@agent-score/commerce 2.1.0 → 2.2.0

package/dist/index.mjs

@@ -20059,11 +20059,12 @@ function toClient(method, options) {
   };
 }
 function toServer(method, options) {
-  const { authorize, defaults, html, request, respond, stableBinding, transport, verify: verify3 } = options;
+  const { authorize, defaults, extensions, html, request, respond, stableBinding, transport, verify: verify3 } = options;
   return {
     ...method,
     authorize,
     defaults,
+    extensions,
     html,
     request,
     respond,
@@ -20990,6 +20991,20 @@ var RESERVED_FIELDS = /* @__PURE__ */ new Set([
   "actual_signer",
   "linked_wallets"
 ]);
+function buildVerificationRequiredBody(reason, opts = {}) {
+  const body = denialReasonToBody(reason);
+  body.error = {
+    code: "operator_verification_required",
+    message: opts.message ?? "Identity verification is required."
+  };
+  if (opts.agentInstructions !== void 0) {
+    body.agent_instructions = opts.agentInstructions;
+  }
+  if (opts.extra) {
+    for (const [k, v] of Object.entries(opts.extra)) body[k] = v;
+  }
+  return body;
+}
 function denialReasonToBody(reason) {
   const message = reason.message ?? DEFAULT_MESSAGES[reason.code];
   const body = { error: { code: reason.code, message } };
@@ -21147,7 +21162,7 @@ function createAgentScoreCore(options) {
   } = options;
   const baseUrl = stripTrailingSlashes(rawBaseUrl);
   const agentMemoryHint = buildAgentMemoryHint();
-  const defaultUa = `@agent-score/commerce@${"2.1.0"}`;
+  const defaultUa = `@agent-score/commerce@${"2.2.0"}`;
   const userAgentHeader = userAgent ? `${userAgent} (${defaultUa})` : defaultUa;
   const sdk = new AgentScore({ apiKey, baseUrl, userAgent: userAgentHeader });
   const sessionSdkCache = /* @__PURE__ */ new Map();
@@ -21284,8 +21299,9 @@ function createAgentScoreCore(options) {
         ...Object.keys(policy).length > 0 ? { policy } : {},
         // Pre-extracted payment signer (by the adapter middleware). When present, the API
         // composes BOTH signer_match (wallet-binding) and signer_sanctions (OFAC SDN wallet
-        // check) verdicts on the response in one round trip. Under
-        // policy.require_sanctions_clear, a signer_sanctions hit flips decision -> deny inline.
+        // check) verdicts on the response in one round trip. Wallet-OFAC enforcement on the
+        // signer block is unconditional — a signer_sanctions hit flips decision -> deny
+        // regardless of policy.require_sanctions_clear (which gates the separate NAME screen).
         ...signer && { signer: { address: signer.address, network: signer.network } }
       };
       const result = identity.address ? await sdk.assess(identity.address, { ...opts, operatorToken: identity.operatorToken }) : await sdk.assess(null, { ...opts, operatorToken: identity.operatorToken });
@@ -21605,6 +21621,137 @@ var A2A_DEFAULT_TRANSPORT = DEFAULT_TRANSPORT;
 init_ucp();
 init_ucp_jwks();
 
+// src/errors.ts
+var CheckoutValidationError = class extends Error {
+  code;
+  action;
+  status;
+  extra;
+  constructor(opts) {
+    super(opts.message);
+    this.name = "CheckoutValidationError";
+    this.code = opts.code;
+    this.action = opts.action ?? "fix_request";
+    this.status = opts.status ?? 400;
+    this.extra = opts.extra;
+  }
+};
+
+// src/identity/policy.ts
+function buildGateFromPolicy(policy, base) {
+  if (!policy || !policy.enforcement) return null;
+  return {
+    apiKey: base.apiKey,
+    ...base.baseUrl !== void 0 && { baseUrl: base.baseUrl },
+    ...policy.requireKyc !== void 0 && { requireKyc: policy.requireKyc },
+    ...policy.requireSanctionsClear !== void 0 && {
+      requireSanctionsClear: policy.requireSanctionsClear
+    },
+    ...policy.minAge !== void 0 && { minAge: policy.minAge },
+    ...policy.allowedJurisdictions !== void 0 && {
+      allowedJurisdictions: [...policy.allowedJurisdictions]
+    }
+  };
+}
+async function runGateWithEnforcement(enforcement, runGate) {
+  if (!runGate || !enforcement) return { status: "anonymous" };
+  const outcome = await runGate();
+  if (outcome.ok) return { status: "verified" };
+  if (enforcement === "hard") {
+    return {
+      status: "denied",
+      denialStatus: outcome.status,
+      denialBody: outcome.body,
+      ...outcome.reason !== void 0 && { denialReason: outcome.reason }
+    };
+  }
+  return {
+    status: "unverified",
+    denialStatus: outcome.status,
+    denialBody: outcome.body,
+    ...outcome.reason !== void 0 && { denialReason: outcome.reason }
+  };
+}
+function shippingCountryAllowed(country, policy) {
+  if (!policy?.allowedShippingCountries || policy.allowedShippingCountries.length === 0) return true;
+  const allowed = new Set(policy.allowedShippingCountries.map((c) => c.toUpperCase()));
+  return allowed.has(country.toUpperCase());
+}
+function shippingStateAllowed(state, country, policy) {
+  if (!policy?.allowedShippingStates || policy.allowedShippingStates.length === 0) return true;
+  if (country.toUpperCase() !== "US") return true;
+  const allowed = new Set(policy.allowedShippingStates.map((s) => s.toUpperCase()));
+  return allowed.has(state.toUpperCase());
+}
+function validateShippingAgainstPolicy(opts) {
+  const code = opts.errorCode ?? "unsupported_jurisdiction";
+  const action = opts.errorAction ?? "change_shipping_state";
+  const item = opts.productName ? `'${opts.productName}'` : "this item";
+  if (!shippingCountryAllowed(opts.country, opts.policy)) {
+    throw new CheckoutValidationError({
+      code,
+      message: opts.countryMessage ?? `We can't ship ${item} to ${opts.country.toUpperCase() || "<unset>"}.`,
+      action
+    });
+  }
+  if (!shippingStateAllowed(opts.state, opts.country, opts.policy)) {
+    throw new CheckoutValidationError({
+      code,
+      message: opts.stateMessage ?? `We can't ship ${item} to ${opts.state.toUpperCase() || "<unset>"}.`,
+      action
+    });
+  }
+}
+
+// src/identity/tokens.ts
+import { createHash } from "crypto";
+
+// src/payment/payment_header.ts
+function toTitleCase(name) {
+  return name.replace(/(^|-)([a-z])/g, (_m, sep, c) => sep + c.toUpperCase());
+}
+function readHeader(headers, name) {
+  if (typeof headers.get === "function") {
+    return headers.get(name);
+  }
+  const rec = headers;
+  const v = rec[name] ?? rec[name.toLowerCase()] ?? rec[toTitleCase(name)];
+  if (typeof v === "string") return v;
+  if (Array.isArray(v) && typeof v[0] === "string") return v[0];
+  return null;
+}
+function asHeaders(input) {
+  return typeof input.headers === "object" && input instanceof Request ? input.headers : input;
+}
+function hasPaymentHeader(input) {
+  const headers = asHeaders(input);
+  return Boolean(
+    readHeader(headers, "payment-signature") || readHeader(headers, "x-payment") || readHeader(headers, "authorization")?.startsWith("Payment ")
+  );
+}
+function hasX402Header(input) {
+  const headers = asHeaders(input);
+  return Boolean(readHeader(headers, "payment-signature") || readHeader(headers, "x-payment"));
+}
+function hasMppxHeader(input) {
+  const headers = asHeaders(input);
+  return Boolean(readHeader(headers, "authorization")?.startsWith("Payment "));
+}
+
+// src/identity/tokens.ts
+function hashOperatorToken(plaintext) {
+  return createHash("sha256").update(plaintext, "utf8").digest("hex");
+}
+function extractOwnerScope(input) {
+  const headers = asHeaders(input);
+  const walletAddress = readHeader(headers, "x-wallet-address");
+  const operatorToken = readHeader(headers, "x-operator-token");
+  return {
+    ...walletAddress ? { walletAddress } : {},
+    ...operatorToken ? { operatorTokenHash: hashOperatorToken(operatorToken) } : {}
+  };
+}
+
 // src/checkout.ts
 import { randomUUID } from "crypto";
 
@@ -21636,6 +21783,16 @@ async function deriveMppxReceiptMethod(raw) {
   return extractMppxReceiptMethod(header);
 }
 
+// src/_warnings.ts
+var warnedNoApiKey = false;
+function warnMissingApiKeyOnce(label) {
+  if (warnedNoApiKey) return;
+  warnedNoApiKey = true;
+  console.warn(
+    `[${label}] AGENTSCORE_API_KEY is not set \u2014 wallet OFAC SDN sanctions are NOT being enforced. Set the env var to enable strict-liability protection on settle.`
+  );
+}
+
 // src/payment/rail_spec.ts
 init_usdc();
 async function resolveRecipient(r) {
@@ -21867,14 +22024,16 @@ function buildHowToPay({
   const d = decimals ?? 2;
   const defaultMaxSpend = totalNum >= 1 ? (Math.ceil(totalNum) + 1).toFixed(d) : totalNum.toFixed(d);
   const maxSpendStr = String(maxSpend ?? defaultMaxSpend);
+  const gateless = opTokenPlaceholder === null;
   const opToken = opTokenPlaceholder ?? "<your_opc_token>";
+  const opTokenHeaderFlag = gateless ? "" : `-H 'X-Operator-Token: ${opToken}' `;
   const block = {};
   if (rails2.tempo) {
     const networkName = rails2.tempo.testnet ? "tempo-testnet" : rails2.tempo.network ?? RAIL_SPEC_DEFAULTS.tempo.network;
     const chainId = rails2.tempo.chainId ?? RAIL_SPEC_DEFAULTS.tempo.chainId;
     const recommend = rails2.tempo.recommend ?? RAIL_SPEC_DEFAULTS.tempo.recommend;
-    const tempoCommand = `tempo request -X POST -H 'X-Operator-Token: ${opToken}' -H 'Content-Type: application/json' --json '${retryBodyJson}' --max-spend ${maxSpendStr} ${url2}`;
-    const payCommand = `agentscore-pay pay POST ${url2} --chain tempo -H 'X-Operator-Token: ${opToken}' -H 'Content-Type: application/json' -d '${retryBodyJson}' --max-spend ${maxSpendStr}`;
+    const tempoCommand = `tempo request -X POST ${opTokenHeaderFlag}-H 'Content-Type: application/json' --json '${retryBodyJson}' --max-spend ${maxSpendStr} ${url2}`;
+    const payCommand = `agentscore-pay pay POST ${url2} --chain tempo ${opTokenHeaderFlag}-H 'Content-Type: application/json' -d '${retryBodyJson}' --max-spend ${maxSpendStr}`;
     block.tempo = {
       setup: TEMPO_SETUP,
       prerequisite: `Run \`tempo wallet whoami\` and confirm USDC.e balance on ${networkName} (chain ${chainId}) is at least $${maxSpendStr}. If the tempo CLI is not installed, run the setup commands above first.`,
@@ -21888,7 +22047,7 @@ function buildHowToPay({
     block.x402_base = {
       setup: PAY_SETUP_BASE,
       prerequisite: `Run \`agentscore-pay balance --chain base\` and confirm USDC balance on Base (${network}) is at least $${maxSpendStr}. If the CLI is not installed, run the setup commands above first.`,
-      command: `agentscore-pay pay POST ${url2} --chain base -H 'X-Operator-Token: ${opToken}' -H 'Content-Type: application/json' -d '${retryBodyJson}' --max-spend ${maxSpendStr}`,
+      command: `agentscore-pay pay POST ${url2} --chain base ${opTokenHeaderFlag}-H 'Content-Type: application/json' -d '${retryBodyJson}' --max-spend ${maxSpendStr}`,
       what_it_does: "Pays via USDC on Base."
     };
   }
@@ -21897,7 +22056,7 @@ function buildHowToPay({
     block.solana_mpp = {
       setup: PAY_SETUP_SOLANA,
       prerequisite: `Run \`agentscore-pay balance --chain solana\` and confirm USDC balance on Solana (${network}) is at least $${maxSpendStr}. If the CLI is not installed, run the setup commands above first.`,
-      command: `agentscore-pay pay POST ${url2} --chain solana -H 'X-Operator-Token: ${opToken}' -H 'Content-Type: application/json' -d '${retryBodyJson}' --max-spend ${maxSpendStr}`,
+      command: `agentscore-pay pay POST ${url2} --chain solana ${opTokenHeaderFlag}-H 'Content-Type: application/json' -d '${retryBodyJson}' --max-spend ${maxSpendStr}`,
       what_it_does: "Pays via USDC on Solana."
     };
   }
@@ -21919,7 +22078,7 @@ function buildHowToPay({
       ];
       stripe.command_link_cli = [
         `SPEND_ID=$(link-cli spend-request create --payment-method-id <csmrpd_id_from_payment_methods_list> --credential-type shared_payment_token --network-id ${stripeCfg.profileId} --amount ${amountCents} --context "${sptContext}" --request-approval --output-json | jq -r .id)`,
-        `link-cli mpp pay ${url2} --spend-request-id $SPEND_ID --method POST --data '${retryBodyJson}' --header 'X-Operator-Token: ${opToken}' --output-json`
+        gateless ? `link-cli mpp pay ${url2} --spend-request-id $SPEND_ID --method POST --data '${retryBodyJson}' --output-json` : `link-cli mpp pay ${url2} --spend-request-id $SPEND_ID --method POST --data '${retryBodyJson}' --header 'X-Operator-Token: ${opToken}' --output-json`
       ];
       stripe.what_it_does_link_cli = "Mints a one-time-use SharedPaymentToken scoped to this purchase (user approves in Link wallet), then submits it as the payment credential.";
     } else if (linkCliBlocked) {
@@ -22014,6 +22173,12 @@ function buildValidationError({
   return body;
 }
 
+// src/payment/constants.ts
+var STRIPE_MIN_CHARGE_USD = 0.5;
+
+// src/payment/mppx_server.ts
+import { AsyncLocalStorage } from "async_hooks";
+
 // src/stripe-multichain/mppx_stripe.ts
 async function createMppxStripe({
   profileId,
@@ -22194,6 +22359,31 @@ function wrapSolanaChargeWithFinalizedBlockhash(baseMethod, rpcUrl) {
     }
   };
 }
+var mppxCapture = new AsyncLocalStorage();
+var consoleErrorPatched = false;
+function ensureConsoleErrorPatch() {
+  if (consoleErrorPatched) return;
+  consoleErrorPatched = true;
+  const original = console.error.bind(console);
+  console.error = function captureMppxInternal(...args) {
+    if (args[0] === "mppx: internal verification error" && args[1] !== void 0) {
+      const ctx = mppxCapture.getStore();
+      if (ctx) {
+        const e = args[1];
+        const reason = typeof e?.shortMessage === "string" ? e.shortMessage : typeof e?.message === "string" ? e.message : String(args[1]);
+        const details = e?.details;
+        ctx.reason = typeof details === "string" && details.length > 0 ? `${reason} (${details})` : reason;
+      }
+    }
+    return original(...args);
+  };
+}
+async function runWithMppxFailureCapture(fn) {
+  ensureConsoleErrorPatch();
+  const ctx = { reason: null };
+  const result = await mppxCapture.run(ctx, fn);
+  return { result, failureReason: ctx.reason };
+}
 
 // src/payment/x402_server.ts
 init_networks();
@@ -22335,40 +22525,28 @@ function lazyMppxServer(opts) {
   };
 }
 
-// src/checkout.ts
-init_network_kind();
-
-// src/payment/payment_header.ts
-function toTitleCase(name) {
-  return name.replace(/(^|-)([a-z])/g, (_m, sep, c) => sep + c.toUpperCase());
-}
-function readHeader(headers, name) {
-  if (typeof headers.get === "function") {
-    return headers.get(name);
+// src/payment/mppx_failures.ts
+var TEMPO_KEY_NOT_REGISTERED = {
+  code: "tempo_key_not_registered",
+  status: 401,
+  message: "Tempo rejected the transaction: signer wallet is not registered with Tempo's keychain.",
+  nextSteps: {
+    action: "register_tempo_key",
+    user_message: "Your wallet is not enrolled with Tempo. Run `tempo wallet login` to complete the one-time WebAuthn enrollment (or use `tempo request` directly), then retry. To skip enrollment, switch to the Base or Solana rail on this 402."
+  },
+  extra: { upstream_error: "KeyNotFound", chain: "tempo" }
+};
+function classifyMppxFailure(reason) {
+  if (!reason) return null;
+  const lower = reason.toLowerCase();
+  if (lower.includes("keychain validation failed") || lower.includes("keynotfound")) {
+    return TEMPO_KEY_NOT_REGISTERED;
   }
-  const rec = headers;
-  const v = rec[name] ?? rec[name.toLowerCase()] ?? rec[toTitleCase(name)];
-  if (typeof v === "string") return v;
-  if (Array.isArray(v) && typeof v[0] === "string") return v[0];
   return null;
 }
-function asHeaders(input) {
-  return typeof input.headers === "object" && input instanceof Request ? input.headers : input;
-}
-function hasPaymentHeader(input) {
-  const headers = asHeaders(input);
-  return Boolean(
-    readHeader(headers, "payment-signature") || readHeader(headers, "x-payment") || readHeader(headers, "authorization")?.startsWith("Payment ")
-  );
-}
-function hasX402Header(input) {
-  const headers = asHeaders(input);
-  return Boolean(readHeader(headers, "payment-signature") || readHeader(headers, "x-payment"));
-}
-function hasMppxHeader(input) {
-  const headers = asHeaders(input);
-  return Boolean(readHeader(headers, "authorization")?.startsWith("Payment "));
-}
+
+// src/checkout.ts
+init_network_kind();
 
 // src/payment/x402_settle.ts
 function classifyX402SettleResult(result) {
@@ -22691,20 +22869,6 @@ function getIdentityStatus(ctx) {
   if (decision === "allow") return "verified";
   return "unverified";
 }
-var CheckoutValidationError = class extends Error {
-  code;
-  action;
-  status;
-  extra;
-  constructor(opts) {
-    super(opts.message);
-    this.name = "CheckoutValidationError";
-    this.code = opts.code;
-    this.action = opts.action ?? "fix_request";
-    this.status = opts.status ?? 400;
-    this.extra = opts.extra;
-  }
-};
 function resolveIdentityMetadata(ctx) {
   const h = normalizeHeadersToLowercase(ctx.request.headers);
   const wallet = h["x-wallet-address"];
@@ -22831,6 +22995,23 @@ var Checkout = class {
   discoveryExtensions;
   discoveryProbe;
   _x402ServerGetter;
+  /**
+   * True when the merchant has configured an identity-bearing policy flag —
+   * `require_kyc`, `require_sanctions_clear` (name screening on the KYC
+   * identity), `min_age`, or jurisdiction lists. Wallet OFAC SDN enforcement
+   * (the always-on default) does NOT count as an identity gate; agents don't
+   * need an AgentScore credential to satisfy it.
+   *
+   * Used to conditionally emit AgentScore identity boilerplate in 402 bodies
+   * (`agent_memory`, `X-Operator-Token` references in per-rail commands).
+   */
+  hasIdentityGate() {
+    const g = this.gate;
+    if (!g) return false;
+    return Boolean(
+      g.requireKyc || g.requireSanctionsClear || g.minAge !== void 0 || g.allowedJurisdictions && g.allowedJurisdictions.length > 0 || g.blockedJurisdictions && g.blockedJurisdictions.length > 0
+    );
+  }
   constructor(opts) {
     const x402Server = opts.x402Server;
     let x402ServerGetter;
@@ -23028,8 +23209,8 @@ var Checkout = class {
       }
     }
     const hasPaymentHeader2 = hasX402Header(request.headers) || hasMppxHeader(request.headers);
-    if (this.gate !== void 0 && hasPaymentHeader2) {
-      const denial = await this.runGate(ctx);
+    if (hasPaymentHeader2) {
+      const denial = this.gate !== void 0 ? await this.runGate(ctx) : await this.runWalletSanctionsOnly(ctx);
       if (denial !== null) {
         return {
           status: denial.status,
@@ -23041,7 +23222,14 @@ var Checkout = class {
       }
     }
     ctx.pricing = await this.computePricing(ctx);
-    await this.resolveRecipientsForCtx(ctx);
+    try {
+      await this.resolveRecipientsForCtx(ctx);
+    } catch (err) {
+      if (err instanceof Error && err.name === "CheckoutValidationError") {
+        return this.validationErrorResult(ctx, err);
+      }
+      throw err;
+    }
     const x402ServerOk = this.x402ServerAvailable() && this.x402BaseNetwork !== null;
     if (hasX402Header(request.headers) && x402ServerOk) {
       const zero = await this.handleZeroSettle(ctx, "x402-base");
@@ -23094,7 +23282,9 @@ var Checkout = class {
       }
       return result;
     }
-    if (gate.apiKey === void 0) return null;
+    if (gate.apiKey === void 0) {
+      return this.runWalletSanctionsOnly(ctx);
+    }
     let policyOverride;
     if (gate.perRequestPolicy !== void 0) {
       policyOverride = await gate.perRequestPolicy(ctx);
@@ -23112,8 +23302,16 @@ var Checkout = class {
       ...gate.failOpen !== void 0 && { failOpen: gate.failOpen },
       ...gate.cacheSeconds !== void 0 && { cacheSeconds: gate.cacheSeconds },
       ...gate.chain !== void 0 && { chain: gate.chain },
-      ...gate.createSessionOnMissing !== void 0 && {
-        createSessionOnMissing: gate.createSessionOnMissing
+      // Auto-default `createSessionOnMissing` from gate config when the merchant
+      // didn't supply one. Matches python-commerce's behavior — every gated route
+      // gets the bootstrap session-mint UX out of the box. Merchants who need
+      // custom session context or onBeforeSession side effects (goods merchants
+      // pre-minting an order_id) supply their own config instead.
+      createSessionOnMissing: gate.createSessionOnMissing ?? {
+        apiKey: gate.apiKey,
+        ...gate.baseUrl !== void 0 && { baseUrl: gate.baseUrl },
+        ...gate.context !== void 0 && { context: gate.context },
+        ...gate.merchantName !== void 0 && { productName: gate.merchantName }
       },
       ...policyOverride ?? {}
     };
@@ -23176,6 +23374,58 @@ var Checkout = class {
     const status = reason.code === "token_expired" || reason.code === "invalid_credential" ? 401 : reason.code === "api_error" ? 503 : 403;
     return { status, body };
   }
+  /**
+   * Wallet OFAC SDN enforcement.
+   *
+   * Runs on settle (payment header present) when either `this.gate` is
+   * undefined OR a gate is configured but has no `apiKey` to reach
+   * `/v1/assess` for full policy enforcement (fallback to the
+   * strict-liability default).
+   *
+   * Env knobs:
+   *   - `AGENTSCORE_API_KEY` — required. No key → one-time warning + skip
+   *     (dev/testnet pattern; production should always configure a key).
+   *   - `AGENTSCORE_BASE_URL` — optional override for staging/dev API
+   *     (e.g. `https://api-dev.agentscore.sh` or `http://localhost:3002`).
+   *
+   * Stripe SPT (no extractable wallet signer) → skip silently; Stripe runs
+   * its own OFAC screen on the buyer's Stripe account at customer creation.
+   *
+   * Calls `/v1/assess` with the signer wallet as both the primary address
+   * and the signer block. The API enforces signer-sanctions unconditionally
+   * when a signer is present (no policy flag needed). Denies on OFAC SDN
+   * hit; fail-closed on unavailable lookup (strict liability — falsely
+   * allowing a sanctioned settle is an OFAC violation, falsely denying a
+   * clean buyer is just bad UX).
+   */
+  async runWalletSanctionsOnly(ctx) {
+    const apiKey = process.env.AGENTSCORE_API_KEY;
+    if (!apiKey) {
+      warnMissingApiKeyOnce("checkout");
+      return null;
+    }
+    const headers = normalizeHeadersToLowercase(ctx.request.headers);
+    const x402Header = headers["payment-signature"] ?? headers["x-payment"];
+    const signer = await extractPaymentSignerFromAuth(headers["authorization"], x402Header);
+    if (!signer) {
+      return null;
+    }
+    const baseUrl = process.env.AGENTSCORE_BASE_URL;
+    const core = createAgentScoreCore({
+      apiKey,
+      ...baseUrl !== void 0 && { baseUrl }
+    });
+    const outcome = await core.evaluate(
+      { address: signer.address },
+      ctx,
+      signer
+    );
+    if (outcome.kind === "allow") return null;
+    const reason = outcome.reason;
+    const body = denialReasonToBody(reason);
+    const status = reason.code === "token_expired" || reason.code === "invalid_credential" ? 401 : reason.code === "api_error" ? 503 : 403;
+    return { status, body };
+  }
   async handleZeroSettle(ctx, rail) {
     if (!this.zeroSettleCarveOut || ctx.pricing === null) return null;
     const cents = Math.round(ctx.pricing.amountUsd * 100);
@@ -23313,7 +23563,9 @@ var Checkout = class {
     if (this.composeMppx === void 0) {
       throw new Error("Checkout.handleMppx: composeMppx hook not configured");
     }
-    const composed = await this.composeMppx(ctx);
+    const { result: composed, failureReason } = await runWithMppxFailureCapture(
+      async () => this.composeMppx(ctx)
+    );
     if (composed.status === 200) {
       const paymentReceiptHeader = composed.paymentReceiptHeader ?? extractMppxReceiptHeaderFromRaw(composed.raw);
       const directMethod = composed.raw?.receipt?.method;
@@ -23332,6 +23584,22 @@ var Checkout = class {
       };
       return await this.buildSuccess(ctx, outcome);
     }
+    const classified = classifyMppxFailure(failureReason);
+    if (classified !== null) {
+      return {
+        status: classified.status,
+        body: buildValidationError({
+          code: classified.code,
+          message: classified.message,
+          nextSteps: classified.nextSteps,
+          ...classified.extra && { extra: classified.extra }
+        }),
+        headers: { ...composed.headers ?? {} },
+        referenceId: ctx.referenceId,
+        settled: false,
+        settlePhase: "verify_failed"
+      };
+    }
     return {
       status: 400,
       body: buildValidationError({
@@ -23350,7 +23618,11 @@ var Checkout = class {
       throw new Error("Checkout.emit402: pricing not computed");
     }
     await this.resolveRecipientsForCtx(ctx);
-    const emitRails = applyRecipientOverrides(this.rails, ctx.recipients);
+    let emitRails = applyRecipientOverrides(this.rails, ctx.recipients);
+    if (ctx.pricing.amountUsd < STRIPE_MIN_CHARGE_USD && emitRails.stripe !== void 0) {
+      const { stripe: _stripe, ...rest } = emitRails;
+      emitRails = rest;
+    }
     const accepted = await buildAcceptedMethods({
       tempo: pickRail(emitRails, "tempo"),
       x402_base: pickRail(emitRails, "x402_base"),
@@ -23369,6 +23641,10 @@ var Checkout = class {
       retryBodyJson: JSON.stringify(ctx.request.body),
       totalUsd: ctx.pricing.amountUsd.toFixed(pricingDecimals),
       rails: howToPayRails,
+      // Merchants without an identity-bearing policy flag get clean commands
+      // without an X-Operator-Token header — agents don't need one to satisfy
+      // wallet OFAC enforcement (the always-on default).
+      ...this.hasIdentityGate() ? {} : { opTokenPlaceholder: null },
       ...ctx.pricing.decimals !== void 0 && { decimals: ctx.pricing.decimals }
     });
     const pricingBlock = ctx.pricing.block ?? buildPricingBlock({
@@ -23405,7 +23681,10 @@ var Checkout = class {
       pricing: pricingBlock,
       amountUsd: ctx.pricing.amountUsd.toFixed(pricingDecimals),
       retryBody: ctx.request.body,
-      agentMemory: firstEncounterAgentMemory({ firstEncounter: true }),
+      // Merchants without an identity-bearing gate get a clean 402: no
+      // AgentScore-identity bootstrap describing a verification flow they
+      // don't run. Wallet OFAC (the always-on default) doesn't need it.
+      agentMemory: firstEncounterAgentMemory({ firstEncounter: this.hasIdentityGate() }),
       ...ctx.pricing.product ? { product: ctx.pricing.product } : {},
       ...ctx.pricing.bodyExtras ? { extra: ctx.pricing.bodyExtras } : {},
       ...x402Accepts.length > 0 ? {
@@ -23753,87 +24032,6 @@ Checkout.prototype.mountUcpRoutesFastify = function(app, opts) {
   app.options(jwksPath, preflight);
 };
 
-// src/identity/policy.ts
-function buildGateFromPolicy(policy, base) {
-  if (!policy || !policy.enforcement) return null;
-  return {
-    apiKey: base.apiKey,
-    ...base.baseUrl !== void 0 && { baseUrl: base.baseUrl },
-    ...policy.requireKyc !== void 0 && { requireKyc: policy.requireKyc },
-    ...policy.requireSanctionsClear !== void 0 && {
-      requireSanctionsClear: policy.requireSanctionsClear
-    },
-    ...policy.minAge !== void 0 && { minAge: policy.minAge },
-    ...policy.allowedJurisdictions !== void 0 && {
-      allowedJurisdictions: [...policy.allowedJurisdictions]
-    }
-  };
-}
-async function runGateWithEnforcement(enforcement, runGate) {
-  if (!runGate || !enforcement) return { status: "anonymous" };
-  const outcome = await runGate();
-  if (outcome.ok) return { status: "verified" };
-  if (enforcement === "hard") {
-    return {
-      status: "denied",
-      denialStatus: outcome.status,
-      denialBody: outcome.body,
-      ...outcome.reason !== void 0 && { denialReason: outcome.reason }
-    };
-  }
-  return {
-    status: "unverified",
-    denialStatus: outcome.status,
-    denialBody: outcome.body,
-    ...outcome.reason !== void 0 && { denialReason: outcome.reason }
-  };
-}
-function shippingCountryAllowed(country, policy) {
-  if (!policy?.allowedShippingCountries || policy.allowedShippingCountries.length === 0) return true;
-  const allowed = new Set(policy.allowedShippingCountries.map((c) => c.toUpperCase()));
-  return allowed.has(country.toUpperCase());
-}
-function shippingStateAllowed(state, country, policy) {
-  if (!policy?.allowedShippingStates || policy.allowedShippingStates.length === 0) return true;
-  if (country.toUpperCase() !== "US") return true;
-  const allowed = new Set(policy.allowedShippingStates.map((s) => s.toUpperCase()));
-  return allowed.has(state.toUpperCase());
-}
-function validateShippingAgainstPolicy(opts) {
-  const code = opts.errorCode ?? "unsupported_jurisdiction";
-  const action = opts.errorAction ?? "change_shipping_state";
-  const item = opts.productName ? `'${opts.productName}'` : "this item";
-  if (!shippingCountryAllowed(opts.country, opts.policy)) {
-    throw new CheckoutValidationError({
-      code,
-      message: opts.countryMessage ?? `We can't ship ${item} to ${opts.country.toUpperCase() || "<unset>"}.`,
-      action
-    });
-  }
-  if (!shippingStateAllowed(opts.state, opts.country, opts.policy)) {
-    throw new CheckoutValidationError({
-      code,
-      message: opts.stateMessage ?? `We can't ship ${item} to ${opts.state.toUpperCase() || "<unset>"}.`,
-      action
-    });
-  }
-}
-
-// src/identity/tokens.ts
-import { createHash } from "crypto";
-function hashOperatorToken(plaintext) {
-  return createHash("sha256").update(plaintext, "utf8").digest("hex");
-}
-function extractOwnerScope(input) {
-  const headers = asHeaders(input);
-  const walletAddress = readHeader(headers, "x-wallet-address");
-  const operatorToken = readHeader(headers, "x-operator-token");
-  return {
-    ...walletAddress ? { walletAddress } : {},
-    ...operatorToken ? { operatorTokenHash: hashOperatorToken(operatorToken) } : {}
-  };
-}
-
 // src/payment/index.ts
 init_directive();
 init_networks();
@@ -23910,6 +24108,7 @@ async function loadSolanaFeePayer(opts) {
 
 // src/payment/compose_rails.ts
 init_usdc();
+var warnedStripeBelowMinimum = false;
 function buildMppxComposeRails(opts) {
   const rails2 = [];
   if (opts.tempoRecipient) {
@@ -23931,7 +24130,17 @@ function buildMppxComposeRails(opts) {
     }]);
   }
   if (opts.includeStripe !== false) {
-    rails2.push(["stripe/charge", { amount: opts.amountUsd, currency: "usd", decimals: 2 }]);
+    const amountUsdNumeric = Number(opts.amountUsd);
+    if (Number.isFinite(amountUsdNumeric) && amountUsdNumeric < STRIPE_MIN_CHARGE_USD) {
+      if (!warnedStripeBelowMinimum) {
+        warnedStripeBelowMinimum = true;
+        console.warn(
+          `[buildMppxComposeRails] Dropping stripe/charge rail: amountUsd=${opts.amountUsd} is below Stripe's $${STRIPE_MIN_CHARGE_USD.toFixed(2)} USD minimum. Stripe's fixed ~$0.30 fee makes sub-50-cent charges unprofitable (and many accounts reject PI creation with amount_too_small below this floor). Pass includeStripe: false to suppress this warning.`
+        );
+      }
+    } else {
+      rails2.push(["stripe/charge", { amount: opts.amountUsd, currency: "usd", decimals: 2 }]);
+    }
   }
   return rails2;
 }
@@ -24122,10 +24331,11 @@ function computeFirstCheckout(opts) {
     const tempoRecipient = recipients.tempo;
     const x402BaseRecipient = recipients.x402_base;
     const solanaRecipient = recipients.solana_mpp;
+    const includeStripeInDiscovery = opts.rails.stripe !== void 0 && Number(totalUsd) >= STRIPE_MIN_CHARGE_USD;
     const accepted = await buildAcceptedMethods({
       ...tempoRecipient && opts.rails.tempo && { tempo: { ...opts.rails.tempo, recipient: tempoRecipient } },
       ...solanaRecipient && opts.rails.solana_mpp && { solana_mpp: { ...opts.rails.solana_mpp, recipient: solanaRecipient } },
-      ...opts.rails.stripe && { stripe: opts.rails.stripe }
+      ...includeStripeInDiscovery && { stripe: opts.rails.stripe }
     });
     if (x402BaseRecipient && opts.rails.x402_base) {
       try {
@@ -24202,6 +24412,36 @@ function computeFirstCheckout(opts) {
     );
     return new Response(JSON.stringify(body402), { status: 402, headers });
   }
+  async function enforceWalletSanctions(req, referenceId) {
+    const apiKey = process.env.AGENTSCORE_API_KEY;
+    if (!apiKey) {
+      warnMissingApiKeyOnce(`${opts.name}.computeFirst`);
+      return null;
+    }
+    const x402Header = readX402PaymentHeader(req);
+    const signer = await extractPaymentSigner(req, x402Header);
+    if (!signer) return null;
+    const baseUrl = process.env.AGENTSCORE_BASE_URL;
+    const core = createAgentScoreCore({
+      apiKey,
+      ...baseUrl !== void 0 && { baseUrl }
+    });
+    const outcome = await core.evaluate({ address: signer.address }, void 0, signer);
+    if (outcome.kind === "allow") return null;
+    const reason = outcome.reason;
+    const body = denialReasonToBody(reason);
+    const status = reason.code === "token_expired" || reason.code === "invalid_credential" ? 401 : reason.code === "api_error" ? 503 : 403;
+    return new Response(
+      JSON.stringify({
+        id: referenceId,
+        endpoint: opts.name,
+        created_at: (/* @__PURE__ */ new Date()).toISOString(),
+        payment_status: "failed",
+        ...body
+      }),
+      { status, headers: { "Content-Type": "application/json" } }
+    );
+  }
   async function handleX402Settle(req, referenceId, cachedBody, priceCents, recipients) {
     const verified = await verifyX402Request({
       request: req,
@@ -24400,6 +24640,8 @@ function computeFirstCheckout(opts) {
           { status: 400, headers: { "Content-Type": "application/json" } }
         );
       }
+      const ofacDenial = await enforceWalletSanctions(req, referenceId);
+      if (ofacDenial !== null) return ofacDenial;
       if (hasX402Header(req.headers)) return handleX402Settle(req, referenceId, quote2.body, quote2.priceCents, quote2.recipients);
       return handleMppSettle(req, referenceId, quote2.body, quote2.priceCents, quote2.recipients);
     }
@@ -24548,6 +24790,7 @@ export {
   buildMppxComposeRails,
   buildSignerMismatchBody,
   buildUCPProfile,
+  buildVerificationRequiredBody,
   computeFirstCheckout,
   createDefaultOnDenied,
   createQuoteCache,