@skillauditor/client 0.1.0

package/README.md

@@ -0,0 +1,140 @@
+# @skillauditor/client
+
+Agent SDK for [SkillAuditor](https://skillauditor.xyz) — verify that an AI skill (SKILL.md) is safe before loading it into your agent.
+
+One call. Handles World AgentKit auth, x402 payments, polling, and live terminal logging automatically.
+
+## Install
+
+```bash
+npm install @skillauditor/client
+```
+
+## Usage
+
+### Quick start (dev mode — no keys needed)
+
+```ts
+import { SkillAuditorClient } from '@skillauditor/client'
+
+const client = new SkillAuditorClient()
+const result = await client.verifySkill(skillContent)
+// throws SkillRejectedError if verdict != safe or score < 70
+```
+
+### Production
+
+```ts
+import { SkillAuditorClient } from '@skillauditor/client'
+
+const client = new SkillAuditorClient({
+  privateKey: process.env.AGENT_PRIVATE_KEY, // EVM key for World AgentKit SIWE
+  tier: 'pro',                               // onchain stamp + ENS subname
+  paymentHandler: async (req) => {           // called on HTTP 402 — return X-Payment header
+    return await wallet.payX402(req)
+  },
+})
+
+const result = await client.verifySkill(skillContent)
+console.log(result.verdict)    // "safe" | "unsafe" | "review_required"
+console.log(result.score)      // 0-100
+console.log(result.ensSubname) // "a1b2c3d4.skills.skillauditor.eth"
+```
+
+### Guard pattern
+
+```ts
+if (await client.isSafe(skillContent)) {
+  loadSkill(skillContent)
+}
+```
+
+### Check without submitting
+
+```ts
+const cached = await client.checkVerified(skillContent)
+if (cached.verified) {
+  // already audited — use cached result, no new audit kicked off
+}
+```
+
+## Options
+
+```ts
+new SkillAuditorClient({
+  apiUrl?:         string                      // default: http://localhost:3001
+  privateKey?:     string                      // "dev" skips signing (local only)
+  tier?:           'free' | 'pro'              // default: "free"
+  paymentHandler?: (req) => Promise<string>    // required for tier: "pro" in prod
+  logs?:           true | 'verbose' | false    // default: true
+  onProgress?:     (event) => void             // custom progress handler
+  pollIntervalMs?: number                      // default: 3000
+  timeoutMs?:      number                      // default: 300000 (5 min)
+  rejectOnUnsafe?: boolean                     // default: true
+})
+```
+
+### Terminal logging
+
+```
+▶  Auditing: My GitHub Skill  [audit-abc123]  tier=free
+   ✔  Stage 1 — Structural extraction complete
+   ✔  Stage 2 — Content analysis complete
+   ✔  Stage 3 — Sandbox simulation complete
+   ✔  Stage 4 — Verdict synthesis complete
+✔  SAFE  score=92/100
+```
+
+- `logs: true` (default) — stage transitions only
+- `logs: 'verbose'` — every sandbox tool call included
+- `logs: false` — silent
+
+## Result shape
+
+```ts
+interface VerifyResult {
+  verified:    boolean
+  verdict:     'safe' | 'unsafe' | 'review_required'
+  score:       number           // 0-100
+  auditId:     string
+  skillHash:   string           // 0x-prefixed SHA-256
+  auditedAt:   string           // ISO timestamp
+  ensSubname?: string           // set for Pro tier audits
+  onchainStamp?: {
+    txHash:          string
+    chainId:         number
+    contractAddress: string
+    ensName:         string | null
+    stampedAt:       string
+  }
+}
+```
+
+## Errors
+
+```ts
+import { SkillRejectedError, AuditTimeoutError, PaymentError } from '@skillauditor/client'
+
+try {
+  await client.verifySkill(content)
+} catch (err) {
+  if (err instanceof SkillRejectedError) {
+    console.log(err.verdict, err.score)  // "unsafe", 23
+  }
+  if (err instanceof AuditTimeoutError) {
+    // audit took > timeoutMs
+  }
+  if (err instanceof PaymentError) {
+    // x402 payment failed
+  }
+}
+```
+
+## How it works
+
+1. `POST /v1/verify` — fast path, returns immediately if already audited
+2. `POST /v1/agent/submit` — kicks off 4-stage pipeline (structural → content → sandbox → verdict)
+3. Polls `GET /v1/audits/:id/logs` with live progress events until complete
+4. Returns `VerifyResult` — or throws `SkillRejectedError` if unsafe
+
+The wallet at `privateKey` must be registered in [World AgentBook](https://docs.world.org/agentkit) for production use. In dev mode (`privateKey: 'dev'`), the server bypass is used — no registration needed.

package/dist/agentkit.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Build the `agentkit` header value for a request to a given URL.
+ *
+ * @param privateKey  Hex private key ("0x...") or "dev" for local bypass
+ * @param resourceUrl The full URL of the endpoint being called
+ */
+export declare function buildAgentkitHeader(privateKey: string, resourceUrl: string): Promise<string>;
+//# sourceMappingURL=agentkit.d.ts.map

package/dist/agentkit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agentkit.d.ts","sourceRoot":"","sources":["../src/agentkit.ts"],"names":[],"mappings":"AAwCA;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,MAAM,CAAC,CA4CjB"}

package/dist/agentkit.js

@@ -0,0 +1,77 @@
+// Builds the `agentkit` request header required by /v1/agent/submit.
+//
+// In dev mode (privateKey === 'dev' or WORLD_CHAIN_RPC_URL is absent on the server):
+//   header value → "dev:<walletAddress>"
+//   The server accepts this without signature verification.
+//
+// In prod mode (a real hex private key is supplied):
+//   1. Derive the EVM address from the private key
+//   2. Build a SIWE message using @worldcoin/agentkit's formatSIWEMessage
+//   3. Sign the message with viem's signMessage (EIP-191)
+//   4. JSON-encode the AgentkitPayload and base64-encode for the header
+//
+// The wallet must be registered in World AgentBook before prod calls will succeed:
+//   npx @worldcoin/agentkit-cli register <wallet-address>
+import { formatSIWEMessage } from '@worldcoin/agentkit';
+import { privateKeyToAccount, } from 'viem/accounts';
+import { createHash, randomBytes } from 'crypto';
+// CAIP-2 chain ID for World Chain mainnet (chainId 480)
+const WORLD_CHAIN_ID = 'eip155:480';
+function nonce() {
+    return randomBytes(16).toString('hex');
+}
+function isDevKey(privateKey) {
+    return privateKey === 'dev' || privateKey.startsWith('dev:');
+}
+function deriveDevAddress(privateKey) {
+    // Deterministic fake address from the dev key string so the server
+    // gets a stable identity across requests in the same session.
+    const hash = createHash('sha256').update(privateKey).digest('hex');
+    return `0x${hash.slice(0, 40)}`;
+}
+/**
+ * Build the `agentkit` header value for a request to a given URL.
+ *
+ * @param privateKey  Hex private key ("0x...") or "dev" for local bypass
+ * @param resourceUrl The full URL of the endpoint being called
+ */
+export async function buildAgentkitHeader(privateKey, resourceUrl) {
+    if (isDevKey(privateKey)) {
+        const address = deriveDevAddress(privateKey);
+        return `dev:${address}`;
+    }
+    const key = privateKey.startsWith('0x') ? privateKey : `0x${privateKey}`;
+    const account = privateKeyToAccount(key);
+    const url = new URL(resourceUrl);
+    const domain = url.host;
+    const now = new Date();
+    const exp = new Date(now.getTime() + 5 * 60 * 1_000); // 5 minute window
+    // CompleteAgentkitInfo fields expected by formatSIWEMessage
+    const info = {
+        domain,
+        uri: resourceUrl,
+        version: '1',
+        nonce: nonce(),
+        issuedAt: now.toISOString(),
+        expirationTime: exp.toISOString(),
+        chainId: WORLD_CHAIN_ID,
+        type: 'eip191',
+    };
+    const message = formatSIWEMessage(info, account.address);
+    const signature = await account.signMessage({ message });
+    // AgentkitPayload shape that parseAgentkitHeader expects
+    const payload = {
+        domain: info.domain,
+        address: account.address,
+        uri: info.uri,
+        version: info.version,
+        chainId: info.chainId,
+        type: info.type,
+        nonce: info.nonce,
+        issuedAt: info.issuedAt,
+        expirationTime: info.expirationTime,
+        signature,
+    };
+    return Buffer.from(JSON.stringify(payload)).toString('base64');
+}
+//# sourceMappingURL=agentkit.js.map

package/dist/agentkit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agentkit.js","sourceRoot":"","sources":["../src/agentkit.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,EAAE;AACF,qFAAqF;AACrF,yCAAyC;AACzC,4DAA4D;AAC5D,EAAE;AACF,qDAAqD;AACrD,mDAAmD;AACnD,0EAA0E;AAC1E,0DAA0D;AAC1D,wEAAwE;AACxE,EAAE;AACF,mFAAmF;AACnF,0DAA0D;AAE1D,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AACvD,OAAO,EACL,mBAAmB,GAEpB,MAAM,eAAe,CAAA;AACtB,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAA;AAEhD,wDAAwD;AACxD,MAAM,cAAc,GAAG,YAAY,CAAA;AAEnC,SAAS,KAAK;IACZ,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;AACxC,CAAC;AAED,SAAS,QAAQ,CAAC,UAAkB;IAClC,OAAO,UAAU,KAAK,KAAK,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,CAAA;AAC9D,CAAC;AAED,SAAS,gBAAgB,CAAC,UAAkB;IAC1C,mEAAmE;IACnE,8DAA8D;IAC9D,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAClE,OAAO,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAA;AACjC,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,UAAkB,EAClB,WAAmB;IAEnB,IAAI,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAA;QAC5C,OAAO,OAAO,OAAO,EAAE,CAAA;IACzB,CAAC;IAED,MAAM,GAAG,GAAO,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,UAAU,EAAE,CAAA;IAC5E,MAAM,OAAO,GAAG,mBAAmB,CAAC,GAAoB,CAAC,CAAA;IAEzD,MAAM,GAAG,GAAO,IAAI,GAAG,CAAC,WAAW,CAAC,CAAA;IACpC,MAAM,MAAM,GAAI,GAAG,CAAC,IAAI,CAAA;IACxB,MAAM,GAAG,GAAO,IAAI,IAAI,EAAE,CAAA;IAC1B,MAAM,GAAG,GAAO,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,CAAA,CAAC,kBAAkB;IAE3E,4DAA4D;IAC5D,MAAM,IAAI,GAAG;QACX,MAAM;QACN,GAAG,EAAa,WAAW;QAC3B,OAAO,EAAS,GAAG;QACnB,KAAK,EAAW,KAAK,EAAE;QACvB,QAAQ,EAAQ,GAAG,CAAC,WAAW,EAAE;QACjC,cAAc,EAAE,GAAG,CAAC,WAAW,EAAE;QACjC,OAAO,EAAS,cAAc;QAC9B,IAAI,EAAY,QAAiB;KAClC,CAAA;IAED,MAAM,OAAO,GAAK,iBAAiB,CAAC,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,CAAA;IAC1D,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,EAAE,OAAO,EAAE,CAAC,CAAA;IAExD,yDAAyD;IACzD,MAAM,OAAO,GAAG;QACd,MAAM,EAAU,IAAI,CAAC,MAAM;QAC3B,OAAO,EAAS,OAAO,CAAC,OAAO;QAC/B,GAAG,EAAa,IAAI,CAAC,GAAG;QACxB,OAAO,EAAS,IAAI,CAAC,OAAO;QAC5B,OAAO,EAAS,IAAI,CAAC,OAAO;QAC5B,IAAI,EAAY,IAAI,CAAC,IAAI;QACzB,KAAK,EAAW,IAAI,CAAC,KAAK;QAC1B,QAAQ,EAAQ,IAAI,CAAC,QAAQ;QAC7B,cAAc,EAAE,IAAI,CAAC,cAAc;QACnC,SAAS;KACV,CAAA;IAED,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;AAChE,CAAC"}

package/dist/client.d.ts

@@ -0,0 +1,100 @@
+import { type PaymentHandler } from './x402.js';
+import { type VerifyResult, type ProgressEvent } from './poller.js';
+import { type LogsOption } from './logger.js';
+export type { LogsOption };
+export interface SkillAuditorClientOptions {
+    /**
+     * Base URL of the SkillAuditor API.
+     * Defaults to http://localhost:3001 for local development.
+     */
+    apiUrl?: string;
+    /**
+     * EVM private key for World AgentKit SIWE signing ("0x...").
+     * Pass "dev" (or omit) to use the dev bypass — no signing, no AgentBook required.
+     */
+    privateKey?: string;
+    /**
+     * "free" (default) — LLM audit only, no onchain stamp, no payment required.
+     * "pro"            — full audit + onchain stamp + ENS subname, requires $9 USDC payment.
+     */
+    tier?: 'free' | 'pro';
+    /**
+     * Required when tier = "pro". Receives the x402 payment requirements and
+     * must return an X-Payment receipt string. See src/x402.ts for details.
+     */
+    paymentHandler?: PaymentHandler;
+    /**
+     * Controls terminal log output.
+     *
+     *   true (default)  — normal: stage transitions + warnings, no per-tool-call noise
+     *   'verbose'       — everything, including every sandbox tool call
+     *   false           — silent: no terminal output at all
+     *
+     * You can also supply a custom onProgress callback instead for full control.
+     * If both logs and onProgress are provided, onProgress takes precedence.
+     */
+    logs?: LogsOption;
+    /**
+     * Custom progress handler. Overrides the built-in console logger.
+     * Called for each pipeline log entry while the audit is running.
+     */
+    onProgress?: (event: ProgressEvent) => void;
+    /**
+     * How often to check audit status. Default: 3000ms.
+     */
+    pollIntervalMs?: number;
+    /**
+     * Abort and throw AuditTimeoutError after this many ms. Default: 5 minutes.
+     */
+    timeoutMs?: number;
+    /**
+     * When true (default), throw SkillRejectedError if verdict != "safe" or score < 70.
+     * Set to false to receive the result regardless of verdict.
+     */
+    rejectOnUnsafe?: boolean;
+}
+export interface VerifyOptions {
+    /** Override the instance-level tier for this call only. */
+    tier?: 'free' | 'pro';
+    /** Override the instance-level logs setting for this call only. */
+    logs?: LogsOption;
+    /** Override the instance-level onProgress for this call only. */
+    onProgress?: (event: ProgressEvent) => void;
+}
+export declare class SkillAuditorClient {
+    private readonly apiUrl;
+    private readonly privateKey;
+    private readonly tier;
+    private readonly paymentHandler;
+    private readonly logs;
+    private readonly onProgress;
+    private readonly pollIntervalMs;
+    private readonly timeoutMs;
+    private readonly rejectOnUnsafe;
+    constructor(opts?: SkillAuditorClientOptions);
+    /**
+     * Verify a skill is safe before using it.
+     *
+     * Flow:
+     *   1. POST /v1/verify — if already stamped and safe, return immediately (fast path)
+     *   2. POST /v1/agent/submit — kick off the audit pipeline
+     *      - Auto-builds World AgentKit SIWE header from privateKey
+     *      - Auto-handles x402: if 402 received, pays via paymentHandler and retries
+     *   3. Poll /v1/audits/:auditId until complete (with live log streaming to stdout)
+     *   4. Return VerifyResult — or throw SkillRejectedError if verdict is not safe
+     */
+    verifySkill(skillContent: string, opts?: VerifyOptions): Promise<VerifyResult>;
+    /**
+     * Check if a skill has already been audited and verified, without submitting.
+     * Returns verified: false (with null verdict/score) if no audit exists yet.
+     */
+    checkVerified(skillContent: string): Promise<VerifyResult>;
+    /**
+     * Like verifySkill, but returns false instead of throwing when the skill
+     * is unsafe. Useful for conditional loading logic.
+     *
+     *   if (await client.isSafe(skillContent)) { loadSkill() }
+     */
+    isSafe(skillContent: string, opts?: VerifyOptions): Promise<boolean>;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAsBA,OAAO,EAAiB,KAAK,cAAc,EAAE,MAA2B,WAAW,CAAA;AACnF,OAAO,EAAqB,KAAK,YAAY,EAAE,KAAK,aAAa,EAAE,MAAM,aAAa,CAAA;AAEtF,OAAO,EAKL,KAAK,UAAU,EAChB,MAAM,aAAa,CAAA;AAEpB,YAAY,EAAE,UAAU,EAAE,CAAA;AAE1B,MAAM,WAAW,yBAAyB;IACxC;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAA;IAEf;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,GAAG,KAAK,CAAA;IAErB;;;OAGG;IACH,cAAc,CAAC,EAAE,cAAc,CAAA;IAE/B;;;;;;;;;OASG;IACH,IAAI,CAAC,EAAE,UAAU,CAAA;IAEjB;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAA;IAE3C;;OAEG;IACH,cAAc,CAAC,EAAE,MAAM,CAAA;IAEvB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAA;IAElB;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,CAAA;CACzB;AAED,MAAM,WAAW,aAAa;IAC5B,2DAA2D;IAC3D,IAAI,CAAC,EAAE,MAAM,GAAG,KAAK,CAAA;IACrB,mEAAmE;IACnE,IAAI,CAAC,EAAE,UAAU,CAAA;IACjB,iEAAiE;IACjE,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAA;CAC5C;AAED,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgB;IACvC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAY;IACvC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAA0B;IAC/C,OAAO,CAAC,QAAQ,CAAC,cAAc,CAA4B;IAC3D,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAsB;IAC3C,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA8C;IACzE,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAQ;IACvC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAa;IACvC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAS;gBAE5B,IAAI,GAAE,yBAA8B;IAYhD;;;;;;;;;;OAUG;IACG,WAAW,CACf,YAAY,EAAE,MAAM,EACpB,IAAI,GAAE,aAAkB,GACvB,OAAO,CAAC,YAAY,CAAC;IAkExB;;;OAGG;IACG,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IA2BhE;;;;;OAKG;IACG,MAAM,CAAC,YAAY,EAAE,MAAM,EAAE,IAAI,GAAE,aAAkB,GAAG,OAAO,CAAC,OAAO,CAAC;CAS/E"}

package/dist/client.js

@@ -0,0 +1,153 @@
+// SkillAuditorClient — single-call agent SDK for SkillAuditor.
+//
+// Hides all protocol complexity so any agent (Claude Code, custom LLM agent,
+// CI pipeline) can verify a skill with one method call and zero knowledge of
+// World AgentKit, x402, or polling.
+//
+// Usage (dev mode — no real keys needed):
+//   const client = new SkillAuditorClient({ privateKey: 'dev' })
+//   const result = await client.verifySkill(skillContent)
+//
+// Usage (prod mode):
+//   const client = new SkillAuditorClient({
+//     privateKey: process.env.AGENT_PRIVATE_KEY!,
+//     tier: 'pro',
+//     paymentHandler: (req) => getPaymentHeader(req, wallet),
+//   })
+//   const result = await client.verifySkill(skillContent)
+//
+// The wallet at privateKey must be registered in World AgentBook for prod:
+//   npx @worldcoin/agentkit-cli register <wallet-address>
+import { buildAgentkitHeader } from './agentkit.js';
+import { fetchWithX402 } from './x402.js';
+import { pollUntilComplete } from './poller.js';
+import { SkillRejectedError } from './errors.js';
+import { createConsoleLogger, printAuditHeader, printAuditResult, printAuditRejected, } from './logger.js';
+export class SkillAuditorClient {
+    apiUrl;
+    privateKey;
+    tier;
+    paymentHandler;
+    logs;
+    onProgress;
+    pollIntervalMs;
+    timeoutMs;
+    rejectOnUnsafe;
+    constructor(opts = {}) {
+        this.apiUrl = (opts.apiUrl ?? 'http://localhost:3001').replace(/\/$/, '');
+        this.privateKey = opts.privateKey ?? 'dev';
+        this.tier = opts.tier ?? 'free';
+        this.paymentHandler = opts.paymentHandler;
+        this.logs = opts.logs ?? true; // on by default
+        this.onProgress = opts.onProgress;
+        this.pollIntervalMs = opts.pollIntervalMs ?? 3_000;
+        this.timeoutMs = opts.timeoutMs ?? 5 * 60 * 1_000;
+        this.rejectOnUnsafe = opts.rejectOnUnsafe ?? true;
+    }
+    /**
+     * Verify a skill is safe before using it.
+     *
+     * Flow:
+     *   1. POST /v1/verify — if already stamped and safe, return immediately (fast path)
+     *   2. POST /v1/agent/submit — kick off the audit pipeline
+     *      - Auto-builds World AgentKit SIWE header from privateKey
+     *      - Auto-handles x402: if 402 received, pays via paymentHandler and retries
+     *   3. Poll /v1/audits/:auditId until complete (with live log streaming to stdout)
+     *   4. Return VerifyResult — or throw SkillRejectedError if verdict is not safe
+     */
+    async verifySkill(skillContent, opts = {}) {
+        const tier = opts.tier ?? this.tier;
+        const logsLevel = opts.logs ?? this.logs;
+        // Explicit onProgress overrides the built-in logger
+        const onProgress = opts.onProgress ?? this.onProgress ?? createConsoleLogger(logsLevel);
+        const silent = logsLevel === false && !opts.onProgress && !this.onProgress;
+        // ── Fast path: already verified ────────────────────────────────────────────
+        const cached = await this.checkVerified(skillContent);
+        if (cached.verified) {
+            if (!silent)
+                printAuditResult(cached);
+            return cached;
+        }
+        // ── Submit for audit ────────────────────────────────────────────────────────
+        const submitUrl = `${this.apiUrl}/v1/agent/submit`;
+        const agentkit = await buildAgentkitHeader(this.privateKey, submitUrl);
+        const body = JSON.stringify({ skillContent, tier });
+        const submitRes = await fetchWithX402(submitUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'agentkit': agentkit,
+            },
+            body,
+        }, tier === 'pro' ? this.paymentHandler : undefined);
+        if (!submitRes.ok && submitRes.status !== 202) {
+            const err = await submitRes.json().catch(() => ({ error: submitRes.statusText }));
+            throw new Error(`Skill submission failed (${submitRes.status}): ${err.error}`);
+        }
+        const { auditId, skillHash } = await submitRes.json();
+        // ── Print header now that we have auditId + skillHash ──────────────────────
+        // Extract skill name from frontmatter if possible (simple regex — no dep needed)
+        const nameMatch = skillContent.match(/^name\s*:\s*(.+)$/m);
+        const skillName = nameMatch?.[1]?.trim() ?? skillHash.slice(0, 10) + '…';
+        if (!silent)
+            printAuditHeader(skillName, auditId, tier);
+        // ── Poll until done ─────────────────────────────────────────────────────────
+        let result;
+        try {
+            result = await pollUntilComplete(this.apiUrl, auditId, {
+                intervalMs: this.pollIntervalMs,
+                timeoutMs: this.timeoutMs,
+                onProgress,
+                rejectOnUnsafe: this.rejectOnUnsafe,
+            });
+        }
+        catch (err) {
+            if (err instanceof SkillRejectedError && !silent) {
+                printAuditRejected(err.verdict, err.score);
+            }
+            throw err;
+        }
+        if (!silent)
+            printAuditResult(result);
+        return result;
+    }
+    /**
+     * Check if a skill has already been audited and verified, without submitting.
+     * Returns verified: false (with null verdict/score) if no audit exists yet.
+     */
+    async checkVerified(skillContent) {
+        const res = await fetch(`${this.apiUrl}/v1/verify`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ skillContent }),
+        });
+        const data = await res.json();
+        return {
+            verified: data.verified,
+            verdict: (data.verdict ?? 'unsafe'),
+            score: data.score ?? 0,
+            auditId: data.auditId ?? '',
+            skillHash: data.skillHash,
+            auditedAt: data.auditedAt ?? '',
+            ensSubname: data.ensSubname ?? undefined,
+        };
+    }
+    /**
+     * Like verifySkill, but returns false instead of throwing when the skill
+     * is unsafe. Useful for conditional loading logic.
+     *
+     *   if (await client.isSafe(skillContent)) { loadSkill() }
+     */
+    async isSafe(skillContent, opts = {}) {
+        try {
+            const result = await this.verifySkill(skillContent, opts);
+            return result.verified;
+        }
+        catch (err) {
+            if (err instanceof SkillRejectedError)
+                return false;
+            throw err;
+        }
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,EAAE;AACF,6EAA6E;AAC7E,6EAA6E;AAC7E,oCAAoC;AACpC,EAAE;AACF,0CAA0C;AAC1C,iEAAiE;AACjE,0DAA0D;AAC1D,EAAE;AACF,qBAAqB;AACrB,4CAA4C;AAC5C,kDAAkD;AAClD,mBAAmB;AACnB,8DAA8D;AAC9D,OAAO;AACP,0DAA0D;AAC1D,EAAE;AACF,2EAA2E;AAC3E,0DAA0D;AAE1D,OAAO,EAAE,mBAAmB,EAAE,MAA0C,eAAe,CAAA;AACvF,OAAO,EAAE,aAAa,EAAuB,MAA2B,WAAW,CAAA;AACnF,OAAO,EAAE,iBAAiB,EAAyC,MAAM,aAAa,CAAA;AACtF,OAAO,EAAE,kBAAkB,EAAE,MAA2C,aAAa,CAAA;AACrF,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,GAEnB,MAAM,aAAa,CAAA;AAyEpB,MAAM,OAAO,kBAAkB;IACZ,MAAM,CAAgB;IACtB,UAAU,CAAY;IACtB,IAAI,CAA0B;IAC9B,cAAc,CAA4B;IAC1C,IAAI,CAAsB;IAC1B,UAAU,CAA8C;IACxD,cAAc,CAAQ;IACtB,SAAS,CAAa;IACtB,cAAc,CAAS;IAExC,YAAY,OAAkC,EAAE;QAC9C,IAAI,CAAC,MAAM,GAAW,CAAC,IAAI,CAAC,MAAM,IAAI,uBAAuB,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;QACjF,IAAI,CAAC,UAAU,GAAO,IAAI,CAAC,UAAU,IAAI,KAAK,CAAA;QAC9C,IAAI,CAAC,IAAI,GAAa,IAAI,CAAC,IAAI,IAAI,MAAM,CAAA;QACzC,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc,CAAA;QACzC,IAAI,CAAC,IAAI,GAAa,IAAI,CAAC,IAAI,IAAI,IAAI,CAAA,CAAU,gBAAgB;QACjE,IAAI,CAAC,UAAU,GAAO,IAAI,CAAC,UAAU,CAAA;QACrC,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc,IAAI,KAAK,CAAA;QAClD,IAAI,CAAC,SAAS,GAAQ,IAAI,CAAC,SAAS,IAAS,CAAC,GAAG,EAAE,GAAG,KAAK,CAAA;QAC3D,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc,IAAI,IAAI,CAAA;IACnD,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,WAAW,CACf,YAAoB,EACpB,OAAsB,EAAE;QAExB,MAAM,IAAI,GAAS,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,CAAA;QACzC,MAAM,SAAS,GAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,CAAA;QACzC,oDAAoD;QACpD,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,UAAU,IAAI,mBAAmB,CAAC,SAAS,CAAC,CAAA;QACvF,MAAM,MAAM,GAAO,SAAS,KAAK,KAAK,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,UAAU,CAAA;QAE9E,8EAA8E;QAC9E,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,CAAA;QACrD,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,IAAI,CAAC,MAAM;gBAAE,gBAAgB,CAAC,MAAM,CAAC,CAAA;YACrC,OAAO,MAAM,CAAA;QACf,CAAC;QAED,+EAA+E;QAC/E,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,MAAM,kBAAkB,CAAA;QAClD,MAAM,QAAQ,GAAI,MAAM,mBAAmB,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,CAAC,CAAA;QAEvE,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAA;QAEnD,MAAM,SAAS,GAAG,MAAM,aAAa,CACnC,SAAS,EACT;YACE,MAAM,EAAG,MAAM;YACf,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,UAAU,EAAM,QAAQ;aACzB;YACD,IAAI;SACL,EACD,IAAI,KAAK,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,SAAS,CACjD,CAAA;QAED,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,SAAS,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC9C,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC,CAAsB,CAAA;YACtG,MAAM,IAAI,KAAK,CAAC,4BAA4B,SAAS,CAAC,MAAM,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC,CAAA;QAChF,CAAC;QAED,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,MAAM,SAAS,CAAC,IAAI,EAA4C,CAAA;QAE/F,8EAA8E;QAC9E,iFAAiF;QACjF,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAA;QAC1D,MAAM,SAAS,GAAG,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAA;QACxE,IAAI,CAAC,MAAM;YAAE,gBAAgB,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,CAAA;QAEvD,+EAA+E;QAC/E,IAAI,MAAoB,CAAA;QACxB,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE;gBACrD,UAAU,EAAM,IAAI,CAAC,cAAc;gBACnC,SAAS,EAAO,IAAI,CAAC,SAAS;gBAC9B,UAAU;gBACV,cAAc,EAAE,IAAI,CAAC,cAAc;aACpC,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,kBAAkB,IAAI,CAAC,MAAM,EAAE,CAAC;gBACjD,kBAAkB,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,CAAA;YAC5C,CAAC;YACD,MAAM,GAAG,CAAA;QACX,CAAC;QAED,IAAI,CAAC,MAAM;YAAE,gBAAgB,CAAC,MAAM,CAAC,CAAA;QACrC,OAAO,MAAM,CAAA;IACf,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,aAAa,CAAC,YAAoB;QACtC,MAAM,GAAG,GAAI,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,MAAM,YAAY,EAAE;YACnD,MAAM,EAAG,MAAM;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAK,IAAI,CAAC,SAAS,CAAC,EAAE,YAAY,EAAE,CAAC;SAC1C,CAAC,CAAA;QACF,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAQ1B,CAAA;QAED,OAAO;YACL,QAAQ,EAAI,IAAI,CAAC,QAAQ;YACzB,OAAO,EAAK,CAAC,IAAI,CAAC,OAAO,IAAI,QAAQ,CAA4B;YACjE,KAAK,EAAO,IAAI,CAAC,KAAK,IAAI,CAAC;YAC3B,OAAO,EAAK,IAAI,CAAC,OAAO,IAAI,EAAE;YAC9B,SAAS,EAAG,IAAI,CAAC,SAAS;YAC1B,SAAS,EAAG,IAAI,CAAC,SAAS,IAAI,EAAE;YAChC,UAAU,EAAE,IAAI,CAAC,UAAU,IAAI,SAAS;SACzC,CAAA;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,MAAM,CAAC,YAAoB,EAAE,OAAsB,EAAE;QACzD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,YAAY,EAAE,IAAI,CAAC,CAAA;YACzD,OAAO,MAAM,CAAC,QAAQ,CAAA;QACxB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,kBAAkB;gBAAE,OAAO,KAAK,CAAA;YACnD,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;CACF"}

package/dist/errors.d.ts

@@ -0,0 +1,15 @@
+export declare class SkillRejectedError extends Error {
+    readonly verdict: string;
+    readonly score: number;
+    readonly auditId: string;
+    constructor(verdict: string, score: number, auditId: string);
+}
+export declare class AuditTimeoutError extends Error {
+    readonly auditId: string;
+    constructor(auditId: string, timeoutMs: number);
+}
+export declare class PaymentError extends Error {
+    readonly statusCode: number;
+    constructor(message: string, statusCode: number);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA,qBAAa,kBAAmB,SAAQ,KAAK;IAC3C,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;IACxB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;IACtB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;gBAEZ,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;CAO5D;AAED,qBAAa,iBAAkB,SAAQ,KAAK;IAC1C,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;gBAEZ,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM;CAK/C;AAED,qBAAa,YAAa,SAAQ,KAAK;IACrC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;gBAEf,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM;CAKhD"}

package/dist/errors.js

@@ -0,0 +1,29 @@
+export class SkillRejectedError extends Error {
+    verdict;
+    score;
+    auditId;
+    constructor(verdict, score, auditId) {
+        super(`Skill rejected: verdict=${verdict} score=${score}/100`);
+        this.name = 'SkillRejectedError';
+        this.verdict = verdict;
+        this.score = score;
+        this.auditId = auditId;
+    }
+}
+export class AuditTimeoutError extends Error {
+    auditId;
+    constructor(auditId, timeoutMs) {
+        super(`Audit ${auditId} did not complete within ${timeoutMs / 1000}s`);
+        this.name = 'AuditTimeoutError';
+        this.auditId = auditId;
+    }
+}
+export class PaymentError extends Error {
+    statusCode;
+    constructor(message, statusCode) {
+        super(message);
+        this.name = 'PaymentError';
+        this.statusCode = statusCode;
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAClC,OAAO,CAAQ;IACf,KAAK,CAAQ;IACb,OAAO,CAAQ;IAExB,YAAY,OAAe,EAAE,KAAa,EAAE,OAAe;QACzD,KAAK,CAAC,2BAA2B,OAAO,UAAU,KAAK,MAAM,CAAC,CAAA;QAC9D,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAA;QAChC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAA;QACtB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAA;QAClB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAA;IACxB,CAAC;CACF;AAED,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IACjC,OAAO,CAAQ;IAExB,YAAY,OAAe,EAAE,SAAiB;QAC5C,KAAK,CAAC,SAAS,OAAO,4BAA4B,SAAS,GAAG,IAAI,GAAG,CAAC,CAAA;QACtE,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAA;QAC/B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAA;IACxB,CAAC;CACF;AAED,MAAM,OAAO,YAAa,SAAQ,KAAK;IAC5B,UAAU,CAAQ;IAE3B,YAAY,OAAe,EAAE,UAAkB;QAC7C,KAAK,CAAC,OAAO,CAAC,CAAA;QACd,IAAI,CAAC,IAAI,GAAG,cAAc,CAAA;QAC1B,IAAI,CAAC,UAAU,GAAG,UAAU,CAAA;IAC9B,CAAC;CACF"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+export { SkillAuditorClient } from './client.js';
+export type { SkillAuditorClientOptions, VerifyOptions, LogsOption } from './client.js';
+export type { VerifyResult, ProgressEvent, AuditFinding, OnchainStamp } from './poller.js';
+export type { PaymentHandler, X402PaymentRequirements } from './x402.js';
+export { SkillRejectedError, AuditTimeoutError, PaymentError } from './errors.js';
+export { createConsoleLogger } from './logger.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAyC,aAAa,CAAA;AACnF,YAAY,EAAE,yBAAyB,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACvF,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1F,YAAY,EAAE,cAAc,EAAE,uBAAuB,EAAE,MAAe,WAAW,CAAA;AACjF,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAQ,aAAa,CAAA;AACnF,OAAO,EAAE,mBAAmB,EAAE,MAAyC,aAAa,CAAA"}

package/dist/index.js

@@ -0,0 +1,4 @@
+export { SkillAuditorClient } from './client.js';
+export { SkillRejectedError, AuditTimeoutError, PaymentError } from './errors.js';
+export { createConsoleLogger } from './logger.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAyC,aAAa,CAAA;AAInF,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAQ,aAAa,CAAA;AACnF,OAAO,EAAE,mBAAmB,EAAE,MAAyC,aAAa,CAAA"}

package/dist/logger.d.ts

@@ -0,0 +1,15 @@
+import type { ProgressEvent, VerifyResult } from './poller.js';
+export declare function printAuditHeader(skillName: string, auditId: string, tier: 'free' | 'pro'): void;
+export declare function printAuditResult(result: VerifyResult): void;
+export declare function printAuditRejected(verdict: string, score: number): void;
+export type LogsOption = boolean | 'verbose';
+/**
+ * Returns an onProgress callback that prints formatted pipeline logs to stdout.
+ *
+ * @param level
+ *   true      — normal: stage transitions + warnings (default)
+ *   'verbose' — everything, including every sandbox tool call
+ *   false     — silent: returns undefined (no callback)
+ */
+export declare function createConsoleLogger(level: LogsOption): ((event: ProgressEvent) => void) | undefined;
+//# sourceMappingURL=logger.d.ts.map

package/dist/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../src/logger.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AA6E9D,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,KAAK,GAAG,IAAI,CAS/F;AAID,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI,CAqB3D;AAED,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAUvE;AA0BD,MAAM,MAAM,UAAU,GAAG,OAAO,GAAG,SAAS,CAAA;AAE5C;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,UAAU,GAChB,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC,GAAG,SAAS,CAS9C"}

package/dist/logger.js

@@ -0,0 +1,146 @@
+// Terminal logger for the SkillAuditor audit pipeline.
+//
+// Mirrors the same stage labels, colors, and information hierarchy shown in the
+// web UI's Pipeline Logs panel so agents and terminal users see the same picture.
+//
+// Usage:
+//   new SkillAuditorClient({ logs: true })        // normal (default) — stage transitions + warnings
+//   new SkillAuditorClient({ logs: 'verbose' })   // verbose — every sandbox tool call too
+//   new SkillAuditorClient({ logs: false })        // silent — no output
+//
+// You can also use createConsoleLogger() directly as an onProgress callback:
+//   new SkillAuditorClient({ onProgress: createConsoleLogger('verbose') })
+// ── ANSI color codes ───────────────────────────────────────────────────────────
+// Only applied when stdout is a real TTY (not piped into a file or CI that
+// doesn't support ANSI). Falls back to plain text automatically.
+const tty = typeof process !== 'undefined' && process.stdout?.isTTY === true;
+const c = {
+    reset: tty ? '\x1b[0m' : '',
+    dim: tty ? '\x1b[2m' : '',
+    bold: tty ? '\x1b[1m' : '',
+    red: tty ? '\x1b[31m' : '',
+    green: tty ? '\x1b[32m' : '',
+    yellow: tty ? '\x1b[33m' : '',
+    blue: tty ? '\x1b[34m' : '',
+    cyan: tty ? '\x1b[36m' : '',
+    white: tty ? '\x1b[37m' : '',
+    gray: tty ? '\x1b[90m' : '',
+    // Bright variants
+    bRed: tty ? '\x1b[91m' : '',
+    bGreen: tty ? '\x1b[92m' : '',
+    bYellow: tty ? '\x1b[93m' : '',
+    bBlue: tty ? '\x1b[94m' : '',
+    bCyan: tty ? '\x1b[96m' : '',
+};
+// Stage → ANSI color, mirroring the UI:
+//   structural = sky     → cyan
+//   content    = violet  → blue
+//   sandbox    = orange  → yellow
+//   verdict    = emerald → green
+//   onchain    = blue    → bright blue
+//   pipeline   = zinc    → gray
+const STAGE_COLOR = {
+    structural: c.cyan,
+    content: c.blue,
+    sandbox: c.yellow,
+    verdict: c.bGreen,
+    onchain: c.bBlue,
+    pipeline: c.gray,
+};
+// Pad stage label to a fixed width so message columns align
+const STAGE_WIDTH = 10; // "structural" is the longest
+function stageLabel(stage) {
+    const padded = stage.padEnd(STAGE_WIDTH);
+    const color = STAGE_COLOR[stage] ?? c.gray;
+    return `${color}${padded}${c.reset}`;
+}
+// ── Timestamp ─────────────────────────────────────────────────────────────────
+function fmtTime(ts) {
+    return `${c.gray}${new Date(ts).toISOString().slice(11, 23)}${c.reset}`;
+}
+// ── Filtering ─────────────────────────────────────────────────────────────────
+// In normal mode, skip the noisy per-tool-call sandbox lines.
+// They look like "[run 1/3 · task] → toolName: target" or "  ← result snippet".
+// Warnings (scope violations, exfil attempts) are always shown.
+function isToolCallLine(msg) {
+    return msg.startsWith('[run ') || msg.startsWith('  ←');
+}
+function shouldShow(event, verbose) {
+    if (verbose)
+        return true;
+    if (event.stage === 'sandbox' && event.level === 'info' && isToolCallLine(event.message)) {
+        return false;
+    }
+    return true;
+}
+// ── Header ────────────────────────────────────────────────────────────────────
+export function printAuditHeader(skillName, auditId, tier) {
+    const tierLabel = tier === 'pro'
+        ? `${c.bCyan}pro${c.reset}`
+        : `${c.gray}free${c.reset}`;
+    process.stdout.write(`\n${c.bold}▶  SkillAuditor${c.reset}  auditing ${c.white}"${skillName}"${c.reset} (${tierLabel})\n` +
+        `${c.gray}   audit ${auditId}${c.reset}\n\n`);
+}
+// ── Result footer ─────────────────────────────────────────────────────────────
+export function printAuditResult(result) {
+    const { verdict, score, onchain, ensSubname } = result;
+    const icon = verdict === 'safe' ? `${c.bGreen}✔${c.reset}`
+        : verdict === 'review_required' ? `${c.bYellow}▲${c.reset}`
+            : `${c.bRed}✖${c.reset}`;
+    const verdictText = verdict === 'safe' ? `${c.bGreen}SAFE${c.reset}`
+        : verdict === 'review_required' ? `${c.bYellow}REVIEW REQUIRED${c.reset}`
+            : `${c.bRed}UNSAFE${c.reset}`;
+    const scoreColor = score >= 80 ? c.bGreen : score >= 60 ? c.bYellow : c.bRed;
+    let out = `\n${icon}  ${verdictText}  ${scoreColor}${score}/100${c.reset}\n`;
+    const ens = ensSubname ?? onchain?.ensName;
+    if (ens)
+        out += `   ${c.bBlue}ENS${c.reset}  ${ens}\n`;
+    if (onchain?.txHash)
+        out += `   ${c.gray}tx   ${onchain.txHash}${c.reset}\n`;
+    out += '\n';
+    process.stdout.write(out);
+}
+export function printAuditRejected(verdict, score) {
+    const icon = verdict === 'review_required' ? `${c.bYellow}▲${c.reset}` : `${c.bRed}✖${c.reset}`;
+    const verdictText = verdict === 'review_required'
+        ? `${c.bYellow}REVIEW REQUIRED${c.reset}`
+        : `${c.bRed}UNSAFE${c.reset}`;
+    const scoreColor = score >= 60 ? c.bYellow : c.bRed;
+    process.stdout.write(`\n${icon}  ${verdictText}  ${scoreColor}${score}/100${c.reset}\n\n`);
+}
+// ── Per-event renderer ────────────────────────────────────────────────────────
+function renderEvent(event) {
+    const { stage, level, message, ts } = event;
+    const time = fmtTime(ts);
+    const label = stageLabel(stage);
+    let prefix = '';
+    let msgColor = '';
+    if (level === 'warn') {
+        prefix = `${c.bYellow}⚠ ${c.reset}`;
+        msgColor = c.bYellow;
+    }
+    else if (level === 'error') {
+        prefix = `${c.bRed}✖ ${c.reset}`;
+        msgColor = c.bRed;
+    }
+    process.stdout.write(`   ${time}  ${label}  ${prefix}${msgColor}${message}${c.reset}\n`);
+}
+/**
+ * Returns an onProgress callback that prints formatted pipeline logs to stdout.
+ *
+ * @param level
+ *   true      — normal: stage transitions + warnings (default)
+ *   'verbose' — everything, including every sandbox tool call
+ *   false     — silent: returns undefined (no callback)
+ */
+export function createConsoleLogger(level) {
+    if (level === false)
+        return undefined;
+    const verbose = level === 'verbose';
+    return (event) => {
+        if (!shouldShow(event, verbose))
+            return;
+        renderEvent(event);
+    };
+}
+//# sourceMappingURL=logger.js.map

package/dist/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../src/logger.ts"],"names":[],"mappings":"AAAA,uDAAuD;AACvD,EAAE;AACF,gFAAgF;AAChF,kFAAkF;AAClF,EAAE;AACF,SAAS;AACT,qGAAqG;AACrG,2FAA2F;AAC3F,yEAAyE;AACzE,EAAE;AACF,6EAA6E;AAC7E,2EAA2E;AAI3E,kFAAkF;AAClF,2EAA2E;AAC3E,iEAAiE;AAEjE,MAAM,GAAG,GAAG,OAAO,OAAO,KAAK,WAAW,IAAI,OAAO,CAAC,MAAM,EAAE,KAAK,KAAK,IAAI,CAAA;AAE5E,MAAM,CAAC,GAAG;IACR,KAAK,EAAG,GAAG,CAAC,CAAC,CAAC,SAAS,CAAE,CAAC,CAAC,EAAE;IAC7B,GAAG,EAAK,GAAG,CAAC,CAAC,CAAC,SAAS,CAAE,CAAC,CAAC,EAAE;IAC7B,IAAI,EAAI,GAAG,CAAC,CAAC,CAAC,SAAS,CAAE,CAAC,CAAC,EAAE;IAC7B,GAAG,EAAK,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE;IAC7B,KAAK,EAAG,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE;IAC7B,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE;IAC7B,IAAI,EAAI,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE;IAC7B,IAAI,EAAI,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE;IAC7B,KAAK,EAAG,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE;IAC7B,IAAI,EAAI,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE;IAC7B,kBAAkB;IAClB,IAAI,EAAK,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE;IAC9B,MAAM,EAAG,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE;IAC9B,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE;IAC9B,KAAK,EAAI,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE;IAC9B,KAAK,EAAI,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE;CAC/B,CAAA;AAED,wCAAwC;AACxC,gCAAgC;AAChC,gCAAgC;AAChC,kCAAkC;AAClC,iCAAiC;AACjC,uCAAuC;AACvC,gCAAgC;AAChC,MAAM,WAAW,GAA2B;IAC1C,UAAU,EAAE,CAAC,CAAC,IAAI;IAClB,OAAO,EAAK,CAAC,CAAC,IAAI;IAClB,OAAO,EAAK,CAAC,CAAC,MAAM;IACpB,OAAO,EAAK,CAAC,CAAC,MAAM;IACpB,OAAO,EAAK,CAAC,CAAC,KAAK;IACnB,QAAQ,EAAI,CAAC,CAAC,IAAI;CACnB,CAAA;AAED,4DAA4D;AAC5D,MAAM,WAAW,GAAG,EAAE,CAAA,CAAG,8BAA8B;AAEvD,SAAS,UAAU,CAAC,KAAa;IAC/B,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,WAAW,CAAC,CAAA;IACxC,MAAM,KAAK,GAAI,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAA;IAC3C,OAAO,GAAG,KAAK,GAAG,MAAM,GAAG,CAAC,CAAC,KAAK,EAAE,CAAA;AACtC,CAAC;AAED,iFAAiF;AAEjF,SAAS,OAAO,CAAC,EAAU;IACzB,OAAO,GAAG,CAAC,CAAC,IAAI,GAAG,IAAI,IAAI,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,CAAA;AACzE,CAAC;AAED,iFAAiF;AACjF,8DAA8D;AAC9D,gFAAgF;AAChF,gEAAgE;AAEhE,SAAS,cAAc,CAAC,GAAW;IACjC,OAAO,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,CAAA;AACzD,CAAC;AAED,SAAS,UAAU,CAAC,KAAoB,EAAE,OAAgB;IACxD,IAAI,OAAO;QAAE,OAAO,IAAI,CAAA;IACxB,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS,IAAI,KAAK,CAAC,KAAK,KAAK,MAAM,IAAI,cAAc,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QACzF,OAAO,KAAK,CAAA;IACd,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED,iFAAiF;AAEjF,MAAM,UAAU,gBAAgB,CAAC,SAAiB,EAAE,OAAe,EAAE,IAAoB;IACvF,MAAM,SAAS,GAAG,IAAI,KAAK,KAAK;QAC9B,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC,KAAK,EAAE;QAC3B,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,OAAO,CAAC,CAAC,KAAK,EAAE,CAAA;IAE7B,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,KAAK,CAAC,CAAC,IAAI,kBAAkB,CAAC,CAAC,KAAK,cAAc,CAAC,CAAC,KAAK,IAAI,SAAS,IAAI,CAAC,CAAC,KAAK,KAAK,SAAS,KAAK;QACpG,GAAG,CAAC,CAAC,IAAI,YAAY,OAAO,GAAG,CAAC,CAAC,KAAK,MAAM,CAC7C,CAAA;AACH,CAAC;AAED,iFAAiF;AAEjF,MAAM,UAAU,gBAAgB,CAAC,MAAoB;IACnD,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,MAAM,CAAA;IAEtD,MAAM,IAAI,GAAI,OAAO,KAAK,MAAM,CAAa,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,KAAK,EAAE;QAC3D,CAAC,CAAC,OAAO,KAAK,iBAAiB,CAAE,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,KAAK,EAAE;YAC5D,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,KAAK,EAAE,CAAA;IAEpC,MAAM,WAAW,GAAG,OAAO,KAAK,MAAM,CAAY,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,OAAO,CAAC,CAAC,KAAK,EAAE;QAC7D,CAAC,CAAC,OAAO,KAAK,iBAAiB,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,kBAAkB,CAAC,CAAC,KAAK,EAAE;YACzE,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC,KAAK,EAAE,CAAA;IAE/C,MAAM,UAAU,GAAG,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IAE5E,IAAI,GAAG,GAAG,KAAK,IAAI,KAAK,WAAW,KAAK,UAAU,GAAG,KAAK,OAAO,CAAC,CAAC,KAAK,IAAI,CAAA;IAE5E,MAAM,GAAG,GAAG,UAAU,IAAI,OAAO,EAAE,OAAO,CAAA;IAC1C,IAAI,GAAG;QAAgB,GAAG,IAAI,MAAM,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC,KAAK,KAAK,GAAG,IAAI,CAAA;IACpE,IAAI,OAAO,EAAE,MAAM;QAAI,GAAG,IAAI,MAAM,CAAC,CAAC,IAAI,QAAQ,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,IAAI,CAAA;IAE9E,GAAG,IAAI,IAAI,CAAA;IACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;AAC3B,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,OAAe,EAAE,KAAa;IAC/D,MAAM,IAAI,GAAU,OAAO,KAAK,iBAAiB,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,KAAK,EAAE,CAAA;IACtG,MAAM,WAAW,GAAG,OAAO,KAAK,iBAAiB;QAC/C,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,kBAAkB,CAAC,CAAC,KAAK,EAAE;QACzC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC,KAAK,EAAE,CAAA;IAC/B,MAAM,UAAU,GAAI,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IAEpD,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,KAAK,IAAI,KAAK,WAAW,KAAK,UAAU,GAAG,KAAK,OAAO,CAAC,CAAC,KAAK,MAAM,CACrE,CAAA;AACH,CAAC;AAED,iFAAiF;AAEjF,SAAS,WAAW,CAAC,KAAoB;IACvC,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,GAAG,KAAK,CAAA;IAE3C,MAAM,IAAI,GAAI,OAAO,CAAC,EAAE,CAAC,CAAA;IACzB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAA;IAE/B,IAAI,MAAM,GAAG,EAAE,CAAA;IACf,IAAI,QAAQ,GAAG,EAAE,CAAA;IAEjB,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;QACrB,MAAM,GAAK,GAAG,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,KAAK,EAAE,CAAA;QACrC,QAAQ,GAAG,CAAC,CAAC,OAAO,CAAA;IACtB,CAAC;SAAM,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;QAC7B,MAAM,GAAK,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,KAAK,EAAE,CAAA;QAClC,QAAQ,GAAG,CAAC,CAAC,IAAI,CAAA;IACnB,CAAC;IAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,IAAI,KAAK,KAAK,KAAK,MAAM,GAAG,QAAQ,GAAG,OAAO,GAAG,CAAC,CAAC,KAAK,IAAI,CAAC,CAAA;AAC1F,CAAC;AAMD;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CACjC,KAAiB;IAEjB,IAAI,KAAK,KAAK,KAAK;QAAE,OAAO,SAAS,CAAA;IAErC,MAAM,OAAO,GAAG,KAAK,KAAK,SAAS,CAAA;IAEnC,OAAO,CAAC,KAAoB,EAAE,EAAE;QAC9B,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,OAAO,CAAC;YAAE,OAAM;QACvC,WAAW,CAAC,KAAK,CAAC,CAAA;IACpB,CAAC,CAAA;AACH,CAAC"}

package/dist/poller.d.ts

@@ -0,0 +1,42 @@
+export interface AuditFinding {
+    severity: 'critical' | 'high' | 'medium' | 'low' | 'info';
+    category: string;
+    description: string;
+    evidence?: string;
+}
+export interface OnchainStamp {
+    txHash: string;
+    chainId: number;
+    contractAddress: string;
+    ensName?: string;
+    stampedAt: string;
+}
+export interface VerifyResult {
+    verified: boolean;
+    verdict: 'safe' | 'review_required' | 'unsafe';
+    score: number;
+    auditId: string;
+    skillHash: string;
+    auditedAt: string;
+    onchain?: OnchainStamp;
+    findings?: AuditFinding[];
+    ensSubname?: string;
+}
+export interface ProgressEvent {
+    stage: 'structural' | 'content' | 'sandbox' | 'verdict' | 'onchain' | 'pipeline';
+    level: 'info' | 'warn' | 'error';
+    message: string;
+    ts: number;
+}
+export interface PollOptions {
+    /** How often to check audit status. Default: 3000ms */
+    intervalMs?: number;
+    /** Give up after this many ms. Default: 5 minutes */
+    timeoutMs?: number;
+    /** Called with live pipeline log entries as they arrive */
+    onProgress?: (event: ProgressEvent) => void;
+    /** Throw SkillRejectedError when verdict != 'safe' or score < 70. Default: true */
+    rejectOnUnsafe?: boolean;
+}
+export declare function pollUntilComplete(apiUrl: string, auditId: string, opts?: PollOptions): Promise<VerifyResult>;
+//# sourceMappingURL=poller.d.ts.map

package/dist/poller.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"poller.d.ts","sourceRoot":"","sources":["../src/poller.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAA;IACzD,QAAQ,EAAE,MAAM,CAAA;IAChB,WAAW,EAAE,MAAM,CAAA;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,MAAM,CAAA;IACf,eAAe,EAAE,MAAM,CAAA;IACvB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,OAAO,CAAA;IACjB,OAAO,EAAE,MAAM,GAAG,iBAAiB,GAAG,QAAQ,CAAA;IAC9C,KAAK,EAAE,MAAM,CAAA;IACb,OAAO,EAAE,MAAM,CAAA;IACf,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,CAAC,EAAE,YAAY,CAAA;IACtB,QAAQ,CAAC,EAAE,YAAY,EAAE,CAAA;IACzB,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,YAAY,GAAG,SAAS,GAAG,SAAS,GAAG,SAAS,GAAG,SAAS,GAAG,UAAU,CAAA;IAChF,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAA;IAChC,OAAO,EAAE,MAAM,CAAA;IACf,EAAE,EAAE,MAAM,CAAA;CACX;AAED,MAAM,WAAW,WAAW;IAC1B,uDAAuD;IACvD,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,qDAAqD;IACrD,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,2DAA2D;IAC3D,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAA;IAC3C,mFAAmF;IACnF,cAAc,CAAC,EAAE,OAAO,CAAA;CACzB;AAED,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,IAAI,GAAE,WAAgB,GACrB,OAAO,CAAC,YAAY,CAAC,CA+DvB"}

package/dist/poller.js

@@ -0,0 +1,56 @@
+import { AuditTimeoutError, SkillRejectedError } from './errors.js';
+export async function pollUntilComplete(apiUrl, auditId, opts = {}) {
+    const { intervalMs = 3_000, timeoutMs = 5 * 60 * 1_000, onProgress, rejectOnUnsafe = true, } = opts;
+    const deadline = Date.now() + timeoutMs;
+    let lastLogTs = 0;
+    while (Date.now() < deadline) {
+        // Poll audit status
+        const res = await fetch(`${apiUrl}/v1/audits/${auditId}`);
+        const data = await res.json();
+        if (data.status === 'completed') {
+            const result = data.result;
+            const onchain = data.onchain;
+            const verdict = (result?.verdict ?? 'unsafe');
+            const score = result?.score ?? 0;
+            const verified = verdict === 'safe' && score >= 70;
+            if (rejectOnUnsafe && !verified) {
+                throw new SkillRejectedError(verdict, score, auditId);
+            }
+            return {
+                verified,
+                verdict,
+                score,
+                auditId,
+                skillHash: data.skillHash,
+                auditedAt: data.completedAt,
+                onchain: onchain?.txHash ? onchain : undefined,
+                findings: data.findings,
+                ensSubname: onchain?.ensName,
+            };
+        }
+        if (data.status === 'failed') {
+            throw new Error(`Audit ${auditId} pipeline failed. Try resubmitting.`);
+        }
+        // Stream new log entries to onProgress if provided
+        if (onProgress && (data.status === 'running' || data.status === 'pending')) {
+            try {
+                const logRes = await fetch(`${apiUrl}/v1/audits/${auditId}/logs?since=${lastLogTs}`);
+                const logData = await logRes.json();
+                for (const entry of logData.logs ?? []) {
+                    onProgress(entry);
+                    if (entry.ts > lastLogTs)
+                        lastLogTs = entry.ts;
+                }
+            }
+            catch {
+                // non-fatal — progress streaming is best-effort
+            }
+        }
+        await sleep(intervalMs);
+    }
+    throw new AuditTimeoutError(auditId, timeoutMs);
+}
+function sleep(ms) {
+    return new Promise(resolve => setTimeout(resolve, ms));
+}
+//# sourceMappingURL=poller.js.map

package/dist/poller.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"poller.js","sourceRoot":"","sources":["../src/poller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAA;AA+CnE,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAAc,EACd,OAAe,EACf,OAAoB,EAAE;IAEtB,MAAM,EACJ,UAAU,GAAM,KAAK,EACrB,SAAS,GAAO,CAAC,GAAG,EAAE,GAAG,KAAK,EAC9B,UAAU,EACV,cAAc,GAAG,IAAI,GACtB,GAAG,IAAI,CAAA;IAER,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAA;IACvC,IAAI,SAAS,GAAG,CAAC,CAAA;IAEjB,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;QAC7B,oBAAoB;QACpB,MAAM,GAAG,GAAI,MAAM,KAAK,CAAC,GAAG,MAAM,cAAc,OAAO,EAAE,CAAC,CAAA;QAC1D,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA6B,CAAA;QAExD,IAAI,IAAI,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAChC,MAAM,MAAM,GAAI,IAAI,CAAC,MAAyD,CAAA;YAC9E,MAAM,OAAO,GAAG,IAAI,CAAC,OAAmC,CAAA;YAExD,MAAM,OAAO,GAAI,CAAC,MAAM,EAAE,OAAO,IAAI,QAAQ,CAA4B,CAAA;YACzE,MAAM,KAAK,GAAM,MAAM,EAAE,KAAK,IAAI,CAAC,CAAA;YACnC,MAAM,QAAQ,GAAG,OAAO,KAAK,MAAM,IAAI,KAAK,IAAI,EAAE,CAAA;YAElD,IAAI,cAAc,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAChC,MAAM,IAAI,kBAAkB,CAAC,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,CAAA;YACvD,CAAC;YAED,OAAO;gBACL,QAAQ;gBACR,OAAO;gBACP,KAAK;gBACL,OAAO;gBACP,SAAS,EAAE,IAAI,CAAC,SAAmB;gBACnC,SAAS,EAAE,IAAI,CAAC,WAAqB;gBACrC,OAAO,EAAI,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;gBAChD,QAAQ,EAAG,IAAI,CAAC,QAAsC;gBACtD,UAAU,EAAE,OAAO,EAAE,OAAO;aAC7B,CAAA;QACH,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,SAAS,OAAO,qCAAqC,CAAC,CAAA;QACxE,CAAC;QAED,mDAAmD;QACnD,IAAI,UAAU,IAAI,CAAC,IAAI,CAAC,MAAM,KAAK,SAAS,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,CAAC,EAAE,CAAC;YAC3E,IAAI,CAAC;gBACH,MAAM,MAAM,GAAI,MAAM,KAAK,CAAC,GAAG,MAAM,cAAc,OAAO,eAAe,SAAS,EAAE,CAAC,CAAA;gBACrF,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,IAAI,EAA+B,CAAA;gBAChE,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;oBACvC,UAAU,CAAC,KAAK,CAAC,CAAA;oBACjB,IAAI,KAAK,CAAC,EAAE,GAAG,SAAS;wBAAE,SAAS,GAAG,KAAK,CAAC,EAAE,CAAA;gBAChD,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,gDAAgD;YAClD,CAAC;QACH,CAAC;QAED,MAAM,KAAK,CAAC,UAAU,CAAC,CAAA;IACzB,CAAC;IAED,MAAM,IAAI,iBAAiB,CAAC,OAAO,EAAE,SAAS,CAAC,CAAA;AACjD,CAAC;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAA;AACxD,CAAC"}

package/dist/x402.d.ts

@@ -0,0 +1,28 @@
+export interface X402PaymentRequirements {
+    x402Version: number;
+    accepts: Array<{
+        scheme: string;
+        network: string;
+        maxAmountRequired: string;
+        resource: string;
+        description: string;
+        payTo: string;
+        maxTimeoutSeconds: number;
+        asset: string;
+    }>;
+    error: string;
+}
+/**
+ * Called when a 402 is received. Must return the X-Payment header value
+ * (a payment receipt string) for the retry request.
+ */
+export type PaymentHandler = (requirements: X402PaymentRequirements) => Promise<string>;
+/**
+ * Perform a fetch that transparently handles x402 payment for Pro audits.
+ *
+ * On first call, sends the request normally.
+ * If a 402 is received and `paymentHandler` is provided, pays and retries once.
+ * If no `paymentHandler` is provided, throws PaymentError immediately.
+ */
+export declare function fetchWithX402(url: string, init: RequestInit, paymentHandler?: PaymentHandler): Promise<Response>;
+//# sourceMappingURL=x402.d.ts.map

package/dist/x402.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"x402.d.ts","sourceRoot":"","sources":["../src/x402.ts"],"names":[],"mappings":"AAwBA,MAAM,WAAW,uBAAuB;IACtC,WAAW,EAAE,MAAM,CAAA;IACnB,OAAO,EAAE,KAAK,CAAC;QACb,MAAM,EAAa,MAAM,CAAA;QACzB,OAAO,EAAY,MAAM,CAAA;QACzB,iBAAiB,EAAE,MAAM,CAAA;QACzB,QAAQ,EAAW,MAAM,CAAA;QACzB,WAAW,EAAQ,MAAM,CAAA;QACzB,KAAK,EAAc,MAAM,CAAA;QACzB,iBAAiB,EAAE,MAAM,CAAA;QACzB,KAAK,EAAc,MAAM,CAAA;KAC1B,CAAC,CAAA;IACF,KAAK,EAAE,MAAM,CAAA;CACd;AAED;;;GAGG;AACH,MAAM,MAAM,cAAc,GAAG,CAC3B,YAAY,EAAE,uBAAuB,KAClC,OAAO,CAAC,MAAM,CAAC,CAAA;AAEpB;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,WAAW,EACjB,cAAc,CAAC,EAAE,cAAc,GAC9B,OAAO,CAAC,QAAQ,CAAC,CA6CnB"}

package/dist/x402.js

@@ -0,0 +1,65 @@
+// x402 payment handling for Pro tier audits.
+//
+// When the server returns HTTP 402, it means the request requires a $9 USDC
+// payment on Base before the audit pipeline will run. This module:
+//   1. Detects the 402 and extracts the payment requirements from the body
+//   2. Invokes a user-supplied `paymentHandler` with those requirements
+//   3. Retries the original request with the `X-Payment` header set to the receipt
+//
+// For free tier audits, this module is never invoked — the server only returns 402
+// when the request body contains `tier: "pro"`.
+//
+// Implementing `paymentHandler`:
+//   The handler receives the payment requirements and must return a payment receipt
+//   string suitable for the X-Payment header. Typical implementations use:
+//   - `x402-fetch` from the x402 npm package (auto-pays from an EVM wallet)
+//   - A Privy embedded wallet signing a USDC TransferWithAuthorization (EIP-3009)
+//   - A Ledger device signing the same EIP-3009 payload for hardware approval
+//
+// Example (x402-fetch):
+//   import { getPaymentHeader } from 'x402-fetch'
+//   const handler: PaymentHandler = async (req) => getPaymentHeader(req, wallet)
+import { PaymentError } from './errors.js';
+/**
+ * Perform a fetch that transparently handles x402 payment for Pro audits.
+ *
+ * On first call, sends the request normally.
+ * If a 402 is received and `paymentHandler` is provided, pays and retries once.
+ * If no `paymentHandler` is provided, throws PaymentError immediately.
+ */
+export async function fetchWithX402(url, init, paymentHandler) {
+    const res = await fetch(url, init);
+    if (res.status !== 402)
+        return res;
+    // Parse payment requirements
+    let requirements;
+    try {
+        requirements = await res.json();
+    }
+    catch {
+        throw new PaymentError('Received 402 but could not parse payment requirements', 402);
+    }
+    if (!paymentHandler) {
+        const amount = requirements.accepts[0]?.maxAmountRequired;
+        const usdcAmt = amount ? `$${(Number(amount) / 1_000_000).toFixed(2)} USDC` : 'USDC';
+        throw new PaymentError(`Pro audit requires a ${usdcAmt} payment on Base. ` +
+            `Provide a paymentHandler in SkillAuditorClient options to enable automatic payment.`, 402);
+    }
+    // Obtain payment receipt from the handler
+    let receipt;
+    try {
+        receipt = await paymentHandler(requirements);
+    }
+    catch (err) {
+        throw new PaymentError(`Payment handler failed: ${err.message}`, 402);
+    }
+    // Retry with payment header
+    const headers = new Headers(init.headers);
+    headers.set('X-Payment', receipt);
+    const retryRes = await fetch(url, { ...init, headers });
+    if (retryRes.status === 402) {
+        throw new PaymentError('Payment was rejected by the server', 402);
+    }
+    return retryRes;
+}
+//# sourceMappingURL=x402.js.map

package/dist/x402.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"x402.js","sourceRoot":"","sources":["../src/x402.ts"],"names":[],"mappings":"AAAA,6CAA6C;AAC7C,EAAE;AACF,4EAA4E;AAC5E,mEAAmE;AACnE,2EAA2E;AAC3E,wEAAwE;AACxE,mFAAmF;AACnF,EAAE;AACF,mFAAmF;AACnF,gDAAgD;AAChD,EAAE;AACF,iCAAiC;AACjC,oFAAoF;AACpF,2EAA2E;AAC3E,4EAA4E;AAC5E,kFAAkF;AAClF,8EAA8E;AAC9E,EAAE;AACF,wBAAwB;AACxB,kDAAkD;AAClD,iFAAiF;AAEjF,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAyB1C;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,GAAW,EACX,IAAiB,EACjB,cAA+B;IAE/B,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;IAElC,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,GAAG,CAAA;IAElC,6BAA6B;IAC7B,IAAI,YAAqC,CAAA;IACzC,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,GAAG,CAAC,IAAI,EAA6B,CAAA;IAC5D,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,YAAY,CAAC,uDAAuD,EAAE,GAAG,CAAC,CAAA;IACtF,CAAC;IAED,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,iBAAiB,CAAA;QACzD,MAAM,OAAO,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,SAAS,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAA;QACpF,MAAM,IAAI,YAAY,CACpB,wBAAwB,OAAO,oBAAoB;YACnD,qFAAqF,EACrF,GAAG,CACJ,CAAA;IACH,CAAC;IAED,0CAA0C;IAC1C,IAAI,OAAe,CAAA;IACnB,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,cAAc,CAAC,YAAY,CAAC,CAAA;IAC9C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,YAAY,CACpB,2BAA4B,GAAa,CAAC,OAAO,EAAE,EACnD,GAAG,CACJ,CAAA;IACH,CAAC;IAED,4BAA4B;IAC5B,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IACzC,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,CAAA;IAEjC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,CAAC,CAAA;IAEvD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,MAAM,IAAI,YAAY,CAAC,oCAAoC,EAAE,GAAG,CAAC,CAAA;IACnE,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC"}

package/package.json

@@ -0,0 +1,41 @@
+{
+  "name": "@skillauditor/client",
+  "version": "0.1.0",
+  "description": "Agent SDK for SkillAuditor — submit, verify, and check skills onchain in one call",
+  "type": "module",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Arttribute/skillauditor.git",
+    "directory": "packages/skillauditor-client"
+  },
+  "keywords": ["skillauditor", "skill", "agent", "sdk", "ens", "onchain", "worldcoin"],
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "prepublishOnly": "npm run build"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@worldcoin/agentkit": "^0.1.6",
+    "viem": "^2.47.10"
+  },
+  "devDependencies": {
+    "@types/node": "^20.11.17",
+    "typescript": "^5.8.3"
+  }
+}