@x402sentinel/x402 0.1.0

package/dist/index.cjs

@@ -0,0 +1,1091 @@
+'use strict';
+
+var chunk7H4FRU7K_cjs = require('./chunk-7H4FRU7K.cjs');
+var crypto = require('crypto');
+var fs = require('fs');
+var path = require('path');
+
+// src/budget/spike-detector.ts
+var SpikeDetector = class {
+  windowSize;
+  threshold;
+  window = [];
+  constructor(threshold = 3, windowSize = 20) {
+    this.threshold = threshold;
+    this.windowSize = windowSize;
+  }
+  /** Record a payment amount into the rolling window */
+  record(amount) {
+    this.window.push(amount);
+    if (this.window.length > this.windowSize) {
+      this.window.shift();
+    }
+  }
+  /**
+   * Check if a proposed amount is a spike relative to the rolling average.
+   * Returns null if no spike, or a description string if spike detected.
+   * Needs at least 3 data points before spike detection activates.
+   */
+  check(amount) {
+    if (this.window.length < 3) return null;
+    const avg = chunk7H4FRU7K_cjs.calculateAverage(this.window);
+    const avgRaw = chunk7H4FRU7K_cjs.parseUSDC(avg);
+    if (avgRaw === 0n) return null;
+    const amountRaw = chunk7H4FRU7K_cjs.parseUSDC(amount);
+    const ratio = Number(amountRaw) / Number(avgRaw);
+    if (ratio > this.threshold) {
+      return `Payment $${amount} is ${ratio.toFixed(1)}x the rolling average $${chunk7H4FRU7K_cjs.formatUSDC(avgRaw)} (threshold: ${this.threshold}x)`;
+    }
+    return null;
+  }
+  /** Get the current rolling average */
+  getAverage() {
+    return chunk7H4FRU7K_cjs.calculateAverage(this.window);
+  }
+  /** Get the current window contents */
+  getWindow() {
+    return [...this.window];
+  }
+  /** Restore state from serialized data */
+  loadWindow(amounts) {
+    this.window.length = 0;
+    for (const a of amounts.slice(-this.windowSize)) {
+      this.window.push(a);
+    }
+  }
+};
+
+// src/budget/policies.ts
+function conservativePolicy() {
+  return {
+    maxPerCall: "0.10",
+    maxPerHour: "5.00",
+    maxPerDay: "50.00",
+    spikeThreshold: 3
+  };
+}
+function standardPolicy() {
+  return {
+    maxPerCall: "1.00",
+    maxPerHour: "25.00",
+    maxPerDay: "200.00",
+    spikeThreshold: 3
+  };
+}
+function liberalPolicy() {
+  return {
+    maxPerCall: "10.00",
+    maxPerHour: "100.00",
+    maxPerDay: "1000.00",
+    spikeThreshold: 5
+  };
+}
+function unlimitedPolicy() {
+  return {};
+}
+function customPolicy(overrides) {
+  return { ...standardPolicy(), ...overrides };
+}
+
+// src/budget/index.ts
+var BudgetManager = class _BudgetManager {
+  state;
+  policy;
+  spikeDetector;
+  constructor(policy) {
+    this.policy = policy;
+    this.spikeDetector = new SpikeDetector(
+      policy.spikeThreshold ?? 3
+    );
+    const now = Date.now();
+    this.state = {
+      totalSpent: "0.000000",
+      hourlySpent: "0.000000",
+      dailySpent: "0.000000",
+      callCount: 0,
+      lastReset: { hourly: chunk7H4FRU7K_cjs.getHourStart(now), daily: chunk7H4FRU7K_cjs.getDayStart(now) },
+      rollingAverage: "0.000000",
+      rollingWindow: []
+    };
+  }
+  /**
+   * Evaluate a proposed payment against the budget policy.
+   * Called BEFORE every payment. Returns allow/deny with reason.
+   */
+  evaluate(context) {
+    this.maybeResetWindows();
+    const warnings = [];
+    if (this.policy.blockedEndpoints?.length) {
+      for (const pattern of this.policy.blockedEndpoints) {
+        if (endpointMatches(context.endpoint, pattern)) {
+          return {
+            allowed: false,
+            violation: this.violation("blocked_endpoint", "0.000000", "0.000000", context)
+          };
+        }
+      }
+    }
+    if (this.policy.allowedEndpoints?.length) {
+      const matched = this.policy.allowedEndpoints.some(
+        (p) => endpointMatches(context.endpoint, p)
+      );
+      if (!matched) {
+        return {
+          allowed: false,
+          violation: this.violation("blocked_endpoint", "0.000000", "0.000000", context)
+        };
+      }
+    }
+    if (this.policy.maxPerCall) {
+      if (chunk7H4FRU7K_cjs.compareUSDC(context.amount, this.policy.maxPerCall) > 0) {
+        return {
+          allowed: false,
+          violation: this.violation("per_call", this.policy.maxPerCall, "0.000000", context)
+        };
+      }
+    }
+    const spikeMsg = this.spikeDetector.check(context.amount);
+    if (spikeMsg) {
+      if (this.policy.spikeThreshold !== void 0) {
+        return {
+          allowed: false,
+          violation: this.violation(
+            "spike",
+            this.spikeDetector.getAverage(),
+            this.state.hourlySpent,
+            context
+          )
+        };
+      }
+      warnings.push(spikeMsg);
+    }
+    if (this.policy.maxPerHour) {
+      const projectedHourly = chunk7H4FRU7K_cjs.addUSDC(this.state.hourlySpent, context.amount);
+      if (chunk7H4FRU7K_cjs.compareUSDC(projectedHourly, this.policy.maxPerHour) > 0) {
+        return {
+          allowed: false,
+          violation: this.violation("hourly", this.policy.maxPerHour, this.state.hourlySpent, context)
+        };
+      }
+    }
+    if (this.policy.maxPerDay) {
+      const projectedDaily = chunk7H4FRU7K_cjs.addUSDC(this.state.dailySpent, context.amount);
+      if (chunk7H4FRU7K_cjs.compareUSDC(projectedDaily, this.policy.maxPerDay) > 0) {
+        return {
+          allowed: false,
+          violation: this.violation("daily", this.policy.maxPerDay, this.state.dailySpent, context)
+        };
+      }
+    }
+    if (this.policy.maxTotal) {
+      const projectedTotal = chunk7H4FRU7K_cjs.addUSDC(this.state.totalSpent, context.amount);
+      if (chunk7H4FRU7K_cjs.compareUSDC(projectedTotal, this.policy.maxTotal) > 0) {
+        return {
+          allowed: false,
+          violation: this.violation("total", this.policy.maxTotal, this.state.totalSpent, context)
+        };
+      }
+    }
+    if (this.policy.requireApproval) {
+      if (chunk7H4FRU7K_cjs.compareUSDC(context.amount, this.policy.requireApproval.above) > 0) {
+        return {
+          allowed: false,
+          violation: this.violation(
+            "approval_required",
+            this.policy.requireApproval.above,
+            this.state.totalSpent,
+            context
+          )
+        };
+      }
+    }
+    return { allowed: true, warnings };
+  }
+  /** Record a completed payment. Called AFTER payment succeeds. */
+  record(amount, _endpoint) {
+    this.maybeResetWindows();
+    this.state.totalSpent = chunk7H4FRU7K_cjs.addUSDC(this.state.totalSpent, amount);
+    this.state.hourlySpent = chunk7H4FRU7K_cjs.addUSDC(this.state.hourlySpent, amount);
+    this.state.dailySpent = chunk7H4FRU7K_cjs.addUSDC(this.state.dailySpent, amount);
+    this.state.callCount++;
+    this.spikeDetector.record(amount);
+    this.state.rollingAverage = this.spikeDetector.getAverage();
+    this.state.rollingWindow = this.spikeDetector.getWindow();
+  }
+  /** Get current budget state (for dashboard/debugging) */
+  getState() {
+    this.maybeResetWindows();
+    return { ...this.state, rollingWindow: [...this.state.rollingWindow] };
+  }
+  /** Reset spending counters for a given scope */
+  reset(scope) {
+    const now = Date.now();
+    switch (scope) {
+      case "hourly":
+        this.state.hourlySpent = "0.000000";
+        this.state.lastReset.hourly = chunk7H4FRU7K_cjs.getHourStart(now);
+        break;
+      case "daily":
+        this.state.dailySpent = "0.000000";
+        this.state.lastReset.daily = chunk7H4FRU7K_cjs.getDayStart(now);
+        break;
+      case "total":
+        this.state.totalSpent = "0.000000";
+        this.state.hourlySpent = "0.000000";
+        this.state.dailySpent = "0.000000";
+        this.state.callCount = 0;
+        break;
+    }
+  }
+  /** Serialize state for persistence */
+  serialize() {
+    return JSON.stringify(this.state);
+  }
+  /** Restore a BudgetManager from serialized state */
+  static deserialize(data, policy) {
+    const mgr = new _BudgetManager(policy);
+    const parsed = JSON.parse(data);
+    mgr.state = parsed;
+    mgr.spikeDetector.loadWindow(parsed.rollingWindow);
+    return mgr;
+  }
+  /** Auto-reset hourly/daily windows when the time window has rolled over */
+  maybeResetWindows() {
+    const now = Date.now();
+    const hourStart = chunk7H4FRU7K_cjs.getHourStart(now);
+    const dayStart = chunk7H4FRU7K_cjs.getDayStart(now);
+    if (hourStart > this.state.lastReset.hourly) {
+      this.state.hourlySpent = "0.000000";
+      this.state.lastReset.hourly = hourStart;
+    }
+    if (dayStart > this.state.lastReset.daily) {
+      this.state.dailySpent = "0.000000";
+      this.state.lastReset.daily = dayStart;
+    }
+  }
+  violation(type, limit, current, context) {
+    return {
+      type,
+      limit,
+      current,
+      attempted: context.amount,
+      agentId: context.agentId,
+      endpoint: context.endpoint,
+      timestamp: Date.now()
+    };
+  }
+};
+function endpointMatches(url, pattern) {
+  const regex = new RegExp(
+    "^" + pattern.replace(/\*/g, ".*").replace(/\?/g, ".") + "$"
+  );
+  return regex.test(url);
+}
+
+// src/audit/storage/memory.ts
+var MemoryStorage = class {
+  records = /* @__PURE__ */ new Map();
+  insertOrder = [];
+  maxRecords;
+  constructor(maxRecords = 1e4) {
+    this.maxRecords = maxRecords;
+  }
+  async write(record) {
+    if (this.records.size >= this.maxRecords) {
+      const oldest = this.insertOrder.shift();
+      if (oldest) this.records.delete(oldest);
+    }
+    this.records.set(record.id, record);
+    this.insertOrder.push(record.id);
+  }
+  async query(query) {
+    let results = this.filter(query);
+    results = this.sort(results, query.orderBy, query.order);
+    const offset = query.offset ?? 0;
+    const limit = query.limit ?? results.length;
+    return results.slice(offset, offset + limit);
+  }
+  async summarize(query) {
+    const records = this.filter(query);
+    return buildSummary(records, query);
+  }
+  async count(query) {
+    return this.filter(query).length;
+  }
+  async getById(id) {
+    return this.records.get(id) ?? null;
+  }
+  filter(query) {
+    return [...this.records.values()].filter((r) => matchesQuery(r, query));
+  }
+  sort(records, orderBy, order) {
+    if (!orderBy) return records;
+    const dir = order === "desc" ? -1 : 1;
+    return records.sort((a, b) => {
+      switch (orderBy) {
+        case "created_at":
+          return (a.created_at - b.created_at) * dir;
+        case "amount":
+          return chunk7H4FRU7K_cjs.compareUSDC(a.amount, b.amount) * dir;
+        case "endpoint":
+          return a.endpoint.localeCompare(b.endpoint) * dir;
+        default:
+          return 0;
+      }
+    });
+  }
+};
+function matchesQuery(record, query) {
+  if (query.agentId && record.agent_id !== query.agentId) return false;
+  if (query.team && record.team !== query.team) return false;
+  if (query.endpoint && !record.endpoint.includes(query.endpoint)) return false;
+  if (query.minAmount && chunk7H4FRU7K_cjs.compareUSDC(record.amount, query.minAmount) < 0) return false;
+  if (query.maxAmount && chunk7H4FRU7K_cjs.compareUSDC(record.amount, query.maxAmount) > 0) return false;
+  if (query.startTime && record.created_at < query.startTime) return false;
+  if (query.endTime && record.created_at > query.endTime) return false;
+  if (query.status?.length && !query.status.includes(record.policy_evaluation)) return false;
+  if (query.tags?.length && !query.tags.some((t) => record.tags.includes(t))) return false;
+  return true;
+}
+function buildSummary(records, query) {
+  let totalRaw = 0n;
+  let maxRaw = 0n;
+  const agents = /* @__PURE__ */ new Set();
+  const endpoints = /* @__PURE__ */ new Set();
+  const byAgent = {};
+  const byEndpoint = {};
+  const byTeam = {};
+  let violations = 0;
+  let minTs = Infinity;
+  let maxTs = 0;
+  for (const r of records) {
+    const raw = chunk7H4FRU7K_cjs.parseUSDC(r.amount);
+    totalRaw += raw;
+    if (raw > maxRaw) maxRaw = raw;
+    agents.add(r.agent_id);
+    endpoints.add(r.endpoint);
+    if (r.created_at < minTs) minTs = r.created_at;
+    if (r.created_at > maxTs) maxTs = r.created_at;
+    if (r.policy_evaluation === "blocked") violations++;
+    const agentEntry = byAgent[r.agent_id] ?? { spend: "0.000000", count: 0 };
+    agentEntry.spend = chunk7H4FRU7K_cjs.formatUSDC(chunk7H4FRU7K_cjs.parseUSDC(agentEntry.spend) + raw);
+    agentEntry.count++;
+    byAgent[r.agent_id] = agentEntry;
+    const epEntry = byEndpoint[r.endpoint] ?? { spend: "0.000000", count: 0 };
+    epEntry.spend = chunk7H4FRU7K_cjs.formatUSDC(chunk7H4FRU7K_cjs.parseUSDC(epEntry.spend) + raw);
+    epEntry.count++;
+    byEndpoint[r.endpoint] = epEntry;
+    const teamKey = r.team ?? "(none)";
+    const teamEntry = byTeam[teamKey] ?? { spend: "0.000000", count: 0 };
+    teamEntry.spend = chunk7H4FRU7K_cjs.formatUSDC(chunk7H4FRU7K_cjs.parseUSDC(teamEntry.spend) + raw);
+    teamEntry.count++;
+    byTeam[teamKey] = teamEntry;
+  }
+  const count = records.length;
+  return {
+    total_spend: chunk7H4FRU7K_cjs.formatUSDCHuman(totalRaw),
+    total_transactions: count,
+    unique_endpoints: endpoints.size,
+    unique_agents: agents.size,
+    avg_payment: count > 0 ? chunk7H4FRU7K_cjs.formatUSDCHuman(totalRaw / BigInt(count)) : "0.00",
+    max_payment: chunk7H4FRU7K_cjs.formatUSDCHuman(maxRaw),
+    by_agent: byAgent,
+    by_endpoint: byEndpoint,
+    by_team: byTeam,
+    violations,
+    period: {
+      start: query.startTime ?? (minTs === Infinity ? 0 : minTs),
+      end: query.endTime ?? (maxTs === 0 ? 0 : maxTs)
+    }
+  };
+}
+function generateRecordId(agentId, endpoint, timestamp, amount) {
+  const input = `${agentId}|${endpoint}|${timestamp}|${amount}`;
+  const hash = crypto.createHash("sha256").update(input).digest("hex");
+  return hash.slice(0, 16);
+}
+
+// src/audit/enrichment.ts
+function enrichRecord(input) {
+  const { context, config, statusCode, responseTimeMs, settlement, policyEvaluation, budgetRemaining } = input;
+  const now = Date.now();
+  const id = generateRecordId(context.agentId, context.endpoint, now, context.amount);
+  const tags = computeTags(context, config.audit?.enrichment);
+  return {
+    id,
+    agent_id: context.agentId,
+    team: context.team,
+    human_sponsor: config.humanSponsor ?? null,
+    amount: context.amount,
+    amount_raw: context.amountRaw,
+    asset: context.asset,
+    network: context.network,
+    scheme: context.scheme,
+    tx_hash: settlement?.transaction ?? null,
+    payer_address: settlement?.payer ?? "",
+    payee_address: context.payTo,
+    facilitator: null,
+    endpoint: context.endpoint,
+    method: context.method,
+    status_code: statusCode,
+    response_time_ms: responseTimeMs,
+    policy_id: null,
+    policy_evaluation: policyEvaluation,
+    budget_remaining: budgetRemaining,
+    task_id: context.metadata["task_id"] ?? null,
+    session_id: context.metadata["session_id"] ?? null,
+    metadata: { ...context.metadata, ...config.metadata },
+    created_at: now,
+    settled_at: settlement?.success ? now : null,
+    tags
+  };
+}
+function enrichBlockedRecord(context, config, policyEvaluation) {
+  return enrichRecord({
+    context,
+    config,
+    statusCode: 0,
+    responseTimeMs: 0,
+    settlement: null,
+    policyEvaluation,
+    budgetRemaining: null
+  });
+}
+function computeTags(context, enrichment) {
+  const tags = [];
+  if (enrichment?.staticTags) {
+    tags.push(...enrichment.staticTags);
+  }
+  if (enrichment?.tagRules) {
+    for (const rule of enrichment.tagRules) {
+      const regex = new RegExp(rule.pattern);
+      if (regex.test(context.endpoint)) {
+        tags.push(...rule.tags);
+      }
+    }
+  }
+  return tags;
+}
+
+// src/audit/export.ts
+var CSV_HEADERS = [
+  "id",
+  "agent_id",
+  "team",
+  "human_sponsor",
+  "amount",
+  "amount_raw",
+  "asset",
+  "network",
+  "scheme",
+  "tx_hash",
+  "payer_address",
+  "payee_address",
+  "facilitator",
+  "endpoint",
+  "method",
+  "status_code",
+  "response_time_ms",
+  "policy_id",
+  "policy_evaluation",
+  "budget_remaining",
+  "task_id",
+  "session_id",
+  "created_at",
+  "settled_at"
+];
+function toCSV(records) {
+  const lines = [CSV_HEADERS.join(",")];
+  for (const record of records) {
+    const values = CSV_HEADERS.map((key) => {
+      const val = record[key];
+      if (val === null || val === void 0) return "";
+      const str = String(val);
+      if (str.includes(",") || str.includes('"') || str.includes("\n")) {
+        return `"${str.replace(/"/g, '""')}"`;
+      }
+      return str;
+    });
+    lines.push(values.join(","));
+  }
+  return lines.join("\n") + "\n";
+}
+function toJSON(records, pretty = false) {
+  return JSON.stringify(records, null, pretty ? 2 : void 0);
+}
+
+// src/audit/index.ts
+var AuditLogger = class {
+  storage;
+  enabled;
+  redactFields;
+  constructor(config) {
+    this.enabled = config?.enabled !== false;
+    this.storage = config?.storage ?? new MemoryStorage();
+    this.redactFields = config?.redactFields ?? [];
+  }
+  /** Log a completed payment record */
+  async log(record) {
+    const now = Date.now();
+    const full = {
+      ...record,
+      id: generateRecordId(record.agent_id, record.endpoint, now, record.amount),
+      created_at: now
+    };
+    const redacted = this.redact(full);
+    if (this.enabled) {
+      try {
+        await this.storage.write(redacted);
+      } catch (err) {
+        console.warn("[sentinel] Audit write failed (non-fatal):", err);
+      }
+    }
+    return redacted;
+  }
+  /** Log a blocked payment attempt */
+  async logBlocked(context, violation, config) {
+    const record = enrichBlockedRecord(context, {
+      agentId: context.agentId,
+      ...config
+    }, "blocked");
+    record.metadata["violation_type"] = violation.type;
+    record.metadata["violation_limit"] = violation.limit;
+    if (this.enabled) {
+      try {
+        await this.storage.write(this.redact(record));
+      } catch (err) {
+        console.warn("[sentinel] Audit write failed (non-fatal):", err);
+      }
+    }
+    return record;
+  }
+  /** Query audit records */
+  async query(query) {
+    return this.storage.query(query);
+  }
+  /** Get summary statistics */
+  async summarize(query) {
+    return this.storage.summarize(query ?? {});
+  }
+  /** Export records as CSV */
+  async exportCSV(query) {
+    const records = await this.storage.query(query ?? {});
+    return toCSV(records);
+  }
+  /** Export records as JSON */
+  async exportJSON(query) {
+    const records = await this.storage.query(query ?? {});
+    return toJSON(records, true);
+  }
+  /** Flush pending writes to storage */
+  async flush() {
+    if ("flush" in this.storage && typeof this.storage.flush === "function") {
+      await this.storage.flush();
+    }
+  }
+  /** Get the underlying storage backend (for dashboard integration) */
+  getStorage() {
+    return this.storage;
+  }
+  redact(record) {
+    if (this.redactFields.length === 0) return record;
+    const copy = { ...record, metadata: { ...record.metadata } };
+    for (const field of this.redactFields) {
+      if (field in copy.metadata) {
+        copy.metadata[field] = "[REDACTED]";
+      }
+    }
+    return copy;
+  }
+};
+
+// src/errors.ts
+var SentinelError = class extends Error {
+  code;
+  constructor(message, code) {
+    super(message);
+    this.name = "SentinelError";
+    this.code = code;
+  }
+};
+var SentinelBudgetError = class extends SentinelError {
+  violation;
+  constructor(violation) {
+    super(buildBudgetMessage(violation), "BUDGET_EXCEEDED");
+    this.name = "SentinelBudgetError";
+    this.violation = violation;
+  }
+};
+var SentinelAuditError = class extends SentinelError {
+  record;
+  constructor(message, record) {
+    super(message, "AUDIT_ERROR");
+    this.name = "SentinelAuditError";
+    this.record = record;
+  }
+};
+var SentinelConfigError = class extends SentinelError {
+  constructor(message) {
+    super(message, "CONFIG_ERROR");
+    this.name = "SentinelConfigError";
+  }
+};
+function buildBudgetMessage(v) {
+  const attempted = `$${v.attempted}`;
+  switch (v.type) {
+    case "per_call":
+      return `Budget exceeded: ${attempted} exceeds per-call limit of $${v.limit} on ${v.agentId}`;
+    case "hourly":
+      return `Budget exceeded: $${v.current} spent of $${v.limit} hourly limit on ${v.agentId} (attempted ${attempted})`;
+    case "daily":
+      return `Budget exceeded: $${v.current} spent of $${v.limit} daily limit on ${v.agentId} (attempted ${attempted})`;
+    case "total":
+      return `Budget exceeded: $${v.current} spent of $${v.limit} total limit on ${v.agentId} (attempted ${attempted})`;
+    case "spike":
+      return `Price spike detected: ${attempted} vs rolling average $${v.limit} on ${v.agentId}`;
+    case "blocked_endpoint":
+      return `Blocked endpoint: ${v.endpoint} is not allowed for ${v.agentId}`;
+    case "approval_required":
+      return `Approval required: ${attempted} exceeds approval threshold $${v.limit} on ${v.agentId}`;
+  }
+}
+function validateConfig(config) {
+  if (!config.agentId || config.agentId.trim() === "") {
+    throw new SentinelConfigError("agentId is required and must be non-empty");
+  }
+  const budget = config.budget;
+  if (!budget) return;
+  const amountFields = ["maxPerCall", "maxPerHour", "maxPerDay", "maxTotal"];
+  for (const field of amountFields) {
+    const value = budget[field];
+    if (value !== void 0) {
+      try {
+        chunk7H4FRU7K_cjs.parseUSDC(value);
+      } catch {
+        throw new SentinelConfigError(
+          `budget.${field} "${value}" is not a valid USDC amount`
+        );
+      }
+    }
+  }
+  if (budget.spikeThreshold !== void 0 && budget.spikeThreshold <= 1) {
+    throw new SentinelConfigError(
+      `budget.spikeThreshold must be > 1.0, got ${budget.spikeThreshold}`
+    );
+  }
+  if (budget.allowedEndpoints?.length && budget.blockedEndpoints?.length) {
+    throw new SentinelConfigError(
+      "Cannot set both allowedEndpoints and blockedEndpoints \u2014 use one or the other"
+    );
+  }
+}
+
+// src/wrapper/headers.ts
+function parsePaymentRequired(header) {
+  const json = Buffer.from(header, "base64").toString("utf-8");
+  return JSON.parse(json);
+}
+function parsePaymentResponse(header) {
+  if (!header) return null;
+  try {
+    const json = Buffer.from(header, "base64").toString("utf-8");
+    return JSON.parse(json);
+  } catch {
+    return null;
+  }
+}
+function extractFromPaymentRequired(paymentRequired) {
+  const first = paymentRequired.accepts[0];
+  if (!first) return null;
+  return {
+    amount: first.amount,
+    asset: first.asset,
+    network: first.network,
+    scheme: first.scheme,
+    payTo: first.payTo
+  };
+}
+
+// src/wrapper/interceptor.ts
+function beforeRequest(url, init, deps) {
+  const method = init?.method ?? "GET";
+  const context = {
+    endpoint: url,
+    method: method.toUpperCase(),
+    agentId: deps.config.agentId,
+    team: deps.config.team ?? null,
+    amount: "0.000000",
+    amountRaw: "0",
+    asset: "",
+    network: "",
+    scheme: "",
+    payTo: "",
+    timestamp: Date.now(),
+    metadata: { ...deps.config.metadata ?? {} }
+  };
+  if (deps.budgetManager) {
+    const eval_ = deps.budgetManager.evaluate(context);
+    if (!eval_.allowed && eval_.violation.type === "blocked_endpoint") {
+      return { proceed: false, context, evaluation: eval_ };
+    }
+  }
+  return { proceed: true, context };
+}
+async function afterResponse(response, context, startTime, deps) {
+  const responseTimeMs = Date.now() - startTime;
+  const paymentResponseHeader = response.headers.get("payment-response");
+  if (paymentResponseHeader) {
+    const settlement = parsePaymentResponse(paymentResponseHeader);
+    if (settlement) {
+      context.network = settlement.network ?? context.network;
+      const policyEvaluation = determinePolicyEvaluation(context, deps);
+      let budgetRemaining = null;
+      if (deps.budgetManager && context.amount !== "0.000000") {
+        deps.budgetManager.record(context.amount, context.endpoint);
+        const state = deps.budgetManager.getState();
+        if (deps.config.budget?.maxTotal) {
+          budgetRemaining = chunk7H4FRU7K_cjs.formatUSDCHuman(
+            chunk7H4FRU7K_cjs.parseUSDC(deps.config.budget.maxTotal) - chunk7H4FRU7K_cjs.parseUSDC(state.totalSpent)
+          );
+        }
+      }
+      const record = enrichRecord({
+        context,
+        config: deps.config,
+        statusCode: response.status,
+        responseTimeMs,
+        settlement,
+        policyEvaluation: policyEvaluation ? "allowed" : "flagged",
+        budgetRemaining
+      });
+      try {
+        await deps.auditLogger.log(record);
+      } catch (err) {
+        console.warn("[sentinel] Audit log failed (non-fatal):", err);
+      }
+      if (deps.config.hooks?.afterPayment) {
+        try {
+          await deps.config.hooks.afterPayment(record);
+        } catch {
+        }
+      }
+      return record;
+    }
+  }
+  if (response.status === 402) {
+    const paymentRequiredHeader = response.headers.get("payment-required");
+    if (paymentRequiredHeader) {
+      try {
+        const paymentRequired = parsePaymentRequired(paymentRequiredHeader);
+        const extracted = extractFromPaymentRequired(paymentRequired);
+        if (extracted) {
+          context.amount = extracted.amount;
+          context.asset = extracted.asset;
+          context.network = extracted.network;
+          context.scheme = extracted.scheme;
+          context.payTo = extracted.payTo;
+        }
+      } catch {
+      }
+    }
+    const record = enrichRecord({
+      context,
+      config: deps.config,
+      statusCode: 402,
+      responseTimeMs,
+      settlement: null,
+      policyEvaluation: "flagged",
+      budgetRemaining: null
+    });
+    try {
+      await deps.auditLogger.log(record);
+    } catch (err) {
+      console.warn("[sentinel] Audit log failed (non-fatal):", err);
+    }
+    return record;
+  }
+  return null;
+}
+function determinePolicyEvaluation(context, deps) {
+  if (!deps.budgetManager || context.amount === "0.000000") return true;
+  const eval_ = deps.budgetManager.evaluate(context);
+  return eval_.allowed;
+}
+
+// src/wrapper/index.ts
+function wrapWithSentinel(fetchWithPayment, config) {
+  validateConfig(config);
+  const budgetManager = config.budget ? new BudgetManager(config.budget) : null;
+  const auditLogger = new AuditLogger(config.audit ?? { enabled: true, storage: new MemoryStorage() });
+  const deps = { budgetManager, auditLogger, config };
+  const sentinelFetch = async (input, init) => {
+    const url = typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
+    const startTime = Date.now();
+    const pre = beforeRequest(url, init, deps);
+    if (!pre.proceed && pre.evaluation && !pre.evaluation.allowed) {
+      const violation = pre.evaluation.violation;
+      try {
+        await auditLogger.logBlocked(pre.context, violation, {
+          humanSponsor: config.humanSponsor,
+          metadata: config.metadata
+        });
+      } catch {
+      }
+      if (config.hooks?.onBudgetExceeded) {
+        try {
+          await config.hooks.onBudgetExceeded(violation);
+        } catch {
+        }
+      }
+      throw new SentinelBudgetError(violation);
+    }
+    let response;
+    try {
+      response = await fetchWithPayment(input, init);
+    } catch (err) {
+      try {
+        const record = {
+          agent_id: pre.context.agentId,
+          team: pre.context.team,
+          human_sponsor: config.humanSponsor ?? null,
+          amount: "0.000000",
+          amount_raw: "0",
+          asset: "",
+          network: "",
+          scheme: "",
+          tx_hash: null,
+          payer_address: "",
+          payee_address: "",
+          facilitator: null,
+          endpoint: url,
+          method: pre.context.method,
+          status_code: 0,
+          response_time_ms: Date.now() - startTime,
+          policy_id: null,
+          policy_evaluation: "flagged",
+          budget_remaining: null,
+          task_id: null,
+          session_id: null,
+          metadata: { error: err instanceof Error ? err.message : String(err) },
+          settled_at: null,
+          tags: ["error", "network_failure"]
+        };
+        await auditLogger.log(record);
+      } catch {
+      }
+      throw err;
+    }
+    await afterResponse(response, pre.context, startTime, deps);
+    return response;
+  };
+  return sentinelFetch;
+}
+var FileStorage = class {
+  filePath;
+  buffer = [];
+  flushThreshold;
+  flushTimer = null;
+  constructor(filePath = ".valeo/audit.jsonl", flushThreshold = 100) {
+    this.filePath = filePath;
+    this.flushThreshold = flushThreshold;
+    this.ensureDir();
+    this.startAutoFlush();
+  }
+  async write(record) {
+    this.buffer.push(record);
+    if (this.buffer.length >= this.flushThreshold) {
+      await this.flush();
+    }
+  }
+  async query(query) {
+    await this.flush();
+    const all = this.readAll();
+    let results = all.filter((r) => matchesQuery(r, query));
+    const offset = query.offset ?? 0;
+    const limit = query.limit ?? results.length;
+    return results.slice(offset, offset + limit);
+  }
+  async summarize(query) {
+    await this.flush();
+    const records = this.readAll().filter((r) => matchesQuery(r, query));
+    return buildSummary(records, query);
+  }
+  async count(query) {
+    await this.flush();
+    return this.readAll().filter((r) => matchesQuery(r, query)).length;
+  }
+  async getById(id) {
+    await this.flush();
+    return this.readAll().find((r) => r.id === id) ?? null;
+  }
+  /** Write buffered records to disk */
+  async flush() {
+    if (this.buffer.length === 0) return;
+    const lines = this.buffer.map((r) => JSON.stringify(r)).join("\n") + "\n";
+    fs.appendFileSync(this.filePath, lines, "utf-8");
+    this.buffer = [];
+  }
+  /** Stop the auto-flush timer (for clean shutdown) */
+  destroy() {
+    if (this.flushTimer) {
+      clearInterval(this.flushTimer);
+      this.flushTimer = null;
+    }
+  }
+  readAll() {
+    if (!fs.existsSync(this.filePath)) return [];
+    const content = fs.readFileSync(this.filePath, "utf-8");
+    return content.split("\n").filter((line) => line.trim().length > 0).map((line) => JSON.parse(line));
+  }
+  ensureDir() {
+    const dir = path.dirname(this.filePath);
+    if (!fs.existsSync(dir)) {
+      fs.mkdirSync(dir, { recursive: true });
+    }
+  }
+  startAutoFlush() {
+    this.flushTimer = setInterval(() => {
+      void this.flush();
+    }, 5e3);
+    this.flushTimer.unref();
+  }
+};
+
+// src/audit/storage/api.ts
+var ApiStorage = class {
+  apiKey;
+  baseUrl;
+  batchSize;
+  buffer = [];
+  fallback;
+  flushTimer = null;
+  useFallback = false;
+  constructor(config) {
+    this.apiKey = config.apiKey;
+    this.baseUrl = config.baseUrl ?? "https://api.valeo.money/v1";
+    this.batchSize = config.batchSize ?? 50;
+    this.fallback = new MemoryStorage();
+    this.startAutoFlush(config.flushIntervalMs ?? 1e4);
+  }
+  async write(record) {
+    this.buffer.push(record);
+    await this.fallback.write(record);
+    if (this.buffer.length >= this.batchSize) {
+      await this.flush();
+    }
+  }
+  async query(query) {
+    if (this.useFallback) return this.fallback.query(query);
+    try {
+      return await this.apiRequest("POST", "/audit/query", query);
+    } catch {
+      this.useFallback = true;
+      return this.fallback.query(query);
+    }
+  }
+  async summarize(query) {
+    if (this.useFallback) return this.fallback.summarize(query);
+    try {
+      return await this.apiRequest("POST", "/audit/summarize", query);
+    } catch {
+      this.useFallback = true;
+      return this.fallback.summarize(query);
+    }
+  }
+  async count(query) {
+    if (this.useFallback) return this.fallback.count(query);
+    try {
+      const result = await this.apiRequest("POST", "/audit/count", query);
+      return result.count;
+    } catch {
+      this.useFallback = true;
+      return this.fallback.count(query);
+    }
+  }
+  async getById(id) {
+    if (this.useFallback) return this.fallback.getById(id);
+    try {
+      return await this.apiRequest("GET", `/audit/${id}`);
+    } catch {
+      this.useFallback = true;
+      return this.fallback.getById(id);
+    }
+  }
+  /** Flush buffered records to the remote API */
+  async flush() {
+    if (this.buffer.length === 0) return;
+    const batch = this.buffer.splice(0, this.batchSize);
+    try {
+      await this.apiRequest("POST", "/audit/batch", { records: batch });
+    } catch {
+      this.useFallback = true;
+      console.warn(
+        `[sentinel] API unreachable, falling back to in-memory storage. ${batch.length} records buffered locally.`
+      );
+    }
+  }
+  /** Stop the auto-flush timer */
+  destroy() {
+    if (this.flushTimer) {
+      clearInterval(this.flushTimer);
+      this.flushTimer = null;
+    }
+  }
+  async apiRequest(method, path, body) {
+    const url = `${this.baseUrl}${path}`;
+    const init = {
+      method,
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${this.apiKey}`
+      }
+    };
+    if (body) {
+      init.body = JSON.stringify(body);
+    }
+    let lastError;
+    for (let attempt = 0; attempt < 3; attempt++) {
+      try {
+        const response = await fetch(url, init);
+        if (!response.ok) {
+          throw new Error(`API returned ${response.status}: ${response.statusText}`);
+        }
+        return await response.json();
+      } catch (err) {
+        lastError = err instanceof Error ? err : new Error(String(err));
+        if (attempt < 2) {
+          await sleep(Math.pow(2, attempt) * 1e3);
+        }
+      }
+    }
+    throw lastError;
+  }
+  startAutoFlush(intervalMs) {
+    this.flushTimer = setInterval(() => {
+      void this.flush();
+    }, intervalMs);
+    this.flushTimer.unref();
+  }
+};
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+exports.ApiStorage = ApiStorage;
+exports.AuditLogger = AuditLogger;
+exports.BudgetManager = BudgetManager;
+exports.FileStorage = FileStorage;
+exports.MemoryStorage = MemoryStorage;
+exports.SentinelAuditError = SentinelAuditError;
+exports.SentinelBudgetError = SentinelBudgetError;
+exports.SentinelConfigError = SentinelConfigError;
+exports.SentinelError = SentinelError;
+exports.conservativePolicy = conservativePolicy;
+exports.customPolicy = customPolicy;
+exports.liberalPolicy = liberalPolicy;
+exports.standardPolicy = standardPolicy;
+exports.unlimitedPolicy = unlimitedPolicy;
+exports.validateConfig = validateConfig;
+exports.wrapWithSentinel = wrapWithSentinel;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map