npm - agentpay-mcp - Versions diffs - 4.1.10 → 4.1.16 - Mend

agentpay-mcp 4.1.10 → 4.1.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (59) hide show

package/README.md CHANGED Viewed

@@ -3,7 +3,7 @@
 [![npm version](https://img.shields.io/npm/v/agentpay-mcp.svg)](https://www.npmjs.com/package/agentpay-mcp)
 [![Glama MCP Server](https://img.shields.io/badge/glama.ai-MCP%20server-1ee495?logo=githubsponsors&logoColor=1ee495&labelColor=0a0a0a)](https://glama.ai/mcp/servers/up2itnow0822/claw-pay-mcp)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
-[![Tests](https://img.shields.io/badge/tests-222%20passing-brightgreen.svg)](tests/)
+[![Tests](https://img.shields.io/badge/tests-273%20passing-brightgreen.svg)](tests/)
 [![Patent Pending](https://img.shields.io/badge/patent-pending-orange.svg)](https://uspto.gov)
 **Compatible with x402 V1/V2 + Stripe MPP — protocol-agnostic spend controls.**
@@ -96,12 +96,24 @@ AgentPay MCP is built for enterprise MCP deployments where supply chain security
 - **Directory introspection readiness.** For Glama, Smithery, and other MCP catalogs, use the [directory introspection readiness note](docs/directory-introspection-readiness.md) for verified `npx`, Docker, MCP name, and non-custodial metadata paths.
 - **x402 v2.11 paid MCP compatibility.** Use the [compatibility proof](docs/x402-v211-paid-mcp-compatibility.md) for `Payment-Signature`, `payment-response`, `mcp-session-id`, CORS exposed headers, Streamable HTTP initialize order, receipt links, and Base Sepolia to Base mainnet cutover.
 - **Directory-grade metadata proof.** Use the [registry/listing proof](docs/mcp-registry-listing-proof.md), `docs/mcp-registry-listing.json`, `glama.json`, `smithery.yaml`, and `llms.txt` for catalog crawlers and buyer agents.
+- **Chain-neutral x402 gateway profile.** Use the [chain-neutral gateway profile proof](docs/x402-chain-neutral-gateway-profile.md), schema, and fixture to document supported networks, facilitator/settlement metadata, trial/refund policies, and directory manifests without leaking Base-only assumptions into non-EVM discovery.
+- **Multi-ledger x402 receipt normalization.** Use the [multi-ledger receipt normalization proof](docs/x402-multi-ledger-receipt-normalization.md), schema, and XRPL fixture to normalize ledger labels, assets, settlement targets, `Payment-Signature`, `payment-response`, verification status, non-custodial boundaries, and unsupported-ledger refusals before signing.
+- **Wallet-action preflight profile.** Use the [wallet-action preflight profile](docs/wallet-action-preflight-profile.md) and TRON fixture to require simulation, chain/resource caps, allowlists, recipient and amount confirmation, nonce guidance, and approval copy before irreversible sends, swaps, or resource purchases.
+- **Machine-payment directory listing pack.** Use the [directory listing pack](docs/agentpay-machine-payment-directory-listing-pack.md) and [listing JSON](docs/agentpay-machine-payment-directory-listing.json) for MPP and paid-MCP directories without claiming unsupported non-EVM signing.
+- **Five-tool x402 parity proof.** Use the [five-tool parity proof](docs/agentpay-five-tool-parity-proof.md) and [machine-readable map](docs/agentpay-five-tool-parity-proof.json) to map search, check, fetch, wallet, and pay flows to AgentPay's local-signer, approval-gated controls.
+- **Escrow and reputation boundary.** Use the [escrow/reputation boundary proof](docs/agentpay-escrow-reputation-boundary.md) to keep x402 payment authorization separate from task escrow, identity, reputation, and work proof.
+- **Paid MCP proxy and discovery readiness.** Use the [paid-proxy and discovery readiness pack](docs/paid-mcp-proxy-discovery-readiness.md) plus [listing JSON](docs/agentpay-paid-proxy-discovery-listing.json) for Toolstem/Cinderwright-style proxy and directory submissions.
+- **Dynamic paid MCP manifest drift.** Use the [dynamic manifest drift proof](docs/x402-dynamic-paid-mcp-manifest-drift.md), schema, and Rug Munch fixtures to validate fresh `.well-known/x402` snapshots, stale-metadata warnings, no-trial/pricing clarity, supported networks, and directory endpoint freshness before buyer agents sign.
+- **Smithery paid MCP installation.** Use the [Smithery install proof](docs/smithery-paid-mcp-installation.md) and [`examples/smithery-paid-mcp-installation`](examples/smithery-paid-mcp-installation/) for Smithery CLI, Vercel AI SDK MCP, `@smithery/api`, approval gates, spend-limit defaults, and fresh x402 manifest checks. Do not claim live Smithery verification until the listing is verified.
 - **x402-native vs Stripe-proxy MCP.** For builders comparing AgentPay MCP with emerging Stripe-proxy MCP repos, use the [x402-native vs Stripe-proxy note](docs/x402-native-vs-stripe-proxy.md) to keep approval gates, spend caps, audit rows, and non-custodial signing separate from proxy billing claims.
 - **Hosted x402 proxy verification.** Before an agent pays a hosted x402 MCP gateway, use the [hosted x402 proxy buyer checklist](docs/hosted-x402-proxy-verification.md) to verify `payment-required` headers, non-zero `payTo`, network and asset allowlists, approval state, spend cap, audit correlation, and pooled-token lock-in.
 - **Paid MCP discovery and budget response.** For SettleGrid-style discovery, metering, and budget-platform comparisons, use the [paid MCP discovery and budget response](docs/settlegrid-paid-mcp-discovery-response.md) to separate directory discovery from x402 buyer authorization.
 - **Buyer-flow parity for one-command x402 tools.** For AgentScore Pay-style buyer CLI comparisons, use the [AgentPay buyer-flow parity checklist](docs/agentpay-buyer-flow-parity.md) to prove discover, check, dry-run, pay, spend caps, typed payment errors, quota envelopes, no-charge failures, idempotency, MCP exposure, and audit before signing.
 - **Paid MCP gateway hardening.** For create-mcpay-style Worker scaffolds, use the [paid MCP gateway hardening checklist](docs/paid-mcp-gateway-hardening.md) to test signup, challenge parsing, key minting, atomic billing, scope defaults, no-charge validation failures, and buyer audit rows.
 - **Paid-provider health proof.** For Voidly-style public provider health feeds, use the [paid-provider health proof checklist](docs/paid-provider-health-proof.md) to verify provider success rate, stale streaks, receipt state, x402 network, asset, payTo, and fail-closed routing before signing.
+- **Paid-tool quality thresholds.** For Strale-style scored catalogs, use the [paid-tool quality thresholds proof](docs/paid-tool-quality-thresholds.md) to verify fresh score fields, stale-score warnings, provider-health snapshots, minimum-quality rejection, and approval gates before x402 signing.
+- **Authorized cybersecurity scans.** For AgentAegis-style paid security tools, use the [authorized cybersecurity-scan payment profile](docs/authorized-cybersecurity-scan-profile.md) to require target authorization, allowed-domain binding, per-target spend caps, scan-rate policy, approval prompts, and audit receipt language.
+- **Post-quantum spend-envelope compatibility.** For PQSafe-style buyer questions, use the [post-quantum spend-envelope assessment](docs/post-quantum-spend-envelope-compatibility.md) to map spend limits, allowlists, x402 receipts, approval gates, and audit metadata without claiming ML-DSA implementation.
 - **Payment-critical dependency pins.** For x402 verifier and signing paths, AgentPay pins `viem` exactly at `2.48.7`, enforces the same root override, and runs a clean-install smoke check before release. See the [dependency pin policy](docs/dependency-pin-policy.md).
 - **WhatsApp and SMB agent controls.** For channel-native paid agents, use the [WhatsApp and SMB paid-agent controls recipe](docs/whatsapp-smb-agent-controls.md).
 - **Channel-agent affiliate payout controls.** For Axon-style affiliate and referral revenue shares, use the [channel-agent affiliate controls spec](docs/channel-agent-affiliate-controls.md) to keep payout caps, per-contact approval, audit rows, and optional x402 settlement separate from paid tool spend approval.

package/dist/index.js CHANGED Viewed

@@ -42,7 +42,7 @@ const otel_budget_js_1 = require("./tools/otel-budget.js");
 // ─── Server configuration ──────────────────────────────────────────────────
 const SERVER_INFO = {
     name: 'agentpay-mcp',
-    version: '4.1.10',
+    version: '4.1.15',
 };
 const SERVER_CAPABILITIES = {
     tools: {},
@@ -261,7 +261,7 @@ async function main() {
     });
     await server.connect(transport);
     // Log to stderr (not stdout — stdout is reserved for MCP protocol)
-    process.stderr.write(`AgentPay MCP v4.1.10 started. ` +
+    process.stderr.write(`AgentPay MCP v4.1.15 started. ` +
         `Wallet: ${process.env['AGENT_WALLET_ADDRESS'] ?? '(not configured)'} | ` +
         `Chain: ${process.env['CHAIN_ID'] ?? '8453 (Base Mainnet)'} | ` +
         `Session TTL: ${process.env['SESSION_TTL_SECONDS'] ?? '3600'}s\n`);

package/dist/utils/authorized-cybersecurity-scan-profile.d.ts ADDED Viewed

@@ -0,0 +1,216 @@
+/**
+ * Authorized cybersecurity-scan payment profile helpers.
+ *
+ * Paid security tools need tighter guards than general data APIs. These helpers
+ * require target authorization, allowed-domain binding, per-target spend caps,
+ * scan-rate policy, human approval, and audit receipt language before x402
+ * signing can proceed.
+ */
+import { z } from 'zod';
+export declare const AuthorizedCyberScanProfileSchema: z.ZodObject<{
+    schema: z.ZodLiteral<"agentpay-authorized-cybersecurity-scan-profile/v1">;
+    generated_at: z.ZodEffects<z.ZodString, string, string>;
+    scan: z.ZodObject<{
+        tool_id: z.ZodString;
+        category: z.ZodEnum<["vulnerability_scan", "compliance_check", "threat_intel_lookup", "security_audit"]>;
+        target: z.ZodString;
+        target_domain: z.ZodString;
+        requested_by_agent: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        target: string;
+        tool_id: string;
+        category: "vulnerability_scan" | "compliance_check" | "threat_intel_lookup" | "security_audit";
+        target_domain: string;
+        requested_by_agent: string;
+    }, {
+        target: string;
+        tool_id: string;
+        category: "vulnerability_scan" | "compliance_check" | "threat_intel_lookup" | "security_audit";
+        target_domain: string;
+        requested_by_agent: string;
+    }>;
+    authorization: z.ZodObject<{
+        attestation_id: z.ZodString;
+        granted_by: z.ZodString;
+        granted_at: z.ZodEffects<z.ZodString, string, string>;
+        expires_at: z.ZodEffects<z.ZodString, string, string>;
+        allowed_domains: z.ZodArray<z.ZodString, "many">;
+        allowed_scan_categories: z.ZodArray<z.ZodEnum<["vulnerability_scan", "compliance_check", "threat_intel_lookup", "security_audit"]>, "many">;
+        proof_uri: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        attestation_id: string;
+        granted_by: string;
+        granted_at: string;
+        expires_at: string;
+        allowed_domains: string[];
+        allowed_scan_categories: ("vulnerability_scan" | "compliance_check" | "threat_intel_lookup" | "security_audit")[];
+        proof_uri?: string | undefined;
+    }, {
+        attestation_id: string;
+        granted_by: string;
+        granted_at: string;
+        expires_at: string;
+        allowed_domains: string[];
+        allowed_scan_categories: ("vulnerability_scan" | "compliance_check" | "threat_intel_lookup" | "security_audit")[];
+        proof_uri?: string | undefined;
+    }>;
+    spend_policy: z.ZodObject<{
+        currency: z.ZodLiteral<"USD">;
+        per_target_cap_usd: z.ZodNumber;
+        spent_for_target_usd: z.ZodNumber;
+        requested_cost_usd: z.ZodNumber;
+        x402_max_amount_required: z.ZodEffects<z.ZodString, string, string>;
+    }, "strip", z.ZodTypeAny, {
+        currency: "USD";
+        per_target_cap_usd: number;
+        spent_for_target_usd: number;
+        requested_cost_usd: number;
+        x402_max_amount_required: string;
+    }, {
+        currency: "USD";
+        per_target_cap_usd: number;
+        spent_for_target_usd: number;
+        requested_cost_usd: number;
+        x402_max_amount_required: string;
+    }>;
+    rate_limit: z.ZodObject<{
+        window_seconds: z.ZodNumber;
+        max_scans_per_window: z.ZodNumber;
+        scans_used_in_window: z.ZodNumber;
+    }, "strip", z.ZodTypeAny, {
+        window_seconds: number;
+        max_scans_per_window: number;
+        scans_used_in_window: number;
+    }, {
+        window_seconds: number;
+        max_scans_per_window: number;
+        scans_used_in_window: number;
+    }>;
+    approval_gate: z.ZodObject<{
+        fail_closed: z.ZodLiteral<true>;
+        requires_human_approval: z.ZodLiteral<true>;
+        approved: z.ZodBoolean;
+        prompt: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        approved: boolean;
+        fail_closed: true;
+        requires_human_approval: true;
+        prompt: string;
+    }, {
+        approved: boolean;
+        fail_closed: true;
+        requires_human_approval: true;
+        prompt: string;
+    }>;
+    audit_receipt: z.ZodObject<{
+        receipt_id: z.ZodString;
+        retention_days: z.ZodNumber;
+        language: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        receipt_id: string;
+        retention_days: number;
+        language: string;
+    }, {
+        receipt_id: string;
+        retention_days: number;
+        language: string;
+    }>;
+}, "strip", z.ZodTypeAny, {
+    authorization: {
+        attestation_id: string;
+        granted_by: string;
+        granted_at: string;
+        expires_at: string;
+        allowed_domains: string[];
+        allowed_scan_categories: ("vulnerability_scan" | "compliance_check" | "threat_intel_lookup" | "security_audit")[];
+        proof_uri?: string | undefined;
+    };
+    schema: "agentpay-authorized-cybersecurity-scan-profile/v1";
+    generated_at: string;
+    scan: {
+        target: string;
+        tool_id: string;
+        category: "vulnerability_scan" | "compliance_check" | "threat_intel_lookup" | "security_audit";
+        target_domain: string;
+        requested_by_agent: string;
+    };
+    spend_policy: {
+        currency: "USD";
+        per_target_cap_usd: number;
+        spent_for_target_usd: number;
+        requested_cost_usd: number;
+        x402_max_amount_required: string;
+    };
+    rate_limit: {
+        window_seconds: number;
+        max_scans_per_window: number;
+        scans_used_in_window: number;
+    };
+    approval_gate: {
+        approved: boolean;
+        fail_closed: true;
+        requires_human_approval: true;
+        prompt: string;
+    };
+    audit_receipt: {
+        receipt_id: string;
+        retention_days: number;
+        language: string;
+    };
+}, {
+    authorization: {
+        attestation_id: string;
+        granted_by: string;
+        granted_at: string;
+        expires_at: string;
+        allowed_domains: string[];
+        allowed_scan_categories: ("vulnerability_scan" | "compliance_check" | "threat_intel_lookup" | "security_audit")[];
+        proof_uri?: string | undefined;
+    };
+    schema: "agentpay-authorized-cybersecurity-scan-profile/v1";
+    generated_at: string;
+    scan: {
+        target: string;
+        tool_id: string;
+        category: "vulnerability_scan" | "compliance_check" | "threat_intel_lookup" | "security_audit";
+        target_domain: string;
+        requested_by_agent: string;
+    };
+    spend_policy: {
+        currency: "USD";
+        per_target_cap_usd: number;
+        spent_for_target_usd: number;
+        requested_cost_usd: number;
+        x402_max_amount_required: string;
+    };
+    rate_limit: {
+        window_seconds: number;
+        max_scans_per_window: number;
+        scans_used_in_window: number;
+    };
+    approval_gate: {
+        approved: boolean;
+        fail_closed: true;
+        requires_human_approval: true;
+        prompt: string;
+    };
+    audit_receipt: {
+        receipt_id: string;
+        retention_days: number;
+        language: string;
+    };
+}>;
+export type AuthorizedCyberScanProfile = z.infer<typeof AuthorizedCyberScanProfileSchema>;
+export type AuthorizedCyberScanPolicy = {
+    now?: Date;
+    allowedDomains: string[];
+    maxRequestedCostUsd: number;
+    minReceiptRetentionDays: number;
+};
+export type AuthorizedCyberScanDecision = {
+    ok: boolean;
+    failures: string[];
+    warnings: string[];
+};
+export declare function evaluateAuthorizedCyberScanProfile(profileInput: unknown, policy: AuthorizedCyberScanPolicy): AuthorizedCyberScanDecision;
+//# sourceMappingURL=authorized-cybersecurity-scan-profile.d.ts.map

package/dist/utils/authorized-cybersecurity-scan-profile.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"authorized-cybersecurity-scan-profile.d.ts","sourceRoot":"","sources":["../../src/utils/authorized-cybersecurity-scan-profile.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAWxB,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA0C3C,CAAC;AAEH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gCAAgC,CAAC,CAAC;AAE1F,MAAM,MAAM,yBAAyB,GAAG;IACtC,GAAG,CAAC,EAAE,IAAI,CAAC;IACX,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,uBAAuB,EAAE,MAAM,CAAC;CACjC,CAAC;AAEF,MAAM,MAAM,2BAA2B,GAAG;IACxC,EAAE,EAAE,OAAO,CAAC;IACZ,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB,CAAC;AAUF,wBAAgB,kCAAkC,CAChD,YAAY,EAAE,OAAO,EACrB,MAAM,EAAE,yBAAyB,GAChC,2BAA2B,CA0E7B"}

package/dist/utils/authorized-cybersecurity-scan-profile.js ADDED Viewed

@@ -0,0 +1,130 @@
+"use strict";
+/**
+ * Authorized cybersecurity-scan payment profile helpers.
+ *
+ * Paid security tools need tighter guards than general data APIs. These helpers
+ * require target authorization, allowed-domain binding, per-target spend caps,
+ * scan-rate policy, human approval, and audit receipt language before x402
+ * signing can proceed.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizedCyberScanProfileSchema = void 0;
+exports.evaluateAuthorizedCyberScanProfile = evaluateAuthorizedCyberScanProfile;
+const zod_1 = require("zod");
+const isoDateString = zod_1.z.string().refine((value) => !Number.isNaN(Date.parse(value)), {
+    message: 'must be an ISO-8601 timestamp',
+});
+const positiveIntegerString = zod_1.z
+    .string()
+    .regex(/^\d+$/)
+    .refine((value) => BigInt(value) > 0n, { message: 'amount must be greater than zero' });
+exports.AuthorizedCyberScanProfileSchema = zod_1.z.object({
+    schema: zod_1.z.literal('agentpay-authorized-cybersecurity-scan-profile/v1'),
+    generated_at: isoDateString,
+    scan: zod_1.z.object({
+        tool_id: zod_1.z.string().min(1),
+        category: zod_1.z.enum(['vulnerability_scan', 'compliance_check', 'threat_intel_lookup', 'security_audit']),
+        target: zod_1.z.string().min(1),
+        target_domain: zod_1.z.string().min(1),
+        requested_by_agent: zod_1.z.string().min(1),
+    }),
+    authorization: zod_1.z.object({
+        attestation_id: zod_1.z.string().min(1),
+        granted_by: zod_1.z.string().min(1),
+        granted_at: isoDateString,
+        expires_at: isoDateString,
+        allowed_domains: zod_1.z.array(zod_1.z.string().min(1)).min(1),
+        allowed_scan_categories: zod_1.z.array(zod_1.z.enum(['vulnerability_scan', 'compliance_check', 'threat_intel_lookup', 'security_audit'])).min(1),
+        proof_uri: zod_1.z.string().url().optional(),
+    }),
+    spend_policy: zod_1.z.object({
+        currency: zod_1.z.literal('USD'),
+        per_target_cap_usd: zod_1.z.number().positive(),
+        spent_for_target_usd: zod_1.z.number().nonnegative(),
+        requested_cost_usd: zod_1.z.number().positive(),
+        x402_max_amount_required: positiveIntegerString,
+    }),
+    rate_limit: zod_1.z.object({
+        window_seconds: zod_1.z.number().int().positive(),
+        max_scans_per_window: zod_1.z.number().int().positive(),
+        scans_used_in_window: zod_1.z.number().int().nonnegative(),
+    }),
+    approval_gate: zod_1.z.object({
+        fail_closed: zod_1.z.literal(true),
+        requires_human_approval: zod_1.z.literal(true),
+        approved: zod_1.z.boolean(),
+        prompt: zod_1.z.string().min(1),
+    }),
+    audit_receipt: zod_1.z.object({
+        receipt_id: zod_1.z.string().min(1),
+        retention_days: zod_1.z.number().int().positive(),
+        language: zod_1.z.string().min(40),
+    }),
+});
+function sameDomain(left, right) {
+    return left.toLowerCase() === right.toLowerCase();
+}
+function includesDomain(domains, targetDomain) {
+    return domains.some((domain) => sameDomain(domain, targetDomain));
+}
+function evaluateAuthorizedCyberScanProfile(profileInput, policy) {
+    const parsed = exports.AuthorizedCyberScanProfileSchema.safeParse(profileInput);
+    const failures = [];
+    const warnings = [];
+    if (!parsed.success) {
+        return {
+            ok: false,
+            failures: parsed.error.issues.map((issue) => `${issue.path.join('.')}: ${issue.message}`),
+            warnings,
+        };
+    }
+    const profile = parsed.data;
+    const now = policy.now ?? new Date();
+    const expiresAt = new Date(profile.authorization.expires_at);
+    const grantedAt = new Date(profile.authorization.granted_at);
+    if (grantedAt.getTime() > now.getTime()) {
+        failures.push('Target authorization is not active yet.');
+    }
+    if (expiresAt.getTime() <= now.getTime()) {
+        failures.push('Target authorization is expired.');
+    }
+    if (!includesDomain(profile.authorization.allowed_domains, profile.scan.target_domain)) {
+        failures.push(`Target domain ${profile.scan.target_domain} is not listed in the authorization attestation.`);
+    }
+    if (!includesDomain(policy.allowedDomains, profile.scan.target_domain)) {
+        failures.push(`Target domain ${profile.scan.target_domain} is not allowed by buyer policy.`);
+    }
+    if (!profile.authorization.allowed_scan_categories.includes(profile.scan.category)) {
+        failures.push(`Scan category ${profile.scan.category} is not authorized for target ${profile.scan.target_domain}.`);
+    }
+    if (profile.spend_policy.requested_cost_usd > policy.maxRequestedCostUsd) {
+        failures.push(`Requested scan cost ${profile.spend_policy.requested_cost_usd} exceeds buyer max ${policy.maxRequestedCostUsd}.`);
+    }
+    if (profile.spend_policy.spent_for_target_usd + profile.spend_policy.requested_cost_usd > profile.spend_policy.per_target_cap_usd) {
+        failures.push('Requested scan would exceed the per-target spend cap.');
+    }
+    if (profile.rate_limit.scans_used_in_window >= profile.rate_limit.max_scans_per_window) {
+        failures.push('Scan rate limit is exhausted for this target window.');
+    }
+    if (!profile.approval_gate.approved) {
+        failures.push('Human approval has not been granted for this paid cybersecurity scan.');
+    }
+    if (!profile.approval_gate.prompt.includes(profile.scan.target_domain)) {
+        warnings.push('Approval prompt does not name the target domain.');
+    }
+    if (profile.audit_receipt.retention_days < policy.minReceiptRetentionDays) {
+        failures.push(`Audit receipt retention ${profile.audit_receipt.retention_days} days is below required ${policy.minReceiptRetentionDays}.`);
+    }
+    const language = profile.audit_receipt.language.toLowerCase();
+    for (const requiredPhrase of ['authorized target', 'spend cap', 'x402 receipt']) {
+        if (!language.includes(requiredPhrase)) {
+            failures.push(`Audit receipt language must include "${requiredPhrase}".`);
+        }
+    }
+    return {
+        ok: failures.length === 0,
+        failures,
+        warnings,
+    };
+}
+//# sourceMappingURL=authorized-cybersecurity-scan-profile.js.map

package/dist/utils/authorized-cybersecurity-scan-profile.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"authorized-cybersecurity-scan-profile.js","sourceRoot":"","sources":["../../src/utils/authorized-cybersecurity-scan-profile.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAgFH,gFA6EC;AA3JD,6BAAwB;AAExB,MAAM,aAAa,GAAG,OAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE;IACnF,OAAO,EAAE,+BAA+B;CACzC,CAAC,CAAC;AAEH,MAAM,qBAAqB,GAAG,OAAC;KAC5B,MAAM,EAAE;KACR,KAAK,CAAC,OAAO,CAAC;KACd,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC,CAAC;AAE7E,QAAA,gCAAgC,GAAG,OAAC,CAAC,MAAM,CAAC;IACvD,MAAM,EAAE,OAAC,CAAC,OAAO,CAAC,mDAAmD,CAAC;IACtE,YAAY,EAAE,aAAa;IAC3B,IAAI,EAAE,OAAC,CAAC,MAAM,CAAC;QACb,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC1B,QAAQ,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,oBAAoB,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,gBAAgB,CAAC,CAAC;QACrG,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QACzB,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAChC,kBAAkB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;KACtC,CAAC;IACF,aAAa,EAAE,OAAC,CAAC,MAAM,CAAC;QACtB,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QACjC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC7B,UAAU,EAAE,aAAa;QACzB,UAAU,EAAE,aAAa;QACzB,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAClD,uBAAuB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,IAAI,CAAC,CAAC,oBAAoB,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,gBAAgB,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACpI,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;KACvC,CAAC;IACF,YAAY,EAAE,OAAC,CAAC,MAAM,CAAC;QACrB,QAAQ,EAAE,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC;QAC1B,kBAAkB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACzC,oBAAoB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,WAAW,EAAE;QAC9C,kBAAkB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACzC,wBAAwB,EAAE,qBAAqB;KAChD,CAAC;IACF,UAAU,EAAE,OAAC,CAAC,MAAM,CAAC;QACnB,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAC3C,oBAAoB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QACjD,oBAAoB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE;KACrD,CAAC;IACF,aAAa,EAAE,OAAC,CAAC,MAAM,CAAC;QACtB,WAAW,EAAE,OAAC,CAAC,OAAO,CAAC,IAAI,CAAC;QAC5B,uBAAuB,EAAE,OAAC,CAAC,OAAO,CAAC,IAAI,CAAC;QACxC,QAAQ,EAAE,OAAC,CAAC,OAAO,EAAE;QACrB,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;KAC1B,CAAC;IACF,aAAa,EAAE,OAAC,CAAC,MAAM,CAAC;QACtB,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC7B,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAC3C,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;KAC7B,CAAC;CACH,CAAC,CAAC;AAiBH,SAAS,UAAU,CAAC,IAAY,EAAE,KAAa;IAC7C,OAAO,IAAI,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,WAAW,EAAE,CAAC;AACpD,CAAC;AAED,SAAS,cAAc,CAAC,OAAiB,EAAE,YAAoB;IAC7D,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,UAAU,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC;AACpE,CAAC;AAED,SAAgB,kCAAkC,CAChD,YAAqB,EACrB,MAAiC;IAEjC,MAAM,MAAM,GAAG,wCAAgC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;IACxE,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO;YACL,EAAE,EAAE,KAAK;YACT,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC;YACzF,QAAQ;SACT,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC;IAC5B,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;IAC7D,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;IAE7D,IAAI,SAAS,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;QACxC,QAAQ,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;IAC3D,CAAC;IAED,IAAI,SAAS,CAAC,OAAO,EAAE,IAAI,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;QACzC,QAAQ,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;IACpD,CAAC;IAED,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,aAAa,CAAC,eAAe,EAAE,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;QACvF,QAAQ,CAAC,IAAI,CAAC,iBAAiB,OAAO,CAAC,IAAI,CAAC,aAAa,kDAAkD,CAAC,CAAC;IAC/G,CAAC;IAED,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,cAAc,EAAE,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;QACvE,QAAQ,CAAC,IAAI,CAAC,iBAAiB,OAAO,CAAC,IAAI,CAAC,aAAa,kCAAkC,CAAC,CAAC;IAC/F,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,uBAAuB,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnF,QAAQ,CAAC,IAAI,CAAC,iBAAiB,OAAO,CAAC,IAAI,CAAC,QAAQ,iCAAiC,OAAO,CAAC,IAAI,CAAC,aAAa,GAAG,CAAC,CAAC;IACtH,CAAC;IAED,IAAI,OAAO,CAAC,YAAY,CAAC,kBAAkB,GAAG,MAAM,CAAC,mBAAmB,EAAE,CAAC;QACzE,QAAQ,CAAC,IAAI,CAAC,uBAAuB,OAAO,CAAC,YAAY,CAAC,kBAAkB,sBAAsB,MAAM,CAAC,mBAAmB,GAAG,CAAC,CAAC;IACnI,CAAC;IAED,IAAI,OAAO,CAAC,YAAY,CAAC,oBAAoB,GAAG,OAAO,CAAC,YAAY,CAAC,kBAAkB,GAAG,OAAO,CAAC,YAAY,CAAC,kBAAkB,EAAE,CAAC;QAClI,QAAQ,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;IACzE,CAAC;IAED,IAAI,OAAO,CAAC,UAAU,CAAC,oBAAoB,IAAI,OAAO,CAAC,UAAU,CAAC,oBAAoB,EAAE,CAAC;QACvF,QAAQ,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;IACxE,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,QAAQ,EAAE,CAAC;QACpC,QAAQ,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;IACzF,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;QACvE,QAAQ,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAC;IACpE,CAAC;IAED,IAAI,OAAO,CAAC,aAAa,CAAC,cAAc,GAAG,MAAM,CAAC,uBAAuB,EAAE,CAAC;QAC1E,QAAQ,CAAC,IAAI,CAAC,2BAA2B,OAAO,CAAC,aAAa,CAAC,cAAc,2BAA2B,MAAM,CAAC,uBAAuB,GAAG,CAAC,CAAC;IAC7I,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,CAAC,aAAa,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IAC9D,KAAK,MAAM,cAAc,IAAI,CAAC,mBAAmB,EAAE,WAAW,EAAE,cAAc,CAAC,EAAE,CAAC;QAChF,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YACvC,QAAQ,CAAC,IAAI,CAAC,wCAAwC,cAAc,IAAI,CAAC,CAAC;QAC5E,CAAC;IACH,CAAC;IAED,OAAO;QACL,EAAE,EAAE,QAAQ,CAAC,MAAM,KAAK,CAAC;QACzB,QAAQ;QACR,QAAQ;KACT,CAAC;AACJ,CAAC"}

package/dist/utils/paid-provider-health-proof.d.ts CHANGED Viewed

@@ -128,10 +128,10 @@ export declare const PaidProviderHealthProofSchema: z.ZodObject<{
         receipt_state: "verified" | "pending_acceptance_verified" | "missing" | "invalid" | "unverified";
         verified: boolean;
         error?: string | undefined;
+        receipt_id?: string | undefined;
         latency_ms?: number | undefined;
         capability?: string | undefined;
         capability_id?: string | undefined;
-        receipt_id?: string | undefined;
         x402_payment?: {
             scheme: "exact";
             network: string;
@@ -149,10 +149,10 @@ export declare const PaidProviderHealthProofSchema: z.ZodObject<{
         receipt_state: "verified" | "pending_acceptance_verified" | "missing" | "invalid" | "unverified";
         verified: boolean;
         error?: string | undefined;
+        receipt_id?: string | undefined;
         latency_ms?: number | undefined;
         capability?: string | undefined;
         capability_id?: string | undefined;
-        receipt_id?: string | undefined;
         x402_payment?: {
             network: string;
             asset: string;
@@ -204,10 +204,10 @@ export declare const PaidProviderHealthProofSchema: z.ZodObject<{
         receipt_state: "verified" | "pending_acceptance_verified" | "missing" | "invalid" | "unverified";
         verified: boolean;
         error?: string | undefined;
+        receipt_id?: string | undefined;
         latency_ms?: number | undefined;
         capability?: string | undefined;
         capability_id?: string | undefined;
-        receipt_id?: string | undefined;
         x402_payment?: {
             scheme: "exact";
             network: string;
@@ -251,10 +251,10 @@ export declare const PaidProviderHealthProofSchema: z.ZodObject<{
         receipt_state: "verified" | "pending_acceptance_verified" | "missing" | "invalid" | "unverified";
         verified: boolean;
         error?: string | undefined;
+        receipt_id?: string | undefined;
         latency_ms?: number | undefined;
         capability?: string | undefined;
         capability_id?: string | undefined;
-        receipt_id?: string | undefined;
         x402_payment?: {
             network: string;
             asset: string;