@agent-score/commerce 1.8.0 → 2.0.0

package/dist/index.mjs

@@ -1,3 +1,1151 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/identity/ucp.ts
+function ucpSigningKeyFromJWKImpl(jwk) {
+  if (!jwk || typeof jwk !== "object") {
+    throw new Error(`UCPSigningKey.fromJWK expected a non-null object; got ${typeof jwk}.`);
+  }
+  if (typeof jwk.kid !== "string" || !jwk.kid) {
+    throw new Error("UCPSigningKey.fromJWK: JWK missing required field `kid` (or non-string).");
+  }
+  if (typeof jwk.kty !== "string" || !jwk.kty) {
+    throw new Error("UCPSigningKey.fromJWK: JWK missing required field `kty` (or non-string).");
+  }
+  if (jwk.kty !== "OKP" && jwk.kty !== "EC" && jwk.kty !== "RSA") {
+    throw new Error(
+      `UCPSigningKey.fromJWK: kty=${JSON.stringify(jwk.kty)} is not a supported asymmetric key type (expected OKP, EC, or RSA). Symmetric \`oct\` keys are rejected because they cannot publicly verify a JWS in the trust-mode UCP flow.`
+    );
+  }
+  if ((jwk.kty === "EC" || jwk.kty === "OKP") && (typeof jwk.crv !== "string" || !jwk.crv)) {
+    throw new Error(`UCPSigningKey.fromJWK: kty=${jwk.kty} requires a non-empty \`crv\` field (e.g., "P-256" for EC, "Ed25519" for OKP).`);
+  }
+  return jwk;
+}
+function buildUCPProfile(input) {
+  for (const [name, bindings] of Object.entries(input.services ?? {})) {
+    for (const binding of bindings) {
+      if ((binding.transport === "rest" || binding.transport === "mcp" || binding.transport === "a2a") && (binding.endpoint === void 0 || binding.endpoint === null || binding.endpoint === "")) {
+        throw new Error(
+          `buildUCPProfile: service "${name}" transport=${binding.transport} requires \`endpoint\`. Per UCP spec service.json business_schema, rest/mcp/a2a bindings MUST carry an endpoint URL.`
+        );
+      }
+    }
+  }
+  const paymentHandlers = {};
+  for (const [name, bindings] of Object.entries(input.payment_handlers ?? {})) {
+    paymentHandlers[name] = bindings.map((binding) => {
+      if (Array.isArray(binding.available_instruments) && binding.available_instruments.length === 0) {
+        const { available_instruments: _drop, ...rest } = binding;
+        return rest;
+      }
+      return binding;
+    });
+  }
+  const capabilities = {};
+  for (const [name, bindings] of Object.entries(input.capabilities ?? {})) {
+    capabilities[name] = [...bindings];
+  }
+  if (input.agentscore_gate) {
+    const gateConfig = { ...input.agentscore_gate };
+    const agentscoreBinding = {
+      version: AGENTSCORE_CAPABILITY_VERSION,
+      spec: input.agentscore_spec_url ?? AGENTSCORE_DEFAULT_SPEC_URL,
+      schema: input.agentscore_schema_url ?? AGENTSCORE_DEFAULT_SCHEMA_URL,
+      extends: AGENTSCORE_EXTENDS
+    };
+    if (Object.keys(gateConfig).length > 0) agentscoreBinding.config = gateConfig;
+    const existing = capabilities[AGENTSCORE_CAPABILITY_NAME];
+    if (existing) existing.push(agentscoreBinding);
+    else capabilities[AGENTSCORE_CAPABILITY_NAME] = [agentscoreBinding];
+  }
+  const ucp = {
+    version: input.version ?? DEFAULT_VERSION,
+    services: input.services ?? {},
+    capabilities,
+    payment_handlers: paymentHandlers
+  };
+  if (input.name !== void 0) ucp.name = input.name;
+  if (input.supported_versions !== void 0) ucp.supported_versions = input.supported_versions;
+  if (input.ucp_extras) {
+    for (const k of Object.keys(input.ucp_extras)) {
+      if (RESERVED_UCP_FIELDS.has(k)) {
+        throw new Error(`buildUCPProfile: ucp_extras key "${k}" collides with a reserved \`ucp\` field; rejected.`);
+      }
+    }
+    Object.assign(ucp, input.ucp_extras);
+  }
+  const profile = {
+    ucp,
+    signing_keys: input.signing_keys
+  };
+  if (input.extras) {
+    for (const k of Object.keys(input.extras)) {
+      if (RESERVED_TOP_LEVEL.has(k)) {
+        throw new Error(`buildUCPProfile: extras key "${k}" collides with a reserved profile field; rejected.`);
+      }
+    }
+    Object.assign(profile, input.extras);
+  }
+  return profile;
+}
+function ucpNetworkName(caip2OrUcp, fallback) {
+  if (caip2OrUcp === void 0) return fallback;
+  return CAIP2_TO_UCP_NETWORK[caip2OrUcp] ?? caip2OrUcp;
+}
+function staticRecipient(r) {
+  return typeof r === "string" && r.length > 0 ? r : void 0;
+}
+function tempoToNetworkEntry(spec) {
+  const entry = {
+    network: spec.testnet ? "tempo-testnet" : spec.network ?? "tempo-mainnet",
+    chain_id: spec.chainId ?? 4217
+  };
+  const recipient = staticRecipient(spec.recipient);
+  if (recipient !== void 0) entry.recipient = recipient;
+  return entry;
+}
+function solanaMppToNetworkEntry(spec) {
+  const entry = {
+    network: ucpNetworkName(spec.network, "solana-mainnet-beta")
+  };
+  const recipient = staticRecipient(spec.recipient);
+  if (recipient !== void 0) entry.recipient = recipient;
+  return entry;
+}
+function tempoSessionToNetworkEntry(spec) {
+  const entry = {
+    network: spec.testnet ? "tempo-testnet" : "tempo-mainnet",
+    escrow_contract: spec.escrowContract
+  };
+  const recipient = staticRecipient(spec.recipient);
+  if (recipient !== void 0) entry.recipient = recipient;
+  return entry;
+}
+function isTempoRailSpec(s) {
+  return !("escrowContract" in s) && !("rpcUrl" in s) && !("tokenProgram" in s);
+}
+function isTempoSessionRailSpec(s) {
+  return "escrowContract" in s && "store" in s;
+}
+function mppRailToNetworkEntry(spec) {
+  if (isTempoSessionRailSpec(spec)) return tempoSessionToNetworkEntry(spec);
+  if ("rpcUrl" in spec || "tokenProgram" in spec || (spec.network?.startsWith("solana:") ?? false)) {
+    return solanaMppToNetworkEntry(spec);
+  }
+  if (isTempoRailSpec(spec)) return tempoToNetworkEntry(spec);
+  return tempoToNetworkEntry(spec);
+}
+function mppPaymentHandler({
+  networks: networks2
+}) {
+  return {
+    "sh.agentscore.payment.mpp": [{
+      id: "mpp",
+      version: HANDLER_VERSION,
+      spec: `${SPEC_BASE}/mpp`,
+      schema: `${SCHEMA_BASE}/mpp.json`,
+      config: { networks: networks2.map(mppRailToNetworkEntry) }
+    }]
+  };
+}
+function x402RailToNetworkEntry(spec) {
+  const entry = {
+    network: ucpNetworkName(spec.network, "base-8453")
+  };
+  const recipient = staticRecipient(spec.recipient);
+  if (recipient !== void 0) entry.recipient = recipient;
+  return entry;
+}
+function x402PaymentHandler({
+  networks: networks2
+}) {
+  return {
+    "sh.agentscore.payment.x402": [{
+      id: "x402",
+      version: HANDLER_VERSION,
+      spec: `${SPEC_BASE}/x402`,
+      schema: `${SCHEMA_BASE}/x402.json`,
+      config: { networks: networks2.map(x402RailToNetworkEntry) }
+    }]
+  };
+}
+function stripeSptPaymentHandler({
+  spec
+}) {
+  return {
+    "sh.agentscore.payment.stripe_spt": [{
+      id: "stripe-spt",
+      version: HANDLER_VERSION,
+      spec: `${SPEC_BASE}/stripe_spt`,
+      schema: `${SCHEMA_BASE}/stripe_spt.json`,
+      config: { rail: "stripe-spt", profile_id: spec.profileId ?? null }
+    }]
+  };
+}
+var UCPSigningKey, DEFAULT_VERSION, AGENTSCORE_CAPABILITY_NAME, AGENTSCORE_CAPABILITY_VERSION, AGENTSCORE_DEFAULT_SPEC_URL, AGENTSCORE_DEFAULT_SCHEMA_URL, AGENTSCORE_EXTENDS, RESERVED_TOP_LEVEL, RESERVED_UCP_FIELDS, AGENTSCORE_UCP_CAPABILITY, HANDLER_VERSION, SPEC_BASE, SCHEMA_BASE, CAIP2_TO_UCP_NETWORK;
+var init_ucp = __esm({
+  "src/identity/ucp.ts"() {
+    "use strict";
+    UCPSigningKey = {
+      fromJWK: ucpSigningKeyFromJWKImpl
+    };
+    DEFAULT_VERSION = "2026-04-08";
+    AGENTSCORE_CAPABILITY_NAME = "sh.agentscore.identity";
+    AGENTSCORE_CAPABILITY_VERSION = "2026-04-08";
+    AGENTSCORE_DEFAULT_SPEC_URL = "https://agentscore.sh/specification/identity";
+    AGENTSCORE_DEFAULT_SCHEMA_URL = "https://agentscore.sh/schemas/ucp/sh-agentscore-identity-v1.json";
+    AGENTSCORE_EXTENDS = ["dev.ucp.shopping.checkout", "dev.ucp.shopping.cart"];
+    RESERVED_TOP_LEVEL = /* @__PURE__ */ new Set([
+      "ucp",
+      "signing_keys",
+      "signature",
+      "__proto__",
+      "constructor",
+      "prototype"
+    ]);
+    RESERVED_UCP_FIELDS = /* @__PURE__ */ new Set([
+      "version",
+      "name",
+      "services",
+      "capabilities",
+      "payment_handlers",
+      "supported_versions",
+      "__proto__",
+      "constructor",
+      "prototype"
+    ]);
+    AGENTSCORE_UCP_CAPABILITY = AGENTSCORE_CAPABILITY_NAME;
+    HANDLER_VERSION = "2026-04-08";
+    SPEC_BASE = "https://agentscore.sh/specification/payment-handlers";
+    SCHEMA_BASE = "https://agentscore.sh/schemas/payment-handlers";
+    CAIP2_TO_UCP_NETWORK = {
+      "eip155:8453": "base-8453",
+      "eip155:84532": "base-84532",
+      "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp": "solana-mainnet-beta",
+      "solana:EtWTRABZaYq6iMfeYKouRu166VU2xqa1": "solana-devnet"
+    };
+  }
+});
+
+// src/identity/ucp-jwks.ts
+async function loadJose() {
+  try {
+    return await import("jose");
+  } catch (err) {
+    throw new Error(
+      `UCP signing requires the \`jose\` library, which is an optional peer dependency. ${JOSE_INSTALL_HINT}
+Original error: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+function canonicalizeProfile(profile) {
+  const stripped = { ...profile };
+  delete stripped.signature;
+  return stableStringify(stripped);
+}
+function stableStringify(value) {
+  if (value === void 0) {
+    throw new Error(
+      "stableStringify: undefined values are not allowed in canonicalized JSON. Object fields with no value must be omitted."
+    );
+  }
+  if (typeof value === "function" || typeof value === "symbol") {
+    throw new Error(`stableStringify: ${typeof value} values are not allowed in canonicalized JSON.`);
+  }
+  if (typeof value === "bigint") {
+    throw new Error("stableStringify: BigInt values are not allowed; use a decimal string.");
+  }
+  if (value instanceof Date) {
+    throw new Error(
+      "stableStringify: Date instances are not allowed; serialize to an ISO string before passing."
+    );
+  }
+  if (value instanceof Map || value instanceof Set || value instanceof WeakMap || value instanceof WeakSet) {
+    throw new Error(
+      `stableStringify: ${value.constructor.name} values are not allowed; convert to a plain object/array first.`
+    );
+  }
+  if (ArrayBuffer.isView(value)) {
+    throw new Error("stableStringify: typed arrays are not allowed; convert to a plain array first.");
+  }
+  if (typeof value === "number") {
+    if (!Number.isFinite(value)) {
+      throw new Error(
+        `UCP profile canonicalization rejects non-finite Number ${value}. Use a decimal string for any value that may be NaN/Infinity.`
+      );
+    }
+    if (!Number.isInteger(value)) {
+      throw new Error(
+        `UCP profile canonicalization rejects non-integer Number ${value}. Use a decimal string (e.g. "9.99") for monetary or fractional fields to preserve cross-language byte-parity.`
+      );
+    }
+    if (!Number.isSafeInteger(value)) {
+      throw new Error(
+        `stableStringify: integer ${value} exceeds Number.MAX_SAFE_INTEGER. For values >2^53, use a decimal string to preserve cross-language byte parity.`
+      );
+    }
+  }
+  if (typeof value === "string") {
+    if (value.includes("\u2028") || value.includes("\u2029")) {
+      throw new Error(
+        "stableStringify: strings containing U+2028 (LINE SEPARATOR) or U+2029 (PARAGRAPH SEPARATOR) are not allowed; cross-language byte parity requires neither be present (Node JSON.stringify on older V8 escapes them; Python json.dumps with ensure_ascii=False does not)."
+      );
+    }
+    return JSON.stringify(value);
+  }
+  if (value === null || typeof value !== "object") return JSON.stringify(value);
+  if (Array.isArray(value)) return `[${value.map(stableStringify).join(",")}]`;
+  const obj = value;
+  const keys = Object.keys(obj).sort((a, b) => {
+    const aPoints = [...a].map((c) => c.codePointAt(0));
+    const bPoints = [...b].map((c) => c.codePointAt(0));
+    const len = Math.min(aPoints.length, bPoints.length);
+    for (let i = 0; i < len; i += 1) {
+      if (aPoints[i] !== bPoints[i]) return aPoints[i] - bPoints[i];
+    }
+    return aPoints.length - bPoints.length;
+  });
+  for (const k of keys) {
+    if (k.includes("\u2028") || k.includes("\u2029")) {
+      throw new Error(
+        "stableStringify: object keys containing U+2028 (LINE SEPARATOR) or U+2029 (PARAGRAPH SEPARATOR) are not allowed; cross-language byte parity (Node JSON.stringify on older V8 escapes them; Python json.dumps with ensure_ascii=False does not)."
+      );
+    }
+  }
+  const pairs = keys.map((k) => `${JSON.stringify(k)}:${stableStringify(obj[k])}`);
+  return `{${pairs.join(",")}}`;
+}
+async function generateUCPSigningKey(opts) {
+  const jose = await loadJose();
+  const alg = opts.alg ?? "EdDSA";
+  const { privateKey, publicKey } = await jose.generateKeyPair(alg, { extractable: true });
+  const exportedJwk = await jose.exportJWK(publicKey);
+  const publicJWK = {
+    kid: opts.kid,
+    alg,
+    use: "sig",
+    ...exportedJwk
+  };
+  return { privateKey, publicJWK };
+}
+async function signUCPProfile(profile, {
+  signingKey,
+  kid,
+  alg = "EdDSA"
+}) {
+  const jose = await loadJose();
+  if (!ALLOWED_ALGS.includes(alg)) {
+    throw new Error(
+      `signUCPProfile: alg ${JSON.stringify(alg)} is not in the supported set [${ALLOWED_ALGS.join(", ")}].`
+    );
+  }
+  if (typeof kid !== "string" || !kid) {
+    throw new Error("signUCPProfile: kid must be a non-empty string.");
+  }
+  const kids = (profile.signing_keys ?? []).map((k) => k.kid);
+  if (!kids.includes(kid)) {
+    throw new Error(
+      `signUCPProfile: kid ${JSON.stringify(kid)} is not present in profile.signing_keys[] (declared kids: ${JSON.stringify(kids)}). Verifiers will not find the key.`
+    );
+  }
+  const canonicalBody = canonicalizeProfile(profile);
+  const payloadBytes = new TextEncoder().encode(canonicalBody);
+  const signature = await new jose.CompactSign(payloadBytes).setProtectedHeader({ alg, kid, typ: PROFILE_TYP }).sign(signingKey);
+  return { ...profile, signature };
+}
+async function verifyUCPProfile(profile, jwks) {
+  if (profile === null || typeof profile !== "object" || Array.isArray(profile)) {
+    throw new UCPVerificationError(
+      "no_signature",
+      `UCP profile must be a JSON object; got ${profile === null ? "null" : Array.isArray(profile) ? "array" : typeof profile}.`
+    );
+  }
+  const jose = await loadJose();
+  if (!jwks || typeof jwks !== "object" || !Array.isArray(jwks.keys)) {
+    throw new UCPVerificationError(
+      "malformed_jwks",
+      `UCP verifier expected JWKS shape { keys: [...] }; got ${jwks === null ? "null" : typeof jwks === "object" ? "object without keys[] array" : typeof jwks}.`
+    );
+  }
+  const stripped = { ...profile };
+  const sig = stripped.signature;
+  delete stripped.signature;
+  if (typeof sig !== "string" || !sig) {
+    throw new UCPVerificationError(
+      "no_signature",
+      `UCP profile signature must be a non-empty string; got ${sig === void 0 ? "undefined" : typeof sig}.`
+    );
+  }
+  let header;
+  try {
+    const protectedB64 = sig.split(".")[0];
+    if (!protectedB64) throw new Error("JWS protected header segment is empty.");
+    const headerJson = new TextDecoder().decode(jose.base64url.decode(protectedB64));
+    const parsed = JSON.parse(headerJson);
+    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+      throw new Error("JWS protected header is not a JSON object.");
+    }
+    header = parsed;
+  } catch (err) {
+    throw new UCPVerificationError(
+      "malformed_jws",
+      `JWS protected header is not valid base64url-encoded JSON: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  if (header.typ !== PROFILE_TYP) {
+    throw new UCPVerificationError("wrong_typ", `UCP signature typ must be "${PROFILE_TYP}"; got ${String(header.typ)}.`);
+  }
+  if (!ALLOWED_ALGS.includes(header.alg)) {
+    throw new UCPVerificationError("unsupported_alg", `UCP signing alg must be one of ${ALLOWED_ALGS.join(", ")}; got ${String(header.alg)}.`);
+  }
+  if (typeof header.kid !== "string" || !header.kid) {
+    throw new UCPVerificationError(
+      "missing_kid",
+      `UCP signature header kid must be a non-empty string; got ${header.kid === void 0 ? "undefined" : typeof header.kid}.`
+    );
+  }
+  if ("crit" in header) {
+    const crit = header.crit;
+    if (!Array.isArray(crit) || crit.length === 0 || !crit.every((c) => typeof c === "string")) {
+      throw new UCPVerificationError(
+        "malformed_jws",
+        `JWS protected header crit must be a non-empty array of strings; got ${JSON.stringify(crit)}.`
+      );
+    }
+    throw new UCPVerificationError(
+      "unrecognized_critical_header",
+      `JWS protected header advertises unrecognized crit headers: ${JSON.stringify(crit)}.`
+    );
+  }
+  let signedPayload;
+  try {
+    const verified = await jose.compactVerify(
+      sig,
+      async (h) => {
+        const kid = h.kid;
+        if (typeof kid !== "string" || !kid) {
+          throw new UCPVerificationError(
+            "missing_kid",
+            `UCP signature header kid must be a non-empty string; got ${kid === void 0 ? "undefined" : typeof kid}.`
+          );
+        }
+        const matches = jwks.keys.filter(
+          (k) => k != null && typeof k === "object" && k.kid === kid
+        );
+        if (matches.length === 0) throw new UCPVerificationError("kid_not_found", `No JWK in JWKS matching kid=${JSON.stringify(kid)}.`);
+        if (matches.length > 1) throw new UCPVerificationError("duplicate_kid", `JWKS contains ${matches.length} keys with kid=${JSON.stringify(kid)}; expected exactly one.`);
+        const matchedKey = matches[0];
+        if (matchedKey.use != null && matchedKey.use !== "sig") {
+          throw new UCPVerificationError("unusable_key", `JWK with kid=${kid} has use=${JSON.stringify(matchedKey.use)}; expected "sig".`);
+        }
+        if (matchedKey.alg != null && matchedKey.alg !== h.alg) {
+          throw new UCPVerificationError(
+            "unusable_key",
+            `JWK alg ${JSON.stringify(matchedKey.alg)} does not match JWS header alg ${JSON.stringify(h.alg)}.`
+          );
+        }
+        return jose.importJWK(matches[0], h.alg);
+      }
+    );
+    signedPayload = verified.payload;
+  } catch (err) {
+    if (err instanceof UCPVerificationError) throw err;
+    if (err instanceof Error && err.name === "JOSEAlgNotAllowed") {
+      throw new UCPVerificationError("unsupported_alg", `UCP signing alg not allowed: ${err.message}`);
+    }
+    if (err instanceof Error && err.name === "JWSSignatureVerificationFailed") {
+      throw new UCPVerificationError("signature_invalid", `UCP signature verification failed: ${err.message}`);
+    }
+    if (err instanceof Error && err.name === "JWSInvalid") {
+      throw new UCPVerificationError("malformed_jws", `Malformed JWS: ${err.message}`);
+    }
+    if (err instanceof Error && err.name === "JOSENotSupported") {
+      throw new UCPVerificationError("unrecognized_critical_header", `UCP signing rejected unrecognized critical header: ${err.message}`);
+    }
+    throw err;
+  }
+  let canonicalBody;
+  try {
+    canonicalBody = canonicalizeProfile(stripped);
+  } catch (err) {
+    throw new UCPVerificationError(
+      "body_mismatch",
+      `Failed to canonicalize received profile for verification: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  const expectedPayload = new TextEncoder().encode(canonicalBody);
+  if (!constantTimeEqual(signedPayload, expectedPayload)) {
+    throw new UCPVerificationError("body_mismatch", "UCP profile body does not match the signed payload (tampered or non-canonical).");
+  }
+  return true;
+}
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i += 1) {
+    diff |= a[i] ^ b[i];
+  }
+  return diff === 0;
+}
+function buildJWKSResponse(keys) {
+  return { keys };
+}
+function readEnvTrimmed(name) {
+  const raw = process.env[name];
+  if (raw === void 0) return void 0;
+  const trimmed = raw.trim();
+  return trimmed === "" ? void 0 : trimmed;
+}
+function detectAlgFromJwk(jwk) {
+  if (jwk.kty === "OKP" && jwk.crv === "Ed25519") return "EdDSA";
+  if (jwk.kty === "EC" && jwk.crv === "P-256") return "ES256";
+  return null;
+}
+function cacheKey(opts) {
+  return `${opts.envJwkVar}|${opts.envKidVar}|${opts.envAlgVar}|${opts.defaultKid}|${opts.defaultAlg}`;
+}
+async function buildEnvSigningKey(opts) {
+  const kidDefault = readEnvTrimmed(opts.envKidVar) ?? opts.defaultKid;
+  const rawAlg = (readEnvTrimmed(opts.envAlgVar) ?? "").toUpperCase();
+  const algFallback = rawAlg === "ES256" ? "ES256" : opts.defaultAlg;
+  const envJwk = readEnvTrimmed(opts.envJwkVar);
+  if (envJwk) {
+    let jwkDict;
+    try {
+      jwkDict = JSON.parse(envJwk);
+    } catch (err) {
+      throw new Error(
+        `${opts.envJwkVar} is not valid JSON: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+    if (!jwkDict || typeof jwkDict !== "object" || Array.isArray(jwkDict) || Object.keys(jwkDict).length === 0) {
+      throw new Error(`${opts.envJwkVar} must be a non-empty JWK object.`);
+    }
+    const detectedAlg = detectAlgFromJwk(jwkDict);
+    if (!detectedAlg) {
+      throw new Error(
+        `${opts.envJwkVar} has unsupported kty/crv (got kty=${String(jwkDict.kty)} crv=${String(jwkDict.crv)}); expected OKP+Ed25519 or EC+P-256.`
+      );
+    }
+    const canonicalPrivateJwk = detectedAlg === "EdDSA" ? { kty: jwkDict.kty, crv: jwkDict.crv, x: jwkDict.x, d: jwkDict.d } : { kty: jwkDict.kty, crv: jwkDict.crv, x: jwkDict.x, y: jwkDict.y, d: jwkDict.d };
+    const { importJWK } = await import("jose");
+    const { createPublicKey } = await import("crypto");
+    let privateKey;
+    let publicNodeKey;
+    try {
+      privateKey = await importJWK(
+        canonicalPrivateJwk,
+        detectedAlg
+      );
+      publicNodeKey = createPublicKey({ key: canonicalPrivateJwk, format: "jwk" });
+    } catch (err) {
+      const className = err instanceof Error ? err.constructor.name : typeof err;
+      const code = err && typeof err === "object" && "code" in err ? String(err.code) : null;
+      const codeSuffix = code ? ` [${code}]` : "";
+      throw new Error(
+        `${opts.envJwkVar} has malformed key material (${className}${codeSuffix}). Verify the JWK is well-formed and matches the declared kty/crv. Underlying details suppressed to avoid leaking key bytes.`
+      );
+    }
+    const publicJWK = publicNodeKey.export({ format: "jwk" });
+    publicJWK.kid = jwkDict.kid || kidDefault;
+    publicJWK.alg = detectedAlg;
+    publicJWK.use = "sig";
+    return { privateKey, publicJWK };
+  }
+  return generateUCPSigningKey({ kid: kidDefault, alg: algFallback });
+}
+async function loadUCPSigningKeyFromEnv({
+  envJwkVar,
+  envKidVar,
+  envAlgVar,
+  defaultKid,
+  defaultAlg
+} = {}) {
+  const resolved = {
+    ...DEFAULT_LOAD_OPTS,
+    ...envJwkVar !== void 0 && { envJwkVar },
+    ...envKidVar !== void 0 && { envKidVar },
+    ...envAlgVar !== void 0 && { envAlgVar },
+    ...defaultKid !== void 0 && { defaultKid },
+    ...defaultAlg !== void 0 && { defaultAlg }
+  };
+  const key = cacheKey(resolved);
+  let cached = envLoaderCache.get(key);
+  if (cached) return cached;
+  cached = buildEnvSigningKey(resolved).catch((err) => {
+    envLoaderCache.delete(key);
+    throw err;
+  });
+  envLoaderCache.set(key, cached);
+  return cached;
+}
+var JOSE_INSTALL_HINT, ALLOWED_ALGS, PROFILE_TYP, UCPVerificationError, DEFAULT_LOAD_OPTS, envLoaderCache;
+var init_ucp_jwks = __esm({
+  "src/identity/ucp-jwks.ts"() {
+    "use strict";
+    JOSE_INSTALL_HINT = "Install the optional peer dependency: `npm install jose@^6` (or `bun add jose`). Tested against jose v6.x.";
+    ALLOWED_ALGS = ["EdDSA", "ES256"];
+    PROFILE_TYP = "agentscore-profile+jws";
+    UCPVerificationError = class extends Error {
+      constructor(code, message) {
+        super(message);
+        this.code = code;
+        this.name = "UCPVerificationError";
+      }
+      code;
+    };
+    DEFAULT_LOAD_OPTS = {
+      envJwkVar: "UCP_SIGNING_KEY_JWK_PRIVATE",
+      envKidVar: "UCP_SIGNING_KEY_KID",
+      envAlgVar: "UCP_SIGNING_KEY_ALG",
+      defaultKid: "merchant-default",
+      defaultAlg: "EdDSA"
+    };
+    envLoaderCache = /* @__PURE__ */ new Map();
+  }
+});
+
+// src/payment/usdc.ts
+var USDC;
+var init_usdc = __esm({
+  "src/payment/usdc.ts"() {
+    "use strict";
+    USDC = {
+      base: {
+        mainnet: { address: "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913", decimals: 6 },
+        sepolia: { address: "0x036CbD53842c5426634e7929541eC2318f3dCF7e", decimals: 6 }
+      },
+      solana: {
+        mainnet: { mint: "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v", decimals: 6 },
+        devnet: { mint: "4zMMC9srt5Ri5X14GAgXhaHii3GnPAEERYPJgZJDncDU", decimals: 6 }
+      },
+      tempo: {
+        mainnet: { address: "0x20C000000000000000000000b9537d11c60E8b50", decimals: 6 },
+        testnet: { address: "0x20c0000000000000000000000000000000000000", decimals: 6 }
+      }
+    };
+  }
+});
+
+// src/payment/wwwauthenticate.ts
+function paymentRequiredHeader({
+  x402Version,
+  accepts,
+  resource
+}) {
+  return Buffer.from(JSON.stringify({ x402Version, accepts, ...resource ? { resource } : {} })).toString("base64");
+}
+var init_wwwauthenticate = __esm({
+  "src/payment/wwwauthenticate.ts"() {
+    "use strict";
+  }
+});
+
+// src/payment/networks.ts
+var networks;
+var init_networks = __esm({
+  "src/payment/networks.ts"() {
+    "use strict";
+    networks = {
+      base: {
+        mainnet: { caip2: "eip155:8453", chainId: 8453 },
+        sepolia: { caip2: "eip155:84532", chainId: 84532 }
+      },
+      solana: {
+        mainnet: { caip2: "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp" },
+        devnet: { caip2: "solana:EtWTRABZaYq6iMfeYKouRu166VU2xqa1" }
+      },
+      tempo: {
+        mainnet: { caip2: "eip155:4217", chainId: 4217 },
+        testnet: { caip2: "eip155:42431", chainId: 42431 }
+      }
+    };
+  }
+});
+
+// src/payment/rails.ts
+function lookupRail(name) {
+  return rails[name];
+}
+var rails;
+var init_rails = __esm({
+  "src/payment/rails.ts"() {
+    "use strict";
+    init_networks();
+    init_usdc();
+    rails = {
+      "tempo-mainnet": {
+        method: "tempo",
+        network: networks.tempo.mainnet.caip2,
+        chainId: networks.tempo.mainnet.chainId,
+        currency: USDC.tempo.mainnet.address,
+        decimals: USDC.tempo.mainnet.decimals,
+        asset: USDC.tempo.mainnet.address
+      },
+      "tempo-testnet": {
+        method: "tempo",
+        network: networks.tempo.testnet.caip2,
+        chainId: networks.tempo.testnet.chainId,
+        currency: USDC.tempo.testnet.address,
+        decimals: USDC.tempo.testnet.decimals,
+        asset: USDC.tempo.testnet.address
+      },
+      "x402-base-mainnet": {
+        method: "x402",
+        network: networks.base.mainnet.caip2,
+        chainId: networks.base.mainnet.chainId,
+        currency: USDC.base.mainnet.address,
+        decimals: USDC.base.mainnet.decimals,
+        asset: USDC.base.mainnet.address
+      },
+      "x402-base-sepolia": {
+        method: "x402",
+        network: networks.base.sepolia.caip2,
+        chainId: networks.base.sepolia.chainId,
+        currency: USDC.base.sepolia.address,
+        decimals: USDC.base.sepolia.decimals,
+        asset: USDC.base.sepolia.address
+      },
+      // Upto rails — pay UP TO a max amount (Permit2-based, vs EIP-3009 for exact). Use for
+      // variable-cost APIs where the actual cost depends on output (LLM tokens, bandwidth, etc.).
+      // Only available on EVM networks; Solana svm doesn't ship an upto scheme yet.
+      "x402-base-mainnet-upto": {
+        method: "x402-upto",
+        network: networks.base.mainnet.caip2,
+        chainId: networks.base.mainnet.chainId,
+        currency: USDC.base.mainnet.address,
+        decimals: USDC.base.mainnet.decimals,
+        asset: USDC.base.mainnet.address
+      },
+      "x402-base-sepolia-upto": {
+        method: "x402-upto",
+        network: networks.base.sepolia.caip2,
+        chainId: networks.base.sepolia.chainId,
+        currency: USDC.base.sepolia.address,
+        decimals: USDC.base.sepolia.decimals,
+        asset: USDC.base.sepolia.address
+      },
+      "mpp-solana-mainnet": {
+        method: "solana",
+        network: networks.solana.mainnet.caip2,
+        currency: USDC.solana.mainnet.mint,
+        decimals: USDC.solana.mainnet.decimals,
+        asset: USDC.solana.mainnet.mint
+      },
+      "mpp-solana-devnet": {
+        method: "solana",
+        network: networks.solana.devnet.caip2,
+        currency: USDC.solana.devnet.mint,
+        decimals: USDC.solana.devnet.decimals,
+        asset: USDC.solana.devnet.mint
+      },
+      "stripe-spt": {
+        method: "stripe",
+        currency: "usd",
+        decimals: 2
+      }
+    };
+  }
+});
+
+// src/payment/directive.ts
+function buildPaymentRequestBlob({
+  rail,
+  amountUsd,
+  currency,
+  decimals,
+  recipient,
+  chainId,
+  networkId
+}) {
+  const railDef = rail ? lookupRail(rail) : void 0;
+  const decimalsResolved = decimals ?? railDef?.decimals ?? 6;
+  const currencyResolved = currency ?? railDef?.currency ?? "usd";
+  const chainIdResolved = chainId ?? railDef?.chainId;
+  const amountNum = typeof amountUsd === "string" ? Number(amountUsd) : amountUsd;
+  const amountRaw = BigInt(Math.round(amountNum * 10 ** decimalsResolved)).toString();
+  const blob = { amount: amountRaw, currency: currencyResolved, decimals: decimalsResolved };
+  if (recipient) blob.recipient = recipient;
+  const methodDetails = {};
+  if (chainIdResolved !== void 0) methodDetails.chainId = chainIdResolved;
+  if (networkId) methodDetails.networkId = networkId;
+  if (Object.keys(methodDetails).length > 0) blob.methodDetails = methodDetails;
+  return Buffer.from(JSON.stringify(blob)).toString("base64url");
+}
+function paymentDirective({
+  rail,
+  id,
+  realm,
+  method,
+  intent,
+  expires,
+  request
+}) {
+  const railDef = rail ? lookupRail(rail) : void 0;
+  const methodResolved = method ?? railDef?.method ?? "unknown";
+  const intentResolved = intent ?? "charge";
+  const expiresResolved = expires ?? new Date(Date.now() + 5 * 60 * 1e3).toISOString();
+  return `Payment id="${id}", realm="${realm}", method="${methodResolved}", intent="${intentResolved}", expires="${expiresResolved}", request="${request}"`;
+}
+var init_directive = __esm({
+  "src/payment/directive.ts"() {
+    "use strict";
+    init_rails();
+  }
+});
+
+// src/discovery/probe.ts
+var probe_exports = {};
+__export(probe_exports, {
+  buildDiscoveryProbeResponse: () => buildDiscoveryProbeResponse,
+  isDiscoveryProbeRequest: () => isDiscoveryProbeRequest,
+  sampleX402AcceptForNetwork: () => sampleX402AcceptForNetwork
+});
+function sampleX402AcceptForNetwork(caip2, amountAtomic = "1000000") {
+  if (caip2 === networks.base.mainnet.caip2) {
+    return {
+      scheme: "exact",
+      network: caip2,
+      amount: amountAtomic,
+      asset: USDC.base.mainnet.address,
+      payTo: ZERO_EVM_PAYTO,
+      maxTimeoutSeconds: 300,
+      // ``extra.name`` mirrors the on-chain USDC contract's ``name()`` because
+      // EIP-712 domain hashes include this string. Wrong name → every signed
+      // payload fails facilitator verify with ``invalid_exact_evm_payload_signature``.
+      // Base mainnet USDC returns "USD Coin"; base sepolia USDC returns "USDC".
+      extra: { name: "USD Coin", version: "2" }
+    };
+  }
+  if (caip2 === networks.base.sepolia.caip2) {
+    return {
+      scheme: "exact",
+      network: caip2,
+      amount: amountAtomic,
+      asset: USDC.base.sepolia.address,
+      payTo: ZERO_EVM_PAYTO,
+      maxTimeoutSeconds: 300,
+      extra: { name: "USDC", version: "2" }
+    };
+  }
+  if (caip2 === networks.solana.mainnet.caip2) {
+    return {
+      scheme: "exact",
+      network: caip2,
+      amount: amountAtomic,
+      asset: USDC.solana.mainnet.mint,
+      payTo: ZERO_SOLANA_PAYTO,
+      maxTimeoutSeconds: 300
+    };
+  }
+  if (caip2 === networks.solana.devnet.caip2) {
+    return {
+      scheme: "exact",
+      network: caip2,
+      amount: amountAtomic,
+      asset: USDC.solana.devnet.mint,
+      payTo: ZERO_SOLANA_PAYTO,
+      maxTimeoutSeconds: 300
+    };
+  }
+  return null;
+}
+function buildDiscoveryProbeResponse(opts) {
+  const probeId = `probe_${Date.now()}`;
+  const expires = new Date(Date.now() + (opts.ttlSeconds ?? 300) * 1e3).toISOString();
+  const request = buildPaymentRequestBlob({
+    rail: opts.sampleRail,
+    amountUsd: opts.sampleAmountUsd,
+    recipient: opts.sampleRecipient
+  });
+  const directive = paymentDirective({
+    rail: opts.sampleRail,
+    id: probeId,
+    realm: opts.realm,
+    intent: opts.intent,
+    expires,
+    request
+  });
+  const bodyObj = {
+    error: {
+      code: "payment_required",
+      message: opts.message ?? "This endpoint requires payment. Send a valid request body to receive a full challenge."
+    },
+    discovery: true,
+    ...opts.docsUrl ? { docs: opts.docsUrl } : {}
+  };
+  const headers = {
+    "content-type": "application/json",
+    "www-authenticate": directive
+  };
+  if (opts.x402Sample) {
+    const x402Version = opts.x402Sample.version ?? 2;
+    const sampleAccepts = opts.x402Sample.accepts ?? (opts.x402Sample.networks ?? []).map((n) => sampleX402AcceptForNetwork(n, opts.x402Sample.amountAtomic ?? "1000000")).filter((e) => e !== null);
+    headers["payment-required"] = paymentRequiredHeader({
+      x402Version,
+      accepts: sampleAccepts,
+      ...opts.x402Sample.resourceUrl ? { resource: { url: opts.x402Sample.resourceUrl, mimeType: "application/json" } } : {}
+    });
+    bodyObj.x402Version = x402Version;
+    const headerJson = JSON.parse(Buffer.from(headers["payment-required"], "base64").toString("utf-8"));
+    bodyObj.accepts = headerJson.accepts;
+  }
+  return {
+    status: 402,
+    headers,
+    body: JSON.stringify(bodyObj)
+  };
+}
+async function isDiscoveryProbeRequest(req) {
+  if (req.method !== "POST") return false;
+  const auth = req.headers.get("authorization");
+  if (auth?.startsWith("Payment ")) return false;
+  const body = await req.clone().text();
+  return !body || body === "{}";
+}
+var ZERO_EVM_PAYTO, ZERO_SOLANA_PAYTO;
+var init_probe = __esm({
+  "src/discovery/probe.ts"() {
+    "use strict";
+    init_directive();
+    init_networks();
+    init_usdc();
+    init_wwwauthenticate();
+    ZERO_EVM_PAYTO = "0x0000000000000000000000000000000000000000";
+    ZERO_SOLANA_PAYTO = "11111111111111111111111111111111";
+  }
+});
+
+// src/discovery/well_known.ts
+var well_known_exports = {};
+__export(well_known_exports, {
+  bootstrapUcpSigningKey: () => bootstrapUcpSigningKey,
+  buildSignedJwksResponse: () => buildSignedJwksResponse,
+  buildSignedUcpResponse: () => buildSignedUcpResponse,
+  defaultA2aServices: () => defaultA2aServices,
+  signedResponseExpress: () => signedResponseExpress,
+  signedResponseFastify: () => signedResponseFastify,
+  signedResponseHono: () => signedResponseHono,
+  signedResponseNextjs: () => signedResponseNextjs,
+  signedResponseWeb: () => signedResponseWeb,
+  wellKnownCorsPreflightHeaders: () => wellKnownCorsPreflightHeaders,
+  wellKnownPreflightResponse: () => wellKnownPreflightResponse
+});
+function requestId(headers) {
+  if (headers === void 0) return void 0;
+  if (headers instanceof Headers) return headers.get("x-request-id") ?? void 0;
+  for (const [k, v] of Object.entries(headers)) {
+    if (k.toLowerCase() === "x-request-id") return v;
+  }
+  return void 0;
+}
+function attachRequestId(headers, requestHeaders) {
+  const rid = requestId(requestHeaders);
+  if (rid !== void 0) headers["X-Request-ID"] = rid;
+}
+function isTempoSession(s) {
+  return "escrowContract" in s && "store" in s;
+}
+function isStripe(s) {
+  return !("recipient" in s);
+}
+function railHasRecipientField(spec) {
+  return Object.hasOwn(spec, "recipient");
+}
+function composeHandlers(checkout) {
+  const handlers = {};
+  const mpp = [];
+  const x402 = [];
+  const stripe = [];
+  for (const spec of Object.values(checkout.rails)) {
+    if (isStripe(spec)) {
+      stripe.push(spec);
+      continue;
+    }
+    if (isTempoSession(spec)) {
+      if (railHasRecipientField(spec)) mpp.push(spec);
+      continue;
+    }
+    const network = spec.network ?? "";
+    if (network.startsWith("eip155:") || "mode" in spec) {
+      if (railHasRecipientField(spec)) x402.push(spec);
+    } else if (network.startsWith("solana:") || "rpcUrl" in spec) {
+      if (railHasRecipientField(spec)) mpp.push(spec);
+    } else {
+      if (railHasRecipientField(spec)) mpp.push(spec);
+    }
+  }
+  if (mpp.length > 0) Object.assign(handlers, mppPaymentHandler({ networks: mpp }));
+  if (x402.length > 0) Object.assign(handlers, x402PaymentHandler({ networks: x402 }));
+  for (const spec of stripe) Object.assign(handlers, stripeSptPaymentHandler({ spec }));
+  return handlers;
+}
+function misconfiguredResponse(requestHeaders) {
+  const body = {
+    error: {
+      code: "ucp_misconfigured",
+      message: "Merchant has no configured payment handlers."
+    },
+    next_steps: {
+      action: "contact_merchant",
+      user_message: "This merchant is temporarily unable to accept agent payments."
+    },
+    agent_instructions: {
+      action: "contact_merchant",
+      steps: [
+        "Surface a transient error to the user.",
+        "Retry later; the merchant operator will repair the configuration."
+      ],
+      user_message: "Merchant temporarily offline for agent payments."
+    }
+  };
+  const headers = {
+    "Access-Control-Allow-Origin": "*",
+    "Cache-Control": `public, max-age=${UCP_CACHE_SECONDS}`
+  };
+  attachRequestId(headers, requestHeaders);
+  return {
+    body: JSON.stringify(body),
+    mediaType: "application/json",
+    headers,
+    status: 503
+  };
+}
+async function buildSignedUcpResponse(opts) {
+  const {
+    checkout,
+    name,
+    wellKnownUcpUrl,
+    services,
+    requestHeaders,
+    signingKid = "merchant-default",
+    agentscoreGate
+  } = opts;
+  const handlers = composeHandlers(checkout);
+  if (Object.keys(handlers).length === 0) {
+    return misconfiguredResponse(requestHeaders);
+  }
+  const key = await loadUCPSigningKeyFromEnv({ defaultKid: signingKid });
+  const signingKeyEntry = UCPSigningKey.fromJWK(key.publicJWK);
+  const profile = buildUCPProfile({
+    name,
+    supported_versions: { "2026-04-08": wellKnownUcpUrl },
+    agentscore_gate: agentscoreGate,
+    services,
+    payment_handlers: handlers,
+    signing_keys: [signingKeyEntry]
+  });
+  const signed = await signUCPProfile(profile, {
+    signingKey: key.privateKey,
+    kid: key.publicJWK.kid,
+    alg: key.publicJWK.alg ?? "EdDSA"
+  });
+  const headers = {
+    "Cache-Control": `public, max-age=${UCP_CACHE_SECONDS}`,
+    "Access-Control-Allow-Origin": "*"
+  };
+  attachRequestId(headers, requestHeaders);
+  return {
+    body: JSON.stringify(signed),
+    mediaType: "application/json",
+    headers,
+    status: 200
+  };
+}
+async function buildSignedJwksResponse(opts) {
+  const { requestHeaders, signingKid = "merchant-default" } = opts ?? {};
+  const key = await loadUCPSigningKeyFromEnv({ defaultKid: signingKid });
+  const jwks = buildJWKSResponse([UCPSigningKey.fromJWK(key.publicJWK)]);
+  const headers = {
+    "Cache-Control": `public, max-age=${JWKS_CACHE_SECONDS}`,
+    "Access-Control-Allow-Origin": "*"
+  };
+  attachRequestId(headers, requestHeaders);
+  return {
+    body: JSON.stringify(jwks),
+    mediaType: "application/jwk-set+json",
+    headers,
+    status: 200
+  };
+}
+function wellKnownCorsPreflightHeaders(requestHeaders) {
+  const headers = {
+    "Access-Control-Allow-Origin": "*",
+    "Access-Control-Allow-Methods": "GET, OPTIONS",
+    "Access-Control-Max-Age": "86400",
+    Vary: "Access-Control-Request-Headers"
+  };
+  if (requestHeaders === void 0) return headers;
+  const acrh = requestHeaders instanceof Headers ? requestHeaders.get("access-control-request-headers") : Object.entries(requestHeaders).find(([k]) => k.toLowerCase() === "access-control-request-headers")?.[1];
+  if (acrh) headers["Access-Control-Allow-Headers"] = acrh;
+  return headers;
+}
+function wellKnownPreflightResponse(requestHeaders) {
+  return new Response(null, {
+    status: 204,
+    headers: wellKnownCorsPreflightHeaders(requestHeaders)
+  });
+}
+function defaultA2aServices(opts) {
+  return {
+    "dev.ucp.shopping": [
+      {
+        version: "2026-04-08",
+        spec: UCP_SHOPPING_SPEC_2026_04_08,
+        transport: "a2a",
+        endpoint: opts.agentCardUrl
+      }
+    ]
+  };
+}
+async function bootstrapUcpSigningKey(opts) {
+  const defaultKid = opts?.defaultKid ?? "merchant-default";
+  await loadUCPSigningKeyFromEnv({ defaultKid });
+}
+function signedResponseHono(resp) {
+  return new Response(resp.body, {
+    status: resp.status,
+    headers: { ...resp.headers, "Content-Type": resp.mediaType }
+  });
+}
+function signedResponseNextjs(resp) {
+  return signedResponseHono(resp);
+}
+function signedResponseWeb(resp) {
+  return signedResponseHono(resp);
+}
+function signedResponseExpress(res, resp) {
+  res.status(resp.status);
+  res.set(resp.headers);
+  res.type(resp.mediaType);
+  res.send(resp.body);
+}
+function signedResponseFastify(reply, resp) {
+  reply.code(resp.status);
+  for (const [k, v] of Object.entries(resp.headers)) reply.header(k, v);
+  reply.type(resp.mediaType);
+  return reply.send(resp.body);
+}
+var UCP_CACHE_SECONDS, JWKS_CACHE_SECONDS, UCP_SHOPPING_SPEC_2026_04_08;
+var init_well_known = __esm({
+  "src/discovery/well_known.ts"() {
+    "use strict";
+    init_ucp();
+    init_ucp_jwks();
+    UCP_CACHE_SECONDS = 60;
+    JWKS_CACHE_SECONDS = 300;
+    UCP_SHOPPING_SPEC_2026_04_08 = "https://ucp.dev/2026-04-08/specification/overview";
+  }
+});
+
 // src/core.ts
 import {
   AgentScore,
@@ -23,13 +1171,16 @@ function denialReasonStatus(reason) {
   if (reason.code === "api_error") return 503;
   return 403;
 }
-function buildSignerMismatchBody(input) {
-  const { result } = input;
+function buildSignerMismatchBody({
+  result,
+  userMessage,
+  learnMoreUrl
+}) {
   if (result.kind === "pass") return null;
-  const learnMoreUrl = input.learnMoreUrl ?? "https://docs.agentscore.sh/guides/agent-identity";
+  const learnMoreUrlResolved = learnMoreUrl ?? "https://docs.agentscore.sh/guides/agent-identity";
   if (result.kind === "wallet_signer_mismatch") {
     const linkedWallets = result.linkedWallets ?? [];
-    const userMessage = input.userMessage ?? (linkedWallets.length > 0 ? `Sign the payment with one of the wallets linked to this operator: ${linkedWallets.join(", ")}. Then retry.` : "Sign the payment with the same wallet you claimed via X-Wallet-Address, or switch to X-Operator-Token for rail-independent identity.");
+    const userMessageResolved = userMessage ?? (linkedWallets.length > 0 ? `Sign the payment with one of the wallets linked to this operator: ${linkedWallets.join(", ")}. Then retry.` : "Sign the payment with the same wallet you claimed via X-Wallet-Address, or switch to X-Operator-Token for rail-independent identity.");
     return {
       error: {
         code: "wallet_signer_mismatch",
@@ -42,8 +1193,8 @@ function buildSignerMismatchBody(input) {
       linked_wallets: linkedWallets,
       next_steps: {
         action: "regenerate_payment_from_linked_wallet",
-        user_message: userMessage,
-        learn_more_url: learnMoreUrl
+        user_message: userMessageResolved,
+        learn_more_url: learnMoreUrlResolved
       }
     };
   }
@@ -54,8 +1205,8 @@ function buildSignerMismatchBody(input) {
     },
     next_steps: {
       action: "switch_to_operator_token",
-      user_message: input.userMessage ?? "Drop the X-Wallet-Address header and retry with X-Operator-Token (works on every payment rail).",
-      learn_more_url: learnMoreUrl
+      user_message: userMessage ?? "Drop the X-Wallet-Address header and retry with X-Operator-Token (works on every payment rail).",
+      learn_more_url: learnMoreUrlResolved
     }
   };
 }
@@ -63,27 +1214,35 @@ function buildContactSupportNextSteps(supportEmail, message) {
   return {
     action: "contact_support",
     support_email: supportEmail,
-    user_message: message ?? `If you believe this denial is in error, contact support at ${supportEmail} with your order details.`
+    user_message: message ?? `If you believe this denial is in error, contact support at ${supportEmail} with the details of your request.`
   };
 }
-function verificationAgentInstructions(input = {}) {
+function verificationAgentInstructions({
+  userAction,
+  retryStep,
+  extraSteps,
+  pollIntervalSeconds = 5,
+  timeoutSeconds = 3600,
+  orderTtl,
+  extra
+} = {}) {
   const baseSteps = [
     "Present the verify_url directly to the user \u2014 it is a complete, ready-to-open URL with the session token already embedded (e.g. https://agentscore.sh/verify?session=sess_...). Do NOT modify or construct the URL yourself.",
-    `Immediately begin polling poll_url every ${input.pollIntervalSeconds ?? 5} seconds with header X-Poll-Secret set to poll_secret. The user will complete verification in their browser while you poll in the background.`,
+    `Immediately begin polling poll_url every ${pollIntervalSeconds} seconds with header X-Poll-Secret set to poll_secret. The user will complete verification in their browser while you poll in the background.`,
     "The user visits the URL, signs in, completes identity verification (photo ID + selfie via Stripe Identity), and closes the tab. They do NOT need to copy or paste anything back to you.",
     'When your poll returns status "verified", extract operator_token from the response. This is a one-time value \u2014 save it immediately. Subsequent polls return status "consumed" without the token.',
-    input.retryStep ?? "Retry the original merchant request with header X-Operator-Token set to the operator_token value."
+    retryStep ?? "Retry the original merchant request with header X-Operator-Token set to the operator_token value."
   ];
   return {
     action: "poll_for_credential",
-    user_action: input.userAction ?? "The user must visit verify_url to complete identity verification before this request can proceed",
-    steps: input.extraSteps ? [...baseSteps, ...input.extraSteps] : baseSteps,
-    poll_interval_seconds: input.pollIntervalSeconds ?? 5,
+    user_action: userAction ?? "The user must visit verify_url to complete identity verification before this request can proceed",
+    steps: extraSteps ? [...baseSteps, ...extraSteps] : baseSteps,
+    poll_interval_seconds: pollIntervalSeconds,
     poll_secret_header: "X-Poll-Secret",
     retry_token_header: "X-Operator-Token",
-    timeout_seconds: input.timeoutSeconds ?? 3600,
-    ...input.orderTtl ? { order_ttl: input.orderTtl } : {},
-    ...input.extra ?? {}
+    timeout_seconds: timeoutSeconds,
+    ...orderTtl ? { order_ttl: orderTtl } : {},
+    ...extra ?? {}
   };
 }
 
@@ -204,7 +1363,72 @@ function denialReasonToBody(reason) {
   return body;
 }
 
+// src/address.ts
+var SOLANA_BASE58_RE = /^[1-9A-HJ-NP-Za-km-z]{32,44}$/;
+var isSolanaAddress = (address) => SOLANA_BASE58_RE.test(address) && !address.startsWith("0x");
+var normalizeAddress = (address) => {
+  if (isSolanaAddress(address)) {
+    return address;
+  }
+  return address.toLowerCase();
+};
+
+// src/cache.ts
+var TTLCache = class {
+  constructor(defaultTtlMs, maxSize = 1e4) {
+    this.defaultTtlMs = defaultTtlMs;
+    this.maxSize = maxSize;
+  }
+  defaultTtlMs;
+  store = /* @__PURE__ */ new Map();
+  maxSize;
+  get(key) {
+    const entry = this.store.get(key);
+    if (!entry) return void 0;
+    if (Date.now() > entry.expiresAt) {
+      this.store.delete(key);
+      return void 0;
+    }
+    return entry.value;
+  }
+  set(key, value, ttlMs) {
+    if (this.store.size >= this.maxSize) {
+      this.sweep();
+    }
+    if (this.store.size >= this.maxSize) {
+      this.evictOldest(this.store.size - this.maxSize + 1);
+    }
+    this.store.set(key, {
+      value,
+      expiresAt: Date.now() + (ttlMs ?? this.defaultTtlMs)
+    });
+  }
+  /** Remove all expired entries. */
+  sweep() {
+    const now = Date.now();
+    for (const [k, v] of this.store) {
+      if (now > v.expiresAt) {
+        this.store.delete(k);
+      }
+    }
+  }
+  /** Evict the oldest `count` entries by insertion order. */
+  evictOldest(count) {
+    let removed = 0;
+    for (const key of this.store.keys()) {
+      if (removed >= count) break;
+      this.store.delete(key);
+      removed++;
+    }
+  }
+};
+
 // src/core.ts
+function stripTrailingSlashes(s) {
+  let end = s.length;
+  while (end > 0 && s.charCodeAt(end - 1) === 47) end--;
+  return end === s.length ? s : s.slice(0, end);
+}
 var CANONICAL_AGENTSCORE_API = "https://api.agentscore.sh";
 var WALLET_SIGNER_MISMATCH_INSTRUCTIONS = JSON.stringify({
   action: "resign_or_switch_to_operator_token",
@@ -247,6 +1471,317 @@ function buildAgentMemoryHint() {
     persist_in_credential_store: ["operator_token"]
   };
 }
+function createAgentScoreCore(options) {
+  if (!options.apiKey) {
+    throw new Error("AgentScore API key is required. Get one at https://agentscore.sh/sign-up");
+  }
+  const {
+    apiKey,
+    requireKyc,
+    requireSanctionsClear,
+    minAge,
+    blockedJurisdictions,
+    allowedJurisdictions,
+    failOpen = false,
+    cacheSeconds = 300,
+    baseUrl: rawBaseUrl = "https://api.agentscore.sh",
+    chain: gateChain,
+    userAgent,
+    createSessionOnMissing
+  } = options;
+  const baseUrl = stripTrailingSlashes(rawBaseUrl);
+  const agentMemoryHint = buildAgentMemoryHint();
+  const defaultUa = `@agent-score/commerce@${"2.0.0"}`;
+  const userAgentHeader = userAgent ? `${userAgent} (${defaultUa})` : defaultUa;
+  const sdk = new AgentScore({ apiKey, baseUrl, userAgent: userAgentHeader });
+  const sessionSdkCache = /* @__PURE__ */ new Map();
+  function getSessionSdk(sessionApiKey, sessionBaseUrl) {
+    const key = `${sessionApiKey}|${sessionBaseUrl ?? ""}`;
+    let s = sessionSdkCache.get(key);
+    if (!s) {
+      s = new AgentScore({
+        apiKey: sessionApiKey,
+        baseUrl: sessionBaseUrl ?? baseUrl,
+        userAgent: userAgentHeader
+      });
+      sessionSdkCache.set(key, s);
+    }
+    return s;
+  }
+  const cache = new TTLCache(cacheSeconds * 1e3);
+  async function tryMintSessionDenial(ctx) {
+    if (!createSessionOnMissing) return void 0;
+    try {
+      const sessionBody = {};
+      if (createSessionOnMissing.context != null) sessionBody.context = createSessionOnMissing.context;
+      if (createSessionOnMissing.productName != null) sessionBody.product_name = createSessionOnMissing.productName;
+      if (createSessionOnMissing.getSessionOptions && ctx !== void 0) {
+        try {
+          const dynamic = await createSessionOnMissing.getSessionOptions(ctx);
+          if (dynamic?.context != null) sessionBody.context = dynamic.context;
+          if (dynamic?.productName != null) sessionBody.product_name = dynamic.productName;
+        } catch (err) {
+          console.warn("[gate] createSessionOnMissing.getSessionOptions hook failed:", err instanceof Error ? err.message : err);
+        }
+      }
+      const sessionSdk = getSessionSdk(createSessionOnMissing.apiKey, createSessionOnMissing.baseUrl);
+      const data = await sessionSdk.createSession({
+        ...sessionBody.context !== void 0 ? { context: sessionBody.context } : {},
+        ...sessionBody.product_name !== void 0 ? { product_name: sessionBody.product_name } : {}
+      });
+      if (typeof data.session_id !== "string" || typeof data.poll_secret !== "string" || typeof data.verify_url !== "string") {
+        console.warn("[gate] /v1/sessions returned 200 without required fields \u2014 falling back to bare denial");
+        return void 0;
+      }
+      let extra;
+      if (createSessionOnMissing.onBeforeSession && ctx !== void 0) {
+        try {
+          const sessionMeta = {
+            session_id: data.session_id,
+            verify_url: data.verify_url,
+            poll_secret: data.poll_secret,
+            poll_url: data.poll_url,
+            expires_at: data.expires_at
+          };
+          const result = await createSessionOnMissing.onBeforeSession(ctx, sessionMeta);
+          if (result && typeof result === "object") extra = result;
+        } catch (err) {
+          console.warn("[gate] createSessionOnMissing.onBeforeSession hook failed:", err instanceof Error ? err.message : err);
+        }
+      }
+      const apiNextSteps = data.next_steps;
+      return {
+        code: "identity_verification_required",
+        verify_url: data.verify_url,
+        session_id: data.session_id,
+        poll_secret: data.poll_secret,
+        poll_url: data.poll_url,
+        agent_instructions: apiNextSteps ? JSON.stringify(apiNextSteps) : void 0,
+        agent_memory: agentMemoryHint,
+        ...extra && { extra }
+      };
+    } catch (err) {
+      console.warn("[gate] createSessionOnMissing path failed \u2014 falling back to bare denial:", err instanceof Error ? err.message : err);
+      return void 0;
+    }
+  }
+  async function evaluate(identity, ctx, signer) {
+    if (!identity || !identity.address && !identity.operatorToken) {
+      if (failOpen) return { kind: "allow" };
+      const sessionReason = await tryMintSessionDenial(ctx);
+      if (sessionReason) return { kind: "deny", reason: sessionReason };
+      const missingIdentityInstructions = JSON.stringify({
+        action: "probe_identity_then_session",
+        steps: [
+          "If you have a wallet AND this merchant accepts a wallet-signing rail (Tempo MPP or x402 \u2014 see openapi.json x-payment-info): send X-Wallet-Address and retry. If the wallet is already linked to an AgentScore operator (via prior SIWE claim or prior captureWallet), this passes in one round trip. If the wallet is unlinked or the account has no KYC, the 403 will include a verify_url \u2014 share it with the user to claim the wallet + complete KYC, then retry.",
+          "If step 1 is denied or you already have a stored operator_token (valid + not expired): send X-Operator-Token: opc_... and retry.",
+          "If neither applies: retry with NO identity header. Merchants that auto-create verification sessions (most AgentScore merchants do) return verify_url + session_id + poll_secret in the 403 body \u2014 share verify_url with the user, then poll poll_url every 5s with the X-Poll-Secret header until status=verified (the poll returns a one-time operator_token). If the retry returns the same bare 403, this merchant does not support self-service session bootstrapping \u2014 direct the user to https://agentscore.sh/sign-up to create an AgentScore identity and mint an operator_token from their dashboard (https://agentscore.sh/dashboard/verify). The user hands the opc_... to you, and you retry with X-Operator-Token."
+        ],
+        user_message: "Try X-Wallet-Address first if you have a wallet and the merchant accepts Tempo/x402; fall back to a stored X-Operator-Token, then to the session/verify flow described in agent_memory.bootstrap."
+      });
+      return {
+        kind: "deny",
+        reason: {
+          code: "missing_identity",
+          agent_instructions: missingIdentityInstructions,
+          agent_memory: agentMemoryHint
+        }
+      };
+    }
+    const cacheKey2 = identity.operatorToken?.toLowerCase() ?? (identity.address ? normalizeAddress(identity.address) : "");
+    const cached = cache.get(cacheKey2);
+    if (cached) {
+      if (cached.allow) {
+        const cachedRaw = cached.raw;
+        const cachedQuota = cachedRaw?.quota;
+        return {
+          kind: "allow",
+          data: cachedRaw,
+          ...cachedQuota !== void 0 && { quota: cachedQuota }
+        };
+      }
+      if (isFixableDenial(cached.reasons)) {
+        const sessionReason = await tryMintSessionDenial(ctx);
+        if (sessionReason) return { kind: "deny", reason: sessionReason };
+      }
+      return {
+        kind: "deny",
+        reason: {
+          code: "wallet_not_trusted",
+          decision: cached.decision,
+          reasons: cached.reasons,
+          verify_url: cached.raw?.verify_url,
+          data: cached.raw
+        }
+      };
+    }
+    const policy = {};
+    if (requireKyc != null) policy.require_kyc = requireKyc;
+    if (requireSanctionsClear != null) policy.require_sanctions_clear = requireSanctionsClear;
+    if (minAge != null) policy.min_age = minAge;
+    if (blockedJurisdictions != null) policy.blocked_jurisdictions = blockedJurisdictions;
+    if (allowedJurisdictions != null) policy.allowed_jurisdictions = allowedJurisdictions;
+    let data;
+    try {
+      const opts = {
+        chain: gateChain,
+        ...Object.keys(policy).length > 0 ? { policy } : {},
+        // Pre-extracted payment signer (by the adapter middleware). When present, the API
+        // composes BOTH signer_match (wallet-binding) and signer_sanctions (OFAC SDN wallet
+        // check) verdicts on the response in one round trip. Under
+        // policy.require_sanctions_clear, a signer_sanctions hit flips decision -> deny inline.
+        ...signer && { signer: { address: signer.address, network: signer.network } }
+      };
+      const result = identity.address ? await sdk.assess(identity.address, { ...opts, operatorToken: identity.operatorToken }) : await sdk.assess(null, { ...opts, operatorToken: identity.operatorToken });
+      data = result;
+    } catch (err) {
+      if (err instanceof PaymentRequiredError) {
+        if (failOpen) return { kind: "allow" };
+        return { kind: "deny", reason: { code: "payment_required" } };
+      }
+      if (err instanceof TokenExpiredError) {
+        return {
+          kind: "deny",
+          reason: {
+            code: "token_expired",
+            data: err.details,
+            ...err.verifyUrl ? { verify_url: err.verifyUrl } : {},
+            ...err.sessionId ? { session_id: err.sessionId } : {},
+            ...err.pollSecret ? { poll_secret: err.pollSecret } : {},
+            ...err.pollUrl ? { poll_url: err.pollUrl } : {},
+            ...err.nextSteps ? { agent_instructions: JSON.stringify(err.nextSteps) } : {},
+            ...err.agentMemory ? { agent_memory: err.agentMemory } : {}
+          }
+        };
+      }
+      if (err instanceof InvalidCredentialError) {
+        return {
+          kind: "deny",
+          reason: {
+            code: "invalid_credential",
+            agent_instructions: INVALID_CREDENTIAL_INSTRUCTIONS,
+            agent_memory: agentMemoryHint
+          }
+        };
+      }
+      if (err instanceof QuotaExceededError) {
+        console.warn("[gate] /v1/assess returned 429 quota_exceeded");
+        if (failOpen) return { kind: "allow", degraded: true, infraReason: "quota_exceeded" };
+        return {
+          kind: "deny",
+          reason: { code: "api_error", agent_instructions: QUOTA_EXCEEDED_INSTRUCTIONS }
+        };
+      }
+      if (err instanceof SdkTimeoutError) {
+        console.warn("[gate] /v1/assess timed out:", err.message);
+        if (failOpen) return { kind: "allow", degraded: true, infraReason: "network_timeout" };
+        return { kind: "deny", reason: { code: "api_error" } };
+      }
+      const status = err?.status;
+      const errName = err instanceof Error ? err.name : "";
+      if (status === 429) {
+        console.warn("[gate] /v1/assess returned 429 (untyped \u2014 defensive)");
+        if (failOpen) return { kind: "allow", degraded: true, infraReason: "quota_exceeded" };
+        return {
+          kind: "deny",
+          reason: { code: "api_error", agent_instructions: QUOTA_EXCEEDED_INSTRUCTIONS }
+        };
+      }
+      if (errName === "TimeoutError" || errName === "AbortError") {
+        console.warn("[gate] /v1/assess timed out (by Error.name):", err instanceof Error ? err.message : err);
+        if (failOpen) return { kind: "allow", degraded: true, infraReason: "network_timeout" };
+        return { kind: "deny", reason: { code: "api_error" } };
+      }
+      const errCode = err?.code;
+      const msg = err instanceof Error ? err.message : String(err);
+      const detail = errCode ? `${errCode}: ${msg}` : msg;
+      console.warn(`[gate] /v1/assess call failed \u2014 surfacing as api_error: ${detail}`);
+      if (failOpen) return { kind: "allow", degraded: true, infraReason: "api_error" };
+      return { kind: "deny", reason: { code: "api_error" } };
+    }
+    const decision = data.decision;
+    const decisionReasons = data.decision_reasons ?? [];
+    const allow = decision === "allow" || decision == null;
+    cache.set(cacheKey2, { allow, decision: decision ?? void 0, reasons: decisionReasons, raw: data });
+    if (allow) {
+      const quota = data.quota;
+      return {
+        kind: "allow",
+        data,
+        ...quota !== void 0 && { quota }
+      };
+    }
+    if (isFixableDenial(decisionReasons)) {
+      const sessionReason = await tryMintSessionDenial(ctx);
+      if (sessionReason) return { kind: "deny", reason: sessionReason };
+    }
+    return {
+      kind: "deny",
+      reason: {
+        code: "wallet_not_trusted",
+        decision: decision ?? void 0,
+        reasons: decisionReasons,
+        verify_url: data.verify_url,
+        data
+      }
+    };
+  }
+  async function captureWallet(options2) {
+    try {
+      await sdk.associateWallet({
+        operatorToken: options2.operatorToken,
+        walletAddress: options2.walletAddress,
+        network: options2.network,
+        ...options2.idempotencyKey ? { idempotencyKey: options2.idempotencyKey } : {}
+      });
+    } catch (err) {
+      console.warn("[agentscore-commerce] captureWallet failed:", err instanceof Error ? err.message : err);
+    }
+  }
+  function projectSignerMatch(sm, claimedNorm, signerNorm) {
+    const kind = sm.kind;
+    if (kind === "pass") {
+      return {
+        kind: "pass",
+        claimedOperator: sm.claimed_operator ?? null,
+        signerOperator: sm.signer_operator ?? null
+      };
+    }
+    if (kind === "wallet_auth_requires_wallet_signing") {
+      return {
+        kind: "wallet_auth_requires_wallet_signing",
+        claimedWallet: sm.claimed_wallet ?? claimedNorm,
+        agentInstructions: sm.agent_instructions ?? WALLET_AUTH_REQUIRES_WALLET_SIGNING_INSTRUCTIONS
+      };
+    }
+    const linked = sm.linked_wallets;
+    return {
+      kind: "wallet_signer_mismatch",
+      claimedOperator: sm.claimed_operator ?? null,
+      actualSignerOperator: sm.signer_operator ?? null,
+      expectedSigner: sm.expected_signer ?? claimedNorm,
+      actualSigner: sm.actual_signer ?? signerNorm,
+      linkedWallets: Array.isArray(linked) ? linked.filter((w) => typeof w === "string") : [],
+      agentInstructions: sm.agent_instructions ?? WALLET_SIGNER_MISMATCH_INSTRUCTIONS
+    };
+  }
+  function getSignerVerdict(claimedAddress) {
+    const claimedNorm = normalizeAddress(claimedAddress);
+    const cached = cache.get(claimedNorm);
+    if (!cached) return void 0;
+    const raw = cached.raw;
+    if (!raw) return void 0;
+    const rawMatch = raw.signer_match;
+    const rawSanctions = raw.signer_sanctions;
+    if (!rawMatch && !rawSanctions) return void 0;
+    const signerNorm = rawMatch?.actual_signer ?? claimedNorm;
+    return {
+      signer_match: rawMatch ? projectSignerMatch(rawMatch, claimedNorm, signerNorm) : null,
+      signer_sanctions: rawSanctions ?? null
+    };
+  }
+  return { evaluate, captureWallet, getSignerVerdict };
+}
 
 // src/signer.ts
 var TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";
@@ -321,9 +1856,33 @@ async function extractPaymentSigner(request, x402PaymentHeader) {
   }
   return null;
 }
+async function extractPaymentSignerFromAuth(authHeader, x402PaymentHeader) {
+  const request = new Request("http://internal.gate/", {
+    headers: authHeader ? { authorization: authHeader } : {}
+  });
+  return extractPaymentSigner(request, x402PaymentHeader);
+}
 function readX402PaymentHeader(request) {
   return request.headers.get("payment-signature") ?? request.headers.get("x-payment") ?? void 0;
 }
+function lowerHeaders(headers) {
+  const out = {};
+  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
+  return out;
+}
+async function extractSignerForPrecheck(headers) {
+  const lower = lowerHeaders(headers);
+  const x402 = lower["payment-signature"] ?? lower["x-payment"];
+  if (x402) {
+    const signer = await extractPaymentSignerFromAuth(void 0, x402);
+    if (signer !== null) return signer;
+  }
+  const authorization = lower["authorization"];
+  if (authorization && authorization.toLowerCase().startsWith("payment ")) {
+    return await extractPaymentSignerFromAuth(authorization);
+  }
+  return null;
+}
 
 // src/identity/a2a.ts
 var PROTOCOL_VERSION = "1.0";
@@ -379,434 +1938,2062 @@ function buildA2AAgentCard(input) {
   return card;
 }
 
-// src/identity/ucp.ts
-function ucpSigningKeyFromJWKImpl(jwk) {
-  if (!jwk || typeof jwk !== "object") {
-    throw new Error(`UCPSigningKey.fromJWK expected a non-null object; got ${typeof jwk}.`);
+// src/index.ts
+init_ucp();
+init_ucp_jwks();
+
+// src/checkout.ts
+import { randomUUID } from "crypto";
+
+// src/payment/rail_spec.ts
+init_usdc();
+async function resolveRecipient(r) {
+  if (typeof r === "string") return r;
+  return Promise.resolve(r());
+}
+var RAIL_SPEC_DEFAULTS = {
+  tempo: {
+    network: "tempo-mainnet",
+    chainId: 4217,
+    token: USDC.tempo.mainnet.address,
+    symbol: "USDC.e",
+    decimals: 6,
+    testnet: false,
+    recommend: "both"
+  },
+  x402Base: {
+    network: "eip155:8453",
+    chainId: 8453,
+    token: USDC.base.mainnet.address,
+    symbol: "USDC",
+    decimals: 6,
+    mode: "exact"
+  },
+  solanaMpp: {
+    network: "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp",
+    token: USDC.solana.mainnet.mint,
+    symbol: "USDC",
+    decimals: 6
+  },
+  stripe: {
+    rails: ["card", "link", "shared_payment_token"]
+  },
+  tempoSession: {
+    currency: USDC.tempo.mainnet.address,
+    testnet: false
   }
-  if (typeof jwk.kid !== "string" || !jwk.kid) {
-    throw new Error("UCPSigningKey.fromJWK: JWK missing required field `kid` (or non-string).");
+};
+
+// src/challenge/accepted_methods.ts
+async function buildAcceptedMethods({
+  tempo,
+  x402_base,
+  solana_mpp,
+  stripe
+}) {
+  const out = [];
+  if (tempo) {
+    out.push({
+      method: "tempo/charge",
+      network: tempo.network ?? RAIL_SPEC_DEFAULTS.tempo.network,
+      chain_id: tempo.chainId ?? RAIL_SPEC_DEFAULTS.tempo.chainId,
+      token: tempo.token ?? RAIL_SPEC_DEFAULTS.tempo.token,
+      symbol: tempo.symbol ?? RAIL_SPEC_DEFAULTS.tempo.symbol,
+      decimals: tempo.decimals ?? RAIL_SPEC_DEFAULTS.tempo.decimals,
+      pay_to: await resolveRecipient(tempo.recipient)
+    });
   }
-  if (typeof jwk.kty !== "string" || !jwk.kty) {
-    throw new Error("UCPSigningKey.fromJWK: JWK missing required field `kty` (or non-string).");
+  if (x402_base) {
+    out.push({
+      method: "x402/exact",
+      network: x402_base.network ?? RAIL_SPEC_DEFAULTS.x402Base.network,
+      chain_id: x402_base.chainId ?? RAIL_SPEC_DEFAULTS.x402Base.chainId,
+      token: x402_base.token ?? RAIL_SPEC_DEFAULTS.x402Base.token,
+      symbol: x402_base.symbol ?? RAIL_SPEC_DEFAULTS.x402Base.symbol,
+      decimals: x402_base.decimals ?? RAIL_SPEC_DEFAULTS.x402Base.decimals,
+      pay_to: await resolveRecipient(x402_base.recipient)
+    });
   }
-  if (jwk.kty !== "OKP" && jwk.kty !== "EC" && jwk.kty !== "RSA") {
-    throw new Error(
-      `UCPSigningKey.fromJWK: kty=${JSON.stringify(jwk.kty)} is not a supported asymmetric key type (expected OKP, EC, or RSA). Symmetric \`oct\` keys are rejected because they cannot publicly verify a JWS in the trust-mode UCP flow.`
-    );
+  if (solana_mpp) {
+    out.push({
+      method: "solana/charge",
+      network: solana_mpp.network ?? RAIL_SPEC_DEFAULTS.solanaMpp.network,
+      token: solana_mpp.token ?? RAIL_SPEC_DEFAULTS.solanaMpp.token,
+      symbol: solana_mpp.symbol ?? RAIL_SPEC_DEFAULTS.solanaMpp.symbol,
+      decimals: solana_mpp.decimals ?? RAIL_SPEC_DEFAULTS.solanaMpp.decimals,
+      pay_to: await resolveRecipient(solana_mpp.recipient)
+    });
   }
-  if ((jwk.kty === "EC" || jwk.kty === "OKP") && (typeof jwk.crv !== "string" || !jwk.crv)) {
-    throw new Error(`UCPSigningKey.fromJWK: kty=${jwk.kty} requires a non-empty \`crv\` field (e.g., "P-256" for EC, "Ed25519" for OKP).`);
+  if (stripe) {
+    out.push({
+      method: "stripe/charge",
+      rails: stripe.rails ?? [...RAIL_SPEC_DEFAULTS.stripe.rails],
+      profile_id: stripe.profileId ?? null
+    });
   }
-  return jwk;
+  return out;
 }
-var UCPSigningKey = {
-  fromJWK: ucpSigningKeyFromJWKImpl
+
+// src/challenge/agent_instructions.ts
+var TEMPO_WARNING = "Do NOT use `tempo wallet transfer`. That moves USDC on-chain without completing the protocol handshake, so the request will not complete. Use `tempo request` instead.";
+var X402_WARNING = "Do NOT send USDC manually to the deposit addresses. Use `agentscore-pay pay` so the credential is signed and submitted; otherwise the request will not complete even though the deposit lands.";
+var TEMPO_TOOL = "`tempo request` for Tempo USDC";
+var AGENTSCORE_PAY_TOOL = "`agentscore-pay` \u2014 Base + Solana + Tempo from one CLI";
+var DEFAULT_WALLET_COMPATIBILITY = "Any client that can produce a valid MPP credential (Authorization: Payment) or x402 X-Payment header. Use the CLI commands above; sign-it-yourself is also fine.";
+function defaultRecommendedTools(howToPay) {
+  const tools = [];
+  if (howToPay.tempo) tools.push(TEMPO_TOOL);
+  if (howToPay.tempo || howToPay.x402_base || howToPay.solana_mpp) tools.push(AGENTSCORE_PAY_TOOL);
+  return tools;
+}
+function defaultWarnings(howToPay) {
+  const w = [];
+  if (howToPay.tempo) w.push(TEMPO_WARNING);
+  if (howToPay.x402_base) w.push(X402_WARNING);
+  return w;
+}
+var RAIL_CLIENTS = {
+  tempo_mpp: ["agentscore-pay", "tempo request", "x402-proxy"],
+  x402_base: ["agentscore-pay", "x402-proxy", "purl (omit --network flag)"],
+  solana_mpp: ["agentscore-pay"],
+  stripe: ["link-cli"]
 };
-var DEFAULT_VERSION = "2026-04-08";
-var AGENTSCORE_CAPABILITY_NAME = "sh.agentscore.identity";
-var AGENTSCORE_CAPABILITY_VERSION = "2026-04-08";
-var AGENTSCORE_DEFAULT_SPEC_URL = "https://agentscore.sh/specification/identity";
-var AGENTSCORE_DEFAULT_SCHEMA_URL = "https://agentscore.sh/schemas/ucp/sh-agentscore-identity-v1.json";
-var AGENTSCORE_EXTENDS = ["dev.ucp.shopping.checkout", "dev.ucp.shopping.cart"];
-var RESERVED_TOP_LEVEL = /* @__PURE__ */ new Set([
-  "ucp",
-  "signing_keys",
-  "signature",
-  "__proto__",
-  "constructor",
-  "prototype"
-]);
-var RESERVED_UCP_FIELDS = /* @__PURE__ */ new Set([
-  "version",
-  "name",
-  "services",
-  "capabilities",
-  "payment_handlers",
-  "supported_versions",
-  "__proto__",
-  "constructor",
-  "prototype"
-]);
-function buildUCPProfile(input) {
-  for (const [name, bindings] of Object.entries(input.services ?? {})) {
-    for (const binding of bindings) {
-      if ((binding.transport === "rest" || binding.transport === "mcp" || binding.transport === "a2a") && (binding.endpoint === void 0 || binding.endpoint === null || binding.endpoint === "")) {
-        throw new Error(
-          `buildUCPProfile: service "${name}" transport=${binding.transport} requires \`endpoint\`. Per UCP spec service.json business_schema, rest/mcp/a2a bindings MUST carry an endpoint URL.`
-        );
-      }
+function compatibleClientsByRails(rails2) {
+  const out = {};
+  for (const r of rails2) out[r] = [...RAIL_CLIENTS[r]];
+  return Object.keys(out).length === 0 ? void 0 : out;
+}
+function defaultCompatibleClients(howToPay) {
+  const rails2 = [];
+  if (howToPay.tempo) rails2.push("tempo_mpp");
+  if (howToPay.x402_base) rails2.push("x402_base");
+  if (howToPay.solana_mpp) rails2.push("solana_mpp");
+  if (howToPay.stripe) rails2.push("stripe");
+  return compatibleClientsByRails(rails2);
+}
+function buildAgentInstructions({
+  howToPay,
+  recommendedTools,
+  walletCompatibility,
+  timeoutSeconds,
+  warnings,
+  extraWarnings,
+  recommended,
+  compatibleClients,
+  extra
+}) {
+  const compatibleClientsOut = compatibleClients ?? defaultCompatibleClients(howToPay);
+  return {
+    how_to_pay: howToPay,
+    recommended_tools: recommendedTools ?? defaultRecommendedTools(howToPay),
+    wallet_compatibility: walletCompatibility ?? DEFAULT_WALLET_COMPATIBILITY,
+    timeout_seconds: timeoutSeconds ?? 300,
+    warnings: warnings ?? [...defaultWarnings(howToPay), ...extraWarnings ?? []],
+    ...recommended ? { recommended } : {},
+    ...compatibleClientsOut ? { compatible_clients: compatibleClientsOut } : {},
+    ...extra ?? {}
+  };
+}
+
+// src/challenge/agent_memory.ts
+function firstEncounterAgentMemory({
+  firstEncounter
+}) {
+  if (!firstEncounter) return void 0;
+  return buildAgentMemoryHint();
+}
+
+// src/challenge/body.ts
+function build402Body({
+  acceptedMethods,
+  agentInstructions,
+  identityMetadata,
+  agentMemory,
+  pricing,
+  amountUsd,
+  currency,
+  orderId,
+  product,
+  retryBody,
+  recommended,
+  x402,
+  extra
+}) {
+  const body = {
+    payment_required: true,
+    accepted_methods: acceptedMethods
+  };
+  if (x402) {
+    body.x402Version = x402.version ?? 2;
+    body.accepts = x402.accepts;
+    if (x402.extensions !== void 0 && Object.keys(x402.extensions).length > 0) {
+      body.extensions = x402.extensions;
     }
   }
-  const paymentHandlers = {};
-  for (const [name, bindings] of Object.entries(input.payment_handlers ?? {})) {
-    paymentHandlers[name] = bindings.map((binding) => {
-      if (Array.isArray(binding.available_instruments) && binding.available_instruments.length === 0) {
-        const { available_instruments: _drop, ...rest } = binding;
-        return rest;
-      }
-      return binding;
-    });
+  if (amountUsd !== void 0) body.amount_usd = amountUsd;
+  if (currency) body.currency = currency;
+  if (pricing) body.pricing = pricing;
+  if (orderId !== void 0) body.order_id = orderId;
+  if (product) body.product = product;
+  if (recommended) body.recommended = recommended;
+  if (retryBody !== void 0) body.retry_body = retryBody;
+  if (identityMetadata) {
+    Object.assign(body, identityMetadata);
   }
-  const capabilities = {};
-  for (const [name, bindings] of Object.entries(input.capabilities ?? {})) {
-    capabilities[name] = [...bindings];
+  if (agentInstructions) body.agent_instructions = agentInstructions;
+  if (agentMemory !== void 0) body.agent_memory = agentMemory;
+  if (extra) Object.assign(body, extra);
+  return body;
+}
+
+// src/challenge/how_to_pay.ts
+var TEMPO_SETUP = [
+  "curl -fsSL https://tempo.xyz/install | bash",
+  "tempo wallet login",
+  "tempo wallet whoami",
+  "tempo wallet fund   # if balance is zero"
+];
+var PAY_SETUP_BASE = [
+  "npm install -g @agent-score/pay   # or: brew install agentscore/tap/agentscore-pay",
+  "agentscore-pay wallet create --chain base",
+  "agentscore-pay balance --chain base   # fund the printed address with USDC on Base"
+];
+var PAY_SETUP_SOLANA = [
+  "npm install -g @agent-score/pay   # or: brew install agentscore/tap/agentscore-pay",
+  "agentscore-pay wallet create --chain solana",
+  "agentscore-pay balance --chain solana   # fund the printed address with USDC on Solana"
+];
+function buildHowToPay({
+  url,
+  retryBodyJson,
+  totalUsd,
+  rails: rails2,
+  opTokenPlaceholder,
+  maxSpend
+}) {
+  const totalNum = typeof totalUsd === "string" ? Number(totalUsd) : totalUsd;
+  const maxSpendStr = String(maxSpend ?? (Math.ceil(totalNum) + 1).toFixed(2));
+  const opToken = opTokenPlaceholder ?? "<your_opc_token>";
+  const block = {};
+  if (rails2.tempo) {
+    const networkName = rails2.tempo.testnet ? "tempo-testnet" : rails2.tempo.network ?? RAIL_SPEC_DEFAULTS.tempo.network;
+    const chainId = rails2.tempo.chainId ?? RAIL_SPEC_DEFAULTS.tempo.chainId;
+    const recommend = rails2.tempo.recommend ?? RAIL_SPEC_DEFAULTS.tempo.recommend;
+    const tempoCommand = `tempo request -X POST -H 'X-Operator-Token: ${opToken}' -H 'Content-Type: application/json' --json '${retryBodyJson}' --max-spend ${maxSpendStr} ${url}`;
+    const payCommand = `agentscore-pay pay POST ${url} --chain tempo -H 'X-Operator-Token: ${opToken}' -H 'Content-Type: application/json' -d '${retryBodyJson}' --max-spend ${maxSpendStr}`;
+    block.tempo = {
+      setup: TEMPO_SETUP,
+      prerequisite: `Run \`tempo wallet whoami\` and confirm USDC.e balance on ${networkName} (chain ${chainId}) is at least $${maxSpendStr}. If the tempo CLI is not installed, run the setup commands above first.`,
+      command: recommend === "agentscore-pay" ? payCommand : tempoCommand,
+      ...recommend === "both" ? { alternative_command: payCommand } : recommend === "agentscore-pay" ? { alternative_command: tempoCommand } : {},
+      what_it_does: `Pays via Tempo USDC on ${networkName}.`
+    };
   }
-  if (input.agentscore_gate) {
-    const gateConfig = { ...input.agentscore_gate };
-    const agentscoreBinding = {
-      version: AGENTSCORE_CAPABILITY_VERSION,
-      spec: input.agentscore_spec_url ?? AGENTSCORE_DEFAULT_SPEC_URL,
-      schema: input.agentscore_schema_url ?? AGENTSCORE_DEFAULT_SCHEMA_URL,
-      extends: AGENTSCORE_EXTENDS
+  if (rails2.x402_base) {
+    const network = rails2.x402_base.network ?? RAIL_SPEC_DEFAULTS.x402Base.network;
+    block.x402_base = {
+      setup: PAY_SETUP_BASE,
+      prerequisite: `Run \`agentscore-pay balance --chain base\` and confirm USDC balance on Base (${network}) is at least $${maxSpendStr}. If the CLI is not installed, run the setup commands above first.`,
+      command: `agentscore-pay pay POST ${url} --chain base -H 'X-Operator-Token: ${opToken}' -H 'Content-Type: application/json' -d '${retryBodyJson}' --max-spend ${maxSpendStr}`,
+      what_it_does: "Pays via USDC on Base."
     };
-    if (Object.keys(gateConfig).length > 0) agentscoreBinding.config = gateConfig;
-    const existing = capabilities[AGENTSCORE_CAPABILITY_NAME];
-    if (existing) existing.push(agentscoreBinding);
-    else capabilities[AGENTSCORE_CAPABILITY_NAME] = [agentscoreBinding];
   }
-  const ucp = {
-    version: input.version ?? DEFAULT_VERSION,
-    services: input.services ?? {},
-    capabilities,
-    payment_handlers: paymentHandlers
-  };
-  if (input.name !== void 0) ucp.name = input.name;
-  if (input.supported_versions !== void 0) ucp.supported_versions = input.supported_versions;
-  if (input.ucp_extras) {
-    for (const k of Object.keys(input.ucp_extras)) {
-      if (RESERVED_UCP_FIELDS.has(k)) {
-        throw new Error(`buildUCPProfile: ucp_extras key "${k}" collides with a reserved \`ucp\` field; rejected.`);
-      }
-    }
-    Object.assign(ucp, input.ucp_extras);
+  if (rails2.solana_mpp) {
+    const network = rails2.solana_mpp.network ?? RAIL_SPEC_DEFAULTS.solanaMpp.network;
+    block.solana_mpp = {
+      setup: PAY_SETUP_SOLANA,
+      prerequisite: `Run \`agentscore-pay balance --chain solana\` and confirm USDC balance on Solana (${network}) is at least $${maxSpendStr}. If the CLI is not installed, run the setup commands above first.`,
+      command: `agentscore-pay pay POST ${url} --chain solana -H 'X-Operator-Token: ${opToken}' -H 'Content-Type: application/json' -d '${retryBodyJson}' --max-spend ${maxSpendStr}`,
+      what_it_does: "Pays via USDC on Solana."
+    };
   }
-  const profile = {
-    ucp,
-    signing_keys: input.signing_keys
-  };
-  if (input.extras) {
-    for (const k of Object.keys(input.extras)) {
-      if (RESERVED_TOP_LEVEL.has(k)) {
-        throw new Error(`buildUCPProfile: extras key "${k}" collides with a reserved profile field; rejected.`);
-      }
+  if (rails2.stripe) {
+    const stripeCfg = rails2.stripe;
+    const amountCents = Math.round(totalNum * 100);
+    const linkCliBlocked = amountCents > 5e4;
+    const productName = stripeCfg.productName ?? "this purchase";
+    const sptContext = `Purchasing "${productName}" via the agent commerce API. The user authorized this purchase through their AI agent for $${totalNum}; charge to be settled via shared payment token over the Machine Payments Protocol.`;
+    const stripe = {
+      prerequisite: "Either your own Stripe account with Shared Payment Token acceptance, OR a Stripe Link wallet (any user with link.com).",
+      instructions: "Mint a SharedPaymentToken scoped to the profile_id advertised in accepted_methods, then submit via Authorization: Payment MPP header with method=stripe/charge."
+    };
+    if (stripeCfg.profileId && !linkCliBlocked) {
+      stripe.setup_link_cli = [
+        "npm install -g @stripe/link-cli   # or use npx -y @stripe/link-cli for one-shot",
+        "link-cli auth login   # one-time, opens your Link wallet",
+        "link-cli payment-methods list --output-json   # copy a csmrpd_... id"
+      ];
+      stripe.command_link_cli = [
+        `SPEND_ID=$(link-cli spend-request create --payment-method-id <csmrpd_id_from_payment_methods_list> --credential-type shared_payment_token --network-id ${stripeCfg.profileId} --amount ${amountCents} --context "${sptContext}" --request-approval --output-json | jq -r .id)`,
+        `link-cli mpp pay ${url} --spend-request-id $SPEND_ID --method POST --data '${retryBodyJson}' --header 'X-Operator-Token: ${opToken}' --output-json`
+      ];
+      stripe.what_it_does_link_cli = "Mints a one-time-use SharedPaymentToken scoped to this purchase (user approves in Link wallet), then submits it as the payment credential.";
+    } else if (linkCliBlocked) {
+      stripe.note = `link-cli SPT path not available for this purchase \u2014 Stripe link-cli caps spend requests at $500.00 ($50000 cents); your total is $${totalNum}. Use your own Stripe account with the SharedPaymentToken API instead.`;
     }
-    Object.assign(profile, input.extras);
+    block.stripe = stripe;
   }
-  return profile;
-}
-var AGENTSCORE_UCP_CAPABILITY = AGENTSCORE_CAPABILITY_NAME;
-var HANDLER_VERSION = "2026-04-08";
-var SPEC_BASE = "https://agentscore.sh/specification/payment-handlers";
-var SCHEMA_BASE = "https://agentscore.sh/schemas/payment-handlers";
-function mppPaymentHandler(input) {
-  return {
-    "sh.agentscore.payment.mpp": [{
-      id: "mpp",
-      version: HANDLER_VERSION,
-      spec: `${SPEC_BASE}/mpp`,
-      schema: `${SCHEMA_BASE}/mpp.json`,
-      config: { networks: input.networks }
-    }]
-  };
+  return block;
 }
-function x402PaymentHandler(input) {
-  return {
-    "sh.agentscore.payment.x402": [{
-      id: "x402",
-      version: HANDLER_VERSION,
-      spec: `${SPEC_BASE}/x402`,
-      schema: `${SCHEMA_BASE}/x402.json`,
-      config: { networks: input.networks }
-    }]
-  };
+
+// src/challenge/identity.ts
+function buildIdentityMetadata({
+  mode,
+  wallet,
+  signerMatchResult,
+  linkedWallets,
+  signerConstraint
+}) {
+  const block = { identity_mode: mode };
+  if (mode !== "wallet") return block;
+  if (wallet) {
+    block.required_signer = signerMatchResult?.expectedSigner ?? wallet;
+  }
+  if (linkedWallets && linkedWallets.length > 0) {
+    block.linked_wallets = linkedWallets;
+  }
+  block.signer_constraint = signerConstraint ?? "Payment must be signed with the claimed wallet OR any same-operator linked wallet listed in linked_wallets.";
+  return block;
 }
-function stripeSptPaymentHandler(input) {
-  return {
-    "sh.agentscore.payment.stripe_spt": [{
-      id: "stripe-spt",
-      version: HANDLER_VERSION,
-      spec: `${SPEC_BASE}/stripe_spt`,
-      schema: `${SCHEMA_BASE}/stripe_spt.json`,
-      config: { rail: "stripe-spt", profile_id: input.profile_id }
-    }]
+
+// src/challenge/pricing.ts
+function buildPricingBlock({
+  subtotalCents,
+  taxCents = 0,
+  shippingCents,
+  discountCents,
+  totalCents,
+  taxRate,
+  taxState,
+  currency
+}) {
+  const shipping = shippingCents ?? 0;
+  const discount = discountCents ?? 0;
+  const total = totalCents ?? Math.max(0, subtotalCents + taxCents + shipping - discount);
+  const block = {
+    subtotal: formatCents(subtotalCents),
+    tax: formatCents(taxCents),
+    total: formatCents(total)
   };
+  if (shippingCents !== void 0) block.shipping = formatCents(shipping);
+  if (discountCents !== void 0) block.discount = formatCents(discount);
+  if (taxRate !== void 0) block.tax_rate = taxRate;
+  if (taxState !== void 0) block.tax_state = taxState;
+  if (currency !== void 0) block.currency = currency;
+  return block;
+}
+function formatCents(cents) {
+  return (cents / 100).toFixed(2);
 }
 
-// src/identity/ucp-jwks.ts
-var JOSE_INSTALL_HINT = "Install the optional peer dependency: `npm install jose@^6` (or `bun add jose`). Tested against jose v6.x.";
-var ALLOWED_ALGS = ["EdDSA", "ES256"];
-var PROFILE_TYP = "agentscore-profile+jws";
-var UCPVerificationError = class extends Error {
-  constructor(code, message) {
-    super(message);
-    this.code = code;
-    this.name = "UCPVerificationError";
+// src/challenge/respond_402.ts
+init_wwwauthenticate();
+function respond402({
+  mppxChallengeHeaders,
+  body,
+  x402
+}) {
+  const headers = {};
+  for (const [k, v] of Object.entries(mppxChallengeHeaders)) {
+    headers[k.toLowerCase()] = v;
   }
-  code;
-};
-async function loadJose() {
-  try {
-    return await import("jose");
-  } catch (err) {
-    throw new Error(
-      `UCP signing requires the \`jose\` library, which is an optional peer dependency. ${JOSE_INSTALL_HINT}
-Original error: ${err instanceof Error ? err.message : String(err)}`
-    );
+  headers["content-type"] = "application/json";
+  if (x402) {
+    headers["payment-required"] = paymentRequiredHeader(x402);
   }
+  return { body, headers, status: 402 };
 }
-function canonicalizeProfile(profile) {
-  const stripped = { ...profile };
-  delete stripped.signature;
-  return stableStringify(stripped);
+
+// src/challenge/validation_error.ts
+function buildValidationError({
+  code,
+  message,
+  requiredFields,
+  exampleBody,
+  nextSteps,
+  extra
+}) {
+  const body = {
+    error: { code, message }
+  };
+  if (requiredFields) body.required_fields = requiredFields;
+  if (exampleBody !== void 0) body.example_body = exampleBody;
+  if (nextSteps) body.next_steps = nextSteps;
+  if (extra) Object.assign(body, extra);
+  return body;
 }
-function stableStringify(value) {
-  if (value === void 0) {
+
+// src/stripe-multichain/mppx_stripe.ts
+async function createMppxStripe({
+  profileId,
+  secretKey,
+  paymentMethodTypes
+}) {
+  const moduleName = "mppx/server";
+  const mppx = await import(moduleName).catch(() => null);
+  if (!mppx?.stripe?.charge) {
     throw new Error(
-      "stableStringify: undefined values are not allowed in canonicalized JSON. Object fields with no value must be omitted."
+      "mppx not installed \u2014 install with `npm install mppx` to use createMppxStripe."
     );
   }
-  if (typeof value === "function" || typeof value === "symbol") {
-    throw new Error(`stableStringify: ${typeof value} values are not allowed in canonicalized JSON.`);
+  return mppx.stripe.charge({
+    networkId: profileId,
+    paymentMethodTypes: paymentMethodTypes ?? ["card", "link"],
+    secretKey
+  });
+}
+
+// src/payment/mppx_server.ts
+init_networks();
+init_usdc();
+function isStripeRailSpec(s) {
+  return !("recipient" in s);
+}
+function isTempoSessionRailSpec2(s) {
+  return "escrowContract" in s && "store" in s;
+}
+function isSolanaMppRailSpec(s) {
+  if (!("recipient" in s)) return false;
+  if ("escrowContract" in s) return false;
+  if ("rpcUrl" in s || "tokenProgram" in s) return true;
+  return s.network?.startsWith("solana:") ?? false;
+}
+function solanaNetworkFromCAIP2(caip2) {
+  if (caip2 === networks.solana.devnet.caip2) return "devnet";
+  return "mainnet-beta";
+}
+function solanaDefaultRpcUrl(network) {
+  if (network === "mainnet-beta") return "https://api.mainnet-beta.solana.com";
+  if (network === "devnet") return "https://api.devnet.solana.com";
+  return "http://localhost:8899";
+}
+async function createMppxServer({
+  rails: rails2,
+  methods: extraMethods,
+  secretKey
+}) {
+  const mppx = await dynamicImport("mppx/server");
+  if (!mppx?.Mppx?.create) {
+    throw new Error("mppx not installed \u2014 `npm install mppx` to use createMppxServer.");
   }
-  if (typeof value === "bigint") {
-    throw new Error("stableStringify: BigInt values are not allowed; use a decimal string.");
+  const methods = [...extraMethods ?? []];
+  for (const [name, spec] of Object.entries(rails2 ?? {})) {
+    if (isStripeRailSpec(spec)) {
+      methods.push(await registerStripe(spec));
+      continue;
+    }
+    if (isTempoSessionRailSpec2(spec)) {
+      methods.push(await registerTempoSession(mppx, spec));
+      continue;
+    }
+    if (isSolanaMppRailSpec(spec)) {
+      methods.push(await registerSolana(spec));
+      continue;
+    }
+    methods.push(registerTempo(mppx, spec, name));
   }
-  if (value instanceof Date) {
+  return mppx.Mppx.create({ methods, secretKey });
+}
+function registerTempo(mppx, spec, _name) {
+  if (!mppx.tempo?.charge) {
+    throw new Error("mppx.tempo.charge not available \u2014 check installed mppx version.");
+  }
+  const defaultCurrency = spec.testnet ? USDC.tempo.testnet.address : USDC.tempo.mainnet.address;
+  if (typeof spec.recipient !== "string") {
+    throw new TypeError(
+      "createMppxServer: TempoRailSpec requires a string recipient (per-order factories not supported here)."
+    );
+  }
+  return mppx.tempo.charge({
+    currency: spec.token ?? defaultCurrency,
+    recipient: spec.recipient,
+    testnet: spec.testnet ?? false
+  });
+}
+async function registerTempoSession(mppx, spec) {
+  if (!mppx.tempo?.session) {
     throw new Error(
-      "stableStringify: Date instances are not allowed; serialize to an ISO string before passing."
+      "mppx.tempo.session not available \u2014 your mppx version may not support sessions yet. Upgrade with `npm install mppx@latest`."
     );
   }
-  if (value instanceof Map || value instanceof Set || value instanceof WeakMap || value instanceof WeakSet) {
+  const defaultCurrency = spec.testnet ? USDC.tempo.testnet.address : USDC.tempo.mainnet.address;
+  return mppx.tempo.session({
+    currency: spec.currency ?? defaultCurrency,
+    recipient: await resolveRecipient(spec.recipient),
+    escrowContract: spec.escrowContract,
+    store: spec.store,
+    testnet: spec.testnet ?? false,
+    ...spec.chains ? { chains: spec.chains } : {}
+  });
+}
+async function registerSolana(spec) {
+  const solanaMpp = await dynamicImport("@solana/mpp/server");
+  if (!solanaMpp?.charge) {
     throw new Error(
-      `stableStringify: ${value.constructor.name} values are not allowed; convert to a plain object/array first.`
+      "@solana/mpp not installed \u2014 `npm install @solana/mpp @solana/kit` to use the solana rail."
     );
   }
-  if (ArrayBuffer.isView(value)) {
-    throw new Error("stableStringify: typed arrays are not allowed; convert to a plain array first.");
+  const network = solanaNetworkFromCAIP2(spec.network);
+  const defaultMint = network === "mainnet-beta" ? USDC.solana.mainnet.mint : USDC.solana.devnet.mint;
+  const defaultDecimals = network === "mainnet-beta" ? USDC.solana.mainnet.decimals : USDC.solana.devnet.decimals;
+  if (typeof spec.recipient !== "string") {
+    throw new TypeError(
+      "createMppxServer: SolanaMppRailSpec requires a string recipient (per-order factories not supported here)."
+    );
   }
-  if (typeof value === "number") {
-    if (!Number.isFinite(value)) {
-      throw new Error(
-        `UCP profile canonicalization rejects non-finite Number ${value}. Use a decimal string for any value that may be NaN/Infinity.`
-      );
-    }
-    if (!Number.isInteger(value)) {
-      throw new Error(
-        `UCP profile canonicalization rejects non-integer Number ${value}. Use a decimal string (e.g. "9.99") for monetary or fractional fields to preserve cross-language byte-parity.`
-      );
-    }
-    if (!Number.isSafeInteger(value)) {
-      throw new Error(
-        `stableStringify: integer ${value} exceeds Number.MAX_SAFE_INTEGER. For values >2^53, use a decimal string to preserve cross-language byte parity.`
-      );
+  const baseMethod = solanaMpp.charge({
+    recipient: spec.recipient,
+    currency: spec.token ?? defaultMint,
+    decimals: spec.decimals ?? defaultDecimals,
+    network,
+    ...spec.rpcUrl ? { rpcUrl: spec.rpcUrl } : {},
+    ...spec.signer ? { signer: spec.signer } : {},
+    ...spec.tokenProgram ? { tokenProgram: spec.tokenProgram } : {}
+  });
+  return wrapSolanaChargeWithFinalizedBlockhash(baseMethod, spec.rpcUrl ?? solanaDefaultRpcUrl(network));
+}
+async function registerStripe(spec) {
+  if (!spec.profileId || !spec.secretKey) {
+    throw new Error(
+      "createMppxServer: StripeRailSpec requires both profileId and secretKey."
+    );
+  }
+  return createMppxStripe({
+    profileId: spec.profileId,
+    secretKey: spec.secretKey,
+    paymentMethodTypes: spec.paymentMethodTypes
+  });
+}
+async function dynamicImport(moduleName) {
+  try {
+    return await import(moduleName);
+  } catch {
+    return null;
+  }
+}
+function wrapSolanaChargeWithFinalizedBlockhash(baseMethod, rpcUrl) {
+  return {
+    ...baseMethod,
+    async request(args) {
+      const orig = await baseMethod.request(args);
+      if (args.credential || !orig || typeof orig !== "object") return orig;
+      try {
+        const res = await fetch(rpcUrl, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({
+            id: 1,
+            jsonrpc: "2.0",
+            method: "getLatestBlockhash",
+            params: [{ commitment: "finalized" }]
+          })
+        });
+        const data = await res.json();
+        const finalized = data?.result?.value?.blockhash;
+        if (finalized) {
+          return {
+            ...orig,
+            methodDetails: { ...orig.methodDetails ?? {}, recentBlockhash: finalized }
+          };
+        }
+      } catch {
+      }
+      return orig;
     }
+  };
+}
+
+// src/payment/x402_server.ts
+init_networks();
+
+// src/payment/x402.ts
+function registerX402SchemesV1V2(server, network, scheme) {
+  server.register(network, scheme);
+  if (typeof server.registerV1 === "function") {
+    server.registerV1(network, scheme);
   }
-  if (typeof value === "string") {
-    if (value.includes("\u2028") || value.includes("\u2029")) {
+}
+
+// src/payment/x402_server.ts
+async function createX402Server(opts = {}) {
+  const x402Core = await dynamicImport2("@x402/core/server") ?? null;
+  if (!x402Core) {
+    throw new Error(
+      "@x402/core not installed \u2014 `npm install @x402/core` to use createX402Server."
+    );
+  }
+  let facilitator;
+  const facilitatorChoice = opts.facilitator ?? (process.env.CDP_API_KEY_ID && process.env.CDP_API_KEY_SECRET ? "coinbase" : "http");
+  if (facilitatorChoice === "coinbase") {
+    const cb = await dynamicImport2("@coinbase/x402");
+    if (!cb?.facilitator) {
       throw new Error(
-        "stableStringify: strings containing U+2028 (LINE SEPARATOR) or U+2029 (PARAGRAPH SEPARATOR) are not allowed; cross-language byte parity requires neither be present (Node JSON.stringify on older V8 escapes them; Python json.dumps with ensure_ascii=False does not)."
+        '@coinbase/x402 not installed \u2014 `npm install @coinbase/x402` for facilitator: "coinbase".'
       );
     }
-    return JSON.stringify(value);
+    facilitator = new x402Core.HTTPFacilitatorClient(cb.facilitator);
+  } else if (facilitatorChoice === "http") {
+    facilitator = new x402Core.HTTPFacilitatorClient();
+  } else {
+    facilitator = facilitatorChoice;
   }
-  if (value === null || typeof value !== "object") return JSON.stringify(value);
-  if (Array.isArray(value)) return `[${value.map(stableStringify).join(",")}]`;
-  const obj = value;
-  const keys = Object.keys(obj).sort((a, b) => {
-    const aPoints = [...a].map((c) => c.codePointAt(0));
-    const bPoints = [...b].map((c) => c.codePointAt(0));
-    const len = Math.min(aPoints.length, bPoints.length);
-    for (let i = 0; i < len; i += 1) {
-      if (aPoints[i] !== bPoints[i]) return aPoints[i] - bPoints[i];
+  const server = new x402Core.x402ResourceServer(facilitator);
+  let evmExactModule = null;
+  let evmUptoModule = null;
+  for (const rail of opts.rails ?? []) {
+    const isUpto = rail.endsWith("-upto");
+    if (rail.startsWith("x402-base")) {
+      const baseRail = isUpto ? rail.slice(0, -5) : rail;
+      const network = baseRail === "x402-base-mainnet" ? networks.base.mainnet.caip2 : networks.base.sepolia.caip2;
+      if (isUpto) {
+        evmUptoModule ??= await dynamicImport2("@x402/evm/upto/server");
+        if (!evmUptoModule?.UptoEvmScheme) {
+          throw new Error("@x402/evm not installed \u2014 `npm install @x402/evm` for x402 base upto rails.");
+        }
+        registerX402SchemesV1V2(server, network, new evmUptoModule.UptoEvmScheme());
+      } else {
+        evmExactModule ??= await dynamicImport2("@x402/evm/exact/server");
+        if (!evmExactModule?.ExactEvmScheme) {
+          throw new Error("@x402/evm not installed \u2014 `npm install @x402/evm` for x402 base rails.");
+        }
+        registerX402SchemesV1V2(server, network, new evmExactModule.ExactEvmScheme());
+      }
     }
-    return aPoints.length - bPoints.length;
-  });
-  for (const k of keys) {
-    if (k.includes("\u2028") || k.includes("\u2029")) {
+  }
+  for (const { network, scheme } of opts.schemes ?? []) {
+    registerX402SchemesV1V2(server, network, scheme);
+  }
+  if (opts.bazaar) {
+    const bazaar = await dynamicImport2("@x402/extensions/bazaar");
+    if (!bazaar?.bazaarResourceServerExtension) {
       throw new Error(
-        "stableStringify: object keys containing U+2028 (LINE SEPARATOR) or U+2029 (PARAGRAPH SEPARATOR) are not allowed; cross-language byte parity (Node JSON.stringify on older V8 escapes them; Python json.dumps with ensure_ascii=False does not)."
+        "@x402/extensions not installed \u2014 `npm install @x402/extensions` for bazaar discovery."
       );
     }
+    server.registerExtension(bazaar.bazaarResourceServerExtension);
   }
-  const pairs = keys.map((k) => `${JSON.stringify(k)}:${stableStringify(obj[k])}`);
-  return `{${pairs.join(",")}}`;
+  if (opts.initialize !== false) {
+    await server.initialize();
+  }
+  return server;
 }
-async function generateUCPSigningKey(opts) {
-  const jose = await loadJose();
-  const alg = opts.alg ?? "EdDSA";
-  const { privateKey, publicKey } = await jose.generateKeyPair(alg, { extractable: true });
-  const exportedJwk = await jose.exportJWK(publicKey);
-  const publicJWK = {
-    kid: opts.kid,
-    alg,
-    use: "sig",
-    ...exportedJwk
+async function buildX402AcceptsFor402(server, opts) {
+  const requirements = await server.buildPaymentRequirements(
+    {
+      scheme: opts.scheme ?? "exact",
+      network: opts.network,
+      price: opts.price,
+      payTo: opts.payTo,
+      maxTimeoutSeconds: opts.maxTimeoutSeconds ?? 300
+    },
+    opts.extensions
+  );
+  return Array.isArray(requirements) ? requirements : [];
+}
+async function dynamicImport2(moduleName) {
+  try {
+    return await import(moduleName);
+  } catch {
+    return null;
+  }
+}
+
+// src/payment/lazy.ts
+function x402RailName(spec) {
+  const network = spec.network ?? "eip155:8453";
+  if (network === "eip155:8453") return "x402-base-mainnet";
+  if (network === "eip155:84532") return "x402-base-sepolia";
+  throw new Error(
+    `lazyX402Server: unsupported X402BaseRailSpec.network=${JSON.stringify(network)}`
+  );
+}
+function lazyX402Server(opts) {
+  const { spec, cdpApiKeyId, cdpApiKeySecret } = opts;
+  const railName = x402RailName(spec);
+  const useCdp = Boolean(cdpApiKeyId && cdpApiKeySecret);
+  const facilitator = useCdp ? "coinbase" : "http";
+  let cached;
+  let pending;
+  return async () => {
+    if (cached !== void 0) return cached;
+    if (pending !== void 0) return pending;
+    pending = (async () => {
+      const server = await createX402Server({ facilitator, rails: [railName] });
+      cached = server;
+      pending = void 0;
+      return server;
+    })();
+    return pending;
   };
-  return { privateKey, publicJWK };
 }
-async function signUCPProfile(profile, opts) {
-  const jose = await loadJose();
-  const alg = opts.alg ?? "EdDSA";
-  if (!ALLOWED_ALGS.includes(alg)) {
-    throw new Error(
-      `signUCPProfile: alg ${JSON.stringify(opts.alg)} is not in the supported set [${ALLOWED_ALGS.join(", ")}].`
+function lazyMppxServer(opts) {
+  const { rails: rails2, secretKey } = opts;
+  let cached;
+  let pending;
+  return async () => {
+    if (cached !== void 0) return cached;
+    if (pending !== void 0) return pending;
+    pending = (async () => {
+      const server = await createMppxServer({ secretKey, rails: rails2 });
+      cached = server;
+      pending = void 0;
+      return server;
+    })();
+    return pending;
+  };
+}
+
+// src/payment/x402_settle.ts
+function classifyX402SettleResult(result) {
+  if (result.success) return null;
+  switch (result.phase) {
+    case "no_requirements":
+      return {
+        status: 500,
+        code: "payment_internal_error",
+        message: "Failed to build x402 payment requirements for this configuration",
+        nextSteps: {
+          action: "contact_support",
+          user_message: "The merchant could not produce a payment challenge for this request. Try again later or contact support."
+        }
+      };
+    case "verify_failed":
+      return {
+        status: 400,
+        code: "payment_proof_invalid",
+        message: "Payment credential failed verification; regenerate from a fresh 402 challenge",
+        nextSteps: {
+          action: "regenerate_payment_credential",
+          user_message: "The payment credential was rejected at verify time. Discard it, fetch a fresh 402 challenge, and re-sign."
+        }
+      };
+    case "facilitator_error":
+      return {
+        status: 503,
+        code: "payment_provider_unavailable",
+        message: "Payment provider could not process this network configuration",
+        nextSteps: {
+          action: "try_different_rail",
+          user_message: "This rail is currently unavailable. Pick a different rail from the 402 challenge and retry."
+        }
+      };
+    case "settle_failed":
+      return {
+        status: 503,
+        code: "payment_provider_unavailable",
+        message: "Payment credential verified but on-chain settlement failed",
+        nextSteps: {
+          action: "retry_or_swap_method",
+          retry_after_seconds: 10,
+          user_message: "Transient settlement error. Retry in a few seconds, or pick a different rail from the 402 challenge."
+        }
+      };
+  }
+}
+async function processX402Settle({
+  x402Server,
+  payload,
+  resourceConfig,
+  resourceMeta,
+  extension,
+  transportContext
+}) {
+  const server = x402Server;
+  let builtRequirements;
+  try {
+    builtRequirements = await server.buildPaymentRequirements(resourceConfig);
+  } catch (err) {
+    console.warn("[x402_settle] build_requirements failed:", err instanceof Error ? err.message : err);
+    return { success: false, phase: "facilitator_error", step: "build_requirements", error: err };
+  }
+  const matchedRequirement = builtRequirements[0];
+  if (!matchedRequirement) {
+    return { success: false, phase: "no_requirements", reason: "x402Server.buildPaymentRequirements returned empty" };
+  }
+  const resolvedTransportContext = transportContext ?? (() => {
+    const path = new URL(resourceMeta.url).pathname;
+    return { method: "POST", adapter: { getPath: () => path }, routePattern: path };
+  })();
+  let enrichedExt;
+  try {
+    enrichedExt = extension !== void 0 ? server.enrichExtensions(extension, resolvedTransportContext) : void 0;
+  } catch (err) {
+    console.warn("[x402_settle] enrich_extensions failed:", err instanceof Error ? err.message : err);
+    return { success: false, phase: "facilitator_error", step: "enrich_extensions", error: err };
+  }
+  let verifyResult;
+  try {
+    verifyResult = await server.verifyPayment(
+      payload,
+      matchedRequirement,
+      enrichedExt,
+      resolvedTransportContext
     );
+  } catch (err) {
+    console.warn("[x402_settle] verify_payment failed:", err instanceof Error ? err.message : err);
+    return { success: false, phase: "facilitator_error", step: "verify_payment", error: err };
   }
-  if (typeof opts.kid !== "string" || !opts.kid) {
-    throw new Error("signUCPProfile: opts.kid must be a non-empty string.");
+  const verifyOk = verifyResult.isValid === true || verifyResult.success === true;
+  if (!verifyOk) {
+    return { success: false, phase: "verify_failed", verifyResult };
   }
-  const kids = (profile.signing_keys ?? []).map((k) => k.kid);
-  if (!kids.includes(opts.kid)) {
-    throw new Error(
-      `signUCPProfile: kid ${JSON.stringify(opts.kid)} is not present in profile.signing_keys[] (declared kids: ${JSON.stringify(kids)}). Verifiers will not find the key.`
+  try {
+    const settleResult = await server.settlePayment(
+      payload,
+      matchedRequirement,
+      enrichedExt,
+      resolvedTransportContext
     );
+    const paymentResponseHeader = settleResult ? Buffer.from(JSON.stringify(settleResult)).toString("base64") : void 0;
+    return {
+      success: true,
+      matchedRequirement,
+      settleResult,
+      paymentResponseHeader,
+      verifyResult
+    };
+  } catch (err) {
+    return { success: false, phase: "settle_failed", error: err, matchedRequirement };
   }
-  const canonicalBody = canonicalizeProfile(profile);
-  const payloadBytes = new TextEncoder().encode(canonicalBody);
-  const signature = await new jose.CompactSign(payloadBytes).setProtectedHeader({ alg, kid: opts.kid, typ: PROFILE_TYP }).sign(opts.signingKey);
-  return { ...profile, signature };
 }
-async function verifyUCPProfile(profile, jwks) {
-  if (profile === null || typeof profile !== "object" || Array.isArray(profile)) {
-    throw new UCPVerificationError(
-      "no_signature",
-      `UCP profile must be a JSON object; got ${profile === null ? "null" : Array.isArray(profile) ? "array" : typeof profile}.`
-    );
+
+// src/payment/x402_validation.ts
+init_networks();
+var X402_SUPPORTED_BASE_NETWORKS = /* @__PURE__ */ new Set([
+  networks.base.mainnet.caip2,
+  networks.base.sepolia.caip2
+]);
+var EVM_ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;
+var REGENERATE_WARNING = "Use `agentscore-pay pay --chain base` (or `tempo request` for Tempo USDC) so the credential is signed and submitted via the protocol handshake. Do NOT use `tempo wallet transfer` \u2014 that sends USDC on-chain but does not complete the handshake.";
+function regenerateBody(message, userMessage) {
+  return {
+    error: { code: "payment_proof_invalid", message },
+    next_steps: {
+      action: "regenerate_payment_credential",
+      user_message: userMessage,
+      warning: REGENERATE_WARNING
+    }
+  };
+}
+async function verifyX402Request({
+  request,
+  isCachedAddress,
+  acceptedNetwork
+}) {
+  const headerValue = request.headers.get("payment-signature") ?? request.headers.get("x-payment");
+  if (!headerValue) {
+    return {
+      ok: false,
+      status: 400,
+      body: regenerateBody(
+        "X-Payment header missing",
+        "No X-Payment header was sent. Generate the credential from the 402 challenge and resubmit on the same endpoint."
+      )
+    };
   }
-  const jose = await loadJose();
-  if (!jwks || typeof jwks !== "object" || !Array.isArray(jwks.keys)) {
-    throw new UCPVerificationError(
-      "malformed_jwks",
-      `UCP verifier expected JWKS shape { keys: [...] }; got ${jwks === null ? "null" : typeof jwks === "object" ? "object without keys[] array" : typeof jwks}.`
+  let payload;
+  try {
+    payload = JSON.parse(Buffer.from(headerValue, "base64").toString());
+  } catch {
+    return {
+      ok: false,
+      status: 400,
+      body: regenerateBody(
+        "X-Payment header is not valid base64 JSON",
+        "The payment credential could not be decoded. Reconstruct the credential from the 402 challenge and retry."
+      )
+    };
+  }
+  const signedNetwork = payload.accepted?.network;
+  const signedPayTo = payload.accepted?.payTo;
+  if (!signedNetwork || signedNetwork !== acceptedNetwork) {
+    if (signedNetwork && signedNetwork.toLowerCase().startsWith("solana:")) {
+      return {
+        ok: false,
+        status: 400,
+        body: regenerateBody(
+          `x402 on ${signedNetwork} is not accepted; Solana payments must use the \`solana/charge\` rail advertised in the 402 challenge. This server accepts x402 on ${acceptedNetwork} only.`,
+          "Solana payments are not accepted over x402 at this merchant. Pick the `solana/charge` rail from the 402 challenge and re-sign."
+        )
+      };
+    }
+    return {
+      ok: false,
+      status: 400,
+      body: regenerateBody(
+        `Unsupported x402 network ${signedNetwork ?? "<missing>"}; this server accepts ${acceptedNetwork}.`,
+        "The credential signed for an unsupported network. Pick the accepted network from the 402 challenge and re-sign."
+      )
+    };
+  }
+  const addressShapeOk = typeof signedPayTo === "string" && EVM_ADDRESS_RE.test(signedPayTo);
+  if (!signedPayTo || !addressShapeOk) {
+    return {
+      ok: false,
+      status: 400,
+      body: regenerateBody(
+        `Payment payload missing or malformed accepted.payTo address for network ${signedNetwork}`,
+        "The credential payload is missing or malformed payTo for the signed network. Reconstruct the credential from the 402 challenge."
+      )
+    };
+  }
+  if (!await isCachedAddress(signedPayTo)) {
+    return {
+      ok: false,
+      status: 400,
+      body: regenerateBody(
+        "payTo address not found in cache or expired. Request a fresh 402 challenge and retry.",
+        "The deposit address is unknown or expired on this server. Request a fresh 402 challenge and re-sign against the new payTo."
+      )
+    };
+  }
+  return { ok: true, payload, signedNetwork, signedPayTo };
+}
+
+// src/payment/zero-settle.ts
+var EVM_RE = /^0x[0-9a-fA-F]{40}$/;
+var SOLANA_BASE58_RE2 = /^[1-9A-HJ-NP-Za-km-z]{32,44}$/;
+var NULL_RESULT = {
+  signerAddress: null,
+  signerNetwork: null,
+  txHash: null
+};
+function zeroAmountCarveOut({
+  rail,
+  payload,
+  authorizationHeader
+}) {
+  if (rail === "x402-base") {
+    return x402SignerFromPayload(payload);
+  }
+  if (rail === "tempo" || rail === "solana") {
+    return mppSignerFromAuth(authorizationHeader);
+  }
+  return NULL_RESULT;
+}
+function x402SignerFromPayload(payload) {
+  if (!payload || typeof payload !== "object") return NULL_RESULT;
+  const inner = payload.payload;
+  if (!inner || typeof inner !== "object") return NULL_RESULT;
+  const authorization = inner.authorization;
+  if (!authorization || typeof authorization !== "object") return NULL_RESULT;
+  const fromAddr = authorization.from;
+  if (typeof fromAddr !== "string" || !EVM_RE.test(fromAddr)) return NULL_RESULT;
+  return {
+    signerAddress: fromAddr.toLowerCase(),
+    signerNetwork: "evm",
+    txHash: null
+  };
+}
+function mppSignerFromAuth(authorizationHeader) {
+  if (typeof authorizationHeader !== "string") return NULL_RESULT;
+  if (!authorizationHeader.toLowerCase().startsWith("payment ")) return NULL_RESULT;
+  const token = authorizationHeader.slice("payment ".length).trim();
+  if (!token) return NULL_RESULT;
+  let credential;
+  try {
+    credential = JSON.parse(atob(token));
+  } catch {
+    return NULL_RESULT;
+  }
+  if (!credential || typeof credential !== "object") return NULL_RESULT;
+  let source = credential.source;
+  if (typeof source !== "string") {
+    const challenge = credential.challenge;
+    if (challenge && typeof challenge === "object") {
+      source = challenge.source;
+    }
+  }
+  if (typeof source !== "string") return NULL_RESULT;
+  const parts = source.split(":");
+  if (parts.length < 4 || parts[0] !== "did" || parts[1] !== "pkh") return NULL_RESULT;
+  const family = parts[2];
+  const addr = parts[parts.length - 1] ?? "";
+  if (family === "eip155" && EVM_RE.test(addr)) {
+    return { signerAddress: addr.toLowerCase(), signerNetwork: "evm", txHash: null };
+  }
+  if (family === "solana" && SOLANA_BASE58_RE2.test(addr)) {
+    return { signerAddress: addr, signerNetwork: "solana", txHash: null };
+  }
+  return NULL_RESULT;
+}
+
+// src/checkout.ts
+function pricingResult(opts) {
+  const currency = opts.currency ?? "USD";
+  if (opts.subtotalCents !== void 0) {
+    const totalCents = Math.max(
+      0,
+      opts.subtotalCents + (opts.taxCents ?? 0) + (opts.shippingCents ?? 0) - (opts.discountCents ?? 0)
     );
+    const derivedAmount = opts.amountUsd ?? totalCents / 100;
+    const block = buildPricingBlock({
+      subtotalCents: opts.subtotalCents,
+      taxCents: opts.taxCents ?? 0,
+      ...opts.shippingCents !== void 0 && { shippingCents: opts.shippingCents },
+      ...opts.discountCents !== void 0 && { discountCents: opts.discountCents },
+      ...opts.taxRate !== void 0 && { taxRate: opts.taxRate },
+      ...opts.taxState !== void 0 && { taxState: opts.taxState },
+      currency
+    });
+    return {
+      amountUsd: derivedAmount,
+      currency,
+      block,
+      ...opts.product !== void 0 && { product: opts.product },
+      ...opts.bodyExtras !== void 0 && { bodyExtras: opts.bodyExtras }
+    };
+  }
+  if (opts.amountUsd === void 0) {
+    throw new Error("pricingResult requires either `subtotalCents` or `amountUsd`.");
+  }
+  return {
+    amountUsd: opts.amountUsd,
+    currency,
+    ...opts.product !== void 0 && { product: opts.product },
+    ...opts.bodyExtras !== void 0 && { bodyExtras: opts.bodyExtras }
+  };
+}
+function getIdentityStatus(ctx) {
+  const assess = ctx.request.assess;
+  if (assess === null || assess === void 0) return "anonymous";
+  const decision = assess.decision;
+  if (decision === "allow") return "verified";
+  return "unverified";
+}
+var CheckoutValidationError = class extends Error {
+  code;
+  action;
+  status;
+  extra;
+  constructor(opts) {
+    super(opts.message);
+    this.name = "CheckoutValidationError";
+    this.code = opts.code;
+    this.action = opts.action ?? "fix_request";
+    this.status = opts.status ?? 400;
+    this.extra = opts.extra;
+  }
+};
+function lowerHeaders2(headers) {
+  const out = {};
+  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
+  return out;
+}
+function hasX402Header(headers) {
+  const h = lowerHeaders2(headers);
+  return Boolean(h["payment-signature"] ?? h["x-payment"]);
+}
+function hasMppxHeader(headers) {
+  const h = lowerHeaders2(headers);
+  return (h["authorization"] ?? "").startsWith("Payment ");
+}
+function resolveIdentityMetadata(ctx) {
+  const h = lowerHeaders2(ctx.request.headers);
+  const wallet = h["x-wallet-address"];
+  if (!wallet) return void 0;
+  let linkedWallets;
+  const assess = ctx.request.assess;
+  if (assess && typeof assess === "object") {
+    const identity = assess["identity"];
+    if (identity && typeof identity === "object") {
+      const lw = identity["linked_wallets"];
+      if (Array.isArray(lw) && lw.every((x) => typeof x === "string")) {
+        linkedWallets = lw;
+      }
+    }
+  }
+  return buildIdentityMetadata({
+    mode: "wallet",
+    wallet,
+    ...linkedWallets !== void 0 ? { linkedWallets } : {}
+  });
+}
+function isStripeRailSpec2(s) {
+  return !("recipient" in s);
+}
+function isTempoSessionRailSpec3(s) {
+  return "escrowContract" in s && "store" in s;
+}
+function specRailKey(spec) {
+  if (isStripeRailSpec2(spec)) return "stripe";
+  if (isTempoSessionRailSpec3(spec)) return "tempo_mpp";
+  const network = spec.network ?? "";
+  if (network.startsWith("eip155:")) return "x402_base";
+  if (network.startsWith("solana:") || "rpcUrl" in spec) return "solana_mpp";
+  return "tempo_mpp";
+}
+function specMethodName(spec) {
+  if (isStripeRailSpec2(spec)) return "stripe/spt";
+  if (isTempoSessionRailSpec3(spec)) return "tempo/charge";
+  const network = spec.network ?? "";
+  if (network.startsWith("eip155:")) return "x402/exact (base)";
+  if (network.startsWith("solana:") || "rpcUrl" in spec) return "solana/charge";
+  return "tempo/charge";
+}
+function makeMppxComposeHook(opts) {
+  return async (ctx) => {
+    if (ctx.pricing === null) return { status: 402 };
+    const mpp = await opts.serverGetter();
+    const lower = lowerHeaders2(ctx.request.headers);
+    const authorization = lower["authorization"];
+    const amountStr = ctx.pricing.amountUsd.toFixed(2);
+    let result;
+    try {
+      result = await mpp.charge({ authorization, amount: amountStr });
+    } catch {
+      return { status: 402 };
+    }
+    if (!Array.isArray(result)) {
+      const challenge = result;
+      const realm = mpp.realm ?? "";
+      const headers = typeof challenge.toWwwAuthenticate === "function" ? { "www-authenticate": challenge.toWwwAuthenticate(realm) } : {};
+      return { status: 402, headers };
+    }
+    const [credential, receipt] = result;
+    const txHash = receipt.reference ?? receipt.transaction ?? null;
+    let signerAddress = null;
+    let signerNetwork = null;
+    const source = credential.source;
+    if (typeof source === "string") {
+      const parts = source.split(":");
+      if (parts.length >= 4 && parts[0] === "did" && parts[1] === "pkh") {
+        const family = parts[2];
+        const addr = parts[parts.length - 1] ?? null;
+        if (family === "eip155" && addr !== null) {
+          signerAddress = addr.toLowerCase();
+          signerNetwork = "evm";
+        } else if (family === "solana" && addr !== null) {
+          signerAddress = addr;
+          signerNetwork = "solana";
+        }
+      }
+    }
+    return {
+      status: 200,
+      txHash,
+      signerAddress,
+      signerNetwork,
+      raw: { credential, receipt }
+    };
+  };
+}
+function applyRecipientOverrides(rails2, overrides) {
+  const out = {};
+  for (const [key, spec] of Object.entries(rails2)) {
+    if (isStripeRailSpec2(spec)) {
+      out[key] = spec;
+      continue;
+    }
+    const override = overrides[key];
+    const finalRecipient = override ?? spec.recipient;
+    if (finalRecipient === "" || finalRecipient === void 0) continue;
+    out[key] = override !== void 0 ? { ...spec, recipient: override } : spec;
+  }
+  return out;
+}
+function pickRail(rails2, key) {
+  const spec = rails2[key];
+  return spec === void 0 ? void 0 : spec;
+}
+var Checkout = class {
+  rails;
+  url;
+  merchantName;
+  computePricing;
+  preValidate;
+  x402Server;
+  composeMppx;
+  mintRecipients;
+  mintReferenceId;
+  onSettled;
+  isCachedAddress;
+  zeroSettleCarveOut;
+  gate;
+  discoveryExtensions;
+  discoveryProbe;
+  _x402ServerGetter;
+  constructor(opts) {
+    const x402Server = opts.x402Server;
+    let x402ServerGetter;
+    if (x402Server === void 0) {
+      const baseSpec = Object.values(opts.rails).find(
+        (s) => !isTempoSessionRailSpec3(s) && !isStripeRailSpec2(s) && "recipient" in s && (s.network ?? "").startsWith("eip155:")
+      );
+      if (baseSpec !== void 0) {
+        x402ServerGetter = lazyX402Server({
+          spec: baseSpec,
+          cdpApiKeyId: opts.cdpApiKeyId,
+          cdpApiKeySecret: opts.cdpApiKeySecret
+        });
+      }
+    } else {
+      const baseSpec = opts.rails["x402_base"];
+      if (baseSpec === void 0 || !("recipient" in baseSpec)) {
+        throw new Error(
+          "Checkout: x402Server requires an X402BaseRailSpec in rails['x402_base'] (the rail's `network` field supplies the CAIP-2)."
+        );
+      }
+    }
+    let composeMppx = opts.composeMppx;
+    if (composeMppx === void 0 && opts.mppxSecretKey !== void 0) {
+      const mppRails = {};
+      for (const [k, v] of Object.entries(opts.rails)) {
+        if (isStripeRailSpec2(v) || isTempoSessionRailSpec3(v) || "recipient" in v) {
+          mppRails[k] = v;
+        }
+      }
+      const getter = lazyMppxServer({
+        rails: mppRails,
+        secretKey: opts.mppxSecretKey
+      });
+      composeMppx = makeMppxComposeHook({ serverGetter: getter });
+    }
+    this.rails = opts.rails;
+    this.url = opts.url;
+    this.merchantName = opts.gate?.merchantName;
+    this.computePricing = opts.computePricing;
+    this.preValidate = opts.preValidate;
+    this.x402Server = x402Server;
+    this._x402ServerGetter = x402ServerGetter;
+    this.composeMppx = composeMppx;
+    this.mintRecipients = opts.mintRecipients;
+    this.mintReferenceId = opts.mintReferenceId;
+    this.onSettled = opts.onSettled;
+    this.isCachedAddress = opts.isCachedAddress;
+    this.zeroSettleCarveOut = opts.zeroSettleCarveOut ?? false;
+    this.gate = opts.gate;
+    this.discoveryExtensions = opts.discoveryExtensions;
+    this.discoveryProbe = opts.discoveryProbe;
   }
-  const stripped = { ...profile };
-  const sig = stripped.signature;
-  delete stripped.signature;
-  if (typeof sig !== "string" || !sig) {
-    throw new UCPVerificationError(
-      "no_signature",
-      `UCP profile signature must be a non-empty string; got ${sig === void 0 ? "undefined" : typeof sig}.`
-    );
+  /** Canonical `RailKey` list derived from the configured rails dict. Each
+   *  `*RailSpec` type maps to one `RailKey` (Tempo and TempoSession both fold
+   *  to `"tempo_mpp"`). Dedupes so listing is per protocol, not per recipient.
+   *  Use in `.well-known/mpp.json`, skill.md / llms.txt discovery responses. */
+  get acceptedRails() {
+    const out = [];
+    const seen = /* @__PURE__ */ new Set();
+    for (const spec of Object.values(this.rails)) {
+      const key = specRailKey(spec);
+      if (seen.has(key)) continue;
+      seen.add(key);
+      out.push(key);
+    }
+    return out;
   }
-  let header;
-  try {
-    const protectedB64 = sig.split(".")[0];
-    if (!protectedB64) throw new Error("JWS protected header segment is empty.");
-    const headerJson = new TextDecoder().decode(jose.base64url.decode(protectedB64));
-    const parsed = JSON.parse(headerJson);
-    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
-      throw new Error("JWS protected header is not a JSON object.");
+  /** Protocol-shaped method-name list (`"tempo/charge"`, `"x402/exact (base)"`).
+   *  Suitable for the `methods: [...]` array of `.well-known/mpp.json`. */
+  get acceptedMethodNames() {
+    const out = [];
+    const seen = /* @__PURE__ */ new Set();
+    for (const spec of Object.values(this.rails)) {
+      const name = specMethodName(spec);
+      if (seen.has(name)) continue;
+      seen.add(name);
+      out.push(name);
     }
-    header = parsed;
-  } catch (err) {
-    throw new UCPVerificationError(
-      "malformed_jws",
-      `JWS protected header is not valid base64url-encoded JSON: ${err instanceof Error ? err.message : String(err)}`
-    );
+    return out;
   }
-  if (header.typ !== PROFILE_TYP) {
-    throw new UCPVerificationError("wrong_typ", `UCP signature typ must be "${PROFILE_TYP}"; got ${String(header.typ)}.`);
+  /** Resolve the x402 server, awaiting the lazy getter on first use. */
+  async getX402Server() {
+    if (this.x402Server !== void 0) return this.x402Server;
+    if (this._x402ServerGetter === void 0) return void 0;
+    this.x402Server = await this._x402ServerGetter();
+    return this.x402Server;
   }
-  if (!ALLOWED_ALGS.includes(header.alg)) {
-    throw new UCPVerificationError("unsupported_alg", `UCP signing alg must be one of ${ALLOWED_ALGS.join(", ")}; got ${String(header.alg)}.`);
+  x402ServerAvailable() {
+    return this.x402Server !== void 0 || this._x402ServerGetter !== void 0;
   }
-  if (typeof header.kid !== "string" || !header.kid) {
-    throw new UCPVerificationError(
-      "missing_kid",
-      `UCP signature header kid must be a non-empty string; got ${header.kid === void 0 ? "undefined" : typeof header.kid}.`
-    );
+  /** Return the rails-dict key for the X402BaseRailSpec entry. Defaults to
+   *  `"x402_base"` when no match found. */
+  x402RailKey() {
+    for (const [k, v] of Object.entries(this.rails)) {
+      if (!isStripeRailSpec2(v) && !isTempoSessionRailSpec3(v) && (v.network ?? "").startsWith("eip155:")) {
+        return k;
+      }
+    }
+    return "x402_base";
   }
-  if ("crit" in header) {
-    const crit = header.crit;
-    if (!Array.isArray(crit) || crit.length === 0 || !crit.every((c) => typeof c === "string")) {
-      throw new UCPVerificationError(
-        "malformed_jws",
-        `JWS protected header crit must be a non-empty array of strings; got ${JSON.stringify(crit)}.`
-      );
+  /** Return the rails-dict key for the primary MPP rail. */
+  mppRailKey() {
+    for (const [k, v] of Object.entries(this.rails)) {
+      const network = v.network ?? "";
+      if (!isStripeRailSpec2(v) && !network.startsWith("eip155:")) return k;
     }
-    throw new UCPVerificationError(
-      "unrecognized_critical_header",
-      `JWS protected header advertises unrecognized crit headers: ${JSON.stringify(crit)}.`
-    );
+    return "tempo";
   }
-  let signedPayload;
-  try {
-    const verified = await jose.compactVerify(
-      sig,
-      async (h) => {
-        const kid = h.kid;
-        if (typeof kid !== "string" || !kid) {
-          throw new UCPVerificationError(
-            "missing_kid",
-            `UCP signature header kid must be a non-empty string; got ${kid === void 0 ? "undefined" : typeof kid}.`
-          );
+  /** CAIP-2 read from `rails['x402_base'].network` (or its default).
+   *  Defined only when an `X402BaseRailSpec` is present in rails AND a server
+   *  is configured (explicit or auto-derived); otherwise `null`. */
+  get x402BaseNetwork() {
+    if (!this.x402ServerAvailable()) return null;
+    for (const spec of Object.values(this.rails)) {
+      if (!isStripeRailSpec2(spec) && !isTempoSessionRailSpec3(spec) && (spec.network ?? "").startsWith("eip155:")) {
+        return spec.network ?? "eip155:8453";
+      }
+    }
+    return null;
+  }
+  async handle(request) {
+    const referenceId = await this.mintRefId(request);
+    const ctx = {
+      request,
+      referenceId,
+      pricing: null,
+      recipients: {},
+      state: {}
+    };
+    if (this.discoveryProbe !== void 0 && request.method === "POST") {
+      const auth = request.headers["authorization"] ?? request.headers["Authorization"];
+      const isProbe = !auth?.startsWith("Payment ") && !hasX402Header(request.headers) && !hasMppxHeader(request.headers) && (request.body === void 0 || request.body === null || typeof request.body === "object" && Object.keys(request.body).length === 0);
+      if (isProbe) {
+        const { buildDiscoveryProbeResponse: buildDiscoveryProbeResponse2 } = await Promise.resolve().then(() => (init_probe(), probe_exports));
+        const cfg = this.discoveryProbe;
+        const probe = buildDiscoveryProbeResponse2({
+          realm: cfg.realm,
+          sampleRail: cfg.sampleRail,
+          sampleAmountUsd: cfg.sampleAmountUsd,
+          sampleRecipient: cfg.sampleRecipient,
+          ...cfg.intent !== void 0 && { intent: cfg.intent },
+          ...cfg.ttlSeconds !== void 0 && { ttlSeconds: cfg.ttlSeconds },
+          ...cfg.docsUrl !== void 0 && { docsUrl: cfg.docsUrl },
+          ...cfg.message !== void 0 && { message: cfg.message },
+          ...cfg.x402Sample !== void 0 && { x402Sample: cfg.x402Sample }
+        });
+        return {
+          status: probe.status,
+          body: JSON.parse(probe.body),
+          headers: probe.headers,
+          referenceId: ctx.referenceId,
+          settled: false
+        };
+      }
+    }
+    if (this.preValidate !== void 0) {
+      try {
+        const state = await this.preValidate(ctx);
+        if (state && typeof state === "object") Object.assign(ctx.state, state);
+      } catch (err) {
+        if (err instanceof CheckoutValidationError) {
+          return this.validationErrorResult(ctx, err);
         }
-        const matches = jwks.keys.filter(
-          (k) => k != null && typeof k === "object" && k.kid === kid
+        throw err;
+      }
+    }
+    const hasPaymentHeader = hasX402Header(request.headers) || hasMppxHeader(request.headers);
+    if (this.gate !== void 0 && hasPaymentHeader) {
+      const denial = await this.runGate(ctx);
+      if (denial !== null) {
+        return {
+          status: denial.status,
+          body: denial.body,
+          headers: { ...denial.headers ?? {} },
+          referenceId: ctx.referenceId,
+          settled: false
+        };
+      }
+    }
+    ctx.pricing = await this.computePricing(ctx);
+    await this.resolveRecipientsForCtx(ctx);
+    const x402ServerOk = this.x402ServerAvailable() && this.x402BaseNetwork !== null;
+    if (hasX402Header(request.headers) && x402ServerOk) {
+      const zero = await this.handleZeroSettle(ctx, "x402-base");
+      if (zero !== null) return zero;
+      return await this.handleX402(ctx);
+    }
+    if (hasMppxHeader(request.headers) && this.composeMppx !== void 0) {
+      const zero = await this.handleZeroSettle(ctx, "tempo");
+      if (zero !== null) return zero;
+      return await this.handleMppx(ctx);
+    }
+    await this.resolveRecipientsForCtx(ctx);
+    let mppxHeaders = {};
+    if (this.composeMppx !== void 0) {
+      try {
+        const preComposed = await this.composeMppx(ctx);
+        if (preComposed.status === 402) {
+          mppxHeaders = { ...preComposed.headers ?? {} };
+        }
+      } catch {
+      }
+    }
+    return await this.emit402(ctx, mppxHeaders);
+  }
+  validationErrorResult(ctx, err) {
+    const body = buildValidationError({
+      code: err.code,
+      message: err.message,
+      nextSteps: { action: err.action, user_message: err.message },
+      extra: err.extra
+    });
+    return {
+      status: err.status,
+      body,
+      headers: {},
+      referenceId: ctx.referenceId,
+      settled: false
+    };
+  }
+  async runGate(ctx) {
+    const gate = this.gate;
+    if (gate === void 0) return null;
+    if (gate.runGate !== void 0) {
+      const result = await gate.runGate(ctx);
+      if (result === void 0 || result === null) return null;
+      if (typeof result !== "object" || typeof result.status !== "number") {
+        throw new TypeError(
+          "gate.runGate must return null/undefined (allow) or an object { status, body, headers? } (deny)"
         );
-        if (matches.length === 0) throw new UCPVerificationError("kid_not_found", `No JWK in JWKS matching kid=${JSON.stringify(kid)}.`);
-        if (matches.length > 1) throw new UCPVerificationError("duplicate_kid", `JWKS contains ${matches.length} keys with kid=${JSON.stringify(kid)}; expected exactly one.`);
-        const matchedKey = matches[0];
-        if (matchedKey.use != null && matchedKey.use !== "sig") {
-          throw new UCPVerificationError("unusable_key", `JWK with kid=${kid} has use=${JSON.stringify(matchedKey.use)}; expected "sig".`);
+      }
+      return result;
+    }
+    if (gate.apiKey === void 0) return null;
+    let policyOverride;
+    if (gate.perRequestPolicy !== void 0) {
+      policyOverride = await gate.perRequestPolicy(ctx);
+      if (policyOverride === null) return null;
+    }
+    const coreOpts = {
+      apiKey: gate.apiKey,
+      ...gate.baseUrl !== void 0 && { baseUrl: gate.baseUrl },
+      ...gate.userAgent !== void 0 && { userAgent: gate.userAgent },
+      ...gate.requireKyc !== void 0 && { requireKyc: gate.requireKyc },
+      ...gate.requireSanctionsClear !== void 0 && { requireSanctionsClear: gate.requireSanctionsClear },
+      ...gate.minAge !== void 0 && { minAge: gate.minAge },
+      ...gate.blockedJurisdictions !== void 0 && { blockedJurisdictions: gate.blockedJurisdictions },
+      ...gate.allowedJurisdictions !== void 0 && { allowedJurisdictions: gate.allowedJurisdictions },
+      ...gate.failOpen !== void 0 && { failOpen: gate.failOpen },
+      ...gate.cacheSeconds !== void 0 && { cacheSeconds: gate.cacheSeconds },
+      ...gate.chain !== void 0 && { chain: gate.chain },
+      ...gate.createSessionOnMissing !== void 0 && {
+        createSessionOnMissing: gate.createSessionOnMissing
+      },
+      ...policyOverride ?? {}
+    };
+    const core = createAgentScoreCore(coreOpts);
+    const headers = lowerHeaders2(ctx.request.headers);
+    const walletAddress = headers["x-wallet-address"];
+    const operatorToken = headers["x-operator-token"];
+    const identity = walletAddress !== void 0 || operatorToken !== void 0 ? {
+      ...walletAddress !== void 0 && { address: walletAddress },
+      ...operatorToken !== void 0 && { operatorToken }
+    } : void 0;
+    const x402Header = headers["payment-signature"] ?? headers["x-payment"];
+    const signer = await extractPaymentSignerFromAuth(headers["authorization"], x402Header);
+    const outcome = await core.evaluate(identity, ctx, signer);
+    if (outcome.kind === "allow") {
+      if (operatorToken !== void 0) {
+        const opToken = operatorToken;
+        ctx.captureWallet = async (opts) => {
+          await core.captureWallet({
+            operatorToken: opToken,
+            walletAddress: opts.walletAddress,
+            network: opts.network,
+            ...opts.idempotencyKey !== void 0 && { idempotencyKey: opts.idempotencyKey }
+          });
+        };
+      }
+      if (walletAddress !== void 0) {
+        const verdict = core.getSignerVerdict(walletAddress);
+        const sm = verdict?.signer_match;
+        if (sm && sm.kind !== "pass") {
+          const reason2 = sm.kind === "wallet_auth_requires_wallet_signing" ? {
+            code: "wallet_auth_requires_wallet_signing",
+            expected_signer: sm.claimedWallet,
+            agent_instructions: sm.agentInstructions
+          } : {
+            code: "wallet_signer_mismatch",
+            ...sm.claimedOperator !== null && { claimed_operator: sm.claimedOperator },
+            actual_signer_operator: sm.actualSignerOperator,
+            expected_signer: sm.expectedSigner,
+            actual_signer: sm.actualSigner,
+            ...sm.linkedWallets.length > 0 && { linked_wallets: sm.linkedWallets },
+            agent_instructions: sm.agentInstructions
+          };
+          if (gate.onDenied !== void 0) {
+            const custom = await gate.onDenied(ctx, reason2);
+            if (custom !== null) return custom;
+          }
+          const body2 = denialReasonToBody(reason2);
+          return { status: 403, body: body2 };
         }
-        if (matchedKey.alg != null && matchedKey.alg !== h.alg) {
-          throw new UCPVerificationError(
-            "unusable_key",
-            `JWK alg ${JSON.stringify(matchedKey.alg)} does not match JWS header alg ${JSON.stringify(h.alg)}.`
-          );
+      }
+      return null;
+    }
+    const reason = outcome.reason;
+    if (gate.onDenied !== void 0) {
+      const custom = await gate.onDenied(ctx, reason);
+      if (custom !== null) return custom;
+    }
+    const body = denialReasonToBody(reason);
+    const status = reason.code === "token_expired" || reason.code === "invalid_credential" ? 401 : reason.code === "api_error" ? 503 : 403;
+    return { status, body };
+  }
+  async handleZeroSettle(ctx, rail) {
+    if (!this.zeroSettleCarveOut || ctx.pricing === null) return null;
+    const cents = Math.round(ctx.pricing.amountUsd * 100);
+    if (cents !== 0) return null;
+    const headers = lowerHeaders2(ctx.request.headers);
+    let zero;
+    if (rail === "x402-base") {
+      const x402Header = headers["payment-signature"] ?? headers["x-payment"];
+      let payload = null;
+      if (typeof x402Header === "string" && x402Header.length > 0) {
+        try {
+          payload = JSON.parse(atob(x402Header));
+        } catch {
+          payload = null;
         }
-        return jose.importJWK(matches[0], h.alg);
       }
-    );
-    signedPayload = verified.payload;
-  } catch (err) {
-    if (err instanceof UCPVerificationError) throw err;
-    if (err instanceof Error && err.name === "JOSEAlgNotAllowed") {
-      throw new UCPVerificationError("unsupported_alg", `UCP signing alg not allowed: ${err.message}`);
+      zero = zeroAmountCarveOut({ rail, payload });
+    } else {
+      zero = zeroAmountCarveOut({ rail, authorizationHeader: headers["authorization"] });
     }
-    if (err instanceof Error && err.name === "JWSSignatureVerificationFailed") {
-      throw new UCPVerificationError("signature_invalid", `UCP signature verification failed: ${err.message}`);
+    const railKey = rail === "x402-base" ? this.x402RailKey() : this.mppRailKey();
+    const outcome = {
+      rail: rail === "x402-base" ? "x402" : "mpp",
+      paymentResponseHeader: null,
+      raw: zero,
+      txHash: null,
+      signerAddress: zero.signerAddress,
+      signerNetwork: zero.signerNetwork,
+      railKey
+    };
+    return await this.buildSuccess(ctx, outcome);
+  }
+  async mintRefId(request) {
+    if (this.mintReferenceId === void 0) return randomUUID();
+    const seedCtx = { request, referenceId: "", pricing: null, recipients: {}, state: {} };
+    return await this.mintReferenceId(seedCtx);
+  }
+  async resolveRecipientsForCtx(ctx) {
+    if (this.mintRecipients === void 0) return ctx.recipients;
+    if (Object.keys(ctx.recipients).length > 0) return ctx.recipients;
+    ctx.recipients = { ...await this.mintRecipients(ctx) };
+    return ctx.recipients;
+  }
+  async asyncIsCachedAddress(address) {
+    if (this.isCachedAddress === void 0) return true;
+    return Promise.resolve(this.isCachedAddress(address));
+  }
+  async handleX402(ctx) {
+    const x402Server = await this.getX402Server();
+    if (ctx.pricing === null || this.x402BaseNetwork === null || x402Server === void 0) {
+      throw new Error("Checkout.handleX402: missing pricing or x402 rail config");
     }
-    if (err instanceof Error && err.name === "JWSInvalid") {
-      throw new UCPVerificationError("malformed_jws", `Malformed JWS: ${err.message}`);
+    const fakeRequest = new Request(ctx.request.url, {
+      method: ctx.request.method,
+      headers: ctx.request.headers
+    });
+    const verified = await verifyX402Request({
+      request: fakeRequest,
+      isCachedAddress: this.asyncIsCachedAddress.bind(this),
+      acceptedNetwork: this.x402BaseNetwork
+    });
+    if (!verified.ok) {
+      return {
+        status: verified.status,
+        body: verified.body,
+        headers: {},
+        referenceId: ctx.referenceId,
+        settled: false,
+        settlePhase: "verify_failed"
+      };
     }
-    if (err instanceof Error && err.name === "JOSENotSupported") {
-      throw new UCPVerificationError("unrecognized_critical_header", `UCP signing rejected unrecognized critical header: ${err.message}`);
+    const settle = await processX402Settle({
+      x402Server,
+      payload: verified.payload,
+      resourceConfig: {
+        scheme: "exact",
+        network: verified.signedNetwork,
+        price: `$${ctx.pricing.amountUsd.toFixed(2)}`,
+        payTo: verified.signedPayTo,
+        maxTimeoutSeconds: 300
+      },
+      resourceMeta: {
+        url: ctx.request.url,
+        description: "Agent purchase via x402",
+        mimeType: "application/json"
+      }
+    });
+    if (!settle.success) {
+      const classified = classifyX402SettleResult(settle);
+      const responseHeaders = classified !== null && classified.status >= 500 ? { "Cache-Control": "no-store" } : {};
+      if (classified !== null) {
+        return {
+          status: classified.status,
+          body: {
+            error: { code: classified.code, message: classified.message },
+            next_steps: classified.nextSteps
+          },
+          headers: responseHeaders,
+          referenceId: ctx.referenceId,
+          settled: false,
+          settlePhase: settle.phase ?? "settle_failed"
+        };
+      }
+      return {
+        status: 400,
+        body: buildValidationError({
+          code: "payment_proof_invalid",
+          message: `Payment failed during settlement (phase: ${settle.phase ?? "unknown"}).`,
+          nextSteps: { action: "regenerate_payment_credential" },
+          extra: { phase: settle.phase }
+        }),
+        headers: {},
+        referenceId: ctx.referenceId,
+        settled: false,
+        settlePhase: settle.phase ?? "settle_failed"
+      };
     }
-    throw err;
+    const settleRes = settle.settleResult ?? {};
+    const verifiedFrom = verified.payload.payload?.authorization?.from ?? null;
+    const signerAddress = verifiedFrom !== null ? verifiedFrom.toLowerCase() : settleRes.payer ?? null;
+    const outcome = {
+      rail: "x402",
+      paymentResponseHeader: settle.paymentResponseHeader ?? null,
+      raw: settle,
+      txHash: settleRes.transaction ?? null,
+      signerAddress,
+      signerNetwork: signerAddress !== null ? "evm" : null,
+      railKey: this.x402RailKey()
+    };
+    return await this.buildSuccess(ctx, outcome);
   }
-  let canonicalBody;
-  try {
-    canonicalBody = canonicalizeProfile(stripped);
-  } catch (err) {
-    throw new UCPVerificationError(
-      "body_mismatch",
-      `Failed to canonicalize received profile for verification: ${err instanceof Error ? err.message : String(err)}`
-    );
+  async handleMppx(ctx) {
+    if (this.composeMppx === void 0) {
+      throw new Error("Checkout.handleMppx: composeMppx hook not configured");
+    }
+    const composed = await this.composeMppx(ctx);
+    if (composed.status === 200) {
+      const outcome = {
+        rail: "mpp",
+        paymentResponseHeader: composed.paymentResponseHeader ?? null,
+        raw: composed.raw,
+        txHash: composed.txHash ?? null,
+        signerAddress: composed.signerAddress ?? null,
+        signerNetwork: composed.signerNetwork ?? null,
+        railKey: composed.railKey ?? this.mppRailKey()
+      };
+      return await this.buildSuccess(ctx, outcome);
+    }
+    return {
+      status: 400,
+      body: buildValidationError({
+        code: "payment_proof_invalid",
+        message: "MPP credential rejected; regenerate from a fresh 402 challenge.",
+        nextSteps: { action: "regenerate_payment_credential" }
+      }),
+      headers: { ...composed.headers ?? {} },
+      referenceId: ctx.referenceId,
+      settled: false,
+      settlePhase: "verify_failed"
+    };
   }
-  const expectedPayload = new TextEncoder().encode(canonicalBody);
-  if (!constantTimeEqual(signedPayload, expectedPayload)) {
-    throw new UCPVerificationError("body_mismatch", "UCP profile body does not match the signed payload (tampered or non-canonical).");
+  async emit402(ctx, mppxHeaders = {}) {
+    if (ctx.pricing === null) {
+      throw new Error("Checkout.emit402: pricing not computed");
+    }
+    await this.resolveRecipientsForCtx(ctx);
+    const emitRails = applyRecipientOverrides(this.rails, ctx.recipients);
+    const accepted = await buildAcceptedMethods({
+      tempo: pickRail(emitRails, "tempo"),
+      x402_base: pickRail(emitRails, "x402_base"),
+      solana_mpp: pickRail(emitRails, "solana_mpp"),
+      stripe: pickRail(emitRails, "stripe")
+    });
+    const howToPayRails = {};
+    for (const [k, v] of Object.entries(emitRails)) {
+      if (!isTempoSessionRailSpec3(v)) {
+        howToPayRails[k] = v;
+      }
+    }
+    const howToPay = buildHowToPay({
+      url: this.url,
+      retryBodyJson: JSON.stringify(ctx.request.body),
+      totalUsd: ctx.pricing.amountUsd.toFixed(2),
+      rails: howToPayRails
+    });
+    const pricingBlock = ctx.pricing.block ?? buildPricingBlock({
+      subtotalCents: Math.round(ctx.pricing.amountUsd * 100),
+      currency: ctx.pricing.currency ?? "USD"
+    });
+    let x402Accepts = [];
+    let x402Resource;
+    const baseNetwork = this.x402BaseNetwork;
+    const x402Server = await this.getX402Server();
+    if (x402Server !== void 0 && baseNetwork !== null) {
+      const baseSpec = emitRails["x402_base"];
+      if (baseSpec !== void 0) {
+        const recipient = await resolveRecipientValue(baseSpec.recipient);
+        try {
+          x402Accepts = await buildX402AcceptsFor402(x402Server, {
+            network: baseNetwork,
+            price: `$${ctx.pricing.amountUsd.toFixed(2)}`,
+            payTo: recipient,
+            maxTimeoutSeconds: 300
+          });
+          x402Resource = { url: ctx.request.url, mimeType: "application/json" };
+        } catch {
+          x402Accepts = [];
+        }
+      }
+    }
+    const identityMetadata = resolveIdentityMetadata(ctx);
+    const body = build402Body({
+      acceptedMethods: accepted,
+      agentInstructions: buildAgentInstructions({ howToPay }),
+      ...identityMetadata !== void 0 ? { identityMetadata } : {},
+      pricing: pricingBlock,
+      amountUsd: ctx.pricing.amountUsd.toFixed(2),
+      retryBody: ctx.request.body,
+      agentMemory: firstEncounterAgentMemory({ firstEncounter: true }),
+      ...ctx.pricing.product ? { product: ctx.pricing.product } : {},
+      ...ctx.pricing.bodyExtras ? { extra: ctx.pricing.bodyExtras } : {},
+      ...x402Accepts.length > 0 ? {
+        x402: {
+          accepts: x402Accepts,
+          ...this.discoveryExtensions !== void 0 && Object.keys(this.discoveryExtensions).length > 0 ? { extensions: this.discoveryExtensions } : {}
+        }
+      } : {}
+    });
+    let x402Block;
+    if (x402Accepts.length > 0) {
+      x402Block = {
+        x402Version: 2,
+        accepts: x402Accepts,
+        ...x402Resource ? { resource: x402Resource } : {}
+      };
+    }
+    const respond = respond402({
+      mppxChallengeHeaders: mppxHeaders,
+      body,
+      x402: x402Block
+    });
+    return {
+      status: respond.status,
+      body: respond.body,
+      headers: respond.headers,
+      referenceId: ctx.referenceId,
+      settled: false
+    };
   }
-  return true;
+  async buildSuccess(ctx, outcome) {
+    let customBody = null;
+    if (this.onSettled !== void 0) {
+      const result = await this.onSettled(ctx, outcome);
+      if (result !== null && typeof result === "object") customBody = result;
+    }
+    const body = customBody ?? { ok: true };
+    if (!("reference_id" in body)) body.reference_id = ctx.referenceId;
+    const headers = {};
+    if (outcome.paymentResponseHeader) {
+      headers["payment-response"] = outcome.paymentResponseHeader;
+    }
+    return {
+      status: 200,
+      body,
+      headers,
+      referenceId: ctx.referenceId,
+      settled: true
+    };
+  }
+};
+async function resolveRecipientValue(r) {
+  return await resolveRecipient(r);
 }
-function constantTimeEqual(a, b) {
-  if (a.length !== b.length) return false;
-  let diff = 0;
-  for (let i = 0; i < a.length; i += 1) {
-    diff |= a[i] ^ b[i];
+function validationEnvelope(opts) {
+  const action = opts.action ?? "fix_request";
+  return buildValidationError({
+    code: opts.code,
+    message: opts.message,
+    nextSteps: { action, user_message: opts.message },
+    extra: opts.extra
+  });
+}
+function validationResponseHono(input) {
+  const status = input.status ?? 400;
+  const body = validationEnvelope(input);
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+function validationResponseExpress(res, input) {
+  const status = input.status ?? 400;
+  const body = validationEnvelope(input);
+  res.status(status);
+  res.json(body);
+}
+function validationResponseFastify(reply, input) {
+  const status = input.status ?? 400;
+  const body = validationEnvelope(input);
+  reply.code(status);
+  return reply.send(body);
+}
+function validationResponseNextjs(input) {
+  return validationResponseHono(input);
+}
+function validationResponseWeb(input) {
+  return validationResponseHono(input);
+}
+function invalidBodyEnvelope() {
+  return validationEnvelope({
+    code: "invalid_body",
+    message: "Request body must be valid JSON."
+  });
+}
+function stripContentType(headers) {
+  const out = {};
+  for (const [k, v] of Object.entries(headers)) {
+    if (k.toLowerCase() !== "content-type") out[k] = v;
   }
-  return diff === 0;
+  return out;
 }
-function buildJWKSResponse(keys) {
-  return { keys };
+function headersToRecord(h) {
+  if (h === void 0) return {};
+  if (h instanceof Headers) {
+    const out = {};
+    h.forEach((v, k) => {
+      out[k] = v;
+    });
+    return out;
+  }
+  return { ...h };
 }
+Checkout.prototype.handleHono = async function(c, body) {
+  let parsedBody;
+  if (body !== void 0) {
+    parsedBody = body;
+  } else {
+    try {
+      parsedBody = await c.req.json();
+    } catch {
+      return new Response(JSON.stringify(invalidBodyEnvelope()), {
+        status: 400,
+        headers: { "Content-Type": "application/json" }
+      });
+    }
+  }
+  const rawHeaders = c.req.header();
+  const headers = headersToRecord(rawHeaders);
+  const result = await this.handle({
+    method: c.req.method,
+    url: c.req.url,
+    headers,
+    body: parsedBody,
+    assess: null,
+    raw: c.req.raw ?? c
+  });
+  return new Response(JSON.stringify(result.body), {
+    status: result.status,
+    headers: { "Content-Type": "application/json", ...stripContentType(result.headers) }
+  });
+};
+Checkout.prototype.handleExpress = async function(req, res, body) {
+  const parsedBody = body ?? (typeof req.body === "object" && req.body !== null ? req.body : null);
+  if (parsedBody === null) {
+    res.status(400);
+    res.json(invalidBodyEnvelope());
+    return;
+  }
+  const headers = {};
+  for (const [k, v] of Object.entries(req.headers)) {
+    if (typeof v === "string") headers[k] = v;
+    else if (Array.isArray(v) && v[0] !== void 0) headers[k] = v[0];
+  }
+  const url = req.originalUrl ?? req.url ?? "/";
+  const result = await this.handle({
+    method: req.method,
+    url,
+    headers,
+    body: parsedBody,
+    assess: null,
+    raw: req
+  });
+  for (const [k, v] of Object.entries(stripContentType(result.headers))) res.setHeader(k, v);
+  res.status(result.status);
+  res.json(result.body);
+};
+Checkout.prototype.handleFastify = async function(request, reply, body) {
+  const parsedBody = body ?? (typeof request.body === "object" && request.body !== null ? request.body : null);
+  if (parsedBody === null) {
+    reply.code(400);
+    return reply.send(invalidBodyEnvelope());
+  }
+  const headers = {};
+  for (const [k, v] of Object.entries(request.headers)) {
+    if (typeof v === "string") headers[k] = v;
+    else if (Array.isArray(v) && v[0] !== void 0) headers[k] = v[0];
+  }
+  const result = await this.handle({
+    method: request.method,
+    url: request.url,
+    headers,
+    body: parsedBody,
+    assess: null,
+    raw: request
+  });
+  for (const [k, v] of Object.entries(stripContentType(result.headers))) reply.header(k, v);
+  reply.code(result.status);
+  return reply.send(result.body);
+};
+Checkout.prototype.handleNextjs = async function(request, body) {
+  let parsedBody;
+  if (body !== void 0) {
+    parsedBody = body;
+  } else {
+    try {
+      parsedBody = await request.json();
+    } catch {
+      return new Response(JSON.stringify(invalidBodyEnvelope()), {
+        status: 400,
+        headers: { "Content-Type": "application/json" }
+      });
+    }
+  }
+  const headers = {};
+  request.headers.forEach((v, k) => {
+    headers[k] = v;
+  });
+  const result = await this.handle({
+    method: request.method,
+    url: request.url,
+    headers,
+    body: parsedBody,
+    assess: null,
+    raw: request
+  });
+  return new Response(JSON.stringify(result.body), {
+    status: result.status,
+    headers: { "Content-Type": "application/json", ...stripContentType(result.headers) }
+  });
+};
+Checkout.prototype.handleWeb = Checkout.prototype.handleNextjs;
+async function _ucpSignedResp(checkout, reqHeaders, opts) {
+  const { buildSignedUcpResponse: buildSignedUcpResponse2 } = await Promise.resolve().then(() => (init_well_known(), well_known_exports));
+  return await buildSignedUcpResponse2({
+    checkout,
+    name: opts.name,
+    wellKnownUcpUrl: opts.wellKnownUcpUrl,
+    services: opts.services,
+    requestHeaders: reqHeaders,
+    ...opts.signingKid !== void 0 && { signingKid: opts.signingKid },
+    ...opts.agentscoreGate !== void 0 && {
+      agentscoreGate: opts.agentscoreGate
+    }
+  });
+}
+async function _jwksSignedResp(reqHeaders, opts) {
+  const { buildSignedJwksResponse: buildSignedJwksResponse2 } = await Promise.resolve().then(() => (init_well_known(), well_known_exports));
+  return await buildSignedJwksResponse2({
+    requestHeaders: reqHeaders,
+    ...opts.signingKid !== void 0 && { signingKid: opts.signingKid }
+  });
+}
+function _preflightResp(reqHeaders) {
+  return new Response(null, {
+    status: 204,
+    headers: _preflightHeaders(reqHeaders)
+  });
+}
+function _preflightHeaders(reqHeaders) {
+  const headers = {
+    "Access-Control-Allow-Origin": "*",
+    "Access-Control-Allow-Methods": "GET, OPTIONS",
+    "Access-Control-Max-Age": "86400",
+    Vary: "Access-Control-Request-Headers"
+  };
+  const acrh = reqHeaders.get("access-control-request-headers");
+  if (acrh) headers["Access-Control-Allow-Headers"] = acrh;
+  return headers;
+}
+Checkout.prototype.mountUcpRoutesHono = function(app, opts) {
+  const ucpPath = opts.ucpPath ?? "/.well-known/ucp";
+  const jwksPath = opts.jwksPath ?? "/.well-known/jwks.json";
+  const checkout = this;
+  app.get(ucpPath, async (c) => {
+    const resp = await _ucpSignedResp(checkout, c.req.raw.headers, opts);
+    return new Response(resp.body, {
+      status: resp.status,
+      headers: { ...resp.headers, "Content-Type": resp.mediaType }
+    });
+  });
+  app.get(jwksPath, async (c) => {
+    const resp = await _jwksSignedResp(c.req.raw.headers, opts);
+    return new Response(resp.body, {
+      status: resp.status,
+      headers: { ...resp.headers, "Content-Type": resp.mediaType }
+    });
+  });
+  app.options(ucpPath, (c) => _preflightResp(c.req.raw.headers));
+  app.options(jwksPath, (c) => _preflightResp(c.req.raw.headers));
+};
+function _headersFromExpressLike(raw) {
+  const out = new Headers();
+  for (const [k, v] of Object.entries(raw)) {
+    if (v === void 0) continue;
+    out.set(k, Array.isArray(v) ? v.join(",") : v);
+  }
+  return out;
+}
+Checkout.prototype.mountUcpRoutesExpress = function(app, opts) {
+  const ucpPath = opts.ucpPath ?? "/.well-known/ucp";
+  const jwksPath = opts.jwksPath ?? "/.well-known/jwks.json";
+  const checkout = this;
+  app.get(ucpPath, async (req, res) => {
+    const resp = await _ucpSignedResp(checkout, _headersFromExpressLike(req.headers), opts);
+    res.status(resp.status);
+    res.set(resp.headers);
+    res.type(resp.mediaType);
+    res.send(resp.body);
+  });
+  app.get(jwksPath, async (req, res) => {
+    const resp = await _jwksSignedResp(_headersFromExpressLike(req.headers), opts);
+    res.status(resp.status);
+    res.set(resp.headers);
+    res.type(resp.mediaType);
+    res.send(resp.body);
+  });
+  const preflight = (req, res) => {
+    const reqHeaders = _headersFromExpressLike(req.headers);
+    res.status(204);
+    res.set(_preflightHeaders(reqHeaders));
+    res.send("");
+  };
+  app.options(ucpPath, preflight);
+  app.options(jwksPath, preflight);
+};
+Checkout.prototype.mountUcpRoutesFastify = function(app, opts) {
+  const ucpPath = opts.ucpPath ?? "/.well-known/ucp";
+  const jwksPath = opts.jwksPath ?? "/.well-known/jwks.json";
+  const checkout = this;
+  app.get(ucpPath, async (request, reply) => {
+    const resp = await _ucpSignedResp(checkout, _headersFromExpressLike(request.headers), opts);
+    reply.code(resp.status);
+    for (const [k, v] of Object.entries(resp.headers)) reply.header(k, v);
+    reply.type(resp.mediaType);
+    return reply.send(resp.body);
+  });
+  app.get(jwksPath, async (request, reply) => {
+    const resp = await _jwksSignedResp(_headersFromExpressLike(request.headers), opts);
+    reply.code(resp.status);
+    for (const [k, v] of Object.entries(resp.headers)) reply.header(k, v);
+    reply.type(resp.mediaType);
+    return reply.send(resp.body);
+  });
+  const preflight = (request, reply) => {
+    const reqHeaders = _headersFromExpressLike(request.headers);
+    reply.code(204);
+    for (const [k, v] of Object.entries(_preflightHeaders(reqHeaders))) reply.header(k, v);
+    return reply.send("");
+  };
+  app.options(ucpPath, preflight);
+  app.options(jwksPath, preflight);
+};
 
 // src/identity/policy.ts
-function buildGateOptionsFromPolicy(policy, base) {
+function buildGateFromPolicy(policy, base) {
   if (!policy || !policy.enforcement) return null;
   return {
     apiKey: base.apiKey,
@@ -851,8 +4038,72 @@ function shippingStateAllowed(state, country, policy) {
   const allowed = new Set(policy.allowedShippingStates.map((s) => s.toUpperCase()));
   return allowed.has(state.toUpperCase());
 }
+function validateShippingAgainstPolicy(opts) {
+  const code = opts.errorCode ?? "unsupported_jurisdiction";
+  const action = opts.errorAction ?? "change_shipping_state";
+  const item = opts.productName ? `'${opts.productName}'` : "this item";
+  if (!shippingCountryAllowed(opts.country, opts.policy)) {
+    throw new CheckoutValidationError({
+      code,
+      message: opts.countryMessage ?? `We can't ship ${item} to ${opts.country.toUpperCase() || "<unset>"}.`,
+      action
+    });
+  }
+  if (!shippingStateAllowed(opts.state, opts.country, opts.policy)) {
+    throw new CheckoutValidationError({
+      code,
+      message: opts.stateMessage ?? `We can't ship ${item} to ${opts.state.toUpperCase() || "<unset>"}.`,
+      action
+    });
+  }
+}
+
+// src/identity/tokens.ts
+import { createHash } from "crypto";
+function hashOperatorToken(plaintext) {
+  return createHash("sha256").update(plaintext, "utf8").digest("hex");
+}
+
+// src/payment/index.ts
+init_directive();
+init_networks();
+init_usdc();
+init_rails();
+init_wwwauthenticate();
+
+// src/payment/headers.ts
+init_directive();
+init_wwwauthenticate();
+
+// src/payment/amounts.ts
+function formatUsdCents(cents) {
+  return (cents / 100).toFixed(2);
+}
+
+// src/payment/solana.ts
+async function loadSolanaFeePayer(opts) {
+  const raw = opts.privateKey;
+  if (!raw) return void 0;
+  const moduleName = "@solana/kit";
+  const kit = await import(moduleName).catch(() => null);
+  if (!kit?.createKeyPairSignerFromPrivateKeyBytes || !kit.getBase58Codec) {
+    throw new Error(
+      "@solana/kit not installed \u2014 `npm install @solana/kit` for loadSolanaFeePayer."
+    );
+  }
+  let bytes;
+  if (/^[0-9a-fA-F]{128}$/.test(raw)) {
+    bytes = new Uint8Array(raw.match(/.{2}/g).map((h) => parseInt(h, 16))).slice(0, 32);
+  } else {
+    const decoded = new Uint8Array(kit.getBase58Codec().encode(raw));
+    bytes = decoded.length === 64 ? decoded.slice(0, 32) : decoded;
+  }
+  return kit.createKeyPairSignerFromPrivateKeyBytes(bytes);
+}
 export {
   AGENTSCORE_UCP_CAPABILITY,
+  Checkout,
+  CheckoutValidationError,
   FIXABLE_DENIAL_REASONS,
   UCPSigningKey,
   UCPVerificationError,
@@ -860,16 +4111,25 @@ export {
   buildA2AAgentCard,
   buildAgentMemoryHint,
   buildContactSupportNextSteps,
-  buildGateOptionsFromPolicy,
+  buildGateFromPolicy,
   buildJWKSResponse,
   buildSignerMismatchBody,
   buildUCPProfile,
   denialReasonStatus,
   denialReasonToBody,
   extractPaymentSigner,
+  extractPaymentSignerFromAuth,
+  extractSignerForPrecheck,
+  formatUsdCents,
   generateUCPSigningKey,
+  getIdentityStatus,
+  hashOperatorToken,
   isFixableDenial,
+  loadSolanaFeePayer,
+  loadUCPSigningKeyFromEnv,
+  makeMppxComposeHook,
   mppPaymentHandler,
+  pricingResult,
   readX402PaymentHeader,
   runGateWithEnforcement,
   shippingCountryAllowed,
@@ -877,6 +4137,13 @@ export {
   signUCPProfile,
   stripeSptPaymentHandler,
   ucpA2AExtension,
+  validateShippingAgainstPolicy,
+  validationEnvelope,
+  validationResponseExpress,
+  validationResponseFastify,
+  validationResponseHono,
+  validationResponseNextjs,
+  validationResponseWeb,
   verificationAgentInstructions,
   verifyUCPProfile,
   x402PaymentHandler