npm - @vesant-sdk/transaction - Versions diffs - 0.1.0-dev.40d1c39 → 0.1.0-dev.51108af - Mend

@vesant-sdk/transaction 0.1.0-dev.40d1c39 → 0.1.0-dev.51108af

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.mts CHANGED Viewed

@@ -4,9 +4,9 @@ import { Timestamp, BaseClient, BaseClientConfig, RequestOptions } from '@vesant
  * TypeScript types for the Transaction Monitoring (TM) Service
  */
-type TransactionType = "deposit" | "withdrawal" | "transfer" | "payment" | "refund" | "fee" | "adjustment";
-type TransactionMode = "fiat" | "crypto" | "bank_transfer" | "card" | "wallet";
-type TransactionStatus = "pending" | "processing" | "completed" | "failed" | "cancelled" | "reversed";
+type TransactionType = "deposit" | "withdrawal" | "transfer" | "payment" | "refund" | "fee" | "adjustment" | "bet" | "payout";
+type TransactionMode = "fiat" | "crypto" | "bank_transfer" | "card" | "wallet" | "ach" | "wire_transfer" | "swift";
+type TransactionStatus = "pending" | "processing" | "completed" | "failed" | "cancelled" | "reversed" | "suspend" | "hold";
 interface TransactionCreateDTO {
     tx_id: string;
     reference: string;
@@ -16,16 +16,29 @@ interface TransactionCreateDTO {
     transaction_mode: TransactionMode;
     amount: string;
     currency: string;
-    status: TransactionStatus;
-    source_account: string;
-    destination_account: string;
-    country: string;
-    ip_address: string;
-    metadata: Record<string, any>;
-    benificiary_comment: string;
+    /**
+     * Required for non-USD currencies. The backend only auto-converts when currency is "USD".
+     * If omitted for crypto or foreign-currency withdrawals, withheld_usd and released_usd
+     * will be 0 and the gateway will receive $0.
+     */
+    amount_usd?: number;
+    status?: TransactionStatus;
+    source_account?: string;
+    destination_account?: string;
+    country?: string;
+    ip_address?: string;
+    metadata?: Record<string, any>;
+    beneficiary_comment?: string;
     transaction_date: Timestamp;
 }
 type WithholdingType = "none" | "backup_us" | "backup_non_us" | "treaty";
+/** Reason backup withholding or treaty rate was applied. */
+type WithholdingReason = "tin_not_verified" | "customer_tax_form_not_verified" | "b_notice_backup_withholding";
+/**
+ * Reason a withdrawal was blocked (status = "suspend" or "hold").
+ * Reflects TIN/W-9 deficiencies that triggered the tenant's configured transaction action.
+ */
+type HoldReason = "no_tax_profile_found" | "tin_rejected" | "tin_expired" | "tin_not_provided" | "tin_not_verified" | "form_not_certified";
 type JSONB = Record<string, any>;
 type Transaction = {
     id: string;
@@ -39,8 +52,24 @@ type Transaction = {
     withheld_amount: string;
     released_amount: string;
     withholding_rate: number;
-    withholding_reason?: string;
     withholding_type?: WithholdingType;
+    /** Set when withholding applies; null/absent when withholding_type is "none". */
+    withholding_reason?: WithholdingReason;
+    /** Set when status is "suspend" or "hold" due to TIN/W-9 deficiency. */
+    hold_reason?: HoldReason;
+    /** Gross transaction amount in USD. */
+    amount_usd?: number;
+    /** Withheld amount in USD. */
+    withheld_usd?: number;
+    /** Released (net) amount in USD. */
+    released_usd?: number;
+    /**
+     * True when this is the customer's first withdrawal.
+     * Correct on the POST /transactions response and on tm.transaction.callback (both read
+     * from the in-memory struct before any DB re-fetch). Not persisted — getTransaction()
+     * always returns false regardless of actual history.
+     */
+    is_first_withdrawal?: boolean;
     tax_year: number;
     currency: string;
     status: TransactionStatus;
@@ -50,7 +79,7 @@ type Transaction = {
     ip_address?: string;
     risk_score: number;
     metadata?: JSONB;
-    benificiary_comment?: string;
+    beneficiary_comment?: string;
     transaction_date: string;
     created_at: string;
     updated_at: string;
@@ -66,10 +95,65 @@ interface TransactionClientConfig {
     debug?: boolean;
     environment?: 'production' | 'sandbox';
 }
+/**
+ * Response from POST /api/v1/tm/transactions.
+ *
+ * Status → outcome mapping:
+ *   "completed" — Vesant accepted; trigger the payment gateway (clean TIN,
+ *                 backup withholding applied, or treaty rate applied)
+ *   "hold"      — blocked, hold_reason set, no funds moved
+ *   "suspend"   — blocked, hold_reason set, no funds moved
+ */
 type TransactionCreateResponse = {
     transaction: Transaction;
     message: string;
 };
+/**
+ * Fired after every transaction is created.
+ * Delivers the final transaction state including withholding outcome so clients
+ * can mirror it without a separate polling call.
+ */
+interface TransactionCallbackEvent {
+    event_type: "tm.transaction.callback";
+    tx_id: string;
+    reference: string;
+    customer_id: string;
+    transaction_type: TransactionType;
+    transaction_mode: TransactionMode;
+    status: TransactionStatus;
+    amount: string;
+    currency: string;
+    withheld_amount: string;
+    released_amount: string;
+    withholding_rate: number;
+    withholding_type: WithholdingType;
+    /** Null when withholding_type is "none". */
+    withholding_reason: WithholdingReason | null;
+    amount_usd: number;
+    withheld_usd: number;
+    released_usd: number;
+    is_first_withdrawal: boolean;
+    /** Set when status is "suspend" or "hold"; null otherwise. */
+    hold_reason: HoldReason | null;
+    transaction_date: string;
+}
+/**
+ * Fired when a withdrawal is blocked due to missing or unverified W-9/TIN
+ * (status = "suspend" or "hold").
+ * Use this to notify the customer that TIN verification or W-9 submission is required.
+ */
+interface TransactionHeldEvent {
+    event_type: "tm.transaction.held";
+    tx_id: string;
+    customer_id: string;
+    customer_email: string;
+    customer_name: string;
+    /** Reflects the tenant's configured transaction action that was applied. */
+    action: "suspend" | "hold";
+    hold_reason: HoldReason;
+}
+/** Discriminated union of all TM service webhook event payloads. */
+type TransactionWebhookEvent = TransactionCallbackEvent | TransactionHeldEvent;
 /**
  * TransactionClient — SDK for the Transaction Monitoring service
@@ -78,7 +162,34 @@ type TransactionCreateResponse = {
 declare class TransactionClient extends BaseClient {
     constructor(config: BaseClientConfig);
     createTransaction(request: TransactionCreateDTO, requestOptions?: RequestOptions): Promise<TransactionCreateResponse>;
-    getTransaction(transactionId: string, requestOptions?: RequestOptions): Promise<void>;
+    getTransaction(transactionId: string, requestOptions?: RequestOptions): Promise<Transaction>;
+}
+type EventHandler<T> = (event: T) => void | Promise<void>;
+interface TransactionWebhookHandlerConfig {
+    secret: string;
+    /** Reject duplicate event_type+tx_id pairs within replayWindow. Default: true. */
+    replayProtection?: boolean;
+    /** How long (ms) to remember seen events for replay detection. Default: 300_000 (5 min). */
+    replayWindow?: number;
+}
+declare class TransactionWebhookHandler {
+    private readonly handlers;
+    private readonly secret;
+    private readonly replayProtection;
+    private readonly replayWindow;
+    private seenEvents;
+    constructor(config: TransactionWebhookHandlerConfig);
+    on(eventType: 'tm.transaction.callback', handler: EventHandler<TransactionCallbackEvent>): this;
+    on(eventType: 'tm.transaction.held', handler: EventHandler<TransactionHeldEvent>): this;
+    /** Verify HMAC-SHA256 signature only. Returns false instead of throwing. */
+    verify(rawBody: string, signature: string): Promise<boolean>;
+    /** Parse and validate required fields. Does not verify signature — use verifyAndParse in production. */
+    parse(body: string): TransactionWebhookEvent;
+    /** Verify signature, parse, and check for replays. Throws ValidationError on any failure. */
+    verifyAndParse(body: string, signature: string): Promise<TransactionWebhookEvent>;
+    /** Verify signature, parse, and dispatch to registered handlers. */
+    handle(body: string, signature: string): Promise<void>;
 }
-export { type JSONB, type Transaction, TransactionClient, type TransactionClientConfig, type TransactionCreateDTO, type TransactionCreateResponse, type TransactionMode, type TransactionStatus, type TransactionType, type WithholdingType };
+export { type HoldReason, type JSONB, type Transaction, type TransactionCallbackEvent, TransactionClient, type TransactionClientConfig, type TransactionCreateDTO, type TransactionCreateResponse, type TransactionHeldEvent, type TransactionMode, type TransactionStatus, type TransactionType, type TransactionWebhookEvent, TransactionWebhookHandler, type TransactionWebhookHandlerConfig, type WithholdingReason, type WithholdingType };

package/dist/index.d.ts CHANGED Viewed

@@ -4,9 +4,9 @@ import { Timestamp, BaseClient, BaseClientConfig, RequestOptions } from '@vesant
  * TypeScript types for the Transaction Monitoring (TM) Service
  */
-type TransactionType = "deposit" | "withdrawal" | "transfer" | "payment" | "refund" | "fee" | "adjustment";
-type TransactionMode = "fiat" | "crypto" | "bank_transfer" | "card" | "wallet";
-type TransactionStatus = "pending" | "processing" | "completed" | "failed" | "cancelled" | "reversed";
+type TransactionType = "deposit" | "withdrawal" | "transfer" | "payment" | "refund" | "fee" | "adjustment" | "bet" | "payout";
+type TransactionMode = "fiat" | "crypto" | "bank_transfer" | "card" | "wallet" | "ach" | "wire_transfer" | "swift";
+type TransactionStatus = "pending" | "processing" | "completed" | "failed" | "cancelled" | "reversed" | "suspend" | "hold";
 interface TransactionCreateDTO {
     tx_id: string;
     reference: string;
@@ -16,16 +16,29 @@ interface TransactionCreateDTO {
     transaction_mode: TransactionMode;
     amount: string;
     currency: string;
-    status: TransactionStatus;
-    source_account: string;
-    destination_account: string;
-    country: string;
-    ip_address: string;
-    metadata: Record<string, any>;
-    benificiary_comment: string;
+    /**
+     * Required for non-USD currencies. The backend only auto-converts when currency is "USD".
+     * If omitted for crypto or foreign-currency withdrawals, withheld_usd and released_usd
+     * will be 0 and the gateway will receive $0.
+     */
+    amount_usd?: number;
+    status?: TransactionStatus;
+    source_account?: string;
+    destination_account?: string;
+    country?: string;
+    ip_address?: string;
+    metadata?: Record<string, any>;
+    beneficiary_comment?: string;
     transaction_date: Timestamp;
 }
 type WithholdingType = "none" | "backup_us" | "backup_non_us" | "treaty";
+/** Reason backup withholding or treaty rate was applied. */
+type WithholdingReason = "tin_not_verified" | "customer_tax_form_not_verified" | "b_notice_backup_withholding";
+/**
+ * Reason a withdrawal was blocked (status = "suspend" or "hold").
+ * Reflects TIN/W-9 deficiencies that triggered the tenant's configured transaction action.
+ */
+type HoldReason = "no_tax_profile_found" | "tin_rejected" | "tin_expired" | "tin_not_provided" | "tin_not_verified" | "form_not_certified";
 type JSONB = Record<string, any>;
 type Transaction = {
     id: string;
@@ -39,8 +52,24 @@ type Transaction = {
     withheld_amount: string;
     released_amount: string;
     withholding_rate: number;
-    withholding_reason?: string;
     withholding_type?: WithholdingType;
+    /** Set when withholding applies; null/absent when withholding_type is "none". */
+    withholding_reason?: WithholdingReason;
+    /** Set when status is "suspend" or "hold" due to TIN/W-9 deficiency. */
+    hold_reason?: HoldReason;
+    /** Gross transaction amount in USD. */
+    amount_usd?: number;
+    /** Withheld amount in USD. */
+    withheld_usd?: number;
+    /** Released (net) amount in USD. */
+    released_usd?: number;
+    /**
+     * True when this is the customer's first withdrawal.
+     * Correct on the POST /transactions response and on tm.transaction.callback (both read
+     * from the in-memory struct before any DB re-fetch). Not persisted — getTransaction()
+     * always returns false regardless of actual history.
+     */
+    is_first_withdrawal?: boolean;
     tax_year: number;
     currency: string;
     status: TransactionStatus;
@@ -50,7 +79,7 @@ type Transaction = {
     ip_address?: string;
     risk_score: number;
     metadata?: JSONB;
-    benificiary_comment?: string;
+    beneficiary_comment?: string;
     transaction_date: string;
     created_at: string;
     updated_at: string;
@@ -66,10 +95,65 @@ interface TransactionClientConfig {
     debug?: boolean;
     environment?: 'production' | 'sandbox';
 }
+/**
+ * Response from POST /api/v1/tm/transactions.
+ *
+ * Status → outcome mapping:
+ *   "completed" — Vesant accepted; trigger the payment gateway (clean TIN,
+ *                 backup withholding applied, or treaty rate applied)
+ *   "hold"      — blocked, hold_reason set, no funds moved
+ *   "suspend"   — blocked, hold_reason set, no funds moved
+ */
 type TransactionCreateResponse = {
     transaction: Transaction;
     message: string;
 };
+/**
+ * Fired after every transaction is created.
+ * Delivers the final transaction state including withholding outcome so clients
+ * can mirror it without a separate polling call.
+ */
+interface TransactionCallbackEvent {
+    event_type: "tm.transaction.callback";
+    tx_id: string;
+    reference: string;
+    customer_id: string;
+    transaction_type: TransactionType;
+    transaction_mode: TransactionMode;
+    status: TransactionStatus;
+    amount: string;
+    currency: string;
+    withheld_amount: string;
+    released_amount: string;
+    withholding_rate: number;
+    withholding_type: WithholdingType;
+    /** Null when withholding_type is "none". */
+    withholding_reason: WithholdingReason | null;
+    amount_usd: number;
+    withheld_usd: number;
+    released_usd: number;
+    is_first_withdrawal: boolean;
+    /** Set when status is "suspend" or "hold"; null otherwise. */
+    hold_reason: HoldReason | null;
+    transaction_date: string;
+}
+/**
+ * Fired when a withdrawal is blocked due to missing or unverified W-9/TIN
+ * (status = "suspend" or "hold").
+ * Use this to notify the customer that TIN verification or W-9 submission is required.
+ */
+interface TransactionHeldEvent {
+    event_type: "tm.transaction.held";
+    tx_id: string;
+    customer_id: string;
+    customer_email: string;
+    customer_name: string;
+    /** Reflects the tenant's configured transaction action that was applied. */
+    action: "suspend" | "hold";
+    hold_reason: HoldReason;
+}
+/** Discriminated union of all TM service webhook event payloads. */
+type TransactionWebhookEvent = TransactionCallbackEvent | TransactionHeldEvent;
 /**
  * TransactionClient — SDK for the Transaction Monitoring service
@@ -78,7 +162,34 @@ type TransactionCreateResponse = {
 declare class TransactionClient extends BaseClient {
     constructor(config: BaseClientConfig);
     createTransaction(request: TransactionCreateDTO, requestOptions?: RequestOptions): Promise<TransactionCreateResponse>;
-    getTransaction(transactionId: string, requestOptions?: RequestOptions): Promise<void>;
+    getTransaction(transactionId: string, requestOptions?: RequestOptions): Promise<Transaction>;
+}
+type EventHandler<T> = (event: T) => void | Promise<void>;
+interface TransactionWebhookHandlerConfig {
+    secret: string;
+    /** Reject duplicate event_type+tx_id pairs within replayWindow. Default: true. */
+    replayProtection?: boolean;
+    /** How long (ms) to remember seen events for replay detection. Default: 300_000 (5 min). */
+    replayWindow?: number;
+}
+declare class TransactionWebhookHandler {
+    private readonly handlers;
+    private readonly secret;
+    private readonly replayProtection;
+    private readonly replayWindow;
+    private seenEvents;
+    constructor(config: TransactionWebhookHandlerConfig);
+    on(eventType: 'tm.transaction.callback', handler: EventHandler<TransactionCallbackEvent>): this;
+    on(eventType: 'tm.transaction.held', handler: EventHandler<TransactionHeldEvent>): this;
+    /** Verify HMAC-SHA256 signature only. Returns false instead of throwing. */
+    verify(rawBody: string, signature: string): Promise<boolean>;
+    /** Parse and validate required fields. Does not verify signature — use verifyAndParse in production. */
+    parse(body: string): TransactionWebhookEvent;
+    /** Verify signature, parse, and check for replays. Throws ValidationError on any failure. */
+    verifyAndParse(body: string, signature: string): Promise<TransactionWebhookEvent>;
+    /** Verify signature, parse, and dispatch to registered handlers. */
+    handle(body: string, signature: string): Promise<void>;
 }
-export { type JSONB, type Transaction, TransactionClient, type TransactionClientConfig, type TransactionCreateDTO, type TransactionCreateResponse, type TransactionMode, type TransactionStatus, type TransactionType, type WithholdingType };
+export { type HoldReason, type JSONB, type Transaction, type TransactionCallbackEvent, TransactionClient, type TransactionClientConfig, type TransactionCreateDTO, type TransactionCreateResponse, type TransactionHeldEvent, type TransactionMode, type TransactionStatus, type TransactionType, type TransactionWebhookEvent, TransactionWebhookHandler, type TransactionWebhookHandlerConfig, type WithholdingReason, type WithholdingType };

package/dist/index.js CHANGED Viewed

@@ -15,12 +15,80 @@ var TransactionClient = class extends core.BaseClient {
     return data;
   }
   async getTransaction(transactionId, requestOptions) {
-    await this.requestWithRetry(`/api/v1/tm/transactions/status/${transactionId}`, {
+    const data = await this.requestWithRetry(`/api/v1/tm/transactions/status/${transactionId}`, {
       method: "GET"
     }, void 0, void 0, requestOptions);
+    return data;
+  }
+};
+var TransactionWebhookHandler = class {
+  constructor(config) {
+    this.handlers = {
+      "tm.transaction.callback": [],
+      "tm.transaction.held": []
+    };
+    this.seenEvents = /* @__PURE__ */ new Map();
+    this.secret = config.secret;
+    this.replayProtection = config.replayProtection ?? true;
+    this.replayWindow = config.replayWindow ?? 3e5;
+  }
+  on(eventType, handler) {
+    this.handlers[eventType].push(handler);
+    return this;
+  }
+  /** Verify HMAC-SHA256 signature only. Returns false instead of throwing. */
+  async verify(rawBody, signature) {
+    return core.verifyWebhookSignature(rawBody, signature, this.secret);
+  }
+  /** Parse and validate required fields. Does not verify signature — use verifyAndParse in production. */
+  parse(body) {
+    const event = JSON.parse(body);
+    if (!event.event_type || !event.tx_id) {
+      throw new core.ValidationError(
+        "Invalid TM webhook event: missing required fields (event_type, tx_id)",
+        ["event_type", "tx_id"]
+      );
+    }
+    return event;
+  }
+  /** Verify signature, parse, and check for replays. Throws ValidationError on any failure. */
+  async verifyAndParse(body, signature) {
+    const isValid = await core.verifyWebhookSignature(body, signature, this.secret);
+    if (!isValid) {
+      throw new core.ValidationError("Invalid webhook signature", ["signature"]);
+    }
+    const event = this.parse(body);
+    if (this.replayProtection) {
+      const key = `${event.event_type}:${event.tx_id}`;
+      if (this.seenEvents.has(key)) {
+        throw new core.ValidationError(
+          `Duplicate webhook event: ${event.event_type} for ${event.tx_id} has already been processed`,
+          ["tx_id"]
+        );
+      }
+      const now = Date.now();
+      this.seenEvents.set(key, now);
+      if (this.seenEvents.size > 1e3) {
+        for (const [k, seenAt] of this.seenEvents) {
+          if (now - seenAt > this.replayWindow) {
+            this.seenEvents.delete(k);
+          }
+        }
+      }
+    }
+    return event;
+  }
+  /** Verify signature, parse, and dispatch to registered handlers. */
+  async handle(body, signature) {
+    const event = await this.verifyAndParse(body, signature);
+    const handlers = this.handlers[event.event_type];
+    for (const handler of handlers) {
+      await handler(event);
+    }
   }
 };
 exports.TransactionClient = TransactionClient;
+exports.TransactionWebhookHandler = TransactionWebhookHandler;
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/client.ts"],"names":["BaseClient"],"mappings":";;;;;AAQO,IAAM,iBAAA,GAAN,cAAgCA,eAAA,CAAW;AAAA,EAChD,YAAY,MAAA,EAA0B;AACpC,IAAA,KAAA,CAAM,MAAM,CAAA;AAAA,EACd;AAAA,EAEA,MAAM,iBAAA,CACJ,OAAA,EACA,cAAA,EACoC;AACpC,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,gBAAA,CAA4C,yBAAA,EAA2B;AAAA,MAC7F,MAAA,EAAQ,MAAA;AAAA,MACR,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,OAAO;AAAA,KAC9B,EAAG,MAAA,EAAW,MAAA,EAAW,cAAc,CAAA;AACvC,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,MAAM,cAAA,CAAe,aAAA,EAAuB,cAAA,~~EAAgD~~;~~AAC1F~~,IAAA,MAAM,IAAA,CAAK,gBAAA,~~CAAuB~~,CAAA,+BAAA,EAAkC,aAAa,CAAA,CAAA,EAAI;AAAA,~~MACnF~~,MAAA,EAAQ;AAAA,KACV,EAAG,MAAA,EAAW,MAAA,EAAW,cAAc,CAAA;AAAA,~~EACzC~~;AACF","file":"index.js","sourcesContent":["/*\n TransactionClient — SDK for the Transaction Monitoring service\n */\n\nimport { BaseClient } from '@vesant-sdk/core';\nimport type { BaseClientConfig, RequestOptions } from '@vesant-sdk/core';\nimport type { TransactionCreateDTO, TransactionCreateResponse } from './types';\n\nexport class TransactionClient extends BaseClient {\n constructor(config: BaseClientConfig) {\n super(config);\n }\n\n async createTransaction(\n request: TransactionCreateDTO,\n requestOptions?: RequestOptions\n ): Promise<TransactionCreateResponse> {\n const data = await this.requestWithRetry<TransactionCreateResponse>('/api/v1/tm/transactions', {\n method: 'POST',\n body: JSON.stringify(request),\n }, undefined, undefined, requestOptions);\n return data;\n }\n\n async getTransaction(transactionId: string, requestOptions?: RequestOptions): Promise<~~void~~> {\n await this.requestWithRetry<~~void~~>(`/api/v1/tm/transactions/status/${transactionId}`, {\n method: 'GET',\n }, undefined, undefined, requestOptions);\n }\n}\n"]}
1	+ {"version":3,"sources":["../src/client.ts","../src/webhook-handler.ts"],"names":["BaseClient","verifyWebhookSignature","ValidationError"],"mappings":";;;;;AAQO,IAAM,iBAAA,GAAN,cAAgCA,eAAA,CAAW;AAAA,EAChD,YAAY,MAAA,EAA0B;AACpC,IAAA,KAAA,CAAM,MAAM,CAAA;AAAA,EACd;AAAA,EAEA,MAAM,iBAAA,CACJ,OAAA,EACA,cAAA,EACoC;AACpC,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,gBAAA,CAA4C,yBAAA,EAA2B;AAAA,MAC7F,MAAA,EAAQ,MAAA;AAAA,MACR,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,OAAO;AAAA,KAC9B,EAAG,MAAA,EAAW,MAAA,EAAW,cAAc,CAAA;AACvC,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,MAAM,cAAA,CAAe,aAAA,EAAuB,cAAA,EAAuD;AACjG,IAAA,MAAM,OAAO,MAAM,IAAA,CAAK,gBAAA,CAA8B,CAAA,+BAAA,EAAkC,aAAa,CAAA,CAAA,EAAI;AAAA,MACvG,MAAA,EAAQ;AAAA,KACV,EAAG,MAAA,EAAW,MAAA,EAAW,cAAc,CAAA;AACvC,IAAA,OAAO,IAAA;AAAA,EACT;AACF;ACRO,IAAM,4BAAN,MAAgC;AAAA,EAUrC,YAAY,MAAA,EAAyC;AATrD,IAAA,IAAA,CAAiB,QAAA,GAAuB;AAAA,MACtC,2BAA2B,EAAC;AAAA,MAC5B,uBAAuB;AAAC,KAC1B;AAIA,IAAA,IAAA,CAAQ,UAAA,uBAAiB,GAAA,EAAoB;AAG3C,IAAA,IAAA,CAAK,SAAS,MAAA,CAAO,MAAA;AACrB,IAAA,IAAA,CAAK,gBAAA,GAAmB,OAAO,gBAAA,IAAoB,IAAA;AACnD,IAAA,IAAA,CAAK,YAAA,GAAe,OAAO,YAAA,IAAgB,GAAA;AAAA,EAC7C;AAAA,EAIA,EAAA,CAAG,WAA6B,OAAA,EAA4F;AAC1H,IAAC,IAAA,CAAK,QAAA,CAAS,SAAS,CAAA,CAA4B,KAAK,OAAO,CAAA;AAChE,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA,EAGA,MAAM,MAAA,CAAO,OAAA,EAAiB,SAAA,EAAqC;AACjE,IAAA,OAAOC,2BAAA,CAAuB,OAAA,EAAS,SAAA,EAAW,IAAA,CAAK,MAAM,CAAA;AAAA,EAC/D;AAAA;AAAA,EAGA,MAAM,IAAA,EAAuC;AAC3C,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,IAAI,CAAA;AAC7B,IAAA,IAAI,CAAC,KAAA,CAAM,UAAA,IAAc,CAAC,MAAM,KAAA,EAAO;AACrC,MAAA,MAAM,IAAIC,oBAAA;AAAA,QACR,uEAAA;AAAA,QACA,CAAC,cAAc,OAAO;AAAA,OACxB;AAAA,IACF;AACA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA,EAGA,MAAM,cAAA,CAAe,IAAA,EAAc,SAAA,EAAqD;AACtF,IAAA,MAAM,UAAU,MAAMD,2BAAA,CAAuB,IAAA,EAAM,SAAA,EAAW,KAAK,MAAM,CAAA;AACzE,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,MAAM,IAAIC,oBAAA,CAAgB,2BAAA,EAA6B,CAAC,WAAW,CAAC,CAAA;AAAA,IACtE;AAEA,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,IAAI,CAAA;AAE7B,IAAA,IAAI,KAAK,gBAAA,EAAkB;AACzB,MAAA,MAAM,MAAM,CAAA,EAAG,KAAA,CAAM,UAAU,CAAA,CAAA,EAAI,MAAM,KAAK,CAAA,CAAA;AAC9C,MAAA,IAAI,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,GAAG,CAAA,EAAG;AAC5B,QAAA,MAAM,IAAIA,oBAAA;AAAA,UACR,CAAA,yBAAA,EAA4B,KAAA,CAAM,UAAU,CAAA,KAAA,EAAQ,MAAM,KAAK,CAAA,2BAAA,CAAA;AAAA,UAC/D,CAAC,OAAO;AAAA,SACV;AAAA,MACF;AACA,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,MAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,GAAA,EAAK,GAAG,CAAA;AAC5B,MAAA,IAAI,IAAA,CAAK,UAAA,CAAW,IAAA,GAAO,GAAA,EAAM;AAC/B,QAAA,KAAA,MAAW,CAAC,CAAA,EAAG,MAAM,CAAA,IAAK,KAAK,UAAA,EAAY;AACzC,UAAA,IAAI,GAAA,GAAM,MAAA,GAAS,IAAA,CAAK,YAAA,EAAc;AACpC,YAAA,IAAA,CAAK,UAAA,CAAW,OAAO,CAAC,CAAA;AAAA,UAC1B;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA,EAGA,MAAM,MAAA,CAAO,IAAA,EAAc,SAAA,EAAkC;AAC3D,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,cAAA,CAAe,MAAM,SAAS,CAAA;AACvD,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,QAAA,CAAS,KAAA,CAAM,UAAU,CAAA;AAC/C,IAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,MAAA,MAAM,QAAQ,KAAK,CAAA;AAAA,IACrB;AAAA,EACF;AACF","file":"index.js","sourcesContent":["/*\n TransactionClient — SDK for the Transaction Monitoring service\n /\n\nimport { BaseClient } from '@vesant-sdk/core';\nimport type { BaseClientConfig, RequestOptions } from '@vesant-sdk/core';\nimport type { Transaction, TransactionCreateDTO, TransactionCreateResponse } from './types';\n\nexport class TransactionClient extends BaseClient {\n constructor(config: BaseClientConfig) {\n super(config);\n }\n\n async createTransaction(\n request: TransactionCreateDTO,\n requestOptions?: RequestOptions\n ): Promise<TransactionCreateResponse> {\n const data = await this.requestWithRetry<TransactionCreateResponse>('/api/v1/tm/transactions', {\n method: 'POST',\n body: JSON.stringify(request),\n }, undefined, undefined, requestOptions);\n return data;\n }\n\n async getTransaction(transactionId: string, requestOptions?: RequestOptions): Promise<Transaction> {\n const data = await this.requestWithRetry<Transaction>(`/api/v1/tm/transactions/status/${transactionId}`, {\n method: 'GET',\n }, undefined, undefined, requestOptions);\n return data;\n }\n}\n","import { verifyWebhookSignature, ValidationError } from '@vesant-sdk/core';\nimport type {\n TransactionCallbackEvent,\n TransactionHeldEvent,\n TransactionWebhookEvent,\n} from './types';\n\ntype EventHandler<T> = (event: T) => void \| Promise<void>;\n\ntype HandlerMap = {\n 'tm.transaction.callback': Array<EventHandler<TransactionCallbackEvent>>;\n 'tm.transaction.held': Array<EventHandler<TransactionHeldEvent>>;\n};\n\nexport interface TransactionWebhookHandlerConfig {\n secret: string;\n /* Reject duplicate event_type+tx_id pairs within replayWindow. Default: true. /\n replayProtection?: boolean;\n /* How long (ms) to remember seen events for replay detection. Default: 300_000 (5 min). /\n replayWindow?: number;\n}\n\nexport class TransactionWebhookHandler {\n private readonly handlers: HandlerMap = {\n 'tm.transaction.callback': [],\n 'tm.transaction.held': [],\n };\n private readonly secret: string;\n private readonly replayProtection: boolean;\n private readonly replayWindow: number;\n private seenEvents = new Map<string, number>();\n\n constructor(config: TransactionWebhookHandlerConfig) {\n this.secret = config.secret;\n this.replayProtection = config.replayProtection ?? true;\n this.replayWindow = config.replayWindow ?? 300_000;\n }\n\n on(eventType: 'tm.transaction.callback', handler: EventHandler<TransactionCallbackEvent>): this;\n on(eventType: 'tm.transaction.held', handler: EventHandler<TransactionHeldEvent>): this;\n on(eventType: keyof HandlerMap, handler: EventHandler<TransactionCallbackEvent> \| EventHandler<TransactionHeldEvent>): this {\n (this.handlers[eventType] as Array<typeof handler>).push(handler);\n return this;\n }\n\n /* Verify HMAC-SHA256 signature only. Returns false instead of throwing. /\n async verify(rawBody: string, signature: string): Promise<boolean> {\n return verifyWebhookSignature(rawBody, signature, this.secret);\n }\n\n /* Parse and validate required fields. Does not verify signature — use verifyAndParse in production. /\n parse(body: string): TransactionWebhookEvent {\n const event = JSON.parse(body) as TransactionWebhookEvent;\n if (!event.event_type \|\| !event.tx_id) {\n throw new ValidationError(\n 'Invalid TM webhook event: missing required fields (event_type, tx_id)',\n ['event_type', 'tx_id']\n );\n }\n return event;\n }\n\n /* Verify signature, parse, and check for replays. Throws ValidationError on any failure. /\n async verifyAndParse(body: string, signature: string): Promise<TransactionWebhookEvent> {\n const isValid = await verifyWebhookSignature(body, signature, this.secret);\n if (!isValid) {\n throw new ValidationError('Invalid webhook signature', ['signature']);\n }\n\n const event = this.parse(body);\n\n if (this.replayProtection) {\n const key = `${event.event_type}:${event.tx_id}`;\n if (this.seenEvents.has(key)) {\n throw new ValidationError(\n `Duplicate webhook event: ${event.event_type} for ${event.tx_id} has already been processed`,\n ['tx_id']\n );\n }\n const now = Date.now();\n this.seenEvents.set(key, now);\n if (this.seenEvents.size > 1000) {\n for (const [k, seenAt] of this.seenEvents) {\n if (now - seenAt > this.replayWindow) {\n this.seenEvents.delete(k);\n }\n }\n }\n }\n\n return event;\n }\n\n /* Verify signature, parse, and dispatch to registered handlers. */\n async handle(body: string, signature: string): Promise<void> {\n const event = await this.verifyAndParse(body, signature);\n const handlers = this.handlers[event.event_type] as Array<EventHandler<typeof event>>;\n for (const handler of handlers) {\n await handler(event);\n }\n }\n}\n"]}

package/dist/index.mjs CHANGED Viewed

@@ -1,4 +1,4 @@
-import { BaseClient } from '@vesant-sdk/core';
+import { BaseClient, verifyWebhookSignature, ValidationError } from '@vesant-sdk/core';
 // src/client.ts
 var TransactionClient = class extends BaseClient {
@@ -13,12 +13,79 @@ var TransactionClient = class extends BaseClient {
     return data;
   }
   async getTransaction(transactionId, requestOptions) {
-    await this.requestWithRetry(`/api/v1/tm/transactions/status/${transactionId}`, {
+    const data = await this.requestWithRetry(`/api/v1/tm/transactions/status/${transactionId}`, {
       method: "GET"
     }, void 0, void 0, requestOptions);
+    return data;
+  }
+};
+var TransactionWebhookHandler = class {
+  constructor(config) {
+    this.handlers = {
+      "tm.transaction.callback": [],
+      "tm.transaction.held": []
+    };
+    this.seenEvents = /* @__PURE__ */ new Map();
+    this.secret = config.secret;
+    this.replayProtection = config.replayProtection ?? true;
+    this.replayWindow = config.replayWindow ?? 3e5;
+  }
+  on(eventType, handler) {
+    this.handlers[eventType].push(handler);
+    return this;
+  }
+  /** Verify HMAC-SHA256 signature only. Returns false instead of throwing. */
+  async verify(rawBody, signature) {
+    return verifyWebhookSignature(rawBody, signature, this.secret);
+  }
+  /** Parse and validate required fields. Does not verify signature — use verifyAndParse in production. */
+  parse(body) {
+    const event = JSON.parse(body);
+    if (!event.event_type || !event.tx_id) {
+      throw new ValidationError(
+        "Invalid TM webhook event: missing required fields (event_type, tx_id)",
+        ["event_type", "tx_id"]
+      );
+    }
+    return event;
+  }
+  /** Verify signature, parse, and check for replays. Throws ValidationError on any failure. */
+  async verifyAndParse(body, signature) {
+    const isValid = await verifyWebhookSignature(body, signature, this.secret);
+    if (!isValid) {
+      throw new ValidationError("Invalid webhook signature", ["signature"]);
+    }
+    const event = this.parse(body);
+    if (this.replayProtection) {
+      const key = `${event.event_type}:${event.tx_id}`;
+      if (this.seenEvents.has(key)) {
+        throw new ValidationError(
+          `Duplicate webhook event: ${event.event_type} for ${event.tx_id} has already been processed`,
+          ["tx_id"]
+        );
+      }
+      const now = Date.now();
+      this.seenEvents.set(key, now);
+      if (this.seenEvents.size > 1e3) {
+        for (const [k, seenAt] of this.seenEvents) {
+          if (now - seenAt > this.replayWindow) {
+            this.seenEvents.delete(k);
+          }
+        }
+      }
+    }
+    return event;
+  }
+  /** Verify signature, parse, and dispatch to registered handlers. */
+  async handle(body, signature) {
+    const event = await this.verifyAndParse(body, signature);
+    const handlers = this.handlers[event.event_type];
+    for (const handler of handlers) {
+      await handler(event);
+    }
   }
 };
-export { TransactionClient };
+export { TransactionClient, TransactionWebhookHandler };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/client.ts"],"names":[],"mappings":";;;AAQO,IAAM,iBAAA,GAAN,cAAgC,UAAA,CAAW;AAAA,EAChD,YAAY,MAAA,EAA0B;AACpC,IAAA,KAAA,CAAM,MAAM,CAAA;AAAA,EACd;AAAA,EAEA,MAAM,iBAAA,CACJ,OAAA,EACA,cAAA,EACoC;AACpC,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,gBAAA,CAA4C,yBAAA,EAA2B;AAAA,MAC7F,MAAA,EAAQ,MAAA;AAAA,MACR,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,OAAO;AAAA,KAC9B,EAAG,MAAA,EAAW,MAAA,EAAW,cAAc,CAAA;AACvC,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,MAAM,cAAA,CAAe,aAAA,EAAuB,cAAA,~~EAAgD~~;~~AAC1F~~,IAAA,MAAM,IAAA,CAAK,gBAAA,~~CAAuB~~,CAAA,+BAAA,EAAkC,aAAa,CAAA,CAAA,EAAI;AAAA,~~MACnF~~,MAAA,EAAQ;AAAA,KACV,EAAG,MAAA,EAAW,MAAA,EAAW,cAAc,CAAA;AAAA,~~EACzC~~;AACF","file":"index.mjs","sourcesContent":["/*\n TransactionClient — SDK for the Transaction Monitoring service\n */\n\nimport { BaseClient } from '@vesant-sdk/core';\nimport type { BaseClientConfig, RequestOptions } from '@vesant-sdk/core';\nimport type { TransactionCreateDTO, TransactionCreateResponse } from './types';\n\nexport class TransactionClient extends BaseClient {\n constructor(config: BaseClientConfig) {\n super(config);\n }\n\n async createTransaction(\n request: TransactionCreateDTO,\n requestOptions?: RequestOptions\n ): Promise<TransactionCreateResponse> {\n const data = await this.requestWithRetry<TransactionCreateResponse>('/api/v1/tm/transactions', {\n method: 'POST',\n body: JSON.stringify(request),\n }, undefined, undefined, requestOptions);\n return data;\n }\n\n async getTransaction(transactionId: string, requestOptions?: RequestOptions): Promise<~~void~~> {\n await this.requestWithRetry<~~void~~>(`/api/v1/tm/transactions/status/${transactionId}`, {\n method: 'GET',\n }, undefined, undefined, requestOptions);\n }\n}\n"]}
1	+ {"version":3,"sources":["../src/client.ts","../src/webhook-handler.ts"],"names":[],"mappings":";;;AAQO,IAAM,iBAAA,GAAN,cAAgC,UAAA,CAAW;AAAA,EAChD,YAAY,MAAA,EAA0B;AACpC,IAAA,KAAA,CAAM,MAAM,CAAA;AAAA,EACd;AAAA,EAEA,MAAM,iBAAA,CACJ,OAAA,EACA,cAAA,EACoC;AACpC,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,gBAAA,CAA4C,yBAAA,EAA2B;AAAA,MAC7F,MAAA,EAAQ,MAAA;AAAA,MACR,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,OAAO;AAAA,KAC9B,EAAG,MAAA,EAAW,MAAA,EAAW,cAAc,CAAA;AACvC,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,MAAM,cAAA,CAAe,aAAA,EAAuB,cAAA,EAAuD;AACjG,IAAA,MAAM,OAAO,MAAM,IAAA,CAAK,gBAAA,CAA8B,CAAA,+BAAA,EAAkC,aAAa,CAAA,CAAA,EAAI;AAAA,MACvG,MAAA,EAAQ;AAAA,KACV,EAAG,MAAA,EAAW,MAAA,EAAW,cAAc,CAAA;AACvC,IAAA,OAAO,IAAA;AAAA,EACT;AACF;ACRO,IAAM,4BAAN,MAAgC;AAAA,EAUrC,YAAY,MAAA,EAAyC;AATrD,IAAA,IAAA,CAAiB,QAAA,GAAuB;AAAA,MACtC,2BAA2B,EAAC;AAAA,MAC5B,uBAAuB;AAAC,KAC1B;AAIA,IAAA,IAAA,CAAQ,UAAA,uBAAiB,GAAA,EAAoB;AAG3C,IAAA,IAAA,CAAK,SAAS,MAAA,CAAO,MAAA;AACrB,IAAA,IAAA,CAAK,gBAAA,GAAmB,OAAO,gBAAA,IAAoB,IAAA;AACnD,IAAA,IAAA,CAAK,YAAA,GAAe,OAAO,YAAA,IAAgB,GAAA;AAAA,EAC7C;AAAA,EAIA,EAAA,CAAG,WAA6B,OAAA,EAA4F;AAC1H,IAAC,IAAA,CAAK,QAAA,CAAS,SAAS,CAAA,CAA4B,KAAK,OAAO,CAAA;AAChE,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA,EAGA,MAAM,MAAA,CAAO,OAAA,EAAiB,SAAA,EAAqC;AACjE,IAAA,OAAO,sBAAA,CAAuB,OAAA,EAAS,SAAA,EAAW,IAAA,CAAK,MAAM,CAAA;AAAA,EAC/D;AAAA;AAAA,EAGA,MAAM,IAAA,EAAuC;AAC3C,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,IAAI,CAAA;AAC7B,IAAA,IAAI,CAAC,KAAA,CAAM,UAAA,IAAc,CAAC,MAAM,KAAA,EAAO;AACrC,MAAA,MAAM,IAAI,eAAA;AAAA,QACR,uEAAA;AAAA,QACA,CAAC,cAAc,OAAO;AAAA,OACxB;AAAA,IACF;AACA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA,EAGA,MAAM,cAAA,CAAe,IAAA,EAAc,SAAA,EAAqD;AACtF,IAAA,MAAM,UAAU,MAAM,sBAAA,CAAuB,IAAA,EAAM,SAAA,EAAW,KAAK,MAAM,CAAA;AACzE,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,MAAM,IAAI,eAAA,CAAgB,2BAAA,EAA6B,CAAC,WAAW,CAAC,CAAA;AAAA,IACtE;AAEA,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,IAAI,CAAA;AAE7B,IAAA,IAAI,KAAK,gBAAA,EAAkB;AACzB,MAAA,MAAM,MAAM,CAAA,EAAG,KAAA,CAAM,UAAU,CAAA,CAAA,EAAI,MAAM,KAAK,CAAA,CAAA;AAC9C,MAAA,IAAI,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,GAAG,CAAA,EAAG;AAC5B,QAAA,MAAM,IAAI,eAAA;AAAA,UACR,CAAA,yBAAA,EAA4B,KAAA,CAAM,UAAU,CAAA,KAAA,EAAQ,MAAM,KAAK,CAAA,2BAAA,CAAA;AAAA,UAC/D,CAAC,OAAO;AAAA,SACV;AAAA,MACF;AACA,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,MAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,GAAA,EAAK,GAAG,CAAA;AAC5B,MAAA,IAAI,IAAA,CAAK,UAAA,CAAW,IAAA,GAAO,GAAA,EAAM;AAC/B,QAAA,KAAA,MAAW,CAAC,CAAA,EAAG,MAAM,CAAA,IAAK,KAAK,UAAA,EAAY;AACzC,UAAA,IAAI,GAAA,GAAM,MAAA,GAAS,IAAA,CAAK,YAAA,EAAc;AACpC,YAAA,IAAA,CAAK,UAAA,CAAW,OAAO,CAAC,CAAA;AAAA,UAC1B;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA,EAGA,MAAM,MAAA,CAAO,IAAA,EAAc,SAAA,EAAkC;AAC3D,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,cAAA,CAAe,MAAM,SAAS,CAAA;AACvD,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,QAAA,CAAS,KAAA,CAAM,UAAU,CAAA;AAC/C,IAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,MAAA,MAAM,QAAQ,KAAK,CAAA;AAAA,IACrB;AAAA,EACF;AACF","file":"index.mjs","sourcesContent":["/*\n TransactionClient — SDK for the Transaction Monitoring service\n /\n\nimport { BaseClient } from '@vesant-sdk/core';\nimport type { BaseClientConfig, RequestOptions } from '@vesant-sdk/core';\nimport type { Transaction, TransactionCreateDTO, TransactionCreateResponse } from './types';\n\nexport class TransactionClient extends BaseClient {\n constructor(config: BaseClientConfig) {\n super(config);\n }\n\n async createTransaction(\n request: TransactionCreateDTO,\n requestOptions?: RequestOptions\n ): Promise<TransactionCreateResponse> {\n const data = await this.requestWithRetry<TransactionCreateResponse>('/api/v1/tm/transactions', {\n method: 'POST',\n body: JSON.stringify(request),\n }, undefined, undefined, requestOptions);\n return data;\n }\n\n async getTransaction(transactionId: string, requestOptions?: RequestOptions): Promise<Transaction> {\n const data = await this.requestWithRetry<Transaction>(`/api/v1/tm/transactions/status/${transactionId}`, {\n method: 'GET',\n }, undefined, undefined, requestOptions);\n return data;\n }\n}\n","import { verifyWebhookSignature, ValidationError } from '@vesant-sdk/core';\nimport type {\n TransactionCallbackEvent,\n TransactionHeldEvent,\n TransactionWebhookEvent,\n} from './types';\n\ntype EventHandler<T> = (event: T) => void \| Promise<void>;\n\ntype HandlerMap = {\n 'tm.transaction.callback': Array<EventHandler<TransactionCallbackEvent>>;\n 'tm.transaction.held': Array<EventHandler<TransactionHeldEvent>>;\n};\n\nexport interface TransactionWebhookHandlerConfig {\n secret: string;\n /* Reject duplicate event_type+tx_id pairs within replayWindow. Default: true. /\n replayProtection?: boolean;\n /* How long (ms) to remember seen events for replay detection. Default: 300_000 (5 min). /\n replayWindow?: number;\n}\n\nexport class TransactionWebhookHandler {\n private readonly handlers: HandlerMap = {\n 'tm.transaction.callback': [],\n 'tm.transaction.held': [],\n };\n private readonly secret: string;\n private readonly replayProtection: boolean;\n private readonly replayWindow: number;\n private seenEvents = new Map<string, number>();\n\n constructor(config: TransactionWebhookHandlerConfig) {\n this.secret = config.secret;\n this.replayProtection = config.replayProtection ?? true;\n this.replayWindow = config.replayWindow ?? 300_000;\n }\n\n on(eventType: 'tm.transaction.callback', handler: EventHandler<TransactionCallbackEvent>): this;\n on(eventType: 'tm.transaction.held', handler: EventHandler<TransactionHeldEvent>): this;\n on(eventType: keyof HandlerMap, handler: EventHandler<TransactionCallbackEvent> \| EventHandler<TransactionHeldEvent>): this {\n (this.handlers[eventType] as Array<typeof handler>).push(handler);\n return this;\n }\n\n /* Verify HMAC-SHA256 signature only. Returns false instead of throwing. /\n async verify(rawBody: string, signature: string): Promise<boolean> {\n return verifyWebhookSignature(rawBody, signature, this.secret);\n }\n\n /* Parse and validate required fields. Does not verify signature — use verifyAndParse in production. /\n parse(body: string): TransactionWebhookEvent {\n const event = JSON.parse(body) as TransactionWebhookEvent;\n if (!event.event_type \|\| !event.tx_id) {\n throw new ValidationError(\n 'Invalid TM webhook event: missing required fields (event_type, tx_id)',\n ['event_type', 'tx_id']\n );\n }\n return event;\n }\n\n /* Verify signature, parse, and check for replays. Throws ValidationError on any failure. /\n async verifyAndParse(body: string, signature: string): Promise<TransactionWebhookEvent> {\n const isValid = await verifyWebhookSignature(body, signature, this.secret);\n if (!isValid) {\n throw new ValidationError('Invalid webhook signature', ['signature']);\n }\n\n const event = this.parse(body);\n\n if (this.replayProtection) {\n const key = `${event.event_type}:${event.tx_id}`;\n if (this.seenEvents.has(key)) {\n throw new ValidationError(\n `Duplicate webhook event: ${event.event_type} for ${event.tx_id} has already been processed`,\n ['tx_id']\n );\n }\n const now = Date.now();\n this.seenEvents.set(key, now);\n if (this.seenEvents.size > 1000) {\n for (const [k, seenAt] of this.seenEvents) {\n if (now - seenAt > this.replayWindow) {\n this.seenEvents.delete(k);\n }\n }\n }\n }\n\n return event;\n }\n\n /* Verify signature, parse, and dispatch to registered handlers. */\n async handle(body: string, signature: string): Promise<void> {\n const event = await this.verifyAndParse(body, signature);\n const handlers = this.handlers[event.event_type] as Array<EventHandler<typeof event>>;\n for (const handler of handlers) {\n await handler(event);\n }\n }\n}\n"]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@vesant-sdk/transaction",
-  "version": "0.1.0-dev.40d1c39",
+  "version": "0.1.0-dev.51108af",
   "description": "Transaction monitoring client for the Vesant Compliance Platform",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",