npm - @vallum/marketplace - Versions diffs - 0.0.0-prerelease → 0.1.0 - Mend

@vallum/marketplace 0.0.0-prerelease → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -7,3 +7,10 @@ registry profiles, policy compatibility, contract template metadata, receipts,
 manifests, and standards bridge evidence. It does not operate a marketplace,
 onboard providers, settle payments, custody funds, verify providers, moderate
 listings, or contact live IOTA/x402/AP2/A2A services.
+It also exposes a status-only production review snapshot builder. The snapshot
+tracks the required provider, moderation, access-control, settlement, dispute,
+operations, incident-response, and redaction review checks as `pending`,
+`passed`, or `blocked`, with redacted notes and explicit blocker codes. Missing
+operator checks remain pending; a local snapshot is preparation material, not
+production marketplace proof.

package/dist/index.d.ts CHANGED Viewed

@@ -6,6 +6,10 @@ import { type AgentProfileStatus } from "@vallum/registry";
 export type MarketplaceEvidenceLevel = "mock" | "local" | "testnet" | "live";
 export type MarketplaceProfileLabel = AgentProfileStatus | "unverified";
 export type MarketplaceRole = "buyer" | "provider" | "operator" | "reviewer";
+export type MarketplaceProductionEnvironment = "local" | "testnet" | "production";
+export type MarketplaceProductionReviewStatus = "pending" | "passed" | "blocked";
+export type MarketplaceProductionReviewResult = "pending-operator-proof" | "passed" | "blocked";
+export type MarketplaceProductionReviewCheckId = "provider-onboarding-review" | "provider-verification-review" | "provider-capability-review" | "moderation-abuse-review" | "session-auth-review" | "receipt-access-review" | "payment-settlement-review" | "settlement-reconciliation-review" | "dispute-workflow-review" | "operations-incident-review" | "incident-response-review" | "redaction-review";
 export type MarketplaceReceipt = EscrowReceipt | PayPerCallReceipt | DataLicenseReceipt | ServiceBountyReceipt | ReputationReceipt | SubscriptionReceipt;
 export interface MarketplaceViewer {
     readonly principalId: string;
@@ -17,6 +21,17 @@ export interface MarketplaceStandardsEvidence {
     readonly referenceId: string;
     readonly metadata?: Record<string, unknown>;
 }
+export interface MarketplaceProductionReviewCheckInput {
+    readonly id: MarketplaceProductionReviewCheckId;
+    readonly status: MarketplaceProductionReviewStatus;
+    readonly observedAt?: Date | string;
+    readonly note?: string;
+}
+export interface CreateMarketplaceProductionReviewSnapshotInput {
+    readonly environment: MarketplaceProductionEnvironment;
+    readonly checks?: readonly MarketplaceProductionReviewCheckInput[];
+    readonly generatedAt?: Date;
+}
 export interface MarketplaceProviderListingInput {
     readonly providerId: string;
     readonly profile: unknown;
@@ -116,12 +131,35 @@ export interface MarketplaceReadModelDemoResult {
     readonly buyerReceiptAllowed: boolean;
     readonly strangerReceiptAllowed: boolean;
     readonly disputeBundleHash: string;
+    readonly productionReviewResult: MarketplaceProductionReviewResult;
+    readonly productionReviewPendingChecks: readonly MarketplaceProductionReviewCheckId[];
     readonly logLeaksSecretMaterial: boolean;
 }
+export interface MarketplaceProductionReviewSnapshot {
+    readonly schemaVersion: 1;
+    readonly kind: "vallum.marketplace-production-review-snapshot";
+    readonly result: MarketplaceProductionReviewResult;
+    readonly environment: MarketplaceProductionEnvironment;
+    readonly generatedAt: string;
+    readonly requiredCheckIds: readonly MarketplaceProductionReviewCheckId[];
+    readonly passedCheckIds: readonly MarketplaceProductionReviewCheckId[];
+    readonly pendingCheckIds: readonly MarketplaceProductionReviewCheckId[];
+    readonly blockedCheckIds: readonly MarketplaceProductionReviewCheckId[];
+    readonly blockerCodes: readonly string[];
+    readonly checks: readonly MarketplaceProductionReviewCheck[];
+    readonly boundaries: readonly string[];
+}
+export interface MarketplaceProductionReviewCheck {
+    readonly id: MarketplaceProductionReviewCheckId;
+    readonly status: MarketplaceProductionReviewStatus;
+    readonly observedAt?: string;
+    readonly note?: string;
+}
 type MarketplaceWorkflow = "escrow" | "pay_per_call" | "data_license" | "service_bounty" | "reputation_receipt" | "subscription";
 export declare function createMarketplaceProviderListing(input: MarketplaceProviderListingInput): MarketplaceProviderListing;
 export declare function createMarketplaceReceiptView(input: CreateMarketplaceReceiptViewInput): MarketplaceReceiptViewResult;
 export declare function createDisputeEvidenceBundle(input: CreateDisputeEvidenceBundleInput): MarketplaceDisputeEvidenceBundle;
+export declare function createMarketplaceProductionReviewSnapshot(input: CreateMarketplaceProductionReviewSnapshotInput): MarketplaceProductionReviewSnapshot;
 export declare function runMarketplaceReadModelDemo(): MarketplaceReadModelDemoResult;
 export declare function formatMarketplaceReadModelDemoResult(result: MarketplaceReadModelDemoResult): string;
 export declare class MarketplaceAccessError extends Error {

package/dist/index.js CHANGED Viewed

@@ -4,6 +4,25 @@ import { validManifestFixture } from "@vallum/manifest";
 import { evaluateProfileCapabilityPolicy, } from "@vallum/policy-gateway";
 import { approveServiceBountyReceipt, completeServiceBountyReceipt, createServiceBountyReceipt, releaseServiceBountyReceipt, sponsorServiceBountyReceipt, submitServiceBountyReceipt, } from "@vallum/receipts";
 import { validateAgentProfile, validAgentProfileFixture, } from "@vallum/registry";
+const MARKETPLACE_PRODUCTION_REVIEW_CHECKS = [
+    "provider-onboarding-review",
+    "provider-verification-review",
+    "provider-capability-review",
+    "moderation-abuse-review",
+    "session-auth-review",
+    "receipt-access-review",
+    "payment-settlement-review",
+    "settlement-reconciliation-review",
+    "dispute-workflow-review",
+    "operations-incident-review",
+    "incident-response-review",
+    "redaction-review",
+];
+const MARKETPLACE_PRODUCTION_REVIEW_BOUNDARIES = [
+    "This snapshot is status-only and does not prove production marketplace readiness by itself.",
+    "Missing checks stay pending until an operator-approved review supplies passing evidence.",
+    "Do not include provider records, session data, authorization headers, payment credentials, raw payloads, moderation evidence, sensitive prompt text, signatures, or local secret paths.",
+];
 export function createMarketplaceProviderListing(input) {
     const validation = validateAgentProfile(input.profile, { now: input.now });
     const profile = validation.ok ? validation.profile : undefined;
@@ -87,6 +106,41 @@ export function createDisputeEvidenceBundle(input) {
         ...redacted,
     };
 }
+export function createMarketplaceProductionReviewSnapshot(input) {
+    const supplied = new Map();
+    for (const check of input.checks ?? []) {
+        supplied.set(check.id, check);
+    }
+    const checks = MARKETPLACE_PRODUCTION_REVIEW_CHECKS.map((id) => {
+        const check = supplied.get(id);
+        return {
+            id,
+            status: check?.status ?? "pending",
+            ...(check?.observedAt ? { observedAt: isoString(check.observedAt) } : {}),
+            ...(check?.note ? { note: redactString(check.note) } : {}),
+        };
+    });
+    const passedCheckIds = checks.filter((check) => check.status === "passed").map((check) => check.id);
+    const pendingCheckIds = checks.filter((check) => check.status === "pending").map((check) => check.id);
+    const blockedCheckIds = checks.filter((check) => check.status === "blocked").map((check) => check.id);
+    return {
+        schemaVersion: 1,
+        kind: "vallum.marketplace-production-review-snapshot",
+        result: productionReviewResult({ pendingCheckIds, blockedCheckIds }),
+        environment: input.environment,
+        generatedAt: (input.generatedAt ?? new Date()).toISOString(),
+        requiredCheckIds: MARKETPLACE_PRODUCTION_REVIEW_CHECKS,
+        passedCheckIds,
+        pendingCheckIds,
+        blockedCheckIds,
+        blockerCodes: [
+            ...pendingCheckIds.map((id) => `MARKETPLACE_${constantCase(id)}_PENDING`),
+            ...blockedCheckIds.map((id) => `MARKETPLACE_${constantCase(id)}_BLOCKED`),
+        ],
+        checks,
+        boundaries: MARKETPLACE_PRODUCTION_REVIEW_BOUNDARIES,
+    };
+}
 export function runMarketplaceReadModelDemo() {
     const now = new Date("2026-06-10T12:00:00.000Z");
     const receipt = appendMarketplaceDiagnosticEvent(createReleasedServiceBountyReceipt({
@@ -142,13 +196,33 @@ export function runMarketplaceReadModelDemo() {
         standardsEvidence: [{ protocol: "a2a", status: "local", referenceId: "a2a-local-server-smoke" }],
         viewer: { principalId: "operator:demo", role: "operator" },
     });
-    const serialized = JSON.stringify({ listing, buyer, stranger, bundle });
+    const productionReview = createMarketplaceProductionReviewSnapshot({
+        environment: "local",
+        generatedAt: now,
+        checks: [
+            {
+                id: "receipt-access-review",
+                status: "passed",
+                observedAt: now,
+                note: "Local receipt access model passed without session-id=session_secret_123.",
+            },
+            {
+                id: "redaction-review",
+                status: "passed",
+                observedAt: now,
+                note: "Local redaction removed private prompt and Bearer abc.def.ghi values.",
+            },
+        ],
+    });
+    const serialized = JSON.stringify({ listing, buyer, stranger, bundle, productionReview });
     return {
         providerProfileLabel: listing.profileLabel,
         policyAllowed: listing.policyCompatibility.allowed,
         buyerReceiptAllowed: buyer.allowed,
         strangerReceiptAllowed: stranger.allowed,
         disputeBundleHash: bundle.bundleHash,
+        productionReviewResult: productionReview.result,
+        productionReviewPendingChecks: productionReview.pendingCheckIds,
         logLeaksSecretMaterial: responseLeaks(serialized),
     };
 }
@@ -160,6 +234,8 @@ export function formatMarketplaceReadModelDemoResult(result) {
         `buyerReceipt.allowed=${result.buyerReceiptAllowed}`,
         `strangerReceipt.allowed=${result.strangerReceiptAllowed}`,
         `dispute.bundleHash=${result.disputeBundleHash}`,
+        `productionReview.result=${result.productionReviewResult}`,
+        `productionReview.pendingChecks=${result.productionReviewPendingChecks.length}`,
         `logLeaksSecretMaterial=${result.logLeaksSecretMaterial}`,
     ].join("\n");
 }
@@ -326,6 +402,19 @@ function visibility(viewer) {
         return "reviewer";
     return "party";
 }
+function productionReviewResult(input) {
+    if (input.blockedCheckIds.length > 0)
+        return "blocked";
+    if (input.pendingCheckIds.length > 0)
+        return "pending-operator-proof";
+    return "passed";
+}
+function isoString(value) {
+    return value instanceof Date ? value.toISOString() : value;
+}
+function constantCase(value) {
+    return value.replace(/[^a-z0-9]+/gi, "_").replace(/^_+|_+$/g, "").toUpperCase();
+}
 function pickString(record, key) {
     const value = stringValue(record[key]);
     return value ? { [key]: value } : {};
@@ -352,12 +441,14 @@ function redactString(value) {
     return value
         .replace(/Bearer\s+[A-Za-z0-9._-]+/gi, "[REDACTED]")
         .replace(/private prompt[^,.]*/gi, "[REDACTED]")
+        .replace(/\bsession[-_ ]?id\s*[:=]\s*[A-Za-z0-9._:-]+/gi, "[REDACTED]")
+        .replace(/\b(token|credential|authorization|payment secret)\s*[:=]\s*[A-Za-z0-9._:-]+/gi, "[REDACTED]")
         .replace(/signer_ref[\w:-]*/gi, "[REDACTED]")
         .replace(/wallet_[\w:-]*/gi, "[REDACTED]")
         .replace(/payment-secret/gi, "[REDACTED]");
 }
 function responseLeaks(text) {
-    return /private prompt|Bearer abc|signer_ref|wallet_demo|payment-secret|secret provider|PRIVATE KEY|BEGIN PRIVATE/i.test(text);
+    return /private prompt|Bearer abc|signer_ref|wallet_demo|payment-secret|session_secret|secret provider|PRIVATE KEY|BEGIN PRIVATE/i.test(text);
 }
 function stableStringify(value) {
     if (Array.isArray(value))

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@vallum/marketplace",
-  "version": "0.0.0-prerelease",
+  "version": "0.1.0",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -12,11 +12,11 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "@vallum/contracts-metadata": "0.0.0-prerelease",
-    "@vallum/manifest": "0.0.0-prerelease",
-    "@vallum/policy-gateway": "0.0.0-prerelease",
-    "@vallum/receipts": "0.0.0-prerelease",
-    "@vallum/registry": "0.0.0-prerelease"
+    "@vallum/contracts-metadata": "0.1.0",
+    "@vallum/manifest": "0.1.0",
+    "@vallum/policy-gateway": "0.1.0",
+    "@vallum/receipts": "0.1.0",
+    "@vallum/registry": "0.1.0"
   },
   "description": "Read-only local marketplace evidence views for Vallum.",
   "files": [
@@ -34,6 +34,6 @@
   },
   "publishConfig": {
     "access": "public",
-    "tag": "next"
+    "tag": "latest"
   }
 }