@scriptmasterlabs/mcp-x402 2.1.1 → 2.1.2

package/dist/server/payments/agent-payment.js

@@ -0,0 +1,112 @@
+"use strict";
+/**
+ * Agent-payment enforcement gate — the REAL x402 model.
+ *
+ * Today the gateway "pays itself" (gateway wallet -> SML receiver) and serves paid
+ * tools regardless, so they're effectively free. This gate flips that to the correct
+ * flow: tool call -> 402 challenge (invoice) -> agent pays from ITS wallet -> agent
+ * re-calls with tx_hash -> we VERIFY via 402Proof -> serve.
+ *
+ * Safety: OFF by default (ENFORCE_AGENT_PAYMENT). When off, nothing here runs and
+ * existing behavior is unchanged. When on, each paid tool needs its 402Proof endpoint
+ * UUID (PROOF402_ENDPOINT_<TOOL>); without it the gate fails CLOSED (never serves free).
+ *
+ * NOTE: isVerified() interprets the 402Proof /v1/verify response defensively. Confirm
+ * the exact success contract against the live 402Proof service before going live.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PaymentUnverifiedError = exports.PaymentRequiredError = void 0;
+exports.isAgentPaymentEnforced = isAgentPaymentEnforced;
+exports.resolveEndpointId = resolveEndpointId;
+exports.isVerified = isVerified;
+exports.enforceAgentPayment = enforceAgentPayment;
+const proof402_js_1 = require("../../lib/sml-api/proof402.js");
+const x402_js_1 = require("./x402.js");
+function isAgentPaymentEnforced() {
+    return (process.env['ENFORCE_AGENT_PAYMENT'] ?? '').toLowerCase() === 'true';
+}
+/** Resolve a tool's 402Proof endpoint UUID. Real values come from env. */
+function resolveEndpointId(toolName) {
+    const fromEnv = process.env[`PROOF402_ENDPOINT_${toolName.toUpperCase()}`];
+    if (fromEnv && fromEnv.length > 0)
+        return fromEnv;
+    return ENDPOINT_MAP[toolName];
+}
+/** Built-in endpoint UUIDs. EMPTY by default — fill via env or here once registered. */
+const ENDPOINT_MAP = {
+// squeezeos_council: '<real-402proof-endpoint-uuid>',
+};
+/** Defensive success check for the 402Proof /v1/verify response. */
+function isVerified(resp) {
+    if (resp === null || typeof resp !== 'object')
+        return false;
+    const r = resp;
+    if (r['error'])
+        return false;
+    if (r['verified'] === true || r['valid'] === true || r['ok'] === true)
+        return true;
+    const status = typeof r['status'] === 'string' ? r['status'].toLowerCase() : '';
+    return status === 'confirmed' || status === 'verified' || status === 'paid';
+}
+/**
+ * Enforce agent payment for a tool call. Returns a discriminated result; the caller
+ * (executeX402Payment) translates it into a served response, a 402 challenge, or a
+ * rejection. Never serves on anything but {status:'paid'}.
+ */
+async function enforceAgentPayment(params) {
+    const endpointId = resolveEndpointId(params.toolName);
+    if (!endpointId) {
+        return { status: 'unconfigured', toolName: params.toolName };
+    }
+    // No proof yet -> issue a 402 challenge (invoice is best-effort).
+    if (!params.paymentProof?.txHash) {
+        let invoice;
+        try {
+            invoice = await proof402_js_1.Proof402API.invoice(endpointId);
+        }
+        catch {
+            invoice = undefined;
+        }
+        return {
+            status: 'payment_required',
+            endpointId,
+            payTo: (0, x402_js_1.getPaymentReceiver)(),
+            amount: params.price,
+            invoice,
+            instructions: `Payment required. Pay ${params.price} USDC/RLUSD to ${(0, x402_js_1.getPaymentReceiver)()} (or per the invoice), then re-call this tool with payment_proof.tx_hash set to your payment transaction hash.`,
+        };
+    }
+    // Proof provided -> verify the agent's on-chain payment via 402Proof.
+    let resp;
+    try {
+        resp = await proof402_js_1.Proof402API.verify(params.paymentProof.txHash, endpointId);
+    }
+    catch (err) {
+        return { status: 'payment_invalid', endpointId, detail: { error: String(err) } };
+    }
+    if (isVerified(resp)) {
+        return { status: 'paid', txHash: params.paymentProof.txHash, detail: resp };
+    }
+    return { status: 'payment_invalid', endpointId, detail: resp };
+}
+/** Thrown by executeX402Payment when the agent must pay before the tool runs. */
+class PaymentRequiredError extends Error {
+    gate;
+    constructor(gate) {
+        super('payment_required');
+        this.gate = gate;
+        this.name = 'PaymentRequiredError';
+    }
+}
+exports.PaymentRequiredError = PaymentRequiredError;
+/** Thrown when the agent's payment proof fails 402Proof verification. */
+class PaymentUnverifiedError extends Error {
+    gate;
+    constructor(gate) {
+        super('payment_unverified');
+        this.gate = gate;
+        this.name = 'PaymentUnverifiedError';
+    }
+}
+exports.PaymentUnverifiedError = PaymentUnverifiedError;
+//# sourceMappingURL=agent-payment.js.map

package/dist/server/payments/agent-payment.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-payment.js","sourceRoot":"","sources":["../../../src/server/payments/agent-payment.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;AAKH,wDAEC;AAGD,8CAIC;AAQD,gCAOC;AAiBD,kDAuCC;AAnFD,+DAA4D;AAC5D,uCAA+C;AAE/C,SAAgB,sBAAsB;IACpC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC;AAC/E,CAAC;AAED,0EAA0E;AAC1E,SAAgB,iBAAiB,CAAC,QAAgB;IAChD,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IAC3E,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,OAAO,CAAC;IAClD,OAAO,YAAY,CAAC,QAAQ,CAAC,CAAC;AAChC,CAAC;AAED,wFAAwF;AACxF,MAAM,YAAY,GAA2B;AAC3C,sDAAsD;CACvD,CAAC;AAEF,oEAAoE;AACpE,SAAgB,UAAU,CAAC,IAAa;IACtC,IAAI,IAAI,KAAK,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5D,MAAM,CAAC,GAAG,IAA+B,CAAC;IAC1C,IAAI,CAAC,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAC7B,IAAI,CAAC,CAAC,UAAU,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACnF,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,QAAQ,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAE,CAAC,CAAC,QAAQ,CAAY,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC5F,OAAO,MAAM,KAAK,WAAW,IAAI,MAAM,KAAK,UAAU,IAAI,MAAM,KAAK,MAAM,CAAC;AAC9E,CAAC;AAYD;;;;GAIG;AACI,KAAK,UAAU,mBAAmB,CAAC,MAIzC;IACC,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACtD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC;IAC/D,CAAC;IAED,kEAAkE;IAClE,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,EAAE,CAAC;QACjC,IAAI,OAAgB,CAAC;QACrB,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,yBAAW,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,GAAG,SAAS,CAAC;QACtB,CAAC;QACD,OAAO;YACL,MAAM,EAAE,kBAAkB;YAC1B,UAAU;YACV,KAAK,EAAE,IAAA,4BAAkB,GAAE;YAC3B,MAAM,EAAE,MAAM,CAAC,KAAK;YACpB,OAAO;YACP,YAAY,EAAE,yBAAyB,MAAM,CAAC,KAAK,kBAAkB,IAAA,4BAAkB,GAAE,gHAAgH;SAC1M,CAAC;IACJ,CAAC;IAED,sEAAsE;IACtE,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,yBAAW,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IAC1E,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;IACnF,CAAC;IACD,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACrB,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IAC9E,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;AACjE,CAAC;AAED,iFAAiF;AACjF,MAAa,oBAAqB,SAAQ,KAAK;IACjB;IAA5B,YAA4B,IAAyD;QACnF,KAAK,CAAC,kBAAkB,CAAC,CAAC;QADA,SAAI,GAAJ,IAAI,CAAqD;QAEnF,IAAI,CAAC,IAAI,GAAG,sBAAsB,CAAC;IACrC,CAAC;CACF;AALD,oDAKC;AAED,yEAAyE;AACzE,MAAa,sBAAuB,SAAQ,KAAK;IACnB;IAA5B,YAA4B,IAAwD;QAClF,KAAK,CAAC,oBAAoB,CAAC,CAAC;QADF,SAAI,GAAJ,IAAI,CAAoD;QAElF,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAC;IACvC,CAAC;CACF;AALD,wDAKC"}

package/dist/server/payments/ap2.d.ts

@@ -0,0 +1,17 @@
+export interface MandateParams {
+    maxAmount: string;
+    currency: string;
+    toolName: string;
+}
+export declare class AP2Client {
+    private static instance;
+    private readonly baseUrl;
+    private constructor();
+    static getInstance(): AP2Client;
+    verifyMandate(wallet: string, params: MandateParams): Promise<boolean>;
+    createMandate(wallet: string, params: {
+        dailyCap: string;
+        currency: string;
+    }): Promise<string>;
+}
+//# sourceMappingURL=ap2.d.ts.map

package/dist/server/payments/ap2.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ap2.d.ts","sourceRoot":"","sources":["../../../src/server/payments/ap2.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAUD,qBAAa,SAAS;IACpB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAY;IACnC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IAEjC,OAAO;IAIP,MAAM,CAAC,WAAW,IAAI,SAAS;IAOzB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC;IAgDtE,aAAa,CACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,GAC7C,OAAO,CAAC,MAAM,CAAC;CAkBnB"}

package/dist/server/payments/ap2.js

@@ -0,0 +1,77 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AP2Client = void 0;
+const audit_js_1 = require("../security/audit.js");
+// In-memory mandate cache — 5 minute TTL per wallet+tool combination
+const mandateCache = new Map();
+class AP2Client {
+    static instance;
+    baseUrl;
+    constructor() {
+        this.baseUrl = process.env['SML_API_BASE'] ?? 'https://api.scriptmasterlabs.com';
+    }
+    static getInstance() {
+        if (!AP2Client.instance) {
+            AP2Client.instance = new AP2Client();
+        }
+        return AP2Client.instance;
+    }
+    async verifyMandate(wallet, params) {
+        const cacheKey = `${wallet}:${params.toolName}:${params.currency}`;
+        const cached = mandateCache.get(cacheKey);
+        if (cached && cached.expiresAt > Date.now()) {
+            return cached.valid;
+        }
+        const audit = audit_js_1.AuditLogger.getInstance();
+        try {
+            const controller = new AbortController();
+            const timeout = setTimeout(() => controller.abort(), 5000);
+            const res = await fetch(`${this.baseUrl}/ap2/v1/mandate/verify`, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                    wallet,
+                    max_amount: params.maxAmount,
+                    currency: params.currency,
+                    tool: params.toolName,
+                }),
+                signal: controller.signal,
+            });
+            clearTimeout(timeout);
+            if (!res.ok) {
+                audit.warn('ap2_mandate_http_error', { status: res.status, wallet });
+                mandateCache.set(cacheKey, { valid: false, expiresAt: Date.now() + 60_000 });
+                return false;
+            }
+            const body = (await res.json());
+            const ttl = (body.expires_in ?? 300) * 1000;
+            mandateCache.set(cacheKey, { valid: body.valid, expiresAt: Date.now() + ttl });
+            return body.valid;
+        }
+        catch (err) {
+            audit.error('ap2_mandate_error', { error: String(err), wallet });
+            // Fail open when AP2 service is unreachable — log and allow
+            audit.warn('ap2_mandate_fallback', { wallet, tool: params.toolName, note: 'AP2 unreachable, auto-approving' });
+            mandateCache.set(cacheKey, { valid: true, expiresAt: Date.now() + 60_000 });
+            return true;
+        }
+    }
+    async createMandate(wallet, params) {
+        const res = await fetch(`${this.baseUrl}/ap2/v1/mandate/create`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                wallet,
+                daily_cap: params.dailyCap,
+                currency: params.currency,
+            }),
+        });
+        if (!res.ok) {
+            throw new Error(`AP2 mandate creation failed: HTTP ${res.status}`);
+        }
+        const body = (await res.json());
+        return body.mandate_id;
+    }
+}
+exports.AP2Client = AP2Client;
+//# sourceMappingURL=ap2.js.map

package/dist/server/payments/ap2.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ap2.js","sourceRoot":"","sources":["../../../src/server/payments/ap2.ts"],"names":[],"mappings":";;;AAAA,mDAAmD;AAanD,qEAAqE;AACrE,MAAM,YAAY,GAAG,IAAI,GAAG,EAAwB,CAAC;AAErD,MAAa,SAAS;IACZ,MAAM,CAAC,QAAQ,CAAY;IAClB,OAAO,CAAS;IAEjC;QACE,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,kCAAkC,CAAC;IACnF,CAAC;IAED,MAAM,CAAC,WAAW;QAChB,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;YACxB,SAAS,CAAC,QAAQ,GAAG,IAAI,SAAS,EAAE,CAAC;QACvC,CAAC;QACD,OAAO,SAAS,CAAC,QAAQ,CAAC;IAC5B,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,MAAc,EAAE,MAAqB;QACvD,MAAM,QAAQ,GAAG,GAAG,MAAM,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACnE,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAE1C,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC5C,OAAO,MAAM,CAAC,KAAK,CAAC;QACtB,CAAC;QAED,MAAM,KAAK,GAAG,sBAAW,CAAC,WAAW,EAAE,CAAC;QAExC,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,CAAC;YAE3D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,wBAAwB,EAAE;gBAC/D,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,MAAM;oBACN,UAAU,EAAE,MAAM,CAAC,SAAS;oBAC5B,QAAQ,EAAE,MAAM,CAAC,QAAQ;oBACzB,IAAI,EAAE,MAAM,CAAC,QAAQ;iBACtB,CAAC;gBACF,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;YAEH,YAAY,CAAC,OAAO,CAAC,CAAC;YAEtB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,KAAK,CAAC,IAAI,CAAC,wBAAwB,EAAE,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;gBACrE,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC,CAAC;gBAC7E,OAAO,KAAK,CAAC;YACf,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA4C,CAAC;YAC3E,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC,UAAU,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC;YAE5C,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;YAC/E,OAAO,IAAI,CAAC,KAAK,CAAC;QACpB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,KAAK,CAAC,KAAK,CAAC,mBAAmB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;YACjE,4DAA4D;YAC5D,KAAK,CAAC,IAAI,CAAC,sBAAsB,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE,IAAI,EAAE,iCAAiC,EAAE,CAAC,CAAC;YAC/G,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC,CAAC;YAC5E,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,MAAc,EACd,MAA8C;QAE9C,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,wBAAwB,EAAE;YAC/D,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,MAAM;gBACN,SAAS,EAAE,MAAM,CAAC,QAAQ;gBAC1B,QAAQ,EAAE,MAAM,CAAC,QAAQ;aAC1B,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,qCAAqC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA2B,CAAC;QAC1D,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;CACF;AApFD,8BAoFC"}

package/dist/server/payments/receipt.d.ts

@@ -0,0 +1,28 @@
+export interface ReceiptInput {
+    txHash: string;
+    chain: string;
+    amount: string;
+    currency: string;
+    tool: string;
+    wallet: string;
+}
+export interface Receipt {
+    id: string;
+    txHash: string;
+    chain: string;
+    amount: string;
+    currency: string;
+    tool: string;
+    wallet: string;
+    issuedAt: number;
+    hash: string;
+}
+export declare class ReceiptStore {
+    private static instance;
+    private readonly baseUrl;
+    private constructor();
+    static getInstance(): ReceiptStore;
+    create(input: ReceiptInput): Promise<Receipt>;
+    private registerWithProofServer;
+}
+//# sourceMappingURL=receipt.d.ts.map

package/dist/server/payments/receipt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"receipt.d.ts","sourceRoot":"","sources":["../../../src/server/payments/receipt.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,OAAO;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAe;IACtC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IAEjC,OAAO;IAIP,MAAM,CAAC,WAAW,IAAI,YAAY;IAO5B,MAAM,CAAC,KAAK,EAAE,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC;YAuBrC,uBAAuB;CAsBtC"}

package/dist/server/payments/receipt.js

@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ReceiptStore = void 0;
+const crypto_1 = require("crypto");
+const audit_js_1 = require("../security/audit.js");
+class ReceiptStore {
+    static instance;
+    baseUrl;
+    constructor() {
+        this.baseUrl = process.env['SML_API_BASE'] ?? 'https://api.scriptmasterlabs.com';
+    }
+    static getInstance() {
+        if (!ReceiptStore.instance) {
+            ReceiptStore.instance = new ReceiptStore();
+        }
+        return ReceiptStore.instance;
+    }
+    async create(input) {
+        const id = (0, crypto_1.randomUUID)();
+        const issuedAt = Date.now();
+        // Content hash for tamper detection
+        const hash = (0, crypto_1.createHash)('sha256')
+            .update(`${id}:${input.txHash}:${input.chain}:${input.amount}:${input.currency}:${input.tool}:${input.wallet}:${issuedAt}`)
+            .digest('hex');
+        const receipt = { id, ...input, issuedAt, hash };
+        // Attempt to register with 402Proof server (N7)
+        try {
+            await this.registerWithProofServer(receipt);
+        }
+        catch (err) {
+            // Log but don't fail — local receipt is still valid
+            audit_js_1.AuditLogger.getInstance().warn('proof_server_register_fail', { error: String(err), receiptId: id });
+        }
+        audit_js_1.AuditLogger.getInstance().info('receipt_issued', { receiptId: id, tool: input.tool });
+        return receipt;
+    }
+    async registerWithProofServer(receipt) {
+        const proofUrl = process.env['PROOF402_URL'] ?? 'https://four02proof.onrender.com';
+        const res = await fetch(`${proofUrl}/v1/receipt`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                receipt_id: receipt.id,
+                tx_hash: receipt.txHash,
+                chain: receipt.chain,
+                amount: receipt.amount,
+                currency: receipt.currency,
+                tool: receipt.tool,
+                wallet: receipt.wallet,
+                issued_at: receipt.issuedAt,
+                hash: receipt.hash,
+            }),
+        });
+        if (!res.ok) {
+            throw new Error(`402Proof server returned HTTP ${res.status}`);
+        }
+    }
+}
+exports.ReceiptStore = ReceiptStore;
+//# sourceMappingURL=receipt.js.map

package/dist/server/payments/receipt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"receipt.js","sourceRoot":"","sources":["../../../src/server/payments/receipt.ts"],"names":[],"mappings":";;;AAAA,mCAAgD;AAChD,mDAAmD;AAuBnD,MAAa,YAAY;IACf,MAAM,CAAC,QAAQ,CAAe;IACrB,OAAO,CAAS;IAEjC;QACE,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,kCAAkC,CAAC;IACnF,CAAC;IAED,MAAM,CAAC,WAAW;QAChB,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC;YAC3B,YAAY,CAAC,QAAQ,GAAG,IAAI,YAAY,EAAE,CAAC;QAC7C,CAAC;QACD,OAAO,YAAY,CAAC,QAAQ,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAmB;QAC9B,MAAM,EAAE,GAAG,IAAA,mBAAU,GAAE,CAAC;QACxB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE5B,oCAAoC;QACpC,MAAM,IAAI,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC;aAC9B,MAAM,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,MAAM,IAAI,QAAQ,EAAE,CAAC;aAC1H,MAAM,CAAC,KAAK,CAAC,CAAC;QAEjB,MAAM,OAAO,GAAY,EAAE,EAAE,EAAE,GAAG,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;QAE1D,gDAAgD;QAChD,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;QAC9C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,oDAAoD;YACpD,sBAAW,CAAC,WAAW,EAAE,CAAC,IAAI,CAAC,4BAA4B,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,CAAC;QACtG,CAAC;QAED,sBAAW,CAAC,WAAW,EAAE,CAAC,IAAI,CAAC,gBAAgB,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QACtF,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,KAAK,CAAC,uBAAuB,CAAC,OAAgB;QACpD,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,kCAAkC,CAAC;QACnF,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,aAAa,EAAE;YAChD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,UAAU,EAAE,OAAO,CAAC,EAAE;gBACtB,OAAO,EAAE,OAAO,CAAC,MAAM;gBACvB,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,SAAS,EAAE,OAAO,CAAC,QAAQ;gBAC3B,IAAI,EAAE,OAAO,CAAC,IAAI;aACnB,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;CACF;AA5DD,oCA4DC"}

package/dist/server/payments/router.d.ts

@@ -0,0 +1,23 @@
+export interface RouteParams {
+    amount: string;
+    currency: 'USDC' | 'RLUSD';
+    from: string;
+    to: string;
+    timeoutMs?: number;
+}
+export interface RouteResult {
+    txHash: string;
+    chain: string;
+    latencyMs: number;
+}
+export declare class ChainRouter {
+    private readonly base;
+    private readonly xrpl;
+    private readonly solana;
+    private static instance;
+    private constructor();
+    static getInstance(): ChainRouter;
+    route(params: RouteParams): Promise<RouteResult>;
+    private withTimeout;
+}
+//# sourceMappingURL=router.d.ts.map

package/dist/server/payments/router.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../../src/server/payments/router.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB;AAKD,qBAAa,WAAW;IAIpB,OAAO,CAAC,QAAQ,CAAC,IAAI;IACrB,OAAO,CAAC,QAAQ,CAAC,IAAI;IACrB,OAAO,CAAC,QAAQ,CAAC,MAAM;IALzB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAc;IAErC,OAAO;IAMP,MAAM,CAAC,WAAW,IAAI,WAAW;IAO3B,KAAK,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;IAuDtD,OAAO,CAAC,WAAW;CAgBpB"}

package/dist/server/payments/router.js

@@ -0,0 +1,69 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ChainRouter = void 0;
+const audit_js_1 = require("../security/audit.js");
+const base_js_1 = require("../../lib/chains/base.js");
+const xrpl_js_1 = require("../../lib/chains/xrpl.js");
+const solana_js_1 = require("../../lib/chains/solana.js");
+// Chain preference order: cheapest/fastest first (N13)
+const CHAIN_PREFERENCE = ['base', 'xrpl', 'solana'];
+class ChainRouter {
+    base;
+    xrpl;
+    solana;
+    static instance;
+    constructor(base = base_js_1.BaseChain.getInstance(), xrpl = xrpl_js_1.XRPLChain.getInstance(), solana = solana_js_1.SolanaChain.getInstance()) {
+        this.base = base;
+        this.xrpl = xrpl;
+        this.solana = solana;
+    }
+    static getInstance() {
+        if (!ChainRouter.instance) {
+            ChainRouter.instance = new ChainRouter();
+        }
+        return ChainRouter.instance;
+    }
+    async route(params) {
+        const audit = audit_js_1.AuditLogger.getInstance();
+        const timeout = params.timeoutMs ?? 3000;
+        // For RLUSD, prefer XRPL
+        const ordered = params.currency === 'RLUSD'
+            ? ['xrpl', 'base', 'solana']
+            : CHAIN_PREFERENCE;
+        const errors = [];
+        for (const chain of ordered) {
+            try {
+                const start = Date.now();
+                let txHash;
+                switch (chain) {
+                    case 'base':
+                        txHash = await this.withTimeout(this.base.sendPayment(params), timeout, 'base');
+                        break;
+                    case 'xrpl':
+                        txHash = await this.withTimeout(this.xrpl.sendPayment(params), timeout, 'xrpl');
+                        break;
+                    case 'solana':
+                        txHash = await this.withTimeout(this.solana.sendPayment(params), timeout, 'solana');
+                        break;
+                }
+                const latencyMs = Date.now() - start;
+                audit.info('chain_route_success', { chain, latencyMs, tx: txHash });
+                return { txHash, chain, latencyMs };
+            }
+            catch (err) {
+                const msg = String(err);
+                errors.push(`${chain}: ${msg}`);
+                audit.warn('chain_route_fail', { chain, error: msg });
+            }
+        }
+        throw new Error(`All chains failed.\n${errors.join('\n')}`);
+    }
+    withTimeout(promise, ms, chain) {
+        return new Promise((resolve, reject) => {
+            const t = setTimeout(() => reject(new Error(`${chain} timeout after ${ms}ms`)), ms);
+            promise.then((v) => { clearTimeout(t); resolve(v); }, (e) => { clearTimeout(t); reject(e); });
+        });
+    }
+}
+exports.ChainRouter = ChainRouter;
+//# sourceMappingURL=router.js.map

package/dist/server/payments/router.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.js","sourceRoot":"","sources":["../../../src/server/payments/router.ts"],"names":[],"mappings":";;;AAAA,mDAAmD;AACnD,sDAAqD;AACrD,sDAAqD;AACrD,0DAAyD;AAgBzD,uDAAuD;AACvD,MAAM,gBAAgB,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAU,CAAC;AAE7D,MAAa,WAAW;IAIH;IACA;IACA;IALX,MAAM,CAAC,QAAQ,CAAc;IAErC,YACmB,OAAO,mBAAS,CAAC,WAAW,EAAE,EAC9B,OAAO,mBAAS,CAAC,WAAW,EAAE,EAC9B,SAAS,uBAAW,CAAC,WAAW,EAAE;QAFlC,SAAI,GAAJ,IAAI,CAA0B;QAC9B,SAAI,GAAJ,IAAI,CAA0B;QAC9B,WAAM,GAAN,MAAM,CAA4B;IAClD,CAAC;IAEJ,MAAM,CAAC,WAAW;QAChB,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC;YAC1B,WAAW,CAAC,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC;QAC3C,CAAC;QACD,OAAO,WAAW,CAAC,QAAQ,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,MAAmB;QAC7B,MAAM,KAAK,GAAG,sBAAW,CAAC,WAAW,EAAE,CAAC;QACxC,MAAM,OAAO,GAAG,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC;QAEzC,yBAAyB;QACzB,MAAM,OAAO,GACX,MAAM,CAAC,QAAQ,KAAK,OAAO;YACzB,CAAC,CAAE,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAW;YACvC,CAAC,CAAC,gBAAgB,CAAC;QAEvB,MAAM,MAAM,GAAa,EAAE,CAAC;QAE5B,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;gBACzB,IAAI,MAAc,CAAC;gBAEnB,QAAQ,KAAK,EAAE,CAAC;oBACd,KAAK,MAAM;wBACT,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAC7B,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,EAC7B,OAAO,EACP,MAAM,CACP,CAAC;wBACF,MAAM;oBACR,KAAK,MAAM;wBACT,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAC7B,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,EAC7B,OAAO,EACP,MAAM,CACP,CAAC;wBACF,MAAM;oBACR,KAAK,QAAQ;wBACX,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAC7B,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,EAC/B,OAAO,EACP,QAAQ,CACT,CAAC;wBACF,MAAM;gBACV,CAAC;gBAED,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;gBACrC,KAAK,CAAC,IAAI,CAAC,qBAAqB,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;gBAEpE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;YACtC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;gBACxB,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,KAAK,GAAG,EAAE,CAAC,CAAC;gBAChC,KAAK,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,uBAAuB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC9D,CAAC;IAEO,WAAW,CACjB,OAAmB,EACnB,EAAU,EACV,KAAa;QAEb,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,MAAM,CAAC,GAAG,UAAU,CAClB,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,GAAG,KAAK,kBAAkB,EAAE,IAAI,CAAC,CAAC,EACzD,EAAE,CACH,CAAC;YACF,OAAO,CAAC,IAAI,CACV,CAAC,CAAC,EAAE,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EACvC,CAAC,CAAC,EAAE,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CACvC,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAvFD,kCAuFC"}

package/dist/server/payments/wallet.d.ts

@@ -0,0 +1,18 @@
+export interface WalletInfo {
+    address: string;
+    chain: 'base' | 'xrpl' | 'solana';
+}
+export declare class WalletManager {
+    private static instance;
+    private cachedAddress;
+    private cachedSeed;
+    private constructor();
+    static getInstance(): WalletManager;
+    private keytarGet;
+    private keytarSet;
+    getSeed(): Promise<string>;
+    getOrCreateWallet(): Promise<WalletInfo>;
+    private deriveAddress;
+    signPayload(payload: string): Promise<string>;
+}
+//# sourceMappingURL=wallet.d.ts.map

package/dist/server/payments/wallet.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wallet.d.ts","sourceRoot":"","sources":["../../../src/server/payments/wallet.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,QAAQ,CAAC;CACnC;AAED,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAgB;IACvC,OAAO,CAAC,aAAa,CAAuB;IAC5C,OAAO,CAAC,UAAU,CAAuB;IAEzC,OAAO;IAEP,MAAM,CAAC,WAAW,IAAI,aAAa;YAQrB,SAAS;YAST,SAAS;IAcjB,OAAO,IAAI,OAAO,CAAC,MAAM,CAAC;IA2B1B,iBAAiB,IAAI,OAAO,CAAC,UAAU,CAAC;YAahC,aAAa;IAkBrB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CAgBpD"}

package/dist/server/payments/wallet.js

@@ -0,0 +1,107 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WalletManager = void 0;
+const audit_js_1 = require("../security/audit.js");
+const KEYCHAIN_SERVICE = 'mcp-x402';
+const KEYCHAIN_ACCOUNT = 'master-seed';
+class WalletManager {
+    static instance;
+    cachedAddress = null;
+    cachedSeed = null;
+    constructor() { }
+    static getInstance() {
+        if (!WalletManager.instance) {
+            WalletManager.instance = new WalletManager();
+        }
+        return WalletManager.instance;
+    }
+    // Try OS keychain; returns null if keytar is unavailable (Docker/cloud) or no entry exists.
+    async keytarGet() {
+        try {
+            const kt = await import('keytar');
+            return await kt.getPassword(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT);
+        }
+        catch {
+            return null;
+        }
+    }
+    async keytarSet(value) {
+        try {
+            const kt = await import('keytar');
+            await kt.setPassword(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT, value);
+        }
+        catch {
+            // Silently skip — keytar unavailable in this environment
+        }
+    }
+    // Seed resolution priority:
+    // 1. OS keychain (local desktop — most secure)
+    // 2. WALLET_SEED env var (Render secret — cloud/Docker deployment)
+    // 3. CI_WALLET_SEED env var (CI only, never production)
+    // 4. Generate fresh and try to persist in keychain
+    async getSeed() {
+        if (this.cachedSeed)
+            return this.cachedSeed;
+        const audit = audit_js_1.AuditLogger.getInstance();
+        let seed = await this.keytarGet();
+        if (!seed) {
+            const envSeed = process.env['WALLET_SEED'];
+            if (envSeed) {
+                seed = envSeed;
+                audit.warn('wallet_env_seed', { note: 'Using WALLET_SEED env var (cloud deployment).' });
+            }
+            else if (process.env['CI_WALLET_SEED'] && process.env['NODE_ENV'] !== 'production') {
+                seed = process.env['CI_WALLET_SEED'];
+                audit.warn('wallet_ci_fallback', { note: 'Using CI_WALLET_SEED. NEVER do this in production.' });
+            }
+            else {
+                const { generateMnemonic } = await import('bip39');
+                seed = generateMnemonic(256);
+                await this.keytarSet(seed);
+                audit.info('wallet_created', { note: 'New BIP-39 seed generated.' });
+            }
+        }
+        this.cachedSeed = seed;
+        return seed;
+    }
+    async getOrCreateWallet() {
+        if (this.cachedAddress) {
+            return { address: this.cachedAddress, chain: 'base' };
+        }
+        const audit = audit_js_1.AuditLogger.getInstance();
+        const seed = await this.getSeed();
+        const address = await this.deriveAddress(seed);
+        this.cachedAddress = address;
+        audit.info('wallet_loaded', { address });
+        return { address, chain: 'base' };
+    }
+    async deriveAddress(mnemonic) {
+        // BIP-44 deterministic derivation: m/44'/60'/0'/0/0 (Base = EVM)
+        const { mnemonicToSeedSync } = await import('bip39');
+        const { default: HDKey } = await import('hdkey');
+        const { privateKeyToAccount } = await import('viem/accounts');
+        const seed = mnemonicToSeedSync(mnemonic);
+        const hdkey = HDKey.fromMasterSeed(seed);
+        const child = hdkey.derive("m/44'/60'/0'/0/0");
+        if (!child.privateKey) {
+            throw new Error('Failed to derive private key from HD path');
+        }
+        const account = privateKeyToAccount(`0x${child.privateKey.toString('hex')}`);
+        return account.address;
+    }
+    async signPayload(payload) {
+        const mnemonic = await this.getSeed();
+        const { mnemonicToSeedSync } = await import('bip39');
+        const { default: HDKey } = await import('hdkey');
+        const { privateKeyToAccount } = await import('viem/accounts');
+        const seed = mnemonicToSeedSync(mnemonic);
+        const hdkey = HDKey.fromMasterSeed(seed);
+        const child = hdkey.derive("m/44'/60'/0'/0/0");
+        if (!child.privateKey)
+            throw new Error('Key derivation failed');
+        const account = privateKeyToAccount(`0x${child.privateKey.toString('hex')}`);
+        return account.signMessage({ message: payload });
+    }
+}
+exports.WalletManager = WalletManager;
+//# sourceMappingURL=wallet.js.map

package/dist/server/payments/wallet.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wallet.js","sourceRoot":"","sources":["../../../src/server/payments/wallet.ts"],"names":[],"mappings":";;;AAAA,mDAAmD;AAEnD,MAAM,gBAAgB,GAAG,UAAU,CAAC;AACpC,MAAM,gBAAgB,GAAG,aAAa,CAAC;AAOvC,MAAa,aAAa;IAChB,MAAM,CAAC,QAAQ,CAAgB;IAC/B,aAAa,GAAkB,IAAI,CAAC;IACpC,UAAU,GAAkB,IAAI,CAAC;IAEzC,gBAAuB,CAAC;IAExB,MAAM,CAAC,WAAW;QAChB,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,CAAC;YAC5B,aAAa,CAAC,QAAQ,GAAG,IAAI,aAAa,EAAE,CAAC;QAC/C,CAAC;QACD,OAAO,aAAa,CAAC,QAAQ,CAAC;IAChC,CAAC;IAED,4FAA4F;IACpF,KAAK,CAAC,SAAS;QACrB,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;YAClC,OAAO,MAAM,EAAE,CAAC,WAAW,CAAC,gBAAgB,EAAE,gBAAgB,CAAC,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,SAAS,CAAC,KAAa;QACnC,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;YAClC,MAAM,EAAE,CAAC,WAAW,CAAC,gBAAgB,EAAE,gBAAgB,EAAE,KAAK,CAAC,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,yDAAyD;QAC3D,CAAC;IACH,CAAC;IAED,4BAA4B;IAC5B,+CAA+C;IAC/C,mEAAmE;IACnE,wDAAwD;IACxD,mDAAmD;IACnD,KAAK,CAAC,OAAO;QACX,IAAI,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC,UAAU,CAAC;QAE5C,MAAM,KAAK,GAAG,sBAAW,CAAC,WAAW,EAAE,CAAC;QAExC,IAAI,IAAI,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QAElC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YAC3C,IAAI,OAAO,EAAE,CAAC;gBACZ,IAAI,GAAG,OAAO,CAAC;gBACf,KAAK,CAAC,IAAI,CAAC,iBAAiB,EAAE,EAAE,IAAI,EAAE,+CAA+C,EAAE,CAAC,CAAC;YAC3F,CAAC;iBAAM,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,YAAY,EAAE,CAAC;gBACrF,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;gBACrC,KAAK,CAAC,IAAI,CAAC,oBAAoB,EAAE,EAAE,IAAI,EAAE,oDAAoD,EAAE,CAAC,CAAC;YACnG,CAAC;iBAAM,CAAC;gBACN,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,CAAC;gBACnD,IAAI,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;gBAC7B,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;gBAC3B,KAAK,CAAC,IAAI,CAAC,gBAAgB,EAAE,EAAE,IAAI,EAAE,4BAA4B,EAAE,CAAC,CAAC;YACvE,CAAC;QACH,CAAC;QAED,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,iBAAiB;QACrB,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,aAAa,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QACxD,CAAC;QAED,MAAM,KAAK,GAAG,sBAAW,CAAC,WAAW,EAAE,CAAC;QACxC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QAClC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;QAC/C,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC;QAC7B,KAAK,CAAC,IAAI,CAAC,eAAe,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;QACzC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;IACpC,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,QAAgB;QAC1C,iEAAiE;QACjE,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,CAAC;QACrD,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,CAAC;QACjD,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;QAE9D,MAAM,IAAI,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAC1C,MAAM,KAAK,GAAG,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QACzC,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC;QAE/C,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QAED,MAAM,OAAO,GAAG,mBAAmB,CAAC,KAAK,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC7E,OAAO,OAAO,CAAC,OAAO,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,OAAe;QAC/B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QAEtC,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,CAAC;QACrD,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,CAAC;QACjD,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;QAE9D,MAAM,IAAI,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAC1C,MAAM,KAAK,GAAG,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QACzC,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC;QAE/C,IAAI,CAAC,KAAK,CAAC,UAAU;YAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAEhE,MAAM,OAAO,GAAG,mBAAmB,CAAC,KAAK,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC7E,OAAO,OAAO,CAAC,WAAW,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IACnD,CAAC;CACF;AAhHD,sCAgHC"}

package/dist/server/payments/x402.d.ts

@@ -0,0 +1,55 @@
+import { z } from 'zod';
+export declare const PaymentConfigSchema: z.ZodObject<{
+    price: z.ZodString;
+    currency: z.ZodEnum<["USDC", "RLUSD"]>;
+    toolName: z.ZodString;
+    walletAddress: z.ZodOptional<z.ZodString>;
+    paymentProof: z.ZodOptional<z.ZodObject<{
+        txHash: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        txHash: string;
+    }, {
+        txHash: string;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    currency: "USDC" | "RLUSD";
+    price: string;
+    toolName: string;
+    walletAddress?: string | undefined;
+    paymentProof?: {
+        txHash: string;
+    } | undefined;
+}, {
+    currency: "USDC" | "RLUSD";
+    price: string;
+    toolName: string;
+    walletAddress?: string | undefined;
+    paymentProof?: {
+        txHash: string;
+    } | undefined;
+}>;
+export type PaymentConfig = z.infer<typeof PaymentConfigSchema>;
+export interface PaymentResult {
+    receiptId: string;
+    txHash: string;
+    chain: string;
+    amountPaid: string;
+    currency: string;
+    timestamp: number;
+    walletAddress: string;
+}
+/** Resolve the address that collects USDC for paid tool calls. */
+export declare function getPaymentReceiver(): string;
+export declare function executeX402Payment(config: PaymentConfig): Promise<PaymentResult>;
+/**
+ * Brokered payment for APM-executed tools (apm_execute). The amount is the
+ * price-locked quote value + brokerage; its integrity is guaranteed by the
+ * SML-signed quote verified upstream — NOT by the price registry. Mirrors the
+ * settlement steps of executeX402Payment (cap, credit, AP2, route, receipt).
+ * Never call without a verified, unexpired quote.
+ */
+export declare function executeBrokeredPayment(params: {
+    amount: string;
+    toolName: string;
+}): Promise<PaymentResult>;
+//# sourceMappingURL=x402.d.ts.map

package/dist/server/payments/x402.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"x402.d.ts","sourceRoot":"","sources":["../../../src/server/payments/x402.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAUxB,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAQ9B,CAAC;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEhE,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;CACvB;AAgBD,kEAAkE;AAClE,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAqBD,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,aAAa,GACpB,OAAO,CAAC,aAAa,CAAC,CAoJxB;AAED;;;;;;GAMG;AACH,wBAAsB,sBAAsB,CAAC,MAAM,EAAE;IACnD,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB,GAAG,OAAO,CAAC,aAAa,CAAC,CA8DzB"}