@agent-score/commerce 1.8.1 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (90) hide show
  1. package/README.md +73 -9
  2. package/dist/{_response-9yp6Fit2.d.mts → _response-BFYN3b6i.d.mts} +17 -19
  3. package/dist/{_response-CC6jNb8q.d.ts → _response-_iPD5AIj.d.ts} +17 -19
  4. package/dist/challenge/index.d.mts +106 -198
  5. package/dist/challenge/index.d.ts +106 -198
  6. package/dist/challenge/index.js +238 -111
  7. package/dist/challenge/index.js.map +1 -1
  8. package/dist/challenge/index.mjs +238 -111
  9. package/dist/challenge/index.mjs.map +1 -1
  10. package/dist/checkout-BoFwnVsj.d.ts +931 -0
  11. package/dist/checkout-DRbQ0Fsh.d.mts +931 -0
  12. package/dist/core.d.mts +2 -2
  13. package/dist/core.d.ts +2 -2
  14. package/dist/core.js +1 -1
  15. package/dist/core.js.map +1 -1
  16. package/dist/core.mjs +1 -1
  17. package/dist/core.mjs.map +1 -1
  18. package/dist/discovery/index.d.mts +453 -51
  19. package/dist/discovery/index.d.ts +453 -51
  20. package/dist/discovery/index.js +1092 -58
  21. package/dist/discovery/index.js.map +1 -1
  22. package/dist/discovery/index.mjs +1060 -57
  23. package/dist/discovery/index.mjs.map +1 -1
  24. package/dist/identity/express.d.mts +3 -3
  25. package/dist/identity/express.d.ts +3 -3
  26. package/dist/identity/express.js +30 -19
  27. package/dist/identity/express.js.map +1 -1
  28. package/dist/identity/express.mjs +30 -19
  29. package/dist/identity/express.mjs.map +1 -1
  30. package/dist/identity/fastify.d.mts +4 -4
  31. package/dist/identity/fastify.d.ts +4 -4
  32. package/dist/identity/fastify.js +30 -19
  33. package/dist/identity/fastify.js.map +1 -1
  34. package/dist/identity/fastify.mjs +30 -19
  35. package/dist/identity/fastify.mjs.map +1 -1
  36. package/dist/identity/hono.d.mts +3 -3
  37. package/dist/identity/hono.d.ts +3 -3
  38. package/dist/identity/hono.js +30 -19
  39. package/dist/identity/hono.js.map +1 -1
  40. package/dist/identity/hono.mjs +30 -19
  41. package/dist/identity/hono.mjs.map +1 -1
  42. package/dist/identity/nextjs.d.mts +6 -7
  43. package/dist/identity/nextjs.d.ts +6 -7
  44. package/dist/identity/nextjs.js +30 -19
  45. package/dist/identity/nextjs.js.map +1 -1
  46. package/dist/identity/nextjs.mjs +30 -19
  47. package/dist/identity/nextjs.mjs.map +1 -1
  48. package/dist/identity/policy.d.mts +41 -4
  49. package/dist/identity/policy.d.ts +41 -4
  50. package/dist/identity/policy.js +3662 -18
  51. package/dist/identity/policy.js.map +1 -1
  52. package/dist/identity/policy.mjs +3648 -3
  53. package/dist/identity/policy.mjs.map +1 -1
  54. package/dist/identity/web.d.mts +3 -3
  55. package/dist/identity/web.d.ts +3 -3
  56. package/dist/identity/web.js +30 -19
  57. package/dist/identity/web.js.map +1 -1
  58. package/dist/identity/web.mjs +30 -19
  59. package/dist/identity/web.mjs.map +1 -1
  60. package/dist/index.d.mts +72 -329
  61. package/dist/index.d.ts +72 -329
  62. package/dist/index.js +3651 -373
  63. package/dist/index.js.map +1 -1
  64. package/dist/index.mjs +3628 -361
  65. package/dist/index.mjs.map +1 -1
  66. package/dist/payment/index.d.mts +256 -265
  67. package/dist/payment/index.d.ts +256 -265
  68. package/dist/payment/index.js +586 -149
  69. package/dist/payment/index.js.map +1 -1
  70. package/dist/payment/index.mjs +573 -148
  71. package/dist/payment/index.mjs.map +1 -1
  72. package/dist/{agent_instructions-DiMSGkdm.d.mts → pricing-CQ9DIFaw.d.ts} +109 -56
  73. package/dist/{agent_instructions-DiMSGkdm.d.ts → pricing-CxzwyiO6.d.mts} +109 -56
  74. package/dist/rail_spec-XP0wKgJV.d.mts +132 -0
  75. package/dist/rail_spec-XP0wKgJV.d.ts +132 -0
  76. package/dist/{signer-CFVQsWjL.d.mts → signer-3FAit11j.d.mts} +27 -1
  77. package/dist/{signer-CFVQsWjL.d.ts → signer-3FAit11j.d.ts} +27 -1
  78. package/dist/solana-Cds87OTu.d.mts +67 -0
  79. package/dist/solana-Cds87OTu.d.ts +67 -0
  80. package/dist/stripe-multichain/index.d.mts +55 -66
  81. package/dist/stripe-multichain/index.d.ts +55 -66
  82. package/dist/stripe-multichain/index.js +68 -42
  83. package/dist/stripe-multichain/index.js.map +1 -1
  84. package/dist/stripe-multichain/index.mjs +68 -41
  85. package/dist/stripe-multichain/index.mjs.map +1 -1
  86. package/dist/{wwwauthenticate-CU1eNvMQ.d.mts → wwwauthenticate-D_FMnPgU.d.mts} +9 -10
  87. package/dist/{wwwauthenticate-CU1eNvMQ.d.ts → wwwauthenticate-D_FMnPgU.d.ts} +9 -10
  88. package/dist/x402_server-hgQzWQwB.d.mts +81 -0
  89. package/dist/x402_server-hgQzWQwB.d.ts +81 -0
  90. package/package.json +9 -7
package/dist/index.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/core.ts","../src/_denial.ts","../src/_response.ts","../src/signer.ts","../src/identity/a2a.ts","../src/identity/ucp.ts","../src/identity/ucp-jwks.ts","../src/identity/policy.ts"],"sourcesContent":["import {\n AgentScore,\n InvalidCredentialError,\n PaymentRequiredError,\n QuotaExceededError,\n TimeoutError as SdkTimeoutError,\n TokenExpiredError,\n} from '@agent-score/sdk';\nimport { isFixableDenial } from './_denial';\nimport { QUOTA_EXCEEDED_INSTRUCTIONS } from './_response';\nimport { normalizeAddress } from './address';\nimport { TTLCache } from './cache';\nimport type { PaymentSigner } from './signer';\n\n// Character-based trim avoids a CodeQL polynomial-redos false positive on\n// `/\\/+$/` patterns that report library-input strings.\nfunction stripTrailingSlashes(s: string): string {\n let end = s.length;\n while (end > 0 && s.charCodeAt(end - 1) === 47 /* '/' */) end--;\n return end === s.length ? s : s.slice(0, end);\n}\n\ndeclare const __VERSION__: string;\n\n// ---------------------------------------------------------------------------\n// Public types (framework-agnostic)\n// ---------------------------------------------------------------------------\n\nexport interface AgentIdentity {\n address?: string;\n operatorToken?: string;\n}\n\n/**\n * Session metadata returned from `POST /v1/sessions`. Surfaced to the `onBeforeSession`\n * hook so merchants can correlate an AgentScore session with their own resume token\n * (e.g. a pending-order id).\n */\nexport interface SessionMetadata {\n session_id: string;\n verify_url: string;\n poll_secret: string;\n poll_url: string;\n expires_at?: string;\n}\n\n/**\n * Configuration for auto-creating a verification session when no identity is present.\n *\n * The static `context` / `productName` options are sent on every session request. For\n * per-request context (e.g. the specific product the agent was trying to buy), pass\n * a `getSessionOptions` callback that returns dynamic values; its return is merged\n * over the static defaults.\n *\n * `onBeforeSession` is a side-effect hook that runs after the session is minted but\n * before the 403 is built. Use it to pre-create a reservation/draft/pending-order\n * row in your DB so agents can resume via a merchant-specific id. Return value is\n * merged into `DenialReason.extra`, so it surfaces in both the default 403 body and\n * in a custom `onDenied` handler.\n */\nexport interface CreateSessionOnMissing<TCtx = unknown> {\n apiKey: string;\n baseUrl?: string;\n context?: string;\n productName?: string;\n /** Per-request override of `context` / `productName`. Invoked with the framework context. */\n getSessionOptions?: (ctx: TCtx) => Promise<{ context?: string; productName?: string }>\n | { context?: string; productName?: string };\n /** Side-effect hook that runs after the session is minted. Return value is merged\n * into `DenialReason.extra` so custom `onDenied` handlers can include merchant-specific\n * fields (e.g. `order_id`) in the 403 response. Hook errors are logged and swallowed —\n * a failing side effect should not block the 403 from reaching the agent. */\n onBeforeSession?: (ctx: TCtx, session: SessionMetadata) => Promise<Record<string, unknown>>\n | Record<string, unknown>;\n}\n\nexport interface AgentScoreCoreOptions {\n /** AgentScore API key. Required. */\n apiKey: string;\n /** Require KYC verification. */\n requireKyc?: boolean;\n /** Require operator to be clear of sanctions. */\n requireSanctionsClear?: boolean;\n /** Minimum operator age bracket (18 or 21). */\n minAge?: number;\n /** List of blocked jurisdictions (blocklist). */\n blockedJurisdictions?: string[];\n /** List of allowed jurisdictions (allowlist — only these pass). */\n allowedJurisdictions?: string[];\n /** If true, allow the request through when the API is unreachable. Defaults to false. */\n failOpen?: boolean;\n /** How long to cache results, in seconds. Defaults to 300. */\n cacheSeconds?: number;\n /** AgentScore API base URL. Defaults to \"https://api.agentscore.sh\". */\n baseUrl?: string;\n /** Optional chain to filter scoring to. */\n chain?: string;\n /** Prepended to the default User-Agent as `\"{userAgent} (@agent-score/commerce@{version})\"`. Use to attribute API calls to your app. */\n userAgent?: string;\n /** When set and no identity is found, create a verification session instead of denying immediately. */\n createSessionOnMissing?: CreateSessionOnMissing;\n}\n\nexport type DenialCode =\n | 'wallet_not_trusted'\n | 'missing_identity'\n | 'api_error'\n | 'payment_required'\n | 'identity_verification_required'\n // Wallet-signer binding: claimed X-Wallet-Address must resolve to the same operator as\n // the payment signer; wallet-auth is rejected on rails with no wallet signer.\n | 'wallet_signer_mismatch'\n | 'wallet_auth_requires_wallet_signing'\n // Granular credential-state denials passed through from /v1/assess.\n // - `token_expired`: revoked + TTL-expired (the API unifies these). The 401 body carries\n // an auto-minted session, forwarded into DenialReason for one-shot recovery.\n // - `invalid_credential`: the token doesn't exist at all (typo, never minted, fabricated).\n // No auto-session is minted by the API for this case — agents should switch to a\n // different stored token or drop the header to bootstrap a fresh session.\n | 'token_expired'\n | 'invalid_credential';\n\n/**\n * Cross-merchant pattern hint emitted on bootstrap denials and session-create responses.\n * LLM-hosted agents should persist this to long-term memory so future AgentScore encounters skip\n * the cold-start session flow. Contents are the pattern, not secrets.\n */\nexport interface AgentMemoryHint {\n save_for_future_agentscore_gates: true;\n pattern_summary: string;\n quickstart: string;\n identity_check_endpoint: string;\n list_wallets_endpoint?: string;\n identity_paths: { wallet: string; operator_token: string };\n bootstrap: string;\n do_not_persist_in_memory: string[];\n persist_in_credential_store: string[];\n}\n\nexport interface DenialReason {\n code: DenialCode;\n /** Human-readable explanation. When omitted, `denialReasonToBody` substitutes a per-code default. */\n message?: string;\n decision?: string;\n reasons?: string[];\n verify_url?: string;\n session_id?: string;\n poll_secret?: string;\n poll_url?: string;\n agent_instructions?: string;\n /** Cross-merchant memory hint. Emitted on bootstrap denials only by default. */\n agent_memory?: AgentMemoryHint;\n /** Full assess response when the denial came from `/v1/assess`. Lets consumers access fields\n * not promoted to first-class DenialReason properties (e.g., `policy_result`). Undefined for\n * denials that did not originate from an assess call (missing_identity, api_error,\n * payment_required, identity_verification_required). */\n data?: AssessResult;\n /** Extra fields returned from the `createSessionOnMissing.onBeforeSession` hook. Merged\n * into the default 403 body; custom `onDenied` handlers can spread these into their own\n * response shape (e.g. to include a merchant-minted `order_id`). */\n extra?: Record<string, unknown>;\n // ---------------------------------------------------------------------------\n // Wallet-signer-match fields — populated for wallet_signer_mismatch only.\n // ---------------------------------------------------------------------------\n /** Operator id resolved from `X-Wallet-Address`. */\n claimed_operator?: string;\n /** Operator id the actual payment signer resolves to. `null` when the signer wallet isn't\n * linked to any operator (treat as a different identity). */\n actual_signer_operator?: string | null;\n /** The wallet the agent claimed via header. Echoed back for self-correction. */\n expected_signer?: string;\n /** The wallet that actually signed the payment. */\n actual_signer?: string;\n /** Wallets the claimed operator could sign with (if enumerable). Present when non-empty. */\n linked_wallets?: string[];\n}\n\n/** Operator verification details from the assess response. Mirrors python's\n * `OperatorVerification` dataclass. */\nexport interface OperatorVerification {\n level: string;\n operator_type: string | null;\n verified_at: string | null;\n}\n\n/** Account-level KYC facts that apply to every operator under the same account.\n * Populated when the API returns account_verification (post-KYC operator).\n * Mirrors python's account_verification dict shape. */\nexport interface AccountVerification {\n kyc_level?: string;\n sanctions_clear?: boolean;\n age_bracket?: string;\n jurisdiction?: string;\n verified_at?: string | null;\n}\n\n/** A single policy check from the assess response. Mirrors python's `PolicyCheck`. */\nexport interface PolicyCheck {\n rule: string;\n passed: boolean;\n required?: unknown;\n actual?: unknown;\n}\n\n/** Policy evaluation result from the assess response. Mirrors python's `PolicyResult`. */\nexport interface PolicyResult {\n all_passed: boolean;\n checks: PolicyCheck[];\n}\n\nexport interface AssessResult {\n decision: string | null;\n decision_reasons: string[];\n identity_method?: string;\n operator_verification?: OperatorVerification;\n account_verification?: AccountVerification;\n resolved_operator?: string | null;\n /** Wallets linked to the same operator as the resolved identity. Capped at 100 entries\n * by the API. Useful for advertising in 402 challenges so wallet-auth agents know which\n * alt-signers will satisfy `wallet_signer_mismatch`. */\n linked_wallets?: string[];\n verify_url?: string;\n policy_result?: PolicyResult | null;\n}\n\n/**\n * Reason a failOpen allow short-circuited an evaluate call due to AgentScore-side\n * infrastructure issues. Surfaced on `EvaluateOutcome` so merchants can log/alert when\n * their gate is running in degraded mode (compliance not actually enforced this request).\n *\n * - `quota_exceeded` — AgentScore returned 429\n * - `api_error` — AgentScore returned 5xx or non-2xx that isn't 429\n * - `network_timeout` — request to /v1/assess timed out or failed at the network layer\n */\nexport type FailOpenInfraReason = 'quota_exceeded' | 'api_error' | 'network_timeout';\n\n/** Per-account assess quota observability, captured from `X-Quota-*` response headers\n * on the success path. Mirrors the SDK's `QuotaInfo` shape — re-exported from gate state\n * so merchants can monitor approach-to-cap proactively (warn at 80%, alert at 95%). */\nexport interface GateQuotaInfo {\n limit: number | null;\n used: number | null;\n /** ISO-8601 timestamp, or the literal string `\"never\"` for unlimited tiers. */\n reset: string | null;\n}\n\n/**\n * Outcome from `AgentScoreCore.evaluate()`. Adapters map this to framework-specific responses.\n *\n * - `{ kind: 'allow', data }` — the request passed the policy. `data` is present on a normal\n * allow; `undefined` when fail-open short-circuited (identity missing, API unreachable,\n * timeout, or 402 paid-tier required).\n * - When `failOpen: true` and the allow was the result of an AgentScore-side infrastructure\n * failure (429/5xx/timeout), the result also carries `degraded: true` + `infraReason` so\n * merchants can alert/log without parsing console output.\n * - `quota` propagates the SDK's per-request quota observability when the API emits the\n * `X-Quota-*` headers. Optional; absent on Enterprise / unlimited tiers.\n * - `{ kind: 'deny', reason }` — the request was denied. Adapters should render a 403 with the\n * reason, or invoke the caller's custom denial handler.\n */\nexport type EvaluateOutcome =\n | { kind: 'allow'; data?: AssessResult; degraded?: boolean; infraReason?: FailOpenInfraReason; quota?: GateQuotaInfo }\n | { kind: 'deny'; reason: DenialReason };\n\nexport interface CaptureWalletOptions {\n /** Operator credential (`opc_...`) that the agent authenticated with. */\n operatorToken: string;\n /** Signer wallet recovered from the payment payload. */\n walletAddress: string;\n /** Key-derivation family — `\"evm\"` for any EVM chain, `\"solana\"` for Solana. */\n network: 'evm' | 'solana';\n /** Optional stable key for the logical payment (e.g., payment intent id, tx hash). When the\n * same key is seen again for the same (credential, wallet, network), the server no-ops —\n * prevents agent retries from inflating transaction_count. */\n idempotencyKey?: string;\n}\n\n/** Combined wallet-signer verdict surfaced by `getSignerVerdict(c)` — both verdicts come\n * through the gate's primary `/v1/assess` call (single round trip). `signer_match` describes\n * the wallet-binding (claimed wallet's operator ≡ signer wallet's operator); `signer_sanctions`\n * describes the OFAC SDN wallet-address check.\n *\n * `signer_match` is projected to the gate's camelCase `VerifyWalletSignerResult` shape so\n * existing `buildSignerMismatchBody(...)` helpers consume it unchanged. `signer_sanctions`\n * passes through in the API's wire shape (already short and stable). Returned `undefined`\n * from `getSignerVerdict` when the gate didn't run with a signer (operator-token-only\n * paths, discovery legs with no payment header). */\nexport interface SignerVerdict {\n signer_match: VerifyWalletSignerResult | null;\n signer_sanctions:\n | { status: 'clear' }\n | { sanctioned: true; ofac_label: string; sdn_uid: string; listed_at: string | null }\n | { status: 'unavailable' }\n | null;\n}\n\nexport type VerifyWalletSignerResult =\n | { kind: 'pass'; claimedOperator: string | null; signerOperator: string | null }\n | {\n kind: 'wallet_signer_mismatch';\n claimedOperator: string | null;\n actualSignerOperator: string | null;\n expectedSigner: string;\n actualSigner: string;\n linkedWallets: string[];\n /** JSON-encoded action copy (action + steps + user_message). Spread into the 403 body\n * verbatim so agents get a concrete recovery path inside the denial response itself. */\n agentInstructions: string;\n }\n | {\n kind: 'wallet_auth_requires_wallet_signing';\n claimedWallet: string;\n agentInstructions: string;\n };\n\nexport interface AgentScoreCore {\n /**\n * Evaluate the request's identity against the configured policy.\n * @param identity - extracted identity (wallet address and/or operator token)\n * @param ctx - optional framework-specific context (Hono c, Express req, etc.) passed\n * through to `createSessionOnMissing` hooks. Opaque to core.\n */\n evaluate(\n identity: AgentIdentity | undefined,\n ctx?: unknown,\n /** Pre-extracted payment signer from the inbound request (the adapter middleware\n * extracts it via `extractPaymentSigner`). When provided, the assess call carries\n * it and the response includes `signer_match` + `signer_sanctions` verdicts in one\n * round trip. */\n signer?: PaymentSigner | null,\n ): Promise<EvaluateOutcome>;\n /** Synchronous read of the cached signer verdicts (signer_match + signer_sanctions)\n * populated when the gate's evaluate call was made with a pre-extracted signer. Returns\n * `undefined` when the gate didn't run, the request was operator-token-authenticated,\n * or no signer was extractable (discovery legs). */\n getSignerVerdict(claimedAddress: string): SignerVerdict | undefined;\n /** Report a wallet seen paying under an operator credential. Fire-and-forget; silently\n * swallows non-fatal errors because capture is informational, not on the critical path. */\n captureWallet(options: CaptureWalletOptions): Promise<void>;\n}\n\n// ---------------------------------------------------------------------------\n// Internal types\n// ---------------------------------------------------------------------------\n\n/** Internal cache entry for the gate's per-`(identity, policy)` assess result memo.\n * Distinct from the public `AssessResult` interface (the typed `/v1/assess` response\n * shape returned to merchants); this carries the cached decision plus the per-signer\n * wallet-match sub-cache. */\ninterface CachedAssessResult {\n allow: boolean;\n decision?: string;\n reasons?: string[];\n raw?: unknown;\n}\n\n/**\n * Build the cross-merchant memory hint emitted on bootstrap denials. Base URLs are\n * derived from the gate's AgentScore API base so self-hosted / staging deployments get\n * correct pointers. Contents describe the AgentScore identity substrate in transferable\n * terms; merchant-specific context lives in other `agent_instructions` fields.\n */\n// Canonical production AgentScore API — used as the authoritative source for endpoint pointers\n// emitted to agent memory regardless of how a given merchant configured their gate's baseUrl.\nconst CANONICAL_AGENTSCORE_API = 'https://api.agentscore.sh';\n\n// JSON-encoded action copy emitted on wallet-signer-match denials. Spread into 403 bodies\n// by merchants so agents get a concrete recovery path inside the denial response itself —\n// no discovery-doc round trip required.\nconst WALLET_SIGNER_MISMATCH_INSTRUCTIONS = JSON.stringify({\n action: 'resign_or_switch_to_operator_token',\n steps: [\n 'Preferred: re-submit the payment signed by expected_signer (or any entry in linked_wallets — same-operator wallets are fungible) and retry with the same X-Wallet-Address.',\n 'Alternative: drop X-Wallet-Address and retry with X-Operator-Token. Use a stored opc_... if you have one; otherwise retry this request with NO identity header — the merchant will mint a verification session in the 403 body (verify_url + poll_secret). Share verify_url with the user, poll, receive a fresh opc_...',\n ],\n user_message:\n 'The payment signer resolves to a different operator than X-Wallet-Address. Re-sign from expected_signer or any linked_wallets entry, or switch to X-Operator-Token.',\n});\n\nconst WALLET_AUTH_REQUIRES_WALLET_SIGNING_INSTRUCTIONS = JSON.stringify({\n action: 'switch_to_operator_token',\n steps: [\n 'This payment rail (Stripe SPT, card) carries no wallet signature — X-Wallet-Address cannot be verified against the payment.',\n 'Drop X-Wallet-Address and retry with X-Operator-Token. If you do not have a stored opc_..., retry with no identity header to receive a verification session.',\n ],\n user_message:\n 'Wallet-address identity is only supported on wallet-signing rails (Tempo MPP, x402). On Stripe or card, use X-Operator-Token instead.',\n});\n\n// `invalid_credential` is permanent — the token doesn't exist (typo, never minted, fabricated).\n// Distinct from `token_expired` (which carries an auto-session for one-shot recovery): the\n// API doesn't auto-mint a session here because the client may simply have a different valid\n// token to try. Agents should switch tokens or drop the header to bootstrap a session.\nconst INVALID_CREDENTIAL_INSTRUCTIONS = JSON.stringify({\n action: 'switch_token_or_restart_session',\n steps: [\n 'The X-Operator-Token you sent does not match any credential. This is a permanent state — retrying with the same token will keep failing.',\n 'If you have other stored opc_... credentials, retry with one of them.',\n 'Otherwise drop X-Operator-Token and retry with no identity header — the merchant will mint a fresh verification session in the 403 body (verify_url + poll_secret) so the user can re-verify and you can poll for a new operator_token.',\n ],\n user_message:\n 'The operator_token is not recognized. Use a different stored token, or restart the verification session flow to mint a new one.',\n});\n\nexport function buildAgentMemoryHint(): AgentMemoryHint {\n // Memory pointers always point at the canonical production API — merchants must not be\n // able to redirect the cross-merchant memory surface, since that would be a phishing\n // vector for the verify URL.\n const api = CANONICAL_AGENTSCORE_API;\n return {\n save_for_future_agentscore_gates: true,\n pattern_summary:\n 'AgentScore is a cross-merchant identity substrate for agent commerce. Any endpoint that ' +\n 'returns 403 missing_identity / identity_verification_required or 402 challenges referencing AgentScore uses ' +\n 'the same identity system. One KYC works across all AgentScore merchants — no re-verification ' +\n 'per site. Save this pattern (and the endpoints below) to persistent memory so future ' +\n 'AgentScore encounters skip the cold-start session flow.',\n quickstart: 'https://docs.agentscore.sh/guides/agent-identity',\n identity_check_endpoint: `${api}/v1/credentials`,\n identity_paths: {\n wallet:\n 'If paying from a crypto wallet you have used before on any AgentScore merchant, send ' +\n '`X-Wallet-Address: 0x...`. Shortest path; no token lifecycle to manage.',\n operator_token:\n 'For any rail (Stripe SPT, card, or a wallet you have not linked yet), send ' +\n '`X-Operator-Token: opc_...`. Reusable across merchants until the token expires.',\n },\n bootstrap:\n 'If you have neither a linked wallet nor a valid operator_token, follow the session/verify ' +\n 'flow in the per-request `agent_instructions` block. This happens at most once per agent ' +\n 'identity — after first verification, the operator_token and any subsequently used wallet ' +\n 'are reusable everywhere.',\n do_not_persist_in_memory: ['operator_token', 'poll_secret'],\n persist_in_credential_store: ['operator_token'],\n };\n}\n\n// ---------------------------------------------------------------------------\n// Core factory\n// ---------------------------------------------------------------------------\n\nexport function createAgentScoreCore(options: AgentScoreCoreOptions): AgentScoreCore {\n if (!options.apiKey) {\n throw new Error('AgentScore API key is required. Get one at https://agentscore.sh/sign-up');\n }\n\n const {\n apiKey,\n requireKyc,\n requireSanctionsClear,\n minAge,\n blockedJurisdictions,\n allowedJurisdictions,\n failOpen = false,\n cacheSeconds = 300,\n baseUrl: rawBaseUrl = 'https://api.agentscore.sh',\n chain: gateChain,\n userAgent,\n createSessionOnMissing,\n } = options;\n\n const baseUrl = stripTrailingSlashes(rawBaseUrl);\n const agentMemoryHint = buildAgentMemoryHint();\n\n const defaultUa = `@agent-score/commerce@${__VERSION__}`;\n const userAgentHeader = userAgent ? `${userAgent} (${defaultUa})` : defaultUa;\n\n // Single shared SDK instance for every API call this gate makes (assess, sessions,\n // credentials/wallets, telemetry). Connection pooling + typed-error classification +\n // X-Quota-* header capture all flow through here. The SDK owns the transport layer\n // (timeouts, retry-on-429); the gate adds policy semantics on top. Pass the\n // merchant-prefixed UA — SDK appends its own default to produce a chain like\n // `<merchant-app> (@agent-score/commerce@<v>) (@agent-score/sdk@<v>)`.\n const sdk = new AgentScore({ apiKey, baseUrl, userAgent: userAgentHeader });\n\n // createSessionOnMissing can carry its own apiKey + baseUrl (merchants sometimes wire\n // a session-only key for this hook). Lazily build a separate SDK instance keyed on\n // (apiKey, baseUrl) so we don't construct a new client per request.\n const sessionSdkCache = new Map<string, AgentScore>();\n function getSessionSdk(sessionApiKey: string, sessionBaseUrl?: string): AgentScore {\n const key = `${sessionApiKey}|${sessionBaseUrl ?? ''}`;\n let s = sessionSdkCache.get(key);\n if (!s) {\n s = new AgentScore({\n apiKey: sessionApiKey,\n baseUrl: sessionBaseUrl ?? baseUrl,\n userAgent: userAgentHeader,\n });\n sessionSdkCache.set(key, s);\n }\n return s;\n }\n\n const cache = new TTLCache<CachedAssessResult>(cacheSeconds * 1000);\n\n // Mint a verification session via /v1/sessions and return the resulting\n // identity_verification_required DenialReason — or undefined if the mint failed (network\n // error, non-2xx, missing fields). Used for both the missing-identity path and the\n // fixable-wallet bootstrap path: in both cases the UX is identical (agent polls the\n // returned poll_url until it gets a fresh opc_... and retries).\n async function tryMintSessionDenial(ctx: unknown): Promise<DenialReason | undefined> {\n if (!createSessionOnMissing) return undefined;\n try {\n const sessionBody: { context?: string; product_name?: string } = {};\n if (createSessionOnMissing.context != null) sessionBody.context = createSessionOnMissing.context;\n if (createSessionOnMissing.productName != null) sessionBody.product_name = createSessionOnMissing.productName;\n\n if (createSessionOnMissing.getSessionOptions && ctx !== undefined) {\n try {\n const dynamic = await createSessionOnMissing.getSessionOptions(ctx);\n if (dynamic?.context != null) sessionBody.context = dynamic.context;\n if (dynamic?.productName != null) sessionBody.product_name = dynamic.productName;\n } catch (err) {\n console.warn('[gate] createSessionOnMissing.getSessionOptions hook failed:', err instanceof Error ? err.message : err);\n }\n }\n\n // createSessionOnMissing.apiKey may differ from the gate's apiKey (e.g. merchant\n // wires a session-only key for this hook). Build a per-config SDK lazily.\n const sessionSdk = getSessionSdk(createSessionOnMissing.apiKey, createSessionOnMissing.baseUrl);\n const data = (await sessionSdk.createSession({\n ...(sessionBody.context !== undefined ? { context: sessionBody.context } : {}),\n ...(sessionBody.product_name !== undefined ? { product_name: sessionBody.product_name } : {}),\n })) as unknown as Record<string, unknown>;\n\n // Validate required fields before trusting the response. A misbehaving (or mocked-wrong)\n // API could 200 without session_id/poll_secret/verify_url, which would propagate\n // `undefined` into the 403 body and leave the agent stuck — treat as session-create\n // failure and fall back to the caller's bare denial.\n if (\n typeof data.session_id !== 'string' ||\n typeof data.poll_secret !== 'string' ||\n typeof data.verify_url !== 'string'\n ) {\n console.warn('[gate] /v1/sessions returned 200 without required fields — falling back to bare denial');\n return undefined;\n }\n\n // Run onBeforeSession side-effect hook. Errors are swallowed — a failing DB write\n // (e.g. can't insert pending order) should not block the 403.\n let extra: Record<string, unknown> | undefined;\n if (createSessionOnMissing.onBeforeSession && ctx !== undefined) {\n try {\n const sessionMeta = {\n session_id: data.session_id as string,\n verify_url: data.verify_url as string,\n poll_secret: data.poll_secret as string,\n poll_url: data.poll_url as string,\n expires_at: data.expires_at as string | undefined,\n };\n const result = await createSessionOnMissing.onBeforeSession(ctx, sessionMeta);\n if (result && typeof result === 'object') extra = result;\n } catch (err) {\n console.warn('[gate] createSessionOnMissing.onBeforeSession hook failed:', err instanceof Error ? err.message : err);\n }\n }\n\n // The API emits `next_steps` (structured object) on /v1/sessions success. Stringify it\n // into the gate's `agent_instructions` contract so merchants get the same JSON-encoded\n // {action, steps, user_message} envelope as every other gate-emitted denial.\n const apiNextSteps = data.next_steps as Record<string, unknown> | undefined;\n return {\n code: 'identity_verification_required',\n verify_url: data.verify_url as string,\n session_id: data.session_id as string,\n poll_secret: data.poll_secret as string,\n poll_url: data.poll_url as string | undefined,\n agent_instructions: apiNextSteps ? JSON.stringify(apiNextSteps) : undefined,\n agent_memory: agentMemoryHint,\n ...(extra && { extra }),\n };\n } catch (err) {\n // Session-mint failed (network, /v1/sessions returned non-2xx, body parse error,\n // onBeforeSession threw inside the inner try). Caller falls back to a bare denial —\n // agents still get a 403 with a probe-strategy hint. Log loudly so a persistent\n // /v1/sessions outage isn't masked.\n console.warn('[gate] createSessionOnMissing path failed — falling back to bare denial:', err instanceof Error ? err.message : err);\n return undefined;\n }\n }\n\n async function evaluate(\n identity: AgentIdentity | undefined,\n ctx?: unknown,\n signer?: PaymentSigner | null,\n ): Promise<EvaluateOutcome> {\n // Treat \"returned identity object with no usable fields\" the same as \"no identity at all\" —\n // otherwise a misbehaving custom extractIdentity would send an empty body to /v1/assess.\n if (!identity || (!identity.address && !identity.operatorToken)) {\n // failOpen short-circuits BEFORE the session mint. This branch isn't an infra failure\n // (no AgentScore call has been made yet) so we don't mark the gate state as degraded —\n // missing identity + failOpen is the explicit opt-in pass-through behavior, not a\n // graceful-degradation event. Merchants who need identity-or-deny on a failOpen gate\n // should add a guard at the handler that checks for X-Wallet-Address / X-Operator-Token\n // before reading the gate state.\n if (failOpen) return { kind: 'allow' };\n\n const sessionReason = await tryMintSessionDenial(ctx);\n if (sessionReason) return { kind: 'deny', reason: sessionReason };\n\n // Bare missing-identity denial (no session was auto-created). Describe the probe\n // strategy so agents without memory can recover: try wallet first on signing rails,\n // fall back to stored opc_..., fall back to session flow (noting that only\n // auto-session merchants return verify_url + poll data on the retry).\n const missingIdentityInstructions = JSON.stringify({\n action: 'probe_identity_then_session',\n steps: [\n 'If you have a wallet AND this merchant accepts a wallet-signing rail (Tempo MPP or x402 — see openapi.json x-payment-info): send X-Wallet-Address and retry. If the wallet is already linked to an AgentScore operator (via prior SIWE claim or prior captureWallet), this passes in one round trip. If the wallet is unlinked or the account has no KYC, the 403 will include a verify_url — share it with the user to claim the wallet + complete KYC, then retry.',\n 'If step 1 is denied or you already have a stored operator_token (valid + not expired): send X-Operator-Token: opc_... and retry.',\n 'If neither applies: retry with NO identity header. Merchants that auto-create verification sessions (most AgentScore merchants do) return verify_url + session_id + poll_secret in the 403 body — share verify_url with the user, then poll poll_url every 5s with the X-Poll-Secret header until status=verified (the poll returns a one-time operator_token). If the retry returns the same bare 403, this merchant does not support self-service session bootstrapping — direct the user to https://agentscore.sh/sign-up to create an AgentScore identity and mint an operator_token from their dashboard (https://agentscore.sh/dashboard/verify). The user hands the opc_... to you, and you retry with X-Operator-Token.',\n ],\n user_message:\n 'Try X-Wallet-Address first if you have a wallet and the merchant accepts Tempo/x402; fall back to a stored X-Operator-Token, then to the session/verify flow described in agent_memory.bootstrap.',\n });\n return {\n kind: 'deny',\n reason: {\n code: 'missing_identity',\n agent_instructions: missingIdentityInstructions,\n agent_memory: agentMemoryHint,\n },\n };\n }\n\n // operator_token is opaque + ASCII-only — lowercasing is safe. Wallet addresses go\n // through normalizeAddress because Solana base58 is case-sensitive and lowercasing\n // would corrupt the cache key (a Solana cache miss every time, plus collision risk\n // with mixed-case variants of the same operator).\n const cacheKey = identity.operatorToken?.toLowerCase() ?? (identity.address ? normalizeAddress(identity.address) : '');\n\n const cached = cache.get(cacheKey);\n if (cached) {\n if (cached.allow) {\n const cachedRaw = cached.raw as Record<string, unknown> | undefined;\n const cachedQuota = cachedRaw?.quota as GateQuotaInfo | undefined;\n return {\n kind: 'allow',\n data: cachedRaw as unknown as AssessResult,\n ...(cachedQuota !== undefined && { quota: cachedQuota }),\n };\n }\n // Fixable compliance denials (kyc_required, kyc_pending, kyc_failed) get the\n // same UX as missing_identity: mint a fresh verification session, agent polls\n // until status=verified, gets a fresh opc_..., retries. Unfixable reasons\n // (sanctions_flagged, age_insufficient, jurisdiction_restricted) keep the bare\n // wallet_not_trusted denial. `jurisdiction_restricted` is unfixable: the API\n // only emits it after KYC is verified (the user's KYC'd country is in the\n // blocked list — re-doing KYC won't change the country).\n if (isFixableDenial(cached.reasons)) {\n const sessionReason = await tryMintSessionDenial(ctx);\n if (sessionReason) return { kind: 'deny', reason: sessionReason };\n }\n return {\n kind: 'deny',\n reason: {\n code: 'wallet_not_trusted',\n decision: cached.decision,\n reasons: cached.reasons,\n verify_url: (cached.raw as Record<string, unknown> | undefined)?.verify_url as string | undefined,\n data: cached.raw as AssessResult | undefined,\n },\n };\n }\n\n const policy: Record<string, unknown> = {};\n if (requireKyc != null) policy.require_kyc = requireKyc;\n if (requireSanctionsClear != null) policy.require_sanctions_clear = requireSanctionsClear;\n if (minAge != null) policy.min_age = minAge;\n if (blockedJurisdictions != null) policy.blocked_jurisdictions = blockedJurisdictions;\n if (allowedJurisdictions != null) policy.allowed_jurisdictions = allowedJurisdictions;\n\n let data: Record<string, unknown>;\n try {\n // Single SDK call: typed-error subclasses (PaymentRequiredError / TokenExpiredError /\n // InvalidCredentialError / QuotaExceededError / TimeoutError) flow through the\n // catch below; success path captures `quota` from X-Quota-* headers automatically.\n const opts = {\n chain: gateChain,\n ...(Object.keys(policy).length > 0 ? { policy: policy as never } : {}),\n // Pre-extracted payment signer (by the adapter middleware). When present, the API\n // composes BOTH signer_match (wallet-binding) and signer_sanctions (OFAC SDN wallet\n // check) verdicts on the response in one round trip. Under\n // policy.require_sanctions_clear, a signer_sanctions hit flips decision -> deny inline.\n ...(signer && { signer: { address: signer.address, network: signer.network } }),\n };\n // SDK has two overloads — narrow by which identity is set so TS picks the right one.\n const result = identity.address\n ? await sdk.assess(identity.address, { ...opts, operatorToken: identity.operatorToken })\n : await sdk.assess(null, { ...opts, operatorToken: identity.operatorToken! });\n data = result as unknown as Record<string, unknown>;\n } catch (err) {\n if (err instanceof PaymentRequiredError) {\n if (failOpen) return { kind: 'allow' };\n return { kind: 'deny', reason: { code: 'payment_required' } };\n }\n if (err instanceof TokenExpiredError) {\n // SDK extracts the auto-minted session fields onto the error instance — no body\n // re-parsing needed here.\n return {\n kind: 'deny',\n reason: {\n code: 'token_expired',\n data: err.details as unknown as AssessResult,\n ...(err.verifyUrl ? { verify_url: err.verifyUrl } : {}),\n ...(err.sessionId ? { session_id: err.sessionId } : {}),\n ...(err.pollSecret ? { poll_secret: err.pollSecret } : {}),\n ...(err.pollUrl ? { poll_url: err.pollUrl } : {}),\n ...(err.nextSteps ? { agent_instructions: JSON.stringify(err.nextSteps) } : {}),\n ...(err.agentMemory ? { agent_memory: err.agentMemory as AgentMemoryHint } : {}),\n },\n };\n }\n if (err instanceof InvalidCredentialError) {\n // Permanent — no auto-session, agent should switch tokens or restart.\n return {\n kind: 'deny',\n reason: {\n code: 'invalid_credential',\n agent_instructions: INVALID_CREDENTIAL_INSTRUCTIONS,\n agent_memory: agentMemoryHint,\n },\n };\n }\n if (err instanceof QuotaExceededError) {\n console.warn('[gate] /v1/assess returned 429 quota_exceeded');\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'quota_exceeded' };\n return {\n kind: 'deny',\n reason: { code: 'api_error', agent_instructions: QUOTA_EXCEEDED_INSTRUCTIONS },\n };\n }\n if (err instanceof SdkTimeoutError) {\n console.warn('[gate] /v1/assess timed out:', err.message);\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'network_timeout' };\n return { kind: 'deny', reason: { code: 'api_error' } };\n }\n // Status-based fallbacks for AgentScoreError instances the SDK couldn't classify\n // into a typed subclass (e.g. 429 with body that lacked error.code, or a fetch\n // rejection whose .name doesn't match AbortError but whose status code is set).\n // The real API always emits error.code on 429, so this is purely defensive.\n const status = (err as { status?: number } | null)?.status;\n const errName = err instanceof Error ? err.name : '';\n if (status === 429) {\n console.warn('[gate] /v1/assess returned 429 (untyped — defensive)');\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'quota_exceeded' };\n return {\n kind: 'deny',\n reason: { code: 'api_error', agent_instructions: QUOTA_EXCEEDED_INSTRUCTIONS },\n };\n }\n if (errName === 'TimeoutError' || errName === 'AbortError') {\n console.warn('[gate] /v1/assess timed out (by Error.name):', err instanceof Error ? err.message : err);\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'network_timeout' };\n return { kind: 'deny', reason: { code: 'api_error' } };\n }\n // Generic AgentScoreError (rate_limited, 5xx, network_error, body parse, unknown 4xx)\n // or any non-AgentScoreError unexpected throw — surface as api_error.\n // Include the SDK-classified error code (when available) so ops/dev see\n // schema-drift cases like a new 401 error.code rather than a silent 503.\n const errCode = (err as { code?: string } | null)?.code;\n const msg = err instanceof Error ? err.message : String(err);\n const detail = errCode ? `${errCode}: ${msg}` : msg;\n console.warn(`[gate] /v1/assess call failed — surfacing as api_error: ${detail}`);\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'api_error' };\n return { kind: 'deny', reason: { code: 'api_error' } };\n }\n\n const decision = data.decision as string | null | undefined;\n const decisionReasons = (data.decision_reasons as string[]) ?? [];\n const allow = decision === 'allow' || decision == null;\n\n cache.set(cacheKey, { allow, decision: decision ?? undefined, reasons: decisionReasons, raw: data });\n\n if (allow) {\n // SDK populates `quota` on the assess response from X-Quota-* headers when the\n // API emits them. Surface up to the adapter so merchants can monitor approach-to-cap.\n const quota = data.quota as GateQuotaInfo | undefined;\n return {\n kind: 'allow',\n data: data as unknown as AssessResult,\n ...(quota !== undefined && { quota }),\n };\n }\n\n // Fixable compliance denials (kyc_required, kyc_pending, kyc_failed) get the\n // same UX as missing_identity: mint a fresh verification session, agent polls\n // until status=verified, gets a fresh opc_..., retries. Unfixable reasons\n // (sanctions_flagged, age_insufficient, jurisdiction_restricted) keep the bare\n // wallet_not_trusted denial. `jurisdiction_restricted` is unfixable: the API\n // only emits it after KYC is verified (the user's KYC'd country is in the\n // blocked list — re-doing KYC won't change the country).\n if (isFixableDenial(decisionReasons)) {\n const sessionReason = await tryMintSessionDenial(ctx);\n if (sessionReason) return { kind: 'deny', reason: sessionReason };\n }\n\n return {\n kind: 'deny',\n reason: {\n code: 'wallet_not_trusted',\n decision: decision ?? undefined,\n reasons: decisionReasons,\n verify_url: data.verify_url as string | undefined,\n data: data as unknown as AssessResult,\n },\n };\n }\n\n async function captureWallet(options: CaptureWalletOptions): Promise<void> {\n try {\n await sdk.associateWallet({\n operatorToken: options.operatorToken,\n walletAddress: options.walletAddress,\n network: options.network,\n ...(options.idempotencyKey ? { idempotencyKey: options.idempotencyKey } : {}),\n });\n } catch (err) {\n // Fire-and-forget: don't throw. Log so a persistent capture outage is visible\n // to merchant ops — otherwise wallet↔operator linkage silently stops.\n console.warn('[agentscore-commerce] captureWallet failed:', err instanceof Error ? err.message : err);\n }\n }\n\n // Project the API's signer_match block onto the gate's VerifyWalletSignerResult shape.\n // The API authors agent_instructions, claimed/signer operators, and the linked-wallet\n // set (deny-guarded server-side); the gate just shapes those fields into camelCase.\n function projectSignerMatch(\n sm: Record<string, unknown>,\n claimedNorm: string,\n signerNorm: string,\n ): VerifyWalletSignerResult {\n const kind = sm.kind as string;\n if (kind === 'pass') {\n return {\n kind: 'pass',\n claimedOperator: (sm.claimed_operator as string | null | undefined) ?? null,\n signerOperator: (sm.signer_operator as string | null | undefined) ?? null,\n };\n }\n if (kind === 'wallet_auth_requires_wallet_signing') {\n return {\n kind: 'wallet_auth_requires_wallet_signing',\n claimedWallet: (sm.claimed_wallet as string | undefined) ?? claimedNorm,\n agentInstructions:\n (sm.agent_instructions as string | undefined) ?? WALLET_AUTH_REQUIRES_WALLET_SIGNING_INSTRUCTIONS,\n };\n }\n // Default: wallet_signer_mismatch\n const linked = sm.linked_wallets;\n return {\n kind: 'wallet_signer_mismatch',\n claimedOperator: (sm.claimed_operator as string | null | undefined) ?? null,\n actualSignerOperator: (sm.signer_operator as string | null | undefined) ?? null,\n expectedSigner: (sm.expected_signer as string | undefined) ?? claimedNorm,\n actualSigner: (sm.actual_signer as string | undefined) ?? signerNorm,\n linkedWallets: Array.isArray(linked)\n ? (linked as unknown[]).filter((w): w is string => typeof w === 'string')\n : [],\n agentInstructions:\n (sm.agent_instructions as string | undefined) ?? WALLET_SIGNER_MISMATCH_INSTRUCTIONS,\n };\n }\n\n /**\n * Synchronous read of the cached signer verdicts. Adapter middleware extracts the\n * signer pre-evaluate and the gate's primary /v1/assess call composes both verdicts\n * (signer_match + signer_sanctions) in one round trip — this getter just reads the\n * cached response. Returns `undefined` for operator-token-only paths, discovery legs\n * with no payment credential, or when the gate didn't run.\n */\n function getSignerVerdict(claimedAddress: string): SignerVerdict | undefined {\n const claimedNorm = normalizeAddress(claimedAddress);\n const cached = cache.get(claimedNorm);\n if (!cached) return undefined;\n const raw = cached.raw as Record<string, unknown> | undefined;\n if (!raw) return undefined;\n const rawMatch = raw.signer_match as Record<string, unknown> | undefined;\n const rawSanctions = raw.signer_sanctions as SignerVerdict['signer_sanctions'] | undefined;\n if (!rawMatch && !rawSanctions) return undefined;\n // The API's signer_match has the actual signer wallet baked in (actual_signer); we\n // didn't track it separately in the cache key (only claimed-side). Pass the API's own\n // actual_signer as signerNorm so the projected shape is consistent.\n const signerNorm = (rawMatch?.actual_signer as string | undefined) ?? claimedNorm;\n return {\n signer_match: rawMatch ? projectSignerMatch(rawMatch, claimedNorm, signerNorm) : null,\n signer_sanctions: rawSanctions ?? null,\n };\n }\n\n return { evaluate, captureWallet, getSignerVerdict };\n}\n","/**\n * Universal denial helpers shared across every adapter.\n *\n * What lives here:\n * - `FIXABLE_DENIAL_REASONS` / `isFixableDenial` — classifier for compliance reasons that can\n * be resolved by re-completing KYC (vs sanctions / age failures which are permanent).\n * - `denialReasonStatus` — picks the right HTTP status code per denial code (401 for credential\n * problems, 503 for transient API errors, 403 for everything else).\n * - `buildSignerMismatchBody` — produces the standard 403 body for a non-pass signer_match\n * verdict (read via `getSignerVerdict`).\n * - `buildContactSupportNextSteps` — standard `next_steps.action: \"contact_support\"` shape for\n * unfixable compliance denials.\n * - `verificationAgentInstructions` — the canned `agent_instructions` block for\n * identity-verification 403s. Vendors can override individual fields.\n *\n * Adapters use `denialReasonStatus` inside their default `onDenied` so vendors get the right\n * status code for free. The body builders are exported from each adapter so vendors who write\n * a custom `onDenied` can compose them without copy-paste.\n */\n\nimport type { DenialReason, VerifyWalletSignerResult } from './core';\n\n/**\n * Compliance denial reasons that can be resolved by re-completing KYC. The API emits these\n * when KYC is missing/pending/failed; the user can re-verify and retry.\n *\n * `jurisdiction_restricted` is NOT in this set — the API only emits it AFTER KYC is verified,\n * meaning the user's KYC'd country is in the merchant's blocked list (or absent from the\n * allowed list). Re-doing KYC won't change the country, so it's permanent. Same shape as\n * `sanctions_flagged` and `age_insufficient` — surface contact_support, don't waste a\n * /v1/sessions mint.\n */\nexport const FIXABLE_DENIAL_REASONS: ReadonlySet<string> = new Set([\n 'kyc_required',\n 'kyc_pending',\n 'kyc_failed',\n]);\n\n/**\n * Returns true when a `wallet_not_trusted` denial's reasons are all fixable via KYC\n * re-verification. False when any reason is permanent (sanctions, age, jurisdiction_restricted).\n *\n * Empty reasons returns false — without a known reason we can't promise a fix, so default to\n * the bare denial path (vendors can override via custom onDenied if they want different\n * behavior on empty reasons).\n */\nexport function isFixableDenial(reasons: readonly string[] | undefined): boolean {\n if (!reasons || reasons.length === 0) return false;\n return reasons.every((r) => FIXABLE_DENIAL_REASONS.has(r));\n}\n\n/**\n * The right HTTP status code for a denial. `defaultOnDenied` in every adapter uses this so\n * vendors get correct status codes without writing per-code branches.\n *\n * - 401 for credential problems the agent can recover from (`token_expired`, `invalid_credential`)\n * - 503 for transient `api_error`\n * - 403 for everything else (identity required, compliance fail, signer mismatch, etc.)\n */\nexport function denialReasonStatus(reason: DenialReason): 401 | 403 | 503 {\n if (reason.code === 'token_expired' || reason.code === 'invalid_credential') return 401;\n if (reason.code === 'api_error') return 503;\n return 403;\n}\n\nexport interface SignerMismatchBodyInput {\n /** Projected signer_match verdict (from `getSignerVerdict(ctx).signer_match`). Only non-pass\n * kinds produce a body. */\n result: VerifyWalletSignerResult;\n /** Optional override for the human-facing `next_steps.user_message`. */\n userMessage?: string;\n /** Optional override for `next_steps.learn_more_url`. Default: AgentScore agent-identity guide. */\n learnMoreUrl?: string;\n}\n\n/**\n * Standard 403 body for a non-pass signer-match verdict. Returns null for `pass` so vendors\n * can call it unconditionally:\n *\n * const verdict = getSignerVerdict(c);\n * if (verdict?.signer_match) {\n * const mismatchBody = buildSignerMismatchBody({ result: verdict.signer_match });\n * if (mismatchBody) return c.json(mismatchBody, 403);\n * }\n *\n * Body shape mirrors the gate's denial bodies: top-level error.code, all signer-match fields\n * (`claimed_operator`, `actual_signer_operator`, `expected_signer`, `actual_signer`,\n * `linked_wallets`), plus a `next_steps` action describing the recovery path.\n */\nexport function buildSignerMismatchBody(input: SignerMismatchBodyInput): Record<string, unknown> | null {\n const { result } = input;\n if (result.kind === 'pass') return null;\n\n const learnMoreUrl = input.learnMoreUrl ?? 'https://docs.agentscore.sh/guides/agent-identity';\n\n if (result.kind === 'wallet_signer_mismatch') {\n const linkedWallets = result.linkedWallets ?? [];\n const userMessage = input.userMessage ?? (linkedWallets.length > 0\n ? `Sign the payment with one of the wallets linked to this operator: ${linkedWallets.join(', ')}. Then retry.`\n : 'Sign the payment with the same wallet you claimed via X-Wallet-Address, or switch to X-Operator-Token for rail-independent identity.');\n return {\n error: {\n code: 'wallet_signer_mismatch',\n message:\n 'Payment signer does not match the wallet claimed via X-Wallet-Address. The signer and the claimed wallet must both resolve to the same AgentScore operator.',\n },\n claimed_operator: result.claimedOperator,\n actual_signer_operator: result.actualSignerOperator ?? null,\n expected_signer: result.expectedSigner,\n actual_signer: result.actualSigner,\n linked_wallets: linkedWallets,\n next_steps: {\n action: 'regenerate_payment_from_linked_wallet',\n user_message: userMessage,\n learn_more_url: learnMoreUrl,\n },\n };\n }\n\n // wallet_auth_requires_wallet_signing\n return {\n error: {\n code: 'wallet_auth_requires_wallet_signing',\n message:\n 'Wallet-auth requires a payment rail that carries a wallet signature (Tempo MPP, x402). Stripe SPT and card rails have no wallet signer; switch to X-Operator-Token to use those.',\n },\n next_steps: {\n action: 'switch_to_operator_token',\n user_message:\n input.userMessage ??\n 'Drop the X-Wallet-Address header and retry with X-Operator-Token (works on every payment rail).',\n learn_more_url: learnMoreUrl,\n },\n };\n}\n\n/**\n * Standard `next_steps` block for unfixable compliance denials (sanctions, age, etc.). Vendors\n * spread this into a 403 body alongside the usual `error`/`reasons` fields.\n *\n * return c.json({\n * error: { code: 'compliance_denied', message: '...' },\n * reasons,\n * next_steps: buildContactSupportNextSteps('support@example.com'),\n * }, 403);\n */\nexport function buildContactSupportNextSteps(\n supportEmail: string,\n message?: string,\n): { action: 'contact_support'; support_email: string; user_message: string } {\n return {\n action: 'contact_support',\n support_email: supportEmail,\n user_message:\n message ??\n `If you believe this denial is in error, contact support at ${supportEmail} with your order details.`,\n };\n}\n\nexport interface VerificationAgentInstructionsInput {\n /** Override the user-facing message. */\n userAction?: string;\n /** Replace the generic \"Retry the original merchant request...\" step with a merchant-specific\n * one (e.g. \"Retry POST /purchase with X-Operator-Token AND include order_id...\"). When set,\n * this REPLACES baseSteps[4] rather than appending — use it instead of `extraSteps[0]` when\n * your retry instruction is a refinement of the canonical retry, not an additional step. */\n retryStep?: string;\n /** Append additional steps after the retry step. Use this for genuinely additional steps\n * (e.g. \"After payment the same call returns 200 with the order\"), not for re-stating the\n * retry — use `retryStep` for that. */\n extraSteps?: string[];\n /** Override the poll cadence. Default 5 seconds. */\n pollIntervalSeconds?: number;\n /** Override how long the agent should keep polling. Default 3600 seconds (1 hour). */\n timeoutSeconds?: number;\n /** Optional `order_ttl` note describing how long pending orders survive. */\n orderTtl?: string;\n /** Arbitrary additional fields merged into the instructions object. */\n extra?: Record<string, unknown>;\n}\n\n/**\n * The canonical `agent_instructions` block for identity-verification 403s. Tells the agent how to\n * present the verify_url, poll for the operator_token, and retry the original request. Universal\n * across every AgentScore-gated merchant — overrides let vendors add merchant-specific steps\n * (e.g. \"include order_id when retrying\").\n */\nexport function verificationAgentInstructions(input: VerificationAgentInstructionsInput = {}): {\n action: 'poll_for_credential';\n user_action: string;\n steps: string[];\n poll_interval_seconds: number;\n poll_secret_header: 'X-Poll-Secret';\n retry_token_header: 'X-Operator-Token';\n timeout_seconds: number;\n order_ttl?: string;\n [key: string]: unknown;\n} {\n const baseSteps = [\n 'Present the verify_url directly to the user — it is a complete, ready-to-open URL with the session token already embedded (e.g. https://agentscore.sh/verify?session=sess_...). Do NOT modify or construct the URL yourself.',\n `Immediately begin polling poll_url every ${input.pollIntervalSeconds ?? 5} seconds with header X-Poll-Secret set to poll_secret. The user will complete verification in their browser while you poll in the background.`,\n 'The user visits the URL, signs in, completes identity verification (photo ID + selfie via Stripe Identity), and closes the tab. They do NOT need to copy or paste anything back to you.',\n 'When your poll returns status \"verified\", extract operator_token from the response. This is a one-time value — save it immediately. Subsequent polls return status \"consumed\" without the token.',\n input.retryStep ?? 'Retry the original merchant request with header X-Operator-Token set to the operator_token value.',\n ];\n\n return {\n action: 'poll_for_credential',\n user_action:\n input.userAction ??\n 'The user must visit verify_url to complete identity verification before this request can proceed',\n steps: input.extraSteps ? [...baseSteps, ...input.extraSteps] : baseSteps,\n poll_interval_seconds: input.pollIntervalSeconds ?? 5,\n poll_secret_header: 'X-Poll-Secret',\n retry_token_header: 'X-Operator-Token',\n timeout_seconds: input.timeoutSeconds ?? 3600,\n ...(input.orderTtl ? { order_ttl: input.orderTtl } : {}),\n ...(input.extra ?? {}),\n };\n}\n","/**\n * Shared DenialReason → response body serialization for all adapters.\n *\n * Keeps Hono / Express / Fastify / Web / Next.js defaults aligned — a field added\n * here shows up in every adapter's 403 body automatically, and there's one place\n * to test the marshaling.\n *\n * Body shape: `{ error: { code, message }, ... }` — matches the canonical AgentScore\n * error envelope so downstream agents see one consistent `error.code` +\n * `error.message` pair regardless of which layer produced the denial.\n */\n\nimport type { DenialCode, DenialReason } from './core.js';\n\n/**\n * JSON-encoded canonical agent_instructions per denial code. Auto-injected by\n * `denialReasonToBody` when the gate produces a DenialReason without explicit\n * `agent_instructions` so every denial carries a machine-readable next step.\n *\n * Codes covered:\n * - `wallet_not_trusted` — gate never stamps instructions today (the original gap)\n * - `payment_required` — gate never stamps; merchant tier misconfig, contact-merchant action\n * - `identity_verification_required` — fallback when API didn't return next_steps\n * - `token_expired` — fallback when API didn't return next_steps\n * - `api_error` — `retry_with_backoff` envelope; sole retry channel (no separate\n * next_steps block emitted)\n *\n * Codes already stamped explicitly upstream in core.ts (`missing_identity`,\n * `invalid_credential`) and codes that don't go through DenialReason\n * (`wallet_signer_mismatch`, `wallet_auth_requires_wallet_signing` — handled by\n * `getSignerVerdict` + `buildSignerMismatchBody`) are not in this map.\n */\nconst WALLET_NOT_TRUSTED_INSTRUCTIONS = JSON.stringify({\n action: 'contact_support',\n steps: [\n 'The wallet\\'s operator failed an UNFIXABLE compliance check (sanctions, age, or jurisdiction). `reasons` lists which: `sanctions_flagged` / `age_insufficient` / `jurisdiction_restricted`. KYC re-verification won\\'t change the outcome — the policy denial is structural.',\n 'Surface the denial to the user with the merchant\\'s support contact. Do not retry the same merchant request; do not hand the user a verify_url (verification won\\'t fix this code path).',\n 'Fixable compliance reasons (`kyc_required`, `kyc_pending`, `kyc_failed`) do NOT land on this code — the gate auto-mints a verification session for those and returns `identity_verification_required` with poll endpoints, same shape as `missing_identity`. `jurisdiction_restricted` IS in the unfixable bucket because the API only emits it after KYC is verified (the user\\'s KYC\\'d country is in the blocked list — re-doing KYC won\\'t change the country).',\n ],\n user_message:\n 'This purchase is denied by the merchant\\'s compliance policy and cannot be resolved by re-verifying. Contact the merchant\\'s support if you believe this is in error.',\n});\n\nconst PAYMENT_REQUIRED_INSTRUCTIONS = JSON.stringify({\n action: 'contact_merchant',\n steps: [\n 'The merchant\\'s AgentScore account does not have the assess endpoint enabled, so agent identity cannot be evaluated. This is a merchant-side configuration gap — there is no agent-side recovery.',\n 'Contact the merchant (their support channel — typically listed in /llms.txt or the OpenAPI servers metadata) so they can resolve the configuration on their side.',\n ],\n user_message:\n 'This merchant\\'s identity gate is misconfigured. Contact the merchant — there\\'s nothing to fix on the agent side.',\n});\n\nconst IDENTITY_VERIFICATION_REQUIRED_FALLBACK_INSTRUCTIONS = JSON.stringify({\n action: 'deliver_verify_url_and_poll',\n steps: [\n 'Share verify_url with the user — they complete identity verification on AgentScore.',\n 'If session_id + poll_secret are present in the body, poll poll_url every 5 seconds with header `X-Poll-Secret: <poll_secret>` until status=verified. The poll returns a one-time operator_token.',\n 'Retry the original request with header `X-Operator-Token: <opc_...>`.',\n ],\n user_message:\n 'Identity verification is required. Visit verify_url, then poll poll_url for the operator token and retry.',\n});\n\nconst API_ERROR_INSTRUCTIONS = JSON.stringify({\n action: 'retry_with_backoff',\n steps: [\n 'Verification is temporarily unavailable. Retry the request after 5–30 seconds with exponential backoff.',\n 'This is NOT a compliance denial — the user does not need to re-verify their identity. Send the same identity headers (X-Wallet-Address or X-Operator-Token) on retry.',\n 'If the request continues to fail after 3+ retries (~60 seconds total), surface the error to the user with the merchant\\'s support contact.',\n ],\n user_message:\n 'Verification is temporarily unavailable. Please try again in a moment — this is a transient issue, not a problem with your account.',\n});\n\nexport const QUOTA_EXCEEDED_INSTRUCTIONS = JSON.stringify({\n action: 'contact_merchant',\n steps: [\n 'AgentScore identity verification is unavailable for this merchant. This is a merchant-side issue and is NOT recoverable via retry.',\n 'Do not retry: the same 503 will be returned until the merchant resolves the issue on their side.',\n 'Surface to the user with the merchant\\'s support contact. The merchant (not the agent) needs to act.',\n ],\n user_message:\n 'This merchant\\'s identity verification is temporarily unavailable. Try again later, or contact the merchant directly.',\n});\n\nconst TOKEN_EXPIRED_FALLBACK_INSTRUCTIONS = JSON.stringify({\n action: 'deliver_verify_url_and_poll',\n steps: [\n 'The operator token is expired or revoked. AgentScore auto-mints a fresh verification session — complete it to receive a new opc_...',\n 'Share verify_url with the user, then poll poll_url every 5 seconds with header `X-Poll-Secret: <poll_secret>` until status=verified. The poll returns a fresh one-time operator_token.',\n 'Retry the original request with header `X-Operator-Token: <new_opc_...>`.',\n ],\n user_message:\n 'Operator token is expired or revoked. A new verification session has been minted — visit verify_url to refresh.',\n});\n\nconst DEFAULT_AGENT_INSTRUCTIONS: Partial<Record<DenialCode, string>> = {\n api_error: API_ERROR_INSTRUCTIONS,\n wallet_not_trusted: WALLET_NOT_TRUSTED_INSTRUCTIONS,\n payment_required: PAYMENT_REQUIRED_INSTRUCTIONS,\n identity_verification_required: IDENTITY_VERIFICATION_REQUIRED_FALLBACK_INSTRUCTIONS,\n token_expired: TOKEN_EXPIRED_FALLBACK_INSTRUCTIONS,\n};\n\nconst DEFAULT_MESSAGES: Record<DenialCode, string> = {\n missing_identity:\n 'No identity provided. Send X-Wallet-Address (wallet) or X-Operator-Token (credential).',\n identity_verification_required:\n 'Identity verification is required to access this resource. Visit verify_url to complete KYC.',\n wallet_not_trusted:\n 'The wallet does not meet the merchant compliance policy.',\n api_error:\n 'AgentScore is unreachable. This is transient — retry in a few seconds.',\n payment_required:\n 'Assess endpoint not enabled for this merchant. Contact support.',\n wallet_signer_mismatch:\n 'Payment signer does not match the wallet claimed via X-Wallet-Address. The signer and the claimed wallet must both resolve to the same AgentScore operator.',\n wallet_auth_requires_wallet_signing:\n 'X-Wallet-Address was sent with a rail that has no wallet signature (Stripe SPT / card). Switch to X-Operator-Token, or use a wallet-signing rail (Tempo MPP, x402).',\n token_expired:\n 'The operator token is expired or revoked. A fresh verification session has been minted — visit verify_url to mint a new token.',\n invalid_credential:\n 'The operator token is not recognized. Switch to a different stored token, or drop the header to bootstrap a fresh session.',\n};\n\n// Field names the gate claims authority over. Merchant-provided `extra` (from the\n// onBeforeSession hook) MUST NOT override these — a buggy or malicious hook could\n// otherwise replace `verify_url` with a phishing URL or drop agent_instructions.\nconst RESERVED_FIELDS = new Set([\n 'error',\n 'decision',\n 'reasons',\n 'verify_url',\n 'session_id',\n 'poll_secret',\n 'poll_url',\n 'agent_instructions',\n 'agent_memory',\n 'claimed_operator',\n 'actual_signer_operator',\n 'expected_signer',\n 'actual_signer',\n 'linked_wallets',\n]);\n\nexport function denialReasonToBody(reason: DenialReason): Record<string, unknown> {\n const message = reason.message ?? DEFAULT_MESSAGES[reason.code];\n const body: Record<string, unknown> = { error: { code: reason.code, message } };\n if (reason.decision) body.decision = reason.decision;\n if (reason.reasons) body.reasons = reason.reasons;\n if (reason.verify_url) body.verify_url = reason.verify_url;\n if (reason.session_id) body.session_id = reason.session_id;\n if (reason.poll_secret) body.poll_secret = reason.poll_secret;\n if (reason.poll_url) body.poll_url = reason.poll_url;\n const instructions = reason.agent_instructions ?? DEFAULT_AGENT_INSTRUCTIONS[reason.code];\n if (instructions) body.agent_instructions = instructions;\n if (reason.agent_memory) body.agent_memory = reason.agent_memory;\n if (reason.claimed_operator) body.claimed_operator = reason.claimed_operator;\n if (reason.code === 'wallet_signer_mismatch') body.actual_signer_operator = reason.actual_signer_operator ?? null;\n if (reason.expected_signer) body.expected_signer = reason.expected_signer;\n if (reason.actual_signer) body.actual_signer = reason.actual_signer;\n if (reason.linked_wallets && reason.linked_wallets.length > 0) body.linked_wallets = reason.linked_wallets;\n if (reason.extra) {\n for (const [key, value] of Object.entries(reason.extra)) {\n if (RESERVED_FIELDS.has(key)) {\n console.warn(`[gate] onBeforeSession returned reserved field \"${key}\" — ignoring to preserve gate authority`);\n continue;\n }\n body[key] = value;\n }\n }\n return body;\n}\n","/**\n * Payment-signer extraction.\n *\n * Shared between merchants and the gate. Three paths recover a wallet signer:\n *\n * - **Tempo MPP** — `Authorization: Payment <base64>`; credential `source` is a DID of the\n * form `did:pkh:eip155:<chain>:<address>`.\n * - **Solana MPP `solana/charge`** — `Authorization: Payment <base64>`; recovery via either\n * a `did:pkh:solana:<genesis>:<address>` source (when set by the client) or by decoding\n * the credential's signed-tx payload and reading the SPL `TransferChecked` authority\n * (pull mode only — `payload.type === 'transaction'`).\n * - **x402 EIP-3009 (EVM, e.g. Base/Sepolia)** — `payment-signature` / `x-payment`;\n * decoded payload carries `payload.authorization.from`.\n *\n * Optional peer deps: `mppx` for MPP credentials, `@solana/kit` for the Solana tx-decode\n * fallback. Both dynamic-imported; merchants who don't accept that rail don't need them.\n */\n\nexport type SignerNetwork = 'evm' | 'solana';\n\nconst TOKEN_PROGRAM = 'TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA';\nconst TOKEN_2022_PROGRAM = 'TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb';\nconst TRANSFER_CHECKED_DISCRIMINATOR = 12;\n\ninterface SolanaKitMinimal {\n getBase64Codec: () => { encode: (s: string) => Uint8Array };\n getTransactionDecoder: () => { decode: (b: Uint8Array) => { messageBytes: Uint8Array } };\n getCompiledTransactionMessageDecoder: () => {\n decode: (b: Uint8Array) => {\n staticAccounts: ReadonlyArray<string>;\n instructions: ReadonlyArray<{\n programAddressIndex: number;\n accountIndices?: number[];\n data?: Uint8Array;\n }>;\n };\n };\n}\n\n/**\n * Decode a Solana MPP `solana/charge` credential's `payload.transaction` (base64-encoded\n * signed Solana tx) and return the SPL `TransferChecked` authority — the source-ATA owner,\n * which is the buyer's wallet. Pull mode only (`payload.type === 'transaction'`); push mode\n * (`payload.type === 'signature'`) returns null because recovery would require an RPC fetch.\n */\nasync function extractSolanaSignerFromCredential(credential: unknown): Promise<string | null> {\n const payload = (credential as { payload?: { transaction?: string; type?: string } }).payload;\n if (!payload?.transaction || payload.type !== 'transaction') return null;\n\n const moduleName = '@solana/kit';\n const kit = (await import(moduleName).catch(() => null)) as SolanaKitMinimal | null;\n if (!kit?.getBase64Codec || !kit.getTransactionDecoder || !kit.getCompiledTransactionMessageDecoder) {\n return null;\n }\n\n try {\n const txBytes = kit.getBase64Codec().encode(payload.transaction);\n const decoded = kit.getTransactionDecoder().decode(txBytes);\n const message = kit.getCompiledTransactionMessageDecoder().decode(decoded.messageBytes);\n\n // SPL TransferChecked accounts: [source ATA, mint, destination ATA, authority, ...signers].\n // Returns the FIRST matched authority. For multi-recipient `splits` txs, the buyer\n // signs ONE tx with N TransferChecked instructions all sharing the same authority,\n // so first-match is correct; if a tx ever surfaces with mismatched authorities the\n // first one wins (acceptable since both belong to whoever signed the tx).\n for (const ix of message.instructions) {\n const programId = message.staticAccounts[ix.programAddressIndex];\n if (programId !== TOKEN_PROGRAM && programId !== TOKEN_2022_PROGRAM) continue;\n const data = ix.data;\n if (!data || data.length === 0 || data[0] !== TRANSFER_CHECKED_DISCRIMINATOR) continue;\n const accountIndices = ix.accountIndices ?? [];\n const authorityIndex = accountIndices[3];\n if (authorityIndex === undefined) continue;\n // v0 transactions can carry account indices that resolve via address lookup tables;\n // staticAccounts only holds the static set. If the index is out of range, the\n // authority sits in a lookup table we'd need RPC to resolve. Skip cleanly with a\n // warning rather than returning the wrong address.\n if (authorityIndex >= message.staticAccounts.length) {\n console.warn(\n '[gate] Solana TransferChecked authority resolves through an address lookup table; ' +\n 'signer-match recovery requires the static-account form. Skipping.',\n );\n continue;\n }\n const authority = message.staticAccounts[authorityIndex];\n if (authority) return authority;\n }\n return null;\n } catch (err) {\n console.warn('[gate] Solana credential decode failed:', err instanceof Error ? err.message : err);\n return null;\n }\n}\n\nexport interface PaymentSigner {\n /** Recovered wallet address (EVM lowercased; Solana base58 preserved verbatim). */\n address: string;\n /** Network family — used by `captureWallet` and downstream cross-chain attribution. */\n network: SignerNetwork;\n}\n\n/**\n * Recover the signer wallet from the incoming payment credential, including the network\n * family. Returns `null` when no wallet signature is present (e.g. Stripe SPT, card-only\n * payments, or no credential yet).\n *\n * @param request - the inbound `Request`\n * @param x402PaymentHeader - the value of `payment-signature` or `x-payment` header, if any.\n * Extracted separately because some frameworks (Express) don't expose a web `Request` object.\n */\nexport async function extractPaymentSigner(\n request: Request,\n x402PaymentHeader?: string,\n): Promise<PaymentSigner | null> {\n // MPP — Authorization: Payment <base64>\n const authHeader = request.headers.get('authorization');\n if (authHeader) {\n try {\n const moduleName = 'mppx';\n const mppx = (await import(moduleName).catch(() => null)) as {\n Credential?: {\n extractPaymentScheme: (h: string) => unknown;\n fromRequest: (r: Request) => unknown;\n };\n } | null;\n if (mppx?.Credential?.extractPaymentScheme(authHeader)) {\n const credential = mppx.Credential.fromRequest(request);\n const source = (credential as { source?: string }).source;\n const evmMatch = source?.match(/^did:pkh:eip155:\\d+:(0x[0-9a-fA-F]{40})$/);\n if (evmMatch) return { address: evmMatch[1]!.toLowerCase(), network: 'evm' };\n // Solana CAIP-10: did:pkh:solana:<genesis-base58>:<address-base58>\n const solMatch = source?.match(/^did:pkh:solana:[1-9A-HJ-NP-Za-km-z]{32,44}:([1-9A-HJ-NP-Za-km-z]{32,44})$/);\n if (solMatch) return { address: solMatch[1]!, network: 'solana' };\n // Fallback: source not set by upstream client. Decode the credential's signed-tx\n // payload to find the SPL TransferChecked authority (= source-ATA owner = buyer\n // wallet). Pull mode only.\n const solanaFromTx = await extractSolanaSignerFromCredential(credential);\n if (solanaFromTx) return { address: solanaFromTx, network: 'solana' };\n }\n } catch (err) {\n console.warn('[gate] MPP signer extraction failed:', err instanceof Error ? err.message : err);\n }\n }\n\n // x402 — base64 JSON, EIP-3009 only. EVM `payload.authorization.from` is the signer.\n if (x402PaymentHeader) {\n try {\n const decoded = atob(x402PaymentHeader);\n const parsed = JSON.parse(decoded) as {\n payload?: { authorization?: { from?: string } };\n };\n const from = parsed?.payload?.authorization?.from;\n if (typeof from === 'string' && /^0x[0-9a-fA-F]{40}$/.test(from)) {\n return { address: from.toLowerCase(), network: 'evm' };\n }\n } catch (err) {\n console.warn('[gate] x402 signer extraction failed:', err instanceof Error ? err.message : err);\n }\n }\n\n return null;\n}\n\n/**\n * Headers-only variant for adapters that don't natively expose a Web Fetch `Request`\n * (Express, Fastify, ASGI-bridged frameworks). Constructs a synthetic Request carrying\n * only the `authorization` header and delegates to {@link extractPaymentSigner}. Works\n * because the MPP and x402 paths only read `request.headers.get('authorization')` and\n * the explicit `x402PaymentHeader` arg — no body, query, or method semantics needed.\n */\nexport async function extractPaymentSignerFromAuth(\n authHeader: string | null | undefined,\n x402PaymentHeader?: string,\n): Promise<PaymentSigner | null> {\n const request = new Request('http://internal.gate/', {\n headers: authHeader ? { authorization: authHeader } : {},\n });\n return extractPaymentSigner(request, x402PaymentHeader);\n}\n\n/**\n * Read the x402 payment header from a `Request`, matching the alternate names merchants might\n * use. Falls back to reading either header directly.\n */\nexport function readX402PaymentHeader(request: Request): string | undefined {\n return (\n request.headers.get('payment-signature') ??\n request.headers.get('x-payment') ??\n undefined\n );\n}\n","/**\n * Google A2A (Agent-to-Agent) v1.0 Agent Card builder.\n *\n * Compose the JSON payload for an A2A v1.0 Agent Card per the canonical proto at\n * https://github.com/a2aproject/A2A/blob/main/specification/a2a.proto. Returned object\n * is the unsigned card body — wrap with an A2A `AgentCardSignature` (RFC 7515 JWS)\n * to sign vendor-side before publishing at /.well-known/agent-card.json.\n *\n * Why publish: A2A is a Linux Foundation standard. Signed Agent Cards let any\n * A2A-compatible reader discover an agent's capabilities + protocol bindings without\n * per-platform integration. Per UCP §A2A binding, agents serving UCP via the A2A\n * transport MUST declare the canonical UCP extension URI in `capabilities.extensions[]`\n * so platforms detect UCP support without re-fetching the profile.\n *\n * Spec reference: https://a2a-protocol.org/latest/\n */\n\nconst PROTOCOL_VERSION = '1.0';\nconst DEFAULT_PROTOCOL_BINDING = 'HTTP+JSON';\nconst DEFAULT_INPUT_MODE = 'application/json';\nconst DEFAULT_OUTPUT_MODE = 'application/json';\n\n/** Canonical UCP A2A extension URI — verifiers look for this exact URI in\n * `capabilities.extensions[]` to detect UCP support on the agent card. Pinned\n * to the 2026-04-08 spec snapshot. */\nexport const UCP_A2A_EXTENSION_URI = 'https://ucp.dev/2026-04-08/specification/reference';\n\n/** Per spec §4.4.6. Each entry advertises one protocol binding the agent supports.\n * `supported_interfaces[0]` is the preferred binding (ordered list). */\nexport interface A2AAgentInterface {\n /** Interface URL (https in production). */\n url: string;\n /** Open string — core values are `JSONRPC`, `GRPC`, `HTTP+JSON`. */\n protocol_binding: string;\n /** A2A protocol version, e.g. `\"1.0\"`. Distinct from the agent's own version. */\n protocol_version: string;\n tenant?: string;\n}\n\n/** Per spec §4.4.2. The org/service that provides the agent. */\nexport interface A2AAgentProvider {\n url: string;\n organization: string;\n}\n\n/** Per spec §4.4.5. A distinct capability or function the agent performs.\n * Lives at the TOP LEVEL of AgentCard (not inside `capabilities`). */\nexport interface A2AAgentSkill {\n id: string;\n name: string;\n description: string;\n tags: string[];\n examples?: string[];\n input_modes?: string[];\n output_modes?: string[];\n}\n\n/** Per spec §4.4.4. A protocol extension the agent supports.\n * Lives in `capabilities.extensions[]`. `description` and `required` are\n * spec-mandated fields, not optional. */\nexport interface A2AAgentCardExtension {\n uri: string;\n description: string;\n required: boolean;\n params?: Record<string, unknown>;\n}\n\n/** Build the canonical UCP entry for an A2A agent card's `capabilities.extensions[]`\n * array.\n *\n * Per UCP §A2A binding: \"Businesses supporting UCP must advertise the extension and\n * any optional capabilities in their A2A Agent Card to allow platforms to activate\n * the extension.\" Pass the `capabilities` map keyed by reverse-DNS service/capability\n * name (e.g. `dev.ucp.shopping.checkout`), each value a list of `{ version }` records.\n * Pass `{}` (or omit) when you serve UCP at the discovery layer but have no formal\n * capability bindings yet.\n *\n * `required: true` declares the platform must understand UCP to interoperate with\n * this agent. Default `false`: UCP is offered but not mandatory.\n */\nexport function ucpA2AExtension(\n capabilities: Record<string, Array<{ version: string }>> = {},\n options: { required?: boolean } = {},\n): A2AAgentCardExtension {\n return {\n uri: UCP_A2A_EXTENSION_URI,\n description: 'UCP support: this agent serves Universal Commerce Protocol bindings via the A2A transport.',\n required: options.required ?? false,\n params: { capabilities },\n };\n}\n\n/** Per spec §4.4.3. Optional capabilities the agent supports.\n *\n * Per the canonical proto, `capabilities` declares: streaming, push_notifications,\n * extensions (the protocol extensions the agent supports), and extended_agent_card.\n * REST-style endpoint metadata does NOT belong here — A2A uses `supported_interfaces`\n * on the AgentCard for protocol bindings, and `skills` (top-level) for capability\n * descriptions. */\nexport interface A2AAgentCardCapabilities {\n streaming?: boolean;\n push_notifications?: boolean;\n extensions?: A2AAgentCardExtension[];\n extended_agent_card?: boolean;\n}\n\n/** Per spec §4.4.7. JWS signature embedded in an Agent Card.\n *\n * Multiple signatures MAY be attached to a single card. Verifiers reconstruct the\n * card body without `signatures` to verify each entry. Format follows RFC 7515 JSON\n * Web Signature (JWS). */\nexport interface A2AAgentCardSignature {\n /** Base64url-encoded JSON of the protected JWS header. REQUIRED. */\n protected: string;\n /** Base64url-encoded computed signature. REQUIRED. */\n signature: string;\n /** Optional unprotected JWS header values. */\n header?: Record<string, unknown>;\n}\n\n/** Per spec §4.4.1. A2A v1.0 Agent Card body.\n *\n * Per spec §4.4.7, JWS signatures may be embedded directly in the card via the\n * `signatures` field; verifiers reconstruct the card body without `signatures` and\n * verify each entry. Per-vendor identity attestation can also be expressed via a\n * vendor extension entry inside `capabilities.extensions[]`. */\nexport interface A2AAgentCard {\n name: string;\n description: string;\n /** Ordered; first entry is preferred. */\n supported_interfaces: A2AAgentInterface[];\n /** Agent's own version, e.g. `\"1.0.0\"`. Distinct from the A2A protocol version,\n * which lives on each `A2AAgentInterface.protocol_version`. */\n version: string;\n capabilities: A2AAgentCardCapabilities;\n default_input_modes: string[];\n default_output_modes: string[];\n /** Per spec §4.4.1 (proto field 12, REQUIRED): the agent must declare ≥1 skill.\n * The convenience builder `buildA2AAgentCard` enforces non-empty. */\n skills: A2AAgentSkill[];\n provider?: A2AAgentProvider;\n documentation_url?: string;\n /** Per spec §4.4.1 (proto field 14, optional): URL to an icon for the agent. */\n icon_url?: string;\n /** Per spec §4.4.1 (proto field 13, optional) + §4.4.7: JWS signatures embedded\n * in the card. Compute over the canonical card body MINUS this field, then attach. */\n signatures?: A2AAgentCardSignature[];\n security_schemes?: Record<string, unknown>;\n security_requirements?: unknown[];\n /** Vendor-specific extras merged at top level. */\n [k: string]: unknown;\n}\n\nexport interface BuildA2AAgentCardInput {\n /** Agent display name. REQUIRED. */\n name: string;\n /** Agent purpose/description. REQUIRED per spec. */\n description: string;\n /** The primary interface URL — becomes `supported_interfaces[0].url` (with\n * `protocol_binding=HTTP+JSON`, `protocol_version=1.0` by default). For\n * multi-binding agents, construct `A2AAgentCard` directly. */\n url: string;\n /** Top-level skill declarations — what the agent can do. REQUIRED per spec\n * (proto field 12 [field_behavior=REQUIRED]); must have ≥1 entry. */\n skills: A2AAgentSkill[];\n /** Agent's own version, e.g. `\"1.0.0\"`. Distinct from the A2A protocol version. */\n version?: string;\n /** A2A v1.0 capability extensions. Build the UCP entry with `ucpA2AExtension()`. */\n extensions?: A2AAgentCardExtension[];\n /** Capability flag: agent supports streaming responses. */\n streaming?: boolean;\n /** Capability flag: agent supports push notifications for async task updates. */\n push_notifications?: boolean;\n /** Capability flag: agent serves an extended (more detailed) card when authenticated. */\n extended_agent_card?: boolean;\n /** Provider org for the agent. */\n provider?: A2AAgentProvider;\n /** URL to additional human-readable documentation. */\n documentation_url?: string;\n /** URL to an icon for the agent. */\n icon_url?: string;\n /** JWS signatures embedded in the card (per spec §4.4.7). */\n signatures?: A2AAgentCardSignature[];\n /** Default input media types (defaults to `[\"application/json\"]`). */\n default_input_modes?: string[];\n /** Default output media types (defaults to `[\"application/json\"]`). */\n default_output_modes?: string[];\n /** Override the protocol binding for the auto-built primary interface (default `\"HTTP+JSON\"`). */\n protocol_binding?: string;\n /** Override the A2A protocol version for the auto-built primary interface (default `\"1.0\"`). */\n a2a_protocol_version?: string;\n /** Per-scheme security details (key = scheme name). */\n security_schemes?: Record<string, unknown>;\n /** Required security requirements for invoking the agent. */\n security_requirements?: unknown[];\n /** Vendor-specific extras merged at the card top level. */\n extras?: Record<string, unknown>;\n}\n\n/**\n * Compose an A2A v1.0 Agent Card body per the canonical proto.\n *\n * Returns the UNSIGNED card. To attach identity claims, sign the serialized body\n * as an RFC 7515 JWS (`AgentCardSignature`). Vendors can also add an identity-flavored\n * extension to `capabilities.extensions[]`.\n *\n * The single `url` argument becomes the primary `supported_interfaces[0].url`\n * (with `protocol_binding=HTTP+JSON`, `protocol_version=1.0` by default).\n *\n * Example:\n * ```ts\n * import { buildA2AAgentCard, ucpA2AExtension } from '@agent-score/commerce';\n *\n * const card = buildA2AAgentCard({\n * name: 'Example Merchant Concierge',\n * description: 'Buy regulated goods via agent payments.',\n * url: 'https://agents.example.com',\n * version: '1.0.0',\n * skills: [\n * { id: 'purchase', name: 'Purchase', description: 'Buy products via agent payments.', tags: ['commerce', 'payment'] },\n * ],\n * extensions: [ucpA2AExtension()],\n * });\n * const signed = await yourJWSSign(card);\n * ```\n */\nexport function buildA2AAgentCard(input: BuildA2AAgentCardInput): A2AAgentCard {\n if (!input.skills || input.skills.length === 0) {\n throw new Error(\n 'buildA2AAgentCard: `skills` MUST be a non-empty list. Per spec §4.4.1 (proto field 12 [field_behavior=REQUIRED]), every Agent Card must declare at least one AgentSkill. Construct A2AAgentCard directly to bypass.',\n );\n }\n\n const capabilities: A2AAgentCardCapabilities = {};\n if (input.streaming !== undefined) capabilities.streaming = input.streaming;\n if (input.push_notifications !== undefined) capabilities.push_notifications = input.push_notifications;\n if (input.extensions && input.extensions.length > 0) capabilities.extensions = input.extensions;\n if (input.extended_agent_card !== undefined) capabilities.extended_agent_card = input.extended_agent_card;\n\n const primaryInterface: A2AAgentInterface = {\n url: input.url,\n protocol_binding: input.protocol_binding ?? DEFAULT_PROTOCOL_BINDING,\n protocol_version: input.a2a_protocol_version ?? PROTOCOL_VERSION,\n };\n\n const card: A2AAgentCard = {\n name: input.name,\n description: input.description,\n supported_interfaces: [primaryInterface],\n version: input.version ?? '1.0.0',\n capabilities,\n default_input_modes: input.default_input_modes ?? [DEFAULT_INPUT_MODE],\n default_output_modes: input.default_output_modes ?? [DEFAULT_OUTPUT_MODE],\n skills: input.skills,\n };\n if (input.provider !== undefined) card.provider = input.provider;\n if (input.documentation_url !== undefined) card.documentation_url = input.documentation_url;\n if (input.icon_url !== undefined) card.icon_url = input.icon_url;\n if (input.signatures !== undefined && input.signatures.length > 0) card.signatures = input.signatures;\n if (input.security_schemes !== undefined) card.security_schemes = input.security_schemes;\n if (input.security_requirements !== undefined) card.security_requirements = input.security_requirements;\n if (input.extras) {\n for (const [k, v] of Object.entries(input.extras)) {\n card[k] = v;\n }\n }\n return card;\n}\n","/**\n * UCP (Universal Commerce Protocol) profile builder.\n *\n * Compose the JSON payload published at `/.well-known/ucp` per the UCP spec.\n * Output shape matches the spec example: top-level `{ ucp: {...}, signing_keys: [...] }`\n * envelope, with `services` / `capabilities` / `payment_handlers` as MAPs keyed by\n * reverse-DNS service / capability / handler name.\n *\n * AgentScore identity claims layer over UCP via the `sh.agentscore.identity` capability\n * (vendor-namespaced; UCP doesn't define KYC/sanctions/age/jurisdiction natively). The\n * capability extends `dev.ucp.shopping.checkout` AND `dev.ucp.shopping.cart` (multi-parent,\n * the standard pattern UCP allows for capabilities that compose multiple parents).\n *\n * The unsigned profile body returned here is what merchants publish; pass it through\n * `signUCPProfile` to attach the `agentscore-profile+jws` signature for trust-mode\n * verifiers (vendor extension; UCP itself doesn't mandate profile-body signing).\n *\n * Spec reference: https://ucp.dev/\n */\n\n\n/**\n * UCP per-element shape note: each binding interface (`UCPServiceBinding`,\n * `UCPCapabilityBinding`, `UCPPaymentHandlerBinding`) carries the canonical UCP fields\n * plus arbitrary vendor extras flat on the same object via `[k: string]: unknown`. The\n * python sibling models these as dataclasses with an explicit `extras: dict` field. Both\n * designs offer equivalent guarantees through different mechanisms.\n */\nexport interface UCPSigningKey {\n /** JWK kid (key id). */\n kid: string;\n /** JWK kty (key type) — `EC`, `RSA`, or `OKP`. */\n kty: string;\n /** JWK alg (signing algorithm) — `ES256`, `RS256`, or `EdDSA`. */\n alg?: string;\n /** JWK use, typically `sig`. */\n use?: string;\n /** JWK crv (curve) for EC / OKP keys. */\n crv?: string;\n /** JWK x / y / n / e / etc. The full key material; passed through verbatim. */\n [k: string]: unknown;\n}\n\n/**\n * Construct a UCPSigningKey from a public JWK dict (e.g. the `publicJWK` returned by\n * `generateUCPSigningKey()`). Validates required fields and rejects symmetric keys that\n * can't publicly verify a JWS in trust-mode UCP. Mirrors python's\n * `UCPSigningKey.from_jwk(public_jwk)` classmethod via the `UCPSigningKey.fromJWK`\n * static-method-style namespace export below.\n */\nfunction ucpSigningKeyFromJWKImpl(jwk: Record<string, unknown>): UCPSigningKey {\n if (!jwk || typeof jwk !== 'object') {\n throw new Error(`UCPSigningKey.fromJWK expected a non-null object; got ${typeof jwk}.`);\n }\n if (typeof jwk.kid !== 'string' || !jwk.kid) {\n throw new Error('UCPSigningKey.fromJWK: JWK missing required field `kid` (or non-string).');\n }\n if (typeof jwk.kty !== 'string' || !jwk.kty) {\n throw new Error('UCPSigningKey.fromJWK: JWK missing required field `kty` (or non-string).');\n }\n if (jwk.kty !== 'OKP' && jwk.kty !== 'EC' && jwk.kty !== 'RSA') {\n throw new Error(\n `UCPSigningKey.fromJWK: kty=${JSON.stringify(jwk.kty)} is not a supported asymmetric key type (expected OKP, EC, or RSA). Symmetric \\`oct\\` keys are rejected because they cannot publicly verify a JWS in the trust-mode UCP flow.`,\n );\n }\n if ((jwk.kty === 'EC' || jwk.kty === 'OKP') && (typeof jwk.crv !== 'string' || !jwk.crv)) {\n throw new Error(`UCPSigningKey.fromJWK: kty=${jwk.kty} requires a non-empty \\`crv\\` field (e.g., \"P-256\" for EC, \"Ed25519\" for OKP).`);\n }\n return jwk as unknown as UCPSigningKey;\n}\n\n/** Static-method-style namespace on the `UCPSigningKey` interface — mirrors python's\n * `UCPSigningKey.from_jwk(jwk)` classmethod. Use as `UCPSigningKey.fromJWK(jwk)`. */\nexport const UCPSigningKey = {\n fromJWK: ucpSigningKeyFromJWKImpl,\n};\n\n/** Transport binding — keyed under a service name (e.g., `dev.ucp.shopping`). */\nexport interface UCPServiceBinding {\n /** Spec version, YYYY-MM-DD per UCP convention. REQUIRED. */\n version: string;\n /** URL to human-readable specification. REQUIRED. */\n spec: string;\n /** Transport — `rest` / `mcp` / `a2a` / `embedded`. REQUIRED. */\n transport: 'rest' | 'mcp' | 'a2a' | 'embedded';\n /** Endpoint URL — required for rest/mcp; A2A points at the agent-card.json URL. */\n endpoint?: string;\n /** URL to JSON Schema — required for rest/mcp/embedded per spec. */\n schema?: string;\n /** Optional id for entity-instance disambiguation. */\n id?: string;\n /** Entity-specific config. */\n config?: Record<string, unknown>;\n /** Vendor-specific extras. */\n [k: string]: unknown;\n}\n\n/** Capability binding — keyed under a capability name (e.g., `dev.ucp.shopping.checkout`). */\nexport interface UCPCapabilityBinding {\n /** Capability version, YYYY-MM-DD. REQUIRED. */\n version: string;\n /** URL to human-readable specification. REQUIRED. */\n spec: string;\n /** URL to JSON Schema. REQUIRED. */\n schema: string;\n /** Optional id for entity-instance disambiguation. */\n id?: string;\n /** Entity-specific config (feature flags, callback URLs, etc). */\n config?: Record<string, unknown>;\n /** Parent capability(ies) extended — single string or array for multi-parent. */\n extends?: string | string[];\n /** Optional version requirements per UCP §6.5. */\n requires?: {\n protocol?: { min: string; max?: string };\n capabilities?: Record<string, { min: string; max?: string }>;\n };\n /** Vendor-specific extras allowed per UCP convention (e.g., the AgentScore identity\n * capability adds a vendor-namespaced policy declaration here). */\n [k: string]: unknown;\n}\n\n/** Payment handler binding — keyed under a handler reverse-DNS name (e.g., `com.google.pay`). */\nexport interface UCPPaymentHandlerBinding {\n /** Handler instance id (short, human-readable, e.g., `gpay`, `tempo`, `x402`). REQUIRED. */\n id: string;\n /** Handler spec version, YYYY-MM-DD. REQUIRED. */\n version: string;\n /** URL to handler spec. REQUIRED. */\n spec: string;\n /** URL to handler config schema. REQUIRED. */\n schema: string;\n /** Available instruments — type + per-type constraints (cards, wallets, etc.). */\n available_instruments?: Array<{ type: string; constraints?: Record<string, unknown>; [k: string]: unknown }>;\n /** Handler config — gateway IDs, merchant IDs, public keys, etc. */\n config?: Record<string, unknown>;\n /** Vendor-specific extras. */\n [k: string]: unknown;\n}\n\n/** UCP body — nested under the `ucp` key of the published profile. */\nexport interface UCPProfileBody {\n /** UCP spec version (YYYY-MM-DD). */\n version: string;\n /** Display name for the merchant / agent surface. */\n name?: string;\n /** Services — keyed by service name (e.g., `dev.ucp.shopping`). Each value is an\n * array of transport bindings (one merchant typically advertises multiple transports\n * under one service name). */\n services: Record<string, UCPServiceBinding[]>;\n /** Capabilities — keyed by capability name (e.g., `dev.ucp.shopping.checkout`). */\n capabilities: Record<string, UCPCapabilityBinding[]>;\n /** Payment handlers — keyed by handler reverse-DNS name (e.g., `com.google.pay`). */\n payment_handlers: Record<string, UCPPaymentHandlerBinding[]>;\n /** Optional `supported_versions` map linking historical version-specific profile URLs.\n * Pattern: `{ \"2026-01-23\": \"https://merchant/.well-known/ucp/2026-01-23\", ... }`. */\n supported_versions?: Record<string, string>;\n /** Vendor-specific extras inside the `ucp` envelope. */\n [k: string]: unknown;\n}\n\n/** Full UCP profile body as published at `/.well-known/ucp`. Top-level shape:\n * `{ ucp: {...}, signing_keys: [...], signature?: \"...\" }`. */\nexport interface UCPProfile {\n /** UCP body. ALL UCP-spec fields nest here per spec. */\n ucp: UCPProfileBody;\n /** JWKS — public keys at the OUTER level per UCP spec. Verifiers fetch this profile,\n * match the kid from a JWS / RFC 9421 signature header against this list, and validate. */\n signing_keys: UCPSigningKey[];\n /** Set when JWS-signed via `signUCPProfile` — JWS Compact Serialization with detached\n * payload (header..signature; payload is the canonicalized body minus this field). */\n signature?: string;\n /** Top-level vendor-specific extras (outside the `ucp` envelope). */\n [k: string]: unknown;\n}\n\nexport interface BuildUCPProfileInput {\n /** UCP spec version. Default `'2026-04-08'` (the latest published UCP spec date). MUST match a published UCP spec version, not a free-form date. */\n version?: string;\n /** Display name for the merchant / agent surface. */\n name?: string;\n /** Services map, keyed by service name. UCP-shopping merchants typically advertise\n * bindings under `'dev.ucp.shopping'`. */\n services?: Record<string, UCPServiceBinding[]>;\n /** Capabilities map, keyed by capability name. The `sh.agentscore.identity` capability\n * is auto-added when `agentscore_gate` is provided. */\n capabilities?: Record<string, UCPCapabilityBinding[]>;\n /** Payment handlers map, keyed by handler reverse-DNS name. */\n payment_handlers?: Record<string, UCPPaymentHandlerBinding[]>;\n /** JWKS — public keys the merchant signs with. REQUIRED by spec. */\n signing_keys: UCPSigningKey[];\n /** Merchant gate policy declaration. When provided, the SDK auto-injects an\n * `sh.agentscore.identity` capability binding into `capabilities`, with the\n * policy as the binding's `config`. Static merchant declaration only — no\n * per-operator data ever ends up on the public profile. Per-operator identity\n * attestation lives on the AP2 risk-signal endpoint, not here. */\n agentscore_gate?: AgentScoreGatePolicy;\n /** Optional override for the AgentScore capability schema URL. Field is snake_cased\n * for cross-language parity with the Python sibling. */\n agentscore_schema_url?: string;\n /** Optional override for the AgentScore capability spec URL. */\n agentscore_spec_url?: string;\n /** `supported_versions` map at the profile root for backwards-compat across\n * spec dates. Pattern: `{ \"<date>\": \"<base>/.well-known/ucp/<date>\" }`. */\n supported_versions?: Record<string, string>;\n /** Vendor-specific extras at the OUTER level (alongside `ucp` + `signing_keys`). */\n extras?: Record<string, unknown>;\n /** Vendor-specific extras INSIDE the `ucp` envelope (alongside `version`, `services`, etc.). */\n ucp_extras?: Record<string, unknown>;\n}\n\nconst DEFAULT_VERSION = '2026-04-08';\n// Reverse-DNS namespacing per UCP convention (`^[a-z][a-z0-9]*(?:\\.[a-z][a-z0-9_]*)+$`).\n// The bare `agentscore-identity` form fails the spec regex; vendor-namespacing under\n// `sh.agentscore` is honest about the capability being our extension, not UCP-canonical.\nconst AGENTSCORE_CAPABILITY_NAME = 'sh.agentscore.identity';\n// Date-format version per UCP convention (matches every other binding's version field).\nconst AGENTSCORE_CAPABILITY_VERSION = '2026-04-08';\n\n/** Merchant gate policy declared on the UCP profile via `sh.agentscore.identity` capability config.\n * All fields optional; merchant declares which AgentScore checks the gate enforces. Snake-case\n * field names match the AgentScore API's `/v1/assess` policy contract verbatim — no conversion\n * layer between this declaration and what the gate actually enforces at runtime. */\nexport interface AgentScoreGatePolicy {\n /** Gate denies if the operator/account behind the agent is not Stripe-Identity-verified. */\n require_kyc?: boolean;\n /** Gate denies if the operator/account is flagged by OpenSanctions screening. */\n require_sanctions_clear?: boolean;\n /** Gate denies if the verified age (from KYC) is below this threshold. Common values: 18, 21. */\n min_age?: number;\n /** ISO-3166-1 alpha-2 country codes the gate accepts. Empty/absent allows any. Mutually exclusive\n * with `blocked_jurisdictions` (set one or the other, not both). */\n allowed_jurisdictions?: string[];\n /** ISO-3166-1 alpha-2 country codes the gate denies. Empty/absent denies none. Mutually exclusive\n * with `allowed_jurisdictions`. */\n blocked_jurisdictions?: string[];\n}\nconst AGENTSCORE_DEFAULT_SPEC_URL = 'https://agentscore.sh/specification/identity';\nconst AGENTSCORE_DEFAULT_SCHEMA_URL = 'https://agentscore.sh/schemas/ucp/sh-agentscore-identity-v1.json';\n// Multi-parent extension — `sh.agentscore.identity` declares merchant policy relevant at\n// both checkout-build (compliance gate) and cart-build (price-gate eligibility, jurisdiction-\n// restricted items in cart) time, so an agent reading either parent capability picks up the\n// policy contract. Mirrors the multi-parent convention in the live ecosystem\n// (Shopify's `dev.shopify.catalog.storefront` extends both `catalog.search` and\n// `catalog.lookup`; UCP-canonical `dev.ucp.shopping.discount` extends both checkout and cart).\nconst AGENTSCORE_EXTENDS = ['dev.ucp.shopping.checkout', 'dev.ucp.shopping.cart'];\n\nconst RESERVED_TOP_LEVEL = new Set([\n 'ucp',\n 'signing_keys',\n 'signature',\n '__proto__',\n 'constructor',\n 'prototype',\n]);\nconst RESERVED_UCP_FIELDS = new Set([\n 'version',\n 'name',\n 'services',\n 'capabilities',\n 'payment_handlers',\n 'supported_versions',\n '__proto__',\n 'constructor',\n 'prototype',\n]);\n\n/**\n * Compose a UCP profile body for `/.well-known/ucp` publication. Returns the spec-\n * compliant shape: `{ ucp: { version, services, capabilities, payment_handlers, ... },\n * signing_keys: [...] }`. Pass through `signUCPProfile` to attach a JWS signature for\n * trust-mode verifiers.\n *\n * Auto-injects `sh.agentscore.identity` as a vendor capability extending both\n * `dev.ucp.shopping.checkout` and `dev.ucp.shopping.cart` when `agentscore_gate`\n * is provided. The capability's `config` carries the merchant's static gate\n * policy declaration (require_kyc / require_sanctions_clear / min_age /\n * allowed_jurisdictions / blocked_jurisdictions). NO per-operator data is ever\n * placed on the public profile — per-operator identity attestation flows through\n * the AP2 risk-signal endpoint, not here.\n *\n * Example:\n * ```ts\n * import { buildUCPProfile } from '@agent-score/commerce';\n *\n * const profile = buildUCPProfile({\n * name: 'Example Merchant',\n * services: {\n * 'dev.ucp.shopping': [\n * { version: '2026-04-08', spec: 'https://ucp.dev/2026-04-08/specification/overview',\n * transport: 'mcp', endpoint: 'https://merchant.example/api/ucp/mcp',\n * schema: 'https://ucp.dev/services/shopping/mcp.openrpc.json' },\n * ],\n * },\n * payment_handlers: {\n * ...mppPaymentHandler({ networks: [{ network: 'tempo-mainnet', chain_id: 4217, recipient: TEMPO_ADDR }] }),\n * },\n * signing_keys: [signingKey],\n * agentscore_gate: { require_kyc: true, min_age: 21, allowed_jurisdictions: ['US'] },\n * });\n * ```\n */\nexport function buildUCPProfile(input: BuildUCPProfileInput): UCPProfile {\n // Per UCP spec service.json: rest/mcp/a2a transports REQUIRE endpoint;\n // embedded does not. Validate caller-supplied services so a misconfigured\n // profile fails locally instead of being rejected by spec-strict platforms.\n for (const [name, bindings] of Object.entries(input.services ?? {})) {\n for (const binding of bindings) {\n if (\n (binding.transport === 'rest' || binding.transport === 'mcp' || binding.transport === 'a2a')\n && (binding.endpoint === undefined || binding.endpoint === null || binding.endpoint === '')\n ) {\n throw new Error(\n `buildUCPProfile: service \"${name}\" transport=${binding.transport} requires \\`endpoint\\`. Per UCP spec service.json business_schema, rest/mcp/a2a bindings MUST carry an endpoint URL.`,\n );\n }\n }\n }\n\n // Per UCP spec payment_handler.json: available_instruments has minItems:1.\n // Deep-copy each binding and drop available_instruments when empty so a caller\n // passing `[]` doesn't ship an invalid profile.\n const paymentHandlers: Record<string, UCPPaymentHandlerBinding[]> = {};\n for (const [name, bindings] of Object.entries(input.payment_handlers ?? {})) {\n paymentHandlers[name] = bindings.map((binding) => {\n if (Array.isArray(binding.available_instruments) && binding.available_instruments.length === 0) {\n const { available_instruments: _drop, ...rest } = binding;\n return rest as UCPPaymentHandlerBinding;\n }\n return binding;\n });\n }\n\n // Deep-clone the capabilities map so we can safely mutate (auto-add the AgentScore\n // identity capability) without altering the caller's input.\n const capabilities: Record<string, UCPCapabilityBinding[]> = {};\n for (const [name, bindings] of Object.entries(input.capabilities ?? {})) {\n capabilities[name] = [...bindings];\n }\n\n // Auto-inject `sh.agentscore.identity` capability when the merchant declares a gate\n // policy. Static merchant-policy declaration only — no per-operator data on the public\n // profile. Per-operator identity attestation flows through the AP2 risk-signal endpoint\n // or per-request 4xx response bodies, not here.\n if (input.agentscore_gate) {\n const gateConfig = { ...input.agentscore_gate };\n const agentscoreBinding: UCPCapabilityBinding = {\n version: AGENTSCORE_CAPABILITY_VERSION,\n spec: input.agentscore_spec_url ?? AGENTSCORE_DEFAULT_SPEC_URL,\n schema: input.agentscore_schema_url ?? AGENTSCORE_DEFAULT_SCHEMA_URL,\n extends: AGENTSCORE_EXTENDS,\n };\n // Omit `config` when empty so node + python emit byte-identical canonical output\n // (python's UCPCapabilityBinding.to_dict already drops empty config).\n if (Object.keys(gateConfig).length > 0) agentscoreBinding.config = gateConfig;\n const existing = capabilities[AGENTSCORE_CAPABILITY_NAME];\n if (existing) existing.push(agentscoreBinding);\n else capabilities[AGENTSCORE_CAPABILITY_NAME] = [agentscoreBinding];\n }\n\n const ucp: UCPProfileBody = {\n version: input.version ?? DEFAULT_VERSION,\n services: input.services ?? {},\n capabilities,\n payment_handlers: paymentHandlers,\n };\n if (input.name !== undefined) ucp.name = input.name;\n if (input.supported_versions !== undefined) ucp.supported_versions = input.supported_versions;\n if (input.ucp_extras) {\n for (const k of Object.keys(input.ucp_extras)) {\n if (RESERVED_UCP_FIELDS.has(k)) {\n throw new Error(`buildUCPProfile: ucp_extras key \"${k}\" collides with a reserved \\`ucp\\` field; rejected.`);\n }\n }\n Object.assign(ucp, input.ucp_extras);\n }\n\n const profile: UCPProfile = {\n ucp,\n signing_keys: input.signing_keys,\n };\n if (input.extras) {\n // `__proto__`, `constructor`, `prototype` reserved so vendor extras can't slip\n // prototype-pollution payloads into the canonical body.\n for (const k of Object.keys(input.extras)) {\n if (RESERVED_TOP_LEVEL.has(k)) {\n throw new Error(`buildUCPProfile: extras key \"${k}\" collides with a reserved profile field; rejected.`);\n }\n }\n Object.assign(profile, input.extras);\n }\n\n return profile;\n}\n\nexport const AGENTSCORE_UCP_CAPABILITY = AGENTSCORE_CAPABILITY_NAME;\n\n// ─── Payment handler builders ─────────────────────────────────────────────\n// Vendors compose UCP `payment_handlers` blocks by spreading these helpers.\n// The helpers fill in id/version/spec/schema/config wrapper so vendors only\n// supply merchant-specific data (networks + recipients + profile_id).\n//\n// payment_handlers: {\n// ...mppPaymentHandler({ networks: [...] }),\n// ...x402PaymentHandler({ networks: [...] }),\n// ...stripeSptPaymentHandler({ profile_id: '...' }),\n// }\n//\n// Each helper returns `{ [reverse-DNS-key]: [binding] }` so spreading into\n// the parent map composes cleanly. The reverse-DNS keys + spec/schema URLs\n// + handler `version` are owned by these constants; bumping a handler spec\n// version is a one-line change here, not 20 lines across consumers.\n\nconst HANDLER_VERSION = '2026-04-08';\nconst SPEC_BASE = 'https://agentscore.sh/specification/payment-handlers';\nconst SCHEMA_BASE = 'https://agentscore.sh/schemas/payment-handlers';\n\ntype MppNetwork =\n | 'tempo-mainnet'\n | 'tempo-testnet'\n | 'mpp-solana-mainnet'\n | 'mpp-solana-devnet'\n | (string & {}); // open for forward-compat (mpp-stellar-pubnet, mpp-lightning-mainnet, …)\n\nexport interface MppNetworkEntry {\n network: MppNetwork;\n /** EVM-style chain id (e.g. 4217 for Tempo mainnet). Omit for non-EVM networks. */\n chain_id?: number;\n /** Static settlement address. Omit for per-order recipients (e.g. Stripe-derived deposits). */\n recipient?: string;\n [k: string]: unknown;\n}\n\nexport interface MppPaymentHandlerInput {\n networks: MppNetworkEntry[];\n}\n\ntype X402Network =\n | `base-${number}`\n | 'solana-mainnet-beta'\n | 'solana-devnet'\n | 'stellar-pubnet'\n | 'stellar-testnet'\n | (string & {});\n\nexport interface X402NetworkEntry {\n network: X402Network;\n /** Static settlement address. Omit for per-order recipients. */\n recipient?: string;\n [k: string]: unknown;\n}\n\nexport interface X402PaymentHandlerInput {\n networks: X402NetworkEntry[];\n}\n\nexport interface StripeSptPaymentHandlerInput {\n /** Stripe profile id (the merchant-side network identifier the agent's SPT is scoped to). */\n profile_id: string;\n}\n\n/**\n * Build the `sh.agentscore.payment.mpp` payment handler block for a UCP profile.\n *\n * @example\n * ```ts\n * buildUCPProfile({\n * ...,\n * payment_handlers: {\n * ...mppPaymentHandler({ networks: [{ network: 'tempo-mainnet', chain_id: 4217 }] }),\n * },\n * });\n * ```\n */\nexport function mppPaymentHandler(input: MppPaymentHandlerInput): Record<string, UCPPaymentHandlerBinding[]> {\n return {\n 'sh.agentscore.payment.mpp': [{\n id: 'mpp',\n version: HANDLER_VERSION,\n spec: `${SPEC_BASE}/mpp`,\n schema: `${SCHEMA_BASE}/mpp.json`,\n config: { networks: input.networks },\n }],\n };\n}\n\n/**\n * Build the `sh.agentscore.payment.x402` payment handler block for a UCP profile.\n *\n * @example\n * ```ts\n * buildUCPProfile({\n * ...,\n * payment_handlers: {\n * ...x402PaymentHandler({ networks: [{ network: 'base-8453', recipient: '0xabc...' }] }),\n * },\n * });\n * ```\n */\nexport function x402PaymentHandler(input: X402PaymentHandlerInput): Record<string, UCPPaymentHandlerBinding[]> {\n return {\n 'sh.agentscore.payment.x402': [{\n id: 'x402',\n version: HANDLER_VERSION,\n spec: `${SPEC_BASE}/x402`,\n schema: `${SCHEMA_BASE}/x402.json`,\n config: { networks: input.networks },\n }],\n };\n}\n\n/**\n * Build the `sh.agentscore.payment.stripe_spt` payment handler block for a UCP profile.\n *\n * @example\n * ```ts\n * buildUCPProfile({\n * ...,\n * payment_handlers: {\n * ...stripeSptPaymentHandler({ profile_id: 'profile_5xKvNqM9BaH' }),\n * },\n * });\n * ```\n */\nexport function stripeSptPaymentHandler(input: StripeSptPaymentHandlerInput): Record<string, UCPPaymentHandlerBinding[]> {\n return {\n 'sh.agentscore.payment.stripe_spt': [{\n id: 'stripe-spt',\n version: HANDLER_VERSION,\n spec: `${SPEC_BASE}/stripe_spt`,\n schema: `${SCHEMA_BASE}/stripe_spt.json`,\n config: { rail: 'stripe-spt', profile_id: input.profile_id },\n }],\n };\n}\n","/**\n * UCP profile signing helpers (JWKS + JWS).\n *\n * UCP §6 (https://ucp.dev/latest/specification/signatures/) requires that profiles\n * published at `/.well-known/ucp` carry a JWKS-backed signature for trust-mode clients\n * (Google AI Mode, Gemini commerce, future ChatGPT app shells). Without a signature,\n * trust-mode clients reject the profile.\n *\n * This module provides:\n * - `generateUCPSigningKey()` — generate an Ed25519 keypair for signing\n * - `signUCPProfile()` — sign a UCP profile body, returning a JWS-attached envelope\n * - `verifyUCPProfile()` — verify a signed profile against a JWKS\n * - `buildJWKSResponse()` — assemble a JWKS document for `/.well-known/jwks.json`\n *\n * Implementation rides on `jose` (peer-dep, optional). Merchants who don't sign their\n * profile (development) skip this module entirely; the unsigned `buildUCPProfile()`\n * path still works.\n *\n * Why Ed25519: smaller signatures (64 bytes vs 256+ for RSA), faster verification, no\n * curve-parameter ceremony. UCP also accepts ES256 (P-256 ECDSA) — pass `alg: 'ES256'`\n * to `signUCPProfile()` if your existing payment signing key is P-256.\n */\n\nimport type { UCPProfile, UCPSigningKey } from './ucp';\n\n/** Output of `generateUCPSigningKey()`. The private key is what you sign with; the\n * public JWK is what you publish at `/.well-known/jwks.json` and reference in the\n * UCP profile's `signing_keys[]`.\n */\nexport interface GeneratedUCPKey {\n /** Private key (KeyLike, opaque) — pass to `signUCPProfile()`. Never publish. */\n privateKey: unknown;\n /** Public key as JWK — publish at `/.well-known/jwks.json` and inline in UCP `signing_keys[]`. */\n publicJWK: UCPSigningKey;\n}\n\n/** A JWKS document — `{ keys: [...] }` per RFC 7517. Serve at `/.well-known/jwks.json`. */\nexport interface JWKSResponse {\n keys: UCPSigningKey[];\n}\n\n/** Options for `signUCPProfile()`. */\nexport interface SignUCPProfileOptions {\n /** Private signing key — opaque KeyLike from `generateUCPSigningKey()` or `importJWK()`. */\n signingKey: unknown;\n /** Key ID (must match a `kid` in the profile's `signing_keys[]`). */\n kid: string;\n /** Signing algorithm — `EdDSA` (default) or `ES256`. */\n alg?: 'EdDSA' | 'ES256';\n}\n\n/** A signed UCP profile envelope. Same shape as `UCPProfile` plus the `signature` field\n * carrying the JWS Compact Serialization over the canonicalized profile body. */\nexport interface SignedUCPProfile extends UCPProfile {\n /** JWS Compact Serialization (`<header>.<payload>.<signature>`) over the profile body\n * with `signature` removed and keys sorted. Verifiers reconstruct the canonical body\n * and validate against the JWK identified by `kid` in the JWS protected header. */\n signature: string;\n}\n\nconst JOSE_INSTALL_HINT = 'Install the optional peer dependency: `npm install jose@^6` (or `bun add jose`). Tested against jose v6.x.';\n\n/** UCP §6 + RFC 8725 §3.1 — restrict accepted JWS algorithms. Anything outside this\n * list (HS, RS, none, etc.) is rejected to prevent alg-confusion attacks where a\n * hostile JWK published in the profile's signing_keys[] is used with an unintended\n * algorithm. */\nconst ALLOWED_ALGS = ['EdDSA', 'ES256'] as const;\ntype AllowedAlg = (typeof ALLOWED_ALGS)[number];\n\n/** JWS protected header `typ` value. Vendor-namespaced because UCP §6 does not define\n * a profile-as-JWS typ; the value advertises that this signed envelope follows the\n * AgentScore extension semantics rather than a UCP-canonical signing convention.\n * Verifiers SHOULD enforce this to prevent cross-protocol token reuse (RFC 8725 §3.11). */\nconst PROFILE_TYP = 'agentscore-profile+jws';\n\n/** Discriminated error class so consumers can branch on failure mode without\n * parsing message strings or importing jose internals. */\nexport class UCPVerificationError extends Error {\n constructor(\n public readonly code:\n | 'no_signature'\n | 'missing_kid'\n | 'kid_not_found'\n | 'duplicate_kid'\n | 'unsupported_alg'\n | 'wrong_typ'\n | 'signature_invalid'\n | 'body_mismatch'\n | 'malformed_jws'\n | 'malformed_jwks'\n | 'unrecognized_critical_header'\n | 'unusable_key',\n message: string,\n ) {\n super(message);\n this.name = 'UCPVerificationError';\n }\n}\n\nasync function loadJose(): Promise<typeof import('jose')> {\n try {\n return await import('jose');\n } catch (err) {\n throw new Error(\n `UCP signing requires the \\`jose\\` library, which is an optional peer dependency. ${JOSE_INSTALL_HINT}\\nOriginal error: ${err instanceof Error ? err.message : String(err)}`,\n );\n }\n}\n\n/**\n * Canonicalize a UCP profile for signing. Removes the `signature` field (if present),\n * sorts keys deterministically, and returns the JSON string. Both signer and verifier\n * compute the same bytes.\n *\n * Implementation note: UCP §6.2 specifies \"the JSON-serialized profile body, with\n * `signature` removed and keys ordered lexicographically at every nesting level.\" This\n * is JCS-style canonicalization without the full RFC 8785 numeric handling — UCP\n * profiles don't contain floats so the simpler key-sort is sufficient.\n */\nfunction canonicalizeProfile(profile: UCPProfile): string {\n const stripped = { ...profile } as Record<string, unknown>;\n delete stripped.signature;\n return stableStringify(stripped);\n}\n\n/** Deterministic JSON.stringify with lexicographic key ordering at every level.\n * Rejects ANY non-finite Number (NaN, Infinity, -Infinity) and any Number\n * whose value has a fractional part OR whose JSON representation may diverge\n * cross-language. Cross-language float canonicalization (RFC 8785 §3.2.2.3)\n * is not stable between Node's JSON.stringify and Python's json.dumps\n * (e.g. `1.0` → `1` vs `1.0`, `1e-7` → `1e-7` vs `1e-07`). UCP profiles\n * must use decimal strings for monetary or fractional fields to preserve\n * byte parity with the Python sibling. */\nfunction stableStringify(value: unknown): string {\n if (value === undefined) {\n throw new Error(\n 'stableStringify: undefined values are not allowed in canonicalized JSON. ' +\n 'Object fields with no value must be omitted.',\n );\n }\n if (typeof value === 'function' || typeof value === 'symbol') {\n throw new Error(`stableStringify: ${typeof value} values are not allowed in canonicalized JSON.`);\n }\n if (typeof value === 'bigint') {\n throw new Error('stableStringify: BigInt values are not allowed; use a decimal string.');\n }\n if (value instanceof Date) {\n throw new Error(\n 'stableStringify: Date instances are not allowed; serialize to an ISO string before passing.',\n );\n }\n if (value instanceof Map || value instanceof Set || value instanceof WeakMap || value instanceof WeakSet) {\n throw new Error(\n `stableStringify: ${value.constructor.name} values are not allowed; convert to a plain object/array first.`,\n );\n }\n if (ArrayBuffer.isView(value)) {\n throw new Error('stableStringify: typed arrays are not allowed; convert to a plain array first.');\n }\n if (typeof value === 'number') {\n if (!Number.isFinite(value)) {\n throw new Error(\n `UCP profile canonicalization rejects non-finite Number ${value}. Use a decimal string for any value that may be NaN/Infinity.`,\n );\n }\n if (!Number.isInteger(value)) {\n throw new Error(\n `UCP profile canonicalization rejects non-integer Number ${value}. Use a decimal string (e.g. \"9.99\") for monetary or fractional fields to preserve cross-language byte-parity.`,\n );\n }\n if (!Number.isSafeInteger(value)) {\n throw new Error(\n `stableStringify: integer ${value} exceeds Number.MAX_SAFE_INTEGER. ` +\n 'For values >2^53, use a decimal string to preserve cross-language byte parity.',\n );\n }\n }\n if (typeof value === 'string') {\n // Cross-language byte parity: pre-ES2019 V8 (and any environment whose\n // JSON.stringify still escapes U+2028 / U+2029) emits \\u2028 / \\u2029\n // for these codepoints, while Python's json.dumps with ensure_ascii=False\n // emits them raw. A string carrying either would canonicalize to different\n // bytes across the Node and Python siblings and break signature\n // verification at the language boundary. Mirror the rejection in\n // core/api/src/lib/canonicalize.ts so the contract stays symmetric.\n if (value.includes('\\u2028') || value.includes('\\u2029')) {\n throw new Error(\n 'stableStringify: strings containing U+2028 (LINE SEPARATOR) or U+2029 (PARAGRAPH SEPARATOR) are not allowed; cross-language byte parity requires neither be present (Node JSON.stringify on older V8 escapes them; Python json.dumps with ensure_ascii=False does not).',\n );\n }\n return JSON.stringify(value);\n }\n if (value === null || typeof value !== 'object') return JSON.stringify(value);\n if (Array.isArray(value)) return `[${value.map(stableStringify).join(',')}]`;\n const obj = value as Record<string, unknown>;\n const keys = Object.keys(obj).sort((a, b) => {\n const aPoints = [...a].map((c) => c.codePointAt(0)!);\n const bPoints = [...b].map((c) => c.codePointAt(0)!);\n const len = Math.min(aPoints.length, bPoints.length);\n for (let i = 0; i < len; i += 1) {\n if (aPoints[i] !== bPoints[i]) return aPoints[i] - bPoints[i];\n }\n return aPoints.length - bPoints.length;\n });\n // Cross-language byte parity: same rejection rationale as the string-value\n // branch above. Object keys flow through JSON.stringify(k) at the pairs line\n // below, so without this check a key carrying U+2028 / U+2029 would pass on\n // modern V8 but Python's _reject_unsafe_numbers (which recurses into dict\n // keys) would throw at verify time.\n for (const k of keys) {\n if (k.includes('
') || k.includes('
')) {\n throw new Error(\n 'stableStringify: object keys containing U+2028 (LINE SEPARATOR) or U+2029 (PARAGRAPH SEPARATOR) are not allowed; cross-language byte parity (Node JSON.stringify on older V8 escapes them; Python json.dumps with ensure_ascii=False does not).',\n );\n }\n }\n const pairs = keys.map((k) => `${JSON.stringify(k)}:${stableStringify(obj[k])}`);\n return `{${pairs.join(',')}}`;\n}\n\n/**\n * Generate a fresh Ed25519 (default) or ES256 keypair for signing UCP profiles.\n *\n * The `privateKey` is an opaque KeyLike — store it server-side and pass to\n * `signUCPProfile()`. Never log or transmit the private key.\n *\n * The `publicJWK` is what you publish at `/.well-known/jwks.json` and inline in the\n * UCP profile's `signing_keys[]` array.\n *\n * Example:\n * ```ts\n * import { generateUCPSigningKey } from '@agent-score/commerce';\n *\n * const { privateKey, publicJWK } = await generateUCPSigningKey({ kid: 'merchant-2026-05' });\n * // Persist privateKey securely (env var, KMS, secret manager).\n * // Publish publicJWK at /.well-known/jwks.json and reference it in your UCP profile.\n * ```\n */\nexport async function generateUCPSigningKey(opts: {\n /** Key ID (kid). Must be unique per key; you'll reference this in the UCP profile's `signing_keys[]`. */\n kid: string;\n /** Signing algorithm. Default `EdDSA`. */\n alg?: 'EdDSA' | 'ES256';\n}): Promise<GeneratedUCPKey> {\n const jose = await loadJose();\n const alg = opts.alg ?? 'EdDSA';\n const { privateKey, publicKey } = await jose.generateKeyPair(alg, { extractable: true });\n const exportedJwk = await jose.exportJWK(publicKey);\n\n const publicJWK: UCPSigningKey = {\n kid: opts.kid,\n alg,\n use: 'sig',\n ...exportedJwk,\n } as UCPSigningKey;\n\n return { privateKey, publicJWK };\n}\n\n/**\n * Sign a UCP profile, returning a new envelope with the JWS attached as `signature`.\n *\n * The signature covers the canonicalized profile body (everything except `signature`\n * itself, with keys sorted at every level). Trust-mode UCP verifiers reconstruct the\n * canonical body, look up the key referenced by the JWS header's `kid`, and validate.\n *\n * The profile's `signing_keys[]` MUST already include a JWK with the matching `kid`\n * — otherwise verifiers can't find the public key. Add the `publicJWK` from\n * `generateUCPSigningKey()` to your `signing_keys[]` before calling this.\n *\n * Example:\n * ```ts\n * const profile = buildUCPProfile({ ..., signing_keys: [publicJWK] });\n * const signed = await signUCPProfile(profile, { signingKey: privateKey, kid: 'merchant-2026-05' });\n * c.json(signed);\n * ```\n */\nexport async function signUCPProfile(\n profile: UCPProfile,\n opts: SignUCPProfileOptions,\n): Promise<SignedUCPProfile> {\n const jose = await loadJose();\n const alg = opts.alg ?? 'EdDSA';\n\n if (!ALLOWED_ALGS.includes(alg as AllowedAlg)) {\n throw new Error(\n `signUCPProfile: alg ${JSON.stringify(opts.alg)} is not in the supported set [${ALLOWED_ALGS.join(', ')}].`,\n );\n }\n\n // Sign-time kid sanity check: the profile's `signing_keys[]` MUST contain a\n // JWK with the matching kid; otherwise verifiers can't resolve the public\n // key and the profile is dead-on-arrival. Catch this at sign-time rather\n // than at verifier-time in production.\n if (typeof opts.kid !== 'string' || !opts.kid) {\n throw new Error('signUCPProfile: opts.kid must be a non-empty string.');\n }\n const kids = (profile.signing_keys ?? []).map((k) => (k as Record<string, unknown>).kid);\n if (!kids.includes(opts.kid)) {\n throw new Error(\n `signUCPProfile: kid ${JSON.stringify(opts.kid)} is not present in profile.signing_keys[] (declared kids: ${JSON.stringify(kids)}). Verifiers will not find the key.`,\n );\n }\n\n const canonicalBody = canonicalizeProfile(profile);\n const payloadBytes = new TextEncoder().encode(canonicalBody);\n\n const signature = await new jose.CompactSign(payloadBytes)\n .setProtectedHeader({ alg, kid: opts.kid, typ: PROFILE_TYP })\n .sign(opts.signingKey as Parameters<typeof jose.CompactSign.prototype.sign>[0]);\n\n return { ...profile, signature };\n}\n\n/**\n * Verify a signed UCP profile against a JWKS. Returns `true` when the JWS validates\n * against a matching key in `jwks`; throws on signature mismatch, missing key, or\n * canonicalization drift.\n *\n * Round-trip helper for tests and for cross-merchant verification flows. Trust-mode\n * UCP clients use the same algorithm.\n *\n * Example:\n * ```ts\n * const ok = await verifyUCPProfile(signedProfile, { keys: [publicJWK] });\n * ```\n */\nexport async function verifyUCPProfile(\n profile: SignedUCPProfile,\n jwks: JWKSResponse,\n): Promise<boolean> {\n if (profile === null || typeof profile !== 'object' || Array.isArray(profile)) {\n throw new UCPVerificationError(\n 'no_signature',\n `UCP profile must be a JSON object; got ${profile === null ? 'null' : Array.isArray(profile) ? 'array' : typeof profile}.`,\n );\n }\n\n const jose = await loadJose();\n\n // JWKS shape guard so a malformed argument emits a typed UCPVerificationError\n // rather than a raw TypeError on `.filter is not a function`.\n if (!jwks || typeof jwks !== 'object' || !Array.isArray((jwks as { keys?: unknown }).keys)) {\n throw new UCPVerificationError(\n 'malformed_jwks',\n `UCP verifier expected JWKS shape { keys: [...] }; got ${jwks === null ? 'null' : typeof jwks === 'object' ? 'object without keys[] array' : typeof jwks}.`,\n );\n }\n\n const stripped = { ...profile } as Partial<SignedUCPProfile>;\n const sig = stripped.signature;\n delete stripped.signature;\n if (typeof sig !== 'string' || !sig) {\n throw new UCPVerificationError(\n 'no_signature',\n `UCP profile signature must be a non-empty string; got ${sig === undefined ? 'undefined' : typeof sig}.`,\n );\n }\n\n // Pre-decode the protected header so typ → alg → kid → crit checks run BEFORE\n // jose's compactVerify. jose enforces `crit` internally ahead of the key-resolver\n // callback, which would surface `unrecognized_critical_header` on a JWS that\n // also has a wrong typ; the python-commerce sibling's `_peek_jws_header` decodes\n // the header manually and checks typ first. Mirroring that ordering here means\n // a JWS with multiple header faults emits the same `code` in both SDKs.\n let header: { alg?: unknown; kid?: unknown; typ?: unknown; crit?: unknown };\n try {\n const protectedB64 = sig.split('.')[0];\n if (!protectedB64) throw new Error('JWS protected header segment is empty.');\n const headerJson = new TextDecoder().decode(jose.base64url.decode(protectedB64));\n const parsed = JSON.parse(headerJson);\n if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {\n throw new Error('JWS protected header is not a JSON object.');\n }\n header = parsed as { alg?: unknown; kid?: unknown; typ?: unknown; crit?: unknown };\n } catch (err) {\n throw new UCPVerificationError(\n 'malformed_jws',\n `JWS protected header is not valid base64url-encoded JSON: ${err instanceof Error ? err.message : String(err)}`,\n );\n }\n\n // Header check order is typ → alg → kid → crit to match the Python sibling's\n // _peek_jws_header. RFC 8725 §3.11: enforce expected typ to prevent\n // cross-protocol token reuse.\n if (header.typ !== PROFILE_TYP) {\n throw new UCPVerificationError('wrong_typ', `UCP signature typ must be \"${PROFILE_TYP}\"; got ${String(header.typ)}.`);\n }\n // RFC 8725 §3.1: restrict to allow-listed algorithms before key resolution\n // so a hostile JWK can never be used with HS256/none/RS256/etc.\n if (!ALLOWED_ALGS.includes(header.alg as AllowedAlg)) {\n throw new UCPVerificationError('unsupported_alg', `UCP signing alg must be one of ${ALLOWED_ALGS.join(', ')}; got ${String(header.alg)}.`);\n }\n // Strict string check: a non-string kid (number/bool/null) could accidentally\n // match a JWK with an equal-typed kid and mask attacks.\n if (typeof header.kid !== 'string' || !header.kid) {\n throw new UCPVerificationError(\n 'missing_kid',\n `UCP signature header kid must be a non-empty string; got ${header.kid === undefined ? 'undefined' : typeof header.kid}.`,\n );\n }\n // RFC 7515 §4.1.11: `crit` MUST be a non-empty array of strings if present.\n // Shape-check first (matches python-commerce's malformed_jws split) so that\n // explicit `crit: null` / `crit: []` / `crit: \"foo\"` / `crit: [42]` aren't\n // silently accepted; only well-formed crit arrays fall through to the\n // unrecognized-extension check (RFC 8725 §3.10 — UCP defines no crit headers).\n if ('crit' in header) {\n const crit = (header as { crit?: unknown }).crit;\n if (!Array.isArray(crit) || crit.length === 0 || !crit.every((c) => typeof c === 'string')) {\n throw new UCPVerificationError(\n 'malformed_jws',\n `JWS protected header crit must be a non-empty array of strings; got ${JSON.stringify(crit)}.`,\n );\n }\n throw new UCPVerificationError(\n 'unrecognized_critical_header',\n `JWS protected header advertises unrecognized crit headers: ${JSON.stringify(crit)}.`,\n );\n }\n\n let signedPayload: Uint8Array;\n try {\n const verified = await jose.compactVerify(\n sig,\n async (h) => {\n // typ/alg/kid/crit were validated up-front against the pre-decoded header;\n // this resolver only handles JWK lookup. Re-checking kid here keeps the\n // jose API satisfied and provides defense-in-depth against any header\n // re-parse divergence between this code path and jose's internals.\n const kid = h.kid;\n if (typeof kid !== 'string' || !kid) {\n throw new UCPVerificationError(\n 'missing_kid',\n `UCP signature header kid must be a non-empty string; got ${kid === undefined ? 'undefined' : typeof kid}.`,\n );\n }\n const matches = jwks.keys.filter(\n (k) => k != null && typeof k === 'object' && (k as Record<string, unknown>).kid === kid,\n );\n if (matches.length === 0) throw new UCPVerificationError('kid_not_found', `No JWK in JWKS matching kid=${JSON.stringify(kid)}.`);\n if (matches.length > 1) throw new UCPVerificationError('duplicate_kid', `JWKS contains ${matches.length} keys with kid=${JSON.stringify(kid)}; expected exactly one.`);\n // RFC 7517 §4.2: reject keys not intended for signature verification.\n // `use` and `alg` are optional per RFC 7517; an explicit JSON null is\n // out-of-spec but treat it as absent (skip-on-null) so a JWK with\n // `\"use\": null` matches Python's `is not None` semantics in\n // ucp_jwks.py and the two languages stay symmetric.\n const matchedKey = matches[0] as Record<string, unknown>;\n if (matchedKey.use != null && matchedKey.use !== 'sig') {\n throw new UCPVerificationError('unusable_key', `JWK with kid=${kid} has use=${JSON.stringify(matchedKey.use)}; expected \"sig\".`);\n }\n // RFC 7517 §4.4: a JWK with a declared `alg` field constrains its use to that algorithm.\n if (matchedKey.alg != null && matchedKey.alg !== h.alg) {\n throw new UCPVerificationError(\n 'unusable_key',\n `JWK alg ${JSON.stringify(matchedKey.alg)} does not match JWS header alg ${JSON.stringify(h.alg)}.`,\n );\n }\n return jose.importJWK(matches[0] as Parameters<typeof jose.importJWK>[0], h.alg);\n },\n );\n signedPayload = verified.payload;\n } catch (err) {\n if (err instanceof UCPVerificationError) throw err;\n if (err instanceof Error && err.name === 'JOSEAlgNotAllowed') {\n throw new UCPVerificationError('unsupported_alg', `UCP signing alg not allowed: ${err.message}`);\n }\n if (err instanceof Error && err.name === 'JWSSignatureVerificationFailed') {\n throw new UCPVerificationError('signature_invalid', `UCP signature verification failed: ${err.message}`);\n }\n if (err instanceof Error && err.name === 'JWSInvalid') {\n throw new UCPVerificationError('malformed_jws', `Malformed JWS: ${err.message}`);\n }\n // RFC 7515 §4.1.11 / RFC 8725 §3.10: a verifier MUST reject any JWS whose\n // `crit` header carries an extension the implementation doesn't understand.\n // jose throws JOSENotSupported; wrap so callers see the typed error.\n if (err instanceof Error && err.name === 'JOSENotSupported') {\n throw new UCPVerificationError('unrecognized_critical_header', `UCP signing rejected unrecognized critical header: ${err.message}`);\n }\n throw err;\n }\n\n let canonicalBody: string;\n try {\n canonicalBody = canonicalizeProfile(stripped as UCPProfile);\n } catch (err) {\n throw new UCPVerificationError(\n 'body_mismatch',\n `Failed to canonicalize received profile for verification: ${err instanceof Error ? err.message : String(err)}`,\n );\n }\n const expectedPayload = new TextEncoder().encode(canonicalBody);\n\n // Compare the bytes that were actually signed against the canonical body of the\n // profile we received. `compactVerify` validates the JWS against the bytes embedded\n // in the JWS payload segment, but the profile body could have been swapped after\n // signing while the JWS stayed unchanged. Body-vs-payload comparison closes that\n // gap.\n if (!constantTimeEqual(signedPayload, expectedPayload)) {\n throw new UCPVerificationError('body_mismatch', 'UCP profile body does not match the signed payload (tampered or non-canonical).');\n }\n\n return true;\n}\n\n/** Constant-time byte comparison to avoid leaking length / position info on mismatch. */\nfunction constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {\n if (a.length !== b.length) return false;\n let diff = 0;\n for (let i = 0; i < a.length; i += 1) {\n diff |= a[i] ^ b[i];\n }\n return diff === 0;\n}\n\n/**\n * Build a JWKS document for `/.well-known/jwks.json`.\n *\n * Example:\n * ```ts\n * import { buildJWKSResponse } from '@agent-score/commerce';\n *\n * app.get('/.well-known/jwks.json', (c) =>\n * c.json(buildJWKSResponse([publicJWK]))\n * );\n * ```\n */\nexport function buildJWKSResponse(keys: UCPSigningKey[]): JWKSResponse {\n return { keys };\n}\n","/**\n * Per-product / per-tier compliance policy helpers.\n *\n * A *policy* is a small bag of fields describing what identity the merchant wants\n * verified for a given resource:\n *\n * - `enforcement`: `\"hard\"` (today's wine path — 403 on miss) or `\"soft\"` (gate\n * denial is swallowed; the order completes with a degraded `identity_status`).\n * `null` / absent = no gate at all.\n * - `requireKyc` / `requireSanctionsClear` / `minAge`: passed through to the\n * per-framework `agentscoreGate(...)` factory.\n * - `allowedJurisdictions`: buyer-verified country list (`[\"US\", \"CA\", ...]`).\n * - `allowedShippingCountries` / `allowedShippingStates`: optional shipping\n * allowlists. State list is only enforced for US shipments.\n *\n * This module ships three primitives:\n *\n * 1. {@link PolicyBlock} — the typed shape.\n * 2. {@link buildGateOptionsFromPolicy} — translate a block into the options object the\n * per-framework `agentscoreGate(...)` accepts. Returns `null` when the policy\n * has no enforcement (treat as \"no gate; anonymous OK\").\n * 3. {@link runGateWithEnforcement} — wrap a per-framework middleware in the\n * hard/soft enforcement runner. The middleware is given an `onDenied` shim\n * that captures the denial body and status; the runner returns a structured\n * {@link GateResult} so the vendor decides how to surface it.\n *\n * All three are additive — vendors using `agentscoreGate(...)` directly are\n * unaffected.\n */\n\nimport type { AgentScoreCoreOptions, DenialReason } from '../core.js';\n\n/** Hard = 403 propagates; soft = swallowed + identity_status=\"unverified\". */\nexport type EnforcementMode = 'hard' | 'soft';\n\n/** Per-order trust level captured at settle time. */\nexport type IdentityStatus = 'verified' | 'unverified' | 'anonymous' | 'denied';\n\n/** Compliance fields a merchant attaches per product / per tier. All optional. */\nexport interface PolicyBlock {\n enforcement?: EnforcementMode;\n requireKyc?: boolean;\n requireSanctionsClear?: boolean;\n minAge?: number;\n allowedJurisdictions?: readonly string[];\n allowedShippingCountries?: readonly string[];\n allowedShippingStates?: readonly string[];\n}\n\n/**\n * Outcome of running a gate under an enforcement mode.\n *\n * - `verified`: gate accepted; identity is fully verified for the policy.\n * - `unverified`: soft mode swallowed a gate denial; the agent had *some*\n * identity but didn't meet the policy. Stamp this on the order so\n * ops/analytics can tell apart soft passes from hard passes.\n * - `anonymous`: no gate ran (policy was null / no enforcement).\n * - `denied`: hard mode rejected; the caller must propagate the 403. The\n * `denialBody` and `denialStatus` carry the original gate response so the\n * caller can return it as-is.\n */\nexport interface GateResult {\n status: IdentityStatus;\n denialStatus?: number;\n denialBody?: Record<string, unknown>;\n denialReason?: DenialReason;\n}\n\n/**\n * Translate a {@link PolicyBlock} into the options the per-framework\n * `agentscoreGate(...)` expects. Returns `null` when the block has no\n * `enforcement` set — the caller should treat that as \"no gate; anonymous OK\".\n *\n * Use a fresh gate per request rather than constructing once at module scope\n * when the policy varies per resource (e.g. per product). Each adapter's gate\n * is cheap to instantiate.\n */\nexport function buildGateOptionsFromPolicy(\n policy: PolicyBlock | null | undefined,\n base: { apiKey: string; baseUrl?: string },\n): AgentScoreCoreOptions | null {\n if (!policy || !policy.enforcement) return null;\n return {\n apiKey: base.apiKey,\n ...(base.baseUrl !== undefined && { baseUrl: base.baseUrl }),\n ...(policy.requireKyc !== undefined && { requireKyc: policy.requireKyc }),\n ...(policy.requireSanctionsClear !== undefined && {\n requireSanctionsClear: policy.requireSanctionsClear,\n }),\n ...(policy.minAge !== undefined && { minAge: policy.minAge }),\n ...(policy.allowedJurisdictions !== undefined && {\n allowedJurisdictions: [...policy.allowedJurisdictions],\n }),\n };\n}\n\n/**\n * Run a per-framework gate middleware respecting the enforcement mode.\n *\n * The vendor passes:\n * - `gate`: their framework's middleware (Hono `MiddlewareHandler`, Express\n * `(req, res, next) => void`, etc.) — anything that resolves on accept and\n * throws or returns a `Response` on deny.\n * - `runGate`: a thin adapter that calls the middleware with the framework\n * context and returns either `{ ok: true }` (gate accepted) or\n * `{ ok: false, status, body, reason? }` (gate denied with details).\n *\n * `runGateWithEnforcement` wraps that in the hard/soft split:\n *\n * - `gate=null` or `enforcement=null`: no gate fires; status=\"anonymous\".\n * - `enforcement=\"hard\"` + denied: status=\"denied\"; caller propagates denialStatus + denialBody.\n * - `enforcement=\"soft\"` + denied: swallow; status=\"unverified\".\n * - accepted: status=\"verified\".\n */\nexport async function runGateWithEnforcement(\n enforcement: EnforcementMode | undefined,\n runGate: (() => Promise<{ ok: true } | { ok: false; status: number; body: Record<string, unknown>; reason?: DenialReason }>) | null,\n): Promise<GateResult> {\n if (!runGate || !enforcement) return { status: 'anonymous' };\n\n const outcome = await runGate();\n if (outcome.ok) return { status: 'verified' };\n\n if (enforcement === 'hard') {\n return {\n status: 'denied',\n denialStatus: outcome.status,\n denialBody: outcome.body,\n ...(outcome.reason !== undefined && { denialReason: outcome.reason }),\n };\n }\n return {\n status: 'unverified',\n denialStatus: outcome.status,\n denialBody: outcome.body,\n ...(outcome.reason !== undefined && { denialReason: outcome.reason }),\n };\n}\n\n/** NULL policy / NULL allowlist → ship anywhere. Otherwise country must be in the list. */\nexport function shippingCountryAllowed(country: string, policy: PolicyBlock | null | undefined): boolean {\n if (!policy?.allowedShippingCountries || policy.allowedShippingCountries.length === 0) return true;\n const allowed = new Set(policy.allowedShippingCountries.map((c) => c.toUpperCase()));\n return allowed.has(country.toUpperCase());\n}\n\n/**\n * US-state allowlist (e.g. wine).\n *\n * Only enforced for US shipments — non-US shipments are governed by\n * {@link shippingCountryAllowed} independently.\n */\nexport function shippingStateAllowed(\n state: string,\n country: string,\n policy: PolicyBlock | null | undefined,\n): boolean {\n if (!policy?.allowedShippingStates || policy.allowedShippingStates.length === 0) return true;\n if (country.toUpperCase() !== 'US') return true;\n const allowed = new Set(policy.allowedShippingStates.map((s) => s.toUpperCase()));\n return allowed.has(state.toUpperCase());\n}\n"],"mappings":";AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,gBAAgB;AAAA,EAChB;AAAA,OACK;;;ACyBA,IAAM,yBAA8C,oBAAI,IAAI;AAAA,EACjE;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAUM,SAAS,gBAAgB,SAAiD;AAC/E,MAAI,CAAC,WAAW,QAAQ,WAAW,EAAG,QAAO;AAC7C,SAAO,QAAQ,MAAM,CAAC,MAAM,uBAAuB,IAAI,CAAC,CAAC;AAC3D;AAUO,SAAS,mBAAmB,QAAuC;AACxE,MAAI,OAAO,SAAS,mBAAmB,OAAO,SAAS,qBAAsB,QAAO;AACpF,MAAI,OAAO,SAAS,YAAa,QAAO;AACxC,SAAO;AACT;AA0BO,SAAS,wBAAwB,OAAgE;AACtG,QAAM,EAAE,OAAO,IAAI;AACnB,MAAI,OAAO,SAAS,OAAQ,QAAO;AAEnC,QAAM,eAAe,MAAM,gBAAgB;AAE3C,MAAI,OAAO,SAAS,0BAA0B;AAC5C,UAAM,gBAAgB,OAAO,iBAAiB,CAAC;AAC/C,UAAM,cAAc,MAAM,gBAAgB,cAAc,SAAS,IAC7D,qEAAqE,cAAc,KAAK,IAAI,CAAC,kBAC7F;AACJ,WAAO;AAAA,MACL,OAAO;AAAA,QACL,MAAM;AAAA,QACN,SACE;AAAA,MACJ;AAAA,MACA,kBAAkB,OAAO;AAAA,MACzB,wBAAwB,OAAO,wBAAwB;AAAA,MACvD,iBAAiB,OAAO;AAAA,MACxB,eAAe,OAAO;AAAA,MACtB,gBAAgB;AAAA,MAChB,YAAY;AAAA,QACV,QAAQ;AAAA,QACR,cAAc;AAAA,QACd,gBAAgB;AAAA,MAClB;AAAA,IACF;AAAA,EACF;AAGA,SAAO;AAAA,IACL,OAAO;AAAA,MACL,MAAM;AAAA,MACN,SACE;AAAA,IACJ;AAAA,IACA,YAAY;AAAA,MACV,QAAQ;AAAA,MACR,cACE,MAAM,eACN;AAAA,MACF,gBAAgB;AAAA,IAClB;AAAA,EACF;AACF;AAYO,SAAS,6BACd,cACA,SAC4E;AAC5E,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,eAAe;AAAA,IACf,cACE,WACA,8DAA8D,YAAY;AAAA,EAC9E;AACF;AA8BO,SAAS,8BAA8B,QAA4C,CAAC,GAUzF;AACA,QAAM,YAAY;AAAA,IAChB;AAAA,IACA,4CAA4C,MAAM,uBAAuB,CAAC;AAAA,IAC1E;AAAA,IACA;AAAA,IACA,MAAM,aAAa;AAAA,EACrB;AAEA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,aACE,MAAM,cACN;AAAA,IACF,OAAO,MAAM,aAAa,CAAC,GAAG,WAAW,GAAG,MAAM,UAAU,IAAI;AAAA,IAChE,uBAAuB,MAAM,uBAAuB;AAAA,IACpD,oBAAoB;AAAA,IACpB,oBAAoB;AAAA,IACpB,iBAAiB,MAAM,kBAAkB;AAAA,IACzC,GAAI,MAAM,WAAW,EAAE,WAAW,MAAM,SAAS,IAAI,CAAC;AAAA,IACtD,GAAI,MAAM,SAAS,CAAC;AAAA,EACtB;AACF;;;AC3LA,IAAM,kCAAkC,KAAK,UAAU;AAAA,EACrD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,gCAAgC,KAAK,UAAU;AAAA,EACnD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,uDAAuD,KAAK,UAAU;AAAA,EAC1E,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,yBAAyB,KAAK,UAAU;AAAA,EAC5C,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAEM,IAAM,8BAA8B,KAAK,UAAU;AAAA,EACxD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,sCAAsC,KAAK,UAAU;AAAA,EACzD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,6BAAkE;AAAA,EACtE,WAAW;AAAA,EACX,oBAAoB;AAAA,EACpB,kBAAkB;AAAA,EAClB,gCAAgC;AAAA,EAChC,eAAe;AACjB;AAEA,IAAM,mBAA+C;AAAA,EACnD,kBACE;AAAA,EACF,gCACE;AAAA,EACF,oBACE;AAAA,EACF,WACE;AAAA,EACF,kBACE;AAAA,EACF,wBACE;AAAA,EACF,qCACE;AAAA,EACF,eACE;AAAA,EACF,oBACE;AACJ;AAKA,IAAM,kBAAkB,oBAAI,IAAI;AAAA,EAC9B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAEM,SAAS,mBAAmB,QAA+C;AAChF,QAAM,UAAU,OAAO,WAAW,iBAAiB,OAAO,IAAI;AAC9D,QAAM,OAAgC,EAAE,OAAO,EAAE,MAAM,OAAO,MAAM,QAAQ,EAAE;AAC9E,MAAI,OAAO,SAAU,MAAK,WAAW,OAAO;AAC5C,MAAI,OAAO,QAAS,MAAK,UAAU,OAAO;AAC1C,MAAI,OAAO,WAAY,MAAK,aAAa,OAAO;AAChD,MAAI,OAAO,WAAY,MAAK,aAAa,OAAO;AAChD,MAAI,OAAO,YAAa,MAAK,cAAc,OAAO;AAClD,MAAI,OAAO,SAAU,MAAK,WAAW,OAAO;AAC5C,QAAM,eAAe,OAAO,sBAAsB,2BAA2B,OAAO,IAAI;AACxF,MAAI,aAAc,MAAK,qBAAqB;AAC5C,MAAI,OAAO,aAAc,MAAK,eAAe,OAAO;AACpD,MAAI,OAAO,iBAAkB,MAAK,mBAAmB,OAAO;AAC5D,MAAI,OAAO,SAAS,yBAA0B,MAAK,yBAAyB,OAAO,0BAA0B;AAC7G,MAAI,OAAO,gBAAiB,MAAK,kBAAkB,OAAO;AAC1D,MAAI,OAAO,cAAe,MAAK,gBAAgB,OAAO;AACtD,MAAI,OAAO,kBAAkB,OAAO,eAAe,SAAS,EAAG,MAAK,iBAAiB,OAAO;AAC5F,MAAI,OAAO,OAAO;AAChB,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,KAAK,GAAG;AACvD,UAAI,gBAAgB,IAAI,GAAG,GAAG;AAC5B,gBAAQ,KAAK,mDAAmD,GAAG,8CAAyC;AAC5G;AAAA,MACF;AACA,WAAK,GAAG,IAAI;AAAA,IACd;AAAA,EACF;AACA,SAAO;AACT;;;AF+LA,IAAM,2BAA2B;AAKjC,IAAM,sCAAsC,KAAK,UAAU;AAAA,EACzD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,mDAAmD,KAAK,UAAU;AAAA,EACtE,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAMD,IAAM,kCAAkC,KAAK,UAAU;AAAA,EACrD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAEM,SAAS,uBAAwC;AAItD,QAAM,MAAM;AACZ,SAAO;AAAA,IACL,kCAAkC;AAAA,IAClC,iBACE;AAAA,IAKF,YAAY;AAAA,IACZ,yBAAyB,GAAG,GAAG;AAAA,IAC/B,gBAAgB;AAAA,MACd,QACE;AAAA,MAEF,gBACE;AAAA,IAEJ;AAAA,IACA,WACE;AAAA,IAIF,0BAA0B,CAAC,kBAAkB,aAAa;AAAA,IAC1D,6BAA6B,CAAC,gBAAgB;AAAA,EAChD;AACF;;;AG/ZA,IAAM,gBAAgB;AACtB,IAAM,qBAAqB;AAC3B,IAAM,iCAAiC;AAuBvC,eAAe,kCAAkC,YAA6C;AAC5F,QAAM,UAAW,WAAqE;AACtF,MAAI,CAAC,SAAS,eAAe,QAAQ,SAAS,cAAe,QAAO;AAEpE,QAAM,aAAa;AACnB,QAAM,MAAO,MAAM,OAAO,YAAY,MAAM,MAAM,IAAI;AACtD,MAAI,CAAC,KAAK,kBAAkB,CAAC,IAAI,yBAAyB,CAAC,IAAI,sCAAsC;AACnG,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,UAAU,IAAI,eAAe,EAAE,OAAO,QAAQ,WAAW;AAC/D,UAAM,UAAU,IAAI,sBAAsB,EAAE,OAAO,OAAO;AAC1D,UAAM,UAAU,IAAI,qCAAqC,EAAE,OAAO,QAAQ,YAAY;AAOtF,eAAW,MAAM,QAAQ,cAAc;AACrC,YAAM,YAAY,QAAQ,eAAe,GAAG,mBAAmB;AAC/D,UAAI,cAAc,iBAAiB,cAAc,mBAAoB;AACrE,YAAM,OAAO,GAAG;AAChB,UAAI,CAAC,QAAQ,KAAK,WAAW,KAAK,KAAK,CAAC,MAAM,+BAAgC;AAC9E,YAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAC7C,YAAM,iBAAiB,eAAe,CAAC;AACvC,UAAI,mBAAmB,OAAW;AAKlC,UAAI,kBAAkB,QAAQ,eAAe,QAAQ;AACnD,gBAAQ;AAAA,UACN;AAAA,QAEF;AACA;AAAA,MACF;AACA,YAAM,YAAY,QAAQ,eAAe,cAAc;AACvD,UAAI,UAAW,QAAO;AAAA,IACxB;AACA,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,YAAQ,KAAK,2CAA2C,eAAe,QAAQ,IAAI,UAAU,GAAG;AAChG,WAAO;AAAA,EACT;AACF;AAkBA,eAAsB,qBACpB,SACA,mBAC+B;AAE/B,QAAM,aAAa,QAAQ,QAAQ,IAAI,eAAe;AACtD,MAAI,YAAY;AACd,QAAI;AACF,YAAM,aAAa;AACnB,YAAM,OAAQ,MAAM,OAAO,YAAY,MAAM,MAAM,IAAI;AAMvD,UAAI,MAAM,YAAY,qBAAqB,UAAU,GAAG;AACtD,cAAM,aAAa,KAAK,WAAW,YAAY,OAAO;AACtD,cAAM,SAAU,WAAmC;AACnD,cAAM,WAAW,QAAQ,MAAM,0CAA0C;AACzE,YAAI,SAAU,QAAO,EAAE,SAAS,SAAS,CAAC,EAAG,YAAY,GAAG,SAAS,MAAM;AAE3E,cAAM,WAAW,QAAQ,MAAM,4EAA4E;AAC3G,YAAI,SAAU,QAAO,EAAE,SAAS,SAAS,CAAC,GAAI,SAAS,SAAS;AAIhE,cAAM,eAAe,MAAM,kCAAkC,UAAU;AACvE,YAAI,aAAc,QAAO,EAAE,SAAS,cAAc,SAAS,SAAS;AAAA,MACtE;AAAA,IACF,SAAS,KAAK;AACZ,cAAQ,KAAK,wCAAwC,eAAe,QAAQ,IAAI,UAAU,GAAG;AAAA,IAC/F;AAAA,EACF;AAGA,MAAI,mBAAmB;AACrB,QAAI;AACF,YAAM,UAAU,KAAK,iBAAiB;AACtC,YAAM,SAAS,KAAK,MAAM,OAAO;AAGjC,YAAM,OAAO,QAAQ,SAAS,eAAe;AAC7C,UAAI,OAAO,SAAS,YAAY,sBAAsB,KAAK,IAAI,GAAG;AAChE,eAAO,EAAE,SAAS,KAAK,YAAY,GAAG,SAAS,MAAM;AAAA,MACvD;AAAA,IACF,SAAS,KAAK;AACZ,cAAQ,KAAK,yCAAyC,eAAe,QAAQ,IAAI,UAAU,GAAG;AAAA,IAChG;AAAA,EACF;AAEA,SAAO;AACT;AAuBO,SAAS,sBAAsB,SAAsC;AAC1E,SACE,QAAQ,QAAQ,IAAI,mBAAmB,KACvC,QAAQ,QAAQ,IAAI,WAAW,KAC/B;AAEJ;;;AC7KA,IAAM,mBAAmB;AACzB,IAAM,2BAA2B;AACjC,IAAM,qBAAqB;AAC3B,IAAM,sBAAsB;AAKrB,IAAM,wBAAwB;AAuD9B,SAAS,gBACd,eAA2D,CAAC,GAC5D,UAAkC,CAAC,GACZ;AACvB,SAAO;AAAA,IACL,KAAK;AAAA,IACL,aAAa;AAAA,IACb,UAAU,QAAQ,YAAY;AAAA,IAC9B,QAAQ,EAAE,aAAa;AAAA,EACzB;AACF;AAwIO,SAAS,kBAAkB,OAA6C;AAC7E,MAAI,CAAC,MAAM,UAAU,MAAM,OAAO,WAAW,GAAG;AAC9C,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,eAAyC,CAAC;AAChD,MAAI,MAAM,cAAc,OAAW,cAAa,YAAY,MAAM;AAClE,MAAI,MAAM,uBAAuB,OAAW,cAAa,qBAAqB,MAAM;AACpF,MAAI,MAAM,cAAc,MAAM,WAAW,SAAS,EAAG,cAAa,aAAa,MAAM;AACrF,MAAI,MAAM,wBAAwB,OAAW,cAAa,sBAAsB,MAAM;AAEtF,QAAM,mBAAsC;AAAA,IAC1C,KAAK,MAAM;AAAA,IACX,kBAAkB,MAAM,oBAAoB;AAAA,IAC5C,kBAAkB,MAAM,wBAAwB;AAAA,EAClD;AAEA,QAAM,OAAqB;AAAA,IACzB,MAAM,MAAM;AAAA,IACZ,aAAa,MAAM;AAAA,IACnB,sBAAsB,CAAC,gBAAgB;AAAA,IACvC,SAAS,MAAM,WAAW;AAAA,IAC1B;AAAA,IACA,qBAAqB,MAAM,uBAAuB,CAAC,kBAAkB;AAAA,IACrE,sBAAsB,MAAM,wBAAwB,CAAC,mBAAmB;AAAA,IACxE,QAAQ,MAAM;AAAA,EAChB;AACA,MAAI,MAAM,aAAa,OAAW,MAAK,WAAW,MAAM;AACxD,MAAI,MAAM,sBAAsB,OAAW,MAAK,oBAAoB,MAAM;AAC1E,MAAI,MAAM,aAAa,OAAW,MAAK,WAAW,MAAM;AACxD,MAAI,MAAM,eAAe,UAAa,MAAM,WAAW,SAAS,EAAG,MAAK,aAAa,MAAM;AAC3F,MAAI,MAAM,qBAAqB,OAAW,MAAK,mBAAmB,MAAM;AACxE,MAAI,MAAM,0BAA0B,OAAW,MAAK,wBAAwB,MAAM;AAClF,MAAI,MAAM,QAAQ;AAChB,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,MAAM,MAAM,GAAG;AACjD,WAAK,CAAC,IAAI;AAAA,IACZ;AAAA,EACF;AACA,SAAO;AACT;;;ACzNA,SAAS,yBAAyB,KAA6C;AAC7E,MAAI,CAAC,OAAO,OAAO,QAAQ,UAAU;AACnC,UAAM,IAAI,MAAM,yDAAyD,OAAO,GAAG,GAAG;AAAA,EACxF;AACA,MAAI,OAAO,IAAI,QAAQ,YAAY,CAAC,IAAI,KAAK;AAC3C,UAAM,IAAI,MAAM,0EAA0E;AAAA,EAC5F;AACA,MAAI,OAAO,IAAI,QAAQ,YAAY,CAAC,IAAI,KAAK;AAC3C,UAAM,IAAI,MAAM,0EAA0E;AAAA,EAC5F;AACA,MAAI,IAAI,QAAQ,SAAS,IAAI,QAAQ,QAAQ,IAAI,QAAQ,OAAO;AAC9D,UAAM,IAAI;AAAA,MACR,8BAA8B,KAAK,UAAU,IAAI,GAAG,CAAC;AAAA,IACvD;AAAA,EACF;AACA,OAAK,IAAI,QAAQ,QAAQ,IAAI,QAAQ,WAAW,OAAO,IAAI,QAAQ,YAAY,CAAC,IAAI,MAAM;AACxF,UAAM,IAAI,MAAM,8BAA8B,IAAI,GAAG,gFAAgF;AAAA,EACvI;AACA,SAAO;AACT;AAIO,IAAM,gBAAgB;AAAA,EAC3B,SAAS;AACX;AAuIA,IAAM,kBAAkB;AAIxB,IAAM,6BAA6B;AAEnC,IAAM,gCAAgC;AAoBtC,IAAM,8BAA8B;AACpC,IAAM,gCAAgC;AAOtC,IAAM,qBAAqB,CAAC,6BAA6B,uBAAuB;AAEhF,IAAM,qBAAqB,oBAAI,IAAI;AAAA,EACjC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AACD,IAAM,sBAAsB,oBAAI,IAAI;AAAA,EAClC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAqCM,SAAS,gBAAgB,OAAyC;AAIvE,aAAW,CAAC,MAAM,QAAQ,KAAK,OAAO,QAAQ,MAAM,YAAY,CAAC,CAAC,GAAG;AACnE,eAAW,WAAW,UAAU;AAC9B,WACG,QAAQ,cAAc,UAAU,QAAQ,cAAc,SAAS,QAAQ,cAAc,WAClF,QAAQ,aAAa,UAAa,QAAQ,aAAa,QAAQ,QAAQ,aAAa,KACxF;AACA,cAAM,IAAI;AAAA,UACR,6BAA6B,IAAI,eAAe,QAAQ,SAAS;AAAA,QACnE;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAKA,QAAM,kBAA8D,CAAC;AACrE,aAAW,CAAC,MAAM,QAAQ,KAAK,OAAO,QAAQ,MAAM,oBAAoB,CAAC,CAAC,GAAG;AAC3E,oBAAgB,IAAI,IAAI,SAAS,IAAI,CAAC,YAAY;AAChD,UAAI,MAAM,QAAQ,QAAQ,qBAAqB,KAAK,QAAQ,sBAAsB,WAAW,GAAG;AAC9F,cAAM,EAAE,uBAAuB,OAAO,GAAG,KAAK,IAAI;AAClD,eAAO;AAAA,MACT;AACA,aAAO;AAAA,IACT,CAAC;AAAA,EACH;AAIA,QAAM,eAAuD,CAAC;AAC9D,aAAW,CAAC,MAAM,QAAQ,KAAK,OAAO,QAAQ,MAAM,gBAAgB,CAAC,CAAC,GAAG;AACvE,iBAAa,IAAI,IAAI,CAAC,GAAG,QAAQ;AAAA,EACnC;AAMA,MAAI,MAAM,iBAAiB;AACzB,UAAM,aAAa,EAAE,GAAG,MAAM,gBAAgB;AAC9C,UAAM,oBAA0C;AAAA,MAC9C,SAAS;AAAA,MACT,MAAM,MAAM,uBAAuB;AAAA,MACnC,QAAQ,MAAM,yBAAyB;AAAA,MACvC,SAAS;AAAA,IACX;AAGA,QAAI,OAAO,KAAK,UAAU,EAAE,SAAS,EAAG,mBAAkB,SAAS;AACnE,UAAM,WAAW,aAAa,0BAA0B;AACxD,QAAI,SAAU,UAAS,KAAK,iBAAiB;AAAA,QACxC,cAAa,0BAA0B,IAAI,CAAC,iBAAiB;AAAA,EACpE;AAEA,QAAM,MAAsB;AAAA,IAC1B,SAAS,MAAM,WAAW;AAAA,IAC1B,UAAU,MAAM,YAAY,CAAC;AAAA,IAC7B;AAAA,IACA,kBAAkB;AAAA,EACpB;AACA,MAAI,MAAM,SAAS,OAAW,KAAI,OAAO,MAAM;AAC/C,MAAI,MAAM,uBAAuB,OAAW,KAAI,qBAAqB,MAAM;AAC3E,MAAI,MAAM,YAAY;AACpB,eAAW,KAAK,OAAO,KAAK,MAAM,UAAU,GAAG;AAC7C,UAAI,oBAAoB,IAAI,CAAC,GAAG;AAC9B,cAAM,IAAI,MAAM,oCAAoC,CAAC,qDAAqD;AAAA,MAC5G;AAAA,IACF;AACA,WAAO,OAAO,KAAK,MAAM,UAAU;AAAA,EACrC;AAEA,QAAM,UAAsB;AAAA,IAC1B;AAAA,IACA,cAAc,MAAM;AAAA,EACtB;AACA,MAAI,MAAM,QAAQ;AAGhB,eAAW,KAAK,OAAO,KAAK,MAAM,MAAM,GAAG;AACzC,UAAI,mBAAmB,IAAI,CAAC,GAAG;AAC7B,cAAM,IAAI,MAAM,gCAAgC,CAAC,qDAAqD;AAAA,MACxG;AAAA,IACF;AACA,WAAO,OAAO,SAAS,MAAM,MAAM;AAAA,EACrC;AAEA,SAAO;AACT;AAEO,IAAM,4BAA4B;AAkBzC,IAAM,kBAAkB;AACxB,IAAM,YAAY;AAClB,IAAM,cAAc;AA2Db,SAAS,kBAAkB,OAA2E;AAC3G,SAAO;AAAA,IACL,6BAA6B,CAAC;AAAA,MAC5B,IAAI;AAAA,MACJ,SAAS;AAAA,MACT,MAAM,GAAG,SAAS;AAAA,MAClB,QAAQ,GAAG,WAAW;AAAA,MACtB,QAAQ,EAAE,UAAU,MAAM,SAAS;AAAA,IACrC,CAAC;AAAA,EACH;AACF;AAeO,SAAS,mBAAmB,OAA4E;AAC7G,SAAO;AAAA,IACL,8BAA8B,CAAC;AAAA,MAC7B,IAAI;AAAA,MACJ,SAAS;AAAA,MACT,MAAM,GAAG,SAAS;AAAA,MAClB,QAAQ,GAAG,WAAW;AAAA,MACtB,QAAQ,EAAE,UAAU,MAAM,SAAS;AAAA,IACrC,CAAC;AAAA,EACH;AACF;AAeO,SAAS,wBAAwB,OAAiF;AACvH,SAAO;AAAA,IACL,oCAAoC,CAAC;AAAA,MACnC,IAAI;AAAA,MACJ,SAAS;AAAA,MACT,MAAM,GAAG,SAAS;AAAA,MAClB,QAAQ,GAAG,WAAW;AAAA,MACtB,QAAQ,EAAE,MAAM,cAAc,YAAY,MAAM,WAAW;AAAA,IAC7D,CAAC;AAAA,EACH;AACF;;;ACzdA,IAAM,oBAAoB;AAM1B,IAAM,eAAe,CAAC,SAAS,OAAO;AAOtC,IAAM,cAAc;AAIb,IAAM,uBAAN,cAAmC,MAAM;AAAA,EAC9C,YACkB,MAahB,SACA;AACA,UAAM,OAAO;AAfG;AAgBhB,SAAK,OAAO;AAAA,EACd;AAAA,EAjBkB;AAkBpB;AAEA,eAAe,WAA2C;AACxD,MAAI;AACF,WAAO,MAAM,OAAO,MAAM;AAAA,EAC5B,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR,oFAAoF,iBAAiB;AAAA,kBAAqB,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,IAC5K;AAAA,EACF;AACF;AAYA,SAAS,oBAAoB,SAA6B;AACxD,QAAM,WAAW,EAAE,GAAG,QAAQ;AAC9B,SAAO,SAAS;AAChB,SAAO,gBAAgB,QAAQ;AACjC;AAUA,SAAS,gBAAgB,OAAwB;AAC/C,MAAI,UAAU,QAAW;AACvB,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AACA,MAAI,OAAO,UAAU,cAAc,OAAO,UAAU,UAAU;AAC5D,UAAM,IAAI,MAAM,oBAAoB,OAAO,KAAK,gDAAgD;AAAA,EAClG;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,IAAI,MAAM,uEAAuE;AAAA,EACzF;AACA,MAAI,iBAAiB,MAAM;AACzB,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI,iBAAiB,OAAO,iBAAiB,OAAO,iBAAiB,WAAW,iBAAiB,SAAS;AACxG,UAAM,IAAI;AAAA,MACR,oBAAoB,MAAM,YAAY,IAAI;AAAA,IAC5C;AAAA,EACF;AACA,MAAI,YAAY,OAAO,KAAK,GAAG;AAC7B,UAAM,IAAI,MAAM,gFAAgF;AAAA,EAClG;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,QAAI,CAAC,OAAO,SAAS,KAAK,GAAG;AAC3B,YAAM,IAAI;AAAA,QACR,0DAA0D,KAAK;AAAA,MACjE;AAAA,IACF;AACA,QAAI,CAAC,OAAO,UAAU,KAAK,GAAG;AAC5B,YAAM,IAAI;AAAA,QACR,2DAA2D,KAAK;AAAA,MAClE;AAAA,IACF;AACA,QAAI,CAAC,OAAO,cAAc,KAAK,GAAG;AAChC,YAAM,IAAI;AAAA,QACR,4BAA4B,KAAK;AAAA,MAEnC;AAAA,IACF;AAAA,EACF;AACA,MAAI,OAAO,UAAU,UAAU;AAQ7B,QAAI,MAAM,SAAS,QAAQ,KAAK,MAAM,SAAS,QAAQ,GAAG;AACxD,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B;AACA,MAAI,UAAU,QAAQ,OAAO,UAAU,SAAU,QAAO,KAAK,UAAU,KAAK;AAC5E,MAAI,MAAM,QAAQ,KAAK,EAAG,QAAO,IAAI,MAAM,IAAI,eAAe,EAAE,KAAK,GAAG,CAAC;AACzE,QAAM,MAAM;AACZ,QAAM,OAAO,OAAO,KAAK,GAAG,EAAE,KAAK,CAAC,GAAG,MAAM;AAC3C,UAAM,UAAU,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,CAAE;AACnD,UAAM,UAAU,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,CAAE;AACnD,UAAM,MAAM,KAAK,IAAI,QAAQ,QAAQ,QAAQ,MAAM;AACnD,aAAS,IAAI,GAAG,IAAI,KAAK,KAAK,GAAG;AAC/B,UAAI,QAAQ,CAAC,MAAM,QAAQ,CAAC,EAAG,QAAO,QAAQ,CAAC,IAAI,QAAQ,CAAC;AAAA,IAC9D;AACA,WAAO,QAAQ,SAAS,QAAQ;AAAA,EAClC,CAAC;AAMD,aAAW,KAAK,MAAM;AACpB,QAAI,EAAE,SAAS,QAClB,KAAK,EAAE,SAAS,QAChB,GAAG;AACE,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACA,QAAM,QAAQ,KAAK,IAAI,CAAC,MAAM,GAAG,KAAK,UAAU,CAAC,CAAC,IAAI,gBAAgB,IAAI,CAAC,CAAC,CAAC,EAAE;AAC/E,SAAO,IAAI,MAAM,KAAK,GAAG,CAAC;AAC5B;AAoBA,eAAsB,sBAAsB,MAKf;AAC3B,QAAM,OAAO,MAAM,SAAS;AAC5B,QAAM,MAAM,KAAK,OAAO;AACxB,QAAM,EAAE,YAAY,UAAU,IAAI,MAAM,KAAK,gBAAgB,KAAK,EAAE,aAAa,KAAK,CAAC;AACvF,QAAM,cAAc,MAAM,KAAK,UAAU,SAAS;AAElD,QAAM,YAA2B;AAAA,IAC/B,KAAK,KAAK;AAAA,IACV;AAAA,IACA,KAAK;AAAA,IACL,GAAG;AAAA,EACL;AAEA,SAAO,EAAE,YAAY,UAAU;AACjC;AAoBA,eAAsB,eACpB,SACA,MAC2B;AAC3B,QAAM,OAAO,MAAM,SAAS;AAC5B,QAAM,MAAM,KAAK,OAAO;AAExB,MAAI,CAAC,aAAa,SAAS,GAAiB,GAAG;AAC7C,UAAM,IAAI;AAAA,MACR,uBAAuB,KAAK,UAAU,KAAK,GAAG,CAAC,iCAAiC,aAAa,KAAK,IAAI,CAAC;AAAA,IACzG;AAAA,EACF;AAMA,MAAI,OAAO,KAAK,QAAQ,YAAY,CAAC,KAAK,KAAK;AAC7C,UAAM,IAAI,MAAM,sDAAsD;AAAA,EACxE;AACA,QAAM,QAAQ,QAAQ,gBAAgB,CAAC,GAAG,IAAI,CAAC,MAAO,EAA8B,GAAG;AACvF,MAAI,CAAC,KAAK,SAAS,KAAK,GAAG,GAAG;AAC5B,UAAM,IAAI;AAAA,MACR,uBAAuB,KAAK,UAAU,KAAK,GAAG,CAAC,6DAA6D,KAAK,UAAU,IAAI,CAAC;AAAA,IAClI;AAAA,EACF;AAEA,QAAM,gBAAgB,oBAAoB,OAAO;AACjD,QAAM,eAAe,IAAI,YAAY,EAAE,OAAO,aAAa;AAE3D,QAAM,YAAY,MAAM,IAAI,KAAK,YAAY,YAAY,EACtD,mBAAmB,EAAE,KAAK,KAAK,KAAK,KAAK,KAAK,YAAY,CAAC,EAC3D,KAAK,KAAK,UAAmE;AAEhF,SAAO,EAAE,GAAG,SAAS,UAAU;AACjC;AAeA,eAAsB,iBACpB,SACA,MACkB;AAClB,MAAI,YAAY,QAAQ,OAAO,YAAY,YAAY,MAAM,QAAQ,OAAO,GAAG;AAC7E,UAAM,IAAI;AAAA,MACR;AAAA,MACA,0CAA0C,YAAY,OAAO,SAAS,MAAM,QAAQ,OAAO,IAAI,UAAU,OAAO,OAAO;AAAA,IACzH;AAAA,EACF;AAEA,QAAM,OAAO,MAAM,SAAS;AAI5B,MAAI,CAAC,QAAQ,OAAO,SAAS,YAAY,CAAC,MAAM,QAAS,KAA4B,IAAI,GAAG;AAC1F,UAAM,IAAI;AAAA,MACR;AAAA,MACA,yDAAyD,SAAS,OAAO,SAAS,OAAO,SAAS,WAAW,gCAAgC,OAAO,IAAI;AAAA,IAC1J;AAAA,EACF;AAEA,QAAM,WAAW,EAAE,GAAG,QAAQ;AAC9B,QAAM,MAAM,SAAS;AACrB,SAAO,SAAS;AAChB,MAAI,OAAO,QAAQ,YAAY,CAAC,KAAK;AACnC,UAAM,IAAI;AAAA,MACR;AAAA,MACA,yDAAyD,QAAQ,SAAY,cAAc,OAAO,GAAG;AAAA,IACvG;AAAA,EACF;AAQA,MAAI;AACJ,MAAI;AACF,UAAM,eAAe,IAAI,MAAM,GAAG,EAAE,CAAC;AACrC,QAAI,CAAC,aAAc,OAAM,IAAI,MAAM,wCAAwC;AAC3E,UAAM,aAAa,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,OAAO,YAAY,CAAC;AAC/E,UAAM,SAAS,KAAK,MAAM,UAAU;AACpC,QAAI,OAAO,WAAW,YAAY,WAAW,QAAQ,MAAM,QAAQ,MAAM,GAAG;AAC1E,YAAM,IAAI,MAAM,4CAA4C;AAAA,IAC9D;AACA,aAAS;AAAA,EACX,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR;AAAA,MACA,6DAA6D,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,IAC/G;AAAA,EACF;AAKA,MAAI,OAAO,QAAQ,aAAa;AAC9B,UAAM,IAAI,qBAAqB,aAAa,8BAA8B,WAAW,UAAU,OAAO,OAAO,GAAG,CAAC,GAAG;AAAA,EACtH;AAGA,MAAI,CAAC,aAAa,SAAS,OAAO,GAAiB,GAAG;AACpD,UAAM,IAAI,qBAAqB,mBAAmB,kCAAkC,aAAa,KAAK,IAAI,CAAC,SAAS,OAAO,OAAO,GAAG,CAAC,GAAG;AAAA,EAC3I;AAGA,MAAI,OAAO,OAAO,QAAQ,YAAY,CAAC,OAAO,KAAK;AACjD,UAAM,IAAI;AAAA,MACR;AAAA,MACA,4DAA4D,OAAO,QAAQ,SAAY,cAAc,OAAO,OAAO,GAAG;AAAA,IACxH;AAAA,EACF;AAMA,MAAI,UAAU,QAAQ;AACpB,UAAM,OAAQ,OAA8B;AAC5C,QAAI,CAAC,MAAM,QAAQ,IAAI,KAAK,KAAK,WAAW,KAAK,CAAC,KAAK,MAAM,CAAC,MAAM,OAAO,MAAM,QAAQ,GAAG;AAC1F,YAAM,IAAI;AAAA,QACR;AAAA,QACA,uEAAuE,KAAK,UAAU,IAAI,CAAC;AAAA,MAC7F;AAAA,IACF;AACA,UAAM,IAAI;AAAA,MACR;AAAA,MACA,8DAA8D,KAAK,UAAU,IAAI,CAAC;AAAA,IACpF;AAAA,EACF;AAEA,MAAI;AACJ,MAAI;AACF,UAAM,WAAW,MAAM,KAAK;AAAA,MAC1B;AAAA,MACA,OAAO,MAAM;AAKX,cAAM,MAAM,EAAE;AACd,YAAI,OAAO,QAAQ,YAAY,CAAC,KAAK;AACnC,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,4DAA4D,QAAQ,SAAY,cAAc,OAAO,GAAG;AAAA,UAC1G;AAAA,QACF;AACA,cAAM,UAAU,KAAK,KAAK;AAAA,UACxB,CAAC,MAAM,KAAK,QAAQ,OAAO,MAAM,YAAa,EAA8B,QAAQ;AAAA,QACtF;AACA,YAAI,QAAQ,WAAW,EAAG,OAAM,IAAI,qBAAqB,iBAAiB,+BAA+B,KAAK,UAAU,GAAG,CAAC,GAAG;AAC/H,YAAI,QAAQ,SAAS,EAAG,OAAM,IAAI,qBAAqB,iBAAiB,iBAAiB,QAAQ,MAAM,kBAAkB,KAAK,UAAU,GAAG,CAAC,yBAAyB;AAMrK,cAAM,aAAa,QAAQ,CAAC;AAC5B,YAAI,WAAW,OAAO,QAAQ,WAAW,QAAQ,OAAO;AACtD,gBAAM,IAAI,qBAAqB,gBAAgB,gBAAgB,GAAG,YAAY,KAAK,UAAU,WAAW,GAAG,CAAC,mBAAmB;AAAA,QACjI;AAEA,YAAI,WAAW,OAAO,QAAQ,WAAW,QAAQ,EAAE,KAAK;AACtD,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,WAAW,KAAK,UAAU,WAAW,GAAG,CAAC,kCAAkC,KAAK,UAAU,EAAE,GAAG,CAAC;AAAA,UAClG;AAAA,QACF;AACA,eAAO,KAAK,UAAU,QAAQ,CAAC,GAA2C,EAAE,GAAG;AAAA,MACjF;AAAA,IACF;AACA,oBAAgB,SAAS;AAAA,EAC3B,SAAS,KAAK;AACZ,QAAI,eAAe,qBAAsB,OAAM;AAC/C,QAAI,eAAe,SAAS,IAAI,SAAS,qBAAqB;AAC5D,YAAM,IAAI,qBAAqB,mBAAmB,gCAAgC,IAAI,OAAO,EAAE;AAAA,IACjG;AACA,QAAI,eAAe,SAAS,IAAI,SAAS,kCAAkC;AACzE,YAAM,IAAI,qBAAqB,qBAAqB,sCAAsC,IAAI,OAAO,EAAE;AAAA,IACzG;AACA,QAAI,eAAe,SAAS,IAAI,SAAS,cAAc;AACrD,YAAM,IAAI,qBAAqB,iBAAiB,kBAAkB,IAAI,OAAO,EAAE;AAAA,IACjF;AAIA,QAAI,eAAe,SAAS,IAAI,SAAS,oBAAoB;AAC3D,YAAM,IAAI,qBAAqB,gCAAgC,sDAAsD,IAAI,OAAO,EAAE;AAAA,IACpI;AACA,UAAM;AAAA,EACR;AAEA,MAAI;AACJ,MAAI;AACF,oBAAgB,oBAAoB,QAAsB;AAAA,EAC5D,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR;AAAA,MACA,6DAA6D,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,IAC/G;AAAA,EACF;AACA,QAAM,kBAAkB,IAAI,YAAY,EAAE,OAAO,aAAa;AAO9D,MAAI,CAAC,kBAAkB,eAAe,eAAe,GAAG;AACtD,UAAM,IAAI,qBAAqB,iBAAiB,iFAAiF;AAAA,EACnI;AAEA,SAAO;AACT;AAGA,SAAS,kBAAkB,GAAe,GAAwB;AAChE,MAAI,EAAE,WAAW,EAAE,OAAQ,QAAO;AAClC,MAAI,OAAO;AACX,WAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK,GAAG;AACpC,YAAQ,EAAE,CAAC,IAAI,EAAE,CAAC;AAAA,EACpB;AACA,SAAO,SAAS;AAClB;AAcO,SAAS,kBAAkB,MAAqC;AACrE,SAAO,EAAE,KAAK;AAChB;;;ACrcO,SAAS,2BACd,QACA,MAC8B;AAC9B,MAAI,CAAC,UAAU,CAAC,OAAO,YAAa,QAAO;AAC3C,SAAO;AAAA,IACL,QAAQ,KAAK;AAAA,IACb,GAAI,KAAK,YAAY,UAAa,EAAE,SAAS,KAAK,QAAQ;AAAA,IAC1D,GAAI,OAAO,eAAe,UAAa,EAAE,YAAY,OAAO,WAAW;AAAA,IACvE,GAAI,OAAO,0BAA0B,UAAa;AAAA,MAChD,uBAAuB,OAAO;AAAA,IAChC;AAAA,IACA,GAAI,OAAO,WAAW,UAAa,EAAE,QAAQ,OAAO,OAAO;AAAA,IAC3D,GAAI,OAAO,yBAAyB,UAAa;AAAA,MAC/C,sBAAsB,CAAC,GAAG,OAAO,oBAAoB;AAAA,IACvD;AAAA,EACF;AACF;AAoBA,eAAsB,uBACpB,aACA,SACqB;AACrB,MAAI,CAAC,WAAW,CAAC,YAAa,QAAO,EAAE,QAAQ,YAAY;AAE3D,QAAM,UAAU,MAAM,QAAQ;AAC9B,MAAI,QAAQ,GAAI,QAAO,EAAE,QAAQ,WAAW;AAE5C,MAAI,gBAAgB,QAAQ;AAC1B,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,cAAc,QAAQ;AAAA,MACtB,YAAY,QAAQ;AAAA,MACpB,GAAI,QAAQ,WAAW,UAAa,EAAE,cAAc,QAAQ,OAAO;AAAA,IACrE;AAAA,EACF;AACA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,cAAc,QAAQ;AAAA,IACtB,YAAY,QAAQ;AAAA,IACpB,GAAI,QAAQ,WAAW,UAAa,EAAE,cAAc,QAAQ,OAAO;AAAA,EACrE;AACF;AAGO,SAAS,uBAAuB,SAAiB,QAAiD;AACvG,MAAI,CAAC,QAAQ,4BAA4B,OAAO,yBAAyB,WAAW,EAAG,QAAO;AAC9F,QAAM,UAAU,IAAI,IAAI,OAAO,yBAAyB,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;AACnF,SAAO,QAAQ,IAAI,QAAQ,YAAY,CAAC;AAC1C;AAQO,SAAS,qBACd,OACA,SACA,QACS;AACT,MAAI,CAAC,QAAQ,yBAAyB,OAAO,sBAAsB,WAAW,EAAG,QAAO;AACxF,MAAI,QAAQ,YAAY,MAAM,KAAM,QAAO;AAC3C,QAAM,UAAU,IAAI,IAAI,OAAO,sBAAsB,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;AAChF,SAAO,QAAQ,IAAI,MAAM,YAAY,CAAC;AACxC;","names":[]}
1
+ {"version":3,"sources":["../src/identity/ucp.ts","../src/identity/ucp-jwks.ts","../src/payment/usdc.ts","../src/payment/wwwauthenticate.ts","../src/payment/networks.ts","../src/payment/rails.ts","../src/payment/directive.ts","../src/discovery/probe.ts","../src/discovery/well_known.ts","../src/core.ts","../src/_denial.ts","../src/_response.ts","../src/address.ts","../src/cache.ts","../src/signer.ts","../src/identity/a2a.ts","../src/index.ts","../src/checkout.ts","../src/payment/rail_spec.ts","../src/challenge/accepted_methods.ts","../src/challenge/agent_instructions.ts","../src/challenge/agent_memory.ts","../src/challenge/body.ts","../src/challenge/how_to_pay.ts","../src/challenge/identity.ts","../src/challenge/pricing.ts","../src/challenge/respond_402.ts","../src/challenge/validation_error.ts","../src/stripe-multichain/mppx_stripe.ts","../src/payment/mppx_server.ts","../src/payment/x402_server.ts","../src/payment/x402.ts","../src/payment/lazy.ts","../src/payment/x402_settle.ts","../src/payment/x402_validation.ts","../src/payment/zero-settle.ts","../src/identity/policy.ts","../src/identity/tokens.ts","../src/payment/index.ts","../src/payment/headers.ts","../src/payment/amounts.ts","../src/payment/solana.ts"],"sourcesContent":["/**\n * UCP (Universal Commerce Protocol) profile builder.\n *\n * Compose the JSON payload published at `/.well-known/ucp` per the UCP spec.\n * Output shape matches the spec example: top-level `{ ucp: {...}, signing_keys: [...] }`\n * envelope, with `services` / `capabilities` / `payment_handlers` as MAPs keyed by\n * reverse-DNS service / capability / handler name.\n *\n * AgentScore identity claims layer over UCP via the `sh.agentscore.identity` capability\n * (vendor-namespaced; UCP doesn't define KYC/sanctions/age/jurisdiction natively). The\n * capability extends `dev.ucp.shopping.checkout` AND `dev.ucp.shopping.cart` (multi-parent,\n * the standard pattern UCP allows for capabilities that compose multiple parents).\n *\n * The unsigned profile body returned here is what merchants publish; pass it through\n * `signUCPProfile` to attach the `agentscore-profile+jws` signature for trust-mode\n * verifiers (vendor extension; UCP itself doesn't mandate profile-body signing).\n *\n * Spec reference: https://ucp.dev/\n */\n\n\n/**\n * UCP per-element shape note: each binding interface (`UCPServiceBinding`,\n * `UCPCapabilityBinding`, `UCPPaymentHandlerBinding`) carries the canonical UCP fields\n * plus arbitrary vendor extras flat on the same object via `[k: string]: unknown`. The\n * python sibling models these as dataclasses with an explicit `extras: dict` field. Both\n * designs offer equivalent guarantees through different mechanisms.\n */\n// ─── Payment handler builders ─────────────────────────────────────────────\n// Vendors compose UCP `payment_handlers` blocks by spreading these helpers.\n// The helpers fill in id/version/spec/schema/config wrapper so vendors only\n// supply merchant-specific data (networks + recipients + profile_id).\n//\n// payment_handlers: {\n// ...mppPaymentHandler({ networks: [...] }),\n// ...x402PaymentHandler({ networks: [...] }),\n// ...stripeSptPaymentHandler({ profile_id: '...' }),\n// }\n//\n// Each helper returns `{ [reverse-DNS-key]: [binding] }` so spreading into\n// the parent map composes cleanly. The reverse-DNS keys + spec/schema URLs\n// + handler `version` are owned by these constants; bumping a handler spec\n// version is a one-line change here, not 20 lines across consumers.\n\nimport {\n type RecipientLike,\n type SolanaMppRailSpec,\n type StripeRailSpec,\n type TempoRailSpec,\n type TempoSessionRailSpec,\n type X402BaseRailSpec,\n} from '../payment/rail_spec';\n\nexport interface UCPSigningKey {\n /** JWK kid (key id). */\n kid: string;\n /** JWK kty (key type) — `EC`, `RSA`, or `OKP`. */\n kty: string;\n /** JWK alg (signing algorithm) — `ES256`, `RS256`, or `EdDSA`. */\n alg?: string;\n /** JWK use, typically `sig`. */\n use?: string;\n /** JWK crv (curve) for EC / OKP keys. */\n crv?: string;\n /** JWK x / y / n / e / etc. The full key material; passed through verbatim. */\n [k: string]: unknown;\n}\n\n/**\n * Construct a UCPSigningKey from a public JWK dict (e.g. the `publicJWK` returned by\n * `generateUCPSigningKey()`). Validates required fields and rejects symmetric keys that\n * can't publicly verify a JWS in trust-mode UCP. Mirrors python's\n * `UCPSigningKey.from_jwk(public_jwk)` classmethod via the `UCPSigningKey.fromJWK`\n * static-method-style namespace export below.\n */\nfunction ucpSigningKeyFromJWKImpl(jwk: Record<string, unknown>): UCPSigningKey {\n if (!jwk || typeof jwk !== 'object') {\n throw new Error(`UCPSigningKey.fromJWK expected a non-null object; got ${typeof jwk}.`);\n }\n if (typeof jwk.kid !== 'string' || !jwk.kid) {\n throw new Error('UCPSigningKey.fromJWK: JWK missing required field `kid` (or non-string).');\n }\n if (typeof jwk.kty !== 'string' || !jwk.kty) {\n throw new Error('UCPSigningKey.fromJWK: JWK missing required field `kty` (or non-string).');\n }\n if (jwk.kty !== 'OKP' && jwk.kty !== 'EC' && jwk.kty !== 'RSA') {\n throw new Error(\n `UCPSigningKey.fromJWK: kty=${JSON.stringify(jwk.kty)} is not a supported asymmetric key type (expected OKP, EC, or RSA). Symmetric \\`oct\\` keys are rejected because they cannot publicly verify a JWS in the trust-mode UCP flow.`,\n );\n }\n if ((jwk.kty === 'EC' || jwk.kty === 'OKP') && (typeof jwk.crv !== 'string' || !jwk.crv)) {\n throw new Error(`UCPSigningKey.fromJWK: kty=${jwk.kty} requires a non-empty \\`crv\\` field (e.g., \"P-256\" for EC, \"Ed25519\" for OKP).`);\n }\n return jwk as unknown as UCPSigningKey;\n}\n\n/** Static-method-style namespace on the `UCPSigningKey` interface — mirrors python's\n * `UCPSigningKey.from_jwk(jwk)` classmethod. Use as `UCPSigningKey.fromJWK(jwk)`. */\nexport const UCPSigningKey = {\n fromJWK: ucpSigningKeyFromJWKImpl,\n};\n\n/** Transport binding — keyed under a service name (e.g., `dev.ucp.shopping`). */\nexport interface UCPServiceBinding {\n /** Spec version, YYYY-MM-DD per UCP convention. REQUIRED. */\n version: string;\n /** URL to human-readable specification. REQUIRED. */\n spec: string;\n /** Transport — `rest` / `mcp` / `a2a` / `embedded`. REQUIRED. */\n transport: 'rest' | 'mcp' | 'a2a' | 'embedded';\n /** Endpoint URL — required for rest/mcp; A2A points at the agent-card.json URL. */\n endpoint?: string;\n /** URL to JSON Schema — required for rest/mcp/embedded per spec. */\n schema?: string;\n /** Optional id for entity-instance disambiguation. */\n id?: string;\n /** Entity-specific config. */\n config?: Record<string, unknown>;\n /** Vendor-specific extras. */\n [k: string]: unknown;\n}\n\n/** Capability binding — keyed under a capability name (e.g., `dev.ucp.shopping.checkout`). */\nexport interface UCPCapabilityBinding {\n /** Capability version, YYYY-MM-DD. REQUIRED. */\n version: string;\n /** URL to human-readable specification. REQUIRED. */\n spec: string;\n /** URL to JSON Schema. REQUIRED. */\n schema: string;\n /** Optional id for entity-instance disambiguation. */\n id?: string;\n /** Entity-specific config (feature flags, callback URLs, etc). */\n config?: Record<string, unknown>;\n /** Parent capability(ies) extended — single string or array for multi-parent. */\n extends?: string | string[];\n /** Optional version requirements per UCP §6.5. */\n requires?: {\n protocol?: { min: string; max?: string };\n capabilities?: Record<string, { min: string; max?: string }>;\n };\n /** Vendor-specific extras allowed per UCP convention (e.g., the AgentScore identity\n * capability adds a vendor-namespaced policy declaration here). */\n [k: string]: unknown;\n}\n\n/** Payment handler binding — keyed under a handler reverse-DNS name (e.g., `com.google.pay`). */\nexport interface UCPPaymentHandlerBinding {\n /** Handler instance id (short, human-readable, e.g., `gpay`, `tempo`, `x402`). REQUIRED. */\n id: string;\n /** Handler spec version, YYYY-MM-DD. REQUIRED. */\n version: string;\n /** URL to handler spec. REQUIRED. */\n spec: string;\n /** URL to handler config schema. REQUIRED. */\n schema: string;\n /** Available instruments — type + per-type constraints (cards, wallets, etc.). */\n available_instruments?: Array<{ type: string; constraints?: Record<string, unknown>; [k: string]: unknown }>;\n /** Handler config — gateway IDs, merchant IDs, public keys, etc. */\n config?: Record<string, unknown>;\n /** Vendor-specific extras. */\n [k: string]: unknown;\n}\n\n/** UCP body — nested under the `ucp` key of the published profile. */\nexport interface UCPProfileBody {\n /** UCP spec version (YYYY-MM-DD). */\n version: string;\n /** Display name for the merchant / agent surface. */\n name?: string;\n /** Services — keyed by service name (e.g., `dev.ucp.shopping`). Each value is an\n * array of transport bindings (one merchant typically advertises multiple transports\n * under one service name). */\n services: Record<string, UCPServiceBinding[]>;\n /** Capabilities — keyed by capability name (e.g., `dev.ucp.shopping.checkout`). */\n capabilities: Record<string, UCPCapabilityBinding[]>;\n /** Payment handlers — keyed by handler reverse-DNS name (e.g., `com.google.pay`). */\n payment_handlers: Record<string, UCPPaymentHandlerBinding[]>;\n /** Optional `supported_versions` map linking historical version-specific profile URLs.\n * Pattern: `{ \"2026-01-23\": \"https://merchant/.well-known/ucp/2026-01-23\", ... }`. */\n supported_versions?: Record<string, string>;\n /** Vendor-specific extras inside the `ucp` envelope. */\n [k: string]: unknown;\n}\n\n/** Full UCP profile body as published at `/.well-known/ucp`. Top-level shape:\n * `{ ucp: {...}, signing_keys: [...], signature?: \"...\" }`. */\nexport interface UCPProfile {\n /** UCP body. ALL UCP-spec fields nest here per spec. */\n ucp: UCPProfileBody;\n /** JWKS — public keys at the OUTER level per UCP spec. Verifiers fetch this profile,\n * match the kid from a JWS / RFC 9421 signature header against this list, and validate. */\n signing_keys: UCPSigningKey[];\n /** Set when JWS-signed via `signUCPProfile` — JWS Compact Serialization with detached\n * payload (header..signature; payload is the canonicalized body minus this field). */\n signature?: string;\n /** Top-level vendor-specific extras (outside the `ucp` envelope). */\n [k: string]: unknown;\n}\n\ninterface BuildUCPProfileInput {\n /** UCP spec version. Default `'2026-04-08'` (the latest published UCP spec date). MUST match a published UCP spec version, not a free-form date. */\n version?: string;\n /** Display name for the merchant / agent surface. */\n name?: string;\n /** Services map, keyed by service name. UCP-shopping merchants typically advertise\n * bindings under `'dev.ucp.shopping'`. */\n services?: Record<string, UCPServiceBinding[]>;\n /** Capabilities map, keyed by capability name. The `sh.agentscore.identity` capability\n * is auto-added when `agentscore_gate` is provided. */\n capabilities?: Record<string, UCPCapabilityBinding[]>;\n /** Payment handlers map, keyed by handler reverse-DNS name. */\n payment_handlers?: Record<string, UCPPaymentHandlerBinding[]>;\n /** JWKS — public keys the merchant signs with. REQUIRED by spec. */\n signing_keys: UCPSigningKey[];\n /** Merchant gate policy declaration. When provided, the SDK auto-injects an\n * `sh.agentscore.identity` capability binding into `capabilities`, with the\n * policy as the binding's `config`. Static merchant declaration only — no\n * per-operator data ever ends up on the public profile. Per-operator identity\n * attestation lives on the AP2 risk-signal endpoint, not here. */\n agentscore_gate?: AgentScoreGatePolicy;\n /** Optional override for the AgentScore capability schema URL. Field is snake_cased\n * for cross-language parity with the Python sibling. */\n agentscore_schema_url?: string;\n /** Optional override for the AgentScore capability spec URL. */\n agentscore_spec_url?: string;\n /** `supported_versions` map at the profile root for backwards-compat across\n * spec dates. Pattern: `{ \"<date>\": \"<base>/.well-known/ucp/<date>\" }`. */\n supported_versions?: Record<string, string>;\n /** Vendor-specific extras at the OUTER level (alongside `ucp` + `signing_keys`). */\n extras?: Record<string, unknown>;\n /** Vendor-specific extras INSIDE the `ucp` envelope (alongside `version`, `services`, etc.). */\n ucp_extras?: Record<string, unknown>;\n}\n\nconst DEFAULT_VERSION = '2026-04-08';\n// Reverse-DNS namespacing per UCP convention (`^[a-z][a-z0-9]*(?:\\.[a-z][a-z0-9_]*)+$`).\n// The bare `agentscore-identity` form fails the spec regex; vendor-namespacing under\n// `sh.agentscore` is honest about the capability being our extension, not UCP-canonical.\nconst AGENTSCORE_CAPABILITY_NAME = 'sh.agentscore.identity';\n// Date-format version per UCP convention (matches every other binding's version field).\nconst AGENTSCORE_CAPABILITY_VERSION = '2026-04-08';\n\n/** Merchant gate policy declared on the UCP profile via `sh.agentscore.identity` capability config.\n * All fields optional; merchant declares which AgentScore checks the gate enforces. Snake-case\n * field names match the AgentScore API's `/v1/assess` policy contract verbatim — no conversion\n * layer between this declaration and what the gate actually enforces at runtime. */\nexport interface AgentScoreGatePolicy {\n /** Gate denies if the operator/account behind the agent is not Stripe-Identity-verified. */\n require_kyc?: boolean;\n /** Gate denies if the operator/account is flagged by OpenSanctions screening. */\n require_sanctions_clear?: boolean;\n /** Gate denies if the verified age (from KYC) is below this threshold. Common values: 18, 21. */\n min_age?: number;\n /** ISO-3166-1 alpha-2 country codes the gate accepts. Empty/absent allows any. Mutually exclusive\n * with `blocked_jurisdictions` (set one or the other, not both). */\n allowed_jurisdictions?: string[];\n /** ISO-3166-1 alpha-2 country codes the gate denies. Empty/absent denies none. Mutually exclusive\n * with `allowed_jurisdictions`. */\n blocked_jurisdictions?: string[];\n}\nconst AGENTSCORE_DEFAULT_SPEC_URL = 'https://agentscore.sh/specification/identity';\nconst AGENTSCORE_DEFAULT_SCHEMA_URL = 'https://agentscore.sh/schemas/ucp/sh-agentscore-identity-v1.json';\n// Multi-parent extension — `sh.agentscore.identity` declares merchant policy relevant at\n// both checkout-build (compliance gate) and cart-build (price-gate eligibility, jurisdiction-\n// restricted items in cart) time, so an agent reading either parent capability picks up the\n// policy contract. Mirrors the multi-parent convention in the live ecosystem\n// (Shopify's `dev.shopify.catalog.storefront` extends both `catalog.search` and\n// `catalog.lookup`; UCP-canonical `dev.ucp.shopping.discount` extends both checkout and cart).\nconst AGENTSCORE_EXTENDS = ['dev.ucp.shopping.checkout', 'dev.ucp.shopping.cart'];\n\nconst RESERVED_TOP_LEVEL = new Set([\n 'ucp',\n 'signing_keys',\n 'signature',\n '__proto__',\n 'constructor',\n 'prototype',\n]);\nconst RESERVED_UCP_FIELDS = new Set([\n 'version',\n 'name',\n 'services',\n 'capabilities',\n 'payment_handlers',\n 'supported_versions',\n '__proto__',\n 'constructor',\n 'prototype',\n]);\n\n/**\n * Compose a UCP profile body for `/.well-known/ucp` publication. Returns the spec-\n * compliant shape: `{ ucp: { version, services, capabilities, payment_handlers, ... },\n * signing_keys: [...] }`. Pass through `signUCPProfile` to attach a JWS signature for\n * trust-mode verifiers.\n *\n * Auto-injects `sh.agentscore.identity` as a vendor capability extending both\n * `dev.ucp.shopping.checkout` and `dev.ucp.shopping.cart` when `agentscore_gate`\n * is provided. The capability's `config` carries the merchant's static gate\n * policy declaration (require_kyc / require_sanctions_clear / min_age /\n * allowed_jurisdictions / blocked_jurisdictions). NO per-operator data is ever\n * placed on the public profile — per-operator identity attestation flows through\n * the AP2 risk-signal endpoint, not here.\n *\n * Example:\n * ```ts\n * import { buildUCPProfile } from '@agent-score/commerce';\n *\n * const profile = buildUCPProfile({\n * name: 'Example Merchant',\n * services: {\n * 'dev.ucp.shopping': [\n * { version: '2026-04-08', spec: 'https://ucp.dev/2026-04-08/specification/overview',\n * transport: 'mcp', endpoint: 'https://merchant.example/api/ucp/mcp',\n * schema: 'https://ucp.dev/services/shopping/mcp.openrpc.json' },\n * ],\n * },\n * payment_handlers: {\n * ...mppPaymentHandler({ networks: [{ network: 'tempo-mainnet', chain_id: 4217, recipient: TEMPO_ADDR }] }),\n * },\n * signing_keys: [signingKey],\n * agentscore_gate: { require_kyc: true, min_age: 21, allowed_jurisdictions: ['US'] },\n * });\n * ```\n */\nexport function buildUCPProfile(input: BuildUCPProfileInput): UCPProfile {\n // Per UCP spec service.json: rest/mcp/a2a transports REQUIRE endpoint;\n // embedded does not. Validate caller-supplied services so a misconfigured\n // profile fails locally instead of being rejected by spec-strict platforms.\n for (const [name, bindings] of Object.entries(input.services ?? {})) {\n for (const binding of bindings) {\n if (\n (binding.transport === 'rest' || binding.transport === 'mcp' || binding.transport === 'a2a')\n && (binding.endpoint === undefined || binding.endpoint === null || binding.endpoint === '')\n ) {\n throw new Error(\n `buildUCPProfile: service \"${name}\" transport=${binding.transport} requires \\`endpoint\\`. Per UCP spec service.json business_schema, rest/mcp/a2a bindings MUST carry an endpoint URL.`,\n );\n }\n }\n }\n\n // Per UCP spec payment_handler.json: available_instruments has minItems:1.\n // Deep-copy each binding and drop available_instruments when empty so a caller\n // passing `[]` doesn't ship an invalid profile.\n const paymentHandlers: Record<string, UCPPaymentHandlerBinding[]> = {};\n for (const [name, bindings] of Object.entries(input.payment_handlers ?? {})) {\n paymentHandlers[name] = bindings.map((binding) => {\n if (Array.isArray(binding.available_instruments) && binding.available_instruments.length === 0) {\n const { available_instruments: _drop, ...rest } = binding;\n return rest as UCPPaymentHandlerBinding;\n }\n return binding;\n });\n }\n\n // Deep-clone the capabilities map so we can safely mutate (auto-add the AgentScore\n // identity capability) without altering the caller's input.\n const capabilities: Record<string, UCPCapabilityBinding[]> = {};\n for (const [name, bindings] of Object.entries(input.capabilities ?? {})) {\n capabilities[name] = [...bindings];\n }\n\n // Auto-inject `sh.agentscore.identity` capability when the merchant declares a gate\n // policy. Static merchant-policy declaration only — no per-operator data on the public\n // profile. Per-operator identity attestation flows through the AP2 risk-signal endpoint\n // or per-request 4xx response bodies, not here.\n if (input.agentscore_gate) {\n const gateConfig = { ...input.agentscore_gate };\n const agentscoreBinding: UCPCapabilityBinding = {\n version: AGENTSCORE_CAPABILITY_VERSION,\n spec: input.agentscore_spec_url ?? AGENTSCORE_DEFAULT_SPEC_URL,\n schema: input.agentscore_schema_url ?? AGENTSCORE_DEFAULT_SCHEMA_URL,\n extends: AGENTSCORE_EXTENDS,\n };\n // Omit `config` when empty so node + python emit byte-identical canonical output\n // (python's UCPCapabilityBinding.to_dict already drops empty config).\n if (Object.keys(gateConfig).length > 0) agentscoreBinding.config = gateConfig;\n const existing = capabilities[AGENTSCORE_CAPABILITY_NAME];\n if (existing) existing.push(agentscoreBinding);\n else capabilities[AGENTSCORE_CAPABILITY_NAME] = [agentscoreBinding];\n }\n\n const ucp: UCPProfileBody = {\n version: input.version ?? DEFAULT_VERSION,\n services: input.services ?? {},\n capabilities,\n payment_handlers: paymentHandlers,\n };\n if (input.name !== undefined) ucp.name = input.name;\n if (input.supported_versions !== undefined) ucp.supported_versions = input.supported_versions;\n if (input.ucp_extras) {\n for (const k of Object.keys(input.ucp_extras)) {\n if (RESERVED_UCP_FIELDS.has(k)) {\n throw new Error(`buildUCPProfile: ucp_extras key \"${k}\" collides with a reserved \\`ucp\\` field; rejected.`);\n }\n }\n Object.assign(ucp, input.ucp_extras);\n }\n\n const profile: UCPProfile = {\n ucp,\n signing_keys: input.signing_keys,\n };\n if (input.extras) {\n // `__proto__`, `constructor`, `prototype` reserved so vendor extras can't slip\n // prototype-pollution payloads into the canonical body.\n for (const k of Object.keys(input.extras)) {\n if (RESERVED_TOP_LEVEL.has(k)) {\n throw new Error(`buildUCPProfile: extras key \"${k}\" collides with a reserved profile field; rejected.`);\n }\n }\n Object.assign(profile, input.extras);\n }\n\n return profile;\n}\n\nexport const AGENTSCORE_UCP_CAPABILITY = AGENTSCORE_CAPABILITY_NAME;\n\nconst HANDLER_VERSION = '2026-04-08';\nconst SPEC_BASE = 'https://agentscore.sh/specification/payment-handlers';\nconst SCHEMA_BASE = 'https://agentscore.sh/schemas/payment-handlers';\n\n// CAIP-2 → UCP-namespace network-name mapping. UCP payment_handler bindings publish\n// network strings in the UCP namespace (`base-8453`, `solana-mainnet-beta`); RailSpecs\n// carry the CAIP-2 form (`eip155:8453`, `solana:5eykt4...`). Unknown values pass\n// through verbatim — vendors who pin a non-standard rail can override the spec's\n// network field directly.\nconst CAIP2_TO_UCP_NETWORK: Record<string, string> = {\n 'eip155:8453': 'base-8453',\n 'eip155:84532': 'base-84532',\n 'solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp': 'solana-mainnet-beta',\n 'solana:EtWTRABZaYq6iMfeYKouRu166VU2xqa1': 'solana-devnet',\n};\n\nfunction ucpNetworkName(caip2OrUcp: string | undefined, fallback: string): string {\n if (caip2OrUcp === undefined) return fallback;\n return CAIP2_TO_UCP_NETWORK[caip2OrUcp] ?? caip2OrUcp;\n}\n\n/**\n * Return the recipient as a string when it's both a string AND non-empty;\n * `undefined` for factory callables OR empty-string sentinels (both signal\n * per-order minting; the authoritative recipient ships in the 402 body at\n * request time, not in the static UCP profile).\n */\nfunction staticRecipient(r: RecipientLike): string | undefined {\n return typeof r === 'string' && r.length > 0 ? r : undefined;\n}\n\nfunction tempoToNetworkEntry(spec: TempoRailSpec): Record<string, unknown> {\n const entry: Record<string, unknown> = {\n network: spec.testnet ? 'tempo-testnet' : (spec.network ?? 'tempo-mainnet'),\n chain_id: spec.chainId ?? 4217,\n };\n const recipient = staticRecipient(spec.recipient);\n if (recipient !== undefined) entry.recipient = recipient;\n return entry;\n}\n\nfunction solanaMppToNetworkEntry(spec: SolanaMppRailSpec): Record<string, unknown> {\n const entry: Record<string, unknown> = {\n network: ucpNetworkName(spec.network, 'solana-mainnet-beta'),\n };\n const recipient = staticRecipient(spec.recipient);\n if (recipient !== undefined) entry.recipient = recipient;\n return entry;\n}\n\nfunction tempoSessionToNetworkEntry(spec: TempoSessionRailSpec): Record<string, unknown> {\n const entry: Record<string, unknown> = {\n network: spec.testnet ? 'tempo-testnet' : 'tempo-mainnet',\n escrow_contract: spec.escrowContract,\n };\n const recipient = staticRecipient(spec.recipient);\n if (recipient !== undefined) entry.recipient = recipient;\n return entry;\n}\n\ntype MppRailSpec = TempoRailSpec | SolanaMppRailSpec | TempoSessionRailSpec;\n\nfunction isTempoRailSpec(s: MppRailSpec): s is TempoRailSpec {\n return !('escrowContract' in s) && !('rpcUrl' in s) && !('tokenProgram' in s);\n}\n\nfunction isTempoSessionRailSpec(s: MppRailSpec): s is TempoSessionRailSpec {\n return 'escrowContract' in s && 'store' in s;\n}\n\nfunction mppRailToNetworkEntry(spec: MppRailSpec): Record<string, unknown> {\n if (isTempoSessionRailSpec(spec)) return tempoSessionToNetworkEntry(spec);\n if ('rpcUrl' in spec || 'tokenProgram' in spec || (spec.network?.startsWith('solana:') ?? false)) {\n return solanaMppToNetworkEntry(spec as SolanaMppRailSpec);\n }\n if (isTempoRailSpec(spec)) return tempoToNetworkEntry(spec);\n // Default: treat as TempoRailSpec — covers the common case where the caller passes\n // a bare `{recipient}` with no network/chain_id override.\n return tempoToNetworkEntry(spec as TempoRailSpec);\n}\n\n/**\n * Build the `sh.agentscore.payment.mpp` payment handler block for a UCP profile.\n *\n * Pass any mix of `TempoRailSpec`, `SolanaMppRailSpec`, and `TempoSessionRailSpec`.\n *\n * @example\n * ```ts\n * buildUCPProfile({\n * ...,\n * payment_handlers: {\n * ...mppPaymentHandler({\n * networks: [\n * { recipient: '0xtempo' }, // TempoRailSpec\n * { recipient: 'solanaaddr', network: 'solana:5eykt4...' }, // SolanaMppRailSpec\n * ],\n * }),\n * },\n * });\n * ```\n */\nexport function mppPaymentHandler({\n networks,\n}: {\n networks: MppRailSpec[];\n}): Record<string, UCPPaymentHandlerBinding[]> {\n return {\n 'sh.agentscore.payment.mpp': [{\n id: 'mpp',\n version: HANDLER_VERSION,\n spec: `${SPEC_BASE}/mpp`,\n schema: `${SCHEMA_BASE}/mpp.json`,\n config: { networks: networks.map(mppRailToNetworkEntry) },\n }],\n };\n}\n\nfunction x402RailToNetworkEntry(spec: X402BaseRailSpec): Record<string, unknown> {\n const entry: Record<string, unknown> = {\n network: ucpNetworkName(spec.network, 'base-8453'),\n };\n const recipient = staticRecipient(spec.recipient);\n if (recipient !== undefined) entry.recipient = recipient;\n return entry;\n}\n\n/**\n * Build the `sh.agentscore.payment.x402` payment handler block for a UCP profile.\n *\n * @example\n * ```ts\n * buildUCPProfile({\n * ...,\n * payment_handlers: {\n * ...x402PaymentHandler({ networks: [{ recipient: '0xabc...' }] }),\n * },\n * });\n * ```\n */\nexport function x402PaymentHandler({\n networks,\n}: {\n networks: X402BaseRailSpec[];\n}): Record<string, UCPPaymentHandlerBinding[]> {\n return {\n 'sh.agentscore.payment.x402': [{\n id: 'x402',\n version: HANDLER_VERSION,\n spec: `${SPEC_BASE}/x402`,\n schema: `${SCHEMA_BASE}/x402.json`,\n config: { networks: networks.map(x402RailToNetworkEntry) },\n }],\n };\n}\n\n/**\n * Build the `sh.agentscore.payment.stripe_spt` payment handler block for a UCP profile.\n *\n * @example\n * ```ts\n * buildUCPProfile({\n * ...,\n * payment_handlers: {\n * ...stripeSptPaymentHandler({ spec: { profileId: 'profile_5xKvNqM9BaH' } }),\n * },\n * });\n * ```\n */\nexport function stripeSptPaymentHandler({\n spec,\n}: {\n spec: StripeRailSpec;\n}): Record<string, UCPPaymentHandlerBinding[]> {\n return {\n 'sh.agentscore.payment.stripe_spt': [{\n id: 'stripe-spt',\n version: HANDLER_VERSION,\n spec: `${SPEC_BASE}/stripe_spt`,\n schema: `${SCHEMA_BASE}/stripe_spt.json`,\n config: { rail: 'stripe-spt', profile_id: spec.profileId ?? null },\n }],\n };\n}\n","/**\n * UCP profile signing helpers (JWKS + JWS).\n *\n * UCP §6 (https://ucp.dev/latest/specification/signatures/) requires that profiles\n * published at `/.well-known/ucp` carry a JWKS-backed signature for trust-mode clients\n * (Google AI Mode, Gemini commerce, future ChatGPT app shells). Without a signature,\n * trust-mode clients reject the profile.\n *\n * This module provides:\n * - `generateUCPSigningKey()` — generate an Ed25519 keypair for signing\n * - `signUCPProfile()` — sign a UCP profile body, returning a JWS-attached envelope\n * - `verifyUCPProfile()` — verify a signed profile against a JWKS\n * - `buildJWKSResponse()` — assemble a JWKS document for `/.well-known/jwks.json`\n *\n * Implementation rides on `jose` (peer-dep, optional). Merchants who don't sign their\n * profile (development) skip this module entirely; the unsigned `buildUCPProfile()`\n * path still works.\n *\n * Why Ed25519: smaller signatures (64 bytes vs 256+ for RSA), faster verification, no\n * curve-parameter ceremony. UCP also accepts ES256 (P-256 ECDSA) — pass `alg: 'ES256'`\n * to `signUCPProfile()` if your existing payment signing key is P-256.\n */\n\nimport type { UCPProfile, UCPSigningKey } from './ucp';\n\n/** Output of `generateUCPSigningKey()`. The private key is what you sign with; the\n * public JWK is what you publish at `/.well-known/jwks.json` and reference in the\n * UCP profile's `signing_keys[]`.\n */\nexport interface GeneratedUCPKey {\n /** Private key (KeyLike, opaque) — pass to `signUCPProfile()`. Never publish. */\n privateKey: unknown;\n /** Public key as JWK — publish at `/.well-known/jwks.json` and inline in UCP `signing_keys[]`. */\n publicJWK: UCPSigningKey;\n}\n\n/** A JWKS document — `{ keys: [...] }` per RFC 7517. Serve at `/.well-known/jwks.json`. */\nexport interface JWKSResponse {\n keys: UCPSigningKey[];\n}\n\n\n/** A signed UCP profile envelope. Same shape as `UCPProfile` plus the `signature` field\n * carrying the JWS Compact Serialization over the canonicalized profile body. */\nexport interface SignedUCPProfile extends UCPProfile {\n /** JWS Compact Serialization (`<header>.<payload>.<signature>`) over the profile body\n * with `signature` removed and keys sorted. Verifiers reconstruct the canonical body\n * and validate against the JWK identified by `kid` in the JWS protected header. */\n signature: string;\n}\n\nconst JOSE_INSTALL_HINT = 'Install the optional peer dependency: `npm install jose@^6` (or `bun add jose`). Tested against jose v6.x.';\n\n/** UCP §6 + RFC 8725 §3.1 — restrict accepted JWS algorithms. Anything outside this\n * list (HS, RS, none, etc.) is rejected to prevent alg-confusion attacks where a\n * hostile JWK published in the profile's signing_keys[] is used with an unintended\n * algorithm. */\nconst ALLOWED_ALGS = ['EdDSA', 'ES256'] as const;\ntype AllowedAlg = (typeof ALLOWED_ALGS)[number];\n\n/** JWS protected header `typ` value. Vendor-namespaced because UCP §6 does not define\n * a profile-as-JWS typ; the value advertises that this signed envelope follows the\n * AgentScore extension semantics rather than a UCP-canonical signing convention.\n * Verifiers SHOULD enforce this to prevent cross-protocol token reuse (RFC 8725 §3.11). */\nconst PROFILE_TYP = 'agentscore-profile+jws';\n\n/** Discriminated error class so consumers can branch on failure mode without\n * parsing message strings or importing jose internals. */\nexport class UCPVerificationError extends Error {\n constructor(\n public readonly code:\n | 'no_signature'\n | 'missing_kid'\n | 'kid_not_found'\n | 'duplicate_kid'\n | 'unsupported_alg'\n | 'wrong_typ'\n | 'signature_invalid'\n | 'body_mismatch'\n | 'malformed_jws'\n | 'malformed_jwks'\n | 'unrecognized_critical_header'\n | 'unusable_key',\n message: string,\n ) {\n super(message);\n this.name = 'UCPVerificationError';\n }\n}\n\nasync function loadJose(): Promise<typeof import('jose')> {\n try {\n return await import('jose');\n } catch (err) {\n throw new Error(\n `UCP signing requires the \\`jose\\` library, which is an optional peer dependency. ${JOSE_INSTALL_HINT}\\nOriginal error: ${err instanceof Error ? err.message : String(err)}`,\n );\n }\n}\n\n/**\n * Canonicalize a UCP profile for signing. Removes the `signature` field (if present),\n * sorts keys deterministically, and returns the JSON string. Both signer and verifier\n * compute the same bytes.\n *\n * Implementation note: UCP §6.2 specifies \"the JSON-serialized profile body, with\n * `signature` removed and keys ordered lexicographically at every nesting level.\" This\n * is JCS-style canonicalization without the full RFC 8785 numeric handling — UCP\n * profiles don't contain floats so the simpler key-sort is sufficient.\n */\nfunction canonicalizeProfile(profile: UCPProfile): string {\n const stripped = { ...profile } as Record<string, unknown>;\n delete stripped.signature;\n return stableStringify(stripped);\n}\n\n/** Deterministic JSON.stringify with lexicographic key ordering at every level.\n * Rejects ANY non-finite Number (NaN, Infinity, -Infinity) and any Number\n * whose value has a fractional part OR whose JSON representation may diverge\n * cross-language. Cross-language float canonicalization (RFC 8785 §3.2.2.3)\n * is not stable between Node's JSON.stringify and Python's json.dumps\n * (e.g. `1.0` → `1` vs `1.0`, `1e-7` → `1e-7` vs `1e-07`). UCP profiles\n * must use decimal strings for monetary or fractional fields to preserve\n * byte parity with the Python sibling. */\nfunction stableStringify(value: unknown): string {\n if (value === undefined) {\n throw new Error(\n 'stableStringify: undefined values are not allowed in canonicalized JSON. ' +\n 'Object fields with no value must be omitted.',\n );\n }\n if (typeof value === 'function' || typeof value === 'symbol') {\n throw new Error(`stableStringify: ${typeof value} values are not allowed in canonicalized JSON.`);\n }\n if (typeof value === 'bigint') {\n throw new Error('stableStringify: BigInt values are not allowed; use a decimal string.');\n }\n if (value instanceof Date) {\n throw new Error(\n 'stableStringify: Date instances are not allowed; serialize to an ISO string before passing.',\n );\n }\n if (value instanceof Map || value instanceof Set || value instanceof WeakMap || value instanceof WeakSet) {\n throw new Error(\n `stableStringify: ${value.constructor.name} values are not allowed; convert to a plain object/array first.`,\n );\n }\n if (ArrayBuffer.isView(value)) {\n throw new Error('stableStringify: typed arrays are not allowed; convert to a plain array first.');\n }\n if (typeof value === 'number') {\n if (!Number.isFinite(value)) {\n throw new Error(\n `UCP profile canonicalization rejects non-finite Number ${value}. Use a decimal string for any value that may be NaN/Infinity.`,\n );\n }\n if (!Number.isInteger(value)) {\n throw new Error(\n `UCP profile canonicalization rejects non-integer Number ${value}. Use a decimal string (e.g. \"9.99\") for monetary or fractional fields to preserve cross-language byte-parity.`,\n );\n }\n if (!Number.isSafeInteger(value)) {\n throw new Error(\n `stableStringify: integer ${value} exceeds Number.MAX_SAFE_INTEGER. ` +\n 'For values >2^53, use a decimal string to preserve cross-language byte parity.',\n );\n }\n }\n if (typeof value === 'string') {\n // Cross-language byte parity: pre-ES2019 V8 (and any environment whose\n // JSON.stringify still escapes U+2028 / U+2029) emits \\u2028 / \\u2029\n // for these codepoints, while Python's json.dumps with ensure_ascii=False\n // emits them raw. A string carrying either would canonicalize to different\n // bytes across the Node and Python siblings and break signature\n // verification at the language boundary. Mirror the rejection in\n // core/api/src/lib/canonicalize.ts so the contract stays symmetric.\n if (value.includes('\\u2028') || value.includes('\\u2029')) {\n throw new Error(\n 'stableStringify: strings containing U+2028 (LINE SEPARATOR) or U+2029 (PARAGRAPH SEPARATOR) are not allowed; cross-language byte parity requires neither be present (Node JSON.stringify on older V8 escapes them; Python json.dumps with ensure_ascii=False does not).',\n );\n }\n return JSON.stringify(value);\n }\n if (value === null || typeof value !== 'object') return JSON.stringify(value);\n if (Array.isArray(value)) return `[${value.map(stableStringify).join(',')}]`;\n const obj = value as Record<string, unknown>;\n const keys = Object.keys(obj).sort((a, b) => {\n const aPoints = [...a].map((c) => c.codePointAt(0)!);\n const bPoints = [...b].map((c) => c.codePointAt(0)!);\n const len = Math.min(aPoints.length, bPoints.length);\n for (let i = 0; i < len; i += 1) {\n if (aPoints[i] !== bPoints[i]) return aPoints[i] - bPoints[i];\n }\n return aPoints.length - bPoints.length;\n });\n // Cross-language byte parity: same rejection rationale as the string-value\n // branch above. Object keys flow through JSON.stringify(k) at the pairs line\n // below, so without this check a key carrying U+2028 / U+2029 would pass on\n // modern V8 but Python's _reject_unsafe_numbers (which recurses into dict\n // keys) would throw at verify time.\n for (const k of keys) {\n if (k.includes('
') || k.includes('
')) {\n throw new Error(\n 'stableStringify: object keys containing U+2028 (LINE SEPARATOR) or U+2029 (PARAGRAPH SEPARATOR) are not allowed; cross-language byte parity (Node JSON.stringify on older V8 escapes them; Python json.dumps with ensure_ascii=False does not).',\n );\n }\n }\n const pairs = keys.map((k) => `${JSON.stringify(k)}:${stableStringify(obj[k])}`);\n return `{${pairs.join(',')}}`;\n}\n\n/**\n * Generate a fresh Ed25519 (default) or ES256 keypair for signing UCP profiles.\n *\n * The `privateKey` is an opaque KeyLike — store it server-side and pass to\n * `signUCPProfile()`. Never log or transmit the private key.\n *\n * The `publicJWK` is what you publish at `/.well-known/jwks.json` and inline in the\n * UCP profile's `signing_keys[]` array.\n *\n * Example:\n * ```ts\n * import { generateUCPSigningKey } from '@agent-score/commerce';\n *\n * const { privateKey, publicJWK } = await generateUCPSigningKey({ kid: 'merchant-2026-05' });\n * // Persist privateKey securely (env var, KMS, secret manager).\n * // Publish publicJWK at /.well-known/jwks.json and reference it in your UCP profile.\n * ```\n */\nexport async function generateUCPSigningKey(opts: {\n /** Key ID (kid). Must be unique per key; you'll reference this in the UCP profile's `signing_keys[]`. */\n kid: string;\n /** Signing algorithm. Default `EdDSA`. */\n alg?: 'EdDSA' | 'ES256';\n}): Promise<GeneratedUCPKey> {\n const jose = await loadJose();\n const alg = opts.alg ?? 'EdDSA';\n const { privateKey, publicKey } = await jose.generateKeyPair(alg, { extractable: true });\n const exportedJwk = await jose.exportJWK(publicKey);\n\n const publicJWK: UCPSigningKey = {\n kid: opts.kid,\n alg,\n use: 'sig',\n ...exportedJwk,\n } as UCPSigningKey;\n\n return { privateKey, publicJWK };\n}\n\n/**\n * Sign a UCP profile, returning a new envelope with the JWS attached as `signature`.\n *\n * The signature covers the canonicalized profile body (everything except `signature`\n * itself, with keys sorted at every level). Trust-mode UCP verifiers reconstruct the\n * canonical body, look up the key referenced by the JWS header's `kid`, and validate.\n *\n * The profile's `signing_keys[]` MUST already include a JWK with the matching `kid`\n * — otherwise verifiers can't find the public key. Add the `publicJWK` from\n * `generateUCPSigningKey()` to your `signing_keys[]` before calling this.\n *\n * Example:\n * ```ts\n * const profile = buildUCPProfile({ ..., signing_keys: [publicJWK] });\n * const signed = await signUCPProfile(profile, { signingKey: privateKey, kid: 'merchant-2026-05' });\n * c.json(signed);\n * ```\n */\nexport async function signUCPProfile(\n profile: UCPProfile,\n {\n signingKey,\n kid,\n alg = 'EdDSA',\n }: {\n /** Private signing key — opaque KeyLike from `generateUCPSigningKey()` or `importJWK()`. */\n signingKey: unknown;\n /** Key ID (must match a `kid` in the profile's `signing_keys[]`). */\n kid: string;\n /** Signing algorithm — `EdDSA` (default) or `ES256`. */\n alg?: 'EdDSA' | 'ES256';\n },\n): Promise<SignedUCPProfile> {\n const jose = await loadJose();\n\n if (!ALLOWED_ALGS.includes(alg as AllowedAlg)) {\n throw new Error(\n `signUCPProfile: alg ${JSON.stringify(alg)} is not in the supported set [${ALLOWED_ALGS.join(', ')}].`,\n );\n }\n\n // Sign-time kid sanity check: the profile's `signing_keys[]` MUST contain a\n // JWK with the matching kid; otherwise verifiers can't resolve the public\n // key and the profile is dead-on-arrival. Catch this at sign-time rather\n // than at verifier-time in production.\n if (typeof kid !== 'string' || !kid) {\n throw new Error('signUCPProfile: kid must be a non-empty string.');\n }\n const kids = (profile.signing_keys ?? []).map((k) => (k as Record<string, unknown>).kid);\n if (!kids.includes(kid)) {\n throw new Error(\n `signUCPProfile: kid ${JSON.stringify(kid)} is not present in profile.signing_keys[] (declared kids: ${JSON.stringify(kids)}). Verifiers will not find the key.`,\n );\n }\n\n const canonicalBody = canonicalizeProfile(profile);\n const payloadBytes = new TextEncoder().encode(canonicalBody);\n\n const signature = await new jose.CompactSign(payloadBytes)\n .setProtectedHeader({ alg, kid, typ: PROFILE_TYP })\n .sign(signingKey as Parameters<typeof jose.CompactSign.prototype.sign>[0]);\n\n return { ...profile, signature };\n}\n\n/**\n * Verify a signed UCP profile against a JWKS. Returns `true` when the JWS validates\n * against a matching key in `jwks`; throws on signature mismatch, missing key, or\n * canonicalization drift.\n *\n * Round-trip helper for tests and for cross-merchant verification flows. Trust-mode\n * UCP clients use the same algorithm.\n *\n * Example:\n * ```ts\n * const ok = await verifyUCPProfile(signedProfile, { keys: [publicJWK] });\n * ```\n */\nexport async function verifyUCPProfile(\n profile: SignedUCPProfile,\n jwks: JWKSResponse,\n): Promise<boolean> {\n if (profile === null || typeof profile !== 'object' || Array.isArray(profile)) {\n throw new UCPVerificationError(\n 'no_signature',\n `UCP profile must be a JSON object; got ${profile === null ? 'null' : Array.isArray(profile) ? 'array' : typeof profile}.`,\n );\n }\n\n const jose = await loadJose();\n\n // JWKS shape guard so a malformed argument emits a typed UCPVerificationError\n // rather than a raw TypeError on `.filter is not a function`.\n if (!jwks || typeof jwks !== 'object' || !Array.isArray((jwks as { keys?: unknown }).keys)) {\n throw new UCPVerificationError(\n 'malformed_jwks',\n `UCP verifier expected JWKS shape { keys: [...] }; got ${jwks === null ? 'null' : typeof jwks === 'object' ? 'object without keys[] array' : typeof jwks}.`,\n );\n }\n\n const stripped = { ...profile } as Partial<SignedUCPProfile>;\n const sig = stripped.signature;\n delete stripped.signature;\n if (typeof sig !== 'string' || !sig) {\n throw new UCPVerificationError(\n 'no_signature',\n `UCP profile signature must be a non-empty string; got ${sig === undefined ? 'undefined' : typeof sig}.`,\n );\n }\n\n // Pre-decode the protected header so typ → alg → kid → crit checks run BEFORE\n // jose's compactVerify. jose enforces `crit` internally ahead of the key-resolver\n // callback, which would surface `unrecognized_critical_header` on a JWS that\n // also has a wrong typ; the python-commerce sibling's `_peek_jws_header` decodes\n // the header manually and checks typ first. Mirroring that ordering here means\n // a JWS with multiple header faults emits the same `code` in both SDKs.\n let header: { alg?: unknown; kid?: unknown; typ?: unknown; crit?: unknown };\n try {\n const protectedB64 = sig.split('.')[0];\n if (!protectedB64) throw new Error('JWS protected header segment is empty.');\n const headerJson = new TextDecoder().decode(jose.base64url.decode(protectedB64));\n const parsed = JSON.parse(headerJson);\n if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {\n throw new Error('JWS protected header is not a JSON object.');\n }\n header = parsed as { alg?: unknown; kid?: unknown; typ?: unknown; crit?: unknown };\n } catch (err) {\n throw new UCPVerificationError(\n 'malformed_jws',\n `JWS protected header is not valid base64url-encoded JSON: ${err instanceof Error ? err.message : String(err)}`,\n );\n }\n\n // Header check order is typ → alg → kid → crit to match the Python sibling's\n // _peek_jws_header. RFC 8725 §3.11: enforce expected typ to prevent\n // cross-protocol token reuse.\n if (header.typ !== PROFILE_TYP) {\n throw new UCPVerificationError('wrong_typ', `UCP signature typ must be \"${PROFILE_TYP}\"; got ${String(header.typ)}.`);\n }\n // RFC 8725 §3.1: restrict to allow-listed algorithms before key resolution\n // so a hostile JWK can never be used with HS256/none/RS256/etc.\n if (!ALLOWED_ALGS.includes(header.alg as AllowedAlg)) {\n throw new UCPVerificationError('unsupported_alg', `UCP signing alg must be one of ${ALLOWED_ALGS.join(', ')}; got ${String(header.alg)}.`);\n }\n // Strict string check: a non-string kid (number/bool/null) could accidentally\n // match a JWK with an equal-typed kid and mask attacks.\n if (typeof header.kid !== 'string' || !header.kid) {\n throw new UCPVerificationError(\n 'missing_kid',\n `UCP signature header kid must be a non-empty string; got ${header.kid === undefined ? 'undefined' : typeof header.kid}.`,\n );\n }\n // RFC 7515 §4.1.11: `crit` MUST be a non-empty array of strings if present.\n // Shape-check first (matches python-commerce's malformed_jws split) so that\n // explicit `crit: null` / `crit: []` / `crit: \"foo\"` / `crit: [42]` aren't\n // silently accepted; only well-formed crit arrays fall through to the\n // unrecognized-extension check (RFC 8725 §3.10 — UCP defines no crit headers).\n if ('crit' in header) {\n const crit = (header as { crit?: unknown }).crit;\n if (!Array.isArray(crit) || crit.length === 0 || !crit.every((c) => typeof c === 'string')) {\n throw new UCPVerificationError(\n 'malformed_jws',\n `JWS protected header crit must be a non-empty array of strings; got ${JSON.stringify(crit)}.`,\n );\n }\n throw new UCPVerificationError(\n 'unrecognized_critical_header',\n `JWS protected header advertises unrecognized crit headers: ${JSON.stringify(crit)}.`,\n );\n }\n\n let signedPayload: Uint8Array;\n try {\n const verified = await jose.compactVerify(\n sig,\n async (h) => {\n // typ/alg/kid/crit were validated up-front against the pre-decoded header;\n // this resolver only handles JWK lookup. Re-checking kid here keeps the\n // jose API satisfied and provides defense-in-depth against any header\n // re-parse divergence between this code path and jose's internals.\n const kid = h.kid;\n if (typeof kid !== 'string' || !kid) {\n throw new UCPVerificationError(\n 'missing_kid',\n `UCP signature header kid must be a non-empty string; got ${kid === undefined ? 'undefined' : typeof kid}.`,\n );\n }\n const matches = jwks.keys.filter(\n (k) => k != null && typeof k === 'object' && (k as Record<string, unknown>).kid === kid,\n );\n if (matches.length === 0) throw new UCPVerificationError('kid_not_found', `No JWK in JWKS matching kid=${JSON.stringify(kid)}.`);\n if (matches.length > 1) throw new UCPVerificationError('duplicate_kid', `JWKS contains ${matches.length} keys with kid=${JSON.stringify(kid)}; expected exactly one.`);\n // RFC 7517 §4.2: reject keys not intended for signature verification.\n // `use` and `alg` are optional per RFC 7517; an explicit JSON null is\n // out-of-spec but treat it as absent (skip-on-null) so a JWK with\n // `\"use\": null` matches Python's `is not None` semantics in\n // ucp_jwks.py and the two languages stay symmetric.\n const matchedKey = matches[0] as Record<string, unknown>;\n if (matchedKey.use != null && matchedKey.use !== 'sig') {\n throw new UCPVerificationError('unusable_key', `JWK with kid=${kid} has use=${JSON.stringify(matchedKey.use)}; expected \"sig\".`);\n }\n // RFC 7517 §4.4: a JWK with a declared `alg` field constrains its use to that algorithm.\n if (matchedKey.alg != null && matchedKey.alg !== h.alg) {\n throw new UCPVerificationError(\n 'unusable_key',\n `JWK alg ${JSON.stringify(matchedKey.alg)} does not match JWS header alg ${JSON.stringify(h.alg)}.`,\n );\n }\n return jose.importJWK(matches[0] as Parameters<typeof jose.importJWK>[0], h.alg);\n },\n );\n signedPayload = verified.payload;\n } catch (err) {\n if (err instanceof UCPVerificationError) throw err;\n if (err instanceof Error && err.name === 'JOSEAlgNotAllowed') {\n throw new UCPVerificationError('unsupported_alg', `UCP signing alg not allowed: ${err.message}`);\n }\n if (err instanceof Error && err.name === 'JWSSignatureVerificationFailed') {\n throw new UCPVerificationError('signature_invalid', `UCP signature verification failed: ${err.message}`);\n }\n if (err instanceof Error && err.name === 'JWSInvalid') {\n throw new UCPVerificationError('malformed_jws', `Malformed JWS: ${err.message}`);\n }\n // RFC 7515 §4.1.11 / RFC 8725 §3.10: a verifier MUST reject any JWS whose\n // `crit` header carries an extension the implementation doesn't understand.\n // jose throws JOSENotSupported; wrap so callers see the typed error.\n if (err instanceof Error && err.name === 'JOSENotSupported') {\n throw new UCPVerificationError('unrecognized_critical_header', `UCP signing rejected unrecognized critical header: ${err.message}`);\n }\n throw err;\n }\n\n let canonicalBody: string;\n try {\n canonicalBody = canonicalizeProfile(stripped as UCPProfile);\n } catch (err) {\n throw new UCPVerificationError(\n 'body_mismatch',\n `Failed to canonicalize received profile for verification: ${err instanceof Error ? err.message : String(err)}`,\n );\n }\n const expectedPayload = new TextEncoder().encode(canonicalBody);\n\n // Compare the bytes that were actually signed against the canonical body of the\n // profile we received. `compactVerify` validates the JWS against the bytes embedded\n // in the JWS payload segment, but the profile body could have been swapped after\n // signing while the JWS stayed unchanged. Body-vs-payload comparison closes that\n // gap.\n if (!constantTimeEqual(signedPayload, expectedPayload)) {\n throw new UCPVerificationError('body_mismatch', 'UCP profile body does not match the signed payload (tampered or non-canonical).');\n }\n\n return true;\n}\n\n/** Constant-time byte comparison to avoid leaking length / position info on mismatch. */\nfunction constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {\n if (a.length !== b.length) return false;\n let diff = 0;\n for (let i = 0; i < a.length; i += 1) {\n diff |= a[i] ^ b[i];\n }\n return diff === 0;\n}\n\n/**\n * Build a JWKS document for `/.well-known/jwks.json`.\n *\n * Example:\n * ```ts\n * import { buildJWKSResponse } from '@agent-score/commerce';\n *\n * app.get('/.well-known/jwks.json', (c) =>\n * c.json(buildJWKSResponse([publicJWK]))\n * );\n * ```\n */\nexport function buildJWKSResponse(keys: UCPSigningKey[]): JWKSResponse {\n return { keys };\n}\n\n// ── env-driven loader (extracted from store + martin + signed_ucp_merchant) ──\n\ninterface ResolvedLoadUCPSigningKeyOpts {\n envJwkVar: string;\n envKidVar: string;\n envAlgVar: string;\n defaultKid: string;\n defaultAlg: 'EdDSA' | 'ES256';\n}\n\nconst DEFAULT_LOAD_OPTS: ResolvedLoadUCPSigningKeyOpts = {\n envJwkVar: 'UCP_SIGNING_KEY_JWK_PRIVATE',\n envKidVar: 'UCP_SIGNING_KEY_KID',\n envAlgVar: 'UCP_SIGNING_KEY_ALG',\n defaultKid: 'merchant-default',\n defaultAlg: 'EdDSA',\n};\n\nfunction readEnvTrimmed(name: string): string | undefined {\n const raw = process.env[name];\n if (raw === undefined) return undefined;\n const trimmed = raw.trim();\n return trimmed === '' ? undefined : trimmed;\n}\n\nfunction detectAlgFromJwk(jwk: Record<string, unknown>): 'EdDSA' | 'ES256' | null {\n if (jwk.kty === 'OKP' && jwk.crv === 'Ed25519') return 'EdDSA';\n if (jwk.kty === 'EC' && jwk.crv === 'P-256') return 'ES256';\n return null;\n}\n\n// Cache entries are keyed by the full resolved opts (so different opts get separate\n// entries) and store the IN-FLIGHT Promise — concurrent first-callers with the same\n// opts await the same key generation rather than racing to produce different ephemeral\n// keys (a losing keypair signing a JWS that the published JWKS then rejects).\nconst envLoaderCache = new Map<string, Promise<GeneratedUCPKey>>();\n\nfunction cacheKey(opts: ResolvedLoadUCPSigningKeyOpts): string {\n return `${opts.envJwkVar}|${opts.envKidVar}|${opts.envAlgVar}|${opts.defaultKid}|${opts.defaultAlg}`;\n}\n\nasync function buildEnvSigningKey(\n opts: ResolvedLoadUCPSigningKeyOpts,\n): Promise<GeneratedUCPKey> {\n const kidDefault = readEnvTrimmed(opts.envKidVar) ?? opts.defaultKid;\n // Case-insensitive env-alg comparison: secret configs commonly carry casing drift\n // (`\"es256\"`, `\" ES256 \"`, `\"eS256\"`). Strict exact-match would silently downgrade\n // to the default and operators would publish a JWKS with the wrong key family.\n const rawAlg = (readEnvTrimmed(opts.envAlgVar) ?? '').toUpperCase();\n const algFallback: 'EdDSA' | 'ES256' = rawAlg === 'ES256' ? 'ES256' : opts.defaultAlg;\n\n const envJwk = readEnvTrimmed(opts.envJwkVar);\n if (envJwk) {\n let jwkDict: Record<string, unknown>;\n try {\n jwkDict = JSON.parse(envJwk) as Record<string, unknown>;\n } catch (err) {\n throw new Error(\n `${opts.envJwkVar} is not valid JSON: ${err instanceof Error ? err.message : String(err)}`,\n );\n }\n if (!jwkDict || typeof jwkDict !== 'object' || Array.isArray(jwkDict) || Object.keys(jwkDict).length === 0) {\n throw new Error(`${opts.envJwkVar} must be a non-empty JWK object.`);\n }\n\n const detectedAlg = detectAlgFromJwk(jwkDict);\n if (!detectedAlg) {\n throw new Error(\n `${opts.envJwkVar} has unsupported kty/crv (got kty=${String(jwkDict.kty)} crv=${String(jwkDict.crv)}); ` +\n 'expected OKP+Ed25519 or EC+P-256.',\n );\n }\n\n // Project the env JWK to its canonical key fields before importing. Unknown\n // env-JWK fields (`key_ops`, `x5c`, `x5t`, `x5u`, etc.) trip Node's\n // createPublicKey with NotSupportedError on some runtimes; canonical-only\n // input is stable across Node + Bun + browser WebCrypto.\n const canonicalPrivateJwk: Record<string, unknown> =\n detectedAlg === 'EdDSA'\n ? { kty: jwkDict.kty, crv: jwkDict.crv, x: jwkDict.x, d: jwkDict.d }\n : { kty: jwkDict.kty, crv: jwkDict.crv, x: jwkDict.x, y: jwkDict.y, d: jwkDict.d };\n\n // Import the private key. Sanitize errors so JWK byte material can never reach logs.\n const { importJWK } = await import('jose');\n const { createPublicKey } = await import('node:crypto');\n let privateKey: Awaited<ReturnType<typeof importJWK>>;\n let publicNodeKey: ReturnType<typeof createPublicKey>;\n try {\n privateKey = await importJWK(\n canonicalPrivateJwk as unknown as Parameters<typeof importJWK>[0],\n detectedAlg,\n );\n publicNodeKey = createPublicKey({ key: canonicalPrivateJwk as never, format: 'jwk' });\n } catch (err) {\n const className = err instanceof Error ? err.constructor.name : typeof err;\n const code =\n err && typeof err === 'object' && 'code' in err\n ? String((err as { code?: unknown }).code)\n : null;\n const codeSuffix = code ? ` [${code}]` : '';\n throw new Error(\n `${opts.envJwkVar} has malformed key material (${className}${codeSuffix}). ` +\n 'Verify the JWK is well-formed and matches the declared kty/crv. ' +\n 'Underlying details suppressed to avoid leaking key bytes.',\n );\n }\n\n // Derive a canonical public JWK from the public node key — drops `d` and any other\n // private-only fields (and unknown env JWK fields like key_ops, x5c, x5t).\n const publicJWK = publicNodeKey.export({ format: 'jwk' }) as unknown as UCPSigningKey;\n // Empty-string kid in env JWK falls through to the configured default —\n // publishing `\"kid\": \"\"` breaks every kid-pinning verifier.\n publicJWK.kid = (jwkDict.kid as string | undefined) || kidDefault;\n publicJWK.alg = detectedAlg;\n publicJWK.use = 'sig';\n\n return { privateKey, publicJWK };\n }\n\n // Ephemeral fallback — generate a fresh keypair.\n return generateUCPSigningKey({ kid: kidDefault, alg: algFallback });\n}\n\n/**\n * Load the merchant's UCP signing key from env, with concurrent-safe caching.\n *\n * On first call (per `opts`): reads `opts.envJwkVar`, parses it as a JWK, validates\n * `kty`/`crv` (OKP+Ed25519 or EC+P-256), and projects to a canonical public JWK.\n * Falls back to an ephemeral keypair when the env var is missing or whitespace-only.\n *\n * Subsequent calls with the same `opts` return the cached key without re-reading env.\n * Concurrent first-callers await the same in-flight Promise so only one key generation\n * runs (preventing the race where two callers each generate an independent ephemeral\n * pair and one signs a JWS the published JWKS then rejects).\n *\n * Different `opts` values get separate cache entries.\n *\n * Env-driven precedence:\n *\n * - Embedded `kid` in the JWK wins over `opts.envKidVar` env value;\n * empty-string `kid` in the env JWK falls through to `opts.defaultKid`.\n * - Structural `kty`+`crv` in the JWK wins over `opts.envAlgVar` env value\n * (which is only consulted in the ephemeral fallback path).\n *\n * @throws Error with a sanitized message for malformed env JWKs; raw exception\n * detail is intentionally suppressed so key bytes can never reach logs.\n */\nexport async function loadUCPSigningKeyFromEnv({\n envJwkVar,\n envKidVar,\n envAlgVar,\n defaultKid,\n defaultAlg,\n}: {\n /** Env var name carrying the JSON-encoded private JWK. Default `UCP_SIGNING_KEY_JWK_PRIVATE`. */\n envJwkVar?: string;\n /** Env var name carrying an explicit kid override. Default `UCP_SIGNING_KEY_KID`. */\n envKidVar?: string;\n /** Env var name carrying the alg in the ephemeral fallback. Default `UCP_SIGNING_KEY_ALG`. */\n envAlgVar?: string;\n /** Kid to publish when neither the env JWK nor `envKidVar` carries one. Default `merchant-default`. */\n defaultKid?: string;\n /** Alg for the ephemeral fallback path. Default `EdDSA`. */\n defaultAlg?: 'EdDSA' | 'ES256';\n} = {}): Promise<GeneratedUCPKey> {\n const resolved: ResolvedLoadUCPSigningKeyOpts = {\n ...DEFAULT_LOAD_OPTS,\n ...(envJwkVar !== undefined && { envJwkVar }),\n ...(envKidVar !== undefined && { envKidVar }),\n ...(envAlgVar !== undefined && { envAlgVar }),\n ...(defaultKid !== undefined && { defaultKid }),\n ...(defaultAlg !== undefined && { defaultAlg }),\n };\n const key = cacheKey(resolved);\n let cached = envLoaderCache.get(key);\n if (cached) return cached;\n // Pin the in-flight Promise so concurrent first-callers await the same generation.\n cached = buildEnvSigningKey(resolved).catch((err) => {\n // Clear on rejection so a transient malformed env doesn't permanently poison\n // every future call — the next caller retries the build.\n envLoaderCache.delete(key);\n throw err;\n });\n envLoaderCache.set(key, cached);\n return cached;\n}\n\n/** Test-only: clear the env-loader cache.\n *\n * Use after stubbing `process.env.UCP_SIGNING_KEY_*` to force the next\n * {@link loadUCPSigningKeyFromEnv} call to re-read the env state. */\nexport function _resetUCPSigningKeyCache(): void {\n envLoaderCache.clear();\n}\n","/**\n * USDC token registry per network. Used by paymentDirective and rail definitions.\n * Lifted from agentscore-pay's constants.\n */\nexport const USDC = {\n base: {\n mainnet: { address: '0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913' as const, decimals: 6 },\n sepolia: { address: '0x036CbD53842c5426634e7929541eC2318f3dCF7e' as const, decimals: 6 },\n },\n solana: {\n mainnet: { mint: 'EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v', decimals: 6 },\n devnet: { mint: '4zMMC9srt5Ri5X14GAgXhaHii3GnPAEERYPJgZJDncDU', decimals: 6 },\n },\n tempo: {\n mainnet: { address: '0x20C000000000000000000000b9537d11c60E8b50' as const, decimals: 6 },\n testnet: { address: '0x20c0000000000000000000000000000000000000' as const, decimals: 6 },\n },\n} as const;\n","/**\n * Joins multiple Payment directives into a single WWW-Authenticate header value.\n * Per RFC 7235, multiple challenges are comma-separated.\n */\nexport function wwwAuthenticateHeader(directives: string[]): string {\n return directives.join(', ');\n}\n\n/**\n * Add the v1↔v2 amount-field alias to each accepts entry. Idempotent. Used by both\n * `paymentRequiredHeader` (header emit) and `build402Body` (body emit) so every\n * x402 entry on the wire carries BOTH `amount` (v2 spec) AND `maxAmountRequired`\n * (v1 spec) — strict v1-only parsers (e.g. Coinbase awal at `payments-mcp.coinbase.com`,\n * which is hardcoded to read `maxAmountRequired`) work alongside strict v2 parsers,\n * which ignore the alias.\n */\nexport function aliasAmountFields(accepts: unknown[]): unknown[] {\n return accepts.map((entry) => {\n if (entry === null || typeof entry !== 'object') return entry;\n const e = entry as Record<string, unknown>;\n const hasAmount = e.amount !== undefined;\n const hasMaxAmount = e.maxAmountRequired !== undefined;\n if (hasAmount && !hasMaxAmount) return { ...e, maxAmountRequired: e.amount };\n if (hasMaxAmount && !hasAmount) return { ...e, amount: e.maxAmountRequired };\n return e;\n });\n}\n\n/**\n * Encode the standard x402 PAYMENT-REQUIRED header (base64-encoded JSON of the\n * PaymentRequired object). Clients that recognize the header (`@x402/fetch`,\n * `@x402/core` HTTPClient, `agentscore-pay`) prefer it over body fields.\n *\n * Note: do NOT add a v1↔v2 amount-field alias here. `@x402/core`'s\n * `findMatchingRequirements` uses `deepEqual` against the agent's signed\n * `accepted` payload — any field present on one side and missing on the other\n * (e.g. `maxAmountRequired` on the wire body but not in `buildPaymentRequirements`'s\n * output) makes the match silently fail at settle time. Keep `accepts` shape\n * identical to whatever `buildPaymentRequirements` produces server-side.\n */\nexport function paymentRequiredHeader({\n x402Version,\n accepts,\n resource,\n}: {\n x402Version: 1 | 2;\n accepts: unknown[];\n resource?: { url: string; mimeType?: string };\n}): string {\n return Buffer.from(JSON.stringify({ x402Version, accepts, ...(resource ? { resource } : {}) })).toString('base64');\n}\n","/**\n * Named network registry. Vendors reference symbolic names (`networks.base.mainnet.caip2`)\n * instead of magic strings. Lifted from agentscore-pay's constants.\n */\nexport const networks = {\n base: {\n mainnet: { caip2: 'eip155:8453' as const, chainId: 8453 },\n sepolia: { caip2: 'eip155:84532' as const, chainId: 84532 },\n },\n solana: {\n mainnet: { caip2: 'solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp' as const },\n devnet: { caip2: 'solana:EtWTRABZaYq6iMfeYKouRu166VU2xqa1' as const },\n },\n tempo: {\n mainnet: { caip2: 'eip155:4217' as const, chainId: 4217 },\n testnet: { caip2: 'eip155:42431' as const, chainId: 42431 },\n },\n} as const;\n\nexport type NetworkFamily = keyof typeof networks;\n\n/**\n * Returns the family name (base/solana/tempo) for a given CAIP-2 network string,\n * or null if the network isn't in the registry. Useful for routing settlement\n * by network.\n */\nexport function networkFamily(caip2: string): NetworkFamily | null {\n if (caip2 === networks.base.mainnet.caip2 || caip2 === networks.base.sepolia.caip2) return 'base';\n if (caip2 === networks.solana.mainnet.caip2 || caip2 === networks.solana.devnet.caip2) return 'solana';\n if (caip2 === networks.tempo.mainnet.caip2 || caip2 === networks.tempo.testnet.caip2) return 'tempo';\n if (caip2.startsWith('solana:')) return 'solana';\n return null;\n}\n","import { networks } from './networks';\nimport { USDC } from './usdc';\n\n/**\n * Symbolic rail names mapped to their protocol details. Vendors pass `rail: 'tempo-mainnet'`\n * to the directive builder and the SDK fills in method/network/decimals/currency from this\n * registry. Custom rails not in this registry can be passed by setting the lower-level\n * fields directly on the directive builder.\n */\nexport const rails = {\n 'tempo-mainnet': {\n method: 'tempo',\n network: networks.tempo.mainnet.caip2,\n chainId: networks.tempo.mainnet.chainId,\n currency: USDC.tempo.mainnet.address,\n decimals: USDC.tempo.mainnet.decimals,\n asset: USDC.tempo.mainnet.address,\n },\n 'tempo-testnet': {\n method: 'tempo',\n network: networks.tempo.testnet.caip2,\n chainId: networks.tempo.testnet.chainId,\n currency: USDC.tempo.testnet.address,\n decimals: USDC.tempo.testnet.decimals,\n asset: USDC.tempo.testnet.address,\n },\n 'x402-base-mainnet': {\n method: 'x402',\n network: networks.base.mainnet.caip2,\n chainId: networks.base.mainnet.chainId,\n currency: USDC.base.mainnet.address,\n decimals: USDC.base.mainnet.decimals,\n asset: USDC.base.mainnet.address,\n },\n 'x402-base-sepolia': {\n method: 'x402',\n network: networks.base.sepolia.caip2,\n chainId: networks.base.sepolia.chainId,\n currency: USDC.base.sepolia.address,\n decimals: USDC.base.sepolia.decimals,\n asset: USDC.base.sepolia.address,\n },\n // Upto rails — pay UP TO a max amount (Permit2-based, vs EIP-3009 for exact). Use for\n // variable-cost APIs where the actual cost depends on output (LLM tokens, bandwidth, etc.).\n // Only available on EVM networks; Solana svm doesn't ship an upto scheme yet.\n 'x402-base-mainnet-upto': {\n method: 'x402-upto',\n network: networks.base.mainnet.caip2,\n chainId: networks.base.mainnet.chainId,\n currency: USDC.base.mainnet.address,\n decimals: USDC.base.mainnet.decimals,\n asset: USDC.base.mainnet.address,\n },\n 'x402-base-sepolia-upto': {\n method: 'x402-upto',\n network: networks.base.sepolia.caip2,\n chainId: networks.base.sepolia.chainId,\n currency: USDC.base.sepolia.address,\n decimals: USDC.base.sepolia.decimals,\n asset: USDC.base.sepolia.address,\n },\n 'mpp-solana-mainnet': {\n method: 'solana',\n network: networks.solana.mainnet.caip2,\n currency: USDC.solana.mainnet.mint,\n decimals: USDC.solana.mainnet.decimals,\n asset: USDC.solana.mainnet.mint,\n },\n 'mpp-solana-devnet': {\n method: 'solana',\n network: networks.solana.devnet.caip2,\n currency: USDC.solana.devnet.mint,\n decimals: USDC.solana.devnet.decimals,\n asset: USDC.solana.devnet.mint,\n },\n 'stripe-spt': {\n method: 'stripe',\n currency: 'usd',\n decimals: 2,\n },\n} as const;\n\nexport type RailName = keyof typeof rails;\n\nexport interface RailDefinition {\n method: string;\n network?: string;\n chainId?: number;\n currency: string;\n decimals: number;\n asset?: string;\n}\n\n/**\n * Lookup a rail definition by symbolic name. Returns undefined if the rail isn't in\n * the registry — vendors with custom rails should pass the low-level fields directly.\n */\nexport function lookupRail(name: string): RailDefinition | undefined {\n return rails[name as RailName] as RailDefinition | undefined;\n}\n","import { lookupRail } from './rails';\n\n/**\n * Build the base64-encoded `request` blob for an MPP Payment directive (per the\n * paymentauth.org spec). Output shape matches what link-cli `mpp decode` expects:\n *\n * { amount: \"<raw_integer>\", currency: \"<token>\", recipient?: \"<addr>\",\n * methodDetails?: { chainId?: number, networkId?: string } }\n */\nexport function buildPaymentRequestBlob({\n rail,\n amountUsd,\n currency,\n decimals,\n recipient,\n chainId,\n networkId,\n}: {\n /** Symbolic rail name (e.g., 'tempo-mainnet', 'x402-base-mainnet') — fills in defaults */\n rail?: string;\n /** Amount in USD as a number or string. Converted to raw integer using `decimals`. */\n amountUsd: string | number;\n /** Token contract address or currency code. Defaults from rail. */\n currency?: string;\n /** Decimal precision for the amount. Defaults from rail (6 for USDC, 2 for USD). */\n decimals?: number;\n /** Recipient address (on-chain). Optional for stripe-style rails. */\n recipient?: string;\n /** EVM chain ID (goes into methodDetails.chainId). Defaults from rail. */\n chainId?: number;\n /** Stripe profile_id or similar (goes into methodDetails.networkId — note camelCase per link-cli's mpp decode validator). */\n networkId?: string;\n}): string {\n const railDef = rail ? lookupRail(rail) : undefined;\n const decimalsResolved = decimals ?? railDef?.decimals ?? 6;\n const currencyResolved = currency ?? railDef?.currency ?? 'usd';\n const chainIdResolved = chainId ?? railDef?.chainId;\n\n const amountNum = typeof amountUsd === 'string' ? Number(amountUsd) : amountUsd;\n const amountRaw = BigInt(Math.round(amountNum * 10 ** decimalsResolved)).toString();\n const blob: Record<string, unknown> = { amount: amountRaw, currency: currencyResolved, decimals: decimalsResolved };\n if (recipient) blob.recipient = recipient;\n const methodDetails: Record<string, unknown> = {};\n if (chainIdResolved !== undefined) methodDetails.chainId = chainIdResolved;\n if (networkId) methodDetails.networkId = networkId;\n if (Object.keys(methodDetails).length > 0) blob.methodDetails = methodDetails;\n return Buffer.from(JSON.stringify(blob)).toString('base64url');\n}\n\n/**\n * Format an MPP Payment directive string for the WWW-Authenticate header.\n * Output shape: `Payment id=\"...\", realm=\"...\", method=\"...\", intent=\"charge\",\n * expires=\"...\", request=\"<base64>\"`\n */\nexport function paymentDirective({\n rail,\n id,\n realm,\n method,\n intent,\n expires,\n request,\n}: {\n /** Symbolic rail name — sets `method` automatically */\n rail?: string;\n /** Challenge id (unique per request, used to correlate retries) */\n id: string;\n /** Realm — the host of the merchant URL (e.g., \"agents.merchant.example\") */\n realm: string;\n /** MPP method name. Defaults from rail (e.g., 'tempo', 'stripe'). */\n method?: string;\n /** MPP intent. Defaults to 'charge'. */\n intent?: string;\n /** ISO-8601 expiry timestamp. Defaults to now + 5 minutes. */\n expires?: string;\n /** Base64-encoded request blob. Pass the result of buildPaymentRequestBlob. */\n request: string;\n}): string {\n const railDef = rail ? lookupRail(rail) : undefined;\n const methodResolved = method ?? railDef?.method ?? 'unknown';\n const intentResolved = intent ?? 'charge';\n const expiresResolved = expires ?? new Date(Date.now() + 5 * 60 * 1000).toISOString();\n return `Payment id=\"${id}\", realm=\"${realm}\", method=\"${methodResolved}\", intent=\"${intentResolved}\", expires=\"${expiresResolved}\", request=\"${request}\"`;\n}\n\n/**\n * Convenience: build the request blob and the directive in one call. Most vendors\n * want this rather than the two-step form.\n */\nexport function buildPaymentDirective({\n rail,\n id,\n realm,\n amountUsd,\n currency,\n decimals,\n recipient,\n chainId,\n networkId,\n method,\n intent,\n expires,\n}: {\n rail: string;\n id: string;\n realm: string;\n amountUsd: string | number;\n currency?: string;\n decimals?: number;\n recipient?: string;\n chainId?: number;\n networkId?: string;\n method?: string;\n intent?: string;\n expires?: string;\n}): string {\n const request = buildPaymentRequestBlob({\n rail,\n amountUsd,\n currency,\n decimals,\n recipient,\n chainId,\n networkId,\n });\n return paymentDirective({\n rail,\n id,\n realm,\n method,\n intent,\n expires,\n request,\n });\n}\n","import { buildPaymentRequestBlob, paymentDirective } from '../payment/directive';\nimport { networks } from '../payment/networks';\nimport { USDC } from '../payment/usdc';\nimport { paymentRequiredHeader } from '../payment/wwwauthenticate';\n\n/** Placeholder payTo for x402 sample accepts in the discovery probe — the probe\n * exists for crawlers to find that we support x402, not for actual payment. The\n * real 402 (returned on a fully-formed request body) carries real deposit\n * addresses minted from a Stripe PaymentIntent. */\nconst ZERO_EVM_PAYTO = '0x0000000000000000000000000000000000000000';\nconst ZERO_SOLANA_PAYTO = '11111111111111111111111111111111';\n\n/**\n * Build a sample x402 accepts entry for a CAIP-2 network. Looks up the USDC asset\n * for the network from the `USDC` registry and uses a placeholder payTo. Used by\n * the discovery probe to advertise x402 support without exposing real deposit\n * addresses.\n *\n * Returns null when the network isn't in the registry — vendors with custom\n * networks should construct accepts entries by hand and pass them via\n * `x402Sample.accepts` directly.\n */\nexport function sampleX402AcceptForNetwork(\n caip2: string,\n amountAtomic: string = '1000000',\n): Record<string, unknown> | null {\n if (caip2 === networks.base.mainnet.caip2) {\n return {\n scheme: 'exact',\n network: caip2,\n amount: amountAtomic,\n asset: USDC.base.mainnet.address,\n payTo: ZERO_EVM_PAYTO,\n maxTimeoutSeconds: 300,\n // ``extra.name`` mirrors the on-chain USDC contract's ``name()`` because\n // EIP-712 domain hashes include this string. Wrong name → every signed\n // payload fails facilitator verify with ``invalid_exact_evm_payload_signature``.\n // Base mainnet USDC returns \"USD Coin\"; base sepolia USDC returns \"USDC\".\n extra: { name: 'USD Coin', version: '2' },\n };\n }\n if (caip2 === networks.base.sepolia.caip2) {\n return {\n scheme: 'exact',\n network: caip2,\n amount: amountAtomic,\n asset: USDC.base.sepolia.address,\n payTo: ZERO_EVM_PAYTO,\n maxTimeoutSeconds: 300,\n extra: { name: 'USDC', version: '2' },\n };\n }\n if (caip2 === networks.solana.mainnet.caip2) {\n return {\n scheme: 'exact',\n network: caip2,\n amount: amountAtomic,\n asset: USDC.solana.mainnet.mint,\n payTo: ZERO_SOLANA_PAYTO,\n maxTimeoutSeconds: 300,\n };\n }\n if (caip2 === networks.solana.devnet.caip2) {\n return {\n scheme: 'exact',\n network: caip2,\n amount: amountAtomic,\n asset: USDC.solana.devnet.mint,\n payTo: ZERO_SOLANA_PAYTO,\n maxTimeoutSeconds: 300,\n };\n }\n return null;\n}\n\ninterface DiscoveryProbeOptions {\n /** Realm — typically the host of your merchant URL (e.g., \"agents.merchant.example\"). */\n realm: string;\n /** Symbolic rail name to advertise in the sample challenge (e.g., 'tempo-mainnet'). */\n sampleRail: string;\n /** Sample amount in USD for the probe (e.g., 1.00). Crawlers use this as an example. */\n sampleAmountUsd: number;\n /** A recipient address to use in the sample directive (your real or zero address is fine). */\n sampleRecipient: string;\n /** MPP intent. Defaults to 'charge'. */\n intent?: string;\n /** TTL for the probe challenge in seconds. Defaults to 300 (5 minutes). */\n ttlSeconds?: number;\n /** Optional URL to include in the body for further docs (e.g., your llms.txt). */\n docsUrl?: string;\n /** Optional human-readable message in the body. */\n message?: string;\n /** Optional sample x402 accepts entries. When provided, the probe response also\n * carries the standard x402 `payment-required` header (base64 PaymentRequired) AND\n * an `accepts` array in the body — so x402 crawlers (e.g. Coinbase awal's\n * `x402 details`/`x402 pay`) can discover the endpoint's x402 support without\n * needing to send a fully-formed business request. Each entry is run through\n * `aliasAmountFields` so v1-only parsers can read `maxAmountRequired` too.\n *\n * Pass `networks` (shorthand) for the common case — the helper looks up USDC\n * per network from the registry and uses placeholder payTo addresses. Or pass\n * `accepts` directly for full control over the sample shape. */\n x402Sample?: {\n /** Spec version to declare. Defaults to 2. */\n version?: 1 | 2;\n /** Shorthand: array of CAIP-2 network strings. Each is mapped to a sample\n * USDC accepts entry via `sampleX402AcceptForNetwork`. Networks not in the\n * USDC registry are silently skipped. Use `accepts` for custom shapes. */\n networks?: string[];\n /** Sample accepts entries. Used when `networks` shorthand isn't enough.\n * Supplied entries are NOT merged with `networks`-derived entries — pick\n * one or the other. */\n accepts?: unknown[];\n /** Sample atomic amount used by the `networks` shorthand. Defaults to\n * `'1000000'` ($1.00 USDC at 6 decimals). Ignored when `accepts` is set. */\n amountAtomic?: string;\n /** Resource URL the probe is responding for. Used in the PAYMENT-REQUIRED header. */\n resourceUrl?: string;\n };\n}\n\nexport interface DiscoveryProbeResponse {\n status: 402;\n headers: Record<string, string>;\n body: string;\n}\n\n/**\n * Build a 402 response advertising a sample Payment challenge. MPP crawlers\n * (mppscan, link-cli mpp decode) probe with empty bodies; merchants need to answer\n * with a properly-formatted Payment directive so the realm can be indexed.\n *\n * Returns a framework-agnostic response shape. Wrap in your framework's response:\n *\n * const probe = buildDiscoveryProbeResponse({...});\n * return new Response(probe.body, { status: probe.status, headers: probe.headers });\n */\nexport function buildDiscoveryProbeResponse(opts: DiscoveryProbeOptions): DiscoveryProbeResponse {\n const probeId = `probe_${Date.now()}`;\n const expires = new Date(Date.now() + (opts.ttlSeconds ?? 300) * 1000).toISOString();\n const request = buildPaymentRequestBlob({\n rail: opts.sampleRail,\n amountUsd: opts.sampleAmountUsd,\n recipient: opts.sampleRecipient,\n });\n const directive = paymentDirective({\n rail: opts.sampleRail,\n id: probeId,\n realm: opts.realm,\n intent: opts.intent,\n expires,\n request,\n });\n\n const bodyObj: Record<string, unknown> = {\n error: {\n code: 'payment_required',\n message: opts.message ?? 'This endpoint requires payment. Send a valid request body to receive a full challenge.',\n },\n discovery: true,\n ...(opts.docsUrl ? { docs: opts.docsUrl } : {}),\n };\n const headers: Record<string, string> = {\n 'content-type': 'application/json',\n 'www-authenticate': directive,\n };\n\n if (opts.x402Sample) {\n const x402Version = opts.x402Sample.version ?? 2;\n const sampleAccepts = opts.x402Sample.accepts\n ?? (opts.x402Sample.networks ?? [])\n .map((n) => sampleX402AcceptForNetwork(n, opts.x402Sample!.amountAtomic ?? '1000000'))\n .filter((e): e is Record<string, unknown> => e !== null);\n // paymentRequiredHeader applies aliasAmountFields internally; do the same for\n // the body's `accepts` so v1-only parsers (Coinbase awal at payments-mcp.coinbase.com)\n // and v2-strict parsers can both read either field name.\n headers['payment-required'] = paymentRequiredHeader({\n x402Version,\n accepts: sampleAccepts,\n ...(opts.x402Sample.resourceUrl\n ? { resource: { url: opts.x402Sample.resourceUrl, mimeType: 'application/json' } }\n : {}),\n });\n // Also embed in body for clients that read body-level accepts (e.g. awal x402 details\n // falls back from header → body when the header isn't present).\n bodyObj.x402Version = x402Version;\n // Reuse the header's already-aliased accepts so the body matches.\n const headerJson = JSON.parse(Buffer.from(headers['payment-required'], 'base64').toString('utf-8'));\n bodyObj.accepts = headerJson.accepts;\n }\n\n return {\n status: 402,\n headers,\n body: JSON.stringify(bodyObj),\n };\n}\n\nexport interface RequestLike {\n method: string;\n headers: { get(name: string): string | null };\n clone(): { text(): Promise<string> };\n}\n\n/**\n * Returns true when the request is an empty-body POST without a payment credential —\n * the canonical MPP discovery probe pattern. Vendors compose this with\n * buildDiscoveryProbeResponse to short-circuit crawler requests before any business\n * logic runs.\n */\nexport async function isDiscoveryProbeRequest(req: RequestLike): Promise<boolean> {\n if (req.method !== 'POST') return false;\n const auth = req.headers.get('authorization');\n if (auth?.startsWith('Payment ')) return false;\n const body = await req.clone().text();\n return !body || body === '{}';\n}\n","/**\n * Spec-rooted helpers for `/.well-known/{ucp,jwks.json}` discovery surfaces.\n *\n * What this module collapses for every UCP-publishing merchant:\n *\n * - Loading + caching the signing key via `loadUCPSigningKeyFromEnv`.\n * - Composing the `payment_handlers` map from the merchant's `Checkout` rails\n * (TempoRailSpec → mppPaymentHandler; X402BaseRailSpec → x402PaymentHandler;\n * StripeRailSpec → stripeSptPaymentHandler).\n * - Building the unsigned profile + signing it.\n * - Cache-Control + CORS + X-Request-ID echo per UCP section 6.\n * - RFC 7517 section 8.5 `application/jwk-set+json` media type on JWKS.\n * - The 503 `ucp_misconfigured` fallback envelope when no handlers can be\n * derived (empty rails dict OR all rails have empty recipients).\n *\n * Each helper returns a framework-neutral `SignedDiscoveryResponse` that\n * merchants wrap in their framework's Response builder (Hono `c.body`, Express\n * `res.set/.status/.send`, Fastify `reply.headers/.code/.send`, Next.js\n * `NextResponse`, Web Fetch `new Response`, etc.).\n */\n\nimport {\n type AgentScoreGatePolicy,\n buildUCPProfile,\n mppPaymentHandler,\n stripeSptPaymentHandler,\n type UCPPaymentHandlerBinding,\n type UCPServiceBinding,\n UCPSigningKey,\n x402PaymentHandler,\n} from '../identity/ucp';\nimport {\n buildJWKSResponse,\n loadUCPSigningKeyFromEnv,\n signUCPProfile,\n} from '../identity/ucp-jwks';\nimport type { Checkout, CheckoutRailSpec } from '../checkout';\nimport type {\n SolanaMppRailSpec,\n StripeRailSpec,\n TempoRailSpec,\n TempoSessionRailSpec,\n X402BaseRailSpec,\n} from '../payment/rail_spec';\n\nconst UCP_CACHE_SECONDS = 60;\nconst JWKS_CACHE_SECONDS = 300;\nconst UCP_SHOPPING_SPEC_2026_04_08 = 'https://ucp.dev/2026-04-08/specification/overview';\n\n/**\n * Framework-neutral response shape for discovery endpoints.\n *\n * Wrap in your framework's response builder. `body` is already JSON-encoded\n * bytes (as a string); do not re-serialize.\n */\nexport interface SignedDiscoveryResponse {\n body: string;\n mediaType: string;\n headers: Record<string, string>;\n status: number;\n}\n\nfunction requestId(headers: Headers | Record<string, string> | undefined): string | undefined {\n if (headers === undefined) return undefined;\n if (headers instanceof Headers) return headers.get('x-request-id') ?? undefined;\n for (const [k, v] of Object.entries(headers)) {\n if (k.toLowerCase() === 'x-request-id') return v;\n }\n return undefined;\n}\n\nfunction attachRequestId(\n headers: Record<string, string>,\n requestHeaders: Headers | Record<string, string> | undefined,\n): void {\n const rid = requestId(requestHeaders);\n if (rid !== undefined) headers['X-Request-ID'] = rid;\n}\n\nfunction isTempoSession(s: CheckoutRailSpec): s is TempoSessionRailSpec {\n return 'escrowContract' in s && 'store' in s;\n}\nfunction isStripe(s: CheckoutRailSpec): s is StripeRailSpec {\n return !('recipient' in s);\n}\n/** A rail spec qualifies for UCP publication when `recipient` is defined —\n * whether concrete (`'0xabc'`), empty-string sentinel (per-order minted by\n * the consumer), or a factory callable (per-order minted on demand). The\n * `tempoToNetworkEntry` / `x402ToNetworkEntry` builders drop the recipient\n * field from the emitted UCP entry when it's not a static address, so per-\n * order-mint merchants advertise the rail without leaking a sentinel. */\nfunction railHasRecipientField(spec: { recipient?: unknown }): boolean {\n return Object.hasOwn(spec, 'recipient');\n}\n\nfunction composeHandlers(checkout: Checkout): Record<string, UCPPaymentHandlerBinding[]> {\n const handlers: Record<string, UCPPaymentHandlerBinding[]> = {};\n const mpp: (TempoRailSpec | SolanaMppRailSpec | TempoSessionRailSpec)[] = [];\n const x402: X402BaseRailSpec[] = [];\n const stripe: StripeRailSpec[] = [];\n\n for (const spec of Object.values(checkout.rails)) {\n if (isStripe(spec)) {\n stripe.push(spec);\n continue;\n }\n if (isTempoSession(spec)) {\n if (railHasRecipientField(spec)) mpp.push(spec);\n continue;\n }\n // Distinguish Tempo (`symbol: 'USDC.e'` or `network: 'tempo-*'`) from x402-Base\n // (CAIP-2 `eip155:*`) and Solana (`network: 'solana:*'`).\n const network = (spec as { network?: string }).network ?? '';\n if (network.startsWith('eip155:') || ('mode' in spec)) {\n if (railHasRecipientField(spec)) x402.push(spec as X402BaseRailSpec);\n } else if (network.startsWith('solana:') || 'rpcUrl' in spec) {\n if (railHasRecipientField(spec)) mpp.push(spec as SolanaMppRailSpec);\n } else {\n // Default to Tempo (network starts with `tempo-` or symbol is `USDC.e`).\n if (railHasRecipientField(spec)) mpp.push(spec as TempoRailSpec);\n }\n }\n\n if (mpp.length > 0) Object.assign(handlers, mppPaymentHandler({ networks: mpp }));\n if (x402.length > 0) Object.assign(handlers, x402PaymentHandler({ networks: x402 }));\n for (const spec of stripe) Object.assign(handlers, stripeSptPaymentHandler({ spec }));\n return handlers;\n}\n\nfunction misconfiguredResponse(\n requestHeaders: Headers | Record<string, string> | undefined,\n): SignedDiscoveryResponse {\n const body = {\n error: {\n code: 'ucp_misconfigured',\n message: 'Merchant has no configured payment handlers.',\n },\n next_steps: {\n action: 'contact_merchant',\n user_message: 'This merchant is temporarily unable to accept agent payments.',\n },\n agent_instructions: {\n action: 'contact_merchant',\n steps: [\n 'Surface a transient error to the user.',\n 'Retry later; the merchant operator will repair the configuration.',\n ],\n user_message: 'Merchant temporarily offline for agent payments.',\n },\n };\n // UCP section 6 forbids `no-store` on profile responses; 60s is the minimum\n // cache age (short enough that recovery is fast once the merchant restores\n // config).\n const headers: Record<string, string> = {\n 'Access-Control-Allow-Origin': '*',\n 'Cache-Control': `public, max-age=${UCP_CACHE_SECONDS}`,\n };\n attachRequestId(headers, requestHeaders);\n return {\n body: JSON.stringify(body),\n mediaType: 'application/json',\n headers,\n status: 503,\n };\n}\n\n/**\n * Build the signed UCP profile response for `/.well-known/ucp`.\n *\n * Composes payment handlers from the Checkout's rails dict, builds the profile\n * via `buildUCPProfile`, signs via `signUCPProfile`, and attaches the UCP\n * section 6-prescribed Cache-Control + CORS + X-Request-ID headers.\n *\n * Returns a 503 `ucp_misconfigured` envelope (still with the section 6-compliant\n * Cache-Control) when no payment handlers can be derived from rails.\n *\n * `services` is the spec-compliant services map (keyed by reverse-DNS service\n * name). `wellKnownUcpUrl` is the canonical URL of this profile, surfaced as\n * the value in `supported_versions`.\n */\nexport async function buildSignedUcpResponse(opts: {\n checkout: Checkout;\n name: string;\n wellKnownUcpUrl: string;\n services: Record<string, UCPServiceBinding[]>;\n requestHeaders?: Headers | Record<string, string>;\n signingKid?: string;\n agentscoreGate?: AgentScoreGatePolicy;\n}): Promise<SignedDiscoveryResponse> {\n const {\n checkout,\n name,\n wellKnownUcpUrl,\n services,\n requestHeaders,\n signingKid = 'merchant-default',\n agentscoreGate,\n } = opts;\n\n const handlers = composeHandlers(checkout);\n if (Object.keys(handlers).length === 0) {\n return misconfiguredResponse(requestHeaders);\n }\n\n const key = await loadUCPSigningKeyFromEnv({ defaultKid: signingKid });\n const signingKeyEntry = UCPSigningKey.fromJWK(key.publicJWK);\n\n const profile = buildUCPProfile({\n name,\n supported_versions: { '2026-04-08': wellKnownUcpUrl },\n agentscore_gate: agentscoreGate,\n services,\n payment_handlers: handlers,\n signing_keys: [signingKeyEntry],\n });\n const signed = await signUCPProfile(profile, {\n signingKey: key.privateKey,\n kid: key.publicJWK.kid as string,\n alg: (key.publicJWK.alg as 'EdDSA' | 'ES256' | undefined) ?? 'EdDSA',\n });\n const headers: Record<string, string> = {\n 'Cache-Control': `public, max-age=${UCP_CACHE_SECONDS}`,\n 'Access-Control-Allow-Origin': '*',\n };\n attachRequestId(headers, requestHeaders);\n return {\n body: JSON.stringify(signed),\n mediaType: 'application/json',\n headers,\n status: 200,\n };\n}\n\n/**\n * Build the JWKS response for `/.well-known/jwks.json`.\n *\n * RFC 7517 section 8.5 prescribes `application/jwk-set+json`. Five-minute\n * Cache-Control balances verifier-side cache hit rate against rotation\n * propagation latency.\n */\nexport async function buildSignedJwksResponse(opts?: {\n requestHeaders?: Headers | Record<string, string>;\n signingKid?: string;\n}): Promise<SignedDiscoveryResponse> {\n const { requestHeaders, signingKid = 'merchant-default' } = opts ?? {};\n const key = await loadUCPSigningKeyFromEnv({ defaultKid: signingKid });\n const jwks = buildJWKSResponse([UCPSigningKey.fromJWK(key.publicJWK)]);\n const headers: Record<string, string> = {\n 'Cache-Control': `public, max-age=${JWKS_CACHE_SECONDS}`,\n 'Access-Control-Allow-Origin': '*',\n };\n attachRequestId(headers, requestHeaders);\n return {\n body: JSON.stringify(jwks),\n mediaType: 'application/jwk-set+json',\n headers,\n status: 200,\n };\n}\n\n/**\n * CORS preflight headers for `/.well-known/*` endpoints.\n *\n * Echoes `Access-Control-Request-Headers` verbatim when present rather than\n * advertising `*` (which browsers reject with credentials in scope). Returns\n * a 204 on the corresponding response via the merchant's framework.\n */\nexport function wellKnownCorsPreflightHeaders(\n requestHeaders?: Headers | Record<string, string>,\n): Record<string, string> {\n const headers: Record<string, string> = {\n 'Access-Control-Allow-Origin': '*',\n 'Access-Control-Allow-Methods': 'GET, OPTIONS',\n 'Access-Control-Max-Age': '86400',\n Vary: 'Access-Control-Request-Headers',\n };\n if (requestHeaders === undefined) return headers;\n const acrh =\n requestHeaders instanceof Headers\n ? requestHeaders.get('access-control-request-headers')\n : Object.entries(requestHeaders).find(([k]) => k.toLowerCase() === 'access-control-request-headers')?.[1];\n if (acrh) headers['Access-Control-Allow-Headers'] = acrh;\n return headers;\n}\n\n/**\n * Build a 204 CORS preflight `Response` for `/.well-known/*` endpoints, wrapping\n * {@link wellKnownCorsPreflightHeaders}. Universal across every UCP-publishing\n * merchant; saves the 4-line `new Response(null, { status: 204, headers: ... })`\n * wrapper every consumer otherwise hand-rolls.\n */\nexport function wellKnownPreflightResponse(\n requestHeaders?: Headers | Record<string, string>,\n): Response {\n return new Response(null, {\n status: 204,\n headers: wellKnownCorsPreflightHeaders(requestHeaders),\n });\n}\n\n/**\n * Canonical UCP services map for a merchant publishing an A2A agent card.\n *\n * Returns `{\"dev.ucp.shopping\": [UCPServiceBinding(version: '2026-04-08',\n * spec: <UCP shopping spec>, transport: 'a2a', endpoint: agentCardUrl)]}`;\n * the binding every UCP-publishing merchant declares when their primary agent\n * surface is the A2A v1.0 `/.well-known/agent-card.json` (versus a UCP MCP or\n * REST endpoint).\n *\n * Merchants who additionally expose a UCP MCP or REST transport append further\n * bindings to the same `dev.ucp.shopping` list.\n */\nexport function defaultA2aServices(opts: {\n agentCardUrl: string;\n}): Record<string, UCPServiceBinding[]> {\n return {\n 'dev.ucp.shopping': [\n {\n version: '2026-04-08',\n spec: UCP_SHOPPING_SPEC_2026_04_08,\n transport: 'a2a',\n endpoint: opts.agentCardUrl,\n },\n ],\n };\n}\n\n/**\n * Eager-load the UCP signing key at startup.\n *\n * A malformed `UCP_SIGNING_KEY_JWK_PRIVATE` env value otherwise surfaces on\n * the first `/.well-known/ucp` hit after deploy, masquerading as a runtime\n * 500. Calling this in the framework's startup hook fails the deploy fast.\n *\n * Wraps `loadUCPSigningKeyFromEnv`; throws (per that helper's contract) on a\n * malformed JWK so the orchestrator marks the task unhealthy.\n */\nexport async function bootstrapUcpSigningKey(opts?: {\n defaultKid?: string;\n}): Promise<void> {\n const defaultKid = opts?.defaultKid ?? 'merchant-default';\n await loadUCPSigningKeyFromEnv({ defaultKid });\n}\n\n// ─────────────────────────────────────────────────────────────────────────────\n// signedResponse<Framework> wrappers\n//\n// Convert the framework-neutral SignedDiscoveryResponse / Response (preflight)\n// into a framework-specific response. Saves the 4-line per-framework wrapper\n// every UCP-publishing merchant otherwise hand-rolls.\n// ─────────────────────────────────────────────────────────────────────────────\n\n/** Hono / Web Fetch wrapper. Returns a `Response`. */\nexport function signedResponseHono(resp: SignedDiscoveryResponse): Response {\n return new Response(resp.body, {\n status: resp.status,\n headers: { ...resp.headers, 'Content-Type': resp.mediaType },\n });\n}\n\n/** Next.js wrapper. Returns a `Response` (interchangeable with NextResponse). */\nexport function signedResponseNextjs(resp: SignedDiscoveryResponse): Response {\n return signedResponseHono(resp);\n}\n\n/** Web Fetch wrapper. Returns a standard `Response`. */\nexport function signedResponseWeb(resp: SignedDiscoveryResponse): Response {\n return signedResponseHono(resp);\n}\n\n/** Express wrapper. Writes onto `res`; returns `void` to match Express convention. */\nexport function signedResponseExpress(\n res: {\n status: (code: number) => unknown;\n set: (headers: Record<string, string>) => unknown;\n type: (mt: string) => unknown;\n send: (body: string) => unknown;\n },\n resp: SignedDiscoveryResponse,\n): void {\n res.status(resp.status);\n res.set(resp.headers);\n res.type(resp.mediaType);\n res.send(resp.body);\n}\n\n/** Fastify wrapper. Writes onto `reply` and returns it. */\nexport function signedResponseFastify(\n reply: {\n code: (code: number) => unknown;\n header: (k: string, v: string) => unknown;\n type: (mt: string) => unknown;\n send: (body: string) => unknown;\n },\n resp: SignedDiscoveryResponse,\n): unknown {\n reply.code(resp.status);\n for (const [k, v] of Object.entries(resp.headers)) reply.header(k, v);\n reply.type(resp.mediaType);\n return reply.send(resp.body);\n}\n","import {\n AgentScore,\n InvalidCredentialError,\n PaymentRequiredError,\n QuotaExceededError,\n TimeoutError as SdkTimeoutError,\n TokenExpiredError,\n} from '@agent-score/sdk';\nimport { isFixableDenial } from './_denial';\nimport { QUOTA_EXCEEDED_INSTRUCTIONS } from './_response';\nimport { normalizeAddress } from './address';\nimport { TTLCache } from './cache';\nimport type { PaymentSigner } from './signer';\n\n// Character-based trim avoids a CodeQL polynomial-redos false positive on\n// `/\\/+$/` patterns that report library-input strings.\nfunction stripTrailingSlashes(s: string): string {\n let end = s.length;\n while (end > 0 && s.charCodeAt(end - 1) === 47 /* '/' */) end--;\n return end === s.length ? s : s.slice(0, end);\n}\n\ndeclare const __VERSION__: string;\n\n// ---------------------------------------------------------------------------\n// Public types (framework-agnostic)\n// ---------------------------------------------------------------------------\n\nexport interface AgentIdentity {\n address?: string;\n operatorToken?: string;\n}\n\n/**\n * Session metadata returned from `POST /v1/sessions`. Surfaced to the `onBeforeSession`\n * hook so merchants can correlate an AgentScore session with their own resume token\n * (e.g. a pending-order id).\n */\nexport interface SessionMetadata {\n session_id: string;\n verify_url: string;\n poll_secret: string;\n poll_url: string;\n expires_at?: string;\n}\n\n/**\n * Configuration for auto-creating a verification session when no identity is present.\n *\n * The static `context` / `productName` options are sent on every session request. For\n * per-request context (e.g. the specific product the agent was trying to buy), pass\n * a `getSessionOptions` callback that returns dynamic values; its return is merged\n * over the static defaults.\n *\n * `onBeforeSession` is a side-effect hook that runs after the session is minted but\n * before the 403 is built. Use it to pre-create a reservation/draft/pending-order\n * row in your DB so agents can resume via a merchant-specific id. Return value is\n * merged into `DenialReason.extra`, so it surfaces in both the default 403 body and\n * in a custom `onDenied` handler.\n */\nexport interface CreateSessionOnMissing<TCtx = unknown> {\n apiKey: string;\n baseUrl?: string;\n context?: string;\n productName?: string;\n /** Per-request override of `context` / `productName`. Invoked with the framework context. */\n getSessionOptions?: (ctx: TCtx) => Promise<{ context?: string; productName?: string }>\n | { context?: string; productName?: string };\n /** Side-effect hook that runs after the session is minted. Return value is merged\n * into `DenialReason.extra` so custom `onDenied` handlers can include merchant-specific\n * fields (e.g. `order_id`) in the 403 response. Hook errors are logged and swallowed —\n * a failing side effect should not block the 403 from reaching the agent. */\n onBeforeSession?: (ctx: TCtx, session: SessionMetadata) => Promise<Record<string, unknown>>\n | Record<string, unknown>;\n}\n\nexport interface AgentScoreCoreOptions {\n /** AgentScore API key. Required. */\n apiKey: string;\n /** Require KYC verification. */\n requireKyc?: boolean;\n /** Require operator to be clear of sanctions. */\n requireSanctionsClear?: boolean;\n /** Minimum operator age bracket (18 or 21). */\n minAge?: number;\n /** List of blocked jurisdictions (blocklist). */\n blockedJurisdictions?: string[];\n /** List of allowed jurisdictions (allowlist — only these pass). */\n allowedJurisdictions?: string[];\n /** If true, allow the request through when the API is unreachable. Defaults to false. */\n failOpen?: boolean;\n /** How long to cache results, in seconds. Defaults to 300. */\n cacheSeconds?: number;\n /** AgentScore API base URL. Defaults to \"https://api.agentscore.sh\". */\n baseUrl?: string;\n /** Optional chain to filter scoring to. */\n chain?: string;\n /** Prepended to the default User-Agent as `\"{userAgent} (@agent-score/commerce@{version})\"`. Use to attribute API calls to your app. */\n userAgent?: string;\n /** When set and no identity is found, create a verification session instead of denying immediately. */\n createSessionOnMissing?: CreateSessionOnMissing;\n}\n\nexport type DenialCode =\n | 'wallet_not_trusted'\n | 'missing_identity'\n | 'api_error'\n | 'payment_required'\n | 'identity_verification_required'\n // Wallet-signer binding: claimed X-Wallet-Address must resolve to the same operator as\n // the payment signer; wallet-auth is rejected on rails with no wallet signer.\n | 'wallet_signer_mismatch'\n | 'wallet_auth_requires_wallet_signing'\n // Granular credential-state denials passed through from /v1/assess.\n // - `token_expired`: revoked + TTL-expired (the API unifies these). The 401 body carries\n // an auto-minted session, forwarded into DenialReason for one-shot recovery.\n // - `invalid_credential`: the token doesn't exist at all (typo, never minted, fabricated).\n // No auto-session is minted by the API for this case — agents should switch to a\n // different stored token or drop the header to bootstrap a fresh session.\n | 'token_expired'\n | 'invalid_credential';\n\n/**\n * Cross-merchant pattern hint emitted on bootstrap denials and session-create responses.\n * LLM-hosted agents should persist this to long-term memory so future AgentScore encounters skip\n * the cold-start session flow. Contents are the pattern, not secrets.\n */\nexport interface AgentMemoryHint {\n save_for_future_agentscore_gates: true;\n pattern_summary: string;\n quickstart: string;\n identity_check_endpoint: string;\n list_wallets_endpoint?: string;\n identity_paths: { wallet: string; operator_token: string };\n bootstrap: string;\n do_not_persist_in_memory: string[];\n persist_in_credential_store: string[];\n}\n\nexport interface DenialReason {\n code: DenialCode;\n /** Human-readable explanation. When omitted, `denialReasonToBody` substitutes a per-code default. */\n message?: string;\n decision?: string;\n reasons?: string[];\n verify_url?: string;\n session_id?: string;\n poll_secret?: string;\n poll_url?: string;\n agent_instructions?: string;\n /** Cross-merchant memory hint. Emitted on bootstrap denials only by default. */\n agent_memory?: AgentMemoryHint;\n /** Full assess response when the denial came from `/v1/assess`. Lets consumers access fields\n * not promoted to first-class DenialReason properties (e.g., `policy_result`). Undefined for\n * denials that did not originate from an assess call (missing_identity, api_error,\n * payment_required, identity_verification_required). */\n data?: AssessResult;\n /** Extra fields returned from the `createSessionOnMissing.onBeforeSession` hook. Merged\n * into the default 403 body; custom `onDenied` handlers can spread these into their own\n * response shape (e.g. to include a merchant-minted `order_id`). */\n extra?: Record<string, unknown>;\n // ---------------------------------------------------------------------------\n // Wallet-signer-match fields — populated for wallet_signer_mismatch only.\n // ---------------------------------------------------------------------------\n /** Operator id resolved from `X-Wallet-Address`. */\n claimed_operator?: string;\n /** Operator id the actual payment signer resolves to. `null` when the signer wallet isn't\n * linked to any operator (treat as a different identity). */\n actual_signer_operator?: string | null;\n /** The wallet the agent claimed via header. Echoed back for self-correction. */\n expected_signer?: string;\n /** The wallet that actually signed the payment. */\n actual_signer?: string;\n /** Wallets the claimed operator could sign with (if enumerable). Present when non-empty. */\n linked_wallets?: string[];\n}\n\n/** Operator verification details from the assess response. Mirrors python's\n * `OperatorVerification` dataclass. */\nexport interface OperatorVerification {\n level: string;\n operator_type: string | null;\n verified_at: string | null;\n}\n\n/** Account-level KYC facts that apply to every operator under the same account.\n * Populated when the API returns account_verification (post-KYC operator).\n * Mirrors python's account_verification dict shape. */\nexport interface AccountVerification {\n kyc_level?: string;\n sanctions_clear?: boolean;\n age_bracket?: string;\n jurisdiction?: string;\n verified_at?: string | null;\n}\n\n/** A single policy check from the assess response. Mirrors python's `PolicyCheck`. */\nexport interface PolicyCheck {\n rule: string;\n passed: boolean;\n required?: unknown;\n actual?: unknown;\n}\n\n/** Policy evaluation result from the assess response. Mirrors python's `PolicyResult`. */\nexport interface PolicyResult {\n all_passed: boolean;\n checks: PolicyCheck[];\n}\n\nexport interface AssessResult {\n decision: string | null;\n decision_reasons: string[];\n identity_method?: string;\n operator_verification?: OperatorVerification;\n account_verification?: AccountVerification;\n resolved_operator?: string | null;\n /** Wallets linked to the same operator as the resolved identity. Capped at 100 entries\n * by the API. Useful for advertising in 402 challenges so wallet-auth agents know which\n * alt-signers will satisfy `wallet_signer_mismatch`. */\n linked_wallets?: string[];\n verify_url?: string;\n policy_result?: PolicyResult | null;\n}\n\n/**\n * Reason a failOpen allow short-circuited an evaluate call due to AgentScore-side\n * infrastructure issues. Surfaced on `EvaluateOutcome` so merchants can log/alert when\n * their gate is running in degraded mode (compliance not actually enforced this request).\n *\n * - `quota_exceeded` — AgentScore returned 429\n * - `api_error` — AgentScore returned 5xx or non-2xx that isn't 429\n * - `network_timeout` — request to /v1/assess timed out or failed at the network layer\n */\nexport type FailOpenInfraReason = 'quota_exceeded' | 'api_error' | 'network_timeout';\n\n/** Per-account assess quota observability, captured from `X-Quota-*` response headers\n * on the success path. Mirrors the SDK's `QuotaInfo` shape — re-exported from gate state\n * so merchants can monitor approach-to-cap proactively (warn at 80%, alert at 95%). */\nexport interface GateQuotaInfo {\n limit: number | null;\n used: number | null;\n /** ISO-8601 timestamp, or the literal string `\"never\"` for unlimited tiers. */\n reset: string | null;\n}\n\n/**\n * Outcome from `AgentScoreCore.evaluate()`. Adapters map this to framework-specific responses.\n *\n * - `{ kind: 'allow', data }` — the request passed the policy. `data` is present on a normal\n * allow; `undefined` when fail-open short-circuited (identity missing, API unreachable,\n * timeout, or 402 paid-tier required).\n * - When `failOpen: true` and the allow was the result of an AgentScore-side infrastructure\n * failure (429/5xx/timeout), the result also carries `degraded: true` + `infraReason` so\n * merchants can alert/log without parsing console output.\n * - `quota` propagates the SDK's per-request quota observability when the API emits the\n * `X-Quota-*` headers. Optional; absent on Enterprise / unlimited tiers.\n * - `{ kind: 'deny', reason }` — the request was denied. Adapters should render a 403 with the\n * reason, or invoke the caller's custom denial handler.\n */\nexport type EvaluateOutcome =\n | { kind: 'allow'; data?: AssessResult; degraded?: boolean; infraReason?: FailOpenInfraReason; quota?: GateQuotaInfo }\n | { kind: 'deny'; reason: DenialReason };\n\ninterface CaptureWalletOptions {\n /** Operator credential (`opc_...`) that the agent authenticated with. */\n operatorToken: string;\n /** Signer wallet recovered from the payment payload. */\n walletAddress: string;\n /** Key-derivation family — `\"evm\"` for any EVM chain, `\"solana\"` for Solana. */\n network: 'evm' | 'solana';\n /** Optional stable key for the logical payment (e.g., payment intent id, tx hash). When the\n * same key is seen again for the same (credential, wallet, network), the server no-ops —\n * prevents agent retries from inflating transaction_count. */\n idempotencyKey?: string;\n}\n\n/** Combined wallet-signer verdict surfaced by `getSignerVerdict(c)` — both verdicts come\n * through the gate's primary `/v1/assess` call (single round trip). `signer_match` describes\n * the wallet-binding (claimed wallet's operator ≡ signer wallet's operator); `signer_sanctions`\n * describes the OFAC SDN wallet-address check.\n *\n * `signer_match` is projected to the gate's camelCase `VerifyWalletSignerResult` shape so\n * existing `buildSignerMismatchBody(...)` helpers consume it unchanged. `signer_sanctions`\n * passes through in the API's wire shape (already short and stable). Returned `undefined`\n * from `getSignerVerdict` when the gate didn't run with a signer (operator-token-only\n * paths, discovery legs with no payment header). */\nexport interface SignerVerdict {\n signer_match: VerifyWalletSignerResult | null;\n signer_sanctions:\n | { status: 'clear' }\n | { sanctioned: true; ofac_label: string; sdn_uid: string; listed_at: string | null }\n | { status: 'unavailable' }\n | null;\n}\n\nexport type VerifyWalletSignerResult =\n | { kind: 'pass'; claimedOperator: string | null; signerOperator: string | null }\n | {\n kind: 'wallet_signer_mismatch';\n claimedOperator: string | null;\n actualSignerOperator: string | null;\n expectedSigner: string;\n actualSigner: string;\n linkedWallets: string[];\n /** JSON-encoded action copy (action + steps + user_message). Spread into the 403 body\n * verbatim so agents get a concrete recovery path inside the denial response itself. */\n agentInstructions: string;\n }\n | {\n kind: 'wallet_auth_requires_wallet_signing';\n claimedWallet: string;\n agentInstructions: string;\n };\n\nexport interface AgentScoreCore {\n /**\n * Evaluate the request's identity against the configured policy.\n * @param identity - extracted identity (wallet address and/or operator token)\n * @param ctx - optional framework-specific context (Hono c, Express req, etc.) passed\n * through to `createSessionOnMissing` hooks. Opaque to core.\n */\n evaluate(\n identity: AgentIdentity | undefined,\n ctx?: unknown,\n /** Pre-extracted payment signer from the inbound request (the adapter middleware\n * extracts it via `extractPaymentSigner`). When provided, the assess call carries\n * it and the response includes `signer_match` + `signer_sanctions` verdicts in one\n * round trip. */\n signer?: PaymentSigner | null,\n ): Promise<EvaluateOutcome>;\n /** Synchronous read of the cached signer verdicts (signer_match + signer_sanctions)\n * populated when the gate's evaluate call was made with a pre-extracted signer. Returns\n * `undefined` when the gate didn't run, the request was operator-token-authenticated,\n * or no signer was extractable (discovery legs). */\n getSignerVerdict(claimedAddress: string): SignerVerdict | undefined;\n /** Report a wallet seen paying under an operator credential. Fire-and-forget; silently\n * swallows non-fatal errors because capture is informational, not on the critical path. */\n captureWallet(options: CaptureWalletOptions): Promise<void>;\n}\n\n// ---------------------------------------------------------------------------\n// Internal types\n// ---------------------------------------------------------------------------\n\n/** Internal cache entry for the gate's per-`(identity, policy)` assess result memo.\n * Distinct from the public `AssessResult` interface (the typed `/v1/assess` response\n * shape returned to merchants); this carries the cached decision plus the per-signer\n * wallet-match sub-cache. */\ninterface CachedAssessResult {\n allow: boolean;\n decision?: string;\n reasons?: string[];\n raw?: unknown;\n}\n\n/**\n * Build the cross-merchant memory hint emitted on bootstrap denials. Base URLs are\n * derived from the gate's AgentScore API base so self-hosted / staging deployments get\n * correct pointers. Contents describe the AgentScore identity substrate in transferable\n * terms; merchant-specific context lives in other `agent_instructions` fields.\n */\n// Canonical production AgentScore API — used as the authoritative source for endpoint pointers\n// emitted to agent memory regardless of how a given merchant configured their gate's baseUrl.\nconst CANONICAL_AGENTSCORE_API = 'https://api.agentscore.sh';\n\n// JSON-encoded action copy emitted on wallet-signer-match denials. Spread into 403 bodies\n// by merchants so agents get a concrete recovery path inside the denial response itself —\n// no discovery-doc round trip required.\nconst WALLET_SIGNER_MISMATCH_INSTRUCTIONS = JSON.stringify({\n action: 'resign_or_switch_to_operator_token',\n steps: [\n 'Preferred: re-submit the payment signed by expected_signer (or any entry in linked_wallets — same-operator wallets are fungible) and retry with the same X-Wallet-Address.',\n 'Alternative: drop X-Wallet-Address and retry with X-Operator-Token. Use a stored opc_... if you have one; otherwise retry this request with NO identity header — the merchant will mint a verification session in the 403 body (verify_url + poll_secret). Share verify_url with the user, poll, receive a fresh opc_...',\n ],\n user_message:\n 'The payment signer resolves to a different operator than X-Wallet-Address. Re-sign from expected_signer or any linked_wallets entry, or switch to X-Operator-Token.',\n});\n\nconst WALLET_AUTH_REQUIRES_WALLET_SIGNING_INSTRUCTIONS = JSON.stringify({\n action: 'switch_to_operator_token',\n steps: [\n 'This payment rail (Stripe SPT, card) carries no wallet signature — X-Wallet-Address cannot be verified against the payment.',\n 'Drop X-Wallet-Address and retry with X-Operator-Token. If you do not have a stored opc_..., retry with no identity header to receive a verification session.',\n ],\n user_message:\n 'Wallet-address identity is only supported on wallet-signing rails (Tempo MPP, x402). On Stripe or card, use X-Operator-Token instead.',\n});\n\n// `invalid_credential` is permanent — the token doesn't exist (typo, never minted, fabricated).\n// Distinct from `token_expired` (which carries an auto-session for one-shot recovery): the\n// API doesn't auto-mint a session here because the client may simply have a different valid\n// token to try. Agents should switch tokens or drop the header to bootstrap a session.\nconst INVALID_CREDENTIAL_INSTRUCTIONS = JSON.stringify({\n action: 'switch_token_or_restart_session',\n steps: [\n 'The X-Operator-Token you sent does not match any credential. This is a permanent state — retrying with the same token will keep failing.',\n 'If you have other stored opc_... credentials, retry with one of them.',\n 'Otherwise drop X-Operator-Token and retry with no identity header — the merchant will mint a fresh verification session in the 403 body (verify_url + poll_secret) so the user can re-verify and you can poll for a new operator_token.',\n ],\n user_message:\n 'The operator_token is not recognized. Use a different stored token, or restart the verification session flow to mint a new one.',\n});\n\nexport function buildAgentMemoryHint(): AgentMemoryHint {\n // Memory pointers always point at the canonical production API — merchants must not be\n // able to redirect the cross-merchant memory surface, since that would be a phishing\n // vector for the verify URL.\n const api = CANONICAL_AGENTSCORE_API;\n return {\n save_for_future_agentscore_gates: true,\n pattern_summary:\n 'AgentScore is a cross-merchant identity substrate for agent commerce. Any endpoint that ' +\n 'returns 403 missing_identity / identity_verification_required or 402 challenges referencing AgentScore uses ' +\n 'the same identity system. One KYC works across all AgentScore merchants — no re-verification ' +\n 'per site. Save this pattern (and the endpoints below) to persistent memory so future ' +\n 'AgentScore encounters skip the cold-start session flow.',\n quickstart: 'https://docs.agentscore.sh/guides/agent-identity',\n identity_check_endpoint: `${api}/v1/credentials`,\n identity_paths: {\n wallet:\n 'If paying from a crypto wallet you have used before on any AgentScore merchant, send ' +\n '`X-Wallet-Address: 0x...`. Shortest path; no token lifecycle to manage.',\n operator_token:\n 'For any rail (Stripe SPT, card, or a wallet you have not linked yet), send ' +\n '`X-Operator-Token: opc_...`. Reusable across merchants until the token expires.',\n },\n bootstrap:\n 'If you have neither a linked wallet nor a valid operator_token, follow the session/verify ' +\n 'flow in the per-request `agent_instructions` block. This happens at most once per agent ' +\n 'identity — after first verification, the operator_token and any subsequently used wallet ' +\n 'are reusable everywhere.',\n do_not_persist_in_memory: ['operator_token', 'poll_secret'],\n persist_in_credential_store: ['operator_token'],\n };\n}\n\n// ---------------------------------------------------------------------------\n// Core factory\n// ---------------------------------------------------------------------------\n\nexport function createAgentScoreCore(options: AgentScoreCoreOptions): AgentScoreCore {\n if (!options.apiKey) {\n throw new Error('AgentScore API key is required. Get one at https://agentscore.sh/sign-up');\n }\n\n const {\n apiKey,\n requireKyc,\n requireSanctionsClear,\n minAge,\n blockedJurisdictions,\n allowedJurisdictions,\n failOpen = false,\n cacheSeconds = 300,\n baseUrl: rawBaseUrl = 'https://api.agentscore.sh',\n chain: gateChain,\n userAgent,\n createSessionOnMissing,\n } = options;\n\n const baseUrl = stripTrailingSlashes(rawBaseUrl);\n const agentMemoryHint = buildAgentMemoryHint();\n\n const defaultUa = `@agent-score/commerce@${__VERSION__}`;\n const userAgentHeader = userAgent ? `${userAgent} (${defaultUa})` : defaultUa;\n\n // Single shared SDK instance for every API call this gate makes (assess, sessions,\n // credentials/wallets, telemetry). Connection pooling + typed-error classification +\n // X-Quota-* header capture all flow through here. The SDK owns the transport layer\n // (timeouts, retry-on-429); the gate adds policy semantics on top. Pass the\n // merchant-prefixed UA — SDK appends its own default to produce a chain like\n // `<merchant-app> (@agent-score/commerce@<v>) (@agent-score/sdk@<v>)`.\n const sdk = new AgentScore({ apiKey, baseUrl, userAgent: userAgentHeader });\n\n // createSessionOnMissing can carry its own apiKey + baseUrl (merchants sometimes wire\n // a session-only key for this hook). Lazily build a separate SDK instance keyed on\n // (apiKey, baseUrl) so we don't construct a new client per request.\n const sessionSdkCache = new Map<string, AgentScore>();\n function getSessionSdk(sessionApiKey: string, sessionBaseUrl?: string): AgentScore {\n const key = `${sessionApiKey}|${sessionBaseUrl ?? ''}`;\n let s = sessionSdkCache.get(key);\n if (!s) {\n s = new AgentScore({\n apiKey: sessionApiKey,\n baseUrl: sessionBaseUrl ?? baseUrl,\n userAgent: userAgentHeader,\n });\n sessionSdkCache.set(key, s);\n }\n return s;\n }\n\n const cache = new TTLCache<CachedAssessResult>(cacheSeconds * 1000);\n\n // Mint a verification session via /v1/sessions and return the resulting\n // identity_verification_required DenialReason — or undefined if the mint failed (network\n // error, non-2xx, missing fields). Used for both the missing-identity path and the\n // fixable-wallet bootstrap path: in both cases the UX is identical (agent polls the\n // returned poll_url until it gets a fresh opc_... and retries).\n async function tryMintSessionDenial(ctx: unknown): Promise<DenialReason | undefined> {\n if (!createSessionOnMissing) return undefined;\n try {\n const sessionBody: { context?: string; product_name?: string } = {};\n if (createSessionOnMissing.context != null) sessionBody.context = createSessionOnMissing.context;\n if (createSessionOnMissing.productName != null) sessionBody.product_name = createSessionOnMissing.productName;\n\n if (createSessionOnMissing.getSessionOptions && ctx !== undefined) {\n try {\n const dynamic = await createSessionOnMissing.getSessionOptions(ctx);\n if (dynamic?.context != null) sessionBody.context = dynamic.context;\n if (dynamic?.productName != null) sessionBody.product_name = dynamic.productName;\n } catch (err) {\n console.warn('[gate] createSessionOnMissing.getSessionOptions hook failed:', err instanceof Error ? err.message : err);\n }\n }\n\n // createSessionOnMissing.apiKey may differ from the gate's apiKey (e.g. merchant\n // wires a session-only key for this hook). Build a per-config SDK lazily.\n const sessionSdk = getSessionSdk(createSessionOnMissing.apiKey, createSessionOnMissing.baseUrl);\n const data = (await sessionSdk.createSession({\n ...(sessionBody.context !== undefined ? { context: sessionBody.context } : {}),\n ...(sessionBody.product_name !== undefined ? { product_name: sessionBody.product_name } : {}),\n })) as unknown as Record<string, unknown>;\n\n // Validate required fields before trusting the response. A misbehaving (or mocked-wrong)\n // API could 200 without session_id/poll_secret/verify_url, which would propagate\n // `undefined` into the 403 body and leave the agent stuck — treat as session-create\n // failure and fall back to the caller's bare denial.\n if (\n typeof data.session_id !== 'string' ||\n typeof data.poll_secret !== 'string' ||\n typeof data.verify_url !== 'string'\n ) {\n console.warn('[gate] /v1/sessions returned 200 without required fields — falling back to bare denial');\n return undefined;\n }\n\n // Run onBeforeSession side-effect hook. Errors are swallowed — a failing DB write\n // (e.g. can't insert pending order) should not block the 403.\n let extra: Record<string, unknown> | undefined;\n if (createSessionOnMissing.onBeforeSession && ctx !== undefined) {\n try {\n const sessionMeta = {\n session_id: data.session_id as string,\n verify_url: data.verify_url as string,\n poll_secret: data.poll_secret as string,\n poll_url: data.poll_url as string,\n expires_at: data.expires_at as string | undefined,\n };\n const result = await createSessionOnMissing.onBeforeSession(ctx, sessionMeta);\n if (result && typeof result === 'object') extra = result;\n } catch (err) {\n console.warn('[gate] createSessionOnMissing.onBeforeSession hook failed:', err instanceof Error ? err.message : err);\n }\n }\n\n // The API emits `next_steps` (structured object) on /v1/sessions success. Stringify it\n // into the gate's `agent_instructions` contract so merchants get the same JSON-encoded\n // {action, steps, user_message} envelope as every other gate-emitted denial.\n const apiNextSteps = data.next_steps as Record<string, unknown> | undefined;\n return {\n code: 'identity_verification_required',\n verify_url: data.verify_url as string,\n session_id: data.session_id as string,\n poll_secret: data.poll_secret as string,\n poll_url: data.poll_url as string | undefined,\n agent_instructions: apiNextSteps ? JSON.stringify(apiNextSteps) : undefined,\n agent_memory: agentMemoryHint,\n ...(extra && { extra }),\n };\n } catch (err) {\n // Session-mint failed (network, /v1/sessions returned non-2xx, body parse error,\n // onBeforeSession threw inside the inner try). Caller falls back to a bare denial —\n // agents still get a 403 with a probe-strategy hint. Log loudly so a persistent\n // /v1/sessions outage isn't masked.\n console.warn('[gate] createSessionOnMissing path failed — falling back to bare denial:', err instanceof Error ? err.message : err);\n return undefined;\n }\n }\n\n async function evaluate(\n identity: AgentIdentity | undefined,\n ctx?: unknown,\n signer?: PaymentSigner | null,\n ): Promise<EvaluateOutcome> {\n // Treat \"returned identity object with no usable fields\" the same as \"no identity at all\" —\n // otherwise a misbehaving custom extractIdentity would send an empty body to /v1/assess.\n if (!identity || (!identity.address && !identity.operatorToken)) {\n // failOpen short-circuits BEFORE the session mint. This branch isn't an infra failure\n // (no AgentScore call has been made yet) so we don't mark the gate state as degraded —\n // missing identity + failOpen is the explicit opt-in pass-through behavior, not a\n // graceful-degradation event. Merchants who need identity-or-deny on a failOpen gate\n // should add a guard at the handler that checks for X-Wallet-Address / X-Operator-Token\n // before reading the gate state.\n if (failOpen) return { kind: 'allow' };\n\n const sessionReason = await tryMintSessionDenial(ctx);\n if (sessionReason) return { kind: 'deny', reason: sessionReason };\n\n // Bare missing-identity denial (no session was auto-created). Describe the probe\n // strategy so agents without memory can recover: try wallet first on signing rails,\n // fall back to stored opc_..., fall back to session flow (noting that only\n // auto-session merchants return verify_url + poll data on the retry).\n const missingIdentityInstructions = JSON.stringify({\n action: 'probe_identity_then_session',\n steps: [\n 'If you have a wallet AND this merchant accepts a wallet-signing rail (Tempo MPP or x402 — see openapi.json x-payment-info): send X-Wallet-Address and retry. If the wallet is already linked to an AgentScore operator (via prior SIWE claim or prior captureWallet), this passes in one round trip. If the wallet is unlinked or the account has no KYC, the 403 will include a verify_url — share it with the user to claim the wallet + complete KYC, then retry.',\n 'If step 1 is denied or you already have a stored operator_token (valid + not expired): send X-Operator-Token: opc_... and retry.',\n 'If neither applies: retry with NO identity header. Merchants that auto-create verification sessions (most AgentScore merchants do) return verify_url + session_id + poll_secret in the 403 body — share verify_url with the user, then poll poll_url every 5s with the X-Poll-Secret header until status=verified (the poll returns a one-time operator_token). If the retry returns the same bare 403, this merchant does not support self-service session bootstrapping — direct the user to https://agentscore.sh/sign-up to create an AgentScore identity and mint an operator_token from their dashboard (https://agentscore.sh/dashboard/verify). The user hands the opc_... to you, and you retry with X-Operator-Token.',\n ],\n user_message:\n 'Try X-Wallet-Address first if you have a wallet and the merchant accepts Tempo/x402; fall back to a stored X-Operator-Token, then to the session/verify flow described in agent_memory.bootstrap.',\n });\n return {\n kind: 'deny',\n reason: {\n code: 'missing_identity',\n agent_instructions: missingIdentityInstructions,\n agent_memory: agentMemoryHint,\n },\n };\n }\n\n // operator_token is opaque + ASCII-only — lowercasing is safe. Wallet addresses go\n // through normalizeAddress because Solana base58 is case-sensitive and lowercasing\n // would corrupt the cache key (a Solana cache miss every time, plus collision risk\n // with mixed-case variants of the same operator).\n const cacheKey = identity.operatorToken?.toLowerCase() ?? (identity.address ? normalizeAddress(identity.address) : '');\n\n const cached = cache.get(cacheKey);\n if (cached) {\n if (cached.allow) {\n const cachedRaw = cached.raw as Record<string, unknown> | undefined;\n const cachedQuota = cachedRaw?.quota as GateQuotaInfo | undefined;\n return {\n kind: 'allow',\n data: cachedRaw as unknown as AssessResult,\n ...(cachedQuota !== undefined && { quota: cachedQuota }),\n };\n }\n // Fixable compliance denials (kyc_required, kyc_pending, kyc_failed) get the\n // same UX as missing_identity: mint a fresh verification session, agent polls\n // until status=verified, gets a fresh opc_..., retries. Unfixable reasons\n // (sanctions_flagged, age_insufficient, jurisdiction_restricted) keep the bare\n // wallet_not_trusted denial. `jurisdiction_restricted` is unfixable: the API\n // only emits it after KYC is verified (the user's KYC'd country is in the\n // blocked list — re-doing KYC won't change the country).\n if (isFixableDenial(cached.reasons)) {\n const sessionReason = await tryMintSessionDenial(ctx);\n if (sessionReason) return { kind: 'deny', reason: sessionReason };\n }\n return {\n kind: 'deny',\n reason: {\n code: 'wallet_not_trusted',\n decision: cached.decision,\n reasons: cached.reasons,\n verify_url: (cached.raw as Record<string, unknown> | undefined)?.verify_url as string | undefined,\n data: cached.raw as AssessResult | undefined,\n },\n };\n }\n\n const policy: Record<string, unknown> = {};\n if (requireKyc != null) policy.require_kyc = requireKyc;\n if (requireSanctionsClear != null) policy.require_sanctions_clear = requireSanctionsClear;\n if (minAge != null) policy.min_age = minAge;\n if (blockedJurisdictions != null) policy.blocked_jurisdictions = blockedJurisdictions;\n if (allowedJurisdictions != null) policy.allowed_jurisdictions = allowedJurisdictions;\n\n let data: Record<string, unknown>;\n try {\n // Single SDK call: typed-error subclasses (PaymentRequiredError / TokenExpiredError /\n // InvalidCredentialError / QuotaExceededError / TimeoutError) flow through the\n // catch below; success path captures `quota` from X-Quota-* headers automatically.\n const opts = {\n chain: gateChain,\n ...(Object.keys(policy).length > 0 ? { policy: policy as never } : {}),\n // Pre-extracted payment signer (by the adapter middleware). When present, the API\n // composes BOTH signer_match (wallet-binding) and signer_sanctions (OFAC SDN wallet\n // check) verdicts on the response in one round trip. Under\n // policy.require_sanctions_clear, a signer_sanctions hit flips decision -> deny inline.\n ...(signer && { signer: { address: signer.address, network: signer.network } }),\n };\n // SDK has two overloads — narrow by which identity is set so TS picks the right one.\n const result = identity.address\n ? await sdk.assess(identity.address, { ...opts, operatorToken: identity.operatorToken })\n : await sdk.assess(null, { ...opts, operatorToken: identity.operatorToken! });\n data = result as unknown as Record<string, unknown>;\n } catch (err) {\n if (err instanceof PaymentRequiredError) {\n if (failOpen) return { kind: 'allow' };\n return { kind: 'deny', reason: { code: 'payment_required' } };\n }\n if (err instanceof TokenExpiredError) {\n // SDK extracts the auto-minted session fields onto the error instance — no body\n // re-parsing needed here.\n return {\n kind: 'deny',\n reason: {\n code: 'token_expired',\n data: err.details as unknown as AssessResult,\n ...(err.verifyUrl ? { verify_url: err.verifyUrl } : {}),\n ...(err.sessionId ? { session_id: err.sessionId } : {}),\n ...(err.pollSecret ? { poll_secret: err.pollSecret } : {}),\n ...(err.pollUrl ? { poll_url: err.pollUrl } : {}),\n ...(err.nextSteps ? { agent_instructions: JSON.stringify(err.nextSteps) } : {}),\n ...(err.agentMemory ? { agent_memory: err.agentMemory as AgentMemoryHint } : {}),\n },\n };\n }\n if (err instanceof InvalidCredentialError) {\n // Permanent — no auto-session, agent should switch tokens or restart.\n return {\n kind: 'deny',\n reason: {\n code: 'invalid_credential',\n agent_instructions: INVALID_CREDENTIAL_INSTRUCTIONS,\n agent_memory: agentMemoryHint,\n },\n };\n }\n if (err instanceof QuotaExceededError) {\n console.warn('[gate] /v1/assess returned 429 quota_exceeded');\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'quota_exceeded' };\n return {\n kind: 'deny',\n reason: { code: 'api_error', agent_instructions: QUOTA_EXCEEDED_INSTRUCTIONS },\n };\n }\n if (err instanceof SdkTimeoutError) {\n console.warn('[gate] /v1/assess timed out:', err.message);\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'network_timeout' };\n return { kind: 'deny', reason: { code: 'api_error' } };\n }\n // Status-based fallbacks for AgentScoreError instances the SDK couldn't classify\n // into a typed subclass (e.g. 429 with body that lacked error.code, or a fetch\n // rejection whose .name doesn't match AbortError but whose status code is set).\n // The real API always emits error.code on 429, so this is purely defensive.\n const status = (err as { status?: number } | null)?.status;\n const errName = err instanceof Error ? err.name : '';\n if (status === 429) {\n console.warn('[gate] /v1/assess returned 429 (untyped — defensive)');\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'quota_exceeded' };\n return {\n kind: 'deny',\n reason: { code: 'api_error', agent_instructions: QUOTA_EXCEEDED_INSTRUCTIONS },\n };\n }\n if (errName === 'TimeoutError' || errName === 'AbortError') {\n console.warn('[gate] /v1/assess timed out (by Error.name):', err instanceof Error ? err.message : err);\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'network_timeout' };\n return { kind: 'deny', reason: { code: 'api_error' } };\n }\n // Generic AgentScoreError (rate_limited, 5xx, network_error, body parse, unknown 4xx)\n // or any non-AgentScoreError unexpected throw — surface as api_error.\n // Include the SDK-classified error code (when available) so ops/dev see\n // schema-drift cases like a new 401 error.code rather than a silent 503.\n const errCode = (err as { code?: string } | null)?.code;\n const msg = err instanceof Error ? err.message : String(err);\n const detail = errCode ? `${errCode}: ${msg}` : msg;\n console.warn(`[gate] /v1/assess call failed — surfacing as api_error: ${detail}`);\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'api_error' };\n return { kind: 'deny', reason: { code: 'api_error' } };\n }\n\n const decision = data.decision as string | null | undefined;\n const decisionReasons = (data.decision_reasons as string[]) ?? [];\n const allow = decision === 'allow' || decision == null;\n\n cache.set(cacheKey, { allow, decision: decision ?? undefined, reasons: decisionReasons, raw: data });\n\n if (allow) {\n // SDK populates `quota` on the assess response from X-Quota-* headers when the\n // API emits them. Surface up to the adapter so merchants can monitor approach-to-cap.\n const quota = data.quota as GateQuotaInfo | undefined;\n return {\n kind: 'allow',\n data: data as unknown as AssessResult,\n ...(quota !== undefined && { quota }),\n };\n }\n\n // Fixable compliance denials (kyc_required, kyc_pending, kyc_failed) get the\n // same UX as missing_identity: mint a fresh verification session, agent polls\n // until status=verified, gets a fresh opc_..., retries. Unfixable reasons\n // (sanctions_flagged, age_insufficient, jurisdiction_restricted) keep the bare\n // wallet_not_trusted denial. `jurisdiction_restricted` is unfixable: the API\n // only emits it after KYC is verified (the user's KYC'd country is in the\n // blocked list — re-doing KYC won't change the country).\n if (isFixableDenial(decisionReasons)) {\n const sessionReason = await tryMintSessionDenial(ctx);\n if (sessionReason) return { kind: 'deny', reason: sessionReason };\n }\n\n return {\n kind: 'deny',\n reason: {\n code: 'wallet_not_trusted',\n decision: decision ?? undefined,\n reasons: decisionReasons,\n verify_url: data.verify_url as string | undefined,\n data: data as unknown as AssessResult,\n },\n };\n }\n\n async function captureWallet(options: CaptureWalletOptions): Promise<void> {\n try {\n await sdk.associateWallet({\n operatorToken: options.operatorToken,\n walletAddress: options.walletAddress,\n network: options.network,\n ...(options.idempotencyKey ? { idempotencyKey: options.idempotencyKey } : {}),\n });\n } catch (err) {\n // Fire-and-forget: don't throw. Log so a persistent capture outage is visible\n // to merchant ops — otherwise wallet↔operator linkage silently stops.\n console.warn('[agentscore-commerce] captureWallet failed:', err instanceof Error ? err.message : err);\n }\n }\n\n // Project the API's signer_match block onto the gate's VerifyWalletSignerResult shape.\n // The API authors agent_instructions, claimed/signer operators, and the linked-wallet\n // set (deny-guarded server-side); the gate just shapes those fields into camelCase.\n function projectSignerMatch(\n sm: Record<string, unknown>,\n claimedNorm: string,\n signerNorm: string,\n ): VerifyWalletSignerResult {\n const kind = sm.kind as string;\n if (kind === 'pass') {\n return {\n kind: 'pass',\n claimedOperator: (sm.claimed_operator as string | null | undefined) ?? null,\n signerOperator: (sm.signer_operator as string | null | undefined) ?? null,\n };\n }\n if (kind === 'wallet_auth_requires_wallet_signing') {\n return {\n kind: 'wallet_auth_requires_wallet_signing',\n claimedWallet: (sm.claimed_wallet as string | undefined) ?? claimedNorm,\n agentInstructions:\n (sm.agent_instructions as string | undefined) ?? WALLET_AUTH_REQUIRES_WALLET_SIGNING_INSTRUCTIONS,\n };\n }\n // Default: wallet_signer_mismatch\n const linked = sm.linked_wallets;\n return {\n kind: 'wallet_signer_mismatch',\n claimedOperator: (sm.claimed_operator as string | null | undefined) ?? null,\n actualSignerOperator: (sm.signer_operator as string | null | undefined) ?? null,\n expectedSigner: (sm.expected_signer as string | undefined) ?? claimedNorm,\n actualSigner: (sm.actual_signer as string | undefined) ?? signerNorm,\n linkedWallets: Array.isArray(linked)\n ? (linked as unknown[]).filter((w): w is string => typeof w === 'string')\n : [],\n agentInstructions:\n (sm.agent_instructions as string | undefined) ?? WALLET_SIGNER_MISMATCH_INSTRUCTIONS,\n };\n }\n\n /**\n * Synchronous read of the cached signer verdicts. Adapter middleware extracts the\n * signer pre-evaluate and the gate's primary /v1/assess call composes both verdicts\n * (signer_match + signer_sanctions) in one round trip — this getter just reads the\n * cached response. Returns `undefined` for operator-token-only paths, discovery legs\n * with no payment credential, or when the gate didn't run.\n */\n function getSignerVerdict(claimedAddress: string): SignerVerdict | undefined {\n const claimedNorm = normalizeAddress(claimedAddress);\n const cached = cache.get(claimedNorm);\n if (!cached) return undefined;\n const raw = cached.raw as Record<string, unknown> | undefined;\n if (!raw) return undefined;\n const rawMatch = raw.signer_match as Record<string, unknown> | undefined;\n const rawSanctions = raw.signer_sanctions as SignerVerdict['signer_sanctions'] | undefined;\n if (!rawMatch && !rawSanctions) return undefined;\n // The API's signer_match has the actual signer wallet baked in (actual_signer); we\n // didn't track it separately in the cache key (only claimed-side). Pass the API's own\n // actual_signer as signerNorm so the projected shape is consistent.\n const signerNorm = (rawMatch?.actual_signer as string | undefined) ?? claimedNorm;\n return {\n signer_match: rawMatch ? projectSignerMatch(rawMatch, claimedNorm, signerNorm) : null,\n signer_sanctions: rawSanctions ?? null,\n };\n }\n\n return { evaluate, captureWallet, getSignerVerdict };\n}\n","/**\n * Universal denial helpers shared across every adapter.\n *\n * What lives here:\n * - `FIXABLE_DENIAL_REASONS` / `isFixableDenial` — classifier for compliance reasons that can\n * be resolved by re-completing KYC (vs sanctions / age failures which are permanent).\n * - `denialReasonStatus` — picks the right HTTP status code per denial code (401 for credential\n * problems, 503 for transient API errors, 403 for everything else).\n * - `buildSignerMismatchBody` — produces the standard 403 body for a non-pass signer_match\n * verdict (read via `getSignerVerdict`).\n * - `buildContactSupportNextSteps` — standard `next_steps.action: \"contact_support\"` shape for\n * unfixable compliance denials.\n * - `verificationAgentInstructions` — the canned `agent_instructions` block for\n * identity-verification 403s. Vendors can override individual fields.\n *\n * Adapters use `denialReasonStatus` inside their default `onDenied` so vendors get the right\n * status code for free. The body builders are exported from each adapter so vendors who write\n * a custom `onDenied` can compose them without copy-paste.\n */\n\nimport type { DenialReason, VerifyWalletSignerResult } from './core';\n\n/**\n * Compliance denial reasons that can be resolved by re-completing KYC. The API emits these\n * when KYC is missing/pending/failed; the user can re-verify and retry.\n *\n * `jurisdiction_restricted` is NOT in this set — the API only emits it AFTER KYC is verified,\n * meaning the user's KYC'd country is in the merchant's blocked list (or absent from the\n * allowed list). Re-doing KYC won't change the country, so it's permanent. Same shape as\n * `sanctions_flagged` and `age_insufficient` — surface contact_support, don't waste a\n * /v1/sessions mint.\n */\nexport const FIXABLE_DENIAL_REASONS: ReadonlySet<string> = new Set([\n 'kyc_required',\n 'kyc_pending',\n 'kyc_failed',\n]);\n\n/**\n * Returns true when a `wallet_not_trusted` denial's reasons are all fixable via KYC\n * re-verification. False when any reason is permanent (sanctions, age, jurisdiction_restricted).\n *\n * Empty reasons returns false — without a known reason we can't promise a fix, so default to\n * the bare denial path (vendors can override via custom onDenied if they want different\n * behavior on empty reasons).\n */\nexport function isFixableDenial(reasons: readonly string[] | undefined): boolean {\n if (!reasons || reasons.length === 0) return false;\n return reasons.every((r) => FIXABLE_DENIAL_REASONS.has(r));\n}\n\n/**\n * The right HTTP status code for a denial. `defaultOnDenied` in every adapter uses this so\n * vendors get correct status codes without writing per-code branches.\n *\n * - 401 for credential problems the agent can recover from (`token_expired`, `invalid_credential`)\n * - 503 for transient `api_error`\n * - 403 for everything else (identity required, compliance fail, signer mismatch, etc.)\n */\nexport function denialReasonStatus(reason: DenialReason): 401 | 403 | 503 {\n if (reason.code === 'token_expired' || reason.code === 'invalid_credential') return 401;\n if (reason.code === 'api_error') return 503;\n return 403;\n}\n\n/**\n * Standard 403 body for a non-pass signer-match verdict. Returns null for `pass` so vendors\n * can call it unconditionally:\n *\n * const verdict = getSignerVerdict(c);\n * if (verdict?.signer_match) {\n * const mismatchBody = buildSignerMismatchBody({ result: verdict.signer_match });\n * if (mismatchBody) return c.json(mismatchBody, 403);\n * }\n *\n * Body shape mirrors the gate's denial bodies: top-level error.code, all signer-match fields\n * (`claimed_operator`, `actual_signer_operator`, `expected_signer`, `actual_signer`,\n * `linked_wallets`), plus a `next_steps` action describing the recovery path.\n */\nexport function buildSignerMismatchBody({\n result,\n userMessage,\n learnMoreUrl,\n}: {\n /** Projected signer_match verdict (from `getSignerVerdict(ctx).signer_match`). Only non-pass\n * kinds produce a body. */\n result: VerifyWalletSignerResult;\n /** Optional override for the human-facing `next_steps.user_message`. */\n userMessage?: string;\n /** Optional override for `next_steps.learn_more_url`. Default: AgentScore agent-identity guide. */\n learnMoreUrl?: string;\n}): Record<string, unknown> | null {\n if (result.kind === 'pass') return null;\n\n const learnMoreUrlResolved = learnMoreUrl ?? 'https://docs.agentscore.sh/guides/agent-identity';\n\n if (result.kind === 'wallet_signer_mismatch') {\n const linkedWallets = result.linkedWallets ?? [];\n const userMessageResolved = userMessage ?? (linkedWallets.length > 0\n ? `Sign the payment with one of the wallets linked to this operator: ${linkedWallets.join(', ')}. Then retry.`\n : 'Sign the payment with the same wallet you claimed via X-Wallet-Address, or switch to X-Operator-Token for rail-independent identity.');\n return {\n error: {\n code: 'wallet_signer_mismatch',\n message:\n 'Payment signer does not match the wallet claimed via X-Wallet-Address. The signer and the claimed wallet must both resolve to the same AgentScore operator.',\n },\n claimed_operator: result.claimedOperator,\n actual_signer_operator: result.actualSignerOperator ?? null,\n expected_signer: result.expectedSigner,\n actual_signer: result.actualSigner,\n linked_wallets: linkedWallets,\n next_steps: {\n action: 'regenerate_payment_from_linked_wallet',\n user_message: userMessageResolved,\n learn_more_url: learnMoreUrlResolved,\n },\n };\n }\n\n // wallet_auth_requires_wallet_signing\n return {\n error: {\n code: 'wallet_auth_requires_wallet_signing',\n message:\n 'Wallet-auth requires a payment rail that carries a wallet signature (Tempo MPP, x402). Stripe SPT and card rails have no wallet signer; switch to X-Operator-Token to use those.',\n },\n next_steps: {\n action: 'switch_to_operator_token',\n user_message:\n userMessage ??\n 'Drop the X-Wallet-Address header and retry with X-Operator-Token (works on every payment rail).',\n learn_more_url: learnMoreUrlResolved,\n },\n };\n}\n\n/**\n * Standard `next_steps` block for unfixable compliance denials (sanctions, age, etc.). Vendors\n * spread this into a 403 body alongside the usual `error`/`reasons` fields.\n *\n * return c.json({\n * error: { code: 'compliance_denied', message: '...' },\n * reasons,\n * next_steps: buildContactSupportNextSteps('support@example.com'),\n * }, 403);\n */\nexport function buildContactSupportNextSteps(\n supportEmail: string,\n message?: string,\n): { action: 'contact_support'; support_email: string; user_message: string } {\n return {\n action: 'contact_support',\n support_email: supportEmail,\n user_message:\n message ??\n `If you believe this denial is in error, contact support at ${supportEmail} with the details of your request.`,\n };\n}\n\n/**\n * The canonical `agent_instructions` block for identity-verification 403s. Tells the agent how to\n * present the verify_url, poll for the operator_token, and retry the original request. Universal\n * across every AgentScore-gated merchant — overrides let vendors add merchant-specific steps\n * (e.g. \"include order_id when retrying\").\n */\nexport function verificationAgentInstructions({\n userAction,\n retryStep,\n extraSteps,\n pollIntervalSeconds = 5,\n timeoutSeconds = 3600,\n orderTtl,\n extra,\n}: {\n /** Override the user-facing message. */\n userAction?: string;\n /** Replace the generic \"Retry the original merchant request...\" step with a merchant-specific\n * one (e.g. \"Retry POST /purchase with X-Operator-Token AND include order_id...\"). When set,\n * this REPLACES baseSteps[4] rather than appending — use it instead of `extraSteps[0]` when\n * your retry instruction is a refinement of the canonical retry, not an additional step. */\n retryStep?: string;\n /** Append additional steps after the retry step. Use this for genuinely additional steps\n * (e.g. \"After payment the same call returns 200 with the order\"), not for re-stating the\n * retry — use `retryStep` for that. */\n extraSteps?: string[];\n /** Override the poll cadence. Default 5 seconds. */\n pollIntervalSeconds?: number;\n /** Override how long the agent should keep polling. Default 3600 seconds (1 hour). */\n timeoutSeconds?: number;\n /** Optional `order_ttl` note describing how long pending orders survive. */\n orderTtl?: string;\n /** Arbitrary additional fields merged into the instructions object. */\n extra?: Record<string, unknown>;\n} = {}): {\n action: 'poll_for_credential';\n user_action: string;\n steps: string[];\n poll_interval_seconds: number;\n poll_secret_header: 'X-Poll-Secret';\n retry_token_header: 'X-Operator-Token';\n timeout_seconds: number;\n order_ttl?: string;\n [key: string]: unknown;\n} {\n const baseSteps = [\n 'Present the verify_url directly to the user — it is a complete, ready-to-open URL with the session token already embedded (e.g. https://agentscore.sh/verify?session=sess_...). Do NOT modify or construct the URL yourself.',\n `Immediately begin polling poll_url every ${pollIntervalSeconds} seconds with header X-Poll-Secret set to poll_secret. The user will complete verification in their browser while you poll in the background.`,\n 'The user visits the URL, signs in, completes identity verification (photo ID + selfie via Stripe Identity), and closes the tab. They do NOT need to copy or paste anything back to you.',\n 'When your poll returns status \"verified\", extract operator_token from the response. This is a one-time value — save it immediately. Subsequent polls return status \"consumed\" without the token.',\n retryStep ?? 'Retry the original merchant request with header X-Operator-Token set to the operator_token value.',\n ];\n\n return {\n action: 'poll_for_credential',\n user_action:\n userAction ??\n 'The user must visit verify_url to complete identity verification before this request can proceed',\n steps: extraSteps ? [...baseSteps, ...extraSteps] : baseSteps,\n poll_interval_seconds: pollIntervalSeconds,\n poll_secret_header: 'X-Poll-Secret',\n retry_token_header: 'X-Operator-Token',\n timeout_seconds: timeoutSeconds,\n ...(orderTtl ? { order_ttl: orderTtl } : {}),\n ...(extra ?? {}),\n };\n}\n","/**\n * Shared DenialReason → response body serialization for all adapters.\n *\n * Keeps Hono / Express / Fastify / Web / Next.js defaults aligned — a field added\n * here shows up in every adapter's 403 body automatically, and there's one place\n * to test the marshaling.\n *\n * Body shape: `{ error: { code, message }, ... }` — matches the canonical AgentScore\n * error envelope so downstream agents see one consistent `error.code` +\n * `error.message` pair regardless of which layer produced the denial.\n */\n\nimport type { DenialCode, DenialReason } from './core.js';\n\n/**\n * JSON-encoded canonical agent_instructions per denial code. Auto-injected by\n * `denialReasonToBody` when the gate produces a DenialReason without explicit\n * `agent_instructions` so every denial carries a machine-readable next step.\n *\n * Codes covered:\n * - `wallet_not_trusted` — gate never stamps instructions today (the original gap)\n * - `payment_required` — gate never stamps; merchant tier misconfig, contact-merchant action\n * - `identity_verification_required` — fallback when API didn't return next_steps\n * - `token_expired` — fallback when API didn't return next_steps\n * - `api_error` — `retry_with_backoff` envelope; sole retry channel (no separate\n * next_steps block emitted)\n *\n * Codes already stamped explicitly upstream in core.ts (`missing_identity`,\n * `invalid_credential`) and codes that don't go through DenialReason\n * (`wallet_signer_mismatch`, `wallet_auth_requires_wallet_signing` — handled by\n * `getSignerVerdict` + `buildSignerMismatchBody`) are not in this map.\n */\nconst WALLET_NOT_TRUSTED_INSTRUCTIONS = JSON.stringify({\n action: 'contact_support',\n steps: [\n 'The wallet\\'s operator failed an UNFIXABLE compliance check (sanctions, age, or jurisdiction). `reasons` lists which: `sanctions_flagged` / `age_insufficient` / `jurisdiction_restricted`. KYC re-verification won\\'t change the outcome — the policy denial is structural.',\n 'Surface the denial to the user with the merchant\\'s support contact. Do not retry the same merchant request; do not hand the user a verify_url (verification won\\'t fix this code path).',\n 'Fixable compliance reasons (`kyc_required`, `kyc_pending`, `kyc_failed`) do NOT land on this code — the gate auto-mints a verification session for those and returns `identity_verification_required` with poll endpoints, same shape as `missing_identity`. `jurisdiction_restricted` IS in the unfixable bucket because the API only emits it after KYC is verified (the user\\'s KYC\\'d country is in the blocked list — re-doing KYC won\\'t change the country).',\n ],\n user_message:\n 'This purchase is denied by the merchant\\'s compliance policy and cannot be resolved by re-verifying. Contact the merchant\\'s support if you believe this is in error.',\n});\n\nconst PAYMENT_REQUIRED_INSTRUCTIONS = JSON.stringify({\n action: 'contact_merchant',\n steps: [\n 'The merchant\\'s AgentScore account does not have the assess endpoint enabled, so agent identity cannot be evaluated. This is a merchant-side configuration gap — there is no agent-side recovery.',\n 'Contact the merchant (their support channel — typically listed in /llms.txt or the OpenAPI servers metadata) so they can resolve the configuration on their side.',\n ],\n user_message:\n 'This merchant\\'s identity gate is misconfigured. Contact the merchant — there\\'s nothing to fix on the agent side.',\n});\n\nconst IDENTITY_VERIFICATION_REQUIRED_FALLBACK_INSTRUCTIONS = JSON.stringify({\n action: 'deliver_verify_url_and_poll',\n steps: [\n 'Share verify_url with the user — they complete identity verification on AgentScore.',\n 'If session_id + poll_secret are present in the body, poll poll_url every 5 seconds with header `X-Poll-Secret: <poll_secret>` until status=verified. The poll returns a one-time operator_token.',\n 'Retry the original request with header `X-Operator-Token: <opc_...>`.',\n ],\n user_message:\n 'Identity verification is required. Visit verify_url, then poll poll_url for the operator token and retry.',\n});\n\nconst API_ERROR_INSTRUCTIONS = JSON.stringify({\n action: 'retry_with_backoff',\n steps: [\n 'Verification is temporarily unavailable. Retry the request after 5–30 seconds with exponential backoff.',\n 'This is NOT a compliance denial — the user does not need to re-verify their identity. Send the same identity headers (X-Wallet-Address or X-Operator-Token) on retry.',\n 'If the request continues to fail after 3+ retries (~60 seconds total), surface the error to the user with the merchant\\'s support contact.',\n ],\n user_message:\n 'Verification is temporarily unavailable. Please try again in a moment — this is a transient issue, not a problem with your account.',\n});\n\nexport const QUOTA_EXCEEDED_INSTRUCTIONS = JSON.stringify({\n action: 'contact_merchant',\n steps: [\n 'AgentScore identity verification is unavailable for this merchant. This is a merchant-side issue and is NOT recoverable via retry.',\n 'Do not retry: the same 503 will be returned until the merchant resolves the issue on their side.',\n 'Surface to the user with the merchant\\'s support contact. The merchant (not the agent) needs to act.',\n ],\n user_message:\n 'This merchant\\'s identity verification is temporarily unavailable. Try again later, or contact the merchant directly.',\n});\n\nconst TOKEN_EXPIRED_FALLBACK_INSTRUCTIONS = JSON.stringify({\n action: 'deliver_verify_url_and_poll',\n steps: [\n 'The operator token is expired or revoked. AgentScore auto-mints a fresh verification session — complete it to receive a new opc_...',\n 'Share verify_url with the user, then poll poll_url every 5 seconds with header `X-Poll-Secret: <poll_secret>` until status=verified. The poll returns a fresh one-time operator_token.',\n 'Retry the original request with header `X-Operator-Token: <new_opc_...>`.',\n ],\n user_message:\n 'Operator token is expired or revoked. A new verification session has been minted — visit verify_url to refresh.',\n});\n\nconst DEFAULT_AGENT_INSTRUCTIONS: Partial<Record<DenialCode, string>> = {\n api_error: API_ERROR_INSTRUCTIONS,\n wallet_not_trusted: WALLET_NOT_TRUSTED_INSTRUCTIONS,\n payment_required: PAYMENT_REQUIRED_INSTRUCTIONS,\n identity_verification_required: IDENTITY_VERIFICATION_REQUIRED_FALLBACK_INSTRUCTIONS,\n token_expired: TOKEN_EXPIRED_FALLBACK_INSTRUCTIONS,\n};\n\nconst DEFAULT_MESSAGES: Record<DenialCode, string> = {\n missing_identity:\n 'No identity provided. Send X-Wallet-Address (wallet) or X-Operator-Token (credential).',\n identity_verification_required:\n 'Identity verification is required to access this resource. Visit verify_url to complete KYC.',\n wallet_not_trusted:\n 'The wallet does not meet the merchant compliance policy.',\n api_error:\n 'AgentScore is unreachable. This is transient — retry in a few seconds.',\n payment_required:\n 'Assess endpoint not enabled for this merchant. Contact support.',\n wallet_signer_mismatch:\n 'Payment signer does not match the wallet claimed via X-Wallet-Address. The signer and the claimed wallet must both resolve to the same AgentScore operator.',\n wallet_auth_requires_wallet_signing:\n 'X-Wallet-Address was sent with a rail that has no wallet signature (Stripe SPT / card). Switch to X-Operator-Token, or use a wallet-signing rail (Tempo MPP, x402).',\n token_expired:\n 'The operator token is expired or revoked. A fresh verification session has been minted — visit verify_url to mint a new token.',\n invalid_credential:\n 'The operator token is not recognized. Switch to a different stored token, or drop the header to bootstrap a fresh session.',\n};\n\n// Field names the gate claims authority over. Merchant-provided `extra` (from the\n// onBeforeSession hook) MUST NOT override these — a buggy or malicious hook could\n// otherwise replace `verify_url` with a phishing URL or drop agent_instructions.\nconst RESERVED_FIELDS = new Set([\n 'error',\n 'decision',\n 'reasons',\n 'verify_url',\n 'session_id',\n 'poll_secret',\n 'poll_url',\n 'agent_instructions',\n 'agent_memory',\n 'claimed_operator',\n 'actual_signer_operator',\n 'expected_signer',\n 'actual_signer',\n 'linked_wallets',\n]);\n\nexport function denialReasonToBody(reason: DenialReason): Record<string, unknown> {\n const message = reason.message ?? DEFAULT_MESSAGES[reason.code];\n const body: Record<string, unknown> = { error: { code: reason.code, message } };\n if (reason.decision) body.decision = reason.decision;\n if (reason.reasons) body.reasons = reason.reasons;\n if (reason.verify_url) body.verify_url = reason.verify_url;\n if (reason.session_id) body.session_id = reason.session_id;\n if (reason.poll_secret) body.poll_secret = reason.poll_secret;\n if (reason.poll_url) body.poll_url = reason.poll_url;\n const instructions = reason.agent_instructions ?? DEFAULT_AGENT_INSTRUCTIONS[reason.code];\n if (instructions) body.agent_instructions = instructions;\n if (reason.agent_memory) body.agent_memory = reason.agent_memory;\n if (reason.claimed_operator) body.claimed_operator = reason.claimed_operator;\n if (reason.code === 'wallet_signer_mismatch') body.actual_signer_operator = reason.actual_signer_operator ?? null;\n if (reason.expected_signer) body.expected_signer = reason.expected_signer;\n if (reason.actual_signer) body.actual_signer = reason.actual_signer;\n if (reason.linked_wallets && reason.linked_wallets.length > 0) body.linked_wallets = reason.linked_wallets;\n if (reason.extra) {\n for (const [key, value] of Object.entries(reason.extra)) {\n if (RESERVED_FIELDS.has(key)) {\n console.warn(`[gate] onBeforeSession returned reserved field \"${key}\" — ignoring to preserve gate authority`);\n continue;\n }\n body[key] = value;\n }\n }\n return body;\n}\n","// Network-aware address normalization. EVM addresses (0x + 40 hex) are\n// case-insensitive in the protocol — we lowercase them so DB lookups against\n// `address_lower`-style columns work. Solana addresses are base58 and are\n// case-sensitive — we MUST preserve the input verbatim, never lowercase.\n//\n// Must produce identical output to the API normalizer (`core/api/src/lib/address.ts`)\n// so the gate, API, and merchants normalize the same way. If the two ever drift,\n// captured wallets won't resolve and signer-match silently breaks.\n\nconst SOLANA_BASE58_RE = /^[1-9A-HJ-NP-Za-km-z]{32,44}$/;\nconst EVM_RE = /^0x[0-9a-fA-F]{40}$/;\n\nexport const isValidEvmAddress = (address: string): boolean => EVM_RE.test(address);\n\nexport const isSolanaAddress = (address: string): boolean =>\n SOLANA_BASE58_RE.test(address) && !address.startsWith('0x');\n\nexport const isValidAddress = (address: string): boolean =>\n isValidEvmAddress(address) || isSolanaAddress(address);\n\nexport const normalizeAddress = (address: string): string => {\n if (isSolanaAddress(address)) { return address; }\n return address.toLowerCase();\n};\n","export class TTLCache<T> {\n private store = new Map<string, { value: T; expiresAt: number }>();\n private maxSize: number;\n\n constructor(private defaultTtlMs: number, maxSize = 10000) {\n this.maxSize = maxSize;\n }\n\n get(key: string): T | undefined {\n const entry = this.store.get(key);\n if (!entry) return undefined;\n if (Date.now() > entry.expiresAt) {\n this.store.delete(key);\n return undefined;\n }\n return entry.value;\n }\n\n set(key: string, value: T, ttlMs?: number): void {\n if (this.store.size >= this.maxSize) {\n this.sweep();\n }\n if (this.store.size >= this.maxSize) {\n this.evictOldest(this.store.size - this.maxSize + 1);\n }\n this.store.set(key, {\n value,\n expiresAt: Date.now() + (ttlMs ?? this.defaultTtlMs),\n });\n }\n\n /** Remove all expired entries. */\n private sweep(): void {\n const now = Date.now();\n for (const [k, v] of this.store) {\n if (now > v.expiresAt) {\n this.store.delete(k);\n }\n }\n }\n\n /** Evict the oldest `count` entries by insertion order. */\n private evictOldest(count: number): void {\n let removed = 0;\n for (const key of this.store.keys()) {\n if (removed >= count) break;\n this.store.delete(key);\n removed++;\n }\n }\n}\n","/**\n * Payment-signer extraction.\n *\n * Shared between merchants and the gate. Three paths recover a wallet signer:\n *\n * - **Tempo MPP** — `Authorization: Payment <base64>`; credential `source` is a DID of the\n * form `did:pkh:eip155:<chain>:<address>`.\n * - **Solana MPP `solana/charge`** — `Authorization: Payment <base64>`; recovery via either\n * a `did:pkh:solana:<genesis>:<address>` source (when set by the client) or by decoding\n * the credential's signed-tx payload and reading the SPL `TransferChecked` authority\n * (pull mode only — `payload.type === 'transaction'`).\n * - **x402 EIP-3009 (EVM, e.g. Base/Sepolia)** — `payment-signature` / `x-payment`;\n * decoded payload carries `payload.authorization.from`.\n *\n * Optional peer deps: `mppx` for MPP credentials, `@solana/kit` for the Solana tx-decode\n * fallback. Both dynamic-imported; merchants who don't accept that rail don't need them.\n */\n\nexport type SignerNetwork = 'evm' | 'solana';\n\nconst TOKEN_PROGRAM = 'TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA';\nconst TOKEN_2022_PROGRAM = 'TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb';\nconst TRANSFER_CHECKED_DISCRIMINATOR = 12;\n\ninterface SolanaKitMinimal {\n getBase64Codec: () => { encode: (s: string) => Uint8Array };\n getTransactionDecoder: () => { decode: (b: Uint8Array) => { messageBytes: Uint8Array } };\n getCompiledTransactionMessageDecoder: () => {\n decode: (b: Uint8Array) => {\n staticAccounts: ReadonlyArray<string>;\n instructions: ReadonlyArray<{\n programAddressIndex: number;\n accountIndices?: number[];\n data?: Uint8Array;\n }>;\n };\n };\n}\n\n/**\n * Decode a Solana MPP `solana/charge` credential's `payload.transaction` (base64-encoded\n * signed Solana tx) and return the SPL `TransferChecked` authority — the source-ATA owner,\n * which is the buyer's wallet. Pull mode only (`payload.type === 'transaction'`); push mode\n * (`payload.type === 'signature'`) returns null because recovery would require an RPC fetch.\n */\nasync function extractSolanaSignerFromCredential(credential: unknown): Promise<string | null> {\n const payload = (credential as { payload?: { transaction?: string; type?: string } }).payload;\n if (!payload?.transaction || payload.type !== 'transaction') return null;\n\n const moduleName = '@solana/kit';\n const kit = (await import(moduleName).catch(() => null)) as SolanaKitMinimal | null;\n if (!kit?.getBase64Codec || !kit.getTransactionDecoder || !kit.getCompiledTransactionMessageDecoder) {\n return null;\n }\n\n try {\n const txBytes = kit.getBase64Codec().encode(payload.transaction);\n const decoded = kit.getTransactionDecoder().decode(txBytes);\n const message = kit.getCompiledTransactionMessageDecoder().decode(decoded.messageBytes);\n\n // SPL TransferChecked accounts: [source ATA, mint, destination ATA, authority, ...signers].\n // Returns the FIRST matched authority. For multi-recipient `splits` txs, the buyer\n // signs ONE tx with N TransferChecked instructions all sharing the same authority,\n // so first-match is correct; if a tx ever surfaces with mismatched authorities the\n // first one wins (acceptable since both belong to whoever signed the tx).\n for (const ix of message.instructions) {\n const programId = message.staticAccounts[ix.programAddressIndex];\n if (programId !== TOKEN_PROGRAM && programId !== TOKEN_2022_PROGRAM) continue;\n const data = ix.data;\n if (!data || data.length === 0 || data[0] !== TRANSFER_CHECKED_DISCRIMINATOR) continue;\n const accountIndices = ix.accountIndices ?? [];\n const authorityIndex = accountIndices[3];\n if (authorityIndex === undefined) continue;\n // v0 transactions can carry account indices that resolve via address lookup tables;\n // staticAccounts only holds the static set. If the index is out of range, the\n // authority sits in a lookup table we'd need RPC to resolve. Skip cleanly with a\n // warning rather than returning the wrong address.\n if (authorityIndex >= message.staticAccounts.length) {\n console.warn(\n '[gate] Solana TransferChecked authority resolves through an address lookup table; ' +\n 'signer-match recovery requires the static-account form. Skipping.',\n );\n continue;\n }\n const authority = message.staticAccounts[authorityIndex];\n if (authority) return authority;\n }\n return null;\n } catch (err) {\n console.warn('[gate] Solana credential decode failed:', err instanceof Error ? err.message : err);\n return null;\n }\n}\n\nexport interface PaymentSigner {\n /** Recovered wallet address (EVM lowercased; Solana base58 preserved verbatim). */\n address: string;\n /** Network family — used by `captureWallet` and downstream cross-chain attribution. */\n network: SignerNetwork;\n}\n\n/**\n * Recover the signer wallet from the incoming payment credential, including the network\n * family. Returns `null` when no wallet signature is present (e.g. Stripe SPT, card-only\n * payments, or no credential yet).\n *\n * @param request - the inbound `Request`\n * @param x402PaymentHeader - the value of `payment-signature` or `x-payment` header, if any.\n * Extracted separately because some frameworks (Express) don't expose a web `Request` object.\n */\nexport async function extractPaymentSigner(\n request: Request,\n x402PaymentHeader?: string,\n): Promise<PaymentSigner | null> {\n // MPP — Authorization: Payment <base64>\n const authHeader = request.headers.get('authorization');\n if (authHeader) {\n try {\n const moduleName = 'mppx';\n const mppx = (await import(moduleName).catch(() => null)) as {\n Credential?: {\n extractPaymentScheme: (h: string) => unknown;\n fromRequest: (r: Request) => unknown;\n };\n } | null;\n if (mppx?.Credential?.extractPaymentScheme(authHeader)) {\n const credential = mppx.Credential.fromRequest(request);\n const source = (credential as { source?: string }).source;\n const evmMatch = source?.match(/^did:pkh:eip155:\\d+:(0x[0-9a-fA-F]{40})$/);\n if (evmMatch) return { address: evmMatch[1]!.toLowerCase(), network: 'evm' };\n // Solana CAIP-10: did:pkh:solana:<genesis-base58>:<address-base58>\n const solMatch = source?.match(/^did:pkh:solana:[1-9A-HJ-NP-Za-km-z]{32,44}:([1-9A-HJ-NP-Za-km-z]{32,44})$/);\n if (solMatch) return { address: solMatch[1]!, network: 'solana' };\n // Fallback: source not set by upstream client. Decode the credential's signed-tx\n // payload to find the SPL TransferChecked authority (= source-ATA owner = buyer\n // wallet). Pull mode only.\n const solanaFromTx = await extractSolanaSignerFromCredential(credential);\n if (solanaFromTx) return { address: solanaFromTx, network: 'solana' };\n }\n } catch (err) {\n console.warn('[gate] MPP signer extraction failed:', err instanceof Error ? err.message : err);\n }\n }\n\n // x402 — base64 JSON, EIP-3009 only. EVM `payload.authorization.from` is the signer.\n if (x402PaymentHeader) {\n try {\n const decoded = atob(x402PaymentHeader);\n const parsed = JSON.parse(decoded) as {\n payload?: { authorization?: { from?: string } };\n };\n const from = parsed?.payload?.authorization?.from;\n if (typeof from === 'string' && /^0x[0-9a-fA-F]{40}$/.test(from)) {\n return { address: from.toLowerCase(), network: 'evm' };\n }\n } catch (err) {\n console.warn('[gate] x402 signer extraction failed:', err instanceof Error ? err.message : err);\n }\n }\n\n return null;\n}\n\n/**\n * Headers-only variant for adapters that don't natively expose a Web Fetch `Request`\n * (Express, Fastify, ASGI-bridged frameworks). Constructs a synthetic Request carrying\n * only the `authorization` header and delegates to {@link extractPaymentSigner}. Works\n * because the MPP and x402 paths only read `request.headers.get('authorization')` and\n * the explicit `x402PaymentHeader` arg — no body, query, or method semantics needed.\n */\nexport async function extractPaymentSignerFromAuth(\n authHeader: string | null | undefined,\n x402PaymentHeader?: string,\n): Promise<PaymentSigner | null> {\n const request = new Request('http://internal.gate/', {\n headers: authHeader ? { authorization: authHeader } : {},\n });\n return extractPaymentSigner(request, x402PaymentHeader);\n}\n\n/**\n * Read the x402 payment header from a `Request`, matching the alternate names merchants might\n * use. Falls back to reading either header directly.\n */\nexport function readX402PaymentHeader(request: Request): string | undefined {\n return (\n request.headers.get('payment-signature') ??\n request.headers.get('x-payment') ??\n undefined\n );\n}\n\nfunction lowerHeaders(headers: Record<string, string>): Record<string, string> {\n const out: Record<string, string> = {};\n for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;\n return out;\n}\n\n/**\n * One-call signer extraction across both supported credential formats.\n *\n * Tries the x402 `payment-signature` / `x-payment` header first (EIP-3009\n * `payload.authorization.from`), then falls back to the MPP\n * `Authorization: Payment` header DID. Returns the first one that resolves,\n * or `null`.\n *\n * Use this for wallet-cap prechecks and other \"did the agent claim to sign as\n * X?\" checks where you need the signer BEFORE invoking Checkout. Checkout's\n * own settle path runs verification separately and surfaces the verified\n * signer on `SettleOutcome.signerAddress`.\n *\n * Accepts a plain headers dict so it works regardless of which framework the\n * merchant uses (the gate adapters all serialize headers down to a dict by\n * the time they reach the merchant's hooks).\n */\nexport async function extractSignerForPrecheck(\n headers: Record<string, string>,\n): Promise<PaymentSigner | null> {\n const lower = lowerHeaders(headers);\n const x402 = lower['payment-signature'] ?? lower['x-payment'];\n if (x402) {\n const signer = await extractPaymentSignerFromAuth(undefined, x402);\n if (signer !== null) return signer;\n }\n const authorization = lower['authorization'];\n if (authorization && authorization.toLowerCase().startsWith('payment ')) {\n return await extractPaymentSignerFromAuth(authorization);\n }\n return null;\n}\n","/**\n * Google A2A (Agent-to-Agent) v1.0 Agent Card builder.\n *\n * Compose the JSON payload for an A2A v1.0 Agent Card per the canonical proto at\n * https://github.com/a2aproject/A2A/blob/main/specification/a2a.proto. Returned object\n * is the unsigned card body — wrap with an A2A `AgentCardSignature` (RFC 7515 JWS)\n * to sign vendor-side before publishing at /.well-known/agent-card.json.\n *\n * Why publish: A2A is a Linux Foundation standard. Signed Agent Cards let any\n * A2A-compatible reader discover an agent's capabilities + protocol bindings without\n * per-platform integration. Per UCP §A2A binding, agents serving UCP via the A2A\n * transport MUST declare the canonical UCP extension URI in `capabilities.extensions[]`\n * so platforms detect UCP support without re-fetching the profile.\n *\n * Spec reference: https://a2a-protocol.org/latest/\n */\n\nconst PROTOCOL_VERSION = '1.0';\nconst DEFAULT_PROTOCOL_BINDING = 'HTTP+JSON';\nconst DEFAULT_INPUT_MODE = 'application/json';\nconst DEFAULT_OUTPUT_MODE = 'application/json';\n\n/** Canonical UCP A2A extension URI — verifiers look for this exact URI in\n * `capabilities.extensions[]` to detect UCP support on the agent card. Pinned\n * to the 2026-04-08 spec snapshot. */\nexport const UCP_A2A_EXTENSION_URI = 'https://ucp.dev/2026-04-08/specification/reference';\n\n/** Per spec §4.4.6. Each entry advertises one protocol binding the agent supports.\n * `supported_interfaces[0]` is the preferred binding (ordered list). */\nexport interface A2AAgentInterface {\n /** Interface URL (https in production). */\n url: string;\n /** Open string — core values are `JSONRPC`, `GRPC`, `HTTP+JSON`. */\n protocol_binding: string;\n /** A2A protocol version, e.g. `\"1.0\"`. Distinct from the agent's own version. */\n protocol_version: string;\n tenant?: string;\n}\n\n/** Per spec §4.4.2. The org/service that provides the agent. */\nexport interface A2AAgentProvider {\n url: string;\n organization: string;\n}\n\n/** Per spec §4.4.5. A distinct capability or function the agent performs.\n * Lives at the TOP LEVEL of AgentCard (not inside `capabilities`). */\nexport interface A2AAgentSkill {\n id: string;\n name: string;\n description: string;\n tags: string[];\n examples?: string[];\n input_modes?: string[];\n output_modes?: string[];\n}\n\n/** Per spec §4.4.4. A protocol extension the agent supports.\n * Lives in `capabilities.extensions[]`. `description` and `required` are\n * spec-mandated fields, not optional. */\nexport interface A2AAgentCardExtension {\n uri: string;\n description: string;\n required: boolean;\n params?: Record<string, unknown>;\n}\n\n/** Build the canonical UCP entry for an A2A agent card's `capabilities.extensions[]`\n * array.\n *\n * Per UCP §A2A binding: \"Businesses supporting UCP must advertise the extension and\n * any optional capabilities in their A2A Agent Card to allow platforms to activate\n * the extension.\" Pass the `capabilities` map keyed by reverse-DNS service/capability\n * name (e.g. `dev.ucp.shopping.checkout`), each value a list of `{ version }` records.\n * Pass `{}` (or omit) when you serve UCP at the discovery layer but have no formal\n * capability bindings yet.\n *\n * `required: true` declares the platform must understand UCP to interoperate with\n * this agent. Default `false`: UCP is offered but not mandatory.\n */\nexport function ucpA2AExtension(\n capabilities: Record<string, Array<{ version: string }>> = {},\n options: { required?: boolean } = {},\n): A2AAgentCardExtension {\n return {\n uri: UCP_A2A_EXTENSION_URI,\n description: 'UCP support: this agent serves Universal Commerce Protocol bindings via the A2A transport.',\n required: options.required ?? false,\n params: { capabilities },\n };\n}\n\n/** Per spec §4.4.3. Optional capabilities the agent supports.\n *\n * Per the canonical proto, `capabilities` declares: streaming, push_notifications,\n * extensions (the protocol extensions the agent supports), and extended_agent_card.\n * REST-style endpoint metadata does NOT belong here — A2A uses `supported_interfaces`\n * on the AgentCard for protocol bindings, and `skills` (top-level) for capability\n * descriptions. */\nexport interface A2AAgentCardCapabilities {\n streaming?: boolean;\n push_notifications?: boolean;\n extensions?: A2AAgentCardExtension[];\n extended_agent_card?: boolean;\n}\n\n/** Per spec §4.4.7. JWS signature embedded in an Agent Card.\n *\n * Multiple signatures MAY be attached to a single card. Verifiers reconstruct the\n * card body without `signatures` to verify each entry. Format follows RFC 7515 JSON\n * Web Signature (JWS). */\nexport interface A2AAgentCardSignature {\n /** Base64url-encoded JSON of the protected JWS header. REQUIRED. */\n protected: string;\n /** Base64url-encoded computed signature. REQUIRED. */\n signature: string;\n /** Optional unprotected JWS header values. */\n header?: Record<string, unknown>;\n}\n\n/** Per spec §4.4.1. A2A v1.0 Agent Card body.\n *\n * Per spec §4.4.7, JWS signatures may be embedded directly in the card via the\n * `signatures` field; verifiers reconstruct the card body without `signatures` and\n * verify each entry. Per-vendor identity attestation can also be expressed via a\n * vendor extension entry inside `capabilities.extensions[]`. */\nexport interface A2AAgentCard {\n name: string;\n description: string;\n /** Ordered; first entry is preferred. */\n supported_interfaces: A2AAgentInterface[];\n /** Agent's own version, e.g. `\"1.0.0\"`. Distinct from the A2A protocol version,\n * which lives on each `A2AAgentInterface.protocol_version`. */\n version: string;\n capabilities: A2AAgentCardCapabilities;\n default_input_modes: string[];\n default_output_modes: string[];\n /** Per spec §4.4.1 (proto field 12, REQUIRED): the agent must declare ≥1 skill.\n * The convenience builder `buildA2AAgentCard` enforces non-empty. */\n skills: A2AAgentSkill[];\n provider?: A2AAgentProvider;\n documentation_url?: string;\n /** Per spec §4.4.1 (proto field 14, optional): URL to an icon for the agent. */\n icon_url?: string;\n /** Per spec §4.4.1 (proto field 13, optional) + §4.4.7: JWS signatures embedded\n * in the card. Compute over the canonical card body MINUS this field, then attach. */\n signatures?: A2AAgentCardSignature[];\n security_schemes?: Record<string, unknown>;\n security_requirements?: unknown[];\n /** Vendor-specific extras merged at top level. */\n [k: string]: unknown;\n}\n\ninterface BuildA2AAgentCardInput {\n /** Agent display name. REQUIRED. */\n name: string;\n /** Agent purpose/description. REQUIRED per spec. */\n description: string;\n /** The primary interface URL — becomes `supported_interfaces[0].url` (with\n * `protocol_binding=HTTP+JSON`, `protocol_version=1.0` by default). For\n * multi-binding agents, construct `A2AAgentCard` directly. */\n url: string;\n /** Top-level skill declarations — what the agent can do. REQUIRED per spec\n * (proto field 12 [field_behavior=REQUIRED]); must have ≥1 entry. */\n skills: A2AAgentSkill[];\n /** Agent's own version, e.g. `\"1.0.0\"`. Distinct from the A2A protocol version. */\n version?: string;\n /** A2A v1.0 capability extensions. Build the UCP entry with `ucpA2AExtension()`. */\n extensions?: A2AAgentCardExtension[];\n /** Capability flag: agent supports streaming responses. */\n streaming?: boolean;\n /** Capability flag: agent supports push notifications for async task updates. */\n push_notifications?: boolean;\n /** Capability flag: agent serves an extended (more detailed) card when authenticated. */\n extended_agent_card?: boolean;\n /** Provider org for the agent. */\n provider?: A2AAgentProvider;\n /** URL to additional human-readable documentation. */\n documentation_url?: string;\n /** URL to an icon for the agent. */\n icon_url?: string;\n /** JWS signatures embedded in the card (per spec §4.4.7). */\n signatures?: A2AAgentCardSignature[];\n /** Default input media types (defaults to `[\"application/json\"]`). */\n default_input_modes?: string[];\n /** Default output media types (defaults to `[\"application/json\"]`). */\n default_output_modes?: string[];\n /** Override the protocol binding for the auto-built primary interface (default `\"HTTP+JSON\"`). */\n protocol_binding?: string;\n /** Override the A2A protocol version for the auto-built primary interface (default `\"1.0\"`). */\n a2a_protocol_version?: string;\n /** Per-scheme security details (key = scheme name). */\n security_schemes?: Record<string, unknown>;\n /** Required security requirements for invoking the agent. */\n security_requirements?: unknown[];\n /** Vendor-specific extras merged at the card top level. */\n extras?: Record<string, unknown>;\n}\n\n/**\n * Compose an A2A v1.0 Agent Card body per the canonical proto.\n *\n * Returns the UNSIGNED card. To attach identity claims, sign the serialized body\n * as an RFC 7515 JWS (`AgentCardSignature`). Vendors can also add an identity-flavored\n * extension to `capabilities.extensions[]`.\n *\n * The single `url` argument becomes the primary `supported_interfaces[0].url`\n * (with `protocol_binding=HTTP+JSON`, `protocol_version=1.0` by default).\n *\n * Example:\n * ```ts\n * import { buildA2AAgentCard, ucpA2AExtension } from '@agent-score/commerce';\n *\n * const card = buildA2AAgentCard({\n * name: 'Example Merchant Concierge',\n * description: 'Buy regulated goods via agent payments.',\n * url: 'https://agents.example.com',\n * version: '1.0.0',\n * skills: [\n * { id: 'purchase', name: 'Purchase', description: 'Buy products via agent payments.', tags: ['commerce', 'payment'] },\n * ],\n * extensions: [ucpA2AExtension()],\n * });\n * const signed = await yourJWSSign(card);\n * ```\n */\nexport function buildA2AAgentCard(input: BuildA2AAgentCardInput): A2AAgentCard {\n if (!input.skills || input.skills.length === 0) {\n throw new Error(\n 'buildA2AAgentCard: `skills` MUST be a non-empty list. Per spec §4.4.1 (proto field 12 [field_behavior=REQUIRED]), every Agent Card must declare at least one AgentSkill. Construct A2AAgentCard directly to bypass.',\n );\n }\n\n const capabilities: A2AAgentCardCapabilities = {};\n if (input.streaming !== undefined) capabilities.streaming = input.streaming;\n if (input.push_notifications !== undefined) capabilities.push_notifications = input.push_notifications;\n if (input.extensions && input.extensions.length > 0) capabilities.extensions = input.extensions;\n if (input.extended_agent_card !== undefined) capabilities.extended_agent_card = input.extended_agent_card;\n\n const primaryInterface: A2AAgentInterface = {\n url: input.url,\n protocol_binding: input.protocol_binding ?? DEFAULT_PROTOCOL_BINDING,\n protocol_version: input.a2a_protocol_version ?? PROTOCOL_VERSION,\n };\n\n const card: A2AAgentCard = {\n name: input.name,\n description: input.description,\n supported_interfaces: [primaryInterface],\n version: input.version ?? '1.0.0',\n capabilities,\n default_input_modes: input.default_input_modes ?? [DEFAULT_INPUT_MODE],\n default_output_modes: input.default_output_modes ?? [DEFAULT_OUTPUT_MODE],\n skills: input.skills,\n };\n if (input.provider !== undefined) card.provider = input.provider;\n if (input.documentation_url !== undefined) card.documentation_url = input.documentation_url;\n if (input.icon_url !== undefined) card.icon_url = input.icon_url;\n if (input.signatures !== undefined && input.signatures.length > 0) card.signatures = input.signatures;\n if (input.security_schemes !== undefined) card.security_schemes = input.security_schemes;\n if (input.security_requirements !== undefined) card.security_requirements = input.security_requirements;\n if (input.extras) {\n for (const [k, v] of Object.entries(input.extras)) {\n card[k] = v;\n }\n }\n return card;\n}\n","export type {\n AccountVerification,\n AgentIdentity,\n AgentMemoryHint,\n AgentScoreCore,\n AssessResult,\n CreateSessionOnMissing,\n DenialCode,\n DenialReason,\n EvaluateOutcome,\n OperatorVerification,\n PolicyCheck,\n PolicyResult,\n SignerVerdict,\n VerifyWalletSignerResult,\n} from './core';\nexport { buildAgentMemoryHint } from './core';\nexport type { PaymentSigner, SignerNetwork } from './signer';\nexport {\n extractPaymentSigner,\n extractPaymentSignerFromAuth,\n extractSignerForPrecheck,\n readX402PaymentHeader,\n} from './signer';\nexport {\n FIXABLE_DENIAL_REASONS,\n buildContactSupportNextSteps,\n buildSignerMismatchBody,\n denialReasonStatus,\n isFixableDenial,\n verificationAgentInstructions,\n} from './_denial';\nexport { denialReasonToBody } from './_response';\nexport {\n buildA2AAgentCard,\n ucpA2AExtension,\n UCP_A2A_EXTENSION_URI,\n type A2AAgentCard,\n type A2AAgentCardCapabilities,\n type A2AAgentCardExtension,\n type A2AAgentCardSignature,\n type A2AAgentInterface,\n type A2AAgentProvider,\n type A2AAgentSkill,\n} from './identity/a2a';\nexport {\n AGENTSCORE_UCP_CAPABILITY,\n type AgentScoreGatePolicy,\n buildUCPProfile,\n mppPaymentHandler,\n stripeSptPaymentHandler,\n type UCPCapabilityBinding,\n type UCPPaymentHandlerBinding,\n type UCPProfile,\n type UCPProfileBody,\n type UCPServiceBinding,\n UCPSigningKey,\n x402PaymentHandler,\n} from './identity/ucp';\nexport {\n buildJWKSResponse,\n generateUCPSigningKey,\n type GeneratedUCPKey,\n type JWKSResponse,\n loadUCPSigningKeyFromEnv,\n type SignedUCPProfile,\n signUCPProfile,\n UCPVerificationError,\n verifyUCPProfile,\n} from './identity/ucp-jwks';\nexport {\n type EnforcementMode,\n type GateResult,\n type IdentityStatus,\n type PolicyBlock,\n buildGateFromPolicy,\n runGateWithEnforcement,\n shippingCountryAllowed,\n shippingStateAllowed,\n validateShippingAgainstPolicy,\n} from './identity/policy';\nexport { hashOperatorToken } from './identity/tokens';\nexport {\n Checkout,\n type CheckoutContext,\n type CheckoutGateConfig,\n type CheckoutRailSpec,\n type CheckoutRequest,\n type CheckoutResult,\n CheckoutValidationError,\n type ComposeMppxFn,\n type DiscoveryProbeConfig,\n type GateDenial,\n type MountUcpRoutesOptions,\n type IsCachedAddressFn,\n type MppxComposeOutcome,\n type OnSettledFn,\n type PreValidateFn,\n type PricingFn,\n type PricingResult,\n type RecipientsFn,\n type ReferenceIdFn,\n type RunGateFn,\n type SettleOutcome,\n getIdentityStatus,\n makeMppxComposeHook,\n pricingResult,\n validationEnvelope,\n validationResponseExpress,\n validationResponseFastify,\n validationResponseHono,\n validationResponseNextjs,\n validationResponseWeb,\n} from './checkout';\n// RailSpec types + payment helpers re-exported at top-level for cross-language\n// parity with python-commerce. Power users can still import from `./payment`.\nexport {\n formatUsdCents,\n loadSolanaFeePayer,\n type SolanaMppRailSpec,\n type StripeRailSpec,\n type TempoRailSpec,\n type TempoSessionRailSpec,\n type X402BaseRailSpec,\n} from './payment';\n","/**\n * High-level Checkout orchestrator — composes 402-emit + verify+settle.\n *\n * The Checkout primitive collapses the agent-commerce dance (emit 402 →\n * verify+settle on retry → respond) into a single `await checkout.handle(request)`\n * call. It services every merchant shape:\n *\n * - **Goods sellers** wire inventory hooks (`onSettled` persists the order;\n * `mintRecipients` mints per-order Stripe-multichain addresses).\n * - **API sellers** wire per-call billing (`computePricing` returns a fixed\n * amount; `onSettled` returns the inline API response body).\n * - **Self-custody-only merchants** configure chain rails (Tempo / Base / Solana)\n * via `X402BaseRailSpec` / `TempoRailSpec` / `SolanaMppRailSpec`.\n * - **Custodial-only merchants** configure `StripeRailSpec` and skip the chain\n * rails — Stripe SPT settles via the same `composeMppx` hook.\n * - **Multi-rail merchants** configure all of the above; the agent picks the rail.\n *\n * Three flexibility axes — every combination is supported:\n *\n * - **x402 only / MPP only / both** — Checkout works with `x402Server` alone,\n * `composeMppx` alone, or both. Whichever payment header arrives is dispatched\n * to the configured handler; the other path is simply absent.\n * - **Self-custody / Stripe / mixed** — rails dict is the single source of truth.\n * Listing `StripeRailSpec` makes Stripe SPT an acceptable rail; omitting it\n * makes the merchant chain-only. Mixing freely is the default.\n * - **Gated / ungated identity** — `CheckoutRequest.assess` is optional. Merchants\n * who run AgentScoreGate upstream pass its result through; merchants running\n * anonymous leave it `null`.\n *\n * Domain-neutral by design: every per-request value is keyed by `referenceId`\n * (a UUID minted on first contact). Goods merchants persist this as their order\n * id; API merchants treat it as a per-call request id.\n */\n\nimport { randomUUID } from 'node:crypto';\nimport { denialReasonToBody } from './_response';\nimport { buildAcceptedMethods } from './challenge/accepted_methods';\nimport { type RailKey, buildAgentInstructions } from './challenge/agent_instructions';\nimport { firstEncounterAgentMemory } from './challenge/agent_memory';\nimport { build402Body } from './challenge/body';\nimport { buildHowToPay } from './challenge/how_to_pay';\nimport { type IdentityMetadataBlock, buildIdentityMetadata } from './challenge/identity';\nimport { buildPricingBlock, type PricingBlock } from './challenge/pricing';\nimport { respond402 } from './challenge/respond_402';\nimport { buildValidationError } from './challenge/validation_error';\nimport {\n type AgentIdentity,\n type AgentScoreCoreOptions,\n type CreateSessionOnMissing,\n type DenialReason,\n type EvaluateOutcome,\n createAgentScoreCore,\n} from './core';\nimport { lazyMppxServer, lazyX402Server } from './payment/lazy';\nimport { type MppxRailSpec } from './payment/mppx_server';\nimport {\n resolveRecipient,\n type RecipientLike,\n type SolanaMppRailSpec,\n type StripeRailSpec,\n type TempoRailSpec,\n type TempoSessionRailSpec,\n type X402BaseRailSpec,\n} from './payment/rail_spec';\nimport { buildX402AcceptsFor402, type X402Server } from './payment/x402_server';\nimport { classifyX402SettleResult, processX402Settle } from './payment/x402_settle';\nimport { verifyX402Request } from './payment/x402_validation';\nimport { zeroAmountCarveOut, type ZeroSettleRail } from './payment/zero-settle';\nimport { extractPaymentSignerFromAuth } from './signer';\nimport type { SignedDiscoveryResponse } from './discovery/well_known';\n\nexport type CheckoutRailSpec =\n | TempoRailSpec\n | X402BaseRailSpec\n | SolanaMppRailSpec\n | StripeRailSpec\n | TempoSessionRailSpec;\n\n/**\n * Framework-neutral HTTP request input to `Checkout.handle`.\n *\n * Merchants build this from their framework's request object once; the\n * Checkout layer then runs the same flow regardless of Hono / Express / Next /\n * Fastify / raw Web Fetch.\n */\nexport interface CheckoutRequest {\n method: string;\n url: string;\n headers: Record<string, string>;\n /** Parsed JSON body. For non-JSON endpoints, pass `{}` and stash the raw bytes elsewhere. */\n body: Record<string, unknown>;\n /** Optional assess block from the gate (operator/wallet identity, signer verdicts).\n *\n * When present, hooks can branch on identity (e.g. KYC-only pricing). When absent,\n * the merchant is either running pre-gate (anonymous discovery) or chose to skip\n * the gate for this endpoint. */\n assess?: Record<string, unknown> | null;\n /** Optional escape hatch for the framework's native request object. Pass when\n * your `composeMppx` hook needs to call `mppx.compose(...)(rawRequest)` — mppx's\n * compose binds to the raw HTTP request, so the orchestrator forwards this\n * through unchanged. */\n raw?: unknown;\n}\n\n/** Output of `Checkout.computePricing` — per-request pricing. */\nexport interface PricingResult {\n /** Total to charge in USD (or the upper bound, for `mode: 'upto'` rails). */\n amountUsd: number;\n currency?: string;\n /** Optional pre-built `PricingBlock`. When omitted, Checkout builds a minimal\n * block from `amountUsd` so the 402 body always carries pricing metadata. */\n block?: PricingBlock;\n /** Optional product block surfaced in the 402 body's `product` field. Goods\n * merchants populate `{id, name, slug, list_price_usd, ...}`; API sellers leave\n * this absent since per-call billing has no product concept. */\n product?: Record<string, string>;\n /** Optional merchant-specific fields merged into the 402 body alongside the\n * standard `accepted_methods` / `agent_instructions` / `pricing` blocks.\n * Useful for `redemption_code_applied`, coupon hints, or any other field the\n * merchant wants the agent to see in the challenge body. */\n bodyExtras?: Record<string, unknown>;\n}\n\n/**\n * Build a {@link PricingResult} from cents-denominated inputs.\n *\n * Saves the `{ amountUsd: ..., block: buildPricingBlock({...}) }` dance every\n * US-commerce merchant repeats. When `subtotalCents` is set:\n *\n * - `subtotalCents` is the list price (pre-discount). `discountCents` is the\n * deduction applied (redemption code / coupon / promo).\n * - `amountUsd` is derived from `(subtotal + tax + shipping - discount) / 100`\n * (floored at 0) unless explicitly provided.\n * - A {@link PricingBlock} is built via {@link buildPricingBlock} and attached\n * to the result's `block` field. `discount` is surfaced as a dollar-string\n * when `discountCents` is supplied.\n *\n * When `subtotalCents` is omitted, the function passes through to the raw\n * `PricingResult` shape; `amountUsd` is then required.\n *\n * Use this in `computePricing` hooks instead of hand-rolling:\n *\n * @example\n * computePricing: async (ctx) => pricingResult({\n * subtotalCents: 25000,\n * taxCents: 2000,\n * taxRate: 0.08,\n * taxState: 'CA',\n * }),\n *\n * @example\n * // Redemption-code applied (free order, agent sees the savings line):\n * computePricing: async (ctx) => pricingResult({\n * subtotalCents: 7500,\n * discountCents: 7500,\n * }),\n */\nexport function pricingResult(opts: {\n subtotalCents?: number;\n taxCents?: number;\n shippingCents?: number;\n discountCents?: number;\n taxRate?: number;\n taxState?: string;\n currency?: string;\n amountUsd?: number;\n product?: Record<string, string>;\n bodyExtras?: Record<string, unknown>;\n}): PricingResult {\n const currency = opts.currency ?? 'USD';\n if (opts.subtotalCents !== undefined) {\n const totalCents = Math.max(\n 0,\n opts.subtotalCents + (opts.taxCents ?? 0) + (opts.shippingCents ?? 0) - (opts.discountCents ?? 0),\n );\n const derivedAmount = opts.amountUsd ?? totalCents / 100;\n const block = buildPricingBlock({\n subtotalCents: opts.subtotalCents,\n taxCents: opts.taxCents ?? 0,\n ...(opts.shippingCents !== undefined && { shippingCents: opts.shippingCents }),\n ...(opts.discountCents !== undefined && { discountCents: opts.discountCents }),\n ...(opts.taxRate !== undefined && { taxRate: opts.taxRate }),\n ...(opts.taxState !== undefined && { taxState: opts.taxState }),\n currency,\n });\n return {\n amountUsd: derivedAmount,\n currency,\n block,\n ...(opts.product !== undefined && { product: opts.product }),\n ...(opts.bodyExtras !== undefined && { bodyExtras: opts.bodyExtras }),\n };\n }\n if (opts.amountUsd === undefined) {\n throw new Error('pricingResult requires either `subtotalCents` or `amountUsd`.');\n }\n return {\n amountUsd: opts.amountUsd,\n currency,\n ...(opts.product !== undefined && { product: opts.product }),\n ...(opts.bodyExtras !== undefined && { bodyExtras: opts.bodyExtras }),\n };\n}\n\n/**\n * Per-route discovery-probe config. When passed to {@link Checkout}, any\n * empty-body POST without a payment credential short-circuits with a sample\n * 402 advertising the merchant's payment shape — the canonical pattern x402\n * crawlers (`awal x402 details`, `x402-proxy`, `x402scan`) rely on.\n *\n * Mirrors python's `DiscoveryProbeConfig` dataclass.\n */\nexport interface DiscoveryProbeConfig {\n realm: string;\n sampleRail: 'tempo' | 'base' | 'solana' | 'stripe';\n sampleAmountUsd: number;\n sampleRecipient: string;\n intent?: 'charge' | 'authorize' | 'session.open';\n ttlSeconds?: number;\n docsUrl?: string;\n message?: string;\n x402Sample?: {\n version?: 1 | 2;\n networks?: string[];\n accepts?: unknown[];\n amountAtomic?: string;\n resourceUrl?: string;\n };\n}\n\n/** In-flight state passed to every hook in the Checkout flow. */\nexport interface CheckoutContext {\n request: CheckoutRequest;\n /** UUID minted on first contact. Goods merchants persist as order id; API\n * merchants treat as request id. */\n referenceId: string;\n /** Set after `computePricing` runs. */\n pricing: PricingResult | null;\n /** rail-key → recipient address, after `mintRecipients` runs (if provided).\n * Static rails inherit recipients from the RailSpec. */\n recipients: Record<string, string>;\n /** Merchant-supplied per-request state, populated by `preValidate`. Other\n * hooks read from here (e.g. `ctx.state.product` after preValidate\n * resolved it). Stays empty when no `preValidate` is configured. */\n state: Record<string, unknown>;\n /** Capture the signer wallet under the operator credential the gate resolved\n * for this request. Set by Checkout's internal gate after a successful allow\n * when an operator_token is present; `undefined` for wallet-authenticated\n * requests (no operator_token to associate) or anonymous discovery legs.\n * Fire-and-forget — invoke from `onSettled` with the recovered signer. */\n captureWallet?: (opts: {\n walletAddress: string;\n network: 'evm' | 'solana';\n idempotencyKey?: string;\n }) => Promise<void>;\n}\n\n/**\n * Derive a coarse identity status (`'verified' | 'unverified' | 'anonymous'`)\n * from the assess block on a CheckoutContext. Goods merchants persist this on\n * the order row so audit logs distinguish gated buyers from anonymous ones.\n */\nexport function getIdentityStatus(\n ctx: CheckoutContext,\n): 'verified' | 'unverified' | 'anonymous' {\n const assess = ctx.request.assess;\n if (assess === null || assess === undefined) return 'anonymous';\n const decision = (assess as { decision?: string }).decision;\n if (decision === 'allow') return 'verified';\n return 'unverified';\n}\n\n/**\n * Raised from a `preValidate` hook to short-circuit Checkout with a canonical\n * 4xx envelope.\n *\n * Checkout catches this and emits the canonical `{ error, next_steps }` envelope\n * via `buildValidationError` so merchants don't construct response bodies\n * themselves in the pre-validate path.\n */\nexport class CheckoutValidationError extends Error {\n readonly code: string;\n readonly action: string;\n readonly status: number;\n readonly extra: Record<string, unknown> | undefined;\n constructor(opts: {\n code: string;\n message: string;\n action?: string;\n status?: number;\n extra?: Record<string, unknown>;\n }) {\n super(opts.message);\n this.name = 'CheckoutValidationError';\n this.code = opts.code;\n this.action = opts.action ?? 'fix_request';\n this.status = opts.status ?? 400;\n this.extra = opts.extra;\n }\n}\n\n/**\n * Hook that runs once per request before pricing/settle. Returns a state dict\n * that Checkout merges into `ctx.state` so downstream hooks (`computePricing`,\n * `onSettled`) can read merchant-resolved values like the product row,\n * redemption code, post-discount cents, etc.\n *\n * Throw {@link CheckoutValidationError} to short-circuit with a 4xx envelope.\n */\nexport type PreValidateFn = (\n ctx: CheckoutContext,\n) => Record<string, unknown> | Promise<Record<string, unknown>>;\n\n/** Denial returned by a `CheckoutGateConfig.runGate` function. */\nexport interface GateDenial {\n status: number;\n body: Record<string, unknown>;\n headers?: Record<string, string>;\n}\n\n/**\n * Function the merchant supplies (or builds via a Checkout-gate helper) to run\n * the per-request AgentScore gate. Returns `null` on accept, a `GateDenial`\n * on deny.\n */\nexport type RunGateFn = (ctx: CheckoutContext) => Promise<GateDenial | null>;\n\n/**\n * Wires the AgentScore gate into Checkout.\n *\n * The SDK constructs an `AgentScoreCore` from the policy fields (KYC, age,\n * sanctions, jurisdiction allowlist) and evaluates it after `preValidate`\n * populates state. Supports the full `createSessionOnMissing` hook surface so\n * merchants can pre-create pending orders before the verification session is\n * minted (set `onBeforeSession` to upsert state keyed by `ctx.referenceId` or\n * `ctx.state.*`, returning extras that the SDK folds into `reason.extra`).\n *\n * Three customization layers, in order of precedence:\n *\n * 1. ``runGate`` — full escape hatch. Replaces the SDK's gate flow entirely.\n * Merchants implement assess + denial body construction themselves. Useful\n * only for non-standard auth (e.g. shared signing keys, non-AgentScore IdP).\n * 2. ``perRequestPolicy`` — reads `ctx.state` (populated by preValidate) and\n * returns a partial policy override applied per request (e.g. product-level\n * KYC requirement). When omitted, the static fields below apply uniformly.\n * 3. ``onDenied`` — invoked AFTER the SDK builds the canonical DenialReason.\n * Return a `GateDenial` to override the response body shape, or null to\n * fall back to the canonical body from `denialReasonToBody`.\n *\n * Static policy fields mirror `AgentScoreCoreOptions` — see that interface\n * for field semantics.\n */\nexport interface CheckoutGateConfig {\n /** AgentScore API key. Required when `runGate` is omitted. */\n apiKey?: string;\n /** Override the default `https://api.agentscore.sh` base URL. */\n baseUrl?: string;\n /** Prepended to the default User-Agent on API calls. */\n userAgent?: string;\n /** Require KYC verification. */\n requireKyc?: boolean;\n /** Require operator clear of sanctions. */\n requireSanctionsClear?: boolean;\n /** Minimum operator age bracket (18 or 21). */\n minAge?: number;\n /** Blocked jurisdiction list. */\n blockedJurisdictions?: string[];\n /** Allowed jurisdiction allowlist; only these pass. */\n allowedJurisdictions?: string[];\n /** Fail-open posture for AgentScore-side infra failures. Default false. */\n failOpen?: boolean;\n /** How long to cache results in seconds. Default 300. */\n cacheSeconds?: number;\n /** Optional chain filter for scoring. */\n chain?: string;\n /** Session-mint config for missing-identity bootstrap. Hooks receive the\n * CheckoutContext so `getSessionOptions` and `onBeforeSession` can read\n * state populated by `preValidate`. */\n createSessionOnMissing?: CreateSessionOnMissing<CheckoutContext>;\n /** Surfaced in `agent_memory` hints and audit logs. */\n merchantName?: string;\n /** Free-form context label (e.g. `\"purchase\"`, `\"orders\"`). */\n context?: string;\n /** Per-request policy override. Returns the partial fields to merge over\n * the static config above. Return `null` to skip the gate. */\n perRequestPolicy?: (ctx: CheckoutContext) => Partial<AgentScoreCoreOptions> | null | Promise<Partial<AgentScoreCoreOptions> | null>;\n /** Customize the denial response body. Called after the SDK resolves a\n * DenialReason. Return a `GateDenial` to override the canonical body, or\n * null to use `denialReasonToBody`. */\n onDenied?: (ctx: CheckoutContext, reason: DenialReason) => GateDenial | null | Promise<GateDenial | null>;\n /** Full escape hatch — replaces the SDK gate flow. */\n runGate?: RunGateFn;\n}\n\n/** Surface passed to `Checkout.onSettled` after a payment lands. */\nexport interface SettleOutcome {\n /** Protocol family that handled the settle. */\n rail: 'x402' | 'mpp';\n /** The `PAYMENT-RESPONSE` header to echo (x402 success path). `null` for MPP. */\n paymentResponseHeader: string | null;\n /** The underlying settle result for merchants that need to inspect tx hash / etc. */\n raw: unknown;\n /** On-chain transaction hash where applicable; `null` for the zero-settle carve-out\n * (no on-chain settle) and for Stripe SPT. */\n txHash?: string | null;\n /** Verified signer address (EVM lowercased; Solana base58 verbatim). */\n signerAddress?: string | null;\n /** Network family of the signer; `'evm'` or `'solana'`. */\n signerNetwork?: string | null;\n /** The merchant's `rails`-dict key that handled this settle (e.g. `'tempo'`,\n * `'x402_base'`). Use to label rails in audit logs and persisted orders. */\n railKey?: string;\n}\n\n/** Result a `composeMppx` hook returns when handling an MPP credential.\n *\n * `status: 200` means mppx validated the `Authorization: Payment` credential\n * and the settlement landed; Checkout runs `onSettled` and returns success.\n *\n * `status: 402` means mppx emitted a 402 (no credential / invalid credential).\n * Checkout layers its rich body on top of mppx's WWW-Authenticate header and\n * optional x402 PAYMENT-REQUIRED, returning the composed 402.\n */\nexport interface MppxComposeOutcome {\n status: 200 | 402;\n /** For `status: 402`: the WWW-Authenticate (+ any other) headers mppx's compose\n * emitted. Checkout merges these into the final 402 response. */\n headers?: Record<string, string>;\n /** For `status: 200`: optional PAYMENT-RESPONSE header echoed to the agent. */\n paymentResponseHeader?: string | null;\n /** The underlying mppx compose result for `onSettled` introspection. */\n raw?: unknown;\n /** On-chain tx hash from the mppx Receipt (when status=200 and on-chain). */\n txHash?: string | null;\n /** Verified signer recovered from the credential (when status=200). */\n signerAddress?: string | null;\n /** Network family of the signer; `'evm'` or `'solana'`. */\n signerNetwork?: string | null;\n /** The merchant's `rails`-dict key that handled this settle. Defaults to\n * `\"tempo\"` when unset by the hook. */\n railKey?: string;\n}\n\n/** Framework-neutral output of `Checkout.handle`. */\nexport interface CheckoutResult {\n status: number;\n body: Record<string, unknown>;\n headers: Record<string, string>;\n referenceId: string;\n settled: boolean;\n /** `null` on settlement success; otherwise the failure phase\n * (`'verify_failed'`, `'settle_failed'`, ...) for diagnostics. */\n settlePhase?: string | null;\n}\n\nexport type PricingFn = (ctx: CheckoutContext) => PricingResult | Promise<PricingResult>;\nexport type RecipientsFn = (\n ctx: CheckoutContext,\n) => Record<string, string> | Promise<Record<string, string>>;\nexport type ReferenceIdFn = (ctx: CheckoutContext) => string | Promise<string>;\nexport type OnSettledFn = (\n ctx: CheckoutContext,\n outcome: SettleOutcome,\n) => Record<string, unknown> | null | Promise<Record<string, unknown> | null>;\nexport type ComposeMppxFn = (ctx: CheckoutContext) => MppxComposeOutcome | Promise<MppxComposeOutcome>;\nexport type IsCachedAddressFn = (address: string) => boolean | Promise<boolean>;\n\nfunction lowerHeaders(headers: Record<string, string>): Record<string, string> {\n const out: Record<string, string> = {};\n for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;\n return out;\n}\n\nfunction hasX402Header(headers: Record<string, string>): boolean {\n const h = lowerHeaders(headers);\n return Boolean(h['payment-signature'] ?? h['x-payment']);\n}\n\nfunction hasMppxHeader(headers: Record<string, string>): boolean {\n const h = lowerHeaders(headers);\n return (h['authorization'] ?? '').startsWith('Payment ');\n}\n\nfunction resolveIdentityMetadata(\n ctx: CheckoutContext,\n): IdentityMetadataBlock | undefined {\n const h = lowerHeaders(ctx.request.headers);\n const wallet = h['x-wallet-address'];\n if (!wallet) return undefined;\n let linkedWallets: string[] | undefined;\n const assess = ctx.request.assess;\n if (assess && typeof assess === 'object') {\n const identity = (assess as Record<string, unknown>)['identity'];\n if (identity && typeof identity === 'object') {\n const lw = (identity as Record<string, unknown>)['linked_wallets'];\n if (Array.isArray(lw) && lw.every((x): x is string => typeof x === 'string')) {\n linkedWallets = lw;\n }\n }\n }\n return buildIdentityMetadata({\n mode: 'wallet',\n wallet,\n ...(linkedWallets !== undefined ? { linkedWallets } : {}),\n });\n}\n\nfunction isStripeRailSpec(s: CheckoutRailSpec): s is StripeRailSpec {\n return !('recipient' in s);\n}\n\nfunction isTempoSessionRailSpec(s: CheckoutRailSpec): s is TempoSessionRailSpec {\n return 'escrowContract' in s && 'store' in s;\n}\n\n/** Map a `*RailSpec` instance to its canonical `RailKey` slug. Tempo charge\n * and Tempo session both speak MPP on Tempo, so they fold to `\"tempo_mpp\"`. */\nfunction specRailKey(spec: CheckoutRailSpec): RailKey {\n if (isStripeRailSpec(spec)) return 'stripe';\n if (isTempoSessionRailSpec(spec)) return 'tempo_mpp';\n const network = (spec as { network?: string }).network ?? '';\n if (network.startsWith('eip155:')) return 'x402_base';\n if (network.startsWith('solana:') || 'rpcUrl' in spec) return 'solana_mpp';\n return 'tempo_mpp';\n}\n\n/** Protocol-shaped method name for the `methods: [...]` discovery array. */\nfunction specMethodName(spec: CheckoutRailSpec): string {\n if (isStripeRailSpec(spec)) return 'stripe/spt';\n if (isTempoSessionRailSpec(spec)) return 'tempo/charge';\n const network = (spec as { network?: string }).network ?? '';\n if (network.startsWith('eip155:')) return 'x402/exact (base)';\n if (network.startsWith('solana:') || 'rpcUrl' in spec) return 'solana/charge';\n return 'tempo/charge';\n}\n\n/**\n * Build the canonical `composeMppx` hook for pympp/mppx-backed MPP rails.\n *\n * Lazily resolves the server via the supplied `serverGetter` (typically the\n * output of `lazyMppxServer`). Forwards the request's `Authorization: Payment`\n * header and the current pricing amount to `mpp.charge`. Maps the three pympp\n * outcomes to `MppxComposeOutcome`:\n *\n * - `Challenge` (no/invalid credential) → `status: 402` with the\n * `www-authenticate` header pympp issued.\n * - `(Credential, Receipt)` tuple → `status: 200` with the tx hash lifted from\n * `receipt.reference` / `receipt.transaction` and the signer lifted from the\n * credential's `did:pkh:...` source.\n * - Any unexpected exception → `status: 402` (no headers; Checkout falls back\n * to its standard 402 emit).\n */\nexport function makeMppxComposeHook(opts: {\n serverGetter: () => Promise<unknown>;\n}): ComposeMppxFn {\n return async (ctx: CheckoutContext): Promise<MppxComposeOutcome> => {\n if (ctx.pricing === null) return { status: 402 };\n const mpp = (await opts.serverGetter()) as {\n realm?: string;\n charge: (args: { authorization?: string; amount: string }) => Promise<unknown>;\n };\n const lower = lowerHeaders(ctx.request.headers);\n const authorization = lower['authorization'];\n const amountStr = ctx.pricing.amountUsd.toFixed(2);\n let result: unknown;\n try {\n result = await mpp.charge({ authorization, amount: amountStr });\n } catch {\n return { status: 402 };\n }\n if (!Array.isArray(result)) {\n const challenge = result as { toWwwAuthenticate?: (realm: string) => string };\n const realm = mpp.realm ?? '';\n const headers: Record<string, string> =\n typeof challenge.toWwwAuthenticate === 'function'\n ? { 'www-authenticate': challenge.toWwwAuthenticate(realm) }\n : {};\n return { status: 402, headers };\n }\n const [credential, receipt] = result as [\n { source?: string },\n { reference?: string; transaction?: string },\n ];\n const txHash = receipt.reference ?? receipt.transaction ?? null;\n let signerAddress: string | null = null;\n let signerNetwork: string | null = null;\n const source = credential.source;\n if (typeof source === 'string') {\n const parts = source.split(':');\n if (parts.length >= 4 && parts[0] === 'did' && parts[1] === 'pkh') {\n const family = parts[2];\n const addr = parts[parts.length - 1] ?? null;\n if (family === 'eip155' && addr !== null) {\n signerAddress = addr.toLowerCase();\n signerNetwork = 'evm';\n } else if (family === 'solana' && addr !== null) {\n signerAddress = addr;\n signerNetwork = 'solana';\n }\n }\n }\n return {\n status: 200,\n txHash,\n signerAddress,\n signerNetwork,\n raw: { credential, receipt },\n };\n };\n}\n\n/**\n * Apply per-call recipient overrides (from `mintRecipients`) to rail specs.\n * Returns a new dict; original rails dict is not mutated. Stripe rails are\n * passed through unchanged (no on-chain recipient — they use `profileId`).\n *\n * When the merchant declares rails with sentinel empty-string recipients\n * (per-order minting pattern) and `mintRecipients` only returns addresses\n * for some rails, drop the rails that resolve to an empty recipient — those\n * weren't actually minted for this request and shouldn't be advertised in\n * the 402.\n */\nfunction applyRecipientOverrides(\n rails: Record<string, CheckoutRailSpec>,\n overrides: Record<string, string>,\n): Record<string, CheckoutRailSpec> {\n const out: Record<string, CheckoutRailSpec> = {};\n for (const [key, spec] of Object.entries(rails)) {\n if (isStripeRailSpec(spec)) {\n out[key] = spec;\n continue;\n }\n const override = overrides[key];\n const finalRecipient = override ?? (spec as { recipient?: unknown }).recipient;\n if (finalRecipient === '' || finalRecipient === undefined) continue;\n out[key] = override !== undefined\n ? ({ ...spec, recipient: override } as CheckoutRailSpec)\n : spec;\n }\n return out;\n}\n\n/** Cast helper: trust the rail-dict key for downcasting to the expected spec type.\n * Returns undefined when the key is absent. */\nfunction pickRail<T>(rails: Record<string, CheckoutRailSpec>, key: string): T | undefined {\n const spec = rails[key];\n return spec === undefined ? undefined : (spec as unknown as T);\n}\n\n/**\n * High-level agent-commerce orchestrator.\n *\n * @example\n * ```ts\n * const checkout = new Checkout({\n * rails: { tempo: ..., x402_base: ..., stripe: ... },\n * url: APP_URL,\n * computePricing: (ctx) => ({ amountUsd: cartTotal(ctx.request.body) }),\n * mintRecipients: (ctx) => stripeMultichainAddressesFor(ctx),\n * onSettled: (ctx, outcome) => persistOrder(ctx.referenceId, ctx.request.body, outcome),\n * composeMppx: (ctx) => mppxCompose(mppx, ctx.request),\n * x402Server: x402,\n * });\n * const result = await checkout.handle(buildCheckoutRequest(request));\n * return new Response(JSON.stringify(result.body), { status: result.status, headers: result.headers });\n * ```\n */\n// eslint-disable-next-line @typescript-eslint/no-unsafe-declaration-merging\nexport class Checkout {\n readonly rails: Record<string, CheckoutRailSpec>;\n readonly url: string;\n readonly merchantName: string | undefined;\n readonly computePricing: PricingFn;\n readonly preValidate: PreValidateFn | undefined;\n x402Server: X402Server | undefined;\n composeMppx: ComposeMppxFn | undefined;\n readonly mintRecipients: RecipientsFn | undefined;\n readonly mintReferenceId: ReferenceIdFn | undefined;\n readonly onSettled: OnSettledFn | undefined;\n readonly isCachedAddress: IsCachedAddressFn | undefined;\n readonly zeroSettleCarveOut: boolean;\n readonly gate: CheckoutGateConfig | undefined;\n readonly discoveryExtensions: Record<string, unknown> | undefined;\n readonly discoveryProbe: DiscoveryProbeConfig | undefined;\n private _x402ServerGetter: (() => Promise<X402Server>) | undefined;\n\n constructor(opts: {\n rails: Record<string, CheckoutRailSpec>;\n url: string;\n computePricing: PricingFn;\n /** Per-request validation hook. Runs before pricing/gate/settle. Throw\n * `CheckoutValidationError` to short-circuit with a 4xx envelope. Returns\n * a state dict merged into `ctx.state` for downstream hooks. */\n preValidate?: PreValidateFn;\n /** Built via `createX402Server`. Pair it with an `X402BaseRailSpec` in\n * `rails['x402_base']`; the CAIP-2 network is read from `rail.network`.\n * When omitted, Checkout auto-derives via `lazyX402Server` from the flat\n * `cdpApiKeyId` / `cdpApiKeySecret` kwargs. */\n x402Server?: X402Server;\n /** Required when the merchant accepts `Authorization: Payment` credentials.\n * When omitted and `mppxSecretKey` is supplied, Checkout auto-derives via\n * `lazyMppxServer` + the canonical compose hook (see `makeMppxComposeHook`). */\n composeMppx?: ComposeMppxFn;\n /** Flat-config: when `x402Server` is omitted and any X402BaseRailSpec is in\n * `rails`, Checkout lazy-builds the x402 server. Pair `cdpApiKeyId` +\n * `cdpApiKeySecret` to use Coinbase's facilitator; omit both for the\n * public HTTP facilitator. */\n cdpApiKeyId?: string;\n cdpApiKeySecret?: string;\n /** Flat-config: when `composeMppx` is omitted and an MPP rail is in `rails`,\n * Checkout lazy-builds the mppx server. */\n mppxSecretKey?: string;\n /** Per-order deposit address minting (e.g. Stripe-multichain). */\n mintRecipients?: RecipientsFn;\n /** Default is `randomUUID()`. */\n mintReferenceId?: ReferenceIdFn;\n /** Runs after a settle lands; can return an inline response body for API sellers. */\n onSettled?: OnSettledFn;\n /** Pass when the merchant mints per-order addresses so `verifyX402Request` can\n * confirm the `payTo` was minted by this merchant. Defaults to permissive. */\n isCachedAddress?: IsCachedAddressFn;\n /** Engage the EIP-3009 value=0 + pympp `proof` carve-out when pricing\n * resolves to $0. Goods merchants offering free redemption codes set this\n * to `true` so the credential parses without an on-chain settle. */\n zeroSettleCarveOut?: boolean;\n /** Per-request gate config. When set, the gate runs after `preValidate`\n * populates `ctx.state` and before pricing/settle. Denials short-circuit\n * with the gate's body verbatim. */\n gate?: CheckoutGateConfig;\n /** Per-endpoint x402 `extensions` block emitted on the 402 body. Merge\n * outputs of `createBazaarDiscovery({...})` (or other extension declarers)\n * here — Checkout forwards verbatim into the 402 response body's\n * `extensions` field so Bazaar crawlers and other spec-compliant clients\n * read the route's declared input/output schema. */\n discoveryExtensions?: Record<string, unknown>;\n /** Optional discovery-probe config: auto-route empty-body POSTs without a\n * payment header to a sample 402 advertising the merchant's shape for\n * crawlers (`awal x402 details`, x402-proxy, x402scan, ...). */\n discoveryProbe?: DiscoveryProbeConfig;\n }) {\n const x402Server = opts.x402Server;\n let x402ServerGetter: (() => Promise<X402Server>) | undefined;\n if (x402Server === undefined) {\n const baseSpec = Object.values(opts.rails).find(\n (s): s is X402BaseRailSpec =>\n !isTempoSessionRailSpec(s) && !isStripeRailSpec(s) && 'recipient' in s &&\n ((s as { network?: string }).network ?? '').startsWith('eip155:'),\n );\n if (baseSpec !== undefined) {\n x402ServerGetter = lazyX402Server({\n spec: baseSpec,\n cdpApiKeyId: opts.cdpApiKeyId,\n cdpApiKeySecret: opts.cdpApiKeySecret,\n });\n }\n } else {\n const baseSpec = opts.rails['x402_base'];\n if (baseSpec === undefined || !('recipient' in baseSpec)) {\n throw new Error(\n \"Checkout: x402Server requires an X402BaseRailSpec in rails['x402_base'] \" +\n \"(the rail's `network` field supplies the CAIP-2).\",\n );\n }\n }\n\n let composeMppx = opts.composeMppx;\n if (composeMppx === undefined && opts.mppxSecretKey !== undefined) {\n const mppRails: Record<string, MppxRailSpec> = {};\n for (const [k, v] of Object.entries(opts.rails)) {\n if (isStripeRailSpec(v) || isTempoSessionRailSpec(v) || 'recipient' in v) {\n mppRails[k] = v as MppxRailSpec;\n }\n }\n const getter = lazyMppxServer({\n rails: mppRails,\n secretKey: opts.mppxSecretKey,\n });\n composeMppx = makeMppxComposeHook({ serverGetter: getter });\n }\n\n this.rails = opts.rails;\n this.url = opts.url;\n this.merchantName = opts.gate?.merchantName;\n this.computePricing = opts.computePricing;\n this.preValidate = opts.preValidate;\n this.x402Server = x402Server;\n this._x402ServerGetter = x402ServerGetter;\n this.composeMppx = composeMppx;\n this.mintRecipients = opts.mintRecipients;\n this.mintReferenceId = opts.mintReferenceId;\n this.onSettled = opts.onSettled;\n this.isCachedAddress = opts.isCachedAddress;\n this.zeroSettleCarveOut = opts.zeroSettleCarveOut ?? false;\n this.gate = opts.gate;\n this.discoveryExtensions = opts.discoveryExtensions;\n this.discoveryProbe = opts.discoveryProbe;\n }\n\n /** Canonical `RailKey` list derived from the configured rails dict. Each\n * `*RailSpec` type maps to one `RailKey` (Tempo and TempoSession both fold\n * to `\"tempo_mpp\"`). Dedupes so listing is per protocol, not per recipient.\n * Use in `.well-known/mpp.json`, skill.md / llms.txt discovery responses. */\n get acceptedRails(): RailKey[] {\n const out: RailKey[] = [];\n const seen = new Set<string>();\n for (const spec of Object.values(this.rails)) {\n const key = specRailKey(spec);\n if (seen.has(key)) continue;\n seen.add(key);\n out.push(key);\n }\n return out;\n }\n\n /** Protocol-shaped method-name list (`\"tempo/charge\"`, `\"x402/exact (base)\"`).\n * Suitable for the `methods: [...]` array of `.well-known/mpp.json`. */\n get acceptedMethodNames(): string[] {\n const out: string[] = [];\n const seen = new Set<string>();\n for (const spec of Object.values(this.rails)) {\n const name = specMethodName(spec);\n if (seen.has(name)) continue;\n seen.add(name);\n out.push(name);\n }\n return out;\n }\n\n /** Resolve the x402 server, awaiting the lazy getter on first use. */\n private async getX402Server(): Promise<X402Server | undefined> {\n if (this.x402Server !== undefined) return this.x402Server;\n if (this._x402ServerGetter === undefined) return undefined;\n this.x402Server = await this._x402ServerGetter();\n return this.x402Server;\n }\n\n private x402ServerAvailable(): boolean {\n return this.x402Server !== undefined || this._x402ServerGetter !== undefined;\n }\n\n /** Return the rails-dict key for the X402BaseRailSpec entry. Defaults to\n * `\"x402_base\"` when no match found. */\n private x402RailKey(): string {\n for (const [k, v] of Object.entries(this.rails)) {\n if (!isStripeRailSpec(v) && !isTempoSessionRailSpec(v) &&\n ((v as { network?: string }).network ?? '').startsWith('eip155:')) {\n return k;\n }\n }\n return 'x402_base';\n }\n\n /** Return the rails-dict key for the primary MPP rail. */\n private mppRailKey(): string {\n for (const [k, v] of Object.entries(this.rails)) {\n const network = (v as { network?: string }).network ?? '';\n if (!isStripeRailSpec(v) && !network.startsWith('eip155:')) return k;\n }\n return 'tempo';\n }\n\n /** CAIP-2 read from `rails['x402_base'].network` (or its default).\n * Defined only when an `X402BaseRailSpec` is present in rails AND a server\n * is configured (explicit or auto-derived); otherwise `null`. */\n get x402BaseNetwork(): string | null {\n if (!this.x402ServerAvailable()) return null;\n for (const spec of Object.values(this.rails)) {\n if (!isStripeRailSpec(spec) && !isTempoSessionRailSpec(spec) &&\n ((spec as { network?: string }).network ?? '').startsWith('eip155:')) {\n return (spec as { network?: string }).network ?? 'eip155:8453';\n }\n }\n return null;\n }\n\n async handle(request: CheckoutRequest): Promise<CheckoutResult> {\n const referenceId = await this.mintRefId(request);\n const ctx: CheckoutContext = {\n request,\n referenceId,\n pricing: null,\n recipients: {},\n state: {},\n };\n\n if (this.discoveryProbe !== undefined && request.method === 'POST') {\n const auth = request.headers['authorization'] ?? request.headers['Authorization'];\n const isProbe =\n !(auth?.startsWith('Payment ')) &&\n !hasX402Header(request.headers) &&\n !hasMppxHeader(request.headers) &&\n (request.body === undefined || request.body === null ||\n (typeof request.body === 'object' && Object.keys(request.body as object).length === 0));\n if (isProbe) {\n const { buildDiscoveryProbeResponse } = await import('./discovery/probe.js');\n const cfg = this.discoveryProbe;\n const probe = buildDiscoveryProbeResponse({\n realm: cfg.realm,\n sampleRail: cfg.sampleRail,\n sampleAmountUsd: cfg.sampleAmountUsd,\n sampleRecipient: cfg.sampleRecipient,\n ...(cfg.intent !== undefined && { intent: cfg.intent }),\n ...(cfg.ttlSeconds !== undefined && { ttlSeconds: cfg.ttlSeconds }),\n ...(cfg.docsUrl !== undefined && { docsUrl: cfg.docsUrl }),\n ...(cfg.message !== undefined && { message: cfg.message }),\n ...(cfg.x402Sample !== undefined && { x402Sample: cfg.x402Sample }),\n });\n return {\n status: probe.status,\n body: JSON.parse(probe.body),\n headers: probe.headers,\n referenceId: ctx.referenceId,\n settled: false,\n };\n }\n }\n\n // 1. Pre-validate (merchant-supplied per-request validation).\n if (this.preValidate !== undefined) {\n try {\n const state = await this.preValidate(ctx);\n if (state && typeof state === 'object') Object.assign(ctx.state, state);\n } catch (err) {\n if (err instanceof CheckoutValidationError) {\n return this.validationErrorResult(ctx, err);\n }\n throw err;\n }\n }\n\n // 2. Per-request gate. Only fires when a payment header is present (so the\n // discovery leg stays anonymous-friendly). Merchants can wrap behavior\n // via `gate.runGate` for full control.\n const hasPaymentHeader =\n hasX402Header(request.headers) || hasMppxHeader(request.headers);\n if (this.gate !== undefined && hasPaymentHeader) {\n const denial = await this.runGate(ctx);\n if (denial !== null) {\n return {\n status: denial.status,\n body: denial.body,\n headers: { ...(denial.headers ?? {}) },\n referenceId: ctx.referenceId,\n settled: false,\n };\n }\n }\n\n // 3. Pricing.\n ctx.pricing = await this.computePricing(ctx);\n\n // Recipients are read by every downstream dispatch (x402 verify+settle,\n // mppx compose, 402 emit). Resolve once here so hooks see ctx.recipients\n // populated. The resolver is idempotent — subsequent calls no-op.\n await this.resolveRecipientsForCtx(ctx);\n\n const x402ServerOk = this.x402ServerAvailable() && this.x402BaseNetwork !== null;\n if (hasX402Header(request.headers) && x402ServerOk) {\n const zero = await this.handleZeroSettle(ctx, 'x402-base');\n if (zero !== null) return zero;\n return await this.handleX402(ctx);\n }\n\n if (hasMppxHeader(request.headers) && this.composeMppx !== undefined) {\n const zero = await this.handleZeroSettle(ctx, 'tempo');\n if (zero !== null) return zero;\n return await this.handleMppx(ctx);\n }\n\n // Discovery leg: mint per-order recipients BEFORE composeMppx so the\n // hook sees ctx.recipients populated. composeMppx mints a fresh\n // WWW-Authenticate challenge that the agent needs to sign on the retry;\n // the hook returns status=402 with mppx-issued headers, which we\n // propagate into the rich 402 emit.\n await this.resolveRecipientsForCtx(ctx);\n let mppxHeaders: Record<string, string> = {};\n if (this.composeMppx !== undefined) {\n try {\n const preComposed = await this.composeMppx(ctx);\n if (preComposed.status === 402) {\n mppxHeaders = { ...(preComposed.headers ?? {}) };\n }\n } catch {\n // Hook errors here only affect the optional MPP challenge; the 402\n // still goes out with whatever rails resolved.\n }\n }\n return await this.emit402(ctx, mppxHeaders);\n }\n\n private validationErrorResult(\n ctx: CheckoutContext,\n err: CheckoutValidationError,\n ): CheckoutResult {\n const body = buildValidationError({\n code: err.code,\n message: err.message,\n nextSteps: { action: err.action, user_message: err.message },\n extra: err.extra,\n });\n return {\n status: err.status,\n body,\n headers: {},\n referenceId: ctx.referenceId,\n settled: false,\n };\n }\n\n private async runGate(ctx: CheckoutContext): Promise<GateDenial | null> {\n const gate = this.gate;\n if (gate === undefined) return null;\n if (gate.runGate !== undefined) {\n const result = await gate.runGate(ctx);\n // Allow merchants to return undefined as an alias for `null` (allow).\n if (result === undefined || result === null) return null;\n if (typeof result !== 'object' || typeof (result as { status?: unknown }).status !== 'number') {\n throw new TypeError(\n 'gate.runGate must return null/undefined (allow) or an object { status, body, headers? } (deny)',\n );\n }\n return result;\n }\n if (gate.apiKey === undefined) return null;\n\n // Merge per-request policy overrides over the static config.\n let policyOverride: Partial<AgentScoreCoreOptions> | null | undefined;\n if (gate.perRequestPolicy !== undefined) {\n policyOverride = await gate.perRequestPolicy(ctx);\n if (policyOverride === null) return null;\n }\n const coreOpts: AgentScoreCoreOptions = {\n apiKey: gate.apiKey,\n ...(gate.baseUrl !== undefined && { baseUrl: gate.baseUrl }),\n ...(gate.userAgent !== undefined && { userAgent: gate.userAgent }),\n ...(gate.requireKyc !== undefined && { requireKyc: gate.requireKyc }),\n ...(gate.requireSanctionsClear !== undefined && { requireSanctionsClear: gate.requireSanctionsClear }),\n ...(gate.minAge !== undefined && { minAge: gate.minAge }),\n ...(gate.blockedJurisdictions !== undefined && { blockedJurisdictions: gate.blockedJurisdictions }),\n ...(gate.allowedJurisdictions !== undefined && { allowedJurisdictions: gate.allowedJurisdictions }),\n ...(gate.failOpen !== undefined && { failOpen: gate.failOpen }),\n ...(gate.cacheSeconds !== undefined && { cacheSeconds: gate.cacheSeconds }),\n ...(gate.chain !== undefined && { chain: gate.chain }),\n ...(gate.createSessionOnMissing !== undefined && {\n createSessionOnMissing: gate.createSessionOnMissing as unknown as CreateSessionOnMissing,\n }),\n ...(policyOverride ?? {}),\n };\n\n const core = createAgentScoreCore(coreOpts);\n const headers = lowerHeaders(ctx.request.headers);\n const walletAddress = headers['x-wallet-address'];\n const operatorToken = headers['x-operator-token'];\n const identity: AgentIdentity | undefined =\n walletAddress !== undefined || operatorToken !== undefined\n ? {\n ...(walletAddress !== undefined && { address: walletAddress }),\n ...(operatorToken !== undefined && { operatorToken }),\n }\n : undefined;\n const x402Header = headers['payment-signature'] ?? headers['x-payment'];\n const signer = await extractPaymentSignerFromAuth(headers['authorization'], x402Header);\n const outcome: EvaluateOutcome = await core.evaluate(identity, ctx, signer);\n\n if (outcome.kind === 'allow') {\n // Stash captureWallet on ctx so onSettled can link the signer wallet to\n // the operator credential without needing a framework-specific Context.\n // No-op for wallet-authenticated requests (no operator_token to bind).\n if (operatorToken !== undefined) {\n const opToken = operatorToken;\n ctx.captureWallet = async (opts) => {\n await core.captureWallet({\n operatorToken: opToken,\n walletAddress: opts.walletAddress,\n network: opts.network,\n ...(opts.idempotencyKey !== undefined && { idempotencyKey: opts.idempotencyKey }),\n });\n };\n }\n // Post-allow signer-match enforcement: the API composed signer_match on\n // the assess call when a signer was extracted; convert non-pass verdicts\n // into wallet_signer_mismatch / wallet_auth_requires_wallet_signing\n // denials so the gate enforces wallet binding inline (no separate hook).\n if (walletAddress !== undefined) {\n const verdict = core.getSignerVerdict(walletAddress);\n const sm = verdict?.signer_match;\n if (sm && sm.kind !== 'pass') {\n const reason: DenialReason = sm.kind === 'wallet_auth_requires_wallet_signing'\n ? {\n code: 'wallet_auth_requires_wallet_signing',\n expected_signer: sm.claimedWallet,\n agent_instructions: sm.agentInstructions,\n }\n : {\n code: 'wallet_signer_mismatch',\n ...(sm.claimedOperator !== null && { claimed_operator: sm.claimedOperator }),\n actual_signer_operator: sm.actualSignerOperator,\n expected_signer: sm.expectedSigner,\n actual_signer: sm.actualSigner,\n ...(sm.linkedWallets.length > 0 && { linked_wallets: sm.linkedWallets }),\n agent_instructions: sm.agentInstructions,\n };\n if (gate.onDenied !== undefined) {\n const custom = await gate.onDenied(ctx, reason);\n if (custom !== null) return custom;\n }\n const body = denialReasonToBody(reason);\n return { status: 403, body: body as Record<string, unknown> };\n }\n }\n return null;\n }\n\n const reason = outcome.reason;\n if (gate.onDenied !== undefined) {\n const custom = await gate.onDenied(ctx, reason);\n if (custom !== null) return custom;\n }\n const body = denialReasonToBody(reason);\n const status =\n reason.code === 'token_expired' || reason.code === 'invalid_credential'\n ? 401\n : reason.code === 'api_error'\n ? 503\n : 403;\n return { status, body: body as Record<string, unknown> };\n }\n\n private async handleZeroSettle(\n ctx: CheckoutContext,\n rail: ZeroSettleRail,\n ): Promise<CheckoutResult | null> {\n if (!this.zeroSettleCarveOut || ctx.pricing === null) return null;\n const cents = Math.round(ctx.pricing.amountUsd * 100);\n if (cents !== 0) return null;\n const headers = lowerHeaders(ctx.request.headers);\n let zero;\n if (rail === 'x402-base') {\n const x402Header = headers['payment-signature'] ?? headers['x-payment'];\n let payload: Record<string, unknown> | null = null;\n if (typeof x402Header === 'string' && x402Header.length > 0) {\n try {\n payload = JSON.parse(atob(x402Header)) as Record<string, unknown>;\n } catch {\n payload = null;\n }\n }\n zero = zeroAmountCarveOut({ rail, payload });\n } else {\n zero = zeroAmountCarveOut({ rail, authorizationHeader: headers['authorization'] });\n }\n const railKey = rail === 'x402-base' ? this.x402RailKey() : this.mppRailKey();\n const outcome: SettleOutcome = {\n rail: rail === 'x402-base' ? 'x402' : 'mpp',\n paymentResponseHeader: null,\n raw: zero,\n txHash: null,\n signerAddress: zero.signerAddress,\n signerNetwork: zero.signerNetwork,\n railKey,\n };\n return await this.buildSuccess(ctx, outcome);\n }\n\n private async mintRefId(request: CheckoutRequest): Promise<string> {\n if (this.mintReferenceId === undefined) return randomUUID();\n const seedCtx: CheckoutContext = { request, referenceId: '', pricing: null, recipients: {}, state: {} };\n return await this.mintReferenceId(seedCtx);\n }\n\n private async resolveRecipientsForCtx(ctx: CheckoutContext): Promise<Record<string, string>> {\n if (this.mintRecipients === undefined) return ctx.recipients;\n // Idempotent: if a prior call (e.g. pre-compose) already minted, skip.\n if (Object.keys(ctx.recipients).length > 0) return ctx.recipients;\n ctx.recipients = { ...(await this.mintRecipients(ctx)) };\n return ctx.recipients;\n }\n\n private async asyncIsCachedAddress(address: string): Promise<boolean> {\n if (this.isCachedAddress === undefined) return true;\n return Promise.resolve(this.isCachedAddress(address));\n }\n\n private async handleX402(ctx: CheckoutContext): Promise<CheckoutResult> {\n const x402Server = await this.getX402Server();\n if (ctx.pricing === null || this.x402BaseNetwork === null || x402Server === undefined) {\n throw new Error('Checkout.handleX402: missing pricing or x402 rail config');\n }\n const fakeRequest = new Request(ctx.request.url, {\n method: ctx.request.method,\n headers: ctx.request.headers,\n });\n const verified = await verifyX402Request({\n request: fakeRequest,\n isCachedAddress: this.asyncIsCachedAddress.bind(this),\n acceptedNetwork: this.x402BaseNetwork,\n });\n if (!verified.ok) {\n return {\n status: verified.status,\n body: verified.body,\n headers: {},\n referenceId: ctx.referenceId,\n settled: false,\n settlePhase: 'verify_failed',\n };\n }\n const settle = await processX402Settle({\n x402Server,\n payload: verified.payload,\n resourceConfig: {\n scheme: 'exact',\n network: verified.signedNetwork,\n price: `$${ctx.pricing.amountUsd.toFixed(2)}`,\n payTo: verified.signedPayTo,\n maxTimeoutSeconds: 300,\n },\n resourceMeta: {\n url: ctx.request.url,\n description: 'Agent purchase via x402',\n mimeType: 'application/json',\n },\n });\n if (!settle.success) {\n // Map each failure phase to its canonical merchant-facing response:\n // verify_failed → 400 payment_proof_invalid, facilitator_error /\n // settle_failed → 503 payment_provider_unavailable, etc.\n const classified = classifyX402SettleResult(settle);\n const responseHeaders: Record<string, string> =\n classified !== null && classified.status >= 500 ? { 'Cache-Control': 'no-store' } : {};\n if (classified !== null) {\n return {\n status: classified.status,\n body: {\n error: { code: classified.code, message: classified.message },\n next_steps: classified.nextSteps,\n },\n headers: responseHeaders,\n referenceId: ctx.referenceId,\n settled: false,\n settlePhase: settle.phase ?? 'settle_failed',\n };\n }\n return {\n status: 400,\n body: buildValidationError({\n code: 'payment_proof_invalid',\n message: `Payment failed during settlement (phase: ${settle.phase ?? 'unknown'}).`,\n nextSteps: { action: 'regenerate_payment_credential' },\n extra: { phase: settle.phase },\n }),\n headers: {},\n referenceId: ctx.referenceId,\n settled: false,\n settlePhase: settle.phase ?? 'settle_failed',\n };\n }\n // Lift the verified signer + tx hash off the settle result so on_settled\n // hooks can persist them without re-parsing the credential.\n const settleRes = (settle as { settleResult?: { transaction?: string; payer?: string } })\n .settleResult ?? {};\n const verifiedFrom = (\n (verified.payload as { payload?: { authorization?: { from?: string } } }).payload\n ?.authorization?.from ?? null\n );\n const signerAddress = verifiedFrom !== null ? verifiedFrom.toLowerCase() : (settleRes.payer ?? null);\n const outcome: SettleOutcome = {\n rail: 'x402',\n paymentResponseHeader: settle.paymentResponseHeader ?? null,\n raw: settle,\n txHash: settleRes.transaction ?? null,\n signerAddress,\n signerNetwork: signerAddress !== null ? 'evm' : null,\n railKey: this.x402RailKey(),\n };\n return await this.buildSuccess(ctx, outcome);\n }\n\n private async handleMppx(ctx: CheckoutContext): Promise<CheckoutResult> {\n if (this.composeMppx === undefined) {\n throw new Error('Checkout.handleMppx: composeMppx hook not configured');\n }\n const composed = await this.composeMppx(ctx);\n if (composed.status === 200) {\n const outcome: SettleOutcome = {\n rail: 'mpp',\n paymentResponseHeader: composed.paymentResponseHeader ?? null,\n raw: composed.raw,\n txHash: composed.txHash ?? null,\n signerAddress: composed.signerAddress ?? null,\n signerNetwork: composed.signerNetwork ?? null,\n railKey: composed.railKey ?? this.mppRailKey(),\n };\n return await this.buildSuccess(ctx, outcome);\n }\n // handleMppx is only invoked when an `Authorization: Payment` header was\n // present, so a 402 here means mppx REJECTED the credential. Surface as\n // 400 payment_proof_invalid (the canonical \"regenerate\" denial), echoing\n // mppx's fresh WWW-Authenticate so the agent's retry signs against the new\n // directive id.\n return {\n status: 400,\n body: buildValidationError({\n code: 'payment_proof_invalid',\n message: 'MPP credential rejected; regenerate from a fresh 402 challenge.',\n nextSteps: { action: 'regenerate_payment_credential' },\n }),\n headers: { ...(composed.headers ?? {}) },\n referenceId: ctx.referenceId,\n settled: false,\n settlePhase: 'verify_failed',\n };\n }\n\n private async emit402(\n ctx: CheckoutContext,\n mppxHeaders: Record<string, string> = {},\n ): Promise<CheckoutResult> {\n if (ctx.pricing === null) {\n throw new Error('Checkout.emit402: pricing not computed');\n }\n await this.resolveRecipientsForCtx(ctx);\n const emitRails = applyRecipientOverrides(this.rails, ctx.recipients);\n\n const accepted = await buildAcceptedMethods({\n tempo: pickRail<TempoRailSpec>(emitRails, 'tempo'),\n x402_base: pickRail<X402BaseRailSpec>(emitRails, 'x402_base'),\n solana_mpp: pickRail<SolanaMppRailSpec>(emitRails, 'solana_mpp'),\n stripe: pickRail<StripeRailSpec>(emitRails, 'stripe'),\n });\n const howToPayRails: Record<\n string,\n TempoRailSpec | X402BaseRailSpec | SolanaMppRailSpec | StripeRailSpec\n > = {};\n for (const [k, v] of Object.entries(emitRails)) {\n if (!isTempoSessionRailSpec(v)) {\n howToPayRails[k] = v as\n | TempoRailSpec\n | X402BaseRailSpec\n | SolanaMppRailSpec\n | StripeRailSpec;\n }\n }\n const howToPay = buildHowToPay({\n url: this.url,\n retryBodyJson: JSON.stringify(ctx.request.body),\n totalUsd: ctx.pricing.amountUsd.toFixed(2),\n rails: howToPayRails,\n });\n const pricingBlock =\n ctx.pricing.block ??\n buildPricingBlock({\n subtotalCents: Math.round(ctx.pricing.amountUsd * 100),\n currency: ctx.pricing.currency ?? 'USD',\n });\n // Build x402 accepts BEFORE the body so they appear both in the rich body\n // (agents read JSON) AND in the PAYMENT-REQUIRED header (x402-spec clients).\n let x402Accepts: unknown[] = [];\n let x402Resource: { url: string; mimeType: string } | undefined;\n const baseNetwork = this.x402BaseNetwork;\n const x402Server = await this.getX402Server();\n if (x402Server !== undefined && baseNetwork !== null) {\n const baseSpec = emitRails['x402_base'] as X402BaseRailSpec | undefined;\n if (baseSpec !== undefined) {\n const recipient = await resolveRecipientValue(baseSpec.recipient);\n try {\n x402Accepts = await buildX402AcceptsFor402(x402Server, {\n network: baseNetwork,\n price: `$${ctx.pricing.amountUsd.toFixed(2)}`,\n payTo: recipient,\n maxTimeoutSeconds: 300,\n });\n x402Resource = { url: ctx.request.url, mimeType: 'application/json' };\n } catch {\n // Facilitator/scheme build failure: drop x402 from accepts but keep\n // other rails in the body. Merchant logs internally.\n x402Accepts = [];\n }\n }\n }\n\n // Pre-advertise wallet-mode signer constraint when the request shows\n // wallet intent. Saves agents a round trip: they learn required_signer +\n // linked_wallets at discovery instead of at the 403 on retry.\n const identityMetadata = resolveIdentityMetadata(ctx);\n\n const body = build402Body({\n acceptedMethods: accepted,\n agentInstructions: buildAgentInstructions({ howToPay }),\n ...(identityMetadata !== undefined ? { identityMetadata } : {}),\n pricing: pricingBlock,\n amountUsd: ctx.pricing.amountUsd.toFixed(2),\n retryBody: ctx.request.body,\n agentMemory: firstEncounterAgentMemory({ firstEncounter: true }),\n ...(ctx.pricing.product ? { product: ctx.pricing.product as { id: string; name: string } } : {}),\n ...(ctx.pricing.bodyExtras ? { extra: ctx.pricing.bodyExtras } : {}),\n ...(x402Accepts.length > 0 ? {\n x402: {\n accepts: x402Accepts,\n ...(this.discoveryExtensions !== undefined && Object.keys(this.discoveryExtensions).length > 0\n ? { extensions: this.discoveryExtensions }\n : {}),\n },\n } : {}),\n });\n\n let x402Block: Parameters<typeof respond402>[0]['x402'];\n if (x402Accepts.length > 0) {\n x402Block = {\n x402Version: 2,\n accepts: x402Accepts,\n ...(x402Resource ? { resource: x402Resource } : {}),\n };\n }\n\n const respond = respond402({\n mppxChallengeHeaders: mppxHeaders,\n body,\n x402: x402Block,\n });\n return {\n status: respond.status,\n body: respond.body,\n headers: respond.headers,\n referenceId: ctx.referenceId,\n settled: false,\n };\n }\n\n private async buildSuccess(\n ctx: CheckoutContext,\n outcome: SettleOutcome,\n ): Promise<CheckoutResult> {\n let customBody: Record<string, unknown> | null = null;\n if (this.onSettled !== undefined) {\n const result = await this.onSettled(ctx, outcome);\n if (result !== null && typeof result === 'object') customBody = result;\n }\n const body: Record<string, unknown> = customBody ?? { ok: true };\n if (!('reference_id' in body)) body.reference_id = ctx.referenceId;\n const headers: Record<string, string> = {};\n if (outcome.paymentResponseHeader) {\n headers['payment-response'] = outcome.paymentResponseHeader;\n }\n return {\n status: 200,\n body,\n headers,\n referenceId: ctx.referenceId,\n settled: true,\n };\n }\n}\n\nasync function resolveRecipientValue(r: RecipientLike): Promise<string> {\n return await resolveRecipient(r);\n}\n\n// ─────────────────────────────────────────────────────────────────────────────\n// Validation-envelope helpers + per-framework wrappers\n// ─────────────────────────────────────────────────────────────────────────────\n\n/**\n * Framework-neutral 4xx envelope (`{ error, next_steps, agent_instructions }`).\n *\n * Returns the body dict; merchants wrap in their framework's JSON response.\n * The per-framework `validationResponse*` helpers do this for you.\n */\nexport function validationEnvelope(opts: {\n code: string;\n message: string;\n action?: string;\n extra?: Record<string, unknown>;\n}): Record<string, unknown> {\n const action = opts.action ?? 'fix_request';\n return buildValidationError({\n code: opts.code,\n message: opts.message,\n nextSteps: { action, user_message: opts.message },\n extra: opts.extra,\n });\n}\n\ninterface ValidationResponseInput {\n code: string;\n message: string;\n action?: string;\n status?: number;\n extra?: Record<string, unknown>;\n}\n\n/** Hono one-liner; returns a `Response` via `c.json`-equivalent semantics. */\nexport function validationResponseHono(input: ValidationResponseInput): Response {\n const status = input.status ?? 400;\n const body = validationEnvelope(input);\n return new Response(JSON.stringify(body), {\n status,\n headers: { 'Content-Type': 'application/json' },\n });\n}\n\n/**\n * Express helper; writes the response on the supplied `res`. Returns `void`\n * to match Express convention.\n */\nexport function validationResponseExpress(\n res: { status: (code: number) => unknown; json: (body: unknown) => unknown },\n input: ValidationResponseInput,\n): void {\n const status = input.status ?? 400;\n const body = validationEnvelope(input);\n res.status(status);\n res.json(body);\n}\n\n/** Fastify helper; writes on the supplied `reply` and returns it for chaining. */\nexport function validationResponseFastify(\n reply: { code: (code: number) => unknown; send: (body: unknown) => unknown },\n input: ValidationResponseInput,\n): unknown {\n const status = input.status ?? 400;\n const body = validationEnvelope(input);\n reply.code(status);\n return reply.send(body);\n}\n\n/** Next.js helper; returns a `Response` (interchangeable with NextResponse.json). */\nexport function validationResponseNextjs(input: ValidationResponseInput): Response {\n return validationResponseHono(input);\n}\n\n/** Web Fetch helper; returns a standard `Response`. */\nexport function validationResponseWeb(input: ValidationResponseInput): Response {\n return validationResponseHono(input);\n}\n\n// ─────────────────────────────────────────────────────────────────────────────\n// Per-framework adapters on Checkout\n// ─────────────────────────────────────────────────────────────────────────────\n\nfunction invalidBodyEnvelope(): Record<string, unknown> {\n return validationEnvelope({\n code: 'invalid_body',\n message: 'Request body must be valid JSON.',\n });\n}\n\nfunction stripContentType(headers: Record<string, string>): Record<string, string> {\n const out: Record<string, string> = {};\n for (const [k, v] of Object.entries(headers)) {\n if (k.toLowerCase() !== 'content-type') out[k] = v;\n }\n return out;\n}\n\nfunction headersToRecord(h: Headers | Record<string, string> | undefined): Record<string, string> {\n if (h === undefined) return {};\n if (h instanceof Headers) {\n const out: Record<string, string> = {};\n h.forEach((v, k) => {\n out[k] = v;\n });\n return out;\n }\n return { ...h };\n}\n\ndeclare module './checkout' {\n // No-op; module-augmentation placeholder. The handler methods live on the\n // Checkout class via prototype extension below to keep the constructor block\n // readable in this large file.\n}\n\n// Hono adapter: takes a Hono `Context` (loose-typed to avoid hard-importing).\n(Checkout.prototype as unknown as {\n handleHono: (\n this: Checkout,\n c: {\n req: {\n method: string;\n url: string;\n raw?: Request;\n header: (name?: string) => string | Record<string, string> | undefined;\n json: () => Promise<unknown>;\n };\n json: (body: unknown, status?: number, headers?: Record<string, string>) => Response;\n body: (body: string, status?: number, headers?: Record<string, string>) => Response;\n },\n body?: Record<string, unknown>,\n ) => Promise<Response>;\n}).handleHono = async function (c, body) {\n let parsedBody: Record<string, unknown>;\n if (body !== undefined) {\n parsedBody = body;\n } else {\n try {\n parsedBody = (await c.req.json()) as Record<string, unknown>;\n } catch {\n return new Response(JSON.stringify(invalidBodyEnvelope()), {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n });\n }\n }\n const rawHeaders = c.req.header() as Record<string, string> | undefined;\n const headers = headersToRecord(rawHeaders);\n const result = await this.handle({\n method: c.req.method,\n url: c.req.url,\n headers,\n body: parsedBody,\n assess: null,\n raw: c.req.raw ?? c,\n });\n return new Response(JSON.stringify(result.body), {\n status: result.status,\n headers: { 'Content-Type': 'application/json', ...stripContentType(result.headers) },\n });\n};\n\n// Express adapter: takes `req` + `res`. Writes to `res`; returns void.\n(Checkout.prototype as unknown as {\n handleExpress: (\n this: Checkout,\n req: {\n method: string;\n originalUrl?: string;\n url?: string;\n headers: Record<string, string | string[] | undefined>;\n body?: unknown;\n },\n res: {\n status: (code: number) => unknown;\n setHeader: (name: string, value: string) => unknown;\n json: (body: unknown) => unknown;\n },\n body?: Record<string, unknown>,\n ) => Promise<void>;\n}).handleExpress = async function (req, res, body) {\n const parsedBody =\n body ?? (typeof req.body === 'object' && req.body !== null ? (req.body as Record<string, unknown>) : null);\n if (parsedBody === null) {\n res.status(400);\n res.json(invalidBodyEnvelope());\n return;\n }\n const headers: Record<string, string> = {};\n for (const [k, v] of Object.entries(req.headers)) {\n if (typeof v === 'string') headers[k] = v;\n else if (Array.isArray(v) && v[0] !== undefined) headers[k] = v[0];\n }\n const url = req.originalUrl ?? req.url ?? '/';\n const result = await this.handle({\n method: req.method,\n url,\n headers,\n body: parsedBody,\n assess: null,\n raw: req,\n });\n for (const [k, v] of Object.entries(stripContentType(result.headers))) res.setHeader(k, v);\n res.status(result.status);\n res.json(result.body);\n};\n\n// Fastify adapter: takes `request` + `reply`.\n(Checkout.prototype as unknown as {\n handleFastify: (\n this: Checkout,\n request: {\n method: string;\n url: string;\n headers: Record<string, string | string[] | undefined>;\n body?: unknown;\n },\n reply: {\n code: (code: number) => unknown;\n header: (name: string, value: string) => unknown;\n send: (body: unknown) => unknown;\n },\n body?: Record<string, unknown>,\n ) => Promise<unknown>;\n}).handleFastify = async function (request, reply, body) {\n const parsedBody =\n body ?? (typeof request.body === 'object' && request.body !== null\n ? (request.body as Record<string, unknown>)\n : null);\n if (parsedBody === null) {\n reply.code(400);\n return reply.send(invalidBodyEnvelope());\n }\n const headers: Record<string, string> = {};\n for (const [k, v] of Object.entries(request.headers)) {\n if (typeof v === 'string') headers[k] = v;\n else if (Array.isArray(v) && v[0] !== undefined) headers[k] = v[0];\n }\n const result = await this.handle({\n method: request.method,\n url: request.url,\n headers,\n body: parsedBody,\n assess: null,\n raw: request,\n });\n for (const [k, v] of Object.entries(stripContentType(result.headers))) reply.header(k, v);\n reply.code(result.status);\n return reply.send(result.body);\n};\n\n// Next.js / Web Fetch adapter: takes a standard `Request`, returns `Response`.\n(Checkout.prototype as unknown as {\n handleNextjs: (this: Checkout, request: Request, body?: Record<string, unknown>) => Promise<Response>;\n}).handleNextjs = async function (request, body) {\n let parsedBody: Record<string, unknown>;\n if (body !== undefined) {\n parsedBody = body;\n } else {\n try {\n parsedBody = (await request.json()) as Record<string, unknown>;\n } catch {\n return new Response(JSON.stringify(invalidBodyEnvelope()), {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n });\n }\n }\n const headers: Record<string, string> = {};\n request.headers.forEach((v, k) => {\n headers[k] = v;\n });\n const result = await this.handle({\n method: request.method,\n url: request.url,\n headers,\n body: parsedBody,\n assess: null,\n raw: request,\n });\n return new Response(JSON.stringify(result.body), {\n status: result.status,\n headers: { 'Content-Type': 'application/json', ...stripContentType(result.headers) },\n });\n};\n\n// `handleWeb` is an alias for `handleNextjs`; both consume Web Fetch Requests.\n(Checkout.prototype as unknown as {\n handleWeb: (this: Checkout, request: Request, body?: Record<string, unknown>) => Promise<Response>;\n}).handleWeb = (Checkout.prototype as unknown as {\n handleNextjs: (this: Checkout, request: Request, body?: Record<string, unknown>) => Promise<Response>;\n}).handleNextjs;\n\n// Type-declare the new methods so consumers see them through Checkout's interface.\n// eslint-disable-next-line @typescript-eslint/no-unsafe-declaration-merging\nexport interface Checkout {\n handleHono(\n c: {\n req: {\n method: string;\n url: string;\n raw?: Request;\n header: (name?: string) => string | Record<string, string> | undefined;\n json: () => Promise<unknown>;\n };\n json: (body: unknown, status?: number, headers?: Record<string, string>) => Response;\n body: (body: string, status?: number, headers?: Record<string, string>) => Response;\n },\n body?: Record<string, unknown>,\n ): Promise<Response>;\n handleExpress(\n req: {\n method: string;\n originalUrl?: string;\n url?: string;\n headers: Record<string, string | string[] | undefined>;\n body?: unknown;\n },\n res: {\n status: (code: number) => unknown;\n setHeader: (name: string, value: string) => unknown;\n json: (body: unknown) => unknown;\n },\n body?: Record<string, unknown>,\n ): Promise<void>;\n handleFastify(\n request: {\n method: string;\n url: string;\n headers: Record<string, string | string[] | undefined>;\n body?: unknown;\n },\n reply: {\n code: (code: number) => unknown;\n header: (name: string, value: string) => unknown;\n send: (body: unknown) => unknown;\n },\n body?: Record<string, unknown>,\n ): Promise<unknown>;\n handleNextjs(request: Request, body?: Record<string, unknown>): Promise<Response>;\n handleWeb(request: Request, body?: Record<string, unknown>): Promise<Response>;\n mountUcpRoutesHono(\n app: {\n get: (path: string, handler: (c: { req: { raw: Request } }) => Promise<Response> | Response) => unknown;\n options: (path: string, handler: (c: { req: { raw: Request } }) => Promise<Response> | Response) => unknown;\n },\n opts: MountUcpRoutesOptions,\n ): void;\n mountUcpRoutesExpress(\n app: {\n get: (path: string, handler: (req: { headers: Record<string, string | string[] | undefined> }, res: ExpressLikeRes) => Promise<void> | void) => unknown;\n options: (path: string, handler: (req: { headers: Record<string, string | string[] | undefined> }, res: ExpressLikeRes) => Promise<void> | void) => unknown;\n },\n opts: MountUcpRoutesOptions,\n ): void;\n mountUcpRoutesFastify(\n app: {\n get: (path: string, handler: (request: { headers: Record<string, string | string[] | undefined> }, reply: FastifyLikeReply) => Promise<unknown> | unknown) => unknown;\n options: (path: string, handler: (request: { headers: Record<string, string | string[] | undefined> }, reply: FastifyLikeReply) => Promise<unknown> | unknown) => unknown;\n },\n opts: MountUcpRoutesOptions,\n ): void;\n}\n\ninterface ExpressLikeRes {\n status: (code: number) => unknown;\n set: (headers: Record<string, string>) => unknown;\n type: (mt: string) => unknown;\n send: (body: string) => unknown;\n}\n\ninterface FastifyLikeReply {\n code: (code: number) => unknown;\n header: (k: string, v: string) => unknown;\n type: (mt: string) => unknown;\n send: (body: string) => unknown;\n}\n\n/** Options for the `mountUcpRoutes<Framework>` helpers — one shape used by all\n * three adapters. Saves merchants from copy-pasting the same 3-route block\n * (GET ucp + GET jwks + OPTIONS preflights) every time. */\nexport interface MountUcpRoutesOptions {\n name: string;\n wellKnownUcpUrl: string;\n services: Record<string, unknown[]>;\n signingKid?: string;\n agentscoreGate?: unknown;\n ucpPath?: string;\n jwksPath?: string;\n}\n\nasync function _ucpSignedResp(\n checkout: Checkout,\n reqHeaders: Headers,\n opts: MountUcpRoutesOptions,\n): Promise<SignedDiscoveryResponse> {\n const { buildSignedUcpResponse } = await import('./discovery/well_known.js');\n return await buildSignedUcpResponse({\n checkout,\n name: opts.name,\n wellKnownUcpUrl: opts.wellKnownUcpUrl,\n services: opts.services as Parameters<typeof buildSignedUcpResponse>[0]['services'],\n requestHeaders: reqHeaders,\n ...(opts.signingKid !== undefined && { signingKid: opts.signingKid }),\n ...(opts.agentscoreGate !== undefined && {\n agentscoreGate: opts.agentscoreGate as Parameters<typeof buildSignedUcpResponse>[0]['agentscoreGate'],\n }),\n });\n}\n\nasync function _jwksSignedResp(\n reqHeaders: Headers,\n opts: MountUcpRoutesOptions,\n): Promise<SignedDiscoveryResponse> {\n const { buildSignedJwksResponse } = await import('./discovery/well_known.js');\n return await buildSignedJwksResponse({\n requestHeaders: reqHeaders,\n ...(opts.signingKid !== undefined && { signingKid: opts.signingKid }),\n });\n}\n\nfunction _preflightResp(reqHeaders: Headers): Response {\n // Use the existing wellKnownPreflightResponse helper (returns Response).\n // It's a sync function so dynamic import is unnecessary here; we already\n // import the module lazily inside the registered handlers.\n return new Response(null, {\n status: 204,\n headers: _preflightHeaders(reqHeaders),\n });\n}\n\nfunction _preflightHeaders(reqHeaders: Headers): Record<string, string> {\n const headers: Record<string, string> = {\n 'Access-Control-Allow-Origin': '*',\n 'Access-Control-Allow-Methods': 'GET, OPTIONS',\n 'Access-Control-Max-Age': '86400',\n Vary: 'Access-Control-Request-Headers',\n };\n const acrh = reqHeaders.get('access-control-request-headers');\n if (acrh) headers['Access-Control-Allow-Headers'] = acrh;\n return headers;\n}\n\n(Checkout.prototype as unknown as {\n mountUcpRoutesHono: (this: Checkout, app: Parameters<Checkout['mountUcpRoutesHono']>[0], opts: MountUcpRoutesOptions) => void;\n}).mountUcpRoutesHono = function (app, opts) {\n const ucpPath = opts.ucpPath ?? '/.well-known/ucp';\n const jwksPath = opts.jwksPath ?? '/.well-known/jwks.json';\n // eslint-disable-next-line @typescript-eslint/no-this-alias\n const checkout = this;\n app.get(ucpPath, async (c) => {\n const resp = await _ucpSignedResp(checkout, c.req.raw.headers, opts);\n return new Response(resp.body, {\n status: resp.status,\n headers: { ...resp.headers, 'Content-Type': resp.mediaType },\n });\n });\n app.get(jwksPath, async (c) => {\n const resp = await _jwksSignedResp(c.req.raw.headers, opts);\n return new Response(resp.body, {\n status: resp.status,\n headers: { ...resp.headers, 'Content-Type': resp.mediaType },\n });\n });\n app.options(ucpPath, (c) => _preflightResp(c.req.raw.headers));\n app.options(jwksPath, (c) => _preflightResp(c.req.raw.headers));\n};\n\nfunction _headersFromExpressLike(raw: Record<string, string | string[] | undefined>): Headers {\n const out = new Headers();\n for (const [k, v] of Object.entries(raw)) {\n if (v === undefined) continue;\n out.set(k, Array.isArray(v) ? v.join(',') : v);\n }\n return out;\n}\n\n(Checkout.prototype as unknown as {\n mountUcpRoutesExpress: (this: Checkout, app: Parameters<Checkout['mountUcpRoutesExpress']>[0], opts: MountUcpRoutesOptions) => void;\n}).mountUcpRoutesExpress = function (app, opts) {\n const ucpPath = opts.ucpPath ?? '/.well-known/ucp';\n const jwksPath = opts.jwksPath ?? '/.well-known/jwks.json';\n // eslint-disable-next-line @typescript-eslint/no-this-alias\n const checkout = this;\n app.get(ucpPath, async (req, res) => {\n const resp = await _ucpSignedResp(checkout, _headersFromExpressLike(req.headers), opts);\n res.status(resp.status);\n res.set(resp.headers);\n res.type(resp.mediaType);\n res.send(resp.body);\n });\n app.get(jwksPath, async (req, res) => {\n const resp = await _jwksSignedResp(_headersFromExpressLike(req.headers), opts);\n res.status(resp.status);\n res.set(resp.headers);\n res.type(resp.mediaType);\n res.send(resp.body);\n });\n const preflight = (req: { headers: Record<string, string | string[] | undefined> }, res: ExpressLikeRes) => {\n const reqHeaders = _headersFromExpressLike(req.headers);\n res.status(204);\n res.set(_preflightHeaders(reqHeaders));\n res.send('');\n };\n app.options(ucpPath, preflight);\n app.options(jwksPath, preflight);\n};\n\n(Checkout.prototype as unknown as {\n mountUcpRoutesFastify: (this: Checkout, app: Parameters<Checkout['mountUcpRoutesFastify']>[0], opts: MountUcpRoutesOptions) => void;\n}).mountUcpRoutesFastify = function (app, opts) {\n const ucpPath = opts.ucpPath ?? '/.well-known/ucp';\n const jwksPath = opts.jwksPath ?? '/.well-known/jwks.json';\n // eslint-disable-next-line @typescript-eslint/no-this-alias\n const checkout = this;\n app.get(ucpPath, async (request, reply) => {\n const resp = await _ucpSignedResp(checkout, _headersFromExpressLike(request.headers), opts);\n reply.code(resp.status);\n for (const [k, v] of Object.entries(resp.headers)) reply.header(k, v);\n reply.type(resp.mediaType);\n return reply.send(resp.body);\n });\n app.get(jwksPath, async (request, reply) => {\n const resp = await _jwksSignedResp(_headersFromExpressLike(request.headers), opts);\n reply.code(resp.status);\n for (const [k, v] of Object.entries(resp.headers)) reply.header(k, v);\n reply.type(resp.mediaType);\n return reply.send(resp.body);\n });\n const preflight = (request: { headers: Record<string, string | string[] | undefined> }, reply: FastifyLikeReply) => {\n const reqHeaders = _headersFromExpressLike(request.headers);\n reply.code(204);\n for (const [k, v] of Object.entries(_preflightHeaders(reqHeaders))) reply.header(k, v);\n return reply.send('');\n };\n app.options(ucpPath, preflight);\n app.options(jwksPath, preflight);\n};\n","/**\n * Canonical `*RailSpec` types — one shape per rail, consumed by every helper.\n *\n * A merchant accepting Tempo + Base + Solana + Stripe declares one `*RailSpec`\n * per rail and passes it to every helper (`buildAcceptedMethods`,\n * `buildHowToPay`, `mppPaymentHandler`, `createMppxServer`, ...). One canonical\n * shape per rail means the recipient address, network identifier, and token\n * defaults are declared once and reused everywhere.\n *\n * `RecipientLike` is polymorphic over `string | (() => string | Promise<string>)`\n * so per-order recipients (Stripe-multichain mints fresh deposit addresses per\n * PaymentIntent) flow through identically to static-treasury recipients. The\n * factory is called once per helper invocation; callers cache externally.\n */\n\nimport { USDC } from './usdc';\n\nexport type RecipientLike = string | (() => string | Promise<string>);\n\n/**\n * Resolve a `RecipientLike` to a concrete address string. Accepts a string\n * (returned verbatim), a sync callable (called once), or an async callable\n * (awaited once). Helpers call this on every invocation; callers that want\n * once-per-session resolution should cache externally.\n */\nexport async function resolveRecipient(r: RecipientLike): Promise<string> {\n if (typeof r === 'string') return r;\n return Promise.resolve(r());\n}\n\n/** Canonical config for the Tempo MPP rail. */\nexport interface TempoRailSpec {\n recipient: RecipientLike;\n network?: string;\n chainId?: number;\n token?: string;\n symbol?: string;\n decimals?: number;\n testnet?: boolean;\n recommend?: 'tempo' | 'agentscore-pay' | 'both';\n}\n\n/** Canonical config for the x402 EVM (Base) rail. */\nexport interface X402BaseRailSpec {\n recipient: RecipientLike;\n /** CAIP-2 canonical, e.g. `eip155:8453`. */\n network?: string;\n chainId?: number;\n token?: string;\n symbol?: string;\n decimals?: number;\n mode?: 'exact' | 'upto';\n}\n\n/**\n * Canonical config for the Solana MPP rail.\n *\n * `signer` is an optional fee-payer signer for server-side fee sponsorship —\n * typed as `unknown` to avoid hard-importing `@solana/kit` types here. Pass any\n * `TransactionPartialSigner`.\n */\nexport interface SolanaMppRailSpec {\n recipient: RecipientLike;\n network?: string;\n token?: string;\n symbol?: string;\n decimals?: number;\n rpcUrl?: string;\n signer?: unknown;\n tokenProgram?: string;\n}\n\n/**\n * Canonical config for the Stripe SPT rail.\n *\n * `recipient` is intentionally absent — Stripe rails use `profileId` as the\n * merchant-side network identifier the agent's SPT is scoped to; the\n * transaction recipient is the merchant's Stripe account, not an on-chain\n * address.\n */\nexport interface StripeRailSpec {\n profileId?: string | null;\n rails?: ('card' | 'link' | 'shared_payment_token')[];\n paymentMethodTypes?: string[];\n productName?: string;\n secretKey?: string;\n}\n\n/**\n * Canonical config for the Tempo session MPP rail (pay-as-you-go channels).\n *\n * `escrowContract` is the merchant-deployed on-chain escrow that holds channel\n * deposits + pays out cumulative vouchers on settlement. `store` is a\n * `ChannelStore` instance — typed as `unknown` to avoid hard-importing `mppx`'s\n * store interface here.\n */\nexport interface TempoSessionRailSpec {\n recipient: RecipientLike;\n escrowContract: string;\n store: unknown;\n currency?: string;\n testnet?: boolean;\n chains?: unknown;\n}\n\n/**\n * Default field values for each `*RailSpec`. Mirrors python-commerce's\n * `*RailSpec` dataclass defaults — callers can spread these into their spec\n * literal when they want defaults without typing them out. Sourced from the\n * USDC registry so they stay in sync with on-chain reality.\n */\nexport const RAIL_SPEC_DEFAULTS = {\n tempo: {\n network: 'tempo-mainnet',\n chainId: 4217,\n token: USDC.tempo.mainnet.address,\n symbol: 'USDC.e',\n decimals: 6,\n testnet: false,\n recommend: 'both' as const,\n },\n x402Base: {\n network: 'eip155:8453',\n chainId: 8453,\n token: USDC.base.mainnet.address,\n symbol: 'USDC',\n decimals: 6,\n mode: 'exact' as const,\n },\n solanaMpp: {\n network: 'solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp',\n token: USDC.solana.mainnet.mint,\n symbol: 'USDC',\n decimals: 6,\n },\n stripe: {\n rails: ['card', 'link', 'shared_payment_token'] as ('card' | 'link' | 'shared_payment_token')[],\n },\n tempoSession: {\n currency: USDC.tempo.mainnet.address,\n testnet: false,\n },\n} as const;\n","import {\n RAIL_SPEC_DEFAULTS,\n type SolanaMppRailSpec,\n type StripeRailSpec,\n type TempoRailSpec,\n type X402BaseRailSpec,\n resolveRecipient,\n} from '../payment/rail_spec';\n\nexport interface TempoMethodEntry {\n method: 'tempo/charge';\n network: string;\n chain_id: number;\n token: string;\n symbol: string;\n decimals: number;\n pay_to: string;\n}\n\nexport interface X402MethodEntry {\n method: 'x402/exact';\n network: string;\n chain_id?: number;\n token: string;\n symbol: string;\n decimals: number;\n pay_to: string;\n}\n\nexport interface SolanaMppMethodEntry {\n method: 'solana/charge';\n network: string;\n token: string;\n symbol: string;\n decimals: number;\n pay_to: string;\n}\n\nexport interface StripeMethodEntry {\n method: 'stripe/charge';\n rails: ('card' | 'link' | 'shared_payment_token')[];\n profile_id: string | null;\n}\n\nexport type AcceptedMethodEntry =\n | TempoMethodEntry\n | X402MethodEntry\n | SolanaMppMethodEntry\n | StripeMethodEntry;\n\n/**\n * Build the `accepted_methods[]` array for an enriched 402 body. Each rail entry\n * is conditionally included when the vendor passes a `*RailSpec` for that rail.\n * Each spec's `recipient` is resolved via `resolveRecipient` so per-order\n * factories (e.g. Stripe-multichain mints fresh deposits per PaymentIntent)\n * flow through identically to static-treasury strings.\n */\nexport async function buildAcceptedMethods({\n tempo,\n x402_base,\n solana_mpp,\n stripe,\n}: {\n tempo?: TempoRailSpec;\n x402_base?: X402BaseRailSpec;\n solana_mpp?: SolanaMppRailSpec;\n stripe?: StripeRailSpec;\n}): Promise<AcceptedMethodEntry[]> {\n const out: AcceptedMethodEntry[] = [];\n\n if (tempo) {\n out.push({\n method: 'tempo/charge',\n network: tempo.network ?? RAIL_SPEC_DEFAULTS.tempo.network,\n chain_id: tempo.chainId ?? RAIL_SPEC_DEFAULTS.tempo.chainId,\n token: tempo.token ?? RAIL_SPEC_DEFAULTS.tempo.token,\n symbol: tempo.symbol ?? RAIL_SPEC_DEFAULTS.tempo.symbol,\n decimals: tempo.decimals ?? RAIL_SPEC_DEFAULTS.tempo.decimals,\n pay_to: await resolveRecipient(tempo.recipient),\n });\n }\n\n if (x402_base) {\n out.push({\n method: 'x402/exact',\n network: x402_base.network ?? RAIL_SPEC_DEFAULTS.x402Base.network,\n chain_id: x402_base.chainId ?? RAIL_SPEC_DEFAULTS.x402Base.chainId,\n token: x402_base.token ?? RAIL_SPEC_DEFAULTS.x402Base.token,\n symbol: x402_base.symbol ?? RAIL_SPEC_DEFAULTS.x402Base.symbol,\n decimals: x402_base.decimals ?? RAIL_SPEC_DEFAULTS.x402Base.decimals,\n pay_to: await resolveRecipient(x402_base.recipient),\n });\n }\n\n if (solana_mpp) {\n out.push({\n method: 'solana/charge',\n network: solana_mpp.network ?? RAIL_SPEC_DEFAULTS.solanaMpp.network,\n token: solana_mpp.token ?? RAIL_SPEC_DEFAULTS.solanaMpp.token,\n symbol: solana_mpp.symbol ?? RAIL_SPEC_DEFAULTS.solanaMpp.symbol,\n decimals: solana_mpp.decimals ?? RAIL_SPEC_DEFAULTS.solanaMpp.decimals,\n pay_to: await resolveRecipient(solana_mpp.recipient),\n });\n }\n\n if (stripe) {\n out.push({\n method: 'stripe/charge',\n rails: stripe.rails ?? [...RAIL_SPEC_DEFAULTS.stripe.rails],\n profile_id: stripe.profileId ?? null,\n });\n }\n\n return out;\n}\n","import type { HowToPayBlock } from './how_to_pay';\n\n/** Map of rail key (e.g. 'x402_base', 'tempo_mpp', 'stripe') → list of client identifiers\n * that have been smoke-verified by the merchant against the protocol shape they emit.\n * Strings are display labels, not install commands — agents already get install commands\n * via `how_to_pay.<rail>.setup`. Use these as a \"what's known to work\" hint. */\nexport type CompatibleClients = Record<string, string[]>;\n\n\nexport interface AgentInstructions {\n how_to_pay: HowToPayBlock;\n recommended_tools: string[];\n wallet_compatibility: string;\n timeout_seconds: number;\n warnings: string[];\n recommended?: string;\n compatible_clients?: CompatibleClients;\n [key: string]: unknown;\n}\n\nconst TEMPO_WARNING =\n 'Do NOT use `tempo wallet transfer`. That moves USDC on-chain without completing the protocol handshake, so the request will not complete. Use `tempo request` instead.';\n\nconst X402_WARNING =\n 'Do NOT send USDC manually to the deposit addresses. Use `agentscore-pay pay` so the credential is signed and submitted; otherwise the request will not complete even though the deposit lands.';\n\nconst TEMPO_TOOL = '`tempo request` for Tempo USDC';\nconst AGENTSCORE_PAY_TOOL = '`agentscore-pay` — Base + Solana + Tempo from one CLI';\n\nconst DEFAULT_WALLET_COMPATIBILITY =\n 'Any client that can produce a valid MPP credential (Authorization: Payment) or x402 X-Payment header. Use the CLI commands above; sign-it-yourself is also fine.';\n\nfunction defaultRecommendedTools(howToPay: HowToPayBlock): string[] {\n const tools: string[] = [];\n if (howToPay.tempo) tools.push(TEMPO_TOOL);\n if (howToPay.tempo || howToPay.x402_base || howToPay.solana_mpp) tools.push(AGENTSCORE_PAY_TOOL);\n return tools;\n}\n\nfunction defaultWarnings(howToPay: HowToPayBlock): string[] {\n const w: string[] = [];\n if (howToPay.tempo) w.push(TEMPO_WARNING);\n if (howToPay.x402_base) w.push(X402_WARNING);\n return w;\n}\n\n/**\n * Default `compatible_clients` derived from the rails declared in `howToPay`. Lists\n * clients the AgentScore team has smoke-verified end-to-end against an `@agent-score/commerce`\n * merchant; entries appear only for rails the vendor actually offers. Vendors override\n * this in `buildAgentInstructions({compatibleClients: {...}})` to add their own tested\n * clients or remove entries that don't fit their endpoint.\n *\n * Verified state as of the SDK release. The same data is also published as a docs page\n * for humans (rationale, per-rail commands, why some clients don't fully work, last\n * verified date) — this default keeps the merchant-side surface in sync.\n */\n/** Symbolic rail keys agent-facing surfaces use to talk about a rail without spelling out\n * network/scheme details. Same keys as `CompatibleClients` map keys. */\nexport type RailKey = 'tempo_mpp' | 'x402_base' | 'solana_mpp' | 'stripe';\n\nconst RAIL_CLIENTS: Record<RailKey, readonly string[]> = {\n tempo_mpp: ['agentscore-pay', 'tempo request', 'x402-proxy'],\n x402_base: ['agentscore-pay', 'x402-proxy', 'purl (omit --network flag)'],\n solana_mpp: ['agentscore-pay'],\n stripe: ['link-cli'],\n};\n\n/** Returns the smoke-verified client list for a set of rail keys. The single source of\n * truth for \"which CLIs we've verified end-to-end on each rail\" — consumed both by the\n * 402-body builder (`defaultCompatibleClients`) and by discovery surfaces (skill.md,\n * llms.txt, etc.). Update here, every surface inherits. */\nexport function compatibleClientsByRails(rails: readonly RailKey[]): CompatibleClients | undefined {\n const out: CompatibleClients = {};\n for (const r of rails) out[r] = [...RAIL_CLIENTS[r]];\n return Object.keys(out).length === 0 ? undefined : out;\n}\n\nfunction defaultCompatibleClients(howToPay: HowToPayBlock): CompatibleClients | undefined {\n const rails: RailKey[] = [];\n if (howToPay.tempo) rails.push('tempo_mpp');\n if (howToPay.x402_base) rails.push('x402_base');\n if (howToPay.solana_mpp) rails.push('solana_mpp');\n if (howToPay.stripe) rails.push('stripe');\n return compatibleClientsByRails(rails);\n}\n\n/**\n * Build the agent_instructions object for the 402 body. Combines how_to_pay with\n * recommended tools, warnings, wallet-compatibility note, and timeout.\n *\n * Defaults adapt to the rails declared in `howToPay`: only tempo-relevant warnings/tools\n * appear if `howToPay.tempo` is set, only x402-relevant ones if `x402_base` is set.\n * Stripe-only merchants get neither rail-specific warning. Vendors override\n * `warnings`/`recommendedTools` for full control.\n */\nexport function buildAgentInstructions({\n howToPay,\n recommendedTools,\n walletCompatibility,\n timeoutSeconds,\n warnings,\n extraWarnings,\n recommended,\n compatibleClients,\n extra,\n}: {\n /** Per-rail commands. Build with `buildHowToPay`. */\n howToPay: HowToPayBlock;\n /** Tool recommendations as human-readable strings. Defaults to a sensible set covering tempo + agentscore-pay. */\n recommendedTools?: string[];\n /** Wallet-stack compatibility note for the agent. Default: rail-neutral, no specific wallet stack required. */\n walletCompatibility?: string;\n /** How long the merchant will wait for payment after the 402. Default 300 (5 minutes). */\n timeoutSeconds?: number;\n /** Warnings about common footguns. Defaults include tempo wallet transfer + raw on-chain x402 deposits. */\n warnings?: string[];\n /** Additional warnings appended to the default protocol-footgun set. Use this when you want\n * to keep the SDK's protocol warnings AND add merchant-specific notes. Ignored when\n * `warnings` is set explicitly. */\n extraWarnings?: string[];\n /** Recommended rail (e.g., 'tempo', 'x402_base'). Surfaced for agents to default to. */\n recommended?: string;\n /** Per-rail list of client names the merchant has verified work end-to-end. Vendors set\n * this from their own smoke matrix — defaults to none. When omitted, the field is not emitted. */\n compatibleClients?: CompatibleClients;\n /** Arbitrary additional fields the vendor wants merged into the agent_instructions object. */\n extra?: Record<string, unknown>;\n}): AgentInstructions {\n const compatibleClientsOut = compatibleClients ?? defaultCompatibleClients(howToPay);\n return {\n how_to_pay: howToPay,\n recommended_tools: recommendedTools ?? defaultRecommendedTools(howToPay),\n wallet_compatibility: walletCompatibility ?? DEFAULT_WALLET_COMPATIBILITY,\n timeout_seconds: timeoutSeconds ?? 300,\n warnings: warnings ?? [...defaultWarnings(howToPay), ...(extraWarnings ?? [])],\n ...(recommended ? { recommended } : {}),\n ...(compatibleClientsOut ? { compatible_clients: compatibleClientsOut } : {}),\n ...(extra ?? {}),\n };\n}\n","/**\n * Helpers for emitting the cross-merchant `agent_memory` hint on merchant 402 responses.\n *\n * The gate (`@agent-score/commerce/identity/*`) emits `agent_memory` on identity-related\n * responses (sessions, credentials, missing_identity bootstraps). Merchants can ALSO\n * include the hint in their own 402 challenge bodies on first-encounter requests so\n * agents persist the cross-merchant pattern even when entering the ecosystem through a\n * merchant-side endpoint rather than a direct AgentScore API call.\n *\n * Usage pattern:\n * - Merchant tracks per-operator (or per-IP / per-fingerprint) \"have I seen this agent\n * before?\" in their own DB\n * - On first encounter (no prior request from this operator/wallet/IP), include the hint\n * so the agent saves the pattern\n * - On subsequent encounters, skip — the agent already has it (or never will)\n *\n * The hint contents come from `buildAgentMemoryHint` (re-exported here for convenience).\n * Keep it stateless: AgentScore's pattern doesn't depend on the merchant's identity, so\n * every merchant emits the same shape.\n */\n\nimport { buildAgentMemoryHint, type AgentMemoryHint } from '../core';\n\nexport { buildAgentMemoryHint };\nexport type { AgentMemoryHint };\n\n/**\n * Returns the `agent_memory` hint when this is a first encounter, otherwise `undefined`.\n * Use directly with the `agentMemory` field of `build402Body`:\n *\n * ```ts\n * const body = build402Body({\n * acceptedMethods,\n * agentInstructions,\n * pricing,\n * agentMemory: firstEncounterAgentMemory({ firstEncounter: !this.hasSeenOperator(opToken) }),\n * });\n * ```\n *\n * `firstEncounter` is merchant-determined (DB lookup, cache flag, etc.); pass `false` to\n * suppress emission cleanly without wrapping the call in an `if`. Returning `undefined`\n * means `build402Body` cleanly skips the field instead of emitting `agent_memory: null`\n * (which would imply \"I tried but failed\" rather than \"didn't apply\").\n */\nexport function firstEncounterAgentMemory({\n firstEncounter,\n}: {\n firstEncounter: boolean;\n}): AgentMemoryHint | undefined {\n if (!firstEncounter) return undefined;\n return buildAgentMemoryHint();\n}\n","import type { AcceptedMethodEntry } from './accepted_methods';\nimport type { AgentInstructions } from './agent_instructions';\nimport type { IdentityMetadataBlock } from './identity';\nimport type { PricingBlock as _PricingBlock } from './pricing';\n\nexport type { PricingBlock } from './pricing';\n\n/**\n * Assemble the full enriched 402 response body. Combines accepted_methods, agent_instructions,\n * identity metadata, pricing, x402 compliance fields, and any vendor-specific extras into a\n * single object suitable for `JSON.stringify`. Vendors pass only what they have; the builder\n * conditionally includes each section.\n *\n * Pair this with a Response that sets:\n * - 'content-type: application/json'\n * - 'www-authenticate: <wwwAuthenticateHeader([...])>' from `payment/wwwauthenticate`\n * - 'PAYMENT-REQUIRED: <paymentRequiredHeader({...})>' for x402 clients\n */\nexport function build402Body({\n acceptedMethods,\n agentInstructions,\n identityMetadata,\n agentMemory,\n pricing,\n amountUsd,\n currency,\n orderId,\n product,\n retryBody,\n recommended,\n x402,\n extra,\n}: {\n /** From buildAcceptedMethods — list of MPP method entries. */\n acceptedMethods: AcceptedMethodEntry[];\n /** From buildAgentInstructions — wraps how_to_pay + warnings + recommended_tools. */\n agentInstructions?: AgentInstructions;\n /** From buildIdentityMetadata — wallet-mode echoer. Spread into the body when present. */\n identityMetadata?: IdentityMetadataBlock;\n /** Cross-merchant agent_memory hint (from gate). */\n agentMemory?: unknown;\n /** Pricing breakdown. */\n pricing?: _PricingBlock;\n /** Total amount in USD as a string (e.g., '250.00'). */\n amountUsd?: string;\n /** Currency code. Default 'USD'. */\n currency?: string;\n /** Order id for retry correlation. */\n orderId?: string | null;\n /** Product info — surfaced on the 402 so agents can confirm what they're buying. */\n product?: { id: string; name: string };\n /** The body the agent should retry with after payment (e.g., the original request body). */\n retryBody?: unknown;\n /** Recommended rail — agent's default if multiple are listed. */\n recommended?: string;\n /** x402-compliance fields (paired with the PAYMENT-REQUIRED header from `payment/wwwauthenticate`). */\n x402?: {\n accepts: unknown[];\n version?: 1 | 2;\n /** x402 spec `extensions` field. Per-endpoint declared extensions (e.g.\n * `bazaar` discovery schema from `createBazaarDiscovery({...})`). Surfaces\n * on the 402 body as `extensions` so spec-compliant crawlers can read it. */\n extensions?: Record<string, unknown>;\n };\n /** Vendor-specific extra fields merged at the top level. */\n extra?: Record<string, unknown>;\n}): Record<string, unknown> {\n const body: Record<string, unknown> = {\n payment_required: true,\n accepted_methods: acceptedMethods,\n };\n\n if (x402) {\n body.x402Version = x402.version ?? 2;\n body.accepts = x402.accepts;\n if (x402.extensions !== undefined && Object.keys(x402.extensions).length > 0) {\n body.extensions = x402.extensions;\n }\n }\n\n if (amountUsd !== undefined) body.amount_usd = amountUsd;\n if (currency) body.currency = currency;\n if (pricing) body.pricing = pricing;\n if (orderId !== undefined) body.order_id = orderId;\n if (product) body.product = product;\n if (recommended) body.recommended = recommended;\n if (retryBody !== undefined) body.retry_body = retryBody;\n\n if (identityMetadata) {\n Object.assign(body, identityMetadata);\n }\n\n if (agentInstructions) body.agent_instructions = agentInstructions;\n if (agentMemory !== undefined) body.agent_memory = agentMemory;\n\n if (extra) Object.assign(body, extra);\n\n return body;\n}\n","import {\n RAIL_SPEC_DEFAULTS,\n type SolanaMppRailSpec,\n type StripeRailSpec,\n type TempoRailSpec,\n type X402BaseRailSpec,\n} from '../payment/rail_spec';\n\nexport interface HowToPayRailEntry {\n setup?: string[];\n prerequisite?: string;\n command: string;\n alternative_command?: string;\n what_it_does: string;\n}\n\nexport interface HowToPayStripeEntry {\n prerequisite: string;\n instructions: string;\n setup_link_cli?: string[];\n command_link_cli?: string[];\n what_it_does_link_cli?: string;\n note?: string;\n}\n\nexport interface HowToPayBlock {\n tempo?: HowToPayRailEntry;\n x402_base?: HowToPayRailEntry;\n solana_mpp?: HowToPayRailEntry;\n stripe?: HowToPayStripeEntry;\n}\n\nexport interface HowToPayRails {\n tempo?: TempoRailSpec;\n x402_base?: X402BaseRailSpec;\n solana_mpp?: SolanaMppRailSpec;\n stripe?: StripeRailSpec;\n}\n\nconst TEMPO_SETUP = [\n 'curl -fsSL https://tempo.xyz/install | bash',\n 'tempo wallet login',\n 'tempo wallet whoami',\n 'tempo wallet fund # if balance is zero',\n];\n\nconst PAY_SETUP_BASE = [\n 'npm install -g @agent-score/pay # or: brew install agentscore/tap/agentscore-pay',\n 'agentscore-pay wallet create --chain base',\n 'agentscore-pay balance --chain base # fund the printed address with USDC on Base',\n];\n\nconst PAY_SETUP_SOLANA = [\n 'npm install -g @agent-score/pay # or: brew install agentscore/tap/agentscore-pay',\n 'agentscore-pay wallet create --chain solana',\n 'agentscore-pay balance --chain solana # fund the printed address with USDC on Solana',\n];\n\n/**\n * Build the agent_instructions.how_to_pay block. Generates per-rail setup/command/what_it_does\n * boilerplate so agents see concrete commands per rail in the 402 body. Vendors pass the rails\n * they support; the helper produces the right command for each.\n *\n * Tool recommendations (tempo CLI vs agentscore-pay vs link-cli) are configurable per rail.\n */\nexport function buildHowToPay({\n url,\n retryBodyJson,\n totalUsd,\n rails,\n opTokenPlaceholder,\n maxSpend,\n}: {\n /** The merchant's full URL (e.g., 'https://agents.merchant.example/api/buy'). */\n url: string;\n /** JSON string of the body the agent should retry with — typically the original request body. */\n retryBodyJson: string;\n /** Total amount in USD (string or number). Used to compute max-spend defaults and stripe context. */\n totalUsd: string | number;\n /** Per-rail config — each is optional. Pass only the rails you support. */\n rails: HowToPayRails;\n /** Placeholder text for the operator token in commands. Defaults to '<your_opc_token>'. */\n opTokenPlaceholder?: string;\n /** Override max-spend value used in commands. Default: ceil(totalUsd) + 1. */\n maxSpend?: string | number;\n}): HowToPayBlock {\n const totalNum = typeof totalUsd === 'string' ? Number(totalUsd) : totalUsd;\n const maxSpendStr = String(maxSpend ?? (Math.ceil(totalNum) + 1).toFixed(2));\n const opToken = opTokenPlaceholder ?? '<your_opc_token>';\n const block: HowToPayBlock = {};\n\n if (rails.tempo) {\n const networkName = rails.tempo.testnet ? 'tempo-testnet' : (rails.tempo.network ?? RAIL_SPEC_DEFAULTS.tempo.network);\n const chainId = rails.tempo.chainId ?? RAIL_SPEC_DEFAULTS.tempo.chainId;\n const recommend = rails.tempo.recommend ?? RAIL_SPEC_DEFAULTS.tempo.recommend;\n const tempoCommand = `tempo request -X POST -H 'X-Operator-Token: ${opToken}' -H 'Content-Type: application/json' --json '${retryBodyJson}' --max-spend ${maxSpendStr} ${url}`;\n const payCommand = `agentscore-pay pay POST ${url} --chain tempo -H 'X-Operator-Token: ${opToken}' -H 'Content-Type: application/json' -d '${retryBodyJson}' --max-spend ${maxSpendStr}`;\n block.tempo = {\n setup: TEMPO_SETUP,\n prerequisite: `Run \\`tempo wallet whoami\\` and confirm USDC.e balance on ${networkName} (chain ${chainId}) is at least $${maxSpendStr}. If the tempo CLI is not installed, run the setup commands above first.`,\n command: recommend === 'agentscore-pay' ? payCommand : tempoCommand,\n ...(recommend === 'both'\n ? { alternative_command: payCommand }\n : recommend === 'agentscore-pay'\n ? { alternative_command: tempoCommand }\n : {}),\n what_it_does: `Pays via Tempo USDC on ${networkName}.`,\n };\n }\n\n if (rails.x402_base) {\n const network = rails.x402_base.network ?? RAIL_SPEC_DEFAULTS.x402Base.network;\n block.x402_base = {\n setup: PAY_SETUP_BASE,\n prerequisite: `Run \\`agentscore-pay balance --chain base\\` and confirm USDC balance on Base (${network}) is at least $${maxSpendStr}. If the CLI is not installed, run the setup commands above first.`,\n command: `agentscore-pay pay POST ${url} --chain base -H 'X-Operator-Token: ${opToken}' -H 'Content-Type: application/json' -d '${retryBodyJson}' --max-spend ${maxSpendStr}`,\n what_it_does: 'Pays via USDC on Base.',\n };\n }\n\n if (rails.solana_mpp) {\n const network = rails.solana_mpp.network ?? RAIL_SPEC_DEFAULTS.solanaMpp.network;\n block.solana_mpp = {\n setup: PAY_SETUP_SOLANA,\n prerequisite: `Run \\`agentscore-pay balance --chain solana\\` and confirm USDC balance on Solana (${network}) is at least $${maxSpendStr}. If the CLI is not installed, run the setup commands above first.`,\n command: `agentscore-pay pay POST ${url} --chain solana -H 'X-Operator-Token: ${opToken}' -H 'Content-Type: application/json' -d '${retryBodyJson}' --max-spend ${maxSpendStr}`,\n what_it_does: 'Pays via USDC on Solana.',\n };\n }\n\n if (rails.stripe) {\n const stripeCfg = rails.stripe;\n const amountCents = Math.round(totalNum * 100);\n const linkCliBlocked = amountCents > 50000;\n const productName = stripeCfg.productName ?? 'this purchase';\n const sptContext = `Purchasing \"${productName}\" via the agent commerce API. The user authorized this purchase through their AI agent for $${totalNum}; charge to be settled via shared payment token over the Machine Payments Protocol.`;\n const stripe: HowToPayStripeEntry = {\n prerequisite:\n 'Either your own Stripe account with Shared Payment Token acceptance, OR a Stripe Link wallet (any user with link.com).',\n instructions:\n 'Mint a SharedPaymentToken scoped to the profile_id advertised in accepted_methods, then submit via Authorization: Payment MPP header with method=stripe/charge.',\n };\n if (stripeCfg.profileId && !linkCliBlocked) {\n stripe.setup_link_cli = [\n 'npm install -g @stripe/link-cli # or use npx -y @stripe/link-cli for one-shot',\n 'link-cli auth login # one-time, opens your Link wallet',\n 'link-cli payment-methods list --output-json # copy a csmrpd_... id',\n ];\n stripe.command_link_cli = [\n `SPEND_ID=$(link-cli spend-request create --payment-method-id <csmrpd_id_from_payment_methods_list> --credential-type shared_payment_token --network-id ${stripeCfg.profileId} --amount ${amountCents} --context \"${sptContext}\" --request-approval --output-json | jq -r .id)`,\n `link-cli mpp pay ${url} --spend-request-id $SPEND_ID --method POST --data '${retryBodyJson}' --header 'X-Operator-Token: ${opToken}' --output-json`,\n ];\n stripe.what_it_does_link_cli =\n 'Mints a one-time-use SharedPaymentToken scoped to this purchase (user approves in Link wallet), then submits it as the payment credential.';\n } else if (linkCliBlocked) {\n stripe.note = `link-cli SPT path not available for this purchase — Stripe link-cli caps spend requests at $500.00 ($50000 cents); your total is $${totalNum}. Use your own Stripe account with the SharedPaymentToken API instead.`;\n }\n block.stripe = stripe;\n }\n\n return block;\n}\n","export type IdentityMode = 'wallet' | 'operator_token';\n\nexport interface SignerMatchResultLike {\n kind: 'pass' | 'wallet_signer_mismatch' | 'wallet_auth_requires_wallet_signing' | string;\n expectedSigner?: string;\n actualSigner?: string;\n linkedWallets?: string[];\n}\n\nexport interface IdentityMetadataBlock {\n identity_mode: IdentityMode;\n required_signer?: string;\n linked_wallets?: string[];\n signer_constraint?: string;\n}\n\n/**\n * Build the identity-metadata block for an enriched 402 body. Echoes the agent's\n * identity context (wallet vs. operator-token mode) so the agent can self-correct\n * before signing — specifically, on wallet-auth rails the agent MUST sign with one\n * of the wallets in linked_wallets (all resolve to the same operator).\n */\nexport function buildIdentityMetadata({\n mode,\n wallet,\n signerMatchResult,\n linkedWallets,\n signerConstraint,\n}: {\n mode: IdentityMode;\n wallet?: string;\n signerMatchResult?: SignerMatchResultLike;\n linkedWallets?: string[];\n signerConstraint?: string;\n}): IdentityMetadataBlock {\n const block: IdentityMetadataBlock = { identity_mode: mode };\n\n if (mode !== 'wallet') return block;\n\n if (wallet) {\n block.required_signer = signerMatchResult?.expectedSigner ?? wallet;\n }\n if (linkedWallets && linkedWallets.length > 0) {\n block.linked_wallets = linkedWallets;\n }\n block.signer_constraint =\n signerConstraint ??\n 'Payment must be signed with the claimed wallet OR any same-operator linked wallet listed in linked_wallets.';\n\n return block;\n}\n","/**\n * Pricing block builder + canonical type.\n *\n * Composes the cents-denominated price components into the dollar-string shape that\n * 402 challenge bodies advertise. Standardizes the pricing block so every merchant\n * — current and future commerce-platform plugins (Commerce7, WooCommerce, Shopify) —\n * surfaces the same shape to agents.\n *\n * Shipping is included by default because most physical-goods merchants carry it; pass\n * `shippingCents: 0` (or omit) for digital goods / services. Tax is optional for\n * merchants outside taxable jurisdictions.\n */\n\nexport interface PricingBlock {\n /** List-price subtotal as a dollar-string (e.g. `\"250.00\"`), pre-tax, pre-shipping, pre-discount. */\n subtotal: string;\n /** Tax amount as a dollar-string. Always present even if `\"0.00\"`. */\n tax: string;\n /** Shipping cost as a dollar-string. Always present even if `\"0.00\"`. */\n shipping?: string;\n /** Discount deducted from subtotal (redemption code, coupon, promo) as a dollar-string. Omit when no discount applied; agents reading the 402 see `subtotal`/`discount`/`total` and can render the savings line. */\n discount?: string;\n /** Final total = subtotal + tax + shipping - discount, dollar-string. Floored at 0. */\n total: string;\n /** Tax rate as a decimal fraction (e.g. `0.0775` for 7.75%). Optional — omit for tax-free merchants. */\n tax_rate?: number;\n /** ISO-3166-2 state code or jurisdiction name used for tax calc. Optional. */\n tax_state?: string;\n /** ISO-4217 currency code. Default `\"USD\"`. */\n currency?: string;\n}\n\n/**\n * Compose a `PricingBlock` from cents-denominated inputs. Handles the cents → dollar-string\n * conversion (always 2 decimals) and computes the total when not explicitly provided.\n * `subtotalCents` is the list price, pre-discount; `discountCents` is the deduction applied\n * (redemption code, coupon).\n *\n * Example:\n * ```ts\n * const pricing = buildPricingBlock({\n * subtotalCents: 25000,\n * taxCents: 1875,\n * shippingCents: 999,\n * taxRate: 0.075,\n * taxState: 'CA',\n * });\n * // → { subtotal: '250.00', tax: '18.75', shipping: '9.99', total: '278.74', tax_rate: 0.075, tax_state: 'CA' }\n *\n * // Redemption-code applied:\n * buildPricingBlock({ subtotalCents: 7500, discountCents: 7500 });\n * // → { subtotal: '75.00', discount: '75.00', tax: '0.00', total: '0.00' }\n * ```\n *\n * Pass `shippingCents: 0` for digital goods if you want the field present (it's then `\"0.00\"`);\n * omit entirely if you don't want shipping in the response shape at all. Total floors at 0\n * when discount exceeds subtotal + tax + shipping.\n */\nexport function buildPricingBlock({\n subtotalCents,\n taxCents = 0,\n shippingCents,\n discountCents,\n totalCents,\n taxRate,\n taxState,\n currency,\n}: {\n subtotalCents: number;\n taxCents?: number;\n shippingCents?: number;\n discountCents?: number;\n totalCents?: number;\n taxRate?: number;\n taxState?: string;\n currency?: string;\n}): PricingBlock {\n const shipping = shippingCents ?? 0;\n const discount = discountCents ?? 0;\n const total = totalCents ?? Math.max(0, subtotalCents + taxCents + shipping - discount);\n\n const block: PricingBlock = {\n subtotal: formatCents(subtotalCents),\n tax: formatCents(taxCents),\n total: formatCents(total),\n };\n\n if (shippingCents !== undefined) block.shipping = formatCents(shipping);\n if (discountCents !== undefined) block.discount = formatCents(discount);\n if (taxRate !== undefined) block.tax_rate = taxRate;\n if (taxState !== undefined) block.tax_state = taxState;\n if (currency !== undefined) block.currency = currency;\n\n return block;\n}\n\nfunction formatCents(cents: number): string {\n return (cents / 100).toFixed(2);\n}\n","/**\n * `respond402` — single-call 402 emit for merchants who use both `mppx` (for tempo + stripe\n * MPP rails) AND x402 (for Base + Solana).\n *\n * The seam is fiddly enough to get wrong by hand:\n * - mppx's `compose()(req)` returns a 402 Response with WWW-Authenticate directives\n * whose ids mppx's server-side validator REMEMBERS — they round-trip in client\n * credentials. Overwriting that header breaks the round-trip.\n * - x402 needs the binary-friendly `PAYMENT-REQUIRED` header (base64-encoded JSON\n * of `{x402Version, accepts, resource}`) — mppx doesn't emit it.\n * - Merchants want a richer JSON body (pricing, identity metadata, agent_instructions,\n * agent_memory, retry_body, accepted_methods cross-reference) than the bare mppx body.\n *\n * `respond402` composes all three and returns a framework-neutral `Respond402Result`\n * (body + headers + status) that the merchant wraps in their framework's response shape.\n *\n * Usage:\n * ```ts\n * const challenge = await m.compose(['tempo/charge', {...}], ['stripe/charge', {...}])(c.req.raw);\n * if (challenge.status === 402) {\n * const result = respond402({\n * mppxChallengeHeaders: Object.fromEntries(challenge.headers),\n * body: build402Body({ ... }),\n * x402: { x402Version: 2, accepts: x402Accepts, resource: { url: c.req.url, mimeType: 'application/json' } },\n * });\n * return new Response(JSON.stringify(result.body), { status: result.status, headers: result.headers });\n * }\n * ```\n */\n\nimport { paymentRequiredHeader } from '../payment/wwwauthenticate';\n\n/** Framework-neutral 402 response shape — body + headers + status. */\nexport interface Respond402Result {\n body: Record<string, unknown>;\n headers: Record<string, string>;\n status: 402;\n}\n\nexport function respond402({\n mppxChallengeHeaders,\n body,\n x402,\n}: {\n /** Headers from mppx's 402 Response (`Object.fromEntries(challenge.headers)`). The\n * `WWW-Authenticate` directives are preserved verbatim — mppx's server-side validator\n * matches credentials to the ids it generated. */\n mppxChallengeHeaders: Record<string, string>;\n /** The already-built 402 body — call `build402Body({...})` to construct it. */\n body: Record<string, unknown>;\n /** When set, layers on the x402 PAYMENT-REQUIRED header (base64-encoded JSON).\n * Omit for merchants that don't accept x402 (Base/Solana) — mppx-only setups. */\n x402?: Parameters<typeof paymentRequiredHeader>[0];\n}): Respond402Result {\n const headers: Record<string, string> = {};\n for (const [k, v] of Object.entries(mppxChallengeHeaders)) {\n headers[k.toLowerCase()] = v;\n }\n headers['content-type'] = 'application/json';\n if (x402) {\n headers['payment-required'] = paymentRequiredHeader(x402);\n }\n return { body, headers, status: 402 };\n}\n","/**\n * Build a structured 4xx validation-error body that pairs cleanly with the\n * existing 402 / 403 builders. Every commerce merchant returning helpful\n * `bad_request` / `not_found` / `out_of_stock` / etc. errors converges on the\n * same shape: `{ error: {code, message}, ...optional_hints, next_steps? }`.\n *\n * This builder doesn't choose the HTTP status — vendors wrap the returned\n * body in their framework's response (`c.json(body, 400)` in Hono,\n * `Response.json(body, {status: 400})` for the Web Fetch path, etc.). Status\n * stays the merchant's call because the same shape works for 400/404/409/422.\n */\nexport interface ValidationErrorBody {\n error: { code: string; message: string };\n required_fields?: Record<string, string>;\n example_body?: unknown;\n next_steps?: Record<string, unknown>;\n [key: string]: unknown;\n}\n\n/**\n * Compose a 4xx body that vendors return via their framework's response helper.\n * Combine with the merchant's chosen HTTP status (400 for body shape errors,\n * 404 for missing entities, 409 for stock conflicts, 403 for policy denials, etc.).\n *\n * Example:\n * ```ts\n * return c.json(buildValidationError({\n * code: 'bad_request',\n * message: 'product_id, email, and shipping are required',\n * requiredFields: { product_id: 'uuid', email: 'string', shipping: 'object' },\n * nextSteps: { action: 'retry_with_complete_body' },\n * }), 400);\n * ```\n */\nexport function buildValidationError({\n code,\n message,\n requiredFields,\n exampleBody,\n nextSteps,\n extra,\n}: {\n code: string;\n message: string;\n requiredFields?: Record<string, string>;\n exampleBody?: unknown;\n nextSteps?: Record<string, unknown>;\n extra?: Record<string, unknown>;\n}): ValidationErrorBody {\n const body: ValidationErrorBody = {\n error: { code, message },\n };\n if (requiredFields) body.required_fields = requiredFields;\n if (exampleBody !== undefined) body.example_body = exampleBody;\n if (nextSteps) body.next_steps = nextSteps;\n if (extra) Object.assign(body, extra);\n return body;\n}\n","/**\n * Wraps the `mppStripe.charge(...)` boilerplate from `mppx/server`. Returns the value\n * vendors pass into `Mppx.create({ methods: [...] })`. mppx is an OPTIONAL peer dependency —\n * vendors who don't use Stripe SPT don't need to install it.\n *\n * Example:\n *\n * import { Mppx, tempo } from 'mppx/server';\n * import { createMppxStripe } from '@agent-score/commerce/stripe-multichain';\n *\n * const stripeMethod = await createMppxStripe({\n * profileId: process.env.STRIPE_PROFILE_ID!,\n * secretKey: process.env.STRIPE_SECRET_KEY!,\n * });\n *\n * const mppx = Mppx.create({\n * methods: [tempo.charge({...}), stripeMethod],\n * secretKey: process.env.MPP_SECRET_KEY!,\n * });\n *\n * Throws if mppx is not installed.\n */\nexport async function createMppxStripe({\n profileId,\n secretKey,\n paymentMethodTypes,\n}: {\n /** Stripe profile_id / network_id (the value advertised in your `stripe/charge` accepted_methods entry). */\n profileId: string;\n /** Stripe secret key — mppx uses it to validate inbound SharedPaymentTokens. */\n secretKey: string;\n /** Payment method types this stripe rail accepts. Default ['card', 'link']. */\n paymentMethodTypes?: string[];\n}): Promise<unknown> {\n const moduleName = 'mppx/server';\n const mppx = (await import(moduleName).catch(() => null)) as {\n stripe?: {\n charge: (config: {\n networkId: string;\n paymentMethodTypes?: string[];\n secretKey: string;\n }) => unknown;\n };\n } | null;\n /* v8 ignore start -- peer-dep-absence guard; mppx is installed in the test env so this branch can't be exercised without mocking the dynamic import */\n if (!mppx?.stripe?.charge) {\n throw new Error(\n 'mppx not installed — install with `npm install mppx` to use createMppxStripe.',\n );\n }\n /* v8 ignore stop */\n return mppx.stripe.charge({\n networkId: profileId,\n paymentMethodTypes: paymentMethodTypes ?? ['card', 'link'],\n secretKey,\n });\n}\n","import { createMppxStripe } from '../stripe-multichain/mppx_stripe';\nimport { networks } from './networks';\nimport {\n resolveRecipient,\n type SolanaMppRailSpec,\n type StripeRailSpec,\n type TempoRailSpec,\n type TempoSessionRailSpec,\n} from './rail_spec';\nimport { USDC } from './usdc';\n\nexport type MppxRailSpec =\n | TempoRailSpec\n | SolanaMppRailSpec\n | TempoSessionRailSpec\n | StripeRailSpec;\n\ntype SolanaMppNetwork = 'mainnet-beta' | 'devnet' | 'localnet';\n\ninterface MppxModule {\n Mppx?: { create: (opts: { methods: unknown[]; secretKey: string }) => unknown };\n tempo?: {\n charge: (opts: { currency: string; recipient: string; testnet?: boolean }) => unknown;\n session?: (opts: {\n currency: string;\n recipient: string;\n escrowContract: string;\n store: unknown;\n testnet?: boolean;\n chains?: unknown;\n }) => unknown;\n };\n}\n\ninterface SolanaMppModule {\n charge?: (opts: {\n recipient: string;\n currency?: string;\n decimals?: number;\n network?: string;\n rpcUrl?: string;\n signer?: unknown;\n tokenProgram?: string;\n }) => unknown;\n}\n\nfunction isStripeRailSpec(s: MppxRailSpec): s is StripeRailSpec {\n return !('recipient' in s);\n}\n\nfunction isTempoSessionRailSpec(s: MppxRailSpec): s is TempoSessionRailSpec {\n return 'escrowContract' in s && 'store' in s;\n}\n\nfunction isSolanaMppRailSpec(s: MppxRailSpec): s is SolanaMppRailSpec {\n if (!('recipient' in s)) return false;\n if ('escrowContract' in s) return false;\n if ('rpcUrl' in s || 'tokenProgram' in s) return true;\n return (s as { network?: string }).network?.startsWith('solana:') ?? false;\n}\n\nfunction solanaNetworkFromCAIP2(caip2: string | undefined): SolanaMppNetwork {\n if (caip2 === networks.solana.devnet.caip2) return 'devnet';\n return 'mainnet-beta';\n}\n\nfunction solanaDefaultRpcUrl(network: SolanaMppNetwork): string {\n if (network === 'mainnet-beta') return 'https://api.mainnet-beta.solana.com';\n if (network === 'devnet') return 'https://api.devnet.solana.com';\n return 'http://localhost:8899';\n}\n\n/**\n * One-call mppx server setup. Wires `tempo.charge(...)`, `tempo.session(...)`,\n * `@solana/mpp.charge(...)`, and Stripe SPT (via createMppxStripe) from canonical\n * `*RailSpec` configs, replacing the boilerplate of constructing each method by\n * hand.\n *\n * const mppx = await createMppxServer({\n * rails: {\n * tempo: { recipient: TEMPO_ADDR } satisfies TempoRailSpec,\n * solana: { recipient: SOL_ADDR } satisfies SolanaMppRailSpec,\n * stripe: { profileId: STRIPE_PROFILE_ID, secretKey: STRIPE_SECRET_KEY } satisfies StripeRailSpec,\n * },\n * secretKey: MPP_SECRET_KEY,\n * });\n *\n * Keys are rail names (`tempo` / `solana` / `tempo_session` / `stripe`); values\n * are the matching `*RailSpec` types every other helper also consumes.\n *\n * `mppx` is an OPTIONAL peer dependency — install it only if you accept MPP rails.\n */\nexport async function createMppxServer({\n rails,\n methods: extraMethods,\n secretKey,\n}: {\n rails?: Record<string, MppxRailSpec>;\n methods?: unknown[];\n secretKey: string;\n}): Promise<unknown> {\n const mppx = await dynamicImport<MppxModule>('mppx/server');\n /* v8 ignore start -- peer-dep-absence guard; mppx is installed in the test env */\n if (!mppx?.Mppx?.create) {\n throw new Error('mppx not installed — `npm install mppx` to use createMppxServer.');\n }\n /* v8 ignore stop */\n\n const methods: unknown[] = [...(extraMethods ?? [])];\n\n for (const [name, spec] of Object.entries(rails ?? {})) {\n if (isStripeRailSpec(spec)) {\n methods.push(await registerStripe(spec));\n continue;\n }\n if (isTempoSessionRailSpec(spec)) {\n methods.push(await registerTempoSession(mppx, spec));\n continue;\n }\n if (isSolanaMppRailSpec(spec)) {\n methods.push(await registerSolana(spec));\n continue;\n }\n // Default: TempoRailSpec (bare `{recipient, ...}` with no Solana / session markers).\n methods.push(registerTempo(mppx, spec as TempoRailSpec, name));\n }\n\n return mppx.Mppx.create({ methods, secretKey });\n}\n\nfunction registerTempo(mppx: MppxModule, spec: TempoRailSpec, _name: string): unknown {\n /* v8 ignore start -- peer-dep version-mismatch guard; current mppx ships tempo.charge */\n if (!mppx.tempo?.charge) {\n throw new Error('mppx.tempo.charge not available — check installed mppx version.');\n }\n /* v8 ignore stop */\n const defaultCurrency = spec.testnet ? USDC.tempo.testnet.address : USDC.tempo.mainnet.address;\n if (typeof spec.recipient !== 'string') {\n throw new TypeError(\n 'createMppxServer: TempoRailSpec requires a string recipient (per-order factories not supported here).',\n );\n }\n return mppx.tempo.charge({\n currency: spec.token ?? defaultCurrency,\n recipient: spec.recipient,\n testnet: spec.testnet ?? false,\n });\n}\n\nasync function registerTempoSession(mppx: MppxModule, spec: TempoSessionRailSpec): Promise<unknown> {\n /* v8 ignore start -- peer-dep version-mismatch guard; current mppx ships tempo.session */\n if (!mppx.tempo?.session) {\n throw new Error(\n 'mppx.tempo.session not available — your mppx version may not support sessions yet. Upgrade with `npm install mppx@latest`.',\n );\n }\n /* v8 ignore stop */\n const defaultCurrency = spec.testnet ? USDC.tempo.testnet.address : USDC.tempo.mainnet.address;\n return mppx.tempo.session({\n currency: spec.currency ?? defaultCurrency,\n recipient: await resolveRecipient(spec.recipient),\n escrowContract: spec.escrowContract,\n store: spec.store,\n testnet: spec.testnet ?? false,\n ...(spec.chains ? { chains: spec.chains } : {}),\n });\n}\n\nasync function registerSolana(spec: SolanaMppRailSpec): Promise<unknown> {\n const solanaMpp = await dynamicImport<SolanaMppModule>('@solana/mpp/server');\n if (!solanaMpp?.charge) {\n throw new Error(\n '@solana/mpp not installed — `npm install @solana/mpp @solana/kit` to use the solana rail.',\n );\n }\n const network = solanaNetworkFromCAIP2(spec.network);\n const defaultMint =\n network === 'mainnet-beta' ? USDC.solana.mainnet.mint : USDC.solana.devnet.mint;\n const defaultDecimals =\n network === 'mainnet-beta' ? USDC.solana.mainnet.decimals : USDC.solana.devnet.decimals;\n if (typeof spec.recipient !== 'string') {\n throw new TypeError(\n 'createMppxServer: SolanaMppRailSpec requires a string recipient (per-order factories not supported here).',\n );\n }\n const baseMethod = solanaMpp.charge({\n recipient: spec.recipient,\n currency: spec.token ?? defaultMint,\n decimals: spec.decimals ?? defaultDecimals,\n network,\n ...(spec.rpcUrl ? { rpcUrl: spec.rpcUrl } : {}),\n ...(spec.signer ? { signer: spec.signer } : {}),\n ...(spec.tokenProgram ? { tokenProgram: spec.tokenProgram } : {}),\n }) as SolanaChargeMethod;\n return wrapSolanaChargeWithFinalizedBlockhash(baseMethod, spec.rpcUrl ?? solanaDefaultRpcUrl(network));\n}\n\nasync function registerStripe(spec: StripeRailSpec): Promise<unknown> {\n if (!spec.profileId || !spec.secretKey) {\n throw new Error(\n 'createMppxServer: StripeRailSpec requires both profileId and secretKey.',\n );\n }\n return createMppxStripe({\n profileId: spec.profileId,\n secretKey: spec.secretKey,\n paymentMethodTypes: spec.paymentMethodTypes,\n });\n}\n\nasync function dynamicImport<T>(moduleName: string): Promise<T | null> {\n try {\n return (await import(moduleName)) as T;\n } catch {\n return null;\n }\n}\n\ntype SolanaChargeRequestArgs = { credential?: unknown; request?: unknown };\ntype SolanaChargeMethod = {\n request?: (args: SolanaChargeRequestArgs) => Promise<unknown>;\n} & Record<string, unknown>;\n\n/**\n * Wraps `@solana/mpp.charge()`'s Method so the issued challenge carries a\n * `finalized` blockhash instead of `confirmed`.\n *\n * `@solana/mpp` <= 0.5.2 fetches `getLatestBlockhash` with `commitment: 'confirmed'`\n * but its broadcast `sendTransaction` sets `skipPreflight: false` without an\n * overridden `preflightCommitment`. The RPC server's default preflight commitment\n * is `finalized`, which rejects any blockhash that hasn't yet finalized with a\n * \"Blockhash not found\" error. Handing the client a `finalized` blockhash up\n * front sidesteps the mismatch.\n *\n * Trade-off: the signing window shrinks from ~58s (confirmed) to ~46s (finalized).\n * Fine for agent-driven flows; manual signing flows still have plenty of margin.\n */\nexport function wrapSolanaChargeWithFinalizedBlockhash(\n baseMethod: SolanaChargeMethod,\n rpcUrl: string,\n): SolanaChargeMethod {\n return {\n ...baseMethod,\n async request(args: SolanaChargeRequestArgs) {\n const orig = (await baseMethod.request!(args)) as\n | { methodDetails?: Record<string, unknown> }\n | undefined;\n if (args.credential || !orig || typeof orig !== 'object') return orig;\n try {\n const res = await fetch(rpcUrl, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({\n id: 1,\n jsonrpc: '2.0',\n method: 'getLatestBlockhash',\n params: [{ commitment: 'finalized' }],\n }),\n });\n const data = (await res.json()) as { result?: { value?: { blockhash?: string } } };\n const finalized = data?.result?.value?.blockhash;\n if (finalized) {\n return {\n ...orig,\n methodDetails: { ...(orig.methodDetails ?? {}), recentBlockhash: finalized },\n };\n }\n } catch {\n /* fall back to upstream's confirmed blockhash */\n }\n return orig;\n },\n };\n}\n","import { networks } from './networks';\nimport { registerX402SchemesV1V2 } from './x402';\n\nexport type X402SymbolicRail =\n | 'x402-base-mainnet'\n | 'x402-base-sepolia'\n | 'x402-base-mainnet-upto'\n | 'x402-base-sepolia-upto';\n\nexport type X402FacilitatorChoice = 'coinbase' | 'http' | unknown;\n\nexport interface CreateX402ServerOptions {\n /**\n * Facilitator selection:\n * - 'coinbase' → Coinbase CDP facilitator (requires `@coinbase/x402` installed)\n * - 'http' → HTTP-only public testnet facilitator\n * - any object → custom facilitator instance, used directly\n * - omitted → defaults to 'http'\n */\n facilitator?: X402FacilitatorChoice;\n /**\n * Symbolic rail names to register schemes for. Each gets v1+v2 dual-register applied.\n * Requires `@x402/evm` peer dep installed.\n */\n rails?: X402SymbolicRail[];\n /** Advanced: register custom {network, scheme} pairs (in addition to or instead of `rails`). */\n schemes?: { network: string; scheme: unknown }[];\n /** Register the Bazaar discovery extension. Requires `@x402/extensions` installed. */\n bazaar?: boolean;\n /** Initialize the server immediately (calls facilitator). Default true. */\n initialize?: boolean;\n}\n\n/**\n * Loose type for the x402 resource server. We name the methods commerce calls during\n * setup; everything else (settlePayment, buildPaymentRequirements, processPaymentRequest,\n * enrichExtensions, etc.) is callable via the index signature so vendor code can use the\n * full @x402/core surface without us having to mirror every method signature.\n */\nexport interface X402Server {\n register(network: string, scheme: unknown): void;\n registerV1?(network: string, scheme: unknown): void;\n registerExtension(ext: unknown): void;\n initialize(): Promise<void>;\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n [key: string]: any;\n}\n\ninterface X402CoreModule {\n x402ResourceServer: new (facilitator?: unknown) => X402Server;\n HTTPFacilitatorClient: new (facilitator?: unknown) => unknown;\n}\n\ninterface SchemeModule {\n ExactEvmScheme?: new () => unknown;\n UptoEvmScheme?: new () => unknown;\n}\n\ninterface CoinbaseModule {\n facilitator?: unknown;\n}\n\ninterface BazaarModule {\n bazaarResourceServerExtension?: unknown;\n}\n\n/**\n * One-call x402 server setup. Resolves facilitator, constructs the server, registers\n * schemes per network with v1+v2 dual-register, optionally adds the Bazaar extension,\n * and initializes — replaces ~15 lines of boilerplate with a single config call.\n *\n * x402 packages are peer dependencies — vendors install only the schemes they use.\n * Throws a guiding error if a required peer is missing.\n *\n * const server = await createX402Server({\n * facilitator: 'coinbase',\n * rails: ['x402-base-mainnet'],\n * bazaar: true,\n * });\n */\nexport async function createX402Server(opts: CreateX402ServerOptions = {}): Promise<X402Server> {\n const x402Core = (await dynamicImport<X402CoreModule>('@x402/core/server')) ?? null;\n /* v8 ignore start -- peer-dep-absence guard; @x402/core is installed in test env */\n if (!x402Core) {\n throw new Error(\n '@x402/core not installed — `npm install @x402/core` to use createX402Server.',\n );\n }\n /* v8 ignore stop */\n\n let facilitator: unknown;\n // Auto-select the Coinbase CDP facilitator when both env vars are present.\n // Lets merchants drop `facilitator: process.env.CDP_API_KEY_ID && ... ? 'coinbase' : 'http'`\n // boilerplate. Explicit `facilitator` opt still wins.\n const facilitatorChoice =\n opts.facilitator ??\n (process.env.CDP_API_KEY_ID && process.env.CDP_API_KEY_SECRET ? 'coinbase' : 'http');\n if (facilitatorChoice === 'coinbase') {\n const cb = await dynamicImport<CoinbaseModule>('@coinbase/x402');\n /* v8 ignore start -- peer-dep-absence guard; @coinbase/x402 is installed in test env */\n if (!cb?.facilitator) {\n throw new Error(\n '@coinbase/x402 not installed — `npm install @coinbase/x402` for facilitator: \"coinbase\".',\n );\n }\n /* v8 ignore stop */\n facilitator = new x402Core.HTTPFacilitatorClient(cb.facilitator);\n } else if (facilitatorChoice === 'http') {\n facilitator = new x402Core.HTTPFacilitatorClient();\n } else {\n facilitator = facilitatorChoice;\n }\n\n const server = new x402Core.x402ResourceServer(facilitator);\n\n let evmExactModule: SchemeModule | null = null;\n let evmUptoModule: SchemeModule | null = null;\n for (const rail of opts.rails ?? []) {\n const isUpto = rail.endsWith('-upto');\n if (rail.startsWith('x402-base')) {\n const baseRail = isUpto ? rail.slice(0, -5) : rail;\n const network =\n baseRail === 'x402-base-mainnet' ? networks.base.mainnet.caip2 : networks.base.sepolia.caip2;\n if (isUpto) {\n evmUptoModule ??= await dynamicImport<SchemeModule>('@x402/evm/upto/server');\n /* v8 ignore start -- peer-dep-absence guard; @x402/evm is installed in test env */\n if (!evmUptoModule?.UptoEvmScheme) {\n throw new Error('@x402/evm not installed — `npm install @x402/evm` for x402 base upto rails.');\n }\n /* v8 ignore stop */\n registerX402SchemesV1V2(server, network, new evmUptoModule.UptoEvmScheme());\n } else {\n evmExactModule ??= await dynamicImport<SchemeModule>('@x402/evm/exact/server');\n /* v8 ignore start -- peer-dep-absence guard; @x402/evm is installed in test env */\n if (!evmExactModule?.ExactEvmScheme) {\n throw new Error('@x402/evm not installed — `npm install @x402/evm` for x402 base rails.');\n }\n /* v8 ignore stop */\n registerX402SchemesV1V2(server, network, new evmExactModule.ExactEvmScheme());\n }\n }\n }\n\n for (const { network, scheme } of opts.schemes ?? []) {\n registerX402SchemesV1V2(server, network, scheme);\n }\n\n if (opts.bazaar) {\n const bazaar = await dynamicImport<BazaarModule>('@x402/extensions/bazaar');\n /* v8 ignore start -- peer-dep-absence guard; @x402/extensions is installed in test env */\n if (!bazaar?.bazaarResourceServerExtension) {\n throw new Error(\n '@x402/extensions not installed — `npm install @x402/extensions` for bazaar discovery.',\n );\n }\n /* v8 ignore stop */\n server.registerExtension(bazaar.bazaarResourceServerExtension);\n }\n\n if (opts.initialize !== false) {\n await server.initialize();\n }\n return server;\n}\n\nexport interface BuildX402AcceptsForOptions {\n network: string;\n price: string;\n payTo: string;\n scheme?: string;\n maxTimeoutSeconds?: number;\n extensions?: string[];\n}\n\n/**\n * Build x402 `accepts[]` entries for a 402 challenge body.\n *\n * Wraps `server.buildPaymentRequirements(...)` so merchants don't have to:\n *\n * 1. Construct the resource-config object themselves\n * 2. Remember to serialize each Pydantic-equivalent requirement back to a\n * plain object before stitching it into the 402 body\n * 3. Hardcode `extra` (which differs by the actual on-chain contract — base\n * mainnet USDC has `name: \"USD Coin\"`, base sepolia USDC has `name: \"USDC\"`;\n * EIP-712 domain hashes differ, so getting this wrong silently breaks every\n * signature verify at the facilitator)\n *\n * Returns a list of plain objects in the shape that x402 expects on the wire —\n * drop them straight into the `accepts` field of the 402 challenge body.\n */\nexport async function buildX402AcceptsFor402(\n server: X402Server,\n opts: BuildX402AcceptsForOptions,\n): Promise<unknown[]> {\n const requirements = await server.buildPaymentRequirements(\n {\n scheme: opts.scheme ?? 'exact',\n network: opts.network,\n price: opts.price,\n payTo: opts.payTo,\n maxTimeoutSeconds: opts.maxTimeoutSeconds ?? 300,\n },\n opts.extensions,\n );\n return Array.isArray(requirements) ? requirements : [];\n}\n\nasync function dynamicImport<T>(moduleName: string): Promise<T | null> {\n try {\n return (await import(moduleName)) as T;\n } catch {\n return null;\n }\n}\n","/**\n * Generic x402 server interface. Different versions of @x402/core may expose different\n * shapes; we only require register() and (optionally) registerV1().\n */\nexport interface X402ServerLike {\n register(network: string, scheme: unknown): void;\n registerV1?(network: string, scheme: unknown): void;\n}\n\n/**\n * Registers an x402 scheme on both v1 and v2 of the protocol.\n *\n * Why: the @x402/core HTTP parser hardcodes `x402Version === 1`, while the client's\n * `.register()` defaults to v2. Without registering on both versions, a merchant\n * emitting a v1 response gets \"No client registered for x402 version: 1\" even\n * though the scheme handler is identical between versions. Every merchant trips\n * on this; the helper hides the workaround.\n */\nexport function registerX402SchemesV1V2(\n server: X402ServerLike,\n network: string,\n scheme: unknown,\n): void {\n server.register(network, scheme);\n if (typeof server.registerV1 === 'function') {\n server.registerV1(network, scheme);\n }\n}\n","/**\n * Lazy-init helpers for x402 + mppx servers.\n *\n * Every merchant accepting these rails writes the same singleton-with-lock\n * pattern around `createX402Server` / `createMppxServer`. These helpers collapse\n * the boilerplate to a single call; the returned getter is safe to call from\n * any number of concurrent handlers; only one server instance is ever\n * constructed per merchant.\n *\n * The x402 helper also derives the facilitator choice (`coinbase` vs `http`)\n * from optional CDP credentials so merchants don't repeat the boot-time\n * conditional.\n */\nimport { createMppxServer, type MppxRailSpec } from './mppx_server';\nimport { createX402Server, type X402Server, type X402SymbolicRail } from './x402_server';\nimport type { X402BaseRailSpec } from './rail_spec';\n\nfunction x402RailName(spec: X402BaseRailSpec): X402SymbolicRail {\n const network = spec.network ?? 'eip155:8453';\n if (network === 'eip155:8453') return 'x402-base-mainnet';\n if (network === 'eip155:84532') return 'x402-base-sepolia';\n throw new Error(\n `lazyX402Server: unsupported X402BaseRailSpec.network=${JSON.stringify(network)}`,\n );\n}\n\n/**\n * Build a memoized async getter for an x402 server.\n *\n * First call constructs the server; subsequent calls return the cached\n * instance. Concurrent first-callers serialize on a Promise lock so we never\n * construct two and discard one.\n *\n * When both CDP creds are passed, the server uses Coinbase's facilitator;\n * otherwise it falls back to the public HTTP facilitator. Merchants who only\n * have one of the two creds get the HTTP fallback.\n */\nexport function lazyX402Server(opts: {\n spec: X402BaseRailSpec;\n cdpApiKeyId?: string;\n cdpApiKeySecret?: string;\n}): () => Promise<X402Server> {\n const { spec, cdpApiKeyId, cdpApiKeySecret } = opts;\n const railName = x402RailName(spec);\n const useCdp = Boolean(cdpApiKeyId && cdpApiKeySecret);\n const facilitator: 'coinbase' | 'http' = useCdp ? 'coinbase' : 'http';\n\n let cached: X402Server | undefined;\n let pending: Promise<X402Server> | undefined;\n\n return async (): Promise<X402Server> => {\n if (cached !== undefined) return cached;\n if (pending !== undefined) return pending;\n pending = (async () => {\n const server = await createX402Server({ facilitator, rails: [railName] });\n cached = server;\n pending = undefined;\n return server;\n })();\n return pending;\n };\n}\n\n/**\n * Build a memoized async getter for an mppx server.\n *\n * Same singleton + lock semantics as {@link lazyX402Server}. Forwards `rails`\n * + `secretKey` unchanged to {@link createMppxServer}.\n */\nexport function lazyMppxServer(opts: {\n rails: Record<string, MppxRailSpec>;\n secretKey: string;\n}): () => Promise<unknown> {\n const { rails, secretKey } = opts;\n let cached: unknown;\n let pending: Promise<unknown> | undefined;\n\n return async (): Promise<unknown> => {\n if (cached !== undefined) return cached;\n if (pending !== undefined) return pending;\n pending = (async () => {\n const server = await createMppxServer({ secretKey, rails });\n cached = server;\n pending = undefined;\n return server;\n })();\n return pending;\n };\n}\n","/**\n * `processX402Settle`: single-call x402 verify+settle for merchants.\n *\n * Wraps the four x402-server steps every x402-accepting merchant repeats:\n * 1. `buildPaymentRequirements(resourceConfig)`: builds the requirement entries the\n * facilitator validates against\n * 2. `enrichExtensions(extension, transportContext)`: folds in Bazaar (or other)\n * extensions for the verify step\n * 3. `processPaymentRequest(payload, resourceConfig, resourceMeta, extensions)`:\n * runs verify against the facilitator\n * 4. `settlePayment(payload, matchedRequirement)`: settles on-chain\n *\n * Returns a tagged result so the caller can map errors to merchant-shaped responses\n * without owning the orchestration boilerplate. Use `classifyX402SettleResult` to\n * map the tagged result to a recommended HTTP response.\n */\n\nimport type { X402Server } from './x402_server';\n\nexport type ProcessX402SettleResult =\n | {\n success: true;\n /** The matched requirement passed to `settlePayment`. */\n matchedRequirement: unknown;\n /** The settlement response from the facilitator. */\n settleResult: unknown;\n /** Base64-encoded JSON of `settleResult`, ready to set as the `payment-response`\n * HTTP header on the merchant's success response. x402 clients (`@x402/fetch`,\n * `agentscore-pay`) read this to confirm settlement landed. `undefined` when\n * there's no settle result (shouldn't happen on success path but typed defensively). */\n paymentResponseHeader: string | undefined;\n /** The x402 server's `processPaymentRequest` verify result. */\n verifyResult: { success: true; [key: string]: unknown };\n }\n /** No-requirements branch: `buildPaymentRequirements` returned an empty array, so\n * there is nothing to verify against. Indicates a merchant-side misconfiguration\n * (resource config doesn't match any registered scheme/network).\n * Recommended response: log `reason` server-side; map to a controlled 500 to the\n * consumer via `classifyX402SettleResult`. */\n | { success: false; phase: 'no_requirements'; reason: string }\n /** Verify-failed branch: the facilitator's verify step ran and returned\n * `{ success: false, ... }`. Payload is structurally invalid, expired, signed by\n * the wrong wallet, or otherwise rejected by facilitator policy.\n * Recommended response: log `verifyResult` server-side; map to a controlled 400\n * with `payment_proof_invalid` to the consumer via `classifyX402SettleResult`. */\n | { success: false; phase: 'verify_failed'; verifyResult: unknown }\n /** Settle-failed branch: verify succeeded but `settlePayment` threw (on-chain\n * rejection, RPC outage, facilitator broadcast failure, etc.). The agent's\n * credential was valid; funds did not move.\n * Recommended response: log raw `error` server-side; map to a controlled 503 with\n * `payment_provider_unavailable` to the consumer via `classifyX402SettleResult`. */\n | { success: false; phase: 'settle_failed'; error: unknown; matchedRequirement: unknown }\n | {\n success: false;\n /** Facilitator threw an unexpected error during one of the verify-stage calls\n * (build requirements, extension enrich, or processPaymentRequest). Most common\n * cause: the facilitator client rejects the configured network. Coinbase's CDP\n * facilitator throws on Solana devnet because it only supports mainnet networks;\n * Stripe's SPT facilitator throws on EVM networks; etc.\n * Recommended response: log raw `error` server-side; map to a controlled 503\n * with `payment_provider_unavailable` to the consumer via `classifyX402SettleResult`\n * so the agent can pick a different rail. */\n phase: 'facilitator_error';\n /** Which verify-stage step threw. */\n step: 'build_requirements' | 'enrich_extensions' | 'verify_payment';\n error: unknown;\n };\n\n/**\n * The merchant-shaped response for a non-success `ProcessX402SettleResult`.\n *\n * `status` / `code` / `message` are safe to send back to the consumer. `nextSteps`\n * is the agent-instructions block describing what the agent should do next. Raw\n * facilitator errors stay server-side: do NOT serialize the original `error` /\n * `verifyResult` / `reason` to the consumer; log them yourself.\n */\nexport interface ClassifiedX402Error {\n status: 400 | 500 | 503;\n code:\n | 'payment_proof_invalid'\n | 'payment_provider_unavailable'\n | 'payment_internal_error';\n message: string;\n nextSteps: {\n action: string;\n user_message: string;\n retry_after_seconds?: number;\n };\n}\n\n/**\n * Map a `ProcessX402SettleResult` to the recommended merchant response.\n *\n * Returns `null` for `success: true`. For each error phase, returns a controlled\n * status / code / message / nextSteps tuple. Replaces error-message string-sniffing\n * with a phase-based dispatch so merchants stop coupling to facilitator-specific\n * error text.\n *\n * Phase mapping:\n * - `verify_failed` → 400 `payment_proof_invalid` / `regenerate_payment_credential`\n * - `facilitator_error` → 503 `payment_provider_unavailable` / `try_different_rail`\n * - `settle_failed` → 503 `payment_provider_unavailable` / `retry_or_swap_method`\n * - `no_requirements` → 500 `payment_internal_error` / `contact_support`\n *\n * Always log the raw `result` server-side before responding; the returned object\n * is intentionally facilitator-agnostic and never carries raw error detail.\n */\nexport function classifyX402SettleResult(\n result: ProcessX402SettleResult,\n): ClassifiedX402Error | null {\n if (result.success) return null;\n switch (result.phase) {\n case 'no_requirements':\n return {\n status: 500,\n code: 'payment_internal_error',\n message: 'Failed to build x402 payment requirements for this configuration',\n nextSteps: {\n action: 'contact_support',\n user_message:\n 'The merchant could not produce a payment challenge for this request. Try again later or contact support.',\n },\n };\n case 'verify_failed':\n return {\n status: 400,\n code: 'payment_proof_invalid',\n message: 'Payment credential failed verification; regenerate from a fresh 402 challenge',\n nextSteps: {\n action: 'regenerate_payment_credential',\n user_message:\n 'The payment credential was rejected at verify time. Discard it, fetch a fresh 402 challenge, and re-sign.',\n },\n };\n case 'facilitator_error':\n return {\n status: 503,\n code: 'payment_provider_unavailable',\n message: 'Payment provider could not process this network configuration',\n nextSteps: {\n action: 'try_different_rail',\n user_message:\n 'This rail is currently unavailable. Pick a different rail from the 402 challenge and retry.',\n },\n };\n case 'settle_failed':\n return {\n status: 503,\n code: 'payment_provider_unavailable',\n message: 'Payment credential verified but on-chain settlement failed',\n nextSteps: {\n action: 'retry_or_swap_method',\n retry_after_seconds: 10,\n user_message:\n 'Transient settlement error. Retry in a few seconds, or pick a different rail from the 402 challenge.',\n },\n };\n }\n}\n\n/**\n * Classify a thrown error during the 402 orchestration.\n *\n * Catches errors that escape `processX402Settle` (e.g. raised by `mppx.compose`,\n * a Stripe SDK call, or any other payment-side library code wrapped in a single\n * `try/catch` around the full settle flow). Returns a `ClassifiedX402Error`\n * when the error message matches a known pattern; `null` otherwise.\n *\n * Callers should rethrow on `null` — this helper never swallows unknown errors.\n *\n * Pattern matching is case-insensitive substring on the error message:\n * - `\"x402version\"` / `\"invalid payment\"` / `\"unsupported x402\"` →\n * 400 `payment_proof_invalid` / `regenerate_payment_credential`\n * - `\"stripe\"` / `\"facilitator\"` / `\"cdp\"` →\n * 503 `payment_provider_unavailable` / `retry_or_swap_method`\n * - Anything else → `null` (caller rethrows)\n *\n * Substring matching is intentionally narrow. New error families should land\n * here explicitly rather than have the helper grow opaque heuristics. For\n * tagged failure results that already classify themselves, use\n * `classifyX402SettleResult`.\n */\nexport function classifyOrchestrationError(err: unknown): ClassifiedX402Error | null {\n let msg: string;\n if (err instanceof Error) {\n msg = err.message;\n } else if (typeof err === 'string') {\n msg = err;\n } else {\n return null;\n }\n const msgLower = msg.toLowerCase();\n\n if (\n msgLower.includes('x402version') ||\n msgLower.includes('invalid payment') ||\n msgLower.includes('unsupported x402')\n ) {\n return {\n status: 400,\n code: 'payment_proof_invalid',\n message: 'Payment credential is malformed or uses an unsupported version',\n nextSteps: {\n action: 'regenerate_payment_credential',\n user_message:\n 'The payment credential is malformed or uses an unsupported version. Regenerate from a fresh 402 challenge and re-sign.',\n },\n };\n }\n\n if (\n msgLower.includes('stripe') ||\n msgLower.includes('facilitator') ||\n msgLower.includes('cdp')\n ) {\n return {\n status: 503,\n code: 'payment_provider_unavailable',\n message: 'Payment provider returned an error',\n nextSteps: {\n action: 'retry_or_swap_method',\n retry_after_seconds: 10,\n user_message:\n 'Transient payment-provider error. Retry in a few seconds, or pick a different rail from the 402 challenge.',\n },\n };\n }\n\n return null;\n}\n\nexport async function processX402Settle({\n x402Server,\n payload,\n resourceConfig,\n resourceMeta,\n extension,\n transportContext,\n}: {\n /** The x402 server instance from `createX402Server`. */\n x402Server: X402Server;\n /** The verified x402 payload extracted from the X-Payment header. */\n payload: unknown;\n /** Resource configuration the facilitator validates against (network, price, payTo,\n * asset, maxTimeoutSeconds, etc.). Shape is x402-server-specific. */\n resourceConfig: unknown;\n /** Resource metadata exposed to the facilitator (URL, description, mime type). */\n resourceMeta: { url: string; description: string; mimeType: string };\n /** Optional extension to enrich during verify (e.g. Bazaar). */\n extension?: unknown;\n /** Transport context for the extension enrich step. Defaults to `{ method: 'POST',\n * adapter: { getPath: () => new URL(resourceMeta.url).pathname }, routePattern: <pathname> }`. */\n transportContext?: unknown;\n}): Promise<ProcessX402SettleResult> {\n const server = x402Server as unknown as {\n buildPaymentRequirements: (cfg: unknown) => Promise<unknown[]>;\n enrichExtensions: (ext: unknown, ctx: unknown) => unknown;\n verifyPayment: (\n paymentPayload: unknown,\n requirements: unknown,\n declaredExtensions?: unknown,\n transportContext?: unknown,\n ) => Promise<{ success: boolean; [key: string]: unknown } | { isValid?: boolean; [key: string]: unknown }>;\n settlePayment: (\n paymentPayload: unknown,\n requirements: unknown,\n declaredExtensions?: unknown,\n transportContext?: unknown,\n ) => Promise<unknown>;\n };\n\n let builtRequirements: unknown[];\n try {\n builtRequirements = await server.buildPaymentRequirements(resourceConfig);\n } catch (err) {\n console.warn('[x402_settle] build_requirements failed:', err instanceof Error ? err.message : err);\n return { success: false, phase: 'facilitator_error', step: 'build_requirements', error: err };\n }\n const matchedRequirement = builtRequirements[0];\n if (!matchedRequirement) {\n return { success: false, phase: 'no_requirements', reason: 'x402Server.buildPaymentRequirements returned empty' };\n }\n\n const resolvedTransportContext = transportContext ?? (() => {\n const path = new URL(resourceMeta.url).pathname;\n return { method: 'POST', adapter: { getPath: () => path }, routePattern: path };\n })();\n\n let enrichedExt: unknown;\n try {\n enrichedExt = extension !== undefined\n ? server.enrichExtensions(extension, resolvedTransportContext)\n : undefined;\n } catch (err) {\n console.warn('[x402_settle] enrich_extensions failed:', err instanceof Error ? err.message : err);\n return { success: false, phase: 'facilitator_error', step: 'enrich_extensions', error: err };\n }\n\n let verifyResult: { success?: boolean; isValid?: boolean; [key: string]: unknown };\n try {\n verifyResult = await server.verifyPayment(\n payload,\n matchedRequirement,\n enrichedExt as Record<string, unknown> | undefined,\n resolvedTransportContext,\n );\n } catch (err) {\n console.warn('[x402_settle] verify_payment failed:', err instanceof Error ? err.message : err);\n return { success: false, phase: 'facilitator_error', step: 'verify_payment', error: err };\n }\n\n // x402/core's ResourceVerifyResponse uses `isValid` (per spec). Accept the\n // legacy `success` field too for older facilitator builds.\n const verifyOk = verifyResult.isValid === true || verifyResult.success === true;\n if (!verifyOk) {\n return { success: false, phase: 'verify_failed', verifyResult };\n }\n\n try {\n const settleResult = await server.settlePayment(\n payload,\n matchedRequirement,\n enrichedExt as Record<string, unknown> | undefined,\n resolvedTransportContext,\n );\n const paymentResponseHeader = settleResult\n ? Buffer.from(JSON.stringify(settleResult)).toString('base64')\n : undefined;\n return {\n success: true,\n matchedRequirement,\n settleResult,\n paymentResponseHeader,\n verifyResult: verifyResult as { success: true; [key: string]: unknown },\n };\n } catch (err) {\n return { success: false, phase: 'settle_failed', error: err, matchedRequirement };\n }\n}\n","/**\n * x402 boot-time + per-request validation helpers.\n *\n * Two layers of validation every x402-accepting merchant repeats:\n *\n * - **Boot-time**: validate the configured `X402_BASE_NETWORK` env var is in the\n * supported set. Failing loud at boot is much better than per-request \"unsupported\n * network\" errors after a misconfigured deploy.\n *\n * - **Per-request**: when an x402 X-Payment header arrives, parse the base64 payload,\n * extract the signed network + payTo, validate against the merchant's accepted\n * network, validate the payTo address shape, and check that the payTo was minted by\n * THIS merchant (cache hit). Each step has its own denial code and `next_steps`\n * shape — getting the message right by hand across 4 conditions is fiddly.\n */\n\nimport { networks } from './networks';\n\n/** CAIP-2 networks the commerce SDK supports for x402 Base (EVM USDC). */\nexport const X402_SUPPORTED_BASE_NETWORKS = new Set<string>([\n networks.base.mainnet.caip2,\n networks.base.sepolia.caip2,\n]);\n\n/**\n * Boot-time guard: throws if the base network isn't supported. Call once at module\n * init / server boot.\n *\n * Throws `Error` with a message that names the unsupported value AND lists the valid\n * options — agents tracking down a misconfigured deploy don't need to grep for the\n * supported list.\n */\nexport function validateX402NetworkConfig({ baseNetwork }: { baseNetwork: string }): void {\n if (!X402_SUPPORTED_BASE_NETWORKS.has(baseNetwork)) {\n throw new Error(\n `X402_BASE_NETWORK=${baseNetwork} is not supported. Use one of: ${[...X402_SUPPORTED_BASE_NETWORKS].join(', ')}`,\n );\n }\n}\n\nconst EVM_ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;\n\nexport type VerifyX402RequestResult =\n | {\n ok: true;\n /** The base64-decoded JSON payload from the X-Payment header. */\n payload: { accepted?: { network?: string; payTo?: string }; [key: string]: unknown };\n /** The CAIP-2 network the agent signed for. */\n signedNetwork: string;\n /** The on-chain pay-to address the agent signed for (already validated). */\n signedPayTo: string;\n }\n | {\n ok: false;\n /** Suitable as a JSON body for the merchant's denial response. Includes\n * `next_steps` with `regenerate_payment_credential` action + a per-condition\n * `user_message` and a footgun `warning` so agents can recover deterministically\n * from the response alone. */\n body: {\n error: { code: string; message: string };\n next_steps: {\n action: 'regenerate_payment_credential';\n user_message: string;\n warning: string;\n };\n };\n /** HTTP status to use for the denial response. */\n status: 400;\n };\n\nconst REGENERATE_WARNING =\n 'Use `agentscore-pay pay --chain base` (or `tempo request` for Tempo USDC) so the credential is signed and submitted via the protocol handshake. Do NOT use `tempo wallet transfer` — that sends USDC on-chain but does not complete the handshake.';\n\nfunction regenerateBody(message: string, userMessage: string) {\n return {\n error: { code: 'payment_proof_invalid' as const, message },\n next_steps: {\n action: 'regenerate_payment_credential' as const,\n user_message: userMessage,\n warning: REGENERATE_WARNING,\n },\n };\n}\n\n/**\n * Per-request: parse the x402 X-Payment header, validate the network + payTo, and\n * confirm the address was minted by this merchant. One call replaces ~45 lines of\n * inline header decode + regex validation + cache lookup.\n *\n * Returns `{ok: true, payload, signedNetwork, signedPayTo}` when valid; the caller\n * passes `payload` straight into `processX402Settle`.\n *\n * Returns `{ok: false, body, status}` when invalid — the merchant just does\n * `return c.json(body, status)` (or framework equivalent).\n *\n * Reads the header from `payment-signature` first, falling back to `x-payment` (both\n * are in the wild as the binary-friendly transport name evolved).\n */\nexport async function verifyX402Request({\n request,\n isCachedAddress,\n acceptedNetwork,\n}: {\n /** The incoming Request — `verifyX402Request` reads the X-Payment / payment-signature header. */\n request: Request;\n /** Async lookup that returns true when the address was minted by this merchant\n * (typically `piCache.hasAddress`). The check validates that the credential's\n * deposit address matches one the merchant actually minted. */\n isCachedAddress: (address: string) => Promise<boolean>;\n /** The merchant's accepted Base network. CAIP-2, e.g. `'eip155:8453'`. */\n acceptedNetwork: string;\n}): Promise<VerifyX402RequestResult> {\n const headerValue =\n request.headers.get('payment-signature')\n ?? request.headers.get('x-payment');\n if (!headerValue) {\n return {\n ok: false,\n status: 400,\n body: regenerateBody(\n 'X-Payment header missing',\n 'No X-Payment header was sent. Generate the credential from the 402 challenge and resubmit on the same endpoint.',\n ),\n };\n }\n\n let payload: { accepted?: { network?: string; payTo?: string }; [key: string]: unknown };\n try {\n payload = JSON.parse(Buffer.from(headerValue, 'base64').toString());\n } catch {\n return {\n ok: false,\n status: 400,\n body: regenerateBody(\n 'X-Payment header is not valid base64 JSON',\n 'The payment credential could not be decoded. Reconstruct the credential from the 402 challenge and retry.',\n ),\n };\n }\n\n const signedNetwork = payload.accepted?.network;\n const signedPayTo = payload.accepted?.payTo;\n\n if (!signedNetwork || signedNetwork !== acceptedNetwork) {\n if (signedNetwork && signedNetwork.toLowerCase().startsWith('solana:')) {\n return {\n ok: false,\n status: 400,\n body: regenerateBody(\n `x402 on ${signedNetwork} is not accepted; Solana payments must use the \\`solana/charge\\` rail advertised in the 402 challenge. This server accepts x402 on ${acceptedNetwork} only.`,\n 'Solana payments are not accepted over x402 at this merchant. Pick the `solana/charge` rail from the 402 challenge and re-sign.',\n ),\n };\n }\n return {\n ok: false,\n status: 400,\n body: regenerateBody(\n `Unsupported x402 network ${signedNetwork ?? '<missing>'}; this server accepts ${acceptedNetwork}.`,\n 'The credential signed for an unsupported network. Pick the accepted network from the 402 challenge and re-sign.',\n ),\n };\n }\n\n const addressShapeOk = typeof signedPayTo === 'string' && EVM_ADDRESS_RE.test(signedPayTo);\n\n if (!signedPayTo || !addressShapeOk) {\n return {\n ok: false,\n status: 400,\n body: regenerateBody(\n `Payment payload missing or malformed accepted.payTo address for network ${signedNetwork}`,\n 'The credential payload is missing or malformed payTo for the signed network. Reconstruct the credential from the 402 challenge.',\n ),\n };\n }\n\n if (!(await isCachedAddress(signedPayTo))) {\n return {\n ok: false,\n status: 400,\n body: regenerateBody(\n 'payTo address not found in cache or expired. Request a fresh 402 challenge and retry.',\n 'The deposit address is unknown or expired on this server. Request a fresh 402 challenge and re-sign against the new payTo.',\n ),\n };\n }\n\n return { ok: true, payload, signedNetwork, signedPayTo };\n}\n","/**\n * Zero-amount carve-out: skip upstream verify+settle for $0 orders.\n *\n * CDP rejects EIP-3009 `transferWithAuthorization` with `value=0` as\n * `invalid_payload`; `mppx`'s tempo intents accept only `hash` and\n * `transaction` payload types (rejecting the `proof` payload that gets\n * emitted for $0 settles). Both upstream verify+settle paths fail when the\n * authorized amount is zero, so merchants that drop the settle to $0 in a\n * redemption-code flow need a way to skip verify+settle entirely while\n * still recovering the signer for wallet-capture attribution.\n *\n * `zeroAmountCarveOut` is that path: parse the credential, lift the\n * signer, return `{ signerAddress, signerNetwork, txHash: null }`. Identity\n * is still authenticated by the merchant's gate above; the redemption code\n * is single-use; nothing on-chain to verify.\n *\n * The MPP path uses inline base64+JSON parsing (no `mppx` dependency at\n * runtime) so the cross-language byte-parity fixtures with the Python\n * sibling resolve to identical results. The full `extractPaymentSigner`\n * path is still mppx-backed for production traffic where the credential\n * is a real mppx-shaped object.\n */\n\nimport type { SignerNetwork } from '../signer';\n\nconst EVM_RE = /^0x[0-9a-fA-F]{40}$/;\nconst SOLANA_BASE58_RE = /^[1-9A-HJ-NP-Za-km-z]{32,44}$/;\n\nexport type ZeroSettleRail = 'x402-base' | 'tempo' | 'solana';\n\nexport interface ZeroSettleResult {\n /** Recovered signer address, or `null` when the credential is malformed\n * or shaped wrong for the requested rail. */\n signerAddress: string | null;\n /** `\"evm\"` or `\"solana\"`, matching the recovered signer's key family.\n * `null` when no signer was recoverable. */\n signerNetwork: SignerNetwork | null;\n /** Always `null`. A zero-amount carve-out skips on-chain settlement, so\n * no transaction hash exists. The field is present so callers can use\n * `ZeroSettleResult` interchangeably with the success path of\n * `processX402Settle` etc. without branching on shape. */\n txHash: null;\n}\n\nconst NULL_RESULT: ZeroSettleResult = {\n signerAddress: null,\n signerNetwork: null,\n txHash: null,\n};\n\n/**\n * Skip verify+settle for a zero-amount order; recover the signer from the credential.\n *\n * Returns a `ZeroSettleResult`. `signerAddress` / `signerNetwork` are `null`\n * when the credential is malformed, missing required fields, or shaped wrong\n * for the requested rail. `txHash` is always `null` since no on-chain settle runs.\n */\nexport function zeroAmountCarveOut({\n rail,\n payload,\n authorizationHeader,\n}: {\n rail: ZeroSettleRail;\n /** For `rail: 'x402-base'`: the verified x402 payload (decoded JSON\n * from `verifyX402Request(...).payload`). Reads\n * `payload.payload.authorization.from`. */\n payload?: Record<string, unknown> | null;\n /** For `rail: 'tempo'` / `'solana'`: the full `Authorization: Payment <base64>`\n * header value. Reads the `did:pkh:*` source DID. */\n authorizationHeader?: string | null;\n}): ZeroSettleResult {\n if (rail === 'x402-base') {\n return x402SignerFromPayload(payload);\n }\n if (rail === 'tempo' || rail === 'solana') {\n return mppSignerFromAuth(authorizationHeader);\n }\n return NULL_RESULT;\n}\n\nfunction x402SignerFromPayload(payload: Record<string, unknown> | null | undefined): ZeroSettleResult {\n if (!payload || typeof payload !== 'object') return NULL_RESULT;\n const inner = (payload as { payload?: unknown }).payload;\n if (!inner || typeof inner !== 'object') return NULL_RESULT;\n const authorization = (inner as { authorization?: unknown }).authorization;\n if (!authorization || typeof authorization !== 'object') return NULL_RESULT;\n const fromAddr = (authorization as { from?: unknown }).from;\n if (typeof fromAddr !== 'string' || !EVM_RE.test(fromAddr)) return NULL_RESULT;\n return {\n signerAddress: fromAddr.toLowerCase(),\n signerNetwork: 'evm',\n txHash: null,\n };\n}\n\nfunction mppSignerFromAuth(\n authorizationHeader: string | null | undefined,\n): ZeroSettleResult {\n if (typeof authorizationHeader !== 'string') return NULL_RESULT;\n if (!authorizationHeader.toLowerCase().startsWith('payment ')) return NULL_RESULT;\n const token = authorizationHeader.slice('payment '.length).trim();\n if (!token) return NULL_RESULT;\n\n let credential: unknown;\n try {\n credential = JSON.parse(atob(token));\n } catch {\n return NULL_RESULT;\n }\n if (!credential || typeof credential !== 'object') return NULL_RESULT;\n\n let source = (credential as { source?: unknown }).source;\n if (typeof source !== 'string') {\n const challenge = (credential as { challenge?: unknown }).challenge;\n if (challenge && typeof challenge === 'object') {\n source = (challenge as { source?: unknown }).source;\n }\n }\n if (typeof source !== 'string') return NULL_RESULT;\n\n const parts = source.split(':');\n if (parts.length < 4 || parts[0] !== 'did' || parts[1] !== 'pkh') return NULL_RESULT;\n const family = parts[2];\n const addr = parts[parts.length - 1] ?? '';\n\n if (family === 'eip155' && EVM_RE.test(addr)) {\n return { signerAddress: addr.toLowerCase(), signerNetwork: 'evm', txHash: null };\n }\n if (family === 'solana' && SOLANA_BASE58_RE.test(addr)) {\n return { signerAddress: addr, signerNetwork: 'solana', txHash: null };\n }\n return NULL_RESULT;\n}\n","/**\n * Per-product / per-tier compliance policy helpers.\n *\n * A *policy* is a small bag of fields describing what identity the merchant wants\n * verified for a given resource:\n *\n * - `enforcement`: `\"hard\"` (today's wine path — 403 on miss) or `\"soft\"` (gate\n * denial is swallowed; the order completes with a degraded `identity_status`).\n * `null` / absent = no gate at all.\n * - `requireKyc` / `requireSanctionsClear` / `minAge`: passed through to the\n * per-framework `agentscoreGate(...)` factory.\n * - `allowedJurisdictions`: buyer-verified country list (`[\"US\", \"CA\", ...]`).\n * - `allowedShippingCountries` / `allowedShippingStates`: optional shipping\n * allowlists. State list is only enforced for US shipments.\n *\n * This module ships three primitives:\n *\n * 1. {@link PolicyBlock} — the typed shape.\n * 2. {@link buildGateFromPolicy} — translate a block into the options object the\n * per-framework `agentscoreGate(...)` accepts. Returns `null` when the policy\n * has no enforcement (treat as \"no gate; anonymous OK\").\n * 3. {@link runGateWithEnforcement} — wrap a per-framework middleware in the\n * hard/soft enforcement runner. The middleware is given an `onDenied` shim\n * that captures the denial body and status; the runner returns a structured\n * {@link GateResult} so the vendor decides how to surface it.\n *\n * All three are additive — vendors using `agentscoreGate(...)` directly are\n * unaffected.\n */\n\nimport { CheckoutValidationError } from '../checkout';\nimport type { AgentScoreCoreOptions, DenialReason } from '../core.js';\n\n/** Hard = 403 propagates; soft = swallowed + identity_status=\"unverified\". */\nexport type EnforcementMode = 'hard' | 'soft';\n\n/** Per-order trust level captured at settle time. */\nexport type IdentityStatus = 'verified' | 'unverified' | 'anonymous' | 'denied';\n\n/** Compliance fields a merchant attaches per product / per tier. All optional. */\nexport interface PolicyBlock {\n enforcement?: EnforcementMode;\n requireKyc?: boolean;\n requireSanctionsClear?: boolean;\n minAge?: number;\n allowedJurisdictions?: readonly string[];\n allowedShippingCountries?: readonly string[];\n allowedShippingStates?: readonly string[];\n}\n\n/**\n * Outcome of running a gate under an enforcement mode.\n *\n * - `verified`: gate accepted; identity is fully verified for the policy.\n * - `unverified`: soft mode swallowed a gate denial; the agent had *some*\n * identity but didn't meet the policy. Stamp this on the order so\n * ops/analytics can tell apart soft passes from hard passes.\n * - `anonymous`: no gate ran (policy was null / no enforcement).\n * - `denied`: hard mode rejected; the caller must propagate the 403. The\n * `denialBody` and `denialStatus` carry the original gate response so the\n * caller can return it as-is.\n */\nexport interface GateResult {\n status: IdentityStatus;\n denialStatus?: number;\n denialBody?: Record<string, unknown>;\n denialReason?: DenialReason;\n}\n\n/**\n * Translate a {@link PolicyBlock} into the options the per-framework\n * `agentscoreGate(...)` expects. Returns `null` when the block has no\n * `enforcement` set — the caller should treat that as \"no gate; anonymous OK\".\n *\n * Use a fresh gate per request rather than constructing once at module scope\n * when the policy varies per resource (e.g. per product). Each adapter's gate\n * is cheap to instantiate.\n */\nexport function buildGateFromPolicy(\n policy: PolicyBlock | null | undefined,\n base: { apiKey: string; baseUrl?: string },\n): AgentScoreCoreOptions | null {\n if (!policy || !policy.enforcement) return null;\n return {\n apiKey: base.apiKey,\n ...(base.baseUrl !== undefined && { baseUrl: base.baseUrl }),\n ...(policy.requireKyc !== undefined && { requireKyc: policy.requireKyc }),\n ...(policy.requireSanctionsClear !== undefined && {\n requireSanctionsClear: policy.requireSanctionsClear,\n }),\n ...(policy.minAge !== undefined && { minAge: policy.minAge }),\n ...(policy.allowedJurisdictions !== undefined && {\n allowedJurisdictions: [...policy.allowedJurisdictions],\n }),\n };\n}\n\n/**\n * Run a per-framework gate middleware respecting the enforcement mode.\n *\n * The vendor passes:\n * - `gate`: their framework's middleware (Hono `MiddlewareHandler`, Express\n * `(req, res, next) => void`, etc.) — anything that resolves on accept and\n * throws or returns a `Response` on deny.\n * - `runGate`: a thin adapter that calls the middleware with the framework\n * context and returns either `{ ok: true }` (gate accepted) or\n * `{ ok: false, status, body, reason? }` (gate denied with details).\n *\n * `runGateWithEnforcement` wraps that in the hard/soft split:\n *\n * - `gate=null` or `enforcement=null`: no gate fires; status=\"anonymous\".\n * - `enforcement=\"hard\"` + denied: status=\"denied\"; caller propagates denialStatus + denialBody.\n * - `enforcement=\"soft\"` + denied: swallow; status=\"unverified\".\n * - accepted: status=\"verified\".\n */\nexport async function runGateWithEnforcement(\n enforcement: EnforcementMode | undefined,\n runGate: (() => Promise<{ ok: true } | { ok: false; status: number; body: Record<string, unknown>; reason?: DenialReason }>) | null,\n): Promise<GateResult> {\n if (!runGate || !enforcement) return { status: 'anonymous' };\n\n const outcome = await runGate();\n if (outcome.ok) return { status: 'verified' };\n\n if (enforcement === 'hard') {\n return {\n status: 'denied',\n denialStatus: outcome.status,\n denialBody: outcome.body,\n ...(outcome.reason !== undefined && { denialReason: outcome.reason }),\n };\n }\n return {\n status: 'unverified',\n denialStatus: outcome.status,\n denialBody: outcome.body,\n ...(outcome.reason !== undefined && { denialReason: outcome.reason }),\n };\n}\n\n/** NULL policy / NULL allowlist → ship anywhere. Otherwise country must be in the list. */\nexport function shippingCountryAllowed(country: string, policy: PolicyBlock | null | undefined): boolean {\n if (!policy?.allowedShippingCountries || policy.allowedShippingCountries.length === 0) return true;\n const allowed = new Set(policy.allowedShippingCountries.map((c) => c.toUpperCase()));\n return allowed.has(country.toUpperCase());\n}\n\n/**\n * US-state allowlist (e.g. wine).\n *\n * Only enforced for US shipments — non-US shipments are governed by\n * {@link shippingCountryAllowed} independently.\n */\nexport function shippingStateAllowed(\n state: string,\n country: string,\n policy: PolicyBlock | null | undefined,\n): boolean {\n if (!policy?.allowedShippingStates || policy.allowedShippingStates.length === 0) return true;\n if (country.toUpperCase() !== 'US') return true;\n const allowed = new Set(policy.allowedShippingStates.map((s) => s.toUpperCase()));\n return allowed.has(state.toUpperCase());\n}\n\n/**\n * Throw {@link CheckoutValidationError} when shipping isn't allowed by the policy.\n *\n * One-call replacement for the\n *\n * if (!shippingCountryAllowed(...)) throw new CheckoutValidationError(...);\n * if (!shippingStateAllowed(...)) throw new CheckoutValidationError(...);\n *\n * boilerplate every goods merchant writes in their `preValidate` hook.\n *\n * `policy` is a {@link PolicyBlock} (or `null`/`undefined`); NULL policy means\n * \"ship anywhere\" and the function is a no-op. The reason a location is\n * excluded is **merchant-defined**: it might be regulatory (regulated goods\n * + state allowlist), operational (no fulfillment partner), or commercial\n * (fragility, fraud-rate-by-region, etc.) — the helper doesn't assume.\n *\n * `productName` is the user-facing item name surfaced in the error message\n * (\"Cannot ship 'Wine 2020' to NY ...\"). Omit for a generic message.\n *\n * `errorCode` and `errorAction` let merchants override the canonical denial\n * codes if their consumer agents expect different shapes.\n *\n * `countryMessage` / `stateMessage` override the default messages verbatim\n * (use these when the default phrasing isn't right for your consumer agents\n * — e.g. you want to surface the regulatory reason explicitly, or you want\n * the message in a different language).\n */\nexport function validateShippingAgainstPolicy(opts: {\n country: string;\n state: string;\n policy: PolicyBlock | null | undefined;\n productName?: string;\n errorCode?: string;\n errorAction?: string;\n countryMessage?: string;\n stateMessage?: string;\n}): void {\n const code = opts.errorCode ?? 'unsupported_jurisdiction';\n const action = opts.errorAction ?? 'change_shipping_state';\n const item = opts.productName ? `'${opts.productName}'` : 'this item';\n if (!shippingCountryAllowed(opts.country, opts.policy)) {\n throw new CheckoutValidationError({\n code,\n message:\n opts.countryMessage ??\n `We can't ship ${item} to ${opts.country.toUpperCase() || '<unset>'}.`,\n action,\n });\n }\n if (!shippingStateAllowed(opts.state, opts.country, opts.policy)) {\n throw new CheckoutValidationError({\n code,\n message:\n opts.stateMessage ??\n `We can't ship ${item} to ${opts.state.toUpperCase() || '<unset>'}.`,\n action,\n });\n }\n}\n","/**\n * Operator-token hashing.\n *\n * Plaintext operator tokens (`opc_...`) never persist on disk. Merchants hash\n * them before storing in DB columns and before comparing against persisted\n * hashes. This helper exposes the canonical hash so every consumer agrees on\n * the shape.\n */\n\nimport { createHash } from 'node:crypto';\n\n/**\n * sha256 hex digest of a plaintext operator token.\n *\n * Use at every persistence boundary (INSERT) AND every comparison boundary\n * (SELECT WHERE operator_token_id = ...) so plaintext tokens never land in\n * durable storage.\n */\nexport function hashOperatorToken(plaintext: string): string {\n return createHash('sha256').update(plaintext, 'utf8').digest('hex');\n}\n","export * from './directive';\nexport * from './networks';\nexport * from './usdc';\nexport * from './rails';\nexport * from './rail_spec';\nexport * from './x402';\nexport * from './x402_server';\nexport * from './x402_settle';\nexport * from './x402_validation';\nexport * from './mppx_server';\nexport * from './dispatch';\nexport * from './wwwauthenticate';\nexport * from './headers';\nexport * from './idempotency';\nexport * from './signer';\nexport * from './settlement_override';\nexport * from './amounts';\nexport * from './zero-settle';\nexport * from './lazy';\nexport * from './solana';\n","/**\n * Multi-rail payment header bundle — one call composes both `WWW-Authenticate` (the\n * `paymentauth.org` Payment directives) and the standard x402 `PAYMENT-REQUIRED` header\n * from a single rails declaration. Reduces ~10 lines of merchant boilerplate per 402\n * response.\n *\n * Layered on top of `paymentDirective` / `wwwAuthenticateHeader` / `paymentRequiredHeader`\n * — those primitives stay exposed for vendors who want full control.\n */\n\nimport { buildPaymentDirective } from './directive';\nimport { paymentRequiredHeader, wwwAuthenticateHeader } from './wwwauthenticate';\n\nexport interface PaymentHeadersRail {\n /** Symbolic rail name — `tempo-mainnet`, `x402-base-mainnet`, `stripe`, etc. */\n rail: string;\n /** Amount in USD as a number or string. */\n amountUsd: string | number;\n /** Recipient address (on-chain) — required for crypto rails. */\n recipient?: string;\n /** Stripe profile_id / network_id — required for `stripe` rail. */\n networkId?: string;\n /** EVM chain id override — usually inferred from rail. */\n chainId?: number;\n /** Token contract / currency override — usually inferred from rail. */\n currency?: string;\n /** Decimal precision override — usually inferred from rail (USDC=6, etc.). */\n decimals?: number;\n /** MPP method override — usually inferred from rail. */\n method?: string;\n /** MPP intent. Default `charge`. */\n intent?: string;\n /** ISO-8601 expiry. Default now + 5 min. */\n expires?: string;\n}\n\nexport interface PaymentHeadersResult {\n 'www-authenticate': string;\n 'PAYMENT-REQUIRED'?: string;\n}\n\n/**\n * Compose `WWW-Authenticate` (multi-directive) and `PAYMENT-REQUIRED` (x402 base64) headers\n * from a single rails declaration. Returns an object suitable for spreading into a\n * `Headers` constructor or the `headers` field of a `Response`.\n *\n * Example:\n * ```ts\n * const headers = buildPaymentHeaders({\n * orderId: 'ord_123',\n * realm: 'agents.merchant.example',\n * rails: [\n * { rail: 'tempo-mainnet', amountUsd: 25, recipient: TEMPO_ADDR },\n * { rail: 'x402-base-mainnet', amountUsd: 25, recipient: BASE_ADDR },\n * { rail: 'stripe', amountUsd: 25, networkId: STRIPE_PROFILE_ID },\n * ],\n * x402: { accepts: x402Accepts, version: 1 },\n * });\n * return new Response(JSON.stringify(body), { status: 402, headers });\n * ```\n */\nexport function buildPaymentHeaders({\n rails,\n orderId,\n realm,\n x402,\n}: {\n /** Rails the merchant accepts on this 402. Each becomes one `Payment` directive. */\n rails: PaymentHeadersRail[];\n /** Order id used as the directive challenge id (per-rail it becomes `${orderId}-${rail}`). */\n orderId: string;\n /** Realm — the host of the merchant URL (e.g. `agents.merchant.example`). */\n realm: string;\n /**\n * Optional x402 `accepts` array — included as the standard PAYMENT-REQUIRED header so\n * x402 clients (`@x402/fetch`, `@x402/core` HTTPClient, `agentscore-pay`) can parse the\n * base64-encoded JSON form instead of the WWW-Authenticate text directives. Pass\n * `undefined` (or omit) to skip the PAYMENT-REQUIRED header.\n */\n x402?: { accepts: unknown[]; version?: 1 | 2; resource?: { url: string; mimeType?: string } };\n}): PaymentHeadersResult {\n const directives = rails.map((rail) =>\n buildPaymentDirective({\n id: `${orderId}-${rail.rail}`,\n realm,\n rail: rail.rail,\n amountUsd: rail.amountUsd,\n ...(rail.recipient !== undefined ? { recipient: rail.recipient } : {}),\n ...(rail.networkId !== undefined ? { networkId: rail.networkId } : {}),\n ...(rail.chainId !== undefined ? { chainId: rail.chainId } : {}),\n ...(rail.currency !== undefined ? { currency: rail.currency } : {}),\n ...(rail.decimals !== undefined ? { decimals: rail.decimals } : {}),\n ...(rail.method !== undefined ? { method: rail.method } : {}),\n ...(rail.intent !== undefined ? { intent: rail.intent } : {}),\n ...(rail.expires !== undefined ? { expires: rail.expires } : {}),\n }),\n );\n\n const result: PaymentHeadersResult = {\n 'www-authenticate': wwwAuthenticateHeader(directives),\n };\n\n if (x402) {\n result['PAYMENT-REQUIRED'] = paymentRequiredHeader({\n x402Version: x402.version ?? 2,\n accepts: x402.accepts,\n ...(x402.resource ? { resource: x402.resource } : {}),\n });\n }\n\n return result;\n}\n","/**\n * USD ↔ atomic-unit conversion for token amounts.\n *\n * `usdToAtomic(usd, { decimals: 6 })` returns the bigint atomic value of a USD\n * amount for a token with `decimals` places of precision (USDC is 6). String\n * parsing + bigint arithmetic so the result is exact; ROUND_HALF_UP at the\n * rounding boundary matches the cross-language Python sibling.\n *\n * Rejects negative, NaN, infinite, and unparseable inputs. Fixed-notation only;\n * scientific notation (e.g. `\"1e6\"`) is not parsed (mirrors the locked cross-\n * language fixture corpus, which uses fixed notation exclusively).\n */\n\n/**\n * Convert a USD amount to atomic units for a token with `decimals` places.\n *\n * @param usd USD amount. Strings (`\"1.23\"`) and `number`s (`1.23`) are accepted.\n * `number` is converted via `String(usd)` before parsing, so JS float precision\n * limits apply when the float can't represent the value exactly.\n * @param opts.decimals Number of decimal places in the atomic unit (6 for USDC,\n * 18 for ETH, etc.). Must be a non-negative integer.\n *\n * @returns Integer atomic units as a `bigint`. `\"1.23\"` with `decimals: 6`\n * returns `1_230_000n`.\n *\n * @throws RangeError when `usd` is negative, NaN, infinite, or `decimals` is\n * not a non-negative integer.\n * @throws SyntaxError when `usd` cannot be parsed as a fixed-notation decimal.\n */\nexport function usdToAtomic(usd: string | number, opts: { decimals: number }): bigint {\n const { decimals } = opts;\n if (!Number.isInteger(decimals) || decimals < 0) {\n throw new RangeError(`decimals must be a non-negative integer, got ${decimals}`);\n }\n\n // Reject NaN / Infinity / negative on the typed-number path before stringifying,\n // so the error names the original numeric value rather than the stringified form.\n if (typeof usd === 'number') {\n if (!Number.isFinite(usd)) {\n throw new RangeError(`usd must be finite, got ${usd}`);\n }\n if (usd < 0) {\n throw new RangeError(`usd must be non-negative, got ${usd}`);\n }\n }\n\n const s = (typeof usd === 'number' ? usd.toString() : usd).trim();\n\n if (s.startsWith('-')) {\n throw new RangeError(`usd must be non-negative, got ${s}`);\n }\n if (s === 'NaN' || s === 'Infinity') {\n throw new RangeError(`usd must be finite, got ${s}`);\n }\n\n // Fixed notation only: optional digits, optional `.`, optional digits.\n // Reject empty, lone `.`, and anything containing non-digit/non-dot characters.\n const match = /^(\\d*)(?:\\.(\\d*))?$/.exec(s);\n if (!match || (match[1] === '' && (match[2] === undefined || match[2] === ''))) {\n throw new SyntaxError(`invalid usd value: ${JSON.stringify(usd)}`);\n }\n\n const intPart = match[1] || '0';\n const fracPart = match[2] ?? '';\n\n // Fractional shorter than (or equal to) decimals: pad with trailing zeros, return exact.\n if (fracPart.length <= decimals) {\n return BigInt(intPart + fracPart.padEnd(decimals, '0'));\n }\n\n // Fractional longer than decimals: truncate to `decimals` digits, then round-half-up\n // via the next-position digit. A digit ≥ '5' rounds the combined value up by 1;\n // matches Python's Decimal ROUND_HALF_UP semantics for non-negative inputs.\n const kept = fracPart.slice(0, decimals);\n const roundDigit = fracPart[decimals];\n let result = BigInt(intPart + kept);\n if (roundDigit >= '5') {\n result += 1n;\n }\n return result;\n}\n\n/**\n * Format an integer cent amount as a fixed-2-decimal USD string.\n *\n * `formatUsdCents(500)` returns `\"5.00\"`. Negative values are formatted with a\n * leading minus. Use everywhere a merchant emits `(cents / 100).toFixed(2)`;\n * consistent formatting across catalog rows, order responses, and 402 bodies\n * prevents agent-side string-comparison flakiness.\n */\nexport function formatUsdCents(cents: number): string {\n return (cents / 100).toFixed(2);\n}\n","/**\n * Solana MPP fee-payer signer loader.\n *\n * Buyers paying via Solana MPP USDC don't typically carry SOL for transaction\n * fees, so merchants commonly co-sign the buyer's `solana/charge` tx as the\n * fee payer (~5000 lamports per tx; negligible vs the USDC value moved).\n *\n * `loadSolanaFeePayer({ privateKey })` accepts a Solana keypair in any of the\n * three forms agents commonly export it as:\n *\n * - **base58** (Phantom export format) — 64-byte secret+public, or 32-byte\n * secret-only\n * - **hex** — 128-char string (64 bytes hex: 32-byte secret + 32-byte public)\n *\n * Returns a `KeyPairSigner` from `@solana/kit` ready to pass as the `signer`\n * field on a `SolanaMppRailSpec`. Returns `undefined` when `privateKey` is\n * empty / absent (so consumers can use `process.env.X` directly without\n * null-checks).\n *\n * Requires the `@solana/kit` peer dependency.\n */\nexport async function loadSolanaFeePayer(opts: {\n privateKey: string | undefined;\n}): Promise<unknown | undefined> {\n const raw = opts.privateKey;\n if (!raw) return undefined;\n const moduleName = '@solana/kit';\n const kit = (await import(moduleName).catch(() => null)) as {\n createKeyPairSignerFromPrivateKeyBytes?: (bytes: Uint8Array) => Promise<unknown>;\n getBase58Codec?: () => { encode: (s: string) => Uint8Array };\n } | null;\n if (!kit?.createKeyPairSignerFromPrivateKeyBytes || !kit.getBase58Codec) {\n throw new Error(\n '@solana/kit not installed — `npm install @solana/kit` for loadSolanaFeePayer.',\n );\n }\n let bytes: Uint8Array;\n if (/^[0-9a-fA-F]{128}$/.test(raw)) {\n bytes = new Uint8Array(raw.match(/.{2}/g)!.map((h) => parseInt(h, 16))).slice(0, 32);\n } else {\n const decoded = new Uint8Array(kit.getBase58Codec().encode(raw));\n bytes = decoded.length === 64 ? decoded.slice(0, 32) : decoded;\n }\n return kit.createKeyPairSignerFromPrivateKeyBytes(bytes);\n}\n"],"mappings":";;;;;;;;;;;AA2EA,SAAS,yBAAyB,KAA6C;AAC7E,MAAI,CAAC,OAAO,OAAO,QAAQ,UAAU;AACnC,UAAM,IAAI,MAAM,yDAAyD,OAAO,GAAG,GAAG;AAAA,EACxF;AACA,MAAI,OAAO,IAAI,QAAQ,YAAY,CAAC,IAAI,KAAK;AAC3C,UAAM,IAAI,MAAM,0EAA0E;AAAA,EAC5F;AACA,MAAI,OAAO,IAAI,QAAQ,YAAY,CAAC,IAAI,KAAK;AAC3C,UAAM,IAAI,MAAM,0EAA0E;AAAA,EAC5F;AACA,MAAI,IAAI,QAAQ,SAAS,IAAI,QAAQ,QAAQ,IAAI,QAAQ,OAAO;AAC9D,UAAM,IAAI;AAAA,MACR,8BAA8B,KAAK,UAAU,IAAI,GAAG,CAAC;AAAA,IACvD;AAAA,EACF;AACA,OAAK,IAAI,QAAQ,QAAQ,IAAI,QAAQ,WAAW,OAAO,IAAI,QAAQ,YAAY,CAAC,IAAI,MAAM;AACxF,UAAM,IAAI,MAAM,8BAA8B,IAAI,GAAG,gFAAgF;AAAA,EACvI;AACA,SAAO;AACT;AAwOO,SAAS,gBAAgB,OAAyC;AAIvE,aAAW,CAAC,MAAM,QAAQ,KAAK,OAAO,QAAQ,MAAM,YAAY,CAAC,CAAC,GAAG;AACnE,eAAW,WAAW,UAAU;AAC9B,WACG,QAAQ,cAAc,UAAU,QAAQ,cAAc,SAAS,QAAQ,cAAc,WAClF,QAAQ,aAAa,UAAa,QAAQ,aAAa,QAAQ,QAAQ,aAAa,KACxF;AACA,cAAM,IAAI;AAAA,UACR,6BAA6B,IAAI,eAAe,QAAQ,SAAS;AAAA,QACnE;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAKA,QAAM,kBAA8D,CAAC;AACrE,aAAW,CAAC,MAAM,QAAQ,KAAK,OAAO,QAAQ,MAAM,oBAAoB,CAAC,CAAC,GAAG;AAC3E,oBAAgB,IAAI,IAAI,SAAS,IAAI,CAAC,YAAY;AAChD,UAAI,MAAM,QAAQ,QAAQ,qBAAqB,KAAK,QAAQ,sBAAsB,WAAW,GAAG;AAC9F,cAAM,EAAE,uBAAuB,OAAO,GAAG,KAAK,IAAI;AAClD,eAAO;AAAA,MACT;AACA,aAAO;AAAA,IACT,CAAC;AAAA,EACH;AAIA,QAAM,eAAuD,CAAC;AAC9D,aAAW,CAAC,MAAM,QAAQ,KAAK,OAAO,QAAQ,MAAM,gBAAgB,CAAC,CAAC,GAAG;AACvE,iBAAa,IAAI,IAAI,CAAC,GAAG,QAAQ;AAAA,EACnC;AAMA,MAAI,MAAM,iBAAiB;AACzB,UAAM,aAAa,EAAE,GAAG,MAAM,gBAAgB;AAC9C,UAAM,oBAA0C;AAAA,MAC9C,SAAS;AAAA,MACT,MAAM,MAAM,uBAAuB;AAAA,MACnC,QAAQ,MAAM,yBAAyB;AAAA,MACvC,SAAS;AAAA,IACX;AAGA,QAAI,OAAO,KAAK,UAAU,EAAE,SAAS,EAAG,mBAAkB,SAAS;AACnE,UAAM,WAAW,aAAa,0BAA0B;AACxD,QAAI,SAAU,UAAS,KAAK,iBAAiB;AAAA,QACxC,cAAa,0BAA0B,IAAI,CAAC,iBAAiB;AAAA,EACpE;AAEA,QAAM,MAAsB;AAAA,IAC1B,SAAS,MAAM,WAAW;AAAA,IAC1B,UAAU,MAAM,YAAY,CAAC;AAAA,IAC7B;AAAA,IACA,kBAAkB;AAAA,EACpB;AACA,MAAI,MAAM,SAAS,OAAW,KAAI,OAAO,MAAM;AAC/C,MAAI,MAAM,uBAAuB,OAAW,KAAI,qBAAqB,MAAM;AAC3E,MAAI,MAAM,YAAY;AACpB,eAAW,KAAK,OAAO,KAAK,MAAM,UAAU,GAAG;AAC7C,UAAI,oBAAoB,IAAI,CAAC,GAAG;AAC9B,cAAM,IAAI,MAAM,oCAAoC,CAAC,qDAAqD;AAAA,MAC5G;AAAA,IACF;AACA,WAAO,OAAO,KAAK,MAAM,UAAU;AAAA,EACrC;AAEA,QAAM,UAAsB;AAAA,IAC1B;AAAA,IACA,cAAc,MAAM;AAAA,EACtB;AACA,MAAI,MAAM,QAAQ;AAGhB,eAAW,KAAK,OAAO,KAAK,MAAM,MAAM,GAAG;AACzC,UAAI,mBAAmB,IAAI,CAAC,GAAG;AAC7B,cAAM,IAAI,MAAM,gCAAgC,CAAC,qDAAqD;AAAA,MACxG;AAAA,IACF;AACA,WAAO,OAAO,SAAS,MAAM,MAAM;AAAA,EACrC;AAEA,SAAO;AACT;AAoBA,SAAS,eAAe,YAAgC,UAA0B;AAChF,MAAI,eAAe,OAAW,QAAO;AACrC,SAAO,qBAAqB,UAAU,KAAK;AAC7C;AAQA,SAAS,gBAAgB,GAAsC;AAC7D,SAAO,OAAO,MAAM,YAAY,EAAE,SAAS,IAAI,IAAI;AACrD;AAEA,SAAS,oBAAoB,MAA8C;AACzE,QAAM,QAAiC;AAAA,IACrC,SAAS,KAAK,UAAU,kBAAmB,KAAK,WAAW;AAAA,IAC3D,UAAU,KAAK,WAAW;AAAA,EAC5B;AACA,QAAM,YAAY,gBAAgB,KAAK,SAAS;AAChD,MAAI,cAAc,OAAW,OAAM,YAAY;AAC/C,SAAO;AACT;AAEA,SAAS,wBAAwB,MAAkD;AACjF,QAAM,QAAiC;AAAA,IACrC,SAAS,eAAe,KAAK,SAAS,qBAAqB;AAAA,EAC7D;AACA,QAAM,YAAY,gBAAgB,KAAK,SAAS;AAChD,MAAI,cAAc,OAAW,OAAM,YAAY;AAC/C,SAAO;AACT;AAEA,SAAS,2BAA2B,MAAqD;AACvF,QAAM,QAAiC;AAAA,IACrC,SAAS,KAAK,UAAU,kBAAkB;AAAA,IAC1C,iBAAiB,KAAK;AAAA,EACxB;AACA,QAAM,YAAY,gBAAgB,KAAK,SAAS;AAChD,MAAI,cAAc,OAAW,OAAM,YAAY;AAC/C,SAAO;AACT;AAIA,SAAS,gBAAgB,GAAoC;AAC3D,SAAO,EAAE,oBAAoB,MAAM,EAAE,YAAY,MAAM,EAAE,kBAAkB;AAC7E;AAEA,SAAS,uBAAuB,GAA2C;AACzE,SAAO,oBAAoB,KAAK,WAAW;AAC7C;AAEA,SAAS,sBAAsB,MAA4C;AACzE,MAAI,uBAAuB,IAAI,EAAG,QAAO,2BAA2B,IAAI;AACxE,MAAI,YAAY,QAAQ,kBAAkB,SAAS,KAAK,SAAS,WAAW,SAAS,KAAK,QAAQ;AAChG,WAAO,wBAAwB,IAAyB;AAAA,EAC1D;AACA,MAAI,gBAAgB,IAAI,EAAG,QAAO,oBAAoB,IAAI;AAG1D,SAAO,oBAAoB,IAAqB;AAClD;AAsBO,SAAS,kBAAkB;AAAA,EAChC,UAAAA;AACF,GAE+C;AAC7C,SAAO;AAAA,IACL,6BAA6B,CAAC;AAAA,MAC5B,IAAI;AAAA,MACJ,SAAS;AAAA,MACT,MAAM,GAAG,SAAS;AAAA,MAClB,QAAQ,GAAG,WAAW;AAAA,MACtB,QAAQ,EAAE,UAAUA,UAAS,IAAI,qBAAqB,EAAE;AAAA,IAC1D,CAAC;AAAA,EACH;AACF;AAEA,SAAS,uBAAuB,MAAiD;AAC/E,QAAM,QAAiC;AAAA,IACrC,SAAS,eAAe,KAAK,SAAS,WAAW;AAAA,EACnD;AACA,QAAM,YAAY,gBAAgB,KAAK,SAAS;AAChD,MAAI,cAAc,OAAW,OAAM,YAAY;AAC/C,SAAO;AACT;AAeO,SAAS,mBAAmB;AAAA,EACjC,UAAAA;AACF,GAE+C;AAC7C,SAAO;AAAA,IACL,8BAA8B,CAAC;AAAA,MAC7B,IAAI;AAAA,MACJ,SAAS;AAAA,MACT,MAAM,GAAG,SAAS;AAAA,MAClB,QAAQ,GAAG,WAAW;AAAA,MACtB,QAAQ,EAAE,UAAUA,UAAS,IAAI,sBAAsB,EAAE;AAAA,IAC3D,CAAC;AAAA,EACH;AACF;AAeO,SAAS,wBAAwB;AAAA,EACtC;AACF,GAE+C;AAC7C,SAAO;AAAA,IACL,oCAAoC,CAAC;AAAA,MACnC,IAAI;AAAA,MACJ,SAAS;AAAA,MACT,MAAM,GAAG,SAAS;AAAA,MAClB,QAAQ,GAAG,WAAW;AAAA,MACtB,QAAQ,EAAE,MAAM,cAAc,YAAY,KAAK,aAAa,KAAK;AAAA,IACnE,CAAC;AAAA,EACH;AACF;AA3lBA,IAkGa,eAyIP,iBAIA,4BAEA,+BAoBA,6BACA,+BAOA,oBAEA,oBAQA,qBA4IO,2BAEP,iBACA,WACA,aAOA;AA9aN;AAAA;AAAA;AAkGO,IAAM,gBAAgB;AAAA,MAC3B,SAAS;AAAA,IACX;AAuIA,IAAM,kBAAkB;AAIxB,IAAM,6BAA6B;AAEnC,IAAM,gCAAgC;AAoBtC,IAAM,8BAA8B;AACpC,IAAM,gCAAgC;AAOtC,IAAM,qBAAqB,CAAC,6BAA6B,uBAAuB;AAEhF,IAAM,qBAAqB,oBAAI,IAAI;AAAA,MACjC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AACD,IAAM,sBAAsB,oBAAI,IAAI;AAAA,MAClC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAkIM,IAAM,4BAA4B;AAEzC,IAAM,kBAAkB;AACxB,IAAM,YAAY;AAClB,IAAM,cAAc;AAOpB,IAAM,uBAA+C;AAAA,MACnD,eAAe;AAAA,MACf,gBAAgB;AAAA,MAChB,2CAA2C;AAAA,MAC3C,2CAA2C;AAAA,IAC7C;AAAA;AAAA;;;ACzVA,eAAe,WAA2C;AACxD,MAAI;AACF,WAAO,MAAM,OAAO,MAAM;AAAA,EAC5B,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR,oFAAoF,iBAAiB;AAAA,kBAAqB,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,IAC5K;AAAA,EACF;AACF;AAYA,SAAS,oBAAoB,SAA6B;AACxD,QAAM,WAAW,EAAE,GAAG,QAAQ;AAC9B,SAAO,SAAS;AAChB,SAAO,gBAAgB,QAAQ;AACjC;AAUA,SAAS,gBAAgB,OAAwB;AAC/C,MAAI,UAAU,QAAW;AACvB,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AACA,MAAI,OAAO,UAAU,cAAc,OAAO,UAAU,UAAU;AAC5D,UAAM,IAAI,MAAM,oBAAoB,OAAO,KAAK,gDAAgD;AAAA,EAClG;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,IAAI,MAAM,uEAAuE;AAAA,EACzF;AACA,MAAI,iBAAiB,MAAM;AACzB,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI,iBAAiB,OAAO,iBAAiB,OAAO,iBAAiB,WAAW,iBAAiB,SAAS;AACxG,UAAM,IAAI;AAAA,MACR,oBAAoB,MAAM,YAAY,IAAI;AAAA,IAC5C;AAAA,EACF;AACA,MAAI,YAAY,OAAO,KAAK,GAAG;AAC7B,UAAM,IAAI,MAAM,gFAAgF;AAAA,EAClG;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,QAAI,CAAC,OAAO,SAAS,KAAK,GAAG;AAC3B,YAAM,IAAI;AAAA,QACR,0DAA0D,KAAK;AAAA,MACjE;AAAA,IACF;AACA,QAAI,CAAC,OAAO,UAAU,KAAK,GAAG;AAC5B,YAAM,IAAI;AAAA,QACR,2DAA2D,KAAK;AAAA,MAClE;AAAA,IACF;AACA,QAAI,CAAC,OAAO,cAAc,KAAK,GAAG;AAChC,YAAM,IAAI;AAAA,QACR,4BAA4B,KAAK;AAAA,MAEnC;AAAA,IACF;AAAA,EACF;AACA,MAAI,OAAO,UAAU,UAAU;AAQ7B,QAAI,MAAM,SAAS,QAAQ,KAAK,MAAM,SAAS,QAAQ,GAAG;AACxD,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B;AACA,MAAI,UAAU,QAAQ,OAAO,UAAU,SAAU,QAAO,KAAK,UAAU,KAAK;AAC5E,MAAI,MAAM,QAAQ,KAAK,EAAG,QAAO,IAAI,MAAM,IAAI,eAAe,EAAE,KAAK,GAAG,CAAC;AACzE,QAAM,MAAM;AACZ,QAAM,OAAO,OAAO,KAAK,GAAG,EAAE,KAAK,CAAC,GAAG,MAAM;AAC3C,UAAM,UAAU,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,CAAE;AACnD,UAAM,UAAU,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,CAAE;AACnD,UAAM,MAAM,KAAK,IAAI,QAAQ,QAAQ,QAAQ,MAAM;AACnD,aAAS,IAAI,GAAG,IAAI,KAAK,KAAK,GAAG;AAC/B,UAAI,QAAQ,CAAC,MAAM,QAAQ,CAAC,EAAG,QAAO,QAAQ,CAAC,IAAI,QAAQ,CAAC;AAAA,IAC9D;AACA,WAAO,QAAQ,SAAS,QAAQ;AAAA,EAClC,CAAC;AAMD,aAAW,KAAK,MAAM;AACpB,QAAI,EAAE,SAAS,QAClB,KAAK,EAAE,SAAS,QAChB,GAAG;AACE,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACA,QAAM,QAAQ,KAAK,IAAI,CAAC,MAAM,GAAG,KAAK,UAAU,CAAC,CAAC,IAAI,gBAAgB,IAAI,CAAC,CAAC,CAAC,EAAE;AAC/E,SAAO,IAAI,MAAM,KAAK,GAAG,CAAC;AAC5B;AAoBA,eAAsB,sBAAsB,MAKf;AAC3B,QAAM,OAAO,MAAM,SAAS;AAC5B,QAAM,MAAM,KAAK,OAAO;AACxB,QAAM,EAAE,YAAY,UAAU,IAAI,MAAM,KAAK,gBAAgB,KAAK,EAAE,aAAa,KAAK,CAAC;AACvF,QAAM,cAAc,MAAM,KAAK,UAAU,SAAS;AAElD,QAAM,YAA2B;AAAA,IAC/B,KAAK,KAAK;AAAA,IACV;AAAA,IACA,KAAK;AAAA,IACL,GAAG;AAAA,EACL;AAEA,SAAO,EAAE,YAAY,UAAU;AACjC;AAoBA,eAAsB,eACpB,SACA;AAAA,EACE;AAAA,EACA;AAAA,EACA,MAAM;AACR,GAQ2B;AAC3B,QAAM,OAAO,MAAM,SAAS;AAE5B,MAAI,CAAC,aAAa,SAAS,GAAiB,GAAG;AAC7C,UAAM,IAAI;AAAA,MACR,uBAAuB,KAAK,UAAU,GAAG,CAAC,iCAAiC,aAAa,KAAK,IAAI,CAAC;AAAA,IACpG;AAAA,EACF;AAMA,MAAI,OAAO,QAAQ,YAAY,CAAC,KAAK;AACnC,UAAM,IAAI,MAAM,iDAAiD;AAAA,EACnE;AACA,QAAM,QAAQ,QAAQ,gBAAgB,CAAC,GAAG,IAAI,CAAC,MAAO,EAA8B,GAAG;AACvF,MAAI,CAAC,KAAK,SAAS,GAAG,GAAG;AACvB,UAAM,IAAI;AAAA,MACR,uBAAuB,KAAK,UAAU,GAAG,CAAC,6DAA6D,KAAK,UAAU,IAAI,CAAC;AAAA,IAC7H;AAAA,EACF;AAEA,QAAM,gBAAgB,oBAAoB,OAAO;AACjD,QAAM,eAAe,IAAI,YAAY,EAAE,OAAO,aAAa;AAE3D,QAAM,YAAY,MAAM,IAAI,KAAK,YAAY,YAAY,EACtD,mBAAmB,EAAE,KAAK,KAAK,KAAK,YAAY,CAAC,EACjD,KAAK,UAAmE;AAE3E,SAAO,EAAE,GAAG,SAAS,UAAU;AACjC;AAeA,eAAsB,iBACpB,SACA,MACkB;AAClB,MAAI,YAAY,QAAQ,OAAO,YAAY,YAAY,MAAM,QAAQ,OAAO,GAAG;AAC7E,UAAM,IAAI;AAAA,MACR;AAAA,MACA,0CAA0C,YAAY,OAAO,SAAS,MAAM,QAAQ,OAAO,IAAI,UAAU,OAAO,OAAO;AAAA,IACzH;AAAA,EACF;AAEA,QAAM,OAAO,MAAM,SAAS;AAI5B,MAAI,CAAC,QAAQ,OAAO,SAAS,YAAY,CAAC,MAAM,QAAS,KAA4B,IAAI,GAAG;AAC1F,UAAM,IAAI;AAAA,MACR;AAAA,MACA,yDAAyD,SAAS,OAAO,SAAS,OAAO,SAAS,WAAW,gCAAgC,OAAO,IAAI;AAAA,IAC1J;AAAA,EACF;AAEA,QAAM,WAAW,EAAE,GAAG,QAAQ;AAC9B,QAAM,MAAM,SAAS;AACrB,SAAO,SAAS;AAChB,MAAI,OAAO,QAAQ,YAAY,CAAC,KAAK;AACnC,UAAM,IAAI;AAAA,MACR;AAAA,MACA,yDAAyD,QAAQ,SAAY,cAAc,OAAO,GAAG;AAAA,IACvG;AAAA,EACF;AAQA,MAAI;AACJ,MAAI;AACF,UAAM,eAAe,IAAI,MAAM,GAAG,EAAE,CAAC;AACrC,QAAI,CAAC,aAAc,OAAM,IAAI,MAAM,wCAAwC;AAC3E,UAAM,aAAa,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,OAAO,YAAY,CAAC;AAC/E,UAAM,SAAS,KAAK,MAAM,UAAU;AACpC,QAAI,OAAO,WAAW,YAAY,WAAW,QAAQ,MAAM,QAAQ,MAAM,GAAG;AAC1E,YAAM,IAAI,MAAM,4CAA4C;AAAA,IAC9D;AACA,aAAS;AAAA,EACX,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR;AAAA,MACA,6DAA6D,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,IAC/G;AAAA,EACF;AAKA,MAAI,OAAO,QAAQ,aAAa;AAC9B,UAAM,IAAI,qBAAqB,aAAa,8BAA8B,WAAW,UAAU,OAAO,OAAO,GAAG,CAAC,GAAG;AAAA,EACtH;AAGA,MAAI,CAAC,aAAa,SAAS,OAAO,GAAiB,GAAG;AACpD,UAAM,IAAI,qBAAqB,mBAAmB,kCAAkC,aAAa,KAAK,IAAI,CAAC,SAAS,OAAO,OAAO,GAAG,CAAC,GAAG;AAAA,EAC3I;AAGA,MAAI,OAAO,OAAO,QAAQ,YAAY,CAAC,OAAO,KAAK;AACjD,UAAM,IAAI;AAAA,MACR;AAAA,MACA,4DAA4D,OAAO,QAAQ,SAAY,cAAc,OAAO,OAAO,GAAG;AAAA,IACxH;AAAA,EACF;AAMA,MAAI,UAAU,QAAQ;AACpB,UAAM,OAAQ,OAA8B;AAC5C,QAAI,CAAC,MAAM,QAAQ,IAAI,KAAK,KAAK,WAAW,KAAK,CAAC,KAAK,MAAM,CAAC,MAAM,OAAO,MAAM,QAAQ,GAAG;AAC1F,YAAM,IAAI;AAAA,QACR;AAAA,QACA,uEAAuE,KAAK,UAAU,IAAI,CAAC;AAAA,MAC7F;AAAA,IACF;AACA,UAAM,IAAI;AAAA,MACR;AAAA,MACA,8DAA8D,KAAK,UAAU,IAAI,CAAC;AAAA,IACpF;AAAA,EACF;AAEA,MAAI;AACJ,MAAI;AACF,UAAM,WAAW,MAAM,KAAK;AAAA,MAC1B;AAAA,MACA,OAAO,MAAM;AAKX,cAAM,MAAM,EAAE;AACd,YAAI,OAAO,QAAQ,YAAY,CAAC,KAAK;AACnC,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,4DAA4D,QAAQ,SAAY,cAAc,OAAO,GAAG;AAAA,UAC1G;AAAA,QACF;AACA,cAAM,UAAU,KAAK,KAAK;AAAA,UACxB,CAAC,MAAM,KAAK,QAAQ,OAAO,MAAM,YAAa,EAA8B,QAAQ;AAAA,QACtF;AACA,YAAI,QAAQ,WAAW,EAAG,OAAM,IAAI,qBAAqB,iBAAiB,+BAA+B,KAAK,UAAU,GAAG,CAAC,GAAG;AAC/H,YAAI,QAAQ,SAAS,EAAG,OAAM,IAAI,qBAAqB,iBAAiB,iBAAiB,QAAQ,MAAM,kBAAkB,KAAK,UAAU,GAAG,CAAC,yBAAyB;AAMrK,cAAM,aAAa,QAAQ,CAAC;AAC5B,YAAI,WAAW,OAAO,QAAQ,WAAW,QAAQ,OAAO;AACtD,gBAAM,IAAI,qBAAqB,gBAAgB,gBAAgB,GAAG,YAAY,KAAK,UAAU,WAAW,GAAG,CAAC,mBAAmB;AAAA,QACjI;AAEA,YAAI,WAAW,OAAO,QAAQ,WAAW,QAAQ,EAAE,KAAK;AACtD,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,WAAW,KAAK,UAAU,WAAW,GAAG,CAAC,kCAAkC,KAAK,UAAU,EAAE,GAAG,CAAC;AAAA,UAClG;AAAA,QACF;AACA,eAAO,KAAK,UAAU,QAAQ,CAAC,GAA2C,EAAE,GAAG;AAAA,MACjF;AAAA,IACF;AACA,oBAAgB,SAAS;AAAA,EAC3B,SAAS,KAAK;AACZ,QAAI,eAAe,qBAAsB,OAAM;AAC/C,QAAI,eAAe,SAAS,IAAI,SAAS,qBAAqB;AAC5D,YAAM,IAAI,qBAAqB,mBAAmB,gCAAgC,IAAI,OAAO,EAAE;AAAA,IACjG;AACA,QAAI,eAAe,SAAS,IAAI,SAAS,kCAAkC;AACzE,YAAM,IAAI,qBAAqB,qBAAqB,sCAAsC,IAAI,OAAO,EAAE;AAAA,IACzG;AACA,QAAI,eAAe,SAAS,IAAI,SAAS,cAAc;AACrD,YAAM,IAAI,qBAAqB,iBAAiB,kBAAkB,IAAI,OAAO,EAAE;AAAA,IACjF;AAIA,QAAI,eAAe,SAAS,IAAI,SAAS,oBAAoB;AAC3D,YAAM,IAAI,qBAAqB,gCAAgC,sDAAsD,IAAI,OAAO,EAAE;AAAA,IACpI;AACA,UAAM;AAAA,EACR;AAEA,MAAI;AACJ,MAAI;AACF,oBAAgB,oBAAoB,QAAsB;AAAA,EAC5D,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR;AAAA,MACA,6DAA6D,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,IAC/G;AAAA,EACF;AACA,QAAM,kBAAkB,IAAI,YAAY,EAAE,OAAO,aAAa;AAO9D,MAAI,CAAC,kBAAkB,eAAe,eAAe,GAAG;AACtD,UAAM,IAAI,qBAAqB,iBAAiB,iFAAiF;AAAA,EACnI;AAEA,SAAO;AACT;AAGA,SAAS,kBAAkB,GAAe,GAAwB;AAChE,MAAI,EAAE,WAAW,EAAE,OAAQ,QAAO;AAClC,MAAI,OAAO;AACX,WAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK,GAAG;AACpC,YAAQ,EAAE,CAAC,IAAI,EAAE,CAAC;AAAA,EACpB;AACA,SAAO,SAAS;AAClB;AAcO,SAAS,kBAAkB,MAAqC;AACrE,SAAO,EAAE,KAAK;AAChB;AAoBA,SAAS,eAAe,MAAkC;AACxD,QAAM,MAAM,QAAQ,IAAI,IAAI;AAC5B,MAAI,QAAQ,OAAW,QAAO;AAC9B,QAAM,UAAU,IAAI,KAAK;AACzB,SAAO,YAAY,KAAK,SAAY;AACtC;AAEA,SAAS,iBAAiB,KAAwD;AAChF,MAAI,IAAI,QAAQ,SAAS,IAAI,QAAQ,UAAW,QAAO;AACvD,MAAI,IAAI,QAAQ,QAAQ,IAAI,QAAQ,QAAS,QAAO;AACpD,SAAO;AACT;AAQA,SAAS,SAAS,MAA6C;AAC7D,SAAO,GAAG,KAAK,SAAS,IAAI,KAAK,SAAS,IAAI,KAAK,SAAS,IAAI,KAAK,UAAU,IAAI,KAAK,UAAU;AACpG;AAEA,eAAe,mBACb,MAC0B;AAC1B,QAAM,aAAa,eAAe,KAAK,SAAS,KAAK,KAAK;AAI1D,QAAM,UAAU,eAAe,KAAK,SAAS,KAAK,IAAI,YAAY;AAClE,QAAM,cAAiC,WAAW,UAAU,UAAU,KAAK;AAE3E,QAAM,SAAS,eAAe,KAAK,SAAS;AAC5C,MAAI,QAAQ;AACV,QAAI;AACJ,QAAI;AACF,gBAAU,KAAK,MAAM,MAAM;AAAA,IAC7B,SAAS,KAAK;AACZ,YAAM,IAAI;AAAA,QACR,GAAG,KAAK,SAAS,uBAAuB,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,MAC1F;AAAA,IACF;AACA,QAAI,CAAC,WAAW,OAAO,YAAY,YAAY,MAAM,QAAQ,OAAO,KAAK,OAAO,KAAK,OAAO,EAAE,WAAW,GAAG;AAC1G,YAAM,IAAI,MAAM,GAAG,KAAK,SAAS,kCAAkC;AAAA,IACrE;AAEA,UAAM,cAAc,iBAAiB,OAAO;AAC5C,QAAI,CAAC,aAAa;AAChB,YAAM,IAAI;AAAA,QACR,GAAG,KAAK,SAAS,qCAAqC,OAAO,QAAQ,GAAG,CAAC,QAAQ,OAAO,QAAQ,GAAG,CAAC;AAAA,MAEtG;AAAA,IACF;AAMA,UAAM,sBACJ,gBAAgB,UACZ,EAAE,KAAK,QAAQ,KAAK,KAAK,QAAQ,KAAK,GAAG,QAAQ,GAAG,GAAG,QAAQ,EAAE,IACjE,EAAE,KAAK,QAAQ,KAAK,KAAK,QAAQ,KAAK,GAAG,QAAQ,GAAG,GAAG,QAAQ,GAAG,GAAG,QAAQ,EAAE;AAGrF,UAAM,EAAE,UAAU,IAAI,MAAM,OAAO,MAAM;AACzC,UAAM,EAAE,gBAAgB,IAAI,MAAM,OAAO,QAAa;AACtD,QAAI;AACJ,QAAI;AACJ,QAAI;AACF,mBAAa,MAAM;AAAA,QACjB;AAAA,QACA;AAAA,MACF;AACA,sBAAgB,gBAAgB,EAAE,KAAK,qBAA8B,QAAQ,MAAM,CAAC;AAAA,IACtF,SAAS,KAAK;AACZ,YAAM,YAAY,eAAe,QAAQ,IAAI,YAAY,OAAO,OAAO;AACvE,YAAM,OACJ,OAAO,OAAO,QAAQ,YAAY,UAAU,MACxC,OAAQ,IAA2B,IAAI,IACvC;AACN,YAAM,aAAa,OAAO,KAAK,IAAI,MAAM;AACzC,YAAM,IAAI;AAAA,QACR,GAAG,KAAK,SAAS,gCAAgC,SAAS,GAAG,UAAU;AAAA,MAGzE;AAAA,IACF;AAIA,UAAM,YAAY,cAAc,OAAO,EAAE,QAAQ,MAAM,CAAC;AAGxD,cAAU,MAAO,QAAQ,OAA8B;AACvD,cAAU,MAAM;AAChB,cAAU,MAAM;AAEhB,WAAO,EAAE,YAAY,UAAU;AAAA,EACjC;AAGA,SAAO,sBAAsB,EAAE,KAAK,YAAY,KAAK,YAAY,CAAC;AACpE;AA0BA,eAAsB,yBAAyB;AAAA,EAC7C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,IAWI,CAAC,GAA6B;AAChC,QAAM,WAA0C;AAAA,IAC9C,GAAG;AAAA,IACH,GAAI,cAAc,UAAa,EAAE,UAAU;AAAA,IAC3C,GAAI,cAAc,UAAa,EAAE,UAAU;AAAA,IAC3C,GAAI,cAAc,UAAa,EAAE,UAAU;AAAA,IAC3C,GAAI,eAAe,UAAa,EAAE,WAAW;AAAA,IAC7C,GAAI,eAAe,UAAa,EAAE,WAAW;AAAA,EAC/C;AACA,QAAM,MAAM,SAAS,QAAQ;AAC7B,MAAI,SAAS,eAAe,IAAI,GAAG;AACnC,MAAI,OAAQ,QAAO;AAEnB,WAAS,mBAAmB,QAAQ,EAAE,MAAM,CAAC,QAAQ;AAGnD,mBAAe,OAAO,GAAG;AACzB,UAAM;AAAA,EACR,CAAC;AACD,iBAAe,IAAI,KAAK,MAAM;AAC9B,SAAO;AACT;AA9sBA,IAmDM,mBAMA,cAOA,aAIO,sBA2dP,mBAyBA;AAxjBN;AAAA;AAAA;AAmDA,IAAM,oBAAoB;AAM1B,IAAM,eAAe,CAAC,SAAS,OAAO;AAOtC,IAAM,cAAc;AAIb,IAAM,uBAAN,cAAmC,MAAM;AAAA,MAC9C,YACkB,MAahB,SACA;AACA,cAAM,OAAO;AAfG;AAgBhB,aAAK,OAAO;AAAA,MACd;AAAA,MAjBkB;AAAA,IAkBpB;AAucA,IAAM,oBAAmD;AAAA,MACvD,WAAW;AAAA,MACX,WAAW;AAAA,MACX,WAAW;AAAA,MACX,YAAY;AAAA,MACZ,YAAY;AAAA,IACd;AAmBA,IAAM,iBAAiB,oBAAI,IAAsC;AAAA;AAAA;;;ACxjBjE,IAIa;AAJb;AAAA;AAAA;AAIO,IAAM,OAAO;AAAA,MAClB,MAAM;AAAA,QACJ,SAAS,EAAE,SAAS,8CAAuD,UAAU,EAAE;AAAA,QACvF,SAAS,EAAE,SAAS,8CAAuD,UAAU,EAAE;AAAA,MACzF;AAAA,MACA,QAAQ;AAAA,QACN,SAAS,EAAE,MAAM,gDAAgD,UAAU,EAAE;AAAA,QAC7E,QAAQ,EAAE,MAAM,gDAAgD,UAAU,EAAE;AAAA,MAC9E;AAAA,MACA,OAAO;AAAA,QACL,SAAS,EAAE,SAAS,8CAAuD,UAAU,EAAE;AAAA,QACvF,SAAS,EAAE,SAAS,8CAAuD,UAAU,EAAE;AAAA,MACzF;AAAA,IACF;AAAA;AAAA;;;ACuBO,SAAS,sBAAsB;AAAA,EACpC;AAAA,EACA;AAAA,EACA;AACF,GAIW;AACT,SAAO,OAAO,KAAK,KAAK,UAAU,EAAE,aAAa,SAAS,GAAI,WAAW,EAAE,SAAS,IAAI,CAAC,EAAG,CAAC,CAAC,EAAE,SAAS,QAAQ;AACnH;AAlDA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAIa;AAJb;AAAA;AAAA;AAIO,IAAM,WAAW;AAAA,MACtB,MAAM;AAAA,QACJ,SAAS,EAAE,OAAO,eAAwB,SAAS,KAAK;AAAA,QACxD,SAAS,EAAE,OAAO,gBAAyB,SAAS,MAAM;AAAA,MAC5D;AAAA,MACA,QAAQ;AAAA,QACN,SAAS,EAAE,OAAO,0CAAmD;AAAA,QACrE,QAAQ,EAAE,OAAO,0CAAmD;AAAA,MACtE;AAAA,MACA,OAAO;AAAA,QACL,SAAS,EAAE,OAAO,eAAwB,SAAS,KAAK;AAAA,QACxD,SAAS,EAAE,OAAO,gBAAyB,SAAS,MAAM;AAAA,MAC5D;AAAA,IACF;AAAA;AAAA;;;ACgFO,SAAS,WAAW,MAA0C;AACnE,SAAO,MAAM,IAAgB;AAC/B;AAnGA,IASa;AATb;AAAA;AAAA;AAAA;AACA;AAQO,IAAM,QAAQ;AAAA,MACnB,iBAAiB;AAAA,QACf,QAAQ;AAAA,QACR,SAAS,SAAS,MAAM,QAAQ;AAAA,QAChC,SAAS,SAAS,MAAM,QAAQ;AAAA,QAChC,UAAU,KAAK,MAAM,QAAQ;AAAA,QAC7B,UAAU,KAAK,MAAM,QAAQ;AAAA,QAC7B,OAAO,KAAK,MAAM,QAAQ;AAAA,MAC5B;AAAA,MACA,iBAAiB;AAAA,QACf,QAAQ;AAAA,QACR,SAAS,SAAS,MAAM,QAAQ;AAAA,QAChC,SAAS,SAAS,MAAM,QAAQ;AAAA,QAChC,UAAU,KAAK,MAAM,QAAQ;AAAA,QAC7B,UAAU,KAAK,MAAM,QAAQ;AAAA,QAC7B,OAAO,KAAK,MAAM,QAAQ;AAAA,MAC5B;AAAA,MACA,qBAAqB;AAAA,QACnB,QAAQ;AAAA,QACR,SAAS,SAAS,KAAK,QAAQ;AAAA,QAC/B,SAAS,SAAS,KAAK,QAAQ;AAAA,QAC/B,UAAU,KAAK,KAAK,QAAQ;AAAA,QAC5B,UAAU,KAAK,KAAK,QAAQ;AAAA,QAC5B,OAAO,KAAK,KAAK,QAAQ;AAAA,MAC3B;AAAA,MACA,qBAAqB;AAAA,QACnB,QAAQ;AAAA,QACR,SAAS,SAAS,KAAK,QAAQ;AAAA,QAC/B,SAAS,SAAS,KAAK,QAAQ;AAAA,QAC/B,UAAU,KAAK,KAAK,QAAQ;AAAA,QAC5B,UAAU,KAAK,KAAK,QAAQ;AAAA,QAC5B,OAAO,KAAK,KAAK,QAAQ;AAAA,MAC3B;AAAA;AAAA;AAAA;AAAA,MAIA,0BAA0B;AAAA,QACxB,QAAQ;AAAA,QACR,SAAS,SAAS,KAAK,QAAQ;AAAA,QAC/B,SAAS,SAAS,KAAK,QAAQ;AAAA,QAC/B,UAAU,KAAK,KAAK,QAAQ;AAAA,QAC5B,UAAU,KAAK,KAAK,QAAQ;AAAA,QAC5B,OAAO,KAAK,KAAK,QAAQ;AAAA,MAC3B;AAAA,MACA,0BAA0B;AAAA,QACxB,QAAQ;AAAA,QACR,SAAS,SAAS,KAAK,QAAQ;AAAA,QAC/B,SAAS,SAAS,KAAK,QAAQ;AAAA,QAC/B,UAAU,KAAK,KAAK,QAAQ;AAAA,QAC5B,UAAU,KAAK,KAAK,QAAQ;AAAA,QAC5B,OAAO,KAAK,KAAK,QAAQ;AAAA,MAC3B;AAAA,MACA,sBAAsB;AAAA,QACpB,QAAQ;AAAA,QACR,SAAS,SAAS,OAAO,QAAQ;AAAA,QACjC,UAAU,KAAK,OAAO,QAAQ;AAAA,QAC9B,UAAU,KAAK,OAAO,QAAQ;AAAA,QAC9B,OAAO,KAAK,OAAO,QAAQ;AAAA,MAC7B;AAAA,MACA,qBAAqB;AAAA,QACnB,QAAQ;AAAA,QACR,SAAS,SAAS,OAAO,OAAO;AAAA,QAChC,UAAU,KAAK,OAAO,OAAO;AAAA,QAC7B,UAAU,KAAK,OAAO,OAAO;AAAA,QAC7B,OAAO,KAAK,OAAO,OAAO;AAAA,MAC5B;AAAA,MACA,cAAc;AAAA,QACZ,QAAQ;AAAA,QACR,UAAU;AAAA,QACV,UAAU;AAAA,MACZ;AAAA,IACF;AAAA;AAAA;;;ACvEO,SAAS,wBAAwB;AAAA,EACtC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,GAeW;AACT,QAAM,UAAU,OAAO,WAAW,IAAI,IAAI;AAC1C,QAAM,mBAAmB,YAAY,SAAS,YAAY;AAC1D,QAAM,mBAAmB,YAAY,SAAS,YAAY;AAC1D,QAAM,kBAAkB,WAAW,SAAS;AAE5C,QAAM,YAAY,OAAO,cAAc,WAAW,OAAO,SAAS,IAAI;AACtE,QAAM,YAAY,OAAO,KAAK,MAAM,YAAY,MAAM,gBAAgB,CAAC,EAAE,SAAS;AAClF,QAAM,OAAgC,EAAE,QAAQ,WAAW,UAAU,kBAAkB,UAAU,iBAAiB;AAClH,MAAI,UAAW,MAAK,YAAY;AAChC,QAAM,gBAAyC,CAAC;AAChD,MAAI,oBAAoB,OAAW,eAAc,UAAU;AAC3D,MAAI,UAAW,eAAc,YAAY;AACzC,MAAI,OAAO,KAAK,aAAa,EAAE,SAAS,EAAG,MAAK,gBAAgB;AAChE,SAAO,OAAO,KAAK,KAAK,UAAU,IAAI,CAAC,EAAE,SAAS,WAAW;AAC/D;AAOO,SAAS,iBAAiB;AAAA,EAC/B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,GAeW;AACT,QAAM,UAAU,OAAO,WAAW,IAAI,IAAI;AAC1C,QAAM,iBAAiB,UAAU,SAAS,UAAU;AACpD,QAAM,iBAAiB,UAAU;AACjC,QAAM,kBAAkB,WAAW,IAAI,KAAK,KAAK,IAAI,IAAI,IAAI,KAAK,GAAI,EAAE,YAAY;AACpF,SAAO,eAAe,EAAE,aAAa,KAAK,cAAc,cAAc,cAAc,cAAc,eAAe,eAAe,eAAe,OAAO;AACxJ;AAnFA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAsBO,SAAS,2BACd,OACA,eAAuB,WACS;AAChC,MAAI,UAAU,SAAS,KAAK,QAAQ,OAAO;AACzC,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,QAAQ;AAAA,MACR,OAAO,KAAK,KAAK,QAAQ;AAAA,MACzB,OAAO;AAAA,MACP,mBAAmB;AAAA;AAAA;AAAA;AAAA;AAAA,MAKnB,OAAO,EAAE,MAAM,YAAY,SAAS,IAAI;AAAA,IAC1C;AAAA,EACF;AACA,MAAI,UAAU,SAAS,KAAK,QAAQ,OAAO;AACzC,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,QAAQ;AAAA,MACR,OAAO,KAAK,KAAK,QAAQ;AAAA,MACzB,OAAO;AAAA,MACP,mBAAmB;AAAA,MACnB,OAAO,EAAE,MAAM,QAAQ,SAAS,IAAI;AAAA,IACtC;AAAA,EACF;AACA,MAAI,UAAU,SAAS,OAAO,QAAQ,OAAO;AAC3C,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,QAAQ;AAAA,MACR,OAAO,KAAK,OAAO,QAAQ;AAAA,MAC3B,OAAO;AAAA,MACP,mBAAmB;AAAA,IACrB;AAAA,EACF;AACA,MAAI,UAAU,SAAS,OAAO,OAAO,OAAO;AAC1C,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,QAAQ;AAAA,MACR,OAAO,KAAK,OAAO,OAAO;AAAA,MAC1B,OAAO;AAAA,MACP,mBAAmB;AAAA,IACrB;AAAA,EACF;AACA,SAAO;AACT;AAgEO,SAAS,4BAA4B,MAAqD;AAC/F,QAAM,UAAU,SAAS,KAAK,IAAI,CAAC;AACnC,QAAM,UAAU,IAAI,KAAK,KAAK,IAAI,KAAK,KAAK,cAAc,OAAO,GAAI,EAAE,YAAY;AACnF,QAAM,UAAU,wBAAwB;AAAA,IACtC,MAAM,KAAK;AAAA,IACX,WAAW,KAAK;AAAA,IAChB,WAAW,KAAK;AAAA,EAClB,CAAC;AACD,QAAM,YAAY,iBAAiB;AAAA,IACjC,MAAM,KAAK;AAAA,IACX,IAAI;AAAA,IACJ,OAAO,KAAK;AAAA,IACZ,QAAQ,KAAK;AAAA,IACb;AAAA,IACA;AAAA,EACF,CAAC;AAED,QAAM,UAAmC;AAAA,IACvC,OAAO;AAAA,MACL,MAAM;AAAA,MACN,SAAS,KAAK,WAAW;AAAA,IAC3B;AAAA,IACA,WAAW;AAAA,IACX,GAAI,KAAK,UAAU,EAAE,MAAM,KAAK,QAAQ,IAAI,CAAC;AAAA,EAC/C;AACA,QAAM,UAAkC;AAAA,IACtC,gBAAgB;AAAA,IAChB,oBAAoB;AAAA,EACtB;AAEA,MAAI,KAAK,YAAY;AACnB,UAAM,cAAc,KAAK,WAAW,WAAW;AAC/C,UAAM,gBAAgB,KAAK,WAAW,YAChC,KAAK,WAAW,YAAY,CAAC,GAC9B,IAAI,CAAC,MAAM,2BAA2B,GAAG,KAAK,WAAY,gBAAgB,SAAS,CAAC,EACpF,OAAO,CAAC,MAAoC,MAAM,IAAI;AAI3D,YAAQ,kBAAkB,IAAI,sBAAsB;AAAA,MAClD;AAAA,MACA,SAAS;AAAA,MACT,GAAI,KAAK,WAAW,cAChB,EAAE,UAAU,EAAE,KAAK,KAAK,WAAW,aAAa,UAAU,mBAAmB,EAAE,IAC/E,CAAC;AAAA,IACP,CAAC;AAGD,YAAQ,cAAc;AAEtB,UAAM,aAAa,KAAK,MAAM,OAAO,KAAK,QAAQ,kBAAkB,GAAG,QAAQ,EAAE,SAAS,OAAO,CAAC;AAClG,YAAQ,UAAU,WAAW;AAAA,EAC/B;AAEA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR;AAAA,IACA,MAAM,KAAK,UAAU,OAAO;AAAA,EAC9B;AACF;AAcA,eAAsB,wBAAwB,KAAoC;AAChF,MAAI,IAAI,WAAW,OAAQ,QAAO;AAClC,QAAM,OAAO,IAAI,QAAQ,IAAI,eAAe;AAC5C,MAAI,MAAM,WAAW,UAAU,EAAG,QAAO;AACzC,QAAM,OAAO,MAAM,IAAI,MAAM,EAAE,KAAK;AACpC,SAAO,CAAC,QAAQ,SAAS;AAC3B;AAxNA,IASM,gBACA;AAVN;AAAA;AAAA;AAAA;AACA;AACA;AACA;AAMA,IAAM,iBAAiB;AACvB,IAAM,oBAAoB;AAAA;AAAA;;;ACV1B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA8DA,SAAS,UAAU,SAA2E;AAC5F,MAAI,YAAY,OAAW,QAAO;AAClC,MAAI,mBAAmB,QAAS,QAAO,QAAQ,IAAI,cAAc,KAAK;AACtE,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,OAAO,GAAG;AAC5C,QAAI,EAAE,YAAY,MAAM,eAAgB,QAAO;AAAA,EACjD;AACA,SAAO;AACT;AAEA,SAAS,gBACP,SACA,gBACM;AACN,QAAM,MAAM,UAAU,cAAc;AACpC,MAAI,QAAQ,OAAW,SAAQ,cAAc,IAAI;AACnD;AAEA,SAAS,eAAe,GAAgD;AACtE,SAAO,oBAAoB,KAAK,WAAW;AAC7C;AACA,SAAS,SAAS,GAA0C;AAC1D,SAAO,EAAE,eAAe;AAC1B;AAOA,SAAS,sBAAsB,MAAwC;AACrE,SAAO,OAAO,OAAO,MAAM,WAAW;AACxC;AAEA,SAAS,gBAAgB,UAAgE;AACvF,QAAM,WAAuD,CAAC;AAC9D,QAAM,MAAoE,CAAC;AAC3E,QAAM,OAA2B,CAAC;AAClC,QAAM,SAA2B,CAAC;AAElC,aAAW,QAAQ,OAAO,OAAO,SAAS,KAAK,GAAG;AAChD,QAAI,SAAS,IAAI,GAAG;AAClB,aAAO,KAAK,IAAI;AAChB;AAAA,IACF;AACA,QAAI,eAAe,IAAI,GAAG;AACxB,UAAI,sBAAsB,IAAI,EAAG,KAAI,KAAK,IAAI;AAC9C;AAAA,IACF;AAGA,UAAM,UAAW,KAA8B,WAAW;AAC1D,QAAI,QAAQ,WAAW,SAAS,KAAM,UAAU,MAAO;AACrD,UAAI,sBAAsB,IAAI,EAAG,MAAK,KAAK,IAAwB;AAAA,IACrE,WAAW,QAAQ,WAAW,SAAS,KAAK,YAAY,MAAM;AAC5D,UAAI,sBAAsB,IAAI,EAAG,KAAI,KAAK,IAAyB;AAAA,IACrE,OAAO;AAEL,UAAI,sBAAsB,IAAI,EAAG,KAAI,KAAK,IAAqB;AAAA,IACjE;AAAA,EACF;AAEA,MAAI,IAAI,SAAS,EAAG,QAAO,OAAO,UAAU,kBAAkB,EAAE,UAAU,IAAI,CAAC,CAAC;AAChF,MAAI,KAAK,SAAS,EAAG,QAAO,OAAO,UAAU,mBAAmB,EAAE,UAAU,KAAK,CAAC,CAAC;AACnF,aAAW,QAAQ,OAAQ,QAAO,OAAO,UAAU,wBAAwB,EAAE,KAAK,CAAC,CAAC;AACpF,SAAO;AACT;AAEA,SAAS,sBACP,gBACyB;AACzB,QAAM,OAAO;AAAA,IACX,OAAO;AAAA,MACL,MAAM;AAAA,MACN,SAAS;AAAA,IACX;AAAA,IACA,YAAY;AAAA,MACV,QAAQ;AAAA,MACR,cAAc;AAAA,IAChB;AAAA,IACA,oBAAoB;AAAA,MAClB,QAAQ;AAAA,MACR,OAAO;AAAA,QACL;AAAA,QACA;AAAA,MACF;AAAA,MACA,cAAc;AAAA,IAChB;AAAA,EACF;AAIA,QAAM,UAAkC;AAAA,IACtC,+BAA+B;AAAA,IAC/B,iBAAiB,mBAAmB,iBAAiB;AAAA,EACvD;AACA,kBAAgB,SAAS,cAAc;AACvC,SAAO;AAAA,IACL,MAAM,KAAK,UAAU,IAAI;AAAA,IACzB,WAAW;AAAA,IACX;AAAA,IACA,QAAQ;AAAA,EACV;AACF;AAgBA,eAAsB,uBAAuB,MAQR;AACnC,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,aAAa;AAAA,IACb;AAAA,EACF,IAAI;AAEJ,QAAM,WAAW,gBAAgB,QAAQ;AACzC,MAAI,OAAO,KAAK,QAAQ,EAAE,WAAW,GAAG;AACtC,WAAO,sBAAsB,cAAc;AAAA,EAC7C;AAEA,QAAM,MAAM,MAAM,yBAAyB,EAAE,YAAY,WAAW,CAAC;AACrE,QAAM,kBAAkB,cAAc,QAAQ,IAAI,SAAS;AAE3D,QAAM,UAAU,gBAAgB;AAAA,IAC9B;AAAA,IACA,oBAAoB,EAAE,cAAc,gBAAgB;AAAA,IACpD,iBAAiB;AAAA,IACjB;AAAA,IACA,kBAAkB;AAAA,IAClB,cAAc,CAAC,eAAe;AAAA,EAChC,CAAC;AACD,QAAM,SAAS,MAAM,eAAe,SAAS;AAAA,IAC3C,YAAY,IAAI;AAAA,IAChB,KAAK,IAAI,UAAU;AAAA,IACnB,KAAM,IAAI,UAAU,OAAyC;AAAA,EAC/D,CAAC;AACD,QAAM,UAAkC;AAAA,IACtC,iBAAiB,mBAAmB,iBAAiB;AAAA,IACrD,+BAA+B;AAAA,EACjC;AACA,kBAAgB,SAAS,cAAc;AACvC,SAAO;AAAA,IACL,MAAM,KAAK,UAAU,MAAM;AAAA,IAC3B,WAAW;AAAA,IACX;AAAA,IACA,QAAQ;AAAA,EACV;AACF;AASA,eAAsB,wBAAwB,MAGT;AACnC,QAAM,EAAE,gBAAgB,aAAa,mBAAmB,IAAI,QAAQ,CAAC;AACrE,QAAM,MAAM,MAAM,yBAAyB,EAAE,YAAY,WAAW,CAAC;AACrE,QAAM,OAAO,kBAAkB,CAAC,cAAc,QAAQ,IAAI,SAAS,CAAC,CAAC;AACrE,QAAM,UAAkC;AAAA,IACtC,iBAAiB,mBAAmB,kBAAkB;AAAA,IACtD,+BAA+B;AAAA,EACjC;AACA,kBAAgB,SAAS,cAAc;AACvC,SAAO;AAAA,IACL,MAAM,KAAK,UAAU,IAAI;AAAA,IACzB,WAAW;AAAA,IACX;AAAA,IACA,QAAQ;AAAA,EACV;AACF;AASO,SAAS,8BACd,gBACwB;AACxB,QAAM,UAAkC;AAAA,IACtC,+BAA+B;AAAA,IAC/B,gCAAgC;AAAA,IAChC,0BAA0B;AAAA,IAC1B,MAAM;AAAA,EACR;AACA,MAAI,mBAAmB,OAAW,QAAO;AACzC,QAAM,OACJ,0BAA0B,UACtB,eAAe,IAAI,gCAAgC,IACnD,OAAO,QAAQ,cAAc,EAAE,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,YAAY,MAAM,gCAAgC,IAAI,CAAC;AAC5G,MAAI,KAAM,SAAQ,8BAA8B,IAAI;AACpD,SAAO;AACT;AAQO,SAAS,2BACd,gBACU;AACV,SAAO,IAAI,SAAS,MAAM;AAAA,IACxB,QAAQ;AAAA,IACR,SAAS,8BAA8B,cAAc;AAAA,EACvD,CAAC;AACH;AAcO,SAAS,mBAAmB,MAEK;AACtC,SAAO;AAAA,IACL,oBAAoB;AAAA,MAClB;AAAA,QACE,SAAS;AAAA,QACT,MAAM;AAAA,QACN,WAAW;AAAA,QACX,UAAU,KAAK;AAAA,MACjB;AAAA,IACF;AAAA,EACF;AACF;AAYA,eAAsB,uBAAuB,MAE3B;AAChB,QAAM,aAAa,MAAM,cAAc;AACvC,QAAM,yBAAyB,EAAE,WAAW,CAAC;AAC/C;AAWO,SAAS,mBAAmB,MAAyC;AAC1E,SAAO,IAAI,SAAS,KAAK,MAAM;AAAA,IAC7B,QAAQ,KAAK;AAAA,IACb,SAAS,EAAE,GAAG,KAAK,SAAS,gBAAgB,KAAK,UAAU;AAAA,EAC7D,CAAC;AACH;AAGO,SAAS,qBAAqB,MAAyC;AAC5E,SAAO,mBAAmB,IAAI;AAChC;AAGO,SAAS,kBAAkB,MAAyC;AACzE,SAAO,mBAAmB,IAAI;AAChC;AAGO,SAAS,sBACd,KAMA,MACM;AACN,MAAI,OAAO,KAAK,MAAM;AACtB,MAAI,IAAI,KAAK,OAAO;AACpB,MAAI,KAAK,KAAK,SAAS;AACvB,MAAI,KAAK,KAAK,IAAI;AACpB;AAGO,SAAS,sBACd,OAMA,MACS;AACT,QAAM,KAAK,KAAK,MAAM;AACtB,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,KAAK,OAAO,EAAG,OAAM,OAAO,GAAG,CAAC;AACpE,QAAM,KAAK,KAAK,SAAS;AACzB,SAAO,MAAM,KAAK,KAAK,IAAI;AAC7B;AAhZA,IA6CM,mBACA,oBACA;AA/CN;AAAA;AAAA;AAqBA;AAUA;AAcA,IAAM,oBAAoB;AAC1B,IAAM,qBAAqB;AAC3B,IAAM,+BAA+B;AAAA;AAAA;;;AC/CrC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,gBAAgB;AAAA,EAChB;AAAA,OACK;;;ACyBA,IAAM,yBAA8C,oBAAI,IAAI;AAAA,EACjE;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAUM,SAAS,gBAAgB,SAAiD;AAC/E,MAAI,CAAC,WAAW,QAAQ,WAAW,EAAG,QAAO;AAC7C,SAAO,QAAQ,MAAM,CAAC,MAAM,uBAAuB,IAAI,CAAC,CAAC;AAC3D;AAUO,SAAS,mBAAmB,QAAuC;AACxE,MAAI,OAAO,SAAS,mBAAmB,OAAO,SAAS,qBAAsB,QAAO;AACpF,MAAI,OAAO,SAAS,YAAa,QAAO;AACxC,SAAO;AACT;AAgBO,SAAS,wBAAwB;AAAA,EACtC;AAAA,EACA;AAAA,EACA;AACF,GAQmC;AACjC,MAAI,OAAO,SAAS,OAAQ,QAAO;AAEnC,QAAM,uBAAuB,gBAAgB;AAE7C,MAAI,OAAO,SAAS,0BAA0B;AAC5C,UAAM,gBAAgB,OAAO,iBAAiB,CAAC;AAC/C,UAAM,sBAAsB,gBAAgB,cAAc,SAAS,IAC/D,qEAAqE,cAAc,KAAK,IAAI,CAAC,kBAC7F;AACJ,WAAO;AAAA,MACL,OAAO;AAAA,QACL,MAAM;AAAA,QACN,SACE;AAAA,MACJ;AAAA,MACA,kBAAkB,OAAO;AAAA,MACzB,wBAAwB,OAAO,wBAAwB;AAAA,MACvD,iBAAiB,OAAO;AAAA,MACxB,eAAe,OAAO;AAAA,MACtB,gBAAgB;AAAA,MAChB,YAAY;AAAA,QACV,QAAQ;AAAA,QACR,cAAc;AAAA,QACd,gBAAgB;AAAA,MAClB;AAAA,IACF;AAAA,EACF;AAGA,SAAO;AAAA,IACL,OAAO;AAAA,MACL,MAAM;AAAA,MACN,SACE;AAAA,IACJ;AAAA,IACA,YAAY;AAAA,MACV,QAAQ;AAAA,MACR,cACE,eACA;AAAA,MACF,gBAAgB;AAAA,IAClB;AAAA,EACF;AACF;AAYO,SAAS,6BACd,cACA,SAC4E;AAC5E,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,eAAe;AAAA,IACf,cACE,WACA,8DAA8D,YAAY;AAAA,EAC9E;AACF;AAQO,SAAS,8BAA8B;AAAA,EAC5C;AAAA,EACA;AAAA,EACA;AAAA,EACA,sBAAsB;AAAA,EACtB,iBAAiB;AAAA,EACjB;AAAA,EACA;AACF,IAoBI,CAAC,GAUH;AACA,QAAM,YAAY;AAAA,IAChB;AAAA,IACA,4CAA4C,mBAAmB;AAAA,IAC/D;AAAA,IACA;AAAA,IACA,aAAa;AAAA,EACf;AAEA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,aACE,cACA;AAAA,IACF,OAAO,aAAa,CAAC,GAAG,WAAW,GAAG,UAAU,IAAI;AAAA,IACpD,uBAAuB;AAAA,IACvB,oBAAoB;AAAA,IACpB,oBAAoB;AAAA,IACpB,iBAAiB;AAAA,IACjB,GAAI,WAAW,EAAE,WAAW,SAAS,IAAI,CAAC;AAAA,IAC1C,GAAI,SAAS,CAAC;AAAA,EAChB;AACF;;;AClMA,IAAM,kCAAkC,KAAK,UAAU;AAAA,EACrD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,gCAAgC,KAAK,UAAU;AAAA,EACnD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,uDAAuD,KAAK,UAAU;AAAA,EAC1E,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,yBAAyB,KAAK,UAAU;AAAA,EAC5C,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAEM,IAAM,8BAA8B,KAAK,UAAU;AAAA,EACxD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,sCAAsC,KAAK,UAAU;AAAA,EACzD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,6BAAkE;AAAA,EACtE,WAAW;AAAA,EACX,oBAAoB;AAAA,EACpB,kBAAkB;AAAA,EAClB,gCAAgC;AAAA,EAChC,eAAe;AACjB;AAEA,IAAM,mBAA+C;AAAA,EACnD,kBACE;AAAA,EACF,gCACE;AAAA,EACF,oBACE;AAAA,EACF,WACE;AAAA,EACF,kBACE;AAAA,EACF,wBACE;AAAA,EACF,qCACE;AAAA,EACF,eACE;AAAA,EACF,oBACE;AACJ;AAKA,IAAM,kBAAkB,oBAAI,IAAI;AAAA,EAC9B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAEM,SAAS,mBAAmB,QAA+C;AAChF,QAAM,UAAU,OAAO,WAAW,iBAAiB,OAAO,IAAI;AAC9D,QAAM,OAAgC,EAAE,OAAO,EAAE,MAAM,OAAO,MAAM,QAAQ,EAAE;AAC9E,MAAI,OAAO,SAAU,MAAK,WAAW,OAAO;AAC5C,MAAI,OAAO,QAAS,MAAK,UAAU,OAAO;AAC1C,MAAI,OAAO,WAAY,MAAK,aAAa,OAAO;AAChD,MAAI,OAAO,WAAY,MAAK,aAAa,OAAO;AAChD,MAAI,OAAO,YAAa,MAAK,cAAc,OAAO;AAClD,MAAI,OAAO,SAAU,MAAK,WAAW,OAAO;AAC5C,QAAM,eAAe,OAAO,sBAAsB,2BAA2B,OAAO,IAAI;AACxF,MAAI,aAAc,MAAK,qBAAqB;AAC5C,MAAI,OAAO,aAAc,MAAK,eAAe,OAAO;AACpD,MAAI,OAAO,iBAAkB,MAAK,mBAAmB,OAAO;AAC5D,MAAI,OAAO,SAAS,yBAA0B,MAAK,yBAAyB,OAAO,0BAA0B;AAC7G,MAAI,OAAO,gBAAiB,MAAK,kBAAkB,OAAO;AAC1D,MAAI,OAAO,cAAe,MAAK,gBAAgB,OAAO;AACtD,MAAI,OAAO,kBAAkB,OAAO,eAAe,SAAS,EAAG,MAAK,iBAAiB,OAAO;AAC5F,MAAI,OAAO,OAAO;AAChB,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,KAAK,GAAG;AACvD,UAAI,gBAAgB,IAAI,GAAG,GAAG;AAC5B,gBAAQ,KAAK,mDAAmD,GAAG,8CAAyC;AAC5G;AAAA,MACF;AACA,WAAK,GAAG,IAAI;AAAA,IACd;AAAA,EACF;AACA,SAAO;AACT;;;ACpKA,IAAM,mBAAmB;AAKlB,IAAM,kBAAkB,CAAC,YAC9B,iBAAiB,KAAK,OAAO,KAAK,CAAC,QAAQ,WAAW,IAAI;AAKrD,IAAM,mBAAmB,CAAC,YAA4B;AAC3D,MAAI,gBAAgB,OAAO,GAAG;AAAE,WAAO;AAAA,EAAS;AAChD,SAAO,QAAQ,YAAY;AAC7B;;;ACvBO,IAAM,WAAN,MAAkB;AAAA,EAIvB,YAAoB,cAAsB,UAAU,KAAO;AAAvC;AAClB,SAAK,UAAU;AAAA,EACjB;AAAA,EAFoB;AAAA,EAHZ,QAAQ,oBAAI,IAA6C;AAAA,EACzD;AAAA,EAMR,IAAI,KAA4B;AAC9B,UAAM,QAAQ,KAAK,MAAM,IAAI,GAAG;AAChC,QAAI,CAAC,MAAO,QAAO;AACnB,QAAI,KAAK,IAAI,IAAI,MAAM,WAAW;AAChC,WAAK,MAAM,OAAO,GAAG;AACrB,aAAO;AAAA,IACT;AACA,WAAO,MAAM;AAAA,EACf;AAAA,EAEA,IAAI,KAAa,OAAU,OAAsB;AAC/C,QAAI,KAAK,MAAM,QAAQ,KAAK,SAAS;AACnC,WAAK,MAAM;AAAA,IACb;AACA,QAAI,KAAK,MAAM,QAAQ,KAAK,SAAS;AACnC,WAAK,YAAY,KAAK,MAAM,OAAO,KAAK,UAAU,CAAC;AAAA,IACrD;AACA,SAAK,MAAM,IAAI,KAAK;AAAA,MAClB;AAAA,MACA,WAAW,KAAK,IAAI,KAAK,SAAS,KAAK;AAAA,IACzC,CAAC;AAAA,EACH;AAAA;AAAA,EAGQ,QAAc;AACpB,UAAM,MAAM,KAAK,IAAI;AACrB,eAAW,CAAC,GAAG,CAAC,KAAK,KAAK,OAAO;AAC/B,UAAI,MAAM,EAAE,WAAW;AACrB,aAAK,MAAM,OAAO,CAAC;AAAA,MACrB;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGQ,YAAY,OAAqB;AACvC,QAAI,UAAU;AACd,eAAW,OAAO,KAAK,MAAM,KAAK,GAAG;AACnC,UAAI,WAAW,MAAO;AACtB,WAAK,MAAM,OAAO,GAAG;AACrB;AAAA,IACF;AAAA,EACF;AACF;;;AJlCA,SAAS,qBAAqB,GAAmB;AAC/C,MAAI,MAAM,EAAE;AACZ,SAAO,MAAM,KAAK,EAAE,WAAW,MAAM,CAAC,MAAM,GAAc;AAC1D,SAAO,QAAQ,EAAE,SAAS,IAAI,EAAE,MAAM,GAAG,GAAG;AAC9C;AAwVA,IAAM,2BAA2B;AAKjC,IAAM,sCAAsC,KAAK,UAAU;AAAA,EACzD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,mDAAmD,KAAK,UAAU;AAAA,EACtE,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAMD,IAAM,kCAAkC,KAAK,UAAU;AAAA,EACrD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAEM,SAAS,uBAAwC;AAItD,QAAM,MAAM;AACZ,SAAO;AAAA,IACL,kCAAkC;AAAA,IAClC,iBACE;AAAA,IAKF,YAAY;AAAA,IACZ,yBAAyB,GAAG,GAAG;AAAA,IAC/B,gBAAgB;AAAA,MACd,QACE;AAAA,MAEF,gBACE;AAAA,IAEJ;AAAA,IACA,WACE;AAAA,IAIF,0BAA0B,CAAC,kBAAkB,aAAa;AAAA,IAC1D,6BAA6B,CAAC,gBAAgB;AAAA,EAChD;AACF;AAMO,SAAS,qBAAqB,SAAgD;AACnF,MAAI,CAAC,QAAQ,QAAQ;AACnB,UAAM,IAAI,MAAM,0EAA0E;AAAA,EAC5F;AAEA,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,WAAW;AAAA,IACX,eAAe;AAAA,IACf,SAAS,aAAa;AAAA,IACtB,OAAO;AAAA,IACP;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,QAAM,UAAU,qBAAqB,UAAU;AAC/C,QAAM,kBAAkB,qBAAqB;AAE7C,QAAM,YAAY,yBAAyB,OAAW;AACtD,QAAM,kBAAkB,YAAY,GAAG,SAAS,KAAK,SAAS,MAAM;AAQpE,QAAM,MAAM,IAAI,WAAW,EAAE,QAAQ,SAAS,WAAW,gBAAgB,CAAC;AAK1E,QAAM,kBAAkB,oBAAI,IAAwB;AACpD,WAAS,cAAc,eAAuB,gBAAqC;AACjF,UAAM,MAAM,GAAG,aAAa,IAAI,kBAAkB,EAAE;AACpD,QAAI,IAAI,gBAAgB,IAAI,GAAG;AAC/B,QAAI,CAAC,GAAG;AACN,UAAI,IAAI,WAAW;AAAA,QACjB,QAAQ;AAAA,QACR,SAAS,kBAAkB;AAAA,QAC3B,WAAW;AAAA,MACb,CAAC;AACD,sBAAgB,IAAI,KAAK,CAAC;AAAA,IAC5B;AACA,WAAO;AAAA,EACT;AAEA,QAAM,QAAQ,IAAI,SAA6B,eAAe,GAAI;AAOlE,iBAAe,qBAAqB,KAAiD;AACnF,QAAI,CAAC,uBAAwB,QAAO;AACpC,QAAI;AACF,YAAM,cAA2D,CAAC;AAClE,UAAI,uBAAuB,WAAW,KAAM,aAAY,UAAU,uBAAuB;AACzF,UAAI,uBAAuB,eAAe,KAAM,aAAY,eAAe,uBAAuB;AAElG,UAAI,uBAAuB,qBAAqB,QAAQ,QAAW;AACjE,YAAI;AACF,gBAAM,UAAU,MAAM,uBAAuB,kBAAkB,GAAG;AAClE,cAAI,SAAS,WAAW,KAAM,aAAY,UAAU,QAAQ;AAC5D,cAAI,SAAS,eAAe,KAAM,aAAY,eAAe,QAAQ;AAAA,QACvE,SAAS,KAAK;AACZ,kBAAQ,KAAK,gEAAgE,eAAe,QAAQ,IAAI,UAAU,GAAG;AAAA,QACvH;AAAA,MACF;AAIA,YAAM,aAAa,cAAc,uBAAuB,QAAQ,uBAAuB,OAAO;AAC9F,YAAM,OAAQ,MAAM,WAAW,cAAc;AAAA,QAC3C,GAAI,YAAY,YAAY,SAAY,EAAE,SAAS,YAAY,QAAQ,IAAI,CAAC;AAAA,QAC5E,GAAI,YAAY,iBAAiB,SAAY,EAAE,cAAc,YAAY,aAAa,IAAI,CAAC;AAAA,MAC7F,CAAC;AAMD,UACE,OAAO,KAAK,eAAe,YAC3B,OAAO,KAAK,gBAAgB,YAC5B,OAAO,KAAK,eAAe,UAC3B;AACA,gBAAQ,KAAK,6FAAwF;AACrG,eAAO;AAAA,MACT;AAIA,UAAI;AACJ,UAAI,uBAAuB,mBAAmB,QAAQ,QAAW;AAC/D,YAAI;AACF,gBAAM,cAAc;AAAA,YAClB,YAAY,KAAK;AAAA,YACjB,YAAY,KAAK;AAAA,YACjB,aAAa,KAAK;AAAA,YAClB,UAAU,KAAK;AAAA,YACf,YAAY,KAAK;AAAA,UACnB;AACA,gBAAM,SAAS,MAAM,uBAAuB,gBAAgB,KAAK,WAAW;AAC5E,cAAI,UAAU,OAAO,WAAW,SAAU,SAAQ;AAAA,QACpD,SAAS,KAAK;AACZ,kBAAQ,KAAK,8DAA8D,eAAe,QAAQ,IAAI,UAAU,GAAG;AAAA,QACrH;AAAA,MACF;AAKA,YAAM,eAAe,KAAK;AAC1B,aAAO;AAAA,QACL,MAAM;AAAA,QACN,YAAY,KAAK;AAAA,QACjB,YAAY,KAAK;AAAA,QACjB,aAAa,KAAK;AAAA,QAClB,UAAU,KAAK;AAAA,QACf,oBAAoB,eAAe,KAAK,UAAU,YAAY,IAAI;AAAA,QAClE,cAAc;AAAA,QACd,GAAI,SAAS,EAAE,MAAM;AAAA,MACvB;AAAA,IACF,SAAS,KAAK;AAKZ,cAAQ,KAAK,iFAA4E,eAAe,QAAQ,IAAI,UAAU,GAAG;AACjI,aAAO;AAAA,IACT;AAAA,EACF;AAEA,iBAAe,SACb,UACA,KACA,QAC0B;AAG1B,QAAI,CAAC,YAAa,CAAC,SAAS,WAAW,CAAC,SAAS,eAAgB;AAO/D,UAAI,SAAU,QAAO,EAAE,MAAM,QAAQ;AAErC,YAAM,gBAAgB,MAAM,qBAAqB,GAAG;AACpD,UAAI,cAAe,QAAO,EAAE,MAAM,QAAQ,QAAQ,cAAc;AAMhE,YAAM,8BAA8B,KAAK,UAAU;AAAA,QACjD,QAAQ;AAAA,QACR,OAAO;AAAA,UACL;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,QACA,cACE;AAAA,MACJ,CAAC;AACD,aAAO;AAAA,QACL,MAAM;AAAA,QACN,QAAQ;AAAA,UACN,MAAM;AAAA,UACN,oBAAoB;AAAA,UACpB,cAAc;AAAA,QAChB;AAAA,MACF;AAAA,IACF;AAMA,UAAMC,YAAW,SAAS,eAAe,YAAY,MAAM,SAAS,UAAU,iBAAiB,SAAS,OAAO,IAAI;AAEnH,UAAM,SAAS,MAAM,IAAIA,SAAQ;AACjC,QAAI,QAAQ;AACV,UAAI,OAAO,OAAO;AAChB,cAAM,YAAY,OAAO;AACzB,cAAM,cAAc,WAAW;AAC/B,eAAO;AAAA,UACL,MAAM;AAAA,UACN,MAAM;AAAA,UACN,GAAI,gBAAgB,UAAa,EAAE,OAAO,YAAY;AAAA,QACxD;AAAA,MACF;AAQA,UAAI,gBAAgB,OAAO,OAAO,GAAG;AACnC,cAAM,gBAAgB,MAAM,qBAAqB,GAAG;AACpD,YAAI,cAAe,QAAO,EAAE,MAAM,QAAQ,QAAQ,cAAc;AAAA,MAClE;AACA,aAAO;AAAA,QACL,MAAM;AAAA,QACN,QAAQ;AAAA,UACN,MAAM;AAAA,UACN,UAAU,OAAO;AAAA,UACjB,SAAS,OAAO;AAAA,UAChB,YAAa,OAAO,KAA6C;AAAA,UACjE,MAAM,OAAO;AAAA,QACf;AAAA,MACF;AAAA,IACF;AAEA,UAAM,SAAkC,CAAC;AACzC,QAAI,cAAc,KAAM,QAAO,cAAc;AAC7C,QAAI,yBAAyB,KAAM,QAAO,0BAA0B;AACpE,QAAI,UAAU,KAAM,QAAO,UAAU;AACrC,QAAI,wBAAwB,KAAM,QAAO,wBAAwB;AACjE,QAAI,wBAAwB,KAAM,QAAO,wBAAwB;AAEjE,QAAI;AACJ,QAAI;AAIF,YAAM,OAAO;AAAA,QACX,OAAO;AAAA,QACP,GAAI,OAAO,KAAK,MAAM,EAAE,SAAS,IAAI,EAAE,OAAwB,IAAI,CAAC;AAAA;AAAA;AAAA;AAAA;AAAA,QAKpE,GAAI,UAAU,EAAE,QAAQ,EAAE,SAAS,OAAO,SAAS,SAAS,OAAO,QAAQ,EAAE;AAAA,MAC/E;AAEA,YAAM,SAAS,SAAS,UACpB,MAAM,IAAI,OAAO,SAAS,SAAS,EAAE,GAAG,MAAM,eAAe,SAAS,cAAc,CAAC,IACrF,MAAM,IAAI,OAAO,MAAM,EAAE,GAAG,MAAM,eAAe,SAAS,cAAe,CAAC;AAC9E,aAAO;AAAA,IACT,SAAS,KAAK;AACZ,UAAI,eAAe,sBAAsB;AACvC,YAAI,SAAU,QAAO,EAAE,MAAM,QAAQ;AACrC,eAAO,EAAE,MAAM,QAAQ,QAAQ,EAAE,MAAM,mBAAmB,EAAE;AAAA,MAC9D;AACA,UAAI,eAAe,mBAAmB;AAGpC,eAAO;AAAA,UACL,MAAM;AAAA,UACN,QAAQ;AAAA,YACN,MAAM;AAAA,YACN,MAAM,IAAI;AAAA,YACV,GAAI,IAAI,YAAY,EAAE,YAAY,IAAI,UAAU,IAAI,CAAC;AAAA,YACrD,GAAI,IAAI,YAAY,EAAE,YAAY,IAAI,UAAU,IAAI,CAAC;AAAA,YACrD,GAAI,IAAI,aAAa,EAAE,aAAa,IAAI,WAAW,IAAI,CAAC;AAAA,YACxD,GAAI,IAAI,UAAU,EAAE,UAAU,IAAI,QAAQ,IAAI,CAAC;AAAA,YAC/C,GAAI,IAAI,YAAY,EAAE,oBAAoB,KAAK,UAAU,IAAI,SAAS,EAAE,IAAI,CAAC;AAAA,YAC7E,GAAI,IAAI,cAAc,EAAE,cAAc,IAAI,YAA+B,IAAI,CAAC;AAAA,UAChF;AAAA,QACF;AAAA,MACF;AACA,UAAI,eAAe,wBAAwB;AAEzC,eAAO;AAAA,UACL,MAAM;AAAA,UACN,QAAQ;AAAA,YACN,MAAM;AAAA,YACN,oBAAoB;AAAA,YACpB,cAAc;AAAA,UAChB;AAAA,QACF;AAAA,MACF;AACA,UAAI,eAAe,oBAAoB;AACrC,gBAAQ,KAAK,+CAA+C;AAC5D,YAAI,SAAU,QAAO,EAAE,MAAM,SAAS,UAAU,MAAM,aAAa,iBAAiB;AACpF,eAAO;AAAA,UACL,MAAM;AAAA,UACN,QAAQ,EAAE,MAAM,aAAa,oBAAoB,4BAA4B;AAAA,QAC/E;AAAA,MACF;AACA,UAAI,eAAe,iBAAiB;AAClC,gBAAQ,KAAK,gCAAgC,IAAI,OAAO;AACxD,YAAI,SAAU,QAAO,EAAE,MAAM,SAAS,UAAU,MAAM,aAAa,kBAAkB;AACrF,eAAO,EAAE,MAAM,QAAQ,QAAQ,EAAE,MAAM,YAAY,EAAE;AAAA,MACvD;AAKA,YAAM,SAAU,KAAoC;AACpD,YAAM,UAAU,eAAe,QAAQ,IAAI,OAAO;AAClD,UAAI,WAAW,KAAK;AAClB,gBAAQ,KAAK,2DAAsD;AACnE,YAAI,SAAU,QAAO,EAAE,MAAM,SAAS,UAAU,MAAM,aAAa,iBAAiB;AACpF,eAAO;AAAA,UACL,MAAM;AAAA,UACN,QAAQ,EAAE,MAAM,aAAa,oBAAoB,4BAA4B;AAAA,QAC/E;AAAA,MACF;AACA,UAAI,YAAY,kBAAkB,YAAY,cAAc;AAC1D,gBAAQ,KAAK,gDAAgD,eAAe,QAAQ,IAAI,UAAU,GAAG;AACrG,YAAI,SAAU,QAAO,EAAE,MAAM,SAAS,UAAU,MAAM,aAAa,kBAAkB;AACrF,eAAO,EAAE,MAAM,QAAQ,QAAQ,EAAE,MAAM,YAAY,EAAE;AAAA,MACvD;AAKA,YAAM,UAAW,KAAkC;AACnD,YAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,YAAM,SAAS,UAAU,GAAG,OAAO,KAAK,GAAG,KAAK;AAChD,cAAQ,KAAK,gEAA2D,MAAM,EAAE;AAChF,UAAI,SAAU,QAAO,EAAE,MAAM,SAAS,UAAU,MAAM,aAAa,YAAY;AAC/E,aAAO,EAAE,MAAM,QAAQ,QAAQ,EAAE,MAAM,YAAY,EAAE;AAAA,IACvD;AAEA,UAAM,WAAW,KAAK;AACtB,UAAM,kBAAmB,KAAK,oBAAiC,CAAC;AAChE,UAAM,QAAQ,aAAa,WAAW,YAAY;AAElD,UAAM,IAAIA,WAAU,EAAE,OAAO,UAAU,YAAY,QAAW,SAAS,iBAAiB,KAAK,KAAK,CAAC;AAEnG,QAAI,OAAO;AAGT,YAAM,QAAQ,KAAK;AACnB,aAAO;AAAA,QACL,MAAM;AAAA,QACN;AAAA,QACA,GAAI,UAAU,UAAa,EAAE,MAAM;AAAA,MACrC;AAAA,IACF;AASA,QAAI,gBAAgB,eAAe,GAAG;AACpC,YAAM,gBAAgB,MAAM,qBAAqB,GAAG;AACpD,UAAI,cAAe,QAAO,EAAE,MAAM,QAAQ,QAAQ,cAAc;AAAA,IAClE;AAEA,WAAO;AAAA,MACL,MAAM;AAAA,MACN,QAAQ;AAAA,QACN,MAAM;AAAA,QACN,UAAU,YAAY;AAAA,QACtB,SAAS;AAAA,QACT,YAAY,KAAK;AAAA,QACjB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,iBAAe,cAAcC,UAA8C;AACzE,QAAI;AACF,YAAM,IAAI,gBAAgB;AAAA,QACxB,eAAeA,SAAQ;AAAA,QACvB,eAAeA,SAAQ;AAAA,QACvB,SAASA,SAAQ;AAAA,QACjB,GAAIA,SAAQ,iBAAiB,EAAE,gBAAgBA,SAAQ,eAAe,IAAI,CAAC;AAAA,MAC7E,CAAC;AAAA,IACH,SAAS,KAAK;AAGZ,cAAQ,KAAK,+CAA+C,eAAe,QAAQ,IAAI,UAAU,GAAG;AAAA,IACtG;AAAA,EACF;AAKA,WAAS,mBACP,IACA,aACA,YAC0B;AAC1B,UAAM,OAAO,GAAG;AAChB,QAAI,SAAS,QAAQ;AACnB,aAAO;AAAA,QACL,MAAM;AAAA,QACN,iBAAkB,GAAG,oBAAkD;AAAA,QACvE,gBAAiB,GAAG,mBAAiD;AAAA,MACvE;AAAA,IACF;AACA,QAAI,SAAS,uCAAuC;AAClD,aAAO;AAAA,QACL,MAAM;AAAA,QACN,eAAgB,GAAG,kBAAyC;AAAA,QAC5D,mBACG,GAAG,sBAA6C;AAAA,MACrD;AAAA,IACF;AAEA,UAAM,SAAS,GAAG;AAClB,WAAO;AAAA,MACL,MAAM;AAAA,MACN,iBAAkB,GAAG,oBAAkD;AAAA,MACvE,sBAAuB,GAAG,mBAAiD;AAAA,MAC3E,gBAAiB,GAAG,mBAA0C;AAAA,MAC9D,cAAe,GAAG,iBAAwC;AAAA,MAC1D,eAAe,MAAM,QAAQ,MAAM,IAC9B,OAAqB,OAAO,CAAC,MAAmB,OAAO,MAAM,QAAQ,IACtE,CAAC;AAAA,MACL,mBACG,GAAG,sBAA6C;AAAA,IACrD;AAAA,EACF;AASA,WAAS,iBAAiB,gBAAmD;AAC3E,UAAM,cAAc,iBAAiB,cAAc;AACnD,UAAM,SAAS,MAAM,IAAI,WAAW;AACpC,QAAI,CAAC,OAAQ,QAAO;AACpB,UAAM,MAAM,OAAO;AACnB,QAAI,CAAC,IAAK,QAAO;AACjB,UAAM,WAAW,IAAI;AACrB,UAAM,eAAe,IAAI;AACzB,QAAI,CAAC,YAAY,CAAC,aAAc,QAAO;AAIvC,UAAM,aAAc,UAAU,iBAAwC;AACtE,WAAO;AAAA,MACL,cAAc,WAAW,mBAAmB,UAAU,aAAa,UAAU,IAAI;AAAA,MACjF,kBAAkB,gBAAgB;AAAA,IACpC;AAAA,EACF;AAEA,SAAO,EAAE,UAAU,eAAe,iBAAiB;AACrD;;;AKt2BA,IAAM,gBAAgB;AACtB,IAAM,qBAAqB;AAC3B,IAAM,iCAAiC;AAuBvC,eAAe,kCAAkC,YAA6C;AAC5F,QAAM,UAAW,WAAqE;AACtF,MAAI,CAAC,SAAS,eAAe,QAAQ,SAAS,cAAe,QAAO;AAEpE,QAAM,aAAa;AACnB,QAAM,MAAO,MAAM,OAAO,YAAY,MAAM,MAAM,IAAI;AACtD,MAAI,CAAC,KAAK,kBAAkB,CAAC,IAAI,yBAAyB,CAAC,IAAI,sCAAsC;AACnG,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,UAAU,IAAI,eAAe,EAAE,OAAO,QAAQ,WAAW;AAC/D,UAAM,UAAU,IAAI,sBAAsB,EAAE,OAAO,OAAO;AAC1D,UAAM,UAAU,IAAI,qCAAqC,EAAE,OAAO,QAAQ,YAAY;AAOtF,eAAW,MAAM,QAAQ,cAAc;AACrC,YAAM,YAAY,QAAQ,eAAe,GAAG,mBAAmB;AAC/D,UAAI,cAAc,iBAAiB,cAAc,mBAAoB;AACrE,YAAM,OAAO,GAAG;AAChB,UAAI,CAAC,QAAQ,KAAK,WAAW,KAAK,KAAK,CAAC,MAAM,+BAAgC;AAC9E,YAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAC7C,YAAM,iBAAiB,eAAe,CAAC;AACvC,UAAI,mBAAmB,OAAW;AAKlC,UAAI,kBAAkB,QAAQ,eAAe,QAAQ;AACnD,gBAAQ;AAAA,UACN;AAAA,QAEF;AACA;AAAA,MACF;AACA,YAAM,YAAY,QAAQ,eAAe,cAAc;AACvD,UAAI,UAAW,QAAO;AAAA,IACxB;AACA,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,YAAQ,KAAK,2CAA2C,eAAe,QAAQ,IAAI,UAAU,GAAG;AAChG,WAAO;AAAA,EACT;AACF;AAkBA,eAAsB,qBACpB,SACA,mBAC+B;AAE/B,QAAM,aAAa,QAAQ,QAAQ,IAAI,eAAe;AACtD,MAAI,YAAY;AACd,QAAI;AACF,YAAM,aAAa;AACnB,YAAM,OAAQ,MAAM,OAAO,YAAY,MAAM,MAAM,IAAI;AAMvD,UAAI,MAAM,YAAY,qBAAqB,UAAU,GAAG;AACtD,cAAM,aAAa,KAAK,WAAW,YAAY,OAAO;AACtD,cAAM,SAAU,WAAmC;AACnD,cAAM,WAAW,QAAQ,MAAM,0CAA0C;AACzE,YAAI,SAAU,QAAO,EAAE,SAAS,SAAS,CAAC,EAAG,YAAY,GAAG,SAAS,MAAM;AAE3E,cAAM,WAAW,QAAQ,MAAM,4EAA4E;AAC3G,YAAI,SAAU,QAAO,EAAE,SAAS,SAAS,CAAC,GAAI,SAAS,SAAS;AAIhE,cAAM,eAAe,MAAM,kCAAkC,UAAU;AACvE,YAAI,aAAc,QAAO,EAAE,SAAS,cAAc,SAAS,SAAS;AAAA,MACtE;AAAA,IACF,SAAS,KAAK;AACZ,cAAQ,KAAK,wCAAwC,eAAe,QAAQ,IAAI,UAAU,GAAG;AAAA,IAC/F;AAAA,EACF;AAGA,MAAI,mBAAmB;AACrB,QAAI;AACF,YAAM,UAAU,KAAK,iBAAiB;AACtC,YAAM,SAAS,KAAK,MAAM,OAAO;AAGjC,YAAM,OAAO,QAAQ,SAAS,eAAe;AAC7C,UAAI,OAAO,SAAS,YAAY,sBAAsB,KAAK,IAAI,GAAG;AAChE,eAAO,EAAE,SAAS,KAAK,YAAY,GAAG,SAAS,MAAM;AAAA,MACvD;AAAA,IACF,SAAS,KAAK;AACZ,cAAQ,KAAK,yCAAyC,eAAe,QAAQ,IAAI,UAAU,GAAG;AAAA,IAChG;AAAA,EACF;AAEA,SAAO;AACT;AASA,eAAsB,6BACpB,YACA,mBAC+B;AAC/B,QAAM,UAAU,IAAI,QAAQ,yBAAyB;AAAA,IACnD,SAAS,aAAa,EAAE,eAAe,WAAW,IAAI,CAAC;AAAA,EACzD,CAAC;AACD,SAAO,qBAAqB,SAAS,iBAAiB;AACxD;AAMO,SAAS,sBAAsB,SAAsC;AAC1E,SACE,QAAQ,QAAQ,IAAI,mBAAmB,KACvC,QAAQ,QAAQ,IAAI,WAAW,KAC/B;AAEJ;AAEA,SAAS,aAAa,SAAyD;AAC7E,QAAM,MAA8B,CAAC;AACrC,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,OAAO,EAAG,KAAI,EAAE,YAAY,CAAC,IAAI;AACrE,SAAO;AACT;AAmBA,eAAsB,yBACpB,SAC+B;AAC/B,QAAM,QAAQ,aAAa,OAAO;AAClC,QAAM,OAAO,MAAM,mBAAmB,KAAK,MAAM,WAAW;AAC5D,MAAI,MAAM;AACR,UAAM,SAAS,MAAM,6BAA6B,QAAW,IAAI;AACjE,QAAI,WAAW,KAAM,QAAO;AAAA,EAC9B;AACA,QAAM,gBAAgB,MAAM,eAAe;AAC3C,MAAI,iBAAiB,cAAc,YAAY,EAAE,WAAW,UAAU,GAAG;AACvE,WAAO,MAAM,6BAA6B,aAAa;AAAA,EACzD;AACA,SAAO;AACT;;;ACpNA,IAAM,mBAAmB;AACzB,IAAM,2BAA2B;AACjC,IAAM,qBAAqB;AAC3B,IAAM,sBAAsB;AAKrB,IAAM,wBAAwB;AAuD9B,SAAS,gBACd,eAA2D,CAAC,GAC5D,UAAkC,CAAC,GACZ;AACvB,SAAO;AAAA,IACL,KAAK;AAAA,IACL,aAAa;AAAA,IACb,UAAU,QAAQ,YAAY;AAAA,IAC9B,QAAQ,EAAE,aAAa;AAAA,EACzB;AACF;AAwIO,SAAS,kBAAkB,OAA6C;AAC7E,MAAI,CAAC,MAAM,UAAU,MAAM,OAAO,WAAW,GAAG;AAC9C,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,eAAyC,CAAC;AAChD,MAAI,MAAM,cAAc,OAAW,cAAa,YAAY,MAAM;AAClE,MAAI,MAAM,uBAAuB,OAAW,cAAa,qBAAqB,MAAM;AACpF,MAAI,MAAM,cAAc,MAAM,WAAW,SAAS,EAAG,cAAa,aAAa,MAAM;AACrF,MAAI,MAAM,wBAAwB,OAAW,cAAa,sBAAsB,MAAM;AAEtF,QAAM,mBAAsC;AAAA,IAC1C,KAAK,MAAM;AAAA,IACX,kBAAkB,MAAM,oBAAoB;AAAA,IAC5C,kBAAkB,MAAM,wBAAwB;AAAA,EAClD;AAEA,QAAM,OAAqB;AAAA,IACzB,MAAM,MAAM;AAAA,IACZ,aAAa,MAAM;AAAA,IACnB,sBAAsB,CAAC,gBAAgB;AAAA,IACvC,SAAS,MAAM,WAAW;AAAA,IAC1B;AAAA,IACA,qBAAqB,MAAM,uBAAuB,CAAC,kBAAkB;AAAA,IACrE,sBAAsB,MAAM,wBAAwB,CAAC,mBAAmB;AAAA,IACxE,QAAQ,MAAM;AAAA,EAChB;AACA,MAAI,MAAM,aAAa,OAAW,MAAK,WAAW,MAAM;AACxD,MAAI,MAAM,sBAAsB,OAAW,MAAK,oBAAoB,MAAM;AAC1E,MAAI,MAAM,aAAa,OAAW,MAAK,WAAW,MAAM;AACxD,MAAI,MAAM,eAAe,UAAa,MAAM,WAAW,SAAS,EAAG,MAAK,aAAa,MAAM;AAC3F,MAAI,MAAM,qBAAqB,OAAW,MAAK,mBAAmB,MAAM;AACxE,MAAI,MAAM,0BAA0B,OAAW,MAAK,wBAAwB,MAAM;AAClF,MAAI,MAAM,QAAQ;AAChB,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,MAAM,MAAM,GAAG;AACjD,WAAK,CAAC,IAAI;AAAA,IACZ;AAAA,EACF;AACA,SAAO;AACT;;;AC9NA;AAcA;;;ACzBA,SAAS,kBAAkB;;;ACnB3B;AAUA,eAAsB,iBAAiB,GAAmC;AACxE,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,SAAO,QAAQ,QAAQ,EAAE,CAAC;AAC5B;AAmFO,IAAM,qBAAqB;AAAA,EAChC,OAAO;AAAA,IACL,SAAS;AAAA,IACT,SAAS;AAAA,IACT,OAAO,KAAK,MAAM,QAAQ;AAAA,IAC1B,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,SAAS;AAAA,IACT,WAAW;AAAA,EACb;AAAA,EACA,UAAU;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,IACT,OAAO,KAAK,KAAK,QAAQ;AAAA,IACzB,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,MAAM;AAAA,EACR;AAAA,EACA,WAAW;AAAA,IACT,SAAS;AAAA,IACT,OAAO,KAAK,OAAO,QAAQ;AAAA,IAC3B,QAAQ;AAAA,IACR,UAAU;AAAA,EACZ;AAAA,EACA,QAAQ;AAAA,IACN,OAAO,CAAC,QAAQ,QAAQ,sBAAsB;AAAA,EAChD;AAAA,EACA,cAAc;AAAA,IACZ,UAAU,KAAK,MAAM,QAAQ;AAAA,IAC7B,SAAS;AAAA,EACX;AACF;;;ACrFA,eAAsB,qBAAqB;AAAA,EACzC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,GAKmC;AACjC,QAAM,MAA6B,CAAC;AAEpC,MAAI,OAAO;AACT,QAAI,KAAK;AAAA,MACP,QAAQ;AAAA,MACR,SAAS,MAAM,WAAW,mBAAmB,MAAM;AAAA,MACnD,UAAU,MAAM,WAAW,mBAAmB,MAAM;AAAA,MACpD,OAAO,MAAM,SAAS,mBAAmB,MAAM;AAAA,MAC/C,QAAQ,MAAM,UAAU,mBAAmB,MAAM;AAAA,MACjD,UAAU,MAAM,YAAY,mBAAmB,MAAM;AAAA,MACrD,QAAQ,MAAM,iBAAiB,MAAM,SAAS;AAAA,IAChD,CAAC;AAAA,EACH;AAEA,MAAI,WAAW;AACb,QAAI,KAAK;AAAA,MACP,QAAQ;AAAA,MACR,SAAS,UAAU,WAAW,mBAAmB,SAAS;AAAA,MAC1D,UAAU,UAAU,WAAW,mBAAmB,SAAS;AAAA,MAC3D,OAAO,UAAU,SAAS,mBAAmB,SAAS;AAAA,MACtD,QAAQ,UAAU,UAAU,mBAAmB,SAAS;AAAA,MACxD,UAAU,UAAU,YAAY,mBAAmB,SAAS;AAAA,MAC5D,QAAQ,MAAM,iBAAiB,UAAU,SAAS;AAAA,IACpD,CAAC;AAAA,EACH;AAEA,MAAI,YAAY;AACd,QAAI,KAAK;AAAA,MACP,QAAQ;AAAA,MACR,SAAS,WAAW,WAAW,mBAAmB,UAAU;AAAA,MAC5D,OAAO,WAAW,SAAS,mBAAmB,UAAU;AAAA,MACxD,QAAQ,WAAW,UAAU,mBAAmB,UAAU;AAAA,MAC1D,UAAU,WAAW,YAAY,mBAAmB,UAAU;AAAA,MAC9D,QAAQ,MAAM,iBAAiB,WAAW,SAAS;AAAA,IACrD,CAAC;AAAA,EACH;AAEA,MAAI,QAAQ;AACV,QAAI,KAAK;AAAA,MACP,QAAQ;AAAA,MACR,OAAO,OAAO,SAAS,CAAC,GAAG,mBAAmB,OAAO,KAAK;AAAA,MAC1D,YAAY,OAAO,aAAa;AAAA,IAClC,CAAC;AAAA,EACH;AAEA,SAAO;AACT;;;AC9FA,IAAM,gBACJ;AAEF,IAAM,eACJ;AAEF,IAAM,aAAa;AACnB,IAAM,sBAAsB;AAE5B,IAAM,+BACJ;AAEF,SAAS,wBAAwB,UAAmC;AAClE,QAAM,QAAkB,CAAC;AACzB,MAAI,SAAS,MAAO,OAAM,KAAK,UAAU;AACzC,MAAI,SAAS,SAAS,SAAS,aAAa,SAAS,WAAY,OAAM,KAAK,mBAAmB;AAC/F,SAAO;AACT;AAEA,SAAS,gBAAgB,UAAmC;AAC1D,QAAM,IAAc,CAAC;AACrB,MAAI,SAAS,MAAO,GAAE,KAAK,aAAa;AACxC,MAAI,SAAS,UAAW,GAAE,KAAK,YAAY;AAC3C,SAAO;AACT;AAiBA,IAAM,eAAmD;AAAA,EACvD,WAAW,CAAC,kBAAkB,iBAAiB,YAAY;AAAA,EAC3D,WAAW,CAAC,kBAAkB,cAAc,4BAA4B;AAAA,EACxE,YAAY,CAAC,gBAAgB;AAAA,EAC7B,QAAQ,CAAC,UAAU;AACrB;AAMO,SAAS,yBAAyBC,QAA0D;AACjG,QAAM,MAAyB,CAAC;AAChC,aAAW,KAAKA,OAAO,KAAI,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,CAAC;AACnD,SAAO,OAAO,KAAK,GAAG,EAAE,WAAW,IAAI,SAAY;AACrD;AAEA,SAAS,yBAAyB,UAAwD;AACxF,QAAMA,SAAmB,CAAC;AAC1B,MAAI,SAAS,MAAO,CAAAA,OAAM,KAAK,WAAW;AAC1C,MAAI,SAAS,UAAW,CAAAA,OAAM,KAAK,WAAW;AAC9C,MAAI,SAAS,WAAY,CAAAA,OAAM,KAAK,YAAY;AAChD,MAAI,SAAS,OAAQ,CAAAA,OAAM,KAAK,QAAQ;AACxC,SAAO,yBAAyBA,MAAK;AACvC;AAWO,SAAS,uBAAuB;AAAA,EACrC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,GAsBsB;AACpB,QAAM,uBAAuB,qBAAqB,yBAAyB,QAAQ;AACnF,SAAO;AAAA,IACL,YAAY;AAAA,IACZ,mBAAmB,oBAAoB,wBAAwB,QAAQ;AAAA,IACvE,sBAAsB,uBAAuB;AAAA,IAC7C,iBAAiB,kBAAkB;AAAA,IACnC,UAAU,YAAY,CAAC,GAAG,gBAAgB,QAAQ,GAAG,GAAI,iBAAiB,CAAC,CAAE;AAAA,IAC7E,GAAI,cAAc,EAAE,YAAY,IAAI,CAAC;AAAA,IACrC,GAAI,uBAAuB,EAAE,oBAAoB,qBAAqB,IAAI,CAAC;AAAA,IAC3E,GAAI,SAAS,CAAC;AAAA,EAChB;AACF;;;AChGO,SAAS,0BAA0B;AAAA,EACxC;AACF,GAEgC;AAC9B,MAAI,CAAC,eAAgB,QAAO;AAC5B,SAAO,qBAAqB;AAC9B;;;ACjCO,SAAS,aAAa;AAAA,EAC3B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,GAkC4B;AAC1B,QAAM,OAAgC;AAAA,IACpC,kBAAkB;AAAA,IAClB,kBAAkB;AAAA,EACpB;AAEA,MAAI,MAAM;AACR,SAAK,cAAc,KAAK,WAAW;AACnC,SAAK,UAAU,KAAK;AACpB,QAAI,KAAK,eAAe,UAAa,OAAO,KAAK,KAAK,UAAU,EAAE,SAAS,GAAG;AAC5E,WAAK,aAAa,KAAK;AAAA,IACzB;AAAA,EACF;AAEA,MAAI,cAAc,OAAW,MAAK,aAAa;AAC/C,MAAI,SAAU,MAAK,WAAW;AAC9B,MAAI,QAAS,MAAK,UAAU;AAC5B,MAAI,YAAY,OAAW,MAAK,WAAW;AAC3C,MAAI,QAAS,MAAK,UAAU;AAC5B,MAAI,YAAa,MAAK,cAAc;AACpC,MAAI,cAAc,OAAW,MAAK,aAAa;AAE/C,MAAI,kBAAkB;AACpB,WAAO,OAAO,MAAM,gBAAgB;AAAA,EACtC;AAEA,MAAI,kBAAmB,MAAK,qBAAqB;AACjD,MAAI,gBAAgB,OAAW,MAAK,eAAe;AAEnD,MAAI,MAAO,QAAO,OAAO,MAAM,KAAK;AAEpC,SAAO;AACT;;;AC3DA,IAAM,cAAc;AAAA,EAClB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,IAAM,iBAAiB;AAAA,EACrB;AAAA,EACA;AAAA,EACA;AACF;AAEA,IAAM,mBAAmB;AAAA,EACvB;AAAA,EACA;AAAA,EACA;AACF;AASO,SAAS,cAAc;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AAAA,EACA,OAAAC;AAAA,EACA;AAAA,EACA;AACF,GAakB;AAChB,QAAM,WAAW,OAAO,aAAa,WAAW,OAAO,QAAQ,IAAI;AACnE,QAAM,cAAc,OAAO,aAAa,KAAK,KAAK,QAAQ,IAAI,GAAG,QAAQ,CAAC,CAAC;AAC3E,QAAM,UAAU,sBAAsB;AACtC,QAAM,QAAuB,CAAC;AAE9B,MAAIA,OAAM,OAAO;AACf,UAAM,cAAcA,OAAM,MAAM,UAAU,kBAAmBA,OAAM,MAAM,WAAW,mBAAmB,MAAM;AAC7G,UAAM,UAAUA,OAAM,MAAM,WAAW,mBAAmB,MAAM;AAChE,UAAM,YAAYA,OAAM,MAAM,aAAa,mBAAmB,MAAM;AACpE,UAAM,eAAe,+CAA+C,OAAO,iDAAiD,aAAa,iBAAiB,WAAW,IAAI,GAAG;AAC5K,UAAM,aAAa,2BAA2B,GAAG,wCAAwC,OAAO,6CAA6C,aAAa,iBAAiB,WAAW;AACtL,UAAM,QAAQ;AAAA,MACZ,OAAO;AAAA,MACP,cAAc,6DAA6D,WAAW,WAAW,OAAO,kBAAkB,WAAW;AAAA,MACrI,SAAS,cAAc,mBAAmB,aAAa;AAAA,MACvD,GAAI,cAAc,SACd,EAAE,qBAAqB,WAAW,IAClC,cAAc,mBACZ,EAAE,qBAAqB,aAAa,IACpC,CAAC;AAAA,MACP,cAAc,0BAA0B,WAAW;AAAA,IACrD;AAAA,EACF;AAEA,MAAIA,OAAM,WAAW;AACnB,UAAM,UAAUA,OAAM,UAAU,WAAW,mBAAmB,SAAS;AACvE,UAAM,YAAY;AAAA,MAChB,OAAO;AAAA,MACP,cAAc,iFAAiF,OAAO,kBAAkB,WAAW;AAAA,MACnI,SAAS,2BAA2B,GAAG,uCAAuC,OAAO,6CAA6C,aAAa,iBAAiB,WAAW;AAAA,MAC3K,cAAc;AAAA,IAChB;AAAA,EACF;AAEA,MAAIA,OAAM,YAAY;AACpB,UAAM,UAAUA,OAAM,WAAW,WAAW,mBAAmB,UAAU;AACzE,UAAM,aAAa;AAAA,MACjB,OAAO;AAAA,MACP,cAAc,qFAAqF,OAAO,kBAAkB,WAAW;AAAA,MACvI,SAAS,2BAA2B,GAAG,yCAAyC,OAAO,6CAA6C,aAAa,iBAAiB,WAAW;AAAA,MAC7K,cAAc;AAAA,IAChB;AAAA,EACF;AAEA,MAAIA,OAAM,QAAQ;AAChB,UAAM,YAAYA,OAAM;AACxB,UAAM,cAAc,KAAK,MAAM,WAAW,GAAG;AAC7C,UAAM,iBAAiB,cAAc;AACrC,UAAM,cAAc,UAAU,eAAe;AAC7C,UAAM,aAAa,eAAe,WAAW,+FAA+F,QAAQ;AACpJ,UAAM,SAA8B;AAAA,MAClC,cACE;AAAA,MACF,cACE;AAAA,IACJ;AACA,QAAI,UAAU,aAAa,CAAC,gBAAgB;AAC1C,aAAO,iBAAiB;AAAA,QACtB;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA,aAAO,mBAAmB;AAAA,QACxB,0JAA0J,UAAU,SAAS,aAAa,WAAW,eAAe,UAAU;AAAA,QAC9N,oBAAoB,GAAG,uDAAuD,aAAa,iCAAiC,OAAO;AAAA,MACrI;AACA,aAAO,wBACL;AAAA,IACJ,WAAW,gBAAgB;AACzB,aAAO,OAAO,0IAAqI,QAAQ;AAAA,IAC7J;AACA,UAAM,SAAS;AAAA,EACjB;AAEA,SAAO;AACT;;;AC3IO,SAAS,sBAAsB;AAAA,EACpC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,GAM0B;AACxB,QAAM,QAA+B,EAAE,eAAe,KAAK;AAE3D,MAAI,SAAS,SAAU,QAAO;AAE9B,MAAI,QAAQ;AACV,UAAM,kBAAkB,mBAAmB,kBAAkB;AAAA,EAC/D;AACA,MAAI,iBAAiB,cAAc,SAAS,GAAG;AAC7C,UAAM,iBAAiB;AAAA,EACzB;AACA,QAAM,oBACJ,oBACA;AAEF,SAAO;AACT;;;ACQO,SAAS,kBAAkB;AAAA,EAChC;AAAA,EACA,WAAW;AAAA,EACX;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,GASiB;AACf,QAAM,WAAW,iBAAiB;AAClC,QAAM,WAAW,iBAAiB;AAClC,QAAM,QAAQ,cAAc,KAAK,IAAI,GAAG,gBAAgB,WAAW,WAAW,QAAQ;AAEtF,QAAM,QAAsB;AAAA,IAC1B,UAAU,YAAY,aAAa;AAAA,IACnC,KAAK,YAAY,QAAQ;AAAA,IACzB,OAAO,YAAY,KAAK;AAAA,EAC1B;AAEA,MAAI,kBAAkB,OAAW,OAAM,WAAW,YAAY,QAAQ;AACtE,MAAI,kBAAkB,OAAW,OAAM,WAAW,YAAY,QAAQ;AACtE,MAAI,YAAY,OAAW,OAAM,WAAW;AAC5C,MAAI,aAAa,OAAW,OAAM,YAAY;AAC9C,MAAI,aAAa,OAAW,OAAM,WAAW;AAE7C,SAAO;AACT;AAEA,SAAS,YAAY,OAAuB;AAC1C,UAAQ,QAAQ,KAAK,QAAQ,CAAC;AAChC;;;ACpEA;AASO,SAAS,WAAW;AAAA,EACzB;AAAA,EACA;AAAA,EACA;AACF,GAUqB;AACnB,QAAM,UAAkC,CAAC;AACzC,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,oBAAoB,GAAG;AACzD,YAAQ,EAAE,YAAY,CAAC,IAAI;AAAA,EAC7B;AACA,UAAQ,cAAc,IAAI;AAC1B,MAAI,MAAM;AACR,YAAQ,kBAAkB,IAAI,sBAAsB,IAAI;AAAA,EAC1D;AACA,SAAO,EAAE,MAAM,SAAS,QAAQ,IAAI;AACtC;;;AC7BO,SAAS,qBAAqB;AAAA,EACnC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,GAOwB;AACtB,QAAM,OAA4B;AAAA,IAChC,OAAO,EAAE,MAAM,QAAQ;AAAA,EACzB;AACA,MAAI,eAAgB,MAAK,kBAAkB;AAC3C,MAAI,gBAAgB,OAAW,MAAK,eAAe;AACnD,MAAI,UAAW,MAAK,aAAa;AACjC,MAAI,MAAO,QAAO,OAAO,MAAM,KAAK;AACpC,SAAO;AACT;;;ACnCA,eAAsB,iBAAiB;AAAA,EACrC;AAAA,EACA;AAAA,EACA;AACF,GAOqB;AACnB,QAAM,aAAa;AACnB,QAAM,OAAQ,MAAM,OAAO,YAAY,MAAM,MAAM,IAAI;AAUvD,MAAI,CAAC,MAAM,QAAQ,QAAQ;AACzB,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,SAAO,KAAK,OAAO,OAAO;AAAA,IACxB,WAAW;AAAA,IACX,oBAAoB,sBAAsB,CAAC,QAAQ,MAAM;AAAA,IACzD;AAAA,EACF,CAAC;AACH;;;ACvDA;AAQA;AAqCA,SAAS,iBAAiB,GAAsC;AAC9D,SAAO,EAAE,eAAe;AAC1B;AAEA,SAASC,wBAAuB,GAA4C;AAC1E,SAAO,oBAAoB,KAAK,WAAW;AAC7C;AAEA,SAAS,oBAAoB,GAAyC;AACpE,MAAI,EAAE,eAAe,GAAI,QAAO;AAChC,MAAI,oBAAoB,EAAG,QAAO;AAClC,MAAI,YAAY,KAAK,kBAAkB,EAAG,QAAO;AACjD,SAAQ,EAA2B,SAAS,WAAW,SAAS,KAAK;AACvE;AAEA,SAAS,uBAAuB,OAA6C;AAC3E,MAAI,UAAU,SAAS,OAAO,OAAO,MAAO,QAAO;AACnD,SAAO;AACT;AAEA,SAAS,oBAAoB,SAAmC;AAC9D,MAAI,YAAY,eAAgB,QAAO;AACvC,MAAI,YAAY,SAAU,QAAO;AACjC,SAAO;AACT;AAsBA,eAAsB,iBAAiB;AAAA,EACrC,OAAAC;AAAA,EACA,SAAS;AAAA,EACT;AACF,GAIqB;AACnB,QAAM,OAAO,MAAM,cAA0B,aAAa;AAE1D,MAAI,CAAC,MAAM,MAAM,QAAQ;AACvB,UAAM,IAAI,MAAM,uEAAkE;AAAA,EACpF;AAGA,QAAM,UAAqB,CAAC,GAAI,gBAAgB,CAAC,CAAE;AAEnD,aAAW,CAAC,MAAM,IAAI,KAAK,OAAO,QAAQA,UAAS,CAAC,CAAC,GAAG;AACtD,QAAI,iBAAiB,IAAI,GAAG;AAC1B,cAAQ,KAAK,MAAM,eAAe,IAAI,CAAC;AACvC;AAAA,IACF;AACA,QAAID,wBAAuB,IAAI,GAAG;AAChC,cAAQ,KAAK,MAAM,qBAAqB,MAAM,IAAI,CAAC;AACnD;AAAA,IACF;AACA,QAAI,oBAAoB,IAAI,GAAG;AAC7B,cAAQ,KAAK,MAAM,eAAe,IAAI,CAAC;AACvC;AAAA,IACF;AAEA,YAAQ,KAAK,cAAc,MAAM,MAAuB,IAAI,CAAC;AAAA,EAC/D;AAEA,SAAO,KAAK,KAAK,OAAO,EAAE,SAAS,UAAU,CAAC;AAChD;AAEA,SAAS,cAAc,MAAkB,MAAqB,OAAwB;AAEpF,MAAI,CAAC,KAAK,OAAO,QAAQ;AACvB,UAAM,IAAI,MAAM,sEAAiE;AAAA,EACnF;AAEA,QAAM,kBAAkB,KAAK,UAAU,KAAK,MAAM,QAAQ,UAAU,KAAK,MAAM,QAAQ;AACvF,MAAI,OAAO,KAAK,cAAc,UAAU;AACtC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,SAAO,KAAK,MAAM,OAAO;AAAA,IACvB,UAAU,KAAK,SAAS;AAAA,IACxB,WAAW,KAAK;AAAA,IAChB,SAAS,KAAK,WAAW;AAAA,EAC3B,CAAC;AACH;AAEA,eAAe,qBAAqB,MAAkB,MAA8C;AAElG,MAAI,CAAC,KAAK,OAAO,SAAS;AACxB,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,kBAAkB,KAAK,UAAU,KAAK,MAAM,QAAQ,UAAU,KAAK,MAAM,QAAQ;AACvF,SAAO,KAAK,MAAM,QAAQ;AAAA,IACxB,UAAU,KAAK,YAAY;AAAA,IAC3B,WAAW,MAAM,iBAAiB,KAAK,SAAS;AAAA,IAChD,gBAAgB,KAAK;AAAA,IACrB,OAAO,KAAK;AAAA,IACZ,SAAS,KAAK,WAAW;AAAA,IACzB,GAAI,KAAK,SAAS,EAAE,QAAQ,KAAK,OAAO,IAAI,CAAC;AAAA,EAC/C,CAAC;AACH;AAEA,eAAe,eAAe,MAA2C;AACvE,QAAM,YAAY,MAAM,cAA+B,oBAAoB;AAC3E,MAAI,CAAC,WAAW,QAAQ;AACtB,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,QAAM,UAAU,uBAAuB,KAAK,OAAO;AACnD,QAAM,cACJ,YAAY,iBAAiB,KAAK,OAAO,QAAQ,OAAO,KAAK,OAAO,OAAO;AAC7E,QAAM,kBACJ,YAAY,iBAAiB,KAAK,OAAO,QAAQ,WAAW,KAAK,OAAO,OAAO;AACjF,MAAI,OAAO,KAAK,cAAc,UAAU;AACtC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,QAAM,aAAa,UAAU,OAAO;AAAA,IAClC,WAAW,KAAK;AAAA,IAChB,UAAU,KAAK,SAAS;AAAA,IACxB,UAAU,KAAK,YAAY;AAAA,IAC3B;AAAA,IACA,GAAI,KAAK,SAAS,EAAE,QAAQ,KAAK,OAAO,IAAI,CAAC;AAAA,IAC7C,GAAI,KAAK,SAAS,EAAE,QAAQ,KAAK,OAAO,IAAI,CAAC;AAAA,IAC7C,GAAI,KAAK,eAAe,EAAE,cAAc,KAAK,aAAa,IAAI,CAAC;AAAA,EACjE,CAAC;AACD,SAAO,uCAAuC,YAAY,KAAK,UAAU,oBAAoB,OAAO,CAAC;AACvG;AAEA,eAAe,eAAe,MAAwC;AACpE,MAAI,CAAC,KAAK,aAAa,CAAC,KAAK,WAAW;AACtC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,SAAO,iBAAiB;AAAA,IACtB,WAAW,KAAK;AAAA,IAChB,WAAW,KAAK;AAAA,IAChB,oBAAoB,KAAK;AAAA,EAC3B,CAAC;AACH;AAEA,eAAe,cAAiB,YAAuC;AACrE,MAAI;AACF,WAAQ,MAAM,OAAO;AAAA,EACvB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAqBO,SAAS,uCACd,YACA,QACoB;AACpB,SAAO;AAAA,IACL,GAAG;AAAA,IACH,MAAM,QAAQ,MAA+B;AAC3C,YAAM,OAAQ,MAAM,WAAW,QAAS,IAAI;AAG5C,UAAI,KAAK,cAAc,CAAC,QAAQ,OAAO,SAAS,SAAU,QAAO;AACjE,UAAI;AACF,cAAM,MAAM,MAAM,MAAM,QAAQ;AAAA,UAC9B,QAAQ;AAAA,UACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,UAC9C,MAAM,KAAK,UAAU;AAAA,YACnB,IAAI;AAAA,YACJ,SAAS;AAAA,YACT,QAAQ;AAAA,YACR,QAAQ,CAAC,EAAE,YAAY,YAAY,CAAC;AAAA,UACtC,CAAC;AAAA,QACH,CAAC;AACD,cAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,cAAM,YAAY,MAAM,QAAQ,OAAO;AACvC,YAAI,WAAW;AACb,iBAAO;AAAA,YACL,GAAG;AAAA,YACH,eAAe,EAAE,GAAI,KAAK,iBAAiB,CAAC,GAAI,iBAAiB,UAAU;AAAA,UAC7E;AAAA,QACF;AAAA,MACF,QAAQ;AAAA,MAER;AACA,aAAO;AAAA,IACT;AAAA,EACF;AACF;;;ACjRA;;;ACkBO,SAAS,wBACd,QACA,SACA,QACM;AACN,SAAO,SAAS,SAAS,MAAM;AAC/B,MAAI,OAAO,OAAO,eAAe,YAAY;AAC3C,WAAO,WAAW,SAAS,MAAM;AAAA,EACnC;AACF;;;ADqDA,eAAsB,iBAAiB,OAAgC,CAAC,GAAwB;AAC9F,QAAM,WAAY,MAAME,eAA8B,mBAAmB,KAAM;AAE/E,MAAI,CAAC,UAAU;AACb,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAGA,MAAI;AAIJ,QAAM,oBACJ,KAAK,gBACJ,QAAQ,IAAI,kBAAkB,QAAQ,IAAI,qBAAqB,aAAa;AAC/E,MAAI,sBAAsB,YAAY;AACpC,UAAM,KAAK,MAAMA,eAA8B,gBAAgB;AAE/D,QAAI,CAAC,IAAI,aAAa;AACpB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,kBAAc,IAAI,SAAS,sBAAsB,GAAG,WAAW;AAAA,EACjE,WAAW,sBAAsB,QAAQ;AACvC,kBAAc,IAAI,SAAS,sBAAsB;AAAA,EACnD,OAAO;AACL,kBAAc;AAAA,EAChB;AAEA,QAAM,SAAS,IAAI,SAAS,mBAAmB,WAAW;AAE1D,MAAI,iBAAsC;AAC1C,MAAI,gBAAqC;AACzC,aAAW,QAAQ,KAAK,SAAS,CAAC,GAAG;AACnC,UAAM,SAAS,KAAK,SAAS,OAAO;AACpC,QAAI,KAAK,WAAW,WAAW,GAAG;AAChC,YAAM,WAAW,SAAS,KAAK,MAAM,GAAG,EAAE,IAAI;AAC9C,YAAM,UACJ,aAAa,sBAAsB,SAAS,KAAK,QAAQ,QAAQ,SAAS,KAAK,QAAQ;AACzF,UAAI,QAAQ;AACV,0BAAkB,MAAMA,eAA4B,uBAAuB;AAE3E,YAAI,CAAC,eAAe,eAAe;AACjC,gBAAM,IAAI,MAAM,kFAA6E;AAAA,QAC/F;AAEA,gCAAwB,QAAQ,SAAS,IAAI,cAAc,cAAc,CAAC;AAAA,MAC5E,OAAO;AACL,2BAAmB,MAAMA,eAA4B,wBAAwB;AAE7E,YAAI,CAAC,gBAAgB,gBAAgB;AACnC,gBAAM,IAAI,MAAM,6EAAwE;AAAA,QAC1F;AAEA,gCAAwB,QAAQ,SAAS,IAAI,eAAe,eAAe,CAAC;AAAA,MAC9E;AAAA,IACF;AAAA,EACF;AAEA,aAAW,EAAE,SAAS,OAAO,KAAK,KAAK,WAAW,CAAC,GAAG;AACpD,4BAAwB,QAAQ,SAAS,MAAM;AAAA,EACjD;AAEA,MAAI,KAAK,QAAQ;AACf,UAAM,SAAS,MAAMA,eAA4B,yBAAyB;AAE1E,QAAI,CAAC,QAAQ,+BAA+B;AAC1C,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,WAAO,kBAAkB,OAAO,6BAA6B;AAAA,EAC/D;AAEA,MAAI,KAAK,eAAe,OAAO;AAC7B,UAAM,OAAO,WAAW;AAAA,EAC1B;AACA,SAAO;AACT;AA2BA,eAAsB,uBACpB,QACA,MACoB;AACpB,QAAM,eAAe,MAAM,OAAO;AAAA,IAChC;AAAA,MACE,QAAQ,KAAK,UAAU;AAAA,MACvB,SAAS,KAAK;AAAA,MACd,OAAO,KAAK;AAAA,MACZ,OAAO,KAAK;AAAA,MACZ,mBAAmB,KAAK,qBAAqB;AAAA,IAC/C;AAAA,IACA,KAAK;AAAA,EACP;AACA,SAAO,MAAM,QAAQ,YAAY,IAAI,eAAe,CAAC;AACvD;AAEA,eAAeA,eAAiB,YAAuC;AACrE,MAAI;AACF,WAAQ,MAAM,OAAO;AAAA,EACvB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;AEpMA,SAAS,aAAa,MAA0C;AAC9D,QAAM,UAAU,KAAK,WAAW;AAChC,MAAI,YAAY,cAAe,QAAO;AACtC,MAAI,YAAY,eAAgB,QAAO;AACvC,QAAM,IAAI;AAAA,IACR,wDAAwD,KAAK,UAAU,OAAO,CAAC;AAAA,EACjF;AACF;AAaO,SAAS,eAAe,MAID;AAC5B,QAAM,EAAE,MAAM,aAAa,gBAAgB,IAAI;AAC/C,QAAM,WAAW,aAAa,IAAI;AAClC,QAAM,SAAS,QAAQ,eAAe,eAAe;AACrD,QAAM,cAAmC,SAAS,aAAa;AAE/D,MAAI;AACJ,MAAI;AAEJ,SAAO,YAAiC;AACtC,QAAI,WAAW,OAAW,QAAO;AACjC,QAAI,YAAY,OAAW,QAAO;AAClC,eAAW,YAAY;AACrB,YAAM,SAAS,MAAM,iBAAiB,EAAE,aAAa,OAAO,CAAC,QAAQ,EAAE,CAAC;AACxE,eAAS;AACT,gBAAU;AACV,aAAO;AAAA,IACT,GAAG;AACH,WAAO;AAAA,EACT;AACF;AAQO,SAAS,eAAe,MAGJ;AACzB,QAAM,EAAE,OAAAC,QAAO,UAAU,IAAI;AAC7B,MAAI;AACJ,MAAI;AAEJ,SAAO,YAA8B;AACnC,QAAI,WAAW,OAAW,QAAO;AACjC,QAAI,YAAY,OAAW,QAAO;AAClC,eAAW,YAAY;AACrB,YAAM,SAAS,MAAM,iBAAiB,EAAE,WAAW,OAAAA,OAAM,CAAC;AAC1D,eAAS;AACT,gBAAU;AACV,aAAO;AAAA,IACT,GAAG;AACH,WAAO;AAAA,EACT;AACF;;;ACmBO,SAAS,yBACd,QAC4B;AAC5B,MAAI,OAAO,QAAS,QAAO;AAC3B,UAAQ,OAAO,OAAO;AAAA,IACpB,KAAK;AACH,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,SAAS;AAAA,QACT,WAAW;AAAA,UACT,QAAQ;AAAA,UACR,cACE;AAAA,QACJ;AAAA,MACF;AAAA,IACF,KAAK;AACH,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,SAAS;AAAA,QACT,WAAW;AAAA,UACT,QAAQ;AAAA,UACR,cACE;AAAA,QACJ;AAAA,MACF;AAAA,IACF,KAAK;AACH,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,SAAS;AAAA,QACT,WAAW;AAAA,UACT,QAAQ;AAAA,UACR,cACE;AAAA,QACJ;AAAA,MACF;AAAA,IACF,KAAK;AACH,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,SAAS;AAAA,QACT,WAAW;AAAA,UACT,QAAQ;AAAA,UACR,qBAAqB;AAAA,UACrB,cACE;AAAA,QACJ;AAAA,MACF;AAAA,EACJ;AACF;AAyEA,eAAsB,kBAAkB;AAAA,EACtC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,GAeqC;AACnC,QAAM,SAAS;AAiBf,MAAI;AACJ,MAAI;AACF,wBAAoB,MAAM,OAAO,yBAAyB,cAAc;AAAA,EAC1E,SAAS,KAAK;AACZ,YAAQ,KAAK,4CAA4C,eAAe,QAAQ,IAAI,UAAU,GAAG;AACjG,WAAO,EAAE,SAAS,OAAO,OAAO,qBAAqB,MAAM,sBAAsB,OAAO,IAAI;AAAA,EAC9F;AACA,QAAM,qBAAqB,kBAAkB,CAAC;AAC9C,MAAI,CAAC,oBAAoB;AACvB,WAAO,EAAE,SAAS,OAAO,OAAO,mBAAmB,QAAQ,qDAAqD;AAAA,EAClH;AAEA,QAAM,2BAA2B,qBAAqB,MAAM;AAC1D,UAAM,OAAO,IAAI,IAAI,aAAa,GAAG,EAAE;AACvC,WAAO,EAAE,QAAQ,QAAQ,SAAS,EAAE,SAAS,MAAM,KAAK,GAAG,cAAc,KAAK;AAAA,EAChF,GAAG;AAEH,MAAI;AACJ,MAAI;AACF,kBAAc,cAAc,SACxB,OAAO,iBAAiB,WAAW,wBAAwB,IAC3D;AAAA,EACN,SAAS,KAAK;AACZ,YAAQ,KAAK,2CAA2C,eAAe,QAAQ,IAAI,UAAU,GAAG;AAChG,WAAO,EAAE,SAAS,OAAO,OAAO,qBAAqB,MAAM,qBAAqB,OAAO,IAAI;AAAA,EAC7F;AAEA,MAAI;AACJ,MAAI;AACF,mBAAe,MAAM,OAAO;AAAA,MAC1B;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,YAAQ,KAAK,wCAAwC,eAAe,QAAQ,IAAI,UAAU,GAAG;AAC7F,WAAO,EAAE,SAAS,OAAO,OAAO,qBAAqB,MAAM,kBAAkB,OAAO,IAAI;AAAA,EAC1F;AAIA,QAAM,WAAW,aAAa,YAAY,QAAQ,aAAa,YAAY;AAC3E,MAAI,CAAC,UAAU;AACb,WAAO,EAAE,SAAS,OAAO,OAAO,iBAAiB,aAAa;AAAA,EAChE;AAEA,MAAI;AACF,UAAM,eAAe,MAAM,OAAO;AAAA,MAChC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,UAAM,wBAAwB,eAC1B,OAAO,KAAK,KAAK,UAAU,YAAY,CAAC,EAAE,SAAS,QAAQ,IAC3D;AACJ,WAAO;AAAA,MACL,SAAS;AAAA,MACT;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,WAAO,EAAE,SAAS,OAAO,OAAO,iBAAiB,OAAO,KAAK,mBAAmB;AAAA,EAClF;AACF;;;AClUA;AAGO,IAAM,+BAA+B,oBAAI,IAAY;AAAA,EAC1D,SAAS,KAAK,QAAQ;AAAA,EACtB,SAAS,KAAK,QAAQ;AACxB,CAAC;AAkBD,IAAM,iBAAiB;AA8BvB,IAAM,qBACJ;AAEF,SAAS,eAAe,SAAiB,aAAqB;AAC5D,SAAO;AAAA,IACL,OAAO,EAAE,MAAM,yBAAkC,QAAQ;AAAA,IACzD,YAAY;AAAA,MACV,QAAQ;AAAA,MACR,cAAc;AAAA,MACd,SAAS;AAAA,IACX;AAAA,EACF;AACF;AAgBA,eAAsB,kBAAkB;AAAA,EACtC;AAAA,EACA;AAAA,EACA;AACF,GASqC;AACnC,QAAM,cACJ,QAAQ,QAAQ,IAAI,mBAAmB,KACpC,QAAQ,QAAQ,IAAI,WAAW;AACpC,MAAI,CAAC,aAAa;AAChB,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ;AAAA,MACR,MAAM;AAAA,QACJ;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,MAAI;AACJ,MAAI;AACF,cAAU,KAAK,MAAM,OAAO,KAAK,aAAa,QAAQ,EAAE,SAAS,CAAC;AAAA,EACpE,QAAQ;AACN,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ;AAAA,MACR,MAAM;AAAA,QACJ;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,QAAM,gBAAgB,QAAQ,UAAU;AACxC,QAAM,cAAc,QAAQ,UAAU;AAEtC,MAAI,CAAC,iBAAiB,kBAAkB,iBAAiB;AACvD,QAAI,iBAAiB,cAAc,YAAY,EAAE,WAAW,SAAS,GAAG;AACtE,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,WAAW,aAAa,sIAAsI,eAAe;AAAA,UAC7K;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ;AAAA,MACR,MAAM;AAAA,QACJ,4BAA4B,iBAAiB,WAAW,yBAAyB,eAAe;AAAA,QAChG;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,QAAM,iBAAiB,OAAO,gBAAgB,YAAY,eAAe,KAAK,WAAW;AAEzF,MAAI,CAAC,eAAe,CAAC,gBAAgB;AACnC,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ;AAAA,MACR,MAAM;AAAA,QACJ,2EAA2E,aAAa;AAAA,QACxF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAE,MAAM,gBAAgB,WAAW,GAAI;AACzC,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ;AAAA,MACR,MAAM;AAAA,QACJ;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,SAAO,EAAE,IAAI,MAAM,SAAS,eAAe,YAAY;AACzD;;;ACpKA,IAAM,SAAS;AACf,IAAMC,oBAAmB;AAkBzB,IAAM,cAAgC;AAAA,EACpC,eAAe;AAAA,EACf,eAAe;AAAA,EACf,QAAQ;AACV;AASO,SAAS,mBAAmB;AAAA,EACjC;AAAA,EACA;AAAA,EACA;AACF,GASqB;AACnB,MAAI,SAAS,aAAa;AACxB,WAAO,sBAAsB,OAAO;AAAA,EACtC;AACA,MAAI,SAAS,WAAW,SAAS,UAAU;AACzC,WAAO,kBAAkB,mBAAmB;AAAA,EAC9C;AACA,SAAO;AACT;AAEA,SAAS,sBAAsB,SAAuE;AACpG,MAAI,CAAC,WAAW,OAAO,YAAY,SAAU,QAAO;AACpD,QAAM,QAAS,QAAkC;AACjD,MAAI,CAAC,SAAS,OAAO,UAAU,SAAU,QAAO;AAChD,QAAM,gBAAiB,MAAsC;AAC7D,MAAI,CAAC,iBAAiB,OAAO,kBAAkB,SAAU,QAAO;AAChE,QAAM,WAAY,cAAqC;AACvD,MAAI,OAAO,aAAa,YAAY,CAAC,OAAO,KAAK,QAAQ,EAAG,QAAO;AACnE,SAAO;AAAA,IACL,eAAe,SAAS,YAAY;AAAA,IACpC,eAAe;AAAA,IACf,QAAQ;AAAA,EACV;AACF;AAEA,SAAS,kBACP,qBACkB;AAClB,MAAI,OAAO,wBAAwB,SAAU,QAAO;AACpD,MAAI,CAAC,oBAAoB,YAAY,EAAE,WAAW,UAAU,EAAG,QAAO;AACtE,QAAM,QAAQ,oBAAoB,MAAM,WAAW,MAAM,EAAE,KAAK;AAChE,MAAI,CAAC,MAAO,QAAO;AAEnB,MAAI;AACJ,MAAI;AACF,iBAAa,KAAK,MAAM,KAAK,KAAK,CAAC;AAAA,EACrC,QAAQ;AACN,WAAO;AAAA,EACT;AACA,MAAI,CAAC,cAAc,OAAO,eAAe,SAAU,QAAO;AAE1D,MAAI,SAAU,WAAoC;AAClD,MAAI,OAAO,WAAW,UAAU;AAC9B,UAAM,YAAa,WAAuC;AAC1D,QAAI,aAAa,OAAO,cAAc,UAAU;AAC9C,eAAU,UAAmC;AAAA,IAC/C;AAAA,EACF;AACA,MAAI,OAAO,WAAW,SAAU,QAAO;AAEvC,QAAM,QAAQ,OAAO,MAAM,GAAG;AAC9B,MAAI,MAAM,SAAS,KAAK,MAAM,CAAC,MAAM,SAAS,MAAM,CAAC,MAAM,MAAO,QAAO;AACzE,QAAM,SAAS,MAAM,CAAC;AACtB,QAAM,OAAO,MAAM,MAAM,SAAS,CAAC,KAAK;AAExC,MAAI,WAAW,YAAY,OAAO,KAAK,IAAI,GAAG;AAC5C,WAAO,EAAE,eAAe,KAAK,YAAY,GAAG,eAAe,OAAO,QAAQ,KAAK;AAAA,EACjF;AACA,MAAI,WAAW,YAAYA,kBAAiB,KAAK,IAAI,GAAG;AACtD,WAAO,EAAE,eAAe,MAAM,eAAe,UAAU,QAAQ,KAAK;AAAA,EACtE;AACA,SAAO;AACT;;;AlByBO,SAAS,cAAc,MAWZ;AAChB,QAAM,WAAW,KAAK,YAAY;AAClC,MAAI,KAAK,kBAAkB,QAAW;AACpC,UAAM,aAAa,KAAK;AAAA,MACtB;AAAA,MACA,KAAK,iBAAiB,KAAK,YAAY,MAAM,KAAK,iBAAiB,MAAM,KAAK,iBAAiB;AAAA,IACjG;AACA,UAAM,gBAAgB,KAAK,aAAa,aAAa;AACrD,UAAM,QAAQ,kBAAkB;AAAA,MAC9B,eAAe,KAAK;AAAA,MACpB,UAAU,KAAK,YAAY;AAAA,MAC3B,GAAI,KAAK,kBAAkB,UAAa,EAAE,eAAe,KAAK,cAAc;AAAA,MAC5E,GAAI,KAAK,kBAAkB,UAAa,EAAE,eAAe,KAAK,cAAc;AAAA,MAC5E,GAAI,KAAK,YAAY,UAAa,EAAE,SAAS,KAAK,QAAQ;AAAA,MAC1D,GAAI,KAAK,aAAa,UAAa,EAAE,UAAU,KAAK,SAAS;AAAA,MAC7D;AAAA,IACF,CAAC;AACD,WAAO;AAAA,MACL,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA,GAAI,KAAK,YAAY,UAAa,EAAE,SAAS,KAAK,QAAQ;AAAA,MAC1D,GAAI,KAAK,eAAe,UAAa,EAAE,YAAY,KAAK,WAAW;AAAA,IACrE;AAAA,EACF;AACA,MAAI,KAAK,cAAc,QAAW;AAChC,UAAM,IAAI,MAAM,+DAA+D;AAAA,EACjF;AACA,SAAO;AAAA,IACL,WAAW,KAAK;AAAA,IAChB;AAAA,IACA,GAAI,KAAK,YAAY,UAAa,EAAE,SAAS,KAAK,QAAQ;AAAA,IAC1D,GAAI,KAAK,eAAe,UAAa,EAAE,YAAY,KAAK,WAAW;AAAA,EACrE;AACF;AA4DO,SAAS,kBACd,KACyC;AACzC,QAAM,SAAS,IAAI,QAAQ;AAC3B,MAAI,WAAW,QAAQ,WAAW,OAAW,QAAO;AACpD,QAAM,WAAY,OAAiC;AACnD,MAAI,aAAa,QAAS,QAAO;AACjC,SAAO;AACT;AAUO,IAAM,0BAAN,cAAsC,MAAM;AAAA,EACxC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACT,YAAY,MAMT;AACD,UAAM,KAAK,OAAO;AAClB,SAAK,OAAO;AACZ,SAAK,OAAO,KAAK;AACjB,SAAK,SAAS,KAAK,UAAU;AAC7B,SAAK,SAAS,KAAK,UAAU;AAC7B,SAAK,QAAQ,KAAK;AAAA,EACpB;AACF;AAwKA,SAASC,cAAa,SAAyD;AAC7E,QAAM,MAA8B,CAAC;AACrC,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,OAAO,EAAG,KAAI,EAAE,YAAY,CAAC,IAAI;AACrE,SAAO;AACT;AAEA,SAAS,cAAc,SAA0C;AAC/D,QAAM,IAAIA,cAAa,OAAO;AAC9B,SAAO,QAAQ,EAAE,mBAAmB,KAAK,EAAE,WAAW,CAAC;AACzD;AAEA,SAAS,cAAc,SAA0C;AAC/D,QAAM,IAAIA,cAAa,OAAO;AAC9B,UAAQ,EAAE,eAAe,KAAK,IAAI,WAAW,UAAU;AACzD;AAEA,SAAS,wBACP,KACmC;AACnC,QAAM,IAAIA,cAAa,IAAI,QAAQ,OAAO;AAC1C,QAAM,SAAS,EAAE,kBAAkB;AACnC,MAAI,CAAC,OAAQ,QAAO;AACpB,MAAI;AACJ,QAAM,SAAS,IAAI,QAAQ;AAC3B,MAAI,UAAU,OAAO,WAAW,UAAU;AACxC,UAAM,WAAY,OAAmC,UAAU;AAC/D,QAAI,YAAY,OAAO,aAAa,UAAU;AAC5C,YAAM,KAAM,SAAqC,gBAAgB;AACjE,UAAI,MAAM,QAAQ,EAAE,KAAK,GAAG,MAAM,CAAC,MAAmB,OAAO,MAAM,QAAQ,GAAG;AAC5E,wBAAgB;AAAA,MAClB;AAAA,IACF;AAAA,EACF;AACA,SAAO,sBAAsB;AAAA,IAC3B,MAAM;AAAA,IACN;AAAA,IACA,GAAI,kBAAkB,SAAY,EAAE,cAAc,IAAI,CAAC;AAAA,EACzD,CAAC;AACH;AAEA,SAASC,kBAAiB,GAA0C;AAClE,SAAO,EAAE,eAAe;AAC1B;AAEA,SAASC,wBAAuB,GAAgD;AAC9E,SAAO,oBAAoB,KAAK,WAAW;AAC7C;AAIA,SAAS,YAAY,MAAiC;AACpD,MAAID,kBAAiB,IAAI,EAAG,QAAO;AACnC,MAAIC,wBAAuB,IAAI,EAAG,QAAO;AACzC,QAAM,UAAW,KAA8B,WAAW;AAC1D,MAAI,QAAQ,WAAW,SAAS,EAAG,QAAO;AAC1C,MAAI,QAAQ,WAAW,SAAS,KAAK,YAAY,KAAM,QAAO;AAC9D,SAAO;AACT;AAGA,SAAS,eAAe,MAAgC;AACtD,MAAID,kBAAiB,IAAI,EAAG,QAAO;AACnC,MAAIC,wBAAuB,IAAI,EAAG,QAAO;AACzC,QAAM,UAAW,KAA8B,WAAW;AAC1D,MAAI,QAAQ,WAAW,SAAS,EAAG,QAAO;AAC1C,MAAI,QAAQ,WAAW,SAAS,KAAK,YAAY,KAAM,QAAO;AAC9D,SAAO;AACT;AAkBO,SAAS,oBAAoB,MAElB;AAChB,SAAO,OAAO,QAAsD;AAClE,QAAI,IAAI,YAAY,KAAM,QAAO,EAAE,QAAQ,IAAI;AAC/C,UAAM,MAAO,MAAM,KAAK,aAAa;AAIrC,UAAM,QAAQF,cAAa,IAAI,QAAQ,OAAO;AAC9C,UAAM,gBAAgB,MAAM,eAAe;AAC3C,UAAM,YAAY,IAAI,QAAQ,UAAU,QAAQ,CAAC;AACjD,QAAI;AACJ,QAAI;AACF,eAAS,MAAM,IAAI,OAAO,EAAE,eAAe,QAAQ,UAAU,CAAC;AAAA,IAChE,QAAQ;AACN,aAAO,EAAE,QAAQ,IAAI;AAAA,IACvB;AACA,QAAI,CAAC,MAAM,QAAQ,MAAM,GAAG;AAC1B,YAAM,YAAY;AAClB,YAAM,QAAQ,IAAI,SAAS;AAC3B,YAAM,UACJ,OAAO,UAAU,sBAAsB,aACnC,EAAE,oBAAoB,UAAU,kBAAkB,KAAK,EAAE,IACzD,CAAC;AACP,aAAO,EAAE,QAAQ,KAAK,QAAQ;AAAA,IAChC;AACA,UAAM,CAAC,YAAY,OAAO,IAAI;AAI9B,UAAM,SAAS,QAAQ,aAAa,QAAQ,eAAe;AAC3D,QAAI,gBAA+B;AACnC,QAAI,gBAA+B;AACnC,UAAM,SAAS,WAAW;AAC1B,QAAI,OAAO,WAAW,UAAU;AAC9B,YAAM,QAAQ,OAAO,MAAM,GAAG;AAC9B,UAAI,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,SAAS,MAAM,CAAC,MAAM,OAAO;AACjE,cAAM,SAAS,MAAM,CAAC;AACtB,cAAM,OAAO,MAAM,MAAM,SAAS,CAAC,KAAK;AACxC,YAAI,WAAW,YAAY,SAAS,MAAM;AACxC,0BAAgB,KAAK,YAAY;AACjC,0BAAgB;AAAA,QAClB,WAAW,WAAW,YAAY,SAAS,MAAM;AAC/C,0BAAgB;AAChB,0BAAgB;AAAA,QAClB;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA,KAAK,EAAE,YAAY,QAAQ;AAAA,IAC7B;AAAA,EACF;AACF;AAaA,SAAS,wBACPG,QACA,WACkC;AAClC,QAAM,MAAwC,CAAC;AAC/C,aAAW,CAAC,KAAK,IAAI,KAAK,OAAO,QAAQA,MAAK,GAAG;AAC/C,QAAIF,kBAAiB,IAAI,GAAG;AAC1B,UAAI,GAAG,IAAI;AACX;AAAA,IACF;AACA,UAAM,WAAW,UAAU,GAAG;AAC9B,UAAM,iBAAiB,YAAa,KAAiC;AACrE,QAAI,mBAAmB,MAAM,mBAAmB,OAAW;AAC3D,QAAI,GAAG,IAAI,aAAa,SACnB,EAAE,GAAG,MAAM,WAAW,SAAS,IAChC;AAAA,EACN;AACA,SAAO;AACT;AAIA,SAAS,SAAYE,QAAyC,KAA4B;AACxF,QAAM,OAAOA,OAAM,GAAG;AACtB,SAAO,SAAS,SAAY,SAAa;AAC3C;AAqBO,IAAM,WAAN,MAAe;AAAA,EACX;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACT;AAAA,EACA;AAAA,EACS;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACD;AAAA,EAER,YAAY,MAqDT;AACD,UAAM,aAAa,KAAK;AACxB,QAAI;AACJ,QAAI,eAAe,QAAW;AAC5B,YAAM,WAAW,OAAO,OAAO,KAAK,KAAK,EAAE;AAAA,QACzC,CAAC,MACC,CAACD,wBAAuB,CAAC,KAAK,CAACD,kBAAiB,CAAC,KAAK,eAAe,MACnE,EAA2B,WAAW,IAAI,WAAW,SAAS;AAAA,MACpE;AACA,UAAI,aAAa,QAAW;AAC1B,2BAAmB,eAAe;AAAA,UAChC,MAAM;AAAA,UACN,aAAa,KAAK;AAAA,UAClB,iBAAiB,KAAK;AAAA,QACxB,CAAC;AAAA,MACH;AAAA,IACF,OAAO;AACL,YAAM,WAAW,KAAK,MAAM,WAAW;AACvC,UAAI,aAAa,UAAa,EAAE,eAAe,WAAW;AACxD,cAAM,IAAI;AAAA,UACR;AAAA,QAEF;AAAA,MACF;AAAA,IACF;AAEA,QAAI,cAAc,KAAK;AACvB,QAAI,gBAAgB,UAAa,KAAK,kBAAkB,QAAW;AACjE,YAAM,WAAyC,CAAC;AAChD,iBAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,KAAK,KAAK,GAAG;AAC/C,YAAIA,kBAAiB,CAAC,KAAKC,wBAAuB,CAAC,KAAK,eAAe,GAAG;AACxE,mBAAS,CAAC,IAAI;AAAA,QAChB;AAAA,MACF;AACA,YAAM,SAAS,eAAe;AAAA,QAC5B,OAAO;AAAA,QACP,WAAW,KAAK;AAAA,MAClB,CAAC;AACD,oBAAc,oBAAoB,EAAE,cAAc,OAAO,CAAC;AAAA,IAC5D;AAEA,SAAK,QAAQ,KAAK;AAClB,SAAK,MAAM,KAAK;AAChB,SAAK,eAAe,KAAK,MAAM;AAC/B,SAAK,iBAAiB,KAAK;AAC3B,SAAK,cAAc,KAAK;AACxB,SAAK,aAAa;AAClB,SAAK,oBAAoB;AACzB,SAAK,cAAc;AACnB,SAAK,iBAAiB,KAAK;AAC3B,SAAK,kBAAkB,KAAK;AAC5B,SAAK,YAAY,KAAK;AACtB,SAAK,kBAAkB,KAAK;AAC5B,SAAK,qBAAqB,KAAK,sBAAsB;AACrD,SAAK,OAAO,KAAK;AACjB,SAAK,sBAAsB,KAAK;AAChC,SAAK,iBAAiB,KAAK;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,gBAA2B;AAC7B,UAAM,MAAiB,CAAC;AACxB,UAAM,OAAO,oBAAI,IAAY;AAC7B,eAAW,QAAQ,OAAO,OAAO,KAAK,KAAK,GAAG;AAC5C,YAAM,MAAM,YAAY,IAAI;AAC5B,UAAI,KAAK,IAAI,GAAG,EAAG;AACnB,WAAK,IAAI,GAAG;AACZ,UAAI,KAAK,GAAG;AAAA,IACd;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA,EAIA,IAAI,sBAAgC;AAClC,UAAM,MAAgB,CAAC;AACvB,UAAM,OAAO,oBAAI,IAAY;AAC7B,eAAW,QAAQ,OAAO,OAAO,KAAK,KAAK,GAAG;AAC5C,YAAM,OAAO,eAAe,IAAI;AAChC,UAAI,KAAK,IAAI,IAAI,EAAG;AACpB,WAAK,IAAI,IAAI;AACb,UAAI,KAAK,IAAI;AAAA,IACf;AACA,WAAO;AAAA,EACT;AAAA;AAAA,EAGA,MAAc,gBAAiD;AAC7D,QAAI,KAAK,eAAe,OAAW,QAAO,KAAK;AAC/C,QAAI,KAAK,sBAAsB,OAAW,QAAO;AACjD,SAAK,aAAa,MAAM,KAAK,kBAAkB;AAC/C,WAAO,KAAK;AAAA,EACd;AAAA,EAEQ,sBAA+B;AACrC,WAAO,KAAK,eAAe,UAAa,KAAK,sBAAsB;AAAA,EACrE;AAAA;AAAA;AAAA,EAIQ,cAAsB;AAC5B,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,KAAK,KAAK,GAAG;AAC/C,UAAI,CAACD,kBAAiB,CAAC,KAAK,CAACC,wBAAuB,CAAC,MAC/C,EAA2B,WAAW,IAAI,WAAW,SAAS,GAAG;AACrE,eAAO;AAAA,MACT;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA;AAAA,EAGQ,aAAqB;AAC3B,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,KAAK,KAAK,GAAG;AAC/C,YAAM,UAAW,EAA2B,WAAW;AACvD,UAAI,CAACD,kBAAiB,CAAC,KAAK,CAAC,QAAQ,WAAW,SAAS,EAAG,QAAO;AAAA,IACrE;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,kBAAiC;AACnC,QAAI,CAAC,KAAK,oBAAoB,EAAG,QAAO;AACxC,eAAW,QAAQ,OAAO,OAAO,KAAK,KAAK,GAAG;AAC5C,UAAI,CAACA,kBAAiB,IAAI,KAAK,CAACC,wBAAuB,IAAI,MACrD,KAA8B,WAAW,IAAI,WAAW,SAAS,GAAG;AACxE,eAAQ,KAA8B,WAAW;AAAA,MACnD;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,OAAO,SAAmD;AAC9D,UAAM,cAAc,MAAM,KAAK,UAAU,OAAO;AAChD,UAAM,MAAuB;AAAA,MAC3B;AAAA,MACA;AAAA,MACA,SAAS;AAAA,MACT,YAAY,CAAC;AAAA,MACb,OAAO,CAAC;AAAA,IACV;AAEA,QAAI,KAAK,mBAAmB,UAAa,QAAQ,WAAW,QAAQ;AAClE,YAAM,OAAO,QAAQ,QAAQ,eAAe,KAAK,QAAQ,QAAQ,eAAe;AAChF,YAAM,UACJ,CAAE,MAAM,WAAW,UAAU,KAC7B,CAAC,cAAc,QAAQ,OAAO,KAC9B,CAAC,cAAc,QAAQ,OAAO,MAC7B,QAAQ,SAAS,UAAa,QAAQ,SAAS,QAC9C,OAAO,QAAQ,SAAS,YAAY,OAAO,KAAK,QAAQ,IAAc,EAAE,WAAW;AACvF,UAAI,SAAS;AACX,cAAM,EAAE,6BAAAE,6BAA4B,IAAI,MAAM;AAC9C,cAAM,MAAM,KAAK;AACjB,cAAM,QAAQA,6BAA4B;AAAA,UACxC,OAAO,IAAI;AAAA,UACX,YAAY,IAAI;AAAA,UAChB,iBAAiB,IAAI;AAAA,UACrB,iBAAiB,IAAI;AAAA,UACrB,GAAI,IAAI,WAAW,UAAa,EAAE,QAAQ,IAAI,OAAO;AAAA,UACrD,GAAI,IAAI,eAAe,UAAa,EAAE,YAAY,IAAI,WAAW;AAAA,UACjE,GAAI,IAAI,YAAY,UAAa,EAAE,SAAS,IAAI,QAAQ;AAAA,UACxD,GAAI,IAAI,YAAY,UAAa,EAAE,SAAS,IAAI,QAAQ;AAAA,UACxD,GAAI,IAAI,eAAe,UAAa,EAAE,YAAY,IAAI,WAAW;AAAA,QACnE,CAAC;AACD,eAAO;AAAA,UACL,QAAQ,MAAM;AAAA,UACd,MAAM,KAAK,MAAM,MAAM,IAAI;AAAA,UAC3B,SAAS,MAAM;AAAA,UACf,aAAa,IAAI;AAAA,UACjB,SAAS;AAAA,QACX;AAAA,MACF;AAAA,IACF;AAGA,QAAI,KAAK,gBAAgB,QAAW;AAClC,UAAI;AACF,cAAM,QAAQ,MAAM,KAAK,YAAY,GAAG;AACxC,YAAI,SAAS,OAAO,UAAU,SAAU,QAAO,OAAO,IAAI,OAAO,KAAK;AAAA,MACxE,SAAS,KAAK;AACZ,YAAI,eAAe,yBAAyB;AAC1C,iBAAO,KAAK,sBAAsB,KAAK,GAAG;AAAA,QAC5C;AACA,cAAM;AAAA,MACR;AAAA,IACF;AAKA,UAAM,mBACJ,cAAc,QAAQ,OAAO,KAAK,cAAc,QAAQ,OAAO;AACjE,QAAI,KAAK,SAAS,UAAa,kBAAkB;AAC/C,YAAM,SAAS,MAAM,KAAK,QAAQ,GAAG;AACrC,UAAI,WAAW,MAAM;AACnB,eAAO;AAAA,UACL,QAAQ,OAAO;AAAA,UACf,MAAM,OAAO;AAAA,UACb,SAAS,EAAE,GAAI,OAAO,WAAW,CAAC,EAAG;AAAA,UACrC,aAAa,IAAI;AAAA,UACjB,SAAS;AAAA,QACX;AAAA,MACF;AAAA,IACF;AAGA,QAAI,UAAU,MAAM,KAAK,eAAe,GAAG;AAK3C,UAAM,KAAK,wBAAwB,GAAG;AAEtC,UAAM,eAAe,KAAK,oBAAoB,KAAK,KAAK,oBAAoB;AAC5E,QAAI,cAAc,QAAQ,OAAO,KAAK,cAAc;AAClD,YAAM,OAAO,MAAM,KAAK,iBAAiB,KAAK,WAAW;AACzD,UAAI,SAAS,KAAM,QAAO;AAC1B,aAAO,MAAM,KAAK,WAAW,GAAG;AAAA,IAClC;AAEA,QAAI,cAAc,QAAQ,OAAO,KAAK,KAAK,gBAAgB,QAAW;AACpE,YAAM,OAAO,MAAM,KAAK,iBAAiB,KAAK,OAAO;AACrD,UAAI,SAAS,KAAM,QAAO;AAC1B,aAAO,MAAM,KAAK,WAAW,GAAG;AAAA,IAClC;AAOA,UAAM,KAAK,wBAAwB,GAAG;AACtC,QAAI,cAAsC,CAAC;AAC3C,QAAI,KAAK,gBAAgB,QAAW;AAClC,UAAI;AACF,cAAM,cAAc,MAAM,KAAK,YAAY,GAAG;AAC9C,YAAI,YAAY,WAAW,KAAK;AAC9B,wBAAc,EAAE,GAAI,YAAY,WAAW,CAAC,EAAG;AAAA,QACjD;AAAA,MACF,QAAQ;AAAA,MAGR;AAAA,IACF;AACA,WAAO,MAAM,KAAK,QAAQ,KAAK,WAAW;AAAA,EAC5C;AAAA,EAEQ,sBACN,KACA,KACgB;AAChB,UAAM,OAAO,qBAAqB;AAAA,MAChC,MAAM,IAAI;AAAA,MACV,SAAS,IAAI;AAAA,MACb,WAAW,EAAE,QAAQ,IAAI,QAAQ,cAAc,IAAI,QAAQ;AAAA,MAC3D,OAAO,IAAI;AAAA,IACb,CAAC;AACD,WAAO;AAAA,MACL,QAAQ,IAAI;AAAA,MACZ;AAAA,MACA,SAAS,CAAC;AAAA,MACV,aAAa,IAAI;AAAA,MACjB,SAAS;AAAA,IACX;AAAA,EACF;AAAA,EAEA,MAAc,QAAQ,KAAkD;AACtE,UAAM,OAAO,KAAK;AAClB,QAAI,SAAS,OAAW,QAAO;AAC/B,QAAI,KAAK,YAAY,QAAW;AAC9B,YAAM,SAAS,MAAM,KAAK,QAAQ,GAAG;AAErC,UAAI,WAAW,UAAa,WAAW,KAAM,QAAO;AACpD,UAAI,OAAO,WAAW,YAAY,OAAQ,OAAgC,WAAW,UAAU;AAC7F,cAAM,IAAI;AAAA,UACR;AAAA,QACF;AAAA,MACF;AACA,aAAO;AAAA,IACT;AACA,QAAI,KAAK,WAAW,OAAW,QAAO;AAGtC,QAAI;AACJ,QAAI,KAAK,qBAAqB,QAAW;AACvC,uBAAiB,MAAM,KAAK,iBAAiB,GAAG;AAChD,UAAI,mBAAmB,KAAM,QAAO;AAAA,IACtC;AACA,UAAM,WAAkC;AAAA,MACtC,QAAQ,KAAK;AAAA,MACb,GAAI,KAAK,YAAY,UAAa,EAAE,SAAS,KAAK,QAAQ;AAAA,MAC1D,GAAI,KAAK,cAAc,UAAa,EAAE,WAAW,KAAK,UAAU;AAAA,MAChE,GAAI,KAAK,eAAe,UAAa,EAAE,YAAY,KAAK,WAAW;AAAA,MACnE,GAAI,KAAK,0BAA0B,UAAa,EAAE,uBAAuB,KAAK,sBAAsB;AAAA,MACpG,GAAI,KAAK,WAAW,UAAa,EAAE,QAAQ,KAAK,OAAO;AAAA,MACvD,GAAI,KAAK,yBAAyB,UAAa,EAAE,sBAAsB,KAAK,qBAAqB;AAAA,MACjG,GAAI,KAAK,yBAAyB,UAAa,EAAE,sBAAsB,KAAK,qBAAqB;AAAA,MACjG,GAAI,KAAK,aAAa,UAAa,EAAE,UAAU,KAAK,SAAS;AAAA,MAC7D,GAAI,KAAK,iBAAiB,UAAa,EAAE,cAAc,KAAK,aAAa;AAAA,MACzE,GAAI,KAAK,UAAU,UAAa,EAAE,OAAO,KAAK,MAAM;AAAA,MACpD,GAAI,KAAK,2BAA2B,UAAa;AAAA,QAC/C,wBAAwB,KAAK;AAAA,MAC/B;AAAA,MACA,GAAI,kBAAkB,CAAC;AAAA,IACzB;AAEA,UAAM,OAAO,qBAAqB,QAAQ;AAC1C,UAAM,UAAUJ,cAAa,IAAI,QAAQ,OAAO;AAChD,UAAM,gBAAgB,QAAQ,kBAAkB;AAChD,UAAM,gBAAgB,QAAQ,kBAAkB;AAChD,UAAM,WACJ,kBAAkB,UAAa,kBAAkB,SAC7C;AAAA,MACE,GAAI,kBAAkB,UAAa,EAAE,SAAS,cAAc;AAAA,MAC5D,GAAI,kBAAkB,UAAa,EAAE,cAAc;AAAA,IACrD,IACA;AACN,UAAM,aAAa,QAAQ,mBAAmB,KAAK,QAAQ,WAAW;AACtE,UAAM,SAAS,MAAM,6BAA6B,QAAQ,eAAe,GAAG,UAAU;AACtF,UAAM,UAA2B,MAAM,KAAK,SAAS,UAAU,KAAK,MAAM;AAE1E,QAAI,QAAQ,SAAS,SAAS;AAI5B,UAAI,kBAAkB,QAAW;AAC/B,cAAM,UAAU;AAChB,YAAI,gBAAgB,OAAO,SAAS;AAClC,gBAAM,KAAK,cAAc;AAAA,YACvB,eAAe;AAAA,YACf,eAAe,KAAK;AAAA,YACpB,SAAS,KAAK;AAAA,YACd,GAAI,KAAK,mBAAmB,UAAa,EAAE,gBAAgB,KAAK,eAAe;AAAA,UACjF,CAAC;AAAA,QACH;AAAA,MACF;AAKA,UAAI,kBAAkB,QAAW;AAC/B,cAAM,UAAU,KAAK,iBAAiB,aAAa;AACnD,cAAM,KAAK,SAAS;AACpB,YAAI,MAAM,GAAG,SAAS,QAAQ;AAC5B,gBAAMK,UAAuB,GAAG,SAAS,wCACrC;AAAA,YACE,MAAM;AAAA,YACN,iBAAiB,GAAG;AAAA,YACpB,oBAAoB,GAAG;AAAA,UACzB,IACA;AAAA,YACE,MAAM;AAAA,YACN,GAAI,GAAG,oBAAoB,QAAQ,EAAE,kBAAkB,GAAG,gBAAgB;AAAA,YAC1E,wBAAwB,GAAG;AAAA,YAC3B,iBAAiB,GAAG;AAAA,YACpB,eAAe,GAAG;AAAA,YAClB,GAAI,GAAG,cAAc,SAAS,KAAK,EAAE,gBAAgB,GAAG,cAAc;AAAA,YACtE,oBAAoB,GAAG;AAAA,UACzB;AACJ,cAAI,KAAK,aAAa,QAAW;AAC/B,kBAAM,SAAS,MAAM,KAAK,SAAS,KAAKA,OAAM;AAC9C,gBAAI,WAAW,KAAM,QAAO;AAAA,UAC9B;AACA,gBAAMC,QAAO,mBAAmBD,OAAM;AACtC,iBAAO,EAAE,QAAQ,KAAK,MAAMC,MAAgC;AAAA,QAC9D;AAAA,MACF;AACA,aAAO;AAAA,IACT;AAEA,UAAM,SAAS,QAAQ;AACvB,QAAI,KAAK,aAAa,QAAW;AAC/B,YAAM,SAAS,MAAM,KAAK,SAAS,KAAK,MAAM;AAC9C,UAAI,WAAW,KAAM,QAAO;AAAA,IAC9B;AACA,UAAM,OAAO,mBAAmB,MAAM;AACtC,UAAM,SACJ,OAAO,SAAS,mBAAmB,OAAO,SAAS,uBAC/C,MACA,OAAO,SAAS,cACd,MACA;AACR,WAAO,EAAE,QAAQ,KAAsC;AAAA,EACzD;AAAA,EAEA,MAAc,iBACZ,KACA,MACgC;AAChC,QAAI,CAAC,KAAK,sBAAsB,IAAI,YAAY,KAAM,QAAO;AAC7D,UAAM,QAAQ,KAAK,MAAM,IAAI,QAAQ,YAAY,GAAG;AACpD,QAAI,UAAU,EAAG,QAAO;AACxB,UAAM,UAAUN,cAAa,IAAI,QAAQ,OAAO;AAChD,QAAI;AACJ,QAAI,SAAS,aAAa;AACxB,YAAM,aAAa,QAAQ,mBAAmB,KAAK,QAAQ,WAAW;AACtE,UAAI,UAA0C;AAC9C,UAAI,OAAO,eAAe,YAAY,WAAW,SAAS,GAAG;AAC3D,YAAI;AACF,oBAAU,KAAK,MAAM,KAAK,UAAU,CAAC;AAAA,QACvC,QAAQ;AACN,oBAAU;AAAA,QACZ;AAAA,MACF;AACA,aAAO,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AAAA,IAC7C,OAAO;AACL,aAAO,mBAAmB,EAAE,MAAM,qBAAqB,QAAQ,eAAe,EAAE,CAAC;AAAA,IACnF;AACA,UAAM,UAAU,SAAS,cAAc,KAAK,YAAY,IAAI,KAAK,WAAW;AAC5E,UAAM,UAAyB;AAAA,MAC7B,MAAM,SAAS,cAAc,SAAS;AAAA,MACtC,uBAAuB;AAAA,MACvB,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,eAAe,KAAK;AAAA,MACpB,eAAe,KAAK;AAAA,MACpB;AAAA,IACF;AACA,WAAO,MAAM,KAAK,aAAa,KAAK,OAAO;AAAA,EAC7C;AAAA,EAEA,MAAc,UAAU,SAA2C;AACjE,QAAI,KAAK,oBAAoB,OAAW,QAAO,WAAW;AAC1D,UAAM,UAA2B,EAAE,SAAS,aAAa,IAAI,SAAS,MAAM,YAAY,CAAC,GAAG,OAAO,CAAC,EAAE;AACtG,WAAO,MAAM,KAAK,gBAAgB,OAAO;AAAA,EAC3C;AAAA,EAEA,MAAc,wBAAwB,KAAuD;AAC3F,QAAI,KAAK,mBAAmB,OAAW,QAAO,IAAI;AAElD,QAAI,OAAO,KAAK,IAAI,UAAU,EAAE,SAAS,EAAG,QAAO,IAAI;AACvD,QAAI,aAAa,EAAE,GAAI,MAAM,KAAK,eAAe,GAAG,EAAG;AACvD,WAAO,IAAI;AAAA,EACb;AAAA,EAEA,MAAc,qBAAqB,SAAmC;AACpE,QAAI,KAAK,oBAAoB,OAAW,QAAO;AAC/C,WAAO,QAAQ,QAAQ,KAAK,gBAAgB,OAAO,CAAC;AAAA,EACtD;AAAA,EAEA,MAAc,WAAW,KAA+C;AACtE,UAAM,aAAa,MAAM,KAAK,cAAc;AAC5C,QAAI,IAAI,YAAY,QAAQ,KAAK,oBAAoB,QAAQ,eAAe,QAAW;AACrF,YAAM,IAAI,MAAM,0DAA0D;AAAA,IAC5E;AACA,UAAM,cAAc,IAAI,QAAQ,IAAI,QAAQ,KAAK;AAAA,MAC/C,QAAQ,IAAI,QAAQ;AAAA,MACpB,SAAS,IAAI,QAAQ;AAAA,IACvB,CAAC;AACD,UAAM,WAAW,MAAM,kBAAkB;AAAA,MACvC,SAAS;AAAA,MACT,iBAAiB,KAAK,qBAAqB,KAAK,IAAI;AAAA,MACpD,iBAAiB,KAAK;AAAA,IACxB,CAAC;AACD,QAAI,CAAC,SAAS,IAAI;AAChB,aAAO;AAAA,QACL,QAAQ,SAAS;AAAA,QACjB,MAAM,SAAS;AAAA,QACf,SAAS,CAAC;AAAA,QACV,aAAa,IAAI;AAAA,QACjB,SAAS;AAAA,QACT,aAAa;AAAA,MACf;AAAA,IACF;AACA,UAAM,SAAS,MAAM,kBAAkB;AAAA,MACrC;AAAA,MACA,SAAS,SAAS;AAAA,MAClB,gBAAgB;AAAA,QACd,QAAQ;AAAA,QACR,SAAS,SAAS;AAAA,QAClB,OAAO,IAAI,IAAI,QAAQ,UAAU,QAAQ,CAAC,CAAC;AAAA,QAC3C,OAAO,SAAS;AAAA,QAChB,mBAAmB;AAAA,MACrB;AAAA,MACA,cAAc;AAAA,QACZ,KAAK,IAAI,QAAQ;AAAA,QACjB,aAAa;AAAA,QACb,UAAU;AAAA,MACZ;AAAA,IACF,CAAC;AACD,QAAI,CAAC,OAAO,SAAS;AAInB,YAAM,aAAa,yBAAyB,MAAM;AAClD,YAAM,kBACJ,eAAe,QAAQ,WAAW,UAAU,MAAM,EAAE,iBAAiB,WAAW,IAAI,CAAC;AACvF,UAAI,eAAe,MAAM;AACvB,eAAO;AAAA,UACL,QAAQ,WAAW;AAAA,UACnB,MAAM;AAAA,YACJ,OAAO,EAAE,MAAM,WAAW,MAAM,SAAS,WAAW,QAAQ;AAAA,YAC5D,YAAY,WAAW;AAAA,UACzB;AAAA,UACA,SAAS;AAAA,UACT,aAAa,IAAI;AAAA,UACjB,SAAS;AAAA,UACT,aAAa,OAAO,SAAS;AAAA,QAC/B;AAAA,MACF;AACA,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM,qBAAqB;AAAA,UACzB,MAAM;AAAA,UACN,SAAS,4CAA4C,OAAO,SAAS,SAAS;AAAA,UAC9E,WAAW,EAAE,QAAQ,gCAAgC;AAAA,UACrD,OAAO,EAAE,OAAO,OAAO,MAAM;AAAA,QAC/B,CAAC;AAAA,QACD,SAAS,CAAC;AAAA,QACV,aAAa,IAAI;AAAA,QACjB,SAAS;AAAA,QACT,aAAa,OAAO,SAAS;AAAA,MAC/B;AAAA,IACF;AAGA,UAAM,YAAa,OAChB,gBAAgB,CAAC;AACpB,UAAM,eACH,SAAS,QAAgE,SACtE,eAAe,QAAQ;AAE7B,UAAM,gBAAgB,iBAAiB,OAAO,aAAa,YAAY,IAAK,UAAU,SAAS;AAC/F,UAAM,UAAyB;AAAA,MAC7B,MAAM;AAAA,MACN,uBAAuB,OAAO,yBAAyB;AAAA,MACvD,KAAK;AAAA,MACL,QAAQ,UAAU,eAAe;AAAA,MACjC;AAAA,MACA,eAAe,kBAAkB,OAAO,QAAQ;AAAA,MAChD,SAAS,KAAK,YAAY;AAAA,IAC5B;AACA,WAAO,MAAM,KAAK,aAAa,KAAK,OAAO;AAAA,EAC7C;AAAA,EAEA,MAAc,WAAW,KAA+C;AACtE,QAAI,KAAK,gBAAgB,QAAW;AAClC,YAAM,IAAI,MAAM,sDAAsD;AAAA,IACxE;AACA,UAAM,WAAW,MAAM,KAAK,YAAY,GAAG;AAC3C,QAAI,SAAS,WAAW,KAAK;AAC3B,YAAM,UAAyB;AAAA,QAC7B,MAAM;AAAA,QACN,uBAAuB,SAAS,yBAAyB;AAAA,QACzD,KAAK,SAAS;AAAA,QACd,QAAQ,SAAS,UAAU;AAAA,QAC3B,eAAe,SAAS,iBAAiB;AAAA,QACzC,eAAe,SAAS,iBAAiB;AAAA,QACzC,SAAS,SAAS,WAAW,KAAK,WAAW;AAAA,MAC/C;AACA,aAAO,MAAM,KAAK,aAAa,KAAK,OAAO;AAAA,IAC7C;AAMA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM,qBAAqB;AAAA,QACzB,MAAM;AAAA,QACN,SAAS;AAAA,QACT,WAAW,EAAE,QAAQ,gCAAgC;AAAA,MACvD,CAAC;AAAA,MACD,SAAS,EAAE,GAAI,SAAS,WAAW,CAAC,EAAG;AAAA,MACvC,aAAa,IAAI;AAAA,MACjB,SAAS;AAAA,MACT,aAAa;AAAA,IACf;AAAA,EACF;AAAA,EAEA,MAAc,QACZ,KACA,cAAsC,CAAC,GACd;AACzB,QAAI,IAAI,YAAY,MAAM;AACxB,YAAM,IAAI,MAAM,wCAAwC;AAAA,IAC1D;AACA,UAAM,KAAK,wBAAwB,GAAG;AACtC,UAAM,YAAY,wBAAwB,KAAK,OAAO,IAAI,UAAU;AAEpE,UAAM,WAAW,MAAM,qBAAqB;AAAA,MAC1C,OAAO,SAAwB,WAAW,OAAO;AAAA,MACjD,WAAW,SAA2B,WAAW,WAAW;AAAA,MAC5D,YAAY,SAA4B,WAAW,YAAY;AAAA,MAC/D,QAAQ,SAAyB,WAAW,QAAQ;AAAA,IACtD,CAAC;AACD,UAAM,gBAGF,CAAC;AACL,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,SAAS,GAAG;AAC9C,UAAI,CAACE,wBAAuB,CAAC,GAAG;AAC9B,sBAAc,CAAC,IAAI;AAAA,MAKrB;AAAA,IACF;AACA,UAAM,WAAW,cAAc;AAAA,MAC7B,KAAK,KAAK;AAAA,MACV,eAAe,KAAK,UAAU,IAAI,QAAQ,IAAI;AAAA,MAC9C,UAAU,IAAI,QAAQ,UAAU,QAAQ,CAAC;AAAA,MACzC,OAAO;AAAA,IACT,CAAC;AACD,UAAM,eACJ,IAAI,QAAQ,SACZ,kBAAkB;AAAA,MAChB,eAAe,KAAK,MAAM,IAAI,QAAQ,YAAY,GAAG;AAAA,MACrD,UAAU,IAAI,QAAQ,YAAY;AAAA,IACpC,CAAC;AAGH,QAAI,cAAyB,CAAC;AAC9B,QAAI;AACJ,UAAM,cAAc,KAAK;AACzB,UAAM,aAAa,MAAM,KAAK,cAAc;AAC5C,QAAI,eAAe,UAAa,gBAAgB,MAAM;AACpD,YAAM,WAAW,UAAU,WAAW;AACtC,UAAI,aAAa,QAAW;AAC1B,cAAM,YAAY,MAAM,sBAAsB,SAAS,SAAS;AAChE,YAAI;AACF,wBAAc,MAAM,uBAAuB,YAAY;AAAA,YACrD,SAAS;AAAA,YACT,OAAO,IAAI,IAAI,QAAQ,UAAU,QAAQ,CAAC,CAAC;AAAA,YAC3C,OAAO;AAAA,YACP,mBAAmB;AAAA,UACrB,CAAC;AACD,yBAAe,EAAE,KAAK,IAAI,QAAQ,KAAK,UAAU,mBAAmB;AAAA,QACtE,QAAQ;AAGN,wBAAc,CAAC;AAAA,QACjB;AAAA,MACF;AAAA,IACF;AAKA,UAAM,mBAAmB,wBAAwB,GAAG;AAEpD,UAAM,OAAO,aAAa;AAAA,MACxB,iBAAiB;AAAA,MACjB,mBAAmB,uBAAuB,EAAE,SAAS,CAAC;AAAA,MACtD,GAAI,qBAAqB,SAAY,EAAE,iBAAiB,IAAI,CAAC;AAAA,MAC7D,SAAS;AAAA,MACT,WAAW,IAAI,QAAQ,UAAU,QAAQ,CAAC;AAAA,MAC1C,WAAW,IAAI,QAAQ;AAAA,MACvB,aAAa,0BAA0B,EAAE,gBAAgB,KAAK,CAAC;AAAA,MAC/D,GAAI,IAAI,QAAQ,UAAU,EAAE,SAAS,IAAI,QAAQ,QAAwC,IAAI,CAAC;AAAA,MAC9F,GAAI,IAAI,QAAQ,aAAa,EAAE,OAAO,IAAI,QAAQ,WAAW,IAAI,CAAC;AAAA,MAClE,GAAI,YAAY,SAAS,IAAI;AAAA,QAC3B,MAAM;AAAA,UACJ,SAAS;AAAA,UACT,GAAI,KAAK,wBAAwB,UAAa,OAAO,KAAK,KAAK,mBAAmB,EAAE,SAAS,IACzF,EAAE,YAAY,KAAK,oBAAoB,IACvC,CAAC;AAAA,QACP;AAAA,MACF,IAAI,CAAC;AAAA,IACP,CAAC;AAED,QAAI;AACJ,QAAI,YAAY,SAAS,GAAG;AAC1B,kBAAY;AAAA,QACV,aAAa;AAAA,QACb,SAAS;AAAA,QACT,GAAI,eAAe,EAAE,UAAU,aAAa,IAAI,CAAC;AAAA,MACnD;AAAA,IACF;AAEA,UAAM,UAAU,WAAW;AAAA,MACzB,sBAAsB;AAAA,MACtB;AAAA,MACA,MAAM;AAAA,IACR,CAAC;AACD,WAAO;AAAA,MACL,QAAQ,QAAQ;AAAA,MAChB,MAAM,QAAQ;AAAA,MACd,SAAS,QAAQ;AAAA,MACjB,aAAa,IAAI;AAAA,MACjB,SAAS;AAAA,IACX;AAAA,EACF;AAAA,EAEA,MAAc,aACZ,KACA,SACyB;AACzB,QAAI,aAA6C;AACjD,QAAI,KAAK,cAAc,QAAW;AAChC,YAAM,SAAS,MAAM,KAAK,UAAU,KAAK,OAAO;AAChD,UAAI,WAAW,QAAQ,OAAO,WAAW,SAAU,cAAa;AAAA,IAClE;AACA,UAAM,OAAgC,cAAc,EAAE,IAAI,KAAK;AAC/D,QAAI,EAAE,kBAAkB,MAAO,MAAK,eAAe,IAAI;AACvD,UAAM,UAAkC,CAAC;AACzC,QAAI,QAAQ,uBAAuB;AACjC,cAAQ,kBAAkB,IAAI,QAAQ;AAAA,IACxC;AACA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR;AAAA,MACA;AAAA,MACA,aAAa,IAAI;AAAA,MACjB,SAAS;AAAA,IACX;AAAA,EACF;AACF;AAEA,eAAe,sBAAsB,GAAmC;AACtE,SAAO,MAAM,iBAAiB,CAAC;AACjC;AAYO,SAAS,mBAAmB,MAKP;AAC1B,QAAM,SAAS,KAAK,UAAU;AAC9B,SAAO,qBAAqB;AAAA,IAC1B,MAAM,KAAK;AAAA,IACX,SAAS,KAAK;AAAA,IACd,WAAW,EAAE,QAAQ,cAAc,KAAK,QAAQ;AAAA,IAChD,OAAO,KAAK;AAAA,EACd,CAAC;AACH;AAWO,SAAS,uBAAuB,OAA0C;AAC/E,QAAM,SAAS,MAAM,UAAU;AAC/B,QAAM,OAAO,mBAAmB,KAAK;AACrC,SAAO,IAAI,SAAS,KAAK,UAAU,IAAI,GAAG;AAAA,IACxC;AAAA,IACA,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,EAChD,CAAC;AACH;AAMO,SAAS,0BACd,KACA,OACM;AACN,QAAM,SAAS,MAAM,UAAU;AAC/B,QAAM,OAAO,mBAAmB,KAAK;AACrC,MAAI,OAAO,MAAM;AACjB,MAAI,KAAK,IAAI;AACf;AAGO,SAAS,0BACd,OACA,OACS;AACT,QAAM,SAAS,MAAM,UAAU;AAC/B,QAAM,OAAO,mBAAmB,KAAK;AACrC,QAAM,KAAK,MAAM;AACjB,SAAO,MAAM,KAAK,IAAI;AACxB;AAGO,SAAS,yBAAyB,OAA0C;AACjF,SAAO,uBAAuB,KAAK;AACrC;AAGO,SAAS,sBAAsB,OAA0C;AAC9E,SAAO,uBAAuB,KAAK;AACrC;AAMA,SAAS,sBAA+C;AACtD,SAAO,mBAAmB;AAAA,IACxB,MAAM;AAAA,IACN,SAAS;AAAA,EACX,CAAC;AACH;AAEA,SAAS,iBAAiB,SAAyD;AACjF,QAAM,MAA8B,CAAC;AACrC,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,OAAO,GAAG;AAC5C,QAAI,EAAE,YAAY,MAAM,eAAgB,KAAI,CAAC,IAAI;AAAA,EACnD;AACA,SAAO;AACT;AAEA,SAAS,gBAAgB,GAAyE;AAChG,MAAI,MAAM,OAAW,QAAO,CAAC;AAC7B,MAAI,aAAa,SAAS;AACxB,UAAM,MAA8B,CAAC;AACrC,MAAE,QAAQ,CAAC,GAAG,MAAM;AAClB,UAAI,CAAC,IAAI;AAAA,IACX,CAAC;AACD,WAAO;AAAA,EACT;AACA,SAAO,EAAE,GAAG,EAAE;AAChB;AASC,SAAS,UAgBP,aAAa,eAAgB,GAAG,MAAM;AACvC,MAAI;AACJ,MAAI,SAAS,QAAW;AACtB,iBAAa;AAAA,EACf,OAAO;AACL,QAAI;AACF,mBAAc,MAAM,EAAE,IAAI,KAAK;AAAA,IACjC,QAAQ;AACN,aAAO,IAAI,SAAS,KAAK,UAAU,oBAAoB,CAAC,GAAG;AAAA,QACzD,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAChD,CAAC;AAAA,IACH;AAAA,EACF;AACA,QAAM,aAAa,EAAE,IAAI,OAAO;AAChC,QAAM,UAAU,gBAAgB,UAAU;AAC1C,QAAM,SAAS,MAAM,KAAK,OAAO;AAAA,IAC/B,QAAQ,EAAE,IAAI;AAAA,IACd,KAAK,EAAE,IAAI;AAAA,IACX;AAAA,IACA,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,KAAK,EAAE,IAAI,OAAO;AAAA,EACpB,CAAC;AACD,SAAO,IAAI,SAAS,KAAK,UAAU,OAAO,IAAI,GAAG;AAAA,IAC/C,QAAQ,OAAO;AAAA,IACf,SAAS,EAAE,gBAAgB,oBAAoB,GAAG,iBAAiB,OAAO,OAAO,EAAE;AAAA,EACrF,CAAC;AACH;AAGC,SAAS,UAiBP,gBAAgB,eAAgB,KAAK,KAAK,MAAM;AACjD,QAAM,aACJ,SAAS,OAAO,IAAI,SAAS,YAAY,IAAI,SAAS,OAAQ,IAAI,OAAmC;AACvG,MAAI,eAAe,MAAM;AACvB,QAAI,OAAO,GAAG;AACd,QAAI,KAAK,oBAAoB,CAAC;AAC9B;AAAA,EACF;AACA,QAAM,UAAkC,CAAC;AACzC,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,IAAI,OAAO,GAAG;AAChD,QAAI,OAAO,MAAM,SAAU,SAAQ,CAAC,IAAI;AAAA,aAC/B,MAAM,QAAQ,CAAC,KAAK,EAAE,CAAC,MAAM,OAAW,SAAQ,CAAC,IAAI,EAAE,CAAC;AAAA,EACnE;AACA,QAAM,MAAM,IAAI,eAAe,IAAI,OAAO;AAC1C,QAAM,SAAS,MAAM,KAAK,OAAO;AAAA,IAC/B,QAAQ,IAAI;AAAA,IACZ;AAAA,IACA;AAAA,IACA,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,KAAK;AAAA,EACP,CAAC;AACD,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,iBAAiB,OAAO,OAAO,CAAC,EAAG,KAAI,UAAU,GAAG,CAAC;AACzF,MAAI,OAAO,OAAO,MAAM;AACxB,MAAI,KAAK,OAAO,IAAI;AACtB;AAGC,SAAS,UAgBP,gBAAgB,eAAgB,SAAS,OAAO,MAAM;AACvD,QAAM,aACJ,SAAS,OAAO,QAAQ,SAAS,YAAY,QAAQ,SAAS,OACzD,QAAQ,OACT;AACN,MAAI,eAAe,MAAM;AACvB,UAAM,KAAK,GAAG;AACd,WAAO,MAAM,KAAK,oBAAoB,CAAC;AAAA,EACzC;AACA,QAAM,UAAkC,CAAC;AACzC,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,QAAQ,OAAO,GAAG;AACpD,QAAI,OAAO,MAAM,SAAU,SAAQ,CAAC,IAAI;AAAA,aAC/B,MAAM,QAAQ,CAAC,KAAK,EAAE,CAAC,MAAM,OAAW,SAAQ,CAAC,IAAI,EAAE,CAAC;AAAA,EACnE;AACA,QAAM,SAAS,MAAM,KAAK,OAAO;AAAA,IAC/B,QAAQ,QAAQ;AAAA,IAChB,KAAK,QAAQ;AAAA,IACb;AAAA,IACA,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,KAAK;AAAA,EACP,CAAC;AACD,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,iBAAiB,OAAO,OAAO,CAAC,EAAG,OAAM,OAAO,GAAG,CAAC;AACxF,QAAM,KAAK,OAAO,MAAM;AACxB,SAAO,MAAM,KAAK,OAAO,IAAI;AAC/B;AAGC,SAAS,UAEP,eAAe,eAAgB,SAAS,MAAM;AAC/C,MAAI;AACJ,MAAI,SAAS,QAAW;AACtB,iBAAa;AAAA,EACf,OAAO;AACL,QAAI;AACF,mBAAc,MAAM,QAAQ,KAAK;AAAA,IACnC,QAAQ;AACN,aAAO,IAAI,SAAS,KAAK,UAAU,oBAAoB,CAAC,GAAG;AAAA,QACzD,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAChD,CAAC;AAAA,IACH;AAAA,EACF;AACA,QAAM,UAAkC,CAAC;AACzC,UAAQ,QAAQ,QAAQ,CAAC,GAAG,MAAM;AAChC,YAAQ,CAAC,IAAI;AAAA,EACf,CAAC;AACD,QAAM,SAAS,MAAM,KAAK,OAAO;AAAA,IAC/B,QAAQ,QAAQ;AAAA,IAChB,KAAK,QAAQ;AAAA,IACb;AAAA,IACA,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,KAAK;AAAA,EACP,CAAC;AACD,SAAO,IAAI,SAAS,KAAK,UAAU,OAAO,IAAI,GAAG;AAAA,IAC/C,QAAQ,OAAO;AAAA,IACf,SAAS,EAAE,gBAAgB,oBAAoB,GAAG,iBAAiB,OAAO,OAAO,EAAE;AAAA,EACrF,CAAC;AACH;AAGC,SAAS,UAEP,YAAa,SAAS,UAEtB;AAoGH,eAAe,eACb,UACA,YACA,MACkC;AAClC,QAAM,EAAE,wBAAAK,wBAAuB,IAAI,MAAM;AACzC,SAAO,MAAMA,wBAAuB;AAAA,IAClC;AAAA,IACA,MAAM,KAAK;AAAA,IACX,iBAAiB,KAAK;AAAA,IACtB,UAAU,KAAK;AAAA,IACf,gBAAgB;AAAA,IAChB,GAAI,KAAK,eAAe,UAAa,EAAE,YAAY,KAAK,WAAW;AAAA,IACnE,GAAI,KAAK,mBAAmB,UAAa;AAAA,MACvC,gBAAgB,KAAK;AAAA,IACvB;AAAA,EACF,CAAC;AACH;AAEA,eAAe,gBACb,YACA,MACkC;AAClC,QAAM,EAAE,yBAAAC,yBAAwB,IAAI,MAAM;AAC1C,SAAO,MAAMA,yBAAwB;AAAA,IACnC,gBAAgB;AAAA,IAChB,GAAI,KAAK,eAAe,UAAa,EAAE,YAAY,KAAK,WAAW;AAAA,EACrE,CAAC;AACH;AAEA,SAAS,eAAe,YAA+B;AAIrD,SAAO,IAAI,SAAS,MAAM;AAAA,IACxB,QAAQ;AAAA,IACR,SAAS,kBAAkB,UAAU;AAAA,EACvC,CAAC;AACH;AAEA,SAAS,kBAAkB,YAA6C;AACtE,QAAM,UAAkC;AAAA,IACtC,+BAA+B;AAAA,IAC/B,gCAAgC;AAAA,IAChC,0BAA0B;AAAA,IAC1B,MAAM;AAAA,EACR;AACA,QAAM,OAAO,WAAW,IAAI,gCAAgC;AAC5D,MAAI,KAAM,SAAQ,8BAA8B,IAAI;AACpD,SAAO;AACT;AAEC,SAAS,UAEP,qBAAqB,SAAU,KAAK,MAAM;AAC3C,QAAM,UAAU,KAAK,WAAW;AAChC,QAAM,WAAW,KAAK,YAAY;AAElC,QAAM,WAAW;AACjB,MAAI,IAAI,SAAS,OAAO,MAAM;AAC5B,UAAM,OAAO,MAAM,eAAe,UAAU,EAAE,IAAI,IAAI,SAAS,IAAI;AACnE,WAAO,IAAI,SAAS,KAAK,MAAM;AAAA,MAC7B,QAAQ,KAAK;AAAA,MACb,SAAS,EAAE,GAAG,KAAK,SAAS,gBAAgB,KAAK,UAAU;AAAA,IAC7D,CAAC;AAAA,EACH,CAAC;AACD,MAAI,IAAI,UAAU,OAAO,MAAM;AAC7B,UAAM,OAAO,MAAM,gBAAgB,EAAE,IAAI,IAAI,SAAS,IAAI;AAC1D,WAAO,IAAI,SAAS,KAAK,MAAM;AAAA,MAC7B,QAAQ,KAAK;AAAA,MACb,SAAS,EAAE,GAAG,KAAK,SAAS,gBAAgB,KAAK,UAAU;AAAA,IAC7D,CAAC;AAAA,EACH,CAAC;AACD,MAAI,QAAQ,SAAS,CAAC,MAAM,eAAe,EAAE,IAAI,IAAI,OAAO,CAAC;AAC7D,MAAI,QAAQ,UAAU,CAAC,MAAM,eAAe,EAAE,IAAI,IAAI,OAAO,CAAC;AAChE;AAEA,SAAS,wBAAwB,KAA6D;AAC5F,QAAM,MAAM,IAAI,QAAQ;AACxB,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,GAAG,GAAG;AACxC,QAAI,MAAM,OAAW;AACrB,QAAI,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,KAAK,GAAG,IAAI,CAAC;AAAA,EAC/C;AACA,SAAO;AACT;AAEC,SAAS,UAEP,wBAAwB,SAAU,KAAK,MAAM;AAC9C,QAAM,UAAU,KAAK,WAAW;AAChC,QAAM,WAAW,KAAK,YAAY;AAElC,QAAM,WAAW;AACjB,MAAI,IAAI,SAAS,OAAO,KAAK,QAAQ;AACnC,UAAM,OAAO,MAAM,eAAe,UAAU,wBAAwB,IAAI,OAAO,GAAG,IAAI;AACtF,QAAI,OAAO,KAAK,MAAM;AACtB,QAAI,IAAI,KAAK,OAAO;AACpB,QAAI,KAAK,KAAK,SAAS;AACvB,QAAI,KAAK,KAAK,IAAI;AAAA,EACpB,CAAC;AACD,MAAI,IAAI,UAAU,OAAO,KAAK,QAAQ;AACpC,UAAM,OAAO,MAAM,gBAAgB,wBAAwB,IAAI,OAAO,GAAG,IAAI;AAC7E,QAAI,OAAO,KAAK,MAAM;AACtB,QAAI,IAAI,KAAK,OAAO;AACpB,QAAI,KAAK,KAAK,SAAS;AACvB,QAAI,KAAK,KAAK,IAAI;AAAA,EACpB,CAAC;AACD,QAAM,YAAY,CAAC,KAAiE,QAAwB;AAC1G,UAAM,aAAa,wBAAwB,IAAI,OAAO;AACtD,QAAI,OAAO,GAAG;AACd,QAAI,IAAI,kBAAkB,UAAU,CAAC;AACrC,QAAI,KAAK,EAAE;AAAA,EACb;AACA,MAAI,QAAQ,SAAS,SAAS;AAC9B,MAAI,QAAQ,UAAU,SAAS;AACjC;AAEC,SAAS,UAEP,wBAAwB,SAAU,KAAK,MAAM;AAC9C,QAAM,UAAU,KAAK,WAAW;AAChC,QAAM,WAAW,KAAK,YAAY;AAElC,QAAM,WAAW;AACjB,MAAI,IAAI,SAAS,OAAO,SAAS,UAAU;AACzC,UAAM,OAAO,MAAM,eAAe,UAAU,wBAAwB,QAAQ,OAAO,GAAG,IAAI;AAC1F,UAAM,KAAK,KAAK,MAAM;AACtB,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,KAAK,OAAO,EAAG,OAAM,OAAO,GAAG,CAAC;AACpE,UAAM,KAAK,KAAK,SAAS;AACzB,WAAO,MAAM,KAAK,KAAK,IAAI;AAAA,EAC7B,CAAC;AACD,MAAI,IAAI,UAAU,OAAO,SAAS,UAAU;AAC1C,UAAM,OAAO,MAAM,gBAAgB,wBAAwB,QAAQ,OAAO,GAAG,IAAI;AACjF,UAAM,KAAK,KAAK,MAAM;AACtB,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,KAAK,OAAO,EAAG,OAAM,OAAO,GAAG,CAAC;AACpE,UAAM,KAAK,KAAK,SAAS;AACzB,WAAO,MAAM,KAAK,KAAK,IAAI;AAAA,EAC7B,CAAC;AACD,QAAM,YAAY,CAAC,SAAqE,UAA4B;AAClH,UAAM,aAAa,wBAAwB,QAAQ,OAAO;AAC1D,UAAM,KAAK,GAAG;AACd,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,kBAAkB,UAAU,CAAC,EAAG,OAAM,OAAO,GAAG,CAAC;AACrF,WAAO,MAAM,KAAK,EAAE;AAAA,EACtB;AACA,MAAI,QAAQ,SAAS,SAAS;AAC9B,MAAI,QAAQ,UAAU,SAAS;AACjC;;;AmB73DO,SAAS,oBACd,QACA,MAC8B;AAC9B,MAAI,CAAC,UAAU,CAAC,OAAO,YAAa,QAAO;AAC3C,SAAO;AAAA,IACL,QAAQ,KAAK;AAAA,IACb,GAAI,KAAK,YAAY,UAAa,EAAE,SAAS,KAAK,QAAQ;AAAA,IAC1D,GAAI,OAAO,eAAe,UAAa,EAAE,YAAY,OAAO,WAAW;AAAA,IACvE,GAAI,OAAO,0BAA0B,UAAa;AAAA,MAChD,uBAAuB,OAAO;AAAA,IAChC;AAAA,IACA,GAAI,OAAO,WAAW,UAAa,EAAE,QAAQ,OAAO,OAAO;AAAA,IAC3D,GAAI,OAAO,yBAAyB,UAAa;AAAA,MAC/C,sBAAsB,CAAC,GAAG,OAAO,oBAAoB;AAAA,IACvD;AAAA,EACF;AACF;AAoBA,eAAsB,uBACpB,aACA,SACqB;AACrB,MAAI,CAAC,WAAW,CAAC,YAAa,QAAO,EAAE,QAAQ,YAAY;AAE3D,QAAM,UAAU,MAAM,QAAQ;AAC9B,MAAI,QAAQ,GAAI,QAAO,EAAE,QAAQ,WAAW;AAE5C,MAAI,gBAAgB,QAAQ;AAC1B,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,cAAc,QAAQ;AAAA,MACtB,YAAY,QAAQ;AAAA,MACpB,GAAI,QAAQ,WAAW,UAAa,EAAE,cAAc,QAAQ,OAAO;AAAA,IACrE;AAAA,EACF;AACA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,cAAc,QAAQ;AAAA,IACtB,YAAY,QAAQ;AAAA,IACpB,GAAI,QAAQ,WAAW,UAAa,EAAE,cAAc,QAAQ,OAAO;AAAA,EACrE;AACF;AAGO,SAAS,uBAAuB,SAAiB,QAAiD;AACvG,MAAI,CAAC,QAAQ,4BAA4B,OAAO,yBAAyB,WAAW,EAAG,QAAO;AAC9F,QAAM,UAAU,IAAI,IAAI,OAAO,yBAAyB,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;AACnF,SAAO,QAAQ,IAAI,QAAQ,YAAY,CAAC;AAC1C;AAQO,SAAS,qBACd,OACA,SACA,QACS;AACT,MAAI,CAAC,QAAQ,yBAAyB,OAAO,sBAAsB,WAAW,EAAG,QAAO;AACxF,MAAI,QAAQ,YAAY,MAAM,KAAM,QAAO;AAC3C,QAAM,UAAU,IAAI,IAAI,OAAO,sBAAsB,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;AAChF,SAAO,QAAQ,IAAI,MAAM,YAAY,CAAC;AACxC;AA6BO,SAAS,8BAA8B,MASrC;AACP,QAAM,OAAO,KAAK,aAAa;AAC/B,QAAM,SAAS,KAAK,eAAe;AACnC,QAAM,OAAO,KAAK,cAAc,IAAI,KAAK,WAAW,MAAM;AAC1D,MAAI,CAAC,uBAAuB,KAAK,SAAS,KAAK,MAAM,GAAG;AACtD,UAAM,IAAI,wBAAwB;AAAA,MAChC;AAAA,MACA,SACE,KAAK,kBACL,iBAAiB,IAAI,OAAO,KAAK,QAAQ,YAAY,KAAK,SAAS;AAAA,MACrE;AAAA,IACF,CAAC;AAAA,EACH;AACA,MAAI,CAAC,qBAAqB,KAAK,OAAO,KAAK,SAAS,KAAK,MAAM,GAAG;AAChE,UAAM,IAAI,wBAAwB;AAAA,MAChC;AAAA,MACA,SACE,KAAK,gBACL,iBAAiB,IAAI,OAAO,KAAK,MAAM,YAAY,KAAK,SAAS;AAAA,MACnE;AAAA,IACF,CAAC;AAAA,EACH;AACF;;;ACrNA,SAAS,kBAAkB;AASpB,SAAS,kBAAkB,WAA2B;AAC3D,SAAO,WAAW,QAAQ,EAAE,OAAO,WAAW,MAAM,EAAE,OAAO,KAAK;AACpE;;;ACpBA;AACA;AACA;AACA;AAQA;;;ACDA;AACA;;;AC+EO,SAAS,eAAe,OAAuB;AACpD,UAAQ,QAAQ,KAAK,QAAQ,CAAC;AAChC;;;ACvEA,eAAsB,mBAAmB,MAER;AAC/B,QAAM,MAAM,KAAK;AACjB,MAAI,CAAC,IAAK,QAAO;AACjB,QAAM,aAAa;AACnB,QAAM,MAAO,MAAM,OAAO,YAAY,MAAM,MAAM,IAAI;AAItD,MAAI,CAAC,KAAK,0CAA0C,CAAC,IAAI,gBAAgB;AACvE,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI;AACJ,MAAI,qBAAqB,KAAK,GAAG,GAAG;AAClC,YAAQ,IAAI,WAAW,IAAI,MAAM,OAAO,EAAG,IAAI,CAAC,MAAM,SAAS,GAAG,EAAE,CAAC,CAAC,EAAE,MAAM,GAAG,EAAE;AAAA,EACrF,OAAO;AACL,UAAM,UAAU,IAAI,WAAW,IAAI,eAAe,EAAE,OAAO,GAAG,CAAC;AAC/D,YAAQ,QAAQ,WAAW,KAAK,QAAQ,MAAM,GAAG,EAAE,IAAI;AAAA,EACzD;AACA,SAAO,IAAI,uCAAuC,KAAK;AACzD;","names":["networks","cacheKey","options","rails","rails","isTempoSessionRailSpec","rails","dynamicImport","rails","SOLANA_BASE58_RE","lowerHeaders","isStripeRailSpec","isTempoSessionRailSpec","rails","buildDiscoveryProbeResponse","reason","body","buildSignedUcpResponse","buildSignedJwksResponse"]}