@odatano/x402 0.3.0 → 0.4.0

package/.github/workflows/test.yaml

@@ -46,4 +46,13 @@ jobs:
         run: npm run build
 
       - name: Run tests
-        run: npm test
+        run: npm run test:coverage
+
+      - name: Upload coverage to Codecov
+        # Only upload once per CI run — pick a single Node version.
+        if: matrix.node == '22.x'
+        uses: codecov/codecov-action@v4
+        with:
+          files: ./coverage/lcov.info
+          token: ${{ secrets.CODECOV_TOKEN }}
+          fail_ci_if_error: false

package/CHANGELOG.md

@@ -4,6 +4,31 @@ All notable changes to `@odatano/x402` are documented here. The format follows [
 
 **Pre-1.0 caveat:** minor versions may include breaking changes until `1.0.0`.
 
+## [0.4.0] - 2026-06-19
+
+### Changed (breaking)
+- **Dropped the direct `@emurgo/cardano-serialization-lib-nodejs` (CSL) dependency.** x402 no longer carries a CBOR/transaction library of its own; all tx parsing and building now go through `@odatano/core`'s Buildooor stack (CSL-free since core `1.8.0`). **The `@odatano/core` peer requirement is now `>=1.9.1`** (was `>=1.7.8`). Upgrade `@odatano/core` in the same step.
+- **`buildUnsignedPaymentTx` now delegates to core's tx-builder.** UTxO selection, change, min-ADA and fee are handled by core (Buildooor `keepRelevant`) instead of x402's own CSL coin-selection. Consequences: the v2 `nonceRef` is now the built tx's first input (was x402's largest-UTxO pick); the validity-range upper bound is derived from a POSIX deadline and read back from the built tx, so `ttlSlot` reflects what the builder set (and may be `null` if unset) rather than a value x402 computed. The result shape (`unsignedTxCborHex`, `txHashHex`, `requiredSignerHex`, `nonceRef`, `inputs`, `ttlSlot`) and the `BuildUnsignedTxArgs` (`buyerBech32`, `requirements`, `ttlSlotsFromNow`) are unchanged. This helper is browser-buyer convenience only; it is not on the facilitator/validation path.
+
+### Added
+- `bech32` runtime dependency, for CSL-free Shelley address introspection (`srv/helpers/address.ts`) used to derive `requiredSignerHex` and validate Base/Enterprise key-cred addresses.
+
+### Internal
+- `srv/core/decode.ts` parses via core's pure `parseTransaction`; `srv/bridge.ts` gained typed `parseTransaction` and `buildUnsignedTransfer` wrappers (single coupling point preserved).
+- Test fixtures (`test/fixtures/{constants,build-tx}.ts`) rebuilt on `@harmoniclabs/buildooor` (dev-only); shared `core-parse-mock` stubs the core barrel down to its pure parser so decode-exercising suites don't load uncompiled `@cds-models` sources. Suite: 317 tests across 25 suites, all green.
+
+## [0.3.1] - 2026-05-15
+
+### Fixed
+- **`gateService` now emits the canonical x402 v2 body on the wire** instead of CAP's OData-wrapped shape. The gate writes `httpRes.status(402).json(body)` directly when an Express response is reachable, then calls `req.reject(402, ...)` as the chain-terminator: the synchronous throw stops CAP's handler pipeline so the gated `on` handler never runs, and CAP's render attempt no-ops on `headersSent`. Non-HTTP transports (event invocations, `$batch` reuse) fall back to plain `req.reject`. Validated against `@sap/cds ^9`. Third-party x402 clients now interop with CAP-gated services without any unwrap shim. Closes the "Known issues" item from 0.3.0.
+
+### Removed (breaking)
+- **`unwrapCapEnvelope`** helper and its calls from `x402Fetch` / `x402Axios`. With the server fix above, the v2 body lands at the top level on the wire and the defensive unwrap is dead code. The export is gone; consumers who pulled it in (e.g. for wrapping the wrappers) should remove the import. **Pair the upgrade**: if you upgrade the `@odatano/x402` client to 0.3.1, upgrade the server in the same step, since 0.3.1 clients no longer unwrap a 0.3.0-style wrapped body.
+
+### Changed
+- `srv/middleware/cap.ts` , new `send402` helper and `getHttpRes` accessor; the one 402 emit site routes through `send402`. The two 500 `req.reject` paths (pricing-resolver throw, facilitator throw) are unchanged.
+- Test suite: 232 tests across 21 suites. CAP middleware tests gained 3 cases (canonical-wire-shape regression, `headersSent` defensive fallback, no-`http.res` transport fallback). Client tests dropped 7 cases tied to `unwrapCapEnvelope`.
+
 ## [0.3.0] - 2026-05-15
 
 ### Added
@@ -16,14 +41,14 @@ All notable changes to `@odatano/x402` are documented here. The format follows [
 - **Browser-buyer example** , `examples/browser-buyer/` Vite scaffold showing CIP-30 wallet + `x402Fetch` wiring. Documents the typical "unsigned-from-server, signed-by-wallet" architecture (server exposes `POST /pay/intent` via `buildUnsignedPaymentTx`; browser signs via CIP-30). Includes CORS notes for cross-origin deployments.
 
 ### Fixed
-- **`x402Fetch` / `x402Axios` now interop with `gateService`** out of the box. CAP's `req.reject(402, body)` wraps the canonical v2 body inside its standard OData error envelope (`{ error: { message: "<json>", code: "402", ... } }`), so previous client wrappers saw `body.x402Version === undefined` and bailed without retrying. Both clients now defensively unwrap the OData envelope before validating shape. Reported by the CHAINFEED team; matches the workaround they were shipping in `scripts/buyer-pay-and-fetch.ts`. New helper `unwrapCapEnvelope` is exported for consumers wrapping the wrappers.
+- **`x402Fetch` / `x402Axios` now interop with `gateService`** out of the box. CAP's `req.reject(402, body)` wraps the canonical v2 body inside its standard OData error envelope (`{ error: { message: "<json>", code: "402", ... } }`), so previous client wrappers saw `body.x402Version === undefined` and bailed without retrying. Both clients now defensively unwrap the OData envelope before validating shape.
 
 ### Known issues
 - The CAP `gateService` still emits 402 responses wrapped in CAP's OData error envelope on the wire (because `req.reject` is the only documented abort path). Third-party x402 clients hitting a CAP-gated server will see the wrapped shape; only `@odatano/x402`'s own clients unwrap it. Direct-write-to-`req.http.res` is the planned symmetric fix but needs validation against `@sap/cds` ^9 internals; tracked for v0.3.1.
 - `PaymentClaim.payTo` , verified recipient address now populated on the claim (was previously only on the requirements entry). Useful for `onAccepted` audit and receipts.
 
 ### Changed
-- Test count: 177 → 230 (HTTP-server round-trips, multi-accept + dynamic-pricing across `requirements`/`validate`/`verify`/`cap`/`express`, 4 receipts cases, 5 grants cases, 13 client-error cases).
+- Test count: 177 → 236 (HTTP-server round-trips, multi-accept + dynamic-pricing across `requirements`/`validate`/`verify`/`cap`/`express`, 4 receipts cases, 5 grants cases, 13 client-error cases).
 - `srv/middleware/{cap,express}.ts` now emit `accepts[]` via `buildPaymentRequirementsMulti()`; single-entry callers are unaffected (one-entry array produces a body byte-identical to v0.2).
 - `srv/facilitator/verify.ts` decodes the envelope BEFORE selecting a requirements entry; multi-accept depends on knowing which `(payTo, asset)` the tx actually credited.
 

package/LICENSE

@@ -1,21 +1,169 @@
-MIT License
-
-Copyright (c) 2026 ODATANO
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   Copyright [16.05.2026] [Maximilian Weber]

package/README.md

@@ -1,9 +1,12 @@
+![PDATANOX402](datano-x402.png)
 # @odatano/x402
 
-[![npm](https://img.shields.io/npm/v/@odatano/x402?color=cb3837&logo=npm)](https://www.npmjs.com/package/@odatano/x402)
-[![tests](https://github.com/ODATANO/x402/actions/workflows/test.yaml/badge.svg)](https://github.com/ODATANO/x402/actions/workflows/test.yaml)
-[![@odatano/core](https://img.shields.io/github/package-json/dependency-version/ODATANO/x402/peer/@odatano/core?label=%40odatano%2Fcore&color=0e7c66)](https://www.npmjs.com/package/@odatano/core)
-[![spec](https://img.shields.io/badge/Cardano--x402-v2-blueviolet)](https://github.com/masumi-network/x402-cardano)
+[![Tests](https://github.com/ODATANO/x402/actions/workflows/test.yaml/badge.svg)](https://github.com/ODATANO/x402/actions/workflows/test.yaml)
+[![Coverage](https://codecov.io/gh/ODATANO/x402/branch/main/graph/badge.svg)](https://codecov.io/gh/ODATANO/x402)
+[![@odatano/core](https://img.shields.io/badge/@odatano/core-1.9.1-blue)](https://www.npmjs.com/package/@odatano/core)
+[![npm](https://img.shields.io/npm/v/@odatano/x402?color=blue&logo=npm)](https://www.npmjs.com/package/@odatano/x402)
+[![npm downloads](https://img.shields.io/npm/dt/@odatano/x402?logo=npm&label=downloads&color=blue)](https://www.npmjs.com/package/@odatano/x402)
+[![License](https://img.shields.io/badge/license-Apache%202.0-yellow)](LICENSE)
 
 x402 payment gating for SAP CAP applications, backed by Cardano.
 
@@ -17,7 +20,7 @@ Implements the **Cardano-x402-v2** spec on top of [`@odatano/core`](https://www.
 npm install @odatano/x402 @odatano/core
 ```
 
-`@odatano/core` (the Cardano bridge) is a peer dependency. Install whichever version meets `>=1.7.8`.
+`@odatano/core` (the Cardano bridge) is a peer dependency. Install whichever version meets `>=1.9.1`.
 
 ## Quick Start
 
@@ -81,7 +84,7 @@ Configure the Cardano backend in `package.json`:
 
 - Node.js 22+
 - `@sap/cds >= 9` (peer)
-- `@odatano/core >= 1.7.8` (peer)
+- `@odatano/core >= 1.9.1` (peer)
 - `express ^4` (peer), only if you use `x402Middleware`
 - A Cardano backend reachable via `@odatano/core` (Blockfrost / Koios / Ogmios)
 
@@ -90,9 +93,9 @@ Configure the Cardano backend in `package.json`:
 ```bash
 npm install                # Workspace install: covers root + examples/*
 npm run build              # tsc, emits .js/.d.ts next to .ts (outDir: .)
-npm test                   # 177 tests, ~13s
+npm test                   # 232 tests, ~13s
 ```
 
 ## License
 
-Apache-2.0.
+Apache-2.0 (see [LICENSE](LICENSE))

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@odatano/x402",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "description": "x402 Cardano-v2 payment library for SAP CAP applications",
   "license": "Apache-2.0",
   "main": "srv/index.js",
@@ -23,11 +23,11 @@
     "test:coverage": "jest --coverage"
   },
   "dependencies": {
-    "@emurgo/cardano-serialization-lib-nodejs": "^15.0.3"
+    "bech32": "^2.0.0"
   },
   "peerDependencies": {
     "@cap-js/cds-types": ">=0.15",
-    "@odatano/core": ">=1.7.8",
+    "@odatano/core": ">=1.9.1",
     "@sap/cds": ">=9",
     "express": "^4"
   },
@@ -37,10 +37,11 @@
     }
   },
   "devDependencies": {
+    "@harmoniclabs/buildooor": "^0.2.6",
     "@cap-js/cds-typer": "^0.38.0",
     "@cap-js/cds-types": "^0.15.0",
     "@cap-js/sqlite": "^2",
-    "@odatano/core": "^1.7.8",
+    "@odatano/core": "^1.9.1",
     "@odatano/x402": ".",
     "@sap/cds": "^9",
     "@sap/cds-dk": "^9.4.3",

package/release-0.4.0.md

@@ -0,0 +1,58 @@
+# @odatano/x402 0.4.0
+
+**Drop CSL, route all tx parsing/building through `@odatano/core`.**
+
+x402 no longer carries its own CBOR/transaction library. Both former CSL
+call sites now go through `@odatano/core`'s Buildooor stack (CSL-free since
+core `1.8.0`).
+
+## Highlights
+
+- **`decode.ts`** parses via core's pure `parseTransaction` instead of CSL
+  `Transaction`/`FixedTransaction`. The byte-stable tx hash is preserved.
+- **`buildUnsignedPaymentTx`** delegates UTxO selection, change, min-ADA and
+  fee to core's tx-builder. The v2 `nonceRef` and `ttlSlot` are read back
+  from the built tx rather than computed locally.
+- **New CSL-free Shelley address parser** (`srv/helpers/address.ts`, via
+  `bech32`) derives `requiredSignerHex` and validates Base/Enterprise
+  key-cred addresses.
+- **`bridge.ts`** gains typed `parseTransaction` + `buildUnsignedTransfer`
+  wrappers, keeping the single coupling point to core.
+
+## Breaking changes
+
+- **`@odatano/core` peer requirement raised `>=1.7.8` → `>=1.9.1`.** Upgrade
+  core in the same step.
+- **`buildUnsignedPaymentTx` now uses core's coin-selection.** The nonce is
+  the built tx's first input (was x402's largest-UTxO pick), and `ttlSlot`
+  reflects what the builder set (may be `null`) instead of a value x402
+  computed. The result shape (`unsignedTxCborHex`, `txHashHex`,
+  `requiredSignerHex`, `nonceRef`, `inputs`, `ttlSlot`) and the
+  `BuildUnsignedTxArgs` (`buyerBech32`, `requirements`, `ttlSlotsFromNow`)
+  are unchanged. This helper is browser-buyer convenience only; it is not on
+  the facilitator/validation path.
+
+## Dependencies
+
+- Removed: `@emurgo/cardano-serialization-lib-nodejs` (CSL).
+- Added: `bech32` (runtime), `@harmoniclabs/buildooor` (dev, test fixtures only).
+
+## Internal / tests
+
+- Test fixtures (`test/fixtures/{constants,build-tx}.ts`) rebuilt on
+  `@harmoniclabs/buildooor`. Shared `core-parse-mock` stubs the core barrel
+  down to its pure parser so decode-exercising suites don't load uncompiled
+  `@cds-models` sources.
+- **317 tests across 25 suites pass; `tsc` and `eslint` clean.**
+
+## Upgrade notes
+
+Bump both packages together:
+
+```bash
+npm install @odatano/x402@^0.4.0 @odatano/core@^1.9.1
+```
+
+If you call `buildUnsignedPaymentTx` directly, re-validate the browser-buyer
+signing path on a testnet (preprod): it is the one flow where an external
+wallet re-hashes the tx that core built.

package/srv/bridge.d.ts

@@ -61,5 +61,89 @@ export declare function getCurrentSlot(): Promise<number>;
  * caller's perspective.
  */
 export declare function isUtxoUnspent(txHash: string, outputIndex: number): Promise<boolean>;
-export declare const parseTransaction: ((cborHex: string) => unknown) | undefined;
+/** One output of a parsed tx. `assets[].unit` is `policyId+nameHex`. */
+export interface ParsedTxOutput {
+    address: string;
+    lovelace: string;
+    assets: Array<{
+        unit: string;
+        quantity: string;
+    }>;
+    datumHash: string | null;
+    inlineDatumHex: string | null;
+    referenceScriptHex: string | null;
+}
+/** Structured shape returned by `@odatano/core`'s `parseTransaction`. */
+export interface ParsedTx {
+    txHash: string;
+    network: 'mainnet' | 'testnet' | null;
+    inputs: Array<{
+        txHash: string;
+        outputIndex: number;
+    }>;
+    outputs: ParsedTxOutput[];
+    /** Validity-range lower bound in slots (decimal string) or null. */
+    validityStart: string | null;
+    /** Validity-range upper bound (TTL) in slots (decimal string) or null. */
+    validityEnd: string | null;
+    fee: string;
+    mint: Array<{
+        unit: string;
+        quantity: string;
+    }>;
+    requiredSigners: string[];
+    scriptDataHash: string | null;
+    witnesses: {
+        vkeyCount: number;
+        nativeScripts: number;
+        plutusScripts: number;
+        plutusData: number;
+        redeemers: number;
+    };
+}
+/**
+ * Parse signed-or-unsigned tx CBOR (hex) into structured fields. Pure,
+ * no init / no chain call. Throws `X402Error(INVALID_CBOR)` on malformed
+ * input so callers in the decode path get a precise, surfaceable code.
+ */
+export declare function parseTransaction(cborHex: string): ParsedTx;
+/** Request shape accepted by core's `build{Simple,MultiAsset}Transaction`. */
+export interface CoreTransferReq {
+    /** Buyer's bech32 — UTxO source and default change address. */
+    senderAddress: string;
+    /** Bech32 recipient (`payTo`). */
+    recipientAddress: string;
+    /** Defaults to `senderAddress`. */
+    changeAddress?: string;
+    /** Output ADA in lovelace (decimal string). For token outputs this is the riding min-ADA. */
+    lovelaceAmount: string;
+    /** Native assets on the output. `unit` = `policyId+assetNameHex`. Omit/empty for pure ADA. */
+    assets?: Array<{
+        unit: string;
+        quantity: string;
+    }>;
+    /** Validity-range upper bound as POSIX ms; core converts to a slot. */
+    validityEndMs?: number;
+}
+/** Subset of core's `TxBuildResult` that x402 consumes. */
+export interface CoreTxBuildResult {
+    unsignedTxCbor: string;
+    txBodyHash: string;
+    inputs: Array<{
+        txHash: string;
+        index: number;
+        lovelace: string;
+    }>;
+    outputs: Array<{
+        address: string;
+        lovelace: string;
+    }>;
+    feeLovelace: string;
+}
+/**
+ * Build an unsigned transfer tx via core's Buildooor builder. Routes to
+ * the multi-asset entry point when `assets` is non-empty (it rejects an
+ * empty asset list), otherwise the plain-ADA one.
+ */
+export declare function buildUnsignedTransfer(req: CoreTransferReq): Promise<CoreTxBuildResult>;
 //# sourceMappingURL=bridge.d.ts.map

package/srv/bridge.js

@@ -15,7 +15,6 @@
  * Both are called through directly here; no shim layer remains.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.parseTransaction = void 0;
 exports.init = init;
 exports.shutdown = shutdown;
 exports.getUtxosAtAddress = getUtxosAtAddress;
@@ -24,6 +23,8 @@ exports.getProtocolParameters = getProtocolParameters;
 exports.submitTransaction = submitTransaction;
 exports.getCurrentSlot = getCurrentSlot;
 exports.isUtxoUnspent = isUtxoUnspent;
+exports.parseTransaction = parseTransaction;
+exports.buildUnsignedTransfer = buildUnsignedTransfer;
 const errors_1 = require("./core/errors");
 // eslint-disable-next-line @typescript-eslint/no-require-imports
 const od = require('@odatano/core');
@@ -143,10 +144,35 @@ async function isUtxoUnspent(txHash, outputIndex) {
     await ensureInit();
     return od.getCardanoClient().isUtxoUnspent(txHash, outputIndex);
 }
-// ─── Re-export pure CBOR utilities (no bridge round-trip) ─────────────
-// parseTransaction is exported from @odatano/core's barrel and runs
-// entirely client-side. Re-export so x402 users don't need a second
-// import for tx introspection. We declare the type loosely (unknown
-// CBOR-parsed shape), consumers cast to ODATANO's `ParsedTransaction`
-// from `@odatano/core` directly if they need the structured fields.
-exports.parseTransaction = od ? od.parseTransaction : undefined;
+const odParseTransaction = od.parseTransaction;
+/**
+ * Parse signed-or-unsigned tx CBOR (hex) into structured fields. Pure,
+ * no init / no chain call. Throws `X402Error(INVALID_CBOR)` on malformed
+ * input so callers in the decode path get a precise, surfaceable code.
+ */
+function parseTransaction(cborHex) {
+    if (typeof odParseTransaction !== 'function') {
+        throw new errors_1.X402Error(errors_1.Codes.BRIDGE_UNAVAILABLE, '@odatano/core does not export parseTransaction (need >= 1.9.1)');
+    }
+    try {
+        return odParseTransaction(cborHex);
+    }
+    catch (err) {
+        throw new errors_1.X402Error(errors_1.Codes.INVALID_CBOR, `transaction CBOR did not decode: ${err?.message ?? err}`);
+    }
+}
+/**
+ * Build an unsigned transfer tx via core's Buildooor builder. Routes to
+ * the multi-asset entry point when `assets` is non-empty (it rejects an
+ * empty asset list), otherwise the plain-ADA one.
+ */
+async function buildUnsignedTransfer(req) {
+    await ensureInit();
+    const builder = od.getCardanoTxBuilder();
+    // Core's builder expects core's own protocol-parameter shape, so source
+    // it from the same client rather than re-deriving it here.
+    const params = await od.getCardanoClient().getProtocolParameters();
+    return req.assets && req.assets.length > 0
+        ? builder.buildMultiAssetTransaction(req, params)
+        : builder.buildSimpleAdaTransaction(req, params);
+}

package/srv/client/axios.js

@@ -54,9 +54,7 @@ function x402Axios(instance, opts) {
         }
         const cfg = error.config;
         const retries = Number(cfg[RETRY_KEY] ?? 0);
-        // CAP-style servers wrap the v2 body inside an OData error envelope.
-        // Defensively unwrap before validating shape.
-        const body = (0, errors_1.unwrapCapEnvelope)(error.response.data);
+        const body = error.response.data;
         const status = error.response.status;
         if (retries >= maxRetries) {
             if (opts.errorOnFailure) {

package/srv/client/errors.d.ts

@@ -60,27 +60,6 @@ export declare class X402PaymentError extends Error {
     readonly cause?: unknown;
     constructor(init: X402PaymentErrorInit);
 }
-/**
- * Defensively unwrap a CAP / OData error envelope around a v2 body.
- *
- * Background: `gateService` in this package historically (≤ v0.2)
- * reaches a 402 via `req.reject(402, JSON.stringify(body))`, which
- * CAP wraps into its standard OData error shape, putting the canonical
- * v2 body inside `error.message` as a JSON string:
- *
- *   { "error": { "message": "{\"x402Version\":2, ... }", "code": "402", ... } }
- *
- * The Express middleware emits the v2 body at the top level directly.
- * This helper detects the CAP wrap and returns the unwrapped candidate
- * so client wrappers can validate v2 shape uniformly. Non-CAP bodies
- * pass through untouched.
- *
- * Symmetric server-side fix (emit canonical body even through CAP) is
- * a separate concern, deferred until we can validate the CAP-version
- * specific behaviour. The unwrap below keeps `x402Fetch` /
- * `x402Axios` working against both shapes.
- */
-export declare function unwrapCapEnvelope(parsed: unknown): unknown;
 /**
  * Parse the (server, canonical) error string from a `PaymentRequirementsBody`.
  *

package/srv/client/errors.js

@@ -31,7 +31,6 @@
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.X402PaymentError = void 0;
-exports.unwrapCapEnvelope = unwrapCapEnvelope;
 exports.parseErrorCode = parseErrorCode;
 exports.paymentErrorFromBody = paymentErrorFromBody;
 /**
@@ -71,42 +70,6 @@ class X402PaymentError extends Error {
     }
 }
 exports.X402PaymentError = X402PaymentError;
-/**
- * Defensively unwrap a CAP / OData error envelope around a v2 body.
- *
- * Background: `gateService` in this package historically (≤ v0.2)
- * reaches a 402 via `req.reject(402, JSON.stringify(body))`, which
- * CAP wraps into its standard OData error shape, putting the canonical
- * v2 body inside `error.message` as a JSON string:
- *
- *   { "error": { "message": "{\"x402Version\":2, ... }", "code": "402", ... } }
- *
- * The Express middleware emits the v2 body at the top level directly.
- * This helper detects the CAP wrap and returns the unwrapped candidate
- * so client wrappers can validate v2 shape uniformly. Non-CAP bodies
- * pass through untouched.
- *
- * Symmetric server-side fix (emit canonical body even through CAP) is
- * a separate concern, deferred until we can validate the CAP-version
- * specific behaviour. The unwrap below keeps `x402Fetch` /
- * `x402Axios` working against both shapes.
- */
-function unwrapCapEnvelope(parsed) {
-    if (!parsed || typeof parsed !== 'object')
-        return parsed;
-    const maybeError = parsed.error;
-    if (!maybeError || typeof maybeError !== 'object')
-        return parsed;
-    const msg = maybeError.message;
-    if (typeof msg !== 'string')
-        return parsed;
-    try {
-        return JSON.parse(msg);
-    }
-    catch {
-        return parsed;
-    }
-}
 /**
  * Parse the (server, canonical) error string from a `PaymentRequirementsBody`.
  *