@piprail/sdk 1.8.0 → 1.10.0

package/dist/index.js

@@ -10,6 +10,7 @@ import {
   PaymentTimeoutError,
   PipRailError,
   RecipientNotReadyError,
+  SettlementError,
   UnknownTokenError,
   UnsupportedNetworkError,
   WrongChainError,
@@ -20,7 +21,7 @@ import {
   parseUnits,
   rejectForeignToken,
   toInsufficientFundsError
-} from "./chunk-QDS6FBZP.js";
+} from "./chunk-SVMGHASK.js";
 
 // src/drivers/registry.ts
 var byFamily = /* @__PURE__ */ new Map();
@@ -63,7 +64,7 @@ function resolveNetwork(opts) {
 }
 
 // src/drivers/evm/index.ts
-import { BaseError, createPublicClient, erc20Abi as erc20Abi3, getAddress as getAddress2, http as http2, isAddress } from "viem";
+import { BaseError, createPublicClient, erc20Abi as erc20Abi3, getAddress as getAddress3, http as http2, isAddress } from "viem";
 
 // src/drivers/evm/chains.ts
 import { defineChain } from "viem";
@@ -75,6 +76,7 @@ import {
   celo,
   hyperEvm,
   injective,
+  kaia,
   linea,
   mainnet,
   mantle,
@@ -236,6 +238,17 @@ var CHAINS = {
     tokens: {
       USDC: { address: "0x754704Bc059F8C67012fEd69BC8A327a5aafb603", decimals: 6, symbol: "USDC" }
     }
+  },
+  // Kaia (ex-Klaytn, chainId 8217) — Tether-native USD₮ verified on-chain 2026-06-08
+  // (0xd077…4fDb: symbol "USD₮", name "Tether USD", 6 dp, no bridge markers). Circle issues
+  // NO native USDC on Kaia (absent from Circle's list), so USDC is intentionally omitted —
+  // pay native KAIA or USD₮ (or pass a custom { address, decimals }). Asia's stablecoin-
+  // settlement chain, born from Kakao + LINE.
+  kaia: {
+    chain: kaia,
+    tokens: {
+      USDT: { address: "0xd077A400968890Eacc75cdc901F0356c943e4fDb", decimals: 6, symbol: "USDT" }
+    }
   }
 };
 function isViemChain(input) {
@@ -471,20 +484,367 @@ function sumTransfersTo(logs, asset, payTo) {
   return { total, from };
 }
 
+// src/drivers/evm/exact.ts
+import {
+  getAddress as getAddress2,
+  parseSignature,
+  recoverTypedDataAddress
+} from "viem";
+var EXACT_NETWORK_SLUGS = {
+  ethereum: 1,
+  base: 8453,
+  "base-sepolia": 84532,
+  arbitrum: 42161,
+  optimism: 10,
+  polygon: 137,
+  avalanche: 43114
+};
+function chainIdForExactNetwork(slug) {
+  return EXACT_NETWORK_SLUGS[slug] ?? null;
+}
+var EIP3009_TYPES = {
+  TransferWithAuthorization: [
+    { name: "from", type: "address" },
+    { name: "to", type: "address" },
+    { name: "value", type: "uint256" },
+    { name: "validAfter", type: "uint256" },
+    { name: "validBefore", type: "uint256" },
+    { name: "nonce", type: "bytes32" }
+  ]
+};
+function parseExactRequirements(body) {
+  if (!body || typeof body !== "object") return null;
+  const accepts = body.accepts;
+  if (!Array.isArray(accepts)) return null;
+  const out = [];
+  for (const raw of accepts) {
+    if (!raw || typeof raw !== "object") continue;
+    const a = raw;
+    if (a.scheme !== "exact") continue;
+    const amount = a.maxAmountRequired ?? a.amount;
+    if (typeof a.network !== "string" || typeof amount !== "string" || typeof a.asset !== "string" || typeof a.payTo !== "string") {
+      continue;
+    }
+    out.push({
+      scheme: "exact",
+      network: a.network,
+      maxAmountRequired: amount,
+      asset: a.asset,
+      payTo: a.payTo,
+      maxTimeoutSeconds: typeof a.maxTimeoutSeconds === "number" ? a.maxTimeoutSeconds : 600,
+      ...a.extra && typeof a.extra === "object" ? { extra: a.extra } : {},
+      ...typeof a.description === "string" ? { description: a.description } : {},
+      ...typeof a.resource === "string" ? { resource: a.resource } : {}
+    });
+  }
+  return out;
+}
+async function buildExactAuthorization(params) {
+  const { account, accept, chainId, now, nonce } = params;
+  if (!account.signTypedData) {
+    throw new Error("buildExactAuthorization: the account cannot sign EIP-712 typed data.");
+  }
+  const authorization = {
+    from: account.address,
+    to: accept.payTo,
+    value: accept.maxAmountRequired,
+    validAfter: "0",
+    validBefore: String(now + accept.maxTimeoutSeconds),
+    nonce
+  };
+  const signature = await account.signTypedData({
+    domain: {
+      name: accept.extra?.name ?? "USD Coin",
+      version: accept.extra?.version ?? "2",
+      chainId,
+      verifyingContract: accept.asset
+    },
+    types: EIP3009_TYPES,
+    primaryType: "TransferWithAuthorization",
+    message: {
+      from: authorization.from,
+      to: authorization.to,
+      value: BigInt(authorization.value),
+      validAfter: BigInt(authorization.validAfter),
+      validBefore: BigInt(authorization.validBefore),
+      nonce: authorization.nonce
+    }
+  });
+  return { authorization, signature };
+}
+function base64(str) {
+  if (typeof Buffer !== "undefined") return Buffer.from(str, "utf8").toString("base64");
+  if (typeof btoa === "function" && typeof TextEncoder !== "undefined") {
+    const bytes = new TextEncoder().encode(str);
+    let binary = "";
+    for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+    return btoa(binary);
+  }
+  throw new Error("No base64 encoder available in this runtime.");
+}
+function encodeXPaymentHeader(input) {
+  const payload = {
+    x402Version: input.x402Version ?? 1,
+    scheme: "exact",
+    network: input.network,
+    payload: { signature: input.signature, authorization: input.authorization }
+  };
+  return base64(JSON.stringify(payload));
+}
+var eip3009Abi = [
+  {
+    type: "function",
+    name: "transferWithAuthorization",
+    stateMutability: "nonpayable",
+    outputs: [],
+    inputs: [
+      { name: "from", type: "address" },
+      { name: "to", type: "address" },
+      { name: "value", type: "uint256" },
+      { name: "validAfter", type: "uint256" },
+      { name: "validBefore", type: "uint256" },
+      { name: "nonce", type: "bytes32" },
+      { name: "v", type: "uint8" },
+      { name: "r", type: "bytes32" },
+      { name: "s", type: "bytes32" }
+    ]
+  },
+  {
+    type: "function",
+    name: "transferWithAuthorization",
+    stateMutability: "nonpayable",
+    outputs: [],
+    inputs: [
+      { name: "from", type: "address" },
+      { name: "to", type: "address" },
+      { name: "value", type: "uint256" },
+      { name: "validAfter", type: "uint256" },
+      { name: "validBefore", type: "uint256" },
+      { name: "nonce", type: "bytes32" },
+      { name: "signature", type: "bytes" }
+    ]
+  },
+  {
+    type: "function",
+    name: "authorizationState",
+    stateMutability: "view",
+    inputs: [
+      { name: "authorizer", type: "address" },
+      { name: "nonce", type: "bytes32" }
+    ],
+    outputs: [{ type: "bool" }]
+  },
+  { type: "function", name: "name", stateMutability: "view", inputs: [], outputs: [{ type: "string" }] },
+  { type: "function", name: "version", stateMutability: "view", inputs: [], outputs: [{ type: "string" }] }
+];
+var ZERO_ADDR = "0x0000000000000000000000000000000000000000";
+var ZERO_NONCE = `0x${"00".repeat(32)}`;
+async function readExactDomain(publicClient, asset) {
+  if (asset === "native") return null;
+  let token;
+  try {
+    token = getAddress2(asset);
+  } catch {
+    return null;
+  }
+  try {
+    const [name, version] = await Promise.all([
+      publicClient.readContract({ address: token, abi: eip3009Abi, functionName: "name" }),
+      publicClient.readContract({ address: token, abi: eip3009Abi, functionName: "version" }),
+      // The EIP-3009 probe: this view exists only on EIP-3009 tokens; it reverts on
+      // a plain ERC-20 / USDT, marking the token as not exact-payable.
+      publicClient.readContract({
+        address: token,
+        abi: eip3009Abi,
+        functionName: "authorizationState",
+        args: [ZERO_ADDR, ZERO_NONCE]
+      })
+    ]);
+    if (typeof name !== "string" || typeof version !== "string" || !name || !version) return null;
+    return { name, version };
+  } catch {
+    return null;
+  }
+}
+function shorten(msg) {
+  const oneLine = msg.replace(/\s+/g, " ").trim();
+  return oneLine.length > 200 ? `${oneLine.slice(0, 200)}\u2026` : oneLine;
+}
+async function verifyAndSettleExactEvm(input) {
+  const { publicClient, walletClient, account, chain, payload, accept } = input;
+  const token = getAddress2(accept.asset);
+  const payTo = getAddress2(accept.payTo);
+  const requiredAmount = BigInt(accept.amount);
+  let from;
+  let to;
+  let value;
+  let validAfter;
+  let validBefore;
+  let nonce;
+  try {
+    from = getAddress2(payload.authorization.from);
+    to = getAddress2(payload.authorization.to);
+    value = BigInt(payload.authorization.value);
+    validAfter = BigInt(payload.authorization.validAfter);
+    validBefore = BigInt(payload.authorization.validBefore);
+    nonce = payload.authorization.nonce;
+    if (!/^0x[0-9a-fA-F]{64}$/.test(nonce)) throw new Error("nonce must be 32-byte hex");
+    if (!/^0x[0-9a-fA-F]+$/.test(payload.signature)) throw new Error("signature must be hex");
+  } catch (err) {
+    return {
+      ok: false,
+      error: "signature_invalid",
+      detail: `Malformed exact authorization: ${err instanceof Error ? err.message : String(err)}.`
+    };
+  }
+  if (to !== payTo) {
+    return { ok: false, error: "wrong_recipient", detail: `Authorization pays ${to}, not ${payTo}.` };
+  }
+  if (value < requiredAmount) {
+    return { ok: false, error: "amount_too_low", detail: `Authorized ${value}, required ${requiredAmount}.` };
+  }
+  const now = BigInt(Math.floor(Date.now() / 1e3));
+  if (validBefore <= now) {
+    return { ok: false, error: "payment_expired", detail: `Authorization expired: validBefore ${validBefore} <= now ${now}.` };
+  }
+  let fromCode;
+  try {
+    fromCode = await publicClient.getCode({ address: from });
+  } catch {
+    return { ok: false, error: "tx_not_found", detail: `Could not read code at ${from} (transient RPC) \u2014 retry.` };
+  }
+  const isContractWallet = Boolean(fromCode && fromCode !== "0x");
+  if (!isContractWallet) {
+    let recovered;
+    try {
+      recovered = await recoverTypedDataAddress({
+        domain: {
+          name: accept.extra.name,
+          version: accept.extra.version,
+          chainId: chain.id,
+          verifyingContract: token
+        },
+        types: EIP3009_TYPES,
+        primaryType: "TransferWithAuthorization",
+        message: { from, to, value, validAfter, validBefore, nonce },
+        signature: payload.signature
+      });
+    } catch (err) {
+      return { ok: false, error: "signature_invalid", detail: `Not a valid EIP-712 signature: ${shorten(err instanceof Error ? err.message : String(err))}.` };
+    }
+    if (recovered !== from) {
+      return { ok: false, error: "signature_invalid", detail: `Signature recovered to ${recovered}, not the authorizer ${from}.` };
+    }
+  }
+  try {
+    const used = await publicClient.readContract({
+      address: token,
+      abi: eip3009Abi,
+      functionName: "authorizationState",
+      args: [from, nonce]
+    });
+    if (used) {
+      return { ok: false, error: "tx_already_used", detail: `Authorization nonce ${nonce} already used or canceled on-chain.` };
+    }
+  } catch {
+    return { ok: false, error: "tx_not_found", detail: "Could not read authorizationState (transient RPC) \u2014 retry." };
+  }
+  const baseArgs = [from, to, value, validAfter, validBefore, nonce];
+  const isEcdsa = !isContractWallet && payload.signature.length - 2 === 130;
+  let writeArgs;
+  if (isEcdsa) {
+    const { r, s, yParity } = parseSignature(payload.signature);
+    writeArgs = [...baseArgs, BigInt(yParity + 27), r, s];
+  } else {
+    writeArgs = [...baseArgs, payload.signature];
+  }
+  try {
+    await publicClient.simulateContract({
+      account,
+      address: token,
+      abi: eip3009Abi,
+      functionName: "transferWithAuthorization",
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      args: writeArgs
+    });
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (/used or canceled/i.test(msg)) return { ok: false, error: "tx_already_used", detail: "Authorization is used or canceled." };
+    if (/expired|not yet valid/i.test(msg)) return { ok: false, error: "payment_expired", detail: shorten(msg) };
+    if (/invalid signature/i.test(msg)) return { ok: false, error: "signature_invalid", detail: shorten(msg) };
+    return { ok: false, error: "tx_reverted", detail: `transferWithAuthorization would revert: ${shorten(msg)}` };
+  }
+  let txHash;
+  try {
+    txHash = await walletClient.writeContract({
+      account,
+      chain,
+      address: token,
+      abi: eip3009Abi,
+      functionName: "transferWithAuthorization",
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      args: writeArgs
+    });
+  } catch (err) {
+    throw new SettlementError(
+      `exact settle: the merchant relayer failed to broadcast transferWithAuthorization (${shorten(err instanceof Error ? err.message : String(err))}). The payer's authorization is still valid and unused \u2014 fund/fix the relayer and the payer can retry.`,
+      { cause: err }
+    );
+  }
+  try {
+    const confirmations = accept.extra.minConfirmations ?? 1;
+    const receipt = await publicClient.waitForTransactionReceipt({ hash: txHash, confirmations });
+    if (receipt.status !== "success") {
+      return { ok: false, error: "tx_reverted", detail: `Settlement tx ${txHash} reverted on-chain.` };
+    }
+  } catch (err) {
+    throw new SettlementError(
+      `exact settle: broadcast ${txHash} but couldn't confirm it (${shorten(err instanceof Error ? err.message : String(err))}).`,
+      { cause: err }
+    );
+  }
+  return {
+    ok: true,
+    receipt: {
+      scheme: "exact",
+      success: true,
+      network: accept.network,
+      transaction: txHash,
+      asset: accept.asset,
+      amount: accept.amount,
+      payer: from,
+      payTo: accept.payTo,
+      verifiedAt: (/* @__PURE__ */ new Date()).toISOString()
+    }
+  };
+}
+
 // src/x402.ts
 var HEADER_REQUIRED = "payment-required";
 var HEADER_SIGNATURE = "payment-signature";
 var HEADER_RESPONSE = "payment-response";
-function decodeBase64(b64) {
-  if (typeof atob === "function") return atob(b64);
-  if (typeof Buffer !== "undefined") return Buffer.from(b64, "base64").toString("utf8");
-  throw new Error("No base64 decoder available in this runtime.");
-}
+var HEADER_SIGNATURE_V1 = "x-payment";
+var HEADER_RESPONSE_V1 = "x-payment-response";
 function encodeBase64(str) {
-  if (typeof btoa === "function") return btoa(str);
   if (typeof Buffer !== "undefined") return Buffer.from(str, "utf8").toString("base64");
+  if (typeof btoa === "function" && typeof TextEncoder !== "undefined") {
+    const bytes = new TextEncoder().encode(str);
+    let binary = "";
+    for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+    return btoa(binary);
+  }
   throw new Error("No base64 encoder available in this runtime.");
 }
+function decodeBase64(b64) {
+  if (typeof Buffer !== "undefined") return Buffer.from(b64, "base64").toString("utf8");
+  if (typeof atob === "function" && typeof TextDecoder !== "undefined") {
+    const binary = atob(b64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+    return new TextDecoder().decode(bytes);
+  }
+  throw new Error("No base64 decoder available in this runtime.");
+}
 function fromBase64Json(b64) {
   try {
     return JSON.parse(decodeBase64(b64));
@@ -545,6 +905,36 @@ function parseSignatureHeader(value) {
   }
   return parsed;
 }
+function parseExactPaymentHeader(value) {
+  const parsed = fromBase64Json(value);
+  if (!parsed || typeof parsed !== "object") return null;
+  const v = parsed;
+  const accepted = v.accepted ?? null;
+  const scheme = accepted?.scheme ?? v.scheme;
+  if (scheme !== "exact") return null;
+  const network = accepted?.network ?? v.network;
+  if (typeof network !== "string") return null;
+  const payload = v.payload;
+  if (!payload || typeof payload !== "object") return null;
+  const signature = payload.signature;
+  const authorization = payload.authorization;
+  if (typeof signature !== "string" || !authorization || typeof authorization !== "object") return null;
+  for (const k of ["from", "to", "value", "validAfter", "validBefore", "nonce"]) {
+    if (typeof authorization[k] !== "string") return null;
+  }
+  const x402Version = typeof v.x402Version === "number" ? v.x402Version : 2;
+  const asset = accepted && typeof accepted.asset === "string" ? accepted.asset : void 0;
+  return {
+    x402Version,
+    network,
+    ...asset ? { asset } : {},
+    payload: {
+      signature,
+      authorization
+    },
+    raw: v
+  };
+}
 function isValidChallenge(value) {
   if (!value || typeof value !== "object") return false;
   const v = value;
@@ -556,7 +946,7 @@ function isValidChallenge(value) {
 function isValidReceipt(value) {
   if (!value || typeof value !== "object") return false;
   const v = value;
-  if (v.scheme !== "onchain-proof") return false;
+  if (v.scheme !== "onchain-proof" && v.scheme !== "exact") return false;
   if (typeof v.transaction !== "string" && typeof v.txHash !== "string") return false;
   if (typeof v.payer !== "string") return false;
   return true;
@@ -634,12 +1024,12 @@ function makeEvmNetwork(resolved) {
       }
       let normalized;
       try {
-        normalized = getAddress2(asset);
+        normalized = getAddress3(asset);
       } catch {
         return null;
       }
       for (const info of Object.values(resolved.tokens)) {
-        if (getAddress2(info.address) === normalized) {
+        if (getAddress3(info.address) === normalized) {
           return { symbol: info.symbol, decimals: info.decimals };
         }
       }
@@ -723,7 +1113,7 @@ function makeEvmNetwork(resolved) {
       let token = null;
       try {
         token = await publicClient.readContract({
-          address: getAddress2(asset),
+          address: getAddress3(asset),
           abi: erc20Abi3,
           functionName: "balanceOf",
           args: [owner]
@@ -755,6 +1145,21 @@ function makeEvmNetwork(resolved) {
         accept,
         minConfirmations: accept.extra.minConfirmations
       });
+    },
+    // Standard x402 `exact` rail (EIP-3009), seller side — EVM only.
+    async exactDomain(asset) {
+      return readExactDomain(publicClient, asset);
+    },
+    async settleExactSelf({ relayer, payload, accept }) {
+      const a = relayer._native;
+      return verifyAndSettleExactEvm({
+        publicClient,
+        walletClient: a.walletClient,
+        account: a.account,
+        chain: resolved.chain,
+        payload,
+        accept
+      });
     }
   };
 }
@@ -771,7 +1176,7 @@ var loaders = {
   solana: async () => {
     let mod;
     try {
-      mod = await import("./solana-7WJVZGDW.js");
+      mod = await import("./solana-S3UFI3FE.js");
     } catch (cause) {
       throw new MissingDriverError(
         `Solana selected, but its packages aren't installed. Run: npm install @solana/web3.js @solana/spl-token bs58`,
@@ -783,7 +1188,7 @@ var loaders = {
   ton: async () => {
     let mod;
     try {
-      mod = await import("./ton-DGZB7W4U.js");
+      mod = await import("./ton-WPTXGLVK.js");
     } catch (cause) {
       throw new MissingDriverError(
         `TON selected, but its packages aren't installed. Run: npm install @ton/ton @ton/core @ton/crypto`,
@@ -795,7 +1200,7 @@ var loaders = {
   stellar: async () => {
     let mod;
     try {
-      mod = await import("./stellar-HV6VGZX3.js");
+      mod = await import("./stellar-Q5PO23SC.js");
     } catch (cause) {
       throw new MissingDriverError(
         `Stellar selected, but its package isn't installed. Run: npm install @stellar/stellar-sdk`,
@@ -807,7 +1212,7 @@ var loaders = {
   xrpl: async () => {
     let mod;
     try {
-      mod = await import("./xrpl-UEC2GYVV.js");
+      mod = await import("./xrpl-HEAPEXAM.js");
     } catch (cause) {
       throw new MissingDriverError(
         `XRPL selected, but its package isn't installed. Run: npm install xrpl`,
@@ -819,7 +1224,7 @@ var loaders = {
   tron: async () => {
     let mod;
     try {
-      mod = await import("./tron-RLIL2FDI.js");
+      mod = await import("./tron-6GXBXTR4.js");
     } catch (cause) {
       throw new MissingDriverError(
         `Tron selected, but its package isn't installed. Run: npm install tronweb`,
@@ -831,7 +1236,7 @@ var loaders = {
   sui: async () => {
     let mod;
     try {
-      mod = await import("./sui-2WFWVFJX.js");
+      mod = await import("./sui-WOXRKJXS.js");
     } catch (cause) {
       throw new MissingDriverError(
         `Sui selected, but its package isn't installed. Run: npm install @mysten/sui`,
@@ -843,7 +1248,7 @@ var loaders = {
   near: async () => {
     let mod;
     try {
-      mod = await import("./near-7MBBCDUE.js");
+      mod = await import("./near-K6BDBABG.js");
     } catch (cause) {
       throw new MissingDriverError(
         `NEAR selected, but its package isn't installed. Run: npm install near-api-js`,
@@ -855,7 +1260,7 @@ var loaders = {
   aptos: async () => {
     let mod;
     try {
-      mod = await import("./aptos-YQWTGFRZ.js");
+      mod = await import("./aptos-LPBLSEIQ.js");
     } catch (cause) {
       throw new MissingDriverError(
         `Aptos selected, but its package isn't installed. Run: npm install @aptos-labs/ts-sdk`,
@@ -867,7 +1272,7 @@ var loaders = {
   algorand: async () => {
     let mod;
     try {
-      mod = await import("./algorand-B67G4335.js");
+      mod = await import("./algorand-WGVF4KTU.js");
     } catch (cause) {
       throw new MissingDriverError(
         `Algorand selected, but its package isn't installed. Run: npm install algosdk`,
@@ -1651,7 +2056,10 @@ var PipRailClient = class {
     const chosen = priced.find((p) => p.quote.withinPolicy) ?? priced[0];
     return { net, wallet, accept: chosen.accept, challenge, quote: chosen.quote };
   }
-  /** The candidate accepts this client could pay: our scheme, on the bound network. */
+  /** The candidate accepts this client could pay: our scheme, on the bound network.
+   *  A dual-advertised challenge may also carry standard `exact` rails — the PipRail
+   *  client ignores those (it pays the backendless `onchain-proof` rail); the type
+   *  predicate narrows the `X402AnyAccept` union to the rails we settle. */
   gatherCandidates(net, challenge) {
     return challenge.accepts.filter(
       (a) => a.scheme === "onchain-proof" && net.supports(a.network)
@@ -2014,6 +2422,14 @@ function isReplayableBodyInit(value) {
 async function readInvalidReason(response) {
   try {
     const body = await response.clone().json();
+    const ext = body?.extensions;
+    const piprail = ext?.piprail;
+    if (piprail && typeof piprail.code === "string") {
+      return {
+        error: piprail.code,
+        detail: typeof piprail.detail === "string" ? piprail.detail : ""
+      };
+    }
     if (body && (body.status === "invalid" || typeof body.error === "string")) {
       return {
         error: typeof body.error === "string" ? body.error : "no error code",
@@ -2245,6 +2661,100 @@ function paymentTools(client) {
   ];
 }
 
+// src/facilitator.ts
+function safeStringify(value) {
+  return JSON.stringify(value, (_k, v) => typeof v === "bigint" ? v.toString() : v);
+}
+function mapReason(reason) {
+  const r = (reason ?? "").toLowerCase();
+  if (r.includes("signature")) return "signature_invalid";
+  if (r.includes("recipient")) return "wrong_recipient";
+  if (r.includes("value") || r.includes("amount")) return "amount_too_low";
+  if (r.includes("valid_before") || r.includes("valid_after") || r.includes("expired")) return "payment_expired";
+  if (r.includes("used") || r.includes("replay") || r.includes("nonce") || r.includes("transaction_state")) {
+    return "tx_already_used";
+  }
+  return "tx_reverted";
+}
+async function post(url, body, headers) {
+  const res = await fetch(url, {
+    method: "POST",
+    headers: { "content-type": "application/json", ...headers },
+    body: safeStringify(body)
+  });
+  let json = null;
+  try {
+    json = await res.json();
+  } catch {
+  }
+  return { status: res.status, json };
+}
+async function settleViaFacilitator(input) {
+  const base2 = input.url.replace(/\/+$/, "");
+  const body = {
+    x402Version: input.x402Version,
+    paymentPayload: input.paymentPayload,
+    paymentRequirements: input.paymentRequirements
+  };
+  const auth = input.authHeaders ? await input.authHeaders() : {};
+  let verify;
+  try {
+    verify = await post(`${base2}/verify`, body, auth);
+  } catch (err) {
+    throw new SettlementError(
+      `exact settle (facilitator ${base2}): /verify request failed (${err instanceof Error ? err.message : String(err)}).`,
+      { cause: err }
+    );
+  }
+  if (verify.status !== 200) {
+    throw new SettlementError(
+      `exact settle (facilitator ${base2}): /verify returned HTTP ${verify.status} (transport/auth error).`
+    );
+  }
+  const vr = verify.json ?? {};
+  if (vr.isValid === false) {
+    return {
+      ok: false,
+      error: mapReason(vr.invalidReason),
+      detail: `Facilitator rejected the payment: ${vr.invalidReason ?? "invalid"}${vr.invalidMessage ? ` \u2014 ${vr.invalidMessage}` : ""}.`
+    };
+  }
+  let settle;
+  try {
+    settle = await post(`${base2}/settle`, body, auth);
+  } catch (err) {
+    throw new SettlementError(
+      `exact settle (facilitator ${base2}): /settle request failed (${err instanceof Error ? err.message : String(err)}).`,
+      { cause: err }
+    );
+  }
+  if (settle.status !== 200) {
+    throw new SettlementError(
+      `exact settle (facilitator ${base2}): /settle returned HTTP ${settle.status} (transport/auth error).`
+    );
+  }
+  const sr = settle.json ?? {};
+  if (!sr.success) {
+    return {
+      ok: false,
+      error: mapReason(sr.errorReason),
+      detail: `Facilitator settlement failed: ${sr.errorReason ?? "unknown"}${sr.errorMessage ? ` \u2014 ${sr.errorMessage}` : ""}.`
+    };
+  }
+  const receipt = {
+    scheme: "exact",
+    success: true,
+    network: input.receipt.network,
+    transaction: sr.transaction,
+    asset: input.receipt.asset,
+    amount: input.receipt.amount,
+    payer: sr.payer ?? input.payerHint ?? "",
+    payTo: input.receipt.payTo,
+    verifiedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  return { ok: true, receipt };
+}
+
 // src/server.ts
 function toInvalidBody(result) {
   return { x402Version: 2, status: "invalid", error: result.error, detail: result.detail };
@@ -2271,9 +2781,10 @@ function createPaymentGate(options) {
   const genNonce = options.generateNonce ?? (() => globalThis.crypto.randomUUID());
   let resolved;
   function ready() {
-    return resolved ??= (async () => {
+    if (resolved) return resolved;
+    const p = (async () => {
       const accepts = normaliseAccepts(options);
-      return Promise.all(
+      const specs = await Promise.all(
         accepts.map(async (a) => {
           const net = await resolveNetwork2({ chain: a.chain, rpcUrl: a.rpcUrl ?? options.rpcUrl });
           const payTo = a.payTo ?? options.payTo;
@@ -2285,10 +2796,52 @@ function createPaymentGate(options) {
           net.assertValidPayTo(payTo);
           const { asset, decimals, symbol } = net.resolveToken(a.token);
           const amountBase = parseUnits(a.amount, decimals);
-          return { net, asset, decimals, symbol, amountBase, amountFormatted: a.amount, payTo };
+          const spec = { net, asset, decimals, symbol, amountBase, amountFormatted: a.amount, payTo };
+          if (options.exact) spec.exact = await resolveExactRail(net, asset);
+          return spec;
         })
       );
+      if (options.exact && !specs.some((s) => s.exact)) {
+        throw new Error(
+          "requirePayment: `exact` was requested but none of the offered rails support it. The standard `exact` rail is EVM + EIP-3009 only (USDC / EURC) \u2014 not native coins, not USDT, not non-EVM chains. Offer an EVM EIP-3009 token, or drop `exact`."
+        );
+      }
+      return specs;
     })();
+    p.catch(() => {
+      if (resolved === p) resolved = void 0;
+    });
+    resolved = p;
+    return p;
+  }
+  async function resolveExactRail(net, asset) {
+    const cfg = options.exact;
+    if (net.family !== "evm" || asset === "native" || !net.exactDomain || !net.settleExactSelf) {
+      return void 0;
+    }
+    const domain = await net.exactDomain(asset);
+    if (!domain) {
+      throw new Error(
+        `requirePayment: \`exact\` requested for asset ${asset} on ${net.network}, but it isn't an EIP-3009 token (couldn't read name()/version()/authorizationState). The exact rail supports USDC / EURC and other EIP-3009 tokens \u2014 USDT and native coins need onchain-proof. (Or check your rpcUrl is reachable.)`
+      );
+    }
+    if (cfg.settle === "self") {
+      if (cfg.relayer === void 0) {
+        throw new Error(
+          "requirePayment: exact `settle: 'self'` needs a `relayer` wallet (the gas-paying key that broadcasts transferWithAuthorization), e.g. exact: { settle: 'self', relayer: { privateKey } }."
+        );
+      }
+      const relayer = net.bindWallet(cfg.relayer);
+      return { domain, mode: { kind: "self", relayer } };
+    }
+    return {
+      domain,
+      mode: {
+        kind: "facilitator",
+        url: cfg.settle.facilitator,
+        ...cfg.settle.authHeaders ? { authHeaders: cfg.settle.authHeaders } : {}
+      }
+    };
   }
   const hasCustomStore = Boolean(options.isUsed || options.markUsed);
   const localUsed = /* @__PURE__ */ new Set();
@@ -2325,93 +2878,191 @@ function createPaymentGate(options) {
       }
     };
   }
-  async function challenge(resourceUrl = "") {
+  function buildExactAccept(s) {
+    const d = s.exact.domain;
+    return {
+      scheme: "exact",
+      network: s.net.network,
+      amount: s.amountBase.toString(),
+      asset: s.asset,
+      payTo: s.payTo,
+      maxTimeoutSeconds,
+      extra: {
+        assetTransferMethod: "eip3009",
+        name: d.name,
+        version: d.version,
+        minConfirmations,
+        decimals: s.decimals,
+        amountFormatted: s.amountFormatted,
+        ...s.symbol ? { symbol: s.symbol } : {}
+      }
+    };
+  }
+  function buildAccepts(specs, nonce) {
+    const out = [];
+    for (const s of specs) {
+      if (s.exact) out.push(buildExactAccept(s));
+      out.push(buildAccept(s, nonce));
+    }
+    return out;
+  }
+  async function makeChallenge(resourceUrl, opts) {
     const specs = await ready();
     const nonce = genNonce();
     const challenge2 = {
       x402Version: 2,
-      error: null,
       resource: {
         url: resourceUrl,
         ...options.description ? { description: options.description } : {}
       },
-      accepts: specs.map((s) => buildAccept(s, nonce))
+      accepts: buildAccepts(specs, nonce),
+      ...opts?.error ? { error: opts.error } : {},
+      ...opts?.extensions ? { extensions: opts.extensions } : {}
     };
     return { challenge: challenge2, requiredHeader: buildChallengeHeader(challenge2) };
   }
+  async function challenge(resourceUrl = "") {
+    return makeChallenge(resourceUrl);
+  }
   async function asChallenge() {
-    const { challenge: c, requiredHeader } = await challenge();
+    const { challenge: c, requiredHeader } = await makeChallenge("");
     return { kind: "challenge", challenge: c, requiredHeader, statusCode: 402 };
   }
+  async function rejection(code, detail) {
+    const { challenge: c, requiredHeader } = await makeChallenge("", {
+      error: `${code}: ${detail}`,
+      extensions: { piprail: { code, detail } }
+    });
+    return { kind: "invalid", error: code, detail, challenge: c, requiredHeader, statusCode: 402 };
+  }
+  function fireOnPaid(receipt) {
+    if (options.onPaid) {
+      try {
+        options.onPaid(receipt);
+      } catch {
+      }
+    }
+  }
   async function describe(resourceUrl = "") {
     const specs = await ready();
-    const accepts = specs.map((s) => ({
-      scheme: "onchain-proof",
-      network: s.net.network,
-      asset: s.asset,
-      payTo: s.payTo,
-      amount: s.amountBase.toString(),
-      amountFormatted: s.amountFormatted,
-      decimals: s.decimals,
-      maxTimeoutSeconds,
-      ...s.symbol ? { symbol: s.symbol } : {}
-    }));
+    const accepts = [];
+    for (const s of specs) {
+      const base2 = {
+        network: s.net.network,
+        asset: s.asset,
+        payTo: s.payTo,
+        amount: s.amountBase.toString(),
+        amountFormatted: s.amountFormatted,
+        decimals: s.decimals,
+        maxTimeoutSeconds,
+        ...s.symbol ? { symbol: s.symbol } : {}
+      };
+      if (s.exact) accepts.push({ scheme: "exact", ...base2 });
+      accepts.push({ scheme: "onchain-proof", ...base2 });
+    }
     return {
       url: resourceUrl,
       ...options.description ? { description: options.description } : {},
       accepts
     };
   }
-  async function verify(paymentSignature) {
-    const raw = normaliseHeader(paymentSignature);
-    if (!raw) return asChallenge();
-    const sig = parseSignatureHeader(raw);
-    if (!sig || !sig.accepted || typeof sig.accepted.network !== "string" || typeof sig.accepted.asset !== "string") {
-      return asChallenge();
-    }
+  async function verifyOnchainProof(sig) {
     const specs = await ready();
     const spec = specs.find(
       (s) => s.net.network === sig.accepted.network && s.asset === sig.accepted.asset
     );
     if (!spec) {
-      return {
-        kind: "invalid",
-        error: "transfer_not_found",
-        detail: `Proof claims ${sig.accepted.asset} on ${sig.accepted.network}, which this resource doesn't accept (offered: ${specs.map((s) => `${s.asset}@${s.net.network}`).join(", ")}).`,
-        statusCode: 402
-      };
+      return rejection(
+        "transfer_not_found",
+        `Proof claims ${sig.accepted.asset} on ${sig.accepted.network}, which this resource doesn't accept (offered: ${specs.map((s) => `${s.asset}@${s.net.network}`).join(", ")}).`
+      );
     }
     const ref = sig.payload.txHash;
-    if (await claimTx(ref)) {
-      return {
-        kind: "invalid",
-        error: "tx_already_used",
-        detail: `Proof ${ref} was already redeemed.`,
-        statusCode: 402
-      };
-    }
+    if (await claimTx(ref)) return rejection("tx_already_used", `Proof ${ref} was already redeemed.`);
     const result = await spec.net.verify(ref, buildAccept(spec, sig.payload.nonce));
     if (!result.ok) {
       await settleTx(ref, false);
-      return {
-        kind: "invalid",
-        error: result.error,
-        detail: result.detail,
-        statusCode: 402
-      };
+      return rejection(result.error, result.detail);
     }
     await settleTx(ref, true);
-    if (options.onPaid) {
-      try {
-        options.onPaid(result.receipt);
-      } catch {
+    fireOnPaid(result.receipt);
+    return { kind: "paid", receipt: result.receipt, receiptHeader: buildReceiptHeader(result.receipt) };
+  }
+  async function verifyExact(exact) {
+    const specs = await ready();
+    const exactSpecs = specs.filter((s) => s.exact);
+    if (exactSpecs.length === 0) {
+      return rejection("transfer_not_found", "This resource offers no standard `exact` rail.");
+    }
+    const isCaip = exact.network.startsWith("eip155:");
+    let candidates = isCaip ? exactSpecs.filter((s) => s.net.network === exact.network) : exactSpecs;
+    if (exact.asset) {
+      candidates = candidates.filter((s) => s.asset.toLowerCase() === exact.asset.toLowerCase());
+    }
+    let spec = candidates[0];
+    if (!isCaip && !exact.asset && exactSpecs.length > 1) spec = void 0;
+    if (!spec && !isCaip && !exact.asset && exactSpecs.length === 1) spec = exactSpecs[0];
+    if (!spec || !spec.exact) {
+      return rejection(
+        "transfer_not_found",
+        `No \`exact\` rail offered for ${exact.network}${exact.asset ? `/${exact.asset}` : ""} (offered: ${exactSpecs.map((s) => `${s.asset}@${s.net.network}`).join(", ")}).`
+      );
+    }
+    const nonce = exact.payload.authorization.nonce;
+    if (await claimTx(nonce)) {
+      return rejection("tx_already_used", `Authorization nonce ${nonce} was already redeemed.`);
+    }
+    const accept = buildExactAccept(spec);
+    const mode = spec.exact.mode;
+    let result;
+    try {
+      if (mode.kind === "self") {
+        result = await spec.net.settleExactSelf({ relayer: mode.relayer, payload: exact.payload, accept });
+      } else {
+        result = await settleViaFacilitator({
+          url: mode.url,
+          ...mode.authHeaders ? { authHeaders: mode.authHeaders } : {},
+          // PipRail always builds a v2-shaped paymentRequirements (CAIP-2 network + `amount`),
+          // so force x402Version:2 — echoing a v1 client's version here would hand the facilitator
+          // a self-inconsistent request (v1 envelope, v2 requirements). The inner payload is
+          // byte-identical across versions, so forwarding it verbatim is fine.
+          x402Version: 2,
+          paymentPayload: exact.raw,
+          paymentRequirements: {
+            scheme: "exact",
+            network: accept.network,
+            asset: accept.asset,
+            amount: accept.amount,
+            payTo: accept.payTo,
+            maxTimeoutSeconds: accept.maxTimeoutSeconds,
+            extra: { name: accept.extra.name, version: accept.extra.version }
+          },
+          receipt: { network: accept.network, asset: accept.asset, payTo: accept.payTo, amount: accept.amount },
+          payerHint: exact.payload.authorization.from
+        });
       }
+    } catch (err) {
+      await settleTx(nonce, false);
+      throw err;
     }
-    return {
-      kind: "paid",
-      receipt: result.receipt,
-      receiptHeader: buildReceiptHeader(result.receipt)
-    };
+    if (!result.ok) {
+      await settleTx(nonce, false);
+      return rejection(result.error, result.detail);
+    }
+    await settleTx(nonce, true);
+    fireOnPaid(result.receipt);
+    return { kind: "paid", receipt: result.receipt, receiptHeader: buildReceiptHeader(result.receipt) };
+  }
+  async function verify(paymentSignature) {
+    const raw = normaliseHeader(paymentSignature);
+    if (!raw) return asChallenge();
+    const sig = parseSignatureHeader(raw);
+    if (sig && sig.accepted && typeof sig.accepted.network === "string" && typeof sig.accepted.asset === "string") {
+      return verifyOnchainProof(sig);
+    }
+    const exact = parseExactPaymentHeader(raw);
+    if (exact) return verifyExact(exact);
+    return asChallenge();
   }
   return { challenge, verify, describe };
 }
@@ -2420,14 +3071,20 @@ function requirePayment(options) {
   return async (req, res, next) => {
     let result;
     try {
-      result = await gate.verify(req.headers[HEADER_SIGNATURE]);
+      result = await gate.verify(req.headers[HEADER_SIGNATURE] ?? req.headers[HEADER_SIGNATURE_V1]);
     } catch (err) {
+      if (err instanceof SettlementError) {
+        res.status(502);
+        res.json({ x402Version: 2, error: "settlement_failed", detail: err.message });
+        return;
+      }
       next(err);
       return;
     }
     switch (result.kind) {
       case "paid":
         res.setHeader(HEADER_RESPONSE, result.receiptHeader);
+        res.setHeader(HEADER_RESPONSE_V1, result.receiptHeader);
         return next();
       case "challenge":
         res.setHeader(HEADER_REQUIRED, result.requiredHeader);
@@ -2435,8 +3092,9 @@ function requirePayment(options) {
         res.json(result.challenge);
         return;
       case "invalid":
+        res.setHeader(HEADER_REQUIRED, result.requiredHeader);
         res.status(result.statusCode);
-        res.json(toInvalidBody(result));
+        res.json(result.challenge);
         return;
     }
   };
@@ -2446,104 +3104,6 @@ function normaliseHeader(value) {
   return value;
 }
 
-// src/drivers/evm/exact.ts
-var EXACT_NETWORK_SLUGS = {
-  ethereum: 1,
-  base: 8453,
-  "base-sepolia": 84532,
-  arbitrum: 42161,
-  optimism: 10,
-  polygon: 137,
-  avalanche: 43114
-};
-function chainIdForExactNetwork(slug) {
-  return EXACT_NETWORK_SLUGS[slug] ?? null;
-}
-var EIP3009_TYPES = {
-  TransferWithAuthorization: [
-    { name: "from", type: "address" },
-    { name: "to", type: "address" },
-    { name: "value", type: "uint256" },
-    { name: "validAfter", type: "uint256" },
-    { name: "validBefore", type: "uint256" },
-    { name: "nonce", type: "bytes32" }
-  ]
-};
-function parseExactRequirements(body) {
-  if (!body || typeof body !== "object") return null;
-  const accepts = body.accepts;
-  if (!Array.isArray(accepts)) return null;
-  const out = [];
-  for (const raw of accepts) {
-    if (!raw || typeof raw !== "object") continue;
-    const a = raw;
-    if (a.scheme !== "exact") continue;
-    const amount = a.maxAmountRequired ?? a.amount;
-    if (typeof a.network !== "string" || typeof amount !== "string" || typeof a.asset !== "string" || typeof a.payTo !== "string") {
-      continue;
-    }
-    out.push({
-      scheme: "exact",
-      network: a.network,
-      maxAmountRequired: amount,
-      asset: a.asset,
-      payTo: a.payTo,
-      maxTimeoutSeconds: typeof a.maxTimeoutSeconds === "number" ? a.maxTimeoutSeconds : 600,
-      ...a.extra && typeof a.extra === "object" ? { extra: a.extra } : {},
-      ...typeof a.description === "string" ? { description: a.description } : {},
-      ...typeof a.resource === "string" ? { resource: a.resource } : {}
-    });
-  }
-  return out;
-}
-async function buildExactAuthorization(params) {
-  const { account, accept, chainId, now, nonce } = params;
-  if (!account.signTypedData) {
-    throw new Error("buildExactAuthorization: the account cannot sign EIP-712 typed data.");
-  }
-  const authorization = {
-    from: account.address,
-    to: accept.payTo,
-    value: accept.maxAmountRequired,
-    validAfter: "0",
-    validBefore: String(now + accept.maxTimeoutSeconds),
-    nonce
-  };
-  const signature = await account.signTypedData({
-    domain: {
-      name: accept.extra?.name ?? "USD Coin",
-      version: accept.extra?.version ?? "2",
-      chainId,
-      verifyingContract: accept.asset
-    },
-    types: EIP3009_TYPES,
-    primaryType: "TransferWithAuthorization",
-    message: {
-      from: authorization.from,
-      to: authorization.to,
-      value: BigInt(authorization.value),
-      validAfter: BigInt(authorization.validAfter),
-      validBefore: BigInt(authorization.validBefore),
-      nonce: authorization.nonce
-    }
-  });
-  return { authorization, signature };
-}
-function base64(str) {
-  if (typeof btoa === "function") return btoa(str);
-  if (typeof Buffer !== "undefined") return Buffer.from(str, "utf8").toString("base64");
-  throw new Error("No base64 encoder available in this runtime.");
-}
-function encodeXPaymentHeader(input) {
-  const payload = {
-    x402Version: input.x402Version ?? 1,
-    scheme: "exact",
-    network: input.network,
-    payload: { signature: input.signature, authorization: input.authorization }
-  };
-  return base64(JSON.stringify(payload));
-}
-
 // src/discovery.ts
 var GENERATOR = "@piprail/sdk \xB7 https://piprail.com";
 function pathOf(url) {
@@ -2604,6 +3164,11 @@ export {
   EIP3009_TYPES,
   EXACT_NETWORK_SLUGS,
   GENERATOR,
+  HEADER_REQUIRED,
+  HEADER_RESPONSE,
+  HEADER_RESPONSE_V1,
+  HEADER_SIGNATURE,
+  HEADER_SIGNATURE_V1,
   InsufficientFundsError,
   InvalidEnvelopeError,
   MaxRetriesExceededError,
@@ -2615,6 +3180,7 @@ export {
   PipRailClient,
   PipRailError,
   RecipientNotReadyError,
+  SettlementError,
   UnknownTokenError,
   UnsupportedNetworkError,
   WrongChainError,
@@ -2628,22 +3194,26 @@ export {
   buildX402DnsTxt,
   chainIdForExactNetwork,
   createPaymentGate,
+  eip3009Abi,
   encodeXPaymentHeader,
   evaluatePolicy,
   normalizeNetwork,
   parseChallenge,
+  parseExactPaymentHeader,
   parseExactRequirements,
   parseReceipt,
   parseSignatureHeader,
   paymentTools,
   pickAccept,
   planAcross,
+  readExactDomain,
   register402Index,
   registerDriver,
   registerX402Scan,
   requirePayment,
   resolveChain,
   searchOpenIndexes,
+  settleViaFacilitator,
   toInsufficientFundsError,
   toInvalidBody
 };