feat(sdk): conform pending-approval envelope to core wire contract (B1 slice 1) (#105)

Issue #118 — type the sdk's cross-boundary read of the pending-approval envelope
and pin it to paybot-core's wire contract, per
docs/architecture/adr-wire-contract-b1.md (B1 slice 1).

The sdk does NOT import core (core is BUSL-1.1/private, sdk is MIT/public — a
hard license boundary; the repos also run on independent cadences). Instead:
- Add src/wire-contract.ts: a hand-declared `PendingEnvelopeWire` mirror of
  core's `PendingEnvelope`, plus `PENDING_ENVELOPE_WIRE_FIELDS` — a runtime field
  descriptor pinned to the type via `satisfies` (the compile-time lock).
- Type `mapPendingEnvelope(envelope: Readonly<Partial<PendingEnvelopeWire>>)` and
  narrow `verifyData` at the pending branch in `pay()` (client.ts) — replacing the
  untyped `Record<string,unknown>` reads. Stays defensive (never-throws preserved).
- Export the wire types from src/index.ts.

Contract-conformance spine (tests/contract/pending-envelope.conformance.test.ts,
5 tests): vendors core's JSON-Schema snapshot at tests/fixtures/wire-contract.json
and asserts `PendingEnvelopeWire` is structurally equal to it — exact field set,
matching primitive types, and core's `.strict()` (`additionalProperties:false`)
honored. A core field rename + re-vendored snapshot fails this test in CI; that
failure IS the regression shield for #118 (drift caught at build, not in prod).

Follow-up slices (per ADR, NOT in this slice): VerifyResponse, SettleResponse,
the /approvals/{id} poll response, RefundResponse; a CI `test:contract` job.

Gates: tsc clean, eslint src 0 errors, full suite green (544 pass, 0 skipped),
client.ts coverage 95% stmts. wire-contract.ts is type+const only (no
instrumentable lines), mirroring the repo's existing src/types.ts exclusion.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

Author: RBKunnela

src/client.ts

@@ -26,6 +26,7 @@ import {
 import { generateEIP3009Nonce } from './crypto.js';
 import { EIP3009_TYPES, getToken, getEip712Domain, resolveTokenAddress } from './networks.js';
 import { withSpan, type TelemetryConfig } from './telemetry.js';
+import type { PendingEnvelopeWire } from './wire-contract.js';
 import { privateKeyToAccount } from 'viem/accounts';
 
 /** Default maximum number of cached idempotent results per client instance. */
@@ -436,7 +437,14 @@ export class PayBotClient {
           if (verifyData.status === 'pending_approval') {
             paySpan?.setAttribute('success', false);
             paySpan?.setAttribute('status', 'pending_approval');
-            return mapPendingEnvelope(verifyData, request.amount);
+            // Boundary narrow: the wire is untyped JSON (`Record<string,unknown>`);
+            // here we conform it to the typed contract (issue #118, B1 slice 1).
+            // `mapPendingEnvelope` stays defensive about missing/odd fields, so a
+            // single contract type guards every downstream read.
+            return mapPendingEnvelope(
+              verifyData as Readonly<Partial<PendingEnvelopeWire>>,
+              request.amount
+            );
           }
 
           const settlementToken = verifyData.settlementToken as string | undefined;
@@ -1168,14 +1176,21 @@ export function amountToBaseUnitsUsd(amountUsd: unknown): string {
  * fields are populated per the existing pattern: gross/net = the requested amount
  * (in base units), commission `'0'`/`0`.
  *
- * @param envelope - The parsed `/verify` pending envelope
- *   (`{ status, approval_id, poll_url, expires_at, amount_usd, reason, … }`).
+ * The `envelope` parameter is typed against {@link PendingEnvelopeWire} — the
+ * sdk's hand-declared mirror of core's `pendingEnvelopeSchema` (issue #118, B1).
+ * A core-side field rename now breaks this read at compile time, and the
+ * contract-conformance test pins {@link PendingEnvelopeWire} to core's vendored
+ * snapshot. `Partial` is intentional: the wire is untyped JSON at runtime, so the
+ * function stays defensive (a non-conforming server degrades gracefully rather
+ * than throwing) while the field NAMES and TYPES remain contract-checked.
+ *
+ * @param envelope - The parsed `/verify` pending envelope (see {@link PendingEnvelopeWire}).
  * @param requestedAmount - The human-readable USD amount the bot requested,
  *   used as a fallback for gross/net when the envelope omits `amount_usd`.
  * @returns A pending `PaymentResult`.
  */
 export function mapPendingEnvelope(
-  envelope: Record<string, unknown>,
+  envelope: Readonly<Partial<PendingEnvelopeWire>>,
   requestedAmount: string
 ): PaymentResult {
   // Prefer the server's amount_usd (authoritative); fall back to the request.
@@ -1191,9 +1206,9 @@ export function mapPendingEnvelope(
     commissionAmount: '0',
     commissionRate: 0,
     status: 'pending_approval',
-    approvalId: envelope.approval_id as string | undefined,
-    pollUrl: envelope.poll_url as string | undefined,
-    expiresAt: envelope.expires_at as string | undefined,
+    approvalId: envelope.approval_id,
+    pollUrl: envelope.poll_url,
+    expiresAt: envelope.expires_at,
     ...(typeof envelope.reason === 'string' ? { error: envelope.reason } : {}),
   };
 }

src/index.ts

@@ -140,3 +140,8 @@ export type {
   VerifyWebhookSignatureOptions,
   SignWebhookPayloadOptions,
 } from './webhook.js';
+// Wire contract (issue #118, B1 slice 1) — the sdk's typed mirror of core's
+// pending-approval response shape, pinned to core's vendored snapshot by
+// `tests/contract/pending-envelope.conformance.test.ts`.
+export type { PendingEnvelopeWire, WireFieldType } from './wire-contract.js';
+export { PENDING_ENVELOPE_WIRE_FIELDS } from './wire-contract.js';

src/wire-contract.ts

@@ -0,0 +1,74 @@
+/**
+ * @module wire-contract
+ *
+ * The sdk's hand-declared mirror of paybot-core's cross-boundary **response**
+ * shapes (issue #118, B1 slice 1). The sdk CANNOT import core's zod schemas:
+ * core is `BUSL-1.1` + `private`, the sdk is `MIT` + public — a hard license
+ * boundary, and the two repos run on independent cadences. Instead, core emits a
+ * JSON-Schema snapshot (`dist/wire-contract.json`) from its exported schemas; the
+ * sdk vendors that snapshot at `tests/fixtures/wire-contract.json` and a
+ * contract-conformance test (`tests/contract/pending-envelope.conformance.test.ts`)
+ * fails CI when this hand-declared shape and core's snapshot diverge.
+ *
+ * See `paybot-core/docs/architecture/adr-wire-contract-b1.md`.
+ *
+ * Slice 1: the pending-approval envelope only. Later slices add `VerifyResponse`,
+ * `SettleResponse`, the `/approvals/{id}` poll response, etc.
+ *
+ * Dependencies: none (pure types + a runtime field descriptor).
+ * Used by: `client.ts` (`mapPendingEnvelope` input type), and the conformance test.
+ */
+
+/**
+ * The pending-approval wire envelope the sdk reads from `/verify` when a payment
+ * pauses for human approval (core contract §2a). This MUST stay structurally
+ * equal to core's exported `PendingEnvelope` (`pendingEnvelopeSchema`). The
+ * conformance test enforces that equality against core's vendored snapshot.
+ */
+export interface PendingEnvelopeWire {
+  /** Discriminator the sdk keys off (not the HTTP code). */
+  status: 'pending_approval';
+  /** The server-issued approval handle (e.g. `ap_…`). */
+  approval_id: string;
+  /** Relative poll path for this approval (e.g. `/approvals/ap_…`). */
+  poll_url: string;
+  /** ISO-8601 expiry; past expiry the approval is treated as denied. */
+  expires_at: string;
+  /** The authoritative USD amount the server placed in the approval band. */
+  amount_usd: number;
+  /** Human-readable band reason. */
+  reason: string;
+  /** Audit sequence id for the `APPROVAL_REQUESTED` event. */
+  audit_seq_id: number;
+  /** Audit event hash for the `APPROVAL_REQUESTED` event. */
+  audit_hash: string;
+}
+
+/**
+ * JSON-primitive type tags, matching the `type` field a zod → JSON-Schema dump
+ * emits for each property. Used by the conformance test to compare this sdk
+ * mirror against core's vendored snapshot field-by-field.
+ */
+export type WireFieldType = 'string' | 'number' | 'boolean';
+
+/**
+ * Runtime descriptor of {@link PendingEnvelopeWire}: every wire field mapped to
+ * its JSON primitive type. This is the bridge between the compile-time type and
+ * the runtime conformance check — TypeScript types are erased at runtime, so the
+ * test compares THIS descriptor to core's JSON-Schema snapshot.
+ *
+ * The `satisfies Record<keyof PendingEnvelopeWire, WireFieldType>` below pins the
+ * descriptor to the type: add/rename/remove a field in `PendingEnvelopeWire` and
+ * this object fails `tsc` until it is updated in lock-step — which in turn makes
+ * the conformance test re-check against core's snapshot.
+ */
+export const PENDING_ENVELOPE_WIRE_FIELDS = {
+  status: 'string',
+  approval_id: 'string',
+  poll_url: 'string',
+  expires_at: 'string',
+  amount_usd: 'number',
+  reason: 'string',
+  audit_seq_id: 'number',
+  audit_hash: 'string',
+} as const satisfies Record<keyof PendingEnvelopeWire, WireFieldType>;

tests/contract/pending-envelope.conformance.test.ts

@@ -0,0 +1,124 @@
+/**
+ * @module tests/contract/pending-envelope.conformance
+ *
+ * THE CONTRACT-CONFORMANCE SPINE (issue #118, B1 slice 1 — sdk side).
+ *
+ * This is the cross-repo, cross-license bridge. The sdk cannot import core's zod
+ * schema (core is BUSL-1.1/private, the sdk is MIT/public). Instead:
+ *
+ *   1. core emits `dist/wire-contract.json` (a JSON-Schema dump of its exported
+ *      `pendingEnvelopeSchema`) via `npm run build:contract`.
+ *   2. the sdk VENDORS a copy at `tests/fixtures/wire-contract.json`.
+ *   3. THIS test asserts the sdk's hand-declared `PendingEnvelopeWire`
+ *      (via its runtime descriptor `PENDING_ENVELOPE_WIRE_FIELDS`) is structurally
+ *      equal to core's snapshot definition — same field set, same primitive types,
+ *      and core's `.strict()` (`additionalProperties:false`) is honored.
+ *
+ * When core renames/adds/removes a pending-envelope field, regenerating the
+ * snapshot and re-vendoring it makes this test FAIL until the sdk mirror is
+ * updated in lock-step. That CI failure IS the regression shield for #118 — drift
+ * is caught at build time, never in production.
+ *
+ * To refresh the snapshot after an intentional core change:
+ *   (in paybot-core)  npm run build && npm run build:contract
+ *   then copy core's dist/wire-contract.json → this repo's tests/fixtures/.
+ *
+ * Test naming convention: `[CONTRACT] subject — should [behavior] when [condition]`.
+ */
+
+import { describe, it, expect } from 'vitest';
+import wireContract from '../fixtures/wire-contract.json';
+import {
+  PENDING_ENVELOPE_WIRE_FIELDS,
+  type PendingEnvelopeWire,
+  type WireFieldType,
+} from '../../src/wire-contract.js';
+
+/** The shape of one JSON-Schema property entry we care about. */
+interface JsonSchemaProperty {
+  type?: string;
+  const?: unknown;
+}
+
+/** The shape of one contract definition in the vendored snapshot. */
+interface JsonSchemaDefinition {
+  type: string;
+  properties: Record<string, JsonSchemaProperty>;
+  required: string[];
+  additionalProperties: boolean;
+}
+
+const CONTRACT_NAME = 'PendingEnvelope';
+
+function getDefinition(name: string): JsonSchemaDefinition {
+  const defs = (wireContract as { definitions: Record<string, JsonSchemaDefinition> }).definitions;
+  const def = defs[name];
+  if (def === undefined) {
+    throw new Error(
+      `Vendored snapshot has no "${name}" definition. Re-run core \`build:contract\` and re-vendor tests/fixtures/wire-contract.json.`
+    );
+  }
+  return def;
+}
+
+/**
+ * Map a JSON-Schema property to the sdk's primitive type tag, so the two sides
+ * are comparable. A `const` literal (e.g. core's `z.literal('pending_approval')`)
+ * still carries `type:'string'` in the dump, so this stays simple.
+ */
+function jsonSchemaTypeToWireType(prop: JsonSchemaProperty): WireFieldType {
+  switch (prop.type) {
+    case 'string':
+      return 'string';
+    case 'number':
+    case 'integer':
+      return 'number';
+    case 'boolean':
+      return 'boolean';
+    default:
+      throw new Error(`Unhandled JSON-Schema type "${String(prop.type)}" in snapshot.`);
+  }
+}
+
+describe('pending-envelope wire conformance (sdk ⊇⊆ core snapshot)', () => {
+  const def = getDefinition(CONTRACT_NAME);
+  const snapshotFields = Object.keys(def.properties).sort();
+  const sdkFields = Object.keys(PENDING_ENVELOPE_WIRE_FIELDS).sort();
+
+  it('[CONTRACT] PendingEnvelopeWire — should declare EXACTLY core’s field set (happy)', () => {
+    // Bidirectional: no field the sdk forgot, no field the sdk invented.
+    expect(sdkFields).toEqual(snapshotFields);
+  });
+
+  it('[CONTRACT] PendingEnvelopeWire — should match core’s primitive type for every field (happy)', () => {
+    for (const field of snapshotFields) {
+      const expected = jsonSchemaTypeToWireType(def.properties[field]);
+      const actual = PENDING_ENVELOPE_WIRE_FIELDS[field as keyof typeof PENDING_ENVELOPE_WIRE_FIELDS];
+      expect(actual, `field "${field}" type mismatch`).toBe(expected);
+    }
+  });
+
+  it('[CONTRACT] snapshot — should mark every field required AND forbid extras (.strict) (edge)', () => {
+    // core uses `.strict()`; the dump must carry that through so drift fails closed.
+    expect(def.additionalProperties).toBe(false);
+    expect([...def.required].sort()).toEqual(snapshotFields);
+  });
+
+  it('[CONTRACT] snapshot — should be a versioned paybot-core artifact (edge)', () => {
+    // Guard against vendoring an unrelated/garbage JSON by accident.
+    const meta = wireContract as { $contract?: string; version?: number; issue?: number };
+    expect(meta.$contract).toBe('paybot-core wire contract');
+    expect(typeof meta.version).toBe('number');
+    expect(meta.issue).toBe(118);
+  });
+
+  it('[CONTRACT] PendingEnvelopeWire — should keep status as the pending discriminator (happy)', () => {
+    // The one field the sdk semantically depends on at the `pay()` branch.
+    const statusProp = def.properties.status;
+    expect(statusProp.type).toBe('string');
+    expect(statusProp.const).toBe('pending_approval');
+    // Compile-time anchor: a literal value still typed against the wire interface.
+    const probe: Pick<PendingEnvelopeWire, 'status'> = { status: 'pending_approval' };
+    expect(probe.status).toBe('pending_approval');
+  });
+});

tests/fixtures/wire-contract.json

@@ -0,0 +1,50 @@
+{
+  "$contract": "paybot-core wire contract",
+  "version": 1,
+  "issue": 118,
+  "generatedFrom": "paybot-core dist/index.js",
+  "definitions": {
+    "PendingEnvelope": {
+      "$schema": "https://json-schema.org/draft/2020-12/schema",
+      "type": "object",
+      "properties": {
+        "status": {
+          "type": "string",
+          "const": "pending_approval"
+        },
+        "approval_id": {
+          "type": "string"
+        },
+        "poll_url": {
+          "type": "string"
+        },
+        "expires_at": {
+          "type": "string"
+        },
+        "amount_usd": {
+          "type": "number"
+        },
+        "reason": {
+          "type": "string"
+        },
+        "audit_seq_id": {
+          "type": "number"
+        },
+        "audit_hash": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "status",
+        "approval_id",
+        "poll_url",
+        "expires_at",
+        "amount_usd",
+        "reason",
+        "audit_seq_id",
+        "audit_hash"
+      ],
+      "additionalProperties": false
+    }
+  }
+}