npm - kontext-sdk - Versions diffs - 0.5.0 → 0.5.2 - Mend

kontext-sdk 0.5.0 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/index.js CHANGED Viewed

@@ -1,8 +1,8 @@
 'use strict';
 var crypto$1 = require('crypto');
-var fs3 = require('fs');
-var path3 = require('path');
+var fs4 = require('fs');
+var path4 = require('path');
 function _interopNamespace(e) {
   if (e && e.__esModule) return e;
@@ -22,8 +22,15 @@ function _interopNamespace(e) {
   return Object.freeze(n);
 }
-var fs3__namespace = /*#__PURE__*/_interopNamespace(fs3);
-var path3__namespace = /*#__PURE__*/_interopNamespace(path3);
+var fs4__namespace = /*#__PURE__*/_interopNamespace(fs4);
+var path4__namespace = /*#__PURE__*/_interopNamespace(path4);
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
 // src/utils.ts
 function generateId() {
@@ -142,7 +149,7 @@ var TrustScorer = class {
     const flagged = riskScore >= RISK_FLAG_THRESHOLD;
     const recommendation = riskScore >= RISK_BLOCK_THRESHOLD ? "block" : riskScore >= RISK_REVIEW_THRESHOLD ? "review" : "approve";
     return {
-      txHash: tx.txHash,
+      ...tx.txHash ? { txHash: tx.txHash } : {},
       riskScore,
       riskLevel,
       factors,
@@ -412,7 +419,7 @@ var TrustScorer = class {
     return {
       name: "amount_risk",
       score,
-      description: `Transaction amount ${tx.amount} ${tx.token}`
+      description: `Transaction amount ${tx.amount} ${tx.token ?? tx.currency ?? ""}`
     };
   }
   computeNewDestinationRisk(tx) {
@@ -520,6 +527,9 @@ var TrustScorer = class {
 };
 // src/types.ts
+function isCryptoTransaction(input) {
+  return !!input.txHash && !!input.chain && !!input.token;
+}
 var KontextErrorCode = /* @__PURE__ */ ((KontextErrorCode2) => {
   KontextErrorCode2["INITIALIZATION_ERROR"] = "INITIALIZATION_ERROR";
   KontextErrorCode2["VALIDATION_ERROR"] = "VALIDATION_ERROR";
@@ -725,10 +735,10 @@ var AnomalyDetector = class {
       return this.createAnomaly(
         "unusualAmount",
         amount > threshold * 5 ? "critical" : amount > threshold * 2 ? "high" : "medium",
-        `Transaction amount ${tx.amount} ${tx.token} exceeds threshold of ${this.thresholds.maxAmount}`,
+        `Transaction amount ${tx.amount} ${tx.token ?? tx.currency ?? ""} exceeds threshold of ${this.thresholds.maxAmount}`,
         tx.agentId,
         tx.id,
-        { amount: tx.amount, threshold: this.thresholds.maxAmount, token: tx.token }
+        { amount: tx.amount, threshold: this.thresholds.maxAmount, token: tx.token ?? tx.currency }
       );
     }
     const history = this.store.getTransactionsByAgent(tx.agentId);
@@ -1160,6 +1170,18 @@ var DigestChain = class {
   getTerminalDigest() {
     return this.currentDigest;
   }
+  /**
+   * Restore the terminal digest from persisted state.
+   * Called after loading actions from storage so that new actions
+   * chain correctly from the last stored digest instead of genesis.
+   *
+   * Does NOT reconstruct the links array — in-memory verification
+   * via verify() will not work after restore. Use the stored action
+   * digest/priorDigest fields for cross-process chain verification.
+   */
+  restoreTerminalDigest(digest) {
+    this.currentDigest = digest;
+  }
   /**
    * Get the number of links in the chain.
    */
@@ -1427,6 +1449,7 @@ var ActionLogger = class {
   async logTransaction(input) {
     this.validateTransactionInput(input);
     const correlationId = input.correlationId ?? generateId();
+    const description = input.token && input.chain ? `${input.token} transfer of ${input.amount} on ${input.chain}` : `${input.currency ?? "USD"} payment of ${input.amount}${input.paymentMethod ? ` via ${input.paymentMethod}` : ""}`;
     const record = {
       id: generateId(),
       timestamp: now(),
@@ -1435,16 +1458,19 @@ var ActionLogger = class {
       ...input.sessionId ? { sessionId: input.sessionId } : {},
       correlationId,
       type: "transaction",
-      description: `${input.token} transfer of ${input.amount} on ${input.chain}`,
+      description,
       metadata: {
         ...input.metadata
       },
-      txHash: input.txHash,
-      chain: input.chain,
       amount: input.amount,
-      token: input.token,
       from: input.from,
-      to: input.to
+      to: input.to,
+      ...input.txHash ? { txHash: input.txHash } : {},
+      ...input.chain ? { chain: input.chain } : {},
+      ...input.token ? { token: input.token } : {},
+      ...input.currency ? { currency: input.currency } : {},
+      ...input.paymentMethod ? { paymentMethod: input.paymentMethod } : {},
+      ...input.paymentReference ? { paymentReference: input.paymentReference } : {}
     };
     const link = this.digestChain.append(record);
     record.digest = link.digest;
@@ -1505,6 +1531,13 @@ var ActionLogger = class {
   verifyChain(actions) {
     return this.digestChain.verify(actions);
   }
+  /**
+   * Restore chain state from persisted actions so that new actions
+   * chain correctly across process boundaries.
+   */
+  restoreChainState(terminalDigest) {
+    this.digestChain.restoreTerminalDigest(terminalDigest);
+  }
   // --------------------------------------------------------------------------
   // Private helpers
   // --------------------------------------------------------------------------
@@ -1517,53 +1550,56 @@ var ActionLogger = class {
         { field: "amount", value: input.amount }
       );
     }
-    if (!input.txHash || input.txHash.trim() === "") {
-      throw new KontextError(
-        "VALIDATION_ERROR" /* VALIDATION_ERROR */,
-        "Transaction hash is required",
-        { field: "txHash" }
-      );
-    }
     if (!input.from || input.from.trim() === "") {
       throw new KontextError(
         "VALIDATION_ERROR" /* VALIDATION_ERROR */,
-        "Sender address (from) is required",
+        "Sender (from) is required",
         { field: "from" }
       );
     }
     if (!input.to || input.to.trim() === "") {
       throw new KontextError(
         "VALIDATION_ERROR" /* VALIDATION_ERROR */,
-        "Recipient address (to) is required",
+        "Recipient (to) is required",
         { field: "to" }
       );
     }
-    const validChains = ["ethereum", "base", "polygon", "arbitrum", "optimism", "arc", "avalanche", "solana"];
-    if (!validChains.includes(input.chain)) {
-      throw new KontextError(
-        "VALIDATION_ERROR" /* VALIDATION_ERROR */,
-        `Invalid chain: ${input.chain}. Must be one of: ${validChains.join(", ")}`,
-        { field: "chain", value: input.chain }
-      );
-    }
-    const validTokens = ["USDC", "USDT", "DAI", "EURC"];
-    if (!validTokens.includes(input.token)) {
-      throw new KontextError(
-        "VALIDATION_ERROR" /* VALIDATION_ERROR */,
-        `Invalid token: ${input.token}. Must be one of: ${validTokens.join(", ")}`,
-        { field: "token", value: input.token }
-      );
+    const hasCryptoFields = input.txHash !== void 0 || input.chain !== void 0 || input.token !== void 0;
+    if (hasCryptoFields) {
+      if (!input.txHash || input.txHash.trim() === "") {
+        throw new KontextError(
+          "VALIDATION_ERROR" /* VALIDATION_ERROR */,
+          "Transaction hash is required for crypto transactions",
+          { field: "txHash" }
+        );
+      }
+      const validChains = ["ethereum", "base", "polygon", "arbitrum", "optimism", "arc", "avalanche", "solana"];
+      if (!input.chain || !validChains.includes(input.chain)) {
+        throw new KontextError(
+          "VALIDATION_ERROR" /* VALIDATION_ERROR */,
+          `Invalid chain: ${input.chain}. Must be one of: ${validChains.join(", ")}`,
+          { field: "chain", value: input.chain }
+        );
+      }
+      const validTokens = ["USDC", "USDT", "DAI", "EURC", "USDP", "USDG"];
+      if (!input.token || !validTokens.includes(input.token)) {
+        throw new KontextError(
+          "VALIDATION_ERROR" /* VALIDATION_ERROR */,
+          `Invalid token: ${input.token}. Must be one of: ${validTokens.join(", ")}`,
+          { field: "token", value: input.token }
+        );
+      }
     }
   }
   flushToFile(actions) {
     const outputDir = this.config.localOutputDir ?? ".kontext";
-    const logDir = path3__namespace.join(outputDir, "logs");
+    const logDir = path4__namespace.join(outputDir, "logs");
     try {
-      fs3__namespace.mkdirSync(logDir, { recursive: true });
+      fs4__namespace.mkdirSync(logDir, { recursive: true });
       const filename = `actions-${(/* @__PURE__ */ new Date()).toISOString().split("T")[0]}.jsonl`;
-      const filePath = path3__namespace.join(logDir, filename);
+      const filePath = path4__namespace.join(logDir, filename);
       const lines = actions.map((a) => JSON.stringify(a)).join("\n") + "\n";
-      fs3__namespace.appendFileSync(filePath, lines, "utf-8");
+      fs4__namespace.appendFileSync(filePath, lines, "utf-8");
     } catch (error) {
       this.emitLog("warn", "Failed to write log file", { error });
     }
@@ -2012,7 +2048,7 @@ var AuditExporter = class {
       if (options.agentIds && !options.agentIds.includes(tx.agentId)) {
         return false;
       }
-      if (options.chains && !options.chains.includes(tx.chain)) {
+      if (options.chains && (!tx.chain || !options.chains.includes(tx.chain))) {
         return false;
       }
       return true;
@@ -2103,8 +2139,6 @@ var AuditExporter = class {
     return sections.join("\n\n");
   }
 };
-// src/integrations/usdc.ts
 var USDC_CONTRACTS = {
   ethereum: "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48",
   base: "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
@@ -2165,6 +2199,22 @@ var SANCTIONED_ADDRESSES = [
 var SANCTIONED_SET = new Set(
   SANCTIONED_ADDRESSES.map((addr) => addr.toLowerCase())
 );
+function loadCachedSDN() {
+  try {
+    const dataDir = process.env["KONTEXT_DATA_DIR"] || ".kontext";
+    const cachePath = path4__namespace.join(dataDir, "ofac-sdn-cache.json");
+    if (fs4__namespace.existsSync(cachePath)) {
+      const cache = JSON.parse(fs4__namespace.readFileSync(cachePath, "utf-8"));
+      if (Array.isArray(cache.addresses)) {
+        for (const addr of cache.addresses) {
+          SANCTIONED_SET.add(String(addr).toLowerCase());
+        }
+      }
+    }
+  } catch {
+  }
+}
+loadCachedSDN();
 var ENHANCED_DUE_DILIGENCE_THRESHOLD = 3e3;
 var REPORTING_THRESHOLD = 1e4;
 var LARGE_TRANSACTION_THRESHOLD = 5e4;
@@ -2464,6 +2514,183 @@ var UsdcCompliance = class _UsdcCompliance {
   }
 };
+// src/integrations/payment-compliance.ts
+var ENHANCED_DUE_DILIGENCE_THRESHOLD2 = 3e3;
+var REPORTING_THRESHOLD2 = 1e4;
+var LARGE_TRANSACTION_THRESHOLD2 = 5e4;
+var NAME_MATCH_THRESHOLD = 0.85;
+var _screener = null;
+var _screenerLoaded = false;
+function getScreener() {
+  if (!_screenerLoaded) {
+    _screenerLoaded = true;
+    try {
+      const mod = __require("./ofac-sanctions.js");
+      if (mod.OFACSanctionsScreener) {
+        _screener = new mod.OFACSanctionsScreener();
+      }
+    } catch {
+    }
+  }
+  return _screener;
+}
+var PaymentCompliance = class _PaymentCompliance {
+  /**
+   * Run compliance checks on a general payment.
+   *
+   * @param input - Payment to evaluate
+   * @returns UsdcComplianceCheck with pass/fail results and recommendations
+   */
+  static checkPayment(input) {
+    const checks = [];
+    checks.push(_PaymentCompliance.checkAmountValid(input.amount));
+    checks.push(_PaymentCompliance.checkEntityScreening(input.from, "sender"));
+    checks.push(_PaymentCompliance.checkEntityScreening(input.to, "recipient"));
+    checks.push(_PaymentCompliance.checkEnhancedDueDiligence(input.amount));
+    checks.push(_PaymentCompliance.checkReportingThreshold(input.amount));
+    const failedChecks = checks.filter((c) => !c.passed);
+    const compliant = failedChecks.every((c) => c.severity === "low");
+    const highestSeverity = failedChecks.reduce(
+      (max, c) => {
+        const order = ["low", "medium", "high", "critical"];
+        return order.indexOf(c.severity) > order.indexOf(max) ? c.severity : max;
+      },
+      "low"
+    );
+    const recommendations = _PaymentCompliance.generateRecommendations(checks, input);
+    return {
+      compliant,
+      checks,
+      riskLevel: highestSeverity,
+      recommendations
+    };
+  }
+  // --------------------------------------------------------------------------
+  // Individual checks
+  // --------------------------------------------------------------------------
+  static checkAmountValid(amount) {
+    const parsed = parseAmount(amount);
+    const isValid = !isNaN(parsed) && parsed > 0;
+    return {
+      name: "amount_valid",
+      passed: isValid,
+      description: isValid ? `Payment amount ${amount} is valid` : `Payment amount ${amount} is invalid`,
+      severity: isValid ? "low" : "critical"
+    };
+  }
+  static checkEntityScreening(entity, label) {
+    if (/^0x[a-fA-F0-9]{40}$/.test(entity)) {
+      const sanctioned = UsdcCompliance.isSanctioned(entity);
+      return {
+        name: `entity_screening_${label}`,
+        passed: !sanctioned,
+        description: sanctioned ? `${label} address ${entity} matches OFAC SDN sanctioned address` : `${label} address passed sanctions screening`,
+        severity: sanctioned ? "critical" : "low"
+      };
+    }
+    const screener = getScreener();
+    if (!screener) {
+      return {
+        name: `entity_screening_${label}`,
+        passed: true,
+        description: `${label} "${entity}" \u2014 name-based OFAC screening not available (address screening active)`,
+        severity: "low"
+      };
+    }
+    const rawMatches = screener.searchEntityName(entity, NAME_MATCH_THRESHOLD);
+    const matches = rawMatches.filter(
+      (m) => m.similarity >= NAME_MATCH_THRESHOLD && m.matchedOn.length >= 4
+    );
+    if (matches.length > 0) {
+      const topMatch = matches[0];
+      const isActive = topMatch.entity.list !== "DELISTED";
+      if (isActive) {
+        return {
+          name: `entity_screening_${label}`,
+          passed: false,
+          description: `${label} "${entity}" matches OFAC SDN entity "${topMatch.matchedOn}" (${Math.round(topMatch.similarity * 100)}% match)`,
+          severity: "critical"
+        };
+      }
+      return {
+        name: `entity_screening_${label}`,
+        passed: true,
+        description: `${label} "${entity}" matches delisted entity "${topMatch.matchedOn}" \u2014 enhanced due diligence recommended`,
+        severity: "medium"
+      };
+    }
+    return {
+      name: `entity_screening_${label}`,
+      passed: true,
+      description: `${label} "${entity}" passed OFAC entity screening`,
+      severity: "low"
+    };
+  }
+  static checkEnhancedDueDiligence(amount) {
+    const parsed = parseAmount(amount);
+    const requiresEdd = !isNaN(parsed) && parsed >= ENHANCED_DUE_DILIGENCE_THRESHOLD2;
+    return {
+      name: "enhanced_due_diligence",
+      passed: true,
+      description: requiresEdd ? `Amount ${amount} requires enhanced due diligence (threshold: ${ENHANCED_DUE_DILIGENCE_THRESHOLD2})` : `Amount ${amount} is below enhanced due diligence threshold`,
+      severity: requiresEdd ? "medium" : "low"
+    };
+  }
+  static checkReportingThreshold(amount) {
+    const parsed = parseAmount(amount);
+    const requiresReporting = !isNaN(parsed) && parsed >= REPORTING_THRESHOLD2;
+    const isLarge = !isNaN(parsed) && parsed >= LARGE_TRANSACTION_THRESHOLD2;
+    let description;
+    let severity;
+    if (isLarge) {
+      description = `Amount ${amount} is a large payment (>= ${LARGE_TRANSACTION_THRESHOLD2}) \u2014 requires enhanced monitoring`;
+      severity = "high";
+    } else if (requiresReporting) {
+      description = `Amount ${amount} meets reporting threshold (>= ${REPORTING_THRESHOLD2})`;
+      severity = "medium";
+    } else {
+      description = `Amount ${amount} is below reporting threshold`;
+      severity = "low";
+    }
+    return {
+      name: "reporting_threshold",
+      passed: true,
+      description,
+      severity
+    };
+  }
+  // --------------------------------------------------------------------------
+  // Recommendations
+  // --------------------------------------------------------------------------
+  static generateRecommendations(checks, input) {
+    const recommendations = [];
+    const amount = parseAmount(input.amount);
+    for (const check of checks) {
+      if (!check.passed && check.name.startsWith("entity_screening_")) {
+        recommendations.push(
+          `BLOCK: ${check.description}. Payment is prohibited under OFAC regulations.`
+        );
+      }
+    }
+    if (!isNaN(amount) && amount >= LARGE_TRANSACTION_THRESHOLD2) {
+      recommendations.push(
+        `Enhanced monitoring required for payment of ${input.amount} ${input.currency ?? "USD"} (above ${LARGE_TRANSACTION_THRESHOLD2} threshold).`
+      );
+    }
+    if (!isNaN(amount) && amount >= REPORTING_THRESHOLD2) {
+      recommendations.push(
+        `CTR reporting may be required for payment of ${input.amount} ${input.currency ?? "USD"} (meets ${REPORTING_THRESHOLD2} reporting threshold).`
+      );
+    }
+    if (!isNaN(amount) && amount >= ENHANCED_DUE_DILIGENCE_THRESHOLD2) {
+      recommendations.push(
+        `Enhanced due diligence recommended for payment of ${input.amount} ${input.currency ?? "USD"} (Travel Rule threshold: ${ENHANCED_DUE_DILIGENCE_THRESHOLD2}).`
+      );
+    }
+    return recommendations;
+  }
+};
 // src/plans.ts
 var PLAN_LIMITS = {
   free: 2e4,
@@ -2816,7 +3043,7 @@ var JsonFileExporter = class {
   buffer = [];
   bufferSize;
   constructor(options) {
-    this.outputDir = path3__namespace.resolve(options?.outputDir ?? ".kontext/exports");
+    this.outputDir = path4__namespace.resolve(options?.outputDir ?? ".kontext/exports");
     this.bufferSize = options?.bufferSize ?? 1;
   }
   async export(events) {
@@ -2831,11 +3058,11 @@ var JsonFileExporter = class {
     const toWrite = [...this.buffer];
     this.buffer = [];
     try {
-      fs3__namespace.mkdirSync(this.outputDir, { recursive: true });
+      fs4__namespace.mkdirSync(this.outputDir, { recursive: true });
       const date = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
-      const filePath = path3__namespace.join(this.outputDir, `events-${date}.jsonl`);
+      const filePath = path4__namespace.join(this.outputDir, `events-${date}.jsonl`);
       const lines = toWrite.map((e) => JSON.stringify(e)).join("\n") + "\n";
-      fs3__namespace.appendFileSync(filePath, lines, "utf-8");
+      fs4__namespace.appendFileSync(filePath, lines, "utf-8");
     } catch (error) {
       console.warn("[Kontext JsonFileExporter] Failed to write events:", error);
     }
@@ -3174,7 +3401,7 @@ var Kontext = class _Kontext {
    * @returns The created transaction record
    */
   async logTransaction(input) {
-    if (input.chain !== "base") {
+    if (input.chain && input.chain !== "base") {
       requirePlan("multi-chain", this.planManager.getTier());
     }
     this.validateMetadata(input.metadata);
@@ -3211,10 +3438,22 @@ var Kontext = class _Kontext {
   /**
    * Restore state from the attached storage adapter.
    * Loads previously persisted actions, transactions, tasks, and anomalies.
+   * Also restores the digest chain's terminal digest so that new actions
+   * chain correctly across process boundaries.
    * No-op if no storage adapter is configured.
    */
   async restore() {
     await this.store.restore();
+    const actions = this.store.getActions();
+    if (actions.length > 0) {
+      const sorted = [...actions].sort(
+        (a, b) => new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime()
+      );
+      const lastAction = sorted[sorted.length - 1];
+      if (lastAction.digest) {
+        this.logger.restoreChainState(lastAction.digest);
+      }
+    }
   }
   // --------------------------------------------------------------------------
   // Task Confirmation
@@ -3517,7 +3756,7 @@ var Kontext = class _Kontext {
    */
   async verify(input) {
     const transaction = await this.logTransaction(input);
-    const compliance = UsdcCompliance.checkTransaction(input);
+    const compliance = isCryptoTransaction(input) ? UsdcCompliance.checkTransaction(input) : PaymentCompliance.checkPayment(input);
     let reasoningId;
     if (input.reasoning) {
       const entry = await this.logReasoning({
@@ -3546,18 +3785,22 @@ var Kontext = class _Kontext {
       const threshold = parseAmount(this.config.approvalThreshold);
       if (amount > threshold) {
         requiresApproval = true;
+        const label = input.token ? `${input.token} ${input.amount} transfer` : `${input.currency ?? "USD"} ${input.amount} payment`;
         task = await this.createTask({
-          description: `Approve ${input.token} ${input.amount} transfer from ${input.from} to ${input.to}`,
+          description: `Approve ${label} from ${input.from} to ${input.to}`,
           agentId: input.agentId,
-          requiredEvidence: ["txHash"],
+          requiredEvidence: input.txHash ? ["txHash"] : ["paymentReference"],
           metadata: {
-            txHash: input.txHash,
-            chain: input.chain,
             amount: input.amount,
-            token: input.token,
             from: input.from,
             to: input.to,
-            approvalThreshold: this.config.approvalThreshold
+            approvalThreshold: this.config.approvalThreshold,
+            ...input.txHash ? { txHash: input.txHash } : {},
+            ...input.chain ? { chain: input.chain } : {},
+            ...input.token ? { token: input.token } : {},
+            ...input.currency ? { currency: input.currency } : {},
+            ...input.paymentMethod ? { paymentMethod: input.paymentMethod } : {},
+            ...input.paymentReference ? { paymentReference: input.paymentReference } : {}
           }
         });
       }
@@ -3656,7 +3899,7 @@ var Kontext = class _Kontext {
    * and cryptographically verifies the digest chain integrity.
    *
    * The certificate includes: action/transaction/reasoning counts, digest chain
-   * verification status (Patent US 12,463,819 B1), the agent's current trust
+   * verification status (patented), the agent's current trust
    * score, and an overall compliance status. A SHA-256 content hash of the
    * certificate itself is included for tamper-evidence.
    *
@@ -3894,20 +4137,20 @@ var MemoryStorage = class {
 var FileStorage = class {
   baseDir;
   constructor(baseDir) {
-    this.baseDir = path3__namespace.resolve(baseDir);
+    this.baseDir = path4__namespace.resolve(baseDir);
   }
   async save(key, data) {
-    fs3__namespace.mkdirSync(this.baseDir, { recursive: true });
+    fs4__namespace.mkdirSync(this.baseDir, { recursive: true });
     const filePath = this.keyToPath(key);
-    const dir = path3__namespace.dirname(filePath);
-    fs3__namespace.mkdirSync(dir, { recursive: true });
-    fs3__namespace.writeFileSync(filePath, JSON.stringify(data, null, 2), "utf-8");
+    const dir = path4__namespace.dirname(filePath);
+    fs4__namespace.mkdirSync(dir, { recursive: true });
+    fs4__namespace.writeFileSync(filePath, JSON.stringify(data, null, 2), "utf-8");
   }
   async load(key) {
     const filePath = this.keyToPath(key);
-    if (!fs3__namespace.existsSync(filePath)) return null;
+    if (!fs4__namespace.existsSync(filePath)) return null;
     try {
-      const raw = fs3__namespace.readFileSync(filePath, "utf-8");
+      const raw = fs4__namespace.readFileSync(filePath, "utf-8");
       return JSON.parse(raw);
     } catch {
       return null;
@@ -3915,12 +4158,12 @@ var FileStorage = class {
   }
   async delete(key) {
     const filePath = this.keyToPath(key);
-    if (fs3__namespace.existsSync(filePath)) {
-      fs3__namespace.unlinkSync(filePath);
+    if (fs4__namespace.existsSync(filePath)) {
+      fs4__namespace.unlinkSync(filePath);
     }
   }
   async list(prefix) {
-    if (!fs3__namespace.existsSync(this.baseDir)) return [];
+    if (!fs4__namespace.existsSync(this.baseDir)) return [];
     return this.listRecursive(this.baseDir, prefix);
   }
   /** Get the base directory path. */
@@ -3932,18 +4175,18 @@ var FileStorage = class {
   // --------------------------------------------------------------------------
   keyToPath(key) {
     const safeName = key.replace(/[<>"|?*]/g, "_");
-    return path3__namespace.join(this.baseDir, `${safeName}.json`);
+    return path4__namespace.join(this.baseDir, `${safeName}.json`);
   }
   pathToKey(filePath) {
-    const relative2 = path3__namespace.relative(this.baseDir, filePath);
+    const relative2 = path4__namespace.relative(this.baseDir, filePath);
     return relative2.replace(/\.json$/, "");
   }
   listRecursive(dir, prefix) {
     const keys = [];
-    if (!fs3__namespace.existsSync(dir)) return keys;
-    const entries = fs3__namespace.readdirSync(dir, { withFileTypes: true });
+    if (!fs4__namespace.existsSync(dir)) return keys;
+    const entries = fs4__namespace.readdirSync(dir, { withFileTypes: true });
     for (const entry of entries) {
-      const fullPath = path3__namespace.join(dir, entry.name);
+      const fullPath = path4__namespace.join(dir, entry.name);
       if (entry.isDirectory()) {
         keys.push(...this.listRecursive(fullPath, prefix));
       } else if (entry.isFile() && entry.name.endsWith(".json")) {
@@ -3957,393 +4200,11 @@ var FileStorage = class {
   }
 };
-// src/storage-firestore.ts
-var FirestoreStorageAdapter = class {
-  config;
-  /** In-memory cache for load() — avoids re-fetching on every store.restore() */
-  cache = /* @__PURE__ */ new Map();
-  /** Token cache: avoid metadata server round-trips on every write */
-  cachedToken = null;
-  tokenExpiresAt = 0;
-  constructor(config) {
-    this.config = {
-      gcpProjectId: config.gcpProjectId,
-      userId: config.userId,
-      accessToken: config.accessToken,
-      databaseId: config.databaseId ?? "(default)",
-      firestoreBaseUrl: config.firestoreBaseUrl ?? "https://firestore.googleapis.com",
-      writeDocumentsIndividually: config.writeDocumentsIndividually ?? true
-    };
-  }
-  // --------------------------------------------------------------------------
-  // StorageAdapter interface
-  // --------------------------------------------------------------------------
-  /**
-   * Save data under a Kontext storage key.
-   *
-   * The flat key space (kontext:actions, kontext:transactions, etc.) is mapped
-   * to structured Firestore paths. List data (actions, transactions) is written
-   * as individual documents under sub-collections for queryability.
-   */
-  async save(key, data) {
-    this.cache.set(key, data);
-    if (key === "kontext:actions" && Array.isArray(data)) {
-      await this.saveActionList(data);
-    } else if (key === "kontext:transactions" && Array.isArray(data)) {
-      await this.saveTransactionList(data);
-    } else if (key === "kontext:tasks" && Array.isArray(data)) {
-      await this.saveTaskList(data);
-    } else if (key === "kontext:anomalies" && Array.isArray(data)) {
-      await this.saveAnomalyList(data);
-    } else {
-      await this.saveDocument(this.keyToPath(key), data);
-    }
-  }
-  /**
-   * Load data for a Kontext storage key.
-   * Returns cached data if available (populated by save()).
-   * Falls back to Firestore fetch for cold starts.
-   */
-  async load(key) {
-    if (this.cache.has(key)) {
-      return this.cache.get(key) ?? null;
-    }
-    if (key === "kontext:actions") {
-      const actions = await this.loadActionList();
-      this.cache.set(key, actions);
-      return actions;
-    } else if (key === "kontext:transactions") {
-      const txs = await this.loadTransactionList();
-      this.cache.set(key, txs);
-      return txs;
-    } else if (key === "kontext:tasks") {
-      const tasks = await this.loadTaskList();
-      this.cache.set(key, tasks);
-      return tasks;
-    } else if (key === "kontext:anomalies") {
-      const anomalies = await this.loadAnomalyList();
-      this.cache.set(key, anomalies);
-      return anomalies;
-    } else {
-      return this.loadDocument(this.keyToPath(key));
-    }
-  }
-  async delete(key) {
-    this.cache.delete(key);
-    await this.deleteDocument(this.keyToPath(key));
-  }
-  async list(prefix) {
-    const all = Array.from(this.cache.keys());
-    if (!prefix) return all;
-    return all.filter((k) => k.startsWith(prefix));
-  }
-  // --------------------------------------------------------------------------
-  // Structured write methods (per-record documents)
-  // --------------------------------------------------------------------------
-  /**
-   * Write a single action log to its canonical Firestore path.
-   * Called by the SDK when `writeDocumentsIndividually` is true.
-   *
-   * Path: users/{userId}/projects/{projectId}/agents/{agentId}/sessions/{sessionId}/actions/{actionId}
-   */
-  async writeAction(action) {
-    if (!this.config.writeDocumentsIndividually) return;
-    const path4 = this.actionPath(action);
-    await this.saveDocument(path4, action);
-  }
-  /**
-   * Write a single transaction record to its canonical Firestore path.
-   *
-   * Path: users/{userId}/projects/{projectId}/agents/{agentId}/sessions/{sessionId}/transactions/{txId}
-   */
-  async writeTransaction(tx) {
-    if (!this.config.writeDocumentsIndividually) return;
-    const path4 = this.transactionPath(tx);
-    await this.saveDocument(path4, tx);
-  }
-  /**
-   * Write a single task to its canonical Firestore path.
-   *
-   * Path: users/{userId}/projects/{projectId}/tasks/{taskId}
-   */
-  async writeTask(task) {
-    if (!this.config.writeDocumentsIndividually) return;
-    const path4 = this.taskPath(task.id);
-    await this.saveDocument(path4, task);
-  }
-  // --------------------------------------------------------------------------
-  // Path builders
-  // --------------------------------------------------------------------------
-  get basePath() {
-    return `users/${this.config.userId}/projects`;
-  }
-  actionPath(action) {
-    const sessionId = action.sessionId ?? "_default";
-    return `${this.basePath}/${action.projectId}/agents/${sanitize(action.agentId)}/sessions/${sanitize(sessionId)}/actions/${action.id}`;
-  }
-  transactionPath(tx) {
-    const sessionId = tx.sessionId ?? "_default";
-    return `${this.basePath}/${tx.projectId}/agents/${sanitize(tx.agentId)}/sessions/${sanitize(sessionId)}/transactions/${tx.id}`;
-  }
-  taskPath(taskId) {
-    return `${this.basePath}/_tasks/${taskId}`;
-  }
-  anomalyPath(anomalyId, agentId) {
-    return `${this.basePath}/_anomalies/agents/${sanitize(agentId)}/${anomalyId}`;
-  }
-  keyToPath(key) {
-    const safe = key.replace(/:/g, "/").replace(/[^a-zA-Z0-9/_-]/g, "_");
-    return `${this.basePath}/_meta/${safe}`;
-  }
-  // --------------------------------------------------------------------------
-  // Bulk save/load (called by KontextStore.flush / restore)
-  // --------------------------------------------------------------------------
-  async saveActionList(actions) {
-    if (!this.config.writeDocumentsIndividually) {
-      await this.saveDocument(`${this.basePath}/_snapshots/actions`, actions);
-      return;
-    }
-    await Promise.allSettled(actions.map((a) => this.saveDocument(this.actionPath(a), a)));
-  }
-  async saveTransactionList(txs) {
-    if (!this.config.writeDocumentsIndividually) {
-      await this.saveDocument(`${this.basePath}/_snapshots/transactions`, txs);
-      return;
-    }
-    await Promise.allSettled(txs.map((tx) => this.saveDocument(this.transactionPath(tx), tx)));
-  }
-  async saveTaskList(entries) {
-    await Promise.allSettled(
-      entries.map(([_id, task]) => this.saveDocument(this.taskPath(task.id), task))
-    );
-  }
-  async saveAnomalyList(anomalies) {
-    if (!this.config.writeDocumentsIndividually) {
-      await this.saveDocument(`${this.basePath}/_snapshots/anomalies`, anomalies);
-      return;
-    }
-    await Promise.allSettled(
-      anomalies.map((a) => this.saveDocument(this.anomalyPath(a.id, a.agentId), a))
-    );
-  }
-  async loadActionList() {
-    if (!this.config.writeDocumentsIndividually) {
-      const snap = await this.loadDocument(`${this.basePath}/_snapshots/actions`);
-      return Array.isArray(snap) ? snap : [];
-    }
-    return this.queryCollectionGroup("actions");
-  }
-  async loadTransactionList() {
-    if (!this.config.writeDocumentsIndividually) {
-      const snap = await this.loadDocument(`${this.basePath}/_snapshots/transactions`);
-      return Array.isArray(snap) ? snap : [];
-    }
-    return this.queryCollectionGroup("transactions");
-  }
-  async loadTaskList() {
-    const tasks = await this.queryCollection(`${this.basePath}/_tasks`);
-    return tasks.map((t) => [t.id, t]);
-  }
-  async loadAnomalyList() {
-    if (!this.config.writeDocumentsIndividually) {
-      const snap = await this.loadDocument(`${this.basePath}/_snapshots/anomalies`);
-      return Array.isArray(snap) ? snap : [];
-    }
-    return this.queryCollectionGroup("anomalies");
-  }
-  // --------------------------------------------------------------------------
-  // Firestore REST API helpers
-  // --------------------------------------------------------------------------
-  firestoreBase() {
-    return `${this.config.firestoreBaseUrl}/v1/projects/${this.config.gcpProjectId}/databases/${this.config.databaseId}/documents`;
-  }
-  /** Save an arbitrary JS object as a Firestore document at the given path. */
-  async saveDocument(fsPath, data) {
-    const url = `${this.firestoreBase()}/${fsPath}`;
-    const token = await this.getToken();
-    const body = JSON.stringify({ fields: toFirestoreFields(data) });
-    const res = await fetch(url, {
-      method: "PATCH",
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${token}`
-      },
-      body
-    });
-    if (!res.ok) {
-      const text = await res.text().catch(() => "");
-      throw new Error(`Firestore write failed [${res.status}] ${fsPath}: ${text}`);
-    }
-  }
-  /** Load a document at the given Firestore path. Returns null if not found. */
-  async loadDocument(fsPath) {
-    const url = `${this.firestoreBase()}/${fsPath}`;
-    const token = await this.getToken();
-    const res = await fetch(url, {
-      headers: { Authorization: `Bearer ${token}` }
-    });
-    if (res.status === 404) return null;
-    if (!res.ok) return null;
-    const doc = await res.json();
-    return fromFirestoreFields(doc.fields);
-  }
-  /** Delete a document at the given Firestore path. */
-  async deleteDocument(fsPath) {
-    const url = `${this.firestoreBase()}/${fsPath}`;
-    const token = await this.getToken();
-    await fetch(url, {
-      method: "DELETE",
-      headers: { Authorization: `Bearer ${token}` }
-    });
-  }
-  /**
-   * List all documents in a collection and deserialize them.
-   * Used for tasks (simple flat collection).
-   */
-  async queryCollection(collectionPath) {
-    const url = `${this.firestoreBase()}/${collectionPath}`;
-    const token = await this.getToken();
-    const res = await fetch(url, {
-      headers: { Authorization: `Bearer ${token}` }
-    });
-    if (!res.ok) return [];
-    const body = await res.json();
-    if (!body.documents) return [];
-    return body.documents.map((doc) => fromFirestoreFields(doc.fields));
-  }
-  /**
-   * Run a Firestore collection group query to fetch documents across all
-   * nested sub-collections with the given name (e.g., 'actions' across all
-   * agents and sessions).
-   *
-   * Scoped to the user's project root to prevent cross-tenant reads.
-   */
-  async queryCollectionGroup(collectionId) {
-    const parent = `projects/${this.config.gcpProjectId}/databases/${this.config.databaseId}/documents`;
-    `${this.config.firestoreBaseUrl}/v1/${parent}:runQuery`;
-    const token = await this.getToken();
-    const scopedUrl = `${this.config.firestoreBaseUrl}/v1/projects/${this.config.gcpProjectId}/databases/${this.config.databaseId}/documents/users/${this.config.userId}:runQuery`;
-    const body = {
-      structuredQuery: {
-        from: [{ collectionId, allDescendants: true }],
-        orderBy: [{ field: { fieldPath: "timestamp" }, direction: "ASCENDING" }]
-      }
-    };
-    const res = await fetch(scopedUrl, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${token}`
-      },
-      body: JSON.stringify(body)
-    });
-    if (!res.ok) return [];
-    const results = await res.json();
-    return results.filter((r) => r.document?.fields).map((r) => fromFirestoreFields(r.document.fields));
-  }
-  // --------------------------------------------------------------------------
-  // Auth: GCP metadata server + token caching
-  // --------------------------------------------------------------------------
-  async getToken() {
-    if (this.config.accessToken) {
-      return this.config.accessToken;
-    }
-    const now2 = Date.now();
-    if (this.cachedToken && now2 < this.tokenExpiresAt - 3e5) {
-      return this.cachedToken;
-    }
-    const metadataUrl = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token";
-    const res = await fetch(metadataUrl, {
-      headers: { "Metadata-Flavor": "Google" }
-    });
-    if (!res.ok) {
-      throw new Error(
-        "FirestoreStorageAdapter: Could not fetch GCP access token. On GCP, ensure the service account has Firestore write access. For local dev, pass accessToken in FirestoreStorageConfig."
-      );
-    }
-    const data = await res.json();
-    this.cachedToken = data.access_token;
-    this.tokenExpiresAt = now2 + data.expires_in * 1e3;
-    return this.cachedToken;
-  }
-};
-function toFirestoreValue(value) {
-  if (value === null || value === void 0) {
-    return { nullValue: null };
-  }
-  if (typeof value === "boolean") {
-    return { booleanValue: value };
-  }
-  if (typeof value === "number") {
-    if (Number.isInteger(value)) {
-      return { integerValue: String(value) };
-    }
-    return { doubleValue: value };
-  }
-  if (typeof value === "string") {
-    if (/^\d{4}-\d{2}-\d{2}T/.test(value)) {
-      return { timestampValue: value };
-    }
-    return { stringValue: value };
-  }
-  if (Array.isArray(value)) {
-    return {
-      arrayValue: {
-        values: value.map(toFirestoreValue)
-      }
-    };
-  }
-  if (typeof value === "object") {
-    return {
-      mapValue: {
-        fields: toFirestoreFields(value)
-      }
-    };
-  }
-  return { stringValue: String(value) };
-}
-function toFirestoreFields(obj) {
-  if (!obj || typeof obj !== "object" || Array.isArray(obj)) {
-    return {};
-  }
-  const result = {};
-  for (const [k, v] of Object.entries(obj)) {
-    result[k] = toFirestoreValue(v);
-  }
-  return result;
-}
-function fromFirestoreValue(value) {
-  if ("nullValue" in value) return null;
-  if ("booleanValue" in value) return value.booleanValue;
-  if ("integerValue" in value) return parseInt(value.integerValue, 10);
-  if ("doubleValue" in value) return value.doubleValue;
-  if ("stringValue" in value) return value.stringValue;
-  if ("timestampValue" in value) return value.timestampValue;
-  if ("arrayValue" in value) {
-    return (value.arrayValue.values ?? []).map(fromFirestoreValue);
-  }
-  if ("mapValue" in value) {
-    return fromFirestoreFields(value.mapValue.fields);
-  }
-  return null;
-}
-function fromFirestoreFields(fields) {
-  const result = {};
-  for (const [k, v] of Object.entries(fields)) {
-    result[k] = fromFirestoreValue(v);
-  }
-  return result;
-}
-function sanitize(id) {
-  return id.replace(/[/.]/g, "_").slice(0, 1500);
-}
 exports.AnomalyDetector = AnomalyDetector;
 exports.ConsoleExporter = ConsoleExporter;
 exports.DigestChain = DigestChain;
 exports.FeatureFlagManager = FeatureFlagManager;
 exports.FileStorage = FileStorage;
-exports.FirestoreStorageAdapter = FirestoreStorageAdapter;
 exports.JsonFileExporter = JsonFileExporter;
 exports.Kontext = Kontext;
 exports.KontextError = KontextError;
@@ -4351,9 +4212,11 @@ exports.KontextErrorCode = KontextErrorCode;
 exports.MemoryStorage = MemoryStorage;
 exports.NoopExporter = NoopExporter;
 exports.PLAN_LIMITS = PLAN_LIMITS;
+exports.PaymentCompliance = PaymentCompliance;
 exports.PlanManager = PlanManager;
 exports.TrustScorer = TrustScorer;
 exports.UsdcCompliance = UsdcCompliance;
+exports.isCryptoTransaction = isCryptoTransaction;
 exports.isFeatureAvailable = isFeatureAvailable;
 exports.requirePlan = requirePlan;
 exports.verifyExportedChain = verifyExportedChain;