@paybond/kit 0.11.11 → 0.12.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/completion-presets/catalog.json +10 -5
- package/completion-presets/catalog.sha256 +1 -1
- package/dist/agent/evidence.d.ts +10 -0
- package/dist/agent/evidence.js +16 -0
- package/dist/agent/index.d.ts +3 -2
- package/dist/agent/index.js +2 -1
- package/dist/agent/interceptor.d.ts +9 -0
- package/dist/agent/interceptor.js +181 -1
- package/dist/agent/receipt-client.d.ts +64 -0
- package/dist/agent/receipt-client.js +45 -0
- package/dist/agent/registry.js +1 -0
- package/dist/agent/run.d.ts +5 -0
- package/dist/agent/run.js +52 -0
- package/dist/agent/types.d.ts +70 -0
- package/dist/agent-mandate.d.ts +103 -0
- package/dist/agent-mandate.js +423 -0
- package/dist/agent-receipt-external-attestations.d.ts +56 -0
- package/dist/agent-receipt-external-attestations.js +185 -0
- package/dist/agent-receipt-pdf-export.d.ts +43 -0
- package/dist/agent-receipt-pdf-export.js +109 -0
- package/dist/agent-receipt-prevalidate.d.ts +7 -0
- package/dist/agent-receipt-prevalidate.js +63 -0
- package/dist/agent-receipt.d.ts +154 -0
- package/dist/agent-receipt.js +639 -0
- package/dist/audit/exports.d.ts +15 -1
- package/dist/audit/exports.js +55 -8
- package/dist/audit/index.d.ts +2 -2
- package/dist/audit/wire.d.ts +12 -0
- package/dist/audit/wire.js +13 -1
- package/dist/cli/command-spec.js +54 -3
- package/dist/cli/commands/dev.js +10 -3
- package/dist/cli/commands/discovery.js +17 -6
- package/dist/cli/commands/setup.js +19 -1
- package/dist/cli/commands/shopify.d.ts +53 -0
- package/dist/cli/commands/shopify.js +808 -0
- package/dist/cli/help.d.ts +1 -1
- package/dist/cli/help.js +15 -5
- package/dist/cli/router.js +15 -1
- package/dist/commerce-binding.d.ts +59 -0
- package/dist/commerce-binding.js +129 -0
- package/dist/completion-catalog-digest.d.ts +1 -1
- package/dist/completion-catalog-digest.js +1 -1
- package/dist/doctor-completion.d.ts +16 -0
- package/dist/doctor-completion.js +157 -1
- package/dist/index.d.ts +108 -7
- package/dist/index.js +221 -18
- package/dist/mcp-receipt-resource.d.ts +10 -0
- package/dist/mcp-receipt-resource.js +32 -0
- package/dist/mcp-server.d.ts +7 -0
- package/dist/mcp-server.js +81 -1
- package/dist/mpp-commercial.d.ts +19 -0
- package/dist/mpp-commercial.js +34 -0
- package/dist/mpp-funding.d.ts +71 -0
- package/dist/mpp-funding.js +192 -0
- package/dist/payment-transport.d.ts +30 -0
- package/dist/payment-transport.js +56 -0
- package/dist/policy/intent-spec.js +2 -0
- package/dist/policy/presets.d.ts +1 -1
- package/dist/policy/presets.js +1 -0
- package/dist/principal-intent.d.ts +1 -1
- package/dist/principal-intent.js +4 -1
- package/dist/project-init.d.ts +1 -1
- package/dist/project-init.js +1 -0
- package/dist/protocol-receipt.d.ts +129 -0
- package/dist/protocol-receipt.js +620 -0
- package/dist/shopify/checkout.d.ts +29 -0
- package/dist/shopify/checkout.js +79 -0
- package/dist/shopify/evidence.d.ts +13 -0
- package/dist/shopify/evidence.js +85 -0
- package/dist/shopify/index.d.ts +8 -0
- package/dist/shopify/index.js +6 -0
- package/dist/shopify/instrument.d.ts +61 -0
- package/dist/shopify/instrument.js +52 -0
- package/dist/shopify/order.d.ts +8 -0
- package/dist/shopify/order.js +110 -0
- package/dist/shopify/types.d.ts +82 -0
- package/dist/shopify/types.js +4 -0
- package/dist/solutions/catalog.d.ts +1 -1
- package/dist/solutions/catalog.js +1 -1
- package/dist/stripe-commerce/evidence.d.ts +13 -0
- package/dist/stripe-commerce/evidence.js +164 -0
- package/dist/stripe-commerce/index.d.ts +3 -0
- package/dist/stripe-commerce/index.js +2 -0
- package/dist/stripe-commerce/metadata.d.ts +11 -0
- package/dist/stripe-commerce/metadata.js +34 -0
- package/dist/stripe-commerce/types.d.ts +38 -0
- package/dist/stripe-commerce/types.js +1 -0
- package/dist/template-init.d.ts +1 -1
- package/dist/template-init.js +6 -1
- package/package.json +1 -1
- package/policy/presets/stripe-commerce.yaml +19 -0
- package/solutions/stripe-commerce.json +19 -0
- package/templates/manifest.json +82 -10
- package/templates/openai-shopping-agent/package-lock.json +13 -13
- package/templates/openai-shopping-agent/src/paybond.config.ts +1 -1
- package/templates/paybond-aws-operator/package-lock.json +7 -7
- package/templates/paybond-aws-operator/src/paybond.config.ts +1 -1
- package/templates/paybond-claude-agents-demo/package-lock.json +10 -10
- package/templates/paybond-claude-agents-demo/src/paybond.config.ts +1 -1
- package/templates/paybond-mastra-travel-agent/package-lock.json +33 -33
- package/templates/paybond-mastra-travel-agent/src/paybond.config.ts +1 -1
- package/templates/paybond-mcp-coding-agent/package-lock.json +7 -7
- package/templates/paybond-mcp-coding-agent/src/paybond.config.ts +1 -1
- package/templates/paybond-openai-agents-demo/package-lock.json +13 -13
- package/templates/paybond-openai-agents-demo/src/paybond.config.ts +1 -1
- package/templates/paybond-procurement-agent/package-lock.json +7 -7
- package/templates/paybond-procurement-agent/src/paybond.config.ts +1 -1
- package/templates/paybond-shopify-shopping-agent/.env.example +3 -0
- package/templates/paybond-shopify-shopping-agent/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-shopify-shopping-agent/LICENSE +201 -0
- package/templates/paybond-shopify-shopping-agent/README.md +29 -0
- package/templates/paybond-shopify-shopping-agent/package-lock.json +223 -0
- package/templates/paybond-shopify-shopping-agent/package.json +20 -0
- package/templates/paybond-shopify-shopping-agent/paybond.policy.yaml +22 -0
- package/templates/paybond-shopify-shopping-agent/src/index.ts +54 -0
- package/templates/paybond-shopify-shopping-agent/src/paybond.config.ts +51 -0
- package/templates/paybond-shopify-shopping-agent/tsconfig.json +13 -0
- package/templates/paybond-stripe-agent-demo/.env.example +9 -0
- package/templates/paybond-stripe-agent-demo/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-stripe-agent-demo/LICENSE +201 -0
- package/templates/paybond-stripe-agent-demo/README.md +50 -0
- package/templates/paybond-stripe-agent-demo/package-lock.json +223 -0
- package/templates/paybond-stripe-agent-demo/package.json +20 -0
- package/templates/paybond-stripe-agent-demo/paybond.policy.yaml +22 -0
- package/templates/paybond-stripe-agent-demo/src/charge-customer.ts +237 -0
- package/templates/paybond-stripe-agent-demo/src/index.ts +78 -0
- package/templates/paybond-stripe-agent-demo/src/paybond.config.ts +51 -0
- package/templates/paybond-stripe-agent-demo/tsconfig.json +13 -0
- package/templates/paybond-travel-agent/package-lock.json +13 -13
- package/templates/paybond-travel-agent/src/paybond.config.ts +1 -1
- package/templates/paybond-vercel-shopping-agent/package-lock.json +7 -7
- package/templates/paybond-vercel-shopping-agent/src/paybond.config.ts +1 -1
package/dist/index.js
CHANGED
|
@@ -4,16 +4,19 @@
|
|
|
4
4
|
*/
|
|
5
5
|
import { buildSignedCreateIntentBody, buildSignedCreateIntentBodyWithPolicyBinding, } from "./principal-intent.js";
|
|
6
6
|
import { signPayeeEvidenceBinding } from "./payee-evidence.js";
|
|
7
|
-
import {
|
|
7
|
+
import { PAYBOND_AGENT_RECEIPT_ATTESTATIONS_HEADER, PAYBOND_AGENT_RECEIPT_SOURCE_RUN_HEADER, } from "./agent-receipt.js";
|
|
8
|
+
import { PaybondAgentRunFacade, createPaybondAgentCallable, PaybondInstrumentBuilder, createGuardedAgent, createGuardedAgentRunner, createPaybondAgent, createPaybondToolRegistry, instrumentPaybondAgent, instrumentPaybondClaudeAgents, instrumentPaybondLangGraph, instrumentPaybondMCP, instrumentPaybondOpenAI, instrumentPaybondVercel, resolveAgentPolicySource, wrapPaybondTools, } from "./agent/index.js";
|
|
8
9
|
import { GatewayAgentRunTraceReporter, } from "./agent/gateway-trace-reporter.js";
|
|
9
10
|
import { fetchWithGatewayRetries, gatewayRetryDelayMs, shouldRetryGatewayResponse, } from "./gateway-retry.js";
|
|
10
11
|
import { PaybondAudit, PaybondAuditExports } from "./audit/index.js";
|
|
12
|
+
import { formatPaymentAuthorizationValue, paymentAuthorizationGatewayHeader, readFundPaymentTransportHeaders, } from "./payment-transport.js";
|
|
11
13
|
import { parsePolicyRemoteValidateResponse, policyValidateQueryString, } from "./policy/validate-remote.js";
|
|
12
14
|
import { parsePolicyEffectiveResolveResponse, } from "./policy/load-effective.js";
|
|
13
15
|
import { paybondPolicyPresets } from "./policy/policy-api.js";
|
|
14
16
|
import { paybondSolutionPresets } from "./solutions/api.js";
|
|
15
17
|
import { requireSecureGatewayUrl } from "./gateway-url.js";
|
|
16
18
|
import { executeFundWithX402, } from "./x402-funding.js";
|
|
19
|
+
import { executeFundWithMppCharge, executeFundWithMppSession, } from "./mpp-funding.js";
|
|
17
20
|
function parseVerifyCapabilityBody(body, expectedTenant, expectedIntentId) {
|
|
18
21
|
const tenant = String(body.tenant ?? "");
|
|
19
22
|
const intentId = String(body.intent_id ?? "");
|
|
@@ -83,6 +86,12 @@ function verifyCapabilityPayload(input) {
|
|
|
83
86
|
payload.approval_token = input.approvalToken.trim();
|
|
84
87
|
if (input.idempotencyKey?.trim())
|
|
85
88
|
payload.idempotency_key = input.idempotencyKey.trim();
|
|
89
|
+
if (input.modelFamily?.trim())
|
|
90
|
+
payload.model_family = input.modelFamily.trim();
|
|
91
|
+
if (input.configHashHex?.trim())
|
|
92
|
+
payload.config_hash_hex = input.configHashHex.trim().toLowerCase();
|
|
93
|
+
if (input.promptHashHex?.trim())
|
|
94
|
+
payload.prompt_hash_hex = input.promptHashHex.trim().toLowerCase();
|
|
86
95
|
return payload;
|
|
87
96
|
}
|
|
88
97
|
export const DEFAULT_PAYBOND_GATEWAY_BASE_URL = "https://api.paybond.ai";
|
|
@@ -469,7 +478,7 @@ export class HarborClient {
|
|
|
469
478
|
}
|
|
470
479
|
throw lastErr instanceof Error ? lastErr : new Error(String(lastErr));
|
|
471
480
|
}
|
|
472
|
-
async fetchWithRetries(url, init, { retryBody, retryBodyText, }) {
|
|
481
|
+
async fetchWithRetries(url, init, { retryBody, retryBodyText, appendAuthorization, } = {}) {
|
|
473
482
|
let lastErr;
|
|
474
483
|
for (let attempt = 0; attempt < this.maxRetries; attempt++) {
|
|
475
484
|
let res;
|
|
@@ -479,6 +488,9 @@ export class HarborClient {
|
|
|
479
488
|
for (const [k, v] of Object.entries(auth)) {
|
|
480
489
|
headers.set(k, v);
|
|
481
490
|
}
|
|
491
|
+
for (const value of appendAuthorization ?? []) {
|
|
492
|
+
headers.append("authorization", value);
|
|
493
|
+
}
|
|
482
494
|
res = await fetch(url, { ...init, headers });
|
|
483
495
|
}
|
|
484
496
|
catch (e) {
|
|
@@ -600,11 +612,18 @@ export class HarborClient {
|
|
|
600
612
|
if (options?.paymentSignature?.trim()) {
|
|
601
613
|
headers["payment-signature"] = options.paymentSignature.trim();
|
|
602
614
|
}
|
|
615
|
+
const appendAuthorization = options?.paymentAuthorization?.trim() !== undefined &&
|
|
616
|
+
options.paymentAuthorization.trim() !== ""
|
|
617
|
+
? [formatPaymentAuthorizationValue(options.paymentAuthorization)]
|
|
618
|
+
: undefined;
|
|
603
619
|
const res = await this.fetchWithRetries(url, {
|
|
604
620
|
method: "POST",
|
|
605
621
|
headers,
|
|
606
622
|
body: "",
|
|
607
|
-
}, {
|
|
623
|
+
}, {
|
|
624
|
+
retryBodyText: "",
|
|
625
|
+
appendAuthorization,
|
|
626
|
+
});
|
|
608
627
|
const text = await res.text();
|
|
609
628
|
if (![200, 202, 402].includes(res.status)) {
|
|
610
629
|
throw new HarborHttpError(`Harbor fund intent HTTP ${res.status}: ${text}`, {
|
|
@@ -614,6 +633,7 @@ export class HarborClient {
|
|
|
614
633
|
});
|
|
615
634
|
}
|
|
616
635
|
const body = assertJSONObject(JSON.parse(text));
|
|
636
|
+
const transport = readFundPaymentTransportHeaders(res.headers);
|
|
617
637
|
const tenant = String(body.tenant ?? "");
|
|
618
638
|
if (tenant !== this.tenantId) {
|
|
619
639
|
throw new Error(`fund tenant mismatch: client=${this.tenantId} harbor=${tenant}`);
|
|
@@ -636,6 +656,9 @@ export class HarborClient {
|
|
|
636
656
|
statusCode: res.status,
|
|
637
657
|
paymentRequired: res.headers.get("payment-required") ?? undefined,
|
|
638
658
|
paymentResponse: res.headers.get("payment-response") ?? undefined,
|
|
659
|
+
wwwAuthenticate: transport.wwwAuthenticate,
|
|
660
|
+
paymentReceipt: transport.paymentReceipt,
|
|
661
|
+
cacheControl: transport.cacheControl,
|
|
639
662
|
intentId: echoedIntentId,
|
|
640
663
|
tenant,
|
|
641
664
|
state: body.state,
|
|
@@ -912,6 +935,14 @@ export class GatewayHarborClient {
|
|
|
912
935
|
return gatewayMutationHeaders(proof, {
|
|
913
936
|
...(headers ?? {}),
|
|
914
937
|
...(options?.idempotencyKey?.trim() ? { "idempotency-key": options.idempotencyKey.trim() } : {}),
|
|
938
|
+
...(options?.agentReceiptAttestations !== undefined
|
|
939
|
+
? {
|
|
940
|
+
[PAYBOND_AGENT_RECEIPT_ATTESTATIONS_HEADER]: JSON.stringify(options.agentReceiptAttestations),
|
|
941
|
+
}
|
|
942
|
+
: {}),
|
|
943
|
+
...(options?.agentReceiptSourceRunId?.trim()
|
|
944
|
+
? { [PAYBOND_AGENT_RECEIPT_SOURCE_RUN_HEADER]: options.agentReceiptSourceRunId.trim() }
|
|
945
|
+
: {}),
|
|
915
946
|
});
|
|
916
947
|
}
|
|
917
948
|
async verifyCapability(input) {
|
|
@@ -996,9 +1027,13 @@ export class GatewayHarborClient {
|
|
|
996
1027
|
return JSON.parse(text);
|
|
997
1028
|
}
|
|
998
1029
|
async fundIntent(intentId, options) {
|
|
999
|
-
const
|
|
1030
|
+
const paymentHeaders = {
|
|
1000
1031
|
...(options.paymentSignature?.trim() ? { "payment-signature": options.paymentSignature.trim() } : {}),
|
|
1001
|
-
|
|
1032
|
+
...(options.paymentAuthorization?.trim()
|
|
1033
|
+
? paymentAuthorizationGatewayHeader(options.paymentAuthorization)
|
|
1034
|
+
: {}),
|
|
1035
|
+
};
|
|
1036
|
+
const { res, text, url } = await this.postJSON(`/harbor/intents/${encodeURIComponent(intentId)}/fund`, {}, this.mutationHeaders("fundIntent", options, paymentHeaders));
|
|
1002
1037
|
if (![200, 202, 402].includes(res.status)) {
|
|
1003
1038
|
throw new HarborHttpError(`Gateway Harbor fund intent HTTP ${res.status}: ${text}`, {
|
|
1004
1039
|
statusCode: res.status,
|
|
@@ -1006,12 +1041,16 @@ export class GatewayHarborClient {
|
|
|
1006
1041
|
bodyText: text,
|
|
1007
1042
|
});
|
|
1008
1043
|
}
|
|
1044
|
+
const transport = readFundPaymentTransportHeaders(res.headers);
|
|
1009
1045
|
return parseFundIntentResponse(assertJSONObject(JSON.parse(text)), {
|
|
1010
1046
|
tenantId: this.tenantId,
|
|
1011
1047
|
intentId,
|
|
1012
1048
|
statusCode: res.status,
|
|
1013
1049
|
paymentRequired: res.headers.get("payment-required") ?? undefined,
|
|
1014
1050
|
paymentResponse: res.headers.get("payment-response") ?? undefined,
|
|
1051
|
+
wwwAuthenticate: transport.wwwAuthenticate,
|
|
1052
|
+
paymentReceipt: transport.paymentReceipt,
|
|
1053
|
+
cacheControl: transport.cacheControl,
|
|
1015
1054
|
source: "gateway",
|
|
1016
1055
|
});
|
|
1017
1056
|
}
|
|
@@ -1159,7 +1198,7 @@ export class PaybondGuardrails {
|
|
|
1159
1198
|
}
|
|
1160
1199
|
}
|
|
1161
1200
|
const DEFAULT_PRINCIPAL_PATH = "/v1/auth/principal";
|
|
1162
|
-
const SETTLEMENT_RAIL_VALUES = new Set(["stripe_connect", "stripe_ach_debit", "x402_usdc_base"]);
|
|
1201
|
+
const SETTLEMENT_RAIL_VALUES = new Set(["stripe_connect", "stripe_ach_debit", "stripe_mpp", "x402_usdc_base"]);
|
|
1163
1202
|
const FRAUD_REVIEW_EVENT_TYPES = new Set([
|
|
1164
1203
|
"review_open_requested",
|
|
1165
1204
|
"appeal_requested",
|
|
@@ -1211,6 +1250,9 @@ function parseFundIntentResponse(body, init) {
|
|
|
1211
1250
|
statusCode: init.statusCode,
|
|
1212
1251
|
paymentRequired: init.paymentRequired,
|
|
1213
1252
|
paymentResponse: init.paymentResponse,
|
|
1253
|
+
wwwAuthenticate: init.wwwAuthenticate,
|
|
1254
|
+
paymentReceipt: init.paymentReceipt,
|
|
1255
|
+
cacheControl: init.cacheControl,
|
|
1214
1256
|
intentId: echoedIntentId,
|
|
1215
1257
|
tenant,
|
|
1216
1258
|
state: body.state,
|
|
@@ -1360,6 +1402,9 @@ function parseIntentFundingResult(value) {
|
|
|
1360
1402
|
settlementRail: readSettlementRailValue(body.settlement_rail, "funding.settlement_rail"),
|
|
1361
1403
|
harborFundEndpoint: readOptionalString("harbor_fund_endpoint"),
|
|
1362
1404
|
status: readOptionalString("status"),
|
|
1405
|
+
intent: readOptionalString("intent"),
|
|
1406
|
+
method: readOptionalString("method"),
|
|
1407
|
+
challengeId: readOptionalString("challenge_id"),
|
|
1363
1408
|
paymentSessionId: readOptionalString("payment_session_id"),
|
|
1364
1409
|
paymentUrl: readOptionalString("payment_url"),
|
|
1365
1410
|
stripePaymentIntentId: readOptionalString("stripe_payment_intent_id"),
|
|
@@ -1375,6 +1420,17 @@ function parseIntentFundingResult(value) {
|
|
|
1375
1420
|
bankName: readOptionalString("bank_name"),
|
|
1376
1421
|
asset: readOptionalString("asset"),
|
|
1377
1422
|
network: readOptionalString("network"),
|
|
1423
|
+
settlementAsset: readOptionalString("settlement_asset"),
|
|
1424
|
+
settlementNetwork: readOptionalString("settlement_network"),
|
|
1425
|
+
channelId: readOptionalString("channel_id"),
|
|
1426
|
+
sessionProtocol: readOptionalString("session_protocol"),
|
|
1427
|
+
depositAmountBaseUnits: readOptionalString("deposit_amount_base_units"),
|
|
1428
|
+
acceptedCumulativeBaseUnits: readOptionalString("accepted_cumulative_base_units"),
|
|
1429
|
+
pendingCumulativeBaseUnits: readOptionalString("pending_cumulative_base_units"),
|
|
1430
|
+
descriptorHash: readOptionalString("descriptor_hash"),
|
|
1431
|
+
lastVoucherAt: readOptionalString("last_voucher_at"),
|
|
1432
|
+
lastSettleTxHash: readOptionalString("last_settle_tx_hash"),
|
|
1433
|
+
channelStatus: readOptionalString("channel_status"),
|
|
1378
1434
|
authorizationId: readOptionalString("authorization_id"),
|
|
1379
1435
|
captureId: readOptionalString("capture_id"),
|
|
1380
1436
|
voidId: readOptionalString("void_id"),
|
|
@@ -2050,6 +2106,80 @@ export class GatewayProtocolClient {
|
|
|
2050
2106
|
}
|
|
2051
2107
|
return assertJSONObject(JSON.parse(text));
|
|
2052
2108
|
}
|
|
2109
|
+
async getAgentReceiptV1ByID(receiptId) {
|
|
2110
|
+
const enc = encodeURIComponent(receiptId);
|
|
2111
|
+
const url = `${this.base}protocol/v2/agent-receipts/${enc}`;
|
|
2112
|
+
const res = await this.fetchWithRetries(url, {
|
|
2113
|
+
method: "GET",
|
|
2114
|
+
headers: this.headers(),
|
|
2115
|
+
});
|
|
2116
|
+
const text = await res.text();
|
|
2117
|
+
if (!res.ok) {
|
|
2118
|
+
const parsed = parseGatewayErrorEnvelope(text);
|
|
2119
|
+
throw new ProtocolHttpError(protocolHTTPErrorMessage("agent receipt", res.status, text), {
|
|
2120
|
+
statusCode: res.status,
|
|
2121
|
+
url,
|
|
2122
|
+
bodyText: text,
|
|
2123
|
+
errorCode: parsed.errorCode,
|
|
2124
|
+
errorMessage: parsed.errorMessage,
|
|
2125
|
+
});
|
|
2126
|
+
}
|
|
2127
|
+
const body = assertJSONObject(JSON.parse(text));
|
|
2128
|
+
if (String(body.receipt_id ?? "").trim() !== receiptId) {
|
|
2129
|
+
throw new Error(`agent receipt mismatch: requested=${receiptId} gateway=${String(body.receipt_id ?? "")}`);
|
|
2130
|
+
}
|
|
2131
|
+
if (String(body.tenant_id ?? "").trim() !== this.tenantId) {
|
|
2132
|
+
throw new Error(`agent receipt tenant mismatch: client=${this.tenantId} gateway=${String(body.tenant_id ?? "")}`);
|
|
2133
|
+
}
|
|
2134
|
+
return body;
|
|
2135
|
+
}
|
|
2136
|
+
async getAgentReceiptV1ByIntentToolCall(init) {
|
|
2137
|
+
const params = new URLSearchParams({
|
|
2138
|
+
intent_id: init.intentId,
|
|
2139
|
+
tool_call_id: init.toolCallId,
|
|
2140
|
+
});
|
|
2141
|
+
const url = `${this.base}protocol/v2/agent-receipts?${params.toString()}`;
|
|
2142
|
+
const res = await this.fetchWithRetries(url, {
|
|
2143
|
+
method: "GET",
|
|
2144
|
+
headers: this.headers(),
|
|
2145
|
+
});
|
|
2146
|
+
const text = await res.text();
|
|
2147
|
+
if (!res.ok) {
|
|
2148
|
+
const parsed = parseGatewayErrorEnvelope(text);
|
|
2149
|
+
throw new ProtocolHttpError(protocolHTTPErrorMessage("agent receipt lookup", res.status, text), {
|
|
2150
|
+
statusCode: res.status,
|
|
2151
|
+
url,
|
|
2152
|
+
bodyText: text,
|
|
2153
|
+
errorCode: parsed.errorCode,
|
|
2154
|
+
errorMessage: parsed.errorMessage,
|
|
2155
|
+
});
|
|
2156
|
+
}
|
|
2157
|
+
const body = assertJSONObject(JSON.parse(text));
|
|
2158
|
+
if (String(body.tenant_id ?? "").trim() !== this.tenantId) {
|
|
2159
|
+
throw new Error(`agent receipt tenant mismatch: client=${this.tenantId} gateway=${String(body.tenant_id ?? "")}`);
|
|
2160
|
+
}
|
|
2161
|
+
return body;
|
|
2162
|
+
}
|
|
2163
|
+
async verifyAgentReceiptV1(receipt) {
|
|
2164
|
+
const url = `${this.base}protocol/v2/agent-receipts/verify`;
|
|
2165
|
+
const res = await this.fetchWithRetries(url, {
|
|
2166
|
+
method: "POST",
|
|
2167
|
+
headers: this.headers({ "content-type": "application/json" }),
|
|
2168
|
+
body: JSON.stringify(receipt),
|
|
2169
|
+
});
|
|
2170
|
+
const text = await res.text();
|
|
2171
|
+
if (!res.ok) {
|
|
2172
|
+
const parsed = parseGatewayErrorEnvelope(text);
|
|
2173
|
+
throw new ProtocolHttpError(protocolHTTPErrorMessage("agent receipt verify", res.status, text), {
|
|
2174
|
+
statusCode: res.status,
|
|
2175
|
+
url,
|
|
2176
|
+
bodyText: text,
|
|
2177
|
+
errorCode: parsed.errorCode,
|
|
2178
|
+
errorMessage: parsed.errorMessage,
|
|
2179
|
+
});
|
|
2180
|
+
}
|
|
2181
|
+
return assertJSONObject(JSON.parse(text));
|
|
2182
|
+
}
|
|
2053
2183
|
async createHarborIntent(init) {
|
|
2054
2184
|
return this.postJSON("/harbor/intents", init.body, gatewayMutationHeaders(init.recognitionProof, {
|
|
2055
2185
|
...(init.idempotencyKey?.trim() ? { "idempotency-key": init.idempotencyKey.trim() } : {}),
|
|
@@ -2081,7 +2211,14 @@ function gatewayMutationHeaders(recognitionProof, headers) {
|
|
|
2081
2211
|
function encodeRecognitionProofHeader(proof) {
|
|
2082
2212
|
return Buffer.from(JSON.stringify(proof), "utf8").toString("base64url");
|
|
2083
2213
|
}
|
|
2084
|
-
|
|
2214
|
+
function readPrincipalEnvironment(actualRaw) {
|
|
2215
|
+
const actual = typeof actualRaw === "string" ? actualRaw.trim() : "";
|
|
2216
|
+
if (actual === "live" || actual === "sandbox") {
|
|
2217
|
+
return actual;
|
|
2218
|
+
}
|
|
2219
|
+
return null;
|
|
2220
|
+
}
|
|
2221
|
+
async function resolveGatewayPrincipal(gatewayBaseUrl, apiKey, principalPath, maxRetries, expectedEnvironment) {
|
|
2085
2222
|
const base = normalizeBase(gatewayBaseUrl);
|
|
2086
2223
|
const path = principalPath.startsWith("/") ? principalPath : `/${principalPath}`;
|
|
2087
2224
|
const url = `${base}${path}`;
|
|
@@ -2125,10 +2262,14 @@ async function resolveGatewayTenantId(gatewayBaseUrl, apiKey, principalPath, max
|
|
|
2125
2262
|
});
|
|
2126
2263
|
}
|
|
2127
2264
|
assertExpectedEnvironment("gateway principal", body.environment, expected, text);
|
|
2128
|
-
return tenant;
|
|
2265
|
+
return { tenantId: tenant, environment: readPrincipalEnvironment(body.environment) };
|
|
2129
2266
|
}
|
|
2130
2267
|
throw lastErr instanceof Error ? lastErr : new Error(String(lastErr));
|
|
2131
2268
|
}
|
|
2269
|
+
async function resolveGatewayTenantId(gatewayBaseUrl, apiKey, principalPath, maxRetries, expectedEnvironment) {
|
|
2270
|
+
const principal = await resolveGatewayPrincipal(gatewayBaseUrl, apiKey, principalPath, maxRetries, expectedEnvironment);
|
|
2271
|
+
return principal.tenantId;
|
|
2272
|
+
}
|
|
2132
2273
|
/**
|
|
2133
2274
|
* Read-only tenant-bound Signal session for one service-account API key.
|
|
2134
2275
|
*/
|
|
@@ -2217,6 +2358,7 @@ export class PaybondIntents {
|
|
|
2217
2358
|
async fund(params) {
|
|
2218
2359
|
return this.harbor.fundIntent(params.intentId, {
|
|
2219
2360
|
paymentSignature: params.paymentSignature,
|
|
2361
|
+
paymentAuthorization: params.paymentAuthorization,
|
|
2220
2362
|
idempotencyKey: params.idempotencyKey,
|
|
2221
2363
|
recognitionProof: params.recognitionProof,
|
|
2222
2364
|
});
|
|
@@ -2242,6 +2384,52 @@ export class PaybondIntents {
|
|
|
2242
2384
|
}),
|
|
2243
2385
|
});
|
|
2244
2386
|
}
|
|
2387
|
+
/**
|
|
2388
|
+
* One-shot Stripe MPP charge fund flow: create Payment Auth credentials from 402 challenges,
|
|
2389
|
+
* retry with `paymentAuthorization`, and poll until funded.
|
|
2390
|
+
*
|
|
2391
|
+
* MPP wallet and SPT secrets stay app-owned — pass injectable `createPaymentCredential` and
|
|
2392
|
+
* `issueRecognitionProof` callbacks.
|
|
2393
|
+
*/
|
|
2394
|
+
async fundWithMppCharge(params) {
|
|
2395
|
+
const { intentId, recognitionProof, createPaymentCredential, issueRecognitionProof, pollOptions, idempotencyKey, } = params;
|
|
2396
|
+
return executeFundWithMppCharge({
|
|
2397
|
+
intentId,
|
|
2398
|
+
recognitionProof,
|
|
2399
|
+
createPaymentCredential,
|
|
2400
|
+
issueRecognitionProof,
|
|
2401
|
+
pollOptions,
|
|
2402
|
+
fund: ({ recognitionProof: proof, paymentAuthorization }) => this.fund({
|
|
2403
|
+
intentId,
|
|
2404
|
+
recognitionProof: proof,
|
|
2405
|
+
paymentAuthorization,
|
|
2406
|
+
idempotencyKey,
|
|
2407
|
+
}),
|
|
2408
|
+
});
|
|
2409
|
+
}
|
|
2410
|
+
/**
|
|
2411
|
+
* Tempo MPP session fund flow: open a session channel deposit via Payment Auth credentials,
|
|
2412
|
+
* retry with `paymentAuthorization`, and poll until the intent is funded.
|
|
2413
|
+
*
|
|
2414
|
+
* MPP wallet and SPT secrets stay app-owned — pass injectable `createPaymentCredential` and
|
|
2415
|
+
* `issueRecognitionProof` callbacks.
|
|
2416
|
+
*/
|
|
2417
|
+
async fundWithMppSession(params) {
|
|
2418
|
+
const { intentId, recognitionProof, createPaymentCredential, issueRecognitionProof, pollOptions, idempotencyKey, } = params;
|
|
2419
|
+
return executeFundWithMppSession({
|
|
2420
|
+
intentId,
|
|
2421
|
+
recognitionProof,
|
|
2422
|
+
createPaymentCredential,
|
|
2423
|
+
issueRecognitionProof,
|
|
2424
|
+
pollOptions,
|
|
2425
|
+
fund: ({ recognitionProof: proof, paymentAuthorization }) => this.fund({
|
|
2426
|
+
intentId,
|
|
2427
|
+
recognitionProof: proof,
|
|
2428
|
+
paymentAuthorization,
|
|
2429
|
+
idempotencyKey,
|
|
2430
|
+
}),
|
|
2431
|
+
});
|
|
2432
|
+
}
|
|
2245
2433
|
/**
|
|
2246
2434
|
* Sign payee evidence and POST it. `payeeSigningSeed` must be 32 bytes.
|
|
2247
2435
|
*/
|
|
@@ -2277,7 +2465,15 @@ export class Paybond {
|
|
|
2277
2465
|
intents;
|
|
2278
2466
|
audit;
|
|
2279
2467
|
agentRun;
|
|
2280
|
-
|
|
2468
|
+
agent;
|
|
2469
|
+
/**
|
|
2470
|
+
* Deployment environment this session is bound to, as reported by the gateway principal
|
|
2471
|
+
* (`"live"` or `"sandbox"`), or `null` when the gateway did not report one. Server-derived —
|
|
2472
|
+
* prefer this over the client-supplied `expectedEnvironment` hint when gating environment-sensitive
|
|
2473
|
+
* behavior (for example, refusing live Stripe secrets in a sandbox-only demo).
|
|
2474
|
+
*/
|
|
2475
|
+
environment;
|
|
2476
|
+
constructor(harbor, guardrails, signal, fraud, a2a, protocol, audit, environment) {
|
|
2281
2477
|
this.harbor = harbor;
|
|
2282
2478
|
this.guardrails = guardrails;
|
|
2283
2479
|
this.signal = signal;
|
|
@@ -2287,12 +2483,15 @@ export class Paybond {
|
|
|
2287
2483
|
this.intents = new PaybondIntents(harbor);
|
|
2288
2484
|
this.audit = audit;
|
|
2289
2485
|
this.agentRun = new PaybondAgentRunFacade(this);
|
|
2486
|
+
this.agent = createPaybondAgentCallable(protocol, (input) => createPaybondAgent(this, input));
|
|
2487
|
+
this.environment = environment;
|
|
2290
2488
|
}
|
|
2291
2489
|
/** Open a tenant-bound hosted Paybond session from a service-account API key. */
|
|
2292
2490
|
static async open(init) {
|
|
2293
2491
|
const gatewayBaseUrl = defaultGatewayBaseUrl(init.gatewayBaseUrl);
|
|
2294
2492
|
const maxRetries = Math.max(1, init.maxRetries ?? 3);
|
|
2295
|
-
const
|
|
2493
|
+
const principal = await resolveGatewayPrincipal(gatewayBaseUrl, init.apiKey, init.principalPath ?? DEFAULT_PRINCIPAL_PATH, maxRetries, init.expectedEnvironment);
|
|
2494
|
+
const tenantId = principal.tenantId;
|
|
2296
2495
|
const harbor = new GatewayHarborClient(gatewayBaseUrl, tenantId, {
|
|
2297
2496
|
staticGatewayBearerToken: init.apiKey,
|
|
2298
2497
|
maxRetries,
|
|
@@ -2321,7 +2520,7 @@ export class Paybond {
|
|
|
2321
2520
|
staticGatewayBearerToken: init.apiKey,
|
|
2322
2521
|
maxRetries,
|
|
2323
2522
|
}));
|
|
2324
|
-
return new Paybond(harbor, guardrails, signal, fraud, a2a, protocol, audit);
|
|
2523
|
+
return new Paybond(harbor, guardrails, signal, fraud, a2a, protocol, audit, principal.environment);
|
|
2325
2524
|
}
|
|
2326
2525
|
/** Reserved for future HTTP client cleanup; safe to call after work completes. */
|
|
2327
2526
|
async aclose() {
|
|
@@ -2373,13 +2572,6 @@ export class Paybond {
|
|
|
2373
2572
|
instrumentMCP(input) {
|
|
2374
2573
|
return instrumentPaybondMCP(this, input);
|
|
2375
2574
|
}
|
|
2376
|
-
/**
|
|
2377
|
-
* Opinionated quickstart: resolve named policy presets (for example `travel`) or file paths,
|
|
2378
|
-
* then instrument tools for the selected framework.
|
|
2379
|
-
*/
|
|
2380
|
-
agent(input) {
|
|
2381
|
-
return createPaybondAgent(this, input);
|
|
2382
|
-
}
|
|
2383
2575
|
/** Wrap tools for an existing bound run without reloading policy. */
|
|
2384
2576
|
wrapTools(run, tools, options) {
|
|
2385
2577
|
return wrapPaybondTools(run, tools, options);
|
|
@@ -2405,6 +2597,10 @@ export { buildSignedCreateIntentBody, buildSignedCreateIntentBodyWithPolicyBindi
|
|
|
2405
2597
|
export { artifactsDigest, evidenceSignBytesV1, signPayeeEvidenceBinding, } from "./payee-evidence.js";
|
|
2406
2598
|
export { AGENT_RECOGNITION_GATEWAY_VERIFIER_ID, AGENT_RECOGNITION_PROOF_KIND_V1, AGENT_RECOGNITION_PURPOSE_CREATE, AGENT_RECOGNITION_PURPOSE_FUND, AGENT_RECOGNITION_PURPOSE_EVIDENCE_SUBMIT, newAgentRecognitionRequestEnvelope, signAgentRecognitionProofV1, signHarborCreateRecognitionProof, signHarborFundRecognitionProof, signHarborEvidenceSubmitRecognitionProof, signHarborSettlementConfirmRecognitionProof, } from "./agent-recognition.js";
|
|
2407
2599
|
export { executeFundWithX402, buildX402FundRequestEnvelope, PaybondX402FundingFailedError, PaybondX402FundingPendingError, } from "./x402-funding.js";
|
|
2600
|
+
export { executeFundWithMpp, executeFundWithMppCharge, executeFundWithMppSession, buildMppFundRequestEnvelope, parsePaymentAuthChallenge, selectMppChargeChallenge, selectMppSessionChallenge, PaybondMppFundingFailedError, PaybondMppFundingPendingError, } from "./mpp-funding.js";
|
|
2601
|
+
export { buildPaybondStripeMetadata, assertNotStripeFundingWebhook, mapStripeToolResultToEvidence, STRIPE_COMMERCE_MAPPER_VERSION, PAYBOND_STRIPE_METADATA_TENANT_ID_KEY, PAYBOND_STRIPE_METADATA_INTENT_ID_KEY, PAYBOND_STRIPE_METADATA_RAIL_KEY, } from "./stripe-commerce/index.js";
|
|
2602
|
+
export { PAYBOND_UCP_AGENT_PROFILE_URL, PAYBOND_SHOPIFY_UCP_VERSION, SHOPIFY_COMMERCE_MAPPER_VERSION, assertNotShopifyFundingWebhook, createCheckoutWithBinding, createGuardedShopifyCheckoutHandler, getOrder, instrumentShopifyCheckout, mapShopifyToolResultToEvidence, mergeBindingIntoCheckoutPayload, toUcpCheckoutLineItems, } from "./shopify/index.js";
|
|
2603
|
+
export { normalizeCommerceBinding, encodeCommerceBindingToStripeMetadata, decodeCommerceBindingFromStripeMetadata, encodeCommerceBindingToShopifyNoteAttributes, decodeCommerceBindingFromShopifyNoteAttributes, PAYBOND_COMMERCE_BINDING_TENANT_ID_KEY, PAYBOND_COMMERCE_BINDING_INTENT_ID_KEY, } from "./commerce-binding.js";
|
|
2408
2604
|
export { validateCompletionEvidence, } from "./completion-validate-evidence.js";
|
|
2409
2605
|
export { completionSchemaDigestHex, computeVendorContractDigests, verifyVendorContract, verifyCatalogVendorContracts, } from "./completion-contract-digest.js";
|
|
2410
2606
|
export { contractSnapshotForPreset, mapVendorEvidenceToCanonical, resolveCompletionPreset, } from "./completion-resolve.js";
|
|
@@ -2412,3 +2608,10 @@ export { PaybondAgentRun, PaybondAgentRunBindError, PaybondAgentRunFacade, Paybo
|
|
|
2412
2608
|
export { PaybondAudit, PaybondAuditExports, GatewayAuditExportsClient, parseAuditExportList, parseAuditExportJobGet, verifyAuditManifest, verifyAuditBundleLocal, } from "./audit/index.js";
|
|
2413
2609
|
export { PaybondPolicy, composePolicyLayers, composeBundledPresetDefault, domain, guardrails, paybondPolicyPresets, resolveComposedPresetDocument, } from "./policy/index.js";
|
|
2414
2610
|
export { getSolutionSmokeDefaults, isKnownSolutionId, listSolutionIds, loadSolutionManifest, paybondSolutionPresets, } from "./solutions/index.js";
|
|
2611
|
+
export { appendDirectHarborPaymentAuthorization, formatPaymentAuthorizationValue, PAYBOND_PAYMENT_AUTHORIZATION_HEADER, PAYMENT_TRANSPORT_RESPONSE_HEADERS, paymentAuthorizationGatewayHeader, readFundPaymentTransportHeaders, } from "./payment-transport.js";
|
|
2612
|
+
export { AGENT_RECEIPT_KIND_V1, AGENT_RECEIPT_SCHEMA_VERSION, AGENT_RECEIPT_SCOPE_ACTION, AGENT_RECEIPT_SCOPE_INTENT_TERMINAL, AGENT_RECEIPT_SIGNING_ALGORITHM_ED25519, AGENT_RECEIPT_VERSION_V1, AGENT_RECEIPT_SIGNING_KEYS_WELL_KNOWN_PATH, AGENT_RECEIPT_WELL_KNOWN_PATH, PAYBOND_AGENT_RECEIPT_ATTESTATIONS_HEADER, PAYBOND_AGENT_RECEIPT_SOURCE_RUN_HEADER, actionReceiptId, attachOperatorAttestationV1, canonicalAgentReceiptBytes, configHashSha256Hex, promptHashSha256Hex, valueDigestSha256Hex, verifyAgentReceiptV1, verifyAgentReceiptV1FromJSON, } from "./agent-receipt.js";
|
|
2613
|
+
export { FORBIDDEN_AGENT_RECEIPT_FIELDS, parseAgentReceiptJSON, validateAgentReceiptJSON, } from "./agent-receipt-prevalidate.js";
|
|
2614
|
+
export { AGENT_RECEIPT_EXTERNAL_SOURCE_AP2, AGENT_RECEIPT_EXTERNAL_SOURCE_SEP2828, AGENT_RECEIPT_EXTERNAL_SOURCE_X402, partnerRecordDigestSha256Hex, protocolAuthorizationReceiptToExternalAttestations, protocolSettlementReceiptToExternalAttestations, resolveExternalAttestations, sep2828RecordsToExternalAttestations, signedMandateToExternalAttestations, x402ReceiptToExternalAttestations, } from "./agent-receipt-external-attestations.js";
|
|
2615
|
+
export { AGENT_RECEIPT_PDF_EXPORT_DERIVED_VIEW_LABEL, AGENT_RECEIPT_PDF_EXPORT_MANIFEST_KIND, AGENT_RECEIPT_PDF_EXPORT_MANIFEST_SCHEMA_VERSION, FORBIDDEN_PDF_EXPORT_MANIFEST_FIELDS, gateAgentReceiptPDFExport, parseAgentReceiptPDFExportManifestJSON, validateAgentReceiptPDFExportManifestJSON, } from "./agent-receipt-pdf-export.js";
|
|
2616
|
+
export { AGENT_AUTHORIZATION_KIND_PRINCIPAL, AGENT_AUTHORIZATION_KIND_TENANT, AGENT_MANDATE_KIND_V1, AGENT_MANDATE_SCHEMA_VERSION, AGENT_MANDATE_SIGNING_ALGORITHM_ED25519_SHA256, CONSTRAINT_REFERENCE_KIND_POLICY, CONSTRAINT_REFERENCE_KIND_PREDICATE, HUMAN_PRESENCE_MODE_HUMAN_NOT_PRESENT, HUMAN_PRESENCE_MODE_HUMAN_PRESENT, agentMandateDigestSha256Hex, canonicalAgentMandateJsonBytes, normalizeAgentMandateV1, signAgentMandateV1, verifySignedAgentMandateV1, } from "./agent-mandate.js";
|
|
2617
|
+
export { PROTOCOL_AUTHORIZATION_RECEIPT_KIND_V1, PROTOCOL_RECEIPT_SCHEMA_VERSION, PROTOCOL_RECEIPT_SIGNING_ALGORITHM_ED25519_SHA256, PROTOCOL_RECEIPT_STATUS_AUTHORIZED, PROTOCOL_RECEIPT_VERSION_V1, PROTOCOL_SETTLEMENT_RECEIPT_KIND_V1, PROTOCOL_SOURCE_ACP, PROTOCOL_SOURCE_AP2, PROTOCOL_SOURCE_UCP, normalizeProtocolAuthorizationReceiptV1, normalizeProtocolSettlementReceiptV1, signProtocolAuthorizationReceiptV1, signProtocolSettlementReceiptV1, verifyProtocolAuthorizationReceiptV1, verifyProtocolSettlementReceiptV1, } from "./protocol-receipt.js";
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
/** MCP resource URI helpers for tenant-bound agent receipt handoff. */
|
|
2
|
+
export declare const MCP_AGENT_RECEIPT_RESOURCE_SCHEME = "paybond";
|
|
3
|
+
export declare const MCP_AGENT_RECEIPT_RESOURCE_HOST = "receipt";
|
|
4
|
+
export declare const MCP_AGENT_RECEIPT_RESOURCE_URI_TEMPLATE = "paybond://receipt/{receipt_id}";
|
|
5
|
+
export declare const MCP_AGENT_RECEIPT_RESOURCE_MIME_TYPE = "application/json";
|
|
6
|
+
/** Parse `paybond://receipt/{receipt_id}` into a canonical receipt id. */
|
|
7
|
+
export declare function parseAgentReceiptResourceUri(uri: string): string;
|
|
8
|
+
/** Build the MCP resource URI for one signed agent receipt id. */
|
|
9
|
+
export declare function agentReceiptResourceUri(receiptId: string): string;
|
|
10
|
+
export declare function agentReceiptResourceTemplateDefinition(): Record<string, unknown>;
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
/** MCP resource URI helpers for tenant-bound agent receipt handoff. */
|
|
2
|
+
export const MCP_AGENT_RECEIPT_RESOURCE_SCHEME = "paybond";
|
|
3
|
+
export const MCP_AGENT_RECEIPT_RESOURCE_HOST = "receipt";
|
|
4
|
+
export const MCP_AGENT_RECEIPT_RESOURCE_URI_TEMPLATE = "paybond://receipt/{receipt_id}";
|
|
5
|
+
export const MCP_AGENT_RECEIPT_RESOURCE_MIME_TYPE = "application/json";
|
|
6
|
+
const RECEIPT_URI_RE = /^paybond:\/\/receipt\/([0-9a-f]{64}|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$/i;
|
|
7
|
+
/** Parse `paybond://receipt/{receipt_id}` into a canonical receipt id. */
|
|
8
|
+
export function parseAgentReceiptResourceUri(uri) {
|
|
9
|
+
const trimmed = uri.trim();
|
|
10
|
+
const match = RECEIPT_URI_RE.exec(trimmed);
|
|
11
|
+
if (!match) {
|
|
12
|
+
throw new Error(`unsupported resource URI ${trimmed}; expected ${MCP_AGENT_RECEIPT_RESOURCE_URI_TEMPLATE}`);
|
|
13
|
+
}
|
|
14
|
+
return match[1].toLowerCase();
|
|
15
|
+
}
|
|
16
|
+
/** Build the MCP resource URI for one signed agent receipt id. */
|
|
17
|
+
export function agentReceiptResourceUri(receiptId) {
|
|
18
|
+
const normalized = receiptId.trim().toLowerCase();
|
|
19
|
+
if (!RECEIPT_URI_RE.test(`paybond://receipt/${normalized}`)) {
|
|
20
|
+
throw new Error("receipt_id must be a lowercase SHA-256 hex digest or canonical UUID");
|
|
21
|
+
}
|
|
22
|
+
return `paybond://receipt/${normalized}`;
|
|
23
|
+
}
|
|
24
|
+
export function agentReceiptResourceTemplateDefinition() {
|
|
25
|
+
return {
|
|
26
|
+
uriTemplate: MCP_AGENT_RECEIPT_RESOURCE_URI_TEMPLATE,
|
|
27
|
+
name: "paybond_agent_receipt",
|
|
28
|
+
title: "Paybond Agent Receipt",
|
|
29
|
+
description: "Signed paybond.agent_receipt_v1 JSON fetched tenant-bound from Gateway GET /protocol/v2/agent-receipts/{receipt_id}.",
|
|
30
|
+
mimeType: MCP_AGENT_RECEIPT_RESOURCE_MIME_TYPE,
|
|
31
|
+
};
|
|
32
|
+
}
|
package/dist/mcp-server.d.ts
CHANGED
|
@@ -44,6 +44,13 @@ export declare class PaybondMCPServer {
|
|
|
44
44
|
private readonly toolPolicy;
|
|
45
45
|
private initialized;
|
|
46
46
|
constructor(settings: PaybondMCPSettings);
|
|
47
|
+
listResourceTemplates(): Array<Record<string, unknown>>;
|
|
48
|
+
readResource(uri: string): Promise<{
|
|
49
|
+
uri: string;
|
|
50
|
+
mimeType: string;
|
|
51
|
+
text: string;
|
|
52
|
+
_meta?: Record<string, unknown>;
|
|
53
|
+
}>;
|
|
47
54
|
listTools(): Array<Record<string, unknown>>;
|
|
48
55
|
callTool(name: string, args?: Record<string, unknown>): Promise<MCPCallToolResult>;
|
|
49
56
|
handleMessage(message: JSONRPCRequest): Promise<JSONRPCResponse | null>;
|
package/dist/mcp-server.js
CHANGED
|
@@ -11,9 +11,11 @@ import { MCP_TOOL_ALLOWLIST_ENV, MCP_TOOL_POLICY_ENV, mergeMcpToolPolicy, parseM
|
|
|
11
11
|
import { MCP_EVIDENCE_POLICY_ENV, McpEvidenceValidationGate, completionEvidenceValidationOk, extractHarborEvidenceValidationInput, extractSandboxGuardrailValidationInput, parseMcpEvidencePolicy, } from "./mcp-evidence-policy.js";
|
|
12
12
|
import { McpCapabilityTokenCache, mcpToolStoresCapabilityToken, parseMcpCapabilityTokenCacheConfig, } from "./mcp-capability-token-cache.js";
|
|
13
13
|
import { createMcpPolicyGatewayAdapter, McpPolicyReloadGate, parseMcpPolicyReloadConfig, } from "./mcp-policy-reload.js";
|
|
14
|
+
import { verifyAgentReceiptV1FromJSON } from "./agent-receipt.js";
|
|
15
|
+
import { agentReceiptResourceTemplateDefinition, agentReceiptResourceUri, MCP_AGENT_RECEIPT_RESOURCE_MIME_TYPE, parseAgentReceiptResourceUri, } from "./mcp-receipt-resource.js";
|
|
14
16
|
import { DEFAULT_PAYBOND_GATEWAY_BASE_URL, GatewayFraudClient, GatewaySignalClient, } from "./index.js";
|
|
15
17
|
const SERVER_NAME = "Paybond MCP";
|
|
16
|
-
const SERVER_VERSION = "0.
|
|
18
|
+
const SERVER_VERSION = "0.12.1";
|
|
17
19
|
const MCP_PROTOCOL_VERSION = "2025-11-25";
|
|
18
20
|
const DEFAULT_PRINCIPAL_PATH = "/v1/auth/principal";
|
|
19
21
|
const DEFAULT_RECOGNITION_VERIFIER_ID = "paybond-gateway";
|
|
@@ -846,6 +848,22 @@ class PaybondMCPRuntime {
|
|
|
846
848
|
"x-tenant-id": await this.tenantId(),
|
|
847
849
|
});
|
|
848
850
|
}
|
|
851
|
+
async getAgentReceiptV1(receiptId) {
|
|
852
|
+
const normalized = receiptId.trim().toLowerCase();
|
|
853
|
+
const body = await this.gateway.getJSON(`/protocol/v2/agent-receipts/${encodeURIComponent(normalized)}`, {
|
|
854
|
+
"x-tenant-id": await this.tenantId(),
|
|
855
|
+
});
|
|
856
|
+
const expectedTenant = await this.tenantId();
|
|
857
|
+
const echoedTenant = String(body.tenant_id ?? "").trim();
|
|
858
|
+
if (echoedTenant !== expectedTenant) {
|
|
859
|
+
throw new Error(`tenant mismatch: expected=${expectedTenant} gateway=${echoedTenant}`);
|
|
860
|
+
}
|
|
861
|
+
const echoedReceipt = String(body.receipt_id ?? "").trim().toLowerCase();
|
|
862
|
+
if (echoedReceipt !== normalized) {
|
|
863
|
+
throw new Error(`receipt mismatch: requested=${normalized} gateway=${echoedReceipt}`);
|
|
864
|
+
}
|
|
865
|
+
return body;
|
|
866
|
+
}
|
|
849
867
|
async createHarborIntent(init) {
|
|
850
868
|
return this.gateway.postJSON("/harbor/intents", init.body, gatewayMutationHeaders(await this.tenantId(), init.recognitionProof, optionalMutationHeaders(init.idempotencyKey)));
|
|
851
869
|
}
|
|
@@ -896,6 +914,31 @@ export class PaybondMCPServer {
|
|
|
896
914
|
this.runtime = new PaybondMCPRuntime(settings);
|
|
897
915
|
this.tools = this.buildTools(settings).filter((tool) => toolAllowedByPolicy(tool.name, tool.annotations, this.toolPolicy));
|
|
898
916
|
}
|
|
917
|
+
listResourceTemplates() {
|
|
918
|
+
return [agentReceiptResourceTemplateDefinition()];
|
|
919
|
+
}
|
|
920
|
+
async readResource(uri) {
|
|
921
|
+
const receiptId = parseAgentReceiptResourceUri(uri);
|
|
922
|
+
const receipt = await this.runtime.getAgentReceiptV1(receiptId);
|
|
923
|
+
let verified;
|
|
924
|
+
try {
|
|
925
|
+
verified = await verifyAgentReceiptV1FromJSON(receipt);
|
|
926
|
+
}
|
|
927
|
+
catch (err) {
|
|
928
|
+
throw new Error(`agent receipt verification failed for ${receiptId}: ${formatError(err)}`);
|
|
929
|
+
}
|
|
930
|
+
return {
|
|
931
|
+
uri: agentReceiptResourceUri(receiptId),
|
|
932
|
+
mimeType: MCP_AGENT_RECEIPT_RESOURCE_MIME_TYPE,
|
|
933
|
+
text: JSON.stringify(receipt, null, 2),
|
|
934
|
+
_meta: {
|
|
935
|
+
verification: {
|
|
936
|
+
valid: true,
|
|
937
|
+
message_digest: verified.message_digest_sha256_hex,
|
|
938
|
+
},
|
|
939
|
+
},
|
|
940
|
+
};
|
|
941
|
+
}
|
|
899
942
|
listTools() {
|
|
900
943
|
return this.tools.map((tool) => ({
|
|
901
944
|
name: tool.name,
|
|
@@ -973,6 +1016,10 @@ export class PaybondMCPServer {
|
|
|
973
1016
|
tools: {
|
|
974
1017
|
listChanged: false,
|
|
975
1018
|
},
|
|
1019
|
+
resources: {
|
|
1020
|
+
subscribe: false,
|
|
1021
|
+
listChanged: false,
|
|
1022
|
+
},
|
|
976
1023
|
},
|
|
977
1024
|
serverInfo: {
|
|
978
1025
|
name: SERVER_NAME,
|
|
@@ -1002,6 +1049,39 @@ export class PaybondMCPServer {
|
|
|
1002
1049
|
tools: this.listTools(),
|
|
1003
1050
|
},
|
|
1004
1051
|
};
|
|
1052
|
+
case "resources/list":
|
|
1053
|
+
return {
|
|
1054
|
+
jsonrpc: "2.0",
|
|
1055
|
+
id: message.id,
|
|
1056
|
+
result: {
|
|
1057
|
+
resources: [],
|
|
1058
|
+
},
|
|
1059
|
+
};
|
|
1060
|
+
case "resources/templates/list":
|
|
1061
|
+
return {
|
|
1062
|
+
jsonrpc: "2.0",
|
|
1063
|
+
id: message.id,
|
|
1064
|
+
result: {
|
|
1065
|
+
resourceTemplates: this.listResourceTemplates(),
|
|
1066
|
+
},
|
|
1067
|
+
};
|
|
1068
|
+
case "resources/read": {
|
|
1069
|
+
const params = ensureObject(message.params, "resources/read params");
|
|
1070
|
+
const uri = stringArg(params.uri, "uri");
|
|
1071
|
+
try {
|
|
1072
|
+
const contents = await this.readResource(uri);
|
|
1073
|
+
return {
|
|
1074
|
+
jsonrpc: "2.0",
|
|
1075
|
+
id: message.id,
|
|
1076
|
+
result: {
|
|
1077
|
+
contents: [contents],
|
|
1078
|
+
},
|
|
1079
|
+
};
|
|
1080
|
+
}
|
|
1081
|
+
catch (err) {
|
|
1082
|
+
return responseError(message.id, -32000, formatError(err));
|
|
1083
|
+
}
|
|
1084
|
+
}
|
|
1005
1085
|
case "tools/call": {
|
|
1006
1086
|
const params = ensureObject(message.params, "tools/call params");
|
|
1007
1087
|
const name = stringArg(params.name, "name");
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* MPP commercial denomination helpers for Paybond MVP.
|
|
3
|
+
*
|
|
4
|
+
* Paybond intent commercial fields remain USD-denominated (`amount_cents`, `currency`).
|
|
5
|
+
* Tempo session deposits use USDC base units (6 decimals): `amount_cents * 10_000`.
|
|
6
|
+
*/
|
|
7
|
+
import type { SettlementRail } from "./principal-intent.js";
|
|
8
|
+
/** USDC uses 6 decimal places; one USD cent maps to 10_000 base units. */
|
|
9
|
+
export declare const USDC_BASE_UNITS_PER_USD_CENT = 10000;
|
|
10
|
+
/** Rails that require USD-denominated commercial intent fields for MVP. */
|
|
11
|
+
export declare const USD_DENOMINATED_SETTLEMENT_RAILS: Set<SettlementRail>;
|
|
12
|
+
/**
|
|
13
|
+
* Rejects non-USD intents on rails that remain USD-denominated for MVP.
|
|
14
|
+
*/
|
|
15
|
+
export declare function validateUsdDenominatedSettlement(settlementRail: SettlementRail, currency: string): void;
|
|
16
|
+
/**
|
|
17
|
+
* Converts Paybond USD cents to Tempo USDC base units.
|
|
18
|
+
*/
|
|
19
|
+
export declare function usdCentsToUsdcBaseUnits(amountCents: number): bigint;
|