@verivyx/paywall-express 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Verivyx
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,59 @@
+# @verivyx/paywall-express
+
+Express adapter for the Verivyx paywall SDK — gate content from AI bots and charge agents on-chain via x402, with zero-config reverse-DNS crawler verification for SEO safety.
+
+Requires `@verivyx/paywall` (installed automatically as a dependency) and `express` (peer dependency).
+
+## Install
+
+```sh
+npm i @verivyx/paywall-express
+```
+
+## Quickstart
+
+```ts
+import express from "express";
+import { verivyxExpress } from "@verivyx/paywall-express";
+
+const app = express();
+
+// Create an adapter (reads VERIVYX_TOKEN + VERIVYX_DOMAIN from env)
+const vx = verivyxExpress();
+
+// Gate a route — verified/paid requests pass through; bots get a 402
+app.get("/articles/:slug", vx.protect(async (req, res) => {
+  res.json({ content: "..." });
+}));
+
+app.listen(3000);
+```
+
+### With SEO preview
+
+```ts
+app.get("/articles/:slug", vx.protect(myHandler, {
+  seoPreview: ({ slug }) => ({
+    title: "Article title",
+    excerpt: "A short teaser visible to search crawlers.",
+  }),
+}));
+```
+
+## Config
+
+All options can be passed to `verivyxExpress(opts)` or set via environment variables.
+
+| Env var | Required | Description |
+|---|---|---|
+| `VERIVYX_TOKEN` | yes (server-only) | Domain provisioning token from the Verivyx dashboard |
+| `VERIVYX_DOMAIN` | yes | Your site domain, e.g. `example.com` |
+| `VERIVYX_MATCH` | no | Comma-separated glob patterns to gate (e.g. `/articles/**`). Empty = gate all routes. Also accepts `string[]` in code. |
+| `VERIVYX_FAIL_MODE` | no | Behaviour when the Verivyx backend is unreachable: `teaser` (default) \| `open` \| `closed` |
+| `VERIVYX_TIMEOUT_MS` | no | Backend request timeout in milliseconds (default `800`) |
+
+Additional code-only options: `trustProxy` (default `true`), `clientIp`, `advertise` (RSL/AIPREF discovery headers).
+
+## Docs
+
+[https://docs.verivyx.com/docs/sdk](https://docs.verivyx.com/docs/sdk)

package/dist/index.cjs

@@ -0,0 +1,147 @@
+'use strict';
+
+var paywall = require('@verivyx/paywall');
+
+// src/index.ts
+function firstHop(xff) {
+  if (xff === void 0) {
+    return void 0;
+  }
+  const raw = Array.isArray(xff) ? xff[0] : xff;
+  if (!raw) {
+    return void 0;
+  }
+  const first = raw.split(",")[0];
+  return first !== void 0 ? first.trim() || void 0 : void 0;
+}
+function lastPathSegment(path) {
+  const segments = path.split("/").filter((s) => s.length > 0);
+  const last = segments[segments.length - 1];
+  return last !== void 0 ? decodeURIComponent(last) : "";
+}
+function toWebHeaders(nodeHeaders, ip) {
+  const headers = new Headers();
+  for (const [key, value] of Object.entries(nodeHeaders)) {
+    if (value === void 0) {
+      continue;
+    }
+    if (Array.isArray(value)) {
+      for (const v of value) {
+        headers.append(key, v);
+      }
+    } else {
+      headers.set(key, value);
+    }
+  }
+  if (ip !== void 0) {
+    headers.set("x-real-ip", ip);
+  }
+  return headers;
+}
+function resolveIp(req, opts) {
+  if (opts?.clientIp) {
+    return opts.clientIp(req);
+  }
+  if (opts?.trustProxy !== false) {
+    const xff = req.headers["x-forwarded-for"];
+    const hop = firstHop(xff);
+    if (hop) {
+      return hop;
+    }
+    const xri = req.headers["x-real-ip"];
+    if (typeof xri === "string" && xri) {
+      return xri;
+    }
+  }
+  return req.socket.remoteAddress;
+}
+async function readRawBody(req) {
+  const method = req.method.toUpperCase();
+  if (method === "GET" || method === "HEAD" || method === "OPTIONS") {
+    return void 0;
+  }
+  const body = req.body;
+  if (Buffer.isBuffer(body)) {
+    return new Uint8Array(body);
+  }
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    req.on("data", (chunk) => chunks.push(chunk));
+    req.on("end", () => resolve(new Uint8Array(Buffer.concat(chunks))));
+    req.on("error", reject);
+  });
+}
+function attachAdvertiseHeaders(res, advertise) {
+  if (advertise === void 0) {
+    return;
+  }
+  res.append("Link", paywall.rslLinkHeader(advertise));
+  res.setHeader("Content-Usage", paywall.contentUsageHeader(advertise));
+}
+async function sendWebResponse(res, webRes) {
+  res.status(webRes.status);
+  webRes.headers.forEach((value, key) => {
+    if (key.toLowerCase() === "set-cookie") {
+      res.append(key, value);
+    } else {
+      res.setHeader(key, value);
+    }
+  });
+  const buf = Buffer.from(await webRes.arrayBuffer());
+  res.send(buf);
+}
+function verivyxExpress(opts) {
+  const vx = opts?._core ?? paywall.verivyx(opts, {
+    verifyCrawlerDns: opts?.verifyCrawlerDns ?? paywall.createSearchCrawlerVerifier(),
+    ...opts?.verifyWebBotAuth !== void 0 ? { verifyWebBotAuth: opts.verifyWebBotAuth } : {}
+  });
+  return {
+    protect(handler, o) {
+      return async function verivyxGuard(req, res, next) {
+        try {
+          const ip = resolveIp(req, opts);
+          const absoluteUrl = `${req.protocol}://${req.get("host") ?? "localhost"}${req.originalUrl}`;
+          const webHeaders = toWebHeaders(req.headers, ip);
+          let rawBody;
+          try {
+            rawBody = await readRawBody(req);
+          } catch {
+            rawBody = void 0;
+          }
+          const webReq = new Request(absoluteUrl, {
+            method: req.method,
+            headers: webHeaders,
+            body: rawBody !== void 0 ? rawBody : void 0,
+            // duplex required for request bodies in some environments
+            ...rawBody !== void 0 ? { duplex: "half" } : {}
+          });
+          const slug = req.params.slug ?? lastPathSegment(req.path);
+          const decision = await vx.protect(webReq, { slug });
+          if (!decision.allowed) {
+            const isPreviewCandidate = decision.reason === "crawler" || decision.reason === "human-unverified";
+            if (isPreviewCandidate && o?.seoPreview !== void 0) {
+              attachAdvertiseHeaders(res, opts?.advertise);
+              await sendWebResponse(res, paywall.buildSeoPreviewResponse(slug, absoluteUrl, o.seoPreview));
+              return;
+            }
+            attachAdvertiseHeaders(res, opts?.advertise);
+            await sendWebResponse(res, decision.response());
+            return;
+          }
+          if (decision.paymentResponse !== void 0) {
+            res.setHeader("PAYMENT-RESPONSE", decision.paymentResponse);
+          }
+          attachAdvertiseHeaders(res, opts?.advertise);
+          handler(req, res, next);
+        } catch (err) {
+          next(err);
+        }
+      };
+    }
+  };
+}
+
+exports.sendWebResponse = sendWebResponse;
+exports.verivyxExpress = verivyxExpress;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"names":["rslLinkHeader","contentUsageHeader","verivyx","createSearchCrawlerVerifier","buildSeoPreviewResponse"],"mappings":";;;;;AAqGA,SAAS,SAAS,GAAA,EAAwD;AACxE,EAAA,IAAI,QAAQ,MAAA,EAAW;AACrB,IAAA,OAAO,MAAA;AAAA,EACT;AACA,EAAA,MAAM,MAAM,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,GAAI,GAAA,CAAI,CAAC,CAAA,GAAI,GAAA;AAC1C,EAAA,IAAI,CAAC,GAAA,EAAK;AACR,IAAA,OAAO,MAAA;AAAA,EACT;AACA,EAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,KAAA,CAAM,GAAG,EAAE,CAAC,CAAA;AAC9B,EAAA,OAAO,KAAA,KAAU,MAAA,GAAY,KAAA,CAAM,IAAA,MAAU,MAAA,GAAY,MAAA;AAC3D;AAMA,SAAS,gBAAgB,IAAA,EAAsB;AAC7C,EAAA,MAAM,QAAA,GAAW,IAAA,CAAK,KAAA,CAAM,GAAG,CAAA,CAAE,OAAO,CAAC,CAAA,KAAM,CAAA,CAAE,MAAA,GAAS,CAAC,CAAA;AAC3D,EAAA,MAAM,IAAA,GAAO,QAAA,CAAS,QAAA,CAAS,MAAA,GAAS,CAAC,CAAA;AACzC,EAAA,OAAO,IAAA,KAAS,MAAA,GAAY,kBAAA,CAAmB,IAAI,CAAA,GAAI,EAAA;AACzD;AAOA,SAAS,YAAA,CACP,aACA,EAAA,EACS;AACT,EAAA,MAAM,OAAA,GAAU,IAAI,OAAA,EAAQ;AAC5B,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,WAAW,CAAA,EAAG;AACtD,IAAA,IAAI,UAAU,MAAA,EAAW;AACvB,MAAA;AAAA,IACF;AACA,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACxB,MAAA,KAAA,MAAW,KAAK,KAAA,EAAO;AACrB,QAAA,OAAA,CAAQ,MAAA,CAAO,KAAK,CAAC,CAAA;AAAA,MACvB;AAAA,IACF,CAAA,MAAO;AACL,MAAA,OAAA,CAAQ,GAAA,CAAI,KAAK,KAAK,CAAA;AAAA,IACxB;AAAA,EACF;AACA,EAAA,IAAI,OAAO,MAAA,EAAW;AACpB,IAAA,OAAA,CAAQ,GAAA,CAAI,aAAa,EAAE,CAAA;AAAA,EAC7B;AACA,EAAA,OAAO,OAAA;AACT;AAWA,SAAS,SAAA,CACP,KACA,IAAA,EACoB;AACpB,EAAA,IAAI,MAAM,QAAA,EAAU;AAClB,IAAA,OAAO,IAAA,CAAK,SAAS,GAAG,CAAA;AAAA,EAC1B;AACA,EAAA,IAAI,IAAA,EAAM,eAAe,KAAA,EAAO;AAC9B,IAAA,MAAM,GAAA,GAAM,GAAA,CAAI,OAAA,CAAQ,iBAAiB,CAAA;AACzC,IAAA,MAAM,GAAA,GAAM,SAAS,GAAG,CAAA;AACxB,IAAA,IAAI,GAAA,EAAK;AACP,MAAA,OAAO,GAAA;AAAA,IACT;AACA,IAAA,MAAM,GAAA,GAAM,GAAA,CAAI,OAAA,CAAQ,WAAW,CAAA;AACnC,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,IAAY,GAAA,EAAK;AAClC,MAAA,OAAO,GAAA;AAAA,IACT;AAAA,EACF;AACA,EAAA,OAAQ,IAAI,MAAA,CAAkB,aAAA;AAChC;AAQA,eAAe,YACb,GAAA,EACiC;AACjC,EAAA,MAAM,MAAA,GAAS,GAAA,CAAI,MAAA,CAAO,WAAA,EAAY;AACtC,EAAA,IAAI,MAAA,KAAW,KAAA,IAAS,MAAA,KAAW,MAAA,IAAU,WAAW,SAAA,EAAW;AACjE,IAAA,OAAO,MAAA;AAAA,EACT;AAIA,EAAA,MAAM,OAAiB,GAAA,CAA2B,IAAA;AAClD,EAAA,IAAI,MAAA,CAAO,QAAA,CAAS,IAAI,CAAA,EAAG;AACzB,IAAA,OAAO,IAAI,WAAW,IAAI,CAAA;AAAA,EAC5B;AAGA,EAAA,OAAO,IAAI,OAAA,CAAoB,CAAC,OAAA,EAAS,MAAA,KAAW;AAClD,IAAA,MAAM,SAAmB,EAAC;AAC1B,IAAA,GAAA,CAAI,GAAG,MAAA,EAAQ,CAAC,UAAkB,MAAA,CAAO,IAAA,CAAK,KAAK,CAAC,CAAA;AACpD,IAAA,GAAA,CAAI,EAAA,CAAG,KAAA,EAAO,MAAM,OAAA,CAAQ,IAAI,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,MAAM,CAAC,CAAC,CAAC,CAAA;AAClE,IAAA,GAAA,CAAI,EAAA,CAAG,SAAS,MAAM,CAAA;AAAA,EACxB,CAAC,CAAA;AACH;AAOA,SAAS,sBAAA,CACP,KACA,SAAA,EACM;AACN,EAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,IAAA;AAAA,EACF;AACA,EAAA,GAAA,CAAI,MAAA,CAAO,MAAA,EAAQA,qBAAA,CAAc,SAAS,CAAC,CAAA;AAC3C,EAAA,GAAA,CAAI,SAAA,CAAU,eAAA,EAAiBC,0BAAA,CAAmB,SAAS,CAAC,CAAA;AAC9D;AAcA,eAAsB,eAAA,CACpB,KACA,MAAA,EACe;AACf,EAAA,GAAA,CAAI,MAAA,CAAO,OAAO,MAAM,CAAA;AACxB,EAAA,MAAA,CAAO,OAAA,CAAQ,OAAA,CAAQ,CAAC,KAAA,EAAO,GAAA,KAAQ;AACrC,IAAA,IAAI,GAAA,CAAI,WAAA,EAAY,KAAM,YAAA,EAAc;AACtC,MAAA,GAAA,CAAI,MAAA,CAAO,KAAK,KAAK,CAAA;AAAA,IACvB,CAAA,MAAO;AACL,MAAA,GAAA,CAAI,SAAA,CAAU,KAAK,KAAK,CAAA;AAAA,IAC1B;AAAA,EACF,CAAC,CAAA;AACD,EAAA,MAAM,MAAM,MAAA,CAAO,IAAA,CAAK,MAAM,MAAA,CAAO,aAAa,CAAA;AAClD,EAAA,GAAA,CAAI,KAAK,GAAG,CAAA;AACd;AAiBO,SAAS,eAAe,IAAA,EAK7B;AAIA,EAAA,MAAM,EAAA,GACJ,IAAA,EAAM,KAAA,IACNC,eAAA,CAAQ,IAAA,EAAM;AAAA,IACZ,gBAAA,EACE,IAAA,EAAM,gBAAA,IAAoBC,mCAAA,EAA4B;AAAA,IACxD,GAAI,MAAM,gBAAA,KAAqB,MAAA,GAC3B,EAAE,gBAAA,EAAkB,IAAA,CAAK,gBAAA,EAAiB,GAC1C;AAAC,GACN,CAAA;AAEH,EAAA,OAAO;AAAA,IACL,OAAA,CACE,SACA,CAAA,EACgB;AAEhB,MAAA,OAAO,eAAe,YAAA,CACpB,GAAA,EACA,GAAA,EACA,IAAA,EACe;AACf,QAAA,IAAI;AAEF,UAAA,MAAM,EAAA,GAAK,SAAA,CAAU,GAAA,EAAK,IAAI,CAAA;AAI9B,UAAA,MAAM,WAAA,GAAc,CAAA,EAAG,GAAA,CAAI,QAAQ,CAAA,GAAA,EAAM,GAAA,CAAI,GAAA,CAAI,MAAM,CAAA,IAAK,WAAW,CAAA,EAAG,GAAA,CAAI,WAAW,CAAA,CAAA;AACzF,UAAA,MAAM,UAAA,GAAa,YAAA,CAAa,GAAA,CAAI,OAAA,EAAS,EAAE,CAAA;AAE/C,UAAA,IAAI,OAAA;AACJ,UAAA,IAAI;AACF,YAAA,OAAA,GAAU,MAAM,YAAY,GAAG,CAAA;AAAA,UACjC,CAAA,CAAA,MAAQ;AAEN,YAAA,OAAA,GAAU,KAAA,CAAA;AAAA,UACZ;AAEA,UAAA,MAAM,MAAA,GAAS,IAAI,OAAA,CAAQ,WAAA,EAAa;AAAA,YACtC,QAAQ,GAAA,CAAI,MAAA;AAAA,YACZ,OAAA,EAAS,UAAA;AAAA,YACT,IAAA,EAAM,OAAA,KAAY,KAAA,CAAA,GAAY,OAAA,GAAU,KAAA,CAAA;AAAA;AAAA,YAExC,GAAI,OAAA,KAAY,KAAA,CAAA,GAAY,EAAE,MAAA,EAAQ,MAAA,KAAW;AAAC,WACpC,CAAA;AAGhB,UAAA,MAAM,OACH,GAAA,CAAI,MAAA,CAA8C,IAAA,IACnD,eAAA,CAAgB,IAAI,IAAI,CAAA;AAC1B,UAAA,MAAM,WAAW,MAAM,EAAA,CAAG,QAAQ,MAAA,EAAQ,EAAE,MAAM,CAAA;AAIlD,UAAA,IAAI,CAAC,SAAS,OAAA,EAAS;AACrB,YAAA,MAAM,kBAAA,GACJ,QAAA,CAAS,MAAA,KAAW,SAAA,IAAa,SAAS,MAAA,KAAW,kBAAA;AACvD,YAAA,IAAI,kBAAA,IAAsB,CAAA,EAAG,UAAA,KAAe,KAAA,CAAA,EAAW;AACrD,cAAA,sBAAA,CAAuB,GAAA,EAAK,MAAM,SAAS,CAAA;AAC3C,cAAA,MAAM,gBAAgB,GAAA,EAAKC,+BAAA,CAAwB,MAAM,WAAA,EAAa,CAAA,CAAE,UAAU,CAAC,CAAA;AACnF,cAAA;AAAA,YACF;AACA,YAAA,sBAAA,CAAuB,GAAA,EAAK,MAAM,SAAS,CAAA;AAC3C,YAAA,MAAM,eAAA,CAAgB,GAAA,EAAK,QAAA,CAAS,QAAA,EAAU,CAAA;AAC9C,YAAA;AAAA,UACF;AAGA,UAAA,IAAI,QAAA,CAAS,oBAAoB,KAAA,CAAA,EAAW;AAC1C,YAAA,GAAA,CAAI,SAAA,CAAU,kBAAA,EAAoB,QAAA,CAAS,eAAe,CAAA;AAAA,UAC5D;AACA,UAAA,sBAAA,CAAuB,GAAA,EAAK,MAAM,SAAS,CAAA;AAG3C,UAAA,OAAA,CAAQ,GAAA,EAAK,KAAK,IAAI,CAAA;AAAA,QACxB,SAAS,GAAA,EAAK;AAEZ,UAAA,IAAA,CAAK,GAAG,CAAA;AAAA,QACV;AAAA,MACF,CAAA;AAAA,IACF;AAAA,GACF;AACF","file":"index.cjs","sourcesContent":["/**\n * @verivyx/paywall-express\n *\n * Express adapter for the Verivyx paywall SDK.\n *\n * Thin layer — all gate logic lives in @verivyx/paywall core.\n * This module only handles:\n *   1. IP resolution from Express request.\n *   2. Converting Express IncomingMessage → Web Request.\n *   3. Calling core `protect()` (decision overload).\n *   4. Converting the Web Response back to Express response, OR calling the\n *      original Express handler when the request is allowed through.\n *\n * Mock-injection seam (for Tasks 18/19 to reuse):\n *   Pass `_core: verivyx.mock({...})` in options to bypass network.\n *   In production: omit `_core`; the adapter instantiates `verivyx(opts, deps)`.\n *\n * @example\n * ```ts\n * import { verivyxExpress } from \"@verivyx/paywall-express\";\n * const vx = verivyxExpress({ domain: \"example.com\", token: process.env.VX_TOKEN });\n * app.get(\"/articles/:slug\", vx.protect(myHandler));\n * ```\n */\n\nimport type { Request as ExpressRequest, RequestHandler, Response as ExpressResponse, NextFunction } from \"express\";\nimport {\n  verivyx,\n  createSearchCrawlerVerifier,\n  buildSeoPreviewResponse,\n  rslLinkHeader,\n  contentUsageHeader,\n} from \"@verivyx/paywall\";\nimport type { VerivyxOptions, Verivyx, DiscoveryOptions } from \"@verivyx/paywall\";\nimport type { IncomingHttpHeaders } from \"node:http\";\nimport type { Socket } from \"node:net\";\n\n// ---------------------------------------------------------------------------\n// Public types\n// ---------------------------------------------------------------------------\n\n/**\n * Options for the Express adapter.\n * Extends core VerivyxOptions with Express-specific IP resolution controls.\n */\nexport interface ExpressAdapterOptions extends VerivyxOptions {\n  /**\n   * When true (default), read the client IP from `X-Forwarded-For` /\n   * `X-Real-IP` headers (set by a trusted reverse proxy). Set to false if\n   * the Express app is not behind a proxy, to use the raw socket address.\n   */\n  trustProxy?: boolean;\n\n  /**\n   * Custom IP extractor. When provided, this overrides the built-in\n   * `trustProxy` / `X-Forwarded-For` logic entirely.\n   *\n   * @param req - The Express request object.\n   * @returns The resolved client IP, or undefined to fall back to socket.\n   */\n  clientIp?: (req: ExpressRequest) => string | undefined;\n\n  /**\n   * Override the reverse-DNS search-crawler verifier injected into the core.\n   * When omitted, `createSearchCrawlerVerifier()` is used (the Node.js impl).\n   */\n  verifyCrawlerDns?: (ip: string, ua: string) => Promise<boolean>;\n\n  /**\n   * Override the Web Bot Auth verifier injected into the core.\n   * When omitted, the core's bundled RFC 9421 verifier is used.\n   */\n  verifyWebBotAuth?: (req: Request) => Promise<boolean>;\n\n  /**\n   * @internal\n   * Inject a pre-built `Verivyx` core instance. Used in tests via\n   * `verivyx.mock({...})` to avoid any network access. Production code\n   * should never set this; omit it and the adapter constructs the real core.\n   *\n   * Pattern for Next.js / Hono adapters to reuse:\n   *   `const vx = opts?._core ?? verivyx(opts, { verifyCrawlerDns });`\n   */\n  _core?: Verivyx;\n\n  /**\n   * When set, attach RSL `Link` and AIPREF `Content-Usage` headers to both\n   * the denied (402) and allowed handler responses.\n   * Default undefined = OFF (no headers added; existing behavior unchanged).\n   */\n  advertise?: DiscoveryOptions;\n}\n\n// ---------------------------------------------------------------------------\n// Helpers\n// ---------------------------------------------------------------------------\n\n/**\n * Extract the first (client-most) hop from an `X-Forwarded-For` header.\n * The header may contain a comma-separated list; the leftmost is the client.\n */\nfunction firstHop(xff: string | string[] | undefined): string | undefined {\n  if (xff === undefined) {\n    return undefined;\n  }\n  const raw = Array.isArray(xff) ? xff[0] : xff;\n  if (!raw) {\n    return undefined;\n  }\n  const first = raw.split(\",\")[0];\n  return first !== undefined ? first.trim() || undefined : undefined;\n}\n\n/**\n * Extract the last non-empty path segment from a URL path string.\n * Used as a fallback slug when `req.params.slug` is not available.\n */\nfunction lastPathSegment(path: string): string {\n  const segments = path.split(\"/\").filter((s) => s.length > 0);\n  const last = segments[segments.length - 1];\n  return last !== undefined ? decodeURIComponent(last) : \"\";\n}\n\n/**\n * Build a `Headers` object from Node.js IncomingHttpHeaders, overriding\n * `x-real-ip` with the resolved (trusted) client IP so the core classifier\n * reads a reliable address.\n */\nfunction toWebHeaders(\n  nodeHeaders: IncomingHttpHeaders,\n  ip: string | undefined,\n): Headers {\n  const headers = new Headers();\n  for (const [key, value] of Object.entries(nodeHeaders)) {\n    if (value === undefined) {\n      continue;\n    }\n    if (Array.isArray(value)) {\n      for (const v of value) {\n        headers.append(key, v);\n      }\n    } else {\n      headers.set(key, value);\n    }\n  }\n  if (ip !== undefined) {\n    headers.set(\"x-real-ip\", ip);\n  }\n  return headers;\n}\n\n/**\n * Resolve the client IP from an Express request.\n *\n * Precedence:\n *   1. `opts.clientIp(req)` — caller-supplied extractor (highest precedence).\n *   2. `X-Forwarded-For` first hop (when trustProxy !== false).\n *   3. `X-Real-IP` header (when trustProxy !== false).\n *   4. `req.socket.remoteAddress` — raw TCP peer (lowest precedence).\n */\nfunction resolveIp(\n  req: ExpressRequest,\n  opts: ExpressAdapterOptions | undefined,\n): string | undefined {\n  if (opts?.clientIp) {\n    return opts.clientIp(req);\n  }\n  if (opts?.trustProxy !== false) {\n    const xff = req.headers[\"x-forwarded-for\"];\n    const hop = firstHop(xff);\n    if (hop) {\n      return hop;\n    }\n    const xri = req.headers[\"x-real-ip\"];\n    if (typeof xri === \"string\" && xri) {\n      return xri;\n    }\n  }\n  return (req.socket as Socket).remoteAddress;\n}\n\n/**\n * Collect the raw request body into a Uint8Array.\n * Returns undefined for requests with no body (GET / HEAD / OPTIONS).\n * Express may have already consumed the stream with a body parser — if\n * `req.body` is already populated as a Buffer we use that directly.\n */\nasync function readRawBody(\n  req: ExpressRequest,\n): Promise<Uint8Array | undefined> {\n  const method = req.method.toUpperCase();\n  if (method === \"GET\" || method === \"HEAD\" || method === \"OPTIONS\") {\n    return undefined;\n  }\n\n  // Express body-parser may have already consumed and parsed the stream.\n  // If `req.body` is a Buffer, use it directly.\n  const body: unknown = (req as { body?: unknown }).body;\n  if (Buffer.isBuffer(body)) {\n    return new Uint8Array(body);\n  }\n\n  // Otherwise collect the raw stream.\n  return new Promise<Uint8Array>((resolve, reject) => {\n    const chunks: Buffer[] = [];\n    req.on(\"data\", (chunk: Buffer) => chunks.push(chunk));\n    req.on(\"end\", () => resolve(new Uint8Array(Buffer.concat(chunks))));\n    req.on(\"error\", reject);\n  });\n}\n\n/**\n * Attach RSL + AIPREF discovery headers to an Express response.\n * Appends to any existing `Link` (preserves prior values); sets `Content-Usage`.\n * No-op when `advertise` is undefined.\n */\nfunction attachAdvertiseHeaders(\n  res: ExpressResponse,\n  advertise: DiscoveryOptions | undefined,\n): void {\n  if (advertise === undefined) {\n    return;\n  }\n  res.append(\"Link\", rslLinkHeader(advertise));\n  res.setHeader(\"Content-Usage\", contentUsageHeader(advertise));\n}\n\n/**\n * Convert a Web API `Response` to an Express response.\n * Copies status, all response headers, and the body.\n *\n * @internal Exported for unit-testing the Set-Cookie accumulation fix.\n * Production callers should use the `protect()` middleware instead.\n *\n * Set-Cookie is special: `Headers.forEach` emits each cookie as a separate\n * call with the same key, and `res.setHeader` REPLACES on repeated same-key\n * calls — so all but the last cookie would be silently dropped.\n * `res.append` accumulates values into an array, preserving every cookie.\n */\nexport async function sendWebResponse(\n  res: ExpressResponse,\n  webRes: Response,\n): Promise<void> {\n  res.status(webRes.status);\n  webRes.headers.forEach((value, key) => {\n    if (key.toLowerCase() === \"set-cookie\") {\n      res.append(key, value);\n    } else {\n      res.setHeader(key, value);\n    }\n  });\n  const buf = Buffer.from(await webRes.arrayBuffer());\n  res.send(buf);\n}\n\n// ---------------------------------------------------------------------------\n// Adapter factory\n// ---------------------------------------------------------------------------\n\n/**\n * Create a Verivyx Express adapter.\n *\n * Returns an object with a single `protect(handler)` method that wraps an\n * Express `RequestHandler` behind the Verivyx paywall gate.\n *\n * ```ts\n * const vx = verivyxExpress({ domain: \"example.com\", token: \"...\" });\n * app.get(\"/articles/:slug\", vx.protect(myHandler));\n * ```\n */\nexport function verivyxExpress(opts?: ExpressAdapterOptions): {\n  protect(\n    handler: RequestHandler,\n    o?: { seoPreview?: (c: { slug: string }) => { title: string; excerpt: string } },\n  ): RequestHandler;\n} {\n  // Resolve the core: use the injected `_core` (tests) or build the real one.\n  // Only pass `verifyWebBotAuth` to the core deps when the caller overrode it;\n  // the core bundled default is correct otherwise.\n  const vx: Verivyx =\n    opts?._core ??\n    verivyx(opts, {\n      verifyCrawlerDns:\n        opts?.verifyCrawlerDns ?? createSearchCrawlerVerifier(),\n      ...(opts?.verifyWebBotAuth !== undefined\n        ? { verifyWebBotAuth: opts.verifyWebBotAuth }\n        : {}),\n    });\n\n  return {\n    protect(\n      handler: RequestHandler,\n      o?: { seoPreview?: (c: { slug: string }) => { title: string; excerpt: string } },\n    ): RequestHandler {\n      // Return an async Express handler (req, res, next).\n      return async function verivyxGuard(\n        req: ExpressRequest,\n        res: ExpressResponse,\n        next: NextFunction,\n      ): Promise<void> {\n        try {\n          // 1. Resolve trusted client IP.\n          const ip = resolveIp(req, opts);\n\n          // 2. Build a Web Request from the Express request.\n          //    Absolute URL is required for the core's URL-based slug derivation.\n          const absoluteUrl = `${req.protocol}://${req.get(\"host\") ?? \"localhost\"}${req.originalUrl}`;\n          const webHeaders = toWebHeaders(req.headers, ip);\n\n          let rawBody: Uint8Array | undefined;\n          try {\n            rawBody = await readRawBody(req);\n          } catch {\n            // Body read failure — proceed with no body (safe: auth/classify do not need it).\n            rawBody = undefined;\n          }\n\n          const webReq = new Request(absoluteUrl, {\n            method: req.method,\n            headers: webHeaders,\n            body: rawBody !== undefined ? rawBody : undefined,\n            // duplex required for request bodies in some environments\n            ...(rawBody !== undefined ? { duplex: \"half\" } : {}),\n          } as RequestInit);\n\n          // 3. Ask the core to evaluate the request (decision overload).\n          const slug =\n            (req.params as Record<string, string | undefined>).slug ??\n            lastPathSegment(req.path);\n          const decision = await vx.protect(webReq, { slug });\n\n          // 4a. Denied — check if this is a crawler/human-unverified that we can\n          //     serve an SEO preview to instead of a bare 402.\n          if (!decision.allowed) {\n            const isPreviewCandidate =\n              decision.reason === \"crawler\" || decision.reason === \"human-unverified\";\n            if (isPreviewCandidate && o?.seoPreview !== undefined) {\n              attachAdvertiseHeaders(res, opts?.advertise);\n              await sendWebResponse(res, buildSeoPreviewResponse(slug, absoluteUrl, o.seoPreview));\n              return;\n            }\n            attachAdvertiseHeaders(res, opts?.advertise);\n            await sendWebResponse(res, decision.response());\n            return;\n          }\n\n          // 4b. Allowed — if a payment receipt was returned, attach it first.\n          if (decision.paymentResponse !== undefined) {\n            res.setHeader(\"PAYMENT-RESPONSE\", decision.paymentResponse);\n          }\n          attachAdvertiseHeaders(res, opts?.advertise);\n\n          // Delegate to the original Express handler.\n          handler(req, res, next);\n        } catch (err) {\n          // Propagate to Express error-handling middleware.\n          next(err);\n        }\n      };\n    },\n  };\n}\n"]}

package/dist/index.d.cts

@@ -0,0 +1,110 @@
+import { Request as Request$1, Response as Response$1, RequestHandler } from 'express';
+import { VerivyxOptions, Verivyx, DiscoveryOptions } from '@verivyx/paywall';
+
+/**
+ * @verivyx/paywall-express
+ *
+ * Express adapter for the Verivyx paywall SDK.
+ *
+ * Thin layer — all gate logic lives in @verivyx/paywall core.
+ * This module only handles:
+ *   1. IP resolution from Express request.
+ *   2. Converting Express IncomingMessage → Web Request.
+ *   3. Calling core `protect()` (decision overload).
+ *   4. Converting the Web Response back to Express response, OR calling the
+ *      original Express handler when the request is allowed through.
+ *
+ * Mock-injection seam (for Tasks 18/19 to reuse):
+ *   Pass `_core: verivyx.mock({...})` in options to bypass network.
+ *   In production: omit `_core`; the adapter instantiates `verivyx(opts, deps)`.
+ *
+ * @example
+ * ```ts
+ * import { verivyxExpress } from "@verivyx/paywall-express";
+ * const vx = verivyxExpress({ domain: "example.com", token: process.env.VX_TOKEN });
+ * app.get("/articles/:slug", vx.protect(myHandler));
+ * ```
+ */
+
+/**
+ * Options for the Express adapter.
+ * Extends core VerivyxOptions with Express-specific IP resolution controls.
+ */
+interface ExpressAdapterOptions extends VerivyxOptions {
+    /**
+     * When true (default), read the client IP from `X-Forwarded-For` /
+     * `X-Real-IP` headers (set by a trusted reverse proxy). Set to false if
+     * the Express app is not behind a proxy, to use the raw socket address.
+     */
+    trustProxy?: boolean;
+    /**
+     * Custom IP extractor. When provided, this overrides the built-in
+     * `trustProxy` / `X-Forwarded-For` logic entirely.
+     *
+     * @param req - The Express request object.
+     * @returns The resolved client IP, or undefined to fall back to socket.
+     */
+    clientIp?: (req: Request$1) => string | undefined;
+    /**
+     * Override the reverse-DNS search-crawler verifier injected into the core.
+     * When omitted, `createSearchCrawlerVerifier()` is used (the Node.js impl).
+     */
+    verifyCrawlerDns?: (ip: string, ua: string) => Promise<boolean>;
+    /**
+     * Override the Web Bot Auth verifier injected into the core.
+     * When omitted, the core's bundled RFC 9421 verifier is used.
+     */
+    verifyWebBotAuth?: (req: Request) => Promise<boolean>;
+    /**
+     * @internal
+     * Inject a pre-built `Verivyx` core instance. Used in tests via
+     * `verivyx.mock({...})` to avoid any network access. Production code
+     * should never set this; omit it and the adapter constructs the real core.
+     *
+     * Pattern for Next.js / Hono adapters to reuse:
+     *   `const vx = opts?._core ?? verivyx(opts, { verifyCrawlerDns });`
+     */
+    _core?: Verivyx;
+    /**
+     * When set, attach RSL `Link` and AIPREF `Content-Usage` headers to both
+     * the denied (402) and allowed handler responses.
+     * Default undefined = OFF (no headers added; existing behavior unchanged).
+     */
+    advertise?: DiscoveryOptions;
+}
+/**
+ * Convert a Web API `Response` to an Express response.
+ * Copies status, all response headers, and the body.
+ *
+ * @internal Exported for unit-testing the Set-Cookie accumulation fix.
+ * Production callers should use the `protect()` middleware instead.
+ *
+ * Set-Cookie is special: `Headers.forEach` emits each cookie as a separate
+ * call with the same key, and `res.setHeader` REPLACES on repeated same-key
+ * calls — so all but the last cookie would be silently dropped.
+ * `res.append` accumulates values into an array, preserving every cookie.
+ */
+declare function sendWebResponse(res: Response$1, webRes: Response): Promise<void>;
+/**
+ * Create a Verivyx Express adapter.
+ *
+ * Returns an object with a single `protect(handler)` method that wraps an
+ * Express `RequestHandler` behind the Verivyx paywall gate.
+ *
+ * ```ts
+ * const vx = verivyxExpress({ domain: "example.com", token: "..." });
+ * app.get("/articles/:slug", vx.protect(myHandler));
+ * ```
+ */
+declare function verivyxExpress(opts?: ExpressAdapterOptions): {
+    protect(handler: RequestHandler, o?: {
+        seoPreview?: (c: {
+            slug: string;
+        }) => {
+            title: string;
+            excerpt: string;
+        };
+    }): RequestHandler;
+};
+
+export { type ExpressAdapterOptions, sendWebResponse, verivyxExpress };

package/dist/index.d.ts

@@ -0,0 +1,110 @@
+import { Request as Request$1, Response as Response$1, RequestHandler } from 'express';
+import { VerivyxOptions, Verivyx, DiscoveryOptions } from '@verivyx/paywall';
+
+/**
+ * @verivyx/paywall-express
+ *
+ * Express adapter for the Verivyx paywall SDK.
+ *
+ * Thin layer — all gate logic lives in @verivyx/paywall core.
+ * This module only handles:
+ *   1. IP resolution from Express request.
+ *   2. Converting Express IncomingMessage → Web Request.
+ *   3. Calling core `protect()` (decision overload).
+ *   4. Converting the Web Response back to Express response, OR calling the
+ *      original Express handler when the request is allowed through.
+ *
+ * Mock-injection seam (for Tasks 18/19 to reuse):
+ *   Pass `_core: verivyx.mock({...})` in options to bypass network.
+ *   In production: omit `_core`; the adapter instantiates `verivyx(opts, deps)`.
+ *
+ * @example
+ * ```ts
+ * import { verivyxExpress } from "@verivyx/paywall-express";
+ * const vx = verivyxExpress({ domain: "example.com", token: process.env.VX_TOKEN });
+ * app.get("/articles/:slug", vx.protect(myHandler));
+ * ```
+ */
+
+/**
+ * Options for the Express adapter.
+ * Extends core VerivyxOptions with Express-specific IP resolution controls.
+ */
+interface ExpressAdapterOptions extends VerivyxOptions {
+    /**
+     * When true (default), read the client IP from `X-Forwarded-For` /
+     * `X-Real-IP` headers (set by a trusted reverse proxy). Set to false if
+     * the Express app is not behind a proxy, to use the raw socket address.
+     */
+    trustProxy?: boolean;
+    /**
+     * Custom IP extractor. When provided, this overrides the built-in
+     * `trustProxy` / `X-Forwarded-For` logic entirely.
+     *
+     * @param req - The Express request object.
+     * @returns The resolved client IP, or undefined to fall back to socket.
+     */
+    clientIp?: (req: Request$1) => string | undefined;
+    /**
+     * Override the reverse-DNS search-crawler verifier injected into the core.
+     * When omitted, `createSearchCrawlerVerifier()` is used (the Node.js impl).
+     */
+    verifyCrawlerDns?: (ip: string, ua: string) => Promise<boolean>;
+    /**
+     * Override the Web Bot Auth verifier injected into the core.
+     * When omitted, the core's bundled RFC 9421 verifier is used.
+     */
+    verifyWebBotAuth?: (req: Request) => Promise<boolean>;
+    /**
+     * @internal
+     * Inject a pre-built `Verivyx` core instance. Used in tests via
+     * `verivyx.mock({...})` to avoid any network access. Production code
+     * should never set this; omit it and the adapter constructs the real core.
+     *
+     * Pattern for Next.js / Hono adapters to reuse:
+     *   `const vx = opts?._core ?? verivyx(opts, { verifyCrawlerDns });`
+     */
+    _core?: Verivyx;
+    /**
+     * When set, attach RSL `Link` and AIPREF `Content-Usage` headers to both
+     * the denied (402) and allowed handler responses.
+     * Default undefined = OFF (no headers added; existing behavior unchanged).
+     */
+    advertise?: DiscoveryOptions;
+}
+/**
+ * Convert a Web API `Response` to an Express response.
+ * Copies status, all response headers, and the body.
+ *
+ * @internal Exported for unit-testing the Set-Cookie accumulation fix.
+ * Production callers should use the `protect()` middleware instead.
+ *
+ * Set-Cookie is special: `Headers.forEach` emits each cookie as a separate
+ * call with the same key, and `res.setHeader` REPLACES on repeated same-key
+ * calls — so all but the last cookie would be silently dropped.
+ * `res.append` accumulates values into an array, preserving every cookie.
+ */
+declare function sendWebResponse(res: Response$1, webRes: Response): Promise<void>;
+/**
+ * Create a Verivyx Express adapter.
+ *
+ * Returns an object with a single `protect(handler)` method that wraps an
+ * Express `RequestHandler` behind the Verivyx paywall gate.
+ *
+ * ```ts
+ * const vx = verivyxExpress({ domain: "example.com", token: "..." });
+ * app.get("/articles/:slug", vx.protect(myHandler));
+ * ```
+ */
+declare function verivyxExpress(opts?: ExpressAdapterOptions): {
+    protect(handler: RequestHandler, o?: {
+        seoPreview?: (c: {
+            slug: string;
+        }) => {
+            title: string;
+            excerpt: string;
+        };
+    }): RequestHandler;
+};
+
+export { type ExpressAdapterOptions, sendWebResponse, verivyxExpress };

package/dist/index.js

@@ -0,0 +1,144 @@
+import { verivyx, createSearchCrawlerVerifier, buildSeoPreviewResponse, rslLinkHeader, contentUsageHeader } from '@verivyx/paywall';
+
+// src/index.ts
+function firstHop(xff) {
+  if (xff === void 0) {
+    return void 0;
+  }
+  const raw = Array.isArray(xff) ? xff[0] : xff;
+  if (!raw) {
+    return void 0;
+  }
+  const first = raw.split(",")[0];
+  return first !== void 0 ? first.trim() || void 0 : void 0;
+}
+function lastPathSegment(path) {
+  const segments = path.split("/").filter((s) => s.length > 0);
+  const last = segments[segments.length - 1];
+  return last !== void 0 ? decodeURIComponent(last) : "";
+}
+function toWebHeaders(nodeHeaders, ip) {
+  const headers = new Headers();
+  for (const [key, value] of Object.entries(nodeHeaders)) {
+    if (value === void 0) {
+      continue;
+    }
+    if (Array.isArray(value)) {
+      for (const v of value) {
+        headers.append(key, v);
+      }
+    } else {
+      headers.set(key, value);
+    }
+  }
+  if (ip !== void 0) {
+    headers.set("x-real-ip", ip);
+  }
+  return headers;
+}
+function resolveIp(req, opts) {
+  if (opts?.clientIp) {
+    return opts.clientIp(req);
+  }
+  if (opts?.trustProxy !== false) {
+    const xff = req.headers["x-forwarded-for"];
+    const hop = firstHop(xff);
+    if (hop) {
+      return hop;
+    }
+    const xri = req.headers["x-real-ip"];
+    if (typeof xri === "string" && xri) {
+      return xri;
+    }
+  }
+  return req.socket.remoteAddress;
+}
+async function readRawBody(req) {
+  const method = req.method.toUpperCase();
+  if (method === "GET" || method === "HEAD" || method === "OPTIONS") {
+    return void 0;
+  }
+  const body = req.body;
+  if (Buffer.isBuffer(body)) {
+    return new Uint8Array(body);
+  }
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    req.on("data", (chunk) => chunks.push(chunk));
+    req.on("end", () => resolve(new Uint8Array(Buffer.concat(chunks))));
+    req.on("error", reject);
+  });
+}
+function attachAdvertiseHeaders(res, advertise) {
+  if (advertise === void 0) {
+    return;
+  }
+  res.append("Link", rslLinkHeader(advertise));
+  res.setHeader("Content-Usage", contentUsageHeader(advertise));
+}
+async function sendWebResponse(res, webRes) {
+  res.status(webRes.status);
+  webRes.headers.forEach((value, key) => {
+    if (key.toLowerCase() === "set-cookie") {
+      res.append(key, value);
+    } else {
+      res.setHeader(key, value);
+    }
+  });
+  const buf = Buffer.from(await webRes.arrayBuffer());
+  res.send(buf);
+}
+function verivyxExpress(opts) {
+  const vx = opts?._core ?? verivyx(opts, {
+    verifyCrawlerDns: opts?.verifyCrawlerDns ?? createSearchCrawlerVerifier(),
+    ...opts?.verifyWebBotAuth !== void 0 ? { verifyWebBotAuth: opts.verifyWebBotAuth } : {}
+  });
+  return {
+    protect(handler, o) {
+      return async function verivyxGuard(req, res, next) {
+        try {
+          const ip = resolveIp(req, opts);
+          const absoluteUrl = `${req.protocol}://${req.get("host") ?? "localhost"}${req.originalUrl}`;
+          const webHeaders = toWebHeaders(req.headers, ip);
+          let rawBody;
+          try {
+            rawBody = await readRawBody(req);
+          } catch {
+            rawBody = void 0;
+          }
+          const webReq = new Request(absoluteUrl, {
+            method: req.method,
+            headers: webHeaders,
+            body: rawBody !== void 0 ? rawBody : void 0,
+            // duplex required for request bodies in some environments
+            ...rawBody !== void 0 ? { duplex: "half" } : {}
+          });
+          const slug = req.params.slug ?? lastPathSegment(req.path);
+          const decision = await vx.protect(webReq, { slug });
+          if (!decision.allowed) {
+            const isPreviewCandidate = decision.reason === "crawler" || decision.reason === "human-unverified";
+            if (isPreviewCandidate && o?.seoPreview !== void 0) {
+              attachAdvertiseHeaders(res, opts?.advertise);
+              await sendWebResponse(res, buildSeoPreviewResponse(slug, absoluteUrl, o.seoPreview));
+              return;
+            }
+            attachAdvertiseHeaders(res, opts?.advertise);
+            await sendWebResponse(res, decision.response());
+            return;
+          }
+          if (decision.paymentResponse !== void 0) {
+            res.setHeader("PAYMENT-RESPONSE", decision.paymentResponse);
+          }
+          attachAdvertiseHeaders(res, opts?.advertise);
+          handler(req, res, next);
+        } catch (err) {
+          next(err);
+        }
+      };
+    }
+  };
+}
+
+export { sendWebResponse, verivyxExpress };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"names":[],"mappings":";;;AAqGA,SAAS,SAAS,GAAA,EAAwD;AACxE,EAAA,IAAI,QAAQ,MAAA,EAAW;AACrB,IAAA,OAAO,MAAA;AAAA,EACT;AACA,EAAA,MAAM,MAAM,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,GAAI,GAAA,CAAI,CAAC,CAAA,GAAI,GAAA;AAC1C,EAAA,IAAI,CAAC,GAAA,EAAK;AACR,IAAA,OAAO,MAAA;AAAA,EACT;AACA,EAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,KAAA,CAAM,GAAG,EAAE,CAAC,CAAA;AAC9B,EAAA,OAAO,KAAA,KAAU,MAAA,GAAY,KAAA,CAAM,IAAA,MAAU,MAAA,GAAY,MAAA;AAC3D;AAMA,SAAS,gBAAgB,IAAA,EAAsB;AAC7C,EAAA,MAAM,QAAA,GAAW,IAAA,CAAK,KAAA,CAAM,GAAG,CAAA,CAAE,OAAO,CAAC,CAAA,KAAM,CAAA,CAAE,MAAA,GAAS,CAAC,CAAA;AAC3D,EAAA,MAAM,IAAA,GAAO,QAAA,CAAS,QAAA,CAAS,MAAA,GAAS,CAAC,CAAA;AACzC,EAAA,OAAO,IAAA,KAAS,MAAA,GAAY,kBAAA,CAAmB,IAAI,CAAA,GAAI,EAAA;AACzD;AAOA,SAAS,YAAA,CACP,aACA,EAAA,EACS;AACT,EAAA,MAAM,OAAA,GAAU,IAAI,OAAA,EAAQ;AAC5B,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,WAAW,CAAA,EAAG;AACtD,IAAA,IAAI,UAAU,MAAA,EAAW;AACvB,MAAA;AAAA,IACF;AACA,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACxB,MAAA,KAAA,MAAW,KAAK,KAAA,EAAO;AACrB,QAAA,OAAA,CAAQ,MAAA,CAAO,KAAK,CAAC,CAAA;AAAA,MACvB;AAAA,IACF,CAAA,MAAO;AACL,MAAA,OAAA,CAAQ,GAAA,CAAI,KAAK,KAAK,CAAA;AAAA,IACxB;AAAA,EACF;AACA,EAAA,IAAI,OAAO,MAAA,EAAW;AACpB,IAAA,OAAA,CAAQ,GAAA,CAAI,aAAa,EAAE,CAAA;AAAA,EAC7B;AACA,EAAA,OAAO,OAAA;AACT;AAWA,SAAS,SAAA,CACP,KACA,IAAA,EACoB;AACpB,EAAA,IAAI,MAAM,QAAA,EAAU;AAClB,IAAA,OAAO,IAAA,CAAK,SAAS,GAAG,CAAA;AAAA,EAC1B;AACA,EAAA,IAAI,IAAA,EAAM,eAAe,KAAA,EAAO;AAC9B,IAAA,MAAM,GAAA,GAAM,GAAA,CAAI,OAAA,CAAQ,iBAAiB,CAAA;AACzC,IAAA,MAAM,GAAA,GAAM,SAAS,GAAG,CAAA;AACxB,IAAA,IAAI,GAAA,EAAK;AACP,MAAA,OAAO,GAAA;AAAA,IACT;AACA,IAAA,MAAM,GAAA,GAAM,GAAA,CAAI,OAAA,CAAQ,WAAW,CAAA;AACnC,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,IAAY,GAAA,EAAK;AAClC,MAAA,OAAO,GAAA;AAAA,IACT;AAAA,EACF;AACA,EAAA,OAAQ,IAAI,MAAA,CAAkB,aAAA;AAChC;AAQA,eAAe,YACb,GAAA,EACiC;AACjC,EAAA,MAAM,MAAA,GAAS,GAAA,CAAI,MAAA,CAAO,WAAA,EAAY;AACtC,EAAA,IAAI,MAAA,KAAW,KAAA,IAAS,MAAA,KAAW,MAAA,IAAU,WAAW,SAAA,EAAW;AACjE,IAAA,OAAO,MAAA;AAAA,EACT;AAIA,EAAA,MAAM,OAAiB,GAAA,CAA2B,IAAA;AAClD,EAAA,IAAI,MAAA,CAAO,QAAA,CAAS,IAAI,CAAA,EAAG;AACzB,IAAA,OAAO,IAAI,WAAW,IAAI,CAAA;AAAA,EAC5B;AAGA,EAAA,OAAO,IAAI,OAAA,CAAoB,CAAC,OAAA,EAAS,MAAA,KAAW;AAClD,IAAA,MAAM,SAAmB,EAAC;AAC1B,IAAA,GAAA,CAAI,GAAG,MAAA,EAAQ,CAAC,UAAkB,MAAA,CAAO,IAAA,CAAK,KAAK,CAAC,CAAA;AACpD,IAAA,GAAA,CAAI,EAAA,CAAG,KAAA,EAAO,MAAM,OAAA,CAAQ,IAAI,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,MAAM,CAAC,CAAC,CAAC,CAAA;AAClE,IAAA,GAAA,CAAI,EAAA,CAAG,SAAS,MAAM,CAAA;AAAA,EACxB,CAAC,CAAA;AACH;AAOA,SAAS,sBAAA,CACP,KACA,SAAA,EACM;AACN,EAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,IAAA;AAAA,EACF;AACA,EAAA,GAAA,CAAI,MAAA,CAAO,MAAA,EAAQ,aAAA,CAAc,SAAS,CAAC,CAAA;AAC3C,EAAA,GAAA,CAAI,SAAA,CAAU,eAAA,EAAiB,kBAAA,CAAmB,SAAS,CAAC,CAAA;AAC9D;AAcA,eAAsB,eAAA,CACpB,KACA,MAAA,EACe;AACf,EAAA,GAAA,CAAI,MAAA,CAAO,OAAO,MAAM,CAAA;AACxB,EAAA,MAAA,CAAO,OAAA,CAAQ,OAAA,CAAQ,CAAC,KAAA,EAAO,GAAA,KAAQ;AACrC,IAAA,IAAI,GAAA,CAAI,WAAA,EAAY,KAAM,YAAA,EAAc;AACtC,MAAA,GAAA,CAAI,MAAA,CAAO,KAAK,KAAK,CAAA;AAAA,IACvB,CAAA,MAAO;AACL,MAAA,GAAA,CAAI,SAAA,CAAU,KAAK,KAAK,CAAA;AAAA,IAC1B;AAAA,EACF,CAAC,CAAA;AACD,EAAA,MAAM,MAAM,MAAA,CAAO,IAAA,CAAK,MAAM,MAAA,CAAO,aAAa,CAAA;AAClD,EAAA,GAAA,CAAI,KAAK,GAAG,CAAA;AACd;AAiBO,SAAS,eAAe,IAAA,EAK7B;AAIA,EAAA,MAAM,EAAA,GACJ,IAAA,EAAM,KAAA,IACN,OAAA,CAAQ,IAAA,EAAM;AAAA,IACZ,gBAAA,EACE,IAAA,EAAM,gBAAA,IAAoB,2BAAA,EAA4B;AAAA,IACxD,GAAI,MAAM,gBAAA,KAAqB,MAAA,GAC3B,EAAE,gBAAA,EAAkB,IAAA,CAAK,gBAAA,EAAiB,GAC1C;AAAC,GACN,CAAA;AAEH,EAAA,OAAO;AAAA,IACL,OAAA,CACE,SACA,CAAA,EACgB;AAEhB,MAAA,OAAO,eAAe,YAAA,CACpB,GAAA,EACA,GAAA,EACA,IAAA,EACe;AACf,QAAA,IAAI;AAEF,UAAA,MAAM,EAAA,GAAK,SAAA,CAAU,GAAA,EAAK,IAAI,CAAA;AAI9B,UAAA,MAAM,WAAA,GAAc,CAAA,EAAG,GAAA,CAAI,QAAQ,CAAA,GAAA,EAAM,GAAA,CAAI,GAAA,CAAI,MAAM,CAAA,IAAK,WAAW,CAAA,EAAG,GAAA,CAAI,WAAW,CAAA,CAAA;AACzF,UAAA,MAAM,UAAA,GAAa,YAAA,CAAa,GAAA,CAAI,OAAA,EAAS,EAAE,CAAA;AAE/C,UAAA,IAAI,OAAA;AACJ,UAAA,IAAI;AACF,YAAA,OAAA,GAAU,MAAM,YAAY,GAAG,CAAA;AAAA,UACjC,CAAA,CAAA,MAAQ;AAEN,YAAA,OAAA,GAAU,KAAA,CAAA;AAAA,UACZ;AAEA,UAAA,MAAM,MAAA,GAAS,IAAI,OAAA,CAAQ,WAAA,EAAa;AAAA,YACtC,QAAQ,GAAA,CAAI,MAAA;AAAA,YACZ,OAAA,EAAS,UAAA;AAAA,YACT,IAAA,EAAM,OAAA,KAAY,KAAA,CAAA,GAAY,OAAA,GAAU,KAAA,CAAA;AAAA;AAAA,YAExC,GAAI,OAAA,KAAY,KAAA,CAAA,GAAY,EAAE,MAAA,EAAQ,MAAA,KAAW;AAAC,WACpC,CAAA;AAGhB,UAAA,MAAM,OACH,GAAA,CAAI,MAAA,CAA8C,IAAA,IACnD,eAAA,CAAgB,IAAI,IAAI,CAAA;AAC1B,UAAA,MAAM,WAAW,MAAM,EAAA,CAAG,QAAQ,MAAA,EAAQ,EAAE,MAAM,CAAA;AAIlD,UAAA,IAAI,CAAC,SAAS,OAAA,EAAS;AACrB,YAAA,MAAM,kBAAA,GACJ,QAAA,CAAS,MAAA,KAAW,SAAA,IAAa,SAAS,MAAA,KAAW,kBAAA;AACvD,YAAA,IAAI,kBAAA,IAAsB,CAAA,EAAG,UAAA,KAAe,KAAA,CAAA,EAAW;AACrD,cAAA,sBAAA,CAAuB,GAAA,EAAK,MAAM,SAAS,CAAA;AAC3C,cAAA,MAAM,gBAAgB,GAAA,EAAK,uBAAA,CAAwB,MAAM,WAAA,EAAa,CAAA,CAAE,UAAU,CAAC,CAAA;AACnF,cAAA;AAAA,YACF;AACA,YAAA,sBAAA,CAAuB,GAAA,EAAK,MAAM,SAAS,CAAA;AAC3C,YAAA,MAAM,eAAA,CAAgB,GAAA,EAAK,QAAA,CAAS,QAAA,EAAU,CAAA;AAC9C,YAAA;AAAA,UACF;AAGA,UAAA,IAAI,QAAA,CAAS,oBAAoB,KAAA,CAAA,EAAW;AAC1C,YAAA,GAAA,CAAI,SAAA,CAAU,kBAAA,EAAoB,QAAA,CAAS,eAAe,CAAA;AAAA,UAC5D;AACA,UAAA,sBAAA,CAAuB,GAAA,EAAK,MAAM,SAAS,CAAA;AAG3C,UAAA,OAAA,CAAQ,GAAA,EAAK,KAAK,IAAI,CAAA;AAAA,QACxB,SAAS,GAAA,EAAK;AAEZ,UAAA,IAAA,CAAK,GAAG,CAAA;AAAA,QACV;AAAA,MACF,CAAA;AAAA,IACF;AAAA,GACF;AACF","file":"index.js","sourcesContent":["/**\n * @verivyx/paywall-express\n *\n * Express adapter for the Verivyx paywall SDK.\n *\n * Thin layer — all gate logic lives in @verivyx/paywall core.\n * This module only handles:\n *   1. IP resolution from Express request.\n *   2. Converting Express IncomingMessage → Web Request.\n *   3. Calling core `protect()` (decision overload).\n *   4. Converting the Web Response back to Express response, OR calling the\n *      original Express handler when the request is allowed through.\n *\n * Mock-injection seam (for Tasks 18/19 to reuse):\n *   Pass `_core: verivyx.mock({...})` in options to bypass network.\n *   In production: omit `_core`; the adapter instantiates `verivyx(opts, deps)`.\n *\n * @example\n * ```ts\n * import { verivyxExpress } from \"@verivyx/paywall-express\";\n * const vx = verivyxExpress({ domain: \"example.com\", token: process.env.VX_TOKEN });\n * app.get(\"/articles/:slug\", vx.protect(myHandler));\n * ```\n */\n\nimport type { Request as ExpressRequest, RequestHandler, Response as ExpressResponse, NextFunction } from \"express\";\nimport {\n  verivyx,\n  createSearchCrawlerVerifier,\n  buildSeoPreviewResponse,\n  rslLinkHeader,\n  contentUsageHeader,\n} from \"@verivyx/paywall\";\nimport type { VerivyxOptions, Verivyx, DiscoveryOptions } from \"@verivyx/paywall\";\nimport type { IncomingHttpHeaders } from \"node:http\";\nimport type { Socket } from \"node:net\";\n\n// ---------------------------------------------------------------------------\n// Public types\n// ---------------------------------------------------------------------------\n\n/**\n * Options for the Express adapter.\n * Extends core VerivyxOptions with Express-specific IP resolution controls.\n */\nexport interface ExpressAdapterOptions extends VerivyxOptions {\n  /**\n   * When true (default), read the client IP from `X-Forwarded-For` /\n   * `X-Real-IP` headers (set by a trusted reverse proxy). Set to false if\n   * the Express app is not behind a proxy, to use the raw socket address.\n   */\n  trustProxy?: boolean;\n\n  /**\n   * Custom IP extractor. When provided, this overrides the built-in\n   * `trustProxy` / `X-Forwarded-For` logic entirely.\n   *\n   * @param req - The Express request object.\n   * @returns The resolved client IP, or undefined to fall back to socket.\n   */\n  clientIp?: (req: ExpressRequest) => string | undefined;\n\n  /**\n   * Override the reverse-DNS search-crawler verifier injected into the core.\n   * When omitted, `createSearchCrawlerVerifier()` is used (the Node.js impl).\n   */\n  verifyCrawlerDns?: (ip: string, ua: string) => Promise<boolean>;\n\n  /**\n   * Override the Web Bot Auth verifier injected into the core.\n   * When omitted, the core's bundled RFC 9421 verifier is used.\n   */\n  verifyWebBotAuth?: (req: Request) => Promise<boolean>;\n\n  /**\n   * @internal\n   * Inject a pre-built `Verivyx` core instance. Used in tests via\n   * `verivyx.mock({...})` to avoid any network access. Production code\n   * should never set this; omit it and the adapter constructs the real core.\n   *\n   * Pattern for Next.js / Hono adapters to reuse:\n   *   `const vx = opts?._core ?? verivyx(opts, { verifyCrawlerDns });`\n   */\n  _core?: Verivyx;\n\n  /**\n   * When set, attach RSL `Link` and AIPREF `Content-Usage` headers to both\n   * the denied (402) and allowed handler responses.\n   * Default undefined = OFF (no headers added; existing behavior unchanged).\n   */\n  advertise?: DiscoveryOptions;\n}\n\n// ---------------------------------------------------------------------------\n// Helpers\n// ---------------------------------------------------------------------------\n\n/**\n * Extract the first (client-most) hop from an `X-Forwarded-For` header.\n * The header may contain a comma-separated list; the leftmost is the client.\n */\nfunction firstHop(xff: string | string[] | undefined): string | undefined {\n  if (xff === undefined) {\n    return undefined;\n  }\n  const raw = Array.isArray(xff) ? xff[0] : xff;\n  if (!raw) {\n    return undefined;\n  }\n  const first = raw.split(\",\")[0];\n  return first !== undefined ? first.trim() || undefined : undefined;\n}\n\n/**\n * Extract the last non-empty path segment from a URL path string.\n * Used as a fallback slug when `req.params.slug` is not available.\n */\nfunction lastPathSegment(path: string): string {\n  const segments = path.split(\"/\").filter((s) => s.length > 0);\n  const last = segments[segments.length - 1];\n  return last !== undefined ? decodeURIComponent(last) : \"\";\n}\n\n/**\n * Build a `Headers` object from Node.js IncomingHttpHeaders, overriding\n * `x-real-ip` with the resolved (trusted) client IP so the core classifier\n * reads a reliable address.\n */\nfunction toWebHeaders(\n  nodeHeaders: IncomingHttpHeaders,\n  ip: string | undefined,\n): Headers {\n  const headers = new Headers();\n  for (const [key, value] of Object.entries(nodeHeaders)) {\n    if (value === undefined) {\n      continue;\n    }\n    if (Array.isArray(value)) {\n      for (const v of value) {\n        headers.append(key, v);\n      }\n    } else {\n      headers.set(key, value);\n    }\n  }\n  if (ip !== undefined) {\n    headers.set(\"x-real-ip\", ip);\n  }\n  return headers;\n}\n\n/**\n * Resolve the client IP from an Express request.\n *\n * Precedence:\n *   1. `opts.clientIp(req)` — caller-supplied extractor (highest precedence).\n *   2. `X-Forwarded-For` first hop (when trustProxy !== false).\n *   3. `X-Real-IP` header (when trustProxy !== false).\n *   4. `req.socket.remoteAddress` — raw TCP peer (lowest precedence).\n */\nfunction resolveIp(\n  req: ExpressRequest,\n  opts: ExpressAdapterOptions | undefined,\n): string | undefined {\n  if (opts?.clientIp) {\n    return opts.clientIp(req);\n  }\n  if (opts?.trustProxy !== false) {\n    const xff = req.headers[\"x-forwarded-for\"];\n    const hop = firstHop(xff);\n    if (hop) {\n      return hop;\n    }\n    const xri = req.headers[\"x-real-ip\"];\n    if (typeof xri === \"string\" && xri) {\n      return xri;\n    }\n  }\n  return (req.socket as Socket).remoteAddress;\n}\n\n/**\n * Collect the raw request body into a Uint8Array.\n * Returns undefined for requests with no body (GET / HEAD / OPTIONS).\n * Express may have already consumed the stream with a body parser — if\n * `req.body` is already populated as a Buffer we use that directly.\n */\nasync function readRawBody(\n  req: ExpressRequest,\n): Promise<Uint8Array | undefined> {\n  const method = req.method.toUpperCase();\n  if (method === \"GET\" || method === \"HEAD\" || method === \"OPTIONS\") {\n    return undefined;\n  }\n\n  // Express body-parser may have already consumed and parsed the stream.\n  // If `req.body` is a Buffer, use it directly.\n  const body: unknown = (req as { body?: unknown }).body;\n  if (Buffer.isBuffer(body)) {\n    return new Uint8Array(body);\n  }\n\n  // Otherwise collect the raw stream.\n  return new Promise<Uint8Array>((resolve, reject) => {\n    const chunks: Buffer[] = [];\n    req.on(\"data\", (chunk: Buffer) => chunks.push(chunk));\n    req.on(\"end\", () => resolve(new Uint8Array(Buffer.concat(chunks))));\n    req.on(\"error\", reject);\n  });\n}\n\n/**\n * Attach RSL + AIPREF discovery headers to an Express response.\n * Appends to any existing `Link` (preserves prior values); sets `Content-Usage`.\n * No-op when `advertise` is undefined.\n */\nfunction attachAdvertiseHeaders(\n  res: ExpressResponse,\n  advertise: DiscoveryOptions | undefined,\n): void {\n  if (advertise === undefined) {\n    return;\n  }\n  res.append(\"Link\", rslLinkHeader(advertise));\n  res.setHeader(\"Content-Usage\", contentUsageHeader(advertise));\n}\n\n/**\n * Convert a Web API `Response` to an Express response.\n * Copies status, all response headers, and the body.\n *\n * @internal Exported for unit-testing the Set-Cookie accumulation fix.\n * Production callers should use the `protect()` middleware instead.\n *\n * Set-Cookie is special: `Headers.forEach` emits each cookie as a separate\n * call with the same key, and `res.setHeader` REPLACES on repeated same-key\n * calls — so all but the last cookie would be silently dropped.\n * `res.append` accumulates values into an array, preserving every cookie.\n */\nexport async function sendWebResponse(\n  res: ExpressResponse,\n  webRes: Response,\n): Promise<void> {\n  res.status(webRes.status);\n  webRes.headers.forEach((value, key) => {\n    if (key.toLowerCase() === \"set-cookie\") {\n      res.append(key, value);\n    } else {\n      res.setHeader(key, value);\n    }\n  });\n  const buf = Buffer.from(await webRes.arrayBuffer());\n  res.send(buf);\n}\n\n// ---------------------------------------------------------------------------\n// Adapter factory\n// ---------------------------------------------------------------------------\n\n/**\n * Create a Verivyx Express adapter.\n *\n * Returns an object with a single `protect(handler)` method that wraps an\n * Express `RequestHandler` behind the Verivyx paywall gate.\n *\n * ```ts\n * const vx = verivyxExpress({ domain: \"example.com\", token: \"...\" });\n * app.get(\"/articles/:slug\", vx.protect(myHandler));\n * ```\n */\nexport function verivyxExpress(opts?: ExpressAdapterOptions): {\n  protect(\n    handler: RequestHandler,\n    o?: { seoPreview?: (c: { slug: string }) => { title: string; excerpt: string } },\n  ): RequestHandler;\n} {\n  // Resolve the core: use the injected `_core` (tests) or build the real one.\n  // Only pass `verifyWebBotAuth` to the core deps when the caller overrode it;\n  // the core bundled default is correct otherwise.\n  const vx: Verivyx =\n    opts?._core ??\n    verivyx(opts, {\n      verifyCrawlerDns:\n        opts?.verifyCrawlerDns ?? createSearchCrawlerVerifier(),\n      ...(opts?.verifyWebBotAuth !== undefined\n        ? { verifyWebBotAuth: opts.verifyWebBotAuth }\n        : {}),\n    });\n\n  return {\n    protect(\n      handler: RequestHandler,\n      o?: { seoPreview?: (c: { slug: string }) => { title: string; excerpt: string } },\n    ): RequestHandler {\n      // Return an async Express handler (req, res, next).\n      return async function verivyxGuard(\n        req: ExpressRequest,\n        res: ExpressResponse,\n        next: NextFunction,\n      ): Promise<void> {\n        try {\n          // 1. Resolve trusted client IP.\n          const ip = resolveIp(req, opts);\n\n          // 2. Build a Web Request from the Express request.\n          //    Absolute URL is required for the core's URL-based slug derivation.\n          const absoluteUrl = `${req.protocol}://${req.get(\"host\") ?? \"localhost\"}${req.originalUrl}`;\n          const webHeaders = toWebHeaders(req.headers, ip);\n\n          let rawBody: Uint8Array | undefined;\n          try {\n            rawBody = await readRawBody(req);\n          } catch {\n            // Body read failure — proceed with no body (safe: auth/classify do not need it).\n            rawBody = undefined;\n          }\n\n          const webReq = new Request(absoluteUrl, {\n            method: req.method,\n            headers: webHeaders,\n            body: rawBody !== undefined ? rawBody : undefined,\n            // duplex required for request bodies in some environments\n            ...(rawBody !== undefined ? { duplex: \"half\" } : {}),\n          } as RequestInit);\n\n          // 3. Ask the core to evaluate the request (decision overload).\n          const slug =\n            (req.params as Record<string, string | undefined>).slug ??\n            lastPathSegment(req.path);\n          const decision = await vx.protect(webReq, { slug });\n\n          // 4a. Denied — check if this is a crawler/human-unverified that we can\n          //     serve an SEO preview to instead of a bare 402.\n          if (!decision.allowed) {\n            const isPreviewCandidate =\n              decision.reason === \"crawler\" || decision.reason === \"human-unverified\";\n            if (isPreviewCandidate && o?.seoPreview !== undefined) {\n              attachAdvertiseHeaders(res, opts?.advertise);\n              await sendWebResponse(res, buildSeoPreviewResponse(slug, absoluteUrl, o.seoPreview));\n              return;\n            }\n            attachAdvertiseHeaders(res, opts?.advertise);\n            await sendWebResponse(res, decision.response());\n            return;\n          }\n\n          // 4b. Allowed — if a payment receipt was returned, attach it first.\n          if (decision.paymentResponse !== undefined) {\n            res.setHeader(\"PAYMENT-RESPONSE\", decision.paymentResponse);\n          }\n          attachAdvertiseHeaders(res, opts?.advertise);\n\n          // Delegate to the original Express handler.\n          handler(req, res, next);\n        } catch (err) {\n          // Propagate to Express error-handling middleware.\n          next(err);\n        }\n      };\n    },\n  };\n}\n"]}

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@verivyx/paywall-express",
+  "version": "0.1.0",
+  "description": "Express adapter for the Verivyx paywall SDK",
+  "type": "module",
+  "license": "MIT",
+  "author": "Verivyx",
+  "sideEffects": false,
+  "keywords": ["paywall", "x402", "ai", "bot", "stellar", "verivyx"],
+  "homepage": "https://docs.verivyx.com/docs/sdk",
+  "bugs": { "url": "https://github.com/VerivyX/verivyx-monorepo/issues" },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/VerivyX/verivyx-monorepo.git",
+    "directory": "services/publisher-sdk/packages/express"
+  },
+  "publishConfig": { "access": "public" },
+  "exports": {
+    ".": {
+      "import": { "types": "./dist/index.d.ts", "default": "./dist/index.js" },
+      "require": { "types": "./dist/index.d.cts", "default": "./dist/index.cjs" }
+    }
+  },
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.cts",
+  "files": ["dist", "README.md", "LICENSE"],
+  "engines": { "node": ">=18" },
+  "scripts": {
+    "build": "tsup",
+    "prepublishOnly": "npm run build",
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit",
+    "typecheck:test": "tsc -p tsconfig.test.json"
+  },
+  "dependencies": {
+    "@verivyx/paywall": "^0.1.0"
+  },
+  "peerDependencies": {
+    "express": ">=4.18 <6 || ^5"
+  },
+  "devDependencies": {
+    "express": "^5.0.0",
+    "supertest": "^7.0.0",
+    "@types/express": "^5.0.0",
+    "@types/supertest": "^6.0.0",
+    "@types/node": "^20.0.0",
+    "tsup": "^8.0.0",
+    "typescript": "^5.5.0",
+    "vitest": "^2.0.0"
+  }
+}