feat(sdk): server.payout helper + WS handler + nodeControl wire-up [2/4] (#718)

* feat(sdk): server.payout helper + WS payout handler + nodeControl wire-up

Wire programmaticPayout into the exported nodeControl router, add the
matching control-WS handler in @moneydevkit/checkout, the server.payout()
helper for trusted server-side callers, the ./server subpath export, and
the @moneydevkit/nextjs server re-export. Update README.

* chore(api-contract): bump to 0.1.26 for nodeControl wire-up

* feat(sdk): retryable errors + required idempotencyKey + Edge-friendly server.ts

Address PR #718 review feedback:

- Make `idempotencyKey` required in both api-contract schema and SDK
  options. Optional + auto-UUID at the dispatch layer was a double-pay
  footgun on retry.
- Add `retryable: boolean | undefined` and `reason: string | undefined`
  fields to `MdkError`. SDK classifies known backend codes into
  retryable / not retryable / unclassified and exposes a short
  machine-readable `reason` for branching.
- Decouple `server.ts` from `./mdk` so importing `@moneydevkit/core/server`
  does not eagerly load `@moneydevkit/lightning-js`. The helper is a thin
  oRPC HTTPS call; it only needs `MDK_ACCESS_TOKEN` and
  `MDK_API_BASE_URL`. Inlining the env reads makes the helper Edge-runtime
  compatible.
- Update README with vibecoder-friendly error handling: retry loop with
  backoff, reason-code branching, common gotchas, error reference table.
- Tests cover validation paths, missing access token, idempotency key
  required, retryable / non-retryable / unclassified error classification,
  raw network errors, and a guard that server.ts does not import the
  lightning-js stack.

* docs(payout): fix wrong API key framing, drop speculative codes, mirror to Mintlify

- README: rewrite app_scoped_api_key_required guidance. The error fires
  when the API key isn't tied to a specific app, not because of any
  "org-level vs app-level" distinction (there's no such concept in the
  dashboard - every API key is per-app).
- README: drop the "acceptance vs settlement" gotcha.
- server.ts: align reason mapping with the actual backend codes:
  PROGRAMMATIC_PAYOUTS_DISABLED (plural) and INVALID_PROGRAMMATIC_PAYOUT_AMOUNT.
  Drop speculative codes the backend doesn't emit
  (PROGRAMMATIC_PAYOUT_NODE_OFFLINE, *_TIMEOUT, *_INSUFFICIENT_FEES).
  All transient failures surface as PROGRAMMATIC_PAYOUT_FAILED today;
  the underlying cause is in error.message.
- docs/nextjs.mdx: mirror the Server-side payouts section so the
  Mintlify site documents the helper alongside the README.

Author: martinsaposnic

packages/api-contract/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@moneydevkit/api-contract",
-  "version": "0.1.25",
+  "version": "0.1.26",
   "description": "API Contract for moneydevkit",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",

packages/api-contract/src/contracts/checkout.ts

@@ -159,7 +159,7 @@ export const ProgrammaticPayoutInputSchema = z.object({
 		.max(4096)
 		// eslint-disable-next-line no-control-regex
 		.refine((value) => !/[\u0000-\u001f\u007f]/.test(value)),
-	idempotencyKey: z.string().min(1).optional(),
+	idempotencyKey: z.string().min(1),
 });
 export type ProgrammaticPayout = z.infer<
 	typeof ProgrammaticPayoutInputSchema

packages/api-contract/src/contracts/node-control.ts

@@ -41,6 +41,7 @@ export const nodeEventsContract = oc
 
 export const nodeControl = {
 	payout: payoutContract,
+	programmaticPayout: programmaticPayoutContract,
 	invoice: {
 		createBolt11: invoiceCreateBolt11Contract,
 		createBolt12Offer: invoiceCreateBolt12OfferContract,

packages/core/package.json

@@ -28,6 +28,11 @@
       "import": "./dist/route.js",
       "default": "./dist/route.js"
     },
+    "./server": {
+      "types": "./dist/server.d.ts",
+      "import": "./dist/server.js",
+      "default": "./dist/server.js"
+    },
     "./mdk402": {
       "types": "./dist/mdk402/index.d.ts",
       "import": "./dist/mdk402/index.js",

packages/core/src/control/handlers.ts

@@ -49,7 +49,36 @@ const payoutImpl = impl.payout.handler(({ input, context }) => {
 	}>((resolve, reject) => {
 		context.queue.push({
 			kind: 'payout',
-			destination: destination as string,
+			destination: destination.trim(),
+			amountMsat: input.amountMsat,
+			resolve,
+			reject,
+		})
+	})
+})
+
+/**
+ * Programmatic payout RPC handler for trusted server-supplied destinations.
+ */
+const programmaticPayoutImpl = impl.programmaticPayout.handler(({ input, context }) => {
+	if (!context.sessionState.nodeReady) {
+		rejectWith('NODE_NOT_READY', 'node has not finished startReceiving yet')
+	}
+	if (context.sessionState.draining) {
+		rejectWith('DRAINING', 'node is in drain window; retry on next session')
+	}
+	const destination = input.destination.trim()
+	if (!destination) {
+		rejectWith('PROGRAMMATIC_PAYOUT_DESTINATION_UNSET', 'payout destination is required')
+	}
+	return new Promise<{
+		accepted: true
+		paymentId: string
+		paymentHash: string | null
+	}>((resolve, reject) => {
+		context.queue.push({
+			kind: 'payout',
+			destination,
 			amountMsat: input.amountMsat,
 			resolve,
 			reject,
@@ -115,6 +144,7 @@ const eventsImpl = impl.events.handler(async function* ({ context }) {
 
 export const nodeControlRouter = impl.router({
 	payout: payoutImpl,
+	programmaticPayout: programmaticPayoutImpl,
 	invoice: {
 		createBolt11: createBolt11Impl,
 		createBolt12Offer: createBolt12OfferImpl,

packages/core/src/server.ts

@@ -0,0 +1,178 @@
+import { ORPCError } from '@orpc/client'
+import { createORPCClient } from '@orpc/client'
+import { RPCLink } from '@orpc/client/fetch'
+import type { ContractRouterClient } from '@orpc/contract'
+import { contract, type ProgrammaticPayoutResult } from '@moneydevkit/api-contract'
+
+import { MAINNET_MDK_BASE_URL } from './mdk-config'
+import { failure, success, type MdkError, type Result } from './types'
+
+/**
+ * Options accepted by the server-only programmatic payout helper.
+ */
+export type ProgrammaticPayoutOptions = {
+  /** Amount to send, in sats. */
+  amountSats: number
+  /** Lightning destination to pay from this server-side request. */
+  destination: string
+  /**
+   * Idempotency key used to deduplicate retries of the same logical payout.
+   * Pass the same value on retry to avoid double-pays. Typically your own
+   * orderId / withdrawalId / requestId. Must be a stable string per logical
+   * payout, not a fresh value generated on each call.
+   */
+  idempotencyKey: string
+}
+
+/**
+ * Errors the SDK classifies as definitely-retryable. The same call with the
+ * same idempotency key can safely be sent again; mdk.com will dedupe.
+ */
+const RETRYABLE_CODES = new Set([
+  'PROGRAMMATIC_PAYOUT_FAILED',
+  'PROGRAMMATIC_PAYOUT_DAILY_LIMIT_EXCEEDED',
+])
+
+/**
+ * Errors the SDK classifies as not retryable without changing inputs or config.
+ */
+const NON_RETRYABLE_CODES = new Set([
+  'PROGRAMMATIC_PAYOUT_APP_KEY_REQUIRED',
+  'PROGRAMMATIC_PAYOUTS_DISABLED',
+  'PROGRAMMATIC_PAYOUT_TOO_LARGE',
+  'INVALID_PROGRAMMATIC_PAYOUT_AMOUNT',
+  'VALIDATION_ERROR',
+  'NOT_FOUND',
+])
+
+/**
+ * Map a backend error code to a short, actionable reason string the caller
+ * can branch on. Returns undefined for unrecognized codes.
+ */
+function reasonForCode(code: string | undefined): string | undefined {
+  if (!code) return undefined
+  switch (code) {
+    case 'PROGRAMMATIC_PAYOUT_DAILY_LIMIT_EXCEEDED':
+      return 'daily_limit_exceeded'
+    case 'PROGRAMMATIC_PAYOUT_TOO_LARGE':
+      return 'amount_too_large'
+    case 'PROGRAMMATIC_PAYOUTS_DISABLED':
+      return 'programmatic_payouts_disabled'
+    case 'PROGRAMMATIC_PAYOUT_APP_KEY_REQUIRED':
+      return 'app_scoped_api_key_required'
+    case 'PROGRAMMATIC_PAYOUT_FAILED':
+      return 'payout_dispatch_failed'
+    case 'INVALID_PROGRAMMATIC_PAYOUT_AMOUNT':
+      return 'amount_invalid'
+    default:
+      return undefined
+  }
+}
+
+function classifyOrpcError(err: ORPCError<string, unknown>): MdkError {
+  const data = err.data as { code?: string } | undefined
+  const code = data?.code
+  const retryable = code
+    ? RETRYABLE_CODES.has(code)
+      ? true
+      : NON_RETRYABLE_CODES.has(code)
+        ? false
+        : undefined
+    : undefined
+  return {
+    code: code ?? err.code ?? 'payout_failed',
+    message: err.message,
+    status: err.status,
+    retryable,
+    reason: reasonForCode(code),
+  }
+}
+
+/**
+ * Trigger a payout from a server function through mdk.com's control plane.
+ *
+ * This helper accepts a destination because it is intended for trusted server
+ * functions. Never expose it through a client-controlled route without your
+ * own authorization and business rules.
+ *
+ * The returned result distinguishes retryable failures (e.g. transient
+ * dispatch failures, daily limit) from terminal ones (e.g. app config, validation).
+ * Use `result.error.retryable` and `result.error.reason` to drive retries.
+ */
+export async function programmaticPayout(
+  options: ProgrammaticPayoutOptions,
+): Promise<Result<ProgrammaticPayoutResult>> {
+  if (typeof window !== 'undefined') {
+    return failure({
+      code: 'server_only',
+      message: 'programmaticPayout() can only be called from a server function.',
+      retryable: false,
+    })
+  }
+
+  if (!Number.isInteger(options.amountSats) || options.amountSats <= 0) {
+    return failure({
+      code: 'invalid_amount',
+      message: 'Enter a positive whole-sat amount before triggering a payout.',
+      retryable: false,
+    })
+  }
+  const destination = options.destination.trim()
+  if (!destination || destination.length > 4096) {
+    return failure({
+      code: 'invalid_destination',
+      message: 'Enter a valid Lightning destination before triggering a payout.',
+      retryable: false,
+    })
+  }
+  if (/[\u0000-\u001f\u007f]/.test(destination)) {
+    return failure({
+      code: 'invalid_destination',
+      message: 'Enter a valid Lightning destination before triggering a payout.',
+      retryable: false,
+    })
+  }
+  if (typeof options.idempotencyKey !== 'string' || options.idempotencyKey.length === 0) {
+    return failure({
+      code: 'invalid_idempotency_key',
+      message:
+        'Pass a stable idempotencyKey (e.g. your orderId) so retries do not double-pay.',
+      retryable: false,
+    })
+  }
+
+  const accessToken = process.env.MDK_ACCESS_TOKEN
+  if (!accessToken) {
+    return failure({
+      code: 'missing_access_token',
+      message: 'Set MDK_ACCESS_TOKEN in your environment before triggering a payout.',
+      retryable: false,
+    })
+  }
+  const baseUrl = process.env.MDK_API_BASE_URL ?? MAINNET_MDK_BASE_URL
+
+  try {
+    const link = new RPCLink({
+      url: baseUrl,
+      headers: () => ({
+        'x-api-key': accessToken,
+      }),
+    })
+    const client: ContractRouterClient<typeof contract> = createORPCClient(link)
+    const result = await client.checkout.programmaticPayout({
+      amountSats: options.amountSats,
+      destination,
+      idempotencyKey: options.idempotencyKey,
+    })
+    return success(result)
+  } catch (err) {
+    if (err instanceof ORPCError) {
+      return failure(classifyOrpcError(err))
+    }
+    return failure({
+      code: 'payout_failed',
+      message: err instanceof Error ? err.message : String(err),
+      retryable: true,
+    })
+  }
+}

packages/core/src/types.ts

@@ -4,6 +4,17 @@ export type MdkError = {
   details?: Array<{ message?: string; path?: Array<string | number> }>
   suggestion?: string
   status?: number
+  /**
+   * True when the failure is transient and the same call can be retried later.
+   * False when retrying without changing inputs or configuration will fail again.
+   * Absent when the SDK can't classify the failure; treat as not retryable.
+   */
+  retryable?: boolean
+  /**
+   * Short machine-readable reason for the failure (e.g. 'insufficient_fees',
+   * 'daily_limit_exceeded'). Present for failures the SDK can categorize.
+   */
+  reason?: string
 }
 
 export type Result<T> =

packages/core/tests/control-handlers.test.ts

@@ -35,15 +35,55 @@ test('payout rejects when draining', async () => {
   assert.equal(ctx.queue.size, 0)
 })
 
-test('payout rejects when WITHDRAWAL_DESTINATION is unset', async () => {
+test('payout rejects when neither destination nor WITHDRAWAL_DESTINATION is set', async () => {
   const ctx = makeContext({ env: { WITHDRAWAL_DESTINATION: undefined } })
   await assert.rejects(
     call(nodeControlRouter.payout, { amountMsat: 1000, idempotencyKey: 'k1' }, { context: ctx }),
     /WITHDRAWAL_DESTINATION/,
   )
 })
 
-test('payout enqueues with env-derived destination (NOT from input)', async () => {
+test('payout ignores arbitrary input destination and uses WITHDRAWAL_DESTINATION', async () => {
+  const ctx = makeContext({ env: { WITHDRAWAL_DESTINATION: 'lnurl-pre-configured' } })
+  const pending = call(
+    nodeControlRouter.payout,
+    { amountMsat: 12345, destination: ' lnbc-attacker ', idempotencyKey: 'k1' } as never,
+    { context: ctx },
+  )
+  await new Promise((r) => setImmediate(r))
+  const cmd = ctx.queue.shift()
+  assert.ok(cmd)
+  assert.equal(cmd?.kind, 'payout')
+  if (cmd?.kind === 'payout') {
+    assert.equal(cmd.destination, 'lnurl-pre-configured')
+    assert.equal(cmd.amountMsat, 12345, 'msats round-trip with no 1000x conversion')
+    cmd.resolve({ accepted: true, paymentId: 'pay-id-1', paymentHash: 'hash-1' })
+  }
+  const result = await pending
+  assert.deepEqual(result, { accepted: true, paymentId: 'pay-id-1', paymentHash: 'hash-1' })
+})
+
+test('programmaticPayout enqueues with explicit input destination', async () => {
+  const ctx = makeContext({ env: { WITHDRAWAL_DESTINATION: 'lnurl-pre-configured' } })
+  const pending = call(
+    nodeControlRouter.programmaticPayout,
+    { amountMsat: 12345, destination: ' lnbc-programmatic ', idempotencyKey: 'k1' },
+    { context: ctx },
+  )
+  await new Promise((r) => setImmediate(r))
+  const cmd = ctx.queue.shift()
+  assert.ok(cmd)
+  assert.equal(cmd?.kind, 'payout')
+  if (cmd?.kind === 'payout') {
+    assert.equal(cmd.destination, 'lnbc-programmatic')
+    assert.equal(cmd.amountMsat, 12345, 'msats round-trip with no 1000x conversion')
+    cmd.resolve({ accepted: true, paymentId: 'pay-id-1', paymentHash: 'hash-1' })
+  }
+  const result = await pending
+  assert.deepEqual(result, { accepted: true, paymentId: 'pay-id-1', paymentHash: 'hash-1' })
+})
+
+test('payout falls back to env-derived destination when input omits one', async () => {
   const ctx = makeContext({ env: { WITHDRAWAL_DESTINATION: 'lnurl-pre-configured' } })
   const pending = call(
     nodeControlRouter.payout,
@@ -56,7 +96,7 @@ test('payout enqueues with env-derived destination (NOT from input)', async () =
   assert.ok(cmd)
   assert.equal(cmd?.kind, 'payout')
   if (cmd?.kind === 'payout') {
-    assert.equal(cmd.destination, 'lnurl-pre-configured', 'destination from env, not input')
+    assert.equal(cmd.destination, 'lnurl-pre-configured', 'destination falls back to env')
     assert.equal(cmd.amountMsat, 12345, 'msats round-trip with no 1000x conversion')
     cmd.resolve({ accepted: true, paymentId: 'pay-id-1', paymentHash: 'hash-1' })
   }