@astrasyncai/verification-gateway 2.0.0 → 2.1.0

package/dist/index.mjs

@@ -228,6 +228,7 @@ async function callVerifyAccessAPI(config, request) {
   if (requestData.subAgentDepth !== void 0) body.subAgentDepth = requestData.subAgentDepth;
   if (requestData.enableRuntimeChallenge) body.enableRuntimeChallenge = requestData.enableRuntimeChallenge;
   if (requestData.createSession) body.createSession = requestData.createSession;
+  if (requestData.durationRequired) body.durationRequired = requestData.durationRequired;
   if (requestData.counterpartyType) body.counterpartyType = requestData.counterpartyType;
   if (requestData.counterpartyUrl) body.counterpartyUrl = requestData.counterpartyUrl;
   if (requestData.runtimeChallengeOptions) body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;
@@ -401,6 +402,24 @@ async function recordDecision(config, sessionId, decision, reason) {
   }).catch(() => {
   });
 }
+async function reportUnregisteredAttempt(config, data) {
+  const apiBaseUrl = config.apiBaseUrl || DEFAULT_CONFIG.apiBaseUrl;
+  await fetch(`${apiBaseUrl}/verification-activity/unregistered-attempt`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(data)
+  }).catch(() => {
+  });
+}
+async function reportCounterpartyPreCheckFailure(config, data) {
+  const apiBaseUrl = config.apiBaseUrl || DEFAULT_CONFIG.apiBaseUrl;
+  await fetch(`${apiBaseUrl}/verification-activity/counterparty-pre-check-failure`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(data)
+  }).catch(() => {
+  });
+}
 async function quickVerify(config, credentials) {
   const result = await verify(config, {
     credentials,
@@ -482,6 +501,54 @@ function extractHttpCredentials(headers) {
   return credentials;
 }
 
+// src/pdlss-pre-check.ts
+function performCounterpartyPreCheck(routeConfig, astraCreds, purpose) {
+  const failures = [];
+  if (routeConfig.allowedPurposes && routeConfig.allowedPurposes.length > 0 && purpose) {
+    if (!routeConfig.allowedPurposes.includes(purpose)) {
+      failures.push({
+        field: "purpose",
+        requested: purpose,
+        limit: routeConfig.allowedPurposes,
+        message: `Purpose "${purpose}" is not in the allowed list: [${routeConfig.allowedPurposes.join(", ")}]`
+      });
+    }
+  }
+  if (routeConfig.requiredPurposes && routeConfig.requiredPurposes.length > 0 && purpose) {
+    if (!routeConfig.requiredPurposes.includes(purpose)) {
+      failures.push({
+        field: "purpose",
+        requested: purpose,
+        limit: routeConfig.requiredPurposes,
+        message: `Purpose "${purpose}" is not in the required list: [${routeConfig.requiredPurposes.join(", ")}]`
+      });
+    }
+  }
+  if (routeConfig.maxDuration && astraCreds?.pdlss?.duration?.maxSessionDuration) {
+    const requested = astraCreds.pdlss.duration.maxSessionDuration;
+    if (requested > routeConfig.maxDuration) {
+      failures.push({
+        field: "duration",
+        requested,
+        limit: routeConfig.maxDuration,
+        message: `Requested duration ${requested}s exceeds maximum ${routeConfig.maxDuration}s`
+      });
+    }
+  }
+  if (routeConfig.allowedJurisdictions && routeConfig.allowedJurisdictions.length > 0 && astraCreds?.pdlss?.scope?.jurisdiction) {
+    const requested = astraCreds.pdlss.scope.jurisdiction;
+    if (!routeConfig.allowedJurisdictions.includes(requested)) {
+      failures.push({
+        field: "jurisdiction",
+        requested,
+        limit: routeConfig.allowedJurisdictions,
+        message: `Jurisdiction "${requested}" is not in the allowed list: [${routeConfig.allowedJurisdictions.join(", ")}]`
+      });
+    }
+  }
+  return failures;
+}
+
 // src/adapters/express.ts
 function defaultExtractCredentials(req) {
   return extractCredentials(
@@ -493,6 +560,12 @@ function extractAstraSyncCredentials(req) {
   return extractHttpCredentials(req.headers);
 }
 function defaultExtractPurpose(req) {
+  const astraPurpose = req.headers["x-astra-purpose"];
+  if (astraPurpose) {
+    const value = Array.isArray(astraPurpose) ? astraPurpose[0] : astraPurpose;
+    const category = value.split(":")[0];
+    return category;
+  }
   const purposeHeader = req.headers["x-purpose"] || req.headers["X-Purpose"];
   if (purposeHeader) {
     return Array.isArray(purposeHeader) ? purposeHeader[0] : purposeHeader;
@@ -502,14 +575,14 @@ function defaultExtractPurpose(req) {
   }
   switch (req.method) {
     case "GET":
-      return "read";
+      return "read_data";
     case "POST":
-      return "create";
+      return "write_data";
     case "PUT":
     case "PATCH":
-      return "update";
+      return "write_data";
     case "DELETE":
-      return "delete";
+      return "delete_data";
     default:
       return "general";
   }
@@ -546,6 +619,7 @@ function createMiddleware(options) {
     skipPaths = [],
     onDenied = defaultOnDenied,
     recordDecisions,
+    enableRuntimeChallenge = true,
     ...config
   } = options;
   return async (req, res, next) => {
@@ -563,6 +637,16 @@ function createMiddleware(options) {
       }
       const credentials = customExtractCredentials ? customExtractCredentials(req) : defaultExtractCredentials(req);
       if (!hasCredentials(credentials) && routeConfig.minAccessLevel !== "guidance") {
+        const counterpartyUrl2 = config.counterpartyUrl || `${req.protocol}://${req.get("host")}`;
+        reportUnregisteredAttempt(config, {
+          counterpartyUrl: counterpartyUrl2,
+          counterpartyType: config.counterpartyType || "api",
+          sourceIp: req.ip,
+          userAgent: req.headers["user-agent"],
+          requestPath: req.path,
+          requestMethod: req.method
+        }).catch(() => {
+        });
         const result2 = {
           verified: false,
           accessLevel: "none",
@@ -579,7 +663,34 @@ function createMiddleware(options) {
         return;
       }
       const purpose = customExtractPurpose ? customExtractPurpose(req) : defaultExtractPurpose(req);
+      const astraCreds = extractAstraSyncCredentials(req);
       const counterpartyUrl = config.counterpartyUrl || `${req.protocol}://${req.get("host")}`;
+      const preCheckFailures = performCounterpartyPreCheck(routeConfig, astraCreds, purpose);
+      if (preCheckFailures.length > 0) {
+        const result2 = {
+          verified: false,
+          accessLevel: "none",
+          denialReasons: preCheckFailures.map((f) => f.message),
+          guidance: {
+            message: "Request exceeds counterparty-defined PDLSS limits.",
+            registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/register`,
+            documentationUrl: `${config.apiBaseUrl?.replace("/api", "")}/docs/pdlss`
+          },
+          verifiedAt: /* @__PURE__ */ new Date()
+        };
+        req.agentVerification = result2;
+        reportCounterpartyPreCheckFailure(config, {
+          agentId: astraCreds?.agentId || credentials.astraId || "unknown",
+          counterpartyUrl,
+          counterpartyType: config.counterpartyType || "api",
+          failures: preCheckFailures,
+          requestPath: req.path,
+          requestMethod: req.method
+        }).catch(() => {
+        });
+        onDenied(result2, req, res);
+        return;
+      }
       const shouldRecordDecisions = recordDecisions !== false;
       const result = await verify(config, {
         credentials,
@@ -590,7 +701,9 @@ function createMiddleware(options) {
         userAgent: req.headers["user-agent"],
         createSession: shouldRecordDecisions,
         counterpartyUrl,
-        counterpartyType: config.counterpartyType || "api"
+        counterpartyType: config.counterpartyType || "api",
+        enableRuntimeChallenge,
+        durationRequired: astraCreds?.pdlss?.duration?.maxSessionDuration
       });
       req.agentVerification = result;
       const sessionId = result.sessionId;
@@ -685,17 +798,32 @@ function findRouteConfig2(routes, path, method) {
     return methodMatches && pathMatches;
   });
 }
-function inferPurpose(method) {
-  switch (method.toUpperCase()) {
+function extractAstraSyncCredentialsFromNextRequest(request) {
+  const headers = {};
+  request.headers.forEach((value, key) => {
+    headers[key] = value;
+  });
+  return extractHttpCredentials(headers);
+}
+function extractPurpose(request) {
+  const astraPurpose = request.headers.get("x-astra-purpose");
+  if (astraPurpose) {
+    return astraPurpose.split(":")[0];
+  }
+  const purposeHeader = request.headers.get("x-purpose");
+  if (purposeHeader) {
+    return purposeHeader;
+  }
+  switch (request.method.toUpperCase()) {
     case "GET":
-      return "read";
+      return "read_data";
     case "POST":
-      return "create";
+      return "write_data";
     case "PUT":
     case "PATCH":
-      return "update";
+      return "write_data";
     case "DELETE":
-      return "delete";
+      return "delete_data";
     default:
       return "general";
   }
@@ -847,7 +975,7 @@ function generateCommerceShieldHtml(result, options) {
   `.trim();
 }
 function createMiddleware2(options) {
-  const { routes = [], skipPaths = [], showCommerceShield = true, ...config } = options;
+  const { routes = [], skipPaths = [], showCommerceShield = true, enableRuntimeChallenge = true, ...config } = options;
   return async function middleware(request) {
     const { NextResponse } = await import("next/server");
     const pathname = request.nextUrl.pathname;
@@ -864,6 +992,16 @@ function createMiddleware2(options) {
     }
     const credentials = extractCredentialsFromNextRequest(request);
     if (!hasCredentials(credentials) && routeConfig.minAccessLevel !== "guidance") {
+      const counterpartyUrl2 = config.counterpartyUrl || request.nextUrl.origin;
+      reportUnregisteredAttempt(config, {
+        counterpartyUrl: counterpartyUrl2,
+        counterpartyType: config.counterpartyType || "website",
+        sourceIp: request.headers.get("x-forwarded-for") || request.headers.get("x-real-ip") || void 0,
+        userAgent: request.headers.get("user-agent") || void 0,
+        requestPath: pathname,
+        requestMethod: request.method
+      }).catch(() => {
+      });
       const result2 = {
         verified: false,
         accessLevel: "none",
@@ -901,7 +1039,54 @@ function createMiddleware2(options) {
       return NextResponse.redirect(new URL(registerUrl, request.url));
     }
     const counterpartyUrl = config.counterpartyUrl || request.nextUrl.origin;
-    const purpose = request.headers.get("x-purpose") || inferPurpose(request.method);
+    const purpose = extractPurpose(request);
+    const astraCreds = extractAstraSyncCredentialsFromNextRequest(request);
+    const preCheckFailures = performCounterpartyPreCheck(routeConfig, astraCreds, purpose);
+    if (preCheckFailures.length > 0) {
+      const preCheckResult = {
+        verified: false,
+        accessLevel: "none",
+        denialReasons: preCheckFailures.map((f) => f.message),
+        guidance: {
+          message: "Request exceeds counterparty-defined PDLSS limits.",
+          registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/register`,
+          documentationUrl: `${config.apiBaseUrl?.replace("/api", "")}/docs/pdlss`
+        },
+        verifiedAt: /* @__PURE__ */ new Date()
+      };
+      reportCounterpartyPreCheckFailure(config, {
+        agentId: astraCreds?.agentId || credentials.astraId || "unknown",
+        counterpartyUrl,
+        counterpartyType: config.counterpartyType || "website",
+        failures: preCheckFailures,
+        requestPath: pathname,
+        requestMethod: request.method
+      }).catch(() => {
+      });
+      if (pathname.startsWith("/api/")) {
+        return NextResponse.json(
+          {
+            success: false,
+            error: {
+              code: "PDLSS_PRE_CHECK_FAILED",
+              message: preCheckResult.denialReasons?.[0] || "PDLSS pre-check failed",
+              guidance: preCheckResult.guidance
+            }
+          },
+          { status: 403 }
+        );
+      }
+      if (showCommerceShield) {
+        return new NextResponse(generateCommerceShieldHtml(preCheckResult, options), {
+          status: 200,
+          headers: {
+            "Content-Type": "text/html",
+            "X-AstraSync-Verification": "commerce-shield"
+          }
+        });
+      }
+      return NextResponse.redirect(new URL("/unauthorized", request.url));
+    }
     const result = await verify(config, {
       credentials,
       purpose,
@@ -910,7 +1095,9 @@ function createMiddleware2(options) {
       clientIp: request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || void 0,
       userAgent: request.headers.get("user-agent") || void 0,
       counterpartyUrl,
-      counterpartyType: config.counterpartyType || "website"
+      counterpartyType: config.counterpartyType || "website",
+      enableRuntimeChallenge,
+      durationRequired: astraCreds?.pdlss?.duration?.maxSessionDuration
     });
     if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
       if (pathname.startsWith("/api/")) {
@@ -1089,15 +1276,64 @@ async function verifyOnce(options) {
 // src/transport/index.ts
 var transport_exports = {};
 __export(transport_exports, {
+  STRIPE_WEBHOOK_INFORMATIONAL_EVENTS: () => STRIPE_WEBHOOK_INFORMATIONAL_EVENTS,
   applyCredentials: () => applyCredentials,
+  bindIdentity: () => bindIdentity,
+  claim: () => claim,
+  clearTransportExtractors: () => clearTransportExtractors,
+  createMastercardRegistry: () => createMastercardRegistry,
+  createVisaRegistry: () => createVisaRegistry,
+  createWebBotAuthRegistry: () => createWebBotAuthRegistry,
   detectProtocol: () => detectProtocol,
+  evaluatePaymentMethodAllowlist: () => evaluatePaymentMethodAllowlist,
+  evaluateSpendingLimit: () => evaluateSpendingLimit,
+  evaluateVIConstraints: () => evaluateVIConstraints,
   extractA2ACredentials: () => extractA2ACredentials,
+  extractACPContext: () => extractACPContext,
+  extractACPTransactionValue: () => extractACPTransactionValue,
+  extractAP2Mandate: () => extractAP2Mandate,
+  extractAP2Mandates: () => extractAP2Mandates,
+  extractAP2TransactionValue: () => extractAP2TransactionValue,
   extractCredentialsFromProtocol: () => extractCredentialsFromProtocol,
   extractHttpCredentials: () => extractHttpCredentials,
+  extractMPPContext: () => extractMPPContext,
+  extractMPPFromRequest: () => extractMPPFromRequest,
+  extractMPPFromResponse: () => extractMPPFromResponse,
+  extractMPPTransactionValue: () => extractMPPTransactionValue,
   extractMcpCredentials: () => extractMcpCredentials,
+  extractUCPContext: () => extractUCPContext,
+  extractUCPTransactionValue: () => extractUCPTransactionValue,
+  extractVIClaims: () => extractVIClaims,
+  extractVITransactionValue: () => extractVITransactionValue,
+  extractX402Context: () => extractX402Context,
+  extractX402FromRequest: () => extractX402FromRequest,
+  extractX402FromResponse: () => extractX402FromResponse,
+  extractX402TransactionValue: () => extractX402TransactionValue,
+  fetchUCPManifest: () => fetchUCPManifest,
+  getTransportExtractor: () => getTransportExtractor,
+  getTransportExtractors: () => getTransportExtractors,
+  isStripeWebhookInformational: () => isStripeWebhookInformational,
+  mapACPRequestToPurpose: () => mapACPRequestToPurpose,
+  mapAP2MandateToPurpose: () => mapAP2MandateToPurpose,
+  mapMPPRequestToPurpose: () => mapMPPRequestToPurpose,
+  mapRFC9421TagToPurpose: () => mapRFC9421TagToPurpose,
+  mapUCPRequestToPurpose: () => mapUCPRequestToPurpose,
+  mapVIMandateToPurpose: () => mapVIMandateToPurpose,
+  mapX402RequestToPurpose: () => mapX402RequestToPurpose,
+  parseRFC9421: () => parseRFC9421,
+  registerTransportExtractor: () => registerTransportExtractor,
+  runCommercePipeline: () => runCommercePipeline,
+  runMatchingExtractors: () => runMatchingExtractors,
   setA2AMetadata: () => setA2AMetadata,
   setHttpHeaders: () => setHttpHeaders,
-  setMcpMeta: () => setMcpMeta
+  setMcpMeta: () => setMcpMeta,
+  validateUCPManifest: () => validateUCPManifest,
+  verifyACPSignature: () => verifyACPSignature,
+  verifyAP2Chain: () => verifyAP2Chain,
+  verifyMPP: () => verifyMPP,
+  verifyRFC9421: () => verifyRFC9421,
+  verifyStripeWebhook: () => verifyStripeWebhook,
+  verifyVIChain: () => verifyVIChain
 });
 
 // src/transport/a2a.ts
@@ -1170,6 +1406,2283 @@ function extractMcpCredentials(params) {
   return credentials;
 }
 
+// src/transport/purpose-mapping.ts
+var UCP_ROUTES = [
+  { method: "POST", pattern: /^\/checkout[-_]sessions\/?$/, purpose: "commerce.checkout.create" },
+  {
+    method: "PUT",
+    pattern: /^\/checkout[-_]sessions\/[^/]+\/?$/,
+    purpose: "commerce.checkout.update"
+  },
+  {
+    method: "POST",
+    pattern: /^\/checkout[-_]sessions\/[^/]+\/complete\/?$/,
+    purpose: "commerce.payment.execute"
+  },
+  {
+    method: "POST",
+    pattern: /^\/checkout[-_]sessions\/[^/]+\/cancel\/?$/,
+    purpose: "commerce.checkout.cancel"
+  }
+];
+var ACP_ROUTES = [
+  { method: "POST", pattern: /^\/checkout_sessions\/?$/, purpose: "commerce.checkout.create" },
+  {
+    method: "POST",
+    pattern: /^\/checkout_sessions\/[^/]+\/?$/,
+    purpose: "commerce.checkout.update"
+  },
+  {
+    method: "POST",
+    pattern: /^\/checkout_sessions\/[^/]+\/complete\/?$/,
+    purpose: "commerce.payment.execute"
+  },
+  {
+    method: "POST",
+    pattern: /^\/checkout_sessions\/[^/]+\/cancel\/?$/,
+    purpose: "commerce.checkout.cancel"
+  },
+  {
+    method: "POST",
+    pattern: /^\/agentic_commerce\/delegate_payment\/?$/,
+    purpose: "commerce.delegation.payment"
+  }
+];
+function mapUCPRequestToPurpose(method, path) {
+  const normalizedMethod = method.toUpperCase();
+  const normalizedPath = stripQuery(path);
+  for (const route of UCP_ROUTES) {
+    if (route.method === normalizedMethod && route.pattern.test(normalizedPath)) {
+      return route.purpose;
+    }
+  }
+  return null;
+}
+function mapACPRequestToPurpose(method, path) {
+  const normalizedMethod = method.toUpperCase();
+  const normalizedPath = stripQuery(path);
+  for (const route of ACP_ROUTES) {
+    if (route.method === normalizedMethod && route.pattern.test(normalizedPath)) {
+      return route.purpose;
+    }
+  }
+  return null;
+}
+function mapAP2MandateToPurpose(mandateType) {
+  switch (mandateType) {
+    case "intent_mandate":
+      return "commerce.delegation.intent";
+    case "cart_mandate":
+      return "commerce.checkout.confirm";
+    case "payment_mandate":
+      return "commerce.payment.execute";
+  }
+}
+function mapVIMandateToPurpose(mandateType) {
+  switch (mandateType) {
+    case "checkout":
+      return "commerce.checkout.confirm";
+    case "payment":
+      return "commerce.payment.execute";
+    case "checkout.open":
+      return "commerce.delegation.checkout";
+    case "payment.open":
+      return "commerce.delegation.payment";
+  }
+}
+function mapRFC9421TagToPurpose(tag) {
+  if (tag === "purchase") return "commerce.payment.execute";
+  return "commerce.browsing";
+}
+function mapMPPRequestToPurpose(intent, amount) {
+  if (typeof amount === "number" && amount === 0) return "commerce.identity_probe";
+  if (intent === "session") return "commerce.payment.stream";
+  return "commerce.payment.execute";
+}
+function mapX402RequestToPurpose(amount) {
+  if (typeof amount === "number" && amount === 0) return "commerce.identity_probe";
+  return "commerce.payment.execute";
+}
+function stripQuery(path) {
+  const q = path.indexOf("?");
+  return q === -1 ? path : path.slice(0, q);
+}
+var STRIPE_WEBHOOK_INFORMATIONAL_EVENTS = [
+  "payment_intent.succeeded",
+  "payment_intent.payment_failed",
+  "charge.refunded",
+  "checkout.session.completed",
+  "customer.subscription.created"
+];
+function isStripeWebhookInformational(eventType) {
+  return STRIPE_WEBHOOK_INFORMATIONAL_EVENTS.includes(eventType);
+}
+
+// src/transport/transaction-value.ts
+function extractUCPTransactionValue(input) {
+  const totals = input.totals ?? [];
+  const total = totals.find((t) => t.type === "total") ?? totals[0];
+  if (!total || typeof total.amount !== "number" || !total.currency) return null;
+  return {
+    protocol: "ucp",
+    amount: total.amount / 100,
+    currency: total.currency,
+    source: `totals[type=${total.type ?? "unknown"}].amount`
+  };
+}
+function extractACPTransactionValue(input) {
+  const totals = input.totals ?? [];
+  const total = totals.find((t) => t.type === "total") ?? totals[0];
+  if (!total || typeof total.amount !== "number" || !total.currency) return null;
+  return {
+    protocol: "acp",
+    amount: total.amount / 100,
+    currency: total.currency,
+    source: `totals[type=${total.type ?? "unknown"}].amount`
+  };
+}
+function extractVITransactionValue(claims) {
+  const l3a = claims.l3aPaymentAmount;
+  if (l3a && typeof l3a.amount === "number" && l3a.currency) {
+    return {
+      protocol: "vi",
+      amount: l3a.amount,
+      currency: l3a.currency,
+      source: "L3a.payment.amount"
+    };
+  }
+  const bound = claims.constraints?.paymentAmount;
+  if (bound && typeof bound.max === "number" && bound.currency) {
+    return {
+      protocol: "vi",
+      amount: bound.max,
+      currency: bound.currency,
+      source: "L2.payment.constraints.amount.max"
+    };
+  }
+  return null;
+}
+function extractAP2TransactionValue(mandate) {
+  const amt = mandate?.payment_details_total?.amount;
+  if (!amt || !amt.currency) return null;
+  const n = typeof amt.value === "string" ? Number(amt.value) : amt.value;
+  if (typeof n !== "number" || !Number.isFinite(n)) return null;
+  return {
+    protocol: "ap2",
+    amount: n,
+    currency: amt.currency,
+    source: "payment_mandate.payment_details_total.amount"
+  };
+}
+function extractMPPTransactionValue(challenge) {
+  const req = challenge.request;
+  if (!req || typeof req.amount !== "number" || !req.currency) return null;
+  return {
+    protocol: "mpp",
+    amount: req.amount,
+    currency: req.currency,
+    source: `challenge.request.amount (method=${challenge.method ?? "unknown"})`
+  };
+}
+function extractX402TransactionValue(req) {
+  const amount = req.maxAmountRequired ?? req.amount;
+  const currency = req.currency ?? req.asset;
+  if (typeof amount !== "number" || !currency) return null;
+  return {
+    protocol: "x402",
+    amount,
+    currency,
+    source: req.maxAmountRequired !== void 0 ? "maxAmountRequired" : "amount"
+  };
+}
+
+// src/transport/rfc9421.ts
+import { parseDictionary } from "structured-headers";
+function parseRFC9421(headers) {
+  const sigInput = readHeader(headers, "signature-input");
+  const sig = readHeader(headers, "signature");
+  if (!sigInput || !sig) return null;
+  let inputDict;
+  let sigDict;
+  try {
+    inputDict = parseDictionary(sigInput);
+    sigDict = parseDictionary(sig);
+  } catch {
+    return null;
+  }
+  const signatures = [];
+  for (const [label, entry] of inputDict) {
+    const innerList = Array.isArray(entry) ? entry[0] : entry.value;
+    const params = Array.isArray(entry) ? entry[1] : entry.params;
+    if (!Array.isArray(innerList) || !params) continue;
+    const covered = [];
+    for (const item of innerList) {
+      const [bare] = Array.isArray(item) ? item : [item];
+      if (typeof bare === "string") covered.push(bare);
+      else if (bare && typeof bare === "object" && "toString" in bare) covered.push(String(bare));
+    }
+    const paramsMap = params;
+    const kid = coerceString(paramsMap.get("keyid"));
+    if (!kid) continue;
+    const sigEntry = sigDict.get(label);
+    if (!sigEntry) continue;
+    const sigBare = Array.isArray(sigEntry) ? sigEntry[0] : sigEntry.value;
+    const signatureBase64 = extractBase64(sigBare);
+    if (!signatureBase64) continue;
+    signatures.push({
+      label,
+      kid,
+      alg: coerceString(paramsMap.get("alg")),
+      covered,
+      signatureBase64,
+      created: coerceNumber(paramsMap.get("created")),
+      expires: coerceNumber(paramsMap.get("expires")),
+      nonce: coerceString(paramsMap.get("nonce")),
+      tag: coerceString(paramsMap.get("tag"))
+    });
+  }
+  if (signatures.length === 0) return null;
+  return { signatures };
+}
+function readHeader(headers, name) {
+  for (const key of Object.keys(headers)) {
+    if (key.toLowerCase() === name) {
+      const raw = headers[key];
+      if (typeof raw === "string") return raw;
+      if (Array.isArray(raw)) return raw.join(", ");
+      return null;
+    }
+  }
+  return null;
+}
+function coerceString(value) {
+  if (typeof value === "string") return value;
+  if (value == null) return void 0;
+  if (typeof value === "object" && "toString" in value) {
+    const s = String(value);
+    return s.length > 0 ? s : void 0;
+  }
+  return void 0;
+}
+function coerceNumber(value) {
+  if (typeof value === "number" && Number.isFinite(value)) return value;
+  if (typeof value === "bigint") return Number(value);
+  return void 0;
+}
+function extractBase64(value) {
+  if (value instanceof Uint8Array) return bufferToBase64(value);
+  if (value instanceof ArrayBuffer) return bufferToBase64(new Uint8Array(value));
+  if (ArrayBuffer.isView(value)) {
+    const v = value;
+    return bufferToBase64(new Uint8Array(v.buffer, v.byteOffset, v.byteLength));
+  }
+  if (typeof value === "string") {
+    if (value.startsWith(":") && value.endsWith(":")) return value.slice(1, -1);
+    return value;
+  }
+  return null;
+}
+function bufferToBase64(bytes) {
+  return Buffer.from(bytes).toString("base64");
+}
+
+// src/transport/rfc9421-verify.ts
+import { httpbis } from "http-message-signatures";
+async function verifyRFC9421(request, options) {
+  const { resolver } = options;
+  const tolerance = options.clockSkewSec ?? 300;
+  const nowSec = options.now ? options.now() : Math.floor(Date.now() / 1e3);
+  let resolvedKid;
+  let resolvedAlg;
+  const keyLookup = async (parameters) => {
+    const kid = typeof parameters.keyid === "string" ? parameters.keyid : void 0;
+    if (!kid) return null;
+    resolvedKid = kid;
+    const alg = typeof parameters.alg === "string" ? parameters.alg : void 0;
+    if (alg) resolvedAlg = alg;
+    const origin = safeOrigin(request.url);
+    const jwk = await resolver.resolve(kid, { origin, algorithm: alg });
+    if (!jwk) return null;
+    const created = toUnixSeconds(parameters.created);
+    const expires = toUnixSeconds(parameters.expires);
+    if (created !== void 0 && Math.abs(nowSec - created) > tolerance) return null;
+    if (expires !== void 0 && nowSec > expires + tolerance) return null;
+    return jwkToVerifyingKey(kid, jwk, alg);
+  };
+  try {
+    const result = await httpbis.verifyMessage(
+      {
+        keyLookup
+      },
+      normalizeRequest(request)
+    );
+    if (result === true) {
+      return {
+        ok: true,
+        kid: resolvedKid,
+        registry: resolver.name,
+        algorithm: resolvedAlg
+      };
+    }
+    return {
+      ok: false,
+      kid: resolvedKid,
+      registry: resolver.name,
+      algorithm: resolvedAlg,
+      error: result === false ? "signature invalid" : "no signature found"
+    };
+  } catch (err) {
+    return {
+      ok: false,
+      kid: resolvedKid,
+      registry: resolver.name,
+      algorithm: resolvedAlg,
+      error: err instanceof Error ? err.message : "verification error"
+    };
+  }
+}
+function normalizeRequest(request) {
+  return {
+    method: request.method.toUpperCase(),
+    url: request.url,
+    headers: request.headers
+  };
+}
+function safeOrigin(url) {
+  try {
+    return new URL(url).origin;
+  } catch {
+    return void 0;
+  }
+}
+async function jwkToVerifyingKey(id, jwk, alg) {
+  const algorithm = alg ?? inferAlgFromJwk(jwk);
+  const { subtle } = await getCrypto();
+  const importAlg = webCryptoImportAlgFor(algorithm);
+  const verifyAlg = webCryptoAlgFor(algorithm);
+  if (!importAlg || !verifyAlg) {
+    return {
+      id,
+      algs: alg ? [alg] : void 0,
+      verify: async () => false
+    };
+  }
+  const key = await subtle.importKey("jwk", jwk, importAlg, false, ["verify"]);
+  return {
+    id,
+    algs: alg ? [alg] : void 0,
+    verify: async (data, signature) => {
+      try {
+        return await subtle.verify(verifyAlg, key, toArrayBuffer(signature), toArrayBuffer(data));
+      } catch {
+        return false;
+      }
+    }
+  };
+}
+function inferAlgFromJwk(jwk) {
+  if (jwk.kty === "OKP" && jwk.crv === "Ed25519") return "ed25519";
+  if (jwk.kty === "EC" && jwk.crv === "P-256") return "ecdsa-p256-sha256";
+  if (jwk.kty === "EC" && jwk.crv === "P-384") return "ecdsa-p384-sha384";
+  if (jwk.kty === "RSA") return "rsa-v1_5-sha256";
+  return "ecdsa-p256-sha256";
+}
+function webCryptoAlgFor(rfc9421Alg) {
+  switch (rfc9421Alg) {
+    case "ed25519":
+      return { name: "Ed25519" };
+    case "ecdsa-p256-sha256":
+      return { name: "ECDSA", hash: "SHA-256" };
+    case "ecdsa-p384-sha384":
+      return { name: "ECDSA", hash: "SHA-384" };
+    case "rsa-v1_5-sha256":
+      return { name: "RSASSA-PKCS1-v1_5" };
+    case "rsa-pss-sha512":
+      return { name: "RSA-PSS", saltLength: 64 };
+    default:
+      return null;
+  }
+}
+function webCryptoImportAlgFor(rfc9421Alg) {
+  switch (rfc9421Alg) {
+    case "ed25519":
+      return { name: "Ed25519" };
+    case "ecdsa-p256-sha256":
+      return { name: "ECDSA", namedCurve: "P-256" };
+    case "ecdsa-p384-sha384":
+      return { name: "ECDSA", namedCurve: "P-384" };
+    case "rsa-v1_5-sha256":
+      return { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" };
+    case "rsa-pss-sha512":
+      return { name: "RSA-PSS", hash: "SHA-512" };
+    default:
+      return null;
+  }
+}
+function toArrayBuffer(buf) {
+  const out = new ArrayBuffer(buf.byteLength);
+  new Uint8Array(out).set(buf);
+  return out;
+}
+function toUnixSeconds(v) {
+  if (typeof v === "number" && Number.isFinite(v)) return v;
+  if (v instanceof Date) return Math.floor(v.getTime() / 1e3);
+  if (typeof v === "string") {
+    const parsed = Date.parse(v);
+    if (Number.isFinite(parsed)) return Math.floor(parsed / 1e3);
+  }
+  return void 0;
+}
+async function getCrypto() {
+  if (typeof globalThis.crypto !== "undefined" && globalThis.crypto.subtle) {
+    return { subtle: globalThis.crypto.subtle };
+  }
+  const nodeCrypto = await import("crypto");
+  return { subtle: nodeCrypto.webcrypto.subtle };
+}
+
+// src/transport/ucp.ts
+function extractUCPContext(request) {
+  const { method, url } = request;
+  if (!method || !url) return null;
+  const parsedUrl = safeParseUrl(url);
+  const path = parsedUrl?.pathname ?? url.split("?")[0];
+  const purpose = mapUCPRequestToPurpose(method, path);
+  const endpoint = `${method.toUpperCase()} ${path}`;
+  const sessionId = extractSessionId(path);
+  const body = request.body ?? {};
+  const totals = Array.isArray(body.totals) ? body.totals : void 0;
+  const paymentMethod = coerceString2(body.payment_method ?? body.paymentMethod);
+  const manifestUrl = coerceString2(body.manifest_url ?? body.manifestUrl);
+  const merchantDomain = extractMerchantDomain(body, parsedUrl);
+  return {
+    sessionId,
+    endpoint,
+    purpose,
+    merchantDomain,
+    totals,
+    paymentMethod,
+    manifestUrl
+  };
+}
+async function fetchUCPManifest(manifestUrl, options = {}) {
+  const timeoutMs = options.timeoutMs ?? 3e3;
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const res = await fetch(manifestUrl, { signal: controller.signal });
+    if (!res.ok) return null;
+    return await res.json();
+  } catch {
+    return null;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+function validateUCPManifest(manifest, options = {}) {
+  if (options.validator) return options.validator(manifest);
+  const errors = [];
+  if (!manifest || typeof manifest !== "object") {
+    return { ok: false, errors: ["manifest is not an object"] };
+  }
+  const m = manifest;
+  if (typeof m.version !== "string") errors.push("version is required and must be a string");
+  if (!Array.isArray(m.capabilities)) errors.push("capabilities must be an array");
+  if (!m.endpoints || typeof m.endpoints !== "object") errors.push("endpoints must be an object");
+  return { ok: errors.length === 0, errors };
+}
+function safeParseUrl(url) {
+  try {
+    return new URL(url, "http://placeholder.invalid");
+  } catch {
+    return null;
+  }
+}
+function extractSessionId(path) {
+  const match = path.match(/\/checkout[-_]sessions\/([^/?#]+)/);
+  return match?.[1];
+}
+function extractMerchantDomain(body, parsedUrl) {
+  const explicit = coerceString2(body.merchant_domain ?? body.merchantDomain);
+  if (explicit) return explicit;
+  if (parsedUrl && parsedUrl.hostname !== "placeholder.invalid") return parsedUrl.hostname;
+  return void 0;
+}
+function coerceString2(v) {
+  return typeof v === "string" && v.length > 0 ? v : void 0;
+}
+
+// src/transport/acp.ts
+function extractACPContext(request) {
+  const { method, url } = request;
+  if (!method || !url) return null;
+  const path = stripQuery2(url.startsWith("http") ? new URL(url).pathname : url);
+  const endpoint = classifyEndpoint(method, path);
+  const purpose = mapACPRequestToPurpose(method, path);
+  const sessionId = extractSessionId2(path);
+  const headers = request.headers ?? {};
+  const signatureHeader = readHeader2(headers, "signature");
+  const timestampHeader = readHeader2(headers, "timestamp");
+  const idempotencyKey = readHeader2(headers, "idempotency-key");
+  const apiVersion = readHeader2(headers, "api-version");
+  const bearer = extractBearer(readHeader2(headers, "authorization"));
+  const body = request.body ?? {};
+  const merchantId = coerceString3(body.merchant_id ?? body.merchantId);
+  const totals = Array.isArray(body.totals) ? body.totals : void 0;
+  const fulfillmentOption = extractFulfillmentOption(body);
+  const paymentToken = extractPaymentToken(body);
+  return {
+    endpoint,
+    purpose,
+    sessionId,
+    merchantId,
+    apiVersion,
+    bearer,
+    signatureHeader,
+    timestampHeader,
+    idempotencyKey,
+    paymentToken,
+    totals,
+    fulfillmentOption,
+    rawBody: request.rawBody
+  };
+}
+function classifyEndpoint(method, path) {
+  const m = method.toUpperCase();
+  if (m !== "POST") return "unknown";
+  if (/^\/agentic_commerce\/delegate_payment\/?$/.test(path)) return "delegate_payment";
+  if (/^\/checkout_sessions\/?$/.test(path)) return "checkout_sessions.create";
+  if (/^\/checkout_sessions\/[^/]+\/?$/.test(path)) return "checkout_sessions.update";
+  if (/^\/checkout_sessions\/[^/]+\/complete\/?$/.test(path)) return "checkout_sessions.complete";
+  if (/^\/checkout_sessions\/[^/]+\/cancel\/?$/.test(path)) return "checkout_sessions.cancel";
+  return "unknown";
+}
+function extractSessionId2(path) {
+  const match = path.match(/\/checkout_sessions\/([^/?#]+)/);
+  return match?.[1];
+}
+function extractBearer(authHeader) {
+  if (!authHeader) return void 0;
+  const match = authHeader.match(/^Bearer\s+(.+)$/i);
+  return match ? match[1].trim() : void 0;
+}
+function extractPaymentToken(body) {
+  const paymentData = body.payment_data;
+  if (!paymentData) return void 0;
+  const raw = coerceString3(paymentData.token);
+  const provider = coerceString3(paymentData.provider);
+  if (!raw) return { raw: void 0, type: null, provider };
+  const type = classifyPaymentToken(raw);
+  return { raw, type, provider };
+}
+function classifyPaymentToken(token) {
+  if (token.startsWith("spt_")) return "stripe-spt";
+  if (token.startsWith("vt_")) return "acp-vt";
+  return "other";
+}
+function extractFulfillmentOption(body) {
+  const direct = coerceString3(body.fulfillment_option ?? body.fulfillmentOption);
+  if (direct) return direct;
+  const options = body.fulfillment_options;
+  if (Array.isArray(options) && options.length > 0) {
+    const first = options[0];
+    if (first && typeof first === "object") {
+      const id = coerceString3(first.id);
+      if (id) return id;
+    }
+  }
+  return void 0;
+}
+function readHeader2(headers, name) {
+  for (const key of Object.keys(headers)) {
+    if (key.toLowerCase() === name) {
+      const raw = headers[key];
+      if (typeof raw === "string") return raw;
+      if (Array.isArray(raw)) return raw[0];
+    }
+  }
+  return void 0;
+}
+function stripQuery2(path) {
+  const q = path.indexOf("?");
+  return q === -1 ? path : path.slice(0, q);
+}
+function coerceString3(v) {
+  return typeof v === "string" && v.length > 0 ? v : void 0;
+}
+
+// src/transport/vi.ts
+import { splitSdJwt, decodeSdJwtSync } from "@sd-jwt/decode";
+import { createHash } from "crypto";
+function extractVIClaims(sdJwtCompact) {
+  if (!sdJwtCompact || typeof sdJwtCompact !== "string") return null;
+  let decoded;
+  try {
+    decoded = decodeSdJwtSync(sdJwtCompact, sha256Sync);
+  } catch {
+    return null;
+  }
+  const split = safeSplit(sdJwtCompact);
+  const payload = decoded.jwt?.payload ?? {};
+  const disclosures = decoded.disclosures ?? [];
+  const claims = applyDisclosures(
+    payload,
+    disclosures
+  );
+  const mandateType = coerceMandateType(
+    claims.mandate_type ?? claims.mandateType ?? payload.mandate_type ?? payload.mandateType
+  );
+  if (!mandateType) return null;
+  const kid = coerceString4(
+    decoded.jwt?.header?.kid ?? claims.kid ?? payload.kid
+  );
+  const executionMode = coerceExecutionMode(claims.execution_mode ?? claims.executionMode);
+  const credentialProvider = coerceString4(claims.iss ?? payload.iss);
+  const constraints = extractConstraints(
+    claims.constraints ?? claims.default_constraints ?? {}
+  );
+  const transactionId = coerceString4(claims.transaction_id ?? claims.transactionId);
+  const checkoutHash = coerceString4(
+    claims.checkout_hash ?? claims.conditional_transaction_id ?? claims.payment_reference?.checkout_hash
+  );
+  return {
+    mandateType,
+    kid,
+    executionMode,
+    credentialProvider,
+    constraints,
+    checkoutHash,
+    transactionId,
+    rawLayers: split
+  };
+}
+function safeSplit(compact) {
+  try {
+    const { jwt, kbJwt } = splitSdJwt(compact);
+    return { l3: jwt, l2: kbJwt };
+  } catch {
+    return {};
+  }
+}
+function applyDisclosures(payload, disclosures) {
+  const result = { ...payload };
+  for (const d of disclosures) {
+    if (d.key && d.value !== void 0 && !(d.key in result)) {
+      result[d.key] = d.value;
+    }
+  }
+  return result;
+}
+function extractConstraints(raw) {
+  return {
+    allowedMerchants: toAllowedPartyArray(raw.allowed_merchants ?? raw.allowedMerchants),
+    allowedPayees: toAllowedPartyArray(raw.allowed_payees ?? raw.allowedPayees),
+    lineItems: toLineItemArray(raw.line_items ?? raw.lineItems),
+    paymentAmount: toPaymentAmount(raw.payment_amount ?? raw.paymentAmount),
+    budgetLimit: toBudgetLimit(raw.budget_limit ?? raw.budgetLimit ?? raw.budget),
+    recurrence: toRecurrence(raw.recurrence),
+    agentRecurrence: toRecurrence(raw.agent_recurrence ?? raw.agentRecurrence)
+  };
+}
+function toAllowedPartyArray(v) {
+  if (!Array.isArray(v)) return void 0;
+  const out = [];
+  for (const item of v) {
+    if (item && typeof item === "object") {
+      const r = item;
+      out.push({
+        id: coerceString4(r.id),
+        name: coerceString4(r.name),
+        website: coerceString4(r.website)
+      });
+    }
+  }
+  return out.length > 0 ? out : void 0;
+}
+function toLineItemArray(v) {
+  if (!Array.isArray(v)) return void 0;
+  const out = [];
+  for (const item of v) {
+    if (item && typeof item === "object") {
+      const r = item;
+      const acc = r.acceptable_items ?? r.acceptableItems;
+      out.push({
+        id: coerceString4(r.id),
+        acceptableItems: Array.isArray(acc) ? acc.filter((a) => typeof a === "string") : void 0,
+        quantity: coerceNumber2(r.quantity)
+      });
+    }
+  }
+  return out.length > 0 ? out : void 0;
+}
+function toPaymentAmount(v) {
+  if (!v || typeof v !== "object") return void 0;
+  const r = v;
+  return {
+    currency: coerceString4(r.currency),
+    min: coerceNumber2(r.min),
+    max: coerceNumber2(r.max)
+  };
+}
+function toBudgetLimit(v) {
+  if (!v || typeof v !== "object") return void 0;
+  const r = v;
+  return {
+    currency: coerceString4(r.currency),
+    max: coerceNumber2(r.max)
+  };
+}
+function toRecurrence(v) {
+  if (!v || typeof v !== "object") return void 0;
+  const r = v;
+  return {
+    frequency: coerceString4(r.frequency),
+    startDate: coerceString4(r.start_date ?? r.startDate),
+    endDate: coerceString4(r.end_date ?? r.endDate),
+    maxOccurrences: coerceNumber2(r.max_occurrences ?? r.maxOccurrences)
+  };
+}
+function coerceMandateType(v) {
+  if (v === "checkout" || v === "payment" || v === "checkout.open" || v === "payment.open") {
+    return v;
+  }
+  return null;
+}
+function coerceExecutionMode(v) {
+  return v === "Immediate" || v === "Autonomous" || v === "Both" ? v : void 0;
+}
+function coerceString4(v) {
+  return typeof v === "string" && v.length > 0 ? v : void 0;
+}
+function coerceNumber2(v) {
+  if (typeof v === "number" && Number.isFinite(v)) return v;
+  if (typeof v === "string") {
+    const n = Number(v);
+    return Number.isFinite(n) ? n : void 0;
+  }
+  return void 0;
+}
+function sha256Sync(data) {
+  const buf = typeof data === "string" ? Buffer.from(data, "utf-8") : Buffer.from(new Uint8Array(data));
+  const hash = createHash("sha256").update(buf).digest();
+  return new Uint8Array(hash.buffer, hash.byteOffset, hash.byteLength);
+}
+
+// src/transport/stripe-webhook.ts
+import { createHmac, timingSafeEqual } from "crypto";
+function verifyStripeWebhook(payload, signatureHeader, secret, options = {}) {
+  if (!signatureHeader) return { ok: false, error: "missing Stripe-Signature header" };
+  if (!secret) return { ok: false, error: "missing webhook secret" };
+  const parsed = parseStripeSignature(signatureHeader);
+  if (!parsed.timestamp) return { ok: false, error: "malformed Stripe-Signature (missing t=)" };
+  if (parsed.v1Signatures.length === 0) {
+    return { ok: false, error: "malformed Stripe-Signature (no v1=)" };
+  }
+  const tolerance = options.toleranceSec ?? 300;
+  const now = options.now ? options.now() : Math.floor(Date.now() / 1e3);
+  if (Math.abs(now - parsed.timestamp) > tolerance) {
+    return {
+      ok: false,
+      timestamp: parsed.timestamp,
+      error: `timestamp outside tolerance (${tolerance}s)`
+    };
+  }
+  const signedPayload = `${parsed.timestamp}.${payload}`;
+  const expected = createHmac("sha256", secret).update(signedPayload).digest();
+  for (const candidateHex of parsed.v1Signatures) {
+    const candidate = hexToBuffer(candidateHex);
+    if (!candidate) continue;
+    if (candidate.length !== expected.length) continue;
+    if (timingSafeEqual(candidate, expected)) {
+      return { ok: true, timestamp: parsed.timestamp };
+    }
+  }
+  return { ok: false, timestamp: parsed.timestamp, error: "signature mismatch" };
+}
+function parseStripeSignature(header) {
+  let timestamp = null;
+  const v1Signatures = [];
+  for (const part of header.split(",")) {
+    const [rawKey, rawValue] = part.split("=");
+    if (!rawKey || !rawValue) continue;
+    const key = rawKey.trim();
+    const value = rawValue.trim();
+    if (key === "t") {
+      const n = Number(value);
+      if (Number.isFinite(n)) timestamp = n;
+    } else if (key === "v1") {
+      v1Signatures.push(value);
+    }
+  }
+  return { timestamp, v1Signatures };
+}
+function hexToBuffer(hex) {
+  if (!/^[0-9a-fA-F]+$/.test(hex) || hex.length % 2 !== 0) return null;
+  return Buffer.from(hex, "hex");
+}
+
+// src/transport/constraint-eval.ts
+function evaluateVIConstraints(input) {
+  const { constraints, transaction } = input;
+  const results = {};
+  if (constraints.allowedMerchants && constraints.allowedMerchants.length > 0) {
+    results.merchant = evaluateAllowlist(
+      "merchant",
+      constraints.allowedMerchants,
+      transaction.merchant
+    );
+  }
+  if (constraints.allowedPayees && constraints.allowedPayees.length > 0) {
+    results.payee = evaluateAllowlist("payee", constraints.allowedPayees, transaction.payee);
+  }
+  if (constraints.lineItems && constraints.lineItems.length > 0) {
+    results.lineItems = evaluateLineItems(constraints.lineItems, transaction.lineItems ?? []);
+  }
+  if (constraints.paymentAmount) {
+    results.amount = evaluatePaymentAmount(constraints.paymentAmount, transaction);
+  }
+  const reasons = [];
+  let ok = true;
+  for (const [key, r] of Object.entries(results)) {
+    if (!r.ok) {
+      ok = false;
+      reasons.push(r.reason ?? `${key} failed`);
+    }
+  }
+  return { ok, results, reasons };
+}
+function evaluatePaymentMethodAllowlist(input) {
+  const allow = input.allowedMethods ?? [];
+  if (allow.length === 0) return { ok: true };
+  if (!input.requestedMethod) {
+    return { ok: false, reason: "no payment method in request; allowlist configured" };
+  }
+  const lowered = input.requestedMethod.toLowerCase();
+  const allowed = allow.some((m) => m.toLowerCase() === lowered);
+  if (!allowed) {
+    return {
+      ok: false,
+      reason: `payment method "${input.requestedMethod}" not in allowlist [${allow.join(", ")}]`
+    };
+  }
+  return { ok: true };
+}
+function evaluateSpendingLimit(input) {
+  const { limit, requested } = input;
+  if (!limit || typeof limit.amount !== "number") return { ok: true };
+  if (!requested || typeof requested.amount !== "number") return { ok: true };
+  if (limit.currency && requested.currency && limit.currency !== requested.currency) {
+    return {
+      ok: false,
+      reason: `currency mismatch: limit ${limit.currency} vs requested ${requested.currency}`
+    };
+  }
+  if (requested.amount > limit.amount) {
+    return {
+      ok: false,
+      reason: `requested ${requested.amount} ${requested.currency ?? ""} exceeds limit ${limit.amount} ${limit.currency ?? ""}`.trim()
+    };
+  }
+  return { ok: true };
+}
+function evaluateAllowlist(kind, allowlist, actual) {
+  if (!actual || !actual.id && !actual.website) {
+    return { ok: false, reason: `no ${kind} in transaction; allowlist configured` };
+  }
+  for (const entry of allowlist) {
+    if (entry.id && actual.id && entry.id === actual.id) return { ok: true };
+    if (entry.website && actual.website && domainsMatch(entry.website, actual.website)) {
+      return { ok: true };
+    }
+  }
+  const allowedDescriptors = allowlist.map(describeParty).join(", ");
+  const actualDescriptor = describeParty(actual);
+  return {
+    ok: false,
+    reason: `${kind} ${actualDescriptor} not in allowlist [${allowedDescriptors}]`
+  };
+}
+function evaluateLineItems(allowlist, actualItems) {
+  if (actualItems.length === 0) {
+    return { ok: false, reason: "no line items in transaction; allowlist configured" };
+  }
+  const reasons = [];
+  for (const item of actualItems) {
+    const match = allowlist.find(
+      (a) => a.id && a.id === item.id || (a.acceptableItems ?? []).includes(item.id ?? "")
+    );
+    if (!match) {
+      reasons.push(`line item "${item.id ?? "(unnamed)"}" not in allowlist`);
+      continue;
+    }
+    if (typeof match.quantity === "number" && typeof item.quantity === "number" && item.quantity > match.quantity) {
+      reasons.push(
+        `line item "${item.id}" quantity ${item.quantity} exceeds allowed ${match.quantity}`
+      );
+    }
+  }
+  return reasons.length === 0 ? { ok: true } : { ok: false, reason: reasons.join("; ") };
+}
+function evaluatePaymentAmount(bound, transaction) {
+  if (typeof transaction.amount !== "number") {
+    return { ok: false, reason: "no amount in transaction; paymentAmount bound configured" };
+  }
+  if (bound.currency && transaction.currency && bound.currency !== transaction.currency) {
+    return {
+      ok: false,
+      reason: `currency mismatch: bound ${bound.currency} vs transaction ${transaction.currency}`
+    };
+  }
+  if (typeof bound.min === "number" && transaction.amount < bound.min) {
+    return {
+      ok: false,
+      reason: `amount ${transaction.amount} below min ${bound.min}`
+    };
+  }
+  if (typeof bound.max === "number" && transaction.amount > bound.max) {
+    return {
+      ok: false,
+      reason: `amount ${transaction.amount} above max ${bound.max}`
+    };
+  }
+  return { ok: true };
+}
+function domainsMatch(allow, actual) {
+  const a = normalizeDomain(allow);
+  const b = normalizeDomain(actual);
+  return a === b || b.endsWith(`.${a}`);
+}
+function normalizeDomain(value) {
+  try {
+    const withScheme = /^https?:\/\//.test(value) ? value : `https://${value}`;
+    return new URL(withScheme).hostname.toLowerCase();
+  } catch {
+    return value.toLowerCase();
+  }
+}
+function describeParty(party) {
+  if (party.id) return `id:${party.id}`;
+  if (party.website) return party.website;
+  if (party.name) return party.name;
+  return "(unnamed)";
+}
+
+// src/transport/identity-binding.ts
+async function bindIdentity(claims, resolver) {
+  const resolutions = [];
+  for (const claim2 of claims) {
+    if (!claim2.value) {
+      resolutions.push({ claim: claim2, agentId: null });
+      continue;
+    }
+    const agentId = await resolver(claim2);
+    resolutions.push({ claim: claim2, agentId });
+  }
+  const resolvedIds = resolutions.map((r) => r.agentId).filter((id) => typeof id === "string" && id.length > 0);
+  const unique = Array.from(new Set(resolvedIds));
+  const mismatchAcrossLayers = unique.length > 1;
+  const mappedAstraSyncAgentId = unique.length === 1 ? unique[0] : void 0;
+  return {
+    claims,
+    mappedAstraSyncAgentId,
+    mismatchAcrossLayers,
+    resolutions
+  };
+}
+var claim = {
+  viKid: (value) => ({ protocol: "vi", field: "kid", value }),
+  ap2AgentId: (value) => ({ protocol: "ap2", field: "agent_id", value }),
+  acpBearer: (value) => ({ protocol: "acp", field: "bearer", value }),
+  mppSource: (value) => ({ protocol: "mpp", field: "source", value }),
+  x402Wallet: (value) => ({ protocol: "x402", field: "wallet", value }),
+  agentPayKid: (value) => ({ protocol: "agentpay", field: "kid", value }),
+  tapKid: (value) => ({ protocol: "tap", field: "kid", value }),
+  webBotAuthKid: (value) => ({
+    protocol: "webbotauth",
+    field: "kid",
+    value
+  })
+};
+
+// src/transport/ap2.ts
+import { decodeSdJwtSync as decodeSdJwtSync2 } from "@sd-jwt/decode";
+import { createHash as createHash2 } from "crypto";
+function extractAP2Mandate(sdJwtCompact) {
+  if (!sdJwtCompact || typeof sdJwtCompact !== "string") return null;
+  let decoded;
+  try {
+    decoded = decodeSdJwtSync2(sdJwtCompact, sha256Sync2);
+  } catch {
+    return null;
+  }
+  const payload = decoded.jwt?.payload ?? {};
+  const disclosures = decoded.disclosures ?? [];
+  const claims = applyDisclosures2(
+    payload,
+    disclosures
+  );
+  const type = coerceMandateType2(claims.type ?? claims.mandate_type ?? claims.mandateType);
+  if (!type) return null;
+  if (type === "intent_mandate") return buildIntent(claims);
+  if (type === "cart_mandate") return buildCart(claims);
+  return buildPayment(claims);
+}
+function extractAP2Mandates(input) {
+  const intent = input.intent ? extractAP2Mandate(input.intent) : null;
+  const cart = input.cart ? extractAP2Mandate(input.cart) : null;
+  const payment = input.payment ? extractAP2Mandate(input.payment) : null;
+  return {
+    intent: intent ?? void 0,
+    cart: cart ?? void 0,
+    payment: payment ?? void 0,
+    rawLayers: {
+      intentJwt: input.intent,
+      cartJwt: input.cart,
+      paymentJwt: input.payment
+    }
+  };
+}
+function buildIntent(claims) {
+  return {
+    type: "intent_mandate",
+    agent_id: coerceString5(claims.agent_id ?? claims.agentId),
+    user_id: coerceString5(claims.user_id ?? claims.userId ?? claims.sub),
+    merchant_category: coerceString5(claims.merchant_category ?? claims.merchantCategory),
+    allowedMerchantDomains: toStringArray(
+      claims.allowed_merchant_domains ?? claims.allowedMerchantDomains
+    ),
+    paymentMethods: toStringArray(claims.payment_methods ?? claims.paymentMethods),
+    expires: coerceString5(claims.expires ?? claims.exp),
+    payment_details_total: toPaymentDetails(claims.payment_details_total ?? claims.total),
+    raw: claims
+  };
+}
+function buildCart(claims) {
+  return {
+    type: "cart_mandate",
+    agent_id: coerceString5(claims.agent_id ?? claims.agentId),
+    intent_mandate_id: coerceString5(claims.intent_mandate_id ?? claims.intentMandateId),
+    merchant_id: coerceString5(claims.merchant_id ?? claims.merchantId),
+    line_items: toLineItems(claims.line_items ?? claims.lineItems),
+    payment_details_total: toPaymentDetails(claims.payment_details_total ?? claims.total),
+    expires: coerceString5(claims.expires ?? claims.exp),
+    raw: claims
+  };
+}
+function buildPayment(claims) {
+  return {
+    type: "payment_mandate",
+    agent_id: coerceString5(claims.agent_id ?? claims.agentId),
+    cart_mandate_id: coerceString5(claims.cart_mandate_id ?? claims.cartMandateId),
+    payment_method: coerceString5(claims.payment_method ?? claims.paymentMethod),
+    payment_details_total: toPaymentDetails(claims.payment_details_total ?? claims.total),
+    credential_provider: coerceString5(claims.credential_provider ?? claims.credentialProvider),
+    raw: claims
+  };
+}
+function toPaymentDetails(v) {
+  if (!v || typeof v !== "object") return void 0;
+  const r = v;
+  const amount = r.amount;
+  return {
+    amount: amount ? {
+      value: coerceStringOrNumber(amount.value),
+      currency: coerceString5(amount.currency)
+    } : void 0,
+    label: coerceString5(r.label)
+  };
+}
+function toLineItems(v) {
+  if (!Array.isArray(v)) return void 0;
+  const items = [];
+  for (const item of v) {
+    if (!item || typeof item !== "object") continue;
+    const r = item;
+    const price = r.price;
+    items.push({
+      id: coerceString5(r.id),
+      quantity: coerceNumber3(r.quantity),
+      price: price ? {
+        value: coerceStringOrNumber(price.value),
+        currency: coerceString5(price.currency)
+      } : void 0
+    });
+  }
+  return items.length > 0 ? items : void 0;
+}
+function toStringArray(v) {
+  if (!Array.isArray(v)) return void 0;
+  const out = v.filter((i) => typeof i === "string" && i.length > 0);
+  return out.length > 0 ? out : void 0;
+}
+function applyDisclosures2(payload, disclosures) {
+  const result = { ...payload };
+  for (const d of disclosures) {
+    if (d.key && d.value !== void 0 && !(d.key in result)) {
+      result[d.key] = d.value;
+    }
+  }
+  return result;
+}
+function coerceMandateType2(v) {
+  if (v === "intent_mandate" || v === "cart_mandate" || v === "payment_mandate") return v;
+  return null;
+}
+function coerceString5(v) {
+  return typeof v === "string" && v.length > 0 ? v : void 0;
+}
+function coerceNumber3(v) {
+  if (typeof v === "number" && Number.isFinite(v)) return v;
+  if (typeof v === "string") {
+    const n = Number(v);
+    return Number.isFinite(n) ? n : void 0;
+  }
+  return void 0;
+}
+function coerceStringOrNumber(v) {
+  if (typeof v === "number" && Number.isFinite(v)) return v;
+  if (typeof v === "string" && v.length > 0) return v;
+  return void 0;
+}
+function sha256Sync2(data) {
+  const buf = typeof data === "string" ? Buffer.from(data, "utf-8") : Buffer.from(new Uint8Array(data));
+  const hash = createHash2("sha256").update(buf).digest();
+  return new Uint8Array(hash.buffer, hash.byteOffset, hash.byteLength);
+}
+
+// src/transport/ap2-verify.ts
+function verifyAP2Chain(input) {
+  const { triple } = input;
+  const errors = [];
+  const intentPresent = triple.intent !== void 0;
+  const cartRefOk = checkCartRef(triple, errors);
+  const paymentRefOk = checkPaymentRef(triple, errors);
+  const { ok: agentIdContinuity, agentId } = checkAgentContinuity(triple, errors);
+  const paymentMethodAllowed = checkPaymentMethod(triple, errors);
+  const totalsConsistent = checkTotals(triple, errors);
+  const expiryOk = checkExpiries(triple, input.clockSkewSec ?? 300, input.now, errors);
+  const ok = cartRefOk && paymentRefOk && agentIdContinuity && paymentMethodAllowed && totalsConsistent && expiryOk;
+  return {
+    ok,
+    checks: {
+      intentPresent,
+      cartRefOk,
+      paymentRefOk,
+      agentIdContinuity,
+      paymentMethodAllowed,
+      totalsConsistent,
+      expiryOk
+    },
+    agentId,
+    errors
+  };
+}
+function checkCartRef(triple, errors) {
+  const cart = triple.cart;
+  if (!cart) return true;
+  if (!cart.intent_mandate_id) return true;
+  const intentId = triple.intent?.raw?.id;
+  if (intentId && cart.intent_mandate_id !== intentId) {
+    errors.push(
+      `cart.intent_mandate_id (${cart.intent_mandate_id}) does not match intent.id (${intentId})`
+    );
+    return false;
+  }
+  return true;
+}
+function checkPaymentRef(triple, errors) {
+  const payment = triple.payment;
+  if (!payment) return true;
+  if (!payment.cart_mandate_id) return true;
+  const cartId = triple.cart?.raw?.id;
+  if (cartId && payment.cart_mandate_id !== cartId) {
+    errors.push(
+      `payment.cart_mandate_id (${payment.cart_mandate_id}) does not match cart.id (${cartId})`
+    );
+    return false;
+  }
+  return true;
+}
+function checkAgentContinuity(triple, errors) {
+  const ids = [triple.intent?.agent_id, triple.cart?.agent_id, triple.payment?.agent_id].filter(
+    (id) => typeof id === "string" && id.length > 0
+  );
+  if (ids.length === 0) return { ok: true };
+  const unique = new Set(ids);
+  if (unique.size > 1) {
+    errors.push(`agent_id mismatch across mandates: ${Array.from(unique).join(", ")}`);
+    return { ok: false, agentId: void 0 };
+  }
+  return { ok: true, agentId: ids[0] };
+}
+function checkPaymentMethod(triple, errors) {
+  const paymentMethod = triple.payment?.payment_method;
+  const allowed = triple.intent?.paymentMethods;
+  if (!paymentMethod || !allowed || allowed.length === 0) return true;
+  if (!allowed.includes(paymentMethod)) {
+    errors.push(
+      `payment_method "${paymentMethod}" not in intent.paymentMethods [${allowed.join(", ")}]`
+    );
+    return false;
+  }
+  return true;
+}
+function checkTotals(triple, errors) {
+  const intentTotal = toNumericAmount(triple.intent?.payment_details_total);
+  const cartTotal = toNumericAmount(triple.cart?.payment_details_total);
+  const paymentTotal = toNumericAmount(triple.payment?.payment_details_total);
+  if (intentTotal && cartTotal && intentTotal.currency === cartTotal.currency) {
+    if (cartTotal.value > intentTotal.value) {
+      errors.push(
+        `cart total ${cartTotal.value} ${cartTotal.currency} exceeds intent cap ${intentTotal.value}`
+      );
+      return false;
+    }
+  }
+  if (cartTotal && paymentTotal && cartTotal.currency === paymentTotal.currency) {
+    if (paymentTotal.value > cartTotal.value) {
+      errors.push(
+        `payment total ${paymentTotal.value} ${paymentTotal.currency} exceeds cart total ${cartTotal.value}`
+      );
+      return false;
+    }
+  }
+  return true;
+}
+function checkExpiries(triple, toleranceSec, nowFn, errors) {
+  const now = nowFn ? nowFn() : Math.floor(Date.now() / 1e3);
+  let ok = true;
+  for (const [name, mandate] of [
+    ["intent", triple.intent],
+    ["cart", triple.cart]
+  ]) {
+    if (!mandate?.expires) continue;
+    const parsed = parseExpiry(mandate.expires);
+    if (parsed === null) {
+      errors.push(`${name}.expires unparseable`);
+      ok = false;
+      continue;
+    }
+    if (now > parsed + toleranceSec) {
+      errors.push(`${name} mandate expired at ${mandate.expires}`);
+      ok = false;
+    }
+  }
+  return ok;
+}
+function toNumericAmount(total) {
+  if (!total?.amount?.value || !total.amount.currency) return null;
+  const n = typeof total.amount.value === "string" ? Number(total.amount.value) : total.amount.value;
+  if (!Number.isFinite(n)) return null;
+  return { value: n, currency: total.amount.currency };
+}
+function parseExpiry(value) {
+  const asInt = Number(value);
+  if (Number.isFinite(asInt) && asInt > 0) {
+    return asInt >= 1e12 ? Math.floor(asInt / 1e3) : Math.floor(asInt);
+  }
+  const parsedDate = Date.parse(value);
+  if (Number.isFinite(parsedDate)) return Math.floor(parsedDate / 1e3);
+  return null;
+}
+
+// src/transport/acp-verify.ts
+async function verifyACPSignature(input) {
+  if (!input.signatureHeader) {
+    return { ok: false, error: "missing Signature header" };
+  }
+  const freshness = checkTimestamp(input.timestampHeader, input.clockSkewSec ?? 300, input.now);
+  if (!freshness.ok) {
+    return { ok: false, error: freshness.error, timestampStale: true };
+  }
+  const signatureBytes = decodeBase64(input.signatureHeader);
+  if (!signatureBytes) {
+    return { ok: false, error: "signature header is not valid base64" };
+  }
+  const bodyBytes = new TextEncoder().encode(input.rawBody);
+  const { subtle } = await getSubtle();
+  for (const candidate of input.candidateKeys) {
+    const declaredAlg = normalizeAlgorithm(candidate.alg);
+    const algsToTry = declaredAlg && declaredAlg !== "unsupported" ? [declaredAlg] : ["ed25519", "es256"];
+    for (const alg of algsToTry) {
+      try {
+        const verified = await tryVerify(subtle, candidate.jwk, signatureBytes, bodyBytes, alg);
+        if (verified) return { ok: true, algorithm: alg };
+      } catch {
+      }
+    }
+  }
+  return {
+    ok: false,
+    algorithm: "unsupported",
+    error: "no candidate key verified the signature under Ed25519 or ES256"
+  };
+}
+async function tryVerify(subtle, jwk, signature, body, alg) {
+  if (alg === "ed25519") {
+    if (jwk.kty !== "OKP" || jwk.crv !== "Ed25519") return false;
+    const key = await subtle.importKey("jwk", jwk, { name: "Ed25519" }, false, [
+      "verify"
+    ]);
+    return await subtle.verify({ name: "Ed25519" }, key, toBuf(signature), toBuf(body));
+  }
+  if (alg === "es256") {
+    if (jwk.kty !== "EC" || jwk.crv !== "P-256") return false;
+    const key = await subtle.importKey(
+      "jwk",
+      jwk,
+      { name: "ECDSA", namedCurve: "P-256" },
+      false,
+      ["verify"]
+    );
+    return await subtle.verify(
+      { name: "ECDSA", hash: "SHA-256" },
+      key,
+      toBuf(signature),
+      toBuf(body)
+    );
+  }
+  return false;
+}
+function toBuf(bytes) {
+  const out = new ArrayBuffer(bytes.byteLength);
+  new Uint8Array(out).set(bytes);
+  return out;
+}
+function checkTimestamp(headerValue, toleranceSec, nowFn) {
+  if (!headerValue) return { ok: false, error: "missing Timestamp header" };
+  const ts = parseTimestamp(headerValue);
+  if (ts === null) return { ok: false, error: "unparseable Timestamp header" };
+  const now = nowFn ? nowFn() : Math.floor(Date.now() / 1e3);
+  if (Math.abs(now - ts) > toleranceSec) {
+    return { ok: false, error: `timestamp outside ${toleranceSec}s tolerance` };
+  }
+  return { ok: true };
+}
+function parseTimestamp(value) {
+  const asInt = Number(value);
+  if (Number.isFinite(asInt) && asInt > 0) {
+    return asInt >= 1e12 ? Math.floor(asInt / 1e3) : Math.floor(asInt);
+  }
+  const parsedDate = Date.parse(value);
+  if (Number.isFinite(parsedDate)) return Math.floor(parsedDate / 1e3);
+  return null;
+}
+function normalizeAlgorithm(alg) {
+  if (!alg) return void 0;
+  const lowered = alg.toLowerCase();
+  if (lowered === "ed25519" || lowered === "eddsa") return "ed25519";
+  if (lowered === "es256" || lowered.startsWith("ecdsa-p256")) return "es256";
+  return "unsupported";
+}
+function decodeBase64(value) {
+  try {
+    const normalized = value.replace(/-/g, "+").replace(/_/g, "/");
+    const pad = normalized.length % 4 === 0 ? "" : "=".repeat(4 - normalized.length % 4);
+    return new Uint8Array(Buffer.from(normalized + pad, "base64"));
+  } catch {
+    return null;
+  }
+}
+async function getSubtle() {
+  if (typeof globalThis.crypto !== "undefined" && globalThis.crypto.subtle) {
+    return { subtle: globalThis.crypto.subtle };
+  }
+  const nodeCrypto = await import("crypto");
+  return { subtle: nodeCrypto.webcrypto.subtle };
+}
+
+// src/transport/mpp.ts
+import { Challenge, Credential, Receipt } from "mppx";
+function extractMPPFromRequest(request) {
+  const auth = readHeader3(request.headers, "authorization");
+  if (!auth || !/^\s*Payment\s+/i.test(auth)) return null;
+  try {
+    const credential = Credential.deserialize(auth);
+    return {
+      kind: "credential",
+      credential: {
+        challenge: summarizeChallenge(credential.challenge),
+        source: credential.source,
+        payload: credential.payload
+      },
+      rawBody: request.rawBody
+    };
+  } catch {
+    return { kind: "error", error: { type: "invalid-credential-encoding" } };
+  }
+}
+function extractMPPFromResponse(response) {
+  if (response.status === 402) {
+    const challenges = collectChallenges(response);
+    if (challenges.length === 0) return null;
+    const methods = Array.from(new Set(challenges.map((c) => c.method)));
+    return {
+      kind: "challenge",
+      challenges,
+      offeredMethods: methods
+    };
+  }
+  const receiptHeader = readHeader3(response.headers, "payment-receipt");
+  if (receiptHeader) {
+    try {
+      const parsed = Receipt.deserialize(receiptHeader);
+      const r = parsed;
+      return {
+        kind: "receipt",
+        receipt: {
+          method: coerceString6(r.method),
+          reference: coerceString6(r.reference),
+          externalId: coerceString6(r.externalId ?? r.external_id),
+          status: coerceString6(r.status),
+          timestamp: coerceString6(r.timestamp),
+          raw: r
+        }
+      };
+    } catch {
+      return { kind: "error", error: { type: "invalid-receipt-encoding" } };
+    }
+  }
+  const contentType = readHeader3(response.headers, "content-type");
+  if (contentType && /application\/problem\+json/i.test(contentType)) {
+    const body = typeof response.body === "object" && response.body !== null ? response.body : {};
+    return {
+      kind: "error",
+      error: {
+        type: coerceString6(body.type),
+        title: coerceString6(body.title),
+        detail: coerceString6(body.detail)
+      }
+    };
+  }
+  return null;
+}
+function extractMPPContext(message) {
+  if ("request" in message) return extractMPPFromRequest(message.request);
+  if ("response" in message) return extractMPPFromResponse(message.response);
+  if (typeof message.status === "number") {
+    return extractMPPFromResponse(message);
+  }
+  return extractMPPFromRequest(message);
+}
+function collectChallenges(response) {
+  const wwwAuth = readHeader3(response.headers, "www-authenticate");
+  if (!wwwAuth) return [];
+  const headers = new Headers();
+  headers.set("www-authenticate", wwwAuth);
+  const out = [];
+  try {
+    const list = Challenge.fromHeadersList(headers);
+    for (const ch of list) {
+      out.push(summarizeChallenge(ch));
+    }
+  } catch {
+  }
+  return out;
+}
+function summarizeChallenge(ch) {
+  const raw = ch;
+  return {
+    id: coerceString6(raw.id) ?? "",
+    realm: coerceString6(raw.realm) ?? "",
+    method: coerceString6(raw.method) ?? "",
+    intent: coerceString6(raw.intent) ?? "",
+    request: raw.request ?? {},
+    expires: coerceString6(raw.expires),
+    digest: coerceString6(raw.digest),
+    description: coerceString6(raw.description),
+    opaque: raw.opaque
+  };
+}
+function readHeader3(headers, name) {
+  for (const key of Object.keys(headers)) {
+    if (key.toLowerCase() === name) {
+      const raw = headers[key];
+      if (typeof raw === "string") return raw;
+      if (Array.isArray(raw)) return raw.join(", ");
+    }
+  }
+  return void 0;
+}
+function coerceString6(v) {
+  return typeof v === "string" && v.length > 0 ? v : void 0;
+}
+
+// src/transport/mpp-verify.ts
+import { BodyDigest } from "mppx";
+function verifyMPP(input) {
+  const { context } = input;
+  const tolerance = input.clockSkewSec ?? 300;
+  const nowSec = input.now ? input.now() : Math.floor(Date.now() / 1e3);
+  const challenge = context.credential?.challenge ?? (context.challenges && context.challenges[0]);
+  const source = context.credential?.source;
+  const method = challenge?.method;
+  let expiryOk = true;
+  if (challenge?.expires) {
+    const parsedExpiry = Date.parse(challenge.expires);
+    if (!Number.isFinite(parsedExpiry)) {
+      return {
+        ok: false,
+        expiryOk: false,
+        bodyDigestOk: null,
+        source,
+        method,
+        error: "unparseable challenge.expires"
+      };
+    }
+    const expiresSec = Math.floor(parsedExpiry / 1e3);
+    if (nowSec > expiresSec + tolerance) {
+      expiryOk = false;
+    }
+  }
+  let bodyDigestOk = null;
+  if (challenge?.digest && input.rawBody !== void 0) {
+    try {
+      if (!/^sha-256=/.test(challenge.digest)) {
+        bodyDigestOk = false;
+      } else {
+        bodyDigestOk = BodyDigest.verify(challenge.digest, input.rawBody);
+      }
+    } catch {
+      bodyDigestOk = false;
+    }
+  }
+  const ok = expiryOk && (bodyDigestOk === null || bodyDigestOk === true);
+  const errors = [];
+  if (!expiryOk) errors.push("challenge expired");
+  if (bodyDigestOk === false) errors.push("body digest mismatch");
+  return {
+    ok,
+    expiryOk,
+    bodyDigestOk,
+    source,
+    method,
+    error: errors.length > 0 ? errors.join("; ") : void 0
+  };
+}
+
+// src/transport/x402.ts
+import {
+  validatePaymentRequired,
+  validatePaymentPayload
+} from "@x402/core/schemas";
+import { safeBase64Decode } from "@x402/core/utils";
+function extractX402FromRequest(request) {
+  const headerValue = readHeader4(request.headers, "x-payment");
+  if (request.body && typeof request.body === "object") {
+    const parsed = tryParsePayload(request.body);
+    if (parsed) return buildPayloadContext(parsed, "body");
+  }
+  if (headerValue) {
+    try {
+      const decoded = safeBase64Decode(headerValue);
+      if (decoded) {
+        const json = JSON.parse(decoded);
+        const parsed = tryParsePayload(json);
+        if (parsed) return buildPayloadContext(parsed, "header");
+      }
+    } catch {
+      return {
+        kind: "error",
+        version: 1,
+        source: "header",
+        error: { type: "invalid-x402-payload" }
+      };
+    }
+  }
+  return null;
+}
+function extractX402FromResponse(response) {
+  if (response.status !== 402) return null;
+  if (response.body && typeof response.body === "object") {
+    const parsed = tryParseRequired(response.body);
+    if (parsed) return buildRequiredContext(parsed, "body");
+  }
+  const headerValue = readHeader4(response.headers, "x-payment-required");
+  if (headerValue) {
+    try {
+      const decoded = safeBase64Decode(headerValue);
+      if (decoded) {
+        const json = JSON.parse(decoded);
+        const parsed = tryParseRequired(json);
+        if (parsed) return buildRequiredContext(parsed, "header");
+      }
+    } catch {
+      return {
+        kind: "error",
+        version: 1,
+        source: "header",
+        error: { type: "invalid-x402-required" }
+      };
+    }
+  }
+  return null;
+}
+function extractX402Context(message) {
+  if ("request" in message) return extractX402FromRequest(message.request);
+  if ("response" in message) return extractX402FromResponse(message.response);
+  if (typeof message.status === "number") {
+    return extractX402FromResponse(message);
+  }
+  return extractX402FromRequest(message);
+}
+function tryParseRequired(data) {
+  try {
+    return validatePaymentRequired(data);
+  } catch {
+    return null;
+  }
+}
+function tryParsePayload(data) {
+  try {
+    return validatePaymentPayload(data);
+  } catch {
+    return null;
+  }
+}
+function buildRequiredContext(parsed, source) {
+  const asRecord = parsed;
+  const version = coerceVersion(asRecord.x402Version);
+  const accepts = asRecord.accepts ?? [];
+  return {
+    kind: "required",
+    version,
+    source,
+    paymentRequired: {
+      resource: resolveResource(asRecord.resource),
+      accepts: accepts.map(summarizeRequirement),
+      extensions: asRecord.extensions,
+      error: typeof asRecord.error === "string" ? asRecord.error : void 0
+    }
+  };
+}
+function buildPayloadContext(parsed, source) {
+  const asRecord = parsed;
+  const version = coerceVersion(asRecord.x402Version);
+  const accepted = asRecord.accepted;
+  const payload = asRecord.payload ?? {};
+  return {
+    kind: "payload",
+    version,
+    source,
+    paymentPayload: {
+      scheme: accepted?.scheme ?? (typeof asRecord.scheme === "string" ? asRecord.scheme : ""),
+      network: accepted?.network ?? (typeof asRecord.network === "string" ? asRecord.network : ""),
+      payload,
+      extensions: asRecord.extensions
+    }
+  };
+}
+function summarizeRequirement(req) {
+  const r = req;
+  const amount = r.amount ?? r.maxAmountRequired ?? "0";
+  return {
+    scheme: r.scheme ?? "",
+    network: r.network ?? "",
+    asset: r.asset ?? "",
+    amount: String(amount),
+    payTo: r.payTo ?? "",
+    maxTimeoutSeconds: typeof r.maxTimeoutSeconds === "number" ? r.maxTimeoutSeconds : void 0,
+    resource: typeof r.resource === "string" ? r.resource : void 0,
+    description: typeof r.description === "string" ? r.description : void 0
+  };
+}
+function resolveResource(v) {
+  if (typeof v === "string") return v;
+  if (v && typeof v === "object" && "url" in v && typeof v.url === "string") {
+    return v.url;
+  }
+  return "";
+}
+function coerceVersion(v) {
+  if (v === 1 || v === 2) return v;
+  return null;
+}
+function readHeader4(headers, name) {
+  if (!headers) return void 0;
+  for (const key of Object.keys(headers)) {
+    if (key.toLowerCase() === name) {
+      const raw = headers[key];
+      if (typeof raw === "string") return raw;
+      if (Array.isArray(raw)) return raw[0];
+    }
+  }
+  return void 0;
+}
+
+// src/transport/vi-verify.ts
+import { createHash as createHash3, webcrypto } from "crypto";
+async function verifyVIChain(input) {
+  const errors = [];
+  const tolerance = input.clockSkewSec ?? 300;
+  const now = input.now ? input.now() : Math.floor(Date.now() / 1e3);
+  const { l1, l2, l3a, l3b } = input.layers;
+  const l1SigOk = l1 ? await input.verifySignature(l1, null) : null;
+  if (l1 && !l1SigOk) errors.push("L1 signature invalid");
+  const l1Cnf = extractCnfJwk(l1?.payload);
+  const l2SigOk = await input.verifySignature(l2, l1Cnf ?? null);
+  if (!l2SigOk) errors.push("L2 signature invalid");
+  const l2Cnf = extractCnfJwk(l2.payload);
+  const l3aSigOk = l3a ? await input.verifySignature(l3a, l2Cnf ?? null) : null;
+  if (l3a && !l3aSigOk) errors.push("L3a signature invalid");
+  const l3bSigOk = l3b ? await input.verifySignature(l3b, l2Cnf ?? null) : null;
+  if (l3b && !l3bSigOk) errors.push("L3b signature invalid");
+  let l1BindsL2 = true;
+  if (l1Cnf) {
+    const l2KeyFromHeader = await jwkForLayer(l2);
+    l1BindsL2 = l2KeyFromHeader ? await thumbprintsMatch(l1Cnf, l2KeyFromHeader) : false;
+    if (!l1BindsL2) errors.push("L1.cnf.jwk does not bind L2 signing key");
+  }
+  let l2BindsL3 = true;
+  if (l2Cnf && (l3a || l3b)) {
+    const l3Layer = l3a ?? l3b;
+    const l3KeyFromHeader = await jwkForLayer(l3Layer);
+    l2BindsL3 = l3KeyFromHeader ? await thumbprintsMatch(l2Cnf, l3KeyFromHeader) : false;
+    if (!l2BindsL3) errors.push("L2.cnf.jwk does not bind L3 signing key");
+  }
+  let l3aL3bTxnIdMatch = null;
+  if (l3a && l3b) {
+    const a = coerceString7(l3a.payload.transaction_id ?? l3a.payload.transactionId);
+    const b = coerceString7(l3b.payload.transaction_id ?? l3b.payload.transactionId);
+    if (a && b) {
+      l3aL3bTxnIdMatch = a === b;
+      if (!l3aL3bTxnIdMatch) {
+        errors.push(`L3a.transaction_id (${a}) does not match L3b.transaction_id (${b})`);
+      }
+    }
+  }
+  let checkoutHashOk = null;
+  if (l3b) {
+    const declaredHash = coerceString7(
+      l3b.payload.checkout_hash ?? l3b.payload.conditional_transaction_id ?? l3b.payload.payment_reference?.checkout_hash
+    );
+    if (declaredHash) {
+      const computed = computeCheckoutHashFromL2(l2);
+      checkoutHashOk = computed ? declaredHash === computed : false;
+      if (!checkoutHashOk) {
+        errors.push("L3b.checkout_hash does not match SHA-256 of L2 checkout disclosure");
+      }
+    }
+  }
+  const expiryOk = checkExpiryAcross([l1, l2, l3a, l3b], tolerance, now, errors);
+  const ok = l1SigOk !== false && l2SigOk && l3aSigOk !== false && l3bSigOk !== false && l1BindsL2 && l2BindsL3 && l3aL3bTxnIdMatch !== false && checkoutHashOk !== false && expiryOk;
+  return {
+    ok,
+    checks: {
+      l1SigOk,
+      l2SigOk,
+      l3aSigOk,
+      l3bSigOk,
+      l1BindsL2,
+      l2BindsL3,
+      l3aL3bTxnIdMatch,
+      checkoutHashOk,
+      expiryOk
+    },
+    errors
+  };
+}
+function extractCnfJwk(payload) {
+  if (!payload) return null;
+  const cnf = payload.cnf;
+  if (!cnf) return null;
+  const jwk = cnf.jwk;
+  return jwk ?? null;
+}
+async function jwkForLayer(layer) {
+  const fromHeader = extractCnfJwk(layer.header);
+  if (fromHeader) return fromHeader;
+  const fromPayload = extractCnfJwk(layer.payload);
+  return fromPayload;
+}
+async function thumbprintsMatch(a, b) {
+  try {
+    const ta = await jwkThumbprint(a);
+    const tb = await jwkThumbprint(b);
+    return ta === tb;
+  } catch {
+    return false;
+  }
+}
+async function jwkThumbprint(jwk) {
+  const canonical = canonicalJwk(jwk);
+  const bytes = new TextEncoder().encode(JSON.stringify(canonical));
+  const subtle = webcrypto.subtle;
+  const buffer = await new Promise((resolve, reject) => {
+    const source = new ArrayBuffer(bytes.byteLength);
+    new Uint8Array(source).set(bytes);
+    subtle.digest("SHA-256", source).then(resolve).catch(reject);
+  });
+  return Buffer.from(new Uint8Array(buffer)).toString("base64url").replace(/=+$/, "");
+}
+function canonicalJwk(jwk) {
+  if (jwk.kty === "EC") {
+    return { crv: jwk.crv ?? "", kty: "EC", x: jwk.x ?? "", y: jwk.y ?? "" };
+  }
+  if (jwk.kty === "OKP") {
+    return { crv: jwk.crv ?? "", kty: "OKP", x: jwk.x ?? "" };
+  }
+  if (jwk.kty === "RSA") {
+    return { e: jwk.e ?? "", kty: "RSA", n: jwk.n ?? "" };
+  }
+  return { kty: jwk.kty ?? "" };
+}
+function computeCheckoutHashFromL2(l2) {
+  const checkoutDisclosure = l2.payload.checkout ?? l2.payload.checkout_mandate;
+  if (!checkoutDisclosure) return null;
+  const canonical = canonicalStringify(checkoutDisclosure);
+  const hash = createHash3("sha256").update(canonical).digest("base64url").replace(/=+$/, "");
+  return hash;
+}
+function canonicalStringify(value) {
+  if (value === null || typeof value !== "object") return JSON.stringify(value);
+  if (Array.isArray(value)) return "[" + value.map(canonicalStringify).join(",") + "]";
+  const entries = Object.entries(value).sort(
+    ([a], [b]) => a < b ? -1 : a > b ? 1 : 0
+  );
+  return "{" + entries.map(([k, v]) => JSON.stringify(k) + ":" + canonicalStringify(v)).join(",") + "}";
+}
+function checkExpiryAcross(layers, toleranceSec, nowSec, errors) {
+  let ok = true;
+  const names = ["L1", "L2", "L3a", "L3b"];
+  layers.forEach((layer, idx) => {
+    if (!layer) return;
+    const exp = toUnixSeconds2(layer.payload.exp ?? layer.payload.expires);
+    if (exp === void 0) return;
+    if (nowSec > exp + toleranceSec) {
+      errors.push(`${names[idx]} mandate expired at ${exp}`);
+      ok = false;
+    }
+  });
+  return ok;
+}
+function toUnixSeconds2(v) {
+  if (typeof v === "number" && Number.isFinite(v)) return v;
+  if (typeof v === "string") {
+    const asInt = Number(v);
+    if (Number.isFinite(asInt) && asInt > 0) {
+      return asInt >= 1e12 ? Math.floor(asInt / 1e3) : Math.floor(asInt);
+    }
+    const parsed = Date.parse(v);
+    if (Number.isFinite(parsed)) return Math.floor(parsed / 1e3);
+  }
+  return void 0;
+}
+function coerceString7(v) {
+  return typeof v === "string" && v.length > 0 ? v : void 0;
+}
+
+// src/transport/commerce-pipeline.ts
+async function runCommercePipeline(input) {
+  const trustSignals = [];
+  const signatures = {};
+  const timings = { extractMs: 0, verifyMs: 0, evalMs: 0 };
+  const extractStart = performance.now();
+  const purpose = resolvePurpose(input);
+  const transactionValue = resolveTransactionValue(input);
+  const identityClaims = collectIdentityClaims(input);
+  const paymentToken = resolvePaymentToken(input);
+  timings.extractMs = Math.round(performance.now() - extractStart);
+  const verifyStart = performance.now();
+  let hardDeny = false;
+  if (input.vi?.verifyInput) {
+    signatures.vi = await verifyVIChain(input.vi.verifyInput);
+    if (!signatures.vi.ok) hardDeny = true;
+  }
+  if (input.ap2) {
+    signatures.ap2 = verifyAP2Chain({
+      triple: input.ap2.triple,
+      clockSkewSec: input.clockSkewSec,
+      now: input.now
+    });
+    if (!signatures.ap2.ok) hardDeny = true;
+  }
+  if (input.acp?.verifyInput) {
+    signatures.acp = await verifyACPSignature(input.acp.verifyInput);
+    if (!signatures.acp.ok && signatures.acp.timestampStale) hardDeny = true;
+    if (signatures.acp.algorithm === "unsupported") {
+      trustSignals.push("acp-signature-algorithm-unsupported");
+    } else if (!signatures.acp.ok) {
+      hardDeny = true;
+    }
+  }
+  if (input.rfc9421) {
+    signatures.rfc9421 = await verifyRFC9421(input.rfc9421.request, input.rfc9421.verifyOptions);
+    if (!signatures.rfc9421.ok) hardDeny = true;
+  }
+  if (input.mpp) {
+    signatures.mpp = verifyMPP({
+      context: input.mpp.context,
+      rawBody: input.mpp.rawBody,
+      clockSkewSec: input.clockSkewSec,
+      now: input.now
+    });
+    if (!signatures.mpp.ok) hardDeny = true;
+    if (input.mpp.context.credential?.source) {
+      trustSignals.push(`mpp-source-${shortSource(input.mpp.context.credential.source)}`);
+    }
+  }
+  if (input.stripeWebhook) {
+    signatures.stripeWebhook = verifyStripeWebhook(
+      input.stripeWebhook.payload,
+      input.stripeWebhook.signatureHeader,
+      input.stripeWebhook.secret,
+      { now: input.now ? () => input.now() : void 0 }
+    );
+    if (!signatures.stripeWebhook.ok) {
+      trustSignals.push("stripe-webhook-hmac-failed");
+    }
+  }
+  timings.verifyMs = Math.round(performance.now() - verifyStart);
+  let identity;
+  if (input.identityResolver && identityClaims.length > 0) {
+    const bound = await bindIdentity(identityClaims, input.identityResolver);
+    identity = {
+      claims: identityClaims,
+      mappedAstraSyncAgentId: bound.mappedAstraSyncAgentId,
+      mismatchAcrossLayers: bound.mismatchAcrossLayers
+    };
+    if (bound.mismatchAcrossLayers) trustSignals.push("identity-mismatch-across-layers");
+  } else if (identityClaims.length > 0) {
+    identity = {
+      claims: identityClaims,
+      mappedAstraSyncAgentId: void 0,
+      mismatchAcrossLayers: false
+    };
+  }
+  const evalStart = performance.now();
+  const constraints = runConstraintEval(input);
+  if (constraints && !constraints.ok) hardDeny = true;
+  timings.evalMs = Math.round(performance.now() - evalStart);
+  if (paymentToken?.type === "stripe-spt") trustSignals.push("stripe-spt-present");
+  if (paymentToken?.type === "acp-vt") trustSignals.push("acp-vault-token-present");
+  if (paymentToken?.type === "tempo-tx") trustSignals.push("tempo-transaction-present");
+  const mppReceipt = input.mpp?.context.receipt;
+  return {
+    protocol: input.protocol,
+    purpose,
+    transactionValue,
+    signatures,
+    identity,
+    paymentToken,
+    mppMethodsOffered: input.mpp?.context.offeredMethods,
+    constraints,
+    receipt: mppReceipt ? {
+      method: mppReceipt.method,
+      reference: mppReceipt.reference,
+      status: mppReceipt.status,
+      timestamp: mppReceipt.timestamp
+    } : void 0,
+    trustSignals,
+    timings,
+    ok: !hardDeny
+  };
+}
+function resolvePurpose(input) {
+  if (input.vi?.claims.mandateType) {
+    return mapVIMandateToPurpose(input.vi.claims.mandateType);
+  }
+  if (input.ap2?.triple.payment) return "commerce.payment.execute";
+  if (input.ap2?.triple.cart) return "commerce.checkout.confirm";
+  if (input.ap2?.triple.intent) return "commerce.delegation.intent";
+  if (input.ucp?.endpoint) {
+    const [method, path] = input.ucp.endpoint.split(" ");
+    return mapUCPRequestToPurpose(method ?? "POST", path ?? "/");
+  }
+  if (input.acp?.context.endpoint) {
+    switch (input.acp.context.endpoint) {
+      case "checkout_sessions.create":
+        return "commerce.checkout.create";
+      case "checkout_sessions.update":
+        return "commerce.checkout.update";
+      case "checkout_sessions.complete":
+        return "commerce.payment.execute";
+      case "checkout_sessions.cancel":
+        return "commerce.checkout.cancel";
+      case "delegate_payment":
+        return "commerce.delegation.payment";
+      default:
+        return mapACPRequestToPurpose("POST", "/checkout_sessions");
+    }
+  }
+  if (input.rfc9421?.tag) {
+    return mapRFC9421TagToPurpose(
+      input.rfc9421.tag === "browse" || input.rfc9421.tag === "purchase" ? input.rfc9421.tag : void 0
+    );
+  }
+  if (input.mpp?.context.credential?.challenge || input.mpp?.context.challenges?.[0]) {
+    const challenge = input.mpp.context.credential?.challenge ?? input.mpp.context.challenges?.[0];
+    const amount = parseFloat(String(challenge?.request?.amount ?? "NaN"));
+    return mapMPPRequestToPurpose(
+      challenge?.intent === "session" ? "session" : "charge",
+      Number.isFinite(amount) ? amount : void 0
+    );
+  }
+  if (input.x402?.paymentRequired) {
+    const amt = input.x402.paymentRequired.accepts[0]?.amount;
+    return mapX402RequestToPurpose(Number(amt));
+  }
+  if (input.x402?.paymentPayload) return "commerce.payment.execute";
+  return null;
+}
+function resolveTransactionValue(input) {
+  if (input.vi?.claims) {
+    const v = extractVITransactionValue({
+      constraints: input.vi.claims.constraints,
+      l3aPaymentAmount: input.vi.claims.constraints.paymentAmount && typeof input.vi.claims.constraints.paymentAmount.max === "number" ? {
+        amount: input.vi.claims.constraints.paymentAmount.max,
+        currency: input.vi.claims.constraints.paymentAmount.currency
+      } : void 0
+    });
+    if (v) return v;
+  }
+  if (input.ucp?.totals) {
+    const v = extractUCPTransactionValue({ totals: input.ucp.totals });
+    if (v) return v;
+  }
+  if (input.acp?.context.totals) {
+    const v = extractACPTransactionValue({ totals: input.acp.context.totals });
+    if (v) return v;
+  }
+  if (input.mpp?.context.credential?.challenge) {
+    const ch = input.mpp.context.credential.challenge;
+    const v = extractMPPTransactionValue({ method: ch.method, request: ch.request });
+    if (v) return v;
+  }
+  if (input.x402?.paymentRequired) {
+    const first = input.x402.paymentRequired.accepts[0];
+    if (first) {
+      const v = extractX402TransactionValue({
+        maxAmountRequired: Number(first.amount),
+        asset: first.asset
+      });
+      if (v) return v;
+    }
+  }
+  return void 0;
+}
+function collectIdentityClaims(input) {
+  const claims = [];
+  if (input.vi?.claims.kid)
+    claims.push({ protocol: "vi", field: "kid", value: input.vi.claims.kid });
+  if (input.ap2?.triple) {
+    const agentId = input.ap2.triple.intent?.agent_id ?? input.ap2.triple.cart?.agent_id ?? input.ap2.triple.payment?.agent_id;
+    if (agentId) claims.push({ protocol: "ap2", field: "agent_id", value: agentId });
+  }
+  if (input.acp?.context.bearer) {
+    claims.push({ protocol: "acp", field: "bearer", value: input.acp.context.bearer });
+  }
+  if (input.mpp?.context.credential?.source) {
+    claims.push({ protocol: "mpp", field: "source", value: input.mpp.context.credential.source });
+  }
+  if (input.rfc9421) {
+  }
+  return claims;
+}
+function resolvePaymentToken(input) {
+  if (input.acp?.context.paymentToken?.type) {
+    return { present: true, type: input.acp.context.paymentToken.type };
+  }
+  const mppMethod = input.mpp?.context.credential?.challenge?.method;
+  if (mppMethod === "tempo") return { present: true, type: "tempo-tx" };
+  if (mppMethod === "stripe") return { present: true, type: "stripe-spt" };
+  return void 0;
+}
+function runConstraintEval(input) {
+  const transaction = input.transaction ?? {};
+  const results = {};
+  const reasons = [];
+  let hasAny = false;
+  if (input.vi?.claims) {
+    const viResult = evaluateVIConstraints({
+      constraints: input.vi.claims.constraints,
+      transaction
+    });
+    for (const [k, v] of Object.entries(viResult.results)) {
+      results[k] = v;
+      if (!v.ok && v.reason) reasons.push(v.reason);
+    }
+    if (Object.keys(viResult.results).length > 0) hasAny = true;
+  }
+  const registered = input.registeredConstraints;
+  if (registered?.allowedPaymentMethods) {
+    const pm = evaluatePaymentMethodAllowlist({
+      allowedMethods: registered.allowedPaymentMethods,
+      requestedMethod: transaction.paymentMethod
+    });
+    results.paymentMethod = pm;
+    if (!pm.ok && pm.reason) reasons.push(pm.reason);
+    hasAny = true;
+  }
+  if (registered?.spendingLimit) {
+    const sp = evaluateSpendingLimit({
+      limit: registered.spendingLimit,
+      requested: { amount: transaction.amount, currency: transaction.currency }
+    });
+    results.spendingLimit = sp;
+    if (!sp.ok && sp.reason) reasons.push(sp.reason);
+    hasAny = true;
+  }
+  if (!hasAny) return void 0;
+  return { ok: reasons.length === 0, results, reasons };
+}
+function shortSource(source) {
+  return source.replace(/^did:[a-z0-9]+:/, "").slice(0, 16);
+}
+
+// src/transport/extractor-registry.ts
+var registry = /* @__PURE__ */ new Map();
+function registerTransportExtractor(extractor) {
+  if (!extractor || typeof extractor.name !== "string" || extractor.name.length === 0) {
+    throw new Error("registerTransportExtractor: extractor must have a non-empty name");
+  }
+  registry.set(extractor.name, extractor);
+}
+function getTransportExtractors() {
+  return Array.from(registry.values());
+}
+function getTransportExtractor(name) {
+  return registry.get(name);
+}
+function clearTransportExtractors() {
+  registry.clear();
+}
+async function runMatchingExtractors(request) {
+  const out = {};
+  for (const extractor of registry.values()) {
+    if (!extractor.match(request)) continue;
+    const result = await extractor.extract(request);
+    if (result !== null && result !== void 0) out[extractor.name] = result;
+  }
+  return out;
+}
+
+// src/transport/registry/visa.ts
+import { createRemoteJWKSet } from "jose";
+var DEFAULT_VISA_JWKS_URL = "https://mcp.visa.com/.well-known/jwks";
+function createVisaRegistry(options = {}) {
+  const url = new URL(options.jwksUrl ?? DEFAULT_VISA_JWKS_URL);
+  const jwks = createRemoteJWKSet(url, {
+    cacheMaxAge: options.cacheMaxAge,
+    cooldownDuration: options.cooldownDuration
+  });
+  return {
+    name: "visa",
+    async resolve(kid, context) {
+      if (!kid) return null;
+      try {
+        const key = await jwks({
+          kid,
+          alg: context?.algorithm ?? "ES256",
+          typ: "JWT"
+        });
+        return exportJwkFromKeyLike(key);
+      } catch {
+        return null;
+      }
+    }
+  };
+}
+async function exportJwkFromKeyLike(keyLike) {
+  if (!keyLike) return null;
+  if (typeof keyLike === "object" && "kty" in keyLike) {
+    return keyLike;
+  }
+  const { exportJWK } = await import("jose");
+  try {
+    return await exportJWK(keyLike);
+  } catch {
+    return null;
+  }
+}
+
+// src/transport/registry/mastercard.ts
+function createMastercardRegistry(options = {}) {
+  const cache = /* @__PURE__ */ new Map();
+  const ttlSec = options.cacheTtlSec ?? 3600;
+  const fetchFn = options.fetch ?? globalThis.fetch;
+  let warned = false;
+  return {
+    name: "mastercard",
+    async resolve(kid) {
+      if (!kid) return null;
+      if (!options.registryUrl) {
+        if (!warned && !options.silent) {
+          warned = true;
+          console.warn(
+            "[mastercard-registry] registryUrl not configured \u2014 key resolution disabled. Kid lookups will return null until a partnership registry is supplied."
+          );
+        }
+        return null;
+      }
+      const cached = cache.get(kid);
+      if (cached && cached.expiresAt > Date.now()) return cached.jwk;
+      try {
+        const res = await fetchFn(options.registryUrl);
+        if (!res.ok) return null;
+        const body = await res.json();
+        const keys = body.keys ?? [];
+        for (const k of keys) {
+          if (k.kid === kid) {
+            cache.set(kid, { jwk: k, expiresAt: Date.now() + ttlSec * 1e3 });
+            return k;
+          }
+        }
+        return null;
+      } catch {
+        return null;
+      }
+    }
+  };
+}
+
+// src/transport/registry/web-bot-auth.ts
+var DIRECTORY_PATH = "/.well-known/http-message-signatures-directory";
+function createWebBotAuthRegistry(options = {}) {
+  const cache = /* @__PURE__ */ new Map();
+  const ttlSec = options.cacheTtlSec ?? 3600;
+  const fetchFn = options.fetch ?? globalThis.fetch;
+  return {
+    name: "web-bot-auth",
+    async resolve(kid, context) {
+      if (!kid) return null;
+      const directoryUrl = resolveDirectoryUrl(options.directoryUrl, context?.origin);
+      if (!directoryUrl) return null;
+      const cached = cache.get(directoryUrl);
+      const now = Date.now();
+      if (cached && cached.expiresAt > now) {
+        return findKeyByKid(cached.keys, kid);
+      }
+      try {
+        const res = await fetchFn(directoryUrl);
+        if (!res.ok) return null;
+        const body = await res.json();
+        const keys = body.keys ?? [];
+        cache.set(directoryUrl, { keys, expiresAt: now + ttlSec * 1e3 });
+        return findKeyByKid(keys, kid);
+      } catch {
+        return null;
+      }
+    }
+  };
+}
+function resolveDirectoryUrl(explicit, origin) {
+  if (explicit) return explicit;
+  if (!origin) return null;
+  try {
+    const url = new URL(origin);
+    return `${url.origin}${DIRECTORY_PATH}`;
+  } catch {
+    return null;
+  }
+}
+function findKeyByKid(keys, kid) {
+  for (const k of keys) {
+    if (k.kid === kid) return k;
+  }
+  return null;
+}
+
 // src/transport/index.ts
 function detectProtocol(context) {
   if (context.metadata && typeof context.metadata === "object") {