@compose-market/sdk 0.1.1 → 0.3.0

package/dist/resources/session-events.js

@@ -0,0 +1,199 @@
+/**
+ * Session-events SSE resource.
+ *
+ * Subscribes to `/api/session/events?userAddress=<address>&chainId=<chainId>`
+ * and yields typed `session-active` / `session-expired` events as they arrive.
+ *
+ * Each event is additionally dispatched to the SDK event bus so application
+ * code can centralise listeners on `sdk.events.on("sessionActive", ...)` and
+ * `sdk.events.on("sessionExpired", ...)` without plumbing the iterator
+ * manually.
+ *
+ * The iterator auto-reconnects transparently on network errors using the
+ * retry policy configured on the HTTP client; callers cancel via the
+ * provided `AbortSignal`.
+ */
+import { ComposeError } from "../errors.js";
+import { parseSSEStream } from "../streaming/sse.js";
+/**
+ * Drive a raw SSE subscription to `/api/session/events` and yield one event
+ * at a time. The generator terminates only when the caller aborts the signal
+ * or when a terminal `session-expired` event is emitted for the requested
+ * `(userAddress, chainId)` tuple (a terminal signal from the server side).
+ */
+export class SessionEventsResource {
+    client;
+    events;
+    constructor(client, events) {
+        this.client = client;
+        this.events = events;
+    }
+    subscribe(opts) {
+        const self = this;
+        return {
+            [Symbol.asyncIterator]() {
+                return self.createIterator(opts);
+            },
+        };
+    }
+    createIterator(opts) {
+        const reconnectMaxDelayMs = Math.max(500, opts.reconnectMaxDelayMs ?? 10_000);
+        let closed = false;
+        let attempt = 0;
+        let pending = null;
+        // Cancellation is routed through `opts.signal` into `parseSSEStream`;
+        // we don't hold a reader handle here, so the iterator just flips the
+        // `closed` flag and lets the in-flight `asResponse()` / parseSSEStream
+        // receive the abort.
+        const abortHandler = () => { closed = true; };
+        opts.signal?.addEventListener("abort", abortHandler, { once: true });
+        const poll = async () => {
+            while (!closed) {
+                try {
+                    const response = await this.client.request({
+                        method: "GET",
+                        path: "/api/session/events",
+                        query: {
+                            userAddress: opts.userAddress,
+                            chainId: opts.chainId,
+                        },
+                        signal: opts.signal,
+                        expectStream: true,
+                        doNotRetry: true,
+                        headers: {
+                            extra: { Accept: "text/event-stream" },
+                        },
+                    }).asResponse();
+                    if (!response.body) {
+                        throw new ComposeError({
+                            code: "upstream_error",
+                            message: "session events stream had no body",
+                        });
+                    }
+                    attempt = 0;
+                    return await this.consumeStream(response.body, opts);
+                }
+                catch (err) {
+                    if (closed)
+                        break;
+                    if (opts.signal?.aborted) {
+                        closed = true;
+                        break;
+                    }
+                    attempt += 1;
+                    const delay = Math.min(500 * (2 ** (attempt - 1)), reconnectMaxDelayMs);
+                    await new Promise((resolve) => setTimeout(resolve, delay));
+                    if (closed || opts.signal?.aborted)
+                        break;
+                    // fall through and reconnect
+                }
+            }
+            opts.signal?.removeEventListener("abort", abortHandler);
+            return { done: true, value: undefined };
+        };
+        return {
+            next: async () => {
+                if (pending) {
+                    const result = pending;
+                    pending = null;
+                    return result;
+                }
+                return poll();
+            },
+            return: async () => {
+                closed = true;
+                opts.signal?.removeEventListener("abort", abortHandler);
+                return { done: true, value: undefined };
+            },
+            throw: async (err) => {
+                closed = true;
+                opts.signal?.removeEventListener("abort", abortHandler);
+                throw err;
+            },
+        };
+    }
+    /**
+     * Read until a named event arrives, yield it, emit on the bus, and
+     * return. The outer iterator loops back to re-open the stream, preserving
+     * the read-one-then-reconnect cadence we want for cross-tab event
+     * semantics (no orphaned bytes when the consumer pauses).
+     */
+    async consumeStream(body, opts) {
+        const parser = parseSSEStream(body, { signal: opts.signal });
+        let nextResult = null;
+        try {
+            for await (const frame of parser) {
+                const parsed = parseSessionEventFrame(frame);
+                if (!parsed)
+                    continue;
+                if (parsed.type === "session-active") {
+                    this.events.emit("sessionActive", parsed);
+                }
+                else {
+                    this.events.emit("sessionExpired", parsed);
+                }
+                if (nextResult === null) {
+                    nextResult = { done: false, value: parsed };
+                    return nextResult;
+                }
+            }
+        }
+        finally {
+            try {
+                body.cancel();
+            }
+            catch { /* best-effort */ }
+        }
+        // Stream ended without yielding (e.g. server closed). Signal upstream
+        // to reconnect rather than terminate.
+        throw new ComposeError({ code: "upstream_error", message: "session events stream closed without emitting a frame" });
+    }
+}
+function parseSessionEventFrame(frame) {
+    if (frame.event === "session-active") {
+        try {
+            const data = JSON.parse(frame.data);
+            return {
+                type: "session-active",
+                userAddress: String(data.userAddress ?? ""),
+                chainId: Number(data.chainId ?? 0),
+                expiresAt: typeof data.expiresAt === "number" ? data.expiresAt : undefined,
+                budgetLimit: coerceWeiString(data.budgetLimit),
+                budgetUsed: coerceWeiString(data.budgetUsed),
+                budgetLocked: coerceWeiString(data.budgetLocked),
+                budgetRemaining: coerceWeiString(data.budgetRemaining),
+                timestamp: typeof data.timestamp === "number" ? data.timestamp : undefined,
+            };
+        }
+        catch {
+            return null;
+        }
+    }
+    if (frame.event === "session-expired") {
+        try {
+            const data = JSON.parse(frame.data);
+            return {
+                type: "session-expired",
+                userAddress: String(data.userAddress ?? ""),
+                chainId: Number(data.chainId ?? 0),
+                reason: typeof data.reason === "string" ? data.reason : undefined,
+                message: typeof data.message === "string" ? data.message : undefined,
+                action: typeof data.action === "string" ? data.action : undefined,
+                expiresAt: typeof data.expiresAt === "number" ? data.expiresAt : undefined,
+                timestamp: typeof data.timestamp === "number" ? data.timestamp : undefined,
+            };
+        }
+        catch {
+            return null;
+        }
+    }
+    return null;
+}
+function coerceWeiString(value) {
+    if (typeof value === "string" && value.length > 0)
+        return value;
+    if (typeof value === "number" && Number.isFinite(value))
+        return String(value);
+    return undefined;
+}
+//# sourceMappingURL=session-events.js.map

package/dist/resources/session-events.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-events.js","sourceRoot":"","sources":["../../src/resources/session-events.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AASH,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,cAAc,EAAiB,MAAM,qBAAqB,CAAC;AAUpE;;;;;GAKG;AACH,MAAM,OAAO,qBAAqB;IAET;IACA;IAFrB,YACqB,MAAkB,EAClB,MAAuB;QADvB,WAAM,GAAN,MAAM,CAAY;QAClB,WAAM,GAAN,MAAM,CAAiB;IACzC,CAAC;IAEJ,SAAS,CAAC,IAA0B;QAChC,MAAM,IAAI,GAAG,IAAI,CAAC;QAClB,OAAO;YACH,CAAC,MAAM,CAAC,aAAa,CAAC;gBAClB,OAAO,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;YACrC,CAAC;SACJ,CAAC;IACN,CAAC;IAEO,cAAc,CAAC,IAA0B;QAC7C,MAAM,mBAAmB,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,mBAAmB,IAAI,MAAM,CAAC,CAAC;QAC9E,IAAI,MAAM,GAAG,KAAK,CAAC;QACnB,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,IAAI,OAAO,GAAwC,IAAI,CAAC;QACxD,sEAAsE;QACtE,qEAAqE;QACrE,uEAAuE;QACvE,qBAAqB;QACrB,MAAM,YAAY,GAAG,GAAG,EAAE,GAAG,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAC9C,IAAI,CAAC,MAAM,EAAE,gBAAgB,CAAC,OAAO,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;QAErE,MAAM,IAAI,GAAG,KAAK,IAA2C,EAAE;YAC3D,OAAO,CAAC,MAAM,EAAE,CAAC;gBACb,IAAI,CAAC;oBACD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAU;wBAChD,MAAM,EAAE,KAAK;wBACb,IAAI,EAAE,qBAAqB;wBAC3B,KAAK,EAAE;4BACH,WAAW,EAAE,IAAI,CAAC,WAAW;4BAC7B,OAAO,EAAE,IAAI,CAAC,OAAO;yBACxB;wBACD,MAAM,EAAE,IAAI,CAAC,MAAM;wBACnB,YAAY,EAAE,IAAI;wBAClB,UAAU,EAAE,IAAI;wBAChB,OAAO,EAAE;4BACL,KAAK,EAAE,EAAE,MAAM,EAAE,mBAAmB,EAAE;yBACzC;qBACJ,CAAC,CAAC,UAAU,EAAE,CAAC;oBAEhB,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;wBACjB,MAAM,IAAI,YAAY,CAAC;4BACnB,IAAI,EAAE,gBAAgB;4BACtB,OAAO,EAAE,mCAAmC;yBAC/C,CAAC,CAAC;oBACP,CAAC;oBAED,OAAO,GAAG,CAAC,CAAC;oBACZ,OAAO,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;gBACzD,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACX,IAAI,MAAM;wBAAE,MAAM;oBAClB,IAAI,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC;wBACvB,MAAM,GAAG,IAAI,CAAC;wBACd,MAAM;oBACV,CAAC;oBACD,OAAO,IAAI,CAAC,CAAC;oBACb,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,EAAE,mBAAmB,CAAC,CAAC;oBACxE,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjE,IAAI,MAAM,IAAI,IAAI,CAAC,MAAM,EAAE,OAAO;wBAAE,MAAM;oBAC1C,6BAA6B;gBACjC,CAAC;YACL,CAAC;YACD,IAAI,CAAC,MAAM,EAAE,mBAAmB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;YACxD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;QAC5C,CAAC,CAAC;QAEF,OAAO;YACH,IAAI,EAAE,KAAK,IAA2C,EAAE;gBACpD,IAAI,OAAO,EAAE,CAAC;oBACV,MAAM,MAAM,GAAG,OAAO,CAAC;oBACvB,OAAO,GAAG,IAAI,CAAC;oBACf,OAAO,MAAM,CAAC;gBAClB,CAAC;gBACD,OAAO,IAAI,EAAE,CAAC;YAClB,CAAC;YACD,MAAM,EAAE,KAAK,IAA2C,EAAE;gBACtD,MAAM,GAAG,IAAI,CAAC;gBACd,IAAI,CAAC,MAAM,EAAE,mBAAmB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;gBACxD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;YAC5C,CAAC;YACD,KAAK,EAAE,KAAK,EAAE,GAAG,EAAyC,EAAE;gBACxD,MAAM,GAAG,IAAI,CAAC;gBACd,IAAI,CAAC,MAAM,EAAE,mBAAmB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;gBACxD,MAAM,GAAG,CAAC;YACd,CAAC;SACJ,CAAC;IACN,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,aAAa,CACvB,IAAgC,EAChC,IAA0B;QAE1B,MAAM,MAAM,GAAG,cAAc,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAC7D,IAAI,UAAU,GAAwC,IAAI,CAAC;QAE3D,IAAI,CAAC;YACD,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC/B,MAAM,MAAM,GAAG,sBAAsB,CAAC,KAAK,CAAC,CAAC;gBAC7C,IAAI,CAAC,MAAM;oBAAE,SAAS;gBAEtB,IAAI,MAAM,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;oBACnC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;gBAC9C,CAAC;qBAAM,CAAC;oBACJ,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;gBAC/C,CAAC;gBAED,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;oBACtB,UAAU,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;oBAC5C,OAAO,UAAU,CAAC;gBACtB,CAAC;YACL,CAAC;QACL,CAAC;gBAAS,CAAC;YACP,IAAI,CAAC;gBAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,iBAAiB,CAAC,CAAC;QACtD,CAAC;QAED,sEAAsE;QACtE,sCAAsC;QACtC,MAAM,IAAI,YAAY,CAAC,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,uDAAuD,EAAE,CAAC,CAAC;IACzH,CAAC;CACJ;AAED,SAAS,sBAAsB,CAAC,KAAe;IAC3C,IAAI,KAAK,CAAC,KAAK,KAAK,gBAAgB,EAAE,CAAC;QACnC,IAAI,CAAC;YACD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAA4B,CAAC;YAC/D,OAAO;gBACH,IAAI,EAAE,gBAAgB;gBACtB,WAAW,EAAE,MAAM,CAAC,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;gBAC3C,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,CAAC;gBAClC,SAAS,EAAE,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;gBAC1E,WAAW,EAAE,eAAe,CAAC,IAAI,CAAC,WAAW,CAAC;gBAC9C,UAAU,EAAE,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC;gBAC5C,YAAY,EAAE,eAAe,CAAC,IAAI,CAAC,YAAY,CAAC;gBAChD,eAAe,EAAE,eAAe,CAAC,IAAI,CAAC,eAAe,CAAC;gBACtD,SAAS,EAAE,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;aAChD,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,IAAI,CAAC;QAChB,CAAC;IACL,CAAC;IAED,IAAI,KAAK,CAAC,KAAK,KAAK,iBAAiB,EAAE,CAAC;QACpC,IAAI,CAAC;YACD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAA4B,CAAC;YAC/D,OAAO;gBACH,IAAI,EAAE,iBAAiB;gBACvB,WAAW,EAAE,MAAM,CAAC,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;gBAC3C,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,CAAC;gBAClC,MAAM,EAAE,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;gBACjE,OAAO,EAAE,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;gBACpE,MAAM,EAAE,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;gBACjE,SAAS,EAAE,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;gBAC1E,SAAS,EAAE,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;aAC/C,CAAC;QACpC,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,IAAI,CAAC;QAChB,CAAC;IACL,CAAC;IAED,OAAO,IAAI,CAAC;AAChB,CAAC;AAED,SAAS,eAAe,CAAC,KAAc;IACnC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAChE,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC;IAC9E,OAAO,SAAS,CAAC;AACrB,CAAC"}

package/dist/resources/webhooks.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Webhook signature verification.
+ *
+ * Compose delivery uses a Stripe-style signature header:
+ *   `X-Compose-Signature: t=<unix>,v1=<hex>`
+ * where `v1` is `HMAC-SHA256(timestamp + "." + payload, secret)`.
+ *
+ * `verify()` is a constant-time comparison.
+ */
+export interface ComposeWebhookEvent<T = unknown> {
+    id?: string;
+    type: string;
+    timestamp: number;
+    data: T;
+}
+export interface VerifyWebhookInput {
+    body: string;
+    signature: string;
+    secret: string;
+    /** Max allowed skew between `t` and now, in seconds. Default 300 (5 min). */
+    toleranceSeconds?: number;
+}
+export declare class WebhooksResource {
+    verify(input: VerifyWebhookInput): Promise<boolean>;
+    constructEvent<T = unknown>(input: VerifyWebhookInput): Promise<ComposeWebhookEvent<T>>;
+}
+//# sourceMappingURL=webhooks.d.ts.map

package/dist/resources/webhooks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhooks.d.ts","sourceRoot":"","sources":["../../src/resources/webhooks.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,WAAW,mBAAmB,CAAC,CAAC,GAAG,OAAO;IAC5C,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,CAAC,CAAC;CACX;AAED,MAAM,WAAW,kBAAkB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,6EAA6E;IAC7E,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,qBAAa,gBAAgB;IACnB,MAAM,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,OAAO,CAAC;IAgBnD,cAAc,CAAC,CAAC,GAAG,OAAO,EAAE,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC;CAShG"}

package/dist/resources/webhooks.js

@@ -0,0 +1,78 @@
+/**
+ * Webhook signature verification.
+ *
+ * Compose delivery uses a Stripe-style signature header:
+ *   `X-Compose-Signature: t=<unix>,v1=<hex>`
+ * where `v1` is `HMAC-SHA256(timestamp + "." + payload, secret)`.
+ *
+ * `verify()` is a constant-time comparison.
+ */
+export class WebhooksResource {
+    async verify(input) {
+        const parsed = parseSignatureHeader(input.signature);
+        if (!parsed)
+            return false;
+        const now = Math.floor(Date.now() / 1000);
+        const tolerance = input.toleranceSeconds ?? 300;
+        if (Math.abs(now - parsed.timestamp) > tolerance)
+            return false;
+        const expected = await hmacSha256Hex(input.secret, `${parsed.timestamp}.${input.body}`);
+        return timingSafeEqualHex(expected, parsed.v1);
+    }
+    async constructEvent(input) {
+        const ok = await this.verify(input);
+        if (!ok) {
+            const error = new Error("Invalid webhook signature");
+            error.name = "ComposeWebhookSignatureError";
+            throw error;
+        }
+        return JSON.parse(input.body);
+    }
+}
+function parseSignatureHeader(header) {
+    const parts = header.split(",");
+    let timestamp = null;
+    let v1 = null;
+    for (const part of parts) {
+        const [rawKey, ...rawValue] = part.split("=");
+        const key = rawKey.trim();
+        const value = rawValue.join("=").trim();
+        if (key === "t") {
+            timestamp = parseInt(value, 10);
+        }
+        else if (key === "v1") {
+            v1 = value;
+        }
+    }
+    if (timestamp === null || !Number.isFinite(timestamp) || !v1)
+        return null;
+    return { timestamp, v1 };
+}
+async function hmacSha256Hex(secret, message) {
+    const cryptoObj = globalThis.crypto;
+    const subtle = cryptoObj?.subtle;
+    if (!subtle) {
+        throw new Error("WebCrypto SubtleCrypto is required for webhook verification");
+    }
+    const encoder = new TextEncoder();
+    const key = await subtle.importKey("raw", encoder.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+    const signature = await subtle.sign("HMAC", key, encoder.encode(message));
+    return toHex(new Uint8Array(signature));
+}
+function toHex(bytes) {
+    const out = [];
+    for (let i = 0; i < bytes.length; i += 1) {
+        out.push(bytes[i].toString(16).padStart(2, "0"));
+    }
+    return out.join("");
+}
+function timingSafeEqualHex(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let result = 0;
+    for (let i = 0; i < a.length; i += 1) {
+        result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+    }
+    return result === 0;
+}
+//# sourceMappingURL=webhooks.js.map

package/dist/resources/webhooks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhooks.js","sourceRoot":"","sources":["../../src/resources/webhooks.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAiBH,MAAM,OAAO,gBAAgB;IACzB,KAAK,CAAC,MAAM,CAAC,KAAyB;QAClC,MAAM,MAAM,GAAG,oBAAoB,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACrD,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAE1B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,SAAS,GAAG,KAAK,CAAC,gBAAgB,IAAI,GAAG,CAAC;QAChD,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,MAAM,CAAC,SAAS,CAAC,GAAG,SAAS;YAAE,OAAO,KAAK,CAAC;QAE/D,MAAM,QAAQ,GAAG,MAAM,aAAa,CAChC,KAAK,CAAC,MAAM,EACZ,GAAG,MAAM,CAAC,SAAS,IAAI,KAAK,CAAC,IAAI,EAAE,CACtC,CAAC;QAEF,OAAO,kBAAkB,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,KAAK,CAAC,cAAc,CAAc,KAAyB;QACvD,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACpC,IAAI,CAAC,EAAE,EAAE,CAAC;YACN,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;YACpD,KAA4C,CAAC,IAAI,GAAG,8BAA8B,CAAC;YACpF,MAAM,KAAK,CAAC;QAChB,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAA2B,CAAC;IAC5D,CAAC;CACJ;AAED,SAAS,oBAAoB,CAAC,MAAc;IACxC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAChC,IAAI,SAAS,GAAkB,IAAI,CAAC;IACpC,IAAI,EAAE,GAAkB,IAAI,CAAC;IAC7B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACvB,MAAM,CAAC,MAAM,EAAE,GAAG,QAAQ,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC9C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QAC1B,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QACxC,IAAI,GAAG,KAAK,GAAG,EAAE,CAAC;YACd,SAAS,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACpC,CAAC;aAAM,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YACtB,EAAE,GAAG,KAAK,CAAC;QACf,CAAC;IACL,CAAC;IACD,IAAI,SAAS,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IAC1E,OAAO,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;AAC7B,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,MAAc,EAAE,OAAe;IACxD,MAAM,SAAS,GAAI,UAAqD,CAAC,MAAM,CAAC;IAChF,MAAM,MAAM,GAAG,SAAS,EAAE,MAAM,CAAC;IACjC,IAAI,CAAC,MAAM,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;IACnF,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,SAAS,CAC9B,KAAK,EACL,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EACtB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACX,CAAC;IACF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IAC1E,OAAO,KAAK,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,KAAK,CAAC,KAAiB;IAC5B,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACvC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;IACrD,CAAC;IACD,OAAO,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AACxB,CAAC;AAED,SAAS,kBAAkB,CAAC,CAAS,EAAE,CAAS;IAC5C,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,MAAM,KAAK,CAAC,CAAC;AACxB,CAAC"}

package/dist/resources/x402.d.ts

@@ -0,0 +1,37 @@
+import type { APIPromise, HttpClient } from "../http.js";
+import type { ComposeReceipt, FacilitatorChainsResponse, FacilitatorSupportedResponse, PaymentPayload, PaymentRequired, PaymentRequirements, SettleResponse, VerifyResponse } from "../types/index.js";
+export declare class FacilitatorResource {
+    private readonly client;
+    constructor(client: HttpClient);
+    supported(): APIPromise<FacilitatorSupportedResponse>;
+    chains(): APIPromise<FacilitatorChainsResponse>;
+    verify(body: {
+        x402Version: 2;
+        paymentPayload: PaymentPayload;
+        paymentRequirements: PaymentRequirements;
+    }): APIPromise<VerifyResponse>;
+    settle(body: {
+        x402Version: 2;
+        paymentPayload: PaymentPayload;
+        paymentRequirements: PaymentRequirements;
+    }): APIPromise<SettleResponse>;
+}
+export declare class X402Resource {
+    readonly facilitator: FacilitatorResource;
+    constructor(client: HttpClient);
+    /**
+     * Decode the base64-url PAYMENT-REQUIRED header into a typed
+     * `PaymentRequired` body. Throws on malformed input.
+     */
+    decodePaymentRequired(headerValue: string): PaymentRequired;
+    /**
+     * Decode the base64-url PAYMENT-RESPONSE header into a typed
+     * `SettleResponse` body. Throws on malformed input.
+     */
+    decodePaymentResponse(headerValue: string): SettleResponse;
+    /**
+     * Decode the base64-url X-Compose-Receipt header. Throws on malformed input.
+     */
+    decodeReceipt(headerValue: string): ComposeReceipt;
+}
+//# sourceMappingURL=x402.d.ts.map

package/dist/resources/x402.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"x402.d.ts","sourceRoot":"","sources":["../../src/resources/x402.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AACzD,OAAO,KAAK,EACR,cAAc,EACd,yBAAyB,EACzB,4BAA4B,EAC5B,cAAc,EACd,eAAe,EACf,mBAAmB,EACnB,cAAc,EACd,cAAc,EACjB,MAAM,mBAAmB,CAAC;AAe3B,qBAAa,mBAAmB;IAChB,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,UAAU;IAE/C,SAAS,IAAI,UAAU,CAAC,4BAA4B,CAAC;IAOrD,MAAM,IAAI,UAAU,CAAC,yBAAyB,CAAC;IAO/C,MAAM,CAAC,IAAI,EAAE;QAAE,WAAW,EAAE,CAAC,CAAC;QAAC,cAAc,EAAE,cAAc,CAAC;QAAC,mBAAmB,EAAE,mBAAmB,CAAA;KAAE,GAAG,UAAU,CAAC,cAAc,CAAC;IAQtI,MAAM,CAAC,IAAI,EAAE;QAAE,WAAW,EAAE,CAAC,CAAC;QAAC,cAAc,EAAE,cAAc,CAAC;QAAC,mBAAmB,EAAE,mBAAmB,CAAA;KAAE,GAAG,UAAU,CAAC,cAAc,CAAC;CAOzI;AAED,qBAAa,YAAY;IACrB,QAAQ,CAAC,WAAW,EAAE,mBAAmB,CAAC;gBAE9B,MAAM,EAAE,UAAU;IAI9B;;;OAGG;IACH,qBAAqB,CAAC,WAAW,EAAE,MAAM,GAAG,eAAe;IAI3D;;;OAGG;IACH,qBAAqB,CAAC,WAAW,EAAE,MAAM,GAAG,cAAc;IAI1D;;OAEG;IACH,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,cAAc;CAGrD"}

package/dist/resources/x402.js

@@ -0,0 +1,72 @@
+import { decodeReceiptHeader } from "../streaming/receipt.js";
+function base64UrlDecode(value) {
+    const normalized = value.replace(/-/g, "+").replace(/_/g, "/");
+    const padding = normalized.length % 4 === 0 ? "" : "=".repeat(4 - (normalized.length % 4));
+    if (typeof globalThis.atob === "function") {
+        const binary = globalThis.atob(normalized + padding);
+        const bytes = new Uint8Array(binary.length);
+        for (let i = 0; i < binary.length; i += 1)
+            bytes[i] = binary.charCodeAt(i);
+        return new TextDecoder("utf-8").decode(bytes);
+    }
+    return Buffer.from(normalized + padding, "base64").toString("utf-8");
+}
+export class FacilitatorResource {
+    client;
+    constructor(client) {
+        this.client = client;
+    }
+    supported() {
+        return this.client.request({
+            method: "GET",
+            path: "/api/x402/facilitator/supported",
+        });
+    }
+    chains() {
+        return this.client.request({
+            method: "GET",
+            path: "/api/x402/facilitator/chains",
+        });
+    }
+    verify(body) {
+        return this.client.request({
+            method: "POST",
+            path: "/api/x402/facilitator/verify",
+            body,
+        });
+    }
+    settle(body) {
+        return this.client.request({
+            method: "POST",
+            path: "/api/x402/facilitator/settle",
+            body,
+        });
+    }
+}
+export class X402Resource {
+    facilitator;
+    constructor(client) {
+        this.facilitator = new FacilitatorResource(client);
+    }
+    /**
+     * Decode the base64-url PAYMENT-REQUIRED header into a typed
+     * `PaymentRequired` body. Throws on malformed input.
+     */
+    decodePaymentRequired(headerValue) {
+        return JSON.parse(base64UrlDecode(headerValue));
+    }
+    /**
+     * Decode the base64-url PAYMENT-RESPONSE header into a typed
+     * `SettleResponse` body. Throws on malformed input.
+     */
+    decodePaymentResponse(headerValue) {
+        return JSON.parse(base64UrlDecode(headerValue));
+    }
+    /**
+     * Decode the base64-url X-Compose-Receipt header. Throws on malformed input.
+     */
+    decodeReceipt(headerValue) {
+        return decodeReceiptHeader(headerValue);
+    }
+}
+//# sourceMappingURL=x402.js.map

package/dist/resources/x402.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"x402.js","sourceRoot":"","sources":["../../src/resources/x402.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAE9D,SAAS,eAAe,CAAC,KAAa;IAClC,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC/D,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;IAC3F,IAAI,OAAO,UAAU,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QACxC,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,CAAC;QACrD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC;YAAE,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAC3E,OAAO,IAAI,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,UAAU,GAAG,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACzE,CAAC;AAED,MAAM,OAAO,mBAAmB;IACC;IAA7B,YAA6B,MAAkB;QAAlB,WAAM,GAAN,MAAM,CAAY;IAAG,CAAC;IAEnD,SAAS;QACL,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAA+B;YACrD,MAAM,EAAE,KAAK;YACb,IAAI,EAAE,iCAAiC;SAC1C,CAAC,CAAC;IACP,CAAC;IAED,MAAM;QACF,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAA4B;YAClD,MAAM,EAAE,KAAK;YACb,IAAI,EAAE,8BAA8B;SACvC,CAAC,CAAC;IACP,CAAC;IAED,MAAM,CAAC,IAAkG;QACrG,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAiB;YACvC,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,8BAA8B;YACpC,IAAI;SACP,CAAC,CAAC;IACP,CAAC;IAED,MAAM,CAAC,IAAkG;QACrG,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAiB;YACvC,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,8BAA8B;YACpC,IAAI;SACP,CAAC,CAAC;IACP,CAAC;CACJ;AAED,MAAM,OAAO,YAAY;IACZ,WAAW,CAAsB;IAE1C,YAAY,MAAkB;QAC1B,IAAI,CAAC,WAAW,GAAG,IAAI,mBAAmB,CAAC,MAAM,CAAC,CAAC;IACvD,CAAC;IAED;;;OAGG;IACH,qBAAqB,CAAC,WAAmB;QACrC,OAAO,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,WAAW,CAAC,CAAoB,CAAC;IACvE,CAAC;IAED;;;OAGG;IACH,qBAAqB,CAAC,WAAmB;QACrC,OAAO,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,WAAW,CAAC,CAAmB,CAAC;IACtE,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,WAAmB;QAC7B,OAAO,mBAAmB,CAAC,WAAW,CAAC,CAAC;IAC5C,CAAC;CACJ"}

package/dist/storage.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Pluggable storage for persisting the Compose Key JWT across process
+ * restarts (browser reload, serverless cold start, etc).
+ *
+ * The SDK stays framework-agnostic by not importing any browser or Node
+ * storage API directly. Integrators pass a minimal adapter; the SDK
+ * auto-detects `globalThis.localStorage` when none is provided but runs in a
+ * browser, and falls back to an in-memory Map everywhere else.
+ *
+ * Storage is scoped per `(userAddress, chainId)` tuple so multiple wallets /
+ * chains on the same device never collide.
+ */
+export interface ComposeStorage {
+    getItem(key: string): string | null;
+    setItem(key: string, value: string): void;
+    removeItem(key: string): void;
+}
+export declare function resolveStorage(explicit: ComposeStorage | undefined): ComposeStorage | null;
+export declare function createMemoryStorage(): ComposeStorage;
+/**
+ * Build the scoped storage key for a persisted Compose Key token. The shape
+ * `compose.sdk.token:<lower-address>:<chainId>` mirrors the convention already
+ * in use by web/ so multiple SDK instances + the bare web app never collide.
+ */
+export declare function buildTokenStorageKey(tokenScope: string, userAddress: string, chainId: number): string;
+export declare const DEFAULT_TOKEN_SCOPE = "compose.sdk.token";
+//# sourceMappingURL=storage.d.ts.map

package/dist/storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../src/storage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,MAAM,WAAW,cAAc;IAC3B,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IACpC,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1C,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;CACjC;AAED,wBAAgB,cAAc,CAAC,QAAQ,EAAE,cAAc,GAAG,SAAS,GAAG,cAAc,GAAG,IAAI,CAgB1F;AAED,wBAAgB,mBAAmB,IAAI,cAAc,CAOpD;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAErG;AAED,eAAO,MAAM,mBAAmB,sBAAsB,CAAC"}

package/dist/storage.js

@@ -0,0 +1,46 @@
+/**
+ * Pluggable storage for persisting the Compose Key JWT across process
+ * restarts (browser reload, serverless cold start, etc).
+ *
+ * The SDK stays framework-agnostic by not importing any browser or Node
+ * storage API directly. Integrators pass a minimal adapter; the SDK
+ * auto-detects `globalThis.localStorage` when none is provided but runs in a
+ * browser, and falls back to an in-memory Map everywhere else.
+ *
+ * Storage is scoped per `(userAddress, chainId)` tuple so multiple wallets /
+ * chains on the same device never collide.
+ */
+export function resolveStorage(explicit) {
+    if (explicit)
+        return explicit;
+    // Browser / Deno / Cloudflare Workers with localStorage polyfills.
+    const candidate = globalThis.localStorage;
+    if (candidate && typeof candidate === "object") {
+        const ls = candidate;
+        if (typeof ls.getItem === "function" && typeof ls.setItem === "function" && typeof ls.removeItem === "function") {
+            return ls;
+        }
+    }
+    // Node / server runtimes without a persistent store: return null so the
+    // SDK falls back to in-memory only. Integrators who want cross-restart
+    // persistence in those environments pass an explicit adapter.
+    return null;
+}
+export function createMemoryStorage() {
+    const map = new Map();
+    return {
+        getItem: (key) => map.get(key) ?? null,
+        setItem: (key, value) => { map.set(key, value); },
+        removeItem: (key) => { map.delete(key); },
+    };
+}
+/**
+ * Build the scoped storage key for a persisted Compose Key token. The shape
+ * `compose.sdk.token:<lower-address>:<chainId>` mirrors the convention already
+ * in use by web/ so multiple SDK instances + the bare web app never collide.
+ */
+export function buildTokenStorageKey(tokenScope, userAddress, chainId) {
+    return `${tokenScope}:${userAddress.toLowerCase()}:${chainId}`;
+}
+export const DEFAULT_TOKEN_SCOPE = "compose.sdk.token";
+//# sourceMappingURL=storage.js.map

package/dist/storage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.js","sourceRoot":"","sources":["../src/storage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAQH,MAAM,UAAU,cAAc,CAAC,QAAoC;IAC/D,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAE9B,mEAAmE;IACnE,MAAM,SAAS,GAAI,UAAyC,CAAC,YAAY,CAAC;IAC1E,IAAI,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;QAC7C,MAAM,EAAE,GAAG,SAA2B,CAAC;QACvC,IAAI,OAAO,EAAE,CAAC,OAAO,KAAK,UAAU,IAAI,OAAO,EAAE,CAAC,OAAO,KAAK,UAAU,IAAI,OAAO,EAAE,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;YAC9G,OAAO,EAAE,CAAC;QACd,CAAC;IACL,CAAC;IAED,wEAAwE;IACxE,uEAAuE;IACvE,8DAA8D;IAC9D,OAAO,IAAI,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,mBAAmB;IAC/B,MAAM,GAAG,GAAG,IAAI,GAAG,EAAkB,CAAC;IACtC,OAAO;QACH,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI;QACtC,OAAO,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC;QACjD,UAAU,EAAE,CAAC,GAAG,EAAE,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;KAC5C,CAAC;AACN,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,UAAkB,EAAE,WAAmB,EAAE,OAAe;IACzF,OAAO,GAAG,UAAU,IAAI,WAAW,CAAC,WAAW,EAAE,IAAI,OAAO,EAAE,CAAC;AACnE,CAAC;AAED,MAAM,CAAC,MAAM,mBAAmB,GAAG,mBAAmB,CAAC"}

package/dist/streaming/budget.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Extract session-budget state from response headers.
+ *
+ * The api.compose.market gateway emits the live session-budget ledger on every
+ * billable response via these headers:
+ *   - `x-session-budget-limit`      total budget (wei, string)
+ *   - `x-session-budget-used`       spent (wei, string)
+ *   - `x-session-budget-locked`     reserved (wei, string)
+ *   - `x-session-budget-remaining`  remaining (wei, string)
+ *   - `x-compose-session-invalid`   truthy string when the session must be torn
+ *                                   down (e.g. "budget-depleted", "expired")
+ *
+ * This helper converts them into a typed object for the SDK event bus.
+ */
+import type { SessionBudgetSnapshot, SessionInvalidReason } from "../types/index.js";
+export declare function extractSessionBudgetFromResponse(response: {
+    headers: Headers;
+}): {
+    budget: SessionBudgetSnapshot | null;
+    sessionInvalidReason: SessionInvalidReason | null;
+};
+//# sourceMappingURL=budget.d.ts.map

package/dist/streaming/budget.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"budget.d.ts","sourceRoot":"","sources":["../../src/streaming/budget.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAErF,wBAAgB,gCAAgC,CAC5C,QAAQ,EAAE;IAAE,OAAO,EAAE,OAAO,CAAA;CAAE,GAC/B;IAAE,MAAM,EAAE,qBAAqB,GAAG,IAAI,CAAC;IAAC,oBAAoB,EAAE,oBAAoB,GAAG,IAAI,CAAA;CAAE,CA2B7F"}

package/dist/streaming/budget.js

@@ -0,0 +1,40 @@
+/**
+ * Extract session-budget state from response headers.
+ *
+ * The api.compose.market gateway emits the live session-budget ledger on every
+ * billable response via these headers:
+ *   - `x-session-budget-limit`      total budget (wei, string)
+ *   - `x-session-budget-used`       spent (wei, string)
+ *   - `x-session-budget-locked`     reserved (wei, string)
+ *   - `x-session-budget-remaining`  remaining (wei, string)
+ *   - `x-compose-session-invalid`   truthy string when the session must be torn
+ *                                   down (e.g. "budget-depleted", "expired")
+ *
+ * This helper converts them into a typed object for the SDK event bus.
+ */
+export function extractSessionBudgetFromResponse(response) {
+    const limit = response.headers.get("x-session-budget-limit");
+    const used = response.headers.get("x-session-budget-used");
+    const locked = response.headers.get("x-session-budget-locked");
+    const remaining = response.headers.get("x-session-budget-remaining");
+    const invalidRaw = response.headers.get("x-compose-session-invalid");
+    const sessionInvalidReason = typeof invalidRaw === "string" && invalidRaw.length > 0
+        ? invalidRaw
+        : null;
+    // Emit the budget snapshot only when at least one numeric header is
+    // present. Any non-parseable value falls back to null so downstream
+    // consumers see `null` rather than NaN.
+    if (limit === null && used === null && locked === null && remaining === null) {
+        return { budget: null, sessionInvalidReason };
+    }
+    return {
+        budget: {
+            limitWei: limit ?? null,
+            usedWei: used ?? null,
+            lockedWei: locked ?? null,
+            remainingWei: remaining ?? null,
+        },
+        sessionInvalidReason,
+    };
+}
+//# sourceMappingURL=budget.js.map

package/dist/streaming/budget.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"budget.js","sourceRoot":"","sources":["../../src/streaming/budget.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,MAAM,UAAU,gCAAgC,CAC5C,QAA8B;IAE9B,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;IAC7D,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;IAC/D,MAAM,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;IAErE,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;IACrE,MAAM,oBAAoB,GAAG,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC;QAChF,CAAC,CAAE,UAAmC;QACtC,CAAC,CAAC,IAAI,CAAC;IAEX,oEAAoE;IACpE,oEAAoE;IACpE,wCAAwC;IACxC,IAAI,KAAK,KAAK,IAAI,IAAI,IAAI,KAAK,IAAI,IAAI,MAAM,KAAK,IAAI,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;QAC3E,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,oBAAoB,EAAE,CAAC;IAClD,CAAC;IAED,OAAO;QACH,MAAM,EAAE;YACJ,QAAQ,EAAE,KAAK,IAAI,IAAI;YACvB,OAAO,EAAE,IAAI,IAAI,IAAI;YACrB,SAAS,EAAE,MAAM,IAAI,IAAI;YACzB,YAAY,EAAE,SAAS,IAAI,IAAI;SAClC;QACD,oBAAoB;KACvB,CAAC;AACN,CAAC"}

package/dist/streaming/receipt.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Receipt helpers.
+ *
+ * `X-Compose-Receipt` is a url-safe base64 blob carrying an authoritative
+ * settlement breakdown. The same shape is also emitted in streams as an SSE
+ * `event: compose.receipt` frame and echoed as `compose_receipt` in JSON
+ * response bodies.
+ */
+import type { ComposeReceipt } from "../types/index.js";
+export declare const RECEIPT_HEADER_NAMES: readonly ["x-compose-receipt", "X-Compose-Receipt"];
+export declare function decodeReceiptHeader(value: string): ComposeReceipt;
+/**
+ * Extract a receipt from a Fetch `Response`. Preference order:
+ *   1. `X-Compose-Receipt` header (binary truth)
+ *   2. `compose_receipt` field on the JSON body (fallback mirror)
+ */
+export declare function extractReceiptFromResponse(response: {
+    headers: Headers;
+}, body?: Record<string, unknown> | null): ComposeReceipt | null;
+/**
+ * Parse the payload of an SSE `event: compose.receipt` frame. Throws on
+ * malformed JSON so callers can abort the stream consumer.
+ */
+export declare function parseReceiptEvent(data: string): ComposeReceipt;
+//# sourceMappingURL=receipt.d.ts.map

package/dist/streaming/receipt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"receipt.d.ts","sourceRoot":"","sources":["../../src/streaming/receipt.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAExD,eAAO,MAAM,oBAAoB,qDAAsD,CAAC;AAmBxF,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,cAAc,CAEjE;AAED;;;;GAIG;AACH,wBAAgB,0BAA0B,CACtC,QAAQ,EAAE;IAAE,OAAO,EAAE,OAAO,CAAA;CAAE,EAC9B,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,GACtC,cAAc,GAAG,IAAI,CAevB;AAuBD;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,cAAc,CAoB9D"}