@agentcash/router 1.8.0 → 1.9.1

package/dist/index.js

@@ -563,7 +563,8 @@ function preflight(routeEntry, handler, deps, request) {
     request,
     meta,
     pluginCtx,
-    report: createReporter(deps.plugin, pluginCtx, routeEntry.key)
+    report: createReporter(deps.plugin, pluginCtx, routeEntry.key),
+    query: void 0
   };
 }
 function buildMeta(request, routeEntry) {
@@ -586,13 +587,19 @@ function buildMeta(request, routeEntry) {
 import { NextResponse } from "next/server";
 
 // src/pipeline/body.ts
+var MalformedJsonError = class extends Error {
+  constructor() {
+    super("Invalid JSON");
+    this.name = "MalformedJsonError";
+  }
+};
 async function bufferBody(request) {
   const text = await request.text();
-  if (!text) return void 0;
+  if (!text.trim()) return void 0;
   try {
     return JSON.parse(text);
   } catch {
-    return void 0;
+    throw new MalformedJsonError();
   }
 }
 function validateBody(parsed, schema) {
@@ -673,7 +680,18 @@ function computeQuotaLevel(remaining, warn, critical) {
 // src/pipeline/steps/parse-body.ts
 async function parseBody(ctx, request = ctx.request) {
   if (!ctx.routeEntry.bodySchema) return { ok: true, data: void 0 };
-  const raw = await bufferBody(request);
+  let raw;
+  try {
+    raw = await bufferBody(request);
+  } catch (err) {
+    if (!(err instanceof MalformedJsonError)) throw err;
+    const response2 = NextResponse.json(
+      { success: false, error: "Invalid JSON", issues: [] },
+      { status: 400 }
+    );
+    firePluginResponse(ctx, response2);
+    return { ok: false, response: response2 };
+  }
   const result = validateBody(raw, ctx.routeEntry.bodySchema);
   if (result.success) return { ok: true, data: result.data };
   const response = NextResponse.json(
@@ -684,6 +702,22 @@ async function parseBody(ctx, request = ctx.request) {
   return { ok: false, response };
 }
 
+// src/pipeline/steps/parse-query.ts
+import { NextResponse as NextResponse2 } from "next/server";
+function validateQuery(ctx) {
+  const { querySchema } = ctx.routeEntry;
+  if (!querySchema) return { ok: true, data: void 0 };
+  const params = Object.fromEntries(ctx.request.nextUrl.searchParams.entries());
+  const result = validateBody(params, querySchema);
+  if (result.success) return { ok: true, data: result.data };
+  const response = NextResponse2.json(
+    { success: false, error: result.error, issues: result.issues },
+    { status: 400 }
+  );
+  firePluginResponse(ctx, response);
+  return { ok: false, response };
+}
+
 // src/pipeline/steps/errors.ts
 function errorStatus(error, fallback) {
   const status = error?.status;
@@ -698,9 +732,9 @@ function handlerFailureError(response) {
 }
 
 // src/pipeline/steps/fail.ts
-import { NextResponse as NextResponse2 } from "next/server";
+import { NextResponse as NextResponse3 } from "next/server";
 function fail(ctx, status, message, requestBody) {
-  const response = NextResponse2.json({ success: false, error: message }, { status });
+  const response = NextResponse3.json({ success: false, error: message }, { status });
   firePluginResponse(ctx, response, requestBody);
   return response;
 }
@@ -717,7 +751,7 @@ async function runValidate(ctx, body) {
 }
 
 // src/pipeline/flows/static/static-invoke.ts
-import { NextResponse as NextResponse3 } from "next/server";
+import { NextResponse as NextResponse4 } from "next/server";
 
 // src/types.ts
 var HttpError = class extends Error {
@@ -728,14 +762,6 @@ var HttpError = class extends Error {
   }
 };
 
-// src/pipeline/steps/parse-query.ts
-function parseQuery(request, routeEntry) {
-  if (!routeEntry.querySchema) return void 0;
-  const params = Object.fromEntries(request.nextUrl.searchParams.entries());
-  const result = routeEntry.querySchema.safeParse(params);
-  return result.success ? result.data : params;
-}
-
 // src/pipeline/flows/static/static-invoke.ts
 function invokePaidStatic(ctx, wallet, account, body, payment) {
   return runHandler(ctx, buildHandlerCtx(ctx, wallet, account, body, payment));
@@ -746,7 +772,7 @@ function invokeUnauthed(ctx, wallet, account, body) {
 function buildHandlerCtx(ctx, wallet, account, body, payment) {
   return {
     body,
-    query: parseQuery(ctx.request, ctx.routeEntry),
+    query: ctx.query,
     request: ctx.request,
     requestId: ctx.meta.requestId,
     route: ctx.routeEntry.key,
@@ -775,14 +801,14 @@ async function runHandler(ctx, handlerCtx) {
   } catch (error) {
     return errorResult(error);
   }
-  const response = rawResult instanceof Response ? rawResult : NextResponse3.json(rawResult);
+  const response = rawResult instanceof Response ? rawResult : NextResponse4.json(rawResult);
   return { response, rawResult };
 }
 function errorResult(error) {
   const status = error instanceof HttpError ? error.status : typeof error?.status === "number" ? error.status : 500;
   const message = error instanceof Error ? error.message : "Internal error";
   return {
-    response: NextResponse3.json({ success: false, error: message }, { status }),
+    response: NextResponse4.json({ success: false, error: message }, { status }),
     rawResult: void 0,
     handlerError: error
   };
@@ -1195,9 +1221,10 @@ var DynamicPricing = class {
   }
   needsBody = true;
   async quote(body) {
+    let priced;
     try {
       const raw = await this.opts.fn(body);
-      return this.cap(raw, body);
+      priced = this.cap(raw, body);
     } catch (err) {
       if (err instanceof HttpError) throw err;
       this.alert("error", `Pricing function failed: ${msg(err)}`, {
@@ -1210,6 +1237,13 @@ var DynamicPricing = class {
       }
       throw err;
     }
+    if (!isPositiveDecimal(priced)) {
+      throw new HttpError(
+        `route '${this.opts.route ?? "unknown"}': dynamic pricing returned an invalid amount '${priced}'`,
+        500
+      );
+    }
+    return priced;
   }
   challengeQuote(body) {
     if (body === void 0) return Promise.resolve(this.opts.maxPrice ?? "0");
@@ -1284,14 +1318,14 @@ var TieredPricing = class {
       `Unknown tier '${tierKey}' for field '${field}'. Valid tiers: ${Object.keys(tiers).join(", ")}`
     );
   }
-  challengeQuote(body) {
+  async challengeQuote(body) {
     if (body !== void 0) {
       try {
-        return this.quote(body);
+        return await this.quote(body);
       } catch {
       }
     }
-    return Promise.resolve(this.maxTierPrice());
+    return this.maxTierPrice();
   }
   describe() {
     return {
@@ -2025,7 +2059,7 @@ async function settleX402Payment(server, payload, requirements, amountOverride)
   };
 }
 function tagBareDecimalAsDollars(amount) {
-  if (/^\d+\.\d+$/.test(amount)) return `$${amount}`;
+  if (/^\d+(?:\.\d+)?$/.test(amount)) return `$${amount}`;
   return amount;
 }
 
@@ -2272,8 +2306,8 @@ function getAllowedStrategies(allowed) {
   return allowed.map((name) => STRATEGIES[name]);
 }
 
-// src/pipeline/flows/build402.ts
-import { NextResponse as NextResponse4 } from "next/server";
+// src/pipeline/flows/challenge-response.ts
+import { NextResponse as NextResponse5 } from "next/server";
 
 // src/pipeline/challenge-extensions.ts
 init_evm();
@@ -2289,20 +2323,17 @@ async function buildChallengeExtensions(ctx) {
     });
     const inputSchema = routeEntry.bodySchema ? toJSON(routeEntry.bodySchema) : routeEntry.querySchema ? toJSON(routeEntry.querySchema) : void 0;
     const outputSchema = routeEntry.outputSchema ? toJSON(routeEntry.outputSchema) : void 0;
-    if (inputSchema) {
-      const config = {
-        method: routeEntry.method,
-        bodyType: routeEntry.bodySchema ? "json" : void 0,
-        inputSchema
-      };
-      if (routeEntry.inputExample !== void 0) {
-        config.input = routeEntry.inputExample;
-      }
-      if (outputSchema && routeEntry.outputExample !== void 0) {
-        config.output = { schema: outputSchema, example: routeEntry.outputExample };
-      }
-      extensions = declareDiscoveryExtension(config);
+    const isBodyMethod = routeEntry.method === "POST" || routeEntry.method === "PUT" || routeEntry.method === "PATCH";
+    const config = { method: routeEntry.method };
+    if (isBodyMethod) config.bodyType = "json";
+    if (inputSchema) config.inputSchema = inputSchema;
+    if (routeEntry.inputExample !== void 0) {
+      config.input = routeEntry.inputExample;
+    }
+    if (outputSchema && routeEntry.outputExample !== void 0) {
+      config.output = { schema: outputSchema, example: routeEntry.outputExample };
     }
+    extensions = declareDiscoveryExtension(config);
   } catch (err) {
     ctx.report(
       "warn",
@@ -2339,14 +2370,14 @@ async function buildChallengeExtensions(ctx) {
   return extensions;
 }
 
-// src/pipeline/flows/build402.ts
-async function build402(ctx, pricing, body, failure) {
+// src/pipeline/flows/challenge-response.ts
+async function buildChallengeResponse(ctx, pricing, body, failure) {
   let challengePrice;
   try {
     challengePrice = pricing ? await pricing.challengeQuote(body) : "0";
   } catch (err) {
     const message = errorMessage(err, "Price calculation failed");
-    const errorResponse = NextResponse4.json(
+    const errorResponse = NextResponse5.json(
       { success: false, error: message },
       { status: errorStatus(err, 500) }
     );
@@ -2355,7 +2386,7 @@ async function build402(ctx, pricing, body, failure) {
   }
   const extensions = await buildChallengeExtensions(ctx);
   const responseBody = failure ? JSON.stringify({ error: failure.message ?? null, reason: failure.reason }) : null;
-  const response = new NextResponse4(responseBody, {
+  const response = new NextResponse5(responseBody, {
     status: 402,
     headers: {
       "Content-Type": "application/json",
@@ -2382,7 +2413,7 @@ async function build402(ctx, pricing, body, failure) {
       const message = `${strategy.protocol} challenge build failed: ${errorMessage(err, String(err))}`;
       ctx.report("critical", message);
       if (strategy.protocol === "x402") {
-        const errorResponse = NextResponse4.json(
+        const errorResponse = NextResponse5.json(
           { success: false, error: message },
           { status: 500 }
         );
@@ -2434,7 +2465,7 @@ function surrogatePriceForSkippedBody(routeEntry) {
 }
 
 // src/pipeline/flows/dynamic/dynamic-channel-mgmt.ts
-import { NextResponse as NextResponse5 } from "next/server";
+import { NextResponse as NextResponse6 } from "next/server";
 async function runDynamicChannelMgmtFlow(args) {
   const { ctx, strategy, account, pricing, skipBody } = args;
   const { request, routeEntry, deps, report } = ctx;
@@ -2453,7 +2484,7 @@ async function runDynamicChannelMgmtFlow(args) {
     if (verifyOutcome.kind === "config") {
       return fail(ctx, 500, verifyOutcome.message, parsedBody);
     }
-    return build402(ctx, pricing, parsedBody, verifyOutcome.failure);
+    return buildChallengeResponse(ctx, pricing, parsedBody, verifyOutcome.failure);
   }
   ctx.pluginCtx.setVerifiedWallet(verifyOutcome.wallet);
   firePaymentVerified(ctx, {
@@ -2462,7 +2493,7 @@ async function runDynamicChannelMgmtFlow(args) {
     amount: price,
     network: verifyOutcome.payment.network
   });
-  const synthetic = new NextResponse5(null, { status: 200 });
+  const synthetic = new NextResponse6(null, { status: 200 });
   const settleScope = {
     wallet: verifyOutcome.wallet,
     account,
@@ -2524,11 +2555,11 @@ function createChargeContext(args) {
 }
 
 // src/pipeline/flows/dynamic/dynamic-invoke/shared.ts
-import { NextResponse as NextResponse6 } from "next/server";
+import { NextResponse as NextResponse7 } from "next/server";
 function buildBaseHandlerCtx(ctx, wallet, account, body, payment) {
   return {
     body,
-    query: parseQuery(ctx.request, ctx.routeEntry),
+    query: ctx.query,
     request: ctx.request,
     requestId: ctx.meta.requestId,
     route: ctx.routeEntry.key,
@@ -2540,14 +2571,14 @@ function buildBaseHandlerCtx(ctx, wallet, account, body, payment) {
   };
 }
 function toResponse(rawResult) {
-  return rawResult instanceof Response ? rawResult : NextResponse6.json(rawResult);
+  return rawResult instanceof Response ? rawResult : NextResponse7.json(rawResult);
 }
 function errorResult2(error) {
   const status = error instanceof HttpError ? error.status : typeof error?.status === "number" ? error.status : 500;
   const message = error instanceof Error ? error.message : "Internal error";
   return {
     kind: "request",
-    response: NextResponse6.json({ success: false, error: message }, { status }),
+    response: NextResponse7.json({ success: false, error: message }, { status }),
     rawResult: void 0,
     handlerError: error
   };
@@ -2750,7 +2781,7 @@ async function runDynamicPaidFlow(ctx) {
   if (!incomingStrategy) {
     const initError = protocolInitError(routeEntry, deps);
     if (initError) return fail(ctx, 500, initError);
-    return build402(ctx, pricing, earlyBody);
+    return buildChallengeResponse(ctx, pricing, earlyBody);
   }
   const { skipBody, skipHandler } = resolveDynamicPreflight(incomingStrategy, request, routeEntry);
   if (skipHandler) {
@@ -2777,7 +2808,7 @@ async function runDynamicPaidFlow(ctx) {
     if (verifyOutcome.kind === "config") {
       return fail(ctx, 500, verifyOutcome.message, parsedBody);
     }
-    return build402(ctx, pricing, parsedBody, verifyOutcome.failure);
+    return buildChallengeResponse(ctx, pricing, parsedBody, verifyOutcome.failure);
   }
   ctx.pluginCtx.setVerifiedWallet(verifyOutcome.wallet);
   firePaymentVerified(ctx, {
@@ -2921,7 +2952,7 @@ async function runStaticPaidFlow(ctx) {
   if (!incomingStrategy) {
     const initError = protocolInitError(routeEntry, deps);
     if (initError) return fail(ctx, 500, initError);
-    return build402(ctx, pricing, earlyBody);
+    return buildChallengeResponse(ctx, pricing, earlyBody);
   }
   const bodyAndPrice = await resolveStaticBodyAndPrice({ ctx, pricing });
   if (!bodyAndPrice.ok) return bodyAndPrice.response;
@@ -2938,7 +2969,7 @@ async function runStaticPaidFlow(ctx) {
     if (verifyOutcome.kind === "config") {
       return fail(ctx, 500, verifyOutcome.message, parsedBody);
     }
-    return build402(ctx, pricing, parsedBody, verifyOutcome.failure);
+    return buildChallengeResponse(ctx, pricing, parsedBody, verifyOutcome.failure);
   }
   ctx.pluginCtx.setVerifiedWallet(verifyOutcome.wallet);
   firePaymentVerified(ctx, {
@@ -2972,7 +3003,7 @@ async function runPaidFlow(ctx) {
 }
 
 // src/pipeline/flows/siwx-only.ts
-import { NextResponse as NextResponse7 } from "next/server";
+import { NextResponse as NextResponse8 } from "next/server";
 
 // src/kv-store/client.ts
 var BIGINT_SUFFIX = "#__bigint";
@@ -3206,7 +3237,7 @@ async function runSiwxOnlyFlow(ctx) {
   }
   const siwx = await verifySIWX(request, routeEntry, deps.nonceStore);
   if (!siwx.valid) {
-    const response = NextResponse7.json(
+    const response = NextResponse8.json(
       { error: siwx.code, message: SIWX_ERROR_MESSAGES[siwx.code] },
       { status: 402 }
     );
@@ -3267,7 +3298,7 @@ async function buildSiwxChallenge(ctx) {
       `SIWX challenge header encoding failed: ${err instanceof Error ? err.message : String(err)}`
     );
   }
-  const response = new NextResponse7(JSON.stringify(paymentRequired), {
+  const response = new NextResponse8(JSON.stringify(paymentRequired), {
     status: 402,
     headers: { "Content-Type": "application/json", "Cache-Control": "no-store" }
   });
@@ -3313,6 +3344,9 @@ function createRequestHandler(routeEntry, handler, deps) {
   return async (request) => {
     await deps.initPromise;
     const ctx = preflight(routeEntry, handler, deps, request);
+    const query = validateQuery(ctx);
+    if (!query.ok) return query.response;
+    ctx.query = query.data;
     if (routeEntry.authMode === "unprotected") return runUnprotectedFlow(ctx);
     if (routeEntry.authMode === "siwx") return runSiwxOnlyFlow(ctx);
     if (routeEntry.pricing) return runPaidFlow(ctx);
@@ -3486,11 +3520,21 @@ var RouteBuilder = class _RouteBuilder {
         }
       }
     }
+    if (billing === "exact" && typeof pricing === "string" && !isPositiveDecimal(pricing)) {
+      throw new Error(
+        `route '${this.#s.key}': price '${pricing}' must be a positive decimal string`
+      );
+    }
     if (next.#s.maxPrice !== void 0 && !isPositiveDecimal(next.#s.maxPrice)) {
       throw new Error(
         `route '${this.#s.key}': maxPrice '${next.#s.maxPrice}' must be a positive decimal string`
       );
     }
+    if (next.#s.minPrice !== void 0 && !isPositiveDecimal(next.#s.minPrice)) {
+      throw new Error(
+        `route '${this.#s.key}': minPrice '${next.#s.minPrice}' must be a positive decimal string`
+      );
+    }
     if (next.#s.tickCost !== void 0 && !isPositiveDecimal(next.#s.tickCost)) {
       throw new Error(
         `route '${this.#s.key}': tickCost '${next.#s.tickCost}' must be a positive decimal string`
@@ -3938,7 +3982,7 @@ function normalizeMeteredArg(routeKey, options) {
 }
 
 // src/discovery/well-known.ts
-import { NextResponse as NextResponse8 } from "next/server";
+import { NextResponse as NextResponse9 } from "next/server";
 
 // src/discovery/utils/guidance.ts
 async function resolveGuidance(discovery) {
@@ -3982,7 +4026,7 @@ function createWellKnownHandler(registry, baseUrl, pricesKeys, discovery) {
     if (instructions) {
       body.instructions = instructions;
     }
-    return NextResponse8.json(body, {
+    return NextResponse9.json(body, {
       headers: {
         "Access-Control-Allow-Origin": "*",
         "Access-Control-Allow-Methods": "GET",
@@ -4000,13 +4044,13 @@ function toDiscoveryResource(method, url, mode) {
 
 // src/discovery/openapi.ts
 init_constants();
-import { NextResponse as NextResponse9 } from "next/server";
+import { NextResponse as NextResponse10 } from "next/server";
 function createOpenAPIHandler(registry, baseUrl, pricesKeys, discovery) {
   const normalizedBase = baseUrl.replace(/\/+$/, "");
   let cached = null;
   let validated = false;
   return async (_request) => {
-    if (cached) return NextResponse9.json(cached);
+    if (cached) return NextResponse10.json(cached);
     if (!validated && pricesKeys) {
       registry.validate(pricesKeys);
       validated = true;
@@ -4069,7 +4113,7 @@ function createOpenAPIHandler(registry, baseUrl, pricesKeys, discovery) {
       paths
     };
     cached = createDocument(openApiDocument);
-    return NextResponse9.json(cached);
+    return NextResponse10.json(cached);
   };
 }
 function deriveTag(routeKey) {
@@ -4205,11 +4249,11 @@ function tierExtrema(prices) {
 }
 
 // src/discovery/llms-txt.ts
-import { NextResponse as NextResponse10 } from "next/server";
+import { NextResponse as NextResponse11 } from "next/server";
 function createLlmsTxtHandler(discovery) {
   return async (_request) => {
     const guidance = await resolveGuidance(discovery) ?? "";
-    return new NextResponse10(guidance, {
+    return new NextResponse11(guidance, {
       headers: {
         "Content-Type": "text/plain; charset=utf-8",
         "Access-Control-Allow-Origin": "*"
@@ -4259,10 +4303,14 @@ var isPlaceholderEvm = (v) => ZERO_EVM_ADDRESS_RE.test(v);
 var isSolanaAddress = (v) => SOLANA_ADDRESS_RE.test(v);
 var isX402Network = (v) => v.startsWith("eip155:") || v.startsWith("solana:");
 var canonicalizeEvm = (addr) => addr.toLowerCase();
+function evmAddressFromKey(key) {
+  if (!key || !isEvmPrivateKey(key)) return null;
+  return privateKeyToAccount(key).address.toLowerCase();
+}
 function operatorAddressesCollide(opKey, fpKey) {
-  if (!opKey || !fpKey || !isEvmPrivateKey(opKey) || !isEvmPrivateKey(fpKey)) return null;
-  const op = privateKeyToAccount(opKey).address.toLowerCase();
-  const fp = privateKeyToAccount(fpKey).address.toLowerCase();
+  const op = evmAddressFromKey(opKey);
+  const fp = evmAddressFromKey(fpKey);
+  if (!op || !fp) return null;
   return op === fp ? op : null;
 }
 function trimAll(raw) {
@@ -4424,7 +4472,7 @@ function getConfiguredX402Accepts2(config) {
     }
   ];
 }
-function validateX402Config(config, env, options) {
+function validateX402Config(config, env) {
   const accepts = getConfiguredX402Accepts2(config);
   const issues = [];
   const push = (code, message) => issues.push({ code, protocol: "x402", message });
@@ -4466,23 +4514,21 @@ function validateX402Config(config, env, options) {
       `x402 payee '${placeholder}' is a placeholder address and cannot receive payments.`
     );
   }
-  if (options.requireCdpKeys !== false) {
-    const hasEvm = accepts.some(
-      (a) => typeof a.network === "string" && a.network.startsWith("eip155:")
-    );
-    if (hasEvm) {
-      const missing = ["CDP_API_KEY_ID", "CDP_API_KEY_SECRET"].filter((k) => !env[k]);
-      if (missing.length > 0) {
-        push(
-          "missing_cdp_keys",
-          `x402 EVM facilitator (Coinbase) requires ${missing.join(" and ")}.`
-        );
-      }
+  const hasEvm = accepts.some(
+    (a) => typeof a.network === "string" && a.network.startsWith("eip155:")
+  );
+  if (hasEvm) {
+    const missing = ["CDP_API_KEY_ID", "CDP_API_KEY_SECRET"].filter((k) => !env[k]);
+    if (missing.length > 0) {
+      push(
+        "missing_cdp_keys",
+        `x402 EVM facilitator (Coinbase) requires ${missing.join(" and ")}. Create an API key at https://portal.cdp.coinbase.com and set it via env.`
+      );
     }
   }
   return issues;
 }
-function validateMppConfig(config) {
+function validateMppConfig(config, env) {
   const m = config.mpp;
   if (!m) {
     return [
@@ -4530,7 +4576,7 @@ function validateMppConfig(config) {
       `MPP recipient '${placeholder}' is a placeholder address and cannot receive payments.`
     );
   }
-  if (!m.rpcUrl) {
+  if (!m.rpcUrl && !env.TEMPO_RPC_URL) {
     push(
       "missing_mpp_rpc_url",
       "MPP requires an authenticated Tempo RPC URL. Set TEMPO_RPC_URL env var or pass rpcUrl in the mpp config object."
@@ -4555,6 +4601,15 @@ function validateMppConfig(config) {
       `MPP operatorKey and feePayerKey resolve to the same address (${collision}). Tempo rejects fee-delegated txs with sender === feePayer, so channel close/settle would fail at runtime. Either use two distinct wallets, or omit feePayerKey to disable gas sponsorship (clients then pay their own gas).`
     );
   }
+  if (m.session && recipient && isEvmAddress(recipient)) {
+    const operatorAddress = evmAddressFromKey(m.operatorKey);
+    if (operatorAddress && operatorAddress !== recipient.toLowerCase()) {
+      push(
+        "mpp_operator_recipient_mismatch",
+        `MPP session operatorKey resolves to ${operatorAddress}, which must equal the recipient/payee ${recipient.toLowerCase()}. mppx's channel-close handler asserts sender === payee. Set mpp.operatorKey to the recipient\u2019s private key, or set mpp.recipient/payeeAddress to the operator address.`
+      );
+    }
+  }
   return issues;
 }
 function translateZodIssues(error) {
@@ -4683,8 +4738,8 @@ function getRouterConfigIssues(config, options = {}) {
       message: "RouterConfig.protocols cannot be empty. Omit the field to use default ['x402'] or specify protocols explicitly."
     });
   }
-  if (protocols.includes("x402")) issues.push(...validateX402Config(config, env, options));
-  if (protocols.includes("mpp")) issues.push(...validateMppConfig(config));
+  if (protocols.includes("x402")) issues.push(...validateX402Config(config, env));
+  if (protocols.includes("mpp")) issues.push(...validateMppConfig(config, env));
   return issues;
 }
 
@@ -4769,9 +4824,6 @@ async function initMpp(config, resolvedBaseUrl, kvStore, configError) {
     const getClient = async () => tempoClient;
     const operatorAccount = config.mpp.operatorKey ? privateKeyToAccount2(config.mpp.operatorKey) : void 0;
     const feePayerAccount = config.mpp.feePayerKey ? privateKeyToAccount2(config.mpp.feePayerKey) : void 0;
-    if (config.mpp.session && operatorAccount) {
-      assertOperatorMatchesRecipient(config, operatorAccount.address);
-    }
     const resolvedStore = kvStore ? await createKvMppStore(kvStore) : void 0;
     const realm = new URL(resolvedBaseUrl).host;
     const mppConfig = config.mpp;
@@ -4809,15 +4861,6 @@ async function initMpp(config, resolvedBaseUrl, kvStore, configError) {
     return { initError: err instanceof Error ? err.message : String(err) };
   }
 }
-function assertOperatorMatchesRecipient(config, operatorAddress) {
-  const recipient = (config.mpp?.recipient ?? config.payeeAddress)?.toLowerCase();
-  const opAddr = operatorAddress.toLowerCase();
-  if (recipient && opAddr !== recipient) {
-    throw new Error(
-      `MPP session config mismatch: operator address ${operatorAddress} must equal recipient/payee ${recipient}. mppx's channel-close handler asserts sender === payee. Set mpp.operatorKey to the private key for ${recipient}, or set mpp.recipient/payeeAddress to ${operatorAddress}.`
-    );
-  }
-}
 
 // src/index.ts
 init_constants();
@@ -4828,10 +4871,7 @@ function createRouter(config) {
   const entitlementStore = kvStore ? createKvEntitlementStore(kvStore) : new MemoryEntitlementStore();
   const network = config.network ?? BASE_MAINNET_NETWORK;
   const x402Accepts = getConfiguredX402Accepts(config);
-  const configIssues = getRouterConfigIssues(config, {
-    env: process.env,
-    requireCdpKeys: process.env.NODE_ENV === "production"
-  });
+  const configIssues = getRouterConfigIssues(config, { env: process.env });
   const baseUrlIssue = configIssues.find((issue) => issue.code === "missing_base_url");
   if (baseUrlIssue) throw new RouterConfigError([baseUrlIssue]);
   const emptyProtocolsIssue = configIssues.find((issue) => issue.code === "empty_protocols");
@@ -4844,10 +4884,7 @@ function createRouter(config) {
   const x402ConfigError = x402ConfigIssues.length > 0 ? formatRouterConfigIssues(x402ConfigIssues) : void 0;
   const mppConfigError = mppConfigIssues.length > 0 ? formatRouterConfigIssues(mppConfigIssues) : void 0;
   if (protocolConfigIssues.length > 0) {
-    for (const issue of protocolConfigIssues) console.error(`[router] ${issue.message}`);
-    if (process.env.NODE_ENV === "production") {
-      throw new RouterConfigError(protocolConfigIssues);
-    }
+    throw new RouterConfigError(protocolConfigIssues);
   }
   const resolvedBaseUrl = config.baseUrl.replace(/\/+$/, "");
   if (config.plugin?.init) {