@agent-score/commerce 2.1.1 → 2.3.0

package/dist/{pricing-DHfH3ogG.d.ts → pricing-B3-aKxSz.d.ts}

@@ -1,4 +1,4 @@
-import { T as TempoRailSpec, X as X402BaseRailSpec, S as SolanaMppRailSpec, b as StripeRailSpec } from './rail_spec-D6qzh3J0.js';
+import { T as TempoRailSpec, X as X402BaseRailSpec, S as SolanaMppRailSpec, b as StripeRailSpec } from './rail_spec-B1239jPp.js';
 
 interface HowToPayRailEntry {
     setup?: string[];
@@ -43,8 +43,10 @@ declare function buildHowToPay({ url, retryBodyJson, totalUsd, rails, opTokenPla
     totalUsd: string | number;
     /** Per-rail config — each is optional. Pass only the rails you support. */
     rails: HowToPayRails;
-    /** Placeholder text for the operator token in commands. Defaults to '<your_opc_token>'. */
-    opTokenPlaceholder?: string;
+    /** Placeholder text for the operator token in commands. Defaults to '<your_opc_token>'.
+     *  Pass `null` (gateless merchants) to strip the `-H 'X-Operator-Token: ...'` line entirely
+     *  from each rail command — appropriate when the merchant doesn't run an identity gate. */
+    opTokenPlaceholder?: string | null;
     /** Override max-spend value used in commands. Default: `ceil(totalUsd) + 1`
      *  (for prices ≥ $1) or `totalUsd.toFixed(decimals)` (for sub-dollar prices,
      *  so the command flags reflect the real amount instead of `1.00`). */

package/dist/{pricing-4n5Ota0D.d.mts → pricing-BReyZiqN.d.mts}

@@ -1,4 +1,4 @@
-import { T as TempoRailSpec, X as X402BaseRailSpec, S as SolanaMppRailSpec, b as StripeRailSpec } from './rail_spec-D6qzh3J0.mjs';
+import { T as TempoRailSpec, X as X402BaseRailSpec, S as SolanaMppRailSpec, b as StripeRailSpec } from './rail_spec-B1239jPp.mjs';
 
 interface HowToPayRailEntry {
     setup?: string[];
@@ -43,8 +43,10 @@ declare function buildHowToPay({ url, retryBodyJson, totalUsd, rails, opTokenPla
     totalUsd: string | number;
     /** Per-rail config — each is optional. Pass only the rails you support. */
     rails: HowToPayRails;
-    /** Placeholder text for the operator token in commands. Defaults to '<your_opc_token>'. */
-    opTokenPlaceholder?: string;
+    /** Placeholder text for the operator token in commands. Defaults to '<your_opc_token>'.
+     *  Pass `null` (gateless merchants) to strip the `-H 'X-Operator-Token: ...'` line entirely
+     *  from each rail command — appropriate when the merchant doesn't run an identity gate. */
+    opTokenPlaceholder?: string | null;
     /** Override max-spend value used in commands. Default: `ceil(totalUsd) + 1`
      *  (for prices ≥ $1) or `totalUsd.toFixed(decimals)` (for sub-dollar prices,
      *  so the command flags reflect the real amount instead of `1.00`). */

package/dist/{rail_spec-D6qzh3J0.d.mts → rail_spec-B1239jPp.d.mts}

@@ -58,6 +58,31 @@ interface SolanaMppRailSpec {
     rpcUrl?: string;
     signer?: unknown;
     tokenProgram?: string;
+    /** Whether the recipient's ATA may be auto-created on first payment. **Default `true`.**
+     *
+     *  When `true` (default), the SDK passes
+     *  `splits: [{ recipient, amount: '0', ataCreationRequired: true }]` to
+     *  `solana.charge`, which puts the recipient in the MPP spec §13.6
+     *  `allowedAtaOwners` allow-list. Required on `@solana/mpp >= 0.6.0` with a
+     *  sponsored (fee-payer) setup — without it, every settle that emits a
+     *  `CreateIdempotent` ATA instruction is rejected. On `@solana/mpp 0.5.x`
+     *  the field is unknown and silently ignored, so the default is safe across
+     *  versions.
+     *
+     *  Opt out (`false`) only when every recipient's ATA is guaranteed to exist
+     *  out-of-band — typically when the merchant pre-creates the ATA from an
+     *  external wallet (one-time USDC transfer of any amount) and refuses to
+     *  let the fee-payer fund creation. Rare; mainly useful for low-margin
+     *  endpoints that use a stable merchant-owned recipient via
+     *  `staticRecipients` and want to guarantee zero rent per call.
+     *
+     *  Economic note: with rotating recipients (Stripe-multichain per-PI deposit
+     *  addresses), the sponsor pays ~0.002 SOL (~$0.50) of rent per call into
+     *  accounts the merchant can't close. Acceptable when settle amounts
+     *  dominate ($50+ transactions); not viable for sub-dollar merchants —
+     *  those should pair `ataCreationRequired: false` with a static recipient
+     *  whose ATA has been pre-created (one-time external USDC transfer). */
+    ataCreationRequired?: boolean;
 }
 /**
  * Canonical config for the Stripe SPT rail.

package/dist/{rail_spec-D6qzh3J0.d.ts → rail_spec-B1239jPp.d.ts}

@@ -58,6 +58,31 @@ interface SolanaMppRailSpec {
     rpcUrl?: string;
     signer?: unknown;
     tokenProgram?: string;
+    /** Whether the recipient's ATA may be auto-created on first payment. **Default `true`.**
+     *
+     *  When `true` (default), the SDK passes
+     *  `splits: [{ recipient, amount: '0', ataCreationRequired: true }]` to
+     *  `solana.charge`, which puts the recipient in the MPP spec §13.6
+     *  `allowedAtaOwners` allow-list. Required on `@solana/mpp >= 0.6.0` with a
+     *  sponsored (fee-payer) setup — without it, every settle that emits a
+     *  `CreateIdempotent` ATA instruction is rejected. On `@solana/mpp 0.5.x`
+     *  the field is unknown and silently ignored, so the default is safe across
+     *  versions.
+     *
+     *  Opt out (`false`) only when every recipient's ATA is guaranteed to exist
+     *  out-of-band — typically when the merchant pre-creates the ATA from an
+     *  external wallet (one-time USDC transfer of any amount) and refuses to
+     *  let the fee-payer fund creation. Rare; mainly useful for low-margin
+     *  endpoints that use a stable merchant-owned recipient via
+     *  `staticRecipients` and want to guarantee zero rent per call.
+     *
+     *  Economic note: with rotating recipients (Stripe-multichain per-PI deposit
+     *  addresses), the sponsor pays ~0.002 SOL (~$0.50) of rent per call into
+     *  accounts the merchant can't close. Acceptable when settle amounts
+     *  dominate ($50+ transactions); not viable for sub-dollar merchants —
+     *  those should pair `ataCreationRequired: false` with a static recipient
+     *  whose ATA has been pre-created (one-time external USDC transfer). */
+    ataCreationRequired?: boolean;
 }
 /**
  * Canonical config for the Stripe SPT rail.

package/dist/stripe-multichain/index.d.mts

@@ -112,15 +112,22 @@ declare function createPiCache({ redisUrl, ttlSeconds, keyPrefix, }?: {
  *     the 402 advertises a stable per-order deposit address.
  *   - **Settle leg** (MPP credential attached): reuse the buyer's
  *     signed-against payTo from the credential (after verifying it's in the
- *     local cache) — otherwise the verify leg would compare against a
- *     freshly-rotated address and reject the credential.
+ *     local cache OR matches a configured `staticRecipients` entry) —
+ *     otherwise the verify leg would compare against a freshly-rotated
+ *     address and reject the credential.
  *
  * Stripe SPT and card methods don't carry an on-chain recipient, so the
  * settle leg still mints a fresh PaymentIntent for them.
  *
- * Mirrors the hand-rolled `createPayToAddress` block consumers wrote in
- * `lib/payment.ts`. Lifts the structural branching; merchants keep
- * env-driven config (network list, default network, metadata) at the call site.
+ * Two public entrypoints share the same options and internal helpers:
+ *   - `createPayToAddressFromStripePI` returns a single string (the
+ *     `preferredNetwork`'s address). Convenient when the merchant only needs
+ *     one rail's payTo back.
+ *   - `mintMultichainRecipients` returns the full per-rail map plus the PI
+ *     id. Preferred for multi-rail merchants — avoids the second pi-cache
+ *     lookup to stitch sibling addresses back together.
+ *
+ * Mirrors the python `pay_to_address.py` factoring.
  */
 
 interface CreatePayToAddressFromStripePIOptions {
@@ -132,8 +139,26 @@ interface CreatePayToAddressFromStripePIOptions {
     stripe: StripeClientLike;
     /** Cache backing the merchant's minted addresses + PI lookups. */
     piCache: PiCache;
-    /** Networks to advertise to Stripe `deposit_options`. Default ['tempo', 'base', 'solana']. */
+    /** Networks to advertise to Stripe `deposit_options`. Default ['tempo', 'base', 'solana'].
+     *  Networks present as a key in `staticRecipients` are removed from this list
+     *  automatically — Stripe is not asked to mint a per-PI address for them. */
     networks?: string[];
+    /** Merchant-owned static deposit addresses, keyed by network. Use this to bypass
+     *  Stripe per-PI rotation on chains where a rotating recipient is expensive
+     *  (Solana: each new recipient address costs ~0.002 SOL of ATA rent locked on
+     *  an account the merchant can't close — see MPP spec §13.6 "ATA Rent Drain").
+     *
+     *  The SDK handles everything: (a) excludes these networks from the Stripe mint,
+     *  (b) registers them with `piCache.cacheAddress` on every call (so settle-leg
+     *  `hasAddress` checks pass during the TTL window), (c) merges them into the
+     *  per-PI network map (so `getNetworkDepositAddress(piId, network)` returns the
+     *  static address transparently), and (d) accepts the credential's signed-against
+     *  recipient on the settle leg when it matches a configured static address
+     *  (bypassing the `hasAddress` TTL window since merchant-owned addresses are
+     *  always valid).
+     *
+     *  Example: `{ solana: 'FR96wd96urHJdMnYayFrPYmDeAjKvwi3rQ2wkgXXTSP8' }` */
+    staticRecipients?: Record<string, string>;
     /** Optional Stripe metadata. */
     metadata?: Record<string, string>;
     /** Pending-order id; used as the Stripe idempotency key seed so retries
@@ -143,14 +168,39 @@ interface CreatePayToAddressFromStripePIOptions {
      *  picks `tempo`, falls back to `base`. */
     preferredNetwork?: string;
 }
-/** Returns the on-chain `pay_to` address the agent should be told to pay
- *  (in the 402 challenge or the bound MPP credential).
+/** Structured result for `mintMultichainRecipients` — exposes the full per-network
+ *  deposit map plus the PI id, so merchants can stop guessing "is the returned
+ *  string the tempo address or the solana static". */
+interface MintMultichainRecipientsResult {
+    /** Per-network deposit address map (e.g. `{ tempo: '0x...', base: '0x...', solana: 'FR96...' }`).
+     *  Merges Stripe-minted addresses with any `staticRecipients` overrides. */
+    recipients: Record<string, string>;
+    /** Stripe PaymentIntent id (when a PI was minted on this call) or undefined
+     *  if all networks were covered by staticRecipients. */
+    paymentIntentId?: string;
+    /** True when the settle leg short-circuited to the credential-bound recipient
+     *  instead of minting a new PI. The merchant's downstream sibling-address
+     *  lookups (e.g. for the 402 retry body) should fall back to the PI cache. */
+    reusedFromCredential: boolean;
+}
+/** Returns the on-chain `pay_to` address the agent should be told to pay.
  *
  *  On the settle leg, when the inbound `Authorization: Payment` credential
  *  binds a `tempo` or `solana` recipient, the helper returns THAT address
- *  (after verifying it's still in `piCache`). Otherwise it mints a fresh
- *  `createMultichainPaymentIntent` and caches the addresses + PI mapping. */
+ *  (after verifying it's still in `piCache` OR matches a configured
+ *  `staticRecipients` entry). Otherwise it mints a fresh
+ *  `createMultichainPaymentIntent` and caches the addresses + PI mapping.
+ *
+ *  When `staticRecipients` is configured, prefer `mintMultichainRecipients`
+ *  instead — its structured return avoids the "is this string the tempo or
+ *  the solana static" ambiguity on the settle leg. */
 declare function createPayToAddressFromStripePI(opts: CreatePayToAddressFromStripePIOptions): Promise<string>;
+/** Structured variant of `createPayToAddressFromStripePI`: returns the full
+ *  per-rail map plus the PI id. Preferred when the merchant's `mintRecipients`
+ *  hook needs all rail addresses (typical multi-rail merchant) — saves the
+ *  pi-cache lookups + sidesteps the "returned-string-is-ambiguous" trap on
+ *  the settle leg when `staticRecipients` is configured. */
+declare function mintMultichainRecipients(opts: CreatePayToAddressFromStripePIOptions): Promise<MintMultichainRecipientsResult>;
 
 /**
  * Stripe's documented magic test_helpers transaction hash that resolves the
@@ -310,4 +360,4 @@ interface SimulateDepositForOutcomeOptions {
  *  `simulateDepositIfTestnet` wrapper pattern. */
 declare function simulateDepositForOutcome(opts: SimulateDepositForOutcomeOptions): Promise<void>;
 
-export { type CreatePayToAddressFromStripePIOptions, type MultichainPaymentIntentResult, type PiCache, STRIPE_TEST_TX_HASH_FAILED, STRIPE_TEST_TX_HASH_SUCCESS, type SimulateDepositForOutcomeOptions, type SimulateNetwork, type StripeClientLike, type StripePaymentIntent, createMppxStripe, createMultichainPaymentIntent, createPayToAddressFromStripePI, createPiCache, networkForOutcome, simulateCryptoDeposit, simulateDepositForOutcome, simulateDepositIfTestMode };
+export { type CreatePayToAddressFromStripePIOptions, type MintMultichainRecipientsResult, type MultichainPaymentIntentResult, type PiCache, STRIPE_TEST_TX_HASH_FAILED, STRIPE_TEST_TX_HASH_SUCCESS, type SimulateDepositForOutcomeOptions, type SimulateNetwork, type StripeClientLike, type StripePaymentIntent, createMppxStripe, createMultichainPaymentIntent, createPayToAddressFromStripePI, createPiCache, mintMultichainRecipients, networkForOutcome, simulateCryptoDeposit, simulateDepositForOutcome, simulateDepositIfTestMode };

package/dist/stripe-multichain/index.d.ts

@@ -112,15 +112,22 @@ declare function createPiCache({ redisUrl, ttlSeconds, keyPrefix, }?: {
  *     the 402 advertises a stable per-order deposit address.
  *   - **Settle leg** (MPP credential attached): reuse the buyer's
  *     signed-against payTo from the credential (after verifying it's in the
- *     local cache) — otherwise the verify leg would compare against a
- *     freshly-rotated address and reject the credential.
+ *     local cache OR matches a configured `staticRecipients` entry) —
+ *     otherwise the verify leg would compare against a freshly-rotated
+ *     address and reject the credential.
  *
  * Stripe SPT and card methods don't carry an on-chain recipient, so the
  * settle leg still mints a fresh PaymentIntent for them.
  *
- * Mirrors the hand-rolled `createPayToAddress` block consumers wrote in
- * `lib/payment.ts`. Lifts the structural branching; merchants keep
- * env-driven config (network list, default network, metadata) at the call site.
+ * Two public entrypoints share the same options and internal helpers:
+ *   - `createPayToAddressFromStripePI` returns a single string (the
+ *     `preferredNetwork`'s address). Convenient when the merchant only needs
+ *     one rail's payTo back.
+ *   - `mintMultichainRecipients` returns the full per-rail map plus the PI
+ *     id. Preferred for multi-rail merchants — avoids the second pi-cache
+ *     lookup to stitch sibling addresses back together.
+ *
+ * Mirrors the python `pay_to_address.py` factoring.
  */
 
 interface CreatePayToAddressFromStripePIOptions {
@@ -132,8 +139,26 @@ interface CreatePayToAddressFromStripePIOptions {
     stripe: StripeClientLike;
     /** Cache backing the merchant's minted addresses + PI lookups. */
     piCache: PiCache;
-    /** Networks to advertise to Stripe `deposit_options`. Default ['tempo', 'base', 'solana']. */
+    /** Networks to advertise to Stripe `deposit_options`. Default ['tempo', 'base', 'solana'].
+     *  Networks present as a key in `staticRecipients` are removed from this list
+     *  automatically — Stripe is not asked to mint a per-PI address for them. */
     networks?: string[];
+    /** Merchant-owned static deposit addresses, keyed by network. Use this to bypass
+     *  Stripe per-PI rotation on chains where a rotating recipient is expensive
+     *  (Solana: each new recipient address costs ~0.002 SOL of ATA rent locked on
+     *  an account the merchant can't close — see MPP spec §13.6 "ATA Rent Drain").
+     *
+     *  The SDK handles everything: (a) excludes these networks from the Stripe mint,
+     *  (b) registers them with `piCache.cacheAddress` on every call (so settle-leg
+     *  `hasAddress` checks pass during the TTL window), (c) merges them into the
+     *  per-PI network map (so `getNetworkDepositAddress(piId, network)` returns the
+     *  static address transparently), and (d) accepts the credential's signed-against
+     *  recipient on the settle leg when it matches a configured static address
+     *  (bypassing the `hasAddress` TTL window since merchant-owned addresses are
+     *  always valid).
+     *
+     *  Example: `{ solana: 'FR96wd96urHJdMnYayFrPYmDeAjKvwi3rQ2wkgXXTSP8' }` */
+    staticRecipients?: Record<string, string>;
     /** Optional Stripe metadata. */
     metadata?: Record<string, string>;
     /** Pending-order id; used as the Stripe idempotency key seed so retries
@@ -143,14 +168,39 @@ interface CreatePayToAddressFromStripePIOptions {
      *  picks `tempo`, falls back to `base`. */
     preferredNetwork?: string;
 }
-/** Returns the on-chain `pay_to` address the agent should be told to pay
- *  (in the 402 challenge or the bound MPP credential).
+/** Structured result for `mintMultichainRecipients` — exposes the full per-network
+ *  deposit map plus the PI id, so merchants can stop guessing "is the returned
+ *  string the tempo address or the solana static". */
+interface MintMultichainRecipientsResult {
+    /** Per-network deposit address map (e.g. `{ tempo: '0x...', base: '0x...', solana: 'FR96...' }`).
+     *  Merges Stripe-minted addresses with any `staticRecipients` overrides. */
+    recipients: Record<string, string>;
+    /** Stripe PaymentIntent id (when a PI was minted on this call) or undefined
+     *  if all networks were covered by staticRecipients. */
+    paymentIntentId?: string;
+    /** True when the settle leg short-circuited to the credential-bound recipient
+     *  instead of minting a new PI. The merchant's downstream sibling-address
+     *  lookups (e.g. for the 402 retry body) should fall back to the PI cache. */
+    reusedFromCredential: boolean;
+}
+/** Returns the on-chain `pay_to` address the agent should be told to pay.
  *
  *  On the settle leg, when the inbound `Authorization: Payment` credential
  *  binds a `tempo` or `solana` recipient, the helper returns THAT address
- *  (after verifying it's still in `piCache`). Otherwise it mints a fresh
- *  `createMultichainPaymentIntent` and caches the addresses + PI mapping. */
+ *  (after verifying it's still in `piCache` OR matches a configured
+ *  `staticRecipients` entry). Otherwise it mints a fresh
+ *  `createMultichainPaymentIntent` and caches the addresses + PI mapping.
+ *
+ *  When `staticRecipients` is configured, prefer `mintMultichainRecipients`
+ *  instead — its structured return avoids the "is this string the tempo or
+ *  the solana static" ambiguity on the settle leg. */
 declare function createPayToAddressFromStripePI(opts: CreatePayToAddressFromStripePIOptions): Promise<string>;
+/** Structured variant of `createPayToAddressFromStripePI`: returns the full
+ *  per-rail map plus the PI id. Preferred when the merchant's `mintRecipients`
+ *  hook needs all rail addresses (typical multi-rail merchant) — saves the
+ *  pi-cache lookups + sidesteps the "returned-string-is-ambiguous" trap on
+ *  the settle leg when `staticRecipients` is configured. */
+declare function mintMultichainRecipients(opts: CreatePayToAddressFromStripePIOptions): Promise<MintMultichainRecipientsResult>;
 
 /**
  * Stripe's documented magic test_helpers transaction hash that resolves the
@@ -310,4 +360,4 @@ interface SimulateDepositForOutcomeOptions {
  *  `simulateDepositIfTestnet` wrapper pattern. */
 declare function simulateDepositForOutcome(opts: SimulateDepositForOutcomeOptions): Promise<void>;
 
-export { type CreatePayToAddressFromStripePIOptions, type MultichainPaymentIntentResult, type PiCache, STRIPE_TEST_TX_HASH_FAILED, STRIPE_TEST_TX_HASH_SUCCESS, type SimulateDepositForOutcomeOptions, type SimulateNetwork, type StripeClientLike, type StripePaymentIntent, createMppxStripe, createMultichainPaymentIntent, createPayToAddressFromStripePI, createPiCache, networkForOutcome, simulateCryptoDeposit, simulateDepositForOutcome, simulateDepositIfTestMode };
+export { type CreatePayToAddressFromStripePIOptions, type MintMultichainRecipientsResult, type MultichainPaymentIntentResult, type PiCache, STRIPE_TEST_TX_HASH_FAILED, STRIPE_TEST_TX_HASH_SUCCESS, type SimulateDepositForOutcomeOptions, type SimulateNetwork, type StripeClientLike, type StripePaymentIntent, createMppxStripe, createMultichainPaymentIntent, createPayToAddressFromStripePI, createPiCache, mintMultichainRecipients, networkForOutcome, simulateCryptoDeposit, simulateDepositForOutcome, simulateDepositIfTestMode };

package/dist/stripe-multichain/index.js

@@ -19434,11 +19434,12 @@ function toClient(method, options) {
   };
 }
 function toServer(method, options) {
-  const { authorize, defaults, html, request, respond, stableBinding, transport, verify: verify3 } = options;
+  const { authorize, defaults, extensions, html, request, respond, stableBinding, transport, verify: verify3 } = options;
   return {
     ...method,
     authorize,
     defaults,
+    extensions,
     html,
     request,
     respond,
@@ -19653,6 +19654,7 @@ __export(stripe_multichain_exports, {
   createMultichainPaymentIntent: () => createMultichainPaymentIntent,
   createPayToAddressFromStripePI: () => createPayToAddressFromStripePI,
   createPiCache: () => createPiCache,
+  mintMultichainRecipients: () => mintMultichainRecipients,
   networkForOutcome: () => networkForOutcome,
   simulateCryptoDeposit: () => simulateCryptoDeposit,
   simulateDepositForOutcome: () => simulateDepositForOutcome,
@@ -19719,50 +19721,76 @@ async function createMultichainPaymentIntent({
 }
 
 // src/stripe-multichain/pay_to_address.ts
+var DEFAULT_NETWORKS = ["tempo", "base", "solana"];
 async function createPayToAddressFromStripePI(opts) {
+  const fromCredential = await tryResolveFromCredential(opts);
+  if (fromCredential !== null) return fromCredential;
+  const { preferred } = await mintAndCache(opts);
+  return preferred;
+}
+async function mintMultichainRecipients(opts) {
+  const fromCredential = await tryResolveFromCredential(opts);
+  if (fromCredential !== null) {
+    const piId = opts.piCache.getPaymentIntentId(fromCredential);
+    const networkMap = piId ? readNetworkMapFromCache(opts.piCache, piId) : {};
+    const merged2 = { ...networkMap, ...opts.staticRecipients ?? {} };
+    return {
+      recipients: merged2,
+      ...piId !== void 0 && { paymentIntentId: piId },
+      reusedFromCredential: true
+    };
+  }
+  const { merged, paymentIntentId } = await mintAndCache(opts);
+  return { recipients: merged, paymentIntentId, reusedFromCredential: false };
+}
+async function tryResolveFromCredential(opts) {
   const authHeader = opts.request.headers.get("authorization");
-  if (authHeader) {
-    const { Credential } = await Promise.resolve().then(() => (init_dist2(), dist_exports));
-    if (Credential.extractPaymentScheme(authHeader)) {
-      let credential;
-      try {
-        credential = Credential.fromRequest(opts.request);
-      } catch {
-        throw new CheckoutValidationError({
-          code: "invalid_credential",
-          message: "The Authorization: Payment header is not a valid MPP credential.",
-          action: "retry_without_credential",
-          status: 401
-        });
-      }
-      const method = credential.challenge.method;
-      if (method === "tempo" || method === "solana") {
-        const toAddress = credential.challenge.request.recipient;
-        if (typeof toAddress !== "string" || !toAddress) {
-          throw new CheckoutValidationError({
-            code: "invalid_credential",
-            message: "The MPP credential is missing its recipient field.",
-            action: "retry_without_credential",
-            status: 401
-          });
-        }
-        if (!await opts.piCache.hasAddress(toAddress)) {
-          throw new CheckoutValidationError({
-            code: "invalid_credential",
-            message: "The signed-against payTo recipient is not in this merchant's cache (unknown or expired). Retry without the Authorization: Payment header to receive a fresh 402 challenge.",
-            action: "retry_without_credential",
-            status: 401
-          });
-        }
-        return toAddress;
-      }
-    }
+  if (!authHeader) return null;
+  const { Credential } = await Promise.resolve().then(() => (init_dist2(), dist_exports));
+  if (!Credential.extractPaymentScheme(authHeader)) return null;
+  let credential;
+  try {
+    credential = Credential.fromRequest(opts.request);
+  } catch {
+    throw new CheckoutValidationError({
+      code: "invalid_credential",
+      message: "The Authorization: Payment header is not a valid MPP credential.",
+      action: "retry_without_credential",
+      status: 401
+    });
+  }
+  const method = credential.challenge.method;
+  if (method !== "tempo" && method !== "solana") return null;
+  const toAddress = credential.challenge.request.recipient;
+  if (typeof toAddress !== "string" || !toAddress) {
+    throw new CheckoutValidationError({
+      code: "invalid_credential",
+      message: "The MPP credential is missing its recipient field.",
+      action: "retry_without_credential",
+      status: 401
+    });
+  }
+  const staticForMethod = opts.staticRecipients?.[method];
+  if (staticForMethod && staticForMethod === toAddress) return toAddress;
+  if (!await opts.piCache.hasAddress(toAddress)) {
+    throw new CheckoutValidationError({
+      code: "invalid_credential",
+      message: "The signed-against payTo recipient is not in this merchant's cache (unknown or expired). Retry without the Authorization: Payment header to receive a fresh 402 challenge.",
+      action: "retry_without_credential",
+      status: 401
+    });
   }
+  return toAddress;
+}
+async function mintAndCache(opts) {
+  const staticRecipients = opts.staticRecipients ?? {};
+  const requestedNetworks = opts.networks ?? [...DEFAULT_NETWORKS];
+  const stripeNetworks = requestedNetworks.filter((n) => !(n in staticRecipients));
   const idempotencyKey = opts.orderId ? `pi-${opts.orderId}-${opts.amountCents}` : void 0;
   const { paymentIntentId, depositAddresses } = await createMultichainPaymentIntent({
     stripe: opts.stripe,
     amount: opts.amountCents,
-    networks: opts.networks ?? ["tempo", "base", "solana"],
+    networks: stripeNetworks,
     ...opts.metadata ? { metadata: opts.metadata } : {},
     ...idempotencyKey ? { idempotencyKey } : {}
   });
@@ -19770,10 +19798,14 @@ async function createPayToAddressFromStripePI(opts) {
     await opts.piCache.cacheAddress(address2);
     opts.piCache.cachePaymentIntent(address2, paymentIntentId);
   }
-  opts.piCache.cacheNetworkAddresses(paymentIntentId, depositAddresses);
-  const preferred = opts.preferredNetwork ?? "tempo";
-  const payTo = depositAddresses[preferred] ?? depositAddresses.base ?? depositAddresses.tempo;
-  if (!payTo) {
+  for (const address2 of Object.values(staticRecipients)) {
+    await opts.piCache.cacheAddress(address2);
+  }
+  const merged = { ...depositAddresses, ...staticRecipients };
+  opts.piCache.cacheNetworkAddresses(paymentIntentId, merged);
+  const preferredKey = opts.preferredNetwork ?? "tempo";
+  const preferred = merged[preferredKey] ?? merged.base ?? merged.tempo;
+  if (!preferred) {
     throw new CheckoutValidationError({
       code: "payment_provider_unavailable",
       message: "Stripe returned deposit addresses but none matched the requested network (tempo / base / solana). The account may have only a subset of multichain networks enabled.",
@@ -19781,7 +19813,15 @@ async function createPayToAddressFromStripePI(opts) {
       status: 503
     });
   }
-  return payTo;
+  return { preferred, merged, paymentIntentId };
+}
+function readNetworkMapFromCache(piCache, paymentIntentId) {
+  const entries = [];
+  for (const n of DEFAULT_NETWORKS) {
+    const addr = piCache.getNetworkDepositAddress(paymentIntentId, n);
+    if (addr) entries.push([n, addr]);
+  }
+  return Object.fromEntries(entries);
 }
 
 // src/stripe-multichain/simulate_deposit.ts
@@ -20006,6 +20046,7 @@ async function simulateDepositForOutcome(opts) {
   createMultichainPaymentIntent,
   createPayToAddressFromStripePI,
   createPiCache,
+  mintMultichainRecipients,
   networkForOutcome,
   simulateCryptoDeposit,
   simulateDepositForOutcome,