@agentcash/router 1.5.2 → 1.7.0

package/dist/index.cjs

@@ -31,14 +31,18 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/constants.ts
-var BASE_NETWORK, SOLANA_MAINNET_NETWORK, TEMPO_USDC_CURRENCY, ZERO_EVM_ADDRESS;
+var BASE_MAINNET_NETWORK, SOLANA_MAINNET_NETWORK, TEMPO_USDC_ADDRESS, TEMPO_USDC_DECIMALS, BASE_USDC_ADDRESS, BASE_USDC_DECIMALS, ZERO_EVM_ADDRESS, DEFAULT_SOLANA_FACILITATOR_URL;
 var init_constants = __esm({
   "src/constants.ts"() {
     "use strict";
-    BASE_NETWORK = "eip155:8453";
+    BASE_MAINNET_NETWORK = "eip155:8453";
     SOLANA_MAINNET_NETWORK = "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp";
-    TEMPO_USDC_CURRENCY = "0x20c000000000000000000000b9537d11c60e8b50";
+    TEMPO_USDC_ADDRESS = "0x20c000000000000000000000b9537d11c60e8b50";
+    TEMPO_USDC_DECIMALS = 6;
+    BASE_USDC_ADDRESS = "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913";
+    BASE_USDC_DECIMALS = 6;
     ZERO_EVM_ADDRESS = "0x0000000000000000000000000000000000000000";
+    DEFAULT_SOLANA_FACILITATOR_URL = "https://facilitator.corbits.dev";
   }
 });
 
@@ -55,7 +59,7 @@ function getConfiguredX402Accepts(config) {
   return [
     {
       scheme: "exact",
-      network: config.network ?? BASE_NETWORK,
+      network: config.network ?? BASE_MAINNET_NETWORK,
       payTo: config.payeeAddress
     }
   ];
@@ -105,6 +109,18 @@ function buildEvmExactOptions(accepts, price) {
     payTo
   }));
 }
+function buildEvmUptoOptions(accepts, price) {
+  return accepts.filter(
+    (accept) => accept.scheme === "upto" && isEvmNetwork(accept.network)
+  ).map((accept) => ({
+    scheme: "upto",
+    network: accept.network,
+    payTo: accept.payTo,
+    price,
+    ...accept.maxTimeoutSeconds !== void 0 ? { maxTimeoutSeconds: accept.maxTimeoutSeconds } : {},
+    ...accept.extra ? { extra: accept.extra } : {}
+  }));
+}
 var init_evm = __esm({
   "src/protocols/x402/evm.ts"() {
     "use strict";
@@ -223,7 +239,10 @@ async function getAcceptsHeadersForFacilitator(facilitator) {
   return {};
 }
 function resolveX402FacilitatorTarget(config, network, defaultEvmFacilitator) {
-  return (isSolanaNetwork(network) ? config.x402?.facilitators?.solana : void 0) ?? (isEvmNetwork(network) ? config.x402?.facilitators?.evm : void 0) ?? (isSolanaNetwork(network) ? DEFAULT_SOLANA_FACILITATOR_URL : defaultEvmFacilitator);
+  if (isSolanaNetwork(network)) {
+    return config.x402?.facilitators?.solana ?? DEFAULT_SOLANA_FACILITATOR_URL;
+  }
+  return defaultEvmFacilitator;
 }
 function normalizeFacilitatorTarget(target) {
   return typeof target === "string" ? { url: target } : target;
@@ -236,19 +255,18 @@ function getNetworkFamily(network) {
 function sameFacilitatorConfig(a, b) {
   return a.url === b.url && a.createAuthHeaders === b.createAuthHeaders && a.createAcceptsHeaders === b.createAcceptsHeaders;
 }
-var DEFAULT_SOLANA_FACILITATOR_URL;
 var init_facilitators = __esm({
   "src/protocols/x402/facilitators.ts"() {
     "use strict";
     init_evm();
     init_solana();
-    DEFAULT_SOLANA_FACILITATOR_URL = "https://facilitator.corbits.dev";
+    init_constants();
   }
 });
 
-// src/server.ts
-var server_exports = {};
-__export(server_exports, {
+// src/init/x402-server.ts
+var x402_server_exports = {};
+__export(x402_server_exports, {
   createX402Server: () => createX402Server
 });
 async function createX402Server(config) {
@@ -289,44 +307,44 @@ async function createX402Server(config) {
     facilitatorsByNetwork
   };
 }
-function cachedClient(inner, kinds) {
+function createFacilitatorClients(facilitatorsByNetwork, HTTPFacilitatorClient) {
+  const groups = getResolvedX402FacilitatorGroups(facilitatorsByNetwork);
+  return groups.map((group) => {
+    const inner = new HTTPFacilitatorClient(group.config);
+    const kinds = buildSupportedKinds(group);
+    return hardcodedSupportedClient(inner, kinds);
+  });
+}
+function hardcodedSupportedClient(inner, kinds) {
   return {
     verify: inner.verify.bind(inner),
     settle: inner.settle.bind(inner),
-    getSupported: async () => ({
-      kinds,
-      extensions: [],
-      signers: {}
-    })
+    getSupported: async () => ({ kinds, extensions: [], signers: {} })
   };
 }
-function createFacilitatorClients(facilitatorsByNetwork, HTTPFacilitatorClient) {
-  const groups = getResolvedX402FacilitatorGroups(facilitatorsByNetwork);
-  return groups.map((group) => {
-    const inner = new HTTPFacilitatorClient(group.config);
-    const kinds = group.networks.flatMap((network) => {
-      const exactKind = {
-        x402Version: 2,
-        scheme: "exact",
-        network,
-        ...group.family === "solana" ? {
-          extra: {
-            features: {
-              xSettlementAccountSupported: true
-            }
+function buildSupportedKinds(group) {
+  return group.networks.flatMap((network) => {
+    const exactKind = {
+      x402Version: 2,
+      scheme: "exact",
+      network,
+      ...group.family === "solana" ? {
+        extra: {
+          features: {
+            xSettlementAccountSupported: true
           }
-        } : {}
-      };
-      if (group.family === "evm") {
-        return [exactKind, { x402Version: 2, scheme: "upto", network }];
-      }
-      return [exactKind];
-    });
-    return cachedClient(inner, kinds);
+        }
+      } : {}
+    };
+    const uptoKind = { x402Version: 2, scheme: "upto", network };
+    if (group.family === "evm") {
+      return [exactKind, uptoKind];
+    }
+    return [exactKind, uptoKind];
   });
 }
-var init_server = __esm({
-  "src/server.ts"() {
+var init_x402_server = __esm({
+  "src/init/x402-server.ts"() {
     "use strict";
     init_evm();
     init_solana();
@@ -335,93 +353,28 @@ var init_server = __esm({
   }
 });
 
-// src/upstash-rest.ts
-var upstash_rest_exports = {};
-__export(upstash_rest_exports, {
-  createUpstashRest: () => createUpstashRest
-});
-function createUpstashRest(url, token) {
-  const base = url.replace(/\/+$/, "");
-  const headers = { Authorization: `Bearer ${token}` };
-  async function get(key) {
-    const res = await fetch(`${base}/get/${key}`, { headers });
-    if (!res.ok) throw new Error(`[upstash-rest] GET ${key}: ${res.status}`);
-    const { result } = await res.json();
-    return result ?? null;
-  }
-  async function set(key, value) {
-    const res = await fetch(`${base}`, {
-      method: "POST",
-      headers: { ...headers, "Content-Type": "application/json" },
-      body: JSON.stringify(["SET", key, JSON.stringify(value)])
-    });
-    if (!res.ok) throw new Error(`[upstash-rest] SET ${key}: ${res.status}`);
-    return await res.json();
-  }
-  async function del(key) {
-    const res = await fetch(`${base}`, {
-      method: "POST",
-      headers: { ...headers, "Content-Type": "application/json" },
-      body: JSON.stringify(["DEL", key])
-    });
-    if (!res.ok) throw new Error(`[upstash-rest] DEL ${key}: ${res.status}`);
-    return await res.json();
-  }
-  return {
-    get,
-    set,
-    del,
-    async update(key, fn) {
-      const current = await get(key);
-      const change = fn(current);
-      if (change.op === "set") await set(key, change.value);
-      if (change.op === "delete") await del(key);
-      return change.result;
-    }
-  };
-}
-var init_upstash_rest = __esm({
-  "src/upstash-rest.ts"() {
-    "use strict";
-  }
-});
-
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
-  BASE_NETWORK: () => BASE_NETWORK,
+  BASE_MAINNET_NETWORK: () => BASE_MAINNET_NETWORK,
+  BASE_USDC_ADDRESS: () => BASE_USDC_ADDRESS,
+  BASE_USDC_DECIMALS: () => BASE_USDC_DECIMALS,
+  DEFAULT_SOLANA_FACILITATOR_URL: () => DEFAULT_SOLANA_FACILITATOR_URL,
   HttpError: () => HttpError,
-  MemoryEntitlementStore: () => MemoryEntitlementStore,
-  MemoryNonceStore: () => MemoryNonceStore,
-  RouteBuilder: () => RouteBuilder,
-  RouteRegistry: () => RouteRegistry,
   RouterConfigError: () => RouterConfigError,
-  SIWX_CHALLENGE_EXPIRY_MS: () => SIWX_CHALLENGE_EXPIRY_MS,
-  SIWX_ERROR_MESSAGES: () => SIWX_ERROR_MESSAGES,
   SOLANA_MAINNET_NETWORK: () => SOLANA_MAINNET_NETWORK,
-  TEMPO_USDC_CURRENCY: () => TEMPO_USDC_CURRENCY,
+  TEMPO_USDC_ADDRESS: () => TEMPO_USDC_ADDRESS,
+  TEMPO_USDC_DECIMALS: () => TEMPO_USDC_DECIMALS,
   ZERO_EVM_ADDRESS: () => ZERO_EVM_ADDRESS,
-  consolePlugin: () => consolePlugin,
-  createRedisEntitlementStore: () => createRedisEntitlementStore,
-  createRedisNonceStore: () => createRedisNonceStore,
   createRouter: () => createRouter,
-  formatRouterConfigIssues: () => formatRouterConfigIssues,
-  getRouterConfigIssues: () => getRouterConfigIssues,
-  mppFromEnv: () => mppFromEnv,
-  paidOptionsForProtocols: () => paidOptionsForProtocols,
-  validateRouterConfig: () => validateRouterConfig,
-  x402AcceptsFromEnv: () => x402AcceptsFromEnv
+  createRouterFromEnv: () => createRouterFromEnv,
+  routerConfigFromEnv: () => routerConfigFromEnv
 });
 module.exports = __toCommonJS(index_exports);
 
 // src/registry.ts
 var RouteRegistry = class {
   routes = /* @__PURE__ */ new Map();
-  // Internal map key includes the HTTP method so that POST and DELETE on the
-  // same path coexist. Within the same path+method, last-write-wins is still
-  // intentional — Next.js module loading order is non-deterministic during
-  // build and discovery stubs may register the same route in either order.
-  // Prior art: ElysiaJS uses the same pattern (silent overwrite in router.history).
   mapKey(entry) {
     return `${entry.key}:${entry.method}`;
   }
@@ -434,8 +387,6 @@ var RouteRegistry = class {
     }
     this.routes.set(k, entry);
   }
-  // Accepts either a compound key ("site/domain:DELETE") or a path-only key
-  // ("site/domain") — path-only returns the first registered method for that path.
   get(key) {
     const direct = this.routes.get(key);
     if (direct) return direct;
@@ -467,24 +418,17 @@ var RouteRegistry = class {
 
 // src/headers.ts
 var HEADERS = {
-  // ---- Standard HTTP ----
   AUTHORIZATION: "Authorization",
   WWW_AUTHENTICATE: "WWW-Authenticate",
-  // ---- Auth ----
   API_KEY: "X-API-Key",
-  // ---- Request meta (used by plugin/observability) ----
   WALLET_ADDRESS: "X-Wallet-Address",
   CLIENT_ID: "X-Client-ID",
   SESSION_ID: "X-Session-ID",
-  // ---- SIWX ----
   SIWX: "SIGN-IN-WITH-X",
-  // ---- x402 (payment) ----
   X402_PAYMENT_SIGNATURE: "PAYMENT-SIGNATURE",
-  /** Legacy x402 payment header — accepted alongside PAYMENT-SIGNATURE. */
   X402_PAYMENT_LEGACY: "X-PAYMENT",
   X402_PAYMENT_REQUIRED: "PAYMENT-REQUIRED",
   X402_PAYMENT_RESPONSE: "PAYMENT-RESPONSE",
-  // ---- MPP (payment) ----
   MPP_PAYMENT_RECEIPT: "Payment-Receipt"
 };
 var AUTH_SCHEME = {
@@ -492,7 +436,7 @@ var AUTH_SCHEME = {
   MPP_PAYMENT: "Payment "
 };
 
-// src/plugin.ts
+// src/plugin/index.ts
 function createDefaultContext(meta) {
   const ctx = {
     requestId: meta.requestId,
@@ -528,50 +472,32 @@ function firePluginHook(plugin, method, ...args) {
     return void 0;
   }
 }
-function consolePlugin() {
-  return {
-    onRequest(meta) {
-      const ctx = createDefaultContext(meta);
-      return ctx;
-    },
-    onAuthVerified(_ctx, auth) {
-      const wallet = auth.wallet ? ` wallet=${auth.wallet}` : "";
-      console.log(`[router] AUTH ${auth.authMode} ${auth.route}${wallet}`);
-    },
-    onPaymentVerified(_ctx, payment) {
-      console.log(`[router] VERIFIED ${payment.protocol} ${payment.payer} ${payment.amount}`);
-    },
-    onPaymentSettled(_ctx, settlement) {
-      console.log(`[router] SETTLED ${settlement.protocol} tx=${settlement.transaction}`);
-    },
-    onResponse(ctx, response) {
-      const wallet = ctx.verifiedWallet ? ` wallet=${ctx.verifiedWallet}` : "";
-      console.log(
-        `[router] ${ctx.route} \u2192 ${response.statusCode} (${response.duration}ms)${wallet}`
-      );
-    },
-    onError(_ctx, error) {
-      console.error(`[router] ERROR ${error.status}: ${error.message}`);
-    },
-    onAlert(_ctx, alert) {
-      const logFn = alert.level === "critical" || alert.level === "error" ? console.error : alert.level === "warn" ? console.warn : console.log;
-      logFn(
-        `[router] ${alert.level.toUpperCase()} ${alert.route}: ${alert.message}`,
-        alert.meta ?? ""
-      );
-    },
-    onProviderQuota(_ctx, event) {
-      const logFn = event.level === "critical" ? console.error : event.level === "warn" ? console.warn : console.log;
-      logFn(`[router] QUOTA ${event.level.toUpperCase()} ${event.provider}: ${event.message}`);
-    }
+
+// src/plugin/reporter.ts
+function createReporter(plugin, pluginCtx, route) {
+  return (level, message, meta) => {
+    firePluginHook(plugin, "onAlert", pluginCtx, {
+      level,
+      message,
+      route,
+      ...meta ? { meta } : {}
+    });
   };
 }
 
-// src/pipeline/context/preflight.ts
+// src/pipeline/steps/preflight.ts
 function preflight(routeEntry, handler, deps, request) {
   const meta = buildMeta(request, routeEntry);
   const pluginCtx = firePluginHook(deps.plugin, "onRequest", meta) ?? createDefaultContext(meta);
-  return { routeEntry, handler, deps, request, meta, pluginCtx };
+  return {
+    routeEntry,
+    handler,
+    deps,
+    request,
+    meta,
+    pluginCtx,
+    report: createReporter(deps.plugin, pluginCtx, routeEntry.key)
+  };
 }
 function buildMeta(request, routeEntry) {
   return {
@@ -589,10 +515,10 @@ function buildMeta(request, routeEntry) {
   };
 }
 
-// src/pipeline/context/parse-body.ts
+// src/pipeline/steps/parse-body.ts
 var import_server = require("next/server");
 
-// src/body.ts
+// src/pipeline/body.ts
 async function bufferBody(request) {
   const text = await request.text();
   if (!text) return void 0;
@@ -616,46 +542,19 @@ function validateBody(parsed, schema) {
   };
 }
 
-// src/pipeline/context/parse-body.ts
-async function parseBody(request, routeEntry) {
-  if (!routeEntry.bodySchema) return { ok: true, data: void 0 };
-  const raw = await bufferBody(request);
-  const result = validateBody(raw, routeEntry.bodySchema);
-  if (result.success) return { ok: true, data: result.data };
-  return {
-    ok: false,
-    response: import_server.NextResponse.json(
-      { success: false, error: result.error, issues: result.issues },
-      { status: 400 }
-    )
-  };
-}
-
-// src/pipeline/context/parse-query.ts
-function parseQuery(request, routeEntry) {
-  if (!routeEntry.querySchema) return void 0;
-  const params = Object.fromEntries(request.nextUrl.searchParams.entries());
-  const result = routeEntry.querySchema.safeParse(params);
-  return result.success ? result.data : params;
-}
-
-// src/pipeline/context/errors.ts
-function errorStatus(error, fallback) {
-  const status = error?.status;
-  return typeof status === "number" ? status : fallback;
+// src/plugin/events.ts
+function fireAuthVerified(ctx, event) {
+  firePluginHook(ctx.deps.plugin, "onAuthVerified", ctx.pluginCtx, {
+    ...event,
+    route: ctx.routeEntry.key
+  });
 }
-function errorMessage(error, fallback) {
-  return error instanceof Error ? error.message : fallback;
+function firePaymentVerified(ctx, event) {
+  firePluginHook(ctx.deps.plugin, "onPaymentVerified", ctx.pluginCtx, event);
 }
-function handlerFailureError(response) {
-  const message = response.statusText || `Handler returned HTTP ${response.status}`;
-  return Object.assign(new Error(message), { status: response.status });
+function firePaymentSettled(ctx, event) {
+  firePluginHook(ctx.deps.plugin, "onPaymentSettled", ctx.pluginCtx, event);
 }
-
-// src/pipeline/context/fail.ts
-var import_server2 = require("next/server");
-
-// src/pipeline/context/fire-plugin-response.ts
 function firePluginResponse(ctx, response, requestBody, responseBody) {
   firePluginHook(ctx.deps.plugin, "onResponse", ctx.pluginCtx, {
     statusCode: response.status,
@@ -674,15 +573,72 @@ function firePluginResponse(ctx, response, requestBody, responseBody) {
     });
   }
 }
+function fireProviderQuota(ctx, response, handlerResult) {
+  const { providerName, providerConfig } = ctx.routeEntry;
+  if (!providerName || !providerConfig?.extractQuota) return;
+  if (response.status >= 400) return;
+  try {
+    const quota = providerConfig.extractQuota(handlerResult, response.headers);
+    if (!quota) return;
+    const level = computeQuotaLevel(quota.remaining, providerConfig.warn, providerConfig.critical);
+    const overage = providerConfig.overage ?? "same-rate";
+    const event = {
+      provider: providerName,
+      route: ctx.routeEntry.key,
+      remaining: quota.remaining,
+      limit: quota.limit,
+      spend: quota.spend,
+      level,
+      overage,
+      message: quota.remaining !== null ? `${providerName}: ${quota.remaining}${quota.limit ? `/${quota.limit}` : ""} remaining` : `${providerName}: quota info unavailable`
+    };
+    firePluginHook(ctx.deps.plugin, "onProviderQuota", ctx.pluginCtx, event);
+  } catch {
+  }
+}
+function computeQuotaLevel(remaining, warn, critical) {
+  if (remaining === null) return "healthy";
+  if (critical !== void 0 && remaining <= critical) return "critical";
+  if (warn !== void 0 && remaining <= warn) return "warn";
+  return "healthy";
+}
+
+// src/pipeline/steps/parse-body.ts
+async function parseBody(ctx, request = ctx.request) {
+  if (!ctx.routeEntry.bodySchema) return { ok: true, data: void 0 };
+  const raw = await bufferBody(request);
+  const result = validateBody(raw, ctx.routeEntry.bodySchema);
+  if (result.success) return { ok: true, data: result.data };
+  const response = import_server.NextResponse.json(
+    { success: false, error: result.error, issues: result.issues },
+    { status: 400 }
+  );
+  firePluginResponse(ctx, response);
+  return { ok: false, response };
+}
+
+// src/pipeline/steps/errors.ts
+function errorStatus(error, fallback) {
+  const status = error?.status;
+  return typeof status === "number" ? status : fallback;
+}
+function errorMessage(error, fallback) {
+  return error instanceof Error ? error.message : fallback;
+}
+function handlerFailureError(response) {
+  const message = response.statusText || `Handler returned HTTP ${response.status}`;
+  return Object.assign(new Error(message), { status: response.status });
+}
 
-// src/pipeline/context/fail.ts
+// src/pipeline/steps/fail.ts
+var import_server2 = require("next/server");
 function fail(ctx, status, message, requestBody) {
   const response = import_server2.NextResponse.json({ success: false, error: message }, { status });
   firePluginResponse(ctx, response, requestBody);
   return response;
 }
 
-// src/pipeline/context/run-validate.ts
+// src/pipeline/steps/run-validate.ts
 async function runValidate(ctx, body) {
   if (!ctx.routeEntry.validateFn) return null;
   try {
@@ -693,7 +649,7 @@ async function runValidate(ctx, body) {
   }
 }
 
-// src/handler.ts
+// src/pipeline/flows/static/static-invoke.ts
 var import_server3 = require("next/server");
 
 // src/types.ts
@@ -705,23 +661,23 @@ var HttpError = class extends Error {
   }
 };
 
-// src/handler.ts
-async function safeCallHandler(handler, ctx, options = {}) {
-  try {
-    const result = await handler(ctx);
-    if (result instanceof Response) return result;
-    return import_server3.NextResponse.json(result);
-  } catch (error) {
-    options.onError?.(error);
-    const status = error instanceof HttpError ? error.status : typeof error.status === "number" ? error.status : 500;
-    const message = error instanceof Error ? error.message : "Internal error";
-    return import_server3.NextResponse.json({ success: false, error: message }, { status });
-  }
+// src/pipeline/steps/parse-query.ts
+function parseQuery(request, routeEntry) {
+  if (!routeEntry.querySchema) return void 0;
+  const params = Object.fromEntries(request.nextUrl.searchParams.entries());
+  const result = routeEntry.querySchema.safeParse(params);
+  return result.success ? result.data : params;
 }
 
-// src/pipeline/context/invoke.ts
-async function invoke(ctx, wallet, account, body, payment) {
-  const handlerCtx = {
+// src/pipeline/flows/static/static-invoke.ts
+function invokePaidStatic(ctx, wallet, account, body, payment) {
+  return runHandler(ctx, buildHandlerCtx(ctx, wallet, account, body, payment));
+}
+function invokeUnauthed(ctx, wallet, account, body) {
+  return runHandler(ctx, buildHandlerCtx(ctx, wallet, account, body, null));
+}
+function buildHandlerCtx(ctx, wallet, account, body, payment) {
+  return {
     body,
     query: parseQuery(ctx.request, ctx.routeEntry),
     request: ctx.request,
@@ -730,85 +686,71 @@ async function invoke(ctx, wallet, account, body, payment) {
     wallet,
     payment,
     account,
-    alert(level, message, alertMeta) {
-      firePluginHook(ctx.deps.plugin, "onAlert", ctx.pluginCtx, {
-        level,
-        message,
-        route: ctx.routeEntry.key,
-        meta: alertMeta
-      });
-    },
+    alert: ctx.report,
     setVerifiedWallet: (addr) => ctx.pluginCtx.setVerifiedWallet(addr)
   };
-  let rawResult;
-  let handlerError;
-  const response = await safeCallHandler(
-    async (c) => {
-      rawResult = await ctx.handler(c);
-      return rawResult;
-    },
-    handlerCtx,
-    {
-      onError(error) {
-        handlerError = error;
-      }
-    }
-  );
-  return { response, rawResult, handlerError };
 }
-
-// src/pipeline/context/fire-provider-quota.ts
-function fireProviderQuota(ctx, response, handlerResult) {
-  const { providerName, providerConfig } = ctx.routeEntry;
-  if (!providerName || !providerConfig?.extractQuota) return;
-  if (response.status >= 400) return;
+async function runHandler(ctx, handlerCtx) {
+  let returned;
   try {
-    const quota = providerConfig.extractQuota(handlerResult, response.headers);
-    if (!quota) return;
-    const level = computeQuotaLevel(quota.remaining, providerConfig.warn, providerConfig.critical);
-    const overage = providerConfig.overage ?? "same-rate";
-    const event = {
-      provider: providerName,
-      route: ctx.routeEntry.key,
-      remaining: quota.remaining,
-      limit: quota.limit,
-      spend: quota.spend,
-      level,
-      overage,
-      message: quota.remaining !== null ? `${providerName}: ${quota.remaining}${quota.limit ? `/${quota.limit}` : ""} remaining` : `${providerName}: quota info unavailable`
-    };
-    firePluginHook(ctx.deps.plugin, "onProviderQuota", ctx.pluginCtx, event);
-  } catch {
+    returned = ctx.handler(handlerCtx);
+  } catch (error) {
+    return errorResult(error);
+  }
+  if (isAsyncIterable(returned) && !isThenable(returned)) {
+    return errorResult(
+      new HttpError(
+        `route '${ctx.routeEntry.key}': streaming handlers require .paid({ dynamic: true })`,
+        500
+      )
+    );
+  }
+  let rawResult;
+  try {
+    rawResult = await returned;
+  } catch (error) {
+    return errorResult(error);
   }
+  const response = rawResult instanceof Response ? rawResult : import_server3.NextResponse.json(rawResult);
+  return { response, rawResult };
 }
-function computeQuotaLevel(remaining, warn, critical) {
-  if (remaining === null) return "healthy";
-  if (critical !== void 0 && remaining <= critical) return "critical";
-  if (warn !== void 0 && remaining <= warn) return "warn";
-  return "healthy";
+function errorResult(error) {
+  const status = error instanceof HttpError ? error.status : typeof error?.status === "number" ? error.status : 500;
+  const message = error instanceof Error ? error.message : "Internal error";
+  return {
+    response: import_server3.NextResponse.json({ success: false, error: message }, { status }),
+    rawResult: void 0,
+    handlerError: error
+  };
+}
+function isAsyncIterable(value) {
+  return value != null && typeof value === "object" && Symbol.asyncIterator in value;
+}
+function isThenable(value) {
+  return value != null && (typeof value === "object" || typeof value === "function") && typeof value.then === "function";
 }
 
-// src/pipeline/context/finalize.ts
+// src/pipeline/steps/finalize/response.ts
 function finalize(ctx, response, rawResult, requestBody) {
   fireProviderQuota(ctx, response, rawResult);
   firePluginResponse(ctx, response, requestBody, rawResult);
   return response;
 }
 
-// src/pipeline/context/run-handler-only.ts
-async function runHandlerOnly(ctx, wallet, account) {
-  const body = await parseBody(ctx.request, ctx.routeEntry);
-  if (!body.ok) {
-    firePluginResponse(ctx, body.response);
-    return body.response;
+// src/pipeline/steps/grant-entitlement.ts
+async function grantEntitlementIfSiwx(ctx, wallet) {
+  if (!ctx.routeEntry.siwxEnabled) return;
+  try {
+    await ctx.deps.entitlementStore.grant(ctx.routeEntry.key, wallet);
+  } catch (error) {
+    ctx.report(
+      "warn",
+      `Entitlement grant failed: ${error instanceof Error ? error.message : String(error)}`
+    );
   }
-  const validateErr = await runValidate(ctx, body.data);
-  if (validateErr) return validateErr;
-  const result = await invoke(ctx, wallet, account, body.data, null);
-  return finalize(ctx, result.response, result.rawResult, body.data);
 }
 
-// src/pipeline/context/settlement-context.ts
+// src/pipeline/steps/settlement-context.ts
 function settlementContext(ctx, scope) {
   return {
     route: ctx.routeEntry.key,
@@ -822,24 +764,7 @@ function settlementContext(ctx, scope) {
   };
 }
 
-// src/pipeline/context/run-before-settle.ts
-async function runBeforeSettle(ctx, scope) {
-  const hook = ctx.routeEntry.settlement?.beforeSettle;
-  if (!hook) return null;
-  try {
-    await hook(settlementContext(ctx, scope));
-    return null;
-  } catch (error) {
-    return fail(
-      ctx,
-      errorStatus(error, 500),
-      errorMessage(error, "Pre-settlement validation failed"),
-      scope.body
-    );
-  }
-}
-
-// src/pipeline/context/run-settlement-error.ts
+// src/pipeline/steps/run-settlement-error.ts
 async function runSettlementError(ctx, scope, error, phase) {
   const hook = ctx.routeEntry.settlement?.onSettlementError;
   if (!hook) return;
@@ -847,16 +772,11 @@ async function runSettlementError(ctx, scope, error, phase) {
     await hook({ ...settlementContext(ctx, scope), error, phase });
   } catch (hookError) {
     const message = errorMessage(hookError, "Settlement error hook failed");
-    console.error(`[router] ${ctx.routeEntry.key}: onSettlementError failed: ${message}`);
-    firePluginHook(ctx.deps.plugin, "onAlert", ctx.pluginCtx, {
-      level: "error",
-      message: `Settlement error hook failed: ${message}`,
-      route: ctx.routeEntry.key
-    });
+    ctx.report("error", `Settlement error hook failed: ${message}`);
   }
 }
 
-// src/pipeline/context/run-after-settle.ts
+// src/pipeline/steps/run-after-settle.ts
 async function runAfterSettle(ctx, scope) {
   const hook = ctx.routeEntry.settlement?.afterSettle;
   if (!hook) return;
@@ -864,81 +784,145 @@ async function runAfterSettle(ctx, scope) {
     await hook(settlementContext(ctx, scope));
   } catch (error) {
     const message = errorMessage(error, "Post-settlement hook failed");
-    console.error(`[router] ${ctx.routeEntry.key}: afterSettle failed: ${message}`);
-    firePluginHook(ctx.deps.plugin, "onAlert", ctx.pluginCtx, {
-      level: "error",
-      message: `Post-settlement hook failed: ${message}`,
-      route: ctx.routeEntry.key
-    });
+    ctx.report("error", `Post-settlement hook failed: ${message}`);
     await runSettlementError(ctx, scope, error, "afterSettle");
   }
 }
 
-// src/pipeline/context/run-settled-handler-error.ts
-async function runSettledHandlerError(ctx, scope, error = scope.handlerError ?? handlerFailureError(scope.response)) {
-  const hook = ctx.routeEntry.settlement?.onSettledHandlerError;
-  if (!hook) return;
-  try {
-    await hook({ ...settlementContext(ctx, scope), error });
-  } catch (hookError) {
-    const message = errorMessage(hookError, "Settled handler error hook failed");
-    console.error(`[router] ${ctx.routeEntry.key}: onSettledHandlerError failed: ${message}`);
-    firePluginHook(ctx.deps.plugin, "onAlert", ctx.pluginCtx, {
-      level: "error",
-      message: `Settled handler error hook failed: ${message}`,
-      route: ctx.routeEntry.key
-    });
-  }
-}
-
-// src/pipeline/context/grant-entitlement.ts
-async function grantEntitlementIfSiwx(ctx, wallet) {
-  if (!ctx.routeEntry.siwxEnabled) return;
-  try {
-    await ctx.deps.entitlementStore.grant(ctx.routeEntry.key, wallet);
-  } catch (error) {
-    firePluginHook(ctx.deps.plugin, "onAlert", ctx.pluginCtx, {
-      level: "warn",
-      message: `Entitlement grant failed: ${error instanceof Error ? error.message : String(error)}`,
-      route: ctx.routeEntry.key
-    });
-  }
+// src/pipeline/steps/finalize/epilogue.ts
+async function runPostSettleEpilogue(args) {
+  const { ctx, strategy, wallet, settle, afterSettleScope, rawResult, body } = args;
+  await grantEntitlementIfSiwx(ctx, wallet);
+  firePaymentSettled(ctx, {
+    protocol: strategy.protocol,
+    payer: wallet,
+    transaction: settle.settledPayment.transaction ?? "",
+    network: settle.settledPayment.network
+  });
+  await runAfterSettle(ctx, afterSettleScope);
+  return finalize(ctx, settle.response, rawResult, body);
 }
 
-// src/pipeline/context/settle-and-finalize.ts
-async function settleAndFinalize(args) {
-  const { ctx, strategy, verifyOutcome, scope, rawResult, body, onSettleError } = args;
-  const { request, routeEntry, deps } = ctx;
+// src/pipeline/steps/finalize/request.ts
+async function settleAndFinalizeRequest(args) {
+  const { ctx, strategy, verifyOutcome, scope, rawResult, body, billedAmount, onSettleError } = args;
+  const { request, routeEntry, deps, report } = ctx;
   const settle = await strategy.settle({
     request,
     response: scope.response,
     payment: verifyOutcome.payment,
     token: verifyOutcome.token,
     routeEntry,
-    deps
+    deps,
+    billedAmount,
+    report
   });
   if (!settle.ok) {
     if (onSettleError) await onSettleError(settle.error, settle.failMessage);
     return fail(ctx, settle.failStatus ?? 500, settle.failMessage, body);
   }
-  await grantEntitlementIfSiwx(ctx, verifyOutcome.wallet);
-  firePluginHook(deps.plugin, "onPaymentSettled", ctx.pluginCtx, {
-    protocol: strategy.protocol,
-    payer: verifyOutcome.wallet,
-    transaction: settle.settledPayment.transaction ?? "",
-    network: settle.settledPayment.network
-  });
-  await runAfterSettle(ctx, {
-    ...scope,
-    payment: settle.settledPayment,
-    response: settle.response
+  return runPostSettleEpilogue({
+    ctx,
+    strategy,
+    wallet: verifyOutcome.wallet,
+    settle,
+    afterSettleScope: {
+      ...scope,
+      payment: settle.settledPayment,
+      response: settle.response
+    },
+    rawResult,
+    body
   });
-  return finalize(ctx, settle.response, rawResult, body);
+}
+
+// src/pipeline/steps/finalize/stream.ts
+async function settleAndFinalizeStream(args) {
+  const { ctx, strategy, verifyOutcome, source, account, body, bindChannelCharge } = args;
+  const { request, routeEntry, deps, report } = ctx;
+  if (!strategy.settleStream) {
+    return fail(ctx, 500, `${strategy.protocol} does not support streaming handlers`, body);
+  }
+  const settle = await strategy.settleStream({
+    request,
+    source,
+    payment: verifyOutcome.payment,
+    token: verifyOutcome.token,
+    routeEntry,
+    deps,
+    bindChannelCharge,
+    report
+  });
+  if (!settle.ok) {
+    return fail(ctx, settle.failStatus ?? 500, settle.failMessage, body);
+  }
+  return runPostSettleEpilogue({
+    ctx,
+    strategy,
+    wallet: verifyOutcome.wallet,
+    settle,
+    afterSettleScope: {
+      wallet: verifyOutcome.wallet,
+      account,
+      body,
+      payment: settle.settledPayment,
+      response: settle.response,
+      rawResult: void 0
+    },
+    rawResult: void 0,
+    body
+  });
+}
+
+// src/pipeline/steps/run-handler-only.ts
+async function runHandlerOnly(ctx, wallet, account) {
+  const body = await parseBody(ctx);
+  if (!body.ok) return body.response;
+  const validateErr = await runValidate(ctx, body.data);
+  if (validateErr) return validateErr;
+  const result = await invokeUnauthed(ctx, wallet, account, body.data);
+  return finalize(ctx, result.response, result.rawResult, body.data);
+}
+
+// src/pipeline/steps/run-before-settle.ts
+async function runBeforeSettle(ctx, scope) {
+  const hook = ctx.routeEntry.settlement?.beforeSettle;
+  if (!hook) return null;
+  try {
+    await hook(settlementContext(ctx, scope));
+    return null;
+  } catch (error) {
+    return fail(
+      ctx,
+      errorStatus(error, 500),
+      errorMessage(error, "Pre-settlement validation failed"),
+      scope.body
+    );
+  }
+}
+
+// src/pipeline/steps/run-settled-handler-error.ts
+async function runSettledHandlerError(ctx, scope, error = scope.handlerError ?? handlerFailureError(scope.response)) {
+  const hook = ctx.routeEntry.settlement?.onSettledHandlerError;
+  if (!hook) return;
+  try {
+    await hook({ ...settlementContext(ctx, scope), error });
+  } catch (hookError) {
+    const message = errorMessage(hookError, "Settled handler error hook failed");
+    ctx.report("error", `Settled handler error hook failed: ${message}`);
+  }
 }
 
 // src/auth/normalize-wallet.ts
 function normalizeWalletAddress(address) {
-  return /^0x/i.test(address) ? address.toLowerCase() : address;
+  const isEvm = /^0x/i.test(address);
+  return isEvm ? normalizeEvmWalletAddress(address) : normalizeSolanaWalletAddress(address);
+}
+function normalizeEvmWalletAddress(address) {
+  return address.toLowerCase();
+}
+function normalizeSolanaWalletAddress(address) {
+  return address;
 }
 
 // src/auth/siwx.ts
@@ -991,7 +975,7 @@ async function buildSIWXExtension() {
   return declareSIWxExtension();
 }
 
-// src/pipeline/context/try-siwx-fast-path.ts
+// src/pipeline/steps/try-siwx-fast-path.ts
 async function trySiwxFastPath(ctx, account) {
   const { request, routeEntry, deps } = ctx;
   if (!routeEntry.siwxEnabled) return null;
@@ -1003,35 +987,29 @@ async function trySiwxFastPath(ctx, account) {
   ctx.pluginCtx.setVerifiedWallet(wallet);
   const entitled = await deps.entitlementStore.has(routeEntry.key, wallet);
   if (!entitled) return null;
-  firePluginHook(deps.plugin, "onAuthVerified", ctx.pluginCtx, {
-    authMode: "siwx",
-    wallet,
-    route: routeEntry.key
-  });
+  fireAuthVerified(ctx, { authMode: "siwx", wallet });
   return runHandlerOnly(ctx, wallet, account);
 }
 
-// src/pipeline/context/should-parse-body-early.ts
+// src/pipeline/steps/should-parse-body-early.ts
 function shouldParseBodyEarly(incomingStrategy, routeEntry, pricing) {
   if (incomingStrategy) return false;
   if (!routeEntry.bodySchema) return false;
   return (pricing?.needsBody ?? false) || !!routeEntry.validateFn;
 }
 
-// src/pipeline/context/protocol-init-error.ts
-function protocolInitError(routeEntry, deps) {
-  if (!routeEntry.pricing) return null;
-  const errors = [];
-  for (const protocol of routeEntry.protocols) {
-    if (protocol === "x402" && deps.x402InitError) {
-      errors.push(`x402: ${deps.x402InitError}`);
-    }
-    if (protocol === "mpp" && deps.mppInitError) {
-      errors.push(`mpp: ${deps.mppInitError}`);
-    }
-  }
-  if (errors.length === 0) return null;
-  return `Payment protocol initialization failed. ${errors.join("; ")}`;
+// src/pipeline/steps/resolve-early-body.ts
+async function resolveEarlyBody(args) {
+  const { ctx, pricing, incomingStrategy } = args;
+  if (!shouldParseBodyEarly(incomingStrategy, ctx.routeEntry, pricing)) {
+    return { ok: true, earlyBody: void 0 };
+  }
+  const earlyClone = ctx.request.clone();
+  const earlyResult = await parseBody(ctx, earlyClone);
+  if (!earlyResult.ok) return { ok: false, response: earlyResult.response };
+  const validateErr = await runValidate(ctx, earlyResult.data);
+  if (validateErr) return { ok: false, response: validateErr };
+  return { ok: true, earlyBody: earlyResult.data };
 }
 
 // src/auth/api-key.ts
@@ -1052,6 +1030,34 @@ function extractBearerToken(header) {
   return null;
 }
 
+// src/pipeline/steps/run-api-key-gate.ts
+async function runApiKeyGate(ctx) {
+  const { request, routeEntry } = ctx;
+  if (!routeEntry.apiKeyResolver) return { ok: true, account: void 0 };
+  const apiKeyResult = await verifyApiKey(request, routeEntry.apiKeyResolver);
+  if (!apiKeyResult.valid) {
+    return { ok: false, response: fail(ctx, 401, "Invalid or missing API key") };
+  }
+  fireAuthVerified(ctx, { authMode: "apiKey", wallet: null, account: apiKeyResult.account });
+  return { ok: true, account: apiKeyResult.account };
+}
+
+// src/pipeline/steps/protocol-init-error.ts
+function protocolInitError(routeEntry, deps) {
+  if (!routeEntry.pricing) return null;
+  const errors = [];
+  for (const protocol of routeEntry.protocols) {
+    if (protocol === "x402" && deps.x402InitError) {
+      errors.push(`x402: ${deps.x402InitError}`);
+    }
+    if (protocol === "mpp" && deps.mppInitError) {
+      errors.push(`mpp: ${deps.mppInitError}`);
+    }
+  }
+  if (errors.length === 0) return null;
+  return `Payment protocol initialization failed. ${errors.join("; ")}`;
+}
+
 // src/pipeline/flows/api-key-only.ts
 async function runApiKeyOnlyFlow(ctx) {
   if (!ctx.routeEntry.apiKeyResolver) {
@@ -1059,12 +1065,7 @@ async function runApiKeyOnlyFlow(ctx) {
   }
   const result = await verifyApiKey(ctx.request, ctx.routeEntry.apiKeyResolver);
   if (!result.valid) return fail(ctx, 401, "Invalid or missing API key");
-  firePluginHook(ctx.deps.plugin, "onAuthVerified", ctx.pluginCtx, {
-    authMode: "apiKey",
-    wallet: null,
-    route: ctx.routeEntry.key,
-    account: result.account
-  });
+  fireAuthVerified(ctx, { authMode: "apiKey", wallet: null, account: result.account });
   return runHandlerOnly(ctx, null, result.account);
 }
 
@@ -1221,13 +1222,22 @@ function selectPricing(raw, deps = {}) {
 // src/protocols/mpp/credential.ts
 var import_mppx = require("mppx");
 var import_viem = require("viem");
+var SESSION_ACTIONS = /* @__PURE__ */ new Set(["open", "topUp", "voucher", "close"]);
 function readMppCredential(request) {
   const credential = import_mppx.Credential.fromRequest(request);
   if (!credential) return null;
   const wallet = walletFromDid(credential.source ?? "");
-  const rawType = credential.payload?.type;
+  const payload = credential.payload;
+  const rawType = payload?.type;
   const payloadType = rawType === "transaction" ? "transaction" : rawType === "hash" ? "hash" : "unknown";
-  return { credential, wallet, payloadType };
+  const rawAction = payload?.action;
+  const sessionAction = typeof rawAction === "string" && SESSION_ACTIONS.has(rawAction) ? rawAction : void 0;
+  return {
+    credential,
+    wallet,
+    payloadType,
+    ...sessionAction ? { sessionAction } : {}
+  };
 }
 function walletFromDid(rawSource) {
   const parts = rawSource.split(":");
@@ -1235,6 +1245,168 @@ function walletFromDid(rawSource) {
   return normalizeWalletAddress((0, import_viem.isAddress)(last) ? (0, import_viem.getAddress)(last) : rawSource);
 }
 
+// src/protocols/mpp/session-mode.ts
+async function verifySessionMode(args, info) {
+  const { request, deps, price, routeEntry } = args;
+  if (!deps.mppx?.sessionRequest || !deps.mppx?.sessionStream || !deps.mppSessionConfig) {
+    return {
+      ok: false,
+      kind: "config",
+      message: "MPP sessions not configured on this server (set RouterConfig.mpp.session)"
+    };
+  }
+  const tickCost = routeEntry.tickCost;
+  const unitType = routeEntry.unitType;
+  const streaming = routeEntry.streaming === true;
+  const middleware = streaming ? deps.mppx.sessionStream : deps.mppx.sessionRequest;
+  const middlewareRequest = isChannelOnlyAction(info, request) ? new Request(request.url, { method: request.method, headers: request.headers }) : request;
+  let result;
+  try {
+    result = await middleware({
+      amount: tickCost,
+      unitType,
+      suggestedDeposit: price,
+      ...streaming ? { meta: { streaming: "true" } } : {}
+    })(middlewareRequest);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      kind: "config",
+      message: `MPP session verify failed: ${message}`
+    };
+  }
+  if (result.status === 402) {
+    const failure = await readMppxProblemDetails(result.challenge);
+    return { ok: false, kind: "invalid", failure };
+  }
+  const mppRecipient = deps.mppRecipient ?? deps.payeeAddress;
+  const payment = {
+    protocol: "mpp",
+    status: "verified",
+    payer: info.wallet,
+    amount: price,
+    network: "tempo:4217",
+    ...mppRecipient ? { recipient: mppRecipient } : {}
+  };
+  const token = {
+    mode: "session",
+    streaming,
+    sessionResult: result,
+    info,
+    tickCost
+  };
+  return {
+    ok: true,
+    wallet: info.wallet,
+    payment,
+    token,
+    alreadySettled: false
+  };
+}
+async function settleSessionMode(args) {
+  const { request, response, payment, token, billedAmount } = args;
+  const sessionToken = token;
+  if (isChannelOnlyAction(sessionToken.info, request)) {
+    const wrapped2 = sessionToken.sessionResult.withReceipt(
+      new Response(null, { status: 200 })
+    );
+    return {
+      ok: true,
+      response: wrapped2,
+      settledPayment: { ...payment, status: "settled", amount: billedAmount }
+    };
+  }
+  if (sessionToken.streaming) {
+    return {
+      ok: false,
+      error: new Error("streaming session content settled via request path"),
+      failMessage: "streaming session content settled via request path",
+      failStatus: 500
+    };
+  }
+  const wrapped = sessionToken.sessionResult.withReceipt(
+    response
+  );
+  wrapped.headers.set("Cache-Control", "private");
+  const receiptHeader = wrapped.headers.get(HEADERS.MPP_PAYMENT_RECEIPT) ?? void 0;
+  const settledPayment = {
+    ...payment,
+    status: "settled",
+    amount: billedAmount,
+    ...receiptHeader ? { receipt: receiptHeader } : {}
+  };
+  return { ok: true, response: wrapped, settledPayment };
+}
+async function buildSessionChallenge(args) {
+  const { request, deps, suggestedDeposit, routeEntry, report } = args;
+  if (!deps.mppSessionConfig) return {};
+  const streaming = routeEntry.streaming === true;
+  const middleware = streaming ? deps.mppx?.sessionStream : deps.mppx?.sessionRequest;
+  if (!middleware) return {};
+  const tickCost = routeEntry.tickCost;
+  const unitType = routeEntry.unitType;
+  try {
+    const result = await middleware({
+      amount: tickCost,
+      unitType,
+      suggestedDeposit,
+      ...streaming ? { meta: { streaming: "true" } } : {}
+    })(request);
+    if (result.status === 402) {
+      const wwwAuth = result.challenge.headers.get(HEADERS.WWW_AUTHENTICATE);
+      if (wwwAuth) return { headers: { [HEADERS.WWW_AUTHENTICATE]: wwwAuth } };
+    }
+  } catch (err) {
+    report(
+      "warn",
+      `MPP session challenge build failed: ${err instanceof Error ? err.message : String(err)}`
+    );
+    throw err;
+  }
+  return {};
+}
+function isChannelOnlyAction(info, request) {
+  const action = info.sessionAction;
+  if (!action) return false;
+  if (action === "close" || action === "topUp") return true;
+  if ((action === "open" || action === "voucher") && !hasRequestBody(request)) return true;
+  return false;
+}
+async function readMppxProblemDetails(challenge) {
+  let body;
+  try {
+    body = await challenge.clone().text();
+  } catch {
+    return { reason: "mpp_session_invalid" };
+  }
+  if (!body) return { reason: "mpp_session_invalid" };
+  let parsed;
+  try {
+    parsed = JSON.parse(body);
+  } catch {
+    return { reason: "mpp_session_invalid", message: body.slice(0, 500) };
+  }
+  if (!parsed || typeof parsed !== "object") {
+    return { reason: "mpp_session_invalid" };
+  }
+  const details = parsed;
+  const typeUri = typeof details.type === "string" ? details.type : void 0;
+  const slug = typeUri ? typeUri.split("/").pop() : void 0;
+  const reason = slug ? slug.replace(/-/g, "_") : "mpp_session_invalid";
+  const message = typeof details.detail === "string" && details.detail.length > 0 ? details.detail : typeof details.title === "string" ? details.title : void 0;
+  return message ? { reason, message } : { reason };
+}
+function hasRequestBody(request) {
+  const cl = request.headers.get("content-length");
+  if (cl !== null) {
+    const n = Number.parseInt(cl.trim(), 10);
+    return Number.isFinite(n) && n > 0;
+  }
+  if (request.headers.get("transfer-encoding") !== null) return true;
+  return false;
+}
+
 // src/protocols/mpp/transaction-mode.ts
 var import_tempo = require("viem/tempo");
 var import_actions = require("viem/actions");
@@ -1262,7 +1434,7 @@ async function readChallengeReason(challenge) {
 
 // src/protocols/mpp/transaction-mode.ts
 async function verifyTxMode(args, info) {
-  const { deps, price, routeEntry } = args;
+  const { deps, price, report } = args;
   if (!deps.tempoClient) {
     return {
       ok: false,
@@ -1280,7 +1452,7 @@ async function verifyTxMode(args, info) {
     });
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
-    console.warn(`[router] ${routeEntry.key}: MPP simulation failed \u2014 ${message}`);
+    report("warn", `MPP simulation failed: ${message}`);
     return { ok: false, kind: "invalid" };
   }
   const mppRecipient = deps.mppRecipient ?? deps.payeeAddress;
@@ -1301,7 +1473,7 @@ async function verifyTxMode(args, info) {
   };
 }
 async function settleTxMode(args) {
-  const { request, response, payment, deps, routeEntry } = args;
+  const { request, response, payment, deps, report } = args;
   if (!deps.mppx) {
     return {
       ok: false,
@@ -1315,7 +1487,7 @@ async function settleTxMode(args) {
     result = await deps.mppx.charge({ amount: payment.amount })(request);
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
-    console.error(`[router] ${routeEntry.key}: MPP broadcast failed after handler: ${message}`);
+    report("error", `MPP broadcast failed after handler: ${message}`);
     return {
       ok: false,
       error: err,
@@ -1332,7 +1504,7 @@ async function settleTxMode(args) {
       mppResult: result,
       challenge: result.challenge
     });
-    console.error(`[router] ${routeEntry.key}: MPP payment failed after handler \u2014 ${detail}`);
+    report("error", `MPP payment failed after handler: ${detail}`);
     return {
       ok: false,
       error: settlementError,
@@ -1355,10 +1527,10 @@ async function settleTxMode(args) {
 
 // src/protocols/mpp/hash-mode.ts
 async function verifyHashMode(args, info) {
-  const { deps, price, routeEntry, request } = args;
+  const { deps, price, request, report } = args;
   if (!deps.mppx) {
     const reason = deps.mppInitError ? `MPP initialization failed: ${deps.mppInitError}` : "MPP not initialized \u2014 ensure mppx is installed and mpp config (secretKey, currency, recipient) is correct";
-    console.error(`[router] ${routeEntry.key}: ${reason}`);
+    report("error", reason);
     return { ok: false, kind: "config", message: reason };
   }
   let chargeResult;
@@ -1366,13 +1538,13 @@ async function verifyHashMode(args, info) {
     chargeResult = await deps.mppx.charge({ amount: price })(request);
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
-    console.error(`[router] ${routeEntry.key}: MPP charge failed: ${message}`);
+    report("error", `MPP charge failed: ${message}`);
     return { ok: false, kind: "config", message: `MPP payment processing failed: ${message}` };
   }
   if (chargeResult.status === 402) {
     const reason = await readChallengeReason(chargeResult.challenge);
     const detail = reason || "credential may be invalid, or check TEMPO_RPC_URL configuration";
-    console.warn(`[router] ${routeEntry.key}: MPP credential rejected \u2014 ${detail}`);
+    report("warn", `MPP credential rejected: ${detail}`);
     return { ok: false, kind: "invalid" };
   }
   const receiptHeader = chargeResult.withReceipt(new Response()).headers.get(
@@ -1417,9 +1589,20 @@ var mppStrategy = {
     const auth = request.headers.get(HEADERS.AUTHORIZATION);
     return Boolean(auth && auth.startsWith(AUTH_SCHEME.MPP_PAYMENT));
   },
+  preflight(request, _routeEntry) {
+    const info = readMppCredential(request);
+    if (!info?.sessionAction) return null;
+    if (!isChannelOnlyAction(info, request)) return null;
+    return { skipBody: true, skipHandler: true };
+  },
   async verify(args) {
     const info = readMppCredential(args.request);
     if (!info) return { ok: false, kind: "invalid" };
+    if (args.routeEntry.dynamicPrice) {
+      if (!info.sessionAction) return { ok: false, kind: "invalid" };
+      return verifySessionMode(args, info);
+    }
+    if (info.sessionAction) return { ok: false, kind: "invalid" };
     if (info.payloadType === "transaction" && args.deps.tempoClient) {
       return verifyTxMode(args, info);
     }
@@ -1427,28 +1610,88 @@ var mppStrategy = {
   },
   async settle(args) {
     const token = args.token;
+    if (token.mode === "session") return settleSessionMode(args);
     if (token.mode === "transaction") return settleTxMode(args);
     return settleHashMode(args);
   },
+  async settleStream(args) {
+    const token = args.token;
+    if (token.mode !== "session" || !token.streaming) {
+      return {
+        ok: false,
+        error: new Error("streaming requires a streaming-mode MPP session credential"),
+        failMessage: "streaming requires a streaming-mode MPP session credential",
+        failStatus: 400
+      };
+    }
+    const sessionToken = token;
+    const sseResult = sessionToken.sessionResult;
+    const { bindChannelCharge, source: handlerStream } = args;
+    async function* forwardHandlerStreamWithChannelDebit(channel) {
+      bindChannelCharge(channel.charge);
+      try {
+        for await (const chunk of handlerStream) {
+          yield typeof chunk === "string" ? chunk : JSON.stringify(chunk);
+        }
+      } finally {
+        bindChannelCharge(null);
+      }
+    }
+    const sse = sseResult.withReceipt(forwardHandlerStreamWithChannelDebit);
+    sse.headers.set("Cache-Control", "private");
+    const settledPayment = {
+      ...args.payment,
+      status: "settled",
+      amount: args.payment.amount
+    };
+    return { ok: true, response: sse, settledPayment };
+  },
   async buildChallenge(args) {
     if (!args.deps.mppx) return {};
-    try {
-      const result = await args.deps.mppx.charge({ amount: args.price })(args.request);
-      if (result.status === 402) {
-        const wwwAuth = result.challenge.headers.get(HEADERS.WWW_AUTHENTICATE);
-        if (wwwAuth) return { headers: { [HEADERS.WWW_AUTHENTICATE]: wwwAuth } };
-      }
-    } catch (err) {
-      console.warn(
-        `[router] MPP challenge build failed: ${err instanceof Error ? err.message : String(err)}`
-      );
-      throw err;
+    const sessionsConfigured = args.deps.mppSessionConfig && (args.deps.mppx.sessionRequest || args.deps.mppx.sessionStream);
+    if (args.routeEntry.dynamicPrice && sessionsConfigured) {
+      const tickCost = args.routeEntry.tickCost;
+      const computedDeposit = tickCost !== void 0 ? multiplyDecimal(tickCost, args.deps.mppSessionConfig.depositMultiplier) : void 0;
+      const suggestedDeposit = args.routeEntry.maxPrice ?? computedDeposit ?? args.price;
+      return buildSessionChallenge({
+        ...args,
+        suggestedDeposit
+      });
     }
-    return {};
+    return buildChargeChallenge(args);
   }
 };
+function multiplyDecimal(decimal, factor) {
+  if (!Number.isFinite(factor) || factor <= 0) return decimal;
+  const [whole, fraction = ""] = decimal.split(".");
+  const scaled = (BigInt(whole + fraction) * BigInt(factor)).toString();
+  const decimals = fraction.length;
+  if (decimals === 0) return scaled;
+  const padded = scaled.padStart(decimals + 1, "0");
+  const intPart = padded.slice(0, padded.length - decimals);
+  const fracPart = padded.slice(padded.length - decimals).replace(/0+$/, "");
+  return fracPart ? `${intPart}.${fracPart}` : intPart;
+}
+async function buildChargeChallenge(args) {
+  if (!args.deps.mppx) return {};
+  try {
+    const result = await args.deps.mppx.charge({ amount: args.price })(args.request);
+    if (result.status === 402) {
+      const wwwAuth = result.challenge.headers.get(HEADERS.WWW_AUTHENTICATE);
+      if (wwwAuth) return { headers: { [HEADERS.WWW_AUTHENTICATE]: wwwAuth } };
+    }
+  } catch (err) {
+    args.report(
+      "warn",
+      `MPP challenge build failed: ${err instanceof Error ? err.message : String(err)}`
+    );
+    throw err;
+  }
+  return {};
+}
 
 // src/protocols/x402/strategy.ts
+var import_evm3 = require("@x402/evm");
 init_accepts();
 
 // src/protocols/x402/challenge.ts
@@ -1458,20 +1701,27 @@ init_solana();
 // src/protocols/x402/requirements.ts
 init_evm();
 init_solana();
-async function buildExpectedRequirements(server, request, price, accepts) {
-  const exactRequirements = await buildExactRequirements(server, request, price, accepts);
+async function buildExpectedRequirements(server, request, price, accepts, report) {
+  const sdkRequirements = await buildSdkHandledRequirements(
+    server,
+    request,
+    price,
+    accepts,
+    report
+  );
   const customRequirements = buildCustomRequirements(price, accepts);
-  return [...exactRequirements, ...customRequirements];
+  return [...sdkRequirements, ...customRequirements];
 }
-async function buildExactRequirements(server, request, price, accepts) {
-  const exactGroups = [
+async function buildSdkHandledRequirements(server, request, price, accepts, report) {
+  const groups = [
     buildEvmExactOptions(accepts, price),
+    buildEvmUptoOptions(accepts, price),
     buildSolanaExactOptions(accepts, price)
   ].filter((options) => options.length > 0);
-  if (exactGroups.length === 0) return [];
+  if (groups.length === 0) return [];
   const requirements = [];
   const failures = [];
-  for (const options of exactGroups) {
+  for (const options of groups) {
     try {
       requirements.push(
         ...await server.buildPaymentRequirementsFromOptions(options, { request })
@@ -1479,21 +1729,31 @@ async function buildExactRequirements(server, request, price, accepts) {
     } catch (error) {
       const err = error instanceof Error ? error : new Error(String(error));
       failures.push(err);
-      if (exactGroups.length === 1) {
+      if (groups.length === 1) {
         throw err;
       }
-      console.warn(
-        `[router] Failed to build x402 exact requirements for ${options[0]?.network}: ${err.message}`
+      report?.(
+        "warn",
+        `Failed to build x402 ${options[0]?.scheme} requirements for ${options[0]?.network}: ${err.message}`
       );
     }
   }
   if (requirements.length > 0) {
     return requirements;
   }
-  throw failures[0] ?? new Error("Failed to build x402 exact requirements");
+  throw failures[0] ?? new Error("Failed to build x402 SDK-handled requirements");
 }
 function buildCustomRequirements(price, accepts) {
-  return accepts.filter((accept) => accept.scheme !== "exact").map((accept) => buildCustomRequirement(price, accept));
+  return accepts.filter((accept) => !isSdkHandled(accept)).map((accept) => buildCustomRequirement(price, accept));
+}
+function isSdkHandled(accept) {
+  if (isEvmNetwork(accept.network)) {
+    return accept.scheme === "exact" || accept.scheme === "upto";
+  }
+  if (isSolanaRequirement({ network: accept.network })) {
+    return accept.scheme === "exact";
+  }
+  return false;
 }
 function buildCustomRequirement(price, accept) {
   if (!accept.asset) {
@@ -1527,7 +1787,7 @@ function decimalToAtomicUnits(amount, decimals) {
 
 // src/protocols/x402/challenge.ts
 async function buildX402Challenge(opts) {
-  const { server, routeEntry, request, price, accepts, facilitatorsByNetwork, extensions } = opts;
+  const { server, routeEntry, request, price, accepts, facilitatorsByNetwork, extensions, report } = opts;
   const { encodePaymentRequiredHeader } = await import("@x402/core/http");
   const resource = buildChallengeResource(request, routeEntry);
   const requirements = await buildChallengeRequirements(
@@ -1536,7 +1796,8 @@ async function buildX402Challenge(opts) {
     price,
     accepts,
     resource,
-    facilitatorsByNetwork
+    facilitatorsByNetwork,
+    report
   );
   const paymentRequired = await server.createPaymentRequiredResponse(
     requirements,
@@ -1547,13 +1808,13 @@ async function buildX402Challenge(opts) {
   const encoded = encodePaymentRequiredHeader(paymentRequired);
   return { encoded, requirements };
 }
-async function buildChallengeRequirements(server, request, price, accepts, resource, facilitatorsByNetwork) {
-  const requirements = await buildExpectedRequirements(server, request, price, accepts);
+async function buildChallengeRequirements(server, request, price, accepts, resource, facilitatorsByNetwork, report) {
+  const requirements = await buildExpectedRequirements(server, request, price, accepts, report);
   if (!needsFacilitatorEnrichment(accepts)) return requirements;
-  return enrichChallengeRequirements(requirements, resource, facilitatorsByNetwork);
+  return enrichChallengeRequirements(requirements, resource, facilitatorsByNetwork, report);
 }
 function needsFacilitatorEnrichment(accepts) {
-  return accepts.some((accept) => accept.scheme !== "exact") || hasSolanaAccepts(accepts);
+  return hasSolanaAccepts(accepts);
 }
 async function enrichGroup(group, resource) {
   const accepted = await enrichRequirementsWithFacilitatorAccepts(
@@ -1568,7 +1829,7 @@ async function enrichGroup(group, resource) {
   }
   return accepted;
 }
-async function enrichChallengeRequirements(requirements, resource, facilitatorsByNetwork) {
+async function enrichChallengeRequirements(requirements, resource, facilitatorsByNetwork, report) {
   const groups = collectEnrichmentGroups(requirements, facilitatorsByNetwork);
   if (groups.length === 0) return requirements;
   const results = await Promise.all(
@@ -1578,8 +1839,9 @@ async function enrichChallengeRequirements(requirements, resource, facilitatorsB
       } catch (err) {
         const label = group.facilitator.url ?? group.facilitator.network;
         const reason = err instanceof Error ? err.message : String(err);
-        console.warn(
-          `[router] ${label} /accepts failed, dropping ${group.items.length} requirement(s): ${reason}`
+        report?.(
+          "warn",
+          `${label} /accepts failed, dropping ${group.items.length} requirement(s): ${reason}`
         );
         return { success: false, group };
       }
@@ -1632,7 +1894,7 @@ function getRequiredFacilitator(requirement, facilitatorsByNetwork) {
   return facilitator;
 }
 function requiresFacilitatorEnrichment(requirement) {
-  return requirement.scheme !== "exact" || isSolanaRequirement(requirement);
+  return isSolanaRequirement(requirement);
 }
 function buildChallengeResource(request, routeEntry) {
   return {
@@ -1644,33 +1906,68 @@ function buildChallengeResource(request, routeEntry) {
 }
 
 // src/protocols/x402/settle.ts
-async function settleX402Payment(server, payload, requirements) {
+async function settleX402Payment(server, payload, requirements, amountOverride) {
   const { encodePaymentResponseHeader } = await import("@x402/core/http");
+  if (amountOverride?.amount !== void 0) {
+    const upstreamTaggedAmount = tagBareDecimalAsDollars(amountOverride.amount);
+    const result2 = await server.settlePayment(payload, requirements, void 0, void 0, {
+      amount: upstreamTaggedAmount
+    });
+    return {
+      encoded: encodePaymentResponseHeader(result2),
+      result: result2
+    };
+  }
   const result = await server.settlePayment(payload, requirements);
-  const encoded = encodePaymentResponseHeader(result);
-  return { encoded, result };
+  return {
+    encoded: encodePaymentResponseHeader(result),
+    result
+  };
+}
+function tagBareDecimalAsDollars(amount) {
+  if (/^\d+\.\d+$/.test(amount)) return `$${amount}`;
+  return amount;
 }
 
 // src/protocols/x402/verify.ts
+var import_types2 = require("@x402/core/types");
 async function verifyX402Payment(opts) {
-  const { server, request, price, accepts } = opts;
+  const { server, request, price, accepts, report } = opts;
   const payload = await readPaymentPayload(request);
   if (!payload) return null;
-  const requirements = await buildExpectedRequirements(server, request, price, accepts);
+  const requirements = await buildExpectedRequirements(server, request, price, accepts, report);
   const matching = findVerifiableRequirements(server, requirements, payload);
+  const accepted = payload.x402Version === 2 ? payload.accepted : void 0;
   if (!matching) {
-    return invalidPaymentVerification();
+    return invalidPaymentVerification({
+      reason: "requirements_mismatch",
+      message: "Signed payment requirements did not match any server-built requirement",
+      ...accepted ? { accepted } : {}
+    });
   }
   let verify;
   try {
     verify = await server.verifyPayment(payload, matching);
   } catch (err) {
-    const sc = err.statusCode;
-    if (sc && sc >= 400 && sc < 500) return invalidPaymentVerification();
+    if (err instanceof import_types2.VerifyError && err.statusCode >= 400 && err.statusCode < 500) {
+      return invalidPaymentVerification({
+        reason: err.invalidReason ?? "verify_error",
+        ...err.invalidMessage ? { message: err.invalidMessage } : {},
+        ...err.payer ? { payer: err.payer } : {},
+        ...accepted ? { accepted } : {}
+      });
+    }
     throw err;
   }
-  if (!verify.isValid) return invalidPaymentVerification();
-  if (typeof verify.payer !== "string" || verify.payer.length === 0) {
+  if (!verify.isValid) {
+    return invalidPaymentVerification({
+      reason: verify.invalidReason ?? "unknown",
+      ...verify.invalidMessage ? { message: verify.invalidMessage } : {},
+      ...verify.payer ? { payer: verify.payer } : {},
+      ...accepted ? { accepted } : {}
+    });
+  }
+  if (!verify.payer) {
     throw new Error("x402 verification succeeded without a payer address");
   }
   return {
@@ -1702,11 +1999,36 @@ async function readPaymentPayload(request) {
   const { decodePaymentSignatureHeader } = await import("@x402/core/http");
   return decodePaymentSignatureHeader(paymentHeader);
 }
-function invalidPaymentVerification() {
-  return { valid: false, payload: null, requirements: null, payer: null };
+function invalidPaymentVerification(failure) {
+  return {
+    valid: false,
+    payload: null,
+    requirements: null,
+    payer: null,
+    ...failure ? { failure } : {}
+  };
 }
 
 // src/protocols/x402/strategy.ts
+function formatVerifyFailureMessage(failure) {
+  if (failure.reason === "permit2_allowance_required") {
+    const wallet = failure.payer ?? "<the payer wallet>";
+    const asset = failure.accepted?.asset ?? "<the asset>";
+    const amount = failure.accepted?.amount ?? "<the required amount>";
+    const network = failure.accepted?.network ?? "<the payment network>";
+    return [
+      `Payment rejected: In order for Upto to charge, the wallet ${wallet} MUST approve Permit2 to spend ${asset} on ${network}.`,
+      `Required call (one-time, on-chain): ${asset}.approve(${import_evm3.PERMIT2_ADDRESS}, MAX_UINT256) from ${wallet}.`,
+      `Permit2 contract address: ${import_evm3.PERMIT2_ADDRESS}.`,
+      `Minimum allowance for this request: ${amount} (smallest units of ${asset}); use MAX_UINT256 to avoid re-approving on every future call.`,
+      `Alternative without an on-chain transaction: the merchant can adopt the EIP-2612 gas-sponsoring extension (https://docs.x402.org/extensions/eip2612-gas-sponsoring).`
+    ].join(" ");
+  }
+  if (failure.message) {
+    return `Payment rejected (${failure.reason}): ${failure.message}`;
+  }
+  return `Payment rejected: ${failure.reason}`;
+}
 var x402Strategy = {
   protocol: "x402",
   detects(request) {
@@ -1714,129 +2036,123 @@ var x402Strategy = {
       request.headers.get(HEADERS.X402_PAYMENT_SIGNATURE) ?? request.headers.get(HEADERS.X402_PAYMENT_LEGACY)
     );
   },
-  async verify(args) {
-    const { request, body, price, routeEntry, deps } = args;
-    if (!deps.x402Server) {
-      const reason = deps.x402InitError ? `x402 facilitator initialization failed: ${deps.x402InitError}` : "x402 server not initialized \u2014 ensure @x402/core, @x402/evm, and @coinbase/x402 are installed";
-      console.error(`[router] ${routeEntry.key}: ${reason}`);
-      return { ok: false, kind: "config", message: reason };
-    }
-    const accepts = await resolveX402Accepts(
-      request,
-      routeEntry,
-      deps.x402Accepts,
-      deps.payeeAddress,
-      body
-    );
-    const verifyResult = await verifyX402Payment({
-      server: deps.x402Server,
-      request,
-      price,
-      accepts
-    });
-    if (!verifyResult?.valid) return { ok: false, kind: "invalid" };
-    const wallet = normalizeWalletAddress(verifyResult.payer);
-    const matchedNetwork = getRequirementNetwork(verifyResult.requirements, deps.network);
-    const matchedRecipient = getRequirementRecipient(verifyResult.requirements);
-    const payment = {
-      protocol: "x402",
-      status: "verified",
-      payer: wallet,
-      amount: price,
-      network: matchedNetwork,
-      ...matchedRecipient ? { recipient: matchedRecipient } : {}
-    };
-    return {
-      ok: true,
-      wallet,
-      payment,
-      token: {
-        payload: verifyResult.payload,
-        requirements: verifyResult.requirements
-      }
-    };
-  },
-  async settle(args) {
-    const { response, payment, token, deps } = args;
-    const x402Token = token;
-    try {
-      const settle = await settleX402Payment(
-        deps.x402Server,
-        x402Token.payload,
-        x402Token.requirements
-      );
-      if (!settle.result?.success) {
-        const reason = settle.result?.errorReason || "x402 settlement returned success=false";
-        const error = new Error(reason);
-        error.errorReason = reason;
-        throw error;
-      }
-      response.headers.set(HEADERS.X402_PAYMENT_RESPONSE, settle.encoded);
-      response.headers.set("Cache-Control", "private");
-      const transaction = String(settle.result?.transaction ?? "");
-      const settledPayment = {
-        ...payment,
-        status: "settled",
-        ...transaction ? { transaction } : {}
+  verify: (args) => verifyX402(args),
+  settle: (args) => settleX402(args),
+  buildChallenge: (args) => buildX402ChallengeContribution(args)
+};
+async function verifyX402(args) {
+  const { request, body, price, routeEntry, deps, report } = args;
+  if (!deps.x402Server) {
+    const reason = deps.x402InitError ? `x402 facilitator initialization failed: ${deps.x402InitError}` : "x402 server not initialized \u2014 ensure @x402/core, @x402/evm, and @coinbase/x402 are installed";
+    report("error", reason);
+    return { ok: false, kind: "config", message: reason };
+  }
+  const accepts = await resolveX402Accepts(
+    request,
+    routeEntry,
+    deps.x402Accepts,
+    deps.payeeAddress,
+    body
+  );
+  const verifyResult = await verifyX402Payment({
+    server: deps.x402Server,
+    request,
+    price,
+    accepts,
+    report
+  });
+  if (!verifyResult?.valid) {
+    const failure = verifyResult?.failure;
+    if (failure) {
+      return {
+        ok: false,
+        kind: "invalid",
+        failure: {
+          reason: failure.reason,
+          message: formatVerifyFailureMessage(failure)
+        }
       };
-      return { ok: true, response, settledPayment };
-    } catch (err) {
-      const errObj = err;
-      console.error("Settlement failed", {
-        message: err instanceof Error ? err.message : String(err),
-        route: args.routeEntry.key,
-        network: payment.network,
-        errorReason: errObj.errorReason,
-        facilitatorStatus: errObj.response?.status,
-        facilitatorBody: errObj.response?.data ?? errObj.response?.body
-      });
-      return { ok: false, error: err, failMessage: "Settlement failed" };
     }
-  },
-  async buildChallenge(args) {
-    const { request, routeEntry, body, price, extensions, deps } = args;
-    if (!deps.x402Server) return {};
-    const accepts = await resolveX402Accepts(
-      request,
-      routeEntry,
-      deps.x402Accepts,
-      deps.payeeAddress,
-      body
-    );
-    const { encoded } = await buildX402Challenge({
-      server: deps.x402Server,
-      routeEntry,
-      request,
-      price,
-      accepts,
-      facilitatorsByNetwork: deps.x402FacilitatorsByNetwork,
-      extensions
-    });
-    return { headers: { [HEADERS.X402_PAYMENT_REQUIRED]: encoded } };
+    return { ok: false, kind: "invalid" };
   }
-};
-function getRequirementNetwork(requirements, fallback) {
-  const network = requirements?.network;
-  return typeof network === "string" ? network : fallback;
-}
-function getRequirementRecipient(requirements) {
-  const payTo = requirements?.payTo;
-  return typeof payTo === "string" ? payTo : void 0;
-}
-
-// src/protocols/detect.ts
-function detectProtocol(request) {
-  if (request.headers.get(HEADERS.X402_PAYMENT_SIGNATURE) ?? request.headers.get(HEADERS.X402_PAYMENT_LEGACY)) {
-    return "x402";
-  }
-  const auth = request.headers.get(HEADERS.AUTHORIZATION);
-  if (auth && auth.startsWith(AUTH_SCHEME.MPP_PAYMENT)) {
-    return "mpp";
-  }
-  if (request.headers.get(HEADERS.SIWX)) {
-    return "siwx";
+  const wallet = normalizeWalletAddress(verifyResult.payer);
+  const { network, payTo } = verifyResult.requirements;
+  const payment = {
+    protocol: "x402",
+    status: "verified",
+    payer: wallet,
+    amount: price,
+    network,
+    ...payTo ? { recipient: payTo } : {}
+  };
+  return {
+    ok: true,
+    wallet,
+    payment,
+    token: {
+      payload: verifyResult.payload,
+      requirements: verifyResult.requirements
+    }
+  };
+}
+async function settleX402(args) {
+  const { response, payment, token, deps, routeEntry, billedAmount, report } = args;
+  const { payload, requirements } = token;
+  const override = routeEntry.dynamicPrice ? { amount: billedAmount } : void 0;
+  try {
+    const settle = await settleX402Payment(deps.x402Server, payload, requirements, override);
+    if (!settle.result?.success) {
+      throw Object.assign(
+        new Error(settle.result?.errorReason ?? "x402 settlement returned success=false"),
+        { errorReason: settle.result?.errorReason }
+      );
+    }
+    response.headers.set(HEADERS.X402_PAYMENT_RESPONSE, settle.encoded);
+    response.headers.set("Cache-Control", "private");
+    const transaction = String(settle.result.transaction ?? "");
+    const settledPayment = {
+      ...payment,
+      status: "settled",
+      amount: billedAmount,
+      ...transaction ? { transaction } : {}
+    };
+    return { ok: true, response, settledPayment };
+  } catch (err) {
+    reportSettleFailure(report, err, payment.network);
+    return { ok: false, error: err, failMessage: "Settlement failed" };
   }
-  return null;
+}
+async function buildX402ChallengeContribution(args) {
+  const { request, routeEntry, body, price, extensions, deps, report } = args;
+  if (!deps.x402Server) return {};
+  const accepts = await resolveX402Accepts(
+    request,
+    routeEntry,
+    deps.x402Accepts,
+    deps.payeeAddress,
+    body
+  );
+  const { encoded } = await buildX402Challenge({
+    server: deps.x402Server,
+    routeEntry,
+    request,
+    price,
+    accepts,
+    facilitatorsByNetwork: deps.x402FacilitatorsByNetwork,
+    extensions,
+    report
+  });
+  return { headers: { [HEADERS.X402_PAYMENT_REQUIRED]: encoded } };
+}
+function reportSettleFailure(report, err, network) {
+  const facilitator = err ?? {};
+  report("error", "Settlement failed", {
+    error: err instanceof Error ? err.message : String(err),
+    network,
+    errorReason: facilitator.errorReason,
+    facilitatorStatus: facilitator.response?.status,
+    facilitatorBody: facilitator.response?.data ?? facilitator.response?.body
+  });
 }
 
 // src/protocols/index.ts
@@ -1855,9 +2171,59 @@ function getAllowedStrategies(allowed) {
   return allowed.map((name) => STRATEGIES[name]);
 }
 
-// src/pipeline/challenge.ts
+// src/pipeline/flows/build402.ts
 var import_server4 = require("next/server");
-async function build402(ctx, pricing, body) {
+
+// src/pipeline/challenge-extensions.ts
+async function buildChallengeExtensions(ctx) {
+  const { routeEntry } = ctx;
+  let extensions;
+  try {
+    const { z: z2 } = await import("zod");
+    const { declareDiscoveryExtension } = await import("@x402/extensions/bazaar");
+    const toJSON = (schema) => z2.toJSONSchema(schema, {
+      target: "draft-2020-12",
+      unrepresentable: "any"
+    });
+    const inputSchema = routeEntry.bodySchema ? toJSON(routeEntry.bodySchema) : routeEntry.querySchema ? toJSON(routeEntry.querySchema) : void 0;
+    const outputSchema = routeEntry.outputSchema ? toJSON(routeEntry.outputSchema) : void 0;
+    if (inputSchema) {
+      const config = {
+        method: routeEntry.method,
+        bodyType: routeEntry.bodySchema ? "json" : void 0,
+        inputSchema
+      };
+      if (routeEntry.inputExample !== void 0) {
+        config.input = routeEntry.inputExample;
+      }
+      if (outputSchema && routeEntry.outputExample !== void 0) {
+        config.output = { schema: outputSchema, example: routeEntry.outputExample };
+      }
+      extensions = declareDiscoveryExtension(config);
+    }
+  } catch (err) {
+    ctx.report(
+      "warn",
+      `Bazaar schema generation failed: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  if (routeEntry.siwxEnabled) {
+    try {
+      const siwxExtension = await buildSIWXExtension();
+      if (siwxExtension && typeof siwxExtension === "object" && !Array.isArray(siwxExtension)) {
+        extensions = {
+          ...extensions ?? {},
+          ...siwxExtension
+        };
+      }
+    } catch {
+    }
+  }
+  return extensions;
+}
+
+// src/pipeline/flows/build402.ts
+async function build402(ctx, pricing, body, failure) {
   let challengePrice;
   try {
     challengePrice = pricing ? await pricing.challengeQuote(body) : "0";
@@ -1871,7 +2237,8 @@ async function build402(ctx, pricing, body) {
     return errorResponse;
   }
   const extensions = await buildChallengeExtensions(ctx);
-  const response = new import_server4.NextResponse(null, {
+  const responseBody = failure ? JSON.stringify({ error: failure.message ?? null, reason: failure.reason }) : null;
+  const response = new import_server4.NextResponse(responseBody, {
     status: 402,
     headers: {
       "Content-Type": "application/json",
@@ -1886,7 +2253,8 @@ async function build402(ctx, pricing, body) {
         body,
         price: challengePrice,
         extensions,
-        deps: ctx.deps
+        deps: ctx.deps,
+        report: ctx.report
       });
       if (contribution.headers) {
         for (const [name, value] of Object.entries(contribution.headers)) {
@@ -1895,11 +2263,7 @@ async function build402(ctx, pricing, body) {
       }
     } catch (err) {
       const message = `${strategy.protocol} challenge build failed: ${errorMessage(err, String(err))}`;
-      firePluginHook(ctx.deps.plugin, "onAlert", ctx.pluginCtx, {
-        level: "critical",
-        message,
-        route: ctx.routeEntry.key
-      });
+      ctx.report("critical", message);
       if (strategy.protocol === "x402") {
         const errorResponse = import_server4.NextResponse.json(
           { success: false, error: message },
@@ -1913,97 +2277,470 @@ async function build402(ctx, pricing, body) {
   firePluginResponse(ctx, response);
   return response;
 }
-async function buildChallengeExtensions(ctx) {
-  const { routeEntry } = ctx;
-  let extensions;
+
+// src/pipeline/flows/dynamic/dynamic-body-and-price.ts
+async function resolveDynamicBodyAndPrice(args) {
+  const { ctx, pricing, skipBody } = args;
+  if (skipBody) {
+    return {
+      ok: true,
+      parsedBody: void 0,
+      price: surrogatePriceForSkippedBody(ctx.routeEntry)
+    };
+  }
+  const body = await parseBody(ctx);
+  if (!body.ok) return { ok: false, response: body.response };
+  const validateErr = await runValidate(ctx, body.data);
+  if (validateErr) {
+    return { ok: false, response: validateErr };
+  }
+  if (!pricing) {
+    return { ok: false, response: fail(ctx, 500, "Pricing not configured", body.data) };
+  }
   try {
-    const { z } = await import("zod");
-    const { declareDiscoveryExtension } = await import("@x402/extensions/bazaar");
-    const toJSON = (schema) => z.toJSONSchema(schema, {
-      target: "draft-2020-12",
-      unrepresentable: "any"
-    });
-    const inputSchema = routeEntry.bodySchema ? toJSON(routeEntry.bodySchema) : routeEntry.querySchema ? toJSON(routeEntry.querySchema) : void 0;
-    const outputSchema = routeEntry.outputSchema ? toJSON(routeEntry.outputSchema) : void 0;
-    if (inputSchema) {
-      const config = {
-        method: routeEntry.method,
-        bodyType: routeEntry.bodySchema ? "json" : void 0,
-        inputSchema
-      };
-      if (routeEntry.inputExample !== void 0) {
-        config.input = routeEntry.inputExample;
-      }
-      if (outputSchema && routeEntry.outputExample !== void 0) {
-        config.output = { schema: outputSchema, example: routeEntry.outputExample };
-      }
-      extensions = declareDiscoveryExtension(config);
-    }
+    const price = await pricing.quote(body.data);
+    return { ok: true, parsedBody: body.data, price };
   } catch (err) {
-    firePluginHook(ctx.deps.plugin, "onAlert", ctx.pluginCtx, {
-      level: "warn",
-      message: `Bazaar schema generation failed: ${err instanceof Error ? err.message : String(err)}`,
-      route: routeEntry.key
-    });
+    return {
+      ok: false,
+      response: fail(
+        ctx,
+        errorStatus(err, 500),
+        errorMessage(err, "Price calculation failed"),
+        body.data
+      )
+    };
   }
-  if (routeEntry.siwxEnabled) {
-    try {
-      const siwxExtension = await buildSIWXExtension();
-      if (siwxExtension && typeof siwxExtension === "object" && !Array.isArray(siwxExtension)) {
-        extensions = {
-          ...extensions ?? {},
-          ...siwxExtension
-        };
-      }
-    } catch {
+}
+function surrogatePriceForSkippedBody(routeEntry) {
+  return routeEntry.maxPrice ?? routeEntry.minPrice ?? "0";
+}
+
+// src/pipeline/flows/dynamic/dynamic-channel-mgmt.ts
+var import_server5 = require("next/server");
+async function runDynamicChannelMgmtFlow(args) {
+  const { ctx, strategy, account, pricing, skipBody } = args;
+  const { request, routeEntry, deps, report } = ctx;
+  const bodyAndPrice = await resolveDynamicBodyAndPrice({ ctx, pricing, skipBody });
+  if (!bodyAndPrice.ok) return bodyAndPrice.response;
+  const { parsedBody, price } = bodyAndPrice;
+  const verifyOutcome = await strategy.verify({
+    request,
+    body: parsedBody,
+    price,
+    routeEntry,
+    deps,
+    report
+  });
+  if (verifyOutcome.ok === false) {
+    if (verifyOutcome.kind === "config") {
+      return fail(ctx, 500, verifyOutcome.message, parsedBody);
     }
+    return build402(ctx, pricing, parsedBody, verifyOutcome.failure);
   }
-  return extensions;
+  ctx.pluginCtx.setVerifiedWallet(verifyOutcome.wallet);
+  firePaymentVerified(ctx, {
+    protocol: strategy.protocol,
+    payer: verifyOutcome.wallet,
+    amount: price,
+    network: verifyOutcome.payment.network
+  });
+  const synthetic = new import_server5.NextResponse(null, { status: 200 });
+  const settleScope = {
+    wallet: verifyOutcome.wallet,
+    account,
+    body: parsedBody,
+    payment: verifyOutcome.payment,
+    response: synthetic,
+    rawResult: void 0
+  };
+  const beforeErr = await runBeforeSettle(ctx, settleScope);
+  if (beforeErr) return beforeErr;
+  return settleAndFinalizeRequest({
+    ctx,
+    strategy,
+    verifyOutcome,
+    scope: settleScope,
+    rawResult: void 0,
+    body: parsedBody,
+    billedAmount: "0",
+    onSettleError: async (error, failMessage) => {
+      await runSettlementError(ctx, settleScope, error, "settle");
+      report("critical", `${strategy.protocol} ${failMessage}: ${errorMessage(error, "unknown")}`);
+    }
+  });
 }
 
-// src/pipeline/flows/paid.ts
-async function runPaidFlow(ctx) {
-  const { request, routeEntry, deps } = ctx;
-  let account = void 0;
-  if (routeEntry.apiKeyResolver) {
-    const apiKeyResult = await verifyApiKey(request, routeEntry.apiKeyResolver);
-    if (!apiKeyResult.valid) return fail(ctx, 401, "Invalid or missing API key");
-    account = apiKeyResult.account;
-    firePluginHook(deps.plugin, "onAuthVerified", ctx.pluginCtx, {
-      authMode: "apiKey",
-      wallet: null,
-      route: routeEntry.key,
-      account
+// src/pipeline/flows/dynamic/dynamic-invoke.ts
+var import_server6 = require("next/server");
+
+// src/pricing/atomic.ts
+var USDC_DECIMALS = 6;
+function decimalToAtomic(amount) {
+  const m = /^(\d+)(?:\.(\d+))?$/.exec(amount.trim());
+  if (!m) {
+    throw Object.assign(new Error(`'${amount}' is not a valid decimal-dollar string`), {
+      status: 400
     });
   }
-  const alertFn = (level, message, meta) => {
-    firePluginHook(deps.plugin, "onAlert", ctx.pluginCtx, {
-      level,
-      message,
-      route: routeEntry.key,
-      meta
+  const whole = m[1];
+  const fraction = (m[2] ?? "").slice(0, USDC_DECIMALS).padEnd(USDC_DECIMALS, "0");
+  return BigInt(`${whole}${fraction}`.replace(/^0+(?=\d)/, "") || "0");
+}
+function atomicToDecimal(atomic) {
+  const whole = atomic / 10n ** BigInt(USDC_DECIMALS);
+  const fraction = atomic % 10n ** BigInt(USDC_DECIMALS);
+  if (fraction === 0n) return whole.toString();
+  const fractionStr = fraction.toString().padStart(USDC_DECIMALS, "0").replace(/0+$/, "");
+  return `${whole}.${fractionStr}`;
+}
+
+// src/pricing/charge-context.ts
+function createChargeContext(args) {
+  const { tickCost, maxPrice, route } = args;
+  const tickAtomic = decimalToAtomic(tickCost);
+  if (tickAtomic <= 0n) {
+    throw new Error(`route '${route}': tickCost '${tickCost}' must be a positive decimal string`);
+  }
+  const capAtomic = maxPrice !== void 0 ? decimalToAtomic(maxPrice) : null;
+  let ticks = 0;
+  let atomic = 0n;
+  let channelCharge = null;
+  const charge = async () => {
+    const nextAtomic = atomic + tickAtomic;
+    if (capAtomic !== null && nextAtomic > capAtomic) {
+      throw Object.assign(
+        new Error(
+          `route '${route}': charge() running total ($${atomicToDecimal(nextAtomic)}) exceeds maxPrice ($${atomicToDecimal(capAtomic)})`
+        ),
+        { status: 400, code: "CHARGE_OVER_CAP" }
+      );
+    }
+    ticks += 1;
+    atomic = nextAtomic;
+    if (channelCharge) await channelCharge();
+  };
+  return {
+    charge,
+    bindChannelCharge: (fn) => {
+      channelCharge = fn;
+    },
+    tickCount: () => ticks,
+    atomicTotal: () => atomic
+  };
+}
+
+// src/pipeline/flows/dynamic/dynamic-invoke.ts
+async function invokeDynamic(ctx, wallet, account, body, payment) {
+  const streaming = ctx.routeEntry.streaming === true;
+  const chargeContext = streaming ? createChargeContext({
+    tickCost: ctx.routeEntry.tickCost,
+    maxPrice: ctx.routeEntry.maxPrice,
+    route: ctx.routeEntry.key
+  }) : null;
+  const baseHandlerCtx = {
+    body,
+    query: parseQuery(ctx.request, ctx.routeEntry),
+    request: ctx.request,
+    requestId: ctx.meta.requestId,
+    route: ctx.routeEntry.key,
+    wallet,
+    payment,
+    account,
+    alert: ctx.report,
+    setVerifiedWallet: (addr) => ctx.pluginCtx.setVerifiedWallet(addr)
+  };
+  const handlerCtx = chargeContext !== null ? { ...baseHandlerCtx, charge: chargeContext.charge } : baseHandlerCtx;
+  let returned;
+  try {
+    returned = ctx.handler(handlerCtx);
+  } catch (error) {
+    return errorResult2(error, chargeContext);
+  }
+  if (isAsyncIterable2(returned) && !isThenable2(returned)) {
+    if (!chargeContext) {
+      return errorResult2(
+        new HttpError(
+          "route returned an async iterable from a non-streaming handler \u2014 use .stream(async function*(...)) instead of .handler() to opt into streaming",
+          500
+        ),
+        null
+      );
+    }
+    return {
+      kind: "stream",
+      source: returned,
+      chargeContext
+    };
+  }
+  let rawResult;
+  try {
+    rawResult = await returned;
+  } catch (error) {
+    return errorResult2(error, chargeContext);
+  }
+  const response = rawResult instanceof Response ? rawResult : import_server6.NextResponse.json(rawResult);
+  return { kind: "request", response, rawResult };
+}
+function errorResult2(error, chargeContext) {
+  const status = error instanceof HttpError ? error.status : typeof error?.status === "number" ? error.status : 500;
+  const message = error instanceof Error ? error.message : "Internal error";
+  void chargeContext;
+  return {
+    kind: "request",
+    response: import_server6.NextResponse.json({ success: false, error: message }, { status }),
+    rawResult: void 0,
+    handlerError: error
+  };
+}
+function isAsyncIterable2(value) {
+  return value != null && typeof value === "object" && Symbol.asyncIterator in value;
+}
+function isThenable2(value) {
+  return value != null && (typeof value === "object" || typeof value === "function") && typeof value.then === "function";
+}
+
+// src/pipeline/flows/dynamic/dynamic-preflight.ts
+function resolveDynamicPreflight(strategy, request, routeEntry) {
+  const outcome = strategy.preflight?.(request, routeEntry) ?? null;
+  return {
+    skipBody: outcome?.skipBody ?? false,
+    skipHandler: outcome?.skipHandler ?? false
+  };
+}
+
+// src/pipeline/flows/dynamic/dynamic-request.ts
+async function runDynamicRequestFlow(args) {
+  const { ctx, strategy, verifyOutcome, account, body, result } = args;
+  const { routeEntry } = ctx;
+  const settleScope = {
+    wallet: verifyOutcome.wallet,
+    account,
+    body,
+    payment: verifyOutcome.payment,
+    response: result.response,
+    rawResult: result.rawResult,
+    handlerError: result.handlerError
+  };
+  if (result.response.status >= 400) {
+    return finalize(ctx, result.response, result.rawResult, body);
+  }
+  const beforeErr = await runBeforeSettle(ctx, settleScope);
+  if (beforeErr) return beforeErr;
+  const billedAmount = routeEntry.tickCost;
+  return settleAndFinalizeRequest({
+    ctx,
+    strategy,
+    verifyOutcome,
+    scope: settleScope,
+    rawResult: result.rawResult,
+    body,
+    billedAmount,
+    onSettleError: async (error, failMessage) => {
+      await runSettlementError(ctx, settleScope, error, "settle");
+      ctx.report(
+        "critical",
+        `${strategy.protocol} ${failMessage}: ${errorMessage(error, "unknown")}`
+      );
+    }
+  });
+}
+
+// src/pipeline/flows/dynamic/dynamic-stream.ts
+async function runDynamicStreamFlow(args) {
+  const { ctx, strategy, verifyOutcome, account, body, result } = args;
+  return settleAndFinalizeStream({
+    ctx,
+    strategy,
+    verifyOutcome,
+    source: result.source,
+    account,
+    body,
+    bindChannelCharge: result.chargeContext.bindChannelCharge
+  });
+}
+
+// src/pipeline/flows/dynamic/dynamic-paid.ts
+async function runDynamicPaidFlow(ctx) {
+  const { request, routeEntry, deps, report } = ctx;
+  const apiKeyGate = await runApiKeyGate(ctx);
+  if (!apiKeyGate.ok) return apiKeyGate.response;
+  const { account } = apiKeyGate;
+  const pricing = selectPricing(routeEntry.pricing, {
+    alert: report,
+    maxPrice: routeEntry.maxPrice,
+    minPrice: routeEntry.minPrice,
+    route: routeEntry.key
+  });
+  const incomingStrategy = selectIncomingStrategy(request, routeEntry.protocols);
+  const earlyResolution = await resolveEarlyBody({ ctx, pricing, incomingStrategy });
+  if (!earlyResolution.ok) return earlyResolution.response;
+  const { earlyBody } = earlyResolution;
+  const siwxFastPath = await trySiwxFastPath(ctx, account);
+  if (siwxFastPath) return siwxFastPath;
+  if (!incomingStrategy) {
+    const initError = protocolInitError(routeEntry, deps);
+    if (initError) return fail(ctx, 500, initError);
+    return build402(ctx, pricing, earlyBody);
+  }
+  const { skipBody, skipHandler } = resolveDynamicPreflight(incomingStrategy, request, routeEntry);
+  if (skipHandler) {
+    return runDynamicChannelMgmtFlow({
+      ctx,
+      strategy: incomingStrategy,
+      account,
+      pricing,
+      skipBody
     });
+  }
+  const bodyAndPrice = await resolveDynamicBodyAndPrice({ ctx, pricing, skipBody });
+  if (!bodyAndPrice.ok) return bodyAndPrice.response;
+  const { parsedBody, price } = bodyAndPrice;
+  const verifyOutcome = await incomingStrategy.verify({
+    request,
+    body: parsedBody,
+    price,
+    routeEntry,
+    deps,
+    report
+  });
+  if (verifyOutcome.ok === false) {
+    if (verifyOutcome.kind === "config") {
+      return fail(ctx, 500, verifyOutcome.message, parsedBody);
+    }
+    return build402(ctx, pricing, parsedBody, verifyOutcome.failure);
+  }
+  ctx.pluginCtx.setVerifiedWallet(verifyOutcome.wallet);
+  firePaymentVerified(ctx, {
+    protocol: incomingStrategy.protocol,
+    payer: verifyOutcome.wallet,
+    amount: price,
+    network: verifyOutcome.payment.network
+  });
+  const result = await invokeDynamic(
+    ctx,
+    verifyOutcome.wallet,
+    account,
+    parsedBody,
+    verifyOutcome.payment
+  );
+  switch (result.kind) {
+    case "stream":
+      return runDynamicStreamFlow({
+        ctx,
+        strategy: incomingStrategy,
+        verifyOutcome,
+        account,
+        body: parsedBody,
+        result
+      });
+    case "request":
+      return runDynamicRequestFlow({
+        ctx,
+        strategy: incomingStrategy,
+        verifyOutcome,
+        account,
+        body: parsedBody,
+        result
+      });
+  }
+}
+
+// src/pipeline/flows/static/static-body-and-price.ts
+async function resolveStaticBodyAndPrice(args) {
+  const { ctx, pricing } = args;
+  const body = await parseBody(ctx);
+  if (!body.ok) return { ok: false, response: body.response };
+  const validateErr = await runValidate(ctx, body.data);
+  if (validateErr) {
+    return { ok: false, response: validateErr };
+  }
+  if (!pricing) {
+    return { ok: false, response: fail(ctx, 500, "Pricing not configured", body.data) };
+  }
+  try {
+    const price = await pricing.quote(body.data);
+    return { ok: true, parsedBody: body.data, price };
+  } catch (err) {
+    return {
+      ok: false,
+      response: fail(
+        ctx,
+        errorStatus(err, 500),
+        errorMessage(err, "Price calculation failed"),
+        body.data
+      )
+    };
+  }
+}
+
+// src/pipeline/flows/static/static-request.ts
+async function runStaticRequestFlow(args) {
+  const { ctx, strategy, verifyOutcome, account, body, price, result } = args;
+  const settleScope = {
+    wallet: verifyOutcome.wallet,
+    account,
+    body,
+    payment: verifyOutcome.payment,
+    response: result.response,
+    rawResult: result.rawResult,
+    handlerError: result.handlerError
   };
+  if (verifyOutcome.alreadySettled) {
+    if (result.response.status >= 400) {
+      const settledScope = settleScope;
+      await runSettledHandlerError(ctx, settledScope);
+      return finalize(ctx, result.response, result.rawResult, body);
+    }
+    return settleAndFinalizeRequest({
+      ctx,
+      strategy,
+      verifyOutcome,
+      scope: settleScope,
+      rawResult: result.rawResult,
+      body,
+      billedAmount: price
+    });
+  }
+  if (result.response.status >= 400) {
+    return finalize(ctx, result.response, result.rawResult, body);
+  }
+  const beforeErr = await runBeforeSettle(ctx, settleScope);
+  if (beforeErr) return beforeErr;
+  return settleAndFinalizeRequest({
+    ctx,
+    strategy,
+    verifyOutcome,
+    scope: settleScope,
+    rawResult: result.rawResult,
+    body,
+    billedAmount: price,
+    onSettleError: async (error, failMessage) => {
+      await runSettlementError(ctx, settleScope, error, "settle");
+      ctx.report(
+        "critical",
+        `${strategy.protocol} ${failMessage}: ${errorMessage(error, "unknown")}`
+      );
+    }
+  });
+}
+
+// src/pipeline/flows/static/static-paid.ts
+async function runStaticPaidFlow(ctx) {
+  const { request, routeEntry, deps, report } = ctx;
+  const apiKeyGate = await runApiKeyGate(ctx);
+  if (!apiKeyGate.ok) return apiKeyGate.response;
+  const { account } = apiKeyGate;
   const pricing = selectPricing(routeEntry.pricing, {
-    alert: alertFn,
+    alert: report,
     maxPrice: routeEntry.maxPrice,
     minPrice: routeEntry.minPrice,
     route: routeEntry.key
   });
   const incomingStrategy = selectIncomingStrategy(request, routeEntry.protocols);
-  let earlyBody = void 0;
-  if (shouldParseBodyEarly(incomingStrategy, routeEntry, pricing)) {
-    const earlyClone = request.clone();
-    const earlyResult = await parseBody(earlyClone, routeEntry);
-    if (earlyResult.ok) {
-      earlyBody = earlyResult.data;
-      const validateErr2 = await runValidate(ctx, earlyBody);
-      if (validateErr2) return validateErr2;
-    } else {
-      firePluginResponse(ctx, earlyResult.response);
-      return earlyResult.response;
-    }
-  }
+  const earlyResolution = await resolveEarlyBody({ ctx, pricing, incomingStrategy });
+  if (!earlyResolution.ok) return earlyResolution.response;
+  const { earlyBody } = earlyResolution;
   const siwxFastPath = await trySiwxFastPath(ctx, account);
   if (siwxFastPath) return siwxFastPath;
   if (!incomingStrategy) {
@@ -2011,99 +2748,139 @@ async function runPaidFlow(ctx) {
     if (initError) return fail(ctx, 500, initError);
     return build402(ctx, pricing, earlyBody);
   }
-  const body = await parseBody(request, routeEntry);
-  if (!body.ok) {
-    firePluginResponse(ctx, body.response);
-    return body.response;
-  }
-  const validateErr = await runValidate(ctx, body.data);
-  if (validateErr) return validateErr;
-  if (!pricing) {
-    return fail(ctx, 500, "Pricing not configured", body.data);
-  }
-  let price;
-  try {
-    price = await pricing.quote(body.data);
-  } catch (err) {
-    return fail(
-      ctx,
-      errorStatus(err, 500),
-      errorMessage(err, "Price calculation failed"),
-      body.data
-    );
-  }
+  const bodyAndPrice = await resolveStaticBodyAndPrice({ ctx, pricing });
+  if (!bodyAndPrice.ok) return bodyAndPrice.response;
+  const { parsedBody, price } = bodyAndPrice;
   const verifyOutcome = await incomingStrategy.verify({
     request,
-    body: body.data,
+    body: parsedBody,
     price,
     routeEntry,
-    deps
+    deps,
+    report
   });
   if (verifyOutcome.ok === false) {
     if (verifyOutcome.kind === "config") {
-      return fail(ctx, 500, verifyOutcome.message, body.data);
+      return fail(ctx, 500, verifyOutcome.message, parsedBody);
     }
-    return build402(ctx, pricing, body.data);
+    return build402(ctx, pricing, parsedBody, verifyOutcome.failure);
   }
   ctx.pluginCtx.setVerifiedWallet(verifyOutcome.wallet);
-  firePluginHook(deps.plugin, "onPaymentVerified", ctx.pluginCtx, {
+  firePaymentVerified(ctx, {
     protocol: incomingStrategy.protocol,
     payer: verifyOutcome.wallet,
     amount: price,
     network: verifyOutcome.payment.network
   });
-  const result = await invoke(ctx, verifyOutcome.wallet, account, body.data, verifyOutcome.payment);
-  const settleScope = {
-    wallet: verifyOutcome.wallet,
+  const result = await invokePaidStatic(
+    ctx,
+    verifyOutcome.wallet,
     account,
-    body: body.data,
-    payment: verifyOutcome.payment,
-    response: result.response,
-    rawResult: result.rawResult,
-    handlerError: result.handlerError
-  };
-  if (verifyOutcome.alreadySettled) {
-    if (result.response.status >= 400) {
-      const settledScope = settleScope;
-      await runSettledHandlerError(ctx, settledScope);
-      return finalize(ctx, result.response, result.rawResult, body.data);
-    }
-    return settleAndFinalize({
-      ctx,
-      strategy: incomingStrategy,
-      verifyOutcome,
-      scope: settleScope,
-      rawResult: result.rawResult,
-      body: body.data
-    });
-  }
-  if (result.response.status >= 400) {
-    return finalize(ctx, result.response, result.rawResult, body.data);
-  }
-  const beforeErr = await runBeforeSettle(ctx, settleScope);
-  if (beforeErr) return beforeErr;
-  return settleAndFinalize({
+    parsedBody,
+    verifyOutcome.payment
+  );
+  return runStaticRequestFlow({
     ctx,
     strategy: incomingStrategy,
     verifyOutcome,
-    scope: settleScope,
-    rawResult: result.rawResult,
-    body: body.data,
-    onSettleError: async (error, failMessage) => {
-      await runSettlementError(ctx, settleScope, error, "settle");
-      firePluginHook(deps.plugin, "onAlert", ctx.pluginCtx, {
-        level: "critical",
-        message: `${incomingStrategy.protocol} ${failMessage}: ${errorMessage(error, "unknown")}`,
-        route: routeEntry.key
-      });
-    }
+    account,
+    body: parsedBody,
+    price,
+    result
   });
 }
 
+// src/pipeline/flows/paid.ts
+async function runPaidFlow(ctx) {
+  const dynamicPrice = ctx.routeEntry.dynamicPrice ?? false;
+  switch (dynamicPrice) {
+    case true:
+      return runDynamicPaidFlow(ctx);
+    case false:
+      return runStaticPaidFlow(ctx);
+  }
+}
+
 // src/pipeline/flows/siwx-only.ts
-var import_server5 = require("next/server");
+var import_server7 = require("next/server");
+
+// src/kv-store/client.ts
+function restKvStore(url, token) {
+  const base = url.replace(/\/+$/, "");
+  const authHeader = { Authorization: `Bearer ${token}` };
+  const jsonHeaders = { ...authHeader, "Content-Type": "application/json" };
+  async function exec(command) {
+    const res = await fetch(base, {
+      method: "POST",
+      headers: jsonHeaders,
+      body: JSON.stringify(command)
+    });
+    if (!res.ok) {
+      throw new Error(`[kv-store] ${command[0]} ${command[1] ?? ""}: ${res.status}`);
+    }
+    const body = await res.json();
+    if (body.error) throw new Error(`[kv-store] ${command[0]}: ${body.error}`);
+    return body.result ?? null;
+  }
+  async function get(key) {
+    const res = await fetch(`${base}/get/${encodeURIComponent(key)}`, { headers: authHeader });
+    if (!res.ok) throw new Error(`[kv-store] GET ${key}: ${res.status}`);
+    const { result } = await res.json();
+    return result ?? null;
+  }
+  async function set(key, value) {
+    await exec(["SET", key, JSON.stringify(value)]);
+  }
+  async function del(key) {
+    await exec(["DEL", key]);
+  }
+  async function setNxEx(key, value, ttlSeconds) {
+    const result = await exec(["SET", key, JSON.stringify(value), "EX", ttlSeconds, "NX"]);
+    return result === "OK";
+  }
+  async function sadd(key, member) {
+    await exec(["SADD", key, member]);
+  }
+  async function sismember(key, member) {
+    const result = await exec(["SISMEMBER", key, member]);
+    return result === 1;
+  }
+  async function update(key, fn) {
+    const current = await get(key);
+    const change = fn(current);
+    if (change.op === "set") await set(key, change.value);
+    if (change.op === "delete") await del(key);
+    return change.result;
+  }
+  return { get, set, del, setNxEx, sadd, sismember, update };
+}
+function isRestConfig(input) {
+  return typeof input === "object" && input !== null && typeof input.url === "string" && typeof input.token === "string" && typeof input.get !== "function";
+}
+function resolveKvStore(input, env = process.env) {
+  if (input) {
+    if (isRestConfig(input)) return restKvStore(input.url, input.token);
+    return input;
+  }
+  const url = env.KV_REST_API_URL;
+  const token = env.KV_REST_API_TOKEN;
+  if (url && token) return restKvStore(url, token);
+  return void 0;
+}
+function withPrefix(kv, prefix) {
+  const k = (key) => `${prefix}${key}`;
+  return {
+    get: (key) => kv.get(k(key)),
+    set: (key, value) => kv.set(k(key), value),
+    del: (key) => kv.del(k(key)),
+    setNxEx: (key, value, ttl) => kv.setNxEx(k(key), value, ttl),
+    sadd: (key, member) => kv.sadd(k(key), member),
+    sismember: (key, member) => kv.sismember(k(key), member),
+    update: (key, fn) => kv.update(k(key), fn)
+  };
+}
 
-// src/auth/nonce.ts
+// src/kv-store/nonce.ts
 var SIWX_CHALLENGE_EXPIRY_MS = 5 * 60 * 1e3;
 var MemoryNonceStore = class {
   seen = /* @__PURE__ */ new Map();
@@ -2120,48 +2897,74 @@ var MemoryNonceStore = class {
     }
   }
 };
-function detectRedisClientType(client) {
-  if (!client || typeof client !== "object") {
-    throw new Error(
-      "createRedisNonceStore requires a Redis client. Supported: @upstash/redis, ioredis. Pass your Redis client instance as the first argument."
-    );
-  }
-  if ("options" in client && "status" in client) {
-    return "ioredis";
-  }
-  const constructor = client.constructor?.name;
-  if (constructor === "Redis" && "url" in client) {
-    return "upstash";
+function createKvNonceStore(kv, options) {
+  const prefix = options?.prefix ?? "siwx:nonce:";
+  const ttlSeconds = Math.ceil((options?.ttlMs ?? SIWX_CHALLENGE_EXPIRY_MS) / 1e3);
+  return {
+    async check(nonce) {
+      return kv.setNxEx(`${prefix}${nonce}`, 1, ttlSeconds);
+    }
+  };
+}
+
+// src/kv-store/entitlement.ts
+var MemoryEntitlementStore = class {
+  routeToWallets = /* @__PURE__ */ new Map();
+  async has(route, wallet) {
+    const wallets = this.routeToWallets.get(route);
+    if (!wallets) return false;
+    return wallets.has(normalizeWalletAddress(wallet));
   }
-  if (typeof client.set === "function") {
-    return "upstash";
+  async grant(route, wallet) {
+    const normalized = normalizeWalletAddress(wallet);
+    let wallets = this.routeToWallets.get(route);
+    if (!wallets) {
+      wallets = /* @__PURE__ */ new Set();
+      this.routeToWallets.set(route, wallets);
+    }
+    wallets.add(normalized);
   }
-  throw new Error(
-    "Unrecognized Redis client. Supported: @upstash/redis, ioredis. If using a different client, implement NonceStore interface directly."
-  );
-}
-function createRedisNonceStore(client, opts) {
-  const prefix = opts?.prefix ?? "siwx:nonce:";
-  const ttlSeconds = Math.ceil((opts?.ttlMs ?? SIWX_CHALLENGE_EXPIRY_MS) / 1e3);
-  const clientType = detectRedisClientType(client);
+};
+function createKvEntitlementStore(kv, options) {
+  const prefix = options?.prefix ?? "siwx:ent:";
   return {
-    async check(nonce) {
-      const key = `${prefix}${nonce}`;
-      if (clientType === "upstash") {
-        const redis = client;
-        const result = await redis.set(key, "1", { ex: ttlSeconds, nx: true });
-        return result !== null;
-      }
-      if (clientType === "ioredis") {
-        const redis = client;
-        const result = await redis.set(key, "1", "EX", ttlSeconds, "NX");
-        return result === "OK";
-      }
-      throw new Error("Unknown Redis client type");
+    async has(route, wallet) {
+      return kv.sismember(`${prefix}${route}`, normalizeWalletAddress(wallet));
+    },
+    async grant(route, wallet) {
+      await kv.sadd(`${prefix}${route}`, normalizeWalletAddress(wallet));
     }
   };
 }
 
+// src/kv-store/mpp.ts
+async function createKvMppStore(kv, options) {
+  const prefix = options?.prefix ?? "mpp:";
+  const namespaced = withPrefix(kv, prefix);
+  const { Store: StoreNs } = await import("mppx");
+  return StoreNs.upstash({
+    get: (key) => namespaced.get(key),
+    set: (key, value) => namespaced.set(key, value),
+    del: (key) => namespaced.del(key),
+    update: (key, fn) => namespaced.update(key, fn)
+  });
+}
+
+// src/protocols/detect.ts
+function detectProtocol(request) {
+  if (request.headers.get(HEADERS.X402_PAYMENT_SIGNATURE) ?? request.headers.get(HEADERS.X402_PAYMENT_LEGACY)) {
+    return "x402";
+  }
+  const auth = request.headers.get(HEADERS.AUTHORIZATION);
+  if (auth && auth.startsWith(AUTH_SCHEME.MPP_PAYMENT)) {
+    return "mpp";
+  }
+  if (request.headers.get(HEADERS.SIWX)) {
+    return "siwx";
+  }
+  return null;
+}
+
 // src/protocols/mpp/siwx-mode.ts
 var import_mppx3 = require("mppx");
 async function verifyMppSiwx(request, mppx) {
@@ -2180,12 +2983,11 @@ async function runSiwxOnlyFlow(ctx) {
   const { request, routeEntry, deps } = ctx;
   if (routeEntry.validateFn && routeEntry.bodySchema && !request.headers.get(HEADERS.SIWX)) {
     const earlyClone = request.clone();
-    const earlyBody = await parseBody(earlyClone, routeEntry);
+    const earlyBody = await parseBody(ctx, earlyClone);
     if (earlyBody.ok) {
       const validateErr = await runValidate(ctx, earlyBody.data);
       if (validateErr) return validateErr;
     } else {
-      firePluginResponse(ctx, earlyBody.response);
       return earlyBody.response;
     }
   }
@@ -2197,20 +2999,12 @@ async function runSiwxOnlyFlow(ctx) {
       mppSiwxResult = await verifyMppSiwx(request, deps.mppx);
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
-      firePluginHook(deps.plugin, "onAlert", ctx.pluginCtx, {
-        level: "critical",
-        message: `MPP SIWX verification failed: ${message}`,
-        route: routeEntry.key
-      });
+      ctx.report("critical", `MPP SIWX verification failed: ${message}`);
       return fail(ctx, 500, `MPP SIWX verification failed: ${message}`);
     }
     if (mppSiwxResult.valid) {
       ctx.pluginCtx.setVerifiedWallet(mppSiwxResult.wallet);
-      firePluginHook(deps.plugin, "onAuthVerified", ctx.pluginCtx, {
-        authMode: "siwx",
-        wallet: mppSiwxResult.wallet,
-        route: routeEntry.key
-      });
+      fireAuthVerified(ctx, { authMode: "siwx", wallet: mppSiwxResult.wallet });
       const authResponse = await runHandlerOnly(ctx, mppSiwxResult.wallet, void 0);
       if (authResponse.status < 400) {
         return mppSiwxResult.withReceipt(authResponse);
@@ -2223,7 +3017,7 @@ async function runSiwxOnlyFlow(ctx) {
   }
   const siwx = await verifySIWX(request, routeEntry, deps.nonceStore);
   if (!siwx.valid) {
-    const response = import_server5.NextResponse.json(
+    const response = import_server7.NextResponse.json(
       { error: siwx.code, message: SIWX_ERROR_MESSAGES[siwx.code] },
       { status: 402 }
     );
@@ -2232,11 +3026,7 @@ async function runSiwxOnlyFlow(ctx) {
   }
   const wallet = normalizeWalletAddress(siwx.wallet);
   ctx.pluginCtx.setVerifiedWallet(wallet);
-  firePluginHook(deps.plugin, "onAuthVerified", ctx.pluginCtx, {
-    authMode: "siwx",
-    wallet,
-    route: routeEntry.key
-  });
+  fireAuthVerified(ctx, { authMode: "siwx", wallet });
   return runHandlerOnly(ctx, wallet, void 0);
 }
 async function buildSiwxChallenge(ctx) {
@@ -2273,7 +3063,6 @@ async function buildSiwxChallenge(ctx) {
     extensions: {
       "sign-in-with-x": {
         info: siwxInfo,
-        // Required by MCP tools at the top level for chain detection.
         supportedChains,
         ...siwxSchema ? { schema: siwxSchema } : {}
       }
@@ -2284,13 +3073,12 @@ async function buildSiwxChallenge(ctx) {
     const { encodePaymentRequiredHeader } = await import("@x402/core/http");
     encoded = encodePaymentRequiredHeader(paymentRequired);
   } catch (err) {
-    firePluginHook(deps.plugin, "onAlert", ctx.pluginCtx, {
-      level: "warn",
-      message: `SIWX challenge header encoding failed: ${err instanceof Error ? err.message : String(err)}`,
-      route: routeEntry.key
-    });
+    ctx.report(
+      "warn",
+      `SIWX challenge header encoding failed: ${err instanceof Error ? err.message : String(err)}`
+    );
   }
-  const response = new import_server5.NextResponse(JSON.stringify(paymentRequired), {
+  const response = new import_server7.NextResponse(JSON.stringify(paymentRequired), {
     status: 402,
     headers: { "Content-Type": "application/json", "Cache-Control": "no-store" }
   });
@@ -2331,7 +3119,7 @@ async function runUnprotectedFlow(ctx) {
   return runHandlerOnly(ctx, null, void 0);
 }
 
-// src/orchestrate.ts
+// src/pipeline/orchestrate.ts
 function createRequestHandler(routeEntry, handler, deps) {
   return async (request) => {
     await deps.initPromise;
@@ -2396,6 +3184,12 @@ var RouteBuilder = class {
   /** @internal */
   _minPrice;
   /** @internal */
+  _dynamicPrice = false;
+  /** @internal */
+  _tickCost;
+  /** @internal */
+  _unitType;
+  /** @internal */
   _payTo;
   /** @internal */
   _bodySchema;
@@ -2440,7 +3234,8 @@ var RouteBuilder = class {
     next._protocols = [...this._protocols];
     return next;
   }
-  paid(pricing, options) {
+  paid(pricingOrOptions, options) {
+    const { pricing, resolvedOptions } = resolvePaidArgs(this._key, pricingOrOptions, options);
     if (this._authMode === "unprotected") {
       throw new Error(
         `route '${this._key}': Cannot combine .unprotected() and .paid() on the same route.`
@@ -2454,16 +3249,24 @@ var RouteBuilder = class {
     const next = this.fork();
     next._authMode = "paid";
     next._pricing = pricing;
-    if (options?.protocols) {
-      next._protocols = [...options.protocols];
+    if (resolvedOptions?.protocols) {
+      next._protocols = [...resolvedOptions.protocols];
     } else if (next._protocols.length === 0) {
       next._protocols = ["x402"];
     }
-    if (options?.maxPrice) next._maxPrice = options.maxPrice;
-    if (options?.minPrice) next._minPrice = options.minPrice;
-    if (options?.payTo) next._payTo = options.payTo;
-    if (options?.mpp) next._mppInfo = options.mpp;
+    if (resolvedOptions?.maxPrice) next._maxPrice = resolvedOptions.maxPrice;
+    if (resolvedOptions?.minPrice) next._minPrice = resolvedOptions.minPrice;
+    if (resolvedOptions?.payTo) next._payTo = resolvedOptions.payTo;
+    if (resolvedOptions?.mpp) next._mppInfo = resolvedOptions.mpp;
+    if (resolvedOptions?.dynamic) next._dynamicPrice = true;
+    if (resolvedOptions?.tickCost) next._tickCost = resolvedOptions.tickCost;
+    if (resolvedOptions?.unitType) next._unitType = resolvedOptions.unitType;
     if (typeof pricing === "object" && "tiers" in pricing) {
+      if (next._dynamicPrice) {
+        throw new Error(
+          `route '${this._key}': .paid({ dynamic: true }) is incompatible with tiered pricing`
+        );
+      }
       for (const [tierKey, tierConfig] of Object.entries(pricing.tiers)) {
         if (!tierKey) {
           throw new Error(`route '${this._key}': tier key cannot be empty`);
@@ -2476,16 +3279,40 @@ var RouteBuilder = class {
         }
       }
     }
-    if (options?.maxPrice !== void 0) {
-      const parsed = parseFloat(options.maxPrice);
+    if (resolvedOptions?.maxPrice !== void 0) {
+      const parsed = parseFloat(resolvedOptions.maxPrice);
+      if (isNaN(parsed) || parsed <= 0) {
+        throw new Error(
+          `route '${this._key}': maxPrice '${resolvedOptions.maxPrice}' must be a positive decimal string`
+        );
+      }
+    }
+    if (resolvedOptions?.tickCost !== void 0) {
+      const parsed = parseFloat(resolvedOptions.tickCost);
       if (isNaN(parsed) || parsed <= 0) {
         throw new Error(
-          `route '${this._key}': maxPrice '${options.maxPrice}' must be a positive decimal string`
+          `route '${this._key}': tickCost '${resolvedOptions.tickCost}' must be a positive decimal string`
         );
       }
     }
+    if (next._dynamicPrice && !next._maxPrice) {
+      throw new Error(`route '${this._key}': .paid({ dynamic: true }) requires maxPrice`);
+    }
+    if (next._dynamicPrice && !next._tickCost) {
+      throw new Error(`route '${this._key}': .paid({ dynamic: true }) requires tickCost`);
+    }
     return next;
   }
+  /**
+   * Require Sign-In-with-X wallet identity on this route — clients prove
+   * control of a wallet via a signed challenge. Combine with `.paid()` to gate
+   * a paid route on a verified wallet identity.
+   *
+   * @example
+   * ```ts
+   * router.route('profile').siwx().handler(async ({ wallet }) => getProfile(wallet));
+   * ```
+   */
   siwx() {
     if (this._authMode === "unprotected") {
       throw new Error(
@@ -2508,6 +3335,19 @@ var RouteBuilder = class {
     next._protocols = [];
     return next;
   }
+  /**
+   * Require an `X-API-Key` header (or `Authorization: Bearer <key>`); the
+   * resolver returns the account record, or `null` for 401. Composes with
+   * `.paid()` — key is checked first, payment second.
+   *
+   * @example
+   * ```ts
+   * router
+   *   .route('admin/users')
+   *   .apiKey(async (key) => db.admin.findByKey(key))
+   *   .handler(async ({ account }) => db.user.list(account.orgId));
+   * ```
+   */
   apiKey(resolver) {
     if (this._siwxEnabled) {
       throw new Error(
@@ -2519,6 +3359,15 @@ var RouteBuilder = class {
     next._apiKeyResolver = resolver;
     return next;
   }
+  /**
+   * Mark the route as public — no auth, no payment, no SIWX. The handler
+   * receives `null` for `wallet`, `payment`, and `account`.
+   *
+   * @example
+   * ```ts
+   * router.route('health').unprotected().handler(async () => ({ status: 'ok' }));
+   * ```
+   */
   unprotected() {
     if (this._authMode && this._authMode !== "unprotected") {
       throw new Error(
@@ -2535,60 +3384,82 @@ var RouteBuilder = class {
     next._protocols = [];
     return next;
   }
-  // -------------------------------------------------------------------------
-  // Provider monitoring
-  // -------------------------------------------------------------------------
+  /**
+   * Tag the route with an upstream provider for discovery and provider-side
+   * monitoring. The provider name and config surface in `well-known` and
+   * OpenAPI output.
+   *
+   * @example
+   * ```ts
+   * router
+   *   .route('search')
+   *   .paid('0.01')
+   *   .provider('exa', { quotaPerMonth: 1000 })
+   *   .handler(handler);
+   * ```
+   */
   provider(name, config) {
     const next = this.fork();
     next._providerName = name;
     next._providerConfig = config ?? {};
     return next;
   }
-  body(schema, example) {
+  /**
+   * Declare the request body's Zod schema. Parsed body is typed as `ctx.body`
+   * in the handler. Use `.inputExample()` to attach a discovery example.
+   *
+   * @example
+   * ```ts
+   * .body(z.object({ query: z.string() }))
+   *   .handler(async ({ body }) => search(body.query));
+   * ```
+   */
+  body(schema) {
     const next = this.fork();
     next._bodySchema = schema;
-    if (example !== void 0) {
-      next._inputExample = example;
-      next._hasInputExample = true;
-    }
     return next;
   }
-  query(schema, example) {
+  /**
+   * Declare a query-string Zod schema and switch the route to `GET`. Parsed
+   * query is typed as `ctx.query` in the handler. Use `.inputExample()` to
+   * attach a discovery example.
+   *
+   * @example
+   * ```ts
+   * .query(z.object({ id: z.string() }))
+   *   .handler(async ({ query }) => getById(query.id));
+   * ```
+   */
+  query(schema) {
     const next = this.fork();
     next._querySchema = schema;
-    if (example !== void 0) {
-      next._inputExample = example;
-      next._hasInputExample = true;
-    }
     next._method = "GET";
     return next;
   }
-  output(schema, example) {
+  /**
+   * Declare the response output's Zod schema for OpenAPI generation. The
+   * runtime does not validate handler return values — use Zod's `.parse()`
+   * inside the handler if strict output validation is required. Use
+   * `.outputExample()` to attach a discovery example.
+   *
+   * @example
+   * ```ts
+   * .output(z.object({ result: z.string() }))
+   *   .handler(async () => ({ result: 'ok' }));
+   * ```
+   */
+  output(schema) {
     const next = this.fork();
     next._outputSchema = schema;
-    if (example !== void 0) {
-      next._outputExample = example;
-      next._hasOutputExample = true;
-    }
     return next;
   }
   /**
-   * Provide a conforming example of the request input (body or query params).
-   *
-   * Optional. When provided, the example is validated against the request schema
-   * at route registration and embedded in the bazaar discovery extension so
-   * indexers can advertise a working sample call.
-   *
-   * For the common case, pass the example directly to `.body(schema, example)` or
-   * `.query(schema, example)` instead.
+   * Attach an example of the request body or query for discovery output,
+   * validated against the registered schema at registration.
    *
    * @example
    * ```ts
-   * router.route('search')
-   *   .paid('0.01')
-   *   .body(z.object({ q: z.string() }))
-   *   .inputExample({ q: 'hello world' })
-   *   .handler(async ({ body }) => { ... });
+   * .body(searchSchema).inputExample({ query: 'cats' });
    * ```
    */
   inputExample(example) {
@@ -2598,32 +3469,12 @@ var RouteBuilder = class {
     return next;
   }
   /**
-   * Provide a conforming example of the response output.
-   *
-   * Optional. When provided, the example is validated against the output schema
-   * at route registration and embedded in the bazaar discovery extension so
-   * indexers can advertise the response shape.
-   *
-   * For the common case, pass the example directly to `.output(schema, example)` instead.
-   *
-   * Accepts any JSON value (objects, arrays, or primitives) — top-level array
-   * or primitive responses (e.g. `z.array(...)`) are supported alongside the
-   * common object case.
+   * Attach an example response for discovery output, validated against the
+   * registered output schema at registration.
    *
    * @example
    * ```ts
-   * router.route('search')
-   *   .paid('0.01')
-   *   .output(z.object({ results: z.array(z.string()) }))
-   *   .outputExample({ results: ['a', 'b'] })
-   *   .handler(async () => { ... });
-   *
-   * // Top-level array response
-   * router.route('chains')
-   *   .paid('0.01')
-   *   .output(z.array(z.object({ name: z.string() })))
-   *   .outputExample([{ name: 'Ethereum' }])
-   *   .handler(async () => { ... });
+   * .output(resultSchema).outputExample({ result: 'ok' });
    * ```
    */
   outputExample(example) {
@@ -2632,71 +3483,125 @@ var RouteBuilder = class {
     next._hasOutputExample = true;
     return next;
   }
+  /**
+   * Set a human-readable summary of the route. Surfaces in OpenAPI,
+   * `well-known`, and `llms.txt` discovery output.
+   *
+   * @example
+   * ```ts
+   * .description('Search indexed web pages by full-text query');
+   * ```
+   */
   description(text) {
     const next = this.fork();
     next._description = text;
     return next;
   }
+  /**
+   * Override the URL path advertised in discovery output. Defaults to the
+   * registry key passed to `.route()`.
+   *
+   * @example
+   * ```ts
+   * router.route('search').path('/v2/search').handler(handler);
+   * ```
+   */
   path(p) {
     const next = this.fork();
     next._path = p;
     return next;
   }
+  /**
+   * Override the HTTP method advertised in discovery. Defaults to `POST`, or
+   * `GET` when `.query()` has been called.
+   *
+   * @example
+   * ```ts
+   * router.route('items/delete').method('DELETE').handler(handler);
+   * ```
+   */
   method(m) {
     const next = this.fork();
     next._method = m;
     return next;
   }
-  // -------------------------------------------------------------------------
-  // Pre-payment validation
-  // -------------------------------------------------------------------------
   /**
-   * Add pre-payment validation that runs after body parsing but before the 402
-   * challenge is shown. Use this for async business logic like "is this resource
-   * available?" or "has this user hit their rate limit?".
+   * Run validation against the parsed body before the 402 challenge. Throw
+   * `Object.assign(new Error('...'), { status })` to reject with a custom
+   * status code; defaults to 400. Requires `.body()` to be called first.
+   *
+   * @example
+   * ```ts
+   * .body(RegisterSchema).validate(async (body) => {
+   *   if (await isTaken(body.name)) {
+   *     throw Object.assign(new Error('taken'), { status: 409 });
+   *   }
+   * });
+   * ```
+   */
+  validate(fn) {
+    const next = this.fork();
+    next._validateFn = fn;
+    return next;
+  }
+  /**
+   * Hook into the settlement lifecycle. `beforeSettle` runs after the handler
+   * succeeds but before on-chain settlement and can cancel the charge;
+   * `afterSettle` runs after settlement completes (success or failure).
    *
-   * Requires `.body()` — call `.body()` before `.validate()` for type inference.
+   * @example
+   * ```ts
+   * .settlement({
+   *   beforeSettle: ({ result }) => (result.refund ? 'skip' : 'continue'),
+   *   afterSettle: ({ tx }) => analytics.track('settled', { tx }),
+   * });
+   * ```
+   */
+  settlement(lifecycle) {
+    const next = this.fork();
+    next._settlement = lifecycle;
+    return next;
+  }
+  /**
+   * Register the request handler and return the Next.js route function. The
+   * handler receives a typed context and may return a value (serialized to
+   * JSON), a raw `Response`, or throw an `HttpError` for a non-2xx status.
    *
    * @example
-   * ```typescript
-   * router
-   *   .route('domain/register')
-   *   .paid(calculatePrice)
-   *   .body(RegisterSchema)  // .body() first for type inference
-   *   .validate(async (body) => {
-   *     if (await isDomainTaken(body.domain)) {
-   *       throw Object.assign(new Error('Domain taken'), { status: 409 });
-   *     }
-   *   })
-   *   .handler(async ({ body }) => { ... });
+   * ```ts
+   * export const POST = router
+   *   .route('search')
+   *   .paid('0.01')
+   *   .body(schema)
+   *   .handler(async ({ body, wallet }) => searchService(body, wallet));
    * ```
    */
-  validate(fn) {
-    const next = this.fork();
-    next._validateFn = fn;
-    return next;
+  handler(fn) {
+    return this.register(fn, false);
   }
-  // -------------------------------------------------------------------------
-  // Settlement lifecycle
-  // -------------------------------------------------------------------------
   /**
-   * Add route-specific settlement hooks.
+   * Register a streaming handler (`async function*`) and return the Next.js
+   * route function. Each `charge()` call bills one tick (`tickCost` USDC) up
+   * to `maxPrice`; requires `.paid({ dynamic: true, ... })` and MPP session mode.
    *
-   * `beforeSettle` runs after a successful handler response but before
-   * router-controlled settlement/broadcast, so it can still prevent the charge
-   * for x402 and MPP transaction-payload flows. `afterSettle` runs after
-   * settlement and is intended for durable ledgers or app-owned refund queues.
+   * @example
+   * ```ts
+   * export const POST = router
+   *   .route('llm/stream')
+   *   .paid({ dynamic: true, tickCost: '0.0001', unitType: 'token', maxPrice: '0.05' })
+   *   .body(schema)
+   *   .stream(async function* ({ body, charge }) {
+   *     for await (const token of streamLLM(body.prompt)) {
+   *       await charge();
+   *       yield token;
+   *     }
+   *   });
+   * ```
    */
-  settlement(lifecycle) {
-    const next = this.fork();
-    next._settlement = lifecycle;
-    return next;
+  stream(fn) {
+    return this.register(fn, true);
   }
-  // -------------------------------------------------------------------------
-  // Terminal method
-  // -------------------------------------------------------------------------
-  handler(fn) {
-    const handlerFn = fn;
+  register(handlerFn, streaming) {
     if (!this._authMode) {
       throw new Error(
         `route '${this._key}': Select an auth mode: .paid(pricing), .siwx(), .apiKey(resolver), or .unprotected()`
@@ -2710,6 +3615,26 @@ var RouteBuilder = class {
     if (this._settlement && !this._pricing) {
       throw new Error(`route '${this._key}': .settlement() requires a paid route`);
     }
+    if (this._dynamicPrice && this._protocols.includes("x402")) {
+      const hasUpto = this._deps.x402Accepts.some((accept) => accept.scheme === "upto");
+      if (!hasUpto) {
+        throw new Error(
+          `route '${this._key}': .paid({ dynamic: true }) on an x402 route requires an 'upto' accept on at least one configured network. Add { scheme: 'upto', network, asset } to RouterConfig.x402.accepts.`
+        );
+      }
+    }
+    if (this._dynamicPrice && this._protocols.includes("mpp")) {
+      if (!this._deps.mppSessionConfig) {
+        throw new Error(
+          `route '${this._key}': .paid({ dynamic: true }) on an MPP route requires session mode. Set RouterConfig.mpp.session = {} and provide mpp.operatorKey.`
+        );
+      }
+    }
+    if (streaming && !this._dynamicPrice) {
+      throw new Error(
+        `route '${this._key}': .stream() requires .paid({ dynamic: true }) \u2014 static/free routes can't meter per-chunk billing.`
+      );
+    }
     validateExamples(
       this._key,
       this._bodySchema,
@@ -2725,6 +3650,8 @@ var RouteBuilder = class {
       authMode: this._authMode,
       siwxEnabled: this._siwxEnabled,
       pricing: this._pricing,
+      dynamicPrice: this._dynamicPrice ? true : void 0,
+      streaming: streaming ? true : void 0,
       protocols: this._protocols,
       bodySchema: this._bodySchema,
       querySchema: this._querySchema,
@@ -2742,81 +3669,28 @@ var RouteBuilder = class {
       providerConfig: this._providerConfig,
       validateFn: this._validateFn,
       settlement: this._settlement,
-      mppInfo: this._mppInfo
+      mppInfo: this._mppInfo,
+      tickCost: this._tickCost,
+      unitType: this._unitType
     };
     this._registry.register(entry);
-    return createRequestHandler(
-      entry,
-      handlerFn,
-      this._deps
-    );
+    return createRequestHandler(entry, handlerFn, this._deps);
   }
 };
-
-// src/auth/entitlement.ts
-var MemoryEntitlementStore = class {
-  routeToWallets = /* @__PURE__ */ new Map();
-  async has(route, wallet) {
-    const wallets = this.routeToWallets.get(route);
-    if (!wallets) return false;
-    return wallets.has(normalizeWalletAddress(wallet));
-  }
-  async grant(route, wallet) {
-    const normalized = normalizeWalletAddress(wallet);
-    let wallets = this.routeToWallets.get(route);
-    if (!wallets) {
-      wallets = /* @__PURE__ */ new Set();
-      this.routeToWallets.set(route, wallets);
+function resolvePaidArgs(routeKey, pricingOrOptions, options) {
+  const isHandlerDynamicShape = typeof pricingOrOptions === "object" && pricingOrOptions !== null && typeof pricingOrOptions !== "function" && !("tiers" in pricingOrOptions) && "dynamic" in pricingOrOptions && pricingOrOptions.dynamic;
+  if (isHandlerDynamicShape) {
+    const opts = pricingOrOptions;
+    if (!opts.maxPrice) {
+      throw new Error(`route '${routeKey}': .paid({ dynamic: true }) requires maxPrice`);
     }
-    wallets.add(normalized);
-  }
-};
-function detectRedisClientType2(client) {
-  if (!client || typeof client !== "object") {
-    throw new Error(
-      "createRedisEntitlementStore requires a Redis client. Supported: @upstash/redis, ioredis."
-    );
+    return { pricing: opts.maxPrice, resolvedOptions: opts };
   }
-  if ("options" in client && "status" in client) return "ioredis";
-  const constructor = client.constructor?.name;
-  if (constructor === "Redis" && "url" in client) return "upstash";
-  if (typeof client.sadd === "function" && typeof client.sismember === "function") {
-    return "upstash";
-  }
-  throw new Error("Unrecognized Redis client for entitlement store.");
-}
-function createRedisEntitlementStore(client, options) {
-  const clientType = detectRedisClientType2(client);
-  const prefix = options?.prefix ?? "siwx:entitlement:";
-  return {
-    async has(route, wallet) {
-      const key = `${prefix}${route}`;
-      const normalized = normalizeWalletAddress(wallet);
-      if (clientType === "upstash") {
-        const redis2 = client;
-        const result2 = await redis2.sismember(key, normalized);
-        return result2 === 1 || result2 === true;
-      }
-      const redis = client;
-      const result = await redis.sismember(key, normalized);
-      return result === 1;
-    },
-    async grant(route, wallet) {
-      const key = `${prefix}${route}`;
-      const normalized = normalizeWalletAddress(wallet);
-      if (clientType === "upstash") {
-        const redis2 = client;
-        await redis2.sadd(key, normalized);
-        return;
-      }
-      const redis = client;
-      await redis.sadd(key, normalized);
-    }
-  };
+  return { pricing: pricingOrOptions, resolvedOptions: options };
 }
 
 // src/discovery/well-known.ts
-var import_server6 = require("next/server");
+var import_server8 = require("next/server");
 
 // src/discovery/utils/guidance.ts
 async function resolveGuidance(discovery) {
@@ -2860,7 +3734,7 @@ function createWellKnownHandler(registry, baseUrl, pricesKeys, discovery) {
     if (instructions) {
       body.instructions = instructions;
     }
-    return import_server6.NextResponse.json(body, {
+    return import_server8.NextResponse.json(body, {
       headers: {
         "Access-Control-Allow-Origin": "*",
         "Access-Control-Allow-Methods": "GET",
@@ -2877,14 +3751,14 @@ function toDiscoveryResource(method, url, mode) {
 }
 
 // src/discovery/openapi.ts
-var import_server7 = require("next/server");
+var import_server9 = require("next/server");
 init_constants();
 function createOpenAPIHandler(registry, baseUrl, pricesKeys, discovery) {
   const normalizedBase = baseUrl.replace(/\/+$/, "");
   let cached = null;
   let validated = false;
   return async (_request) => {
-    if (cached) return import_server7.NextResponse.json(cached);
+    if (cached) return import_server9.NextResponse.json(cached);
     if (!validated && pricesKeys) {
       registry.validate(pricesKeys);
       validated = true;
@@ -2947,7 +3821,7 @@ function createOpenAPIHandler(registry, baseUrl, pricesKeys, discovery) {
       paths
     };
     cached = createDocument(openApiDocument);
-    return import_server7.NextResponse.json(cached);
+    return import_server9.NextResponse.json(cached);
   };
 }
 function deriveTag(routeKey) {
@@ -3020,7 +3894,7 @@ function toProtocolObject(protocol, mppInfo) {
       mpp: {
         method: mppInfo?.method ?? "tempo",
         intent: mppInfo?.intent ?? "charge",
-        currency: mppInfo?.currency ?? TEMPO_USDC_CURRENCY
+        currency: mppInfo?.currency ?? TEMPO_USDC_ADDRESS
       }
     };
   }
@@ -3070,11 +3944,11 @@ function buildPricingInfo(entry) {
 }
 
 // src/discovery/llms-txt.ts
-var import_server8 = require("next/server");
+var import_server10 = require("next/server");
 function createLlmsTxtHandler(discovery) {
   return async (_request) => {
     const guidance = await resolveGuidance(discovery) ?? "";
-    return new import_server8.NextResponse(guidance, {
+    return new import_server10.NextResponse(guidance, {
       headers: {
         "Content-Type": "text/plain; charset=utf-8",
         "Access-Control-Allow-Origin": "*"
@@ -3087,11 +3961,7 @@ function createLlmsTxtHandler(discovery) {
 init_accepts();
 init_constants();
 
-// src/config.ts
-init_constants();
-init_evm();
-init_solana();
-init_accepts();
+// src/config/error.ts
 var RouterConfigError = class extends Error {
   issues;
   constructor(issues) {
@@ -3100,184 +3970,260 @@ var RouterConfigError = class extends Error {
     this.issues = issues;
   }
 };
-function validateRouterConfig(config, options = {}) {
-  const issues = getRouterConfigIssues(config, options);
-  if (issues.length > 0) throw new RouterConfigError(issues);
+function formatRouterConfigIssues(issues) {
+  return issues.map((issue) => issue.message).join("\n");
 }
-function getRouterConfigIssues(config, options = {}) {
-  const env = options.env ?? process.env;
-  const issues = [];
-  const protocols = config.protocols ?? ["x402"];
-  if (!config.baseUrl) {
-    issues.push({
-      code: "missing_base_url",
-      message: '[router] baseUrl is required in RouterConfig. Set it to your production domain (e.g., "https://api.example.com"). The realm is used for payment matching and must be correct.'
-    });
+
+// src/config/schema.ts
+var import_zod = require("zod");
+init_constants();
+
+// src/config/utils.ts
+var import_accounts = require("viem/accounts");
+var EVM_ADDRESS_RE = /^0x[a-fA-F0-9]{40}$/;
+var EVM_PRIVATE_KEY_RE = /^0x[a-fA-F0-9]{64}$/;
+var SOLANA_ADDRESS_RE = /^[1-9A-HJ-NP-Za-km-z]{32,44}$/;
+var ZERO_EVM_ADDRESS_RE = /^0x0{40}$/i;
+function isUrl(value) {
+  try {
+    new URL(value);
+    return true;
+  } catch {
+    return false;
+  }
+}
+var isEvmAddress = (v) => EVM_ADDRESS_RE.test(v);
+var isEvmPrivateKey = (v) => EVM_PRIVATE_KEY_RE.test(v);
+var isPlaceholderEvm = (v) => ZERO_EVM_ADDRESS_RE.test(v);
+var isSolanaAddress = (v) => SOLANA_ADDRESS_RE.test(v);
+var isX402Network = (v) => v.startsWith("eip155:") || v.startsWith("solana:");
+var canonicalizeEvm = (addr) => addr.toLowerCase();
+function operatorAddressesCollide(opKey, fpKey) {
+  if (!opKey || !fpKey || !isEvmPrivateKey(opKey) || !isEvmPrivateKey(fpKey)) return null;
+  const op = (0, import_accounts.privateKeyToAccount)(opKey).address.toLowerCase();
+  const fp = (0, import_accounts.privateKeyToAccount)(fpKey).address.toLowerCase();
+  return op === fp ? op : null;
+}
+function trimAll(raw) {
+  const out = {};
+  for (const [k, v] of Object.entries(raw)) {
+    if (typeof v !== "string") {
+      out[k] = void 0;
+      continue;
+    }
+    const trimmed = v.trim();
+    out[k] = trimmed.length > 0 ? trimmed : void 0;
   }
-  if (config.protocols && config.protocols.length === 0) {
-    issues.push({
-      code: "empty_protocols",
-      message: "RouterConfig.protocols cannot be empty. Omit the field to use default ['x402'] or specify protocols explicitly."
-    });
+  return out;
+}
+
+// src/config/schema.ts
+function addIssue(ctx, params, message, path = []) {
+  ctx.addIssue({ code: "custom", path, params, message });
+}
+var x402 = { protocol: "x402" };
+var mpp = { protocol: "mpp" };
+var envShape = {
+  BASE_URL: import_zod.z.string().refine(isUrl, {
+    params: { code: "invalid_base_url" },
+    message: "BASE_URL must be a valid URL \u2014 the public origin used as the 402 realm, OpenAPI server URL, and MPP memo prefix. Must match the public domain."
+  }).optional(),
+  EVM_PAYEE_ADDRESS: import_zod.z.string().refine(isEvmAddress, {
+    params: { code: "invalid_x402_payee", ...x402 },
+    message: "EVM_PAYEE_ADDRESS must be a 0x-prefixed 20-byte EVM address \u2014 the wallet that receives x402 and MPP payments."
+  }).refine((v) => !isPlaceholderEvm(v), {
+    params: { code: "placeholder_payee", ...x402 },
+    message: "EVM_PAYEE_ADDRESS is the zero address (0x000\u2026000) \u2014 payments to this address are unrecoverable. Set it to a wallet you control."
+  }).optional(),
+  CDP_API_KEY_ID: import_zod.z.string().optional(),
+  CDP_API_KEY_SECRET: import_zod.z.string().optional(),
+  SOLANA_PAYEE_ADDRESS: import_zod.z.string().refine(isSolanaAddress, {
+    params: { code: "invalid_solana_payee", ...x402 },
+    message: "SOLANA_PAYEE_ADDRESS must be a base58 Solana address (32\u201344 chars). When set, the router also accepts Solana payments."
+  }).optional(),
+  SOLANA_FACILITATOR_URL: import_zod.z.string().refine(isUrl, {
+    params: { code: "invalid_solana_facilitator_url", ...x402 },
+    message: "SOLANA_FACILITATOR_URL must be a valid URL \u2014 override for the Solana x402 facilitator. Defaults to DEFAULT_SOLANA_FACILITATOR_URL."
+  }).optional(),
+  MPP_SECRET_KEY: import_zod.z.string().optional(),
+  MPP_CURRENCY: import_zod.z.string().refine(isEvmAddress, {
+    params: { code: "invalid_mpp_currency", ...mpp },
+    message: "MPP_CURRENCY must be a 0x-prefixed 20-byte Tempo currency address \u2014 the token contract MPP charges in. Use TEMPO_USDC_ADDRESS for Tempo USDC."
+  }).optional(),
+  TEMPO_RPC_URL: import_zod.z.string().refine(isUrl, {
+    params: { code: "invalid_mpp_rpc_url", ...mpp },
+    message: "TEMPO_RPC_URL must be a valid URL \u2014 authenticated Tempo JSON-RPC endpoint. Public rpc.tempo.xyz returns 401."
+  }).optional(),
+  MPP_OPERATOR_KEY: import_zod.z.string().refine(isEvmPrivateKey, {
+    params: { code: "invalid_mpp_operator_key", ...mpp },
+    message: "MPP_OPERATOR_KEY must be a 0x-prefixed 32-byte EVM private key \u2014 signs server-side close/settle; presence enables MPP session mode."
+  }).optional(),
+  MPP_FEE_PAYER_KEY: import_zod.z.string().refine(isEvmPrivateKey, {
+    params: { code: "invalid_mpp_fee_payer_key", ...mpp },
+    message: "MPP_FEE_PAYER_KEY must be a 0x-prefixed 32-byte EVM private key \u2014 sponsors client gas for channel open/topUp. Must resolve to a different address than MPP_OPERATOR_KEY."
+  }).optional(),
+  KV_REST_API_URL: import_zod.z.string().optional(),
+  KV_REST_API_TOKEN: import_zod.z.string().optional(),
+  NODE_ENV: import_zod.z.string().optional()
+};
+var ENV_KEYS = Object.keys(envShape);
+var EnvInputSchema = import_zod.z.object(envShape).passthrough().superRefine((env, ctx) => {
+  if (env.BASE_URL === void 0) {
+    addIssue(
+      ctx,
+      { code: "missing_base_url" },
+      "BASE_URL is required \u2014 the public origin used as the 402 realm, OpenAPI server URL, and MPP memo prefix. Set it to your production domain.",
+      ["BASE_URL"]
+    );
+  }
+  if (env.EVM_PAYEE_ADDRESS === void 0) {
+    addIssue(
+      ctx,
+      { code: "missing_x402_payee", ...x402 },
+      "EVM_PAYEE_ADDRESS is required \u2014 the EVM address that receives x402 and MPP payments.",
+      ["EVM_PAYEE_ADDRESS"]
+    );
   }
-  if (protocols.includes("x402")) {
-    issues.push(...validateX402Config(config, env, options));
+  if (env.MPP_SECRET_KEY) {
+    if (env.MPP_CURRENCY === void 0) {
+      addIssue(
+        ctx,
+        { code: "missing_mpp_currency", ...mpp },
+        "MPP_CURRENCY is required when MPP is enabled \u2014 the Tempo currency address MPP charges in. Use TEMPO_USDC_ADDRESS for Tempo USDC.",
+        ["MPP_CURRENCY"]
+      );
+    }
+    if (env.TEMPO_RPC_URL === void 0) {
+      addIssue(
+        ctx,
+        { code: "missing_mpp_rpc_url", ...mpp },
+        "TEMPO_RPC_URL is required when MPP is enabled \u2014 authenticated Tempo JSON-RPC endpoint. Public rpc.tempo.xyz returns 401.",
+        ["TEMPO_RPC_URL"]
+      );
+    }
   }
-  if (protocols.includes("mpp")) {
-    issues.push(...validateMppConfig(config, env));
+  const collision = operatorAddressesCollide(env.MPP_OPERATOR_KEY, env.MPP_FEE_PAYER_KEY);
+  if (collision) {
+    addIssue(
+      ctx,
+      { code: "mpp_operator_equals_fee_payer", ...mpp },
+      `MPP_OPERATOR_KEY and MPP_FEE_PAYER_KEY resolve to the same address (${collision}). Tempo rejects fee-delegated txs with sender === feePayer. Use two distinct wallets, or unset MPP_FEE_PAYER_KEY to let clients pay their own gas.`,
+      ["MPP_FEE_PAYER_KEY"]
+    );
   }
-  return issues;
-}
-function formatRouterConfigIssues(issues) {
-  return issues.map((issue) => issue.message).join("\n");
-}
-function mppFromEnv(env, options = {}) {
-  const secretKey = env.MPP_SECRET_KEY;
-  const currency = env.MPP_CURRENCY;
-  const rpcUrl = env.TEMPO_RPC_URL;
-  const feePayerKey = options.feePayerKey ?? env.MPP_FEE_PAYER_KEY;
-  const feePayerKeySource = options.feePayerKey !== void 0 ? "feePayerKey" : "MPP_FEE_PAYER_KEY";
-  const hasAnyMppEnv = Boolean(secretKey || currency || rpcUrl || options.require);
-  if (!hasAnyMppEnv) return void 0;
-  const missing = [
-    secretKey ? null : "MPP_SECRET_KEY",
-    currency ? null : "MPP_CURRENCY",
-    rpcUrl ? null : "TEMPO_RPC_URL"
-  ].filter(Boolean);
-  if (missing.length > 0) {
-    throw new Error(`MPP env is incomplete. Missing: ${missing.join(", ")}`);
-  }
-  if (!isEvmAddress(currency)) {
-    throw new Error("MPP_CURRENCY must be a 0x-prefixed 20-byte Tempo currency address");
-  }
-  if (options.recipient && !isEvmAddress(options.recipient)) {
-    throw new Error("MPP recipient must be a 0x-prefixed EVM address");
-  }
-  if (feePayerKey && !isEvmPrivateKey(feePayerKey)) {
-    throw new Error(`${feePayerKeySource} must be a 0x-prefixed 32-byte EVM private key`);
+});
+function collectKvWarnings(env, kvStoreOptionProvided) {
+  if (kvStoreOptionProvided) return [];
+  const warn = (code, message) => ({
+    code,
+    severity: "warning",
+    message
+  });
+  if (env.KV_REST_API_URL && !env.KV_REST_API_TOKEN) {
+    return [
+      warn(
+        "kv_url_without_token",
+        "KV_REST_API_URL is set but KV_REST_API_TOKEN is missing \u2014 falling back to in-memory KV (unsafe in serverless production)."
+      )
+    ];
   }
-  return {
-    secretKey,
-    currency,
-    rpcUrl,
-    ...options.recipient ? { recipient: options.recipient } : {},
-    ...feePayerKey ? { feePayerKey } : {},
-    ...options.useDefaultStore !== void 0 ? { useDefaultStore: options.useDefaultStore } : {}
-  };
-}
-function x402AcceptsFromEnv(env, options = {}) {
-  const payeeEnv = options.payeeEnv ?? "X402_WALLET_ADDRESS";
-  const solanaPayeeEnv = options.solanaPayeeEnv ?? "SOLANA_PAYEE_ADDRESS";
-  const payeeAddress = options.payeeAddress ?? env[payeeEnv];
-  if (!payeeAddress) {
-    throw new Error(`${payeeEnv} is required to build x402 accepts`);
+  if (env.KV_REST_API_TOKEN && !env.KV_REST_API_URL) {
+    return [
+      warn(
+        "kv_token_without_url",
+        "KV_REST_API_TOKEN is set but KV_REST_API_URL is missing \u2014 falling back to in-memory KV (unsafe in serverless production)."
+      )
+    ];
   }
-  const accepts = [
+  if (env.KV_REST_API_URL && env.KV_REST_API_TOKEN && !isUrl(env.KV_REST_API_URL)) {
+    return [
+      warn(
+        "invalid_kv_url",
+        `KV_REST_API_URL is not a valid URL \u2014 KV calls will fail at request time. Got: ${env.KV_REST_API_URL}`
+      )
+    ];
+  }
+  if (!env.KV_REST_API_URL && !env.KV_REST_API_TOKEN && env.NODE_ENV === "production") {
+    return [
+      warn(
+        "missing_kv_in_production",
+        "No KV_REST_API_URL/KV_REST_API_TOKEN set in production \u2014 using the in-memory KV store. SIWX nonce, SIWX entitlement, and MPP replay state will be lost across instances. Configure Upstash/Vercel KV or pass a custom kvStore."
+      )
+    ];
+  }
+  return [];
+}
+function getConfiguredX402Accepts2(config) {
+  if (config.x402?.accepts?.length) return [...config.x402.accepts];
+  return [
     {
       scheme: "exact",
-      network: options.network ?? BASE_NETWORK,
-      payTo: payeeAddress
+      network: config.network ?? BASE_MAINNET_NETWORK,
+      payTo: config.payeeAddress
     }
   ];
-  const solanaPayeeAddress = options.solanaPayeeAddress ?? env[solanaPayeeEnv];
-  if (solanaPayeeAddress) {
-    accepts.push({
-      scheme: "exact",
-      network: SOLANA_MAINNET_NETWORK,
-      payTo: solanaPayeeAddress
-    });
-  }
-  return accepts;
-}
-function paidOptionsForProtocols(protocols) {
-  return { protocols: [...protocols] };
 }
 function validateX402Config(config, env, options) {
+  const accepts = getConfiguredX402Accepts2(config);
   const issues = [];
-  const accepts = getConfiguredX402Accepts(config);
+  const push = (code, message) => issues.push({ code, protocol: "x402", message });
   if (accepts.length === 0) {
-    issues.push({
-      code: "missing_x402_accepts",
-      protocol: "x402",
-      message: "x402 requires at least one accept configuration."
-    });
+    push("missing_x402_accepts", "x402 requires at least one accept configuration.");
     return issues;
   }
-  const acceptWithoutNetwork = accepts.find((accept) => !accept.network);
-  if (acceptWithoutNetwork) {
-    issues.push({
-      code: "missing_x402_network",
-      protocol: "x402",
-      message: "x402 accepts require a network."
-    });
+  if (accepts.some((a) => !a.network)) {
+    push("missing_x402_network", "x402 accepts require a network.");
   }
-  const unsupported = accepts.find(
-    (accept) => accept.network && !isSupportedX402Network(accept.network)
-  );
+  const unsupported = accepts.find((a) => a.network && !isX402Network(a.network));
   if (unsupported) {
-    issues.push({
-      code: "unsupported_x402_network",
-      protocol: "x402",
-      message: `unsupported x402 network '${unsupported.network}'. Use eip155:* or solana:*.`
-    });
+    push(
+      "unsupported_x402_network",
+      `unsupported x402 network '${unsupported.network}'. Use eip155:* or solana:*.`
+    );
   }
-  const missingAsset = accepts.find(
-    (accept) => (accept.scheme ?? "exact") !== "exact" && !accept.asset
-  );
-  if (missingAsset) {
-    issues.push({
-      code: "missing_x402_asset",
-      protocol: "x402",
-      message: "non-exact x402 accepts require an asset."
-    });
+  if (accepts.some((a) => (a.scheme ?? "exact") !== "exact" && !a.asset)) {
+    push("missing_x402_asset", "non-exact x402 accepts require an asset.");
   }
-  const invalidDecimals = accepts.find(
-    (accept) => accept.decimals !== void 0 && (!Number.isInteger(accept.decimals) || accept.decimals < 0)
-  );
-  if (invalidDecimals) {
-    issues.push({
-      code: "invalid_x402_decimals",
-      protocol: "x402",
-      message: "x402 accept decimals must be a non-negative integer."
-    });
+  if (accepts.some(
+    (a) => a.decimals !== void 0 && (!Number.isInteger(a.decimals) || a.decimals < 0)
+  )) {
+    push("invalid_x402_decimals", "x402 accept decimals must be a non-negative integer.");
   }
-  if (accepts.some((accept) => !accept.payTo) && !config.payeeAddress) {
-    issues.push({
-      code: "missing_x402_payee",
-      protocol: "x402",
-      message: "x402 requires payeeAddress in router config or payTo on every x402 accept."
-    });
+  if (!config.payeeAddress && accepts.some((a) => !a.payTo)) {
+    push(
+      "missing_x402_payee",
+      "x402 requires payeeAddress in router config or payTo on every x402 accept."
+    );
   }
-  const placeholder = findPlaceholderPayee([
+  const placeholder = [
     config.payeeAddress,
-    ...accepts.map((accept) => typeof accept.payTo === "string" ? accept.payTo : void 0)
-  ]);
+    ...accepts.map((a) => typeof a.payTo === "string" ? a.payTo : void 0)
+  ].find((v) => v !== void 0 && isPlaceholderEvm(v));
   if (placeholder) {
-    issues.push({
-      code: "placeholder_payee",
-      protocol: "x402",
-      message: `x402 payee '${placeholder}' is a placeholder address and cannot receive payments.`
-    });
+    push(
+      "placeholder_payee",
+      `x402 payee '${placeholder}' is a placeholder address and cannot receive payments.`
+    );
   }
-  if (options.requireCdpKeys !== false && usesDefaultEvmFacilitator(config)) {
-    const missing = [
-      env.CDP_API_KEY_ID ? null : "CDP_API_KEY_ID",
-      env.CDP_API_KEY_SECRET ? null : "CDP_API_KEY_SECRET"
-    ].filter(Boolean);
-    if (missing.length > 0) {
-      issues.push({
-        code: "missing_cdp_keys",
-        protocol: "x402",
-        message: `default EVM x402 facilitator requires ${missing.join(" and ")}.`
-      });
+  if (options.requireCdpKeys !== false) {
+    const hasEvm = accepts.some(
+      (a) => typeof a.network === "string" && a.network.startsWith("eip155:")
+    );
+    if (hasEvm) {
+      const missing = ["CDP_API_KEY_ID", "CDP_API_KEY_SECRET"].filter((k) => !env[k]);
+      if (missing.length > 0) {
+        push(
+          "missing_cdp_keys",
+          `x402 EVM facilitator (Coinbase) requires ${missing.join(" and ")}.`
+        );
+      }
     }
   }
   return issues;
 }
-function validateMppConfig(config, env) {
-  const issues = [];
-  const mpp = config.mpp;
-  if (!mpp) {
+function validateMppConfig(config) {
+  const m = config.mpp;
+  if (!m) {
     return [
       {
         code: "missing_mpp_config",
@@ -3286,98 +4232,343 @@ function validateMppConfig(config, env) {
       }
     ];
   }
-  if (!mpp.secretKey) {
-    issues.push({
-      code: "missing_mpp_secret_key",
-      protocol: "mpp",
-      message: "MPP requires secretKey. Set MPP_SECRET_KEY or pass mpp.secretKey."
-    });
+  const issues = [];
+  const push = (code, message) => issues.push({ code, protocol: "mpp", message });
+  if (!m.secretKey) {
+    push(
+      "missing_mpp_secret_key",
+      "MPP requires secretKey. Set MPP_SECRET_KEY or pass mpp.secretKey."
+    );
   }
-  if (!mpp.currency) {
-    issues.push({
-      code: "missing_mpp_currency",
-      protocol: "mpp",
-      message: "MPP requires currency. Set MPP_CURRENCY or pass mpp.currency."
-    });
-  } else if (!isEvmAddress(mpp.currency)) {
-    issues.push({
-      code: "invalid_mpp_currency",
-      protocol: "mpp",
-      message: "MPP currency must be a 0x-prefixed 20-byte Tempo currency address. Use TEMPO_USDC_CURRENCY for Tempo USDC."
+  if (!m.currency) {
+    push("missing_mpp_currency", "MPP requires currency. Set MPP_CURRENCY or pass mpp.currency.");
+  } else if (!isEvmAddress(m.currency)) {
+    push(
+      "invalid_mpp_currency",
+      "MPP currency must be a 0x-prefixed 20-byte Tempo currency address. Use TEMPO_USDC_ADDRESS for Tempo USDC."
+    );
+  }
+  const recipient = m.recipient ?? config.payeeAddress;
+  if (!recipient) {
+    push(
+      "missing_mpp_recipient",
+      "MPP requires a recipient address. Set mpp.recipient or payeeAddress in your router config."
+    );
+  } else if (!isEvmAddress(recipient)) {
+    push(
+      "invalid_mpp_recipient",
+      "MPP recipient must be a 0x-prefixed EVM address. Solana recipients require x402."
+    );
+  }
+  const placeholder = [m.recipient, config.payeeAddress].find(
+    (v) => typeof v === "string" && isPlaceholderEvm(v)
+  );
+  if (placeholder) {
+    push(
+      "placeholder_payee",
+      `MPP recipient '${placeholder}' is a placeholder address and cannot receive payments.`
+    );
+  }
+  if (!m.rpcUrl) {
+    push(
+      "missing_mpp_rpc_url",
+      "MPP requires an authenticated Tempo RPC URL. Set TEMPO_RPC_URL env var or pass rpcUrl in the mpp config object."
+    );
+  }
+  if (m.feePayerKey && !isEvmPrivateKey(m.feePayerKey)) {
+    push(
+      "invalid_mpp_fee_payer_key",
+      "MPP feePayerKey must be a 0x-prefixed 32-byte EVM private key."
+    );
+  }
+  if (m.operatorKey && !isEvmPrivateKey(m.operatorKey)) {
+    push(
+      "invalid_mpp_operator_key",
+      "MPP operatorKey must be a 0x-prefixed 32-byte EVM private key."
+    );
+  }
+  const collision = operatorAddressesCollide(m.operatorKey, m.feePayerKey);
+  if (collision) {
+    push(
+      "mpp_operator_equals_fee_payer",
+      `MPP operatorKey and feePayerKey resolve to the same address (${collision}). Tempo rejects fee-delegated txs with sender === feePayer, so channel close/settle would fail at runtime. Either use two distinct wallets, or omit feePayerKey to disable gas sponsorship (clients then pay their own gas).`
+    );
+  }
+  return issues;
+}
+function translateZodIssues(error) {
+  return error.issues.map((issue) => {
+    const params = issue.params;
+    if (!params?.code) {
+      throw new Error(
+        `[router] schema issue missing params.code (path=${issue.path.join(".")}, message=${issue.message}). Every refinement / addIssue call must set params.code.`
+      );
+    }
+    return {
+      code: params.code,
+      message: issue.message,
+      ...params.protocol ? { protocol: params.protocol } : {},
+      ...params.severity ? { severity: params.severity } : {}
+    };
+  });
+}
+function routerConfigFromEnv(options) {
+  const rawEnv = options.env ?? process.env;
+  const env = trimAll(rawEnv);
+  const optionIssues = [];
+  if (!options.title?.trim()) {
+    optionIssues.push({
+      code: "missing_discovery_title",
+      message: "discovery `title` is required. Pass a short product name."
     });
   }
-  const mppRecipient = mpp.recipient ?? config.payeeAddress;
-  if (!mppRecipient) {
-    issues.push({
-      code: "missing_mpp_recipient",
-      protocol: "mpp",
-      message: "MPP requires a recipient address. Set mpp.recipient or payeeAddress in your router config."
+  if (!options.description?.trim()) {
+    optionIssues.push({
+      code: "missing_discovery_description",
+      message: "discovery `description` is required. One sentence is enough."
     });
-  } else if (!isEvmAddress(mppRecipient)) {
-    issues.push({
-      code: "invalid_mpp_recipient",
-      protocol: "mpp",
-      message: "MPP recipient must be a 0x-prefixed EVM address. Solana recipients require x402."
+  }
+  if (options.guidance === void 0) {
+    optionIssues.push({
+      code: "missing_discovery_guidance",
+      message: "discovery `guidance` is required. Provide an empty string to opt out of `/llms.txt`."
     });
   }
-  const placeholder = findPlaceholderPayee([mpp.recipient, config.payeeAddress]);
-  if (placeholder) {
-    issues.push({
-      code: "placeholder_payee",
-      protocol: "mpp",
-      message: `MPP recipient '${placeholder}' is a placeholder address and cannot receive payments.`
+  if (options.serverUrl !== void 0 && !isUrl(options.serverUrl)) {
+    optionIssues.push({
+      code: "invalid_server_url",
+      message: `discovery \`serverUrl\` must be a valid URL. Got: ${options.serverUrl}`
     });
   }
-  if (!(mpp.rpcUrl ?? env.TEMPO_RPC_URL)) {
-    issues.push({
-      code: "missing_mpp_rpc_url",
-      protocol: "mpp",
-      message: "MPP requires an authenticated Tempo RPC URL. Set TEMPO_RPC_URL env var or pass rpcUrl in the mpp config object."
+  const parsed = EnvInputSchema.safeParse(env);
+  const envIssues = parsed.success ? [] : translateZodIssues(parsed.error);
+  const issues = [...envIssues, ...optionIssues];
+  if (issues.length > 0) throw new RouterConfigError(issues);
+  for (const warning of collectKvWarnings(env, options.kvStore !== void 0)) {
+    console.warn(`[router] ${warning.message}`);
+  }
+  const payeeAddress = canonicalizeEvm(env.EVM_PAYEE_ADDRESS);
+  const accepts = [
+    { scheme: "exact", network: BASE_MAINNET_NETWORK, payTo: payeeAddress },
+    {
+      scheme: "upto",
+      network: BASE_MAINNET_NETWORK,
+      payTo: payeeAddress,
+      asset: BASE_USDC_ADDRESS,
+      decimals: BASE_USDC_DECIMALS
+    }
+  ];
+  if (env.SOLANA_PAYEE_ADDRESS) {
+    accepts.push({
+      scheme: "exact",
+      network: SOLANA_MAINNET_NETWORK,
+      payTo: env.SOLANA_PAYEE_ADDRESS
     });
   }
-  if (mpp.feePayerKey && !isEvmPrivateKey(mpp.feePayerKey)) {
+  const configuredSolanaFacilitator = options.x402Facilitators?.solana;
+  const solanaFacilitator = typeof configuredSolanaFacilitator === "string" ? configuredSolanaFacilitator : configuredSolanaFacilitator ?? env.SOLANA_FACILITATOR_URL ?? DEFAULT_SOLANA_FACILITATOR_URL;
+  const mppEnabled = options.protocols?.includes("mpp") ?? Boolean(env.MPP_SECRET_KEY);
+  const protocols = options.protocols ? [...options.protocols] : mppEnabled ? ["x402", "mpp"] : ["x402"];
+  const mppConfig = mppEnabled ? {
+    secretKey: env.MPP_SECRET_KEY,
+    currency: canonicalizeEvm(env.MPP_CURRENCY),
+    rpcUrl: env.TEMPO_RPC_URL,
+    recipient: payeeAddress,
+    ...env.MPP_FEE_PAYER_KEY ? { feePayerKey: env.MPP_FEE_PAYER_KEY } : {},
+    ...env.MPP_OPERATOR_KEY ? { operatorKey: env.MPP_OPERATOR_KEY, session: {} } : {}
+  } : void 0;
+  return {
+    payeeAddress,
+    baseUrl: env.BASE_URL,
+    network: BASE_MAINNET_NETWORK,
+    protocols,
+    x402: {
+      accepts,
+      facilitators: {
+        ...options.x402Facilitators,
+        solana: solanaFacilitator
+      }
+    },
+    ...mppConfig ? { mpp: mppConfig } : {},
+    discovery: {
+      title: options.title,
+      version: options.version ?? "1.0.0",
+      description: options.description,
+      guidance: options.guidance,
+      ...options.contact ? { contact: options.contact } : {},
+      ...options.ownershipProofs ? { ownershipProofs: options.ownershipProofs } : {},
+      ...options.methodHints ? { methodHints: options.methodHints } : {},
+      ...options.serverUrl ? { serverUrl: options.serverUrl } : {}
+    },
+    ...options.prices ? { prices: options.prices } : {},
+    ...options.plugin ? { plugin: options.plugin } : {},
+    ...options.kvStore ? { kvStore: options.kvStore } : {},
+    strictRoutes: options.strictRoutes ?? false
+  };
+}
+function getRouterConfigIssues(config, options = {}) {
+  const env = options.env ?? {};
+  const protocols = config.protocols ?? ["x402"];
+  const issues = [];
+  if (!config.baseUrl) {
     issues.push({
-      code: "invalid_mpp_fee_payer_key",
-      protocol: "mpp",
-      message: "MPP feePayerKey must be a 0x-prefixed 32-byte EVM private key."
+      code: "missing_base_url",
+      message: '[router] baseUrl is required in RouterConfig. Set it to your production domain (e.g., "https://api.example.com"). The realm is used for payment matching and must be correct.'
     });
   }
-  if (mpp.useDefaultStore && !mpp.store && (!env.KV_REST_API_URL || !env.KV_REST_API_TOKEN)) {
+  if (config.protocols && config.protocols.length === 0) {
     issues.push({
-      code: "missing_mpp_default_store_env",
-      protocol: "mpp",
-      message: "mpp.useDefaultStore requires KV_REST_API_URL and KV_REST_API_TOKEN environment variables. These are automatically set by Vercel KV."
+      code: "empty_protocols",
+      message: "RouterConfig.protocols cannot be empty. Omit the field to use default ['x402'] or specify protocols explicitly."
     });
   }
+  if (protocols.includes("x402")) issues.push(...validateX402Config(config, env, options));
+  if (protocols.includes("mpp")) issues.push(...validateMppConfig(config));
   return issues;
 }
-function usesDefaultEvmFacilitator(config) {
-  return getConfiguredX402Networks(config).some(
-    (network) => typeof network === "string" && isEvmNetwork(network)
-  ) && config.x402?.facilitators?.evm === void 0;
-}
-function isSupportedX402Network(network) {
-  return isEvmNetwork(network) || isSolanaNetwork(network);
+
+// src/init/x402.ts
+async function initX402(config, configError) {
+  if (configError) return { initError: configError };
+  try {
+    const { createX402Server: createX402Server2 } = await Promise.resolve().then(() => (init_x402_server(), x402_server_exports));
+    const result = await createX402Server2(config);
+    await result.initPromise;
+    return {
+      server: result.server,
+      facilitatorsByNetwork: result.facilitatorsByNetwork
+    };
+  } catch (err) {
+    return { initError: err instanceof Error ? err.message : String(err) };
+  }
 }
-function isEvmAddress(value) {
-  return /^0x[a-fA-F0-9]{40}$/.test(value);
+
+// src/init/mppx.ts
+function getMppxRequestContext(args) {
+  const {
+    Mppx,
+    tempo,
+    mppConfig,
+    payeeAddress,
+    getClient,
+    feePayerAccount,
+    resolvedStore,
+    sessionEnabled,
+    sharedSessionParams,
+    realm
+  } = args;
+  const instance = Mppx.create({
+    methods: [
+      tempo.charge({
+        currency: mppConfig.currency,
+        recipient: mppConfig.recipient ?? payeeAddress,
+        getClient,
+        ...feePayerAccount ? { feePayer: feePayerAccount } : {},
+        ...resolvedStore ? { store: resolvedStore } : {}
+      }),
+      ...sessionEnabled ? [
+        tempo.session({
+          ...sharedSessionParams,
+          sse: false
+        })
+      ] : []
+    ],
+    secretKey: mppConfig.secretKey,
+    realm
+  });
+  return instance;
+}
+function getMppxStreamingContext(args) {
+  if (!args.sessionEnabled) return null;
+  const { Mppx, tempo, mppConfig, sharedSessionParams, realm } = args;
+  const instance = Mppx.create({
+    methods: [
+      tempo.session({
+        ...sharedSessionParams,
+        sse: true
+      })
+    ],
+    secretKey: mppConfig.secretKey,
+    realm
+  });
+  return instance;
 }
-function isEvmPrivateKey(value) {
-  return /^0x[a-fA-F0-9]{64}$/.test(value);
+
+// src/init/mpp.ts
+async function initMpp(config, resolvedBaseUrl, kvStore, configError) {
+  if (configError) return { initError: configError };
+  if (!config.mpp) return {};
+  try {
+    const { Mppx, tempo } = await import("mppx/server");
+    const { createClient, http } = await import("viem");
+    const { tempo: tempoChain } = await import("viem/chains");
+    const { privateKeyToAccount: privateKeyToAccount2 } = await import("viem/accounts");
+    const rpcUrl = config.mpp.rpcUrl ?? process.env.TEMPO_RPC_URL;
+    const tempoClient = createClient({ chain: tempoChain, transport: http(rpcUrl) });
+    const getClient = async () => tempoClient;
+    const operatorAccount = config.mpp.operatorKey ? privateKeyToAccount2(config.mpp.operatorKey) : void 0;
+    const feePayerAccount = config.mpp.feePayerKey ? privateKeyToAccount2(config.mpp.feePayerKey) : void 0;
+    if (config.mpp.session && operatorAccount) {
+      assertOperatorMatchesRecipient(config, operatorAccount.address);
+    }
+    const resolvedStore = kvStore ? await createKvMppStore(kvStore) : void 0;
+    const realm = new URL(resolvedBaseUrl).host;
+    const mppConfig = config.mpp;
+    const sessionEnabled = !!(mppConfig.session && operatorAccount);
+    const sharedSessionParams = {
+      currency: mppConfig.currency,
+      decimals: 6,
+      recipient: mppConfig.recipient ?? config.payeeAddress,
+      getClient,
+      ...operatorAccount ? { account: operatorAccount } : {},
+      ...feePayerAccount ? { feePayer: feePayerAccount } : {},
+      ...resolvedStore ? { store: resolvedStore } : {}
+    };
+    const mppxArgs = {
+      Mppx,
+      tempo,
+      mppConfig,
+      payeeAddress: config.payeeAddress ?? "",
+      getClient,
+      feePayerAccount,
+      resolvedStore,
+      sessionEnabled,
+      sharedSessionParams,
+      realm
+    };
+    const primary = getMppxRequestContext(mppxArgs);
+    const streaming = getMppxStreamingContext(mppxArgs);
+    const mppx = {
+      charge: primary.charge,
+      ...primary.session ? { sessionRequest: primary.session } : {},
+      ...streaming?.session ? { sessionStream: streaming.session } : {}
+    };
+    return { mppx, tempoClient };
+  } catch (err) {
+    return { initError: err instanceof Error ? err.message : String(err) };
+  }
 }
-function findPlaceholderPayee(values) {
-  return values.find((value) => value !== void 0 && /^0x0{40}$/i.test(value)) ?? null;
+function assertOperatorMatchesRecipient(config, operatorAddress) {
+  const recipient = (config.mpp?.recipient ?? config.payeeAddress)?.toLowerCase();
+  const opAddr = operatorAddress.toLowerCase();
+  if (recipient && opAddr !== recipient) {
+    throw new Error(
+      `MPP session config mismatch: operator address ${operatorAddress} must equal recipient/payee ${recipient}. mppx's channel-close handler asserts sender === payee. Set mpp.operatorKey to the private key for ${recipient}, or set mpp.recipient/payeeAddress to ${operatorAddress}.`
+    );
+  }
 }
 
 // src/index.ts
 init_constants();
 function createRouter(config) {
   const registry = new RouteRegistry();
-  const nonceStore = config.siwx?.nonceStore ?? new MemoryNonceStore();
-  const entitlementStore = config.siwx?.entitlementStore ?? new MemoryEntitlementStore();
-  const network = config.network ?? BASE_NETWORK;
+  const kvStore = resolveKvStore(config.kvStore);
+  const nonceStore = kvStore ? createKvNonceStore(kvStore) : new MemoryNonceStore();
+  const entitlementStore = kvStore ? createKvEntitlementStore(kvStore) : new MemoryEntitlementStore();
+  const network = config.network ?? BASE_MAINNET_NETWORK;
   const x402Accepts = getConfiguredX402Accepts(config);
   const configIssues = getRouterConfigIssues(config, {
+    env: process.env,
     requireCdpKeys: process.env.NODE_ENV === "production"
   });
   const baseUrlIssue = configIssues.find((issue) => issue.code === "missing_base_url");
@@ -3420,69 +4611,20 @@ function createRouter(config) {
     x402FacilitatorsByNetwork: void 0,
     x402Accepts,
     mppx: null,
-    tempoClient: null
+    tempoClient: null,
+    mppSessionConfig: config.mpp?.session ? { depositMultiplier: config.mpp.session.depositMultiplier ?? 10 } : null
   };
   deps.initPromise = (async () => {
-    if (x402ConfigError) {
-      deps.x402InitError = x402ConfigError;
-    } else {
-      try {
-        const { createX402Server: createX402Server2 } = await Promise.resolve().then(() => (init_server(), server_exports));
-        const result = await createX402Server2(config);
-        deps.x402Server = result.server;
-        deps.x402FacilitatorsByNetwork = result.facilitatorsByNetwork;
-        await result.initPromise;
-      } catch (err) {
-        deps.x402Server = null;
-        deps.x402InitError = err instanceof Error ? err.message : String(err);
-      }
-    }
-    if (mppConfigError) {
-      deps.mppInitError = mppConfigError;
-    } else if (config.mpp) {
-      try {
-        const { Mppx, tempo } = await import("mppx/server");
-        const rpcUrl = config.mpp.rpcUrl ?? process.env.TEMPO_RPC_URL;
-        const { createClient, http } = await import("viem");
-        const { tempo: tempoChain } = await import("viem/chains");
-        deps.tempoClient = createClient({ chain: tempoChain, transport: http(rpcUrl) });
-        const getClient = async () => deps.tempoClient;
-        let feePayerAccount;
-        if (config.mpp.feePayerKey) {
-          const { privateKeyToAccount } = await import("viem/accounts");
-          feePayerAccount = privateKeyToAccount(config.mpp.feePayerKey);
-        }
-        let resolvedStore = config.mpp.store;
-        if (!resolvedStore && config.mpp.useDefaultStore) {
-          const kvUrl = process.env.KV_REST_API_URL;
-          const kvToken = process.env.KV_REST_API_TOKEN;
-          if (!kvUrl || !kvToken) {
-            throw new Error(
-              "mpp.useDefaultStore requires KV_REST_API_URL and KV_REST_API_TOKEN environment variables. These are automatically set by Vercel KV."
-            );
-          }
-          const { Store } = await import("mppx");
-          const { createUpstashRest: createUpstashRest2 } = await Promise.resolve().then(() => (init_upstash_rest(), upstash_rest_exports));
-          resolvedStore = Store.upstash(createUpstashRest2(kvUrl, kvToken));
-        }
-        deps.mppx = Mppx.create({
-          methods: [
-            tempo.charge({
-              currency: config.mpp.currency,
-              recipient: config.mpp.recipient ?? config.payeeAddress,
-              getClient,
-              ...feePayerAccount ? { feePayer: feePayerAccount } : {},
-              ...resolvedStore ? { store: resolvedStore } : {}
-            })
-          ],
-          secretKey: config.mpp.secretKey,
-          realm: new URL(resolvedBaseUrl).host
-        });
-      } catch (err) {
-        deps.mppx = null;
-        deps.mppInitError = err instanceof Error ? err.message : String(err);
-        console.error(`[router] MPP initialization failed: ${deps.mppInitError}`);
-      }
+    const x402Result = await initX402(config, x402ConfigError);
+    deps.x402Server = x402Result.server ?? null;
+    deps.x402FacilitatorsByNetwork = x402Result.facilitatorsByNetwork;
+    if (x402Result.initError) deps.x402InitError = x402Result.initError;
+    const mppResult = await initMpp(config, resolvedBaseUrl, kvStore, mppConfigError);
+    deps.mppx = mppResult.mppx ?? null;
+    deps.tempoClient = mppResult.tempoClient ?? null;
+    if (mppResult.initError) {
+      deps.mppInitError = mppResult.initError;
+      console.error(`[router] MPP initialization failed: ${mppResult.initError}`);
     }
   })();
   const pricesKeys = config.prices ? Object.keys(config.prices) : void 0;
@@ -3549,28 +4691,22 @@ function normalizePath(path) {
   normalized = normalized.replace(/^api\/+/, "");
   return normalized.replace(/\/+$/, "");
 }
+function createRouterFromEnv(options) {
+  return createRouter(routerConfigFromEnv(options));
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  BASE_NETWORK,
+  BASE_MAINNET_NETWORK,
+  BASE_USDC_ADDRESS,
+  BASE_USDC_DECIMALS,
+  DEFAULT_SOLANA_FACILITATOR_URL,
   HttpError,
-  MemoryEntitlementStore,
-  MemoryNonceStore,
-  RouteBuilder,
-  RouteRegistry,
   RouterConfigError,
-  SIWX_CHALLENGE_EXPIRY_MS,
-  SIWX_ERROR_MESSAGES,
   SOLANA_MAINNET_NETWORK,
-  TEMPO_USDC_CURRENCY,
+  TEMPO_USDC_ADDRESS,
+  TEMPO_USDC_DECIMALS,
   ZERO_EVM_ADDRESS,
-  consolePlugin,
-  createRedisEntitlementStore,
-  createRedisNonceStore,
   createRouter,
-  formatRouterConfigIssues,
-  getRouterConfigIssues,
-  mppFromEnv,
-  paidOptionsForProtocols,
-  validateRouterConfig,
-  x402AcceptsFromEnv
+  createRouterFromEnv,
+  routerConfigFromEnv
 });