chore: add git hooks, ESLint/Prettier, and commitlint

.changeset/hip-bags-end.md

@@ -0,0 +1,2 @@
+---
+---

.eslintignore

@@ -0,0 +1,6 @@
+dist/
+coverage/
+node_modules/
+packages/**/dist/
+packages/**/coverage/
+

.eslintrc.cjs

@@ -0,0 +1,29 @@
+/** @type {import("eslint").Linter.Config} */
+module.exports = {
+  root: true,
+  parser: "@typescript-eslint/parser",
+  parserOptions: {
+    project: ["./packages/api/tsconfig.build.json"],
+    tsconfigRootDir: __dirname,
+    sourceType: "module",
+  },
+  env: {
+    node: true,
+    es2022: true,
+  },
+  plugins: ["@typescript-eslint"],
+  extends: [
+    "eslint:recommended",
+    "plugin:@typescript-eslint/recommended",
+    "plugin:@typescript-eslint/recommended-requiring-type-checking",
+    "prettier",
+  ],
+  ignorePatterns: [
+    "dist/",
+    "coverage/",
+    "node_modules/",
+    "packages/**/dist/",
+    "packages/**/coverage/",
+  ],
+};
+

.github/workflows/ci.yml

@@ -7,7 +7,33 @@
     branches: [main, develop]
 
 jobs:
+  commitlint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          run_install: false
+
+      - name: Setup Node.js 18.x
+        uses: actions/setup-node@v4
+        with:
+          node-version: 18.x
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Lint commit history with commitlint
+        run: pnpm commitlint --from origin/main --to HEAD
+
   build-and-test:
     runs-on: ubuntu-latest
 
     strategy:
@@ -34,6 +60,9 @@
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
+      - name: Type-check (tsc --noEmit)
+        run: pnpm typecheck
+
       - name: Calculate next versions from changesets
         run: pnpm changeset:status
 

.husky/commit-msg

@@ -0,0 +1,2 @@
+pnpm commitlint --edit "$1"
+

.husky/pre-commit

@@ -0,0 +1,2 @@
+pnpm lint-staged
+

.prettierignore

@@ -0,0 +1,6 @@
+dist/
+coverage/
+node_modules/
+packages/**/dist/
+packages/**/coverage/
+

README.md

@@ -21,10 +21,10 @@ CLIENT_SECRET=your-client-secret
 
 Install `dotenv` to load these automatically: `pnpm add dotenv`, then add `import 'dotenv/config'` at the top of your entry file.
 
-| Variable | Required | Description |
-|---|---|---|
-| `CLIENT_ID` | Yes | Your merchant client ID |
-| `CLIENT_SECRET` | Yes | Your merchant client secret |
+| Variable        | Required | Description                 |
+| --------------- | -------- | --------------------------- |
+| `CLIENT_ID`     | Yes      | Your merchant client ID     |
+| `CLIENT_SECRET` | Yes      | Your merchant client secret |
 
 > Use different credentials for sandbox and production. Never commit `.env` files or log secrets.
 
@@ -75,18 +75,18 @@ if (result.ok) {
 
 The SDK ships 10 service modules. Import the factory function for each service you need.
 
-| Service | Factory | What it does |
-|---|---|---|
-| [Customers](https://www.oaknetwork.org/docs/sdk/api-sdk/customers) | `createCustomerService(client)` | Create, get, list, update, sync, and check balances |
-| [Payments](https://www.oaknetwork.org/docs/sdk/api-sdk/payments) | `createPaymentService(client)` | Create, confirm, cancel payments |
-| [Payment Methods](https://www.oaknetwork.org/docs/sdk/api-sdk/payment-methods) | `createPaymentMethodService(client)` | Add, list, get, delete payment methods |
-| [Webhooks](https://www.oaknetwork.org/docs/sdk/api-sdk/webhooks) | `createWebhookService(client)` | Register, manage, and monitor webhooks |
-| [Transactions](https://www.oaknetwork.org/docs/sdk/api-sdk/transactions) | `createTransactionService(client)` | List, get, and settle transactions |
-| [Transfers](https://www.oaknetwork.org/docs/sdk/api-sdk/transfers) | `createTransferService(client)` | Create provider transfers (Stripe, PagarMe, BRLA) |
-| [Plans](https://www.oaknetwork.org/docs/sdk/api-sdk/plans) | `createPlanService(client)` | CRUD subscription plans |
-| [Refunds](https://www.oaknetwork.org/docs/sdk/api-sdk/refunds) | `createRefundService(client)` | Refund a payment (full or partial) |
-| [Buy](https://www.oaknetwork.org/docs/sdk/api-sdk/buy-and-sell) | `createBuyService(client)` | Crypto on-ramp via Bridge |
-| [Sell](https://www.oaknetwork.org/docs/sdk/api-sdk/buy-and-sell) | `createSellService(client)` | Crypto off-ramp via Avenia |
+| Service                                                                        | Factory                              | What it does                                        |
+| ------------------------------------------------------------------------------ | ------------------------------------ | --------------------------------------------------- |
+| [Customers](https://www.oaknetwork.org/docs/sdk/api-sdk/customers)             | `createCustomerService(client)`      | Create, get, list, update, sync, and check balances |
+| [Payments](https://www.oaknetwork.org/docs/sdk/api-sdk/payments)               | `createPaymentService(client)`       | Create, confirm, cancel payments                    |
+| [Payment Methods](https://www.oaknetwork.org/docs/sdk/api-sdk/payment-methods) | `createPaymentMethodService(client)` | Add, list, get, delete payment methods              |
+| [Webhooks](https://www.oaknetwork.org/docs/sdk/api-sdk/webhooks)               | `createWebhookService(client)`       | Register, manage, and monitor webhooks              |
+| [Transactions](https://www.oaknetwork.org/docs/sdk/api-sdk/transactions)       | `createTransactionService(client)`   | List, get, and settle transactions                  |
+| [Transfers](https://www.oaknetwork.org/docs/sdk/api-sdk/transfers)             | `createTransferService(client)`      | Create provider transfers (Stripe, PagarMe, BRLA)   |
+| [Plans](https://www.oaknetwork.org/docs/sdk/api-sdk/plans)                     | `createPlanService(client)`          | CRUD subscription plans                             |
+| [Refunds](https://www.oaknetwork.org/docs/sdk/api-sdk/refunds)                 | `createRefundService(client)`        | Refund a payment (full or partial)                  |
+| [Buy](https://www.oaknetwork.org/docs/sdk/api-sdk/buy-and-sell)                | `createBuyService(client)`           | Crypto on-ramp via Bridge                           |
+| [Sell](https://www.oaknetwork.org/docs/sdk/api-sdk/buy-and-sell)               | `createSellService(client)`          | Crypto off-ramp via Avenia                          |
 
 ---
 
@@ -346,7 +346,10 @@ app.post('/webhooks/oak', express.raw({ type: 'application/json' }), (req, res)
 Every method returns `Result<T, OakError>` — no uncaught exceptions. Check `result.ok` to branch on success or failure.
 
 ```typescript
-const result = await customers.create({ email: 'user@example.com', first_name: 'John' });
+const result = await customers.create({
+  email: 'user@example.com',
+  first_name: 'John',
+});
 
 if (result.ok) {
   const customer = result.value.data;
@@ -358,12 +361,12 @@ if (result.ok) {
 }
 ```
 
-| Error type | Description |
-|---|---|
-| `ApiError` | HTTP errors from the API (4xx, 5xx) |
-| `NetworkError` | Network failures, timeouts |
-| `ParseError` | Invalid JSON responses |
-| `AbortError` | Request aborted |
+| Error type                  | Description                              |
+| --------------------------- | ---------------------------------------- |
+| `ApiError`                  | HTTP errors from the API (4xx, 5xx)      |
+| `NetworkError`              | Network failures, timeouts               |
+| `ParseError`                | Invalid JSON responses                   |
+| `AbortError`                | Request aborted                          |
 | `EnvironmentViolationError` | Sandbox-only method called in production |
 
 > Full error handling guide — [oaknetwork.org/docs/sdk/api-sdk/error-handling](https://www.oaknetwork.org/docs/sdk/api-sdk/error-handling)
@@ -374,10 +377,10 @@ if (result.ok) {
 
 ### Environments
 
-| Environment | API Base URL | Description |
-|---|---|---|
-| `sandbox` | `https://api-stage.usecrowdpay.xyz` | Testing — all operations allowed |
-| `production` | `https://app.usecrowdpay.xyz` | Live — test operations blocked |
+| Environment  | API Base URL                        | Description                      |
+| ------------ | ----------------------------------- | -------------------------------- |
+| `sandbox`    | `https://api-stage.usecrowdpay.xyz` | Testing — all operations allowed |
+| `production` | `https://app.usecrowdpay.xyz`       | Live — test operations blocked   |
 
 ```typescript
 const client = createOakClient({
@@ -430,9 +433,10 @@ This project uses **pnpm** exclusively:
 
 ```bash
 pnpm install          # Install dependencies
-pnpm build            # Build all packages
-pnpm test             # Run tests
-pnpm lint             # Lint code
+pnpm build           # Build all packages
+pnpm test            # Run tests
+pnpm lint            # Lint code
+pnpm typecheck       # Run TypeScript type-checking in all workspaces
 ```
 
 **Do not** use npm or yarn. The repository enforces pnpm >= 10.0.0.
@@ -450,10 +454,67 @@ pnpm test:watch         # Watch mode
 
 We use Changesets to manage versions and changelogs:
 
-1. After making changes, run `pnpm changeset`
-2. Select impact (Major / Minor / Patch) for affected packages
-3. Commit the generated file in `.changeset/`
-4. CI automatically calculates versions, generates changelogs, and creates a release PR
+1. **After making changes**, run:
+
+   ```bash
+   pnpm changeset
+   ```
+
+2. **Select impact** (Major/Minor/Patch) for affected packages
+
+3. **Commit** the generated file in `.changeset/`
+
+4. **CI automatically**:
+   - Calculates next versions
+   - Generates changelogs
+   - Creates release PR
+
+### Git hooks & conventional commits
+
+This repository uses Git hooks (via `husky`) and conventional commits (via `commitlint`) to keep history clean and enforce quality checks.
+
+- **Pre-commit hook**:
+  - Runs `lint-staged` on staged files.
+  - For TypeScript/JavaScript files, runs ESLint with `--fix` and then Prettier with `--write` on the staged files only.
+  - Does **not** run `tsc --noEmit` locally, keeping commits fast while still auto-fixing issues.
+
+- **Commit message hook**:
+  - Uses `commitlint` with `@commitlint/config-conventional` to enforce [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/).
+  - Example messages:
+    - `feat(api): add refunds service`
+    - `fix(ci): correct codecov token handling`
+    - `chore(release): prepare v0.2.0`
+
+CI also runs:
+
+- `commitlint` against the branch history to ensure all commits in a PR follow the convention, even if local hooks are bypassed.
+- `pnpm typecheck` (TypeScript `tsc --noEmit` in workspaces) and `pnpm lint` (ESLint-based linting) as part of the main CI workflow.
+
+### Running Tests
+
+```bash
+# Unit tests
+pnpm test:unit
+
+# Integration tests (requires credentials)
+pnpm test:integration
+
+# All tests with coverage
+pnpm test:all
+
+# Watch mode
+pnpm test:watch
+```
+
+### Environment Variables for Testing
+
+Create `.env` file in `packages/api`:
+
+```env
+CLIENT_ID=your_sandbox_client_id
+CLIENT_SECRET=your_sandbox_client_secret
+OAK_ENVIRONMENT=sandbox
+```
 
 ### Code coverage
 
@@ -479,6 +540,7 @@ See [CLAUDE.md](./CLAUDE.md) for coding standards including architecture princip
 - **Quickstart** — [oaknetwork.org/docs/sdk/api-sdk/quickstart](https://www.oaknetwork.org/docs/sdk/api-sdk/quickstart)
 - **API package README** — [packages/api/README.md](./packages/api/README.md)
 - **Changelog** — [CHANGELOG.md](./CHANGELOG.md)
+
 ---
 
 ## License

SECURITY.md

@@ -4,9 +4,9 @@
 
 We actively maintain and provide security updates for the following versions of `@oaknetwork/api`:
 
-| Version | Supported          |
-| ------- | ------------------ |
-| 1.x     | ✅ Active support  |
+| Version | Supported         |
+| ------- | ----------------- |
+| 1.x     | ✅ Active support |
 
 ## Reporting a Vulnerability
 
@@ -30,12 +30,12 @@ When reporting, please include as much detail as possible:
 
 ### What to Expect
 
-| Timeline | Action |
-| -------- | ------ |
-| **Within 48 hours** | Acknowledgment of your report |
-| **Within 7 days** | Initial severity assessment and triage |
-| **Within 30 days** | A patch or mitigation plan for confirmed vulnerabilities |
-| **Within 90 days** | Public disclosure (coordinated with reporter) |
+| Timeline            | Action                                                   |
+| ------------------- | -------------------------------------------------------- |
+| **Within 48 hours** | Acknowledgment of your report                            |
+| **Within 7 days**   | Initial severity assessment and triage                   |
+| **Within 30 days**  | A patch or mitigation plan for confirmed vulnerabilities |
+| **Within 90 days**  | Public disclosure (coordinated with reporter)            |
 
 We follow **coordinated vulnerability disclosure (CVD)** principles. We will keep you informed throughout the process and aim to resolve confirmed vulnerabilities within 30 days. For complex issues, we may request an extension and will communicate transparently about the timeline.
 

commitlint.config.cjs

@@ -0,0 +1,4 @@
+module.exports = {
+  extends: ["@commitlint/config-conventional"],
+};
+

eslint.config.cjs

@@ -0,0 +1,70 @@
+// Flat ESLint config for ESLint v9+
+const eslintJs = require("@eslint/js");
+const tseslint = require("@typescript-eslint/eslint-plugin");
+const tsParser = require("@typescript-eslint/parser");
+const eslintConfigPrettier = require("eslint-config-prettier");
+const globals = require("globals");
+
+/** @type {import("eslint").Linter.FlatConfig[]} */
+module.exports = [
+  {
+    ignores: [
+      "dist/**",
+      "coverage/**",
+      "node_modules/**",
+      "packages/**/dist/**",
+      "packages/**/coverage/**",
+    ],
+  },
+  {
+    files: ["packages/api/src/**/*.{ts,tsx}"],
+    languageOptions: {
+      parser: tsParser,
+      parserOptions: {
+        tsconfigRootDir: __dirname,
+        sourceType: "module",
+      },
+      ecmaVersion: 2022,
+      sourceType: "module",
+      globals: {
+        ...globals.node,
+        RequestInit: "readonly",
+        Response: "readonly",
+      },
+    },
+    plugins: {
+      "@typescript-eslint": tseslint,
+    },
+    rules: {
+      ...eslintJs.configs.recommended.rules,
+      ...tseslint.configs.recommended.rules,
+      ...eslintConfigPrettier.rules,
+      "@typescript-eslint/no-namespace": "off",
+    },
+  },
+  {
+    files: ["packages/api/__tests__/**/*.{ts,tsx}"],
+    languageOptions: {
+      parser: tsParser,
+      parserOptions: {
+        tsconfigRootDir: __dirname,
+        sourceType: "module",
+      },
+      ecmaVersion: 2022,
+      sourceType: "module",
+      globals: {
+        ...globals.node,
+        ...globals.jest,
+      },
+    },
+    plugins: {
+      "@typescript-eslint": tseslint,
+    },
+    rules: {
+      ...eslintJs.configs.recommended.rules,
+      ...tseslint.configs.recommended.rules,
+      ...eslintConfigPrettier.rules,
+    },
+  },
+];
+