bsv-x402 0.4.1 → 0.6.0

package/dist/index.cjs

@@ -20,18 +20,18 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
-  BFG_DAILY_CEILING_SATOSHIS: () => BFG_DAILY_CEILING_SATOSHIS,
-  BFG_PER_TX_CEILING_SATOSHIS: () => BFG_PER_TX_CEILING_SATOSHIS,
-  LocalStorageAdapter: () => LocalStorageAdapter,
-  RateLimiter: () => RateLimiter,
-  TIER_PRESETS: () => TIER_PRESETS,
-  WalletTwoFactorProvider: () => WalletTwoFactorProvider,
+  PICKUP_PERCENTAGES: () => PICKUP_PERCENTAGES,
+  TIER_CAPS: () => TIER_CAPS,
+  WEAPON_CAPS: () => WEAPON_CAPS,
+  applyPickup: () => applyPickup,
+  checkPayment: () => checkPayment,
+  clampBalanceToTier: () => clampBalanceToTier,
   constructBrc105Proof: () => constructBrc105Proof,
   createX402Fetch: () => createX402Fetch,
+  initialState: () => initialState,
   parseBrc105Challenge: () => parseBrc105Challenge,
   parseChallenge: () => parseChallenge,
-  resolveSitePolicy: () => resolveSitePolicy,
-  resolveSpendLimits: () => resolveSpendLimits,
+  recordPayment: () => recordPayment,
   x402Fetch: () => x402Fetch
 });
 module.exports = __toCommonJS(index_exports);
@@ -596,416 +596,6 @@ function parseChallenge(header) {
   };
 }
 
-// src/limits.ts
-var BFG_DAILY_CEILING_SATOSHIS = 1e10;
-var BFG_PER_TX_CEILING_SATOSHIS = 1e9;
-var WINDOW_MS = {
-  minute: 6e4,
-  hour: 36e5,
-  day: 864e5,
-  week: 6048e5
-};
-function windowToMs(window2) {
-  return WINDOW_MS[window2];
-}
-function makeLimits(windows, perTxMaxSatoshis, opts = {}) {
-  return {
-    windows,
-    perTxMaxSatoshis,
-    yellowLightThreshold: 0.8,
-    requirePerSitePrompt: false,
-    sitePolicies: {},
-    require2fa: {
-      onCircuitBreakerReset: true,
-      onTierChange: true,
-      onHighValueTx: false,
-      highValueThreshold: 0,
-      onNewSiteApproval: false
-    },
-    ...opts
-  };
-}
-var TOO_YOUNG_TO_DIE = {
-  interactive: makeLimits(
-    [{ window: "day", maxSatoshis: 1e8, maxTransactions: Infinity }],
-    1e8
-  ),
-  programmatic: makeLimits(
-    [{ window: "day", maxSatoshis: 1e8, maxTransactions: Infinity }],
-    1e6
-  )
-};
-var HEY_NOT_TOO_ROUGH = {
-  interactive: makeLimits(
-    [
-      { window: "day", maxSatoshis: 1e8, maxTransactions: 100 },
-      { window: "week", maxSatoshis: 5e8, maxTransactions: 500 }
-    ],
-    1e7,
-    {
-      requirePerSitePrompt: true,
-      require2fa: {
-        onCircuitBreakerReset: true,
-        onTierChange: true,
-        onHighValueTx: true,
-        highValueThreshold: 5e7,
-        onNewSiteApproval: true
-      }
-    }
-  ),
-  programmatic: makeLimits(
-    [
-      { window: "day", maxSatoshis: 1e8, maxTransactions: 1e4 },
-      { window: "week", maxSatoshis: 5e8, maxTransactions: 5e4 }
-    ],
-    1e5,
-    {
-      requirePerSitePrompt: true,
-      require2fa: {
-        onCircuitBreakerReset: true,
-        onTierChange: true,
-        onHighValueTx: true,
-        highValueThreshold: 5e7,
-        onNewSiteApproval: true
-      }
-    }
-  )
-};
-var HURT_ME_PLENTY = {
-  interactive: makeLimits(
-    [
-      { window: "minute", maxSatoshis: 5e6, maxTransactions: 10 },
-      { window: "hour", maxSatoshis: 5e7, maxTransactions: 60 },
-      { window: "day", maxSatoshis: 2e8, maxTransactions: 200 },
-      { window: "week", maxSatoshis: 1e9, maxTransactions: 1e3 }
-    ],
-    2e7,
-    {
-      requirePerSitePrompt: true,
-      require2fa: {
-        onCircuitBreakerReset: true,
-        onTierChange: true,
-        onHighValueTx: true,
-        highValueThreshold: 1e8,
-        onNewSiteApproval: true
-      }
-    }
-  ),
-  programmatic: makeLimits(
-    [
-      { window: "minute", maxSatoshis: 5e6, maxTransactions: 1e3 },
-      { window: "hour", maxSatoshis: 5e7, maxTransactions: 6e3 },
-      { window: "day", maxSatoshis: 2e8, maxTransactions: 2e4 },
-      { window: "week", maxSatoshis: 1e9, maxTransactions: 1e5 }
-    ],
-    2e5,
-    {
-      requirePerSitePrompt: true,
-      require2fa: {
-        onCircuitBreakerReset: true,
-        onTierChange: true,
-        onHighValueTx: true,
-        highValueThreshold: 1e8,
-        onNewSiteApproval: true
-      }
-    }
-  )
-};
-var ULTRA_VIOLENCE = {
-  interactive: makeLimits(
-    [...HURT_ME_PLENTY.interactive.windows],
-    HURT_ME_PLENTY.interactive.perTxMaxSatoshis,
-    {
-      requirePerSitePrompt: true,
-      require2fa: {
-        onCircuitBreakerReset: true,
-        onTierChange: true,
-        onHighValueTx: false,
-        highValueThreshold: 0,
-        onNewSiteApproval: true
-      }
-    }
-  ),
-  programmatic: makeLimits(
-    [...HURT_ME_PLENTY.programmatic.windows],
-    HURT_ME_PLENTY.programmatic.perTxMaxSatoshis,
-    {
-      requirePerSitePrompt: true,
-      require2fa: {
-        onCircuitBreakerReset: true,
-        onTierChange: true,
-        onHighValueTx: false,
-        highValueThreshold: 0,
-        onNewSiteApproval: true
-      }
-    }
-  )
-};
-var NIGHTMARE = {
-  interactive: makeLimits([], BFG_PER_TX_CEILING_SATOSHIS),
-  programmatic: makeLimits([], BFG_PER_TX_CEILING_SATOSHIS)
-};
-var TIER_PRESETS = {
-  "I'm Too Young to Die": TOO_YOUNG_TO_DIE,
-  "Hey, Not Too Rough": HEY_NOT_TOO_ROUGH,
-  "Hurt Me Plenty": HURT_ME_PLENTY,
-  "Ultra-Violence": ULTRA_VIOLENCE,
-  "Nightmare!": NIGHTMARE
-};
-function cloneSpendLimits(preset) {
-  return {
-    ...preset,
-    windows: preset.windows.map((w) => ({ ...w })),
-    require2fa: { ...preset.require2fa },
-    sitePolicies: { ...preset.sitePolicies }
-  };
-}
-function resolveSpendLimits(tier = "Hey, Not Too Rough", mode = "interactive", overrides) {
-  const preset = TIER_PRESETS[tier][mode];
-  const base = cloneSpendLimits(preset);
-  if (!overrides) return base;
-  return {
-    ...base,
-    ...overrides,
-    // Deep-merge require2fa if provided
-    require2fa: overrides.require2fa ? { ...base.require2fa, ...overrides.require2fa } : base.require2fa,
-    // Deep-merge sitePolicies if provided
-    sitePolicies: overrides.sitePolicies ? { ...base.sitePolicies, ...overrides.sitePolicies } : base.sitePolicies
-  };
-}
-var RateLimiter = class {
-  constructor(limits, state, now) {
-    this.limits = limits;
-    this.entries = state?.entries ?? [];
-    this.broken = state?.circuitBroken ?? false;
-    this.now = now ?? Date.now;
-  }
-  check(request, origin) {
-    if (this.broken) {
-      return { action: "block", reason: "Circuit breaker tripped \u2014 call resetLimits() to clear", severity: "trip" };
-    }
-    const amount = request.amount;
-    if (!Number.isFinite(amount) || !Number.isInteger(amount) || amount <= 0) {
-      return { action: "block", reason: "Invalid transaction amount rejected", severity: "reject" };
-    }
-    if (amount > BFG_PER_TX_CEILING_SATOSHIS) {
-      return { action: "block", reason: `Exceeds BFG per-tx ceiling (${BFG_PER_TX_CEILING_SATOSHIS} sats)`, severity: "reject" };
-    }
-    const dayAgo = this.now() - WINDOW_MS.day;
-    const dailyTotal = this.sumSatoshis(dayAgo);
-    if (dailyTotal + amount > BFG_DAILY_CEILING_SATOSHIS) {
-      return { action: "block", reason: `Exceeds BFG daily ceiling (${BFG_DAILY_CEILING_SATOSHIS} sats)`, severity: "trip" };
-    }
-    if (amount > this.limits.perTxMaxSatoshis) {
-      return { action: "block", reason: `Exceeds per-tx limit (${this.limits.perTxMaxSatoshis} sats)`, severity: "reject" };
-    }
-    const isCustomSite = this.hasCustomPolicy(origin);
-    const effectiveLimits = this.effectiveWindows(origin);
-    const effectivePerTx = this.effectivePerTxMax(origin);
-    if (effectivePerTx !== void 0 && amount > effectivePerTx) {
-      return { action: "block", reason: `Exceeds per-tx limit for ${origin} (${effectivePerTx} sats)`, severity: "reject" };
-    }
-    let yellowLight;
-    for (const wl of effectiveLimits) {
-      const cutoff = this.now() - windowToMs(wl.window);
-      const windowEntries = this.entriesInWindow(cutoff, isCustomSite ? origin : void 0);
-      const totalSats = windowEntries.reduce((sum, e) => sum + e.satoshis, 0);
-      const totalTx = windowEntries.length;
-      if (totalSats + amount > wl.maxSatoshis) {
-        return { action: "block", reason: `Exceeds ${wl.window} sats limit (${wl.maxSatoshis})`, severity: "window" };
-      }
-      if (totalTx + 1 > wl.maxTransactions) {
-        return { action: "block", reason: `Exceeds ${wl.window} tx count limit (${wl.maxTransactions})`, severity: "window" };
-      }
-      if (this.limits.yellowLightThreshold < 1 && !yellowLight && totalSats + amount > wl.maxSatoshis * this.limits.yellowLightThreshold) {
-        yellowLight = {
-          origin,
-          currentSpend: totalSats,
-          limit: wl.maxSatoshis,
-          window: wl.window,
-          challenge: request
-        };
-      }
-    }
-    if (yellowLight) {
-      return { action: "yellow-light", detail: yellowLight };
-    }
-    return { action: "allow" };
-  }
-  record(entry) {
-    this.entries.push(entry);
-    this.prune();
-  }
-  trip() {
-    this.broken = true;
-  }
-  reset() {
-    this.broken = false;
-  }
-  isBroken() {
-    return this.broken;
-  }
-  getState() {
-    return {
-      entries: [...this.entries],
-      circuitBroken: this.broken,
-      hmac: ""
-    };
-  }
-  hasCustomPolicy(origin) {
-    const policy = this.limits.sitePolicies[origin];
-    return policy?.action === "custom" && !!policy.limits;
-  }
-  effectiveWindows(origin) {
-    const policy = this.limits.sitePolicies[origin];
-    if (policy?.action === "custom" && policy.limits) {
-      return policy.limits;
-    }
-    return this.limits.windows;
-  }
-  effectivePerTxMax(origin) {
-    const policy = this.limits.sitePolicies[origin];
-    if (policy?.action === "custom" && policy.perTxMaxSatoshis !== void 0) {
-      return policy.perTxMaxSatoshis;
-    }
-    return void 0;
-  }
-  entriesInWindow(cutoff, filterOrigin) {
-    return this.entries.filter(
-      (e) => e.timestamp >= cutoff && (filterOrigin === void 0 || e.origin === filterOrigin)
-    );
-  }
-  sumSatoshis(cutoff) {
-    return this.entries.filter((e) => e.timestamp >= cutoff).reduce((sum, e) => sum + e.satoshis, 0);
-  }
-  prune() {
-    let longestWindow = WINDOW_MS.day;
-    for (const wl of this.limits.windows) {
-      longestWindow = Math.max(longestWindow, windowToMs(wl.window));
-    }
-    if (this.limits.sitePolicies) {
-      for (const policy of Object.values(this.limits.sitePolicies)) {
-        if (policy?.action === "custom" && Array.isArray(policy.limits)) {
-          for (const wl of policy.limits) {
-            longestWindow = Math.max(longestWindow, windowToMs(wl.window));
-          }
-        }
-      }
-    }
-    const cutoff = this.now() - longestWindow;
-    this.entries = this.entries.filter((e) => e.timestamp >= cutoff);
-  }
-};
-
-// src/site-policy.ts
-var defaultSitePrompt = async (origin) => {
-  if (typeof globalThis.confirm !== "function") return "global";
-  const allow = globalThis.confirm(
-    `First payment to ${origin}.
-
-Use your global spending limits for this site?
-
-OK = Use global limits
-Cancel = Block this site`
-  );
-  return allow ? "global" : "block";
-};
-async function resolveSitePolicy(origin, limits, twoFactorProvider, promptFn = defaultSitePrompt) {
-  const existing = limits.sitePolicies[origin];
-  if (existing) return existing;
-  if (!limits.requirePerSitePrompt) {
-    return { origin, action: "global" };
-  }
-  if (limits.require2fa.onNewSiteApproval) {
-    if (!twoFactorProvider) {
-      return { origin, action: "block" };
-    }
-    const verified = await twoFactorProvider.verify({
-      type: "new-site-approval",
-      origin
-    });
-    if (!verified) {
-      return { origin, action: "block" };
-    }
-  }
-  const action = await promptFn(origin);
-  return { origin, action };
-}
-
-// src/storage.ts
-var STATE_KEY = "x402:limit-state";
-var POLICIES_KEY = "x402:site-policies";
-async function computeHmac(data, key) {
-  const cryptoKey = await crypto.subtle.importKey(
-    "raw",
-    key,
-    { name: "HMAC", hash: "SHA-256" },
-    false,
-    ["sign"]
-  );
-  const encoded = new TextEncoder().encode(data);
-  const sig = await crypto.subtle.sign("HMAC", cryptoKey, encoded);
-  return Array.from(new Uint8Array(sig)).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-function serializeForHmac(state) {
-  return JSON.stringify({
-    entries: state.entries,
-    circuitBroken: state.circuitBroken
-  });
-}
-var LocalStorageAdapter = class {
-  constructor(keyDeriver, storage) {
-    this.keyDeriver = keyDeriver;
-    this.storage = storage ?? globalThis.localStorage;
-  }
-  async load() {
-    const raw = this.storage.getItem(STATE_KEY);
-    if (!raw) return null;
-    let state;
-    try {
-      state = JSON.parse(raw);
-    } catch {
-      console.warn("x402: limit state JSON parse failed \u2014 treating as tampered");
-      return { entries: [], circuitBroken: true, hmac: "" };
-    }
-    if (this.keyDeriver) {
-      if (!state.hmac) {
-        console.warn("x402: limit state missing HMAC \u2014 treating as tampered");
-        return { entries: [], circuitBroken: true, hmac: "" };
-      }
-      const key = await this.keyDeriver();
-      const expected = await computeHmac(serializeForHmac(state), key);
-      if (expected !== state.hmac) {
-        console.warn("x402: limit state HMAC mismatch \u2014 state may have been tampered with");
-        return { entries: [], circuitBroken: true, hmac: "" };
-      }
-    }
-    state.entries = (Array.isArray(state.entries) ? state.entries : []).filter(
-      (e) => e != null && typeof e.origin === "string" && typeof e.txid === "string" && typeof e.satoshis === "number" && Number.isFinite(e.satoshis) && e.satoshis >= 0 && typeof e.timestamp === "number" && Number.isFinite(e.timestamp) && e.timestamp > 0
-    );
-    return state;
-  }
-  async save(state) {
-    if (this.keyDeriver) {
-      const key = await this.keyDeriver();
-      state.hmac = await computeHmac(serializeForHmac(state), key);
-    }
-    this.storage.setItem(STATE_KEY, JSON.stringify(state));
-  }
-  async loadSitePolicies() {
-    const raw = this.storage.getItem(POLICIES_KEY);
-    if (!raw) return {};
-    try {
-      return JSON.parse(raw);
-    } catch {
-      return {};
-    }
-  }
-  async saveSitePolicies(policies) {
-    this.storage.setItem(POLICIES_KEY, JSON.stringify(policies));
-  }
-};
-
 // src/x402-fetch.ts
 var BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
 function base58DecodeCheck(address) {
@@ -1078,123 +668,11 @@ async function defaultConstructProof(challenge) {
     rawTx: result.rawTx
   };
 }
-function createMutex() {
-  let chain = Promise.resolve();
-  return (fn) => {
-    const result = chain.then(fn, fn);
-    chain = result.then(() => {
-    }, () => {
-    });
-    return result;
-  };
-}
 function createX402Fetch(config = {}) {
-  const tier = config.tier ?? "Hey, Not Too Rough";
-  const mode = config.mode ?? "interactive";
-  if (tier === "Nightmare!" && config.nightmareConfirmation !== "NIGHTMARE") {
-    throw new Error('Nightmare! tier requires nightmareConfirmation: "NIGHTMARE"');
-  }
-  const limits = resolveSpendLimits(tier, mode, config.limits);
-  const storage = config.storage ?? new LocalStorageAdapter();
-  const twoFactor = config.twoFactorProvider;
   const constructProof = config.proofConstructor ?? defaultConstructProof;
   const brc105ProofConstructor = config.brc105ProofConstructor;
   const brc105Wallet = config.brc105Wallet;
-  const nowFn = config.now ?? Date.now;
-  const mutex = createMutex();
-  const needs2fa = limits.require2fa;
-  if (!twoFactor && (needs2fa.onCircuitBreakerReset || needs2fa.onHighValueTx || needs2fa.onNewSiteApproval || needs2fa.onTierChange)) {
-    console.warn("x402: tier requires 2FA but no twoFactorProvider configured \u2014 2FA-gated actions will be blocked");
-  }
-  let limiter;
-  let initialised = false;
-  async function ensureInitialised() {
-    if (limiter && initialised) return limiter;
-    const state = await storage.load();
-    limiter = new RateLimiter(limits, state ?? void 0, nowFn);
-    const policies = await storage.loadSitePolicies();
-    Object.assign(limits.sitePolicies, policies);
-    initialised = true;
-    return limiter;
-  }
-  async function persist(rl) {
-    await storage.save(rl.getState());
-    await storage.saveSitePolicies(limits.sitePolicies);
-  }
-  async function handlePaymentFlow(originalResponse, input, init, origin, amount, protocol, buildProof, retryWithProof, makeLedgerEntry) {
-    return mutex(async () => {
-      const rl = await ensureInitialised();
-      const sitePolicy = await resolveSitePolicy(origin, limits, twoFactor);
-      if (sitePolicy.action === "block") return originalResponse;
-      if (!limits.sitePolicies[origin]) {
-        limits.sitePolicies[origin] = sitePolicy;
-        await storage.saveSitePolicies(limits.sitePolicies);
-      }
-      const spendCheckable = { amount, origin, protocol };
-      const result = rl.check(spendCheckable, origin);
-      if (result.action === "block") {
-        if (result.severity === "trip") {
-          rl.trip();
-          await persist(rl);
-          config.onLimitReached?.(result.reason);
-          return originalResponse;
-        }
-        if (result.severity === "window" && twoFactor) {
-          config.onLimitReached?.(result.reason);
-          const override = await twoFactor.verify({
-            type: "limit-override",
-            amount,
-            origin,
-            reason: result.reason
-          });
-          if (override) {
-          } else {
-            return originalResponse;
-          }
-        } else {
-          config.onLimitReached?.(result.reason);
-          return originalResponse;
-        }
-      }
-      if (result.action === "yellow-light") {
-        const proceed = config.onYellowLight ? await config.onYellowLight(result.detail) : false;
-        if (!proceed) return originalResponse;
-      }
-      if (limits.require2fa.onHighValueTx && amount > limits.require2fa.highValueThreshold) {
-        if (!twoFactor) return originalResponse;
-        const verified = await twoFactor.verify({
-          type: "high-value-tx",
-          amount,
-          origin
-        });
-        if (!verified) return originalResponse;
-      }
-      let proof;
-      try {
-        proof = await buildProof();
-      } catch (err) {
-        console.error(`[x402] Proof construction failed (${protocol}):`, err);
-        config.onProofError?.(err, protocol);
-        return originalResponse;
-      }
-      rl.record(makeLedgerEntry(proof));
-      await persist(rl);
-      const maxAttempts = 3;
-      for (let attempt = 1; attempt <= maxAttempts; attempt++) {
-        try {
-          return await retryWithProof(proof);
-        } catch (err) {
-          if (attempt >= maxAttempts) {
-            console.error(`[x402] Paid request failed after ${maxAttempts} attempts (${protocol}):`, err);
-            return originalResponse;
-          }
-          await new Promise((r) => setTimeout(r, 250 * Math.pow(2, attempt)));
-        }
-      }
-      return originalResponse;
-    });
-  }
-  const fetchFn = async function x402Fetch2(input, init) {
+  return async function x402Fetch2(input, init) {
     const response = await fetch(input, init);
     if (response.status !== 402) return response;
     const origin = extractOrigin(input);
@@ -1206,26 +684,17 @@ function createX402Fetch(config = {}) {
       } catch {
         return response;
       }
-      return handlePaymentFlow(
-        response,
-        input,
-        init,
-        origin,
-        challenge.amount,
-        "x402",
-        async () => constructProof(challenge),
-        (proof) => {
-          const headers = new Headers(init?.headers);
-          headers.set("X402-Proof", JSON.stringify(proof));
-          return fetch(input, { ...init, headers });
-        },
-        (proof) => ({
-          timestamp: nowFn(),
-          origin,
-          satoshis: challenge.amount,
-          txid: proof.txid
-        })
-      );
+      let proof;
+      try {
+        proof = await constructProof(challenge);
+      } catch (err) {
+        console.error("[x402] Proof construction failed (x402):", err);
+        config.onProofError?.(err, "x402");
+        return response;
+      }
+      const headers = new Headers(init?.headers);
+      headers.set("X402-Proof", JSON.stringify(proof));
+      return fetch(input, { ...init, headers });
     }
     const brc105Version = response.headers.get("x-bsv-payment-version");
     if (brc105Version) {
@@ -1236,52 +705,25 @@ function createX402Fetch(config = {}) {
       } catch {
         return response;
       }
-      return handlePaymentFlow(
-        response,
-        input,
-        init,
-        origin,
-        brc105Challenge.satoshisRequired,
-        "brc105",
-        async () => {
-          if (brc105ProofConstructor) {
-            return brc105ProofConstructor(brc105Challenge);
-          }
-          return constructBrc105Proof(brc105Challenge, brc105Wallet, origin);
-        },
-        (proof) => {
-          const headers = new Headers(init?.headers);
-          headers.set("x-bsv-payment", JSON.stringify(proof));
-          headers.set("x-bsv-auth-identity-key", proof.clientIdentityKey);
-          return fetch(input, { ...init, headers });
-        },
-        (proof) => ({
-          timestamp: nowFn(),
-          origin,
-          satoshis: brc105Challenge.satoshisRequired,
-          txid: proof.txid,
-          protocol: "brc105"
-        })
-      );
+      let proof;
+      try {
+        if (brc105ProofConstructor) {
+          proof = await brc105ProofConstructor(brc105Challenge);
+        } else {
+          proof = await constructBrc105Proof(brc105Challenge, brc105Wallet, origin);
+        }
+      } catch (err) {
+        console.error("[x402] Proof construction failed (brc105):", err);
+        config.onProofError?.(err, "brc105");
+        return response;
+      }
+      const headers = new Headers(init?.headers);
+      headers.set("x-bsv-payment", JSON.stringify(proof));
+      headers.set("x-bsv-auth-identity-key", proof.clientIdentityKey);
+      return fetch(input, { ...init, headers });
     }
     return response;
   };
-  fetchFn.resetLimits = async () => {
-    const rl = await ensureInitialised();
-    if (limits.require2fa.onCircuitBreakerReset) {
-      if (!twoFactor) throw new Error("2FA required for circuit breaker reset but no twoFactorProvider configured");
-      const verified = await twoFactor.verify({ type: "circuit-breaker-reset" });
-      if (!verified) throw new Error("2FA verification failed for circuit breaker reset");
-    }
-    rl.reset();
-    await persist(rl);
-  };
-  fetchFn.getState = () => {
-    if (!limiter) return { entries: [], circuitBroken: false };
-    const state = limiter.getState();
-    return { entries: state.entries, circuitBroken: state.circuitBroken };
-  };
-  return fetchFn;
 }
 var singleton;
 async function x402Fetch(input, init) {
@@ -1319,61 +761,80 @@ function extractOrigin(input) {
   }
 }
 
-// src/two-factor.ts
-var WalletTwoFactorProvider = class {
-  async verify(action) {
-    if (typeof window === "undefined" || !window.CWI) {
-      return this.promptFallback(action);
-    }
-    const challengeData = `x402-2fa:${JSON.stringify(action)}:${Date.now()}`;
-    try {
-      const sig = await window.CWI.createSignature({
-        data: new TextEncoder().encode(challengeData),
-        protocolID: [1, "x402-2fa"],
-        keyID: "spending-limits"
-      });
-      return sig !== null;
-    } catch {
-      return false;
-    }
-  }
-  promptFallback(action) {
-    if (typeof window === "undefined" || !window.prompt) return false;
-    const message = describeAction(action);
-    const result = window.prompt(`${message}
-
-Type CONFIRM to proceed:`);
-    return result === "CONFIRM";
-  }
+// src/autospend.ts
+var TIER_CAPS = {
+  "I'm Too Young to Die": 1e6,
+  // 0.01 BSV
+  "Hey, Not Too Rough": 1e7,
+  // 0.1 BSV
+  "Hurt Me Plenty": 1e8,
+  // 1 BSV
+  "Ultra-Violence": 1e9,
+  // 10 BSV
+  "Nightmare!": 1e11
+  // 100 BSV
 };
-function describeAction(action) {
-  switch (action.type) {
-    case "circuit-breaker-reset":
-      return "Reset spending circuit breaker? This re-enables automated payments.";
-    case "tier-change":
-      return `Change spending tier from "${action.from}" to "${action.to}"?`;
-    case "high-value-tx":
-      return `Approve high-value payment of ${action.amount} sats to ${action.origin}?`;
-    case "new-site-approval":
-      return `Allow automated payments to ${action.origin}?`;
-    case "limit-override":
-      return `Spending limit reached: ${action.reason}
-Allow this payment of ${action.amount} sats to ${action.origin}?`;
-  }
+var WEAPON_CAPS = {
+  "Fists": 1e5,
+  "Chainsaw": 25e4,
+  "Pistol": 5e5,
+  "Shotgun": 1e6,
+  "Super Shotgun": 1e7,
+  "Chaingun": 5e7,
+  "Rocket Launcher": 25e7,
+  "Plasma Rifle": 1e9,
+  "BFG9000": Infinity
+};
+var PICKUP_PERCENTAGES = {
+  "Medkit": 0.1,
+  "Stimpak": 0.25,
+  "Soul Sphere": 1,
+  "New Game": 1
+  // hard-set to 100% (not additive)
+};
+function isValidAmount(amount) {
+  return Number.isFinite(amount) && amount > 0;
+}
+function checkPayment(amount, state, config) {
+  if (!isValidAmount(amount)) return "confirm";
+  const perTxMax = WEAPON_CAPS[config.weapon];
+  const effectiveMax = Math.min(perTxMax, state.balance);
+  return amount <= effectiveMax ? "auto" : "confirm";
+}
+function recordPayment(amount, state) {
+  if (!isValidAmount(amount)) return state;
+  return { balance: Math.max(0, state.balance - amount) };
+}
+function applyPickup(pickup, state, config, walletBalance) {
+  const tierCap = TIER_CAPS[config.tier];
+  const cap = Math.min(tierCap, walletBalance);
+  if (pickup === "New Game") {
+    return { balance: cap };
+  }
+  const bonus = Math.floor(tierCap * PICKUP_PERCENTAGES[pickup]);
+  return { balance: Math.min(cap, state.balance + bonus) };
+}
+function clampBalanceToTier(state, config, walletBalance) {
+  const cap = Math.min(TIER_CAPS[config.tier], walletBalance);
+  return { balance: Math.min(state.balance, cap) };
+}
+function initialState(config, walletBalance) {
+  const cap = Math.min(TIER_CAPS[config.tier], walletBalance);
+  return { balance: cap };
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  BFG_DAILY_CEILING_SATOSHIS,
-  BFG_PER_TX_CEILING_SATOSHIS,
-  LocalStorageAdapter,
-  RateLimiter,
-  TIER_PRESETS,
-  WalletTwoFactorProvider,
+  PICKUP_PERCENTAGES,
+  TIER_CAPS,
+  WEAPON_CAPS,
+  applyPickup,
+  checkPayment,
+  clampBalanceToTier,
   constructBrc105Proof,
   createX402Fetch,
+  initialState,
   parseBrc105Challenge,
   parseChallenge,
-  resolveSitePolicy,
-  resolveSpendLimits,
+  recordPayment,
   x402Fetch
 });