blockchain0x 0.0.1.alpha.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: ef9ababb8a0e13928f13336087fc2fb9ea8762aeb4f18077f3574e1cddf491db
+  data.tar.gz: 833a4fab94699de66bc561c011cf4a9ceebf77a692175ea7b3594ffce11c5656
+SHA512:
+  metadata.gz: f7646672e245cdbaebb3fcd45bbc1d216bdaa1538b7c58763f4d860a36413d851e498fb677ec8df6e5a081931b5f5a2802511e340b5b525718ed9c3bd3e8236e
+  data.tar.gz: 7a9c2d95eb3c8f5b1ea1fa7e5192a0528f3bc4b23eca2529e46ec6f22a782578dd035af4cf671efc9b5a23c5722a68fb6c70a8f9d0aee9a0ad0c7a0ef0c3d491

data/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for describing the origin of the Work and
+      reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Support. While redistributing the Work or
+      Derivative Works thereof, You may choose to offer, and charge a
+      fee for, acceptance of support, warranty, indemnity, or other
+      liability obligations and/or rights consistent with this License.
+      However, in accepting such obligations, You may act only on Your
+      own behalf and on Your sole responsibility, not on behalf of any
+      other Contributor, and only if You agree to indemnify, defend,
+      and hold each Contributor harmless for any liability incurred by,
+      or claims asserted against, such Contributor by reason of your
+      accepting any such warranty or support.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2026 Tosh Labs
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied. See the License for the specific language governing
+   permissions and limitations under the License.

data/README.md

@@ -0,0 +1,195 @@
+# blockchain0x
+
+[![Gem Version](https://badge.fury.io/rb/blockchain0x.svg)](https://rubygems.org/gems/blockchain0x)
+[![License: Apache-2.0](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](LICENSE)
+[![Ruby ≥ 3.0](https://img.shields.io/badge/ruby-%E2%89%A53.0-brightgreen.svg)](#requirements)
+
+**Official Ruby SDK for [Blockchain0x](https://blockchain0x.com)** -
+the non-custodial AI-agent wallet platform on Base.
+
+> Pre-release: `0.0.1.alpha.0` ships the operational essentials -
+> HTTP transport, `api_keys` resource, and `Webhooks.verify`. The full
+> surface (every resource + x402 client) lands in sub-plan 21.3 Phase
+> C follow-up rows.
+
+## Install
+
+```bash
+gem install blockchain0x --pre
+```
+
+Or in a `Gemfile`:
+
+```ruby
+gem 'blockchain0x', '~> 0.0.1.alpha'
+```
+
+Requires Ruby 3.0 or newer.
+
+## Quick start
+
+```ruby
+require 'blockchain0x'
+
+client = Blockchain0x::Client.new(api_key: ENV.fetch('BLOCKCHAIN0X_API_KEY'))
+page = client.api_keys.list
+page['data'].each { |k| puts "#{k['id']}\t#{k['prefix']}" }
+```
+
+The client pins the network from the API-key prefix (`sk_test_*` →
+testnet, `sk_live_*` → mainnet). Override with
+`Blockchain0x::Client.new(api_key: ..., network: 'mainnet')` when
+running mixed-mode tests.
+
+## Verify webhook signatures
+
+The single most important utility this SDK ships - drop it into the
+top of your webhook controller BEFORE touching the body.
+
+```ruby
+# Rails example. Adapt for Sinatra / Hanami / Roda - the only
+# requirement is the raw request body, NOT a parsed JSON hash.
+class WebhooksController < ApplicationController
+  skip_before_action :verify_authenticity_token, only: :receive
+
+  def receive
+    result = Blockchain0x::Webhooks.verify(
+      headers: request.headers,
+      raw_body: request.raw_post,
+      secret: ENV.fetch('BLOCKCHAIN0X_WEBHOOK_SECRET'),
+    )
+    return head(:bad_request) unless result.ok?
+
+    # result.event_type / result.event_id / result.delivery_id populated.
+    Sidekiq.redis do |r|
+      r.lpush("events:#{result.event_type}", request.raw_post)
+    end
+    head :no_content
+  end
+end
+```
+
+The verifier:
+
+- Reads `X-Blockchain0x-Signature` in either `t=<ts>,v1=<hex>` or
+  bare-hex form (some load balancers strip commas).
+- Falls back to `X-Blockchain0x-Timestamp` when the signature is bare.
+- Rejects with `webhook.timestamp_outside_window` when drift exceeds
+  300 seconds.
+- Constant-time compares via `OpenSSL.fixed_length_secure_compare`
+  (or a manual byte-XOR fallback for older OpenSSL builds).
+
+For exception-based flows pass `raise_on_fail: true`:
+
+```ruby
+begin
+  result = Blockchain0x::Webhooks.verify(
+    headers: request.headers,
+    raw_body: request.raw_post,
+    secret: ENV.fetch('BLOCKCHAIN0X_WEBHOOK_SECRET'),
+    raise_on_fail: true,
+  )
+rescue Blockchain0x::WebhookSignatureError => e
+  return render json: { code: e.code }, status: :bad_request
+end
+```
+
+## Errors
+
+Two classes:
+
+- `Blockchain0x::Error` - base class; every SDK error inherits.
+- `Blockchain0x::APIKeyError` - subclass for HTTP 401 / 403 envelopes
+  whose `error.code` starts with `apikey.` (e.g.
+  `apikey.scope_insufficient`, `apikey.wallet_not_assigned`).
+
+Always branch on `.code`, never regex-match `.message`:
+
+```ruby
+begin
+  client.api_keys.list
+rescue Blockchain0x::APIKeyError => e
+  if e.code == 'apikey.scope_insufficient'
+    # mint a fresh key with more scope
+  end
+end
+```
+
+The module helper `Blockchain0x.apikey_error?(error)` returns true
+when the exception's code begins with `apikey.` regardless of
+subclass.
+
+## Retry behaviour
+
+The transport retries on `429` and `5xx` with exponential backoff
+(0.5s → 1s → 2s → … → 30s cap, 3 retries by default).
+`Retry-After` is honoured when the server sends it.
+
+`POST` / `PATCH` / `DELETE` requests carry an `Idempotency-Key`
+header - the SDK mints a UUID v4 if you do not supply one. Pass
+`idempotency_key: '...'` to thread a stable key across SDK retries OR
+across processes (e.g. a cron job that hashes its input
+deterministically).
+
+## Workspace keys (sub-plan 21.3)
+
+Two key shapes exist (see
+[docs/concept-api-key-types.md](https://github.com/Tosh-Labs/blockchain0x-app/blob/dev/docs/concept-api-key-types.md)
+for the full decision tree):
+
+- **Wallet-only** - bound to ONE agent. Right shape for an autonomous AI agent that IS one wallet.
+- **Workspace** - human-operator key that can carry workspace-level scopes AND assignments to N specific wallets.
+
+The Ruby SDK forwards both shapes through `client.api_keys`. Once
+the C-2-style `create` method lands beyond the alpha scaffold:
+
+```ruby
+key = client.api_keys.create(
+  label: 'Treasury reconciliation',
+  workspace_scopes: ['read_workspace'],
+  wallet_assignments: [
+    { agent_id: 'agt_trading', scopes: ['read_wallet_metadata'] },
+    { agent_id: 'agt_settlement', scopes: ['read_wallet_metadata'] },
+  ],
+  expires_in_days: 30,
+)
+puts key['secret']  # shown ONCE
+```
+
+Server-side RBAC: the minter cannot grant a scope they do not have
+themselves. Over-grants reject with `apikey.role_insufficient_for_grants`
+which is surfaced as a `Blockchain0x::APIKeyError`.
+
+## x402 (Phase C-7)
+
+The sibling gem `blockchain0x-x402` (Ruby port of
+[`@blockchain0x/x402`](https://www.npmjs.com/package/@blockchain0x/x402))
+will ship the x402 client + Rack middleware in sub-plan 21.3 row C-7.
+The wire format is identical across languages so a Ruby service can
+accept payments from a Node client and vice-versa.
+
+## Codegen
+
+Model classes are generated from
+`apps/backend/openapi/openapi.yaml` via
+[openapi-generator-cli](https://github.com/OpenAPITools/openapi-generator)
+with `-g ruby --global-property=models,supportingFiles=false` - see
+[codegen/README.md](./codegen/README.md) for the decision
+rationale.
+
+## Source-of-truth + distribution
+
+Source-of-truth: this directory in
+[Tosh-Labs/blockchain0x-app](https://github.com/Tosh-Labs/blockchain0x-app)
+under `packages/sdk-ruby/`.
+
+Public mirror: [Tosh-Labs/blockchain0x-ruby](https://github.com/Tosh-Labs/blockchain0x-ruby)
+(receives merges from this directory on dispatch of the
+`mirror-sdk-ruby` workflow).
+
+Distribution: [rubygems](https://rubygems.org/gems/blockchain0x) via
+Trusted Publisher OIDC.
+
+## License
+
+Apache-2.0.

data/lib/blockchain0x/client.rb

@@ -0,0 +1,194 @@
+# Sub-plan 21.3 row C-4: Ruby HTTP client.
+#
+# Behaviour mirrors the @blockchain0x/node + Python + Go SDKs:
+#
+#   - injects Bearer + X-Network headers on every request,
+#   - mints an Idempotency-Key on POST/PATCH/DELETE unless caller
+#     supplies one,
+#   - retries 5xx + 429 with exponential backoff (Retry-After
+#     honoured),
+#   - converts the canonical error envelope into APIKeyError / Error.
+#
+# Network selection:
+#   - `sk_test_*` keys force testnet,
+#   - `sk_live_*` keys force mainnet,
+#   - explicit `network:` kwarg overrides the prefix when the SDK is
+#     used in mixed-mode tests.
+
+# frozen_string_literal: true
+
+require 'faraday'
+require 'json'
+require 'securerandom'
+require_relative 'errors'
+require_relative 'version'
+
+module Blockchain0x
+  class Client
+    DEFAULT_BASE_URL = 'https://api.blockchain0x.com'
+    DEFAULT_TIMEOUT = 30
+    DEFAULT_MAX_RETRIES = 3
+    USER_AGENT = "blockchain0x-ruby/#{VERSION}"
+
+    # @param api_key      [String] required; sk_test_... or sk_live_...
+    # @param base_url     [String] override the default API host
+    # @param network      [Symbol,String] :mainnet / :testnet override
+    # @param timeout      [Integer] per-request wall-clock seconds
+    # @param max_retries  [Integer] retry budget on 5xx + 429
+    # @param adapter      [Symbol] Faraday adapter (default :net_http)
+    # @param connection   [Faraday::Connection] override for tests
+    def initialize(api_key:, base_url: DEFAULT_BASE_URL, network: nil, timeout: DEFAULT_TIMEOUT,
+                   max_retries: DEFAULT_MAX_RETRIES, adapter: :net_http, connection: nil)
+      raise ArgumentError, 'api_key is required' if api_key.nil? || api_key.empty?
+
+      @api_key = api_key
+      @network = (network || network_from_key(api_key)).to_s
+      @max_retries = max_retries
+      @connection = connection || build_connection(base_url, timeout, adapter)
+    end
+
+    def api_keys
+      @api_keys ||= begin
+        require_relative 'resources/api_keys'
+        Resources::APIKeys.new(self)
+      end
+    end
+
+    def payment_requests
+      @payment_requests ||= begin
+        require_relative 'resources/payment_requests'
+        Resources::PaymentRequests.new(self)
+      end
+    end
+
+    def payments
+      @payments ||= begin
+        require_relative 'resources/payments'
+        Resources::Payments.new(self)
+      end
+    end
+
+    def transactions
+      @transactions ||= begin
+        require_relative 'resources/transactions'
+        Resources::Transactions.new(self)
+      end
+    end
+
+    # ---- low-level verb helpers --------------------------------------
+    def get(path, params: nil)
+      request(:get, path, params: params)
+    end
+
+    def post(path, body: nil, idempotency_key: nil)
+      request(:post, path, body: body, idempotency_key: idempotency_key)
+    end
+
+    def patch(path, body: nil, idempotency_key: nil)
+      request(:patch, path, body: body, idempotency_key: idempotency_key)
+    end
+
+    def delete(path, idempotency_key: nil)
+      request(:delete, path, idempotency_key: idempotency_key)
+    end
+
+    private
+
+    def request(method, path, params: nil, body: nil, idempotency_key: nil)
+      headers = {
+        'Authorization' => "Bearer #{@api_key}",
+        'Accept' => 'application/json',
+        'User-Agent' => USER_AGENT,
+        'X-Network' => @network,
+      }
+      headers['Content-Type'] = 'application/json' if body
+      if %i[post patch delete].include?(method)
+        headers['Idempotency-Key'] = idempotency_key || SecureRandom.uuid
+      end
+
+      payload = body.nil? ? nil : JSON.generate(body)
+
+      attempt = 0
+      loop do
+        attempt += 1
+        begin
+          response = @connection.run_request(method, path, payload, headers) do |req|
+            req.params.update(params) if params
+          end
+        rescue Faraday::TimeoutError, Faraday::ConnectionFailed => e
+          raise Error.new(code: 'network.unavailable', message: e.message) if attempt > @max_retries
+
+          sleep(backoff(attempt))
+          next
+        end
+
+        if response.status < 400
+          return parse_success(response)
+        end
+
+        if response.status == 429 || response.status >= 500
+          if attempt > @max_retries
+            raise build_error(response)
+          end
+
+          wait = response.headers['Retry-After']&.to_i
+          sleep(wait || backoff(attempt))
+          next
+        end
+
+        raise build_error(response)
+      end
+    end
+
+    def parse_success(response)
+      return nil if response.status == 204 || response.body.nil? || response.body.empty?
+
+      JSON.parse(response.body)
+    rescue JSON::ParserError
+      raise Error.new(code: 'response.invalid_envelope', message: 'non-JSON response body')
+    end
+
+    def build_error(response)
+      request_id = response.headers['x-request-id']
+      payload = begin
+        JSON.parse(response.body || '')
+      rescue JSON::ParserError
+        nil
+      end
+      err = payload.is_a?(Hash) ? payload['error'] : nil
+      unless err.is_a?(Hash) && err['code']
+        return Error.new(
+          code: 'response.invalid_envelope',
+          message: "non-canonical error body (status=#{response.status})",
+          http_status: response.status,
+          request_id: request_id,
+        )
+      end
+
+      code = err['code'].to_s
+      message = err['message'].to_s
+      # The canonical error envelope carries the request id in the body
+      # (`error.requestId`); the `x-request-id` response header is a
+      # fallback for transports that surface it there instead.
+      request_id = err['requestId'] || request_id
+      klass = code.start_with?('apikey.') ? APIKeyError : Error
+      klass.new(code: code, message: message, http_status: response.status, request_id: request_id)
+    end
+
+    def backoff(attempt)
+      [0.5 * (2**(attempt - 1)), 30.0].min
+    end
+
+    def network_from_key(api_key)
+      api_key.start_with?('sk_live_') ? 'mainnet' : 'testnet'
+    end
+
+    def build_connection(base_url, timeout, adapter)
+      Faraday.new(url: base_url) do |f|
+        f.options.timeout = timeout
+        f.options.open_timeout = timeout
+        f.adapter adapter
+      end
+    end
+  end
+end

data/lib/blockchain0x/errors.rb

@@ -0,0 +1,85 @@
+# Sub-plan 21.3 C-4 + C-6 (Ruby). Mirrors the @blockchain0x/node +
+# Python + Go SDK error hierarchies so consumers branch on stable
+# wire `code` strings instead of regex-matching messages.
+#
+#   Blockchain0x::Error                    (every SDK error)
+#     Blockchain0x::APIKeyError            (HTTP 401/403 with apikey.*)
+#     Blockchain0x::WebhookSignatureError  (raised only by
+#                                           Webhooks.verify(..., raise_on_fail: true);
+#                                           default verify returns a Result struct)
+#
+# Every error carries:
+#   code         stable wire-level code from the openapi catalog
+#   message      human-readable description
+#   http_status  the HTTP status that produced this error (nil for
+#                client-side raises like WebhookSignatureError)
+#   request_id   server-issued request id (nil on local-only errors)
+
+# frozen_string_literal: true
+
+module Blockchain0x
+  class Error < StandardError
+    attr_reader :code, :http_status, :request_id
+
+    def initialize(code:, message:, http_status: nil, request_id: nil)
+      super("#{code}: #{message}")
+      @code = code
+      @http_status = http_status
+      @request_id = request_id
+    end
+  end
+
+  # Subclass for HTTP 401 / 403 envelopes whose `error.code` starts
+  # with `apikey.`. Catch this to handle apikey-related failures:
+  #
+  #   begin
+  #     client.api_keys.list
+  #   rescue Blockchain0x::APIKeyError => e
+  #     if e.code == 'apikey.scope_insufficient'
+  #       # mint a fresh key with more scope
+  #     end
+  #   end
+  class APIKeyError < Error
+  end
+
+  # Raised by Webhooks.verify(..., raise_on_fail: true). The default
+  # `verify` path returns a discriminated-union Result; this exists
+  # for integrations that prefer exceptions over branching on
+  # `result.ok?`.
+  class WebhookSignatureError < Error
+  end
+
+  # @return [Boolean] true when the exception's code begins with
+  # `apikey.` (regardless of which subclass it is).
+  def self.apikey_error?(error)
+    return false unless error.respond_to?(:code) && error.code.is_a?(String)
+
+    error.code.start_with?('apikey.')
+  end
+
+  # Stable apikey.* failure-mode catalog (sub-plan 21.3 row C-8). The
+  # backend emits these codes verbatim in the wire envelope; SDK
+  # consumers branch on them via APIKeyError#code. Splits into four
+  # groups: identity-bound, agent-flavor binding, surface-restriction,
+  # and the four 21.3-introduced workspace-flavor codes.
+  module APIKeyCodes
+    # Identity-bound (the key itself is invalid).
+    INVALID = 'apikey.invalid'
+    REVOKED = 'apikey.revoked'
+    EXPIRED = 'apikey.expired'
+    # Agent-flavor binding errors (sub-plan 21.1).
+    AGENT_REVOKED = 'apikey.agent_revoked'
+    AGENT_MISMATCH = 'apikey.agent_mismatch'
+    # Surface-restriction errors.
+    WORKSPACE_ENDPOINT_BLOCKED = 'apikey.workspace_endpoint_blocked'
+    UNSUPPORTED_ENDPOINT = 'apikey.unsupported_endpoint'
+    # Network + scope.
+    NETWORK_MISMATCH = 'apikey.network_mismatch'
+    SCOPE_INSUFFICIENT = 'apikey.scope_insufficient'
+    # Workspace-flavor errors (sub-plan 21.3).
+    WALLET_NOT_ASSIGNED = 'apikey.wallet_not_assigned'
+    WORKSPACE_SCOPE_INSUFFICIENT = 'apikey.workspace_scope_insufficient'
+    ROLE_INSUFFICIENT_FOR_GRANTS = 'apikey.role_insufficient_for_grants'
+    NO_GRANTS_REMAINING = 'apikey.no_grants_remaining'
+  end
+end

data/lib/blockchain0x/resources/api_keys.rb

@@ -0,0 +1,129 @@
+# Sub-plan 21.3 row C-4 first resource: api_keys.
+#
+# Thin wrapper over the wire shape. Until codegen lands
+# (codegen/regenerate.sh per the C-1 decision), the response is a
+# plain Hash mirroring the openapi `ApiKey` schema verbatim:
+#
+#   { 'id' => ..., 'prefix' => ..., 'scopes' => [...],
+#     'workspaceScopes' => [...], 'walletAssignments' => [...] }
+#
+# Once codegen ships, this resource returns typed model classes.
+#
+# C-4 follow-up: typed `create_workspace_key` + `create_agent_key`
+# close the sdk-parity-matrix "Workspace-flavor `create` body" 🟡
+# drift for Ruby. Mirrors the Python `create_workspace_key` +
+# Go `CreateWorkspaceKey` signatures.
+
+# frozen_string_literal: true
+
+module Blockchain0x
+  module Resources
+    # WalletAssignment is the typed per-wallet entry for the
+    # workspace-flavor create body. Splits an `agent_id` + `scopes`
+    # array. The 4 valid scopes are `read_wallet_metadata`,
+    # `manage_wallet_metadata`, `pay_bills`, `receive_money`.
+    WalletAssignment = Struct.new(:agent_id, :scopes, keyword_init: true) do
+      def to_h_wire
+        { 'agentId' => agent_id, 'scopes' => Array(scopes) }
+      end
+    end
+
+    class APIKeys
+      def initialize(client)
+        @client = client
+      end
+
+      # @return [Hash] cursor-paginated page envelope
+      def list
+        @client.get('/v1/api-keys')
+      end
+
+      # @param api_key_id [String]
+      # @return [Hash]
+      def get(api_key_id)
+        raise ArgumentError, 'api_key_id is required' if api_key_id.nil? || api_key_id.empty?
+
+        @client.get("/v1/api-keys/#{api_key_id}")
+      end
+
+      # Revoke an API key. Returns nil (204 No Content).
+      def revoke(api_key_id)
+        raise ArgumentError, 'api_key_id is required' if api_key_id.nil? || api_key_id.empty?
+
+        @client.delete("/v1/api-keys/#{api_key_id}")
+      end
+
+      # Mint a sub-plan 21.3 workspace-flavor API key.
+      #
+      # At least one of `workspace_scopes` or `wallet_assignments`
+      # MUST be non-empty - a workspace-flavor key with neither
+      # rejects at the server with `request.invalid`. The client
+      # raises ArgumentError before issuing the wire call so the
+      # mistake is caught locally.
+      #
+      # @param label [String] human-readable label shown in the dashboard.
+      # @param workspace_scopes [Array<String>, nil] zero or more workspace-level scopes.
+      # @param wallet_assignments [Array<WalletAssignment>, nil] zero or more per-wallet grants.
+      # @param expires_in_days [Integer, nil] optional rotation hint (7/30/60/90).
+      # @param idempotency_key [String, nil] explicit override; otherwise the client mints a fresh uuid4.
+      # @return [Hash] the raw envelope `{ 'id', 'secret', 'prefix', ... }`. The `secret` field is the
+      #   plaintext key returned ONCE; persist it now.
+      # @raise [APIKeyError] when the RBAC ceiling rejects the grant
+      #   (`apikey.role_insufficient_for_grants`).
+      def create_workspace_key(
+        label:,
+        workspace_scopes: nil,
+        wallet_assignments: nil,
+        expires_in_days: nil,
+        idempotency_key: nil
+      )
+        raise ArgumentError, 'label is required' if label.nil? || label.empty?
+
+        ws = Array(workspace_scopes)
+        wa = Array(wallet_assignments)
+        if ws.empty? && wa.empty?
+          raise ArgumentError,
+                'workspace-flavor key needs at least one workspace_scope OR wallet_assignment'
+        end
+
+        body = { 'label' => label }
+        body['workspaceScopes'] = ws unless ws.empty?
+        body['walletAssignments'] = wa.map { |a| a.respond_to?(:to_h_wire) ? a.to_h_wire : a } unless wa.empty?
+        body['expiresInDays'] = expires_in_days unless expires_in_days.nil?
+
+        @client.post('/v1/api-keys', body: body, idempotency_key: idempotency_key)
+      end
+
+      # Mint a legacy 21.1 agent-bound API key.
+      #
+      # @param agent_id [String] the agent the key is bound to.
+      # @param label [String] human-readable label.
+      # @param scopes [Array<String>] one or more wallet-scoped permissions.
+      # @param expires_in_days [Integer, nil] optional rotation hint.
+      # @param idempotency_key [String, nil] explicit override.
+      # @return [Hash] the raw envelope `{ 'id', 'secret', 'prefix', ... }`.
+      def create_agent_key(
+        agent_id:,
+        label:,
+        scopes:,
+        expires_in_days: nil,
+        idempotency_key: nil
+      )
+        raise ArgumentError, 'agent_id is required' if agent_id.nil? || agent_id.empty?
+        raise ArgumentError, 'label is required' if label.nil? || label.empty?
+
+        sc = Array(scopes)
+        raise ArgumentError, 'at least one scope is required' if sc.empty?
+
+        body = {
+          'agentId' => agent_id,
+          'label' => label,
+          'scopes' => sc,
+        }
+        body['expiresInDays'] = expires_in_days unless expires_in_days.nil?
+
+        @client.post('/v1/api-keys', body: body, idempotency_key: idempotency_key)
+      end
+    end
+  end
+end

data/lib/blockchain0x/resources/payment_requests.rb

@@ -0,0 +1,73 @@
+# Sub-plan 21.2 row A-3 / B-3 (Ruby port).
+#
+# `client.payment_requests.settle` is the path the x402 server adapter
+# calls after verifying an X-Payment header. The request body carries
+# the on-chain proof tuple (txHash + payerAddress + amountUsdcVerified);
+# the backend re-verifies it against the canonical `transactions`
+# table before flipping the invoice to `settled`. Trust model: the
+# SDK is a thin wrapper, the server is the trust anchor.
+#
+# No idempotency_key mint here - settle is naturally idempotent
+# server-side: an invoice already in `settled` state returns 409
+# `payment_request.not_settleable`, never a duplicate event.
+
+# frozen_string_literal: true
+
+module Blockchain0x
+  module Resources
+    # PaymentRequestSettleBody is the typed proof-tuple. Snake_case
+    # on the Ruby side, camelCase on the wire (the `#to_h_wire`
+    # serialiser handles the rename). Mirrors the Python
+    # PaymentRequestSettleBody dataclass + Go PaymentRequestSettleBody
+    # struct.
+    PaymentRequestSettleBody = Struct.new(
+      :tx_hash,
+      :payer_address,
+      :amount_usdc_verified,
+      keyword_init: true,
+    ) do
+      def to_h_wire
+        {
+          'txHash' => tx_hash,
+          'payerAddress' => payer_address,
+          'amountUsdcVerified' => amount_usdc_verified,
+        }
+      end
+    end
+
+    # PaymentRequestsResource is `client.payment_requests.*`.
+    class PaymentRequests
+      def initialize(client)
+        @client = client
+      end
+
+      # Settle a payment request with the on-chain proof tuple.
+      #
+      # @param payment_request_id [String] the `pr_*` id from the 402
+      #   `accepts[].paymentRequestId` field.
+      # @param body [PaymentRequestSettleBody, Hash] either the typed
+      #   Struct OR a plain hash with the canonical camelCase shape -
+      #   the x402 server adapter already passes the dict directly.
+      # @return [Hash] the raw envelope
+      #   `{ 'id', 'status' => 'settled', 'settledTxHash', 'settledAt' }`.
+      # @raise [ArgumentError] when payment_request_id is empty.
+      # @raise [Blockchain0x::Error] on any non-2xx envelope.
+      def settle(payment_request_id, body)
+        if payment_request_id.nil? || payment_request_id.to_s.empty?
+          raise ArgumentError, 'payment_request_id is required'
+        end
+
+        wire_body =
+          if body.respond_to?(:to_h_wire)
+            body.to_h_wire
+          else
+            # Accept the canonical camelCase shape verbatim - the
+            # x402 server adapter already passes this exact shape.
+            body.to_h.transform_keys(&:to_s)
+          end
+
+        @client.post("/v1/payment-requests/#{payment_request_id}/settle", body: wire_body)
+      end
+    end
+  end
+end

data/lib/blockchain0x/resources/payments.rb

@@ -0,0 +1,82 @@
+# Sub-plan 21.1 row B-4 (Ruby port).
+#
+# `client.payments.create` is the agent's outbound-spend path. Two
+# safety differences from every other SDK call:
+#
+#   1. **Auto Idempotency-Key.** The underlying `Client#post` already
+#      mints a uuid4 on every POST; this resource exposes an explicit
+#      `idempotency_key:` knob so consumers can thread a stable value
+#      across retries.
+#   2. **Retry stays at the global Client setting.** A payment retry
+#      without a matching idempotency key could double-submit. The
+#      Ruby SDK does not yet expose a per-call retry override (the
+#      Node SDK's `retry: 'off' | 'default'` switch is a future
+#      extension); consumers control retry via the Client's
+#      `max_retries:` argument.
+
+# frozen_string_literal: true
+
+module Blockchain0x
+  module Resources
+    # PaymentCreateBody is the typed body for POST /v1/payments.
+    # Snake_case on the Ruby side; camelCase on the wire (via
+    # `#to_h_wire`). Mirrors the Python PaymentCreateBody dataclass +
+    # Go PaymentCreateRequest struct.
+    PaymentCreateBody = Struct.new(
+      :agent_id,
+      :to,
+      :amount_wei,
+      :token,
+      :metadata,
+      keyword_init: true,
+    ) do
+      def initialize(agent_id:, to:, amount_wei:, token: nil, metadata: nil)
+        super
+      end
+
+      def to_h_wire
+        h = {
+          'agentId' => agent_id,
+          'to' => to,
+          'amountWei' => amount_wei,
+        }
+        h['token'] = token unless token.nil?
+        h['metadata'] = metadata.to_h unless metadata.nil?
+        h
+      end
+    end
+
+    # `client.payments.*` resource.
+    class Payments
+      def initialize(client)
+        @client = client
+      end
+
+      # Submit an outbound payment.
+      #
+      # @param body [PaymentCreateBody, Hash] either the typed Struct
+      #   OR a plain hash with the canonical camelCase shape - the
+      #   x402 client wrapper passes a hash directly so it just works.
+      # @param idempotency_key [String, nil] explicit override;
+      #   otherwise the underlying Client mints a uuid4.
+      # @return [Hash] raw envelope
+      #   `{ 'id', 'agentId', 'status', 'txHash'?, 'amountWei', 'network', ... }`.
+      # @raise [ArgumentError] when any required field is empty.
+      # @raise [Blockchain0x::Error] on any non-2xx envelope.
+      def create(body:, idempotency_key: nil)
+        wire =
+          if body.respond_to?(:to_h_wire)
+            body.to_h_wire
+          else
+            body.to_h.transform_keys(&:to_s)
+          end
+
+        raise ArgumentError, 'agentId is required' if wire['agentId'].nil? || wire['agentId'].empty?
+        raise ArgumentError, 'to is required' if wire['to'].nil? || wire['to'].empty?
+        raise ArgumentError, 'amountWei is required' if wire['amountWei'].nil? || wire['amountWei'].empty?
+
+        @client.post('/v1/payments', body: wire, idempotency_key: idempotency_key)
+      end
+    end
+  end
+end

data/lib/blockchain0x/resources/transactions.rb

@@ -0,0 +1,32 @@
+# Sub-plan 21.2 row B-3 (Ruby port).
+#
+# Read-only handle on the `transactions` table. The x402 client polls
+# `client.transactions.get` to find out when a freshly broadcast
+# `payments.create` has confirmed on-chain (status flips to
+# `confirmed`). Scope: `read_wallet_metadata`.
+
+# frozen_string_literal: true
+
+module Blockchain0x
+  module Resources
+    class Transactions
+      def initialize(client)
+        @client = client
+      end
+
+      # Fetch one transaction by id.
+      #
+      # @param transaction_id [String] the `tx_*` id returned from
+      #   `payments.create` (or a chain webhook).
+      # @return [Hash] raw envelope.
+      # @raise [ArgumentError] when transaction_id is empty.
+      def get(transaction_id)
+        if transaction_id.nil? || transaction_id.to_s.empty?
+          raise ArgumentError, 'transaction_id is required'
+        end
+
+        @client.get("/v1/transactions/#{transaction_id}")
+      end
+    end
+  end
+end

data/lib/blockchain0x/version.rb

@@ -0,0 +1,8 @@
+# Sub-plan 21.3 C-4: gem version constant. Single source of truth for
+# blockchain0x.gemspec and the user-visible Blockchain0x::VERSION.
+
+# frozen_string_literal: true
+
+module Blockchain0x
+  VERSION = '0.0.1.alpha.0'
+end

data/lib/blockchain0x/webhooks.rb

@@ -0,0 +1,206 @@
+# Sub-plan 21.3 row C-6 (Ruby). Ports the @blockchain0x/node + Python
+# + Go `webhooks.verify` byte-for-byte.
+#
+# Wire format (mirrors apps/worker/src/adapters/webhook.ts):
+#
+#   X-Blockchain0x-Timestamp: <unix seconds>
+#   X-Blockchain0x-Signature: t=<ts>,v1=<hex>
+#   X-Blockchain0x-Event-Type: <slug>
+#   X-Blockchain0x-Event-Id: <ulid>
+#   X-Blockchain0x-Delivery-Id: webhook_<id>
+#
+# Algorithm:
+#
+#   want = OpenSSL::HMAC.hexdigest('SHA256', secret, "#{ts}.#{raw_body}")
+#   ok   = OpenSSL.fixed_length_secure_compare(want, sig) &&
+#          (Time.now.to_i - ts).abs <= tolerance_seconds
+#
+# Discriminated-union return so callers branch on `result.ok?`:
+#
+#   result = Blockchain0x::Webhooks.verify(
+#     headers: request.headers, raw_body: request.raw_post,
+#     secret: ENV['BLOCKCHAIN0X_WEBHOOK_SECRET'],
+#   )
+#   return head(:bad_request) unless result.ok?
+#
+# The verifier accepts EITHER the structured `t=<ts>,v1=<hex>` value
+# OR a bare hex signature (some load balancers strip comma-delimited
+# values); when bare-hex, the `t` value is read from the
+# X-Blockchain0x-Timestamp header.
+
+# frozen_string_literal: true
+
+require 'openssl'
+require_relative 'errors'
+
+module Blockchain0x
+  module Webhooks
+    SIG_HEADER = 'X-Blockchain0x-Signature'
+    TS_HEADER  = 'X-Blockchain0x-Timestamp'
+    TYPE_HEADER = 'X-Blockchain0x-Event-Type'
+    EVENT_ID_HEADER = 'X-Blockchain0x-Event-Id'
+    DELIVERY_ID_HEADER = 'X-Blockchain0x-Delivery-Id'
+
+    DEFAULT_TOLERANCE_SECONDS = 300
+
+    # Failure-code constants mirror @blockchain0x/node + Python + Go.
+    SIGNATURE_MISSING       = 'webhook.signature_missing'
+    SIGNATURE_MALFORMED     = 'webhook.signature_malformed'
+    TIMESTAMP_OUTSIDE_WINDOW = 'webhook.timestamp_outside_window'
+    SIGNATURE_MISMATCH      = 'webhook.signature_mismatch'
+    SECRET_MISSING          = 'webhook.secret_missing'
+    TIMESTAMP_MISSING       = 'webhook.timestamp_missing'
+    TIMESTAMP_INVALID       = 'webhook.timestamp_invalid'
+
+    # Result returned by `verify`. Use `result.ok?` to branch.
+    #
+    # On success, `event_type`, `event_id`, `delivery_id` are
+    # populated (may be nil if the framework dropped the header but
+    # the signature verified).
+    #
+    # On failure, `code` is one of the constants above and the
+    # event-detail fields are nil.
+    Result = Struct.new(:ok, :code, :event_type, :event_id, :delivery_id, keyword_init: true) do
+      def ok?
+        ok == true
+      end
+    end
+
+    class << self
+      # @param headers     [Hash] case-insensitive header bag (a plain
+      #                          Hash works, ActionController headers work)
+      # @param raw_body    [String] request body EXACTLY as it arrived;
+      #                          do not pre-parse JSON
+      # @param secret      [String] webhook signing secret
+      # @param tolerance_seconds [Integer] override the 5-minute default
+      # @param now         [Integer] override `Time.now.to_i` for tests
+      # @param raise_on_fail [Boolean] when true, raise
+      #                          WebhookSignatureError on any failure
+      # @return [Result] discriminated-union result (default path)
+      # @raise [WebhookSignatureError] when raise_on_fail: true and verify fails
+      def verify(headers:, raw_body:, secret:, tolerance_seconds: DEFAULT_TOLERANCE_SECONDS, now: nil, raise_on_fail: false)
+        if secret.nil? || secret.empty?
+          return fail_result(SECRET_MISSING, 'missing webhook secret', raise_on_fail)
+        end
+
+        raw_sig = pick_header(headers, SIG_HEADER)
+        if raw_sig.nil?
+          return fail_result(SIGNATURE_MISSING, 'missing X-Blockchain0x-Signature header', raise_on_fail)
+        end
+
+        parsed = parse_signature(raw_sig)
+        return fail_result(SIGNATURE_MALFORMED, 'malformed signature header', raise_on_fail) if parsed.nil?
+
+        ts_from_header, sig_hex = parsed
+        ts = ts_from_header
+        if ts.nil?
+          raw_ts = pick_header(headers, TS_HEADER)
+          return fail_result(TIMESTAMP_MISSING, 'missing X-Blockchain0x-Timestamp header', raise_on_fail) if raw_ts.nil?
+
+          begin
+            ts = Integer(raw_ts)
+          rescue ArgumentError, TypeError
+            return fail_result(TIMESTAMP_INVALID, 'invalid X-Blockchain0x-Timestamp value', raise_on_fail)
+          end
+        end
+
+        current = now || Time.now.to_i
+        if (current - ts).abs > tolerance_seconds
+          return fail_result(TIMESTAMP_OUTSIDE_WINDOW, 'timestamp outside tolerance window', raise_on_fail)
+        end
+
+        want = OpenSSL::HMAC.hexdigest('SHA256', secret, "#{ts}.#{raw_body}")
+        unless secure_compare(want, sig_hex.downcase)
+          return fail_result(SIGNATURE_MISMATCH, 'signature mismatch', raise_on_fail)
+        end
+
+        Result.new(
+          ok: true,
+          code: nil,
+          event_type: pick_header(headers, TYPE_HEADER),
+          event_id: pick_header(headers, EVENT_ID_HEADER),
+          delivery_id: pick_header(headers, DELIVERY_ID_HEADER),
+        )
+      end
+
+      private
+
+      def pick_header(headers, name)
+        return nil if headers.nil?
+
+        # Try the canonical name first (works for ActionDispatch::Headers
+        # and most middleware bags), then fall back to a case-insensitive
+        # lookup on plain Hash inputs.
+        if headers.respond_to?(:[])
+          v = headers[name]
+          return v if !v.nil? && !v.to_s.empty?
+
+          v = headers[name.downcase]
+          return v if !v.nil? && !v.to_s.empty?
+        end
+        return nil unless headers.respond_to?(:each)
+
+        target = name.downcase
+        headers.each do |k, v|
+          return v if k.to_s.downcase == target && !v.to_s.empty?
+        end
+        nil
+      end
+
+      # Parses `t=<ts>,v1=<hex>` OR a bare hex string.
+      # Returns [ts_or_nil, sig_hex] on success; nil on malformed input.
+      def parse_signature(raw)
+        unless raw.include?('=')
+          cleaned = raw.strip
+          return nil unless cleaned =~ /\A[0-9a-fA-F]+\z/
+
+          return [nil, cleaned.downcase]
+        end
+        ts = nil
+        sig = nil
+        raw.split(',').each do |part|
+          key, _eq, value = part.strip.partition('=')
+          case key
+          when 't'
+            begin
+              ts = Integer(value)
+            rescue ArgumentError, TypeError
+              return nil
+            end
+          when 'v1'
+            sig = value.strip.downcase
+          end
+        end
+        return nil if sig.nil?
+
+        [ts, sig]
+      end
+
+      # Constant-time compare. Ruby 3.0+ with a modern openssl gem
+      # exposes OpenSSL.fixed_length_secure_compare; older stdlib
+      # builds (e.g. some minimal docker images) ship without it, so
+      # fall back to a manual byte XOR-and-OR that scans the full
+      # input regardless of where the mismatch is. Either path
+      # short-circuits on a length mismatch BEFORE the constant-time
+      # compare; signatures are sized by the algorithm, not by the
+      # caller, so the length is not user-secret.
+      def secure_compare(a, b)
+        return false unless a.bytesize == b.bytesize
+
+        if OpenSSL.respond_to?(:fixed_length_secure_compare)
+          OpenSSL.fixed_length_secure_compare(a, b)
+        else
+          diff = 0
+          a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
+          diff.zero?
+        end
+      end
+
+      def fail_result(code, message, raise_on_fail)
+        raise WebhookSignatureError.new(code: code, message: message) if raise_on_fail
+
+        Result.new(ok: false, code: code)
+      end
+    end
+  end
+end

data/lib/blockchain0x.rb

@@ -0,0 +1,33 @@
+# Sub-plan 21.3 row C-4: top-level module + autoload setup.
+#
+# Public surface:
+#   Blockchain0x::Client                  HTTP client (client.api_keys.*)
+#   Blockchain0x::Webhooks                webhook signature verifier
+#   Blockchain0x::Error                   base exception class
+#   Blockchain0x::APIKeyError             401/403 apikey.* envelope subclass
+#   Blockchain0x::APIKeyCodes             13 stable apikey.* failure codes (sub-plan 21.3 C-8)
+#   Blockchain0x::WebhookSignatureError   raised by Webhooks.verify(raise_on_fail: true)
+#   Blockchain0x::Resources::WalletAssignment  typed per-wallet entry for create_workspace_key
+#   Blockchain0x::Resources::PaymentRequestSettleBody  typed proof tuple for payment_requests.settle
+#   Blockchain0x::Resources::PaymentCreateBody  typed body for payments.create
+#   Blockchain0x::VERSION                 gem version string
+
+# frozen_string_literal: true
+
+require_relative 'blockchain0x/version'
+require_relative 'blockchain0x/errors'
+require_relative 'blockchain0x/webhooks'
+# Client is required lazily so consumers who only use Webhooks do not
+# pay the Faraday load cost.
+
+module Blockchain0x
+  # @return [Class] Blockchain0x::Client (lazy-loaded)
+  def self.const_missing(name)
+    if name == :Client
+      require_relative 'blockchain0x/client'
+      const_get(:Client)
+    else
+      super
+    end
+  end
+end

metadata

@@ -0,0 +1,109 @@
+--- !ruby/object:Gem::Specification
+name: blockchain0x
+version: !ruby/object:Gem::Version
+  version: 0.0.1.alpha.0
+platform: ruby
+authors:
+- Blockchain0x
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2026-05-30 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.23'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.23'
+description: Non-custodial AI-agent wallet platform on Base - authenticate, read balances
+  + transactions, send + receive payments, and verify webhook signatures.
+email:
+- support@blockchain0x.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- lib/blockchain0x.rb
+- lib/blockchain0x/client.rb
+- lib/blockchain0x/errors.rb
+- lib/blockchain0x/resources/api_keys.rb
+- lib/blockchain0x/resources/payment_requests.rb
+- lib/blockchain0x/resources/payments.rb
+- lib/blockchain0x/resources/transactions.rb
+- lib/blockchain0x/version.rb
+- lib/blockchain0x/webhooks.rb
+homepage: https://blockchain0x.com
+licenses:
+- Apache-2.0
+metadata:
+  homepage_uri: https://blockchain0x.com
+  source_code_uri: https://github.com/Tosh-Labs/blockchain0x-app/tree/dev/packages/sdk-ruby
+  bug_tracker_uri: https://github.com/Tosh-Labs/blockchain0x-app/issues
+  documentation_uri: https://docs.blockchain0x.com
+  changelog_uri: https://github.com/Tosh-Labs/blockchain0x-ruby/blob/main/CHANGELOG.md
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.22
+signing_key:
+specification_version: 4
+summary: Official Ruby SDK for Blockchain0x
+test_files: []