@agent-score/commerce 1.6.0 → 1.8.0

package/README.md

@@ -23,11 +23,12 @@ npm install hono mppx @x402/core @x402/evm @solana/mpp @solana/kit stripe   # wh
 
 | Subpath | What it provides |
 |---|---|
-| `/identity/{hono,express,fastify}` | Trust gate middleware: KYC, sanctions, age, jurisdiction. Context-getter pattern: `agentscoreGate(opts)` middleware + `getAgentScoreData(ctx)` / `getGateDegradedState(ctx)` / `getGateQuotaInfo(ctx)` accessors, `captureWallet(...)`, `verifyWalletSignerMatch(...)`. Plus shared denial helpers: `denialReasonStatus`, `denialReasonToBody`, `buildSignerMismatchBody`, `buildContactSupportNextSteps`, `verificationAgentInstructions`, `isFixableDenial`, `FIXABLE_DENIAL_REASONS`. |
-| `/identity/{nextjs,web}` | Same gate, wrapper pattern: `withAgentScoreGate(opts, handler)` / `createAgentScoreGate(opts) => guard(req)`. The `data` + `degraded` + `infraReason` fields land directly on the handler arg / guard result (no separate getter). Plus shared `captureWallet`, `verifyWalletSignerMatch`. |
+| `/identity/{hono,express,fastify}` | Trust gate middleware: KYC, sanctions (account name + signer wallet), age, jurisdiction. Context-getter pattern: `agentscoreGate(opts)` middleware + `getAgentScoreData(ctx)` / `getGateDegradedState(ctx)` / `getGateQuotaInfo(ctx)` / `getSignerVerdict(ctx)` accessors, `captureWallet(...)`. Plus shared denial helpers: `denialReasonStatus`, `denialReasonToBody`, `buildSignerMismatchBody`, `buildContactSupportNextSteps`, `verificationAgentInstructions`, `isFixableDenial`, `FIXABLE_DENIAL_REASONS`. |
+| `/identity/policy` | Per-product compliance helpers for multi-product merchants (each product carries its own policy: hard gate vs soft vs none, per-product shipping allowlists): `PolicyBlock`, `GateResult`, `EnforcementMode`, `IdentityStatus`, `buildGateOptionsFromPolicy`, `runGateWithEnforcement`, `shippingCountryAllowed`, `shippingStateAllowed`. |
+| `/identity/{nextjs,web}` | Same gate, wrapper pattern: `withAgentScoreGate(opts, handler)` / `createAgentScoreGate(opts) => guard(req)`. The `data` + `degraded` + `infraReason` + `getSignerVerdict` fields land directly on the handler arg / guard result (no separate getter). Plus shared `captureWallet`. |
 | `/payment` | `networks`, `USDC`, `rails` registries; `paymentDirective`, `buildPaymentDirective`, `wwwAuthenticateHeader`, `paymentRequiredHeader`, `aliasAmountFields` (v1↔v2 amount field shim: emits both `amount` and `maxAmountRequired` so v1-only x402 parsers like Coinbase awal can read v2 bodies), `settlementOverrideHeader`, `dispatchSettlementByNetwork`, `extractPaymentSigner` (returns `{address, network}`); `createX402Server`, `createMppxServer`; drop-in x402 helpers: `validateX402NetworkConfig` (boot-time guard), `verifyX402Request` (parse + validate inbound X-Payment), `processX402Settle` (verify-then-settle with one call), `classifyX402SettleResult` (maps the tagged settle result to a recommended HTTP status / code / nextSteps so merchants get a controlled envelope without coupling to facilitator-specific error text). |
 | `/discovery` | `isDiscoveryProbeRequest`, `buildDiscoveryProbeResponse` (with optional `x402Sample` for x402-aware crawlers, e.g. `awal x402 details`), `sampleX402AcceptForNetwork` (USDC sample-accept builder for known CAIP-2 networks), `buildWellKnownMpp`, `buildLlmsTxt` + `llmsTxtIdentitySection` + `llmsTxtPaymentSection` (compact + verbose modes), `buildSkillMd` (Claude-Skill-compatible `/skill.md` agent-discovery manifest; strictly agent-facing data only, no internal posture), `agentscoreOpenApiSnippets`, `createBazaarDiscovery`, `noindexNonDiscoveryPaths` (Hono middleware that emits `X-Robots-Tag: noindex` on every path except the agent-discovery surfaces; defaults cover `/openapi.json`, `/llms.txt`, `/skill.md`, `/.well-known/{mpp.json,agent-card.json,ucp,jwks.json}`, `/favicon.{png,ico}`; pure helpers `isDiscoveryPath` + `defaultDiscoveryPaths` for non-Hono frameworks). |
-| `/challenge` | `build402Body`, `buildAcceptedMethods`, `buildIdentityMetadata`, `buildHowToPay`, `buildAgentInstructions` (auto-emits per-rail `compatible_clients`: smoke-verified CLIs the agent should use; vendor override supported), `buildPricingBlock`, `firstEncounterAgentMemory`, `OrderReceipt`; `respond402`, a drop-in 402 emit that preserves mppx's `WWW-Authenticate` and layers x402's `PAYMENT-REQUIRED`. `buildValidationError`: structured 4xx body builder (`{error: {code, message}, required_fields?, example_body?, next_steps?, ...extra}`) so vendors compose body shapes by name instead of inlining at every validation site. |
+| `/challenge` | `build402Body`, `buildAcceptedMethods`, `buildIdentityMetadata`, `buildHowToPay`, `buildAgentInstructions` (auto-emits per-rail `compatible_clients`: smoke-verified CLIs the agent should use; vendor override supported; pure helper `compatibleClientsByRails(rails)` returns the same map for vendors building custom 402s), `buildPricingBlock`, `firstEncounterAgentMemory`, `OrderReceipt`; `respond402`, a drop-in 402 emit that preserves mppx's `WWW-Authenticate` and layers x402's `PAYMENT-REQUIRED`. `buildValidationError`: structured 4xx body builder (`{error: {code, message}, required_fields?, example_body?, next_steps?, ...extra}`) so vendors compose body shapes by name instead of inlining at every validation site. |
 | `/stripe-multichain` | `createMultichainPaymentIntent`, `getDepositAddress`, `simulateCryptoDeposit`, `createMppxStripe`; `createPiCache` (TTL'd PI / deposit-address cache, Redis-backed when `redisUrl` set, in-memory otherwise), `simulateDepositIfTestMode` (gates on `sk_test_` and looks up the PI for you), `STRIPE_TEST_TX_HASH_SUCCESS` / `STRIPE_TEST_TX_HASH_FAILED` constants. Peer dep on `stripe`. |
 | `/api` | Everything from `@agent-score/sdk` re-exported in one place: `AgentScore` + `AgentScoreError`, `AGENTSCORE_TEST_ADDRESSES` + `isAgentScoreTestAddress`. **Don't add `@agent-score/sdk` as a separate dep**; the two can drift versions and cause subtle type mismatches. |
 
@@ -41,7 +42,7 @@ import {
   agentscoreGate,
   captureWallet,
   getAgentScoreData,
-  verifyWalletSignerMatch,
+  getSignerVerdict,
 } from "@agent-score/commerce/identity/hono";
 
 const app = new Hono();
@@ -223,12 +224,9 @@ const profile = buildUCPProfile({
     ],
   },
   payment_handlers: {
-    'sh.agentscore.payment.tempo': [{
-      id: 'tempo', version: '2026-04-08',
-      spec: 'https://agentscore.sh/specification/payment-handlers/tempo',
-      schema: 'https://agentscore.sh/schemas/payment-handlers/tempo.json',
-      config: { recipient: TEMPO_ADDR },
-    }],
+    ...mppPaymentHandler({ networks: [{ network: 'tempo-mainnet', chain_id: 4217, recipient: TEMPO_ADDR }] }),
+    ...x402PaymentHandler({ networks: [{ network: 'base-8453', recipient: BASE_ADDR }] }),
+    ...stripeSptPaymentHandler({ profile_id: 'profile_5xKvNqM9BaH' }),
   },
   signing_keys,
   // Optional: declare the merchant's gate policy as an `sh.agentscore.identity` capability

package/dist/{_response-DpB-cm2c.d.mts → _response-BMt2y4Or.d.mts}

@@ -8,8 +8,8 @@ import { VerifyWalletSignerResult, DenialReason } from './core.mjs';
  *     be resolved by re-completing KYC (vs sanctions / age failures which are permanent).
  *   - `denialReasonStatus` — picks the right HTTP status code per denial code (401 for credential
  *     problems, 503 for transient API errors, 403 for everything else).
- *   - `buildSignerMismatchBody` — produces the standard 403 body for a `verifyWalletSignerMatch`
- *     non-pass result.
+ *   - `buildSignerMismatchBody` — produces the standard 403 body for a non-pass signer_match
+ *     verdict (read via `getSignerVerdict`).
  *   - `buildContactSupportNextSteps` — standard `next_steps.action: "contact_support"` shape for
  *     unfixable compliance denials.
  *   - `verificationAgentInstructions` — the canned `agent_instructions` block for
@@ -50,7 +50,8 @@ declare function isFixableDenial(reasons: readonly string[] | undefined): boolea
  */
 declare function denialReasonStatus(reason: DenialReason): 401 | 403 | 503;
 interface SignerMismatchBodyInput {
-    /** Result from `verifyWalletSignerMatch`. The function only emits a body for non-pass results. */
+    /** Projected signer_match verdict (from `getSignerVerdict(ctx).signer_match`). Only non-pass
+     *  kinds produce a body. */
     result: VerifyWalletSignerResult;
     /** Optional override for the human-facing `next_steps.user_message`. */
     userMessage?: string;
@@ -58,12 +59,14 @@ interface SignerMismatchBodyInput {
     learnMoreUrl?: string;
 }
 /**
- * Standard 403 body for a non-pass `verifyWalletSignerMatch` result. Returns null for `pass` /
- * `api_error` so vendors can call it unconditionally:
+ * Standard 403 body for a non-pass signer-match verdict. Returns null for `pass` so vendors
+ * can call it unconditionally:
  *
- *   const result = await verifyWalletSignerMatch(c);
- *   const mismatchBody = buildSignerMismatchBody({ result });
- *   if (mismatchBody) return c.json(mismatchBody, 403);
+ *   const verdict = getSignerVerdict(c);
+ *   if (verdict?.signer_match) {
+ *     const mismatchBody = buildSignerMismatchBody({ result: verdict.signer_match });
+ *     if (mismatchBody) return c.json(mismatchBody, 403);
+ *   }
  *
  * Body shape mirrors the gate's denial bodies: top-level error.code, all signer-match fields
  * (`claimed_operator`, `actual_signer_operator`, `expected_signer`, `actual_signer`,

package/dist/{_response-C2yFQoIA.d.ts → _response-DyJ3mWI3.d.ts}

@@ -8,8 +8,8 @@ import { VerifyWalletSignerResult, DenialReason } from './core.js';
  *     be resolved by re-completing KYC (vs sanctions / age failures which are permanent).
  *   - `denialReasonStatus` — picks the right HTTP status code per denial code (401 for credential
  *     problems, 503 for transient API errors, 403 for everything else).
- *   - `buildSignerMismatchBody` — produces the standard 403 body for a `verifyWalletSignerMatch`
- *     non-pass result.
+ *   - `buildSignerMismatchBody` — produces the standard 403 body for a non-pass signer_match
+ *     verdict (read via `getSignerVerdict`).
  *   - `buildContactSupportNextSteps` — standard `next_steps.action: "contact_support"` shape for
  *     unfixable compliance denials.
  *   - `verificationAgentInstructions` — the canned `agent_instructions` block for
@@ -50,7 +50,8 @@ declare function isFixableDenial(reasons: readonly string[] | undefined): boolea
  */
 declare function denialReasonStatus(reason: DenialReason): 401 | 403 | 503;
 interface SignerMismatchBodyInput {
-    /** Result from `verifyWalletSignerMatch`. The function only emits a body for non-pass results. */
+    /** Projected signer_match verdict (from `getSignerVerdict(ctx).signer_match`). Only non-pass
+     *  kinds produce a body. */
     result: VerifyWalletSignerResult;
     /** Optional override for the human-facing `next_steps.user_message`. */
     userMessage?: string;
@@ -58,12 +59,14 @@ interface SignerMismatchBodyInput {
     learnMoreUrl?: string;
 }
 /**
- * Standard 403 body for a non-pass `verifyWalletSignerMatch` result. Returns null for `pass` /
- * `api_error` so vendors can call it unconditionally:
+ * Standard 403 body for a non-pass signer-match verdict. Returns null for `pass` so vendors
+ * can call it unconditionally:
  *
- *   const result = await verifyWalletSignerMatch(c);
- *   const mismatchBody = buildSignerMismatchBody({ result });
- *   if (mismatchBody) return c.json(mismatchBody, 403);
+ *   const verdict = getSignerVerdict(c);
+ *   if (verdict?.signer_match) {
+ *     const mismatchBody = buildSignerMismatchBody({ result: verdict.signer_match });
+ *     if (mismatchBody) return c.json(mismatchBody, 403);
+ *   }
  *
  * Body shape mirrors the gate's denial bodies: top-level error.code, all signer-match fields
  * (`claimed_operator`, `actual_signer_operator`, `expected_signer`, `actual_signer`,

package/dist/challenge/index.d.mts

@@ -3,6 +3,7 @@ export { B as BuildAgentInstructionsInput, a as BuildHowToPayInput, C as Compati
 import { AgentMemoryHint } from '../core.mjs';
 export { buildAgentMemoryHint } from '../core.mjs';
 import { P as PaymentRequiredHeaderInput } from '../wwwauthenticate-CU1eNvMQ.mjs';
+import '../signer-CFVQsWjL.mjs';
 
 interface TempoMethodEntry {
     method: 'tempo/charge';
@@ -86,7 +87,7 @@ interface IdentityMetadataInput {
     mode: IdentityMode;
     /** Claimed wallet address (when mode === 'wallet'). */
     wallet?: string;
-    /** Result of a prior verifyWalletSignerMatch call. */
+    /** Projected signer_match verdict (from `getSignerVerdict(ctx).signer_match`). */
     signerMatchResult?: SignerMatchResultLike;
     /** Same-operator linked wallets (from assess response). */
     linkedWallets?: string[];

package/dist/challenge/index.d.ts

@@ -3,6 +3,7 @@ export { B as BuildAgentInstructionsInput, a as BuildHowToPayInput, C as Compati
 import { AgentMemoryHint } from '../core.js';
 export { buildAgentMemoryHint } from '../core.js';
 import { P as PaymentRequiredHeaderInput } from '../wwwauthenticate-CU1eNvMQ.js';
+import '../signer-CFVQsWjL.js';
 
 interface TempoMethodEntry {
     method: 'tempo/charge';
@@ -86,7 +87,7 @@ interface IdentityMetadataInput {
     mode: IdentityMode;
     /** Claimed wallet address (when mode === 'wallet'). */
     wallet?: string;
-    /** Result of a prior verifyWalletSignerMatch call. */
+    /** Projected signer_match verdict (from `getSignerVerdict(ctx).signer_match`). */
     signerMatchResult?: SignerMatchResultLike;
     /** Same-operator linked wallets (from assess response). */
     linkedWallets?: string[];