npm - @agent-score/commerce - Versions diffs - 1.7.0 → 1.8.1 - Mend

@agent-score/commerce 1.7.0 → 1.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (62) hide show

package/README.md +3 -3
package/dist/{_response-DpB-cm2c.d.mts → _response-9yp6Fit2.d.mts} +13 -11
package/dist/{_response-C2yFQoIA.d.ts → _response-CC6jNb8q.d.ts} +13 -11
package/dist/challenge/index.d.mts +6 -5
package/dist/challenge/index.d.ts +6 -5
package/dist/challenge/index.js.map +1 -1
package/dist/challenge/index.mjs.map +1 -1
package/dist/core.d.mts +36 -27
package/dist/core.d.ts +36 -27
package/dist/core.js +21 -101
package/dist/core.js.map +1 -1
package/dist/core.mjs +21 -101
package/dist/core.mjs.map +1 -1
package/dist/identity/express.d.mts +12 -13
package/dist/identity/express.d.ts +12 -13
package/dist/identity/express.js +38 -121
package/dist/identity/express.js.map +1 -1
package/dist/identity/express.mjs +36 -118
package/dist/identity/express.mjs.map +1 -1
package/dist/identity/fastify.d.mts +12 -11
package/dist/identity/fastify.d.ts +12 -11
package/dist/identity/fastify.js +38 -121
package/dist/identity/fastify.js.map +1 -1
package/dist/identity/fastify.mjs +36 -118
package/dist/identity/fastify.mjs.map +1 -1
package/dist/identity/hono.d.mts +13 -28
package/dist/identity/hono.d.ts +13 -28
package/dist/identity/hono.js +31 -123
package/dist/identity/hono.js.map +1 -1
package/dist/identity/hono.mjs +29 -120
package/dist/identity/hono.mjs.map +1 -1
package/dist/identity/nextjs.d.mts +8 -7
package/dist/identity/nextjs.d.ts +8 -7
package/dist/identity/nextjs.js +27 -119
package/dist/identity/nextjs.js.map +1 -1
package/dist/identity/nextjs.mjs +27 -118
package/dist/identity/nextjs.mjs.map +1 -1
package/dist/identity/policy.d.mts +1 -0
package/dist/identity/policy.d.ts +1 -0
package/dist/identity/web.d.mts +12 -14
package/dist/identity/web.d.ts +12 -14
package/dist/identity/web.js +27 -119
package/dist/identity/web.js.map +1 -1
package/dist/identity/web.mjs +27 -118
package/dist/identity/web.mjs.map +1 -1
package/dist/index.d.mts +3 -3
package/dist/index.d.ts +3 -3
package/dist/index.js +1 -7
package/dist/index.js.map +1 -1
package/dist/index.mjs +1 -6
package/dist/index.mjs.map +1 -1
package/dist/payment/index.d.mts +2 -2
package/dist/payment/index.d.ts +2 -2
package/dist/payment/index.js.map +1 -1
package/dist/payment/index.mjs.map +1 -1
package/dist/{signer-kCAJUZwp.d.mts → signer-CFVQsWjL.d.mts} +1 -6
package/dist/{signer-kCAJUZwp.d.ts → signer-CFVQsWjL.d.ts} +1 -6
package/dist/stripe-multichain/index.d.mts +1 -1
package/dist/stripe-multichain/index.d.ts +1 -1
package/dist/stripe-multichain/index.js.map +1 -1
package/dist/stripe-multichain/index.mjs.map +1 -1
package/package.json +11 -9

package/dist/identity/fastify.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
-export { F as FIXABLE_DENIAL_REASONS, b as buildContactSupportNextSteps, a as buildSignerMismatchBody, d as denialReasonStatus, c as denialReasonToBody, i as isFixableDenial, v as verificationAgentInstructions } from '../_response-C2yFQoIA.js';
-export { e as extractPaymentSignerAddress, r as readX402PaymentHeader } from '../signer-kCAJUZwp.js';
-import { AgentScoreCoreOptions, AgentIdentity, DenialReason, CreateSessionOnMissing, AssessResult, FailOpenInfraReason, GateQuotaInfo, VerifyWalletSignerResult } from '../core.js';
+export { F as FIXABLE_DENIAL_REASONS, b as buildContactSupportNextSteps, a as buildSignerMismatchBody, d as denialReasonStatus, c as denialReasonToBody, i as isFixableDenial, v as verificationAgentInstructions } from '../_response-CC6jNb8q.js';
+export { r as readX402PaymentHeader } from '../signer-CFVQsWjL.js';
+import { AgentScoreCoreOptions, AgentIdentity, DenialReason, CreateSessionOnMissing, AssessResult, FailOpenInfraReason, GateQuotaInfo, SignerVerdict } from '../core.js';
 import { FastifyRequest, FastifyReply, FastifyPluginAsync } from 'fastify';
 interface AgentScoreGateOptions extends Omit<AgentScoreCoreOptions, 'createSessionOnMissing'> {
@@ -64,15 +64,16 @@ declare function captureWallet(request: FastifyRequest, options: {
     idempotencyKey?: string;
 }): Promise<void>;
 /**
- * Verify the payment signer resolves to the same operator as the claimed X-Wallet-Address.
- * Pass `options.signer` explicitly (extracted from the payment credential); no auto-extraction
- * because Fastify's request isn't a Fetch Request.
+ * Synchronous read of the cached signer verdicts (`signer_match` + `signer_sanctions`).
+ * Both composed by the gate's primary /v1/assess in one round trip. Returns `undefined`
+ * for operator-token paths, discovery legs, or routes the gate didn't run on.
+ *
+ * Under `policy.require_sanctions_clear`, OFAC SDN wallet hits are already enforced by
+ * the gate (decision → deny before the handler runs); merchant code typically only needs
+ * this getter for the `signer_match` wallet-binding verdict.
  */
-declare function verifyWalletSignerMatch(request: FastifyRequest, options: {
-    signer: string | null;
-    network?: 'evm' | 'solana';
-}): Promise<VerifyWalletSignerResult>;
+declare function getSignerVerdict(request: FastifyRequest): SignerVerdict | undefined;
 declare const agentscoreGate: FastifyPluginAsync<AgentScoreGateOptions>;
-export { type AgentScoreGateOptions, agentscoreGate, captureWallet, agentscoreGatePlugin as default, getAgentScoreData, getGateDegradedState, getGateQuotaInfo, verifyWalletSignerMatch };
+export { type AgentScoreGateOptions, agentscoreGate, captureWallet, agentscoreGatePlugin as default, getAgentScoreData, getGateDegradedState, getGateQuotaInfo, getSignerVerdict };

package/dist/identity/fastify.js CHANGED Viewed

@@ -28,14 +28,13 @@ __export(fastify_exports, {
   default: () => fastify_default,
   denialReasonStatus: () => denialReasonStatus,
   denialReasonToBody: () => denialReasonToBody,
-  extractPaymentSignerAddress: () => extractPaymentSignerAddress,
   getAgentScoreData: () => getAgentScoreData,
   getGateDegradedState: () => getGateDegradedState,
   getGateQuotaInfo: () => getGateQuotaInfo,
+  getSignerVerdict: () => getSignerVerdict,
   isFixableDenial: () => isFixableDenial,
   readX402PaymentHeader: () => readX402PaymentHeader,
-  verificationAgentInstructions: () => verificationAgentInstructions,
-  verifyWalletSignerMatch: () => verifyWalletSignerMatch
+  verificationAgentInstructions: () => verificationAgentInstructions
 });
 module.exports = __toCommonJS(fastify_exports);
@@ -56,7 +55,7 @@ function denialReasonStatus(reason) {
 }
 function buildSignerMismatchBody(input) {
   const { result } = input;
-  if (result.kind === "pass" || result.kind === "api_error") return null;
+  if (result.kind === "pass") return null;
   const learnMoreUrl = input.learnMoreUrl ?? "https://docs.agentscore.sh/guides/agent-identity";
   if (result.kind === "wallet_signer_mismatch") {
     const linkedWallets = result.linkedWallets ?? [];
@@ -366,7 +365,7 @@ function createAgentScoreCore(options) {
   } = options;
   const baseUrl = stripTrailingSlashes(rawBaseUrl);
   const agentMemoryHint = buildAgentMemoryHint();
-  const defaultUa = `@agent-score/commerce@${"1.7.0"}`;
+  const defaultUa = `@agent-score/commerce@${"1.8.1"}`;
   const userAgentHeader = userAgent ? `${userAgent} (${defaultUa})` : defaultUa;
   const sdk = new import_sdk.AgentScore({ apiKey, baseUrl, userAgent: userAgentHeader });
   const sessionSdkCache = /* @__PURE__ */ new Map();
@@ -440,7 +439,7 @@ function createAgentScoreCore(options) {
       return void 0;
     }
   }
-  async function evaluate(identity, ctx) {
+  async function evaluate(identity, ctx, signer) {
     if (!identity || !identity.address && !identity.operatorToken) {
       if (failOpen) return { kind: "allow" };
       const sessionReason = await tryMintSessionDenial(ctx);
@@ -500,7 +499,12 @@ function createAgentScoreCore(options) {
     try {
       const opts = {
         chain: gateChain,
-        ...Object.keys(policy).length > 0 ? { policy } : {}
+        ...Object.keys(policy).length > 0 ? { policy } : {},
+        // Pre-extracted payment signer (by the adapter middleware). When present, the API
+        // composes BOTH signer_match (wallet-binding) and signer_sanctions (OFAC SDN wallet
+        // check) verdicts on the response in one round trip. Under
+        // policy.require_sanctions_clear, a signer_sanctions hit flips decision -> deny inline.
+        ...signer && { signer: { address: signer.address, network: signer.network } }
       };
       const result = identity.address ? await sdk.assess(identity.address, { ...opts, operatorToken: identity.operatorToken }) : await sdk.assess(null, { ...opts, operatorToken: identity.operatorToken });
       data = result;
@@ -608,36 +612,6 @@ function createAgentScoreCore(options) {
       console.warn("[agentscore-commerce] captureWallet failed:", err instanceof Error ? err.message : err);
     }
   }
-  async function resolveWalletToOperator(walletAddress) {
-    const wallet = normalizeAddress(walletAddress);
-    const extractFromCached = (raw) => {
-      const op = raw.resolved_operator;
-      const links = raw.linked_wallets;
-      return {
-        operator: typeof op === "string" ? op : null,
-        linkedWallets: Array.isArray(links) ? links.filter((w) => typeof w === "string") : []
-      };
-    };
-    const plainCached = cache.get(wallet);
-    if (plainCached?.raw) {
-      return { ok: true, ...extractFromCached(plainCached.raw) };
-    }
-    const resolveCached = cache.get(`resolve:${wallet}`);
-    if (resolveCached?.raw) {
-      return { ok: true, ...extractFromCached(resolveCached.raw) };
-    }
-    try {
-      const data = await sdk.assess(walletAddress);
-      cache.set(`resolve:${wallet}`, { allow: true, raw: data });
-      return { ok: true, ...extractFromCached(data) };
-    } catch (err) {
-      console.warn("[gate] resolveWalletToOperator failed \u2014 returning { ok:false }:", err instanceof Error ? err.message : err);
-      return { ok: false };
-    }
-  }
-  function reportSignerEvent(kind) {
-    void sdk.telemetrySignerMatch({ kind });
-  }
   function projectSignerMatch(sm, claimedNorm, signerNorm) {
     const kind = sm.kind;
     if (kind === "pass") {
@@ -665,77 +639,22 @@ function createAgentScoreCore(options) {
       agentInstructions: sm.agent_instructions ?? WALLET_SIGNER_MISMATCH_INSTRUCTIONS
     };
   }
-  async function verifyWalletSignerMatch2(options2) {
-    const { claimedWallet, signer, network } = options2;
-    if (!signer) {
-      reportSignerEvent("wallet_auth_requires_wallet_signing");
-      return {
-        kind: "wallet_auth_requires_wallet_signing",
-        claimedWallet,
-        agentInstructions: WALLET_AUTH_REQUIRES_WALLET_SIGNING_INSTRUCTIONS
-      };
-    }
-    const claimedNorm = normalizeAddress(claimedWallet);
-    const signerNorm = normalizeAddress(signer);
-    if (claimedNorm === signerNorm) {
-      reportSignerEvent("pass");
-      return { kind: "pass", claimedOperator: null, signerOperator: null };
-    }
-    const cachedEntry = cache.get(claimedNorm);
-    const cachedMatch = cachedEntry?.signerMatchBySigner?.get(signerNorm);
-    if (cachedMatch) {
-      return projectSignerMatch(cachedMatch, claimedNorm, signerNorm);
-    }
-    const inferredNetwork = network ?? (signerNorm.startsWith("0x") ? "evm" : "solana");
-    let assessResponse;
-    try {
-      assessResponse = await sdk.assess(claimedNorm, {
-        resolveSigner: { address: signerNorm, network: inferredNetwork }
-      });
-    } catch (err) {
-      console.warn("[gate] verifyWalletSignerMatch assess failed:", err instanceof Error ? err.message : err);
-      reportSignerEvent("api_error");
-      return { kind: "api_error", claimedWallet: claimedNorm };
-    }
-    const signerMatch = assessResponse.signer_match;
-    if (signerMatch && typeof signerMatch === "object") {
-      if (cachedEntry) {
-        const map = cachedEntry.signerMatchBySigner ?? /* @__PURE__ */ new Map();
-        map.set(signerNorm, signerMatch);
-        cachedEntry.signerMatchBySigner = map;
-      } else {
-        const entry = { allow: true, raw: assessResponse };
-        entry.signerMatchBySigner = /* @__PURE__ */ new Map([[signerNorm, signerMatch]]);
-        cache.set(claimedNorm, entry);
-      }
-      return projectSignerMatch(signerMatch, claimedNorm, signerNorm);
-    }
-    const [claimedResolve, signerResolve] = await Promise.all([
-      resolveWalletToOperator(claimedNorm),
-      resolveWalletToOperator(signerNorm)
-    ]);
-    if (!claimedResolve.ok || !signerResolve.ok) {
-      reportSignerEvent("api_error");
-      return { kind: "api_error", claimedWallet: claimedNorm };
-    }
-    const claimedOperator = claimedResolve.operator;
-    const signerOperator = signerResolve.operator;
-    if (claimedOperator && signerOperator && claimedOperator === signerOperator) {
-      reportSignerEvent("pass");
-      return { kind: "pass", claimedOperator, signerOperator };
-    }
-    reportSignerEvent("wallet_signer_mismatch");
+  function getSignerVerdict2(claimedAddress) {
+    const claimedNorm = normalizeAddress(claimedAddress);
+    const cached = cache.get(claimedNorm);
+    if (!cached) return void 0;
+    const raw = cached.raw;
+    if (!raw) return void 0;
+    const rawMatch = raw.signer_match;
+    const rawSanctions = raw.signer_sanctions;
+    if (!rawMatch && !rawSanctions) return void 0;
+    const signerNorm = rawMatch?.actual_signer ?? claimedNorm;
     return {
-      kind: "wallet_signer_mismatch",
-      claimedOperator,
-      actualSignerOperator: signerOperator,
-      expectedSigner: claimedNorm,
-      actualSigner: signerNorm,
-      linkedWallets: claimedResolve.linkedWallets,
-      agentInstructions: WALLET_SIGNER_MISMATCH_INSTRUCTIONS
+      signer_match: rawMatch ? projectSignerMatch(rawMatch, claimedNorm, signerNorm) : null,
+      signer_sanctions: rawSanctions ?? null
     };
   }
-  return { evaluate, captureWallet: captureWallet2, verifyWalletSignerMatch: verifyWalletSignerMatch2 };
+  return { evaluate, captureWallet: captureWallet2, getSignerVerdict: getSignerVerdict2 };
 }
 // src/signer.ts
@@ -811,9 +730,11 @@ async function extractPaymentSigner(request, x402PaymentHeader) {
   }
   return null;
 }
-async function extractPaymentSignerAddress(request, x402PaymentHeader) {
-  const result = await extractPaymentSigner(request, x402PaymentHeader);
-  return result?.address ?? null;
+async function extractPaymentSignerFromAuth(authHeader, x402PaymentHeader) {
+  const request = new Request("http://internal.gate/", {
+    headers: authHeader ? { authorization: authHeader } : {}
+  });
+  return extractPaymentSigner(request, x402PaymentHeader);
 }
 function readX402PaymentHeader(request) {
   return request.headers.get("payment-signature") ?? request.headers.get("x-payment") ?? void 0;
@@ -843,7 +764,10 @@ var agentscoreGatePlugin = async (fastify, options) => {
       operatorToken: identity?.operatorToken,
       walletAddress: identity?.address
     };
-    const outcome = await core.evaluate(identity, request);
+    const authHeader = request.headers.authorization ?? null;
+    const x402Header = request.headers["payment-signature"] ?? request.headers["x-payment"];
+    const signer = await extractPaymentSignerFromAuth(authHeader, x402Header);
+    const outcome = await core.evaluate(identity, request, signer);
     if (outcome.kind === "allow") {
       const state = request[GATE_STATE_KEY];
       if (state) {
@@ -880,16 +804,10 @@ async function captureWallet(request, options) {
     idempotencyKey: options.idempotencyKey
   });
 }
-async function verifyWalletSignerMatch(request, options) {
+function getSignerVerdict(request) {
   const state = request[GATE_STATE_KEY];
-  if (!state?.walletAddress || state.operatorToken) {
-    return { kind: "pass", claimedOperator: null, signerOperator: null };
-  }
-  return state.core.verifyWalletSignerMatch({
-    claimedWallet: state.walletAddress,
-    signer: options.signer,
-    network: options.network
-  });
+  if (!state?.walletAddress) return void 0;
+  return state.core.getSignerVerdict(state.walletAddress);
 }
 agentscoreGatePlugin[/* @__PURE__ */ Symbol.for("skip-override")] = true;
 var agentscoreGate = agentscoreGatePlugin;
@@ -903,13 +821,12 @@ var fastify_default = agentscoreGatePlugin;
   captureWallet,
   denialReasonStatus,
   denialReasonToBody,
-  extractPaymentSignerAddress,
   getAgentScoreData,
   getGateDegradedState,
   getGateQuotaInfo,
+  getSignerVerdict,
   isFixableDenial,
   readX402PaymentHeader,
-  verificationAgentInstructions,
-  verifyWalletSignerMatch
+  verificationAgentInstructions
 });
 //# sourceMappingURL=fastify.js.map