@piprail/sdk 1.8.0 → 1.10.0

package/CHAINS.md

@@ -13,7 +13,7 @@ read those sections before you ship them.
 
 | Chain(s) | Pay in native coin? | Built-in stablecoins | Receiver needs setup? | Wallet input |
 |---|:--:|---|---|---|
-| **EVM** (Ethereum, Base, Arbitrum, Optimism, Polygon, BNB, Avalanche, Mantle, Sonic, Linea, Scroll, Celo, zkSync, Unichain, World Chain, Sei, Injective, HyperEVM, Monad, + any EVM chain) | ✅ ETH/BNB/POL/… | USDC (all) · USDT (all **except Base, World Chain, Sei, HyperEVM, Monad**) | No | `{ privateKey }` |
+| **EVM** (Ethereum, Base, Arbitrum, Optimism, Polygon, BNB, Avalanche, Mantle, Sonic, Linea, Scroll, Celo, zkSync, Unichain, World Chain, Sei, Injective, HyperEVM, Monad, Kaia, + any EVM chain) | ✅ ETH/BNB/POL/… | USDC (all **except Kaia**) · USDT (all **except Base, World Chain, Sei, HyperEVM, Monad**) | No | `{ privateKey }` |
 | **Solana** | ✅ SOL | USDC · USDT | No (payer creates the recipient's token account) | `{ secretKey }` |
 | **Sui** | ✅ SUI | USDC (no USDT) | No | `{ privateKey }` (`suiprivkey1…`) |
 | **Aptos** | ✅ APT | USDC · USDT | No (primary FA store auto-creates) | `{ privateKey }` (`ed25519-priv-0x…`) |
@@ -45,9 +45,11 @@ read those sections before you ship them.
 
 ### EVM — Ethereum, Base, Arbitrum, Optimism, Polygon, BNB, Avalanche, …
 - **Pay in:** native coin (`'native'`), `'USDC'`, `'USDT'`, or a custom `{ address, decimals }`.
-- **USDT gap:** built in on every preset **except Base, World Chain, Sei, HyperEVM, and Monad** (USDC only there).
+- **USDT gap:** built in on every preset **except Base, World Chain, Sei, HyperEVM, and Monad** (USDC only there). **Kaia** is the inverse — **USD₮ only** (no Circle-native USDC on Kaia).
 - **Decimals:** on **BNB Chain**, Binance-Peg USDC/USDT are **18 decimals**, not 6 (the SDK handles it; don't hardcode 6).
-- **USDT branding:** on **Arbitrum, Polygon, and Unichain** the canonical Tether is the omnichain **USD₮0 / USDT0** (LayerZero), and on **Celo** it's native **USD₮** — all genuine, Tether-issued, 6-decimal USDT at the addresses shipped (verified live on-chain by symbol/decimals/supply). You still ask for it as `token: 'USDT'`; only the on-chain `symbol()` string differs from the plain `USDT` your wallet may show elsewhere.
+- **Stablecoin provenance — issuer-native vs bridged (every shipped address verified on-chain 2026-06-08, incl. bridge markers).** Every address is the correct, canonical, 1:1-redeemable dollar token on its chain; what varies is *who issues it*. You request it as `'USDC'` / `'USDT'` either way — provenance matters only if you specifically require issuer-native settlement.
+  - **USDC** is **Circle-native** on every preset **except** **BNB** (Binance-Peg, 18-dp), **Mantle** (OP canonical-bridge), and **Scroll** (Bridged-USDC-Standard) — the last two are backed 1:1 by Circle USDC on Ethereum but are **not** Circle-issued on that chain (absent from Circle's native-USDC list).
+  - **USDT** is **Tether-native** on **Ethereum, Avalanche, Celo, Kaia** (EVM) and **Solana, Tron, TON, NEAR, Aptos** (non-EVM). Everywhere else it's bridged: **USDT0** (LayerZero omnichain, on-chain `symbol()` = `USD₮0`) on **Arbitrum, Polygon, Unichain**; a **canonical-bridge** token (chain-minted, backed by Tether's Ethereum USDT — not Tether-issued) on **Optimism, zkSync, Sonic, Linea, Injective, Mantle, Scroll**; and **Binance-Peg** (18-dp) on **BNB**. The on-chain `symbol()` may read `USDT`, `USD₮`, `USDt`, or `USD₮0`; all resolve via `token: 'USDT'`.
 - **Receiver setup:** none — any `0x…` address receives ERC-20 or native immediately.
 - **Any other EVM chain:** pass a viem `Chain` or `{ id, rpcUrl }` + `token: { address, decimals }`.
 

package/CHANGELOG.md

@@ -4,6 +4,63 @@ All notable changes to `@piprail/sdk` are documented here. The format
 follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and the
 versions follow [Semantic Versioning](https://semver.org/).
 
+## [1.10.0] — 2026-06-09
+
+### Added — Universal Payments (the standard x402 `exact` rail)
+- **Get paid by ANY standard x402 client.** A gate can now opt into advertising a ratified x402
+  `exact` rail (EIP-3009) **alongside** its backendless `onchain-proof` rail (dual-advertise) —
+  `requirePayment({ …, exact: { settle: 'self', relayer: { privateKey } } })`. A standard client
+  (`x402-fetch`, `@x402/fetch`, …) picks `exact`; a PipRail client picks `onchain-proof`. Opt-in;
+  omitting `exact` leaves the gate byte-identical. EVM + EIP-3009 only (USDC/EURC); USDT, native, and
+  non-EVM chains stay `onchain-proof` (a clear config error if you request `exact` on them).
+- **Two backendless settlement modes.** `settle: 'self'` broadcasts `transferWithAuthorization` from
+  the merchant's own relayer key (payer spends **zero** gas; the merchant pays gas to receive — the
+  signature binds `to`, so no redirect risk). `settle: { facilitator }` delegates verify+settle to a
+  third-party x402 facilitator the merchant chooses (Coinbase CDP, x402.org, …) via the new pure
+  `settleViaFacilitator` — PipRail hosts nothing either way.
+- **EIP-712 domain read from the token.** The exact rail reads `name()`/`version()` from the contract
+  (never assumed from the symbol — USDC's domain name is `"USD Coin"`, EURC's is `"EURC"`, bridged
+  USDC differs), so it's correct across all 18 built-in EVM USDC chains. Proven live: a real
+  `@x402/fetch` reference client settles against a PipRail gate on Base mainnet.
+- New exports: `ExactRailOption`, `SettlementError` (`SETTLEMENT_FAILED`), `signature_invalid`
+  (`VerifyErrorCode`), `settleViaFacilitator` + `FacilitatorConfig`, `parseExactPaymentHeader`,
+  `readExactDomain`, `eip3009Abi`, the `X402ExactAcceptEntry`/`X402AnyAccept`/`ExactPaymentPayload`
+  types, and the v1 header constants `HEADER_SIGNATURE_V1`/`HEADER_RESPONSE_V1`.
+
+### Changed — x402 v2 conformance
+- **A rejected proof is now a conformant 402.** The gate re-issues a full v2 `PaymentRequired`
+  re-challenge on rejection (carries `accepts[]` so a standard client can retry, the human reason in
+  `error`, and the machine code in `extensions.piprail`) instead of the old non-standard
+  `{ status: 'invalid' }` body. The built-in `requirePayment` adapter emits it automatically; the
+  client reads the structured reason. `toInvalidBody` is **deprecated** (kept for back-compat) — prefer
+  the gate's `result.challenge`.
+- **Receive + respond on both header sets.** The gate accepts an inbound payment on `PAYMENT-SIGNATURE`
+  (v2) **or** `X-PAYMENT` (v1), and emits the settlement on both `PAYMENT-RESPONSE` and
+  `X-PAYMENT-RESPONSE`, so deprecated-but-common v1 clients interoperate on the `exact` rail.
+- A fresh challenge now omits `error` (was `error: null`) and may carry `extensions`/`resource.mimeType`.
+
+### Fixed
+- **UTF-8-safe base64 envelope codec.** The wire codec preferred `btoa`/`atob`, which are Latin1-only —
+  and modern Node defines them globally — so a challenge/receipt containing a non-ASCII byte (a chain
+  error `detail`, an `…` in a viem message, a token symbol) threw `InvalidCharacterError`. It now
+  prefers `Buffer` and bridges through `TextEncoder`/`TextDecoder` in the browser.
+
+## [1.9.0] — 2026-06-08
+
+### Added
+- **Kaia** (ex-Klaytn, chainId 8217) — EVM preset for South Korea's stablecoin-settlement chain
+  (born from Kakao + LINE). Pay **native KAIA** or **Tether-native USD₮**
+  (`0xd077A400968890Eacc75cdc901F0356c943e4fDb`, verified on-chain: symbol `USD₮`, name
+  "Tether USD", 6 dp, no bridge markers). Circle issues no native USDC on Kaia, so USDC is
+  intentionally omitted (pass it as a custom token if you need a bridged one). Brings the built-in
+  set to **29 chains across 10 families** (20 EVM mainnets).
+
+### Changed
+- **CHAINS.md — verified stablecoin provenance.** Now documents, per chain, whether the shipped
+  USDC/USDT is issuer-native, **USDT0** (LayerZero), a **canonical-bridge** token, or **Binance-Peg** —
+  every address re-verified on-chain. Documentation only; no code or behaviour change, all tokens
+  unchanged.
+
 ## [1.8.0] — 2026-06-06
 
 ### Added
@@ -492,6 +549,8 @@ straight into your wallet. The API is small and self-contained.
   to your wallet; PipRail never holds funds.
 - `viem ^2.21` is a peer dependency. Node 20+ or a modern browser.
 
+[1.10.0]: https://www.npmjs.com/package/@piprail/sdk
+[1.9.0]: https://www.npmjs.com/package/@piprail/sdk
 [1.8.0]: https://www.npmjs.com/package/@piprail/sdk
 [1.7.0]: https://www.npmjs.com/package/@piprail/sdk
 [1.6.0]: https://www.npmjs.com/package/@piprail/sdk

package/ERRORS.md

@@ -25,9 +25,13 @@ Every failure surfaces through exactly one of two chain-agnostic channels:
   (a stable `SCREAMING_SNAKE` string). They never leak a raw `viem`/`@solana`/`@ton`/
   `@stellar` error for a condition the SDK recognises.
 - **Returned** `VerifyResult` is how a driver's `verify()` reports *why a proof was rejected*
-  without throwing. The gate turns `{ ok: false, error, detail }` into the canonical 402
-  body `{ x402Version: 2, status: 'invalid', error, detail }` (built once by
-  [`toInvalidBody`](src/server.ts)); the client relays it to the agent.
+  without throwing. The gate turns `{ ok: false, error, detail }` into a **conformant v2
+  `PaymentRequired` re-challenge** — a full 402 body with `accepts[]` (so a standard x402 client
+  can retry), the human reason in `error`, and the machine code in `extensions.piprail.{code,detail}`.
+  The built-in `requirePayment` adapter emits it + the `PAYMENT-REQUIRED` header automatically; the
+  client reads the structured reason and relays it to the agent. (The legacy
+  [`toInvalidBody`](src/server.ts) `{ status: 'invalid', … }` helper is **deprecated** — it has no
+  `accepts[]`, so a standard client can't retry; prefer the gate's `result.challenge`.)
 
 Rule of thumb: **config/flow/wallet/registry/affordability → throw; proof-verification
 outcome → return.** Replay (`tx_already_used`) is the one verify-style code emitted by the
@@ -56,6 +60,7 @@ Base class [`PipRailError`](src/errors.ts) (abstract; `.name` = the subclass nam
 | `NON_REPLAYABLE_BODY` | `NonReplayableBodyError` | `init.body` isn't replayable (e.g. a one-shot stream) | client |
 | `MISSING_DRIVER` | `MissingDriverError` | a family's **optional peer deps aren't installed** (the lazy `import()` failed) — message names the exact `npm install` and sets `{ cause }` | registry loaders |
 | `UNSUPPORTED_NETWORK` | `UnsupportedNetworkError` | no driver for the family, or the driver's `resolve()` returned `null` (unrecognised `chain`) | registry |
+| `SETTLEMENT_FAILED` | `SettlementError` | the standard `exact` rail: a payment was VALID (sig recovered, simulated) but **settlement failed server-side** — the merchant's relayer couldn't broadcast, or a Mode-B facilitator returned a transport/auth error. NOT the payer's fault (their authorization stays valid + unused), so the adapter returns **5xx**, never 402 | gate (`exact` rail) |
 
 `MISSING_DRIVER` vs `UNSUPPORTED_NETWORK` is a deliberate split: *deps not installed* vs
 *chain not supported*. Don't reuse one for the other.
@@ -77,8 +82,9 @@ a code, and you must use the same code other drivers use for the same condition.
 | `wrong_recipient` | paid, but not to `payTo` | definitive | EVM / Solana native path |
 | `amount_too_low` | paid to `payTo`, but `< required` | definitive | all |
 | `transfer_not_found` | no matching transfer (asset / amount / nonce) to `payTo` | definitive | all |
-| `payment_expired` | older than `maxTimeoutSeconds` (replay window) | definitive | all |
-| `tx_already_used` | this proof was already redeemed (replay) | definitive | the **gate** (not drivers) |
+| `payment_expired` | older than `maxTimeoutSeconds` (replay window); on `exact`, an expired/not-yet-valid EIP-3009 authorization | definitive | all |
+| `tx_already_used` | this proof was already redeemed (replay); on `exact`, an on-chain-consumed authorization nonce | definitive | the **gate** (+ EVM `exact` via `authorizationState`) |
+| `signature_invalid` | `exact` rail: the EIP-712 authorization signature didn't recover to the payer | definitive | EVM `exact` |
 
 **Family-specificity is structural, not drift.** Account-watch chains (TON, Stellar) scan the
 merchant account and can't tell "wrong recipient" from "no payment", so both collapse to
@@ -95,9 +101,14 @@ the code. A consumer building a custom client may branch on it.
 
 ## 4. What the agent receives
 
-- **Rejected proof →** a `402` with body `{ x402Version: 2, status: 'invalid', error, detail }`.
-  Always build it with [`toInvalidBody(result)`](src/server.ts) so Express, Hono, Fastify,
-  Workers, etc. emit the *identical* envelope.
+- **Rejected proof →** a conformant `402` **re-challenge**: a full v2 `PaymentRequired` body with
+  `accepts[]` (so a standard x402 client can retry), the reason in `error`, and the machine code in
+  `extensions.piprail.{code,detail}`, plus the `PAYMENT-REQUIRED` header. The built-in
+  `requirePayment` adapter emits `result.challenge` automatically; other adapters should do the same
+  (NOT the deprecated bare [`toInvalidBody`](src/server.ts), which omits `accepts[]`).
+- **`exact`-rail settlement failed server-side →** a `5xx` (a thrown `SettlementError`), never a 402:
+  the payer's EIP-3009 authorization is still valid and its nonce unused, so re-presenting it once the
+  merchant fixes their relayer/facilitator settles — re-paying would be wrong.
 - **Client gave up →** `MaxRetriesExceededError` whose message embeds the last server
   `error — detail` (e.g. `… Last server rejection: amount_too_low — Paid 40000, required
   500000.`), and a `payment-failed` event carrying the same reason.
@@ -148,6 +159,8 @@ Every `PaymentDriver` / `ResolvedNetwork` method has a fixed error behaviour:
 | `bindWallet(wallet)` | a foreign / unusable wallet shape → `WrongFamilyError`. |
 | `send(wallet, accept)` | wrap the broadcast; map **sender** affordability → `InsufficientFundsError` (§6) and **recipient** setup → `RecipientNotReadyError` (§6.1); **rethrow everything else unchanged** (never swallow). Every mapped throw carries `{ cause }` = the raw chain error. |
 | `verify(ref, accept)` | **return** a `VerifyResult` with a canonical `VerifyErrorCode`. **Guard every RPC read** so a transient failure returns `tx_not_found` — `verify()` must not throw for an RPC hiccup. Re-derive the watched account from the trusted `accept`, never the client ref. |
+| `exactDomain?(asset)` *(optional, EVM)* | **never throw for a non-EIP-3009 token** — return `null` (the gate raises a clear config error). May throw only on a hard RPC failure at gate setup. |
+| `settleExactSelf?(input)` *(optional, EVM)* | **return** a `VerifyResult` for a CLIENT-fixable fault (`signature_invalid`/`wrong_recipient`/`amount_too_low`/`payment_expired`/`tx_already_used`/`tx_reverted` → 402); **throw `SettlementError`** when a valid+simulated payment fails to BROADCAST (relayer/RPC → 5xx). Re-derive every checked field from the trusted `accept`, never the client echo. |
 | `confirm(ref, n)` | broadcast-but-not-confirmed / timeout → `ConfirmationTimeoutError`. |
 | `estimateCost(accept, opts?)` | **never throw** — guard the RPC read and fall back to a `'heuristic'` constant; always return a valid `CostEstimate`. |
 | `balanceOf(wallet, asset)` | **never throw** — RPC-read-only. A field whose read was unavailable (transient/rate-limit) returns `null`, NOT `0` (a false 0 reads as "broke"). For `asset==='native'`, `token === native`. |

package/README.md

@@ -40,6 +40,25 @@ const data = await res.json()
 
 On a `402`, the client reads the challenge, sends the payment on-chain, waits for confirmation, and retries with proof — all inside `client.fetch`. The same app can **take** payments with `requirePayment` and **make** them with `PipRailClient`. Built for autonomous agents: install, add a wallet, monetize or pay — nothing else to wire up.
 
+## Universal payments — get paid by *any* x402 client
+
+PipRail's envelope is x402 **v2**-conformant, and its default `onchain-proof` scheme is backendless (the payer broadcasts, you verify locally — zero merchant key, zero merchant gas). To **also** be payable by a standard x402 client (Coinbase's `x402-fetch`, `@x402/fetch`, anything speaking the ratified `exact`/EIP-3009 scheme), opt into a standard `exact` rail — advertised **alongside** `onchain-proof` in the same 402:
+
+```ts
+requirePayment({
+  chain: 'base', token: 'USDC', amount: '0.05', payTo: '0xYourWallet…',
+  exact: { settle: 'self', relayer: { privateKey: process.env.RELAYER_KEY } },
+})
+```
+
+Now the gate offers two rails: a standard x402 client picks `exact`; a PipRail client picks `onchain-proof`. The `exact` rail is **self-settled** — your own `relayer` key broadcasts the client's signed EIP-3009 authorization, so the **payer spends no gas** (you do, to receive). The EIP-712 token domain is read from the contract, so it's correct on every chain (USDC's domain name is `"USD Coin"`, not the symbol). Prefer not to run a relayer key? Delegate settlement to a third-party facilitator you choose — PipRail still hosts nothing:
+
+```ts
+exact: { settle: { facilitator: 'https://x402.org/facilitator' } }
+```
+
+EVM + EIP-3009 tokens only (USDC, EURC — not USDT, not native; those stay `onchain-proof`). Omit `exact` and the gate is byte-identical to today. Proven end-to-end: a real `@x402/fetch` reference client settles against a PipRail gate on Base mainnet.
+
 ## Built for agents — spend safely
 
 A funded key loose on the internet needs guardrails. Opt in to a `policy` and the client refuses anything outside it **before any on-chain send** — plus learn a price without paying it, approve each payment, and read back exactly what you spent. All opt-in, all local, no backend; omit it and the client behaves exactly as before.
@@ -272,6 +291,7 @@ Every token address below was verified on-chain (symbol + decimals) before shipp
 | `'injective'` | Injective | USDC, USDT |
 | `'hyperevm'` | HyperEVM (Hyperliquid) | USDC |
 | `'monad'` | Monad | USDC |
+| `'kaia'` | Kaia (ex-Klaytn) | USDT |
 | `'solana'` | Solana | USDC, USDT |
 | `'ton'` | TON | USDT |
 | `'tron'` | Tron | USDT |
@@ -507,6 +527,8 @@ Agent                                  Your server
 
 Verification is local and confirms the transaction **succeeded, is recent, and actually moved the required amount of the right token to `payTo`** — then your handler runs and returns the data. The same proof can't be redeemed twice. **Self-custody throughout:** the payer signs and broadcasts their own transfer straight to your wallet; PipRail never holds funds and never takes a cut of a payment.
 
+It's a **pull** model: the caller hands you the exact tx ref in the `payment-signature` header, so `verify()` does a **targeted lookup on your own RPC** and answers **synchronously, in the same request** — no chain listener, no indexer, no accounts DB, no async notify. Why that matters vs. "just send a raw transfer" — with runnable proof and an honest scorecard — is laid out in [`examples/why-402/`](../examples/why-402/) (and the [root README](../README.md#-why-402-and-not-just-a-raw-transfer)).
+
 ## Receipts — record every payment
 
 Every verified payment produces an `X402Receipt` with exactly what you'd persist — the on-chain tx ref, who paid, the amount, and the token. The SDK stays **database-free**; it hands you the data and you store it however you like.
@@ -656,6 +678,7 @@ The full standard every module follows is **[ERRORS.md](./ERRORS.md)**.
 | `onPaid` | — | `(receipt) => void` on a verified payment (see [Receipts](#receipts--record-every-payment)) |
 | `isUsed` / `markUsed` | in-memory | Replay store hooks — share across instances (e.g. Redis `SET NX`) |
 | `generateNonce` | `crypto.randomUUID()` | Custom per-challenge nonce generator |
+| `exact` | — | Opt in to **also** advertise a standard x402 `exact` rail (EIP-3009) so any standard client can pay: `{ settle: 'self', relayer: { privateKey } }` (your relayer broadcasts) or `{ settle: { facilitator } }` (delegate to a chosen facilitator). EVM + USDC/EURC only — see [Universal payments](#universal-payments--get-paid-by-any-x402-client) |
 
 Provide **either** `chain` + `token` + `amount` (single) **or** a non-empty `accept` array (multi) — not both.
 

package/STANDARDS.md

@@ -15,8 +15,11 @@ zero-config path still read in one line? If a feature can't be opt-in, reconside
 
 - **Opt-in, defaults unchanged.** New capability is a new optional field/method. Omitting it
   leaves behaviour byte-identical. (`policy`, `onBeforePay`, `accept[]`, `quote()` all obey this.)
-- **No backend, no database, no auth, no dashboard, no fee, no hosted facilitator.** Ever. If a
-  feature needs one of those, it's the wrong feature for this SDK.
+- **No backend, no database, no auth, no dashboard, no fee, no PipRail-hosted facilitator.** Ever. If
+  a feature needs one of those, it's the wrong feature for this SDK. (The opt-in standard `exact` rail
+  is consistent with this: settlement is either **merchant-self-hosted** — the merchant's own relayer
+  key broadcasts in-process, which x402 v2 §7 explicitly blesses — or **delegated to a third-party
+  facilitator the merchant chooses**. PipRail still hosts nothing.)
 - **One obvious way.** Prefer one clear API over flags. `token` is required so a gate is never
   ambiguous; `chain` is one word. Don't add a second way to do the same thing.
 

package/dist/{algorand-IJJKE35X.cjs → algorand-MXUSKX46.cjs}

@@ -7,7 +7,7 @@
 
 
 
-var _chunkIQGT65WScjs = require('./chunk-IQGT65WS.cjs');
+var _chunkMDLZJGLYcjs = require('./chunk-MDLZJGLY.cjs');
 
 // src/drivers/algorand/index.ts
 var _algosdk = require('algosdk'); var _algosdk2 = _interopRequireDefault(_algosdk);
@@ -55,13 +55,13 @@ async function payAlgorand(params) {
   } catch (err) {
     const mapped = mapAlgorandError(err, accept.payTo);
     if (mapped) throw mapped;
-    throw _nullishCoalesce(_chunkIQGT65WScjs.toInsufficientFundsError.call(void 0, err), () => ( err));
+    throw _nullishCoalesce(_chunkMDLZJGLYcjs.toInsufficientFundsError.call(void 0, err), () => ( err));
   }
 }
 function mapAlgorandError(err, payTo) {
   const m = err instanceof Error ? err.message : String(err);
   if (/must optin/i.test(m) || /missing from/i.test(m) && m.includes(payTo)) {
-    return new (0, _chunkIQGT65WScjs.RecipientNotReadyError)(
+    return new (0, _chunkMDLZJGLYcjs.RecipientNotReadyError)(
       `Algorand recipient ${payTo} hasn't opted into this asset \u2014 it must opt in (a 0-amount asset transfer to itself) before it can receive. (Algorand: ${firstLine(m)})`,
       { cause: err }
     );
@@ -69,7 +69,7 @@ function mapAlgorandError(err, payTo) {
   if (/overspend|below min|min(imum)? balance|tried to spend|balance \d+ below|asset \d+ missing from|insufficient|underflow/i.test(
     m
   )) {
-    return new (0, _chunkIQGT65WScjs.InsufficientFundsError)(
+    return new (0, _chunkMDLZJGLYcjs.InsufficientFundsError)(
       `Algorand payment failed: the sender can't cover it \u2014 token balance, ALGO for fees, the 0.1-ALGO minimum balance, or a missing asset opt-in on the sender. (Algorand: ${firstLine(m)})`,
       { cause: err }
     );
@@ -157,22 +157,22 @@ function rpcFailed(nonce) {
 
 function assertAlgorandWallet(wallet, network) {
   if (typeof wallet !== "object" || wallet === null) {
-    throw new (0, _chunkIQGT65WScjs.WrongFamilyError)(
+    throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)(
       `chain ${network} is Algorand; wallet must be { mnemonic } (25 words) or { account }.`
     );
   }
   if ("privateKey" in wallet || "walletClient" in wallet) {
-    throw new (0, _chunkIQGT65WScjs.WrongFamilyError)(
+    throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)(
       `chain ${network} is Algorand; an EVM/Aptos wallet can't be used \u2014 pass { mnemonic } (25 words) or { account }.`
     );
   }
   if ("secretKey" in wallet || "signer" in wallet || "secret" in wallet || "keypair" in wallet || "keyPair" in wallet || "seed" in wallet || "accountId" in wallet) {
-    throw new (0, _chunkIQGT65WScjs.WrongFamilyError)(
+    throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)(
       `chain ${network} is Algorand; that looks like another family's wallet \u2014 pass { mnemonic } (25 words) or { account }.`
     );
   }
   if (!("mnemonic" in wallet) && !("account" in wallet)) {
-    throw new (0, _chunkIQGT65WScjs.WrongFamilyError)(
+    throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)(
       `chain ${network} is Algorand; wallet must be { mnemonic } (25 words) or { account }.`
     );
   }
@@ -187,13 +187,13 @@ function resolveAlgorandWallet(config) {
       const { addr, sk } = _algosdk2.default.mnemonicToSecretKey(config.mnemonic);
       return { addr: addr.toString(), sk };
     } catch (cause) {
-      throw new (0, _chunkIQGT65WScjs.WrongFamilyError)(
+      throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)(
         "Algorand wallet { mnemonic } is not a valid 25-word Algorand mnemonic.",
         { cause }
       );
     }
   }
-  throw new (0, _chunkIQGT65WScjs.WrongFamilyError)("Algorand wallet needs { mnemonic } (25 words) or { account }.");
+  throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)("Algorand wallet needs { mnemonic } (25 words) or { account }.");
 }
 
 // src/drivers/algorand/index.ts
@@ -248,16 +248,16 @@ function makeAlgorandNetwork(preset, algodUrl) {
         const info = preset.tokens[token.toUpperCase()];
         if (!info) {
           const known = Object.keys(preset.tokens).join(", ") || "(none built in)";
-          throw new (0, _chunkIQGT65WScjs.UnknownTokenError)(
+          throw new (0, _chunkMDLZJGLYcjs.UnknownTokenError)(
             `token "${token}" isn't built in for Algorand (known: ${known}). Pass { assetId, decimals } for a custom ASA, or use 'native'.`
           );
         }
         return { asset: algorandAssetId(info.assetId), decimals: info.decimals, symbol: info.symbol };
       }
-      _chunkIQGT65WScjs.rejectForeignToken.call(void 0, token, "algorand", network);
+      _chunkMDLZJGLYcjs.rejectForeignToken.call(void 0, token, "algorand", network);
       const t = token;
       if (typeof t.assetId !== "number" || typeof t.decimals !== "number") {
-        throw new (0, _chunkIQGT65WScjs.WrongFamilyError)(
+        throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)(
           `chain ${network} is Algorand; a custom token must be { assetId, decimals }.`
         );
       }
@@ -278,12 +278,12 @@ function makeAlgorandNetwork(preset, algodUrl) {
     },
     assertValidPayTo(payTo) {
       if (payTo.startsWith("0x")) {
-        throw new (0, _chunkIQGT65WScjs.WrongFamilyError)(
+        throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)(
           `chain ${network} is Algorand, but payTo "${payTo}" looks like an EVM address.`
         );
       }
       if (!_algosdk2.default.isValidAddress(payTo)) {
-        throw new (0, _chunkIQGT65WScjs.WrongFamilyError)(
+        throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)(
           `chain ${network} is Algorand, but payTo "${payTo}" is not a valid Algorand address.`
         );
       }
@@ -300,13 +300,13 @@ function makeAlgorandNetwork(preset, algodUrl) {
         const info = await _algosdk2.default.waitForConfirmation(algod, ref, 10);
         return { height: String(_nullishCoalesce(info.confirmedRound, () => ( 0))) };
       } catch (err) {
-        throw new (0, _chunkIQGT65WScjs.ConfirmationTimeoutError)(`Algorand tx ${ref} did not confirm in time.`, {
+        throw new (0, _chunkMDLZJGLYcjs.ConfirmationTimeoutError)(`Algorand tx ${ref} did not confirm in time.`, {
           cause: err
         });
       }
     },
     async estimateCost() {
-      return _chunkIQGT65WScjs.nativeCost.call(void 0, {
+      return _chunkMDLZJGLYcjs.nativeCost.call(void 0, {
         symbol: ALGO_SYMBOL,
         decimals: ALGO_DECIMALS,
         fee: 1000n,

package/dist/{algorand-B67G4335.js → algorand-WGVF4KTU.js}

@@ -7,7 +7,7 @@ import {
   nativeCost,
   rejectForeignToken,
   toInsufficientFundsError
-} from "./chunk-QDS6FBZP.js";
+} from "./chunk-SVMGHASK.js";
 
 // src/drivers/algorand/index.ts
 import algosdk2 from "algosdk";

package/dist/{aptos-YQWTGFRZ.js → aptos-LPBLSEIQ.js}

@@ -6,7 +6,7 @@ import {
   nativeCost,
   rejectForeignToken,
   toInsufficientFundsError
-} from "./chunk-QDS6FBZP.js";
+} from "./chunk-SVMGHASK.js";
 
 // src/drivers/aptos/index.ts
 import { Aptos, AptosConfig, Network, AccountAddress } from "@aptos-labs/ts-sdk";

package/dist/{aptos-X3G2UBYW.cjs → aptos-YT7SXWPF.cjs}

@@ -6,7 +6,7 @@
 
 
 
-var _chunkIQGT65WScjs = require('./chunk-IQGT65WS.cjs');
+var _chunkMDLZJGLYcjs = require('./chunk-MDLZJGLY.cjs');
 
 // src/drivers/aptos/index.ts
 var _tssdk = require('@aptos-labs/ts-sdk');
@@ -55,14 +55,14 @@ async function payAptos(params) {
     const res = await client.signSubmit({ signer, transaction });
     return res.hash;
   } catch (err) {
-    if (err instanceof _chunkIQGT65WScjs.InsufficientFundsError) throw err;
+    if (err instanceof _chunkMDLZJGLYcjs.InsufficientFundsError) throw err;
     if (isAptosAffordability(err)) {
-      throw new (0, _chunkIQGT65WScjs.InsufficientFundsError)(
+      throw new (0, _chunkMDLZJGLYcjs.InsufficientFundsError)(
         err instanceof Error ? err.message : "Insufficient APT/token balance for the payment.",
         { cause: err }
       );
     }
-    throw _nullishCoalesce(_chunkIQGT65WScjs.toInsufficientFundsError.call(void 0, err), () => ( err));
+    throw _nullishCoalesce(_chunkMDLZJGLYcjs.toInsufficientFundsError.call(void 0, err), () => ( err));
   }
 }
 function isAptosAffordability(err) {
@@ -146,22 +146,22 @@ function txNotFound(hash) {
 
 function assertAptosWallet(wallet, network) {
   if (typeof wallet !== "object" || wallet === null) {
-    throw new (0, _chunkIQGT65WScjs.WrongFamilyError)(
+    throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)(
       `chain ${network} is Aptos; wallet must be { privateKey } (ed25519-priv-0x\u2026) or { account }.`
     );
   }
   if ("walletClient" in wallet) {
-    throw new (0, _chunkIQGT65WScjs.WrongFamilyError)(
+    throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)(
       `chain ${network} is Aptos; a viem { walletClient } can't be used \u2014 pass { privateKey } (ed25519-priv-0x\u2026) or { account }.`
     );
   }
   if ("secretKey" in wallet || "signer" in wallet || "mnemonic" in wallet || "keypair" in wallet || "keyPair" in wallet || "secret" in wallet || "seed" in wallet || "accountId" in wallet) {
-    throw new (0, _chunkIQGT65WScjs.WrongFamilyError)(
+    throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)(
       `chain ${network} is Aptos; that looks like another family's wallet \u2014 pass { privateKey } (ed25519-priv-0x\u2026) or { account }.`
     );
   }
   if (!("privateKey" in wallet) && !("account" in wallet)) {
-    throw new (0, _chunkIQGT65WScjs.WrongFamilyError)(
+    throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)(
       `chain ${network} is Aptos; wallet must be { privateKey } (ed25519-priv-0x\u2026) or { account }.`
     );
   }
@@ -173,13 +173,13 @@ function resolveAptosAccount(config) {
     try {
       return _tssdk.Account.fromPrivateKey({ privateKey: new (0, _tssdk.Ed25519PrivateKey)(config.privateKey) });
     } catch (cause) {
-      throw new (0, _chunkIQGT65WScjs.WrongFamilyError)(
+      throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)(
         "Aptos wallet { privateKey } is not a valid ed25519 secret (ed25519-priv-0x\u2026 or 0x\u2026 hex).",
         { cause }
       );
     }
   }
-  throw new (0, _chunkIQGT65WScjs.WrongFamilyError)("Aptos wallet needs { privateKey } (ed25519-priv-0x\u2026) or { account }.");
+  throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)("Aptos wallet needs { privateKey } (ed25519-priv-0x\u2026) or { account }.");
 }
 
 // src/drivers/aptos/index.ts
@@ -251,16 +251,16 @@ function makeAptosNetwork(preset, rpcUrl) {
         const info = preset.tokens[token.toUpperCase()];
         if (!info) {
           const known = Object.keys(preset.tokens).join(", ") || "(none built in)";
-          throw new (0, _chunkIQGT65WScjs.UnknownTokenError)(
+          throw new (0, _chunkMDLZJGLYcjs.UnknownTokenError)(
             `token "${token}" isn't built in for Aptos (known: ${known}). Pass { metadata, decimals } for a custom Fungible Asset, or use 'native'.`
           );
         }
         return { asset: info.metadata, decimals: info.decimals, symbol: info.symbol };
       }
-      _chunkIQGT65WScjs.rejectForeignToken.call(void 0, token, "aptos", network);
+      _chunkMDLZJGLYcjs.rejectForeignToken.call(void 0, token, "aptos", network);
       const t = token;
       if (!t.metadata || typeof t.decimals !== "number") {
-        throw new (0, _chunkIQGT65WScjs.WrongFamilyError)(
+        throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)(
           `chain ${network} is Aptos; a custom token must be { metadata, decimals }.`
         );
       }
@@ -287,7 +287,7 @@ function makeAptosNetwork(preset, rpcUrl) {
         valid = false;
       }
       if (!valid || evmLike) {
-        throw new (0, _chunkIQGT65WScjs.WrongFamilyError)(
+        throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)(
           `chain ${network} is Aptos, but payTo "${payTo}" is not a valid Aptos address (0x + 32 bytes).`
         );
       }
@@ -309,11 +309,11 @@ function makeAptosNetwork(preset, rpcUrl) {
         const tx = await aptos.waitForTransaction({ transactionHash: ref });
         return { height: String(_nullishCoalesce(tx.version, () => ( "0"))) };
       } catch (err) {
-        throw new (0, _chunkIQGT65WScjs.ConfirmationTimeoutError)(`Aptos tx ${ref} did not finalize in time.`, { cause: err });
+        throw new (0, _chunkMDLZJGLYcjs.ConfirmationTimeoutError)(`Aptos tx ${ref} did not finalize in time.`, { cause: err });
       }
     },
     async estimateCost() {
-      return _chunkIQGT65WScjs.nativeCost.call(void 0, {
+      return _chunkMDLZJGLYcjs.nativeCost.call(void 0, {
         symbol: APT_SYMBOL,
         decimals: APT_DECIMALS,
         fee: 100000n,

package/dist/{chunk-IQGT65WS.cjs → chunk-MDLZJGLY.cjs}

@@ -1,4 +1,4 @@
-"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; } var _class; var _class2; var _class3; var _class4; var _class5; var _class6; var _class7; var _class8; var _class9; var _class10; var _class11; var _class12; var _class13; var _class14;// src/errors.ts
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; } var _class; var _class2; var _class3; var _class4; var _class5; var _class6; var _class7; var _class8; var _class9; var _class10; var _class11; var _class12; var _class13; var _class14; var _class15;// src/errors.ts
 var PipRailError = class extends Error {
   constructor(message, options) {
     super(message, options);
@@ -50,27 +50,30 @@ var PaymentDeclinedError = (_class6 = class extends PipRailError {constructor(..
 var ConfirmationTimeoutError = (_class7 = class extends PipRailError {constructor(...args5) { super(...args5); _class7.prototype.__init7.call(this); }
   __init7() {this.code = "CONFIRMATION_TIMEOUT"}
 }, _class7);
-var InvalidEnvelopeError = (_class8 = class extends PipRailError {constructor(...args6) { super(...args6); _class8.prototype.__init8.call(this); }
-  __init8() {this.code = "INVALID_ENVELOPE"}
+var SettlementError = (_class8 = class extends PipRailError {constructor(...args6) { super(...args6); _class8.prototype.__init8.call(this); }
+  __init8() {this.code = "SETTLEMENT_FAILED"}
 }, _class8);
-var NoCompatibleAcceptError = (_class9 = class extends PipRailError {constructor(...args7) { super(...args7); _class9.prototype.__init9.call(this); }
-  __init9() {this.code = "NO_COMPATIBLE_ACCEPT"}
+var InvalidEnvelopeError = (_class9 = class extends PipRailError {constructor(...args7) { super(...args7); _class9.prototype.__init9.call(this); }
+  __init9() {this.code = "INVALID_ENVELOPE"}
 }, _class9);
-var NonReplayableBodyError = (_class10 = class extends PipRailError {constructor(...args8) { super(...args8); _class10.prototype.__init10.call(this); }
-  __init10() {this.code = "NON_REPLAYABLE_BODY"}
+var NoCompatibleAcceptError = (_class10 = class extends PipRailError {constructor(...args8) { super(...args8); _class10.prototype.__init10.call(this); }
+  __init10() {this.code = "NO_COMPATIBLE_ACCEPT"}
 }, _class10);
-var WrongFamilyError = (_class11 = class extends PipRailError {constructor(...args9) { super(...args9); _class11.prototype.__init11.call(this); }
-  __init11() {this.code = "WRONG_FAMILY"}
+var NonReplayableBodyError = (_class11 = class extends PipRailError {constructor(...args9) { super(...args9); _class11.prototype.__init11.call(this); }
+  __init11() {this.code = "NON_REPLAYABLE_BODY"}
 }, _class11);
-var UnknownTokenError = (_class12 = class extends PipRailError {constructor(...args10) { super(...args10); _class12.prototype.__init12.call(this); }
-  __init12() {this.code = "UNKNOWN_TOKEN"}
+var WrongFamilyError = (_class12 = class extends PipRailError {constructor(...args10) { super(...args10); _class12.prototype.__init12.call(this); }
+  __init12() {this.code = "WRONG_FAMILY"}
 }, _class12);
-var MissingDriverError = (_class13 = class extends PipRailError {constructor(...args11) { super(...args11); _class13.prototype.__init13.call(this); }
-  __init13() {this.code = "MISSING_DRIVER"}
+var UnknownTokenError = (_class13 = class extends PipRailError {constructor(...args11) { super(...args11); _class13.prototype.__init13.call(this); }
+  __init13() {this.code = "UNKNOWN_TOKEN"}
 }, _class13);
-var UnsupportedNetworkError = (_class14 = class extends PipRailError {constructor(...args12) { super(...args12); _class14.prototype.__init14.call(this); }
-  __init14() {this.code = "UNSUPPORTED_NETWORK"}
+var MissingDriverError = (_class14 = class extends PipRailError {constructor(...args12) { super(...args12); _class14.prototype.__init14.call(this); }
+  __init14() {this.code = "MISSING_DRIVER"}
 }, _class14);
+var UnsupportedNetworkError = (_class15 = class extends PipRailError {constructor(...args13) { super(...args13); _class15.prototype.__init15.call(this); }
+  __init15() {this.code = "UNSUPPORTED_NETWORK"}
+}, _class15);
 
 // src/drivers/shared.ts
 var FAMILY_LABEL = {
@@ -174,4 +177,5 @@ function nativeCost(opts) {
 
 
 
-exports.PipRailError = PipRailError; exports.InsufficientFundsError = InsufficientFundsError; exports.RecipientNotReadyError = RecipientNotReadyError; exports.toInsufficientFundsError = toInsufficientFundsError; exports.WrongChainError = WrongChainError; exports.PaymentTimeoutError = PaymentTimeoutError; exports.MaxRetriesExceededError = MaxRetriesExceededError; exports.PaymentDeclinedError = PaymentDeclinedError; exports.ConfirmationTimeoutError = ConfirmationTimeoutError; exports.InvalidEnvelopeError = InvalidEnvelopeError; exports.NoCompatibleAcceptError = NoCompatibleAcceptError; exports.NonReplayableBodyError = NonReplayableBodyError; exports.WrongFamilyError = WrongFamilyError; exports.UnknownTokenError = UnknownTokenError; exports.MissingDriverError = MissingDriverError; exports.UnsupportedNetworkError = UnsupportedNetworkError; exports.rejectForeignToken = rejectForeignToken; exports.parseUnits = parseUnits; exports.floorUnits = floorUnits; exports.formatUnits = formatUnits; exports.nativeCost = nativeCost;
+
+exports.PipRailError = PipRailError; exports.InsufficientFundsError = InsufficientFundsError; exports.RecipientNotReadyError = RecipientNotReadyError; exports.toInsufficientFundsError = toInsufficientFundsError; exports.WrongChainError = WrongChainError; exports.PaymentTimeoutError = PaymentTimeoutError; exports.MaxRetriesExceededError = MaxRetriesExceededError; exports.PaymentDeclinedError = PaymentDeclinedError; exports.ConfirmationTimeoutError = ConfirmationTimeoutError; exports.SettlementError = SettlementError; exports.InvalidEnvelopeError = InvalidEnvelopeError; exports.NoCompatibleAcceptError = NoCompatibleAcceptError; exports.NonReplayableBodyError = NonReplayableBodyError; exports.WrongFamilyError = WrongFamilyError; exports.UnknownTokenError = UnknownTokenError; exports.MissingDriverError = MissingDriverError; exports.UnsupportedNetworkError = UnsupportedNetworkError; exports.rejectForeignToken = rejectForeignToken; exports.parseUnits = parseUnits; exports.floorUnits = floorUnits; exports.formatUnits = formatUnits; exports.nativeCost = nativeCost;

package/dist/{chunk-QDS6FBZP.js → chunk-SVMGHASK.js}

@@ -50,6 +50,9 @@ var PaymentDeclinedError = class extends PipRailError {
 var ConfirmationTimeoutError = class extends PipRailError {
   code = "CONFIRMATION_TIMEOUT";
 };
+var SettlementError = class extends PipRailError {
+  code = "SETTLEMENT_FAILED";
+};
 var InvalidEnvelopeError = class extends PipRailError {
   code = "INVALID_ENVELOPE";
 };
@@ -162,6 +165,7 @@ export {
   MaxRetriesExceededError,
   PaymentDeclinedError,
   ConfirmationTimeoutError,
+  SettlementError,
   InvalidEnvelopeError,
   NoCompatibleAcceptError,
   NonReplayableBodyError,