@paybond/kit 0.11.10 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (128) hide show
  1. package/README.md +2 -2
  2. package/completion-presets/catalog.json +374 -3
  3. package/completion-presets/catalog.sha256 +1 -1
  4. package/dist/agent/facade.js +13 -0
  5. package/dist/agent/guarded-agent.d.ts +1 -1
  6. package/dist/agent/guarded-agent.js +19 -0
  7. package/dist/agent/index.d.ts +2 -1
  8. package/dist/agent/index.js +1 -0
  9. package/dist/agent/instrument.d.ts +6 -0
  10. package/dist/agent/instrument.js +6 -0
  11. package/dist/agent/interceptor.d.ts +9 -0
  12. package/dist/agent/interceptor.js +177 -1
  13. package/dist/agent/receipt-client.d.ts +49 -0
  14. package/dist/agent/receipt-client.js +45 -0
  15. package/dist/agent/registry.js +1 -0
  16. package/dist/agent/run.d.ts +2 -0
  17. package/dist/agent/run.js +52 -0
  18. package/dist/agent/types.d.ts +70 -0
  19. package/dist/agent-receipt-external-attestations.d.ts +29 -0
  20. package/dist/agent-receipt-external-attestations.js +124 -0
  21. package/dist/agent-receipt.d.ts +134 -0
  22. package/dist/agent-receipt.js +580 -0
  23. package/dist/agent-recognition.d.ts +25 -0
  24. package/dist/agent-recognition.js +36 -0
  25. package/dist/audit/exports.d.ts +72 -0
  26. package/dist/audit/exports.js +185 -0
  27. package/dist/audit/index.d.ts +3 -0
  28. package/dist/audit/index.js +3 -0
  29. package/dist/audit/verify.d.ts +8 -0
  30. package/dist/audit/verify.js +113 -0
  31. package/dist/audit/wire.d.ts +54 -0
  32. package/dist/audit/wire.js +80 -0
  33. package/dist/cli/agent/demo-loaders.d.ts +2 -0
  34. package/dist/cli/agent/demo-loaders.js +24 -0
  35. package/dist/cli/agent/production-evidence.d.ts +11 -0
  36. package/dist/cli/agent/production-evidence.js +17 -0
  37. package/dist/cli/audit-export.d.ts +2 -7
  38. package/dist/cli/audit-export.js +2 -120
  39. package/dist/cli/command-spec.js +43 -10
  40. package/dist/cli/commands/agent.d.ts +3 -0
  41. package/dist/cli/commands/agent.js +143 -1
  42. package/dist/cli/commands/discovery.js +39 -36
  43. package/dist/cli/commands/workflows.js +116 -18
  44. package/dist/cli/help.d.ts +1 -1
  45. package/dist/cli/help.js +12 -8
  46. package/dist/cli/intents-harbor-mutation.d.ts +18 -0
  47. package/dist/cli/intents-harbor-mutation.js +33 -0
  48. package/dist/cli/paybond.d.ts +9 -0
  49. package/dist/cli/paybond.js +23 -0
  50. package/dist/cli/redact.js +3 -0
  51. package/dist/cloudflare-agents/config.d.ts +24 -0
  52. package/dist/cloudflare-agents/config.js +23 -0
  53. package/dist/cloudflare-agents/index.d.ts +3 -0
  54. package/dist/cloudflare-agents/index.js +3 -0
  55. package/dist/cloudflare-agents/peer.d.ts +9 -0
  56. package/dist/cloudflare-agents/peer.js +20 -0
  57. package/dist/cloudflare-agents/sandbox-demo.d.ts +36 -0
  58. package/dist/cloudflare-agents/sandbox-demo.js +89 -0
  59. package/dist/completion-catalog-digest.d.ts +1 -1
  60. package/dist/completion-catalog-digest.js +1 -1
  61. package/dist/completion-init.js +8 -3
  62. package/dist/dev/offline-gateway.d.ts +2 -1
  63. package/dist/dev/offline-gateway.js +34 -3
  64. package/dist/dev/x402-fund-mock.d.ts +28 -0
  65. package/dist/dev/x402-fund-mock.js +124 -0
  66. package/dist/index.d.ts +125 -9
  67. package/dist/index.js +264 -17
  68. package/dist/init.js +113 -2
  69. package/dist/mastra/config.d.ts +30 -0
  70. package/dist/mastra/config.js +58 -0
  71. package/dist/mastra/index.d.ts +2 -0
  72. package/dist/mastra/index.js +2 -0
  73. package/dist/mastra/peer.d.ts +11 -0
  74. package/dist/mastra/peer.js +24 -0
  75. package/dist/mastra/sandbox-demo.d.ts +36 -0
  76. package/dist/mastra/sandbox-demo.js +87 -0
  77. package/dist/mcp/index.d.ts +1 -0
  78. package/dist/mcp/index.js +1 -0
  79. package/dist/mcp/sandbox-demo.d.ts +38 -0
  80. package/dist/mcp/sandbox-demo.js +112 -0
  81. package/dist/mcp-receipt-resource.d.ts +10 -0
  82. package/dist/mcp-receipt-resource.js +32 -0
  83. package/dist/mcp-server.d.ts +6 -0
  84. package/dist/mcp-server.js +124 -1
  85. package/dist/mpp-commercial.d.ts +19 -0
  86. package/dist/mpp-commercial.js +34 -0
  87. package/dist/mpp-funding.d.ts +71 -0
  88. package/dist/mpp-funding.js +192 -0
  89. package/dist/payment-transport.d.ts +30 -0
  90. package/dist/payment-transport.js +56 -0
  91. package/dist/policy/init.js +2 -0
  92. package/dist/policy/intent-spec.js +2 -0
  93. package/dist/principal-intent.d.ts +1 -1
  94. package/dist/principal-intent.js +4 -1
  95. package/dist/project-init.js +8 -0
  96. package/dist/template-init.d.ts +2 -2
  97. package/dist/template-init.js +6 -2
  98. package/dist/x402-funding.d.ts +52 -0
  99. package/dist/x402-funding.js +124 -0
  100. package/package.json +20 -2
  101. package/templates/manifest.json +28 -9
  102. package/templates/openai-shopping-agent/package-lock.json +16 -8
  103. package/templates/openai-shopping-agent/package.json +1 -1
  104. package/templates/paybond-aws-operator/package-lock.json +13 -5
  105. package/templates/paybond-aws-operator/package.json +1 -1
  106. package/templates/paybond-claude-agents-demo/package-lock.json +16 -8
  107. package/templates/paybond-claude-agents-demo/package.json +1 -1
  108. package/templates/paybond-invoice-agent/requirements.txt +1 -1
  109. package/templates/paybond-mastra-travel-agent/.env.example +3 -0
  110. package/templates/paybond-mastra-travel-agent/.github/workflows/smoke.yml +20 -0
  111. package/templates/paybond-mastra-travel-agent/LICENSE +201 -0
  112. package/templates/paybond-mastra-travel-agent/README.md +29 -0
  113. package/templates/paybond-mastra-travel-agent/package-lock.json +3377 -0
  114. package/templates/paybond-mastra-travel-agent/package.json +22 -0
  115. package/templates/paybond-mastra-travel-agent/paybond.policy.yaml +22 -0
  116. package/templates/paybond-mastra-travel-agent/src/index.ts +22 -0
  117. package/templates/paybond-mastra-travel-agent/src/paybond.config.ts +51 -0
  118. package/templates/paybond-mastra-travel-agent/tsconfig.json +13 -0
  119. package/templates/paybond-mcp-coding-agent/package-lock.json +13 -5
  120. package/templates/paybond-mcp-coding-agent/package.json +1 -1
  121. package/templates/paybond-openai-agents-demo/package-lock.json +16 -8
  122. package/templates/paybond-openai-agents-demo/package.json +1 -1
  123. package/templates/paybond-procurement-agent/package-lock.json +13 -5
  124. package/templates/paybond-procurement-agent/package.json +1 -1
  125. package/templates/paybond-travel-agent/package-lock.json +16 -8
  126. package/templates/paybond-travel-agent/package.json +1 -1
  127. package/templates/paybond-vercel-shopping-agent/package-lock.json +13 -5
  128. package/templates/paybond-vercel-shopping-agent/package.json +1 -1
@@ -0,0 +1,124 @@
1
+ /**
2
+ * Maps partner attestation artifacts into Agent Receipt `external_attestations` entries.
3
+ *
4
+ * Partner digests are SHA-256 of canonical JSON (signature fields stripped for SEP-2828).
5
+ * These entries are never canonical inside Paybond; they provide interop hooks only.
6
+ */
7
+ import { createHash } from "node:crypto";
8
+ import { normalizeJson } from "./json-digest.js";
9
+ import { stripDigestPrefix } from "./mcp-sep2828-evidence.js";
10
+ import { verifySep2828ReceiptPair } from "./sep2828-signature.js";
11
+ import { buildX402ReceiptDigestPayload, } from "./x402-receipt-evidence.js";
12
+ import { extractSignedX402Receipt, verifySignedX402Receipt } from "./x402-receipt-signature.js";
13
+ export const AGENT_RECEIPT_EXTERNAL_SOURCE_SEP2828 = "sep2828_mcp";
14
+ export const AGENT_RECEIPT_EXTERNAL_SOURCE_X402 = "x402";
15
+ const SEP2828_SIGNATURE_KEYS = new Set([
16
+ "signature",
17
+ "ed25519_signature_hex",
18
+ "message_digest_sha256_hex",
19
+ "signing_public_key_ed25519_hex",
20
+ ]);
21
+ const SEP2828_ASSERTED_BLOCKS = ["issuerAsserted", "receiptAsserted"];
22
+ function readObject(value) {
23
+ if (value !== null && typeof value === "object" && !Array.isArray(value)) {
24
+ return value;
25
+ }
26
+ return undefined;
27
+ }
28
+ function canonicalJsonBytes(value) {
29
+ return new TextEncoder().encode(JSON.stringify(normalizeJson(value)));
30
+ }
31
+ /** SHA-256 hex digest of canonical JSON bytes. */
32
+ export function partnerRecordDigestSha256Hex(record) {
33
+ return createHash("sha256").update(Buffer.from(canonicalJsonBytes(record))).digest("hex");
34
+ }
35
+ function stripSep2828SignatureFields(record) {
36
+ const out = {};
37
+ for (const [key, value] of Object.entries(record)) {
38
+ if (SEP2828_SIGNATURE_KEYS.has(key)) {
39
+ continue;
40
+ }
41
+ if (SEP2828_ASSERTED_BLOCKS.includes(key)) {
42
+ const asserted = readObject(value);
43
+ if (!asserted) {
44
+ continue;
45
+ }
46
+ const stripped = {};
47
+ for (const [innerKey, innerValue] of Object.entries(asserted)) {
48
+ if (!SEP2828_SIGNATURE_KEYS.has(innerKey)) {
49
+ stripped[innerKey] = innerValue;
50
+ }
51
+ }
52
+ if (Object.keys(stripped).length > 0) {
53
+ out[key] = stripped;
54
+ }
55
+ continue;
56
+ }
57
+ out[key] = value;
58
+ }
59
+ return out;
60
+ }
61
+ function sep2828RecordDigest(record) {
62
+ return partnerRecordDigestSha256Hex(stripSep2828SignatureFields(record));
63
+ }
64
+ function x402PayloadDigestSha256Hex(payload) {
65
+ return partnerRecordDigestSha256Hex(payload);
66
+ }
67
+ /**
68
+ * Converts verified SEP-2828 decision/outcome records into external attestation entries.
69
+ */
70
+ export function sep2828RecordsToExternalAttestations(decisionInput, outcomeInput) {
71
+ verifySep2828ReceiptPair(decisionInput, outcomeInput);
72
+ const decisionBackLink = readObject(decisionInput.backLink);
73
+ const referenceID = typeof decisionBackLink?.attestationDigest === "string"
74
+ ? stripDigestPrefix(decisionBackLink.attestationDigest)
75
+ : undefined;
76
+ return [
77
+ {
78
+ source: AGENT_RECEIPT_EXTERNAL_SOURCE_SEP2828,
79
+ kind: "decision_record",
80
+ digest_sha256_hex: sep2828RecordDigest(decisionInput),
81
+ reference_id: referenceID,
82
+ },
83
+ {
84
+ source: AGENT_RECEIPT_EXTERNAL_SOURCE_SEP2828,
85
+ kind: "outcome_record",
86
+ digest_sha256_hex: sep2828RecordDigest(outcomeInput),
87
+ reference_id: referenceID,
88
+ },
89
+ ];
90
+ }
91
+ /**
92
+ * Converts a verified x402 signed delivery receipt into one external attestation entry.
93
+ */
94
+ export function x402ReceiptToExternalAttestations(receiptInput) {
95
+ const signed = extractSignedX402Receipt(receiptInput);
96
+ const verifiedPayload = verifySignedX402Receipt(signed);
97
+ const payload = buildX402ReceiptDigestPayload(verifiedPayload);
98
+ return [
99
+ {
100
+ source: AGENT_RECEIPT_EXTERNAL_SOURCE_X402,
101
+ kind: "delivery_receipt_v1",
102
+ digest_sha256_hex: x402PayloadDigestSha256Hex(payload),
103
+ reference_id: payload.resourceUrl,
104
+ },
105
+ ];
106
+ }
107
+ /** Resolves pre-built or partner-native attestation inputs into normalized receipt entries. */
108
+ export function resolveExternalAttestations(inputs) {
109
+ const out = [];
110
+ for (const input of inputs) {
111
+ if ("source" in input && "digest_sha256_hex" in input) {
112
+ out.push(input);
113
+ continue;
114
+ }
115
+ if (input.kind === "sep2828") {
116
+ out.push(...sep2828RecordsToExternalAttestations(input.decision, input.outcome));
117
+ continue;
118
+ }
119
+ if (input.kind === "x402") {
120
+ out.push(...x402ReceiptToExternalAttestations(input.receipt));
121
+ }
122
+ }
123
+ return out;
124
+ }
@@ -0,0 +1,134 @@
1
+ export declare const AGENT_RECEIPT_SCHEMA_VERSION = 1;
2
+ export declare const AGENT_RECEIPT_KIND_V1 = "paybond.agent_receipt_v1";
3
+ export declare const AGENT_RECEIPT_VERSION_V1 = "1";
4
+ export declare const AGENT_RECEIPT_SIGNING_ALGORITHM_ED25519 = "ed25519-sha256-json-v1";
5
+ export declare const AGENT_RECEIPT_SCOPE_ACTION = "action";
6
+ export declare const AGENT_RECEIPT_SCOPE_INTENT_TERMINAL = "intent_terminal";
7
+ export declare const AGENT_RECEIPT_WELL_KNOWN_PATH = "/.well-known/agent-receipt-v1.json";
8
+ export type AgentReceiptAgentV1 = {
9
+ operator_did: string;
10
+ model_family: string;
11
+ model_instance_id?: string;
12
+ config_hash_sha256_hex: string;
13
+ prompt_hash_sha256_hex: string;
14
+ deployment_epoch?: number;
15
+ };
16
+ export type AgentReceiptPolicyV1 = {
17
+ template_id: string;
18
+ version_seq?: number;
19
+ content_digest_sha256_hex: string;
20
+ spend_policy_version?: number;
21
+ };
22
+ export type AgentReceiptAuthorizationV1 = {
23
+ principal_did: string;
24
+ actor_subject: string;
25
+ agent: AgentReceiptAgentV1;
26
+ decision_id: string;
27
+ audit_id?: string;
28
+ policy: AgentReceiptPolicyV1;
29
+ authorized_at: string;
30
+ requested_spend_cents: number;
31
+ currency: string;
32
+ reason_codes?: string[];
33
+ };
34
+ export type AgentReceiptExecutionV1 = {
35
+ run_id: string;
36
+ tool_call_id: string;
37
+ tool_name: string;
38
+ operation: string;
39
+ arguments_digest_sha256_hex: string;
40
+ result_digest_sha256_hex?: string;
41
+ outcome: "executed" | "denied" | "skipped" | "failed";
42
+ started_at: string;
43
+ completed_at: string;
44
+ duration_ms?: number;
45
+ };
46
+ export type AgentReceiptMerchantV1 = {
47
+ payee_did: string;
48
+ vendor_id?: string;
49
+ vendor_ref_id?: string;
50
+ };
51
+ export type AgentReceiptEvidenceV1 = {
52
+ completion_preset_id: string;
53
+ payload_digest_sha256_hex: string;
54
+ artifacts_digest_sha256_hex?: string;
55
+ predicate_passed: boolean;
56
+ payee_did: string;
57
+ payee_signature_digest_sha256_hex?: string;
58
+ };
59
+ export type AgentReceiptPaymentV1 = {
60
+ intent_id: string;
61
+ settlement_rail: string;
62
+ funding_method?: string;
63
+ funding_reference?: string;
64
+ funding_receipt_digest_sha256_hex?: string;
65
+ };
66
+ export type AgentReceiptOutcomeV1 = {
67
+ harbor_state: string;
68
+ spend_reservation_outcome?: "consumed" | "released" | "pending" | "none";
69
+ predicate_passed?: boolean;
70
+ };
71
+ export type AgentReceiptReferencesV1 = {
72
+ intent_id: string;
73
+ ledger_seq?: number;
74
+ settlement_receipt_id?: string | null;
75
+ };
76
+ export type AgentReceiptExternalAttestationV1 = {
77
+ source: string;
78
+ kind: string;
79
+ digest_sha256_hex: string;
80
+ reference_id?: string;
81
+ };
82
+ export type AgentReceiptOperatorAttestationV1 = {
83
+ operator_did: string;
84
+ signing_public_key_ed25519_hex: string;
85
+ message_digest_sha256_hex: string;
86
+ ed25519_signature_hex: string;
87
+ };
88
+ export type AgentReceiptV1 = {
89
+ schema_version: number;
90
+ kind: string;
91
+ receipt_version: string;
92
+ scope: typeof AGENT_RECEIPT_SCOPE_ACTION | typeof AGENT_RECEIPT_SCOPE_INTENT_TERMINAL;
93
+ receipt_id: string;
94
+ issued_at: string;
95
+ tenant_id: string;
96
+ authorization: AgentReceiptAuthorizationV1;
97
+ execution?: AgentReceiptExecutionV1;
98
+ merchant?: AgentReceiptMerchantV1;
99
+ evidence?: AgentReceiptEvidenceV1;
100
+ payment?: AgentReceiptPaymentV1;
101
+ outcome: AgentReceiptOutcomeV1;
102
+ references: AgentReceiptReferencesV1;
103
+ external_attestations: AgentReceiptExternalAttestationV1[];
104
+ operator_attestation?: AgentReceiptOperatorAttestationV1;
105
+ signing_algorithm: string;
106
+ message_digest_sha256_hex: string;
107
+ signing_public_key_ed25519_hex: string;
108
+ ed25519_signature_hex: string;
109
+ };
110
+ export type ConfigHashInput = {
111
+ system_prompt: string;
112
+ tools_manifest: unknown;
113
+ policy_snapshot_id: string;
114
+ };
115
+ /** Returns sha256(JCS({ system_prompt, tools_manifest, policy_snapshot_id })). */
116
+ export declare function configHashSha256Hex(input: ConfigHashInput): string;
117
+ /** Returns sha256(normalized_user_prompt). */
118
+ export declare function promptHashSha256Hex(normalizedUserPrompt: string): string;
119
+ /** Returns sha256(JCS(value)). */
120
+ export declare function valueDigestSha256Hex(value: unknown): string;
121
+ /** Returns sha256(intent_id + "\\x00" + tool_call_id) as lowercase hex. */
122
+ export declare function actionReceiptId(intentId: string, toolCallId: string): string;
123
+ /** Returns canonical signing bytes for a normalized receipt body. */
124
+ export declare function canonicalAgentReceiptBytes(receipt: AgentReceiptV1): Uint8Array;
125
+ /**
126
+ * Returns sha256(canonical receipt bytes) as lowercase hex, ignoring any existing
127
+ * `message_digest_sha256_hex` on the input. Used to compose unsigned receipt drafts
128
+ * (Agent Receipt Standard Phase 1) and to compute the digest signers must sign over.
129
+ */
130
+ export declare function agentReceiptMessageDigestSha256Hex(receipt: AgentReceiptV1): string;
131
+ /** Validates structure, receipt_id derivation, digest, and detached Ed25519 signature. */
132
+ export declare function verifyAgentReceiptV1(receipt: AgentReceiptV1): Promise<AgentReceiptV1>;
133
+ /** Attach an optional operator counter-signature over the Gateway message digest. */
134
+ export declare function attachOperatorAttestationV1(receipt: AgentReceiptV1, operatorPrivateKeyHex: string, operatorDid: string): Promise<AgentReceiptV1>;