@paybond/kit 0.11.10 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (128) hide show
  1. package/README.md +2 -2
  2. package/completion-presets/catalog.json +374 -3
  3. package/completion-presets/catalog.sha256 +1 -1
  4. package/dist/agent/facade.js +13 -0
  5. package/dist/agent/guarded-agent.d.ts +1 -1
  6. package/dist/agent/guarded-agent.js +19 -0
  7. package/dist/agent/index.d.ts +2 -1
  8. package/dist/agent/index.js +1 -0
  9. package/dist/agent/instrument.d.ts +6 -0
  10. package/dist/agent/instrument.js +6 -0
  11. package/dist/agent/interceptor.d.ts +9 -0
  12. package/dist/agent/interceptor.js +177 -1
  13. package/dist/agent/receipt-client.d.ts +49 -0
  14. package/dist/agent/receipt-client.js +45 -0
  15. package/dist/agent/registry.js +1 -0
  16. package/dist/agent/run.d.ts +2 -0
  17. package/dist/agent/run.js +52 -0
  18. package/dist/agent/types.d.ts +70 -0
  19. package/dist/agent-receipt-external-attestations.d.ts +29 -0
  20. package/dist/agent-receipt-external-attestations.js +124 -0
  21. package/dist/agent-receipt.d.ts +134 -0
  22. package/dist/agent-receipt.js +580 -0
  23. package/dist/agent-recognition.d.ts +25 -0
  24. package/dist/agent-recognition.js +36 -0
  25. package/dist/audit/exports.d.ts +72 -0
  26. package/dist/audit/exports.js +185 -0
  27. package/dist/audit/index.d.ts +3 -0
  28. package/dist/audit/index.js +3 -0
  29. package/dist/audit/verify.d.ts +8 -0
  30. package/dist/audit/verify.js +113 -0
  31. package/dist/audit/wire.d.ts +54 -0
  32. package/dist/audit/wire.js +80 -0
  33. package/dist/cli/agent/demo-loaders.d.ts +2 -0
  34. package/dist/cli/agent/demo-loaders.js +24 -0
  35. package/dist/cli/agent/production-evidence.d.ts +11 -0
  36. package/dist/cli/agent/production-evidence.js +17 -0
  37. package/dist/cli/audit-export.d.ts +2 -7
  38. package/dist/cli/audit-export.js +2 -120
  39. package/dist/cli/command-spec.js +43 -10
  40. package/dist/cli/commands/agent.d.ts +3 -0
  41. package/dist/cli/commands/agent.js +143 -1
  42. package/dist/cli/commands/discovery.js +39 -36
  43. package/dist/cli/commands/workflows.js +116 -18
  44. package/dist/cli/help.d.ts +1 -1
  45. package/dist/cli/help.js +12 -8
  46. package/dist/cli/intents-harbor-mutation.d.ts +18 -0
  47. package/dist/cli/intents-harbor-mutation.js +33 -0
  48. package/dist/cli/paybond.d.ts +9 -0
  49. package/dist/cli/paybond.js +23 -0
  50. package/dist/cli/redact.js +3 -0
  51. package/dist/cloudflare-agents/config.d.ts +24 -0
  52. package/dist/cloudflare-agents/config.js +23 -0
  53. package/dist/cloudflare-agents/index.d.ts +3 -0
  54. package/dist/cloudflare-agents/index.js +3 -0
  55. package/dist/cloudflare-agents/peer.d.ts +9 -0
  56. package/dist/cloudflare-agents/peer.js +20 -0
  57. package/dist/cloudflare-agents/sandbox-demo.d.ts +36 -0
  58. package/dist/cloudflare-agents/sandbox-demo.js +89 -0
  59. package/dist/completion-catalog-digest.d.ts +1 -1
  60. package/dist/completion-catalog-digest.js +1 -1
  61. package/dist/completion-init.js +8 -3
  62. package/dist/dev/offline-gateway.d.ts +2 -1
  63. package/dist/dev/offline-gateway.js +34 -3
  64. package/dist/dev/x402-fund-mock.d.ts +28 -0
  65. package/dist/dev/x402-fund-mock.js +124 -0
  66. package/dist/index.d.ts +125 -9
  67. package/dist/index.js +264 -17
  68. package/dist/init.js +113 -2
  69. package/dist/mastra/config.d.ts +30 -0
  70. package/dist/mastra/config.js +58 -0
  71. package/dist/mastra/index.d.ts +2 -0
  72. package/dist/mastra/index.js +2 -0
  73. package/dist/mastra/peer.d.ts +11 -0
  74. package/dist/mastra/peer.js +24 -0
  75. package/dist/mastra/sandbox-demo.d.ts +36 -0
  76. package/dist/mastra/sandbox-demo.js +87 -0
  77. package/dist/mcp/index.d.ts +1 -0
  78. package/dist/mcp/index.js +1 -0
  79. package/dist/mcp/sandbox-demo.d.ts +38 -0
  80. package/dist/mcp/sandbox-demo.js +112 -0
  81. package/dist/mcp-receipt-resource.d.ts +10 -0
  82. package/dist/mcp-receipt-resource.js +32 -0
  83. package/dist/mcp-server.d.ts +6 -0
  84. package/dist/mcp-server.js +124 -1
  85. package/dist/mpp-commercial.d.ts +19 -0
  86. package/dist/mpp-commercial.js +34 -0
  87. package/dist/mpp-funding.d.ts +71 -0
  88. package/dist/mpp-funding.js +192 -0
  89. package/dist/payment-transport.d.ts +30 -0
  90. package/dist/payment-transport.js +56 -0
  91. package/dist/policy/init.js +2 -0
  92. package/dist/policy/intent-spec.js +2 -0
  93. package/dist/principal-intent.d.ts +1 -1
  94. package/dist/principal-intent.js +4 -1
  95. package/dist/project-init.js +8 -0
  96. package/dist/template-init.d.ts +2 -2
  97. package/dist/template-init.js +6 -2
  98. package/dist/x402-funding.d.ts +52 -0
  99. package/dist/x402-funding.js +124 -0
  100. package/package.json +20 -2
  101. package/templates/manifest.json +28 -9
  102. package/templates/openai-shopping-agent/package-lock.json +16 -8
  103. package/templates/openai-shopping-agent/package.json +1 -1
  104. package/templates/paybond-aws-operator/package-lock.json +13 -5
  105. package/templates/paybond-aws-operator/package.json +1 -1
  106. package/templates/paybond-claude-agents-demo/package-lock.json +16 -8
  107. package/templates/paybond-claude-agents-demo/package.json +1 -1
  108. package/templates/paybond-invoice-agent/requirements.txt +1 -1
  109. package/templates/paybond-mastra-travel-agent/.env.example +3 -0
  110. package/templates/paybond-mastra-travel-agent/.github/workflows/smoke.yml +20 -0
  111. package/templates/paybond-mastra-travel-agent/LICENSE +201 -0
  112. package/templates/paybond-mastra-travel-agent/README.md +29 -0
  113. package/templates/paybond-mastra-travel-agent/package-lock.json +3377 -0
  114. package/templates/paybond-mastra-travel-agent/package.json +22 -0
  115. package/templates/paybond-mastra-travel-agent/paybond.policy.yaml +22 -0
  116. package/templates/paybond-mastra-travel-agent/src/index.ts +22 -0
  117. package/templates/paybond-mastra-travel-agent/src/paybond.config.ts +51 -0
  118. package/templates/paybond-mastra-travel-agent/tsconfig.json +13 -0
  119. package/templates/paybond-mcp-coding-agent/package-lock.json +13 -5
  120. package/templates/paybond-mcp-coding-agent/package.json +1 -1
  121. package/templates/paybond-openai-agents-demo/package-lock.json +16 -8
  122. package/templates/paybond-openai-agents-demo/package.json +1 -1
  123. package/templates/paybond-procurement-agent/package-lock.json +13 -5
  124. package/templates/paybond-procurement-agent/package.json +1 -1
  125. package/templates/paybond-travel-agent/package-lock.json +16 -8
  126. package/templates/paybond-travel-agent/package.json +1 -1
  127. package/templates/paybond-vercel-shopping-agent/package-lock.json +13 -5
  128. package/templates/paybond-vercel-shopping-agent/package.json +1 -1
package/dist/index.js CHANGED
@@ -4,14 +4,18 @@
4
4
  */
5
5
  import { buildSignedCreateIntentBody, buildSignedCreateIntentBodyWithPolicyBinding, } from "./principal-intent.js";
6
6
  import { signPayeeEvidenceBinding } from "./payee-evidence.js";
7
- import { PaybondAgentRunFacade, PaybondInstrumentBuilder, createGuardedAgent, createGuardedAgentRunner, createPaybondAgent, createPaybondToolRegistry, instrumentPaybondAgent, instrumentPaybondClaudeAgents, instrumentPaybondLangGraph, instrumentPaybondMCP, instrumentPaybondOpenAI, instrumentPaybondVercel, resolveAgentPolicySource, wrapPaybondTools, } from "./agent/index.js";
7
+ import { PaybondAgentRunFacade, createPaybondAgentCallable, PaybondInstrumentBuilder, createGuardedAgent, createGuardedAgentRunner, createPaybondAgent, createPaybondToolRegistry, instrumentPaybondAgent, instrumentPaybondClaudeAgents, instrumentPaybondLangGraph, instrumentPaybondMCP, instrumentPaybondOpenAI, instrumentPaybondVercel, resolveAgentPolicySource, wrapPaybondTools, } from "./agent/index.js";
8
8
  import { GatewayAgentRunTraceReporter, } from "./agent/gateway-trace-reporter.js";
9
9
  import { fetchWithGatewayRetries, gatewayRetryDelayMs, shouldRetryGatewayResponse, } from "./gateway-retry.js";
10
+ import { PaybondAudit, PaybondAuditExports } from "./audit/index.js";
11
+ import { formatPaymentAuthorizationValue, paymentAuthorizationGatewayHeader, readFundPaymentTransportHeaders, } from "./payment-transport.js";
10
12
  import { parsePolicyRemoteValidateResponse, policyValidateQueryString, } from "./policy/validate-remote.js";
11
13
  import { parsePolicyEffectiveResolveResponse, } from "./policy/load-effective.js";
12
14
  import { paybondPolicyPresets } from "./policy/policy-api.js";
13
15
  import { paybondSolutionPresets } from "./solutions/api.js";
14
16
  import { requireSecureGatewayUrl } from "./gateway-url.js";
17
+ import { executeFundWithX402, } from "./x402-funding.js";
18
+ import { executeFundWithMppCharge, executeFundWithMppSession, } from "./mpp-funding.js";
15
19
  function parseVerifyCapabilityBody(body, expectedTenant, expectedIntentId) {
16
20
  const tenant = String(body.tenant ?? "");
17
21
  const intentId = String(body.intent_id ?? "");
@@ -81,6 +85,12 @@ function verifyCapabilityPayload(input) {
81
85
  payload.approval_token = input.approvalToken.trim();
82
86
  if (input.idempotencyKey?.trim())
83
87
  payload.idempotency_key = input.idempotencyKey.trim();
88
+ if (input.modelFamily?.trim())
89
+ payload.model_family = input.modelFamily.trim();
90
+ if (input.configHashHex?.trim())
91
+ payload.config_hash_hex = input.configHashHex.trim().toLowerCase();
92
+ if (input.promptHashHex?.trim())
93
+ payload.prompt_hash_hex = input.promptHashHex.trim().toLowerCase();
84
94
  return payload;
85
95
  }
86
96
  export const DEFAULT_PAYBOND_GATEWAY_BASE_URL = "https://api.paybond.ai";
@@ -467,7 +477,7 @@ export class HarborClient {
467
477
  }
468
478
  throw lastErr instanceof Error ? lastErr : new Error(String(lastErr));
469
479
  }
470
- async fetchWithRetries(url, init, { retryBody, retryBodyText, }) {
480
+ async fetchWithRetries(url, init, { retryBody, retryBodyText, appendAuthorization, } = {}) {
471
481
  let lastErr;
472
482
  for (let attempt = 0; attempt < this.maxRetries; attempt++) {
473
483
  let res;
@@ -477,6 +487,9 @@ export class HarborClient {
477
487
  for (const [k, v] of Object.entries(auth)) {
478
488
  headers.set(k, v);
479
489
  }
490
+ for (const value of appendAuthorization ?? []) {
491
+ headers.append("authorization", value);
492
+ }
480
493
  res = await fetch(url, { ...init, headers });
481
494
  }
482
495
  catch (e) {
@@ -598,11 +611,18 @@ export class HarborClient {
598
611
  if (options?.paymentSignature?.trim()) {
599
612
  headers["payment-signature"] = options.paymentSignature.trim();
600
613
  }
614
+ const appendAuthorization = options?.paymentAuthorization?.trim() !== undefined &&
615
+ options.paymentAuthorization.trim() !== ""
616
+ ? [formatPaymentAuthorizationValue(options.paymentAuthorization)]
617
+ : undefined;
601
618
  const res = await this.fetchWithRetries(url, {
602
619
  method: "POST",
603
620
  headers,
604
621
  body: "",
605
- }, { retryBodyText: "" });
622
+ }, {
623
+ retryBodyText: "",
624
+ appendAuthorization,
625
+ });
606
626
  const text = await res.text();
607
627
  if (![200, 202, 402].includes(res.status)) {
608
628
  throw new HarborHttpError(`Harbor fund intent HTTP ${res.status}: ${text}`, {
@@ -612,6 +632,7 @@ export class HarborClient {
612
632
  });
613
633
  }
614
634
  const body = assertJSONObject(JSON.parse(text));
635
+ const transport = readFundPaymentTransportHeaders(res.headers);
615
636
  const tenant = String(body.tenant ?? "");
616
637
  if (tenant !== this.tenantId) {
617
638
  throw new Error(`fund tenant mismatch: client=${this.tenantId} harbor=${tenant}`);
@@ -634,6 +655,9 @@ export class HarborClient {
634
655
  statusCode: res.status,
635
656
  paymentRequired: res.headers.get("payment-required") ?? undefined,
636
657
  paymentResponse: res.headers.get("payment-response") ?? undefined,
658
+ wwwAuthenticate: transport.wwwAuthenticate,
659
+ paymentReceipt: transport.paymentReceipt,
660
+ cacheControl: transport.cacheControl,
637
661
  intentId: echoedIntentId,
638
662
  tenant,
639
663
  state: body.state,
@@ -684,6 +708,34 @@ export class HarborClient {
684
708
  predicatePassed: body.predicate_passed,
685
709
  };
686
710
  }
711
+ /**
712
+ * POST `/intents/{intentId}/settlement/confirm` — confirms the settlement action implied by
713
+ * stored evidence evaluation (does not choose release vs refund).
714
+ */
715
+ async confirmSettlement(intentId, body = {}, options) {
716
+ const url = `${this.base}intents/${intentId}/settlement/confirm`;
717
+ const headers = {
718
+ "content-type": "application/json",
719
+ "x-tenant-id": this.tenantId,
720
+ };
721
+ if (options?.idempotencyKey?.trim()) {
722
+ headers["idempotency-key"] = options.idempotencyKey.trim();
723
+ }
724
+ const res = await this.fetchWithRetries(url, {
725
+ method: "POST",
726
+ headers,
727
+ body: JSON.stringify(body),
728
+ }, { retryBody: body });
729
+ const text = await res.text();
730
+ if (!res.ok) {
731
+ throw new HarborHttpError(`Harbor settlement confirm HTTP ${res.status}: ${text}`, {
732
+ statusCode: res.status,
733
+ url,
734
+ bodyText: text,
735
+ });
736
+ }
737
+ return JSON.parse(text);
738
+ }
687
739
  /**
688
740
  * `GET /ledger/v1/tip` — latest sequence and entry commitment for the authenticated tenant.
689
741
  *
@@ -966,9 +1018,13 @@ export class GatewayHarborClient {
966
1018
  return JSON.parse(text);
967
1019
  }
968
1020
  async fundIntent(intentId, options) {
969
- const { res, text, url } = await this.postJSON(`/harbor/intents/${encodeURIComponent(intentId)}/fund`, {}, this.mutationHeaders("fundIntent", options, {
1021
+ const paymentHeaders = {
970
1022
  ...(options.paymentSignature?.trim() ? { "payment-signature": options.paymentSignature.trim() } : {}),
971
- }));
1023
+ ...(options.paymentAuthorization?.trim()
1024
+ ? paymentAuthorizationGatewayHeader(options.paymentAuthorization)
1025
+ : {}),
1026
+ };
1027
+ const { res, text, url } = await this.postJSON(`/harbor/intents/${encodeURIComponent(intentId)}/fund`, {}, this.mutationHeaders("fundIntent", options, paymentHeaders));
972
1028
  if (![200, 202, 402].includes(res.status)) {
973
1029
  throw new HarborHttpError(`Gateway Harbor fund intent HTTP ${res.status}: ${text}`, {
974
1030
  statusCode: res.status,
@@ -976,12 +1032,16 @@ export class GatewayHarborClient {
976
1032
  bodyText: text,
977
1033
  });
978
1034
  }
1035
+ const transport = readFundPaymentTransportHeaders(res.headers);
979
1036
  return parseFundIntentResponse(assertJSONObject(JSON.parse(text)), {
980
1037
  tenantId: this.tenantId,
981
1038
  intentId,
982
1039
  statusCode: res.status,
983
1040
  paymentRequired: res.headers.get("payment-required") ?? undefined,
984
1041
  paymentResponse: res.headers.get("payment-response") ?? undefined,
1042
+ wwwAuthenticate: transport.wwwAuthenticate,
1043
+ paymentReceipt: transport.paymentReceipt,
1044
+ cacheControl: transport.cacheControl,
985
1045
  source: "gateway",
986
1046
  });
987
1047
  }
@@ -996,6 +1056,18 @@ export class GatewayHarborClient {
996
1056
  }
997
1057
  return parseSubmitEvidenceResponse(JSON.parse(text));
998
1058
  }
1059
+ /** Recognition-gated Gateway Harbor settlement confirmation. */
1060
+ async confirmSettlement(intentId, body, options) {
1061
+ const { res, text, url } = await this.postJSON(`/harbor/intents/${encodeURIComponent(intentId)}/settlement/confirm`, body, this.mutationHeaders("confirmSettlement", options));
1062
+ if (!res.ok) {
1063
+ throw new HarborHttpError(`Gateway Harbor settlement confirm HTTP ${res.status}: ${text}`, {
1064
+ statusCode: res.status,
1065
+ url,
1066
+ bodyText: text,
1067
+ });
1068
+ }
1069
+ return JSON.parse(text);
1070
+ }
999
1071
  }
1000
1072
  /**
1001
1073
  * Gateway sandbox guardrail helpers.
@@ -1117,7 +1189,7 @@ export class PaybondGuardrails {
1117
1189
  }
1118
1190
  }
1119
1191
  const DEFAULT_PRINCIPAL_PATH = "/v1/auth/principal";
1120
- const SETTLEMENT_RAIL_VALUES = new Set(["stripe_connect", "stripe_ach_debit", "x402_usdc_base"]);
1192
+ const SETTLEMENT_RAIL_VALUES = new Set(["stripe_connect", "stripe_ach_debit", "stripe_mpp", "x402_usdc_base"]);
1121
1193
  const FRAUD_REVIEW_EVENT_TYPES = new Set([
1122
1194
  "review_open_requested",
1123
1195
  "appeal_requested",
@@ -1169,6 +1241,9 @@ function parseFundIntentResponse(body, init) {
1169
1241
  statusCode: init.statusCode,
1170
1242
  paymentRequired: init.paymentRequired,
1171
1243
  paymentResponse: init.paymentResponse,
1244
+ wwwAuthenticate: init.wwwAuthenticate,
1245
+ paymentReceipt: init.paymentReceipt,
1246
+ cacheControl: init.cacheControl,
1172
1247
  intentId: echoedIntentId,
1173
1248
  tenant,
1174
1249
  state: body.state,
@@ -1318,6 +1393,9 @@ function parseIntentFundingResult(value) {
1318
1393
  settlementRail: readSettlementRailValue(body.settlement_rail, "funding.settlement_rail"),
1319
1394
  harborFundEndpoint: readOptionalString("harbor_fund_endpoint"),
1320
1395
  status: readOptionalString("status"),
1396
+ intent: readOptionalString("intent"),
1397
+ method: readOptionalString("method"),
1398
+ challengeId: readOptionalString("challenge_id"),
1321
1399
  paymentSessionId: readOptionalString("payment_session_id"),
1322
1400
  paymentUrl: readOptionalString("payment_url"),
1323
1401
  stripePaymentIntentId: readOptionalString("stripe_payment_intent_id"),
@@ -1333,6 +1411,17 @@ function parseIntentFundingResult(value) {
1333
1411
  bankName: readOptionalString("bank_name"),
1334
1412
  asset: readOptionalString("asset"),
1335
1413
  network: readOptionalString("network"),
1414
+ settlementAsset: readOptionalString("settlement_asset"),
1415
+ settlementNetwork: readOptionalString("settlement_network"),
1416
+ channelId: readOptionalString("channel_id"),
1417
+ sessionProtocol: readOptionalString("session_protocol"),
1418
+ depositAmountBaseUnits: readOptionalString("deposit_amount_base_units"),
1419
+ acceptedCumulativeBaseUnits: readOptionalString("accepted_cumulative_base_units"),
1420
+ pendingCumulativeBaseUnits: readOptionalString("pending_cumulative_base_units"),
1421
+ descriptorHash: readOptionalString("descriptor_hash"),
1422
+ lastVoucherAt: readOptionalString("last_voucher_at"),
1423
+ lastSettleTxHash: readOptionalString("last_settle_tx_hash"),
1424
+ channelStatus: readOptionalString("channel_status"),
1336
1425
  authorizationId: readOptionalString("authorization_id"),
1337
1426
  captureId: readOptionalString("capture_id"),
1338
1427
  voidId: readOptionalString("void_id"),
@@ -2008,6 +2097,80 @@ export class GatewayProtocolClient {
2008
2097
  }
2009
2098
  return assertJSONObject(JSON.parse(text));
2010
2099
  }
2100
+ async getAgentReceiptV1ByID(receiptId) {
2101
+ const enc = encodeURIComponent(receiptId);
2102
+ const url = `${this.base}protocol/v2/agent-receipts/${enc}`;
2103
+ const res = await this.fetchWithRetries(url, {
2104
+ method: "GET",
2105
+ headers: this.headers(),
2106
+ });
2107
+ const text = await res.text();
2108
+ if (!res.ok) {
2109
+ const parsed = parseGatewayErrorEnvelope(text);
2110
+ throw new ProtocolHttpError(protocolHTTPErrorMessage("agent receipt", res.status, text), {
2111
+ statusCode: res.status,
2112
+ url,
2113
+ bodyText: text,
2114
+ errorCode: parsed.errorCode,
2115
+ errorMessage: parsed.errorMessage,
2116
+ });
2117
+ }
2118
+ const body = assertJSONObject(JSON.parse(text));
2119
+ if (String(body.receipt_id ?? "").trim() !== receiptId) {
2120
+ throw new Error(`agent receipt mismatch: requested=${receiptId} gateway=${String(body.receipt_id ?? "")}`);
2121
+ }
2122
+ if (String(body.tenant_id ?? "").trim() !== this.tenantId) {
2123
+ throw new Error(`agent receipt tenant mismatch: client=${this.tenantId} gateway=${String(body.tenant_id ?? "")}`);
2124
+ }
2125
+ return body;
2126
+ }
2127
+ async getAgentReceiptV1ByIntentToolCall(init) {
2128
+ const params = new URLSearchParams({
2129
+ intent_id: init.intentId,
2130
+ tool_call_id: init.toolCallId,
2131
+ });
2132
+ const url = `${this.base}protocol/v2/agent-receipts?${params.toString()}`;
2133
+ const res = await this.fetchWithRetries(url, {
2134
+ method: "GET",
2135
+ headers: this.headers(),
2136
+ });
2137
+ const text = await res.text();
2138
+ if (!res.ok) {
2139
+ const parsed = parseGatewayErrorEnvelope(text);
2140
+ throw new ProtocolHttpError(protocolHTTPErrorMessage("agent receipt lookup", res.status, text), {
2141
+ statusCode: res.status,
2142
+ url,
2143
+ bodyText: text,
2144
+ errorCode: parsed.errorCode,
2145
+ errorMessage: parsed.errorMessage,
2146
+ });
2147
+ }
2148
+ const body = assertJSONObject(JSON.parse(text));
2149
+ if (String(body.tenant_id ?? "").trim() !== this.tenantId) {
2150
+ throw new Error(`agent receipt tenant mismatch: client=${this.tenantId} gateway=${String(body.tenant_id ?? "")}`);
2151
+ }
2152
+ return body;
2153
+ }
2154
+ async verifyAgentReceiptV1(receipt) {
2155
+ const url = `${this.base}protocol/v2/agent-receipts/verify`;
2156
+ const res = await this.fetchWithRetries(url, {
2157
+ method: "POST",
2158
+ headers: this.headers({ "content-type": "application/json" }),
2159
+ body: JSON.stringify(receipt),
2160
+ });
2161
+ const text = await res.text();
2162
+ if (!res.ok) {
2163
+ const parsed = parseGatewayErrorEnvelope(text);
2164
+ throw new ProtocolHttpError(protocolHTTPErrorMessage("agent receipt verify", res.status, text), {
2165
+ statusCode: res.status,
2166
+ url,
2167
+ bodyText: text,
2168
+ errorCode: parsed.errorCode,
2169
+ errorMessage: parsed.errorMessage,
2170
+ });
2171
+ }
2172
+ return assertJSONObject(JSON.parse(text));
2173
+ }
2011
2174
  async createHarborIntent(init) {
2012
2175
  return this.postJSON("/harbor/intents", init.body, gatewayMutationHeaders(init.recognitionProof, {
2013
2176
  ...(init.idempotencyKey?.trim() ? { "idempotency-key": init.idempotencyKey.trim() } : {}),
@@ -2131,7 +2294,8 @@ function nowRfc3339Seconds() {
2131
2294
  return new Date().toISOString().replace(/\.\d{3}Z$/, "Z");
2132
2295
  }
2133
2296
  /**
2134
- * Ergonomic intent helpers: principal-signed intent create, x402 funding, and payee-signed evidence.
2297
+ * Ergonomic intent helpers: principal-signed intent create, x402 funding, payee-signed evidence,
2298
+ * and settlement confirmation.
2135
2299
  */
2136
2300
  export class PaybondIntents {
2137
2301
  harbor;
@@ -2174,10 +2338,78 @@ export class PaybondIntents {
2174
2338
  async fund(params) {
2175
2339
  return this.harbor.fundIntent(params.intentId, {
2176
2340
  paymentSignature: params.paymentSignature,
2341
+ paymentAuthorization: params.paymentAuthorization,
2177
2342
  idempotencyKey: params.idempotencyKey,
2178
2343
  recognitionProof: params.recognitionProof,
2179
2344
  });
2180
2345
  }
2346
+ /**
2347
+ * One-call x402 fund flow: sign 402 challenges, retry with `payment-signature`, and poll until funded.
2348
+ *
2349
+ * Wallet keys stay app-owned — pass injectable `signPayment` and `issueRecognitionProof` callbacks.
2350
+ */
2351
+ async fundWithX402(params) {
2352
+ const { intentId, recognitionProof, signPayment, issueRecognitionProof, pollOptions, idempotencyKey } = params;
2353
+ return executeFundWithX402({
2354
+ intentId,
2355
+ recognitionProof,
2356
+ signPayment,
2357
+ issueRecognitionProof,
2358
+ pollOptions,
2359
+ fund: ({ recognitionProof: proof, paymentSignature }) => this.fund({
2360
+ intentId,
2361
+ recognitionProof: proof,
2362
+ paymentSignature,
2363
+ idempotencyKey,
2364
+ }),
2365
+ });
2366
+ }
2367
+ /**
2368
+ * One-shot Stripe MPP charge fund flow: create Payment Auth credentials from 402 challenges,
2369
+ * retry with `paymentAuthorization`, and poll until funded.
2370
+ *
2371
+ * MPP wallet and SPT secrets stay app-owned — pass injectable `createPaymentCredential` and
2372
+ * `issueRecognitionProof` callbacks.
2373
+ */
2374
+ async fundWithMppCharge(params) {
2375
+ const { intentId, recognitionProof, createPaymentCredential, issueRecognitionProof, pollOptions, idempotencyKey, } = params;
2376
+ return executeFundWithMppCharge({
2377
+ intentId,
2378
+ recognitionProof,
2379
+ createPaymentCredential,
2380
+ issueRecognitionProof,
2381
+ pollOptions,
2382
+ fund: ({ recognitionProof: proof, paymentAuthorization }) => this.fund({
2383
+ intentId,
2384
+ recognitionProof: proof,
2385
+ paymentAuthorization,
2386
+ idempotencyKey,
2387
+ }),
2388
+ });
2389
+ }
2390
+ /**
2391
+ * Tempo MPP session fund flow: open a session channel deposit via Payment Auth credentials,
2392
+ * retry with `paymentAuthorization`, and poll until the intent is funded.
2393
+ *
2394
+ * MPP wallet and SPT secrets stay app-owned — pass injectable `createPaymentCredential` and
2395
+ * `issueRecognitionProof` callbacks.
2396
+ */
2397
+ async fundWithMppSession(params) {
2398
+ const { intentId, recognitionProof, createPaymentCredential, issueRecognitionProof, pollOptions, idempotencyKey, } = params;
2399
+ return executeFundWithMppSession({
2400
+ intentId,
2401
+ recognitionProof,
2402
+ createPaymentCredential,
2403
+ issueRecognitionProof,
2404
+ pollOptions,
2405
+ fund: ({ recognitionProof: proof, paymentAuthorization }) => this.fund({
2406
+ intentId,
2407
+ recognitionProof: proof,
2408
+ paymentAuthorization,
2409
+ idempotencyKey,
2410
+ }),
2411
+ });
2412
+ }
2181
2413
  /**
2182
2414
  * Sign payee evidence and POST it. `payeeSigningSeed` must be 32 bytes.
2183
2415
  */
@@ -2191,6 +2423,14 @@ export class PaybondIntents {
2191
2423
  });
2192
2424
  return this.harbor.submitEvidence(rest.intentId, wire, { idempotencyKey, recognitionProof });
2193
2425
  }
2426
+ /**
2427
+ * Confirm Harbor settlement through Gateway `POST /harbor/intents/{id}/settlement/confirm`.
2428
+ * Confirms the action implied by stored evidence; does not choose release vs refund.
2429
+ */
2430
+ async confirmSettlement(params) {
2431
+ const { intentId, recognitionProof, body = {}, idempotencyKey } = params;
2432
+ return this.harbor.confirmSettlement(intentId, body, { idempotencyKey, recognitionProof });
2433
+ }
2194
2434
  }
2195
2435
  /**
2196
2436
  * High-level Kit entrypoint: tenant-bound Gateway clients plus ergonomic intent helpers.
@@ -2203,8 +2443,10 @@ export class Paybond {
2203
2443
  a2a;
2204
2444
  protocol;
2205
2445
  intents;
2446
+ audit;
2206
2447
  agentRun;
2207
- constructor(harbor, guardrails, signal, fraud, a2a, protocol) {
2448
+ agent;
2449
+ constructor(harbor, guardrails, signal, fraud, a2a, protocol, audit) {
2208
2450
  this.harbor = harbor;
2209
2451
  this.guardrails = guardrails;
2210
2452
  this.signal = signal;
@@ -2212,7 +2454,9 @@ export class Paybond {
2212
2454
  this.a2a = a2a;
2213
2455
  this.protocol = protocol;
2214
2456
  this.intents = new PaybondIntents(harbor);
2457
+ this.audit = audit;
2215
2458
  this.agentRun = new PaybondAgentRunFacade(this);
2459
+ this.agent = createPaybondAgentCallable(protocol, (input) => createPaybondAgent(this, input));
2216
2460
  }
2217
2461
  /** Open a tenant-bound hosted Paybond session from a service-account API key. */
2218
2462
  static async open(init) {
@@ -2243,7 +2487,11 @@ export class Paybond {
2243
2487
  staticGatewayBearerToken: init.apiKey,
2244
2488
  maxRetries,
2245
2489
  });
2246
- return new Paybond(harbor, guardrails, signal, fraud, a2a, protocol);
2490
+ const audit = new PaybondAudit(PaybondAuditExports.open(gatewayBaseUrl, tenantId, {
2491
+ staticGatewayBearerToken: init.apiKey,
2492
+ maxRetries,
2493
+ }));
2494
+ return new Paybond(harbor, guardrails, signal, fraud, a2a, protocol, audit);
2247
2495
  }
2248
2496
  /** Reserved for future HTTP client cleanup; safe to call after work completes. */
2249
2497
  async aclose() {
@@ -2295,13 +2543,6 @@ export class Paybond {
2295
2543
  instrumentMCP(input) {
2296
2544
  return instrumentPaybondMCP(this, input);
2297
2545
  }
2298
- /**
2299
- * Opinionated quickstart: resolve named policy presets (for example `travel`) or file paths,
2300
- * then instrument tools for the selected framework.
2301
- */
2302
- agent(input) {
2303
- return createPaybondAgent(this, input);
2304
- }
2305
2546
  /** Wrap tools for an existing bound run without reloading policy. */
2306
2547
  wrapTools(run, tools, options) {
2307
2548
  return wrapPaybondTools(run, tools, options);
@@ -2325,10 +2566,16 @@ export class Paybond {
2325
2566
  export { normalizeJson, jsonValueDigest } from "./json-digest.js";
2326
2567
  export { buildSignedCreateIntentBody, buildSignedCreateIntentBodyWithPolicyBinding, intentCreationSignBytesRaw, intentCreationSignBytesWithPolicyBinding, } from "./principal-intent.js";
2327
2568
  export { artifactsDigest, evidenceSignBytesV1, signPayeeEvidenceBinding, } from "./payee-evidence.js";
2328
- export { AGENT_RECOGNITION_GATEWAY_VERIFIER_ID, AGENT_RECOGNITION_PROOF_KIND_V1, AGENT_RECOGNITION_PURPOSE_EVIDENCE_SUBMIT, newAgentRecognitionRequestEnvelope, signAgentRecognitionProofV1, signHarborEvidenceSubmitRecognitionProof, } from "./agent-recognition.js";
2569
+ export { AGENT_RECOGNITION_GATEWAY_VERIFIER_ID, AGENT_RECOGNITION_PROOF_KIND_V1, AGENT_RECOGNITION_PURPOSE_CREATE, AGENT_RECOGNITION_PURPOSE_FUND, AGENT_RECOGNITION_PURPOSE_EVIDENCE_SUBMIT, newAgentRecognitionRequestEnvelope, signAgentRecognitionProofV1, signHarborCreateRecognitionProof, signHarborFundRecognitionProof, signHarborEvidenceSubmitRecognitionProof, signHarborSettlementConfirmRecognitionProof, } from "./agent-recognition.js";
2570
+ export { executeFundWithX402, buildX402FundRequestEnvelope, PaybondX402FundingFailedError, PaybondX402FundingPendingError, } from "./x402-funding.js";
2571
+ export { executeFundWithMpp, executeFundWithMppCharge, executeFundWithMppSession, buildMppFundRequestEnvelope, parsePaymentAuthChallenge, selectMppChargeChallenge, selectMppSessionChallenge, PaybondMppFundingFailedError, PaybondMppFundingPendingError, } from "./mpp-funding.js";
2329
2572
  export { validateCompletionEvidence, } from "./completion-validate-evidence.js";
2330
2573
  export { completionSchemaDigestHex, computeVendorContractDigests, verifyVendorContract, verifyCatalogVendorContracts, } from "./completion-contract-digest.js";
2331
2574
  export { contractSnapshotForPreset, mapVendorEvidenceToCanonical, resolveCompletionPreset, } from "./completion-resolve.js";
2332
2575
  export { PaybondAgentRun, PaybondAgentRunBindError, PaybondAgentRunFacade, PaybondEvidenceSubmitError, PaybondToolInterceptor, PaybondToolRegistry, PaybondToolRegistryValidationError, PaybondUnregisteredSideEffectingToolError, buildAutoEvidencePayload, createGenericToolExecutor, createGuardedAgent, createGuardedAgentRunner, createPaybondAgent, createPaybondGenericAgentConfig, createPaybondGenericInputGuard, createPaybondToolRegistry, createToolInputGuardAdapter, instrumentPaybondAgent, instrumentPaybondClaudeAgents, instrumentPaybondLangGraph, instrumentPaybondMCP, instrumentPaybondOpenAI, instrumentPaybondVercel, paybondGenericToolExecutorAdapter, paybondToolInputGuardAdapter, resolveAgentPolicySource, toPaybondAgentResult, wrapPaybondTools, PaybondInstrumentBuilder, PaybondInstrumented, PaybondInstrumentRuntime, PaybondLazyContextError, PaybondUnboundContextError, discoverPolicyFromAgent, discoverToolNames, discoverToolsFromAgent, inlinePolicyToDocument, isInlinePolicy, isInstrumentableAgentObject, readPaybondAgentInstrumentation, } from "./agent/index.js";
2576
+ export { PaybondAudit, PaybondAuditExports, GatewayAuditExportsClient, parseAuditExportList, parseAuditExportJobGet, verifyAuditManifest, verifyAuditBundleLocal, } from "./audit/index.js";
2333
2577
  export { PaybondPolicy, composePolicyLayers, composeBundledPresetDefault, domain, guardrails, paybondPolicyPresets, resolveComposedPresetDocument, } from "./policy/index.js";
2334
2578
  export { getSolutionSmokeDefaults, isKnownSolutionId, listSolutionIds, loadSolutionManifest, paybondSolutionPresets, } from "./solutions/index.js";
2579
+ export { appendDirectHarborPaymentAuthorization, formatPaymentAuthorizationValue, PAYBOND_PAYMENT_AUTHORIZATION_HEADER, PAYMENT_TRANSPORT_RESPONSE_HEADERS, paymentAuthorizationGatewayHeader, readFundPaymentTransportHeaders, } from "./payment-transport.js";
2580
+ export { AGENT_RECEIPT_KIND_V1, AGENT_RECEIPT_SCHEMA_VERSION, AGENT_RECEIPT_SCOPE_ACTION, AGENT_RECEIPT_SCOPE_INTENT_TERMINAL, AGENT_RECEIPT_SIGNING_ALGORITHM_ED25519, AGENT_RECEIPT_VERSION_V1, AGENT_RECEIPT_WELL_KNOWN_PATH, actionReceiptId, canonicalAgentReceiptBytes, configHashSha256Hex, promptHashSha256Hex, valueDigestSha256Hex, verifyAgentReceiptV1, } from "./agent-receipt.js";
2581
+ export { AGENT_RECEIPT_EXTERNAL_SOURCE_SEP2828, AGENT_RECEIPT_EXTERNAL_SOURCE_X402, partnerRecordDigestSha256Hex, resolveExternalAttestations, sep2828RecordsToExternalAttestations, x402ReceiptToExternalAttestations, } from "./agent-receipt-external-attestations.js";
package/dist/init.js CHANGED
@@ -22,6 +22,9 @@ const AGENT_MIDDLEWARE_FRAMEWORKS = new Set([
22
22
  "openai",
23
23
  "langgraph",
24
24
  "vercel-ai",
25
+ "mastra",
26
+ "cloudflare-agents",
27
+ "mcp",
25
28
  ]);
26
29
  const AGENT_MIDDLEWARE_FRAMEWORK_ALIASES = {
27
30
  "provider-agnostic": "generic",
@@ -31,6 +34,30 @@ const PRESET_DEFAULT_OUT = {
31
34
  "paid-tool-guard": "paybond-paid-tool-guard.ts",
32
35
  "agent-middleware": "paybond-agent-middleware.ts",
33
36
  };
37
+ /** Comment block for production intent create via policy_binding (signing v7). */
38
+ function productionPolicyBindingComments(harborTemplateId) {
39
+ return `// Production (signing v7): publish managed template head for ${harborTemplateId}, then create a funded intent.
40
+ // import { PaybondPolicy } from "@paybond/kit";
41
+ // const policy = await PaybondPolicy.load("./paybond.policy.yaml");
42
+ // const publishedHead = {
43
+ // templateId: "<template_id>",
44
+ // versionSeq: 1,
45
+ // materializedPredicate: { /* from publish response */ },
46
+ // policyContentDigestHex: "<digest_hex>",
47
+ // };
48
+ // const intentInput = policy.toIntentCreateInput({
49
+ // principalDid,
50
+ // principalSigningSeed: principalSeed32,
51
+ // payeeDid,
52
+ // payeeSigningSeed: payeeSeed32,
53
+ // deadlineRfc3339,
54
+ // settlementRail: "stripe_connect",
55
+ // recognitionProof,
56
+ // publishedPolicyHead: publishedHead,
57
+ // });
58
+ // const created = await paybond.intents.createWithPolicyBinding(intentInput);
59
+ // Fund if needed, then attach middleware: paybond.agentRun.bind({ attach: { intentId, capabilityToken, productionEvidence }, registry })`;
60
+ }
34
61
  const FRAMEWORK_NOTES = {
35
62
  generic: "Wrap the returned function around any side-effecting tool handler.",
36
63
  "provider-agnostic": "Use the guarded handler with OpenAI, Gemini, Claude/Anthropic, local models, or any custom runtime.",
@@ -52,7 +79,7 @@ function usage() {
52
79
  " agent-middleware PaybondAgentRun + tool registry middleware",
53
80
  "",
54
81
  "Frameworks (paid-tool-guard): generic|provider-agnostic|openai|claude|anthropic|gemini|google-ai|vercel-ai|langgraph|mcp",
55
- "Frameworks (agent-middleware): generic|claude-agents|openai|langgraph|vercel-ai",
82
+ "Frameworks (agent-middleware): generic|claude-agents|openai|langgraph|vercel-ai|mastra|cloudflare-agents|mcp",
56
83
  ].join("\n");
57
84
  }
58
85
  function normalizeAgentMiddlewareFramework(framework) {
@@ -197,6 +224,24 @@ export async function openPaybondFromEnv(options: OpenPaybondFromEnvOptions = {}
197
224
  });
198
225
  }`;
199
226
  }
227
+ function agentMiddlewareHeaderComments(framework) {
228
+ const smokeCommands = {
229
+ generic: 'paybond agent sandbox smoke --operation travel.book_hotel --requested-spend-cents 20000 --evidence-preset cost_and_completion --result-body \'{"reservation":{"status":"confirmed","price_cents":20000}}\'',
230
+ "claude-agents": "paybond agent demo claude-agents smoke --operation travel.book_hotel --requested-spend-cents 20000 --evidence-preset cost_and_completion --format json",
231
+ openai: "paybond agent demo openai smoke --operation travel.book_hotel --requested-spend-cents 20000 --evidence-preset cost_and_completion --format json",
232
+ langgraph: "paybond agent demo langgraph smoke --operation travel.book_hotel --requested-spend-cents 20000 --evidence-preset cost_and_completion --format json",
233
+ "vercel-ai": "paybond agent demo vercel-ai smoke --operation travel.book_hotel --requested-spend-cents 20000 --evidence-preset cost_and_completion --format json",
234
+ mastra: "paybond agent demo mastra smoke --operation travel.book_hotel --requested-spend-cents 20000 --evidence-preset cost_and_completion --format json",
235
+ "cloudflare-agents": "paybond agent demo cloudflare-agents smoke --operation travel.book_hotel --requested-spend-cents 20000 --evidence-preset cost_and_completion --format json",
236
+ mcp: "paybond agent demo mcp smoke --operation travel.book_hotel --requested-spend-cents 20000 --evidence-preset cost_and_completion --format json",
237
+ };
238
+ return [
239
+ "// Paybond for paid tools; provider-native limits for LLM token caps only.",
240
+ "// Policy: ./paybond.policy.yaml (scaffold with paybond policy init).",
241
+ `// Smoke: ${smokeCommands[framework]}`,
242
+ "// Production: createWithPolicyBinding after publishing the managed template head — see block below.",
243
+ ].join("\n");
244
+ }
200
245
  function agentMiddlewareFrameworkBlock(framework) {
201
246
  switch (framework) {
202
247
  case "claude-agents":
@@ -326,6 +371,66 @@ export async function runGuardedGenerateText(
326
371
  toolApproval: paybondVercelToolApproval(run),
327
372
  prompt,
328
373
  });
374
+ }`;
375
+ case "mastra":
376
+ return `import { createTool } from "@mastra/core/tools";
377
+ import { z } from "zod";
378
+ import { createPaybondMastraConfig } from "@paybond/kit/mastra";
379
+ import type { PaybondAgentRun } from "@paybond/kit/agent";
380
+
381
+ /** Wrap Mastra \`createTool()\` definitions with Paybond middleware on \`execute\`. */
382
+ export function createGuardedMastraTools(run: PaybondAgentRun) {
383
+ const tools = [
384
+ createTool({
385
+ id: "travel.book_hotel",
386
+ description: "Book a hotel room",
387
+ inputSchema: z.object({
388
+ city: z.string(),
389
+ estimatedPriceCents: z.number().int().nonnegative(),
390
+ }),
391
+ execute: async (args) => bookHotel(args),
392
+ }),
393
+ createTool({
394
+ id: "search.web",
395
+ description: "Search the web",
396
+ inputSchema: z.object({ query: z.string() }),
397
+ execute: async (args) => searchWeb(args),
398
+ }),
399
+ ];
400
+ return createPaybondMastraConfig(run, tools).tools;
401
+ }`;
402
+ case "cloudflare-agents":
403
+ return `import { tool } from "ai";
404
+ import { z } from "zod";
405
+ import { createPaybondCloudflareAgentsConfig } from "@paybond/kit/cloudflare-agents";
406
+ import type { PaybondAgentRun } from "@paybond/kit/agent";
407
+
408
+ /** Wrap Cloudflare Agents \`getTools()\` AI SDK tool definitions with Paybond middleware on \`execute\`. */
409
+ export function createGuardedCloudflareAgentTools(run: PaybondAgentRun) {
410
+ const tools = {
411
+ "travel.book_hotel": tool({
412
+ description: "Book a hotel room",
413
+ inputSchema: z.object({
414
+ city: z.string(),
415
+ estimatedPriceCents: z.number().int().nonnegative(),
416
+ }),
417
+ execute: async (args) => bookHotel(args),
418
+ }),
419
+ searchWeb: tool({
420
+ description: "Search the web",
421
+ inputSchema: z.object({ query: z.string() }),
422
+ execute: async (args) => searchWeb(args),
423
+ }),
424
+ };
425
+ return createPaybondCloudflareAgentsConfig(run, tools);
426
+ }`;
427
+ case "mcp":
428
+ return `import { createPaybondMcpToolSurface } from "@paybond/kit/mcp";
429
+ import type { PaybondAgentRun } from "@paybond/kit/agent";
430
+
431
+ /** Stdio MCP host config — bind a run first, then \`paybond mcp install\` for coding-agent hosts. */
432
+ export function createMcpToolSurface(run: PaybondAgentRun) {
433
+ return createPaybondMcpToolSurface(run, { envFile: ".env.local" });
329
434
  }`;
330
435
  default:
331
436
  return `import { createPaybondGenericAgentConfig } from "@paybond/kit/agent";
@@ -360,6 +465,8 @@ import {
360
465
 
361
466
  ${envHelpersBlock()}
362
467
 
468
+ ${agentMiddlewareHeaderComments(framework)}
469
+
363
470
  // Agent middleware preset maps to completion catalog archetype: cost_and_completion (${completionPreset.harbor_template_id}).
364
471
  const COMPLETION_PRESET_ID = "cost_and_completion";
365
472
  const DEFAULT_OPERATION = "travel.book_hotel";
@@ -426,6 +533,8 @@ export async function bindAgentRun(
426
533
  return paybond.agentRun.bind(bindInput);
427
534
  }
428
535
 
536
+ ${productionPolicyBindingComments(completionPreset.harbor_template_id)}
537
+
429
538
  ${agentMiddlewareFrameworkBlock(framework)}
430
539
  `;
431
540
  }
@@ -454,12 +563,14 @@ export function buildCompletionEvidence(fields: CompletionEvidence): Record<stri
454
563
  return { ...fields };
455
564
  }
456
565
 
457
- // Production: use buildSignedCreateIntentBodyWithPolicyBinding from @paybond/kit after publishing ${completionPreset.harbor_template_id}.
458
566
  export const policyBindingStub = {
459
567
  template_id: HARBOR_TEMPLATE_ID,
460
568
  parameters: ${jsonLiteral(completionPreset.parameters, 2)} as const,
569
+ // version_seq and head_digest are assigned after publishing the managed template head.
461
570
  };
462
571
 
572
+ ${productionPolicyBindingComments(completionPreset.harbor_template_id)}
573
+
463
574
  const DEFAULT_OPERATION = "paid_tool.operation";
464
575
  const DEFAULT_REQUESTED_SPEND_CENTS = 500;
465
576
 
@@ -0,0 +1,30 @@
1
+ import type { PaybondAgentRun } from "../agent/run.js";
2
+ /** Minimal Mastra tool shape — matches `createTool()` output without importing `@mastra/core`. */
3
+ export type MastraToolLike = {
4
+ id: string;
5
+ description: string;
6
+ inputSchema?: unknown;
7
+ outputSchema?: unknown;
8
+ suspendSchema?: unknown;
9
+ resumeSchema?: unknown;
10
+ requestContextSchema?: unknown;
11
+ execute?: (inputData: unknown, context?: unknown) => unknown | Promise<unknown>;
12
+ };
13
+ /** Mastra runner config: guarded tools with wrapped `execute` handlers. */
14
+ export type PaybondMastraConfig<TTools extends MastraToolLike[]> = {
15
+ tools: TTools;
16
+ };
17
+ /**
18
+ * Wrap side-effecting Mastra tools with Paybond `wrapExecute` so Harbor verify,
19
+ * spend finalize, and auto-evidence run after successful execution.
20
+ *
21
+ * Read-only tools pass through unchanged.
22
+ */
23
+ export declare function paybondMastraWrapTools<TTools extends MastraToolLike[]>(run: PaybondAgentRun, tools: TTools): TTools;
24
+ /**
25
+ * Framework runner helper for Mastra `createTool({ execute })` definitions.
26
+ *
27
+ * Preserves schema, id, and description; replaces `execute` only on
28
+ * side-effecting registry tools.
29
+ */
30
+ export declare function createPaybondMastraConfig<TTools extends MastraToolLike[]>(run: PaybondAgentRun, tools: TTools): PaybondMastraConfig<TTools>;