@paybond/kit 0.12.0 → 0.12.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/agent/evidence.d.ts +10 -0
- package/dist/agent/evidence.js +16 -0
- package/dist/agent/index.d.ts +1 -1
- package/dist/agent/index.js +1 -1
- package/dist/agent/interceptor.js +4 -0
- package/dist/agent/receipt-client.d.ts +16 -1
- package/dist/agent/run.d.ts +3 -0
- package/dist/agent/run.js +1 -1
- package/dist/agent-mandate.d.ts +103 -0
- package/dist/agent-mandate.js +423 -0
- package/dist/agent-receipt-external-attestations.d.ts +27 -0
- package/dist/agent-receipt-external-attestations.js +61 -0
- package/dist/agent-receipt-pdf-export.d.ts +43 -0
- package/dist/agent-receipt-pdf-export.js +109 -0
- package/dist/agent-receipt-prevalidate.d.ts +7 -0
- package/dist/agent-receipt-prevalidate.js +63 -0
- package/dist/agent-receipt.d.ts +21 -1
- package/dist/agent-receipt.js +63 -4
- package/dist/cli/command-spec.js +50 -1
- package/dist/cli/commands/dev.js +10 -3
- package/dist/cli/commands/setup.js +19 -1
- package/dist/cli/commands/shopify.d.ts +53 -0
- package/dist/cli/commands/shopify.js +808 -0
- package/dist/cli/help.d.ts +1 -1
- package/dist/cli/help.js +13 -3
- package/dist/cli/router.js +15 -1
- package/dist/commerce-binding.d.ts +59 -0
- package/dist/commerce-binding.js +129 -0
- package/dist/doctor-completion.d.ts +16 -0
- package/dist/doctor-completion.js +157 -1
- package/dist/index.d.ts +27 -2
- package/dist/index.js +43 -7
- package/dist/mcp-server.d.ts +1 -0
- package/dist/mcp-server.js +28 -9
- package/dist/policy/presets.d.ts +1 -1
- package/dist/policy/presets.js +1 -0
- package/dist/project-init.d.ts +1 -1
- package/dist/project-init.js +1 -0
- package/dist/protocol-receipt.d.ts +129 -0
- package/dist/protocol-receipt.js +620 -0
- package/dist/shopify/checkout.d.ts +29 -0
- package/dist/shopify/checkout.js +79 -0
- package/dist/shopify/evidence.d.ts +13 -0
- package/dist/shopify/evidence.js +85 -0
- package/dist/shopify/index.d.ts +8 -0
- package/dist/shopify/index.js +6 -0
- package/dist/shopify/instrument.d.ts +61 -0
- package/dist/shopify/instrument.js +52 -0
- package/dist/shopify/order.d.ts +8 -0
- package/dist/shopify/order.js +110 -0
- package/dist/shopify/types.d.ts +82 -0
- package/dist/shopify/types.js +4 -0
- package/dist/solutions/catalog.d.ts +1 -1
- package/dist/solutions/catalog.js +1 -1
- package/dist/stripe-commerce/evidence.d.ts +13 -0
- package/dist/stripe-commerce/evidence.js +164 -0
- package/dist/stripe-commerce/index.d.ts +3 -0
- package/dist/stripe-commerce/index.js +2 -0
- package/dist/stripe-commerce/metadata.d.ts +11 -0
- package/dist/stripe-commerce/metadata.js +34 -0
- package/dist/stripe-commerce/types.d.ts +38 -0
- package/dist/stripe-commerce/types.js +1 -0
- package/dist/template-init.d.ts +1 -1
- package/dist/template-init.js +6 -1
- package/package.json +1 -1
- package/policy/presets/stripe-commerce.yaml +19 -0
- package/solutions/stripe-commerce.json +19 -0
- package/templates/manifest.json +82 -10
- package/templates/openai-shopping-agent/package-lock.json +10 -10
- package/templates/openai-shopping-agent/src/paybond.config.ts +1 -1
- package/templates/paybond-aws-operator/package-lock.json +7 -7
- package/templates/paybond-aws-operator/src/paybond.config.ts +1 -1
- package/templates/paybond-claude-agents-demo/package-lock.json +7 -7
- package/templates/paybond-claude-agents-demo/src/paybond.config.ts +1 -1
- package/templates/paybond-mastra-travel-agent/package-lock.json +30 -30
- package/templates/paybond-mastra-travel-agent/src/paybond.config.ts +1 -1
- package/templates/paybond-mcp-coding-agent/package-lock.json +7 -7
- package/templates/paybond-mcp-coding-agent/src/paybond.config.ts +1 -1
- package/templates/paybond-openai-agents-demo/package-lock.json +10 -10
- package/templates/paybond-openai-agents-demo/src/paybond.config.ts +1 -1
- package/templates/paybond-procurement-agent/package-lock.json +7 -7
- package/templates/paybond-procurement-agent/src/paybond.config.ts +1 -1
- package/templates/paybond-shopify-shopping-agent/.env.example +3 -0
- package/templates/paybond-shopify-shopping-agent/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-shopify-shopping-agent/LICENSE +201 -0
- package/templates/paybond-shopify-shopping-agent/README.md +29 -0
- package/templates/paybond-shopify-shopping-agent/package-lock.json +223 -0
- package/templates/paybond-shopify-shopping-agent/package.json +20 -0
- package/templates/paybond-shopify-shopping-agent/paybond.policy.yaml +22 -0
- package/templates/paybond-shopify-shopping-agent/src/index.ts +54 -0
- package/templates/paybond-shopify-shopping-agent/src/paybond.config.ts +51 -0
- package/templates/paybond-shopify-shopping-agent/tsconfig.json +13 -0
- package/templates/paybond-stripe-agent-demo/.env.example +9 -0
- package/templates/paybond-stripe-agent-demo/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-stripe-agent-demo/LICENSE +201 -0
- package/templates/paybond-stripe-agent-demo/README.md +50 -0
- package/templates/paybond-stripe-agent-demo/package-lock.json +223 -0
- package/templates/paybond-stripe-agent-demo/package.json +20 -0
- package/templates/paybond-stripe-agent-demo/paybond.policy.yaml +22 -0
- package/templates/paybond-stripe-agent-demo/src/charge-customer.ts +237 -0
- package/templates/paybond-stripe-agent-demo/src/index.ts +78 -0
- package/templates/paybond-stripe-agent-demo/src/paybond.config.ts +51 -0
- package/templates/paybond-stripe-agent-demo/tsconfig.json +13 -0
- package/templates/paybond-travel-agent/package-lock.json +13 -13
- package/templates/paybond-travel-agent/src/paybond.config.ts +1 -1
- package/templates/paybond-vercel-shopping-agent/package-lock.json +7 -7
- package/templates/paybond-vercel-shopping-agent/src/paybond.config.ts +1 -1
package/dist/index.js
CHANGED
|
@@ -4,6 +4,7 @@
|
|
|
4
4
|
*/
|
|
5
5
|
import { buildSignedCreateIntentBody, buildSignedCreateIntentBodyWithPolicyBinding, } from "./principal-intent.js";
|
|
6
6
|
import { signPayeeEvidenceBinding } from "./payee-evidence.js";
|
|
7
|
+
import { PAYBOND_AGENT_RECEIPT_ATTESTATIONS_HEADER, PAYBOND_AGENT_RECEIPT_SOURCE_RUN_HEADER, } from "./agent-receipt.js";
|
|
7
8
|
import { PaybondAgentRunFacade, createPaybondAgentCallable, PaybondInstrumentBuilder, createGuardedAgent, createGuardedAgentRunner, createPaybondAgent, createPaybondToolRegistry, instrumentPaybondAgent, instrumentPaybondClaudeAgents, instrumentPaybondLangGraph, instrumentPaybondMCP, instrumentPaybondOpenAI, instrumentPaybondVercel, resolveAgentPolicySource, wrapPaybondTools, } from "./agent/index.js";
|
|
8
9
|
import { GatewayAgentRunTraceReporter, } from "./agent/gateway-trace-reporter.js";
|
|
9
10
|
import { fetchWithGatewayRetries, gatewayRetryDelayMs, shouldRetryGatewayResponse, } from "./gateway-retry.js";
|
|
@@ -934,6 +935,14 @@ export class GatewayHarborClient {
|
|
|
934
935
|
return gatewayMutationHeaders(proof, {
|
|
935
936
|
...(headers ?? {}),
|
|
936
937
|
...(options?.idempotencyKey?.trim() ? { "idempotency-key": options.idempotencyKey.trim() } : {}),
|
|
938
|
+
...(options?.agentReceiptAttestations !== undefined
|
|
939
|
+
? {
|
|
940
|
+
[PAYBOND_AGENT_RECEIPT_ATTESTATIONS_HEADER]: JSON.stringify(options.agentReceiptAttestations),
|
|
941
|
+
}
|
|
942
|
+
: {}),
|
|
943
|
+
...(options?.agentReceiptSourceRunId?.trim()
|
|
944
|
+
? { [PAYBOND_AGENT_RECEIPT_SOURCE_RUN_HEADER]: options.agentReceiptSourceRunId.trim() }
|
|
945
|
+
: {}),
|
|
937
946
|
});
|
|
938
947
|
}
|
|
939
948
|
async verifyCapability(input) {
|
|
@@ -2202,7 +2211,14 @@ function gatewayMutationHeaders(recognitionProof, headers) {
|
|
|
2202
2211
|
function encodeRecognitionProofHeader(proof) {
|
|
2203
2212
|
return Buffer.from(JSON.stringify(proof), "utf8").toString("base64url");
|
|
2204
2213
|
}
|
|
2205
|
-
|
|
2214
|
+
function readPrincipalEnvironment(actualRaw) {
|
|
2215
|
+
const actual = typeof actualRaw === "string" ? actualRaw.trim() : "";
|
|
2216
|
+
if (actual === "live" || actual === "sandbox") {
|
|
2217
|
+
return actual;
|
|
2218
|
+
}
|
|
2219
|
+
return null;
|
|
2220
|
+
}
|
|
2221
|
+
async function resolveGatewayPrincipal(gatewayBaseUrl, apiKey, principalPath, maxRetries, expectedEnvironment) {
|
|
2206
2222
|
const base = normalizeBase(gatewayBaseUrl);
|
|
2207
2223
|
const path = principalPath.startsWith("/") ? principalPath : `/${principalPath}`;
|
|
2208
2224
|
const url = `${base}${path}`;
|
|
@@ -2246,10 +2262,14 @@ async function resolveGatewayTenantId(gatewayBaseUrl, apiKey, principalPath, max
|
|
|
2246
2262
|
});
|
|
2247
2263
|
}
|
|
2248
2264
|
assertExpectedEnvironment("gateway principal", body.environment, expected, text);
|
|
2249
|
-
return tenant;
|
|
2265
|
+
return { tenantId: tenant, environment: readPrincipalEnvironment(body.environment) };
|
|
2250
2266
|
}
|
|
2251
2267
|
throw lastErr instanceof Error ? lastErr : new Error(String(lastErr));
|
|
2252
2268
|
}
|
|
2269
|
+
async function resolveGatewayTenantId(gatewayBaseUrl, apiKey, principalPath, maxRetries, expectedEnvironment) {
|
|
2270
|
+
const principal = await resolveGatewayPrincipal(gatewayBaseUrl, apiKey, principalPath, maxRetries, expectedEnvironment);
|
|
2271
|
+
return principal.tenantId;
|
|
2272
|
+
}
|
|
2253
2273
|
/**
|
|
2254
2274
|
* Read-only tenant-bound Signal session for one service-account API key.
|
|
2255
2275
|
*/
|
|
@@ -2446,7 +2466,14 @@ export class Paybond {
|
|
|
2446
2466
|
audit;
|
|
2447
2467
|
agentRun;
|
|
2448
2468
|
agent;
|
|
2449
|
-
|
|
2469
|
+
/**
|
|
2470
|
+
* Deployment environment this session is bound to, as reported by the gateway principal
|
|
2471
|
+
* (`"live"` or `"sandbox"`), or `null` when the gateway did not report one. Server-derived —
|
|
2472
|
+
* prefer this over the client-supplied `expectedEnvironment` hint when gating environment-sensitive
|
|
2473
|
+
* behavior (for example, refusing live Stripe secrets in a sandbox-only demo).
|
|
2474
|
+
*/
|
|
2475
|
+
environment;
|
|
2476
|
+
constructor(harbor, guardrails, signal, fraud, a2a, protocol, audit, environment) {
|
|
2450
2477
|
this.harbor = harbor;
|
|
2451
2478
|
this.guardrails = guardrails;
|
|
2452
2479
|
this.signal = signal;
|
|
@@ -2457,12 +2484,14 @@ export class Paybond {
|
|
|
2457
2484
|
this.audit = audit;
|
|
2458
2485
|
this.agentRun = new PaybondAgentRunFacade(this);
|
|
2459
2486
|
this.agent = createPaybondAgentCallable(protocol, (input) => createPaybondAgent(this, input));
|
|
2487
|
+
this.environment = environment;
|
|
2460
2488
|
}
|
|
2461
2489
|
/** Open a tenant-bound hosted Paybond session from a service-account API key. */
|
|
2462
2490
|
static async open(init) {
|
|
2463
2491
|
const gatewayBaseUrl = defaultGatewayBaseUrl(init.gatewayBaseUrl);
|
|
2464
2492
|
const maxRetries = Math.max(1, init.maxRetries ?? 3);
|
|
2465
|
-
const
|
|
2493
|
+
const principal = await resolveGatewayPrincipal(gatewayBaseUrl, init.apiKey, init.principalPath ?? DEFAULT_PRINCIPAL_PATH, maxRetries, init.expectedEnvironment);
|
|
2494
|
+
const tenantId = principal.tenantId;
|
|
2466
2495
|
const harbor = new GatewayHarborClient(gatewayBaseUrl, tenantId, {
|
|
2467
2496
|
staticGatewayBearerToken: init.apiKey,
|
|
2468
2497
|
maxRetries,
|
|
@@ -2491,7 +2520,7 @@ export class Paybond {
|
|
|
2491
2520
|
staticGatewayBearerToken: init.apiKey,
|
|
2492
2521
|
maxRetries,
|
|
2493
2522
|
}));
|
|
2494
|
-
return new Paybond(harbor, guardrails, signal, fraud, a2a, protocol, audit);
|
|
2523
|
+
return new Paybond(harbor, guardrails, signal, fraud, a2a, protocol, audit, principal.environment);
|
|
2495
2524
|
}
|
|
2496
2525
|
/** Reserved for future HTTP client cleanup; safe to call after work completes. */
|
|
2497
2526
|
async aclose() {
|
|
@@ -2569,6 +2598,9 @@ export { artifactsDigest, evidenceSignBytesV1, signPayeeEvidenceBinding, } from
|
|
|
2569
2598
|
export { AGENT_RECOGNITION_GATEWAY_VERIFIER_ID, AGENT_RECOGNITION_PROOF_KIND_V1, AGENT_RECOGNITION_PURPOSE_CREATE, AGENT_RECOGNITION_PURPOSE_FUND, AGENT_RECOGNITION_PURPOSE_EVIDENCE_SUBMIT, newAgentRecognitionRequestEnvelope, signAgentRecognitionProofV1, signHarborCreateRecognitionProof, signHarborFundRecognitionProof, signHarborEvidenceSubmitRecognitionProof, signHarborSettlementConfirmRecognitionProof, } from "./agent-recognition.js";
|
|
2570
2599
|
export { executeFundWithX402, buildX402FundRequestEnvelope, PaybondX402FundingFailedError, PaybondX402FundingPendingError, } from "./x402-funding.js";
|
|
2571
2600
|
export { executeFundWithMpp, executeFundWithMppCharge, executeFundWithMppSession, buildMppFundRequestEnvelope, parsePaymentAuthChallenge, selectMppChargeChallenge, selectMppSessionChallenge, PaybondMppFundingFailedError, PaybondMppFundingPendingError, } from "./mpp-funding.js";
|
|
2601
|
+
export { buildPaybondStripeMetadata, assertNotStripeFundingWebhook, mapStripeToolResultToEvidence, STRIPE_COMMERCE_MAPPER_VERSION, PAYBOND_STRIPE_METADATA_TENANT_ID_KEY, PAYBOND_STRIPE_METADATA_INTENT_ID_KEY, PAYBOND_STRIPE_METADATA_RAIL_KEY, } from "./stripe-commerce/index.js";
|
|
2602
|
+
export { PAYBOND_UCP_AGENT_PROFILE_URL, PAYBOND_SHOPIFY_UCP_VERSION, SHOPIFY_COMMERCE_MAPPER_VERSION, assertNotShopifyFundingWebhook, createCheckoutWithBinding, createGuardedShopifyCheckoutHandler, getOrder, instrumentShopifyCheckout, mapShopifyToolResultToEvidence, mergeBindingIntoCheckoutPayload, toUcpCheckoutLineItems, } from "./shopify/index.js";
|
|
2603
|
+
export { normalizeCommerceBinding, encodeCommerceBindingToStripeMetadata, decodeCommerceBindingFromStripeMetadata, encodeCommerceBindingToShopifyNoteAttributes, decodeCommerceBindingFromShopifyNoteAttributes, PAYBOND_COMMERCE_BINDING_TENANT_ID_KEY, PAYBOND_COMMERCE_BINDING_INTENT_ID_KEY, } from "./commerce-binding.js";
|
|
2572
2604
|
export { validateCompletionEvidence, } from "./completion-validate-evidence.js";
|
|
2573
2605
|
export { completionSchemaDigestHex, computeVendorContractDigests, verifyVendorContract, verifyCatalogVendorContracts, } from "./completion-contract-digest.js";
|
|
2574
2606
|
export { contractSnapshotForPreset, mapVendorEvidenceToCanonical, resolveCompletionPreset, } from "./completion-resolve.js";
|
|
@@ -2577,5 +2609,9 @@ export { PaybondAudit, PaybondAuditExports, GatewayAuditExportsClient, parseAudi
|
|
|
2577
2609
|
export { PaybondPolicy, composePolicyLayers, composeBundledPresetDefault, domain, guardrails, paybondPolicyPresets, resolveComposedPresetDocument, } from "./policy/index.js";
|
|
2578
2610
|
export { getSolutionSmokeDefaults, isKnownSolutionId, listSolutionIds, loadSolutionManifest, paybondSolutionPresets, } from "./solutions/index.js";
|
|
2579
2611
|
export { appendDirectHarborPaymentAuthorization, formatPaymentAuthorizationValue, PAYBOND_PAYMENT_AUTHORIZATION_HEADER, PAYMENT_TRANSPORT_RESPONSE_HEADERS, paymentAuthorizationGatewayHeader, readFundPaymentTransportHeaders, } from "./payment-transport.js";
|
|
2580
|
-
export { AGENT_RECEIPT_KIND_V1, AGENT_RECEIPT_SCHEMA_VERSION, AGENT_RECEIPT_SCOPE_ACTION, AGENT_RECEIPT_SCOPE_INTENT_TERMINAL, AGENT_RECEIPT_SIGNING_ALGORITHM_ED25519, AGENT_RECEIPT_VERSION_V1, AGENT_RECEIPT_WELL_KNOWN_PATH, actionReceiptId, canonicalAgentReceiptBytes, configHashSha256Hex, promptHashSha256Hex, valueDigestSha256Hex, verifyAgentReceiptV1, } from "./agent-receipt.js";
|
|
2581
|
-
export {
|
|
2612
|
+
export { AGENT_RECEIPT_KIND_V1, AGENT_RECEIPT_SCHEMA_VERSION, AGENT_RECEIPT_SCOPE_ACTION, AGENT_RECEIPT_SCOPE_INTENT_TERMINAL, AGENT_RECEIPT_SIGNING_ALGORITHM_ED25519, AGENT_RECEIPT_VERSION_V1, AGENT_RECEIPT_SIGNING_KEYS_WELL_KNOWN_PATH, AGENT_RECEIPT_WELL_KNOWN_PATH, PAYBOND_AGENT_RECEIPT_ATTESTATIONS_HEADER, PAYBOND_AGENT_RECEIPT_SOURCE_RUN_HEADER, actionReceiptId, attachOperatorAttestationV1, canonicalAgentReceiptBytes, configHashSha256Hex, promptHashSha256Hex, valueDigestSha256Hex, verifyAgentReceiptV1, verifyAgentReceiptV1FromJSON, } from "./agent-receipt.js";
|
|
2613
|
+
export { FORBIDDEN_AGENT_RECEIPT_FIELDS, parseAgentReceiptJSON, validateAgentReceiptJSON, } from "./agent-receipt-prevalidate.js";
|
|
2614
|
+
export { AGENT_RECEIPT_EXTERNAL_SOURCE_AP2, AGENT_RECEIPT_EXTERNAL_SOURCE_SEP2828, AGENT_RECEIPT_EXTERNAL_SOURCE_X402, partnerRecordDigestSha256Hex, protocolAuthorizationReceiptToExternalAttestations, protocolSettlementReceiptToExternalAttestations, resolveExternalAttestations, sep2828RecordsToExternalAttestations, signedMandateToExternalAttestations, x402ReceiptToExternalAttestations, } from "./agent-receipt-external-attestations.js";
|
|
2615
|
+
export { AGENT_RECEIPT_PDF_EXPORT_DERIVED_VIEW_LABEL, AGENT_RECEIPT_PDF_EXPORT_MANIFEST_KIND, AGENT_RECEIPT_PDF_EXPORT_MANIFEST_SCHEMA_VERSION, FORBIDDEN_PDF_EXPORT_MANIFEST_FIELDS, gateAgentReceiptPDFExport, parseAgentReceiptPDFExportManifestJSON, validateAgentReceiptPDFExportManifestJSON, } from "./agent-receipt-pdf-export.js";
|
|
2616
|
+
export { AGENT_AUTHORIZATION_KIND_PRINCIPAL, AGENT_AUTHORIZATION_KIND_TENANT, AGENT_MANDATE_KIND_V1, AGENT_MANDATE_SCHEMA_VERSION, AGENT_MANDATE_SIGNING_ALGORITHM_ED25519_SHA256, CONSTRAINT_REFERENCE_KIND_POLICY, CONSTRAINT_REFERENCE_KIND_PREDICATE, HUMAN_PRESENCE_MODE_HUMAN_NOT_PRESENT, HUMAN_PRESENCE_MODE_HUMAN_PRESENT, agentMandateDigestSha256Hex, canonicalAgentMandateJsonBytes, normalizeAgentMandateV1, signAgentMandateV1, verifySignedAgentMandateV1, } from "./agent-mandate.js";
|
|
2617
|
+
export { PROTOCOL_AUTHORIZATION_RECEIPT_KIND_V1, PROTOCOL_RECEIPT_SCHEMA_VERSION, PROTOCOL_RECEIPT_SIGNING_ALGORITHM_ED25519_SHA256, PROTOCOL_RECEIPT_STATUS_AUTHORIZED, PROTOCOL_RECEIPT_VERSION_V1, PROTOCOL_SETTLEMENT_RECEIPT_KIND_V1, PROTOCOL_SOURCE_ACP, PROTOCOL_SOURCE_AP2, PROTOCOL_SOURCE_UCP, normalizeProtocolAuthorizationReceiptV1, normalizeProtocolSettlementReceiptV1, signProtocolAuthorizationReceiptV1, signProtocolSettlementReceiptV1, verifyProtocolAuthorizationReceiptV1, verifyProtocolSettlementReceiptV1, } from "./protocol-receipt.js";
|
package/dist/mcp-server.d.ts
CHANGED
|
@@ -49,6 +49,7 @@ export declare class PaybondMCPServer {
|
|
|
49
49
|
uri: string;
|
|
50
50
|
mimeType: string;
|
|
51
51
|
text: string;
|
|
52
|
+
_meta?: Record<string, unknown>;
|
|
52
53
|
}>;
|
|
53
54
|
listTools(): Array<Record<string, unknown>>;
|
|
54
55
|
callTool(name: string, args?: Record<string, unknown>): Promise<MCPCallToolResult>;
|
package/dist/mcp-server.js
CHANGED
|
@@ -11,10 +11,11 @@ import { MCP_TOOL_ALLOWLIST_ENV, MCP_TOOL_POLICY_ENV, mergeMcpToolPolicy, parseM
|
|
|
11
11
|
import { MCP_EVIDENCE_POLICY_ENV, McpEvidenceValidationGate, completionEvidenceValidationOk, extractHarborEvidenceValidationInput, extractSandboxGuardrailValidationInput, parseMcpEvidencePolicy, } from "./mcp-evidence-policy.js";
|
|
12
12
|
import { McpCapabilityTokenCache, mcpToolStoresCapabilityToken, parseMcpCapabilityTokenCacheConfig, } from "./mcp-capability-token-cache.js";
|
|
13
13
|
import { createMcpPolicyGatewayAdapter, McpPolicyReloadGate, parseMcpPolicyReloadConfig, } from "./mcp-policy-reload.js";
|
|
14
|
+
import { verifyAgentReceiptV1FromJSON } from "./agent-receipt.js";
|
|
14
15
|
import { agentReceiptResourceTemplateDefinition, agentReceiptResourceUri, MCP_AGENT_RECEIPT_RESOURCE_MIME_TYPE, parseAgentReceiptResourceUri, } from "./mcp-receipt-resource.js";
|
|
15
16
|
import { DEFAULT_PAYBOND_GATEWAY_BASE_URL, GatewayFraudClient, GatewaySignalClient, } from "./index.js";
|
|
16
17
|
const SERVER_NAME = "Paybond MCP";
|
|
17
|
-
const SERVER_VERSION = "0.12.
|
|
18
|
+
const SERVER_VERSION = "0.12.1";
|
|
18
19
|
const MCP_PROTOCOL_VERSION = "2025-11-25";
|
|
19
20
|
const DEFAULT_PRINCIPAL_PATH = "/v1/auth/principal";
|
|
20
21
|
const DEFAULT_RECOGNITION_VERIFIER_ID = "paybond-gateway";
|
|
@@ -919,10 +920,23 @@ export class PaybondMCPServer {
|
|
|
919
920
|
async readResource(uri) {
|
|
920
921
|
const receiptId = parseAgentReceiptResourceUri(uri);
|
|
921
922
|
const receipt = await this.runtime.getAgentReceiptV1(receiptId);
|
|
923
|
+
let verified;
|
|
924
|
+
try {
|
|
925
|
+
verified = await verifyAgentReceiptV1FromJSON(receipt);
|
|
926
|
+
}
|
|
927
|
+
catch (err) {
|
|
928
|
+
throw new Error(`agent receipt verification failed for ${receiptId}: ${formatError(err)}`);
|
|
929
|
+
}
|
|
922
930
|
return {
|
|
923
931
|
uri: agentReceiptResourceUri(receiptId),
|
|
924
932
|
mimeType: MCP_AGENT_RECEIPT_RESOURCE_MIME_TYPE,
|
|
925
933
|
text: JSON.stringify(receipt, null, 2),
|
|
934
|
+
_meta: {
|
|
935
|
+
verification: {
|
|
936
|
+
valid: true,
|
|
937
|
+
message_digest: verified.message_digest_sha256_hex,
|
|
938
|
+
},
|
|
939
|
+
},
|
|
926
940
|
};
|
|
927
941
|
}
|
|
928
942
|
listTools() {
|
|
@@ -1054,14 +1068,19 @@ export class PaybondMCPServer {
|
|
|
1054
1068
|
case "resources/read": {
|
|
1055
1069
|
const params = ensureObject(message.params, "resources/read params");
|
|
1056
1070
|
const uri = stringArg(params.uri, "uri");
|
|
1057
|
-
|
|
1058
|
-
|
|
1059
|
-
|
|
1060
|
-
|
|
1061
|
-
|
|
1062
|
-
|
|
1063
|
-
|
|
1064
|
-
|
|
1071
|
+
try {
|
|
1072
|
+
const contents = await this.readResource(uri);
|
|
1073
|
+
return {
|
|
1074
|
+
jsonrpc: "2.0",
|
|
1075
|
+
id: message.id,
|
|
1076
|
+
result: {
|
|
1077
|
+
contents: [contents],
|
|
1078
|
+
},
|
|
1079
|
+
};
|
|
1080
|
+
}
|
|
1081
|
+
catch (err) {
|
|
1082
|
+
return responseError(message.id, -32000, formatError(err));
|
|
1083
|
+
}
|
|
1065
1084
|
}
|
|
1066
1085
|
case "tools/call": {
|
|
1067
1086
|
const params = ensureObject(message.params, "tools/call params");
|
package/dist/policy/presets.d.ts
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import type { LayeredPolicyPresetId } from "./compose.js";
|
|
2
2
|
import { type PaybondPolicyDocumentV1 } from "./schema.js";
|
|
3
3
|
export type { LayeredPolicyPresetId };
|
|
4
|
-
declare const KNOWN_POLICY_PRESET_IDS: readonly ["travel", "shopping", "saas", "aws", "read-only", "strict"];
|
|
4
|
+
declare const KNOWN_POLICY_PRESET_IDS: readonly ["travel", "shopping", "saas", "aws", "stripe-commerce", "read-only", "strict"];
|
|
5
5
|
export type PolicyPresetId = (typeof KNOWN_POLICY_PRESET_IDS)[number];
|
|
6
6
|
/** True when `value` is a bundled vertical policy preset id (not a file path). */
|
|
7
7
|
export declare function isKnownPolicyPresetId(value: string): value is PolicyPresetId;
|
package/dist/policy/presets.js
CHANGED
package/dist/project-init.d.ts
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import type { PolicyPresetId } from "./policy/presets.js";
|
|
2
2
|
import { type SolutionId } from "./solutions/catalog.js";
|
|
3
3
|
export type ProjectInitSolution = SolutionId | "mcp-server";
|
|
4
|
-
export type ProjectInitFramework = "openai" | "langgraph" | "mcp" | "generic";
|
|
4
|
+
export type ProjectInitFramework = "openai" | "langgraph" | "mcp" | "generic" | "shopify";
|
|
5
5
|
export type ProjectInitLanguage = "typescript" | "python";
|
|
6
6
|
export type ProjectInitOptions = {
|
|
7
7
|
cwd: string;
|
package/dist/project-init.js
CHANGED
|
@@ -0,0 +1,129 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Local verification for protocol-v2 authorization and settlement receipts.
|
|
3
|
+
*
|
|
4
|
+
* Canonical JSON matches the Go gateway `protocolAuthorizationReceiptCanonicalV1` /
|
|
5
|
+
* `protocolSettlementReceiptCanonicalV1` marshalers (fixed struct field order, signing
|
|
6
|
+
* fields stripped, RFC3339Nano UTC timestamps, HTML-safe `\u` escapes), not Kit's generic
|
|
7
|
+
* JCS-style `normalizeJson`. Ported from `go/gateway/internal/protocolv2/receipt.go`.
|
|
8
|
+
*/
|
|
9
|
+
import { type AgentMandateAgentIdentity, type AgentMandateAuthorization, type AgentMandateConstraintReference, type AgentMandateSettlementRailPolicy, type AgentMandateSpendCeiling } from "./agent-mandate.js";
|
|
10
|
+
export declare const PROTOCOL_RECEIPT_SCHEMA_VERSION = 1;
|
|
11
|
+
export declare const PROTOCOL_RECEIPT_VERSION_V1 = "1";
|
|
12
|
+
export declare const PROTOCOL_RECEIPT_SIGNING_ALGORITHM_ED25519_SHA256 = "ed25519-sha256-json-v1";
|
|
13
|
+
export declare const PROTOCOL_AUTHORIZATION_RECEIPT_KIND_V1 = "paybond.protocol_authorization_receipt_v1";
|
|
14
|
+
export declare const PROTOCOL_SETTLEMENT_RECEIPT_KIND_V1 = "paybond.protocol_settlement_receipt_v1";
|
|
15
|
+
export declare const PROTOCOL_RECEIPT_STATUS_AUTHORIZED = "authorized";
|
|
16
|
+
/** Default protocol source (AP2-aligned) for imported mandates and exported receipts. */
|
|
17
|
+
export declare const PROTOCOL_SOURCE_AP2 = "ap2";
|
|
18
|
+
/** Stripe Agentic Commerce Protocol (ACP) source identifier for partner receipts. */
|
|
19
|
+
export declare const PROTOCOL_SOURCE_ACP = "acp";
|
|
20
|
+
/** Stripe Unified Commerce Protocol (UCP) source identifier for partner receipts. */
|
|
21
|
+
export declare const PROTOCOL_SOURCE_UCP = "ucp";
|
|
22
|
+
/** Partner transport metadata for imported mandates and exported receipts. */
|
|
23
|
+
export type ProtocolTransportBindingV1 = {
|
|
24
|
+
source_protocol: string;
|
|
25
|
+
partner_platform?: string;
|
|
26
|
+
external_authorization_id?: string;
|
|
27
|
+
request_id?: string;
|
|
28
|
+
};
|
|
29
|
+
/** Signed acknowledgement emitted after accepting a partner mandate binding. */
|
|
30
|
+
export type ProtocolAuthorizationReceiptV1 = {
|
|
31
|
+
schema_version: number;
|
|
32
|
+
kind: string;
|
|
33
|
+
receipt_version: string;
|
|
34
|
+
receipt_id: string;
|
|
35
|
+
issued_at: string;
|
|
36
|
+
status: string;
|
|
37
|
+
intent_id: string;
|
|
38
|
+
tenant_id: string;
|
|
39
|
+
verifier_id: string;
|
|
40
|
+
transport_binding: ProtocolTransportBindingV1;
|
|
41
|
+
mandate_digest_sha256_hex: string;
|
|
42
|
+
imported_mandate_signing_public_key_ed25519_hex: string;
|
|
43
|
+
authorization: AgentMandateAuthorization;
|
|
44
|
+
agent: AgentMandateAgentIdentity;
|
|
45
|
+
allowed_actions: string[];
|
|
46
|
+
allowed_tools: string[];
|
|
47
|
+
spend_ceiling: AgentMandateSpendCeiling;
|
|
48
|
+
settlement: AgentMandateSettlementRailPolicy;
|
|
49
|
+
constraint: AgentMandateConstraintReference;
|
|
50
|
+
expires_at: string;
|
|
51
|
+
nonce: string;
|
|
52
|
+
human_presence_mode: string;
|
|
53
|
+
signing_algorithm: string;
|
|
54
|
+
message_digest_sha256_hex: string;
|
|
55
|
+
signing_public_key_ed25519_hex: string;
|
|
56
|
+
ed25519_signature_hex: string;
|
|
57
|
+
};
|
|
58
|
+
/** Signed terminal outcome artifact for a Harbor intent bound to a partner mandate. */
|
|
59
|
+
export type ProtocolSettlementReceiptV1 = {
|
|
60
|
+
schema_version: number;
|
|
61
|
+
kind: string;
|
|
62
|
+
receipt_version: string;
|
|
63
|
+
receipt_id: string;
|
|
64
|
+
issued_at: string;
|
|
65
|
+
intent_id: string;
|
|
66
|
+
tenant_id: string;
|
|
67
|
+
verifier_id: string;
|
|
68
|
+
transport_binding: ProtocolTransportBindingV1;
|
|
69
|
+
authorization_receipt_id: string;
|
|
70
|
+
mandate_digest_sha256_hex: string;
|
|
71
|
+
harbor_state: string;
|
|
72
|
+
predicate_passed?: boolean;
|
|
73
|
+
settlement_rail: string;
|
|
74
|
+
settlement_mode: string;
|
|
75
|
+
principal_did: string;
|
|
76
|
+
payee_did: string;
|
|
77
|
+
currency: string;
|
|
78
|
+
amount_cents: number;
|
|
79
|
+
terminal_observed_at: string;
|
|
80
|
+
signing_algorithm: string;
|
|
81
|
+
message_digest_sha256_hex: string;
|
|
82
|
+
signing_public_key_ed25519_hex: string;
|
|
83
|
+
ed25519_signature_hex: string;
|
|
84
|
+
};
|
|
85
|
+
type ProtocolAuthorizationReceiptInput = ProtocolAuthorizationReceiptV1 | Record<string, unknown>;
|
|
86
|
+
type ProtocolSettlementReceiptInput = ProtocolSettlementReceiptV1 | Record<string, unknown>;
|
|
87
|
+
/**
|
|
88
|
+
* Validates and canonicalizes an authorization receipt for hashing and signing.
|
|
89
|
+
*
|
|
90
|
+
* Signing fields are lower/trim-normalized but not recomputed here.
|
|
91
|
+
*
|
|
92
|
+
* @throws When structure or field values are invalid.
|
|
93
|
+
*/
|
|
94
|
+
export declare function normalizeProtocolAuthorizationReceiptV1(input: ProtocolAuthorizationReceiptInput): ProtocolAuthorizationReceiptV1;
|
|
95
|
+
/**
|
|
96
|
+
* Validates and canonicalizes a settlement receipt for hashing and signing.
|
|
97
|
+
*
|
|
98
|
+
* @throws When structure or field values are invalid.
|
|
99
|
+
*/
|
|
100
|
+
export declare function normalizeProtocolSettlementReceiptV1(input: ProtocolSettlementReceiptInput): ProtocolSettlementReceiptV1;
|
|
101
|
+
/**
|
|
102
|
+
* Validates, canonicalizes, and signs an authorization receipt with
|
|
103
|
+
* Ed25519-over-SHA-256(canonical JSON).
|
|
104
|
+
*
|
|
105
|
+
* @param signingSeed - 32-byte Ed25519 seed (noble private key).
|
|
106
|
+
*/
|
|
107
|
+
export declare function signProtocolAuthorizationReceiptV1(signingSeed: Uint8Array, input: ProtocolAuthorizationReceiptInput): ProtocolAuthorizationReceiptV1;
|
|
108
|
+
/**
|
|
109
|
+
* Validates, canonicalizes, and signs a settlement receipt with
|
|
110
|
+
* Ed25519-over-SHA-256(canonical JSON).
|
|
111
|
+
*
|
|
112
|
+
* @param signingSeed - 32-byte Ed25519 seed (noble private key).
|
|
113
|
+
*/
|
|
114
|
+
export declare function signProtocolSettlementReceiptV1(signingSeed: Uint8Array, input: ProtocolSettlementReceiptInput): ProtocolSettlementReceiptV1;
|
|
115
|
+
/**
|
|
116
|
+
* Checks structure, canonical digest recompute, and detached Ed25519 signature.
|
|
117
|
+
*
|
|
118
|
+
* @returns The normalized authorization receipt on success.
|
|
119
|
+
* @throws When structure, digest, or signature verification fails.
|
|
120
|
+
*/
|
|
121
|
+
export declare function verifyProtocolAuthorizationReceiptV1(input: ProtocolAuthorizationReceiptInput): ProtocolAuthorizationReceiptV1;
|
|
122
|
+
/**
|
|
123
|
+
* Checks structure, canonical digest recompute, and detached Ed25519 signature.
|
|
124
|
+
*
|
|
125
|
+
* @returns The normalized settlement receipt on success.
|
|
126
|
+
* @throws When structure, digest, or signature verification fails.
|
|
127
|
+
*/
|
|
128
|
+
export declare function verifyProtocolSettlementReceiptV1(input: ProtocolSettlementReceiptInput): ProtocolSettlementReceiptV1;
|
|
129
|
+
export {};
|