@vigneshreddy/cms-sdk 1.0.14 → 1.0.16

package/README.md

@@ -1,10 +1,20 @@
 # @vigneshreddy/cms-sdk
 
-Official TypeScript/JavaScript SDK for the CutMeShort CMS API.
+[![npm version](https://img.shields.io/npm/v/@vigneshreddy/cms-sdk)](https://www.npmjs.com/package/@vigneshreddy/cms-sdk)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Node.js 18+](https://img.shields.io/badge/Node.js-18%2B-green)](https://nodejs.org/)
 
-Use this package to send:
-- lead tracking events (`cms.trackLead`)
-- sale tracking events (`cms.trackSale`)
+Official TypeScript/JavaScript SDK for the CutMeShort CMS API. Track leads and sales with reliable retry logic, comprehensive validation, and security best practices.
+
+**Key Features:**
+- 🚀 Full TypeScript support with strict types
+- ✅ Input validation with Zod
+- 🔄 Automatic retry with exponential backoff
+- 🛡️ Security hardened (API key validation, sensitive data redaction)
+- ⚡ Sub-second tracking events
+- 📊 Comprehensive error handling with specific error types
+
+---
 
 ## Install
 
@@ -41,7 +51,7 @@ const cms = new CMS({
 const response = await cms.trackLead({
   clickId: "id_123",
   eventName: "signup_started",
-  customerId: "user_42",
+  customerExternalId: "user_42",
 });
 
 console.log(response);
@@ -59,16 +69,15 @@ const cms = new CMS({ apiKey: "sk_live_xxx" });
 await cms.trackLead({
   clickId: "id_123",
   eventName: "signup_started",
-  customerId: "user_42",
+  customerExternalId: "user_42",
 });
 ```
 
 Lead payload fields:
 - `clickId: string` (optional in **deferred** follow-up calls)
 - `eventName: string`
-- `customerId: string`
+- `customerExternalId: string`
 - `timestamp?: string` (ISO 8601, e.g. `new Date().toISOString()`)
-- `customerExternalId?: string`
 - `customerName?: string`
 - `customerEmail?: string`
 - `customerAvatar?: string`
@@ -82,18 +91,18 @@ import { CMS } from "@vigneshreddy/cms-sdk";
 
 const cms = new CMS({ apiKey: "sk_live_xxx" });
 
-// Step 1: store the clickId <-> customerId association
+// Step 1: store the clickId <-> customerExternalId association
 await cms.trackLead({
   clickId: "id_123",
   eventName: "signup_started",
-  customerId: "user_42",
+  customerExternalId: "user_42",
   mode: "deferred",
 });
 
-// Step 2: later, track using just customerId (no clickId)
+// Step 2: later, track using just customerExternalId (no clickId)
 await cms.trackLead({
   eventName: "email_verified",
-  customerId: "user_42",
+  customerExternalId: "user_42",
   mode: "deferred",
 });
 ```
@@ -103,10 +112,11 @@ await cms.trackLead({
 ```ts
 import { CMS } from "@vigneshreddy/cms-sdk";
 
-const cms = new CMS({ apiKey: "sk_live_xxx" });
+const cms = new CMS({ apiKey: "xxx" });
 
 await cms.trackSale({
   clickId: "id_123",
+  customerExternalId: "user_123",
   eventName: "purchase_completed",
   invoiceId: "inv_987",
   amount: 4999,
@@ -118,7 +128,7 @@ Sale payload fields:
 - `clickId: string`
 - `eventName: string`
 - `timestamp?: string` (ISO 8601, e.g. `new Date().toISOString()`)
-- `customerExternalId?: string`
+- `customerExternalId: string`
 - `customerName?: string`
 - `customerEmail?: string`
 - `customerAvatar?: string`
@@ -144,7 +154,7 @@ type CMSConfig = {
 ```
 
 Defaults:
-- `baseUrl`: `https://www.cutmeshort.com/sdk`
+- `baseUrl`: `https://www.cutmeshort.com`
 - `timeout`: `10000`
 - `maxRetries`: `2`
 - `retryDelayMs`: `500`
@@ -165,7 +175,7 @@ await cms.trackLead(
   {
     clickId: "id_123",
     eventName: "signup_started",
-    customerId: "user_42",
+    customerExternalId: "user_42",
   },
   {
     timeout: 5000,
@@ -177,42 +187,117 @@ await cms.trackLead(
 
 ## Error Handling
 
-Class-based methods (`cms.trackLead`, `cms.trackSale`) throw `CMSAPIError` on failure.
+The SDK provides specific error classes for different failure scenarios. Catch and handle them appropriately:
 
 ```ts
-import { CMS, CMSAPIError } from "@vigneshreddy/cms-sdk";
+import { 
+  CMS, 
+  CMSAPIError,
+  UnauthorizedError,
+  RateLimitError,
+  ValidationError 
+} from "@vigneshreddy/cms-sdk";
 
-const cms = new CMS({ apiKey: "sk_live_xxx" });
+const cms = new CMS({ apiKey: process.env.CMS_API_KEY });
 
 try {
-  await cms.trackSale({
+  await cms.trackLead({
     clickId: "id_123",
-    eventName: "purchase_completed",
-    invoiceId: "inv_987",
-    amount: 4999,
-    currency: "USD",
+    eventName: "signup_started",
+    customerExternalId: "user_42",
   });
 } catch (error) {
-  if (error instanceof CMSAPIError) {
-    console.error("CMS API error", {
-      statusCode: error.statusCode,
-      type: error.type,
-      message: error.message,
-    });
+  if (error instanceof UnauthorizedError) {
+    console.error("Invalid API key - check your credentials");
+  } else if (error instanceof RateLimitError) {
+    console.error("Rate limited - wait before retrying");
+  } else if (error instanceof CMSAPIError) {
+    console.error(`CMS API error [${error.statusCode}]:`, error.message);
+    console.debug("Type:", error.type);
   } else {
-    console.error("Unexpected error", error);
+    console.error("Unexpected error:", error);
   }
 }
 ```
 
+### Available Error Types
+
+| Error Type | HTTP Code | When It Happens |
+|---|---|---|
+| `BadRequestError` | 400 | Invalid payload format |
+| `UnauthorizedError` | 401 | Invalid/missing API key |
+| `ForbiddenError` | 403 | Insufficient permissions |
+| `NotFoundError` | 404 | Resource not found |
+| `ConflictError` | 409 | Resource already exists |
+| `UnprocessableEntityError` | 422 | Validation failed |
+| `RateLimitError` | 429 | Too many requests |
+| `InternalServerError` | 500 | Server error |
+| `BadGatewayError` | 502 | Gateway error (retried) |
+| `ServiceUnavailableError` | 503 | Service down (retried) |
+| `GatewayTimeoutError` | 504 | Timeout (retried) |
+
+**Note:** Errors with HTTP codes 429, 500, 502, 503, 504 are automatically retried (configurable).
+
+### Retry Behavior
+
+The SDK automatically retries transient failures with exponential backoff:
+
+```ts
+const cms = new CMS({
+  apiKey: process.env.CMS_API_KEY,
+  maxRetries: 2,           // default: 2
+  retryDelayMs: 500,       // initial delay: 500ms
+  retryMaxDelayMs: 10000,  // max delay cap: 10s
+  retryOnNetworkError: true,
+});
+
+// Override for a specific request
+await cms.trackLead(
+  { clickId: "id_123", eventName: "event", customerExternalId: "user_1" },
+  { maxRetries: 5, retryDelayMs: 1000 }
+);
+```
+## TypeScript Usage
+
+The SDK is fully typed. Utilize TypeScript for better DX:
+
+```ts
+import { 
+  CMS, 
+  type CMSConfig,
+  type LeadPayload,
+  type SalePayload,
+  type RequestOptions 
+} from "@vigneshreddy/cms-sdk";
+
+// Config is validated at initialization
+const config: CMSConfig = {
+  apiKey: process.env.CMS_API_KEY!,
+  timeout: 5000,
+  maxRetries: 3,
+};
+
+const cms = new CMS(config);
+
+// Payloads have full type hints
+const leadPayload: LeadPayload = {
+  clickId: "id_123",
+  eventName: "signup_started",
+  customerExteranlId: "user_42",
+  customerEmail: "user@example.com",
+};
+
+// RequestOptions for per-call configuration
+const options: RequestOptions = {
+  timeout: 3000,
+  maxRetries: 1,
+};
+
+await cms.trackLead(leadPayload, options);
+```
+
 ## Public API
 
 This package intentionally exposes only:
 - `CMS` (use `cms.trackLead` and `cms.trackSale`)
 - `CMSAPIError` (for `instanceof` checks)
-
-Deep imports (example: `@vigneshreddy/cms-sdk/client`) are intentionally blocked.
-
-## Security Best Practice
-
-Do not expose private API keys in public frontend code. Use this SDK from a trusted backend/server environment when using secret keys.

package/dist/src/client.d.ts

@@ -1,4 +1,4 @@
-import { EventsApi, TrackLeadRequest, TrackSaleRequest } from "./generated";
+import { EventsApi, TrackLeadRequest, TrackSaleRequest } from "./funcs";
 export type LeadPayload = TrackLeadRequest;
 export type SalePayload = TrackSaleRequest;
 export interface CMSConfig {
@@ -57,6 +57,6 @@ export declare class CMS {
     private toGeneratedRequestOptions;
     private withRetry;
     private isRetryableErrorWithOptions;
-    trackLead(leadData: LeadPayload, options?: RequestOptions): Promise<import("./generated").TrackResponse>;
-    trackSale(saleData: SalePayload, options?: RequestOptions): Promise<import("./generated").TrackResponse>;
+    trackLead(leadData: LeadPayload, options?: RequestOptions): Promise<import("./funcs").TrackResponse>;
+    trackSale(saleData: SalePayload, options?: RequestOptions): Promise<import("./funcs").TrackResponse>;
 }

package/dist/src/client.js

@@ -2,19 +2,26 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.CMS = void 0;
 // src/client.ts
-const generated_1 = require("./generated");
+const funcs_1 = require("./funcs");
 const errors_1 = require("./errors");
-const DEFAULT_BASE_URL = "https://www.cutmeshort.com";
-const DEFAULT_TIMEOUT_MS = 10000;
-const DEFAULT_MAX_RETRIES = 2;
-const DEFAULT_RETRY_DELAY_MS = 500;
-const DEFAULT_RETRY_MAX_DELAY_MS = 10000;
-const DEFAULT_RETRY_STATUSES = [429, 500, 502, 503, 504];
+const validation_1 = require("./validations/validation");
+const constants_1 = require("./constants/constants");
+const DEFAULT_BASE_URL = constants_1.API_CONFIG.BASE_URL;
+const DEFAULT_TIMEOUT_MS = constants_1.API_CONFIG.TIMEOUT_MS;
+const DEFAULT_MAX_RETRIES = constants_1.RETRY_CONFIG.MAX_RETRIES;
+const DEFAULT_RETRY_DELAY_MS = constants_1.RETRY_CONFIG.DELAY_MS;
+const DEFAULT_RETRY_MAX_DELAY_MS = constants_1.RETRY_CONFIG.MAX_DELAY_MS;
+const DEFAULT_RETRY_STATUSES = [...constants_1.RETRY_CONFIG.ON_STATUSES];
 class CMS {
     constructor(config) {
         var _a, _b, _c, _d;
-        if (!config.apiKey) {
-            throw new Error("CMS SDK: apiKey is required.");
+        // Validate configuration with strict schema
+        try {
+            (0, validation_1.validateCMSConfig)(config);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            throw new Error(`CMS SDK: Invalid configuration - ${message}`);
         }
         const basePath = this.normalizeBaseUrl((_a = config.baseUrl) !== null && _a !== void 0 ? _a : DEFAULT_BASE_URL);
         // Retry configuration with sensible defaults
@@ -24,20 +31,22 @@ class CMS {
         this.retryOnStatuses = this.resolveRetryStatuses((_b = config.retryOnStatuses) !== null && _b !== void 0 ? _b : DEFAULT_RETRY_STATUSES);
         this.retryOnNetworkError = (_c = config.retryOnNetworkError) !== null && _c !== void 0 ? _c : true;
         // Create the Configuration object
-        const apiConfig = new generated_1.Configuration({
+        const apiConfig = new funcs_1.Configuration({
             basePath,
             accessToken: config.apiKey,
             baseOptions: {
                 // Ensure generated client uses the same timeout & headers
                 timeout: (_d = config.timeout) !== null && _d !== void 0 ? _d : DEFAULT_TIMEOUT_MS,
                 headers: {
-                    'Content-Type': 'application/json'
+                    'Content-Type': 'application/json',
+                    'X-CMS-SDK-Version': constants_1.SDK_VERSION,
+                    'X-CMS-SDK-Runtime': typeof globalThis !== 'undefined' ? constants_1.HTTP_HEADERS.RUNTIME_NODEJS : constants_1.HTTP_HEADERS.RUNTIME_BROWSER,
                 },
             },
         });
         // Instantiate the EventsApi using configuration and basePath.
         // The underlying implementation uses the global `fetch` API.
-        this.events = new generated_1.EventsApi(apiConfig, basePath);
+        this.events = new funcs_1.EventsApi(apiConfig, basePath);
     }
     async sleep(ms) {
         return new Promise((resolve) => setTimeout(resolve, ms));
@@ -182,12 +191,28 @@ class CMS {
         return false;
     }
     async trackLead(leadData, options) {
+        // Validate lead data
+        try {
+            (0, validation_1.validateLeadPayload)(leadData);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            throw new Error(`CMS SDK: Invalid lead data - ${message}`);
+        }
         const requestOptions = this.toGeneratedRequestOptions(options);
         return this.withRetry(async () => {
             return this.events.trackLead(leadData, requestOptions);
         }, options);
     }
     async trackSale(saleData, options) {
+        // Validate sale data
+        try {
+            (0, validation_1.validateSalePayload)(saleData);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            throw new Error(`CMS SDK: Invalid sale data - ${message}`);
+        }
         const requestOptions = this.toGeneratedRequestOptions(options);
         return this.withRetry(async () => {
             return this.events.trackSale(saleData, requestOptions);

package/dist/src/constants/constants.d.ts

@@ -0,0 +1,128 @@
+/**
+ * Centralized constants for the CMS SDK
+ * This single source of truth makes it easy to adjust configuration without updating multiple files
+ */
+export declare const SDK_VERSION = "1.0.14";
+export declare const API_CONFIG: {
+    /** Default base URL for the CMS API */
+    readonly BASE_URL: "https://www.cutmeshort.com";
+    /** Default timeout in milliseconds for HTTP requests */
+    readonly TIMEOUT_MS: 10000;
+};
+export declare const RETRY_CONFIG: {
+    /** Default maximum number of retry attempts for transient failures */
+    readonly MAX_RETRIES: 2;
+    /** Default base delay (in ms) between retries for transient failures */
+    readonly DELAY_MS: 500;
+    /** Default maximum delay cap (in ms) for retry backoff */
+    readonly MAX_DELAY_MS: 10000;
+    /** HTTP status codes that should be retried by default */
+    readonly ON_STATUSES: readonly [429, 500, 502, 503, 504];
+    /** Whether to retry on network errors (no response / timeout) by default */
+    readonly ON_NETWORK_ERROR: true;
+};
+export declare const VALIDATION_CONSTRAINTS: {
+    readonly API_KEY: {
+        /** Regex pattern for valid API keys: must be 20+ alphanumeric chars */
+        readonly PATTERN: RegExp;
+    };
+    readonly TIMEOUT: {
+        readonly MIN_MS: 1000;
+        readonly MAX_MS: 60000;
+    };
+    readonly MAX_RETRIES: {
+        readonly MIN: 0;
+        readonly MAX: 10;
+    };
+    readonly RETRY_DELAY: {
+        readonly MIN_MS: 100;
+        readonly MAX_MS: 30000;
+    };
+    readonly RETRY_MAX_DELAY: {
+        readonly MIN_MS: 1000;
+        readonly MAX_MS: 120000;
+    };
+    readonly STRING_FIELDS: {
+        readonly CLICK_ID: {
+            readonly MIN: 1;
+            readonly MAX: 255;
+        };
+        readonly CUSTOMER_ID: {
+            readonly MIN: 1;
+            readonly MAX: 255;
+        };
+        readonly CUSTOMER_EXTERNAL_ID: {
+            readonly MIN: 1;
+            readonly MAX: 255;
+        };
+        readonly CUSTOMER_NAME: {
+            readonly MAX: 255;
+        };
+        readonly CUSTOMER_EMAIL: {
+            readonly MAX: 255;
+        };
+        readonly EVENT_NAME: {
+            readonly MIN: 1;
+            readonly MAX: 255;
+        };
+        readonly INVOICE_ID: {
+            readonly MIN: 1;
+            readonly MAX: 255;
+        };
+    };
+    readonly CURRENCY: {
+        readonly LENGTH: 3;
+        readonly PATTERN: RegExp;
+    };
+    readonly AMOUNT: {
+        readonly MIN: 0;
+    };
+};
+export declare const ERROR_MESSAGES: {
+    readonly API_KEY_REQUIRED: "apiKey is required";
+    readonly API_KEY_INVALID_FORMAT: "apiKey must be a valid API key format";
+    readonly BASE_URL_INVALID: "baseUrl must be a valid absolute URL";
+    readonly TIMEOUT_TOO_LOW: "timeout must be at least 1000ms";
+    readonly TIMEOUT_TOO_HIGH: "timeout must not exceed 60000ms";
+    readonly MAX_RETRIES_NEGATIVE: "maxRetries must be non-negative";
+    readonly MAX_RETRIES_TOO_HIGH: "maxRetries must not exceed 10";
+    readonly RETRY_DELAY_TOO_LOW: "retryDelayMs must be at least 100ms";
+    readonly RETRY_DELAY_TOO_HIGH: "retryDelayMs must not exceed 30000ms";
+    readonly RETRY_MAX_DELAY_TOO_LOW: "retryMaxDelayMs must be at least 1000ms";
+    readonly RETRY_MAX_DELAY_TOO_HIGH: "retryMaxDelayMs must not exceed 120000ms";
+    readonly EVENT_NAME_REQUIRED: "eventName is required";
+    readonly EVENT_NAME_TOO_LONG: "eventName must not exceed 255 characters";
+    readonly CUSTOMER_ID_REQUIRED: "customerId is required";
+    readonly CUSTOMER_ID_TOO_LONG: "customerId must not exceed 255 characters";
+    readonly CUSTOMER_EXTERNAL_ID_REQUIRED: "customerExternalId is required";
+    readonly CUSTOMER_EXTERNAL_ID_TOO_LONG: "customerExternalId must not exceed 255 characters";
+    readonly CUSTOMER_EMAIL_INVALID: "customerEmail must be a valid email";
+    readonly CUSTOMER_EMAIL_TOO_LONG: "customerEmail must not exceed 255 characters";
+    readonly CUSTOMER_AVATAR_INVALID: "customerAvatar must be a valid URL";
+    readonly INVOICE_ID_REQUIRED: "invoiceId is required";
+    readonly INVOICE_ID_TOO_LONG: "invoiceId must not exceed 255 characters";
+    readonly AMOUNT_NEGATIVE: "amount must be non-negative";
+    readonly CURRENCY_INVALID_LENGTH: "currency must be 3-letter code (e.g., USD)";
+    readonly CURRENCY_INVALID_FORMAT: "currency must be uppercase ISO 4217 code";
+    readonly CURRENCY_OPTIONAL_IN_SALE: "currency is optional in sale tracking";
+};
+export declare const HTTP_HEADERS: {
+    /** Content type for all API requests */
+    readonly CONTENT_TYPE: "application/json";
+    /** SDK version header key */
+    readonly SDK_VERSION_HEADER: "X-CMS-SDK-Version";
+    /** SDK runtime detection header key */
+    readonly SDK_RUNTIME_HEADER: "X-CMS-SDK-Runtime";
+    /** SDK runtime value for Node.js */
+    readonly RUNTIME_NODEJS: "nodejs";
+    /** SDK runtime value for browser */
+    readonly RUNTIME_BROWSER: "browser";
+};
+export declare const SENSITIVE_FIELDS: {
+    /** List of field names that should be redacted in logs */
+    readonly PATTERNS: readonly ["apiKey", "accessToken", "token", "password", "secret", "authorization", "x-api-key"];
+    /** Redaction placeholder */
+    readonly REDACTION_PLACEHOLDER: "[REDACTED]";
+    /** API key redaction placeholder */
+    readonly API_KEY_REDACTION: "[REDACTED_API_KEY]";
+};

package/dist/src/constants/constants.js

@@ -0,0 +1,182 @@
+"use strict";
+/**
+ * Centralized constants for the CMS SDK
+ * This single source of truth makes it easy to adjust configuration without updating multiple files
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SENSITIVE_FIELDS = exports.HTTP_HEADERS = exports.ERROR_MESSAGES = exports.VALIDATION_CONSTRAINTS = exports.RETRY_CONFIG = exports.API_CONFIG = exports.SDK_VERSION = void 0;
+// ============================================================================
+// SDK VERSION
+// ============================================================================
+exports.SDK_VERSION = "1.0.14";
+// ============================================================================
+// API CONFIGURATION
+// ============================================================================
+exports.API_CONFIG = {
+    /** Default base URL for the CMS API */
+    BASE_URL: "https://www.cutmeshort.com",
+    /** Default timeout in milliseconds for HTTP requests */
+    TIMEOUT_MS: 10000,
+};
+// ============================================================================
+// RETRY CONFIGURATION
+// ============================================================================
+exports.RETRY_CONFIG = {
+    /** Default maximum number of retry attempts for transient failures */
+    MAX_RETRIES: 2,
+    /** Default base delay (in ms) between retries for transient failures */
+    DELAY_MS: 500,
+    /** Default maximum delay cap (in ms) for retry backoff */
+    MAX_DELAY_MS: 10000,
+    /** HTTP status codes that should be retried by default */
+    ON_STATUSES: [429, 500, 502, 503, 504],
+    /** Whether to retry on network errors (no response / timeout) by default */
+    ON_NETWORK_ERROR: true,
+};
+// ============================================================================
+// VALIDATION CONSTRAINTS
+// ============================================================================
+exports.VALIDATION_CONSTRAINTS = {
+    // API Key validation
+    API_KEY: {
+        /** Regex pattern for valid API keys: must be 20+ alphanumeric chars */
+        PATTERN: /^[a-zA-Z0-9_]{20,}$/,
+    },
+    // Timeout constraints
+    TIMEOUT: {
+        MIN_MS: 1000,
+        MAX_MS: 60000,
+    },
+    // Max retries constraints
+    MAX_RETRIES: {
+        MIN: 0,
+        MAX: 10,
+    },
+    // Retry delay constraints
+    RETRY_DELAY: {
+        MIN_MS: 100,
+        MAX_MS: 30000,
+    },
+    // Retry max delay constraints
+    RETRY_MAX_DELAY: {
+        MIN_MS: 1000,
+        MAX_MS: 120000,
+    },
+    // String field constraints
+    STRING_FIELDS: {
+        CLICK_ID: {
+            MIN: 1,
+            MAX: 255,
+        },
+        CUSTOMER_ID: {
+            MIN: 1,
+            MAX: 255,
+        },
+        CUSTOMER_EXTERNAL_ID: {
+            MIN: 1,
+            MAX: 255,
+        },
+        CUSTOMER_NAME: {
+            MAX: 255,
+        },
+        CUSTOMER_EMAIL: {
+            MAX: 255,
+        },
+        EVENT_NAME: {
+            MIN: 1,
+            MAX: 255,
+        },
+        INVOICE_ID: {
+            MIN: 1,
+            MAX: 255,
+        },
+    },
+    // Currency code constraints (ISO 4217)
+    CURRENCY: {
+        LENGTH: 3,
+        PATTERN: /^[A-Z]{3}$/,
+    },
+    // Amount constraints
+    AMOUNT: {
+        MIN: 0,
+    },
+};
+// ============================================================================
+// ERROR HANDLING
+// ============================================================================
+exports.ERROR_MESSAGES = {
+    // API Key errors
+    API_KEY_REQUIRED: "apiKey is required",
+    API_KEY_INVALID_FORMAT: "apiKey must be a valid API key format",
+    // Base URL errors
+    BASE_URL_INVALID: "baseUrl must be a valid absolute URL",
+    // Timeout errors
+    TIMEOUT_TOO_LOW: `timeout must be at least ${exports.VALIDATION_CONSTRAINTS.TIMEOUT.MIN_MS}ms`,
+    TIMEOUT_TOO_HIGH: `timeout must not exceed ${exports.VALIDATION_CONSTRAINTS.TIMEOUT.MAX_MS}ms`,
+    // Max retries errors
+    MAX_RETRIES_NEGATIVE: "maxRetries must be non-negative",
+    MAX_RETRIES_TOO_HIGH: `maxRetries must not exceed ${exports.VALIDATION_CONSTRAINTS.MAX_RETRIES.MAX}`,
+    // Retry delay errors
+    RETRY_DELAY_TOO_LOW: `retryDelayMs must be at least ${exports.VALIDATION_CONSTRAINTS.RETRY_DELAY.MIN_MS}ms`,
+    RETRY_DELAY_TOO_HIGH: `retryDelayMs must not exceed ${exports.VALIDATION_CONSTRAINTS.RETRY_DELAY.MAX_MS}ms`,
+    // Retry max delay errors
+    RETRY_MAX_DELAY_TOO_LOW: `retryMaxDelayMs must be at least ${exports.VALIDATION_CONSTRAINTS.RETRY_MAX_DELAY.MIN_MS}ms`,
+    RETRY_MAX_DELAY_TOO_HIGH: `retryMaxDelayMs must not exceed ${exports.VALIDATION_CONSTRAINTS.RETRY_MAX_DELAY.MAX_MS}ms`,
+    // Event name errors
+    EVENT_NAME_REQUIRED: "eventName is required",
+    EVENT_NAME_TOO_LONG: `eventName must not exceed ${exports.VALIDATION_CONSTRAINTS.STRING_FIELDS.EVENT_NAME.MAX} characters`,
+    // Customer ID errors
+    CUSTOMER_ID_REQUIRED: "customerId is required",
+    CUSTOMER_ID_TOO_LONG: `customerId must not exceed ${exports.VALIDATION_CONSTRAINTS.STRING_FIELDS.CUSTOMER_ID.MAX} characters`,
+    // Customer external ID errors
+    CUSTOMER_EXTERNAL_ID_REQUIRED: "customerExternalId is required",
+    CUSTOMER_EXTERNAL_ID_TOO_LONG: `customerExternalId must not exceed ${exports.VALIDATION_CONSTRAINTS.STRING_FIELDS.CUSTOMER_EXTERNAL_ID.MAX} characters`,
+    // Email errors
+    CUSTOMER_EMAIL_INVALID: "customerEmail must be a valid email",
+    CUSTOMER_EMAIL_TOO_LONG: `customerEmail must not exceed ${exports.VALIDATION_CONSTRAINTS.STRING_FIELDS.CUSTOMER_EMAIL.MAX} characters`,
+    // Avatar errors
+    CUSTOMER_AVATAR_INVALID: "customerAvatar must be a valid URL",
+    // Invoice ID errors
+    INVOICE_ID_REQUIRED: "invoiceId is required",
+    INVOICE_ID_TOO_LONG: `invoiceId must not exceed ${exports.VALIDATION_CONSTRAINTS.STRING_FIELDS.INVOICE_ID.MAX} characters`,
+    // Amount errors
+    AMOUNT_NEGATIVE: "amount must be non-negative",
+    // Currency errors
+    CURRENCY_INVALID_LENGTH: `currency must be ${exports.VALIDATION_CONSTRAINTS.CURRENCY.LENGTH}-letter code (e.g., USD)`,
+    CURRENCY_INVALID_FORMAT: "currency must be uppercase ISO 4217 code",
+    CURRENCY_OPTIONAL_IN_SALE: "currency is optional in sale tracking",
+};
+// ============================================================================
+// HTTP HEADERS
+// ============================================================================
+exports.HTTP_HEADERS = {
+    /** Content type for all API requests */
+    CONTENT_TYPE: "application/json",
+    /** SDK version header key */
+    SDK_VERSION_HEADER: "X-CMS-SDK-Version",
+    /** SDK runtime detection header key */
+    SDK_RUNTIME_HEADER: "X-CMS-SDK-Runtime",
+    /** SDK runtime value for Node.js */
+    RUNTIME_NODEJS: "nodejs",
+    /** SDK runtime value for browser */
+    RUNTIME_BROWSER: "browser",
+};
+// ============================================================================
+// SENSITIVE FIELD PATTERNS
+// ============================================================================
+exports.SENSITIVE_FIELDS = {
+    /** List of field names that should be redacted in logs */
+    PATTERNS: [
+        "apiKey",
+        "accessToken",
+        "token",
+        "password",
+        "secret",
+        "authorization",
+        "x-api-key",
+    ],
+    /** Redaction placeholder */
+    REDACTION_PLACEHOLDER: "[REDACTED]",
+    /** API key redaction placeholder */
+    API_KEY_REDACTION: "[REDACTED_API_KEY]",
+};

package/dist/src/errors.d.ts

@@ -4,5 +4,6 @@ export { BadRequestError, UnauthorizedError, ForbiddenError, NotFoundError, Conf
 /**
  * Parses fetch/network errors into a clean CMSAPIError (or specific subclass)
  * Uses specific error types when possible for better type safety
+ * Sanitizes sensitive information before storing
  */
 export declare function handleApiError(error: unknown, request?: unknown, response?: unknown): never;

package/dist/src/errors.js

@@ -23,6 +23,7 @@ Object.defineProperty(exports, "createSpecificError", { enumerable: true, get: f
 /**
  * Parses fetch/network errors into a clean CMSAPIError (or specific subclass)
  * Uses specific error types when possible for better type safety
+ * Sanitizes sensitive information before storing
  */
 function handleApiError(error, request, response) {
     var _a, _b, _c, _d, _e, _f;
@@ -71,14 +72,29 @@ function handleApiError(error, request, response) {
         if (!req || typeof req !== "object")
             return undefined;
         const r = req;
-        return {
+        const sanitized = {
             url: typeof r.url === "string" ? r.url : undefined,
             method: typeof r.method === "string" ? r.method : undefined,
             timeout: typeof r.timeout === "number" ? r.timeout : undefined,
-            headers: typeof r.headers === "object" && r.headers !== null
-                ? r.headers
-                : undefined,
         };
+        // Only include headers if they don't contain sensitive data
+        if (typeof r.headers === "object" && r.headers !== null) {
+            const headersObj = r.headers;
+            const safeHeaders = {};
+            for (const [key, value] of Object.entries(headersObj)) {
+                const lowerKey = key.toLowerCase();
+                // Exclude authorization and api-key headers
+                if (!lowerKey.includes("authorization") &&
+                    !lowerKey.includes("api-key") &&
+                    !lowerKey.includes("token")) {
+                    safeHeaders[key] = value;
+                }
+            }
+            if (Object.keys(safeHeaders).length > 0) {
+                sanitized.headers = safeHeaders;
+            }
+        }
+        return sanitized;
     };
     // Error with response from server
     const errorWithResponse = (_a = error === null || error === void 0 ? void 0 : error.response) !== null && _a !== void 0 ? _a : response;

package/dist/src/{generated → funcs}/base.js

@@ -1,7 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.operationServerMap = exports.RequiredError = exports.BaseAPI = exports.COLLECTION_FORMATS = exports.BASE_PATH = void 0;
-exports.BASE_PATH = "https://www.cutmeshort.com".replace(/\/+$/, "");
+const constants_1 = require("../constants/constants");
+exports.BASE_PATH = constants_1.API_CONFIG.BASE_URL.replace(/\/+$/, "");
 exports.COLLECTION_FORMATS = {
     csv: ",",
     ssv: " ",

package/dist/src/index.d.ts

@@ -1,2 +1,7 @@
 export { CMS } from "./client";
+export type { CMSConfig, RequestOptions, LeadPayload, SalePayload } from "./client";
 export { CMSAPIError } from "./errors";
+export { BadRequestError, UnauthorizedError, ForbiddenError, NotFoundError, ConflictError, UnprocessableEntityError, RateLimitError, InternalServerError, BadGatewayError, ServiceUnavailableError, GatewayTimeoutError, createSpecificError, } from "./errors/specific";
+export { validateLeadPayload, validateSalePayload, validateCMSConfig, sanitizeForLogging } from "./validations/validation";
+export type { LeadPayloadInput, SalePayloadInput, CMSConfigInput } from "./validations/validation";
+export { SDK_VERSION, API_CONFIG, RETRY_CONFIG, VALIDATION_CONSTRAINTS, ERROR_MESSAGES, HTTP_HEADERS, SENSITIVE_FIELDS, } from "./constants/constants";

package/dist/src/index.js

@@ -1,7 +1,34 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CMSAPIError = exports.CMS = void 0;
+exports.SENSITIVE_FIELDS = exports.HTTP_HEADERS = exports.ERROR_MESSAGES = exports.VALIDATION_CONSTRAINTS = exports.RETRY_CONFIG = exports.API_CONFIG = exports.SDK_VERSION = exports.sanitizeForLogging = exports.validateCMSConfig = exports.validateSalePayload = exports.validateLeadPayload = exports.createSpecificError = exports.GatewayTimeoutError = exports.ServiceUnavailableError = exports.BadGatewayError = exports.InternalServerError = exports.RateLimitError = exports.UnprocessableEntityError = exports.ConflictError = exports.NotFoundError = exports.ForbiddenError = exports.UnauthorizedError = exports.BadRequestError = exports.CMSAPIError = exports.CMS = void 0;
 var client_1 = require("./client");
 Object.defineProperty(exports, "CMS", { enumerable: true, get: function () { return client_1.CMS; } });
 var errors_1 = require("./errors");
 Object.defineProperty(exports, "CMSAPIError", { enumerable: true, get: function () { return errors_1.CMSAPIError; } });
+var specific_1 = require("./errors/specific");
+Object.defineProperty(exports, "BadRequestError", { enumerable: true, get: function () { return specific_1.BadRequestError; } });
+Object.defineProperty(exports, "UnauthorizedError", { enumerable: true, get: function () { return specific_1.UnauthorizedError; } });
+Object.defineProperty(exports, "ForbiddenError", { enumerable: true, get: function () { return specific_1.ForbiddenError; } });
+Object.defineProperty(exports, "NotFoundError", { enumerable: true, get: function () { return specific_1.NotFoundError; } });
+Object.defineProperty(exports, "ConflictError", { enumerable: true, get: function () { return specific_1.ConflictError; } });
+Object.defineProperty(exports, "UnprocessableEntityError", { enumerable: true, get: function () { return specific_1.UnprocessableEntityError; } });
+Object.defineProperty(exports, "RateLimitError", { enumerable: true, get: function () { return specific_1.RateLimitError; } });
+Object.defineProperty(exports, "InternalServerError", { enumerable: true, get: function () { return specific_1.InternalServerError; } });
+Object.defineProperty(exports, "BadGatewayError", { enumerable: true, get: function () { return specific_1.BadGatewayError; } });
+Object.defineProperty(exports, "ServiceUnavailableError", { enumerable: true, get: function () { return specific_1.ServiceUnavailableError; } });
+Object.defineProperty(exports, "GatewayTimeoutError", { enumerable: true, get: function () { return specific_1.GatewayTimeoutError; } });
+Object.defineProperty(exports, "createSpecificError", { enumerable: true, get: function () { return specific_1.createSpecificError; } });
+var validation_1 = require("./validations/validation");
+Object.defineProperty(exports, "validateLeadPayload", { enumerable: true, get: function () { return validation_1.validateLeadPayload; } });
+Object.defineProperty(exports, "validateSalePayload", { enumerable: true, get: function () { return validation_1.validateSalePayload; } });
+Object.defineProperty(exports, "validateCMSConfig", { enumerable: true, get: function () { return validation_1.validateCMSConfig; } });
+Object.defineProperty(exports, "sanitizeForLogging", { enumerable: true, get: function () { return validation_1.sanitizeForLogging; } });
+// Export constants for advanced configuration
+var constants_1 = require("./constants/constants");
+Object.defineProperty(exports, "SDK_VERSION", { enumerable: true, get: function () { return constants_1.SDK_VERSION; } });
+Object.defineProperty(exports, "API_CONFIG", { enumerable: true, get: function () { return constants_1.API_CONFIG; } });
+Object.defineProperty(exports, "RETRY_CONFIG", { enumerable: true, get: function () { return constants_1.RETRY_CONFIG; } });
+Object.defineProperty(exports, "VALIDATION_CONSTRAINTS", { enumerable: true, get: function () { return constants_1.VALIDATION_CONSTRAINTS; } });
+Object.defineProperty(exports, "ERROR_MESSAGES", { enumerable: true, get: function () { return constants_1.ERROR_MESSAGES; } });
+Object.defineProperty(exports, "HTTP_HEADERS", { enumerable: true, get: function () { return constants_1.HTTP_HEADERS; } });
+Object.defineProperty(exports, "SENSITIVE_FIELDS", { enumerable: true, get: function () { return constants_1.SENSITIVE_FIELDS; } });

package/dist/src/validations/validation.d.ts

@@ -0,0 +1,119 @@
+/**
+ * Input validation schemas using Zod
+ * Ensures all incoming data is sanitized and valid
+ */
+import { z } from "zod";
+export declare const CMSConfigSchema: z.ZodObject<{
+    apiKey: z.ZodEffects<z.ZodString, string, string>;
+    baseUrl: z.ZodOptional<z.ZodString>;
+    timeout: z.ZodOptional<z.ZodNumber>;
+    maxRetries: z.ZodOptional<z.ZodNumber>;
+    retryDelayMs: z.ZodOptional<z.ZodNumber>;
+    retryMaxDelayMs: z.ZodOptional<z.ZodNumber>;
+    retryOnStatuses: z.ZodOptional<z.ZodArray<z.ZodNumber, "many">>;
+    retryOnNetworkError: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    apiKey: string;
+    timeout?: number | undefined;
+    baseUrl?: string | undefined;
+    maxRetries?: number | undefined;
+    retryDelayMs?: number | undefined;
+    retryMaxDelayMs?: number | undefined;
+    retryOnStatuses?: number[] | undefined;
+    retryOnNetworkError?: boolean | undefined;
+}, {
+    apiKey: string;
+    timeout?: number | undefined;
+    baseUrl?: string | undefined;
+    maxRetries?: number | undefined;
+    retryDelayMs?: number | undefined;
+    retryMaxDelayMs?: number | undefined;
+    retryOnStatuses?: number[] | undefined;
+    retryOnNetworkError?: boolean | undefined;
+}>;
+export type CMSConfigInput = z.infer<typeof CMSConfigSchema>;
+export declare const LeadPayloadSchema: z.ZodObject<{
+    clickId: z.ZodOptional<z.ZodString>;
+    eventName: z.ZodString;
+    customerExternalId: z.ZodString;
+    timestamp: z.ZodOptional<z.ZodString>;
+    customerId: z.ZodOptional<z.ZodString>;
+    customerName: z.ZodOptional<z.ZodString>;
+    customerEmail: z.ZodOptional<z.ZodString>;
+    customerAvatar: z.ZodOptional<z.ZodString>;
+    mode: z.ZodOptional<z.ZodEnum<["deferred"]>>;
+}, "strip", z.ZodTypeAny, {
+    eventName: string;
+    customerExternalId: string;
+    clickId?: string | undefined;
+    timestamp?: string | undefined;
+    customerId?: string | undefined;
+    customerName?: string | undefined;
+    customerEmail?: string | undefined;
+    customerAvatar?: string | undefined;
+    mode?: "deferred" | undefined;
+}, {
+    eventName: string;
+    customerExternalId: string;
+    clickId?: string | undefined;
+    timestamp?: string | undefined;
+    customerId?: string | undefined;
+    customerName?: string | undefined;
+    customerEmail?: string | undefined;
+    customerAvatar?: string | undefined;
+    mode?: "deferred" | undefined;
+}>;
+export type LeadPayloadInput = z.infer<typeof LeadPayloadSchema>;
+export declare const SalePayloadSchema: z.ZodObject<{
+    clickId: z.ZodOptional<z.ZodString>;
+    eventName: z.ZodOptional<z.ZodString>;
+    invoiceId: z.ZodString;
+    amount: z.ZodNumber;
+    currency: z.ZodOptional<z.ZodString>;
+    timestamp: z.ZodOptional<z.ZodString>;
+    customerId: z.ZodOptional<z.ZodString>;
+    customerExternalId: z.ZodOptional<z.ZodString>;
+    customerName: z.ZodOptional<z.ZodString>;
+    customerEmail: z.ZodOptional<z.ZodString>;
+    mode: z.ZodOptional<z.ZodEnum<["deferred"]>>;
+}, "strip", z.ZodTypeAny, {
+    invoiceId: string;
+    amount: number;
+    clickId?: string | undefined;
+    eventName?: string | undefined;
+    customerExternalId?: string | undefined;
+    timestamp?: string | undefined;
+    customerId?: string | undefined;
+    customerName?: string | undefined;
+    customerEmail?: string | undefined;
+    mode?: "deferred" | undefined;
+    currency?: string | undefined;
+}, {
+    invoiceId: string;
+    amount: number;
+    clickId?: string | undefined;
+    eventName?: string | undefined;
+    customerExternalId?: string | undefined;
+    timestamp?: string | undefined;
+    customerId?: string | undefined;
+    customerName?: string | undefined;
+    customerEmail?: string | undefined;
+    mode?: "deferred" | undefined;
+    currency?: string | undefined;
+}>;
+export type SalePayloadInput = z.infer<typeof SalePayloadSchema>;
+/**
+ * Validates input data and throws detailed error if invalid
+ */
+export declare function validateLeadPayload(data: unknown): LeadPayloadInput;
+export declare function validateSalePayload(data: unknown): SalePayloadInput;
+export declare function validateCMSConfig(data: unknown): CMSConfigInput;
+/**
+ * Sanitizes sensitive data for logging/errors
+ * Removes API keys, tokens, and other credentials
+ */
+export declare function sanitizeForLogging(obj: any): any;
+/**
+ * Redacts API key from error messages
+ */
+export declare function redactApiKey(message: string, apiKey?: string): string;

package/dist/src/validations/validation.js

@@ -0,0 +1,196 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SalePayloadSchema = exports.LeadPayloadSchema = exports.CMSConfigSchema = void 0;
+exports.validateLeadPayload = validateLeadPayload;
+exports.validateSalePayload = validateSalePayload;
+exports.validateCMSConfig = validateCMSConfig;
+exports.sanitizeForLogging = sanitizeForLogging;
+exports.redactApiKey = redactApiKey;
+/**
+ * Input validation schemas using Zod
+ * Ensures all incoming data is sanitized and valid
+ */
+const zod_1 = require("zod");
+const constants_1 = require("../constants/constants");
+exports.CMSConfigSchema = zod_1.z.object({
+    apiKey: zod_1.z
+        .string()
+        .min(1, constants_1.ERROR_MESSAGES.API_KEY_REQUIRED)
+        .refine((key) => constants_1.VALIDATION_CONSTRAINTS.API_KEY.PATTERN.test(key), constants_1.ERROR_MESSAGES.API_KEY_INVALID_FORMAT),
+    baseUrl: zod_1.z
+        .string()
+        .url(constants_1.ERROR_MESSAGES.BASE_URL_INVALID)
+        .optional(),
+    timeout: zod_1.z
+        .number()
+        .int()
+        .min(constants_1.VALIDATION_CONSTRAINTS.TIMEOUT.MIN_MS, constants_1.ERROR_MESSAGES.TIMEOUT_TOO_LOW)
+        .max(constants_1.VALIDATION_CONSTRAINTS.TIMEOUT.MAX_MS, constants_1.ERROR_MESSAGES.TIMEOUT_TOO_HIGH)
+        .optional(),
+    maxRetries: zod_1.z
+        .number()
+        .int()
+        .min(constants_1.VALIDATION_CONSTRAINTS.MAX_RETRIES.MIN, constants_1.ERROR_MESSAGES.MAX_RETRIES_NEGATIVE)
+        .max(constants_1.VALIDATION_CONSTRAINTS.MAX_RETRIES.MAX, constants_1.ERROR_MESSAGES.MAX_RETRIES_TOO_HIGH)
+        .optional(),
+    retryDelayMs: zod_1.z
+        .number()
+        .int()
+        .min(constants_1.VALIDATION_CONSTRAINTS.RETRY_DELAY.MIN_MS, constants_1.ERROR_MESSAGES.RETRY_DELAY_TOO_LOW)
+        .max(constants_1.VALIDATION_CONSTRAINTS.RETRY_DELAY.MAX_MS, constants_1.ERROR_MESSAGES.RETRY_DELAY_TOO_HIGH)
+        .optional(),
+    retryMaxDelayMs: zod_1.z
+        .number()
+        .int()
+        .min(constants_1.VALIDATION_CONSTRAINTS.RETRY_MAX_DELAY.MIN_MS, constants_1.ERROR_MESSAGES.RETRY_MAX_DELAY_TOO_LOW)
+        .max(constants_1.VALIDATION_CONSTRAINTS.RETRY_MAX_DELAY.MAX_MS, constants_1.ERROR_MESSAGES.RETRY_MAX_DELAY_TOO_HIGH)
+        .optional(),
+    retryOnStatuses: zod_1.z
+        .array(zod_1.z.number().int().min(100).max(599))
+        .optional(),
+    retryOnNetworkError: zod_1.z.boolean().optional(),
+});
+// Lead payload validation
+exports.LeadPayloadSchema = zod_1.z.object({
+    clickId: zod_1.z
+        .string()
+        .min(constants_1.VALIDATION_CONSTRAINTS.STRING_FIELDS.CLICK_ID.MIN)
+        .max(constants_1.VALIDATION_CONSTRAINTS.STRING_FIELDS.CLICK_ID.MAX)
+        .optional(),
+    eventName: zod_1.z
+        .string()
+        .min(constants_1.VALIDATION_CONSTRAINTS.STRING_FIELDS.EVENT_NAME.MIN, constants_1.ERROR_MESSAGES.EVENT_NAME_REQUIRED)
+        .max(constants_1.VALIDATION_CONSTRAINTS.STRING_FIELDS.EVENT_NAME.MAX, constants_1.ERROR_MESSAGES.EVENT_NAME_TOO_LONG),
+    customerExternalId: zod_1.z
+        .string()
+        .min(constants_1.VALIDATION_CONSTRAINTS.STRING_FIELDS.CUSTOMER_EXTERNAL_ID.MIN, constants_1.ERROR_MESSAGES.CUSTOMER_EXTERNAL_ID_REQUIRED)
+        .max(constants_1.VALIDATION_CONSTRAINTS.STRING_FIELDS.CUSTOMER_EXTERNAL_ID.MAX, constants_1.ERROR_MESSAGES.CUSTOMER_EXTERNAL_ID_TOO_LONG),
+    timestamp: zod_1.z
+        .string()
+        .datetime()
+        .optional(),
+    customerId: zod_1.z
+        .string()
+        .max(constants_1.VALIDATION_CONSTRAINTS.STRING_FIELDS.CUSTOMER_ID.MAX)
+        .optional(),
+    customerName: zod_1.z
+        .string()
+        .max(constants_1.VALIDATION_CONSTRAINTS.STRING_FIELDS.CUSTOMER_NAME.MAX)
+        .optional(),
+    customerEmail: zod_1.z
+        .string()
+        .email(constants_1.ERROR_MESSAGES.CUSTOMER_EMAIL_INVALID)
+        .max(constants_1.VALIDATION_CONSTRAINTS.STRING_FIELDS.CUSTOMER_EMAIL.MAX, constants_1.ERROR_MESSAGES.CUSTOMER_EMAIL_TOO_LONG)
+        .optional(),
+    customerAvatar: zod_1.z
+        .string()
+        .url(constants_1.ERROR_MESSAGES.CUSTOMER_AVATAR_INVALID)
+        .optional(),
+    mode: zod_1.z
+        .enum(["deferred"])
+        .optional(),
+});
+// Sale payload validation
+exports.SalePayloadSchema = zod_1.z.object({
+    clickId: zod_1.z
+        .string()
+        .min(constants_1.VALIDATION_CONSTRAINTS.STRING_FIELDS.CLICK_ID.MIN)
+        .max(constants_1.VALIDATION_CONSTRAINTS.STRING_FIELDS.CLICK_ID.MAX)
+        .optional(),
+    eventName: zod_1.z
+        .string()
+        .optional(),
+    invoiceId: zod_1.z
+        .string()
+        .min(constants_1.VALIDATION_CONSTRAINTS.STRING_FIELDS.INVOICE_ID.MIN, constants_1.ERROR_MESSAGES.INVOICE_ID_REQUIRED)
+        .max(constants_1.VALIDATION_CONSTRAINTS.STRING_FIELDS.INVOICE_ID.MAX, constants_1.ERROR_MESSAGES.INVOICE_ID_TOO_LONG),
+    amount: zod_1.z
+        .number()
+        .int()
+        .min(constants_1.VALIDATION_CONSTRAINTS.AMOUNT.MIN, constants_1.ERROR_MESSAGES.AMOUNT_NEGATIVE),
+    currency: zod_1.z
+        .string()
+        .length(constants_1.VALIDATION_CONSTRAINTS.CURRENCY.LENGTH, constants_1.ERROR_MESSAGES.CURRENCY_INVALID_LENGTH)
+        .regex(constants_1.VALIDATION_CONSTRAINTS.CURRENCY.PATTERN, constants_1.ERROR_MESSAGES.CURRENCY_INVALID_FORMAT)
+        .optional(),
+    timestamp: zod_1.z
+        .string()
+        .datetime()
+        .optional(),
+    customerId: zod_1.z
+        .string()
+        .max(constants_1.VALIDATION_CONSTRAINTS.STRING_FIELDS.CUSTOMER_ID.MAX)
+        .optional(),
+    customerExternalId: zod_1.z
+        .string()
+        .max(constants_1.VALIDATION_CONSTRAINTS.STRING_FIELDS.CUSTOMER_EXTERNAL_ID.MAX)
+        .optional(),
+    customerName: zod_1.z
+        .string()
+        .max(constants_1.VALIDATION_CONSTRAINTS.STRING_FIELDS.CUSTOMER_NAME.MAX)
+        .optional(),
+    customerEmail: zod_1.z
+        .string()
+        .email(constants_1.ERROR_MESSAGES.CUSTOMER_EMAIL_INVALID)
+        .max(constants_1.VALIDATION_CONSTRAINTS.STRING_FIELDS.CUSTOMER_EMAIL.MAX, constants_1.ERROR_MESSAGES.CUSTOMER_EMAIL_TOO_LONG)
+        .optional(),
+    mode: zod_1.z
+        .enum(["deferred"])
+        .optional(),
+});
+/**
+ * Validates input data and throws detailed error if invalid
+ */
+function validateLeadPayload(data) {
+    return exports.LeadPayloadSchema.parse(data);
+}
+function validateSalePayload(data) {
+    return exports.SalePayloadSchema.parse(data);
+}
+function validateCMSConfig(data) {
+    return exports.CMSConfigSchema.parse(data);
+}
+/**
+ * Sanitizes sensitive data for logging/errors
+ * Removes API keys, tokens, and other credentials
+ */
+function sanitizeForLogging(obj) {
+    if (!obj || typeof obj !== "object") {
+        return obj;
+    }
+    if (Array.isArray(obj)) {
+        return obj.map((item) => sanitizeForLogging(item));
+    }
+    const sanitized = {};
+    for (const [key, value] of Object.entries(obj)) {
+        const lowerKey = key.toLowerCase();
+        // Mask sensitive field names
+        if (constants_1.SENSITIVE_FIELDS.PATTERNS.some((field) => lowerKey.includes(field))) {
+            sanitized[key] = typeof value === "string" ? constants_1.SENSITIVE_FIELDS.REDACTION_PLACEHOLDER : value;
+        }
+        else if (typeof value === "object" && value !== null) {
+            sanitized[key] = sanitizeForLogging(value);
+        }
+        else {
+            sanitized[key] = value;
+        }
+    }
+    return sanitized;
+}
+/**
+ * Redacts API key from error messages
+ */
+function redactApiKey(message, apiKey) {
+    if (!apiKey)
+        return message;
+    // Replace the full key and common patterns
+    const patterns = [
+        apiKey,
+        apiKey.substring(0, 3) + "***" + apiKey.substring(apiKey.length - 3),
+    ];
+    let result = message;
+    for (const pattern of patterns) {
+        result = result.replace(new RegExp(pattern, "g"), constants_1.SENSITIVE_FIELDS.API_KEY_REDACTION);
+    }
+    return result;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vigneshreddy/cms-sdk",
-  "version": "1.0.14",
+  "version": "1.0.16",
   "description": "Official TypeScript SDK for CutMeShort CMS API",
   "main": "dist/src/index.js",
   "types": "dist/src/index.d.ts",
@@ -17,7 +17,9 @@
   ],
   "scripts": {
     "build": "tsc -p tsconfig.json",
-    "test": "vitest"
+    "test": "vitest",
+    "audit": "npm audit --audit-level=moderate",
+    "security-check": "npm audit && npm ls"
   },
   "keywords": [
     "cutmeshort",
@@ -42,6 +44,9 @@
   },
   "author": "Vignesh Reddy",
   "license": "MIT",
+  "dependencies": {
+    "zod": "^3.22.0"
+  },
   "devDependencies": {
     "typescript": "^5.7.0",
     "vitest": "^4.0.18"