@dexterai/x402 3.8.1 → 3.9.1

package/dist/types-DIrmhiD-.d.cts

@@ -0,0 +1,234 @@
+/**
+ * @dexterai/x402/tab — type contract for the OTS-backed streaming payment module.
+ *
+ * Peer of `batch-settlement`. Where `batch-settlement` is for N discrete paid
+ * requests against one escrow channel, `tab` is for *continuous metered
+ * consumption* — tokens, bytes, frames, seconds — settled on close.
+ *
+ * Full design: see `docs/DESIGN-tab-streaming.md`. This file is the contract
+ * lock for Phase 1: the public types and option shapes that downstream phases
+ * must implement against without drift.
+ */
+/**
+ * CAIP-2-style network identifier. The buyer-side `openTab` accepts a string
+ * here so future networks (EVM L2s) require no API change — only a new
+ * VaultAdapter implementation.
+ */
+type TabNetworkId = 'solana:mainnet' | (string & {});
+/**
+ * Atomic-unit cumulative amount the seller is asking the buyer to authorize
+ * for a single voucher. Strings to avoid bigint JSON-serialization headaches
+ * across language boundaries.
+ */
+type AtomicAmount = string;
+/**
+ * Human-readable amount (e.g. "0.001" USDC). Used at SDK boundaries; converted
+ * to atomic units internally per the vault's token decimals.
+ */
+type HumanAmount = string;
+/**
+ * Scope of a session key — the limits the passkey embeds into its
+ * registration signature. The on-chain program (via Swig) and the seller's
+ * middleware (locally) both enforce these.
+ */
+interface SessionScope {
+    /** The specific tab this session is bound to. */
+    channelId: string;
+    /** Cumulative cap, atomic units. The session-key cannot sign beyond this. */
+    maxAmountAtomic: AtomicAmount;
+    /** Wall-clock expiry (unix seconds). Hard deadline regardless of usage. */
+    expiresAtUnix: number;
+    /** Counterparty restriction — typically the seller's address. */
+    allowedCounterparty: string;
+}
+/**
+ * In-memory session key. NEVER persisted to disk. A crashed process forfeits
+ * the session and re-prompts the passkey on the next attempt — this is the
+ * right default because a session key on disk is a real attack surface.
+ */
+interface SessionKey {
+    /** Public key the seller verifies signatures against. */
+    publicKey: Uint8Array;
+    /** Private key — in-memory only. */
+    privateKey: Uint8Array;
+    /** Limits this session may operate within. */
+    scope: SessionScope;
+    /** The passkey signature authorizing this session. The seller verifies it
+     *  against the vault's registered passkey on every voucher. */
+    registration: Uint8Array;
+}
+/**
+ * What the buyer signs per stream chunk, and what the seller verifies before
+ * delivering. Cumulative-amount semantics: each voucher represents the TOTAL
+ * owed so far, not the incremental amount. Replay-resistant because vouchers
+ * monotonically increase.
+ */
+interface VoucherPayload {
+    channelId: string;
+    /** Total owed so far, atomic units. Must strictly exceed the prior voucher. */
+    cumulativeAmount: AtomicAmount;
+    /** Monotonic sequence number. Replay protection within a tab. */
+    sequenceNumber: number;
+}
+/**
+ * The full voucher as sent over the wire: payload + session signature +
+ * the registration that authorizes the signing session key. The seller's
+ * middleware verifies the registration's passkey signature once per session,
+ * caches the result, and verifies only the session-key signature per chunk.
+ */
+interface SignedVoucher {
+    payload: VoucherPayload;
+    sessionPublicKey: Uint8Array;
+    sessionRegistration: Uint8Array;
+    sessionSignature: Uint8Array;
+}
+/**
+ * Adapter for a specific chain's OTS vault implementation. The SDK calls into
+ * `authorizeSession()` ONCE per tab and `signWithSession()` many times. The
+ * adapter owns the chain-specific wiring (Solana passkey via WebAuthn or
+ * noble-curves, EVM passkey via 7212-aware smart account, etc.).
+ *
+ * IMPORTANT: this interface must remain stable across vault chains. New
+ * chains add adapters; the SDK call site does not change.
+ */
+interface VaultAdapter {
+    /** Which chain this adapter operates on. */
+    network: TabNetworkId;
+    /** Wallet holding the buyer's funds. */
+    swigAddress: string;
+    /** Program/contract account holding the OTS gate state. */
+    vaultPda: string;
+    /**
+     * Use the ROOT signer (passkey) to authorize a fresh session key. This is
+     * the only call that prompts the user. Returns a session that can be passed
+     * to `signWithSession` freely until the scope's cap or expiry is reached.
+     */
+    authorizeSession(scope: SessionScope): Promise<SessionKey>;
+    /**
+     * Use the session key to sign a voucher. Cheap. Never prompts. The seller
+     * verifies against the session's registration; the session's registration
+     * was passkey-signed by `authorizeSession`.
+     */
+    signWithSession(session: SessionKey, payload: VoucherPayload): Promise<SignedVoucher>;
+    /**
+     * Authorize tab open on chain. Posted through the facilitator, which calls
+     * `settle_voucher(amount: 0, increment: true)` with the recorded authority.
+     */
+    signOpenTab(session: SessionKey, channelId: string): Promise<Uint8Array>;
+    /**
+     * Authorize tab close on chain. Carries the final cumulative amount; the
+     * facilitator settles via `settle_voucher(amount, increment: false)`.
+     */
+    signCloseTab(session: SessionKey, channelId: string, cumulativeAmount: AtomicAmount): Promise<Uint8Array>;
+}
+/** Live state of a buyer's tab. All amounts human units. */
+interface TabState {
+    /** Whether the tab is currently open (on chain) and accepting vouchers. */
+    isOpen: boolean;
+    /** Cumulative amount spent against this tab so far. */
+    spent: HumanAmount;
+    /** Remaining headroom under the session's cap. */
+    remaining: HumanAmount;
+    /** Seconds until session expiry. May be 0 even if isOpen — close ASAP. */
+    expiresInSec: number;
+}
+/**
+ * The buyer's handle to an open tab. Returned by `openTab`; the buyer drives
+ * one or more `stream()` calls against it, then `close()`.
+ *
+ * Mental model: this is to `tab` what `BatchSettlementChannel` is to
+ * `batch-settlement` — a per-session live object that owns the buyer's
+ * accounting and exposes a streaming I/O primitive.
+ */
+interface Tab {
+    /** Deterministic channel id derived from buyer/seller/scope/salt. */
+    readonly channelId: string;
+    /** Which network the underlying vault lives on. */
+    readonly network: TabNetworkId;
+    /** Live state. Re-reads after every voucher exchange. */
+    readonly state: TabState;
+    /**
+     * Streamed paid request. Returns an async iterable of chunks. Voucher
+     * signing is internal: the seller demands a fresh session-signed voucher
+     * before delivering each chunk, so the buyer is paid up exactly to what
+     * they've received.
+     *
+     * The async iterable break-on-throw on cap-exceeded, expiry, or signature
+     * rejection — the SDK never silently keeps streaming after a failure.
+     */
+    stream(input: string | URL | Request, init?: RequestInit): Promise<AsyncIterable<Uint8Array>>;
+    /**
+     * Close the tab. Posts the cumulative voucher through the facilitator;
+     * facilitator calls `settle_voucher(amount, increment: false)` on chain.
+     * The session key is discarded after this resolves.
+     *
+     * After close(), the buyer's vault `request_withdrawal` is unblocked (the
+     * on-chain gate sees pending_voucher_count return to 0).
+     */
+    close(): Promise<TabCloseResult>;
+}
+/** Result of `Tab.close()`. */
+interface TabCloseResult {
+    /** Cumulative human amount settled on chain. */
+    settledAmount: HumanAmount;
+    /** Facilitator's on-chain settlement signature. */
+    settleTx: string;
+}
+/**
+ * Options for `openTab` — the buyer's session-opening call.
+ *
+ * The shape deliberately mirrors `openBatchChannel` so users coming from
+ * `batch-settlement` need only learn the new fields (`perUnitCap`,
+ * `sessionDuration`).
+ */
+interface OpenTabOptions {
+    /** OTS vault adapter — Solana adapter ships first; future EVM adapter slots in here. */
+    vault: VaultAdapter;
+    /** CAIP-2-style network the vault lives on; cross-checked against vault.network. */
+    network: TabNetworkId;
+    /** Seller's endpoint host (used for the counterparty binding + voucher routing). */
+    seller: string;
+    /** Max amount per voucher — caps how aggressive a single charge can be. */
+    perUnitCap: HumanAmount;
+    /** Max cumulative for the WHOLE tab — the session-key cap. */
+    totalCap: HumanAmount;
+    /** Session expiry, seconds from now. Default: 3600 (1 hour). */
+    sessionDuration?: number;
+    /** Facilitator base URL. Default: https://facilitator.dexter.cash, overridable. */
+    facilitatorUrl?: string;
+}
+/**
+ * Options for `resumeTab` — open a handle to a tab that was opened by a
+ * previous process. Recovery surface for crashed buyers.
+ *
+ * NOTE: a resumed tab requires a fresh session key, because session keys are
+ * memory-only by design. The first call after resume prompts the passkey
+ * once to authorize a new session bound to the same channelId.
+ */
+interface ResumeTabOptions {
+    vault: VaultAdapter;
+    network: TabNetworkId;
+    seller: string;
+    channelId: string;
+    perUnitCap: HumanAmount;
+    totalCap: HumanAmount;
+    sessionDuration?: number;
+    facilitatorUrl?: string;
+}
+/** Thrown when the SDK is invoked against a chain it does not yet support. */
+declare class UnsupportedNetworkError extends Error {
+    readonly network: string;
+    constructor(network: string);
+}
+/** Thrown by a buyer call when the session-key cap or expiry would be exceeded. */
+declare class SessionScopeExceededError extends Error {
+    readonly reason: 'cap_exceeded' | 'expired' | 'wrong_counterparty';
+    constructor(reason: 'cap_exceeded' | 'expired' | 'wrong_counterparty', detail?: string);
+}
+/** Thrown when the buyer tries to operate against a tab that has been closed. */
+declare class TabClosedError extends Error {
+    readonly channelId: string;
+    constructor(channelId: string);
+}
+
+export { type AtomicAmount as A, type HumanAmount as H, type OpenTabOptions as O, type ResumeTabOptions as R, type SessionScope as S, type Tab as T, UnsupportedNetworkError as U, type VoucherPayload as V, type TabState as a, type TabCloseResult as b, type TabNetworkId as c, type SessionKey as d, type SignedVoucher as e, type VaultAdapter as f, SessionScopeExceededError as g, TabClosedError as h };

package/dist/types-DIrmhiD-.d.ts

@@ -0,0 +1,234 @@
+/**
+ * @dexterai/x402/tab — type contract for the OTS-backed streaming payment module.
+ *
+ * Peer of `batch-settlement`. Where `batch-settlement` is for N discrete paid
+ * requests against one escrow channel, `tab` is for *continuous metered
+ * consumption* — tokens, bytes, frames, seconds — settled on close.
+ *
+ * Full design: see `docs/DESIGN-tab-streaming.md`. This file is the contract
+ * lock for Phase 1: the public types and option shapes that downstream phases
+ * must implement against without drift.
+ */
+/**
+ * CAIP-2-style network identifier. The buyer-side `openTab` accepts a string
+ * here so future networks (EVM L2s) require no API change — only a new
+ * VaultAdapter implementation.
+ */
+type TabNetworkId = 'solana:mainnet' | (string & {});
+/**
+ * Atomic-unit cumulative amount the seller is asking the buyer to authorize
+ * for a single voucher. Strings to avoid bigint JSON-serialization headaches
+ * across language boundaries.
+ */
+type AtomicAmount = string;
+/**
+ * Human-readable amount (e.g. "0.001" USDC). Used at SDK boundaries; converted
+ * to atomic units internally per the vault's token decimals.
+ */
+type HumanAmount = string;
+/**
+ * Scope of a session key — the limits the passkey embeds into its
+ * registration signature. The on-chain program (via Swig) and the seller's
+ * middleware (locally) both enforce these.
+ */
+interface SessionScope {
+    /** The specific tab this session is bound to. */
+    channelId: string;
+    /** Cumulative cap, atomic units. The session-key cannot sign beyond this. */
+    maxAmountAtomic: AtomicAmount;
+    /** Wall-clock expiry (unix seconds). Hard deadline regardless of usage. */
+    expiresAtUnix: number;
+    /** Counterparty restriction — typically the seller's address. */
+    allowedCounterparty: string;
+}
+/**
+ * In-memory session key. NEVER persisted to disk. A crashed process forfeits
+ * the session and re-prompts the passkey on the next attempt — this is the
+ * right default because a session key on disk is a real attack surface.
+ */
+interface SessionKey {
+    /** Public key the seller verifies signatures against. */
+    publicKey: Uint8Array;
+    /** Private key — in-memory only. */
+    privateKey: Uint8Array;
+    /** Limits this session may operate within. */
+    scope: SessionScope;
+    /** The passkey signature authorizing this session. The seller verifies it
+     *  against the vault's registered passkey on every voucher. */
+    registration: Uint8Array;
+}
+/**
+ * What the buyer signs per stream chunk, and what the seller verifies before
+ * delivering. Cumulative-amount semantics: each voucher represents the TOTAL
+ * owed so far, not the incremental amount. Replay-resistant because vouchers
+ * monotonically increase.
+ */
+interface VoucherPayload {
+    channelId: string;
+    /** Total owed so far, atomic units. Must strictly exceed the prior voucher. */
+    cumulativeAmount: AtomicAmount;
+    /** Monotonic sequence number. Replay protection within a tab. */
+    sequenceNumber: number;
+}
+/**
+ * The full voucher as sent over the wire: payload + session signature +
+ * the registration that authorizes the signing session key. The seller's
+ * middleware verifies the registration's passkey signature once per session,
+ * caches the result, and verifies only the session-key signature per chunk.
+ */
+interface SignedVoucher {
+    payload: VoucherPayload;
+    sessionPublicKey: Uint8Array;
+    sessionRegistration: Uint8Array;
+    sessionSignature: Uint8Array;
+}
+/**
+ * Adapter for a specific chain's OTS vault implementation. The SDK calls into
+ * `authorizeSession()` ONCE per tab and `signWithSession()` many times. The
+ * adapter owns the chain-specific wiring (Solana passkey via WebAuthn or
+ * noble-curves, EVM passkey via 7212-aware smart account, etc.).
+ *
+ * IMPORTANT: this interface must remain stable across vault chains. New
+ * chains add adapters; the SDK call site does not change.
+ */
+interface VaultAdapter {
+    /** Which chain this adapter operates on. */
+    network: TabNetworkId;
+    /** Wallet holding the buyer's funds. */
+    swigAddress: string;
+    /** Program/contract account holding the OTS gate state. */
+    vaultPda: string;
+    /**
+     * Use the ROOT signer (passkey) to authorize a fresh session key. This is
+     * the only call that prompts the user. Returns a session that can be passed
+     * to `signWithSession` freely until the scope's cap or expiry is reached.
+     */
+    authorizeSession(scope: SessionScope): Promise<SessionKey>;
+    /**
+     * Use the session key to sign a voucher. Cheap. Never prompts. The seller
+     * verifies against the session's registration; the session's registration
+     * was passkey-signed by `authorizeSession`.
+     */
+    signWithSession(session: SessionKey, payload: VoucherPayload): Promise<SignedVoucher>;
+    /**
+     * Authorize tab open on chain. Posted through the facilitator, which calls
+     * `settle_voucher(amount: 0, increment: true)` with the recorded authority.
+     */
+    signOpenTab(session: SessionKey, channelId: string): Promise<Uint8Array>;
+    /**
+     * Authorize tab close on chain. Carries the final cumulative amount; the
+     * facilitator settles via `settle_voucher(amount, increment: false)`.
+     */
+    signCloseTab(session: SessionKey, channelId: string, cumulativeAmount: AtomicAmount): Promise<Uint8Array>;
+}
+/** Live state of a buyer's tab. All amounts human units. */
+interface TabState {
+    /** Whether the tab is currently open (on chain) and accepting vouchers. */
+    isOpen: boolean;
+    /** Cumulative amount spent against this tab so far. */
+    spent: HumanAmount;
+    /** Remaining headroom under the session's cap. */
+    remaining: HumanAmount;
+    /** Seconds until session expiry. May be 0 even if isOpen — close ASAP. */
+    expiresInSec: number;
+}
+/**
+ * The buyer's handle to an open tab. Returned by `openTab`; the buyer drives
+ * one or more `stream()` calls against it, then `close()`.
+ *
+ * Mental model: this is to `tab` what `BatchSettlementChannel` is to
+ * `batch-settlement` — a per-session live object that owns the buyer's
+ * accounting and exposes a streaming I/O primitive.
+ */
+interface Tab {
+    /** Deterministic channel id derived from buyer/seller/scope/salt. */
+    readonly channelId: string;
+    /** Which network the underlying vault lives on. */
+    readonly network: TabNetworkId;
+    /** Live state. Re-reads after every voucher exchange. */
+    readonly state: TabState;
+    /**
+     * Streamed paid request. Returns an async iterable of chunks. Voucher
+     * signing is internal: the seller demands a fresh session-signed voucher
+     * before delivering each chunk, so the buyer is paid up exactly to what
+     * they've received.
+     *
+     * The async iterable break-on-throw on cap-exceeded, expiry, or signature
+     * rejection — the SDK never silently keeps streaming after a failure.
+     */
+    stream(input: string | URL | Request, init?: RequestInit): Promise<AsyncIterable<Uint8Array>>;
+    /**
+     * Close the tab. Posts the cumulative voucher through the facilitator;
+     * facilitator calls `settle_voucher(amount, increment: false)` on chain.
+     * The session key is discarded after this resolves.
+     *
+     * After close(), the buyer's vault `request_withdrawal` is unblocked (the
+     * on-chain gate sees pending_voucher_count return to 0).
+     */
+    close(): Promise<TabCloseResult>;
+}
+/** Result of `Tab.close()`. */
+interface TabCloseResult {
+    /** Cumulative human amount settled on chain. */
+    settledAmount: HumanAmount;
+    /** Facilitator's on-chain settlement signature. */
+    settleTx: string;
+}
+/**
+ * Options for `openTab` — the buyer's session-opening call.
+ *
+ * The shape deliberately mirrors `openBatchChannel` so users coming from
+ * `batch-settlement` need only learn the new fields (`perUnitCap`,
+ * `sessionDuration`).
+ */
+interface OpenTabOptions {
+    /** OTS vault adapter — Solana adapter ships first; future EVM adapter slots in here. */
+    vault: VaultAdapter;
+    /** CAIP-2-style network the vault lives on; cross-checked against vault.network. */
+    network: TabNetworkId;
+    /** Seller's endpoint host (used for the counterparty binding + voucher routing). */
+    seller: string;
+    /** Max amount per voucher — caps how aggressive a single charge can be. */
+    perUnitCap: HumanAmount;
+    /** Max cumulative for the WHOLE tab — the session-key cap. */
+    totalCap: HumanAmount;
+    /** Session expiry, seconds from now. Default: 3600 (1 hour). */
+    sessionDuration?: number;
+    /** Facilitator base URL. Default: https://facilitator.dexter.cash, overridable. */
+    facilitatorUrl?: string;
+}
+/**
+ * Options for `resumeTab` — open a handle to a tab that was opened by a
+ * previous process. Recovery surface for crashed buyers.
+ *
+ * NOTE: a resumed tab requires a fresh session key, because session keys are
+ * memory-only by design. The first call after resume prompts the passkey
+ * once to authorize a new session bound to the same channelId.
+ */
+interface ResumeTabOptions {
+    vault: VaultAdapter;
+    network: TabNetworkId;
+    seller: string;
+    channelId: string;
+    perUnitCap: HumanAmount;
+    totalCap: HumanAmount;
+    sessionDuration?: number;
+    facilitatorUrl?: string;
+}
+/** Thrown when the SDK is invoked against a chain it does not yet support. */
+declare class UnsupportedNetworkError extends Error {
+    readonly network: string;
+    constructor(network: string);
+}
+/** Thrown by a buyer call when the session-key cap or expiry would be exceeded. */
+declare class SessionScopeExceededError extends Error {
+    readonly reason: 'cap_exceeded' | 'expired' | 'wrong_counterparty';
+    constructor(reason: 'cap_exceeded' | 'expired' | 'wrong_counterparty', detail?: string);
+}
+/** Thrown when the buyer tries to operate against a tab that has been closed. */
+declare class TabClosedError extends Error {
+    readonly channelId: string;
+    constructor(channelId: string);
+}
+
+export { type AtomicAmount as A, type HumanAmount as H, type OpenTabOptions as O, type ResumeTabOptions as R, type SessionScope as S, type Tab as T, UnsupportedNetworkError as U, type VoucherPayload as V, type TabState as a, type TabCloseResult as b, type TabNetworkId as c, type SessionKey as d, type SignedVoucher as e, type VaultAdapter as f, SessionScopeExceededError as g, TabClosedError as h };

package/dist/{types-htvWHuW3.d.cts → types-RxdlGPaG.d.cts}

@@ -302,6 +302,25 @@ declare class EvmAdapter implements ChainAdapter {
     private getChainId;
     getBalance(accept: PaymentAccept, wallet: unknown, rpcUrl?: string): Promise<number>;
     private encodeBalanceOf;
+    /**
+     * Confirm an EVM payment settled on-chain, after a post-payment timeout.
+     *
+     * EIP-3009 (`exact`): calls the token contract's
+     * `authorizationState(authorizer, nonce)` view — `true` means our exact
+     * signed authorization was consumed, i.e. the transfer settled. The nonce
+     * is the 32-byte value the SDK itself generated, so this is a definitive,
+     * surgical yes/no.
+     *
+     * Permit2: calls `Permit2.nonceBitmap(owner, wordPos)` and tests the bit
+     * for our nonce. A set bit means the Permit2 transfer was executed.
+     *
+     * For any other scheme (e.g. exact-approval) there is no clean
+     * nonce-consumed check — this throws, which the strategy reads as
+     * "unknown" and maps to `payment_unconfirmed`.
+     */
+    confirmSettlement(probe: SettlementProbe, rpcUrl: string): Promise<SettlementConfirmation>;
+    /** Raw `eth_call` returning the result hex word. Throws on RPC error. */
+    private ethCall;
     buildTransaction(accept: PaymentAccept, wallet: unknown, rpcUrl?: string): Promise<SignedTransaction>;
     /**
      * Build a payment transaction for chains that use the approval-based scheme.
@@ -392,6 +411,26 @@ declare class SolanaAdapter implements ChainAdapter {
     isConnected(wallet: unknown): boolean;
     getBalance(accept: PaymentAccept, wallet: unknown, rpcUrl?: string): Promise<number>;
     buildTransaction(accept: PaymentAccept, wallet: unknown, rpcUrl?: string): Promise<SignedTransaction>;
+    /**
+     * Confirm a Solana payment settled on-chain, after a post-payment timeout.
+     *
+     * Solana has no EIP-3009-style "was this nonce consumed" view. Instead we
+     * scan recent signatures on the merchant's destination ATA and look for a
+     * transfer of exactly the expected amount. The window is naturally bounded:
+     * the payment transaction is only valid for ~150 slots (~60s) after the
+     * blockhash it was built against, so a settling transfer — if it happened —
+     * is among the most recent signatures on that account. We cap the scan at
+     * the 25 most recent signatures.
+     *
+     * This is strong but not surgical: it matches on (destination ATA, amount),
+     * not a unique nonce. A same-amount transfer to the same merchant inside
+     * the window from an unrelated payer could in principle match. In practice
+     * the blockhash window makes that vanishingly unlikely, and a false
+     * positive here only means we tell the caller "paid" when they were not —
+     * which is the safe direction (it discourages a retry; the caller verifies
+     * against their own wallet). A false negative maps to `payment_unconfirmed`.
+     */
+    confirmSettlement(probe: SettlementProbe, rpcUrl: string): Promise<SettlementConfirmation>;
 }
 /**
  * Create a Solana adapter instance
@@ -408,6 +447,50 @@ interface GenericWallet {
     /** Whether the wallet is connected and ready */
     connected: boolean;
 }
+/**
+ * Everything an adapter needs to ask the chain "did this exact payment
+ * settle?" after the fact — without trusting the facilitator or the merchant.
+ *
+ * `buildTransaction` populates this on the {@link SignedTransaction} it
+ * returns. If a post-payment timeout fires, the strategy hands it back to
+ * {@link ChainAdapter.confirmSettlement}. A scheme that has no clean on-chain
+ * "was this consumed" check (e.g. EVM exact-approval) leaves it `undefined`,
+ * and the strategy falls back to reporting `payment_unconfirmed`.
+ */
+type SettlementProbe = {
+    /** EVM EIP-3009 `transferWithAuthorization` — the default `exact` scheme. */
+    kind: 'eip3009';
+    /** The authorizer (payer) address — `authorization.from`. */
+    from: string;
+    /** The 32-byte authorization nonce the SDK generated. The unique key. */
+    nonce: string;
+    /** The token contract (USDC) — also the EIP-3009 contract exposing `authorizationState`. */
+    asset: string;
+    /** EVM chain id, decimal. */
+    chainId: number;
+} | {
+    /** EVM Permit2 `permitWitnessTransferFrom`. */
+    kind: 'permit2';
+    /** The payer address — Permit2 nonces are namespaced per owner. */
+    from: string;
+    /** The Permit2 nonce (256-bit, decimal string). */
+    nonce: string;
+    /** EVM chain id, decimal. */
+    chainId: number;
+} | {
+    /** Solana SPL transfer. No nonce-consumed view — confirmed by a windowed scan. */
+    kind: 'solana';
+    /** The buyer's source associated-token-account. */
+    sourceAta: string;
+    /** The merchant's destination associated-token-account — the address we scan. */
+    destinationAta: string;
+    /** The token mint. */
+    asset: string;
+    /** Atomic amount, as a string. */
+    amount: string;
+    /** The transaction's recent blockhash — bounds how far back the scan need look. */
+    blockhash: string;
+};
 /**
  * Result of building and signing a transaction.
  *
@@ -423,6 +506,21 @@ interface SignedTransaction {
     signature?: string;
     /** Protocol extensions (e.g., erc20ApprovalGasSponsoring) to attach to the payment payload */
     extensions?: Record<string, unknown>;
+    /**
+     * Data needed to confirm settlement on-chain after a post-payment timeout.
+     * `undefined` for schemes with no clean on-chain confirmation check.
+     * See {@link SettlementProbe} and {@link ChainAdapter.confirmSettlement}.
+     */
+    settlementProbe?: SettlementProbe;
+}
+/**
+ * Outcome of an on-chain settlement check.
+ */
+interface SettlementConfirmation {
+    /** True if the payment is confirmed settled on-chain. */
+    settled: boolean;
+    /** The settling transaction hash, when the check can recover it. */
+    txSignature?: string;
 }
 /**
  * Chain adapter interface - each chain implements this
@@ -476,6 +574,29 @@ interface ChainAdapter {
      * @param network - CAIP-2 network identifier
      */
     getDefaultRpcUrl(network: string): string;
+    /**
+     * Ask the chain whether a specific payment settled.
+     *
+     * Called after a post-payment timeout: the SDK sent the payment
+     * authorization, the merchant never responded, and we need to know whether
+     * the money actually moved before deciding what to tell the caller. This
+     * consults the chain directly via `rpcUrl` — it does not trust the
+     * facilitator or the merchant.
+     *
+     * Optional: an adapter that cannot confirm a given scheme may omit this
+     * method (or return `{ settled: false }` is wrong — see below). When the
+     * method is absent, or the {@link SettlementProbe} was `undefined`, the
+     * strategy falls back to reporting `payment_unconfirmed`.
+     *
+     * @param probe - The {@link SettlementProbe} captured at build time.
+     * @param rpcUrl - The RPC endpoint to query.
+     * @returns settled true/false, plus the tx hash when recoverable. An
+     *   implementation that genuinely cannot tell should THROW rather than
+     *   return `{ settled: false }` — a thrown error is treated as "unknown"
+     *   (→ `payment_unconfirmed`), whereas `{ settled: false }` is treated as
+     *   a definitive "the money did not move."
+     */
+    confirmSettlement?(probe: SettlementProbe, rpcUrl: string): Promise<SettlementConfirmation>;
 }
 /**
  * Configuration for creating a chain adapter
@@ -514,4 +635,4 @@ interface BalanceInfo {
     asset: string;
 }
 
-export { type AccessPassClientConfig as A, type BalanceInfo as B, type ChainAdapter as C, type EvmWallet as E, type GenericWallet as G, type PaymentAccept as P, type SolanaWallet as S, type VerifyResponse as V, type WalletSet as W, X402Error as X, createEvmAdapter as a, type AccessPassTier as b, createSolanaAdapter as c, type AccessPassInfo as d, type SettleResponse as e, type PayToProvider as f, type PaymentRequired as g, type PayToContext as h, type PayToProviderDefaults as i, type AccessPassClaims as j, SolanaAdapter as k, EvmAdapter as l, type AdapterConfig as m, type SignedTransaction as n, isSolanaWallet as o, isEvmWallet as p };
+export { type AccessPassClientConfig as A, type BalanceInfo as B, type ChainAdapter as C, type EvmWallet as E, type GenericWallet as G, type PaymentAccept as P, type SettlementProbe as S, type VerifyResponse as V, type WalletSet as W, X402Error as X, type SolanaWallet as a, createEvmAdapter as b, createSolanaAdapter as c, type AccessPassTier as d, type AccessPassInfo as e, type SettleResponse as f, type PayToProvider as g, type PaymentRequired as h, type PayToContext as i, type PayToProviderDefaults as j, type AccessPassClaims as k, SolanaAdapter as l, EvmAdapter as m, type AdapterConfig as n, type SignedTransaction as o, isSolanaWallet as p, isEvmWallet as q };