@agent-score/commerce 2.0.1 → 2.1.0

package/dist/identity/web.d.mts

@@ -1,6 +1,5 @@
-export { F as FIXABLE_DENIAL_REASONS, b as buildContactSupportNextSteps, a as buildSignerMismatchBody, d as denialReasonStatus, c as denialReasonToBody, i as isFixableDenial, v as verificationAgentInstructions } from '../_response-BFYN3b6i.mjs';
-export { r as readX402PaymentHeader } from '../signer-3FAit11j.mjs';
 import { AgentScoreCoreOptions, AgentIdentity, DenialReason, CreateSessionOnMissing, AssessResult, SignerVerdict, FailOpenInfraReason, GateQuotaInfo } from '../core.mjs';
+import '../signer-3FAit11j.mjs';
 
 interface AgentScoreGateOptions extends Omit<AgentScoreCoreOptions, 'createSessionOnMissing'> {
     /** Custom function to extract agent identity from a Request. */
@@ -90,5 +89,12 @@ declare function withAgentScoreGate<TCtx = unknown>(options: AgentScoreGateOptio
     /** Per-account assess quota observability from X-Quota-* response headers. */
     quota?: GateQuotaInfo;
 }, ctx?: TCtx) => Response | Promise<Response>): (req: Request, ctx?: TCtx) => Promise<Response>;
+/** Wrap `createAgentScoreGate(...)` so it only fires when a payment credential
+ *  is attached. Discovery legs flow through allowed (with `data: undefined`)
+ *  and the handler emits a 402 with all rails; settle legs run the full gate. */
+declare function createConditionalAgentScoreGate(options: AgentScoreGateOptions): (req: Request) => Promise<GuardResult>;
+/** Wrapper variant matching `withAgentScoreGate(opts, handler)` that only
+ *  invokes the gate when a payment credential is attached. */
+declare function withConditionalAgentScoreGate<TCtx = unknown>(options: AgentScoreGateOptions, handler: Parameters<typeof withAgentScoreGate<TCtx>>[1]): (req: Request, ctx: TCtx) => Promise<Response>;
 
-export { type GuardResult, createAgentScoreGate, withAgentScoreGate };
+export { type GuardResult, createAgentScoreGate, createConditionalAgentScoreGate, withAgentScoreGate, withConditionalAgentScoreGate };

package/dist/identity/web.d.ts

@@ -1,6 +1,5 @@
-export { F as FIXABLE_DENIAL_REASONS, b as buildContactSupportNextSteps, a as buildSignerMismatchBody, d as denialReasonStatus, c as denialReasonToBody, i as isFixableDenial, v as verificationAgentInstructions } from '../_response-_iPD5AIj.js';
-export { r as readX402PaymentHeader } from '../signer-3FAit11j.js';
 import { AgentScoreCoreOptions, AgentIdentity, DenialReason, CreateSessionOnMissing, AssessResult, SignerVerdict, FailOpenInfraReason, GateQuotaInfo } from '../core.js';
+import '../signer-3FAit11j.js';
 
 interface AgentScoreGateOptions extends Omit<AgentScoreCoreOptions, 'createSessionOnMissing'> {
     /** Custom function to extract agent identity from a Request. */
@@ -90,5 +89,12 @@ declare function withAgentScoreGate<TCtx = unknown>(options: AgentScoreGateOptio
     /** Per-account assess quota observability from X-Quota-* response headers. */
     quota?: GateQuotaInfo;
 }, ctx?: TCtx) => Response | Promise<Response>): (req: Request, ctx?: TCtx) => Promise<Response>;
+/** Wrap `createAgentScoreGate(...)` so it only fires when a payment credential
+ *  is attached. Discovery legs flow through allowed (with `data: undefined`)
+ *  and the handler emits a 402 with all rails; settle legs run the full gate. */
+declare function createConditionalAgentScoreGate(options: AgentScoreGateOptions): (req: Request) => Promise<GuardResult>;
+/** Wrapper variant matching `withAgentScoreGate(opts, handler)` that only
+ *  invokes the gate when a payment credential is attached. */
+declare function withConditionalAgentScoreGate<TCtx = unknown>(options: AgentScoreGateOptions, handler: Parameters<typeof withAgentScoreGate<TCtx>>[1]): (req: Request, ctx: TCtx) => Promise<Response>;
 
-export { type GuardResult, createAgentScoreGate, withAgentScoreGate };
+export { type GuardResult, createAgentScoreGate, createConditionalAgentScoreGate, withAgentScoreGate, withConditionalAgentScoreGate };

package/dist/identity/web.js

@@ -20,16 +20,10 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/identity/web.ts
 var web_exports = {};
 __export(web_exports, {
-  FIXABLE_DENIAL_REASONS: () => FIXABLE_DENIAL_REASONS,
-  buildContactSupportNextSteps: () => buildContactSupportNextSteps,
-  buildSignerMismatchBody: () => buildSignerMismatchBody,
   createAgentScoreGate: () => createAgentScoreGate,
-  denialReasonStatus: () => denialReasonStatus,
-  denialReasonToBody: () => denialReasonToBody,
-  isFixableDenial: () => isFixableDenial,
-  readX402PaymentHeader: () => readX402PaymentHeader,
-  verificationAgentInstructions: () => verificationAgentInstructions,
-  withAgentScoreGate: () => withAgentScoreGate
+  createConditionalAgentScoreGate: () => createConditionalAgentScoreGate,
+  withAgentScoreGate: () => withAgentScoreGate,
+  withConditionalAgentScoreGate: () => withConditionalAgentScoreGate
 });
 module.exports = __toCommonJS(web_exports);
 
@@ -48,80 +42,6 @@ function denialReasonStatus(reason) {
   if (reason.code === "api_error") return 503;
   return 403;
 }
-function buildSignerMismatchBody({
-  result,
-  userMessage,
-  learnMoreUrl
-}) {
-  if (result.kind === "pass") return null;
-  const learnMoreUrlResolved = learnMoreUrl ?? "https://docs.agentscore.sh/guides/agent-identity";
-  if (result.kind === "wallet_signer_mismatch") {
-    const linkedWallets = result.linkedWallets ?? [];
-    const userMessageResolved = userMessage ?? (linkedWallets.length > 0 ? `Sign the payment with one of the wallets linked to this operator: ${linkedWallets.join(", ")}. Then retry.` : "Sign the payment with the same wallet you claimed via X-Wallet-Address, or switch to X-Operator-Token for rail-independent identity.");
-    return {
-      error: {
-        code: "wallet_signer_mismatch",
-        message: "Payment signer does not match the wallet claimed via X-Wallet-Address. The signer and the claimed wallet must both resolve to the same AgentScore operator."
-      },
-      claimed_operator: result.claimedOperator,
-      actual_signer_operator: result.actualSignerOperator ?? null,
-      expected_signer: result.expectedSigner,
-      actual_signer: result.actualSigner,
-      linked_wallets: linkedWallets,
-      next_steps: {
-        action: "regenerate_payment_from_linked_wallet",
-        user_message: userMessageResolved,
-        learn_more_url: learnMoreUrlResolved
-      }
-    };
-  }
-  return {
-    error: {
-      code: "wallet_auth_requires_wallet_signing",
-      message: "Wallet-auth requires a payment rail that carries a wallet signature (Tempo MPP, x402). Stripe SPT and card rails have no wallet signer; switch to X-Operator-Token to use those."
-    },
-    next_steps: {
-      action: "switch_to_operator_token",
-      user_message: userMessage ?? "Drop the X-Wallet-Address header and retry with X-Operator-Token (works on every payment rail).",
-      learn_more_url: learnMoreUrlResolved
-    }
-  };
-}
-function buildContactSupportNextSteps(supportEmail, message) {
-  return {
-    action: "contact_support",
-    support_email: supportEmail,
-    user_message: message ?? `If you believe this denial is in error, contact support at ${supportEmail} with the details of your request.`
-  };
-}
-function verificationAgentInstructions({
-  userAction,
-  retryStep,
-  extraSteps,
-  pollIntervalSeconds = 5,
-  timeoutSeconds = 3600,
-  orderTtl,
-  extra
-} = {}) {
-  const baseSteps = [
-    "Present the verify_url directly to the user \u2014 it is a complete, ready-to-open URL with the session token already embedded (e.g. https://agentscore.sh/verify?session=sess_...). Do NOT modify or construct the URL yourself.",
-    `Immediately begin polling poll_url every ${pollIntervalSeconds} seconds with header X-Poll-Secret set to poll_secret. The user will complete verification in their browser while you poll in the background.`,
-    "The user visits the URL, signs in, completes identity verification (photo ID + selfie via Stripe Identity), and closes the tab. They do NOT need to copy or paste anything back to you.",
-    'When your poll returns status "verified", extract operator_token from the response. This is a one-time value \u2014 save it immediately. Subsequent polls return status "consumed" without the token.',
-    retryStep ?? "Retry the original merchant request with header X-Operator-Token set to the operator_token value."
-  ];
-  return {
-    action: "poll_for_credential",
-    user_action: userAction ?? "The user must visit verify_url to complete identity verification before this request can proceed",
-    steps: extraSteps ? [...baseSteps, ...extraSteps] : baseSteps,
-    poll_interval_seconds: pollIntervalSeconds,
-    poll_secret_header: "X-Poll-Secret",
-    retry_token_header: "X-Operator-Token",
-    timeout_seconds: timeoutSeconds,
-    ...orderTtl ? { order_ttl: orderTtl } : {},
-    ...extra ?? {}
-  };
-}
 
 // src/_response.ts
 var WALLET_NOT_TRUSTED_INSTRUCTIONS = JSON.stringify({
@@ -371,7 +291,7 @@ function createAgentScoreCore(options) {
   } = options;
   const baseUrl = stripTrailingSlashes(rawBaseUrl);
   const agentMemoryHint = buildAgentMemoryHint();
-  const defaultUa = `@agent-score/commerce@${"2.0.1"}`;
+  const defaultUa = `@agent-score/commerce@${"2.1.0"}`;
   const userAgentHeader = userAgent ? `${userAgent} (${defaultUa})` : defaultUa;
   const sdk = new import_sdk.AgentScore({ apiKey, baseUrl, userAgent: userAgentHeader });
   const sessionSdkCache = /* @__PURE__ */ new Map();
@@ -663,6 +583,30 @@ function createAgentScoreCore(options) {
   return { evaluate, captureWallet, getSignerVerdict };
 }
 
+// src/payment/payment_header.ts
+function toTitleCase(name) {
+  return name.replace(/(^|-)([a-z])/g, (_m, sep, c) => sep + c.toUpperCase());
+}
+function readHeader(headers, name) {
+  if (typeof headers.get === "function") {
+    return headers.get(name);
+  }
+  const rec = headers;
+  const v = rec[name] ?? rec[name.toLowerCase()] ?? rec[toTitleCase(name)];
+  if (typeof v === "string") return v;
+  if (Array.isArray(v) && typeof v[0] === "string") return v[0];
+  return null;
+}
+function asHeaders(input) {
+  return typeof input.headers === "object" && input instanceof Request ? input.headers : input;
+}
+function hasPaymentHeader(input) {
+  const headers = asHeaders(input);
+  return Boolean(
+    readHeader(headers, "payment-signature") || readHeader(headers, "x-payment") || readHeader(headers, "authorization")?.startsWith("Payment ")
+  );
+}
+
 // src/signer.ts
 var TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";
 var TOKEN_2022_PROGRAM = "TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb";
@@ -797,17 +741,25 @@ function withAgentScoreGate(options, handler) {
     );
   };
 }
+function createConditionalAgentScoreGate(options) {
+  const guard = createAgentScoreGate(options);
+  return async (req) => {
+    if (!hasPaymentHeader(req)) return { allowed: true };
+    return guard(req);
+  };
+}
+function withConditionalAgentScoreGate(options, handler) {
+  const wrapped = withAgentScoreGate(options, handler);
+  return async (req, ctx) => {
+    if (!hasPaymentHeader(req)) return handler(req, {}, ctx);
+    return wrapped(req, ctx);
+  };
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  FIXABLE_DENIAL_REASONS,
-  buildContactSupportNextSteps,
-  buildSignerMismatchBody,
   createAgentScoreGate,
-  denialReasonStatus,
-  denialReasonToBody,
-  isFixableDenial,
-  readX402PaymentHeader,
-  verificationAgentInstructions,
-  withAgentScoreGate
+  createConditionalAgentScoreGate,
+  withAgentScoreGate,
+  withConditionalAgentScoreGate
 });
 //# sourceMappingURL=web.js.map