@agent-score/commerce 2.0.2 → 2.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (116) hide show
  1. package/README.md +26 -11
  2. package/dist/_core-kI7FRAiZ.d.mts +10 -0
  3. package/dist/_core-kI7FRAiZ.d.ts +10 -0
  4. package/dist/challenge/index.d.mts +3 -3
  5. package/dist/challenge/index.d.ts +3 -3
  6. package/dist/challenge/index.js +21 -14
  7. package/dist/challenge/index.js.map +1 -1
  8. package/dist/challenge/index.mjs +21 -14
  9. package/dist/challenge/index.mjs.map +1 -1
  10. package/dist/{checkout-jNUIql6D.d.mts → checkout-BRw_caGr.d.mts} +13 -33
  11. package/dist/{checkout-DhSj_h94.d.ts → checkout-CuSNUJFX.d.ts} +13 -33
  12. package/dist/core.js +1 -1
  13. package/dist/core.js.map +1 -1
  14. package/dist/core.mjs +1 -1
  15. package/dist/core.mjs.map +1 -1
  16. package/dist/default_rails-C5gKZJMI.d.ts +198 -0
  17. package/dist/default_rails-XFCuRddA.d.mts +198 -0
  18. package/dist/discovery/index.d.mts +5 -5
  19. package/dist/discovery/index.d.ts +5 -5
  20. package/dist/discovery/index.js +14 -1
  21. package/dist/discovery/index.js.map +1 -1
  22. package/dist/discovery/index.mjs +14 -1
  23. package/dist/discovery/index.mjs.map +1 -1
  24. package/dist/identity/express.d.mts +7 -3
  25. package/dist/identity/express.d.ts +7 -3
  26. package/dist/identity/express.js +39 -96
  27. package/dist/identity/express.js.map +1 -1
  28. package/dist/identity/express.mjs +37 -87
  29. package/dist/identity/express.mjs.map +1 -1
  30. package/dist/identity/fastify.d.mts +4 -4
  31. package/dist/identity/fastify.d.ts +4 -4
  32. package/dist/identity/fastify.js +60 -96
  33. package/dist/identity/fastify.js.map +1 -1
  34. package/dist/identity/fastify.mjs +58 -87
  35. package/dist/identity/fastify.mjs.map +1 -1
  36. package/dist/identity/hono.d.mts +11 -3
  37. package/dist/identity/hono.d.ts +11 -3
  38. package/dist/identity/hono.js +39 -93
  39. package/dist/identity/hono.js.map +1 -1
  40. package/dist/identity/hono.mjs +37 -84
  41. package/dist/identity/hono.mjs.map +1 -1
  42. package/dist/identity/nextjs.d.mts +10 -3
  43. package/dist/identity/nextjs.d.ts +10 -3
  44. package/dist/identity/nextjs.js +49 -93
  45. package/dist/identity/nextjs.js.map +1 -1
  46. package/dist/identity/nextjs.mjs +46 -84
  47. package/dist/identity/nextjs.mjs.map +1 -1
  48. package/dist/identity/policy.js +22 -23317
  49. package/dist/identity/policy.js.map +1 -1
  50. package/dist/identity/policy.mjs +1 -23320
  51. package/dist/identity/policy.mjs.map +1 -1
  52. package/dist/identity/web.d.mts +9 -3
  53. package/dist/identity/web.d.ts +9 -3
  54. package/dist/identity/web.js +45 -93
  55. package/dist/identity/web.js.map +1 -1
  56. package/dist/identity/web.mjs +42 -84
  57. package/dist/identity/web.mjs.map +1 -1
  58. package/dist/index.d.mts +621 -90
  59. package/dist/index.d.ts +621 -90
  60. package/dist/index.js +1202 -328
  61. package/dist/index.js.map +1 -1
  62. package/dist/index.mjs +1188 -327
  63. package/dist/index.mjs.map +1 -1
  64. package/dist/middleware/express.d.mts +10 -0
  65. package/dist/middleware/express.d.ts +10 -0
  66. package/dist/middleware/express.js +128 -0
  67. package/dist/middleware/express.js.map +1 -0
  68. package/dist/middleware/express.mjs +91 -0
  69. package/dist/middleware/express.mjs.map +1 -0
  70. package/dist/middleware/fastify.d.mts +10 -0
  71. package/dist/middleware/fastify.d.ts +10 -0
  72. package/dist/middleware/fastify.js +127 -0
  73. package/dist/middleware/fastify.js.map +1 -0
  74. package/dist/middleware/fastify.mjs +90 -0
  75. package/dist/middleware/fastify.mjs.map +1 -0
  76. package/dist/middleware/hono.d.mts +10 -0
  77. package/dist/middleware/hono.d.ts +10 -0
  78. package/dist/middleware/hono.js +122 -0
  79. package/dist/middleware/hono.js.map +1 -0
  80. package/dist/middleware/hono.mjs +85 -0
  81. package/dist/middleware/hono.mjs.map +1 -0
  82. package/dist/middleware/nextjs.d.mts +22 -0
  83. package/dist/middleware/nextjs.d.ts +22 -0
  84. package/dist/middleware/nextjs.js +143 -0
  85. package/dist/middleware/nextjs.js.map +1 -0
  86. package/dist/middleware/nextjs.mjs +105 -0
  87. package/dist/middleware/nextjs.mjs.map +1 -0
  88. package/dist/middleware/web.d.mts +25 -0
  89. package/dist/middleware/web.d.ts +25 -0
  90. package/dist/middleware/web.js +128 -0
  91. package/dist/middleware/web.js.map +1 -0
  92. package/dist/middleware/web.mjs +91 -0
  93. package/dist/middleware/web.mjs.map +1 -0
  94. package/dist/payment/index.d.mts +32 -21
  95. package/dist/payment/index.d.ts +32 -21
  96. package/dist/payment/index.js +215 -12
  97. package/dist/payment/index.js.map +1 -1
  98. package/dist/payment/index.mjs +205 -12
  99. package/dist/payment/index.mjs.map +1 -1
  100. package/dist/{pricing-CxzwyiO6.d.mts → pricing-4n5Ota0D.d.mts} +14 -4
  101. package/dist/{pricing-CQ9DIFaw.d.ts → pricing-DHfH3ogG.d.ts} +14 -4
  102. package/dist/{rail_spec-XP0wKgJV.d.mts → rail_spec-D6qzh3J0.d.mts} +1 -1
  103. package/dist/{rail_spec-XP0wKgJV.d.ts → rail_spec-D6qzh3J0.d.ts} +1 -1
  104. package/dist/stripe-multichain/index.d.mts +150 -47
  105. package/dist/stripe-multichain/index.d.ts +150 -47
  106. package/dist/stripe-multichain/index.js +19799 -43
  107. package/dist/stripe-multichain/index.js.map +1 -1
  108. package/dist/stripe-multichain/index.mjs +19808 -28
  109. package/dist/stripe-multichain/index.mjs.map +1 -1
  110. package/dist/{x402_server-hgQzWQwB.d.mts → x402_server-Ciz2mls2.d.mts} +1 -1
  111. package/dist/{x402_server-hgQzWQwB.d.ts → x402_server-Ciz2mls2.d.ts} +1 -1
  112. package/package.json +43 -5
  113. package/dist/_response-BFYN3b6i.d.mts +0 -142
  114. package/dist/_response-_iPD5AIj.d.ts +0 -142
  115. package/dist/solana-Cds87OTu.d.mts +0 -67
  116. package/dist/solana-Cds87OTu.d.ts +0 -67
package/dist/identity/nextjs.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/_denial.ts","../../src/_response.ts","../../src/core.ts","../../src/address.ts","../../src/cache.ts","../../src/signer.ts","../../src/identity/web.ts","../../src/identity/nextjs.ts"],"sourcesContent":["/**\n * Universal denial helpers shared across every adapter.\n *\n * What lives here:\n * - `FIXABLE_DENIAL_REASONS` / `isFixableDenial` — classifier for compliance reasons that can\n * be resolved by re-completing KYC (vs sanctions / age failures which are permanent).\n * - `denialReasonStatus` — picks the right HTTP status code per denial code (401 for credential\n * problems, 503 for transient API errors, 403 for everything else).\n * - `buildSignerMismatchBody` — produces the standard 403 body for a non-pass signer_match\n * verdict (read via `getSignerVerdict`).\n * - `buildContactSupportNextSteps` — standard `next_steps.action: \"contact_support\"` shape for\n * unfixable compliance denials.\n * - `verificationAgentInstructions` — the canned `agent_instructions` block for\n * identity-verification 403s. Vendors can override individual fields.\n *\n * Adapters use `denialReasonStatus` inside their default `onDenied` so vendors get the right\n * status code for free. The body builders are exported from each adapter so vendors who write\n * a custom `onDenied` can compose them without copy-paste.\n */\n\nimport type { DenialReason, VerifyWalletSignerResult } from './core';\n\n/**\n * Compliance denial reasons that can be resolved by re-completing KYC. The API emits these\n * when KYC is missing/pending/failed; the user can re-verify and retry.\n *\n * `jurisdiction_restricted` is NOT in this set — the API only emits it AFTER KYC is verified,\n * meaning the user's KYC'd country is in the merchant's blocked list (or absent from the\n * allowed list). Re-doing KYC won't change the country, so it's permanent. Same shape as\n * `sanctions_flagged` and `age_insufficient` — surface contact_support, don't waste a\n * /v1/sessions mint.\n */\nexport const FIXABLE_DENIAL_REASONS: ReadonlySet<string> = new Set([\n 'kyc_required',\n 'kyc_pending',\n 'kyc_failed',\n]);\n\n/**\n * Returns true when a `wallet_not_trusted` denial's reasons are all fixable via KYC\n * re-verification. False when any reason is permanent (sanctions, age, jurisdiction_restricted).\n *\n * Empty reasons returns false — without a known reason we can't promise a fix, so default to\n * the bare denial path (vendors can override via custom onDenied if they want different\n * behavior on empty reasons).\n */\nexport function isFixableDenial(reasons: readonly string[] | undefined): boolean {\n if (!reasons || reasons.length === 0) return false;\n return reasons.every((r) => FIXABLE_DENIAL_REASONS.has(r));\n}\n\n/**\n * The right HTTP status code for a denial. `defaultOnDenied` in every adapter uses this so\n * vendors get correct status codes without writing per-code branches.\n *\n * - 401 for credential problems the agent can recover from (`token_expired`, `invalid_credential`)\n * - 503 for transient `api_error`\n * - 403 for everything else (identity required, compliance fail, signer mismatch, etc.)\n */\nexport function denialReasonStatus(reason: DenialReason): 401 | 403 | 503 {\n if (reason.code === 'token_expired' || reason.code === 'invalid_credential') return 401;\n if (reason.code === 'api_error') return 503;\n return 403;\n}\n\n/**\n * Standard 403 body for a non-pass signer-match verdict. Returns null for `pass` so vendors\n * can call it unconditionally:\n *\n * const verdict = getSignerVerdict(c);\n * if (verdict?.signer_match) {\n * const mismatchBody = buildSignerMismatchBody({ result: verdict.signer_match });\n * if (mismatchBody) return c.json(mismatchBody, 403);\n * }\n *\n * Body shape mirrors the gate's denial bodies: top-level error.code, all signer-match fields\n * (`claimed_operator`, `actual_signer_operator`, `expected_signer`, `actual_signer`,\n * `linked_wallets`), plus a `next_steps` action describing the recovery path.\n */\nexport function buildSignerMismatchBody({\n result,\n userMessage,\n learnMoreUrl,\n}: {\n /** Projected signer_match verdict (from `getSignerVerdict(ctx).signer_match`). Only non-pass\n * kinds produce a body. */\n result: VerifyWalletSignerResult;\n /** Optional override for the human-facing `next_steps.user_message`. */\n userMessage?: string;\n /** Optional override for `next_steps.learn_more_url`. Default: AgentScore agent-identity guide. */\n learnMoreUrl?: string;\n}): Record<string, unknown> | null {\n if (result.kind === 'pass') return null;\n\n const learnMoreUrlResolved = learnMoreUrl ?? 'https://docs.agentscore.sh/guides/agent-identity';\n\n if (result.kind === 'wallet_signer_mismatch') {\n const linkedWallets = result.linkedWallets ?? [];\n const userMessageResolved = userMessage ?? (linkedWallets.length > 0\n ? `Sign the payment with one of the wallets linked to this operator: ${linkedWallets.join(', ')}. Then retry.`\n : 'Sign the payment with the same wallet you claimed via X-Wallet-Address, or switch to X-Operator-Token for rail-independent identity.');\n return {\n error: {\n code: 'wallet_signer_mismatch',\n message:\n 'Payment signer does not match the wallet claimed via X-Wallet-Address. The signer and the claimed wallet must both resolve to the same AgentScore operator.',\n },\n claimed_operator: result.claimedOperator,\n actual_signer_operator: result.actualSignerOperator ?? null,\n expected_signer: result.expectedSigner,\n actual_signer: result.actualSigner,\n linked_wallets: linkedWallets,\n next_steps: {\n action: 'regenerate_payment_from_linked_wallet',\n user_message: userMessageResolved,\n learn_more_url: learnMoreUrlResolved,\n },\n };\n }\n\n // wallet_auth_requires_wallet_signing\n return {\n error: {\n code: 'wallet_auth_requires_wallet_signing',\n message:\n 'Wallet-auth requires a payment rail that carries a wallet signature (Tempo MPP, x402). Stripe SPT and card rails have no wallet signer; switch to X-Operator-Token to use those.',\n },\n next_steps: {\n action: 'switch_to_operator_token',\n user_message:\n userMessage ??\n 'Drop the X-Wallet-Address header and retry with X-Operator-Token (works on every payment rail).',\n learn_more_url: learnMoreUrlResolved,\n },\n };\n}\n\n/**\n * Standard `next_steps` block for unfixable compliance denials (sanctions, age, etc.). Vendors\n * spread this into a 403 body alongside the usual `error`/`reasons` fields.\n *\n * return c.json({\n * error: { code: 'compliance_denied', message: '...' },\n * reasons,\n * next_steps: buildContactSupportNextSteps('support@example.com'),\n * }, 403);\n */\nexport function buildContactSupportNextSteps(\n supportEmail: string,\n message?: string,\n): { action: 'contact_support'; support_email: string; user_message: string } {\n return {\n action: 'contact_support',\n support_email: supportEmail,\n user_message:\n message ??\n `If you believe this denial is in error, contact support at ${supportEmail} with the details of your request.`,\n };\n}\n\n/**\n * The canonical `agent_instructions` block for identity-verification 403s. Tells the agent how to\n * present the verify_url, poll for the operator_token, and retry the original request. Universal\n * across every AgentScore-gated merchant — overrides let vendors add merchant-specific steps\n * (e.g. \"include order_id when retrying\").\n */\nexport function verificationAgentInstructions({\n userAction,\n retryStep,\n extraSteps,\n pollIntervalSeconds = 5,\n timeoutSeconds = 3600,\n orderTtl,\n extra,\n}: {\n /** Override the user-facing message. */\n userAction?: string;\n /** Replace the generic \"Retry the original merchant request...\" step with a merchant-specific\n * one (e.g. \"Retry POST /purchase with X-Operator-Token AND include order_id...\"). When set,\n * this REPLACES baseSteps[4] rather than appending — use it instead of `extraSteps[0]` when\n * your retry instruction is a refinement of the canonical retry, not an additional step. */\n retryStep?: string;\n /** Append additional steps after the retry step. Use this for genuinely additional steps\n * (e.g. \"After payment the same call returns 200 with the order\"), not for re-stating the\n * retry — use `retryStep` for that. */\n extraSteps?: string[];\n /** Override the poll cadence. Default 5 seconds. */\n pollIntervalSeconds?: number;\n /** Override how long the agent should keep polling. Default 3600 seconds (1 hour). */\n timeoutSeconds?: number;\n /** Optional `order_ttl` note describing how long pending orders survive. */\n orderTtl?: string;\n /** Arbitrary additional fields merged into the instructions object. */\n extra?: Record<string, unknown>;\n} = {}): {\n action: 'poll_for_credential';\n user_action: string;\n steps: string[];\n poll_interval_seconds: number;\n poll_secret_header: 'X-Poll-Secret';\n retry_token_header: 'X-Operator-Token';\n timeout_seconds: number;\n order_ttl?: string;\n [key: string]: unknown;\n} {\n const baseSteps = [\n 'Present the verify_url directly to the user — it is a complete, ready-to-open URL with the session token already embedded (e.g. https://agentscore.sh/verify?session=sess_...). Do NOT modify or construct the URL yourself.',\n `Immediately begin polling poll_url every ${pollIntervalSeconds} seconds with header X-Poll-Secret set to poll_secret. The user will complete verification in their browser while you poll in the background.`,\n 'The user visits the URL, signs in, completes identity verification (photo ID + selfie via Stripe Identity), and closes the tab. They do NOT need to copy or paste anything back to you.',\n 'When your poll returns status \"verified\", extract operator_token from the response. This is a one-time value — save it immediately. Subsequent polls return status \"consumed\" without the token.',\n retryStep ?? 'Retry the original merchant request with header X-Operator-Token set to the operator_token value.',\n ];\n\n return {\n action: 'poll_for_credential',\n user_action:\n userAction ??\n 'The user must visit verify_url to complete identity verification before this request can proceed',\n steps: extraSteps ? [...baseSteps, ...extraSteps] : baseSteps,\n poll_interval_seconds: pollIntervalSeconds,\n poll_secret_header: 'X-Poll-Secret',\n retry_token_header: 'X-Operator-Token',\n timeout_seconds: timeoutSeconds,\n ...(orderTtl ? { order_ttl: orderTtl } : {}),\n ...(extra ?? {}),\n };\n}\n","/**\n * Shared DenialReason → response body serialization for all adapters.\n *\n * Keeps Hono / Express / Fastify / Web / Next.js defaults aligned — a field added\n * here shows up in every adapter's 403 body automatically, and there's one place\n * to test the marshaling.\n *\n * Body shape: `{ error: { code, message }, ... }` — matches the canonical AgentScore\n * error envelope so downstream agents see one consistent `error.code` +\n * `error.message` pair regardless of which layer produced the denial.\n */\n\nimport type { DenialCode, DenialReason } from './core.js';\n\n/**\n * JSON-encoded canonical agent_instructions per denial code. Auto-injected by\n * `denialReasonToBody` when the gate produces a DenialReason without explicit\n * `agent_instructions` so every denial carries a machine-readable next step.\n *\n * Codes covered:\n * - `wallet_not_trusted` — gate never stamps instructions today (the original gap)\n * - `payment_required` — gate never stamps; merchant tier misconfig, contact-merchant action\n * - `identity_verification_required` — fallback when API didn't return next_steps\n * - `token_expired` — fallback when API didn't return next_steps\n * - `api_error` — `retry_with_backoff` envelope; sole retry channel (no separate\n * next_steps block emitted)\n *\n * Codes already stamped explicitly upstream in core.ts (`missing_identity`,\n * `invalid_credential`) and codes that don't go through DenialReason\n * (`wallet_signer_mismatch`, `wallet_auth_requires_wallet_signing` — handled by\n * `getSignerVerdict` + `buildSignerMismatchBody`) are not in this map.\n */\nconst WALLET_NOT_TRUSTED_INSTRUCTIONS = JSON.stringify({\n action: 'contact_support',\n steps: [\n 'The wallet\\'s operator failed an UNFIXABLE compliance check (sanctions, age, or jurisdiction). `reasons` lists which: `sanctions_flagged` / `age_insufficient` / `jurisdiction_restricted`. KYC re-verification won\\'t change the outcome — the policy denial is structural.',\n 'Surface the denial to the user with the merchant\\'s support contact. Do not retry the same merchant request; do not hand the user a verify_url (verification won\\'t fix this code path).',\n 'Fixable compliance reasons (`kyc_required`, `kyc_pending`, `kyc_failed`) do NOT land on this code — the gate auto-mints a verification session for those and returns `identity_verification_required` with poll endpoints, same shape as `missing_identity`. `jurisdiction_restricted` IS in the unfixable bucket because the API only emits it after KYC is verified (the user\\'s KYC\\'d country is in the blocked list — re-doing KYC won\\'t change the country).',\n ],\n user_message:\n 'This purchase is denied by the merchant\\'s compliance policy and cannot be resolved by re-verifying. Contact the merchant\\'s support if you believe this is in error.',\n});\n\nconst PAYMENT_REQUIRED_INSTRUCTIONS = JSON.stringify({\n action: 'contact_merchant',\n steps: [\n 'The merchant\\'s AgentScore account does not have the assess endpoint enabled, so agent identity cannot be evaluated. This is a merchant-side configuration gap — there is no agent-side recovery.',\n 'Contact the merchant (their support channel — typically listed in /llms.txt or the OpenAPI servers metadata) so they can resolve the configuration on their side.',\n ],\n user_message:\n 'This merchant\\'s identity gate is misconfigured. Contact the merchant — there\\'s nothing to fix on the agent side.',\n});\n\nconst IDENTITY_VERIFICATION_REQUIRED_FALLBACK_INSTRUCTIONS = JSON.stringify({\n action: 'deliver_verify_url_and_poll',\n steps: [\n 'Share verify_url with the user — they complete identity verification on AgentScore.',\n 'If session_id + poll_secret are present in the body, poll poll_url every 5 seconds with header `X-Poll-Secret: <poll_secret>` until status=verified. The poll returns a one-time operator_token.',\n 'Retry the original request with header `X-Operator-Token: <opc_...>`.',\n ],\n user_message:\n 'Identity verification is required. Visit verify_url, then poll poll_url for the operator token and retry.',\n});\n\nconst API_ERROR_INSTRUCTIONS = JSON.stringify({\n action: 'retry_with_backoff',\n steps: [\n 'Verification is temporarily unavailable. Retry the request after 5–30 seconds with exponential backoff.',\n 'This is NOT a compliance denial — the user does not need to re-verify their identity. Send the same identity headers (X-Wallet-Address or X-Operator-Token) on retry.',\n 'If the request continues to fail after 3+ retries (~60 seconds total), surface the error to the user with the merchant\\'s support contact.',\n ],\n user_message:\n 'Verification is temporarily unavailable. Please try again in a moment — this is a transient issue, not a problem with your account.',\n});\n\nexport const QUOTA_EXCEEDED_INSTRUCTIONS = JSON.stringify({\n action: 'contact_merchant',\n steps: [\n 'AgentScore identity verification is unavailable for this merchant. This is a merchant-side issue and is NOT recoverable via retry.',\n 'Do not retry: the same 503 will be returned until the merchant resolves the issue on their side.',\n 'Surface to the user with the merchant\\'s support contact. The merchant (not the agent) needs to act.',\n ],\n user_message:\n 'This merchant\\'s identity verification is temporarily unavailable. Try again later, or contact the merchant directly.',\n});\n\nconst TOKEN_EXPIRED_FALLBACK_INSTRUCTIONS = JSON.stringify({\n action: 'deliver_verify_url_and_poll',\n steps: [\n 'The operator token is expired or revoked. AgentScore auto-mints a fresh verification session — complete it to receive a new opc_...',\n 'Share verify_url with the user, then poll poll_url every 5 seconds with header `X-Poll-Secret: <poll_secret>` until status=verified. The poll returns a fresh one-time operator_token.',\n 'Retry the original request with header `X-Operator-Token: <new_opc_...>`.',\n ],\n user_message:\n 'Operator token is expired or revoked. A new verification session has been minted — visit verify_url to refresh.',\n});\n\nconst DEFAULT_AGENT_INSTRUCTIONS: Partial<Record<DenialCode, string>> = {\n api_error: API_ERROR_INSTRUCTIONS,\n wallet_not_trusted: WALLET_NOT_TRUSTED_INSTRUCTIONS,\n payment_required: PAYMENT_REQUIRED_INSTRUCTIONS,\n identity_verification_required: IDENTITY_VERIFICATION_REQUIRED_FALLBACK_INSTRUCTIONS,\n token_expired: TOKEN_EXPIRED_FALLBACK_INSTRUCTIONS,\n};\n\nconst DEFAULT_MESSAGES: Record<DenialCode, string> = {\n missing_identity:\n 'No identity provided. Send X-Wallet-Address (wallet) or X-Operator-Token (credential).',\n identity_verification_required:\n 'Identity verification is required to access this resource. Visit verify_url to complete KYC.',\n wallet_not_trusted:\n 'The wallet does not meet the merchant compliance policy.',\n api_error:\n 'AgentScore is unreachable. This is transient — retry in a few seconds.',\n payment_required:\n 'Assess endpoint not enabled for this merchant. Contact support.',\n wallet_signer_mismatch:\n 'Payment signer does not match the wallet claimed via X-Wallet-Address. The signer and the claimed wallet must both resolve to the same AgentScore operator.',\n wallet_auth_requires_wallet_signing:\n 'X-Wallet-Address was sent with a rail that has no wallet signature (Stripe SPT / card). Switch to X-Operator-Token, or use a wallet-signing rail (Tempo MPP, x402).',\n token_expired:\n 'The operator token is expired or revoked. A fresh verification session has been minted — visit verify_url to mint a new token.',\n invalid_credential:\n 'The operator token is not recognized. Switch to a different stored token, or drop the header to bootstrap a fresh session.',\n};\n\n// Field names the gate claims authority over. Merchant-provided `extra` (from the\n// onBeforeSession hook) MUST NOT override these — a buggy or malicious hook could\n// otherwise replace `verify_url` with a phishing URL or drop agent_instructions.\nconst RESERVED_FIELDS = new Set([\n 'error',\n 'decision',\n 'reasons',\n 'verify_url',\n 'session_id',\n 'poll_secret',\n 'poll_url',\n 'agent_instructions',\n 'agent_memory',\n 'claimed_operator',\n 'actual_signer_operator',\n 'expected_signer',\n 'actual_signer',\n 'linked_wallets',\n]);\n\nexport function denialReasonToBody(reason: DenialReason): Record<string, unknown> {\n const message = reason.message ?? DEFAULT_MESSAGES[reason.code];\n const body: Record<string, unknown> = { error: { code: reason.code, message } };\n if (reason.decision) body.decision = reason.decision;\n if (reason.reasons) body.reasons = reason.reasons;\n if (reason.verify_url) body.verify_url = reason.verify_url;\n if (reason.session_id) body.session_id = reason.session_id;\n if (reason.poll_secret) body.poll_secret = reason.poll_secret;\n if (reason.poll_url) body.poll_url = reason.poll_url;\n const instructions = reason.agent_instructions ?? DEFAULT_AGENT_INSTRUCTIONS[reason.code];\n if (instructions) body.agent_instructions = instructions;\n if (reason.agent_memory) body.agent_memory = reason.agent_memory;\n if (reason.claimed_operator) body.claimed_operator = reason.claimed_operator;\n if (reason.code === 'wallet_signer_mismatch') body.actual_signer_operator = reason.actual_signer_operator ?? null;\n if (reason.expected_signer) body.expected_signer = reason.expected_signer;\n if (reason.actual_signer) body.actual_signer = reason.actual_signer;\n if (reason.linked_wallets && reason.linked_wallets.length > 0) body.linked_wallets = reason.linked_wallets;\n if (reason.extra) {\n for (const [key, value] of Object.entries(reason.extra)) {\n if (RESERVED_FIELDS.has(key)) {\n console.warn(`[gate] onBeforeSession returned reserved field \"${key}\" — ignoring to preserve gate authority`);\n continue;\n }\n body[key] = value;\n }\n }\n return body;\n}\n","import {\n AgentScore,\n InvalidCredentialError,\n PaymentRequiredError,\n QuotaExceededError,\n TimeoutError as SdkTimeoutError,\n TokenExpiredError,\n} from '@agent-score/sdk';\nimport { isFixableDenial } from './_denial';\nimport { QUOTA_EXCEEDED_INSTRUCTIONS } from './_response';\nimport { normalizeAddress } from './address';\nimport { TTLCache } from './cache';\nimport type { PaymentSigner } from './signer';\n\n// Character-based trim avoids a CodeQL polynomial-redos false positive on\n// `/\\/+$/` patterns that report library-input strings.\nfunction stripTrailingSlashes(s: string): string {\n let end = s.length;\n while (end > 0 && s.charCodeAt(end - 1) === 47 /* '/' */) end--;\n return end === s.length ? s : s.slice(0, end);\n}\n\ndeclare const __VERSION__: string;\n\n// ---------------------------------------------------------------------------\n// Public types (framework-agnostic)\n// ---------------------------------------------------------------------------\n\nexport interface AgentIdentity {\n address?: string;\n operatorToken?: string;\n}\n\n/**\n * Session metadata returned from `POST /v1/sessions`. Surfaced to the `onBeforeSession`\n * hook so merchants can correlate an AgentScore session with their own resume token\n * (e.g. a pending-order id).\n */\nexport interface SessionMetadata {\n session_id: string;\n verify_url: string;\n poll_secret: string;\n poll_url: string;\n expires_at?: string;\n}\n\n/**\n * Configuration for auto-creating a verification session when no identity is present.\n *\n * The static `context` / `productName` options are sent on every session request. For\n * per-request context (e.g. the specific product the agent was trying to buy), pass\n * a `getSessionOptions` callback that returns dynamic values; its return is merged\n * over the static defaults.\n *\n * `onBeforeSession` is a side-effect hook that runs after the session is minted but\n * before the 403 is built. Use it to pre-create a reservation/draft/pending-order\n * row in your DB so agents can resume via a merchant-specific id. Return value is\n * merged into `DenialReason.extra`, so it surfaces in both the default 403 body and\n * in a custom `onDenied` handler.\n */\nexport interface CreateSessionOnMissing<TCtx = unknown> {\n apiKey: string;\n baseUrl?: string;\n context?: string;\n productName?: string;\n /** Per-request override of `context` / `productName`. Invoked with the framework context. */\n getSessionOptions?: (ctx: TCtx) => Promise<{ context?: string; productName?: string }>\n | { context?: string; productName?: string };\n /** Side-effect hook that runs after the session is minted. Return value is merged\n * into `DenialReason.extra` so custom `onDenied` handlers can include merchant-specific\n * fields (e.g. `order_id`) in the 403 response. Hook errors are logged and swallowed —\n * a failing side effect should not block the 403 from reaching the agent. */\n onBeforeSession?: (ctx: TCtx, session: SessionMetadata) => Promise<Record<string, unknown>>\n | Record<string, unknown>;\n}\n\nexport interface AgentScoreCoreOptions {\n /** AgentScore API key. Required. */\n apiKey: string;\n /** Require KYC verification. */\n requireKyc?: boolean;\n /** Require operator to be clear of sanctions. */\n requireSanctionsClear?: boolean;\n /** Minimum operator age bracket (18 or 21). */\n minAge?: number;\n /** List of blocked jurisdictions (blocklist). */\n blockedJurisdictions?: string[];\n /** List of allowed jurisdictions (allowlist — only these pass). */\n allowedJurisdictions?: string[];\n /** If true, allow the request through when the API is unreachable. Defaults to false. */\n failOpen?: boolean;\n /** How long to cache results, in seconds. Defaults to 300. */\n cacheSeconds?: number;\n /** AgentScore API base URL. Defaults to \"https://api.agentscore.sh\". */\n baseUrl?: string;\n /** Optional chain to filter scoring to. */\n chain?: string;\n /** Prepended to the default User-Agent as `\"{userAgent} (@agent-score/commerce@{version})\"`. Use to attribute API calls to your app. */\n userAgent?: string;\n /** When set and no identity is found, create a verification session instead of denying immediately. */\n createSessionOnMissing?: CreateSessionOnMissing;\n}\n\nexport type DenialCode =\n | 'wallet_not_trusted'\n | 'missing_identity'\n | 'api_error'\n | 'payment_required'\n | 'identity_verification_required'\n // Wallet-signer binding: claimed X-Wallet-Address must resolve to the same operator as\n // the payment signer; wallet-auth is rejected on rails with no wallet signer.\n | 'wallet_signer_mismatch'\n | 'wallet_auth_requires_wallet_signing'\n // Granular credential-state denials passed through from /v1/assess.\n // - `token_expired`: revoked + TTL-expired (the API unifies these). The 401 body carries\n // an auto-minted session, forwarded into DenialReason for one-shot recovery.\n // - `invalid_credential`: the token doesn't exist at all (typo, never minted, fabricated).\n // No auto-session is minted by the API for this case — agents should switch to a\n // different stored token or drop the header to bootstrap a fresh session.\n | 'token_expired'\n | 'invalid_credential';\n\n/**\n * Cross-merchant pattern hint emitted on bootstrap denials and session-create responses.\n * LLM-hosted agents should persist this to long-term memory so future AgentScore encounters skip\n * the cold-start session flow. Contents are the pattern, not secrets.\n */\nexport interface AgentMemoryHint {\n save_for_future_agentscore_gates: true;\n pattern_summary: string;\n quickstart: string;\n identity_check_endpoint: string;\n list_wallets_endpoint?: string;\n identity_paths: { wallet: string; operator_token: string };\n bootstrap: string;\n do_not_persist_in_memory: string[];\n persist_in_credential_store: string[];\n}\n\nexport interface DenialReason {\n code: DenialCode;\n /** Human-readable explanation. When omitted, `denialReasonToBody` substitutes a per-code default. */\n message?: string;\n decision?: string;\n reasons?: string[];\n verify_url?: string;\n session_id?: string;\n poll_secret?: string;\n poll_url?: string;\n agent_instructions?: string;\n /** Cross-merchant memory hint. Emitted on bootstrap denials only by default. */\n agent_memory?: AgentMemoryHint;\n /** Full assess response when the denial came from `/v1/assess`. Lets consumers access fields\n * not promoted to first-class DenialReason properties (e.g., `policy_result`). Undefined for\n * denials that did not originate from an assess call (missing_identity, api_error,\n * payment_required, identity_verification_required). */\n data?: AssessResult;\n /** Extra fields returned from the `createSessionOnMissing.onBeforeSession` hook. Merged\n * into the default 403 body; custom `onDenied` handlers can spread these into their own\n * response shape (e.g. to include a merchant-minted `order_id`). */\n extra?: Record<string, unknown>;\n // ---------------------------------------------------------------------------\n // Wallet-signer-match fields — populated for wallet_signer_mismatch only.\n // ---------------------------------------------------------------------------\n /** Operator id resolved from `X-Wallet-Address`. */\n claimed_operator?: string;\n /** Operator id the actual payment signer resolves to. `null` when the signer wallet isn't\n * linked to any operator (treat as a different identity). */\n actual_signer_operator?: string | null;\n /** The wallet the agent claimed via header. Echoed back for self-correction. */\n expected_signer?: string;\n /** The wallet that actually signed the payment. */\n actual_signer?: string;\n /** Wallets the claimed operator could sign with (if enumerable). Present when non-empty. */\n linked_wallets?: string[];\n}\n\n/** Operator verification details from the assess response. Mirrors python's\n * `OperatorVerification` dataclass. */\nexport interface OperatorVerification {\n level: string;\n operator_type: string | null;\n verified_at: string | null;\n}\n\n/** Account-level KYC facts that apply to every operator under the same account.\n * Populated when the API returns account_verification (post-KYC operator).\n * Mirrors python's account_verification dict shape. */\nexport interface AccountVerification {\n kyc_level?: string;\n sanctions_clear?: boolean;\n age_bracket?: string;\n jurisdiction?: string;\n verified_at?: string | null;\n}\n\n/** A single policy check from the assess response. Mirrors python's `PolicyCheck`. */\nexport interface PolicyCheck {\n rule: string;\n passed: boolean;\n required?: unknown;\n actual?: unknown;\n}\n\n/** Policy evaluation result from the assess response. Mirrors python's `PolicyResult`. */\nexport interface PolicyResult {\n all_passed: boolean;\n checks: PolicyCheck[];\n}\n\nexport interface AssessResult {\n decision: string | null;\n decision_reasons: string[];\n identity_method?: string;\n operator_verification?: OperatorVerification;\n account_verification?: AccountVerification;\n resolved_operator?: string | null;\n /** Wallets linked to the same operator as the resolved identity. Capped at 100 entries\n * by the API. Useful for advertising in 402 challenges so wallet-auth agents know which\n * alt-signers will satisfy `wallet_signer_mismatch`. */\n linked_wallets?: string[];\n verify_url?: string;\n policy_result?: PolicyResult | null;\n}\n\n/**\n * Reason a failOpen allow short-circuited an evaluate call due to AgentScore-side\n * infrastructure issues. Surfaced on `EvaluateOutcome` so merchants can log/alert when\n * their gate is running in degraded mode (compliance not actually enforced this request).\n *\n * - `quota_exceeded` — AgentScore returned 429\n * - `api_error` — AgentScore returned 5xx or non-2xx that isn't 429\n * - `network_timeout` — request to /v1/assess timed out or failed at the network layer\n */\nexport type FailOpenInfraReason = 'quota_exceeded' | 'api_error' | 'network_timeout';\n\n/** Per-account assess quota observability, captured from `X-Quota-*` response headers\n * on the success path. Mirrors the SDK's `QuotaInfo` shape — re-exported from gate state\n * so merchants can monitor approach-to-cap proactively (warn at 80%, alert at 95%). */\nexport interface GateQuotaInfo {\n limit: number | null;\n used: number | null;\n /** ISO-8601 timestamp, or the literal string `\"never\"` for unlimited tiers. */\n reset: string | null;\n}\n\n/**\n * Outcome from `AgentScoreCore.evaluate()`. Adapters map this to framework-specific responses.\n *\n * - `{ kind: 'allow', data }` — the request passed the policy. `data` is present on a normal\n * allow; `undefined` when fail-open short-circuited (identity missing, API unreachable,\n * timeout, or 402 paid-tier required).\n * - When `failOpen: true` and the allow was the result of an AgentScore-side infrastructure\n * failure (429/5xx/timeout), the result also carries `degraded: true` + `infraReason` so\n * merchants can alert/log without parsing console output.\n * - `quota` propagates the SDK's per-request quota observability when the API emits the\n * `X-Quota-*` headers. Optional; absent on Enterprise / unlimited tiers.\n * - `{ kind: 'deny', reason }` — the request was denied. Adapters should render a 403 with the\n * reason, or invoke the caller's custom denial handler.\n */\nexport type EvaluateOutcome =\n | { kind: 'allow'; data?: AssessResult; degraded?: boolean; infraReason?: FailOpenInfraReason; quota?: GateQuotaInfo }\n | { kind: 'deny'; reason: DenialReason };\n\ninterface CaptureWalletOptions {\n /** Operator credential (`opc_...`) that the agent authenticated with. */\n operatorToken: string;\n /** Signer wallet recovered from the payment payload. */\n walletAddress: string;\n /** Key-derivation family — `\"evm\"` for any EVM chain, `\"solana\"` for Solana. */\n network: 'evm' | 'solana';\n /** Optional stable key for the logical payment (e.g., payment intent id, tx hash). When the\n * same key is seen again for the same (credential, wallet, network), the server no-ops —\n * prevents agent retries from inflating transaction_count. */\n idempotencyKey?: string;\n}\n\n/** Combined wallet-signer verdict surfaced by `getSignerVerdict(c)` — both verdicts come\n * through the gate's primary `/v1/assess` call (single round trip). `signer_match` describes\n * the wallet-binding (claimed wallet's operator ≡ signer wallet's operator); `signer_sanctions`\n * describes the OFAC SDN wallet-address check.\n *\n * `signer_match` is projected to the gate's camelCase `VerifyWalletSignerResult` shape so\n * existing `buildSignerMismatchBody(...)` helpers consume it unchanged. `signer_sanctions`\n * passes through in the API's wire shape (already short and stable). Returned `undefined`\n * from `getSignerVerdict` when the gate didn't run with a signer (operator-token-only\n * paths, discovery legs with no payment header). */\nexport interface SignerVerdict {\n signer_match: VerifyWalletSignerResult | null;\n signer_sanctions:\n | { status: 'clear' }\n | { sanctioned: true; ofac_label: string; sdn_uid: string; listed_at: string | null }\n | { status: 'unavailable' }\n | null;\n}\n\nexport type VerifyWalletSignerResult =\n | { kind: 'pass'; claimedOperator: string | null; signerOperator: string | null }\n | {\n kind: 'wallet_signer_mismatch';\n claimedOperator: string | null;\n actualSignerOperator: string | null;\n expectedSigner: string;\n actualSigner: string;\n linkedWallets: string[];\n /** JSON-encoded action copy (action + steps + user_message). Spread into the 403 body\n * verbatim so agents get a concrete recovery path inside the denial response itself. */\n agentInstructions: string;\n }\n | {\n kind: 'wallet_auth_requires_wallet_signing';\n claimedWallet: string;\n agentInstructions: string;\n };\n\nexport interface AgentScoreCore {\n /**\n * Evaluate the request's identity against the configured policy.\n * @param identity - extracted identity (wallet address and/or operator token)\n * @param ctx - optional framework-specific context (Hono c, Express req, etc.) passed\n * through to `createSessionOnMissing` hooks. Opaque to core.\n */\n evaluate(\n identity: AgentIdentity | undefined,\n ctx?: unknown,\n /** Pre-extracted payment signer from the inbound request (the adapter middleware\n * extracts it via `extractPaymentSigner`). When provided, the assess call carries\n * it and the response includes `signer_match` + `signer_sanctions` verdicts in one\n * round trip. */\n signer?: PaymentSigner | null,\n ): Promise<EvaluateOutcome>;\n /** Synchronous read of the cached signer verdicts (signer_match + signer_sanctions)\n * populated when the gate's evaluate call was made with a pre-extracted signer. Returns\n * `undefined` when the gate didn't run, the request was operator-token-authenticated,\n * or no signer was extractable (discovery legs). */\n getSignerVerdict(claimedAddress: string): SignerVerdict | undefined;\n /** Report a wallet seen paying under an operator credential. Fire-and-forget; silently\n * swallows non-fatal errors because capture is informational, not on the critical path. */\n captureWallet(options: CaptureWalletOptions): Promise<void>;\n}\n\n// ---------------------------------------------------------------------------\n// Internal types\n// ---------------------------------------------------------------------------\n\n/** Internal cache entry for the gate's per-`(identity, policy)` assess result memo.\n * Distinct from the public `AssessResult` interface (the typed `/v1/assess` response\n * shape returned to merchants); this carries the cached decision plus the per-signer\n * wallet-match sub-cache. */\ninterface CachedAssessResult {\n allow: boolean;\n decision?: string;\n reasons?: string[];\n raw?: unknown;\n}\n\n/**\n * Build the cross-merchant memory hint emitted on bootstrap denials. Base URLs are\n * derived from the gate's AgentScore API base so self-hosted / staging deployments get\n * correct pointers. Contents describe the AgentScore identity substrate in transferable\n * terms; merchant-specific context lives in other `agent_instructions` fields.\n */\n// Canonical production AgentScore API — used as the authoritative source for endpoint pointers\n// emitted to agent memory regardless of how a given merchant configured their gate's baseUrl.\nconst CANONICAL_AGENTSCORE_API = 'https://api.agentscore.sh';\n\n// JSON-encoded action copy emitted on wallet-signer-match denials. Spread into 403 bodies\n// by merchants so agents get a concrete recovery path inside the denial response itself —\n// no discovery-doc round trip required.\nconst WALLET_SIGNER_MISMATCH_INSTRUCTIONS = JSON.stringify({\n action: 'resign_or_switch_to_operator_token',\n steps: [\n 'Preferred: re-submit the payment signed by expected_signer (or any entry in linked_wallets — same-operator wallets are fungible) and retry with the same X-Wallet-Address.',\n 'Alternative: drop X-Wallet-Address and retry with X-Operator-Token. Use a stored opc_... if you have one; otherwise retry this request with NO identity header — the merchant will mint a verification session in the 403 body (verify_url + poll_secret). Share verify_url with the user, poll, receive a fresh opc_...',\n ],\n user_message:\n 'The payment signer resolves to a different operator than X-Wallet-Address. Re-sign from expected_signer or any linked_wallets entry, or switch to X-Operator-Token.',\n});\n\nconst WALLET_AUTH_REQUIRES_WALLET_SIGNING_INSTRUCTIONS = JSON.stringify({\n action: 'switch_to_operator_token',\n steps: [\n 'This payment rail (Stripe SPT, card) carries no wallet signature — X-Wallet-Address cannot be verified against the payment.',\n 'Drop X-Wallet-Address and retry with X-Operator-Token. If you do not have a stored opc_..., retry with no identity header to receive a verification session.',\n ],\n user_message:\n 'Wallet-address identity is only supported on wallet-signing rails (Tempo MPP, x402). On Stripe or card, use X-Operator-Token instead.',\n});\n\n// `invalid_credential` is permanent — the token doesn't exist (typo, never minted, fabricated).\n// Distinct from `token_expired` (which carries an auto-session for one-shot recovery): the\n// API doesn't auto-mint a session here because the client may simply have a different valid\n// token to try. Agents should switch tokens or drop the header to bootstrap a session.\nconst INVALID_CREDENTIAL_INSTRUCTIONS = JSON.stringify({\n action: 'switch_token_or_restart_session',\n steps: [\n 'The X-Operator-Token you sent does not match any credential. This is a permanent state — retrying with the same token will keep failing.',\n 'If you have other stored opc_... credentials, retry with one of them.',\n 'Otherwise drop X-Operator-Token and retry with no identity header — the merchant will mint a fresh verification session in the 403 body (verify_url + poll_secret) so the user can re-verify and you can poll for a new operator_token.',\n ],\n user_message:\n 'The operator_token is not recognized. Use a different stored token, or restart the verification session flow to mint a new one.',\n});\n\nexport function buildAgentMemoryHint(): AgentMemoryHint {\n // Memory pointers always point at the canonical production API — merchants must not be\n // able to redirect the cross-merchant memory surface, since that would be a phishing\n // vector for the verify URL.\n const api = CANONICAL_AGENTSCORE_API;\n return {\n save_for_future_agentscore_gates: true,\n pattern_summary:\n 'AgentScore is a cross-merchant identity substrate for agent commerce. Any endpoint that ' +\n 'returns 403 missing_identity / identity_verification_required or 402 challenges referencing AgentScore uses ' +\n 'the same identity system. One KYC works across all AgentScore merchants — no re-verification ' +\n 'per site. Save this pattern (and the endpoints below) to persistent memory so future ' +\n 'AgentScore encounters skip the cold-start session flow.',\n quickstart: 'https://docs.agentscore.sh/guides/agent-identity',\n identity_check_endpoint: `${api}/v1/credentials`,\n identity_paths: {\n wallet:\n 'If paying from a crypto wallet you have used before on any AgentScore merchant, send ' +\n '`X-Wallet-Address: 0x...`. Shortest path; no token lifecycle to manage.',\n operator_token:\n 'For any rail (Stripe SPT, card, or a wallet you have not linked yet), send ' +\n '`X-Operator-Token: opc_...`. Reusable across merchants until the token expires.',\n },\n bootstrap:\n 'If you have neither a linked wallet nor a valid operator_token, follow the session/verify ' +\n 'flow in the per-request `agent_instructions` block. This happens at most once per agent ' +\n 'identity — after first verification, the operator_token and any subsequently used wallet ' +\n 'are reusable everywhere.',\n do_not_persist_in_memory: ['operator_token', 'poll_secret'],\n persist_in_credential_store: ['operator_token'],\n };\n}\n\n// ---------------------------------------------------------------------------\n// Core factory\n// ---------------------------------------------------------------------------\n\nexport function createAgentScoreCore(options: AgentScoreCoreOptions): AgentScoreCore {\n if (!options.apiKey) {\n throw new Error('AgentScore API key is required. Get one at https://agentscore.sh/sign-up');\n }\n\n const {\n apiKey,\n requireKyc,\n requireSanctionsClear,\n minAge,\n blockedJurisdictions,\n allowedJurisdictions,\n failOpen = false,\n cacheSeconds = 300,\n baseUrl: rawBaseUrl = 'https://api.agentscore.sh',\n chain: gateChain,\n userAgent,\n createSessionOnMissing,\n } = options;\n\n const baseUrl = stripTrailingSlashes(rawBaseUrl);\n const agentMemoryHint = buildAgentMemoryHint();\n\n const defaultUa = `@agent-score/commerce@${__VERSION__}`;\n const userAgentHeader = userAgent ? `${userAgent} (${defaultUa})` : defaultUa;\n\n // Single shared SDK instance for every API call this gate makes (assess, sessions,\n // credentials/wallets, telemetry). Connection pooling + typed-error classification +\n // X-Quota-* header capture all flow through here. The SDK owns the transport layer\n // (timeouts, retry-on-429); the gate adds policy semantics on top. Pass the\n // merchant-prefixed UA — SDK appends its own default to produce a chain like\n // `<merchant-app> (@agent-score/commerce@<v>) (@agent-score/sdk@<v>)`.\n const sdk = new AgentScore({ apiKey, baseUrl, userAgent: userAgentHeader });\n\n // createSessionOnMissing can carry its own apiKey + baseUrl (merchants sometimes wire\n // a session-only key for this hook). Lazily build a separate SDK instance keyed on\n // (apiKey, baseUrl) so we don't construct a new client per request.\n const sessionSdkCache = new Map<string, AgentScore>();\n function getSessionSdk(sessionApiKey: string, sessionBaseUrl?: string): AgentScore {\n const key = `${sessionApiKey}|${sessionBaseUrl ?? ''}`;\n let s = sessionSdkCache.get(key);\n if (!s) {\n s = new AgentScore({\n apiKey: sessionApiKey,\n baseUrl: sessionBaseUrl ?? baseUrl,\n userAgent: userAgentHeader,\n });\n sessionSdkCache.set(key, s);\n }\n return s;\n }\n\n const cache = new TTLCache<CachedAssessResult>(cacheSeconds * 1000);\n\n // Mint a verification session via /v1/sessions and return the resulting\n // identity_verification_required DenialReason — or undefined if the mint failed (network\n // error, non-2xx, missing fields). Used for both the missing-identity path and the\n // fixable-wallet bootstrap path: in both cases the UX is identical (agent polls the\n // returned poll_url until it gets a fresh opc_... and retries).\n async function tryMintSessionDenial(ctx: unknown): Promise<DenialReason | undefined> {\n if (!createSessionOnMissing) return undefined;\n try {\n const sessionBody: { context?: string; product_name?: string } = {};\n if (createSessionOnMissing.context != null) sessionBody.context = createSessionOnMissing.context;\n if (createSessionOnMissing.productName != null) sessionBody.product_name = createSessionOnMissing.productName;\n\n if (createSessionOnMissing.getSessionOptions && ctx !== undefined) {\n try {\n const dynamic = await createSessionOnMissing.getSessionOptions(ctx);\n if (dynamic?.context != null) sessionBody.context = dynamic.context;\n if (dynamic?.productName != null) sessionBody.product_name = dynamic.productName;\n } catch (err) {\n console.warn('[gate] createSessionOnMissing.getSessionOptions hook failed:', err instanceof Error ? err.message : err);\n }\n }\n\n // createSessionOnMissing.apiKey may differ from the gate's apiKey (e.g. merchant\n // wires a session-only key for this hook). Build a per-config SDK lazily.\n const sessionSdk = getSessionSdk(createSessionOnMissing.apiKey, createSessionOnMissing.baseUrl);\n const data = (await sessionSdk.createSession({\n ...(sessionBody.context !== undefined ? { context: sessionBody.context } : {}),\n ...(sessionBody.product_name !== undefined ? { product_name: sessionBody.product_name } : {}),\n })) as unknown as Record<string, unknown>;\n\n // Validate required fields before trusting the response. A misbehaving (or mocked-wrong)\n // API could 200 without session_id/poll_secret/verify_url, which would propagate\n // `undefined` into the 403 body and leave the agent stuck — treat as session-create\n // failure and fall back to the caller's bare denial.\n if (\n typeof data.session_id !== 'string' ||\n typeof data.poll_secret !== 'string' ||\n typeof data.verify_url !== 'string'\n ) {\n console.warn('[gate] /v1/sessions returned 200 without required fields — falling back to bare denial');\n return undefined;\n }\n\n // Run onBeforeSession side-effect hook. Errors are swallowed — a failing DB write\n // (e.g. can't insert pending order) should not block the 403.\n let extra: Record<string, unknown> | undefined;\n if (createSessionOnMissing.onBeforeSession && ctx !== undefined) {\n try {\n const sessionMeta = {\n session_id: data.session_id as string,\n verify_url: data.verify_url as string,\n poll_secret: data.poll_secret as string,\n poll_url: data.poll_url as string,\n expires_at: data.expires_at as string | undefined,\n };\n const result = await createSessionOnMissing.onBeforeSession(ctx, sessionMeta);\n if (result && typeof result === 'object') extra = result;\n } catch (err) {\n console.warn('[gate] createSessionOnMissing.onBeforeSession hook failed:', err instanceof Error ? err.message : err);\n }\n }\n\n // The API emits `next_steps` (structured object) on /v1/sessions success. Stringify it\n // into the gate's `agent_instructions` contract so merchants get the same JSON-encoded\n // {action, steps, user_message} envelope as every other gate-emitted denial.\n const apiNextSteps = data.next_steps as Record<string, unknown> | undefined;\n return {\n code: 'identity_verification_required',\n verify_url: data.verify_url as string,\n session_id: data.session_id as string,\n poll_secret: data.poll_secret as string,\n poll_url: data.poll_url as string | undefined,\n agent_instructions: apiNextSteps ? JSON.stringify(apiNextSteps) : undefined,\n agent_memory: agentMemoryHint,\n ...(extra && { extra }),\n };\n } catch (err) {\n // Session-mint failed (network, /v1/sessions returned non-2xx, body parse error,\n // onBeforeSession threw inside the inner try). Caller falls back to a bare denial —\n // agents still get a 403 with a probe-strategy hint. Log loudly so a persistent\n // /v1/sessions outage isn't masked.\n console.warn('[gate] createSessionOnMissing path failed — falling back to bare denial:', err instanceof Error ? err.message : err);\n return undefined;\n }\n }\n\n async function evaluate(\n identity: AgentIdentity | undefined,\n ctx?: unknown,\n signer?: PaymentSigner | null,\n ): Promise<EvaluateOutcome> {\n // Treat \"returned identity object with no usable fields\" the same as \"no identity at all\" —\n // otherwise a misbehaving custom extractIdentity would send an empty body to /v1/assess.\n if (!identity || (!identity.address && !identity.operatorToken)) {\n // failOpen short-circuits BEFORE the session mint. This branch isn't an infra failure\n // (no AgentScore call has been made yet) so we don't mark the gate state as degraded —\n // missing identity + failOpen is the explicit opt-in pass-through behavior, not a\n // graceful-degradation event. Merchants who need identity-or-deny on a failOpen gate\n // should add a guard at the handler that checks for X-Wallet-Address / X-Operator-Token\n // before reading the gate state.\n if (failOpen) return { kind: 'allow' };\n\n const sessionReason = await tryMintSessionDenial(ctx);\n if (sessionReason) return { kind: 'deny', reason: sessionReason };\n\n // Bare missing-identity denial (no session was auto-created). Describe the probe\n // strategy so agents without memory can recover: try wallet first on signing rails,\n // fall back to stored opc_..., fall back to session flow (noting that only\n // auto-session merchants return verify_url + poll data on the retry).\n const missingIdentityInstructions = JSON.stringify({\n action: 'probe_identity_then_session',\n steps: [\n 'If you have a wallet AND this merchant accepts a wallet-signing rail (Tempo MPP or x402 — see openapi.json x-payment-info): send X-Wallet-Address and retry. If the wallet is already linked to an AgentScore operator (via prior SIWE claim or prior captureWallet), this passes in one round trip. If the wallet is unlinked or the account has no KYC, the 403 will include a verify_url — share it with the user to claim the wallet + complete KYC, then retry.',\n 'If step 1 is denied or you already have a stored operator_token (valid + not expired): send X-Operator-Token: opc_... and retry.',\n 'If neither applies: retry with NO identity header. Merchants that auto-create verification sessions (most AgentScore merchants do) return verify_url + session_id + poll_secret in the 403 body — share verify_url with the user, then poll poll_url every 5s with the X-Poll-Secret header until status=verified (the poll returns a one-time operator_token). If the retry returns the same bare 403, this merchant does not support self-service session bootstrapping — direct the user to https://agentscore.sh/sign-up to create an AgentScore identity and mint an operator_token from their dashboard (https://agentscore.sh/dashboard/verify). The user hands the opc_... to you, and you retry with X-Operator-Token.',\n ],\n user_message:\n 'Try X-Wallet-Address first if you have a wallet and the merchant accepts Tempo/x402; fall back to a stored X-Operator-Token, then to the session/verify flow described in agent_memory.bootstrap.',\n });\n return {\n kind: 'deny',\n reason: {\n code: 'missing_identity',\n agent_instructions: missingIdentityInstructions,\n agent_memory: agentMemoryHint,\n },\n };\n }\n\n // operator_token is opaque + ASCII-only — lowercasing is safe. Wallet addresses go\n // through normalizeAddress because Solana base58 is case-sensitive and lowercasing\n // would corrupt the cache key (a Solana cache miss every time, plus collision risk\n // with mixed-case variants of the same operator).\n const cacheKey = identity.operatorToken?.toLowerCase() ?? (identity.address ? normalizeAddress(identity.address) : '');\n\n const cached = cache.get(cacheKey);\n if (cached) {\n if (cached.allow) {\n const cachedRaw = cached.raw as Record<string, unknown> | undefined;\n const cachedQuota = cachedRaw?.quota as GateQuotaInfo | undefined;\n return {\n kind: 'allow',\n data: cachedRaw as unknown as AssessResult,\n ...(cachedQuota !== undefined && { quota: cachedQuota }),\n };\n }\n // Fixable compliance denials (kyc_required, kyc_pending, kyc_failed) get the\n // same UX as missing_identity: mint a fresh verification session, agent polls\n // until status=verified, gets a fresh opc_..., retries. Unfixable reasons\n // (sanctions_flagged, age_insufficient, jurisdiction_restricted) keep the bare\n // wallet_not_trusted denial. `jurisdiction_restricted` is unfixable: the API\n // only emits it after KYC is verified (the user's KYC'd country is in the\n // blocked list — re-doing KYC won't change the country).\n if (isFixableDenial(cached.reasons)) {\n const sessionReason = await tryMintSessionDenial(ctx);\n if (sessionReason) return { kind: 'deny', reason: sessionReason };\n }\n return {\n kind: 'deny',\n reason: {\n code: 'wallet_not_trusted',\n decision: cached.decision,\n reasons: cached.reasons,\n verify_url: (cached.raw as Record<string, unknown> | undefined)?.verify_url as string | undefined,\n data: cached.raw as AssessResult | undefined,\n },\n };\n }\n\n const policy: Record<string, unknown> = {};\n if (requireKyc != null) policy.require_kyc = requireKyc;\n if (requireSanctionsClear != null) policy.require_sanctions_clear = requireSanctionsClear;\n if (minAge != null) policy.min_age = minAge;\n if (blockedJurisdictions != null) policy.blocked_jurisdictions = blockedJurisdictions;\n if (allowedJurisdictions != null) policy.allowed_jurisdictions = allowedJurisdictions;\n\n let data: Record<string, unknown>;\n try {\n // Single SDK call: typed-error subclasses (PaymentRequiredError / TokenExpiredError /\n // InvalidCredentialError / QuotaExceededError / TimeoutError) flow through the\n // catch below; success path captures `quota` from X-Quota-* headers automatically.\n const opts = {\n chain: gateChain,\n ...(Object.keys(policy).length > 0 ? { policy: policy as never } : {}),\n // Pre-extracted payment signer (by the adapter middleware). When present, the API\n // composes BOTH signer_match (wallet-binding) and signer_sanctions (OFAC SDN wallet\n // check) verdicts on the response in one round trip. Under\n // policy.require_sanctions_clear, a signer_sanctions hit flips decision -> deny inline.\n ...(signer && { signer: { address: signer.address, network: signer.network } }),\n };\n // SDK has two overloads — narrow by which identity is set so TS picks the right one.\n const result = identity.address\n ? await sdk.assess(identity.address, { ...opts, operatorToken: identity.operatorToken })\n : await sdk.assess(null, { ...opts, operatorToken: identity.operatorToken! });\n data = result as unknown as Record<string, unknown>;\n } catch (err) {\n if (err instanceof PaymentRequiredError) {\n if (failOpen) return { kind: 'allow' };\n return { kind: 'deny', reason: { code: 'payment_required' } };\n }\n if (err instanceof TokenExpiredError) {\n // SDK extracts the auto-minted session fields onto the error instance — no body\n // re-parsing needed here.\n return {\n kind: 'deny',\n reason: {\n code: 'token_expired',\n data: err.details as unknown as AssessResult,\n ...(err.verifyUrl ? { verify_url: err.verifyUrl } : {}),\n ...(err.sessionId ? { session_id: err.sessionId } : {}),\n ...(err.pollSecret ? { poll_secret: err.pollSecret } : {}),\n ...(err.pollUrl ? { poll_url: err.pollUrl } : {}),\n ...(err.nextSteps ? { agent_instructions: JSON.stringify(err.nextSteps) } : {}),\n ...(err.agentMemory ? { agent_memory: err.agentMemory as AgentMemoryHint } : {}),\n },\n };\n }\n if (err instanceof InvalidCredentialError) {\n // Permanent — no auto-session, agent should switch tokens or restart.\n return {\n kind: 'deny',\n reason: {\n code: 'invalid_credential',\n agent_instructions: INVALID_CREDENTIAL_INSTRUCTIONS,\n agent_memory: agentMemoryHint,\n },\n };\n }\n if (err instanceof QuotaExceededError) {\n console.warn('[gate] /v1/assess returned 429 quota_exceeded');\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'quota_exceeded' };\n return {\n kind: 'deny',\n reason: { code: 'api_error', agent_instructions: QUOTA_EXCEEDED_INSTRUCTIONS },\n };\n }\n if (err instanceof SdkTimeoutError) {\n console.warn('[gate] /v1/assess timed out:', err.message);\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'network_timeout' };\n return { kind: 'deny', reason: { code: 'api_error' } };\n }\n // Status-based fallbacks for AgentScoreError instances the SDK couldn't classify\n // into a typed subclass (e.g. 429 with body that lacked error.code, or a fetch\n // rejection whose .name doesn't match AbortError but whose status code is set).\n // The real API always emits error.code on 429, so this is purely defensive.\n const status = (err as { status?: number } | null)?.status;\n const errName = err instanceof Error ? err.name : '';\n if (status === 429) {\n console.warn('[gate] /v1/assess returned 429 (untyped — defensive)');\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'quota_exceeded' };\n return {\n kind: 'deny',\n reason: { code: 'api_error', agent_instructions: QUOTA_EXCEEDED_INSTRUCTIONS },\n };\n }\n if (errName === 'TimeoutError' || errName === 'AbortError') {\n console.warn('[gate] /v1/assess timed out (by Error.name):', err instanceof Error ? err.message : err);\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'network_timeout' };\n return { kind: 'deny', reason: { code: 'api_error' } };\n }\n // Generic AgentScoreError (rate_limited, 5xx, network_error, body parse, unknown 4xx)\n // or any non-AgentScoreError unexpected throw — surface as api_error.\n // Include the SDK-classified error code (when available) so ops/dev see\n // schema-drift cases like a new 401 error.code rather than a silent 503.\n const errCode = (err as { code?: string } | null)?.code;\n const msg = err instanceof Error ? err.message : String(err);\n const detail = errCode ? `${errCode}: ${msg}` : msg;\n console.warn(`[gate] /v1/assess call failed — surfacing as api_error: ${detail}`);\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'api_error' };\n return { kind: 'deny', reason: { code: 'api_error' } };\n }\n\n const decision = data.decision as string | null | undefined;\n const decisionReasons = (data.decision_reasons as string[]) ?? [];\n const allow = decision === 'allow' || decision == null;\n\n cache.set(cacheKey, { allow, decision: decision ?? undefined, reasons: decisionReasons, raw: data });\n\n if (allow) {\n // SDK populates `quota` on the assess response from X-Quota-* headers when the\n // API emits them. Surface up to the adapter so merchants can monitor approach-to-cap.\n const quota = data.quota as GateQuotaInfo | undefined;\n return {\n kind: 'allow',\n data: data as unknown as AssessResult,\n ...(quota !== undefined && { quota }),\n };\n }\n\n // Fixable compliance denials (kyc_required, kyc_pending, kyc_failed) get the\n // same UX as missing_identity: mint a fresh verification session, agent polls\n // until status=verified, gets a fresh opc_..., retries. Unfixable reasons\n // (sanctions_flagged, age_insufficient, jurisdiction_restricted) keep the bare\n // wallet_not_trusted denial. `jurisdiction_restricted` is unfixable: the API\n // only emits it after KYC is verified (the user's KYC'd country is in the\n // blocked list — re-doing KYC won't change the country).\n if (isFixableDenial(decisionReasons)) {\n const sessionReason = await tryMintSessionDenial(ctx);\n if (sessionReason) return { kind: 'deny', reason: sessionReason };\n }\n\n return {\n kind: 'deny',\n reason: {\n code: 'wallet_not_trusted',\n decision: decision ?? undefined,\n reasons: decisionReasons,\n verify_url: data.verify_url as string | undefined,\n data: data as unknown as AssessResult,\n },\n };\n }\n\n async function captureWallet(options: CaptureWalletOptions): Promise<void> {\n try {\n await sdk.associateWallet({\n operatorToken: options.operatorToken,\n walletAddress: options.walletAddress,\n network: options.network,\n ...(options.idempotencyKey ? { idempotencyKey: options.idempotencyKey } : {}),\n });\n } catch (err) {\n // Fire-and-forget: don't throw. Log so a persistent capture outage is visible\n // to merchant ops — otherwise wallet↔operator linkage silently stops.\n console.warn('[agentscore-commerce] captureWallet failed:', err instanceof Error ? err.message : err);\n }\n }\n\n // Project the API's signer_match block onto the gate's VerifyWalletSignerResult shape.\n // The API authors agent_instructions, claimed/signer operators, and the linked-wallet\n // set (deny-guarded server-side); the gate just shapes those fields into camelCase.\n function projectSignerMatch(\n sm: Record<string, unknown>,\n claimedNorm: string,\n signerNorm: string,\n ): VerifyWalletSignerResult {\n const kind = sm.kind as string;\n if (kind === 'pass') {\n return {\n kind: 'pass',\n claimedOperator: (sm.claimed_operator as string | null | undefined) ?? null,\n signerOperator: (sm.signer_operator as string | null | undefined) ?? null,\n };\n }\n if (kind === 'wallet_auth_requires_wallet_signing') {\n return {\n kind: 'wallet_auth_requires_wallet_signing',\n claimedWallet: (sm.claimed_wallet as string | undefined) ?? claimedNorm,\n agentInstructions:\n (sm.agent_instructions as string | undefined) ?? WALLET_AUTH_REQUIRES_WALLET_SIGNING_INSTRUCTIONS,\n };\n }\n // Default: wallet_signer_mismatch\n const linked = sm.linked_wallets;\n return {\n kind: 'wallet_signer_mismatch',\n claimedOperator: (sm.claimed_operator as string | null | undefined) ?? null,\n actualSignerOperator: (sm.signer_operator as string | null | undefined) ?? null,\n expectedSigner: (sm.expected_signer as string | undefined) ?? claimedNorm,\n actualSigner: (sm.actual_signer as string | undefined) ?? signerNorm,\n linkedWallets: Array.isArray(linked)\n ? (linked as unknown[]).filter((w): w is string => typeof w === 'string')\n : [],\n agentInstructions:\n (sm.agent_instructions as string | undefined) ?? WALLET_SIGNER_MISMATCH_INSTRUCTIONS,\n };\n }\n\n /**\n * Synchronous read of the cached signer verdicts. Adapter middleware extracts the\n * signer pre-evaluate and the gate's primary /v1/assess call composes both verdicts\n * (signer_match + signer_sanctions) in one round trip — this getter just reads the\n * cached response. Returns `undefined` for operator-token-only paths, discovery legs\n * with no payment credential, or when the gate didn't run.\n */\n function getSignerVerdict(claimedAddress: string): SignerVerdict | undefined {\n const claimedNorm = normalizeAddress(claimedAddress);\n const cached = cache.get(claimedNorm);\n if (!cached) return undefined;\n const raw = cached.raw as Record<string, unknown> | undefined;\n if (!raw) return undefined;\n const rawMatch = raw.signer_match as Record<string, unknown> | undefined;\n const rawSanctions = raw.signer_sanctions as SignerVerdict['signer_sanctions'] | undefined;\n if (!rawMatch && !rawSanctions) return undefined;\n // The API's signer_match has the actual signer wallet baked in (actual_signer); we\n // didn't track it separately in the cache key (only claimed-side). Pass the API's own\n // actual_signer as signerNorm so the projected shape is consistent.\n const signerNorm = (rawMatch?.actual_signer as string | undefined) ?? claimedNorm;\n return {\n signer_match: rawMatch ? projectSignerMatch(rawMatch, claimedNorm, signerNorm) : null,\n signer_sanctions: rawSanctions ?? null,\n };\n }\n\n return { evaluate, captureWallet, getSignerVerdict };\n}\n","// Network-aware address normalization. EVM addresses (0x + 40 hex) are\n// case-insensitive in the protocol — we lowercase them so DB lookups against\n// `address_lower`-style columns work. Solana addresses are base58 and are\n// case-sensitive — we MUST preserve the input verbatim, never lowercase.\n//\n// Must produce identical output to the API normalizer (`core/api/src/lib/address.ts`)\n// so the gate, API, and merchants normalize the same way. If the two ever drift,\n// captured wallets won't resolve and signer-match silently breaks.\n\nconst SOLANA_BASE58_RE = /^[1-9A-HJ-NP-Za-km-z]{32,44}$/;\nconst EVM_RE = /^0x[0-9a-fA-F]{40}$/;\n\nexport const isValidEvmAddress = (address: string): boolean => EVM_RE.test(address);\n\nexport const isSolanaAddress = (address: string): boolean =>\n SOLANA_BASE58_RE.test(address) && !address.startsWith('0x');\n\nexport const isValidAddress = (address: string): boolean =>\n isValidEvmAddress(address) || isSolanaAddress(address);\n\nexport const normalizeAddress = (address: string): string => {\n if (isSolanaAddress(address)) { return address; }\n return address.toLowerCase();\n};\n","export class TTLCache<T> {\n private store = new Map<string, { value: T; expiresAt: number }>();\n private maxSize: number;\n\n constructor(private defaultTtlMs: number, maxSize = 10000) {\n this.maxSize = maxSize;\n }\n\n get(key: string): T | undefined {\n const entry = this.store.get(key);\n if (!entry) return undefined;\n if (Date.now() > entry.expiresAt) {\n this.store.delete(key);\n return undefined;\n }\n return entry.value;\n }\n\n set(key: string, value: T, ttlMs?: number): void {\n if (this.store.size >= this.maxSize) {\n this.sweep();\n }\n if (this.store.size >= this.maxSize) {\n this.evictOldest(this.store.size - this.maxSize + 1);\n }\n this.store.set(key, {\n value,\n expiresAt: Date.now() + (ttlMs ?? this.defaultTtlMs),\n });\n }\n\n /** Remove all expired entries. */\n private sweep(): void {\n const now = Date.now();\n for (const [k, v] of this.store) {\n if (now > v.expiresAt) {\n this.store.delete(k);\n }\n }\n }\n\n /** Evict the oldest `count` entries by insertion order. */\n private evictOldest(count: number): void {\n let removed = 0;\n for (const key of this.store.keys()) {\n if (removed >= count) break;\n this.store.delete(key);\n removed++;\n }\n }\n}\n","/**\n * Payment-signer extraction.\n *\n * Shared between merchants and the gate. Three paths recover a wallet signer:\n *\n * - **Tempo MPP** — `Authorization: Payment <base64>`; credential `source` is a DID of the\n * form `did:pkh:eip155:<chain>:<address>`.\n * - **Solana MPP `solana/charge`** — `Authorization: Payment <base64>`; recovery via either\n * a `did:pkh:solana:<genesis>:<address>` source (when set by the client) or by decoding\n * the credential's signed-tx payload and reading the SPL `TransferChecked` authority\n * (pull mode only — `payload.type === 'transaction'`).\n * - **x402 EIP-3009 (EVM, e.g. Base/Sepolia)** — `payment-signature` / `x-payment`;\n * decoded payload carries `payload.authorization.from`.\n *\n * Optional peer deps: `mppx` for MPP credentials, `@solana/kit` for the Solana tx-decode\n * fallback. Both dynamic-imported; merchants who don't accept that rail don't need them.\n */\n\nexport type SignerNetwork = 'evm' | 'solana';\n\nconst TOKEN_PROGRAM = 'TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA';\nconst TOKEN_2022_PROGRAM = 'TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb';\nconst TRANSFER_CHECKED_DISCRIMINATOR = 12;\n\ninterface SolanaKitMinimal {\n getBase64Codec: () => { encode: (s: string) => Uint8Array };\n getTransactionDecoder: () => { decode: (b: Uint8Array) => { messageBytes: Uint8Array } };\n getCompiledTransactionMessageDecoder: () => {\n decode: (b: Uint8Array) => {\n staticAccounts: ReadonlyArray<string>;\n instructions: ReadonlyArray<{\n programAddressIndex: number;\n accountIndices?: number[];\n data?: Uint8Array;\n }>;\n };\n };\n}\n\n/**\n * Decode a Solana MPP `solana/charge` credential's `payload.transaction` (base64-encoded\n * signed Solana tx) and return the SPL `TransferChecked` authority — the source-ATA owner,\n * which is the buyer's wallet. Pull mode only (`payload.type === 'transaction'`); push mode\n * (`payload.type === 'signature'`) returns null because recovery would require an RPC fetch.\n */\nasync function extractSolanaSignerFromCredential(credential: unknown): Promise<string | null> {\n const payload = (credential as { payload?: { transaction?: string; type?: string } }).payload;\n if (!payload?.transaction || payload.type !== 'transaction') return null;\n\n const moduleName = '@solana/kit';\n const kit = (await import(moduleName).catch(() => null)) as SolanaKitMinimal | null;\n if (!kit?.getBase64Codec || !kit.getTransactionDecoder || !kit.getCompiledTransactionMessageDecoder) {\n return null;\n }\n\n try {\n const txBytes = kit.getBase64Codec().encode(payload.transaction);\n const decoded = kit.getTransactionDecoder().decode(txBytes);\n const message = kit.getCompiledTransactionMessageDecoder().decode(decoded.messageBytes);\n\n // SPL TransferChecked accounts: [source ATA, mint, destination ATA, authority, ...signers].\n // Returns the FIRST matched authority. For multi-recipient `splits` txs, the buyer\n // signs ONE tx with N TransferChecked instructions all sharing the same authority,\n // so first-match is correct; if a tx ever surfaces with mismatched authorities the\n // first one wins (acceptable since both belong to whoever signed the tx).\n for (const ix of message.instructions) {\n const programId = message.staticAccounts[ix.programAddressIndex];\n if (programId !== TOKEN_PROGRAM && programId !== TOKEN_2022_PROGRAM) continue;\n const data = ix.data;\n if (!data || data.length === 0 || data[0] !== TRANSFER_CHECKED_DISCRIMINATOR) continue;\n const accountIndices = ix.accountIndices ?? [];\n const authorityIndex = accountIndices[3];\n if (authorityIndex === undefined) continue;\n // v0 transactions can carry account indices that resolve via address lookup tables;\n // staticAccounts only holds the static set. If the index is out of range, the\n // authority sits in a lookup table we'd need RPC to resolve. Skip cleanly with a\n // warning rather than returning the wrong address.\n if (authorityIndex >= message.staticAccounts.length) {\n console.warn(\n '[gate] Solana TransferChecked authority resolves through an address lookup table; ' +\n 'signer-match recovery requires the static-account form. Skipping.',\n );\n continue;\n }\n const authority = message.staticAccounts[authorityIndex];\n if (authority) return authority;\n }\n return null;\n } catch (err) {\n console.warn('[gate] Solana credential decode failed:', err instanceof Error ? err.message : err);\n return null;\n }\n}\n\nexport interface PaymentSigner {\n /** Recovered wallet address (EVM lowercased; Solana base58 preserved verbatim). */\n address: string;\n /** Network family — used by `captureWallet` and downstream cross-chain attribution. */\n network: SignerNetwork;\n}\n\n/**\n * Recover the signer wallet from the incoming payment credential, including the network\n * family. Returns `null` when no wallet signature is present (e.g. Stripe SPT, card-only\n * payments, or no credential yet).\n *\n * @param request - the inbound `Request`\n * @param x402PaymentHeader - the value of `payment-signature` or `x-payment` header, if any.\n * Extracted separately because some frameworks (Express) don't expose a web `Request` object.\n */\nexport async function extractPaymentSigner(\n request: Request,\n x402PaymentHeader?: string,\n): Promise<PaymentSigner | null> {\n // MPP — Authorization: Payment <base64>\n const authHeader = request.headers.get('authorization');\n if (authHeader) {\n try {\n const moduleName = 'mppx';\n const mppx = (await import(moduleName).catch(() => null)) as {\n Credential?: {\n extractPaymentScheme: (h: string) => unknown;\n fromRequest: (r: Request) => unknown;\n };\n } | null;\n if (mppx?.Credential?.extractPaymentScheme(authHeader)) {\n const credential = mppx.Credential.fromRequest(request);\n const source = (credential as { source?: string }).source;\n const evmMatch = source?.match(/^did:pkh:eip155:\\d+:(0x[0-9a-fA-F]{40})$/);\n if (evmMatch) return { address: evmMatch[1]!.toLowerCase(), network: 'evm' };\n // Solana CAIP-10: did:pkh:solana:<genesis-base58>:<address-base58>\n const solMatch = source?.match(/^did:pkh:solana:[1-9A-HJ-NP-Za-km-z]{32,44}:([1-9A-HJ-NP-Za-km-z]{32,44})$/);\n if (solMatch) return { address: solMatch[1]!, network: 'solana' };\n // Fallback: source not set by upstream client. Decode the credential's signed-tx\n // payload to find the SPL TransferChecked authority (= source-ATA owner = buyer\n // wallet). Pull mode only.\n const solanaFromTx = await extractSolanaSignerFromCredential(credential);\n if (solanaFromTx) return { address: solanaFromTx, network: 'solana' };\n }\n } catch (err) {\n console.warn('[gate] MPP signer extraction failed:', err instanceof Error ? err.message : err);\n }\n }\n\n // x402 — base64 JSON, EIP-3009 only. EVM `payload.authorization.from` is the signer.\n if (x402PaymentHeader) {\n try {\n const decoded = atob(x402PaymentHeader);\n const parsed = JSON.parse(decoded) as {\n payload?: { authorization?: { from?: string } };\n };\n const from = parsed?.payload?.authorization?.from;\n if (typeof from === 'string' && /^0x[0-9a-fA-F]{40}$/.test(from)) {\n return { address: from.toLowerCase(), network: 'evm' };\n }\n } catch (err) {\n console.warn('[gate] x402 signer extraction failed:', err instanceof Error ? err.message : err);\n }\n }\n\n return null;\n}\n\n/**\n * Headers-only variant for adapters that don't natively expose a Web Fetch `Request`\n * (Express, Fastify, ASGI-bridged frameworks). Constructs a synthetic Request carrying\n * only the `authorization` header and delegates to {@link extractPaymentSigner}. Works\n * because the MPP and x402 paths only read `request.headers.get('authorization')` and\n * the explicit `x402PaymentHeader` arg — no body, query, or method semantics needed.\n */\nexport async function extractPaymentSignerFromAuth(\n authHeader: string | null | undefined,\n x402PaymentHeader?: string,\n): Promise<PaymentSigner | null> {\n const request = new Request('http://internal.gate/', {\n headers: authHeader ? { authorization: authHeader } : {},\n });\n return extractPaymentSigner(request, x402PaymentHeader);\n}\n\n/**\n * Read the x402 payment header from a `Request`, matching the alternate names merchants might\n * use. Falls back to reading either header directly.\n */\nexport function readX402PaymentHeader(request: Request): string | undefined {\n return (\n request.headers.get('payment-signature') ??\n request.headers.get('x-payment') ??\n undefined\n );\n}\n\nfunction lowerHeaders(headers: Record<string, string>): Record<string, string> {\n const out: Record<string, string> = {};\n for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;\n return out;\n}\n\n/**\n * One-call signer extraction across both supported credential formats.\n *\n * Tries the x402 `payment-signature` / `x-payment` header first (EIP-3009\n * `payload.authorization.from`), then falls back to the MPP\n * `Authorization: Payment` header DID. Returns the first one that resolves,\n * or `null`.\n *\n * Use this for wallet-cap prechecks and other \"did the agent claim to sign as\n * X?\" checks where you need the signer BEFORE invoking Checkout. Checkout's\n * own settle path runs verification separately and surfaces the verified\n * signer on `SettleOutcome.signerAddress`.\n *\n * Accepts a plain headers dict so it works regardless of which framework the\n * merchant uses (the gate adapters all serialize headers down to a dict by\n * the time they reach the merchant's hooks).\n */\nexport async function extractSignerForPrecheck(\n headers: Record<string, string>,\n): Promise<PaymentSigner | null> {\n const lower = lowerHeaders(headers);\n const x402 = lower['payment-signature'] ?? lower['x-payment'];\n if (x402) {\n const signer = await extractPaymentSignerFromAuth(undefined, x402);\n if (signer !== null) return signer;\n }\n const authorization = lower['authorization'];\n if (authorization && authorization.toLowerCase().startsWith('payment ')) {\n return await extractPaymentSignerFromAuth(authorization);\n }\n return null;\n}\n","import {\n FIXABLE_DENIAL_REASONS,\n buildContactSupportNextSteps,\n buildSignerMismatchBody,\n denialReasonStatus,\n isFixableDenial,\n verificationAgentInstructions,\n} from '../_denial';\nimport { denialReasonToBody } from '../_response';\nimport { createAgentScoreCore } from '../core';\nimport { extractPaymentSigner, readX402PaymentHeader } from '../signer';\nimport type {\n AgentIdentity,\n AgentScoreCoreOptions,\n AssessResult,\n CreateSessionOnMissing,\n DenialReason,\n FailOpenInfraReason,\n GateQuotaInfo,\n SignerVerdict,\n} from '../core';\n\ninterface AgentScoreGateOptions extends Omit<AgentScoreCoreOptions, 'createSessionOnMissing'> {\n /** Custom function to extract agent identity from a Request. */\n extractIdentity?: (req: Request) => AgentIdentity | undefined;\n /** Custom handler invoked when a request is denied. Must return a Response. */\n onDenied?: (req: Request, reason: DenialReason) => Response | Promise<Response>;\n /** Auto-create a verification session on missing identity. Hooks receive the `Request`. */\n createSessionOnMissing?: CreateSessionOnMissing<Request>;\n}\n\n/**\n * Result of a gate check. `allowed: true` means the request passed; forward it to your\n * handler. `allowed: false` means it was denied; return `response` directly to the client.\n *\n * When the request was authenticated via `operator_token`, `captureWallet` is bound to the\n * identity and can be called after payment to report the signer wallet back to AgentScore.\n * When the request was wallet-authenticated (nothing to associate), `captureWallet` is\n * undefined. Always fire-and-forget.\n */\nexport type GuardResult =\n | {\n allowed: true;\n data?: AssessResult;\n captureWallet?: (opts: {\n walletAddress: string;\n network: 'evm' | 'solana';\n idempotencyKey?: string;\n }) => Promise<void>;\n /** Synchronous read of the cached signer verdicts (`signer_match` wallet-binding\n * + `signer_sanctions` OFAC SDN wallet-address check). Both verdicts composed by\n * the gate's primary `/v1/assess` call in one round trip. Bound only on strict\n * wallet-auth requests; `undefined` otherwise (operator-token paths, discovery\n * legs, or routes the gate didn't run on). */\n getSignerVerdict?: () => SignerVerdict | undefined;\n /** Set to `true` only when the gate fail-open'd due to AgentScore-side infra failure\n * (429/5xx/network timeout). Compliance was NOT enforced this request — log/alert. */\n degraded?: boolean;\n /** Why the gate degraded — quota_exceeded / api_error / network_timeout. */\n infraReason?: FailOpenInfraReason;\n /** Per-account assess quota observability from X-Quota-* response headers. */\n quota?: GateQuotaInfo;\n }\n | { allowed: false; response: Response };\n\nfunction defaultExtractIdentity(req: Request): AgentIdentity | undefined {\n const token = req.headers.get('x-operator-token');\n const addr = req.headers.get('x-wallet-address');\n const identity: AgentIdentity = {};\n if (token && token.length > 0) identity.operatorToken = token;\n if (addr && addr.length > 0) identity.address = addr;\n if (identity.operatorToken || identity.address) return identity;\n return undefined;\n}\n\nfunction defaultOnDenied(_req: Request, reason: DenialReason): Response {\n return new Response(JSON.stringify(denialReasonToBody(reason)), {\n status: denialReasonStatus(reason),\n headers: { 'content-type': 'application/json' },\n });\n}\n\n/**\n * Create a Web Fetch-compatible gate. Works with any runtime that speaks the standard\n * Request/Response API: Cloudflare Workers, Deno Deploy, Bun, Next.js App Router, etc.\n *\n * ```ts\n * const guard = createAgentScoreGate({ apiKey: 'as_live_...', requireKyc: true });\n *\n * export default {\n * async fetch(req: Request) {\n * const result = await guard(req);\n * if (!result.allowed) return result.response;\n * return handle(req, result.data);\n * },\n * };\n * ```\n */\nexport function createAgentScoreGate(options: AgentScoreGateOptions): (req: Request) => Promise<GuardResult> {\n const { extractIdentity = defaultExtractIdentity, onDenied = defaultOnDenied, ...coreOptions } = options;\n const core = createAgentScoreCore(coreOptions as AgentScoreCoreOptions);\n\n return async (req: Request): Promise<GuardResult> => {\n const identity = extractIdentity(req);\n // Extract the payment signer pre-evaluate. When present, the API composes\n // signer_match + signer_sanctions verdicts on the primary assess response in one\n // round trip — under policy.require_sanctions_clear, OFAC SDN wallet hits flip\n // decision -> deny inline before the handler runs.\n const signer = await extractPaymentSigner(req, readX402PaymentHeader(req));\n const outcome = await core.evaluate(identity, req, signer);\n\n if (outcome.kind === 'allow') {\n const captureWallet = identity?.operatorToken\n ? (opts: { walletAddress: string; network: 'evm' | 'solana'; idempotencyKey?: string }) =>\n core.captureWallet({ operatorToken: identity.operatorToken!, ...opts })\n : undefined;\n // Synchronous getter — reads the cached verdicts (signer_match + signer_sanctions)\n // composed by the primary assess call above. Returns undefined for operator-token\n // paths or discovery legs where no signer was extractable.\n const getSignerVerdictBound = identity?.address && !identity?.operatorToken\n ? () => core.getSignerVerdict(identity.address!)\n : undefined;\n return {\n allowed: true,\n data: outcome.data,\n captureWallet,\n getSignerVerdict: getSignerVerdictBound,\n ...(outcome.degraded ? { degraded: true, infraReason: outcome.infraReason } : {}),\n ...(outcome.quota ? { quota: outcome.quota } : {}),\n };\n }\n\n const response = await onDenied(req, outcome.reason);\n return { allowed: false, response };\n };\n}\n\n/**\n * Wrap a Web Fetch request handler with the gate. Denied requests are returned directly;\n * allowed requests are passed to `handler` along with the assess data.\n *\n * ```ts\n * export const POST = withAgentScoreGate(\n * { apiKey: 'as_live_...', requireKyc: true },\n * async (req, { data }) => Response.json({ ok: true }),\n * );\n * ```\n */\nexport function withAgentScoreGate<TCtx = unknown>(\n options: AgentScoreGateOptions,\n handler: (\n req: Request,\n gate: {\n data?: AssessResult;\n captureWallet?: (opts: {\n walletAddress: string;\n network: 'evm' | 'solana';\n idempotencyKey?: string;\n }) => Promise<void>;\n /** Synchronous read of the cached signer verdicts. See {@link GuardResult}'s\n * `getSignerVerdict` for the contract. */\n getSignerVerdict?: () => SignerVerdict | undefined;\n /** Set to `true` only when the gate fail-open'd due to AgentScore-side infra failure\n * (429/5xx/network timeout). Compliance was NOT enforced this request — log/alert. */\n degraded?: boolean;\n /** Why the gate degraded — quota_exceeded / api_error / network_timeout. */\n infraReason?: FailOpenInfraReason;\n /** Per-account assess quota observability from X-Quota-* response headers. */\n quota?: GateQuotaInfo;\n },\n ctx?: TCtx,\n ) => Response | Promise<Response>,\n): (req: Request, ctx?: TCtx) => Promise<Response> {\n const guard = createAgentScoreGate(options);\n return async (req, ctx) => {\n const result = await guard(req);\n if (!result.allowed) return result.response;\n return handler(\n req,\n {\n data: result.data,\n captureWallet: result.captureWallet,\n getSignerVerdict: result.getSignerVerdict,\n ...(result.degraded ? { degraded: true, infraReason: result.infraReason } : {}),\n ...(result.quota ? { quota: result.quota } : {}),\n },\n ctx,\n );\n };\n}\n\nexport { readX402PaymentHeader };\nexport {\n FIXABLE_DENIAL_REASONS,\n buildContactSupportNextSteps,\n buildSignerMismatchBody,\n denialReasonStatus,\n isFixableDenial,\n verificationAgentInstructions,\n};\nexport { denialReasonToBody };\n","import { createAgentScoreGate } from './web';\nimport type { AssessResult, FailOpenInfraReason, GateQuotaInfo, SignerVerdict } from '../core';\n\n/**\n * Wrap a Next.js App Router route handler with the gate.\n *\n * Denied requests get a 403 JSON response; allowed requests reach `handler` with the\n * assess data on `gate.data`.\n *\n * ```ts\n * // app/api/purchase/route.ts\n * import { withAgentScoreGate } from '@agent-score/commerce/identity/nextjs';\n *\n * export const POST = withAgentScoreGate(\n * { apiKey: process.env.AGENTSCORE_API_KEY!, requireKyc: true, minAge: 21 },\n * async (req, { data }) => {\n * // ... purchase logic\n * return Response.json({ ok: true });\n * },\n * );\n * ```\n *\n * Works with any Request type, including Next's `NextRequest`.\n */\nexport function withAgentScoreGate<TReq extends Request = Request, TCtx = unknown>(\n options: Parameters<typeof createAgentScoreGate>[0],\n handler: (\n req: TReq,\n gate: {\n data?: AssessResult;\n captureWallet?: (opts: {\n walletAddress: string;\n network: 'evm' | 'solana';\n idempotencyKey?: string;\n }) => Promise<void>;\n /** Synchronous read of the cached signer verdicts (`signer_match` wallet-binding\n * + `signer_sanctions` OFAC SDN wallet-address check). Both composed by the gate's\n * primary `/v1/assess` in one round trip. Bound only on strict wallet-auth\n * requests; `undefined` otherwise. */\n getSignerVerdict?: () => SignerVerdict | undefined;\n /** Set to `true` only when the gate fail-open'd due to AgentScore-side infra failure\n * (429/5xx/network timeout). Compliance was NOT enforced — log/alert in your handler. */\n degraded?: boolean;\n /** Why the gate degraded — quota_exceeded / api_error / network_timeout. */\n infraReason?: FailOpenInfraReason;\n /** Per-account assess quota observability from X-Quota-* response headers. */\n quota?: GateQuotaInfo;\n },\n ctx?: TCtx,\n ) => Response | Promise<Response>,\n): (req: TReq, ctx?: TCtx) => Promise<Response> {\n const guard = createAgentScoreGate(options);\n return async (req, ctx) => {\n const result = await guard(req as Request);\n if (!result.allowed) return result.response;\n return handler(\n req,\n {\n data: result.data,\n captureWallet: result.captureWallet,\n getSignerVerdict: result.getSignerVerdict,\n ...(result.degraded ? { degraded: true, infraReason: result.infraReason } : {}),\n ...(result.quota ? { quota: result.quota } : {}),\n },\n ctx,\n );\n };\n}\n\n/**\n * Build a Next.js middleware function. Returns a `Response` when the request is denied;\n * returns `undefined` when the request should continue down the middleware chain.\n *\n * ```ts\n * // middleware.ts\n * import { NextResponse, type NextRequest } from 'next/server';\n * import { agentscoreMiddleware } from '@agent-score/commerce/identity/nextjs';\n *\n * const gate = agentscoreMiddleware({ apiKey: process.env.AGENTSCORE_API_KEY!, requireKyc: true });\n *\n * export async function middleware(req: NextRequest) {\n * const denied = await gate(req);\n * if (denied) return denied;\n * return NextResponse.next();\n * }\n *\n * export const config = { matcher: '/api/purchase/:path*' };\n * ```\n */\nexport function agentscoreMiddleware(options: Parameters<typeof createAgentScoreGate>[0]): (req: Request) => Promise<Response | undefined> {\n const guard = createAgentScoreGate(options);\n return async (req: Request) => {\n const result = await guard(req);\n return result.allowed ? undefined : result.response;\n };\n}\n\nexport {\n FIXABLE_DENIAL_REASONS,\n buildContactSupportNextSteps,\n buildSignerMismatchBody,\n denialReasonStatus,\n denialReasonToBody,\n\n isFixableDenial,\n readX402PaymentHeader,\n verificationAgentInstructions,\n} from './web';\n"],"mappings":";AAgCO,IAAM,yBAA8C,oBAAI,IAAI;AAAA,EACjE;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAUM,SAAS,gBAAgB,SAAiD;AAC/E,MAAI,CAAC,WAAW,QAAQ,WAAW,EAAG,QAAO;AAC7C,SAAO,QAAQ,MAAM,CAAC,MAAM,uBAAuB,IAAI,CAAC,CAAC;AAC3D;AAUO,SAAS,mBAAmB,QAAuC;AACxE,MAAI,OAAO,SAAS,mBAAmB,OAAO,SAAS,qBAAsB,QAAO;AACpF,MAAI,OAAO,SAAS,YAAa,QAAO;AACxC,SAAO;AACT;AAgBO,SAAS,wBAAwB;AAAA,EACtC;AAAA,EACA;AAAA,EACA;AACF,GAQmC;AACjC,MAAI,OAAO,SAAS,OAAQ,QAAO;AAEnC,QAAM,uBAAuB,gBAAgB;AAE7C,MAAI,OAAO,SAAS,0BAA0B;AAC5C,UAAM,gBAAgB,OAAO,iBAAiB,CAAC;AAC/C,UAAM,sBAAsB,gBAAgB,cAAc,SAAS,IAC/D,qEAAqE,cAAc,KAAK,IAAI,CAAC,kBAC7F;AACJ,WAAO;AAAA,MACL,OAAO;AAAA,QACL,MAAM;AAAA,QACN,SACE;AAAA,MACJ;AAAA,MACA,kBAAkB,OAAO;AAAA,MACzB,wBAAwB,OAAO,wBAAwB;AAAA,MACvD,iBAAiB,OAAO;AAAA,MACxB,eAAe,OAAO;AAAA,MACtB,gBAAgB;AAAA,MAChB,YAAY;AAAA,QACV,QAAQ;AAAA,QACR,cAAc;AAAA,QACd,gBAAgB;AAAA,MAClB;AAAA,IACF;AAAA,EACF;AAGA,SAAO;AAAA,IACL,OAAO;AAAA,MACL,MAAM;AAAA,MACN,SACE;AAAA,IACJ;AAAA,IACA,YAAY;AAAA,MACV,QAAQ;AAAA,MACR,cACE,eACA;AAAA,MACF,gBAAgB;AAAA,IAClB;AAAA,EACF;AACF;AAYO,SAAS,6BACd,cACA,SAC4E;AAC5E,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,eAAe;AAAA,IACf,cACE,WACA,8DAA8D,YAAY;AAAA,EAC9E;AACF;AAQO,SAAS,8BAA8B;AAAA,EAC5C;AAAA,EACA;AAAA,EACA;AAAA,EACA,sBAAsB;AAAA,EACtB,iBAAiB;AAAA,EACjB;AAAA,EACA;AACF,IAoBI,CAAC,GAUH;AACA,QAAM,YAAY;AAAA,IAChB;AAAA,IACA,4CAA4C,mBAAmB;AAAA,IAC/D;AAAA,IACA;AAAA,IACA,aAAa;AAAA,EACf;AAEA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,aACE,cACA;AAAA,IACF,OAAO,aAAa,CAAC,GAAG,WAAW,GAAG,UAAU,IAAI;AAAA,IACpD,uBAAuB;AAAA,IACvB,oBAAoB;AAAA,IACpB,oBAAoB;AAAA,IACpB,iBAAiB;AAAA,IACjB,GAAI,WAAW,EAAE,WAAW,SAAS,IAAI,CAAC;AAAA,IAC1C,GAAI,SAAS,CAAC;AAAA,EAChB;AACF;;;AClMA,IAAM,kCAAkC,KAAK,UAAU;AAAA,EACrD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,gCAAgC,KAAK,UAAU;AAAA,EACnD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,uDAAuD,KAAK,UAAU;AAAA,EAC1E,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,yBAAyB,KAAK,UAAU;AAAA,EAC5C,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAEM,IAAM,8BAA8B,KAAK,UAAU;AAAA,EACxD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,sCAAsC,KAAK,UAAU;AAAA,EACzD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,6BAAkE;AAAA,EACtE,WAAW;AAAA,EACX,oBAAoB;AAAA,EACpB,kBAAkB;AAAA,EAClB,gCAAgC;AAAA,EAChC,eAAe;AACjB;AAEA,IAAM,mBAA+C;AAAA,EACnD,kBACE;AAAA,EACF,gCACE;AAAA,EACF,oBACE;AAAA,EACF,WACE;AAAA,EACF,kBACE;AAAA,EACF,wBACE;AAAA,EACF,qCACE;AAAA,EACF,eACE;AAAA,EACF,oBACE;AACJ;AAKA,IAAM,kBAAkB,oBAAI,IAAI;AAAA,EAC9B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAEM,SAAS,mBAAmB,QAA+C;AAChF,QAAM,UAAU,OAAO,WAAW,iBAAiB,OAAO,IAAI;AAC9D,QAAM,OAAgC,EAAE,OAAO,EAAE,MAAM,OAAO,MAAM,QAAQ,EAAE;AAC9E,MAAI,OAAO,SAAU,MAAK,WAAW,OAAO;AAC5C,MAAI,OAAO,QAAS,MAAK,UAAU,OAAO;AAC1C,MAAI,OAAO,WAAY,MAAK,aAAa,OAAO;AAChD,MAAI,OAAO,WAAY,MAAK,aAAa,OAAO;AAChD,MAAI,OAAO,YAAa,MAAK,cAAc,OAAO;AAClD,MAAI,OAAO,SAAU,MAAK,WAAW,OAAO;AAC5C,QAAM,eAAe,OAAO,sBAAsB,2BAA2B,OAAO,IAAI;AACxF,MAAI,aAAc,MAAK,qBAAqB;AAC5C,MAAI,OAAO,aAAc,MAAK,eAAe,OAAO;AACpD,MAAI,OAAO,iBAAkB,MAAK,mBAAmB,OAAO;AAC5D,MAAI,OAAO,SAAS,yBAA0B,MAAK,yBAAyB,OAAO,0BAA0B;AAC7G,MAAI,OAAO,gBAAiB,MAAK,kBAAkB,OAAO;AAC1D,MAAI,OAAO,cAAe,MAAK,gBAAgB,OAAO;AACtD,MAAI,OAAO,kBAAkB,OAAO,eAAe,SAAS,EAAG,MAAK,iBAAiB,OAAO;AAC5F,MAAI,OAAO,OAAO;AAChB,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,KAAK,GAAG;AACvD,UAAI,gBAAgB,IAAI,GAAG,GAAG;AAC5B,gBAAQ,KAAK,mDAAmD,GAAG,8CAAyC;AAC5G;AAAA,MACF;AACA,WAAK,GAAG,IAAI;AAAA,IACd;AAAA,EACF;AACA,SAAO;AACT;;;AC7KA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,gBAAgB;AAAA,EAChB;AAAA,OACK;;;ACEP,IAAM,mBAAmB;AAKlB,IAAM,kBAAkB,CAAC,YAC9B,iBAAiB,KAAK,OAAO,KAAK,CAAC,QAAQ,WAAW,IAAI;AAKrD,IAAM,mBAAmB,CAAC,YAA4B;AAC3D,MAAI,gBAAgB,OAAO,GAAG;AAAE,WAAO;AAAA,EAAS;AAChD,SAAO,QAAQ,YAAY;AAC7B;;;ACvBO,IAAM,WAAN,MAAkB;AAAA,EAIvB,YAAoB,cAAsB,UAAU,KAAO;AAAvC;AAClB,SAAK,UAAU;AAAA,EACjB;AAAA,EAFoB;AAAA,EAHZ,QAAQ,oBAAI,IAA6C;AAAA,EACzD;AAAA,EAMR,IAAI,KAA4B;AAC9B,UAAM,QAAQ,KAAK,MAAM,IAAI,GAAG;AAChC,QAAI,CAAC,MAAO,QAAO;AACnB,QAAI,KAAK,IAAI,IAAI,MAAM,WAAW;AAChC,WAAK,MAAM,OAAO,GAAG;AACrB,aAAO;AAAA,IACT;AACA,WAAO,MAAM;AAAA,EACf;AAAA,EAEA,IAAI,KAAa,OAAU,OAAsB;AAC/C,QAAI,KAAK,MAAM,QAAQ,KAAK,SAAS;AACnC,WAAK,MAAM;AAAA,IACb;AACA,QAAI,KAAK,MAAM,QAAQ,KAAK,SAAS;AACnC,WAAK,YAAY,KAAK,MAAM,OAAO,KAAK,UAAU,CAAC;AAAA,IACrD;AACA,SAAK,MAAM,IAAI,KAAK;AAAA,MAClB;AAAA,MACA,WAAW,KAAK,IAAI,KAAK,SAAS,KAAK;AAAA,IACzC,CAAC;AAAA,EACH;AAAA;AAAA,EAGQ,QAAc;AACpB,UAAM,MAAM,KAAK,IAAI;AACrB,eAAW,CAAC,GAAG,CAAC,KAAK,KAAK,OAAO;AAC/B,UAAI,MAAM,EAAE,WAAW;AACrB,aAAK,MAAM,OAAO,CAAC;AAAA,MACrB;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGQ,YAAY,OAAqB;AACvC,QAAI,UAAU;AACd,eAAW,OAAO,KAAK,MAAM,KAAK,GAAG;AACnC,UAAI,WAAW,MAAO;AACtB,WAAK,MAAM,OAAO,GAAG;AACrB;AAAA,IACF;AAAA,EACF;AACF;;;AFlCA,SAAS,qBAAqB,GAAmB;AAC/C,MAAI,MAAM,EAAE;AACZ,SAAO,MAAM,KAAK,EAAE,WAAW,MAAM,CAAC,MAAM,GAAc;AAC1D,SAAO,QAAQ,EAAE,SAAS,IAAI,EAAE,MAAM,GAAG,GAAG;AAC9C;AAwVA,IAAM,2BAA2B;AAKjC,IAAM,sCAAsC,KAAK,UAAU;AAAA,EACzD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,mDAAmD,KAAK,UAAU;AAAA,EACtE,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAMD,IAAM,kCAAkC,KAAK,UAAU;AAAA,EACrD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAEM,SAAS,uBAAwC;AAItD,QAAM,MAAM;AACZ,SAAO;AAAA,IACL,kCAAkC;AAAA,IAClC,iBACE;AAAA,IAKF,YAAY;AAAA,IACZ,yBAAyB,GAAG,GAAG;AAAA,IAC/B,gBAAgB;AAAA,MACd,QACE;AAAA,MAEF,gBACE;AAAA,IAEJ;AAAA,IACA,WACE;AAAA,IAIF,0BAA0B,CAAC,kBAAkB,aAAa;AAAA,IAC1D,6BAA6B,CAAC,gBAAgB;AAAA,EAChD;AACF;AAMO,SAAS,qBAAqB,SAAgD;AACnF,MAAI,CAAC,QAAQ,QAAQ;AACnB,UAAM,IAAI,MAAM,0EAA0E;AAAA,EAC5F;AAEA,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,WAAW;AAAA,IACX,eAAe;AAAA,IACf,SAAS,aAAa;AAAA,IACtB,OAAO;AAAA,IACP;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,QAAM,UAAU,qBAAqB,UAAU;AAC/C,QAAM,kBAAkB,qBAAqB;AAE7C,QAAM,YAAY,yBAAyB,OAAW;AACtD,QAAM,kBAAkB,YAAY,GAAG,SAAS,KAAK,SAAS,MAAM;AAQpE,QAAM,MAAM,IAAI,WAAW,EAAE,QAAQ,SAAS,WAAW,gBAAgB,CAAC;AAK1E,QAAM,kBAAkB,oBAAI,IAAwB;AACpD,WAAS,cAAc,eAAuB,gBAAqC;AACjF,UAAM,MAAM,GAAG,aAAa,IAAI,kBAAkB,EAAE;AACpD,QAAI,IAAI,gBAAgB,IAAI,GAAG;AAC/B,QAAI,CAAC,GAAG;AACN,UAAI,IAAI,WAAW;AAAA,QACjB,QAAQ;AAAA,QACR,SAAS,kBAAkB;AAAA,QAC3B,WAAW;AAAA,MACb,CAAC;AACD,sBAAgB,IAAI,KAAK,CAAC;AAAA,IAC5B;AACA,WAAO;AAAA,EACT;AAEA,QAAM,QAAQ,IAAI,SAA6B,eAAe,GAAI;AAOlE,iBAAe,qBAAqB,KAAiD;AACnF,QAAI,CAAC,uBAAwB,QAAO;AACpC,QAAI;AACF,YAAM,cAA2D,CAAC;AAClE,UAAI,uBAAuB,WAAW,KAAM,aAAY,UAAU,uBAAuB;AACzF,UAAI,uBAAuB,eAAe,KAAM,aAAY,eAAe,uBAAuB;AAElG,UAAI,uBAAuB,qBAAqB,QAAQ,QAAW;AACjE,YAAI;AACF,gBAAM,UAAU,MAAM,uBAAuB,kBAAkB,GAAG;AAClE,cAAI,SAAS,WAAW,KAAM,aAAY,UAAU,QAAQ;AAC5D,cAAI,SAAS,eAAe,KAAM,aAAY,eAAe,QAAQ;AAAA,QACvE,SAAS,KAAK;AACZ,kBAAQ,KAAK,gEAAgE,eAAe,QAAQ,IAAI,UAAU,GAAG;AAAA,QACvH;AAAA,MACF;AAIA,YAAM,aAAa,cAAc,uBAAuB,QAAQ,uBAAuB,OAAO;AAC9F,YAAM,OAAQ,MAAM,WAAW,cAAc;AAAA,QAC3C,GAAI,YAAY,YAAY,SAAY,EAAE,SAAS,YAAY,QAAQ,IAAI,CAAC;AAAA,QAC5E,GAAI,YAAY,iBAAiB,SAAY,EAAE,cAAc,YAAY,aAAa,IAAI,CAAC;AAAA,MAC7F,CAAC;AAMD,UACE,OAAO,KAAK,eAAe,YAC3B,OAAO,KAAK,gBAAgB,YAC5B,OAAO,KAAK,eAAe,UAC3B;AACA,gBAAQ,KAAK,6FAAwF;AACrG,eAAO;AAAA,MACT;AAIA,UAAI;AACJ,UAAI,uBAAuB,mBAAmB,QAAQ,QAAW;AAC/D,YAAI;AACF,gBAAM,cAAc;AAAA,YAClB,YAAY,KAAK;AAAA,YACjB,YAAY,KAAK;AAAA,YACjB,aAAa,KAAK;AAAA,YAClB,UAAU,KAAK;AAAA,YACf,YAAY,KAAK;AAAA,UACnB;AACA,gBAAM,SAAS,MAAM,uBAAuB,gBAAgB,KAAK,WAAW;AAC5E,cAAI,UAAU,OAAO,WAAW,SAAU,SAAQ;AAAA,QACpD,SAAS,KAAK;AACZ,kBAAQ,KAAK,8DAA8D,eAAe,QAAQ,IAAI,UAAU,GAAG;AAAA,QACrH;AAAA,MACF;AAKA,YAAM,eAAe,KAAK;AAC1B,aAAO;AAAA,QACL,MAAM;AAAA,QACN,YAAY,KAAK;AAAA,QACjB,YAAY,KAAK;AAAA,QACjB,aAAa,KAAK;AAAA,QAClB,UAAU,KAAK;AAAA,QACf,oBAAoB,eAAe,KAAK,UAAU,YAAY,IAAI;AAAA,QAClE,cAAc;AAAA,QACd,GAAI,SAAS,EAAE,MAAM;AAAA,MACvB;AAAA,IACF,SAAS,KAAK;AAKZ,cAAQ,KAAK,iFAA4E,eAAe,QAAQ,IAAI,UAAU,GAAG;AACjI,aAAO;AAAA,IACT;AAAA,EACF;AAEA,iBAAe,SACb,UACA,KACA,QAC0B;AAG1B,QAAI,CAAC,YAAa,CAAC,SAAS,WAAW,CAAC,SAAS,eAAgB;AAO/D,UAAI,SAAU,QAAO,EAAE,MAAM,QAAQ;AAErC,YAAM,gBAAgB,MAAM,qBAAqB,GAAG;AACpD,UAAI,cAAe,QAAO,EAAE,MAAM,QAAQ,QAAQ,cAAc;AAMhE,YAAM,8BAA8B,KAAK,UAAU;AAAA,QACjD,QAAQ;AAAA,QACR,OAAO;AAAA,UACL;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,QACA,cACE;AAAA,MACJ,CAAC;AACD,aAAO;AAAA,QACL,MAAM;AAAA,QACN,QAAQ;AAAA,UACN,MAAM;AAAA,UACN,oBAAoB;AAAA,UACpB,cAAc;AAAA,QAChB;AAAA,MACF;AAAA,IACF;AAMA,UAAM,WAAW,SAAS,eAAe,YAAY,MAAM,SAAS,UAAU,iBAAiB,SAAS,OAAO,IAAI;AAEnH,UAAM,SAAS,MAAM,IAAI,QAAQ;AACjC,QAAI,QAAQ;AACV,UAAI,OAAO,OAAO;AAChB,cAAM,YAAY,OAAO;AACzB,cAAM,cAAc,WAAW;AAC/B,eAAO;AAAA,UACL,MAAM;AAAA,UACN,MAAM;AAAA,UACN,GAAI,gBAAgB,UAAa,EAAE,OAAO,YAAY;AAAA,QACxD;AAAA,MACF;AAQA,UAAI,gBAAgB,OAAO,OAAO,GAAG;AACnC,cAAM,gBAAgB,MAAM,qBAAqB,GAAG;AACpD,YAAI,cAAe,QAAO,EAAE,MAAM,QAAQ,QAAQ,cAAc;AAAA,MAClE;AACA,aAAO;AAAA,QACL,MAAM;AAAA,QACN,QAAQ;AAAA,UACN,MAAM;AAAA,UACN,UAAU,OAAO;AAAA,UACjB,SAAS,OAAO;AAAA,UAChB,YAAa,OAAO,KAA6C;AAAA,UACjE,MAAM,OAAO;AAAA,QACf;AAAA,MACF;AAAA,IACF;AAEA,UAAM,SAAkC,CAAC;AACzC,QAAI,cAAc,KAAM,QAAO,cAAc;AAC7C,QAAI,yBAAyB,KAAM,QAAO,0BAA0B;AACpE,QAAI,UAAU,KAAM,QAAO,UAAU;AACrC,QAAI,wBAAwB,KAAM,QAAO,wBAAwB;AACjE,QAAI,wBAAwB,KAAM,QAAO,wBAAwB;AAEjE,QAAI;AACJ,QAAI;AAIF,YAAM,OAAO;AAAA,QACX,OAAO;AAAA,QACP,GAAI,OAAO,KAAK,MAAM,EAAE,SAAS,IAAI,EAAE,OAAwB,IAAI,CAAC;AAAA;AAAA;AAAA;AAAA;AAAA,QAKpE,GAAI,UAAU,EAAE,QAAQ,EAAE,SAAS,OAAO,SAAS,SAAS,OAAO,QAAQ,EAAE;AAAA,MAC/E;AAEA,YAAM,SAAS,SAAS,UACpB,MAAM,IAAI,OAAO,SAAS,SAAS,EAAE,GAAG,MAAM,eAAe,SAAS,cAAc,CAAC,IACrF,MAAM,IAAI,OAAO,MAAM,EAAE,GAAG,MAAM,eAAe,SAAS,cAAe,CAAC;AAC9E,aAAO;AAAA,IACT,SAAS,KAAK;AACZ,UAAI,eAAe,sBAAsB;AACvC,YAAI,SAAU,QAAO,EAAE,MAAM,QAAQ;AACrC,eAAO,EAAE,MAAM,QAAQ,QAAQ,EAAE,MAAM,mBAAmB,EAAE;AAAA,MAC9D;AACA,UAAI,eAAe,mBAAmB;AAGpC,eAAO;AAAA,UACL,MAAM;AAAA,UACN,QAAQ;AAAA,YACN,MAAM;AAAA,YACN,MAAM,IAAI;AAAA,YACV,GAAI,IAAI,YAAY,EAAE,YAAY,IAAI,UAAU,IAAI,CAAC;AAAA,YACrD,GAAI,IAAI,YAAY,EAAE,YAAY,IAAI,UAAU,IAAI,CAAC;AAAA,YACrD,GAAI,IAAI,aAAa,EAAE,aAAa,IAAI,WAAW,IAAI,CAAC;AAAA,YACxD,GAAI,IAAI,UAAU,EAAE,UAAU,IAAI,QAAQ,IAAI,CAAC;AAAA,YAC/C,GAAI,IAAI,YAAY,EAAE,oBAAoB,KAAK,UAAU,IAAI,SAAS,EAAE,IAAI,CAAC;AAAA,YAC7E,GAAI,IAAI,cAAc,EAAE,cAAc,IAAI,YAA+B,IAAI,CAAC;AAAA,UAChF;AAAA,QACF;AAAA,MACF;AACA,UAAI,eAAe,wBAAwB;AAEzC,eAAO;AAAA,UACL,MAAM;AAAA,UACN,QAAQ;AAAA,YACN,MAAM;AAAA,YACN,oBAAoB;AAAA,YACpB,cAAc;AAAA,UAChB;AAAA,QACF;AAAA,MACF;AACA,UAAI,eAAe,oBAAoB;AACrC,gBAAQ,KAAK,+CAA+C;AAC5D,YAAI,SAAU,QAAO,EAAE,MAAM,SAAS,UAAU,MAAM,aAAa,iBAAiB;AACpF,eAAO;AAAA,UACL,MAAM;AAAA,UACN,QAAQ,EAAE,MAAM,aAAa,oBAAoB,4BAA4B;AAAA,QAC/E;AAAA,MACF;AACA,UAAI,eAAe,iBAAiB;AAClC,gBAAQ,KAAK,gCAAgC,IAAI,OAAO;AACxD,YAAI,SAAU,QAAO,EAAE,MAAM,SAAS,UAAU,MAAM,aAAa,kBAAkB;AACrF,eAAO,EAAE,MAAM,QAAQ,QAAQ,EAAE,MAAM,YAAY,EAAE;AAAA,MACvD;AAKA,YAAM,SAAU,KAAoC;AACpD,YAAM,UAAU,eAAe,QAAQ,IAAI,OAAO;AAClD,UAAI,WAAW,KAAK;AAClB,gBAAQ,KAAK,2DAAsD;AACnE,YAAI,SAAU,QAAO,EAAE,MAAM,SAAS,UAAU,MAAM,aAAa,iBAAiB;AACpF,eAAO;AAAA,UACL,MAAM;AAAA,UACN,QAAQ,EAAE,MAAM,aAAa,oBAAoB,4BAA4B;AAAA,QAC/E;AAAA,MACF;AACA,UAAI,YAAY,kBAAkB,YAAY,cAAc;AAC1D,gBAAQ,KAAK,gDAAgD,eAAe,QAAQ,IAAI,UAAU,GAAG;AACrG,YAAI,SAAU,QAAO,EAAE,MAAM,SAAS,UAAU,MAAM,aAAa,kBAAkB;AACrF,eAAO,EAAE,MAAM,QAAQ,QAAQ,EAAE,MAAM,YAAY,EAAE;AAAA,MACvD;AAKA,YAAM,UAAW,KAAkC;AACnD,YAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,YAAM,SAAS,UAAU,GAAG,OAAO,KAAK,GAAG,KAAK;AAChD,cAAQ,KAAK,gEAA2D,MAAM,EAAE;AAChF,UAAI,SAAU,QAAO,EAAE,MAAM,SAAS,UAAU,MAAM,aAAa,YAAY;AAC/E,aAAO,EAAE,MAAM,QAAQ,QAAQ,EAAE,MAAM,YAAY,EAAE;AAAA,IACvD;AAEA,UAAM,WAAW,KAAK;AACtB,UAAM,kBAAmB,KAAK,oBAAiC,CAAC;AAChE,UAAM,QAAQ,aAAa,WAAW,YAAY;AAElD,UAAM,IAAI,UAAU,EAAE,OAAO,UAAU,YAAY,QAAW,SAAS,iBAAiB,KAAK,KAAK,CAAC;AAEnG,QAAI,OAAO;AAGT,YAAM,QAAQ,KAAK;AACnB,aAAO;AAAA,QACL,MAAM;AAAA,QACN;AAAA,QACA,GAAI,UAAU,UAAa,EAAE,MAAM;AAAA,MACrC;AAAA,IACF;AASA,QAAI,gBAAgB,eAAe,GAAG;AACpC,YAAM,gBAAgB,MAAM,qBAAqB,GAAG;AACpD,UAAI,cAAe,QAAO,EAAE,MAAM,QAAQ,QAAQ,cAAc;AAAA,IAClE;AAEA,WAAO;AAAA,MACL,MAAM;AAAA,MACN,QAAQ;AAAA,QACN,MAAM;AAAA,QACN,UAAU,YAAY;AAAA,QACtB,SAAS;AAAA,QACT,YAAY,KAAK;AAAA,QACjB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,iBAAe,cAAcA,UAA8C;AACzE,QAAI;AACF,YAAM,IAAI,gBAAgB;AAAA,QACxB,eAAeA,SAAQ;AAAA,QACvB,eAAeA,SAAQ;AAAA,QACvB,SAASA,SAAQ;AAAA,QACjB,GAAIA,SAAQ,iBAAiB,EAAE,gBAAgBA,SAAQ,eAAe,IAAI,CAAC;AAAA,MAC7E,CAAC;AAAA,IACH,SAAS,KAAK;AAGZ,cAAQ,KAAK,+CAA+C,eAAe,QAAQ,IAAI,UAAU,GAAG;AAAA,IACtG;AAAA,EACF;AAKA,WAAS,mBACP,IACA,aACA,YAC0B;AAC1B,UAAM,OAAO,GAAG;AAChB,QAAI,SAAS,QAAQ;AACnB,aAAO;AAAA,QACL,MAAM;AAAA,QACN,iBAAkB,GAAG,oBAAkD;AAAA,QACvE,gBAAiB,GAAG,mBAAiD;AAAA,MACvE;AAAA,IACF;AACA,QAAI,SAAS,uCAAuC;AAClD,aAAO;AAAA,QACL,MAAM;AAAA,QACN,eAAgB,GAAG,kBAAyC;AAAA,QAC5D,mBACG,GAAG,sBAA6C;AAAA,MACrD;AAAA,IACF;AAEA,UAAM,SAAS,GAAG;AAClB,WAAO;AAAA,MACL,MAAM;AAAA,MACN,iBAAkB,GAAG,oBAAkD;AAAA,MACvE,sBAAuB,GAAG,mBAAiD;AAAA,MAC3E,gBAAiB,GAAG,mBAA0C;AAAA,MAC9D,cAAe,GAAG,iBAAwC;AAAA,MAC1D,eAAe,MAAM,QAAQ,MAAM,IAC9B,OAAqB,OAAO,CAAC,MAAmB,OAAO,MAAM,QAAQ,IACtE,CAAC;AAAA,MACL,mBACG,GAAG,sBAA6C;AAAA,IACrD;AAAA,EACF;AASA,WAAS,iBAAiB,gBAAmD;AAC3E,UAAM,cAAc,iBAAiB,cAAc;AACnD,UAAM,SAAS,MAAM,IAAI,WAAW;AACpC,QAAI,CAAC,OAAQ,QAAO;AACpB,UAAM,MAAM,OAAO;AACnB,QAAI,CAAC,IAAK,QAAO;AACjB,UAAM,WAAW,IAAI;AACrB,UAAM,eAAe,IAAI;AACzB,QAAI,CAAC,YAAY,CAAC,aAAc,QAAO;AAIvC,UAAM,aAAc,UAAU,iBAAwC;AACtE,WAAO;AAAA,MACL,cAAc,WAAW,mBAAmB,UAAU,aAAa,UAAU,IAAI;AAAA,MACjF,kBAAkB,gBAAgB;AAAA,IACpC;AAAA,EACF;AAEA,SAAO,EAAE,UAAU,eAAe,iBAAiB;AACrD;;;AGt2BA,IAAM,gBAAgB;AACtB,IAAM,qBAAqB;AAC3B,IAAM,iCAAiC;AAuBvC,eAAe,kCAAkC,YAA6C;AAC5F,QAAM,UAAW,WAAqE;AACtF,MAAI,CAAC,SAAS,eAAe,QAAQ,SAAS,cAAe,QAAO;AAEpE,QAAM,aAAa;AACnB,QAAM,MAAO,MAAM,OAAO,YAAY,MAAM,MAAM,IAAI;AACtD,MAAI,CAAC,KAAK,kBAAkB,CAAC,IAAI,yBAAyB,CAAC,IAAI,sCAAsC;AACnG,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,UAAU,IAAI,eAAe,EAAE,OAAO,QAAQ,WAAW;AAC/D,UAAM,UAAU,IAAI,sBAAsB,EAAE,OAAO,OAAO;AAC1D,UAAM,UAAU,IAAI,qCAAqC,EAAE,OAAO,QAAQ,YAAY;AAOtF,eAAW,MAAM,QAAQ,cAAc;AACrC,YAAM,YAAY,QAAQ,eAAe,GAAG,mBAAmB;AAC/D,UAAI,cAAc,iBAAiB,cAAc,mBAAoB;AACrE,YAAM,OAAO,GAAG;AAChB,UAAI,CAAC,QAAQ,KAAK,WAAW,KAAK,KAAK,CAAC,MAAM,+BAAgC;AAC9E,YAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAC7C,YAAM,iBAAiB,eAAe,CAAC;AACvC,UAAI,mBAAmB,OAAW;AAKlC,UAAI,kBAAkB,QAAQ,eAAe,QAAQ;AACnD,gBAAQ;AAAA,UACN;AAAA,QAEF;AACA;AAAA,MACF;AACA,YAAM,YAAY,QAAQ,eAAe,cAAc;AACvD,UAAI,UAAW,QAAO;AAAA,IACxB;AACA,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,YAAQ,KAAK,2CAA2C,eAAe,QAAQ,IAAI,UAAU,GAAG;AAChG,WAAO;AAAA,EACT;AACF;AAkBA,eAAsB,qBACpB,SACA,mBAC+B;AAE/B,QAAM,aAAa,QAAQ,QAAQ,IAAI,eAAe;AACtD,MAAI,YAAY;AACd,QAAI;AACF,YAAM,aAAa;AACnB,YAAM,OAAQ,MAAM,OAAO,YAAY,MAAM,MAAM,IAAI;AAMvD,UAAI,MAAM,YAAY,qBAAqB,UAAU,GAAG;AACtD,cAAM,aAAa,KAAK,WAAW,YAAY,OAAO;AACtD,cAAM,SAAU,WAAmC;AACnD,cAAM,WAAW,QAAQ,MAAM,0CAA0C;AACzE,YAAI,SAAU,QAAO,EAAE,SAAS,SAAS,CAAC,EAAG,YAAY,GAAG,SAAS,MAAM;AAE3E,cAAM,WAAW,QAAQ,MAAM,4EAA4E;AAC3G,YAAI,SAAU,QAAO,EAAE,SAAS,SAAS,CAAC,GAAI,SAAS,SAAS;AAIhE,cAAM,eAAe,MAAM,kCAAkC,UAAU;AACvE,YAAI,aAAc,QAAO,EAAE,SAAS,cAAc,SAAS,SAAS;AAAA,MACtE;AAAA,IACF,SAAS,KAAK;AACZ,cAAQ,KAAK,wCAAwC,eAAe,QAAQ,IAAI,UAAU,GAAG;AAAA,IAC/F;AAAA,EACF;AAGA,MAAI,mBAAmB;AACrB,QAAI;AACF,YAAM,UAAU,KAAK,iBAAiB;AACtC,YAAM,SAAS,KAAK,MAAM,OAAO;AAGjC,YAAM,OAAO,QAAQ,SAAS,eAAe;AAC7C,UAAI,OAAO,SAAS,YAAY,sBAAsB,KAAK,IAAI,GAAG;AAChE,eAAO,EAAE,SAAS,KAAK,YAAY,GAAG,SAAS,MAAM;AAAA,MACvD;AAAA,IACF,SAAS,KAAK;AACZ,cAAQ,KAAK,yCAAyC,eAAe,QAAQ,IAAI,UAAU,GAAG;AAAA,IAChG;AAAA,EACF;AAEA,SAAO;AACT;AAuBO,SAAS,sBAAsB,SAAsC;AAC1E,SACE,QAAQ,QAAQ,IAAI,mBAAmB,KACvC,QAAQ,QAAQ,IAAI,WAAW,KAC/B;AAEJ;;;AC7HA,SAAS,uBAAuB,KAAyC;AACvE,QAAM,QAAQ,IAAI,QAAQ,IAAI,kBAAkB;AAChD,QAAM,OAAO,IAAI,QAAQ,IAAI,kBAAkB;AAC/C,QAAM,WAA0B,CAAC;AACjC,MAAI,SAAS,MAAM,SAAS,EAAG,UAAS,gBAAgB;AACxD,MAAI,QAAQ,KAAK,SAAS,EAAG,UAAS,UAAU;AAChD,MAAI,SAAS,iBAAiB,SAAS,QAAS,QAAO;AACvD,SAAO;AACT;AAEA,SAAS,gBAAgB,MAAe,QAAgC;AACtE,SAAO,IAAI,SAAS,KAAK,UAAU,mBAAmB,MAAM,CAAC,GAAG;AAAA,IAC9D,QAAQ,mBAAmB,MAAM;AAAA,IACjC,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,EAChD,CAAC;AACH;AAkBO,SAAS,qBAAqB,SAAwE;AAC3G,QAAM,EAAE,kBAAkB,wBAAwB,WAAW,iBAAiB,GAAG,YAAY,IAAI;AACjG,QAAM,OAAO,qBAAqB,WAAoC;AAEtE,SAAO,OAAO,QAAuC;AACnD,UAAM,WAAW,gBAAgB,GAAG;AAKpC,UAAM,SAAS,MAAM,qBAAqB,KAAK,sBAAsB,GAAG,CAAC;AACzE,UAAM,UAAU,MAAM,KAAK,SAAS,UAAU,KAAK,MAAM;AAEzD,QAAI,QAAQ,SAAS,SAAS;AAC5B,YAAM,gBAAgB,UAAU,gBAC5B,CAAC,SACC,KAAK,cAAc,EAAE,eAAe,SAAS,eAAgB,GAAG,KAAK,CAAC,IACxE;AAIJ,YAAM,wBAAwB,UAAU,WAAW,CAAC,UAAU,gBAC1D,MAAM,KAAK,iBAAiB,SAAS,OAAQ,IAC7C;AACJ,aAAO;AAAA,QACL,SAAS;AAAA,QACT,MAAM,QAAQ;AAAA,QACd;AAAA,QACA,kBAAkB;AAAA,QAClB,GAAI,QAAQ,WAAW,EAAE,UAAU,MAAM,aAAa,QAAQ,YAAY,IAAI,CAAC;AAAA,QAC/E,GAAI,QAAQ,QAAQ,EAAE,OAAO,QAAQ,MAAM,IAAI,CAAC;AAAA,MAClD;AAAA,IACF;AAEA,UAAM,WAAW,MAAM,SAAS,KAAK,QAAQ,MAAM;AACnD,WAAO,EAAE,SAAS,OAAO,SAAS;AAAA,EACpC;AACF;;;AC/GO,SAAS,mBACd,SACA,SAwB8C;AAC9C,QAAM,QAAQ,qBAAqB,OAAO;AAC1C,SAAO,OAAO,KAAK,QAAQ;AACzB,UAAM,SAAS,MAAM,MAAM,GAAc;AACzC,QAAI,CAAC,OAAO,QAAS,QAAO,OAAO;AACnC,WAAO;AAAA,MACL;AAAA,MACA;AAAA,QACE,MAAM,OAAO;AAAA,QACb,eAAe,OAAO;AAAA,QACtB,kBAAkB,OAAO;AAAA,QACzB,GAAI,OAAO,WAAW,EAAE,UAAU,MAAM,aAAa,OAAO,YAAY,IAAI,CAAC;AAAA,QAC7E,GAAI,OAAO,QAAQ,EAAE,OAAO,OAAO,MAAM,IAAI,CAAC;AAAA,MAChD;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;AAsBO,SAAS,qBAAqB,SAAsG;AACzI,QAAM,QAAQ,qBAAqB,OAAO;AAC1C,SAAO,OAAO,QAAiB;AAC7B,UAAM,SAAS,MAAM,MAAM,GAAG;AAC9B,WAAO,OAAO,UAAU,SAAY,OAAO;AAAA,EAC7C;AACF;","names":["options"]}
1
+ {"version":3,"sources":["../../src/payment/payment_header.ts","../../src/_denial.ts","../../src/_response.ts","../../src/core.ts","../../src/address.ts","../../src/cache.ts","../../src/signer.ts","../../src/identity/web.ts","../../src/identity/nextjs.ts"],"sourcesContent":["/** Detects whether a request is a \"settle leg\" (carries a payment credential)\n * vs a \"discovery leg\" (no payment credential, expects a 402).\n *\n * Used by the gate-conditional mount pattern documented in CLAUDE.md: mount\n * `agentscoreGate` on a route only when payment is being attempted, so the\n * discovery leg flows through unauthenticated and gets a 402 with all rails.\n *\n * Three credential channels are checked:\n * - `Payment-Signature` — MPP credentials (Tempo, Solana, Stripe SPT)\n * - `X-Payment` — x402 v1 EIP-3009 credentials\n * - `Authorization: Payment <jwt>` — x402 v2 / paymentauth.org credentials\n */\n\ntype WebHeaders = { get(name: string): string | null };\ntype RecordHeaders = Record<string, string | string[] | undefined>;\nexport type HeadersLike = WebHeaders | RecordHeaders | Headers;\n\nfunction toTitleCase(name: string): string {\n return name.replace(/(^|-)([a-z])/g, (_m, sep: string, c: string) => sep + c.toUpperCase());\n}\n\nexport function readHeader(headers: HeadersLike, name: string): string | null {\n if (typeof (headers as Partial<WebHeaders>).get === 'function') {\n return (headers as WebHeaders).get(name);\n }\n const rec = headers as RecordHeaders;\n const v = rec[name] ?? rec[name.toLowerCase()] ?? rec[toTitleCase(name)];\n if (typeof v === 'string') return v;\n if (Array.isArray(v) && typeof v[0] === 'string') return v[0];\n return null;\n}\n\nexport function asHeaders(input: Request | HeadersLike): HeadersLike {\n return typeof (input as Partial<Request>).headers === 'object' && input instanceof Request\n ? input.headers\n : (input as HeadersLike);\n}\n\n/** True when the request carries any of the payment-credential headers we\n * recognize. Accepts a Web Fetch `Headers`, a Web Fetch `Request` (uses\n * `request.headers`), or a plain header record (Express/Fastify-shaped).\n *\n * Use this to gate the `agentscoreGate` middleware so anonymous discovery\n * legs flow through and get a 402 with all rails. See CLAUDE.md\n * \"Anonymous discovery\" pattern.\n */\nexport function hasPaymentHeader(input: Request | HeadersLike): boolean {\n const headers = asHeaders(input);\n return Boolean(\n readHeader(headers, 'payment-signature') ||\n readHeader(headers, 'x-payment') ||\n readHeader(headers, 'authorization')?.startsWith('Payment '),\n );\n}\n\n/** True when the request carries an x402 payment credential (`X-Payment` or\n * `Payment-Signature`). Use to dispatch to the x402 settle path. */\nexport function hasX402Header(input: Request | HeadersLike): boolean {\n const headers = asHeaders(input);\n return Boolean(readHeader(headers, 'payment-signature') || readHeader(headers, 'x-payment'));\n}\n\n/** True when the request carries an mppx payment credential\n * (`Authorization: Payment <jwt>`). Use to dispatch to the MPP settle path. */\nexport function hasMppxHeader(input: Request | HeadersLike): boolean {\n const headers = asHeaders(input);\n return Boolean(readHeader(headers, 'authorization')?.startsWith('Payment '));\n}\n","/**\n * Universal denial helpers shared across every adapter.\n *\n * What lives here:\n * - `FIXABLE_DENIAL_REASONS` / `isFixableDenial` — classifier for compliance reasons that can\n * be resolved by re-completing KYC (vs sanctions / age failures which are permanent).\n * - `denialReasonStatus` — picks the right HTTP status code per denial code (401 for credential\n * problems, 503 for transient API errors, 403 for everything else).\n * - `buildSignerMismatchBody` — produces the standard 403 body for a non-pass signer_match\n * verdict (read via `getSignerVerdict`).\n * - `buildContactSupportNextSteps` — standard `next_steps.action: \"contact_support\"` shape for\n * unfixable compliance denials.\n * - `verificationAgentInstructions` — the canned `agent_instructions` block for\n * identity-verification 403s. Vendors can override individual fields.\n *\n * Adapters use `denialReasonStatus` inside their default `onDenied` so vendors get the right\n * status code for free. The body builders are exported from each adapter so vendors who write\n * a custom `onDenied` can compose them without copy-paste.\n */\n\nimport type { DenialReason, VerifyWalletSignerResult } from './core';\n\n/**\n * Compliance denial reasons that can be resolved by re-completing KYC. The API emits these\n * when KYC is missing/pending/failed; the user can re-verify and retry.\n *\n * `jurisdiction_restricted` is NOT in this set — the API only emits it AFTER KYC is verified,\n * meaning the user's KYC'd country is in the merchant's blocked list (or absent from the\n * allowed list). Re-doing KYC won't change the country, so it's permanent. Same shape as\n * `sanctions_flagged` and `age_insufficient` — surface contact_support, don't waste a\n * /v1/sessions mint.\n */\nexport const FIXABLE_DENIAL_REASONS: ReadonlySet<string> = new Set([\n 'kyc_required',\n 'kyc_pending',\n 'kyc_failed',\n]);\n\n/**\n * Returns true when a `wallet_not_trusted` denial's reasons are all fixable via KYC\n * re-verification. False when any reason is permanent (sanctions, age, jurisdiction_restricted).\n *\n * Empty reasons returns false — without a known reason we can't promise a fix, so default to\n * the bare denial path (vendors can override via custom onDenied if they want different\n * behavior on empty reasons).\n */\nexport function isFixableDenial(reasons: readonly string[] | undefined): boolean {\n if (!reasons || reasons.length === 0) return false;\n return reasons.every((r) => FIXABLE_DENIAL_REASONS.has(r));\n}\n\n/**\n * The right HTTP status code for a denial. `defaultOnDenied` in every adapter uses this so\n * vendors get correct status codes without writing per-code branches.\n *\n * - 401 for credential problems the agent can recover from (`token_expired`, `invalid_credential`)\n * - 503 for transient `api_error`\n * - 403 for everything else (identity required, compliance fail, signer mismatch, etc.)\n */\nexport function denialReasonStatus(reason: DenialReason): 401 | 403 | 503 {\n if (reason.code === 'token_expired' || reason.code === 'invalid_credential') return 401;\n if (reason.code === 'api_error') return 503;\n return 403;\n}\n\n/**\n * Standard 403 body for a non-pass signer-match verdict. Returns null for `pass` so vendors\n * can call it unconditionally:\n *\n * const verdict = getSignerVerdict(c);\n * if (verdict?.signer_match) {\n * const mismatchBody = buildSignerMismatchBody({ result: verdict.signer_match });\n * if (mismatchBody) return c.json(mismatchBody, 403);\n * }\n *\n * Body shape mirrors the gate's denial bodies: top-level error.code, all signer-match fields\n * (`claimed_operator`, `actual_signer_operator`, `expected_signer`, `actual_signer`,\n * `linked_wallets`), plus a `next_steps` action describing the recovery path.\n */\nexport function buildSignerMismatchBody({\n result,\n userMessage,\n learnMoreUrl,\n}: {\n /** Projected signer_match verdict (from `getSignerVerdict(ctx).signer_match`). Only non-pass\n * kinds produce a body. */\n result: VerifyWalletSignerResult;\n /** Optional override for the human-facing `next_steps.user_message`. */\n userMessage?: string;\n /** Optional override for `next_steps.learn_more_url`. Default: AgentScore agent-identity guide. */\n learnMoreUrl?: string;\n}): Record<string, unknown> | null {\n if (result.kind === 'pass') return null;\n\n const learnMoreUrlResolved = learnMoreUrl ?? 'https://docs.agentscore.sh/guides/agent-identity';\n\n if (result.kind === 'wallet_signer_mismatch') {\n const linkedWallets = result.linkedWallets ?? [];\n const userMessageResolved = userMessage ?? (linkedWallets.length > 0\n ? `Sign the payment with one of the wallets linked to this operator: ${linkedWallets.join(', ')}. Then retry.`\n : 'Sign the payment with the same wallet you claimed via X-Wallet-Address, or switch to X-Operator-Token for rail-independent identity.');\n return {\n error: {\n code: 'wallet_signer_mismatch',\n message:\n 'Payment signer does not match the wallet claimed via X-Wallet-Address. The signer and the claimed wallet must both resolve to the same AgentScore operator.',\n },\n claimed_operator: result.claimedOperator,\n actual_signer_operator: result.actualSignerOperator ?? null,\n expected_signer: result.expectedSigner,\n actual_signer: result.actualSigner,\n linked_wallets: linkedWallets,\n next_steps: {\n action: 'regenerate_payment_from_linked_wallet',\n user_message: userMessageResolved,\n learn_more_url: learnMoreUrlResolved,\n },\n };\n }\n\n // wallet_auth_requires_wallet_signing\n return {\n error: {\n code: 'wallet_auth_requires_wallet_signing',\n message:\n 'Wallet-auth requires a payment rail that carries a wallet signature (Tempo MPP, x402). Stripe SPT and card rails have no wallet signer; switch to X-Operator-Token to use those.',\n },\n next_steps: {\n action: 'switch_to_operator_token',\n user_message:\n userMessage ??\n 'Drop the X-Wallet-Address header and retry with X-Operator-Token (works on every payment rail).',\n learn_more_url: learnMoreUrlResolved,\n },\n };\n}\n\n/**\n * Standard `next_steps` block for unfixable compliance denials (sanctions, age, etc.). Vendors\n * spread this into a 403 body alongside the usual `error`/`reasons` fields.\n *\n * return c.json({\n * error: { code: 'compliance_denied', message: '...' },\n * reasons,\n * next_steps: buildContactSupportNextSteps('support@example.com'),\n * }, 403);\n */\nexport function buildContactSupportNextSteps(\n supportEmail: string,\n message?: string,\n): { action: 'contact_support'; support_email: string; user_message: string } {\n return {\n action: 'contact_support',\n support_email: supportEmail,\n user_message:\n message ??\n `If you believe this denial is in error, contact support at ${supportEmail} with the details of your request.`,\n };\n}\n\n/**\n * The canonical `agent_instructions` block for identity-verification 403s. Tells the agent how to\n * present the verify_url, poll for the operator_token, and retry the original request. Universal\n * across every AgentScore-gated merchant — overrides let vendors add merchant-specific steps\n * (e.g. \"include order_id when retrying\").\n */\nexport function verificationAgentInstructions({\n userAction,\n retryStep,\n extraSteps,\n pollIntervalSeconds = 5,\n timeoutSeconds = 3600,\n orderTtl,\n extra,\n}: {\n /** Override the user-facing message. */\n userAction?: string;\n /** Replace the generic \"Retry the original merchant request...\" step with a merchant-specific\n * one (e.g. \"Retry POST /purchase with X-Operator-Token AND include order_id...\"). When set,\n * this REPLACES baseSteps[4] rather than appending — use it instead of `extraSteps[0]` when\n * your retry instruction is a refinement of the canonical retry, not an additional step. */\n retryStep?: string;\n /** Append additional steps after the retry step. Use this for genuinely additional steps\n * (e.g. \"After payment the same call returns 200 with the order\"), not for re-stating the\n * retry — use `retryStep` for that. */\n extraSteps?: string[];\n /** Override the poll cadence. Default 5 seconds. */\n pollIntervalSeconds?: number;\n /** Override how long the agent should keep polling. Default 3600 seconds (1 hour). */\n timeoutSeconds?: number;\n /** Optional `order_ttl` note describing how long pending orders survive. */\n orderTtl?: string;\n /** Arbitrary additional fields merged into the instructions object. */\n extra?: Record<string, unknown>;\n} = {}): {\n action: 'poll_for_credential';\n user_action: string;\n steps: string[];\n poll_interval_seconds: number;\n poll_secret_header: 'X-Poll-Secret';\n retry_token_header: 'X-Operator-Token';\n timeout_seconds: number;\n order_ttl?: string;\n [key: string]: unknown;\n} {\n const baseSteps = [\n 'Present the verify_url directly to the user — it is a complete, ready-to-open URL with the session token already embedded (e.g. https://agentscore.sh/verify?session=sess_...). Do NOT modify or construct the URL yourself.',\n `Immediately begin polling poll_url every ${pollIntervalSeconds} seconds with header X-Poll-Secret set to poll_secret. The user will complete verification in their browser while you poll in the background.`,\n 'The user visits the URL, signs in, completes identity verification (photo ID + selfie via Stripe Identity), and closes the tab. They do NOT need to copy or paste anything back to you.',\n 'When your poll returns status \"verified\", extract operator_token from the response. This is a one-time value — save it immediately. Subsequent polls return status \"consumed\" without the token.',\n retryStep ?? 'Retry the original merchant request with header X-Operator-Token set to the operator_token value.',\n ];\n\n return {\n action: 'poll_for_credential',\n user_action:\n userAction ??\n 'The user must visit verify_url to complete identity verification before this request can proceed',\n steps: extraSteps ? [...baseSteps, ...extraSteps] : baseSteps,\n poll_interval_seconds: pollIntervalSeconds,\n poll_secret_header: 'X-Poll-Secret',\n retry_token_header: 'X-Operator-Token',\n timeout_seconds: timeoutSeconds,\n ...(orderTtl ? { order_ttl: orderTtl } : {}),\n ...(extra ?? {}),\n };\n}\n","/**\n * Shared DenialReason → response body serialization for all adapters.\n *\n * Keeps Hono / Express / Fastify / Web / Next.js defaults aligned — a field added\n * here shows up in every adapter's 403 body automatically, and there's one place\n * to test the marshaling.\n *\n * Body shape: `{ error: { code, message }, ... }` — matches the canonical AgentScore\n * error envelope so downstream agents see one consistent `error.code` +\n * `error.message` pair regardless of which layer produced the denial.\n */\n\nimport type { DenialCode, DenialReason } from './core.js';\n\n/**\n * JSON-encoded canonical agent_instructions per denial code. Auto-injected by\n * `denialReasonToBody` when the gate produces a DenialReason without explicit\n * `agent_instructions` so every denial carries a machine-readable next step.\n *\n * Codes covered:\n * - `wallet_not_trusted` — gate never stamps instructions, fallback ensures coverage\n * - `payment_required` — gate never stamps; merchant tier misconfig, contact-merchant action\n * - `identity_verification_required` — fallback when API didn't return next_steps\n * - `token_expired` — fallback when API didn't return next_steps\n * - `api_error` — `retry_with_backoff` envelope; sole retry channel (no separate\n * next_steps block emitted)\n *\n * Codes already stamped explicitly upstream in core.ts (`missing_identity`,\n * `invalid_credential`) and codes that don't go through DenialReason\n * (`wallet_signer_mismatch`, `wallet_auth_requires_wallet_signing` — handled by\n * `getSignerVerdict` + `buildSignerMismatchBody`) are not in this map.\n */\nconst WALLET_NOT_TRUSTED_INSTRUCTIONS = JSON.stringify({\n action: 'contact_support',\n steps: [\n 'The wallet\\'s operator failed an UNFIXABLE compliance check (sanctions, age, or jurisdiction). `reasons` lists which: `sanctions_flagged` / `age_insufficient` / `jurisdiction_restricted`. KYC re-verification won\\'t change the outcome — the policy denial is structural.',\n 'Surface the denial to the user with the merchant\\'s support contact. Do not retry the same merchant request; do not hand the user a verify_url (verification won\\'t fix this code path).',\n 'Fixable compliance reasons (`kyc_required`, `kyc_pending`, `kyc_failed`) do NOT land on this code — the gate auto-mints a verification session for those and returns `identity_verification_required` with poll endpoints, same shape as `missing_identity`. `jurisdiction_restricted` IS in the unfixable bucket because the API only emits it after KYC is verified (the user\\'s KYC\\'d country is in the blocked list — re-doing KYC won\\'t change the country).',\n ],\n user_message:\n 'This purchase is denied by the merchant\\'s compliance policy and cannot be resolved by re-verifying. Contact the merchant\\'s support if you believe this is in error.',\n});\n\nconst PAYMENT_REQUIRED_INSTRUCTIONS = JSON.stringify({\n action: 'contact_merchant',\n steps: [\n 'The merchant\\'s AgentScore account does not have the assess endpoint enabled, so agent identity cannot be evaluated. This is a merchant-side configuration gap — there is no agent-side recovery.',\n 'Contact the merchant (their support channel — typically listed in /llms.txt or the OpenAPI servers metadata) so they can resolve the configuration on their side.',\n ],\n user_message:\n 'This merchant\\'s identity gate is misconfigured. Contact the merchant — there\\'s nothing to fix on the agent side.',\n});\n\nconst IDENTITY_VERIFICATION_REQUIRED_FALLBACK_INSTRUCTIONS = JSON.stringify({\n action: 'deliver_verify_url_and_poll',\n steps: [\n 'Share verify_url with the user — they complete identity verification on AgentScore.',\n 'If session_id + poll_secret are present in the body, poll poll_url every 5 seconds with header `X-Poll-Secret: <poll_secret>` until status=verified. The poll returns a one-time operator_token.',\n 'Retry the original request with header `X-Operator-Token: <opc_...>`.',\n ],\n user_message:\n 'Identity verification is required. Visit verify_url, then poll poll_url for the operator token and retry.',\n});\n\nconst API_ERROR_INSTRUCTIONS = JSON.stringify({\n action: 'retry_with_backoff',\n steps: [\n 'Verification is temporarily unavailable. Retry the request after 5–30 seconds with exponential backoff.',\n 'This is NOT a compliance denial — the user does not need to re-verify their identity. Send the same identity headers (X-Wallet-Address or X-Operator-Token) on retry.',\n 'If the request continues to fail after 3+ retries (~60 seconds total), surface the error to the user with the merchant\\'s support contact.',\n ],\n user_message:\n 'Verification is temporarily unavailable. Please try again in a moment — this is a transient issue, not a problem with your account.',\n});\n\nexport const QUOTA_EXCEEDED_INSTRUCTIONS = JSON.stringify({\n action: 'contact_merchant',\n steps: [\n 'AgentScore identity verification is unavailable for this merchant. This is a merchant-side issue and is NOT recoverable via retry.',\n 'Do not retry: the same 503 will be returned until the merchant resolves the issue on their side.',\n 'Surface to the user with the merchant\\'s support contact. The merchant (not the agent) needs to act.',\n ],\n user_message:\n 'This merchant\\'s identity verification is temporarily unavailable. Try again later, or contact the merchant directly.',\n});\n\nconst TOKEN_EXPIRED_FALLBACK_INSTRUCTIONS = JSON.stringify({\n action: 'deliver_verify_url_and_poll',\n steps: [\n 'The operator token is expired or revoked. AgentScore auto-mints a fresh verification session — complete it to receive a new opc_...',\n 'Share verify_url with the user, then poll poll_url every 5 seconds with header `X-Poll-Secret: <poll_secret>` until status=verified. The poll returns a fresh one-time operator_token.',\n 'Retry the original request with header `X-Operator-Token: <new_opc_...>`.',\n ],\n user_message:\n 'Operator token is expired or revoked. A new verification session has been minted — visit verify_url to refresh.',\n});\n\nconst DEFAULT_AGENT_INSTRUCTIONS: Partial<Record<DenialCode, string>> = {\n api_error: API_ERROR_INSTRUCTIONS,\n wallet_not_trusted: WALLET_NOT_TRUSTED_INSTRUCTIONS,\n payment_required: PAYMENT_REQUIRED_INSTRUCTIONS,\n identity_verification_required: IDENTITY_VERIFICATION_REQUIRED_FALLBACK_INSTRUCTIONS,\n token_expired: TOKEN_EXPIRED_FALLBACK_INSTRUCTIONS,\n};\n\nconst DEFAULT_MESSAGES: Record<DenialCode, string> = {\n missing_identity:\n 'No identity provided. Send X-Wallet-Address (wallet) or X-Operator-Token (credential).',\n identity_verification_required:\n 'Identity verification is required to access this resource. Visit verify_url to complete KYC.',\n wallet_not_trusted:\n 'The wallet does not meet the merchant compliance policy.',\n api_error:\n 'AgentScore is unreachable. This is transient — retry in a few seconds.',\n payment_required:\n 'Assess endpoint not enabled for this merchant. Contact support.',\n wallet_signer_mismatch:\n 'Payment signer does not match the wallet claimed via X-Wallet-Address. The signer and the claimed wallet must both resolve to the same AgentScore operator.',\n wallet_auth_requires_wallet_signing:\n 'X-Wallet-Address was sent with a rail that has no wallet signature (Stripe SPT / card). Switch to X-Operator-Token, or use a wallet-signing rail (Tempo MPP, x402).',\n token_expired:\n 'The operator token is expired or revoked. A fresh verification session has been minted — visit verify_url to mint a new token.',\n invalid_credential:\n 'The operator token is not recognized. Switch to a different stored token, or drop the header to bootstrap a fresh session.',\n};\n\n// Field names the gate claims authority over. Merchant-provided `extra` (from the\n// onBeforeSession hook) MUST NOT override these — a buggy or malicious hook could\n// otherwise replace `verify_url` with a phishing URL or drop agent_instructions.\nconst RESERVED_FIELDS = new Set([\n 'error',\n 'decision',\n 'reasons',\n 'verify_url',\n 'session_id',\n 'poll_secret',\n 'poll_url',\n 'agent_instructions',\n 'agent_memory',\n 'claimed_operator',\n 'actual_signer_operator',\n 'expected_signer',\n 'actual_signer',\n 'linked_wallets',\n]);\n\n/**\n * Build the canonical 4xx body shape for `identity_verification_required`.\n *\n * Every merchant maps the gate's auto-minted session fields (verify_url,\n * session_id, poll_secret, poll_url, agent_instructions) into their own\n * envelope with a merchant-specific message + error code. This collapses that\n * mapping into one call:\n *\n * ```ts\n * if (reason.code === 'identity_verification_required') {\n * return {\n * status: 403,\n * body: buildVerificationRequiredBody(reason, {\n * message: 'Identity verification is required to call this endpoint.',\n * agentInstructions: VERIFICATION_AGENT_INSTRUCTIONS,\n * }),\n * };\n * }\n * ```\n *\n * Goods merchants that surface an `order_id` (or similar) from\n * `createSessionOnMissing.onBeforeSession` get it for free via\n * `denialReasonToBody(reason)`'s `reason.extra` passthrough — but can also\n * pass `opts.extra` for fallbacks (e.g. when invoked outside the auto-mint\n * path and order_id needs to come from the validated context).\n */\nexport function buildVerificationRequiredBody(\n reason: DenialReason,\n opts: {\n /** Override the `error.message`. Defaults to the canonical copy. */\n message?: string;\n /** Replace `agent_instructions` with merchant-specific copy. When omitted,\n * the gate-supplied or default instructions ride through. */\n agentInstructions?: string;\n /** Additional fields spread into the body (e.g. fallback `order_id`). */\n extra?: Record<string, unknown>;\n } = {},\n): Record<string, unknown> {\n const body = denialReasonToBody(reason);\n body.error = {\n code: 'operator_verification_required',\n message: opts.message ?? 'Identity verification is required.',\n };\n if (opts.agentInstructions !== undefined) {\n body.agent_instructions = opts.agentInstructions;\n }\n if (opts.extra) {\n for (const [k, v] of Object.entries(opts.extra)) body[k] = v;\n }\n return body;\n}\n\nexport function denialReasonToBody(reason: DenialReason): Record<string, unknown> {\n const message = reason.message ?? DEFAULT_MESSAGES[reason.code];\n const body: Record<string, unknown> = { error: { code: reason.code, message } };\n if (reason.decision) body.decision = reason.decision;\n if (reason.reasons) body.reasons = reason.reasons;\n if (reason.verify_url) body.verify_url = reason.verify_url;\n if (reason.session_id) body.session_id = reason.session_id;\n if (reason.poll_secret) body.poll_secret = reason.poll_secret;\n if (reason.poll_url) body.poll_url = reason.poll_url;\n const instructions = reason.agent_instructions ?? DEFAULT_AGENT_INSTRUCTIONS[reason.code];\n if (instructions) body.agent_instructions = instructions;\n if (reason.agent_memory) body.agent_memory = reason.agent_memory;\n if (reason.claimed_operator) body.claimed_operator = reason.claimed_operator;\n if (reason.code === 'wallet_signer_mismatch') body.actual_signer_operator = reason.actual_signer_operator ?? null;\n if (reason.expected_signer) body.expected_signer = reason.expected_signer;\n if (reason.actual_signer) body.actual_signer = reason.actual_signer;\n if (reason.linked_wallets && reason.linked_wallets.length > 0) body.linked_wallets = reason.linked_wallets;\n if (reason.extra) {\n for (const [key, value] of Object.entries(reason.extra)) {\n if (RESERVED_FIELDS.has(key)) {\n console.warn(`[gate] onBeforeSession returned reserved field \"${key}\" — ignoring to preserve gate authority`);\n continue;\n }\n body[key] = value;\n }\n }\n return body;\n}\n","import {\n AgentScore,\n InvalidCredentialError,\n PaymentRequiredError,\n QuotaExceededError,\n TimeoutError as SdkTimeoutError,\n TokenExpiredError,\n} from '@agent-score/sdk';\nimport { isFixableDenial } from './_denial';\nimport { QUOTA_EXCEEDED_INSTRUCTIONS } from './_response';\nimport { normalizeAddress } from './address';\nimport { TTLCache } from './cache';\nimport type { PaymentSigner } from './signer';\n\n// Character-based trim avoids a CodeQL polynomial-redos false positive on\n// `/\\/+$/` patterns that report library-input strings.\nfunction stripTrailingSlashes(s: string): string {\n let end = s.length;\n while (end > 0 && s.charCodeAt(end - 1) === 47 /* '/' */) end--;\n return end === s.length ? s : s.slice(0, end);\n}\n\ndeclare const __VERSION__: string;\n\n// ---------------------------------------------------------------------------\n// Public types (framework-agnostic)\n// ---------------------------------------------------------------------------\n\nexport interface AgentIdentity {\n address?: string;\n operatorToken?: string;\n}\n\n/**\n * Session metadata returned from `POST /v1/sessions`. Surfaced to the `onBeforeSession`\n * hook so merchants can correlate an AgentScore session with their own resume token\n * (e.g. a pending-order id).\n */\nexport interface SessionMetadata {\n session_id: string;\n verify_url: string;\n poll_secret: string;\n poll_url: string;\n expires_at?: string;\n}\n\n/**\n * Configuration for auto-creating a verification session when no identity is present.\n *\n * The static `context` / `productName` options are sent on every session request. For\n * per-request context (e.g. the specific product the agent was trying to buy), pass\n * a `getSessionOptions` callback that returns dynamic values; its return is merged\n * over the static defaults.\n *\n * `onBeforeSession` is a side-effect hook that runs after the session is minted but\n * before the 403 is built. Use it to pre-create a reservation/draft/pending-order\n * row in your DB so agents can resume via a merchant-specific id. Return value is\n * merged into `DenialReason.extra`, so it surfaces in both the default 403 body and\n * in a custom `onDenied` handler.\n */\nexport interface CreateSessionOnMissing<TCtx = unknown> {\n apiKey: string;\n baseUrl?: string;\n context?: string;\n productName?: string;\n /** Per-request override of `context` / `productName`. Invoked with the framework context. */\n getSessionOptions?: (ctx: TCtx) => Promise<{ context?: string; productName?: string }>\n | { context?: string; productName?: string };\n /** Side-effect hook that runs after the session is minted. Return value is merged\n * into `DenialReason.extra` so custom `onDenied` handlers can include merchant-specific\n * fields (e.g. `order_id`) in the 403 response. Hook errors are logged and swallowed —\n * a failing side effect should not block the 403 from reaching the agent. */\n onBeforeSession?: (ctx: TCtx, session: SessionMetadata) => Promise<Record<string, unknown>>\n | Record<string, unknown>;\n}\n\nexport interface AgentScoreCoreOptions {\n /** AgentScore API key. Required. */\n apiKey: string;\n /** Require KYC verification. */\n requireKyc?: boolean;\n /** Require operator to be clear of sanctions. */\n requireSanctionsClear?: boolean;\n /** Minimum operator age bracket (18 or 21). */\n minAge?: number;\n /** List of blocked jurisdictions (blocklist). */\n blockedJurisdictions?: string[];\n /** List of allowed jurisdictions (allowlist — only these pass). */\n allowedJurisdictions?: string[];\n /** If true, allow the request through when the API is unreachable. Defaults to false. */\n failOpen?: boolean;\n /** How long to cache results, in seconds. Defaults to 300. */\n cacheSeconds?: number;\n /** AgentScore API base URL. Defaults to \"https://api.agentscore.sh\". */\n baseUrl?: string;\n /** Optional chain to filter scoring to. */\n chain?: string;\n /** Prepended to the default User-Agent as `\"{userAgent} (@agent-score/commerce@{version})\"`. Use to attribute API calls to your app. */\n userAgent?: string;\n /** When set and no identity is found, create a verification session instead of denying immediately. */\n createSessionOnMissing?: CreateSessionOnMissing;\n}\n\nexport type DenialCode =\n | 'wallet_not_trusted'\n | 'missing_identity'\n | 'api_error'\n | 'payment_required'\n | 'identity_verification_required'\n // Wallet-signer binding: claimed X-Wallet-Address must resolve to the same operator as\n // the payment signer; wallet-auth is rejected on rails with no wallet signer.\n | 'wallet_signer_mismatch'\n | 'wallet_auth_requires_wallet_signing'\n // Granular credential-state denials passed through from /v1/assess.\n // - `token_expired`: revoked + TTL-expired (the API unifies these). The 401 body carries\n // an auto-minted session, forwarded into DenialReason for one-shot recovery.\n // - `invalid_credential`: the token doesn't exist at all (typo, never minted, fabricated).\n // No auto-session is minted by the API for this case — agents should switch to a\n // different stored token or drop the header to bootstrap a fresh session.\n | 'token_expired'\n | 'invalid_credential';\n\n/**\n * Cross-merchant pattern hint emitted on bootstrap denials and session-create responses.\n * LLM-hosted agents should persist this to long-term memory so future AgentScore encounters skip\n * the cold-start session flow. Contents are the pattern, not secrets.\n */\nexport interface AgentMemoryHint {\n save_for_future_agentscore_gates: true;\n pattern_summary: string;\n quickstart: string;\n identity_check_endpoint: string;\n list_wallets_endpoint?: string;\n identity_paths: { wallet: string; operator_token: string };\n bootstrap: string;\n do_not_persist_in_memory: string[];\n persist_in_credential_store: string[];\n}\n\nexport interface DenialReason {\n code: DenialCode;\n /** Human-readable explanation. When omitted, `denialReasonToBody` substitutes a per-code default. */\n message?: string;\n decision?: string;\n reasons?: string[];\n verify_url?: string;\n session_id?: string;\n poll_secret?: string;\n poll_url?: string;\n agent_instructions?: string;\n /** Cross-merchant memory hint. Emitted on bootstrap denials only by default. */\n agent_memory?: AgentMemoryHint;\n /** Full assess response when the denial came from `/v1/assess`. Lets consumers access fields\n * not promoted to first-class DenialReason properties (e.g., `policy_result`). Undefined for\n * denials that did not originate from an assess call (missing_identity, api_error,\n * payment_required, identity_verification_required). */\n data?: AssessResult;\n /** Extra fields returned from the `createSessionOnMissing.onBeforeSession` hook. Merged\n * into the default 403 body; custom `onDenied` handlers can spread these into their own\n * response shape (e.g. to include a merchant-minted `order_id`). */\n extra?: Record<string, unknown>;\n // ---------------------------------------------------------------------------\n // Wallet-signer-match fields — populated for wallet_signer_mismatch only.\n // ---------------------------------------------------------------------------\n /** Operator id resolved from `X-Wallet-Address`. */\n claimed_operator?: string;\n /** Operator id the actual payment signer resolves to. `null` when the signer wallet isn't\n * linked to any operator (treat as a different identity). */\n actual_signer_operator?: string | null;\n /** The wallet the agent claimed via header. Echoed back for self-correction. */\n expected_signer?: string;\n /** The wallet that actually signed the payment. */\n actual_signer?: string;\n /** Wallets the claimed operator could sign with (if enumerable). Present when non-empty. */\n linked_wallets?: string[];\n}\n\n/** Operator verification details from the assess response. Mirrors python's\n * `OperatorVerification` dataclass. */\nexport interface OperatorVerification {\n level: string;\n operator_type: string | null;\n verified_at: string | null;\n}\n\n/** Account-level KYC facts that apply to every operator under the same account.\n * Populated when the API returns account_verification (post-KYC operator).\n * Mirrors python's account_verification dict shape. */\nexport interface AccountVerification {\n kyc_level?: string;\n sanctions_clear?: boolean;\n age_bracket?: string;\n jurisdiction?: string;\n verified_at?: string | null;\n}\n\n/** A single policy check from the assess response. Mirrors python's `PolicyCheck`. */\nexport interface PolicyCheck {\n rule: string;\n passed: boolean;\n required?: unknown;\n actual?: unknown;\n}\n\n/** Policy evaluation result from the assess response. Mirrors python's `PolicyResult`. */\nexport interface PolicyResult {\n all_passed: boolean;\n checks: PolicyCheck[];\n}\n\nexport interface AssessResult {\n decision: string | null;\n decision_reasons: string[];\n identity_method?: string;\n operator_verification?: OperatorVerification;\n account_verification?: AccountVerification;\n resolved_operator?: string | null;\n /** Wallets linked to the same operator as the resolved identity. Capped at 100 entries\n * by the API. Useful for advertising in 402 challenges so wallet-auth agents know which\n * alt-signers will satisfy `wallet_signer_mismatch`. */\n linked_wallets?: string[];\n verify_url?: string;\n policy_result?: PolicyResult | null;\n}\n\n/**\n * Reason a failOpen allow short-circuited an evaluate call due to AgentScore-side\n * infrastructure issues. Surfaced on `EvaluateOutcome` so merchants can log/alert when\n * their gate is running in degraded mode (compliance not actually enforced this request).\n *\n * - `quota_exceeded` — AgentScore returned 429\n * - `api_error` — AgentScore returned 5xx or non-2xx that isn't 429\n * - `network_timeout` — request to /v1/assess timed out or failed at the network layer\n */\nexport type FailOpenInfraReason = 'quota_exceeded' | 'api_error' | 'network_timeout';\n\n/** Per-account assess quota observability, captured from `X-Quota-*` response headers\n * on the success path. Mirrors the SDK's `QuotaInfo` shape — re-exported from gate state\n * so merchants can monitor approach-to-cap proactively (warn at 80%, alert at 95%). */\nexport interface GateQuotaInfo {\n limit: number | null;\n used: number | null;\n /** ISO-8601 timestamp, or the literal string `\"never\"` for unlimited tiers. */\n reset: string | null;\n}\n\n/**\n * Outcome from `AgentScoreCore.evaluate()`. Adapters map this to framework-specific responses.\n *\n * - `{ kind: 'allow', data }` — the request passed the policy. `data` is present on a normal\n * allow; `undefined` when fail-open short-circuited (identity missing, API unreachable,\n * timeout, or 402 paid-tier required).\n * - When `failOpen: true` and the allow was the result of an AgentScore-side infrastructure\n * failure (429/5xx/timeout), the result also carries `degraded: true` + `infraReason` so\n * merchants can alert/log without parsing console output.\n * - `quota` propagates the SDK's per-request quota observability when the API emits the\n * `X-Quota-*` headers. Optional; absent on Enterprise / unlimited tiers.\n * - `{ kind: 'deny', reason }` — the request was denied. Adapters should render a 403 with the\n * reason, or invoke the caller's custom denial handler.\n */\nexport type EvaluateOutcome =\n | { kind: 'allow'; data?: AssessResult; degraded?: boolean; infraReason?: FailOpenInfraReason; quota?: GateQuotaInfo }\n | { kind: 'deny'; reason: DenialReason };\n\ninterface CaptureWalletOptions {\n /** Operator credential (`opc_...`) that the agent authenticated with. */\n operatorToken: string;\n /** Signer wallet recovered from the payment payload. */\n walletAddress: string;\n /** Key-derivation family — `\"evm\"` for any EVM chain, `\"solana\"` for Solana. */\n network: 'evm' | 'solana';\n /** Optional stable key for the logical payment (e.g., payment intent id, tx hash). When the\n * same key is seen again for the same (credential, wallet, network), the server no-ops —\n * prevents agent retries from inflating transaction_count. */\n idempotencyKey?: string;\n}\n\n/** Combined wallet-signer verdict surfaced by `getSignerVerdict(c)` — both verdicts come\n * through the gate's primary `/v1/assess` call (single round trip). `signer_match` describes\n * the wallet-binding (claimed wallet's operator ≡ signer wallet's operator); `signer_sanctions`\n * describes the OFAC SDN wallet-address check.\n *\n * `signer_match` is projected to the gate's camelCase `VerifyWalletSignerResult` shape so\n * existing `buildSignerMismatchBody(...)` helpers consume it unchanged. `signer_sanctions`\n * passes through in the API's wire shape (already short and stable). Returned `undefined`\n * from `getSignerVerdict` when the gate didn't run with a signer (operator-token-only\n * paths, discovery legs with no payment header). */\nexport interface SignerVerdict {\n signer_match: VerifyWalletSignerResult | null;\n signer_sanctions:\n | { status: 'clear' }\n | { sanctioned: true; ofac_label: string; sdn_uid: string; listed_at: string | null }\n | { status: 'unavailable' }\n | null;\n}\n\nexport type VerifyWalletSignerResult =\n | { kind: 'pass'; claimedOperator: string | null; signerOperator: string | null }\n | {\n kind: 'wallet_signer_mismatch';\n claimedOperator: string | null;\n actualSignerOperator: string | null;\n expectedSigner: string;\n actualSigner: string;\n linkedWallets: string[];\n /** JSON-encoded action copy (action + steps + user_message). Spread into the 403 body\n * verbatim so agents get a concrete recovery path inside the denial response itself. */\n agentInstructions: string;\n }\n | {\n kind: 'wallet_auth_requires_wallet_signing';\n claimedWallet: string;\n agentInstructions: string;\n };\n\nexport interface AgentScoreCore {\n /**\n * Evaluate the request's identity against the configured policy.\n * @param identity - extracted identity (wallet address and/or operator token)\n * @param ctx - optional framework-specific context (Hono c, Express req, etc.) passed\n * through to `createSessionOnMissing` hooks. Opaque to core.\n */\n evaluate(\n identity: AgentIdentity | undefined,\n ctx?: unknown,\n /** Pre-extracted payment signer from the inbound request (the adapter middleware\n * extracts it via `extractPaymentSigner`). When provided, the assess call carries\n * it and the response includes `signer_match` + `signer_sanctions` verdicts in one\n * round trip. */\n signer?: PaymentSigner | null,\n ): Promise<EvaluateOutcome>;\n /** Synchronous read of the cached signer verdicts (signer_match + signer_sanctions)\n * populated when the gate's evaluate call was made with a pre-extracted signer. Returns\n * `undefined` when the gate didn't run, the request was operator-token-authenticated,\n * or no signer was extractable (discovery legs). */\n getSignerVerdict(claimedAddress: string): SignerVerdict | undefined;\n /** Report a wallet seen paying under an operator credential. Fire-and-forget; silently\n * swallows non-fatal errors because capture is informational, not on the critical path. */\n captureWallet(options: CaptureWalletOptions): Promise<void>;\n}\n\n// ---------------------------------------------------------------------------\n// Internal types\n// ---------------------------------------------------------------------------\n\n/** Internal cache entry for the gate's per-`(identity, policy)` assess result memo.\n * Distinct from the public `AssessResult` interface (the typed `/v1/assess` response\n * shape returned to merchants); this carries the cached decision plus the per-signer\n * wallet-match sub-cache. */\ninterface CachedAssessResult {\n allow: boolean;\n decision?: string;\n reasons?: string[];\n raw?: unknown;\n}\n\n/**\n * Build the cross-merchant memory hint emitted on bootstrap denials. Base URLs are\n * derived from the gate's AgentScore API base so self-hosted / staging deployments get\n * correct pointers. Contents describe the AgentScore identity substrate in transferable\n * terms; merchant-specific context lives in other `agent_instructions` fields.\n */\n// Canonical production AgentScore API — used as the authoritative source for endpoint pointers\n// emitted to agent memory regardless of how a given merchant configured their gate's baseUrl.\nconst CANONICAL_AGENTSCORE_API = 'https://api.agentscore.sh';\n\n// JSON-encoded action copy emitted on wallet-signer-match denials. Spread into 403 bodies\n// by merchants so agents get a concrete recovery path inside the denial response itself —\n// no discovery-doc round trip required.\nconst WALLET_SIGNER_MISMATCH_INSTRUCTIONS = JSON.stringify({\n action: 'resign_or_switch_to_operator_token',\n steps: [\n 'Preferred: re-submit the payment signed by expected_signer (or any entry in linked_wallets — same-operator wallets are fungible) and retry with the same X-Wallet-Address.',\n 'Alternative: drop X-Wallet-Address and retry with X-Operator-Token. Use a stored opc_... if you have one; otherwise retry this request with NO identity header — the merchant will mint a verification session in the 403 body (verify_url + poll_secret). Share verify_url with the user, poll, receive a fresh opc_...',\n ],\n user_message:\n 'The payment signer resolves to a different operator than X-Wallet-Address. Re-sign from expected_signer or any linked_wallets entry, or switch to X-Operator-Token.',\n});\n\nconst WALLET_AUTH_REQUIRES_WALLET_SIGNING_INSTRUCTIONS = JSON.stringify({\n action: 'switch_to_operator_token',\n steps: [\n 'This payment rail (Stripe SPT, card) carries no wallet signature — X-Wallet-Address cannot be verified against the payment.',\n 'Drop X-Wallet-Address and retry with X-Operator-Token. If you do not have a stored opc_..., retry with no identity header to receive a verification session.',\n ],\n user_message:\n 'Wallet-address identity is only supported on wallet-signing rails (Tempo MPP, x402). On Stripe or card, use X-Operator-Token instead.',\n});\n\n// `invalid_credential` is permanent — the token doesn't exist (typo, never minted, fabricated).\n// Distinct from `token_expired` (which carries an auto-session for one-shot recovery): the\n// API doesn't auto-mint a session here because the client may simply have a different valid\n// token to try. Agents should switch tokens or drop the header to bootstrap a session.\nconst INVALID_CREDENTIAL_INSTRUCTIONS = JSON.stringify({\n action: 'switch_token_or_restart_session',\n steps: [\n 'The X-Operator-Token you sent does not match any credential. This is a permanent state — retrying with the same token will keep failing.',\n 'If you have other stored opc_... credentials, retry with one of them.',\n 'Otherwise drop X-Operator-Token and retry with no identity header — the merchant will mint a fresh verification session in the 403 body (verify_url + poll_secret) so the user can re-verify and you can poll for a new operator_token.',\n ],\n user_message:\n 'The operator_token is not recognized. Use a different stored token, or restart the verification session flow to mint a new one.',\n});\n\nexport function buildAgentMemoryHint(): AgentMemoryHint {\n // Memory pointers always point at the canonical production API — merchants must not be\n // able to redirect the cross-merchant memory surface, since that would be a phishing\n // vector for the verify URL.\n const api = CANONICAL_AGENTSCORE_API;\n return {\n save_for_future_agentscore_gates: true,\n pattern_summary:\n 'AgentScore is a cross-merchant identity substrate for agent commerce. Any endpoint that ' +\n 'returns 403 missing_identity / identity_verification_required or 402 challenges referencing AgentScore uses ' +\n 'the same identity system. One KYC works across all AgentScore merchants — no re-verification ' +\n 'per site. Save this pattern (and the endpoints below) to persistent memory so future ' +\n 'AgentScore encounters skip the cold-start session flow.',\n quickstart: 'https://docs.agentscore.sh/guides/agent-identity',\n identity_check_endpoint: `${api}/v1/credentials`,\n identity_paths: {\n wallet:\n 'If paying from a crypto wallet you have used before on any AgentScore merchant, send ' +\n '`X-Wallet-Address: 0x...`. Shortest path; no token lifecycle to manage.',\n operator_token:\n 'For any rail (Stripe SPT, card, or a wallet you have not linked yet), send ' +\n '`X-Operator-Token: opc_...`. Reusable across merchants until the token expires.',\n },\n bootstrap:\n 'If you have neither a linked wallet nor a valid operator_token, follow the session/verify ' +\n 'flow in the per-request `agent_instructions` block. This happens at most once per agent ' +\n 'identity — after first verification, the operator_token and any subsequently used wallet ' +\n 'are reusable everywhere.',\n do_not_persist_in_memory: ['operator_token', 'poll_secret'],\n persist_in_credential_store: ['operator_token'],\n };\n}\n\n// ---------------------------------------------------------------------------\n// Core factory\n// ---------------------------------------------------------------------------\n\nexport function createAgentScoreCore(options: AgentScoreCoreOptions): AgentScoreCore {\n if (!options.apiKey) {\n throw new Error('AgentScore API key is required. Get one at https://agentscore.sh/sign-up');\n }\n\n const {\n apiKey,\n requireKyc,\n requireSanctionsClear,\n minAge,\n blockedJurisdictions,\n allowedJurisdictions,\n failOpen = false,\n cacheSeconds = 300,\n baseUrl: rawBaseUrl = 'https://api.agentscore.sh',\n chain: gateChain,\n userAgent,\n createSessionOnMissing,\n } = options;\n\n const baseUrl = stripTrailingSlashes(rawBaseUrl);\n const agentMemoryHint = buildAgentMemoryHint();\n\n const defaultUa = `@agent-score/commerce@${__VERSION__}`;\n const userAgentHeader = userAgent ? `${userAgent} (${defaultUa})` : defaultUa;\n\n // Single shared SDK instance for every API call this gate makes (assess, sessions,\n // credentials/wallets, telemetry). Connection pooling + typed-error classification +\n // X-Quota-* header capture all flow through here. The SDK owns the transport layer\n // (timeouts, retry-on-429); the gate adds policy semantics on top. Pass the\n // merchant-prefixed UA — SDK appends its own default to produce a chain like\n // `<merchant-app> (@agent-score/commerce@<v>) (@agent-score/sdk@<v>)`.\n const sdk = new AgentScore({ apiKey, baseUrl, userAgent: userAgentHeader });\n\n // createSessionOnMissing can carry its own apiKey + baseUrl (merchants sometimes wire\n // a session-only key for this hook). Lazily build a separate SDK instance keyed on\n // (apiKey, baseUrl) so we don't construct a new client per request.\n const sessionSdkCache = new Map<string, AgentScore>();\n function getSessionSdk(sessionApiKey: string, sessionBaseUrl?: string): AgentScore {\n const key = `${sessionApiKey}|${sessionBaseUrl ?? ''}`;\n let s = sessionSdkCache.get(key);\n if (!s) {\n s = new AgentScore({\n apiKey: sessionApiKey,\n baseUrl: sessionBaseUrl ?? baseUrl,\n userAgent: userAgentHeader,\n });\n sessionSdkCache.set(key, s);\n }\n return s;\n }\n\n const cache = new TTLCache<CachedAssessResult>(cacheSeconds * 1000);\n\n // Mint a verification session via /v1/sessions and return the resulting\n // identity_verification_required DenialReason — or undefined if the mint failed (network\n // error, non-2xx, missing fields). Used for both the missing-identity path and the\n // fixable-wallet bootstrap path: in both cases the UX is identical (agent polls the\n // returned poll_url until it gets a fresh opc_... and retries).\n async function tryMintSessionDenial(ctx: unknown): Promise<DenialReason | undefined> {\n if (!createSessionOnMissing) return undefined;\n try {\n const sessionBody: { context?: string; product_name?: string } = {};\n if (createSessionOnMissing.context != null) sessionBody.context = createSessionOnMissing.context;\n if (createSessionOnMissing.productName != null) sessionBody.product_name = createSessionOnMissing.productName;\n\n if (createSessionOnMissing.getSessionOptions && ctx !== undefined) {\n try {\n const dynamic = await createSessionOnMissing.getSessionOptions(ctx);\n if (dynamic?.context != null) sessionBody.context = dynamic.context;\n if (dynamic?.productName != null) sessionBody.product_name = dynamic.productName;\n } catch (err) {\n console.warn('[gate] createSessionOnMissing.getSessionOptions hook failed:', err instanceof Error ? err.message : err);\n }\n }\n\n // createSessionOnMissing.apiKey may differ from the gate's apiKey (e.g. merchant\n // wires a session-only key for this hook). Build a per-config SDK lazily.\n const sessionSdk = getSessionSdk(createSessionOnMissing.apiKey, createSessionOnMissing.baseUrl);\n const data = (await sessionSdk.createSession({\n ...(sessionBody.context !== undefined ? { context: sessionBody.context } : {}),\n ...(sessionBody.product_name !== undefined ? { product_name: sessionBody.product_name } : {}),\n })) as unknown as Record<string, unknown>;\n\n // Validate required fields before trusting the response. A misbehaving (or mocked-wrong)\n // API could 200 without session_id/poll_secret/verify_url, which would propagate\n // `undefined` into the 403 body and leave the agent stuck — treat as session-create\n // failure and fall back to the caller's bare denial.\n if (\n typeof data.session_id !== 'string' ||\n typeof data.poll_secret !== 'string' ||\n typeof data.verify_url !== 'string'\n ) {\n console.warn('[gate] /v1/sessions returned 200 without required fields — falling back to bare denial');\n return undefined;\n }\n\n // Run onBeforeSession side-effect hook. Errors are swallowed — a failing DB write\n // (e.g. can't insert pending order) should not block the 403.\n let extra: Record<string, unknown> | undefined;\n if (createSessionOnMissing.onBeforeSession && ctx !== undefined) {\n try {\n const sessionMeta = {\n session_id: data.session_id as string,\n verify_url: data.verify_url as string,\n poll_secret: data.poll_secret as string,\n poll_url: data.poll_url as string,\n expires_at: data.expires_at as string | undefined,\n };\n const result = await createSessionOnMissing.onBeforeSession(ctx, sessionMeta);\n if (result && typeof result === 'object') extra = result;\n } catch (err) {\n console.warn('[gate] createSessionOnMissing.onBeforeSession hook failed:', err instanceof Error ? err.message : err);\n }\n }\n\n // The API emits `next_steps` (structured object) on /v1/sessions success. Stringify it\n // into the gate's `agent_instructions` contract so merchants get the same JSON-encoded\n // {action, steps, user_message} envelope as every other gate-emitted denial.\n const apiNextSteps = data.next_steps as Record<string, unknown> | undefined;\n return {\n code: 'identity_verification_required',\n verify_url: data.verify_url as string,\n session_id: data.session_id as string,\n poll_secret: data.poll_secret as string,\n poll_url: data.poll_url as string | undefined,\n agent_instructions: apiNextSteps ? JSON.stringify(apiNextSteps) : undefined,\n agent_memory: agentMemoryHint,\n ...(extra && { extra }),\n };\n } catch (err) {\n // Session-mint failed (network, /v1/sessions returned non-2xx, body parse error,\n // onBeforeSession threw inside the inner try). Caller falls back to a bare denial —\n // agents still get a 403 with a probe-strategy hint. Log loudly so a persistent\n // /v1/sessions outage isn't masked.\n console.warn('[gate] createSessionOnMissing path failed — falling back to bare denial:', err instanceof Error ? err.message : err);\n return undefined;\n }\n }\n\n async function evaluate(\n identity: AgentIdentity | undefined,\n ctx?: unknown,\n signer?: PaymentSigner | null,\n ): Promise<EvaluateOutcome> {\n // Treat \"returned identity object with no usable fields\" the same as \"no identity at all\" —\n // otherwise a misbehaving custom extractIdentity would send an empty body to /v1/assess.\n if (!identity || (!identity.address && !identity.operatorToken)) {\n // failOpen short-circuits BEFORE the session mint. This branch isn't an infra failure\n // (no AgentScore call has been made yet) so we don't mark the gate state as degraded —\n // missing identity + failOpen is the explicit opt-in pass-through behavior, not a\n // graceful-degradation event. Merchants who need identity-or-deny on a failOpen gate\n // should add a guard at the handler that checks for X-Wallet-Address / X-Operator-Token\n // before reading the gate state.\n if (failOpen) return { kind: 'allow' };\n\n const sessionReason = await tryMintSessionDenial(ctx);\n if (sessionReason) return { kind: 'deny', reason: sessionReason };\n\n // Bare missing-identity denial (no session was auto-created). Describe the probe\n // strategy so agents without memory can recover: try wallet first on signing rails,\n // fall back to stored opc_..., fall back to session flow (noting that only\n // auto-session merchants return verify_url + poll data on the retry).\n const missingIdentityInstructions = JSON.stringify({\n action: 'probe_identity_then_session',\n steps: [\n 'If you have a wallet AND this merchant accepts a wallet-signing rail (Tempo MPP or x402 — see openapi.json x-payment-info): send X-Wallet-Address and retry. If the wallet is already linked to an AgentScore operator (via prior SIWE claim or prior captureWallet), this passes in one round trip. If the wallet is unlinked or the account has no KYC, the 403 will include a verify_url — share it with the user to claim the wallet + complete KYC, then retry.',\n 'If step 1 is denied or you already have a stored operator_token (valid + not expired): send X-Operator-Token: opc_... and retry.',\n 'If neither applies: retry with NO identity header. Merchants that auto-create verification sessions (most AgentScore merchants do) return verify_url + session_id + poll_secret in the 403 body — share verify_url with the user, then poll poll_url every 5s with the X-Poll-Secret header until status=verified (the poll returns a one-time operator_token). If the retry returns the same bare 403, this merchant does not support self-service session bootstrapping — direct the user to https://agentscore.sh/sign-up to create an AgentScore identity and mint an operator_token from their dashboard (https://agentscore.sh/dashboard/verify). The user hands the opc_... to you, and you retry with X-Operator-Token.',\n ],\n user_message:\n 'Try X-Wallet-Address first if you have a wallet and the merchant accepts Tempo/x402; fall back to a stored X-Operator-Token, then to the session/verify flow described in agent_memory.bootstrap.',\n });\n return {\n kind: 'deny',\n reason: {\n code: 'missing_identity',\n agent_instructions: missingIdentityInstructions,\n agent_memory: agentMemoryHint,\n },\n };\n }\n\n // operator_token is opaque + ASCII-only — lowercasing is safe. Wallet addresses go\n // through normalizeAddress because Solana base58 is case-sensitive and lowercasing\n // would corrupt the cache key (a Solana cache miss every time, plus collision risk\n // with mixed-case variants of the same operator).\n const cacheKey = identity.operatorToken?.toLowerCase() ?? (identity.address ? normalizeAddress(identity.address) : '');\n\n const cached = cache.get(cacheKey);\n if (cached) {\n if (cached.allow) {\n const cachedRaw = cached.raw as Record<string, unknown> | undefined;\n const cachedQuota = cachedRaw?.quota as GateQuotaInfo | undefined;\n return {\n kind: 'allow',\n data: cachedRaw as unknown as AssessResult,\n ...(cachedQuota !== undefined && { quota: cachedQuota }),\n };\n }\n // Fixable compliance denials (kyc_required, kyc_pending, kyc_failed) get the\n // same UX as missing_identity: mint a fresh verification session, agent polls\n // until status=verified, gets a fresh opc_..., retries. Unfixable reasons\n // (sanctions_flagged, age_insufficient, jurisdiction_restricted) keep the bare\n // wallet_not_trusted denial. `jurisdiction_restricted` is unfixable: the API\n // only emits it after KYC is verified (the user's KYC'd country is in the\n // blocked list — re-doing KYC won't change the country).\n if (isFixableDenial(cached.reasons)) {\n const sessionReason = await tryMintSessionDenial(ctx);\n if (sessionReason) return { kind: 'deny', reason: sessionReason };\n }\n return {\n kind: 'deny',\n reason: {\n code: 'wallet_not_trusted',\n decision: cached.decision,\n reasons: cached.reasons,\n verify_url: (cached.raw as Record<string, unknown> | undefined)?.verify_url as string | undefined,\n data: cached.raw as AssessResult | undefined,\n },\n };\n }\n\n const policy: Record<string, unknown> = {};\n if (requireKyc != null) policy.require_kyc = requireKyc;\n if (requireSanctionsClear != null) policy.require_sanctions_clear = requireSanctionsClear;\n if (minAge != null) policy.min_age = minAge;\n if (blockedJurisdictions != null) policy.blocked_jurisdictions = blockedJurisdictions;\n if (allowedJurisdictions != null) policy.allowed_jurisdictions = allowedJurisdictions;\n\n let data: Record<string, unknown>;\n try {\n // Single SDK call: typed-error subclasses (PaymentRequiredError / TokenExpiredError /\n // InvalidCredentialError / QuotaExceededError / TimeoutError) flow through the\n // catch below; success path captures `quota` from X-Quota-* headers automatically.\n const opts = {\n chain: gateChain,\n ...(Object.keys(policy).length > 0 ? { policy: policy as never } : {}),\n // Pre-extracted payment signer (by the adapter middleware). When present, the API\n // composes BOTH signer_match (wallet-binding) and signer_sanctions (OFAC SDN wallet\n // check) verdicts on the response in one round trip. Under\n // policy.require_sanctions_clear, a signer_sanctions hit flips decision -> deny inline.\n ...(signer && { signer: { address: signer.address, network: signer.network } }),\n };\n // SDK has two overloads — narrow by which identity is set so TS picks the right one.\n const result = identity.address\n ? await sdk.assess(identity.address, { ...opts, operatorToken: identity.operatorToken })\n : await sdk.assess(null, { ...opts, operatorToken: identity.operatorToken! });\n data = result as unknown as Record<string, unknown>;\n } catch (err) {\n if (err instanceof PaymentRequiredError) {\n if (failOpen) return { kind: 'allow' };\n return { kind: 'deny', reason: { code: 'payment_required' } };\n }\n if (err instanceof TokenExpiredError) {\n // SDK extracts the auto-minted session fields onto the error instance — no body\n // re-parsing needed here.\n return {\n kind: 'deny',\n reason: {\n code: 'token_expired',\n data: err.details as unknown as AssessResult,\n ...(err.verifyUrl ? { verify_url: err.verifyUrl } : {}),\n ...(err.sessionId ? { session_id: err.sessionId } : {}),\n ...(err.pollSecret ? { poll_secret: err.pollSecret } : {}),\n ...(err.pollUrl ? { poll_url: err.pollUrl } : {}),\n ...(err.nextSteps ? { agent_instructions: JSON.stringify(err.nextSteps) } : {}),\n ...(err.agentMemory ? { agent_memory: err.agentMemory as AgentMemoryHint } : {}),\n },\n };\n }\n if (err instanceof InvalidCredentialError) {\n // Permanent — no auto-session, agent should switch tokens or restart.\n return {\n kind: 'deny',\n reason: {\n code: 'invalid_credential',\n agent_instructions: INVALID_CREDENTIAL_INSTRUCTIONS,\n agent_memory: agentMemoryHint,\n },\n };\n }\n if (err instanceof QuotaExceededError) {\n console.warn('[gate] /v1/assess returned 429 quota_exceeded');\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'quota_exceeded' };\n return {\n kind: 'deny',\n reason: { code: 'api_error', agent_instructions: QUOTA_EXCEEDED_INSTRUCTIONS },\n };\n }\n if (err instanceof SdkTimeoutError) {\n console.warn('[gate] /v1/assess timed out:', err.message);\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'network_timeout' };\n return { kind: 'deny', reason: { code: 'api_error' } };\n }\n // Status-based fallbacks for AgentScoreError instances the SDK couldn't classify\n // into a typed subclass (e.g. 429 with body that lacked error.code, or a fetch\n // rejection whose .name doesn't match AbortError but whose status code is set).\n // The real API always emits error.code on 429, so this is purely defensive.\n const status = (err as { status?: number } | null)?.status;\n const errName = err instanceof Error ? err.name : '';\n if (status === 429) {\n console.warn('[gate] /v1/assess returned 429 (untyped — defensive)');\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'quota_exceeded' };\n return {\n kind: 'deny',\n reason: { code: 'api_error', agent_instructions: QUOTA_EXCEEDED_INSTRUCTIONS },\n };\n }\n if (errName === 'TimeoutError' || errName === 'AbortError') {\n console.warn('[gate] /v1/assess timed out (by Error.name):', err instanceof Error ? err.message : err);\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'network_timeout' };\n return { kind: 'deny', reason: { code: 'api_error' } };\n }\n // Generic AgentScoreError (rate_limited, 5xx, network_error, body parse, unknown 4xx)\n // or any non-AgentScoreError unexpected throw — surface as api_error.\n // Include the SDK-classified error code (when available) so ops/dev see\n // schema-drift cases like a new 401 error.code rather than a silent 503.\n const errCode = (err as { code?: string } | null)?.code;\n const msg = err instanceof Error ? err.message : String(err);\n const detail = errCode ? `${errCode}: ${msg}` : msg;\n console.warn(`[gate] /v1/assess call failed — surfacing as api_error: ${detail}`);\n if (failOpen) return { kind: 'allow', degraded: true, infraReason: 'api_error' };\n return { kind: 'deny', reason: { code: 'api_error' } };\n }\n\n const decision = data.decision as string | null | undefined;\n const decisionReasons = (data.decision_reasons as string[]) ?? [];\n const allow = decision === 'allow' || decision == null;\n\n cache.set(cacheKey, { allow, decision: decision ?? undefined, reasons: decisionReasons, raw: data });\n\n if (allow) {\n // SDK populates `quota` on the assess response from X-Quota-* headers when the\n // API emits them. Surface up to the adapter so merchants can monitor approach-to-cap.\n const quota = data.quota as GateQuotaInfo | undefined;\n return {\n kind: 'allow',\n data: data as unknown as AssessResult,\n ...(quota !== undefined && { quota }),\n };\n }\n\n // Fixable compliance denials (kyc_required, kyc_pending, kyc_failed) get the\n // same UX as missing_identity: mint a fresh verification session, agent polls\n // until status=verified, gets a fresh opc_..., retries. Unfixable reasons\n // (sanctions_flagged, age_insufficient, jurisdiction_restricted) keep the bare\n // wallet_not_trusted denial. `jurisdiction_restricted` is unfixable: the API\n // only emits it after KYC is verified (the user's KYC'd country is in the\n // blocked list — re-doing KYC won't change the country).\n if (isFixableDenial(decisionReasons)) {\n const sessionReason = await tryMintSessionDenial(ctx);\n if (sessionReason) return { kind: 'deny', reason: sessionReason };\n }\n\n return {\n kind: 'deny',\n reason: {\n code: 'wallet_not_trusted',\n decision: decision ?? undefined,\n reasons: decisionReasons,\n verify_url: data.verify_url as string | undefined,\n data: data as unknown as AssessResult,\n },\n };\n }\n\n async function captureWallet(options: CaptureWalletOptions): Promise<void> {\n try {\n await sdk.associateWallet({\n operatorToken: options.operatorToken,\n walletAddress: options.walletAddress,\n network: options.network,\n ...(options.idempotencyKey ? { idempotencyKey: options.idempotencyKey } : {}),\n });\n } catch (err) {\n // Fire-and-forget: don't throw. Log so a persistent capture outage is visible\n // to merchant ops — otherwise wallet↔operator linkage silently stops.\n console.warn('[agentscore-commerce] captureWallet failed:', err instanceof Error ? err.message : err);\n }\n }\n\n // Project the API's signer_match block onto the gate's VerifyWalletSignerResult shape.\n // The API authors agent_instructions, claimed/signer operators, and the linked-wallet\n // set (deny-guarded server-side); the gate just shapes those fields into camelCase.\n function projectSignerMatch(\n sm: Record<string, unknown>,\n claimedNorm: string,\n signerNorm: string,\n ): VerifyWalletSignerResult {\n const kind = sm.kind as string;\n if (kind === 'pass') {\n return {\n kind: 'pass',\n claimedOperator: (sm.claimed_operator as string | null | undefined) ?? null,\n signerOperator: (sm.signer_operator as string | null | undefined) ?? null,\n };\n }\n if (kind === 'wallet_auth_requires_wallet_signing') {\n return {\n kind: 'wallet_auth_requires_wallet_signing',\n claimedWallet: (sm.claimed_wallet as string | undefined) ?? claimedNorm,\n agentInstructions:\n (sm.agent_instructions as string | undefined) ?? WALLET_AUTH_REQUIRES_WALLET_SIGNING_INSTRUCTIONS,\n };\n }\n // Default: wallet_signer_mismatch\n const linked = sm.linked_wallets;\n return {\n kind: 'wallet_signer_mismatch',\n claimedOperator: (sm.claimed_operator as string | null | undefined) ?? null,\n actualSignerOperator: (sm.signer_operator as string | null | undefined) ?? null,\n expectedSigner: (sm.expected_signer as string | undefined) ?? claimedNorm,\n actualSigner: (sm.actual_signer as string | undefined) ?? signerNorm,\n linkedWallets: Array.isArray(linked)\n ? (linked as unknown[]).filter((w): w is string => typeof w === 'string')\n : [],\n agentInstructions:\n (sm.agent_instructions as string | undefined) ?? WALLET_SIGNER_MISMATCH_INSTRUCTIONS,\n };\n }\n\n /**\n * Synchronous read of the cached signer verdicts. Adapter middleware extracts the\n * signer pre-evaluate and the gate's primary /v1/assess call composes both verdicts\n * (signer_match + signer_sanctions) in one round trip — this getter just reads the\n * cached response. Returns `undefined` for operator-token-only paths, discovery legs\n * with no payment credential, or when the gate didn't run.\n */\n function getSignerVerdict(claimedAddress: string): SignerVerdict | undefined {\n const claimedNorm = normalizeAddress(claimedAddress);\n const cached = cache.get(claimedNorm);\n if (!cached) return undefined;\n const raw = cached.raw as Record<string, unknown> | undefined;\n if (!raw) return undefined;\n const rawMatch = raw.signer_match as Record<string, unknown> | undefined;\n const rawSanctions = raw.signer_sanctions as SignerVerdict['signer_sanctions'] | undefined;\n if (!rawMatch && !rawSanctions) return undefined;\n // The API's signer_match has the actual signer wallet baked in (actual_signer); we\n // didn't track it separately in the cache key (only claimed-side). Pass the API's own\n // actual_signer as signerNorm so the projected shape is consistent.\n const signerNorm = (rawMatch?.actual_signer as string | undefined) ?? claimedNorm;\n return {\n signer_match: rawMatch ? projectSignerMatch(rawMatch, claimedNorm, signerNorm) : null,\n signer_sanctions: rawSanctions ?? null,\n };\n }\n\n return { evaluate, captureWallet, getSignerVerdict };\n}\n","// Network-aware address normalization. EVM addresses (0x + 40 hex) are\n// case-insensitive in the protocol — we lowercase them so DB lookups against\n// `address_lower`-style columns work. Solana addresses are base58 and are\n// case-sensitive — we MUST preserve the input verbatim, never lowercase.\n//\n// Must produce identical output to the API normalizer (`core/api/src/lib/address.ts`)\n// so the gate, API, and merchants normalize the same way. If the two ever drift,\n// captured wallets won't resolve and signer-match silently breaks.\n\nconst SOLANA_BASE58_RE = /^[1-9A-HJ-NP-Za-km-z]{32,44}$/;\nconst EVM_RE = /^0x[0-9a-fA-F]{40}$/;\n\nexport const isValidEvmAddress = (address: string): boolean => EVM_RE.test(address);\n\nexport const isSolanaAddress = (address: string): boolean =>\n SOLANA_BASE58_RE.test(address) && !address.startsWith('0x');\n\nexport const isValidAddress = (address: string): boolean =>\n isValidEvmAddress(address) || isSolanaAddress(address);\n\nexport const normalizeAddress = (address: string): string => {\n if (isSolanaAddress(address)) { return address; }\n return address.toLowerCase();\n};\n","export class TTLCache<T> {\n private store = new Map<string, { value: T; expiresAt: number }>();\n private maxSize: number;\n\n constructor(private defaultTtlMs: number, maxSize = 10000) {\n this.maxSize = maxSize;\n }\n\n get(key: string): T | undefined {\n const entry = this.store.get(key);\n if (!entry) return undefined;\n if (Date.now() > entry.expiresAt) {\n this.store.delete(key);\n return undefined;\n }\n return entry.value;\n }\n\n set(key: string, value: T, ttlMs?: number): void {\n if (this.store.size >= this.maxSize) {\n this.sweep();\n }\n if (this.store.size >= this.maxSize) {\n this.evictOldest(this.store.size - this.maxSize + 1);\n }\n this.store.set(key, {\n value,\n expiresAt: Date.now() + (ttlMs ?? this.defaultTtlMs),\n });\n }\n\n /** Remove all expired entries. */\n private sweep(): void {\n const now = Date.now();\n for (const [k, v] of this.store) {\n if (now > v.expiresAt) {\n this.store.delete(k);\n }\n }\n }\n\n /** Evict the oldest `count` entries by insertion order. */\n private evictOldest(count: number): void {\n let removed = 0;\n for (const key of this.store.keys()) {\n if (removed >= count) break;\n this.store.delete(key);\n removed++;\n }\n }\n}\n","/**\n * Payment-signer extraction.\n *\n * Shared between merchants and the gate. Three paths recover a wallet signer:\n *\n * - **Tempo MPP** — `Authorization: Payment <base64>`; credential `source` is a DID of the\n * form `did:pkh:eip155:<chain>:<address>`.\n * - **Solana MPP `solana/charge`** — `Authorization: Payment <base64>`; recovery via either\n * a `did:pkh:solana:<genesis>:<address>` source (when set by the client) or by decoding\n * the credential's signed-tx payload and reading the SPL `TransferChecked` authority\n * (pull mode only — `payload.type === 'transaction'`).\n * - **x402 EIP-3009 (EVM, e.g. Base/Sepolia)** — `payment-signature` / `x-payment`;\n * decoded payload carries `payload.authorization.from`.\n *\n * Optional peer deps: `mppx` for MPP credentials, `@solana/kit` for the Solana tx-decode\n * fallback. Both dynamic-imported; merchants who don't accept that rail don't need them.\n */\n\nimport { normalizeHeadersToLowercase } from './_headers';\n\nexport type SignerNetwork = 'evm' | 'solana';\n\nconst TOKEN_PROGRAM = 'TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA';\nconst TOKEN_2022_PROGRAM = 'TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb';\nconst TRANSFER_CHECKED_DISCRIMINATOR = 12;\n\ninterface SolanaKitMinimal {\n getBase64Codec: () => { encode: (s: string) => Uint8Array };\n getTransactionDecoder: () => { decode: (b: Uint8Array) => { messageBytes: Uint8Array } };\n getCompiledTransactionMessageDecoder: () => {\n decode: (b: Uint8Array) => {\n staticAccounts: ReadonlyArray<string>;\n instructions: ReadonlyArray<{\n programAddressIndex: number;\n accountIndices?: number[];\n data?: Uint8Array;\n }>;\n };\n };\n}\n\n/**\n * Decode a Solana MPP `solana/charge` credential's `payload.transaction` (base64-encoded\n * signed Solana tx) and return the SPL `TransferChecked` authority — the source-ATA owner,\n * which is the buyer's wallet. Pull mode only (`payload.type === 'transaction'`); push mode\n * (`payload.type === 'signature'`) returns null because recovery would require an RPC fetch.\n */\nasync function extractSolanaSignerFromCredential(credential: unknown): Promise<string | null> {\n const payload = (credential as { payload?: { transaction?: string; type?: string } }).payload;\n if (!payload?.transaction || payload.type !== 'transaction') return null;\n\n const moduleName = '@solana/kit';\n const kit = (await import(moduleName).catch(() => null)) as SolanaKitMinimal | null;\n if (!kit?.getBase64Codec || !kit.getTransactionDecoder || !kit.getCompiledTransactionMessageDecoder) {\n return null;\n }\n\n try {\n const txBytes = kit.getBase64Codec().encode(payload.transaction);\n const decoded = kit.getTransactionDecoder().decode(txBytes);\n const message = kit.getCompiledTransactionMessageDecoder().decode(decoded.messageBytes);\n\n // SPL TransferChecked accounts: [source ATA, mint, destination ATA, authority, ...signers].\n // Returns the FIRST matched authority. For multi-recipient `splits` txs, the buyer\n // signs ONE tx with N TransferChecked instructions all sharing the same authority,\n // so first-match is correct; if a tx ever surfaces with mismatched authorities the\n // first one wins (acceptable since both belong to whoever signed the tx).\n for (const ix of message.instructions) {\n const programId = message.staticAccounts[ix.programAddressIndex];\n if (programId !== TOKEN_PROGRAM && programId !== TOKEN_2022_PROGRAM) continue;\n const data = ix.data;\n if (!data || data.length === 0 || data[0] !== TRANSFER_CHECKED_DISCRIMINATOR) continue;\n const accountIndices = ix.accountIndices ?? [];\n const authorityIndex = accountIndices[3];\n if (authorityIndex === undefined) continue;\n // v0 transactions can carry account indices that resolve via address lookup tables;\n // staticAccounts only holds the static set. If the index is out of range, the\n // authority sits in a lookup table we'd need RPC to resolve. Skip cleanly with a\n // warning rather than returning the wrong address.\n if (authorityIndex >= message.staticAccounts.length) {\n console.warn(\n '[gate] Solana TransferChecked authority resolves through an address lookup table; ' +\n 'signer-match recovery requires the static-account form. Skipping.',\n );\n continue;\n }\n const authority = message.staticAccounts[authorityIndex];\n if (authority) return authority;\n }\n return null;\n } catch (err) {\n console.warn('[gate] Solana credential decode failed:', err instanceof Error ? err.message : err);\n return null;\n }\n}\n\nexport interface PaymentSigner {\n /** Recovered wallet address (EVM lowercased; Solana base58 preserved verbatim). */\n address: string;\n /** Network family — used by `captureWallet` and downstream cross-chain attribution. */\n network: SignerNetwork;\n}\n\n/**\n * Recover the signer wallet from the incoming payment credential, including the network\n * family. Returns `null` when no wallet signature is present (e.g. Stripe SPT, card-only\n * payments, or no credential yet).\n *\n * @param request - the inbound `Request`\n * @param x402PaymentHeader - the value of `payment-signature` or `x-payment` header, if any.\n * Extracted separately because some frameworks (Express) don't expose a web `Request` object.\n */\nexport async function extractPaymentSigner(\n request: Request,\n x402PaymentHeader?: string,\n): Promise<PaymentSigner | null> {\n // MPP — Authorization: Payment <base64>\n const authHeader = request.headers.get('authorization');\n if (authHeader) {\n try {\n const moduleName = 'mppx';\n const mppx = (await import(moduleName).catch(() => null)) as {\n Credential?: {\n extractPaymentScheme: (h: string) => unknown;\n fromRequest: (r: Request) => unknown;\n };\n } | null;\n if (mppx?.Credential?.extractPaymentScheme(authHeader)) {\n const credential = mppx.Credential.fromRequest(request);\n const source = (credential as { source?: string }).source;\n const evmMatch = source?.match(/^did:pkh:eip155:\\d+:(0x[0-9a-fA-F]{40})$/);\n if (evmMatch) return { address: evmMatch[1]!.toLowerCase(), network: 'evm' };\n // Solana CAIP-10: did:pkh:solana:<genesis-base58>:<address-base58>\n const solMatch = source?.match(/^did:pkh:solana:[1-9A-HJ-NP-Za-km-z]{32,44}:([1-9A-HJ-NP-Za-km-z]{32,44})$/);\n if (solMatch) return { address: solMatch[1]!, network: 'solana' };\n // Fallback: source not set by upstream client. Decode the credential's signed-tx\n // payload to find the SPL TransferChecked authority (= source-ATA owner = buyer\n // wallet). Pull mode only.\n const solanaFromTx = await extractSolanaSignerFromCredential(credential);\n if (solanaFromTx) return { address: solanaFromTx, network: 'solana' };\n }\n } catch (err) {\n console.warn('[gate] MPP signer extraction failed:', err instanceof Error ? err.message : err);\n }\n }\n\n // x402 — base64 JSON, EIP-3009 only. EVM `payload.authorization.from` is the signer.\n if (x402PaymentHeader) {\n try {\n const decoded = atob(x402PaymentHeader);\n const parsed = JSON.parse(decoded) as {\n payload?: { authorization?: { from?: string } };\n };\n const from = parsed?.payload?.authorization?.from;\n if (typeof from === 'string' && /^0x[0-9a-fA-F]{40}$/.test(from)) {\n return { address: from.toLowerCase(), network: 'evm' };\n }\n } catch (err) {\n console.warn('[gate] x402 signer extraction failed:', err instanceof Error ? err.message : err);\n }\n }\n\n return null;\n}\n\n/**\n * Headers-only variant for adapters that don't natively expose a Web Fetch `Request`\n * (Express, Fastify, ASGI-bridged frameworks). Constructs a synthetic Request carrying\n * only the `authorization` header and delegates to {@link extractPaymentSigner}. Works\n * because the MPP and x402 paths only read `request.headers.get('authorization')` and\n * the explicit `x402PaymentHeader` arg — no body, query, or method semantics needed.\n */\nexport async function extractPaymentSignerFromAuth(\n authHeader: string | null | undefined,\n x402PaymentHeader?: string,\n): Promise<PaymentSigner | null> {\n const request = new Request('http://internal.gate/', {\n headers: authHeader ? { authorization: authHeader } : {},\n });\n return extractPaymentSigner(request, x402PaymentHeader);\n}\n\n/**\n * Read the x402 payment header from a `Request`, matching the alternate names merchants might\n * use. Falls back to reading either header directly.\n */\nexport function readX402PaymentHeader(request: Request): string | undefined {\n return (\n request.headers.get('payment-signature') ??\n request.headers.get('x-payment') ??\n undefined\n );\n}\n\n/**\n * One-call signer extraction across both supported credential formats.\n *\n * Tries the x402 `payment-signature` / `x-payment` header first (EIP-3009\n * `payload.authorization.from`), then falls back to the MPP\n * `Authorization: Payment` header DID. Returns the first one that resolves,\n * or `null`.\n *\n * Use this for wallet-cap prechecks and other \"did the agent claim to sign as\n * X?\" checks where you need the signer BEFORE invoking Checkout. Checkout's\n * own settle path runs verification separately and surfaces the verified\n * signer on `SettleOutcome.signerAddress`.\n *\n * Accepts a plain headers dict so it works regardless of which framework the\n * merchant uses (the gate adapters all serialize headers down to a dict by\n * the time they reach the merchant's hooks).\n */\nexport async function extractSignerForPrecheck(\n headers: Record<string, string>,\n): Promise<PaymentSigner | null> {\n const lower = normalizeHeadersToLowercase(headers);\n const x402 = lower['payment-signature'] ?? lower['x-payment'];\n if (x402) {\n const signer = await extractPaymentSignerFromAuth(undefined, x402);\n if (signer !== null) return signer;\n }\n const authorization = lower['authorization'];\n if (authorization && authorization.toLowerCase().startsWith('payment ')) {\n return await extractPaymentSignerFromAuth(authorization);\n }\n return null;\n}\n","import { denialReasonStatus } from '../_denial';\nimport { denialReasonToBody } from '../_response';\nimport { createAgentScoreCore } from '../core';\nimport { hasPaymentHeader } from '../payment/payment_header';\nimport { extractPaymentSigner, readX402PaymentHeader } from '../signer';\nimport type {\n AgentIdentity,\n AgentScoreCoreOptions,\n AssessResult,\n CreateSessionOnMissing,\n DenialReason,\n FailOpenInfraReason,\n GateQuotaInfo,\n SignerVerdict,\n} from '../core';\n\ninterface AgentScoreGateOptions extends Omit<AgentScoreCoreOptions, 'createSessionOnMissing'> {\n /** Custom function to extract agent identity from a Request. */\n extractIdentity?: (req: Request) => AgentIdentity | undefined;\n /** Custom handler invoked when a request is denied. Must return a Response. */\n onDenied?: (req: Request, reason: DenialReason) => Response | Promise<Response>;\n /** Auto-create a verification session on missing identity. Hooks receive the `Request`. */\n createSessionOnMissing?: CreateSessionOnMissing<Request>;\n}\n\n/**\n * Result of a gate check. `allowed: true` means the request passed; forward it to your\n * handler. `allowed: false` means it was denied; return `response` directly to the client.\n *\n * When the request was authenticated via `operator_token`, `captureWallet` is bound to the\n * identity and can be called after payment to report the signer wallet back to AgentScore.\n * When the request was wallet-authenticated (nothing to associate), `captureWallet` is\n * undefined. Always fire-and-forget.\n */\nexport type GuardResult =\n | {\n allowed: true;\n data?: AssessResult;\n captureWallet?: (opts: {\n walletAddress: string;\n network: 'evm' | 'solana';\n idempotencyKey?: string;\n }) => Promise<void>;\n /** Synchronous read of the cached signer verdicts (`signer_match` wallet-binding\n * + `signer_sanctions` OFAC SDN wallet-address check). Both verdicts composed by\n * the gate's primary `/v1/assess` call in one round trip. Bound only on strict\n * wallet-auth requests; `undefined` otherwise (operator-token paths, discovery\n * legs, or routes the gate didn't run on). */\n getSignerVerdict?: () => SignerVerdict | undefined;\n /** Set to `true` only when the gate fail-open'd due to AgentScore-side infra failure\n * (429/5xx/network timeout). Compliance was NOT enforced this request — log/alert. */\n degraded?: boolean;\n /** Why the gate degraded — quota_exceeded / api_error / network_timeout. */\n infraReason?: FailOpenInfraReason;\n /** Per-account assess quota observability from X-Quota-* response headers. */\n quota?: GateQuotaInfo;\n }\n | { allowed: false; response: Response };\n\nfunction defaultExtractIdentity(req: Request): AgentIdentity | undefined {\n const token = req.headers.get('x-operator-token');\n const addr = req.headers.get('x-wallet-address');\n const identity: AgentIdentity = {};\n if (token && token.length > 0) identity.operatorToken = token;\n if (addr && addr.length > 0) identity.address = addr;\n if (identity.operatorToken || identity.address) return identity;\n return undefined;\n}\n\nfunction defaultOnDenied(_req: Request, reason: DenialReason): Response {\n return new Response(JSON.stringify(denialReasonToBody(reason)), {\n status: denialReasonStatus(reason),\n headers: { 'content-type': 'application/json' },\n });\n}\n\n/**\n * Create a Web Fetch-compatible gate. Works with any runtime that speaks the standard\n * Request/Response API: Cloudflare Workers, Deno Deploy, Bun, Next.js App Router, etc.\n *\n * ```ts\n * const guard = createAgentScoreGate({ apiKey: 'as_live_...', requireKyc: true });\n *\n * export default {\n * async fetch(req: Request) {\n * const result = await guard(req);\n * if (!result.allowed) return result.response;\n * return handle(req, result.data);\n * },\n * };\n * ```\n */\nexport function createAgentScoreGate(options: AgentScoreGateOptions): (req: Request) => Promise<GuardResult> {\n const { extractIdentity = defaultExtractIdentity, onDenied = defaultOnDenied, ...coreOptions } = options;\n const core = createAgentScoreCore(coreOptions as AgentScoreCoreOptions);\n\n return async (req: Request): Promise<GuardResult> => {\n const identity = extractIdentity(req);\n // Extract the payment signer pre-evaluate. When present, the API composes\n // signer_match + signer_sanctions verdicts on the primary assess response in one\n // round trip — under policy.require_sanctions_clear, OFAC SDN wallet hits flip\n // decision -> deny inline before the handler runs.\n const signer = await extractPaymentSigner(req, readX402PaymentHeader(req));\n const outcome = await core.evaluate(identity, req, signer);\n\n if (outcome.kind === 'allow') {\n const captureWallet = identity?.operatorToken\n ? (opts: { walletAddress: string; network: 'evm' | 'solana'; idempotencyKey?: string }) =>\n core.captureWallet({ operatorToken: identity.operatorToken!, ...opts })\n : undefined;\n // Synchronous getter — reads the cached verdicts (signer_match + signer_sanctions)\n // composed by the primary assess call above. Returns undefined for operator-token\n // paths or discovery legs where no signer was extractable.\n const getSignerVerdictBound = identity?.address && !identity?.operatorToken\n ? () => core.getSignerVerdict(identity.address!)\n : undefined;\n return {\n allowed: true,\n data: outcome.data,\n captureWallet,\n getSignerVerdict: getSignerVerdictBound,\n ...(outcome.degraded ? { degraded: true, infraReason: outcome.infraReason } : {}),\n ...(outcome.quota ? { quota: outcome.quota } : {}),\n };\n }\n\n const response = await onDenied(req, outcome.reason);\n return { allowed: false, response };\n };\n}\n\n/**\n * Wrap a Web Fetch request handler with the gate. Denied requests are returned directly;\n * allowed requests are passed to `handler` along with the assess data.\n *\n * ```ts\n * export const POST = withAgentScoreGate(\n * { apiKey: 'as_live_...', requireKyc: true },\n * async (req, { data }) => Response.json({ ok: true }),\n * );\n * ```\n */\nexport function withAgentScoreGate<TCtx = unknown>(\n options: AgentScoreGateOptions,\n handler: (\n req: Request,\n gate: {\n data?: AssessResult;\n captureWallet?: (opts: {\n walletAddress: string;\n network: 'evm' | 'solana';\n idempotencyKey?: string;\n }) => Promise<void>;\n /** Synchronous read of the cached signer verdicts. See {@link GuardResult}'s\n * `getSignerVerdict` for the contract. */\n getSignerVerdict?: () => SignerVerdict | undefined;\n /** Set to `true` only when the gate fail-open'd due to AgentScore-side infra failure\n * (429/5xx/network timeout). Compliance was NOT enforced this request — log/alert. */\n degraded?: boolean;\n /** Why the gate degraded — quota_exceeded / api_error / network_timeout. */\n infraReason?: FailOpenInfraReason;\n /** Per-account assess quota observability from X-Quota-* response headers. */\n quota?: GateQuotaInfo;\n },\n ctx?: TCtx,\n ) => Response | Promise<Response>,\n): (req: Request, ctx?: TCtx) => Promise<Response> {\n const guard = createAgentScoreGate(options);\n return async (req, ctx) => {\n const result = await guard(req);\n if (!result.allowed) return result.response;\n return handler(\n req,\n {\n data: result.data,\n captureWallet: result.captureWallet,\n getSignerVerdict: result.getSignerVerdict,\n ...(result.degraded ? { degraded: true, infraReason: result.infraReason } : {}),\n ...(result.quota ? { quota: result.quota } : {}),\n },\n ctx,\n );\n };\n}\n\n/** Wrap `createAgentScoreGate(...)` so it only fires when a payment credential\n * is attached. Discovery legs flow through allowed (with `data: undefined`)\n * and the handler emits a 402 with all rails; settle legs run the full gate. */\nexport function createConditionalAgentScoreGate(options: AgentScoreGateOptions): (req: Request) => Promise<GuardResult> {\n const guard = createAgentScoreGate(options);\n return async (req: Request): Promise<GuardResult> => {\n if (!hasPaymentHeader(req)) return { allowed: true };\n return guard(req);\n };\n}\n\n/** Wrapper variant matching `withAgentScoreGate(opts, handler)` that only\n * invokes the gate when a payment credential is attached. */\nexport function withConditionalAgentScoreGate<TCtx = unknown>(\n options: AgentScoreGateOptions,\n handler: Parameters<typeof withAgentScoreGate<TCtx>>[1],\n): (req: Request, ctx: TCtx) => Promise<Response> {\n const wrapped = withAgentScoreGate<TCtx>(options, handler);\n return async (req: Request, ctx: TCtx): Promise<Response> => {\n if (!hasPaymentHeader(req)) return handler(req, {}, ctx);\n return wrapped(req, ctx);\n };\n}\n","import { hasPaymentHeader } from '../payment/payment_header';\nimport { createAgentScoreGate } from './web';\nimport type { AssessResult, FailOpenInfraReason, GateQuotaInfo, SignerVerdict } from '../core';\n\n\n/**\n * Wrap a Next.js App Router route handler with the gate.\n *\n * Denied requests get a 403 JSON response; allowed requests reach `handler` with the\n * assess data on `gate.data`.\n *\n * ```ts\n * // app/api/purchase/route.ts\n * import { withAgentScoreGate } from '@agent-score/commerce/identity/nextjs';\n *\n * export const POST = withAgentScoreGate(\n * { apiKey: process.env.AGENTSCORE_API_KEY!, requireKyc: true, minAge: 21 },\n * async (req, { data }) => {\n * // ... purchase logic\n * return Response.json({ ok: true });\n * },\n * );\n * ```\n *\n * Works with any Request type, including Next's `NextRequest`.\n */\nexport function withAgentScoreGate<TReq extends Request = Request, TCtx = unknown>(\n options: Parameters<typeof createAgentScoreGate>[0],\n handler: (\n req: TReq,\n gate: {\n data?: AssessResult;\n captureWallet?: (opts: {\n walletAddress: string;\n network: 'evm' | 'solana';\n idempotencyKey?: string;\n }) => Promise<void>;\n /** Synchronous read of the cached signer verdicts (`signer_match` wallet-binding\n * + `signer_sanctions` OFAC SDN wallet-address check). Both composed by the gate's\n * primary `/v1/assess` in one round trip. Bound only on strict wallet-auth\n * requests; `undefined` otherwise. */\n getSignerVerdict?: () => SignerVerdict | undefined;\n /** Set to `true` only when the gate fail-open'd due to AgentScore-side infra failure\n * (429/5xx/network timeout). Compliance was NOT enforced — log/alert in your handler. */\n degraded?: boolean;\n /** Why the gate degraded — quota_exceeded / api_error / network_timeout. */\n infraReason?: FailOpenInfraReason;\n /** Per-account assess quota observability from X-Quota-* response headers. */\n quota?: GateQuotaInfo;\n },\n ctx?: TCtx,\n ) => Response | Promise<Response>,\n): (req: TReq, ctx?: TCtx) => Promise<Response> {\n const guard = createAgentScoreGate(options);\n return async (req, ctx) => {\n const result = await guard(req as Request);\n if (!result.allowed) return result.response;\n return handler(\n req,\n {\n data: result.data,\n captureWallet: result.captureWallet,\n getSignerVerdict: result.getSignerVerdict,\n ...(result.degraded ? { degraded: true, infraReason: result.infraReason } : {}),\n ...(result.quota ? { quota: result.quota } : {}),\n },\n ctx,\n );\n };\n}\n\n/**\n * Build a Next.js middleware function. Returns a `Response` when the request is denied;\n * returns `undefined` when the request should continue down the middleware chain.\n *\n * ```ts\n * // middleware.ts\n * import { NextResponse, type NextRequest } from 'next/server';\n * import { agentscoreMiddleware } from '@agent-score/commerce/identity/nextjs';\n *\n * const gate = agentscoreMiddleware({ apiKey: process.env.AGENTSCORE_API_KEY!, requireKyc: true });\n *\n * export async function middleware(req: NextRequest) {\n * const denied = await gate(req);\n * if (denied) return denied;\n * return NextResponse.next();\n * }\n *\n * export const config = { matcher: '/api/purchase/:path*' };\n * ```\n */\nexport function agentscoreMiddleware(options: Parameters<typeof createAgentScoreGate>[0]): (req: Request) => Promise<Response | undefined> {\n const guard = createAgentScoreGate(options);\n return async (req: Request) => {\n const result = await guard(req);\n return result.allowed ? undefined : result.response;\n };\n}\n\n/** Wrapper variant of `withAgentScoreGate` that only invokes the gate when a\n * payment credential is attached. Discovery legs flow through to `handler`\n * with an empty `gate` arg so the handler emits a 402 with all rails. */\nexport function withConditionalAgentScoreGate<TReq extends Request = Request, TCtx = unknown>(\n options: Parameters<typeof withAgentScoreGate<TReq, TCtx>>[0],\n handler: Parameters<typeof withAgentScoreGate<TReq, TCtx>>[1],\n): (req: TReq, ctx?: TCtx) => Promise<Response> {\n const wrapped = withAgentScoreGate<TReq, TCtx>(options, handler);\n return async (req: TReq, ctx?: TCtx): Promise<Response> => {\n if (!hasPaymentHeader(req as unknown as Request)) {\n const result = handler(req, {}, ctx);\n return result instanceof Promise ? result : Promise.resolve(result);\n }\n return wrapped(req, ctx);\n };\n}\n\n/** Middleware variant: returns a denial Response only when a payment header\n * IS present and the gate denies; otherwise returns undefined so the chain\n * continues. */\nexport function conditionalAgentscoreMiddleware(options: Parameters<typeof createAgentScoreGate>[0]): (req: Request) => Promise<Response | undefined> {\n const guard = createAgentScoreGate(options);\n return async (req: Request) => {\n if (!hasPaymentHeader(req)) return undefined;\n const result = await guard(req);\n return result.allowed ? undefined : result.response;\n };\n}\n\n"],"mappings":";AAiBA,SAAS,YAAY,MAAsB;AACzC,SAAO,KAAK,QAAQ,iBAAiB,CAAC,IAAI,KAAa,MAAc,MAAM,EAAE,YAAY,CAAC;AAC5F;AAEO,SAAS,WAAW,SAAsB,MAA6B;AAC5E,MAAI,OAAQ,QAAgC,QAAQ,YAAY;AAC9D,WAAQ,QAAuB,IAAI,IAAI;AAAA,EACzC;AACA,QAAM,MAAM;AACZ,QAAM,IAAI,IAAI,IAAI,KAAK,IAAI,KAAK,YAAY,CAAC,KAAK,IAAI,YAAY,IAAI,CAAC;AACvE,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,MAAI,MAAM,QAAQ,CAAC,KAAK,OAAO,EAAE,CAAC,MAAM,SAAU,QAAO,EAAE,CAAC;AAC5D,SAAO;AACT;AAEO,SAAS,UAAU,OAA2C;AACnE,SAAO,OAAQ,MAA2B,YAAY,YAAY,iBAAiB,UAC/E,MAAM,UACL;AACP;AAUO,SAAS,iBAAiB,OAAuC;AACtE,QAAM,UAAU,UAAU,KAAK;AAC/B,SAAO;AAAA,IACL,WAAW,SAAS,mBAAmB,KACvC,WAAW,SAAS,WAAW,KAC/B,WAAW,SAAS,eAAe,GAAG,WAAW,UAAU;AAAA,EAC7D;AACF;;;ACrBO,IAAM,yBAA8C,oBAAI,IAAI;AAAA,EACjE;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAUM,SAAS,gBAAgB,SAAiD;AAC/E,MAAI,CAAC,WAAW,QAAQ,WAAW,EAAG,QAAO;AAC7C,SAAO,QAAQ,MAAM,CAAC,MAAM,uBAAuB,IAAI,CAAC,CAAC;AAC3D;AAUO,SAAS,mBAAmB,QAAuC;AACxE,MAAI,OAAO,SAAS,mBAAmB,OAAO,SAAS,qBAAsB,QAAO;AACpF,MAAI,OAAO,SAAS,YAAa,QAAO;AACxC,SAAO;AACT;;;AC/BA,IAAM,kCAAkC,KAAK,UAAU;AAAA,EACrD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,gCAAgC,KAAK,UAAU;AAAA,EACnD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,uDAAuD,KAAK,UAAU;AAAA,EAC1E,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,yBAAyB,KAAK,UAAU;AAAA,EAC5C,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAEM,IAAM,8BAA8B,KAAK,UAAU;AAAA,EACxD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,sCAAsC,KAAK,UAAU;AAAA,EACzD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,6BAAkE;AAAA,EACtE,WAAW;AAAA,EACX,oBAAoB;AAAA,EACpB,kBAAkB;AAAA,EAClB,gCAAgC;AAAA,EAChC,eAAe;AACjB;AAEA,IAAM,mBAA+C;AAAA,EACnD,kBACE;AAAA,EACF,gCACE;AAAA,EACF,oBACE;AAAA,EACF,WACE;AAAA,EACF,kBACE;AAAA,EACF,wBACE;AAAA,EACF,qCACE;AAAA,EACF,eACE;AAAA,EACF,oBACE;AACJ;AAKA,IAAM,kBAAkB,oBAAI,IAAI;AAAA,EAC9B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAsDM,SAAS,mBAAmB,QAA+C;AAChF,QAAM,UAAU,OAAO,WAAW,iBAAiB,OAAO,IAAI;AAC9D,QAAM,OAAgC,EAAE,OAAO,EAAE,MAAM,OAAO,MAAM,QAAQ,EAAE;AAC9E,MAAI,OAAO,SAAU,MAAK,WAAW,OAAO;AAC5C,MAAI,OAAO,QAAS,MAAK,UAAU,OAAO;AAC1C,MAAI,OAAO,WAAY,MAAK,aAAa,OAAO;AAChD,MAAI,OAAO,WAAY,MAAK,aAAa,OAAO;AAChD,MAAI,OAAO,YAAa,MAAK,cAAc,OAAO;AAClD,MAAI,OAAO,SAAU,MAAK,WAAW,OAAO;AAC5C,QAAM,eAAe,OAAO,sBAAsB,2BAA2B,OAAO,IAAI;AACxF,MAAI,aAAc,MAAK,qBAAqB;AAC5C,MAAI,OAAO,aAAc,MAAK,eAAe,OAAO;AACpD,MAAI,OAAO,iBAAkB,MAAK,mBAAmB,OAAO;AAC5D,MAAI,OAAO,SAAS,yBAA0B,MAAK,yBAAyB,OAAO,0BAA0B;AAC7G,MAAI,OAAO,gBAAiB,MAAK,kBAAkB,OAAO;AAC1D,MAAI,OAAO,cAAe,MAAK,gBAAgB,OAAO;AACtD,MAAI,OAAO,kBAAkB,OAAO,eAAe,SAAS,EAAG,MAAK,iBAAiB,OAAO;AAC5F,MAAI,OAAO,OAAO;AAChB,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,KAAK,GAAG;AACvD,UAAI,gBAAgB,IAAI,GAAG,GAAG;AAC5B,gBAAQ,KAAK,mDAAmD,GAAG,8CAAyC;AAC5G;AAAA,MACF;AACA,WAAK,GAAG,IAAI;AAAA,IACd;AAAA,EACF;AACA,SAAO;AACT;;;ACjOA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,gBAAgB;AAAA,EAChB;AAAA,OACK;;;ACEP,IAAM,mBAAmB;AAKlB,IAAM,kBAAkB,CAAC,YAC9B,iBAAiB,KAAK,OAAO,KAAK,CAAC,QAAQ,WAAW,IAAI;AAKrD,IAAM,mBAAmB,CAAC,YAA4B;AAC3D,MAAI,gBAAgB,OAAO,GAAG;AAAE,WAAO;AAAA,EAAS;AAChD,SAAO,QAAQ,YAAY;AAC7B;;;ACvBO,IAAM,WAAN,MAAkB;AAAA,EAIvB,YAAoB,cAAsB,UAAU,KAAO;AAAvC;AAClB,SAAK,UAAU;AAAA,EACjB;AAAA,EAFoB;AAAA,EAHZ,QAAQ,oBAAI,IAA6C;AAAA,EACzD;AAAA,EAMR,IAAI,KAA4B;AAC9B,UAAM,QAAQ,KAAK,MAAM,IAAI,GAAG;AAChC,QAAI,CAAC,MAAO,QAAO;AACnB,QAAI,KAAK,IAAI,IAAI,MAAM,WAAW;AAChC,WAAK,MAAM,OAAO,GAAG;AACrB,aAAO;AAAA,IACT;AACA,WAAO,MAAM;AAAA,EACf;AAAA,EAEA,IAAI,KAAa,OAAU,OAAsB;AAC/C,QAAI,KAAK,MAAM,QAAQ,KAAK,SAAS;AACnC,WAAK,MAAM;AAAA,IACb;AACA,QAAI,KAAK,MAAM,QAAQ,KAAK,SAAS;AACnC,WAAK,YAAY,KAAK,MAAM,OAAO,KAAK,UAAU,CAAC;AAAA,IACrD;AACA,SAAK,MAAM,IAAI,KAAK;AAAA,MAClB;AAAA,MACA,WAAW,KAAK,IAAI,KAAK,SAAS,KAAK;AAAA,IACzC,CAAC;AAAA,EACH;AAAA;AAAA,EAGQ,QAAc;AACpB,UAAM,MAAM,KAAK,IAAI;AACrB,eAAW,CAAC,GAAG,CAAC,KAAK,KAAK,OAAO;AAC/B,UAAI,MAAM,EAAE,WAAW;AACrB,aAAK,MAAM,OAAO,CAAC;AAAA,MACrB;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGQ,YAAY,OAAqB;AACvC,QAAI,UAAU;AACd,eAAW,OAAO,KAAK,MAAM,KAAK,GAAG;AACnC,UAAI,WAAW,MAAO;AACtB,WAAK,MAAM,OAAO,GAAG;AACrB;AAAA,IACF;AAAA,EACF;AACF;;;AFlCA,SAAS,qBAAqB,GAAmB;AAC/C,MAAI,MAAM,EAAE;AACZ,SAAO,MAAM,KAAK,EAAE,WAAW,MAAM,CAAC,MAAM,GAAc;AAC1D,SAAO,QAAQ,EAAE,SAAS,IAAI,EAAE,MAAM,GAAG,GAAG;AAC9C;AAwVA,IAAM,2BAA2B;AAKjC,IAAM,sCAAsC,KAAK,UAAU;AAAA,EACzD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAED,IAAM,mDAAmD,KAAK,UAAU;AAAA,EACtE,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAMD,IAAM,kCAAkC,KAAK,UAAU;AAAA,EACrD,QAAQ;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cACE;AACJ,CAAC;AAEM,SAAS,uBAAwC;AAItD,QAAM,MAAM;AACZ,SAAO;AAAA,IACL,kCAAkC;AAAA,IAClC,iBACE;AAAA,IAKF,YAAY;AAAA,IACZ,yBAAyB,GAAG,GAAG;AAAA,IAC/B,gBAAgB;AAAA,MACd,QACE;AAAA,MAEF,gBACE;AAAA,IAEJ;AAAA,IACA,WACE;AAAA,IAIF,0BAA0B,CAAC,kBAAkB,aAAa;AAAA,IAC1D,6BAA6B,CAAC,gBAAgB;AAAA,EAChD;AACF;AAMO,SAAS,qBAAqB,SAAgD;AACnF,MAAI,CAAC,QAAQ,QAAQ;AACnB,UAAM,IAAI,MAAM,0EAA0E;AAAA,EAC5F;AAEA,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,WAAW;AAAA,IACX,eAAe;AAAA,IACf,SAAS,aAAa;AAAA,IACtB,OAAO;AAAA,IACP;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,QAAM,UAAU,qBAAqB,UAAU;AAC/C,QAAM,kBAAkB,qBAAqB;AAE7C,QAAM,YAAY,yBAAyB,OAAW;AACtD,QAAM,kBAAkB,YAAY,GAAG,SAAS,KAAK,SAAS,MAAM;AAQpE,QAAM,MAAM,IAAI,WAAW,EAAE,QAAQ,SAAS,WAAW,gBAAgB,CAAC;AAK1E,QAAM,kBAAkB,oBAAI,IAAwB;AACpD,WAAS,cAAc,eAAuB,gBAAqC;AACjF,UAAM,MAAM,GAAG,aAAa,IAAI,kBAAkB,EAAE;AACpD,QAAI,IAAI,gBAAgB,IAAI,GAAG;AAC/B,QAAI,CAAC,GAAG;AACN,UAAI,IAAI,WAAW;AAAA,QACjB,QAAQ;AAAA,QACR,SAAS,kBAAkB;AAAA,QAC3B,WAAW;AAAA,MACb,CAAC;AACD,sBAAgB,IAAI,KAAK,CAAC;AAAA,IAC5B;AACA,WAAO;AAAA,EACT;AAEA,QAAM,QAAQ,IAAI,SAA6B,eAAe,GAAI;AAOlE,iBAAe,qBAAqB,KAAiD;AACnF,QAAI,CAAC,uBAAwB,QAAO;AACpC,QAAI;AACF,YAAM,cAA2D,CAAC;AAClE,UAAI,uBAAuB,WAAW,KAAM,aAAY,UAAU,uBAAuB;AACzF,UAAI,uBAAuB,eAAe,KAAM,aAAY,eAAe,uBAAuB;AAElG,UAAI,uBAAuB,qBAAqB,QAAQ,QAAW;AACjE,YAAI;AACF,gBAAM,UAAU,MAAM,uBAAuB,kBAAkB,GAAG;AAClE,cAAI,SAAS,WAAW,KAAM,aAAY,UAAU,QAAQ;AAC5D,cAAI,SAAS,eAAe,KAAM,aAAY,eAAe,QAAQ;AAAA,QACvE,SAAS,KAAK;AACZ,kBAAQ,KAAK,gEAAgE,eAAe,QAAQ,IAAI,UAAU,GAAG;AAAA,QACvH;AAAA,MACF;AAIA,YAAM,aAAa,cAAc,uBAAuB,QAAQ,uBAAuB,OAAO;AAC9F,YAAM,OAAQ,MAAM,WAAW,cAAc;AAAA,QAC3C,GAAI,YAAY,YAAY,SAAY,EAAE,SAAS,YAAY,QAAQ,IAAI,CAAC;AAAA,QAC5E,GAAI,YAAY,iBAAiB,SAAY,EAAE,cAAc,YAAY,aAAa,IAAI,CAAC;AAAA,MAC7F,CAAC;AAMD,UACE,OAAO,KAAK,eAAe,YAC3B,OAAO,KAAK,gBAAgB,YAC5B,OAAO,KAAK,eAAe,UAC3B;AACA,gBAAQ,KAAK,6FAAwF;AACrG,eAAO;AAAA,MACT;AAIA,UAAI;AACJ,UAAI,uBAAuB,mBAAmB,QAAQ,QAAW;AAC/D,YAAI;AACF,gBAAM,cAAc;AAAA,YAClB,YAAY,KAAK;AAAA,YACjB,YAAY,KAAK;AAAA,YACjB,aAAa,KAAK;AAAA,YAClB,UAAU,KAAK;AAAA,YACf,YAAY,KAAK;AAAA,UACnB;AACA,gBAAM,SAAS,MAAM,uBAAuB,gBAAgB,KAAK,WAAW;AAC5E,cAAI,UAAU,OAAO,WAAW,SAAU,SAAQ;AAAA,QACpD,SAAS,KAAK;AACZ,kBAAQ,KAAK,8DAA8D,eAAe,QAAQ,IAAI,UAAU,GAAG;AAAA,QACrH;AAAA,MACF;AAKA,YAAM,eAAe,KAAK;AAC1B,aAAO;AAAA,QACL,MAAM;AAAA,QACN,YAAY,KAAK;AAAA,QACjB,YAAY,KAAK;AAAA,QACjB,aAAa,KAAK;AAAA,QAClB,UAAU,KAAK;AAAA,QACf,oBAAoB,eAAe,KAAK,UAAU,YAAY,IAAI;AAAA,QAClE,cAAc;AAAA,QACd,GAAI,SAAS,EAAE,MAAM;AAAA,MACvB;AAAA,IACF,SAAS,KAAK;AAKZ,cAAQ,KAAK,iFAA4E,eAAe,QAAQ,IAAI,UAAU,GAAG;AACjI,aAAO;AAAA,IACT;AAAA,EACF;AAEA,iBAAe,SACb,UACA,KACA,QAC0B;AAG1B,QAAI,CAAC,YAAa,CAAC,SAAS,WAAW,CAAC,SAAS,eAAgB;AAO/D,UAAI,SAAU,QAAO,EAAE,MAAM,QAAQ;AAErC,YAAM,gBAAgB,MAAM,qBAAqB,GAAG;AACpD,UAAI,cAAe,QAAO,EAAE,MAAM,QAAQ,QAAQ,cAAc;AAMhE,YAAM,8BAA8B,KAAK,UAAU;AAAA,QACjD,QAAQ;AAAA,QACR,OAAO;AAAA,UACL;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,QACA,cACE;AAAA,MACJ,CAAC;AACD,aAAO;AAAA,QACL,MAAM;AAAA,QACN,QAAQ;AAAA,UACN,MAAM;AAAA,UACN,oBAAoB;AAAA,UACpB,cAAc;AAAA,QAChB;AAAA,MACF;AAAA,IACF;AAMA,UAAM,WAAW,SAAS,eAAe,YAAY,MAAM,SAAS,UAAU,iBAAiB,SAAS,OAAO,IAAI;AAEnH,UAAM,SAAS,MAAM,IAAI,QAAQ;AACjC,QAAI,QAAQ;AACV,UAAI,OAAO,OAAO;AAChB,cAAM,YAAY,OAAO;AACzB,cAAM,cAAc,WAAW;AAC/B,eAAO;AAAA,UACL,MAAM;AAAA,UACN,MAAM;AAAA,UACN,GAAI,gBAAgB,UAAa,EAAE,OAAO,YAAY;AAAA,QACxD;AAAA,MACF;AAQA,UAAI,gBAAgB,OAAO,OAAO,GAAG;AACnC,cAAM,gBAAgB,MAAM,qBAAqB,GAAG;AACpD,YAAI,cAAe,QAAO,EAAE,MAAM,QAAQ,QAAQ,cAAc;AAAA,MAClE;AACA,aAAO;AAAA,QACL,MAAM;AAAA,QACN,QAAQ;AAAA,UACN,MAAM;AAAA,UACN,UAAU,OAAO;AAAA,UACjB,SAAS,OAAO;AAAA,UAChB,YAAa,OAAO,KAA6C;AAAA,UACjE,MAAM,OAAO;AAAA,QACf;AAAA,MACF;AAAA,IACF;AAEA,UAAM,SAAkC,CAAC;AACzC,QAAI,cAAc,KAAM,QAAO,cAAc;AAC7C,QAAI,yBAAyB,KAAM,QAAO,0BAA0B;AACpE,QAAI,UAAU,KAAM,QAAO,UAAU;AACrC,QAAI,wBAAwB,KAAM,QAAO,wBAAwB;AACjE,QAAI,wBAAwB,KAAM,QAAO,wBAAwB;AAEjE,QAAI;AACJ,QAAI;AAIF,YAAM,OAAO;AAAA,QACX,OAAO;AAAA,QACP,GAAI,OAAO,KAAK,MAAM,EAAE,SAAS,IAAI,EAAE,OAAwB,IAAI,CAAC;AAAA;AAAA;AAAA;AAAA;AAAA,QAKpE,GAAI,UAAU,EAAE,QAAQ,EAAE,SAAS,OAAO,SAAS,SAAS,OAAO,QAAQ,EAAE;AAAA,MAC/E;AAEA,YAAM,SAAS,SAAS,UACpB,MAAM,IAAI,OAAO,SAAS,SAAS,EAAE,GAAG,MAAM,eAAe,SAAS,cAAc,CAAC,IACrF,MAAM,IAAI,OAAO,MAAM,EAAE,GAAG,MAAM,eAAe,SAAS,cAAe,CAAC;AAC9E,aAAO;AAAA,IACT,SAAS,KAAK;AACZ,UAAI,eAAe,sBAAsB;AACvC,YAAI,SAAU,QAAO,EAAE,MAAM,QAAQ;AACrC,eAAO,EAAE,MAAM,QAAQ,QAAQ,EAAE,MAAM,mBAAmB,EAAE;AAAA,MAC9D;AACA,UAAI,eAAe,mBAAmB;AAGpC,eAAO;AAAA,UACL,MAAM;AAAA,UACN,QAAQ;AAAA,YACN,MAAM;AAAA,YACN,MAAM,IAAI;AAAA,YACV,GAAI,IAAI,YAAY,EAAE,YAAY,IAAI,UAAU,IAAI,CAAC;AAAA,YACrD,GAAI,IAAI,YAAY,EAAE,YAAY,IAAI,UAAU,IAAI,CAAC;AAAA,YACrD,GAAI,IAAI,aAAa,EAAE,aAAa,IAAI,WAAW,IAAI,CAAC;AAAA,YACxD,GAAI,IAAI,UAAU,EAAE,UAAU,IAAI,QAAQ,IAAI,CAAC;AAAA,YAC/C,GAAI,IAAI,YAAY,EAAE,oBAAoB,KAAK,UAAU,IAAI,SAAS,EAAE,IAAI,CAAC;AAAA,YAC7E,GAAI,IAAI,cAAc,EAAE,cAAc,IAAI,YAA+B,IAAI,CAAC;AAAA,UAChF;AAAA,QACF;AAAA,MACF;AACA,UAAI,eAAe,wBAAwB;AAEzC,eAAO;AAAA,UACL,MAAM;AAAA,UACN,QAAQ;AAAA,YACN,MAAM;AAAA,YACN,oBAAoB;AAAA,YACpB,cAAc;AAAA,UAChB;AAAA,QACF;AAAA,MACF;AACA,UAAI,eAAe,oBAAoB;AACrC,gBAAQ,KAAK,+CAA+C;AAC5D,YAAI,SAAU,QAAO,EAAE,MAAM,SAAS,UAAU,MAAM,aAAa,iBAAiB;AACpF,eAAO;AAAA,UACL,MAAM;AAAA,UACN,QAAQ,EAAE,MAAM,aAAa,oBAAoB,4BAA4B;AAAA,QAC/E;AAAA,MACF;AACA,UAAI,eAAe,iBAAiB;AAClC,gBAAQ,KAAK,gCAAgC,IAAI,OAAO;AACxD,YAAI,SAAU,QAAO,EAAE,MAAM,SAAS,UAAU,MAAM,aAAa,kBAAkB;AACrF,eAAO,EAAE,MAAM,QAAQ,QAAQ,EAAE,MAAM,YAAY,EAAE;AAAA,MACvD;AAKA,YAAM,SAAU,KAAoC;AACpD,YAAM,UAAU,eAAe,QAAQ,IAAI,OAAO;AAClD,UAAI,WAAW,KAAK;AAClB,gBAAQ,KAAK,2DAAsD;AACnE,YAAI,SAAU,QAAO,EAAE,MAAM,SAAS,UAAU,MAAM,aAAa,iBAAiB;AACpF,eAAO;AAAA,UACL,MAAM;AAAA,UACN,QAAQ,EAAE,MAAM,aAAa,oBAAoB,4BAA4B;AAAA,QAC/E;AAAA,MACF;AACA,UAAI,YAAY,kBAAkB,YAAY,cAAc;AAC1D,gBAAQ,KAAK,gDAAgD,eAAe,QAAQ,IAAI,UAAU,GAAG;AACrG,YAAI,SAAU,QAAO,EAAE,MAAM,SAAS,UAAU,MAAM,aAAa,kBAAkB;AACrF,eAAO,EAAE,MAAM,QAAQ,QAAQ,EAAE,MAAM,YAAY,EAAE;AAAA,MACvD;AAKA,YAAM,UAAW,KAAkC;AACnD,YAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,YAAM,SAAS,UAAU,GAAG,OAAO,KAAK,GAAG,KAAK;AAChD,cAAQ,KAAK,gEAA2D,MAAM,EAAE;AAChF,UAAI,SAAU,QAAO,EAAE,MAAM,SAAS,UAAU,MAAM,aAAa,YAAY;AAC/E,aAAO,EAAE,MAAM,QAAQ,QAAQ,EAAE,MAAM,YAAY,EAAE;AAAA,IACvD;AAEA,UAAM,WAAW,KAAK;AACtB,UAAM,kBAAmB,KAAK,oBAAiC,CAAC;AAChE,UAAM,QAAQ,aAAa,WAAW,YAAY;AAElD,UAAM,IAAI,UAAU,EAAE,OAAO,UAAU,YAAY,QAAW,SAAS,iBAAiB,KAAK,KAAK,CAAC;AAEnG,QAAI,OAAO;AAGT,YAAM,QAAQ,KAAK;AACnB,aAAO;AAAA,QACL,MAAM;AAAA,QACN;AAAA,QACA,GAAI,UAAU,UAAa,EAAE,MAAM;AAAA,MACrC;AAAA,IACF;AASA,QAAI,gBAAgB,eAAe,GAAG;AACpC,YAAM,gBAAgB,MAAM,qBAAqB,GAAG;AACpD,UAAI,cAAe,QAAO,EAAE,MAAM,QAAQ,QAAQ,cAAc;AAAA,IAClE;AAEA,WAAO;AAAA,MACL,MAAM;AAAA,MACN,QAAQ;AAAA,QACN,MAAM;AAAA,QACN,UAAU,YAAY;AAAA,QACtB,SAAS;AAAA,QACT,YAAY,KAAK;AAAA,QACjB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,iBAAe,cAAcA,UAA8C;AACzE,QAAI;AACF,YAAM,IAAI,gBAAgB;AAAA,QACxB,eAAeA,SAAQ;AAAA,QACvB,eAAeA,SAAQ;AAAA,QACvB,SAASA,SAAQ;AAAA,QACjB,GAAIA,SAAQ,iBAAiB,EAAE,gBAAgBA,SAAQ,eAAe,IAAI,CAAC;AAAA,MAC7E,CAAC;AAAA,IACH,SAAS,KAAK;AAGZ,cAAQ,KAAK,+CAA+C,eAAe,QAAQ,IAAI,UAAU,GAAG;AAAA,IACtG;AAAA,EACF;AAKA,WAAS,mBACP,IACA,aACA,YAC0B;AAC1B,UAAM,OAAO,GAAG;AAChB,QAAI,SAAS,QAAQ;AACnB,aAAO;AAAA,QACL,MAAM;AAAA,QACN,iBAAkB,GAAG,oBAAkD;AAAA,QACvE,gBAAiB,GAAG,mBAAiD;AAAA,MACvE;AAAA,IACF;AACA,QAAI,SAAS,uCAAuC;AAClD,aAAO;AAAA,QACL,MAAM;AAAA,QACN,eAAgB,GAAG,kBAAyC;AAAA,QAC5D,mBACG,GAAG,sBAA6C;AAAA,MACrD;AAAA,IACF;AAEA,UAAM,SAAS,GAAG;AAClB,WAAO;AAAA,MACL,MAAM;AAAA,MACN,iBAAkB,GAAG,oBAAkD;AAAA,MACvE,sBAAuB,GAAG,mBAAiD;AAAA,MAC3E,gBAAiB,GAAG,mBAA0C;AAAA,MAC9D,cAAe,GAAG,iBAAwC;AAAA,MAC1D,eAAe,MAAM,QAAQ,MAAM,IAC9B,OAAqB,OAAO,CAAC,MAAmB,OAAO,MAAM,QAAQ,IACtE,CAAC;AAAA,MACL,mBACG,GAAG,sBAA6C;AAAA,IACrD;AAAA,EACF;AASA,WAAS,iBAAiB,gBAAmD;AAC3E,UAAM,cAAc,iBAAiB,cAAc;AACnD,UAAM,SAAS,MAAM,IAAI,WAAW;AACpC,QAAI,CAAC,OAAQ,QAAO;AACpB,UAAM,MAAM,OAAO;AACnB,QAAI,CAAC,IAAK,QAAO;AACjB,UAAM,WAAW,IAAI;AACrB,UAAM,eAAe,IAAI;AACzB,QAAI,CAAC,YAAY,CAAC,aAAc,QAAO;AAIvC,UAAM,aAAc,UAAU,iBAAwC;AACtE,WAAO;AAAA,MACL,cAAc,WAAW,mBAAmB,UAAU,aAAa,UAAU,IAAI;AAAA,MACjF,kBAAkB,gBAAgB;AAAA,IACpC;AAAA,EACF;AAEA,SAAO,EAAE,UAAU,eAAe,iBAAiB;AACrD;;;AGp2BA,IAAM,gBAAgB;AACtB,IAAM,qBAAqB;AAC3B,IAAM,iCAAiC;AAuBvC,eAAe,kCAAkC,YAA6C;AAC5F,QAAM,UAAW,WAAqE;AACtF,MAAI,CAAC,SAAS,eAAe,QAAQ,SAAS,cAAe,QAAO;AAEpE,QAAM,aAAa;AACnB,QAAM,MAAO,MAAM,OAAO,YAAY,MAAM,MAAM,IAAI;AACtD,MAAI,CAAC,KAAK,kBAAkB,CAAC,IAAI,yBAAyB,CAAC,IAAI,sCAAsC;AACnG,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,UAAU,IAAI,eAAe,EAAE,OAAO,QAAQ,WAAW;AAC/D,UAAM,UAAU,IAAI,sBAAsB,EAAE,OAAO,OAAO;AAC1D,UAAM,UAAU,IAAI,qCAAqC,EAAE,OAAO,QAAQ,YAAY;AAOtF,eAAW,MAAM,QAAQ,cAAc;AACrC,YAAM,YAAY,QAAQ,eAAe,GAAG,mBAAmB;AAC/D,UAAI,cAAc,iBAAiB,cAAc,mBAAoB;AACrE,YAAM,OAAO,GAAG;AAChB,UAAI,CAAC,QAAQ,KAAK,WAAW,KAAK,KAAK,CAAC,MAAM,+BAAgC;AAC9E,YAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAC7C,YAAM,iBAAiB,eAAe,CAAC;AACvC,UAAI,mBAAmB,OAAW;AAKlC,UAAI,kBAAkB,QAAQ,eAAe,QAAQ;AACnD,gBAAQ;AAAA,UACN;AAAA,QAEF;AACA;AAAA,MACF;AACA,YAAM,YAAY,QAAQ,eAAe,cAAc;AACvD,UAAI,UAAW,QAAO;AAAA,IACxB;AACA,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,YAAQ,KAAK,2CAA2C,eAAe,QAAQ,IAAI,UAAU,GAAG;AAChG,WAAO;AAAA,EACT;AACF;AAkBA,eAAsB,qBACpB,SACA,mBAC+B;AAE/B,QAAM,aAAa,QAAQ,QAAQ,IAAI,eAAe;AACtD,MAAI,YAAY;AACd,QAAI;AACF,YAAM,aAAa;AACnB,YAAM,OAAQ,MAAM,OAAO,YAAY,MAAM,MAAM,IAAI;AAMvD,UAAI,MAAM,YAAY,qBAAqB,UAAU,GAAG;AACtD,cAAM,aAAa,KAAK,WAAW,YAAY,OAAO;AACtD,cAAM,SAAU,WAAmC;AACnD,cAAM,WAAW,QAAQ,MAAM,0CAA0C;AACzE,YAAI,SAAU,QAAO,EAAE,SAAS,SAAS,CAAC,EAAG,YAAY,GAAG,SAAS,MAAM;AAE3E,cAAM,WAAW,QAAQ,MAAM,4EAA4E;AAC3G,YAAI,SAAU,QAAO,EAAE,SAAS,SAAS,CAAC,GAAI,SAAS,SAAS;AAIhE,cAAM,eAAe,MAAM,kCAAkC,UAAU;AACvE,YAAI,aAAc,QAAO,EAAE,SAAS,cAAc,SAAS,SAAS;AAAA,MACtE;AAAA,IACF,SAAS,KAAK;AACZ,cAAQ,KAAK,wCAAwC,eAAe,QAAQ,IAAI,UAAU,GAAG;AAAA,IAC/F;AAAA,EACF;AAGA,MAAI,mBAAmB;AACrB,QAAI;AACF,YAAM,UAAU,KAAK,iBAAiB;AACtC,YAAM,SAAS,KAAK,MAAM,OAAO;AAGjC,YAAM,OAAO,QAAQ,SAAS,eAAe;AAC7C,UAAI,OAAO,SAAS,YAAY,sBAAsB,KAAK,IAAI,GAAG;AAChE,eAAO,EAAE,SAAS,KAAK,YAAY,GAAG,SAAS,MAAM;AAAA,MACvD;AAAA,IACF,SAAS,KAAK;AACZ,cAAQ,KAAK,yCAAyC,eAAe,QAAQ,IAAI,UAAU,GAAG;AAAA,IAChG;AAAA,EACF;AAEA,SAAO;AACT;AAuBO,SAAS,sBAAsB,SAAsC;AAC1E,SACE,QAAQ,QAAQ,IAAI,mBAAmB,KACvC,QAAQ,QAAQ,IAAI,WAAW,KAC/B;AAEJ;;;ACrIA,SAAS,uBAAuB,KAAyC;AACvE,QAAM,QAAQ,IAAI,QAAQ,IAAI,kBAAkB;AAChD,QAAM,OAAO,IAAI,QAAQ,IAAI,kBAAkB;AAC/C,QAAM,WAA0B,CAAC;AACjC,MAAI,SAAS,MAAM,SAAS,EAAG,UAAS,gBAAgB;AACxD,MAAI,QAAQ,KAAK,SAAS,EAAG,UAAS,UAAU;AAChD,MAAI,SAAS,iBAAiB,SAAS,QAAS,QAAO;AACvD,SAAO;AACT;AAEA,SAAS,gBAAgB,MAAe,QAAgC;AACtE,SAAO,IAAI,SAAS,KAAK,UAAU,mBAAmB,MAAM,CAAC,GAAG;AAAA,IAC9D,QAAQ,mBAAmB,MAAM;AAAA,IACjC,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,EAChD,CAAC;AACH;AAkBO,SAAS,qBAAqB,SAAwE;AAC3G,QAAM,EAAE,kBAAkB,wBAAwB,WAAW,iBAAiB,GAAG,YAAY,IAAI;AACjG,QAAM,OAAO,qBAAqB,WAAoC;AAEtE,SAAO,OAAO,QAAuC;AACnD,UAAM,WAAW,gBAAgB,GAAG;AAKpC,UAAM,SAAS,MAAM,qBAAqB,KAAK,sBAAsB,GAAG,CAAC;AACzE,UAAM,UAAU,MAAM,KAAK,SAAS,UAAU,KAAK,MAAM;AAEzD,QAAI,QAAQ,SAAS,SAAS;AAC5B,YAAM,gBAAgB,UAAU,gBAC5B,CAAC,SACC,KAAK,cAAc,EAAE,eAAe,SAAS,eAAgB,GAAG,KAAK,CAAC,IACxE;AAIJ,YAAM,wBAAwB,UAAU,WAAW,CAAC,UAAU,gBAC1D,MAAM,KAAK,iBAAiB,SAAS,OAAQ,IAC7C;AACJ,aAAO;AAAA,QACL,SAAS;AAAA,QACT,MAAM,QAAQ;AAAA,QACd;AAAA,QACA,kBAAkB;AAAA,QAClB,GAAI,QAAQ,WAAW,EAAE,UAAU,MAAM,aAAa,QAAQ,YAAY,IAAI,CAAC;AAAA,QAC/E,GAAI,QAAQ,QAAQ,EAAE,OAAO,QAAQ,MAAM,IAAI,CAAC;AAAA,MAClD;AAAA,IACF;AAEA,UAAM,WAAW,MAAM,SAAS,KAAK,QAAQ,MAAM;AACnD,WAAO,EAAE,SAAS,OAAO,SAAS;AAAA,EACpC;AACF;;;ACvGO,SAAS,mBACd,SACA,SAwB8C;AAC9C,QAAM,QAAQ,qBAAqB,OAAO;AAC1C,SAAO,OAAO,KAAK,QAAQ;AACzB,UAAM,SAAS,MAAM,MAAM,GAAc;AACzC,QAAI,CAAC,OAAO,QAAS,QAAO,OAAO;AACnC,WAAO;AAAA,MACL;AAAA,MACA;AAAA,QACE,MAAM,OAAO;AAAA,QACb,eAAe,OAAO;AAAA,QACtB,kBAAkB,OAAO;AAAA,QACzB,GAAI,OAAO,WAAW,EAAE,UAAU,MAAM,aAAa,OAAO,YAAY,IAAI,CAAC;AAAA,QAC7E,GAAI,OAAO,QAAQ,EAAE,OAAO,OAAO,MAAM,IAAI,CAAC;AAAA,MAChD;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;AAsBO,SAAS,qBAAqB,SAAsG;AACzI,QAAM,QAAQ,qBAAqB,OAAO;AAC1C,SAAO,OAAO,QAAiB;AAC7B,UAAM,SAAS,MAAM,MAAM,GAAG;AAC9B,WAAO,OAAO,UAAU,SAAY,OAAO;AAAA,EAC7C;AACF;AAKO,SAAS,8BACd,SACA,SAC8C;AAC9C,QAAM,UAAU,mBAA+B,SAAS,OAAO;AAC/D,SAAO,OAAO,KAAW,QAAkC;AACzD,QAAI,CAAC,iBAAiB,GAAyB,GAAG;AAChD,YAAM,SAAS,QAAQ,KAAK,CAAC,GAAG,GAAG;AACnC,aAAO,kBAAkB,UAAU,SAAS,QAAQ,QAAQ,MAAM;AAAA,IACpE;AACA,WAAO,QAAQ,KAAK,GAAG;AAAA,EACzB;AACF;AAKO,SAAS,gCAAgC,SAAsG;AACpJ,QAAM,QAAQ,qBAAqB,OAAO;AAC1C,SAAO,OAAO,QAAiB;AAC7B,QAAI,CAAC,iBAAiB,GAAG,EAAG,QAAO;AACnC,UAAM,SAAS,MAAM,MAAM,GAAG;AAC9B,WAAO,OAAO,UAAU,SAAY,OAAO;AAAA,EAC7C;AACF;","names":["options"]}