@artos-commerce/ucp-client 0.1.0 → 0.2.0

package/README.md

@@ -1,16 +1,17 @@
 # @artos-commerce/ucp-client
 
-**Path B Direct UCP client for Artos.** A typed UCP transport, AP2 mandate
-signing, and checkout orchestration so you can build your own commerce-grade UCP
-client against `api.artos.sh` — without hand-rolling the JSON-RPC envelope, the
-canonical-JSON signing bytes, the AP2 mandates, or the payment-rail rules.
+**Build-track Direct UCP client for Artos.** A typed UCP transport, AP2 mandate
+signing, checkout orchestration, buyer-account tools, and buyer OAuth so you can
+build your own commerce-grade UCP client against `api.artos.sh` — without
+hand-rolling the JSON-RPC envelope, the canonical-JSON signing bytes, the AP2
+mandates, or the payment-rail rules.
 
 This is the reusable core extracted from the hosted Artos MCP bridge. If you just
-want an MCP endpoint for AI agents, point them at the hosted bridge
-(`https://agent.artos.sh/mcp`, **Path A**) and skip this package. Reach for
-`@artos-commerce/ucp-client` when you are building your **own** client/integration
-(**Path B**) and want the hard parts — signing, verification, and rail selection
-— done correctly for you.
+want an MCP endpoint for AI agents, point them at the hosted **Connect** bridge
+(`https://agent.artos.sh/mcp`) and skip this package. Reach for
+`@artos-commerce/ucp-client` when you are building your **own**
+client/integration (the **Build** track) and want the hard parts — signing,
+verification, and rail selection — done correctly for you.
 
 ## What it does for you
 
@@ -25,6 +26,12 @@ want an MCP endpoint for AI agents, point them at the hosted bridge
 - **Checkout orchestration** (`createCheckoutHandlers`): a single
   `confirmPurchase` re-prices, verifies, mints the mandate, routes to the
   `$0` / card / crypto rail, and returns a structured `CheckoutOutcome`.
+- **Buyer-account tools** (`createAccountHandlers`): typed wrappers over the
+  buyer's account MCP (`get_buyer_context`, `list_my_orders`, wallet balances,
+  coupons, …) — all buyer-bound.
+- **Buyer OAuth** (`OAuthClient` + `createPkce`): discover the Authorization
+  Server, build the PKCE authorize URL, and exchange/refresh tokens so a
+  Build-track agent can run buyer sign-in itself.
 
 ## Install
 
@@ -118,6 +125,46 @@ switch (outcome.status) {
 throw `UcpClientError`; an expired buyer bearer throws `UcpAuthError` carrying
 the `WWW-Authenticate` challenge.
 
+### Buyer sign-in (OAuth) and account tools
+
+A Build-track agent can run the buyer-OAuth dance itself instead of relying on
+the hosted Connect bridge:
+
+```ts
+import { OAuthClient, createPkce } from '@artos-commerce/ucp-client';
+
+const oauth = new OAuthClient({ artosBaseUrl: 'https://api.artos.sh' });
+const pkce = createPkce();
+
+// 1. Send the buyer here to sign in + consent (offline_access by default).
+const { url, state } = await oauth.authorizeUrl({
+  clientId: 'https://you.example/well-known/oauth-client.json',
+  redirectUri: 'https://you.example/oauth/callback',
+  codeChallenge: pkce.challenge,
+});
+
+// 2. On the redirect (verify `state`), exchange the code for tokens.
+const tokens = await oauth.exchangeCode({
+  code,
+  codeVerifier: pkce.verifier,
+  clientId: 'https://you.example/well-known/oauth-client.json',
+  redirectUri: 'https://you.example/oauth/callback',
+});
+
+// 3. Later, silently renew with the rotating refresh token.
+const fresh = await oauth.refresh({ refreshToken: tokens.refreshToken! });
+```
+
+With `tokens.accessToken` as the `buyerToken`, the account tools are typed:
+
+```ts
+import { createAccountHandlers } from '@artos-commerce/ucp-client';
+
+const account = createAccountHandlers({ client }); // client carries buyerToken
+const me = await account.getBuyerContext();
+const orders = await account.listOrders({ limit: 10 });
+```
+
 ## The two-credential auth model
 
 The Artos API's identity guard prefers `X-API-Key` over a bearer. `UcpClient`
@@ -139,12 +186,14 @@ Never send both for a buyer-bound call.
 - `Ap2Signer` — `mintCheckoutMandate`, `mintPaymentMandate`.
 - `canonicalJson`, `verifyDetachedJws`, `verifyMerchantAuthorization`.
 - `createCheckoutHandlers` — read tools + `confirmPurchase`.
+- `createAccountHandlers` — typed buyer-account tools (buyer-bound).
+- `OAuthClient`, `createPkce`, `DEFAULT_BUYER_SCOPE` — buyer OAuth (PKCE).
 - `SuiSigner`, `resolveCryptoDeps` (crypto rail; need `@mysten/sui`).
 - Helpers: `toMinorUnits`, `normalizeSearchFilters`, `resolveRail`,
   `grandTotal`, `currencyOf`, `asAllowanceId`, `isUcpError`, `messageOf`.
 
 Subpath entries are also published: `@artos-commerce/ucp-client/ucp`,
-`/ap2`, `/checkout`, `/sui`, `/crypto`.
+`/ap2`, `/checkout`, `/account`, `/oauth`, `/sui`, `/crypto`.
 
 ## Security notes
 

package/dist/account/handlers.d.ts

@@ -0,0 +1,43 @@
+import type { AccountToolSpec, UcpClient } from '../ucp/client.js';
+/** Dependencies the account handlers operate over (injectable for tests). */
+export interface AccountDeps {
+    client: UcpClient;
+}
+/**
+ * Typed convenience wrappers over the buyer-account MCP tools (`POST
+ * /account/mcp`). Every call is **buyer-bound**: the {@link UcpClient} must carry
+ * a buyer OAuth bearer (`buyerToken`) or the API answers 401 (relayed as a
+ * {@link import('../ucp/client.js').UcpAuthError}). The buyer is always resolved
+ * server-side from the bearer — never passed in args. Each method returns the
+ * tool's `structuredContent` payload (a plain JSON resource, possibly a UCP
+ * business-error envelope inspectable via `isUcpError`).
+ *
+ * Mirrors {@link import('../checkout/handlers.js').createCheckoutHandlers}: pure
+ * handlers over an injected client, so a host unit-tests them with a fake.
+ */
+export declare function createAccountHandlers(deps: AccountDeps): {
+    /** Lists the buyer-account tools the API advertises (`tools/list`). */
+    listTools(): Promise<AccountToolSpec[]>;
+    /** The buyer's profile + session context. */
+    getBuyerContext(): Promise<Record<string, unknown>>;
+    /** The buyer's saved shipping/billing addresses. */
+    listAddresses(): Promise<Record<string, unknown>>;
+    /** The buyer's orders across all stores. */
+    listOrders(args?: Record<string, unknown>): Promise<Record<string, unknown>>;
+    /** A single order by id. */
+    getOrder(id: string): Promise<Record<string, unknown>>;
+    /** The buyer's returns. */
+    listReturns(): Promise<Record<string, unknown>>;
+    /** The buyer's on-chain wallet balances. */
+    getWalletBalances(): Promise<Record<string, unknown>>;
+    /** The buyer's available coupons. */
+    listCoupons(): Promise<Record<string, unknown>>;
+    /** The buyer's gift cards. */
+    listGifts(): Promise<Record<string, unknown>>;
+    /** Claims a gift by code. */
+    claimGift(args: Record<string, unknown>): Promise<Record<string, unknown>>;
+    /** Escape hatch: call any account tool by name (future-proof). */
+    call(name: string, args?: Record<string, unknown>): Promise<Record<string, unknown>>;
+};
+/** The handler object returned by {@link createAccountHandlers}. */
+export type AccountHandlers = ReturnType<typeof createAccountHandlers>;

package/dist/account/handlers.js

@@ -0,0 +1,62 @@
+/**
+ * Typed convenience wrappers over the buyer-account MCP tools (`POST
+ * /account/mcp`). Every call is **buyer-bound**: the {@link UcpClient} must carry
+ * a buyer OAuth bearer (`buyerToken`) or the API answers 401 (relayed as a
+ * {@link import('../ucp/client.js').UcpAuthError}). The buyer is always resolved
+ * server-side from the bearer — never passed in args. Each method returns the
+ * tool's `structuredContent` payload (a plain JSON resource, possibly a UCP
+ * business-error envelope inspectable via `isUcpError`).
+ *
+ * Mirrors {@link import('../checkout/handlers.js').createCheckoutHandlers}: pure
+ * handlers over an injected client, so a host unit-tests them with a fake.
+ */
+export function createAccountHandlers(deps) {
+    const { client } = deps;
+    return {
+        /** Lists the buyer-account tools the API advertises (`tools/list`). */
+        listTools() {
+            return client.listAccountTools();
+        },
+        /** The buyer's profile + session context. */
+        getBuyerContext() {
+            return client.callAccountTool('get_buyer_context', {});
+        },
+        /** The buyer's saved shipping/billing addresses. */
+        listAddresses() {
+            return client.callAccountTool('list_my_addresses', {});
+        },
+        /** The buyer's orders across all stores. */
+        listOrders(args = {}) {
+            return client.callAccountTool('list_my_orders', args);
+        },
+        /** A single order by id. */
+        getOrder(id) {
+            return client.callAccountTool('get_my_order', { id });
+        },
+        /** The buyer's returns. */
+        listReturns() {
+            return client.callAccountTool('list_my_returns', {});
+        },
+        /** The buyer's on-chain wallet balances. */
+        getWalletBalances() {
+            return client.callAccountTool('get_wallet_balances', {});
+        },
+        /** The buyer's available coupons. */
+        listCoupons() {
+            return client.callAccountTool('list_my_coupons', {});
+        },
+        /** The buyer's gift cards. */
+        listGifts() {
+            return client.callAccountTool('list_my_gifts', {});
+        },
+        /** Claims a gift by code. */
+        claimGift(args) {
+            return client.callAccountTool('claim_gift', args);
+        },
+        /** Escape hatch: call any account tool by name (future-proof). */
+        call(name, args = {}) {
+            return client.callAccountTool(name, args);
+        },
+    };
+}
+//# sourceMappingURL=handlers.js.map

package/dist/account/handlers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handlers.js","sourceRoot":"","sources":["../../src/account/handlers.ts"],"names":[],"mappings":"AAOA;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAAiB;IACrD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAExB,OAAO;QACL,uEAAuE;QACvE,SAAS;YACP,OAAO,MAAM,CAAC,gBAAgB,EAAE,CAAC;QACnC,CAAC;QAED,6CAA6C;QAC7C,eAAe;YACb,OAAO,MAAM,CAAC,eAAe,CAAC,mBAAmB,EAAE,EAAE,CAAC,CAAC;QACzD,CAAC;QAED,oDAAoD;QACpD,aAAa;YACX,OAAO,MAAM,CAAC,eAAe,CAAC,mBAAmB,EAAE,EAAE,CAAC,CAAC;QACzD,CAAC;QAED,4CAA4C;QAC5C,UAAU,CACR,OAAgC,EAAE;YAElC,OAAO,MAAM,CAAC,eAAe,CAAC,gBAAgB,EAAE,IAAI,CAAC,CAAC;QACxD,CAAC;QAED,4BAA4B;QAC5B,QAAQ,CAAC,EAAU;YACjB,OAAO,MAAM,CAAC,eAAe,CAAC,cAAc,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;QACxD,CAAC;QAED,2BAA2B;QAC3B,WAAW;YACT,OAAO,MAAM,CAAC,eAAe,CAAC,iBAAiB,EAAE,EAAE,CAAC,CAAC;QACvD,CAAC;QAED,4CAA4C;QAC5C,iBAAiB;YACf,OAAO,MAAM,CAAC,eAAe,CAAC,qBAAqB,EAAE,EAAE,CAAC,CAAC;QAC3D,CAAC;QAED,qCAAqC;QACrC,WAAW;YACT,OAAO,MAAM,CAAC,eAAe,CAAC,iBAAiB,EAAE,EAAE,CAAC,CAAC;QACvD,CAAC;QAED,8BAA8B;QAC9B,SAAS;YACP,OAAO,MAAM,CAAC,eAAe,CAAC,eAAe,EAAE,EAAE,CAAC,CAAC;QACrD,CAAC;QAED,6BAA6B;QAC7B,SAAS,CAAC,IAA6B;YACrC,OAAO,MAAM,CAAC,eAAe,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;QACpD,CAAC;QAED,kEAAkE;QAClE,IAAI,CACF,IAAY,EACZ,OAAgC,EAAE;YAElC,OAAO,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAC5C,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/ap2/canonical-json.d.ts

@@ -1,7 +1,7 @@
 /**
  * Sorted-key canonical JSON serialization, byte-for-byte identical to the
  * artos-api implementation (`src/modules/ucp/crypto/canonical-json.ts`) and the
- * copies in artos-mcp-bridge / artos-my / artos-storefront. Used to recompute
+ * copies in artos-agent / artos-my / artos-storefront. Used to recompute
  * the bytes a store's `merchant_authorization` (and an AP2 mandate) is signed
  * over, so a signature verifies across every repo.
  *

package/dist/ap2/canonical-json.js

@@ -1,7 +1,7 @@
 /**
  * Sorted-key canonical JSON serialization, byte-for-byte identical to the
  * artos-api implementation (`src/modules/ucp/crypto/canonical-json.ts`) and the
- * copies in artos-mcp-bridge / artos-my / artos-storefront. Used to recompute
+ * copies in artos-agent / artos-my / artos-storefront. Used to recompute
  * the bytes a store's `merchant_authorization` (and an AP2 mandate) is signed
  * over, so a signature verifies across every repo.
  *

package/dist/checkout/handlers.js

@@ -115,6 +115,8 @@ export function createCheckoutHandlers(deps) {
             const checkoutId = input.checkoutId;
             const paymentMandateId = asAllowanceId(input.paymentMandateId);
             const paymentMethod = input.paymentMethod;
+            const applyCoupon = input.applyCoupon === true;
+            const stripCoupon = input.applyCoupon === false;
             // Re-price immediately before minting so the mandate total matches the
             // server's quote (else completion fails with mandate_scope_mismatch).
             let fresh = await client.callStoreTool(slug, 'get_checkout', {
@@ -123,6 +125,36 @@ export function createCheckoutHandlers(deps) {
             if (isUcpError(fresh)) {
                 return err('store_error', messageOf(fresh) ?? 'Checkout error.', fresh);
             }
+            // Coupon opt-out (any rail): if the buyer declined a coupon, strip a
+            // previously applied `sh.artos.coupon` claim BEFORE the pricing-dependent
+            // branches. A failed crypto prepare can leave a coupon resolved on the
+            // session, so a re-priced checkout still reflects it; without stripping
+            // first, a fully-covering coupon would short-circuit the $0 branch (and a
+            // card completion would hit the server's eligibility gate). The server
+            // clears the resolved coupon + prepared intent when the claim is removed.
+            if (stripCoupon) {
+                const claims = fresh.context
+                    ?.eligibility ?? [];
+                if (claims.includes(ARTOS_COUPON_CLAIM)) {
+                    const updated = await client.callStoreTool(slug, 'update_checkout', {
+                        id: checkoutId,
+                        checkout: {
+                            context: {
+                                eligibility: claims.filter((c) => c !== ARTOS_COUPON_CLAIM),
+                            },
+                        },
+                    }, { idempotent: true });
+                    if (isUcpError(updated)) {
+                        return err('store_error', messageOf(updated) ?? 'The store returned an error.', updated);
+                    }
+                    fresh = await client.callStoreTool(slug, 'get_checkout', {
+                        id: checkoutId,
+                    });
+                    if (isUcpError(fresh)) {
+                        return err('store_error', messageOf(fresh) ?? 'Checkout error.', fresh);
+                    }
+                }
+            }
             const signingKeys = await client.fetchStoreProfile(slug);
             // Completes the checkout and maps the result. Shared by every rail.
             const finish = async (checkout, auth) => {
@@ -178,12 +210,13 @@ export function createCheckoutHandlers(deps) {
                 if (!client.hasBuyerToken()) {
                     return err('authentication_required', 'Paying with crypto requires the buyer to sign in so their wallet and authorization can be resolved.');
                 }
-                // Opt into on-chain coupon redemption: attach the `sh.artos.coupon`
-                // eligibility claim (merged with any present) so the server applies an
-                // eligible coupon during prepare. Harmless when the buyer has none.
+                // Coupon redemption is buyer opt-in: attach the `sh.artos.coupon`
+                // eligibility claim before prepare when the buyer opted in, so the
+                // server resolves + redeems an eligible coupon (opt-out was already
+                // reconciled before the rail branches above). Harmless when none owned.
                 const existingClaims = fresh.context
                     ?.eligibility ?? [];
-                if (!existingClaims.includes(ARTOS_COUPON_CLAIM)) {
+                if (applyCoupon && !existingClaims.includes(ARTOS_COUPON_CLAIM)) {
                     const updated = await client.callStoreTool(slug, 'update_checkout', {
                         id: checkoutId,
                         checkout: {

package/dist/checkout/handlers.js.map

@@ -1 +1 @@
-{"version":3,"file":"handlers.js","sourceRoot":"","sources":["../../src/checkout/handlers.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,UAAU,EACV,SAAS,GAGV,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,2BAA2B,EAAE,MAAM,kBAAkB,CAAC;AAC/D,OAAO,EACL,cAAc,EACd,UAAU,EACV,UAAU,EACV,WAAW,EACX,aAAa,GACd,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,sBAAsB,EAAsB,MAAM,YAAY,CAAC;AASxE;;;;GAIG;AACH,MAAM,oBAAoB,GAAG,KAAK,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;AAEnD;;;;GAIG;AACH,MAAM,kBAAkB,GAAG,iBAAiB,CAAC;AAE7C,+BAA+B;AAC/B,SAAS,GAAG,CACV,IAAuB,EACvB,OAAe,EACf,QAAsB;IAEtB,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;AACtD,CAAC;AAED,iFAAiF;AACjF,SAAS,kBAAkB,CAAC,IAAiB;IAC3C,OAAO,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,CAC/B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,4BAA4B,CAC/C,CAAC;AACJ,CAAC;AAED,SAAS,SAAS,CAAC,KAAyB;IAI1C,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACvB,IAAI,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE;QAClB,QAAQ,EAAE,CAAC,CAAC,QAAQ,IAAI,CAAC;KAC1B,CAAC,CAAC,CAAC;AACN,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,sBAAsB,CAAC,IAAkB;IACvD,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAExC,OAAO;QACL,iEAAiE;QACjE,KAAK,CAAC,cAAc,CAAC,IAMpB;YACC,OAAO,MAAM,CAAC,YAAY,CAAC;gBACzB,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,OAAO,EAAE,sBAAsB,CAAC,IAAI,CAAC,OAAO,CAAC;gBAC7C,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,OAAO,EAAE,IAAI,CAAC,OAAO;aACtB,CAAC,CAAC;QACL,CAAC;QAED,0DAA0D;QAC1D,KAAK,CAAC,cAAc,CAAC,IAGpB;YACC,OAAO,MAAM,CAAC,cAAc,CAAC,gBAAgB,EAAE;gBAC7C,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,OAAO,EAAE,IAAI,CAAC,OAAO;aACtB,CAAC,CAAC;QACL,CAAC;QAED,mEAAmE;QACnE,KAAK,CAAC,gBAAgB,CAAC,IAItB;YACC,OAAO,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE;gBAC1C,EAAE,EAAE,IAAI,CAAC,EAAE;gBACX,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,OAAO;aACtB,CAAC,CAAC;QACL,CAAC;QAED,kDAAkD;QAClD,KAAK,CAAC,WAAW,CAAC,IAGjB;YACC,OAAO,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,SAAS,EAAE,aAAa,EAAE;gBACzD,OAAO,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE;aACzB,CAAC,CAAC;QACL,CAAC;QAED,KAAK,CAAC,UAAU,CAAC,IAGhB;YACC,OAAO,MAAM,CAAC,aAAa,CACzB,IAAI,CAAC,SAAS,EACd,aAAa,EACb,EAAE,IAAI,EAAE,EAAE,UAAU,EAAE,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,EAC/C,EAAE,UAAU,EAAE,IAAI,EAAE,CACrB,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,UAAU,CAAC,IAIhB;YACC,OAAO,MAAM,CAAC,aAAa,CACzB,IAAI,CAAC,SAAS,EACd,aAAa,EACb,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,UAAU,EAAE,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,EAC5D,EAAE,UAAU,EAAE,IAAI,EAAE,CACrB,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,QAAQ,CAAC,IAGd;YACC,OAAO,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,SAAS,EAAE,UAAU,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;QAC3E,CAAC;QAED,KAAK,CAAC,cAAc,CAAC,IAMpB;YACC,MAAM,QAAQ,GAA4B,EAAE,CAAC;YAC7C,IAAI,IAAI,CAAC,MAAM;gBAAE,QAAQ,CAAC,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC;YAChD,IAAI,IAAI,CAAC,KAAK;gBAAE,QAAQ,CAAC,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC5D,IAAI,IAAI,CAAC,KAAK;gBAAE,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;YAC5C,IAAI,IAAI,CAAC,eAAe;gBACtB,QAAQ,CAAC,gBAAgB,GAAG,IAAI,CAAC,eAAe,CAAC;YACnD,OAAO,MAAM,CAAC,aAAa,CACzB,IAAI,CAAC,SAAS,EACd,iBAAiB,EACjB,EAAE,QAAQ,EAAE,EACZ,EAAE,UAAU,EAAE,IAAI,EAAE,CACrB,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,cAAc,CAAC,IAOpB;YACC,MAAM,QAAQ,GAA4B,EAAE,CAAC;YAC7C,IAAI,IAAI,CAAC,KAAK;gBAAE,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;YAC5C,IAAI,IAAI,CAAC,eAAe;gBACtB,QAAQ,CAAC,gBAAgB,GAAG,IAAI,CAAC,eAAe,CAAC;YACnD,IAAI,IAAI,CAAC,gBAAgB;gBACvB,QAAQ,CAAC,kBAAkB,GAAG,IAAI,CAAC,gBAAgB,CAAC;YACtD,IAAI,IAAI,CAAC,SAAS;gBAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;YACxD,OAAO,MAAM,CAAC,aAAa,CACzB,IAAI,CAAC,SAAS,EACd,iBAAiB,EACjB,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,QAAQ,EAAE,EACzB,EAAE,UAAU,EAAE,IAAI,EAAE,CACrB,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,QAAQ,CAAC,IAGd;YACC,OAAO,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;QAC5E,CAAC;QAED;;;;;WAKG;QACH,KAAK,CAAC,eAAe,CACnB,KAA2B;YAE3B,MAAM,IAAI,GAAG,KAAK,CAAC,SAAS,CAAC;YAC7B,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC;YACpC,MAAM,gBAAgB,GAAG,aAAa,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;YAC/D,MAAM,aAAa,GAAG,KAAK,CAAC,aAAa,CAAC;YAE1C,uEAAuE;YACvE,sEAAsE;YACtE,IAAI,KAAK,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,IAAI,EAAE,cAAc,EAAE;gBAC3D,EAAE,EAAE,UAAU;aACf,CAAC,CAAC;YACH,IAAI,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;gBACtB,OAAO,GAAG,CAAC,aAAa,EAAE,SAAS,CAAC,KAAK,CAAC,IAAI,iBAAiB,EAAE,KAAK,CAAC,CAAC;YAC1E,CAAC;YAED,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;YAEzD,oEAAoE;YACpE,MAAM,MAAM,GAAG,KAAK,EAClB,QAAiC,EACjC,IAAiB,EACS,EAAE;gBAC5B,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,aAAa,CACrC,IAAI,EACJ,mBAAmB,EACnB,EAAE,EAAE,EAAE,UAAU,EAAE,QAAQ,EAAE,EAC5B,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,CAC3B,CAAC;gBACF,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;oBACrB,IAAI,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC7B,OAAO;4BACL,MAAM,EAAE,4BAA4B;4BACpC,KAAK,EAAE,cAAc,CAAC,KAAK,CAAC;4BAC5B,QAAQ,EAAE,IAAI;yBACf,CAAC;oBACJ,CAAC;oBACD,OAAO,GAAG,CACR,aAAa,EACb,SAAS,CAAC,IAAI,CAAC,IAAI,8BAA8B,EACjD,IAAI,CACL,CAAC;gBACJ,CAAC;gBACD,MAAM,WAAW,GAAI,IAAkC,CAAC,YAAY,CAAC;gBACrE,IACG,IAA4B,CAAC,MAAM,KAAK,qBAAqB;oBAC9D,WAAW,EACX,CAAC;oBACD,OAAO;wBACL,MAAM,EAAE,qBAAqB;wBAC7B,WAAW;wBACX,QAAQ,EAAE,IAAI;qBACf,CAAC;gBACJ,CAAC;gBACD,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YACjD,CAAC,CAAC;YAEF,MAAM,IAAI,GAAG,WAAW,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;YAE/C,yEAAyE;YACzE,0EAA0E;YAC1E,mEAAmE;YACnE,IAAI,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5B,IAAI,CAAC,2BAA2B,CAAC,KAAK,EAAE,WAAW,CAAC,EAAE,CAAC;oBACrD,OAAO,GAAG,CACR,gCAAgC,EAChC,oFAAoF,CACrF,CAAC;gBACJ,CAAC;gBACD,MAAM,cAAc,GAAgB,MAAM,CAAC,aAAa,EAAE;oBACxD,CAAC,CAAC,OAAO;oBACT,CAAC,CAAC,UAAU,CAAC;gBACf,OAAO,MAAM,CACX;oBACE,GAAG,EAAE;wBACH,gBAAgB,EAAE,MAAM,CAAC,mBAAmB,CAC1C,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,EACnC,EAAE,gBAAgB,EAAE,CACrB;qBACF;iBACF,EACD,cAAc,CACf,CAAC;YACJ,CAAC;YAED,wEAAwE;YACxE,wEAAwE;YACxE,4EAA4E;YAC5E,6EAA6E;YAC7E,6EAA6E;YAC7E,+EAA+E;YAC/E,IAAI,IAAI,EAAE,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC5B,IAAI,CAAC,MAAM,EAAE,CAAC;oBACZ,OAAO,GAAG,CACR,uBAAuB,EACvB,uGAAuG,CACxG,CAAC;gBACJ,CAAC;gBACD,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,EAAE,CAAC;oBAC5B,OAAO,GAAG,CACR,yBAAyB,EACzB,qGAAqG,CACtG,CAAC;gBACJ,CAAC;gBAED,oEAAoE;gBACpE,uEAAuE;gBACvE,oEAAoE;gBACpE,MAAM,cAAc,GACjB,KAAkD,CAAC,OAAO;oBACzD,EAAE,WAAW,IAAI,EAAE,CAAC;gBACxB,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;oBACjD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,aAAa,CACxC,IAAI,EACJ,iBAAiB,EACjB;wBACE,EAAE,EAAE,UAAU;wBACd,QAAQ,EAAE;4BACR,OAAO,EAAE;gCACP,WAAW,EAAE,CAAC,GAAG,cAAc,EAAE,kBAAkB,CAAC;6BACrD;yBACF;qBACF,EACD,EAAE,UAAU,EAAE,IAAI,EAAE,CACrB,CAAC;oBACF,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;wBACxB,OAAO,GAAG,CACR,aAAa,EACb,SAAS,CAAC,OAAO,CAAC,IAAI,8BAA8B,EACpD,OAAO,CACR,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAED,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,aAAa,CACzC,IAAI,EACJ,0BAA0B,EAC1B;oBACE,EAAE,EAAE,UAAU;oBACd,cAAc,EAAE;wBACd,aAAa,EAAE,oBAAoB;wBACnC,eAAe,EAAE,MAAM,CAAC,aAAa;qBACtC;iBACF,EACD,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,CACpC,CAAC;gBACF,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACzB,OAAO,GAAG,CACR,aAAa,EACb,SAAS,CAAC,QAAQ,CAAC,IAAI,8BAA8B,EACrD,QAAQ,CACT,CAAC;gBACJ,CAAC;gBACD,MAAM,UAAU,GACd,QAAQ,CAAC,cACV,EAAE,WAAW,CAAC;gBACf,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,OAAO,GAAG,CACR,wBAAwB,EACxB,qEAAqE,CACtE,CAAC;gBACJ,CAAC;gBAED,mEAAmE;gBACnE,wEAAwE;gBACxE,2CAA2C;gBAC3C,KAAK,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,IAAI,EAAE,cAAc,EAAE;oBACvD,EAAE,EAAE,UAAU;iBACf,CAAC,CAAC;gBACH,IAAI,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;oBACtB,OAAO,GAAG,CACR,aAAa,EACb,SAAS,CAAC,KAAK,CAAC,IAAI,iBAAiB,EACrC,KAAK,CACN,CAAC;gBACJ,CAAC;gBACD,IAAI,CAAC,2BAA2B,CAAC,KAAK,EAAE,WAAW,CAAC,EAAE,CAAC;oBACrD,OAAO,GAAG,CACR,gCAAgC,EAChC,oFAAoF,CACrF,CAAC;gBACJ,CAAC;gBAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;gBAChC,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;gBACnC,IACE,MAAM,CAAC,cAAc,KAAK,SAAS;oBACnC,KAAK,GAAG,MAAM,CAAC,cAAc,EAC7B,CAAC;oBACD,OAAO,GAAG,CACR,oBAAoB,EACpB,eAAe,KAAK,IAAI,QAAQ,sCAAsC,MAAM,CAAC,cAAc,oBAAoB,CAChH,CAAC;gBACJ,CAAC;gBAED,kEAAkE;gBAClE,sEAAsE;gBACtE,MAAM,GAAG,GAA4B;oBACnC,gBAAgB,EAAE,MAAM,CAAC,mBAAmB,CAC1C,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,EACnC,EAAE,gBAAgB,EAAE,CACrB;oBACD,eAAe,EAAE,MAAM,CAAC,kBAAkB,CACxC,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,EAC3C,EAAE,gBAAgB,EAAE,CACrB;iBACF,CAAC;gBAEF,IAAI,MAAc,CAAC;gBACnB,IAAI,CAAC;oBACH,MAAM,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;gBACtD,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACX,OAAO,GAAG,CACR,0BAA0B,EAC1B,CAAC,YAAY,KAAK;wBAChB,CAAC,CAAC,CAAC,CAAC,OAAO;wBACX,CAAC,CAAC,yCAAyC,CAC9C,CAAC;gBACJ,CAAC;gBAED,sEAAsE;gBACtE,mEAAmE;gBACnE,OAAO,MAAM,CACX;oBACE,GAAG;oBACH,OAAO,EAAE;wBACP,WAAW,EAAE;4BACX;gCACE,UAAU,EAAE,IAAI,CAAC,SAAS;gCAC1B,IAAI,EAAE,QAAQ;gCACd,QAAQ,EAAE,IAAI;gCACd,UAAU,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE;6BAC9B;yBACF;qBACF;iBACF,EACD,OAAO,CACR,CAAC;YACJ,CAAC;YAED,2EAA2E;YAC3E,qEAAqE;YACrE,IAAI,CAAC,2BAA2B,CAAC,KAAK,EAAE,WAAW,CAAC,EAAE,CAAC;gBACrD,OAAO,GAAG,CACR,gCAAgC,EAChC,oFAAoF,CACrF,CAAC;YACJ,CAAC;YACD,MAAM,QAAQ,GAA4B;gBACxC,GAAG,EAAE;oBACH,gBAAgB,EAAE,MAAM,CAAC,mBAAmB,CAC1C,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,EACnC,EAAE,gBAAgB,EAAE,CACrB;iBACF;aACF,CAAC;YACF,IAAI,IAAI,EAAE,CAAC;gBACT,+DAA+D;gBAC/D,oEAAoE;gBACpE,0EAA0E;gBAC1E,2DAA2D;gBAC3D,QAAQ,CAAC,OAAO,GAAG;oBACjB,WAAW,EAAE,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;iBAC9D,CAAC;YACJ,CAAC;YAED,MAAM,cAAc,GAAgB,MAAM,CAAC,aAAa,EAAE;gBACxD,CAAC,CAAC,OAAO;gBACT,CAAC,CAAC,UAAU,CAAC;YACf,OAAO,MAAM,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;QAC1C,CAAC;KACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"handlers.js","sourceRoot":"","sources":["../../src/checkout/handlers.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,UAAU,EACV,SAAS,GAGV,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,2BAA2B,EAAE,MAAM,kBAAkB,CAAC;AAC/D,OAAO,EACL,cAAc,EACd,UAAU,EACV,UAAU,EACV,WAAW,EACX,aAAa,GACd,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,sBAAsB,EAAsB,MAAM,YAAY,CAAC;AASxE;;;;GAIG;AACH,MAAM,oBAAoB,GAAG,KAAK,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;AAEnD;;;;GAIG;AACH,MAAM,kBAAkB,GAAG,iBAAiB,CAAC;AAE7C,+BAA+B;AAC/B,SAAS,GAAG,CACV,IAAuB,EACvB,OAAe,EACf,QAAsB;IAEtB,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;AACtD,CAAC;AAED,iFAAiF;AACjF,SAAS,kBAAkB,CAAC,IAAiB;IAC3C,OAAO,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,CAC/B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,4BAA4B,CAC/C,CAAC;AACJ,CAAC;AAED,SAAS,SAAS,CAAC,KAAyB;IAI1C,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACvB,IAAI,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE;QAClB,QAAQ,EAAE,CAAC,CAAC,QAAQ,IAAI,CAAC;KAC1B,CAAC,CAAC,CAAC;AACN,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,sBAAsB,CAAC,IAAkB;IACvD,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAExC,OAAO;QACL,iEAAiE;QACjE,KAAK,CAAC,cAAc,CAAC,IAMpB;YACC,OAAO,MAAM,CAAC,YAAY,CAAC;gBACzB,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,OAAO,EAAE,sBAAsB,CAAC,IAAI,CAAC,OAAO,CAAC;gBAC7C,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,OAAO,EAAE,IAAI,CAAC,OAAO;aACtB,CAAC,CAAC;QACL,CAAC;QAED,0DAA0D;QAC1D,KAAK,CAAC,cAAc,CAAC,IAGpB;YACC,OAAO,MAAM,CAAC,cAAc,CAAC,gBAAgB,EAAE;gBAC7C,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,OAAO,EAAE,IAAI,CAAC,OAAO;aACtB,CAAC,CAAC;QACL,CAAC;QAED,mEAAmE;QACnE,KAAK,CAAC,gBAAgB,CAAC,IAItB;YACC,OAAO,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE;gBAC1C,EAAE,EAAE,IAAI,CAAC,EAAE;gBACX,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,OAAO;aACtB,CAAC,CAAC;QACL,CAAC;QAED,kDAAkD;QAClD,KAAK,CAAC,WAAW,CAAC,IAGjB;YACC,OAAO,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,SAAS,EAAE,aAAa,EAAE;gBACzD,OAAO,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE;aACzB,CAAC,CAAC;QACL,CAAC;QAED,KAAK,CAAC,UAAU,CAAC,IAGhB;YACC,OAAO,MAAM,CAAC,aAAa,CACzB,IAAI,CAAC,SAAS,EACd,aAAa,EACb,EAAE,IAAI,EAAE,EAAE,UAAU,EAAE,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,EAC/C,EAAE,UAAU,EAAE,IAAI,EAAE,CACrB,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,UAAU,CAAC,IAIhB;YACC,OAAO,MAAM,CAAC,aAAa,CACzB,IAAI,CAAC,SAAS,EACd,aAAa,EACb,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,UAAU,EAAE,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,EAC5D,EAAE,UAAU,EAAE,IAAI,EAAE,CACrB,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,QAAQ,CAAC,IAGd;YACC,OAAO,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,SAAS,EAAE,UAAU,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;QAC3E,CAAC;QAED,KAAK,CAAC,cAAc,CAAC,IAMpB;YACC,MAAM,QAAQ,GAA4B,EAAE,CAAC;YAC7C,IAAI,IAAI,CAAC,MAAM;gBAAE,QAAQ,CAAC,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC;YAChD,IAAI,IAAI,CAAC,KAAK;gBAAE,QAAQ,CAAC,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC5D,IAAI,IAAI,CAAC,KAAK;gBAAE,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;YAC5C,IAAI,IAAI,CAAC,eAAe;gBACtB,QAAQ,CAAC,gBAAgB,GAAG,IAAI,CAAC,eAAe,CAAC;YACnD,OAAO,MAAM,CAAC,aAAa,CACzB,IAAI,CAAC,SAAS,EACd,iBAAiB,EACjB,EAAE,QAAQ,EAAE,EACZ,EAAE,UAAU,EAAE,IAAI,EAAE,CACrB,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,cAAc,CAAC,IAOpB;YACC,MAAM,QAAQ,GAA4B,EAAE,CAAC;YAC7C,IAAI,IAAI,CAAC,KAAK;gBAAE,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;YAC5C,IAAI,IAAI,CAAC,eAAe;gBACtB,QAAQ,CAAC,gBAAgB,GAAG,IAAI,CAAC,eAAe,CAAC;YACnD,IAAI,IAAI,CAAC,gBAAgB;gBACvB,QAAQ,CAAC,kBAAkB,GAAG,IAAI,CAAC,gBAAgB,CAAC;YACtD,IAAI,IAAI,CAAC,SAAS;gBAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;YACxD,OAAO,MAAM,CAAC,aAAa,CACzB,IAAI,CAAC,SAAS,EACd,iBAAiB,EACjB,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,QAAQ,EAAE,EACzB,EAAE,UAAU,EAAE,IAAI,EAAE,CACrB,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,QAAQ,CAAC,IAGd;YACC,OAAO,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;QAC5E,CAAC;QAED;;;;;WAKG;QACH,KAAK,CAAC,eAAe,CACnB,KAA2B;YAE3B,MAAM,IAAI,GAAG,KAAK,CAAC,SAAS,CAAC;YAC7B,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC;YACpC,MAAM,gBAAgB,GAAG,aAAa,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;YAC/D,MAAM,aAAa,GAAG,KAAK,CAAC,aAAa,CAAC;YAC1C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,KAAK,IAAI,CAAC;YAC/C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,KAAK,KAAK,CAAC;YAEhD,uEAAuE;YACvE,sEAAsE;YACtE,IAAI,KAAK,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,IAAI,EAAE,cAAc,EAAE;gBAC3D,EAAE,EAAE,UAAU;aACf,CAAC,CAAC;YACH,IAAI,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;gBACtB,OAAO,GAAG,CAAC,aAAa,EAAE,SAAS,CAAC,KAAK,CAAC,IAAI,iBAAiB,EAAE,KAAK,CAAC,CAAC;YAC1E,CAAC;YAED,qEAAqE;YACrE,0EAA0E;YAC1E,uEAAuE;YACvE,wEAAwE;YACxE,0EAA0E;YAC1E,uEAAuE;YACvE,0EAA0E;YAC1E,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,MAAM,GACT,KAAkD,CAAC,OAAO;oBACzD,EAAE,WAAW,IAAI,EAAE,CAAC;gBACxB,IAAI,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;oBACxC,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,aAAa,CACxC,IAAI,EACJ,iBAAiB,EACjB;wBACE,EAAE,EAAE,UAAU;wBACd,QAAQ,EAAE;4BACR,OAAO,EAAE;gCACP,WAAW,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,kBAAkB,CAAC;6BAC5D;yBACF;qBACF,EACD,EAAE,UAAU,EAAE,IAAI,EAAE,CACrB,CAAC;oBACF,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;wBACxB,OAAO,GAAG,CACR,aAAa,EACb,SAAS,CAAC,OAAO,CAAC,IAAI,8BAA8B,EACpD,OAAO,CACR,CAAC;oBACJ,CAAC;oBACD,KAAK,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,IAAI,EAAE,cAAc,EAAE;wBACvD,EAAE,EAAE,UAAU;qBACf,CAAC,CAAC;oBACH,IAAI,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;wBACtB,OAAO,GAAG,CACR,aAAa,EACb,SAAS,CAAC,KAAK,CAAC,IAAI,iBAAiB,EACrC,KAAK,CACN,CAAC;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC;YAED,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;YAEzD,oEAAoE;YACpE,MAAM,MAAM,GAAG,KAAK,EAClB,QAAiC,EACjC,IAAiB,EACS,EAAE;gBAC5B,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,aAAa,CACrC,IAAI,EACJ,mBAAmB,EACnB,EAAE,EAAE,EAAE,UAAU,EAAE,QAAQ,EAAE,EAC5B,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,CAC3B,CAAC;gBACF,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;oBACrB,IAAI,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC7B,OAAO;4BACL,MAAM,EAAE,4BAA4B;4BACpC,KAAK,EAAE,cAAc,CAAC,KAAK,CAAC;4BAC5B,QAAQ,EAAE,IAAI;yBACf,CAAC;oBACJ,CAAC;oBACD,OAAO,GAAG,CACR,aAAa,EACb,SAAS,CAAC,IAAI,CAAC,IAAI,8BAA8B,EACjD,IAAI,CACL,CAAC;gBACJ,CAAC;gBACD,MAAM,WAAW,GAAI,IAAkC,CAAC,YAAY,CAAC;gBACrE,IACG,IAA4B,CAAC,MAAM,KAAK,qBAAqB;oBAC9D,WAAW,EACX,CAAC;oBACD,OAAO;wBACL,MAAM,EAAE,qBAAqB;wBAC7B,WAAW;wBACX,QAAQ,EAAE,IAAI;qBACf,CAAC;gBACJ,CAAC;gBACD,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YACjD,CAAC,CAAC;YAEF,MAAM,IAAI,GAAG,WAAW,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;YAE/C,yEAAyE;YACzE,0EAA0E;YAC1E,mEAAmE;YACnE,IAAI,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5B,IAAI,CAAC,2BAA2B,CAAC,KAAK,EAAE,WAAW,CAAC,EAAE,CAAC;oBACrD,OAAO,GAAG,CACR,gCAAgC,EAChC,oFAAoF,CACrF,CAAC;gBACJ,CAAC;gBACD,MAAM,cAAc,GAAgB,MAAM,CAAC,aAAa,EAAE;oBACxD,CAAC,CAAC,OAAO;oBACT,CAAC,CAAC,UAAU,CAAC;gBACf,OAAO,MAAM,CACX;oBACE,GAAG,EAAE;wBACH,gBAAgB,EAAE,MAAM,CAAC,mBAAmB,CAC1C,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,EACnC,EAAE,gBAAgB,EAAE,CACrB;qBACF;iBACF,EACD,cAAc,CACf,CAAC;YACJ,CAAC;YAED,wEAAwE;YACxE,wEAAwE;YACxE,4EAA4E;YAC5E,6EAA6E;YAC7E,6EAA6E;YAC7E,+EAA+E;YAC/E,IAAI,IAAI,EAAE,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC5B,IAAI,CAAC,MAAM,EAAE,CAAC;oBACZ,OAAO,GAAG,CACR,uBAAuB,EACvB,uGAAuG,CACxG,CAAC;gBACJ,CAAC;gBACD,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,EAAE,CAAC;oBAC5B,OAAO,GAAG,CACR,yBAAyB,EACzB,qGAAqG,CACtG,CAAC;gBACJ,CAAC;gBAED,kEAAkE;gBAClE,mEAAmE;gBACnE,oEAAoE;gBACpE,wEAAwE;gBACxE,MAAM,cAAc,GACjB,KAAkD,CAAC,OAAO;oBACzD,EAAE,WAAW,IAAI,EAAE,CAAC;gBACxB,IAAI,WAAW,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;oBAChE,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,aAAa,CACxC,IAAI,EACJ,iBAAiB,EACjB;wBACE,EAAE,EAAE,UAAU;wBACd,QAAQ,EAAE;4BACR,OAAO,EAAE;gCACP,WAAW,EAAE,CAAC,GAAG,cAAc,EAAE,kBAAkB,CAAC;6BACrD;yBACF;qBACF,EACD,EAAE,UAAU,EAAE,IAAI,EAAE,CACrB,CAAC;oBACF,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;wBACxB,OAAO,GAAG,CACR,aAAa,EACb,SAAS,CAAC,OAAO,CAAC,IAAI,8BAA8B,EACpD,OAAO,CACR,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAED,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,aAAa,CACzC,IAAI,EACJ,0BAA0B,EAC1B;oBACE,EAAE,EAAE,UAAU;oBACd,cAAc,EAAE;wBACd,aAAa,EAAE,oBAAoB;wBACnC,eAAe,EAAE,MAAM,CAAC,aAAa;qBACtC;iBACF,EACD,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,CACpC,CAAC;gBACF,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACzB,OAAO,GAAG,CACR,aAAa,EACb,SAAS,CAAC,QAAQ,CAAC,IAAI,8BAA8B,EACrD,QAAQ,CACT,CAAC;gBACJ,CAAC;gBACD,MAAM,UAAU,GACd,QAAQ,CAAC,cACV,EAAE,WAAW,CAAC;gBACf,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,OAAO,GAAG,CACR,wBAAwB,EACxB,qEAAqE,CACtE,CAAC;gBACJ,CAAC;gBAED,mEAAmE;gBACnE,wEAAwE;gBACxE,2CAA2C;gBAC3C,KAAK,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,IAAI,EAAE,cAAc,EAAE;oBACvD,EAAE,EAAE,UAAU;iBACf,CAAC,CAAC;gBACH,IAAI,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;oBACtB,OAAO,GAAG,CACR,aAAa,EACb,SAAS,CAAC,KAAK,CAAC,IAAI,iBAAiB,EACrC,KAAK,CACN,CAAC;gBACJ,CAAC;gBACD,IAAI,CAAC,2BAA2B,CAAC,KAAK,EAAE,WAAW,CAAC,EAAE,CAAC;oBACrD,OAAO,GAAG,CACR,gCAAgC,EAChC,oFAAoF,CACrF,CAAC;gBACJ,CAAC;gBAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;gBAChC,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;gBACnC,IACE,MAAM,CAAC,cAAc,KAAK,SAAS;oBACnC,KAAK,GAAG,MAAM,CAAC,cAAc,EAC7B,CAAC;oBACD,OAAO,GAAG,CACR,oBAAoB,EACpB,eAAe,KAAK,IAAI,QAAQ,sCAAsC,MAAM,CAAC,cAAc,oBAAoB,CAChH,CAAC;gBACJ,CAAC;gBAED,kEAAkE;gBAClE,sEAAsE;gBACtE,MAAM,GAAG,GAA4B;oBACnC,gBAAgB,EAAE,MAAM,CAAC,mBAAmB,CAC1C,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,EACnC,EAAE,gBAAgB,EAAE,CACrB;oBACD,eAAe,EAAE,MAAM,CAAC,kBAAkB,CACxC,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,EAC3C,EAAE,gBAAgB,EAAE,CACrB;iBACF,CAAC;gBAEF,IAAI,MAAc,CAAC;gBACnB,IAAI,CAAC;oBACH,MAAM,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;gBACtD,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACX,OAAO,GAAG,CACR,0BAA0B,EAC1B,CAAC,YAAY,KAAK;wBAChB,CAAC,CAAC,CAAC,CAAC,OAAO;wBACX,CAAC,CAAC,yCAAyC,CAC9C,CAAC;gBACJ,CAAC;gBAED,sEAAsE;gBACtE,mEAAmE;gBACnE,OAAO,MAAM,CACX;oBACE,GAAG;oBACH,OAAO,EAAE;wBACP,WAAW,EAAE;4BACX;gCACE,UAAU,EAAE,IAAI,CAAC,SAAS;gCAC1B,IAAI,EAAE,QAAQ;gCACd,QAAQ,EAAE,IAAI;gCACd,UAAU,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE;6BAC9B;yBACF;qBACF;iBACF,EACD,OAAO,CACR,CAAC;YACJ,CAAC;YAED,2EAA2E;YAC3E,qEAAqE;YACrE,IAAI,CAAC,2BAA2B,CAAC,KAAK,EAAE,WAAW,CAAC,EAAE,CAAC;gBACrD,OAAO,GAAG,CACR,gCAAgC,EAChC,oFAAoF,CACrF,CAAC;YACJ,CAAC;YACD,MAAM,QAAQ,GAA4B;gBACxC,GAAG,EAAE;oBACH,gBAAgB,EAAE,MAAM,CAAC,mBAAmB,CAC1C,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,EACnC,EAAE,gBAAgB,EAAE,CACrB;iBACF;aACF,CAAC;YACF,IAAI,IAAI,EAAE,CAAC;gBACT,+DAA+D;gBAC/D,oEAAoE;gBACpE,0EAA0E;gBAC1E,2DAA2D;gBAC3D,QAAQ,CAAC,OAAO,GAAG;oBACjB,WAAW,EAAE,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;iBAC9D,CAAC;YACJ,CAAC;YAED,MAAM,cAAc,GAAgB,MAAM,CAAC,aAAa,EAAE;gBACxD,CAAC,CAAC,OAAO;gBACT,CAAC,CAAC,UAAU,CAAC;YACf,OAAO,MAAM,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;QAC1C,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/checkout/types.d.ts

@@ -24,6 +24,13 @@ export interface ConfirmPurchaseInput {
     paymentMethod?: string;
     /** Optional server-side allowance (PaymentMandate) UUID to bind the mandate to. */
     paymentMandateId?: string;
+    /**
+     * When `true`, attach the `sh.artos.coupon` eligibility claim before crypto
+     * prepare so the server redeems the buyer's best eligible coupon. When `false`,
+     * strip any existing claim so the coupon is left untouched. Omit/`undefined`
+     * does not attach or remove a claim.
+     */
+    applyCoupon?: boolean;
 }
 /**
  * Why a `confirmPurchase` could not place the order. These map 1:1 to the inline

package/dist/index.d.ts

@@ -2,5 +2,7 @@ export { UCP_VERSION, normalizeBaseUrl, assertEcP256PrivateJwk, parseSuiNetwork,
 export { UcpClient, UcpClientError, UcpAuthError, messageOf, isUcpError, type UcpResponse, type UcpClientOptions, type UcpAuthMode, type StoreToolOptions, type AccountToolSpec, type ToolAnnotations, } from './ucp/client.js';
 export { canonicalJson, verifyDetachedJws, verifyMerchantAuthorization, Ap2Signer, type CheckoutMandateClaims, type PaymentMandateClaims, } from './ap2/index.js';
 export { createCheckoutHandlers, toMinorUnits, normalizeSearchFilters, availableRails, resolveRail, railKind, grandTotal, currencyOf, asAllowanceId, type CheckoutHandlers, type CheckoutDeps, type CheckoutLineItem, type ConfirmPurchaseInput, type CheckoutErrorCode, type CheckoutOutcome, type SearchFilters, type ResolvedRail, } from './checkout/index.js';
+export { createAccountHandlers, type AccountHandlers, type AccountDeps, } from './account/handlers.js';
+export { OAuthClient, OAuthClientError, createPkce, DEFAULT_BUYER_SCOPE, type AuthorizationServerMetadata, type OAuthTokens, type Pkce, type OAuthClientConfig, type OAuthClientOptions, } from './oauth/client.js';
 export { resolveCryptoDeps, type CryptoDeps } from './crypto/deps.js';
 export { SuiSigner, SuiSignerError } from './sui/signer.js';

package/dist/index.js

@@ -6,6 +6,10 @@ export { UcpClient, UcpClientError, UcpAuthError, messageOf, isUcpError, } from
 export { canonicalJson, verifyDetachedJws, verifyMerchantAuthorization, Ap2Signer, } from './ap2/index.js';
 // Checkout orchestration
 export { createCheckoutHandlers, toMinorUnits, normalizeSearchFilters, availableRails, resolveRail, railKind, grandTotal, currencyOf, asAllowanceId, } from './checkout/index.js';
+// Buyer-account tools
+export { createAccountHandlers, } from './account/handlers.js';
+// Buyer OAuth (PKCE authorize + token exchange/refresh)
+export { OAuthClient, OAuthClientError, createPkce, DEFAULT_BUYER_SCOPE, } from './oauth/client.js';
 // Crypto rail (requires the optional `@mysten/sui` peer dependency)
 export { resolveCryptoDeps } from './crypto/deps.js';
 export { SuiSigner, SuiSignerError } from './sui/signer.js';

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,SAAS;AACT,OAAO,EACL,WAAW,EACX,gBAAgB,EAChB,sBAAsB,EACtB,eAAe,GAMhB,MAAM,aAAa,CAAC;AAErB,YAAY;AACZ,OAAO,EACL,SAAS,EACT,cAAc,EACd,YAAY,EACZ,SAAS,EACT,UAAU,GAOX,MAAM,iBAAiB,CAAC;AAEzB,MAAM;AACN,OAAO,EACL,aAAa,EACb,iBAAiB,EACjB,2BAA2B,EAC3B,SAAS,GAGV,MAAM,gBAAgB,CAAC;AAExB,yBAAyB;AACzB,OAAO,EACL,sBAAsB,EACtB,YAAY,EACZ,sBAAsB,EACtB,cAAc,EACd,WAAW,EACX,QAAQ,EACR,UAAU,EACV,UAAU,EACV,aAAa,GASd,MAAM,qBAAqB,CAAC;AAE7B,oEAAoE;AACpE,OAAO,EAAE,iBAAiB,EAAmB,MAAM,kBAAkB,CAAC;AACtE,OAAO,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,SAAS;AACT,OAAO,EACL,WAAW,EACX,gBAAgB,EAChB,sBAAsB,EACtB,eAAe,GAMhB,MAAM,aAAa,CAAC;AAErB,YAAY;AACZ,OAAO,EACL,SAAS,EACT,cAAc,EACd,YAAY,EACZ,SAAS,EACT,UAAU,GAOX,MAAM,iBAAiB,CAAC;AAEzB,MAAM;AACN,OAAO,EACL,aAAa,EACb,iBAAiB,EACjB,2BAA2B,EAC3B,SAAS,GAGV,MAAM,gBAAgB,CAAC;AAExB,yBAAyB;AACzB,OAAO,EACL,sBAAsB,EACtB,YAAY,EACZ,sBAAsB,EACtB,cAAc,EACd,WAAW,EACX,QAAQ,EACR,UAAU,EACV,UAAU,EACV,aAAa,GASd,MAAM,qBAAqB,CAAC;AAE7B,sBAAsB;AACtB,OAAO,EACL,qBAAqB,GAGtB,MAAM,uBAAuB,CAAC;AAE/B,wDAAwD;AACxD,OAAO,EACL,WAAW,EACX,gBAAgB,EAChB,UAAU,EACV,mBAAmB,GAMpB,MAAM,mBAAmB,CAAC;AAE3B,oEAAoE;AACpE,OAAO,EAAE,iBAAiB,EAAmB,MAAM,kBAAkB,CAAC;AACtE,OAAO,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/oauth/client.d.ts

@@ -0,0 +1,96 @@
+/**
+ * The buyer-auth scopes a Build-track agent should request: `purchase:complete`
+ * to place orders, and `offline_access` so the API mints a rotating refresh
+ * token (without it the buyer must re-consent every time the access token
+ * expires).
+ */
+export declare const DEFAULT_BUYER_SCOPE = "purchase:complete offline_access";
+/** RFC 8414 Authorization Server metadata (the fields this client uses). */
+export interface AuthorizationServerMetadata {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    scopes_supported?: string[];
+    code_challenge_methods_supported?: string[];
+    [k: string]: unknown;
+}
+/** A normalized OAuth token response. */
+export interface OAuthTokens {
+    accessToken: string;
+    tokenType: string;
+    /** Access-token lifetime in seconds. */
+    expiresIn: number;
+    /** Present only when `offline_access` was granted. */
+    refreshToken?: string;
+    scope?: string;
+}
+/** A PKCE (RFC 7636) verifier/challenge pair (S256). */
+export interface Pkce {
+    verifier: string;
+    challenge: string;
+    method: 'S256';
+}
+/** Raised for OAuth discovery / token errors (carries the RFC 6749 `error`). */
+export declare class OAuthClientError extends Error {
+    readonly error: string;
+    constructor(error: string, description?: string);
+}
+type FetchLike = typeof fetch;
+/**
+ * Generates a PKCE pair: a high-entropy `verifier` and its S256 `challenge`. Send
+ * the challenge on the authorize request; keep the verifier to redeem the code.
+ */
+export declare function createPkce(): Pkce;
+export interface OAuthClientConfig {
+    /** Artos API base URL / OAuth issuer origin, e.g. `https://api.artos.sh`. */
+    artosBaseUrl: string;
+}
+export interface OAuthClientOptions {
+    fetch?: FetchLike;
+}
+/**
+ * Drives the Artos buyer-OAuth flow (RFC 6749/7636/8414) for a **Build-track**
+ * agent that runs sign-in itself (instead of relying on the hosted Connect
+ * bridge / Claude). It discovers the Authorization Server metadata, builds the
+ * PKCE authorize URL, and exchanges/refreshes tokens against the token endpoint.
+ * AS metadata is fetched once and cached for the client's lifetime.
+ */
+export declare class OAuthClient {
+    private readonly fetchImpl;
+    private readonly baseUrl;
+    private cached?;
+    constructor(cfg: OAuthClientConfig, options?: OAuthClientOptions);
+    /** Fetches RFC 8414 AS metadata (`/.well-known/oauth-authorization-server`). */
+    discover(): Promise<AuthorizationServerMetadata>;
+    /** Cached AS metadata (discovered on first use). */
+    metadata(): Promise<AuthorizationServerMetadata>;
+    /**
+     * Builds the PKCE authorize URL the buyer opens to sign in + consent. Returns
+     * the URL and the `state` (verify it on the redirect to prevent CSRF). Pair
+     * with a {@link createPkce} `challenge`; keep the matching `verifier`.
+     */
+    authorizeUrl(params: {
+        clientId: string;
+        redirectUri: string;
+        codeChallenge: string;
+        scope?: string;
+        state?: string;
+    }): Promise<{
+        url: string;
+        state: string;
+    }>;
+    /** Redeems an authorization code (+ PKCE verifier) for tokens. */
+    exchangeCode(params: {
+        code: string;
+        codeVerifier: string;
+        clientId: string;
+        redirectUri: string;
+    }): Promise<OAuthTokens>;
+    /** Exchanges a refresh token for a fresh access token (rotates the refresh). */
+    refresh(params: {
+        refreshToken: string;
+        clientId?: string;
+    }): Promise<OAuthTokens>;
+    private tokenRequest;
+}
+export {};

package/dist/oauth/client.js

@@ -0,0 +1,123 @@
+import { createHash, randomBytes, randomUUID } from 'node:crypto';
+import { normalizeBaseUrl } from '../config.js';
+/**
+ * The buyer-auth scopes a Build-track agent should request: `purchase:complete`
+ * to place orders, and `offline_access` so the API mints a rotating refresh
+ * token (without it the buyer must re-consent every time the access token
+ * expires).
+ */
+export const DEFAULT_BUYER_SCOPE = 'purchase:complete offline_access';
+/** Raised for OAuth discovery / token errors (carries the RFC 6749 `error`). */
+export class OAuthClientError extends Error {
+    error;
+    constructor(error, description) {
+        super(description ?? error);
+        this.error = error;
+        this.name = 'OAuthClientError';
+    }
+}
+function base64url(buf) {
+    return buf.toString('base64url');
+}
+/**
+ * Generates a PKCE pair: a high-entropy `verifier` and its S256 `challenge`. Send
+ * the challenge on the authorize request; keep the verifier to redeem the code.
+ */
+export function createPkce() {
+    const verifier = base64url(randomBytes(32));
+    const challenge = base64url(createHash('sha256').update(verifier).digest());
+    return { verifier, challenge, method: 'S256' };
+}
+/**
+ * Drives the Artos buyer-OAuth flow (RFC 6749/7636/8414) for a **Build-track**
+ * agent that runs sign-in itself (instead of relying on the hosted Connect
+ * bridge / Claude). It discovers the Authorization Server metadata, builds the
+ * PKCE authorize URL, and exchanges/refreshes tokens against the token endpoint.
+ * AS metadata is fetched once and cached for the client's lifetime.
+ */
+export class OAuthClient {
+    fetchImpl;
+    baseUrl;
+    cached;
+    constructor(cfg, options = {}) {
+        this.baseUrl = normalizeBaseUrl(cfg.artosBaseUrl);
+        this.fetchImpl = options.fetch ?? fetch;
+    }
+    /** Fetches RFC 8414 AS metadata (`/.well-known/oauth-authorization-server`). */
+    async discover() {
+        const res = await this.fetchImpl(`${this.baseUrl}/.well-known/oauth-authorization-server`, { headers: { Accept: 'application/json' } });
+        if (!res.ok) {
+            throw new OAuthClientError('discovery_failed', `Authorization Server metadata fetch failed (${res.status}).`);
+        }
+        const meta = (await res.json());
+        if (!meta.authorization_endpoint || !meta.token_endpoint) {
+            throw new OAuthClientError('discovery_failed', 'Authorization Server metadata is missing authorize/token endpoints.');
+        }
+        return meta;
+    }
+    /** Cached AS metadata (discovered on first use). */
+    async metadata() {
+        return (this.cached ??= await this.discover());
+    }
+    /**
+     * Builds the PKCE authorize URL the buyer opens to sign in + consent. Returns
+     * the URL and the `state` (verify it on the redirect to prevent CSRF). Pair
+     * with a {@link createPkce} `challenge`; keep the matching `verifier`.
+     */
+    async authorizeUrl(params) {
+        const meta = await this.metadata();
+        const state = params.state ?? randomUUID();
+        const url = new URL(meta.authorization_endpoint);
+        url.searchParams.set('response_type', 'code');
+        url.searchParams.set('client_id', params.clientId);
+        url.searchParams.set('redirect_uri', params.redirectUri);
+        url.searchParams.set('code_challenge', params.codeChallenge);
+        url.searchParams.set('code_challenge_method', 'S256');
+        url.searchParams.set('scope', params.scope ?? DEFAULT_BUYER_SCOPE);
+        url.searchParams.set('state', state);
+        return { url: url.toString(), state };
+    }
+    /** Redeems an authorization code (+ PKCE verifier) for tokens. */
+    async exchangeCode(params) {
+        return this.tokenRequest({
+            grant_type: 'authorization_code',
+            code: params.code,
+            code_verifier: params.codeVerifier,
+            client_id: params.clientId,
+            redirect_uri: params.redirectUri,
+        });
+    }
+    /** Exchanges a refresh token for a fresh access token (rotates the refresh). */
+    async refresh(params) {
+        const body = {
+            grant_type: 'refresh_token',
+            refresh_token: params.refreshToken,
+        };
+        if (params.clientId)
+            body.client_id = params.clientId;
+        return this.tokenRequest(body);
+    }
+    async tokenRequest(body) {
+        const meta = await this.metadata();
+        const res = await this.fetchImpl(meta.token_endpoint, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                Accept: 'application/json',
+            },
+            body: new URLSearchParams(body).toString(),
+        });
+        const json = (await res.json());
+        if (!res.ok || !json.access_token) {
+            throw new OAuthClientError(json.error ?? 'token_error', json.error_description ?? `Token request failed (${res.status}).`);
+        }
+        return {
+            accessToken: json.access_token,
+            tokenType: json.token_type ?? 'Bearer',
+            expiresIn: json.expires_in ?? 0,
+            refreshToken: json.refresh_token,
+            scope: json.scope,
+        };
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/oauth/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/oauth/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD;;;;;GAKG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,kCAAkC,CAAC;AA8BtE,gFAAgF;AAChF,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAE9B;IADX,YACW,KAAa,EACtB,WAAoB;QAEpB,KAAK,CAAC,WAAW,IAAI,KAAK,CAAC,CAAC;QAHnB,UAAK,GAAL,KAAK,CAAQ;QAItB,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF;AAID,SAAS,SAAS,CAAC,GAAW;IAC5B,OAAO,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACnC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,UAAU;IACxB,MAAM,QAAQ,GAAG,SAAS,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IAC5C,MAAM,SAAS,GAAG,SAAS,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5E,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;AACjD,CAAC;AAWD;;;;;;GAMG;AACH,MAAM,OAAO,WAAW;IACL,SAAS,CAAY;IACrB,OAAO,CAAS;IACzB,MAAM,CAA+B;IAE7C,YAAY,GAAsB,EAAE,UAA8B,EAAE;QAClE,IAAI,CAAC,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAClD,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,KAAK,IAAI,KAAK,CAAC;IAC1C,CAAC;IAED,gFAAgF;IAChF,KAAK,CAAC,QAAQ;QACZ,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CAC9B,GAAG,IAAI,CAAC,OAAO,yCAAyC,EACxD,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,CAC5C,CAAC;QACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,gBAAgB,CACxB,kBAAkB,EAClB,+CAA+C,GAAG,CAAC,MAAM,IAAI,CAC9D,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAgC,CAAC;QAC/D,IAAI,CAAC,IAAI,CAAC,sBAAsB,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzD,MAAM,IAAI,gBAAgB,CACxB,kBAAkB,EAClB,qEAAqE,CACtE,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,oDAAoD;IACpD,KAAK,CAAC,QAAQ;QACZ,OAAO,CAAC,IAAI,CAAC,MAAM,KAAK,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;IACjD,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,YAAY,CAAC,MAMlB;QACC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,UAAU,EAAE,CAAC;QAC3C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QACjD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QAC9C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;QACnD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;QACzD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;QAC7D,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;QACtD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,IAAI,mBAAmB,CAAC,CAAC;QACnE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QACrC,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC;IACxC,CAAC;IAED,kEAAkE;IAClE,KAAK,CAAC,YAAY,CAAC,MAKlB;QACC,OAAO,IAAI,CAAC,YAAY,CAAC;YACvB,UAAU,EAAE,oBAAoB;YAChC,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,aAAa,EAAE,MAAM,CAAC,YAAY;YAClC,SAAS,EAAE,MAAM,CAAC,QAAQ;YAC1B,YAAY,EAAE,MAAM,CAAC,WAAW;SACjC,CAAC,CAAC;IACL,CAAC;IAED,gFAAgF;IAChF,KAAK,CAAC,OAAO,CAAC,MAGb;QACC,MAAM,IAAI,GAA2B;YACnC,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,MAAM,CAAC,YAAY;SACnC,CAAC;QACF,IAAI,MAAM,CAAC,QAAQ;YAAE,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,QAAQ,CAAC;QACtD,OAAO,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC;IAEO,KAAK,CAAC,YAAY,CACxB,IAA4B;QAE5B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,cAAc,EAAE;YACpD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,MAAM,EAAE,kBAAkB;aAC3B;YACD,IAAI,EAAE,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE;SAC3C,CAAC,CAAC;QACH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAQ7B,CAAC;QACF,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YAClC,MAAM,IAAI,gBAAgB,CACxB,IAAI,CAAC,KAAK,IAAI,aAAa,EAC3B,IAAI,CAAC,iBAAiB,IAAI,yBAAyB,GAAG,CAAC,MAAM,IAAI,CAClE,CAAC;QACJ,CAAC;QACD,OAAO;YACL,WAAW,EAAE,IAAI,CAAC,YAAY;YAC9B,SAAS,EAAE,IAAI,CAAC,UAAU,IAAI,QAAQ;YACtC,SAAS,EAAE,IAAI,CAAC,UAAU,IAAI,CAAC;YAC/B,YAAY,EAAE,IAAI,CAAC,aAAa;YAChC,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC;IACJ,CAAC;CACF"}

package/package.json

@@ -1,30 +1,15 @@
 {
   "name": "@artos-commerce/ucp-client",
-  "version": "0.1.0",
-  "description": "TypeScript SDK for the Universal Commerce Protocol (UCP) on Artos: typed API transport, AP2 mandate signing, optional Sui crypto settlement, and checkout orchestration for building agent-commerce integrations.",
-  "keywords": [
-    "ucp",
-    "universal-commerce-protocol",
-    "agent-commerce",
-    "agentic-commerce",
-    "ap2",
-    "sui",
-    "artos",
-    "commerce",
-    "checkout",
-    "mcp"
-  ],
+  "version": "0.2.0",
+  "description": "Build-track Direct UCP client for Artos: typed UCP transport, AP2 mandate signing, checkout orchestration, buyer-account tools, and buyer OAuth so you can build your own commerce-grade UCP client without hand-rolling the envelope, signing, and credential rules.",
   "type": "module",
-  "sideEffects": false,
   "license": "MIT",
-  "author": "Artos",
   "engines": {
     "node": ">=20"
   },
   "files": [
     "dist",
-    "README.md",
-    "LICENSE"
+    "README.md"
   ],
   "types": "./dist/index.d.ts",
   "exports": {
@@ -32,6 +17,8 @@
     "./ucp": "./dist/ucp/client.js",
     "./ap2": "./dist/ap2/index.js",
     "./checkout": "./dist/checkout/index.js",
+    "./account": "./dist/account/handlers.js",
+    "./oauth": "./dist/oauth/client.js",
     "./sui": "./dist/sui/signer.js",
     "./crypto": "./dist/crypto/deps.js"
   },

package/LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2026 Artos
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.