kontext-sdk 0.7.0 → 0.9.0

package/dist/index.js

@@ -41,6 +41,90 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
+// src/integrations/erc8021.ts
+var erc8021_exports = {};
+__export(erc8021_exports, {
+  KONTEXT_BUILDER_CODE: () => exports.KONTEXT_BUILDER_CODE,
+  encodeERC8021Suffix: () => encodeERC8021Suffix,
+  fetchTransactionAttribution: () => fetchTransactionAttribution,
+  parseERC8021Suffix: () => parseERC8021Suffix
+});
+function encodeERC8021Suffix(codes) {
+  if (codes.length === 0) {
+    throw new Error("ERC-8021: at least one builder code is required");
+  }
+  const codesStr = codes.join(",");
+  let codesHex = "";
+  for (let i = 0; i < codesStr.length; i++) {
+    codesHex += codesStr.charCodeAt(i).toString(16).padStart(2, "0");
+  }
+  const codesLength = codesStr.length;
+  if (codesLength > 255) {
+    throw new Error("ERC-8021: combined codes length exceeds 255 bytes");
+  }
+  const codesLengthHex = codesLength.toString(16).padStart(2, "0");
+  const schemaId = "00";
+  return codesLengthHex + codesHex + schemaId + ERC_8021_MARKER;
+}
+function parseERC8021Suffix(calldata) {
+  const clean = calldata.startsWith("0x") ? calldata.slice(2) : calldata;
+  if (clean.length < 38) return null;
+  const markerStart = clean.length - 32;
+  const marker = clean.slice(markerStart);
+  if (marker !== ERC_8021_MARKER) return null;
+  const schemaIdStart = markerStart - 2;
+  const schemaId = parseInt(clean.slice(schemaIdStart, markerStart), 16);
+  if (isNaN(schemaId)) return null;
+  let codesLength = 0;
+  let codesLengthPos = 0;
+  for (let L = 1; L <= 255; L++) {
+    const candidatePos = schemaIdStart - L * 2 - 2;
+    if (candidatePos < 0) break;
+    const candidate = parseInt(clean.slice(candidatePos, candidatePos + 2), 16);
+    if (candidate === L) {
+      codesLength = L;
+      codesLengthPos = candidatePos;
+      break;
+    }
+  }
+  if (codesLength === 0) return null;
+  const codesHex = clean.slice(codesLengthPos + 2, codesLengthPos + 2 + codesLength * 2);
+  let codesStr = "";
+  for (let i = 0; i < codesHex.length; i += 2) {
+    codesStr += String.fromCharCode(parseInt(codesHex.slice(i, i + 2), 16));
+  }
+  const codes = codesStr.split(",").filter((c) => c.length > 0);
+  if (codes.length === 0) return null;
+  const rawSuffix = "0x" + clean.slice(codesLengthPos);
+  return { codes, schemaId, rawSuffix };
+}
+async function fetchTransactionAttribution(rpcUrl, txHash) {
+  try {
+    const res = await fetch(rpcUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        id: 1,
+        method: "eth_getTransactionByHash",
+        params: [txHash]
+      })
+    });
+    const json = await res.json();
+    if (json.error || !json.result?.input) return null;
+    return parseERC8021Suffix(json.result.input);
+  } catch {
+    return null;
+  }
+}
+var ERC_8021_MARKER; exports.KONTEXT_BUILDER_CODE = void 0;
+var init_erc8021 = __esm({
+  "src/integrations/erc8021.ts"() {
+    ERC_8021_MARKER = "80218021802180218021802180218021";
+    exports.KONTEXT_BUILDER_CODE = "kontext";
+  }
+});
+
 // src/onchain.ts
 var onchain_exports = {};
 __export(onchain_exports, {
@@ -138,12 +222,18 @@ async function anchorDigest(config, digest, projectId) {
       outputs: []
     }
   ];
-  const txHash = await client.writeContract({
-    address: config.contractAddress,
+  const { encodeERC8021Suffix: encodeERC8021Suffix2, KONTEXT_BUILDER_CODE: KONTEXT_BUILDER_CODE2 } = await Promise.resolve().then(() => (init_erc8021(), erc8021_exports));
+  const calldata = viem.encodeFunctionData({
     abi,
     functionName: "anchor",
     args: [digestBytes32, projectHash]
   });
+  const builderCode = config.builderCode ?? KONTEXT_BUILDER_CODE2;
+  const suffix = encodeERC8021Suffix2([builderCode]);
+  const txHash = await client.sendTransaction({
+    to: config.contractAddress,
+    data: calldata + suffix
+  });
   const receipt = await publicClient.waitForTransactionReceipt({ hash: txHash });
   return {
     digest,
@@ -1152,13 +1242,17 @@ var STORAGE_KEYS = {
   actions: "kontext:actions",
   transactions: "kontext:transactions",
   tasks: "kontext:tasks",
-  anomalies: "kontext:anomalies"
+  anomalies: "kontext:anomalies",
+  sessions: "kontext:sessions",
+  checkpoints: "kontext:checkpoints"
 };
 var KontextStore = class {
   actions = [];
   transactions = [];
   tasks = /* @__PURE__ */ new Map();
   anomalies = [];
+  sessions = /* @__PURE__ */ new Map();
+  checkpoints = /* @__PURE__ */ new Map();
   storageAdapter = null;
   maxEntries;
   constructor(maxEntries = DEFAULT_MAX_ENTRIES) {
@@ -1191,11 +1285,15 @@ var KontextStore = class {
     const transactionsSnapshot = [...this.transactions];
     const tasksSnapshot = Array.from(this.tasks.entries());
     const anomaliesSnapshot = [...this.anomalies];
+    const sessionsSnapshot = Array.from(this.sessions.entries());
+    const checkpointsSnapshot = Array.from(this.checkpoints.entries());
     await Promise.all([
       this.storageAdapter.save(STORAGE_KEYS.actions, actionsSnapshot),
       this.storageAdapter.save(STORAGE_KEYS.transactions, transactionsSnapshot),
       this.storageAdapter.save(STORAGE_KEYS.tasks, tasksSnapshot),
-      this.storageAdapter.save(STORAGE_KEYS.anomalies, anomaliesSnapshot)
+      this.storageAdapter.save(STORAGE_KEYS.anomalies, anomaliesSnapshot),
+      this.storageAdapter.save(STORAGE_KEYS.sessions, sessionsSnapshot),
+      this.storageAdapter.save(STORAGE_KEYS.checkpoints, checkpointsSnapshot)
     ]);
   }
   /**
@@ -1205,11 +1303,13 @@ var KontextStore = class {
    */
   async restore() {
     if (!this.storageAdapter) return;
-    const [actions, transactions, tasksEntries, anomalies] = await Promise.all([
+    const [actions, transactions, tasksEntries, anomalies, sessionsEntries, checkpointsEntries] = await Promise.all([
       this.storageAdapter.load(STORAGE_KEYS.actions),
       this.storageAdapter.load(STORAGE_KEYS.transactions),
       this.storageAdapter.load(STORAGE_KEYS.tasks),
-      this.storageAdapter.load(STORAGE_KEYS.anomalies)
+      this.storageAdapter.load(STORAGE_KEYS.anomalies),
+      this.storageAdapter.load(STORAGE_KEYS.sessions),
+      this.storageAdapter.load(STORAGE_KEYS.checkpoints)
     ]);
     if (Array.isArray(actions)) {
       this.actions = actions;
@@ -1223,6 +1323,12 @@ var KontextStore = class {
     if (Array.isArray(anomalies)) {
       this.anomalies = anomalies;
     }
+    if (Array.isArray(sessionsEntries)) {
+      this.sessions = new Map(sessionsEntries);
+    }
+    if (Array.isArray(checkpointsEntries)) {
+      this.checkpoints = new Map(checkpointsEntries);
+    }
   }
   // --------------------------------------------------------------------------
   // Actions
@@ -1322,6 +1428,60 @@ var KontextStore = class {
     return this.anomalies.filter(predicate);
   }
   // --------------------------------------------------------------------------
+  // Sessions (Provenance Layer 1)
+  // --------------------------------------------------------------------------
+  /** Store a session. */
+  addSession(session) {
+    this.sessions.set(session.sessionId, session);
+  }
+  /** Retrieve a session by ID. */
+  getSession(sessionId) {
+    return this.sessions.get(sessionId);
+  }
+  /** Update a session. */
+  updateSession(sessionId, updates) {
+    const existing = this.sessions.get(sessionId);
+    if (!existing) return void 0;
+    const updated = { ...existing, ...updates };
+    this.sessions.set(sessionId, updated);
+    return updated;
+  }
+  /** Retrieve all sessions. */
+  getSessions() {
+    return Array.from(this.sessions.values());
+  }
+  /** Retrieve sessions filtered by a predicate. */
+  querySessions(predicate) {
+    return Array.from(this.sessions.values()).filter(predicate);
+  }
+  // --------------------------------------------------------------------------
+  // Checkpoints (Provenance Layer 3)
+  // --------------------------------------------------------------------------
+  /** Store a checkpoint. */
+  addCheckpoint(checkpoint) {
+    this.checkpoints.set(checkpoint.id, checkpoint);
+  }
+  /** Retrieve a checkpoint by ID. */
+  getCheckpoint(checkpointId) {
+    return this.checkpoints.get(checkpointId);
+  }
+  /** Update a checkpoint. */
+  updateCheckpoint(checkpointId, updates) {
+    const existing = this.checkpoints.get(checkpointId);
+    if (!existing) return void 0;
+    const updated = { ...existing, ...updates };
+    this.checkpoints.set(checkpointId, updated);
+    return updated;
+  }
+  /** Retrieve all checkpoints. */
+  getCheckpoints() {
+    return Array.from(this.checkpoints.values());
+  }
+  /** Retrieve checkpoints filtered by a predicate. */
+  queryCheckpoints(predicate) {
+    return Array.from(this.checkpoints.values()).filter(predicate);
+  }
+  // --------------------------------------------------------------------------
   // Utilities
   // --------------------------------------------------------------------------
   /** Get total record counts across all stores. */
@@ -1330,7 +1490,9 @@ var KontextStore = class {
       actions: this.actions.length,
       transactions: this.transactions.length,
       tasks: this.tasks.size,
-      anomalies: this.anomalies.length
+      anomalies: this.anomalies.length,
+      sessions: this.sessions.size,
+      checkpoints: this.checkpoints.size
     };
   }
   /** Clear all stored data. Useful for testing. */
@@ -1339,6 +1501,8 @@ var KontextStore = class {
     this.transactions = [];
     this.tasks.clear();
     this.anomalies = [];
+    this.sessions.clear();
+    this.checkpoints.clear();
   }
 };
 var DIGEST_EXCLUDED_FIELDS = /* @__PURE__ */ new Set(["digest", "priorDigest"]);
@@ -2356,17 +2520,9 @@ var AuditExporter = class {
     return sections.join("\n\n");
   }
 };
-var USDC_CONTRACTS = {
-  ethereum: "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48",
-  base: "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
-  polygon: "0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359",
-  arbitrum: "0xaf88d065e77c8cC2239327C5EDb3A432268e5831",
-  optimism: "0x0b2C639c533813f4Aa9D7837CAf62653d097Ff85",
-  // Arc (Circle's stablecoin-native blockchain) -- placeholder address, update when Arc mainnet launches
-  arc: "0xa0c0000000000000000000000000000000000001"
-};
-var SANCTIONED_ADDRESSES = [
-  // --- ACTIVELY SANCTIONED (SDN) ---
+
+// src/integrations/data/ofac-addresses.ts
+var OFAC_SDN_ACTIVE_ADDRESSES = [
   // Lazarus Group / DPRK (Ronin Bridge hack)
   "0x098B716B8Aaf21512996dC57EB0615e2383E2f96",
   "0xa0e1c89Ef1a489c9C7dE96311eD5Ce5D32c20E4B",
@@ -2390,8 +2546,9 @@ var SANCTIONED_ADDRESSES = [
   "0x931546D9e66836AbF687d2bc64B30407bAc8C568",
   "0x43fa21d92141BA9db43052492E0DeEE5aa5f0A93",
   // Zedcex / Zedxion (IRGC-linked, sanctioned June 2024)
-  "0xaeAAc358560e11f52454D997AAFF2c5731B6f8a6",
-  // --- DELISTED (formerly sanctioned, retained for backward compat) ---
+  "0xaeAAc358560e11f52454D997AAFF2c5731B6f8a6"
+];
+var OFAC_SDN_DELISTED_ADDRESSES = [
   // Tornado Cash contracts (sanctioned Aug 2022, DELISTED March 21, 2025)
   "0xd90e2f925DA726b50C4Ed8D0Fb90Ad053324F31b",
   "0xd96f2B1c14Db8458374d9Aca76E26c3D18364307",
@@ -2413,6 +2570,20 @@ var SANCTIONED_ADDRESSES = [
   "0x722122dF12D4e14e13Ac3b6895a86e84145b6967"
   // Tornado Cash / Sinbad.io
 ];
+var OFAC_SDN_ADDRESSES = [
+  ...OFAC_SDN_ACTIVE_ADDRESSES,
+  ...OFAC_SDN_DELISTED_ADDRESSES
+];
+var USDC_CONTRACTS = {
+  ethereum: "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48",
+  base: "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
+  polygon: "0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359",
+  arbitrum: "0xaf88d065e77c8cC2239327C5EDb3A432268e5831",
+  optimism: "0x0b2C639c533813f4Aa9D7837CAf62653d097Ff85",
+  // Arc (Circle's stablecoin-native blockchain) -- placeholder address, update when Arc mainnet launches
+  arc: "0xa0c0000000000000000000000000000000000001"
+};
+var SANCTIONED_ADDRESSES = [...OFAC_SDN_ADDRESSES];
 var SANCTIONED_SET = new Set(
   SANCTIONED_ADDRESSES.map((addr) => addr.toLowerCase())
 );
@@ -2908,11 +3079,301 @@ var PaymentCompliance = class _PaymentCompliance {
   }
 };
 
+// src/integrations/screening-provider.ts
+var ETH_ADDRESS_RE = /^0x[a-fA-F0-9]{40}$/;
+function isBlockchainAddress(query) {
+  return ETH_ADDRESS_RE.test(query);
+}
+function providerSupportsQuery(provider, query) {
+  const isAddr = isBlockchainAddress(query);
+  if (isAddr) {
+    return provider.queryTypes.includes("address") || provider.queryTypes.includes("both");
+  }
+  return provider.queryTypes.includes("entity_name") || provider.queryTypes.includes("both");
+}
+var TOKEN_REQUIRED_LISTS = {
+  USDC: ["OFAC_SDN"],
+  EURC: ["EU_CONSOLIDATED"],
+  USDT: ["OFAC_SDN", "EU_CONSOLIDATED"],
+  DAI: ["OFAC_SDN", "EU_CONSOLIDATED"],
+  USDP: ["OFAC_SDN"],
+  USDG: ["OFAC_SDN"]
+};
+var CURRENCY_REQUIRED_LISTS = {
+  USD: ["OFAC_SDN"],
+  EUR: ["EU_CONSOLIDATED"],
+  GBP: ["UK_OFSI"],
+  AED: ["UAE_LOCAL", "UN_SECURITY_COUNCIL"],
+  INR: ["UN_SECURITY_COUNCIL", "INDIA_DOMESTIC"],
+  SGD: ["MAS_TFS", "UN_SECURITY_COUNCIL"],
+  CNY: ["UN_SECURITY_COUNCIL"],
+  CNH: ["UN_SECURITY_COUNCIL"],
+  HKD: ["HK_UNSO", "UN_SECURITY_COUNCIL"],
+  NZD: ["UN_SECURITY_COUNCIL", "NZ_DESIGNATED"],
+  KRW: ["UN_SECURITY_COUNCIL", "KOFIU_DOMESTIC"],
+  MYR: ["BNM_DOMESTIC", "UN_SECURITY_COUNCIL"],
+  THB: ["UN_SECURITY_COUNCIL", "AMLO_DOMESTIC"]
+};
+var DEFAULT_REQUIRED_LISTS = [
+  "OFAC_SDN",
+  "EU_CONSOLIDATED",
+  "UN_SECURITY_COUNCIL"
+];
+function getRequiredLists(context) {
+  if (!context) return DEFAULT_REQUIRED_LISTS;
+  if (context.token && typeof context.token === "string") {
+    const tokenLists = TOKEN_REQUIRED_LISTS[context.token];
+    if (tokenLists) return tokenLists;
+  }
+  if (context.currency && typeof context.currency === "string") {
+    const currencyLists = CURRENCY_REQUIRED_LISTS[context.currency];
+    if (currencyLists) return currencyLists;
+  }
+  return DEFAULT_REQUIRED_LISTS;
+}
+
+// src/integrations/screening-aggregator.ts
+var ScreeningAggregator = class {
+  providers;
+  consensus;
+  blocklistSet;
+  allowlistSet;
+  continueOnError;
+  providerTimeoutMs;
+  onEvent;
+  constructor(config) {
+    this.providers = config.providers;
+    this.consensus = config.consensus ?? "ANY_MATCH";
+    this.blocklistSet = new Set(
+      (config.blocklist ?? []).map((s) => s.toLowerCase())
+    );
+    this.allowlistSet = new Set(
+      (config.allowlist ?? []).map((s) => s.toLowerCase())
+    );
+    this.continueOnError = config.continueOnError ?? true;
+    this.providerTimeoutMs = config.providerTimeoutMs;
+    this.onEvent = config.onEvent;
+  }
+  /**
+   * Screen a single query (address or entity name).
+   */
+  async screen(query, context) {
+    const start = Date.now();
+    const queryLower = query.toLowerCase();
+    const queryType = isBlockchainAddress(query) ? "address" : "entity_name";
+    this.onEvent?.();
+    if (this.allowlistSet.has(queryLower)) {
+      return this.buildResult({
+        queryType,
+        start,
+        allowlisted: true,
+        context
+      });
+    }
+    if (this.blocklistSet.has(queryLower)) {
+      return this.buildResult({
+        queryType,
+        start,
+        blocklisted: true,
+        context
+      });
+    }
+    const compatibleProviders = this.providers.filter(
+      (p) => p.isAvailable() && providerSupportsQuery(p, query)
+    );
+    if (compatibleProviders.length === 0) {
+      return this.buildResult({
+        queryType,
+        start,
+        providerResults: [],
+        context
+      });
+    }
+    const results = [];
+    const errors = [];
+    const promises = compatibleProviders.map(async (provider) => {
+      try {
+        const result = await this.runWithTimeout(provider, query, context);
+        return { type: "success", result };
+      } catch (err) {
+        const errorMsg = err instanceof Error ? err.message : String(err);
+        return { type: "error", providerId: provider.id, error: errorMsg };
+      }
+    });
+    const settled = await Promise.all(promises);
+    for (const outcome of settled) {
+      if (outcome.type === "success") {
+        results.push(outcome.result);
+      } else {
+        if (!this.continueOnError) {
+          throw new Error(outcome.error);
+        }
+        errors.push({ providerId: outcome.providerId, error: outcome.error });
+      }
+    }
+    return this.buildResult({
+      queryType,
+      start,
+      providerResults: results,
+      errors,
+      context
+    });
+  }
+  /**
+   * Screen multiple queries in batch.
+   */
+  async screenBatch(queries, context) {
+    const results = /* @__PURE__ */ new Map();
+    const promises = queries.map(async (query) => {
+      const result = await this.screen(query, context);
+      return { query, result };
+    });
+    const settled = await Promise.all(promises);
+    for (const { query, result } of settled) {
+      results.set(query, result);
+    }
+    return results;
+  }
+  /**
+   * Get available providers, optionally filtered by query type.
+   */
+  getAvailableProviders(queryType) {
+    return this.providers.filter((p) => {
+      if (!p.isAvailable()) return false;
+      if (!queryType) return true;
+      return p.queryTypes.includes(queryType) || p.queryTypes.includes("both");
+    });
+  }
+  /**
+   * Get the union of all sanctions lists covered by available providers.
+   */
+  getCoveredLists() {
+    const lists = /* @__PURE__ */ new Set();
+    for (const p of this.providers) {
+      if (p.isAvailable()) {
+        for (const list of p.lists) {
+          lists.add(list);
+        }
+      }
+    }
+    return Array.from(lists);
+  }
+  // --------------------------------------------------------------------------
+  // Private
+  // --------------------------------------------------------------------------
+  async runWithTimeout(provider, query, context) {
+    if (!this.providerTimeoutMs) {
+      return provider.screen(query, context);
+    }
+    return Promise.race([
+      provider.screen(query, context),
+      new Promise(
+        (_, reject) => setTimeout(
+          () => reject(new Error(`Provider ${provider.id} timed out after ${this.providerTimeoutMs}ms`)),
+          this.providerTimeoutMs
+        )
+      )
+    ]);
+  }
+  buildResult(opts) {
+    const {
+      queryType,
+      start,
+      providerResults = [],
+      errors = [],
+      blocklisted = false,
+      allowlisted = false,
+      context
+    } = opts;
+    if (blocklisted) {
+      return {
+        providerId: "aggregator",
+        hit: true,
+        matches: [],
+        listsChecked: [],
+        entriesSearched: 0,
+        durationMs: Date.now() - start,
+        queryType,
+        totalProviders: 0,
+        hitCount: 0,
+        consensus: this.consensus,
+        blocklisted: true,
+        errors: [],
+        uncoveredLists: [],
+        providerResults: []
+      };
+    }
+    if (allowlisted) {
+      return {
+        providerId: "aggregator",
+        hit: false,
+        matches: [],
+        listsChecked: [],
+        entriesSearched: 0,
+        durationMs: Date.now() - start,
+        queryType,
+        totalProviders: 0,
+        hitCount: 0,
+        consensus: this.consensus,
+        allowlisted: true,
+        errors: [],
+        uncoveredLists: [],
+        providerResults: []
+      };
+    }
+    const allMatches = [];
+    const allListsChecked = /* @__PURE__ */ new Set();
+    let totalEntries = 0;
+    for (const r of providerResults) {
+      allMatches.push(...r.matches);
+      for (const list of r.listsChecked) {
+        allListsChecked.add(list);
+      }
+      totalEntries += r.entriesSearched;
+    }
+    const hitCount = providerResults.filter((r) => r.hit).length;
+    const totalProviders = providerResults.length;
+    let hit;
+    switch (this.consensus) {
+      case "ALL_MATCH":
+        hit = totalProviders > 0 && hitCount === totalProviders;
+        break;
+      case "MAJORITY":
+        hit = totalProviders > 0 && hitCount > totalProviders / 2;
+        break;
+      case "ANY_MATCH":
+      default:
+        hit = hitCount > 0;
+        break;
+    }
+    const requiredLists = getRequiredLists(context);
+    const coveredLists = allListsChecked;
+    const uncoveredLists = requiredLists.filter(
+      (l) => !coveredLists.has(l)
+    );
+    return {
+      providerId: "aggregator",
+      hit,
+      matches: allMatches,
+      listsChecked: Array.from(allListsChecked),
+      entriesSearched: totalEntries,
+      durationMs: Date.now() - start,
+      queryType,
+      totalProviders,
+      hitCount,
+      consensus: this.consensus,
+      errors,
+      uncoveredLists,
+      providerResults
+    };
+  }
+};
+
 // src/plans.ts
 var PLAN_LIMITS = {
   free: 2e4,
-  pro: 1e5,
-  // per user/seat
+  pro: Infinity,
+  // usage-based: $2/1K events above 20K free
   enterprise: Infinity
 };
 var DEFAULT_WARNING_THRESHOLD = 0.8;
@@ -2959,10 +3420,7 @@ var PlanManager = class _PlanManager {
   }
   /** Get the event limit for the current plan (Pro is multiplied by seats) */
   getLimit() {
-    const base = PLAN_LIMITS[this.tier];
-    if (base === Infinity) return Infinity;
-    if (this.tier === "pro") return base * this.seats;
-    return base;
+    return PLAN_LIMITS[this.tier];
   }
   /** Get the current number of seats */
   getSeats() {
@@ -3167,12 +3625,7 @@ var PlanManager = class _PlanManager {
   logLimitMessage() {
     if (this.tier === "free") {
       console.warn(
-        `You've reached the 20,000 event limit on the Free plan. Upgrade to Pro for 100K events/user/mo and full compliance features \u2192 ${this.upgradeUrl}`
-      );
-    } else if (this.tier === "pro") {
-      const effectiveLimit = (1e5 * this.seats).toLocaleString();
-      console.warn(
-        `You've reached the ${effectiveLimit} event limit on Pro (${this.seats} seat${this.seats !== 1 ? "s" : ""}). Add seats or contact us for Enterprise pricing \u2192 ${this.enterpriseContactUrl}`
+        `You've reached the 20,000 event limit on the Free plan. Upgrade to Pro ($2/1K events above 20K free) \u2192 ${this.upgradeUrl}`
       );
     }
   }
@@ -3449,120 +3902,1653 @@ function extractDocumentId(resourceName) {
   const parts = resourceName.split("/");
   return parts[parts.length - 1] ?? resourceName;
 }
-
-// src/client.ts
-var PLAN_STORAGE_KEY = "kontext:plan";
-var Kontext = class _Kontext {
-  config;
+var ProvenanceManager = class {
   store;
   logger;
-  taskManager;
-  auditExporter;
-  mode;
-  planManager;
-  exporter;
-  featureFlagManager;
-  trustScorer;
-  anomalyDetector;
-  constructor(config) {
-    this.config = config;
-    this.mode = config.apiKey ? "cloud" : "local";
-    this.store = new KontextStore();
-    if (config.metadataSchema && typeof config.metadataSchema.parse !== "function") {
-      throw new KontextError(
-        "INITIALIZATION_ERROR" /* INITIALIZATION_ERROR */,
-        "metadataSchema must have a parse() method"
-      );
-    }
-    if (config.storage) {
-      this.store.setStorageAdapter(config.storage);
-    }
-    const planTier = config.plan ?? "free";
-    this.planManager = new PlanManager(planTier, void 0, config.seats ?? 1);
-    if (config.upgradeUrl) {
-      this.planManager.upgradeUrl = config.upgradeUrl;
+  constructor(store, logger) {
+    this.store = store;
+    this.logger = logger;
+  }
+  // --------------------------------------------------------------------------
+  // Layer 1: Session Delegation
+  // --------------------------------------------------------------------------
+  /**
+   * Create a delegated agent session. Records the delegation in the
+   * tamper-evident digest chain as the session's genesis event.
+   */
+  async createSession(input) {
+    if (!input.agentId) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, "agentId is required");
+    }
+    if (!input.delegatedBy) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, "delegatedBy is required");
+    }
+    if (!input.scope || input.scope.length === 0) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, "scope must contain at least one capability");
+    }
+    const sessionId = generateId();
+    const createdAt = now();
+    const constraints = input.constraints ? {
+      ...input.constraints,
+      ...input.constraints.allowedRecipients ? { allowedRecipients: input.constraints.allowedRecipients.map((a) => a.toLowerCase()) } : {}
+    } : void 0;
+    const session = {
+      sessionId,
+      agentId: input.agentId,
+      delegatedBy: input.delegatedBy,
+      scope: [...input.scope],
+      ...constraints ? { constraints } : {},
+      status: "active",
+      createdAt,
+      ...input.expiresIn ? { expiresAt: new Date(Date.now() + input.expiresIn).toISOString() } : {},
+      metadata: input.metadata ? { ...input.metadata } : {}
+    };
+    const action = await this.logger.log({
+      type: "session-start",
+      description: `Session created: ${input.agentId} delegated by ${input.delegatedBy}`,
+      agentId: input.agentId,
+      sessionId,
+      metadata: {
+        delegatedBy: input.delegatedBy,
+        scope: input.scope,
+        ...constraints ? { constraints } : {}
+      }
+    });
+    session.digest = action.digest;
+    session.priorDigest = action.priorDigest;
+    this.store.addSession(session);
+    return { ...session, scope: [...session.scope] };
+  }
+  /**
+   * Get an agent session by ID. Automatically marks expired sessions.
+   */
+  getSession(sessionId) {
+    const session = this.store.getSession(sessionId);
+    if (!session) return void 0;
+    if (session.status === "active" && session.expiresAt && new Date(session.expiresAt) < /* @__PURE__ */ new Date()) {
+      this.store.updateSession(sessionId, { status: "expired" });
+      return { ...session, status: "expired", scope: [...session.scope] };
     }
-    this.exporter = config.exporter ?? new NoopExporter();
-    this.logger = new ActionLogger(config, this.store);
-    this.taskManager = new TaskManager(config, this.store);
-    this.auditExporter = new AuditExporter(config, this.store);
-    this.trustScorer = new TrustScorer(config, this.store);
-    this.anomalyDetector = new AnomalyDetector(config, this.store);
-    this.featureFlagManager = config.featureFlags ? new FeatureFlagManager(config.featureFlags) : null;
-    if (config.anomalyRules && config.anomalyRules.length > 0) {
-      const advancedRules = ["newDestination", "offHoursActivity", "rapidSuccession", "roundAmount"];
-      const hasAdvanced = config.anomalyRules.some((r) => advancedRules.includes(r));
-      if (hasAdvanced) {
-        requirePlan("advanced-anomaly-rules", planTier);
+    return { ...session, scope: [...session.scope] };
+  }
+  /**
+   * Get all agent sessions.
+   */
+  getSessions() {
+    return this.store.getSessions().map((s) => {
+      if (s.status === "active" && s.expiresAt && new Date(s.expiresAt) < /* @__PURE__ */ new Date()) {
+        this.store.updateSession(s.sessionId, { status: "expired" });
+        return { ...s, status: "expired", scope: [...s.scope] };
       }
-      this.anomalyDetector.enableAnomalyDetection({
-        rules: config.anomalyRules,
-        thresholds: config.anomalyThresholds
-      });
+      return { ...s, scope: [...s.scope] };
+    });
+  }
+  /**
+   * End an active agent session. Records the termination in the digest chain.
+   */
+  async endSession(sessionId) {
+    const session = this.store.getSession(sessionId);
+    if (!session) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, `Session not found: ${sessionId}`);
+    }
+    if (session.status !== "active") {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, `Session is already ${session.status}: ${sessionId}`);
+    }
+    const endedAt = now();
+    await this.logger.log({
+      type: "session-end",
+      description: `Session ended: ${session.agentId}`,
+      agentId: session.agentId,
+      sessionId,
+      metadata: { delegatedBy: session.delegatedBy }
+    });
+    const updated = this.store.updateSession(sessionId, { status: "ended", endedAt });
+    if (!updated) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, `Failed to update session: ${sessionId}`);
     }
+    return { ...updated, scope: [...updated.scope] };
   }
   /**
-   * Initialize the Kontext SDK.
-   *
-   * @param config - Configuration options
-   * @returns Initialized Kontext client instance
-   *
-   * @example
-   * ```typescript
-   * // Local/OSS mode (no API key)
-   * const kontext = Kontext.init({
-   *   projectId: 'my-project',
-   *   environment: 'development',
-   * });
-   *
-   * // Cloud mode (with API key)
-   * const kontext = Kontext.init({
-   *   apiKey: 'sk_live_...',
-   *   projectId: 'my-project',
-   *   environment: 'production',
-   * });
-   *
-   * // With persistent file storage
-   * const kontext = Kontext.init({
-   *   projectId: 'my-project',
-   *   environment: 'development',
-   *   storage: new FileStorage('./kontext-data'),
-   * });
-   * ```
+   * Check whether an action is within a session's delegated scope.
    */
-  static init(config) {
-    if (!config.projectId || config.projectId.trim() === "") {
-      throw new KontextError(
-        "INITIALIZATION_ERROR" /* INITIALIZATION_ERROR */,
-        "projectId is required"
-      );
+  validateScope(sessionId, action) {
+    const session = this.getSession(sessionId);
+    if (!session || session.status !== "active") return false;
+    return session.scope.includes(action);
+  }
+  /**
+   * Check whether a transaction meets session constraints.
+   */
+  validateConstraints(sessionId, input) {
+    const session = this.getSession(sessionId);
+    if (!session || session.status !== "active") return false;
+    if (!session.constraints) return true;
+    const c = session.constraints;
+    if (c.maxAmount && input.amount) {
+      if (parseAmount(input.amount) > parseAmount(c.maxAmount)) return false;
     }
-    const validEnvironments = ["development", "staging", "production"];
-    if (!validEnvironments.includes(config.environment)) {
-      throw new KontextError(
-        "INITIALIZATION_ERROR" /* INITIALIZATION_ERROR */,
-        `Invalid environment: ${config.environment}. Must be one of: ${validEnvironments.join(", ")}`
-      );
+    if (c.allowedChains && input.chain) {
+      if (!c.allowedChains.includes(input.chain)) return false;
     }
-    if (config.debug) {
-      const mode = config.apiKey ? "cloud" : "local";
-      console.debug(
-        `[Kontext] Initializing in ${mode} mode for project ${config.projectId} (${config.environment})`
-      );
+    if (c.allowedTokens && input.token) {
+      if (!c.allowedTokens.includes(input.token)) return false;
     }
-    return new _Kontext(config);
+    if (c.allowedRecipients && input.to) {
+      if (!c.allowedRecipients.includes(input.to.toLowerCase())) return false;
+    }
+    return true;
   }
   // --------------------------------------------------------------------------
-  // Mode & Config
+  // Layer 3: Checkpoints & Human Attestation
   // --------------------------------------------------------------------------
   /**
-   * Get the current operating mode.
-   */
-  getMode() {
-    return this.mode;
-  }
-  /**
-   * Get the current configuration (API key is masked).
+   * Create a provenance checkpoint -- a review point where a human
+   * can attest to a batch of agent actions.
+   */
+  async createCheckpoint(input) {
+    const session = this.getSession(input.sessionId);
+    if (!session) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, `Session not found: ${input.sessionId}`);
+    }
+    if (session.status !== "active") {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, `Session is ${session.status}: ${input.sessionId}`);
+    }
+    if (!input.actionIds || input.actionIds.length === 0) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, "actionIds must contain at least one action");
+    }
+    if (!input.summary) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, "summary is required");
+    }
+    const sessionActions = this.store.getActionsBySession(input.sessionId);
+    const sessionActionIds = new Set(sessionActions.map((a) => a.id));
+    for (const actionId of input.actionIds) {
+      if (!sessionActionIds.has(actionId)) {
+        throw new KontextError(
+          "VALIDATION_ERROR" /* VALIDATION_ERROR */,
+          `Action ${actionId} not found in session ${input.sessionId}`
+        );
+      }
+    }
+    const actionDigests = input.actionIds.map((id) => {
+      const action = sessionActions.find((a) => a.id === id);
+      return action?.digest ?? "";
+    }).sort();
+    const hash = crypto$1.createHash("sha256");
+    hash.update(actionDigests.join(""));
+    const actionsDigest = hash.digest("hex");
+    const checkpointId = generateId();
+    const createdAt = now();
+    const checkpoint = {
+      id: checkpointId,
+      sessionId: input.sessionId,
+      actionIds: [...input.actionIds],
+      summary: input.summary,
+      actionsDigest,
+      status: "pending",
+      createdAt,
+      ...input.expiresIn ? { expiresAt: new Date(Date.now() + input.expiresIn).toISOString() } : {}
+    };
+    await this.logger.log({
+      type: "checkpoint-created",
+      description: `Checkpoint created: ${input.summary}`,
+      agentId: session.agentId,
+      sessionId: input.sessionId,
+      metadata: {
+        checkpointId,
+        actionCount: input.actionIds.length,
+        actionsDigest
+      }
+    });
+    this.store.addCheckpoint(checkpoint);
+    return { ...checkpoint, actionIds: [...checkpoint.actionIds] };
+  }
+  /**
+   * Attach an externally-produced human attestation to a checkpoint.
+   * The attestation includes a cryptographic signature that the agent
+   * never touches -- key separation is the critical security property.
+   */
+  async attachAttestation(checkpointId, attestation) {
+    const checkpoint = this.store.getCheckpoint(checkpointId);
+    if (!checkpoint) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, `Checkpoint not found: ${checkpointId}`);
+    }
+    if (checkpoint.status === "pending" && checkpoint.expiresAt && new Date(checkpoint.expiresAt) < /* @__PURE__ */ new Date()) {
+      this.store.updateCheckpoint(checkpointId, { status: "expired" });
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, `Checkpoint expired: ${checkpointId}`);
+    }
+    if (checkpoint.status !== "pending") {
+      throw new KontextError(
+        "VALIDATION_ERROR" /* VALIDATION_ERROR */,
+        `Checkpoint is already ${checkpoint.status}: ${checkpointId}`
+      );
+    }
+    if (attestation.checkpointId !== checkpointId) {
+      throw new KontextError(
+        "VALIDATION_ERROR" /* VALIDATION_ERROR */,
+        `Attestation checkpointId mismatch: expected ${checkpointId}, got ${attestation.checkpointId}`
+      );
+    }
+    const newStatus = attestation.decision === "approved" ? "attested" : "rejected";
+    const session = this.store.getSession(checkpoint.sessionId);
+    const agentId = session?.agentId ?? "unknown";
+    await this.logger.log({
+      type: `checkpoint-${newStatus}`,
+      description: `Checkpoint ${newStatus} by ${attestation.reviewerId}`,
+      agentId,
+      sessionId: checkpoint.sessionId,
+      metadata: {
+        checkpointId,
+        reviewerId: attestation.reviewerId,
+        decision: attestation.decision,
+        attestationId: attestation.attestationId
+      }
+    });
+    const updated = this.store.updateCheckpoint(checkpointId, {
+      status: newStatus,
+      attestation
+    });
+    if (!updated) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, `Failed to update checkpoint: ${checkpointId}`);
+    }
+    return { ...updated, actionIds: [...updated.actionIds] };
+  }
+  /**
+   * Get a checkpoint by ID. Automatically marks expired checkpoints.
+   */
+  getCheckpoint(checkpointId) {
+    const cp = this.store.getCheckpoint(checkpointId);
+    if (!cp) return void 0;
+    if (cp.status === "pending" && cp.expiresAt && new Date(cp.expiresAt) < /* @__PURE__ */ new Date()) {
+      this.store.updateCheckpoint(checkpointId, { status: "expired" });
+      return { ...cp, status: "expired", actionIds: [...cp.actionIds] };
+    }
+    return { ...cp, actionIds: [...cp.actionIds] };
+  }
+  /**
+   * Get all checkpoints, optionally filtered by session.
+   */
+  getCheckpoints(sessionId) {
+    const all = sessionId ? this.store.queryCheckpoints((cp) => cp.sessionId === sessionId) : this.store.getCheckpoints();
+    return all.map((cp) => {
+      if (cp.status === "pending" && cp.expiresAt && new Date(cp.expiresAt) < /* @__PURE__ */ new Date()) {
+        this.store.updateCheckpoint(cp.id, { status: "expired" });
+        return { ...cp, status: "expired", actionIds: [...cp.actionIds] };
+      }
+      return { ...cp, actionIds: [...cp.actionIds] };
+    });
+  }
+  // --------------------------------------------------------------------------
+  // Provenance Bundle Export
+  // --------------------------------------------------------------------------
+  /**
+   * Export the full provenance bundle for a session.
+   */
+  getProvenanceBundle(sessionId) {
+    const session = this.getSession(sessionId);
+    if (!session) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, `Session not found: ${sessionId}`);
+    }
+    const sessionActions = this.store.getActionsBySession(sessionId);
+    const checkpoints = this.getCheckpoints(sessionId);
+    const actions = sessionActions.filter((a) => a.digest && a.priorDigest).map((a) => ({
+      actionId: a.id,
+      type: a.type,
+      digest: a.digest,
+      priorDigest: a.priorDigest,
+      sessionId,
+      timestamp: a.timestamp
+    }));
+    const attestedCheckpoints = checkpoints.filter((cp) => cp.status === "attested");
+    const attestedActionIds = /* @__PURE__ */ new Set();
+    for (const cp of attestedCheckpoints) {
+      for (const actionId of cp.actionIds) {
+        attestedActionIds.add(actionId);
+      }
+    }
+    const userActions = sessionActions.filter(
+      (a) => !a.type.startsWith("session-") && !a.type.startsWith("checkpoint-")
+    );
+    const verification = {
+      digestChainValid: this.logger.verifyChain(this.store.getActions()).valid,
+      totalActions: userActions.length,
+      humanAttested: userActions.filter((a) => attestedActionIds.has(a.id)).length,
+      sessionScoped: userActions.length,
+      unattested: userActions.filter((a) => !attestedActionIds.has(a.id)).length
+    };
+    return {
+      session,
+      actions,
+      checkpoints,
+      verification,
+      generatedAt: now()
+    };
+  }
+};
+
+// src/kya/identity-registry.ts
+var AgentIdentityRegistry = class {
+  /** agentId -> AgentIdentity */
+  identities = /* @__PURE__ */ new Map();
+  /** normalized address -> agentId (reverse index) */
+  walletIndex = /* @__PURE__ */ new Map();
+  /**
+   * Register a new agent identity.
+   */
+  register(input) {
+    if (this.identities.has(input.agentId)) {
+      throw new Error(`Identity already registered for agent: ${input.agentId}`);
+    }
+    const timestamp = now();
+    const wallets = (input.wallets ?? []).map((w) => ({
+      address: w.address.toLowerCase(),
+      chain: w.chain,
+      verified: false,
+      addedAt: timestamp,
+      label: w.label
+    }));
+    const identity = {
+      agentId: input.agentId,
+      displayName: input.displayName,
+      entityType: input.entityType ?? "unknown",
+      wallets,
+      kycReferences: [],
+      contactUri: input.contactUri,
+      metadata: input.metadata ?? {},
+      createdAt: timestamp,
+      updatedAt: timestamp
+    };
+    this.identities.set(input.agentId, identity);
+    for (const wallet of wallets) {
+      this.walletIndex.set(wallet.address, input.agentId);
+    }
+    return { ...identity, wallets: [...wallets] };
+  }
+  /**
+   * Update an existing agent identity.
+   */
+  update(agentId, input) {
+    const existing = this.identities.get(agentId);
+    if (!existing) {
+      throw new Error(`Identity not found for agent: ${agentId}`);
+    }
+    const updated = {
+      ...existing,
+      updatedAt: now()
+    };
+    if (input.displayName !== void 0) updated.displayName = input.displayName;
+    if (input.entityType !== void 0) updated.entityType = input.entityType;
+    if (input.contactUri !== void 0) updated.contactUri = input.contactUri;
+    if (input.metadata !== void 0) {
+      updated.metadata = { ...existing.metadata, ...input.metadata };
+    }
+    this.identities.set(agentId, updated);
+    return { ...updated, wallets: [...updated.wallets] };
+  }
+  /**
+   * Get an agent identity by agent ID.
+   */
+  get(agentId) {
+    const identity = this.identities.get(agentId);
+    if (!identity) return void 0;
+    return { ...identity, wallets: [...identity.wallets] };
+  }
+  /**
+   * Remove an agent identity and all wallet index entries.
+   */
+  remove(agentId) {
+    const identity = this.identities.get(agentId);
+    if (!identity) return false;
+    for (const wallet of identity.wallets) {
+      this.walletIndex.delete(wallet.address);
+    }
+    this.identities.delete(agentId);
+    return true;
+  }
+  /**
+   * Get all registered identities.
+   */
+  getAll() {
+    return Array.from(this.identities.values()).map((id) => ({
+      ...id,
+      wallets: [...id.wallets]
+    }));
+  }
+  // --------------------------------------------------------------------------
+  // Wallet Operations
+  // --------------------------------------------------------------------------
+  /**
+   * Add a wallet to an existing agent identity.
+   */
+  addWallet(agentId, wallet) {
+    const identity = this.identities.get(agentId);
+    if (!identity) {
+      throw new Error(`Identity not found for agent: ${agentId}`);
+    }
+    const normalized = wallet.address.toLowerCase();
+    const existingOwner = this.walletIndex.get(normalized);
+    if (existingOwner && existingOwner !== agentId) {
+      throw new Error(`Wallet ${normalized} is already registered to agent: ${existingOwner}`);
+    }
+    if (identity.wallets.some((w) => w.address === normalized)) {
+      return { ...identity, wallets: [...identity.wallets] };
+    }
+    const mapping = {
+      address: normalized,
+      chain: wallet.chain,
+      verified: false,
+      addedAt: now(),
+      label: wallet.label
+    };
+    identity.wallets.push(mapping);
+    identity.updatedAt = now();
+    this.walletIndex.set(normalized, agentId);
+    return { ...identity, wallets: [...identity.wallets] };
+  }
+  /**
+   * Remove a wallet from an agent identity.
+   */
+  removeWallet(agentId, address) {
+    const identity = this.identities.get(agentId);
+    if (!identity) {
+      throw new Error(`Identity not found for agent: ${agentId}`);
+    }
+    const normalized = address.toLowerCase();
+    identity.wallets = identity.wallets.filter((w) => w.address !== normalized);
+    identity.updatedAt = now();
+    this.walletIndex.delete(normalized);
+    return { ...identity, wallets: [...identity.wallets] };
+  }
+  /**
+   * Look up an agent identity by wallet address.
+   */
+  lookupByWallet(address) {
+    const agentId = this.walletIndex.get(address.toLowerCase());
+    if (!agentId) return void 0;
+    return this.get(agentId);
+  }
+  // --------------------------------------------------------------------------
+  // KYC Operations
+  // --------------------------------------------------------------------------
+  /**
+   * Add a KYC provider reference to an agent identity.
+   */
+  addKycReference(agentId, reference) {
+    const identity = this.identities.get(agentId);
+    if (!identity) {
+      throw new Error(`Identity not found for agent: ${agentId}`);
+    }
+    identity.kycReferences.push(reference);
+    identity.updatedAt = now();
+    return { ...identity, wallets: [...identity.wallets] };
+  }
+  /**
+   * Get the overall KYC status for an agent.
+   * Returns the best status from all references.
+   */
+  getKycStatus(agentId) {
+    const identity = this.identities.get(agentId);
+    if (!identity || identity.kycReferences.length === 0) return "none";
+    const statusPriority = {
+      verified: 4,
+      pending: 3,
+      expired: 2,
+      rejected: 1,
+      none: 0
+    };
+    let best = "none";
+    for (const ref of identity.kycReferences) {
+      if (statusPriority[ref.status] > statusPriority[best]) {
+        best = ref.status;
+      }
+    }
+    return best;
+  }
+  /**
+   * Check if an agent has at least one verified and non-expired KYC reference.
+   */
+  hasVerifiedKyc(agentId) {
+    const identity = this.identities.get(agentId);
+    if (!identity) return false;
+    const currentTime = (/* @__PURE__ */ new Date()).toISOString();
+    return identity.kycReferences.some(
+      (ref) => ref.status === "verified" && (ref.expiresAt === null || ref.expiresAt > currentTime)
+    );
+  }
+};
+
+// src/kya/wallet-clustering.ts
+var UnionFind = class {
+  parent = /* @__PURE__ */ new Map();
+  rank = /* @__PURE__ */ new Map();
+  /**
+   * Find the representative of the set containing x.
+   * Uses path compression for amortized near-constant time.
+   */
+  find(x) {
+    if (!this.parent.has(x)) {
+      this.parent.set(x, x);
+      this.rank.set(x, 0);
+    }
+    let root = x;
+    while (this.parent.get(root) !== root) {
+      root = this.parent.get(root);
+    }
+    let current = x;
+    while (current !== root) {
+      const next = this.parent.get(current);
+      this.parent.set(current, root);
+      current = next;
+    }
+    return root;
+  }
+  /**
+   * Union the sets containing x and y.
+   * Uses union-by-rank for balanced trees.
+   */
+  union(x, y) {
+    const rootX = this.find(x);
+    const rootY = this.find(y);
+    if (rootX === rootY) return;
+    const rankX = this.rank.get(rootX);
+    const rankY = this.rank.get(rootY);
+    if (rankX < rankY) {
+      this.parent.set(rootX, rootY);
+    } else if (rankX > rankY) {
+      this.parent.set(rootY, rootX);
+    } else {
+      this.parent.set(rootY, rootX);
+      this.rank.set(rootX, rankX + 1);
+    }
+  }
+  /**
+   * Check if x and y are in the same set.
+   */
+  connected(x, y) {
+    return this.find(x) === this.find(y);
+  }
+  /**
+   * Get all components as arrays of elements.
+   */
+  getComponents() {
+    const components = /* @__PURE__ */ new Map();
+    for (const key of this.parent.keys()) {
+      const root = this.find(key);
+      if (!components.has(root)) {
+        components.set(root, []);
+      }
+      components.get(root).push(key);
+    }
+    return Array.from(components.values());
+  }
+  /**
+   * Get the component containing x.
+   */
+  getComponentOf(x) {
+    const root = this.find(x);
+    const component = [];
+    for (const key of this.parent.keys()) {
+      if (this.find(key) === root) {
+        component.push(key);
+      }
+    }
+    return component;
+  }
+};
+var WalletClusterer = class {
+  config;
+  cachedClusters = null;
+  constructor(config = {}) {
+    this.config = {
+      temporalWindowSeconds: config.temporalWindowSeconds ?? 60,
+      minDestinationOverlap: config.minDestinationOverlap ?? 0.3,
+      minGasSponsoredWallets: config.minGasSponsoredWallets ?? 3
+    };
+  }
+  /**
+   * Analyze transactions from the store and registry to produce wallet clusters.
+   */
+  analyzeFromStore(store, registry) {
+    const uf = new UnionFind();
+    const evidence = [];
+    const transactions = store.getTransactions();
+    const timestamp = now();
+    for (const tx of transactions) {
+      uf.find(tx.from.toLowerCase());
+      uf.find(tx.to.toLowerCase());
+    }
+    this.applyCommonAgent(store, uf, evidence, timestamp);
+    this.applyFundingChain(store, uf, evidence, timestamp);
+    this.applyGasSponsorship(store, uf, evidence, timestamp);
+    this.applyTemporalCoSpending(store, uf, evidence, timestamp);
+    if (registry) {
+      this.applyDeclaredWallets(registry, uf, evidence, timestamp);
+    }
+    const clusters = this.buildClusters(uf, evidence, store, registry, timestamp);
+    this.cachedClusters = clusters;
+    return clusters;
+  }
+  /**
+   * Get cached clusters (or empty if not analyzed yet).
+   */
+  getClusters() {
+    return this.cachedClusters ?? [];
+  }
+  /**
+   * Invalidate the cached clusters.
+   */
+  invalidateCache() {
+    this.cachedClusters = null;
+  }
+  // --------------------------------------------------------------------------
+  // Heuristics
+  // --------------------------------------------------------------------------
+  /**
+   * Heuristic 1: Common Agent (confidence 0.9)
+   * Same agentId used multiple addresses -> union all from/to per agent.
+   */
+  applyCommonAgent(store, uf, evidence, timestamp) {
+    const transactions = store.getTransactions();
+    const agentAddresses = /* @__PURE__ */ new Map();
+    for (const tx of transactions) {
+      const from = tx.from.toLowerCase();
+      const agentId = tx.agentId;
+      if (!agentAddresses.has(agentId)) {
+        agentAddresses.set(agentId, /* @__PURE__ */ new Set());
+      }
+      agentAddresses.get(agentId).add(from);
+    }
+    for (const [, addresses] of agentAddresses) {
+      const addrs = Array.from(addresses);
+      for (let i = 1; i < addrs.length; i++) {
+        if (!uf.connected(addrs[0], addrs[i])) {
+          uf.union(addrs[0], addrs[i]);
+          evidence.push({
+            heuristic: "common-agent",
+            confidence: 0.9,
+            addresses: [addrs[0], addrs[i]],
+            detectedAt: timestamp
+          });
+        }
+      }
+    }
+  }
+  /**
+   * Heuristic 2: Funding Chain (confidence 0.7)
+   * If A sends to B, and A is agent-associated -> union A and B.
+   */
+  applyFundingChain(store, uf, evidence, timestamp) {
+    const transactions = store.getTransactions();
+    const agentAssociated = /* @__PURE__ */ new Set();
+    for (const tx of transactions) {
+      agentAssociated.add(tx.from.toLowerCase());
+    }
+    for (const tx of transactions) {
+      const from = tx.from.toLowerCase();
+      const to = tx.to.toLowerCase();
+      if (agentAssociated.has(from) && !uf.connected(from, to)) {
+        uf.union(from, to);
+        evidence.push({
+          heuristic: "funding-chain",
+          confidence: 0.7,
+          addresses: [from, to],
+          detectedAt: timestamp
+        });
+      }
+    }
+  }
+  /**
+   * Heuristic 3: Gas Sponsorship (confidence 0.75)
+   * If G is from in transfers to 3+ distinct agent wallets -> union G with all.
+   */
+  applyGasSponsorship(store, uf, evidence, timestamp) {
+    const transactions = store.getTransactions();
+    const agentFromAddresses = /* @__PURE__ */ new Set();
+    for (const tx of transactions) {
+      agentFromAddresses.add(tx.from.toLowerCase());
+    }
+    const senderToRecipients = /* @__PURE__ */ new Map();
+    for (const tx of transactions) {
+      const from = tx.from.toLowerCase();
+      const to = tx.to.toLowerCase();
+      if (!senderToRecipients.has(from)) {
+        senderToRecipients.set(from, /* @__PURE__ */ new Set());
+      }
+      senderToRecipients.get(from).add(to);
+    }
+    for (const [sender, recipients] of senderToRecipients) {
+      const agentRecipients = Array.from(recipients).filter(
+        (r) => agentFromAddresses.has(r)
+      );
+      if (agentRecipients.length >= this.config.minGasSponsoredWallets) {
+        for (const recipient of agentRecipients) {
+          if (!uf.connected(sender, recipient)) {
+            uf.union(sender, recipient);
+            evidence.push({
+              heuristic: "gas-sponsorship",
+              confidence: 0.75,
+              addresses: [sender, recipient],
+              detectedAt: timestamp,
+              detail: `Sender ${sender} sponsors ${agentRecipients.length} agent wallets`
+            });
+          }
+        }
+      }
+    }
+  }
+  /**
+   * Heuristic 4: Temporal Co-Spending (confidence 0.6)
+   * Addresses transacting within a window with destination overlap.
+   */
+  applyTemporalCoSpending(store, uf, evidence, timestamp) {
+    const transactions = store.getTransactions();
+    if (transactions.length < 2) return;
+    const txByFrom = /* @__PURE__ */ new Map();
+    for (const tx of transactions) {
+      const from = tx.from.toLowerCase();
+      const to = tx.to.toLowerCase();
+      if (!txByFrom.has(from)) {
+        txByFrom.set(from, []);
+      }
+      txByFrom.get(from).push({
+        to,
+        time: new Date(tx.timestamp).getTime() / 1e3
+      });
+    }
+    const fromAddresses = Array.from(txByFrom.keys());
+    for (let i = 0; i < fromAddresses.length; i++) {
+      for (let j = i + 1; j < fromAddresses.length; j++) {
+        const addrA = fromAddresses[i];
+        const addrB = fromAddresses[j];
+        const txsA = txByFrom.get(addrA);
+        const txsB = txByFrom.get(addrB);
+        let hasTemporalOverlap = false;
+        for (const a of txsA) {
+          for (const b of txsB) {
+            if (Math.abs(a.time - b.time) <= this.config.temporalWindowSeconds) {
+              hasTemporalOverlap = true;
+              break;
+            }
+          }
+          if (hasTemporalOverlap) break;
+        }
+        if (!hasTemporalOverlap) continue;
+        const destsA = new Set(txsA.map((t) => t.to));
+        const destsB = new Set(txsB.map((t) => t.to));
+        const intersection = new Set([...destsA].filter((d) => destsB.has(d)));
+        const union = /* @__PURE__ */ new Set([...destsA, ...destsB]);
+        const overlapRatio = union.size > 0 ? intersection.size / union.size : 0;
+        if (overlapRatio >= this.config.minDestinationOverlap) {
+          if (!uf.connected(addrA, addrB)) {
+            uf.union(addrA, addrB);
+            evidence.push({
+              heuristic: "temporal-co-spending",
+              confidence: 0.6,
+              addresses: [addrA, addrB],
+              detectedAt: timestamp,
+              detail: `Overlap ratio: ${overlapRatio.toFixed(2)}`
+            });
+          }
+        }
+      }
+    }
+  }
+  /**
+   * Heuristic 5: Declared Wallets (confidence 1.0)
+   * All wallets declared by the same identity are unioned.
+   */
+  applyDeclaredWallets(registry, uf, evidence, timestamp) {
+    const identities = registry.getAll();
+    for (const identity of identities) {
+      const addrs = identity.wallets.map((w) => w.address);
+      for (let i = 1; i < addrs.length; i++) {
+        if (!uf.connected(addrs[0], addrs[i])) {
+          uf.union(addrs[0], addrs[i]);
+          evidence.push({
+            heuristic: "declared-wallets",
+            confidence: 1,
+            addresses: [addrs[0], addrs[i]],
+            detectedAt: timestamp
+          });
+        }
+      }
+    }
+  }
+  // --------------------------------------------------------------------------
+  // Cluster Building
+  // --------------------------------------------------------------------------
+  buildClusters(uf, evidence, store, registry, timestamp) {
+    const components = uf.getComponents();
+    const clusters = [];
+    const evidenceByAddress = /* @__PURE__ */ new Map();
+    for (const e of evidence) {
+      for (const addr of e.addresses) {
+        if (!evidenceByAddress.has(addr)) {
+          evidenceByAddress.set(addr, []);
+        }
+        evidenceByAddress.get(addr).push(e);
+      }
+    }
+    const addressToAgents = /* @__PURE__ */ new Map();
+    for (const tx of store.getTransactions()) {
+      const from = tx.from.toLowerCase();
+      if (!addressToAgents.has(from)) {
+        addressToAgents.set(from, /* @__PURE__ */ new Set());
+      }
+      addressToAgents.get(from).add(tx.agentId);
+    }
+    if (registry) {
+      for (const identity of registry.getAll()) {
+        for (const wallet of identity.wallets) {
+          if (!addressToAgents.has(wallet.address)) {
+            addressToAgents.set(wallet.address, /* @__PURE__ */ new Set());
+          }
+          addressToAgents.get(wallet.address).add(identity.agentId);
+        }
+      }
+    }
+    for (const component of components) {
+      if (component.length < 2) continue;
+      const clusterEvidence = [];
+      const seen = /* @__PURE__ */ new Set();
+      for (const addr of component) {
+        const addrEvidence = evidenceByAddress.get(addr) ?? [];
+        for (const e of addrEvidence) {
+          const key = `${e.heuristic}:${e.addresses[0]}:${e.addresses[1]}`;
+          if (!seen.has(key)) {
+            seen.add(key);
+            clusterEvidence.push(e);
+          }
+        }
+      }
+      const agentIds = /* @__PURE__ */ new Set();
+      for (const addr of component) {
+        const agents = addressToAgents.get(addr);
+        if (agents) {
+          for (const a of agents) agentIds.add(a);
+        }
+      }
+      const maxConfidence = clusterEvidence.length > 0 ? Math.max(...clusterEvidence.map((e) => e.confidence)) : 0;
+      clusters.push({
+        id: generateId(),
+        addresses: component.sort(),
+        agentIds: Array.from(agentIds).sort(),
+        evidence: clusterEvidence,
+        confidence: maxConfidence,
+        createdAt: timestamp
+      });
+    }
+    return clusters;
+  }
+};
+
+// src/kya/behavioral-fingerprint.ts
+var MIN_SAMPLE_SIZE = 5;
+var BehavioralFingerprinter = class {
+  /**
+   * Compute a behavioral embedding for an agent from their transaction history.
+   * Returns null if the agent has fewer than MIN_SAMPLE_SIZE transactions.
+   */
+  computeEmbedding(agentId, store) {
+    const transactions = store.getTransactionsByAgent(agentId);
+    if (transactions.length < MIN_SAMPLE_SIZE) return null;
+    return {
+      agentId,
+      temporal: this.extractTemporalFeatures(transactions),
+      financial: this.extractFinancialFeatures(transactions),
+      network: this.extractNetworkFeatures(transactions),
+      operational: this.extractOperationalFeatures(transactions),
+      sampleSize: transactions.length,
+      computedAt: now()
+    };
+  }
+  /**
+   * Compute cosine similarity between two behavioral embeddings.
+   * Returns a value in [0, 1] where 1 means identical and 0 means orthogonal.
+   */
+  cosineSimilarity(a, b) {
+    const vecA = this.flattenEmbedding(a);
+    const vecB = this.flattenEmbedding(b);
+    let dot = 0;
+    let magA = 0;
+    let magB = 0;
+    for (let i = 0; i < vecA.length; i++) {
+      dot += vecA[i] * vecB[i];
+      magA += vecA[i] * vecA[i];
+      magB += vecB[i] * vecB[i];
+    }
+    const denominator = Math.sqrt(magA) * Math.sqrt(magB);
+    if (denominator === 0) return 0;
+    return dot / denominator;
+  }
+  // --------------------------------------------------------------------------
+  // Feature Extraction
+  // --------------------------------------------------------------------------
+  extractTemporalFeatures(txs) {
+    const sorted = [...txs].sort(
+      (a, b) => new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime()
+    );
+    const intervals = [];
+    for (let i = 1; i < sorted.length; i++) {
+      const diff = (new Date(sorted[i].timestamp).getTime() - new Date(sorted[i - 1].timestamp).getTime()) / 1e3;
+      intervals.push(diff);
+    }
+    const meanInterval = intervals.length > 0 ? intervals.reduce((s, v) => s + v, 0) / intervals.length : 0;
+    const stddevInterval = intervals.length > 1 ? Math.sqrt(
+      intervals.reduce((s, v) => s + (v - meanInterval) ** 2, 0) / (intervals.length - 1)
+    ) : 0;
+    const hourCounts = new Array(24).fill(0);
+    for (const tx of txs) {
+      const hour = new Date(tx.timestamp).getUTCHours();
+      hourCounts[hour] = (hourCounts[hour] ?? 0) + 1;
+    }
+    const hourTotal = hourCounts.reduce((s, v) => s + v, 0);
+    const hourHistogram = hourTotal > 0 ? hourCounts.map((c) => c / hourTotal) : hourCounts;
+    const dayCounts = new Array(7).fill(0);
+    for (const tx of txs) {
+      const day = new Date(tx.timestamp).getUTCDay();
+      dayCounts[day] = (dayCounts[day] ?? 0) + 1;
+    }
+    const dayTotal = dayCounts.reduce((s, v) => s + v, 0);
+    const dayHistogram = dayTotal > 0 ? dayCounts.map((c) => c / dayTotal) : dayCounts;
+    return {
+      meanIntervalSeconds: meanInterval,
+      stddevIntervalSeconds: stddevInterval,
+      hourHistogram,
+      dayHistogram
+    };
+  }
+  extractFinancialFeatures(txs) {
+    const amounts = txs.map((tx) => parseFloat(tx.amount)).filter((a) => !isNaN(a));
+    if (amounts.length === 0) {
+      return {
+        meanAmount: 0,
+        stddevAmount: 0,
+        medianAmount: 0,
+        roundAmountRatio: 0,
+        percentiles: [0, 0, 0, 0, 0]
+      };
+    }
+    const sorted = [...amounts].sort((a, b) => a - b);
+    const mean = amounts.reduce((s, v) => s + v, 0) / amounts.length;
+    const stddev = amounts.length > 1 ? Math.sqrt(
+      amounts.reduce((s, v) => s + (v - mean) ** 2, 0) / (amounts.length - 1)
+    ) : 0;
+    const median = this.percentile(sorted, 50);
+    const roundCount = amounts.filter((a) => a % 100 === 0).length;
+    return {
+      meanAmount: mean,
+      stddevAmount: stddev,
+      medianAmount: median,
+      roundAmountRatio: amounts.length > 0 ? roundCount / amounts.length : 0,
+      percentiles: [
+        this.percentile(sorted, 10),
+        this.percentile(sorted, 25),
+        this.percentile(sorted, 50),
+        this.percentile(sorted, 75),
+        this.percentile(sorted, 90)
+      ]
+    };
+  }
+  extractNetworkFeatures(txs) {
+    const destinations = txs.map((tx) => tx.to.toLowerCase());
+    const sources = txs.map((tx) => tx.from.toLowerCase());
+    const uniqueDests = new Set(destinations);
+    const uniqueSrcs = new Set(sources);
+    const reuseRatio = destinations.length > 0 ? 1 - uniqueDests.size / destinations.length : 0;
+    const destCounts = /* @__PURE__ */ new Map();
+    for (const d of destinations) {
+      destCounts.set(d, (destCounts.get(d) ?? 0) + 1);
+    }
+    let hhi = 0;
+    for (const count of destCounts.values()) {
+      const share = count / destinations.length;
+      hhi += share * share;
+    }
+    return {
+      uniqueDestinations: uniqueDests.size,
+      reuseRatio,
+      concentrationIndex: hhi,
+      uniqueSources: uniqueSrcs.size
+    };
+  }
+  extractOperationalFeatures(txs) {
+    const chainCounts = /* @__PURE__ */ new Map();
+    const tokenCounts = /* @__PURE__ */ new Map();
+    for (const tx of txs) {
+      const chain = tx.chain ?? "unknown";
+      const token = tx.token ?? "unknown";
+      chainCounts.set(chain, (chainCounts.get(chain) ?? 0) + 1);
+      tokenCounts.set(token, (tokenCounts.get(token) ?? 0) + 1);
+    }
+    const total = txs.length;
+    const chainDistribution = {};
+    for (const [chain, count] of chainCounts) {
+      chainDistribution[chain] = total > 0 ? count / total : 0;
+    }
+    const tokenDistribution = {};
+    for (const [token, count] of tokenCounts) {
+      tokenDistribution[token] = total > 0 ? count / total : 0;
+    }
+    const primaryChain = chainCounts.size > 0 ? Array.from(chainCounts.entries()).sort((a, b) => b[1] - a[1])[0][0] : "";
+    const primaryToken = tokenCounts.size > 0 ? Array.from(tokenCounts.entries()).sort((a, b) => b[1] - a[1])[0][0] : "";
+    return {
+      chainDistribution,
+      tokenDistribution,
+      primaryChain,
+      primaryToken
+    };
+  }
+  // --------------------------------------------------------------------------
+  // Helpers
+  // --------------------------------------------------------------------------
+  percentile(sorted, p) {
+    if (sorted.length === 0) return 0;
+    const idx = p / 100 * (sorted.length - 1);
+    const lower = Math.floor(idx);
+    const upper = Math.ceil(idx);
+    if (lower === upper) return sorted[lower];
+    return sorted[lower] + (sorted[upper] - sorted[lower]) * (idx - lower);
+  }
+  /**
+   * Flatten an embedding into a numeric vector for cosine similarity.
+   * Log-scales magnitude values with log(1+x).
+   */
+  flattenEmbedding(e) {
+    const vec = [];
+    vec.push(Math.log(1 + e.temporal.meanIntervalSeconds));
+    vec.push(Math.log(1 + e.temporal.stddevIntervalSeconds));
+    vec.push(...e.temporal.hourHistogram);
+    vec.push(...e.temporal.dayHistogram);
+    vec.push(Math.log(1 + e.financial.meanAmount));
+    vec.push(Math.log(1 + e.financial.stddevAmount));
+    vec.push(Math.log(1 + e.financial.medianAmount));
+    vec.push(e.financial.roundAmountRatio);
+    vec.push(...e.financial.percentiles.map((p) => Math.log(1 + p)));
+    vec.push(Math.log(1 + e.network.uniqueDestinations));
+    vec.push(e.network.reuseRatio);
+    vec.push(e.network.concentrationIndex);
+    vec.push(Math.log(1 + e.network.uniqueSources));
+    const chainValues = Object.values(e.operational.chainDistribution).sort(
+      (a, b) => b - a
+    );
+    const tokenValues = Object.values(e.operational.tokenDistribution).sort(
+      (a, b) => b - a
+    );
+    for (let i = 0; i < 5; i++) {
+      vec.push(chainValues[i] ?? 0);
+    }
+    for (let i = 0; i < 5; i++) {
+      vec.push(tokenValues[i] ?? 0);
+    }
+    return vec;
+  }
+};
+
+// src/kya/cross-session-linker.ts
+var WALLET_OVERLAP_WEIGHT = 0.4;
+var BEHAVIORAL_SIMILARITY_WEIGHT = 0.35;
+var DECLARED_IDENTITY_WEIGHT = 0.25;
+var CrossSessionLinker = class {
+  config;
+  links = /* @__PURE__ */ new Map();
+  constructor(config = {}) {
+    this.config = {
+      minBehavioralSimilarity: config.minBehavioralSimilarity ?? 0.85,
+      minLinkConfidence: config.minLinkConfidence ?? 0.6
+    };
+  }
+  /**
+   * Analyze all agents and create links between those with sufficient signals.
+   */
+  analyzeAndLink(store, registry, clusterer, fingerprinter) {
+    const newLinks = [];
+    const agentIds = /* @__PURE__ */ new Set();
+    for (const tx of store.getTransactions()) {
+      agentIds.add(tx.agentId);
+    }
+    for (const action of store.getActions()) {
+      agentIds.add(action.agentId);
+    }
+    const agents = Array.from(agentIds);
+    const clusters = clusterer.getClusters();
+    for (let i = 0; i < agents.length; i++) {
+      for (let j = i + 1; j < agents.length; j++) {
+        const agentA = agents[i];
+        const agentB = agents[j];
+        const existingKey = this.getLinkKey(agentA, agentB);
+        if (this.links.has(existingKey)) continue;
+        const signals = [];
+        const walletOverlap = this.computeWalletOverlap(
+          agentA,
+          agentB,
+          clusters
+        );
+        if (walletOverlap > 0) {
+          signals.push({
+            type: "wallet-overlap",
+            strength: walletOverlap,
+            weight: WALLET_OVERLAP_WEIGHT
+          });
+        }
+        const embeddingA = fingerprinter.computeEmbedding(agentA, store);
+        const embeddingB = fingerprinter.computeEmbedding(agentB, store);
+        if (embeddingA && embeddingB) {
+          const similarity = fingerprinter.cosineSimilarity(embeddingA, embeddingB);
+          if (similarity >= this.config.minBehavioralSimilarity) {
+            signals.push({
+              type: "behavioral-similarity",
+              strength: similarity,
+              weight: BEHAVIORAL_SIMILARITY_WEIGHT
+            });
+          }
+        }
+        const declaredStrength = this.computeDeclaredIdentitySignal(
+          agentA,
+          agentB,
+          registry
+        );
+        if (declaredStrength > 0) {
+          signals.push({
+            type: "declared-identity",
+            strength: declaredStrength,
+            weight: DECLARED_IDENTITY_WEIGHT
+          });
+        }
+        if (signals.length === 0) continue;
+        const confidence = signals.reduce((sum, s) => sum + s.strength * s.weight, 0) / signals.reduce((sum, s) => sum + s.weight, 0);
+        if (confidence >= this.config.minLinkConfidence) {
+          const link = {
+            id: generateId(),
+            agentIdA: agentA,
+            agentIdB: agentB,
+            confidence,
+            signals,
+            status: "inferred",
+            createdAt: now()
+          };
+          this.links.set(existingKey, link);
+          newLinks.push(link);
+        }
+      }
+    }
+    return newLinks;
+  }
+  /**
+   * Manually link two agents.
+   */
+  manualLink(agentIdA, agentIdB, reviewedBy) {
+    const key = this.getLinkKey(agentIdA, agentIdB);
+    const existing = this.links.get(key);
+    if (existing) {
+      existing.status = "confirmed";
+      existing.reviewedBy = reviewedBy;
+      existing.reviewedAt = now();
+      return { ...existing };
+    }
+    const link = {
+      id: generateId(),
+      agentIdA,
+      agentIdB,
+      confidence: 1,
+      signals: [
+        {
+          type: "declared-identity",
+          strength: 1,
+          weight: 1,
+          detail: `Manually linked by ${reviewedBy}`
+        }
+      ],
+      status: "confirmed",
+      createdAt: now(),
+      reviewedBy,
+      reviewedAt: now()
+    };
+    this.links.set(key, link);
+    return { ...link };
+  }
+  /**
+   * Review a link (confirm or reject).
+   */
+  reviewLink(linkId, decision, reviewedBy) {
+    for (const link of this.links.values()) {
+      if (link.id === linkId) {
+        link.status = decision;
+        link.reviewedBy = reviewedBy;
+        link.reviewedAt = now();
+        return { ...link };
+      }
+    }
+    return void 0;
+  }
+  /**
+   * Get all agents linked to the given agent.
+   */
+  getLinkedAgents(agentId) {
+    const linked = /* @__PURE__ */ new Set();
+    for (const link of this.links.values()) {
+      if (link.status === "rejected") continue;
+      if (link.agentIdA === agentId) linked.add(link.agentIdB);
+      if (link.agentIdB === agentId) linked.add(link.agentIdA);
+    }
+    return Array.from(linked);
+  }
+  /**
+   * Get all links for a specific agent.
+   */
+  getLinksForAgent(agentId) {
+    const result = [];
+    for (const link of this.links.values()) {
+      if (link.agentIdA === agentId || link.agentIdB === agentId) {
+        result.push({ ...link });
+      }
+    }
+    return result;
+  }
+  /**
+   * Get all links.
+   */
+  getAllLinks() {
+    return Array.from(this.links.values()).map((l) => ({ ...l }));
+  }
+  // --------------------------------------------------------------------------
+  // Private Helpers
+  // --------------------------------------------------------------------------
+  getLinkKey(a, b) {
+    return a < b ? `${a}:${b}` : `${b}:${a}`;
+  }
+  computeWalletOverlap(agentA, agentB, clusters) {
+    const clustersA = /* @__PURE__ */ new Set();
+    const clustersB = /* @__PURE__ */ new Set();
+    for (const cluster of clusters) {
+      if (cluster.agentIds.includes(agentA)) {
+        for (const addr of cluster.addresses) clustersA.add(addr);
+      }
+      if (cluster.agentIds.includes(agentB)) {
+        for (const addr of cluster.addresses) clustersB.add(addr);
+      }
+    }
+    if (clustersA.size === 0 || clustersB.size === 0) return 0;
+    const intersection = new Set([...clustersA].filter((a) => clustersB.has(a)));
+    const union = /* @__PURE__ */ new Set([...clustersA, ...clustersB]);
+    return union.size > 0 ? intersection.size / union.size : 0;
+  }
+  computeDeclaredIdentitySignal(agentA, agentB, registry) {
+    const identityA = registry.get(agentA);
+    const identityB = registry.get(agentB);
+    if (!identityA || !identityB) return 0;
+    const walletsA = new Set(identityA.wallets.map((w) => w.address));
+    const walletsB = new Set(identityB.wallets.map((w) => w.address));
+    const sharedWallets = [...walletsA].filter((w) => walletsB.has(w));
+    if (sharedWallets.length > 0) return 1;
+    const kycRefsA = new Set(
+      identityA.kycReferences.map((r) => `${r.provider}:${r.referenceId}`)
+    );
+    const kycRefsB = new Set(
+      identityB.kycReferences.map((r) => `${r.provider}:${r.referenceId}`)
+    );
+    const sharedKyc = [...kycRefsA].filter((r) => kycRefsB.has(r));
+    if (sharedKyc.length > 0) return 1;
+    return 0;
+  }
+};
+
+// src/kya/confidence-scorer.ts
+var KYAConfidenceScorer = class {
+  weights;
+  constructor(config = {}) {
+    this.weights = {
+      declaredIdentity: config.declaredIdentityWeight ?? 0.2,
+      kycVerification: config.kycVerificationWeight ?? 0.3,
+      walletGraph: config.walletGraphWeight ?? 0.2,
+      behavioralConsistency: config.behavioralConsistencyWeight ?? 0.2,
+      externalEnrichment: config.externalEnrichmentWeight ?? 0.1
+    };
+  }
+  /**
+   * Compute a composite confidence score for an agent.
+   */
+  computeScore(agentId, registry, clusterer, fingerprinter, linker, store) {
+    const components = [];
+    const declaredScore = this.scoreDeclaredIdentity(agentId, registry);
+    components.push({
+      name: "Declared Identity",
+      score: declaredScore.score,
+      weight: this.weights.declaredIdentity,
+      weightedScore: declaredScore.score * this.weights.declaredIdentity,
+      detail: declaredScore.detail
+    });
+    const kycScore = this.scoreKycVerification(agentId, registry);
+    components.push({
+      name: "KYC Verification",
+      score: kycScore.score,
+      weight: this.weights.kycVerification,
+      weightedScore: kycScore.score * this.weights.kycVerification,
+      detail: kycScore.detail
+    });
+    const walletScore = this.scoreWalletGraph(agentId, clusterer);
+    components.push({
+      name: "Wallet Graph",
+      score: walletScore.score,
+      weight: this.weights.walletGraph,
+      weightedScore: walletScore.score * this.weights.walletGraph,
+      detail: walletScore.detail
+    });
+    const behavioralScore = this.scoreBehavioralConsistency(
+      agentId,
+      fingerprinter,
+      linker,
+      store
+    );
+    components.push({
+      name: "Behavioral Consistency",
+      score: behavioralScore.score,
+      weight: this.weights.behavioralConsistency,
+      weightedScore: behavioralScore.score * this.weights.behavioralConsistency,
+      detail: behavioralScore.detail
+    });
+    const externalScore = this.scoreExternalEnrichment(agentId, registry);
+    components.push({
+      name: "External Enrichment",
+      score: externalScore.score,
+      weight: this.weights.externalEnrichment,
+      weightedScore: externalScore.score * this.weights.externalEnrichment,
+      detail: externalScore.detail
+    });
+    const totalWeight = components.reduce((sum, c) => sum + c.weight, 0);
+    const overallScore = totalWeight > 0 ? Math.round(components.reduce((sum, c) => sum + c.weightedScore, 0) / totalWeight) : 0;
+    return {
+      agentId,
+      score: overallScore,
+      level: this.scoreToLevel(overallScore),
+      components,
+      computedAt: now()
+    };
+  }
+  // --------------------------------------------------------------------------
+  // Component Scorers
+  // --------------------------------------------------------------------------
+  scoreDeclaredIdentity(agentId, registry) {
+    const identity = registry.get(agentId);
+    if (!identity) return { score: 0, detail: "No declared identity" };
+    let score = 30;
+    const parts = ["identity registered"];
+    if (identity.displayName) {
+      score += 10;
+      parts.push("displayName set");
+    }
+    if (identity.entityType !== "unknown") {
+      score += 10;
+      parts.push(`entityType: ${identity.entityType}`);
+    }
+    if (identity.wallets.length > 0) {
+      score += 20;
+      parts.push(`${identity.wallets.length} wallet(s)`);
+    }
+    if (identity.contactUri) {
+      score += 10;
+      parts.push("contactUri set");
+    }
+    if (Object.keys(identity.metadata).length > 0) {
+      score += 20;
+      parts.push("metadata provided");
+    }
+    return { score: Math.min(100, score), detail: parts.join(", ") };
+  }
+  scoreKycVerification(agentId, registry) {
+    const identity = registry.get(agentId);
+    if (!identity || identity.kycReferences.length === 0) {
+      return { score: 0, detail: "No KYC verification" };
+    }
+    const refs = identity.kycReferences;
+    const hasRejected = refs.some((r) => r.status === "rejected");
+    const verifiedRefs = refs.filter((r) => r.status === "verified");
+    const pendingRefs = refs.filter((r) => r.status === "pending");
+    const currentTime = (/* @__PURE__ */ new Date()).toISOString();
+    const activeVerified = verifiedRefs.filter(
+      (r) => r.expiresAt === null || r.expiresAt > currentTime
+    );
+    if (hasRejected && verifiedRefs.length === 0) {
+      return { score: 10, detail: "KYC rejected, capped at 10" };
+    }
+    if (pendingRefs.length > 0 && verifiedRefs.length === 0) {
+      return { score: 20, detail: "KYC pending" };
+    }
+    if (verifiedRefs.length > 0) {
+      let score = 90;
+      const parts = [`${verifiedRefs.length} verified`];
+      if (activeVerified.length > 0) {
+        score = 100;
+        parts.push("non-expired");
+      }
+      if (verifiedRefs.length > 1) {
+        score = Math.min(100, score + 10);
+        parts.push("multiple providers");
+      }
+      return { score, detail: parts.join(", ") };
+    }
+    return { score: 0, detail: "No KYC verification" };
+  }
+  scoreWalletGraph(agentId, clusterer) {
+    const clusters = clusterer.getClusters();
+    const agentClusters = clusters.filter((c) => c.agentIds.includes(agentId));
+    if (agentClusters.length === 0) {
+      return { score: 20, detail: "No wallet cluster" };
+    }
+    const totalAddresses = new Set(
+      agentClusters.flatMap((c) => c.addresses)
+    ).size;
+    if (totalAddresses === 1) {
+      return { score: 40, detail: "1 address in cluster" };
+    }
+    const heuristics = new Set(
+      agentClusters.flatMap((c) => c.evidence.map((e) => e.heuristic))
+    );
+    const hasDeclared = heuristics.has("declared-wallets");
+    const hasAuto = heuristics.size > (hasDeclared ? 1 : 0);
+    if (hasDeclared && hasAuto) {
+      return {
+        score: 85,
+        detail: `${totalAddresses} addresses, declared + auto heuristics`
+      };
+    }
+    if (heuristics.size > 1) {
+      return {
+        score: 70,
+        detail: `${totalAddresses} addresses, ${heuristics.size} heuristic types`
+      };
+    }
+    return {
+      score: 50,
+      detail: `${totalAddresses} addresses, single heuristic`
+    };
+  }
+  scoreBehavioralConsistency(agentId, fingerprinter, linker, store) {
+    const embedding = fingerprinter.computeEmbedding(agentId, store);
+    if (!embedding) {
+      return { score: 30, detail: "Insufficient data for embedding" };
+    }
+    const links = linker.getLinksForAgent(agentId);
+    const confirmedLinks = links.filter((l) => l.status === "confirmed");
+    if (confirmedLinks.length === 0 && links.length === 0) {
+      return { score: 50, detail: "Embedding computed, no links" };
+    }
+    let maxSimilarity = 0;
+    for (const link of confirmedLinks) {
+      const behavioralSignal = link.signals.find(
+        (s) => s.type === "behavioral-similarity"
+      );
+      if (behavioralSignal && behavioralSignal.strength > maxSimilarity) {
+        maxSimilarity = behavioralSignal.strength;
+      }
+    }
+    if (maxSimilarity > 0.9) {
+      return { score: 95, detail: `Confirmed link similarity: ${maxSimilarity.toFixed(2)}` };
+    }
+    if (maxSimilarity > 0.8) {
+      return { score: 85, detail: `Confirmed link similarity: ${maxSimilarity.toFixed(2)}` };
+    }
+    if (confirmedLinks.length > 0) {
+      return { score: 70, detail: `${confirmedLinks.length} confirmed link(s)` };
+    }
+    return { score: 50, detail: "Embedding computed, no confirmed links" };
+  }
+  scoreExternalEnrichment(agentId, registry) {
+    const identity = registry.get(agentId);
+    if (!identity) {
+      return { score: 50, detail: "Default (neutral), no identity" };
+    }
+    const riskLevels = identity.kycReferences.filter((r) => r.riskLevel).map((r) => r.riskLevel);
+    if (riskLevels.length === 0) {
+      return { score: 50, detail: "Default (neutral), no risk data" };
+    }
+    if (riskLevels.includes("high")) {
+      return { score: 20, detail: "High risk from external provider" };
+    }
+    if (riskLevels.includes("low")) {
+      return { score: 80, detail: "Low risk from external provider" };
+    }
+    return { score: 50, detail: "Medium risk from external provider" };
+  }
+  // --------------------------------------------------------------------------
+  // Helpers
+  // --------------------------------------------------------------------------
+  scoreToLevel(score) {
+    if (score >= 85) return "verified";
+    if (score >= 65) return "high";
+    if (score >= 40) return "medium";
+    if (score >= 20) return "low";
+    return "unknown";
+  }
+};
+
+// src/client.ts
+var PLAN_STORAGE_KEY = "kontext:plan";
+var Kontext = class _Kontext {
+  config;
+  store;
+  logger;
+  taskManager;
+  auditExporter;
+  mode;
+  planManager;
+  exporter;
+  featureFlagManager;
+  trustScorer;
+  anomalyDetector;
+  screeningAggregator;
+  provenanceManager = null;
+  identityRegistry = null;
+  walletClusterer = null;
+  behavioralFingerprinter = null;
+  crossSessionLinker = null;
+  confidenceScorer = null;
+  constructor(config) {
+    this.config = config;
+    this.mode = config.apiKey ? "cloud" : "local";
+    this.store = new KontextStore();
+    if (config.metadataSchema && typeof config.metadataSchema.parse !== "function") {
+      throw new KontextError(
+        "INITIALIZATION_ERROR" /* INITIALIZATION_ERROR */,
+        "metadataSchema must have a parse() method"
+      );
+    }
+    if (config.storage) {
+      this.store.setStorageAdapter(config.storage);
+    }
+    const planTier = config.plan ?? "free";
+    this.planManager = new PlanManager(planTier, void 0, config.seats ?? 1);
+    if (config.upgradeUrl) {
+      this.planManager.upgradeUrl = config.upgradeUrl;
+    }
+    this.exporter = config.exporter ?? new NoopExporter();
+    this.logger = new ActionLogger(config, this.store);
+    this.taskManager = new TaskManager(config, this.store);
+    this.auditExporter = new AuditExporter(config, this.store);
+    this.trustScorer = new TrustScorer(config, this.store);
+    this.anomalyDetector = new AnomalyDetector(config, this.store);
+    this.featureFlagManager = config.featureFlags ? new FeatureFlagManager(config.featureFlags) : null;
+    this.screeningAggregator = config.screening ? new ScreeningAggregator({
+      providers: config.screening.providers,
+      consensus: config.screening.consensus,
+      blocklist: config.screening.blocklist,
+      allowlist: config.screening.allowlist,
+      providerTimeoutMs: config.screening.providerTimeoutMs,
+      onEvent: () => this.planManager.recordEvent()
+    }) : null;
+    if (config.anomalyRules && config.anomalyRules.length > 0) {
+      const advancedRules = ["newDestination", "offHoursActivity", "rapidSuccession", "roundAmount"];
+      const hasAdvanced = config.anomalyRules.some((r) => advancedRules.includes(r));
+      if (hasAdvanced) {
+        requirePlan("advanced-anomaly-rules", planTier);
+      }
+      this.anomalyDetector.enableAnomalyDetection({
+        rules: config.anomalyRules,
+        thresholds: config.anomalyThresholds
+      });
+    }
+  }
+  /**
+   * Initialize the Kontext SDK.
+   *
+   * @param config - Configuration options
+   * @returns Initialized Kontext client instance
+   *
+   * @example
+   * ```typescript
+   * // Local/OSS mode (no API key)
+   * const kontext = Kontext.init({
+   *   projectId: 'my-project',
+   *   environment: 'development',
+   * });
+   *
+   * // Cloud mode (with API key)
+   * const kontext = Kontext.init({
+   *   apiKey: 'sk_live_...',
+   *   projectId: 'my-project',
+   *   environment: 'production',
+   * });
+   *
+   * // With persistent file storage
+   * const kontext = Kontext.init({
+   *   projectId: 'my-project',
+   *   environment: 'development',
+   *   storage: new FileStorage('./kontext-data'),
+   * });
+   * ```
+   */
+  static init(config) {
+    if (!config.projectId || config.projectId.trim() === "") {
+      throw new KontextError(
+        "INITIALIZATION_ERROR" /* INITIALIZATION_ERROR */,
+        "projectId is required"
+      );
+    }
+    const validEnvironments = ["development", "staging", "production"];
+    if (!validEnvironments.includes(config.environment)) {
+      throw new KontextError(
+        "INITIALIZATION_ERROR" /* INITIALIZATION_ERROR */,
+        `Invalid environment: ${config.environment}. Must be one of: ${validEnvironments.join(", ")}`
+      );
+    }
+    if (config.debug) {
+      const mode = config.apiKey ? "cloud" : "local";
+      console.debug(
+        `[Kontext] Initializing in ${mode} mode for project ${config.projectId} (${config.environment})`
+      );
+    }
+    return new _Kontext(config);
+  }
+  // --------------------------------------------------------------------------
+  // Mode & Config
+  // --------------------------------------------------------------------------
+  /**
+   * Get the current operating mode.
+   */
+  getMode() {
+    return this.mode;
+  }
+  /**
+   * Get the current configuration (API key is masked).
    */
   getConfig() {
     return {
@@ -3588,6 +5574,147 @@ var Kontext = class _Kontext {
       );
     }
   }
+  /**
+   * Map aggregated screening results into UsdcComplianceCheck format.
+   * Produces the same check/riskLevel/recommendations shape as
+   * UsdcCompliance.checkTransaction() and PaymentCompliance.checkPayment().
+   */
+  buildComplianceFromScreening(input, fromResult, toResult) {
+    const checks = [];
+    const fromHit = fromResult.hit;
+    const fromProviders = fromResult.providerResults.filter((r) => r.hit).map((r) => r.providerId).join(", ");
+    checks.push({
+      name: "sanctions_sender",
+      passed: !fromHit,
+      description: fromHit ? `Sender flagged by: ${fromProviders}` : `Sender cleared (${fromResult.totalProviders} provider${fromResult.totalProviders !== 1 ? "s" : ""} checked)`,
+      severity: fromHit ? "critical" : "low"
+    });
+    const toHit = toResult.hit;
+    const toProviders = toResult.providerResults.filter((r) => r.hit).map((r) => r.providerId).join(", ");
+    checks.push({
+      name: "sanctions_recipient",
+      passed: !toHit,
+      description: toHit ? `Recipient flagged by: ${toProviders}` : `Recipient cleared (${toResult.totalProviders} provider${toResult.totalProviders !== 1 ? "s" : ""} checked)`,
+      severity: toHit ? "critical" : "low"
+    });
+    const allUncovered = [
+      .../* @__PURE__ */ new Set([...fromResult.uncoveredLists, ...toResult.uncoveredLists])
+    ];
+    if (allUncovered.length > 0) {
+      checks.push({
+        name: "jurisdiction_coverage",
+        passed: false,
+        description: `Required lists not covered: ${allUncovered.join(", ")}`,
+        severity: "medium"
+      });
+    }
+    const thresholds = this.config.policy?.thresholds;
+    const eddThreshold = thresholds?.edd ?? 3e3;
+    const reportingThreshold = thresholds?.reporting ?? 1e4;
+    const largeThreshold = thresholds?.largeTransaction ?? 5e4;
+    const amount = parseAmount(input.amount);
+    if (amount >= eddThreshold) {
+      checks.push({
+        name: "enhanced_due_diligence",
+        passed: false,
+        description: `Amount $${amount.toLocaleString()} meets EDD threshold ($${eddThreshold.toLocaleString()})`,
+        severity: "low"
+      });
+    }
+    if (amount >= reportingThreshold) {
+      checks.push({
+        name: "reporting_threshold",
+        passed: false,
+        description: `Amount $${amount.toLocaleString()} meets CTR threshold ($${reportingThreshold.toLocaleString()})`,
+        severity: "low"
+      });
+    }
+    if (amount >= largeThreshold) {
+      checks.push({
+        name: "large_transaction",
+        passed: false,
+        description: `Large transaction: $${amount.toLocaleString()} exceeds $${largeThreshold.toLocaleString()}`,
+        severity: "medium"
+      });
+    }
+    const allErrors = [...fromResult.errors, ...toResult.errors];
+    if (allErrors.length > 0) {
+      checks.push({
+        name: "screening_errors",
+        passed: false,
+        description: `Provider errors: ${allErrors.map((e) => `${e.providerId}: ${e.error}`).join("; ")}`,
+        severity: "medium"
+      });
+    }
+    const failedChecks = checks.filter((c) => !c.passed);
+    const compliant = failedChecks.every((c) => c.severity === "low");
+    const severityOrder = ["low", "medium", "high", "critical"];
+    const highestSeverity = failedChecks.reduce(
+      (max, c) => severityOrder.indexOf(c.severity) > severityOrder.indexOf(max) ? c.severity : max,
+      "low"
+    );
+    const recommendations = [];
+    if (fromHit || toHit) {
+      recommendations.push("Block transaction: sanctions match detected");
+    }
+    if (allUncovered.length > 0) {
+      recommendations.push(`Add providers covering: ${allUncovered.join(", ")}`);
+    }
+    if (amount >= eddThreshold && amount < reportingThreshold) {
+      recommendations.push("Collect enhanced due diligence information");
+    }
+    if (amount >= reportingThreshold) {
+      recommendations.push("File Currency Transaction Report (CTR)");
+    }
+    return {
+      compliant,
+      checks,
+      riskLevel: highestSeverity,
+      recommendations
+    };
+  }
+  /** Lazy-init ProvenanceManager on first use. */
+  getProvenanceManager() {
+    if (!this.provenanceManager) {
+      this.provenanceManager = new ProvenanceManager(this.store, this.logger);
+    }
+    return this.provenanceManager;
+  }
+  /** Lazy-init AgentIdentityRegistry on first use. */
+  getIdentityRegistry() {
+    if (!this.identityRegistry) {
+      this.identityRegistry = new AgentIdentityRegistry();
+    }
+    return this.identityRegistry;
+  }
+  /** Lazy-init WalletClusterer on first use. */
+  getWalletClusterer() {
+    if (!this.walletClusterer) {
+      this.walletClusterer = new WalletClusterer();
+    }
+    return this.walletClusterer;
+  }
+  /** Lazy-init BehavioralFingerprinter on first use. */
+  getBehavioralFingerprinter() {
+    if (!this.behavioralFingerprinter) {
+      this.behavioralFingerprinter = new BehavioralFingerprinter();
+    }
+    return this.behavioralFingerprinter;
+  }
+  /** Lazy-init CrossSessionLinker on first use. */
+  getCrossSessionLinker() {
+    if (!this.crossSessionLinker) {
+      this.crossSessionLinker = new CrossSessionLinker();
+    }
+    return this.crossSessionLinker;
+  }
+  /** Lazy-init KYAConfidenceScorer on first use. */
+  getConfidenceScorer() {
+    if (!this.confidenceScorer) {
+      this.confidenceScorer = new KYAConfidenceScorer();
+    }
+    return this.confidenceScorer;
+  }
   // --------------------------------------------------------------------------
   // Action Logging
   // --------------------------------------------------------------------------
@@ -3618,7 +5745,7 @@ var Kontext = class _Kontext {
    * @returns The created transaction record
    */
   async logTransaction(input) {
-    if (input.chain && input.chain !== "base") {
+    if (input.chain && input.chain !== "base" && input.chain !== "arc") {
       requirePlan("multi-chain", this.planManager.getTier());
     }
     this.validateMetadata(input.metadata);
@@ -3973,7 +6100,28 @@ var Kontext = class _Kontext {
    */
   async verify(input) {
     const transaction = await this.logTransaction(input);
-    const compliance = isCryptoTransaction(input) ? UsdcCompliance.checkTransaction(input) : PaymentCompliance.checkPayment(input);
+    let compliance;
+    if (this.screeningAggregator) {
+      const fromResult = await this.screeningAggregator.screen(input.from, {
+        chain: input.chain,
+        token: input.token,
+        currency: input.currency,
+        amount: input.amount,
+        agentId: input.agentId
+      });
+      const toResult = await this.screeningAggregator.screen(input.to, {
+        chain: input.chain,
+        token: input.token,
+        currency: input.currency,
+        amount: input.amount,
+        agentId: input.agentId
+      });
+      compliance = this.buildComplianceFromScreening(input, fromResult, toResult);
+    } else if (isCryptoTransaction(input)) {
+      compliance = UsdcCompliance.checkTransaction(input);
+    } else {
+      compliance = PaymentCompliance.checkPayment(input);
+    }
     let reasoningId;
     if (input.reasoning) {
       const entry = await this.logReasoning({
@@ -4013,6 +6161,11 @@ var Kontext = class _Kontext {
         timestamp: (/* @__PURE__ */ new Date()).toISOString()
       });
     }
+    let attribution;
+    if (input.erc8021 && input.txHash) {
+      const { fetchTransactionAttribution: fetchTransactionAttribution2 } = await Promise.resolve().then(() => (init_erc8021(), erc8021_exports));
+      attribution = await fetchTransactionAttribution2(input.erc8021.rpcUrl, input.txHash) ?? void 0;
+    }
     let requiresApproval;
     let task;
     if (this.config.approvalThreshold) {
@@ -4056,7 +6209,8 @@ var Kontext = class _Kontext {
       ...reasoningId ? { reasoningId } : {},
       ...requiresApproval ? { requiresApproval, task } : {},
       ...anchorProof ? { anchorProof } : {},
-      ...counterpartyResult ? { counterparty: counterpartyResult } : {}
+      ...counterpartyResult ? { counterparty: counterpartyResult } : {},
+      ...attribution ? { attribution } : {}
     };
   }
   // --------------------------------------------------------------------------
@@ -4236,10 +6390,211 @@ var Kontext = class _Kontext {
       actions: actionSummary,
       reasoning: reasoningEntries
     };
-    const hash = crypto$1.createHash("sha256");
-    hash.update(JSON.stringify(certificateContent));
-    const contentHash = hash.digest("hex");
-    return { ...certificateContent, contentHash };
+    const hash = crypto$1.createHash("sha256");
+    hash.update(JSON.stringify(certificateContent));
+    const contentHash = hash.digest("hex");
+    return { ...certificateContent, contentHash };
+  }
+  // --------------------------------------------------------------------------
+  // Agent Provenance
+  // --------------------------------------------------------------------------
+  /**
+   * Create a delegated agent session. Records the delegation in the
+   * tamper-evident digest chain as the session's genesis event.
+   */
+  async createAgentSession(input) {
+    return this.getProvenanceManager().createSession(input);
+  }
+  /**
+   * Get an agent session by ID. Automatically marks expired sessions.
+   */
+  getAgentSession(sessionId) {
+    return this.getProvenanceManager().getSession(sessionId);
+  }
+  /**
+   * Get all agent sessions.
+   */
+  getAgentSessions() {
+    return this.getProvenanceManager().getSessions();
+  }
+  /**
+   * End an active agent session. Records the termination in the digest chain.
+   */
+  async endAgentSession(sessionId) {
+    return this.getProvenanceManager().endSession(sessionId);
+  }
+  /**
+   * Check whether an action is within a session's delegated scope.
+   */
+  validateSessionScope(sessionId, action) {
+    return this.getProvenanceManager().validateScope(sessionId, action);
+  }
+  /**
+   * Get all actions bound to a session (via sessionId on log/verify calls).
+   */
+  getSessionActions(sessionId) {
+    return this.store.getActionsBySession(sessionId);
+  }
+  /**
+   * Create a provenance checkpoint -- a review point where a human
+   * can attest to a batch of agent actions.
+   */
+  async createCheckpoint(input) {
+    return this.getProvenanceManager().createCheckpoint(input);
+  }
+  /**
+   * Attach an externally-produced human attestation to a checkpoint.
+   * The attestation includes a cryptographic signature that the agent
+   * never touches -- key separation is the critical security property.
+   */
+  async attachAttestation(checkpointId, attestation) {
+    return this.getProvenanceManager().attachAttestation(checkpointId, attestation);
+  }
+  /**
+   * Get a checkpoint by ID.
+   */
+  getCheckpoint(checkpointId) {
+    return this.getProvenanceManager().getCheckpoint(checkpointId);
+  }
+  /**
+   * Get all checkpoints, optionally filtered by session.
+   */
+  getCheckpoints(sessionId) {
+    return this.getProvenanceManager().getCheckpoints(sessionId);
+  }
+  /**
+   * Export the full provenance bundle for a session: session record,
+   * all bound actions, all checkpoints, and verification stats.
+   */
+  getProvenanceBundle(sessionId) {
+    return this.getProvenanceManager().getProvenanceBundle(sessionId);
+  }
+  // --------------------------------------------------------------------------
+  // Agent Forensics (KYA)
+  // --------------------------------------------------------------------------
+  /**
+   * Register a new agent identity with optional wallet mappings.
+   * Requires Pro plan.
+   */
+  registerAgentIdentity(input) {
+    requirePlan("kya-identity", this.planManager.getTier());
+    return this.getIdentityRegistry().register(input);
+  }
+  /**
+   * Get a registered agent identity by ID.
+   * Requires Pro plan.
+   */
+  getAgentIdentity(agentId) {
+    requirePlan("kya-identity", this.planManager.getTier());
+    return this.getIdentityRegistry().get(agentId);
+  }
+  /**
+   * Update an existing agent identity.
+   * Requires Pro plan.
+   */
+  updateAgentIdentity(agentId, input) {
+    requirePlan("kya-identity", this.planManager.getTier());
+    return this.getIdentityRegistry().update(agentId, input);
+  }
+  /**
+   * Remove an agent identity.
+   * Requires Pro plan.
+   */
+  removeAgentIdentity(agentId) {
+    requirePlan("kya-identity", this.planManager.getTier());
+    return this.getIdentityRegistry().remove(agentId);
+  }
+  /**
+   * Add a wallet to an existing agent identity.
+   * Requires Pro plan.
+   */
+  addAgentWallet(agentId, wallet) {
+    requirePlan("kya-identity", this.planManager.getTier());
+    return this.getIdentityRegistry().addWallet(agentId, wallet);
+  }
+  /**
+   * Look up which agent owns a wallet address.
+   * Requires Pro plan.
+   */
+  lookupAgentByWallet(address) {
+    requirePlan("kya-identity", this.planManager.getTier());
+    return this.getIdentityRegistry().lookupByWallet(address);
+  }
+  /**
+   * Compute wallet clusters from transaction patterns and declared identities.
+   * Requires Pro plan.
+   */
+  getWalletClusters() {
+    requirePlan("kya-identity", this.planManager.getTier());
+    const clusterer = this.getWalletClusterer();
+    clusterer.analyzeFromStore(this.store, this.getIdentityRegistry());
+    return clusterer.getClusters();
+  }
+  /**
+   * Export all KYA data as a single envelope.
+   * Requires Pro plan.
+   */
+  getKYAExport() {
+    requirePlan("kya-identity", this.planManager.getTier());
+    const registry = this.getIdentityRegistry();
+    const clusterer = this.getWalletClusterer();
+    clusterer.analyzeFromStore(this.store, registry);
+    return {
+      identities: registry.getAll(),
+      clusters: clusterer.getClusters(),
+      embeddings: [],
+      links: [],
+      scores: [],
+      generatedAt: now()
+    };
+  }
+  /**
+   * Compute a behavioral embedding for an agent from transaction history.
+   * Returns null if insufficient data. Requires Enterprise plan.
+   */
+  computeBehavioralEmbedding(agentId) {
+    requirePlan("kya-behavioral", this.planManager.getTier());
+    return this.getBehavioralFingerprinter().computeEmbedding(agentId, this.store);
+  }
+  /**
+   * Analyze all agents and create cross-session links.
+   * Requires Enterprise plan.
+   */
+  analyzeAgentLinks() {
+    requirePlan("kya-behavioral", this.planManager.getTier());
+    const clusterer = this.getWalletClusterer();
+    clusterer.analyzeFromStore(this.store, this.getIdentityRegistry());
+    return this.getCrossSessionLinker().analyzeAndLink(
+      this.store,
+      this.getIdentityRegistry(),
+      clusterer,
+      this.getBehavioralFingerprinter()
+    );
+  }
+  /**
+   * Get agents linked to a specific agent.
+   * Requires Enterprise plan.
+   */
+  getLinkedAgents(agentId) {
+    requirePlan("kya-behavioral", this.planManager.getTier());
+    return this.getCrossSessionLinker().getLinkedAgents(agentId);
+  }
+  /**
+   * Compute a composite identity confidence score for an agent.
+   * Requires Enterprise plan.
+   */
+  getKYAConfidenceScore(agentId) {
+    requirePlan("kya-behavioral", this.planManager.getTier());
+    const clusterer = this.getWalletClusterer();
+    clusterer.analyzeFromStore(this.store, this.getIdentityRegistry());
+    return this.getConfidenceScorer().computeScore(
+      agentId,
+      this.getIdentityRegistry(),
+      clusterer,
+      this.getBehavioralFingerprinter(),
+      this.getCrossSessionLinker(),
+      this.store
+    );
   }
   // --------------------------------------------------------------------------
   // Plan & Usage Metering
@@ -4439,30 +6794,756 @@ var FileStorage = class {
 
 // src/index.ts
 init_onchain();
+init_erc8021();
 init_attestation();
 
+// src/integrations/provider-treasury-sdn.ts
+var ACTIVE_SET = new Set(
+  OFAC_SDN_ACTIVE_ADDRESSES.map((a) => a.toLowerCase())
+);
+var DELISTED_SET = new Set(
+  OFAC_SDN_DELISTED_ADDRESSES.map((a) => a.toLowerCase())
+);
+var ALL_SET = new Set(
+  OFAC_SDN_ADDRESSES.map((a) => a.toLowerCase())
+);
+var ORIGINAL_CASE = /* @__PURE__ */ new Map();
+for (const addr of OFAC_SDN_ADDRESSES) {
+  ORIGINAL_CASE.set(addr.toLowerCase(), addr);
+}
+var OFACAddressProvider = class {
+  id = "ofac-sdn-address";
+  name = "OFAC SDN Address Screener";
+  lists = ["OFAC_SDN"];
+  requiresApiKey = false;
+  browserCompatible = true;
+  queryTypes = ["address"];
+  async screen(query, _context) {
+    const start = Date.now();
+    const lower = query.toLowerCase();
+    const matches = [];
+    if (ACTIVE_SET.has(lower)) {
+      const originalAddr = ORIGINAL_CASE.get(lower) ?? query;
+      matches.push({
+        list: "OFAC_SDN",
+        matchType: "exact_address",
+        similarity: 1,
+        matchedValue: originalAddr,
+        entityStatus: "active",
+        program: "SDN"
+      });
+    } else if (DELISTED_SET.has(lower)) {
+      const originalAddr = ORIGINAL_CASE.get(lower) ?? query;
+      matches.push({
+        list: "OFAC_SDN",
+        matchType: "exact_address",
+        similarity: 1,
+        matchedValue: originalAddr,
+        entityStatus: "delisted",
+        program: "SDN_DELISTED"
+      });
+    }
+    const hasActiveHit = matches.some((m) => m.entityStatus === "active");
+    return {
+      providerId: this.id,
+      hit: hasActiveHit,
+      matches,
+      listsChecked: this.lists,
+      entriesSearched: ALL_SET.size,
+      durationMs: Date.now() - start
+    };
+  }
+  isAvailable() {
+    return true;
+  }
+  getEntryCount() {
+    return ALL_SET.size;
+  }
+};
+
+// src/integrations/provider-ofac-entity.ts
+var NAME_MATCH_THRESHOLD2 = 0.85;
+var MIN_MATCH_LENGTH = 4;
+var _screener2 = null;
+var _screenerLoaded2 = false;
+function getScreener2() {
+  if (!_screenerLoaded2) {
+    _screenerLoaded2 = true;
+    try {
+      const mod = __require("./ofac-sanctions.js");
+      if (mod.OFACSanctionsScreener) {
+        _screener2 = new mod.OFACSanctionsScreener();
+      }
+    } catch {
+    }
+  }
+  return _screener2;
+}
+var OFACEntityProvider = class {
+  id = "ofac-sdn-entity";
+  name = "OFAC SDN Entity Screener";
+  lists = ["OFAC_SDN"];
+  requiresApiKey = false;
+  browserCompatible = false;
+  queryTypes = ["entity_name"];
+  async screen(query, _context) {
+    const start = Date.now();
+    const screener = getScreener2();
+    if (!screener) {
+      return {
+        providerId: this.id,
+        hit: false,
+        matches: [],
+        listsChecked: this.lists,
+        entriesSearched: 0,
+        durationMs: Date.now() - start,
+        error: "OFACSanctionsScreener not available"
+      };
+    }
+    const rawMatches = screener.searchEntityName(query, NAME_MATCH_THRESHOLD2);
+    const filteredMatches = rawMatches.filter(
+      (m) => m.similarity >= NAME_MATCH_THRESHOLD2 && m.matchedOn.length >= MIN_MATCH_LENGTH
+    );
+    const matches = filteredMatches.map((m) => {
+      const isActive = m.entity.list !== "DELISTED";
+      return {
+        list: "OFAC_SDN",
+        matchType: m.similarity >= 0.99 ? "exact_address" : "fuzzy_name",
+        similarity: m.similarity,
+        matchedValue: m.matchedOn,
+        entityStatus: isActive ? "active" : "delisted",
+        entityName: m.entity.name,
+        program: m.entity.programs?.[0]
+      };
+    });
+    const hasActiveHit = matches.some((m) => m.entityStatus === "active");
+    return {
+      providerId: this.id,
+      hit: hasActiveHit,
+      matches,
+      listsChecked: this.lists,
+      entriesSearched: screener.getEntityCount?.() ?? 0,
+      durationMs: Date.now() - start
+    };
+  }
+  isAvailable() {
+    return getScreener2() !== null;
+  }
+  getEntryCount() {
+    const screener = getScreener2();
+    return screener?.getEntityCount?.() ?? 0;
+  }
+};
+
+// src/integrations/data/uk-ofsi-addresses.ts
+var UK_OFSI_ADDRESSES = [
+  // Garantex (designated under Russia sanctions regime, May 2024)
+  "0x6F1cA141A28907F78Ebaa64f83E4AE6038d3cbe7",
+  // Lazarus Group / DPRK (overlaps with OFAC SDN but independently listed by OFSI)
+  "0x098B716B8Aaf21512996dC57EB0615e2383E2f96",
+  "0xa0e1c89Ef1a489c9C7dE96311eD5Ce5D32c20E4B",
+  "0x3Cffd56B47B7b41c56258D9C7731ABaDc360E460",
+  "0x53b6936513e738f44FB50d2b9476730C0Ab3Bfc1",
+  // DPRK-linked addresses (OFSI cyber programme)
+  "0x7F367cC41522cE07553e823bf3be79A889DEbe1B",
+  "0x01e2919679362dFBC9ee1644Ba9C6da6D6245BB1"
+];
+
+// src/integrations/provider-uk-ofsi.ts
+var ADDRESS_SET = new Set(
+  UK_OFSI_ADDRESSES.map((a) => a.toLowerCase())
+);
+var ORIGINAL_CASE2 = /* @__PURE__ */ new Map();
+for (const addr of UK_OFSI_ADDRESSES) {
+  ORIGINAL_CASE2.set(addr.toLowerCase(), addr);
+}
+var UKOFSIProvider = class {
+  id = "uk-ofsi-address";
+  name = "UK OFSI Address Screener";
+  lists = ["UK_OFSI"];
+  requiresApiKey = false;
+  browserCompatible = true;
+  queryTypes = ["address"];
+  async screen(query, _context) {
+    const start = Date.now();
+    const lower = query.toLowerCase();
+    const matches = [];
+    if (ADDRESS_SET.has(lower)) {
+      const originalAddr = ORIGINAL_CASE2.get(lower) ?? query;
+      matches.push({
+        list: "UK_OFSI",
+        matchType: "exact_address",
+        similarity: 1,
+        matchedValue: originalAddr,
+        entityStatus: "active",
+        program: "OFSI_CONSOLIDATED"
+      });
+    }
+    return {
+      providerId: this.id,
+      hit: matches.length > 0,
+      matches,
+      listsChecked: this.lists,
+      entriesSearched: ADDRESS_SET.size,
+      durationMs: Date.now() - start
+    };
+  }
+  isAvailable() {
+    return true;
+  }
+  getEntryCount() {
+    return ADDRESS_SET.size;
+  }
+};
+
+// src/integrations/provider-opensanctions-local.ts
+var NAME_MATCH_THRESHOLD3 = 0.85;
+var MIN_MATCH_LENGTH2 = 4;
+var DEFAULT_DATA_DIR = ".kontext/sanctions";
+function trigramSimilarity(a, b) {
+  const aNorm = a.toLowerCase().trim();
+  const bNorm = b.toLowerCase().trim();
+  if (aNorm === bNorm) return 1;
+  if (aNorm.length < 2 || bNorm.length < 2) return 0;
+  const trigramsA = /* @__PURE__ */ new Set();
+  const trigramsB = /* @__PURE__ */ new Set();
+  for (let i = 0; i <= aNorm.length - 3; i++) {
+    trigramsA.add(aNorm.slice(i, i + 3));
+  }
+  for (let i = 0; i <= bNorm.length - 3; i++) {
+    trigramsB.add(bNorm.slice(i, i + 3));
+  }
+  if (trigramsA.size === 0 || trigramsB.size === 0) return 0;
+  let intersection = 0;
+  for (const t of trigramsA) {
+    if (trigramsB.has(t)) intersection++;
+  }
+  return 2 * intersection / (trigramsA.size + trigramsB.size);
+}
+var OpenSanctionsLocalProvider = class {
+  id = "opensanctions-local";
+  name = "OpenSanctions (Local Data)";
+  lists = ["OPENSANCTIONS"];
+  requiresApiKey = false;
+  browserCompatible = false;
+  queryTypes = ["both"];
+  dataDir;
+  entities = [];
+  addressSet = /* @__PURE__ */ new Set();
+  addressToEntity = /* @__PURE__ */ new Map();
+  loaded = false;
+  constructor(dataDir) {
+    this.dataDir = dataDir ?? this.resolveDataDir();
+  }
+  async screen(query, _context) {
+    const start = Date.now();
+    if (!this.loaded) {
+      this.loadData();
+    }
+    if (this.entities.length === 0) {
+      return {
+        providerId: this.id,
+        hit: false,
+        matches: [],
+        listsChecked: this.lists,
+        entriesSearched: 0,
+        durationMs: Date.now() - start,
+        error: "No local OpenSanctions data. Run: kontext sync --lists default"
+      };
+    }
+    const matches = isBlockchainAddress(query) ? this.screenAddress(query) : this.screenEntityName(query);
+    const hasActiveHit = matches.some((m) => m.entityStatus === "active");
+    return {
+      providerId: this.id,
+      hit: hasActiveHit,
+      matches,
+      listsChecked: this.lists,
+      entriesSearched: this.entities.length,
+      durationMs: Date.now() - start
+    };
+  }
+  isAvailable() {
+    if (!this.loaded) {
+      this.loadData();
+    }
+    return this.entities.length > 0;
+  }
+  getEntryCount() {
+    if (!this.loaded) {
+      this.loadData();
+    }
+    return this.entities.length;
+  }
+  async sync() {
+    this.loaded = false;
+    this.loadData();
+    return { updated: true, count: this.entities.length };
+  }
+  // --------------------------------------------------------------------------
+  // Private
+  // --------------------------------------------------------------------------
+  screenAddress(address) {
+    const lower = address.toLowerCase();
+    const entity = this.addressToEntity.get(lower);
+    if (!entity) return [];
+    const entityStatus = this.getEntityStatus(entity);
+    return [
+      {
+        list: "OPENSANCTIONS",
+        matchType: "exact_address",
+        similarity: 1,
+        matchedValue: address,
+        entityStatus,
+        entityName: entity.caption,
+        program: entity.datasets.join(", ")
+      }
+    ];
+  }
+  screenEntityName(query) {
+    const matches = [];
+    const queryLower = query.toLowerCase().trim();
+    for (const entity of this.entities) {
+      const captionSim = trigramSimilarity(queryLower, entity.caption);
+      if (captionSim >= NAME_MATCH_THRESHOLD3 && entity.caption.length >= MIN_MATCH_LENGTH2) {
+        matches.push(this.entityToMatch(entity, entity.caption, captionSim));
+        continue;
+      }
+      const aliases = entity.properties["alias"] ?? [];
+      for (const alias of aliases) {
+        const aliasSim = trigramSimilarity(queryLower, alias);
+        if (aliasSim >= NAME_MATCH_THRESHOLD3 && alias.length >= MIN_MATCH_LENGTH2) {
+          matches.push(this.entityToMatch(entity, alias, aliasSim));
+          break;
+        }
+      }
+    }
+    matches.sort((a, b) => b.similarity - a.similarity);
+    return matches.slice(0, 5);
+  }
+  entityToMatch(entity, matchedValue, similarity) {
+    return {
+      list: "OPENSANCTIONS",
+      matchType: similarity >= 0.99 ? "exact_address" : "fuzzy_name",
+      similarity,
+      matchedValue,
+      entityStatus: this.getEntityStatus(entity),
+      entityName: entity.caption,
+      program: entity.datasets.join(", ")
+    };
+  }
+  getEntityStatus(entity) {
+    return "active";
+  }
+  loadData() {
+    this.loaded = true;
+    this.entities = [];
+    this.addressSet.clear();
+    this.addressToEntity.clear();
+    try {
+      const fs5 = __require("fs");
+      const pathMod = __require("path");
+      const dataPath = pathMod.resolve(this.dataDir);
+      if (!fs5.existsSync(dataPath)) return;
+      const files = fs5.readdirSync(dataPath).filter(
+        (f) => f.endsWith(".json")
+      );
+      for (const file of files) {
+        const filePath = pathMod.join(dataPath, file);
+        const content = fs5.readFileSync(filePath, "utf-8");
+        const lines = content.split("\n").filter((l) => l.trim());
+        for (const line of lines) {
+          try {
+            const entity = JSON.parse(line);
+            this.entities.push(entity);
+            const addresses = entity.properties["cryptoAddress"] ?? [];
+            for (const addr of addresses) {
+              const lower = addr.toLowerCase();
+              this.addressSet.add(lower);
+              this.addressToEntity.set(lower, entity);
+            }
+          } catch {
+          }
+        }
+      }
+    } catch {
+    }
+  }
+  resolveDataDir() {
+    try {
+      const os = __require("os");
+      const pathMod = __require("path");
+      return pathMod.join(os.homedir(), DEFAULT_DATA_DIR);
+    } catch {
+      return DEFAULT_DATA_DIR;
+    }
+  }
+};
+
+// src/integrations/provider-apis.ts
+var OpenSanctionsProvider = class {
+  id = "opensanctions-api";
+  name = "OpenSanctions (API)";
+  lists = ["OPENSANCTIONS"];
+  requiresApiKey = true;
+  browserCompatible = false;
+  queryTypes = ["both"];
+  apiKey;
+  baseUrl;
+  dataset;
+  constructor(config) {
+    this.apiKey = config.apiKey;
+    this.baseUrl = config.baseUrl ?? "https://api.opensanctions.org";
+    this.dataset = config.dataset ?? "default";
+  }
+  async screen(query, _context) {
+    const start = Date.now();
+    const isAddr = isBlockchainAddress(query);
+    const schema = isAddr ? "CryptoWallet" : "LegalEntity";
+    const properties = isAddr ? { cryptoAddress: [query] } : { name: [query] };
+    const body = {
+      queries: {
+        q: {
+          schema,
+          properties
+        }
+      }
+    };
+    try {
+      const response = await fetch(
+        `${this.baseUrl}/match/${this.dataset}`,
+        {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            "Authorization": `ApiKey ${this.apiKey}`
+          },
+          body: JSON.stringify(body)
+        }
+      );
+      if (!response.ok) {
+        return {
+          providerId: this.id,
+          hit: false,
+          matches: [],
+          listsChecked: this.lists,
+          entriesSearched: 0,
+          durationMs: Date.now() - start,
+          error: `OpenSanctions API error: ${response.status} ${response.statusText}`
+        };
+      }
+      const data = await response.json();
+      const queryResult = data.responses?.["q"];
+      if (!queryResult) {
+        return {
+          providerId: this.id,
+          hit: false,
+          matches: [],
+          listsChecked: this.lists,
+          entriesSearched: 0,
+          durationMs: Date.now() - start
+        };
+      }
+      const matches = queryResult.results.filter((r) => r.match && r.score >= 0.7).map((r) => ({
+        list: "OPENSANCTIONS",
+        matchType: r.score >= 0.99 ? "exact_address" : "fuzzy_name",
+        similarity: r.score,
+        matchedValue: r.caption,
+        entityStatus: "active",
+        entityName: r.caption,
+        program: r.datasets.join(", ")
+      }));
+      const hasActiveHit = matches.some((m) => m.entityStatus === "active");
+      return {
+        providerId: this.id,
+        hit: hasActiveHit,
+        matches,
+        listsChecked: this.lists,
+        entriesSearched: queryResult.total?.value ?? 0,
+        durationMs: Date.now() - start
+      };
+    } catch (err) {
+      return {
+        providerId: this.id,
+        hit: false,
+        matches: [],
+        listsChecked: this.lists,
+        entriesSearched: 0,
+        durationMs: Date.now() - start,
+        error: `OpenSanctions API error: ${err instanceof Error ? err.message : String(err)}`
+      };
+    }
+  }
+  isAvailable() {
+    return !!this.apiKey;
+  }
+};
+var ChainalysisFreeAPIProvider = class {
+  id = "chainalysis-free-api";
+  name = "Chainalysis Free API";
+  lists = ["CHAINALYSIS"];
+  requiresApiKey = true;
+  browserCompatible = false;
+  queryTypes = ["address"];
+  apiKey;
+  baseUrl;
+  constructor(config) {
+    this.apiKey = config.apiKey;
+    this.baseUrl = config.baseUrl ?? "https://public.chainalysis.com/api/v1";
+  }
+  async screen(query, _context) {
+    const start = Date.now();
+    try {
+      const response = await fetch(
+        `${this.baseUrl}/address/${query}`,
+        {
+          method: "GET",
+          headers: {
+            "X-API-Key": this.apiKey,
+            "Accept": "application/json"
+          }
+        }
+      );
+      if (!response.ok) {
+        return {
+          providerId: this.id,
+          hit: false,
+          matches: [],
+          listsChecked: this.lists,
+          entriesSearched: 0,
+          durationMs: Date.now() - start,
+          error: `Chainalysis API error: ${response.status} ${response.statusText}`
+        };
+      }
+      const data = await response.json();
+      const identifications = data.identifications ?? [];
+      const matches = identifications.map((id) => ({
+        list: "CHAINALYSIS",
+        matchType: "exact_address",
+        similarity: 1,
+        matchedValue: query,
+        entityStatus: "active",
+        entityName: id.name,
+        program: id.category
+      }));
+      return {
+        providerId: this.id,
+        hit: matches.length > 0,
+        matches,
+        listsChecked: this.lists,
+        entriesSearched: 1,
+        durationMs: Date.now() - start
+      };
+    } catch (err) {
+      return {
+        providerId: this.id,
+        hit: false,
+        matches: [],
+        listsChecked: this.lists,
+        entriesSearched: 0,
+        durationMs: Date.now() - start,
+        error: `Chainalysis API error: ${err instanceof Error ? err.message : String(err)}`
+      };
+    }
+  }
+  isAvailable() {
+    return !!this.apiKey;
+  }
+};
+
+// src/integrations/provider-ofac.ts
+var ORACLE_CONTRACT = "0x40C57923924B5c5c5455c48D93317139ADDaC8fb";
+var IS_SANCTIONED_SELECTOR = "0xdfb80831";
+var ChainalysisOracleProvider = class {
+  id = "chainalysis-oracle";
+  name = "Chainalysis OFAC Oracle";
+  lists = ["OFAC_SDN", "CHAINALYSIS"];
+  requiresApiKey = true;
+  browserCompatible = false;
+  queryTypes = ["address"];
+  apiKey;
+  rpcUrl;
+  apiBaseUrl;
+  constructor(config) {
+    this.apiKey = config.apiKey;
+    this.rpcUrl = config.rpcUrl;
+    this.apiBaseUrl = config.apiBaseUrl ?? "https://public.chainalysis.com/api/v1";
+  }
+  async screen(query, _context) {
+    const start = Date.now();
+    if (this.rpcUrl) {
+      return this.screenOnChain(query, start);
+    }
+    if (this.apiKey) {
+      return this.screenApi(query, start);
+    }
+    return {
+      providerId: this.id,
+      hit: false,
+      matches: [],
+      listsChecked: this.lists,
+      entriesSearched: 0,
+      durationMs: Date.now() - start,
+      error: "No API key or RPC URL configured"
+    };
+  }
+  isAvailable() {
+    return !!(this.apiKey || this.rpcUrl);
+  }
+  // --------------------------------------------------------------------------
+  // On-chain oracle query
+  // --------------------------------------------------------------------------
+  async screenOnChain(address, start) {
+    try {
+      const paddedAddress = address.toLowerCase().replace("0x", "").padStart(64, "0");
+      const callData = IS_SANCTIONED_SELECTOR + paddedAddress;
+      const response = await fetch(this.rpcUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          jsonrpc: "2.0",
+          id: 1,
+          method: "eth_call",
+          params: [
+            { to: ORACLE_CONTRACT, data: callData },
+            "latest"
+          ]
+        })
+      });
+      if (!response.ok) {
+        return this.errorResult(start, `RPC error: ${response.status}`);
+      }
+      const data = await response.json();
+      if (data.error) {
+        return this.errorResult(start, `RPC error: ${data.error.message}`);
+      }
+      const isSanctioned = data.result ? parseInt(data.result.slice(-2), 16) === 1 : false;
+      const matches = isSanctioned ? [{
+        list: "OFAC_SDN",
+        matchType: "exact_address",
+        similarity: 1,
+        matchedValue: address,
+        entityStatus: "active",
+        program: "CHAINALYSIS_ORACLE"
+      }] : [];
+      return {
+        providerId: this.id,
+        hit: isSanctioned,
+        matches,
+        listsChecked: this.lists,
+        entriesSearched: 1,
+        durationMs: Date.now() - start
+      };
+    } catch (err) {
+      return this.errorResult(
+        start,
+        `Oracle query failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  // --------------------------------------------------------------------------
+  // REST API query
+  // --------------------------------------------------------------------------
+  async screenApi(address, start) {
+    try {
+      const response = await fetch(
+        `${this.apiBaseUrl}/address/${address}`,
+        {
+          method: "GET",
+          headers: {
+            "X-API-Key": this.apiKey,
+            "Accept": "application/json"
+          }
+        }
+      );
+      if (!response.ok) {
+        return this.errorResult(
+          start,
+          `Chainalysis API error: ${response.status} ${response.statusText}`
+        );
+      }
+      const data = await response.json();
+      const identifications = data.identifications ?? [];
+      const matches = identifications.map((id) => ({
+        list: "OFAC_SDN",
+        matchType: "exact_address",
+        similarity: 1,
+        matchedValue: address,
+        entityStatus: "active",
+        entityName: id.name,
+        program: id.category
+      }));
+      return {
+        providerId: this.id,
+        hit: matches.length > 0,
+        matches,
+        listsChecked: this.lists,
+        entriesSearched: 1,
+        durationMs: Date.now() - start
+      };
+    } catch (err) {
+      return this.errorResult(
+        start,
+        `Chainalysis API error: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  errorResult(start, error) {
+    return {
+      providerId: this.id,
+      hit: false,
+      matches: [],
+      listsChecked: this.lists,
+      entriesSearched: 0,
+      durationMs: Date.now() - start,
+      error
+    };
+  }
+};
+
+exports.AgentIdentityRegistry = AgentIdentityRegistry;
 exports.AnomalyDetector = AnomalyDetector;
+exports.BehavioralFingerprinter = BehavioralFingerprinter;
+exports.CURRENCY_REQUIRED_LISTS = CURRENCY_REQUIRED_LISTS;
+exports.ChainalysisFreeAPIProvider = ChainalysisFreeAPIProvider;
+exports.ChainalysisOracleProvider = ChainalysisOracleProvider;
 exports.ConsoleExporter = ConsoleExporter;
+exports.CrossSessionLinker = CrossSessionLinker;
 exports.DigestChain = DigestChain;
 exports.FeatureFlagManager = FeatureFlagManager;
 exports.FileStorage = FileStorage;
 exports.JsonFileExporter = JsonFileExporter;
+exports.KYAConfidenceScorer = KYAConfidenceScorer;
 exports.Kontext = Kontext;
 exports.KontextError = KontextError;
 exports.KontextErrorCode = KontextErrorCode;
 exports.MemoryStorage = MemoryStorage;
 exports.NoopExporter = NoopExporter;
+exports.OFACAddressProvider = OFACAddressProvider;
+exports.OFACEntityProvider = OFACEntityProvider;
+exports.OpenSanctionsLocalProvider = OpenSanctionsLocalProvider;
+exports.OpenSanctionsProvider = OpenSanctionsProvider;
 exports.PLAN_LIMITS = PLAN_LIMITS;
 exports.PaymentCompliance = PaymentCompliance;
 exports.PlanManager = PlanManager;
+exports.ProvenanceManager = ProvenanceManager;
+exports.ScreeningAggregator = ScreeningAggregator;
+exports.TOKEN_REQUIRED_LISTS = TOKEN_REQUIRED_LISTS;
 exports.TrustScorer = TrustScorer;
+exports.UKOFSIProvider = UKOFSIProvider;
 exports.UsdcCompliance = UsdcCompliance;
+exports.WalletClusterer = WalletClusterer;
 exports.anchorDigest = anchorDigest;
+exports.encodeERC8021Suffix = encodeERC8021Suffix;
 exports.exchangeAttestation = exchangeAttestation;
 exports.fetchAgentCard = fetchAgentCard;
+exports.fetchTransactionAttribution = fetchTransactionAttribution;
 exports.getAnchor = getAnchor;
+exports.getRequiredLists = getRequiredLists;
+exports.isBlockchainAddress = isBlockchainAddress;
 exports.isCryptoTransaction = isCryptoTransaction;
 exports.isFeatureAvailable = isFeatureAvailable;
+exports.parseERC8021Suffix = parseERC8021Suffix;
+exports.providerSupportsQuery = providerSupportsQuery;
 exports.requirePlan = requirePlan;
 exports.verifyAnchor = verifyAnchor;
 exports.verifyExportedChain = verifyExportedChain;