npm - yorck-mcp - Versions diffs - 0.1.0 - Mend

yorck-mcp 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/README.md +76 -0
package/bin/yorck.mjs +23 -0
package/package.json +42 -0
package/src/cli.ts +508 -0
package/src/index.ts +408 -0
package/src/lib/ai-stub.ts +3 -0
package/src/lib/ics.ts +37 -0
package/src/lib/jwt.ts +19 -0
package/src/lib/srp.ts +248 -0
package/src/lib/tz.ts +75 -0
package/src/local-mcp.ts +72 -0
package/src/mcp.ts +30 -0
package/src/tool-registration.ts +228 -0
package/src/types.ts +69 -0
package/src/yorck/auth.ts +156 -0
package/src/yorck/booking.ts +442 -0
package/src/yorck/browserAuth.ts +360 -0
package/src/yorck/browserBook.ts +220 -0
package/src/yorck/buildId.ts +46 -0
package/src/yorck/cinemas.ts +64 -0
package/src/yorck/films.ts +249 -0
package/src/yorck/seats.ts +169 -0

package/src/types.ts ADDED Viewed

@@ -0,0 +1,69 @@
+export interface Env {
+  CACHE: KVNamespace;
+  MCP_OBJECT: DurableObjectNamespace;
+  PUBLIC_MCP_OBJECT: DurableObjectNamespace;
+  BROWSER: Fetcher;
+  PREFERRED_CINEMAS: string;
+  DEFAULT_FORMATS: string;
+  COGNITO_USER_POOL: string;
+  COGNITO_CLIENT_ID: string;
+  COGNITO_REGION: string;
+  VISTA_BASE: string;
+  YORCK_AUTH_BASE: string;
+  YORCK_BASE: string;
+  PUBLIC_BASE_URL?: string;
+  YORCK_EMAIL?: string;
+  YORCK_PASSWORD?: string;
+  YORCK_UNLIMITED_CARD?: string;
+  YORCK_MCP_AUTH_TOKEN?: string;
+}
+export interface Showtime {
+  film: string;
+  slug: string;
+  tagline?: string;
+  runtime: number;
+  fsk?: number;
+  genre?: string;
+  yorckPick: boolean;
+  start: string;
+  end: string;
+  cinema: string;
+  cinemaSlug: string;
+  district?: string;
+  format: string;
+  url: string;
+  sessionId: string;
+}
+export interface Cinema {
+  name: string;
+  slug: string;
+  shortName: string;
+  vistaId: string;
+  district: string;
+  address: string;
+  coordinates?: { lat: number; lon: number };
+  numberOfAuditoriums?: number;
+}
+export interface FilmDetail {
+  title: string;
+  slug: string;
+  vistaId: string;
+  runtime: number;
+  fsk?: number;
+  genre?: string;
+  director?: string;
+  cast?: string[];
+  year?: number;
+  countries?: string[];
+  originalLanguage?: string;
+  tagline?: string;
+  about?: string;
+  trailerYouTubeId?: string;
+  poster?: string;
+  url: string;
+}

package/src/yorck/auth.ts ADDED Viewed

@@ -0,0 +1,156 @@
+import type { Env } from "../types.ts";
+import { decodeJwt, jwtExpired } from "../lib/jwt.ts";
+const KV_KEY = "yorck:tokens";
+interface SigninResponse {
+  accessToken: string;
+  idToken: string;
+  refreshToken: string;
+}
+interface CachedSession {
+  accessToken: string;
+  idToken: string;
+  refreshToken: string;
+  cachedAtMs: number;
+}
+interface IdTokenClaims {
+  email: string;
+  given_name?: string;
+  family_name?: string;
+  name?: string;
+  "custom:vistaAccessToken2"?: string;
+  "custom:vistaRefreshToken2"?: string;
+  "custom:vistaMemberId"?: string;
+  exp: number;
+}
+async function signin(env: Env): Promise<CachedSession> {
+  if (!env.YORCK_EMAIL || !env.YORCK_PASSWORD) {
+    throw new Error("YORCK_EMAIL / YORCK_PASSWORD secrets not set");
+  }
+  const r = await fetch(`${env.YORCK_AUTH_BASE}/auth/signin`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Accept: "application/json",
+      Origin: "https://www.yorck.de",
+      Referer: "https://www.yorck.de/",
+      "User-Agent": "Mozilla/5.0 (yorck-mcp)",
+    },
+    body: JSON.stringify({ email: env.YORCK_EMAIL, password: env.YORCK_PASSWORD }),
+  });
+  if (!r.ok) throw new Error(`signin ${r.status}: ${await r.text()}`);
+  const j = (await r.json()) as SigninResponse;
+  if (!j.idToken || !j.accessToken) {
+    throw new Error(`signin: missing tokens in response ${JSON.stringify(j).slice(0, 200)}`);
+  }
+  const session: CachedSession = {
+    accessToken: j.accessToken,
+    idToken: j.idToken,
+    refreshToken: j.refreshToken,
+    cachedAtMs: Date.now(),
+  };
+  // The Cognito access/id tokens are 1h. Cache for ~55 min.
+  await env.CACHE.put(KV_KEY, JSON.stringify(session), { expirationTtl: 55 * 60 });
+  return session;
+}
+async function refreshSession(env: Env, refreshToken: string): Promise<CachedSession> {
+  const r = await fetch(`${env.YORCK_AUTH_BASE}/auth/refresh`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Accept: "application/json",
+      Origin: "https://www.yorck.de",
+      Referer: "https://www.yorck.de/",
+      "User-Agent": "Mozilla/5.0 (yorck-mcp)",
+    },
+    body: JSON.stringify({ refreshToken }),
+  });
+  if (!r.ok) throw new Error(`refresh ${r.status}: ${await r.text()}`);
+  const j = (await r.json()) as SigninResponse;
+  const session: CachedSession = {
+    accessToken: j.accessToken,
+    idToken: j.idToken,
+    refreshToken: j.refreshToken ?? refreshToken,
+    cachedAtMs: Date.now(),
+  };
+  await env.CACHE.put(KV_KEY, JSON.stringify(session), { expirationTtl: 55 * 60 });
+  return session;
+}
+export async function getSession(env: Env, force = false): Promise<CachedSession> {
+  if (!force) {
+    const cached = await env.CACHE.get<CachedSession>(KV_KEY, "json");
+    if (cached && !jwtExpired(cached.idToken, 60)) {
+      return cached;
+    }
+    if (cached?.refreshToken) {
+      try {
+        return await refreshSession(env, cached.refreshToken);
+      } catch {
+        // fall through to fresh signin
+      }
+    }
+  }
+  return signin(env);
+}
+export interface VistaAuthHeaders {
+  "id-token": string;
+  "access-token": string;
+  "refresh-token": string;
+  connectApiToken: string;
+}
+export async function authHeaders(env: Env): Promise<VistaAuthHeaders> {
+  const s = await getSession(env);
+  return {
+    "id-token": s.idToken,
+    "access-token": s.accessToken,
+    "refresh-token": s.refreshToken,
+    connectApiToken: "",
+  };
+}
+// Forces fresh tokens if a call fails with an auth error.
+export async function withFreshAuthRetry<T>(env: Env, fn: (h: VistaAuthHeaders) => Promise<T>): Promise<T> {
+  let h = await authHeaders(env);
+  try {
+    return await fn(h);
+  } catch (e) {
+    const msg = String(e);
+    if (
+      msg.includes("ExpiredLoyaltyToken") ||
+      msg.includes("loyaltySessionToken is expired") ||
+      msg.includes("Invalid credentials") ||
+      msg.includes("ExpiredToken") ||
+      msg.includes("401") ||
+      msg.includes("403")
+    ) {
+      const fresh = await getSession(env, true);
+      h = {
+        "id-token": fresh.idToken,
+        "access-token": fresh.accessToken,
+        "refresh-token": fresh.refreshToken,
+        connectApiToken: "",
+      };
+      return await fn(h);
+    }
+    throw e;
+  }
+}
+export async function whoAmI(env: Env): Promise<{ memberId: string; email: string; name: string }> {
+  const s = await getSession(env);
+  const claims = decodeJwt<IdTokenClaims>(s.idToken);
+  const fullName = `${claims.given_name ?? ""} ${claims.family_name ?? ""}`.trim();
+  return {
+    memberId: claims["custom:vistaMemberId"] ?? "",
+    email: claims.email,
+    name: fullName || claims.name || claims.given_name || "",
+  };
+}

package/src/yorck/booking.ts ADDED Viewed

@@ -0,0 +1,442 @@
+import type { Env } from "../types.ts";
+import { authHeaders, whoAmI, withFreshAuthRetry } from "./auth.ts";
+import { getCinemaBySlug } from "./cinemas.ts";
+import { findSeatByRowAndId, getSeatPlan } from "./seats.ts";
+const BASE_HEADERS = {
+  Accept: "application/json",
+  "Content-Type": "application/json",
+  Origin: "https://www.yorck.de",
+  Referer: "https://www.yorck.de/",
+  "User-Agent": "Mozilla/5.0 (yorck-mcp)",
+};
+// All Vista calls use Yorck's React-app auth chain so the gateway can read
+// the embedded vistaAccessToken2 from the Cognito id-token claim.
+async function vistaCall(env: Env, path: string, init: RequestInit = {}): Promise<Response> {
+  const auth = await authHeaders(env);
+  return fetch(env.VISTA_BASE + path, {
+    ...init,
+    headers: {
+      ...BASE_HEADERS,
+      ...auth,
+      ...(init.headers as Record<string, string> | undefined),
+    },
+  });
+}
+function apiBase(env: Env): string {
+  return env.VISTA_BASE.replace(/\/vista\/?$/, "");
+}
+export interface OrderSeat {
+  areaCategoryCode?: string;
+  areaNumber?: number;
+  rowDisplay?: string;
+  columnDisplay?: string;
+  rowIndex: number;
+  columnIndex: number;
+}
+export interface OrderState {
+  cinemaId: string;
+  userSessionId: string;
+  orderTotalValueInCents: number;
+  expiryDateUtc: string;
+  sessions: Array<{
+    id: number;
+    filmTitle: string;
+    startTime: string;
+    screen?: string;
+    tickets: Array<{
+      ticketDetails?: {
+        ticketId: number;
+        ticketTypeCode: string;
+        description?: string;
+        finalPriceInCents: number;
+        originalPriceInCents: number;
+      } | null;
+      seats: OrderSeat[];
+    }>;
+  }>;
+  customer?: {
+    firstName: string;
+    lastName: string;
+    email: string;
+  };
+}
+export async function createOrder(env: Env, cinemaVistaId: string): Promise<OrderState> {
+  const r = await vistaCall(env, "/orders", {
+    method: "POST",
+    body: JSON.stringify({ cinemaId: cinemaVistaId }),
+  });
+  if (!r.ok) throw new Error(`createOrder ${r.status}: ${await r.text()}`);
+  const j = (await r.json()) as { order: OrderState };
+  return j.order;
+}
+export async function getOrder(env: Env, userSessionId: string): Promise<OrderState> {
+  const r = await vistaCall(env, `/orders/${userSessionId}`);
+  if (!r.ok) throw new Error(`getOrder ${r.status}: ${await r.text()}`);
+  const j = (await r.json()) as { order: OrderState };
+  return j.order;
+}
+export async function cancelOrder(env: Env, userSessionId: string): Promise<void> {
+  await vistaCall(env, "/RESTTicketing.svc/order/cancel", {
+    method: "POST",
+    body: JSON.stringify({ UserSessionId: userSessionId }),
+  });
+}
+interface RawTicket {
+  TicketTypeCode: string;
+  TicketCode: string;
+  HOPK?: string;
+  HeadOfficeGroupingCode?: string;
+  AreaCategoryCode: string;
+  Description?: string;
+  DescriptionAlt?: string;
+  LongDescription?: string;
+  LongDescriptionAlt?: string;
+  ThirdPartyMembershipName?: string;
+  IsThirdPartyMemberTicket?: boolean;
+  PriceInCents: number;
+}
+async function getTickets(env: Env, cinemaVistaId: string, sessionNum: string, userSessionId: string): Promise<RawTicket[]> {
+  const r = await vistaCall(env, `/RESTData.svc/cinemas/${cinemaVistaId}/sessions/${sessionNum}/tickets?salesChannelFilter=WWW&userSessionId=${userSessionId}`);
+  if (!r.ok) throw new Error(`tickets ${r.status}: ${await r.text()}`);
+  const j = (await r.json()) as { Tickets: RawTicket[] };
+  return j.Tickets ?? [];
+}
+async function getUnlimitedTicket(env: Env, cinemaVistaId: string, sessionNum: string, userSessionId: string): Promise<RawTicket> {
+  const tickets = await getTickets(env, cinemaVistaId, sessionNum, userSessionId);
+  const unlimited = tickets.find((t) => {
+    const text = `${t.Description ?? ""} ${t.DescriptionAlt ?? ""} ${t.ThirdPartyMembershipName ?? ""}`.toLowerCase();
+    return text.includes("unlimited") && (t.PriceInCents === 0 || t.IsThirdPartyMemberTicket);
+  }) ?? tickets.find((t) => t.IsThirdPartyMemberTicket && t.PriceInCents === 0);
+  if (!unlimited) {
+    const available = tickets.map((t) => `${t.TicketTypeCode}:${t.DescriptionAlt ?? t.Description ?? "?"}`).join(", ");
+    throw new Error(`no Yorck Unlimited ticket type for this session; available: ${available}`);
+  }
+  return unlimited;
+}
+// Step observed on yorck.de /checkout/seats: first hold the chosen seat with
+// ticketDetails=null. The actual Unlimited ticket is applied after member
+// validation on /checkout/tickets.
+export async function holdSeat(env: Env, args: {
+  userSessionId: string;
+  sessionNum: string;
+  seat: OrderSeat;
+}): Promise<OrderState> {
+  const body = {
+    tickets: [
+      {
+        ticketDetails: null,
+        seats: [args.seat],
+      },
+    ],
+  };
+  const r = await vistaCall(env, `/orders/${args.userSessionId}/sessions/${args.sessionNum}/set-tickets`, {
+    method: "POST",
+    body: JSON.stringify(body),
+  });
+  if (!r.ok) throw new Error(`hold-seat ${r.status}: ${await r.text()}`);
+  const j = (await r.json()) as { order: OrderState };
+  return j.order;
+}
+export async function setUnlimitedTicket(env: Env, args: {
+  userSessionId: string;
+  sessionNum: string;
+  ticketTypeCode: string;
+  unlimitedCard: string;
+  seat: OrderSeat;
+}): Promise<OrderState> {
+  const body = {
+    tickets: [
+      {
+        ticketDetails: {
+          ticketTypeCode: args.ticketTypeCode,
+          thirdPartyMemberScheme: { memberCard: args.unlimitedCard },
+        },
+        seats: [args.seat],
+      },
+    ],
+  };
+  const r = await vistaCall(env, `/orders/${args.userSessionId}/sessions/${args.sessionNum}/set-tickets`, {
+    method: "POST",
+    body: JSON.stringify(body),
+  });
+  if (!r.ok) throw new Error(`set-unlimited-ticket ${r.status}: ${await r.text()}`);
+  const j = (await r.json()) as { order: OrderState };
+  return j.order;
+}
+export async function setCustomerDetails(env: Env, args: {
+  userSessionId: string;
+  firstName: string;
+  lastName: string;
+  email: string;
+}): Promise<void> {
+  const r = await vistaCall(env, `/orders/${args.userSessionId}/customer-details`, {
+    method: "POST",
+    body: JSON.stringify({
+      firstName: args.firstName,
+      lastName: args.lastName,
+      email: args.email,
+    }),
+  });
+  if (!r.ok) throw new Error(`customer-details ${r.status}: ${await r.text()}`);
+}
+export async function validateMember(env: Env, args: {
+  userSessionId: string;
+  memberId: string;
+}): Promise<unknown> {
+  return withFreshAuthRetry(env, async (auth) => {
+    const r = await fetch(env.VISTA_BASE + "/RESTLoyalty.svc/member/validate", {
+      method: "POST",
+      headers: { ...BASE_HEADERS, ...auth },
+      body: JSON.stringify({
+        UserSessionId: args.userSessionId,
+        MemberId: args.memberId,
+        ReturnMember: true,
+      }),
+    });
+    const text = await r.text();
+    if (!r.ok) throw new Error(`validate-member ${r.status}: ${text}`);
+    try { return JSON.parse(text); } catch { return { raw: text }; }
+  });
+}
+interface ValidateResponse {
+  Result: number;
+  ErrorDescription: string | null;
+  MemberTicketApprovals: Array<{
+    TicketTypeCode: string;
+    MemberProviderName?: string;
+    CardNumber?: string;
+    ApprovedPriceInCents: number;
+    ApprovedQty?: number;
+  }> | null;
+}
+function parseValidate(text: string): ValidateResponse {
+  return JSON.parse(text) as ValidateResponse;
+}
+function makeValidateBody(args: {
+  userSessionId: string;
+  cinemaVistaId: string;
+  sessionId: number;
+  ticketTypeCode: string;
+  unlimitedCard: string;
+}): string {
+  return JSON.stringify({
+    SessionId: args.sessionId,
+    UserSessionId: args.userSessionId,
+    CinemaId: args.cinemaVistaId,
+    TicketTypes: [
+      {
+        TicketTypeCode: args.ticketTypeCode,
+        Qty: 1,
+        ThirdPartyMemberScheme: { MemberCard: args.unlimitedCard },
+      },
+    ],
+  });
+}
+export async function validateUnlimitedMember(env: Env, args: {
+  userSessionId: string;
+  cinemaVistaId: string;
+  sessionId: number;
+  ticketTypeCode: string;
+  unlimitedCard: string;
+}): Promise<{
+  approved: boolean;
+  ticketTypeCode?: string;
+  approvedPriceInCents?: number;
+  raw: unknown;
+}> {
+  return withFreshAuthRetry(env, async (auth) => {
+    const r = await fetch(env.VISTA_BASE + "/RESTTicketing.svc/order/validate/membertickets", {
+      method: "POST",
+      headers: { ...BASE_HEADERS, ...auth },
+      body: makeValidateBody(args),
+    });
+    const text = await r.text();
+    if (!r.ok) throw new Error(`validate-membertickets ${r.status}: ${text}`);
+    const j = parseValidate(text);
+    if (j.Result !== 0) throw new Error(`validate-membertickets: ${j.ErrorDescription}`);
+    const first = j.MemberTicketApprovals?.[0];
+    return {
+      approved: !!first,
+      ticketTypeCode: first?.TicketTypeCode,
+      approvedPriceInCents: first?.ApprovedPriceInCents,
+      raw: j as unknown,
+    };
+  });
+}
+function splitName(name: string | undefined): { firstName: string; lastName: string; fullName: string } {
+  const fullName = (name || "Yorck Member").trim();
+  const [firstName = "Yorck", ...rest] = fullName.split(/\s+/);
+  return { firstName, lastName: rest.join(" ") || "Member", fullName };
+}
+async function getSessionScreen(env: Env, fullSessionId: string): Promise<string | undefined> {
+  // Public Contentful delivery token embedded in yorck.de's frontend bundle.
+  // confirm-order requires this `screen` value, but Vista's order response
+  // does not include it for every order.
+  const url = `https://cdn.contentful.com/spaces/4mws6uyas4ta/environments/master/entries?sys.id=${encodeURIComponent(fullSessionId)}&locale=en-US`;
+  try {
+    const r = await fetch(url, {
+      headers: {
+        Authorization: "Bearer UNY_7-kVS3UkYxAMEIpyO2g7Lh-8e7645oGt2ksDhE8",
+        Accept: "application/json",
+      },
+    });
+    if (!r.ok) return undefined;
+    const j = await r.json() as { items?: Array<{ fields?: { screenName?: string } }> };
+    return j.items?.[0]?.fields?.screenName;
+  } catch {
+    return undefined;
+  }
+}
+// Full Unlimited booking pipeline up to a validated, zero-cost order.
+// Caller is expected to call commitOrder() to actually finalize, or cancel().
+export async function reserveUnlimited(env: Env, args: {
+  cinemaSlug: string;
+  sessionId: string; // full Yorck session id, e.g. "1009-5995"
+  rowLabel: string; // e.g. "16"
+  seatId: string; // e.g. "17"
+}): Promise<{
+  order: OrderState;
+  approved: boolean;
+  ticketTypeCode?: string;
+  expiresAt: string;
+}> {
+  if (!env.YORCK_UNLIMITED_CARD) throw new Error("YORCK_UNLIMITED_CARD secret not set");
+  if (!env.YORCK_EMAIL) throw new Error("YORCK_EMAIL secret not set");
+  const cinema = await getCinemaBySlug(env, args.cinemaSlug);
+  if (!cinema) throw new Error(`unknown cinema slug: ${args.cinemaSlug}`);
+  const [cidPart, sessionNum] = args.sessionId.split("-");
+  if (cidPart !== cinema.vistaId) {
+    throw new Error(`cinema slug ${args.cinemaSlug} (vista ${cinema.vistaId}) != session prefix ${cidPart}`);
+  }
+  // Resolve seat coordinates.
+  const plan = await getSeatPlan(env, cinema.vistaId, sessionNum);
+  const seat = findSeatByRowAndId(plan, args.rowLabel, args.seatId);
+  if (!seat) throw new Error(`seat Row ${args.rowLabel} Seat ${args.seatId} not found`);
+  if (seat.Status !== 0) throw new Error(`seat is not available (status ${seat.Status})`);
+  const orderInit = await createOrder(env, cinema.vistaId);
+  const usid = orderInit.userSessionId;
+  try {
+    const heldOrder = await holdSeat(env, {
+      userSessionId: usid,
+      sessionNum,
+      seat: {
+        areaNumber: seat.Position.AreaNumber,
+        rowIndex: seat.Position.RowIndex,
+        columnIndex: seat.Position.ColumnIndex,
+      },
+    });
+    const me = await whoAmI(env);
+    if (me.memberId) {
+      await validateMember(env, { userSessionId: usid, memberId: me.memberId });
+    }
+    const unlimited = await getUnlimitedTicket(env, cinema.vistaId, sessionNum, usid);
+    const v = await validateUnlimitedMember(env, {
+      userSessionId: usid,
+      cinemaVistaId: cinema.vistaId,
+      sessionId: parseInt(sessionNum, 10),
+      ticketTypeCode: unlimited.TicketTypeCode,
+      unlimitedCard: env.YORCK_UNLIMITED_CARD,
+    });
+    const heldSeat = heldOrder.sessions[0]?.tickets[0]?.seats[0];
+    const ticketSeat: OrderSeat = {
+      ...(heldSeat ?? {}),
+      areaNumber: heldSeat?.areaNumber ?? seat.Position.AreaNumber,
+      rowIndex: heldSeat?.rowIndex ?? seat.Position.RowIndex,
+      columnIndex: heldSeat?.columnIndex ?? seat.Position.ColumnIndex,
+    };
+    const orderWithTicket = await setUnlimitedTicket(env, {
+      userSessionId: usid,
+      sessionNum,
+      ticketTypeCode: unlimited.TicketTypeCode,
+      unlimitedCard: env.YORCK_UNLIMITED_CARD,
+      seat: ticketSeat,
+    });
+    const name = splitName(me.name);
+    await setCustomerDetails(env, {
+      userSessionId: usid,
+      firstName: name.firstName,
+      lastName: name.lastName,
+      email: me.email || env.YORCK_EMAIL!,
+    });
+    const order = await getOrder(env, usid).catch(() => orderWithTicket);
+    return {
+      order,
+      approved: v.approved,
+      ticketTypeCode: v.ticketTypeCode ?? unlimited.TicketTypeCode,
+      expiresAt: order.expiryDateUtc,
+    };
+  } catch (e) {
+    // Best-effort cancel on failure.
+    await cancelOrder(env, usid).catch(() => {});
+    throw e;
+  }
+}
+// Finalize the validated Unlimited order. The React app uses the payment
+// confirm-order wrapper even for €0 Unlimited orders, so mirror that path.
+export async function commitOrder(env: Env, userSessionId: string): Promise<unknown> {
+  const me = await whoAmI(env);
+  const name = splitName(me.name);
+  await setCustomerDetails(env, {
+    userSessionId,
+    firstName: name.firstName,
+    lastName: name.lastName,
+    email: me.email || env.YORCK_EMAIL || "",
+  });
+  const order = await getOrder(env, userSessionId).catch(() => undefined);
+  const session = order?.sessions?.[0];
+  const fullSessionId = order?.cinemaId && session?.id ? `${order.cinemaId}-${session.id}` : undefined;
+  const screen = session?.screen ?? (fullSessionId ? await getSessionScreen(env, fullSessionId) : undefined) ?? "1";
+  return withFreshAuthRetry(env, async (auth) => {
+    const r = await fetch(apiBase(env) + "/payment/confirm-order", {
+      method: "POST",
+      headers: { ...BASE_HEADERS, ...auth },
+      body: JSON.stringify({
+        userSessionId,
+        screen,
+        locale: "en",
+        name: name.fullName,
+        email: me.email || env.YORCK_EMAIL || "",
+        ics: "",
+      }),
+    });
+    const txt = await r.text();
+    if (!r.ok) throw new Error(`confirm-order ${r.status}: ${txt}`);
+    try { return JSON.parse(txt); } catch { return { raw: txt }; }
+  });
+}