@agent-score/commerce 1.7.0 → 1.8.0

package/dist/identity/web.mjs

@@ -15,7 +15,7 @@ function denialReasonStatus(reason) {
 }
 function buildSignerMismatchBody(input) {
   const { result } = input;
-  if (result.kind === "pass" || result.kind === "api_error") return null;
+  if (result.kind === "pass") return null;
   const learnMoreUrl = input.learnMoreUrl ?? "https://docs.agentscore.sh/guides/agent-identity";
   if (result.kind === "wallet_signer_mismatch") {
     const linkedWallets = result.linkedWallets ?? [];
@@ -332,7 +332,7 @@ function createAgentScoreCore(options) {
   } = options;
   const baseUrl = stripTrailingSlashes(rawBaseUrl);
   const agentMemoryHint = buildAgentMemoryHint();
-  const defaultUa = `@agent-score/commerce@${"1.7.0"}`;
+  const defaultUa = `@agent-score/commerce@${"1.8.0"}`;
   const userAgentHeader = userAgent ? `${userAgent} (${defaultUa})` : defaultUa;
   const sdk = new AgentScore({ apiKey, baseUrl, userAgent: userAgentHeader });
   const sessionSdkCache = /* @__PURE__ */ new Map();
@@ -406,7 +406,7 @@ function createAgentScoreCore(options) {
       return void 0;
     }
   }
-  async function evaluate(identity, ctx) {
+  async function evaluate(identity, ctx, signer) {
     if (!identity || !identity.address && !identity.operatorToken) {
       if (failOpen) return { kind: "allow" };
       const sessionReason = await tryMintSessionDenial(ctx);
@@ -466,7 +466,12 @@ function createAgentScoreCore(options) {
     try {
       const opts = {
         chain: gateChain,
-        ...Object.keys(policy).length > 0 ? { policy } : {}
+        ...Object.keys(policy).length > 0 ? { policy } : {},
+        // Pre-extracted payment signer (by the adapter middleware). When present, the API
+        // composes BOTH signer_match (wallet-binding) and signer_sanctions (OFAC SDN wallet
+        // check) verdicts on the response in one round trip. Under
+        // policy.require_sanctions_clear, a signer_sanctions hit flips decision -> deny inline.
+        ...signer && { signer: { address: signer.address, network: signer.network } }
       };
       const result = identity.address ? await sdk.assess(identity.address, { ...opts, operatorToken: identity.operatorToken }) : await sdk.assess(null, { ...opts, operatorToken: identity.operatorToken });
       data = result;
@@ -574,36 +579,6 @@ function createAgentScoreCore(options) {
       console.warn("[agentscore-commerce] captureWallet failed:", err instanceof Error ? err.message : err);
     }
   }
-  async function resolveWalletToOperator(walletAddress) {
-    const wallet = normalizeAddress(walletAddress);
-    const extractFromCached = (raw) => {
-      const op = raw.resolved_operator;
-      const links = raw.linked_wallets;
-      return {
-        operator: typeof op === "string" ? op : null,
-        linkedWallets: Array.isArray(links) ? links.filter((w) => typeof w === "string") : []
-      };
-    };
-    const plainCached = cache.get(wallet);
-    if (plainCached?.raw) {
-      return { ok: true, ...extractFromCached(plainCached.raw) };
-    }
-    const resolveCached = cache.get(`resolve:${wallet}`);
-    if (resolveCached?.raw) {
-      return { ok: true, ...extractFromCached(resolveCached.raw) };
-    }
-    try {
-      const data = await sdk.assess(walletAddress);
-      cache.set(`resolve:${wallet}`, { allow: true, raw: data });
-      return { ok: true, ...extractFromCached(data) };
-    } catch (err) {
-      console.warn("[gate] resolveWalletToOperator failed \u2014 returning { ok:false }:", err instanceof Error ? err.message : err);
-      return { ok: false };
-    }
-  }
-  function reportSignerEvent(kind) {
-    void sdk.telemetrySignerMatch({ kind });
-  }
   function projectSignerMatch(sm, claimedNorm, signerNorm) {
     const kind = sm.kind;
     if (kind === "pass") {
@@ -631,77 +606,22 @@ function createAgentScoreCore(options) {
       agentInstructions: sm.agent_instructions ?? WALLET_SIGNER_MISMATCH_INSTRUCTIONS
     };
   }
-  async function verifyWalletSignerMatch(options2) {
-    const { claimedWallet, signer, network } = options2;
-    if (!signer) {
-      reportSignerEvent("wallet_auth_requires_wallet_signing");
-      return {
-        kind: "wallet_auth_requires_wallet_signing",
-        claimedWallet,
-        agentInstructions: WALLET_AUTH_REQUIRES_WALLET_SIGNING_INSTRUCTIONS
-      };
-    }
-    const claimedNorm = normalizeAddress(claimedWallet);
-    const signerNorm = normalizeAddress(signer);
-    if (claimedNorm === signerNorm) {
-      reportSignerEvent("pass");
-      return { kind: "pass", claimedOperator: null, signerOperator: null };
-    }
-    const cachedEntry = cache.get(claimedNorm);
-    const cachedMatch = cachedEntry?.signerMatchBySigner?.get(signerNorm);
-    if (cachedMatch) {
-      return projectSignerMatch(cachedMatch, claimedNorm, signerNorm);
-    }
-    const inferredNetwork = network ?? (signerNorm.startsWith("0x") ? "evm" : "solana");
-    let assessResponse;
-    try {
-      assessResponse = await sdk.assess(claimedNorm, {
-        resolveSigner: { address: signerNorm, network: inferredNetwork }
-      });
-    } catch (err) {
-      console.warn("[gate] verifyWalletSignerMatch assess failed:", err instanceof Error ? err.message : err);
-      reportSignerEvent("api_error");
-      return { kind: "api_error", claimedWallet: claimedNorm };
-    }
-    const signerMatch = assessResponse.signer_match;
-    if (signerMatch && typeof signerMatch === "object") {
-      if (cachedEntry) {
-        const map = cachedEntry.signerMatchBySigner ?? /* @__PURE__ */ new Map();
-        map.set(signerNorm, signerMatch);
-        cachedEntry.signerMatchBySigner = map;
-      } else {
-        const entry = { allow: true, raw: assessResponse };
-        entry.signerMatchBySigner = /* @__PURE__ */ new Map([[signerNorm, signerMatch]]);
-        cache.set(claimedNorm, entry);
-      }
-      return projectSignerMatch(signerMatch, claimedNorm, signerNorm);
-    }
-    const [claimedResolve, signerResolve] = await Promise.all([
-      resolveWalletToOperator(claimedNorm),
-      resolveWalletToOperator(signerNorm)
-    ]);
-    if (!claimedResolve.ok || !signerResolve.ok) {
-      reportSignerEvent("api_error");
-      return { kind: "api_error", claimedWallet: claimedNorm };
-    }
-    const claimedOperator = claimedResolve.operator;
-    const signerOperator = signerResolve.operator;
-    if (claimedOperator && signerOperator && claimedOperator === signerOperator) {
-      reportSignerEvent("pass");
-      return { kind: "pass", claimedOperator, signerOperator };
-    }
-    reportSignerEvent("wallet_signer_mismatch");
+  function getSignerVerdict(claimedAddress) {
+    const claimedNorm = normalizeAddress(claimedAddress);
+    const cached = cache.get(claimedNorm);
+    if (!cached) return void 0;
+    const raw = cached.raw;
+    if (!raw) return void 0;
+    const rawMatch = raw.signer_match;
+    const rawSanctions = raw.signer_sanctions;
+    if (!rawMatch && !rawSanctions) return void 0;
+    const signerNorm = rawMatch?.actual_signer ?? claimedNorm;
     return {
-      kind: "wallet_signer_mismatch",
-      claimedOperator,
-      actualSignerOperator: signerOperator,
-      expectedSigner: claimedNorm,
-      actualSigner: signerNorm,
-      linkedWallets: claimedResolve.linkedWallets,
-      agentInstructions: WALLET_SIGNER_MISMATCH_INSTRUCTIONS
+      signer_match: rawMatch ? projectSignerMatch(rawMatch, claimedNorm, signerNorm) : null,
+      signer_sanctions: rawSanctions ?? null
     };
   }
-  return { evaluate, captureWallet, verifyWalletSignerMatch };
+  return { evaluate, captureWallet, getSignerVerdict };
 }
 
 // src/signer.ts
@@ -777,10 +697,6 @@ async function extractPaymentSigner(request, x402PaymentHeader) {
   }
   return null;
 }
-async function extractPaymentSignerAddress(request, x402PaymentHeader) {
-  const result = await extractPaymentSigner(request, x402PaymentHeader);
-  return result?.address ?? null;
-}
 function readX402PaymentHeader(request) {
   return request.headers.get("payment-signature") ?? request.headers.get("x-payment") ?? void 0;
 }
@@ -806,22 +722,16 @@ function createAgentScoreGate(options) {
   const core = createAgentScoreCore(coreOptions);
   return async (req) => {
     const identity = extractIdentity(req);
-    const outcome = await core.evaluate(identity, req);
+    const signer = await extractPaymentSigner(req, readX402PaymentHeader(req));
+    const outcome = await core.evaluate(identity, req, signer);
     if (outcome.kind === "allow") {
       const captureWallet = identity?.operatorToken ? (opts) => core.captureWallet({ operatorToken: identity.operatorToken, ...opts }) : void 0;
-      const verifyWalletSignerMatchBound = identity?.address && !identity?.operatorToken ? async (opts) => {
-        const signer = opts?.signer !== void 0 ? opts.signer : await extractPaymentSignerAddress(req, readX402PaymentHeader(req));
-        return core.verifyWalletSignerMatch({
-          claimedWallet: identity.address,
-          signer,
-          network: opts?.network
-        });
-      } : void 0;
+      const getSignerVerdictBound = identity?.address && !identity?.operatorToken ? () => core.getSignerVerdict(identity.address) : void 0;
       return {
         allowed: true,
         data: outcome.data,
         captureWallet,
-        verifyWalletSignerMatch: verifyWalletSignerMatchBound,
+        getSignerVerdict: getSignerVerdictBound,
         ...outcome.degraded ? { degraded: true, infraReason: outcome.infraReason } : {},
         ...outcome.quota ? { quota: outcome.quota } : {}
       };
@@ -840,7 +750,7 @@ function withAgentScoreGate(options, handler) {
       {
         data: result.data,
         captureWallet: result.captureWallet,
-        verifyWalletSignerMatch: result.verifyWalletSignerMatch,
+        getSignerVerdict: result.getSignerVerdict,
         ...result.degraded ? { degraded: true, infraReason: result.infraReason } : {},
         ...result.quota ? { quota: result.quota } : {}
       },
@@ -855,7 +765,6 @@ export {
   createAgentScoreGate,
   denialReasonStatus,
   denialReasonToBody,
-  extractPaymentSignerAddress,
   isFixableDenial,
   readX402PaymentHeader,
   verificationAgentInstructions,