@heyanon-arp/sdk 0.0.9 → 0.0.11

package/dist/types/body.d.ts

@@ -41,14 +41,6 @@ export interface AssetIdentifier {
     /** Optional UI hint — `USDC`, `SOL`. Never used for protocol logic. */
     symbol?: string;
 }
-/**
- * Closed set of delegation pricing models. `flat` = the locked amount
- * is the agreed total; `usage_based` = the locked amount is a ceiling
- * and the final payout is computed from reported usage at receipt time.
- * Referenced both by `DelegationContent.pricing_model` (the offer's
- * inline term) and by agent accept-prefs (`AcceptPrefs.pricingModels`).
- */
-export type PricingModel = 'flat' | 'usage_based';
 /**
  * Closed enum of machine-readable decline reasons used across the
  * two decline sites in V1:
@@ -129,7 +121,6 @@ export interface DelegationContent {
     amount?: string;
     currency?: AssetIdentifier;
     scope_summary?: string;
-    pricing_model?: PricingModel;
     /** Machine-readable reason — REQUIRED when `action === 'decline'`. See `DeclineReason`. */
     reason?: DeclineReason;
     /** Optional free-text elaboration (e.g. "delegation offer missing required brief.goal field"). */
@@ -206,117 +197,11 @@ export interface DisputeContent {
     evidence_refs?: string[];
     response_text?: string;
 }
-/**
- * `settlement_signature` — payee's settlement-key signature on a
- * release-digest, sent as a STAND-ALONE envelope AFTER the matching
- * receipt-propose envelope is committed.
- *
- * Why a separate envelope (and not an attachment on receipt-propose)?
- * The release digest (`buildReleaseDigest` / `buildPartialReleaseDigest`
- * in `packages/sdk/src/settlement/settlement.ts`) takes `receiptEventHash`
- * as one of its inputs. `receipt_event_hash` is the SERVER-ASSIGNED
- * hash of the receipt envelope — it is computed only AFTER server-side
- * validation completes (it includes server-assigned `prev_server_event_hash`
- * + `server_timestamp` in its canonical input). The payee CANNOT
- * compute the digest at receipt-propose time because the digest input
- * does not yet exist. So the wire flow is necessarily two envelopes:
- *
- *   1. Payee sends `receipt` (propose) — server commits + returns
- *      `IngestResultDto.serverEventHash`.
- *   2. Payee reads `serverEventHash`, computes the release digest,
- *      signs it, and sends THIS `settlement_signature` envelope.
- *   3. Buyer reads the `settlement_signature` envelope from inbox SSE
- *      (sender-recipient routing is standard), then assembles the
- *      `attachments.settlement_signatures` block on the cosign envelope.
- *
- * This body type carries ONLY the payee side. The payer's settlement
- * sig still lands on the cosign envelope's `attachments` block — that
- * stays unchanged. The server's handler for `settlement_signature`
- * also performs Ed25519 verification of the payee sig against the
- * reconstructed digest as defence-in-depth: a bad sig fails loudly on
- * the worker side instead of stranding the buyer's cosign later.
- *
- * Refund flow is NOT served by this body type — `buildRefundDigest`
- * does NOT bind to `receipt_event_hash` (it binds to lock-derived
- * fields only), so refund signatures can be computed independent of
- * any envelope timing and ride their own dedicated paths. The
- * `purpose` field below is intentionally narrowed to RELEASE +
- * PARTIAL_RELEASE for the same reason — REFUND-v1 sigs do not belong
- * on this envelope.
- */
-export interface SettlementSignatureBody extends Body<SettlementSignatureContent> {
-    type: 'settlement_signature';
-}
-export interface SettlementSignatureContent {
-    /** The delegation whose receipt is being settlement-signed. */
-    delegation_id: string;
-    /**
-     * Server-assigned hash of the receipt-propose envelope this signature
-     * settles. Must match `Receipt.receiptEventHash` server-side; that is
-     * the value the server's cosign-validator feeds into the digest
-     * reconstruction as `receiptEventHash`.
-     */
-    receipt_event_hash: Sha256Hex;
-    /**
-     * Which digest the `sig` was computed over. Narrowed to RELEASE +
-     * PARTIAL_RELEASE: REFUND-v1 sigs ride other paths because the
-     * refund digest is independent of `receipt_event_hash` and never
-     * needs this envelope as a transport.
-     */
-    purpose: 'ARP-SOLANA-RELEASE-v1.5' | 'ARP-SOLANA-PARTIAL-RELEASE-v1.5';
-    /**
-     * Payee's settlement-key public key (base58, 32 bytes raw). The
-     * server cross-checks this against the registered settlement key on
-     * the payee's DID document before re-verifying the sig — a sig
-     * signed by an unregistered key is rejected even if it
-     * mathematically verifies.
-     */
-    payee_settlement_pubkey: string;
-    /**
-     * Ed25519 sig over the reconstructed release/partial-release digest,
-     * **raw base64 — NO `ed25519:` prefix.** Wire format intentionally
-     * mismatches the SDK's prefixed `Ed25519Sig` type because the buyer
-     * forwards this exact string verbatim into
-     * `attachments.settlement_signatures.payee.sig` at cosign time, and
-     * the server's `ReceiptCosignValidatorService.parseBase64Sig`
-     * (`apps/arp-server/src/escrow/services/receipt-cosign-validator.service.ts:557-565`)
-     * `Buffer.from(input, 'base64')` directly — no prefix stripping.
-     * Aligns with the CLI's `--payer-settlement-sig <base64>` /
-     * `--payee-settlement-sig <base64>` flags that consumers already
-     * wire to (see `packages/cli/src/commands/receipt.ts:670-673`).
-     *
-     * Server re-builds the same digest from lock + receipt + envelope
-     * content and verifies this sig as defence-in-depth at handler time
-     * — a malformed or wrong-digest sig is rejected pre-projection so
-     * the bad receipt sig never reaches the buyer's cosign attempt.
-     */
-    sig: string;
-    /**
-     * Unix seconds — the `expires_at` value the payee bound into the
-     * digest. Server re-uses it when reconstructing the digest and
-     * cross-checks against `expires_at > now` + `expires_at <=
-     * lock.expiry - DISPUTE_BUFFER_SECONDS`. The payer
-     * echoes the SAME value on the cosign envelope's settlement_signatures
-     * block so both sides sign the same bytes.
-     */
-    expires_at: number;
-    /**
-     * Base-unit decimal-integer string — required when `purpose ===
-     * 'ARP-SOLANA-PARTIAL-RELEASE-v1.5'`, omitted (or undefined) for
-     * full RELEASE. The server cross-checks it against
-     * `receipt.usage.computed_amount` for usage_based delegations before
-     * verifying the digest (same invariant
-     * `ESC_USAGE_COMPUTED_AMOUNT_MISMATCH` already guards on the
-     * propose-time receipt body).
-     */
-    payee_amount?: string;
-    [extra: string]: unknown;
-}
 /**
  * Union over every standard body type. Consumers can narrow on
  * `body.type` via discriminated dispatch.
  */
-export type AnyBody = HandshakeBody | HandshakeResponseBody | DelegationBody | WorkRequestBody | WorkResponseBody | ReceiptBody | DisputeBody | SettlementSignatureBody;
+export type AnyBody = HandshakeBody | HandshakeResponseBody | DelegationBody | WorkRequestBody | WorkResponseBody | ReceiptBody | DisputeBody;
 /** Receipt co-signature payload — what gets `payload_hash`'d in `attachments.co_signature`. */
 export interface ReceiptCosignPayload {
     purpose: 'ARP-RECEIPT-v1';

package/dist/types/envelope.d.ts

@@ -43,16 +43,14 @@ export interface Body<TContent = Record<string, unknown>> {
     content: TContent;
 }
 /**
- * Optional attachments. Three top-level fields are SDK-aware:
- * `co_signature` (semantic intent), `settlement_signatures`
- * (financial authorisation), and `escrow_lock` (`delegation.offer`
- * carries a pre-signed `create_lock` Solana tx). Other body-specific
- * attachments live under their own keys and are passed through
- * opaquely.
+ * Optional attachments. Two top-level fields are SDK-aware:
+ * `co_signature` (semantic intent) and `escrow_lock`
+ * (`delegation.offer` carries a pre-signed `create_lock` Solana tx).
+ * Other body-specific attachments live under their own keys and are
+ * passed through opaquely.
  */
 export interface Attachments {
     co_signature?: CoSignature;
-    settlement_signatures?: SettlementSignatures;
     escrow_lock?: EscrowLockAttachment;
     [other: string]: unknown;
 }
@@ -69,9 +67,11 @@ export interface Attachments {
  *     equal `toBaseUnits(body.content.amount, currency.decimals)`.
  *   - `asset_id` is the CAIP-19 currency the lock holds; must equal
  *     `body.content.currency.asset_id` (defence-in-depth).
- *   - `expiry` is the on-chain unix-seconds expiry; must satisfy the
- *     contract's MIN/MAX windows AND the spec's
- *     `deadline + DISPUTE_BUFFER` constraint.
+ *
+ * There is NO expiry field: the V2 contract's `create_lock` carries no
+ * expiry argument. `Lock.expiry` is a rolling deadline the chain
+ * derives from the Config windows on each state transition
+ * (`accept_lock` → work window, `submit_work` → review window, …).
  *
  * Server validation in `EnvelopeValidator` decodes the tx blob via
  * Anchor IDL and cross-checks every field against the envelope body.
@@ -81,7 +81,6 @@ export interface EscrowLockAttachment {
     lock_id: string;
     amount: string;
     asset_id: string;
-    expiry: number;
 }
 export interface CoSignature {
     agent_did: Did;
@@ -89,31 +88,6 @@ export interface CoSignature {
     payload_hash: Sha256Hex;
     sig: Ed25519Sig;
 }
-export interface SettlementSignatures {
-    purpose: PurposeValue;
-    payer: SettlementParty;
-    payee: SettlementParty;
-    expires_at: number;
-}
-export interface SettlementParty {
-    settlement_pubkey: string;
-    /**
-     * Ed25519 signature, **raw base64 — NO `ed25519:` prefix.** Wire
-     * format intentionally mismatches the prefixed `Ed25519Sig` type
-     * because this block is consumed by the Solana Ed25519Program at
-     * release-tx-builder time, where prefixed strings would break. The
-     * server's `ReceiptCosignValidatorService.parseBase64Sig`
-     * (`apps/arp-server/src/escrow/services/receipt-cosign-validator.service.ts:557-565`)
-     * decodes 64 bytes directly via `Buffer.from(input, 'base64')`
-     * without any prefix stripping. The CLI's
-     * `heyarp wallet sign-settlement-release` already emits raw base64
-     * (`packages/cli/src/commands/wallet.ts:1718-1722`). Matches the
-     * raw-base64 shape of `SettlementSignatureContent.sig` — divergent
-     * types here would leave buyers unable to copy the value verbatim
-     * into the cosign attachment.
-     */
-    sig: string;
-}
 /** Top-level envelope as it appears on the wire. */
 export interface Envelope<TBody extends Body = Body> {
     protected: ProtectedBlock;

package/dist/types/index.d.ts

@@ -1,5 +1,5 @@
-export type { Sha256Hex, Ed25519Sig, Did, ProtectedBlock, Body, Attachments, CoSignature, SettlementSignatures, SettlementParty, EscrowLockAttachment, Envelope, PersistedEvent, } from './envelope';
-export type { HandshakeBody, HandshakeContent, HandshakeResponseBody, HandshakeResponseContent, DelegationBody, DelegationContent, WorkRequestBody, WorkRequestContent, WorkResponseBody, WorkResponseContent, ReceiptBody, ReceiptContent, DisputeBody, DisputeContent, SettlementSignatureBody, SettlementSignatureContent, AnyBody, ReceiptCosignPayload, DisputeResponseCosignPayload, CosignPayload, DeclineReason, AssetIdentifier, PricingModel, } from './body';
+export type { Sha256Hex, Ed25519Sig, Did, ProtectedBlock, Body, Attachments, CoSignature, EscrowLockAttachment, Envelope, PersistedEvent, } from './envelope';
+export type { HandshakeBody, HandshakeContent, HandshakeResponseBody, HandshakeResponseContent, DelegationBody, DelegationContent, WorkRequestBody, WorkRequestContent, WorkResponseBody, WorkResponseContent, ReceiptBody, ReceiptContent, DisputeBody, DisputeContent, AnyBody, ReceiptCosignPayload, DisputeResponseCosignPayload, CosignPayload, DeclineReason, AssetIdentifier, } from './body';
 export { DECLINE_REASONS, isDeclineReason } from './body';
 export type { AcceptPrefs, AcceptCurrency } from './agent';
 export type { OwnerSigningMethod, KeyLinkPayload, ScryptPasswordAttestation } from './identity';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@heyanon-arp/sdk",
-  "version": "0.0.9",
+  "version": "0.0.11",
   "description": "TypeScript SDK for the Agent Relationship Protocol — canonical JSON, Ed25519 envelope sign/verify, did:arp identity, receipt co-signatures, scrypt key attestation, chain-audit helpers.",
   "license": "MIT",
   "keywords": [

package/dist/cosignature/cosign.d.ts

@@ -1,35 +0,0 @@
-import type { CoSignature, CosignPayload, Did } from '../types';
-/**
- * Build the `attachments.co_signature` block over `payload`.
- *
- * The signing input is `sha256(canonical_json(payload))` — same
- * 32-byte digest the verifier reproduces — and the result is wrapped
- * in the protocol's `co_signature` shape. `payload.purpose` is the
- * domain separator; passing a payload whose purpose is not in the
- * allowed cosignature set throws (defence-in-depth against accidental
- * cross-purpose reuse).
- */
-export declare function signCosignature(input: {
-    payload: CosignPayload;
-    signerDid: Did;
-    identitySecretKey: Uint8Array;
-}): CoSignature;
-export type CosignVerifyResult = {
-    ok: true;
-} | {
-    ok: false;
-    reason: 'payload_hash_mismatch' | 'signature_invalid' | 'signature_malformed' | 'purpose_mismatch';
-    detail?: string;
-};
-/**
- * Verify that `cosignature` was produced by `signerIdentityPubkey`
- * over `payload`. Three checks:
- *   1. `cosignature.purpose === payload.purpose` (domain consistency).
- *   2. recomputed `sha256(canonical_json(payload))` matches `payload_hash`.
- *   3. Ed25519 verifies signature over the recomputed digest.
- */
-export declare function verifyCosignature(input: {
-    cosignature: CoSignature;
-    payload: CosignPayload;
-    signerIdentityPubkey: Uint8Array;
-}): CosignVerifyResult;

package/dist/cosignature/index.d.ts

@@ -1,2 +0,0 @@
-export { signCosignature, verifyCosignature } from './cosign';
-export type { CosignVerifyResult } from './cosign';

package/dist/settlement/settlement.d.ts

@@ -1,111 +0,0 @@
-/**
- * Settlement signature builders / verifiers — `ARP-SOLANA-RELEASE-v1.5`,
- * `ARP-SOLANA-PARTIAL-RELEASE-v1.5`, `ARP-SOLANA-REFUND-v1`.
- *
- * Byte layout MUST match the Solang contract's `domain_sep.sol`
- * field-by-field. Any drift here causes Ed25519 verification to fail
- * on-chain, so the digest must be a byte-by-byte recompute of what
- * the contract reconstructs from on-chain state. Test vectors live
- * alongside this module and are exercised by the SDK test suite.
- *
- * On-chain layout (per `domain_sep.sol::buildReleaseDigest`):
- *
- *   sha256(
- *     purpose_bytes
- *     || cluster_tag (1B)
- *     || program_id (32B)
- *     || lock_id (32B)
- *     || payer (32B)
- *     || payee (32B)
- *     || mint (32B)
- *     || amount (u64 LE)
- *     || [partial only: payee_amount (u64 LE)]
- *     || condition_hash (32B)
- *     || delegation_id (16B)
- *     || receipt_event_hash (32B)
- *     || deliverable_hash (32B)
- *     || expires_at (u64 LE)
- *     || fee_bps_at_lock (u16 LE)
- *     || fee_recipient_at_lock (32B)
- *   )
- *
- * The fee fields are denormalized on the Lock at create_lock time so
- * subsequent fee changes by admin cannot retroactively affect an
- * in-flight lock. When fee was disabled at lock creation, bps=0 and
- * recipient is the all-zero address (System Program / NATIVE_SOL_MINT).
- *
- * Refund layout (`buildRefundDigest`) — UNCHANGED at v1 because refund
- * flows never charge a fee:
- *
- *   sha256(
- *     purpose_bytes
- *     || cluster_tag (1B)
- *     || program_id (32B)
- *     || lock_id (32B)
- *     || payer (32B)
- *     || payee (32B)
- *     || mint (32B)
- *     || amount (u64 LE)
- *     || reason_byte (1B)
- *     || expires_at (u64 LE)
- *   )
- */
-export declare const PURPOSE_RELEASE_STRING: "ARP-SOLANA-RELEASE-v1.5";
-export declare const PURPOSE_PARTIAL_RELEASE_STRING: "ARP-SOLANA-PARTIAL-RELEASE-v1.5";
-export declare const PURPOSE_REFUND_STRING: "ARP-SOLANA-REFUND-v1";
-export interface ReleaseDigestInput {
-    clusterTag: 0 | 1;
-    programId: Uint8Array;
-    lockId: Uint8Array;
-    payerSettlementPubkey: Uint8Array;
-    payeeSettlementPubkey: Uint8Array;
-    mint: Uint8Array;
-    amount: bigint;
-    conditionHash: Uint8Array;
-    delegationId: string;
-    receiptEventHash: Uint8Array;
-    deliverableHash: Uint8Array;
-    expiresAt: bigint;
-    /**
-     * Protocol fee bps denormalized on the Lock at create_lock.
-     * Optional with default 0 (no fee). When the lock was created with
-     * fee disabled, the on-chain Lock stores 0 — pass 0 here to match.
-     */
-    feeBpsAtLock?: number;
-    /**
-     * Protocol fee recipient denormalized on the Lock at create_lock.
-     * Optional with default = 32 zero bytes (System Program address).
-     * When fee was disabled at lock creation, the on-chain Lock stores
-     * zero-bytes — pass undefined here to match.
-     */
-    feeRecipientAtLock?: Uint8Array;
-}
-/**
- * Build the canonical 32-byte digest for an `ARP-SOLANA-RELEASE-v1.5`
- * settlement. The bytes are the EXACT input the contract Ed25519Program
- * verifies against.
- */
-export declare function buildReleaseDigest(input: ReleaseDigestInput): Uint8Array;
-export interface PartialReleaseDigestInput extends ReleaseDigestInput {
-    payeeAmount: bigint;
-}
-export declare function buildPartialReleaseDigest(input: PartialReleaseDigestInput): Uint8Array;
-export type RefundReasonByte = 0 | 1 | 2 | 3;
-export declare const REFUND_REASON_BYTES: {
-    readonly expired: 0;
-    readonly dispute_resolution: 1;
-    readonly payer_cancellation: 2;
-    readonly both_parties_agreed: 3;
-};
-export interface RefundDigestInput {
-    clusterTag: 0 | 1;
-    programId: Uint8Array;
-    lockId: Uint8Array;
-    payerSettlementPubkey: Uint8Array;
-    payeeSettlementPubkey: Uint8Array;
-    mint: Uint8Array;
-    amount: bigint;
-    reasonByte: RefundReasonByte;
-    expiresAt: bigint;
-}
-export declare function buildRefundDigest(input: RefundDigestInput): Uint8Array;