@agent-score/commerce 1.5.1 → 1.6.0

package/dist/index.mjs

@@ -330,73 +330,86 @@ function readX402PaymentHeader(request) {
 }
 
 // src/identity/a2a.ts
+var PROTOCOL_VERSION = "1.0";
+var DEFAULT_PROTOCOL_BINDING = "HTTP+JSON";
+var DEFAULT_INPUT_MODE = "application/json";
+var DEFAULT_OUTPUT_MODE = "application/json";
 var UCP_A2A_EXTENSION_URI = "https://ucp.dev/2026-04-08/specification/reference";
-function ucpA2AExtension(capabilities = {}) {
+function ucpA2AExtension(capabilities = {}, options = {}) {
   return {
     uri: UCP_A2A_EXTENSION_URI,
+    description: "UCP support: this agent serves Universal Commerce Protocol bindings via the A2A transport.",
+    required: options.required ?? false,
     params: { capabilities }
   };
 }
-var PROTOCOL_VERSION = "1.0";
-var CARD_VERSION = 1;
 function buildA2AAgentCard(input) {
-  const issuer = input.issuer ?? "https://agentscore.sh";
-  let identity = null;
-  if (input.data) {
-    const operatorId = input.data.resolved_operator ?? null;
-    if (operatorId) {
-      const operatorVerification = input.data.operator_verification;
-      const accountVerification = input.data.account_verification;
-      identity = {
-        issuer,
-        operator_id: operatorId,
-        kyc_level: accountVerification?.kyc_level ?? operatorVerification?.level ?? "none",
-        sanctions_clear: accountVerification?.sanctions_clear === true,
-        age_bracket: accountVerification?.age_bracket ?? "unknown",
-        jurisdiction: accountVerification?.jurisdiction ?? "",
-        verified_at: accountVerification?.verified_at ?? operatorVerification?.verified_at ?? null,
-        verify_url: input.verifyUrl ?? input.data.verify_url ?? `${issuer}/verify`
-      };
-    }
+  if (!input.skills || input.skills.length === 0) {
+    throw new Error(
+      "buildA2AAgentCard: `skills` MUST be a non-empty list. Per spec \xA74.4.1 (proto field 12 [field_behavior=REQUIRED]), every Agent Card must declare at least one AgentSkill. Construct A2AAgentCard directly to bypass."
+    );
   }
+  const capabilities = {};
+  if (input.streaming !== void 0) capabilities.streaming = input.streaming;
+  if (input.push_notifications !== void 0) capabilities.push_notifications = input.push_notifications;
+  if (input.extensions && input.extensions.length > 0) capabilities.extensions = input.extensions;
+  if (input.extended_agent_card !== void 0) capabilities.extended_agent_card = input.extended_agent_card;
+  const primaryInterface = {
+    url: input.url,
+    protocol_binding: input.protocol_binding ?? DEFAULT_PROTOCOL_BINDING,
+    protocol_version: input.a2a_protocol_version ?? PROTOCOL_VERSION
+  };
   const card = {
-    protocol_version: PROTOCOL_VERSION,
-    card_version: CARD_VERSION,
     name: input.name,
-    identity
+    description: input.description,
+    supported_interfaces: [primaryInterface],
+    version: input.version ?? "1.0.0",
+    capabilities,
+    default_input_modes: input.default_input_modes ?? [DEFAULT_INPUT_MODE],
+    default_output_modes: input.default_output_modes ?? [DEFAULT_OUTPUT_MODE],
+    skills: input.skills
   };
-  if (input.description !== void 0) card.description = input.description;
-  if (input.url !== void 0) card.url = input.url;
-  if (input.capabilities !== void 0) card.capabilities = input.capabilities;
-  if (input.extensions && input.extensions.length > 0) card.extensions = input.extensions;
-  if (input.extras !== void 0) card.extras = input.extras;
+  if (input.provider !== void 0) card.provider = input.provider;
+  if (input.documentation_url !== void 0) card.documentation_url = input.documentation_url;
+  if (input.icon_url !== void 0) card.icon_url = input.icon_url;
+  if (input.signatures !== void 0 && input.signatures.length > 0) card.signatures = input.signatures;
+  if (input.security_schemes !== void 0) card.security_schemes = input.security_schemes;
+  if (input.security_requirements !== void 0) card.security_requirements = input.security_requirements;
+  if (input.extras) {
+    for (const [k, v] of Object.entries(input.extras)) {
+      card[k] = v;
+    }
+  }
   return card;
 }
 
 // src/identity/ucp.ts
-function ucpSigningKeyFromJWK(jwk) {
+function ucpSigningKeyFromJWKImpl(jwk) {
   if (!jwk || typeof jwk !== "object") {
-    throw new Error(`ucpSigningKeyFromJWK expected a non-null object; got ${typeof jwk}.`);
+    throw new Error(`UCPSigningKey.fromJWK expected a non-null object; got ${typeof jwk}.`);
   }
   if (typeof jwk.kid !== "string" || !jwk.kid) {
-    throw new Error("ucpSigningKeyFromJWK: JWK missing required field `kid` (or non-string).");
+    throw new Error("UCPSigningKey.fromJWK: JWK missing required field `kid` (or non-string).");
   }
   if (typeof jwk.kty !== "string" || !jwk.kty) {
-    throw new Error("ucpSigningKeyFromJWK: JWK missing required field `kty` (or non-string).");
+    throw new Error("UCPSigningKey.fromJWK: JWK missing required field `kty` (or non-string).");
   }
   if (jwk.kty !== "OKP" && jwk.kty !== "EC" && jwk.kty !== "RSA") {
     throw new Error(
-      `ucpSigningKeyFromJWK: kty=${JSON.stringify(jwk.kty)} is not a supported asymmetric key type (expected OKP, EC, or RSA). Symmetric \`oct\` keys are rejected because they cannot publicly verify a JWS in the trust-mode UCP flow.`
+      `UCPSigningKey.fromJWK: kty=${JSON.stringify(jwk.kty)} is not a supported asymmetric key type (expected OKP, EC, or RSA). Symmetric \`oct\` keys are rejected because they cannot publicly verify a JWS in the trust-mode UCP flow.`
     );
   }
   if ((jwk.kty === "EC" || jwk.kty === "OKP") && (typeof jwk.crv !== "string" || !jwk.crv)) {
-    throw new Error(`ucpSigningKeyFromJWK: kty=${jwk.kty} requires a non-empty \`crv\` field (e.g., "P-256" for EC, "Ed25519" for OKP).`);
+    throw new Error(`UCPSigningKey.fromJWK: kty=${jwk.kty} requires a non-empty \`crv\` field (e.g., "P-256" for EC, "Ed25519" for OKP).`);
   }
   return jwk;
 }
+var UCPSigningKey = {
+  fromJWK: ucpSigningKeyFromJWKImpl
+};
 var DEFAULT_VERSION = "2026-04-08";
 var AGENTSCORE_CAPABILITY_NAME = "sh.agentscore.identity";
-var AGENTSCORE_CAPABILITY_VERSION = "1";
+var AGENTSCORE_CAPABILITY_VERSION = "2026-04-08";
 var AGENTSCORE_DEFAULT_SPEC_URL = "https://agentscore.sh/specification/identity";
 var AGENTSCORE_DEFAULT_SCHEMA_URL = "https://agentscore.sh/schemas/ucp/sh-agentscore-identity-v1.json";
 var AGENTSCORE_EXTENDS = ["dev.ucp.shopping.checkout", "dev.ucp.shopping.cart"];
@@ -420,44 +433,47 @@ var RESERVED_UCP_FIELDS = /* @__PURE__ */ new Set([
   "prototype"
 ]);
 function buildUCPProfile(input) {
+  for (const [name, bindings] of Object.entries(input.services ?? {})) {
+    for (const binding of bindings) {
+      if ((binding.transport === "rest" || binding.transport === "mcp" || binding.transport === "a2a") && (binding.endpoint === void 0 || binding.endpoint === null || binding.endpoint === "")) {
+        throw new Error(
+          `buildUCPProfile: service "${name}" transport=${binding.transport} requires \`endpoint\`. Per UCP spec service.json business_schema, rest/mcp/a2a bindings MUST carry an endpoint URL.`
+        );
+      }
+    }
+  }
+  const paymentHandlers = {};
+  for (const [name, bindings] of Object.entries(input.payment_handlers ?? {})) {
+    paymentHandlers[name] = bindings.map((binding) => {
+      if (Array.isArray(binding.available_instruments) && binding.available_instruments.length === 0) {
+        const { available_instruments: _drop, ...rest } = binding;
+        return rest;
+      }
+      return binding;
+    });
+  }
   const capabilities = {};
   for (const [name, bindings] of Object.entries(input.capabilities ?? {})) {
     capabilities[name] = [...bindings];
   }
-  if (input.data) {
-    const operatorId = input.data.resolved_operator;
-    if (operatorId) {
-      const operatorVerification = input.data.operator_verification;
-      const accountVerification = input.data.account_verification;
-      const claims = {
-        operator_id: operatorId,
-        kyc_level: accountVerification?.kyc_level || operatorVerification?.level || "none",
-        sanctions_clear: accountVerification?.sanctions_clear === true,
-        age_bracket: accountVerification?.age_bracket || "unknown",
-        jurisdiction: accountVerification?.jurisdiction || "",
-        verified_at: accountVerification?.verified_at || operatorVerification?.verified_at || null,
-        verify_url: input.data.verify_url ?? null,
-        issuer: "https://agentscore.sh"
-      };
-      const agentscoreBinding = {
-        version: AGENTSCORE_CAPABILITY_VERSION,
-        spec: input.agentscore_spec_url ?? AGENTSCORE_DEFAULT_SPEC_URL,
-        schema: input.agentscore_schema_url ?? AGENTSCORE_DEFAULT_SCHEMA_URL,
-        extends: AGENTSCORE_EXTENDS,
-        // `claims` is our vendor extra on the binding; allowed per spec via the
-        // `[k: string]: unknown` index signature on UCPCapabilityBinding.
-        claims
-      };
-      const existing = capabilities[AGENTSCORE_CAPABILITY_NAME];
-      if (existing) existing.push(agentscoreBinding);
-      else capabilities[AGENTSCORE_CAPABILITY_NAME] = [agentscoreBinding];
-    }
+  if (input.agentscore_gate) {
+    const gateConfig = { ...input.agentscore_gate };
+    const agentscoreBinding = {
+      version: AGENTSCORE_CAPABILITY_VERSION,
+      spec: input.agentscore_spec_url ?? AGENTSCORE_DEFAULT_SPEC_URL,
+      schema: input.agentscore_schema_url ?? AGENTSCORE_DEFAULT_SCHEMA_URL,
+      extends: AGENTSCORE_EXTENDS
+    };
+    if (Object.keys(gateConfig).length > 0) agentscoreBinding.config = gateConfig;
+    const existing = capabilities[AGENTSCORE_CAPABILITY_NAME];
+    if (existing) existing.push(agentscoreBinding);
+    else capabilities[AGENTSCORE_CAPABILITY_NAME] = [agentscoreBinding];
   }
   const ucp = {
     version: input.version ?? DEFAULT_VERSION,
     services: input.services ?? {},
     capabilities,
-    payment_handlers: input.payment_handlers ?? {}
+    payment_handlers: paymentHandlers
   };
   if (input.name !== void 0) ucp.name = input.name;
   if (input.supported_versions !== void 0) ucp.supported_versions = input.supported_versions;
@@ -758,7 +774,7 @@ function buildJWKSResponse(keys) {
 }
 
 // src/identity/policy.ts
-function policyToGateOptions(policy, base) {
+function buildGateOptionsFromPolicy(policy, base) {
   if (!policy || !policy.enforcement) return null;
   return {
     apiKey: base.apiKey,
@@ -806,11 +822,13 @@ function shippingStateAllowed(state, country, policy) {
 export {
   AGENTSCORE_UCP_CAPABILITY,
   FIXABLE_DENIAL_REASONS,
+  UCPSigningKey,
   UCPVerificationError,
   UCP_A2A_EXTENSION_URI,
   buildA2AAgentCard,
   buildAgentMemoryHint,
   buildContactSupportNextSteps,
+  buildGateOptionsFromPolicy,
   buildJWKSResponse,
   buildSignerMismatchBody,
   buildUCPProfile,
@@ -820,14 +838,12 @@ export {
   extractPaymentSignerAddress,
   generateUCPSigningKey,
   isFixableDenial,
-  policyToGateOptions,
   readX402PaymentHeader,
   runGateWithEnforcement,
   shippingCountryAllowed,
   shippingStateAllowed,
   signUCPProfile,
   ucpA2AExtension,
-  ucpSigningKeyFromJWK,
   verificationAgentInstructions,
   verifyUCPProfile
 };