@paybond/kit 0.11.11 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (52) hide show
  1. package/completion-presets/catalog.json +10 -5
  2. package/completion-presets/catalog.sha256 +1 -1
  3. package/dist/agent/index.d.ts +2 -1
  4. package/dist/agent/index.js +1 -0
  5. package/dist/agent/interceptor.d.ts +9 -0
  6. package/dist/agent/interceptor.js +177 -1
  7. package/dist/agent/receipt-client.d.ts +49 -0
  8. package/dist/agent/receipt-client.js +45 -0
  9. package/dist/agent/registry.js +1 -0
  10. package/dist/agent/run.d.ts +2 -0
  11. package/dist/agent/run.js +52 -0
  12. package/dist/agent/types.d.ts +70 -0
  13. package/dist/agent-receipt-external-attestations.d.ts +29 -0
  14. package/dist/agent-receipt-external-attestations.js +124 -0
  15. package/dist/agent-receipt.d.ts +134 -0
  16. package/dist/agent-receipt.js +580 -0
  17. package/dist/audit/exports.d.ts +15 -1
  18. package/dist/audit/exports.js +55 -8
  19. package/dist/audit/index.d.ts +2 -2
  20. package/dist/audit/wire.d.ts +12 -0
  21. package/dist/audit/wire.js +13 -1
  22. package/dist/cli/command-spec.js +4 -2
  23. package/dist/cli/commands/discovery.js +17 -6
  24. package/dist/cli/help.d.ts +1 -1
  25. package/dist/cli/help.js +3 -3
  26. package/dist/completion-catalog-digest.d.ts +1 -1
  27. package/dist/completion-catalog-digest.js +1 -1
  28. package/dist/index.d.ts +83 -7
  29. package/dist/index.js +180 -13
  30. package/dist/mcp-receipt-resource.d.ts +10 -0
  31. package/dist/mcp-receipt-resource.js +32 -0
  32. package/dist/mcp-server.d.ts +6 -0
  33. package/dist/mcp-server.js +62 -1
  34. package/dist/mpp-commercial.d.ts +19 -0
  35. package/dist/mpp-commercial.js +34 -0
  36. package/dist/mpp-funding.d.ts +71 -0
  37. package/dist/mpp-funding.js +192 -0
  38. package/dist/payment-transport.d.ts +30 -0
  39. package/dist/payment-transport.js +56 -0
  40. package/dist/policy/intent-spec.js +2 -0
  41. package/dist/principal-intent.d.ts +1 -1
  42. package/dist/principal-intent.js +4 -1
  43. package/package.json +1 -1
  44. package/templates/openai-shopping-agent/package-lock.json +7 -7
  45. package/templates/paybond-aws-operator/package-lock.json +4 -4
  46. package/templates/paybond-claude-agents-demo/package-lock.json +7 -7
  47. package/templates/paybond-mastra-travel-agent/package-lock.json +10 -10
  48. package/templates/paybond-mcp-coding-agent/package-lock.json +4 -4
  49. package/templates/paybond-openai-agents-demo/package-lock.json +7 -7
  50. package/templates/paybond-procurement-agent/package-lock.json +4 -4
  51. package/templates/paybond-travel-agent/package-lock.json +7 -7
  52. package/templates/paybond-vercel-shopping-agent/package-lock.json +4 -4
@@ -34,22 +34,28 @@ export class GatewayAuditExportsClient {
34
34
  async getJson(path) {
35
35
  return this.requestJSON("GET", path);
36
36
  }
37
+ async postJson(path, body) {
38
+ return this.requestJSON("POST", path, body);
39
+ }
37
40
  async deleteJson(path) {
38
41
  return this.requestJSON("DELETE", path);
39
42
  }
40
- async requestJSON(method, path) {
43
+ async requestJSON(method, path, body) {
41
44
  const url = `${this.base}${path.replace(/^\//, "")}`;
42
45
  let lastErr;
43
46
  for (let attempt = 0; attempt < this.maxRetries; attempt++) {
44
47
  let res;
45
48
  try {
46
- res = await fetch(url, {
47
- method,
48
- headers: {
49
- accept: "application/json",
50
- authorization: `Bearer ${this.bearerToken}`,
51
- },
52
- });
49
+ const headers = {
50
+ accept: "application/json",
51
+ authorization: `Bearer ${this.bearerToken}`,
52
+ };
53
+ const init = { method, headers };
54
+ if (method === "POST") {
55
+ headers["content-type"] = "application/json";
56
+ init.body = JSON.stringify(body ?? {});
57
+ }
58
+ res = await fetch(url, init);
53
59
  }
54
60
  catch (err) {
55
61
  lastErr = err;
@@ -80,6 +86,36 @@ export class GatewayAuditExportsClient {
80
86
  throw lastErr instanceof Error ? lastErr : new Error(String(lastErr));
81
87
  }
82
88
  }
89
+ function buildAuditExportCreateBody(params) {
90
+ const filter = {};
91
+ const f = params.filter;
92
+ if (f.time_start?.trim()) {
93
+ filter.time_start = f.time_start.trim();
94
+ }
95
+ if (f.time_end?.trim()) {
96
+ filter.time_end = f.time_end.trim();
97
+ }
98
+ if (f.intent_id?.trim()) {
99
+ filter.intent_id = f.intent_id.trim();
100
+ }
101
+ if (f.case_id?.trim()) {
102
+ filter.case_id = f.case_id.trim();
103
+ }
104
+ if (f.operator_did?.trim()) {
105
+ filter.operator_did = f.operator_did.trim();
106
+ }
107
+ if (f.includes && f.includes.length > 0) {
108
+ filter.includes = [...f.includes];
109
+ }
110
+ const body = {
111
+ filter,
112
+ disclosure_tier: params.disclosureTier ?? "standard",
113
+ };
114
+ if (params.retentionHours != null && params.retentionHours > 0) {
115
+ body.retention_hours = params.retentionHours;
116
+ }
117
+ return body;
118
+ }
83
119
  /**
84
120
  * SDK surface for compliance audit export jobs and local bundle verification.
85
121
  */
@@ -111,6 +147,17 @@ export class PaybondAuditExports {
111
147
  const body = await this.gateway.getJson(`/v1/compliance/audit-exports/${encodeURIComponent(jobId)}${query}`);
112
148
  return parseAuditExportJobGet(body);
113
149
  }
150
+ /**
151
+ * Create a compliance audit export job (`POST /v1/compliance/audit-exports`).
152
+ * Tenant scope comes from the API key — never pass a tenant id.
153
+ */
154
+ async create(params) {
155
+ if (!this.gateway.postJson) {
156
+ throw new Error("audit export create is not supported by this gateway adapter");
157
+ }
158
+ const body = await this.gateway.postJson("/v1/compliance/audit-exports", buildAuditExportCreateBody(params));
159
+ return parseAuditExportJobGet(body);
160
+ }
114
161
  async delete(jobId) {
115
162
  if (!this.gateway.deleteJson) {
116
163
  throw new Error("audit export delete is not supported by this gateway adapter");
@@ -1,3 +1,3 @@
1
- export { GatewayAuditExportsClient, PaybondAudit, PaybondAuditExports, type AuditExportsGateway, type GatewayAuditExportsClientOptions, type PaybondAuditExportsGetParams, type PaybondAuditExportsListParams, } from "./exports.js";
1
+ export { GatewayAuditExportsClient, PaybondAudit, PaybondAuditExports, type AuditExportsGateway, type GatewayAuditExportsClientOptions, type PaybondAuditExportsCreateParams, type PaybondAuditExportsGetParams, type PaybondAuditExportsListParams, } from "./exports.js";
2
2
  export { auditVerifyResult, buildManifestCore, manifestCoreBytes, readManifestFromBundle, verifyAuditBundleLocal, verifyAuditManifest, MANIFEST_CORE_FIELD_ORDER, } from "./verify.js";
3
- export { parseAuditExportJobGet, parseAuditExportList, type AuditExportJobDetail, type AuditExportJobGetResponse, type AuditExportJobSummary, type AuditExportListPage, type AuditVerifyResult, } from "./wire.js";
3
+ export { parseAuditExportJobGet, parseAuditExportList, type AuditExportCreateFilter, type AuditExportJobDetail, type AuditExportJobGetResponse, type AuditExportJobSummary, type AuditExportListPage, type AuditVerifyResult, } from "./wire.js";
@@ -14,6 +14,14 @@ export type AuditExportListPage = Readonly<{
14
14
  jobs: ReadonlyArray<AuditExportJobSummary>;
15
15
  next_cursor?: string;
16
16
  }>;
17
+ export type AuditExportCreateFilter = Readonly<{
18
+ time_start?: string;
19
+ time_end?: string;
20
+ intent_id?: string;
21
+ case_id?: string;
22
+ operator_did?: string;
23
+ includes?: ReadonlyArray<string>;
24
+ }>;
17
25
  export type AuditExportJobDetail = Readonly<{
18
26
  id: string;
19
27
  status: string;
@@ -25,6 +33,10 @@ export type AuditExportJobDetail = Readonly<{
25
33
  manifest_sha256: string;
26
34
  bundle_sha256: string;
27
35
  download_token?: string;
36
+ /** Present on `POST /v1/compliance/audit-exports` create responses. */
37
+ bundle_size_bytes?: number;
38
+ download_token_expires?: string;
39
+ download_path?: string;
28
40
  }>;
29
41
  export type AuditExportJobGetResponse = Readonly<{
30
42
  job: AuditExportJobDetail;
@@ -52,17 +52,29 @@ export function parseAuditExportJobGet(json) {
52
52
  assertJsonObject(json);
53
53
  const jobRaw = json.job ?? json;
54
54
  assertJsonObject(jobRaw);
55
+ const bundleSize = typeof jobRaw.bundle_size_bytes === "number" && Number.isFinite(jobRaw.bundle_size_bytes)
56
+ ? jobRaw.bundle_size_bytes
57
+ : undefined;
58
+ const downloadTokenExpires = typeof jobRaw.download_token_expires === "string" && jobRaw.download_token_expires
59
+ ? jobRaw.download_token_expires
60
+ : typeof jobRaw.download_token_expires_at === "string" && jobRaw.download_token_expires_at
61
+ ? jobRaw.download_token_expires_at
62
+ : undefined;
63
+ const downloadPath = typeof jobRaw.download_path === "string" && jobRaw.download_path ? jobRaw.download_path : undefined;
55
64
  const job = {
56
65
  id: readString(jobRaw.id ?? jobRaw.job_id, "job.id"),
57
66
  status: readString(jobRaw.status, "job.status"),
58
67
  tenant_realm_id: readString(jobRaw.tenant_realm_id, "job.tenant_realm_id"),
59
68
  disclosure_tier: readString(jobRaw.disclosure_tier, "job.disclosure_tier"),
60
- created_at: readString(jobRaw.created_at, "job.created_at"),
69
+ created_at: typeof jobRaw.created_at === "string" ? jobRaw.created_at : "",
61
70
  expires_at: readString(jobRaw.expires_at, "job.expires_at"),
62
71
  error: typeof jobRaw.error === "string" ? jobRaw.error : "",
63
72
  manifest_sha256: typeof jobRaw.manifest_sha256 === "string" ? jobRaw.manifest_sha256 : "",
64
73
  bundle_sha256: typeof jobRaw.bundle_sha256 === "string" ? jobRaw.bundle_sha256 : "",
65
74
  download_token: typeof jobRaw.download_token === "string" && jobRaw.download_token ? jobRaw.download_token : undefined,
75
+ bundle_size_bytes: bundleSize,
76
+ download_token_expires: downloadTokenExpires,
77
+ download_path: downloadPath,
66
78
  };
67
79
  return { job };
68
80
  }
@@ -296,10 +296,12 @@ export const COMMAND_EXAMPLES = {
296
296
  "paybond signal fraud --did did:example:alice"
297
297
  ],
298
298
  "receipts get": [
299
- "paybond receipts get receipt-123"
299
+ "paybond receipts get receipt-123",
300
+ "paybond receipts get sha256:abc... --kind agent --format json"
300
301
  ],
301
302
  "receipts verify": [
302
- "paybond receipts verify receipt-123"
303
+ "paybond receipts verify receipt-123",
304
+ "paybond receipts verify sha256:abc... --kind agent --format json"
303
305
  ],
304
306
  "mandates verify": [
305
307
  "paybond mandates verify --body mandate.json"
@@ -7,10 +7,8 @@ import { consumeBooleanFlag, consumeFlag } from "../globals.js";
7
7
  import { CliError } from "../types.js";
8
8
  export async function handleSignal(ctx, subcommand, argv) {
9
9
  return withGateway(ctx, async (gateway) => {
10
- const principal = await gateway.getJson("/v1/auth/principal");
11
- const tenantId = String(principal.tenant_id ?? "");
12
10
  if (subcommand === "portfolio") {
13
- const body = await gateway.getJson(`/signal/v1/tenants/${encodeURIComponent(tenantId)}/portfolio/summary`);
11
+ const body = await gateway.getJson("/signal/v1/portfolio/summary");
14
12
  return { data: body };
15
13
  }
16
14
  const didFlag = consumeFlag(argv, "--did");
@@ -18,11 +16,11 @@ export async function handleSignal(ctx, subcommand, argv) {
18
16
  throw new CliError(`signal ${subcommand} requires --did`, { category: "usage", code: "cli.usage.missing_did" });
19
17
  }
20
18
  if (subcommand === "reputation") {
21
- const body = await gateway.getJson(`/signal/v1/tenants/${encodeURIComponent(tenantId)}/reputation/${encodeURIComponent(didFlag.value)}`);
19
+ const body = await gateway.getJson(`/reputation/${encodeURIComponent(didFlag.value)}`);
22
20
  return { data: body };
23
21
  }
24
22
  if (subcommand === "fraud") {
25
- const body = await gateway.getJson(`/fraud/v1/tenants/${encodeURIComponent(tenantId)}/assessments/${encodeURIComponent(didFlag.value)}`);
23
+ const body = await gateway.getJson(`/signal/v1/operators/${encodeURIComponent(didFlag.value)}/review-status`);
26
24
  return { data: body };
27
25
  }
28
26
  throw new CliError(`unknown signal subcommand: ${subcommand}`, { category: "usage", code: "cli.usage.unknown_command" });
@@ -30,10 +28,23 @@ export async function handleSignal(ctx, subcommand, argv) {
30
28
  }
31
29
  export async function handleReceipts(ctx, subcommand, argv) {
32
30
  return withGateway(ctx, async (gateway) => {
31
+ const kindFlag = consumeFlag(argv, "--kind");
32
+ const kind = (kindFlag.value ?? "protocol").trim().toLowerCase();
33
33
  const receiptId = argv[0];
34
34
  if (!receiptId) {
35
35
  throw new CliError(`receipts ${subcommand} requires <receipt_id>`, { category: "usage", code: "cli.usage.missing_receipt_id" });
36
36
  }
37
+ if (kind === "agent") {
38
+ if (subcommand === "get") {
39
+ const body = await gateway.getJson(`/protocol/v2/agent-receipts/${encodeURIComponent(receiptId)}`);
40
+ return { data: body };
41
+ }
42
+ if (subcommand === "verify") {
43
+ const fetched = await gateway.getJson(`/protocol/v2/agent-receipts/${encodeURIComponent(receiptId)}`);
44
+ const body = await gateway.postJson("/protocol/v2/agent-receipts/verify", fetched);
45
+ return { data: body };
46
+ }
47
+ }
37
48
  if (subcommand === "get") {
38
49
  const body = await gateway.getJson(`/protocol/v2/receipts/${encodeURIComponent(receiptId)}`);
39
50
  return { data: body };
@@ -55,7 +66,7 @@ export async function handleMandates(ctx, subcommand, argv) {
55
66
  return { data: body };
56
67
  }
57
68
  if (subcommand === "import") {
58
- const body = await gateway.postJson("/protocol/v2/mandates/import", payload);
69
+ const body = await gateway.postJson("/protocol/v2/mandates", payload);
59
70
  return { data: body };
60
71
  }
61
72
  throw new CliError(`unknown mandates subcommand: ${subcommand}`, { category: "usage", code: "cli.usage.unknown_command" });
@@ -1,3 +1,3 @@
1
- export declare const ROOT_HELP = "Usage: paybond [--global-flags] <command> [<subcommand> ...] [args]\n\nGlobal flags:\n --gateway <url> Gateway base URL (default: https://api.paybond.ai)\n --env-file <path> Local secrets file (default: .env.local)\n --format table|json Human table or JSON envelope output (default: table)\n --json <fields> Field-selectable JSON for list/read commands (plain JSON; use --format json for envelope)\n --jq <expr> jq-style filter for list/read command output\n --profile <name> Named credential profile from the Paybond CLI config file\n --request-id <id> Correlation ID for Gateway calls and JSON output\n --yes Skip confirmation for destructive operations\n --no-open Do not open a browser for device login\n --color auto|always|never Colorize human table output and help text (default: auto)\n --no-color Disable color output (also honors NO_COLOR)\n\nCommands:\n onboarding Guided, non-destructive first-run checks\n help Detailed help for a command\n examples Copy-paste examples from the command spec\n completion bash|zsh|fish Shell completion scripts\n login Sandbox device login\n init Interactive first-run scaffold (solution, spend cap, framework, owned policy files)\n init guardrail|completion|agent-middleware\n Scaffold sandbox guardrail, completion evidence, or agent middleware integration files\n mcp serve|install|verify-config|tools MCP server and host configuration\n doctor Validate local runtime, credentials, and optional agent setup\n dev smoke|trace|loop|up\n Local sandbox developer loop: travel smoke, trace dashboard, WireMock up, and guided setup\n version Print package version (use --verbose for runtime details)\n diagnose Emit a redacted support bundle with --redacted\n config get|set|unset|list\n Manage CLI configuration values\n whoami Resolve the authenticated principal and tenant realm\n keys list|create|rotate|revoke\n Manage tenant service-account API keys\n intents list|get|create|fund|evidence|settlement-confirm\n Harbor intent workflows\n guardrails bootstrap|evidence\n Sandbox guardrail helpers\n spend authorize Authorize delegated spend for a tool call\n signal reputation|portfolio|fraud\n Signal summaries and fraud reads\n receipts get|verify\n Protocol settlement receipts\n mandates verify|import\n Agent mandate verification and import\n a2a card|contracts\n Agent card discovery and task contracts\n policy init|init-org|extend|presets list|presets show|validate-tools|templates|preview|import-mcp-receipt|import-x402-receipt|validate-evidence\n Scaffold and validate paybond.policy.yaml (including enterprise org inheritance), browse policy presets and solutions, list completion presets, preview Harbor templates, and import receipts\n agent run bind|status|trace|reload-policy|tool execute|validate|registry validate|sandbox smoke\n Agent middleware: bind runs, reload policy, execute tools, validate registry, sandbox smoke\n audit exports list|get|verify|delete\n Compliance audit export jobs and local bundle verification\n\nGetting started:\n Sandbox setup\n Authenticate, validate the runtime, and confirm tenant context.\n $ paybond login\n $ paybond doctor --format json\n Next: paybond whoami\n Agent + MCP host\n Preview MCP host config and list tools exposed to agents.\n $ paybond mcp install --host claude --scope local\n $ paybond mcp verify-config --host claude\n $ paybond mcp tools\n Next: paybond doctor --agent\n Paid-tool guardrail\n Scaffold a sandbox guardrail integration file for your agent runtime.\n $ paybond init guardrail\n $ paybond guardrails bootstrap --operation paid-tool --requested-spend-cents 100\n Next: paybond spend authorize --help\n Policy-driven agent sandbox\n Validate and smoke-test agent middleware from a versioned paybond.policy.yaml file.\n $ paybond policy init --out paybond.policy.yaml\n $ paybond policy validate-tools --file paybond.policy.yaml\n $ paybond agent sandbox smoke --policy-file paybond.policy.yaml --result-body '{\"status\":\"completed\",\"cost_cents\":18700}' --format json\n Next: paybond policy validate-tools --help\n Agent middleware sandbox\n Bind a sandbox run and execute a guarded tool with auto-evidence.\n $ paybond agent sandbox smoke --operation paid-tool --requested-spend-cents 100 --evidence-preset cost_and_completion --result-body '{\"status\":\"ok\",\"cost_cents\":100}' --format json\n Next: paybond agent run bind --help\n Completion preset\n Scaffold catalog-aligned completion evidence for Harbor release predicates.\n $ paybond init completion --preset api_response_ok\n $ paybond policy templates\n $ paybond policy preview --preset api_response_ok --evidence-file evidence.json\n Next: paybond policy preview --help\n\nDocumentation: https://docs.paybond.ai/kit\n\nLearn more:\n paybond help <command> Detailed help for a command\n paybond examples Copy-paste command examples\n paybond onboarding Guided first-run checks\n paybond completion <shell> Shell completions (bash|zsh|fish)\n\nLegacy aliases: paybond-kit-login, paybond-init, paybond-kit-init, paybond-mcp-server\n";
1
+ export declare const ROOT_HELP = "Usage: paybond [--global-flags] <command> [<subcommand> ...] [args]\n\nGlobal flags:\n --gateway <url> Gateway base URL (default: https://api.paybond.ai)\n --env-file <path> Local secrets file (default: .env.local)\n --format table|json Human table or JSON envelope output (default: table)\n --json <fields> Field-selectable JSON for list/read commands (plain JSON; use --format json for envelope)\n --jq <expr> jq-style filter for list/read command output\n --profile <name> Named credential profile from the Paybond CLI config file\n --request-id <id> Correlation ID for Gateway calls and JSON output\n --yes Skip confirmation for destructive operations\n --no-open Do not open a browser for device login\n --color auto|always|never Colorize human table output and help text (default: auto)\n --no-color Disable color output (also honors NO_COLOR)\n\nCommands:\n onboarding Guided, non-destructive first-run checks\n help Detailed help for a command\n examples Copy-paste examples from the command spec\n completion bash|zsh|fish Shell completion scripts\n login Sandbox device login\n init Interactive first-run scaffold (solution, spend cap, framework, owned policy files)\n init guardrail|completion|agent-middleware\n Scaffold sandbox guardrail, completion evidence, or agent middleware integration files\n mcp serve|install|verify-config|tools MCP server and host configuration\n doctor Validate local runtime, credentials, and optional agent setup\n dev smoke|trace|loop|up\n Local sandbox developer loop: travel smoke, trace dashboard, WireMock up, and guided setup\n version Print package version (use --verbose for runtime details)\n diagnose Emit a redacted support bundle with --redacted\n config get|set|unset|list\n Manage CLI configuration values\n whoami Resolve the authenticated principal and tenant realm\n keys list|create|rotate|revoke\n Manage tenant service-account API keys\n intents list|get|create|fund|evidence|settlement-confirm\n Harbor intent workflows\n guardrails bootstrap|evidence\n Sandbox guardrail helpers\n spend authorize Authorize delegated spend for a tool call\n signal reputation|portfolio|fraud\n Signal summaries and fraud reads\n receipts get|verify\n Protocol settlement and agent action receipts (--kind agent)\n mandates verify|import\n Agent mandate verification and import\n a2a card|contracts\n Agent card discovery and task contracts\n policy init|init-org|extend|presets list|presets show|validate-tools|templates|preview|import-mcp-receipt|import-x402-receipt|validate-evidence\n Scaffold and validate paybond.policy.yaml (including enterprise org inheritance), browse policy presets and solutions, list completion presets, preview Harbor templates, and import receipts\n agent run bind|status|trace|reload-policy|tool execute|validate|registry validate|sandbox smoke\n Agent middleware: bind runs, reload policy, execute tools, validate registry, sandbox smoke\n audit exports list|get|verify|delete\n Compliance audit export jobs and local bundle verification\n\nGetting started:\n Sandbox setup\n Authenticate, validate the runtime, and confirm tenant context.\n $ paybond login\n $ paybond doctor --format json\n Next: paybond whoami\n Agent + MCP host\n Preview MCP host config and list tools exposed to agents.\n $ paybond mcp install --host claude --scope local\n $ paybond mcp verify-config --host claude\n $ paybond mcp tools\n Next: paybond doctor --agent\n Paid-tool guardrail\n Scaffold a sandbox guardrail integration file for your agent runtime.\n $ paybond init guardrail\n $ paybond guardrails bootstrap --operation paid-tool --requested-spend-cents 100\n Next: paybond spend authorize --help\n Policy-driven agent sandbox\n Validate and smoke-test agent middleware from a versioned paybond.policy.yaml file.\n $ paybond policy init --out paybond.policy.yaml\n $ paybond policy validate-tools --file paybond.policy.yaml\n $ paybond agent sandbox smoke --policy-file paybond.policy.yaml --result-body '{\"status\":\"completed\",\"cost_cents\":18700}' --format json\n Next: paybond policy validate-tools --help\n Agent middleware sandbox\n Bind a sandbox run and execute a guarded tool with auto-evidence.\n $ paybond agent sandbox smoke --operation paid-tool --requested-spend-cents 100 --evidence-preset cost_and_completion --result-body '{\"status\":\"ok\",\"cost_cents\":100}' --format json\n Next: paybond agent run bind --help\n Completion preset\n Scaffold catalog-aligned completion evidence for Harbor release predicates.\n $ paybond init completion --preset api_response_ok\n $ paybond policy templates\n $ paybond policy preview --preset api_response_ok --evidence-file evidence.json\n Next: paybond policy preview --help\n\nDocumentation: https://docs.paybond.ai/kit\n\nLearn more:\n paybond help <command> Detailed help for a command\n paybond examples Copy-paste command examples\n paybond onboarding Guided first-run checks\n paybond completion <shell> Shell completions (bash|zsh|fish)\n\nLegacy aliases: paybond-kit-login, paybond-init, paybond-kit-init, paybond-mcp-server\n";
2
2
  export declare const COMMAND_HELP: Record<string, string>;
3
3
  export declare function helpForCommand(path: string): string;
package/dist/cli/help.js CHANGED
@@ -1,5 +1,5 @@
1
1
  // Generated by kit/cli-parity/generate.mjs — do not edit by hand.
2
- export const ROOT_HELP = "Usage: paybond [--global-flags] <command> [<subcommand> ...] [args]\n\nGlobal flags:\n --gateway <url> Gateway base URL (default: https://api.paybond.ai)\n --env-file <path> Local secrets file (default: .env.local)\n --format table|json Human table or JSON envelope output (default: table)\n --json <fields> Field-selectable JSON for list/read commands (plain JSON; use --format json for envelope)\n --jq <expr> jq-style filter for list/read command output\n --profile <name> Named credential profile from the Paybond CLI config file\n --request-id <id> Correlation ID for Gateway calls and JSON output\n --yes Skip confirmation for destructive operations\n --no-open Do not open a browser for device login\n --color auto|always|never Colorize human table output and help text (default: auto)\n --no-color Disable color output (also honors NO_COLOR)\n\nCommands:\n onboarding Guided, non-destructive first-run checks\n help Detailed help for a command\n examples Copy-paste examples from the command spec\n completion bash|zsh|fish Shell completion scripts\n login Sandbox device login\n init Interactive first-run scaffold (solution, spend cap, framework, owned policy files)\n init guardrail|completion|agent-middleware\n Scaffold sandbox guardrail, completion evidence, or agent middleware integration files\n mcp serve|install|verify-config|tools MCP server and host configuration\n doctor Validate local runtime, credentials, and optional agent setup\n dev smoke|trace|loop|up\n Local sandbox developer loop: travel smoke, trace dashboard, WireMock up, and guided setup\n version Print package version (use --verbose for runtime details)\n diagnose Emit a redacted support bundle with --redacted\n config get|set|unset|list\n Manage CLI configuration values\n whoami Resolve the authenticated principal and tenant realm\n keys list|create|rotate|revoke\n Manage tenant service-account API keys\n intents list|get|create|fund|evidence|settlement-confirm\n Harbor intent workflows\n guardrails bootstrap|evidence\n Sandbox guardrail helpers\n spend authorize Authorize delegated spend for a tool call\n signal reputation|portfolio|fraud\n Signal summaries and fraud reads\n receipts get|verify\n Protocol settlement receipts\n mandates verify|import\n Agent mandate verification and import\n a2a card|contracts\n Agent card discovery and task contracts\n policy init|init-org|extend|presets list|presets show|validate-tools|templates|preview|import-mcp-receipt|import-x402-receipt|validate-evidence\n Scaffold and validate paybond.policy.yaml (including enterprise org inheritance), browse policy presets and solutions, list completion presets, preview Harbor templates, and import receipts\n agent run bind|status|trace|reload-policy|tool execute|validate|registry validate|sandbox smoke\n Agent middleware: bind runs, reload policy, execute tools, validate registry, sandbox smoke\n audit exports list|get|verify|delete\n Compliance audit export jobs and local bundle verification\n\nGetting started:\n Sandbox setup\n Authenticate, validate the runtime, and confirm tenant context.\n $ paybond login\n $ paybond doctor --format json\n Next: paybond whoami\n Agent + MCP host\n Preview MCP host config and list tools exposed to agents.\n $ paybond mcp install --host claude --scope local\n $ paybond mcp verify-config --host claude\n $ paybond mcp tools\n Next: paybond doctor --agent\n Paid-tool guardrail\n Scaffold a sandbox guardrail integration file for your agent runtime.\n $ paybond init guardrail\n $ paybond guardrails bootstrap --operation paid-tool --requested-spend-cents 100\n Next: paybond spend authorize --help\n Policy-driven agent sandbox\n Validate and smoke-test agent middleware from a versioned paybond.policy.yaml file.\n $ paybond policy init --out paybond.policy.yaml\n $ paybond policy validate-tools --file paybond.policy.yaml\n $ paybond agent sandbox smoke --policy-file paybond.policy.yaml --result-body '{\"status\":\"completed\",\"cost_cents\":18700}' --format json\n Next: paybond policy validate-tools --help\n Agent middleware sandbox\n Bind a sandbox run and execute a guarded tool with auto-evidence.\n $ paybond agent sandbox smoke --operation paid-tool --requested-spend-cents 100 --evidence-preset cost_and_completion --result-body '{\"status\":\"ok\",\"cost_cents\":100}' --format json\n Next: paybond agent run bind --help\n Completion preset\n Scaffold catalog-aligned completion evidence for Harbor release predicates.\n $ paybond init completion --preset api_response_ok\n $ paybond policy templates\n $ paybond policy preview --preset api_response_ok --evidence-file evidence.json\n Next: paybond policy preview --help\n\nDocumentation: https://docs.paybond.ai/kit\n\nLearn more:\n paybond help <command> Detailed help for a command\n paybond examples Copy-paste command examples\n paybond onboarding Guided first-run checks\n paybond completion <shell> Shell completions (bash|zsh|fish)\n\nLegacy aliases: paybond-kit-login, paybond-init, paybond-kit-init, paybond-mcp-server\n";
2
+ export const ROOT_HELP = "Usage: paybond [--global-flags] <command> [<subcommand> ...] [args]\n\nGlobal flags:\n --gateway <url> Gateway base URL (default: https://api.paybond.ai)\n --env-file <path> Local secrets file (default: .env.local)\n --format table|json Human table or JSON envelope output (default: table)\n --json <fields> Field-selectable JSON for list/read commands (plain JSON; use --format json for envelope)\n --jq <expr> jq-style filter for list/read command output\n --profile <name> Named credential profile from the Paybond CLI config file\n --request-id <id> Correlation ID for Gateway calls and JSON output\n --yes Skip confirmation for destructive operations\n --no-open Do not open a browser for device login\n --color auto|always|never Colorize human table output and help text (default: auto)\n --no-color Disable color output (also honors NO_COLOR)\n\nCommands:\n onboarding Guided, non-destructive first-run checks\n help Detailed help for a command\n examples Copy-paste examples from the command spec\n completion bash|zsh|fish Shell completion scripts\n login Sandbox device login\n init Interactive first-run scaffold (solution, spend cap, framework, owned policy files)\n init guardrail|completion|agent-middleware\n Scaffold sandbox guardrail, completion evidence, or agent middleware integration files\n mcp serve|install|verify-config|tools MCP server and host configuration\n doctor Validate local runtime, credentials, and optional agent setup\n dev smoke|trace|loop|up\n Local sandbox developer loop: travel smoke, trace dashboard, WireMock up, and guided setup\n version Print package version (use --verbose for runtime details)\n diagnose Emit a redacted support bundle with --redacted\n config get|set|unset|list\n Manage CLI configuration values\n whoami Resolve the authenticated principal and tenant realm\n keys list|create|rotate|revoke\n Manage tenant service-account API keys\n intents list|get|create|fund|evidence|settlement-confirm\n Harbor intent workflows\n guardrails bootstrap|evidence\n Sandbox guardrail helpers\n spend authorize Authorize delegated spend for a tool call\n signal reputation|portfolio|fraud\n Signal summaries and fraud reads\n receipts get|verify\n Protocol settlement and agent action receipts (--kind agent)\n mandates verify|import\n Agent mandate verification and import\n a2a card|contracts\n Agent card discovery and task contracts\n policy init|init-org|extend|presets list|presets show|validate-tools|templates|preview|import-mcp-receipt|import-x402-receipt|validate-evidence\n Scaffold and validate paybond.policy.yaml (including enterprise org inheritance), browse policy presets and solutions, list completion presets, preview Harbor templates, and import receipts\n agent run bind|status|trace|reload-policy|tool execute|validate|registry validate|sandbox smoke\n Agent middleware: bind runs, reload policy, execute tools, validate registry, sandbox smoke\n audit exports list|get|verify|delete\n Compliance audit export jobs and local bundle verification\n\nGetting started:\n Sandbox setup\n Authenticate, validate the runtime, and confirm tenant context.\n $ paybond login\n $ paybond doctor --format json\n Next: paybond whoami\n Agent + MCP host\n Preview MCP host config and list tools exposed to agents.\n $ paybond mcp install --host claude --scope local\n $ paybond mcp verify-config --host claude\n $ paybond mcp tools\n Next: paybond doctor --agent\n Paid-tool guardrail\n Scaffold a sandbox guardrail integration file for your agent runtime.\n $ paybond init guardrail\n $ paybond guardrails bootstrap --operation paid-tool --requested-spend-cents 100\n Next: paybond spend authorize --help\n Policy-driven agent sandbox\n Validate and smoke-test agent middleware from a versioned paybond.policy.yaml file.\n $ paybond policy init --out paybond.policy.yaml\n $ paybond policy validate-tools --file paybond.policy.yaml\n $ paybond agent sandbox smoke --policy-file paybond.policy.yaml --result-body '{\"status\":\"completed\",\"cost_cents\":18700}' --format json\n Next: paybond policy validate-tools --help\n Agent middleware sandbox\n Bind a sandbox run and execute a guarded tool with auto-evidence.\n $ paybond agent sandbox smoke --operation paid-tool --requested-spend-cents 100 --evidence-preset cost_and_completion --result-body '{\"status\":\"ok\",\"cost_cents\":100}' --format json\n Next: paybond agent run bind --help\n Completion preset\n Scaffold catalog-aligned completion evidence for Harbor release predicates.\n $ paybond init completion --preset api_response_ok\n $ paybond policy templates\n $ paybond policy preview --preset api_response_ok --evidence-file evidence.json\n Next: paybond policy preview --help\n\nDocumentation: https://docs.paybond.ai/kit\n\nLearn more:\n paybond help <command> Detailed help for a command\n paybond examples Copy-paste command examples\n paybond onboarding Guided first-run checks\n paybond completion <shell> Shell completions (bash|zsh|fish)\n\nLegacy aliases: paybond-kit-login, paybond-init, paybond-kit-init, paybond-mcp-server\n";
3
3
  export const COMMAND_HELP = {
4
4
  "onboarding": "Usage: paybond onboarding [--host claude|codex|openai|generic]\n\nRuns a guided, non-destructive first-run workflow: runtime check, login status, guardrail file status, MCP config preview, and doctor.\n\nExamples:\n $ paybond onboarding\n $ paybond onboarding --host claude --format json\n\nDocs: https://docs.paybond.ai/kit/coding-agent-setup\n\nNext: paybond login",
5
5
  "help": "Usage: paybond help [<command> [<subcommand> ...]]\n\nShows detailed help for a command path. Without arguments, prints root help.\n\nExamples:\n $ paybond help\n $ paybond help login\n $ paybond help mcp install",
@@ -53,8 +53,8 @@ export const COMMAND_HELP = {
53
53
  "signal reputation": "Usage: paybond signal reputation --did <did>\n\nExamples:\n $ paybond signal reputation --did did:example:alice",
54
54
  "signal portfolio": "Usage: paybond signal portfolio\n\nExamples:\n $ paybond signal portfolio",
55
55
  "signal fraud": "Usage: paybond signal fraud --did <did>\n\nExamples:\n $ paybond signal fraud --did did:example:alice",
56
- "receipts get": "Usage: paybond receipts get <receipt_id>\n\nExamples:\n $ paybond receipts get receipt-123",
57
- "receipts verify": "Usage: paybond receipts verify <receipt_id>\n\nExamples:\n $ paybond receipts verify receipt-123",
56
+ "receipts get": "Usage: paybond receipts get <receipt_id> [--kind protocol|agent]\n\nFetch a signed protocol settlement receipt (default) or agent action receipt (--kind agent).\n\nExamples:\n $ paybond receipts get receipt-123\n $ paybond receipts get sha256:abc... --kind agent --format json",
57
+ "receipts verify": "Usage: paybond receipts verify <receipt_id> [--kind protocol|agent]\n\nVerify a protocol settlement receipt (default) or agent action receipt (--kind agent) via Gateway offline verify.\n\nExamples:\n $ paybond receipts verify receipt-123\n $ paybond receipts verify sha256:abc... --kind agent --format json",
58
58
  "mandates verify": "Usage: paybond mandates verify --body <json-file>\n\nExamples:\n $ paybond mandates verify --body mandate.json",
59
59
  "mandates import": "Usage: paybond mandates import --body <json-file>\n\nExamples:\n $ paybond mandates import --body mandate.json",
60
60
  "a2a card": "Usage: paybond a2a card\n\nExamples:\n $ paybond a2a card",
@@ -1,2 +1,2 @@
1
1
  /** Generated by kit/scripts/sync-completion-catalog.mjs — do not edit. */
2
- export declare const BUNDLED_COMPLETION_CATALOG_SHA256_HEX: "df9c8e9ad04e10b682dd7877460528896216d832486e88af6c9039bad402b264";
2
+ export declare const BUNDLED_COMPLETION_CATALOG_SHA256_HEX: "a738febc9ee8b5b66f05991c4582ba24e6857cdc574196b0aeefc5c77e192ea9";
@@ -1,2 +1,2 @@
1
1
  /** Generated by kit/scripts/sync-completion-catalog.mjs — do not edit. */
2
- export const BUNDLED_COMPLETION_CATALOG_SHA256_HEX = "df9c8e9ad04e10b682dd7877460528896216d832486e88af6c9039bad402b264";
2
+ export const BUNDLED_COMPLETION_CATALOG_SHA256_HEX = "a738febc9ee8b5b66f05991c4582ba24e6857cdc574196b0aeefc5c77e192ea9";
package/dist/index.d.ts CHANGED
@@ -4,12 +4,13 @@
4
4
  */
5
5
  import { type BuildSignedCreateIntentParams, type BuildSignedCreateIntentWithPolicyBindingParams, type SettlementRail } from "./principal-intent.js";
6
6
  import { type SignPayeeEvidenceParams } from "./payee-evidence.js";
7
- import { PaybondAgentRunFacade, PaybondInstrumentBuilder, PaybondInstrumentRuntime, PaybondToolRegistry, type CreateGuardedAgentInput, type CreateGuardedAgentResult, type PaybondAgentInput, type PaybondAgentResult, type PaybondInlinePolicy, type PaybondInstrumentAgentOptions, type PaybondInstrumentInput, type PaybondInstrumented, type PaybondToolRegistryConfig, type PaybondWrapToolsOptions } from "./agent/index.js";
7
+ import { PaybondAgentRunFacade, type PaybondAgentCallable, PaybondInstrumentBuilder, PaybondInstrumentRuntime, PaybondToolRegistry, type CreateGuardedAgentInput, type CreateGuardedAgentResult, type PaybondInlinePolicy, type PaybondInstrumentAgentOptions, type PaybondInstrumentInput, type PaybondInstrumented, type PaybondToolRegistryConfig, type PaybondWrapToolsOptions } from "./agent/index.js";
8
8
  import { GatewayAgentRunTraceReporter } from "./agent/gateway-trace-reporter.js";
9
9
  import { PaybondAudit } from "./audit/index.js";
10
10
  import { type PolicyRemoteValidateOptions, type PolicyRemoteValidateResult } from "./policy/validate-remote.js";
11
11
  import { type PolicyEffectiveResolveResult } from "./policy/load-effective.js";
12
12
  import { type FundRequestEnvelope, type PaymentRequired, type X402FundPollOptions } from "./x402-funding.js";
13
+ import { type MppFundPollOptions, type PaymentAuthChallenge } from "./mpp-funding.js";
13
14
  export type SpendScope = {
14
15
  scope_type: string;
15
16
  scope_key: string;
@@ -43,6 +44,13 @@ export type PaybondSpendAuthorizationInput = {
43
44
  agentSubject?: string;
44
45
  approvalToken?: string;
45
46
  idempotencyKey?: string;
47
+ /**
48
+ * Agent Receipt Standard context (Phase 1): forwarded to Gateway `/verify` on every call for
49
+ * audit correlation. See `go/gateway/internal/spendauth/types.go` `VerifyRequest`.
50
+ */
51
+ modelFamily?: string;
52
+ configHashHex?: string;
53
+ promptHashHex?: string;
46
54
  };
47
55
  export type SubmitEvidenceResult = {
48
56
  intentId: string;
@@ -54,6 +62,12 @@ export type IntentFundingResult = {
54
62
  settlementRail: SettlementRail;
55
63
  harborFundEndpoint?: string;
56
64
  status?: string;
65
+ /** MPP Payment Auth challenge `intent` (`charge` or `session`). */
66
+ intent?: string;
67
+ /** MPP Payment Auth challenge `method` (`stripe` or `tempo`). */
68
+ method?: string;
69
+ /** MPP Payment Auth challenge id from `WWW-Authenticate: Payment`. */
70
+ challengeId?: string;
57
71
  paymentSessionId?: string;
58
72
  paymentUrl?: string;
59
73
  stripePaymentIntentId?: string;
@@ -69,6 +83,22 @@ export type IntentFundingResult = {
69
83
  bankName?: string;
70
84
  asset?: string;
71
85
  network?: string;
86
+ /** MPP settlement asset (e.g. `usdc`). */
87
+ settlementAsset?: string;
88
+ /** MPP settlement network (e.g. `tempo`). */
89
+ settlementNetwork?: string;
90
+ /** Tempo session channel id (`stripe_mpp` session funding). */
91
+ channelId?: string;
92
+ /** Tempo session protocol version (e.g. `v2`). */
93
+ sessionProtocol?: string;
94
+ /** Required Tempo deposit in USDC base units. */
95
+ depositAmountBaseUnits?: string;
96
+ acceptedCumulativeBaseUnits?: string;
97
+ pendingCumulativeBaseUnits?: string;
98
+ descriptorHash?: string;
99
+ lastVoucherAt?: string;
100
+ lastSettleTxHash?: string;
101
+ channelStatus?: string;
72
102
  authorizationId?: string;
73
103
  captureId?: string;
74
104
  voidId?: string;
@@ -94,6 +124,12 @@ export type FundIntentResult = {
94
124
  statusCode: 200 | 202 | 402;
95
125
  paymentRequired?: string;
96
126
  paymentResponse?: string;
127
+ /** Payment Auth challenges from `WWW-Authenticate` (MPP charge/session). */
128
+ wwwAuthenticate?: string[];
129
+ /** Payment Auth receipt from `Payment-Receipt` when Harbor confirms payment progress. */
130
+ paymentReceipt?: string;
131
+ /** Cache policy echoed from Harbor (`Cache-Control`). */
132
+ cacheControl?: string;
97
133
  intentId: string;
98
134
  tenant: string;
99
135
  state: string;
@@ -722,6 +758,7 @@ export type VerifyProtocolReceiptV1Result = {
722
758
  tenant_id: string;
723
759
  receipt: ProtocolAuthorizationReceiptV1 | ProtocolSettlementReceiptV1 | Record<string, unknown>;
724
760
  };
761
+ export type { VerifyAgentReceiptV1Result } from "./agent/receipt-client.js";
725
762
  export declare class A2AHttpError extends Error {
726
763
  readonly statusCode: number;
727
764
  readonly url: string;
@@ -900,6 +937,7 @@ export declare class HarborClient {
900
937
  */
901
938
  fundIntent(intentId: string, options?: {
902
939
  paymentSignature?: string;
940
+ paymentAuthorization?: string;
903
941
  idempotencyKey?: string;
904
942
  }): Promise<FundIntentResult>;
905
943
  /**
@@ -1009,6 +1047,7 @@ export declare class GatewayHarborClient {
1009
1047
  createIntent(body: Record<string, unknown>, options: GatewayHarborMutationOptions): Promise<Record<string, unknown>>;
1010
1048
  fundIntent(intentId: string, options: GatewayHarborMutationOptions & {
1011
1049
  paymentSignature?: string;
1050
+ paymentAuthorization?: string;
1012
1051
  }): Promise<FundIntentResult>;
1013
1052
  submitEvidence(intentId: string, evidenceBody: Record<string, unknown>, options: GatewayHarborMutationOptions): Promise<SubmitEvidenceResult>;
1014
1053
  /** Recognition-gated Gateway Harbor settlement confirmation. */
@@ -1127,6 +1166,12 @@ export declare class GatewayProtocolClient {
1127
1166
  }): Promise<ImportAgentMandateV1Result>;
1128
1167
  getSettlementReceiptV1(receiptId: string): Promise<ProtocolSettlementReceiptV1>;
1129
1168
  verifyProtocolReceiptV1(receipt: ProtocolAuthorizationReceiptV1 | ProtocolSettlementReceiptV1 | Record<string, unknown>): Promise<VerifyProtocolReceiptV1Result>;
1169
+ getAgentReceiptV1ByID(receiptId: string): Promise<import("./agent-receipt.js").AgentReceiptV1>;
1170
+ getAgentReceiptV1ByIntentToolCall(init: {
1171
+ intentId: string;
1172
+ toolCallId: string;
1173
+ }): Promise<import("./agent-receipt.js").AgentReceiptV1>;
1174
+ verifyAgentReceiptV1(receipt: import("./agent-receipt.js").AgentReceiptV1 | Record<string, unknown>): Promise<import("./agent/receipt-client.js").VerifyAgentReceiptV1Result>;
1130
1175
  createHarborIntent(init: {
1131
1176
  body: Record<string, unknown>;
1132
1177
  recognitionProof: AgentRecognitionProofV1 | Record<string, unknown>;
@@ -1234,6 +1279,7 @@ export declare class PaybondIntents {
1234
1279
  intentId: string;
1235
1280
  recognitionProof: AgentRecognitionProofV1 | Record<string, unknown>;
1236
1281
  paymentSignature?: string;
1282
+ paymentAuthorization?: string;
1237
1283
  idempotencyKey?: string;
1238
1284
  }): Promise<FundIntentResult>;
1239
1285
  /**
@@ -1249,6 +1295,36 @@ export declare class PaybondIntents {
1249
1295
  pollOptions?: X402FundPollOptions;
1250
1296
  idempotencyKey?: string;
1251
1297
  }): Promise<FundIntentResult>;
1298
+ /**
1299
+ * One-shot Stripe MPP charge fund flow: create Payment Auth credentials from 402 challenges,
1300
+ * retry with `paymentAuthorization`, and poll until funded.
1301
+ *
1302
+ * MPP wallet and SPT secrets stay app-owned — pass injectable `createPaymentCredential` and
1303
+ * `issueRecognitionProof` callbacks.
1304
+ */
1305
+ fundWithMppCharge(params: {
1306
+ intentId: string;
1307
+ recognitionProof: AgentRecognitionProofV1 | Record<string, unknown>;
1308
+ createPaymentCredential: (challenge: PaymentAuthChallenge) => Promise<string>;
1309
+ issueRecognitionProof: (envelope: FundRequestEnvelope) => Promise<AgentRecognitionProofV1 | Record<string, unknown>>;
1310
+ pollOptions?: MppFundPollOptions;
1311
+ idempotencyKey?: string;
1312
+ }): Promise<FundIntentResult>;
1313
+ /**
1314
+ * Tempo MPP session fund flow: open a session channel deposit via Payment Auth credentials,
1315
+ * retry with `paymentAuthorization`, and poll until the intent is funded.
1316
+ *
1317
+ * MPP wallet and SPT secrets stay app-owned — pass injectable `createPaymentCredential` and
1318
+ * `issueRecognitionProof` callbacks.
1319
+ */
1320
+ fundWithMppSession(params: {
1321
+ intentId: string;
1322
+ recognitionProof: AgentRecognitionProofV1 | Record<string, unknown>;
1323
+ createPaymentCredential: (challenge: PaymentAuthChallenge) => Promise<string>;
1324
+ issueRecognitionProof: (envelope: FundRequestEnvelope) => Promise<AgentRecognitionProofV1 | Record<string, unknown>>;
1325
+ pollOptions?: MppFundPollOptions;
1326
+ idempotencyKey?: string;
1327
+ }): Promise<FundIntentResult>;
1252
1328
  /**
1253
1329
  * Sign payee evidence and POST it. `payeeSigningSeed` must be 32 bytes.
1254
1330
  */
@@ -1274,6 +1350,7 @@ export declare class Paybond {
1274
1350
  readonly intents: PaybondIntents;
1275
1351
  readonly audit: PaybondAudit;
1276
1352
  readonly agentRun: PaybondAgentRunFacade;
1353
+ readonly agent: PaybondAgentCallable;
1277
1354
  private constructor();
1278
1355
  /** Open a tenant-bound hosted Paybond session from a service-account API key. */
1279
1356
  static open(init: PaybondOpenOptions): Promise<Paybond>;
@@ -1318,11 +1395,6 @@ export declare class Paybond {
1318
1395
  instrumentMCP<TTools>(input: Omit<PaybondInstrumentInput<TTools>, "framework"> & {
1319
1396
  tools: TTools;
1320
1397
  }): Promise<PaybondInstrumented<TTools> | PaybondInstrumentRuntime<TTools>>;
1321
- /**
1322
- * Opinionated quickstart: resolve named policy presets (for example `travel`) or file paths,
1323
- * then instrument tools for the selected framework.
1324
- */
1325
- agent<TTools>(input: PaybondAgentInput<TTools>): Promise<PaybondAgentResult<TTools>>;
1326
1398
  /** Wrap tools for an existing bound run without reloading policy. */
1327
1399
  wrapTools(run: import("./agent/run.js").PaybondAgentRun, tools: unknown, options?: PaybondWrapToolsOptions): unknown;
1328
1400
  /**
@@ -1342,10 +1414,14 @@ export { buildSignedCreateIntentBody, buildSignedCreateIntentBodyWithPolicyBindi
1342
1414
  export { artifactsDigest, evidenceSignBytesV1, signPayeeEvidenceBinding, type SignPayeeEvidenceParams, } from "./payee-evidence.js";
1343
1415
  export { AGENT_RECOGNITION_GATEWAY_VERIFIER_ID, AGENT_RECOGNITION_PROOF_KIND_V1, AGENT_RECOGNITION_PURPOSE_CREATE, AGENT_RECOGNITION_PURPOSE_FUND, AGENT_RECOGNITION_PURPOSE_EVIDENCE_SUBMIT, newAgentRecognitionRequestEnvelope, signAgentRecognitionProofV1, signHarborCreateRecognitionProof, signHarborFundRecognitionProof, signHarborEvidenceSubmitRecognitionProof, signHarborSettlementConfirmRecognitionProof, type SignAgentRecognitionProofV1Params, type SignedAgentRecognitionProofV1, } from "./agent-recognition.js";
1344
1416
  export { executeFundWithX402, buildX402FundRequestEnvelope, PaybondX402FundingFailedError, PaybondX402FundingPendingError, type FundRequestEnvelope, type PaymentRequired, type X402FundPollOptions, } from "./x402-funding.js";
1417
+ export { executeFundWithMpp, executeFundWithMppCharge, executeFundWithMppSession, buildMppFundRequestEnvelope, parsePaymentAuthChallenge, selectMppChargeChallenge, selectMppSessionChallenge, PaybondMppFundingFailedError, PaybondMppFundingPendingError, type MppFundPollOptions, type ParsedPaymentAuthChallenge, type PaymentAuthChallenge, } from "./mpp-funding.js";
1345
1418
  export { validateCompletionEvidence, type CompletionEvidenceValidationReport, } from "./completion-validate-evidence.js";
1346
1419
  export { completionSchemaDigestHex, computeVendorContractDigests, verifyVendorContract, verifyCatalogVendorContracts, type VendorContract, type VendorContractDigests, } from "./completion-contract-digest.js";
1347
1420
  export { contractSnapshotForPreset, mapVendorEvidenceToCanonical, resolveCompletionPreset, } from "./completion-resolve.js";
1348
- export { PaybondAgentRun, PaybondAgentRunBindError, PaybondAgentRunFacade, PaybondEvidenceSubmitError, PaybondFrameworkAdapter, PaybondToolInterceptor, PaybondToolRegistry, PaybondToolRegistryValidationError, PaybondUnregisteredSideEffectingToolError, buildAutoEvidencePayload, createGenericToolExecutor, createGuardedAgent, createGuardedAgentRunner, createPaybondAgent, createPaybondGenericAgentConfig, createPaybondGenericInputGuard, createPaybondToolRegistry, createToolInputGuardAdapter, instrumentPaybondAgent, instrumentPaybondClaudeAgents, instrumentPaybondLangGraph, instrumentPaybondMCP, instrumentPaybondOpenAI, instrumentPaybondVercel, paybondGenericToolExecutorAdapter, paybondToolInputGuardAdapter, resolveAgentPolicySource, toPaybondAgentResult, wrapPaybondTools, PaybondInstrumentBuilder, PaybondInstrumented, PaybondInstrumentRuntime, PaybondLazyContextError, PaybondUnboundContextError, discoverPolicyFromAgent, discoverToolNames, discoverToolsFromAgent, inlinePolicyToDocument, isInlinePolicy, isInstrumentableAgentObject, readPaybondAgentInstrumentation, type CreateGuardedAgentInput, type CreateGuardedAgentResult, type GuardedAgentFramework, type PaybondAgentHooks, type PaybondAgentInput, type PaybondAgentResult, type PaybondAgentRunBindInput, type PaybondAuthorizeToolCallInput, type PaybondEvidenceMapper, type PaybondGenericAgentConfig, type PaybondGenericToolCall, type PaybondGenericToolDefinition, type PaybondGenericWrappedToolDefinition, type PaybondInlinePolicy, type PaybondAgentInstrumentation, type PaybondInstrumentAgentOptions, type PaybondInstrumentBinding, type PaybondInstrumentContext, type PaybondInstrumentContextInput, type PaybondInstrumentContextProvider, type PaybondInstrumentInput, type PaybondInterceptEvidenceResult, type PaybondInterceptWrapExecuteInput, type PaybondInterceptWrapExecuteResult, type PaybondRunBinding, type PaybondRunBindingAttachInput, type PaybondRunBindingSandboxBootstrapInput, type PaybondRunGuard, type PaybondSideEffectingToolEntry, type PaybondSideEffectingToolPolicy, type PaybondSpendResolver, type PaybondToolCallContext, type PaybondToolInputGuardAllowDecision, type PaybondToolInputGuardApprovalRequiredDecision, type PaybondToolInputGuardDecision, type PaybondToolInputGuardDenyDecision, type PaybondToolInputGuardAdapter, type PaybondToolRegistryConfig, type PaybondToolResolution, type PaybondWrapToolsOptions, } from "./agent/index.js";
1421
+ export { PaybondAgentRun, PaybondAgentRunBindError, PaybondAgentRunFacade, PaybondEvidenceSubmitError, PaybondFrameworkAdapter, PaybondToolInterceptor, PaybondToolRegistry, PaybondToolRegistryValidationError, PaybondUnregisteredSideEffectingToolError, buildAutoEvidencePayload, createGenericToolExecutor, createGuardedAgent, createGuardedAgentRunner, createPaybondAgent, createPaybondGenericAgentConfig, createPaybondGenericInputGuard, createPaybondToolRegistry, createToolInputGuardAdapter, instrumentPaybondAgent, instrumentPaybondClaudeAgents, instrumentPaybondLangGraph, instrumentPaybondMCP, instrumentPaybondOpenAI, instrumentPaybondVercel, paybondGenericToolExecutorAdapter, paybondToolInputGuardAdapter, resolveAgentPolicySource, toPaybondAgentResult, wrapPaybondTools, PaybondInstrumentBuilder, PaybondInstrumented, PaybondInstrumentRuntime, PaybondLazyContextError, PaybondUnboundContextError, discoverPolicyFromAgent, discoverToolNames, discoverToolsFromAgent, inlinePolicyToDocument, isInlinePolicy, isInstrumentableAgentObject, readPaybondAgentInstrumentation, type CreateGuardedAgentInput, type CreateGuardedAgentResult, type GuardedAgentFramework, type PaybondAgentHooks, type PaybondAgentInput, type PaybondAgentResult, type PaybondAgentRunBindInput, type PaybondAuthorizeToolCallInput, type PaybondEvidenceMapper, type PaybondExternalAttestationMapper, type PaybondGenericAgentConfig, type PaybondGenericToolCall, type PaybondGenericToolDefinition, type PaybondGenericWrappedToolDefinition, type PaybondInlinePolicy, type PaybondAgentInstrumentation, type PaybondInstrumentAgentOptions, type PaybondInstrumentBinding, type PaybondInstrumentContext, type PaybondInstrumentContextInput, type PaybondInstrumentContextProvider, type PaybondInstrumentInput, type PaybondInterceptEvidenceResult, type PaybondInterceptWrapExecuteInput, type PaybondInterceptWrapExecuteResult, type PaybondRunBinding, type PaybondRunBindingAttachInput, type PaybondRunBindingSandboxBootstrapInput, type PaybondRunGuard, type PaybondSideEffectingToolEntry, type PaybondSideEffectingToolPolicy, type PaybondSpendResolver, type PaybondToolCallContext, type PaybondToolInputGuardAllowDecision, type PaybondToolInputGuardApprovalRequiredDecision, type PaybondToolInputGuardDecision, type PaybondToolInputGuardDenyDecision, type PaybondToolInputGuardAdapter, type PaybondToolRegistryConfig, type PaybondToolResolution, type PaybondWrapToolsOptions, } from "./agent/index.js";
1349
1422
  export { PaybondAudit, PaybondAuditExports, GatewayAuditExportsClient, parseAuditExportList, parseAuditExportJobGet, verifyAuditManifest, verifyAuditBundleLocal, type AuditExportJobDetail, type AuditExportJobGetResponse, type AuditExportJobSummary, type AuditExportListPage, type AuditVerifyResult, type AuditExportsGateway, } from "./audit/index.js";
1350
1423
  export { PaybondPolicy, composePolicyLayers, composeBundledPresetDefault, domain, guardrails, paybondPolicyPresets, resolveComposedPresetDocument, type LayeredPolicyPresetId, type PaybondPolicyPresets, type PolicyGuardrailLayer, type PolicyPresetId, type VerticalPolicyOptions, } from "./policy/index.js";
1351
1424
  export { getSolutionSmokeDefaults, isKnownSolutionId, listSolutionIds, loadSolutionManifest, paybondSolutionPresets, type PaybondSolutionBundle, type PaybondSolutionPresets, type SolutionId, type SolutionManifest, type SolutionSmokeDefaults, } from "./solutions/index.js";
1425
+ export { appendDirectHarborPaymentAuthorization, formatPaymentAuthorizationValue, PAYBOND_PAYMENT_AUTHORIZATION_HEADER, PAYMENT_TRANSPORT_RESPONSE_HEADERS, paymentAuthorizationGatewayHeader, readFundPaymentTransportHeaders, type FundPaymentTransportHeaders, } from "./payment-transport.js";
1426
+ export { AGENT_RECEIPT_KIND_V1, AGENT_RECEIPT_SCHEMA_VERSION, AGENT_RECEIPT_SCOPE_ACTION, AGENT_RECEIPT_SCOPE_INTENT_TERMINAL, AGENT_RECEIPT_SIGNING_ALGORITHM_ED25519, AGENT_RECEIPT_VERSION_V1, AGENT_RECEIPT_WELL_KNOWN_PATH, actionReceiptId, canonicalAgentReceiptBytes, configHashSha256Hex, promptHashSha256Hex, valueDigestSha256Hex, verifyAgentReceiptV1, type AgentReceiptAgentV1, type AgentReceiptAuthorizationV1, type AgentReceiptEvidenceV1, type AgentReceiptExecutionV1, type AgentReceiptExternalAttestationV1, type AgentReceiptMerchantV1, type AgentReceiptOutcomeV1, type AgentReceiptPaymentV1, type AgentReceiptPolicyV1, type AgentReceiptReferencesV1, type AgentReceiptV1, type ConfigHashInput, } from "./agent-receipt.js";
1427
+ export { AGENT_RECEIPT_EXTERNAL_SOURCE_SEP2828, AGENT_RECEIPT_EXTERNAL_SOURCE_X402, partnerRecordDigestSha256Hex, resolveExternalAttestations, sep2828RecordsToExternalAttestations, x402ReceiptToExternalAttestations, type PaybondExternalAttestationInput, } from "./agent-receipt-external-attestations.js";