@openmobilehub/attestomcp-gate 0.1.0

package/dist/ceremony/dc-payment/page.js

@@ -0,0 +1,195 @@
+// Server-rendered dc-payment gate page. It now drives the REAL OpenID4VP wallet path:
+// the PRIMARY button calls navigator.credentials.get({digital}) synchronously inside
+// the tap (the signed request is PRE-FETCHED from /attestomcp/dc-payment/request so no
+// await sits between the click and get() — iOS WebKit drops the transient user
+// activation across an await; Chrome 141+ renders the cross-device caBLE QR), then POSTs
+// the wallet's encrypted vp_token to /attestomcp/dc-payment/verify in the shape the route's
+// real path reads ({ order, readerContextToken, result:{protocol,data} }) — the route
+// decrypts the JWE, re-checks the device-signed transaction_data_hash against the
+// amount we sealed, runs the four gates, and completes through the shared completeOrder
+// seam. The SECONDARY "instant demo" button is kept as a fallback: it POSTs the
+// canonical disclosed instrument + the catalog-bound amount ({ order, amount, claims })
+// (no wallet round-trip; the tested default). On a browser without the Digital
+// Credentials API the page points the buyer at the instant-demo button. Every surface
+// states trust_level "presence-only-demo" (CT11 / Principle VII / FR-011): the wire
+// crypto is real; the wallet's device/issuer trust anchor is not — never a real safety
+// control. Self-contained: takes the re-priced amount + lines, not a demo Order type.
+import { pageHead, brandHeader, progressRail, orderSummaryCard, trustFooter, settlingBar, completionHandoffBanner } from "../theme.js";
+// The canonical disclosed instrument the instant-demo button presents — it goes
+// through the SAME server-side amount-binding gates as a real wallet presentation.
+const DEMO_CLAIMS = {
+    issuer_name: "Demo Bank",
+    payment_instrument_id: "pi-77AABBCC",
+    masked_account_reference: "•••• 4242",
+    holder_name: "Demo Buyer",
+    expiry_date: "2032-09-01",
+};
+function money(amount, currency) {
+    return new Intl.NumberFormat("en-US", { style: "currency", currency }).format(amount);
+}
+export function renderDcPaymentPage(args) {
+    const { order, total, currency, lines } = args;
+    const returnUrl = args.returnUrl ?? `/checkout?order=${encodeURIComponent(order)}`;
+    // The shared order summary card (line items + bold Total) — same chrome as the hub.
+    const summary = orderSummaryCard({
+        lines: lines.map((l) => ({ name: l.name, quantity: l.quantity, lineTotal: l.lineTotal, currency: l.currency })),
+        total,
+        currency,
+        caption: `Order ${order}`,
+    });
+    // The progress rail with Pay as the current (final) step; the upstream gates are done.
+    const rail = progressRail([{ label: "Age", done: true }, { label: "Membership", done: true }, { label: "Pay" }], 2);
+    // Page-local chrome layered over the shared design system: the verify-progress rows
+    // reuse `.step`; the receipt gate rows + the success card are page-specific.
+    const extraCss = `
+  #receipt { display: none; margin-top: 16px; }
+  .gate { font-size: .82rem; padding: 3px 0; }
+  .gate.pass { color: var(--success); } .gate.fail { color: var(--danger); }`;
+    return `<!doctype html>
+<html lang="en">
+${pageHead(`Authorize payment (cross-device) · ${order}`, extraCss)}
+<body>
+  <div class="wrap">
+  ${brandHeader({ h1: "Authorize payment", tagline: "Authorize from your wallet" })}
+  ${rail}
+  ${summary}
+  <div class="card">
+    <p class="lede">Present a payment credential from your phone wallet. Chrome shows a QR; scanning it uses the cross-device channel (FIDO caBLE). Your wallet signs over this exact amount, then payment settles on-chain via the <strong>x402</strong> protocol — on a <strong>test network</strong>, no real money, a tiny token amount (a fixed demo rate, not the dollar total).</p>
+    <button id="go-dc" class="btn btn-primary">Authorize ${money(total, currency)} with my wallet</button>
+    <button id="go" class="btn btn-secondary">Authorize ${money(total, currency)} (instant demo)</button>
+    <div id="log"></div>
+    ${settlingBar()}
+    <div id="receipt"></div>
+  </div>
+  ${trustFooter()}
+  <script type="module">
+    const ORDER = ${JSON.stringify(order)};
+    const AMOUNT = ${JSON.stringify(total)};
+    const DEMO_CLAIMS = ${JSON.stringify(DEMO_CLAIMS)};
+    const RETURN_URL = ${JSON.stringify(returnUrl)};
+    const DONE_BANNER = ${JSON.stringify(completionHandoffBanner(returnUrl))};
+    const log = document.getElementById("log");
+    const goDc = document.getElementById("go-dc");
+    const btn = document.getElementById("go");
+    const settling = document.getElementById("settling");
+    const step = (t, c = "") => { const d = document.createElement("div"); d.className = "step " + c; d.textContent = t; log.appendChild(d); };
+    function notice(html) { const d = document.createElement("div"); d.className = "notice"; d.innerHTML = html; log.appendChild(d); }
+    // Escape any server-returned value before it goes into innerHTML (txId, accountId,
+    // the settlementError message): they're built server-side but never trusted raw.
+    const esc = (s) => String(s).replace(/[&<>"']/g, (c) => "&#" + c.charCodeAt(0) + ";");
+
+    // Pre-fetch the REAL signed OpenID4VP request so navigator.credentials.get() can be
+    // called SYNCHRONOUSLY inside the tap. iOS WebKit drops the transient user
+    // activation across an await, so we must not fetch between the click and get(). We
+    // keep a fresh pre-fetched request ready at all times. location.search carries the
+    // order this gate is scoped to, so /request re-prices THIS order (amount-bound).
+    let reqData = null;
+    function prefetch() {
+      reqData = null;
+      fetch("/attestomcp/dc-payment/request" + location.search).then((r) => r.json()).then((d) => { reqData = d; }).catch(() => {});
+    }
+
+    if (!("credentials" in navigator) || !window.DigitalCredential) {
+      goDc.disabled = true;
+      notice('This browser does not support <code>navigator.credentials.get({digital})</code> (needs <strong>Chrome 141+</strong>/Android or iOS 18+). Use the <strong>instant demo</strong> button.');
+    } else {
+      prefetch();
+    }
+
+    goDc.addEventListener("click", () => {
+      if (!("credentials" in navigator) || !window.DigitalCredential) {
+        notice('This browser does not support <code>navigator.credentials.get({digital})</code>. Use the instant-demo button.');
+        return;
+      }
+      if (!reqData || !reqData.request) { notice("Preparing the request — tap again in a second."); prefetch(); return; }
+      goDc.disabled = true;
+      const rd = reqData;
+      step("→ navigator.credentials.get({digital}) — Chrome should show a QR…");
+      // Called synchronously (no await before it) to keep the user activation.
+      navigator.credentials.get({ digital: { requests: [{ protocol: "openid4vp-v1-signed", data: { request: rd.request } }] }, mediation: "required" })
+        .then(async (result) => {
+          let data = result && result.data != null ? result.data : null;
+          if (typeof data === "string") { try { data = JSON.parse(data); } catch (e) {} }
+          step("→ verify · Settling via x402 on Hedera testnet (if configured)… can take ~10s");
+          settling.classList.add("on");
+          const out = await fetch("/attestomcp/dc-payment/verify", {
+            method: "POST", headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ order: ORDER, readerContextToken: rd.readerContextToken, result: { protocol: (result && result.protocol) || null, data } }),
+          }).then((r) => r.json()).finally(() => settling.classList.remove("on"));
+          if (!out.mandate) throw new Error(out.error || "authorization failed");
+          step("✓ presentation verified · mandate built (" + out.mandate.trust_level + ")", "ok");
+          renderReceipt(out);
+          // Configured-but-failed settle: authorized, not settled — let the buyer retry.
+          if (out.settlementError) { step("✗ settlement failed — authorized, not settled (retry below)", "err"); goDc.disabled = false; prefetch(); }
+        })
+        .catch((err) => {
+          step("✗ " + ((err && err.message) || String(err)), "err");
+          goDc.disabled = false;
+          prefetch(); // fresh request for the next attempt
+        });
+    });
+
+    btn.addEventListener("click", async () => {
+      btn.disabled = true;
+      try {
+        step("→ verify (presence-only, amount-bound) · Settling via x402 on Hedera testnet (if configured)… can take ~10s");
+        settling.classList.add("on");
+        const out = await fetch("/attestomcp/dc-payment/verify", {
+          method: "POST", headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ order: ORDER, amount: AMOUNT, claims: DEMO_CLAIMS }),
+        }).then((r) => r.json()).finally(() => settling.classList.remove("on"));
+        if (!out.mandate) throw new Error(out.error || "authorization failed");
+        step("✓ presentation verified · mandate built (" + out.mandate.trust_level + ")", "ok");
+        renderReceipt(out);
+        // Configured-but-failed settle: authorized, not settled — let the buyer retry.
+        if (out.settlementError) { step("✗ settlement failed — authorized, not settled (retry below)", "err"); btn.disabled = false; }
+      } catch (err) {
+        step("✗ " + (err?.message ?? String(err)), "err");
+        btn.disabled = false;
+      }
+    });
+
+    function renderReceipt(out) {
+      const el = document.getElementById("receipt");
+      const gates = out.gates.map((g) => '<div class="gate ' + (g.pass ? "pass" : "fail") + '">' + (g.pass ? "✓" : "✗") + " " + g.gate + " — " + g.detail + "</div>").join("");
+      // The x402 on-chain settlement receipt. When the host settled (Hedera/blocky402),
+      // show the actual tinybar amount, payer/merchant, speed, tx, and a PROMINENT
+      // tappable HashScan link — the third-party proof the buyer (on their phone) taps
+      // straight into the live explorer. A configured-but-failed settle is the calm
+      // "authorized, not settled" line (FR-013) — never an alarming wall.
+      const s = out.settlement;
+      const settlement = s
+        ? '<div class="settle"><div class="settle-head">✓ Settled via x402 on Hedera testnet</div>' +
+          '<dl class="kv">' +
+          "<dt>Amount</dt><dd>" + (s.amountTinybar / 1e8) + ' ℏ <span class="dim">(' + esc(s.fxRate) + ")</span></dd>" +
+          "<dt>From</dt><dd>" + esc(s.payer.accountId) + ' <span class="dim">' +
+          (s.payer.kind === "session-wallet"
+            ? "wallet created for this order, " + (s.walletAgeMs / 1000).toFixed(1) + "s old when it paid"
+            : "demo customer") + "</span></dd>" +
+          "<dt>To</dt><dd>" + esc(s.payTo) + ' <span class="dim">merchant</span></dd>' +
+          "<dt>Speed</dt><dd>settled in " + (s.settledInMs / 1000).toFixed(1) + "s</dd>" +
+          '<dt>Tx</dt><dd><span class="mono">' + esc(s.txId) + "</span></dd>" +
+          "</dl>" +
+          '<a class="hashscan" href="' + esc(s.hashscanUrl) + '" target="_blank" rel="noopener">View on HashScan ›</a>' +
+          "</div>"
+        : out.settlementError
+          ? '<div class="settle-failed">✗ Settlement failed — authorized, not settled: ' + esc(out.settlementError) + "</div>"
+          : "";
+      // Every gate + payment is done ⇒ the order is COMPLETE. Lead with the prominent
+      // handoff: close this window and continue in the agent (the MCP host polls
+      // order-status and resumes). No auto-redirect — we don't yank the buyer off the
+      // "you're done" message; the on-chain proof + a secondary return link stay below.
+      const done = out.completed ? DONE_BANNER : "";
+      el.innerHTML = done + '<div class="row-ok">✓ Payment Mandate authorized (amount-bound)</div>' +
+        '<div class="small" style="margin:4px 0 8px;">' + out.mandate.id + "</div>" + gates + settlement;
+      el.style.display = "block";
+      if (out.completed) {
+        goDc.disabled = true;
+        btn.textContent = "Authorized ✓";
+      }
+    }
+  </script>
+  </div>
+</body>
+</html>`;
+}

package/dist/ceremony/dc-payment/request.d.ts

@@ -0,0 +1,17 @@
+import type { CeremonyOrder } from "../types.js";
+import type { Origin } from "../origin.js";
+import type { DcqlQuery } from "../../types.js";
+export interface SignedDcPaymentRequest {
+    protocol: "openid4vp-v1-signed";
+    /** The ES256-signed OpenID4VP request JWT (real). */
+    request: string;
+    /** The DCQL embedded in the signed request (echoed for callers/tests). */
+    dcql_query: DcqlQuery;
+    /** The amount-bound transaction_data entries (base64url) — REAL binding. */
+    transaction_data: string[];
+    /** Sealed reader context (ECDH key + bound transaction_data) carried to /verify. */
+    readerContextToken: string;
+    trust_level: "presence-only-demo";
+}
+/** Build the REAL signed OpenID4VP request for the payment credential. */
+export declare function buildDcPaymentRequest(order: CeremonyOrder, origin: Origin, secret: string): Promise<SignedDcPaymentRequest>;

package/dist/ceremony/dc-payment/request.js

@@ -0,0 +1,50 @@
+// REAL signed OpenID4VP request for the dc-payment rail. Faithfully ported from the
+// demo's payment-gate/dc-payment/request.ts. It mints a reader cert
+// (@peculiar/x509), an ephemeral ECDH response-encryption key, a fresh nonce, embeds
+// the amount-bound `transaction_data` (txData.ts), and ES256-signs the verifier-bound
+// request object (jose.SignJWT). The transaction_data — and the ECDH key — are sealed
+// into a reader context (a JWE) so /verify re-checks the wallet's device-signed
+// transaction_data_hash against SHA-256 of exactly what we sent.
+//
+// The crypto here is REAL (signed request, amount binding, origin/RP binding, sealed
+// key); the issuer TRUST ANCHOR is not (the reader cert is self-signed) — trust_level
+// stays presence-only-demo.
+import * as jose from "jose";
+import { buildDcPaymentDcql } from "./dcql.js";
+import { buildTransactionData, encodeTransactionData } from "./txData.js";
+import { makeReaderCert, makeEncryptionKey } from "../mdoc/reader.js";
+import { sealReaderContext } from "../mdoc/readerContext.js";
+/** Build the REAL signed OpenID4VP request for the payment credential. */
+export async function buildDcPaymentRequest(order, origin, secret) {
+    const { x5c, privateKey } = await makeReaderCert(origin.rpID);
+    const { encJwk, ecdhPrivateJwk } = await makeEncryptionKey();
+    const dcql = buildDcPaymentDcql();
+    const txDataB64 = encodeTransactionData(buildTransactionData(order, origin));
+    const nonce = jose.base64url.encode(crypto.getRandomValues(new Uint8Array(16)));
+    const requestObject = {
+        response_type: "vp_token",
+        response_mode: "dc_api.jwt",
+        client_id: `x509_san_dns:${origin.rpID}`,
+        expected_origins: [origin.origin],
+        nonce,
+        dcql_query: dcql,
+        client_metadata: {
+            vp_formats_supported: { mso_mdoc: { issuerauth_alg_values: [-7], deviceauth_alg_values: [-7] } },
+            jwks: { keys: [encJwk] },
+        },
+        transaction_data: [txDataB64],
+    };
+    const request = await new jose.SignJWT(requestObject)
+        .setProtectedHeader({ alg: "ES256", typ: "oauth-authz-req+jwt", x5c: [x5c] })
+        .setIssuedAt()
+        .sign(privateKey);
+    const readerContextToken = await sealReaderContext({ ecdhPrivateJwk, transactionDataB64: txDataB64, nonce }, secret);
+    return {
+        protocol: "openid4vp-v1-signed",
+        request,
+        dcql_query: dcql,
+        transaction_data: [txDataB64],
+        readerContextToken,
+        trust_level: "presence-only-demo",
+    };
+}

package/dist/ceremony/dc-payment/routes.d.ts

@@ -0,0 +1,2 @@
+import { type RailRegistrar } from "../mount.js";
+export declare const registerDcPaymentGate: RailRegistrar;

package/dist/ceremony/dc-payment/routes.js

@@ -0,0 +1,147 @@
+// The dc-payment rail (Digital Credentials API + OpenID4VP, amount-bound) — US3.
+// Registers its routes onto the host app through the Foundational mount() seam:
+//   GET  /attestomcp/dc-payment?order=<id>          → the payment gate page
+//   GET  /attestomcp/dc-payment/request?order=<id>  → REAL signed OpenID4VP request (+ amount-bound transaction_data)
+//   POST /attestomcp/dc-payment/verify              → instant-demo claims OR a real presentation → SHARED completeOrder
+//
+// Dependency-free (no `express` import — invariant from mount.ts): handlers register
+// against the structural CeremonyApp.get/post, and the verify body is read either
+// from a host-installed body parser (`req.body`) or straight off the request stream.
+//
+// EVERY route resolves the order by id THROUGH `resolveOrder` (catalog re-pricing; a
+// tampered/unknown id is refused — CT3, invariant 2). Completion goes through the
+// injected `ctx.completion` seam — the SAME shared `completeOrder` the passkey rail
+// uses (no second completion path — FR-008, CT8): it re-prices, enforces the age
+// gate, settles (when configured), records idempotently, and clears the cart +
+// per-order verification.
+//
+// Verify has TWO paths feeding ONE set of gates + the SAME completion seam:
+//   • instant-demo — body carries `claims` directly (the tested default; CT6–CT8).
+//   • real presentation — body carries `result` from navigator.credentials.get; the
+//     wallet's JWE response is decrypted, the device-signed transaction_data_hash is
+//     re-checked against what we sealed, and the parsed mdoc drives the gates. The
+//     wire crypto is REAL; the issuer trust anchor is not (presence-only-demo).
+import { resolveOrder } from "../mount.js";
+import { buildDcPaymentRequest } from "./request.js";
+import { buildDcMandate, runDcGates, verifyDcPresentation } from "./verify.js";
+import { renderDcPaymentPage } from "./page.js";
+function firstHeader(value) {
+    return Array.isArray(value) ? value[0] : value;
+}
+function originOf(ctx, req) {
+    const reqLike = { headers: req.headers, host: firstHeader(req.headers.host) ?? "localhost", protocol: req.protocol };
+    return ctx.origin(reqLike);
+}
+// Read the JSON body from a host-installed parser, or straight off the stream when
+// no parser ran (so the rail is self-contained — it doesn't require the host to
+// mount express.json()).
+async function readJsonBody(req) {
+    if (req.body && typeof req.body === "object")
+        return req.body;
+    try {
+        const chunks = [];
+        for await (const chunk of req) {
+            chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
+        }
+        if (chunks.length === 0)
+            return {};
+        return JSON.parse(Buffer.concat(chunks).toString("utf8"));
+    }
+    catch {
+        return {};
+    }
+}
+export const registerDcPaymentGate = (app, ctx) => {
+    // The Foundational fail-fast tests mount() with a route-less app shape; only
+    // attach when the host app can actually route (CeremonyApp.get/post are optional).
+    const get = app.get?.bind(app);
+    const post = app.post?.bind(app);
+    if (!get || !post)
+        return;
+    // GET the gate page — re-priced order, presence-only honesty banner.
+    get("/attestomcp/dc-payment", async (req, res) => {
+        const order = await resolveOrder(ctx, typeof req.query.order === "string" ? req.query.order : undefined);
+        if (!order) {
+            res.status(404).type("html").send("<!doctype html><h1>Order not found</h1>");
+            return;
+        }
+        res.status(200).type("html").send(renderDcPaymentPage({
+            order: order.id,
+            total: order.total,
+            currency: order.currency,
+            lines: order.lines.map((l) => ({ name: l.name ?? l.id, quantity: l.quantity, lineTotal: l.lineTotal, currency: l.currency ?? order.currency })),
+        }));
+    });
+    // GET the REAL signed OpenID4VP request for this order — ES256-signed, carrying the
+    // amount-bound transaction_data, with the reader context (ECDH key + bound
+    // transaction_data) sealed for /verify.
+    get("/attestomcp/dc-payment/request", async (req, res) => {
+        const order = await resolveOrder(ctx, typeof req.query.order === "string" ? req.query.order : undefined);
+        if (!order) {
+            res.status(404).json({ error: "order not found" });
+            return;
+        }
+        try {
+            res.json(await buildDcPaymentRequest(order, originOf(ctx, req), ctx.signingKey));
+        }
+        catch (err) {
+            res.status(500).json({ error: err.message });
+        }
+    });
+    // POST verify — instant-demo claims OR a real wallet presentation. Resolve +
+    // re-price the order (CT3), build the amount-bound mandate, run the four
+    // deterministic gates, and complete THROUGH the shared completeOrder seam
+    // (FR-008, CT8).
+    post("/attestomcp/dc-payment/verify", async (req, res) => {
+        const body = await readJsonBody(req);
+        const order = await resolveOrder(ctx, typeof body.order === "string" ? body.order : undefined);
+        if (!order) {
+            res.status(400).json({ completed: false, error: "missing or invalid order" });
+            return;
+        }
+        const origin = originOf(ctx, req);
+        let mandate;
+        let gates;
+        try {
+            const result = body.result;
+            if (result && typeof result === "object") {
+                // REAL OpenID4VP presentation — decrypt the wallet's response, re-check the
+                // device-signed transaction_data_hash, and run the gates.
+                if (typeof body.readerContextToken !== "string") {
+                    res.status(400).json({ completed: false, error: "missing readerContextToken for openid4vp presentation" });
+                    return;
+                }
+                const out = await verifyDcPresentation({ order, origin, result, readerContextToken: body.readerContextToken, secret: ctx.signingKey });
+                mandate = out.mandate;
+                gates = out.gates;
+            }
+            else {
+                // Instant-demo claims path (the tested default).
+                const claims = (body.claims && typeof body.claims === "object" ? body.claims : {});
+                const presentedAmount = typeof body.amount === "number" ? body.amount : order.total;
+                mandate = buildDcMandate({ order, origin, claims, presentedAmount });
+                gates = runDcGates(mandate, origin);
+            }
+        }
+        catch (err) {
+            res.status(400).json({ completed: false, error: err.message, trust_level: "presence-only-demo" });
+            return;
+        }
+        // Complete through the SHARED seam (idempotent record + re-price + age gate +
+        // optional settle + clear cart & per-order verification). No second path.
+        const input = {
+            order,
+            mandateId: mandate.id,
+            amount: mandate.payment.amount,
+            currency: mandate.payment.currency,
+            method: "dc-payment",
+            instrument: mandate.payment.instrument,
+            gates,
+        };
+        const result = await ctx.completion(input);
+        // Forward the on-chain settlement (when configured + succeeded) AND the
+        // settlementError (a configured-but-failed settle → authorized-but-not-settled,
+        // FR-013) so the page can render the x402 receipt or the calm refusal line.
+        res.json({ mandate, gates, completed: result.completed, ...(result.reason ? { reason: result.reason } : {}), ...(result.settlement ? { settlement: result.settlement } : {}), ...(result.settlementError ? { settlementError: result.settlementError } : {}) });
+    });
+};

package/dist/ceremony/dc-payment/txData.d.ts

@@ -0,0 +1,19 @@
+import type { CeremonyOrder } from "../types.js";
+import type { Origin } from "../origin.js";
+export interface TransactionData {
+    type: "urn:eudi:sca:payment:1";
+    credential_ids: string[];
+    payload: {
+        transaction_id: string;
+        amount: number;
+        currency: string;
+        payee: {
+            id: string;
+            name: string;
+        };
+    };
+}
+export declare function buildTransactionData(order: CeremonyOrder, origin: Origin): TransactionData;
+export declare function encodeTransactionData(txData: TransactionData): string;
+export declare function hashTransactionData(txDataB64: string): string;
+export declare function decodeTransactionData(txDataB64: string): TransactionData;

package/dist/ceremony/dc-payment/txData.js

@@ -0,0 +1,34 @@
+// Single source of truth for the OpenID4VP transaction_data entry (amount binding).
+// Extracted from the demo's payment-gate/dc-payment/txData.ts, but DEPENDENCY-FREE:
+// `jose.base64url.encode` becomes a Buffer base64url and the SHA-256 stays on
+// node:crypto. Amount + payee come from the order + origin via the shared
+// `buildBindingFields`, so the hash the wallet would sign is derived from the SAME
+// fields Gate 1 (verify.ts#runDcGates) re-checks. The wallet's SIGNATURE over this
+// hash is the PR-in-flight crypto (request.ts scaffolds the signed request); the
+// binding itself is real here.
+import { createHash, randomUUID } from "node:crypto";
+import { buildBindingFields } from "../mandate.js";
+export function buildTransactionData(order, origin) {
+    const b = buildBindingFields(order, origin);
+    return {
+        type: "urn:eudi:sca:payment:1",
+        credential_ids: ["dpc"],
+        payload: {
+            transaction_id: randomUUID(),
+            amount: b.amount,
+            currency: b.currency,
+            payee: b.payee,
+        },
+    };
+}
+export function encodeTransactionData(txData) {
+    return Buffer.from(JSON.stringify(txData), "utf8").toString("base64url");
+}
+// SHA-256 of the base64url transaction_data string, itself base64url. This is the
+// value the wallet signs over (transaction_data_hash) and Gate 1 re-derives.
+export function hashTransactionData(txDataB64) {
+    return createHash("sha256").update(txDataB64).digest("base64url");
+}
+export function decodeTransactionData(txDataB64) {
+    return JSON.parse(Buffer.from(txDataB64, "base64url").toString("utf8"));
+}

package/dist/ceremony/dc-payment/verify.d.ts

@@ -0,0 +1,108 @@
+import type { CeremonyOrder } from "../types.js";
+import type { Origin } from "../origin.js";
+export interface DcInstrument {
+    issuer: string | null;
+    instrumentId: string | null;
+    maskedAccount: string | null;
+    holder: string | null;
+    expiry: string | null;
+}
+export interface DcMandate {
+    type: "ap2.PaymentMandate";
+    version: "0.1-dc-demo";
+    id: string;
+    issuedAt: string;
+    expiresAt: string;
+    issuer: string;
+    subject: {
+        credentialId: string | null;
+    };
+    cart: CeremonyOrder;
+    payment: {
+        instrument: DcInstrument;
+        amount: number;
+        currency: string;
+    };
+    userAuthorization: {
+        type: "openid4vp-dc-api";
+        /** The amount-bound transaction_data the wallet would sign over (base64url). */
+        transactionData: string;
+        /**
+         * The transaction_data_hash Gate 1 re-checks against SHA-256(transactionData).
+         * Instant-demo: the server's own hash (always matches). REAL path: the value
+         * EXTRACTED from the wallet's device-signed DeviceResponse — so Gate 1 verifies
+         * the wallet actually authorized THIS amount/payee.
+         */
+        transactionDataHash: string | null;
+        /** Presence-only: the instrument was disclosed but not cryptographically verified. */
+        presented: boolean;
+        /**
+         * REAL path only — the wallet's raw mdoc vp_token (base64url DeviceResponse) and
+         * the structural issuerAuth/deviceAuth presence Gate 2 reads. Absent on the
+         * instant-demo path (Gate 2 falls back to instrument presence there).
+         */
+        vpToken?: string;
+        authBlocks?: {
+            hasIssuerAuth: boolean;
+            hasDeviceAuth: boolean;
+        };
+    };
+    trust_level: "presence-only-demo";
+}
+/**
+ * Build the presence-only DC payment mandate. The transaction_data is derived from
+ * the (catalog-re-priced) order + this RP's origin, so its amount/payee are the
+ * server's truth; `presentedAmount` is what the caller asserts authorizing (Gate 1
+ * re-checks it equals the re-derived payable — a tampered value is refused).
+ */
+export declare function buildDcMandate(args: {
+    order: CeremonyOrder;
+    origin: Origin;
+    claims: Record<string, unknown>;
+    presentedAmount?: number;
+    issuer?: string;
+}): DcMandate;
+export interface GateResult {
+    gate: string;
+    pass: boolean;
+    detail: string;
+}
+export declare function runDcGates(mandate: DcMandate, origin: Origin, opts?: {
+    loyaltyDiscountPct?: number;
+}): GateResult[];
+/**
+ * Build the DC mandate from a REAL wallet DeviceResponse. Unlike the instant-demo
+ * builder, `transactionDataHash` is the value EXTRACTED from the wallet's
+ * device-signed mdoc (deviceSigned/transaction_data_hash) — Gate 1 then re-checks it
+ * equals SHA-256 of the transaction_data WE sealed (transactionDataB64). The vpToken
+ * + parsed issuerAuth/deviceAuth presence drive Gate 2. The instrument fields come
+ * from the issuer-signed namespaces of the SAME DeviceResponse.
+ */
+export declare function buildDcMandateFromPresentation(args: {
+    order: CeremonyOrder;
+    vpStr: string;
+    transactionDataB64: string;
+    issuer?: string;
+}): DcMandate;
+export interface DcVerification {
+    mandate: DcMandate;
+    gates: GateResult[];
+}
+/**
+ * Verify the wallet's REAL OpenID4VP presentation: open the sealed reader context,
+ * JWE-decrypt the response (jose ECDH-ES compactDecrypt), pull the mdoc vp_token,
+ * build the amount-bound mandate from the device-signed DeviceResponse, and run the
+ * four gates. Faithfully ported from the demo's payment-gate/dc-payment/verify.ts.
+ * The crypto (decryption + the transaction_data hash binding) is REAL; the issuer
+ * trust anchor is not (trust_level presence-only-demo).
+ */
+export declare function verifyDcPresentation(args: {
+    order: CeremonyOrder;
+    origin: Origin;
+    result: {
+        protocol?: string;
+        data?: unknown;
+    };
+    readerContextToken: string;
+    secret: string;
+}): Promise<DcVerification>;