@odatano/x402 0.2.0 → 0.3.0

package/srv/core/validate.d.ts

@@ -5,16 +5,16 @@
  * Cardano-x402-v2:
  *
  *   1. Network validation
- *   2. Recipient verification           — ≥1 output to payTo
- *   3. Amount verification              — sum of payTo outputs for asset ≥ required
- *   4. Asset verification               — exact policy + name match
+ *   2. Recipient verification          , ≥1 output to payTo
+ *   3. Amount verification             , sum of payTo outputs for asset ≥ required
+ *   4. Asset verification              , exact policy + name match
  *   5. Nonce / replay prevention
  *      - 5a. UTxO referenced by `payload.nonce` appears as a tx input
  *      - 5b. that UTxO is still unspent on chain  ← chain-touching, lives in `nonce.ts`
- *   6. TTL / expiry                     — tx.validity_range.upper_bound in future
+ *   6. TTL / expiry                    , tx.validity_range.upper_bound in future
  *
  * This module covers (1), (2), (3), (4), (5a) and (6). The chain-touching
- * part of (5) — checking the UTxO is unspent — and (5b) live in
+ * part of (5), checking the UTxO is unspent, and (5b) live in
  * `facilitator/nonce.ts` and run after this. We also keep a sanity guard
  * for "no vkey witnesses" so an unsigned CBOR is rejected with a precise
  * code rather than blowing up at submit time.
@@ -22,7 +22,7 @@
  * Pure function. No I/O.
  */
 import { type X402Code } from './errors';
-import type { DecodedPayment, PaymentRequirementEntry, PaymentClaim } from './types';
+import type { DecodedPayment, PaymentRequirementEntry, PaymentRequirementsBody, PaymentClaim } from './types';
 export type ValidationResult = {
     ok: true;
     claim: PaymentClaim;
@@ -36,10 +36,34 @@ export interface ValidateOptions {
     currentSlot: number;
     /**
      * If true, allow tx with no `ttl()` set (validity-range upper bound
-     * absent). Default false — v2 spec recommends a TTL. Callers that
+     * absent). Default false, v2 spec recommends a TTL. Callers that
      * want to accept no-TTL txs (e.g. legacy wallets) opt-in.
      */
     allowNoTtl?: boolean;
 }
 export declare function validatePayment(decoded: DecodedPayment, requirements: PaymentRequirementEntry, opts: ValidateOptions): ValidationResult;
+export type PickResult = {
+    ok: true;
+    entry: PaymentRequirementEntry;
+} | {
+    ok: false;
+    code: X402Code;
+    reason: string;
+};
+/**
+ * Select the `accepts[]` entry the buyer actually paid against.
+ *
+ * Algorithm (first-match wins, accepts[] is the seller's preference order):
+ *   1. Filter by network , the buyer's envelope declares one network and
+ *      we discard entries that don't match.
+ *   2. For each remaining entry, look for an output to `entry.payTo`
+ *      containing `entry.asset` with quantity ≥ 1. We don't enforce the
+ *      full `amount` here, that's `validatePayment`'s job, we just need
+ *      enough signal to know *which* entry the buyer chose.
+ *   3. First hit wins. No hit ⇒ `wrong_asset` with a composite reason.
+ *
+ * For a single-entry `accepts[]`, this returns `accepts[0]` if the
+ * network matches, mirroring the pre-multi-accept behaviour exactly.
+ */
+export declare function pickRequirement(decoded: DecodedPayment, body: PaymentRequirementsBody): PickResult;
 //# sourceMappingURL=validate.d.ts.map

package/srv/core/validate.js

@@ -6,16 +6,16 @@
  * Cardano-x402-v2:
  *
  *   1. Network validation
- *   2. Recipient verification           — ≥1 output to payTo
- *   3. Amount verification              — sum of payTo outputs for asset ≥ required
- *   4. Asset verification               — exact policy + name match
+ *   2. Recipient verification          , ≥1 output to payTo
+ *   3. Amount verification             , sum of payTo outputs for asset ≥ required
+ *   4. Asset verification              , exact policy + name match
  *   5. Nonce / replay prevention
  *      - 5a. UTxO referenced by `payload.nonce` appears as a tx input
  *      - 5b. that UTxO is still unspent on chain  ← chain-touching, lives in `nonce.ts`
- *   6. TTL / expiry                     — tx.validity_range.upper_bound in future
+ *   6. TTL / expiry                    , tx.validity_range.upper_bound in future
  *
  * This module covers (1), (2), (3), (4), (5a) and (6). The chain-touching
- * part of (5) — checking the UTxO is unspent — and (5b) live in
+ * part of (5), checking the UTxO is unspent, and (5b) live in
  * `facilitator/nonce.ts` and run after this. We also keep a sanity guard
  * for "no vkey witnesses" so an unsigned CBOR is rejected with a precise
  * code rather than blowing up at submit time.
@@ -24,6 +24,7 @@
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.validatePayment = validatePayment;
+exports.pickRequirement = pickRequirement;
 const errors_1 = require("./errors");
 const network_1 = require("./network");
 const asset_1 = require("./asset");
@@ -69,7 +70,7 @@ function validatePayment(decoded, requirements, opts) {
             reason: `payment network '${decoded.envelope.network}' does not match requirements '${requirements.network}'`,
         };
     }
-    // Parse the asset string once — also normalises the requirement's
+    // Parse the asset string once, also normalises the requirement's
     // unit key for output comparison.
     const parsed = (0, asset_1.parseAsset)(requirements.asset);
     const unit = parsed.unit; // empty when lovelace; checks short-circuit via isLovelace
@@ -101,7 +102,7 @@ function validatePayment(decoded, requirements, opts) {
         };
     }
     // ─── Check 5a: nonce UTxO appears in tx inputs ─────────────────────
-    // (5b — UTxO is unspent — runs in facilitator/nonce.ts after we've
+    // (5b, UTxO is unspent, runs in facilitator/nonce.ts after we've
     // confirmed the buyer's structural intent here.)
     const nonceInInputs = decoded.inputs.some(i => i.txHash === decoded.nonce.txHash && i.outputIndex === decoded.nonce.index);
     if (!nonceInInputs) {
@@ -113,7 +114,7 @@ function validatePayment(decoded, requirements, opts) {
     }
     // ─── Check 6: TTL / expiry ─────────────────────────────────────────
     // Slot semantics: `ttl_bignum` is the FIRST slot at which the tx is
-    // INVALID — so the tx must be submitted before that slot. We require
+    // INVALID, so the tx must be submitted before that slot. We require
     // `currentSlot < ttlSlot`; equality means the window just closed.
     if (decoded.ttlSlot === null) {
         if (!opts.allowNoTtl) {
@@ -132,7 +133,7 @@ function validatePayment(decoded, requirements, opts) {
         };
     }
     // ─── All structural checks pass ────────────────────────────────────
-    // `payerAddr` is intentionally omitted here — we don't have the
+    // `payerAddr` is intentionally omitted here, we don't have the
     // buyer's input addresses without resolving the referenced UTxOs.
     // The facilitator can fill it in via `bridge.getTransactionByHash`
     // on the nonce input, if the caller cares for audit purposes.
@@ -145,8 +146,82 @@ function validatePayment(decoded, requirements, opts) {
             network,
             unit,
             asset: requirements.asset,
+            payTo: requirements.payTo,
             resourceUrl: requirements.resource.url,
             nonceRef: `${decoded.nonce.txHash}#${decoded.nonce.index}`,
         },
     };
 }
+/**
+ * Select the `accepts[]` entry the buyer actually paid against.
+ *
+ * Algorithm (first-match wins, accepts[] is the seller's preference order):
+ *   1. Filter by network , the buyer's envelope declares one network and
+ *      we discard entries that don't match.
+ *   2. For each remaining entry, look for an output to `entry.payTo`
+ *      containing `entry.asset` with quantity ≥ 1. We don't enforce the
+ *      full `amount` here, that's `validatePayment`'s job, we just need
+ *      enough signal to know *which* entry the buyer chose.
+ *   3. First hit wins. No hit ⇒ `wrong_asset` with a composite reason.
+ *
+ * For a single-entry `accepts[]`, this returns `accepts[0]` if the
+ * network matches, mirroring the pre-multi-accept behaviour exactly.
+ */
+function pickRequirement(decoded, body) {
+    if (!body.accepts || body.accepts.length === 0) {
+        return { ok: false, code: errors_1.Codes.WRONG_ASSET, reason: 'PaymentRequirementsBody.accepts is empty' };
+    }
+    const networkOk = body.accepts.filter((e) => (0, network_1.networksMatch)(decoded.envelope.network, e.network));
+    if (networkOk.length === 0) {
+        return {
+            ok: false,
+            code: errors_1.Codes.NETWORK_MISMATCH,
+            reason: `payment network '${decoded.envelope.network}' does not match any accepts[].network`,
+        };
+    }
+    // Single-entry shortcut: hand back the lone matching entry, the
+    // subsequent validatePayment will run the strict per-entry checks
+    // (recipient, amount, asset, ...) just as it did pre-multi-accept.
+    if (networkOk.length === 1) {
+        return { ok: true, entry: networkOk[0] };
+    }
+    // Non-lovelace assets are an unambiguous signal: an output that
+    // carries policy X is paying in policy X. Lovelace is ambiguous,
+    // EVERY native-asset output to the seller also carries min-ADA in
+    // lovelace just to be valid on chain. So we pass over the accepts[]
+    // in two passes:
+    //   - Pass 1: match any entry whose non-lovelace asset appears in a
+    //     payTo output. Strong signal, accept immediately.
+    //   - Pass 2: only if no native-asset entry matched, consider
+    //     lovelace entries, and only against outputs that are pure ADA
+    //     (no native assets). That avoids charging a USDM-paying buyer
+    //     against a lovelace entry just because the min-ADA happened to
+    //     be in the output.
+    for (const entry of networkOk) {
+        const parsed = (0, asset_1.parseAsset)(entry.asset);
+        if (parsed.isLovelace)
+            continue;
+        const hit = decoded.outputs.some((o) => o.address === entry.payTo && o.assets.some((a) => a.unit === parsed.unit));
+        if (hit)
+            return { ok: true, entry };
+    }
+    for (const entry of networkOk) {
+        const parsed = (0, asset_1.parseAsset)(entry.asset);
+        if (!parsed.isLovelace)
+            continue;
+        const hit = decoded.outputs.some((o) => o.address === entry.payTo && o.assets.length === 0 && BigInt(o.lovelace) > 0n);
+        if (hit)
+            return { ok: true, entry };
+    }
+    // No entry matched. Compose a reason listing the (payTo, asset) pairs
+    // we expected, so the buyer's client can diagnose which option they
+    // tried to pay vs. what the server offered.
+    const expected = networkOk
+        .map((e) => `${e.asset}@${e.payTo}`)
+        .join(' | ');
+    return {
+        ok: false,
+        code: errors_1.Codes.WRONG_ASSET,
+        reason: `no accepts[] entry matched the paid (payTo, asset); expected one of: ${expected}`,
+    };
+}

package/srv/facilitator/adapter.d.ts

@@ -2,16 +2,16 @@
  * Facilitator adapter pattern.
  *
  * In v0.1 the verify+settle pipeline was hard-wired into the middlewares
- * — they imported `process()` from `verify.ts` directly. That made it
+ *, they imported `process()` from `verify.ts` directly. That made it
  * impossible to swap the in-process facilitator for a hosted one
  * (the pattern Coinbase uses via `@coinbase/x402`).
  *
  * v0.2 introduces this `Facilitator` interface as the single
  * extension point. Two implementations ship in-box:
  *
- *   - `localFacilitator()`  — runs verify+settle in-process via
+ *   - `localFacilitator()` , runs verify+settle in-process via
  *                             `@odatano/core`. Default everywhere.
- *   - `httpFacilitator()`   — POSTs to a remote service (see
+ *   - `httpFacilitator()`  , POSTs to a remote service (see
  *                             `srv/facilitator/http.ts` for the wire
  *                             format and `docs/facilitator-protocol.md`
  *                             for the protocol reference).
@@ -23,7 +23,7 @@
  *     facilitator: httpFacilitator({ url: 'https://...', apiKey }),
  *   });
  *
- * `verifyAndSettle` is the one mandatory operation — it covers the
+ * `verifyAndSettle` is the one mandatory operation, it covers the
  * entire 1.decode → 2.validate → 3.nonce → 4.settle → 5.onAccepted
  * pipeline. `supported()` is an optional discovery hook used by
  * tooling / health checks (no middleware path consumes it yet).
@@ -41,14 +41,14 @@ export interface FacilitatorVerifyAndSettleArgs {
     allowNoTtl?: boolean;
     /**
      * Best-effort audit callback. Invoked exactly once on `accepted`.
-     * **Not transmittable over HTTP** — the http facilitator wrapper
+     * **Not transmittable over HTTP**, the http facilitator wrapper
      * invokes it locally after the remote call returns.
      */
     onAccepted?: (claim: PaymentClaim) => void | Promise<void>;
 }
-/** Identical to the legacy `ProcessResult` — kept as a type alias for now. */
+/** Identical to the legacy `ProcessResult`, kept as a type alias for now. */
 export type FacilitatorResult = ProcessResult;
-/** Discovery response — what this facilitator can handle. */
+/** Discovery response, what this facilitator can handle. */
 export interface FacilitatorSupportedResult {
     networks: string[];
     assetTransferMethods: AssetTransferMethod[];
@@ -62,7 +62,7 @@ export interface Facilitator {
  * Default in-process facilitator. Verify+settle runs locally using the
  * `@odatano/core` bridge.
  *
- * Stateless — call `localFacilitator()` once per service (or inline per
+ * Stateless, call `localFacilitator()` once per service (or inline per
  * middleware mount); the returned object holds no per-instance state.
  */
 export declare function localFacilitator(): Facilitator;

package/srv/facilitator/adapter.js

@@ -3,16 +3,16 @@
  * Facilitator adapter pattern.
  *
  * In v0.1 the verify+settle pipeline was hard-wired into the middlewares
- * — they imported `process()` from `verify.ts` directly. That made it
+ *, they imported `process()` from `verify.ts` directly. That made it
  * impossible to swap the in-process facilitator for a hosted one
  * (the pattern Coinbase uses via `@coinbase/x402`).
  *
  * v0.2 introduces this `Facilitator` interface as the single
  * extension point. Two implementations ship in-box:
  *
- *   - `localFacilitator()`  — runs verify+settle in-process via
+ *   - `localFacilitator()` , runs verify+settle in-process via
  *                             `@odatano/core`. Default everywhere.
- *   - `httpFacilitator()`   — POSTs to a remote service (see
+ *   - `httpFacilitator()`  , POSTs to a remote service (see
  *                             `srv/facilitator/http.ts` for the wire
  *                             format and `docs/facilitator-protocol.md`
  *                             for the protocol reference).
@@ -24,7 +24,7 @@
  *     facilitator: httpFacilitator({ url: 'https://...', apiKey }),
  *   });
  *
- * `verifyAndSettle` is the one mandatory operation — it covers the
+ * `verifyAndSettle` is the one mandatory operation, it covers the
  * entire 1.decode → 2.validate → 3.nonce → 4.settle → 5.onAccepted
  * pipeline. `supported()` is an optional discovery hook used by
  * tooling / health checks (no middleware path consumes it yet).
@@ -36,7 +36,7 @@ const verify_1 = require("./verify");
  * Default in-process facilitator. Verify+settle runs locally using the
  * `@odatano/core` bridge.
  *
- * Stateless — call `localFacilitator()` once per service (or inline per
+ * Stateless, call `localFacilitator()` once per service (or inline per
  * middleware mount); the returned object holds no per-instance state.
  */
 function localFacilitator() {

package/srv/facilitator/http.d.ts

@@ -1,5 +1,5 @@
 /**
- * `httpFacilitator` — delegates verify+settle to a remote HTTP service.
+ * `httpFacilitator`, delegates verify+settle to a remote HTTP service.
  *
  * Wire format (see `docs/facilitator-protocol.md` for the full reference):
  *
@@ -14,7 +14,7 @@
  * Auth: optional `apiKey` sent as `Authorization: Bearer <key>`. For
  * custom schemes (mTLS, OAuth, HMAC), pass a `headers()` builder.
  *
- * `onAccepted` cannot cross HTTP — the wrapper strips it from the wire
+ * `onAccepted` cannot cross HTTP, the wrapper strips it from the wire
  * payload and invokes it locally after the remote returns `accepted`.
  * This preserves the local-facilitator semantics exactly.
  */
@@ -23,7 +23,7 @@ type FetchFn = typeof globalThis.fetch;
 export interface HttpFacilitatorConfig {
     /** Base URL of the remote facilitator (no trailing slash required). */
     url: string;
-    /** Optional API key — sent as `Authorization: Bearer <apiKey>`. */
+    /** Optional API key, sent as `Authorization: Bearer <apiKey>`. */
     apiKey?: string;
     /**
      * Optional custom header builder, merged onto the defaults. Use for
@@ -33,7 +33,7 @@ export interface HttpFacilitatorConfig {
     /** Override the underlying fetch (testing, custom agents). */
     fetch?: FetchFn;
     /**
-     * Per-request timeout in ms. Default 90_000 — needs to be longer than
+     * Per-request timeout in ms. Default 90_000, needs to be longer than
      * the facilitator's settle-poll budget plus chain-confirmation latency.
      */
     timeoutMs?: number;

package/srv/facilitator/http.js

@@ -1,6 +1,6 @@
 "use strict";
 /**
- * `httpFacilitator` — delegates verify+settle to a remote HTTP service.
+ * `httpFacilitator`, delegates verify+settle to a remote HTTP service.
  *
  * Wire format (see `docs/facilitator-protocol.md` for the full reference):
  *
@@ -15,7 +15,7 @@
  * Auth: optional `apiKey` sent as `Authorization: Bearer <key>`. For
  * custom schemes (mTLS, OAuth, HMAC), pass a `headers()` builder.
  *
- * `onAccepted` cannot cross HTTP — the wrapper strips it from the wire
+ * `onAccepted` cannot cross HTTP, the wrapper strips it from the wire
  * payload and invokes it locally after the remote returns `accepted`.
  * This preserves the local-facilitator semantics exactly.
  */
@@ -56,7 +56,7 @@ function httpFacilitator(config) {
     }
     return {
         async verifyAndSettle(args) {
-            // Strip `onAccepted` — not transmittable. Invoke locally after the
+            // Strip `onAccepted`, not transmittable. Invoke locally after the
             // remote settles, preserving local-facilitator semantics.
             const { onAccepted, ...wire } = args;
             const result = await withTimeout(async (signal) => {
@@ -72,13 +72,13 @@ function httpFacilitator(config) {
                 return (await res.json());
             });
             if (result.kind === 'accepted' && onAccepted) {
-                // Same best-effort semantics as the local facilitator —
+                // Same best-effort semantics as the local facilitator ,
                 // swallow errors so accepted payments are never lost to a
                 // failing audit callback.
                 try {
                     await onAccepted(result.payment);
                 }
-                catch { /* deliberately ignored — payment already on chain */ }
+                catch { /* deliberately ignored, payment already on chain */ }
             }
             return result;
         },

package/srv/facilitator/nonce.d.ts

@@ -1,7 +1,7 @@
 /**
  * Cardano-x402-v2 replay-defense check (mandatory check #5).
  *
- * v1 had a CDS entity `X402PaymentNonces` with a UNIQUE on txHash —
+ * v1 had a CDS entity `X402PaymentNonces` with a UNIQUE on txHash ,
  * replay defense was a DB UNIQUE-constraint race. v2 moves replay
  * defense **on-chain**: the buyer references a specific UTxO in the
  * envelope (`payload.nonce = "<txHash>#<index>"`), that UTxO must
@@ -9,14 +9,14 @@
  * UTxO is permanently consumed. No DB table needed.
  *
  * Check #5 has two parts:
- *   - 5a — the nonce UTxO appears in the tx inputs   (in validate.ts, pure)
- *   - 5b — the nonce UTxO is still unspent on chain  (here, chain-touching)
+ *   - 5a, the nonce UTxO appears in the tx inputs   (in validate.ts, pure)
+ *   - 5b, the nonce UTxO is still unspent on chain  (here, chain-touching)
  *
  * Order in the pipeline: `validate.ts` (which runs 5a) MUST run before
  * `checkNonceUnspent` here. The chain-touching call below is a single
  * `bridge.isUtxoUnspent` round-trip, backed by Blockfrost `consumed_by`
  * / Koios `is_spent` / Ogmios `queryLedgerState/utxo`. Spent and
- * nonexistent UTxOs both surface as `false` — both translate to REPLAY.
+ * nonexistent UTxOs both surface as `false`, both translate to REPLAY.
  */
 import { type X402Code } from '../core/errors';
 export interface NonceCheckArgs {

package/srv/facilitator/nonce.js

@@ -2,7 +2,7 @@
 /**
  * Cardano-x402-v2 replay-defense check (mandatory check #5).
  *
- * v1 had a CDS entity `X402PaymentNonces` with a UNIQUE on txHash —
+ * v1 had a CDS entity `X402PaymentNonces` with a UNIQUE on txHash ,
  * replay defense was a DB UNIQUE-constraint race. v2 moves replay
  * defense **on-chain**: the buyer references a specific UTxO in the
  * envelope (`payload.nonce = "<txHash>#<index>"`), that UTxO must
@@ -10,14 +10,14 @@
  * UTxO is permanently consumed. No DB table needed.
  *
  * Check #5 has two parts:
- *   - 5a — the nonce UTxO appears in the tx inputs   (in validate.ts, pure)
- *   - 5b — the nonce UTxO is still unspent on chain  (here, chain-touching)
+ *   - 5a, the nonce UTxO appears in the tx inputs   (in validate.ts, pure)
+ *   - 5b, the nonce UTxO is still unspent on chain  (here, chain-touching)
  *
  * Order in the pipeline: `validate.ts` (which runs 5a) MUST run before
  * `checkNonceUnspent` here. The chain-touching call below is a single
  * `bridge.isUtxoUnspent` round-trip, backed by Blockfrost `consumed_by`
  * / Koios `is_spent` / Ogmios `queryLedgerState/utxo`. Spent and
- * nonexistent UTxOs both surface as `false` — both translate to REPLAY.
+ * nonexistent UTxOs both surface as `false`, both translate to REPLAY.
  */
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;

package/srv/facilitator/server.d.ts

@@ -0,0 +1,68 @@
+/**
+ * Reference HTTP facilitator, the server side of `httpFacilitator()`.
+ *
+ * `httpFacilitator()` (in `./http.ts`) is the client wrapper that resource
+ * servers wire into their middleware via the `facilitator` option. This
+ * module is the matching server: a thin Express `Router` exposing the
+ * three endpoints documented in `docs/facilitator-protocol.md`:
+ *
+ *   POST /verify-settle , runs the full pipeline through a `Facilitator`
+ *   GET  /supported     , discovery
+ *   GET  /healthz       , orchestrator health check
+ *
+ * The router is composable, consumers mount it under whatever path /
+ * port / TLS / CORS / rate-limiter they prefer, no opinions baked in.
+ * Auth is a single `auth(req)` hook, callers can implement bearer-token,
+ * mTLS, signed-request, OAuth, etc. There is NO default auth, an
+ * unconfigured router is open; document this loudly in deployment.
+ *
+ * The `onAccepted` callback CANNOT cross the HTTP boundary, the matching
+ * client (`httpFacilitator()`) invokes it locally after the remote returns
+ * `accepted`. To cover the facilitator-side audit need, this router
+ * exposes `onRejected` and `onPending` hooks, fired exactly once per
+ * non-accepted outcome, with the request available for context.
+ */
+import { type Router, type Request } from 'express';
+import type { Facilitator, FacilitatorResult } from './adapter';
+export interface FacilitatorServerLogger {
+    warn(message: string, err?: unknown): void;
+    error(message: string, err?: unknown): void;
+}
+export interface CreateFacilitatorRouterOptions {
+    /**
+     * Facilitator implementation. Default `localFacilitator()`, runs the
+     * pipeline in-process via `@odatano/core`. Swap in a custom adapter
+     * for testing or for chained facilitators.
+     */
+    facilitator?: Facilitator;
+    /**
+     * Optional auth gate. Returns truthy to allow, falsy to reject with
+     * 401. Thrown errors are treated as 500. There is no default, an
+     * unset hook means the router is open; configure in production.
+     */
+    auth?: (req: Request) => boolean | Promise<boolean>;
+    /**
+     * Body-size limit for `POST /verify-settle`. Default `'256kb'`,
+     * envelopes are ≤ ~50 kB in practice. Format matches `express.json`.
+     */
+    jsonLimit?: string;
+    /**
+     * Best-effort audit hook fired exactly once per `rejected` outcome,
+     * AFTER the response is sent. Errors are swallowed and logged.
+     * `onAccepted` cannot cross HTTP, this is the rejected-side analog.
+     */
+    onRejected?: (result: Extract<FacilitatorResult, {
+        kind: 'rejected';
+    }>, req: Request) => void | Promise<void>;
+    /**
+     * Best-effort audit hook fired exactly once per `pending` outcome,
+     * AFTER the response is sent. Same semantics as `onRejected`.
+     */
+    onPending?: (result: Extract<FacilitatorResult, {
+        kind: 'pending';
+    }>, req: Request) => void | Promise<void>;
+    /** Custom logger. Default uses `cds.log('x402')`. */
+    logger?: FacilitatorServerLogger;
+}
+export declare function createFacilitatorRouter(opts?: CreateFacilitatorRouterOptions): Router;
+//# sourceMappingURL=server.d.ts.map