@agentcash/router 1.5.0 → 1.5.2

package/dist/index.js

@@ -8,7 +8,65 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
-// src/protocols/evm.ts
+// src/constants.ts
+var BASE_NETWORK, SOLANA_MAINNET_NETWORK, TEMPO_USDC_CURRENCY, ZERO_EVM_ADDRESS;
+var init_constants = __esm({
+  "src/constants.ts"() {
+    "use strict";
+    BASE_NETWORK = "eip155:8453";
+    SOLANA_MAINNET_NETWORK = "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp";
+    TEMPO_USDC_CURRENCY = "0x20c000000000000000000000b9537d11c60e8b50";
+    ZERO_EVM_ADDRESS = "0x0000000000000000000000000000000000000000";
+  }
+});
+
+// src/protocols/x402/accepts.ts
+async function resolvePayToValue(payTo, request, fallback, body) {
+  if (!payTo) return fallback;
+  if (typeof payTo === "string") return payTo;
+  return payTo(request, body);
+}
+function getConfiguredX402Accepts(config) {
+  if (config.x402?.accepts?.length) {
+    return [...config.x402.accepts];
+  }
+  return [
+    {
+      scheme: "exact",
+      network: config.network ?? BASE_NETWORK,
+      payTo: config.payeeAddress
+    }
+  ];
+}
+function getConfiguredX402Networks(config) {
+  return [...new Set(getConfiguredX402Accepts(config).map((accept) => accept.network))];
+}
+async function resolveX402Accepts(request, routeEntry, accepts, fallbackPayTo, body) {
+  return Promise.all(
+    accepts.map(async (accept) => ({
+      network: accept.network,
+      scheme: accept.scheme ?? "exact",
+      payTo: await resolvePayToValue(
+        routeEntry.payTo ?? accept.payTo,
+        request,
+        fallbackPayTo,
+        body
+      ),
+      ...accept.asset ? { asset: accept.asset } : {},
+      ...accept.decimals !== void 0 ? { decimals: accept.decimals } : {},
+      ...accept.maxTimeoutSeconds !== void 0 ? { maxTimeoutSeconds: accept.maxTimeoutSeconds } : {},
+      ...accept.extra ? { extra: accept.extra } : {}
+    }))
+  );
+}
+var init_accepts = __esm({
+  "src/protocols/x402/accepts.ts"() {
+    "use strict";
+    init_constants();
+  }
+});
+
+// src/protocols/x402/evm.ts
 function isEvmNetwork(network) {
   return network.startsWith("eip155:");
 }
@@ -26,12 +84,12 @@ function buildEvmExactOptions(accepts, price) {
   }));
 }
 var init_evm = __esm({
-  "src/protocols/evm.ts"() {
+  "src/protocols/x402/evm.ts"() {
     "use strict";
   }
 });
 
-// src/protocols/solana.ts
+// src/protocols/x402/solana.ts
 function isSolanaNetwork(network) {
   return network.startsWith("solana:");
 }
@@ -81,13 +139,13 @@ function isSolanaRequirement(requirement) {
   return isSolanaNetwork(requirement.network);
 }
 var init_solana = __esm({
-  "src/protocols/solana.ts"() {
+  "src/protocols/x402/solana.ts"() {
     "use strict";
-    init_x402_facilitators();
+    init_facilitators();
   }
 });
 
-// src/x402-facilitators.ts
+// src/protocols/x402/facilitators.ts
 function getResolvedX402Facilitator(config, network, defaultEvmFacilitator) {
   const family = getNetworkFamily(network);
   if (!family) return null;
@@ -157,8 +215,8 @@ function sameFacilitatorConfig(a, b) {
   return a.url === b.url && a.createAuthHeaders === b.createAuthHeaders && a.createAcceptsHeaders === b.createAcceptsHeaders;
 }
 var DEFAULT_SOLANA_FACILITATOR_URL;
-var init_x402_facilitators = __esm({
-  "src/x402-facilitators.ts"() {
+var init_facilitators = __esm({
+  "src/protocols/x402/facilitators.ts"() {
     "use strict";
     init_evm();
     init_solana();
@@ -166,64 +224,6 @@ var init_x402_facilitators = __esm({
   }
 });
 
-// src/constants.ts
-var BASE_NETWORK, SOLANA_MAINNET_NETWORK, TEMPO_USDC_CURRENCY, ZERO_EVM_ADDRESS;
-var init_constants = __esm({
-  "src/constants.ts"() {
-    "use strict";
-    BASE_NETWORK = "eip155:8453";
-    SOLANA_MAINNET_NETWORK = "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp";
-    TEMPO_USDC_CURRENCY = "0x20c000000000000000000000b9537d11c60e8b50";
-    ZERO_EVM_ADDRESS = "0x0000000000000000000000000000000000000000";
-  }
-});
-
-// src/x402-config.ts
-async function resolvePayToValue(payTo, request, fallback, body) {
-  if (!payTo) return fallback;
-  if (typeof payTo === "string") return payTo;
-  return payTo(request, body);
-}
-function getConfiguredX402Accepts(config) {
-  if (config.x402?.accepts?.length) {
-    return [...config.x402.accepts];
-  }
-  return [
-    {
-      scheme: "exact",
-      network: config.network ?? BASE_NETWORK,
-      payTo: config.payeeAddress
-    }
-  ];
-}
-function getConfiguredX402Networks(config) {
-  return [...new Set(getConfiguredX402Accepts(config).map((accept) => accept.network))];
-}
-async function resolveX402Accepts(request, routeEntry, accepts, fallbackPayTo, body) {
-  return Promise.all(
-    accepts.map(async (accept) => ({
-      network: accept.network,
-      scheme: accept.scheme ?? "exact",
-      payTo: await resolvePayToValue(
-        routeEntry.payTo ?? accept.payTo,
-        request,
-        fallbackPayTo,
-        body
-      ),
-      ...accept.asset ? { asset: accept.asset } : {},
-      ...accept.decimals !== void 0 ? { decimals: accept.decimals } : {},
-      ...accept.maxTimeoutSeconds !== void 0 ? { maxTimeoutSeconds: accept.maxTimeoutSeconds } : {},
-      ...accept.extra ? { extra: accept.extra } : {}
-    }))
-  );
-}
-var init_x402_config = __esm({
-  "src/x402-config.ts"() {
-    "use strict";
-    init_constants();
-  }
-});
-
 // src/server.ts
 var server_exports = {};
 __export(server_exports, {
@@ -308,8 +308,8 @@ var init_server = __esm({
     "use strict";
     init_evm();
     init_solana();
-    init_x402_facilitators();
-    init_x402_config();
+    init_facilitators();
+    init_accepts();
   }
 });
 
@@ -415,13 +415,32 @@ var RouteRegistry = class {
   }
 };
 
-// src/orchestrate.ts
-import { NextResponse as NextResponse2 } from "next/server";
-
-// src/auth/normalize-wallet.ts
-function normalizeWalletAddress(address) {
-  return address.startsWith("0x") ? address.toLowerCase() : address;
-}
+// src/headers.ts
+var HEADERS = {
+  // ---- Standard HTTP ----
+  AUTHORIZATION: "Authorization",
+  WWW_AUTHENTICATE: "WWW-Authenticate",
+  // ---- Auth ----
+  API_KEY: "X-API-Key",
+  // ---- Request meta (used by plugin/observability) ----
+  WALLET_ADDRESS: "X-Wallet-Address",
+  CLIENT_ID: "X-Client-ID",
+  SESSION_ID: "X-Session-ID",
+  // ---- SIWX ----
+  SIWX: "SIGN-IN-WITH-X",
+  // ---- x402 (payment) ----
+  X402_PAYMENT_SIGNATURE: "PAYMENT-SIGNATURE",
+  /** Legacy x402 payment header — accepted alongside PAYMENT-SIGNATURE. */
+  X402_PAYMENT_LEGACY: "X-PAYMENT",
+  X402_PAYMENT_REQUIRED: "PAYMENT-REQUIRED",
+  X402_PAYMENT_RESPONSE: "PAYMENT-RESPONSE",
+  // ---- MPP (payment) ----
+  MPP_PAYMENT_RECEIPT: "Payment-Receipt"
+};
+var AUTH_SCHEME = {
+  BEARER: "Bearer ",
+  MPP_PAYMENT: "Payment "
+};
 
 // src/plugin.ts
 function createDefaultContext(meta) {
@@ -498,105 +517,31 @@ function consolePlugin() {
   };
 }
 
-// src/auth/nonce.ts
-var SIWX_CHALLENGE_EXPIRY_MS = 5 * 60 * 1e3;
-var MemoryNonceStore = class {
-  seen = /* @__PURE__ */ new Map();
-  async check(nonce) {
-    this.evict();
-    if (this.seen.has(nonce)) return false;
-    this.seen.set(nonce, Date.now() + SIWX_CHALLENGE_EXPIRY_MS);
-    return true;
-  }
-  evict() {
-    const now = Date.now();
-    for (const [n, exp] of this.seen) {
-      if (exp < now) this.seen.delete(n);
-    }
-  }
-};
-function detectRedisClientType(client) {
-  if (!client || typeof client !== "object") {
-    throw new Error(
-      "createRedisNonceStore requires a Redis client. Supported: @upstash/redis, ioredis. Pass your Redis client instance as the first argument."
-    );
-  }
-  if ("options" in client && "status" in client) {
-    return "ioredis";
-  }
-  const constructor = client.constructor?.name;
-  if (constructor === "Redis" && "url" in client) {
-    return "upstash";
-  }
-  if (typeof client.set === "function") {
-    return "upstash";
-  }
-  throw new Error(
-    "Unrecognized Redis client. Supported: @upstash/redis, ioredis. If using a different client, implement NonceStore interface directly."
-  );
+// src/pipeline/context/preflight.ts
+function preflight(routeEntry, handler, deps, request) {
+  const meta = buildMeta(request, routeEntry);
+  const pluginCtx = firePluginHook(deps.plugin, "onRequest", meta) ?? createDefaultContext(meta);
+  return { routeEntry, handler, deps, request, meta, pluginCtx };
 }
-function createRedisNonceStore(client, opts) {
-  const prefix = opts?.prefix ?? "siwx:nonce:";
-  const ttlSeconds = Math.ceil((opts?.ttlMs ?? SIWX_CHALLENGE_EXPIRY_MS) / 1e3);
-  const clientType = detectRedisClientType(client);
+function buildMeta(request, routeEntry) {
   return {
-    async check(nonce) {
-      const key = `${prefix}${nonce}`;
-      if (clientType === "upstash") {
-        const redis = client;
-        const result = await redis.set(key, "1", { ex: ttlSeconds, nx: true });
-        return result !== null;
-      }
-      if (clientType === "ioredis") {
-        const redis = client;
-        const result = await redis.set(key, "1", "EX", ttlSeconds, "NX");
-        return result === "OK";
-      }
-      throw new Error("Unknown Redis client type");
-    }
+    requestId: crypto.randomUUID(),
+    method: request.method,
+    route: routeEntry.key,
+    origin: request.headers.get("origin") ?? new URL(request.url).origin,
+    referer: request.headers.get("referer"),
+    walletAddress: request.headers.get(HEADERS.WALLET_ADDRESS),
+    clientId: request.headers.get(HEADERS.CLIENT_ID),
+    sessionId: request.headers.get(HEADERS.SESSION_ID),
+    contentType: request.headers.get("content-type"),
+    headers: Object.fromEntries(request.headers.entries()),
+    startTime: Date.now()
   };
 }
 
-// src/protocols/detect.ts
-function detectProtocol(request) {
-  if (request.headers.get("PAYMENT-SIGNATURE") || request.headers.get("X-PAYMENT")) {
-    return "x402";
-  }
-  const auth = request.headers.get("Authorization");
-  if (auth && auth.startsWith("Payment ")) {
-    return "mpp";
-  }
-  if (request.headers.get("SIGN-IN-WITH-X")) {
-    return "siwx";
-  }
-  return null;
-}
-
-// src/handler.ts
+// src/pipeline/context/parse-body.ts
 import { NextResponse } from "next/server";
 
-// src/types.ts
-var HttpError = class extends Error {
-  constructor(message, status) {
-    super(message);
-    this.status = status;
-    this.name = "HttpError";
-  }
-};
-
-// src/handler.ts
-async function safeCallHandler(handler, ctx) {
-  try {
-    const result = await handler(ctx);
-    if (result instanceof Response) return result;
-    return NextResponse.json(result);
-  } catch (error) {
-    const status = error instanceof HttpError ? error.status : typeof error.status === "number" ? error.status : 500;
-    const message = error instanceof Error ? error.message : "Internal error";
-    return NextResponse.json({ success: false, error: message }, { status });
-  }
-}
-
 // src/body.ts
 async function bufferBody(request) {
   const text = await request.text();
@@ -621,296 +566,329 @@ function validateBody(parsed, schema) {
   };
 }
 
-// src/pricing.ts
-async function resolvePrice(pricing, body) {
-  if (typeof pricing === "string") {
-    return pricing;
-  }
-  if (typeof pricing === "function") {
-    return pricing(body);
-  }
-  const { field, tiers, default: defaultTier } = pricing;
-  const tierKey = body != null ? String(body[field] ?? "") : "";
-  if (tierKey && tiers[tierKey]) {
-    return tiers[tierKey].price;
-  }
-  if (defaultTier && tiers[defaultTier]) {
-    return tiers[defaultTier].price;
-  }
-  if (!tierKey) {
-    throw Object.assign(new Error(`Missing required field '${field}' for tier pricing`), {
-      status: 400
-    });
-  }
-  throw Object.assign(
-    new Error(
-      `Unknown tier '${tierKey}' for field '${field}'. Valid tiers: ${Object.keys(tiers).join(", ")}`
-    ),
-    { status: 400 }
-  );
+// src/pipeline/context/parse-body.ts
+async function parseBody(request, routeEntry) {
+  if (!routeEntry.bodySchema) return { ok: true, data: void 0 };
+  const raw = await bufferBody(request);
+  const result = validateBody(raw, routeEntry.bodySchema);
+  if (result.success) return { ok: true, data: result.data };
+  return {
+    ok: false,
+    response: NextResponse.json(
+      { success: false, error: result.error, issues: result.issues },
+      { status: 400 }
+    )
+  };
 }
-function resolveMaxPrice(pricing) {
-  if (typeof pricing === "string") return pricing;
-  if (typeof pricing === "function") {
-    throw new Error("Dynamic pricing requires maxPrice \u2014 this should be caught at registration");
-  }
-  const { tiers } = pricing;
-  let max = "0";
-  for (const tier of Object.values(tiers)) {
-    if (parseFloat(tier.price) > parseFloat(max)) {
-      max = tier.price;
-    }
-  }
-  return max;
+
+// src/pipeline/context/parse-query.ts
+function parseQuery(request, routeEntry) {
+  if (!routeEntry.querySchema) return void 0;
+  const params = Object.fromEntries(request.nextUrl.searchParams.entries());
+  const result = routeEntry.querySchema.safeParse(params);
+  return result.success ? result.data : params;
 }
 
-// src/orchestrate.ts
-import { Credential as Credential2, Receipt } from "mppx";
-import { call as viemCall } from "viem/actions";
-import { Transaction as TempoTransaction } from "viem/tempo";
-import { isAddress as isAddress2, getAddress as getAddress2 } from "viem";
+// src/pipeline/context/errors.ts
+function errorStatus(error, fallback) {
+  const status = error?.status;
+  return typeof status === "number" ? status : fallback;
+}
+function errorMessage(error, fallback) {
+  return error instanceof Error ? error.message : fallback;
+}
+function handlerFailureError(response) {
+  const message = response.statusText || `Handler returned HTTP ${response.status}`;
+  return Object.assign(new Error(message), { status: response.status });
+}
 
-// src/protocols/x402.ts
-init_x402_facilitators();
-init_evm();
-init_solana();
-async function buildX402Challenge(opts) {
-  const { server, routeEntry, request, price, accepts, facilitatorsByNetwork, extensions } = opts;
-  const { encodePaymentRequiredHeader } = await import("@x402/core/http");
-  const resource = buildChallengeResource(request, routeEntry);
-  const requirements = await buildChallengeRequirements(
-    server,
-    request,
-    price,
-    accepts,
-    resource,
-    facilitatorsByNetwork
-  );
-  const paymentRequired = await server.createPaymentRequiredResponse(
-    requirements,
-    resource,
-    void 0,
-    extensions
-  );
-  const encoded = encodePaymentRequiredHeader(paymentRequired);
-  return { encoded, requirements };
-}
-async function verifyX402Payment(opts) {
-  const { server, request, price, accepts } = opts;
-  const payload = await readPaymentPayload(request);
-  if (!payload) return null;
-  const requirements = await buildExpectedRequirements(server, request, price, accepts);
-  const matching = findVerifiableRequirements(server, requirements, payload);
-  if (!matching) {
-    return invalidPaymentVerification();
+// src/pipeline/context/fail.ts
+import { NextResponse as NextResponse2 } from "next/server";
+
+// src/pipeline/context/fire-plugin-response.ts
+function firePluginResponse(ctx, response, requestBody, responseBody) {
+  firePluginHook(ctx.deps.plugin, "onResponse", ctx.pluginCtx, {
+    statusCode: response.status,
+    statusText: response.statusText,
+    duration: Date.now() - ctx.meta.startTime,
+    contentType: response.headers.get("content-type"),
+    headers: Object.fromEntries(response.headers.entries()),
+    requestBody,
+    responseBody
+  });
+  if (response.status >= 400 && response.status !== 402) {
+    firePluginHook(ctx.deps.plugin, "onError", ctx.pluginCtx, {
+      status: response.status,
+      message: response.statusText || `HTTP ${response.status}`,
+      settled: false
+    });
   }
-  let verify;
+}
+
+// src/pipeline/context/fail.ts
+function fail(ctx, status, message, requestBody) {
+  const response = NextResponse2.json({ success: false, error: message }, { status });
+  firePluginResponse(ctx, response, requestBody);
+  return response;
+}
+
+// src/pipeline/context/run-validate.ts
+async function runValidate(ctx, body) {
+  if (!ctx.routeEntry.validateFn) return null;
   try {
-    verify = await server.verifyPayment(payload, matching);
+    await ctx.routeEntry.validateFn(body);
+    return null;
   } catch (err) {
-    const sc = err.statusCode;
-    if (sc && sc >= 400 && sc < 500) return invalidPaymentVerification();
-    throw err;
+    return fail(ctx, errorStatus(err, 400), errorMessage(err, "Validation failed"), body);
   }
-  if (!verify.isValid) return invalidPaymentVerification();
-  return {
-    valid: true,
-    payer: verify.payer,
-    payload,
-    requirements: matching
-  };
 }
-function findVerifiableRequirements(server, requirements, payload) {
-  const strictMatch = server.findMatchingRequirements(requirements, payload);
-  if (strictMatch) {
-    return payload.x402Version === 2 ? payload.accepted : strictMatch;
+
+// src/handler.ts
+import { NextResponse as NextResponse3 } from "next/server";
+
+// src/types.ts
+var HttpError = class extends Error {
+  constructor(message, status) {
+    super(message);
+    this.status = status;
+    this.name = "HttpError";
   }
-  if (payload.x402Version !== 2) {
-    return null;
+};
+
+// src/handler.ts
+async function safeCallHandler(handler, ctx, options = {}) {
+  try {
+    const result = await handler(ctx);
+    if (result instanceof Response) return result;
+    return NextResponse3.json(result);
+  } catch (error) {
+    options.onError?.(error);
+    const status = error instanceof HttpError ? error.status : typeof error.status === "number" ? error.status : 500;
+    const message = error instanceof Error ? error.message : "Internal error";
+    return NextResponse3.json({ success: false, error: message }, { status });
   }
-  const stableMatch = requirements.find(
-    (requirement) => matchesStableFields(requirement, payload.accepted)
-  );
-  return stableMatch ? payload.accepted : null;
-}
-function matchesStableFields(requirement, accepted) {
-  return requirement.scheme === accepted.scheme && requirement.network === accepted.network && requirement.payTo === accepted.payTo && requirement.asset === accepted.asset && requirement.amount === accepted.amount && requirement.maxTimeoutSeconds === accepted.maxTimeoutSeconds;
-}
-async function buildExpectedRequirements(server, request, price, accepts) {
-  const exactRequirements = await buildExactRequirements(server, request, price, accepts);
-  const customRequirements = buildCustomRequirements(price, accepts);
-  return [...exactRequirements, ...customRequirements];
 }
-async function buildExactRequirements(server, request, price, accepts) {
-  const exactGroups = [
-    buildEvmExactOptions(accepts, price),
-    buildSolanaExactOptions(accepts, price)
-  ].filter((options) => options.length > 0);
-  if (exactGroups.length === 0) return [];
-  const requirements = [];
-  const failures = [];
-  for (const options of exactGroups) {
-    try {
-      requirements.push(
-        ...await server.buildPaymentRequirementsFromOptions(options, { request })
-      );
-    } catch (error) {
-      const err = error instanceof Error ? error : new Error(String(error));
-      failures.push(err);
-      if (exactGroups.length === 1) {
-        throw err;
+
+// src/pipeline/context/invoke.ts
+async function invoke(ctx, wallet, account, body, payment) {
+  const handlerCtx = {
+    body,
+    query: parseQuery(ctx.request, ctx.routeEntry),
+    request: ctx.request,
+    requestId: ctx.meta.requestId,
+    route: ctx.routeEntry.key,
+    wallet,
+    payment,
+    account,
+    alert(level, message, alertMeta) {
+      firePluginHook(ctx.deps.plugin, "onAlert", ctx.pluginCtx, {
+        level,
+        message,
+        route: ctx.routeEntry.key,
+        meta: alertMeta
+      });
+    },
+    setVerifiedWallet: (addr) => ctx.pluginCtx.setVerifiedWallet(addr)
+  };
+  let rawResult;
+  let handlerError;
+  const response = await safeCallHandler(
+    async (c) => {
+      rawResult = await ctx.handler(c);
+      return rawResult;
+    },
+    handlerCtx,
+    {
+      onError(error) {
+        handlerError = error;
       }
-      console.warn(
-        `[router] Failed to build x402 exact requirements for ${options[0]?.network}: ${err.message}`
-      );
     }
+  );
+  return { response, rawResult, handlerError };
+}
+
+// src/pipeline/context/fire-provider-quota.ts
+function fireProviderQuota(ctx, response, handlerResult) {
+  const { providerName, providerConfig } = ctx.routeEntry;
+  if (!providerName || !providerConfig?.extractQuota) return;
+  if (response.status >= 400) return;
+  try {
+    const quota = providerConfig.extractQuota(handlerResult, response.headers);
+    if (!quota) return;
+    const level = computeQuotaLevel(quota.remaining, providerConfig.warn, providerConfig.critical);
+    const overage = providerConfig.overage ?? "same-rate";
+    const event = {
+      provider: providerName,
+      route: ctx.routeEntry.key,
+      remaining: quota.remaining,
+      limit: quota.limit,
+      spend: quota.spend,
+      level,
+      overage,
+      message: quota.remaining !== null ? `${providerName}: ${quota.remaining}${quota.limit ? `/${quota.limit}` : ""} remaining` : `${providerName}: quota info unavailable`
+    };
+    firePluginHook(ctx.deps.plugin, "onProviderQuota", ctx.pluginCtx, event);
+  } catch {
   }
-  if (requirements.length > 0) {
-    return requirements;
-  }
-  throw failures[0] ?? new Error("Failed to build x402 exact requirements");
 }
-function buildCustomRequirements(price, accepts) {
-  return accepts.filter((accept) => accept.scheme !== "exact").map((accept) => buildCustomRequirement(price, accept));
+function computeQuotaLevel(remaining, warn, critical) {
+  if (remaining === null) return "healthy";
+  if (critical !== void 0 && remaining <= critical) return "critical";
+  if (warn !== void 0 && remaining <= warn) return "warn";
+  return "healthy";
 }
-async function buildChallengeRequirements(server, request, price, accepts, resource, facilitatorsByNetwork) {
-  const requirements = await buildExpectedRequirements(server, request, price, accepts);
-  if (!needsFacilitatorEnrichment(accepts)) return requirements;
-  return enrichChallengeRequirements(requirements, resource, facilitatorsByNetwork);
+
+// src/pipeline/context/finalize.ts
+function finalize(ctx, response, rawResult, requestBody) {
+  fireProviderQuota(ctx, response, rawResult);
+  firePluginResponse(ctx, response, requestBody, rawResult);
+  return response;
 }
-function needsFacilitatorEnrichment(accepts) {
-  return accepts.some((accept) => accept.scheme !== "exact") || hasSolanaAccepts(accepts);
+
+// src/pipeline/context/run-handler-only.ts
+async function runHandlerOnly(ctx, wallet, account) {
+  const body = await parseBody(ctx.request, ctx.routeEntry);
+  if (!body.ok) {
+    firePluginResponse(ctx, body.response);
+    return body.response;
+  }
+  const validateErr = await runValidate(ctx, body.data);
+  if (validateErr) return validateErr;
+  const result = await invoke(ctx, wallet, account, body.data, null);
+  return finalize(ctx, result.response, result.rawResult, body.data);
 }
-async function enrichGroup(group, resource) {
-  const accepted = await enrichRequirementsWithFacilitatorAccepts(
-    group.facilitator,
-    resource,
-    group.items.map(({ requirement }) => requirement)
-  );
-  if (accepted.length !== group.items.length) {
-    throw new Error(
-      `Facilitator /accepts returned ${accepted.length} requirements for ${group.items.length} inputs on ${group.facilitator.url ?? group.facilitator.network}`
+
+// src/pipeline/context/settlement-context.ts
+function settlementContext(ctx, scope) {
+  return {
+    route: ctx.routeEntry.key,
+    request: ctx.request,
+    body: scope.body,
+    wallet: scope.wallet,
+    account: scope.account,
+    payment: scope.payment,
+    response: scope.response,
+    result: scope.rawResult
+  };
+}
+
+// src/pipeline/context/run-before-settle.ts
+async function runBeforeSettle(ctx, scope) {
+  const hook = ctx.routeEntry.settlement?.beforeSettle;
+  if (!hook) return null;
+  try {
+    await hook(settlementContext(ctx, scope));
+    return null;
+  } catch (error) {
+    return fail(
+      ctx,
+      errorStatus(error, 500),
+      errorMessage(error, "Pre-settlement validation failed"),
+      scope.body
     );
   }
-  return accepted;
 }
-async function enrichChallengeRequirements(requirements, resource, facilitatorsByNetwork) {
-  const groups = collectEnrichmentGroups(requirements, facilitatorsByNetwork);
-  if (groups.length === 0) return requirements;
-  const results = await Promise.all(
-    groups.map(async (group) => {
-      try {
-        return { success: true, group, accepted: await enrichGroup(group, resource) };
-      } catch (err) {
-        const label = group.facilitator.url ?? group.facilitator.network;
-        const reason = err instanceof Error ? err.message : String(err);
-        console.warn(
-          `[router] ${label} /accepts failed, dropping ${group.items.length} requirement(s): ${reason}`
-        );
-        return { success: false, group };
-      }
-    })
-  );
-  const enriched = [...requirements];
-  results.filter((r) => r.success).forEach(({ group, accepted }) => {
-    accepted.forEach((req, offset) => {
-      const index = group.items[offset]?.index;
-      if (index !== void 0) enriched[index] = req;
+
+// src/pipeline/context/run-settlement-error.ts
+async function runSettlementError(ctx, scope, error, phase) {
+  const hook = ctx.routeEntry.settlement?.onSettlementError;
+  if (!hook) return;
+  try {
+    await hook({ ...settlementContext(ctx, scope), error, phase });
+  } catch (hookError) {
+    const message = errorMessage(hookError, "Settlement error hook failed");
+    console.error(`[router] ${ctx.routeEntry.key}: onSettlementError failed: ${message}`);
+    firePluginHook(ctx.deps.plugin, "onAlert", ctx.pluginCtx, {
+      level: "error",
+      message: `Settlement error hook failed: ${message}`,
+      route: ctx.routeEntry.key
     });
-  });
-  const failedIndices = new Set(
-    results.filter((r) => !r.success).flatMap(({ group }) => group.items.map(({ index }) => index))
-  );
-  const remaining = enriched.filter((_, i) => !failedIndices.has(i));
-  if (remaining.length === 0) {
-    throw new Error(
-      "All facilitator enrichments failed; no payment requirements remain for challenge"
-    );
   }
-  return remaining;
 }
-function collectEnrichmentGroups(requirements, facilitatorsByNetwork) {
-  const groups = [];
-  requirements.forEach((requirement, index) => {
-    if (!requiresFacilitatorEnrichment(requirement)) return;
-    const facilitator = getRequiredFacilitator(requirement, facilitatorsByNetwork);
-    const existing = groups.find(
-      (group) => sameResolvedX402Facilitator(group.facilitator, facilitator)
-    );
-    if (existing) {
-      existing.items.push({ index, requirement });
-      return;
-    }
-    groups.push({
-      facilitator,
-      items: [{ index, requirement }]
+
+// src/pipeline/context/run-after-settle.ts
+async function runAfterSettle(ctx, scope) {
+  const hook = ctx.routeEntry.settlement?.afterSettle;
+  if (!hook) return;
+  try {
+    await hook(settlementContext(ctx, scope));
+  } catch (error) {
+    const message = errorMessage(error, "Post-settlement hook failed");
+    console.error(`[router] ${ctx.routeEntry.key}: afterSettle failed: ${message}`);
+    firePluginHook(ctx.deps.plugin, "onAlert", ctx.pluginCtx, {
+      level: "error",
+      message: `Post-settlement hook failed: ${message}`,
+      route: ctx.routeEntry.key
     });
-  });
-  return groups;
+    await runSettlementError(ctx, scope, error, "afterSettle");
+  }
 }
-function getRequiredFacilitator(requirement, facilitatorsByNetwork) {
-  const facilitator = getFacilitatorForRequirement(facilitatorsByNetwork, requirement);
-  if (!facilitator) {
-    throw new Error(
-      `Missing x402 facilitator for ${requirement.scheme} requirement on ${requirement.network}`
-    );
+
+// src/pipeline/context/run-settled-handler-error.ts
+async function runSettledHandlerError(ctx, scope, error = scope.handlerError ?? handlerFailureError(scope.response)) {
+  const hook = ctx.routeEntry.settlement?.onSettledHandlerError;
+  if (!hook) return;
+  try {
+    await hook({ ...settlementContext(ctx, scope), error });
+  } catch (hookError) {
+    const message = errorMessage(hookError, "Settled handler error hook failed");
+    console.error(`[router] ${ctx.routeEntry.key}: onSettledHandlerError failed: ${message}`);
+    firePluginHook(ctx.deps.plugin, "onAlert", ctx.pluginCtx, {
+      level: "error",
+      message: `Settled handler error hook failed: ${message}`,
+      route: ctx.routeEntry.key
+    });
   }
-  return facilitator;
 }
-function requiresFacilitatorEnrichment(requirement) {
-  return requirement.scheme !== "exact" || isSolanaRequirement(requirement);
+
+// src/pipeline/context/grant-entitlement.ts
+async function grantEntitlementIfSiwx(ctx, wallet) {
+  if (!ctx.routeEntry.siwxEnabled) return;
+  try {
+    await ctx.deps.entitlementStore.grant(ctx.routeEntry.key, wallet);
+  } catch (error) {
+    firePluginHook(ctx.deps.plugin, "onAlert", ctx.pluginCtx, {
+      level: "warn",
+      message: `Entitlement grant failed: ${error instanceof Error ? error.message : String(error)}`,
+      route: ctx.routeEntry.key
+    });
+  }
 }
-function buildCustomRequirement(price, accept) {
-  if (!accept.asset) {
-    throw new Error(
-      `Custom x402 accept '${accept.scheme}' on '${accept.network}' is missing asset`
-    );
-  }
-  return {
-    scheme: accept.scheme,
-    network: accept.network,
-    amount: decimalToAtomicUnits(price, accept.decimals ?? 6),
-    asset: accept.asset,
-    payTo: accept.payTo,
-    maxTimeoutSeconds: accept.maxTimeoutSeconds ?? 300,
-    extra: accept.extra ?? {}
-  };
-}
-function buildChallengeResource(request, routeEntry) {
-  return {
-    url: request.url,
-    method: routeEntry.method,
-    description: routeEntry.description,
-    mimeType: "application/json"
-  };
-}
-async function readPaymentPayload(request) {
-  const paymentHeader = request.headers.get("PAYMENT-SIGNATURE") ?? request.headers.get("X-PAYMENT");
-  if (!paymentHeader) return null;
-  const { decodePaymentSignatureHeader } = await import("@x402/core/http");
-  return decodePaymentSignatureHeader(paymentHeader);
-}
-function invalidPaymentVerification() {
-  return { valid: false, payload: null, requirements: null, payer: null };
-}
-function decimalToAtomicUnits(amount, decimals) {
-  const match = /^(?<whole>\d+)(?:\.(?<fraction>\d+))?$/.exec(amount);
-  if (!match?.groups) {
-    throw new Error(`Invalid decimal amount '${amount}'`);
-  }
-  const whole = match.groups.whole;
-  const fraction = match.groups.fraction ?? "";
-  if (fraction.length > decimals) {
-    throw new Error(`Amount '${amount}' exceeds ${decimals} decimal places`);
-  }
-  const normalized = `${whole}${fraction.padEnd(decimals, "0")}`.replace(/^0+(?=\d)/, "");
-  return normalized === "" ? "0" : normalized;
+
+// src/pipeline/context/settle-and-finalize.ts
+async function settleAndFinalize(args) {
+  const { ctx, strategy, verifyOutcome, scope, rawResult, body, onSettleError } = args;
+  const { request, routeEntry, deps } = ctx;
+  const settle = await strategy.settle({
+    request,
+    response: scope.response,
+    payment: verifyOutcome.payment,
+    token: verifyOutcome.token,
+    routeEntry,
+    deps
+  });
+  if (!settle.ok) {
+    if (onSettleError) await onSettleError(settle.error, settle.failMessage);
+    return fail(ctx, settle.failStatus ?? 500, settle.failMessage, body);
+  }
+  await grantEntitlementIfSiwx(ctx, verifyOutcome.wallet);
+  firePluginHook(deps.plugin, "onPaymentSettled", ctx.pluginCtx, {
+    protocol: strategy.protocol,
+    payer: verifyOutcome.wallet,
+    transaction: settle.settledPayment.transaction ?? "",
+    network: settle.settledPayment.network
+  });
+  await runAfterSettle(ctx, {
+    ...scope,
+    payment: settle.settledPayment,
+    response: settle.response
+  });
+  return finalize(ctx, settle.response, rawResult, body);
 }
-async function settleX402Payment(server, payload, requirements) {
-  const { encodePaymentResponseHeader } = await import("@x402/core/http");
-  const result = await server.settlePayment(payload, requirements);
-  const encoded = encodePaymentResponseHeader(result);
-  return { encoded, result };
+
+// src/auth/normalize-wallet.ts
+function normalizeWalletAddress(address) {
+  return /^0x/i.test(address) ? address.toLowerCase() : address;
 }
 
 // src/auth/siwx.ts
@@ -934,7 +912,7 @@ function categorizeValidationError(error) {
 }
 async function verifySIWX(request, _routeEntry, nonceStore) {
   const { parseSIWxHeader, validateSIWxMessage, verifySIWxSignature } = await import("@x402/extensions/sign-in-with-x");
-  const header = request.headers.get("SIGN-IN-WITH-X");
+  const header = request.headers.get(HEADERS.SIWX);
   if (!header) {
     return { valid: false, wallet: null, code: "siwx_missing_header" };
   }
@@ -963,25 +941,52 @@ async function buildSIWXExtension() {
   return declareSIWxExtension();
 }
 
-// src/auth/mpp-siwx.ts
-import { Credential } from "mppx";
-import { isAddress, getAddress } from "viem";
-async function verifyMppSiwx(request, mppx) {
-  const result = await mppx.charge({ amount: "0" })(request);
-  if (result.status === 402) {
-    return { valid: false, challenge: result.challenge };
+// src/pipeline/context/try-siwx-fast-path.ts
+async function trySiwxFastPath(ctx, account) {
+  const { request, routeEntry, deps } = ctx;
+  if (!routeEntry.siwxEnabled) return null;
+  const siwxHeader = request.headers.get(HEADERS.SIWX);
+  if (!siwxHeader) return null;
+  const siwx = await verifySIWX(request, routeEntry, deps.nonceStore);
+  if (!siwx.valid) return null;
+  const wallet = normalizeWalletAddress(siwx.wallet);
+  ctx.pluginCtx.setVerifiedWallet(wallet);
+  const entitled = await deps.entitlementStore.has(routeEntry.key, wallet);
+  if (!entitled) return null;
+  firePluginHook(deps.plugin, "onAuthVerified", ctx.pluginCtx, {
+    authMode: "siwx",
+    wallet,
+    route: routeEntry.key
+  });
+  return runHandlerOnly(ctx, wallet, account);
+}
+
+// src/pipeline/context/should-parse-body-early.ts
+function shouldParseBodyEarly(incomingStrategy, routeEntry, pricing) {
+  if (incomingStrategy) return false;
+  if (!routeEntry.bodySchema) return false;
+  return (pricing?.needsBody ?? false) || !!routeEntry.validateFn;
+}
+
+// src/pipeline/context/protocol-init-error.ts
+function protocolInitError(routeEntry, deps) {
+  if (!routeEntry.pricing) return null;
+  const errors = [];
+  for (const protocol of routeEntry.protocols) {
+    if (protocol === "x402" && deps.x402InitError) {
+      errors.push(`x402: ${deps.x402InitError}`);
+    }
+    if (protocol === "mpp" && deps.mppInitError) {
+      errors.push(`mpp: ${deps.mppInitError}`);
+    }
   }
-  const credential = Credential.fromRequest(request);
-  const rawSource = credential?.source ?? "";
-  const didParts = rawSource.split(":");
-  const lastPart = didParts[didParts.length - 1];
-  const wallet = normalizeWalletAddress(isAddress(lastPart) ? getAddress(lastPart) : rawSource);
-  return { valid: true, wallet, withReceipt: result.withReceipt };
+  if (errors.length === 0) return null;
+  return `Payment protocol initialization failed. ${errors.join("; ")}`;
 }
 
 // src/auth/api-key.ts
 async function verifyApiKey(request, resolver) {
-  const apiKey = request.headers.get("X-API-Key") ?? extractBearerToken(request.headers.get("Authorization"));
+  const apiKey = request.headers.get(HEADERS.API_KEY) ?? extractBearerToken(request.headers.get(HEADERS.AUTHORIZATION));
   if (!apiKey) {
     return { valid: false, account: null };
   }
@@ -993,939 +998,1311 @@ async function verifyApiKey(request, resolver) {
 }
 function extractBearerToken(header) {
   if (!header) return null;
-  if (header.startsWith("Bearer ")) return header.slice(7);
+  if (header.startsWith(AUTH_SCHEME.BEARER)) return header.slice(AUTH_SCHEME.BEARER.length);
   return null;
 }
 
-// src/orchestrate.ts
-init_x402_config();
-function getRequirementNetwork(requirements, fallback) {
-  const network = requirements?.network;
-  return typeof network === "string" ? network : fallback;
-}
-function getRequirementRecipient(requirements) {
-  const payTo = requirements?.payTo;
-  return typeof payTo === "string" ? payTo : void 0;
-}
-function siwxSignatureType(network) {
-  return network.startsWith("solana:") ? "ed25519" : "eip191";
+// src/pipeline/flows/api-key-only.ts
+async function runApiKeyOnlyFlow(ctx) {
+  if (!ctx.routeEntry.apiKeyResolver) {
+    return fail(ctx, 401, "API key resolver not configured");
+  }
+  const result = await verifyApiKey(ctx.request, ctx.routeEntry.apiKeyResolver);
+  if (!result.valid) return fail(ctx, 401, "Invalid or missing API key");
+  firePluginHook(ctx.deps.plugin, "onAuthVerified", ctx.pluginCtx, {
+    authMode: "apiKey",
+    wallet: null,
+    route: ctx.routeEntry.key,
+    account: result.account
+  });
+  return runHandlerOnly(ctx, null, result.account);
 }
-function getSupportedChains(x402Accepts, fallbackNetwork) {
-  const seen = /* @__PURE__ */ new Set();
-  const chains = [];
-  for (const accept of x402Accepts) {
-    if (accept.network && !seen.has(accept.network)) {
-      seen.add(accept.network);
-      chains.push({ chainId: accept.network, type: siwxSignatureType(accept.network) });
+
+// src/pricing/dynamic.ts
+var DynamicPricing = class {
+  constructor(opts) {
+    this.opts = opts;
+  }
+  needsBody = true;
+  async quote(body) {
+    try {
+      const raw = await this.opts.fn(body);
+      return this.cap(raw, body);
+    } catch (err) {
+      this.alert("error", `Pricing function failed: ${msg(err)}`, {
+        error: err instanceof Error ? err.stack : String(err),
+        body
+      });
+      if (this.opts.maxPrice) {
+        this.alert("warn", `Using maxPrice ${this.opts.maxPrice} as fallback after pricing error`);
+        return this.opts.maxPrice;
+      }
+      throw err;
     }
   }
-  if (chains.length === 0) {
-    chains.push({ chainId: fallbackNetwork, type: siwxSignatureType(fallbackNetwork) });
+  challengeQuote(body) {
+    if (body === void 0) return Promise.resolve(this.opts.maxPrice ?? "0");
+    return this.quote(body);
   }
-  return chains;
-}
-function createRequestHandler(routeEntry, handler, deps) {
-  async function invoke(request, meta, pluginCtx, wallet, account, parsedBody, payment) {
-    const ctx = {
-      body: parsedBody,
-      query: parseQuery(request, routeEntry),
-      request,
-      requestId: meta.requestId,
-      route: routeEntry.key,
-      wallet,
-      payment,
-      account,
-      alert(level, message, alertMeta) {
-        firePluginHook(deps.plugin, "onAlert", pluginCtx, {
-          level,
-          message,
-          route: routeEntry.key,
-          meta: alertMeta
-        });
-      },
-      setVerifiedWallet: (addr) => pluginCtx.setVerifiedWallet(addr)
+  describe() {
+    return {
+      mode: "dynamic",
+      min: this.opts.minPrice ?? "0",
+      max: this.opts.maxPrice ?? "0"
     };
-    let rawResult;
-    const response = await safeCallHandler(async (c) => {
-      rawResult = await handler(c);
-      return rawResult;
-    }, ctx);
-    return { response, rawResult };
   }
-  function finalize(response, rawResult, meta, pluginCtx, requestBody) {
-    fireProviderQuota(routeEntry, response, rawResult, deps, pluginCtx);
-    firePluginResponse(deps, pluginCtx, meta, response, requestBody, rawResult);
-  }
-  function fail(status, message, meta, pluginCtx, requestBody) {
-    const response = NextResponse2.json({ success: false, error: message }, { status });
-    firePluginResponse(deps, pluginCtx, meta, response, requestBody);
-    return response;
-  }
-  return async (request) => {
-    await deps.initPromise;
-    const meta = buildMeta(request, routeEntry);
-    const pluginCtx = firePluginHook(deps.plugin, "onRequest", meta) ?? createDefaultContext(meta);
-    async function handleAuth(wallet, account2) {
-      const body2 = await parseBody(request, routeEntry);
-      if (!body2.ok) {
-        firePluginResponse(deps, pluginCtx, meta, body2.response);
-        return body2.response;
-      }
-      if (routeEntry.validateFn) {
-        try {
-          await routeEntry.validateFn(body2.data);
-        } catch (err) {
-          const status = err.status ?? 400;
-          const message = err instanceof Error ? err.message : "Validation failed";
-          return fail(status, message, meta, pluginCtx, body2.data);
-        }
-      }
-      const { response, rawResult } = await invoke(
-        request,
-        meta,
-        pluginCtx,
-        wallet,
-        account2,
-        body2.data,
-        null
-      );
-      finalize(response, rawResult, meta, pluginCtx, body2.data);
-      return response;
-    }
-    if (routeEntry.authMode === "unprotected") {
-      return handleAuth(null, void 0);
-    }
-    let account;
-    if (routeEntry.authMode === "apiKey" || routeEntry.apiKeyResolver) {
-      if (!routeEntry.apiKeyResolver) {
-        return fail(401, "API key resolver not configured", meta, pluginCtx);
-      }
-      const keyResult = await verifyApiKey(request, routeEntry.apiKeyResolver);
-      if (!keyResult.valid) {
-        return fail(401, "Invalid or missing API key", meta, pluginCtx);
-      }
-      account = keyResult.account;
-      firePluginHook(deps.plugin, "onAuthVerified", pluginCtx, {
-        authMode: "apiKey",
-        wallet: null,
-        route: routeEntry.key,
-        account
+  cap(raw, body) {
+    if (!this.opts.maxPrice) return raw;
+    const n = parseFloat(raw);
+    const max = parseFloat(this.opts.maxPrice);
+    if (!Number.isFinite(n) || n > max) {
+      this.alert("warn", `Price ${raw} exceeds maxPrice ${this.opts.maxPrice}, capping`, {
+        calculated: raw,
+        maxPrice: this.opts.maxPrice,
+        body
       });
-      if (routeEntry.authMode === "apiKey" && !routeEntry.pricing) {
-        return handleAuth(null, account);
-      }
-    }
-    const protocol = detectProtocol(request);
-    let earlyBodyData;
-    const pricingNeedsBody = routeEntry.pricing != null && typeof routeEntry.pricing !== "string";
-    const needsEarlyParse = !protocol && routeEntry.bodySchema && (pricingNeedsBody || routeEntry.validateFn);
-    if (needsEarlyParse) {
-      const requestForPricing = request.clone();
-      const earlyBodyResult = await parseBody(requestForPricing, routeEntry);
-      if (earlyBodyResult.ok) {
-        earlyBodyData = earlyBodyResult.data;
-        if (routeEntry.validateFn) {
-          try {
-            await routeEntry.validateFn(earlyBodyData);
-          } catch (err) {
-            const status = err.status ?? 400;
-            const message = err instanceof Error ? err.message : "Validation failed";
-            return fail(status, message, meta, pluginCtx, earlyBodyData);
-          }
-        }
-      } else {
-        firePluginResponse(deps, pluginCtx, meta, earlyBodyResult.response);
-        return earlyBodyResult.response;
-      }
+      return this.opts.maxPrice;
     }
-    if (routeEntry.authMode === "siwx" || routeEntry.siwxEnabled) {
-      if (routeEntry.validateFn && routeEntry.bodySchema && !request.headers.get("SIGN-IN-WITH-X")) {
-        const requestForValidation = request.clone();
-        const earlyBodyResult = await parseBody(requestForValidation, routeEntry);
-        if (earlyBodyResult.ok) {
-          try {
-            await routeEntry.validateFn(earlyBodyResult.data);
-          } catch (err) {
-            const status = err.status ?? 400;
-            const message = err instanceof Error ? err.message : "Validation failed";
-            return fail(status, message, meta, pluginCtx, earlyBodyResult.data);
-          }
-        }
-      }
-      const siwxHeader = request.headers.get("SIGN-IN-WITH-X");
-      if (!siwxHeader && protocol === "mpp" && routeEntry.authMode === "siwx" && deps.mppx) {
-        let mppSiwxResult;
-        try {
-          mppSiwxResult = await verifyMppSiwx(request, deps.mppx);
-        } catch (err) {
-          const message = err instanceof Error ? err.message : String(err);
-          firePluginHook(deps.plugin, "onAlert", pluginCtx, {
-            level: "critical",
-            message: `MPP SIWX verification failed: ${message}`,
-            route: routeEntry.key
-          });
-          return fail(500, `MPP SIWX verification failed: ${message}`, meta, pluginCtx);
-        }
-        if (mppSiwxResult.valid) {
-          pluginCtx.setVerifiedWallet(mppSiwxResult.wallet);
-          firePluginHook(deps.plugin, "onAuthVerified", pluginCtx, {
-            authMode: "siwx",
-            wallet: mppSiwxResult.wallet,
-            route: routeEntry.key
-          });
-          const authResponse = await handleAuth(mppSiwxResult.wallet, void 0);
-          if (authResponse.status < 400) {
-            return mppSiwxResult.withReceipt(authResponse);
-          }
-          return authResponse;
-        }
-      }
-      if (!siwxHeader && routeEntry.authMode === "siwx") {
-        const url = new URL(request.url);
-        const nonce = crypto.randomUUID().replace(/-/g, "");
-        const supportedChains = getSupportedChains(deps.x402Accepts, deps.network);
-        const primaryChain = supportedChains[0];
-        const siwxInfo = {
-          domain: url.hostname,
-          uri: request.url,
-          version: "1",
-          chainId: primaryChain.chainId,
-          type: primaryChain.type,
-          nonce,
-          issuedAt: (/* @__PURE__ */ new Date()).toISOString(),
-          expirationTime: new Date(Date.now() + SIWX_CHALLENGE_EXPIRY_MS).toISOString(),
-          statement: "Sign in to verify your wallet identity"
-        };
-        let siwxSchema;
-        try {
-          siwxSchema = await buildSIWXExtension();
-        } catch {
-        }
-        const paymentRequired = {
-          x402Version: 2,
-          error: "SIWX authentication required",
-          resource: {
-            url: request.url,
-            description: routeEntry.description ?? "SIWX-protected endpoint",
-            mimeType: "application/json"
-          },
-          accepts: [],
-          extensions: {
-            "sign-in-with-x": {
-              info: siwxInfo,
-              // supportedChains at top level required by MCP tools for chain detection
-              supportedChains,
-              ...siwxSchema ? { schema: siwxSchema } : {}
-            }
-          }
-        };
-        let encoded;
-        try {
-          const { encodePaymentRequiredHeader } = await import("@x402/core/http");
-          encoded = encodePaymentRequiredHeader(paymentRequired);
-        } catch (err) {
-          firePluginHook(deps.plugin, "onAlert", pluginCtx, {
-            level: "warn",
-            message: `SIWX challenge header encoding failed: ${err instanceof Error ? err.message : String(err)}`,
-            route: routeEntry.key
-          });
-        }
-        const response = new NextResponse2(JSON.stringify(paymentRequired), {
-          status: 402,
-          headers: { "Content-Type": "application/json", "Cache-Control": "no-store" }
-        });
-        if (encoded) response.headers.set("PAYMENT-REQUIRED", encoded);
-        if (deps.mppx) {
-          try {
-            const mppChallenge = await deps.mppx.charge({ amount: "0" })(request);
-            if (mppChallenge.status === 402) {
-              const wwwAuth = mppChallenge.challenge.headers.get("WWW-Authenticate");
-              if (wwwAuth) response.headers.set("WWW-Authenticate", wwwAuth);
-            }
-          } catch {
-          }
-        }
-        firePluginResponse(deps, pluginCtx, meta, response);
-        return response;
-      }
-      if (siwxHeader) {
-        const siwx = await verifySIWX(request, routeEntry, deps.nonceStore);
-        if (!siwx.valid) {
-          if (routeEntry.authMode === "siwx") {
-            const response = NextResponse2.json(
-              { error: siwx.code, message: SIWX_ERROR_MESSAGES[siwx.code] },
-              { status: 402 }
-            );
-            firePluginResponse(deps, pluginCtx, meta, response);
-            return response;
-          }
-        } else {
-          const wallet = normalizeWalletAddress(siwx.wallet);
-          pluginCtx.setVerifiedWallet(wallet);
-          if (routeEntry.authMode === "siwx") {
-            firePluginHook(deps.plugin, "onAuthVerified", pluginCtx, {
-              authMode: "siwx",
-              wallet,
-              route: routeEntry.key
-            });
-            return handleAuth(wallet, void 0);
-          }
-          if (routeEntry.siwxEnabled && routeEntry.pricing) {
-            const entitled = await deps.entitlementStore.has(routeEntry.key, wallet);
-            if (entitled) {
-              firePluginHook(deps.plugin, "onAuthVerified", pluginCtx, {
-                authMode: "siwx",
-                wallet,
-                route: routeEntry.key
-              });
-              return handleAuth(wallet, account);
-            }
-          }
-        }
-      }
-    }
-    if (!protocol || protocol === "siwx") {
-      if (routeEntry.pricing) {
-        const initErrors = routeEntry.protocols.map((p) => {
-          if (p === "x402" && deps.x402InitError) return `x402: ${deps.x402InitError}`;
-          if (p === "mpp" && deps.mppInitError) return `mpp: ${deps.mppInitError}`;
-          return null;
-        }).filter(Boolean);
-        if (initErrors.length > 0) {
-          return fail(
-            500,
-            `Payment protocol initialization failed. ${initErrors.join("; ")}`,
-            meta,
-            pluginCtx
-          );
-        }
-      }
-      return await build402(request, routeEntry, deps, meta, pluginCtx, earlyBodyData);
-    }
-    const body = await parseBody(request, routeEntry);
-    if (!body.ok) {
-      firePluginResponse(deps, pluginCtx, meta, body.response);
-      return body.response;
-    }
-    if (routeEntry.validateFn) {
+    return raw;
+  }
+  alert(level, message, meta) {
+    this.opts.alert?.(level, message, meta);
+  }
+};
+function msg(err) {
+  return err instanceof Error ? err.message : String(err);
+}
+
+// src/pricing/fixed.ts
+var FixedPricing = class {
+  constructor(price) {
+    this.price = price;
+  }
+  needsBody = false;
+  quote() {
+    return Promise.resolve(this.price);
+  }
+  challengeQuote() {
+    return Promise.resolve(this.price);
+  }
+  describe() {
+    return { mode: "fixed", amount: this.price };
+  }
+};
+
+// src/pricing/tiered.ts
+var TieredPricing = class {
+  constructor(opts) {
+    this.opts = opts;
+  }
+  needsBody = true;
+  async quote(body) {
+    const { field, tiers, default: defaultTier } = this.opts;
+    const tierKey = body != null ? String(body[field] ?? "") : "";
+    if (tierKey && tiers[tierKey]) return tiers[tierKey].price;
+    if (defaultTier && tiers[defaultTier]) return tiers[defaultTier].price;
+    if (!tierKey) {
+      throw httpError(400, `Missing required field '${field}' for tier pricing`);
+    }
+    throw httpError(
+      400,
+      `Unknown tier '${tierKey}' for field '${field}'. Valid tiers: ${Object.keys(tiers).join(", ")}`
+    );
+  }
+  challengeQuote(body) {
+    if (body !== void 0) {
       try {
-        await routeEntry.validateFn(body.data);
-      } catch (err) {
-        const status = err.status ?? 400;
-        const message = err instanceof Error ? err.message : "Validation failed";
-        return fail(status, message, meta, pluginCtx, body.data);
+        return this.quote(body);
+      } catch {
       }
     }
-    let price;
+    return Promise.resolve(this.maxTierPrice());
+  }
+  describe() {
+    return {
+      mode: "tiered",
+      tiers: Object.entries(this.opts.tiers).map(([key, tier]) => ({
+        key,
+        price: tier.price,
+        ...tier.label !== void 0 ? { label: tier.label } : {}
+      })),
+      ...this.opts.default !== void 0 ? { default: this.opts.default } : {}
+    };
+  }
+  maxTierPrice() {
+    let max = "0";
+    for (const tier of Object.values(this.opts.tiers)) {
+      if (parseFloat(tier.price) > parseFloat(max)) max = tier.price;
+    }
+    return max;
+  }
+};
+function httpError(status, message) {
+  return Object.assign(new Error(message), { status });
+}
+
+// src/pricing/index.ts
+function selectPricing(raw, deps = {}) {
+  if (raw == null) return null;
+  if (typeof raw === "string") {
+    return new FixedPricing(raw);
+  }
+  if (typeof raw === "function") {
+    return new DynamicPricing({
+      fn: raw,
+      maxPrice: deps.maxPrice,
+      minPrice: deps.minPrice,
+      route: deps.route,
+      alert: deps.alert
+    });
+  }
+  if (typeof raw === "object" && "tiers" in raw) {
+    return new TieredPricing({
+      field: raw.field,
+      tiers: raw.tiers,
+      default: raw.default,
+      maxPrice: deps.maxPrice,
+      minPrice: deps.minPrice
+    });
+  }
+  throw new Error(`Unknown pricing config: ${JSON.stringify(raw)}`);
+}
+
+// src/protocols/mpp/credential.ts
+import { Credential } from "mppx";
+import { getAddress, isAddress } from "viem";
+function readMppCredential(request) {
+  const credential = Credential.fromRequest(request);
+  if (!credential) return null;
+  const wallet = walletFromDid(credential.source ?? "");
+  const rawType = credential.payload?.type;
+  const payloadType = rawType === "transaction" ? "transaction" : rawType === "hash" ? "hash" : "unknown";
+  return { credential, wallet, payloadType };
+}
+function walletFromDid(rawSource) {
+  const parts = rawSource.split(":");
+  const last = parts[parts.length - 1];
+  return normalizeWalletAddress(isAddress(last) ? getAddress(last) : rawSource);
+}
+
+// src/protocols/mpp/transaction-mode.ts
+import { Transaction as TempoTransaction } from "viem/tempo";
+import { call as viemCall } from "viem/actions";
+
+// src/protocols/mpp/receipt.ts
+import { Receipt } from "mppx";
+function extractTxHash(receiptHeader) {
+  if (!receiptHeader) return "";
+  try {
+    return Receipt.deserialize(receiptHeader).reference;
+  } catch {
+    return "";
+  }
+}
+async function readChallengeReason(challenge) {
+  try {
+    const text = await challenge.clone().text();
+    if (!text) return "";
+    const problem = JSON.parse(text);
+    return problem.detail || problem.title || "";
+  } catch {
+    return "";
+  }
+}
+
+// src/protocols/mpp/transaction-mode.ts
+async function verifyTxMode(args, info) {
+  const { deps, price, routeEntry } = args;
+  if (!deps.tempoClient) {
+    return {
+      ok: false,
+      kind: "config",
+      message: "tempoClient not configured for MPP transaction-payload mode"
+    };
+  }
+  try {
+    const serializedTx = info.credential.payload.signature;
+    const transaction = TempoTransaction.deserialize(serializedTx);
+    await viemCall(deps.tempoClient, {
+      ...transaction,
+      account: transaction.from,
+      calls: transaction.calls ?? []
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    console.warn(`[router] ${routeEntry.key}: MPP simulation failed \u2014 ${message}`);
+    return { ok: false, kind: "invalid" };
+  }
+  const mppRecipient = deps.mppRecipient ?? deps.payeeAddress;
+  const payment = {
+    protocol: "mpp",
+    status: "verified",
+    payer: info.wallet,
+    amount: price,
+    network: "tempo:4217",
+    ...mppRecipient ? { recipient: mppRecipient } : {}
+  };
+  return {
+    ok: true,
+    wallet: info.wallet,
+    payment,
+    token: { mode: "transaction", credential: info.credential },
+    alreadySettled: false
+  };
+}
+async function settleTxMode(args) {
+  const { request, response, payment, deps, routeEntry } = args;
+  if (!deps.mppx) {
+    return {
+      ok: false,
+      error: new Error("mppx unavailable"),
+      failMessage: "MPP not initialized",
+      failStatus: 500
+    };
+  }
+  let result;
+  try {
+    result = await deps.mppx.charge({ amount: payment.amount })(request);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    console.error(`[router] ${routeEntry.key}: MPP broadcast failed after handler: ${message}`);
+    return {
+      ok: false,
+      error: err,
+      failMessage: `MPP payment processing failed: ${message}`,
+      failStatus: 500
+    };
+  }
+  if (result.status === 402) {
+    const reason = await readChallengeReason(result.challenge);
+    const detail = reason || "transaction reverted on-chain after handler execution";
+    const settlementError = Object.assign(new Error(detail), {
+      status: 402,
+      detail,
+      mppResult: result,
+      challenge: result.challenge
+    });
+    console.error(`[router] ${routeEntry.key}: MPP payment failed after handler \u2014 ${detail}`);
+    return {
+      ok: false,
+      error: settlementError,
+      failMessage: `MPP payment failed: ${detail}`,
+      failStatus: 500
+    };
+  }
+  const receiptResponse = result.withReceipt(response);
+  receiptResponse.headers.set("Cache-Control", "private");
+  const receiptHeader = receiptResponse.headers.get(HEADERS.MPP_PAYMENT_RECEIPT) ?? void 0;
+  const txHash = extractTxHash(receiptHeader);
+  const settledPayment = {
+    ...payment,
+    status: "settled",
+    ...txHash ? { transaction: txHash } : {},
+    ...receiptHeader ? { receipt: receiptHeader } : {}
+  };
+  return { ok: true, response: receiptResponse, settledPayment };
+}
+
+// src/protocols/mpp/hash-mode.ts
+async function verifyHashMode(args, info) {
+  const { deps, price, routeEntry, request } = args;
+  if (!deps.mppx) {
+    const reason = deps.mppInitError ? `MPP initialization failed: ${deps.mppInitError}` : "MPP not initialized \u2014 ensure mppx is installed and mpp config (secretKey, currency, recipient) is correct";
+    console.error(`[router] ${routeEntry.key}: ${reason}`);
+    return { ok: false, kind: "config", message: reason };
+  }
+  let chargeResult;
+  try {
+    chargeResult = await deps.mppx.charge({ amount: price })(request);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    console.error(`[router] ${routeEntry.key}: MPP charge failed: ${message}`);
+    return { ok: false, kind: "config", message: `MPP payment processing failed: ${message}` };
+  }
+  if (chargeResult.status === 402) {
+    const reason = await readChallengeReason(chargeResult.challenge);
+    const detail = reason || "credential may be invalid, or check TEMPO_RPC_URL configuration";
+    console.warn(`[router] ${routeEntry.key}: MPP credential rejected \u2014 ${detail}`);
+    return { ok: false, kind: "invalid" };
+  }
+  const receiptHeader = chargeResult.withReceipt(new Response()).headers.get(
+    HEADERS.MPP_PAYMENT_RECEIPT
+  );
+  const txHash = extractTxHash(receiptHeader);
+  const mppRecipient = deps.mppRecipient ?? deps.payeeAddress;
+  const payment = {
+    protocol: "mpp",
+    status: "settled",
+    payer: info.wallet,
+    amount: price,
+    network: "tempo:4217",
+    ...mppRecipient ? { recipient: mppRecipient } : {},
+    ...txHash ? { transaction: txHash } : {},
+    ...receiptHeader ? { receipt: receiptHeader } : {}
+  };
+  return {
+    ok: true,
+    wallet: info.wallet,
+    payment,
+    token: { mode: "hash", charge: chargeResult },
+    alreadySettled: true
+  };
+}
+function settleHashMode(args) {
+  const { response, payment, token } = args;
+  const hashToken = token;
+  const receiptResponse = hashToken.charge.withReceipt(response);
+  receiptResponse.headers.set("Cache-Control", "private");
+  return {
+    ok: true,
+    response: receiptResponse,
+    settledPayment: payment
+  };
+}
+
+// src/protocols/mpp/strategy.ts
+var mppStrategy = {
+  protocol: "mpp",
+  detects(request) {
+    const auth = request.headers.get(HEADERS.AUTHORIZATION);
+    return Boolean(auth && auth.startsWith(AUTH_SCHEME.MPP_PAYMENT));
+  },
+  async verify(args) {
+    const info = readMppCredential(args.request);
+    if (!info) return { ok: false, kind: "invalid" };
+    if (info.payloadType === "transaction" && args.deps.tempoClient) {
+      return verifyTxMode(args, info);
+    }
+    return verifyHashMode(args, info);
+  },
+  async settle(args) {
+    const token = args.token;
+    if (token.mode === "transaction") return settleTxMode(args);
+    return settleHashMode(args);
+  },
+  async buildChallenge(args) {
+    if (!args.deps.mppx) return {};
     try {
-      price = await resolvePrice(routeEntry.pricing, body.data);
+      const result = await args.deps.mppx.charge({ amount: args.price })(args.request);
+      if (result.status === 402) {
+        const wwwAuth = result.challenge.headers.get(HEADERS.WWW_AUTHENTICATE);
+        if (wwwAuth) return { headers: { [HEADERS.WWW_AUTHENTICATE]: wwwAuth } };
+      }
     } catch (err) {
-      return fail(
-        err.status ?? 500,
-        err instanceof Error ? err.message : "Price resolution failed",
-        meta,
-        pluginCtx,
-        body.data
-      );
-    }
-    if (!routeEntry.protocols.includes(protocol)) {
-      const accepted = routeEntry.protocols.join(", ") || "none";
       console.warn(
-        `[router] ${routeEntry.key}: received ${protocol} payment but route accepts [${accepted}]`
-      );
-      return fail(
-        400,
-        `This route does not accept ${protocol} payments. Accepted protocols: ${accepted}`,
-        meta,
-        pluginCtx,
-        body.data
+        `[router] MPP challenge build failed: ${err instanceof Error ? err.message : String(err)}`
       );
+      throw err;
     }
-    if (protocol === "x402") {
-      if (!deps.x402Server) {
-        const reason = deps.x402InitError ? `x402 facilitator initialization failed: ${deps.x402InitError}` : "x402 server not initialized \u2014 ensure @x402/core, @x402/evm, and @coinbase/x402 are installed";
-        console.error(`[router] ${routeEntry.key}: ${reason}`);
-        return fail(500, reason, meta, pluginCtx, body.data);
-      }
-      const accepts = await resolveX402Accepts(
-        request,
-        routeEntry,
-        deps.x402Accepts,
-        deps.payeeAddress,
-        body.data
-      );
-      const verify = await verifyX402Payment({
-        server: deps.x402Server,
-        request,
-        price,
-        accepts
-      });
-      if (!verify?.valid)
-        return await build402(request, routeEntry, deps, meta, pluginCtx, body.data);
-      const { payload: verifyPayload, requirements: verifyRequirements } = verify;
-      const matchedNetwork = getRequirementNetwork(verifyRequirements, deps.network);
-      const matchedRecipient = getRequirementRecipient(verifyRequirements);
-      const wallet = normalizeWalletAddress(verify.payer);
-      const payment = {
-        protocol: "x402",
-        status: "verified",
-        payer: wallet,
-        amount: price,
-        network: matchedNetwork,
-        ...matchedRecipient ? { recipient: matchedRecipient } : {}
-      };
-      pluginCtx.setVerifiedWallet(wallet);
-      firePluginHook(deps.plugin, "onPaymentVerified", pluginCtx, {
-        protocol: "x402",
-        payer: wallet,
-        amount: price,
-        network: matchedNetwork
-      });
-      const { response, rawResult } = await invoke(
-        request,
-        meta,
-        pluginCtx,
-        wallet,
-        account,
-        body.data,
-        payment
+    return {};
+  }
+};
+
+// src/protocols/x402/strategy.ts
+init_accepts();
+
+// src/protocols/x402/challenge.ts
+init_facilitators();
+init_solana();
+
+// src/protocols/x402/requirements.ts
+init_evm();
+init_solana();
+async function buildExpectedRequirements(server, request, price, accepts) {
+  const exactRequirements = await buildExactRequirements(server, request, price, accepts);
+  const customRequirements = buildCustomRequirements(price, accepts);
+  return [...exactRequirements, ...customRequirements];
+}
+async function buildExactRequirements(server, request, price, accepts) {
+  const exactGroups = [
+    buildEvmExactOptions(accepts, price),
+    buildSolanaExactOptions(accepts, price)
+  ].filter((options) => options.length > 0);
+  if (exactGroups.length === 0) return [];
+  const requirements = [];
+  const failures = [];
+  for (const options of exactGroups) {
+    try {
+      requirements.push(
+        ...await server.buildPaymentRequirementsFromOptions(options, { request })
       );
-      if (response.status < 400) {
-        try {
-          const settle = await settleX402Payment(
-            deps.x402Server,
-            verifyPayload,
-            verifyRequirements
-          );
-          if (!settle.result?.success) {
-            const reason = settle.result?.errorReason || "x402 settlement returned success=false";
-            const error = new Error(reason);
-            error.errorReason = reason;
-            throw error;
-          }
-          if (routeEntry.siwxEnabled) {
-            try {
-              await deps.entitlementStore.grant(routeEntry.key, wallet);
-            } catch (error) {
-              firePluginHook(deps.plugin, "onAlert", pluginCtx, {
-                level: "warn",
-                message: `Entitlement grant failed: ${error instanceof Error ? error.message : String(error)}`,
-                route: routeEntry.key
-              });
-            }
-          }
-          response.headers.set("PAYMENT-RESPONSE", settle.encoded);
-          response.headers.set("Cache-Control", "private");
-          firePluginHook(deps.plugin, "onPaymentSettled", pluginCtx, {
-            protocol: "x402",
-            payer: verify.payer,
-            transaction: String(settle.result?.transaction ?? ""),
-            network: matchedNetwork
-          });
-        } catch (err) {
-          const errObj = err;
-          console.error("Settlement failed", {
-            message: err instanceof Error ? err.message : String(err),
-            route: routeEntry.key,
-            network: matchedNetwork,
-            errorReason: errObj.errorReason,
-            facilitatorStatus: errObj.response?.status,
-            facilitatorBody: errObj.response?.data ?? errObj.response?.body
-          });
-          firePluginHook(deps.plugin, "onAlert", pluginCtx, {
-            level: "critical",
-            message: `Settlement failed: ${err instanceof Error ? err.message : String(err)}`,
-            route: routeEntry.key
-          });
-          return fail(500, "Settlement failed", meta, pluginCtx, body.data);
-        }
-      }
-      finalize(response, rawResult, meta, pluginCtx, body.data);
-      return response;
-    }
-    if (protocol === "mpp") {
-      if (!deps.mppx) {
-        const reason = deps.mppInitError ? `MPP initialization failed: ${deps.mppInitError}` : "MPP not initialized \u2014 ensure mppx is installed and mpp config (secretKey, currency, recipient) is correct";
-        console.error(`[router] ${routeEntry.key}: ${reason}`);
-        return fail(500, reason, meta, pluginCtx, body.data);
-      }
-      const mppCredential = Credential2.fromRequest(request);
-      const rawSource = mppCredential?.source ?? "";
-      const didParts = rawSource.split(":");
-      const lastPart = didParts[didParts.length - 1];
-      const wallet = normalizeWalletAddress(isAddress2(lastPart) ? getAddress2(lastPart) : rawSource);
-      const payloadType = mppCredential?.payload?.type;
-      if (payloadType === "transaction" && deps.tempoClient) {
-        try {
-          const serializedTx = mppCredential.payload.signature;
-          const transaction = TempoTransaction.deserialize(serializedTx);
-          await viemCall(deps.tempoClient, {
-            ...transaction,
-            account: transaction.from,
-            calls: transaction.calls ?? []
-          });
-        } catch (err) {
-          const message = err instanceof Error ? err.message : String(err);
-          console.warn(`[router] ${routeEntry.key}: MPP simulation failed \u2014 ${message}`);
-          firePluginHook(deps.plugin, "onAlert", pluginCtx, {
-            level: "warn",
-            message: `MPP simulation failed: ${message}`,
-            route: routeEntry.key
-          });
-          return await build402(request, routeEntry, deps, meta, pluginCtx, body.data);
-        }
-        pluginCtx.setVerifiedWallet(wallet);
-        firePluginHook(deps.plugin, "onPaymentVerified", pluginCtx, {
-          protocol: "mpp",
-          payer: wallet,
-          amount: price,
-          network: "tempo:4217"
-        });
-        const { response: response2, rawResult: rawResult2 } = await invoke(
-          request,
-          meta,
-          pluginCtx,
-          wallet,
-          account,
-          body.data,
-          {
-            protocol: "mpp",
-            status: "verified",
-            payer: wallet,
-            amount: price,
-            network: "tempo:4217",
-            recipient: deps.payeeAddress
-          }
-        );
-        if (response2.status < 400) {
-          let mppResult2;
-          try {
-            mppResult2 = await deps.mppx.charge({ amount: price })(request);
-          } catch (err) {
-            const message = err instanceof Error ? err.message : String(err);
-            console.error(
-              `[router] ${routeEntry.key}: MPP broadcast failed after handler: ${message}`
-            );
-            firePluginHook(deps.plugin, "onAlert", pluginCtx, {
-              level: "critical",
-              message: `MPP broadcast failed after handler: ${message}`,
-              route: routeEntry.key
-            });
-            return fail(
-              500,
-              `MPP payment processing failed: ${message}`,
-              meta,
-              pluginCtx,
-              body.data
-            );
-          }
-          if (mppResult2.status === 402) {
-            let rejectReason = "";
-            try {
-              const problemBody = await mppResult2.challenge.clone().text();
-              if (problemBody) {
-                const problem = JSON.parse(problemBody);
-                rejectReason = problem.detail || problem.title || "";
-              }
-            } catch {
-            }
-            const detail = rejectReason || "transaction reverted on-chain after handler execution";
-            console.error(
-              `[router] ${routeEntry.key}: MPP payment failed after handler \u2014 ${detail}`
-            );
-            firePluginHook(deps.plugin, "onAlert", pluginCtx, {
-              level: "critical",
-              message: `MPP payment failed after handler: ${detail}`,
-              route: routeEntry.key
-            });
-            return fail(500, `MPP payment failed: ${detail}`, meta, pluginCtx, body.data);
-          }
-          const receiptResponse = mppResult2.withReceipt(response2);
-          receiptResponse.headers.set("Cache-Control", "private");
-          let txHash2 = "";
-          const receiptHeader2 = receiptResponse.headers.get("Payment-Receipt");
-          if (receiptHeader2) {
-            try {
-              txHash2 = Receipt.deserialize(receiptHeader2).reference;
-            } catch {
-            }
-          }
-          if (routeEntry.siwxEnabled) {
-            try {
-              await deps.entitlementStore.grant(routeEntry.key, wallet);
-            } catch (error) {
-              firePluginHook(deps.plugin, "onAlert", pluginCtx, {
-                level: "warn",
-                message: `Entitlement grant failed: ${error instanceof Error ? error.message : String(error)}`,
-                route: routeEntry.key
-              });
-            }
-          }
-          firePluginHook(deps.plugin, "onPaymentSettled", pluginCtx, {
-            protocol: "mpp",
-            payer: wallet,
-            transaction: txHash2,
-            network: "tempo:4217"
-          });
-          finalize(receiptResponse, rawResult2, meta, pluginCtx, body.data);
-          return receiptResponse;
-        }
-        finalize(response2, rawResult2, meta, pluginCtx, body.data);
-        return response2;
+    } catch (error) {
+      const err = error instanceof Error ? error : new Error(String(error));
+      failures.push(err);
+      if (exactGroups.length === 1) {
+        throw err;
       }
-      let mppResult;
+      console.warn(
+        `[router] Failed to build x402 exact requirements for ${options[0]?.network}: ${err.message}`
+      );
+    }
+  }
+  if (requirements.length > 0) {
+    return requirements;
+  }
+  throw failures[0] ?? new Error("Failed to build x402 exact requirements");
+}
+function buildCustomRequirements(price, accepts) {
+  return accepts.filter((accept) => accept.scheme !== "exact").map((accept) => buildCustomRequirement(price, accept));
+}
+function buildCustomRequirement(price, accept) {
+  if (!accept.asset) {
+    throw new Error(
+      `Custom x402 accept '${accept.scheme}' on '${accept.network}' is missing asset`
+    );
+  }
+  return {
+    scheme: accept.scheme,
+    network: accept.network,
+    amount: decimalToAtomicUnits(price, accept.decimals ?? 6),
+    asset: accept.asset,
+    payTo: accept.payTo,
+    maxTimeoutSeconds: accept.maxTimeoutSeconds ?? 300,
+    extra: accept.extra ?? {}
+  };
+}
+function decimalToAtomicUnits(amount, decimals) {
+  const match = /^(?<whole>\d+)(?:\.(?<fraction>\d+))?$/.exec(amount);
+  if (!match?.groups) {
+    throw new Error(`Invalid decimal amount '${amount}'`);
+  }
+  const whole = match.groups.whole;
+  const fraction = match.groups.fraction ?? "";
+  if (fraction.length > decimals) {
+    throw new Error(`Amount '${amount}' exceeds ${decimals} decimal places`);
+  }
+  const normalized = `${whole}${fraction.padEnd(decimals, "0")}`.replace(/^0+(?=\d)/, "");
+  return normalized === "" ? "0" : normalized;
+}
+
+// src/protocols/x402/challenge.ts
+async function buildX402Challenge(opts) {
+  const { server, routeEntry, request, price, accepts, facilitatorsByNetwork, extensions } = opts;
+  const { encodePaymentRequiredHeader } = await import("@x402/core/http");
+  const resource = buildChallengeResource(request, routeEntry);
+  const requirements = await buildChallengeRequirements(
+    server,
+    request,
+    price,
+    accepts,
+    resource,
+    facilitatorsByNetwork
+  );
+  const paymentRequired = await server.createPaymentRequiredResponse(
+    requirements,
+    resource,
+    void 0,
+    extensions
+  );
+  const encoded = encodePaymentRequiredHeader(paymentRequired);
+  return { encoded, requirements };
+}
+async function buildChallengeRequirements(server, request, price, accepts, resource, facilitatorsByNetwork) {
+  const requirements = await buildExpectedRequirements(server, request, price, accepts);
+  if (!needsFacilitatorEnrichment(accepts)) return requirements;
+  return enrichChallengeRequirements(requirements, resource, facilitatorsByNetwork);
+}
+function needsFacilitatorEnrichment(accepts) {
+  return accepts.some((accept) => accept.scheme !== "exact") || hasSolanaAccepts(accepts);
+}
+async function enrichGroup(group, resource) {
+  const accepted = await enrichRequirementsWithFacilitatorAccepts(
+    group.facilitator,
+    resource,
+    group.items.map(({ requirement }) => requirement)
+  );
+  if (accepted.length !== group.items.length) {
+    throw new Error(
+      `Facilitator /accepts returned ${accepted.length} requirements for ${group.items.length} inputs on ${group.facilitator.url ?? group.facilitator.network}`
+    );
+  }
+  return accepted;
+}
+async function enrichChallengeRequirements(requirements, resource, facilitatorsByNetwork) {
+  const groups = collectEnrichmentGroups(requirements, facilitatorsByNetwork);
+  if (groups.length === 0) return requirements;
+  const results = await Promise.all(
+    groups.map(async (group) => {
       try {
-        mppResult = await deps.mppx.charge({ amount: price })(request);
+        return { success: true, group, accepted: await enrichGroup(group, resource) };
       } catch (err) {
-        const message = err instanceof Error ? err.message : String(err);
-        console.error(`[router] ${routeEntry.key}: MPP charge failed: ${message}`);
-        firePluginHook(deps.plugin, "onAlert", pluginCtx, {
-          level: "critical",
-          message: `MPP charge failed: ${message}`,
-          route: routeEntry.key
-        });
-        return fail(500, `MPP payment processing failed: ${message}`, meta, pluginCtx, body.data);
+        const label = group.facilitator.url ?? group.facilitator.network;
+        const reason = err instanceof Error ? err.message : String(err);
+        console.warn(
+          `[router] ${label} /accepts failed, dropping ${group.items.length} requirement(s): ${reason}`
+        );
+        return { success: false, group };
       }
-      if (mppResult.status === 402) {
-        let rejectReason = "";
-        try {
-          const problemBody = await mppResult.challenge.clone().text();
-          if (problemBody) {
-            const problem = JSON.parse(problemBody);
-            rejectReason = problem.detail || problem.title || "";
-          }
-        } catch {
-        }
-        const detail = rejectReason || "credential may be invalid, or check TEMPO_RPC_URL configuration";
-        console.warn(`[router] ${routeEntry.key}: MPP credential rejected \u2014 ${detail}`);
-        firePluginHook(deps.plugin, "onAlert", pluginCtx, {
-          level: "warn",
-          message: `MPP payment rejected: ${detail}`,
-          route: routeEntry.key
-        });
-        return await build402(request, routeEntry, deps, meta, pluginCtx, body.data);
+    })
+  );
+  const enriched = [...requirements];
+  results.filter((r) => r.success).forEach(({ group, accepted }) => {
+    accepted.forEach((req, offset) => {
+      const index = group.items[offset]?.index;
+      if (index !== void 0) enriched[index] = req;
+    });
+  });
+  const failedIndices = new Set(
+    results.filter((r) => !r.success).flatMap(({ group }) => group.items.map(({ index }) => index))
+  );
+  const remaining = enriched.filter((_, i) => !failedIndices.has(i));
+  if (remaining.length === 0) {
+    throw new Error(
+      "All facilitator enrichments failed; no payment requirements remain for challenge"
+    );
+  }
+  return remaining;
+}
+function collectEnrichmentGroups(requirements, facilitatorsByNetwork) {
+  const groups = [];
+  requirements.forEach((requirement, index) => {
+    if (!requiresFacilitatorEnrichment(requirement)) return;
+    const facilitator = getRequiredFacilitator(requirement, facilitatorsByNetwork);
+    const existing = groups.find(
+      (group) => sameResolvedX402Facilitator(group.facilitator, facilitator)
+    );
+    if (existing) {
+      existing.items.push({ index, requirement });
+      return;
+    }
+    groups.push({
+      facilitator,
+      items: [{ index, requirement }]
+    });
+  });
+  return groups;
+}
+function getRequiredFacilitator(requirement, facilitatorsByNetwork) {
+  const facilitator = getFacilitatorForRequirement(facilitatorsByNetwork, requirement);
+  if (!facilitator) {
+    throw new Error(
+      `Missing x402 facilitator for ${requirement.scheme} requirement on ${requirement.network}`
+    );
+  }
+  return facilitator;
+}
+function requiresFacilitatorEnrichment(requirement) {
+  return requirement.scheme !== "exact" || isSolanaRequirement(requirement);
+}
+function buildChallengeResource(request, routeEntry) {
+  return {
+    url: request.url,
+    method: routeEntry.method,
+    description: routeEntry.description,
+    mimeType: "application/json"
+  };
+}
+
+// src/protocols/x402/settle.ts
+async function settleX402Payment(server, payload, requirements) {
+  const { encodePaymentResponseHeader } = await import("@x402/core/http");
+  const result = await server.settlePayment(payload, requirements);
+  const encoded = encodePaymentResponseHeader(result);
+  return { encoded, result };
+}
+
+// src/protocols/x402/verify.ts
+async function verifyX402Payment(opts) {
+  const { server, request, price, accepts } = opts;
+  const payload = await readPaymentPayload(request);
+  if (!payload) return null;
+  const requirements = await buildExpectedRequirements(server, request, price, accepts);
+  const matching = findVerifiableRequirements(server, requirements, payload);
+  if (!matching) {
+    return invalidPaymentVerification();
+  }
+  let verify;
+  try {
+    verify = await server.verifyPayment(payload, matching);
+  } catch (err) {
+    const sc = err.statusCode;
+    if (sc && sc >= 400 && sc < 500) return invalidPaymentVerification();
+    throw err;
+  }
+  if (!verify.isValid) return invalidPaymentVerification();
+  if (typeof verify.payer !== "string" || verify.payer.length === 0) {
+    throw new Error("x402 verification succeeded without a payer address");
+  }
+  return {
+    valid: true,
+    payer: verify.payer,
+    payload,
+    requirements: matching
+  };
+}
+function findVerifiableRequirements(server, requirements, payload) {
+  const strictMatch = server.findMatchingRequirements(requirements, payload);
+  if (strictMatch) {
+    return payload.x402Version === 2 ? payload.accepted : strictMatch;
+  }
+  if (payload.x402Version !== 2) {
+    return null;
+  }
+  const stableMatch = requirements.find(
+    (requirement) => matchesStableFields(requirement, payload.accepted)
+  );
+  return stableMatch ? payload.accepted : null;
+}
+function matchesStableFields(requirement, accepted) {
+  return requirement.scheme === accepted.scheme && requirement.network === accepted.network && requirement.payTo === accepted.payTo && requirement.asset === accepted.asset && requirement.amount === accepted.amount && requirement.maxTimeoutSeconds === accepted.maxTimeoutSeconds;
+}
+async function readPaymentPayload(request) {
+  const paymentHeader = request.headers.get(HEADERS.X402_PAYMENT_SIGNATURE) ?? request.headers.get(HEADERS.X402_PAYMENT_LEGACY);
+  if (!paymentHeader) return null;
+  const { decodePaymentSignatureHeader } = await import("@x402/core/http");
+  return decodePaymentSignatureHeader(paymentHeader);
+}
+function invalidPaymentVerification() {
+  return { valid: false, payload: null, requirements: null, payer: null };
+}
+
+// src/protocols/x402/strategy.ts
+var x402Strategy = {
+  protocol: "x402",
+  detects(request) {
+    return Boolean(
+      request.headers.get(HEADERS.X402_PAYMENT_SIGNATURE) ?? request.headers.get(HEADERS.X402_PAYMENT_LEGACY)
+    );
+  },
+  async verify(args) {
+    const { request, body, price, routeEntry, deps } = args;
+    if (!deps.x402Server) {
+      const reason = deps.x402InitError ? `x402 facilitator initialization failed: ${deps.x402InitError}` : "x402 server not initialized \u2014 ensure @x402/core, @x402/evm, and @coinbase/x402 are installed";
+      console.error(`[router] ${routeEntry.key}: ${reason}`);
+      return { ok: false, kind: "config", message: reason };
+    }
+    const accepts = await resolveX402Accepts(
+      request,
+      routeEntry,
+      deps.x402Accepts,
+      deps.payeeAddress,
+      body
+    );
+    const verifyResult = await verifyX402Payment({
+      server: deps.x402Server,
+      request,
+      price,
+      accepts
+    });
+    if (!verifyResult?.valid) return { ok: false, kind: "invalid" };
+    const wallet = normalizeWalletAddress(verifyResult.payer);
+    const matchedNetwork = getRequirementNetwork(verifyResult.requirements, deps.network);
+    const matchedRecipient = getRequirementRecipient(verifyResult.requirements);
+    const payment = {
+      protocol: "x402",
+      status: "verified",
+      payer: wallet,
+      amount: price,
+      network: matchedNetwork,
+      ...matchedRecipient ? { recipient: matchedRecipient } : {}
+    };
+    return {
+      ok: true,
+      wallet,
+      payment,
+      token: {
+        payload: verifyResult.payload,
+        requirements: verifyResult.requirements
       }
-      let txHash = "";
-      const receiptHeader = mppResult.withReceipt(new Response()).headers.get(
-        "Payment-Receipt"
+    };
+  },
+  async settle(args) {
+    const { response, payment, token, deps } = args;
+    const x402Token = token;
+    try {
+      const settle = await settleX402Payment(
+        deps.x402Server,
+        x402Token.payload,
+        x402Token.requirements
       );
-      if (receiptHeader) {
-        try {
-          txHash = Receipt.deserialize(receiptHeader).reference;
-        } catch {
-        }
+      if (!settle.result?.success) {
+        const reason = settle.result?.errorReason || "x402 settlement returned success=false";
+        const error = new Error(reason);
+        error.errorReason = reason;
+        throw error;
       }
-      pluginCtx.setVerifiedWallet(wallet);
-      firePluginHook(deps.plugin, "onPaymentVerified", pluginCtx, {
-        protocol: "mpp",
-        payer: wallet,
-        amount: price,
-        network: "tempo:4217"
+      response.headers.set(HEADERS.X402_PAYMENT_RESPONSE, settle.encoded);
+      response.headers.set("Cache-Control", "private");
+      const transaction = String(settle.result?.transaction ?? "");
+      const settledPayment = {
+        ...payment,
+        status: "settled",
+        ...transaction ? { transaction } : {}
+      };
+      return { ok: true, response, settledPayment };
+    } catch (err) {
+      const errObj = err;
+      console.error("Settlement failed", {
+        message: err instanceof Error ? err.message : String(err),
+        route: args.routeEntry.key,
+        network: payment.network,
+        errorReason: errObj.errorReason,
+        facilitatorStatus: errObj.response?.status,
+        facilitatorBody: errObj.response?.data ?? errObj.response?.body
       });
-      const { response, rawResult } = await invoke(
-        request,
-        meta,
-        pluginCtx,
-        wallet,
-        account,
-        body.data,
-        {
-          protocol: "mpp",
-          status: "settled",
-          payer: wallet,
-          amount: price,
-          network: "tempo:4217",
-          recipient: deps.payeeAddress,
-          ...txHash ? { transaction: txHash } : {},
-          ...receiptHeader ? { receipt: receiptHeader } : {}
-        }
-      );
-      if (response.status < 400) {
-        if (routeEntry.siwxEnabled) {
-          try {
-            await deps.entitlementStore.grant(routeEntry.key, wallet);
-          } catch (error) {
-            firePluginHook(deps.plugin, "onAlert", pluginCtx, {
-              level: "warn",
-              message: `Entitlement grant failed: ${error instanceof Error ? error.message : String(error)}`,
-              route: routeEntry.key
-            });
-          }
+      return { ok: false, error: err, failMessage: "Settlement failed" };
+    }
+  },
+  async buildChallenge(args) {
+    const { request, routeEntry, body, price, extensions, deps } = args;
+    if (!deps.x402Server) return {};
+    const accepts = await resolveX402Accepts(
+      request,
+      routeEntry,
+      deps.x402Accepts,
+      deps.payeeAddress,
+      body
+    );
+    const { encoded } = await buildX402Challenge({
+      server: deps.x402Server,
+      routeEntry,
+      request,
+      price,
+      accepts,
+      facilitatorsByNetwork: deps.x402FacilitatorsByNetwork,
+      extensions
+    });
+    return { headers: { [HEADERS.X402_PAYMENT_REQUIRED]: encoded } };
+  }
+};
+function getRequirementNetwork(requirements, fallback) {
+  const network = requirements?.network;
+  return typeof network === "string" ? network : fallback;
+}
+function getRequirementRecipient(requirements) {
+  const payTo = requirements?.payTo;
+  return typeof payTo === "string" ? payTo : void 0;
+}
+
+// src/protocols/detect.ts
+function detectProtocol(request) {
+  if (request.headers.get(HEADERS.X402_PAYMENT_SIGNATURE) ?? request.headers.get(HEADERS.X402_PAYMENT_LEGACY)) {
+    return "x402";
+  }
+  const auth = request.headers.get(HEADERS.AUTHORIZATION);
+  if (auth && auth.startsWith(AUTH_SCHEME.MPP_PAYMENT)) {
+    return "mpp";
+  }
+  if (request.headers.get(HEADERS.SIWX)) {
+    return "siwx";
+  }
+  return null;
+}
+
+// src/protocols/index.ts
+var STRATEGIES = {
+  x402: x402Strategy,
+  mpp: mppStrategy
+};
+function selectIncomingStrategy(request, allowed) {
+  for (const name of allowed) {
+    const strategy = STRATEGIES[name];
+    if (strategy.detects(request)) return strategy;
+  }
+  return null;
+}
+function getAllowedStrategies(allowed) {
+  return allowed.map((name) => STRATEGIES[name]);
+}
+
+// src/pipeline/challenge.ts
+import { NextResponse as NextResponse4 } from "next/server";
+async function build402(ctx, pricing, body) {
+  let challengePrice;
+  try {
+    challengePrice = pricing ? await pricing.challengeQuote(body) : "0";
+  } catch (err) {
+    const message = errorMessage(err, "Price calculation failed");
+    const errorResponse = NextResponse4.json(
+      { success: false, error: message },
+      { status: errorStatus(err, 500) }
+    );
+    firePluginResponse(ctx, errorResponse);
+    return errorResponse;
+  }
+  const extensions = await buildChallengeExtensions(ctx);
+  const response = new NextResponse4(null, {
+    status: 402,
+    headers: {
+      "Content-Type": "application/json",
+      "Cache-Control": "no-store"
+    }
+  });
+  for (const strategy of getAllowedStrategies(ctx.routeEntry.protocols)) {
+    try {
+      const contribution = await strategy.buildChallenge({
+        request: ctx.request,
+        routeEntry: ctx.routeEntry,
+        body,
+        price: challengePrice,
+        extensions,
+        deps: ctx.deps
+      });
+      if (contribution.headers) {
+        for (const [name, value] of Object.entries(contribution.headers)) {
+          response.headers.set(name, value);
         }
-        const receiptResponse = mppResult.withReceipt(response);
-        receiptResponse.headers.set("Cache-Control", "private");
-        firePluginHook(deps.plugin, "onPaymentSettled", pluginCtx, {
-          protocol: "mpp",
-          payer: wallet,
-          transaction: txHash,
-          network: "tempo:4217"
-        });
-        finalize(receiptResponse, rawResult, meta, pluginCtx, body.data);
-        return receiptResponse;
       }
-      finalize(response, rawResult, meta, pluginCtx, body.data);
-      return response;
+    } catch (err) {
+      const message = `${strategy.protocol} challenge build failed: ${errorMessage(err, String(err))}`;
+      firePluginHook(ctx.deps.plugin, "onAlert", ctx.pluginCtx, {
+        level: "critical",
+        message,
+        route: ctx.routeEntry.key
+      });
+      if (strategy.protocol === "x402") {
+        const errorResponse = NextResponse4.json(
+          { success: false, error: message },
+          { status: 500 }
+        );
+        firePluginResponse(ctx, errorResponse);
+        return errorResponse;
+      }
     }
-    return await build402(request, routeEntry, deps, meta, pluginCtx, body.data);
-  };
+  }
+  firePluginResponse(ctx, response);
+  return response;
 }
-async function parseBody(request, routeEntry) {
-  if (!routeEntry.bodySchema) return { ok: true, data: void 0 };
-  const raw = await bufferBody(request);
-  const result = validateBody(raw, routeEntry.bodySchema);
-  if (result.success) return { ok: true, data: result.data };
-  return {
-    ok: false,
-    response: NextResponse2.json(
-      { success: false, error: result.error, issues: result.issues },
-      { status: 400 }
-    )
+async function buildChallengeExtensions(ctx) {
+  const { routeEntry } = ctx;
+  let extensions;
+  try {
+    const { z } = await import("zod");
+    const { declareDiscoveryExtension } = await import("@x402/extensions/bazaar");
+    const toJSON = (schema) => z.toJSONSchema(schema, {
+      target: "draft-2020-12",
+      unrepresentable: "any"
+    });
+    const inputSchema = routeEntry.bodySchema ? toJSON(routeEntry.bodySchema) : routeEntry.querySchema ? toJSON(routeEntry.querySchema) : void 0;
+    const outputSchema = routeEntry.outputSchema ? toJSON(routeEntry.outputSchema) : void 0;
+    if (inputSchema) {
+      const config = {
+        method: routeEntry.method,
+        bodyType: routeEntry.bodySchema ? "json" : void 0,
+        inputSchema
+      };
+      if (routeEntry.inputExample !== void 0) {
+        config.input = routeEntry.inputExample;
+      }
+      if (outputSchema && routeEntry.outputExample !== void 0) {
+        config.output = { schema: outputSchema, example: routeEntry.outputExample };
+      }
+      extensions = declareDiscoveryExtension(config);
+    }
+  } catch (err) {
+    firePluginHook(ctx.deps.plugin, "onAlert", ctx.pluginCtx, {
+      level: "warn",
+      message: `Bazaar schema generation failed: ${err instanceof Error ? err.message : String(err)}`,
+      route: routeEntry.key
+    });
+  }
+  if (routeEntry.siwxEnabled) {
+    try {
+      const siwxExtension = await buildSIWXExtension();
+      if (siwxExtension && typeof siwxExtension === "object" && !Array.isArray(siwxExtension)) {
+        extensions = {
+          ...extensions ?? {},
+          ...siwxExtension
+        };
+      }
+    } catch {
+    }
+  }
+  return extensions;
+}
+
+// src/pipeline/flows/paid.ts
+async function runPaidFlow(ctx) {
+  const { request, routeEntry, deps } = ctx;
+  let account = void 0;
+  if (routeEntry.apiKeyResolver) {
+    const apiKeyResult = await verifyApiKey(request, routeEntry.apiKeyResolver);
+    if (!apiKeyResult.valid) return fail(ctx, 401, "Invalid or missing API key");
+    account = apiKeyResult.account;
+    firePluginHook(deps.plugin, "onAuthVerified", ctx.pluginCtx, {
+      authMode: "apiKey",
+      wallet: null,
+      route: routeEntry.key,
+      account
+    });
+  }
+  const alertFn = (level, message, meta) => {
+    firePluginHook(deps.plugin, "onAlert", ctx.pluginCtx, {
+      level,
+      message,
+      route: routeEntry.key,
+      meta
+    });
   };
+  const pricing = selectPricing(routeEntry.pricing, {
+    alert: alertFn,
+    maxPrice: routeEntry.maxPrice,
+    minPrice: routeEntry.minPrice,
+    route: routeEntry.key
+  });
+  const incomingStrategy = selectIncomingStrategy(request, routeEntry.protocols);
+  let earlyBody = void 0;
+  if (shouldParseBodyEarly(incomingStrategy, routeEntry, pricing)) {
+    const earlyClone = request.clone();
+    const earlyResult = await parseBody(earlyClone, routeEntry);
+    if (earlyResult.ok) {
+      earlyBody = earlyResult.data;
+      const validateErr2 = await runValidate(ctx, earlyBody);
+      if (validateErr2) return validateErr2;
+    } else {
+      firePluginResponse(ctx, earlyResult.response);
+      return earlyResult.response;
+    }
+  }
+  const siwxFastPath = await trySiwxFastPath(ctx, account);
+  if (siwxFastPath) return siwxFastPath;
+  if (!incomingStrategy) {
+    const initError = protocolInitError(routeEntry, deps);
+    if (initError) return fail(ctx, 500, initError);
+    return build402(ctx, pricing, earlyBody);
+  }
+  const body = await parseBody(request, routeEntry);
+  if (!body.ok) {
+    firePluginResponse(ctx, body.response);
+    return body.response;
+  }
+  const validateErr = await runValidate(ctx, body.data);
+  if (validateErr) return validateErr;
+  if (!pricing) {
+    return fail(ctx, 500, "Pricing not configured", body.data);
+  }
+  let price;
+  try {
+    price = await pricing.quote(body.data);
+  } catch (err) {
+    return fail(
+      ctx,
+      errorStatus(err, 500),
+      errorMessage(err, "Price calculation failed"),
+      body.data
+    );
+  }
+  const verifyOutcome = await incomingStrategy.verify({
+    request,
+    body: body.data,
+    price,
+    routeEntry,
+    deps
+  });
+  if (verifyOutcome.ok === false) {
+    if (verifyOutcome.kind === "config") {
+      return fail(ctx, 500, verifyOutcome.message, body.data);
+    }
+    return build402(ctx, pricing, body.data);
+  }
+  ctx.pluginCtx.setVerifiedWallet(verifyOutcome.wallet);
+  firePluginHook(deps.plugin, "onPaymentVerified", ctx.pluginCtx, {
+    protocol: incomingStrategy.protocol,
+    payer: verifyOutcome.wallet,
+    amount: price,
+    network: verifyOutcome.payment.network
+  });
+  const result = await invoke(ctx, verifyOutcome.wallet, account, body.data, verifyOutcome.payment);
+  const settleScope = {
+    wallet: verifyOutcome.wallet,
+    account,
+    body: body.data,
+    payment: verifyOutcome.payment,
+    response: result.response,
+    rawResult: result.rawResult,
+    handlerError: result.handlerError
+  };
+  if (verifyOutcome.alreadySettled) {
+    if (result.response.status >= 400) {
+      const settledScope = settleScope;
+      await runSettledHandlerError(ctx, settledScope);
+      return finalize(ctx, result.response, result.rawResult, body.data);
+    }
+    return settleAndFinalize({
+      ctx,
+      strategy: incomingStrategy,
+      verifyOutcome,
+      scope: settleScope,
+      rawResult: result.rawResult,
+      body: body.data
+    });
+  }
+  if (result.response.status >= 400) {
+    return finalize(ctx, result.response, result.rawResult, body.data);
+  }
+  const beforeErr = await runBeforeSettle(ctx, settleScope);
+  if (beforeErr) return beforeErr;
+  return settleAndFinalize({
+    ctx,
+    strategy: incomingStrategy,
+    verifyOutcome,
+    scope: settleScope,
+    rawResult: result.rawResult,
+    body: body.data,
+    onSettleError: async (error, failMessage) => {
+      await runSettlementError(ctx, settleScope, error, "settle");
+      firePluginHook(deps.plugin, "onAlert", ctx.pluginCtx, {
+        level: "critical",
+        message: `${incomingStrategy.protocol} ${failMessage}: ${errorMessage(error, "unknown")}`,
+        route: routeEntry.key
+      });
+    }
+  });
+}
+
+// src/pipeline/flows/siwx-only.ts
+import { NextResponse as NextResponse5 } from "next/server";
+
+// src/auth/nonce.ts
+var SIWX_CHALLENGE_EXPIRY_MS = 5 * 60 * 1e3;
+var MemoryNonceStore = class {
+  seen = /* @__PURE__ */ new Map();
+  async check(nonce) {
+    this.evict();
+    if (this.seen.has(nonce)) return false;
+    this.seen.set(nonce, Date.now() + SIWX_CHALLENGE_EXPIRY_MS);
+    return true;
+  }
+  evict() {
+    const now = Date.now();
+    for (const [n, exp] of this.seen) {
+      if (exp < now) this.seen.delete(n);
+    }
+  }
+};
+function detectRedisClientType(client) {
+  if (!client || typeof client !== "object") {
+    throw new Error(
+      "createRedisNonceStore requires a Redis client. Supported: @upstash/redis, ioredis. Pass your Redis client instance as the first argument."
+    );
+  }
+  if ("options" in client && "status" in client) {
+    return "ioredis";
+  }
+  const constructor = client.constructor?.name;
+  if (constructor === "Redis" && "url" in client) {
+    return "upstash";
+  }
+  if (typeof client.set === "function") {
+    return "upstash";
+  }
+  throw new Error(
+    "Unrecognized Redis client. Supported: @upstash/redis, ioredis. If using a different client, implement NonceStore interface directly."
+  );
 }
-function buildMeta(request, routeEntry) {
+function createRedisNonceStore(client, opts) {
+  const prefix = opts?.prefix ?? "siwx:nonce:";
+  const ttlSeconds = Math.ceil((opts?.ttlMs ?? SIWX_CHALLENGE_EXPIRY_MS) / 1e3);
+  const clientType = detectRedisClientType(client);
   return {
-    requestId: crypto.randomUUID(),
-    method: request.method,
-    route: routeEntry.key,
-    origin: request.headers.get("origin") ?? new URL(request.url).origin,
-    referer: request.headers.get("referer"),
-    walletAddress: request.headers.get("X-Wallet-Address"),
-    clientId: request.headers.get("X-Client-ID"),
-    sessionId: request.headers.get("X-Session-ID"),
-    contentType: request.headers.get("content-type"),
-    headers: Object.fromEntries(request.headers.entries()),
-    startTime: Date.now()
+    async check(nonce) {
+      const key = `${prefix}${nonce}`;
+      if (clientType === "upstash") {
+        const redis = client;
+        const result = await redis.set(key, "1", { ex: ttlSeconds, nx: true });
+        return result !== null;
+      }
+      if (clientType === "ioredis") {
+        const redis = client;
+        const result = await redis.set(key, "1", "EX", ttlSeconds, "NX");
+        return result === "OK";
+      }
+      throw new Error("Unknown Redis client type");
+    }
   };
 }
-function parseQuery(request, routeEntry) {
-  if (!routeEntry.querySchema) return void 0;
-  const params = Object.fromEntries(request.nextUrl.searchParams.entries());
-  const result = routeEntry.querySchema.safeParse(params);
-  return result.success ? result.data : params;
+
+// src/protocols/mpp/siwx-mode.ts
+import { Credential as Credential2 } from "mppx";
+async function verifyMppSiwx(request, mppx) {
+  const result = await mppx.charge({ amount: "0" })(request);
+  if (result.status === 402) {
+    return { valid: false, challenge: result.challenge };
+  }
+  const credential = Credential2.fromRequest(request);
+  const rawSource = credential?.source ?? "";
+  const wallet = walletFromDid(rawSource);
+  return { valid: true, wallet, withReceipt: result.withReceipt };
 }
-async function resolveDynamicPrice(bodyData, routeEntry, deps, pluginCtx, meta) {
-  try {
-    let price = await resolvePrice(routeEntry.pricing, bodyData);
-    if (routeEntry.maxPrice) {
-      const calculated = parseFloat(price);
-      const max = parseFloat(routeEntry.maxPrice);
-      if (!Number.isFinite(calculated) || calculated > max) {
-        firePluginHook(deps.plugin, "onAlert", pluginCtx, {
-          level: "warn",
-          message: `Price ${price} exceeds maxPrice ${routeEntry.maxPrice}, capping`,
-          route: routeEntry.key,
-          meta: { calculated: price, maxPrice: routeEntry.maxPrice, body: bodyData }
-        });
-        price = routeEntry.maxPrice;
-      }
-    }
-    return { price };
-  } catch (err) {
-    firePluginHook(deps.plugin, "onAlert", pluginCtx, {
-      level: "error",
-      message: `Pricing function failed: ${err instanceof Error ? err.message : String(err)}`,
-      route: routeEntry.key,
-      meta: { error: err instanceof Error ? err.stack : String(err), body: bodyData }
-    });
-    if (routeEntry.maxPrice) {
-      firePluginHook(deps.plugin, "onAlert", pluginCtx, {
-        level: "warn",
-        message: `Using maxPrice ${routeEntry.maxPrice} as fallback after pricing error`,
-        route: routeEntry.key
-      });
-      return { price: routeEntry.maxPrice };
+
+// src/pipeline/flows/siwx-only.ts
+async function runSiwxOnlyFlow(ctx) {
+  const { request, routeEntry, deps } = ctx;
+  if (routeEntry.validateFn && routeEntry.bodySchema && !request.headers.get(HEADERS.SIWX)) {
+    const earlyClone = request.clone();
+    const earlyBody = await parseBody(earlyClone, routeEntry);
+    if (earlyBody.ok) {
+      const validateErr = await runValidate(ctx, earlyBody.data);
+      if (validateErr) return validateErr;
     } else {
-      const errorResponse = NextResponse2.json(
-        { success: false, error: "Price calculation failed" },
-        { status: 500 }
-      );
-      firePluginResponse(deps, pluginCtx, meta, errorResponse);
-      return { error: errorResponse };
+      firePluginResponse(ctx, earlyBody.response);
+      return earlyBody.response;
     }
   }
-}
-async function build402(request, routeEntry, deps, meta, pluginCtx, bodyData) {
-  const response = new NextResponse2(null, {
-    status: 402,
-    headers: {
-      "Content-Type": "application/json",
-      "Cache-Control": "no-store"
-    }
-  });
-  let challengePrice;
-  if (bodyData !== void 0 && typeof routeEntry.pricing !== "string" && routeEntry.pricing != null) {
-    const result = await resolveDynamicPrice(bodyData, routeEntry, deps, pluginCtx, meta);
-    if ("error" in result) return result.error;
-    challengePrice = result.price;
-  } else if (routeEntry.maxPrice) {
-    challengePrice = routeEntry.maxPrice;
-  } else if (routeEntry.pricing) {
+  const siwxHeader = request.headers.get(HEADERS.SIWX);
+  const protocol = detectProtocol(request);
+  if (!siwxHeader && protocol === "mpp" && deps.mppx) {
+    let mppSiwxResult;
     try {
-      challengePrice = resolveMaxPrice(routeEntry.pricing);
-    } catch {
-      challengePrice = "0";
+      mppSiwxResult = await verifyMppSiwx(request, deps.mppx);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      firePluginHook(deps.plugin, "onAlert", ctx.pluginCtx, {
+        level: "critical",
+        message: `MPP SIWX verification failed: ${message}`,
+        route: routeEntry.key
+      });
+      return fail(ctx, 500, `MPP SIWX verification failed: ${message}`);
+    }
+    if (mppSiwxResult.valid) {
+      ctx.pluginCtx.setVerifiedWallet(mppSiwxResult.wallet);
+      firePluginHook(deps.plugin, "onAuthVerified", ctx.pluginCtx, {
+        authMode: "siwx",
+        wallet: mppSiwxResult.wallet,
+        route: routeEntry.key
+      });
+      const authResponse = await runHandlerOnly(ctx, mppSiwxResult.wallet, void 0);
+      if (authResponse.status < 400) {
+        return mppSiwxResult.withReceipt(authResponse);
+      }
+      return authResponse;
     }
-  } else {
-    challengePrice = "0";
   }
-  let extensions;
+  if (!siwxHeader) {
+    return buildSiwxChallenge(ctx);
+  }
+  const siwx = await verifySIWX(request, routeEntry, deps.nonceStore);
+  if (!siwx.valid) {
+    const response = NextResponse5.json(
+      { error: siwx.code, message: SIWX_ERROR_MESSAGES[siwx.code] },
+      { status: 402 }
+    );
+    firePluginResponse(ctx, response);
+    return response;
+  }
+  const wallet = normalizeWalletAddress(siwx.wallet);
+  ctx.pluginCtx.setVerifiedWallet(wallet);
+  firePluginHook(deps.plugin, "onAuthVerified", ctx.pluginCtx, {
+    authMode: "siwx",
+    wallet,
+    route: routeEntry.key
+  });
+  return runHandlerOnly(ctx, wallet, void 0);
+}
+async function buildSiwxChallenge(ctx) {
+  const { request, routeEntry, deps } = ctx;
+  const url = new URL(request.url);
+  const nonce = crypto.randomUUID().replace(/-/g, "");
+  const supportedChains = getSupportedChains(deps.x402Accepts, deps.network);
+  const primaryChain = supportedChains[0];
+  const siwxInfo = {
+    domain: url.hostname,
+    uri: request.url,
+    version: "1",
+    chainId: primaryChain.chainId,
+    type: primaryChain.type,
+    nonce,
+    issuedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    expirationTime: new Date(Date.now() + SIWX_CHALLENGE_EXPIRY_MS).toISOString(),
+    statement: "Sign in to verify your wallet identity"
+  };
+  let siwxSchema;
   try {
-    const { z } = await import("zod");
-    const { declareDiscoveryExtension } = await import("@x402/extensions/bazaar");
-    const toJSON = (schema) => z.toJSONSchema(schema, {
-      target: "draft-2020-12",
-      unrepresentable: "any"
-    });
-    const inputSchema = routeEntry.bodySchema ? toJSON(routeEntry.bodySchema) : routeEntry.querySchema ? toJSON(routeEntry.querySchema) : void 0;
-    const outputSchema = routeEntry.outputSchema ? toJSON(routeEntry.outputSchema) : void 0;
-    if (inputSchema) {
-      const config = {
-        method: routeEntry.method,
-        bodyType: routeEntry.bodySchema ? "json" : void 0,
-        inputSchema
-      };
-      if (routeEntry.inputExample !== void 0) {
-        config.input = routeEntry.inputExample;
-      }
-      if (outputSchema && routeEntry.outputExample !== void 0) {
-        config.output = { schema: outputSchema, example: routeEntry.outputExample };
+    siwxSchema = await buildSIWXExtension();
+  } catch {
+  }
+  const paymentRequired = {
+    x402Version: 2,
+    error: "SIWX authentication required",
+    resource: {
+      url: request.url,
+      description: routeEntry.description ?? "SIWX-protected endpoint",
+      mimeType: "application/json"
+    },
+    accepts: [],
+    extensions: {
+      "sign-in-with-x": {
+        info: siwxInfo,
+        // Required by MCP tools at the top level for chain detection.
+        supportedChains,
+        ...siwxSchema ? { schema: siwxSchema } : {}
       }
-      extensions = declareDiscoveryExtension(config);
     }
+  };
+  let encoded;
+  try {
+    const { encodePaymentRequiredHeader } = await import("@x402/core/http");
+    encoded = encodePaymentRequiredHeader(paymentRequired);
   } catch (err) {
-    firePluginHook(deps.plugin, "onAlert", pluginCtx, {
+    firePluginHook(deps.plugin, "onAlert", ctx.pluginCtx, {
       level: "warn",
-      message: `Bazaar schema generation failed: ${err instanceof Error ? err.message : String(err)}`,
+      message: `SIWX challenge header encoding failed: ${err instanceof Error ? err.message : String(err)}`,
       route: routeEntry.key
     });
   }
-  if (routeEntry.siwxEnabled) {
+  const response = new NextResponse5(JSON.stringify(paymentRequired), {
+    status: 402,
+    headers: { "Content-Type": "application/json", "Cache-Control": "no-store" }
+  });
+  if (encoded) response.headers.set(HEADERS.X402_PAYMENT_REQUIRED, encoded);
+  if (deps.mppx) {
     try {
-      const siwxExtension = await buildSIWXExtension();
-      if (siwxExtension && typeof siwxExtension === "object" && !Array.isArray(siwxExtension)) {
-        extensions = {
-          ...extensions ?? {},
-          ...siwxExtension
-        };
+      const mppChallenge = await deps.mppx.charge({ amount: "0" })(request);
+      if (mppChallenge.status === 402) {
+        const wwwAuth = mppChallenge.challenge.headers.get(HEADERS.WWW_AUTHENTICATE);
+        if (wwwAuth) response.headers.set(HEADERS.WWW_AUTHENTICATE, wwwAuth);
       }
     } catch {
     }
   }
-  if (routeEntry.protocols.includes("x402") && deps.x402Server) {
-    try {
-      const accepts = await resolveX402Accepts(
-        request,
-        routeEntry,
-        deps.x402Accepts,
-        deps.payeeAddress,
-        bodyData
-      );
-      const { encoded } = await buildX402Challenge({
-        server: deps.x402Server,
-        routeEntry,
-        request,
-        price: challengePrice,
-        accepts,
-        facilitatorsByNetwork: deps.x402FacilitatorsByNetwork,
-        extensions
-      });
-      response.headers.set("PAYMENT-REQUIRED", encoded);
-    } catch (err) {
-      const message = `x402 challenge build failed: ${err instanceof Error ? err.message : String(err)}`;
-      firePluginHook(deps.plugin, "onAlert", pluginCtx, {
-        level: "critical",
-        message,
-        route: routeEntry.key
-      });
-      const errorResponse = NextResponse2.json({ success: false, error: message }, { status: 500 });
-      firePluginResponse(deps, pluginCtx, meta, errorResponse);
-      return errorResponse;
-    }
-  }
-  if (routeEntry.protocols.includes("mpp") && deps.mppx) {
-    try {
-      const result = await deps.mppx.charge({ amount: challengePrice })(request);
-      if (result.status === 402) {
-        const wwwAuth = result.challenge.headers.get("WWW-Authenticate");
-        if (wwwAuth) response.headers.set("WWW-Authenticate", wwwAuth);
-      }
-    } catch (err) {
-      firePluginHook(deps.plugin, "onAlert", pluginCtx, {
-        level: "critical",
-        message: `MPP challenge build failed: ${err instanceof Error ? err.message : String(err)}`,
-        route: routeEntry.key
-      });
-    }
-  }
-  firePluginResponse(deps, pluginCtx, meta, response);
+  firePluginResponse(ctx, response);
   return response;
 }
-function firePluginResponse(deps, pluginCtx, meta, response, requestBody, responseBody) {
-  firePluginHook(deps.plugin, "onResponse", pluginCtx, {
-    statusCode: response.status,
-    statusText: response.statusText,
-    duration: Date.now() - meta.startTime,
-    contentType: response.headers.get("content-type"),
-    headers: Object.fromEntries(response.headers.entries()),
-    requestBody,
-    responseBody
-  });
-  if (response.status >= 400 && response.status !== 402) {
-    firePluginHook(deps.plugin, "onError", pluginCtx, {
-      status: response.status,
-      message: response.statusText || `HTTP ${response.status}`,
-      settled: false
-    });
+function siwxSignatureType(network) {
+  return network.startsWith("solana:") ? "ed25519" : "eip191";
+}
+function getSupportedChains(x402Accepts, fallbackNetwork) {
+  const seen = /* @__PURE__ */ new Set();
+  const chains = [];
+  for (const accept of x402Accepts) {
+    if (accept.network && !seen.has(accept.network)) {
+      seen.add(accept.network);
+      chains.push({ chainId: accept.network, type: siwxSignatureType(accept.network) });
+    }
   }
+  if (chains.length === 0) {
+    chains.push({ chainId: fallbackNetwork, type: siwxSignatureType(fallbackNetwork) });
+  }
+  return chains;
 }
-function computeQuotaLevel(remaining, warn, critical) {
-  if (remaining === null) return "healthy";
-  if (critical !== void 0 && remaining <= critical) return "critical";
-  if (warn !== void 0 && remaining <= warn) return "warn";
-  return "healthy";
+
+// src/pipeline/flows/unprotected.ts
+async function runUnprotectedFlow(ctx) {
+  return runHandlerOnly(ctx, null, void 0);
 }
-function fireProviderQuota(routeEntry, response, handlerResult, deps, pluginCtx) {
-  const { providerName, providerConfig } = routeEntry;
-  if (!providerName || !providerConfig?.extractQuota) return;
-  if (response.status >= 400) return;
-  try {
-    const quota = providerConfig.extractQuota(handlerResult, response.headers);
-    if (!quota) return;
-    const level = computeQuotaLevel(quota.remaining, providerConfig.warn, providerConfig.critical);
-    const overage = providerConfig.overage ?? "same-rate";
-    const event = {
-      provider: providerName,
-      route: routeEntry.key,
-      remaining: quota.remaining,
-      limit: quota.limit,
-      spend: quota.spend,
-      level,
-      overage,
-      message: quota.remaining !== null ? `${providerName}: ${quota.remaining}${quota.limit ? `/${quota.limit}` : ""} remaining` : `${providerName}: quota info unavailable`
-    };
-    firePluginHook(deps.plugin, "onProviderQuota", pluginCtx, event);
-  } catch {
-  }
+
+// src/orchestrate.ts
+function createRequestHandler(routeEntry, handler, deps) {
+  return async (request) => {
+    await deps.initPromise;
+    const ctx = preflight(routeEntry, handler, deps, request);
+    if (routeEntry.authMode === "unprotected") return runUnprotectedFlow(ctx);
+    if (routeEntry.authMode === "siwx") return runSiwxOnlyFlow(ctx);
+    if (routeEntry.pricing) return runPaidFlow(ctx);
+    if (routeEntry.apiKeyResolver) return runApiKeyOnlyFlow(ctx);
+    return runUnprotectedFlow(ctx);
+  };
 }
 
 // src/validate-examples.ts
 function validateExamples(key, bodySchema, querySchema, outputSchema, inputExample, hasInputExample, outputExample, hasOutputExample) {
-  if (bodySchema && !hasInputExample) {
-    throw new Error(
-      `route '${key}': .body() requires a matching .inputExample() \u2014 the bazaar discovery extension needs a conforming sample body to advertise.`
-    );
-  }
-  if (querySchema && !hasInputExample) {
-    throw new Error(
-      `route '${key}': .query() requires a matching .inputExample() \u2014 the bazaar discovery extension needs a conforming sample query to advertise.`
-    );
+  const inputSchema = bodySchema ?? querySchema;
+  if (hasInputExample && !inputSchema) {
+    throw new Error(`route '${key}': .inputExample() requires .body() or .query()`);
   }
-  if (outputSchema && !hasOutputExample) {
-    throw new Error(
-      `route '${key}': .output() requires a matching .outputExample() \u2014 the bazaar discovery extension needs a conforming sample response to advertise.`
-    );
+  if (hasOutputExample && !outputSchema) {
+    throw new Error(`route '${key}': .outputExample() requires .output()`);
   }
-  const inputSchema = bodySchema ?? querySchema;
   if (inputSchema && hasInputExample) {
     const result = inputSchema.safeParse(inputExample);
     if (!result.success) {
@@ -1999,6 +2376,8 @@ var RouteBuilder = class {
   /** @internal */
   _validateFn;
   /** @internal */
+  _settlement;
+  /** @internal */
   _mppInfo;
   constructor(key, registry, deps) {
     this._key = key;
@@ -2012,11 +2391,21 @@ var RouteBuilder = class {
     return next;
   }
   paid(pricing, options) {
+    if (this._authMode === "unprotected") {
+      throw new Error(
+        `route '${this._key}': Cannot combine .unprotected() and .paid() on the same route.`
+      );
+    }
+    if (this._pricing !== void 0) {
+      throw new Error(
+        `route '${this._key}': Cannot call .paid() more than once on the same route.`
+      );
+    }
     const next = this.fork();
     next._authMode = "paid";
     next._pricing = pricing;
     if (options?.protocols) {
-      next._protocols = options.protocols;
+      next._protocols = [...options.protocols];
     } else if (next._protocols.length === 0) {
       next._protocols = ["x402"];
     }
@@ -2081,6 +2470,16 @@ var RouteBuilder = class {
     return next;
   }
   unprotected() {
+    if (this._authMode && this._authMode !== "unprotected") {
+      throw new Error(
+        `route '${this._key}': Cannot combine .unprotected() and .${this._authMode}() on the same route.`
+      );
+    }
+    if (this._pricing) {
+      throw new Error(
+        `route '${this._key}': Cannot combine .unprotected() and .paid() on the same route.`
+      );
+    }
     const next = this.fork();
     next._authMode = "unprotected";
     next._protocols = [];
@@ -2095,32 +2494,43 @@ var RouteBuilder = class {
     next._providerConfig = config ?? {};
     return next;
   }
-  // -------------------------------------------------------------------------
-  // Schema methods
-  // -------------------------------------------------------------------------
-  body(schema) {
+  body(schema, example) {
     const next = this.fork();
     next._bodySchema = schema;
+    if (example !== void 0) {
+      next._inputExample = example;
+      next._hasInputExample = true;
+    }
     return next;
   }
-  query(schema) {
+  query(schema, example) {
     const next = this.fork();
     next._querySchema = schema;
+    if (example !== void 0) {
+      next._inputExample = example;
+      next._hasInputExample = true;
+    }
     next._method = "GET";
     return next;
   }
-  output(schema) {
+  output(schema, example) {
     const next = this.fork();
     next._outputSchema = schema;
+    if (example !== void 0) {
+      next._outputExample = example;
+      next._hasOutputExample = true;
+    }
     return next;
   }
   /**
    * Provide a conforming example of the request input (body or query params).
    *
-   * **Required** whenever `.body()` or `.query()` is set — enforced at compile time via
-   * `.handler()` overloads, and at route-registration time via Zod validation of the
-   * example against the schema. The example is embedded in the bazaar discovery extension
-   * so indexers can advertise a working sample call.
+   * Optional. When provided, the example is validated against the request schema
+   * at route registration and embedded in the bazaar discovery extension so
+   * indexers can advertise a working sample call.
+   *
+   * For the common case, pass the example directly to `.body(schema, example)` or
+   * `.query(schema, example)` instead.
    *
    * @example
    * ```ts
@@ -2140,10 +2550,11 @@ var RouteBuilder = class {
   /**
    * Provide a conforming example of the response output.
    *
-   * **Required** whenever `.output()` is set — enforced at compile time via `.handler()`
-   * overloads, and at route-registration time via Zod validation of the example against
-   * the schema. The example is embedded in the bazaar discovery extension so indexers
-   * can advertise the response shape.
+   * Optional. When provided, the example is validated against the output schema
+   * at route registration and embedded in the bazaar discovery extension so
+   * indexers can advertise the response shape.
+   *
+   * For the common case, pass the example directly to `.output(schema, example)` instead.
    *
    * Accepts any JSON value (objects, arrays, or primitives) — top-level array
    * or primitive responses (e.g. `z.array(...)`) are supported alongside the
@@ -2216,15 +2627,39 @@ var RouteBuilder = class {
     return next;
   }
   // -------------------------------------------------------------------------
+  // Settlement lifecycle
+  // -------------------------------------------------------------------------
+  /**
+   * Add route-specific settlement hooks.
+   *
+   * `beforeSettle` runs after a successful handler response but before
+   * router-controlled settlement/broadcast, so it can still prevent the charge
+   * for x402 and MPP transaction-payload flows. `afterSettle` runs after
+   * settlement and is intended for durable ledgers or app-owned refund queues.
+   */
+  settlement(lifecycle) {
+    const next = this.fork();
+    next._settlement = lifecycle;
+    return next;
+  }
+  // -------------------------------------------------------------------------
   // Terminal method
   // -------------------------------------------------------------------------
   handler(fn) {
     const handlerFn = fn;
+    if (!this._authMode) {
+      throw new Error(
+        `route '${this._key}': Select an auth mode: .paid(pricing), .siwx(), .apiKey(resolver), or .unprotected()`
+      );
+    }
     if (this._validateFn && !this._bodySchema) {
       throw new Error(
         `route '${this._key}': .validate() requires .body() \u2014 validation runs on parsed body`
       );
     }
+    if (this._settlement && !this._pricing) {
+      throw new Error(`route '${this._key}': .settlement() requires a paid route`);
+    }
     validateExamples(
       this._key,
       this._bodySchema,
@@ -2256,6 +2691,7 @@ var RouteBuilder = class {
       providerName: this._providerName,
       providerConfig: this._providerConfig,
       validateFn: this._validateFn,
+      settlement: this._settlement,
       mppInfo: this._mppInfo
     };
     this._registry.register(entry);
@@ -2330,7 +2766,7 @@ function createRedisEntitlementStore(client, options) {
 }
 
 // src/discovery/well-known.ts
-import { NextResponse as NextResponse3 } from "next/server";
+import { NextResponse as NextResponse6 } from "next/server";
 
 // src/discovery/utils/guidance.ts
 async function resolveGuidance(discovery) {
@@ -2374,7 +2810,7 @@ function createWellKnownHandler(registry, baseUrl, pricesKeys, discovery) {
     if (instructions) {
       body.instructions = instructions;
     }
-    return NextResponse3.json(body, {
+    return NextResponse6.json(body, {
       headers: {
         "Access-Control-Allow-Origin": "*",
         "Access-Control-Allow-Methods": "GET",
@@ -2391,13 +2827,14 @@ function toDiscoveryResource(method, url, mode) {
 }
 
 // src/discovery/openapi.ts
-import { NextResponse as NextResponse4 } from "next/server";
+init_constants();
+import { NextResponse as NextResponse7 } from "next/server";
 function createOpenAPIHandler(registry, baseUrl, pricesKeys, discovery) {
   const normalizedBase = baseUrl.replace(/\/+$/, "");
   let cached = null;
   let validated = false;
   return async (_request) => {
-    if (cached) return NextResponse4.json(cached);
+    if (cached) return NextResponse7.json(cached);
     if (!validated && pricesKeys) {
       registry.validate(pricesKeys);
       validated = true;
@@ -2422,14 +2859,14 @@ function createOpenAPIHandler(registry, baseUrl, pricesKeys, discovery) {
       securitySchemes.siwx = {
         type: "apiKey",
         in: "header",
-        name: "SIGN-IN-WITH-X"
+        name: HEADERS.SIWX
       };
     }
     if (requiresApiKeyScheme) {
       securitySchemes.apiKey = {
         type: "apiKey",
         in: "header",
-        name: "X-API-Key"
+        name: HEADERS.API_KEY
       };
     }
     const discoveryMetadata = {};
@@ -2460,7 +2897,7 @@ function createOpenAPIHandler(registry, baseUrl, pricesKeys, discovery) {
       paths
     };
     cached = createDocument(openApiDocument);
-    return NextResponse4.json(cached);
+    return NextResponse7.json(cached);
   };
 }
 function deriveTag(routeKey) {
@@ -2533,7 +2970,7 @@ function toProtocolObject(protocol, mppInfo) {
       mpp: {
         method: mppInfo?.method ?? "tempo",
         intent: mppInfo?.intent ?? "charge",
-        currency: mppInfo?.currency ?? "0x20c0000000000000000000000000000000000001"
+        currency: mppInfo?.currency ?? TEMPO_USDC_CURRENCY
       }
     };
   }
@@ -2583,11 +3020,11 @@ function buildPricingInfo(entry) {
 }
 
 // src/discovery/llms-txt.ts
-import { NextResponse as NextResponse5 } from "next/server";
+import { NextResponse as NextResponse8 } from "next/server";
 function createLlmsTxtHandler(discovery) {
   return async (_request) => {
     const guidance = await resolveGuidance(discovery) ?? "";
-    return new NextResponse5(guidance, {
+    return new NextResponse8(guidance, {
       headers: {
         "Content-Type": "text/plain; charset=utf-8",
         "Access-Control-Allow-Origin": "*"
@@ -2597,14 +3034,14 @@ function createLlmsTxtHandler(discovery) {
 }
 
 // src/index.ts
-init_x402_config();
+init_accepts();
 init_constants();
 
 // src/config.ts
 init_constants();
 init_evm();
 init_solana();
-init_x402_config();
+init_accepts();
 var RouterConfigError = class extends Error {
   issues;
   constructor(issues) {
@@ -2648,6 +3085,8 @@ function mppFromEnv(env, options = {}) {
   const secretKey = env.MPP_SECRET_KEY;
   const currency = env.MPP_CURRENCY;
   const rpcUrl = env.TEMPO_RPC_URL;
+  const feePayerKey = options.feePayerKey ?? env.MPP_FEE_PAYER_KEY;
+  const feePayerKeySource = options.feePayerKey !== void 0 ? "feePayerKey" : "MPP_FEE_PAYER_KEY";
   const hasAnyMppEnv = Boolean(secretKey || currency || rpcUrl || options.require);
   if (!hasAnyMppEnv) return void 0;
   const missing = [
@@ -2658,12 +3097,21 @@ function mppFromEnv(env, options = {}) {
   if (missing.length > 0) {
     throw new Error(`MPP env is incomplete. Missing: ${missing.join(", ")}`);
   }
+  if (!isEvmAddress(currency)) {
+    throw new Error("MPP_CURRENCY must be a 0x-prefixed 20-byte Tempo currency address");
+  }
+  if (options.recipient && !isEvmAddress(options.recipient)) {
+    throw new Error("MPP recipient must be a 0x-prefixed EVM address");
+  }
+  if (feePayerKey && !isEvmPrivateKey(feePayerKey)) {
+    throw new Error(`${feePayerKeySource} must be a 0x-prefixed 32-byte EVM private key`);
+  }
   return {
     secretKey,
     currency,
     rpcUrl,
     ...options.recipient ? { recipient: options.recipient } : {},
-    ...options.feePayerKey ? { feePayerKey: options.feePayerKey } : {},
+    ...feePayerKey ? { feePayerKey } : {},
     ...options.useDefaultStore !== void 0 ? { useDefaultStore: options.useDefaultStore } : {}
   };
 }
@@ -2801,13 +3249,26 @@ function validateMppConfig(config, env) {
       protocol: "mpp",
       message: "MPP requires currency. Set MPP_CURRENCY or pass mpp.currency."
     });
+  } else if (!isEvmAddress(mpp.currency)) {
+    issues.push({
+      code: "invalid_mpp_currency",
+      protocol: "mpp",
+      message: "MPP currency must be a 0x-prefixed 20-byte Tempo currency address. Use TEMPO_USDC_CURRENCY for Tempo USDC."
+    });
   }
-  if (!mpp.recipient && !config.payeeAddress) {
+  const mppRecipient = mpp.recipient ?? config.payeeAddress;
+  if (!mppRecipient) {
     issues.push({
       code: "missing_mpp_recipient",
       protocol: "mpp",
       message: "MPP requires a recipient address. Set mpp.recipient or payeeAddress in your router config."
     });
+  } else if (!isEvmAddress(mppRecipient)) {
+    issues.push({
+      code: "invalid_mpp_recipient",
+      protocol: "mpp",
+      message: "MPP recipient must be a 0x-prefixed EVM address. Solana recipients require x402."
+    });
   }
   const placeholder = findPlaceholderPayee([mpp.recipient, config.payeeAddress]);
   if (placeholder) {
@@ -2824,6 +3285,13 @@ function validateMppConfig(config, env) {
       message: "MPP requires an authenticated Tempo RPC URL. Set TEMPO_RPC_URL env var or pass rpcUrl in the mpp config object."
     });
   }
+  if (mpp.feePayerKey && !isEvmPrivateKey(mpp.feePayerKey)) {
+    issues.push({
+      code: "invalid_mpp_fee_payer_key",
+      protocol: "mpp",
+      message: "MPP feePayerKey must be a 0x-prefixed 32-byte EVM private key."
+    });
+  }
   if (mpp.useDefaultStore && !mpp.store && (!env.KV_REST_API_URL || !env.KV_REST_API_TOKEN)) {
     issues.push({
       code: "missing_mpp_default_store_env",
@@ -2841,8 +3309,14 @@ function usesDefaultEvmFacilitator(config) {
 function isSupportedX402Network(network) {
   return isEvmNetwork(network) || isSolanaNetwork(network);
 }
+function isEvmAddress(value) {
+  return /^0x[a-fA-F0-9]{40}$/.test(value);
+}
+function isEvmPrivateKey(value) {
+  return /^0x[a-fA-F0-9]{64}$/.test(value);
+}
 function findPlaceholderPayee(values) {
-  return values.find((value) => value?.toLowerCase() === ZERO_EVM_ADDRESS) ?? null;
+  return values.find((value) => value !== void 0 && /^0x0{40}$/i.test(value)) ?? null;
 }
 
 // src/index.ts
@@ -2891,6 +3365,7 @@ function createRouter(config) {
     nonceStore,
     entitlementStore,
     payeeAddress: config.payeeAddress ?? "",
+    mppRecipient: config.mpp?.recipient ?? config.payeeAddress,
     network,
     x402FacilitatorsByNetwork: void 0,
     x402Accepts,