@agent-score/commerce 1.0.3 → 1.2.0

package/dist/index.js

@@ -41,6 +41,9 @@ __export(index_exports, {
 });
 module.exports = __toCommonJS(index_exports);
 
+// src/core.ts
+var import_sdk = require("@agent-score/sdk");
+
 // src/_denial.ts
 var FIXABLE_DENIAL_REASONS = /* @__PURE__ */ new Set([
   "kyc_required",
@@ -120,6 +123,123 @@ function verificationAgentInstructions(input = {}) {
   };
 }
 
+// src/_response.ts
+var WALLET_NOT_TRUSTED_INSTRUCTIONS = JSON.stringify({
+  action: "contact_support",
+  steps: [
+    "The wallet's operator failed an UNFIXABLE compliance check (sanctions, age, or jurisdiction). `reasons` lists which: `sanctions_flagged` / `age_insufficient` / `jurisdiction_restricted`. KYC re-verification won't change the outcome \u2014 the policy denial is structural.",
+    "Surface the denial to the user with the merchant's support contact. Do not retry the same merchant request; do not hand the user a verify_url (verification won't fix this code path).",
+    "Fixable compliance reasons (`kyc_required`, `kyc_pending`, `kyc_failed`) do NOT land on this code \u2014 the gate auto-mints a verification session for those and returns `identity_verification_required` with poll endpoints, same shape as `missing_identity`. `jurisdiction_restricted` IS in the unfixable bucket because the API only emits it after KYC is verified (the user's KYC'd country is in the blocked list \u2014 re-doing KYC won't change the country)."
+  ],
+  user_message: "This purchase is denied by the merchant's compliance policy and cannot be resolved by re-verifying. Contact the merchant's support if you believe this is in error."
+});
+var PAYMENT_REQUIRED_INSTRUCTIONS = JSON.stringify({
+  action: "contact_merchant",
+  steps: [
+    "The merchant's AgentScore account does not have the assess endpoint enabled, so agent identity cannot be evaluated. This is a merchant-side configuration gap \u2014 there is no agent-side recovery.",
+    "Contact the merchant (their support channel \u2014 typically listed in /llms.txt or the OpenAPI servers metadata) so they can resolve the configuration on their side."
+  ],
+  user_message: "This merchant's identity gate is misconfigured. Contact the merchant \u2014 there's nothing to fix on the agent side."
+});
+var IDENTITY_VERIFICATION_REQUIRED_FALLBACK_INSTRUCTIONS = JSON.stringify({
+  action: "deliver_verify_url_and_poll",
+  steps: [
+    "Share verify_url with the user \u2014 they complete identity verification on AgentScore.",
+    "If session_id + poll_secret are present in the body, poll poll_url every 5 seconds with header `X-Poll-Secret: <poll_secret>` until status=verified. The poll returns a one-time operator_token.",
+    "Retry the original request with header `X-Operator-Token: <opc_...>`."
+  ],
+  user_message: "Identity verification is required. Visit verify_url, then poll poll_url for the operator token and retry."
+});
+var API_ERROR_INSTRUCTIONS = JSON.stringify({
+  action: "retry_with_backoff",
+  steps: [
+    "Verification is temporarily unavailable. Retry the request after 5\u201330 seconds with exponential backoff.",
+    "This is NOT a compliance denial \u2014 the user does not need to re-verify their identity. Send the same identity headers (X-Wallet-Address or X-Operator-Token) on retry.",
+    "If the request continues to fail after 3+ retries (~60 seconds total), surface the error to the user with the merchant's support contact."
+  ],
+  user_message: "Verification is temporarily unavailable. Please try again in a moment \u2014 this is a transient issue, not a problem with your account."
+});
+var QUOTA_EXCEEDED_INSTRUCTIONS = JSON.stringify({
+  action: "contact_merchant",
+  steps: [
+    "AgentScore identity verification is unavailable for this merchant. This is a merchant-side issue and is NOT recoverable via retry.",
+    "Do not retry: the same 503 will be returned until the merchant resolves the issue on their side.",
+    "Surface to the user with the merchant's support contact. The merchant (not the agent) needs to act."
+  ],
+  user_message: "This merchant's identity verification is temporarily unavailable. Try again later, or contact the merchant directly."
+});
+var TOKEN_EXPIRED_FALLBACK_INSTRUCTIONS = JSON.stringify({
+  action: "deliver_verify_url_and_poll",
+  steps: [
+    "The operator token is expired or revoked. AgentScore auto-mints a fresh verification session \u2014 complete it to receive a new opc_...",
+    "Share verify_url with the user, then poll poll_url every 5 seconds with header `X-Poll-Secret: <poll_secret>` until status=verified. The poll returns a fresh one-time operator_token.",
+    "Retry the original request with header `X-Operator-Token: <new_opc_...>`."
+  ],
+  user_message: "Operator token is expired or revoked. A new verification session has been minted \u2014 visit verify_url to refresh."
+});
+var DEFAULT_AGENT_INSTRUCTIONS = {
+  api_error: API_ERROR_INSTRUCTIONS,
+  wallet_not_trusted: WALLET_NOT_TRUSTED_INSTRUCTIONS,
+  payment_required: PAYMENT_REQUIRED_INSTRUCTIONS,
+  identity_verification_required: IDENTITY_VERIFICATION_REQUIRED_FALLBACK_INSTRUCTIONS,
+  token_expired: TOKEN_EXPIRED_FALLBACK_INSTRUCTIONS
+};
+var DEFAULT_MESSAGES = {
+  missing_identity: "No identity provided. Send X-Wallet-Address (wallet) or X-Operator-Token (credential).",
+  identity_verification_required: "Identity verification is required to access this resource. Visit verify_url to complete KYC.",
+  wallet_not_trusted: "The wallet does not meet the merchant compliance policy.",
+  api_error: "AgentScore is unreachable. This is transient \u2014 retry in a few seconds.",
+  payment_required: "Assess endpoint not enabled for this merchant. Contact support.",
+  wallet_signer_mismatch: "Payment signer does not match the wallet claimed via X-Wallet-Address. The signer and the claimed wallet must both resolve to the same AgentScore operator.",
+  wallet_auth_requires_wallet_signing: "X-Wallet-Address was sent with a rail that has no wallet signature (Stripe SPT / card). Switch to X-Operator-Token, or use a wallet-signing rail (Tempo MPP, x402).",
+  token_expired: "The operator token is expired or revoked. A fresh verification session has been minted \u2014 visit verify_url to mint a new token.",
+  invalid_credential: "The operator token is not recognized. Switch to a different stored token, or drop the header to bootstrap a fresh session."
+};
+var RESERVED_FIELDS = /* @__PURE__ */ new Set([
+  "error",
+  "decision",
+  "reasons",
+  "verify_url",
+  "session_id",
+  "poll_secret",
+  "poll_url",
+  "agent_instructions",
+  "agent_memory",
+  "claimed_operator",
+  "actual_signer_operator",
+  "expected_signer",
+  "actual_signer",
+  "linked_wallets"
+]);
+function denialReasonToBody(reason) {
+  const message = reason.message ?? DEFAULT_MESSAGES[reason.code];
+  const body = { error: { code: reason.code, message } };
+  if (reason.decision) body.decision = reason.decision;
+  if (reason.reasons) body.reasons = reason.reasons;
+  if (reason.verify_url) body.verify_url = reason.verify_url;
+  if (reason.session_id) body.session_id = reason.session_id;
+  if (reason.poll_secret) body.poll_secret = reason.poll_secret;
+  if (reason.poll_url) body.poll_url = reason.poll_url;
+  const instructions = reason.agent_instructions ?? DEFAULT_AGENT_INSTRUCTIONS[reason.code];
+  if (instructions) body.agent_instructions = instructions;
+  if (reason.agent_memory) body.agent_memory = reason.agent_memory;
+  if (reason.claimed_operator) body.claimed_operator = reason.claimed_operator;
+  if (reason.code === "wallet_signer_mismatch") body.actual_signer_operator = reason.actual_signer_operator ?? null;
+  if (reason.expected_signer) body.expected_signer = reason.expected_signer;
+  if (reason.actual_signer) body.actual_signer = reason.actual_signer;
+  if (reason.linked_wallets && reason.linked_wallets.length > 0) body.linked_wallets = reason.linked_wallets;
+  if (reason.extra) {
+    for (const [key, value] of Object.entries(reason.extra)) {
+      if (RESERVED_FIELDS.has(key)) {
+        console.warn(`[gate] onBeforeSession returned reserved field "${key}" \u2014 ignoring to preserve gate authority`);
+        continue;
+      }
+      body[key] = value;
+    }
+  }
+  return body;
+}
+
 // src/core.ts
 var CANONICAL_AGENTSCORE_API = "https://api.agentscore.sh";
 var WALLET_SIGNER_MISMATCH_INSTRUCTIONS = JSON.stringify({
@@ -222,107 +342,6 @@ function readX402PaymentHeader(request) {
   return request.headers.get("payment-signature") ?? request.headers.get("x-payment") ?? void 0;
 }
 
-// src/_response.ts
-var WALLET_NOT_TRUSTED_INSTRUCTIONS = JSON.stringify({
-  action: "contact_support",
-  steps: [
-    "The wallet's operator failed an UNFIXABLE compliance check (sanctions, age, or jurisdiction). `reasons` lists which: `sanctions_flagged` / `age_insufficient` / `jurisdiction_restricted`. KYC re-verification won't change the outcome \u2014 the policy denial is structural.",
-    "Surface the denial to the user with the merchant's support contact. Do not retry the same merchant request; do not hand the user a verify_url (verification won't fix this code path).",
-    "Fixable compliance reasons (`kyc_required`, `kyc_pending`, `kyc_failed`) do NOT land on this code \u2014 the gate auto-mints a verification session for those and returns `identity_verification_required` with poll endpoints, same shape as `missing_identity`. `jurisdiction_restricted` IS in the unfixable bucket because the API only emits it after KYC is verified (the user's KYC'd country is in the blocked list \u2014 re-doing KYC won't change the country)."
-  ],
-  user_message: "This purchase is denied by the merchant's compliance policy and cannot be resolved by re-verifying. Contact the merchant's support if you believe this is in error."
-});
-var PAYMENT_REQUIRED_INSTRUCTIONS = JSON.stringify({
-  action: "contact_merchant",
-  steps: [
-    "The merchant's AgentScore tier does not include the assess feature, so agent identity cannot be evaluated. This is a merchant-side configuration gap \u2014 there is no agent-side recovery.",
-    "Contact the merchant (their support channel \u2014 typically listed in /llms.txt or the OpenAPI servers metadata) and request they upgrade their AgentScore plan."
-  ],
-  user_message: "This merchant's identity gate is misconfigured (AgentScore tier doesn't support assess). Contact the merchant \u2014 there's nothing to fix on the agent side."
-});
-var IDENTITY_VERIFICATION_REQUIRED_FALLBACK_INSTRUCTIONS = JSON.stringify({
-  action: "deliver_verify_url_and_poll",
-  steps: [
-    "Share verify_url with the user \u2014 they complete identity verification on AgentScore.",
-    "If session_id + poll_secret are present in the body, poll poll_url every 5 seconds with header `X-Poll-Secret: <poll_secret>` until status=verified. The poll returns a one-time operator_token.",
-    "Retry the original request with header `X-Operator-Token: <opc_...>`."
-  ],
-  user_message: "Identity verification is required. Visit verify_url, then poll poll_url for the operator token and retry."
-});
-var TOKEN_EXPIRED_FALLBACK_INSTRUCTIONS = JSON.stringify({
-  action: "deliver_verify_url_and_poll",
-  steps: [
-    "The operator token is expired or revoked. AgentScore auto-mints a fresh verification session \u2014 complete it to receive a new opc_...",
-    "Share verify_url with the user, then poll poll_url every 5 seconds with header `X-Poll-Secret: <poll_secret>` until status=verified. The poll returns a fresh one-time operator_token.",
-    "Retry the original request with header `X-Operator-Token: <new_opc_...>`."
-  ],
-  user_message: "Operator token is expired or revoked. A new verification session has been minted \u2014 visit verify_url to refresh."
-});
-var DEFAULT_AGENT_INSTRUCTIONS = {
-  wallet_not_trusted: WALLET_NOT_TRUSTED_INSTRUCTIONS,
-  payment_required: PAYMENT_REQUIRED_INSTRUCTIONS,
-  identity_verification_required: IDENTITY_VERIFICATION_REQUIRED_FALLBACK_INSTRUCTIONS,
-  token_expired: TOKEN_EXPIRED_FALLBACK_INSTRUCTIONS
-};
-var DEFAULT_MESSAGES = {
-  missing_identity: "No identity provided. Send X-Wallet-Address (wallet) or X-Operator-Token (credential).",
-  identity_verification_required: "Identity verification is required to access this resource. Visit verify_url to complete KYC.",
-  wallet_not_trusted: "The wallet does not meet the merchant compliance policy.",
-  api_error: "AgentScore is unreachable. This is transient \u2014 retry in a few seconds.",
-  payment_required: "AgentScore tier does not support assess. Contact support.",
-  wallet_signer_mismatch: "Payment signer does not match the wallet claimed via X-Wallet-Address. The signer and the claimed wallet must both resolve to the same AgentScore operator.",
-  wallet_auth_requires_wallet_signing: "X-Wallet-Address was sent with a rail that has no wallet signature (Stripe SPT / card). Switch to X-Operator-Token, or use a wallet-signing rail (Tempo MPP, x402).",
-  token_expired: "The operator token is expired or revoked. A fresh verification session has been minted \u2014 visit verify_url to mint a new token.",
-  invalid_credential: "The operator token is not recognized. Switch to a different stored token, or drop the header to bootstrap a fresh session."
-};
-var RESERVED_FIELDS = /* @__PURE__ */ new Set([
-  "error",
-  "decision",
-  "reasons",
-  "verify_url",
-  "session_id",
-  "poll_secret",
-  "poll_url",
-  "agent_instructions",
-  "agent_memory",
-  "claimed_operator",
-  "actual_signer_operator",
-  "expected_signer",
-  "actual_signer",
-  "linked_wallets"
-]);
-function denialReasonToBody(reason) {
-  const message = reason.message ?? DEFAULT_MESSAGES[reason.code];
-  const body = { error: { code: reason.code, message } };
-  if (reason.decision) body.decision = reason.decision;
-  if (reason.reasons) body.reasons = reason.reasons;
-  if (reason.verify_url) body.verify_url = reason.verify_url;
-  if (reason.session_id) body.session_id = reason.session_id;
-  if (reason.poll_secret) body.poll_secret = reason.poll_secret;
-  if (reason.poll_url) body.poll_url = reason.poll_url;
-  const instructions = reason.agent_instructions ?? DEFAULT_AGENT_INSTRUCTIONS[reason.code];
-  if (instructions) body.agent_instructions = instructions;
-  if (reason.agent_memory) body.agent_memory = reason.agent_memory;
-  if (reason.claimed_operator) body.claimed_operator = reason.claimed_operator;
-  if (reason.code === "wallet_signer_mismatch") body.actual_signer_operator = reason.actual_signer_operator ?? null;
-  if (reason.expected_signer) body.expected_signer = reason.expected_signer;
-  if (reason.actual_signer) body.actual_signer = reason.actual_signer;
-  if (reason.linked_wallets && reason.linked_wallets.length > 0) body.linked_wallets = reason.linked_wallets;
-  if (reason.code === "api_error" && !(reason.extra && reason.extra.next_steps)) {
-    body.next_steps = { action: "retry", retry_after_seconds: 5 };
-  }
-  if (reason.extra) {
-    for (const [key, value] of Object.entries(reason.extra)) {
-      if (RESERVED_FIELDS.has(key)) {
-        console.warn(`[gate] onBeforeSession returned reserved field "${key}" \u2014 ignoring to preserve gate authority`);
-        continue;
-      }
-      body[key] = value;
-    }
-  }
-  return body;
-}
-
 // src/identity/a2a.ts
 var PROTOCOL_VERSION = "1.0";
 var CARD_VERSION = 1;