@openmobilehub/attestomcp-gate 0.1.0

package/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or Derivative
+          Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2026 Open Mobile Hub, a series of LF Projects, LLC
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -0,0 +1,172 @@
+# @openmobilehub/attestomcp-gate
+
+**The consent layer for AI agents.** An AI agent must prove a verifiable credential
+from the user's phone wallet before a consequential MCP tool completes. **Identity
+leads; payments is one application** — `age.over(21)`, a loyalty membership, a
+prescription, and `payment.in("usd")` are all just credentials in the same policy.
+
+> **Design preview / v0.1.** This package is real and tested, but the broader AttestoMcp
+> SDK is still being extracted from the reference server
+> ([mcp-apps-shopping-demo](https://github.com/openmobilehub/mcp-apps-shopping-demo)).
+> See the repo's `ROADMAP.md` for what's shipping vs. next.
+
+## Install
+
+```bash
+npm install @openmobilehub/attestomcp-gate
+```
+
+Apache-2.0, ESM, ships its own types. Pairs with
+[`@openmobilehub/attestomcp-storefront`](../attestomcp-storefront), but stands alone on any
+Express-shaped host.
+
+## Quickstart
+
+The whole flow in ≤ 10 lines — a credential-gated agentic storefront. `createStorefront()`
+publishes the ceremony seams; `new AttestoMcp().mount(store.app)` wires the real `/attestomcp/*`
+ceremony rails; `store.gate()` resolves your policy on every `checkout` call (copied from
+[`examples/storefront.mjs`](https://github.com/openmobilehub/mcp-apps-shopping-demo/blob/main/examples/storefront.mjs) /
+[`storefront-gate.test.ts`](https://github.com/openmobilehub/mcp-apps-shopping-demo/blob/main/storefront-gate.test.ts)):
+
+```ts
+import { createStorefront } from "@openmobilehub/attestomcp-storefront/server";
+import { AttestoMcp, age, membership, payment, required, optional } from "@openmobilehub/attestomcp-gate";
+
+const store = createStorefront();                  // the storefront — one line
+const attestomcp = new AttestoMcp();                     // zero-config (defaults to http://localhost:3000)
+attestomcp.mount(store.app);                          // wires the real /attestomcp/* ceremony rails
+
+store.gate((order) =>                              // resolved on every checkout (payment settles LAST)
+  attestomcp.requirements(order, [
+    required(age.over(21).when((order) => order.lines.some((l) => l.minimumAge != null))),
+    optional(membership.discount(10)),              // 10% off if a loyalty credential is presented
+    required(payment.in("usd")),                    // amount derived from the order; settles last
+  ]),
+);
+
+const { url } = await store.listen(3005);          // → add http://localhost:3005/mcp to Claude / ChatGPT / Goose
+```
+
+Add the whiskey (21+) to the cart and check out → the tool returns the checkout link **plus**
+a `requires` manifest → the buyer proves age (and optionally membership) → authorizes payment →
+the widget shows the confirmation. Add the headphones instead and the age gate drops — the
+`.when()` predicate receives the **order** and is false.
+
+> `.when((order) => …)` takes the **whole `GateOrder`** (id, total, currency, lines), so a
+> predicate keys off the cart's lines — e.g. `order.lines.some((l) => l.minimumAge != null)`.
+> For a deployment pass your public origin: `new AttestoMcp({ walletOrigin: "https://shop.example" })`.
+
+## The three execution contexts
+
+The split is load-bearing — conflating them is the documented root cause of confusion
+([spec §0](https://github.com/openmobilehub/mcp-apps-shopping-demo/blob/main/specs/001-attesto-sdk/spec.md)). v0.1 is consolidated **Mode A**:
+
+1. **Tool — mints the link + reports requirements.** Your `checkout` handler runs once when
+   checkout is requested. There is no phone in the loop, so it does **not** run a ceremony — it
+   calls `attestomcp.requirements(order, policy)` and surfaces the resulting `requires` manifest.
+2. **Page — runs the gates.** The buyer opens the link once and completes every verification and
+   payment in a single browser session, on the `/attestomcp/*` routes `mount()` serves.
+3. **Poll — reports completion.** The agent polls (MCP has no server→client push) and reports the
+   result. It never performs the ceremony.
+
+`requirements()` is the **code→data boundary** (Principle VI): it runs your `.when()` / `appliesTo`
+predicates server-side, sorts `payment` last, and emits a flat, JSON-safe manifest — **no functions
+cross the wire**. The manifest's `requires[]` is exactly what the agent and the widget receive.
+
+## The credential model
+
+Built-ins, custom credentials, and effects are one shape (`Credential` + `Effect`):
+
+| Builder | Effect | Verifies |
+| :-- | :-- | :-- |
+| `age.over(n)` | `gate()` | the explicit positive `age_over_${n} === true` (an 18+ proof never satisfies a 21+ gate) |
+| `membership.discount(n)` | `discount({ percent: n })` | a non-empty `membership_number`; applies the discount once |
+| `payment.in(cur)` | `authorize()` | `authorized === true`; settles last, amount derived from the order |
+
+Wrap each in `required(c)` or `optional(c)` to build the ordered policy array. Attach a call-site
+conditional with `.when((order) => boolean)` — it returns a fresh `Credential` (non-mutating) whose
+predicate is AND-ed onto any existing `appliesTo`.
+
+**Gate any credential** with `defineCredential` — no registration step, usable by object
+(from [`specs/001-attesto-sdk/quickstart.md`](https://github.com/openmobilehub/mcp-apps-shopping-demo/blob/main/specs/001-attesto-sdk/quickstart.md)):
+
+```ts
+import { defineCredential, dcql, gate } from "@openmobilehub/attestomcp-gate";
+
+const prescription = defineCredential({
+  id: "prescription",
+  request: dcql({ docType: "org.hl7.prescription.1", claims: ["rx_valid"] }),
+  verify: (c) => c.rx_valid === true,
+  effect: gate(),                                   // or discount({ percent }) / authorize()
+  appliesTo: (order) => order.lines.some((l) => l.requiresRx),  // definition-time conditional
+  ui: { label: "Prescription", action: "Verify prescription" },
+});
+// …then drop required(prescription) into the same policy array.
+```
+
+`dcql({ docType, claims })` is concise sugar for a single-mdoc DCQL query (selective disclosure,
+never-retain by default). The three effect builders — `gate()`, `discount({ percent })`,
+`authorize()` — are the only effects the resolver interprets.
+
+## Honest status
+
+Honesty is carried in the **types**, not prose (Principle VII):
+
+- **`enforcedAt: "checkout"`** — v0.1 is consolidated Mode A: every gate runs on the checkout page
+  (Context 2) and is enforced server-side on the completion path. (`"tool"` is the Mode-B blocking
+  shape — roadmap.)
+- **`trust_level: "presence-only-demo"`** — the gate enforces *disclosure* (an explicit positive
+  claim, not token-presence) and *binding* (nonce / ephemeral key), but **not trust** (mdoc
+  issuer / device signatures). A self-crafted mdoc would pass. **This is a flow demo, not a real
+  safety control** — never present it as one. Issuer-trust verification (Multipaz / `@auth0/mdl`,
+  `trust_level: "issuer-verified"`) is roadmap.
+
+The three rails `mount()` serves differ in how much crypto is real today:
+
+| Rail (`/attestomcp/*`) | What it proves | Trust today |
+| :-- | :-- | :-- |
+| `passkey` (same-device + cross-device caBLE) | WebAuthn assertion verified against this server's origin / RP-ID, user-verification required, nonce/replay-bound — **real cryptography** (`@simplewebauthn`) | real WebAuthn crypto |
+| `credential` (age / membership) | OpenID4VP presentation; the explicit positive claim is checked, but the mdoc's issuer/device signatures are **not** verified | `presence-only-demo` |
+| `dc-payment` (Digital Credentials API) | amount-bound mdoc presentation; the JWE vp_token + device signature are taken at face value, **not** cryptographically verified | `presence-only-demo` |
+
+The OpenID4VP plumbing is scaffolded; cryptographic mdoc trust is the integration step, not new
+cryptography. The mandate is AP2-shaped and dev-signed (integrity hash), not key-signed.
+
+> **A refused tool call is a protocol, not a wall.** For a page-less tool, `gated()` returns a typed
+> **`verification_required`** envelope the agent *drives* (which credential, a per-order approve link,
+> the tool to poll) instead of completing — the retained blocking **Mode B** primitive.
+
+## API surface (v0.1)
+
+```ts
+// Client (configure once, then declarative calls)
+class AttestoMcp {
+  constructor(opts?: { walletOrigin?: string; store?: VerificationStore });
+  requirements(order: GateOrder, policy: Step[]): VerificationManifestEntry[];   // Context 1
+  mount(app: ExpressApp, ceremony?: MountCeremony): void;                        // Context 2
+}
+
+// Policy builders + extensibility
+age.over(n)  ·  membership.discount(n)  ·  payment.in(currency)
+required(c)  ·  optional(c)  ·  .when((order) => boolean)
+defineCredential({ id, request, verify, effect, appliesTo?, ui })
+dcql({ docType, claims })  ·  gate()  ·  discount({ percent?, amount? })  ·  authorize()
+
+// Stores + host-side composition seam
+MemoryVerificationStore  ·  completeOrder(input, ctx)
+
+// Retained Mode-B / roadmap blocking primitive
+gated()  ·  buildVerificationRequired()  ·  isVerificationRequired()  ·  envelopeInstruction()
+ageDcql()  ·  ENVELOPE_VERSION  ·  ENVELOPE_SENTINEL
+
+// Types: AttestoMcpOptions, GateOrder, OrderLine, Credential, Step, Effect,
+//        VerificationManifestEntry, VerificationStore, VerificationRecord,
+//        TrustLevel, DcqlQuery, DcqlClaim, DcqlCredentialOption, ExpressApp,
+//        CompletionSeam / SettlementSeam / CeremonyOrder (host composition)
+```
+
+Full, compiler-checked contract: [`specs/001-attesto-sdk/`](https://github.com/openmobilehub/mcp-apps-shopping-demo/tree/main/specs/001-attesto-sdk/) (the
+[quickstart](https://github.com/openmobilehub/mcp-apps-shopping-demo/blob/main/specs/001-attesto-sdk/quickstart.md), [`spec.md`](https://github.com/openmobilehub/mcp-apps-shopping-demo/blob/main/specs/001-attesto-sdk/spec.md),
+and the [mount contract](https://github.com/openmobilehub/mcp-apps-shopping-demo/blob/main/specs/003-gate-ceremony-extraction/contracts/attesto-mount.api.md)).
+
+Apache-2.0 · part of [Open Mobile Hub](https://openmobilehub.org) (Linux Foundation).

package/dist/ceremony/cartMandate.d.ts

@@ -0,0 +1,61 @@
+/** A priced cart line the mandate seals (the fields the gates re-derive from). */
+export interface CartMandateLine {
+    id: string;
+    quantity: number;
+    unitPrice: number;
+    lineTotal: number;
+    minimumAge?: number;
+}
+export interface CartMandate {
+    type: "ap2.CartMandate";
+    /** Stable id (defaults to `cart_<orderId>`); a PaymentMandate can reference it. */
+    id: string;
+    /** The order this cart is bound to — a mandate replayed against another order is refused. */
+    orderId: string;
+    lines: CartMandateLine[];
+    currency: string;
+    /** Cart total in major units — re-derived server-side, sealed here for integrity. */
+    total: number;
+    /** Epoch ms. */
+    issuedAt: number;
+    expiresAt: number;
+    /** Signature suite. v0.1 = server HMAC-SHA256; reserved for a future key-bound variant. */
+    alg: "HS256";
+    trust_level: "presence-only-demo";
+    /** base64url HMAC over the canonical payload. */
+    signature: string;
+}
+/** Default validity window — mirrors the challenge-token TTL policy. */
+export declare const DEFAULT_CART_MANDATE_TTL_MS: number;
+export interface IssueCartMandateArgs {
+    orderId: string;
+    lines: CartMandateLine[];
+    currency: string;
+    total: number;
+    /** Defaults to `cart_<orderId>`. */
+    id?: string;
+    /** Injectable clock (tests); defaults to `Date.now()`. */
+    now?: number;
+    ttlMs?: number;
+}
+/** Issue (sign) a Cart Mandate for a server-priced cart. */
+export declare function issueCartMandate(args: IssueCartMandateArgs, secret: string): CartMandate;
+export type CartMandateRefusal = "malformed" | "signature" | "order-id" | "expired";
+export type CartMandateVerdict = {
+    ok: true;
+    mandate: CartMandate;
+} | {
+    ok: false;
+    reason: CartMandateRefusal;
+};
+/**
+ * Verify a Cart Mandate against the order it should be bound to. Checks, in order:
+ *   1. shape (a malformed/non-mandate object is refused);
+ *   2. SIGNATURE — recompute the HMAC over the canonical payload + constant-time compare,
+ *      so a forged or edited cart fails here first (`signature`);
+ *   3. order-id binding — a valid mandate replayed against a different order (`order-id`);
+ *   4. expiry — a stale mandate, with a DISTINCT reason so a slow buyer sees "expired",
+ *      not "tampered" (`expired`).
+ * Returns the typed verdict; it never throws.
+ */
+export declare function verifyCartMandate(mandate: unknown, expectedOrderId: string, secret: string, now?: number): CartMandateVerdict;

package/dist/ceremony/cartMandate.js

@@ -0,0 +1,76 @@
+// ap2.CartMandate — a signed integrity envelope over the cart the agent/buyer is acting
+// on. The signed sibling of the ap2.PaymentMandate (mandate.ts): it makes the cart
+// TAMPER-EVIDENT so the cart that travels with a request can be checked before it's
+// trusted.
+//
+// ADDITIVE + FAIL-CLOSED, and it does NOT change the price authority: the catalog stays
+// the source of truth (Security invariant 2). A cart mandate proves "THIS SERVER issued
+// this cart"; re-pricing still decides the price. So verification is a fast, explicit
+// pre-check (a tampered/replayed/expired cart is refused with a clear reason BEFORE the
+// re-price step) and defense-in-depth — never a substitute for re-derivation.
+//
+// HONESTY (trust_level "presence-only-demo"): v0.1 signs with the SERVER's HMAC key
+// (the same sealed-HMAC primitive challengeToken.ts uses). That proves the server issued
+// the cart, NOT that the user authorized it. A user/agent-signed Cart Mandate (the true
+// AP2 user-authorization semantic) + issuer trust is the v0.2 line — the `alg` field
+// reserves room for an ES256 / key-bound variant without changing this contract.
+import { createHmac, timingSafeEqual } from "node:crypto";
+/** Default validity window — mirrors the challenge-token TTL policy. */
+export const DEFAULT_CART_MANDATE_TTL_MS = 15 * 60 * 1000;
+// Deterministic canonical payload the signature covers. Fixed field + line order so the
+// same cart re-signs stably and ANY edit (a line qty, a unit price, the total, the
+// currency, the order id, the expiry) changes the bytes and so the signature.
+function canonical(m) {
+    const lines = m.lines
+        .map((l) => `${l.id}:${l.quantity}:${l.unitPrice}:${l.lineTotal}:${l.minimumAge ?? ""}`)
+        .join(",");
+    return [m.type, m.id, m.orderId, m.currency, m.total, m.issuedAt, m.expiresAt, m.alg, m.trust_level, lines].join("|");
+}
+function sign(payload, secret) {
+    return createHmac("sha256", secret).update(payload).digest("base64url");
+}
+/** Issue (sign) a Cart Mandate for a server-priced cart. */
+export function issueCartMandate(args, secret) {
+    const now = args.now ?? Date.now();
+    const base = {
+        type: "ap2.CartMandate",
+        id: args.id ?? `cart_${args.orderId}`,
+        orderId: args.orderId,
+        lines: args.lines,
+        currency: args.currency,
+        total: args.total,
+        issuedAt: now,
+        expiresAt: now + (args.ttlMs ?? DEFAULT_CART_MANDATE_TTL_MS),
+        alg: "HS256",
+        trust_level: "presence-only-demo",
+    };
+    return { ...base, signature: sign(canonical(base), secret) };
+}
+/**
+ * Verify a Cart Mandate against the order it should be bound to. Checks, in order:
+ *   1. shape (a malformed/non-mandate object is refused);
+ *   2. SIGNATURE — recompute the HMAC over the canonical payload + constant-time compare,
+ *      so a forged or edited cart fails here first (`signature`);
+ *   3. order-id binding — a valid mandate replayed against a different order (`order-id`);
+ *   4. expiry — a stale mandate, with a DISTINCT reason so a slow buyer sees "expired",
+ *      not "tampered" (`expired`).
+ * Returns the typed verdict; it never throws.
+ */
+export function verifyCartMandate(mandate, expectedOrderId, secret, now = Date.now()) {
+    if (!mandate || typeof mandate !== "object")
+        return { ok: false, reason: "malformed" };
+    const m = mandate;
+    if (m.type !== "ap2.CartMandate" || typeof m.signature !== "string" || !Array.isArray(m.lines)) {
+        return { ok: false, reason: "malformed" };
+    }
+    const expected = sign(canonical(m), secret);
+    const a = Buffer.from(expected);
+    const b = Buffer.from(m.signature);
+    if (a.length !== b.length || !timingSafeEqual(a, b))
+        return { ok: false, reason: "signature" };
+    if (m.orderId !== expectedOrderId)
+        return { ok: false, reason: "order-id" };
+    if (now > m.expiresAt)
+        return { ok: false, reason: "expired" };
+    return { ok: true, mandate: m };
+}

package/dist/ceremony/challengeToken.d.ts

@@ -0,0 +1,5 @@
+export declare function issueChallenge(secret: string, ttlMs?: number): {
+    challenge: string;
+    token: string;
+};
+export declare function verifyChallenge(token: string, secret: string): string;

package/dist/ceremony/challengeToken.js

@@ -0,0 +1,43 @@
+// Stateless WebAuthn challenge. The challenge rides in a signed token:
+//   base64url(challenge) "." expiryMs "." base64url(HMAC-SHA256(challenge|expiry))
+// so issue and verify need no shared server memory (serverless-correct on a
+// multi-instance deployment where options→verify may hit different instances).
+//
+// The HMAC is keyed by the INJECTED `signingKey` seam (mount() requires a stable
+// one — D6); a forged or tampered token fails the signature check, and a token
+// replayed after its window fails the expiry check. Single-use WITHIN the window
+// is provided by the rail: the challenge is bound into the WebAuthn assertion and
+// the order's completion is idempotent, so a replayed assertion records nothing
+// twice. The token itself is deliberately stateless (no server-side nonce store).
+import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";
+const DEFAULT_TTL_MS = 120_000;
+function b64url(buf) {
+    return buf.toString("base64url");
+}
+function sign(challenge, expiry, secret) {
+    return createHmac("sha256", secret).update(`${challenge}|${expiry}`).digest("base64url");
+}
+export function issueChallenge(secret, ttlMs = DEFAULT_TTL_MS) {
+    const challenge = b64url(randomBytes(32));
+    const expiry = Date.now() + ttlMs;
+    const sig = sign(challenge, expiry, secret);
+    return { challenge, token: `${challenge}.${expiry}.${sig}` };
+}
+export function verifyChallenge(token, secret) {
+    const parts = token.split(".");
+    if (parts.length !== 3)
+        throw new Error("malformed challenge token");
+    const [challenge, expiryStr, sig] = parts;
+    const expiry = Number(expiryStr);
+    if (!Number.isFinite(expiry))
+        throw new Error("malformed challenge token");
+    const expected = sign(challenge, expiry, secret);
+    const a = Buffer.from(sig);
+    const b = Buffer.from(expected);
+    // Constant-time compare — a length mismatch is also a rejection.
+    if (a.length !== b.length || !timingSafeEqual(a, b))
+        throw new Error("bad challenge signature");
+    if (Date.now() > expiry)
+        throw new Error("challenge expired");
+    return challenge;
+}

package/dist/ceremony/checkout-page.d.ts

@@ -0,0 +1,85 @@
+import type { VerificationManifestEntry } from "../types.js";
+/** A priced order line — structurally a demo / storefront `PricedCartLine` (and a
+ *  `CeremonyOrderLine`, whose name/currency are optional). */
+export interface RenderOrderLine {
+    /** Display name; falls back to the product id (or "Item") when absent. */
+    name?: string;
+    /** Product id — the name fallback when a re-priced line carries no name. */
+    id?: string;
+    quantity: number;
+    lineTotal: number;
+    /** ISO 4217; falls back to the order currency when the line omits it. */
+    currency?: string;
+}
+/**
+ * The priced order the page summarizes. Structural superset of both the demo's and
+ * the storefront's `Order`, so either feeds the renderer with no mapping. Totals are
+ * the catalog-re-derived ones (Security invariant 2 — never the token's).
+ */
+export interface RenderOrder {
+    id: string;
+    lines: RenderOrderLine[];
+    /** Total item count; defaults to the summed line quantities when absent. */
+    itemCount?: number;
+    /** Discount in major units; the loyalty row renders only when > 0. */
+    discount: number;
+    total: number;
+    currency: string;
+}
+/** Per-order verification state that drives the live gate status (never global). */
+export interface RenderVerification {
+    ageVerified?: boolean;
+    loyaltyApplied?: boolean;
+}
+/** A recorded completion for THIS order — a revisit shows the paid state. */
+export interface RenderPaid {
+    amount: number;
+    currency: string;
+    method?: string;
+    settlement?: {
+        network: string;
+        payer: {
+            accountId: string;
+        };
+        hashscanUrl: string;
+    } | null;
+}
+/**
+ * One selectable payment method in the locked-until-ready payment group. The host
+ * supplies these so the renderer never hardcodes a route:
+ *   • `href`   — selecting + paying navigates here (a gate page); OR
+ *   • `placeOrder: true` — POSTs the order token to `placeOrderPath` (instant demo).
+ */
+export interface PaymentMethod {
+    value: string;
+    name: string;
+    desc: string;
+    /** Gate-page URL the Pay CTA navigates to when this method is chosen. */
+    href?: string;
+    /** This method completes by POSTing the order token to `placeOrderPath`. */
+    placeOrder?: boolean;
+    /** Selected by default (first method if none flagged). */
+    checked?: boolean;
+}
+export interface PaymentOptions {
+    /** The selectable methods (rendered as a radio group + one Pay CTA). */
+    methods: PaymentMethod[];
+    /** Where a `placeOrder` method POSTs `{ order }`. Default `/checkout/place-order`. */
+    placeOrderPath?: string;
+    /** The encoded order token the instant-demo method binds + POSTs. */
+    orderToken?: string;
+}
+export interface RenderRequirementsOptions {
+    /** Host-supplied payment affordances. Omitted ⇒ derive a single Pay CTA from the
+     *  manifest's `authorize` entry (its `approveUrl`), if any. */
+    payment?: PaymentOptions;
+    /** A recorded completion for THIS order ⇒ render the paid state, not the methods. */
+    paid?: RenderPaid | null;
+}
+/**
+ * Render the unified checkout page: the order summary, the numbered gates (in policy
+ * order, payment LAST) with live status, and the payment section — locked until every
+ * blocking gate passes. The membership discount is reflected in the displayed total
+ * via `order.discount` (the host re-prices server-side and passes the priced order).
+ */
+export declare function renderRequirements(order: RenderOrder, manifest: VerificationManifestEntry[], verification?: RenderVerification, opts?: RenderRequirementsOptions): string;