@agent-score/commerce 2.0.2 → 2.1.1

package/dist/index.mjs

@@ -31,6 +31,27 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   mod
 ));
 
+// src/payment/network_kind.ts
+function readNetwork(input) {
+  if (typeof input === "string") return input;
+  if (input && typeof input === "object") {
+    const network = input.network;
+    return typeof network === "string" ? network : "";
+  }
+  return "";
+}
+function isEvmNetwork(input) {
+  return readNetwork(input).startsWith("eip155:");
+}
+function isSolanaNetwork(input) {
+  return readNetwork(input).startsWith("solana:");
+}
+var init_network_kind = __esm({
+  "src/payment/network_kind.ts"() {
+    "use strict";
+  }
+});
+
 // src/identity/ucp.ts
 function ucpSigningKeyFromJWKImpl(jwk) {
   if (!jwk || typeof jwk !== "object") {
@@ -160,7 +181,7 @@ function isTempoSessionRailSpec(s) {
 }
 function mppRailToNetworkEntry(spec) {
   if (isTempoSessionRailSpec(spec)) return tempoSessionToNetworkEntry(spec);
-  if ("rpcUrl" in spec || "tokenProgram" in spec || (spec.network?.startsWith("solana:") ?? false)) {
+  if ("rpcUrl" in spec || "tokenProgram" in spec || isSolanaNetwork(spec)) {
     return solanaMppToNetworkEntry(spec);
   }
   if (isTempoRailSpec(spec)) return tempoToNetworkEntry(spec);
@@ -217,6 +238,7 @@ var UCPSigningKey, DEFAULT_VERSION, AGENTSCORE_CAPABILITY_NAME, AGENTSCORE_CAPAB
 var init_ucp = __esm({
   "src/identity/ucp.ts"() {
     "use strict";
+    init_network_kind();
     UCPSigningKey = {
       fromJWK: ucpSigningKeyFromJWKImpl
     };
@@ -636,64 +658,6 @@ var init_ucp_jwks = __esm({
   }
 });
 
-// src/payment/usdc.ts
-var USDC;
-var init_usdc = __esm({
-  "src/payment/usdc.ts"() {
-    "use strict";
-    USDC = {
-      base: {
-        mainnet: { address: "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913", decimals: 6 },
-        sepolia: { address: "0x036CbD53842c5426634e7929541eC2318f3dCF7e", decimals: 6 }
-      },
-      solana: {
-        mainnet: { mint: "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v", decimals: 6 },
-        devnet: { mint: "4zMMC9srt5Ri5X14GAgXhaHii3GnPAEERYPJgZJDncDU", decimals: 6 }
-      },
-      tempo: {
-        mainnet: { address: "0x20C000000000000000000000b9537d11c60E8b50", decimals: 6 },
-        testnet: { address: "0x20c0000000000000000000000000000000000000", decimals: 6 }
-      }
-    };
-  }
-});
-
-// src/payment/wwwauthenticate.ts
-function paymentRequiredHeader({
-  x402Version,
-  accepts,
-  resource
-}) {
-  return Buffer.from(JSON.stringify({ x402Version, accepts, ...resource ? { resource } : {} })).toString("base64");
-}
-var init_wwwauthenticate = __esm({
-  "src/payment/wwwauthenticate.ts"() {
-    "use strict";
-  }
-});
-
-// src/payment/networks.ts
-var networks;
-var init_networks = __esm({
-  "src/payment/networks.ts"() {
-    "use strict";
-    networks = {
-      base: {
-        mainnet: { caip2: "eip155:8453", chainId: 8453 },
-        sepolia: { caip2: "eip155:84532", chainId: 84532 }
-      },
-      solana: {
-        mainnet: { caip2: "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp" },
-        devnet: { caip2: "solana:EtWTRABZaYq6iMfeYKouRu166VU2xqa1" }
-      },
-      tempo: {
-        mainnet: { caip2: "eip155:4217", chainId: 4217 },
-        testnet: { caip2: "eip155:42431", chainId: 42431 }
-      }
-    };
-  }
-});
-
 // node_modules/ox/_esm/core/Abi.js
 var init_Abi = __esm({
   "node_modules/ox/_esm/core/Abi.js"() {
@@ -20305,6 +20269,64 @@ var init_dist2 = __esm({
   }
 });
 
+// src/payment/usdc.ts
+var USDC;
+var init_usdc = __esm({
+  "src/payment/usdc.ts"() {
+    "use strict";
+    USDC = {
+      base: {
+        mainnet: { address: "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913", decimals: 6 },
+        sepolia: { address: "0x036CbD53842c5426634e7929541eC2318f3dCF7e", decimals: 6 }
+      },
+      solana: {
+        mainnet: { mint: "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v", decimals: 6 },
+        devnet: { mint: "4zMMC9srt5Ri5X14GAgXhaHii3GnPAEERYPJgZJDncDU", decimals: 6 }
+      },
+      tempo: {
+        mainnet: { address: "0x20C000000000000000000000b9537d11c60E8b50", decimals: 6 },
+        testnet: { address: "0x20c0000000000000000000000000000000000000", decimals: 6 }
+      }
+    };
+  }
+});
+
+// src/payment/wwwauthenticate.ts
+function paymentRequiredHeader({
+  x402Version,
+  accepts,
+  resource
+}) {
+  return Buffer.from(JSON.stringify({ x402Version, accepts, ...resource ? { resource } : {} })).toString("base64");
+}
+var init_wwwauthenticate = __esm({
+  "src/payment/wwwauthenticate.ts"() {
+    "use strict";
+  }
+});
+
+// src/payment/networks.ts
+var networks;
+var init_networks = __esm({
+  "src/payment/networks.ts"() {
+    "use strict";
+    networks = {
+      base: {
+        mainnet: { caip2: "eip155:8453", chainId: 8453 },
+        sepolia: { caip2: "eip155:84532", chainId: 84532 }
+      },
+      solana: {
+        mainnet: { caip2: "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp" },
+        devnet: { caip2: "solana:EtWTRABZaYq6iMfeYKouRu166VU2xqa1" }
+      },
+      tempo: {
+        mainnet: { caip2: "eip155:4217", chainId: 4217 },
+        testnet: { caip2: "eip155:42431", chainId: 42431 }
+      }
+    };
+  }
+});
+
 // src/payment/rails.ts
 function lookupRail(name) {
   return rails[name];
@@ -20968,6 +20990,20 @@ var RESERVED_FIELDS = /* @__PURE__ */ new Set([
   "actual_signer",
   "linked_wallets"
 ]);
+function buildVerificationRequiredBody(reason, opts = {}) {
+  const body = denialReasonToBody(reason);
+  body.error = {
+    code: "operator_verification_required",
+    message: opts.message ?? "Identity verification is required."
+  };
+  if (opts.agentInstructions !== void 0) {
+    body.agent_instructions = opts.agentInstructions;
+  }
+  if (opts.extra) {
+    for (const [k, v] of Object.entries(opts.extra)) body[k] = v;
+  }
+  return body;
+}
 function denialReasonToBody(reason) {
   const message = reason.message ?? DEFAULT_MESSAGES[reason.code];
   const body = { error: { code: reason.code, message } };
@@ -21125,7 +21161,7 @@ function createAgentScoreCore(options) {
   } = options;
   const baseUrl = stripTrailingSlashes(rawBaseUrl);
   const agentMemoryHint = buildAgentMemoryHint();
-  const defaultUa = `@agent-score/commerce@${"2.0.2"}`;
+  const defaultUa = `@agent-score/commerce@${"2.1.1"}`;
   const userAgentHeader = userAgent ? `${userAgent} (${defaultUa})` : defaultUa;
   const sdk = new AgentScore({ apiKey, baseUrl, userAgent: userAgentHeader });
   const sessionSdkCache = /* @__PURE__ */ new Map();
@@ -21417,6 +21453,13 @@ function createAgentScoreCore(options) {
   return { evaluate, captureWallet, getSignerVerdict };
 }
 
+// src/_headers.ts
+function normalizeHeadersToLowercase(headers) {
+  const out = {};
+  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
+  return out;
+}
+
 // src/signer.ts
 var TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";
 var TOKEN_2022_PROGRAM = "TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb";
@@ -21499,13 +21542,8 @@ async function extractPaymentSignerFromAuth(authHeader, x402PaymentHeader) {
 function readX402PaymentHeader(request) {
   return request.headers.get("payment-signature") ?? request.headers.get("x-payment") ?? void 0;
 }
-function lowerHeaders(headers) {
-  const out = {};
-  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
-  return out;
-}
 async function extractSignerForPrecheck(headers) {
-  const lower = lowerHeaders(headers);
+  const lower = normalizeHeadersToLowercase(headers);
   const x402 = lower["payment-signature"] ?? lower["x-payment"];
   if (x402) {
     const signer = await extractPaymentSignerFromAuth(void 0, x402);
@@ -21520,7 +21558,7 @@ async function extractSignerForPrecheck(headers) {
 
 // src/identity/a2a.ts
 var PROTOCOL_VERSION = "1.0";
-var DEFAULT_PROTOCOL_BINDING = "HTTP+JSON";
+var DEFAULT_TRANSPORT = "JSONRPC";
 var DEFAULT_INPUT_MODE = "application/json";
 var DEFAULT_OUTPUT_MODE = "application/json";
 var UCP_A2A_EXTENSION_URI = "https://ucp.dev/2026-04-08/specification/reference";
@@ -21540,30 +21578,33 @@ function buildA2AAgentCard(input) {
   }
   const capabilities = {};
   if (input.streaming !== void 0) capabilities.streaming = input.streaming;
-  if (input.push_notifications !== void 0) capabilities.push_notifications = input.push_notifications;
+  if (input.pushNotifications !== void 0) capabilities.pushNotifications = input.pushNotifications;
+  if (input.stateTransitionHistory !== void 0) capabilities.stateTransitionHistory = input.stateTransitionHistory;
   if (input.extensions && input.extensions.length > 0) capabilities.extensions = input.extensions;
-  if (input.extended_agent_card !== void 0) capabilities.extended_agent_card = input.extended_agent_card;
-  const primaryInterface = {
-    url: input.url,
-    protocol_binding: input.protocol_binding ?? DEFAULT_PROTOCOL_BINDING,
-    protocol_version: input.a2a_protocol_version ?? PROTOCOL_VERSION
-  };
   const card = {
     name: input.name,
     description: input.description,
-    supported_interfaces: [primaryInterface],
+    url: input.url,
+    preferredTransport: input.preferredTransport ?? "HTTP+JSON",
+    protocolVersion: input.protocolVersion ?? PROTOCOL_VERSION,
     version: input.version ?? "1.0.0",
     capabilities,
-    default_input_modes: input.default_input_modes ?? [DEFAULT_INPUT_MODE],
-    default_output_modes: input.default_output_modes ?? [DEFAULT_OUTPUT_MODE],
+    defaultInputModes: input.defaultInputModes ?? [DEFAULT_INPUT_MODE],
+    defaultOutputModes: input.defaultOutputModes ?? [DEFAULT_OUTPUT_MODE],
     skills: input.skills
   };
+  if (input.additionalInterfaces !== void 0 && input.additionalInterfaces.length > 0) {
+    card.additionalInterfaces = input.additionalInterfaces;
+  }
   if (input.provider !== void 0) card.provider = input.provider;
-  if (input.documentation_url !== void 0) card.documentation_url = input.documentation_url;
-  if (input.icon_url !== void 0) card.icon_url = input.icon_url;
+  if (input.documentationUrl !== void 0) card.documentationUrl = input.documentationUrl;
+  if (input.iconUrl !== void 0) card.iconUrl = input.iconUrl;
+  if (input.supportsAuthenticatedExtendedCard !== void 0) {
+    card.supportsAuthenticatedExtendedCard = input.supportsAuthenticatedExtendedCard;
+  }
   if (input.signatures !== void 0 && input.signatures.length > 0) card.signatures = input.signatures;
-  if (input.security_schemes !== void 0) card.security_schemes = input.security_schemes;
-  if (input.security_requirements !== void 0) card.security_requirements = input.security_requirements;
+  if (input.security !== void 0) card.security = input.security;
+  if (input.securitySchemes !== void 0) card.securitySchemes = input.securitySchemes;
   if (input.extras) {
     for (const [k, v] of Object.entries(input.extras)) {
       card[k] = v;
@@ -21571,89 +21612,250 @@ function buildA2AAgentCard(input) {
   }
   return card;
 }
+var A2A_PROTOCOL_VERSION = PROTOCOL_VERSION;
+var A2A_DEFAULT_TRANSPORT = DEFAULT_TRANSPORT;
 
 // src/index.ts
 init_ucp();
 init_ucp_jwks();
 
-// src/checkout.ts
-import { randomUUID } from "crypto";
-
-// src/payment/rail_spec.ts
-init_usdc();
-async function resolveRecipient(r) {
-  if (typeof r === "string") return r;
-  return Promise.resolve(r());
-}
-var RAIL_SPEC_DEFAULTS = {
-  tempo: {
-    network: "tempo-mainnet",
-    chainId: 4217,
-    token: USDC.tempo.mainnet.address,
-    symbol: "USDC.e",
-    decimals: 6,
-    testnet: false,
-    recommend: "both"
-  },
-  x402Base: {
-    network: "eip155:8453",
-    chainId: 8453,
-    token: USDC.base.mainnet.address,
-    symbol: "USDC",
-    decimals: 6,
-    mode: "exact"
-  },
-  solanaMpp: {
-    network: "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp",
-    token: USDC.solana.mainnet.mint,
-    symbol: "USDC",
-    decimals: 6
-  },
-  stripe: {
-    rails: ["card", "link", "shared_payment_token"]
-  },
-  tempoSession: {
-    currency: USDC.tempo.mainnet.address,
-    testnet: false
+// src/errors.ts
+var CheckoutValidationError = class extends Error {
+  code;
+  action;
+  status;
+  extra;
+  constructor(opts) {
+    super(opts.message);
+    this.name = "CheckoutValidationError";
+    this.code = opts.code;
+    this.action = opts.action ?? "fix_request";
+    this.status = opts.status ?? 400;
+    this.extra = opts.extra;
   }
 };
 
-// src/challenge/accepted_methods.ts
-async function buildAcceptedMethods({
-  tempo,
-  x402_base,
-  solana_mpp,
-  stripe
-}) {
-  const out = [];
-  if (tempo) {
-    out.push({
-      method: "tempo/charge",
-      network: tempo.network ?? RAIL_SPEC_DEFAULTS.tempo.network,
-      chain_id: tempo.chainId ?? RAIL_SPEC_DEFAULTS.tempo.chainId,
-      token: tempo.token ?? RAIL_SPEC_DEFAULTS.tempo.token,
-      symbol: tempo.symbol ?? RAIL_SPEC_DEFAULTS.tempo.symbol,
-      decimals: tempo.decimals ?? RAIL_SPEC_DEFAULTS.tempo.decimals,
-      pay_to: await resolveRecipient(tempo.recipient)
-    });
-  }
-  if (x402_base) {
-    out.push({
-      method: "x402/exact",
-      network: x402_base.network ?? RAIL_SPEC_DEFAULTS.x402Base.network,
-      chain_id: x402_base.chainId ?? RAIL_SPEC_DEFAULTS.x402Base.chainId,
-      token: x402_base.token ?? RAIL_SPEC_DEFAULTS.x402Base.token,
-      symbol: x402_base.symbol ?? RAIL_SPEC_DEFAULTS.x402Base.symbol,
-      decimals: x402_base.decimals ?? RAIL_SPEC_DEFAULTS.x402Base.decimals,
-      pay_to: await resolveRecipient(x402_base.recipient)
-    });
+// src/identity/policy.ts
+function buildGateFromPolicy(policy, base) {
+  if (!policy || !policy.enforcement) return null;
+  return {
+    apiKey: base.apiKey,
+    ...base.baseUrl !== void 0 && { baseUrl: base.baseUrl },
+    ...policy.requireKyc !== void 0 && { requireKyc: policy.requireKyc },
+    ...policy.requireSanctionsClear !== void 0 && {
+      requireSanctionsClear: policy.requireSanctionsClear
+    },
+    ...policy.minAge !== void 0 && { minAge: policy.minAge },
+    ...policy.allowedJurisdictions !== void 0 && {
+      allowedJurisdictions: [...policy.allowedJurisdictions]
+    }
+  };
+}
+async function runGateWithEnforcement(enforcement, runGate) {
+  if (!runGate || !enforcement) return { status: "anonymous" };
+  const outcome = await runGate();
+  if (outcome.ok) return { status: "verified" };
+  if (enforcement === "hard") {
+    return {
+      status: "denied",
+      denialStatus: outcome.status,
+      denialBody: outcome.body,
+      ...outcome.reason !== void 0 && { denialReason: outcome.reason }
+    };
   }
-  if (solana_mpp) {
-    out.push({
-      method: "solana/charge",
-      network: solana_mpp.network ?? RAIL_SPEC_DEFAULTS.solanaMpp.network,
-      token: solana_mpp.token ?? RAIL_SPEC_DEFAULTS.solanaMpp.token,
-      symbol: solana_mpp.symbol ?? RAIL_SPEC_DEFAULTS.solanaMpp.symbol,
+  return {
+    status: "unverified",
+    denialStatus: outcome.status,
+    denialBody: outcome.body,
+    ...outcome.reason !== void 0 && { denialReason: outcome.reason }
+  };
+}
+function shippingCountryAllowed(country, policy) {
+  if (!policy?.allowedShippingCountries || policy.allowedShippingCountries.length === 0) return true;
+  const allowed = new Set(policy.allowedShippingCountries.map((c) => c.toUpperCase()));
+  return allowed.has(country.toUpperCase());
+}
+function shippingStateAllowed(state, country, policy) {
+  if (!policy?.allowedShippingStates || policy.allowedShippingStates.length === 0) return true;
+  if (country.toUpperCase() !== "US") return true;
+  const allowed = new Set(policy.allowedShippingStates.map((s) => s.toUpperCase()));
+  return allowed.has(state.toUpperCase());
+}
+function validateShippingAgainstPolicy(opts) {
+  const code = opts.errorCode ?? "unsupported_jurisdiction";
+  const action = opts.errorAction ?? "change_shipping_state";
+  const item = opts.productName ? `'${opts.productName}'` : "this item";
+  if (!shippingCountryAllowed(opts.country, opts.policy)) {
+    throw new CheckoutValidationError({
+      code,
+      message: opts.countryMessage ?? `We can't ship ${item} to ${opts.country.toUpperCase() || "<unset>"}.`,
+      action
+    });
+  }
+  if (!shippingStateAllowed(opts.state, opts.country, opts.policy)) {
+    throw new CheckoutValidationError({
+      code,
+      message: opts.stateMessage ?? `We can't ship ${item} to ${opts.state.toUpperCase() || "<unset>"}.`,
+      action
+    });
+  }
+}
+
+// src/identity/tokens.ts
+import { createHash } from "crypto";
+
+// src/payment/payment_header.ts
+function toTitleCase(name) {
+  return name.replace(/(^|-)([a-z])/g, (_m, sep, c) => sep + c.toUpperCase());
+}
+function readHeader(headers, name) {
+  if (typeof headers.get === "function") {
+    return headers.get(name);
+  }
+  const rec = headers;
+  const v = rec[name] ?? rec[name.toLowerCase()] ?? rec[toTitleCase(name)];
+  if (typeof v === "string") return v;
+  if (Array.isArray(v) && typeof v[0] === "string") return v[0];
+  return null;
+}
+function asHeaders(input) {
+  return typeof input.headers === "object" && input instanceof Request ? input.headers : input;
+}
+function hasPaymentHeader(input) {
+  const headers = asHeaders(input);
+  return Boolean(
+    readHeader(headers, "payment-signature") || readHeader(headers, "x-payment") || readHeader(headers, "authorization")?.startsWith("Payment ")
+  );
+}
+function hasX402Header(input) {
+  const headers = asHeaders(input);
+  return Boolean(readHeader(headers, "payment-signature") || readHeader(headers, "x-payment"));
+}
+function hasMppxHeader(input) {
+  const headers = asHeaders(input);
+  return Boolean(readHeader(headers, "authorization")?.startsWith("Payment "));
+}
+
+// src/identity/tokens.ts
+function hashOperatorToken(plaintext) {
+  return createHash("sha256").update(plaintext, "utf8").digest("hex");
+}
+function extractOwnerScope(input) {
+  const headers = asHeaders(input);
+  const walletAddress = readHeader(headers, "x-wallet-address");
+  const operatorToken = readHeader(headers, "x-operator-token");
+  return {
+    ...walletAddress ? { walletAddress } : {},
+    ...operatorToken ? { operatorTokenHash: hashOperatorToken(operatorToken) } : {}
+  };
+}
+
+// src/checkout.ts
+import { randomUUID } from "crypto";
+
+// src/_mppx_receipt.ts
+function extractMppxReceiptHeaderFromRaw(raw) {
+  if (!raw || typeof raw !== "object" || !("withReceipt" in raw)) return null;
+  const fn = raw.withReceipt;
+  if (typeof fn !== "function") return null;
+  try {
+    const wrapped = fn.call(raw, new Response());
+    return wrapped.headers.get("Payment-Receipt");
+  } catch {
+    return null;
+  }
+}
+async function extractMppxReceiptMethod(header) {
+  try {
+    const { Receipt } = await Promise.resolve().then(() => (init_dist2(), dist_exports));
+    return Receipt.deserialize(header).method;
+  } catch {
+    return void 0;
+  }
+}
+async function deriveMppxReceiptMethod(raw) {
+  const direct = raw?.receipt?.method;
+  if (direct) return direct;
+  const header = extractMppxReceiptHeaderFromRaw(raw);
+  if (!header) return void 0;
+  return extractMppxReceiptMethod(header);
+}
+
+// src/payment/rail_spec.ts
+init_usdc();
+async function resolveRecipient(r) {
+  if (typeof r === "string") return r;
+  return Promise.resolve(r());
+}
+var RAIL_SPEC_DEFAULTS = {
+  tempo: {
+    network: "tempo-mainnet",
+    chainId: 4217,
+    token: USDC.tempo.mainnet.address,
+    symbol: "USDC.e",
+    decimals: 6,
+    testnet: false,
+    recommend: "both"
+  },
+  x402Base: {
+    network: "eip155:8453",
+    chainId: 8453,
+    token: USDC.base.mainnet.address,
+    symbol: "USDC",
+    decimals: 6,
+    mode: "exact"
+  },
+  solanaMpp: {
+    network: "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp",
+    token: USDC.solana.mainnet.mint,
+    symbol: "USDC",
+    decimals: 6
+  },
+  stripe: {
+    rails: ["card", "link", "shared_payment_token"]
+  },
+  tempoSession: {
+    currency: USDC.tempo.mainnet.address,
+    testnet: false
+  }
+};
+
+// src/challenge/accepted_methods.ts
+async function buildAcceptedMethods({
+  tempo,
+  x402_base,
+  solana_mpp,
+  stripe
+}) {
+  const out = [];
+  if (tempo) {
+    out.push({
+      method: "tempo/charge",
+      network: tempo.network ?? RAIL_SPEC_DEFAULTS.tempo.network,
+      chain_id: tempo.chainId ?? RAIL_SPEC_DEFAULTS.tempo.chainId,
+      token: tempo.token ?? RAIL_SPEC_DEFAULTS.tempo.token,
+      symbol: tempo.symbol ?? RAIL_SPEC_DEFAULTS.tempo.symbol,
+      decimals: tempo.decimals ?? RAIL_SPEC_DEFAULTS.tempo.decimals,
+      pay_to: await resolveRecipient(tempo.recipient)
+    });
+  }
+  if (x402_base) {
+    out.push({
+      method: "x402/exact",
+      network: x402_base.network ?? RAIL_SPEC_DEFAULTS.x402Base.network,
+      chain_id: x402_base.chainId ?? RAIL_SPEC_DEFAULTS.x402Base.chainId,
+      token: x402_base.token ?? RAIL_SPEC_DEFAULTS.x402Base.token,
+      symbol: x402_base.symbol ?? RAIL_SPEC_DEFAULTS.x402Base.symbol,
+      decimals: x402_base.decimals ?? RAIL_SPEC_DEFAULTS.x402Base.decimals,
+      pay_to: await resolveRecipient(x402_base.recipient)
+    });
+  }
+  if (solana_mpp) {
+    out.push({
+      method: "solana/charge",
+      network: solana_mpp.network ?? RAIL_SPEC_DEFAULTS.solanaMpp.network,
+      token: solana_mpp.token ?? RAIL_SPEC_DEFAULTS.solanaMpp.token,
+      symbol: solana_mpp.symbol ?? RAIL_SPEC_DEFAULTS.solanaMpp.symbol,
       decimals: solana_mpp.decimals ?? RAIL_SPEC_DEFAULTS.solanaMpp.decimals,
       pay_to: await resolveRecipient(solana_mpp.recipient)
     });
@@ -21803,10 +22005,13 @@ function buildHowToPay({
   totalUsd,
   rails: rails2,
   opTokenPlaceholder,
-  maxSpend
+  maxSpend,
+  decimals
 }) {
   const totalNum = typeof totalUsd === "string" ? Number(totalUsd) : totalUsd;
-  const maxSpendStr = String(maxSpend ?? (Math.ceil(totalNum) + 1).toFixed(2));
+  const d = decimals ?? 2;
+  const defaultMaxSpend = totalNum >= 1 ? (Math.ceil(totalNum) + 1).toFixed(d) : totalNum.toFixed(d);
+  const maxSpendStr = String(maxSpend ?? defaultMaxSpend);
   const opToken = opTokenPlaceholder ?? "<your_opc_token>";
   const block = {};
   if (rails2.tempo) {
@@ -21899,26 +22104,26 @@ function buildPricingBlock({
   totalCents,
   taxRate,
   taxState,
-  currency
+  currency,
+  decimals
 }) {
   const shipping = shippingCents ?? 0;
   const discount = discountCents ?? 0;
   const total = totalCents ?? Math.max(0, subtotalCents + taxCents + shipping - discount);
+  const d = decimals ?? 2;
+  const fmt = (cents) => (cents / 100).toFixed(d);
   const block = {
-    subtotal: formatCents(subtotalCents),
-    tax: formatCents(taxCents),
-    total: formatCents(total)
+    subtotal: fmt(subtotalCents),
+    tax: fmt(taxCents),
+    total: fmt(total)
   };
-  if (shippingCents !== void 0) block.shipping = formatCents(shipping);
-  if (discountCents !== void 0) block.discount = formatCents(discount);
+  if (shippingCents !== void 0) block.shipping = fmt(shipping);
+  if (discountCents !== void 0) block.discount = fmt(discount);
   if (taxRate !== void 0) block.tax_rate = taxRate;
   if (taxState !== void 0) block.tax_state = taxState;
   if (currency !== void 0) block.currency = currency;
   return block;
 }
-function formatCents(cents) {
-  return (cents / 100).toFixed(2);
-}
 
 // src/challenge/respond_402.ts
 init_wwwauthenticate();
@@ -21927,10 +22132,7 @@ function respond402({
   body,
   x402
 }) {
-  const headers = {};
-  for (const [k, v] of Object.entries(mppxChallengeHeaders)) {
-    headers[k.toLowerCase()] = v;
-  }
+  const headers = normalizeHeadersToLowercase(mppxChallengeHeaders);
   headers["content-type"] = "application/json";
   if (x402) {
     headers["payment-required"] = paymentRequiredHeader(x402);
@@ -21957,6 +22159,12 @@ function buildValidationError({
   return body;
 }
 
+// src/payment/constants.ts
+var STRIPE_MIN_CHARGE_USD = 0.5;
+
+// src/payment/mppx_server.ts
+import { AsyncLocalStorage } from "async_hooks";
+
 // src/stripe-multichain/mppx_stripe.ts
 async function createMppxStripe({
   profileId,
@@ -21993,7 +22201,8 @@ function isSolanaMppRailSpec(s) {
   return s.network?.startsWith("solana:") ?? false;
 }
 function solanaNetworkFromCAIP2(caip2) {
-  if (caip2 === networks.solana.devnet.caip2) return "devnet";
+  if (caip2 === "devnet" || caip2 === networks.solana.devnet.caip2) return "devnet";
+  if (caip2 === "localnet") return "localnet";
   return "mainnet-beta";
 }
 function solanaDefaultRpcUrl(network) {
@@ -22136,6 +22345,31 @@ function wrapSolanaChargeWithFinalizedBlockhash(baseMethod, rpcUrl) {
     }
   };
 }
+var mppxCapture = new AsyncLocalStorage();
+var consoleErrorPatched = false;
+function ensureConsoleErrorPatch() {
+  if (consoleErrorPatched) return;
+  consoleErrorPatched = true;
+  const original = console.error.bind(console);
+  console.error = function captureMppxInternal(...args) {
+    if (args[0] === "mppx: internal verification error" && args[1] !== void 0) {
+      const ctx = mppxCapture.getStore();
+      if (ctx) {
+        const e = args[1];
+        const reason = typeof e?.shortMessage === "string" ? e.shortMessage : typeof e?.message === "string" ? e.message : String(args[1]);
+        const details = e?.details;
+        ctx.reason = typeof details === "string" && details.length > 0 ? `${reason} (${details})` : reason;
+      }
+    }
+    return original(...args);
+  };
+}
+async function runWithMppxFailureCapture(fn) {
+  ensureConsoleErrorPatch();
+  const ctx = { reason: null };
+  const result = await mppxCapture.run(ctx, fn);
+  return { result, failureReason: ctx.reason };
+}
 
 // src/payment/x402_server.ts
 init_networks();
@@ -22277,6 +22511,29 @@ function lazyMppxServer(opts) {
   };
 }
 
+// src/payment/mppx_failures.ts
+var TEMPO_KEY_NOT_REGISTERED = {
+  code: "tempo_key_not_registered",
+  status: 401,
+  message: "Tempo rejected the transaction: signer wallet is not registered with Tempo's keychain.",
+  nextSteps: {
+    action: "register_tempo_key",
+    user_message: "Your wallet is not enrolled with Tempo. Run `tempo wallet login` to complete the one-time WebAuthn enrollment (or use `tempo request` directly), then retry. To skip enrollment, switch to the Base or Solana rail on this 402."
+  },
+  extra: { upstream_error: "KeyNotFound", chain: "tempo" }
+};
+function classifyMppxFailure(reason) {
+  if (!reason) return null;
+  const lower = reason.toLowerCase();
+  if (lower.includes("keychain validation failed") || lower.includes("keynotfound")) {
+    return TEMPO_KEY_NOT_REGISTERED;
+  }
+  return null;
+}
+
+// src/checkout.ts
+init_network_kind();
+
 // src/payment/x402_settle.ts
 function classifyX402SettleResult(result) {
   if (result.success) return null;
@@ -22568,12 +22825,14 @@ function pricingResult(opts) {
       ...opts.discountCents !== void 0 && { discountCents: opts.discountCents },
       ...opts.taxRate !== void 0 && { taxRate: opts.taxRate },
       ...opts.taxState !== void 0 && { taxState: opts.taxState },
-      currency
+      currency,
+      ...opts.decimals !== void 0 && { decimals: opts.decimals }
     });
     return {
       amountUsd: derivedAmount,
       currency,
       block,
+      ...opts.decimals !== void 0 && { decimals: opts.decimals },
       ...opts.product !== void 0 && { product: opts.product },
       ...opts.bodyExtras !== void 0 && { bodyExtras: opts.bodyExtras }
     };
@@ -22584,6 +22843,7 @@ function pricingResult(opts) {
   return {
     amountUsd: opts.amountUsd,
     currency,
+    ...opts.decimals !== void 0 && { decimals: opts.decimals },
     ...opts.product !== void 0 && { product: opts.product },
     ...opts.bodyExtras !== void 0 && { bodyExtras: opts.bodyExtras }
   };
@@ -22595,35 +22855,8 @@ function getIdentityStatus(ctx) {
   if (decision === "allow") return "verified";
   return "unverified";
 }
-var CheckoutValidationError = class extends Error {
-  code;
-  action;
-  status;
-  extra;
-  constructor(opts) {
-    super(opts.message);
-    this.name = "CheckoutValidationError";
-    this.code = opts.code;
-    this.action = opts.action ?? "fix_request";
-    this.status = opts.status ?? 400;
-    this.extra = opts.extra;
-  }
-};
-function lowerHeaders2(headers) {
-  const out = {};
-  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
-  return out;
-}
-function hasX402Header(headers) {
-  const h = lowerHeaders2(headers);
-  return Boolean(h["payment-signature"] ?? h["x-payment"]);
-}
-function hasMppxHeader(headers) {
-  const h = lowerHeaders2(headers);
-  return (h["authorization"] ?? "").startsWith("Payment ");
-}
 function resolveIdentityMetadata(ctx) {
-  const h = lowerHeaders2(ctx.request.headers);
+  const h = normalizeHeadersToLowercase(ctx.request.headers);
   const wallet = h["x-wallet-address"];
   if (!wallet) return void 0;
   let linkedWallets;
@@ -22652,26 +22885,24 @@ function isTempoSessionRailSpec3(s) {
 function specRailKey(spec) {
   if (isStripeRailSpec2(spec)) return "stripe";
   if (isTempoSessionRailSpec3(spec)) return "tempo_mpp";
-  const network = spec.network ?? "";
-  if (network.startsWith("eip155:")) return "x402_base";
-  if (network.startsWith("solana:") || "rpcUrl" in spec) return "solana_mpp";
+  if (isEvmNetwork(spec)) return "x402_base";
+  if (isSolanaNetwork(spec) || "rpcUrl" in spec) return "solana_mpp";
   return "tempo_mpp";
 }
 function specMethodName(spec) {
   if (isStripeRailSpec2(spec)) return "stripe/spt";
   if (isTempoSessionRailSpec3(spec)) return "tempo/charge";
-  const network = spec.network ?? "";
-  if (network.startsWith("eip155:")) return "x402/exact (base)";
-  if (network.startsWith("solana:") || "rpcUrl" in spec) return "solana/charge";
+  if (isEvmNetwork(spec)) return "x402/exact (base)";
+  if (isSolanaNetwork(spec) || "rpcUrl" in spec) return "solana/charge";
   return "tempo/charge";
 }
 function makeMppxComposeHook(opts) {
   return async (ctx) => {
     if (ctx.pricing === null) return { status: 402 };
     const mpp = await opts.serverGetter();
-    const lower = lowerHeaders2(ctx.request.headers);
+    const lower = normalizeHeadersToLowercase(ctx.request.headers);
     const authorization = lower["authorization"];
-    const amountStr = ctx.pricing.amountUsd.toFixed(2);
+    const amountStr = ctx.pricing.amountUsd.toFixed(ctx.pricing.decimals ?? 2);
     let result;
     try {
       result = await mpp.charge({ authorization, amount: amountStr });
@@ -22755,7 +22986,7 @@ var Checkout = class {
     let x402ServerGetter;
     if (x402Server === void 0) {
       const baseSpec = Object.values(opts.rails).find(
-        (s) => !isTempoSessionRailSpec3(s) && !isStripeRailSpec2(s) && "recipient" in s && (s.network ?? "").startsWith("eip155:")
+        (s) => !isTempoSessionRailSpec3(s) && !isStripeRailSpec2(s) && "recipient" in s && isEvmNetwork(s)
       );
       if (baseSpec !== void 0) {
         x402ServerGetter = lazyX402Server({
@@ -22845,7 +23076,7 @@ var Checkout = class {
    *  `"x402_base"` when no match found. */
   x402RailKey() {
     for (const [k, v] of Object.entries(this.rails)) {
-      if (!isStripeRailSpec2(v) && !isTempoSessionRailSpec3(v) && (v.network ?? "").startsWith("eip155:")) {
+      if (!isStripeRailSpec2(v) && !isTempoSessionRailSpec3(v) && isEvmNetwork(v)) {
         return k;
       }
     }
@@ -22854,8 +23085,7 @@ var Checkout = class {
   /** Return the rails-dict key for the primary MPP rail. */
   mppRailKey() {
     for (const [k, v] of Object.entries(this.rails)) {
-      const network = v.network ?? "";
-      if (!isStripeRailSpec2(v) && !network.startsWith("eip155:")) return k;
+      if (!isStripeRailSpec2(v) && !isEvmNetwork(v)) return k;
     }
     return "tempo";
   }
@@ -22874,17 +23104,15 @@ var Checkout = class {
     if (method === "solana") {
       for (const [k, v] of Object.entries(this.rails)) {
         if (isStripeRailSpec2(v) || isTempoSessionRailSpec3(v)) continue;
-        const network = v.network ?? "";
-        if (network.startsWith("solana:") || "rpcUrl" in v || "tokenProgram" in v) return k;
+        if (isSolanaNetwork(v) || "rpcUrl" in v || "tokenProgram" in v) return k;
       }
       return void 0;
     }
     if (method === "tempo") {
       for (const [k, v] of Object.entries(this.rails)) {
         if (isStripeRailSpec2(v)) continue;
-        const network = v.network ?? "";
-        if (network.startsWith("solana:") || "rpcUrl" in v || "tokenProgram" in v) continue;
-        if (network.startsWith("eip155:")) continue;
+        if (isSolanaNetwork(v) || "rpcUrl" in v || "tokenProgram" in v) continue;
+        if (isEvmNetwork(v)) continue;
         return k;
       }
       return void 0;
@@ -22897,7 +23125,7 @@ var Checkout = class {
   get x402BaseNetwork() {
     if (!this.x402ServerAvailable()) return null;
     for (const spec of Object.values(this.rails)) {
-      if (!isStripeRailSpec2(spec) && !isTempoSessionRailSpec3(spec) && (spec.network ?? "").startsWith("eip155:")) {
+      if (!isStripeRailSpec2(spec) && !isTempoSessionRailSpec3(spec) && isEvmNetwork(spec)) {
         return spec.network ?? "eip155:8453";
       }
     }
@@ -22949,8 +23177,8 @@ var Checkout = class {
         throw err;
       }
     }
-    const hasPaymentHeader = hasX402Header(request.headers) || hasMppxHeader(request.headers);
-    if (this.gate !== void 0 && hasPaymentHeader) {
+    const hasPaymentHeader2 = hasX402Header(request.headers) || hasMppxHeader(request.headers);
+    if (this.gate !== void 0 && hasPaymentHeader2) {
       const denial = await this.runGate(ctx);
       if (denial !== null) {
         return {
@@ -22963,7 +23191,14 @@ var Checkout = class {
       }
     }
     ctx.pricing = await this.computePricing(ctx);
-    await this.resolveRecipientsForCtx(ctx);
+    try {
+      await this.resolveRecipientsForCtx(ctx);
+    } catch (err) {
+      if (err instanceof Error && err.name === "CheckoutValidationError") {
+        return this.validationErrorResult(ctx, err);
+      }
+      throw err;
+    }
     const x402ServerOk = this.x402ServerAvailable() && this.x402BaseNetwork !== null;
     if (hasX402Header(request.headers) && x402ServerOk) {
       const zero = await this.handleZeroSettle(ctx, "x402-base");
@@ -23034,13 +23269,21 @@ var Checkout = class {
       ...gate.failOpen !== void 0 && { failOpen: gate.failOpen },
       ...gate.cacheSeconds !== void 0 && { cacheSeconds: gate.cacheSeconds },
       ...gate.chain !== void 0 && { chain: gate.chain },
-      ...gate.createSessionOnMissing !== void 0 && {
-        createSessionOnMissing: gate.createSessionOnMissing
+      // Auto-default `createSessionOnMissing` from gate config when the merchant
+      // didn't supply one. Matches python-commerce's behavior — every gated route
+      // gets the bootstrap session-mint UX out of the box. Merchants who need
+      // custom session context or onBeforeSession side effects (goods merchants
+      // pre-minting an order_id) supply their own config instead.
+      createSessionOnMissing: gate.createSessionOnMissing ?? {
+        apiKey: gate.apiKey,
+        ...gate.baseUrl !== void 0 && { baseUrl: gate.baseUrl },
+        ...gate.context !== void 0 && { context: gate.context },
+        ...gate.merchantName !== void 0 && { productName: gate.merchantName }
       },
       ...policyOverride ?? {}
     };
     const core = createAgentScoreCore(coreOpts);
-    const headers = lowerHeaders2(ctx.request.headers);
+    const headers = normalizeHeadersToLowercase(ctx.request.headers);
     const walletAddress = headers["x-wallet-address"];
     const operatorToken = headers["x-operator-token"];
     const identity = walletAddress !== void 0 || operatorToken !== void 0 ? {
@@ -23102,7 +23345,7 @@ var Checkout = class {
     if (!this.zeroSettleCarveOut || ctx.pricing === null) return null;
     const cents = Math.round(ctx.pricing.amountUsd * 100);
     if (cents !== 0) return null;
-    const headers = lowerHeaders2(ctx.request.headers);
+    const headers = normalizeHeadersToLowercase(ctx.request.headers);
     let zero;
     if (rail === "x402-base") {
       const x402Header = headers["payment-signature"] ?? headers["x-payment"];
@@ -23176,7 +23419,7 @@ var Checkout = class {
       resourceConfig: {
         scheme: "exact",
         network: verified.signedNetwork,
-        price: `$${ctx.pricing.amountUsd.toFixed(2)}`,
+        price: `$${ctx.pricing.amountUsd.toFixed(ctx.pricing.decimals ?? 2)}`,
         payTo: verified.signedPayTo,
         maxTimeoutSeconds: 300
       },
@@ -23235,7 +23478,9 @@ var Checkout = class {
     if (this.composeMppx === void 0) {
       throw new Error("Checkout.handleMppx: composeMppx hook not configured");
     }
-    const composed = await this.composeMppx(ctx);
+    const { result: composed, failureReason } = await runWithMppxFailureCapture(
+      async () => this.composeMppx(ctx)
+    );
     if (composed.status === 200) {
       const paymentReceiptHeader = composed.paymentReceiptHeader ?? extractMppxReceiptHeaderFromRaw(composed.raw);
       const directMethod = composed.raw?.receipt?.method;
@@ -23254,6 +23499,22 @@ var Checkout = class {
       };
       return await this.buildSuccess(ctx, outcome);
     }
+    const classified = classifyMppxFailure(failureReason);
+    if (classified !== null) {
+      return {
+        status: classified.status,
+        body: buildValidationError({
+          code: classified.code,
+          message: classified.message,
+          nextSteps: classified.nextSteps,
+          ...classified.extra && { extra: classified.extra }
+        }),
+        headers: { ...composed.headers ?? {} },
+        referenceId: ctx.referenceId,
+        settled: false,
+        settlePhase: "verify_failed"
+      };
+    }
     return {
       status: 400,
       body: buildValidationError({
@@ -23272,7 +23533,11 @@ var Checkout = class {
       throw new Error("Checkout.emit402: pricing not computed");
     }
     await this.resolveRecipientsForCtx(ctx);
-    const emitRails = applyRecipientOverrides(this.rails, ctx.recipients);
+    let emitRails = applyRecipientOverrides(this.rails, ctx.recipients);
+    if (ctx.pricing.amountUsd < STRIPE_MIN_CHARGE_USD && emitRails.stripe !== void 0) {
+      const { stripe: _stripe, ...rest } = emitRails;
+      emitRails = rest;
+    }
     const accepted = await buildAcceptedMethods({
       tempo: pickRail(emitRails, "tempo"),
       x402_base: pickRail(emitRails, "x402_base"),
@@ -23285,15 +23550,18 @@ var Checkout = class {
         howToPayRails[k] = v;
       }
     }
+    const pricingDecimals = ctx.pricing.decimals ?? 2;
     const howToPay = buildHowToPay({
       url: this.url,
       retryBodyJson: JSON.stringify(ctx.request.body),
-      totalUsd: ctx.pricing.amountUsd.toFixed(2),
-      rails: howToPayRails
+      totalUsd: ctx.pricing.amountUsd.toFixed(pricingDecimals),
+      rails: howToPayRails,
+      ...ctx.pricing.decimals !== void 0 && { decimals: ctx.pricing.decimals }
     });
     const pricingBlock = ctx.pricing.block ?? buildPricingBlock({
-      subtotalCents: Math.round(ctx.pricing.amountUsd * 100),
-      currency: ctx.pricing.currency ?? "USD"
+      subtotalCents: ctx.pricing.amountUsd * 100,
+      currency: ctx.pricing.currency ?? "USD",
+      ...ctx.pricing.decimals !== void 0 && { decimals: ctx.pricing.decimals }
     });
     let x402Accepts = [];
     let x402Resource;
@@ -23306,7 +23574,7 @@ var Checkout = class {
         try {
           x402Accepts = await buildX402AcceptsFor402(x402Server, {
             network: baseNetwork,
-            price: `$${ctx.pricing.amountUsd.toFixed(2)}`,
+            price: `$${ctx.pricing.amountUsd.toFixed(pricingDecimals)}`,
             payTo: recipient,
             maxTimeoutSeconds: 300
           });
@@ -23322,7 +23590,7 @@ var Checkout = class {
       agentInstructions: buildAgentInstructions({ howToPay }),
       ...identityMetadata !== void 0 ? { identityMetadata } : {},
       pricing: pricingBlock,
-      amountUsd: ctx.pricing.amountUsd.toFixed(2),
+      amountUsd: ctx.pricing.amountUsd.toFixed(pricingDecimals),
       retryBody: ctx.request.body,
       agentMemory: firstEncounterAgentMemory({ firstEncounter: true }),
       ...ctx.pricing.product ? { product: ctx.pricing.product } : {},
@@ -23430,25 +23698,6 @@ function stripContentType(headers) {
   }
   return out;
 }
-function extractMppxReceiptHeaderFromRaw(raw) {
-  if (!raw || typeof raw !== "object" || !("withReceipt" in raw)) return null;
-  const fn = raw.withReceipt;
-  if (typeof fn !== "function") return null;
-  try {
-    const wrapped = fn.call(raw, new Response());
-    return wrapped.headers.get("Payment-Receipt");
-  } catch {
-    return null;
-  }
-}
-async function extractMppxReceiptMethod(header) {
-  try {
-    const { Receipt } = await Promise.resolve().then(() => (init_dist2(), dist_exports));
-    return Receipt.deserialize(header).method;
-  } catch {
-    return void 0;
-  }
-}
 function headersToRecord(h) {
   if (h === void 0) return {};
   if (h instanceof Headers) {
@@ -23691,78 +23940,6 @@ Checkout.prototype.mountUcpRoutesFastify = function(app, opts) {
   app.options(jwksPath, preflight);
 };
 
-// src/identity/policy.ts
-function buildGateFromPolicy(policy, base) {
-  if (!policy || !policy.enforcement) return null;
-  return {
-    apiKey: base.apiKey,
-    ...base.baseUrl !== void 0 && { baseUrl: base.baseUrl },
-    ...policy.requireKyc !== void 0 && { requireKyc: policy.requireKyc },
-    ...policy.requireSanctionsClear !== void 0 && {
-      requireSanctionsClear: policy.requireSanctionsClear
-    },
-    ...policy.minAge !== void 0 && { minAge: policy.minAge },
-    ...policy.allowedJurisdictions !== void 0 && {
-      allowedJurisdictions: [...policy.allowedJurisdictions]
-    }
-  };
-}
-async function runGateWithEnforcement(enforcement, runGate) {
-  if (!runGate || !enforcement) return { status: "anonymous" };
-  const outcome = await runGate();
-  if (outcome.ok) return { status: "verified" };
-  if (enforcement === "hard") {
-    return {
-      status: "denied",
-      denialStatus: outcome.status,
-      denialBody: outcome.body,
-      ...outcome.reason !== void 0 && { denialReason: outcome.reason }
-    };
-  }
-  return {
-    status: "unverified",
-    denialStatus: outcome.status,
-    denialBody: outcome.body,
-    ...outcome.reason !== void 0 && { denialReason: outcome.reason }
-  };
-}
-function shippingCountryAllowed(country, policy) {
-  if (!policy?.allowedShippingCountries || policy.allowedShippingCountries.length === 0) return true;
-  const allowed = new Set(policy.allowedShippingCountries.map((c) => c.toUpperCase()));
-  return allowed.has(country.toUpperCase());
-}
-function shippingStateAllowed(state, country, policy) {
-  if (!policy?.allowedShippingStates || policy.allowedShippingStates.length === 0) return true;
-  if (country.toUpperCase() !== "US") return true;
-  const allowed = new Set(policy.allowedShippingStates.map((s) => s.toUpperCase()));
-  return allowed.has(state.toUpperCase());
-}
-function validateShippingAgainstPolicy(opts) {
-  const code = opts.errorCode ?? "unsupported_jurisdiction";
-  const action = opts.errorAction ?? "change_shipping_state";
-  const item = opts.productName ? `'${opts.productName}'` : "this item";
-  if (!shippingCountryAllowed(opts.country, opts.policy)) {
-    throw new CheckoutValidationError({
-      code,
-      message: opts.countryMessage ?? `We can't ship ${item} to ${opts.country.toUpperCase() || "<unset>"}.`,
-      action
-    });
-  }
-  if (!shippingStateAllowed(opts.state, opts.country, opts.policy)) {
-    throw new CheckoutValidationError({
-      code,
-      message: opts.stateMessage ?? `We can't ship ${item} to ${opts.state.toUpperCase() || "<unset>"}.`,
-      action
-    });
-  }
-}
-
-// src/identity/tokens.ts
-import { createHash } from "crypto";
-function hashOperatorToken(plaintext) {
-  return createHash("sha256").update(plaintext, "utf8").digest("hex");
-}
-
 // src/payment/index.ts
 init_directive();
 init_networks();
@@ -23775,8 +23952,45 @@ init_directive();
 init_wwwauthenticate();
 
 // src/payment/amounts.ts
-function formatUsdCents(cents) {
-  return (cents / 100).toFixed(2);
+function usdToAtomic(usd, opts) {
+  const { decimals } = opts;
+  if (!Number.isInteger(decimals) || decimals < 0) {
+    throw new RangeError(`decimals must be a non-negative integer, got ${decimals}`);
+  }
+  if (typeof usd === "number") {
+    if (!Number.isFinite(usd)) {
+      throw new RangeError(`usd must be finite, got ${usd}`);
+    }
+    if (usd < 0) {
+      throw new RangeError(`usd must be non-negative, got ${usd}`);
+    }
+  }
+  const s = (typeof usd === "number" ? usd.toString() : usd).trim();
+  if (s.startsWith("-")) {
+    throw new RangeError(`usd must be non-negative, got ${s}`);
+  }
+  if (s === "NaN" || s === "Infinity") {
+    throw new RangeError(`usd must be finite, got ${s}`);
+  }
+  const match = /^(\d*)(?:\.(\d*))?$/.exec(s);
+  if (!match || match[1] === "" && (match[2] === void 0 || match[2] === "")) {
+    throw new SyntaxError(`invalid usd value: ${JSON.stringify(usd)}`);
+  }
+  const intPart = match[1] || "0";
+  const fracPart = match[2] ?? "";
+  if (fracPart.length <= decimals) {
+    return BigInt(intPart + fracPart.padEnd(decimals, "0"));
+  }
+  const kept = fracPart.slice(0, decimals);
+  const roundDigit = fracPart[decimals];
+  let result = BigInt(intPart + kept);
+  if (roundDigit >= "5") {
+    result += 1n;
+  }
+  return result;
+}
+function formatUsdCents(cents, decimals = 2) {
+  return (cents / 100).toFixed(decimals);
 }
 
 // src/payment/solana.ts
@@ -23799,7 +24013,643 @@ async function loadSolanaFeePayer(opts) {
   }
   return kit.createKeyPairSignerFromPrivateKeyBytes(bytes);
 }
+
+// src/payment/compose_rails.ts
+init_usdc();
+var warnedStripeBelowMinimum = false;
+function buildMppxComposeRails(opts) {
+  const rails2 = [];
+  if (opts.tempoRecipient) {
+    rails2.push(["tempo/charge", {
+      amount: opts.amountUsd,
+      currency: opts.tempoTokenAddress ?? USDC.tempo.mainnet.address,
+      decimals: 6,
+      recipient: opts.tempoRecipient
+    }]);
+  }
+  if (opts.solanaRecipient) {
+    const atomic = usdToAtomic(opts.amountUsd, { decimals: 6 });
+    rails2.push(["solana/charge", {
+      amount: atomic.toString(),
+      currency: opts.solanaTokenMint ?? USDC.solana.mainnet.mint,
+      decimals: 6,
+      recipient: opts.solanaRecipient,
+      network: opts.solanaNetwork ?? "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp"
+    }]);
+  }
+  if (opts.includeStripe !== false) {
+    const amountUsdNumeric = Number(opts.amountUsd);
+    if (Number.isFinite(amountUsdNumeric) && amountUsdNumeric < STRIPE_MIN_CHARGE_USD) {
+      if (!warnedStripeBelowMinimum) {
+        warnedStripeBelowMinimum = true;
+        console.warn(
+          `[buildMppxComposeRails] Dropping stripe/charge rail: amountUsd=${opts.amountUsd} is below Stripe's $${STRIPE_MIN_CHARGE_USD.toFixed(2)} USD minimum. Stripe's fixed ~$0.30 fee makes sub-50-cent charges unprofitable (and many accounts reject PI creation with amount_too_small below this floor). Pass includeStripe: false to suppress this warning.`
+        );
+      }
+    } else {
+      rails2.push(["stripe/charge", { amount: opts.amountUsd, currency: "usd", decimals: 2 }]);
+    }
+  }
+  return rails2;
+}
+
+// src/payment/default_rails.ts
+init_networks();
+init_usdc();
+function buildDefaultCheckoutRails(opts) {
+  const out = {};
+  if (opts.tempo) {
+    out.tempo = { recipient: "", ...RAIL_SPEC_DEFAULTS.tempo, ...opts.tempo };
+  }
+  if (opts.x402Base) {
+    const merged = { recipient: "", ...RAIL_SPEC_DEFAULTS.x402Base, ...opts.x402Base };
+    if (merged.network === networks.base.sepolia.caip2) {
+      if (opts.x402Base.chainId === void 0) merged.chainId = networks.base.sepolia.chainId;
+      if (opts.x402Base.token === void 0) merged.token = USDC.base.sepolia.address;
+    } else if (merged.network === networks.base.mainnet.caip2) {
+      if (opts.x402Base.chainId === void 0) merged.chainId = networks.base.mainnet.chainId;
+      if (opts.x402Base.token === void 0) merged.token = USDC.base.mainnet.address;
+    }
+    out.x402_base = merged;
+  }
+  if (opts.solanaMpp) {
+    const merged = { recipient: "", ...RAIL_SPEC_DEFAULTS.solanaMpp, ...opts.solanaMpp };
+    const isDevnet = merged.network === "devnet" || merged.network === networks.solana.devnet.caip2;
+    if (isDevnet && opts.solanaMpp.token === void 0) {
+      merged.token = USDC.solana.devnet.mint;
+    }
+    out.solana_mpp = merged;
+  }
+  if (opts.stripe) {
+    out.stripe = { ...RAIL_SPEC_DEFAULTS.stripe, ...opts.stripe };
+  }
+  return out;
+}
+
+// src/payment/index.ts
+init_network_kind();
+
+// src/checkout_compute_first.ts
+import { randomUUID as randomUUID2 } from "crypto";
+
+// src/discovery/index.ts
+init_probe();
+
+// src/discovery/agentscore_content.ts
+var PURCHASE_MODE_NOTES = Object.freeze({
+  redemption_only: "Requires a single-use redemption code (printed on a mailer or other out-of-band delivery). Submit the code in the request body as `redemption_code`. Without a valid code the order is rejected.",
+  coupon_applicable: "Codes are optional. Without one, settle at list price. With a valid code the discount is applied automatically (percent_off, fixed_off, or fixed_settle).",
+  paid_only: "Codes are NOT accepted. Settle at the listed price. Submitting a `redemption_code` field returns 400 codes_not_accepted."
+});
+function buildSuccessNextSteps(opts) {
+  const out = {
+    action: "done",
+    user_message: opts.userMessage ?? "Payment complete. Your AgentScore Passport is now active across every AgentScore-gated merchant."
+  };
+  if (opts.orderStatusUrl) out.order_status_url = opts.orderStatusUrl;
+  if (opts.fulfillmentEta !== void 0) out.fulfillment_eta = opts.fulfillmentEta;
+  return out;
+}
+
+// src/discovery/index.ts
+init_well_known();
+
+// src/quote_cache.ts
+import { createHash as createHash2 } from "crypto";
+
+// src/_redis.ts
+async function tryCreateRedis(opts) {
+  const url2 = opts.url ?? process.env.REDIS_URL;
+  if (!url2) return null;
+  try {
+    const mod = await import("ioredis");
+    const client = new mod.default(url2, {
+      connectTimeout: opts.connectTimeout ?? 3e3,
+      maxRetriesPerRequest: opts.maxRetriesPerRequest ?? 1,
+      tls: url2.startsWith("rediss://") ? {} : void 0
+    });
+    client.on("error", (err) => console.error(`[${opts.label}] Redis error:`, err.message));
+    return client;
+  } catch {
+    return null;
+  }
+}
+function memoizedRedis(opts) {
+  let promise2 = null;
+  return () => {
+    if (!promise2) promise2 = tryCreateRedis(opts);
+    return promise2;
+  };
+}
+
+// src/quote_cache.ts
+function canonicalize2(value) {
+  if (Array.isArray(value)) return value.map(canonicalize2);
+  if (value && typeof value === "object") {
+    const sorted = {};
+    for (const key of Object.keys(value).sort()) {
+      sorted[key] = canonicalize2(value[key]);
+    }
+    return sorted;
+  }
+  return value;
+}
+function createQuoteCache(opts = {}) {
+  const ttlMs = opts.ttlMs ?? 5 * 6e4;
+  const keyPrefix = opts.keyPrefix ?? "quote:";
+  const memMap = /* @__PURE__ */ new Map();
+  const getRedis = memoizedRedis({ url: opts.redisUrl, label: "quote-cache" });
+  const evictExpired = () => {
+    const now = Date.now();
+    for (const [k, v] of memMap.entries()) {
+      if (v.expiresAt <= now) memMap.delete(k);
+    }
+  };
+  return {
+    bodyHashKey(prefix, body) {
+      const canonical = JSON.stringify(canonicalize2(body));
+      const hash3 = createHash2("sha256").update(`${prefix}::${canonical}`).digest("hex").slice(0, 24);
+      return `${prefix}::${hash3}`;
+    },
+    async read(key) {
+      const r = await getRedis();
+      if (r) {
+        try {
+          const raw = await r.get(`${keyPrefix}${key}`);
+          if (!raw) return null;
+          return JSON.parse(raw);
+        } catch {
+        }
+      }
+      evictExpired();
+      const entry = memMap.get(key);
+      return entry ? entry.entry : null;
+    },
+    async write(key, body, priceCents, recipients = {}) {
+      const cached2 = { body, priceCents, recipients };
+      const r = await getRedis();
+      if (r) {
+        try {
+          await r.set(`${keyPrefix}${key}`, JSON.stringify(cached2), "PX", ttlMs);
+          return;
+        } catch {
+        }
+      }
+      memMap.set(key, { entry: cached2, expiresAt: Date.now() + ttlMs });
+    },
+    async clear() {
+      memMap.clear();
+      const r = await getRedis();
+      if (r) {
+        try {
+          await r.flushdb();
+        } catch {
+        }
+      }
+    }
+  };
+}
+
+// src/checkout_compute_first.ts
+var DEFAULT_TTL_MS = 5 * 6e4;
+function decimalsForUnit(unitPriceCents) {
+  if (Number.isInteger(unitPriceCents)) return 2;
+  const str = unitPriceCents.toString();
+  const dotIdx = str.indexOf(".");
+  const frac = dotIdx === -1 ? 0 : str.length - dotIdx - 1;
+  return 2 + frac;
+}
+function computeFirstCheckout(opts) {
+  const cache = opts.cache ?? createQuoteCache({ ttlMs: opts.cacheTtlMs ?? DEFAULT_TTL_MS });
+  const decimals = opts.decimals ?? decimalsForUnit(opts.unitPriceCents);
+  const appUrl = opts.appUrl ?? new URL(opts.url).origin;
+  async function mintAndResolveRecipients(req, body, priceCents) {
+    const minted = opts.mintRecipients ? await opts.mintRecipients({ request: req, body, priceCents }) : {};
+    const out = {};
+    const tempo = minted.tempo ?? (opts.rails.tempo ? await resolveRecipient(opts.rails.tempo.recipient) : void 0);
+    const x402Base = minted.x402_base ?? (opts.rails.x402_base ? await resolveRecipient(opts.rails.x402_base.recipient) : void 0);
+    const solana = minted.solana_mpp ?? (opts.rails.solana_mpp ? await resolveRecipient(opts.rails.solana_mpp.recipient) : void 0);
+    if (tempo) out.tempo = tempo;
+    if (x402Base) out.x402_base = x402Base;
+    if (solana) out.solana_mpp = solana;
+    return out;
+  }
+  async function emit402(req, body, priceCents, recipients) {
+    const totalUsd = formatUsdCents(priceCents, decimals);
+    const tempoRecipient = recipients.tempo;
+    const x402BaseRecipient = recipients.x402_base;
+    const solanaRecipient = recipients.solana_mpp;
+    const includeStripeInDiscovery = opts.rails.stripe !== void 0 && Number(totalUsd) >= STRIPE_MIN_CHARGE_USD;
+    const accepted = await buildAcceptedMethods({
+      ...tempoRecipient && opts.rails.tempo && { tempo: { ...opts.rails.tempo, recipient: tempoRecipient } },
+      ...solanaRecipient && opts.rails.solana_mpp && { solana_mpp: { ...opts.rails.solana_mpp, recipient: solanaRecipient } },
+      ...includeStripeInDiscovery && { stripe: opts.rails.stripe }
+    });
+    if (x402BaseRecipient && opts.rails.x402_base) {
+      try {
+        const resolvedX402PayTo = await resolveRecipient(x402BaseRecipient);
+        const x402Entries = await buildX402AcceptsFor402(opts.x402Server, {
+          network: opts.rails.x402_base.network ?? "eip155:8453",
+          price: `$${totalUsd}`,
+          payTo: resolvedX402PayTo,
+          maxTimeoutSeconds: 300
+        });
+        accepted.push(...x402Entries);
+      } catch (err) {
+        console.warn(
+          `[${opts.name}.computeFirst] buildX402AcceptsFor402 failed; dropping x402 from accepts:`,
+          err instanceof Error ? err.message : err
+        );
+      }
+    }
+    const howToPay = buildHowToPay({
+      url: opts.url,
+      retryBodyJson: JSON.stringify(body),
+      totalUsd,
+      decimals,
+      rails: {
+        ...tempoRecipient && opts.rails.tempo && { tempo: { ...opts.rails.tempo, recipient: tempoRecipient } },
+        ...x402BaseRecipient && opts.rails.x402_base && { x402_base: { ...opts.rails.x402_base, recipient: x402BaseRecipient } },
+        ...solanaRecipient && opts.rails.solana_mpp && { solana_mpp: { ...opts.rails.solana_mpp, recipient: solanaRecipient } },
+        ...opts.rails.stripe && { stripe: opts.rails.stripe }
+      }
+    });
+    const pricing = buildPricingBlock({ subtotalCents: priceCents, currency: "USD", decimals });
+    const agentInstructions = buildAgentInstructions({
+      howToPay,
+      warnings: [
+        "The quoted price is exact: it was derived from the actual number of results returned by the work on the probe leg.",
+        "The merchant cached the result against a hash of this request body. Retry with the same body within the quote TTL (default 5 min) to settle and receive the cached results; if the quote expires, re-probe."
+      ]
+    });
+    let mppChallengeHeaders = {};
+    if (opts.composeMppx) {
+      try {
+        const mppResult = await opts.composeMppx({
+          request: req,
+          cachedBody: body,
+          priceCents,
+          priceUsd: totalUsd,
+          recipients
+        });
+        if (mppResult.status === 402 && mppResult.headers) {
+          mppChallengeHeaders = mppResult.headers;
+        }
+      } catch (err) {
+        console.warn(
+          `[${opts.name}.computeFirst] composeMppx probe-leg failed; dropping MPP rails from 402 challenge:`,
+          err instanceof Error ? err.message : err
+        );
+      }
+    }
+    const body402 = build402Body({
+      product: { id: opts.name, name: opts.name },
+      acceptedMethods: accepted,
+      pricing,
+      agentInstructions,
+      amountUsd: totalUsd,
+      currency: "USD",
+      orderId: null,
+      retryBody: body
+    });
+    const headers = new Headers({ "Content-Type": "application/json" });
+    for (const [k, v] of Object.entries(mppChallengeHeaders)) headers.set(k, v);
+    headers.set(
+      "PAYMENT-REQUIRED",
+      paymentRequiredHeader({ x402Version: 2, accepts: accepted, resource: { url: opts.url } })
+    );
+    return new Response(JSON.stringify(body402), { status: 402, headers });
+  }
+  async function handleX402Settle(req, referenceId, cachedBody, priceCents, recipients) {
+    const verified = await verifyX402Request({
+      request: req,
+      isCachedAddress: async () => true,
+      acceptedNetwork: opts.rails.x402_base?.network ?? "eip155:8453"
+    });
+    if (!verified.ok) {
+      return new Response(JSON.stringify(verified.body), {
+        status: verified.status,
+        headers: { "Content-Type": "application/json" }
+      });
+    }
+    const actualUsd = formatUsdCents(priceCents, decimals);
+    const settle = await processX402Settle({
+      x402Server: opts.x402Server,
+      payload: verified.payload,
+      resourceConfig: {
+        scheme: "exact",
+        network: verified.signedNetwork,
+        price: `$${actualUsd}`,
+        payTo: verified.signedPayTo,
+        maxTimeoutSeconds: 300
+      },
+      resourceMeta: {
+        url: req.url,
+        description: `Agent purchase via x402-exact (${opts.name})`,
+        mimeType: "application/json"
+      }
+    });
+    if (!settle.success) {
+      const detail = settle.error?.message ?? "unknown";
+      return new Response(
+        JSON.stringify({
+          id: referenceId,
+          endpoint: opts.name,
+          created_at: (/* @__PURE__ */ new Date()).toISOString(),
+          payment_status: "failed",
+          charged_usd: "0.00",
+          rail: `x402-base (${verified.signedNetwork})`,
+          error: {
+            code: "settle_failed",
+            message: "Facilitator rejected the exact settle; no on-chain capture occurred.",
+            detail
+          }
+        }),
+        { status: 502, headers: { "Content-Type": "application/json" } }
+      );
+    }
+    const signer = await extractPaymentSigner(req, readX402PaymentHeader(req));
+    const signerInfo = signer ? { address: signer.address, network: signer.network } : void 0;
+    const railLabel = `Base (${verified.signedNetwork})`;
+    if (opts.onSettled) {
+      try {
+        await opts.onSettled({
+          request: req,
+          rail: "x402",
+          cachedBody,
+          priceCents,
+          priceUsd: actualUsd,
+          recipients,
+          ...signerInfo ? { signer: signerInfo } : {}
+        });
+      } catch (err) {
+        console.warn(`[${opts.name}.computeFirst.onSettled] x402 side-effect failed:`, err instanceof Error ? err.message : err);
+      }
+    }
+    const buildBody = opts.buildSuccessBody ?? defaultSuccessBody(appUrl);
+    const body = buildBody({
+      referenceId,
+      endpoint: opts.name,
+      chargedUsd: actualUsd,
+      rail: railLabel,
+      ...signerInfo ? { signer: signerInfo } : {},
+      cachedBody
+    });
+    return new Response(JSON.stringify(body), { status: 200, headers: { "Content-Type": "application/json" } });
+  }
+  function mppRailLabel(method) {
+    const scheme = method?.split("/")[0];
+    if (scheme === "tempo") {
+      const networkName = opts.rails.tempo?.testnet ? "tempo-testnet" : opts.rails.tempo?.network ?? "tempo-mainnet";
+      return `Tempo (${networkName})`;
+    }
+    if (scheme === "solana") {
+      const networkName = opts.rails.solana_mpp?.network ?? "solana";
+      return `Solana (${networkName})`;
+    }
+    if (scheme === "stripe") return "Stripe (card+link)";
+    return "MPP";
+  }
+  async function handleMppSettle(req, referenceId, cachedBody, priceCents, recipients) {
+    if (!opts.composeMppx) {
+      return new Response(
+        JSON.stringify({
+          id: referenceId,
+          endpoint: opts.name,
+          created_at: (/* @__PURE__ */ new Date()).toISOString(),
+          payment_status: "failed",
+          charged_usd: "0.00",
+          error: { code: "mpp_unavailable", message: "MPP settle hook not configured on this endpoint." }
+        }),
+        { status: 503, headers: { "Content-Type": "application/json" } }
+      );
+    }
+    const priceUsd = formatUsdCents(priceCents, decimals);
+    const result = await opts.composeMppx({ request: req, cachedBody, priceCents, priceUsd, recipients });
+    if (result.status !== 200) {
+      const headers = result.headers ?? {};
+      return new Response(
+        JSON.stringify({
+          id: referenceId,
+          endpoint: opts.name,
+          created_at: (/* @__PURE__ */ new Date()).toISOString(),
+          payment_status: "failed",
+          charged_usd: "0.00",
+          error: { code: "mpp_settle_failed", message: "MPP compose did not return 200; credential rejected." }
+        }),
+        { status: 400, headers: { "Content-Type": "application/json", ...headers } }
+      );
+    }
+    const signer = result.signerAddress ? { address: result.signerAddress, network: result.signerNetwork ?? "evm" } : await extractPaymentSigner(req, readX402PaymentHeader(req)).then((s) => s ? { address: s.address, network: s.network } : void 0);
+    const method = await deriveMppxReceiptMethod(result.raw);
+    const railLabel = mppRailLabel(method);
+    if (opts.onSettled) {
+      try {
+        await opts.onSettled({
+          request: req,
+          rail: "mpp",
+          mppMethod: method,
+          cachedBody,
+          priceCents,
+          priceUsd,
+          recipients,
+          ...signer ? { signer } : {},
+          ...result.txHash ? { paymentIntentId: result.txHash } : {}
+        });
+      } catch (err) {
+        console.warn(`[${opts.name}.computeFirst.onSettled] MPP side-effect failed:`, err instanceof Error ? err.message : err);
+      }
+    }
+    const buildBody = opts.buildSuccessBody ?? defaultSuccessBody(appUrl);
+    const body = buildBody({
+      referenceId,
+      endpoint: opts.name,
+      chargedUsd: priceUsd,
+      rail: railLabel,
+      ...result.txHash ? { paymentIntentId: result.txHash } : {},
+      ...signer ? { signer } : {},
+      cachedBody
+    });
+    return new Response(JSON.stringify(body), { status: 200, headers: { "Content-Type": "application/json" } });
+  }
+  async function handle(req) {
+    const referenceId = `${opts.name}_${randomUUID2()}`;
+    let body;
+    try {
+      body = await req.clone().json();
+    } catch {
+      body = {};
+    }
+    try {
+      opts.validateInput?.(body);
+    } catch (err) {
+      if (err instanceof CheckoutValidationError) {
+        return new Response(
+          JSON.stringify({
+            error: { code: err.code, message: err.message },
+            ...err.action ? { next_steps: { action: err.action, user_message: err.message } } : {},
+            ...err.extra
+          }),
+          { status: err.status, headers: { "Content-Type": "application/json" } }
+        );
+      }
+      throw err;
+    }
+    const cacheKey2 = cache.bodyHashKey(opts.name, body);
+    if (hasX402Header(req.headers) || hasMppxHeader(req.headers)) {
+      const quote2 = await cache.read(cacheKey2);
+      if (!quote2) {
+        return new Response(
+          JSON.stringify({
+            id: referenceId,
+            endpoint: opts.name,
+            created_at: (/* @__PURE__ */ new Date()).toISOString(),
+            payment_status: "failed",
+            charged_usd: "0.00",
+            error: {
+              code: "stale_quote",
+              message: "No active quote for this request body. The quote may have expired or the body changed since the probe."
+            },
+            next_steps: {
+              action: "re_probe",
+              suggestion: "Send the same body without a payment header to get a fresh 402 quote, then retry with the payment credential."
+            }
+          }),
+          { status: 400, headers: { "Content-Type": "application/json" } }
+        );
+      }
+      if (hasX402Header(req.headers)) return handleX402Settle(req, referenceId, quote2.body, quote2.priceCents, quote2.recipients);
+      return handleMppSettle(req, referenceId, quote2.body, quote2.priceCents, quote2.recipients);
+    }
+    let quote = await cache.read(cacheKey2);
+    if (!quote) {
+      let outcome;
+      try {
+        outcome = await opts.runWork(body, { request: req });
+      } catch {
+        return new Response(
+          JSON.stringify({
+            id: referenceId,
+            endpoint: opts.name,
+            created_at: (/* @__PURE__ */ new Date()).toISOString(),
+            payment_status: "no_charge",
+            charged_usd: "0.00",
+            result: { matches: [], total: 0 },
+            error: {
+              code: "upstream_failed",
+              message: "The wrapped endpoint failed; no charge was applied."
+            }
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } }
+        );
+      }
+      if (outcome.resultCount === 0) {
+        return new Response(
+          JSON.stringify({
+            id: referenceId,
+            endpoint: opts.name,
+            created_at: (/* @__PURE__ */ new Date()).toISOString(),
+            payment_status: "no_charge",
+            charged_usd: "0.00",
+            result: outcome.body
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } }
+        );
+      }
+      const priceCents = opts.unitPriceCents * outcome.resultCount;
+      const recipients = await mintAndResolveRecipients(req, body, priceCents);
+      await cache.write(cacheKey2, outcome.body, priceCents, recipients);
+      quote = { body: outcome.body, priceCents, recipients };
+    }
+    return emit402(req, body, quote.priceCents, quote.recipients);
+  }
+  return {
+    handleWeb: handle,
+    async handleHono(c) {
+      return handle(c.req.raw);
+    }
+  };
+}
+function defaultSuccessBody(appUrl) {
+  return ({ referenceId, endpoint, chargedUsd, rail, paymentIntentId, signer, cachedBody }) => ({
+    id: referenceId,
+    endpoint,
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    payment_status: "completed",
+    charged_usd: chargedUsd,
+    rail,
+    ...paymentIntentId ? { payment_intent_id: paymentIntentId } : {},
+    ...signer ? { signer } : {},
+    result: cachedBody,
+    next_steps: buildSuccessNextSteps({ orderStatusUrl: `${appUrl}/health` }),
+    agent_memory: firstEncounterAgentMemory({ firstEncounter: true })
+  });
+}
+
+// src/identity/default_denied.ts
+function createDefaultOnDenied(opts) {
+  const supportContext = opts.supportContext ?? "Contact support if you believe this denial is in error.";
+  const paymentRequiredMessage = opts.paymentRequiredMessage ?? "AgentScore tier does not support assess. Contact support.";
+  const walletNotTrustedMessage = opts.walletNotTrustedMessage ?? `Identity check did not satisfy policy for ${opts.merchantName}.`;
+  return function defaultOnDenied(reason) {
+    if (reason.code === "wallet_signer_mismatch" || reason.code === "wallet_auth_requires_wallet_signing") {
+      const body = buildSignerMismatchBody({
+        result: {
+          kind: reason.code,
+          claimedOperator: reason.claimed_operator ?? null,
+          actualSignerOperator: reason.actual_signer_operator ?? null,
+          expectedSigner: reason.expected_signer ?? "",
+          actualSigner: reason.actual_signer ?? "",
+          linkedWallets: reason.linked_wallets ?? [],
+          agentInstructions: reason.agent_instructions ?? "",
+          claimedWallet: reason.expected_signer ?? ""
+        }
+      });
+      return { status: 403, body: body ?? denialReasonToBody(reason) };
+    }
+    if (reason.code === "wallet_not_trusted") {
+      return {
+        status: 403,
+        body: {
+          error: { code: "compliance_denied", message: walletNotTrustedMessage },
+          reasons: reason.reasons ?? [],
+          policy_result: reason.data?.policy_result,
+          verify_url: reason.verify_url,
+          next_steps: buildContactSupportNextSteps(opts.supportEmail, supportContext)
+        }
+      };
+    }
+    if (reason.code === "payment_required") {
+      return {
+        status: 403,
+        body: {
+          ...denialReasonToBody(reason),
+          error: { code: "compliance_error", message: paymentRequiredMessage }
+        }
+      };
+    }
+    const status = reason.code === "token_expired" || reason.code === "invalid_credential" ? 401 : reason.code === "api_error" ? 503 : 403;
+    return {
+      status,
+      body: denialReasonToBody(reason),
+      ...status >= 500 && { headers: { "Cache-Control": "no-store" } }
+    };
+  };
+}
+function defaultReadOnlyOnDenied(reason) {
+  const message = reason.code === "missing_identity" ? "X-Wallet-Address or X-Operator-Token header required" : "Invalid identity";
+  return {
+    status: 401,
+    body: {
+      ...denialReasonToBody(reason),
+      error: { code: "unauthorized", message }
+    },
+    headers: { "Cache-Control": "no-store" }
+  };
+}
 export {
+  A2A_DEFAULT_TRANSPORT,
+  A2A_PROTOCOL_VERSION,
   AGENTSCORE_UCP_CAPABILITY,
   Checkout,
   CheckoutValidationError,
@@ -23810,18 +24660,29 @@ export {
   buildA2AAgentCard,
   buildAgentMemoryHint,
   buildContactSupportNextSteps,
+  buildDefaultCheckoutRails,
   buildGateFromPolicy,
   buildJWKSResponse,
+  buildMppxComposeRails,
   buildSignerMismatchBody,
   buildUCPProfile,
+  buildVerificationRequiredBody,
+  computeFirstCheckout,
+  createDefaultOnDenied,
+  createQuoteCache,
+  defaultReadOnlyOnDenied,
   denialReasonStatus,
   denialReasonToBody,
+  extractOwnerScope,
   extractPaymentSigner,
   extractPaymentSignerFromAuth,
   extractSignerForPrecheck,
   formatUsdCents,
   generateUCPSigningKey,
   getIdentityStatus,
+  hasMppxHeader,
+  hasPaymentHeader,
+  hasX402Header,
   hashOperatorToken,
   isFixableDenial,
   loadSolanaFeePayer,