npm - bsv-x402 - Versions diffs - 0.4.1 → 0.5.0 - Mend

bsv-x402 0.4.1 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.cjs CHANGED Viewed

@@ -596,6 +596,171 @@ function parseChallenge(header) {
   };
 }
+// src/x402-fetch.ts
+var BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+function base58DecodeCheck(address) {
+  let leadingZeros = 0;
+  for (const c of address) {
+    if (c === "1") leadingZeros++;
+    else break;
+  }
+  let n = BigInt(0);
+  for (const c of address) {
+    const i = BASE58_ALPHABET.indexOf(c);
+    if (i < 0) throw new Error(`Invalid Base58 character: ${c}`);
+    n = n * 58n + BigInt(i);
+  }
+  const hexFromBigint = n === 0n ? "" : n.toString(16);
+  const paddedHex = hexFromBigint.length % 2 ? "0" + hexFromBigint : hexFromBigint;
+  const bigintBytes = [];
+  for (let i = 0; i < paddedHex.length; i += 2) {
+    bigintBytes.push(parseInt(paddedHex.slice(i, i + 2), 16));
+  }
+  const allBytes = new Uint8Array(leadingZeros + bigintBytes.length);
+  allBytes.set(bigintBytes, leadingZeros);
+  if (allBytes.length !== 25) {
+    throw new Error(`Invalid address length: expected 25 bytes, got ${allBytes.length}`);
+  }
+  const body = allBytes.slice(0, 21);
+  const checksum = allBytes.slice(21);
+  const version = allBytes[0];
+  if (version !== 0 && version !== 111) {
+    throw new Error(`Unsupported address version: 0x${version.toString(16).padStart(2, "0")}`);
+  }
+  return { version, payload: body.slice(1) };
+}
+function payeeAddressToLockingScript(address) {
+  const { payload } = base58DecodeCheck(address);
+  if (payload.length !== 20) {
+    throw new Error(`Invalid pubkey hash length: expected 20 bytes, got ${payload.length}`);
+  }
+  const pubkeyHash = Array.from(payload).map((b) => b.toString(16).padStart(2, "0")).join("");
+  return `76a914${pubkeyHash}88ac`;
+}
+async function defaultConstructProof(challenge) {
+  const cwi = globalThis.CWI;
+  if (!cwi || typeof cwi.createAction !== "function") {
+    throw new Error(
+      "No BRC-100 wallet detected. Install a CWI-compliant browser extension or provide a custom proofConstructor in X402Config."
+    );
+  }
+  const result = await cwi.createAction({
+    description: `x402 payment: ${challenge.amount} sats to ${challenge.payee}`,
+    outputs: [{
+      satoshis: challenge.amount,
+      lockingScript: payeeAddressToLockingScript(challenge.payee),
+      description: `Payment to ${challenge.payee}`
+    }],
+    labels: ["x402-payment"],
+    options: {
+      returnTXIDOnly: false,
+      noSend: false
+    }
+  });
+  if (!result || !result.txid) {
+    throw new Error("Wallet declined payment or returned invalid result");
+  }
+  if (!result.rawTx || typeof result.rawTx !== "string" || result.rawTx.length === 0) {
+    throw new Error("Wallet did not return raw transaction");
+  }
+  return {
+    txid: result.txid,
+    rawTx: result.rawTx
+  };
+}
+function createX402Fetch(config = {}) {
+  const constructProof = config.proofConstructor ?? defaultConstructProof;
+  const brc105ProofConstructor = config.brc105ProofConstructor;
+  const brc105Wallet = config.brc105Wallet;
+  return async function x402Fetch2(input, init) {
+    const response = await fetch(input, init);
+    if (response.status !== 402) return response;
+    const origin = extractOrigin(input);
+    const challengeHeader = response.headers.get("X402-Challenge");
+    if (challengeHeader) {
+      let challenge;
+      try {
+        challenge = parseChallenge(challengeHeader);
+      } catch {
+        return response;
+      }
+      let proof;
+      try {
+        proof = await constructProof(challenge);
+      } catch (err) {
+        console.error("[x402] Proof construction failed (x402):", err);
+        config.onProofError?.(err, "x402");
+        return response;
+      }
+      const headers = new Headers(init?.headers);
+      headers.set("X402-Proof", JSON.stringify(proof));
+      return fetch(input, { ...init, headers });
+    }
+    const brc105Version = response.headers.get("x-bsv-payment-version");
+    if (brc105Version) {
+      if (!brc105ProofConstructor && !brc105Wallet) return response;
+      let brc105Challenge;
+      try {
+        brc105Challenge = parseBrc105Challenge(response);
+      } catch {
+        return response;
+      }
+      let proof;
+      try {
+        if (brc105ProofConstructor) {
+          proof = await brc105ProofConstructor(brc105Challenge);
+        } else {
+          proof = await constructBrc105Proof(brc105Challenge, brc105Wallet, origin);
+        }
+      } catch (err) {
+        console.error("[x402] Proof construction failed (brc105):", err);
+        config.onProofError?.(err, "brc105");
+        return response;
+      }
+      const headers = new Headers(init?.headers);
+      headers.set("x-bsv-payment", JSON.stringify(proof));
+      headers.set("x-bsv-auth-identity-key", proof.clientIdentityKey);
+      return fetch(input, { ...init, headers });
+    }
+    return response;
+  };
+}
+var singleton;
+async function x402Fetch(input, init) {
+  if (!singleton) singleton = createX402Fetch();
+  return singleton(input, init);
+}
+function resolveRelativeUrl(url) {
+  const loc = globalThis.location;
+  if (loc?.href) {
+    return new URL(url, loc.href).origin;
+  }
+  return "unknown";
+}
+function extractOrigin(input) {
+  if (input instanceof URL) return input.origin;
+  if (typeof input === "string") {
+    try {
+      return new URL(input).origin;
+    } catch {
+      try {
+        return resolveRelativeUrl(input);
+      } catch {
+        return "unknown";
+      }
+    }
+  }
+  try {
+    return new URL(input.url).origin;
+  } catch {
+    try {
+      return resolveRelativeUrl(input.url);
+    } catch {
+      return "unknown";
+    }
+  }
+}
 // src/limits.ts
 var BFG_DAILY_CEILING_SATOSHIS = 1e10;
 var BFG_PER_TX_CEILING_SATOSHIS = 1e9;
@@ -897,41 +1062,6 @@ var RateLimiter = class {
   }
 };
-// src/site-policy.ts
-var defaultSitePrompt = async (origin) => {
-  if (typeof globalThis.confirm !== "function") return "global";
-  const allow = globalThis.confirm(
-    `First payment to ${origin}.
-Use your global spending limits for this site?
-OK = Use global limits
-Cancel = Block this site`
-  );
-  return allow ? "global" : "block";
-};
-async function resolveSitePolicy(origin, limits, twoFactorProvider, promptFn = defaultSitePrompt) {
-  const existing = limits.sitePolicies[origin];
-  if (existing) return existing;
-  if (!limits.requirePerSitePrompt) {
-    return { origin, action: "global" };
-  }
-  if (limits.require2fa.onNewSiteApproval) {
-    if (!twoFactorProvider) {
-      return { origin, action: "block" };
-    }
-    const verified = await twoFactorProvider.verify({
-      type: "new-site-approval",
-      origin
-    });
-    if (!verified) {
-      return { origin, action: "block" };
-    }
-  }
-  const action = await promptFn(origin);
-  return { origin, action };
-}
 // src/storage.ts
 var STATE_KEY = "x402:limit-state";
 var POLICIES_KEY = "x402:site-policies";
@@ -1006,319 +1136,6 @@ var LocalStorageAdapter = class {
   }
 };
-// src/x402-fetch.ts
-var BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
-function base58DecodeCheck(address) {
-  let leadingZeros = 0;
-  for (const c of address) {
-    if (c === "1") leadingZeros++;
-    else break;
-  }
-  let n = BigInt(0);
-  for (const c of address) {
-    const i = BASE58_ALPHABET.indexOf(c);
-    if (i < 0) throw new Error(`Invalid Base58 character: ${c}`);
-    n = n * 58n + BigInt(i);
-  }
-  const hexFromBigint = n === 0n ? "" : n.toString(16);
-  const paddedHex = hexFromBigint.length % 2 ? "0" + hexFromBigint : hexFromBigint;
-  const bigintBytes = [];
-  for (let i = 0; i < paddedHex.length; i += 2) {
-    bigintBytes.push(parseInt(paddedHex.slice(i, i + 2), 16));
-  }
-  const allBytes = new Uint8Array(leadingZeros + bigintBytes.length);
-  allBytes.set(bigintBytes, leadingZeros);
-  if (allBytes.length !== 25) {
-    throw new Error(`Invalid address length: expected 25 bytes, got ${allBytes.length}`);
-  }
-  const body = allBytes.slice(0, 21);
-  const checksum = allBytes.slice(21);
-  const version = allBytes[0];
-  if (version !== 0 && version !== 111) {
-    throw new Error(`Unsupported address version: 0x${version.toString(16).padStart(2, "0")}`);
-  }
-  return { version, payload: body.slice(1) };
-}
-function payeeAddressToLockingScript(address) {
-  const { payload } = base58DecodeCheck(address);
-  if (payload.length !== 20) {
-    throw new Error(`Invalid pubkey hash length: expected 20 bytes, got ${payload.length}`);
-  }
-  const pubkeyHash = Array.from(payload).map((b) => b.toString(16).padStart(2, "0")).join("");
-  return `76a914${pubkeyHash}88ac`;
-}
-async function defaultConstructProof(challenge) {
-  const cwi = globalThis.CWI;
-  if (!cwi || typeof cwi.createAction !== "function") {
-    throw new Error(
-      "No BRC-100 wallet detected. Install a CWI-compliant browser extension or provide a custom proofConstructor in X402Config."
-    );
-  }
-  const result = await cwi.createAction({
-    description: `x402 payment: ${challenge.amount} sats to ${challenge.payee}`,
-    outputs: [{
-      satoshis: challenge.amount,
-      lockingScript: payeeAddressToLockingScript(challenge.payee),
-      description: `Payment to ${challenge.payee}`
-    }],
-    labels: ["x402-payment"],
-    options: {
-      returnTXIDOnly: false,
-      noSend: false
-    }
-  });
-  if (!result || !result.txid) {
-    throw new Error("Wallet declined payment or returned invalid result");
-  }
-  if (!result.rawTx || typeof result.rawTx !== "string" || result.rawTx.length === 0) {
-    throw new Error("Wallet did not return raw transaction");
-  }
-  return {
-    txid: result.txid,
-    rawTx: result.rawTx
-  };
-}
-function createMutex() {
-  let chain = Promise.resolve();
-  return (fn) => {
-    const result = chain.then(fn, fn);
-    chain = result.then(() => {
-    }, () => {
-    });
-    return result;
-  };
-}
-function createX402Fetch(config = {}) {
-  const tier = config.tier ?? "Hey, Not Too Rough";
-  const mode = config.mode ?? "interactive";
-  if (tier === "Nightmare!" && config.nightmareConfirmation !== "NIGHTMARE") {
-    throw new Error('Nightmare! tier requires nightmareConfirmation: "NIGHTMARE"');
-  }
-  const limits = resolveSpendLimits(tier, mode, config.limits);
-  const storage = config.storage ?? new LocalStorageAdapter();
-  const twoFactor = config.twoFactorProvider;
-  const constructProof = config.proofConstructor ?? defaultConstructProof;
-  const brc105ProofConstructor = config.brc105ProofConstructor;
-  const brc105Wallet = config.brc105Wallet;
-  const nowFn = config.now ?? Date.now;
-  const mutex = createMutex();
-  const needs2fa = limits.require2fa;
-  if (!twoFactor && (needs2fa.onCircuitBreakerReset || needs2fa.onHighValueTx || needs2fa.onNewSiteApproval || needs2fa.onTierChange)) {
-    console.warn("x402: tier requires 2FA but no twoFactorProvider configured \u2014 2FA-gated actions will be blocked");
-  }
-  let limiter;
-  let initialised = false;
-  async function ensureInitialised() {
-    if (limiter && initialised) return limiter;
-    const state = await storage.load();
-    limiter = new RateLimiter(limits, state ?? void 0, nowFn);
-    const policies = await storage.loadSitePolicies();
-    Object.assign(limits.sitePolicies, policies);
-    initialised = true;
-    return limiter;
-  }
-  async function persist(rl) {
-    await storage.save(rl.getState());
-    await storage.saveSitePolicies(limits.sitePolicies);
-  }
-  async function handlePaymentFlow(originalResponse, input, init, origin, amount, protocol, buildProof, retryWithProof, makeLedgerEntry) {
-    return mutex(async () => {
-      const rl = await ensureInitialised();
-      const sitePolicy = await resolveSitePolicy(origin, limits, twoFactor);
-      if (sitePolicy.action === "block") return originalResponse;
-      if (!limits.sitePolicies[origin]) {
-        limits.sitePolicies[origin] = sitePolicy;
-        await storage.saveSitePolicies(limits.sitePolicies);
-      }
-      const spendCheckable = { amount, origin, protocol };
-      const result = rl.check(spendCheckable, origin);
-      if (result.action === "block") {
-        if (result.severity === "trip") {
-          rl.trip();
-          await persist(rl);
-          config.onLimitReached?.(result.reason);
-          return originalResponse;
-        }
-        if (result.severity === "window" && twoFactor) {
-          config.onLimitReached?.(result.reason);
-          const override = await twoFactor.verify({
-            type: "limit-override",
-            amount,
-            origin,
-            reason: result.reason
-          });
-          if (override) {
-          } else {
-            return originalResponse;
-          }
-        } else {
-          config.onLimitReached?.(result.reason);
-          return originalResponse;
-        }
-      }
-      if (result.action === "yellow-light") {
-        const proceed = config.onYellowLight ? await config.onYellowLight(result.detail) : false;
-        if (!proceed) return originalResponse;
-      }
-      if (limits.require2fa.onHighValueTx && amount > limits.require2fa.highValueThreshold) {
-        if (!twoFactor) return originalResponse;
-        const verified = await twoFactor.verify({
-          type: "high-value-tx",
-          amount,
-          origin
-        });
-        if (!verified) return originalResponse;
-      }
-      let proof;
-      try {
-        proof = await buildProof();
-      } catch (err) {
-        console.error(`[x402] Proof construction failed (${protocol}):`, err);
-        config.onProofError?.(err, protocol);
-        return originalResponse;
-      }
-      rl.record(makeLedgerEntry(proof));
-      await persist(rl);
-      const maxAttempts = 3;
-      for (let attempt = 1; attempt <= maxAttempts; attempt++) {
-        try {
-          return await retryWithProof(proof);
-        } catch (err) {
-          if (attempt >= maxAttempts) {
-            console.error(`[x402] Paid request failed after ${maxAttempts} attempts (${protocol}):`, err);
-            return originalResponse;
-          }
-          await new Promise((r) => setTimeout(r, 250 * Math.pow(2, attempt)));
-        }
-      }
-      return originalResponse;
-    });
-  }
-  const fetchFn = async function x402Fetch2(input, init) {
-    const response = await fetch(input, init);
-    if (response.status !== 402) return response;
-    const origin = extractOrigin(input);
-    const challengeHeader = response.headers.get("X402-Challenge");
-    if (challengeHeader) {
-      let challenge;
-      try {
-        challenge = parseChallenge(challengeHeader);
-      } catch {
-        return response;
-      }
-      return handlePaymentFlow(
-        response,
-        input,
-        init,
-        origin,
-        challenge.amount,
-        "x402",
-        async () => constructProof(challenge),
-        (proof) => {
-          const headers = new Headers(init?.headers);
-          headers.set("X402-Proof", JSON.stringify(proof));
-          return fetch(input, { ...init, headers });
-        },
-        (proof) => ({
-          timestamp: nowFn(),
-          origin,
-          satoshis: challenge.amount,
-          txid: proof.txid
-        })
-      );
-    }
-    const brc105Version = response.headers.get("x-bsv-payment-version");
-    if (brc105Version) {
-      if (!brc105ProofConstructor && !brc105Wallet) return response;
-      let brc105Challenge;
-      try {
-        brc105Challenge = parseBrc105Challenge(response);
-      } catch {
-        return response;
-      }
-      return handlePaymentFlow(
-        response,
-        input,
-        init,
-        origin,
-        brc105Challenge.satoshisRequired,
-        "brc105",
-        async () => {
-          if (brc105ProofConstructor) {
-            return brc105ProofConstructor(brc105Challenge);
-          }
-          return constructBrc105Proof(brc105Challenge, brc105Wallet, origin);
-        },
-        (proof) => {
-          const headers = new Headers(init?.headers);
-          headers.set("x-bsv-payment", JSON.stringify(proof));
-          headers.set("x-bsv-auth-identity-key", proof.clientIdentityKey);
-          return fetch(input, { ...init, headers });
-        },
-        (proof) => ({
-          timestamp: nowFn(),
-          origin,
-          satoshis: brc105Challenge.satoshisRequired,
-          txid: proof.txid,
-          protocol: "brc105"
-        })
-      );
-    }
-    return response;
-  };
-  fetchFn.resetLimits = async () => {
-    const rl = await ensureInitialised();
-    if (limits.require2fa.onCircuitBreakerReset) {
-      if (!twoFactor) throw new Error("2FA required for circuit breaker reset but no twoFactorProvider configured");
-      const verified = await twoFactor.verify({ type: "circuit-breaker-reset" });
-      if (!verified) throw new Error("2FA verification failed for circuit breaker reset");
-    }
-    rl.reset();
-    await persist(rl);
-  };
-  fetchFn.getState = () => {
-    if (!limiter) return { entries: [], circuitBroken: false };
-    const state = limiter.getState();
-    return { entries: state.entries, circuitBroken: state.circuitBroken };
-  };
-  return fetchFn;
-}
-var singleton;
-async function x402Fetch(input, init) {
-  if (!singleton) singleton = createX402Fetch();
-  return singleton(input, init);
-}
-function resolveRelativeUrl(url) {
-  const loc = globalThis.location;
-  if (loc?.href) {
-    return new URL(url, loc.href).origin;
-  }
-  return "unknown";
-}
-function extractOrigin(input) {
-  if (input instanceof URL) return input.origin;
-  if (typeof input === "string") {
-    try {
-      return new URL(input).origin;
-    } catch {
-      try {
-        return resolveRelativeUrl(input);
-      } catch {
-        return "unknown";
-      }
-    }
-  }
-  try {
-    return new URL(input.url).origin;
-  } catch {
-    try {
-      return resolveRelativeUrl(input.url);
-    } catch {
-      return "unknown";
-    }
-  }
-}
 // src/two-factor.ts
 var WalletTwoFactorProvider = class {
   async verify(action) {
@@ -1361,6 +1178,41 @@ function describeAction(action) {
 Allow this payment of ${action.amount} sats to ${action.origin}?`;
   }
 }
+// src/site-policy.ts
+var defaultSitePrompt = async (origin) => {
+  if (typeof globalThis.confirm !== "function") return "global";
+  const allow = globalThis.confirm(
+    `First payment to ${origin}.
+Use your global spending limits for this site?
+OK = Use global limits
+Cancel = Block this site`
+  );
+  return allow ? "global" : "block";
+};
+async function resolveSitePolicy(origin, limits, twoFactorProvider, promptFn = defaultSitePrompt) {
+  const existing = limits.sitePolicies[origin];
+  if (existing) return existing;
+  if (!limits.requirePerSitePrompt) {
+    return { origin, action: "global" };
+  }
+  if (limits.require2fa.onNewSiteApproval) {
+    if (!twoFactorProvider) {
+      return { origin, action: "block" };
+    }
+    const verified = await twoFactorProvider.verify({
+      type: "new-site-approval",
+      origin
+    });
+    if (!verified) {
+      return { origin, action: "block" };
+    }
+  }
+  const action = await promptFn(origin);
+  return { origin, action };
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   BFG_DAILY_CEILING_SATOSHIS,

package/dist/index.d.cts CHANGED Viewed

@@ -87,19 +87,10 @@ interface TierPreset {
     programmatic: SpendLimits;
 }
 interface X402Config {
-    tier?: TierName;
-    mode?: SpendMode;
-    limits?: Partial<SpendLimits>;
-    storage?: StorageAdapter;
-    twoFactorProvider?: TwoFactorProvider;
     proofConstructor?: (challenge: Challenge) => Promise<Proof>;
     brc105ProofConstructor?: Brc105ProofConstructor;
     brc105Wallet?: Brc105Wallet;
-    nightmareConfirmation?: string;
-    onLimitReached?: (reason: string) => void;
-    onYellowLight?: (detail: YellowLightEvent) => Promise<boolean>;
     onProofError?: (error: unknown, protocol: PaymentProtocol) => void;
-    now?: () => number;
 }
 interface YellowLightEvent {
     origin: string;
@@ -182,14 +173,7 @@ interface TwoFactorProvider {
     verify(action: TwoFactorAction): Promise<boolean>;
 }
-interface X402FetchFn {
-    (input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
-    resetLimits(): Promise<void>;
-    getState(): {
-        entries: unknown[];
-        circuitBroken: boolean;
-    };
-}
+type X402FetchFn = (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
 declare function createX402Fetch(config?: X402Config): X402FetchFn;
 declare function x402Fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;

package/dist/index.d.ts CHANGED Viewed

@@ -87,19 +87,10 @@ interface TierPreset {
     programmatic: SpendLimits;
 }
 interface X402Config {
-    tier?: TierName;
-    mode?: SpendMode;
-    limits?: Partial<SpendLimits>;
-    storage?: StorageAdapter;
-    twoFactorProvider?: TwoFactorProvider;
     proofConstructor?: (challenge: Challenge) => Promise<Proof>;
     brc105ProofConstructor?: Brc105ProofConstructor;
     brc105Wallet?: Brc105Wallet;
-    nightmareConfirmation?: string;
-    onLimitReached?: (reason: string) => void;
-    onYellowLight?: (detail: YellowLightEvent) => Promise<boolean>;
     onProofError?: (error: unknown, protocol: PaymentProtocol) => void;
-    now?: () => number;
 }
 interface YellowLightEvent {
     origin: string;
@@ -182,14 +173,7 @@ interface TwoFactorProvider {
     verify(action: TwoFactorAction): Promise<boolean>;
 }
-interface X402FetchFn {
-    (input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
-    resetLimits(): Promise<void>;
-    getState(): {
-        entries: unknown[];
-        circuitBroken: boolean;
-    };
-}
+type X402FetchFn = (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
 declare function createX402Fetch(config?: X402Config): X402FetchFn;
 declare function x402Fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;

package/dist/index.js CHANGED Viewed

@@ -558,6 +558,171 @@ function parseChallenge(header) {
   };
 }
+// src/x402-fetch.ts
+var BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+function base58DecodeCheck(address) {
+  let leadingZeros = 0;
+  for (const c of address) {
+    if (c === "1") leadingZeros++;
+    else break;
+  }
+  let n = BigInt(0);
+  for (const c of address) {
+    const i = BASE58_ALPHABET.indexOf(c);
+    if (i < 0) throw new Error(`Invalid Base58 character: ${c}`);
+    n = n * 58n + BigInt(i);
+  }
+  const hexFromBigint = n === 0n ? "" : n.toString(16);
+  const paddedHex = hexFromBigint.length % 2 ? "0" + hexFromBigint : hexFromBigint;
+  const bigintBytes = [];
+  for (let i = 0; i < paddedHex.length; i += 2) {
+    bigintBytes.push(parseInt(paddedHex.slice(i, i + 2), 16));
+  }
+  const allBytes = new Uint8Array(leadingZeros + bigintBytes.length);
+  allBytes.set(bigintBytes, leadingZeros);
+  if (allBytes.length !== 25) {
+    throw new Error(`Invalid address length: expected 25 bytes, got ${allBytes.length}`);
+  }
+  const body = allBytes.slice(0, 21);
+  const checksum = allBytes.slice(21);
+  const version = allBytes[0];
+  if (version !== 0 && version !== 111) {
+    throw new Error(`Unsupported address version: 0x${version.toString(16).padStart(2, "0")}`);
+  }
+  return { version, payload: body.slice(1) };
+}
+function payeeAddressToLockingScript(address) {
+  const { payload } = base58DecodeCheck(address);
+  if (payload.length !== 20) {
+    throw new Error(`Invalid pubkey hash length: expected 20 bytes, got ${payload.length}`);
+  }
+  const pubkeyHash = Array.from(payload).map((b) => b.toString(16).padStart(2, "0")).join("");
+  return `76a914${pubkeyHash}88ac`;
+}
+async function defaultConstructProof(challenge) {
+  const cwi = globalThis.CWI;
+  if (!cwi || typeof cwi.createAction !== "function") {
+    throw new Error(
+      "No BRC-100 wallet detected. Install a CWI-compliant browser extension or provide a custom proofConstructor in X402Config."
+    );
+  }
+  const result = await cwi.createAction({
+    description: `x402 payment: ${challenge.amount} sats to ${challenge.payee}`,
+    outputs: [{
+      satoshis: challenge.amount,
+      lockingScript: payeeAddressToLockingScript(challenge.payee),
+      description: `Payment to ${challenge.payee}`
+    }],
+    labels: ["x402-payment"],
+    options: {
+      returnTXIDOnly: false,
+      noSend: false
+    }
+  });
+  if (!result || !result.txid) {
+    throw new Error("Wallet declined payment or returned invalid result");
+  }
+  if (!result.rawTx || typeof result.rawTx !== "string" || result.rawTx.length === 0) {
+    throw new Error("Wallet did not return raw transaction");
+  }
+  return {
+    txid: result.txid,
+    rawTx: result.rawTx
+  };
+}
+function createX402Fetch(config = {}) {
+  const constructProof = config.proofConstructor ?? defaultConstructProof;
+  const brc105ProofConstructor = config.brc105ProofConstructor;
+  const brc105Wallet = config.brc105Wallet;
+  return async function x402Fetch2(input, init) {
+    const response = await fetch(input, init);
+    if (response.status !== 402) return response;
+    const origin = extractOrigin(input);
+    const challengeHeader = response.headers.get("X402-Challenge");
+    if (challengeHeader) {
+      let challenge;
+      try {
+        challenge = parseChallenge(challengeHeader);
+      } catch {
+        return response;
+      }
+      let proof;
+      try {
+        proof = await constructProof(challenge);
+      } catch (err) {
+        console.error("[x402] Proof construction failed (x402):", err);
+        config.onProofError?.(err, "x402");
+        return response;
+      }
+      const headers = new Headers(init?.headers);
+      headers.set("X402-Proof", JSON.stringify(proof));
+      return fetch(input, { ...init, headers });
+    }
+    const brc105Version = response.headers.get("x-bsv-payment-version");
+    if (brc105Version) {
+      if (!brc105ProofConstructor && !brc105Wallet) return response;
+      let brc105Challenge;
+      try {
+        brc105Challenge = parseBrc105Challenge(response);
+      } catch {
+        return response;
+      }
+      let proof;
+      try {
+        if (brc105ProofConstructor) {
+          proof = await brc105ProofConstructor(brc105Challenge);
+        } else {
+          proof = await constructBrc105Proof(brc105Challenge, brc105Wallet, origin);
+        }
+      } catch (err) {
+        console.error("[x402] Proof construction failed (brc105):", err);
+        config.onProofError?.(err, "brc105");
+        return response;
+      }
+      const headers = new Headers(init?.headers);
+      headers.set("x-bsv-payment", JSON.stringify(proof));
+      headers.set("x-bsv-auth-identity-key", proof.clientIdentityKey);
+      return fetch(input, { ...init, headers });
+    }
+    return response;
+  };
+}
+var singleton;
+async function x402Fetch(input, init) {
+  if (!singleton) singleton = createX402Fetch();
+  return singleton(input, init);
+}
+function resolveRelativeUrl(url) {
+  const loc = globalThis.location;
+  if (loc?.href) {
+    return new URL(url, loc.href).origin;
+  }
+  return "unknown";
+}
+function extractOrigin(input) {
+  if (input instanceof URL) return input.origin;
+  if (typeof input === "string") {
+    try {
+      return new URL(input).origin;
+    } catch {
+      try {
+        return resolveRelativeUrl(input);
+      } catch {
+        return "unknown";
+      }
+    }
+  }
+  try {
+    return new URL(input.url).origin;
+  } catch {
+    try {
+      return resolveRelativeUrl(input.url);
+    } catch {
+      return "unknown";
+    }
+  }
+}
 // src/limits.ts
 var BFG_DAILY_CEILING_SATOSHIS = 1e10;
 var BFG_PER_TX_CEILING_SATOSHIS = 1e9;
@@ -859,41 +1024,6 @@ var RateLimiter = class {
   }
 };
-// src/site-policy.ts
-var defaultSitePrompt = async (origin) => {
-  if (typeof globalThis.confirm !== "function") return "global";
-  const allow = globalThis.confirm(
-    `First payment to ${origin}.
-Use your global spending limits for this site?
-OK = Use global limits
-Cancel = Block this site`
-  );
-  return allow ? "global" : "block";
-};
-async function resolveSitePolicy(origin, limits, twoFactorProvider, promptFn = defaultSitePrompt) {
-  const existing = limits.sitePolicies[origin];
-  if (existing) return existing;
-  if (!limits.requirePerSitePrompt) {
-    return { origin, action: "global" };
-  }
-  if (limits.require2fa.onNewSiteApproval) {
-    if (!twoFactorProvider) {
-      return { origin, action: "block" };
-    }
-    const verified = await twoFactorProvider.verify({
-      type: "new-site-approval",
-      origin
-    });
-    if (!verified) {
-      return { origin, action: "block" };
-    }
-  }
-  const action = await promptFn(origin);
-  return { origin, action };
-}
 // src/storage.ts
 var STATE_KEY = "x402:limit-state";
 var POLICIES_KEY = "x402:site-policies";
@@ -968,319 +1098,6 @@ var LocalStorageAdapter = class {
   }
 };
-// src/x402-fetch.ts
-var BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
-function base58DecodeCheck(address) {
-  let leadingZeros = 0;
-  for (const c of address) {
-    if (c === "1") leadingZeros++;
-    else break;
-  }
-  let n = BigInt(0);
-  for (const c of address) {
-    const i = BASE58_ALPHABET.indexOf(c);
-    if (i < 0) throw new Error(`Invalid Base58 character: ${c}`);
-    n = n * 58n + BigInt(i);
-  }
-  const hexFromBigint = n === 0n ? "" : n.toString(16);
-  const paddedHex = hexFromBigint.length % 2 ? "0" + hexFromBigint : hexFromBigint;
-  const bigintBytes = [];
-  for (let i = 0; i < paddedHex.length; i += 2) {
-    bigintBytes.push(parseInt(paddedHex.slice(i, i + 2), 16));
-  }
-  const allBytes = new Uint8Array(leadingZeros + bigintBytes.length);
-  allBytes.set(bigintBytes, leadingZeros);
-  if (allBytes.length !== 25) {
-    throw new Error(`Invalid address length: expected 25 bytes, got ${allBytes.length}`);
-  }
-  const body = allBytes.slice(0, 21);
-  const checksum = allBytes.slice(21);
-  const version = allBytes[0];
-  if (version !== 0 && version !== 111) {
-    throw new Error(`Unsupported address version: 0x${version.toString(16).padStart(2, "0")}`);
-  }
-  return { version, payload: body.slice(1) };
-}
-function payeeAddressToLockingScript(address) {
-  const { payload } = base58DecodeCheck(address);
-  if (payload.length !== 20) {
-    throw new Error(`Invalid pubkey hash length: expected 20 bytes, got ${payload.length}`);
-  }
-  const pubkeyHash = Array.from(payload).map((b) => b.toString(16).padStart(2, "0")).join("");
-  return `76a914${pubkeyHash}88ac`;
-}
-async function defaultConstructProof(challenge) {
-  const cwi = globalThis.CWI;
-  if (!cwi || typeof cwi.createAction !== "function") {
-    throw new Error(
-      "No BRC-100 wallet detected. Install a CWI-compliant browser extension or provide a custom proofConstructor in X402Config."
-    );
-  }
-  const result = await cwi.createAction({
-    description: `x402 payment: ${challenge.amount} sats to ${challenge.payee}`,
-    outputs: [{
-      satoshis: challenge.amount,
-      lockingScript: payeeAddressToLockingScript(challenge.payee),
-      description: `Payment to ${challenge.payee}`
-    }],
-    labels: ["x402-payment"],
-    options: {
-      returnTXIDOnly: false,
-      noSend: false
-    }
-  });
-  if (!result || !result.txid) {
-    throw new Error("Wallet declined payment or returned invalid result");
-  }
-  if (!result.rawTx || typeof result.rawTx !== "string" || result.rawTx.length === 0) {
-    throw new Error("Wallet did not return raw transaction");
-  }
-  return {
-    txid: result.txid,
-    rawTx: result.rawTx
-  };
-}
-function createMutex() {
-  let chain = Promise.resolve();
-  return (fn) => {
-    const result = chain.then(fn, fn);
-    chain = result.then(() => {
-    }, () => {
-    });
-    return result;
-  };
-}
-function createX402Fetch(config = {}) {
-  const tier = config.tier ?? "Hey, Not Too Rough";
-  const mode = config.mode ?? "interactive";
-  if (tier === "Nightmare!" && config.nightmareConfirmation !== "NIGHTMARE") {
-    throw new Error('Nightmare! tier requires nightmareConfirmation: "NIGHTMARE"');
-  }
-  const limits = resolveSpendLimits(tier, mode, config.limits);
-  const storage = config.storage ?? new LocalStorageAdapter();
-  const twoFactor = config.twoFactorProvider;
-  const constructProof = config.proofConstructor ?? defaultConstructProof;
-  const brc105ProofConstructor = config.brc105ProofConstructor;
-  const brc105Wallet = config.brc105Wallet;
-  const nowFn = config.now ?? Date.now;
-  const mutex = createMutex();
-  const needs2fa = limits.require2fa;
-  if (!twoFactor && (needs2fa.onCircuitBreakerReset || needs2fa.onHighValueTx || needs2fa.onNewSiteApproval || needs2fa.onTierChange)) {
-    console.warn("x402: tier requires 2FA but no twoFactorProvider configured \u2014 2FA-gated actions will be blocked");
-  }
-  let limiter;
-  let initialised = false;
-  async function ensureInitialised() {
-    if (limiter && initialised) return limiter;
-    const state = await storage.load();
-    limiter = new RateLimiter(limits, state ?? void 0, nowFn);
-    const policies = await storage.loadSitePolicies();
-    Object.assign(limits.sitePolicies, policies);
-    initialised = true;
-    return limiter;
-  }
-  async function persist(rl) {
-    await storage.save(rl.getState());
-    await storage.saveSitePolicies(limits.sitePolicies);
-  }
-  async function handlePaymentFlow(originalResponse, input, init, origin, amount, protocol, buildProof, retryWithProof, makeLedgerEntry) {
-    return mutex(async () => {
-      const rl = await ensureInitialised();
-      const sitePolicy = await resolveSitePolicy(origin, limits, twoFactor);
-      if (sitePolicy.action === "block") return originalResponse;
-      if (!limits.sitePolicies[origin]) {
-        limits.sitePolicies[origin] = sitePolicy;
-        await storage.saveSitePolicies(limits.sitePolicies);
-      }
-      const spendCheckable = { amount, origin, protocol };
-      const result = rl.check(spendCheckable, origin);
-      if (result.action === "block") {
-        if (result.severity === "trip") {
-          rl.trip();
-          await persist(rl);
-          config.onLimitReached?.(result.reason);
-          return originalResponse;
-        }
-        if (result.severity === "window" && twoFactor) {
-          config.onLimitReached?.(result.reason);
-          const override = await twoFactor.verify({
-            type: "limit-override",
-            amount,
-            origin,
-            reason: result.reason
-          });
-          if (override) {
-          } else {
-            return originalResponse;
-          }
-        } else {
-          config.onLimitReached?.(result.reason);
-          return originalResponse;
-        }
-      }
-      if (result.action === "yellow-light") {
-        const proceed = config.onYellowLight ? await config.onYellowLight(result.detail) : false;
-        if (!proceed) return originalResponse;
-      }
-      if (limits.require2fa.onHighValueTx && amount > limits.require2fa.highValueThreshold) {
-        if (!twoFactor) return originalResponse;
-        const verified = await twoFactor.verify({
-          type: "high-value-tx",
-          amount,
-          origin
-        });
-        if (!verified) return originalResponse;
-      }
-      let proof;
-      try {
-        proof = await buildProof();
-      } catch (err) {
-        console.error(`[x402] Proof construction failed (${protocol}):`, err);
-        config.onProofError?.(err, protocol);
-        return originalResponse;
-      }
-      rl.record(makeLedgerEntry(proof));
-      await persist(rl);
-      const maxAttempts = 3;
-      for (let attempt = 1; attempt <= maxAttempts; attempt++) {
-        try {
-          return await retryWithProof(proof);
-        } catch (err) {
-          if (attempt >= maxAttempts) {
-            console.error(`[x402] Paid request failed after ${maxAttempts} attempts (${protocol}):`, err);
-            return originalResponse;
-          }
-          await new Promise((r) => setTimeout(r, 250 * Math.pow(2, attempt)));
-        }
-      }
-      return originalResponse;
-    });
-  }
-  const fetchFn = async function x402Fetch2(input, init) {
-    const response = await fetch(input, init);
-    if (response.status !== 402) return response;
-    const origin = extractOrigin(input);
-    const challengeHeader = response.headers.get("X402-Challenge");
-    if (challengeHeader) {
-      let challenge;
-      try {
-        challenge = parseChallenge(challengeHeader);
-      } catch {
-        return response;
-      }
-      return handlePaymentFlow(
-        response,
-        input,
-        init,
-        origin,
-        challenge.amount,
-        "x402",
-        async () => constructProof(challenge),
-        (proof) => {
-          const headers = new Headers(init?.headers);
-          headers.set("X402-Proof", JSON.stringify(proof));
-          return fetch(input, { ...init, headers });
-        },
-        (proof) => ({
-          timestamp: nowFn(),
-          origin,
-          satoshis: challenge.amount,
-          txid: proof.txid
-        })
-      );
-    }
-    const brc105Version = response.headers.get("x-bsv-payment-version");
-    if (brc105Version) {
-      if (!brc105ProofConstructor && !brc105Wallet) return response;
-      let brc105Challenge;
-      try {
-        brc105Challenge = parseBrc105Challenge(response);
-      } catch {
-        return response;
-      }
-      return handlePaymentFlow(
-        response,
-        input,
-        init,
-        origin,
-        brc105Challenge.satoshisRequired,
-        "brc105",
-        async () => {
-          if (brc105ProofConstructor) {
-            return brc105ProofConstructor(brc105Challenge);
-          }
-          return constructBrc105Proof(brc105Challenge, brc105Wallet, origin);
-        },
-        (proof) => {
-          const headers = new Headers(init?.headers);
-          headers.set("x-bsv-payment", JSON.stringify(proof));
-          headers.set("x-bsv-auth-identity-key", proof.clientIdentityKey);
-          return fetch(input, { ...init, headers });
-        },
-        (proof) => ({
-          timestamp: nowFn(),
-          origin,
-          satoshis: brc105Challenge.satoshisRequired,
-          txid: proof.txid,
-          protocol: "brc105"
-        })
-      );
-    }
-    return response;
-  };
-  fetchFn.resetLimits = async () => {
-    const rl = await ensureInitialised();
-    if (limits.require2fa.onCircuitBreakerReset) {
-      if (!twoFactor) throw new Error("2FA required for circuit breaker reset but no twoFactorProvider configured");
-      const verified = await twoFactor.verify({ type: "circuit-breaker-reset" });
-      if (!verified) throw new Error("2FA verification failed for circuit breaker reset");
-    }
-    rl.reset();
-    await persist(rl);
-  };
-  fetchFn.getState = () => {
-    if (!limiter) return { entries: [], circuitBroken: false };
-    const state = limiter.getState();
-    return { entries: state.entries, circuitBroken: state.circuitBroken };
-  };
-  return fetchFn;
-}
-var singleton;
-async function x402Fetch(input, init) {
-  if (!singleton) singleton = createX402Fetch();
-  return singleton(input, init);
-}
-function resolveRelativeUrl(url) {
-  const loc = globalThis.location;
-  if (loc?.href) {
-    return new URL(url, loc.href).origin;
-  }
-  return "unknown";
-}
-function extractOrigin(input) {
-  if (input instanceof URL) return input.origin;
-  if (typeof input === "string") {
-    try {
-      return new URL(input).origin;
-    } catch {
-      try {
-        return resolveRelativeUrl(input);
-      } catch {
-        return "unknown";
-      }
-    }
-  }
-  try {
-    return new URL(input.url).origin;
-  } catch {
-    try {
-      return resolveRelativeUrl(input.url);
-    } catch {
-      return "unknown";
-    }
-  }
-}
 // src/two-factor.ts
 var WalletTwoFactorProvider = class {
   async verify(action) {
@@ -1323,6 +1140,41 @@ function describeAction(action) {
 Allow this payment of ${action.amount} sats to ${action.origin}?`;
   }
 }
+// src/site-policy.ts
+var defaultSitePrompt = async (origin) => {
+  if (typeof globalThis.confirm !== "function") return "global";
+  const allow = globalThis.confirm(
+    `First payment to ${origin}.
+Use your global spending limits for this site?
+OK = Use global limits
+Cancel = Block this site`
+  );
+  return allow ? "global" : "block";
+};
+async function resolveSitePolicy(origin, limits, twoFactorProvider, promptFn = defaultSitePrompt) {
+  const existing = limits.sitePolicies[origin];
+  if (existing) return existing;
+  if (!limits.requirePerSitePrompt) {
+    return { origin, action: "global" };
+  }
+  if (limits.require2fa.onNewSiteApproval) {
+    if (!twoFactorProvider) {
+      return { origin, action: "block" };
+    }
+    const verified = await twoFactorProvider.verify({
+      type: "new-site-approval",
+      origin
+    });
+    if (!verified) {
+      return { origin, action: "block" };
+    }
+  }
+  const action = await promptFn(origin);
+  return { origin, action };
+}
 export {
   BFG_DAILY_CEILING_SATOSHIS,
   BFG_PER_TX_CEILING_SATOSHIS,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "bsv-x402",
-  "version": "0.4.1",
+  "version": "0.5.0",
   "description": "x402 payment protocol client — a fetch() wrapper that handles 402 payment flows transparently",
   "type": "module",
   "main": "dist/index.cjs",