@agent-score/commerce 1.0.0

package/dist/discovery/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/payment/networks.ts","../../src/payment/usdc.ts","../../src/payment/rails.ts","../../src/payment/directive.ts","../../src/payment/wwwauthenticate.ts","../../src/discovery/probe.ts","../../src/discovery/bazaar.ts","../../src/discovery/well_known_mpp.ts","../../src/discovery/llms_txt.ts","../../src/discovery/openapi.ts","../../src/discovery/robots_tag.ts"],"sourcesContent":["/**\n * Named network registry. Vendors reference symbolic names (`networks.base.mainnet.caip2`)\n * instead of magic strings. Lifted from agentscore-pay's constants.\n */\nexport const networks = {\n  base: {\n    mainnet: { caip2: 'eip155:8453' as const, chainId: 8453 },\n    sepolia: { caip2: 'eip155:84532' as const, chainId: 84532 },\n  },\n  solana: {\n    mainnet: { caip2: 'solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp' as const },\n    devnet: { caip2: 'solana:EtWTRABZaYq6iMfeYKouRu166VU2xqa1' as const },\n  },\n  tempo: {\n    mainnet: { caip2: 'eip155:4217' as const, chainId: 4217 },\n    testnet: { caip2: 'eip155:42431' as const, chainId: 42431 },\n  },\n} as const;\n\nexport type NetworkFamily = keyof typeof networks;\n\n/**\n * Returns the family name (base/solana/tempo) for a given CAIP-2 network string,\n * or null if the network isn't in the registry. Useful for routing settlement\n * by network.\n */\nexport function networkFamily(caip2: string): NetworkFamily | null {\n  if (caip2 === networks.base.mainnet.caip2 || caip2 === networks.base.sepolia.caip2) return 'base';\n  if (caip2 === networks.solana.mainnet.caip2 || caip2 === networks.solana.devnet.caip2) return 'solana';\n  if (caip2 === networks.tempo.mainnet.caip2 || caip2 === networks.tempo.testnet.caip2) return 'tempo';\n  if (caip2.startsWith('solana:')) return 'solana';\n  return null;\n}\n","/**\n * USDC token registry per network. Used by paymentDirective and rail definitions.\n * Lifted from agentscore-pay's constants.\n */\nexport const USDC = {\n  base: {\n    mainnet: { address: '0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913' as const, decimals: 6 },\n    sepolia: { address: '0x036CbD53842c5426634e7929541eC2318f3dCF7e' as const, decimals: 6 },\n  },\n  solana: {\n    mainnet: { mint: 'EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v', decimals: 6 },\n    devnet: { mint: '4zMMC9srt5Ri5X14GAgXhaHii3GnPAEERYPJgZJDncDU', decimals: 6 },\n  },\n  tempo: {\n    mainnet: { address: '0x20C000000000000000000000b9537d11c60E8b50' as const, decimals: 6 },\n    testnet: { address: '0x20c0000000000000000000000000000000000000' as const, decimals: 6 },\n  },\n} as const;\n","import { networks } from './networks';\nimport { USDC } from './usdc';\n\n/**\n * Symbolic rail names mapped to their protocol details. Vendors pass `rail: 'tempo-mainnet'`\n * to the directive builder and the SDK fills in method/network/decimals/currency from this\n * registry. Custom rails not in this registry can be passed by setting the lower-level\n * fields directly on the directive builder.\n */\nexport const rails = {\n  'tempo-mainnet': {\n    method: 'tempo',\n    network: networks.tempo.mainnet.caip2,\n    chainId: networks.tempo.mainnet.chainId,\n    currency: USDC.tempo.mainnet.address,\n    decimals: USDC.tempo.mainnet.decimals,\n    asset: USDC.tempo.mainnet.address,\n  },\n  'tempo-testnet': {\n    method: 'tempo',\n    network: networks.tempo.testnet.caip2,\n    chainId: networks.tempo.testnet.chainId,\n    currency: USDC.tempo.testnet.address,\n    decimals: USDC.tempo.testnet.decimals,\n    asset: USDC.tempo.testnet.address,\n  },\n  'x402-base-mainnet': {\n    method: 'x402',\n    network: networks.base.mainnet.caip2,\n    chainId: networks.base.mainnet.chainId,\n    currency: USDC.base.mainnet.address,\n    decimals: USDC.base.mainnet.decimals,\n    asset: USDC.base.mainnet.address,\n  },\n  'x402-base-sepolia': {\n    method: 'x402',\n    network: networks.base.sepolia.caip2,\n    chainId: networks.base.sepolia.chainId,\n    currency: USDC.base.sepolia.address,\n    decimals: USDC.base.sepolia.decimals,\n    asset: USDC.base.sepolia.address,\n  },\n  // Upto rails — pay UP TO a max amount (Permit2-based, vs EIP-3009 for exact). Use for\n  // variable-cost APIs where the actual cost depends on output (LLM tokens, bandwidth, etc.).\n  // Only available on EVM networks; Solana svm doesn't ship an upto scheme yet.\n  'x402-base-mainnet-upto': {\n    method: 'x402-upto',\n    network: networks.base.mainnet.caip2,\n    chainId: networks.base.mainnet.chainId,\n    currency: USDC.base.mainnet.address,\n    decimals: USDC.base.mainnet.decimals,\n    asset: USDC.base.mainnet.address,\n  },\n  'x402-base-sepolia-upto': {\n    method: 'x402-upto',\n    network: networks.base.sepolia.caip2,\n    chainId: networks.base.sepolia.chainId,\n    currency: USDC.base.sepolia.address,\n    decimals: USDC.base.sepolia.decimals,\n    asset: USDC.base.sepolia.address,\n  },\n  'x402-solana-mainnet': {\n    method: 'x402',\n    network: networks.solana.mainnet.caip2,\n    currency: USDC.solana.mainnet.mint,\n    decimals: USDC.solana.mainnet.decimals,\n    asset: USDC.solana.mainnet.mint,\n  },\n  'x402-solana-devnet': {\n    method: 'x402',\n    network: networks.solana.devnet.caip2,\n    currency: USDC.solana.devnet.mint,\n    decimals: USDC.solana.devnet.decimals,\n    asset: USDC.solana.devnet.mint,\n  },\n  'stripe-spt': {\n    method: 'stripe',\n    currency: 'usd',\n    decimals: 2,\n  },\n} as const;\n\nexport type RailName = keyof typeof rails;\n\nexport interface RailDefinition {\n  method: string;\n  network?: string;\n  chainId?: number;\n  currency: string;\n  decimals: number;\n  asset?: string;\n}\n\n/**\n * Lookup a rail definition by symbolic name. Returns undefined if the rail isn't in\n * the registry — vendors with custom rails should pass the low-level fields directly.\n */\nexport function lookupRail(name: string): RailDefinition | undefined {\n  return rails[name as RailName] as RailDefinition | undefined;\n}\n","import { lookupRail } from './rails';\n\nexport interface PaymentRequestInput {\n  /** Symbolic rail name (e.g., 'tempo-mainnet', 'x402-base-mainnet') — fills in defaults */\n  rail?: string;\n  /** Amount in USD as a number or string. Converted to raw integer using `decimals`. */\n  amountUsd: string | number;\n  /** Token contract address or currency code. Defaults from rail. */\n  currency?: string;\n  /** Decimal precision for the amount. Defaults from rail (6 for USDC, 2 for USD). */\n  decimals?: number;\n  /** Recipient address (on-chain). Optional for stripe-style rails. */\n  recipient?: string;\n  /** EVM chain ID (goes into methodDetails.chainId). Defaults from rail. */\n  chainId?: number;\n  /** Stripe profile_id or similar (goes into methodDetails.networkId — note camelCase per link-cli's mpp decode validator). */\n  networkId?: string;\n}\n\n/**\n * Build the base64-encoded `request` blob for an MPP Payment directive (per the\n * paymentauth.org spec). Output shape matches what link-cli `mpp decode` expects:\n *\n *   { amount: \"<raw_integer>\", currency: \"<token>\", recipient?: \"<addr>\",\n *     methodDetails?: { chainId?: number, networkId?: string } }\n */\nexport function buildPaymentRequestBlob(input: PaymentRequestInput): string {\n  const railDef = input.rail ? lookupRail(input.rail) : undefined;\n  const decimals = input.decimals ?? railDef?.decimals ?? 6;\n  const currency = input.currency ?? railDef?.currency ?? 'usd';\n  const chainId = input.chainId ?? railDef?.chainId;\n\n  const amountNum = typeof input.amountUsd === 'string' ? Number(input.amountUsd) : input.amountUsd;\n  const amountRaw = BigInt(Math.round(amountNum * 10 ** decimals)).toString();\n  const blob: Record<string, unknown> = { amount: amountRaw, currency, decimals };\n  if (input.recipient) blob.recipient = input.recipient;\n  const methodDetails: Record<string, unknown> = {};\n  if (chainId !== undefined) methodDetails.chainId = chainId;\n  if (input.networkId) methodDetails.networkId = input.networkId;\n  if (Object.keys(methodDetails).length > 0) blob.methodDetails = methodDetails;\n  return Buffer.from(JSON.stringify(blob)).toString('base64url');\n}\n\nexport interface PaymentDirectiveInput {\n  /** Symbolic rail name — sets `method` automatically */\n  rail?: string;\n  /** Challenge id (unique per request, used to correlate retries) */\n  id: string;\n  /** Realm — the host of the merchant URL (e.g., \"agents.merchant.example\") */\n  realm: string;\n  /** MPP method name. Defaults from rail (e.g., 'tempo', 'stripe'). */\n  method?: string;\n  /** MPP intent. Defaults to 'charge'. */\n  intent?: string;\n  /** ISO-8601 expiry timestamp. Defaults to now + 5 minutes. */\n  expires?: string;\n  /** Base64-encoded request blob. Pass the result of buildPaymentRequestBlob. */\n  request: string;\n}\n\n/**\n * Format an MPP Payment directive string for the WWW-Authenticate header.\n * Output shape: `Payment id=\"...\", realm=\"...\", method=\"...\", intent=\"charge\",\n *                expires=\"...\", request=\"<base64>\"`\n */\nexport function paymentDirective(input: PaymentDirectiveInput): string {\n  const railDef = input.rail ? lookupRail(input.rail) : undefined;\n  const method = input.method ?? railDef?.method ?? 'unknown';\n  const intent = input.intent ?? 'charge';\n  const expires = input.expires ?? new Date(Date.now() + 5 * 60 * 1000).toISOString();\n  return `Payment id=\"${input.id}\", realm=\"${input.realm}\", method=\"${method}\", intent=\"${intent}\", expires=\"${expires}\", request=\"${input.request}\"`;\n}\n\nexport interface BuildPaymentDirectiveInput\n  extends Omit<PaymentRequestInput, 'rail'>,\n    Omit<PaymentDirectiveInput, 'request'> {\n  rail: string;\n}\n\n/**\n * Convenience: build the request blob and the directive in one call. Most vendors\n * want this rather than the two-step form.\n */\nexport function buildPaymentDirective(input: BuildPaymentDirectiveInput): string {\n  const request = buildPaymentRequestBlob({\n    rail: input.rail,\n    amountUsd: input.amountUsd,\n    currency: input.currency,\n    decimals: input.decimals,\n    recipient: input.recipient,\n    chainId: input.chainId,\n    networkId: input.networkId,\n  });\n  return paymentDirective({\n    rail: input.rail,\n    id: input.id,\n    realm: input.realm,\n    method: input.method,\n    intent: input.intent,\n    expires: input.expires,\n    request,\n  });\n}\n","/**\n * Joins multiple Payment directives into a single WWW-Authenticate header value.\n * Per RFC 7235, multiple challenges are comma-separated.\n */\nexport function wwwAuthenticateHeader(directives: string[]): string {\n  return directives.join(', ');\n}\n\nexport interface PaymentRequiredHeaderInput {\n  x402Version: 1 | 2;\n  accepts: unknown[];\n  resource?: { url: string; mimeType?: string };\n}\n\n/**\n * Add the v1↔v2 amount-field alias to each accepts entry. Idempotent. Used by both\n * `paymentRequiredHeader` (header emit) and `build402Body` (body emit) so every\n * x402 entry on the wire carries BOTH `amount` (v2 spec) AND `maxAmountRequired`\n * (v1 spec) — strict v1-only parsers (e.g. Coinbase awal at `payments-mcp.coinbase.com`,\n * which is hardcoded to read `maxAmountRequired`) work alongside strict v2 parsers,\n * which ignore the alias.\n */\nexport function aliasAmountFields(accepts: unknown[]): unknown[] {\n  return accepts.map((entry) => {\n    if (entry === null || typeof entry !== 'object') return entry;\n    const e = entry as Record<string, unknown>;\n    const hasAmount = e.amount !== undefined;\n    const hasMaxAmount = e.maxAmountRequired !== undefined;\n    if (hasAmount && !hasMaxAmount) return { ...e, maxAmountRequired: e.amount };\n    if (hasMaxAmount && !hasAmount) return { ...e, amount: e.maxAmountRequired };\n    return e;\n  });\n}\n\n/**\n * Encode the standard x402 PAYMENT-REQUIRED header (base64-encoded JSON of the\n * PaymentRequired object). Clients that recognize the header (`@x402/fetch`,\n * `@x402/core` HTTPClient, `agentscore-pay`) prefer it over body fields.\n *\n * Note: do NOT add a v1↔v2 amount-field alias here. `@x402/core`'s\n * `findMatchingRequirements` uses `deepEqual` against the agent's signed\n * `accepted` payload — any field present on one side and missing on the other\n * (e.g. `maxAmountRequired` on the wire body but not in `buildPaymentRequirements`'s\n * output) makes the match silently fail at settle time. Keep `accepts` shape\n * identical to whatever `buildPaymentRequirements` produces server-side.\n */\nexport function paymentRequiredHeader(input: PaymentRequiredHeaderInput): string {\n  return Buffer.from(JSON.stringify(input)).toString('base64');\n}\n","import { buildPaymentRequestBlob, paymentDirective } from '../payment/directive';\nimport { networks } from '../payment/networks';\nimport { USDC } from '../payment/usdc';\nimport { paymentRequiredHeader } from '../payment/wwwauthenticate';\n\n/** Placeholder payTo for x402 sample accepts in the discovery probe — the probe\n *  exists for crawlers to find that we support x402, not for actual payment. The\n *  real 402 (returned on a fully-formed request body) carries real deposit\n *  addresses minted from a Stripe PaymentIntent. */\nconst ZERO_EVM_PAYTO = '0x0000000000000000000000000000000000000000';\nconst ZERO_SOLANA_PAYTO = '11111111111111111111111111111111';\n\n/**\n * Build a sample x402 accepts entry for a CAIP-2 network. Looks up the USDC asset\n * for the network from the `USDC` registry and uses a placeholder payTo. Used by\n * the discovery probe to advertise x402 support without exposing real deposit\n * addresses.\n *\n * Returns null when the network isn't in the registry — vendors with custom\n * networks should construct accepts entries by hand and pass them via\n * `x402Sample.accepts` directly.\n */\nexport function sampleX402AcceptForNetwork(\n  caip2: string,\n  amountAtomic: string = '1000000',\n): Record<string, unknown> | null {\n  if (caip2 === networks.base.mainnet.caip2) {\n    return {\n      scheme: 'exact',\n      network: caip2,\n      amount: amountAtomic,\n      asset: USDC.base.mainnet.address,\n      payTo: ZERO_EVM_PAYTO,\n      maxTimeoutSeconds: 300,\n      extra: { name: 'USDC', version: '2' },\n    };\n  }\n  if (caip2 === networks.base.sepolia.caip2) {\n    return {\n      scheme: 'exact',\n      network: caip2,\n      amount: amountAtomic,\n      asset: USDC.base.sepolia.address,\n      payTo: ZERO_EVM_PAYTO,\n      maxTimeoutSeconds: 300,\n      extra: { name: 'USDC', version: '2' },\n    };\n  }\n  if (caip2 === networks.solana.mainnet.caip2) {\n    return {\n      scheme: 'exact',\n      network: caip2,\n      amount: amountAtomic,\n      asset: USDC.solana.mainnet.mint,\n      payTo: ZERO_SOLANA_PAYTO,\n      maxTimeoutSeconds: 300,\n    };\n  }\n  if (caip2 === networks.solana.devnet.caip2) {\n    return {\n      scheme: 'exact',\n      network: caip2,\n      amount: amountAtomic,\n      asset: USDC.solana.devnet.mint,\n      payTo: ZERO_SOLANA_PAYTO,\n      maxTimeoutSeconds: 300,\n    };\n  }\n  return null;\n}\n\nexport interface DiscoveryProbeOptions {\n  /** Realm — typically the host of your merchant URL (e.g., \"agents.merchant.example\"). */\n  realm: string;\n  /** Symbolic rail name to advertise in the sample challenge (e.g., 'tempo-mainnet'). */\n  sampleRail: string;\n  /** Sample amount in USD for the probe (e.g., 1.00). Crawlers use this as an example. */\n  sampleAmountUsd: number;\n  /** A recipient address to use in the sample directive (your real or zero address is fine). */\n  sampleRecipient: string;\n  /** MPP intent. Defaults to 'charge'. */\n  intent?: string;\n  /** TTL for the probe challenge in seconds. Defaults to 300 (5 minutes). */\n  ttlSeconds?: number;\n  /** Optional URL to include in the body for further docs (e.g., your llms.txt). */\n  docsUrl?: string;\n  /** Optional human-readable message in the body. */\n  message?: string;\n  /** Optional sample x402 accepts entries. When provided, the probe response also\n   *  carries the standard x402 `payment-required` header (base64 PaymentRequired) AND\n   *  an `accepts` array in the body — so x402 crawlers (e.g. Coinbase awal's\n   *  `x402 details`/`x402 pay`) can discover the endpoint's x402 support without\n   *  needing to send a fully-formed business request. Each entry is run through\n   *  `aliasAmountFields` so v1-only parsers can read `maxAmountRequired` too.\n   *\n   *  Pass `networks` (shorthand) for the common case — the helper looks up USDC\n   *  per network from the registry and uses placeholder payTo addresses. Or pass\n   *  `accepts` directly for full control over the sample shape. */\n  x402Sample?: {\n    /** Spec version to declare. Defaults to 2. */\n    version?: 1 | 2;\n    /** Shorthand: array of CAIP-2 network strings. Each is mapped to a sample\n     *  USDC accepts entry via `sampleX402AcceptForNetwork`. Networks not in the\n     *  USDC registry are silently skipped. Use `accepts` for custom shapes. */\n    networks?: string[];\n    /** Sample accepts entries. Used when `networks` shorthand isn't enough.\n     *  Supplied entries are NOT merged with `networks`-derived entries — pick\n     *  one or the other. */\n    accepts?: unknown[];\n    /** Sample atomic amount used by the `networks` shorthand. Defaults to\n     *  `'1000000'` ($1.00 USDC at 6 decimals). Ignored when `accepts` is set. */\n    amountAtomic?: string;\n    /** Resource URL the probe is responding for. Used in the PAYMENT-REQUIRED header. */\n    resourceUrl?: string;\n  };\n}\n\nexport interface DiscoveryProbeResponse {\n  status: 402;\n  headers: Record<string, string>;\n  body: string;\n}\n\n/**\n * Build a 402 response advertising a sample Payment challenge. MPP crawlers\n * (mppscan, link-cli mpp decode) probe with empty bodies; merchants need to answer\n * with a properly-formatted Payment directive so the realm can be indexed.\n *\n * Returns a framework-agnostic response shape. Wrap in your framework's response:\n *\n *   const probe = buildDiscoveryProbeResponse({...});\n *   return new Response(probe.body, { status: probe.status, headers: probe.headers });\n */\nexport function buildDiscoveryProbeResponse(opts: DiscoveryProbeOptions): DiscoveryProbeResponse {\n  const probeId = `probe_${Date.now()}`;\n  const expires = new Date(Date.now() + (opts.ttlSeconds ?? 300) * 1000).toISOString();\n  const request = buildPaymentRequestBlob({\n    rail: opts.sampleRail,\n    amountUsd: opts.sampleAmountUsd,\n    recipient: opts.sampleRecipient,\n  });\n  const directive = paymentDirective({\n    rail: opts.sampleRail,\n    id: probeId,\n    realm: opts.realm,\n    intent: opts.intent,\n    expires,\n    request,\n  });\n\n  const bodyObj: Record<string, unknown> = {\n    error: {\n      code: 'payment_required',\n      message: opts.message ?? 'This endpoint requires payment. Send a valid request body to receive a full challenge.',\n    },\n    discovery: true,\n    ...(opts.docsUrl ? { docs: opts.docsUrl } : {}),\n  };\n  const headers: Record<string, string> = {\n    'content-type': 'application/json',\n    'www-authenticate': directive,\n  };\n\n  if (opts.x402Sample) {\n    const x402Version = opts.x402Sample.version ?? 2;\n    const sampleAccepts = opts.x402Sample.accepts\n      ?? (opts.x402Sample.networks ?? [])\n        .map((n) => sampleX402AcceptForNetwork(n, opts.x402Sample!.amountAtomic ?? '1000000'))\n        .filter((e): e is Record<string, unknown> => e !== null);\n    // paymentRequiredHeader applies aliasAmountFields internally; do the same for\n    // the body's `accepts` so v1-only parsers (Coinbase awal at payments-mcp.coinbase.com)\n    // and v2-strict parsers can both read either field name.\n    headers['payment-required'] = paymentRequiredHeader({\n      x402Version,\n      accepts: sampleAccepts,\n      ...(opts.x402Sample.resourceUrl\n        ? { resource: { url: opts.x402Sample.resourceUrl, mimeType: 'application/json' } }\n        : {}),\n    });\n    // Also embed in body for clients that read body-level accepts (e.g. awal x402 details\n    // falls back from header → body when the header isn't present).\n    bodyObj.x402Version = x402Version;\n    // Reuse the header's already-aliased accepts so the body matches.\n    const headerJson = JSON.parse(Buffer.from(headers['payment-required'], 'base64').toString('utf-8'));\n    bodyObj.accepts = headerJson.accepts;\n  }\n\n  return {\n    status: 402,\n    headers,\n    body: JSON.stringify(bodyObj),\n  };\n}\n\nexport interface RequestLike {\n  method: string;\n  headers: { get(name: string): string | null };\n  clone(): { text(): Promise<string> };\n}\n\n/**\n * Returns true when the request is an empty-body POST without a payment credential —\n * the canonical MPP discovery probe pattern. Vendors compose this with\n * buildDiscoveryProbeResponse to short-circuit crawler requests before any business\n * logic runs.\n */\nexport async function isDiscoveryProbeRequest(req: RequestLike): Promise<boolean> {\n  if (req.method !== 'POST') return false;\n  const auth = req.headers.get('authorization');\n  if (auth?.startsWith('Payment ')) return false;\n  const body = await req.clone().text();\n  return !body || body === '{}';\n}\n","/**\n * Bazaar discovery extension wrapper. Vendors pass their merchant config and we wrap\n * `declareDiscoveryExtension` from `@x402/extensions/bazaar`. The returned value is\n * registered on the x402 server (e.g., via `createX402Server({bazaar: true})` or\n * `server.registerExtension(...)`).\n *\n * `@x402/extensions` is an optional peer dependency.\n */\nexport interface BazaarDiscoveryConfig {\n  bodyType?: 'json' | 'form';\n  input?: Record<string, unknown>;\n  output?: Record<string, unknown>;\n  [key: string]: unknown;\n}\n\ninterface BazaarModule {\n  declareDiscoveryExtension?: (config: BazaarDiscoveryConfig) => unknown;\n}\n\nexport async function createBazaarDiscovery(config: BazaarDiscoveryConfig): Promise<unknown> {\n  const bazaar = await dynamicImport<BazaarModule>('@x402/extensions/bazaar');\n  if (!bazaar?.declareDiscoveryExtension) {\n    throw new Error(\n      '@x402/extensions not installed — `npm install @x402/extensions` for createBazaarDiscovery.',\n    );\n  }\n  return bazaar.declareDiscoveryExtension(config);\n}\n\nasync function dynamicImport<T>(moduleName: string): Promise<T | null> {\n  try {\n    return (await import(moduleName)) as T;\n  } catch {\n    return null;\n  }\n}\n","export interface PaymentMethodConfig {\n  /** MPP payment methods accepted, e.g., ['tempo', 'x402', 'stripe']. */\n  methods: string[];\n  /** x402-specific config (when 'x402' is in methods). */\n  x402?: {\n    networks: string[];\n    scheme?: string;\n    asset?: string;\n    facilitator?: string;\n    client_tooling?: string;\n  };\n  /** Identity headers accepted (e.g., ['X-Operator-Token', 'X-Wallet-Address']). */\n  identity?: string[];\n  /** Per-identity-path metadata for agents. */\n  identity_paths?: {\n    wallet?: { header: string; applies_to_rails: string[]; note?: string };\n    operator_token?: { header: string; applies_to_rails: string[]; note?: string };\n  };\n  /** Compliance policy summary for agents to know what they need before purchasing. */\n  compliance?: {\n    require_kyc?: boolean;\n    min_age?: number;\n    allowed_jurisdictions?: string[];\n    require_sanctions_clear?: boolean;\n  };\n  /** Required fields in the request body. */\n  required_fields?: string[];\n  /** Optional fields in the request body. */\n  optional_fields?: string[];\n  /** Vendor-specific extras merged into the purchase block (e.g., gift_note metadata). */\n  extra?: Record<string, unknown>;\n}\n\nexport interface WellKnownMppInput {\n  /** Merchant display name. */\n  name: string;\n  /** Short description (1-2 sentences). */\n  description?: string;\n  /** Canonical merchant URL. */\n  url: string;\n  /** OpenAPI doc URL (typically `${url}/openapi.json`). */\n  openapi?: string;\n  /** Endpoints map: path → {method, url}. */\n  endpoints: Record<string, { method: string; url: string }>;\n  /** Catalog metadata (categories, etc). Optional. */\n  catalog?: Record<string, unknown>;\n  /** Purchase flow details (payment methods, identity, compliance). */\n  purchase: PaymentMethodConfig;\n  /** Shipping policy (countries, restrictions). */\n  shipping?: Record<string, unknown>;\n  /** Vendor-specific extra fields merged at the top level. */\n  extra?: Record<string, unknown>;\n}\n\n/**\n * Build the standard `.well-known/mpp.json` discovery document. Lift the boilerplate\n * (payment.methods, payment.identity_paths, payment.compliance) into a typed config so\n * vendors get spec-compliance \"for free\"; merchant-specific fields (catalog, shipping)\n * pass through.\n *\n * Wire it in your framework like:\n *   app.get('/.well-known/mpp.json', (c) => c.json(buildWellKnownMpp({...})));\n */\nexport function buildWellKnownMpp(input: WellKnownMppInput): Record<string, unknown> {\n  return {\n    name: input.name,\n    ...(input.description ? { description: input.description } : {}),\n    url: input.url,\n    ...(input.openapi ? { openapi: input.openapi } : {}),\n    endpoints: input.endpoints,\n    ...(input.catalog ? { catalog: input.catalog } : {}),\n    purchase: {\n      ...(input.purchase.required_fields ? { required_fields: input.purchase.required_fields } : {}),\n      ...(input.purchase.optional_fields ? { optional_fields: input.purchase.optional_fields } : {}),\n      ...(input.purchase.extra ?? {}),\n      ...(input.purchase.identity ? { identity: input.purchase.identity } : {}),\n      ...(input.purchase.identity_paths ? { identity_paths: input.purchase.identity_paths } : {}),\n      payment_methods: input.purchase.methods,\n      ...(input.purchase.x402 ? { x402: input.purchase.x402 } : {}),\n      ...(input.purchase.compliance ? { compliance: input.purchase.compliance } : {}),\n    },\n    ...(input.shipping ? { shipping: input.shipping } : {}),\n    ...(input.extra ?? {}),\n  };\n}\n","export interface LlmsTxtIdentitySectionInput {\n  /** When true, include the AgentScore identity-paths explanation (wallet vs operator-token). */\n  agentscore?: boolean;\n  /** Compliance policy to mention (KYC, age, jurisdiction). */\n  compliance?: {\n    require_kyc?: boolean;\n    min_age?: number;\n    allowed_jurisdictions?: string[];\n    require_sanctions_clear?: boolean;\n  };\n}\n\n/**\n * Generate the standard \"Choose your identity header\" section for an AgentScore-gated\n * merchant's llms.txt. Explains wallet-auth vs operator-token paths + the cross-merchant\n * memory contract so agents know how to authenticate without reading the API docs.\n */\nexport function llmsTxtIdentitySection(input: LlmsTxtIdentitySectionInput = {}): string {\n  if (!input.agentscore) {\n    return '';\n  }\n  const compliance = input.compliance;\n  const complianceNote = compliance\n    ? `\\n\\nCompliance: ${[\n        compliance.require_kyc ? 'KYC required' : null,\n        compliance.min_age ? `age ${compliance.min_age}+` : null,\n        compliance.allowed_jurisdictions?.length\n          ? `${compliance.allowed_jurisdictions.join('/')} only`\n          : null,\n        compliance.require_sanctions_clear ? 'sanctions clear' : null,\n      ]\n        .filter(Boolean)\n        .join(', ')}.`\n    : '';\n  return `## Choose your identity header\n\nAgentScore provides cross-merchant identity — one KYC works for every AgentScore-gated endpoint, no re-verification per site. Pick the right header based on how you plan to pay:\n\n- **Wallet-auth** (preferred for agents with a stable crypto wallet): send \\`X-Wallet-Address: 0x...\\`. Only works on rails that carry a wallet signature — Tempo MPP and x402 EIP-3009. The wallet you claim MUST sign the payment; we verify that the payment signer resolves to the same operator as the claimed wallet. No TTL, no rotation.\n- **Operator-token** (works for every rail): send \\`X-Operator-Token: opc_...\\`. Required when paying with Stripe SPT or card (those rails have no wallet signer). Reusable across every AgentScore merchant until the token expires.\n- **Neither**: you'll get 403 with \\`verify_url\\` + \\`poll_secret\\` — complete the session flow once, then reuse the credential (or any wallet that pays under it) forever.\n\nIf you reach another AgentScore-gated endpoint in the future, the same credential and/or any linked wallet already works — skip the session flow.\n\n## Memory contract\n\nFirst-encounter 403 responses (and the POST /v1/sessions success body) include an \\`agent_memory\\` block describing how AgentScore identity works across merchants. LLM-hosted agents should persist its contents (the pattern, never secrets) so subsequent AgentScore-gated endpoints become returning-customer encounters.${complianceNote}`;\n}\n\nexport interface LlmsTxtPaymentSectionInput {\n  /** Symbolic rail names supported. */\n  rails: ('tempo-mainnet' | 'tempo-testnet' | 'x402-base-mainnet' | 'x402-base-sepolia' | 'x402-solana-mainnet' | 'x402-solana-devnet' | 'stripe-spt' | string)[];\n  /** Merchant URL — used in the example commands. */\n  appUrl: string;\n  /**\n   * When true, emit the verbose multi-step variant: setup commands per rail, full per-rail\n   * payment-command examples, and warnings about footguns. Default false (one-line bullet per rail).\n   * Use this when llms.txt is the primary integration doc the agent reads.\n   */\n  verbose?: boolean;\n  /** When verbose, the Tempo network name to mention in the prerequisites. Default 'tempo-mainnet'. */\n  tempoNetworkName?: string;\n  /** When verbose, the Tempo chain id to mention in the prerequisites. Default 4217. */\n  tempoChainId?: number;\n}\n\n/**\n * Generate the standard \"## Payment\" section for a merchant's llms.txt. Documents the\n * supported rails with concrete CLI examples (tempo request, agentscore-pay, link-cli)\n * per the configured rail set.\n *\n * Pass `verbose: true` for the rich variant — multi-step setup + multi-line command examples +\n * exact-amount warnings. Default is the compact one-bullet-per-rail form.\n */\nexport function llmsTxtPaymentSection(input: LlmsTxtPaymentSectionInput): string {\n  return input.verbose ? llmsTxtPaymentSectionVerbose(input) : llmsTxtPaymentSectionCompact(input);\n}\n\nfunction hasRailFamily(rails: string[], prefix: string): boolean {\n  return rails.some(r => r.startsWith(prefix));\n}\n\nfunction isTestnetRail(rails: string[], prefix: string): boolean {\n  return rails.some(r => r.startsWith(prefix) && /(sepolia|devnet|moderato|testnet)/.test(r));\n}\n\nfunction llmsTxtPaymentSectionCompact(input: LlmsTxtPaymentSectionInput): string {\n  const lines: string[] = ['## Payment', ''];\n  const rails = input.rails;\n  if (hasRailFamily(rails, 'tempo-')) {\n    lines.push('- **Tempo USDC via MPP** — `tempo request -X POST -H \"X-Operator-Token: opc_...\" --json \\'{...}\\' --max-spend N ' + input.appUrl + '`');\n  }\n  if (hasRailFamily(rails, 'x402-base-')) {\n    lines.push('- **x402 USDC on Base** (EIP-3009) — `agentscore-pay pay POST ' + input.appUrl + ' --chain base -H \"X-Operator-Token: opc_...\" -d \\'{...}\\'`');\n  }\n  if (hasRailFamily(rails, 'x402-solana-')) {\n    lines.push('- **x402 USDC on Solana** (SPL Token) — `agentscore-pay pay POST ' + input.appUrl + ' --chain solana -H \"X-Operator-Token: opc_...\" -d \\'{...}\\'`');\n  }\n  if (rails.includes('stripe-spt')) {\n    lines.push('- **Stripe Shared Payment Token** — agent mints SPT (own Stripe account scoped to networkId, OR `link-cli spend-request create --credential-type shared_payment_token --network-id <profileId> ...`)');\n  }\n  lines.push('');\n  lines.push('IMPORTANT: Do NOT use raw on-chain transfers. Use the CLI commands above so the payment credential is signed and submitted via the protocol handshake.');\n  lines.push('');\n  return lines.join('\\n');\n}\n\nfunction llmsTxtPaymentSectionVerbose(input: LlmsTxtPaymentSectionInput): string {\n  const rails = input.rails;\n  const tempoNetwork = input.tempoNetworkName ?? 'tempo-mainnet';\n  const tempoChain = input.tempoChainId ?? 4217;\n  const hasTempo = hasRailFamily(rails, 'tempo-');\n  const hasBase = hasRailFamily(rails, 'x402-base-');\n  const hasSolana = hasRailFamily(rails, 'x402-solana-');\n  const hasStripe = rails.includes('stripe-spt');\n  const baseNetworkName = isTestnetRail(rails, 'x402-base-') ? 'Base Sepolia' : 'Base';\n  const solanaNetworkName = isTestnetRail(rails, 'x402-solana-') ? 'Solana devnet' : 'Solana';\n\n  const lines: string[] = ['## Payment', ''];\n  lines.push('This is an agent-first API. All payments are initiated and completed by agents. The 402 challenge advertises:');\n  lines.push('');\n  if (hasTempo) lines.push('- **Tempo USDC via MPP** (on-chain stablecoin)');\n  if (hasBase || hasSolana) {\n    const chains = [hasBase && `${baseNetworkName} (EIP-3009)`, hasSolana && `${solanaNetworkName} (SPL Token)`].filter(Boolean).join(' and ');\n    lines.push(`- **x402 USDC** on ${chains}, via the Coinbase facilitator`);\n  }\n  if (hasStripe) lines.push('- **Stripe Shared Payment Token** (agent mints SPT on their Stripe account scoped to our networkId in the challenge, submits it in the credential)');\n  lines.push('');\n\n  if (hasTempo) {\n    lines.push('### How to pay with Tempo');\n    lines.push('');\n    lines.push('1. Install the Tempo CLI: curl -fsSL https://tempo.xyz/install | bash');\n    lines.push('2. Log in to your Tempo Wallet: tempo wallet login (passkey auth in browser)');\n    lines.push(`3. Confirm your balance: tempo wallet whoami (need USDC.e on ${tempoNetwork}, chain ${tempoChain})`);\n    lines.push('4. If balance is zero, fund it: tempo wallet fund');\n    lines.push('');\n    lines.push('Then use `tempo request` to make the paid purchase:');\n    lines.push('');\n    lines.push('tempo request -X POST \\\\');\n    lines.push('  -H \"X-Operator-Token: opc_your_credential\" \\\\');\n    lines.push('  -H \"Content-Type: application/json\" \\\\');\n    lines.push(\"  --json '{...}' \\\\\");\n    lines.push('  --max-spend N \\\\');\n    lines.push(`  ${input.appUrl}`);\n    lines.push('');\n    lines.push(`\\`tempo request\\` handles the full MPP handshake: sends the POST, receives the 402 challenge, signs the payment on ${tempoNetwork}, submits the credential, and returns the completed order.`);\n    lines.push('');\n  }\n\n  if (hasBase || hasSolana) {\n    const chainsLabel = [hasBase && baseNetworkName, hasSolana && solanaNetworkName].filter(Boolean).join(' or ');\n    const flags = [hasBase && '`--chain base`', hasSolana && '`--chain solana`'].filter(Boolean).join(' or ');\n    lines.push(`### How to pay with x402 (${chainsLabel})`);\n    lines.push('');\n    lines.push('1. Install the agentscore-pay CLI: npm install -g @agent-score/pay  (or: brew install agentscore/tap/agentscore-pay)');\n    lines.push(`2. Create a wallet on your chain of choice: agentscore-pay wallet create ${flags}`);\n    lines.push(`3. Fund the printed address with USDC on ${chainsLabel}`);\n    lines.push(`4. Confirm balance: agentscore-pay balance ${flags}`);\n    lines.push('');\n    lines.push('Then submit the paid purchase:');\n    lines.push('');\n    lines.push(`agentscore-pay pay POST ${input.appUrl} \\\\`);\n    lines.push(`  ${hasBase ? '--chain base' : '--chain solana'} \\\\`);\n    lines.push('  -H \"X-Operator-Token: opc_your_credential\" \\\\');\n    lines.push('  -H \"Content-Type: application/json\" \\\\');\n    lines.push(\"  -d '{...}' \\\\\");\n    lines.push('  --max-spend N');\n    lines.push('');\n    const handshakeChains = [hasBase && 'EIP-3009 (Base)', hasSolana && 'SPL Token (Solana)'].filter(Boolean).join(' or ');\n    lines.push(`The CLI handles the full x402 handshake: hits the URL, parses the 402 challenge, signs the ${handshakeChains} transaction, submits via X-Payment header, and returns the completed order.`);\n    lines.push('');\n  }\n\n  if (hasStripe) {\n    lines.push('### How to pay with Stripe SPT');\n    lines.push('');\n    lines.push('Mint a SharedPaymentToken scoped to the profile_id advertised in `accepted_methods.stripe.profile_id`, then submit via `Authorization: Payment` MPP header with `method=stripe/charge`. Either bring your own Stripe account or use `link-cli spend-request create --credential-type shared_payment_token --network-id <profileId> ...` for users with Stripe Link wallets.');\n    lines.push('');\n  }\n\n  lines.push('IMPORTANT: Do NOT use `tempo wallet transfer` or send USDC manually to the x402 deposit addresses — those bypass the payment handshake and your order will stay in pending_identity.');\n  if (hasBase || hasSolana) {\n    lines.push('IMPORTANT: x402 payments must be the exact amount specified in the 402 challenge. Overpayments and underpayments cannot be matched and funds may be unrecoverable.');\n  }\n  lines.push('');\n  return lines.join('\\n');\n}\n\nexport interface BuildLlmsTxtInput {\n  merchantName: string;\n  /** Optional 1-line summary under the title. */\n  tagline?: string;\n  /** Custom merchant-written sections (intro, endpoints, terms, etc.). */\n  sections: { heading: string; content: string }[];\n  /** Append the AgentScore identity section. */\n  agentscoreIdentity?: LlmsTxtIdentitySectionInput;\n  /** Append the standard payment section. */\n  payment?: LlmsTxtPaymentSectionInput;\n}\n\n/**\n * Assemble a complete llms.txt document. Vendor passes their merchant-specific sections\n * (intro, catalog, endpoints, gift orders, shipping, etc.); the helper adds the AgentScore\n * identity + payment boilerplate at the end. Returns the full markdown string.\n */\nexport function buildLlmsTxt(input: BuildLlmsTxtInput): string {\n  const parts: string[] = [`# ${input.merchantName}`];\n  if (input.tagline) {\n    parts.push(`> ${input.tagline}`);\n  }\n  parts.push('');\n  for (const s of input.sections) {\n    parts.push(`## ${s.heading}`);\n    parts.push('');\n    parts.push(s.content);\n    parts.push('');\n  }\n  if (input.agentscoreIdentity) {\n    parts.push(llmsTxtIdentitySection(input.agentscoreIdentity));\n    parts.push('');\n  }\n  if (input.payment) {\n    parts.push(llmsTxtPaymentSection(input.payment));\n  }\n  return parts.join('\\n');\n}\n","/**\n * OpenAPI snippets for AgentScore-related concepts. Vendors plug these into their own\n * OpenAPI 3.1 document (typically /openapi.json) so MPPScan and similar agent registries\n * can validate the merchant's auth + denial schemas correctly.\n *\n * Each helper returns a piece of an OpenAPI document — vendors compose them into their\n * full spec.\n */\n\n/**\n * Standard AgentScore identity security schemes. Plug into `components.securitySchemes`.\n */\nexport function agentscoreSecuritySchemes(): Record<string, unknown> {\n  return {\n    OperatorToken: {\n      type: 'apiKey',\n      in: 'header',\n      name: 'X-Operator-Token',\n      description:\n        'Operator-token-path identity (opc_...). Works on every payment rail; reusable across AgentScore merchants. If both X-Operator-Token and X-Wallet-Address are sent, this one wins.',\n    },\n    WalletAddress: {\n      type: 'apiKey',\n      in: 'header',\n      name: 'X-Wallet-Address',\n      description:\n        'Wallet-path identity (0x... or base58). Only works on rails that carry a wallet signature (Tempo MPP, x402 EIP-3009, x402 SPL Token). The wallet you claim MUST sign the payment.',\n    },\n  };\n}\n\n/**\n * Standard AgentScore denial response schemas. Plug into `components.schemas` so OpenAPI\n * validators understand the 403 body shape across denial codes.\n */\nexport function agentscoreDenialSchemas(): Record<string, unknown> {\n  return {\n    AgentScoreDenialReason: {\n      type: 'string',\n      enum: [\n        'missing_identity',\n        'identity_verification_required',\n        'token_expired',\n        'invalid_credential',\n        'wallet_signer_mismatch',\n        'wallet_auth_requires_wallet_signing',\n        'wallet_not_trusted',\n        'api_error',\n        'payment_required',\n      ],\n      description:\n        \"Denial code emitted by AgentScore's gate middleware in 403 responses. Each comes with a structured agent_instructions block describing recovery actions.\",\n    },\n    AgentScoreDenialBody: {\n      type: 'object',\n      properties: {\n        error: { $ref: '#/components/schemas/AgentScoreDenialReason' },\n        agent_instructions: {\n          type: 'string',\n          description:\n            'JSON-encoded { action, steps, user_message } block. Agents parse this to learn how to recover (e.g., poll a verify_url, switch headers, re-sign).',\n        },\n        verify_url: { type: 'string', format: 'uri', description: 'Present for missing_identity / token_expired denials.' },\n        session_id: { type: 'string' },\n        poll_url: { type: 'string', format: 'uri' },\n        poll_secret: { type: 'string' },\n        agent_memory: { type: 'object', description: 'Cross-merchant pattern hint emitted on first-encounter denials.' },\n      },\n      required: ['error', 'agent_instructions'],\n    },\n  };\n}\n\n/**\n * Standard 402 PaymentRequired body schema (for AgentScore-extended 402 responses).\n * Includes the rails, identity metadata, agent_instructions, pricing, and x402-compliance\n * fields a typical merchant emits via build402Body.\n */\nexport function agentscorePaymentRequiredSchema(): Record<string, unknown> {\n  return {\n    AgentScorePaymentRequired: {\n      type: 'object',\n      properties: {\n        payment_required: { type: 'boolean', enum: [true] },\n        x402Version: { type: 'integer', enum: [1, 2] },\n        accepts: { type: 'array', items: { type: 'object' }, description: 'x402 PaymentRequired.accepts entries.' },\n        accepted_methods: {\n          type: 'array',\n          items: { type: 'object' },\n          description: 'MPP method entries (tempo/charge, x402/exact, stripe/charge, ...).',\n        },\n        amount_usd: { type: 'string' },\n        currency: { type: 'string' },\n        pricing: {\n          type: 'object',\n          properties: {\n            subtotal: { type: 'string' },\n            tax: { type: 'string' },\n            tax_rate: { type: 'number' },\n            tax_state: { type: 'string' },\n            total: { type: 'string' },\n          },\n        },\n        identity_mode: { type: 'string', enum: ['wallet', 'operator_token'] },\n        required_signer: { type: 'string' },\n        linked_wallets: { type: 'array', items: { type: 'string' } },\n        signer_constraint: { type: 'string' },\n        agent_instructions: { type: 'object' },\n        agent_memory: { type: 'object' },\n      },\n    },\n  };\n}\n\nexport interface BuildAgentScoreOpenApiSnippetsInput {\n  /** Include security schemes in the snippet. Default true. */\n  security?: boolean;\n  /** Include denial schemas in the snippet. Default true. */\n  denials?: boolean;\n  /** Include the 402 PaymentRequired schema in the snippet. Default true. */\n  paymentRequired?: boolean;\n}\n\n/**\n * Convenience: returns a `components` snippet ready to merge into an OpenAPI document.\n *\n *   const spec = {\n *     openapi: '3.1.0',\n *     info: { title: 'My Merchant API', version: '1.0' },\n *     paths: {...},\n *     components: { ...agentscoreOpenApiSnippets(), schemas: { ...mySchemas, ...agentscoreOpenApiSnippets().schemas } },\n *   };\n *\n * Or more idiomatically: `Object.assign(spec.components, agentscoreOpenApiSnippets())`.\n */\nexport function agentscoreOpenApiSnippets(\n  opts: BuildAgentScoreOpenApiSnippetsInput = {},\n): { securitySchemes?: Record<string, unknown>; schemas?: Record<string, unknown> } {\n  const out: { securitySchemes?: Record<string, unknown>; schemas?: Record<string, unknown> } = {};\n  if (opts.security !== false) {\n    out.securitySchemes = agentscoreSecuritySchemes();\n  }\n  if (opts.denials !== false || opts.paymentRequired !== false) {\n    out.schemas = {\n      ...(opts.denials !== false ? agentscoreDenialSchemas() : {}),\n      ...(opts.paymentRequired !== false ? agentscorePaymentRequiredSchema() : {}),\n    };\n  }\n  return out;\n}\n","/**\n * Default discovery paths emitted by `@agent-score/commerce` builders. These are\n * the public-by-design endpoints agents and crawlers fetch to learn the\n * merchant's shape: OpenAPI, llms.txt, MPP well-known, A2A agent card, UCP profile.\n * They should NOT carry `X-Robots-Tag: noindex` since the whole point is for\n * agents (and search/discovery crawlers) to find them.\n *\n * Everything else on an agent-only API should noindex by default — there's no\n * human-shaped HTML to surface to general search engines, and accidental\n * indexing leaks transactional endpoints into noisy SERPs.\n */\nexport const defaultDiscoveryPaths: ReadonlySet<string> = new Set([\n  '/openapi.json',\n  '/llms.txt',\n  '/.well-known/mpp.json',\n  '/.well-known/agent-card.json',\n  '/.well-known/ucp',\n  '/favicon.png',\n  '/favicon.ico',\n]);\n\n/**\n * Pure predicate for \"is this path a known discovery surface?\". Compose this\n * into your own framework's middleware when you don't want the bundled Hono\n * wrapper. Custom paths are the union with the defaults — pass `replace: true`\n * to skip the defaults.\n */\nexport function isDiscoveryPath(\n  path: string,\n  options?: { customPaths?: Iterable<string>; replace?: boolean },\n): boolean {\n  if (options?.replace) {\n    return new Set(options.customPaths ?? []).has(path);\n  }\n  if (defaultDiscoveryPaths.has(path)) return true;\n  if (options?.customPaths) {\n    for (const p of options.customPaths) if (p === path) return true;\n  }\n  return false;\n}\n\nexport interface NoindexNonDiscoveryOptions {\n  /** Additional discovery paths beyond the defaults (e.g. `/sitemap.xml`,\n   *  `/.well-known/foo`). Merged with the defaults unless `replacePaths: true`. */\n  customPaths?: Iterable<string>;\n  /** When true, ignore the bundled defaults and only treat `customPaths` as\n   *  discovery surfaces. Use when the merchant deliberately chooses a different\n   *  set (e.g. omits `/openapi.json` from a closed API). */\n  replacePaths?: boolean;\n  /** Override the X-Robots-Tag value applied to non-discovery paths. Defaults to\n   *  the standard \"noindex, nofollow, noarchive, nosnippet\" tuple — change only\n   *  if you have a very specific crawl-shape requirement. */\n  robotsTag?: string;\n}\n\nconst DEFAULT_ROBOTS_TAG = 'noindex, nofollow, noarchive, nosnippet';\n\n/** Predicate the per-framework wrappers share. Pulled out so non-listed frameworks\n *  can compose it directly (`if (!shouldNoindex(path, opts)) ...`). */\nfunction shouldNoindex(path: string, customSet: Set<string> | undefined, replacePaths: boolean | undefined): boolean {\n  const isDiscovery = replacePaths\n    ? (customSet?.has(path) ?? false)\n    : defaultDiscoveryPaths.has(path) || (customSet?.has(path) ?? false);\n  return !isDiscovery;\n}\n\n/**\n * Hono middleware. Mount globally near the top of your middleware stack:\n *\n *   app.use('*', noindexNonDiscoveryPaths());\n *   app.use('*', noindexNonDiscoveryPaths({ customPaths: ['/sitemap.xml'] }));\n *\n * Per-framework variants (`noindexNonDiscoveryPathsExpress`,\n * `noindexNonDiscoveryPathsFastify`, `noindexNonDiscoveryPathsWeb`) ship below.\n * For Next.js Route Handlers, use `applyNoindexHeader(response, path, opts)`\n * inline since route handlers don't have a global mount point.\n */\nexport function noindexNonDiscoveryPaths(options?: NoindexNonDiscoveryOptions) {\n  const customSet = options?.customPaths ? new Set(options.customPaths) : undefined;\n  const robotsTag = options?.robotsTag ?? DEFAULT_ROBOTS_TAG;\n  return async (c: { req: { path: string }; header: (k: string, v: string) => void }, next: () => Promise<void>) => {\n    await next();\n    if (shouldNoindex(c.req.path, customSet, options?.replacePaths)) {\n      c.header('X-Robots-Tag', robotsTag);\n    }\n  };\n}\n\n/** Express middleware. Sets the header before `next()` so route handlers can\n *  override per-response if they need to. */\nexport function noindexNonDiscoveryPathsExpress(options?: NoindexNonDiscoveryOptions) {\n  const customSet = options?.customPaths ? new Set(options.customPaths) : undefined;\n  const robotsTag = options?.robotsTag ?? DEFAULT_ROBOTS_TAG;\n  return (\n    req: { path: string },\n    res: { setHeader: (name: string, value: string) => void },\n    next: () => void,\n  ) => {\n    if (shouldNoindex(req.path, customSet, options?.replacePaths)) {\n      res.setHeader('X-Robots-Tag', robotsTag);\n    }\n    next();\n  };\n}\n\n/** Fastify plugin (use as `app.register(noindexNonDiscoveryPathsFastify, opts)`).\n *  Registers an `onRequest` hook so the header lands on every response. */\ninterface FastifyReqLike { url?: string; routerPath?: string }\ninterface FastifyReplyLike { header: (name: string, value: string) => void }\ninterface FastifyAppLike {\n  addHook(event: 'onRequest', handler: (req: FastifyReqLike, reply: FastifyReplyLike, done: () => void) => void): void;\n}\nexport function noindexNonDiscoveryPathsFastify(\n  app: FastifyAppLike,\n  options: NoindexNonDiscoveryOptions | undefined,\n  done: () => void,\n): void {\n  const customSet = options?.customPaths ? new Set(options.customPaths) : undefined;\n  const robotsTag = options?.robotsTag ?? DEFAULT_ROBOTS_TAG;\n  app.addHook('onRequest', (req, reply, hookDone) => {\n    const path = (req.url ?? req.routerPath ?? '').split('?')[0];\n    if (shouldNoindex(path, customSet, options?.replacePaths)) {\n      reply.header('X-Robots-Tag', robotsTag);\n    }\n    hookDone();\n  });\n  done();\n}\n\n/** Web Fetch / Cloudflare Workers / Deno / Bun helper. Returns a wrapped\n *  Response that carries `X-Robots-Tag` on non-discovery paths. Pair with the\n *  request's URL pathname:\n *\n *    return wrapNoindexResponse(new URL(req.url).pathname, response);\n */\nexport function wrapNoindexResponse(\n  path: string,\n  response: Response,\n  options?: NoindexNonDiscoveryOptions,\n): Response {\n  const customSet = options?.customPaths ? new Set(options.customPaths) : undefined;\n  const robotsTag = options?.robotsTag ?? DEFAULT_ROBOTS_TAG;\n  if (!shouldNoindex(path, customSet, options?.replacePaths)) return response;\n  const headers = new Headers(response.headers);\n  headers.set('X-Robots-Tag', robotsTag);\n  return new Response(response.body, {\n    status: response.status,\n    statusText: response.statusText,\n    headers,\n  });\n}\n\n/** Next.js Route Handler helper. Call inline before returning the Response:\n *\n *    export async function POST(req: Request) {\n *      const path = new URL(req.url).pathname;\n *      const res = Response.json({...});\n *      return applyNoindexHeader(res, path);\n *    }\n *\n *  Same wrapper shape as the Web Fetch helper — exported separately for clarity\n *  in Next.js docs/examples. */\nexport const applyNoindexHeader = wrapNoindexResponse;\n"],"mappings":";AAIO,IAAM,WAAW;AAAA,EACtB,MAAM;AAAA,IACJ,SAAS,EAAE,OAAO,eAAwB,SAAS,KAAK;AAAA,IACxD,SAAS,EAAE,OAAO,gBAAyB,SAAS,MAAM;AAAA,EAC5D;AAAA,EACA,QAAQ;AAAA,IACN,SAAS,EAAE,OAAO,0CAAmD;AAAA,IACrE,QAAQ,EAAE,OAAO,0CAAmD;AAAA,EACtE;AAAA,EACA,OAAO;AAAA,IACL,SAAS,EAAE,OAAO,eAAwB,SAAS,KAAK;AAAA,IACxD,SAAS,EAAE,OAAO,gBAAyB,SAAS,MAAM;AAAA,EAC5D;AACF;;;ACbO,IAAM,OAAO;AAAA,EAClB,MAAM;AAAA,IACJ,SAAS,EAAE,SAAS,8CAAuD,UAAU,EAAE;AAAA,IACvF,SAAS,EAAE,SAAS,8CAAuD,UAAU,EAAE;AAAA,EACzF;AAAA,EACA,QAAQ;AAAA,IACN,SAAS,EAAE,MAAM,gDAAgD,UAAU,EAAE;AAAA,IAC7E,QAAQ,EAAE,MAAM,gDAAgD,UAAU,EAAE;AAAA,EAC9E;AAAA,EACA,OAAO;AAAA,IACL,SAAS,EAAE,SAAS,8CAAuD,UAAU,EAAE;AAAA,IACvF,SAAS,EAAE,SAAS,8CAAuD,UAAU,EAAE;AAAA,EACzF;AACF;;;ACRO,IAAM,QAAQ;AAAA,EACnB,iBAAiB;AAAA,IACf,QAAQ;AAAA,IACR,SAAS,SAAS,MAAM,QAAQ;AAAA,IAChC,SAAS,SAAS,MAAM,QAAQ;AAAA,IAChC,UAAU,KAAK,MAAM,QAAQ;AAAA,IAC7B,UAAU,KAAK,MAAM,QAAQ;AAAA,IAC7B,OAAO,KAAK,MAAM,QAAQ;AAAA,EAC5B;AAAA,EACA,iBAAiB;AAAA,IACf,QAAQ;AAAA,IACR,SAAS,SAAS,MAAM,QAAQ;AAAA,IAChC,SAAS,SAAS,MAAM,QAAQ;AAAA,IAChC,UAAU,KAAK,MAAM,QAAQ;AAAA,IAC7B,UAAU,KAAK,MAAM,QAAQ;AAAA,IAC7B,OAAO,KAAK,MAAM,QAAQ;AAAA,EAC5B;AAAA,EACA,qBAAqB;AAAA,IACnB,QAAQ;AAAA,IACR,SAAS,SAAS,KAAK,QAAQ;AAAA,IAC/B,SAAS,SAAS,KAAK,QAAQ;AAAA,IAC/B,UAAU,KAAK,KAAK,QAAQ;AAAA,IAC5B,UAAU,KAAK,KAAK,QAAQ;AAAA,IAC5B,OAAO,KAAK,KAAK,QAAQ;AAAA,EAC3B;AAAA,EACA,qBAAqB;AAAA,IACnB,QAAQ;AAAA,IACR,SAAS,SAAS,KAAK,QAAQ;AAAA,IAC/B,SAAS,SAAS,KAAK,QAAQ;AAAA,IAC/B,UAAU,KAAK,KAAK,QAAQ;AAAA,IAC5B,UAAU,KAAK,KAAK,QAAQ;AAAA,IAC5B,OAAO,KAAK,KAAK,QAAQ;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA,EAIA,0BAA0B;AAAA,IACxB,QAAQ;AAAA,IACR,SAAS,SAAS,KAAK,QAAQ;AAAA,IAC/B,SAAS,SAAS,KAAK,QAAQ;AAAA,IAC/B,UAAU,KAAK,KAAK,QAAQ;AAAA,IAC5B,UAAU,KAAK,KAAK,QAAQ;AAAA,IAC5B,OAAO,KAAK,KAAK,QAAQ;AAAA,EAC3B;AAAA,EACA,0BAA0B;AAAA,IACxB,QAAQ;AAAA,IACR,SAAS,SAAS,KAAK,QAAQ;AAAA,IAC/B,SAAS,SAAS,KAAK,QAAQ;AAAA,IAC/B,UAAU,KAAK,KAAK,QAAQ;AAAA,IAC5B,UAAU,KAAK,KAAK,QAAQ;AAAA,IAC5B,OAAO,KAAK,KAAK,QAAQ;AAAA,EAC3B;AAAA,EACA,uBAAuB;AAAA,IACrB,QAAQ;AAAA,IACR,SAAS,SAAS,OAAO,QAAQ;AAAA,IACjC,UAAU,KAAK,OAAO,QAAQ;AAAA,IAC9B,UAAU,KAAK,OAAO,QAAQ;AAAA,IAC9B,OAAO,KAAK,OAAO,QAAQ;AAAA,EAC7B;AAAA,EACA,sBAAsB;AAAA,IACpB,QAAQ;AAAA,IACR,SAAS,SAAS,OAAO,OAAO;AAAA,IAChC,UAAU,KAAK,OAAO,OAAO;AAAA,IAC7B,UAAU,KAAK,OAAO,OAAO;AAAA,IAC7B,OAAO,KAAK,OAAO,OAAO;AAAA,EAC5B;AAAA,EACA,cAAc;AAAA,IACZ,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,UAAU;AAAA,EACZ;AACF;AAiBO,SAAS,WAAW,MAA0C;AACnE,SAAO,MAAM,IAAgB;AAC/B;;;ACzEO,SAAS,wBAAwB,OAAoC;AAC1E,QAAM,UAAU,MAAM,OAAO,WAAW,MAAM,IAAI,IAAI;AACtD,QAAM,WAAW,MAAM,YAAY,SAAS,YAAY;AACxD,QAAM,WAAW,MAAM,YAAY,SAAS,YAAY;AACxD,QAAM,UAAU,MAAM,WAAW,SAAS;AAE1C,QAAM,YAAY,OAAO,MAAM,cAAc,WAAW,OAAO,MAAM,SAAS,IAAI,MAAM;AACxF,QAAM,YAAY,OAAO,KAAK,MAAM,YAAY,MAAM,QAAQ,CAAC,EAAE,SAAS;AAC1E,QAAM,OAAgC,EAAE,QAAQ,WAAW,UAAU,SAAS;AAC9E,MAAI,MAAM,UAAW,MAAK,YAAY,MAAM;AAC5C,QAAM,gBAAyC,CAAC;AAChD,MAAI,YAAY,OAAW,eAAc,UAAU;AACnD,MAAI,MAAM,UAAW,eAAc,YAAY,MAAM;AACrD,MAAI,OAAO,KAAK,aAAa,EAAE,SAAS,EAAG,MAAK,gBAAgB;AAChE,SAAO,OAAO,KAAK,KAAK,UAAU,IAAI,CAAC,EAAE,SAAS,WAAW;AAC/D;AAwBO,SAAS,iBAAiB,OAAsC;AACrE,QAAM,UAAU,MAAM,OAAO,WAAW,MAAM,IAAI,IAAI;AACtD,QAAM,SAAS,MAAM,UAAU,SAAS,UAAU;AAClD,QAAM,SAAS,MAAM,UAAU;AAC/B,QAAM,UAAU,MAAM,WAAW,IAAI,KAAK,KAAK,IAAI,IAAI,IAAI,KAAK,GAAI,EAAE,YAAY;AAClF,SAAO,eAAe,MAAM,EAAE,aAAa,MAAM,KAAK,cAAc,MAAM,cAAc,MAAM,eAAe,OAAO,eAAe,MAAM,OAAO;AAClJ;;;ACzBO,SAAS,sBAAsB,OAA2C;AAC/E,SAAO,OAAO,KAAK,KAAK,UAAU,KAAK,CAAC,EAAE,SAAS,QAAQ;AAC7D;;;ACvCA,IAAM,iBAAiB;AACvB,IAAM,oBAAoB;AAYnB,SAAS,2BACd,OACA,eAAuB,WACS;AAChC,MAAI,UAAU,SAAS,KAAK,QAAQ,OAAO;AACzC,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,QAAQ;AAAA,MACR,OAAO,KAAK,KAAK,QAAQ;AAAA,MACzB,OAAO;AAAA,MACP,mBAAmB;AAAA,MACnB,OAAO,EAAE,MAAM,QAAQ,SAAS,IAAI;AAAA,IACtC;AAAA,EACF;AACA,MAAI,UAAU,SAAS,KAAK,QAAQ,OAAO;AACzC,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,QAAQ;AAAA,MACR,OAAO,KAAK,KAAK,QAAQ;AAAA,MACzB,OAAO;AAAA,MACP,mBAAmB;AAAA,MACnB,OAAO,EAAE,MAAM,QAAQ,SAAS,IAAI;AAAA,IACtC;AAAA,EACF;AACA,MAAI,UAAU,SAAS,OAAO,QAAQ,OAAO;AAC3C,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,QAAQ;AAAA,MACR,OAAO,KAAK,OAAO,QAAQ;AAAA,MAC3B,OAAO;AAAA,MACP,mBAAmB;AAAA,IACrB;AAAA,EACF;AACA,MAAI,UAAU,SAAS,OAAO,OAAO,OAAO;AAC1C,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,QAAQ;AAAA,MACR,OAAO,KAAK,OAAO,OAAO;AAAA,MAC1B,OAAO;AAAA,MACP,mBAAmB;AAAA,IACrB;AAAA,EACF;AACA,SAAO;AACT;AAgEO,SAAS,4BAA4B,MAAqD;AAC/F,QAAM,UAAU,SAAS,KAAK,IAAI,CAAC;AACnC,QAAM,UAAU,IAAI,KAAK,KAAK,IAAI,KAAK,KAAK,cAAc,OAAO,GAAI,EAAE,YAAY;AACnF,QAAM,UAAU,wBAAwB;AAAA,IACtC,MAAM,KAAK;AAAA,IACX,WAAW,KAAK;AAAA,IAChB,WAAW,KAAK;AAAA,EAClB,CAAC;AACD,QAAM,YAAY,iBAAiB;AAAA,IACjC,MAAM,KAAK;AAAA,IACX,IAAI;AAAA,IACJ,OAAO,KAAK;AAAA,IACZ,QAAQ,KAAK;AAAA,IACb;AAAA,IACA;AAAA,EACF,CAAC;AAED,QAAM,UAAmC;AAAA,IACvC,OAAO;AAAA,MACL,MAAM;AAAA,MACN,SAAS,KAAK,WAAW;AAAA,IAC3B;AAAA,IACA,WAAW;AAAA,IACX,GAAI,KAAK,UAAU,EAAE,MAAM,KAAK,QAAQ,IAAI,CAAC;AAAA,EAC/C;AACA,QAAM,UAAkC;AAAA,IACtC,gBAAgB;AAAA,IAChB,oBAAoB;AAAA,EACtB;AAEA,MAAI,KAAK,YAAY;AACnB,UAAM,cAAc,KAAK,WAAW,WAAW;AAC/C,UAAM,gBAAgB,KAAK,WAAW,YAChC,KAAK,WAAW,YAAY,CAAC,GAC9B,IAAI,CAAC,MAAM,2BAA2B,GAAG,KAAK,WAAY,gBAAgB,SAAS,CAAC,EACpF,OAAO,CAAC,MAAoC,MAAM,IAAI;AAI3D,YAAQ,kBAAkB,IAAI,sBAAsB;AAAA,MAClD;AAAA,MACA,SAAS;AAAA,MACT,GAAI,KAAK,WAAW,cAChB,EAAE,UAAU,EAAE,KAAK,KAAK,WAAW,aAAa,UAAU,mBAAmB,EAAE,IAC/E,CAAC;AAAA,IACP,CAAC;AAGD,YAAQ,cAAc;AAEtB,UAAM,aAAa,KAAK,MAAM,OAAO,KAAK,QAAQ,kBAAkB,GAAG,QAAQ,EAAE,SAAS,OAAO,CAAC;AAClG,YAAQ,UAAU,WAAW;AAAA,EAC/B;AAEA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR;AAAA,IACA,MAAM,KAAK,UAAU,OAAO;AAAA,EAC9B;AACF;AAcA,eAAsB,wBAAwB,KAAoC;AAChF,MAAI,IAAI,WAAW,OAAQ,QAAO;AAClC,QAAM,OAAO,IAAI,QAAQ,IAAI,eAAe;AAC5C,MAAI,MAAM,WAAW,UAAU,EAAG,QAAO;AACzC,QAAM,OAAO,MAAM,IAAI,MAAM,EAAE,KAAK;AACpC,SAAO,CAAC,QAAQ,SAAS;AAC3B;;;ACjMA,eAAsB,sBAAsB,QAAiD;AAC3F,QAAM,SAAS,MAAM,cAA4B,yBAAyB;AAC1E,MAAI,CAAC,QAAQ,2BAA2B;AACtC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,SAAO,OAAO,0BAA0B,MAAM;AAChD;AAEA,eAAe,cAAiB,YAAuC;AACrE,MAAI;AACF,WAAQ,MAAM,OAAO;AAAA,EACvB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;AC4BO,SAAS,kBAAkB,OAAmD;AACnF,SAAO;AAAA,IACL,MAAM,MAAM;AAAA,IACZ,GAAI,MAAM,cAAc,EAAE,aAAa,MAAM,YAAY,IAAI,CAAC;AAAA,IAC9D,KAAK,MAAM;AAAA,IACX,GAAI,MAAM,UAAU,EAAE,SAAS,MAAM,QAAQ,IAAI,CAAC;AAAA,IAClD,WAAW,MAAM;AAAA,IACjB,GAAI,MAAM,UAAU,EAAE,SAAS,MAAM,QAAQ,IAAI,CAAC;AAAA,IAClD,UAAU;AAAA,MACR,GAAI,MAAM,SAAS,kBAAkB,EAAE,iBAAiB,MAAM,SAAS,gBAAgB,IAAI,CAAC;AAAA,MAC5F,GAAI,MAAM,SAAS,kBAAkB,EAAE,iBAAiB,MAAM,SAAS,gBAAgB,IAAI,CAAC;AAAA,MAC5F,GAAI,MAAM,SAAS,SAAS,CAAC;AAAA,MAC7B,GAAI,MAAM,SAAS,WAAW,EAAE,UAAU,MAAM,SAAS,SAAS,IAAI,CAAC;AAAA,MACvE,GAAI,MAAM,SAAS,iBAAiB,EAAE,gBAAgB,MAAM,SAAS,eAAe,IAAI,CAAC;AAAA,MACzF,iBAAiB,MAAM,SAAS;AAAA,MAChC,GAAI,MAAM,SAAS,OAAO,EAAE,MAAM,MAAM,SAAS,KAAK,IAAI,CAAC;AAAA,MAC3D,GAAI,MAAM,SAAS,aAAa,EAAE,YAAY,MAAM,SAAS,WAAW,IAAI,CAAC;AAAA,IAC/E;AAAA,IACA,GAAI,MAAM,WAAW,EAAE,UAAU,MAAM,SAAS,IAAI,CAAC;AAAA,IACrD,GAAI,MAAM,SAAS,CAAC;AAAA,EACtB;AACF;;;ACnEO,SAAS,uBAAuB,QAAqC,CAAC,GAAW;AACtF,MAAI,CAAC,MAAM,YAAY;AACrB,WAAO;AAAA,EACT;AACA,QAAM,aAAa,MAAM;AACzB,QAAM,iBAAiB,aACnB;AAAA;AAAA,cAAmB;AAAA,IACjB,WAAW,cAAc,iBAAiB;AAAA,IAC1C,WAAW,UAAU,OAAO,WAAW,OAAO,MAAM;AAAA,IACpD,WAAW,uBAAuB,SAC9B,GAAG,WAAW,sBAAsB,KAAK,GAAG,CAAC,UAC7C;AAAA,IACJ,WAAW,0BAA0B,oBAAoB;AAAA,EAC3D,EACG,OAAO,OAAO,EACd,KAAK,IAAI,CAAC,MACb;AACJ,SAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,+TAYsT,cAAc;AAC7U;AA2BO,SAAS,sBAAsB,OAA2C;AAC/E,SAAO,MAAM,UAAU,6BAA6B,KAAK,IAAI,6BAA6B,KAAK;AACjG;AAEA,SAAS,cAAcA,QAAiB,QAAyB;AAC/D,SAAOA,OAAM,KAAK,OAAK,EAAE,WAAW,MAAM,CAAC;AAC7C;AAEA,SAAS,cAAcA,QAAiB,QAAyB;AAC/D,SAAOA,OAAM,KAAK,OAAK,EAAE,WAAW,MAAM,KAAK,oCAAoC,KAAK,CAAC,CAAC;AAC5F;AAEA,SAAS,6BAA6B,OAA2C;AAC/E,QAAM,QAAkB,CAAC,cAAc,EAAE;AACzC,QAAMA,SAAQ,MAAM;AACpB,MAAI,cAAcA,QAAO,QAAQ,GAAG;AAClC,UAAM,KAAK,yHAAqH,MAAM,SAAS,GAAG;AAAA,EACpJ;AACA,MAAI,cAAcA,QAAO,YAAY,GAAG;AACtC,UAAM,KAAK,wEAAmE,MAAM,SAAS,2DAA4D;AAAA,EAC3J;AACA,MAAI,cAAcA,QAAO,cAAc,GAAG;AACxC,UAAM,KAAK,2EAAsE,MAAM,SAAS,6DAA8D;AAAA,EAChK;AACA,MAAIA,OAAM,SAAS,YAAY,GAAG;AAChC,UAAM,KAAK,2MAAsM;AAAA,EACnN;AACA,QAAM,KAAK,EAAE;AACb,QAAM,KAAK,wJAAwJ;AACnK,QAAM,KAAK,EAAE;AACb,SAAO,MAAM,KAAK,IAAI;AACxB;AAEA,SAAS,6BAA6B,OAA2C;AAC/E,QAAMA,SAAQ,MAAM;AACpB,QAAM,eAAe,MAAM,oBAAoB;AAC/C,QAAM,aAAa,MAAM,gBAAgB;AACzC,QAAM,WAAW,cAAcA,QAAO,QAAQ;AAC9C,QAAM,UAAU,cAAcA,QAAO,YAAY;AACjD,QAAM,YAAY,cAAcA,QAAO,cAAc;AACrD,QAAM,YAAYA,OAAM,SAAS,YAAY;AAC7C,QAAM,kBAAkB,cAAcA,QAAO,YAAY,IAAI,iBAAiB;AAC9E,QAAM,oBAAoB,cAAcA,QAAO,cAAc,IAAI,kBAAkB;AAEnF,QAAM,QAAkB,CAAC,cAAc,EAAE;AACzC,QAAM,KAAK,+GAA+G;AAC1H,QAAM,KAAK,EAAE;AACb,MAAI,SAAU,OAAM,KAAK,gDAAgD;AACzE,MAAI,WAAW,WAAW;AACxB,UAAM,SAAS,CAAC,WAAW,GAAG,eAAe,eAAe,aAAa,GAAG,iBAAiB,cAAc,EAAE,OAAO,OAAO,EAAE,KAAK,OAAO;AACzI,UAAM,KAAK,sBAAsB,MAAM,gCAAgC;AAAA,EACzE;AACA,MAAI,UAAW,OAAM,KAAK,oJAAoJ;AAC9K,QAAM,KAAK,EAAE;AAEb,MAAI,UAAU;AACZ,UAAM,KAAK,2BAA2B;AACtC,UAAM,KAAK,EAAE;AACb,UAAM,KAAK,uEAAuE;AAClF,UAAM,KAAK,8EAA8E;AACzF,UAAM,KAAK,gEAAgE,YAAY,WAAW,UAAU,GAAG;AAC/G,UAAM,KAAK,mDAAmD;AAC9D,UAAM,KAAK,EAAE;AACb,UAAM,KAAK,qDAAqD;AAChE,UAAM,KAAK,EAAE;AACb,UAAM,KAAK,0BAA0B;AACrC,UAAM,KAAK,iDAAiD;AAC5D,UAAM,KAAK,0CAA0C;AACrD,UAAM,KAAK,qBAAqB;AAChC,UAAM,KAAK,oBAAoB;AAC/B,UAAM,KAAK,KAAK,MAAM,MAAM,EAAE;AAC9B,UAAM,KAAK,EAAE;AACb,UAAM,KAAK,sHAAsH,YAAY,4DAA4D;AACzM,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,MAAI,WAAW,WAAW;AACxB,UAAM,cAAc,CAAC,WAAW,iBAAiB,aAAa,iBAAiB,EAAE,OAAO,OAAO,EAAE,KAAK,MAAM;AAC5G,UAAM,QAAQ,CAAC,WAAW,kBAAkB,aAAa,kBAAkB,EAAE,OAAO,OAAO,EAAE,KAAK,MAAM;AACxG,UAAM,KAAK,6BAA6B,WAAW,GAAG;AACtD,UAAM,KAAK,EAAE;AACb,UAAM,KAAK,sHAAsH;AACjI,UAAM,KAAK,4EAA4E,KAAK,EAAE;AAC9F,UAAM,KAAK,4CAA4C,WAAW,EAAE;AACpE,UAAM,KAAK,8CAA8C,KAAK,EAAE;AAChE,UAAM,KAAK,EAAE;AACb,UAAM,KAAK,gCAAgC;AAC3C,UAAM,KAAK,EAAE;AACb,UAAM,KAAK,2BAA2B,MAAM,MAAM,KAAK;AACvD,UAAM,KAAK,KAAK,UAAU,iBAAiB,gBAAgB,KAAK;AAChE,UAAM,KAAK,iDAAiD;AAC5D,UAAM,KAAK,0CAA0C;AACrD,UAAM,KAAK,iBAAiB;AAC5B,UAAM,KAAK,iBAAiB;AAC5B,UAAM,KAAK,EAAE;AACb,UAAM,kBAAkB,CAAC,WAAW,mBAAmB,aAAa,oBAAoB,EAAE,OAAO,OAAO,EAAE,KAAK,MAAM;AACrH,UAAM,KAAK,8FAA8F,eAAe,8EAA8E;AACtM,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,MAAI,WAAW;AACb,UAAM,KAAK,gCAAgC;AAC3C,UAAM,KAAK,EAAE;AACb,UAAM,KAAK,6WAA6W;AACxX,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,QAAM,KAAK,2LAAsL;AACjM,MAAI,WAAW,WAAW;AACxB,UAAM,KAAK,oKAAoK;AAAA,EACjL;AACA,QAAM,KAAK,EAAE;AACb,SAAO,MAAM,KAAK,IAAI;AACxB;AAmBO,SAAS,aAAa,OAAkC;AAC7D,QAAM,QAAkB,CAAC,KAAK,MAAM,YAAY,EAAE;AAClD,MAAI,MAAM,SAAS;AACjB,UAAM,KAAK,KAAK,MAAM,OAAO,EAAE;AAAA,EACjC;AACA,QAAM,KAAK,EAAE;AACb,aAAW,KAAK,MAAM,UAAU;AAC9B,UAAM,KAAK,MAAM,EAAE,OAAO,EAAE;AAC5B,UAAM,KAAK,EAAE;AACb,UAAM,KAAK,EAAE,OAAO;AACpB,UAAM,KAAK,EAAE;AAAA,EACf;AACA,MAAI,MAAM,oBAAoB;AAC5B,UAAM,KAAK,uBAAuB,MAAM,kBAAkB,CAAC;AAC3D,UAAM,KAAK,EAAE;AAAA,EACf;AACA,MAAI,MAAM,SAAS;AACjB,UAAM,KAAK,sBAAsB,MAAM,OAAO,CAAC;AAAA,EACjD;AACA,SAAO,MAAM,KAAK,IAAI;AACxB;;;ACtNO,SAAS,4BAAqD;AACnE,SAAO;AAAA,IACL,eAAe;AAAA,MACb,MAAM;AAAA,MACN,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,aACE;AAAA,IACJ;AAAA,IACA,eAAe;AAAA,MACb,MAAM;AAAA,MACN,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,aACE;AAAA,IACJ;AAAA,EACF;AACF;AAMO,SAAS,0BAAmD;AACjE,SAAO;AAAA,IACL,wBAAwB;AAAA,MACtB,MAAM;AAAA,MACN,MAAM;AAAA,QACJ;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,MACA,aACE;AAAA,IACJ;AAAA,IACA,sBAAsB;AAAA,MACpB,MAAM;AAAA,MACN,YAAY;AAAA,QACV,OAAO,EAAE,MAAM,8CAA8C;AAAA,QAC7D,oBAAoB;AAAA,UAClB,MAAM;AAAA,UACN,aACE;AAAA,QACJ;AAAA,QACA,YAAY,EAAE,MAAM,UAAU,QAAQ,OAAO,aAAa,wDAAwD;AAAA,QAClH,YAAY,EAAE,MAAM,SAAS;AAAA,QAC7B,UAAU,EAAE,MAAM,UAAU,QAAQ,MAAM;AAAA,QAC1C,aAAa,EAAE,MAAM,SAAS;AAAA,QAC9B,cAAc,EAAE,MAAM,UAAU,aAAa,kEAAkE;AAAA,MACjH;AAAA,MACA,UAAU,CAAC,SAAS,oBAAoB;AAAA,IAC1C;AAAA,EACF;AACF;AAOO,SAAS,kCAA2D;AACzE,SAAO;AAAA,IACL,2BAA2B;AAAA,MACzB,MAAM;AAAA,MACN,YAAY;AAAA,QACV,kBAAkB,EAAE,MAAM,WAAW,MAAM,CAAC,IAAI,EAAE;AAAA,QAClD,aAAa,EAAE,MAAM,WAAW,MAAM,CAAC,GAAG,CAAC,EAAE;AAAA,QAC7C,SAAS,EAAE,MAAM,SAAS,OAAO,EAAE,MAAM,SAAS,GAAG,aAAa,wCAAwC;AAAA,QAC1G,kBAAkB;AAAA,UAChB,MAAM;AAAA,UACN,OAAO,EAAE,MAAM,SAAS;AAAA,UACxB,aAAa;AAAA,QACf;AAAA,QACA,YAAY,EAAE,MAAM,SAAS;AAAA,QAC7B,UAAU,EAAE,MAAM,SAAS;AAAA,QAC3B,SAAS;AAAA,UACP,MAAM;AAAA,UACN,YAAY;AAAA,YACV,UAAU,EAAE,MAAM,SAAS;AAAA,YAC3B,KAAK,EAAE,MAAM,SAAS;AAAA,YACtB,UAAU,EAAE,MAAM,SAAS;AAAA,YAC3B,WAAW,EAAE,MAAM,SAAS;AAAA,YAC5B,OAAO,EAAE,MAAM,SAAS;AAAA,UAC1B;AAAA,QACF;AAAA,QACA,eAAe,EAAE,MAAM,UAAU,MAAM,CAAC,UAAU,gBAAgB,EAAE;AAAA,QACpE,iBAAiB,EAAE,MAAM,SAAS;AAAA,QAClC,gBAAgB,EAAE,MAAM,SAAS,OAAO,EAAE,MAAM,SAAS,EAAE;AAAA,QAC3D,mBAAmB,EAAE,MAAM,SAAS;AAAA,QACpC,oBAAoB,EAAE,MAAM,SAAS;AAAA,QACrC,cAAc,EAAE,MAAM,SAAS;AAAA,MACjC;AAAA,IACF;AAAA,EACF;AACF;AAuBO,SAAS,0BACd,OAA4C,CAAC,GACqC;AAClF,QAAM,MAAwF,CAAC;AAC/F,MAAI,KAAK,aAAa,OAAO;AAC3B,QAAI,kBAAkB,0BAA0B;AAAA,EAClD;AACA,MAAI,KAAK,YAAY,SAAS,KAAK,oBAAoB,OAAO;AAC5D,QAAI,UAAU;AAAA,MACZ,GAAI,KAAK,YAAY,QAAQ,wBAAwB,IAAI,CAAC;AAAA,MAC1D,GAAI,KAAK,oBAAoB,QAAQ,gCAAgC,IAAI,CAAC;AAAA,IAC5E;AAAA,EACF;AACA,SAAO;AACT;;;AC1IO,IAAM,wBAA6C,oBAAI,IAAI;AAAA,EAChE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAQM,SAAS,gBACd,MACA,SACS;AACT,MAAI,SAAS,SAAS;AACpB,WAAO,IAAI,IAAI,QAAQ,eAAe,CAAC,CAAC,EAAE,IAAI,IAAI;AAAA,EACpD;AACA,MAAI,sBAAsB,IAAI,IAAI,EAAG,QAAO;AAC5C,MAAI,SAAS,aAAa;AACxB,eAAW,KAAK,QAAQ,YAAa,KAAI,MAAM,KAAM,QAAO;AAAA,EAC9D;AACA,SAAO;AACT;AAgBA,IAAM,qBAAqB;AAI3B,SAAS,cAAc,MAAc,WAAoC,cAA4C;AACnH,QAAM,cAAc,eACf,WAAW,IAAI,IAAI,KAAK,QACzB,sBAAsB,IAAI,IAAI,MAAM,WAAW,IAAI,IAAI,KAAK;AAChE,SAAO,CAAC;AACV;AAaO,SAAS,yBAAyB,SAAsC;AAC7E,QAAM,YAAY,SAAS,cAAc,IAAI,IAAI,QAAQ,WAAW,IAAI;AACxE,QAAM,YAAY,SAAS,aAAa;AACxC,SAAO,OAAO,GAAsE,SAA8B;AAChH,UAAM,KAAK;AACX,QAAI,cAAc,EAAE,IAAI,MAAM,WAAW,SAAS,YAAY,GAAG;AAC/D,QAAE,OAAO,gBAAgB,SAAS;AAAA,IACpC;AAAA,EACF;AACF;AAIO,SAAS,gCAAgC,SAAsC;AACpF,QAAM,YAAY,SAAS,cAAc,IAAI,IAAI,QAAQ,WAAW,IAAI;AACxE,QAAM,YAAY,SAAS,aAAa;AACxC,SAAO,CACL,KACA,KACA,SACG;AACH,QAAI,cAAc,IAAI,MAAM,WAAW,SAAS,YAAY,GAAG;AAC7D,UAAI,UAAU,gBAAgB,SAAS;AAAA,IACzC;AACA,SAAK;AAAA,EACP;AACF;AASO,SAAS,gCACd,KACA,SACA,MACM;AACN,QAAM,YAAY,SAAS,cAAc,IAAI,IAAI,QAAQ,WAAW,IAAI;AACxE,QAAM,YAAY,SAAS,aAAa;AACxC,MAAI,QAAQ,aAAa,CAAC,KAAK,OAAO,aAAa;AACjD,UAAM,QAAQ,IAAI,OAAO,IAAI,cAAc,IAAI,MAAM,GAAG,EAAE,CAAC;AAC3D,QAAI,cAAc,MAAM,WAAW,SAAS,YAAY,GAAG;AACzD,YAAM,OAAO,gBAAgB,SAAS;AAAA,IACxC;AACA,aAAS;AAAA,EACX,CAAC;AACD,OAAK;AACP;AAQO,SAAS,oBACd,MACA,UACA,SACU;AACV,QAAM,YAAY,SAAS,cAAc,IAAI,IAAI,QAAQ,WAAW,IAAI;AACxE,QAAM,YAAY,SAAS,aAAa;AACxC,MAAI,CAAC,cAAc,MAAM,WAAW,SAAS,YAAY,EAAG,QAAO;AACnE,QAAM,UAAU,IAAI,QAAQ,SAAS,OAAO;AAC5C,UAAQ,IAAI,gBAAgB,SAAS;AACrC,SAAO,IAAI,SAAS,SAAS,MAAM;AAAA,IACjC,QAAQ,SAAS;AAAA,IACjB,YAAY,SAAS;AAAA,IACrB;AAAA,EACF,CAAC;AACH;AAYO,IAAM,qBAAqB;","names":["rails"]}

package/dist/identity/express.d.mts

@@ -0,0 +1,44 @@
+export { F as FIXABLE_DENIAL_REASONS, b as buildContactSupportNextSteps, a as buildSignerMismatchBody, d as denialReasonStatus, c as denialReasonToBody, i as isFixableDenial, v as verificationAgentInstructions } from '../_response-DmziuJz6.mjs';
+export { e as extractPaymentSignerAddress, r as readX402PaymentHeader } from '../signer-Cvdwn6Cs.mjs';
+import { AgentScoreCoreOptions, AgentIdentity, DenialReason, CreateSessionOnMissing, AgentScoreData, VerifyWalletSignerResult } from '../core.mjs';
+import { Request, Response, NextFunction } from 'express';
+
+interface AgentScoreGateOptions extends Omit<AgentScoreCoreOptions, 'createSessionOnMissing'> {
+    /** Custom function to extract agent identity (wallet address and/or operator token). */
+    extractIdentity?: (req: Request) => AgentIdentity | undefined;
+    /** Custom handler invoked when a request is denied. */
+    onDenied?: (req: Request, res: Response, reason: DenialReason) => void;
+    /** Auto-create a verification session on missing identity. Hooks receive the Express `Request`. */
+    createSessionOnMissing?: CreateSessionOnMissing<Request>;
+}
+declare function agentscoreGate(options: AgentScoreGateOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+/**
+ * Retrieve AgentScore assess data attached to an Express request by the gate. Returns
+ * `undefined` if the gate did not run or attached no data (fail-open mode + missing identity,
+ * or a route the middleware was not mounted on).
+ */
+declare function getAgentScoreData(req: Request): AgentScoreData | undefined;
+/**
+ * Report a wallet that paid under the operator_token extracted by the gate on this request.
+ * Fire-and-forget: no-ops silently if the gate didn't run, the request was wallet-authenticated,
+ * or the API call fails.
+ */
+declare function captureWallet(req: Request, options: {
+    walletAddress: string;
+    network: 'evm' | 'solana';
+    idempotencyKey?: string;
+}): Promise<void>;
+/**
+ * Verify the payment signer resolves to the same operator as the claimed X-Wallet-Address.
+ * See hono adapter for the full contract.
+ *
+ * Because Express `Request` isn't a web `Request`, the caller must pass both the original
+ * Fetch-style `Request` (if available — e.g. middleware upstream) and/or the x402 header value.
+ * Simpler pattern: pass `options.signer` directly after extracting it yourself.
+ */
+declare function verifyWalletSignerMatch(req: Request, options: {
+    signer: string | null;
+    network?: 'evm' | 'solana';
+}): Promise<VerifyWalletSignerResult>;
+
+export { type AgentScoreGateOptions, agentscoreGate, captureWallet, getAgentScoreData, verifyWalletSignerMatch };

package/dist/identity/express.d.ts

@@ -0,0 +1,44 @@
+export { F as FIXABLE_DENIAL_REASONS, b as buildContactSupportNextSteps, a as buildSignerMismatchBody, d as denialReasonStatus, c as denialReasonToBody, i as isFixableDenial, v as verificationAgentInstructions } from '../_response-rbK0zM7y.js';
+export { e as extractPaymentSignerAddress, r as readX402PaymentHeader } from '../signer-Cvdwn6Cs.js';
+import { AgentScoreCoreOptions, AgentIdentity, DenialReason, CreateSessionOnMissing, AgentScoreData, VerifyWalletSignerResult } from '../core.js';
+import { Request, Response, NextFunction } from 'express';
+
+interface AgentScoreGateOptions extends Omit<AgentScoreCoreOptions, 'createSessionOnMissing'> {
+    /** Custom function to extract agent identity (wallet address and/or operator token). */
+    extractIdentity?: (req: Request) => AgentIdentity | undefined;
+    /** Custom handler invoked when a request is denied. */
+    onDenied?: (req: Request, res: Response, reason: DenialReason) => void;
+    /** Auto-create a verification session on missing identity. Hooks receive the Express `Request`. */
+    createSessionOnMissing?: CreateSessionOnMissing<Request>;
+}
+declare function agentscoreGate(options: AgentScoreGateOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+/**
+ * Retrieve AgentScore assess data attached to an Express request by the gate. Returns
+ * `undefined` if the gate did not run or attached no data (fail-open mode + missing identity,
+ * or a route the middleware was not mounted on).
+ */
+declare function getAgentScoreData(req: Request): AgentScoreData | undefined;
+/**
+ * Report a wallet that paid under the operator_token extracted by the gate on this request.
+ * Fire-and-forget: no-ops silently if the gate didn't run, the request was wallet-authenticated,
+ * or the API call fails.
+ */
+declare function captureWallet(req: Request, options: {
+    walletAddress: string;
+    network: 'evm' | 'solana';
+    idempotencyKey?: string;
+}): Promise<void>;
+/**
+ * Verify the payment signer resolves to the same operator as the claimed X-Wallet-Address.
+ * See hono adapter for the full contract.
+ *
+ * Because Express `Request` isn't a web `Request`, the caller must pass both the original
+ * Fetch-style `Request` (if available — e.g. middleware upstream) and/or the x402 header value.
+ * Simpler pattern: pass `options.signer` directly after extracting it yourself.
+ */
+declare function verifyWalletSignerMatch(req: Request, options: {
+    signer: string | null;
+    network?: 'evm' | 'solana';
+}): Promise<VerifyWalletSignerResult>;
+
+export { type AgentScoreGateOptions, agentscoreGate, captureWallet, getAgentScoreData, verifyWalletSignerMatch };