/index.js';
+import type { MetricsHook } from '../observability/index.js';
+/**
+ * Which Basic-auth flavour to use when calling Viva's legacy host.
+ *
+ * - `merchant`: standard MerchantId/ApiKey Basic auth — used by single-merchant
+ *   integrations (the original `BasicAuthClient` flavour).
+ * - `reseller`: ISV/reseller Basic auth scoped to one connected merchant —
+ *   username is `ResellerId:MerchantId`, password is `ResellerApiKey`. Used by
+ *   ISV admin operations such as `POST /api/sources`.
+ *
+ * @see docs/AUTH.md §1.2
+ */
+export type BasicAuthVariant = 'merchant' | 'reseller';
+/** Fields shared by both Basic-auth variants. */
+interface BasicAuthClientCommonConfig {
+    /**
+     * Viva environment selector. Determines legacy host.
+     *   demo       → https://demo.vivapayments.com
+     *   production → https://www.vivapayments.com
+     */
+    environment: VivaEnvironment;
+    /** Override undici dispatcher for tests (e.g. MockAgent). */
+    dispatcher?: Dispatcher;
+    /** Override global fetch. Defaults to undici fetch when dispatcher is provided. */
+    fetchImpl?: typeof fetch;
+    /** Clock override for tests. Defaults to Date.now. */
+    now?: () => number;
+    /**
+     * Exponential backoff schedule in milliseconds.
+     * Default: [500, 1500, 4500].
+     */
+    retryBackoffsMs?: number[];
+    /** Jitter ratio applied to each backoff (±ratio * backoff). Default: 0.2. */
+    jitterRatio?: number;
+    /** Default per-request timeout in milliseconds. Default: 30_000. */
+    defaultTimeoutMs?: number;
+    /** Optional metrics hook. */
+    metrics?: MetricsHook;
+}
+/**
+ * Merchant-flavoured Basic auth: `Basic base64(merchantId:apiKey)`.
+ *
+ * `authVariant` is optional and defaults to `'merchant'` so pre-existing call
+ * sites that did not set the discriminator continue to compile.
+ *
+ * @see docs/AUTH.md §1.2 (Merchant Basic)
+ * @see references/viva-docs/md/merchant-id-and-api-key.txt:1
+ */
+export interface MerchantBasicAuthClientConfig extends BasicAuthClientCommonConfig {
+    authVariant?: 'merchant';
+    /**
+     * Merchant ID (UUID). Used as the Basic-auth username.
+     * @see references/viva-docs/md/merchant-id-and-api-key.txt:1
+     */
+    merchantId: string;
+    /**
+     * API Key. Used as the Basic-auth password.
+     * @see references/viva-docs/md/merchant-id-and-api-key.txt:1
+     */
+    apiKey: string;
+}
+/**
+ * Reseller-flavoured Basic auth: `Basic base64(resellerId:merchantId:resellerApiKey)`.
+ *
+ * The reseller credentials are scoped to **one** connected merchant per
+ * instance — to operate on multiple merchants under the same reseller account,
+ * construct multiple `BasicAuthClient` instances.
+ *
+ * @see docs/AUTH.md §1.2 (Reseller Basic)
+ */
+export interface ResellerBasicAuthClientConfig extends BasicAuthClientCommonConfig {
+    authVariant: 'reseller';
+    /** Reseller ID (UUID) — the ISV's reseller account. */
+    resellerId: string;
+    /** Connected merchant ID (UUID) — the merchant the reseller is operating on. */
+    merchantId: string;
+    /** Reseller API key. */
+    resellerApiKey: string;
+}
+export type BasicAuthClientConfig = MerchantBasicAuthClientConfig | ResellerBasicAuthClientConfig;
+export interface LegacyRequestOptions {
+    method: 'GET' | 'POST';
+    path: string;
+    /** Form-encoded key-value pairs (values coerced to string). */
+    formBody?: Record<string, string | number | bigint | undefined>;
+    /**
+     * JSON body (sent as `application/json`). Mutually exclusive with `formBody`.
+     * Used by endpoints such as `POST /api/sources` that expect JSON rather than
+     * the legacy `application/x-www-form-urlencoded` shape.
+     */
+    jsonBody?: Record<string, unknown>;
+    /**
+     * When true: retries on 429 and 5xx per the backoff schedule.
+     * When false: only retries on connection-level errors.
+     */
+    idempotent: boolean;
+    timeoutMs?: number;
+    /** Endpoint label for metrics. */
+    endpoint?: string;
+}
+/**
+ * Wrapper returned from successful legacy API calls.
+ * Includes Viva tracing headers for observability.
+ */
+export interface LegacyApiResult<T> {
+    data: T;
+    /** `x-viva-correlationid` header value (e.g. "26-115-EDAA55BC"). */
+    vivaCorrelationId: string | undefined;
+    /** `x-viva-eventid` header value (e.g. "0"). */
+    vivaEventId: string | undefined;
+}
+/**
+ * HTTP client for Viva legacy API endpoints (Basic auth + legacy host).
+ *
+ * Instantiate once per (merchantId + apiKey + environment) tuple.
+ * Thread-safe; no shared mutable state.
+ */
+export declare class BasicAuthClient {
+    private readonly legacyBaseUrl;
+    private readonly authorizationHeader;
+    private readonly authVariant;
+    private readonly dispatcher;
+    private readonly fetchImpl;
+    private readonly now;
+    private readonly backoffsMs;
+    private readonly jitterRatio;
+    private readonly defaultTimeoutMs;
+    private readonly metrics;
+    constructor(config: BasicAuthClientConfig);
+    /**
+     * Execute a request against the Viva legacy API.
+     *
+     * Returns a `LegacyApiResult<T>` wrapping both the parsed response and the
+     * Viva tracing headers (`x-viva-correlationid`, `x-viva-eventid`).
+     *
+     * @see references/viva-docs/md/tut-create-recurring-payment.txt:288
+     */
+    request<T>(opts: LegacyRequestOptions): Promise<LegacyApiResult<T>>;
+    /**
+     * Fetch the webhook verification key from the merchant-mode Viva legacy API.
+     *
+     * Calls `GET /api/messages/config/token` with Merchant Basic auth and returns
+     * the verification key string that the operator must paste into Viva Self
+     * Care → Sales → API Access → Webhooks. Used by the
+     * `viva-register-webhooks --apply` CLI in merchant mode.
+     *
+     * Response shape is tolerated in both casings — the Viva docs show `"Key"`
+     * but field-name canonicality has not been probe-verified yet, so both
+     * `{ Key }` and `{ key }` are accepted.
+     *
+     * @see docs/ENDPOINTS.md §8.1
+     * @see references/viva-docs/md/webhooks-for-payments.txt:311
+     */
+    fetchWebhookVerificationKey(): Promise<string>;
+    /**
+     * Build the `Authorization: Basic <base64>` header per variant.
+     *
+     * - merchant: `base64(merchantId:apiKey)`
+     * - reseller: `base64(resellerId:merchantId:resellerApiKey)`
+     *
+     * @see docs/AUTH.md §1.2
+     */
+    private static buildAuthorizationHeader;
+    private _executeWithRetry;
+    private _attempt;
+    private _backoffMs;
+    private _retryAfterMs;
+    private _parseErrorBody;
+    private _isConnectionError;
+    private _sleep;
+}
+export {};
+//# sourceMappingURL=client.d.ts.map

package/dist/legacy/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/legacy/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAGzC,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEzD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAO7D;;;;;;;;;;GAUG;AACH,MAAM,MAAM,gBAAgB,GAAG,UAAU,GAAG,UAAU,CAAC;AAEvD,iDAAiD;AACjD,UAAU,2BAA2B;IACnC;;;;OAIG;IACH,WAAW,EAAE,eAAe,CAAC;IAE7B,6DAA6D;IAC7D,UAAU,CAAC,EAAE,UAAU,CAAC;IAExB,mFAAmF;IACnF,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IAEzB,sDAAsD;IACtD,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;IAEnB;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAE3B,6EAA6E;IAC7E,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,oEAAoE;IACpE,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B,6BAA6B;IAC7B,OAAO,CAAC,EAAE,WAAW,CAAC;CACvB;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,6BAA8B,SAAQ,2BAA2B;IAChF,WAAW,CAAC,EAAE,UAAU,CAAC;IAEzB;;;OAGG;IACH,UAAU,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,6BAA8B,SAAQ,2BAA2B;IAChF,WAAW,EAAE,UAAU,CAAC;IAExB,uDAAuD;IACvD,UAAU,EAAE,MAAM,CAAC;IAEnB,gFAAgF;IAChF,UAAU,EAAE,MAAM,CAAC;IAEnB,wBAAwB;IACxB,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,MAAM,qBAAqB,GAC7B,6BAA6B,GAC7B,6BAA6B,CAAC;AAElC,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,KAAK,GAAG,MAAM,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,+DAA+D;IAC/D,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC,CAAC;IAChE;;;;OAIG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC;;;OAGG;IACH,UAAU,EAAE,OAAO,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kCAAkC;IAClC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe,CAAC,CAAC;IAChC,IAAI,EAAE,CAAC,CAAC;IACR,oEAAoE;IACpE,iBAAiB,EAAE,MAAM,GAAG,SAAS,CAAC;IACtC,gDAAgD;IAChD,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;CACjC;AA0BD;;;;;GAKG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAS;IAC7C,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAmB;IAC/C,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAyB;IACpD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAe;IACzC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAe;IACnC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAoB;IAC/C,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAc;gBAE1B,MAAM,EAAE,qBAAqB;IAoBzC;;;;;;;OAOG;IACG,OAAO,CAAC,CAAC,EAAE,IAAI,EAAE,oBAAoB,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IASzE;;;;;;;;;;;;;;OAcG;IACG,2BAA2B,IAAI,OAAO,CAAC,MAAM,CAAC;IAgCpD;;;;;;;OAOG;IACH,OAAO,CAAC,MAAM,CAAC,wBAAwB;YAwBzB,iBAAiB;YA8EjB,QAAQ;IAoEtB,OAAO,CAAC,UAAU;IAMlB,OAAO,CAAC,aAAa;IAUrB,OAAO,CAAC,eAAe;IA2BvB,OAAO,CAAC,kBAAkB;IAQ1B,OAAO,CAAC,MAAM;CAGf"}

package/dist/legacy/client.js

@@ -0,0 +1,351 @@
+/**
+ * BasicAuthClient — HTTP client for Viva legacy API endpoints (Basic auth).
+ *
+ * Viva exposes a subset of endpoints ONLY on their legacy host
+ * (`demo.vivapayments.com` / `www.vivapayments.com`) behind Basic auth
+ * (MerchantId:ApiKey). These endpoints are NOT available on the v2/OAuth2
+ * surface (`demo-api.vivapayments.com`).
+ *
+ * Verified against Viva sandbox 2026-04-25:
+ * - Refund: `POST /api/transactions/{transactionId}` on legacy host with Basic auth.
+ *   - Body: `application/x-www-form-urlencoded` — `Amount={minor}&SourceCode={code}`.
+ *   - Response: PascalCase JSON `{StatusId, Amount, TransactionId, ...}`.
+ *   - `POST /checkout/v2/transactions/{id}` (v2) returns 405 → NOT valid.
+ *
+ * Design:
+ *   - NOT a fallback. This is the PRIMARY (and only) client for legacy endpoints.
+ *   - Same retry / error-shape conventions as IsvHttpClient.
+ *   - Form-encoded body builder via URLSearchParams (built-in, zero deps).
+ *   - Tracing headers (`x-viva-correlationid`, `x-viva-eventid`) extracted and
+ *     attached to errors and successful responses.
+ *
+ * @see references/viva-docs/md/tut-create-recurring-payment.txt:288
+ * @see references/viva-docs/md/merchant-id-and-api-key.txt:1
+ */
+import { fetch as undiciFetch } from 'undici';
+import { LEGACY_HOST } from '../types/index.js';
+import { VivaApiError, VivaAuthError, VivaRateLimitError } from '../errors/index.js';
+import { NoopMetricsHook } from '../observability/index.js';
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+const DEFAULT_BACKOFFS_MS = [500, 1500, 4500];
+const DEFAULT_JITTER_RATIO = 0.2;
+const DEFAULT_TIMEOUT_MS = 30_000;
+const MAX_RETRIES = 3;
+const CONNECTION_ERROR_CODES = new Set([
+    'ECONNRESET',
+    'ENOTFOUND',
+    'ETIMEDOUT',
+    'ECONNREFUSED',
+    'ECONNABORTED',
+    'UND_ERR_CONNECT_TIMEOUT',
+    'UND_ERR_HEADERS_TIMEOUT',
+    'UND_ERR_BODY_TIMEOUT',
+]);
+// ---------------------------------------------------------------------------
+// BasicAuthClient
+// ---------------------------------------------------------------------------
+/**
+ * HTTP client for Viva legacy API endpoints (Basic auth + legacy host).
+ *
+ * Instantiate once per (merchantId + apiKey + environment) tuple.
+ * Thread-safe; no shared mutable state.
+ */
+export class BasicAuthClient {
+    legacyBaseUrl;
+    authorizationHeader;
+    authVariant;
+    dispatcher;
+    fetchImpl;
+    now;
+    backoffsMs;
+    jitterRatio;
+    defaultTimeoutMs;
+    metrics;
+    constructor(config) {
+        this.legacyBaseUrl = LEGACY_HOST[config.environment];
+        this.authVariant = config.authVariant ?? 'merchant';
+        this.authorizationHeader = BasicAuthClient.buildAuthorizationHeader(config);
+        this.now = config.now ?? (() => Date.now());
+        this.backoffsMs = config.retryBackoffsMs ?? DEFAULT_BACKOFFS_MS;
+        this.jitterRatio = config.jitterRatio ?? DEFAULT_JITTER_RATIO;
+        this.defaultTimeoutMs = config.defaultTimeoutMs ?? DEFAULT_TIMEOUT_MS;
+        this.metrics = config.metrics ?? new NoopMetricsHook();
+        if (config.dispatcher) {
+            this.dispatcher = config.dispatcher;
+            this.fetchImpl = config.fetchImpl ?? undiciFetch;
+        }
+        else {
+            this.dispatcher = undefined;
+            this.fetchImpl = config.fetchImpl ?? undiciFetch;
+        }
+    }
+    /**
+     * Execute a request against the Viva legacy API.
+     *
+     * Returns a `LegacyApiResult<T>` wrapping both the parsed response and the
+     * Viva tracing headers (`x-viva-correlationid`, `x-viva-eventid`).
+     *
+     * @see references/viva-docs/md/tut-create-recurring-payment.txt:288
+     */
+    async request(opts) {
+        const endpoint = opts.endpoint ?? `${opts.method} ${opts.path}`;
+        return this.metrics.timeAsync('viva_legacy_api_request_duration_seconds', () => this._executeWithRetry(opts), { endpoint });
+    }
+    /**
+     * Fetch the webhook verification key from the merchant-mode Viva legacy API.
+     *
+     * Calls `GET /api/messages/config/token` with Merchant Basic auth and returns
+     * the verification key string that the operator must paste into Viva Self
+     * Care → Sales → API Access → Webhooks. Used by the
+     * `viva-register-webhooks --apply` CLI in merchant mode.
+     *
+     * Response shape is tolerated in both casings — the Viva docs show `"Key"`
+     * but field-name canonicality has not been probe-verified yet, so both
+     * `{ Key }` and `{ key }` are accepted.
+     *
+     * @see docs/ENDPOINTS.md §8.1
+     * @see references/viva-docs/md/webhooks-for-payments.txt:311
+     */
+    async fetchWebhookVerificationKey() {
+        const result = await this.request({
+            method: 'GET',
+            path: '/api/messages/config/token',
+            idempotent: true,
+            endpoint: 'GET /api/messages/config/token',
+        });
+        const body = result.data ?? {};
+        const rawKey = typeof body['Key'] === 'string'
+            ? body['Key']
+            : typeof body['key'] === 'string'
+                ? body['key']
+                : undefined;
+        if (!rawKey || rawKey.length === 0) {
+            throw new VivaApiError({
+                message: 'Viva legacy API returned no verification key from GET /api/messages/config/token ' +
+                    '(expected `Key` or `key` field on the response body)',
+                requestId: result.vivaCorrelationId,
+            });
+        }
+        return rawKey;
+    }
+    // --------------------------------------------------------------------------
+    // Private helpers
+    // --------------------------------------------------------------------------
+    /**
+     * Build the `Authorization: Basic <base64>` header per variant.
+     *
+     * - merchant: `base64(merchantId:apiKey)`
+     * - reseller: `base64(resellerId:merchantId:resellerApiKey)`
+     *
+     * @see docs/AUTH.md §1.2
+     */
+    static buildAuthorizationHeader(config) {
+        if (config.authVariant === 'reseller') {
+            const { resellerId, merchantId, resellerApiKey } = config;
+            if (!resellerId || !merchantId || !resellerApiKey) {
+                throw new TypeError('BasicAuthClient: reseller variant requires non-empty resellerId, merchantId, and resellerApiKey');
+            }
+            const encoded = Buffer.from(`${resellerId}:${merchantId}:${resellerApiKey}`).toString('base64');
+            return `Basic ${encoded}`;
+        }
+        // merchant (default — authVariant either 'merchant' or undefined)
+        const { merchantId, apiKey } = config;
+        if (!merchantId || !apiKey) {
+            throw new TypeError('BasicAuthClient: merchant variant requires non-empty merchantId and apiKey');
+        }
+        const encoded = Buffer.from(`${merchantId}:${apiKey}`).toString('base64');
+        return `Basic ${encoded}`;
+    }
+    async _executeWithRetry(opts) {
+        let attempt = 0;
+        // eslint-disable-next-line no-constant-condition
+        while (true) {
+            const { response, text } = await this._attempt(opts);
+            const vivaCorrelationId = response.headers.get('x-viva-correlationid') ?? undefined;
+            const vivaEventId = response.headers.get('x-viva-eventid') ?? undefined;
+            // --- happy path ---
+            if (response.status >= 200 && response.status < 300) {
+                if (!text || response.status === 204) {
+                    return { data: undefined, vivaCorrelationId, vivaEventId };
+                }
+                const data = JSON.parse(text);
+                return { data, vivaCorrelationId, vivaEventId };
+            }
+            // --- 401 ---
+            if (response.status === 401) {
+                const hint = this.authVariant === 'reseller'
+                    ? 'check resellerId, merchantId, and resellerApiKey'
+                    : 'check merchantId and apiKey';
+                throw new VivaAuthError({
+                    message: `Viva legacy API authentication failed (HTTP 401) — ${hint}`,
+                    httpStatus: 401,
+                    requestId: vivaCorrelationId,
+                });
+            }
+            // --- 429 ---
+            if (response.status === 429) {
+                if (opts.idempotent && attempt < MAX_RETRIES) {
+                    const retryAfterMs = this._retryAfterMs(response) ?? this._backoffMs(attempt);
+                    await this._sleep(retryAfterMs);
+                    attempt++;
+                    continue;
+                }
+                const retryAfterMs = this._retryAfterMs(response);
+                throw new VivaRateLimitError({
+                    message: 'Viva legacy API rate limited (HTTP 429)',
+                    httpStatus: 429,
+                    requestId: vivaCorrelationId,
+                    ...(retryAfterMs !== undefined ? { retryAfterMs } : {}),
+                });
+            }
+            // --- 5xx ---
+            if (response.status >= 500) {
+                if (opts.idempotent && attempt < MAX_RETRIES) {
+                    const backoffMs = this._backoffMs(attempt);
+                    await this._sleep(backoffMs);
+                    attempt++;
+                    continue;
+                }
+                const { vivaCode, vivaMessage } = this._parseErrorBody(text);
+                throw new VivaApiError({
+                    message: vivaMessage ?? `Viva legacy API error (HTTP ${response.status})`,
+                    httpStatus: response.status,
+                    vivaCode,
+                    requestId: vivaCorrelationId,
+                });
+            }
+            // --- other 4xx ---
+            {
+                const { vivaCode, vivaMessage } = this._parseErrorBody(text);
+                throw new VivaApiError({
+                    message: vivaMessage ?? `Viva legacy API error (HTTP ${response.status})`,
+                    httpStatus: response.status,
+                    vivaCode,
+                    requestId: vivaCorrelationId,
+                });
+            }
+        }
+    }
+    async _attempt(opts) {
+        const url = `${this.legacyBaseUrl}${opts.path}`;
+        const timeoutMs = opts.timeoutMs ?? this.defaultTimeoutMs;
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+        const headers = {
+            Authorization: this.authorizationHeader,
+            Accept: 'application/json',
+        };
+        const fetchOptions = {
+            method: opts.method,
+            headers,
+            signal: controller.signal,
+        };
+        // Body encoding — JSON for endpoints that take `application/json`
+        // (e.g. POST /api/sources under reseller Basic auth), form-urlencoded for
+        // legacy endpoints (refunds). Mutually exclusive — JSON wins if both set.
+        if (opts.jsonBody !== undefined) {
+            fetchOptions.body = JSON.stringify(opts.jsonBody);
+            headers['Content-Type'] = 'application/json';
+        }
+        else if (opts.formBody && Object.keys(opts.formBody).length > 0) {
+            const params = new URLSearchParams();
+            for (const [k, v] of Object.entries(opts.formBody)) {
+                if (v !== undefined) {
+                    params.set(k, String(v));
+                }
+            }
+            fetchOptions.body = params.toString();
+            headers['Content-Type'] = 'application/x-www-form-urlencoded';
+        }
+        if (this.dispatcher) {
+            fetchOptions['dispatcher'] = this.dispatcher;
+        }
+        let maxConnectionRetries = opts.idempotent ? 0 : 1;
+        let connAttempt = 0;
+        // eslint-disable-next-line no-constant-condition
+        while (true) {
+            try {
+                const response = await this.fetchImpl(url, fetchOptions);
+                clearTimeout(timeoutId);
+                const text = await response.text();
+                return { response, text };
+            }
+            catch (err) {
+                clearTimeout(timeoutId);
+                const isConnectionError = this._isConnectionError(err);
+                const isAbort = err instanceof Error && err.name === 'AbortError';
+                if ((isConnectionError || isAbort) && !opts.idempotent && connAttempt < maxConnectionRetries) {
+                    connAttempt++;
+                    continue;
+                }
+                throw new VivaApiError({
+                    message: isAbort
+                        ? `Viva legacy API request timed out after ${timeoutMs}ms`
+                        : `Viva legacy API network error: ${err instanceof Error ? err.message : String(err)}`,
+                    cause: err,
+                });
+            }
+        }
+    }
+    _backoffMs(attempt) {
+        const base = this.backoffsMs[attempt] ?? this.backoffsMs[this.backoffsMs.length - 1] ?? 500;
+        const jitter = base * this.jitterRatio * (Math.random() * 2 - 1);
+        return Math.max(0, Math.round(base + jitter));
+    }
+    _retryAfterMs(response) {
+        const header = response.headers.get('Retry-After');
+        if (!header)
+            return undefined;
+        const seconds = parseFloat(header);
+        if (!isNaN(seconds))
+            return Math.max(0, Math.round(seconds * 1000));
+        const date = new Date(header).getTime();
+        if (!isNaN(date))
+            return Math.max(0, date - this.now());
+        return undefined;
+    }
+    _parseErrorBody(text) {
+        if (!text)
+            return {};
+        try {
+            const parsed = JSON.parse(text);
+            const vivaCode = typeof parsed['ErrorCode'] === 'number'
+                ? String(parsed['ErrorCode'])
+                : typeof parsed['errorCode'] === 'number'
+                    ? String(parsed['errorCode'])
+                    : typeof parsed['error'] === 'string'
+                        ? parsed['error']
+                        : undefined;
+            const vivaMessage = typeof parsed['Message'] === 'string'
+                ? parsed['Message']
+                : typeof parsed['message'] === 'string'
+                    ? parsed['message']
+                    : undefined;
+            const result = {};
+            if (vivaCode !== undefined)
+                result.vivaCode = vivaCode;
+            if (vivaMessage !== undefined)
+                result.vivaMessage = vivaMessage;
+            return result;
+        }
+        catch {
+            return {};
+        }
+    }
+    _isConnectionError(err) {
+        if (!(err instanceof Error))
+            return false;
+        const code = err.code;
+        if (code && CONNECTION_ERROR_CODES.has(code))
+            return true;
+        if (err.message.includes('ECONNRESET') || err.message.includes('ENOTFOUND'))
+            return true;
+        return false;
+    }
+    _sleep(ms) {
+        return new Promise((resolve) => setTimeout(resolve, ms));
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/legacy/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/legacy/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAGH,OAAO,EAAE,KAAK,IAAI,WAAW,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAErF,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAyI5D,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,MAAM,mBAAmB,GAAG,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,CAAU,CAAC;AACvD,MAAM,oBAAoB,GAAG,GAAG,CAAC;AACjC,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAClC,MAAM,WAAW,GAAG,CAAC,CAAC;AAEtB,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC;IACrC,YAAY;IACZ,WAAW;IACX,WAAW;IACX,cAAc;IACd,cAAc;IACd,yBAAyB;IACzB,yBAAyB;IACzB,sBAAsB;CACvB,CAAC,CAAC;AAEH,8EAA8E;AAC9E,kBAAkB;AAClB,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,OAAO,eAAe;IACT,aAAa,CAAS;IACtB,mBAAmB,CAAS;IAC5B,WAAW,CAAmB;IAC9B,UAAU,CAAyB;IACnC,SAAS,CAAe;IACxB,GAAG,CAAe;IAClB,UAAU,CAAoB;IAC9B,WAAW,CAAS;IACpB,gBAAgB,CAAS;IACzB,OAAO,CAAc;IAEtC,YAAY,MAA6B;QACvC,IAAI,CAAC,aAAa,GAAG,WAAW,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACrD,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,UAAU,CAAC;QACpD,IAAI,CAAC,mBAAmB,GAAG,eAAe,CAAC,wBAAwB,CAAC,MAAM,CAAC,CAAC;QAE5E,IAAI,CAAC,GAAG,GAAG,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAC5C,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,eAAe,IAAI,mBAAmB,CAAC;QAChE,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,oBAAoB,CAAC;QAC9D,IAAI,CAAC,gBAAgB,GAAG,MAAM,CAAC,gBAAgB,IAAI,kBAAkB,CAAC;QACtE,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,IAAI,eAAe,EAAE,CAAC;QAEvD,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;YACpC,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,IAAK,WAAuC,CAAC;QAChF,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;YAC5B,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,IAAK,WAAuC,CAAC;QAChF,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,OAAO,CAAI,IAA0B;QACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QAChE,OAAO,IAAI,CAAC,OAAO,CAAC,SAAS,CAC3B,0CAA0C,EAC1C,GAAG,EAAE,CAAC,IAAI,CAAC,iBAAiB,CAAI,IAAI,CAAC,EACrC,EAAE,QAAQ,EAAE,CACb,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,2BAA2B;QAC/B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAA0B;YACzD,MAAM,EAAE,KAAK;YACb,IAAI,EAAE,4BAA4B;YAClC,UAAU,EAAE,IAAI;YAChB,QAAQ,EAAE,gCAAgC;SAC3C,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QAC/B,MAAM,MAAM,GACV,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,QAAQ;YAC7B,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC;YACb,CAAC,CAAC,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,QAAQ;gBACjC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC;gBACb,CAAC,CAAC,SAAS,CAAC;QAEhB,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,YAAY,CAAC;gBACrB,OAAO,EACL,mFAAmF;oBACnF,sDAAsD;gBACxD,SAAS,EAAE,MAAM,CAAC,iBAAiB;aACpC,CAAC,CAAC;QACL,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,6EAA6E;IAC7E,kBAAkB;IAClB,6EAA6E;IAE7E;;;;;;;OAOG;IACK,MAAM,CAAC,wBAAwB,CAAC,MAA6B;QACnE,IAAI,MAAM,CAAC,WAAW,KAAK,UAAU,EAAE,CAAC;YACtC,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,cAAc,EAAE,GAAG,MAAM,CAAC;YAC1D,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,IAAI,CAAC,cAAc,EAAE,CAAC;gBAClD,MAAM,IAAI,SAAS,CACjB,iGAAiG,CAClG,CAAC;YACJ,CAAC;YACD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,UAAU,IAAI,UAAU,IAAI,cAAc,EAAE,CAAC,CAAC,QAAQ,CACnF,QAAQ,CACT,CAAC;YACF,OAAO,SAAS,OAAO,EAAE,CAAC;QAC5B,CAAC;QACD,kEAAkE;QAClE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC;QACtC,IAAI,CAAC,UAAU,IAAI,CAAC,MAAM,EAAE,CAAC;YAC3B,MAAM,IAAI,SAAS,CACjB,4EAA4E,CAC7E,CAAC;QACJ,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,UAAU,IAAI,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC1E,OAAO,SAAS,OAAO,EAAE,CAAC;IAC5B,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAI,IAA0B;QAC3D,IAAI,OAAO,GAAG,CAAC,CAAC;QAEhB,iDAAiD;QACjD,OAAO,IAAI,EAAE,CAAC;YACZ,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACrD,MAAM,iBAAiB,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,IAAI,SAAS,CAAC;YACpF,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,SAAS,CAAC;YAExE,qBAAqB;YACrB,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;gBACpD,IAAI,CAAC,IAAI,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBACrC,OAAO,EAAE,IAAI,EAAE,SAAyB,EAAE,iBAAiB,EAAE,WAAW,EAAE,CAAC;gBAC7E,CAAC;gBACD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAM,CAAC;gBACnC,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,WAAW,EAAE,CAAC;YAClD,CAAC;YAED,cAAc;YACd,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,GACR,IAAI,CAAC,WAAW,KAAK,UAAU;oBAC7B,CAAC,CAAC,kDAAkD;oBACpD,CAAC,CAAC,6BAA6B,CAAC;gBACpC,MAAM,IAAI,aAAa,CAAC;oBACtB,OAAO,EAAE,sDAAsD,IAAI,EAAE;oBACrE,UAAU,EAAE,GAAG;oBACf,SAAS,EAAE,iBAAiB;iBAC7B,CAAC,CAAC;YACL,CAAC;YAED,cAAc;YACd,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,IAAI,IAAI,CAAC,UAAU,IAAI,OAAO,GAAG,WAAW,EAAE,CAAC;oBAC7C,MAAM,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;oBAC9E,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;oBAChC,OAAO,EAAE,CAAC;oBACV,SAAS;gBACX,CAAC;gBACD,MAAM,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;gBAClD,MAAM,IAAI,kBAAkB,CAAC;oBAC3B,OAAO,EAAE,yCAAyC;oBAClD,UAAU,EAAE,GAAG;oBACf,SAAS,EAAE,iBAAiB;oBAC5B,GAAG,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBACxD,CAAC,CAAC;YACL,CAAC;YAED,cAAc;YACd,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;gBAC3B,IAAI,IAAI,CAAC,UAAU,IAAI,OAAO,GAAG,WAAW,EAAE,CAAC;oBAC7C,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;oBAC3C,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;oBAC7B,OAAO,EAAE,CAAC;oBACV,SAAS;gBACX,CAAC;gBACD,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;gBAC7D,MAAM,IAAI,YAAY,CAAC;oBACrB,OAAO,EAAE,WAAW,IAAI,+BAA+B,QAAQ,CAAC,MAAM,GAAG;oBACzE,UAAU,EAAE,QAAQ,CAAC,MAAM;oBAC3B,QAAQ;oBACR,SAAS,EAAE,iBAAiB;iBAC7B,CAAC,CAAC;YACL,CAAC;YAED,oBAAoB;YACpB,CAAC;gBACC,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;gBAC7D,MAAM,IAAI,YAAY,CAAC;oBACrB,OAAO,EAAE,WAAW,IAAI,+BAA+B,QAAQ,CAAC,MAAM,GAAG;oBACzE,UAAU,EAAE,QAAQ,CAAC,MAAM;oBAC3B,QAAQ;oBACR,SAAS,EAAE,iBAAiB;iBAC7B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,QAAQ,CAAC,IAA0B;QAC/C,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAChD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,gBAAgB,CAAC;QAC1D,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;QAElE,MAAM,OAAO,GAA2B;YACtC,aAAa,EAAE,IAAI,CAAC,mBAAmB;YACvC,MAAM,EAAE,kBAAkB;SAC3B,CAAC;QAEF,MAAM,YAAY,GAA8C;YAC9D,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,OAAO;YACP,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B,CAAC;QAEF,kEAAkE;QAClE,0EAA0E;QAC1E,0EAA0E;QAC1E,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YAChC,YAAY,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAClD,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;QAC/C,CAAC;aAAM,IAAI,IAAI,CAAC,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClE,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;YACrC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACnD,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;oBACpB,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC3B,CAAC;YACH,CAAC;YACD,YAAY,CAAC,IAAI,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;YACtC,OAAO,CAAC,cAAc,CAAC,GAAG,mCAAmC,CAAC;QAChE,CAAC;QAED,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACnB,YAAwC,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC;QAC5E,CAAC;QAED,IAAI,oBAAoB,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACnD,IAAI,WAAW,GAAG,CAAC,CAAC;QAEpB,iDAAiD;QACjD,OAAO,IAAI,EAAE,CAAC;YACZ,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,YAA2B,CAAC,CAAC;gBACxE,YAAY,CAAC,SAAS,CAAC,CAAC;gBACxB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACnC,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YAC5B,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,YAAY,CAAC,SAAS,CAAC,CAAC;gBACxB,MAAM,iBAAiB,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC;gBACvD,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,CAAC;gBAElE,IAAI,CAAC,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,WAAW,GAAG,oBAAoB,EAAE,CAAC;oBAC7F,WAAW,EAAE,CAAC;oBACd,SAAS;gBACX,CAAC;gBAED,MAAM,IAAI,YAAY,CAAC;oBACrB,OAAO,EAAE,OAAO;wBACd,CAAC,CAAC,2CAA2C,SAAS,IAAI;wBAC1D,CAAC,CAAC,kCAAkC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;oBACxF,KAAK,EAAE,GAAG;iBACX,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAEO,UAAU,CAAC,OAAe;QAChC,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC;QAC5F,MAAM,MAAM,GAAG,IAAI,GAAG,IAAI,CAAC,WAAW,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;QACjE,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC;IAChD,CAAC;IAEO,aAAa,CAAC,QAAkB;QACtC,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QACnD,IAAI,CAAC,MAAM;YAAE,OAAO,SAAS,CAAC;QAC9B,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;YAAE,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;QACpE,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,CAAC;QACxC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QACxD,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,eAAe,CAAC,IAAY;QAClC,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,CAAC;QACrB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAA4B,CAAC;YAC3D,MAAM,QAAQ,GACZ,OAAO,MAAM,CAAC,WAAW,CAAC,KAAK,QAAQ;gBACrC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;gBAC7B,CAAC,CAAC,OAAO,MAAM,CAAC,WAAW,CAAC,KAAK,QAAQ;oBACzC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;oBAC7B,CAAC,CAAC,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,QAAQ;wBACrC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;wBACjB,CAAC,CAAC,SAAS,CAAC;YAChB,MAAM,WAAW,GACf,OAAO,MAAM,CAAC,SAAS,CAAC,KAAK,QAAQ;gBACnC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC;gBACnB,CAAC,CAAC,OAAO,MAAM,CAAC,SAAS,CAAC,KAAK,QAAQ;oBACvC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC;oBACnB,CAAC,CAAC,SAAS,CAAC;YAChB,MAAM,MAAM,GAAgD,EAAE,CAAC;YAC/D,IAAI,QAAQ,KAAK,SAAS;gBAAE,MAAM,CAAC,QAAQ,GAAG,QAAQ,CAAC;YACvD,IAAI,WAAW,KAAK,SAAS;gBAAE,MAAM,CAAC,WAAW,GAAG,WAAW,CAAC;YAChE,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAEO,kBAAkB,CAAC,GAAY;QACrC,IAAI,CAAC,CAAC,GAAG,YAAY,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAC1C,MAAM,IAAI,GAAI,GAA6B,CAAC,IAAI,CAAC;QACjD,IAAI,IAAI,IAAI,sBAAsB,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QAC1D,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;YAAE,OAAO,IAAI,CAAC;QACzF,OAAO,KAAK,CAAC;IACf,CAAC;IAEO,MAAM,CAAC,EAAU;QACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;IAC3D,CAAC;CACF"}

package/dist/legacy/index.d.ts

@@ -0,0 +1,15 @@
+/**
+ * viva-payments-core/legacy — barrel export.
+ *
+ * Subpath: `viva-payments-core/legacy`
+ *
+ * BasicAuthClient covers Viva's legacy host endpoints (Basic auth +
+ * MerchantId/ApiKey). Currently the only path that works for refunds —
+ * Viva returns 405 on the v2/OAuth2 refund route.
+ *
+ * @see references/viva-docs/md/tut-create-recurring-payment.txt:288
+ * @see references/viva-docs/md/merchant-id-and-api-key.txt:1
+ */
+export { BasicAuthClient } from './client.js';
+export type { BasicAuthClientConfig, BasicAuthVariant, MerchantBasicAuthClientConfig, ResellerBasicAuthClientConfig, LegacyApiResult, LegacyRequestOptions, } from './client.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/legacy/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/legacy/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC9C,YAAY,EACV,qBAAqB,EACrB,gBAAgB,EAChB,6BAA6B,EAC7B,6BAA6B,EAC7B,eAAe,EACf,oBAAoB,GACrB,MAAM,aAAa,CAAC"}