@piprail/sdk 1.9.0 → 1.11.0

package/dist/index.cjs

@@ -20,7 +20,8 @@
 
 
 
-var _chunkIQGT65WScjs = require('./chunk-IQGT65WS.cjs');
+
+var _chunkMDLZJGLYcjs = require('./chunk-MDLZJGLY.cjs');
 
 // src/drivers/registry.ts
 var byFamily = /* @__PURE__ */ new Map();
@@ -49,13 +50,13 @@ function resolveNetwork(opts) {
   const family = familyForChain(opts.chain);
   const driver = byFamily.get(family);
   if (!driver) {
-    throw new (0, _chunkIQGT65WScjs.UnsupportedNetworkError)(
+    throw new (0, _chunkMDLZJGLYcjs.UnsupportedNetworkError)(
       `No driver registered for the "${family}" family \u2014 it may not be mounted yet (use the async resolveNetwork()).`
     );
   }
   const net = driver.resolve(opts);
   if (!net) {
-    throw new (0, _chunkIQGT65WScjs.UnsupportedNetworkError)(
+    throw new (0, _chunkMDLZJGLYcjs.UnsupportedNetworkError)(
       `The ${family} driver didn't recognise this chain input.`
     );
   }
@@ -311,12 +312,12 @@ function createWalletAdapter(config, resolved) {
   }
   const wc = config.walletClient;
   if (!wc.account) {
-    throw new (0, _chunkIQGT65WScjs.WrongFamilyError)(
+    throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)(
       "chain is EVM; the provided walletClient has no attached account. Use `createWalletClient({ account, chain, transport })`, or pass { privateKey }."
     );
   }
   if (wc.chain && wc.chain.id !== resolved.chainId) {
-    throw new (0, _chunkIQGT65WScjs.WrongChainError)(
+    throw new (0, _chunkMDLZJGLYcjs.WrongChainError)(
       `PipRailClient: walletClient is on chain ${wc.chain.id} but the SDK was configured with chain ${resolved.chainId}. They must match.`
     );
   }
@@ -483,24 +484,371 @@ function sumTransfersTo(logs, asset, payTo) {
   return { total, from };
 }
 
+// src/drivers/evm/exact.ts
+
+
+
+
+
+var EXACT_NETWORK_SLUGS = {
+  ethereum: 1,
+  base: 8453,
+  "base-sepolia": 84532,
+  arbitrum: 42161,
+  optimism: 10,
+  polygon: 137,
+  avalanche: 43114
+};
+function chainIdForExactNetwork(slug) {
+  return _nullishCoalesce(EXACT_NETWORK_SLUGS[slug], () => ( null));
+}
+var EIP3009_TYPES = {
+  TransferWithAuthorization: [
+    { name: "from", type: "address" },
+    { name: "to", type: "address" },
+    { name: "value", type: "uint256" },
+    { name: "validAfter", type: "uint256" },
+    { name: "validBefore", type: "uint256" },
+    { name: "nonce", type: "bytes32" }
+  ]
+};
+function parseExactRequirements(body) {
+  if (!body || typeof body !== "object") return null;
+  const accepts = body.accepts;
+  if (!Array.isArray(accepts)) return null;
+  const out = [];
+  for (const raw of accepts) {
+    if (!raw || typeof raw !== "object") continue;
+    const a = raw;
+    if (a.scheme !== "exact") continue;
+    const amount = _nullishCoalesce(a.maxAmountRequired, () => ( a.amount));
+    if (typeof a.network !== "string" || typeof amount !== "string" || typeof a.asset !== "string" || typeof a.payTo !== "string") {
+      continue;
+    }
+    out.push({
+      scheme: "exact",
+      network: a.network,
+      maxAmountRequired: amount,
+      asset: a.asset,
+      payTo: a.payTo,
+      maxTimeoutSeconds: typeof a.maxTimeoutSeconds === "number" ? a.maxTimeoutSeconds : 600,
+      ...a.extra && typeof a.extra === "object" ? { extra: a.extra } : {},
+      ...typeof a.description === "string" ? { description: a.description } : {},
+      ...typeof a.resource === "string" ? { resource: a.resource } : {}
+    });
+  }
+  return out;
+}
+async function buildExactAuthorization(params) {
+  const { account, accept, chainId, now, nonce } = params;
+  if (!account.signTypedData) {
+    throw new Error("buildExactAuthorization: the account cannot sign EIP-712 typed data.");
+  }
+  const authorization = {
+    from: account.address,
+    to: accept.payTo,
+    value: accept.maxAmountRequired,
+    validAfter: "0",
+    validBefore: String(now + accept.maxTimeoutSeconds),
+    nonce
+  };
+  const signature = await account.signTypedData({
+    domain: {
+      name: _nullishCoalesce(_optionalChain([accept, 'access', _ => _.extra, 'optionalAccess', _2 => _2.name]), () => ( "USD Coin")),
+      version: _nullishCoalesce(_optionalChain([accept, 'access', _3 => _3.extra, 'optionalAccess', _4 => _4.version]), () => ( "2")),
+      chainId,
+      verifyingContract: accept.asset
+    },
+    types: EIP3009_TYPES,
+    primaryType: "TransferWithAuthorization",
+    message: {
+      from: authorization.from,
+      to: authorization.to,
+      value: BigInt(authorization.value),
+      validAfter: BigInt(authorization.validAfter),
+      validBefore: BigInt(authorization.validBefore),
+      nonce: authorization.nonce
+    }
+  });
+  return { authorization, signature };
+}
+function base64(str) {
+  if (typeof Buffer !== "undefined") return Buffer.from(str, "utf8").toString("base64");
+  if (typeof btoa === "function" && typeof TextEncoder !== "undefined") {
+    const bytes = new TextEncoder().encode(str);
+    let binary = "";
+    for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+    return btoa(binary);
+  }
+  throw new Error("No base64 encoder available in this runtime.");
+}
+function encodeXPaymentHeader(input) {
+  const payload = {
+    x402Version: _nullishCoalesce(input.x402Version, () => ( 1)),
+    scheme: "exact",
+    network: input.network,
+    payload: { signature: input.signature, authorization: input.authorization }
+  };
+  return base64(JSON.stringify(payload));
+}
+var eip3009Abi = [
+  {
+    type: "function",
+    name: "transferWithAuthorization",
+    stateMutability: "nonpayable",
+    outputs: [],
+    inputs: [
+      { name: "from", type: "address" },
+      { name: "to", type: "address" },
+      { name: "value", type: "uint256" },
+      { name: "validAfter", type: "uint256" },
+      { name: "validBefore", type: "uint256" },
+      { name: "nonce", type: "bytes32" },
+      { name: "v", type: "uint8" },
+      { name: "r", type: "bytes32" },
+      { name: "s", type: "bytes32" }
+    ]
+  },
+  {
+    type: "function",
+    name: "transferWithAuthorization",
+    stateMutability: "nonpayable",
+    outputs: [],
+    inputs: [
+      { name: "from", type: "address" },
+      { name: "to", type: "address" },
+      { name: "value", type: "uint256" },
+      { name: "validAfter", type: "uint256" },
+      { name: "validBefore", type: "uint256" },
+      { name: "nonce", type: "bytes32" },
+      { name: "signature", type: "bytes" }
+    ]
+  },
+  {
+    type: "function",
+    name: "authorizationState",
+    stateMutability: "view",
+    inputs: [
+      { name: "authorizer", type: "address" },
+      { name: "nonce", type: "bytes32" }
+    ],
+    outputs: [{ type: "bool" }]
+  },
+  { type: "function", name: "name", stateMutability: "view", inputs: [], outputs: [{ type: "string" }] },
+  { type: "function", name: "version", stateMutability: "view", inputs: [], outputs: [{ type: "string" }] }
+];
+var ZERO_ADDR = "0x0000000000000000000000000000000000000000";
+var ZERO_NONCE = `0x${"00".repeat(32)}`;
+async function readExactDomain(publicClient, asset) {
+  if (asset === "native") return null;
+  let token;
+  try {
+    token = _viem.getAddress.call(void 0, asset);
+  } catch (e6) {
+    return null;
+  }
+  try {
+    const [name, version] = await Promise.all([
+      publicClient.readContract({ address: token, abi: eip3009Abi, functionName: "name" }),
+      publicClient.readContract({ address: token, abi: eip3009Abi, functionName: "version" }),
+      // The EIP-3009 probe: this view exists only on EIP-3009 tokens; it reverts on
+      // a plain ERC-20 / USDT, marking the token as not exact-payable.
+      publicClient.readContract({
+        address: token,
+        abi: eip3009Abi,
+        functionName: "authorizationState",
+        args: [ZERO_ADDR, ZERO_NONCE]
+      })
+    ]);
+    if (typeof name !== "string" || typeof version !== "string" || !name || !version) return null;
+    return { name, version };
+  } catch (e7) {
+    return null;
+  }
+}
+function shorten(msg) {
+  const oneLine = msg.replace(/\s+/g, " ").trim();
+  return oneLine.length > 200 ? `${oneLine.slice(0, 200)}\u2026` : oneLine;
+}
+async function verifyAndSettleExactEvm(input) {
+  const { publicClient, walletClient, account, chain, payload, accept } = input;
+  const token = _viem.getAddress.call(void 0, accept.asset);
+  const payTo = _viem.getAddress.call(void 0, accept.payTo);
+  const requiredAmount = BigInt(accept.amount);
+  let from;
+  let to;
+  let value;
+  let validAfter;
+  let validBefore;
+  let nonce;
+  try {
+    from = _viem.getAddress.call(void 0, payload.authorization.from);
+    to = _viem.getAddress.call(void 0, payload.authorization.to);
+    value = BigInt(payload.authorization.value);
+    validAfter = BigInt(payload.authorization.validAfter);
+    validBefore = BigInt(payload.authorization.validBefore);
+    nonce = payload.authorization.nonce;
+    if (!/^0x[0-9a-fA-F]{64}$/.test(nonce)) throw new Error("nonce must be 32-byte hex");
+    if (!/^0x[0-9a-fA-F]+$/.test(payload.signature)) throw new Error("signature must be hex");
+  } catch (err) {
+    return {
+      ok: false,
+      error: "signature_invalid",
+      detail: `Malformed exact authorization: ${err instanceof Error ? err.message : String(err)}.`
+    };
+  }
+  if (to !== payTo) {
+    return { ok: false, error: "wrong_recipient", detail: `Authorization pays ${to}, not ${payTo}.` };
+  }
+  if (value < requiredAmount) {
+    return { ok: false, error: "amount_too_low", detail: `Authorized ${value}, required ${requiredAmount}.` };
+  }
+  const now = BigInt(Math.floor(Date.now() / 1e3));
+  if (validBefore <= now) {
+    return { ok: false, error: "payment_expired", detail: `Authorization expired: validBefore ${validBefore} <= now ${now}.` };
+  }
+  let fromCode;
+  try {
+    fromCode = await publicClient.getCode({ address: from });
+  } catch (e8) {
+    return { ok: false, error: "tx_not_found", detail: `Could not read code at ${from} (transient RPC) \u2014 retry.` };
+  }
+  const isContractWallet = Boolean(fromCode && fromCode !== "0x");
+  if (!isContractWallet) {
+    let recovered;
+    try {
+      recovered = await _viem.recoverTypedDataAddress.call(void 0, {
+        domain: {
+          name: accept.extra.name,
+          version: accept.extra.version,
+          chainId: chain.id,
+          verifyingContract: token
+        },
+        types: EIP3009_TYPES,
+        primaryType: "TransferWithAuthorization",
+        message: { from, to, value, validAfter, validBefore, nonce },
+        signature: payload.signature
+      });
+    } catch (err) {
+      return { ok: false, error: "signature_invalid", detail: `Not a valid EIP-712 signature: ${shorten(err instanceof Error ? err.message : String(err))}.` };
+    }
+    if (recovered !== from) {
+      return { ok: false, error: "signature_invalid", detail: `Signature recovered to ${recovered}, not the authorizer ${from}.` };
+    }
+  }
+  try {
+    const used = await publicClient.readContract({
+      address: token,
+      abi: eip3009Abi,
+      functionName: "authorizationState",
+      args: [from, nonce]
+    });
+    if (used) {
+      return { ok: false, error: "tx_already_used", detail: `Authorization nonce ${nonce} already used or canceled on-chain.` };
+    }
+  } catch (e9) {
+    return { ok: false, error: "tx_not_found", detail: "Could not read authorizationState (transient RPC) \u2014 retry." };
+  }
+  const baseArgs = [from, to, value, validAfter, validBefore, nonce];
+  const isEcdsa = !isContractWallet && payload.signature.length - 2 === 130;
+  let writeArgs;
+  if (isEcdsa) {
+    const { r, s, yParity } = _viem.parseSignature.call(void 0, payload.signature);
+    writeArgs = [...baseArgs, BigInt(yParity + 27), r, s];
+  } else {
+    writeArgs = [...baseArgs, payload.signature];
+  }
+  try {
+    await publicClient.simulateContract({
+      account,
+      address: token,
+      abi: eip3009Abi,
+      functionName: "transferWithAuthorization",
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      args: writeArgs
+    });
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (/used or canceled/i.test(msg)) return { ok: false, error: "tx_already_used", detail: "Authorization is used or canceled." };
+    if (/expired|not yet valid/i.test(msg)) return { ok: false, error: "payment_expired", detail: shorten(msg) };
+    if (/invalid signature/i.test(msg)) return { ok: false, error: "signature_invalid", detail: shorten(msg) };
+    return { ok: false, error: "tx_reverted", detail: `transferWithAuthorization would revert: ${shorten(msg)}` };
+  }
+  let txHash;
+  try {
+    txHash = await walletClient.writeContract({
+      account,
+      chain,
+      address: token,
+      abi: eip3009Abi,
+      functionName: "transferWithAuthorization",
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      args: writeArgs
+    });
+  } catch (err) {
+    throw new (0, _chunkMDLZJGLYcjs.SettlementError)(
+      `exact settle: the merchant relayer failed to broadcast transferWithAuthorization (${shorten(err instanceof Error ? err.message : String(err))}). The payer's authorization is still valid and unused \u2014 fund/fix the relayer and the payer can retry.`,
+      { cause: err }
+    );
+  }
+  try {
+    const confirmations = _nullishCoalesce(accept.extra.minConfirmations, () => ( 1));
+    const receipt = await publicClient.waitForTransactionReceipt({ hash: txHash, confirmations });
+    if (receipt.status !== "success") {
+      return { ok: false, error: "tx_reverted", detail: `Settlement tx ${txHash} reverted on-chain.` };
+    }
+  } catch (err) {
+    throw new (0, _chunkMDLZJGLYcjs.SettlementError)(
+      `exact settle: broadcast ${txHash} but couldn't confirm it (${shorten(err instanceof Error ? err.message : String(err))}).`,
+      { cause: err }
+    );
+  }
+  return {
+    ok: true,
+    receipt: {
+      scheme: "exact",
+      success: true,
+      network: accept.network,
+      transaction: txHash,
+      asset: accept.asset,
+      amount: accept.amount,
+      payer: from,
+      payTo: accept.payTo,
+      verifiedAt: (/* @__PURE__ */ new Date()).toISOString()
+    }
+  };
+}
+
 // src/x402.ts
 var HEADER_REQUIRED = "payment-required";
 var HEADER_SIGNATURE = "payment-signature";
 var HEADER_RESPONSE = "payment-response";
-function decodeBase64(b64) {
-  if (typeof atob === "function") return atob(b64);
-  if (typeof Buffer !== "undefined") return Buffer.from(b64, "base64").toString("utf8");
-  throw new Error("No base64 decoder available in this runtime.");
-}
+var HEADER_SIGNATURE_V1 = "x-payment";
+var HEADER_RESPONSE_V1 = "x-payment-response";
 function encodeBase64(str) {
-  if (typeof btoa === "function") return btoa(str);
   if (typeof Buffer !== "undefined") return Buffer.from(str, "utf8").toString("base64");
+  if (typeof btoa === "function" && typeof TextEncoder !== "undefined") {
+    const bytes = new TextEncoder().encode(str);
+    let binary = "";
+    for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+    return btoa(binary);
+  }
   throw new Error("No base64 encoder available in this runtime.");
 }
+function decodeBase64(b64) {
+  if (typeof Buffer !== "undefined") return Buffer.from(b64, "base64").toString("utf8");
+  if (typeof atob === "function" && typeof TextDecoder !== "undefined") {
+    const binary = atob(b64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+    return new TextDecoder().decode(bytes);
+  }
+  throw new Error("No base64 decoder available in this runtime.");
+}
 function fromBase64Json(b64) {
   try {
     return JSON.parse(decodeBase64(b64));
-  } catch (e6) {
+  } catch (e10) {
     return null;
   }
 }
@@ -534,7 +882,7 @@ async function parseChallenge(response) {
   try {
     const body = await response.clone().json();
     if (isValidChallenge(body)) return body;
-  } catch (e7) {
+  } catch (e11) {
   }
   return null;
 }
@@ -549,7 +897,7 @@ function parseSignatureHeader(value) {
   if (!parsed || typeof parsed !== "object") return null;
   const v = parsed;
   const accepted = v.accepted;
-  const scheme = _nullishCoalesce(_optionalChain([accepted, 'optionalAccess', _ => _.scheme]), () => ( v.scheme));
+  const scheme = _nullishCoalesce(_optionalChain([accepted, 'optionalAccess', _5 => _5.scheme]), () => ( v.scheme));
   if (scheme !== "onchain-proof") return null;
   const payload = v.payload;
   if (!payload || typeof payload.txHash !== "string" || typeof payload.nonce !== "string") {
@@ -557,6 +905,36 @@ function parseSignatureHeader(value) {
   }
   return parsed;
 }
+function parseExactPaymentHeader(value) {
+  const parsed = fromBase64Json(value);
+  if (!parsed || typeof parsed !== "object") return null;
+  const v = parsed;
+  const accepted = _nullishCoalesce(v.accepted, () => ( null));
+  const scheme = _nullishCoalesce(_optionalChain([accepted, 'optionalAccess', _6 => _6.scheme]), () => ( v.scheme));
+  if (scheme !== "exact") return null;
+  const network = _nullishCoalesce(_optionalChain([accepted, 'optionalAccess', _7 => _7.network]), () => ( v.network));
+  if (typeof network !== "string") return null;
+  const payload = v.payload;
+  if (!payload || typeof payload !== "object") return null;
+  const signature = payload.signature;
+  const authorization = payload.authorization;
+  if (typeof signature !== "string" || !authorization || typeof authorization !== "object") return null;
+  for (const k of ["from", "to", "value", "validAfter", "validBefore", "nonce"]) {
+    if (typeof authorization[k] !== "string") return null;
+  }
+  const x402Version = typeof v.x402Version === "number" ? v.x402Version : 2;
+  const asset = accepted && typeof accepted.asset === "string" ? accepted.asset : void 0;
+  return {
+    x402Version,
+    network,
+    ...asset ? { asset } : {},
+    payload: {
+      signature,
+      authorization
+    },
+    raw: v
+  };
+}
 function isValidChallenge(value) {
   if (!value || typeof value !== "object") return false;
   const v = value;
@@ -568,7 +946,7 @@ function isValidChallenge(value) {
 function isValidReceipt(value) {
   if (!value || typeof value !== "object") return false;
   const v = value;
-  if (v.scheme !== "onchain-proof") return false;
+  if (v.scheme !== "onchain-proof" && v.scheme !== "exact") return false;
   if (typeof v.transaction !== "string" && typeof v.txHash !== "string") return false;
   if (typeof v.payer !== "string") return false;
   return true;
@@ -591,7 +969,7 @@ var evmDriver = {
     let resolved;
     try {
       resolved = resolveChain(opts.chain, opts.rpcUrl);
-    } catch (e8) {
+    } catch (e12) {
       return null;
     }
     return makeEvmNetwork(resolved);
@@ -619,15 +997,15 @@ function makeEvmNetwork(resolved) {
         const info = resolved.tokens[token.toUpperCase()];
         if (!info) {
           const known = Object.keys(resolved.tokens).join(", ") || "(none built in)";
-          throw new (0, _chunkIQGT65WScjs.UnknownTokenError)(
+          throw new (0, _chunkMDLZJGLYcjs.UnknownTokenError)(
             `token "${token}" isn't built in for ${resolved.chain.name} (known: ${known}). Pass { address, decimals } instead, or use 'native'.`
           );
         }
         return { asset: info.address, decimals: info.decimals, symbol: info.symbol };
       }
-      _chunkIQGT65WScjs.rejectForeignToken.call(void 0, token, "evm", network);
+      _chunkMDLZJGLYcjs.rejectForeignToken.call(void 0, token, "evm", network);
       if (!("address" in token)) {
-        throw new (0, _chunkIQGT65WScjs.WrongFamilyError)(
+        throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)(
           `chain ${network} is EVM; a custom token must be { address, decimals }.`
         );
       }
@@ -647,7 +1025,7 @@ function makeEvmNetwork(resolved) {
       let normalized;
       try {
         normalized = _viem.getAddress.call(void 0, asset);
-      } catch (e9) {
+      } catch (e13) {
         return null;
       }
       for (const info of Object.values(resolved.tokens)) {
@@ -659,14 +1037,14 @@ function makeEvmNetwork(resolved) {
     },
     assertValidPayTo(payTo) {
       if (!_viem.isAddress.call(void 0, payTo)) {
-        throw new (0, _chunkIQGT65WScjs.WrongFamilyError)(
+        throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)(
           `chain ${network} is EVM, but payTo "${payTo}" is not a valid 0x address.`
         );
       }
     },
     bindWallet(wallet) {
       if (typeof wallet !== "object" || wallet === null || !("privateKey" in wallet) && !("walletClient" in wallet)) {
-        throw new (0, _chunkIQGT65WScjs.WrongFamilyError)(
+        throw new (0, _chunkMDLZJGLYcjs.WrongFamilyError)(
           `chain ${network} is EVM; wallet must be { privateKey } or { walletClient }.`
         );
       }
@@ -683,12 +1061,12 @@ function makeEvmNetwork(resolved) {
         });
       } catch (err) {
         if (isViemInsufficientFunds(err)) {
-          throw new (0, _chunkIQGT65WScjs.InsufficientFundsError)(
+          throw new (0, _chunkMDLZJGLYcjs.InsufficientFundsError)(
             err instanceof Error ? err.message : "Insufficient funds for payment.",
             { cause: err }
           );
         }
-        throw _nullishCoalesce(_chunkIQGT65WScjs.toInsufficientFundsError.call(void 0, err), () => ( err));
+        throw _nullishCoalesce(_chunkMDLZJGLYcjs.toInsufficientFundsError.call(void 0, err), () => ( err));
       }
     },
     async confirm(ref, minConfirmations) {
@@ -699,7 +1077,7 @@ function makeEvmNetwork(resolved) {
         });
         return { height: receipt.blockNumber.toString() };
       } catch (err) {
-        throw new (0, _chunkIQGT65WScjs.ConfirmationTimeoutError)(
+        throw new (0, _chunkMDLZJGLYcjs.ConfirmationTimeoutError)(
           `EVM tx ${ref} did not reach ${minConfirmations} confirmation(s) in time.`,
           { cause: err }
         );
@@ -710,16 +1088,16 @@ function makeEvmNetwork(resolved) {
       const gasLimit = accept.asset === "native" ? 21000n : 65000n;
       try {
         const gasPrice = await publicClient.getGasPrice();
-        return _chunkIQGT65WScjs.nativeCost.call(void 0, {
+        return _chunkMDLZJGLYcjs.nativeCost.call(void 0, {
           symbol,
           decimals,
           fee: gasPrice * gasLimit,
           basis: "estimated",
           detail: `~${gasLimit} gas @ ${gasPrice} wei/gas`
         });
-      } catch (e10) {
+      } catch (e14) {
         const gasPrice = 5000000000n;
-        return _chunkIQGT65WScjs.nativeCost.call(void 0, {
+        return _chunkMDLZJGLYcjs.nativeCost.call(void 0, {
           symbol,
           decimals,
           fee: gasPrice * gasLimit,
@@ -740,7 +1118,7 @@ function makeEvmNetwork(resolved) {
           functionName: "balanceOf",
           args: [owner]
         });
-      } catch (e11) {
+      } catch (e15) {
         token = null;
       }
       return { token, native };
@@ -767,6 +1145,21 @@ function makeEvmNetwork(resolved) {
         accept,
         minConfirmations: accept.extra.minConfirmations
       });
+    },
+    // Standard x402 `exact` rail (EIP-3009), seller side — EVM only.
+    async exactDomain(asset) {
+      return readExactDomain(publicClient, asset);
+    },
+    async settleExactSelf({ relayer, payload, accept }) {
+      const a = relayer._native;
+      return verifyAndSettleExactEvm({
+        publicClient,
+        walletClient: a.walletClient,
+        account: a.account,
+        chain: resolved.chain,
+        payload,
+        accept
+      });
     }
   };
 }
@@ -783,9 +1176,9 @@ var loaders = {
   solana: async () => {
     let mod;
     try {
-      mod = await Promise.resolve().then(() => _interopRequireWildcard(require("./solana-W24TCJV4.cjs")));
+      mod = await Promise.resolve().then(() => _interopRequireWildcard(require("./solana-PU7N2M64.cjs")));
     } catch (cause) {
-      throw new (0, _chunkIQGT65WScjs.MissingDriverError)(
+      throw new (0, _chunkMDLZJGLYcjs.MissingDriverError)(
         `Solana selected, but its packages aren't installed. Run: npm install @solana/web3.js @solana/spl-token bs58`,
         { cause }
       );
@@ -795,9 +1188,9 @@ var loaders = {
   ton: async () => {
     let mod;
     try {
-      mod = await Promise.resolve().then(() => _interopRequireWildcard(require("./ton-FIQGV2LC.cjs")));
+      mod = await Promise.resolve().then(() => _interopRequireWildcard(require("./ton-VK6KRJHP.cjs")));
     } catch (cause) {
-      throw new (0, _chunkIQGT65WScjs.MissingDriverError)(
+      throw new (0, _chunkMDLZJGLYcjs.MissingDriverError)(
         `TON selected, but its packages aren't installed. Run: npm install @ton/ton @ton/core @ton/crypto`,
         { cause }
       );
@@ -807,9 +1200,9 @@ var loaders = {
   stellar: async () => {
     let mod;
     try {
-      mod = await Promise.resolve().then(() => _interopRequireWildcard(require("./stellar-YMY3K2YB.cjs")));
+      mod = await Promise.resolve().then(() => _interopRequireWildcard(require("./stellar-VDQOFQEO.cjs")));
     } catch (cause) {
-      throw new (0, _chunkIQGT65WScjs.MissingDriverError)(
+      throw new (0, _chunkMDLZJGLYcjs.MissingDriverError)(
         `Stellar selected, but its package isn't installed. Run: npm install @stellar/stellar-sdk`,
         { cause }
       );
@@ -819,9 +1212,9 @@ var loaders = {
   xrpl: async () => {
     let mod;
     try {
-      mod = await Promise.resolve().then(() => _interopRequireWildcard(require("./xrpl-2PKP7HOI.cjs")));
+      mod = await Promise.resolve().then(() => _interopRequireWildcard(require("./xrpl-CMNI25BV.cjs")));
     } catch (cause) {
-      throw new (0, _chunkIQGT65WScjs.MissingDriverError)(
+      throw new (0, _chunkMDLZJGLYcjs.MissingDriverError)(
         `XRPL selected, but its package isn't installed. Run: npm install xrpl`,
         { cause }
       );
@@ -831,9 +1224,9 @@ var loaders = {
   tron: async () => {
     let mod;
     try {
-      mod = await Promise.resolve().then(() => _interopRequireWildcard(require("./tron-ZSXAPZ2C.cjs")));
+      mod = await Promise.resolve().then(() => _interopRequireWildcard(require("./tron-WLOF5OUV.cjs")));
     } catch (cause) {
-      throw new (0, _chunkIQGT65WScjs.MissingDriverError)(
+      throw new (0, _chunkMDLZJGLYcjs.MissingDriverError)(
         `Tron selected, but its package isn't installed. Run: npm install tronweb`,
         { cause }
       );
@@ -843,9 +1236,9 @@ var loaders = {
   sui: async () => {
     let mod;
     try {
-      mod = await Promise.resolve().then(() => _interopRequireWildcard(require("./sui-32KVESR5.cjs")));
+      mod = await Promise.resolve().then(() => _interopRequireWildcard(require("./sui-FKSMLKRF.cjs")));
     } catch (cause) {
-      throw new (0, _chunkIQGT65WScjs.MissingDriverError)(
+      throw new (0, _chunkMDLZJGLYcjs.MissingDriverError)(
         `Sui selected, but its package isn't installed. Run: npm install @mysten/sui`,
         { cause }
       );
@@ -855,9 +1248,9 @@ var loaders = {
   near: async () => {
     let mod;
     try {
-      mod = await Promise.resolve().then(() => _interopRequireWildcard(require("./near-GGUHLXAF.cjs")));
+      mod = await Promise.resolve().then(() => _interopRequireWildcard(require("./near-7ZDNISUX.cjs")));
     } catch (cause) {
-      throw new (0, _chunkIQGT65WScjs.MissingDriverError)(
+      throw new (0, _chunkMDLZJGLYcjs.MissingDriverError)(
         `NEAR selected, but its package isn't installed. Run: npm install near-api-js`,
         { cause }
       );
@@ -867,9 +1260,9 @@ var loaders = {
   aptos: async () => {
     let mod;
     try {
-      mod = await Promise.resolve().then(() => _interopRequireWildcard(require("./aptos-X3G2UBYW.cjs")));
+      mod = await Promise.resolve().then(() => _interopRequireWildcard(require("./aptos-YT7SXWPF.cjs")));
     } catch (cause) {
-      throw new (0, _chunkIQGT65WScjs.MissingDriverError)(
+      throw new (0, _chunkMDLZJGLYcjs.MissingDriverError)(
         `Aptos selected, but its package isn't installed. Run: npm install @aptos-labs/ts-sdk`,
         { cause }
       );
@@ -879,9 +1272,9 @@ var loaders = {
   algorand: async () => {
     let mod;
     try {
-      mod = await Promise.resolve().then(() => _interopRequireWildcard(require("./algorand-IJJKE35X.cjs")));
+      mod = await Promise.resolve().then(() => _interopRequireWildcard(require("./algorand-MXUSKX46.cjs")));
     } catch (cause) {
-      throw new (0, _chunkIQGT65WScjs.MissingDriverError)(
+      throw new (0, _chunkMDLZJGLYcjs.MissingDriverError)(
         `Algorand selected, but its package isn't installed. Run: npm install algosdk`,
         { cause }
       );
@@ -912,6 +1305,42 @@ async function resolveNetwork2(opts) {
 }
 
 // src/indexes.ts
+var DIRECTORY_INFO = {
+  "402index": {
+    source: "402index",
+    review: "probe-sync",
+    auth: "none",
+    chains: null,
+    onSuccess: "pending-review",
+    readByDiscover: true,
+    caveat: "402 Index probes your URL on submit, then lists it as PENDING REVIEW \u2014 a self-registered resource is NOT in search until approved. Verify your domain on 402index.io for instant approval; otherwise it appears after manual review, so retry discover() later."
+  },
+  x402scan: {
+    source: "x402scan",
+    review: "probe-sync",
+    auth: "siwx",
+    chains: ["eip155:8453", "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp"],
+    onSuccess: "live",
+    readByDiscover: false,
+    caveat: "x402scan lists Base/Solana only, needs one wallet signature (SIWX), and requires a resolvable input schema (from /openapi.json or the bazaar extension in the 402 body). It goes live on x402scan.com immediately on success \u2014 but discover() does NOT read x402scan, so the listing won't appear in discover() results."
+  },
+  bazaar: {
+    source: "bazaar",
+    review: "settle-coupled",
+    auth: "facilitator-only",
+    chains: null,
+    onSuccess: "not-listable",
+    readByDiscover: true,
+    caveat: "CDP Bazaar has no register endpoint \u2014 it catalogs a resource only when its own facilitator settles a payment. PipRail verifies locally with no facilitator, so a PipRail resource cannot be listed here (you can still READ Bazaar to find others). List on 402 Index or x402scan instead."
+  }
+};
+function getDirectoryInfo(source) {
+  return DIRECTORY_INFO[source];
+}
+function decorateOutcome(o) {
+  const info = DIRECTORY_INFO[o.source];
+  return { ...o, visibility: o.ok ? info.onSuccess : "not-listable", note: info.caveat };
+}
 var BAZAAR_URL = "https://api.cdp.coinbase.com/platform/v2/x402/discovery/resources";
 var INDEX402_SEARCH = "https://402index.io/api/v1/services";
 var INDEX402_REGISTER = "https://402index.io/api/v1/register";
@@ -960,7 +1389,7 @@ async function searchOpenIndexes(opts = {}) {
 async function safeSearch(run) {
   try {
     return await run();
-  } catch (e12) {
+  } catch (e16) {
     return [];
   }
 }
@@ -1064,7 +1493,13 @@ async function register402Index(input) {
       body: JSON.stringify(payload)
     });
     if (res.ok) {
-      return { source: "402index", ok: true, status: res.status, detail: "Listed on 402 Index (searchable at 402index.io)." };
+      const msg = await readIndexMessage(res);
+      return {
+        source: "402index",
+        ok: true,
+        status: res.status,
+        detail: _nullishCoalesce(msg, () => ( "Registered on 402 Index \u2014 pending review (verify your domain on 402index.io for instant approval)."))
+      };
     }
     const why = await readIndexError(res);
     return {
@@ -1077,6 +1512,14 @@ async function register402Index(input) {
     return { source: "402index", ok: false, detail: errMsg(err) };
   }
 }
+async function readIndexMessage(res) {
+  try {
+    const body = await res.json();
+    return typeof body.message === "string" && body.message.length > 0 ? body.message : void 0;
+  } catch (e17) {
+    return void 0;
+  }
+}
 async function readIndexError(res) {
   try {
     const body = await res.json();
@@ -1084,7 +1527,7 @@ async function readIndexError(res) {
       (p) => typeof p === "string" && p.length > 0
     );
     return parts.length ? [...new Set(parts)].join(" \u2014 ") : void 0;
-  } catch (e13) {
+  } catch (e18) {
     return void 0;
   }
 }
@@ -1140,13 +1583,13 @@ async function readSiwxInfo(res) {
   try {
     const body = await res.json();
     const ext = body.extensions;
-    const siwx = _optionalChain([ext, 'optionalAccess', _2 => _2["sign-in-with-x"]]);
-    const info = _nullishCoalesce(_optionalChain([siwx, 'optionalAccess', _3 => _3.info]), () => ( siwx));
+    const siwx = _optionalChain([ext, 'optionalAccess', _8 => _8["sign-in-with-x"]]);
+    const info = _nullishCoalesce(_optionalChain([siwx, 'optionalAccess', _9 => _9.info]), () => ( siwx));
     if (info && typeof info.domain === "string" && info.domain.length > 0 && typeof info.nonce === "string" && info.nonce.length > 0 && typeof info.uri === "string" && info.uri.length > 0) {
       return info;
     }
     return null;
-  } catch (e14) {
+  } catch (e19) {
     return null;
   }
 }
@@ -1194,7 +1637,7 @@ function mapRails(accepts) {
 }
 function matchesQuery(r, query) {
   const q = query.toLowerCase();
-  return r.resource.toLowerCase().includes(q) || (_nullishCoalesce(_optionalChain([r, 'access', _4 => _4.name, 'optionalAccess', _5 => _5.toLowerCase, 'call', _6 => _6(), 'access', _7 => _7.includes, 'call', _8 => _8(q)]), () => ( false))) || (_nullishCoalesce(_optionalChain([r, 'access', _9 => _9.description, 'optionalAccess', _10 => _10.toLowerCase, 'call', _11 => _11(), 'access', _12 => _12.includes, 'call', _13 => _13(q)]), () => ( false)));
+  return r.resource.toLowerCase().includes(q) || (_nullishCoalesce(_optionalChain([r, 'access', _10 => _10.name, 'optionalAccess', _11 => _11.toLowerCase, 'call', _12 => _12(), 'access', _13 => _13.includes, 'call', _14 => _14(q)]), () => ( false))) || (_nullishCoalesce(_optionalChain([r, 'access', _15 => _15.description, 'optionalAccess', _16 => _16.toLowerCase, 'call', _17 => _17(), 'access', _18 => _18.includes, 'call', _19 => _19(q)]), () => ( false)));
 }
 function pickString(o, ...keys) {
   for (const k of keys) {
@@ -1226,7 +1669,7 @@ function firstArray(o, ...keys) {
 function hostOf(url) {
   try {
     return new URL(url).hostname;
-  } catch (e15) {
+  } catch (e20) {
     return url;
   }
 }
@@ -1286,7 +1729,7 @@ function evaluatePolicy(intent, policy, spentForAssetBase) {
     }
   }
   if (policy.maxAmount !== void 0) {
-    const cap = _chunkIQGT65WScjs.floorUnits.call(void 0, policy.maxAmount, intent.decimals);
+    const cap = _chunkMDLZJGLYcjs.floorUnits.call(void 0, policy.maxAmount, intent.decimals);
     if (intent.amountBase > cap) {
       return deny(
         `payment of ${intent.amountBase} base units exceeds policy.maxAmount ` + `(${policy.maxAmount} ${_nullishCoalesce(intent.symbol, () => ( ""))}).`.trimEnd()
@@ -1294,7 +1737,7 @@ function evaluatePolicy(intent, policy, spentForAssetBase) {
     }
   }
   if (policy.maxTotal !== void 0) {
-    const cap = _chunkIQGT65WScjs.floorUnits.call(void 0, policy.maxTotal, intent.decimals);
+    const cap = _chunkMDLZJGLYcjs.floorUnits.call(void 0, policy.maxTotal, intent.decimals);
     if (spentForAssetBase + intent.amountBase > cap) {
       return deny(
         `this payment would push spend on ${_nullishCoalesce(intent.symbol, () => ( intent.asset))} past policy.maxTotal (${policy.maxTotal}); already spent ${spentForAssetBase} base units.`
@@ -1332,7 +1775,7 @@ var SpendLedger = (_class = class {constructor() { _class.prototype.__init.call(
   }
   /** Running total (base units) already spent on this (network, asset). */
   totalFor(network, asset) {
-    return _nullishCoalesce(_optionalChain([this, 'access', _14 => _14.buckets, 'access', _15 => _15.get, 'call', _16 => _16(keyFor(network, asset)), 'optionalAccess', _17 => _17.total]), () => ( 0n));
+    return _nullishCoalesce(_optionalChain([this, 'access', _20 => _20.buckets, 'access', _21 => _21.get, 'call', _22 => _22(keyFor(network, asset)), 'optionalAccess', _23 => _23.total]), () => ( 0n));
   }
   /** An immutable snapshot of all spend so far. */
   summary() {
@@ -1344,7 +1787,7 @@ var SpendLedger = (_class = class {constructor() { _class.prototype.__init.call(
         symbol: b.symbol,
         decimals: b.decimals,
         totalBase: b.total.toString(),
-        totalFormatted: _chunkIQGT65WScjs.formatUnits.call(void 0, b.total, b.decimals),
+        totalFormatted: _chunkMDLZJGLYcjs.formatUnits.call(void 0, b.total, b.decimals),
         count: b.count
       })),
       records: [...this.records]
@@ -1381,7 +1824,7 @@ var PipRailClient = (_class2 = class {
   safeEmit(event) {
     try {
       this.onEvent(event);
-    } catch (e16) {
+    } catch (e21) {
     }
   }
   /** Auto-mount the chain's driver, resolve the network, and bind the wallet — once. */
@@ -1406,7 +1849,7 @@ var PipRailClient = (_class2 = class {
    * as-is) or a plain object (serialised as JSON).
    */
   post(url, body, init) {
-    const headers = new Headers(_optionalChain([init, 'optionalAccess', _18 => _18.headers]));
+    const headers = new Headers(_optionalChain([init, 'optionalAccess', _24 => _24.headers]));
     let payload;
     if (body === void 0 || body === null) {
       payload = void 0;
@@ -1437,7 +1880,7 @@ var PipRailClient = (_class2 = class {
    * "0.05 USDC on Base, within budget → pay it." No funds move.
    */
   async quote(url, init) {
-    const res = await fetch(url, { ..._nullishCoalesce(init, () => ( {})), method: _nullishCoalesce(_optionalChain([init, 'optionalAccess', _19 => _19.method]), () => ( "GET")) });
+    const res = await fetch(url, { ..._nullishCoalesce(init, () => ( {})), method: _nullishCoalesce(_optionalChain([init, 'optionalAccess', _25 => _25.method]), () => ( "GET")) });
     if (res.status !== 402) return null;
     const { quote } = await this.resolveChallenge(url, res);
     return quote;
@@ -1456,7 +1899,7 @@ var PipRailClient = (_class2 = class {
    * on Tron, where a USD₮ transfer can cost real TRX.
    */
   async estimateCost(url, init) {
-    const res = await fetch(url, { ..._nullishCoalesce(init, () => ( {})), method: _nullishCoalesce(_optionalChain([init, 'optionalAccess', _20 => _20.method]), () => ( "GET")) });
+    const res = await fetch(url, { ..._nullishCoalesce(init, () => ( {})), method: _nullishCoalesce(_optionalChain([init, 'optionalAccess', _26 => _26.method]), () => ( "GET")) });
     if (res.status !== 402) return null;
     const { net, accept, quote } = await this.resolveChallenge(url, res);
     const cost = await net.estimateCost(accept);
@@ -1487,11 +1930,11 @@ var PipRailClient = (_class2 = class {
    * the plan yourself. No funds move.
    */
   async planPayment(url, init) {
-    const res = await fetch(url, { ..._nullishCoalesce(init, () => ( {})), method: _nullishCoalesce(_optionalChain([init, 'optionalAccess', _21 => _21.method]), () => ( "GET")) });
+    const res = await fetch(url, { ..._nullishCoalesce(init, () => ( {})), method: _nullishCoalesce(_optionalChain([init, 'optionalAccess', _27 => _27.method]), () => ( "GET")) });
     if (res.status !== 402) return null;
     const challenge = await parseChallenge(res);
     if (!challenge) {
-      throw new (0, _chunkIQGT65WScjs.InvalidEnvelopeError)("402 response did not include a parseable x402 challenge.");
+      throw new (0, _chunkMDLZJGLYcjs.InvalidEnvelopeError)("402 response did not include a parseable x402 challenge.");
     }
     const { net, wallet } = await this.ensure();
     return this.planFromChallenge(net, wallet, challenge, url);
@@ -1515,9 +1958,15 @@ var PipRailClient = (_class2 = class {
    *
    * Nothing PipRail-hosted: these are third-party open directories. Never throws
    * for a read problem — an index that's down or changed simply contributes
-   * nothing. Honest caveat: index results are cross-scheme (mostly the
-   * mainstream `exact` scheme); `fetch()` pays only `onchain-proof` rails
-   * directly (pay `exact` resources with the experimental `drivers/evm/exact.ts`).
+   * nothing. Honest caveats (see {@link DIRECTORY_INFO}):
+   * - Reads **`bazaar` + `402index`** only — **NOT `x402scan`** (its reads are paid). A
+   *   resource you registered on x402scan is live there but will NOT appear here; don't
+   *   read that absence as failure. (Passing `sources:['x402scan']` explicitly yields `[]`.)
+   * - A resource just listed via {@link register} may not appear yet — 402 Index reviews
+   *   before publishing, so retry with a brief backoff if a fresh listing is missing.
+   * - Results are cross-scheme (mostly the mainstream `exact` scheme); `fetch()` pays
+   *   only `onchain-proof` rails directly (pay `exact` resources with the experimental
+   *   `drivers/evm/exact.ts`).
    */
   async discover(opts = {}) {
     const found = await searchOpenIndexes({
@@ -1542,12 +1991,27 @@ var PipRailClient = (_class2 = class {
   }
   /**
    * List a resource you run on the OPEN x402 registries, so agents can find it.
-   * Default target is **402 Index** — one POST, no auth, no signature, no payment
-   * (searchable within seconds). Add `'x402scan'` to also register via SIWX (one
-   * wallet signature; EVM + a Base/Solana rail). Returns one {@link RegisterOutcome}
-   * per target — a target the chain can't satisfy comes back `{ ok:false, detail }`,
-   * never a throw. An explicit, developer-invoked action; it moves no funds, and
-   * nothing is PipRail-hosted — you're listing on third-party open directories.
+   * Default target is **402 Index** — one POST, no auth, no signature, no payment.
+   * Add `'x402scan'` to also register via SIWX (one wallet signature; EVM + a
+   * Base/Solana rail). Returns one {@link RegisterOutcome} per target — a target the
+   * chain can't satisfy comes back `{ ok:false, detail }`, never a throw. An explicit,
+   * developer-invoked action; it moves no funds, and nothing is PipRail-hosted —
+   * you're listing on third-party open directories.
+   *
+   * **Listing is asynchronous — each outcome carries a `visibility` + `note` so an
+   * agent knows when/where the resource is findable (don't assume `ok:true` means
+   * "searchable now"):**
+   * - **402 Index** → `visibility:'pending-review'`. It probes your URL on submit, then lists it
+   *   PENDING REVIEW — not searchable until approved (verify your domain on 402index.io for instant
+   *   approval), so `discover()` returns nothing for a fresh listing until then. Retry later.
+   * - **x402scan** → `visibility:'live'`, but **`discover()` does NOT read x402scan** — the
+   *   listing is real on x402scan.com yet won't show up in `discover()`. Base/Solana only;
+   *   needs a resolvable input schema (`/openapi.json` or the `extensions.bazaar` block).
+   * - **Bazaar** → `visibility:'not-listable'` for PipRail (it lists only what its facilitator
+   *   settles; PipRail uses none). You can still READ Bazaar via {@link discover} to find others.
+   *
+   * The per-source facts live in {@link DIRECTORY_INFO} (importable) if you'd rather branch
+   * on them before calling.
    */
   async register(url, opts = {}) {
     const targets = _nullishCoalesce(opts.targets, () => ( ["402index"]));
@@ -1586,7 +2050,7 @@ var PipRailClient = (_class2 = class {
         });
       }
     }
-    return outcomes;
+    return outcomes.map(decorateOutcome);
   }
   /**
    * The discovery signer for the bound wallet (its address + a message signer),
@@ -1607,9 +2071,9 @@ var PipRailClient = (_class2 = class {
    * streams throw `NonReplayableBodyError`.
    */
   async fetch(url, init) {
-    const body = _optionalChain([init, 'optionalAccess', _22 => _22.body]);
+    const body = _optionalChain([init, 'optionalAccess', _28 => _28.body]);
     if (body !== void 0 && body !== null && !isReplayableBodyInit(body)) {
-      throw new (0, _chunkIQGT65WScjs.NonReplayableBodyError)(
+      throw new (0, _chunkMDLZJGLYcjs.NonReplayableBodyError)(
         "fetch(): init.body is not replayable. Pass a string, FormData, URLSearchParams, ArrayBuffer, or Blob \u2014 not a ReadableStream."
       );
     }
@@ -1619,11 +2083,11 @@ var PipRailClient = (_class2 = class {
     const { net, wallet, challenge } = resolved;
     let accept = resolved.accept;
     let quote = resolved.quote;
-    const autoRoute = _nullishCoalesce(_nullishCoalesce(_optionalChain([init, 'optionalAccess', _23 => _23.autoRoute]), () => ( this.opts.autoRoute)), () => ( false));
+    const autoRoute = _nullishCoalesce(_nullishCoalesce(_optionalChain([init, 'optionalAccess', _29 => _29.autoRoute]), () => ( this.opts.autoRoute)), () => ( false));
     if (autoRoute) {
       const plan = await this.planFromChallenge(net, wallet, challenge, url);
       if (!plan.best) {
-        throw new (0, _chunkIQGT65WScjs.PaymentDeclinedError)(_nullishCoalesce(plan.fundingHint, () => ( "No rail is settleable for this payment.")));
+        throw new (0, _chunkMDLZJGLYcjs.PaymentDeclinedError)(_nullishCoalesce(plan.fundingHint, () => ( "No rail is settleable for this payment.")));
       }
       accept = plan.best.accept;
       quote = plan.best.quote;
@@ -1644,7 +2108,7 @@ var PipRailClient = (_class2 = class {
   async resolveChallenge(url, response) {
     const challenge = await parseChallenge(response);
     if (!challenge) {
-      throw new (0, _chunkIQGT65WScjs.InvalidEnvelopeError)(
+      throw new (0, _chunkMDLZJGLYcjs.InvalidEnvelopeError)(
         "402 response did not include a parseable x402 challenge."
       );
     }
@@ -1652,7 +2116,7 @@ var PipRailClient = (_class2 = class {
     const candidates = this.gatherCandidates(net, challenge);
     if (candidates.length === 0) {
       const networks = challenge.accepts.map((a) => a.network).join(", ");
-      throw new (0, _chunkIQGT65WScjs.NoCompatibleAcceptError)(
+      throw new (0, _chunkMDLZJGLYcjs.NoCompatibleAcceptError)(
         `No accepts[] entry for ${net.network} (challenge offered: ${networks || "none"}).`
       );
     }
@@ -1663,7 +2127,10 @@ var PipRailClient = (_class2 = class {
     const chosen = _nullishCoalesce(priced.find((p) => p.quote.withinPolicy), () => ( priced[0]));
     return { net, wallet, accept: chosen.accept, challenge, quote: chosen.quote };
   }
-  /** The candidate accepts this client could pay: our scheme, on the bound network. */
+  /** The candidate accepts this client could pay: our scheme, on the bound network.
+   *  A dual-advertised challenge may also carry standard `exact` rails — the PipRail
+   *  client ignores those (it pays the backendless `onchain-proof` rail); the type
+   *  predicate narrows the `X402AnyAccept` union to the rails we settle. */
   gatherCandidates(net, challenge) {
     return challenge.accepts.filter(
       (a) => a.scheme === "onchain-proof" && net.supports(a.network)
@@ -1726,16 +2193,16 @@ var PipRailClient = (_class2 = class {
     if (isNative) {
       if (nativeKnown && bal.native < amount + fee) {
         blockers.push("INSUFFICIENT_TOKEN");
-        shortfall.token = _chunkIQGT65WScjs.formatUnits.call(void 0, amount + fee - bal.native, quote.decimals);
+        shortfall.token = _chunkMDLZJGLYcjs.formatUnits.call(void 0, amount + fee - bal.native, quote.decimals);
       }
     } else {
       if (tokenKnown && bal.token < amount) {
         blockers.push("INSUFFICIENT_TOKEN");
-        shortfall.token = _chunkIQGT65WScjs.formatUnits.call(void 0, amount - bal.token, quote.decimals);
+        shortfall.token = _chunkMDLZJGLYcjs.formatUnits.call(void 0, amount - bal.token, quote.decimals);
       }
       if (nativeKnown && bal.native < fee) {
         blockers.push("INSUFFICIENT_GAS");
-        shortfall.native = _chunkIQGT65WScjs.formatUnits.call(void 0, fee - bal.native, cost.feeDecimals);
+        shortfall.native = _chunkMDLZJGLYcjs.formatUnits.call(void 0, fee - bal.native, cost.feeDecimals);
       } else if (nativeKnown && fee > 0n && bal.native < fee * 3n / 2n) {
         warnings.push("THIN_GAS_MARGIN");
       }
@@ -1760,8 +2227,8 @@ var PipRailClient = (_class2 = class {
       blockers,
       warnings,
       balance: {
-        token: bal.token != null ? _chunkIQGT65WScjs.formatUnits.call(void 0, bal.token, quote.decimals) : null,
-        native: bal.native != null ? _chunkIQGT65WScjs.formatUnits.call(void 0, bal.native, cost.feeDecimals) : null
+        token: bal.token != null ? _chunkMDLZJGLYcjs.formatUnits.call(void 0, bal.token, quote.decimals) : null,
+        native: bal.native != null ? _chunkMDLZJGLYcjs.formatUnits.call(void 0, bal.native, cost.feeDecimals) : null
       },
       need: { token: quote.amountFormatted, native: cost.feeFormatted },
       ...shortfall.token || shortfall.native ? { shortfall } : {},
@@ -1772,15 +2239,15 @@ var PipRailClient = (_class2 = class {
    *  driver's describeAsset) + the policy verdict + a symbol-mismatch flag. */
   buildQuote(net, accept, url, description) {
     if (!/^\d+$/.test(accept.amount)) {
-      throw new (0, _chunkIQGT65WScjs.InvalidEnvelopeError)(
+      throw new (0, _chunkMDLZJGLYcjs.InvalidEnvelopeError)(
         `challenge amount "${accept.amount}" is not a base-unit integer.`
       );
     }
     const amountBase = BigInt(accept.amount);
     const described = net.describeAsset(accept.asset);
-    const decimals = _nullishCoalesce(_optionalChain([described, 'optionalAccess', _24 => _24.decimals]), () => ( accept.extra.decimals));
-    const symbol = _nullishCoalesce(_optionalChain([described, 'optionalAccess', _25 => _25.symbol]), () => ( accept.extra.symbol));
-    const amountFormatted = _chunkIQGT65WScjs.formatUnits.call(void 0, amountBase, decimals);
+    const decimals = _nullishCoalesce(_optionalChain([described, 'optionalAccess', _30 => _30.decimals]), () => ( accept.extra.decimals));
+    const symbol = _nullishCoalesce(_optionalChain([described, 'optionalAccess', _31 => _31.symbol]), () => ( accept.extra.symbol));
+    const amountFormatted = _chunkMDLZJGLYcjs.formatUnits.call(void 0, amountBase, decimals);
     const intent = {
       host: hostOf2(url),
       chain: this.opts.chain,
@@ -1820,7 +2287,7 @@ var PipRailClient = (_class2 = class {
    *  throwing PaymentDeclinedError, before any funds move. */
   async authorize(quote) {
     if (!quote.withinPolicy) {
-      throw new (0, _chunkIQGT65WScjs.PaymentDeclinedError)(
+      throw new (0, _chunkMDLZJGLYcjs.PaymentDeclinedError)(
         `Payment refused by policy: ${_nullishCoalesce(quote.policyReason, () => ( "not allowed"))}`
       );
     }
@@ -1830,12 +2297,12 @@ var PipRailClient = (_class2 = class {
     try {
       approved = await hook(quote);
     } catch (err) {
-      throw new (0, _chunkIQGT65WScjs.PaymentDeclinedError)("onBeforePay threw \u2014 refusing to pay.", {
+      throw new (0, _chunkMDLZJGLYcjs.PaymentDeclinedError)("onBeforePay threw \u2014 refusing to pay.", {
         cause: err
       });
     }
     if (!approved) {
-      throw new (0, _chunkIQGT65WScjs.PaymentDeclinedError)(
+      throw new (0, _chunkMDLZJGLYcjs.PaymentDeclinedError)(
         `onBeforePay declined ${quote.amountFormatted} ${_nullishCoalesce(quote.symbol, () => ( ""))}`.trimEnd() + ` on ${quote.network}.`
       );
     }
@@ -1859,7 +2326,7 @@ var PipRailClient = (_class2 = class {
   }
   async payAndConfirm(net, wallet, accept) {
     if (!net.supports(accept.network)) {
-      throw new (0, _chunkIQGT65WScjs.WrongChainError)(
+      throw new (0, _chunkMDLZJGLYcjs.WrongChainError)(
         `Challenge expects ${accept.network} but client is on ${net.network}.`
       );
     }
@@ -1888,7 +2355,7 @@ var PipRailClient = (_class2 = class {
       accepted: accept,
       payload: { nonce: accept.extra.nonce, txHash: ref }
     };
-    const headers = new Headers(_optionalChain([originalInit, 'optionalAccess', _26 => _26.headers]));
+    const headers = new Headers(_optionalChain([originalInit, 'optionalAccess', _32 => _32.headers]));
     headers.set(HEADER_SIGNATURE, buildSignatureHeader(signature));
     let lastResponse = null;
     let lastReason = null;
@@ -1903,7 +2370,7 @@ var PipRailClient = (_class2 = class {
         () => timeoutController.abort(),
         this.retryTimeoutMs
       );
-      const signal = _optionalChain([originalInit, 'optionalAccess', _27 => _27.signal]) && typeof AbortSignal.any === "function" ? AbortSignal.any([timeoutController.signal, originalInit.signal]) : timeoutController.signal;
+      const signal = _optionalChain([originalInit, 'optionalAccess', _33 => _33.signal]) && typeof AbortSignal.any === "function" ? AbortSignal.any([timeoutController.signal, originalInit.signal]) : timeoutController.signal;
       try {
         lastResponse = await fetch(url, {
           ..._nullishCoalesce(originalInit, () => ( {})),
@@ -1912,7 +2379,7 @@ var PipRailClient = (_class2 = class {
         });
       } catch (err) {
         if (timeoutController.signal.aborted) {
-          throw new (0, _chunkIQGT65WScjs.PaymentTimeoutError)(
+          throw new (0, _chunkMDLZJGLYcjs.PaymentTimeoutError)(
             `Server did not respond within ${this.retryTimeoutMs}ms after broadcasting payment ${ref}. Re-verify or re-submit ref=${ref} \u2014 do NOT re-pay.`,
             { cause: err, ref }
           );
@@ -1934,7 +2401,7 @@ var PipRailClient = (_class2 = class {
       kind: "payment-failed",
       reason: `server returned 402 after broadcasting payment ${ref}${unconfirmedNote} (${why})`
     });
-    throw new (0, _chunkIQGT65WScjs.MaxRetriesExceededError)(
+    throw new (0, _chunkMDLZJGLYcjs.MaxRetriesExceededError)(
       `Server still returned 402 after ${attempts} attempt(s) with on-chain proof ref=${ref}${unconfirmedNote}. Last server rejection: ${why}. Re-verify or re-submit ref=${ref} before retrying \u2014 never re-pay (it would double-spend).`,
       { ref }
     );
@@ -1943,7 +2410,7 @@ var PipRailClient = (_class2 = class {
 function safeBig(s) {
   try {
     return BigInt(s);
-  } catch (e17) {
+  } catch (e22) {
     return 0n;
   }
 }
@@ -1976,10 +2443,10 @@ function buildFundingHint(options, chainLabel) {
     return `Couldn't fully read your wallet on ${chainLabel} (RPC throttled) \u2014 retry; you may already be able to pay ${target.quote.amountFormatted} ${sym}.`;
   }
   const parts = [];
-  if (target.blockers.includes("INSUFFICIENT_TOKEN") && _optionalChain([target, 'access', _28 => _28.shortfall, 'optionalAccess', _29 => _29.token])) {
+  if (target.blockers.includes("INSUFFICIENT_TOKEN") && _optionalChain([target, 'access', _34 => _34.shortfall, 'optionalAccess', _35 => _35.token])) {
     parts.push(`top up ${target.shortfall.token} ${sym}`);
   }
-  if (target.blockers.includes("INSUFFICIENT_GAS") && _optionalChain([target, 'access', _30 => _30.shortfall, 'optionalAccess', _31 => _31.native])) {
+  if (target.blockers.includes("INSUFFICIENT_GAS") && _optionalChain([target, 'access', _36 => _36.shortfall, 'optionalAccess', _37 => _37.native])) {
     parts.push(`add ~${target.shortfall.native} ${target.cost.feeSymbol} for gas`);
   }
   return parts.length ? `Can't settle on ${chainLabel}: ${parts.join(" and ")} (to pay ${target.quote.amountFormatted} ${sym}).` : `Can't settle on ${chainLabel} for ${target.quote.amountFormatted} ${sym}.`;
@@ -1993,7 +2460,7 @@ async function planAcross(clients, url, init) {
   const status = best ? "ready" : options.some((o) => o.state === "unknown") ? "unknown" : "blocked";
   return {
     url,
-    network: _nullishCoalesce(_optionalChain([best, 'optionalAccess', _32 => _32.accept, 'access', _33 => _33.network]), () => ( live[0].network)),
+    network: _nullishCoalesce(_optionalChain([best, 'optionalAccess', _38 => _38.accept, 'access', _39 => _39.network]), () => ( live[0].network)),
     status,
     payable: best !== null,
     best,
@@ -2009,7 +2476,7 @@ function railOnNetwork(rail, matches) {
 function hostOf2(url) {
   try {
     return new URL(url).hostname;
-  } catch (e18) {
+  } catch (e23) {
     return url;
   }
 }
@@ -2026,13 +2493,21 @@ function isReplayableBodyInit(value) {
 async function readInvalidReason(response) {
   try {
     const body = await response.clone().json();
+    const ext = _optionalChain([body, 'optionalAccess', _40 => _40.extensions]);
+    const piprail = _optionalChain([ext, 'optionalAccess', _41 => _41.piprail]);
+    if (piprail && typeof piprail.code === "string") {
+      return {
+        error: piprail.code,
+        detail: typeof piprail.detail === "string" ? piprail.detail : ""
+      };
+    }
     if (body && (body.status === "invalid" || typeof body.error === "string")) {
       return {
         error: typeof body.error === "string" ? body.error : "no error code",
         detail: typeof body.detail === "string" ? body.detail : ""
       };
     }
-  } catch (e19) {
+  } catch (e24) {
   }
   return null;
 }
@@ -2043,7 +2518,7 @@ async function readBody(res) {
   if (!text) return null;
   try {
     return JSON.parse(text);
-  } catch (e20) {
+  } catch (e25) {
     return text;
   }
 }
@@ -2214,7 +2689,7 @@ function paymentTools(client) {
             receipt: parseReceipt(res)
           };
         } catch (err) {
-          if (err instanceof _chunkIQGT65WScjs.PaymentDeclinedError) {
+          if (err instanceof _chunkMDLZJGLYcjs.PaymentDeclinedError) {
             return { declined: true, reason: err.message };
           }
           throw err;
@@ -2223,7 +2698,7 @@ function paymentTools(client) {
     },
     {
       name: "piprail_register",
-      description: "List an x402 payment-gated resource YOU run on the open indexes so other agents can discover it. Default target is 402 Index \u2014 no auth, no signature, no payment; searchable within seconds. Returns one outcome per index ({ source, ok, detail }); a step the chain can't satisfy comes back ok:false with the reason. Moves no funds; nothing is PipRail-hosted.",
+      description: "List an x402 payment-gated resource YOU run on the open indexes so other agents can discover it. Default target is 402 Index \u2014 no auth, no signature, no payment; a self-registered listing is pending review (verify your domain on 402index.io for instant approval). Returns one outcome per index ({ source, ok, detail, visibility, note }); a step the chain can't satisfy comes back ok:false with the reason. Moves no funds; nothing is PipRail-hosted.",
       annotations: {
         title: "Register an x402 endpoint",
         readOnlyHint: false,
@@ -2257,6 +2732,100 @@ function paymentTools(client) {
   ];
 }
 
+// src/facilitator.ts
+function safeStringify(value) {
+  return JSON.stringify(value, (_k, v) => typeof v === "bigint" ? v.toString() : v);
+}
+function mapReason(reason) {
+  const r = (_nullishCoalesce(reason, () => ( ""))).toLowerCase();
+  if (r.includes("signature")) return "signature_invalid";
+  if (r.includes("recipient")) return "wrong_recipient";
+  if (r.includes("value") || r.includes("amount")) return "amount_too_low";
+  if (r.includes("valid_before") || r.includes("valid_after") || r.includes("expired")) return "payment_expired";
+  if (r.includes("used") || r.includes("replay") || r.includes("nonce") || r.includes("transaction_state")) {
+    return "tx_already_used";
+  }
+  return "tx_reverted";
+}
+async function post(url, body, headers) {
+  const res = await fetch(url, {
+    method: "POST",
+    headers: { "content-type": "application/json", ...headers },
+    body: safeStringify(body)
+  });
+  let json = null;
+  try {
+    json = await res.json();
+  } catch (e26) {
+  }
+  return { status: res.status, json };
+}
+async function settleViaFacilitator(input) {
+  const base2 = input.url.replace(/\/+$/, "");
+  const body = {
+    x402Version: input.x402Version,
+    paymentPayload: input.paymentPayload,
+    paymentRequirements: input.paymentRequirements
+  };
+  const auth = input.authHeaders ? await input.authHeaders() : {};
+  let verify;
+  try {
+    verify = await post(`${base2}/verify`, body, auth);
+  } catch (err) {
+    throw new (0, _chunkMDLZJGLYcjs.SettlementError)(
+      `exact settle (facilitator ${base2}): /verify request failed (${err instanceof Error ? err.message : String(err)}).`,
+      { cause: err }
+    );
+  }
+  if (verify.status !== 200) {
+    throw new (0, _chunkMDLZJGLYcjs.SettlementError)(
+      `exact settle (facilitator ${base2}): /verify returned HTTP ${verify.status} (transport/auth error).`
+    );
+  }
+  const vr = _nullishCoalesce(verify.json, () => ( {}));
+  if (vr.isValid === false) {
+    return {
+      ok: false,
+      error: mapReason(vr.invalidReason),
+      detail: `Facilitator rejected the payment: ${_nullishCoalesce(vr.invalidReason, () => ( "invalid"))}${vr.invalidMessage ? ` \u2014 ${vr.invalidMessage}` : ""}.`
+    };
+  }
+  let settle;
+  try {
+    settle = await post(`${base2}/settle`, body, auth);
+  } catch (err) {
+    throw new (0, _chunkMDLZJGLYcjs.SettlementError)(
+      `exact settle (facilitator ${base2}): /settle request failed (${err instanceof Error ? err.message : String(err)}).`,
+      { cause: err }
+    );
+  }
+  if (settle.status !== 200) {
+    throw new (0, _chunkMDLZJGLYcjs.SettlementError)(
+      `exact settle (facilitator ${base2}): /settle returned HTTP ${settle.status} (transport/auth error).`
+    );
+  }
+  const sr = _nullishCoalesce(settle.json, () => ( {}));
+  if (!sr.success) {
+    return {
+      ok: false,
+      error: mapReason(sr.errorReason),
+      detail: `Facilitator settlement failed: ${_nullishCoalesce(sr.errorReason, () => ( "unknown"))}${sr.errorMessage ? ` \u2014 ${sr.errorMessage}` : ""}.`
+    };
+  }
+  const receipt = {
+    scheme: "exact",
+    success: true,
+    network: input.receipt.network,
+    transaction: sr.transaction,
+    asset: input.receipt.asset,
+    amount: input.receipt.amount,
+    payer: _nullishCoalesce(_nullishCoalesce(sr.payer, () => ( input.payerHint)), () => ( "")),
+    payTo: input.receipt.payTo,
+    verifiedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  return { ok: true, receipt };
+}
+
 // src/server.ts
 function toInvalidBody(result) {
   return { x402Version: 2, status: "invalid", error: result.error, detail: result.detail };
@@ -2283,9 +2852,10 @@ function createPaymentGate(options) {
   const genNonce = _nullishCoalesce(options.generateNonce, () => ( (() => globalThis.crypto.randomUUID())));
   let resolved;
   function ready() {
-    return resolved ??= (async () => {
+    if (resolved) return resolved;
+    const p = (async () => {
       const accepts = normaliseAccepts(options);
-      return Promise.all(
+      const specs = await Promise.all(
         accepts.map(async (a) => {
           const net = await resolveNetwork2({ chain: a.chain, rpcUrl: _nullishCoalesce(a.rpcUrl, () => ( options.rpcUrl)) });
           const payTo = _nullishCoalesce(a.payTo, () => ( options.payTo));
@@ -2296,11 +2866,53 @@ function createPaymentGate(options) {
           }
           net.assertValidPayTo(payTo);
           const { asset, decimals, symbol } = net.resolveToken(a.token);
-          const amountBase = _chunkIQGT65WScjs.parseUnits.call(void 0, a.amount, decimals);
-          return { net, asset, decimals, symbol, amountBase, amountFormatted: a.amount, payTo };
+          const amountBase = _chunkMDLZJGLYcjs.parseUnits.call(void 0, a.amount, decimals);
+          const spec = { net, asset, decimals, symbol, amountBase, amountFormatted: a.amount, payTo };
+          if (options.exact) spec.exact = await resolveExactRail(net, asset);
+          return spec;
         })
       );
+      if (options.exact && !specs.some((s) => s.exact)) {
+        throw new Error(
+          "requirePayment: `exact` was requested but none of the offered rails support it. The standard `exact` rail is EVM + EIP-3009 only (USDC / EURC) \u2014 not native coins, not USDT, not non-EVM chains. Offer an EVM EIP-3009 token, or drop `exact`."
+        );
+      }
+      return specs;
     })();
+    p.catch(() => {
+      if (resolved === p) resolved = void 0;
+    });
+    resolved = p;
+    return p;
+  }
+  async function resolveExactRail(net, asset) {
+    const cfg = options.exact;
+    if (net.family !== "evm" || asset === "native" || !net.exactDomain || !net.settleExactSelf) {
+      return void 0;
+    }
+    const domain = await net.exactDomain(asset);
+    if (!domain) {
+      throw new Error(
+        `requirePayment: \`exact\` requested for asset ${asset} on ${net.network}, but it isn't an EIP-3009 token (couldn't read name()/version()/authorizationState). The exact rail supports USDC / EURC and other EIP-3009 tokens \u2014 USDT and native coins need onchain-proof. (Or check your rpcUrl is reachable.)`
+      );
+    }
+    if (cfg.settle === "self") {
+      if (cfg.relayer === void 0) {
+        throw new Error(
+          "requirePayment: exact `settle: 'self'` needs a `relayer` wallet (the gas-paying key that broadcasts transferWithAuthorization), e.g. exact: { settle: 'self', relayer: { privateKey } }."
+        );
+      }
+      const relayer = net.bindWallet(cfg.relayer);
+      return { domain, mode: { kind: "self", relayer } };
+    }
+    return {
+      domain,
+      mode: {
+        kind: "facilitator",
+        url: cfg.settle.facilitator,
+        ...cfg.settle.authHeaders ? { authHeaders: cfg.settle.authHeaders } : {}
+      }
+    };
   }
   const hasCustomStore = Boolean(options.isUsed || options.markUsed);
   const localUsed = /* @__PURE__ */ new Set();
@@ -2337,93 +2949,191 @@ function createPaymentGate(options) {
       }
     };
   }
-  async function challenge(resourceUrl = "") {
+  function buildExactAccept(s) {
+    const d = s.exact.domain;
+    return {
+      scheme: "exact",
+      network: s.net.network,
+      amount: s.amountBase.toString(),
+      asset: s.asset,
+      payTo: s.payTo,
+      maxTimeoutSeconds,
+      extra: {
+        assetTransferMethod: "eip3009",
+        name: d.name,
+        version: d.version,
+        minConfirmations,
+        decimals: s.decimals,
+        amountFormatted: s.amountFormatted,
+        ...s.symbol ? { symbol: s.symbol } : {}
+      }
+    };
+  }
+  function buildAccepts(specs, nonce) {
+    const out = [];
+    for (const s of specs) {
+      if (s.exact) out.push(buildExactAccept(s));
+      out.push(buildAccept(s, nonce));
+    }
+    return out;
+  }
+  async function makeChallenge(resourceUrl, opts) {
     const specs = await ready();
     const nonce = genNonce();
     const challenge2 = {
       x402Version: 2,
-      error: null,
       resource: {
         url: resourceUrl,
         ...options.description ? { description: options.description } : {}
       },
-      accepts: specs.map((s) => buildAccept(s, nonce))
+      accepts: buildAccepts(specs, nonce),
+      ..._optionalChain([opts, 'optionalAccess', _42 => _42.error]) ? { error: opts.error } : {},
+      ..._optionalChain([opts, 'optionalAccess', _43 => _43.extensions]) ? { extensions: opts.extensions } : {}
     };
     return { challenge: challenge2, requiredHeader: buildChallengeHeader(challenge2) };
   }
+  async function challenge(resourceUrl = "") {
+    return makeChallenge(resourceUrl);
+  }
   async function asChallenge() {
-    const { challenge: c, requiredHeader } = await challenge();
+    const { challenge: c, requiredHeader } = await makeChallenge("");
     return { kind: "challenge", challenge: c, requiredHeader, statusCode: 402 };
   }
+  async function rejection(code, detail) {
+    const { challenge: c, requiredHeader } = await makeChallenge("", {
+      error: `${code}: ${detail}`,
+      extensions: { piprail: { code, detail } }
+    });
+    return { kind: "invalid", error: code, detail, challenge: c, requiredHeader, statusCode: 402 };
+  }
+  function fireOnPaid(receipt) {
+    if (options.onPaid) {
+      try {
+        options.onPaid(receipt);
+      } catch (e27) {
+      }
+    }
+  }
   async function describe(resourceUrl = "") {
     const specs = await ready();
-    const accepts = specs.map((s) => ({
-      scheme: "onchain-proof",
-      network: s.net.network,
-      asset: s.asset,
-      payTo: s.payTo,
-      amount: s.amountBase.toString(),
-      amountFormatted: s.amountFormatted,
-      decimals: s.decimals,
-      maxTimeoutSeconds,
-      ...s.symbol ? { symbol: s.symbol } : {}
-    }));
+    const accepts = [];
+    for (const s of specs) {
+      const base2 = {
+        network: s.net.network,
+        asset: s.asset,
+        payTo: s.payTo,
+        amount: s.amountBase.toString(),
+        amountFormatted: s.amountFormatted,
+        decimals: s.decimals,
+        maxTimeoutSeconds,
+        ...s.symbol ? { symbol: s.symbol } : {}
+      };
+      if (s.exact) accepts.push({ scheme: "exact", ...base2 });
+      accepts.push({ scheme: "onchain-proof", ...base2 });
+    }
     return {
       url: resourceUrl,
       ...options.description ? { description: options.description } : {},
       accepts
     };
   }
-  async function verify(paymentSignature) {
-    const raw = normaliseHeader(paymentSignature);
-    if (!raw) return asChallenge();
-    const sig = parseSignatureHeader(raw);
-    if (!sig || !sig.accepted || typeof sig.accepted.network !== "string" || typeof sig.accepted.asset !== "string") {
-      return asChallenge();
-    }
+  async function verifyOnchainProof(sig) {
     const specs = await ready();
     const spec = specs.find(
       (s) => s.net.network === sig.accepted.network && s.asset === sig.accepted.asset
     );
     if (!spec) {
-      return {
-        kind: "invalid",
-        error: "transfer_not_found",
-        detail: `Proof claims ${sig.accepted.asset} on ${sig.accepted.network}, which this resource doesn't accept (offered: ${specs.map((s) => `${s.asset}@${s.net.network}`).join(", ")}).`,
-        statusCode: 402
-      };
+      return rejection(
+        "transfer_not_found",
+        `Proof claims ${sig.accepted.asset} on ${sig.accepted.network}, which this resource doesn't accept (offered: ${specs.map((s) => `${s.asset}@${s.net.network}`).join(", ")}).`
+      );
     }
     const ref = sig.payload.txHash;
-    if (await claimTx(ref)) {
-      return {
-        kind: "invalid",
-        error: "tx_already_used",
-        detail: `Proof ${ref} was already redeemed.`,
-        statusCode: 402
-      };
-    }
+    if (await claimTx(ref)) return rejection("tx_already_used", `Proof ${ref} was already redeemed.`);
     const result = await spec.net.verify(ref, buildAccept(spec, sig.payload.nonce));
     if (!result.ok) {
       await settleTx(ref, false);
-      return {
-        kind: "invalid",
-        error: result.error,
-        detail: result.detail,
-        statusCode: 402
-      };
+      return rejection(result.error, result.detail);
     }
     await settleTx(ref, true);
-    if (options.onPaid) {
-      try {
-        options.onPaid(result.receipt);
-      } catch (e21) {
+    fireOnPaid(result.receipt);
+    return { kind: "paid", receipt: result.receipt, receiptHeader: buildReceiptHeader(result.receipt) };
+  }
+  async function verifyExact(exact) {
+    const specs = await ready();
+    const exactSpecs = specs.filter((s) => s.exact);
+    if (exactSpecs.length === 0) {
+      return rejection("transfer_not_found", "This resource offers no standard `exact` rail.");
+    }
+    const isCaip = exact.network.startsWith("eip155:");
+    let candidates = isCaip ? exactSpecs.filter((s) => s.net.network === exact.network) : exactSpecs;
+    if (exact.asset) {
+      candidates = candidates.filter((s) => s.asset.toLowerCase() === exact.asset.toLowerCase());
+    }
+    let spec = candidates[0];
+    if (!isCaip && !exact.asset && exactSpecs.length > 1) spec = void 0;
+    if (!spec && !isCaip && !exact.asset && exactSpecs.length === 1) spec = exactSpecs[0];
+    if (!spec || !spec.exact) {
+      return rejection(
+        "transfer_not_found",
+        `No \`exact\` rail offered for ${exact.network}${exact.asset ? `/${exact.asset}` : ""} (offered: ${exactSpecs.map((s) => `${s.asset}@${s.net.network}`).join(", ")}).`
+      );
+    }
+    const nonce = exact.payload.authorization.nonce;
+    if (await claimTx(nonce)) {
+      return rejection("tx_already_used", `Authorization nonce ${nonce} was already redeemed.`);
+    }
+    const accept = buildExactAccept(spec);
+    const mode = spec.exact.mode;
+    let result;
+    try {
+      if (mode.kind === "self") {
+        result = await spec.net.settleExactSelf({ relayer: mode.relayer, payload: exact.payload, accept });
+      } else {
+        result = await settleViaFacilitator({
+          url: mode.url,
+          ...mode.authHeaders ? { authHeaders: mode.authHeaders } : {},
+          // PipRail always builds a v2-shaped paymentRequirements (CAIP-2 network + `amount`),
+          // so force x402Version:2 — echoing a v1 client's version here would hand the facilitator
+          // a self-inconsistent request (v1 envelope, v2 requirements). The inner payload is
+          // byte-identical across versions, so forwarding it verbatim is fine.
+          x402Version: 2,
+          paymentPayload: exact.raw,
+          paymentRequirements: {
+            scheme: "exact",
+            network: accept.network,
+            asset: accept.asset,
+            amount: accept.amount,
+            payTo: accept.payTo,
+            maxTimeoutSeconds: accept.maxTimeoutSeconds,
+            extra: { name: accept.extra.name, version: accept.extra.version }
+          },
+          receipt: { network: accept.network, asset: accept.asset, payTo: accept.payTo, amount: accept.amount },
+          payerHint: exact.payload.authorization.from
+        });
       }
+    } catch (err) {
+      await settleTx(nonce, false);
+      throw err;
     }
-    return {
-      kind: "paid",
-      receipt: result.receipt,
-      receiptHeader: buildReceiptHeader(result.receipt)
-    };
+    if (!result.ok) {
+      await settleTx(nonce, false);
+      return rejection(result.error, result.detail);
+    }
+    await settleTx(nonce, true);
+    fireOnPaid(result.receipt);
+    return { kind: "paid", receipt: result.receipt, receiptHeader: buildReceiptHeader(result.receipt) };
+  }
+  async function verify(paymentSignature) {
+    const raw = normaliseHeader(paymentSignature);
+    if (!raw) return asChallenge();
+    const sig = parseSignatureHeader(raw);
+    if (sig && sig.accepted && typeof sig.accepted.network === "string" && typeof sig.accepted.asset === "string") {
+      return verifyOnchainProof(sig);
+    }
+    const exact = parseExactPaymentHeader(raw);
+    if (exact) return verifyExact(exact);
+    return asChallenge();
   }
   return { challenge, verify, describe };
 }
@@ -2432,14 +3142,20 @@ function requirePayment(options) {
   return async (req, res, next) => {
     let result;
     try {
-      result = await gate.verify(req.headers[HEADER_SIGNATURE]);
+      result = await gate.verify(_nullishCoalesce(req.headers[HEADER_SIGNATURE], () => ( req.headers[HEADER_SIGNATURE_V1])));
     } catch (err) {
+      if (err instanceof _chunkMDLZJGLYcjs.SettlementError) {
+        res.status(502);
+        res.json({ x402Version: 2, error: "settlement_failed", detail: err.message });
+        return;
+      }
       next(err);
       return;
     }
     switch (result.kind) {
       case "paid":
         res.setHeader(HEADER_RESPONSE, result.receiptHeader);
+        res.setHeader(HEADER_RESPONSE_V1, result.receiptHeader);
         return next();
       case "challenge":
         res.setHeader(HEADER_REQUIRED, result.requiredHeader);
@@ -2447,8 +3163,9 @@ function requirePayment(options) {
         res.json(result.challenge);
         return;
       case "invalid":
+        res.setHeader(HEADER_REQUIRED, result.requiredHeader);
         res.status(result.statusCode);
-        res.json(toInvalidBody(result));
+        res.json(result.challenge);
         return;
     }
   };
@@ -2458,110 +3175,12 @@ function normaliseHeader(value) {
   return value;
 }
 
-// src/drivers/evm/exact.ts
-var EXACT_NETWORK_SLUGS = {
-  ethereum: 1,
-  base: 8453,
-  "base-sepolia": 84532,
-  arbitrum: 42161,
-  optimism: 10,
-  polygon: 137,
-  avalanche: 43114
-};
-function chainIdForExactNetwork(slug) {
-  return _nullishCoalesce(EXACT_NETWORK_SLUGS[slug], () => ( null));
-}
-var EIP3009_TYPES = {
-  TransferWithAuthorization: [
-    { name: "from", type: "address" },
-    { name: "to", type: "address" },
-    { name: "value", type: "uint256" },
-    { name: "validAfter", type: "uint256" },
-    { name: "validBefore", type: "uint256" },
-    { name: "nonce", type: "bytes32" }
-  ]
-};
-function parseExactRequirements(body) {
-  if (!body || typeof body !== "object") return null;
-  const accepts = body.accepts;
-  if (!Array.isArray(accepts)) return null;
-  const out = [];
-  for (const raw of accepts) {
-    if (!raw || typeof raw !== "object") continue;
-    const a = raw;
-    if (a.scheme !== "exact") continue;
-    const amount = _nullishCoalesce(a.maxAmountRequired, () => ( a.amount));
-    if (typeof a.network !== "string" || typeof amount !== "string" || typeof a.asset !== "string" || typeof a.payTo !== "string") {
-      continue;
-    }
-    out.push({
-      scheme: "exact",
-      network: a.network,
-      maxAmountRequired: amount,
-      asset: a.asset,
-      payTo: a.payTo,
-      maxTimeoutSeconds: typeof a.maxTimeoutSeconds === "number" ? a.maxTimeoutSeconds : 600,
-      ...a.extra && typeof a.extra === "object" ? { extra: a.extra } : {},
-      ...typeof a.description === "string" ? { description: a.description } : {},
-      ...typeof a.resource === "string" ? { resource: a.resource } : {}
-    });
-  }
-  return out;
-}
-async function buildExactAuthorization(params) {
-  const { account, accept, chainId, now, nonce } = params;
-  if (!account.signTypedData) {
-    throw new Error("buildExactAuthorization: the account cannot sign EIP-712 typed data.");
-  }
-  const authorization = {
-    from: account.address,
-    to: accept.payTo,
-    value: accept.maxAmountRequired,
-    validAfter: "0",
-    validBefore: String(now + accept.maxTimeoutSeconds),
-    nonce
-  };
-  const signature = await account.signTypedData({
-    domain: {
-      name: _nullishCoalesce(_optionalChain([accept, 'access', _34 => _34.extra, 'optionalAccess', _35 => _35.name]), () => ( "USD Coin")),
-      version: _nullishCoalesce(_optionalChain([accept, 'access', _36 => _36.extra, 'optionalAccess', _37 => _37.version]), () => ( "2")),
-      chainId,
-      verifyingContract: accept.asset
-    },
-    types: EIP3009_TYPES,
-    primaryType: "TransferWithAuthorization",
-    message: {
-      from: authorization.from,
-      to: authorization.to,
-      value: BigInt(authorization.value),
-      validAfter: BigInt(authorization.validAfter),
-      validBefore: BigInt(authorization.validBefore),
-      nonce: authorization.nonce
-    }
-  });
-  return { authorization, signature };
-}
-function base64(str) {
-  if (typeof btoa === "function") return btoa(str);
-  if (typeof Buffer !== "undefined") return Buffer.from(str, "utf8").toString("base64");
-  throw new Error("No base64 encoder available in this runtime.");
-}
-function encodeXPaymentHeader(input) {
-  const payload = {
-    x402Version: _nullishCoalesce(input.x402Version, () => ( 1)),
-    scheme: "exact",
-    network: input.network,
-    payload: { signature: input.signature, authorization: input.authorization }
-  };
-  return base64(JSON.stringify(payload));
-}
-
 // src/discovery.ts
 var GENERATOR = "@piprail/sdk \xB7 https://piprail.com";
 function pathOf(url) {
   try {
     return new URL(url).pathname || "/";
-  } catch (e22) {
+  } catch (e28) {
     return url.startsWith("/") ? url : `/${url}`;
   }
 }
@@ -2658,4 +3277,17 @@ function buildX402DnsTxt(input) {
 
 
 
-exports.CHAINS = CHAINS; exports.ConfirmationTimeoutError = _chunkIQGT65WScjs.ConfirmationTimeoutError; exports.EIP3009_TYPES = EIP3009_TYPES; exports.EXACT_NETWORK_SLUGS = EXACT_NETWORK_SLUGS; exports.GENERATOR = GENERATOR; exports.InsufficientFundsError = _chunkIQGT65WScjs.InsufficientFundsError; exports.InvalidEnvelopeError = _chunkIQGT65WScjs.InvalidEnvelopeError; exports.MaxRetriesExceededError = _chunkIQGT65WScjs.MaxRetriesExceededError; exports.MissingDriverError = _chunkIQGT65WScjs.MissingDriverError; exports.NoCompatibleAcceptError = _chunkIQGT65WScjs.NoCompatibleAcceptError; exports.NonReplayableBodyError = _chunkIQGT65WScjs.NonReplayableBodyError; exports.PaymentDeclinedError = _chunkIQGT65WScjs.PaymentDeclinedError; exports.PaymentTimeoutError = _chunkIQGT65WScjs.PaymentTimeoutError; exports.PipRailClient = PipRailClient; exports.PipRailError = _chunkIQGT65WScjs.PipRailError; exports.RecipientNotReadyError = _chunkIQGT65WScjs.RecipientNotReadyError; exports.UnknownTokenError = _chunkIQGT65WScjs.UnknownTokenError; exports.UnsupportedNetworkError = _chunkIQGT65WScjs.UnsupportedNetworkError; exports.WrongChainError = _chunkIQGT65WScjs.WrongChainError; exports.WrongFamilyError = _chunkIQGT65WScjs.WrongFamilyError; exports.buildChallengeHeader = buildChallengeHeader; exports.buildExactAuthorization = buildExactAuthorization; exports.buildOpenApi = buildOpenApi; exports.buildReceiptHeader = buildReceiptHeader; exports.buildSignatureHeader = buildSignatureHeader; exports.buildWellKnownX402 = buildWellKnownX402; exports.buildX402DnsTxt = buildX402DnsTxt; exports.chainIdForExactNetwork = chainIdForExactNetwork; exports.createPaymentGate = createPaymentGate; exports.encodeXPaymentHeader = encodeXPaymentHeader; exports.evaluatePolicy = evaluatePolicy; exports.normalizeNetwork = normalizeNetwork; exports.parseChallenge = parseChallenge; exports.parseExactRequirements = parseExactRequirements; exports.parseReceipt = parseReceipt; exports.parseSignatureHeader = parseSignatureHeader; exports.paymentTools = paymentTools; exports.pickAccept = pickAccept; exports.planAcross = planAcross; exports.register402Index = register402Index; exports.registerDriver = registerDriver; exports.registerX402Scan = registerX402Scan; exports.requirePayment = requirePayment; exports.resolveChain = resolveChain; exports.searchOpenIndexes = searchOpenIndexes; exports.toInsufficientFundsError = _chunkIQGT65WScjs.toInsufficientFundsError; exports.toInvalidBody = toInvalidBody;
+
+
+
+
+
+
+
+
+
+
+
+
+
+exports.CHAINS = CHAINS; exports.ConfirmationTimeoutError = _chunkMDLZJGLYcjs.ConfirmationTimeoutError; exports.DIRECTORY_INFO = DIRECTORY_INFO; exports.EIP3009_TYPES = EIP3009_TYPES; exports.EXACT_NETWORK_SLUGS = EXACT_NETWORK_SLUGS; exports.GENERATOR = GENERATOR; exports.HEADER_REQUIRED = HEADER_REQUIRED; exports.HEADER_RESPONSE = HEADER_RESPONSE; exports.HEADER_RESPONSE_V1 = HEADER_RESPONSE_V1; exports.HEADER_SIGNATURE = HEADER_SIGNATURE; exports.HEADER_SIGNATURE_V1 = HEADER_SIGNATURE_V1; exports.InsufficientFundsError = _chunkMDLZJGLYcjs.InsufficientFundsError; exports.InvalidEnvelopeError = _chunkMDLZJGLYcjs.InvalidEnvelopeError; exports.MaxRetriesExceededError = _chunkMDLZJGLYcjs.MaxRetriesExceededError; exports.MissingDriverError = _chunkMDLZJGLYcjs.MissingDriverError; exports.NoCompatibleAcceptError = _chunkMDLZJGLYcjs.NoCompatibleAcceptError; exports.NonReplayableBodyError = _chunkMDLZJGLYcjs.NonReplayableBodyError; exports.PaymentDeclinedError = _chunkMDLZJGLYcjs.PaymentDeclinedError; exports.PaymentTimeoutError = _chunkMDLZJGLYcjs.PaymentTimeoutError; exports.PipRailClient = PipRailClient; exports.PipRailError = _chunkMDLZJGLYcjs.PipRailError; exports.RecipientNotReadyError = _chunkMDLZJGLYcjs.RecipientNotReadyError; exports.SettlementError = _chunkMDLZJGLYcjs.SettlementError; exports.UnknownTokenError = _chunkMDLZJGLYcjs.UnknownTokenError; exports.UnsupportedNetworkError = _chunkMDLZJGLYcjs.UnsupportedNetworkError; exports.WrongChainError = _chunkMDLZJGLYcjs.WrongChainError; exports.WrongFamilyError = _chunkMDLZJGLYcjs.WrongFamilyError; exports.buildChallengeHeader = buildChallengeHeader; exports.buildExactAuthorization = buildExactAuthorization; exports.buildOpenApi = buildOpenApi; exports.buildReceiptHeader = buildReceiptHeader; exports.buildSignatureHeader = buildSignatureHeader; exports.buildWellKnownX402 = buildWellKnownX402; exports.buildX402DnsTxt = buildX402DnsTxt; exports.chainIdForExactNetwork = chainIdForExactNetwork; exports.createPaymentGate = createPaymentGate; exports.decorateOutcome = decorateOutcome; exports.eip3009Abi = eip3009Abi; exports.encodeXPaymentHeader = encodeXPaymentHeader; exports.evaluatePolicy = evaluatePolicy; exports.getDirectoryInfo = getDirectoryInfo; exports.normalizeNetwork = normalizeNetwork; exports.parseChallenge = parseChallenge; exports.parseExactPaymentHeader = parseExactPaymentHeader; exports.parseExactRequirements = parseExactRequirements; exports.parseReceipt = parseReceipt; exports.parseSignatureHeader = parseSignatureHeader; exports.paymentTools = paymentTools; exports.pickAccept = pickAccept; exports.planAcross = planAcross; exports.readExactDomain = readExactDomain; exports.register402Index = register402Index; exports.registerDriver = registerDriver; exports.registerX402Scan = registerX402Scan; exports.requirePayment = requirePayment; exports.resolveChain = resolveChain; exports.searchOpenIndexes = searchOpenIndexes; exports.settleViaFacilitator = settleViaFacilitator; exports.toInsufficientFundsError = _chunkMDLZJGLYcjs.toInsufficientFundsError; exports.toInvalidBody = toInvalidBody;