@agent-score/commerce 1.7.0 → 1.8.0

package/dist/identity/hono.d.ts

@@ -1,6 +1,6 @@
-export { F as FIXABLE_DENIAL_REASONS, b as buildContactSupportNextSteps, a as buildSignerMismatchBody, d as denialReasonStatus, c as denialReasonToBody, i as isFixableDenial, v as verificationAgentInstructions } from '../_response-C2yFQoIA.js';
-export { e as extractPaymentSignerAddress, r as readX402PaymentHeader } from '../signer-kCAJUZwp.js';
-import { AgentScoreCoreOptions, AgentIdentity, DenialReason, CreateSessionOnMissing, AssessResult, FailOpenInfraReason, GateQuotaInfo, VerifyWalletSignerResult } from '../core.js';
+export { F as FIXABLE_DENIAL_REASONS, b as buildContactSupportNextSteps, a as buildSignerMismatchBody, d as denialReasonStatus, c as denialReasonToBody, i as isFixableDenial, v as verificationAgentInstructions } from '../_response-DyJ3mWI3.js';
+export { r as readX402PaymentHeader } from '../signer-CFVQsWjL.js';
+import { AgentScoreCoreOptions, AgentIdentity, DenialReason, CreateSessionOnMissing, AssessResult, FailOpenInfraReason, GateQuotaInfo, SignerVerdict } from '../core.js';
 import { Context, MiddlewareHandler } from 'hono';
 
 interface AgentScoreGateOptions extends Omit<AgentScoreCoreOptions, 'createSessionOnMissing'> {
@@ -72,32 +72,17 @@ declare function captureWallet(c: Context, options: {
     idempotencyKey?: string;
 }): Promise<void>;
 /**
- * Verify the payment signer resolves to the same operator as the claimed `X-Wallet-Address`.
+ * Synchronous read of the cached signer verdicts (`signer_match` wallet-binding +
+ * `signer_sanctions` OFAC SDN wallet-address check). Both verdicts were composed by the
+ * gate's primary `/v1/assess` call on this request — single round trip, no extra API call.
  *
- * Call this AFTER the agent submits a payment credential, BEFORE settling. Returns:
+ * Returns `undefined` when the gate didn't run, the request was operator-token-only, or
+ * no payment credential was attached (discovery legs).
  *
- *   - `pass` — signer matches (byte-equal or same-operator)
- *   - `wallet_signer_mismatch` — signer resolves to a different operator (or is unlinked)
- *   - `wallet_auth_requires_wallet_signing` — payment rail has no wallet signer (SPT/card);
- *     agent should switch to `X-Operator-Token`
- *
- * No-ops (returns `pass` with `claimedOperator: null`) when the request was operator-token
- * authenticated — signer-match only applies to wallet-auth.
- *
- * The helper auto-extracts the signer from MPP (`Authorization: Payment`) or x402
- * (`payment-signature` / `x-payment`) headers. Pass `options.signer` explicitly to override.
- *
- * ```ts
- * app.post('/purchase', async (c) => {
- *   const result = await verifyWalletSignerMatch(c);
- *   if (result.kind !== 'pass') return c.json({ error: result.kind, ...result }, 403);
- *   // ... proceed with settlement ...
- * });
- * ```
+ * Under `policy.require_sanctions_clear`, an OFAC SDN hit (or unavailable lookup) is
+ * already enforced by the gate (decision → deny before the handler runs); merchant code
+ * typically only needs this getter for the `signer_match` wallet-binding verdict.
  */
-declare function verifyWalletSignerMatch(c: Context, options?: {
-    signer?: string | null;
-    network?: 'evm' | 'solana';
-}): Promise<VerifyWalletSignerResult>;
+declare function getSignerVerdict(c: Context): SignerVerdict | undefined;
 
-export { type AgentScoreGateOptions, agentscoreGate, captureWallet, getAgentScoreData, getGateDegradedState, getGateQuotaInfo, verifyWalletSignerMatch };
+export { type AgentScoreGateOptions, agentscoreGate, captureWallet, getAgentScoreData, getGateDegradedState, getGateQuotaInfo, getSignerVerdict };

package/dist/identity/hono.js

@@ -27,14 +27,13 @@ __export(hono_exports, {
   captureWallet: () => captureWallet,
   denialReasonStatus: () => denialReasonStatus,
   denialReasonToBody: () => denialReasonToBody,
-  extractPaymentSignerAddress: () => extractPaymentSignerAddress,
   getAgentScoreData: () => getAgentScoreData,
   getGateDegradedState: () => getGateDegradedState,
   getGateQuotaInfo: () => getGateQuotaInfo,
+  getSignerVerdict: () => getSignerVerdict,
   isFixableDenial: () => isFixableDenial,
   readX402PaymentHeader: () => readX402PaymentHeader,
-  verificationAgentInstructions: () => verificationAgentInstructions,
-  verifyWalletSignerMatch: () => verifyWalletSignerMatch
+  verificationAgentInstructions: () => verificationAgentInstructions
 });
 module.exports = __toCommonJS(hono_exports);
 
@@ -55,7 +54,7 @@ function denialReasonStatus(reason) {
 }
 function buildSignerMismatchBody(input) {
   const { result } = input;
-  if (result.kind === "pass" || result.kind === "api_error") return null;
+  if (result.kind === "pass") return null;
   const learnMoreUrl = input.learnMoreUrl ?? "https://docs.agentscore.sh/guides/agent-identity";
   if (result.kind === "wallet_signer_mismatch") {
     const linkedWallets = result.linkedWallets ?? [];
@@ -365,7 +364,7 @@ function createAgentScoreCore(options) {
   } = options;
   const baseUrl = stripTrailingSlashes(rawBaseUrl);
   const agentMemoryHint = buildAgentMemoryHint();
-  const defaultUa = `@agent-score/commerce@${"1.7.0"}`;
+  const defaultUa = `@agent-score/commerce@${"1.8.0"}`;
   const userAgentHeader = userAgent ? `${userAgent} (${defaultUa})` : defaultUa;
   const sdk = new import_sdk.AgentScore({ apiKey, baseUrl, userAgent: userAgentHeader });
   const sessionSdkCache = /* @__PURE__ */ new Map();
@@ -439,7 +438,7 @@ function createAgentScoreCore(options) {
       return void 0;
     }
   }
-  async function evaluate(identity, ctx) {
+  async function evaluate(identity, ctx, signer) {
     if (!identity || !identity.address && !identity.operatorToken) {
       if (failOpen) return { kind: "allow" };
       const sessionReason = await tryMintSessionDenial(ctx);
@@ -499,7 +498,12 @@ function createAgentScoreCore(options) {
     try {
       const opts = {
         chain: gateChain,
-        ...Object.keys(policy).length > 0 ? { policy } : {}
+        ...Object.keys(policy).length > 0 ? { policy } : {},
+        // Pre-extracted payment signer (by the adapter middleware). When present, the API
+        // composes BOTH signer_match (wallet-binding) and signer_sanctions (OFAC SDN wallet
+        // check) verdicts on the response in one round trip. Under
+        // policy.require_sanctions_clear, a signer_sanctions hit flips decision -> deny inline.
+        ...signer && { signer: { address: signer.address, network: signer.network } }
       };
       const result = identity.address ? await sdk.assess(identity.address, { ...opts, operatorToken: identity.operatorToken }) : await sdk.assess(null, { ...opts, operatorToken: identity.operatorToken });
       data = result;
@@ -607,36 +611,6 @@ function createAgentScoreCore(options) {
       console.warn("[agentscore-commerce] captureWallet failed:", err instanceof Error ? err.message : err);
     }
   }
-  async function resolveWalletToOperator(walletAddress) {
-    const wallet = normalizeAddress(walletAddress);
-    const extractFromCached = (raw) => {
-      const op = raw.resolved_operator;
-      const links = raw.linked_wallets;
-      return {
-        operator: typeof op === "string" ? op : null,
-        linkedWallets: Array.isArray(links) ? links.filter((w) => typeof w === "string") : []
-      };
-    };
-    const plainCached = cache.get(wallet);
-    if (plainCached?.raw) {
-      return { ok: true, ...extractFromCached(plainCached.raw) };
-    }
-    const resolveCached = cache.get(`resolve:${wallet}`);
-    if (resolveCached?.raw) {
-      return { ok: true, ...extractFromCached(resolveCached.raw) };
-    }
-    try {
-      const data = await sdk.assess(walletAddress);
-      cache.set(`resolve:${wallet}`, { allow: true, raw: data });
-      return { ok: true, ...extractFromCached(data) };
-    } catch (err) {
-      console.warn("[gate] resolveWalletToOperator failed \u2014 returning { ok:false }:", err instanceof Error ? err.message : err);
-      return { ok: false };
-    }
-  }
-  function reportSignerEvent(kind) {
-    void sdk.telemetrySignerMatch({ kind });
-  }
   function projectSignerMatch(sm, claimedNorm, signerNorm) {
     const kind = sm.kind;
     if (kind === "pass") {
@@ -664,77 +638,22 @@ function createAgentScoreCore(options) {
       agentInstructions: sm.agent_instructions ?? WALLET_SIGNER_MISMATCH_INSTRUCTIONS
     };
   }
-  async function verifyWalletSignerMatch2(options2) {
-    const { claimedWallet, signer, network } = options2;
-    if (!signer) {
-      reportSignerEvent("wallet_auth_requires_wallet_signing");
-      return {
-        kind: "wallet_auth_requires_wallet_signing",
-        claimedWallet,
-        agentInstructions: WALLET_AUTH_REQUIRES_WALLET_SIGNING_INSTRUCTIONS
-      };
-    }
-    const claimedNorm = normalizeAddress(claimedWallet);
-    const signerNorm = normalizeAddress(signer);
-    if (claimedNorm === signerNorm) {
-      reportSignerEvent("pass");
-      return { kind: "pass", claimedOperator: null, signerOperator: null };
-    }
-    const cachedEntry = cache.get(claimedNorm);
-    const cachedMatch = cachedEntry?.signerMatchBySigner?.get(signerNorm);
-    if (cachedMatch) {
-      return projectSignerMatch(cachedMatch, claimedNorm, signerNorm);
-    }
-    const inferredNetwork = network ?? (signerNorm.startsWith("0x") ? "evm" : "solana");
-    let assessResponse;
-    try {
-      assessResponse = await sdk.assess(claimedNorm, {
-        resolveSigner: { address: signerNorm, network: inferredNetwork }
-      });
-    } catch (err) {
-      console.warn("[gate] verifyWalletSignerMatch assess failed:", err instanceof Error ? err.message : err);
-      reportSignerEvent("api_error");
-      return { kind: "api_error", claimedWallet: claimedNorm };
-    }
-    const signerMatch = assessResponse.signer_match;
-    if (signerMatch && typeof signerMatch === "object") {
-      if (cachedEntry) {
-        const map = cachedEntry.signerMatchBySigner ?? /* @__PURE__ */ new Map();
-        map.set(signerNorm, signerMatch);
-        cachedEntry.signerMatchBySigner = map;
-      } else {
-        const entry = { allow: true, raw: assessResponse };
-        entry.signerMatchBySigner = /* @__PURE__ */ new Map([[signerNorm, signerMatch]]);
-        cache.set(claimedNorm, entry);
-      }
-      return projectSignerMatch(signerMatch, claimedNorm, signerNorm);
-    }
-    const [claimedResolve, signerResolve] = await Promise.all([
-      resolveWalletToOperator(claimedNorm),
-      resolveWalletToOperator(signerNorm)
-    ]);
-    if (!claimedResolve.ok || !signerResolve.ok) {
-      reportSignerEvent("api_error");
-      return { kind: "api_error", claimedWallet: claimedNorm };
-    }
-    const claimedOperator = claimedResolve.operator;
-    const signerOperator = signerResolve.operator;
-    if (claimedOperator && signerOperator && claimedOperator === signerOperator) {
-      reportSignerEvent("pass");
-      return { kind: "pass", claimedOperator, signerOperator };
-    }
-    reportSignerEvent("wallet_signer_mismatch");
+  function getSignerVerdict2(claimedAddress) {
+    const claimedNorm = normalizeAddress(claimedAddress);
+    const cached = cache.get(claimedNorm);
+    if (!cached) return void 0;
+    const raw = cached.raw;
+    if (!raw) return void 0;
+    const rawMatch = raw.signer_match;
+    const rawSanctions = raw.signer_sanctions;
+    if (!rawMatch && !rawSanctions) return void 0;
+    const signerNorm = rawMatch?.actual_signer ?? claimedNorm;
     return {
-      kind: "wallet_signer_mismatch",
-      claimedOperator,
-      actualSignerOperator: signerOperator,
-      expectedSigner: claimedNorm,
-      actualSigner: signerNorm,
-      linkedWallets: claimedResolve.linkedWallets,
-      agentInstructions: WALLET_SIGNER_MISMATCH_INSTRUCTIONS
+      signer_match: rawMatch ? projectSignerMatch(rawMatch, claimedNorm, signerNorm) : null,
+      signer_sanctions: rawSanctions ?? null
     };
   }
-  return { evaluate, captureWallet: captureWallet2, verifyWalletSignerMatch: verifyWalletSignerMatch2 };
+  return { evaluate, captureWallet: captureWallet2, getSignerVerdict: getSignerVerdict2 };
 }
 
 // src/signer.ts
@@ -810,10 +729,6 @@ async function extractPaymentSigner(request, x402PaymentHeader) {
   }
   return null;
 }
-async function extractPaymentSignerAddress(request, x402PaymentHeader) {
-  const result = await extractPaymentSigner(request, x402PaymentHeader);
-  return result?.address ?? null;
-}
 function readX402PaymentHeader(request) {
   return request.headers.get("payment-signature") ?? request.headers.get("x-payment") ?? void 0;
 }
@@ -843,7 +758,8 @@ function agentscoreGate(options) {
       operatorToken: identity?.operatorToken,
       walletAddress: identity?.address
     });
-    const outcome = await core.evaluate(identity, c);
+    const signer = await extractPaymentSigner(c.req.raw, readX402PaymentHeader(c.req.raw));
+    const outcome = await core.evaluate(identity, c, signer);
     if (outcome.kind === "allow") {
       if (outcome.degraded || outcome.quota) {
         const prev = c.get(GATE_STATE_KEY);
@@ -881,17 +797,10 @@ async function captureWallet(c, options) {
     idempotencyKey: options.idempotencyKey
   });
 }
-async function verifyWalletSignerMatch(c, options) {
+function getSignerVerdict(c) {
   const state = c.get(GATE_STATE_KEY);
-  if (!state?.walletAddress || state.operatorToken) {
-    return { kind: "pass", claimedOperator: null, signerOperator: null };
-  }
-  const signer = options?.signer !== void 0 ? options.signer : await extractPaymentSignerAddress(c.req.raw, readX402PaymentHeader(c.req.raw));
-  return state.core.verifyWalletSignerMatch({
-    claimedWallet: state.walletAddress,
-    signer,
-    network: options?.network
-  });
+  if (!state?.walletAddress) return void 0;
+  return state.core.getSignerVerdict(state.walletAddress);
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
@@ -902,13 +811,12 @@ async function verifyWalletSignerMatch(c, options) {
   captureWallet,
   denialReasonStatus,
   denialReasonToBody,
-  extractPaymentSignerAddress,
   getAgentScoreData,
   getGateDegradedState,
   getGateQuotaInfo,
+  getSignerVerdict,
   isFixableDenial,
   readX402PaymentHeader,
-  verificationAgentInstructions,
-  verifyWalletSignerMatch
+  verificationAgentInstructions
 });
 //# sourceMappingURL=hono.js.map