@agent-score/commerce 2.0.1 → 2.1.0

package/dist/identity/express.d.mts

@@ -1,7 +1,6 @@
-export { F as FIXABLE_DENIAL_REASONS, b as buildContactSupportNextSteps, a as buildSignerMismatchBody, d as denialReasonStatus, c as denialReasonToBody, i as isFixableDenial, v as verificationAgentInstructions } from '../_response-BFYN3b6i.mjs';
-export { r as readX402PaymentHeader } from '../signer-3FAit11j.mjs';
 import { AgentScoreCoreOptions, AgentIdentity, DenialReason, CreateSessionOnMissing, AssessResult, FailOpenInfraReason, GateQuotaInfo, SignerVerdict } from '../core.mjs';
 import { Request, Response, NextFunction } from 'express';
+import '../signer-3FAit11j.mjs';
 
 interface AgentScoreGateOptions extends Omit<AgentScoreCoreOptions, 'createSessionOnMissing'> {
     /** Custom function to extract agent identity (wallet address and/or operator token). */
@@ -55,5 +54,10 @@ declare function captureWallet(req: Request, options: {
  * only needs to consume this getter for the `signer_match` wallet-binding verdict.
  */
 declare function getSignerVerdict(req: Request): SignerVerdict | undefined;
+/** Wrap `agentscoreGate(...)` so it only fires when a payment credential is
+ *  attached to the request. Discovery legs (no payment header) flow through
+ *  unauthenticated and the handler emits a 402 with all rails; settle legs
+ *  trigger the full gate. */
+declare function conditionalAgentscoreGate(options: AgentScoreGateOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
 
-export { agentscoreGate, captureWallet, getAgentScoreData, getGateDegradedState, getGateQuotaInfo, getSignerVerdict };
+export { agentscoreGate, captureWallet, conditionalAgentscoreGate, getAgentScoreData, getGateDegradedState, getGateQuotaInfo, getSignerVerdict };

package/dist/identity/express.d.ts

@@ -1,7 +1,6 @@
-export { F as FIXABLE_DENIAL_REASONS, b as buildContactSupportNextSteps, a as buildSignerMismatchBody, d as denialReasonStatus, c as denialReasonToBody, i as isFixableDenial, v as verificationAgentInstructions } from '../_response-_iPD5AIj.js';
-export { r as readX402PaymentHeader } from '../signer-3FAit11j.js';
 import { AgentScoreCoreOptions, AgentIdentity, DenialReason, CreateSessionOnMissing, AssessResult, FailOpenInfraReason, GateQuotaInfo, SignerVerdict } from '../core.js';
 import { Request, Response, NextFunction } from 'express';
+import '../signer-3FAit11j.js';
 
 interface AgentScoreGateOptions extends Omit<AgentScoreCoreOptions, 'createSessionOnMissing'> {
     /** Custom function to extract agent identity (wallet address and/or operator token). */
@@ -55,5 +54,10 @@ declare function captureWallet(req: Request, options: {
  * only needs to consume this getter for the `signer_match` wallet-binding verdict.
  */
 declare function getSignerVerdict(req: Request): SignerVerdict | undefined;
+/** Wrap `agentscoreGate(...)` so it only fires when a payment credential is
+ *  attached to the request. Discovery legs (no payment header) flow through
+ *  unauthenticated and the handler emits a 402 with all rails; settle legs
+ *  trigger the full gate. */
+declare function conditionalAgentscoreGate(options: AgentScoreGateOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
 
-export { agentscoreGate, captureWallet, getAgentScoreData, getGateDegradedState, getGateQuotaInfo, getSignerVerdict };
+export { agentscoreGate, captureWallet, conditionalAgentscoreGate, getAgentScoreData, getGateDegradedState, getGateQuotaInfo, getSignerVerdict };

package/dist/identity/express.js

@@ -20,20 +20,13 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/identity/express.ts
 var express_exports = {};
 __export(express_exports, {
-  FIXABLE_DENIAL_REASONS: () => FIXABLE_DENIAL_REASONS,
   agentscoreGate: () => agentscoreGate,
-  buildContactSupportNextSteps: () => buildContactSupportNextSteps,
-  buildSignerMismatchBody: () => buildSignerMismatchBody,
   captureWallet: () => captureWallet,
-  denialReasonStatus: () => denialReasonStatus,
-  denialReasonToBody: () => denialReasonToBody,
+  conditionalAgentscoreGate: () => conditionalAgentscoreGate,
   getAgentScoreData: () => getAgentScoreData,
   getGateDegradedState: () => getGateDegradedState,
   getGateQuotaInfo: () => getGateQuotaInfo,
-  getSignerVerdict: () => getSignerVerdict,
-  isFixableDenial: () => isFixableDenial,
-  readX402PaymentHeader: () => readX402PaymentHeader,
-  verificationAgentInstructions: () => verificationAgentInstructions
+  getSignerVerdict: () => getSignerVerdict
 });
 module.exports = __toCommonJS(express_exports);
 
@@ -52,80 +45,6 @@ function denialReasonStatus(reason) {
   if (reason.code === "api_error") return 503;
   return 403;
 }
-function buildSignerMismatchBody({
-  result,
-  userMessage,
-  learnMoreUrl
-}) {
-  if (result.kind === "pass") return null;
-  const learnMoreUrlResolved = learnMoreUrl ?? "https://docs.agentscore.sh/guides/agent-identity";
-  if (result.kind === "wallet_signer_mismatch") {
-    const linkedWallets = result.linkedWallets ?? [];
-    const userMessageResolved = userMessage ?? (linkedWallets.length > 0 ? `Sign the payment with one of the wallets linked to this operator: ${linkedWallets.join(", ")}. Then retry.` : "Sign the payment with the same wallet you claimed via X-Wallet-Address, or switch to X-Operator-Token for rail-independent identity.");
-    return {
-      error: {
-        code: "wallet_signer_mismatch",
-        message: "Payment signer does not match the wallet claimed via X-Wallet-Address. The signer and the claimed wallet must both resolve to the same AgentScore operator."
-      },
-      claimed_operator: result.claimedOperator,
-      actual_signer_operator: result.actualSignerOperator ?? null,
-      expected_signer: result.expectedSigner,
-      actual_signer: result.actualSigner,
-      linked_wallets: linkedWallets,
-      next_steps: {
-        action: "regenerate_payment_from_linked_wallet",
-        user_message: userMessageResolved,
-        learn_more_url: learnMoreUrlResolved
-      }
-    };
-  }
-  return {
-    error: {
-      code: "wallet_auth_requires_wallet_signing",
-      message: "Wallet-auth requires a payment rail that carries a wallet signature (Tempo MPP, x402). Stripe SPT and card rails have no wallet signer; switch to X-Operator-Token to use those."
-    },
-    next_steps: {
-      action: "switch_to_operator_token",
-      user_message: userMessage ?? "Drop the X-Wallet-Address header and retry with X-Operator-Token (works on every payment rail).",
-      learn_more_url: learnMoreUrlResolved
-    }
-  };
-}
-function buildContactSupportNextSteps(supportEmail, message) {
-  return {
-    action: "contact_support",
-    support_email: supportEmail,
-    user_message: message ?? `If you believe this denial is in error, contact support at ${supportEmail} with the details of your request.`
-  };
-}
-function verificationAgentInstructions({
-  userAction,
-  retryStep,
-  extraSteps,
-  pollIntervalSeconds = 5,
-  timeoutSeconds = 3600,
-  orderTtl,
-  extra
-} = {}) {
-  const baseSteps = [
-    "Present the verify_url directly to the user \u2014 it is a complete, ready-to-open URL with the session token already embedded (e.g. https://agentscore.sh/verify?session=sess_...). Do NOT modify or construct the URL yourself.",
-    `Immediately begin polling poll_url every ${pollIntervalSeconds} seconds with header X-Poll-Secret set to poll_secret. The user will complete verification in their browser while you poll in the background.`,
-    "The user visits the URL, signs in, completes identity verification (photo ID + selfie via Stripe Identity), and closes the tab. They do NOT need to copy or paste anything back to you.",
-    'When your poll returns status "verified", extract operator_token from the response. This is a one-time value \u2014 save it immediately. Subsequent polls return status "consumed" without the token.',
-    retryStep ?? "Retry the original merchant request with header X-Operator-Token set to the operator_token value."
-  ];
-  return {
-    action: "poll_for_credential",
-    user_action: userAction ?? "The user must visit verify_url to complete identity verification before this request can proceed",
-    steps: extraSteps ? [...baseSteps, ...extraSteps] : baseSteps,
-    poll_interval_seconds: pollIntervalSeconds,
-    poll_secret_header: "X-Poll-Secret",
-    retry_token_header: "X-Operator-Token",
-    timeout_seconds: timeoutSeconds,
-    ...orderTtl ? { order_ttl: orderTtl } : {},
-    ...extra ?? {}
-  };
-}
 
 // src/_response.ts
 var WALLET_NOT_TRUSTED_INSTRUCTIONS = JSON.stringify({
@@ -375,7 +294,7 @@ function createAgentScoreCore(options) {
   } = options;
   const baseUrl = stripTrailingSlashes(rawBaseUrl);
   const agentMemoryHint = buildAgentMemoryHint();
-  const defaultUa = `@agent-score/commerce@${"2.0.1"}`;
+  const defaultUa = `@agent-score/commerce@${"2.1.0"}`;
   const userAgentHeader = userAgent ? `${userAgent} (${defaultUa})` : defaultUa;
   const sdk = new import_sdk.AgentScore({ apiKey, baseUrl, userAgent: userAgentHeader });
   const sessionSdkCache = /* @__PURE__ */ new Map();
@@ -667,6 +586,30 @@ function createAgentScoreCore(options) {
   return { evaluate, captureWallet: captureWallet2, getSignerVerdict: getSignerVerdict2 };
 }
 
+// src/payment/payment_header.ts
+function toTitleCase(name) {
+  return name.replace(/(^|-)([a-z])/g, (_m, sep, c) => sep + c.toUpperCase());
+}
+function readHeader(headers, name) {
+  if (typeof headers.get === "function") {
+    return headers.get(name);
+  }
+  const rec = headers;
+  const v = rec[name] ?? rec[name.toLowerCase()] ?? rec[toTitleCase(name)];
+  if (typeof v === "string") return v;
+  if (Array.isArray(v) && typeof v[0] === "string") return v[0];
+  return null;
+}
+function asHeaders(input) {
+  return typeof input.headers === "object" && input instanceof Request ? input.headers : input;
+}
+function hasPaymentHeader(input) {
+  const headers = asHeaders(input);
+  return Boolean(
+    readHeader(headers, "payment-signature") || readHeader(headers, "x-payment") || readHeader(headers, "authorization")?.startsWith("Payment ")
+  );
+}
+
 // src/signer.ts
 var TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";
 var TOKEN_2022_PROGRAM = "TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb";
@@ -746,9 +689,6 @@ async function extractPaymentSignerFromAuth(authHeader, x402PaymentHeader) {
   });
   return extractPaymentSigner(request, x402PaymentHeader);
 }
-function readX402PaymentHeader(request) {
-  return request.headers.get("payment-signature") ?? request.headers.get("x-payment") ?? void 0;
-}
 
 // src/identity/express.ts
 var GATE_STATE_KEY = "__agentscoreGate";
@@ -820,21 +760,24 @@ function getSignerVerdict(req) {
   if (!state?.walletAddress) return void 0;
   return state.core.getSignerVerdict(state.walletAddress);
 }
+function conditionalAgentscoreGate(options) {
+  const gate = agentscoreGate(options);
+  return async function conditionalGateMiddleware(req, res, next) {
+    if (!hasPaymentHeader(req.headers)) {
+      next();
+      return;
+    }
+    return gate(req, res, next);
+  };
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  FIXABLE_DENIAL_REASONS,
   agentscoreGate,
-  buildContactSupportNextSteps,
-  buildSignerMismatchBody,
   captureWallet,
-  denialReasonStatus,
-  denialReasonToBody,
+  conditionalAgentscoreGate,
   getAgentScoreData,
   getGateDegradedState,
   getGateQuotaInfo,
-  getSignerVerdict,
-  isFixableDenial,
-  readX402PaymentHeader,
-  verificationAgentInstructions
+  getSignerVerdict
 });
 //# sourceMappingURL=express.js.map