npm - @agent-score/commerce - Versions diffs - 1.5.1 → 1.6.0 - Mend

@agent-score/commerce 1.5.1 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

package/README.md +22 -8
package/dist/challenge/index.js.map +1 -1
package/dist/challenge/index.mjs.map +1 -1
package/dist/core.d.mts +36 -27
package/dist/core.d.ts +36 -27
package/dist/core.js +1 -1
package/dist/core.js.map +1 -1
package/dist/core.mjs +1 -1
package/dist/core.mjs.map +1 -1
package/dist/identity/express.d.mts +2 -2
package/dist/identity/express.d.ts +2 -2
package/dist/identity/express.js +1 -1
package/dist/identity/express.js.map +1 -1
package/dist/identity/express.mjs +1 -1
package/dist/identity/express.mjs.map +1 -1
package/dist/identity/fastify.d.mts +2 -2
package/dist/identity/fastify.d.ts +2 -2
package/dist/identity/fastify.js +1 -1
package/dist/identity/fastify.js.map +1 -1
package/dist/identity/fastify.mjs +1 -1
package/dist/identity/fastify.mjs.map +1 -1
package/dist/identity/hono.d.mts +2 -2
package/dist/identity/hono.d.ts +2 -2
package/dist/identity/hono.js +1 -1
package/dist/identity/hono.js.map +1 -1
package/dist/identity/hono.mjs +1 -1
package/dist/identity/hono.mjs.map +1 -1
package/dist/identity/nextjs.d.mts +2 -2
package/dist/identity/nextjs.d.ts +2 -2
package/dist/identity/nextjs.js +1 -1
package/dist/identity/nextjs.js.map +1 -1
package/dist/identity/nextjs.mjs +1 -1
package/dist/identity/nextjs.mjs.map +1 -1
package/dist/identity/policy.d.mts +3 -3
package/dist/identity/policy.d.ts +3 -3
package/dist/identity/policy.js +3 -3
package/dist/identity/policy.js.map +1 -1
package/dist/identity/policy.mjs +2 -2
package/dist/identity/policy.mjs.map +1 -1
package/dist/identity/web.d.mts +3 -3
package/dist/identity/web.d.ts +3 -3
package/dist/identity/web.js +1 -1
package/dist/identity/web.js.map +1 -1
package/dist/identity/web.mjs +1 -1
package/dist/identity/web.mjs.map +1 -1
package/dist/index.d.mts +217 -123
package/dist/index.d.ts +217 -123
package/dist/index.js +86 -70
package/dist/index.js.map +1 -1
package/dist/index.mjs +84 -68
package/dist/index.mjs.map +1 -1
package/package.json +2 -2

package/dist/challenge/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../../src/challenge/index.ts","../../src/challenge/accepted_methods.ts","../../src/challenge/identity.ts","../../src/challenge/how_to_pay.ts","../../src/challenge/agent_instructions.ts","../../src/core.ts","../../src/_response.ts","../../src/challenge/agent_memory.ts","../../src/challenge/body.ts","../../src/challenge/pricing.ts","../../src/payment/wwwauthenticate.ts","../../src/challenge/respond_402.ts","../../src/challenge/validation_error.ts"],"sourcesContent":["export * from './accepted_methods';\nexport * from './identity';\nexport * from './how_to_pay';\nexport * from './agent_instructions';\nexport * from './agent_memory';\nexport * from './body';\nexport * from './pricing';\nexport * from './order_receipt';\nexport * from './respond_402';\nexport * from './validation_error';\n","export interface TempoMethodEntry {\n method: 'tempo/charge';\n network: string;\n chain_id: number;\n token: string;\n symbol: string;\n decimals: number;\n pay_to: string;\n}\n\nexport interface X402MethodEntry {\n method: 'x402/exact';\n network: string;\n chain_id?: number;\n token: string;\n symbol: string;\n decimals: number;\n pay_to: string;\n}\n\nexport interface SolanaMppMethodEntry {\n method: 'solana/charge';\n network: string;\n token: string;\n symbol: string;\n decimals: number;\n pay_to: string;\n fee_payer_key?: string;\n}\n\nexport interface StripeMethodEntry {\n method: 'stripe/charge';\n rails: ('card' \| 'link' \| 'shared_payment_token')[];\n profile_id: string \| null;\n}\n\nexport type AcceptedMethodEntry =\n \| TempoMethodEntry\n \| X402MethodEntry\n \| SolanaMppMethodEntry\n \| StripeMethodEntry;\n\nexport interface BuildAcceptedMethodsInput {\n tempo?: {\n recipient: string;\n network?: string;\n chainId?: number;\n token?: string;\n symbol?: string;\n decimals?: number;\n };\n x402_base?: {\n recipient: string;\n network?: string;\n chainId?: number;\n token?: string;\n symbol?: string;\n decimals?: number;\n };\n solana_mpp?: {\n recipient: string;\n network?: string;\n token?: string;\n symbol?: string;\n decimals?: number;\n feePayerKey?: string;\n };\n stripe?: {\n profileId?: string \| null;\n rails?: ('card' \| 'link' \| 'shared_payment_token')[];\n };\n}\n\n/*\n Build the `accepted_methods[]` array for an enriched 402 body. Each rail entry is\n * conditionally included based on whether the vendor passed it. Per-rail shapes follow\n * the conventions established in martin-estate's reference 402.\n /\nexport function buildAcceptedMethods(input: BuildAcceptedMethodsInput): AcceptedMethodEntry[] {\n const out: AcceptedMethodEntry[] = [];\n\n if (input.tempo) {\n out.push({\n method: 'tempo/charge',\n network: input.tempo.network ?? 'tempo-mainnet',\n chain_id: input.tempo.chainId ?? 4217,\n token: input.tempo.token ?? '0x20C000000000000000000000b9537d11c60E8b50',\n symbol: input.tempo.symbol ?? 'USDC.e',\n decimals: input.tempo.decimals ?? 6,\n pay_to: input.tempo.recipient,\n });\n }\n\n if (input.x402_base) {\n out.push({\n method: 'x402/exact',\n network: input.x402_base.network ?? 'eip155:8453',\n chain_id: input.x402_base.chainId ?? 8453,\n token: input.x402_base.token ?? '0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913',\n symbol: input.x402_base.symbol ?? 'USDC',\n decimals: input.x402_base.decimals ?? 6,\n pay_to: input.x402_base.recipient,\n });\n }\n\n if (input.solana_mpp) {\n out.push({\n method: 'solana/charge',\n network: input.solana_mpp.network ?? 'solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp',\n token: input.solana_mpp.token ?? 'EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v',\n symbol: input.solana_mpp.symbol ?? 'USDC',\n decimals: input.solana_mpp.decimals ?? 6,\n pay_to: input.solana_mpp.recipient,\n ...(input.solana_mpp.feePayerKey ? { fee_payer_key: input.solana_mpp.feePayerKey } : {}),\n });\n }\n\n if (input.stripe) {\n out.push({\n method: 'stripe/charge',\n rails: input.stripe.rails ?? ['card', 'link', 'shared_payment_token'],\n profile_id: input.stripe.profileId ?? null,\n });\n }\n\n return out;\n}\n","export type IdentityMode = 'wallet' \| 'operator_token';\n\nexport interface SignerMatchResultLike {\n kind: 'pass' \| 'wallet_signer_mismatch' \| 'wallet_auth_requires_wallet_signing' \| string;\n expectedSigner?: string;\n actualSigner?: string;\n linkedWallets?: string[];\n}\n\nexport interface IdentityMetadataInput {\n /* Current request's identity mode. /\n mode: IdentityMode;\n /* Claimed wallet address (when mode === 'wallet'). /\n wallet?: string;\n /* Result of a prior verifyWalletSignerMatch call. /\n signerMatchResult?: SignerMatchResultLike;\n /* Same-operator linked wallets (from assess response). /\n linkedWallets?: string[];\n /* Optional explicit constraint description (overrides the auto-generated one). /\n signerConstraint?: string;\n}\n\nexport interface IdentityMetadataBlock {\n identity_mode: IdentityMode;\n required_signer?: string;\n linked_wallets?: string[];\n signer_constraint?: string;\n}\n\n/\n Build the identity-metadata block for an enriched 402 body. Echoes the agent's\n * identity context (wallet vs. operator-token mode) so the agent can self-correct\n * before signing — specifically, on wallet-auth rails the agent MUST sign with one\n * of the wallets in linked_wallets (all resolve to the same operator).\n /\nexport function buildIdentityMetadata(input: IdentityMetadataInput): IdentityMetadataBlock {\n const block: IdentityMetadataBlock = { identity_mode: input.mode };\n\n if (input.mode !== 'wallet') return block;\n\n if (input.wallet) {\n block.required_signer = input.signerMatchResult?.expectedSigner ?? input.wallet;\n }\n if (input.linkedWallets && input.linkedWallets.length > 0) {\n block.linked_wallets = input.linkedWallets;\n }\n block.signer_constraint =\n input.signerConstraint ??\n 'Payment must be signed with the claimed wallet OR any same-operator linked wallet listed in linked_wallets.';\n\n return block;\n}\n","export interface HowToPayRailEntry {\n setup?: string[];\n prerequisite?: string;\n command: string;\n alternative_command?: string;\n what_it_does: string;\n}\n\nexport interface HowToPayStripeEntry {\n prerequisite: string;\n instructions: string;\n setup_link_cli?: string[];\n command_link_cli?: string[];\n what_it_does_link_cli?: string;\n note?: string;\n}\n\nexport interface HowToPayBlock {\n tempo?: HowToPayRailEntry;\n x402_base?: HowToPayRailEntry;\n solana_mpp?: HowToPayRailEntry;\n stripe?: HowToPayStripeEntry;\n}\n\nexport interface BuildHowToPayInput {\n /* The merchant's full URL (e.g., 'https://agents.merchant.example/api/buy'). /\n url: string;\n /* JSON string of the body the agent should retry with — typically the original request body. /\n retryBodyJson: string;\n /* Total amount in USD (string or number). Used to compute max-spend defaults and stripe context. /\n totalUsd: string \| number;\n /* Per-rail config — each is optional. Pass only the rails you support. /\n rails: {\n tempo?: { recipient: string; networkName?: string; chainId?: number; recommend?: 'tempo' \| 'agentscore-pay' \| 'both' };\n x402_base?: { recipient: string; network?: string };\n solana_mpp?: { recipient: string; network?: string };\n stripe?: { profileId?: string \| null; productName?: string };\n };\n /* Placeholder text for the operator token in commands. Defaults to '<your_opc_token>'. /\n opTokenPlaceholder?: string;\n /* Override max-spend value used in commands. Default: ceil(totalUsd) + 1. /\n maxSpend?: string \| number;\n}\n\nconst TEMPO_SETUP = [\n 'curl -fsSL https://tempo.xyz/install \| bash',\n 'tempo wallet login',\n 'tempo wallet whoami',\n 'tempo wallet fund # if balance is zero',\n];\n\nconst PAY_SETUP_BASE = [\n 'npm install -g @agent-score/pay # or: brew install agentscore/tap/agentscore-pay',\n 'agentscore-pay wallet create --chain base',\n 'agentscore-pay balance --chain base # fund the printed address with USDC on Base',\n];\n\nconst PAY_SETUP_SOLANA = [\n 'npm install -g @agent-score/pay # or: brew install agentscore/tap/agentscore-pay',\n 'agentscore-pay wallet create --chain solana',\n 'agentscore-pay balance --chain solana # fund the printed address with USDC on Solana',\n];\n\n/\n Build the agent_instructions.how_to_pay block. Generates per-rail setup/command/what_it_does\n * boilerplate so agents see concrete commands per rail in the 402 body. Vendors pass the rails\n * they support; the helper produces the right command for each.\n \n Tool recommendations (tempo CLI vs agentscore-pay vs link-cli) are configurable per rail.\n /\nexport function buildHowToPay(input: BuildHowToPayInput): HowToPayBlock {\n const totalNum = typeof input.totalUsd === 'string' ? Number(input.totalUsd) : input.totalUsd;\n const maxSpend = String(input.maxSpend ?? (Math.ceil(totalNum) + 1).toFixed(2));\n const opToken = input.opTokenPlaceholder ?? '<your_opc_token>';\n const block: HowToPayBlock = {};\n\n if (input.rails.tempo) {\n const networkName = input.rails.tempo.networkName ?? 'tempo-mainnet';\n const chainId = input.rails.tempo.chainId ?? 4217;\n const recommend = input.rails.tempo.recommend ?? 'both';\n const tempoCommand = `tempo request -X POST -H 'X-Operator-Token: ${opToken}' -H 'Content-Type: application/json' --json '${input.retryBodyJson}' --max-spend ${maxSpend} ${input.url}`;\n const payCommand = `agentscore-pay pay POST ${input.url} --chain tempo -H 'X-Operator-Token: ${opToken}' -H 'Content-Type: application/json' -d '${input.retryBodyJson}' --max-spend ${maxSpend}`;\n block.tempo = {\n setup: TEMPO_SETUP,\n prerequisite: `Run \\`tempo wallet whoami\\` and confirm USDC.e balance on ${networkName} (chain ${chainId}) is at least $${maxSpend}. If the tempo CLI is not installed, run the setup commands above first.`,\n command: recommend === 'agentscore-pay' ? payCommand : tempoCommand,\n ...(recommend === 'both'\n ? { alternative_command: payCommand }\n : recommend === 'agentscore-pay'\n ? { alternative_command: tempoCommand }\n : {}),\n what_it_does: `Pays via Tempo USDC on ${networkName}.`,\n };\n }\n\n if (input.rails.x402_base) {\n const network = input.rails.x402_base.network ?? 'eip155:8453';\n block.x402_base = {\n setup: PAY_SETUP_BASE,\n prerequisite: `Run \\`agentscore-pay balance --chain base\\` and confirm USDC balance on Base (${network}) is at least $${maxSpend}. If the CLI is not installed, run the setup commands above first.`,\n command: `agentscore-pay pay POST ${input.url} --chain base -H 'X-Operator-Token: ${opToken}' -H 'Content-Type: application/json' -d '${input.retryBodyJson}' --max-spend ${maxSpend}`,\n what_it_does: 'Pays via USDC on Base.',\n };\n }\n\n if (input.rails.solana_mpp) {\n const network = input.rails.solana_mpp.network ?? 'solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp';\n block.solana_mpp = {\n setup: PAY_SETUP_SOLANA,\n prerequisite: `Run \\`agentscore-pay balance --chain solana\\` and confirm USDC balance on Solana (${network}) is at least $${maxSpend}. If the CLI is not installed, run the setup commands above first.`,\n command: `agentscore-pay pay POST ${input.url} --chain solana -H 'X-Operator-Token: ${opToken}' -H 'Content-Type: application/json' -d '${input.retryBodyJson}' --max-spend ${maxSpend}`,\n what_it_does: 'Pays via USDC on Solana.',\n };\n }\n\n if (input.rails.stripe) {\n const stripeCfg = input.rails.stripe;\n const amountCents = Math.round(totalNum 100);\n const linkCliBlocked = amountCents > 50000;\n const productName = stripeCfg.productName ?? 'this purchase';\n const sptContext = `Purchasing \"${productName}\" via the agent commerce API. The user authorized this purchase through their AI agent for $${totalNum}; charge to be settled via shared payment token over the Machine Payments Protocol.`;\n const stripe: HowToPayStripeEntry = {\n prerequisite:\n 'Either your own Stripe account with Shared Payment Token acceptance, OR a Stripe Link wallet (any user with link.com).',\n instructions:\n 'Mint a SharedPaymentToken scoped to the profile_id advertised in accepted_methods, then submit via Authorization: Payment MPP header with method=stripe/charge.',\n };\n if (stripeCfg.profileId && !linkCliBlocked) {\n stripe.setup_link_cli = [\n 'npm install -g @stripe/link-cli # or use npx -y @stripe/link-cli for one-shot',\n 'link-cli auth login # one-time, opens your Link wallet',\n 'link-cli payment-methods list --output-json # copy a csmrpd_... id',\n ];\n stripe.command_link_cli = [\n `SPEND_ID=$(link-cli spend-request create --payment-method-id <csmrpd_id_from_payment_methods_list> --credential-type shared_payment_token --network-id ${stripeCfg.profileId} --amount ${amountCents} --context \"${sptContext}\" --request-approval --output-json \| jq -r .id)`,\n `link-cli mpp pay ${input.url} --spend-request-id $SPEND_ID --method POST --data '${input.retryBodyJson}' --header 'X-Operator-Token: ${opToken}' --output-json`,\n ];\n stripe.what_it_does_link_cli =\n 'Mints a one-time-use SharedPaymentToken scoped to this purchase (user approves in Link wallet), then submits it as the payment credential.';\n } else if (linkCliBlocked) {\n stripe.note = `link-cli SPT path not available for this purchase — Stripe link-cli caps spend requests at $500.00 ($50000 cents); your total is $${totalNum}. Use your own Stripe account with the SharedPaymentToken API instead.`;\n }\n block.stripe = stripe;\n }\n\n return block;\n}\n","import type { HowToPayBlock } from './how_to_pay';\n\n/** Map of rail key (e.g. 'x402_base', 'tempo_mpp', 'stripe') → list of client identifiers\n * that have been smoke-verified by the merchant against the protocol shape they emit.\n * Strings are display labels, not install commands — agents already get install commands\n * via `how_to_pay.<rail>.setup`. Use these as a \"what's known to work\" hint. /\nexport type CompatibleClients = Record<string, string[]>;\n\nexport interface BuildAgentInstructionsInput {\n /* Per-rail commands. Build with `buildHowToPay`. /\n howToPay: HowToPayBlock;\n /* Tool recommendations as human-readable strings. Defaults to a sensible set covering tempo + agentscore-pay. /\n recommendedTools?: string[];\n /* Wallet-stack compatibility note for the agent. Default: rail-neutral, no specific wallet stack required. /\n walletCompatibility?: string;\n /* How long the merchant will wait for payment after the 402. Default 300 (5 minutes). /\n timeoutSeconds?: number;\n /* Warnings about common footguns. Defaults include tempo wallet transfer + raw on-chain x402 deposits. /\n warnings?: string[];\n /* Additional warnings appended to the default protocol-footgun set. Use this when you want\n * to keep the SDK's protocol warnings AND add merchant-specific notes (e.g., a per-order\n * rail-availability message). Ignored when `warnings` is set explicitly. /\n extraWarnings?: string[];\n /* Recommended rail (e.g., 'tempo', 'x402_base'). Surfaced for agents to default to. /\n recommended?: string;\n /* Per-rail list of client names the merchant has verified work end-to-end. Vendors set\n * this from their own smoke matrix — defaults to none (avoids vouching for clients the\n * merchant has not tested). When omitted, the field is not emitted. /\n compatibleClients?: CompatibleClients;\n /* Arbitrary additional fields the vendor wants merged into the agent_instructions object. /\n extra?: Record<string, unknown>;\n}\n\nexport interface AgentInstructions {\n how_to_pay: HowToPayBlock;\n recommended_tools: string[];\n wallet_compatibility: string;\n timeout_seconds: number;\n warnings: string[];\n recommended?: string;\n compatible_clients?: CompatibleClients;\n [key: string]: unknown;\n}\n\nconst TEMPO_WARNING =\n 'Do NOT use `tempo wallet transfer`. That moves USDC on-chain without completing the protocol handshake, so the order will not complete. Use `tempo request` instead.';\n\nconst X402_WARNING =\n 'Do NOT send USDC manually to the deposit addresses. Use `agentscore-pay pay` so the credential is signed and submitted; otherwise the order will not complete even though the deposit lands.';\n\nconst TEMPO_TOOL = '`tempo request` for Tempo USDC';\nconst AGENTSCORE_PAY_TOOL = '`agentscore-pay` — Base + Solana + Tempo from one CLI';\n\nconst DEFAULT_WALLET_COMPATIBILITY =\n 'Any client that can produce a valid MPP credential (Authorization: Payment) or x402 X-Payment header. Use the CLI commands above; sign-it-yourself is also fine.';\n\nfunction defaultRecommendedTools(howToPay: HowToPayBlock): string[] {\n const tools: string[] = [];\n if (howToPay.tempo) tools.push(TEMPO_TOOL);\n if (howToPay.tempo \|\| howToPay.x402_base \|\| howToPay.solana_mpp) tools.push(AGENTSCORE_PAY_TOOL);\n return tools;\n}\n\nfunction defaultWarnings(howToPay: HowToPayBlock): string[] {\n const w: string[] = [];\n if (howToPay.tempo) w.push(TEMPO_WARNING);\n if (howToPay.x402_base) w.push(X402_WARNING);\n return w;\n}\n\n/\n Default `compatible_clients` derived from the rails declared in `howToPay`. Lists\n * clients the AgentScore team has smoke-verified end-to-end against an `@agent-score/commerce`\n * merchant; entries appear only for rails the vendor actually offers. Vendors override\n * this in `buildAgentInstructions({compatibleClients: {...}})` to add their own tested\n * clients or remove entries that don't fit their endpoint.\n \n Verified state as of the SDK release. The same data is also published as a docs page\n * for humans (rationale, per-rail commands, why some clients don't fully work, last\n * verified date) — this default keeps the merchant-side surface in sync.\n /\n/* Symbolic rail keys agent-facing surfaces use to talk about a rail without spelling out\n * network/scheme details. Same keys as `CompatibleClients` map keys. /\nexport type RailKey = 'tempo_mpp' \| 'x402_base' \| 'solana_mpp' \| 'stripe';\n\nconst RAIL_CLIENTS: Record<RailKey, readonly string[]> = {\n tempo_mpp: ['agentscore-pay', 'tempo request', 'x402-proxy'],\n x402_base: ['agentscore-pay', 'x402-proxy', 'purl (omit --network flag)'],\n solana_mpp: ['agentscore-pay'],\n stripe: ['link-cli'],\n};\n\n/* Returns the smoke-verified client list for a set of rail keys. The single source of\n * truth for \"which CLIs we've verified end-to-end on each rail\" — consumed both by the\n * 402-body builder (`defaultCompatibleClients`) and by discovery surfaces (skill.md,\n * llms.txt, etc.). Update here, every surface inherits. /\nexport function compatibleClientsByRails(rails: readonly RailKey[]): CompatibleClients \| undefined {\n const out: CompatibleClients = {};\n for (const r of rails) out[r] = [...RAIL_CLIENTS[r]];\n return Object.keys(out).length === 0 ? undefined : out;\n}\n\nfunction defaultCompatibleClients(howToPay: HowToPayBlock): CompatibleClients \| undefined {\n const rails: RailKey[] = [];\n if (howToPay.tempo) rails.push('tempo_mpp');\n if (howToPay.x402_base) rails.push('x402_base');\n if (howToPay.solana_mpp) rails.push('solana_mpp');\n if (howToPay.stripe) rails.push('stripe');\n return compatibleClientsByRails(rails);\n}\n\n/\n Build the agent_instructions object for the 402 body. Combines how_to_pay with\n * recommended tools, warnings, wallet-compatibility note, and timeout.\n \n Defaults adapt to the rails declared in `howToPay`: only tempo-relevant warnings/tools\n * appear if `howToPay.tempo` is set, only x402-relevant ones if `x402_base` is set.\n * Stripe-only merchants get neither rail-specific warning. Vendors override\n * `warnings`/`recommendedTools` for full control.\n /\nexport function buildAgentInstructions(input: BuildAgentInstructionsInput): AgentInstructions {\n const compatibleClients = input.compatibleClients ?? defaultCompatibleClients(input.howToPay);\n return {\n how_to_pay: input.howToPay,\n recommended_tools: input.recommendedTools ?? defaultRecommendedTools(input.howToPay),\n wallet_compatibility: input.walletCompatibility ?? DEFAULT_WALLET_COMPATIBILITY,\n timeout_seconds: input.timeoutSeconds ?? 300,\n warnings: input.warnings ?? [...defaultWarnings(input.howToPay), ...(input.extraWarnings ?? [])],\n ...(input.recommended ? { recommended: input.recommended } : {}),\n ...(compatibleClients ? { compatible_clients: compatibleClients } : {}),\n ...(input.extra ?? {}),\n };\n}\n","import {\n AgentScore,\n InvalidCredentialError,\n PaymentRequiredError,\n QuotaExceededError,\n TimeoutError as SdkTimeoutError,\n TokenExpiredError,\n} from '@agent-score/sdk';\nimport { isFixableDenial } from './_denial';\nimport { QUOTA_EXCEEDED_INSTRUCTIONS } from './_response';\nimport { normalizeAddress } from './address';\nimport { TTLCache } from './cache';\n\n// Character-based trim avoids a CodeQL polynomial-redos false positive on\n// `/\\/+$/` patterns that report library-input strings.\nfunction stripTrailingSlashes(s: string): string {\n let end = s.length;\n while (end > 0 && s.charCodeAt(end - 1) === 47 / '/' /) end--;\n return end === s.length ? s : s.slice(0, end);\n}\n\ndeclare const __VERSION__: string;\n\n// ---------------------------------------------------------------------------\n// Public types (framework-agnostic)\n// ---------------------------------------------------------------------------\n\nexport interface AgentIdentity {\n address?: string;\n operatorToken?: string;\n}\n\n/\n Session metadata returned from `POST /v1/sessions`. Surfaced to the `onBeforeSession`\n * hook so merchants can correlate an AgentScore session with their own resume token\n * (e.g. a pending-order id).\n /\nexport interface SessionMetadata {\n session_id: string;\n verify_url: string;\n poll_secret: string;\n poll_url: string;\n expires_at?: string;\n}\n\n/\n Configuration for auto-creating a verification session when no identity is present.\n \n The static `context` / `productName` options are sent on every session request. For\n * per-request context (e.g. the specific product the agent was trying to buy), pass\n * a `getSessionOptions` callback that returns dynamic values; its return is merged\n * over the static defaults.\n \n `onBeforeSession` is a side-effect hook that runs after the session is minted but\n * before the 403 is built. Use it to pre-create a reservation/draft/pending-order\n * row in your DB so agents can resume via a merchant-specific id. Return value is\n * merged into `DenialReason.extra`, so it surfaces in both the default 403 body and\n * in a custom `onDenied` handler.\n /\nexport interface CreateSessionOnMissing<TCtx = unknown> {\n apiKey: string;\n baseUrl?: string;\n context?: string;\n productName?: string;\n /* Per-request override of `context` / `productName`. Invoked with the framework context. /\n getSessionOptions?: (ctx: TCtx) => Promise<{ context?: string; productName?: string }>\n \| { context?: string; productName?: string };\n /* Side-effect hook that runs after the session is minted. Return value is merged\n * into `DenialReason.extra` so custom `onDenied` handlers can include merchant-specific\n * fields (e.g. `order_id`) in the 403 response. Hook errors are logged and swallowed —\n * a failing side effect should not block the 403 from reaching the agent. /\n onBeforeSession?: (ctx: TCtx, session: SessionMetadata) => Promise<Record<string, unknown>>\n \| Record<string, unknown>;\n}\n\nexport interface AgentScoreCoreOptions {\n /* AgentScore API key. Required. /\n apiKey: string;\n /* Require KYC verification. /\n requireKyc?: boolean;\n /* Require operator to be clear of sanctions. /\n requireSanctionsClear?: boolean;\n /* Minimum operator age bracket (18 or 21). /\n minAge?: number;\n /* List of blocked jurisdictions (blocklist). /\n blockedJurisdictions?: string[];\n /* List of allowed jurisdictions (allowlist — only these pass). /\n allowedJurisdictions?: string[];\n /* If true, allow the request through when the API is unreachable. Defaults to false. /\n failOpen?: boolean;\n /* How long to cache results, in seconds. Defaults to 300. /\n cacheSeconds?: number;\n /* AgentScore API base URL. Defaults to \"https://api.agentscore.sh\". /\n baseUrl?: string;\n /* Optional chain to filter scoring to. /\n chain?: string;\n /* Prepended to the default User-Agent as `\"{userAgent} (@agent-score/commerce@{version})\"`. Use to attribute API calls to your app. /\n userAgent?: string;\n /* When set and no identity is found, create a verification session instead of denying immediately. /\n createSessionOnMissing?: CreateSessionOnMissing;\n}\n\nexport type DenialCode =\n \| 'wallet_not_trusted'\n \| 'missing_identity'\n \| 'api_error'\n \| 'payment_required'\n \| 'identity_verification_required'\n // Wallet-signer binding: claimed X-Wallet-Address must resolve to the same operator as\n // the payment signer; wallet-auth is rejected on rails with no wallet signer.\n \| 'wallet_signer_mismatch'\n \| 'wallet_auth_requires_wallet_signing'\n // Granular credential-state denials passed through from /v1/assess.\n // - `token_expired`: revoked + TTL-expired (the API unifies these). The 401 body carries\n // an auto-minted session, forwarded into DenialReason for one-shot recovery.\n // - `invalid_credential`: the token doesn't exist at all (typo, never minted, fabricated).\n // No auto-session is minted by the API for this case — agents should switch to a\n // different stored token or drop the header to bootstrap a fresh session.\n \| 'token_expired'\n \| 'invalid_credential';\n\n/\n Cross-merchant pattern hint emitted on bootstrap denials and session-create responses.\n * LLM-hosted agents should persist this to long-term memory so future AgentScore encounters skip\n * the cold-start session flow. Contents are the pattern, not secrets.\n /\nexport interface AgentMemoryHint {\n save_for_future_agentscore_gates: true;\n pattern_summary: string;\n quickstart: string;\n identity_check_endpoint: string;\n list_wallets_endpoint?: string;\n identity_paths: { wallet: string; operator_token: string };\n bootstrap: string;\n do_not_persist_in_memory: string[];\n persist_in_credential_store: string[];\n}\n\nexport interface DenialReason {\n code: DenialCode;\n /* Human-readable explanation. When omitted, `denialReasonToBody` substitutes a per-code default. /\n message?: string;\n decision?: string;\n reasons?: string[];\n verify_url?: string;\n session_id?: string;\n poll_secret?: string;\n poll_url?: string;\n agent_instructions?: string;\n /* Cross-merchant memory hint. Emitted on bootstrap denials only by default. /\n agent_memory?: AgentMemoryHint;\n /* Full assess response when the denial came from `/v1/assess`. Lets consumers access fields\n * not promoted to first-class DenialReason properties (e.g., `policy_result`). Undefined for\n * denials that did not originate from an assess call (missing_identity, api_error,\n * payment_required, identity_verification_required). /\n data?: AgentScoreData;\n /* Extra fields returned from the `createSessionOnMissing.onBeforeSession` hook. Merged\n * into the default 403 body; custom `onDenied` handlers can spread these into their own\n * response shape (e.g. to include a merchant-minted `order_id`). /\n extra?: Record<string, unknown>;\n // ---------------------------------------------------------------------------\n // Wallet-signer-match fields — populated for wallet_signer_mismatch only.\n // ---------------------------------------------------------------------------\n /* Operator id resolved from `X-Wallet-Address`. /\n claimed_operator?: string;\n /* Operator id the actual payment signer resolves to. `null` when the signer wallet isn't\n * linked to any operator (treat as a different identity). /\n actual_signer_operator?: string \| null;\n /* The wallet the agent claimed via header. Echoed back for self-correction. /\n expected_signer?: string;\n /* The wallet that actually signed the payment. /\n actual_signer?: string;\n /* Wallets the claimed operator could sign with (if enumerable). Present when non-empty. /\n linked_wallets?: string[];\n}\n\nexport interface AgentScoreData {\n decision: string \| null;\n decision_reasons: string[];\n identity_method?: string;\n operator_verification?: {\n level: string;\n operator_type: string \| null;\n verified_at: string \| null;\n };\n /* Account-level KYC facts that apply to every operator under the same account.\n * Populated when the API returns account_verification (post-KYC operator). /\n account_verification?: {\n kyc_level?: string;\n sanctions_clear?: boolean;\n age_bracket?: string;\n jurisdiction?: string;\n verified_at?: string \| null;\n };\n resolved_operator?: string \| null;\n /* Wallets linked to the same operator as the resolved identity. Capped at 100 entries\n * by the API. Useful for advertising in 402 challenges so wallet-auth agents know which\n * alt-signers will satisfy `wallet_signer_mismatch`. /\n linked_wallets?: string[];\n verify_url?: string;\n policy_result?: {\n all_passed: boolean;\n checks: Array<{\n rule: string;\n passed: boolean;\n required?: unknown;\n actual?: unknown;\n }>;\n } \| null;\n}\n\n/\n Reason a failOpen allow short-circuited an evaluate call due to AgentScore-side\n * infrastructure issues. Surfaced on `EvaluateOutcome` so merchants can log/alert when\n * their gate is running in degraded mode (compliance not actually enforced this request).\n \n - `quota_exceeded` — AgentScore returned 429\n * - `api_error` — AgentScore returned 5xx or non-2xx that isn't 429\n * - `network_timeout` — request to /v1/assess timed out or failed at the network layer\n /\nexport type FailOpenInfraReason = 'quota_exceeded' \| 'api_error' \| 'network_timeout';\n\n/* Per-account assess quota observability, captured from `X-Quota-` response headers\n on the success path. Mirrors the SDK's `QuotaInfo` shape — re-exported from gate state\n * so merchants can monitor approach-to-cap proactively (warn at 80%, alert at 95%). /\nexport interface GateQuotaInfo {\n limit: number \| null;\n used: number \| null;\n /* ISO-8601 timestamp, or the literal string `\"never\"` for unlimited tiers. /\n reset: string \| null;\n}\n\n/\n Outcome from `AgentScoreCore.evaluate()`. Adapters map this to framework-specific responses.\n \n - `{ kind: 'allow', data }` — the request passed the policy. `data` is present on a normal\n * allow; `undefined` when fail-open short-circuited (identity missing, API unreachable,\n * timeout, or 402 paid-tier required).\n * - When `failOpen: true` and the allow was the result of an AgentScore-side infrastructure\n * failure (429/5xx/timeout), the result also carries `degraded: true` + `infraReason` so\n * merchants can alert/log without parsing console output.\n * - `quota` propagates the SDK's per-request quota observability when the API emits the\n * `X-Quota-` headers. Optional; absent on Enterprise / unlimited tiers.\n - `{ kind: 'deny', reason }` — the request was denied. Adapters should render a 403 with the\n * reason, or invoke the caller's custom denial handler.\n /\nexport type EvaluateOutcome =\n \| { kind: 'allow'; data?: AgentScoreData; degraded?: boolean; infraReason?: FailOpenInfraReason; quota?: GateQuotaInfo }\n \| { kind: 'deny'; reason: DenialReason };\n\nexport interface CaptureWalletOptions {\n /* Operator credential (`opc_...`) that the agent authenticated with. /\n operatorToken: string;\n /* Signer wallet recovered from the payment payload. /\n walletAddress: string;\n /* Key-derivation family — `\"evm\"` for any EVM chain, `\"solana\"` for Solana. /\n network: 'evm' \| 'solana';\n /* Optional stable key for the logical payment (e.g., payment intent id, tx hash). When the\n * same key is seen again for the same (credential, wallet, network), the server no-ops —\n * prevents agent retries from inflating transaction_count. /\n idempotencyKey?: string;\n}\n\nexport interface VerifyWalletSignerMatchOptions {\n /* The wallet claimed via `X-Wallet-Address`. /\n claimedWallet: string;\n /* The signer wallet recovered from the payment credential. `null` means the rail carries\n * no wallet signer (SPT, card) — the helper returns `wallet_auth_requires_wallet_signing`. /\n signer: string \| null;\n /* Network of the signer. EVM covers every EVM chain; `solana` lives in its own namespace. /\n network?: 'evm' \| 'solana';\n}\n\nexport type VerifyWalletSignerResult =\n \| { kind: 'pass'; claimedOperator: string \| null; signerOperator: string \| null }\n \| {\n kind: 'wallet_signer_mismatch';\n claimedOperator: string \| null;\n actualSignerOperator: string \| null;\n expectedSigner: string;\n actualSigner: string;\n linkedWallets: string[];\n /* JSON-encoded action copy (action + steps + user_message). Spread into the 403 body\n * verbatim so agents get a concrete recovery path inside the denial response itself. /\n agentInstructions: string;\n }\n \| {\n kind: 'wallet_auth_requires_wallet_signing';\n claimedWallet: string;\n agentInstructions: string;\n }\n // Transient — the resolve call to /v1/assess failed or timed out. Caller should\n // retry or surface as 503. Distinct from wallet_signer_mismatch (which is an actual\n // security reject) so legitimate users don't get rejected on network flakes.\n \| { kind: 'api_error'; claimedWallet: string };\n\nexport interface AgentScoreCore {\n /\n Evaluate the request's identity against the configured policy.\n * @param identity - extracted identity (wallet address and/or operator token)\n * @param ctx - optional framework-specific context (Hono c, Express req, etc.) passed\n * through to `createSessionOnMissing` hooks. Opaque to core.\n /\n evaluate(identity: AgentIdentity \| undefined, ctx?: unknown): Promise<EvaluateOutcome>;\n /* Report a wallet seen paying under an operator credential. Fire-and-forget; silently\n * swallows non-fatal errors because capture is informational, not on the critical path. /\n captureWallet(options: CaptureWalletOptions): Promise<void>;\n /\n Verify the payment signer resolves to the same operator as the claimed `X-Wallet-Address`.\n \n Returns `pass` when the signer is linked to the same operator as the claimed wallet\n * (byte-equal wallets pass trivially; other wallets linked to the same operator also pass —\n * multi-wallet agents work without ergonomic pain). Returns `wallet_signer_mismatch` when\n * the signer resolves to a different (or no) operator. Returns `wallet_auth_requires_wallet_signing`\n * when the signer is `null` (SPT, card — rails that carry no wallet signature).\n \n Call this AFTER the gate evaluates (so the claimed wallet's operator is cached) and\n * AFTER the payment credential is parsed (so the signer is known). Merchants should call\n * it before settling payment.\n /\n verifyWalletSignerMatch(options: VerifyWalletSignerMatchOptions): Promise<VerifyWalletSignerResult>;\n}\n\n// ---------------------------------------------------------------------------\n// Internal types\n// ---------------------------------------------------------------------------\n\ninterface AssessResult {\n allow: boolean;\n decision?: string;\n reasons?: string[];\n raw?: unknown;\n // Per-signer wallet-match verdicts cached from prior verifyWalletSignerMatch() calls\n // for this same claimed wallet. Each signer gets its own slot so two payments under\n // the same claimed identity but from different signer wallets don't serve stale\n // verdicts to each other. Verdicts come from the API's `signer_match` response field\n // (populated when the assess request carried `resolve_signer`), so reading a hit\n // skips the round-trip altogether.\n signerMatchBySigner?: Map<string, Record<string, unknown>>;\n}\n\n/\n Build the cross-merchant memory hint emitted on bootstrap denials. Base URLs are\n * derived from the gate's AgentScore API base so self-hosted / staging deployments get\n * correct pointers. Contents describe the AgentScore identity substrate in transferable\n * terms; merchant-specific context lives in other `agent_instructions` fields.\n /\n// Canonical production AgentScore API — used as the authoritative source for endpoint pointers\n// emitted to agent memory regardless of how a given merchant configured their gate's baseUrl.\nconst CANONICAL_AGENTSCORE_API = 'https://api.agentscore.sh';\n\n// JSON-encoded action copy emitted on wallet-signer-match denials. Spread into 403 bodies\n// by merchants so agents get a concrete recovery path inside the denial response itself —\n// no discovery-doc round trip required.\nconst WALLET_SIGNER_MISMATCH_INSTRUCTIONS = JSON.stringify({\n action: 'resign_or_switch_to_operator_token',\n steps: [\n 'Preferred: re-submit the payment signed by expected_signer (or any entry in linked_wallets — same-operator wallets are fungible) and retry with the same X-Wallet-Address.',\n 'Alternative: drop X-Wallet-Address and retry with X-Operator-Token. Use a stored opc_... if you have one; otherwise retry this request with NO identity header — the merchant will mint a verification session in the 403 body (verify_url + poll_secret). Share verify_url with the user, poll, receive a fresh opc_...',\n ],\n user_message:\n 'The payment signer resolves to a different operator than X-Wallet-Address. Re-sign from expected_signer or any linked_wallets entry, or switch to X-Operator-Token.',\n});\n\nconst WALLET_AUTH_REQUIRES_WALLET_SIGNING_INSTRUCTIONS = JSON.stringify({\n action: 'switch_to_operator_token',\n steps: [\n 'This payment rail (Stripe SPT, card) carries no wallet signature — X-Wallet-Address cannot be verified against the payment.',\n 'Drop X-Wallet-Address and retry with X-Operator-Token. If you do not have a stored opc_..., retry with no identity header to receive a verification session.',\n ],\n user_message:\n 'Wallet-address identity is only supported on wallet-signing rails (Tempo MPP, x402). On Stripe or card, use X-Operator-Token instead.',\n});\n\n// `invalid_credential` is permanent — the token doesn't exist (typo, never minted, fabricated).\n// Distinct from `token_expired` (which carries an auto-session for one-shot recovery): the\n// API doesn't auto-mint a session here because the client may simply have a different valid\n// token to try. Agents should switch tokens or drop the header to bootstrap a session.\nconst INVALID_CREDENTIAL_INSTRUCTIONS = JSON.stringify({\n action: 'switch_token_or_restart_session',\n steps: [\n 'The X-Operator-Token you sent does not match any credential. This is a permanent state — retrying with the same token will keep failing.',\n 'If you have other stored opc_... credentials, retry with one of them.',\n 'Otherwise drop X-Operator-Token and retry with no identity header — the merchant will mint a fresh verification session in the 403 body (verify_url + poll_secret) so the user can re-verify and you can poll for a new operator_token.',\n ],\n user_message:\n 'The operator_token is not recognized. Use a different stored token, or restart the verification session flow to mint a new one.',\n});\n\nexport function buildAgentMemoryHint(): AgentMemoryHint {\n // Memory pointers always point at the canonical production API — merchants must not be\n // able to redirect the cross-merchant memory surface, since that would be a phishing\n // vector for the verify URL.\n const api = CANONICAL_AGENTSCORE_API;\n return {\n save_for_future_agentscore_gates: true,\n pattern_summary:\n 'AgentScore is a cross-merchant identity substrate for agent commerce. Any endpoint that ' +\n 'returns 403 missing_identity / identity_verification_required or 402 challenges referencing AgentScore uses ' +\n 'the same identity system. One KYC works across all AgentScore merchants — no re-verification ' +\n 'per site. Save this pattern (and the endpoints below) to persistent memory so future ' +\n 'AgentScore encounters skip the cold-start session flow.',\n quickstart: 'https://docs.agentscore.sh/guides/agent-identity',\n identity_check_endpoint: `${api}/v1/credentials`,\n identity_paths: {\n wallet:\n 'If paying from a crypto wallet you have used before on any AgentScore merchant, send ' +\n '`X-Wallet-Address: 0x...`. Shortest path; no token lifecycle to manage.',\n operator_token:\n 'For any rail (Stripe SPT, card, or a wallet you have not linked yet), send ' +\n '`X-Operator-Token: opc_...`. Reusable across merchants until the token expires.',\n },\n bootstrap:\n 'If you have neither a linked wallet nor a valid operator_token, follow the session/verify ' +\n 'flow in the per-request `agent_instructions` block. This happens at most once per agent ' +\n 'identity — after first verification, the operator_token and any subsequently used wallet ' +\n 'are reusable everywhere.',\n do_not_persist_in_memory: ['operator_token', 'poll_secret'],\n persist_in_credential_store: ['operator_token'],\n };\n}\n\n// ---------------------------------------------------------------------------\n// Core factory\n// ---------------------------------------------------------------------------\n\nexport function createAgentScoreCore(options: AgentScoreCoreOptions): AgentScoreCore {\n if (!options.apiKey) {\n throw new Error('AgentScore API key is required. Get one at https://agentscore.sh/sign-up');\n }\n\n const {\n apiKey,\n requireKyc,\n requireSanctionsClear,\n minAge,\n blockedJurisdictions,\n allowedJurisdictions,\n failOpen = false,\n cacheSeconds = 300,\n baseUrl: rawBaseUrl = 'https://api.agentscore.sh',\n chain: gateChain,\n userAgent,\n createSessionOnMissing,\n } = options;\n\n const baseUrl = stripTrailingSlashes(rawBaseUrl);\n const agentMemoryHint = buildAgentMemoryHint();\n\n const defaultUa = `@agent-score/commerce@${__VERSION__}`;\n const userAgentHeader = userAgent ? `${userAgent} (${defaultUa})` : defaultUa;\n\n // Single shared SDK instance for every API call this gate makes (assess, sessions,\n // credentials/wallets, telemetry). Connection pooling + typed-error classification +\n // X-Quota- header capture all flow through here. The SDK owns the transport layer\n // (timeouts, retry-on-429); the gate adds policy semantics on top. Pass the\n // merchant-prefixed UA — SDK appends its own default to produce a chain like\n // `<merchant-app> (@agent-score/commerce@<v>) (@agent-score/sdk@<v>)`.\n const sdk = new AgentScore({ apiKey, baseUrl, userAgent: userAgentHeader });\n\n // createSessionOnMissing can carry its own apiKey + baseUrl (merchants sometimes wire\n // a session-only key for this hook). Lazily build a separate SDK instance keyed on\n // (apiKey, baseUrl) so we don't construct a new client per request.\n const sessionSdkCache = new Map<string, AgentScore>();\n function getSessionSdk(sessionApiKey: string, sessionBaseUrl?: string): AgentScore {\n const key = `${sessionApiKey}\|${sessionBaseUrl ?? ''}`;\n let s = sessionSdkCache.get(key);\n if (!s) {\n s = new AgentScore({\n apiKey: sessionApiKey,\n baseUrl: sessionBaseUrl ?? baseUrl,\n userAgent: userAgentHeader,\n });\n sessionSdkCache.set(key, s);\n }\n return s;\n }\n\n const cache = new TTLCache<AssessResult>(cacheSeconds * 1000);\n\n // Mint a verification session via /v1/sessions and return the resulting\n // identity_verification_required DenialReason — or undefined if the mint failed (network\n // error, non-2xx, missing fields). Used for both the missing-identity path and the\n // fixable-wallet bootstrap path: in both cases the UX is identical (agent polls the\n // returned poll_url until it gets a fresh opc_... and retries).\n async function tryMintSessionDenial(ctx: unknown): Promise<DenialReason \| undefined> {\n if (!createSessionOnMissing) return undefined;\n try {\n const sessionBody: { context?: string; product_name?: string } = {};\n if (createSessionOnMissing.context != null) sessionBody.context = createSessionOnMissing.context;\n if (createSessionOnMissing.productName != null) sessionBody.product_name = createSessionOnMissing.productName;\n\n if (createSessionOnMissing.getSessionOptions && ctx !== undefined) {\n try {\n const dynamic = await createSessionOnMissing.getSessionOptions(ctx);\n if (dynamic?.context != null) sessionBody.context = dynamic.context;\n if (dynamic?.productName != null) sessionBody.product_name = dynamic.productName;\n } catch (err) {\n console.warn('[gate] createSessionOnMissing.getSessionOptions hook failed:', err instanceof Error ? err.message : err);\n }\n }\n\n // createSessionOnMissing.apiKey may differ from the gate's apiKey (e.g. merchant\n // wires a session-only key for this hook). Build a per-config SDK lazily.\n const sessionSdk = getSessionSdk(createSessionOnMissing.apiKey, createSessionOnMissing.baseUrl);\n const data = (await sessionSdk.createSession({\n ...(sessionBody.context !== undefined ? { context: sessionBody.context } : {}),\n ...(sessionBody.product_name !== undefined ? { product_name: sessionBody.product_name } : {}),\n })) as unknown as Record<string, unknown>;\n\n // Validate required fields before trusting the response. A misbehaving (or mocked-wrong)\n // API could 200 without session_id/poll_secret/verify_url, which would propagate\n // `undefined` into the 403 body and leave the agent stuck — treat as session-create\n // failure and fall back to the caller's bare denial.\n if (\n typeof data.session_id !== 'string' \|\|\n typeof data.poll_secret !== 'string' \|\|\n typeof data.verify_url !== 'string'\n ) {\n console.warn('[gate] /v1/sessions returned 200 without required fields — falling back to bare denial');\n return undefined;\n }\n\n // Run onBeforeSession side-effect hook. Errors are swallowed — a failing DB write\n // (e.g. can't insert pending order) should not block the 403.\n let extra: Record<string, unknown> \| undefined;\n if (createSessionOnMissing.onBeforeSession && ctx !== undefined) {\n try {\n const sessionMeta = {\n session_id: data.session_id as string,\n verify_url: data.verify_url as string,\n poll_secret: data.poll_secret as string,\n poll_url: data.poll_url as string,\n expires_at: data.expires_at as string \| undefined,\n };\n const result = await createSessionOnMissing.onBeforeSession(ctx, sessionMeta);\n if (result && typeof result === 'object') extra = result;\n } catch (err) {\n console.warn('[gate] createSessionOnMissing.onBeforeSession hook failed:', err instanceof Error ? err.message : err);\n }\n }\n\n // The API emits `next_steps` (structured object) on /v1/sessions success. Stringify it\n // into the gate's `agent_instructions` contract so merchants get the same JSON-encoded\n // {action, steps, user_message} envelope as every other gate-emitted denial.\n const apiNextSteps = data.next_steps as Record<string, unknown> \| undefined;\n return {\n code: 'identity_verification_required',\n verify_url: data.verify_url as string,\n session_id: data.session_id as string,\n poll_secret: data.poll_secret as string,\n poll_url: data.poll_url as string \| undefined,\n agent_instructions: apiNextSteps ? JSON.stringify(apiNextSteps) : undefined,\n agent_memory: agentMemoryHint,\n ...(extra && { extra }),\n };\n } catch (err) {\n // Session-mint failed (network, /v1/sessions returned non-2xx, body parse error,\n // onBeforeSession threw inside the inner try). Caller falls back to a bare denial —\n // agents still get a 403 with a probe-strategy hint. Log loudly so a persistent\n // /v1/sessions outage isn't masked.\n console.warn('[gate] createSessionOnMissing path failed — falling back to bare denial:', err instanceof Error ? err.message : err);\n return undefined;\n }\n }\n\n async function evaluate(identity: AgentIdentity \| undefined, ctx?: unknown): Promise<EvaluateOutcome> {\n // Treat \"returned identity object with no usable fields\" the same as \"no identity at all\" —\n // otherwise a misbehaving custom extractIdentity would send an empty body to /v1/assess.\n if (!identity \|\| (!identity.address && !identity.operatorToken)) {\n // failOpen short-circuits BEFORE the session mint. This branch isn't an infra failure\n // (no AgentScore call has been made yet) so we don't mark the gate state as degraded —\n // missing identity + failOpen is the explicit opt-in pass-through behavior, not a\n // graceful-degradation event. Merchants who need identity-or-deny on a failOpen gate\n // should add a guard at the handler that checks for X-Wallet-Address / X-Operator-Token\n // before reading the gate state.\n if (failOpen) return { kind: 'allow' };\n\n const sessionReason = await tryMintSessionDenial(ctx);\n if (sessionReason) return { kind: 'deny', reason: sessionReason };\n\n // Bare missing-identity denial (no session was auto-created). Describe the probe\n // strategy so agents without memory can recover: try wallet first on signing rails,\n // fall back to stored opc_..., fall back to session flow (noting that only\n // auto-session merchants return verify_url + poll data on the retry).\n const missingIdentityInstructions = JSON.stringify({\n action: 'probe_identity_then_session',\n steps: [\n 'If you have a wallet AND this merchant accepts a wallet-signing rail (Tempo MPP or x402 — see openapi.json x-payment-info): send X-Wallet-Address and retry. If the wallet is already linked to an AgentScore operator (via prior SIWE claim or prior captureWallet), this passes in one round trip. If the wallet is unlinked or the account has no KYC, the 403 will include a verify_url — share it with the user to claim the wallet + complete KYC, then retry.',\n 'If step 1 is denied or you already have a stored operator_token (valid + not expired): send X-Operator-Token: opc_... and retry.',\n 'If neither applies: retry with NO identity header. Merchants that auto-create verification sessions (most AgentScore merchants do) return verify_url + session_id + poll_secret in the 403 body — share verify_url with the user, then poll poll_url every 5s with the X-Poll-Secret header until status=verified (the poll returns a one-time operator_token). If the retry returns the same bare 403, this merchant does not support self-service session bootstrapping — direct the user to https://agentscore.sh/sign-up to create an AgentScore identity and mint an operator_token from their dashboard (https://agentscore.sh/dashboard/verify). The user hands the opc_... to you, and you retry with X-Operator-Token.',\n ],\n user_message:\n 'Try X-Wallet-Address first if you have a wallet and the merchant accepts Tempo/x402; fall back to a stored X-Operator-Token, then to the session/verify flow described in agent_memory.bootstrap.',\n });\n return {\n kind: 'deny',\n reason: {\n code: 'missing_identity',\n agent_instructions: missingIdentityInstructions,\n agent_memory: agentMemoryHint,\n },\n };\n }\n\n // operator_token is opaque + ASCII-only — lowercasing is safe. Wallet addresses go\n // through normalizeAddress because Solana base58 is case-sensitive and lowercasing\n // would corrupt the cache key (a Solana cache miss every time, plus collision risk\n // with mixed-case variants of the same operator).\n const cacheKey = identity.operatorToken?.toLowerCase() ?? (identity.address ? normalizeAddress(identity.address) : '');\n\n const cached = cache.get(cacheKey);\n if (cached) {\n if (cached.allow) {\n const cachedRaw = cached.raw as Record<string, unknown> \| undefined;\n const cachedQuota = cachedRaw?.quota as GateQuotaInfo \| undefined;\n return {\n kind: 'allow',\n data: cachedRaw as unknown as AgentScoreData,\n ...(cachedQuota !== undefined && { quota: cachedQuota }),\n };\n }\n // Fixable compliance denials (kyc_required, kyc_pending, kyc_failed) get the\n // same UX as missing_identity: mint a fresh verification session, agent polls\n // until status=verified, gets a fresh opc_..., retries. Unfixable reasons\n // (sanctions_flagged, age_insufficient, jurisdiction_restricted) keep the bare\n // wallet_not_trusted denial. `jurisdiction_restricted` is unfixable: the API\n // only emits it after KYC is verified (the user's KYC'd country is in the\n // blocked list — re-doing KYC won't change the country).\n if (isFixableDenial(cached.reasons)) {\n const sessionReason = await tryMintSessionDenial(ctx);\n if (sessionReason) return { kind: 'deny', reason: sessionReason };\n }\n return {\n kind: 'deny',\n reason: {\n code: 'wallet_not_trusted',\n decision: cached.decision,\n reasons: cached.reasons,\n verify_url: (cached.raw as Record<string, unknown> \| undefined)?.verify_url as string \| undefined,\n data: cached.raw as AgentScoreData \| undefined,\n },\n };\n }\n\n const policy: Record<string, unknown> = {};\n if (requireKyc != null) policy.require_kyc = requireKyc;\n if (requireSanctionsClear != null) policy.require_sanctions_clear = requireSanctionsClear;\n if (minAge != null) policy.min_age = minAge;\n if (blockedJurisdictions != null) policy.blocked_jurisdictions = blockedJurisdictions;\n if (allowedJurisdictions != null) policy.allowed_jurisdictions = allowedJurisdictions;\n\n let data: Record<string, unknown>;\n try {\n // Single SDK call: typed-error subclasses (PaymentRequiredError / TokenExpiredError /\n // InvalidCredentialError / QuotaExceededError / TimeoutError) flow through the\n // catch below; success path captures `quota` from X-Quota-* headers automatically.\n const opts = {\n chain: gateChain,\n ...(Object.keys(policy).length > 0 ? { policy: policy as never } : {}),\n };\n // SDK has two overloads — narrow by which identity is set so TS picks the right one.\n const result = identity.address\n ? await sdk.assess(identity.address, { ...opts, operatorToken: identity.operatorToken })\n : await sdk.assess(null, { ...opts, operatorToken: identity.operatorToken! });\n data = result as unknown as Record<string, unknown>;\n } catch (err) {\n if (err instanceof PaymentRequiredError) {\n if (failOpen) return { kind: 'allow' };\n return { kind: 'deny', reason: { code: 'payment_required' } };\n }\n if (err instanceof TokenExpiredError) {\n // SDK extracts the auto-minted session fields onto the error instance — no body\n // re-parsing needed here.\n return {\n kind: 'deny',\n reason: {\n code: 'token_expired',\n data: err.details as unknown as AgentScoreData,\n ...(err.verifyUrl ? { verify_url: err.verifyUrl } : {}),\n ...(err.sessionId ? { session_id: err.sessionId } : {}),\n ...(err.pollSecret ? { poll_secret: err.pollSecret } : {}),\n ...(err.pollUrl ? { poll_url: err.pollUrl } : {}),\n ...(err.nextSteps ? { agent_instructions: JSON.stringify(err.nextSteps) } : {}),\n ...(err.agentMemory ? { agent_memory: err.agentMemory as AgentMemoryHint } : {}),\n },\n };\n }\n if (err instanceof InvalidCredentialError) {\n // Permanent — no auto-session, agent should switch tokens or restart.\n return {\n kind: 'deny',\n reason: {\n code: 'invalid_credential',\n agent_instructions: INVALID_CREDENTIAL_INSTRUCTIONS,\n agent_memory: agentMemoryHint,\n },\n };\n }\n if (err instanceof QuotaExceededError) {\n console.warn('[gate] /v1/assess returned 429 quota_exceeded');\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'quota_exceeded' };\n return {\n kind: 'deny',\n reason: { code: 'api_error', agent_instructions: QUOTA_EXCEEDED_INSTRUCTIONS },\n };\n }\n if (err instanceof SdkTimeoutError) {\n console.warn('[gate] /v1/assess timed out:', err.message);\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'network_timeout' };\n return { kind: 'deny', reason: { code: 'api_error' } };\n }\n // Status-based fallbacks for AgentScoreError instances the SDK couldn't classify\n // into a typed subclass (e.g. 429 with body that lacked error.code, or a fetch\n // rejection whose .name doesn't match AbortError but whose status code is set).\n // The real API always emits error.code on 429, so this is purely defensive.\n const status = (err as { status?: number } \| null)?.status;\n const errName = err instanceof Error ? err.name : '';\n if (status === 429) {\n console.warn('[gate] /v1/assess returned 429 (untyped — defensive)');\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'quota_exceeded' };\n return {\n kind: 'deny',\n reason: { code: 'api_error', agent_instructions: QUOTA_EXCEEDED_INSTRUCTIONS },\n };\n }\n if (errName === 'TimeoutError' \|\| errName === 'AbortError') {\n console.warn('[gate] /v1/assess timed out (by Error.name):', err instanceof Error ? err.message : err);\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'network_timeout' };\n return { kind: 'deny', reason: { code: 'api_error' } };\n }\n // Generic AgentScoreError (rate_limited, 5xx, network_error, body parse, unknown 4xx)\n // or any non-AgentScoreError unexpected throw — surface as api_error.\n // Include the SDK-classified error code (when available) so ops/dev see\n // schema-drift cases like a new 401 error.code rather than a silent 503.\n const errCode = (err as { code?: string } \| null)?.code;\n const msg = err instanceof Error ? err.message : String(err);\n const detail = errCode ? `${errCode}: ${msg}` : msg;\n console.warn(`[gate] /v1/assess call failed — surfacing as api_error: ${detail}`);\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'api_error' };\n return { kind: 'deny', reason: { code: 'api_error' } };\n }\n\n const decision = data.decision as string \| null \| undefined;\n const decisionReasons = (data.decision_reasons as string[]) ?? [];\n const allow = decision === 'allow' \|\| decision == null;\n\n cache.set(cacheKey, { allow, decision: decision ?? undefined, reasons: decisionReasons, raw: data });\n\n if (allow) {\n // SDK populates `quota` on the assess response from X-Quota-* headers when the\n // API emits them. Surface up to the adapter so merchants can monitor approach-to-cap.\n const quota = data.quota as GateQuotaInfo \| undefined;\n return {\n kind: 'allow',\n data: data as unknown as AgentScoreData,\n ...(quota !== undefined && { quota }),\n };\n }\n\n // Fixable compliance denials (kyc_required, kyc_pending, kyc_failed) get the\n // same UX as missing_identity: mint a fresh verification session, agent polls\n // until status=verified, gets a fresh opc_..., retries. Unfixable reasons\n // (sanctions_flagged, age_insufficient, jurisdiction_restricted) keep the bare\n // wallet_not_trusted denial. `jurisdiction_restricted` is unfixable: the API\n // only emits it after KYC is verified (the user's KYC'd country is in the\n // blocked list — re-doing KYC won't change the country).\n if (isFixableDenial(decisionReasons)) {\n const sessionReason = await tryMintSessionDenial(ctx);\n if (sessionReason) return { kind: 'deny', reason: sessionReason };\n }\n\n return {\n kind: 'deny',\n reason: {\n code: 'wallet_not_trusted',\n decision: decision ?? undefined,\n reasons: decisionReasons,\n verify_url: data.verify_url as string \| undefined,\n data: data as unknown as AgentScoreData,\n },\n };\n }\n\n async function captureWallet(options: CaptureWalletOptions): Promise<void> {\n try {\n await sdk.associateWallet({\n operatorToken: options.operatorToken,\n walletAddress: options.walletAddress,\n network: options.network,\n ...(options.idempotencyKey ? { idempotencyKey: options.idempotencyKey } : {}),\n });\n } catch (err) {\n // Fire-and-forget: don't throw. Log so a persistent capture outage is visible\n // to merchant ops — otherwise wallet↔operator linkage silently stops.\n console.warn('[agentscore-commerce] captureWallet failed:', err instanceof Error ? err.message : err);\n }\n }\n\n /*\n Resolve a wallet to its operator id via /v1/assess.\n \n Returns:\n * - `{ ok: true, operator: <id> }` — wallet is linked to that operator\n * - `{ ok: true, operator: null }` — wallet is valid but not linked to any operator\n * - `{ ok: false }` — the API call failed (network, timeout, non-2xx). Distinguishable so\n * callers can emit `api_error` instead of falsely asserting \"no operator linked\".\n \n Checks the main evaluate() cache before making a fresh call — if the gate already\n * resolved this wallet during identity evaluation, we have the resolved_operator already.\n /\n async function resolveWalletToOperator(\n walletAddress: string,\n ): Promise<{ ok: true; operator: string \| null; linkedWallets: string[] } \| { ok: false }> {\n // Network-aware: lowercases EVM, preserves Solana base58 case. The DB stores both\n // formats verbatim in operator_credential_wallets.wallet_address; lowercasing a\n // Solana address would never match.\n const wallet = normalizeAddress(walletAddress);\n\n // Cache lookup — first the plain cache (populated by evaluate() for identity-headered wallets).\n // Saves a second /v1/assess call when the gate already looked up this wallet.\n const extractFromCached = (raw: Record<string, unknown>): { operator: string \| null; linkedWallets: string[] } => {\n const op = raw.resolved_operator;\n const links = raw.linked_wallets;\n return {\n operator: typeof op === 'string' ? op : null,\n linkedWallets: Array.isArray(links) ? (links as unknown[]).filter((w): w is string => typeof w === 'string') : [],\n };\n };\n\n const plainCached = cache.get(wallet);\n if (plainCached?.raw) {\n return { ok: true, ...extractFromCached(plainCached.raw as Record<string, unknown>) };\n }\n const resolveCached = cache.get(`resolve:${wallet}`);\n if (resolveCached?.raw) {\n return { ok: true, ...extractFromCached(resolveCached.raw as Record<string, unknown>) };\n }\n\n try {\n const data = (await sdk.assess(walletAddress)) as unknown as Record<string, unknown>;\n cache.set(`resolve:${wallet}`, { allow: true, raw: data });\n return { ok: true, ...extractFromCached(data) };\n } catch (err) {\n // Network/timeout/parse on the wallet→operator resolve path. Caller maps\n // `{ok:false}` to `wallet_signer_mismatch.kind === 'api_error'`, which already\n // surfaces as 503 — but log here too so multi-wallet match failures aren't\n // silently indistinguishable from \"operator simply has no linked wallet\".\n console.warn('[gate] resolveWalletToOperator failed — returning { ok:false }:', err instanceof Error ? err.message : err);\n return { ok: false };\n }\n }\n\n function reportSignerEvent(kind: 'pass' \| 'wallet_signer_mismatch' \| 'wallet_auth_requires_wallet_signing' \| 'api_error'): void {\n // Fire-and-forget: surfaces mismatch-catch rate + api_error SLO on the dashboard.\n // SDK's telemetrySignerMatch already does the catch + warn-log internally; this\n // call must not affect the gate's decision so we don't await.\n void sdk.telemetrySignerMatch({ kind });\n }\n\n // Project the API's signer_match block onto the gate's VerifyWalletSignerResult shape.\n // The API authors agent_instructions, claimed/signer operators, and the linked-wallet\n // set (deny-guarded server-side); the gate just shapes those fields into camelCase.\n function projectSignerMatch(\n sm: Record<string, unknown>,\n claimedNorm: string,\n signerNorm: string,\n ): VerifyWalletSignerResult {\n const kind = sm.kind as string;\n if (kind === 'pass') {\n return {\n kind: 'pass',\n claimedOperator: (sm.claimed_operator as string \| null \| undefined) ?? null,\n signerOperator: (sm.signer_operator as string \| null \| undefined) ?? null,\n };\n }\n if (kind === 'wallet_auth_requires_wallet_signing') {\n return {\n kind: 'wallet_auth_requires_wallet_signing',\n claimedWallet: (sm.claimed_wallet as string \| undefined) ?? claimedNorm,\n agentInstructions:\n (sm.agent_instructions as string \| undefined) ?? WALLET_AUTH_REQUIRES_WALLET_SIGNING_INSTRUCTIONS,\n };\n }\n // Default: wallet_signer_mismatch\n const linked = sm.linked_wallets;\n return {\n kind: 'wallet_signer_mismatch',\n claimedOperator: (sm.claimed_operator as string \| null \| undefined) ?? null,\n actualSignerOperator: (sm.signer_operator as string \| null \| undefined) ?? null,\n expectedSigner: (sm.expected_signer as string \| undefined) ?? claimedNorm,\n actualSigner: (sm.actual_signer as string \| undefined) ?? signerNorm,\n linkedWallets: Array.isArray(linked)\n ? (linked as unknown[]).filter((w): w is string => typeof w === 'string')\n : [],\n agentInstructions:\n (sm.agent_instructions as string \| undefined) ?? WALLET_SIGNER_MISMATCH_INSTRUCTIONS,\n };\n }\n\n async function verifyWalletSignerMatch(\n options: VerifyWalletSignerMatchOptions,\n ): Promise<VerifyWalletSignerResult> {\n const { claimedWallet, signer, network } = options;\n\n if (!signer) {\n reportSignerEvent('wallet_auth_requires_wallet_signing');\n return {\n kind: 'wallet_auth_requires_wallet_signing',\n claimedWallet,\n agentInstructions: WALLET_AUTH_REQUIRES_WALLET_SIGNING_INSTRUCTIONS,\n };\n }\n\n // Network-aware normalization: lowercase EVM, preserve Solana base58. The byte-equal\n // short-circuit and downstream cache-key derivation MUST match how the DB stores\n // wallets; lowercasing Solana would corrupt both.\n const claimedNorm = normalizeAddress(claimedWallet);\n const signerNorm = normalizeAddress(signer);\n\n // Byte-equal short-circuit — no API lookup; same wallet ≡ same operator by definition.\n if (claimedNorm === signerNorm) {\n reportSignerEvent('pass');\n return { kind: 'pass', claimedOperator: null, signerOperator: null };\n }\n\n // Cache hit — a prior call for this same (claimed, signer) pair already populated\n // signer_match. Skip the round trip + telemetry post (the API recorded it the first\n // time). Subsequent same-pair payments cost zero outbound assess calls.\n const cachedEntry = cache.get(claimedNorm);\n const cachedMatch = cachedEntry?.signerMatchBySigner?.get(signerNorm);\n if (cachedMatch) {\n return projectSignerMatch(cachedMatch, claimedNorm, signerNorm);\n }\n\n // Single fresh assess call carrying resolve_signer. Server-side resolves both wallets\n // against the operator graph and returns a signer_match verdict in the response —\n // collapses the legacy 2 follow-up calls (one per wallet) into one round trip.\n const inferredNetwork: 'evm' \| 'solana' = network ?? (signerNorm.startsWith('0x') ? 'evm' : 'solana');\n let assessResponse: { signer_match?: Record<string, unknown> } & Record<string, unknown>;\n try {\n assessResponse = (await sdk.assess(claimedNorm, {\n resolveSigner: { address: signerNorm, network: inferredNetwork },\n })) as unknown as { signer_match?: Record<string, unknown> } & Record<string, unknown>;\n } catch (err) {\n console.warn('[gate] verifyWalletSignerMatch assess failed:', err instanceof Error ? err.message : err);\n reportSignerEvent('api_error');\n return { kind: 'api_error', claimedWallet: claimedNorm };\n }\n\n const signerMatch = assessResponse.signer_match;\n if (signerMatch && typeof signerMatch === 'object') {\n // Cache for repeat same-pair lookups. Server-side already recorded telemetry for\n // this verdict, so skip the SDK-side reportSignerEvent — avoids double-counting.\n if (cachedEntry) {\n // Mutate the existing entry in place — TTLCache.get() returns a reference, so the\n // store's record sees the new sub-map without a `set()` call. This preserves the\n // gate's original cache TTL window (set() would reset it forward, causing the\n // gate verdict to be served past its intended freshness horizon).\n const map = cachedEntry.signerMatchBySigner ?? new Map<string, Record<string, unknown>>();\n map.set(signerNorm, signerMatch);\n cachedEntry.signerMatchBySigner = map;\n } else {\n // No prior gate cache for this wallet — create a fresh entry with the verdict\n // attached so a subsequent same-pair call hits cache.\n const entry: AssessResult = { allow: true, raw: assessResponse };\n entry.signerMatchBySigner = new Map([[signerNorm, signerMatch]]);\n cache.set(claimedNorm, entry);\n }\n return projectSignerMatch(signerMatch, claimedNorm, signerNorm);\n }\n\n // API response had no signer_match (server didn't compute one). Fall back to the\n // 2-resolve path so the gate still produces a verdict.\n const [claimedResolve, signerResolve] = await Promise.all([\n resolveWalletToOperator(claimedNorm),\n resolveWalletToOperator(signerNorm),\n ]);\n\n if (!claimedResolve.ok \|\| !signerResolve.ok) {\n reportSignerEvent('api_error');\n return { kind: 'api_error', claimedWallet: claimedNorm };\n }\n\n const claimedOperator = claimedResolve.operator;\n const signerOperator = signerResolve.operator;\n\n if (claimedOperator && signerOperator && claimedOperator === signerOperator) {\n reportSignerEvent('pass');\n return { kind: 'pass', claimedOperator, signerOperator };\n }\n\n reportSignerEvent('wallet_signer_mismatch');\n return {\n kind: 'wallet_signer_mismatch',\n claimedOperator,\n actualSignerOperator: signerOperator,\n expectedSigner: claimedNorm,\n actualSigner: signerNorm,\n linkedWallets: claimedResolve.linkedWallets,\n agentInstructions: WALLET_SIGNER_MISMATCH_INSTRUCTIONS,\n };\n }\n\n return { evaluate, captureWallet, verifyWalletSignerMatch };\n}\n","/\n Shared DenialReason → response body serialization for all adapters.\n \n Keeps Hono / Express / Fastify / Web / Next.js defaults aligned — a field added\n * here shows up in every adapter's 403 body automatically, and there's one place\n * to test the marshaling.\n \n Body shape: `{ error: { code, message }, ... }` — matches the canonical AgentScore\n * core API response shape (`core/api/src/lib/auth.ts`, `lib/rate-limit.ts`, etc.) and\n * martin-estate's pre-commerce shape, so downstream agents see one consistent\n * `error.code` + `error.message` pair regardless of which layer produced the denial.\n /\n\nimport type { DenialCode, DenialReason } from './core.js';\n\n/\n JSON-encoded canonical agent_instructions per denial code. Auto-injected by\n * `denialReasonToBody` when the gate produces a DenialReason without explicit\n * `agent_instructions` so every denial carries a machine-readable next step.\n \n Codes covered:\n * - `wallet_not_trusted` — gate never stamps instructions today (the original gap)\n * - `payment_required` — gate never stamps; merchant tier misconfig, contact-merchant action\n * - `identity_verification_required` — fallback when API didn't return next_steps\n * - `token_expired` — fallback when API didn't return next_steps\n * - `api_error` — `retry_with_backoff` envelope; sole retry channel (no separate\n * next_steps block emitted)\n \n Codes already stamped explicitly upstream in core.ts (`missing_identity`,\n * `invalid_credential`) and codes that don't go through DenialReason\n * (`wallet_signer_mismatch`, `wallet_auth_requires_wallet_signing` — handled by\n * `verifyWalletSignerMatch` result type) are not in this map.\n /\nconst WALLET_NOT_TRUSTED_INSTRUCTIONS = JSON.stringify({\n action: 'contact_support',\n steps: [\n 'The wallet\\'s operator failed an UNFIXABLE compliance check (sanctions, age, or jurisdiction). `reasons` lists which: `sanctions_flagged` / `age_insufficient` / `jurisdiction_restricted`. KYC re-verification won\\'t change the outcome — the policy denial is structural.',\n 'Surface the denial to the user with the merchant\\'s support contact. Do not retry the same merchant request; do not hand the user a verify_url (verification won\\'t fix this code path).',\n 'Fixable compliance reasons (`kyc_required`, `kyc_pending`, `kyc_failed`) do NOT land on this code — the gate auto-mints a verification session for those and returns `identity_verification_required` with poll endpoints, same shape as `missing_identity`. `jurisdiction_restricted` IS in the unfixable bucket because the API only emits it after KYC is verified (the user\\'s KYC\\'d country is in the blocked list — re-doing KYC won\\'t change the country).',\n ],\n user_message:\n 'This purchase is denied by the merchant\\'s compliance policy and cannot be resolved by re-verifying. Contact the merchant\\'s support if you believe this is in error.',\n});\n\nconst PAYMENT_REQUIRED_INSTRUCTIONS = JSON.stringify({\n action: 'contact_merchant',\n steps: [\n 'The merchant\\'s AgentScore account does not have the assess endpoint enabled, so agent identity cannot be evaluated. This is a merchant-side configuration gap — there is no agent-side recovery.',\n 'Contact the merchant (their support channel — typically listed in /llms.txt or the OpenAPI servers metadata) so they can resolve the configuration on their side.',\n ],\n user_message:\n 'This merchant\\'s identity gate is misconfigured. Contact the merchant — there\\'s nothing to fix on the agent side.',\n});\n\nconst IDENTITY_VERIFICATION_REQUIRED_FALLBACK_INSTRUCTIONS = JSON.stringify({\n action: 'deliver_verify_url_and_poll',\n steps: [\n 'Share verify_url with the user — they complete identity verification on AgentScore.',\n 'If session_id + poll_secret are present in the body, poll poll_url every 5 seconds with header `X-Poll-Secret: <poll_secret>` until status=verified. The poll returns a one-time operator_token.',\n 'Retry the original request with header `X-Operator-Token: <opc_...>`.',\n ],\n user_message:\n 'Identity verification is required. Visit verify_url, then poll poll_url for the operator token and retry.',\n});\n\nconst API_ERROR_INSTRUCTIONS = JSON.stringify({\n action: 'retry_with_backoff',\n steps: [\n 'Verification is temporarily unavailable. Retry the request after 5–30 seconds with exponential backoff.',\n 'This is NOT a compliance denial — the user does not need to re-verify their identity. Send the same identity headers (X-Wallet-Address or X-Operator-Token) on retry.',\n 'If the request continues to fail after 3+ retries (~60 seconds total), surface the error to the user with the merchant\\'s support contact.',\n ],\n user_message:\n 'Verification is temporarily unavailable. Please try again in a moment — this is a transient issue, not a problem with your account.',\n});\n\nexport const QUOTA_EXCEEDED_INSTRUCTIONS = JSON.stringify({\n action: 'contact_merchant',\n steps: [\n 'AgentScore identity verification is unavailable for this merchant. This is a merchant-side issue and is NOT recoverable via retry.',\n 'Do not retry: the same 503 will be returned until the merchant resolves the issue on their side.',\n 'Surface to the user with the merchant\\'s support contact. The merchant (not the agent) needs to act.',\n ],\n user_message:\n 'This merchant\\'s identity verification is temporarily unavailable. Try again later, or contact the merchant directly.',\n});\n\nconst TOKEN_EXPIRED_FALLBACK_INSTRUCTIONS = JSON.stringify({\n action: 'deliver_verify_url_and_poll',\n steps: [\n 'The operator token is expired or revoked. AgentScore auto-mints a fresh verification session — complete it to receive a new opc_...',\n 'Share verify_url with the user, then poll poll_url every 5 seconds with header `X-Poll-Secret: <poll_secret>` until status=verified. The poll returns a fresh one-time operator_token.',\n 'Retry the original request with header `X-Operator-Token: <new_opc_...>`.',\n ],\n user_message:\n 'Operator token is expired or revoked. A new verification session has been minted — visit verify_url to refresh.',\n});\n\nconst DEFAULT_AGENT_INSTRUCTIONS: Partial<Record<DenialCode, string>> = {\n api_error: API_ERROR_INSTRUCTIONS,\n wallet_not_trusted: WALLET_NOT_TRUSTED_INSTRUCTIONS,\n payment_required: PAYMENT_REQUIRED_INSTRUCTIONS,\n identity_verification_required: IDENTITY_VERIFICATION_REQUIRED_FALLBACK_INSTRUCTIONS,\n token_expired: TOKEN_EXPIRED_FALLBACK_INSTRUCTIONS,\n};\n\nconst DEFAULT_MESSAGES: Record<DenialCode, string> = {\n missing_identity:\n 'No identity provided. Send X-Wallet-Address (wallet) or X-Operator-Token (credential).',\n identity_verification_required:\n 'Identity verification is required to access this resource. Visit verify_url to complete KYC.',\n wallet_not_trusted:\n 'The wallet does not meet the merchant compliance policy.',\n api_error:\n 'AgentScore is unreachable. This is transient — retry in a few seconds.',\n payment_required:\n 'Assess endpoint not enabled for this merchant. Contact support.',\n wallet_signer_mismatch:\n 'Payment signer does not match the wallet claimed via X-Wallet-Address. The signer and the claimed wallet must both resolve to the same AgentScore operator.',\n wallet_auth_requires_wallet_signing:\n 'X-Wallet-Address was sent with a rail that has no wallet signature (Stripe SPT / card). Switch to X-Operator-Token, or use a wallet-signing rail (Tempo MPP, x402).',\n token_expired:\n 'The operator token is expired or revoked. A fresh verification session has been minted — visit verify_url to mint a new token.',\n invalid_credential:\n 'The operator token is not recognized. Switch to a different stored token, or drop the header to bootstrap a fresh session.',\n};\n\n// Field names the gate claims authority over. Merchant-provided `extra` (from the\n// onBeforeSession hook) MUST NOT override these — a buggy or malicious hook could\n// otherwise replace `verify_url` with a phishing URL or drop agent_instructions.\nconst RESERVED_FIELDS = new Set([\n 'error',\n 'decision',\n 'reasons',\n 'verify_url',\n 'session_id',\n 'poll_secret',\n 'poll_url',\n 'agent_instructions',\n 'agent_memory',\n 'claimed_operator',\n 'actual_signer_operator',\n 'expected_signer',\n 'actual_signer',\n 'linked_wallets',\n]);\n\nexport function denialReasonToBody(reason: DenialReason): Record<string, unknown> {\n const message = reason.message ?? DEFAULT_MESSAGES[reason.code];\n const body: Record<string, unknown> = { error: { code: reason.code, message } };\n if (reason.decision) body.decision = reason.decision;\n if (reason.reasons) body.reasons = reason.reasons;\n if (reason.verify_url) body.verify_url = reason.verify_url;\n if (reason.session_id) body.session_id = reason.session_id;\n if (reason.poll_secret) body.poll_secret = reason.poll_secret;\n if (reason.poll_url) body.poll_url = reason.poll_url;\n const instructions = reason.agent_instructions ?? DEFAULT_AGENT_INSTRUCTIONS[reason.code];\n if (instructions) body.agent_instructions = instructions;\n if (reason.agent_memory) body.agent_memory = reason.agent_memory;\n if (reason.claimed_operator) body.claimed_operator = reason.claimed_operator;\n if (reason.code === 'wallet_signer_mismatch') body.actual_signer_operator = reason.actual_signer_operator ?? null;\n if (reason.expected_signer) body.expected_signer = reason.expected_signer;\n if (reason.actual_signer) body.actual_signer = reason.actual_signer;\n if (reason.linked_wallets && reason.linked_wallets.length > 0) body.linked_wallets = reason.linked_wallets;\n if (reason.extra) {\n for (const [key, value] of Object.entries(reason.extra)) {\n if (RESERVED_FIELDS.has(key)) {\n console.warn(`[gate] onBeforeSession returned reserved field \"${key}\" — ignoring to preserve gate authority`);\n continue;\n }\n body[key] = value;\n }\n }\n return body;\n}\n","/\n Helpers for emitting the cross-merchant `agent_memory` hint on merchant 402 responses.\n \n The gate (`@agent-score/commerce/identity/`) emits `agent_memory` on identity-related\n responses (sessions, credentials, missing_identity bootstraps). Merchants can ALSO\n * include the hint in their own 402 challenge bodies on first-encounter requests so\n * agents persist the cross-merchant pattern even when entering the ecosystem through a\n * merchant-side endpoint rather than a direct AgentScore API call.\n \n Usage pattern:\n * - Merchant tracks per-operator (or per-IP / per-fingerprint) \"have I seen this agent\n * before?\" in their own DB\n * - On first encounter (no prior request from this operator/wallet/IP), include the hint\n * so the agent saves the pattern\n * - On subsequent encounters, skip — the agent already has it (or never will)\n \n The hint contents come from `buildAgentMemoryHint` (re-exported here for convenience).\n * Keep it stateless: AgentScore's pattern doesn't depend on the merchant's identity, so\n * every merchant emits the same shape.\n /\n\nimport { buildAgentMemoryHint, type AgentMemoryHint } from '../core';\n\nexport { buildAgentMemoryHint };\nexport type { AgentMemoryHint };\n\nexport interface FirstEncounterAgentMemoryInput {\n /\n Whether this is a first encounter for this operator/wallet/IP at this merchant.\n * Merchant-determined (DB lookup, cache flag, etc.). Pass `false` to suppress emission\n * cleanly without wrapping the call in an `if`.\n /\n firstEncounter: boolean;\n}\n\n/\n Returns the `agent_memory` hint when this is a first encounter, otherwise `undefined`.\n * Use directly with the `agentMemory` field of `build402Body`:\n \n ```ts\n * const body = build402Body({\n * acceptedMethods,\n * agentInstructions,\n * pricing,\n * agentMemory: firstEncounterAgentMemory({ firstEncounter: !this.hasSeenOperator(opToken) }),\n * });\n * ```\n \n Returning `undefined` means `build402Body` cleanly skips the field instead of emitting\n * `agent_memory: null` (which would imply \"I tried but failed\" rather than \"didn't apply\").\n /\nexport function firstEncounterAgentMemory(\n input: FirstEncounterAgentMemoryInput,\n): AgentMemoryHint \| undefined {\n if (!input.firstEncounter) return undefined;\n return buildAgentMemoryHint();\n}\n","import type { AcceptedMethodEntry } from './accepted_methods';\nimport type { AgentInstructions } from './agent_instructions';\nimport type { IdentityMetadataBlock } from './identity';\nimport type { PricingBlock as _PricingBlock } from './pricing';\n\nexport type { PricingBlock } from './pricing';\n\nexport interface Build402BodyInput {\n /* From buildAcceptedMethods — list of MPP method entries. /\n acceptedMethods: AcceptedMethodEntry[];\n /* From buildAgentInstructions — wraps how_to_pay + warnings + recommended_tools. /\n agentInstructions?: AgentInstructions;\n /* From buildIdentityMetadata — wallet-mode echoer. Spread into the body when present. /\n identityMetadata?: IdentityMetadataBlock;\n /* Cross-merchant agent_memory hint (from gate). /\n agentMemory?: unknown;\n /* Pricing breakdown. /\n pricing?: _PricingBlock;\n /* Total amount in USD as a string (e.g., '250.00'). /\n amountUsd?: string;\n /* Currency code. Default 'USD'. /\n currency?: string;\n /* Order id for retry correlation. /\n orderId?: string \| null;\n /* Product info — surfaced on the 402 so agents can confirm what they're buying. /\n product?: { id: string; name: string };\n /* The body the agent should retry with after payment (e.g., the original request body). /\n retryBody?: unknown;\n /* Recommended rail — agent's default if multiple are listed. /\n recommended?: string;\n /* x402-compliance fields (paired with the PAYMENT-REQUIRED header from `payment/wwwauthenticate`). /\n x402?: {\n accepts: unknown[];\n version?: 1 \| 2;\n };\n /* Vendor-specific extra fields merged at the top level. /\n extra?: Record<string, unknown>;\n}\n\n/\n Assemble the full enriched 402 response body. Combines accepted_methods, agent_instructions,\n * identity metadata, pricing, x402 compliance fields, and any vendor-specific extras into a\n * single object suitable for `JSON.stringify`. Vendors pass only what they have; the builder\n * conditionally includes each section.\n \n Pair this with a Response that sets:\n * - 'content-type: application/json'\n * - 'www-authenticate: <wwwAuthenticateHeader([...])>' from `payment/wwwauthenticate`\n * - 'PAYMENT-REQUIRED: <paymentRequiredHeader({...})>' for x402 clients\n /\nexport function build402Body(input: Build402BodyInput): Record<string, unknown> {\n const body: Record<string, unknown> = {\n payment_required: true,\n accepted_methods: input.acceptedMethods,\n };\n\n if (input.x402) {\n body.x402Version = input.x402.version ?? 2;\n body.accepts = input.x402.accepts;\n }\n\n if (input.amountUsd !== undefined) body.amount_usd = input.amountUsd;\n if (input.currency) body.currency = input.currency;\n if (input.pricing) body.pricing = input.pricing;\n if (input.orderId !== undefined) body.order_id = input.orderId;\n if (input.product) body.product = input.product;\n if (input.recommended) body.recommended = input.recommended;\n if (input.retryBody !== undefined) body.retry_body = input.retryBody;\n\n if (input.identityMetadata) {\n Object.assign(body, input.identityMetadata);\n }\n\n if (input.agentInstructions) body.agent_instructions = input.agentInstructions;\n if (input.agentMemory !== undefined) body.agent_memory = input.agentMemory;\n\n if (input.extra) Object.assign(body, input.extra);\n\n return body;\n}\n","/\n Pricing block builder + canonical type.\n \n Composes the cents-denominated price components into the dollar-string shape that\n * 402 challenge bodies advertise. Lifts the inline pattern from martin-estate's\n * `purchase.ts` so every merchant — current and future commerce-platform plugins\n * (Commerce7, WooCommerce, Shopify) — surfaces the same shape to agents.\n \n Shipping is included by default because most physical-goods merchants carry it; pass\n * `shippingCents: 0` (or omit) for digital goods / services. Tax is optional for\n * merchants outside taxable jurisdictions.\n /\n\nexport interface PricingBlock {\n /* Pre-tax, pre-shipping subtotal as a dollar-string (e.g. `\"250.00\"`). /\n subtotal: string;\n /* Tax amount as a dollar-string. Always present even if `\"0.00\"`. /\n tax: string;\n /* Shipping cost as a dollar-string. Always present even if `\"0.00\"`. /\n shipping?: string;\n /* Final total = subtotal + tax + shipping, dollar-string. /\n total: string;\n /* Tax rate as a decimal fraction (e.g. `0.0775` for 7.75%). Optional — omit for tax-free merchants. /\n tax_rate?: number;\n /* ISO-3166-2 state code or jurisdiction name used for tax calc. Optional. /\n tax_state?: string;\n /* ISO-4217 currency code. Default `\"USD\"`. /\n currency?: string;\n}\n\nexport interface BuildPricingBlockInput {\n /* Pre-tax, pre-shipping subtotal in the smallest currency unit (cents, satoshi, etc.). /\n subtotalCents: number;\n /* Tax amount in the smallest currency unit. Default `0`. /\n taxCents?: number;\n /* Shipping cost in the smallest currency unit. Default `0`. /\n shippingCents?: number;\n /* Override the computed total. By default `subtotalCents + taxCents + shippingCents`. /\n totalCents?: number;\n /* Tax rate as a decimal fraction (e.g. `0.0775`). /\n taxRate?: number;\n /* Tax jurisdiction (state code, country, etc.). /\n taxState?: string;\n /* ISO-4217 currency. Default `\"USD\"`. /\n currency?: string;\n}\n\n/\n Compose a `PricingBlock` from cents-denominated inputs. Handles the cents → dollar-string\n * conversion (always 2 decimals) and computes the total when not explicitly provided.\n \n Example:\n * ```ts\n * const pricing = buildPricingBlock({\n * subtotalCents: 25000,\n * taxCents: 1875,\n * shippingCents: 999,\n * taxRate: 0.075,\n * taxState: 'CA',\n * });\n * // → { subtotal: '250.00', tax: '18.75', shipping: '9.99', total: '278.74', tax_rate: 0.075, tax_state: 'CA' }\n * ```\n \n Pass `shippingCents: 0` for digital goods if you want the field present (it's then `\"0.00\"`);\n * omit entirely if you don't want shipping in the response shape at all.\n /\nexport function buildPricingBlock(input: BuildPricingBlockInput): PricingBlock {\n const tax = input.taxCents ?? 0;\n const shipping = input.shippingCents ?? 0;\n const total = input.totalCents ?? input.subtotalCents + tax + shipping;\n\n const block: PricingBlock = {\n subtotal: formatCents(input.subtotalCents),\n tax: formatCents(tax),\n total: formatCents(total),\n };\n\n if (input.shippingCents !== undefined) block.shipping = formatCents(shipping);\n if (input.taxRate !== undefined) block.tax_rate = input.taxRate;\n if (input.taxState !== undefined) block.tax_state = input.taxState;\n if (input.currency !== undefined) block.currency = input.currency;\n\n return block;\n}\n\nfunction formatCents(cents: number): string {\n return (cents / 100).toFixed(2);\n}\n","/\n Joins multiple Payment directives into a single WWW-Authenticate header value.\n * Per RFC 7235, multiple challenges are comma-separated.\n /\nexport function wwwAuthenticateHeader(directives: string[]): string {\n return directives.join(', ');\n}\n\nexport interface PaymentRequiredHeaderInput {\n x402Version: 1 \| 2;\n accepts: unknown[];\n resource?: { url: string; mimeType?: string };\n}\n\n/\n Add the v1↔v2 amount-field alias to each accepts entry. Idempotent. Used by both\n * `paymentRequiredHeader` (header emit) and `build402Body` (body emit) so every\n * x402 entry on the wire carries BOTH `amount` (v2 spec) AND `maxAmountRequired`\n * (v1 spec) — strict v1-only parsers (e.g. Coinbase awal at `payments-mcp.coinbase.com`,\n * which is hardcoded to read `maxAmountRequired`) work alongside strict v2 parsers,\n * which ignore the alias.\n /\nexport function aliasAmountFields(accepts: unknown[]): unknown[] {\n return accepts.map((entry) => {\n if (entry === null \|\| typeof entry !== 'object') return entry;\n const e = entry as Record<string, unknown>;\n const hasAmount = e.amount !== undefined;\n const hasMaxAmount = e.maxAmountRequired !== undefined;\n if (hasAmount && !hasMaxAmount) return { ...e, maxAmountRequired: e.amount };\n if (hasMaxAmount && !hasAmount) return { ...e, amount: e.maxAmountRequired };\n return e;\n });\n}\n\n/\n Encode the standard x402 PAYMENT-REQUIRED header (base64-encoded JSON of the\n * PaymentRequired object). Clients that recognize the header (`@x402/fetch`,\n * `@x402/core` HTTPClient, `agentscore-pay`) prefer it over body fields.\n \n Note: do NOT add a v1↔v2 amount-field alias here. `@x402/core`'s\n * `findMatchingRequirements` uses `deepEqual` against the agent's signed\n * `accepted` payload — any field present on one side and missing on the other\n * (e.g. `maxAmountRequired` on the wire body but not in `buildPaymentRequirements`'s\n * output) makes the match silently fail at settle time. Keep `accepts` shape\n * identical to whatever `buildPaymentRequirements` produces server-side.\n /\nexport function paymentRequiredHeader(input: PaymentRequiredHeaderInput): string {\n return Buffer.from(JSON.stringify(input)).toString('base64');\n}\n","/\n `respond402` — single-call 402 emit for merchants who use both `mppx` (for tempo + stripe\n * MPP rails) AND x402 (for Base + Solana).\n \n The seam is fiddly enough to get wrong by hand:\n * - mppx's `compose()(req)` returns a 402 Response with WWW-Authenticate directives\n * whose ids mppx's server-side validator REMEMBERS — they round-trip in client\n * credentials. Overwriting that header (e.g. with `buildPaymentHeaders` output)\n * breaks the round-trip.\n * - x402 needs the binary-friendly `PAYMENT-REQUIRED` header (base64-encoded JSON\n * of `{x402Version, accepts, resource}`) — mppx doesn't emit it.\n * - Merchants want a richer JSON body (pricing, identity metadata, agent_instructions,\n * agent_memory, retry_body, accepted_methods cross-reference) than the bare mppx body.\n \n `respond402` composes all three in one call:\n * - PRESERVES mppx's WWW-Authenticate verbatim\n * - ADDS PAYMENT-REQUIRED when x402 entries are present\n * - REPLACES the body with the rich body via `build402Body`\n \n Usage:\n * ```ts\n * const result = await m.compose(['tempo/charge', {...}], ['stripe/charge', {...}])(c.req.raw);\n * if (result.status === 402) {\n * return commerce.respond402({\n * mppxChallenge: result.challenge,\n * x402: { version: 2, accepts: x402Accepts, resource: { url: c.req.url, mimeType: 'application/json' } },\n * body: { acceptedMethods, agentInstructions, identityMetadata, pricing, agentMemory, retryBody, ... },\n * });\n * }\n * ```\n /\n\nimport { paymentRequiredHeader, type PaymentRequiredHeaderInput } from '../payment/wwwauthenticate';\nimport { build402Body, type Build402BodyInput } from './body';\n\nexport interface Respond402Input {\n /* The 402 Response returned by `mppx.compose()(req)`. Its WWW-Authenticate header\n * is preserved verbatim — mppx's server-side validator matches credentials to the\n * directive ids it generated, so overwriting breaks the round-trip. /\n mppxChallenge: Response;\n /* Inputs to `build402Body` — the rich JSON body sent to the agent. /\n body: Build402BodyInput;\n /* When set, layers on the x402 PAYMENT-REQUIRED header (base64-encoded JSON).\n * Omit for merchants that don't accept x402 (Base/Solana) — mppx-only setups. /\n x402?: PaymentRequiredHeaderInput;\n}\n\nexport function respond402(input: Respond402Input): Response {\n const body = build402Body(input.body);\n const headers = new Headers(input.mppxChallenge.headers);\n headers.set('content-type', 'application/json');\n if (input.x402) {\n headers.set('PAYMENT-REQUIRED', paymentRequiredHeader(input.x402));\n }\n return new Response(JSON.stringify(body), { headers, status: 402 });\n}\n","/\n Build a structured 4xx validation-error body that pairs cleanly with the\n * existing 402 / 403 builders. Every commerce merchant returning helpful\n * `bad_request` / `not_found` / `out_of_stock` / etc. errors converges on the\n * same shape: `{ error: {code, message}, ...optional_hints, next_steps? }`.\n \n This builder doesn't choose the HTTP status — vendors wrap the returned\n * body in their framework's response (`c.json(body, 400)` in Hono,\n * `Response.json(body, {status: 400})` for the Web Fetch path, etc.). Status\n * stays the merchant's call because the same shape works for 400/404/409/422.\n /\nexport interface BuildValidationErrorInput {\n /* Machine-readable error code (e.g. 'bad_request', 'not_found', 'out_of_stock'). /\n code: string;\n /* Human-readable message — surfaced directly to the user via the agent. /\n message: string;\n /* Optional schema description of required body fields, keyed by field name. Surfaced\n * so agents can self-correct without fetching docs. /\n requiredFields?: Record<string, string>;\n /* Optional concrete example body. Pairs with `requiredFields` for max self-serve. /\n exampleBody?: unknown;\n /* Optional next-step hint block (`{action, user_message?, ...vendor_extras}`). /\n nextSteps?: Record<string, unknown>;\n /* Vendor-specific top-level fields merged into the body (e.g. `available`,\n * `blocked_states`, `max_length`). /\n extra?: Record<string, unknown>;\n}\n\nexport interface ValidationErrorBody {\n error: { code: string; message: string };\n required_fields?: Record<string, string>;\n example_body?: unknown;\n next_steps?: Record<string, unknown>;\n [key: string]: unknown;\n}\n\n/\n Compose a 4xx body that vendors return via their framework's response helper.\n * Combine with the merchant's chosen HTTP status (400 for body shape errors,\n * 404 for missing entities, 409 for stock conflicts, 403 for policy denials, etc.).\n \n Example:\n * ```ts\n * return c.json(buildValidationError({\n * code: 'bad_request',\n * message: 'product_id, email, and shipping are required',\n * requiredFields: { product_id: 'uuid', email: 'string', shipping: 'object' },\n * nextSteps: { action: 'retry_with_complete_body' },\n * }), 400);\n * ```\n */\nexport function buildValidationError(input: BuildValidationErrorInput): ValidationErrorBody {\n const body: ValidationErrorBody = {\n error: { code: input.code, message: input.message },\n };\n if (input.requiredFields) body.required_fields = input.requiredFields;\n if (input.exampleBody !== undefined) body.example_body = input.exampleBody;\n if (input.nextSteps) body.next_steps = input.nextSteps;\n if (input.extra) Object.assign(body, input.extra);\n return body;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;AC8EO,SAAS,qBAAqB,OAAyD;AAC5F,QAAM,MAA6B,CAAC;AAEpC,MAAI,MAAM,OAAO;AACf,QAAI,KAAK;AAAA,MACP,QAAQ;AAAA,MACR,SAAS,MAAM,MAAM,WAAW;AAAA,MAChC,UAAU,MAAM,MAAM,WAAW;AAAA,MACjC,OAAO,MAAM,MAAM,SAAS;AAAA,MAC5B,QAAQ,MAAM,MAAM,UAAU;AAAA,MAC9B,UAAU,MAAM,MAAM,YAAY;AAAA,MAClC,QAAQ,MAAM,MAAM;AAAA,IACtB,CAAC;AAAA,EACH;AAEA,MAAI,MAAM,WAAW;AACnB,QAAI,KAAK;AAAA,MACP,QAAQ;AAAA,MACR,SAAS,MAAM,UAAU,WAAW;AAAA,MACpC,UAAU,MAAM,UAAU,WAAW;AAAA,MACrC,OAAO,MAAM,UAAU,SAAS;AAAA,MAChC,QAAQ,MAAM,UAAU,UAAU;AAAA,MAClC,UAAU,MAAM,UAAU,YAAY;AAAA,MACtC,QAAQ,MAAM,UAAU;AAAA,IAC1B,CAAC;AAAA,EACH;AAEA,MAAI,MAAM,YAAY;AACpB,QAAI,KAAK;AAAA,MACP,QAAQ;AAAA,MACR,SAAS,MAAM,WAAW,WAAW;AAAA,MACrC,OAAO,MAAM,WAAW,SAAS;AAAA,MACjC,QAAQ,MAAM,WAAW,UAAU;AAAA,MACnC,UAAU,MAAM,WAAW,YAAY;AAAA,MACvC,QAAQ,MAAM,WAAW;AAAA,MACzB,GAAI,MAAM,WAAW,cAAc,EAAE,eAAe,MAAM,WAAW,YAAY,IAAI,CAAC;AAAA,IACxF,CAAC;AAAA,EACH;AAEA,MAAI,MAAM,QAAQ;AAChB,QAAI,KAAK;AAAA,MACP,QAAQ;AAAA,MACR,OAAO,MAAM,OAAO,SAAS,CAAC,QAAQ,QAAQ,sBAAsB;AAAA,MACpE,YAAY,MAAM,OAAO,aAAa;AAAA,IACxC,CAAC;AAAA,EACH;AAEA,SAAO;AACT;;;AC3FO,SAAS,sBAAsB,OAAqD;AACzF,QAAM,QAA+B,EAAE,eAAe,MAAM,KAAK;AAEjE,MAAI,MAAM,SAAS,SAAU,QAAO;AAEpC,MAAI,MAAM,QAAQ;AAChB,UAAM,kBAAkB,MAAM,mBAAmB,kBAAkB,MAAM;AAAA,EAC3E;AACA,MAAI,MAAM,iBAAiB,MAAM,cAAc,SAAS,GAAG;AACzD,UAAM,iBAAiB,MAAM;AAAA,EAC/B;AACA,QAAM,oBACJ,MAAM,oBACN;AAEF,SAAO;AACT;;;ACPA,IAAM,cAAc;AAAA,EAClB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,IAAM,iBAAiB;AAAA,EACrB;AAAA,EACA;AAAA,EACA;AACF;AAEA,IAAM,mBAAmB;AAAA,EACvB;AAAA,EACA;AAAA,EACA;AACF;AASO,SAAS,cAAc,OAA0C;AACtE,QAAM,WAAW,OAAO,MAAM,aAAa,WAAW,OAAO,MAAM,QAAQ,IAAI,MAAM;AACrF,QAAM,WAAW,OAAO,MAAM,aAAa,KAAK,KAAK,QAAQ,IAAI,GAAG,QAAQ,CAAC,CAAC;AAC9E,QAAM,UAAU,MAAM,sBAAsB;AAC5C,QAAM,QAAuB,CAAC;AAE9B,MAAI,MAAM,MAAM,OAAO;AACrB,UAAM,cAAc,MAAM,MAAM,MAAM,eAAe;AACrD,UAAM,UAAU,MAAM,MAAM,MAAM,WAAW;AAC7C,UAAM,YAAY,MAAM,MAAM,MAAM,aAAa;AACjD,UAAM,eAAe,+CAA+C,OAAO,iDAAiD,MAAM,aAAa,iBAAiB,QAAQ,IAAI,MAAM,GAAG;AACrL,UAAM,aAAa,2BAA2B,MAAM,GAAG,wCAAwC,OAAO,6CAA6C,MAAM,aAAa,iBAAiB,QAAQ;AAC/L,UAAM,QAAQ;AAAA,MACZ,OAAO;AAAA,MACP,cAAc,6DAA6D,WAAW,WAAW,OAAO,kBAAkB,QAAQ;AAAA,MAClI,SAAS,cAAc,mBAAmB,aAAa;AAAA,MACvD,GAAI,cAAc,SACd,EAAE,qBAAqB,WAAW,IAClC,cAAc,mBACZ,EAAE,qBAAqB,aAAa,IACpC,CAAC;AAAA,MACP,cAAc,0BAA0B,WAAW;AAAA,IACrD;AAAA,EACF;AAEA,MAAI,MAAM,MAAM,WAAW;AACzB,UAAM,UAAU,MAAM,MAAM,UAAU,WAAW;AACjD,UAAM,YAAY;AAAA,MAChB,OAAO;AAAA,MACP,cAAc,iFAAiF,OAAO,kBAAkB,QAAQ;AAAA,MAChI,SAAS,2BAA2B,MAAM,GAAG,uCAAuC,OAAO,6CAA6C,MAAM,aAAa,iBAAiB,QAAQ;AAAA,MACpL,cAAc;AAAA,IAChB;AAAA,EACF;AAEA,MAAI,MAAM,MAAM,YAAY;AAC1B,UAAM,UAAU,MAAM,MAAM,WAAW,WAAW;AAClD,UAAM,aAAa;AAAA,MACjB,OAAO;AAAA,MACP,cAAc,qFAAqF,OAAO,kBAAkB,QAAQ;AAAA,MACpI,SAAS,2BAA2B,MAAM,GAAG,yCAAyC,OAAO,6CAA6C,MAAM,aAAa,iBAAiB,QAAQ;AAAA,MACtL,cAAc;AAAA,IAChB;AAAA,EACF;AAEA,MAAI,MAAM,MAAM,QAAQ;AACtB,UAAM,YAAY,MAAM,MAAM;AAC9B,UAAM,cAAc,KAAK,MAAM,WAAW,GAAG;AAC7C,UAAM,iBAAiB,cAAc;AACrC,UAAM,cAAc,UAAU,eAAe;AAC7C,UAAM,aAAa,eAAe,WAAW,+FAA+F,QAAQ;AACpJ,UAAM,SAA8B;AAAA,MAClC,cACE;AAAA,MACF,cACE;AAAA,IACJ;AACA,QAAI,UAAU,aAAa,CAAC,gBAAgB;AAC1C,aAAO,iBAAiB;AAAA,QACtB;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA,aAAO,mBAAmB;AAAA,QACxB,0JAA0J,UAAU,SAAS,aAAa,WAAW,eAAe,UAAU;AAAA,QAC9N,oBAAoB,MAAM,GAAG,uDAAuD,MAAM,aAAa,iCAAiC,OAAO;AAAA,MACjJ;AACA,aAAO,wBACL;AAAA,IACJ,WAAW,gBAAgB;AACzB,aAAO,OAAO,0IAAqI,QAAQ;AAAA,IAC7J;AACA,UAAM,SAAS;AAAA,EACjB;AAEA,SAAO;AACT;;;ACtGA,IAAM,gBACJ;AAEF,IAAM,eACJ;AAEF,IAAM,aAAa;AACnB,IAAM,sBAAsB;AAE5B,IAAM,+BACJ;AAEF,SAAS,wBAAwB,UAAmC;AAClE,QAAM,QAAkB,CAAC;AACzB,MAAI,SAAS,MAAO,OAAM,KAAK,UAAU;AACzC,MAAI,SAAS,SAAS,SAAS,aAAa,SAAS,WAAY,OAAM,KAAK,mBAAmB;AAC/F,SAAO;AACT;AAEA,SAAS,gBAAgB,UAAmC;AAC1D,QAAM,IAAc,CAAC;AACrB,MAAI,SAAS,MAAO,GAAE,KAAK,aAAa;AACxC,MAAI,SAAS,UAAW,GAAE,KAAK,YAAY;AAC3C,SAAO;AACT;AAiBA,IAAM,eAAmD;AAAA,EACvD,WAAW,CAAC,kBAAkB,iBAAiB,YAAY;AAAA,EAC3D,WAAW,CAAC,kBAAkB,cAAc,4BAA4B;AAAA,EACxE,YAAY,CAAC,gBAAgB;AAAA,EAC7B,QAAQ,CAAC,UAAU;AACrB;AAMO,SAAS,yBAAyB,OAA0D;AACjG,QAAM,MAAyB,CAAC;AAChC,aAAW,KAAK,MAAO,KAAI,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,CAAC;AACnD,SAAO,OAAO,KAAK,GAAG,EAAE,WAAW,IAAI,SAAY;AACrD;AAEA,SAAS,yBAAyB,UAAwD;AACxF,QAAM,QAAmB,CAAC;AAC1B,MAAI,SAAS,MAAO,OAAM,KAAK,WAAW;AAC1C,MAAI,SAAS,UAAW,OAAM,KAAK,WAAW;AAC9C,MAAI,SAAS,WAAY,OAAM,KAAK,YAAY;AAChD,MAAI,SAAS,OAAQ,OAAM,KAAK,QAAQ;AACxC,SAAO,yBAAyB,KAAK;AACvC;AAWO,SAAS,uBAAuB,OAAuD;AAC5F,QAAM,oBAAoB,MAAM,qBAAqB,yBAAyB,MAAM,QAAQ;AAC5F,SAAO;AAAA,IACL,YAAY,MAAM;AAAA,IAClB,mBAAmB,MAAM,oBAAoB,wBAAwB,MAAM,QAAQ;AAAA,IACnF,sBAAsB,MAAM,uBAAuB;AAAA,IACnD,iBAAiB,MAAM,kBAAkB;AAAA,IACzC,UAAU,MAAM,YAAY,CAAC,GAAG,gBAAgB,MAAM,QAAQ,GAAG,GAAI,MAAM,iBAAiB,CAAC,CAAE;AAAA,IAC/F,GAAI,MAAM,cAAc,EAAE,aAAa,MAAM,YAAY,IAAI,CAAC;AAAA,IAC9D,GAAI,oBAAoB,EAAE,oBAAoB,kBAAkB,IAAI,CAAC;AAAA,IACrE,GAAI,MAAM,SAAS,CAAC;AAAA,EACtB;AACF;;;ACpIA,iBAOO;;;AC0BP,IAAM,kCAAkC,KAAK,UAAU;AAAA,EACrD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,gCAAgC,KAAK,UAAU;AAAA,EACnD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,uDAAuD,KAAK,UAAU;AAAA,EAC1E,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,yBAAyB,KAAK,UAAU;AAAA,EAC5C,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAEM,IAAM,8BAA8B,KAAK,UAAU;AAAA,EACxD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,sCAAsC,KAAK,UAAU;AAAA,EACzD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;;;AD6PD,IAAM,2BAA2B;AAKjC,IAAM,sCAAsC,KAAK,UAAU;AAAA,EACzD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,mDAAmD,KAAK,UAAU;AAAA,EACtE,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAMD,IAAM,kCAAkC,KAAK,UAAU;AAAA,EACrD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAEM,SAAS,uBAAwC;AAItD,QAAM,MAAM;AACZ,SAAO;AAAA,IACL,kCAAkC;AAAA,IAClC,iBACE;AAAA,IAKF,YAAY;AAAA,IACZ,yBAAyB,GAAG,GAAG;AAAA,IAC/B,gBAAgB;AAAA,MACd,QACE;AAAA,MAEF,gBACE;AAAA,IAEJ;AAAA,IACA,WACE;AAAA,IAIF,0BAA0B,CAAC,kBAAkB,aAAa;AAAA,IAC1D,6BAA6B,CAAC,gBAAgB;AAAA,EAChD;AACF;;;AEjXO,SAAS,0BACd,OAC6B;AAC7B,MAAI,CAAC,MAAM,eAAgB,QAAO;AAClC,SAAO,qBAAqB;AAC9B;;;ACNO,SAAS,aAAa,OAAmD;AAC9E,QAAM,OAAgC;AAAA,IACpC,kBAAkB;AAAA,IAClB,kBAAkB,MAAM;AAAA,EAC1B;AAEA,MAAI,MAAM,MAAM;AACd,SAAK,cAAc,MAAM,KAAK,WAAW;AACzC,SAAK,UAAU,MAAM,KAAK;AAAA,EAC5B;AAEA,MAAI,MAAM,cAAc,OAAW,MAAK,aAAa,MAAM;AAC3D,MAAI,MAAM,SAAU,MAAK,WAAW,MAAM;AAC1C,MAAI,MAAM,QAAS,MAAK,UAAU,MAAM;AACxC,MAAI,MAAM,YAAY,OAAW,MAAK,WAAW,MAAM;AACvD,MAAI,MAAM,QAAS,MAAK,UAAU,MAAM;AACxC,MAAI,MAAM,YAAa,MAAK,cAAc,MAAM;AAChD,MAAI,MAAM,cAAc,OAAW,MAAK,aAAa,MAAM;AAE3D,MAAI,MAAM,kBAAkB;AAC1B,WAAO,OAAO,MAAM,MAAM,gBAAgB;AAAA,EAC5C;AAEA,MAAI,MAAM,kBAAmB,MAAK,qBAAqB,MAAM;AAC7D,MAAI,MAAM,gBAAgB,OAAW,MAAK,eAAe,MAAM;AAE/D,MAAI,MAAM,MAAO,QAAO,OAAO,MAAM,MAAM,KAAK;AAEhD,SAAO;AACT;;;ACbO,SAAS,kBAAkB,OAA6C;AAC7E,QAAM,MAAM,MAAM,YAAY;AAC9B,QAAM,WAAW,MAAM,iBAAiB;AACxC,QAAM,QAAQ,MAAM,cAAc,MAAM,gBAAgB,MAAM;AAE9D,QAAM,QAAsB;AAAA,IAC1B,UAAU,YAAY,MAAM,aAAa;AAAA,IACzC,KAAK,YAAY,GAAG;AAAA,IACpB,OAAO,YAAY,KAAK;AAAA,EAC1B;AAEA,MAAI,MAAM,kBAAkB,OAAW,OAAM,WAAW,YAAY,QAAQ;AAC5E,MAAI,MAAM,YAAY,OAAW,OAAM,WAAW,MAAM;AACxD,MAAI,MAAM,aAAa,OAAW,OAAM,YAAY,MAAM;AAC1D,MAAI,MAAM,aAAa,OAAW,OAAM,WAAW,MAAM;AAEzD,SAAO;AACT;AAEA,SAAS,YAAY,OAAuB;AAC1C,UAAQ,QAAQ,KAAK,QAAQ,CAAC;AAChC;;;ACzCO,SAAS,sBAAsB,OAA2C;AAC/E,SAAO,OAAO,KAAK,KAAK,UAAU,KAAK,CAAC,EAAE,SAAS,QAAQ;AAC7D;;;ACDO,SAAS,WAAW,OAAkC;AAC3D,QAAM,OAAO,aAAa,MAAM,IAAI;AACpC,QAAM,UAAU,IAAI,QAAQ,MAAM,cAAc,OAAO;AACvD,UAAQ,IAAI,gBAAgB,kBAAkB;AAC9C,MAAI,MAAM,MAAM;AACd,YAAQ,IAAI,oBAAoB,sBAAsB,MAAM,IAAI,CAAC;AAAA,EACnE;AACA,SAAO,IAAI,SAAS,KAAK,UAAU,IAAI,GAAG,EAAE,SAAS,QAAQ,IAAI,CAAC;AACpE;;;ACJO,SAAS,qBAAqB,OAAuD;AAC1F,QAAM,OAA4B;AAAA,IAChC,OAAO,EAAE,MAAM,MAAM,MAAM,SAAS,MAAM,QAAQ;AAAA,EACpD;AACA,MAAI,MAAM,eAAgB,MAAK,kBAAkB,MAAM;AACvD,MAAI,MAAM,gBAAgB,OAAW,MAAK,eAAe,MAAM;AAC/D,MAAI,MAAM,UAAW,MAAK,aAAa,MAAM;AAC7C,MAAI,MAAM,MAAO,QAAO,OAAO,MAAM,MAAM,KAAK;AAChD,SAAO;AACT;","names":[]}
1	+ {"version":3,"sources":["../../src/challenge/index.ts","../../src/challenge/accepted_methods.ts","../../src/challenge/identity.ts","../../src/challenge/how_to_pay.ts","../../src/challenge/agent_instructions.ts","../../src/core.ts","../../src/_response.ts","../../src/challenge/agent_memory.ts","../../src/challenge/body.ts","../../src/challenge/pricing.ts","../../src/payment/wwwauthenticate.ts","../../src/challenge/respond_402.ts","../../src/challenge/validation_error.ts"],"sourcesContent":["export * from './accepted_methods';\nexport * from './identity';\nexport * from './how_to_pay';\nexport * from './agent_instructions';\nexport * from './agent_memory';\nexport * from './body';\nexport * from './pricing';\nexport * from './order_receipt';\nexport * from './respond_402';\nexport * from './validation_error';\n","export interface TempoMethodEntry {\n method: 'tempo/charge';\n network: string;\n chain_id: number;\n token: string;\n symbol: string;\n decimals: number;\n pay_to: string;\n}\n\nexport interface X402MethodEntry {\n method: 'x402/exact';\n network: string;\n chain_id?: number;\n token: string;\n symbol: string;\n decimals: number;\n pay_to: string;\n}\n\nexport interface SolanaMppMethodEntry {\n method: 'solana/charge';\n network: string;\n token: string;\n symbol: string;\n decimals: number;\n pay_to: string;\n fee_payer_key?: string;\n}\n\nexport interface StripeMethodEntry {\n method: 'stripe/charge';\n rails: ('card' \| 'link' \| 'shared_payment_token')[];\n profile_id: string \| null;\n}\n\nexport type AcceptedMethodEntry =\n \| TempoMethodEntry\n \| X402MethodEntry\n \| SolanaMppMethodEntry\n \| StripeMethodEntry;\n\nexport interface BuildAcceptedMethodsInput {\n tempo?: {\n recipient: string;\n network?: string;\n chainId?: number;\n token?: string;\n symbol?: string;\n decimals?: number;\n };\n x402_base?: {\n recipient: string;\n network?: string;\n chainId?: number;\n token?: string;\n symbol?: string;\n decimals?: number;\n };\n solana_mpp?: {\n recipient: string;\n network?: string;\n token?: string;\n symbol?: string;\n decimals?: number;\n feePayerKey?: string;\n };\n stripe?: {\n profileId?: string \| null;\n rails?: ('card' \| 'link' \| 'shared_payment_token')[];\n };\n}\n\n/*\n Build the `accepted_methods[]` array for an enriched 402 body. Each rail entry is\n * conditionally included based on whether the vendor passed it. Per-rail shapes follow\n * the conventions established in martin-estate's reference 402.\n /\nexport function buildAcceptedMethods(input: BuildAcceptedMethodsInput): AcceptedMethodEntry[] {\n const out: AcceptedMethodEntry[] = [];\n\n if (input.tempo) {\n out.push({\n method: 'tempo/charge',\n network: input.tempo.network ?? 'tempo-mainnet',\n chain_id: input.tempo.chainId ?? 4217,\n token: input.tempo.token ?? '0x20C000000000000000000000b9537d11c60E8b50',\n symbol: input.tempo.symbol ?? 'USDC.e',\n decimals: input.tempo.decimals ?? 6,\n pay_to: input.tempo.recipient,\n });\n }\n\n if (input.x402_base) {\n out.push({\n method: 'x402/exact',\n network: input.x402_base.network ?? 'eip155:8453',\n chain_id: input.x402_base.chainId ?? 8453,\n token: input.x402_base.token ?? '0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913',\n symbol: input.x402_base.symbol ?? 'USDC',\n decimals: input.x402_base.decimals ?? 6,\n pay_to: input.x402_base.recipient,\n });\n }\n\n if (input.solana_mpp) {\n out.push({\n method: 'solana/charge',\n network: input.solana_mpp.network ?? 'solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp',\n token: input.solana_mpp.token ?? 'EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v',\n symbol: input.solana_mpp.symbol ?? 'USDC',\n decimals: input.solana_mpp.decimals ?? 6,\n pay_to: input.solana_mpp.recipient,\n ...(input.solana_mpp.feePayerKey ? { fee_payer_key: input.solana_mpp.feePayerKey } : {}),\n });\n }\n\n if (input.stripe) {\n out.push({\n method: 'stripe/charge',\n rails: input.stripe.rails ?? ['card', 'link', 'shared_payment_token'],\n profile_id: input.stripe.profileId ?? null,\n });\n }\n\n return out;\n}\n","export type IdentityMode = 'wallet' \| 'operator_token';\n\nexport interface SignerMatchResultLike {\n kind: 'pass' \| 'wallet_signer_mismatch' \| 'wallet_auth_requires_wallet_signing' \| string;\n expectedSigner?: string;\n actualSigner?: string;\n linkedWallets?: string[];\n}\n\nexport interface IdentityMetadataInput {\n /* Current request's identity mode. /\n mode: IdentityMode;\n /* Claimed wallet address (when mode === 'wallet'). /\n wallet?: string;\n /* Result of a prior verifyWalletSignerMatch call. /\n signerMatchResult?: SignerMatchResultLike;\n /* Same-operator linked wallets (from assess response). /\n linkedWallets?: string[];\n /* Optional explicit constraint description (overrides the auto-generated one). /\n signerConstraint?: string;\n}\n\nexport interface IdentityMetadataBlock {\n identity_mode: IdentityMode;\n required_signer?: string;\n linked_wallets?: string[];\n signer_constraint?: string;\n}\n\n/\n Build the identity-metadata block for an enriched 402 body. Echoes the agent's\n * identity context (wallet vs. operator-token mode) so the agent can self-correct\n * before signing — specifically, on wallet-auth rails the agent MUST sign with one\n * of the wallets in linked_wallets (all resolve to the same operator).\n /\nexport function buildIdentityMetadata(input: IdentityMetadataInput): IdentityMetadataBlock {\n const block: IdentityMetadataBlock = { identity_mode: input.mode };\n\n if (input.mode !== 'wallet') return block;\n\n if (input.wallet) {\n block.required_signer = input.signerMatchResult?.expectedSigner ?? input.wallet;\n }\n if (input.linkedWallets && input.linkedWallets.length > 0) {\n block.linked_wallets = input.linkedWallets;\n }\n block.signer_constraint =\n input.signerConstraint ??\n 'Payment must be signed with the claimed wallet OR any same-operator linked wallet listed in linked_wallets.';\n\n return block;\n}\n","export interface HowToPayRailEntry {\n setup?: string[];\n prerequisite?: string;\n command: string;\n alternative_command?: string;\n what_it_does: string;\n}\n\nexport interface HowToPayStripeEntry {\n prerequisite: string;\n instructions: string;\n setup_link_cli?: string[];\n command_link_cli?: string[];\n what_it_does_link_cli?: string;\n note?: string;\n}\n\nexport interface HowToPayBlock {\n tempo?: HowToPayRailEntry;\n x402_base?: HowToPayRailEntry;\n solana_mpp?: HowToPayRailEntry;\n stripe?: HowToPayStripeEntry;\n}\n\nexport interface BuildHowToPayInput {\n /* The merchant's full URL (e.g., 'https://agents.merchant.example/api/buy'). /\n url: string;\n /* JSON string of the body the agent should retry with — typically the original request body. /\n retryBodyJson: string;\n /* Total amount in USD (string or number). Used to compute max-spend defaults and stripe context. /\n totalUsd: string \| number;\n /* Per-rail config — each is optional. Pass only the rails you support. /\n rails: {\n tempo?: { recipient: string; networkName?: string; chainId?: number; recommend?: 'tempo' \| 'agentscore-pay' \| 'both' };\n x402_base?: { recipient: string; network?: string };\n solana_mpp?: { recipient: string; network?: string };\n stripe?: { profileId?: string \| null; productName?: string };\n };\n /* Placeholder text for the operator token in commands. Defaults to '<your_opc_token>'. /\n opTokenPlaceholder?: string;\n /* Override max-spend value used in commands. Default: ceil(totalUsd) + 1. /\n maxSpend?: string \| number;\n}\n\nconst TEMPO_SETUP = [\n 'curl -fsSL https://tempo.xyz/install \| bash',\n 'tempo wallet login',\n 'tempo wallet whoami',\n 'tempo wallet fund # if balance is zero',\n];\n\nconst PAY_SETUP_BASE = [\n 'npm install -g @agent-score/pay # or: brew install agentscore/tap/agentscore-pay',\n 'agentscore-pay wallet create --chain base',\n 'agentscore-pay balance --chain base # fund the printed address with USDC on Base',\n];\n\nconst PAY_SETUP_SOLANA = [\n 'npm install -g @agent-score/pay # or: brew install agentscore/tap/agentscore-pay',\n 'agentscore-pay wallet create --chain solana',\n 'agentscore-pay balance --chain solana # fund the printed address with USDC on Solana',\n];\n\n/\n Build the agent_instructions.how_to_pay block. Generates per-rail setup/command/what_it_does\n * boilerplate so agents see concrete commands per rail in the 402 body. Vendors pass the rails\n * they support; the helper produces the right command for each.\n \n Tool recommendations (tempo CLI vs agentscore-pay vs link-cli) are configurable per rail.\n /\nexport function buildHowToPay(input: BuildHowToPayInput): HowToPayBlock {\n const totalNum = typeof input.totalUsd === 'string' ? Number(input.totalUsd) : input.totalUsd;\n const maxSpend = String(input.maxSpend ?? (Math.ceil(totalNum) + 1).toFixed(2));\n const opToken = input.opTokenPlaceholder ?? '<your_opc_token>';\n const block: HowToPayBlock = {};\n\n if (input.rails.tempo) {\n const networkName = input.rails.tempo.networkName ?? 'tempo-mainnet';\n const chainId = input.rails.tempo.chainId ?? 4217;\n const recommend = input.rails.tempo.recommend ?? 'both';\n const tempoCommand = `tempo request -X POST -H 'X-Operator-Token: ${opToken}' -H 'Content-Type: application/json' --json '${input.retryBodyJson}' --max-spend ${maxSpend} ${input.url}`;\n const payCommand = `agentscore-pay pay POST ${input.url} --chain tempo -H 'X-Operator-Token: ${opToken}' -H 'Content-Type: application/json' -d '${input.retryBodyJson}' --max-spend ${maxSpend}`;\n block.tempo = {\n setup: TEMPO_SETUP,\n prerequisite: `Run \\`tempo wallet whoami\\` and confirm USDC.e balance on ${networkName} (chain ${chainId}) is at least $${maxSpend}. If the tempo CLI is not installed, run the setup commands above first.`,\n command: recommend === 'agentscore-pay' ? payCommand : tempoCommand,\n ...(recommend === 'both'\n ? { alternative_command: payCommand }\n : recommend === 'agentscore-pay'\n ? { alternative_command: tempoCommand }\n : {}),\n what_it_does: `Pays via Tempo USDC on ${networkName}.`,\n };\n }\n\n if (input.rails.x402_base) {\n const network = input.rails.x402_base.network ?? 'eip155:8453';\n block.x402_base = {\n setup: PAY_SETUP_BASE,\n prerequisite: `Run \\`agentscore-pay balance --chain base\\` and confirm USDC balance on Base (${network}) is at least $${maxSpend}. If the CLI is not installed, run the setup commands above first.`,\n command: `agentscore-pay pay POST ${input.url} --chain base -H 'X-Operator-Token: ${opToken}' -H 'Content-Type: application/json' -d '${input.retryBodyJson}' --max-spend ${maxSpend}`,\n what_it_does: 'Pays via USDC on Base.',\n };\n }\n\n if (input.rails.solana_mpp) {\n const network = input.rails.solana_mpp.network ?? 'solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp';\n block.solana_mpp = {\n setup: PAY_SETUP_SOLANA,\n prerequisite: `Run \\`agentscore-pay balance --chain solana\\` and confirm USDC balance on Solana (${network}) is at least $${maxSpend}. If the CLI is not installed, run the setup commands above first.`,\n command: `agentscore-pay pay POST ${input.url} --chain solana -H 'X-Operator-Token: ${opToken}' -H 'Content-Type: application/json' -d '${input.retryBodyJson}' --max-spend ${maxSpend}`,\n what_it_does: 'Pays via USDC on Solana.',\n };\n }\n\n if (input.rails.stripe) {\n const stripeCfg = input.rails.stripe;\n const amountCents = Math.round(totalNum 100);\n const linkCliBlocked = amountCents > 50000;\n const productName = stripeCfg.productName ?? 'this purchase';\n const sptContext = `Purchasing \"${productName}\" via the agent commerce API. The user authorized this purchase through their AI agent for $${totalNum}; charge to be settled via shared payment token over the Machine Payments Protocol.`;\n const stripe: HowToPayStripeEntry = {\n prerequisite:\n 'Either your own Stripe account with Shared Payment Token acceptance, OR a Stripe Link wallet (any user with link.com).',\n instructions:\n 'Mint a SharedPaymentToken scoped to the profile_id advertised in accepted_methods, then submit via Authorization: Payment MPP header with method=stripe/charge.',\n };\n if (stripeCfg.profileId && !linkCliBlocked) {\n stripe.setup_link_cli = [\n 'npm install -g @stripe/link-cli # or use npx -y @stripe/link-cli for one-shot',\n 'link-cli auth login # one-time, opens your Link wallet',\n 'link-cli payment-methods list --output-json # copy a csmrpd_... id',\n ];\n stripe.command_link_cli = [\n `SPEND_ID=$(link-cli spend-request create --payment-method-id <csmrpd_id_from_payment_methods_list> --credential-type shared_payment_token --network-id ${stripeCfg.profileId} --amount ${amountCents} --context \"${sptContext}\" --request-approval --output-json \| jq -r .id)`,\n `link-cli mpp pay ${input.url} --spend-request-id $SPEND_ID --method POST --data '${input.retryBodyJson}' --header 'X-Operator-Token: ${opToken}' --output-json`,\n ];\n stripe.what_it_does_link_cli =\n 'Mints a one-time-use SharedPaymentToken scoped to this purchase (user approves in Link wallet), then submits it as the payment credential.';\n } else if (linkCliBlocked) {\n stripe.note = `link-cli SPT path not available for this purchase — Stripe link-cli caps spend requests at $500.00 ($50000 cents); your total is $${totalNum}. Use your own Stripe account with the SharedPaymentToken API instead.`;\n }\n block.stripe = stripe;\n }\n\n return block;\n}\n","import type { HowToPayBlock } from './how_to_pay';\n\n/** Map of rail key (e.g. 'x402_base', 'tempo_mpp', 'stripe') → list of client identifiers\n * that have been smoke-verified by the merchant against the protocol shape they emit.\n * Strings are display labels, not install commands — agents already get install commands\n * via `how_to_pay.<rail>.setup`. Use these as a \"what's known to work\" hint. /\nexport type CompatibleClients = Record<string, string[]>;\n\nexport interface BuildAgentInstructionsInput {\n /* Per-rail commands. Build with `buildHowToPay`. /\n howToPay: HowToPayBlock;\n /* Tool recommendations as human-readable strings. Defaults to a sensible set covering tempo + agentscore-pay. /\n recommendedTools?: string[];\n /* Wallet-stack compatibility note for the agent. Default: rail-neutral, no specific wallet stack required. /\n walletCompatibility?: string;\n /* How long the merchant will wait for payment after the 402. Default 300 (5 minutes). /\n timeoutSeconds?: number;\n /* Warnings about common footguns. Defaults include tempo wallet transfer + raw on-chain x402 deposits. /\n warnings?: string[];\n /* Additional warnings appended to the default protocol-footgun set. Use this when you want\n * to keep the SDK's protocol warnings AND add merchant-specific notes (e.g., a per-order\n * rail-availability message). Ignored when `warnings` is set explicitly. /\n extraWarnings?: string[];\n /* Recommended rail (e.g., 'tempo', 'x402_base'). Surfaced for agents to default to. /\n recommended?: string;\n /* Per-rail list of client names the merchant has verified work end-to-end. Vendors set\n * this from their own smoke matrix — defaults to none (avoids vouching for clients the\n * merchant has not tested). When omitted, the field is not emitted. /\n compatibleClients?: CompatibleClients;\n /* Arbitrary additional fields the vendor wants merged into the agent_instructions object. /\n extra?: Record<string, unknown>;\n}\n\nexport interface AgentInstructions {\n how_to_pay: HowToPayBlock;\n recommended_tools: string[];\n wallet_compatibility: string;\n timeout_seconds: number;\n warnings: string[];\n recommended?: string;\n compatible_clients?: CompatibleClients;\n [key: string]: unknown;\n}\n\nconst TEMPO_WARNING =\n 'Do NOT use `tempo wallet transfer`. That moves USDC on-chain without completing the protocol handshake, so the order will not complete. Use `tempo request` instead.';\n\nconst X402_WARNING =\n 'Do NOT send USDC manually to the deposit addresses. Use `agentscore-pay pay` so the credential is signed and submitted; otherwise the order will not complete even though the deposit lands.';\n\nconst TEMPO_TOOL = '`tempo request` for Tempo USDC';\nconst AGENTSCORE_PAY_TOOL = '`agentscore-pay` — Base + Solana + Tempo from one CLI';\n\nconst DEFAULT_WALLET_COMPATIBILITY =\n 'Any client that can produce a valid MPP credential (Authorization: Payment) or x402 X-Payment header. Use the CLI commands above; sign-it-yourself is also fine.';\n\nfunction defaultRecommendedTools(howToPay: HowToPayBlock): string[] {\n const tools: string[] = [];\n if (howToPay.tempo) tools.push(TEMPO_TOOL);\n if (howToPay.tempo \|\| howToPay.x402_base \|\| howToPay.solana_mpp) tools.push(AGENTSCORE_PAY_TOOL);\n return tools;\n}\n\nfunction defaultWarnings(howToPay: HowToPayBlock): string[] {\n const w: string[] = [];\n if (howToPay.tempo) w.push(TEMPO_WARNING);\n if (howToPay.x402_base) w.push(X402_WARNING);\n return w;\n}\n\n/\n Default `compatible_clients` derived from the rails declared in `howToPay`. Lists\n * clients the AgentScore team has smoke-verified end-to-end against an `@agent-score/commerce`\n * merchant; entries appear only for rails the vendor actually offers. Vendors override\n * this in `buildAgentInstructions({compatibleClients: {...}})` to add their own tested\n * clients or remove entries that don't fit their endpoint.\n \n Verified state as of the SDK release. The same data is also published as a docs page\n * for humans (rationale, per-rail commands, why some clients don't fully work, last\n * verified date) — this default keeps the merchant-side surface in sync.\n /\n/* Symbolic rail keys agent-facing surfaces use to talk about a rail without spelling out\n * network/scheme details. Same keys as `CompatibleClients` map keys. /\nexport type RailKey = 'tempo_mpp' \| 'x402_base' \| 'solana_mpp' \| 'stripe';\n\nconst RAIL_CLIENTS: Record<RailKey, readonly string[]> = {\n tempo_mpp: ['agentscore-pay', 'tempo request', 'x402-proxy'],\n x402_base: ['agentscore-pay', 'x402-proxy', 'purl (omit --network flag)'],\n solana_mpp: ['agentscore-pay'],\n stripe: ['link-cli'],\n};\n\n/* Returns the smoke-verified client list for a set of rail keys. The single source of\n * truth for \"which CLIs we've verified end-to-end on each rail\" — consumed both by the\n * 402-body builder (`defaultCompatibleClients`) and by discovery surfaces (skill.md,\n * llms.txt, etc.). Update here, every surface inherits. /\nexport function compatibleClientsByRails(rails: readonly RailKey[]): CompatibleClients \| undefined {\n const out: CompatibleClients = {};\n for (const r of rails) out[r] = [...RAIL_CLIENTS[r]];\n return Object.keys(out).length === 0 ? undefined : out;\n}\n\nfunction defaultCompatibleClients(howToPay: HowToPayBlock): CompatibleClients \| undefined {\n const rails: RailKey[] = [];\n if (howToPay.tempo) rails.push('tempo_mpp');\n if (howToPay.x402_base) rails.push('x402_base');\n if (howToPay.solana_mpp) rails.push('solana_mpp');\n if (howToPay.stripe) rails.push('stripe');\n return compatibleClientsByRails(rails);\n}\n\n/\n Build the agent_instructions object for the 402 body. Combines how_to_pay with\n * recommended tools, warnings, wallet-compatibility note, and timeout.\n \n Defaults adapt to the rails declared in `howToPay`: only tempo-relevant warnings/tools\n * appear if `howToPay.tempo` is set, only x402-relevant ones if `x402_base` is set.\n * Stripe-only merchants get neither rail-specific warning. Vendors override\n * `warnings`/`recommendedTools` for full control.\n /\nexport function buildAgentInstructions(input: BuildAgentInstructionsInput): AgentInstructions {\n const compatibleClients = input.compatibleClients ?? defaultCompatibleClients(input.howToPay);\n return {\n how_to_pay: input.howToPay,\n recommended_tools: input.recommendedTools ?? defaultRecommendedTools(input.howToPay),\n wallet_compatibility: input.walletCompatibility ?? DEFAULT_WALLET_COMPATIBILITY,\n timeout_seconds: input.timeoutSeconds ?? 300,\n warnings: input.warnings ?? [...defaultWarnings(input.howToPay), ...(input.extraWarnings ?? [])],\n ...(input.recommended ? { recommended: input.recommended } : {}),\n ...(compatibleClients ? { compatible_clients: compatibleClients } : {}),\n ...(input.extra ?? {}),\n };\n}\n","import {\n AgentScore,\n InvalidCredentialError,\n PaymentRequiredError,\n QuotaExceededError,\n TimeoutError as SdkTimeoutError,\n TokenExpiredError,\n} from '@agent-score/sdk';\nimport { isFixableDenial } from './_denial';\nimport { QUOTA_EXCEEDED_INSTRUCTIONS } from './_response';\nimport { normalizeAddress } from './address';\nimport { TTLCache } from './cache';\n\n// Character-based trim avoids a CodeQL polynomial-redos false positive on\n// `/\\/+$/` patterns that report library-input strings.\nfunction stripTrailingSlashes(s: string): string {\n let end = s.length;\n while (end > 0 && s.charCodeAt(end - 1) === 47 / '/' /) end--;\n return end === s.length ? s : s.slice(0, end);\n}\n\ndeclare const __VERSION__: string;\n\n// ---------------------------------------------------------------------------\n// Public types (framework-agnostic)\n// ---------------------------------------------------------------------------\n\nexport interface AgentIdentity {\n address?: string;\n operatorToken?: string;\n}\n\n/\n Session metadata returned from `POST /v1/sessions`. Surfaced to the `onBeforeSession`\n * hook so merchants can correlate an AgentScore session with their own resume token\n * (e.g. a pending-order id).\n /\nexport interface SessionMetadata {\n session_id: string;\n verify_url: string;\n poll_secret: string;\n poll_url: string;\n expires_at?: string;\n}\n\n/\n Configuration for auto-creating a verification session when no identity is present.\n \n The static `context` / `productName` options are sent on every session request. For\n * per-request context (e.g. the specific product the agent was trying to buy), pass\n * a `getSessionOptions` callback that returns dynamic values; its return is merged\n * over the static defaults.\n \n `onBeforeSession` is a side-effect hook that runs after the session is minted but\n * before the 403 is built. Use it to pre-create a reservation/draft/pending-order\n * row in your DB so agents can resume via a merchant-specific id. Return value is\n * merged into `DenialReason.extra`, so it surfaces in both the default 403 body and\n * in a custom `onDenied` handler.\n /\nexport interface CreateSessionOnMissing<TCtx = unknown> {\n apiKey: string;\n baseUrl?: string;\n context?: string;\n productName?: string;\n /* Per-request override of `context` / `productName`. Invoked with the framework context. /\n getSessionOptions?: (ctx: TCtx) => Promise<{ context?: string; productName?: string }>\n \| { context?: string; productName?: string };\n /* Side-effect hook that runs after the session is minted. Return value is merged\n * into `DenialReason.extra` so custom `onDenied` handlers can include merchant-specific\n * fields (e.g. `order_id`) in the 403 response. Hook errors are logged and swallowed —\n * a failing side effect should not block the 403 from reaching the agent. /\n onBeforeSession?: (ctx: TCtx, session: SessionMetadata) => Promise<Record<string, unknown>>\n \| Record<string, unknown>;\n}\n\nexport interface AgentScoreCoreOptions {\n /* AgentScore API key. Required. /\n apiKey: string;\n /* Require KYC verification. /\n requireKyc?: boolean;\n /* Require operator to be clear of sanctions. /\n requireSanctionsClear?: boolean;\n /* Minimum operator age bracket (18 or 21). /\n minAge?: number;\n /* List of blocked jurisdictions (blocklist). /\n blockedJurisdictions?: string[];\n /* List of allowed jurisdictions (allowlist — only these pass). /\n allowedJurisdictions?: string[];\n /* If true, allow the request through when the API is unreachable. Defaults to false. /\n failOpen?: boolean;\n /* How long to cache results, in seconds. Defaults to 300. /\n cacheSeconds?: number;\n /* AgentScore API base URL. Defaults to \"https://api.agentscore.sh\". /\n baseUrl?: string;\n /* Optional chain to filter scoring to. /\n chain?: string;\n /* Prepended to the default User-Agent as `\"{userAgent} (@agent-score/commerce@{version})\"`. Use to attribute API calls to your app. /\n userAgent?: string;\n /* When set and no identity is found, create a verification session instead of denying immediately. /\n createSessionOnMissing?: CreateSessionOnMissing;\n}\n\nexport type DenialCode =\n \| 'wallet_not_trusted'\n \| 'missing_identity'\n \| 'api_error'\n \| 'payment_required'\n \| 'identity_verification_required'\n // Wallet-signer binding: claimed X-Wallet-Address must resolve to the same operator as\n // the payment signer; wallet-auth is rejected on rails with no wallet signer.\n \| 'wallet_signer_mismatch'\n \| 'wallet_auth_requires_wallet_signing'\n // Granular credential-state denials passed through from /v1/assess.\n // - `token_expired`: revoked + TTL-expired (the API unifies these). The 401 body carries\n // an auto-minted session, forwarded into DenialReason for one-shot recovery.\n // - `invalid_credential`: the token doesn't exist at all (typo, never minted, fabricated).\n // No auto-session is minted by the API for this case — agents should switch to a\n // different stored token or drop the header to bootstrap a fresh session.\n \| 'token_expired'\n \| 'invalid_credential';\n\n/\n Cross-merchant pattern hint emitted on bootstrap denials and session-create responses.\n * LLM-hosted agents should persist this to long-term memory so future AgentScore encounters skip\n * the cold-start session flow. Contents are the pattern, not secrets.\n /\nexport interface AgentMemoryHint {\n save_for_future_agentscore_gates: true;\n pattern_summary: string;\n quickstart: string;\n identity_check_endpoint: string;\n list_wallets_endpoint?: string;\n identity_paths: { wallet: string; operator_token: string };\n bootstrap: string;\n do_not_persist_in_memory: string[];\n persist_in_credential_store: string[];\n}\n\nexport interface DenialReason {\n code: DenialCode;\n /* Human-readable explanation. When omitted, `denialReasonToBody` substitutes a per-code default. /\n message?: string;\n decision?: string;\n reasons?: string[];\n verify_url?: string;\n session_id?: string;\n poll_secret?: string;\n poll_url?: string;\n agent_instructions?: string;\n /* Cross-merchant memory hint. Emitted on bootstrap denials only by default. /\n agent_memory?: AgentMemoryHint;\n /* Full assess response when the denial came from `/v1/assess`. Lets consumers access fields\n * not promoted to first-class DenialReason properties (e.g., `policy_result`). Undefined for\n * denials that did not originate from an assess call (missing_identity, api_error,\n * payment_required, identity_verification_required). /\n data?: AssessResult;\n /* Extra fields returned from the `createSessionOnMissing.onBeforeSession` hook. Merged\n * into the default 403 body; custom `onDenied` handlers can spread these into their own\n * response shape (e.g. to include a merchant-minted `order_id`). /\n extra?: Record<string, unknown>;\n // ---------------------------------------------------------------------------\n // Wallet-signer-match fields — populated for wallet_signer_mismatch only.\n // ---------------------------------------------------------------------------\n /* Operator id resolved from `X-Wallet-Address`. /\n claimed_operator?: string;\n /* Operator id the actual payment signer resolves to. `null` when the signer wallet isn't\n * linked to any operator (treat as a different identity). /\n actual_signer_operator?: string \| null;\n /* The wallet the agent claimed via header. Echoed back for self-correction. /\n expected_signer?: string;\n /* The wallet that actually signed the payment. /\n actual_signer?: string;\n /* Wallets the claimed operator could sign with (if enumerable). Present when non-empty. /\n linked_wallets?: string[];\n}\n\n/* Operator verification details from the assess response. Mirrors python's\n * `OperatorVerification` dataclass. /\nexport interface OperatorVerification {\n level: string;\n operator_type: string \| null;\n verified_at: string \| null;\n}\n\n/* Account-level KYC facts that apply to every operator under the same account.\n * Populated when the API returns account_verification (post-KYC operator).\n * Mirrors python's account_verification dict shape. /\nexport interface AccountVerification {\n kyc_level?: string;\n sanctions_clear?: boolean;\n age_bracket?: string;\n jurisdiction?: string;\n verified_at?: string \| null;\n}\n\n/* A single policy check from the assess response. Mirrors python's `PolicyCheck`. /\nexport interface PolicyCheck {\n rule: string;\n passed: boolean;\n required?: unknown;\n actual?: unknown;\n}\n\n/* Policy evaluation result from the assess response. Mirrors python's `PolicyResult`. /\nexport interface PolicyResult {\n all_passed: boolean;\n checks: PolicyCheck[];\n}\n\nexport interface AssessResult {\n decision: string \| null;\n decision_reasons: string[];\n identity_method?: string;\n operator_verification?: OperatorVerification;\n account_verification?: AccountVerification;\n resolved_operator?: string \| null;\n /* Wallets linked to the same operator as the resolved identity. Capped at 100 entries\n * by the API. Useful for advertising in 402 challenges so wallet-auth agents know which\n * alt-signers will satisfy `wallet_signer_mismatch`. /\n linked_wallets?: string[];\n verify_url?: string;\n policy_result?: PolicyResult \| null;\n}\n\n/\n Reason a failOpen allow short-circuited an evaluate call due to AgentScore-side\n * infrastructure issues. Surfaced on `EvaluateOutcome` so merchants can log/alert when\n * their gate is running in degraded mode (compliance not actually enforced this request).\n \n - `quota_exceeded` — AgentScore returned 429\n * - `api_error` — AgentScore returned 5xx or non-2xx that isn't 429\n * - `network_timeout` — request to /v1/assess timed out or failed at the network layer\n /\nexport type FailOpenInfraReason = 'quota_exceeded' \| 'api_error' \| 'network_timeout';\n\n/* Per-account assess quota observability, captured from `X-Quota-` response headers\n on the success path. Mirrors the SDK's `QuotaInfo` shape — re-exported from gate state\n * so merchants can monitor approach-to-cap proactively (warn at 80%, alert at 95%). /\nexport interface GateQuotaInfo {\n limit: number \| null;\n used: number \| null;\n /* ISO-8601 timestamp, or the literal string `\"never\"` for unlimited tiers. /\n reset: string \| null;\n}\n\n/\n Outcome from `AgentScoreCore.evaluate()`. Adapters map this to framework-specific responses.\n \n - `{ kind: 'allow', data }` — the request passed the policy. `data` is present on a normal\n * allow; `undefined` when fail-open short-circuited (identity missing, API unreachable,\n * timeout, or 402 paid-tier required).\n * - When `failOpen: true` and the allow was the result of an AgentScore-side infrastructure\n * failure (429/5xx/timeout), the result also carries `degraded: true` + `infraReason` so\n * merchants can alert/log without parsing console output.\n * - `quota` propagates the SDK's per-request quota observability when the API emits the\n * `X-Quota-` headers. Optional; absent on Enterprise / unlimited tiers.\n - `{ kind: 'deny', reason }` — the request was denied. Adapters should render a 403 with the\n * reason, or invoke the caller's custom denial handler.\n /\nexport type EvaluateOutcome =\n \| { kind: 'allow'; data?: AssessResult; degraded?: boolean; infraReason?: FailOpenInfraReason; quota?: GateQuotaInfo }\n \| { kind: 'deny'; reason: DenialReason };\n\nexport interface CaptureWalletOptions {\n /* Operator credential (`opc_...`) that the agent authenticated with. /\n operatorToken: string;\n /* Signer wallet recovered from the payment payload. /\n walletAddress: string;\n /* Key-derivation family — `\"evm\"` for any EVM chain, `\"solana\"` for Solana. /\n network: 'evm' \| 'solana';\n /* Optional stable key for the logical payment (e.g., payment intent id, tx hash). When the\n * same key is seen again for the same (credential, wallet, network), the server no-ops —\n * prevents agent retries from inflating transaction_count. /\n idempotencyKey?: string;\n}\n\nexport interface VerifyWalletSignerMatchOptions {\n /* The wallet claimed via `X-Wallet-Address`. /\n claimedWallet: string;\n /* The signer wallet recovered from the payment credential. `null` means the rail carries\n * no wallet signer (SPT, card) — the helper returns `wallet_auth_requires_wallet_signing`. /\n signer: string \| null;\n /* Network of the signer. EVM covers every EVM chain; `solana` lives in its own namespace. /\n network?: 'evm' \| 'solana';\n}\n\nexport type VerifyWalletSignerResult =\n \| { kind: 'pass'; claimedOperator: string \| null; signerOperator: string \| null }\n \| {\n kind: 'wallet_signer_mismatch';\n claimedOperator: string \| null;\n actualSignerOperator: string \| null;\n expectedSigner: string;\n actualSigner: string;\n linkedWallets: string[];\n /* JSON-encoded action copy (action + steps + user_message). Spread into the 403 body\n * verbatim so agents get a concrete recovery path inside the denial response itself. /\n agentInstructions: string;\n }\n \| {\n kind: 'wallet_auth_requires_wallet_signing';\n claimedWallet: string;\n agentInstructions: string;\n }\n // Transient — the resolve call to /v1/assess failed or timed out. Caller should\n // retry or surface as 503. Distinct from wallet_signer_mismatch (which is an actual\n // security reject) so legitimate users don't get rejected on network flakes.\n \| { kind: 'api_error'; claimedWallet: string };\n\nexport interface AgentScoreCore {\n /\n Evaluate the request's identity against the configured policy.\n * @param identity - extracted identity (wallet address and/or operator token)\n * @param ctx - optional framework-specific context (Hono c, Express req, etc.) passed\n * through to `createSessionOnMissing` hooks. Opaque to core.\n /\n evaluate(identity: AgentIdentity \| undefined, ctx?: unknown): Promise<EvaluateOutcome>;\n /* Report a wallet seen paying under an operator credential. Fire-and-forget; silently\n * swallows non-fatal errors because capture is informational, not on the critical path. /\n captureWallet(options: CaptureWalletOptions): Promise<void>;\n /\n Verify the payment signer resolves to the same operator as the claimed `X-Wallet-Address`.\n \n Returns `pass` when the signer is linked to the same operator as the claimed wallet\n * (byte-equal wallets pass trivially; other wallets linked to the same operator also pass —\n * multi-wallet agents work without ergonomic pain). Returns `wallet_signer_mismatch` when\n * the signer resolves to a different (or no) operator. Returns `wallet_auth_requires_wallet_signing`\n * when the signer is `null` (SPT, card — rails that carry no wallet signature).\n \n Call this AFTER the gate evaluates (so the claimed wallet's operator is cached) and\n * AFTER the payment credential is parsed (so the signer is known). Merchants should call\n * it before settling payment.\n /\n verifyWalletSignerMatch(options: VerifyWalletSignerMatchOptions): Promise<VerifyWalletSignerResult>;\n}\n\n// ---------------------------------------------------------------------------\n// Internal types\n// ---------------------------------------------------------------------------\n\n/* Internal cache entry for the gate's per-`(identity, policy)` assess result memo.\n * Distinct from the public `AssessResult` interface (the typed `/v1/assess` response\n * shape returned to merchants); this carries the cached decision plus the per-signer\n * wallet-match sub-cache. /\ninterface CachedAssessResult {\n allow: boolean;\n decision?: string;\n reasons?: string[];\n raw?: unknown;\n // Per-signer wallet-match verdicts cached from prior verifyWalletSignerMatch() calls\n // for this same claimed wallet. Each signer gets its own slot so two payments under\n // the same claimed identity but from different signer wallets don't serve stale\n // verdicts to each other. Verdicts come from the API's `signer_match` response field\n // (populated when the assess request carried `resolve_signer`), so reading a hit\n // skips the round-trip altogether.\n signerMatchBySigner?: Map<string, Record<string, unknown>>;\n}\n\n/\n Build the cross-merchant memory hint emitted on bootstrap denials. Base URLs are\n * derived from the gate's AgentScore API base so self-hosted / staging deployments get\n * correct pointers. Contents describe the AgentScore identity substrate in transferable\n * terms; merchant-specific context lives in other `agent_instructions` fields.\n /\n// Canonical production AgentScore API — used as the authoritative source for endpoint pointers\n// emitted to agent memory regardless of how a given merchant configured their gate's baseUrl.\nconst CANONICAL_AGENTSCORE_API = 'https://api.agentscore.sh';\n\n// JSON-encoded action copy emitted on wallet-signer-match denials. Spread into 403 bodies\n// by merchants so agents get a concrete recovery path inside the denial response itself —\n// no discovery-doc round trip required.\nconst WALLET_SIGNER_MISMATCH_INSTRUCTIONS = JSON.stringify({\n action: 'resign_or_switch_to_operator_token',\n steps: [\n 'Preferred: re-submit the payment signed by expected_signer (or any entry in linked_wallets — same-operator wallets are fungible) and retry with the same X-Wallet-Address.',\n 'Alternative: drop X-Wallet-Address and retry with X-Operator-Token. Use a stored opc_... if you have one; otherwise retry this request with NO identity header — the merchant will mint a verification session in the 403 body (verify_url + poll_secret). Share verify_url with the user, poll, receive a fresh opc_...',\n ],\n user_message:\n 'The payment signer resolves to a different operator than X-Wallet-Address. Re-sign from expected_signer or any linked_wallets entry, or switch to X-Operator-Token.',\n});\n\nconst WALLET_AUTH_REQUIRES_WALLET_SIGNING_INSTRUCTIONS = JSON.stringify({\n action: 'switch_to_operator_token',\n steps: [\n 'This payment rail (Stripe SPT, card) carries no wallet signature — X-Wallet-Address cannot be verified against the payment.',\n 'Drop X-Wallet-Address and retry with X-Operator-Token. If you do not have a stored opc_..., retry with no identity header to receive a verification session.',\n ],\n user_message:\n 'Wallet-address identity is only supported on wallet-signing rails (Tempo MPP, x402). On Stripe or card, use X-Operator-Token instead.',\n});\n\n// `invalid_credential` is permanent — the token doesn't exist (typo, never minted, fabricated).\n// Distinct from `token_expired` (which carries an auto-session for one-shot recovery): the\n// API doesn't auto-mint a session here because the client may simply have a different valid\n// token to try. Agents should switch tokens or drop the header to bootstrap a session.\nconst INVALID_CREDENTIAL_INSTRUCTIONS = JSON.stringify({\n action: 'switch_token_or_restart_session',\n steps: [\n 'The X-Operator-Token you sent does not match any credential. This is a permanent state — retrying with the same token will keep failing.',\n 'If you have other stored opc_... credentials, retry with one of them.',\n 'Otherwise drop X-Operator-Token and retry with no identity header — the merchant will mint a fresh verification session in the 403 body (verify_url + poll_secret) so the user can re-verify and you can poll for a new operator_token.',\n ],\n user_message:\n 'The operator_token is not recognized. Use a different stored token, or restart the verification session flow to mint a new one.',\n});\n\nexport function buildAgentMemoryHint(): AgentMemoryHint {\n // Memory pointers always point at the canonical production API — merchants must not be\n // able to redirect the cross-merchant memory surface, since that would be a phishing\n // vector for the verify URL.\n const api = CANONICAL_AGENTSCORE_API;\n return {\n save_for_future_agentscore_gates: true,\n pattern_summary:\n 'AgentScore is a cross-merchant identity substrate for agent commerce. Any endpoint that ' +\n 'returns 403 missing_identity / identity_verification_required or 402 challenges referencing AgentScore uses ' +\n 'the same identity system. One KYC works across all AgentScore merchants — no re-verification ' +\n 'per site. Save this pattern (and the endpoints below) to persistent memory so future ' +\n 'AgentScore encounters skip the cold-start session flow.',\n quickstart: 'https://docs.agentscore.sh/guides/agent-identity',\n identity_check_endpoint: `${api}/v1/credentials`,\n identity_paths: {\n wallet:\n 'If paying from a crypto wallet you have used before on any AgentScore merchant, send ' +\n '`X-Wallet-Address: 0x...`. Shortest path; no token lifecycle to manage.',\n operator_token:\n 'For any rail (Stripe SPT, card, or a wallet you have not linked yet), send ' +\n '`X-Operator-Token: opc_...`. Reusable across merchants until the token expires.',\n },\n bootstrap:\n 'If you have neither a linked wallet nor a valid operator_token, follow the session/verify ' +\n 'flow in the per-request `agent_instructions` block. This happens at most once per agent ' +\n 'identity — after first verification, the operator_token and any subsequently used wallet ' +\n 'are reusable everywhere.',\n do_not_persist_in_memory: ['operator_token', 'poll_secret'],\n persist_in_credential_store: ['operator_token'],\n };\n}\n\n// ---------------------------------------------------------------------------\n// Core factory\n// ---------------------------------------------------------------------------\n\nexport function createAgentScoreCore(options: AgentScoreCoreOptions): AgentScoreCore {\n if (!options.apiKey) {\n throw new Error('AgentScore API key is required. Get one at https://agentscore.sh/sign-up');\n }\n\n const {\n apiKey,\n requireKyc,\n requireSanctionsClear,\n minAge,\n blockedJurisdictions,\n allowedJurisdictions,\n failOpen = false,\n cacheSeconds = 300,\n baseUrl: rawBaseUrl = 'https://api.agentscore.sh',\n chain: gateChain,\n userAgent,\n createSessionOnMissing,\n } = options;\n\n const baseUrl = stripTrailingSlashes(rawBaseUrl);\n const agentMemoryHint = buildAgentMemoryHint();\n\n const defaultUa = `@agent-score/commerce@${__VERSION__}`;\n const userAgentHeader = userAgent ? `${userAgent} (${defaultUa})` : defaultUa;\n\n // Single shared SDK instance for every API call this gate makes (assess, sessions,\n // credentials/wallets, telemetry). Connection pooling + typed-error classification +\n // X-Quota- header capture all flow through here. The SDK owns the transport layer\n // (timeouts, retry-on-429); the gate adds policy semantics on top. Pass the\n // merchant-prefixed UA — SDK appends its own default to produce a chain like\n // `<merchant-app> (@agent-score/commerce@<v>) (@agent-score/sdk@<v>)`.\n const sdk = new AgentScore({ apiKey, baseUrl, userAgent: userAgentHeader });\n\n // createSessionOnMissing can carry its own apiKey + baseUrl (merchants sometimes wire\n // a session-only key for this hook). Lazily build a separate SDK instance keyed on\n // (apiKey, baseUrl) so we don't construct a new client per request.\n const sessionSdkCache = new Map<string, AgentScore>();\n function getSessionSdk(sessionApiKey: string, sessionBaseUrl?: string): AgentScore {\n const key = `${sessionApiKey}\|${sessionBaseUrl ?? ''}`;\n let s = sessionSdkCache.get(key);\n if (!s) {\n s = new AgentScore({\n apiKey: sessionApiKey,\n baseUrl: sessionBaseUrl ?? baseUrl,\n userAgent: userAgentHeader,\n });\n sessionSdkCache.set(key, s);\n }\n return s;\n }\n\n const cache = new TTLCache<CachedAssessResult>(cacheSeconds * 1000);\n\n // Mint a verification session via /v1/sessions and return the resulting\n // identity_verification_required DenialReason — or undefined if the mint failed (network\n // error, non-2xx, missing fields). Used for both the missing-identity path and the\n // fixable-wallet bootstrap path: in both cases the UX is identical (agent polls the\n // returned poll_url until it gets a fresh opc_... and retries).\n async function tryMintSessionDenial(ctx: unknown): Promise<DenialReason \| undefined> {\n if (!createSessionOnMissing) return undefined;\n try {\n const sessionBody: { context?: string; product_name?: string } = {};\n if (createSessionOnMissing.context != null) sessionBody.context = createSessionOnMissing.context;\n if (createSessionOnMissing.productName != null) sessionBody.product_name = createSessionOnMissing.productName;\n\n if (createSessionOnMissing.getSessionOptions && ctx !== undefined) {\n try {\n const dynamic = await createSessionOnMissing.getSessionOptions(ctx);\n if (dynamic?.context != null) sessionBody.context = dynamic.context;\n if (dynamic?.productName != null) sessionBody.product_name = dynamic.productName;\n } catch (err) {\n console.warn('[gate] createSessionOnMissing.getSessionOptions hook failed:', err instanceof Error ? err.message : err);\n }\n }\n\n // createSessionOnMissing.apiKey may differ from the gate's apiKey (e.g. merchant\n // wires a session-only key for this hook). Build a per-config SDK lazily.\n const sessionSdk = getSessionSdk(createSessionOnMissing.apiKey, createSessionOnMissing.baseUrl);\n const data = (await sessionSdk.createSession({\n ...(sessionBody.context !== undefined ? { context: sessionBody.context } : {}),\n ...(sessionBody.product_name !== undefined ? { product_name: sessionBody.product_name } : {}),\n })) as unknown as Record<string, unknown>;\n\n // Validate required fields before trusting the response. A misbehaving (or mocked-wrong)\n // API could 200 without session_id/poll_secret/verify_url, which would propagate\n // `undefined` into the 403 body and leave the agent stuck — treat as session-create\n // failure and fall back to the caller's bare denial.\n if (\n typeof data.session_id !== 'string' \|\|\n typeof data.poll_secret !== 'string' \|\|\n typeof data.verify_url !== 'string'\n ) {\n console.warn('[gate] /v1/sessions returned 200 without required fields — falling back to bare denial');\n return undefined;\n }\n\n // Run onBeforeSession side-effect hook. Errors are swallowed — a failing DB write\n // (e.g. can't insert pending order) should not block the 403.\n let extra: Record<string, unknown> \| undefined;\n if (createSessionOnMissing.onBeforeSession && ctx !== undefined) {\n try {\n const sessionMeta = {\n session_id: data.session_id as string,\n verify_url: data.verify_url as string,\n poll_secret: data.poll_secret as string,\n poll_url: data.poll_url as string,\n expires_at: data.expires_at as string \| undefined,\n };\n const result = await createSessionOnMissing.onBeforeSession(ctx, sessionMeta);\n if (result && typeof result === 'object') extra = result;\n } catch (err) {\n console.warn('[gate] createSessionOnMissing.onBeforeSession hook failed:', err instanceof Error ? err.message : err);\n }\n }\n\n // The API emits `next_steps` (structured object) on /v1/sessions success. Stringify it\n // into the gate's `agent_instructions` contract so merchants get the same JSON-encoded\n // {action, steps, user_message} envelope as every other gate-emitted denial.\n const apiNextSteps = data.next_steps as Record<string, unknown> \| undefined;\n return {\n code: 'identity_verification_required',\n verify_url: data.verify_url as string,\n session_id: data.session_id as string,\n poll_secret: data.poll_secret as string,\n poll_url: data.poll_url as string \| undefined,\n agent_instructions: apiNextSteps ? JSON.stringify(apiNextSteps) : undefined,\n agent_memory: agentMemoryHint,\n ...(extra && { extra }),\n };\n } catch (err) {\n // Session-mint failed (network, /v1/sessions returned non-2xx, body parse error,\n // onBeforeSession threw inside the inner try). Caller falls back to a bare denial —\n // agents still get a 403 with a probe-strategy hint. Log loudly so a persistent\n // /v1/sessions outage isn't masked.\n console.warn('[gate] createSessionOnMissing path failed — falling back to bare denial:', err instanceof Error ? err.message : err);\n return undefined;\n }\n }\n\n async function evaluate(identity: AgentIdentity \| undefined, ctx?: unknown): Promise<EvaluateOutcome> {\n // Treat \"returned identity object with no usable fields\" the same as \"no identity at all\" —\n // otherwise a misbehaving custom extractIdentity would send an empty body to /v1/assess.\n if (!identity \|\| (!identity.address && !identity.operatorToken)) {\n // failOpen short-circuits BEFORE the session mint. This branch isn't an infra failure\n // (no AgentScore call has been made yet) so we don't mark the gate state as degraded —\n // missing identity + failOpen is the explicit opt-in pass-through behavior, not a\n // graceful-degradation event. Merchants who need identity-or-deny on a failOpen gate\n // should add a guard at the handler that checks for X-Wallet-Address / X-Operator-Token\n // before reading the gate state.\n if (failOpen) return { kind: 'allow' };\n\n const sessionReason = await tryMintSessionDenial(ctx);\n if (sessionReason) return { kind: 'deny', reason: sessionReason };\n\n // Bare missing-identity denial (no session was auto-created). Describe the probe\n // strategy so agents without memory can recover: try wallet first on signing rails,\n // fall back to stored opc_..., fall back to session flow (noting that only\n // auto-session merchants return verify_url + poll data on the retry).\n const missingIdentityInstructions = JSON.stringify({\n action: 'probe_identity_then_session',\n steps: [\n 'If you have a wallet AND this merchant accepts a wallet-signing rail (Tempo MPP or x402 — see openapi.json x-payment-info): send X-Wallet-Address and retry. If the wallet is already linked to an AgentScore operator (via prior SIWE claim or prior captureWallet), this passes in one round trip. If the wallet is unlinked or the account has no KYC, the 403 will include a verify_url — share it with the user to claim the wallet + complete KYC, then retry.',\n 'If step 1 is denied or you already have a stored operator_token (valid + not expired): send X-Operator-Token: opc_... and retry.',\n 'If neither applies: retry with NO identity header. Merchants that auto-create verification sessions (most AgentScore merchants do) return verify_url + session_id + poll_secret in the 403 body — share verify_url with the user, then poll poll_url every 5s with the X-Poll-Secret header until status=verified (the poll returns a one-time operator_token). If the retry returns the same bare 403, this merchant does not support self-service session bootstrapping — direct the user to https://agentscore.sh/sign-up to create an AgentScore identity and mint an operator_token from their dashboard (https://agentscore.sh/dashboard/verify). The user hands the opc_... to you, and you retry with X-Operator-Token.',\n ],\n user_message:\n 'Try X-Wallet-Address first if you have a wallet and the merchant accepts Tempo/x402; fall back to a stored X-Operator-Token, then to the session/verify flow described in agent_memory.bootstrap.',\n });\n return {\n kind: 'deny',\n reason: {\n code: 'missing_identity',\n agent_instructions: missingIdentityInstructions,\n agent_memory: agentMemoryHint,\n },\n };\n }\n\n // operator_token is opaque + ASCII-only — lowercasing is safe. Wallet addresses go\n // through normalizeAddress because Solana base58 is case-sensitive and lowercasing\n // would corrupt the cache key (a Solana cache miss every time, plus collision risk\n // with mixed-case variants of the same operator).\n const cacheKey = identity.operatorToken?.toLowerCase() ?? (identity.address ? normalizeAddress(identity.address) : '');\n\n const cached = cache.get(cacheKey);\n if (cached) {\n if (cached.allow) {\n const cachedRaw = cached.raw as Record<string, unknown> \| undefined;\n const cachedQuota = cachedRaw?.quota as GateQuotaInfo \| undefined;\n return {\n kind: 'allow',\n data: cachedRaw as unknown as AssessResult,\n ...(cachedQuota !== undefined && { quota: cachedQuota }),\n };\n }\n // Fixable compliance denials (kyc_required, kyc_pending, kyc_failed) get the\n // same UX as missing_identity: mint a fresh verification session, agent polls\n // until status=verified, gets a fresh opc_..., retries. Unfixable reasons\n // (sanctions_flagged, age_insufficient, jurisdiction_restricted) keep the bare\n // wallet_not_trusted denial. `jurisdiction_restricted` is unfixable: the API\n // only emits it after KYC is verified (the user's KYC'd country is in the\n // blocked list — re-doing KYC won't change the country).\n if (isFixableDenial(cached.reasons)) {\n const sessionReason = await tryMintSessionDenial(ctx);\n if (sessionReason) return { kind: 'deny', reason: sessionReason };\n }\n return {\n kind: 'deny',\n reason: {\n code: 'wallet_not_trusted',\n decision: cached.decision,\n reasons: cached.reasons,\n verify_url: (cached.raw as Record<string, unknown> \| undefined)?.verify_url as string \| undefined,\n data: cached.raw as AssessResult \| undefined,\n },\n };\n }\n\n const policy: Record<string, unknown> = {};\n if (requireKyc != null) policy.require_kyc = requireKyc;\n if (requireSanctionsClear != null) policy.require_sanctions_clear = requireSanctionsClear;\n if (minAge != null) policy.min_age = minAge;\n if (blockedJurisdictions != null) policy.blocked_jurisdictions = blockedJurisdictions;\n if (allowedJurisdictions != null) policy.allowed_jurisdictions = allowedJurisdictions;\n\n let data: Record<string, unknown>;\n try {\n // Single SDK call: typed-error subclasses (PaymentRequiredError / TokenExpiredError /\n // InvalidCredentialError / QuotaExceededError / TimeoutError) flow through the\n // catch below; success path captures `quota` from X-Quota-* headers automatically.\n const opts = {\n chain: gateChain,\n ...(Object.keys(policy).length > 0 ? { policy: policy as never } : {}),\n };\n // SDK has two overloads — narrow by which identity is set so TS picks the right one.\n const result = identity.address\n ? await sdk.assess(identity.address, { ...opts, operatorToken: identity.operatorToken })\n : await sdk.assess(null, { ...opts, operatorToken: identity.operatorToken! });\n data = result as unknown as Record<string, unknown>;\n } catch (err) {\n if (err instanceof PaymentRequiredError) {\n if (failOpen) return { kind: 'allow' };\n return { kind: 'deny', reason: { code: 'payment_required' } };\n }\n if (err instanceof TokenExpiredError) {\n // SDK extracts the auto-minted session fields onto the error instance — no body\n // re-parsing needed here.\n return {\n kind: 'deny',\n reason: {\n code: 'token_expired',\n data: err.details as unknown as AssessResult,\n ...(err.verifyUrl ? { verify_url: err.verifyUrl } : {}),\n ...(err.sessionId ? { session_id: err.sessionId } : {}),\n ...(err.pollSecret ? { poll_secret: err.pollSecret } : {}),\n ...(err.pollUrl ? { poll_url: err.pollUrl } : {}),\n ...(err.nextSteps ? { agent_instructions: JSON.stringify(err.nextSteps) } : {}),\n ...(err.agentMemory ? { agent_memory: err.agentMemory as AgentMemoryHint } : {}),\n },\n };\n }\n if (err instanceof InvalidCredentialError) {\n // Permanent — no auto-session, agent should switch tokens or restart.\n return {\n kind: 'deny',\n reason: {\n code: 'invalid_credential',\n agent_instructions: INVALID_CREDENTIAL_INSTRUCTIONS,\n agent_memory: agentMemoryHint,\n },\n };\n }\n if (err instanceof QuotaExceededError) {\n console.warn('[gate] /v1/assess returned 429 quota_exceeded');\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'quota_exceeded' };\n return {\n kind: 'deny',\n reason: { code: 'api_error', agent_instructions: QUOTA_EXCEEDED_INSTRUCTIONS },\n };\n }\n if (err instanceof SdkTimeoutError) {\n console.warn('[gate] /v1/assess timed out:', err.message);\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'network_timeout' };\n return { kind: 'deny', reason: { code: 'api_error' } };\n }\n // Status-based fallbacks for AgentScoreError instances the SDK couldn't classify\n // into a typed subclass (e.g. 429 with body that lacked error.code, or a fetch\n // rejection whose .name doesn't match AbortError but whose status code is set).\n // The real API always emits error.code on 429, so this is purely defensive.\n const status = (err as { status?: number } \| null)?.status;\n const errName = err instanceof Error ? err.name : '';\n if (status === 429) {\n console.warn('[gate] /v1/assess returned 429 (untyped — defensive)');\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'quota_exceeded' };\n return {\n kind: 'deny',\n reason: { code: 'api_error', agent_instructions: QUOTA_EXCEEDED_INSTRUCTIONS },\n };\n }\n if (errName === 'TimeoutError' \|\| errName === 'AbortError') {\n console.warn('[gate] /v1/assess timed out (by Error.name):', err instanceof Error ? err.message : err);\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'network_timeout' };\n return { kind: 'deny', reason: { code: 'api_error' } };\n }\n // Generic AgentScoreError (rate_limited, 5xx, network_error, body parse, unknown 4xx)\n // or any non-AgentScoreError unexpected throw — surface as api_error.\n // Include the SDK-classified error code (when available) so ops/dev see\n // schema-drift cases like a new 401 error.code rather than a silent 503.\n const errCode = (err as { code?: string } \| null)?.code;\n const msg = err instanceof Error ? err.message : String(err);\n const detail = errCode ? `${errCode}: ${msg}` : msg;\n console.warn(`[gate] /v1/assess call failed — surfacing as api_error: ${detail}`);\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'api_error' };\n return { kind: 'deny', reason: { code: 'api_error' } };\n }\n\n const decision = data.decision as string \| null \| undefined;\n const decisionReasons = (data.decision_reasons as string[]) ?? [];\n const allow = decision === 'allow' \|\| decision == null;\n\n cache.set(cacheKey, { allow, decision: decision ?? undefined, reasons: decisionReasons, raw: data });\n\n if (allow) {\n // SDK populates `quota` on the assess response from X-Quota-* headers when the\n // API emits them. Surface up to the adapter so merchants can monitor approach-to-cap.\n const quota = data.quota as GateQuotaInfo \| undefined;\n return {\n kind: 'allow',\n data: data as unknown as AssessResult,\n ...(quota !== undefined && { quota }),\n };\n }\n\n // Fixable compliance denials (kyc_required, kyc_pending, kyc_failed) get the\n // same UX as missing_identity: mint a fresh verification session, agent polls\n // until status=verified, gets a fresh opc_..., retries. Unfixable reasons\n // (sanctions_flagged, age_insufficient, jurisdiction_restricted) keep the bare\n // wallet_not_trusted denial. `jurisdiction_restricted` is unfixable: the API\n // only emits it after KYC is verified (the user's KYC'd country is in the\n // blocked list — re-doing KYC won't change the country).\n if (isFixableDenial(decisionReasons)) {\n const sessionReason = await tryMintSessionDenial(ctx);\n if (sessionReason) return { kind: 'deny', reason: sessionReason };\n }\n\n return {\n kind: 'deny',\n reason: {\n code: 'wallet_not_trusted',\n decision: decision ?? undefined,\n reasons: decisionReasons,\n verify_url: data.verify_url as string \| undefined,\n data: data as unknown as AssessResult,\n },\n };\n }\n\n async function captureWallet(options: CaptureWalletOptions): Promise<void> {\n try {\n await sdk.associateWallet({\n operatorToken: options.operatorToken,\n walletAddress: options.walletAddress,\n network: options.network,\n ...(options.idempotencyKey ? { idempotencyKey: options.idempotencyKey } : {}),\n });\n } catch (err) {\n // Fire-and-forget: don't throw. Log so a persistent capture outage is visible\n // to merchant ops — otherwise wallet↔operator linkage silently stops.\n console.warn('[agentscore-commerce] captureWallet failed:', err instanceof Error ? err.message : err);\n }\n }\n\n /*\n Resolve a wallet to its operator id via /v1/assess.\n \n Returns:\n * - `{ ok: true, operator: <id> }` — wallet is linked to that operator\n * - `{ ok: true, operator: null }` — wallet is valid but not linked to any operator\n * - `{ ok: false }` — the API call failed (network, timeout, non-2xx). Distinguishable so\n * callers can emit `api_error` instead of falsely asserting \"no operator linked\".\n \n Checks the main evaluate() cache before making a fresh call — if the gate already\n * resolved this wallet during identity evaluation, we have the resolved_operator already.\n /\n async function resolveWalletToOperator(\n walletAddress: string,\n ): Promise<{ ok: true; operator: string \| null; linkedWallets: string[] } \| { ok: false }> {\n // Network-aware: lowercases EVM, preserves Solana base58 case. The DB stores both\n // formats verbatim in operator_credential_wallets.wallet_address; lowercasing a\n // Solana address would never match.\n const wallet = normalizeAddress(walletAddress);\n\n // Cache lookup — first the plain cache (populated by evaluate() for identity-headered wallets).\n // Saves a second /v1/assess call when the gate already looked up this wallet.\n const extractFromCached = (raw: Record<string, unknown>): { operator: string \| null; linkedWallets: string[] } => {\n const op = raw.resolved_operator;\n const links = raw.linked_wallets;\n return {\n operator: typeof op === 'string' ? op : null,\n linkedWallets: Array.isArray(links) ? (links as unknown[]).filter((w): w is string => typeof w === 'string') : [],\n };\n };\n\n const plainCached = cache.get(wallet);\n if (plainCached?.raw) {\n return { ok: true, ...extractFromCached(plainCached.raw as Record<string, unknown>) };\n }\n const resolveCached = cache.get(`resolve:${wallet}`);\n if (resolveCached?.raw) {\n return { ok: true, ...extractFromCached(resolveCached.raw as Record<string, unknown>) };\n }\n\n try {\n const data = (await sdk.assess(walletAddress)) as unknown as Record<string, unknown>;\n cache.set(`resolve:${wallet}`, { allow: true, raw: data });\n return { ok: true, ...extractFromCached(data) };\n } catch (err) {\n // Network/timeout/parse on the wallet→operator resolve path. Caller maps\n // `{ok:false}` to `wallet_signer_mismatch.kind === 'api_error'`, which already\n // surfaces as 503 — but log here too so multi-wallet match failures aren't\n // silently indistinguishable from \"operator simply has no linked wallet\".\n console.warn('[gate] resolveWalletToOperator failed — returning { ok:false }:', err instanceof Error ? err.message : err);\n return { ok: false };\n }\n }\n\n function reportSignerEvent(kind: 'pass' \| 'wallet_signer_mismatch' \| 'wallet_auth_requires_wallet_signing' \| 'api_error'): void {\n // Fire-and-forget: surfaces mismatch-catch rate + api_error SLO on the dashboard.\n // SDK's telemetrySignerMatch already does the catch + warn-log internally; this\n // call must not affect the gate's decision so we don't await.\n void sdk.telemetrySignerMatch({ kind });\n }\n\n // Project the API's signer_match block onto the gate's VerifyWalletSignerResult shape.\n // The API authors agent_instructions, claimed/signer operators, and the linked-wallet\n // set (deny-guarded server-side); the gate just shapes those fields into camelCase.\n function projectSignerMatch(\n sm: Record<string, unknown>,\n claimedNorm: string,\n signerNorm: string,\n ): VerifyWalletSignerResult {\n const kind = sm.kind as string;\n if (kind === 'pass') {\n return {\n kind: 'pass',\n claimedOperator: (sm.claimed_operator as string \| null \| undefined) ?? null,\n signerOperator: (sm.signer_operator as string \| null \| undefined) ?? null,\n };\n }\n if (kind === 'wallet_auth_requires_wallet_signing') {\n return {\n kind: 'wallet_auth_requires_wallet_signing',\n claimedWallet: (sm.claimed_wallet as string \| undefined) ?? claimedNorm,\n agentInstructions:\n (sm.agent_instructions as string \| undefined) ?? WALLET_AUTH_REQUIRES_WALLET_SIGNING_INSTRUCTIONS,\n };\n }\n // Default: wallet_signer_mismatch\n const linked = sm.linked_wallets;\n return {\n kind: 'wallet_signer_mismatch',\n claimedOperator: (sm.claimed_operator as string \| null \| undefined) ?? null,\n actualSignerOperator: (sm.signer_operator as string \| null \| undefined) ?? null,\n expectedSigner: (sm.expected_signer as string \| undefined) ?? claimedNorm,\n actualSigner: (sm.actual_signer as string \| undefined) ?? signerNorm,\n linkedWallets: Array.isArray(linked)\n ? (linked as unknown[]).filter((w): w is string => typeof w === 'string')\n : [],\n agentInstructions:\n (sm.agent_instructions as string \| undefined) ?? WALLET_SIGNER_MISMATCH_INSTRUCTIONS,\n };\n }\n\n async function verifyWalletSignerMatch(\n options: VerifyWalletSignerMatchOptions,\n ): Promise<VerifyWalletSignerResult> {\n const { claimedWallet, signer, network } = options;\n\n if (!signer) {\n reportSignerEvent('wallet_auth_requires_wallet_signing');\n return {\n kind: 'wallet_auth_requires_wallet_signing',\n claimedWallet,\n agentInstructions: WALLET_AUTH_REQUIRES_WALLET_SIGNING_INSTRUCTIONS,\n };\n }\n\n // Network-aware normalization: lowercase EVM, preserve Solana base58. The byte-equal\n // short-circuit and downstream cache-key derivation MUST match how the DB stores\n // wallets; lowercasing Solana would corrupt both.\n const claimedNorm = normalizeAddress(claimedWallet);\n const signerNorm = normalizeAddress(signer);\n\n // Byte-equal short-circuit — no API lookup; same wallet ≡ same operator by definition.\n if (claimedNorm === signerNorm) {\n reportSignerEvent('pass');\n return { kind: 'pass', claimedOperator: null, signerOperator: null };\n }\n\n // Cache hit — a prior call for this same (claimed, signer) pair already populated\n // signer_match. Skip the round trip + telemetry post (the API recorded it the first\n // time). Subsequent same-pair payments cost zero outbound assess calls.\n const cachedEntry = cache.get(claimedNorm);\n const cachedMatch = cachedEntry?.signerMatchBySigner?.get(signerNorm);\n if (cachedMatch) {\n return projectSignerMatch(cachedMatch, claimedNorm, signerNorm);\n }\n\n // Single fresh assess call carrying resolve_signer. Server-side resolves both wallets\n // against the operator graph and returns a signer_match verdict in the response —\n // collapses the legacy 2 follow-up calls (one per wallet) into one round trip.\n const inferredNetwork: 'evm' \| 'solana' = network ?? (signerNorm.startsWith('0x') ? 'evm' : 'solana');\n let assessResponse: { signer_match?: Record<string, unknown> } & Record<string, unknown>;\n try {\n assessResponse = (await sdk.assess(claimedNorm, {\n resolveSigner: { address: signerNorm, network: inferredNetwork },\n })) as unknown as { signer_match?: Record<string, unknown> } & Record<string, unknown>;\n } catch (err) {\n console.warn('[gate] verifyWalletSignerMatch assess failed:', err instanceof Error ? err.message : err);\n reportSignerEvent('api_error');\n return { kind: 'api_error', claimedWallet: claimedNorm };\n }\n\n const signerMatch = assessResponse.signer_match;\n if (signerMatch && typeof signerMatch === 'object') {\n // Cache for repeat same-pair lookups. Server-side already recorded telemetry for\n // this verdict, so skip the SDK-side reportSignerEvent — avoids double-counting.\n if (cachedEntry) {\n // Mutate the existing entry in place — TTLCache.get() returns a reference, so the\n // store's record sees the new sub-map without a `set()` call. This preserves the\n // gate's original cache TTL window (set() would reset it forward, causing the\n // gate verdict to be served past its intended freshness horizon).\n const map = cachedEntry.signerMatchBySigner ?? new Map<string, Record<string, unknown>>();\n map.set(signerNorm, signerMatch);\n cachedEntry.signerMatchBySigner = map;\n } else {\n // No prior gate cache for this wallet — create a fresh entry with the verdict\n // attached so a subsequent same-pair call hits cache.\n const entry: CachedAssessResult = { allow: true, raw: assessResponse };\n entry.signerMatchBySigner = new Map([[signerNorm, signerMatch]]);\n cache.set(claimedNorm, entry);\n }\n return projectSignerMatch(signerMatch, claimedNorm, signerNorm);\n }\n\n // API response had no signer_match (server didn't compute one). Fall back to the\n // 2-resolve path so the gate still produces a verdict.\n const [claimedResolve, signerResolve] = await Promise.all([\n resolveWalletToOperator(claimedNorm),\n resolveWalletToOperator(signerNorm),\n ]);\n\n if (!claimedResolve.ok \|\| !signerResolve.ok) {\n reportSignerEvent('api_error');\n return { kind: 'api_error', claimedWallet: claimedNorm };\n }\n\n const claimedOperator = claimedResolve.operator;\n const signerOperator = signerResolve.operator;\n\n if (claimedOperator && signerOperator && claimedOperator === signerOperator) {\n reportSignerEvent('pass');\n return { kind: 'pass', claimedOperator, signerOperator };\n }\n\n reportSignerEvent('wallet_signer_mismatch');\n return {\n kind: 'wallet_signer_mismatch',\n claimedOperator,\n actualSignerOperator: signerOperator,\n expectedSigner: claimedNorm,\n actualSigner: signerNorm,\n linkedWallets: claimedResolve.linkedWallets,\n agentInstructions: WALLET_SIGNER_MISMATCH_INSTRUCTIONS,\n };\n }\n\n return { evaluate, captureWallet, verifyWalletSignerMatch };\n}\n","/\n Shared DenialReason → response body serialization for all adapters.\n \n Keeps Hono / Express / Fastify / Web / Next.js defaults aligned — a field added\n * here shows up in every adapter's 403 body automatically, and there's one place\n * to test the marshaling.\n \n Body shape: `{ error: { code, message }, ... }` — matches the canonical AgentScore\n * core API response shape (`core/api/src/lib/auth.ts`, `lib/rate-limit.ts`, etc.) and\n * martin-estate's pre-commerce shape, so downstream agents see one consistent\n * `error.code` + `error.message` pair regardless of which layer produced the denial.\n /\n\nimport type { DenialCode, DenialReason } from './core.js';\n\n/\n JSON-encoded canonical agent_instructions per denial code. Auto-injected by\n * `denialReasonToBody` when the gate produces a DenialReason without explicit\n * `agent_instructions` so every denial carries a machine-readable next step.\n \n Codes covered:\n * - `wallet_not_trusted` — gate never stamps instructions today (the original gap)\n * - `payment_required` — gate never stamps; merchant tier misconfig, contact-merchant action\n * - `identity_verification_required` — fallback when API didn't return next_steps\n * - `token_expired` — fallback when API didn't return next_steps\n * - `api_error` — `retry_with_backoff` envelope; sole retry channel (no separate\n * next_steps block emitted)\n \n Codes already stamped explicitly upstream in core.ts (`missing_identity`,\n * `invalid_credential`) and codes that don't go through DenialReason\n * (`wallet_signer_mismatch`, `wallet_auth_requires_wallet_signing` — handled by\n * `verifyWalletSignerMatch` result type) are not in this map.\n /\nconst WALLET_NOT_TRUSTED_INSTRUCTIONS = JSON.stringify({\n action: 'contact_support',\n steps: [\n 'The wallet\\'s operator failed an UNFIXABLE compliance check (sanctions, age, or jurisdiction). `reasons` lists which: `sanctions_flagged` / `age_insufficient` / `jurisdiction_restricted`. KYC re-verification won\\'t change the outcome — the policy denial is structural.',\n 'Surface the denial to the user with the merchant\\'s support contact. Do not retry the same merchant request; do not hand the user a verify_url (verification won\\'t fix this code path).',\n 'Fixable compliance reasons (`kyc_required`, `kyc_pending`, `kyc_failed`) do NOT land on this code — the gate auto-mints a verification session for those and returns `identity_verification_required` with poll endpoints, same shape as `missing_identity`. `jurisdiction_restricted` IS in the unfixable bucket because the API only emits it after KYC is verified (the user\\'s KYC\\'d country is in the blocked list — re-doing KYC won\\'t change the country).',\n ],\n user_message:\n 'This purchase is denied by the merchant\\'s compliance policy and cannot be resolved by re-verifying. Contact the merchant\\'s support if you believe this is in error.',\n});\n\nconst PAYMENT_REQUIRED_INSTRUCTIONS = JSON.stringify({\n action: 'contact_merchant',\n steps: [\n 'The merchant\\'s AgentScore account does not have the assess endpoint enabled, so agent identity cannot be evaluated. This is a merchant-side configuration gap — there is no agent-side recovery.',\n 'Contact the merchant (their support channel — typically listed in /llms.txt or the OpenAPI servers metadata) so they can resolve the configuration on their side.',\n ],\n user_message:\n 'This merchant\\'s identity gate is misconfigured. Contact the merchant — there\\'s nothing to fix on the agent side.',\n});\n\nconst IDENTITY_VERIFICATION_REQUIRED_FALLBACK_INSTRUCTIONS = JSON.stringify({\n action: 'deliver_verify_url_and_poll',\n steps: [\n 'Share verify_url with the user — they complete identity verification on AgentScore.',\n 'If session_id + poll_secret are present in the body, poll poll_url every 5 seconds with header `X-Poll-Secret: <poll_secret>` until status=verified. The poll returns a one-time operator_token.',\n 'Retry the original request with header `X-Operator-Token: <opc_...>`.',\n ],\n user_message:\n 'Identity verification is required. Visit verify_url, then poll poll_url for the operator token and retry.',\n});\n\nconst API_ERROR_INSTRUCTIONS = JSON.stringify({\n action: 'retry_with_backoff',\n steps: [\n 'Verification is temporarily unavailable. Retry the request after 5–30 seconds with exponential backoff.',\n 'This is NOT a compliance denial — the user does not need to re-verify their identity. Send the same identity headers (X-Wallet-Address or X-Operator-Token) on retry.',\n 'If the request continues to fail after 3+ retries (~60 seconds total), surface the error to the user with the merchant\\'s support contact.',\n ],\n user_message:\n 'Verification is temporarily unavailable. Please try again in a moment — this is a transient issue, not a problem with your account.',\n});\n\nexport const QUOTA_EXCEEDED_INSTRUCTIONS = JSON.stringify({\n action: 'contact_merchant',\n steps: [\n 'AgentScore identity verification is unavailable for this merchant. This is a merchant-side issue and is NOT recoverable via retry.',\n 'Do not retry: the same 503 will be returned until the merchant resolves the issue on their side.',\n 'Surface to the user with the merchant\\'s support contact. The merchant (not the agent) needs to act.',\n ],\n user_message:\n 'This merchant\\'s identity verification is temporarily unavailable. Try again later, or contact the merchant directly.',\n});\n\nconst TOKEN_EXPIRED_FALLBACK_INSTRUCTIONS = JSON.stringify({\n action: 'deliver_verify_url_and_poll',\n steps: [\n 'The operator token is expired or revoked. AgentScore auto-mints a fresh verification session — complete it to receive a new opc_...',\n 'Share verify_url with the user, then poll poll_url every 5 seconds with header `X-Poll-Secret: <poll_secret>` until status=verified. The poll returns a fresh one-time operator_token.',\n 'Retry the original request with header `X-Operator-Token: <new_opc_...>`.',\n ],\n user_message:\n 'Operator token is expired or revoked. A new verification session has been minted — visit verify_url to refresh.',\n});\n\nconst DEFAULT_AGENT_INSTRUCTIONS: Partial<Record<DenialCode, string>> = {\n api_error: API_ERROR_INSTRUCTIONS,\n wallet_not_trusted: WALLET_NOT_TRUSTED_INSTRUCTIONS,\n payment_required: PAYMENT_REQUIRED_INSTRUCTIONS,\n identity_verification_required: IDENTITY_VERIFICATION_REQUIRED_FALLBACK_INSTRUCTIONS,\n token_expired: TOKEN_EXPIRED_FALLBACK_INSTRUCTIONS,\n};\n\nconst DEFAULT_MESSAGES: Record<DenialCode, string> = {\n missing_identity:\n 'No identity provided. Send X-Wallet-Address (wallet) or X-Operator-Token (credential).',\n identity_verification_required:\n 'Identity verification is required to access this resource. Visit verify_url to complete KYC.',\n wallet_not_trusted:\n 'The wallet does not meet the merchant compliance policy.',\n api_error:\n 'AgentScore is unreachable. This is transient — retry in a few seconds.',\n payment_required:\n 'Assess endpoint not enabled for this merchant. Contact support.',\n wallet_signer_mismatch:\n 'Payment signer does not match the wallet claimed via X-Wallet-Address. The signer and the claimed wallet must both resolve to the same AgentScore operator.',\n wallet_auth_requires_wallet_signing:\n 'X-Wallet-Address was sent with a rail that has no wallet signature (Stripe SPT / card). Switch to X-Operator-Token, or use a wallet-signing rail (Tempo MPP, x402).',\n token_expired:\n 'The operator token is expired or revoked. A fresh verification session has been minted — visit verify_url to mint a new token.',\n invalid_credential:\n 'The operator token is not recognized. Switch to a different stored token, or drop the header to bootstrap a fresh session.',\n};\n\n// Field names the gate claims authority over. Merchant-provided `extra` (from the\n// onBeforeSession hook) MUST NOT override these — a buggy or malicious hook could\n// otherwise replace `verify_url` with a phishing URL or drop agent_instructions.\nconst RESERVED_FIELDS = new Set([\n 'error',\n 'decision',\n 'reasons',\n 'verify_url',\n 'session_id',\n 'poll_secret',\n 'poll_url',\n 'agent_instructions',\n 'agent_memory',\n 'claimed_operator',\n 'actual_signer_operator',\n 'expected_signer',\n 'actual_signer',\n 'linked_wallets',\n]);\n\nexport function denialReasonToBody(reason: DenialReason): Record<string, unknown> {\n const message = reason.message ?? DEFAULT_MESSAGES[reason.code];\n const body: Record<string, unknown> = { error: { code: reason.code, message } };\n if (reason.decision) body.decision = reason.decision;\n if (reason.reasons) body.reasons = reason.reasons;\n if (reason.verify_url) body.verify_url = reason.verify_url;\n if (reason.session_id) body.session_id = reason.session_id;\n if (reason.poll_secret) body.poll_secret = reason.poll_secret;\n if (reason.poll_url) body.poll_url = reason.poll_url;\n const instructions = reason.agent_instructions ?? DEFAULT_AGENT_INSTRUCTIONS[reason.code];\n if (instructions) body.agent_instructions = instructions;\n if (reason.agent_memory) body.agent_memory = reason.agent_memory;\n if (reason.claimed_operator) body.claimed_operator = reason.claimed_operator;\n if (reason.code === 'wallet_signer_mismatch') body.actual_signer_operator = reason.actual_signer_operator ?? null;\n if (reason.expected_signer) body.expected_signer = reason.expected_signer;\n if (reason.actual_signer) body.actual_signer = reason.actual_signer;\n if (reason.linked_wallets && reason.linked_wallets.length > 0) body.linked_wallets = reason.linked_wallets;\n if (reason.extra) {\n for (const [key, value] of Object.entries(reason.extra)) {\n if (RESERVED_FIELDS.has(key)) {\n console.warn(`[gate] onBeforeSession returned reserved field \"${key}\" — ignoring to preserve gate authority`);\n continue;\n }\n body[key] = value;\n }\n }\n return body;\n}\n","/\n Helpers for emitting the cross-merchant `agent_memory` hint on merchant 402 responses.\n \n The gate (`@agent-score/commerce/identity/`) emits `agent_memory` on identity-related\n responses (sessions, credentials, missing_identity bootstraps). Merchants can ALSO\n * include the hint in their own 402 challenge bodies on first-encounter requests so\n * agents persist the cross-merchant pattern even when entering the ecosystem through a\n * merchant-side endpoint rather than a direct AgentScore API call.\n \n Usage pattern:\n * - Merchant tracks per-operator (or per-IP / per-fingerprint) \"have I seen this agent\n * before?\" in their own DB\n * - On first encounter (no prior request from this operator/wallet/IP), include the hint\n * so the agent saves the pattern\n * - On subsequent encounters, skip — the agent already has it (or never will)\n \n The hint contents come from `buildAgentMemoryHint` (re-exported here for convenience).\n * Keep it stateless: AgentScore's pattern doesn't depend on the merchant's identity, so\n * every merchant emits the same shape.\n /\n\nimport { buildAgentMemoryHint, type AgentMemoryHint } from '../core';\n\nexport { buildAgentMemoryHint };\nexport type { AgentMemoryHint };\n\nexport interface FirstEncounterAgentMemoryInput {\n /\n Whether this is a first encounter for this operator/wallet/IP at this merchant.\n * Merchant-determined (DB lookup, cache flag, etc.). Pass `false` to suppress emission\n * cleanly without wrapping the call in an `if`.\n /\n firstEncounter: boolean;\n}\n\n/\n Returns the `agent_memory` hint when this is a first encounter, otherwise `undefined`.\n * Use directly with the `agentMemory` field of `build402Body`:\n \n ```ts\n * const body = build402Body({\n * acceptedMethods,\n * agentInstructions,\n * pricing,\n * agentMemory: firstEncounterAgentMemory({ firstEncounter: !this.hasSeenOperator(opToken) }),\n * });\n * ```\n \n Returning `undefined` means `build402Body` cleanly skips the field instead of emitting\n * `agent_memory: null` (which would imply \"I tried but failed\" rather than \"didn't apply\").\n /\nexport function firstEncounterAgentMemory(\n input: FirstEncounterAgentMemoryInput,\n): AgentMemoryHint \| undefined {\n if (!input.firstEncounter) return undefined;\n return buildAgentMemoryHint();\n}\n","import type { AcceptedMethodEntry } from './accepted_methods';\nimport type { AgentInstructions } from './agent_instructions';\nimport type { IdentityMetadataBlock } from './identity';\nimport type { PricingBlock as _PricingBlock } from './pricing';\n\nexport type { PricingBlock } from './pricing';\n\nexport interface Build402BodyInput {\n /* From buildAcceptedMethods — list of MPP method entries. /\n acceptedMethods: AcceptedMethodEntry[];\n /* From buildAgentInstructions — wraps how_to_pay + warnings + recommended_tools. /\n agentInstructions?: AgentInstructions;\n /* From buildIdentityMetadata — wallet-mode echoer. Spread into the body when present. /\n identityMetadata?: IdentityMetadataBlock;\n /* Cross-merchant agent_memory hint (from gate). /\n agentMemory?: unknown;\n /* Pricing breakdown. /\n pricing?: _PricingBlock;\n /* Total amount in USD as a string (e.g., '250.00'). /\n amountUsd?: string;\n /* Currency code. Default 'USD'. /\n currency?: string;\n /* Order id for retry correlation. /\n orderId?: string \| null;\n /* Product info — surfaced on the 402 so agents can confirm what they're buying. /\n product?: { id: string; name: string };\n /* The body the agent should retry with after payment (e.g., the original request body). /\n retryBody?: unknown;\n /* Recommended rail — agent's default if multiple are listed. /\n recommended?: string;\n /* x402-compliance fields (paired with the PAYMENT-REQUIRED header from `payment/wwwauthenticate`). /\n x402?: {\n accepts: unknown[];\n version?: 1 \| 2;\n };\n /* Vendor-specific extra fields merged at the top level. /\n extra?: Record<string, unknown>;\n}\n\n/\n Assemble the full enriched 402 response body. Combines accepted_methods, agent_instructions,\n * identity metadata, pricing, x402 compliance fields, and any vendor-specific extras into a\n * single object suitable for `JSON.stringify`. Vendors pass only what they have; the builder\n * conditionally includes each section.\n \n Pair this with a Response that sets:\n * - 'content-type: application/json'\n * - 'www-authenticate: <wwwAuthenticateHeader([...])>' from `payment/wwwauthenticate`\n * - 'PAYMENT-REQUIRED: <paymentRequiredHeader({...})>' for x402 clients\n /\nexport function build402Body(input: Build402BodyInput): Record<string, unknown> {\n const body: Record<string, unknown> = {\n payment_required: true,\n accepted_methods: input.acceptedMethods,\n };\n\n if (input.x402) {\n body.x402Version = input.x402.version ?? 2;\n body.accepts = input.x402.accepts;\n }\n\n if (input.amountUsd !== undefined) body.amount_usd = input.amountUsd;\n if (input.currency) body.currency = input.currency;\n if (input.pricing) body.pricing = input.pricing;\n if (input.orderId !== undefined) body.order_id = input.orderId;\n if (input.product) body.product = input.product;\n if (input.recommended) body.recommended = input.recommended;\n if (input.retryBody !== undefined) body.retry_body = input.retryBody;\n\n if (input.identityMetadata) {\n Object.assign(body, input.identityMetadata);\n }\n\n if (input.agentInstructions) body.agent_instructions = input.agentInstructions;\n if (input.agentMemory !== undefined) body.agent_memory = input.agentMemory;\n\n if (input.extra) Object.assign(body, input.extra);\n\n return body;\n}\n","/\n Pricing block builder + canonical type.\n \n Composes the cents-denominated price components into the dollar-string shape that\n * 402 challenge bodies advertise. Lifts the inline pattern from martin-estate's\n * `purchase.ts` so every merchant — current and future commerce-platform plugins\n * (Commerce7, WooCommerce, Shopify) — surfaces the same shape to agents.\n \n Shipping is included by default because most physical-goods merchants carry it; pass\n * `shippingCents: 0` (or omit) for digital goods / services. Tax is optional for\n * merchants outside taxable jurisdictions.\n /\n\nexport interface PricingBlock {\n /* Pre-tax, pre-shipping subtotal as a dollar-string (e.g. `\"250.00\"`). /\n subtotal: string;\n /* Tax amount as a dollar-string. Always present even if `\"0.00\"`. /\n tax: string;\n /* Shipping cost as a dollar-string. Always present even if `\"0.00\"`. /\n shipping?: string;\n /* Final total = subtotal + tax + shipping, dollar-string. /\n total: string;\n /* Tax rate as a decimal fraction (e.g. `0.0775` for 7.75%). Optional — omit for tax-free merchants. /\n tax_rate?: number;\n /* ISO-3166-2 state code or jurisdiction name used for tax calc. Optional. /\n tax_state?: string;\n /* ISO-4217 currency code. Default `\"USD\"`. /\n currency?: string;\n}\n\nexport interface BuildPricingBlockInput {\n /* Pre-tax, pre-shipping subtotal in the smallest currency unit (cents, satoshi, etc.). /\n subtotalCents: number;\n /* Tax amount in the smallest currency unit. Default `0`. /\n taxCents?: number;\n /* Shipping cost in the smallest currency unit. Default `0`. /\n shippingCents?: number;\n /* Override the computed total. By default `subtotalCents + taxCents + shippingCents`. /\n totalCents?: number;\n /* Tax rate as a decimal fraction (e.g. `0.0775`). /\n taxRate?: number;\n /* Tax jurisdiction (state code, country, etc.). /\n taxState?: string;\n /* ISO-4217 currency. Default `\"USD\"`. /\n currency?: string;\n}\n\n/\n Compose a `PricingBlock` from cents-denominated inputs. Handles the cents → dollar-string\n * conversion (always 2 decimals) and computes the total when not explicitly provided.\n \n Example:\n * ```ts\n * const pricing = buildPricingBlock({\n * subtotalCents: 25000,\n * taxCents: 1875,\n * shippingCents: 999,\n * taxRate: 0.075,\n * taxState: 'CA',\n * });\n * // → { subtotal: '250.00', tax: '18.75', shipping: '9.99', total: '278.74', tax_rate: 0.075, tax_state: 'CA' }\n * ```\n \n Pass `shippingCents: 0` for digital goods if you want the field present (it's then `\"0.00\"`);\n * omit entirely if you don't want shipping in the response shape at all.\n /\nexport function buildPricingBlock(input: BuildPricingBlockInput): PricingBlock {\n const tax = input.taxCents ?? 0;\n const shipping = input.shippingCents ?? 0;\n const total = input.totalCents ?? input.subtotalCents + tax + shipping;\n\n const block: PricingBlock = {\n subtotal: formatCents(input.subtotalCents),\n tax: formatCents(tax),\n total: formatCents(total),\n };\n\n if (input.shippingCents !== undefined) block.shipping = formatCents(shipping);\n if (input.taxRate !== undefined) block.tax_rate = input.taxRate;\n if (input.taxState !== undefined) block.tax_state = input.taxState;\n if (input.currency !== undefined) block.currency = input.currency;\n\n return block;\n}\n\nfunction formatCents(cents: number): string {\n return (cents / 100).toFixed(2);\n}\n","/\n Joins multiple Payment directives into a single WWW-Authenticate header value.\n * Per RFC 7235, multiple challenges are comma-separated.\n /\nexport function wwwAuthenticateHeader(directives: string[]): string {\n return directives.join(', ');\n}\n\nexport interface PaymentRequiredHeaderInput {\n x402Version: 1 \| 2;\n accepts: unknown[];\n resource?: { url: string; mimeType?: string };\n}\n\n/\n Add the v1↔v2 amount-field alias to each accepts entry. Idempotent. Used by both\n * `paymentRequiredHeader` (header emit) and `build402Body` (body emit) so every\n * x402 entry on the wire carries BOTH `amount` (v2 spec) AND `maxAmountRequired`\n * (v1 spec) — strict v1-only parsers (e.g. Coinbase awal at `payments-mcp.coinbase.com`,\n * which is hardcoded to read `maxAmountRequired`) work alongside strict v2 parsers,\n * which ignore the alias.\n /\nexport function aliasAmountFields(accepts: unknown[]): unknown[] {\n return accepts.map((entry) => {\n if (entry === null \|\| typeof entry !== 'object') return entry;\n const e = entry as Record<string, unknown>;\n const hasAmount = e.amount !== undefined;\n const hasMaxAmount = e.maxAmountRequired !== undefined;\n if (hasAmount && !hasMaxAmount) return { ...e, maxAmountRequired: e.amount };\n if (hasMaxAmount && !hasAmount) return { ...e, amount: e.maxAmountRequired };\n return e;\n });\n}\n\n/\n Encode the standard x402 PAYMENT-REQUIRED header (base64-encoded JSON of the\n * PaymentRequired object). Clients that recognize the header (`@x402/fetch`,\n * `@x402/core` HTTPClient, `agentscore-pay`) prefer it over body fields.\n \n Note: do NOT add a v1↔v2 amount-field alias here. `@x402/core`'s\n * `findMatchingRequirements` uses `deepEqual` against the agent's signed\n * `accepted` payload — any field present on one side and missing on the other\n * (e.g. `maxAmountRequired` on the wire body but not in `buildPaymentRequirements`'s\n * output) makes the match silently fail at settle time. Keep `accepts` shape\n * identical to whatever `buildPaymentRequirements` produces server-side.\n /\nexport function paymentRequiredHeader(input: PaymentRequiredHeaderInput): string {\n return Buffer.from(JSON.stringify(input)).toString('base64');\n}\n","/\n `respond402` — single-call 402 emit for merchants who use both `mppx` (for tempo + stripe\n * MPP rails) AND x402 (for Base + Solana).\n \n The seam is fiddly enough to get wrong by hand:\n * - mppx's `compose()(req)` returns a 402 Response with WWW-Authenticate directives\n * whose ids mppx's server-side validator REMEMBERS — they round-trip in client\n * credentials. Overwriting that header (e.g. with `buildPaymentHeaders` output)\n * breaks the round-trip.\n * - x402 needs the binary-friendly `PAYMENT-REQUIRED` header (base64-encoded JSON\n * of `{x402Version, accepts, resource}`) — mppx doesn't emit it.\n * - Merchants want a richer JSON body (pricing, identity metadata, agent_instructions,\n * agent_memory, retry_body, accepted_methods cross-reference) than the bare mppx body.\n \n `respond402` composes all three in one call:\n * - PRESERVES mppx's WWW-Authenticate verbatim\n * - ADDS PAYMENT-REQUIRED when x402 entries are present\n * - REPLACES the body with the rich body via `build402Body`\n \n Usage:\n * ```ts\n * const result = await m.compose(['tempo/charge', {...}], ['stripe/charge', {...}])(c.req.raw);\n * if (result.status === 402) {\n * return commerce.respond402({\n * mppxChallenge: result.challenge,\n * x402: { version: 2, accepts: x402Accepts, resource: { url: c.req.url, mimeType: 'application/json' } },\n * body: { acceptedMethods, agentInstructions, identityMetadata, pricing, agentMemory, retryBody, ... },\n * });\n * }\n * ```\n /\n\nimport { paymentRequiredHeader, type PaymentRequiredHeaderInput } from '../payment/wwwauthenticate';\nimport { build402Body, type Build402BodyInput } from './body';\n\nexport interface Respond402Input {\n /* The 402 Response returned by `mppx.compose()(req)`. Its WWW-Authenticate header\n * is preserved verbatim — mppx's server-side validator matches credentials to the\n * directive ids it generated, so overwriting breaks the round-trip. /\n mppxChallenge: Response;\n /* Inputs to `build402Body` — the rich JSON body sent to the agent. /\n body: Build402BodyInput;\n /* When set, layers on the x402 PAYMENT-REQUIRED header (base64-encoded JSON).\n * Omit for merchants that don't accept x402 (Base/Solana) — mppx-only setups. /\n x402?: PaymentRequiredHeaderInput;\n}\n\nexport function respond402(input: Respond402Input): Response {\n const body = build402Body(input.body);\n const headers = new Headers(input.mppxChallenge.headers);\n headers.set('content-type', 'application/json');\n if (input.x402) {\n headers.set('PAYMENT-REQUIRED', paymentRequiredHeader(input.x402));\n }\n return new Response(JSON.stringify(body), { headers, status: 402 });\n}\n","/\n Build a structured 4xx validation-error body that pairs cleanly with the\n * existing 402 / 403 builders. Every commerce merchant returning helpful\n * `bad_request` / `not_found` / `out_of_stock` / etc. errors converges on the\n * same shape: `{ error: {code, message}, ...optional_hints, next_steps? }`.\n \n This builder doesn't choose the HTTP status — vendors wrap the returned\n * body in their framework's response (`c.json(body, 400)` in Hono,\n * `Response.json(body, {status: 400})` for the Web Fetch path, etc.). Status\n * stays the merchant's call because the same shape works for 400/404/409/422.\n /\nexport interface BuildValidationErrorInput {\n /* Machine-readable error code (e.g. 'bad_request', 'not_found', 'out_of_stock'). /\n code: string;\n /* Human-readable message — surfaced directly to the user via the agent. /\n message: string;\n /* Optional schema description of required body fields, keyed by field name. Surfaced\n * so agents can self-correct without fetching docs. /\n requiredFields?: Record<string, string>;\n /* Optional concrete example body. Pairs with `requiredFields` for max self-serve. /\n exampleBody?: unknown;\n /* Optional next-step hint block (`{action, user_message?, ...vendor_extras}`). /\n nextSteps?: Record<string, unknown>;\n /* Vendor-specific top-level fields merged into the body (e.g. `available`,\n * `blocked_states`, `max_length`). /\n extra?: Record<string, unknown>;\n}\n\nexport interface ValidationErrorBody {\n error: { code: string; message: string };\n required_fields?: Record<string, string>;\n example_body?: unknown;\n next_steps?: Record<string, unknown>;\n [key: string]: unknown;\n}\n\n/\n Compose a 4xx body that vendors return via their framework's response helper.\n * Combine with the merchant's chosen HTTP status (400 for body shape errors,\n * 404 for missing entities, 409 for stock conflicts, 403 for policy denials, etc.).\n \n Example:\n * ```ts\n * return c.json(buildValidationError({\n * code: 'bad_request',\n * message: 'product_id, email, and shipping are required',\n * requiredFields: { product_id: 'uuid', email: 'string', shipping: 'object' },\n * nextSteps: { action: 'retry_with_complete_body' },\n * }), 400);\n * ```\n */\nexport function buildValidationError(input: BuildValidationErrorInput): ValidationErrorBody {\n const body: ValidationErrorBody = {\n error: { code: input.code, message: input.message },\n };\n if (input.requiredFields) body.required_fields = input.requiredFields;\n if (input.exampleBody !== undefined) body.example_body = input.exampleBody;\n if (input.nextSteps) body.next_steps = input.nextSteps;\n if (input.extra) Object.assign(body, input.extra);\n return body;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;AC8EO,SAAS,qBAAqB,OAAyD;AAC5F,QAAM,MAA6B,CAAC;AAEpC,MAAI,MAAM,OAAO;AACf,QAAI,KAAK;AAAA,MACP,QAAQ;AAAA,MACR,SAAS,MAAM,MAAM,WAAW;AAAA,MAChC,UAAU,MAAM,MAAM,WAAW;AAAA,MACjC,OAAO,MAAM,MAAM,SAAS;AAAA,MAC5B,QAAQ,MAAM,MAAM,UAAU;AAAA,MAC9B,UAAU,MAAM,MAAM,YAAY;AAAA,MAClC,QAAQ,MAAM,MAAM;AAAA,IACtB,CAAC;AAAA,EACH;AAEA,MAAI,MAAM,WAAW;AACnB,QAAI,KAAK;AAAA,MACP,QAAQ;AAAA,MACR,SAAS,MAAM,UAAU,WAAW;AAAA,MACpC,UAAU,MAAM,UAAU,WAAW;AAAA,MACrC,OAAO,MAAM,UAAU,SAAS;AAAA,MAChC,QAAQ,MAAM,UAAU,UAAU;AAAA,MAClC,UAAU,MAAM,UAAU,YAAY;AAAA,MACtC,QAAQ,MAAM,UAAU;AAAA,IAC1B,CAAC;AAAA,EACH;AAEA,MAAI,MAAM,YAAY;AACpB,QAAI,KAAK;AAAA,MACP,QAAQ;AAAA,MACR,SAAS,MAAM,WAAW,WAAW;AAAA,MACrC,OAAO,MAAM,WAAW,SAAS;AAAA,MACjC,QAAQ,MAAM,WAAW,UAAU;AAAA,MACnC,UAAU,MAAM,WAAW,YAAY;AAAA,MACvC,QAAQ,MAAM,WAAW;AAAA,MACzB,GAAI,MAAM,WAAW,cAAc,EAAE,eAAe,MAAM,WAAW,YAAY,IAAI,CAAC;AAAA,IACxF,CAAC;AAAA,EACH;AAEA,MAAI,MAAM,QAAQ;AAChB,QAAI,KAAK;AAAA,MACP,QAAQ;AAAA,MACR,OAAO,MAAM,OAAO,SAAS,CAAC,QAAQ,QAAQ,sBAAsB;AAAA,MACpE,YAAY,MAAM,OAAO,aAAa;AAAA,IACxC,CAAC;AAAA,EACH;AAEA,SAAO;AACT;;;AC3FO,SAAS,sBAAsB,OAAqD;AACzF,QAAM,QAA+B,EAAE,eAAe,MAAM,KAAK;AAEjE,MAAI,MAAM,SAAS,SAAU,QAAO;AAEpC,MAAI,MAAM,QAAQ;AAChB,UAAM,kBAAkB,MAAM,mBAAmB,kBAAkB,MAAM;AAAA,EAC3E;AACA,MAAI,MAAM,iBAAiB,MAAM,cAAc,SAAS,GAAG;AACzD,UAAM,iBAAiB,MAAM;AAAA,EAC/B;AACA,QAAM,oBACJ,MAAM,oBACN;AAEF,SAAO;AACT;;;ACPA,IAAM,cAAc;AAAA,EAClB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,IAAM,iBAAiB;AAAA,EACrB;AAAA,EACA;AAAA,EACA;AACF;AAEA,IAAM,mBAAmB;AAAA,EACvB;AAAA,EACA;AAAA,EACA;AACF;AASO,SAAS,cAAc,OAA0C;AACtE,QAAM,WAAW,OAAO,MAAM,aAAa,WAAW,OAAO,MAAM,QAAQ,IAAI,MAAM;AACrF,QAAM,WAAW,OAAO,MAAM,aAAa,KAAK,KAAK,QAAQ,IAAI,GAAG,QAAQ,CAAC,CAAC;AAC9E,QAAM,UAAU,MAAM,sBAAsB;AAC5C,QAAM,QAAuB,CAAC;AAE9B,MAAI,MAAM,MAAM,OAAO;AACrB,UAAM,cAAc,MAAM,MAAM,MAAM,eAAe;AACrD,UAAM,UAAU,MAAM,MAAM,MAAM,WAAW;AAC7C,UAAM,YAAY,MAAM,MAAM,MAAM,aAAa;AACjD,UAAM,eAAe,+CAA+C,OAAO,iDAAiD,MAAM,aAAa,iBAAiB,QAAQ,IAAI,MAAM,GAAG;AACrL,UAAM,aAAa,2BAA2B,MAAM,GAAG,wCAAwC,OAAO,6CAA6C,MAAM,aAAa,iBAAiB,QAAQ;AAC/L,UAAM,QAAQ;AAAA,MACZ,OAAO;AAAA,MACP,cAAc,6DAA6D,WAAW,WAAW,OAAO,kBAAkB,QAAQ;AAAA,MAClI,SAAS,cAAc,mBAAmB,aAAa;AAAA,MACvD,GAAI,cAAc,SACd,EAAE,qBAAqB,WAAW,IAClC,cAAc,mBACZ,EAAE,qBAAqB,aAAa,IACpC,CAAC;AAAA,MACP,cAAc,0BAA0B,WAAW;AAAA,IACrD;AAAA,EACF;AAEA,MAAI,MAAM,MAAM,WAAW;AACzB,UAAM,UAAU,MAAM,MAAM,UAAU,WAAW;AACjD,UAAM,YAAY;AAAA,MAChB,OAAO;AAAA,MACP,cAAc,iFAAiF,OAAO,kBAAkB,QAAQ;AAAA,MAChI,SAAS,2BAA2B,MAAM,GAAG,uCAAuC,OAAO,6CAA6C,MAAM,aAAa,iBAAiB,QAAQ;AAAA,MACpL,cAAc;AAAA,IAChB;AAAA,EACF;AAEA,MAAI,MAAM,MAAM,YAAY;AAC1B,UAAM,UAAU,MAAM,MAAM,WAAW,WAAW;AAClD,UAAM,aAAa;AAAA,MACjB,OAAO;AAAA,MACP,cAAc,qFAAqF,OAAO,kBAAkB,QAAQ;AAAA,MACpI,SAAS,2BAA2B,MAAM,GAAG,yCAAyC,OAAO,6CAA6C,MAAM,aAAa,iBAAiB,QAAQ;AAAA,MACtL,cAAc;AAAA,IAChB;AAAA,EACF;AAEA,MAAI,MAAM,MAAM,QAAQ;AACtB,UAAM,YAAY,MAAM,MAAM;AAC9B,UAAM,cAAc,KAAK,MAAM,WAAW,GAAG;AAC7C,UAAM,iBAAiB,cAAc;AACrC,UAAM,cAAc,UAAU,eAAe;AAC7C,UAAM,aAAa,eAAe,WAAW,+FAA+F,QAAQ;AACpJ,UAAM,SAA8B;AAAA,MAClC,cACE;AAAA,MACF,cACE;AAAA,IACJ;AACA,QAAI,UAAU,aAAa,CAAC,gBAAgB;AAC1C,aAAO,iBAAiB;AAAA,QACtB;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA,aAAO,mBAAmB;AAAA,QACxB,0JAA0J,UAAU,SAAS,aAAa,WAAW,eAAe,UAAU;AAAA,QAC9N,oBAAoB,MAAM,GAAG,uDAAuD,MAAM,aAAa,iCAAiC,OAAO;AAAA,MACjJ;AACA,aAAO,wBACL;AAAA,IACJ,WAAW,gBAAgB;AACzB,aAAO,OAAO,0IAAqI,QAAQ;AAAA,IAC7J;AACA,UAAM,SAAS;AAAA,EACjB;AAEA,SAAO;AACT;;;ACtGA,IAAM,gBACJ;AAEF,IAAM,eACJ;AAEF,IAAM,aAAa;AACnB,IAAM,sBAAsB;AAE5B,IAAM,+BACJ;AAEF,SAAS,wBAAwB,UAAmC;AAClE,QAAM,QAAkB,CAAC;AACzB,MAAI,SAAS,MAAO,OAAM,KAAK,UAAU;AACzC,MAAI,SAAS,SAAS,SAAS,aAAa,SAAS,WAAY,OAAM,KAAK,mBAAmB;AAC/F,SAAO;AACT;AAEA,SAAS,gBAAgB,UAAmC;AAC1D,QAAM,IAAc,CAAC;AACrB,MAAI,SAAS,MAAO,GAAE,KAAK,aAAa;AACxC,MAAI,SAAS,UAAW,GAAE,KAAK,YAAY;AAC3C,SAAO;AACT;AAiBA,IAAM,eAAmD;AAAA,EACvD,WAAW,CAAC,kBAAkB,iBAAiB,YAAY;AAAA,EAC3D,WAAW,CAAC,kBAAkB,cAAc,4BAA4B;AAAA,EACxE,YAAY,CAAC,gBAAgB;AAAA,EAC7B,QAAQ,CAAC,UAAU;AACrB;AAMO,SAAS,yBAAyB,OAA0D;AACjG,QAAM,MAAyB,CAAC;AAChC,aAAW,KAAK,MAAO,KAAI,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,CAAC;AACnD,SAAO,OAAO,KAAK,GAAG,EAAE,WAAW,IAAI,SAAY;AACrD;AAEA,SAAS,yBAAyB,UAAwD;AACxF,QAAM,QAAmB,CAAC;AAC1B,MAAI,SAAS,MAAO,OAAM,KAAK,WAAW;AAC1C,MAAI,SAAS,UAAW,OAAM,KAAK,WAAW;AAC9C,MAAI,SAAS,WAAY,OAAM,KAAK,YAAY;AAChD,MAAI,SAAS,OAAQ,OAAM,KAAK,QAAQ;AACxC,SAAO,yBAAyB,KAAK;AACvC;AAWO,SAAS,uBAAuB,OAAuD;AAC5F,QAAM,oBAAoB,MAAM,qBAAqB,yBAAyB,MAAM,QAAQ;AAC5F,SAAO;AAAA,IACL,YAAY,MAAM;AAAA,IAClB,mBAAmB,MAAM,oBAAoB,wBAAwB,MAAM,QAAQ;AAAA,IACnF,sBAAsB,MAAM,uBAAuB;AAAA,IACnD,iBAAiB,MAAM,kBAAkB;AAAA,IACzC,UAAU,MAAM,YAAY,CAAC,GAAG,gBAAgB,MAAM,QAAQ,GAAG,GAAI,MAAM,iBAAiB,CAAC,CAAE;AAAA,IAC/F,GAAI,MAAM,cAAc,EAAE,aAAa,MAAM,YAAY,IAAI,CAAC;AAAA,IAC9D,GAAI,oBAAoB,EAAE,oBAAoB,kBAAkB,IAAI,CAAC;AAAA,IACrE,GAAI,MAAM,SAAS,CAAC;AAAA,EACtB;AACF;;;ACpIA,iBAOO;;;AC0BP,IAAM,kCAAkC,KAAK,UAAU;AAAA,EACrD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,gCAAgC,KAAK,UAAU;AAAA,EACnD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,uDAAuD,KAAK,UAAU;AAAA,EAC1E,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,yBAAyB,KAAK,UAAU;AAAA,EAC5C,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAEM,IAAM,8BAA8B,KAAK,UAAU;AAAA,EACxD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,sCAAsC,KAAK,UAAU;AAAA,EACzD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;;;AD8QD,IAAM,2BAA2B;AAKjC,IAAM,sCAAsC,KAAK,UAAU;AAAA,EACzD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,mDAAmD,KAAK,UAAU;AAAA,EACtE,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAMD,IAAM,kCAAkC,KAAK,UAAU;AAAA,EACrD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAEM,SAAS,uBAAwC;AAItD,QAAM,MAAM;AACZ,SAAO;AAAA,IACL,kCAAkC;AAAA,IAClC,iBACE;AAAA,IAKF,YAAY;AAAA,IACZ,yBAAyB,GAAG,GAAG;AAAA,IAC/B,gBAAgB;AAAA,MACd,QACE;AAAA,MAEF,gBACE;AAAA,IAEJ;AAAA,IACA,WACE;AAAA,IAIF,0BAA0B,CAAC,kBAAkB,aAAa;AAAA,IAC1D,6BAA6B,CAAC,gBAAgB;AAAA,EAChD;AACF;;;AElYO,SAAS,0BACd,OAC6B;AAC7B,MAAI,CAAC,MAAM,eAAgB,QAAO;AAClC,SAAO,qBAAqB;AAC9B;;;ACNO,SAAS,aAAa,OAAmD;AAC9E,QAAM,OAAgC;AAAA,IACpC,kBAAkB;AAAA,IAClB,kBAAkB,MAAM;AAAA,EAC1B;AAEA,MAAI,MAAM,MAAM;AACd,SAAK,cAAc,MAAM,KAAK,WAAW;AACzC,SAAK,UAAU,MAAM,KAAK;AAAA,EAC5B;AAEA,MAAI,MAAM,cAAc,OAAW,MAAK,aAAa,MAAM;AAC3D,MAAI,MAAM,SAAU,MAAK,WAAW,MAAM;AAC1C,MAAI,MAAM,QAAS,MAAK,UAAU,MAAM;AACxC,MAAI,MAAM,YAAY,OAAW,MAAK,WAAW,MAAM;AACvD,MAAI,MAAM,QAAS,MAAK,UAAU,MAAM;AACxC,MAAI,MAAM,YAAa,MAAK,cAAc,MAAM;AAChD,MAAI,MAAM,cAAc,OAAW,MAAK,aAAa,MAAM;AAE3D,MAAI,MAAM,kBAAkB;AAC1B,WAAO,OAAO,MAAM,MAAM,gBAAgB;AAAA,EAC5C;AAEA,MAAI,MAAM,kBAAmB,MAAK,qBAAqB,MAAM;AAC7D,MAAI,MAAM,gBAAgB,OAAW,MAAK,eAAe,MAAM;AAE/D,MAAI,MAAM,MAAO,QAAO,OAAO,MAAM,MAAM,KAAK;AAEhD,SAAO;AACT;;;ACbO,SAAS,kBAAkB,OAA6C;AAC7E,QAAM,MAAM,MAAM,YAAY;AAC9B,QAAM,WAAW,MAAM,iBAAiB;AACxC,QAAM,QAAQ,MAAM,cAAc,MAAM,gBAAgB,MAAM;AAE9D,QAAM,QAAsB;AAAA,IAC1B,UAAU,YAAY,MAAM,aAAa;AAAA,IACzC,KAAK,YAAY,GAAG;AAAA,IACpB,OAAO,YAAY,KAAK;AAAA,EAC1B;AAEA,MAAI,MAAM,kBAAkB,OAAW,OAAM,WAAW,YAAY,QAAQ;AAC5E,MAAI,MAAM,YAAY,OAAW,OAAM,WAAW,MAAM;AACxD,MAAI,MAAM,aAAa,OAAW,OAAM,YAAY,MAAM;AAC1D,MAAI,MAAM,aAAa,OAAW,OAAM,WAAW,MAAM;AAEzD,SAAO;AACT;AAEA,SAAS,YAAY,OAAuB;AAC1C,UAAQ,QAAQ,KAAK,QAAQ,CAAC;AAChC;;;ACzCO,SAAS,sBAAsB,OAA2C;AAC/E,SAAO,OAAO,KAAK,KAAK,UAAU,KAAK,CAAC,EAAE,SAAS,QAAQ;AAC7D;;;ACDO,SAAS,WAAW,OAAkC;AAC3D,QAAM,OAAO,aAAa,MAAM,IAAI;AACpC,QAAM,UAAU,IAAI,QAAQ,MAAM,cAAc,OAAO;AACvD,UAAQ,IAAI,gBAAgB,kBAAkB;AAC9C,MAAI,MAAM,MAAM;AACd,YAAQ,IAAI,oBAAoB,sBAAsB,MAAM,IAAI,CAAC;AAAA,EACnE;AACA,SAAO,IAAI,SAAS,KAAK,UAAU,IAAI,GAAG,EAAE,SAAS,QAAQ,IAAI,CAAC;AACpE;;;ACJO,SAAS,qBAAqB,OAAuD;AAC1F,QAAM,OAA4B;AAAA,IAChC,OAAO,EAAE,MAAM,MAAM,MAAM,SAAS,MAAM,QAAQ;AAAA,EACpD;AACA,MAAI,MAAM,eAAgB,MAAK,kBAAkB,MAAM;AACvD,MAAI,MAAM,gBAAgB,OAAW,MAAK,eAAe,MAAM;AAC/D,MAAI,MAAM,UAAW,MAAK,aAAa,MAAM;AAC7C,MAAI,MAAM,MAAO,QAAO,OAAO,MAAM,MAAM,KAAK;AAChD,SAAO;AACT;","names":[]}