kontext-sdk 0.8.0 → 0.10.0

package/dist/index.mjs

@@ -1,13 +1,320 @@
 import { createHash } from 'crypto';
-import * as fs4 from 'fs';
-import * as path4 from 'path';
+import * as fs5 from 'fs';
+import * as path5 from 'path';
 
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
 var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
   get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
 }) : x)(function(x) {
   if (typeof require !== "undefined") return require.apply(this, arguments);
   throw Error('Dynamic require of "' + x + '" is not supported');
 });
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/integrations/erc8021.ts
+var erc8021_exports = {};
+__export(erc8021_exports, {
+  KONTEXT_BUILDER_CODE: () => KONTEXT_BUILDER_CODE,
+  encodeERC8021Suffix: () => encodeERC8021Suffix,
+  fetchTransactionAttribution: () => fetchTransactionAttribution,
+  parseERC8021Suffix: () => parseERC8021Suffix
+});
+function encodeERC8021Suffix(codes) {
+  if (codes.length === 0) {
+    throw new Error("ERC-8021: at least one builder code is required");
+  }
+  const codesStr = codes.join(",");
+  let codesHex = "";
+  for (let i = 0; i < codesStr.length; i++) {
+    codesHex += codesStr.charCodeAt(i).toString(16).padStart(2, "0");
+  }
+  const codesLength = codesStr.length;
+  if (codesLength > 255) {
+    throw new Error("ERC-8021: combined codes length exceeds 255 bytes");
+  }
+  const codesLengthHex = codesLength.toString(16).padStart(2, "0");
+  const schemaId = "00";
+  return codesLengthHex + codesHex + schemaId + ERC_8021_MARKER;
+}
+function parseERC8021Suffix(calldata) {
+  const clean = calldata.startsWith("0x") ? calldata.slice(2) : calldata;
+  if (clean.length < 38) return null;
+  const markerStart = clean.length - 32;
+  const marker = clean.slice(markerStart);
+  if (marker !== ERC_8021_MARKER) return null;
+  const schemaIdStart = markerStart - 2;
+  const schemaId = parseInt(clean.slice(schemaIdStart, markerStart), 16);
+  if (isNaN(schemaId)) return null;
+  let codesLength = 0;
+  let codesLengthPos = 0;
+  for (let L = 1; L <= 255; L++) {
+    const candidatePos = schemaIdStart - L * 2 - 2;
+    if (candidatePos < 0) break;
+    const candidate = parseInt(clean.slice(candidatePos, candidatePos + 2), 16);
+    if (candidate === L) {
+      codesLength = L;
+      codesLengthPos = candidatePos;
+      break;
+    }
+  }
+  if (codesLength === 0) return null;
+  const codesHex = clean.slice(codesLengthPos + 2, codesLengthPos + 2 + codesLength * 2);
+  let codesStr = "";
+  for (let i = 0; i < codesHex.length; i += 2) {
+    codesStr += String.fromCharCode(parseInt(codesHex.slice(i, i + 2), 16));
+  }
+  const codes = codesStr.split(",").filter((c) => c.length > 0);
+  if (codes.length === 0) return null;
+  const rawSuffix = "0x" + clean.slice(codesLengthPos);
+  return { codes, schemaId, rawSuffix };
+}
+async function fetchTransactionAttribution(rpcUrl, txHash) {
+  try {
+    const res = await fetch(rpcUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        id: 1,
+        method: "eth_getTransactionByHash",
+        params: [txHash]
+      })
+    });
+    const json = await res.json();
+    if (json.error || !json.result?.input) return null;
+    return parseERC8021Suffix(json.result.input);
+  } catch {
+    return null;
+  }
+}
+var ERC_8021_MARKER, KONTEXT_BUILDER_CODE;
+var init_erc8021 = __esm({
+  "src/integrations/erc8021.ts"() {
+    ERC_8021_MARKER = "80218021802180218021802180218021";
+    KONTEXT_BUILDER_CODE = "kontext";
+  }
+});
+
+// src/onchain.ts
+var onchain_exports = {};
+__export(onchain_exports, {
+  OnChainExporter: () => OnChainExporter,
+  anchorDigest: () => anchorDigest,
+  getAnchor: () => getAnchor,
+  verifyAnchor: () => verifyAnchor
+});
+async function rpcCall(rpcUrl, method, params) {
+  const res = await fetch(rpcUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ jsonrpc: "2.0", id: 1, method, params })
+  });
+  const json = await res.json();
+  if (json.error) throw new Error(`RPC error: ${json.error.message}`);
+  return json.result;
+}
+function encodeBytes32(hex) {
+  const clean = hex.startsWith("0x") ? hex.slice(2) : hex;
+  return clean.padStart(64, "0");
+}
+function decodeUint256(hex) {
+  const clean = hex.startsWith("0x") ? hex.slice(2) : hex;
+  return parseInt(clean, 16);
+}
+function decodeAddress(hex) {
+  const clean = hex.startsWith("0x") ? hex.slice(2) : hex;
+  return "0x" + clean.slice(24);
+}
+async function verifyAnchor(rpcUrl, contractAddress, digest) {
+  const calldata = SEL_VERIFY + encodeBytes32(digest);
+  const result = await rpcCall(rpcUrl, "eth_call", [
+    { to: contractAddress, data: calldata },
+    "latest"
+  ]);
+  const anchored = decodeUint256(result) !== 0;
+  return { anchored, digest };
+}
+async function getAnchor(rpcUrl, contractAddress, digest) {
+  const calldata = SEL_GET_ANCHOR + encodeBytes32(digest);
+  try {
+    const result = await rpcCall(rpcUrl, "eth_call", [
+      { to: contractAddress, data: calldata },
+      "latest"
+    ]);
+    const clean = result.startsWith("0x") ? result.slice(2) : result;
+    if (clean.length < 192) return null;
+    const anchorer = decodeAddress(clean.slice(0, 64));
+    const projectHash = "0x" + clean.slice(64, 128);
+    const timestamp = decodeUint256("0x" + clean.slice(128, 192));
+    return { anchorer, projectHash, timestamp };
+  } catch {
+    return null;
+  }
+}
+async function anchorDigest(config, digest, projectId) {
+  let viem;
+  let viemChains;
+  let viemAccounts;
+  try {
+    viem = await import('viem');
+    viemChains = await import('viem/chains');
+    viemAccounts = await import('viem/accounts');
+  } catch {
+    throw new Error(
+      "On-chain anchoring requires viem. Install it: npm install viem"
+    );
+  }
+  if (!config.privateKey) {
+    throw new Error("privateKey is required for on-chain anchoring");
+  }
+  const account = viemAccounts.privateKeyToAccount(config.privateKey);
+  const chain = config.rpcUrl.includes("sepolia") ? viemChains.baseSepolia : viemChains.base;
+  const client = viem.createWalletClient({
+    account,
+    chain,
+    transport: viem.http(config.rpcUrl)
+  });
+  const publicClient = viem.createPublicClient({
+    chain,
+    transport: viem.http(config.rpcUrl)
+  });
+  const projectHash = viem.keccak256(viem.toBytes(projectId));
+  const digestBytes32 = digest.startsWith("0x") ? digest : `0x${digest}`;
+  const abi = [
+    {
+      name: "anchor",
+      type: "function",
+      stateMutability: "nonpayable",
+      inputs: [
+        { name: "digest", type: "bytes32" },
+        { name: "projectHash", type: "bytes32" }
+      ],
+      outputs: []
+    }
+  ];
+  const { encodeERC8021Suffix: encodeERC8021Suffix2, KONTEXT_BUILDER_CODE: KONTEXT_BUILDER_CODE2 } = await Promise.resolve().then(() => (init_erc8021(), erc8021_exports));
+  const calldata = viem.encodeFunctionData({
+    abi,
+    functionName: "anchor",
+    args: [digestBytes32, projectHash]
+  });
+  const builderCode = config.builderCode ?? KONTEXT_BUILDER_CODE2;
+  const suffix = encodeERC8021Suffix2([builderCode]);
+  const txHash = await client.sendTransaction({
+    to: config.contractAddress,
+    data: calldata + suffix
+  });
+  const receipt = await publicClient.waitForTransactionReceipt({ hash: txHash });
+  return {
+    digest,
+    txHash,
+    blockNumber: Number(receipt.blockNumber),
+    timestamp: Math.floor(Date.now() / 1e3),
+    contractAddress: config.contractAddress,
+    chain: chain.name.toLowerCase()
+  };
+}
+var SEL_VERIFY, SEL_GET_ANCHOR, OnChainExporter;
+var init_onchain = __esm({
+  "src/onchain.ts"() {
+    SEL_VERIFY = "0x75e36616";
+    SEL_GET_ANCHOR = "0x7feb51d9";
+    OnChainExporter = class {
+      config;
+      projectId;
+      batchSize;
+      getTerminalDigest;
+      eventCount = 0;
+      constructor(config, projectId, getTerminalDigest) {
+        this.config = config;
+        this.projectId = projectId;
+        this.batchSize = 10;
+        this.getTerminalDigest = getTerminalDigest;
+      }
+      async export(events) {
+        this.eventCount += events.length;
+        if (this.eventCount >= this.batchSize) {
+          const digest = this.getTerminalDigest();
+          await anchorDigest(this.config, digest, this.projectId);
+          this.eventCount = 0;
+        }
+        return { success: true, exportedCount: events.length };
+      }
+      async flush() {
+        if (this.eventCount > 0) {
+          const digest = this.getTerminalDigest();
+          await anchorDigest(this.config, digest, this.projectId);
+          this.eventCount = 0;
+        }
+      }
+      async shutdown() {
+        await this.flush();
+      }
+    };
+  }
+});
+
+// src/attestation.ts
+var attestation_exports = {};
+__export(attestation_exports, {
+  exchangeAttestation: () => exchangeAttestation,
+  fetchAgentCard: () => fetchAgentCard
+});
+async function fetchAgentCard(endpoint, timeoutMs = DEFAULT_TIMEOUT_MS) {
+  const url = `${endpoint.replace(/\/$/, "")}/.well-known/kontext.json`;
+  const response = await fetch(url, {
+    signal: AbortSignal.timeout(timeoutMs),
+    headers: { Accept: "application/json" }
+  });
+  if (!response.ok) {
+    throw new Error(`Failed to fetch agent card from ${url}: ${response.status}`);
+  }
+  return response.json();
+}
+async function exchangeAttestation(config, request) {
+  const timeoutMs = config.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  const card = await fetchAgentCard(config.endpoint, timeoutMs);
+  if (config.agentId && card.agentId !== config.agentId) {
+    throw new Error(
+      `Agent ID mismatch: expected ${config.agentId}, got ${card.agentId}`
+    );
+  }
+  if (!card.capabilities.includes("attest")) {
+    throw new Error(
+      `Counterparty ${card.agentId} does not support attestation`
+    );
+  }
+  const attestUrl = `${config.endpoint.replace(/\/$/, "")}${card.attestEndpoint}`;
+  const response = await fetch(attestUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(request),
+    signal: AbortSignal.timeout(timeoutMs)
+  });
+  if (!response.ok) {
+    throw new Error(`Attestation request failed: ${response.status}`);
+  }
+  const result = await response.json();
+  return {
+    attested: result.attested,
+    digest: result.receiverDigest,
+    agentId: result.receiverAgentId,
+    timestamp: result.timestamp
+  };
+}
+var DEFAULT_TIMEOUT_MS;
+var init_attestation = __esm({
+  "src/attestation.ts"() {
+    DEFAULT_TIMEOUT_MS = 1e4;
+  }
+});
 
 // src/utils.ts
 function generateId() {
@@ -912,13 +1219,17 @@ var STORAGE_KEYS = {
   actions: "kontext:actions",
   transactions: "kontext:transactions",
   tasks: "kontext:tasks",
-  anomalies: "kontext:anomalies"
+  anomalies: "kontext:anomalies",
+  sessions: "kontext:sessions",
+  checkpoints: "kontext:checkpoints"
 };
 var KontextStore = class {
   actions = [];
   transactions = [];
   tasks = /* @__PURE__ */ new Map();
   anomalies = [];
+  sessions = /* @__PURE__ */ new Map();
+  checkpoints = /* @__PURE__ */ new Map();
   storageAdapter = null;
   maxEntries;
   constructor(maxEntries = DEFAULT_MAX_ENTRIES) {
@@ -951,11 +1262,15 @@ var KontextStore = class {
     const transactionsSnapshot = [...this.transactions];
     const tasksSnapshot = Array.from(this.tasks.entries());
     const anomaliesSnapshot = [...this.anomalies];
+    const sessionsSnapshot = Array.from(this.sessions.entries());
+    const checkpointsSnapshot = Array.from(this.checkpoints.entries());
     await Promise.all([
       this.storageAdapter.save(STORAGE_KEYS.actions, actionsSnapshot),
       this.storageAdapter.save(STORAGE_KEYS.transactions, transactionsSnapshot),
       this.storageAdapter.save(STORAGE_KEYS.tasks, tasksSnapshot),
-      this.storageAdapter.save(STORAGE_KEYS.anomalies, anomaliesSnapshot)
+      this.storageAdapter.save(STORAGE_KEYS.anomalies, anomaliesSnapshot),
+      this.storageAdapter.save(STORAGE_KEYS.sessions, sessionsSnapshot),
+      this.storageAdapter.save(STORAGE_KEYS.checkpoints, checkpointsSnapshot)
     ]);
   }
   /**
@@ -965,11 +1280,13 @@ var KontextStore = class {
    */
   async restore() {
     if (!this.storageAdapter) return;
-    const [actions, transactions, tasksEntries, anomalies] = await Promise.all([
+    const [actions, transactions, tasksEntries, anomalies, sessionsEntries, checkpointsEntries] = await Promise.all([
       this.storageAdapter.load(STORAGE_KEYS.actions),
       this.storageAdapter.load(STORAGE_KEYS.transactions),
       this.storageAdapter.load(STORAGE_KEYS.tasks),
-      this.storageAdapter.load(STORAGE_KEYS.anomalies)
+      this.storageAdapter.load(STORAGE_KEYS.anomalies),
+      this.storageAdapter.load(STORAGE_KEYS.sessions),
+      this.storageAdapter.load(STORAGE_KEYS.checkpoints)
     ]);
     if (Array.isArray(actions)) {
       this.actions = actions;
@@ -983,6 +1300,12 @@ var KontextStore = class {
     if (Array.isArray(anomalies)) {
       this.anomalies = anomalies;
     }
+    if (Array.isArray(sessionsEntries)) {
+      this.sessions = new Map(sessionsEntries);
+    }
+    if (Array.isArray(checkpointsEntries)) {
+      this.checkpoints = new Map(checkpointsEntries);
+    }
   }
   // --------------------------------------------------------------------------
   // Actions
@@ -1082,6 +1405,60 @@ var KontextStore = class {
     return this.anomalies.filter(predicate);
   }
   // --------------------------------------------------------------------------
+  // Sessions (Provenance Layer 1)
+  // --------------------------------------------------------------------------
+  /** Store a session. */
+  addSession(session) {
+    this.sessions.set(session.sessionId, session);
+  }
+  /** Retrieve a session by ID. */
+  getSession(sessionId) {
+    return this.sessions.get(sessionId);
+  }
+  /** Update a session. */
+  updateSession(sessionId, updates) {
+    const existing = this.sessions.get(sessionId);
+    if (!existing) return void 0;
+    const updated = { ...existing, ...updates };
+    this.sessions.set(sessionId, updated);
+    return updated;
+  }
+  /** Retrieve all sessions. */
+  getSessions() {
+    return Array.from(this.sessions.values());
+  }
+  /** Retrieve sessions filtered by a predicate. */
+  querySessions(predicate) {
+    return Array.from(this.sessions.values()).filter(predicate);
+  }
+  // --------------------------------------------------------------------------
+  // Checkpoints (Provenance Layer 3)
+  // --------------------------------------------------------------------------
+  /** Store a checkpoint. */
+  addCheckpoint(checkpoint) {
+    this.checkpoints.set(checkpoint.id, checkpoint);
+  }
+  /** Retrieve a checkpoint by ID. */
+  getCheckpoint(checkpointId) {
+    return this.checkpoints.get(checkpointId);
+  }
+  /** Update a checkpoint. */
+  updateCheckpoint(checkpointId, updates) {
+    const existing = this.checkpoints.get(checkpointId);
+    if (!existing) return void 0;
+    const updated = { ...existing, ...updates };
+    this.checkpoints.set(checkpointId, updated);
+    return updated;
+  }
+  /** Retrieve all checkpoints. */
+  getCheckpoints() {
+    return Array.from(this.checkpoints.values());
+  }
+  /** Retrieve checkpoints filtered by a predicate. */
+  queryCheckpoints(predicate) {
+    return Array.from(this.checkpoints.values()).filter(predicate);
+  }
+  // --------------------------------------------------------------------------
   // Utilities
   // --------------------------------------------------------------------------
   /** Get total record counts across all stores. */
@@ -1090,7 +1467,9 @@ var KontextStore = class {
       actions: this.actions.length,
       transactions: this.transactions.length,
       tasks: this.tasks.size,
-      anomalies: this.anomalies.length
+      anomalies: this.anomalies.length,
+      sessions: this.sessions.size,
+      checkpoints: this.checkpoints.size
     };
   }
   /** Clear all stored data. Useful for testing. */
@@ -1099,6 +1478,8 @@ var KontextStore = class {
     this.transactions = [];
     this.tasks.clear();
     this.anomalies = [];
+    this.sessions.clear();
+    this.checkpoints.clear();
   }
 };
 var DIGEST_EXCLUDED_FIELDS = /* @__PURE__ */ new Set(["digest", "priorDigest"]);
@@ -1570,13 +1951,13 @@ var ActionLogger = class {
   }
   flushToFile(actions) {
     const outputDir = this.config.localOutputDir ?? ".kontext";
-    const logDir = path4.join(outputDir, "logs");
+    const logDir = path5.join(outputDir, "logs");
     try {
-      fs4.mkdirSync(logDir, { recursive: true });
+      fs5.mkdirSync(logDir, { recursive: true });
       const filename = `actions-${(/* @__PURE__ */ new Date()).toISOString().split("T")[0]}.jsonl`;
-      const filePath = path4.join(logDir, filename);
+      const filePath = path5.join(logDir, filename);
       const lines = actions.map((a) => JSON.stringify(a)).join("\n") + "\n";
-      fs4.appendFileSync(filePath, lines, "utf-8");
+      fs5.appendFileSync(filePath, lines, "utf-8");
     } catch (error) {
       this.emitLog("warn", "Failed to write log file", { error });
     }
@@ -2116,17 +2497,9 @@ var AuditExporter = class {
     return sections.join("\n\n");
   }
 };
-var USDC_CONTRACTS = {
-  ethereum: "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48",
-  base: "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
-  polygon: "0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359",
-  arbitrum: "0xaf88d065e77c8cC2239327C5EDb3A432268e5831",
-  optimism: "0x0b2C639c533813f4Aa9D7837CAf62653d097Ff85",
-  // Arc (Circle's stablecoin-native blockchain) -- placeholder address, update when Arc mainnet launches
-  arc: "0xa0c0000000000000000000000000000000000001"
-};
-var SANCTIONED_ADDRESSES = [
-  // --- ACTIVELY SANCTIONED (SDN) ---
+
+// src/integrations/data/ofac-addresses.ts
+var OFAC_SDN_ACTIVE_ADDRESSES = [
   // Lazarus Group / DPRK (Ronin Bridge hack)
   "0x098B716B8Aaf21512996dC57EB0615e2383E2f96",
   "0xa0e1c89Ef1a489c9C7dE96311eD5Ce5D32c20E4B",
@@ -2150,8 +2523,9 @@ var SANCTIONED_ADDRESSES = [
   "0x931546D9e66836AbF687d2bc64B30407bAc8C568",
   "0x43fa21d92141BA9db43052492E0DeEE5aa5f0A93",
   // Zedcex / Zedxion (IRGC-linked, sanctioned June 2024)
-  "0xaeAAc358560e11f52454D997AAFF2c5731B6f8a6",
-  // --- DELISTED (formerly sanctioned, retained for backward compat) ---
+  "0xaeAAc358560e11f52454D997AAFF2c5731B6f8a6"
+];
+var OFAC_SDN_DELISTED_ADDRESSES = [
   // Tornado Cash contracts (sanctioned Aug 2022, DELISTED March 21, 2025)
   "0xd90e2f925DA726b50C4Ed8D0Fb90Ad053324F31b",
   "0xd96f2B1c14Db8458374d9Aca76E26c3D18364307",
@@ -2173,15 +2547,29 @@ var SANCTIONED_ADDRESSES = [
   "0x722122dF12D4e14e13Ac3b6895a86e84145b6967"
   // Tornado Cash / Sinbad.io
 ];
+var OFAC_SDN_ADDRESSES = [
+  ...OFAC_SDN_ACTIVE_ADDRESSES,
+  ...OFAC_SDN_DELISTED_ADDRESSES
+];
+var USDC_CONTRACTS = {
+  ethereum: "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48",
+  base: "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
+  polygon: "0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359",
+  arbitrum: "0xaf88d065e77c8cC2239327C5EDb3A432268e5831",
+  optimism: "0x0b2C639c533813f4Aa9D7837CAf62653d097Ff85",
+  // Arc (Circle's stablecoin-native blockchain) -- placeholder address, update when Arc mainnet launches
+  arc: "0xa0c0000000000000000000000000000000000001"
+};
+var SANCTIONED_ADDRESSES = [...OFAC_SDN_ADDRESSES];
 var SANCTIONED_SET = new Set(
   SANCTIONED_ADDRESSES.map((addr) => addr.toLowerCase())
 );
 function loadCachedSDN() {
   try {
     const dataDir = process.env["KONTEXT_DATA_DIR"] || ".kontext";
-    const cachePath = path4.join(dataDir, "ofac-sdn-cache.json");
-    if (fs4.existsSync(cachePath)) {
-      const cache = JSON.parse(fs4.readFileSync(cachePath, "utf-8"));
+    const cachePath = path5.join(dataDir, "ofac-sdn-cache.json");
+    if (fs5.existsSync(cachePath)) {
+      const cache = JSON.parse(fs5.readFileSync(cachePath, "utf-8"));
       if (Array.isArray(cache.addresses)) {
         for (const addr of cache.addresses) {
           SANCTIONED_SET.add(String(addr).toLowerCase());
@@ -2668,11 +3056,301 @@ var PaymentCompliance = class _PaymentCompliance {
   }
 };
 
+// src/integrations/screening-provider.ts
+var ETH_ADDRESS_RE = /^0x[a-fA-F0-9]{40}$/;
+function isBlockchainAddress(query) {
+  return ETH_ADDRESS_RE.test(query);
+}
+function providerSupportsQuery(provider, query) {
+  const isAddr = isBlockchainAddress(query);
+  if (isAddr) {
+    return provider.queryTypes.includes("address") || provider.queryTypes.includes("both");
+  }
+  return provider.queryTypes.includes("entity_name") || provider.queryTypes.includes("both");
+}
+var TOKEN_REQUIRED_LISTS = {
+  USDC: ["OFAC_SDN"],
+  EURC: ["EU_CONSOLIDATED"],
+  USDT: ["OFAC_SDN", "EU_CONSOLIDATED"],
+  DAI: ["OFAC_SDN", "EU_CONSOLIDATED"],
+  USDP: ["OFAC_SDN"],
+  USDG: ["OFAC_SDN"]
+};
+var CURRENCY_REQUIRED_LISTS = {
+  USD: ["OFAC_SDN"],
+  EUR: ["EU_CONSOLIDATED"],
+  GBP: ["UK_OFSI"],
+  AED: ["UAE_LOCAL", "UN_SECURITY_COUNCIL"],
+  INR: ["UN_SECURITY_COUNCIL", "INDIA_DOMESTIC"],
+  SGD: ["MAS_TFS", "UN_SECURITY_COUNCIL"],
+  CNY: ["UN_SECURITY_COUNCIL"],
+  CNH: ["UN_SECURITY_COUNCIL"],
+  HKD: ["HK_UNSO", "UN_SECURITY_COUNCIL"],
+  NZD: ["UN_SECURITY_COUNCIL", "NZ_DESIGNATED"],
+  KRW: ["UN_SECURITY_COUNCIL", "KOFIU_DOMESTIC"],
+  MYR: ["BNM_DOMESTIC", "UN_SECURITY_COUNCIL"],
+  THB: ["UN_SECURITY_COUNCIL", "AMLO_DOMESTIC"]
+};
+var DEFAULT_REQUIRED_LISTS = [
+  "OFAC_SDN",
+  "EU_CONSOLIDATED",
+  "UN_SECURITY_COUNCIL"
+];
+function getRequiredLists(context) {
+  if (!context) return DEFAULT_REQUIRED_LISTS;
+  if (context.token && typeof context.token === "string") {
+    const tokenLists = TOKEN_REQUIRED_LISTS[context.token];
+    if (tokenLists) return tokenLists;
+  }
+  if (context.currency && typeof context.currency === "string") {
+    const currencyLists = CURRENCY_REQUIRED_LISTS[context.currency];
+    if (currencyLists) return currencyLists;
+  }
+  return DEFAULT_REQUIRED_LISTS;
+}
+
+// src/integrations/screening-aggregator.ts
+var ScreeningAggregator = class {
+  providers;
+  consensus;
+  blocklistSet;
+  allowlistSet;
+  continueOnError;
+  providerTimeoutMs;
+  onEvent;
+  constructor(config) {
+    this.providers = config.providers;
+    this.consensus = config.consensus ?? "ANY_MATCH";
+    this.blocklistSet = new Set(
+      (config.blocklist ?? []).map((s) => s.toLowerCase())
+    );
+    this.allowlistSet = new Set(
+      (config.allowlist ?? []).map((s) => s.toLowerCase())
+    );
+    this.continueOnError = config.continueOnError ?? true;
+    this.providerTimeoutMs = config.providerTimeoutMs;
+    this.onEvent = config.onEvent;
+  }
+  /**
+   * Screen a single query (address or entity name).
+   */
+  async screen(query, context) {
+    const start = Date.now();
+    const queryLower = query.toLowerCase();
+    const queryType = isBlockchainAddress(query) ? "address" : "entity_name";
+    this.onEvent?.();
+    if (this.allowlistSet.has(queryLower)) {
+      return this.buildResult({
+        queryType,
+        start,
+        allowlisted: true,
+        context
+      });
+    }
+    if (this.blocklistSet.has(queryLower)) {
+      return this.buildResult({
+        queryType,
+        start,
+        blocklisted: true,
+        context
+      });
+    }
+    const compatibleProviders = this.providers.filter(
+      (p) => p.isAvailable() && providerSupportsQuery(p, query)
+    );
+    if (compatibleProviders.length === 0) {
+      return this.buildResult({
+        queryType,
+        start,
+        providerResults: [],
+        context
+      });
+    }
+    const results = [];
+    const errors = [];
+    const promises = compatibleProviders.map(async (provider) => {
+      try {
+        const result = await this.runWithTimeout(provider, query, context);
+        return { type: "success", result };
+      } catch (err) {
+        const errorMsg = err instanceof Error ? err.message : String(err);
+        return { type: "error", providerId: provider.id, error: errorMsg };
+      }
+    });
+    const settled = await Promise.all(promises);
+    for (const outcome of settled) {
+      if (outcome.type === "success") {
+        results.push(outcome.result);
+      } else {
+        if (!this.continueOnError) {
+          throw new Error(outcome.error);
+        }
+        errors.push({ providerId: outcome.providerId, error: outcome.error });
+      }
+    }
+    return this.buildResult({
+      queryType,
+      start,
+      providerResults: results,
+      errors,
+      context
+    });
+  }
+  /**
+   * Screen multiple queries in batch.
+   */
+  async screenBatch(queries, context) {
+    const results = /* @__PURE__ */ new Map();
+    const promises = queries.map(async (query) => {
+      const result = await this.screen(query, context);
+      return { query, result };
+    });
+    const settled = await Promise.all(promises);
+    for (const { query, result } of settled) {
+      results.set(query, result);
+    }
+    return results;
+  }
+  /**
+   * Get available providers, optionally filtered by query type.
+   */
+  getAvailableProviders(queryType) {
+    return this.providers.filter((p) => {
+      if (!p.isAvailable()) return false;
+      if (!queryType) return true;
+      return p.queryTypes.includes(queryType) || p.queryTypes.includes("both");
+    });
+  }
+  /**
+   * Get the union of all sanctions lists covered by available providers.
+   */
+  getCoveredLists() {
+    const lists = /* @__PURE__ */ new Set();
+    for (const p of this.providers) {
+      if (p.isAvailable()) {
+        for (const list of p.lists) {
+          lists.add(list);
+        }
+      }
+    }
+    return Array.from(lists);
+  }
+  // --------------------------------------------------------------------------
+  // Private
+  // --------------------------------------------------------------------------
+  async runWithTimeout(provider, query, context) {
+    if (!this.providerTimeoutMs) {
+      return provider.screen(query, context);
+    }
+    return Promise.race([
+      provider.screen(query, context),
+      new Promise(
+        (_, reject) => setTimeout(
+          () => reject(new Error(`Provider ${provider.id} timed out after ${this.providerTimeoutMs}ms`)),
+          this.providerTimeoutMs
+        )
+      )
+    ]);
+  }
+  buildResult(opts) {
+    const {
+      queryType,
+      start,
+      providerResults = [],
+      errors = [],
+      blocklisted = false,
+      allowlisted = false,
+      context
+    } = opts;
+    if (blocklisted) {
+      return {
+        providerId: "aggregator",
+        hit: true,
+        matches: [],
+        listsChecked: [],
+        entriesSearched: 0,
+        durationMs: Date.now() - start,
+        queryType,
+        totalProviders: 0,
+        hitCount: 0,
+        consensus: this.consensus,
+        blocklisted: true,
+        errors: [],
+        uncoveredLists: [],
+        providerResults: []
+      };
+    }
+    if (allowlisted) {
+      return {
+        providerId: "aggregator",
+        hit: false,
+        matches: [],
+        listsChecked: [],
+        entriesSearched: 0,
+        durationMs: Date.now() - start,
+        queryType,
+        totalProviders: 0,
+        hitCount: 0,
+        consensus: this.consensus,
+        allowlisted: true,
+        errors: [],
+        uncoveredLists: [],
+        providerResults: []
+      };
+    }
+    const allMatches = [];
+    const allListsChecked = /* @__PURE__ */ new Set();
+    let totalEntries = 0;
+    for (const r of providerResults) {
+      allMatches.push(...r.matches);
+      for (const list of r.listsChecked) {
+        allListsChecked.add(list);
+      }
+      totalEntries += r.entriesSearched;
+    }
+    const hitCount = providerResults.filter((r) => r.hit).length;
+    const totalProviders = providerResults.length;
+    let hit;
+    switch (this.consensus) {
+      case "ALL_MATCH":
+        hit = totalProviders > 0 && hitCount === totalProviders;
+        break;
+      case "MAJORITY":
+        hit = totalProviders > 0 && hitCount > totalProviders / 2;
+        break;
+      case "ANY_MATCH":
+      default:
+        hit = hitCount > 0;
+        break;
+    }
+    const requiredLists = getRequiredLists(context);
+    const coveredLists = allListsChecked;
+    const uncoveredLists = requiredLists.filter(
+      (l) => !coveredLists.has(l)
+    );
+    return {
+      providerId: "aggregator",
+      hit,
+      matches: allMatches,
+      listsChecked: Array.from(allListsChecked),
+      entriesSearched: totalEntries,
+      durationMs: Date.now() - start,
+      queryType,
+      totalProviders,
+      hitCount,
+      consensus: this.consensus,
+      errors,
+      uncoveredLists,
+      providerResults
+    };
+  }
+};
+
 // src/plans.ts
 var PLAN_LIMITS = {
   free: 2e4,
-  pro: 1e5,
-  // per user/seat
+  pro: Infinity,
+  // usage-based: $2/1K events above 20K free
   enterprise: Infinity
 };
 var DEFAULT_WARNING_THRESHOLD = 0.8;
@@ -2719,10 +3397,7 @@ var PlanManager = class _PlanManager {
   }
   /** Get the event limit for the current plan (Pro is multiplied by seats) */
   getLimit() {
-    const base = PLAN_LIMITS[this.tier];
-    if (base === Infinity) return Infinity;
-    if (this.tier === "pro") return base * this.seats;
-    return base;
+    return PLAN_LIMITS[this.tier];
   }
   /** Get the current number of seats */
   getSeats() {
@@ -2927,12 +3602,7 @@ var PlanManager = class _PlanManager {
   logLimitMessage() {
     if (this.tier === "free") {
       console.warn(
-        `You've reached the 20,000 event limit on the Free plan. Upgrade to Pro for 100K events/user/mo and full compliance features \u2192 ${this.upgradeUrl}`
-      );
-    } else if (this.tier === "pro") {
-      const effectiveLimit = (1e5 * this.seats).toLocaleString();
-      console.warn(
-        `You've reached the ${effectiveLimit} event limit on Pro (${this.seats} seat${this.seats !== 1 ? "s" : ""}). Add seats or contact us for Enterprise pricing \u2192 ${this.enterpriseContactUrl}`
+        `You've reached the 20,000 event limit on the Free plan. Upgrade to Pro ($2/1K events above 20K free) \u2192 ${this.upgradeUrl}`
       );
     }
   }
@@ -3020,7 +3690,7 @@ var JsonFileExporter = class {
   buffer = [];
   bufferSize;
   constructor(options) {
-    this.outputDir = path4.resolve(options?.outputDir ?? ".kontext/exports");
+    this.outputDir = path5.resolve(options?.outputDir ?? ".kontext/exports");
     this.bufferSize = options?.bufferSize ?? 1;
   }
   async export(events) {
@@ -3035,11 +3705,11 @@ var JsonFileExporter = class {
     const toWrite = [...this.buffer];
     this.buffer = [];
     try {
-      fs4.mkdirSync(this.outputDir, { recursive: true });
+      fs5.mkdirSync(this.outputDir, { recursive: true });
       const date = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
-      const filePath = path4.join(this.outputDir, `events-${date}.jsonl`);
+      const filePath = path5.join(this.outputDir, `events-${date}.jsonl`);
       const lines = toWrite.map((e) => JSON.stringify(e)).join("\n") + "\n";
-      fs4.appendFileSync(filePath, lines, "utf-8");
+      fs5.appendFileSync(filePath, lines, "utf-8");
     } catch (error) {
       console.warn("[Kontext JsonFileExporter] Failed to write events:", error);
     }
@@ -3209,61 +3879,1820 @@ function extractDocumentId(resourceName) {
   const parts = resourceName.split("/");
   return parts[parts.length - 1] ?? resourceName;
 }
+var CONFIG_FILENAME = "kontext.config.json";
+function loadConfigFile(startDir) {
+  const dir = startDir ?? process.cwd();
+  const filePath = findConfigFile(dir);
+  if (!filePath) return null;
+  try {
+    const raw = fs5.readFileSync(filePath, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (!parsed.projectId || typeof parsed.projectId !== "string") {
+      return null;
+    }
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+function findConfigFile(dir) {
+  let current = path5.resolve(dir);
+  const root = path5.parse(current).root;
+  while (true) {
+    const candidate = path5.join(current, CONFIG_FILENAME);
+    if (fs5.existsSync(candidate)) {
+      return candidate;
+    }
+    const parent = path5.dirname(current);
+    if (parent === current || current === root) {
+      return null;
+    }
+    current = parent;
+  }
+}
 
-// src/client.ts
-var PLAN_STORAGE_KEY = "kontext:plan";
-var Kontext = class _Kontext {
+// src/integrations/data/stablecoin-contracts.ts
+var STABLECOIN_CONTRACTS = {
+  // USDC (6 decimals)
+  "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48": { token: "USDC", chain: "ethereum", decimals: 6 },
+  "0x833589fcd6edb6e08f4c7c32d4f71b54bda02913": { token: "USDC", chain: "base", decimals: 6 },
+  "0x3c499c542cef5e3811e1192ce70d8cc03d5c3359": { token: "USDC", chain: "polygon", decimals: 6 },
+  "0xaf88d065e77c8cc2239327c5edb3a432268e5831": { token: "USDC", chain: "arbitrum", decimals: 6 },
+  "0x0b2c639c533813f4aa9d7837caf62653d097ff85": { token: "USDC", chain: "optimism", decimals: 6 },
+  "0xb97ef9ef8734c71904d8002f8b6bc66dd9c48a6e": { token: "USDC", chain: "avalanche", decimals: 6 },
+  // USDT (6 decimals)
+  "0xdac17f958d2ee523a2206206994597c13d831ec7": { token: "USDT", chain: "ethereum", decimals: 6 },
+  "0xfd086bc7cd5c481dcc9c85ebe478a1c0b69fcbb9": { token: "USDT", chain: "arbitrum", decimals: 6 },
+  "0x94b008aa00579c1307b0ef2c499ad98a8ce58e58": { token: "USDT", chain: "optimism", decimals: 6 },
+  "0xc2132d05d31c914a87c6611c10748aeb04b58e8f": { token: "USDT", chain: "polygon", decimals: 6 },
+  // DAI (18 decimals)
+  "0x6b175474e89094c44da98b954eedeac495271d0f": { token: "DAI", chain: "ethereum", decimals: 18 },
+  "0x50c5725949a6f0c72e6c4a641f24049a917db0cb": { token: "DAI", chain: "base", decimals: 18 },
+  // EURC (6 decimals)
+  "0x1abaea1f7c830bd89acc67ec4af516284b1bc33c": { token: "EURC", chain: "ethereum", decimals: 6 },
+  "0x60a3e35cc302bfa44cb288bc5a4f316fdb1adb42": { token: "EURC", chain: "base", decimals: 6 }
+};
+new Set(Object.keys(STABLECOIN_CONTRACTS));
+var CHAIN_ID_MAP = {
+  1: "ethereum",
+  8453: "base",
+  137: "polygon",
+  42161: "arbitrum",
+  10: "optimism",
+  43114: "avalanche"
+};
+var TRANSFER_SELECTOR = "0xa9059cbb";
+var TRANSFER_FROM_SELECTOR = "0x23b872dd";
+var TRANSFER_EVENT_ABI = {
+  type: "event",
+  name: "Transfer",
+  inputs: [
+    { type: "address", name: "from", indexed: true },
+    { type: "address", name: "to", indexed: true },
+    { type: "uint256", name: "value", indexed: false }
+  ]
+};
+
+// src/integrations/wallet-monitor.ts
+var WalletMonitor = class {
+  kontext;
   config;
-  store;
-  logger;
-  taskManager;
-  auditExporter;
-  mode;
-  planManager;
-  exporter;
-  featureFlagManager;
-  trustScorer;
-  anomalyDetector;
-  constructor(config) {
+  agentId;
+  tokens;
+  unwatchers = [];
+  running = false;
+  /** Shared dedup set — tracks recently verified txHashes (populated by both layers) */
+  verifiedTxHashes = /* @__PURE__ */ new Set();
+  cleanupTimer = null;
+  txTimestamps = /* @__PURE__ */ new Map();
+  constructor(kontext, config, options) {
+    this.kontext = kontext;
     this.config = config;
-    this.mode = config.apiKey ? "cloud" : "local";
-    this.store = new KontextStore();
-    if (config.metadataSchema && typeof config.metadataSchema.parse !== "function") {
-      throw new KontextError(
-        "INITIALIZATION_ERROR" /* INITIALIZATION_ERROR */,
-        "metadataSchema must have a parse() method"
+    this.agentId = options?.agentId ?? "wallet-monitor";
+    this.tokens = options?.tokens ? new Set(options.tokens) : null;
+  }
+  /**
+   * Mark a txHash as already verified (called by the viem interceptor layer).
+   * The monitor will skip this tx if it later sees it on-chain.
+   */
+  markVerified(txHash) {
+    const lower = txHash.toLowerCase();
+    this.verifiedTxHashes.add(lower);
+    this.txTimestamps.set(lower, Date.now());
+  }
+  /**
+   * Start watching all configured chains for stablecoin transfers.
+   * Dynamically imports viem — requires viem as a peer dependency.
+   */
+  async start() {
+    if (this.running) return;
+    let viem;
+    try {
+      viem = await import('viem');
+    } catch {
+      throw new Error(
+        "Wallet monitoring requires viem. Install it: npm install viem"
       );
     }
-    if (config.storage) {
-      this.store.setStorageAdapter(config.storage);
-    }
-    const planTier = config.plan ?? "free";
-    this.planManager = new PlanManager(planTier, void 0, config.seats ?? 1);
-    if (config.upgradeUrl) {
-      this.planManager.upgradeUrl = config.upgradeUrl;
-    }
-    this.exporter = config.exporter ?? new NoopExporter();
-    this.logger = new ActionLogger(config, this.store);
-    this.taskManager = new TaskManager(config, this.store);
-    this.auditExporter = new AuditExporter(config, this.store);
-    this.trustScorer = new TrustScorer(config, this.store);
-    this.anomalyDetector = new AnomalyDetector(config, this.store);
-    this.featureFlagManager = config.featureFlags ? new FeatureFlagManager(config.featureFlags) : null;
-    if (config.anomalyRules && config.anomalyRules.length > 0) {
-      const advancedRules = ["newDestination", "offHoursActivity", "rapidSuccession", "roundAmount"];
-      const hasAdvanced = config.anomalyRules.some((r) => advancedRules.includes(r));
-      if (hasAdvanced) {
-        requirePlan("advanced-anomaly-rules", planTier);
-      }
-      this.anomalyDetector.enableAnomalyDetection({
-        rules: config.anomalyRules,
-        thresholds: config.anomalyThresholds
+    const { createPublicClient, http } = viem;
+    const wallets = this.config.wallets.map((w) => w.toLowerCase());
+    const pollingInterval = this.config.pollingIntervalMs ?? 12e3;
+    const contractsByChain = /* @__PURE__ */ new Map();
+    for (const [address, info] of Object.entries(STABLECOIN_CONTRACTS)) {
+      if (this.tokens && !this.tokens.has(info.token)) continue;
+      const existing = contractsByChain.get(info.chain) ?? [];
+      existing.push({ address, info });
+      contractsByChain.set(info.chain, existing);
+    }
+    for (const [chain, contracts] of contractsByChain) {
+      const rpcUrl = this.config.rpcEndpoints[chain];
+      if (!rpcUrl) continue;
+      const client = createPublicClient({
+        transport: http(rpcUrl)
       });
+      for (const { address, info } of contracts) {
+        const unwatch = client.watchEvent({
+          address,
+          event: TRANSFER_EVENT_ABI,
+          args: { from: wallets.length === 1 ? wallets[0] : wallets },
+          poll: true,
+          pollingInterval,
+          onLogs: (logs) => {
+            for (const log of logs) {
+              this.handleTransferLog(log, info);
+            }
+          }
+        });
+        this.unwatchers.push(unwatch);
+      }
     }
+    this.cleanupTimer = setInterval(() => {
+      const cutoff = Date.now() - 5 * 60 * 1e3;
+      for (const [hash, ts] of this.txTimestamps) {
+        if (ts < cutoff) {
+          this.verifiedTxHashes.delete(hash);
+          this.txTimestamps.delete(hash);
+        }
+      }
+    }, 6e4);
+    this.running = true;
   }
-  /**
-   * Initialize the Kontext SDK.
-   *
+  /** Stop all watchers and cleanup */
+  stop() {
+    for (const unwatch of this.unwatchers) {
+      try {
+        unwatch();
+      } catch {
+      }
+    }
+    this.unwatchers.length = 0;
+    if (this.cleanupTimer) {
+      clearInterval(this.cleanupTimer);
+      this.cleanupTimer = null;
+    }
+    this.running = false;
+  }
+  isRunning() {
+    return this.running;
+  }
+  handleTransferLog(log, contractInfo) {
+    const txHash = log.transactionHash;
+    if (!txHash) return;
+    const lowerHash = txHash.toLowerCase();
+    if (this.verifiedTxHashes.has(lowerHash)) return;
+    this.markVerified(txHash);
+    const from = log.args?.from?.toLowerCase() ?? "";
+    const to = log.args?.to?.toLowerCase() ?? "";
+    const value = log.args?.value;
+    if (!from || !to || value === void 0) return;
+    const amount = formatTokenAmount(value, contractInfo.decimals);
+    const verifyInput = {
+      txHash,
+      chain: contractInfo.chain,
+      amount,
+      token: contractInfo.token,
+      from,
+      to,
+      agentId: this.agentId,
+      metadata: {
+        source: "wallet-monitor",
+        contractAddress: log.address
+      }
+    };
+    this.kontext.verify(verifyInput).catch(() => {
+    });
+  }
+};
+function formatTokenAmount(amount, decimals) {
+  const divisor = BigInt(10 ** decimals);
+  const whole = amount / divisor;
+  const fraction = amount % divisor;
+  if (fraction === 0n) return whole.toString();
+  const fractionStr = fraction.toString().padStart(decimals, "0").replace(/0+$/, "");
+  return `${whole}.${fractionStr}`;
+}
+var ProvenanceManager = class {
+  store;
+  logger;
+  constructor(store, logger) {
+    this.store = store;
+    this.logger = logger;
+  }
+  // --------------------------------------------------------------------------
+  // Layer 1: Session Delegation
+  // --------------------------------------------------------------------------
+  /**
+   * Create a delegated agent session. Records the delegation in the
+   * tamper-evident digest chain as the session's genesis event.
+   */
+  async createSession(input) {
+    if (!input.agentId) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, "agentId is required");
+    }
+    if (!input.delegatedBy) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, "delegatedBy is required");
+    }
+    if (!input.scope || input.scope.length === 0) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, "scope must contain at least one capability");
+    }
+    const sessionId = generateId();
+    const createdAt = now();
+    const constraints = input.constraints ? {
+      ...input.constraints,
+      ...input.constraints.allowedRecipients ? { allowedRecipients: input.constraints.allowedRecipients.map((a) => a.toLowerCase()) } : {}
+    } : void 0;
+    const session = {
+      sessionId,
+      agentId: input.agentId,
+      delegatedBy: input.delegatedBy,
+      scope: [...input.scope],
+      ...constraints ? { constraints } : {},
+      status: "active",
+      createdAt,
+      ...input.expiresIn ? { expiresAt: new Date(Date.now() + input.expiresIn).toISOString() } : {},
+      metadata: input.metadata ? { ...input.metadata } : {}
+    };
+    const action = await this.logger.log({
+      type: "session-start",
+      description: `Session created: ${input.agentId} delegated by ${input.delegatedBy}`,
+      agentId: input.agentId,
+      sessionId,
+      metadata: {
+        delegatedBy: input.delegatedBy,
+        scope: input.scope,
+        ...constraints ? { constraints } : {}
+      }
+    });
+    session.digest = action.digest;
+    session.priorDigest = action.priorDigest;
+    this.store.addSession(session);
+    return { ...session, scope: [...session.scope] };
+  }
+  /**
+   * Get an agent session by ID. Automatically marks expired sessions.
+   */
+  getSession(sessionId) {
+    const session = this.store.getSession(sessionId);
+    if (!session) return void 0;
+    if (session.status === "active" && session.expiresAt && new Date(session.expiresAt) < /* @__PURE__ */ new Date()) {
+      this.store.updateSession(sessionId, { status: "expired" });
+      return { ...session, status: "expired", scope: [...session.scope] };
+    }
+    return { ...session, scope: [...session.scope] };
+  }
+  /**
+   * Get all agent sessions.
+   */
+  getSessions() {
+    return this.store.getSessions().map((s) => {
+      if (s.status === "active" && s.expiresAt && new Date(s.expiresAt) < /* @__PURE__ */ new Date()) {
+        this.store.updateSession(s.sessionId, { status: "expired" });
+        return { ...s, status: "expired", scope: [...s.scope] };
+      }
+      return { ...s, scope: [...s.scope] };
+    });
+  }
+  /**
+   * End an active agent session. Records the termination in the digest chain.
+   */
+  async endSession(sessionId) {
+    const session = this.store.getSession(sessionId);
+    if (!session) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, `Session not found: ${sessionId}`);
+    }
+    if (session.status !== "active") {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, `Session is already ${session.status}: ${sessionId}`);
+    }
+    const endedAt = now();
+    await this.logger.log({
+      type: "session-end",
+      description: `Session ended: ${session.agentId}`,
+      agentId: session.agentId,
+      sessionId,
+      metadata: { delegatedBy: session.delegatedBy }
+    });
+    const updated = this.store.updateSession(sessionId, { status: "ended", endedAt });
+    if (!updated) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, `Failed to update session: ${sessionId}`);
+    }
+    return { ...updated, scope: [...updated.scope] };
+  }
+  /**
+   * Check whether an action is within a session's delegated scope.
+   */
+  validateScope(sessionId, action) {
+    const session = this.getSession(sessionId);
+    if (!session || session.status !== "active") return false;
+    return session.scope.includes(action);
+  }
+  /**
+   * Check whether a transaction meets session constraints.
+   */
+  validateConstraints(sessionId, input) {
+    const session = this.getSession(sessionId);
+    if (!session || session.status !== "active") return false;
+    if (!session.constraints) return true;
+    const c = session.constraints;
+    if (c.maxAmount && input.amount) {
+      if (parseAmount(input.amount) > parseAmount(c.maxAmount)) return false;
+    }
+    if (c.allowedChains && input.chain) {
+      if (!c.allowedChains.includes(input.chain)) return false;
+    }
+    if (c.allowedTokens && input.token) {
+      if (!c.allowedTokens.includes(input.token)) return false;
+    }
+    if (c.allowedRecipients && input.to) {
+      if (!c.allowedRecipients.includes(input.to.toLowerCase())) return false;
+    }
+    return true;
+  }
+  // --------------------------------------------------------------------------
+  // Layer 3: Checkpoints & Human Attestation
+  // --------------------------------------------------------------------------
+  /**
+   * Create a provenance checkpoint -- a review point where a human
+   * can attest to a batch of agent actions.
+   */
+  async createCheckpoint(input) {
+    const session = this.getSession(input.sessionId);
+    if (!session) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, `Session not found: ${input.sessionId}`);
+    }
+    if (session.status !== "active") {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, `Session is ${session.status}: ${input.sessionId}`);
+    }
+    if (!input.actionIds || input.actionIds.length === 0) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, "actionIds must contain at least one action");
+    }
+    if (!input.summary) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, "summary is required");
+    }
+    const sessionActions = this.store.getActionsBySession(input.sessionId);
+    const sessionActionIds = new Set(sessionActions.map((a) => a.id));
+    for (const actionId of input.actionIds) {
+      if (!sessionActionIds.has(actionId)) {
+        throw new KontextError(
+          "VALIDATION_ERROR" /* VALIDATION_ERROR */,
+          `Action ${actionId} not found in session ${input.sessionId}`
+        );
+      }
+    }
+    const actionDigests = input.actionIds.map((id) => {
+      const action = sessionActions.find((a) => a.id === id);
+      return action?.digest ?? "";
+    }).sort();
+    const hash = createHash("sha256");
+    hash.update(actionDigests.join(""));
+    const actionsDigest = hash.digest("hex");
+    const checkpointId = generateId();
+    const createdAt = now();
+    const checkpoint = {
+      id: checkpointId,
+      sessionId: input.sessionId,
+      actionIds: [...input.actionIds],
+      summary: input.summary,
+      actionsDigest,
+      status: "pending",
+      createdAt,
+      ...input.expiresIn ? { expiresAt: new Date(Date.now() + input.expiresIn).toISOString() } : {}
+    };
+    await this.logger.log({
+      type: "checkpoint-created",
+      description: `Checkpoint created: ${input.summary}`,
+      agentId: session.agentId,
+      sessionId: input.sessionId,
+      metadata: {
+        checkpointId,
+        actionCount: input.actionIds.length,
+        actionsDigest
+      }
+    });
+    this.store.addCheckpoint(checkpoint);
+    return { ...checkpoint, actionIds: [...checkpoint.actionIds] };
+  }
+  /**
+   * Attach an externally-produced human attestation to a checkpoint.
+   * The attestation includes a cryptographic signature that the agent
+   * never touches -- key separation is the critical security property.
+   */
+  async attachAttestation(checkpointId, attestation) {
+    const checkpoint = this.store.getCheckpoint(checkpointId);
+    if (!checkpoint) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, `Checkpoint not found: ${checkpointId}`);
+    }
+    if (checkpoint.status === "pending" && checkpoint.expiresAt && new Date(checkpoint.expiresAt) < /* @__PURE__ */ new Date()) {
+      this.store.updateCheckpoint(checkpointId, { status: "expired" });
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, `Checkpoint expired: ${checkpointId}`);
+    }
+    if (checkpoint.status !== "pending") {
+      throw new KontextError(
+        "VALIDATION_ERROR" /* VALIDATION_ERROR */,
+        `Checkpoint is already ${checkpoint.status}: ${checkpointId}`
+      );
+    }
+    if (attestation.checkpointId !== checkpointId) {
+      throw new KontextError(
+        "VALIDATION_ERROR" /* VALIDATION_ERROR */,
+        `Attestation checkpointId mismatch: expected ${checkpointId}, got ${attestation.checkpointId}`
+      );
+    }
+    const newStatus = attestation.decision === "approved" ? "attested" : "rejected";
+    const session = this.store.getSession(checkpoint.sessionId);
+    const agentId = session?.agentId ?? "unknown";
+    await this.logger.log({
+      type: `checkpoint-${newStatus}`,
+      description: `Checkpoint ${newStatus} by ${attestation.reviewerId}`,
+      agentId,
+      sessionId: checkpoint.sessionId,
+      metadata: {
+        checkpointId,
+        reviewerId: attestation.reviewerId,
+        decision: attestation.decision,
+        attestationId: attestation.attestationId
+      }
+    });
+    const updated = this.store.updateCheckpoint(checkpointId, {
+      status: newStatus,
+      attestation
+    });
+    if (!updated) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, `Failed to update checkpoint: ${checkpointId}`);
+    }
+    return { ...updated, actionIds: [...updated.actionIds] };
+  }
+  /**
+   * Get a checkpoint by ID. Automatically marks expired checkpoints.
+   */
+  getCheckpoint(checkpointId) {
+    const cp = this.store.getCheckpoint(checkpointId);
+    if (!cp) return void 0;
+    if (cp.status === "pending" && cp.expiresAt && new Date(cp.expiresAt) < /* @__PURE__ */ new Date()) {
+      this.store.updateCheckpoint(checkpointId, { status: "expired" });
+      return { ...cp, status: "expired", actionIds: [...cp.actionIds] };
+    }
+    return { ...cp, actionIds: [...cp.actionIds] };
+  }
+  /**
+   * Get all checkpoints, optionally filtered by session.
+   */
+  getCheckpoints(sessionId) {
+    const all = sessionId ? this.store.queryCheckpoints((cp) => cp.sessionId === sessionId) : this.store.getCheckpoints();
+    return all.map((cp) => {
+      if (cp.status === "pending" && cp.expiresAt && new Date(cp.expiresAt) < /* @__PURE__ */ new Date()) {
+        this.store.updateCheckpoint(cp.id, { status: "expired" });
+        return { ...cp, status: "expired", actionIds: [...cp.actionIds] };
+      }
+      return { ...cp, actionIds: [...cp.actionIds] };
+    });
+  }
+  // --------------------------------------------------------------------------
+  // Provenance Bundle Export
+  // --------------------------------------------------------------------------
+  /**
+   * Export the full provenance bundle for a session.
+   */
+  getProvenanceBundle(sessionId) {
+    const session = this.getSession(sessionId);
+    if (!session) {
+      throw new KontextError("VALIDATION_ERROR" /* VALIDATION_ERROR */, `Session not found: ${sessionId}`);
+    }
+    const sessionActions = this.store.getActionsBySession(sessionId);
+    const checkpoints = this.getCheckpoints(sessionId);
+    const actions = sessionActions.filter((a) => a.digest && a.priorDigest).map((a) => ({
+      actionId: a.id,
+      type: a.type,
+      digest: a.digest,
+      priorDigest: a.priorDigest,
+      sessionId,
+      timestamp: a.timestamp
+    }));
+    const attestedCheckpoints = checkpoints.filter((cp) => cp.status === "attested");
+    const attestedActionIds = /* @__PURE__ */ new Set();
+    for (const cp of attestedCheckpoints) {
+      for (const actionId of cp.actionIds) {
+        attestedActionIds.add(actionId);
+      }
+    }
+    const userActions = sessionActions.filter(
+      (a) => !a.type.startsWith("session-") && !a.type.startsWith("checkpoint-")
+    );
+    const verification = {
+      digestChainValid: this.logger.verifyChain(this.store.getActions()).valid,
+      totalActions: userActions.length,
+      humanAttested: userActions.filter((a) => attestedActionIds.has(a.id)).length,
+      sessionScoped: userActions.length,
+      unattested: userActions.filter((a) => !attestedActionIds.has(a.id)).length
+    };
+    return {
+      session,
+      actions,
+      checkpoints,
+      verification,
+      generatedAt: now()
+    };
+  }
+};
+
+// src/kya/identity-registry.ts
+var AgentIdentityRegistry = class {
+  /** agentId -> AgentIdentity */
+  identities = /* @__PURE__ */ new Map();
+  /** normalized address -> agentId (reverse index) */
+  walletIndex = /* @__PURE__ */ new Map();
+  /**
+   * Register a new agent identity.
+   */
+  register(input) {
+    if (this.identities.has(input.agentId)) {
+      throw new Error(`Identity already registered for agent: ${input.agentId}`);
+    }
+    const timestamp = now();
+    const wallets = (input.wallets ?? []).map((w) => ({
+      address: w.address.toLowerCase(),
+      chain: w.chain,
+      verified: false,
+      addedAt: timestamp,
+      label: w.label
+    }));
+    const identity = {
+      agentId: input.agentId,
+      displayName: input.displayName,
+      entityType: input.entityType ?? "unknown",
+      wallets,
+      kycReferences: [],
+      contactUri: input.contactUri,
+      metadata: input.metadata ?? {},
+      createdAt: timestamp,
+      updatedAt: timestamp
+    };
+    this.identities.set(input.agentId, identity);
+    for (const wallet of wallets) {
+      this.walletIndex.set(wallet.address, input.agentId);
+    }
+    return { ...identity, wallets: [...wallets] };
+  }
+  /**
+   * Update an existing agent identity.
+   */
+  update(agentId, input) {
+    const existing = this.identities.get(agentId);
+    if (!existing) {
+      throw new Error(`Identity not found for agent: ${agentId}`);
+    }
+    const updated = {
+      ...existing,
+      updatedAt: now()
+    };
+    if (input.displayName !== void 0) updated.displayName = input.displayName;
+    if (input.entityType !== void 0) updated.entityType = input.entityType;
+    if (input.contactUri !== void 0) updated.contactUri = input.contactUri;
+    if (input.metadata !== void 0) {
+      updated.metadata = { ...existing.metadata, ...input.metadata };
+    }
+    this.identities.set(agentId, updated);
+    return { ...updated, wallets: [...updated.wallets] };
+  }
+  /**
+   * Get an agent identity by agent ID.
+   */
+  get(agentId) {
+    const identity = this.identities.get(agentId);
+    if (!identity) return void 0;
+    return { ...identity, wallets: [...identity.wallets] };
+  }
+  /**
+   * Remove an agent identity and all wallet index entries.
+   */
+  remove(agentId) {
+    const identity = this.identities.get(agentId);
+    if (!identity) return false;
+    for (const wallet of identity.wallets) {
+      this.walletIndex.delete(wallet.address);
+    }
+    this.identities.delete(agentId);
+    return true;
+  }
+  /**
+   * Get all registered identities.
+   */
+  getAll() {
+    return Array.from(this.identities.values()).map((id) => ({
+      ...id,
+      wallets: [...id.wallets]
+    }));
+  }
+  // --------------------------------------------------------------------------
+  // Wallet Operations
+  // --------------------------------------------------------------------------
+  /**
+   * Add a wallet to an existing agent identity.
+   */
+  addWallet(agentId, wallet) {
+    const identity = this.identities.get(agentId);
+    if (!identity) {
+      throw new Error(`Identity not found for agent: ${agentId}`);
+    }
+    const normalized = wallet.address.toLowerCase();
+    const existingOwner = this.walletIndex.get(normalized);
+    if (existingOwner && existingOwner !== agentId) {
+      throw new Error(`Wallet ${normalized} is already registered to agent: ${existingOwner}`);
+    }
+    if (identity.wallets.some((w) => w.address === normalized)) {
+      return { ...identity, wallets: [...identity.wallets] };
+    }
+    const mapping = {
+      address: normalized,
+      chain: wallet.chain,
+      verified: false,
+      addedAt: now(),
+      label: wallet.label
+    };
+    identity.wallets.push(mapping);
+    identity.updatedAt = now();
+    this.walletIndex.set(normalized, agentId);
+    return { ...identity, wallets: [...identity.wallets] };
+  }
+  /**
+   * Remove a wallet from an agent identity.
+   */
+  removeWallet(agentId, address) {
+    const identity = this.identities.get(agentId);
+    if (!identity) {
+      throw new Error(`Identity not found for agent: ${agentId}`);
+    }
+    const normalized = address.toLowerCase();
+    identity.wallets = identity.wallets.filter((w) => w.address !== normalized);
+    identity.updatedAt = now();
+    this.walletIndex.delete(normalized);
+    return { ...identity, wallets: [...identity.wallets] };
+  }
+  /**
+   * Look up an agent identity by wallet address.
+   */
+  lookupByWallet(address) {
+    const agentId = this.walletIndex.get(address.toLowerCase());
+    if (!agentId) return void 0;
+    return this.get(agentId);
+  }
+  // --------------------------------------------------------------------------
+  // KYC Operations
+  // --------------------------------------------------------------------------
+  /**
+   * Add a KYC provider reference to an agent identity.
+   */
+  addKycReference(agentId, reference) {
+    const identity = this.identities.get(agentId);
+    if (!identity) {
+      throw new Error(`Identity not found for agent: ${agentId}`);
+    }
+    identity.kycReferences.push(reference);
+    identity.updatedAt = now();
+    return { ...identity, wallets: [...identity.wallets] };
+  }
+  /**
+   * Get the overall KYC status for an agent.
+   * Returns the best status from all references.
+   */
+  getKycStatus(agentId) {
+    const identity = this.identities.get(agentId);
+    if (!identity || identity.kycReferences.length === 0) return "none";
+    const statusPriority = {
+      verified: 4,
+      pending: 3,
+      expired: 2,
+      rejected: 1,
+      none: 0
+    };
+    let best = "none";
+    for (const ref of identity.kycReferences) {
+      if (statusPriority[ref.status] > statusPriority[best]) {
+        best = ref.status;
+      }
+    }
+    return best;
+  }
+  /**
+   * Check if an agent has at least one verified and non-expired KYC reference.
+   */
+  hasVerifiedKyc(agentId) {
+    const identity = this.identities.get(agentId);
+    if (!identity) return false;
+    const currentTime = (/* @__PURE__ */ new Date()).toISOString();
+    return identity.kycReferences.some(
+      (ref) => ref.status === "verified" && (ref.expiresAt === null || ref.expiresAt > currentTime)
+    );
+  }
+};
+
+// src/kya/wallet-clustering.ts
+var UnionFind = class {
+  parent = /* @__PURE__ */ new Map();
+  rank = /* @__PURE__ */ new Map();
+  /**
+   * Find the representative of the set containing x.
+   * Uses path compression for amortized near-constant time.
+   */
+  find(x) {
+    if (!this.parent.has(x)) {
+      this.parent.set(x, x);
+      this.rank.set(x, 0);
+    }
+    let root = x;
+    while (this.parent.get(root) !== root) {
+      root = this.parent.get(root);
+    }
+    let current = x;
+    while (current !== root) {
+      const next = this.parent.get(current);
+      this.parent.set(current, root);
+      current = next;
+    }
+    return root;
+  }
+  /**
+   * Union the sets containing x and y.
+   * Uses union-by-rank for balanced trees.
+   */
+  union(x, y) {
+    const rootX = this.find(x);
+    const rootY = this.find(y);
+    if (rootX === rootY) return;
+    const rankX = this.rank.get(rootX);
+    const rankY = this.rank.get(rootY);
+    if (rankX < rankY) {
+      this.parent.set(rootX, rootY);
+    } else if (rankX > rankY) {
+      this.parent.set(rootY, rootX);
+    } else {
+      this.parent.set(rootY, rootX);
+      this.rank.set(rootX, rankX + 1);
+    }
+  }
+  /**
+   * Check if x and y are in the same set.
+   */
+  connected(x, y) {
+    return this.find(x) === this.find(y);
+  }
+  /**
+   * Get all components as arrays of elements.
+   */
+  getComponents() {
+    const components = /* @__PURE__ */ new Map();
+    for (const key of this.parent.keys()) {
+      const root = this.find(key);
+      if (!components.has(root)) {
+        components.set(root, []);
+      }
+      components.get(root).push(key);
+    }
+    return Array.from(components.values());
+  }
+  /**
+   * Get the component containing x.
+   */
+  getComponentOf(x) {
+    const root = this.find(x);
+    const component = [];
+    for (const key of this.parent.keys()) {
+      if (this.find(key) === root) {
+        component.push(key);
+      }
+    }
+    return component;
+  }
+};
+var WalletClusterer = class {
+  config;
+  cachedClusters = null;
+  constructor(config = {}) {
+    this.config = {
+      temporalWindowSeconds: config.temporalWindowSeconds ?? 60,
+      minDestinationOverlap: config.minDestinationOverlap ?? 0.3,
+      minGasSponsoredWallets: config.minGasSponsoredWallets ?? 3
+    };
+  }
+  /**
+   * Analyze transactions from the store and registry to produce wallet clusters.
+   */
+  analyzeFromStore(store, registry) {
+    const uf = new UnionFind();
+    const evidence = [];
+    const transactions = store.getTransactions();
+    const timestamp = now();
+    for (const tx of transactions) {
+      uf.find(tx.from.toLowerCase());
+      uf.find(tx.to.toLowerCase());
+    }
+    this.applyCommonAgent(store, uf, evidence, timestamp);
+    this.applyFundingChain(store, uf, evidence, timestamp);
+    this.applyGasSponsorship(store, uf, evidence, timestamp);
+    this.applyTemporalCoSpending(store, uf, evidence, timestamp);
+    if (registry) {
+      this.applyDeclaredWallets(registry, uf, evidence, timestamp);
+    }
+    const clusters = this.buildClusters(uf, evidence, store, registry, timestamp);
+    this.cachedClusters = clusters;
+    return clusters;
+  }
+  /**
+   * Get cached clusters (or empty if not analyzed yet).
+   */
+  getClusters() {
+    return this.cachedClusters ?? [];
+  }
+  /**
+   * Invalidate the cached clusters.
+   */
+  invalidateCache() {
+    this.cachedClusters = null;
+  }
+  // --------------------------------------------------------------------------
+  // Heuristics
+  // --------------------------------------------------------------------------
+  /**
+   * Heuristic 1: Common Agent (confidence 0.9)
+   * Same agentId used multiple addresses -> union all from/to per agent.
+   */
+  applyCommonAgent(store, uf, evidence, timestamp) {
+    const transactions = store.getTransactions();
+    const agentAddresses = /* @__PURE__ */ new Map();
+    for (const tx of transactions) {
+      const from = tx.from.toLowerCase();
+      const agentId = tx.agentId;
+      if (!agentAddresses.has(agentId)) {
+        agentAddresses.set(agentId, /* @__PURE__ */ new Set());
+      }
+      agentAddresses.get(agentId).add(from);
+    }
+    for (const [, addresses] of agentAddresses) {
+      const addrs = Array.from(addresses);
+      for (let i = 1; i < addrs.length; i++) {
+        if (!uf.connected(addrs[0], addrs[i])) {
+          uf.union(addrs[0], addrs[i]);
+          evidence.push({
+            heuristic: "common-agent",
+            confidence: 0.9,
+            addresses: [addrs[0], addrs[i]],
+            detectedAt: timestamp
+          });
+        }
+      }
+    }
+  }
+  /**
+   * Heuristic 2: Funding Chain (confidence 0.7)
+   * If A sends to B, and A is agent-associated -> union A and B.
+   */
+  applyFundingChain(store, uf, evidence, timestamp) {
+    const transactions = store.getTransactions();
+    const agentAssociated = /* @__PURE__ */ new Set();
+    for (const tx of transactions) {
+      agentAssociated.add(tx.from.toLowerCase());
+    }
+    for (const tx of transactions) {
+      const from = tx.from.toLowerCase();
+      const to = tx.to.toLowerCase();
+      if (agentAssociated.has(from) && !uf.connected(from, to)) {
+        uf.union(from, to);
+        evidence.push({
+          heuristic: "funding-chain",
+          confidence: 0.7,
+          addresses: [from, to],
+          detectedAt: timestamp
+        });
+      }
+    }
+  }
+  /**
+   * Heuristic 3: Gas Sponsorship (confidence 0.75)
+   * If G is from in transfers to 3+ distinct agent wallets -> union G with all.
+   */
+  applyGasSponsorship(store, uf, evidence, timestamp) {
+    const transactions = store.getTransactions();
+    const agentFromAddresses = /* @__PURE__ */ new Set();
+    for (const tx of transactions) {
+      agentFromAddresses.add(tx.from.toLowerCase());
+    }
+    const senderToRecipients = /* @__PURE__ */ new Map();
+    for (const tx of transactions) {
+      const from = tx.from.toLowerCase();
+      const to = tx.to.toLowerCase();
+      if (!senderToRecipients.has(from)) {
+        senderToRecipients.set(from, /* @__PURE__ */ new Set());
+      }
+      senderToRecipients.get(from).add(to);
+    }
+    for (const [sender, recipients] of senderToRecipients) {
+      const agentRecipients = Array.from(recipients).filter(
+        (r) => agentFromAddresses.has(r)
+      );
+      if (agentRecipients.length >= this.config.minGasSponsoredWallets) {
+        for (const recipient of agentRecipients) {
+          if (!uf.connected(sender, recipient)) {
+            uf.union(sender, recipient);
+            evidence.push({
+              heuristic: "gas-sponsorship",
+              confidence: 0.75,
+              addresses: [sender, recipient],
+              detectedAt: timestamp,
+              detail: `Sender ${sender} sponsors ${agentRecipients.length} agent wallets`
+            });
+          }
+        }
+      }
+    }
+  }
+  /**
+   * Heuristic 4: Temporal Co-Spending (confidence 0.6)
+   * Addresses transacting within a window with destination overlap.
+   */
+  applyTemporalCoSpending(store, uf, evidence, timestamp) {
+    const transactions = store.getTransactions();
+    if (transactions.length < 2) return;
+    const txByFrom = /* @__PURE__ */ new Map();
+    for (const tx of transactions) {
+      const from = tx.from.toLowerCase();
+      const to = tx.to.toLowerCase();
+      if (!txByFrom.has(from)) {
+        txByFrom.set(from, []);
+      }
+      txByFrom.get(from).push({
+        to,
+        time: new Date(tx.timestamp).getTime() / 1e3
+      });
+    }
+    const fromAddresses = Array.from(txByFrom.keys());
+    for (let i = 0; i < fromAddresses.length; i++) {
+      for (let j = i + 1; j < fromAddresses.length; j++) {
+        const addrA = fromAddresses[i];
+        const addrB = fromAddresses[j];
+        const txsA = txByFrom.get(addrA);
+        const txsB = txByFrom.get(addrB);
+        let hasTemporalOverlap = false;
+        for (const a of txsA) {
+          for (const b of txsB) {
+            if (Math.abs(a.time - b.time) <= this.config.temporalWindowSeconds) {
+              hasTemporalOverlap = true;
+              break;
+            }
+          }
+          if (hasTemporalOverlap) break;
+        }
+        if (!hasTemporalOverlap) continue;
+        const destsA = new Set(txsA.map((t) => t.to));
+        const destsB = new Set(txsB.map((t) => t.to));
+        const intersection = new Set([...destsA].filter((d) => destsB.has(d)));
+        const union = /* @__PURE__ */ new Set([...destsA, ...destsB]);
+        const overlapRatio = union.size > 0 ? intersection.size / union.size : 0;
+        if (overlapRatio >= this.config.minDestinationOverlap) {
+          if (!uf.connected(addrA, addrB)) {
+            uf.union(addrA, addrB);
+            evidence.push({
+              heuristic: "temporal-co-spending",
+              confidence: 0.6,
+              addresses: [addrA, addrB],
+              detectedAt: timestamp,
+              detail: `Overlap ratio: ${overlapRatio.toFixed(2)}`
+            });
+          }
+        }
+      }
+    }
+  }
+  /**
+   * Heuristic 5: Declared Wallets (confidence 1.0)
+   * All wallets declared by the same identity are unioned.
+   */
+  applyDeclaredWallets(registry, uf, evidence, timestamp) {
+    const identities = registry.getAll();
+    for (const identity of identities) {
+      const addrs = identity.wallets.map((w) => w.address);
+      for (let i = 1; i < addrs.length; i++) {
+        if (!uf.connected(addrs[0], addrs[i])) {
+          uf.union(addrs[0], addrs[i]);
+          evidence.push({
+            heuristic: "declared-wallets",
+            confidence: 1,
+            addresses: [addrs[0], addrs[i]],
+            detectedAt: timestamp
+          });
+        }
+      }
+    }
+  }
+  // --------------------------------------------------------------------------
+  // Cluster Building
+  // --------------------------------------------------------------------------
+  buildClusters(uf, evidence, store, registry, timestamp) {
+    const components = uf.getComponents();
+    const clusters = [];
+    const evidenceByAddress = /* @__PURE__ */ new Map();
+    for (const e of evidence) {
+      for (const addr of e.addresses) {
+        if (!evidenceByAddress.has(addr)) {
+          evidenceByAddress.set(addr, []);
+        }
+        evidenceByAddress.get(addr).push(e);
+      }
+    }
+    const addressToAgents = /* @__PURE__ */ new Map();
+    for (const tx of store.getTransactions()) {
+      const from = tx.from.toLowerCase();
+      if (!addressToAgents.has(from)) {
+        addressToAgents.set(from, /* @__PURE__ */ new Set());
+      }
+      addressToAgents.get(from).add(tx.agentId);
+    }
+    if (registry) {
+      for (const identity of registry.getAll()) {
+        for (const wallet of identity.wallets) {
+          if (!addressToAgents.has(wallet.address)) {
+            addressToAgents.set(wallet.address, /* @__PURE__ */ new Set());
+          }
+          addressToAgents.get(wallet.address).add(identity.agentId);
+        }
+      }
+    }
+    for (const component of components) {
+      if (component.length < 2) continue;
+      const clusterEvidence = [];
+      const seen = /* @__PURE__ */ new Set();
+      for (const addr of component) {
+        const addrEvidence = evidenceByAddress.get(addr) ?? [];
+        for (const e of addrEvidence) {
+          const key = `${e.heuristic}:${e.addresses[0]}:${e.addresses[1]}`;
+          if (!seen.has(key)) {
+            seen.add(key);
+            clusterEvidence.push(e);
+          }
+        }
+      }
+      const agentIds = /* @__PURE__ */ new Set();
+      for (const addr of component) {
+        const agents = addressToAgents.get(addr);
+        if (agents) {
+          for (const a of agents) agentIds.add(a);
+        }
+      }
+      const maxConfidence = clusterEvidence.length > 0 ? Math.max(...clusterEvidence.map((e) => e.confidence)) : 0;
+      clusters.push({
+        id: generateId(),
+        addresses: component.sort(),
+        agentIds: Array.from(agentIds).sort(),
+        evidence: clusterEvidence,
+        confidence: maxConfidence,
+        createdAt: timestamp
+      });
+    }
+    return clusters;
+  }
+};
+
+// src/kya/behavioral-fingerprint.ts
+var MIN_SAMPLE_SIZE = 5;
+var BehavioralFingerprinter = class {
+  /**
+   * Compute a behavioral embedding for an agent from their transaction history.
+   * Returns null if the agent has fewer than MIN_SAMPLE_SIZE transactions.
+   */
+  computeEmbedding(agentId, store) {
+    const transactions = store.getTransactionsByAgent(agentId);
+    if (transactions.length < MIN_SAMPLE_SIZE) return null;
+    return {
+      agentId,
+      temporal: this.extractTemporalFeatures(transactions),
+      financial: this.extractFinancialFeatures(transactions),
+      network: this.extractNetworkFeatures(transactions),
+      operational: this.extractOperationalFeatures(transactions),
+      sampleSize: transactions.length,
+      computedAt: now()
+    };
+  }
+  /**
+   * Compute cosine similarity between two behavioral embeddings.
+   * Returns a value in [0, 1] where 1 means identical and 0 means orthogonal.
+   */
+  cosineSimilarity(a, b) {
+    const vecA = this.flattenEmbedding(a);
+    const vecB = this.flattenEmbedding(b);
+    let dot = 0;
+    let magA = 0;
+    let magB = 0;
+    for (let i = 0; i < vecA.length; i++) {
+      dot += vecA[i] * vecB[i];
+      magA += vecA[i] * vecA[i];
+      magB += vecB[i] * vecB[i];
+    }
+    const denominator = Math.sqrt(magA) * Math.sqrt(magB);
+    if (denominator === 0) return 0;
+    return dot / denominator;
+  }
+  // --------------------------------------------------------------------------
+  // Feature Extraction
+  // --------------------------------------------------------------------------
+  extractTemporalFeatures(txs) {
+    const sorted = [...txs].sort(
+      (a, b) => new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime()
+    );
+    const intervals = [];
+    for (let i = 1; i < sorted.length; i++) {
+      const diff = (new Date(sorted[i].timestamp).getTime() - new Date(sorted[i - 1].timestamp).getTime()) / 1e3;
+      intervals.push(diff);
+    }
+    const meanInterval = intervals.length > 0 ? intervals.reduce((s, v) => s + v, 0) / intervals.length : 0;
+    const stddevInterval = intervals.length > 1 ? Math.sqrt(
+      intervals.reduce((s, v) => s + (v - meanInterval) ** 2, 0) / (intervals.length - 1)
+    ) : 0;
+    const hourCounts = new Array(24).fill(0);
+    for (const tx of txs) {
+      const hour = new Date(tx.timestamp).getUTCHours();
+      hourCounts[hour] = (hourCounts[hour] ?? 0) + 1;
+    }
+    const hourTotal = hourCounts.reduce((s, v) => s + v, 0);
+    const hourHistogram = hourTotal > 0 ? hourCounts.map((c) => c / hourTotal) : hourCounts;
+    const dayCounts = new Array(7).fill(0);
+    for (const tx of txs) {
+      const day = new Date(tx.timestamp).getUTCDay();
+      dayCounts[day] = (dayCounts[day] ?? 0) + 1;
+    }
+    const dayTotal = dayCounts.reduce((s, v) => s + v, 0);
+    const dayHistogram = dayTotal > 0 ? dayCounts.map((c) => c / dayTotal) : dayCounts;
+    return {
+      meanIntervalSeconds: meanInterval,
+      stddevIntervalSeconds: stddevInterval,
+      hourHistogram,
+      dayHistogram
+    };
+  }
+  extractFinancialFeatures(txs) {
+    const amounts = txs.map((tx) => parseFloat(tx.amount)).filter((a) => !isNaN(a));
+    if (amounts.length === 0) {
+      return {
+        meanAmount: 0,
+        stddevAmount: 0,
+        medianAmount: 0,
+        roundAmountRatio: 0,
+        percentiles: [0, 0, 0, 0, 0]
+      };
+    }
+    const sorted = [...amounts].sort((a, b) => a - b);
+    const mean = amounts.reduce((s, v) => s + v, 0) / amounts.length;
+    const stddev = amounts.length > 1 ? Math.sqrt(
+      amounts.reduce((s, v) => s + (v - mean) ** 2, 0) / (amounts.length - 1)
+    ) : 0;
+    const median = this.percentile(sorted, 50);
+    const roundCount = amounts.filter((a) => a % 100 === 0).length;
+    return {
+      meanAmount: mean,
+      stddevAmount: stddev,
+      medianAmount: median,
+      roundAmountRatio: amounts.length > 0 ? roundCount / amounts.length : 0,
+      percentiles: [
+        this.percentile(sorted, 10),
+        this.percentile(sorted, 25),
+        this.percentile(sorted, 50),
+        this.percentile(sorted, 75),
+        this.percentile(sorted, 90)
+      ]
+    };
+  }
+  extractNetworkFeatures(txs) {
+    const destinations = txs.map((tx) => tx.to.toLowerCase());
+    const sources = txs.map((tx) => tx.from.toLowerCase());
+    const uniqueDests = new Set(destinations);
+    const uniqueSrcs = new Set(sources);
+    const reuseRatio = destinations.length > 0 ? 1 - uniqueDests.size / destinations.length : 0;
+    const destCounts = /* @__PURE__ */ new Map();
+    for (const d of destinations) {
+      destCounts.set(d, (destCounts.get(d) ?? 0) + 1);
+    }
+    let hhi = 0;
+    for (const count of destCounts.values()) {
+      const share = count / destinations.length;
+      hhi += share * share;
+    }
+    return {
+      uniqueDestinations: uniqueDests.size,
+      reuseRatio,
+      concentrationIndex: hhi,
+      uniqueSources: uniqueSrcs.size
+    };
+  }
+  extractOperationalFeatures(txs) {
+    const chainCounts = /* @__PURE__ */ new Map();
+    const tokenCounts = /* @__PURE__ */ new Map();
+    for (const tx of txs) {
+      const chain = tx.chain ?? "unknown";
+      const token = tx.token ?? "unknown";
+      chainCounts.set(chain, (chainCounts.get(chain) ?? 0) + 1);
+      tokenCounts.set(token, (tokenCounts.get(token) ?? 0) + 1);
+    }
+    const total = txs.length;
+    const chainDistribution = {};
+    for (const [chain, count] of chainCounts) {
+      chainDistribution[chain] = total > 0 ? count / total : 0;
+    }
+    const tokenDistribution = {};
+    for (const [token, count] of tokenCounts) {
+      tokenDistribution[token] = total > 0 ? count / total : 0;
+    }
+    const primaryChain = chainCounts.size > 0 ? Array.from(chainCounts.entries()).sort((a, b) => b[1] - a[1])[0][0] : "";
+    const primaryToken = tokenCounts.size > 0 ? Array.from(tokenCounts.entries()).sort((a, b) => b[1] - a[1])[0][0] : "";
+    return {
+      chainDistribution,
+      tokenDistribution,
+      primaryChain,
+      primaryToken
+    };
+  }
+  // --------------------------------------------------------------------------
+  // Helpers
+  // --------------------------------------------------------------------------
+  percentile(sorted, p) {
+    if (sorted.length === 0) return 0;
+    const idx = p / 100 * (sorted.length - 1);
+    const lower = Math.floor(idx);
+    const upper = Math.ceil(idx);
+    if (lower === upper) return sorted[lower];
+    return sorted[lower] + (sorted[upper] - sorted[lower]) * (idx - lower);
+  }
+  /**
+   * Flatten an embedding into a numeric vector for cosine similarity.
+   * Log-scales magnitude values with log(1+x).
+   */
+  flattenEmbedding(e) {
+    const vec = [];
+    vec.push(Math.log(1 + e.temporal.meanIntervalSeconds));
+    vec.push(Math.log(1 + e.temporal.stddevIntervalSeconds));
+    vec.push(...e.temporal.hourHistogram);
+    vec.push(...e.temporal.dayHistogram);
+    vec.push(Math.log(1 + e.financial.meanAmount));
+    vec.push(Math.log(1 + e.financial.stddevAmount));
+    vec.push(Math.log(1 + e.financial.medianAmount));
+    vec.push(e.financial.roundAmountRatio);
+    vec.push(...e.financial.percentiles.map((p) => Math.log(1 + p)));
+    vec.push(Math.log(1 + e.network.uniqueDestinations));
+    vec.push(e.network.reuseRatio);
+    vec.push(e.network.concentrationIndex);
+    vec.push(Math.log(1 + e.network.uniqueSources));
+    const chainValues = Object.values(e.operational.chainDistribution).sort(
+      (a, b) => b - a
+    );
+    const tokenValues = Object.values(e.operational.tokenDistribution).sort(
+      (a, b) => b - a
+    );
+    for (let i = 0; i < 5; i++) {
+      vec.push(chainValues[i] ?? 0);
+    }
+    for (let i = 0; i < 5; i++) {
+      vec.push(tokenValues[i] ?? 0);
+    }
+    return vec;
+  }
+};
+
+// src/kya/cross-session-linker.ts
+var WALLET_OVERLAP_WEIGHT = 0.4;
+var BEHAVIORAL_SIMILARITY_WEIGHT = 0.35;
+var DECLARED_IDENTITY_WEIGHT = 0.25;
+var CrossSessionLinker = class {
+  config;
+  links = /* @__PURE__ */ new Map();
+  constructor(config = {}) {
+    this.config = {
+      minBehavioralSimilarity: config.minBehavioralSimilarity ?? 0.85,
+      minLinkConfidence: config.minLinkConfidence ?? 0.6
+    };
+  }
+  /**
+   * Analyze all agents and create links between those with sufficient signals.
+   */
+  analyzeAndLink(store, registry, clusterer, fingerprinter) {
+    const newLinks = [];
+    const agentIds = /* @__PURE__ */ new Set();
+    for (const tx of store.getTransactions()) {
+      agentIds.add(tx.agentId);
+    }
+    for (const action of store.getActions()) {
+      agentIds.add(action.agentId);
+    }
+    const agents = Array.from(agentIds);
+    const clusters = clusterer.getClusters();
+    for (let i = 0; i < agents.length; i++) {
+      for (let j = i + 1; j < agents.length; j++) {
+        const agentA = agents[i];
+        const agentB = agents[j];
+        const existingKey = this.getLinkKey(agentA, agentB);
+        if (this.links.has(existingKey)) continue;
+        const signals = [];
+        const walletOverlap = this.computeWalletOverlap(
+          agentA,
+          agentB,
+          clusters
+        );
+        if (walletOverlap > 0) {
+          signals.push({
+            type: "wallet-overlap",
+            strength: walletOverlap,
+            weight: WALLET_OVERLAP_WEIGHT
+          });
+        }
+        const embeddingA = fingerprinter.computeEmbedding(agentA, store);
+        const embeddingB = fingerprinter.computeEmbedding(agentB, store);
+        if (embeddingA && embeddingB) {
+          const similarity = fingerprinter.cosineSimilarity(embeddingA, embeddingB);
+          if (similarity >= this.config.minBehavioralSimilarity) {
+            signals.push({
+              type: "behavioral-similarity",
+              strength: similarity,
+              weight: BEHAVIORAL_SIMILARITY_WEIGHT
+            });
+          }
+        }
+        const declaredStrength = this.computeDeclaredIdentitySignal(
+          agentA,
+          agentB,
+          registry
+        );
+        if (declaredStrength > 0) {
+          signals.push({
+            type: "declared-identity",
+            strength: declaredStrength,
+            weight: DECLARED_IDENTITY_WEIGHT
+          });
+        }
+        if (signals.length === 0) continue;
+        const confidence = signals.reduce((sum, s) => sum + s.strength * s.weight, 0) / signals.reduce((sum, s) => sum + s.weight, 0);
+        if (confidence >= this.config.minLinkConfidence) {
+          const link = {
+            id: generateId(),
+            agentIdA: agentA,
+            agentIdB: agentB,
+            confidence,
+            signals,
+            status: "inferred",
+            createdAt: now()
+          };
+          this.links.set(existingKey, link);
+          newLinks.push(link);
+        }
+      }
+    }
+    return newLinks;
+  }
+  /**
+   * Manually link two agents.
+   */
+  manualLink(agentIdA, agentIdB, reviewedBy) {
+    const key = this.getLinkKey(agentIdA, agentIdB);
+    const existing = this.links.get(key);
+    if (existing) {
+      existing.status = "confirmed";
+      existing.reviewedBy = reviewedBy;
+      existing.reviewedAt = now();
+      return { ...existing };
+    }
+    const link = {
+      id: generateId(),
+      agentIdA,
+      agentIdB,
+      confidence: 1,
+      signals: [
+        {
+          type: "declared-identity",
+          strength: 1,
+          weight: 1,
+          detail: `Manually linked by ${reviewedBy}`
+        }
+      ],
+      status: "confirmed",
+      createdAt: now(),
+      reviewedBy,
+      reviewedAt: now()
+    };
+    this.links.set(key, link);
+    return { ...link };
+  }
+  /**
+   * Review a link (confirm or reject).
+   */
+  reviewLink(linkId, decision, reviewedBy) {
+    for (const link of this.links.values()) {
+      if (link.id === linkId) {
+        link.status = decision;
+        link.reviewedBy = reviewedBy;
+        link.reviewedAt = now();
+        return { ...link };
+      }
+    }
+    return void 0;
+  }
+  /**
+   * Get all agents linked to the given agent.
+   */
+  getLinkedAgents(agentId) {
+    const linked = /* @__PURE__ */ new Set();
+    for (const link of this.links.values()) {
+      if (link.status === "rejected") continue;
+      if (link.agentIdA === agentId) linked.add(link.agentIdB);
+      if (link.agentIdB === agentId) linked.add(link.agentIdA);
+    }
+    return Array.from(linked);
+  }
+  /**
+   * Get all links for a specific agent.
+   */
+  getLinksForAgent(agentId) {
+    const result = [];
+    for (const link of this.links.values()) {
+      if (link.agentIdA === agentId || link.agentIdB === agentId) {
+        result.push({ ...link });
+      }
+    }
+    return result;
+  }
+  /**
+   * Get all links.
+   */
+  getAllLinks() {
+    return Array.from(this.links.values()).map((l) => ({ ...l }));
+  }
+  // --------------------------------------------------------------------------
+  // Private Helpers
+  // --------------------------------------------------------------------------
+  getLinkKey(a, b) {
+    return a < b ? `${a}:${b}` : `${b}:${a}`;
+  }
+  computeWalletOverlap(agentA, agentB, clusters) {
+    const clustersA = /* @__PURE__ */ new Set();
+    const clustersB = /* @__PURE__ */ new Set();
+    for (const cluster of clusters) {
+      if (cluster.agentIds.includes(agentA)) {
+        for (const addr of cluster.addresses) clustersA.add(addr);
+      }
+      if (cluster.agentIds.includes(agentB)) {
+        for (const addr of cluster.addresses) clustersB.add(addr);
+      }
+    }
+    if (clustersA.size === 0 || clustersB.size === 0) return 0;
+    const intersection = new Set([...clustersA].filter((a) => clustersB.has(a)));
+    const union = /* @__PURE__ */ new Set([...clustersA, ...clustersB]);
+    return union.size > 0 ? intersection.size / union.size : 0;
+  }
+  computeDeclaredIdentitySignal(agentA, agentB, registry) {
+    const identityA = registry.get(agentA);
+    const identityB = registry.get(agentB);
+    if (!identityA || !identityB) return 0;
+    const walletsA = new Set(identityA.wallets.map((w) => w.address));
+    const walletsB = new Set(identityB.wallets.map((w) => w.address));
+    const sharedWallets = [...walletsA].filter((w) => walletsB.has(w));
+    if (sharedWallets.length > 0) return 1;
+    const kycRefsA = new Set(
+      identityA.kycReferences.map((r) => `${r.provider}:${r.referenceId}`)
+    );
+    const kycRefsB = new Set(
+      identityB.kycReferences.map((r) => `${r.provider}:${r.referenceId}`)
+    );
+    const sharedKyc = [...kycRefsA].filter((r) => kycRefsB.has(r));
+    if (sharedKyc.length > 0) return 1;
+    return 0;
+  }
+};
+
+// src/kya/confidence-scorer.ts
+var KYAConfidenceScorer = class {
+  weights;
+  constructor(config = {}) {
+    this.weights = {
+      declaredIdentity: config.declaredIdentityWeight ?? 0.2,
+      kycVerification: config.kycVerificationWeight ?? 0.3,
+      walletGraph: config.walletGraphWeight ?? 0.2,
+      behavioralConsistency: config.behavioralConsistencyWeight ?? 0.2,
+      externalEnrichment: config.externalEnrichmentWeight ?? 0.1
+    };
+  }
+  /**
+   * Compute a composite confidence score for an agent.
+   */
+  computeScore(agentId, registry, clusterer, fingerprinter, linker, store) {
+    const components = [];
+    const declaredScore = this.scoreDeclaredIdentity(agentId, registry);
+    components.push({
+      name: "Declared Identity",
+      score: declaredScore.score,
+      weight: this.weights.declaredIdentity,
+      weightedScore: declaredScore.score * this.weights.declaredIdentity,
+      detail: declaredScore.detail
+    });
+    const kycScore = this.scoreKycVerification(agentId, registry);
+    components.push({
+      name: "KYC Verification",
+      score: kycScore.score,
+      weight: this.weights.kycVerification,
+      weightedScore: kycScore.score * this.weights.kycVerification,
+      detail: kycScore.detail
+    });
+    const walletScore = this.scoreWalletGraph(agentId, clusterer);
+    components.push({
+      name: "Wallet Graph",
+      score: walletScore.score,
+      weight: this.weights.walletGraph,
+      weightedScore: walletScore.score * this.weights.walletGraph,
+      detail: walletScore.detail
+    });
+    const behavioralScore = this.scoreBehavioralConsistency(
+      agentId,
+      fingerprinter,
+      linker,
+      store
+    );
+    components.push({
+      name: "Behavioral Consistency",
+      score: behavioralScore.score,
+      weight: this.weights.behavioralConsistency,
+      weightedScore: behavioralScore.score * this.weights.behavioralConsistency,
+      detail: behavioralScore.detail
+    });
+    const externalScore = this.scoreExternalEnrichment(agentId, registry);
+    components.push({
+      name: "External Enrichment",
+      score: externalScore.score,
+      weight: this.weights.externalEnrichment,
+      weightedScore: externalScore.score * this.weights.externalEnrichment,
+      detail: externalScore.detail
+    });
+    const totalWeight = components.reduce((sum, c) => sum + c.weight, 0);
+    const overallScore = totalWeight > 0 ? Math.round(components.reduce((sum, c) => sum + c.weightedScore, 0) / totalWeight) : 0;
+    return {
+      agentId,
+      score: overallScore,
+      level: this.scoreToLevel(overallScore),
+      components,
+      computedAt: now()
+    };
+  }
+  // --------------------------------------------------------------------------
+  // Component Scorers
+  // --------------------------------------------------------------------------
+  scoreDeclaredIdentity(agentId, registry) {
+    const identity = registry.get(agentId);
+    if (!identity) return { score: 0, detail: "No declared identity" };
+    let score = 30;
+    const parts = ["identity registered"];
+    if (identity.displayName) {
+      score += 10;
+      parts.push("displayName set");
+    }
+    if (identity.entityType !== "unknown") {
+      score += 10;
+      parts.push(`entityType: ${identity.entityType}`);
+    }
+    if (identity.wallets.length > 0) {
+      score += 20;
+      parts.push(`${identity.wallets.length} wallet(s)`);
+    }
+    if (identity.contactUri) {
+      score += 10;
+      parts.push("contactUri set");
+    }
+    if (Object.keys(identity.metadata).length > 0) {
+      score += 20;
+      parts.push("metadata provided");
+    }
+    return { score: Math.min(100, score), detail: parts.join(", ") };
+  }
+  scoreKycVerification(agentId, registry) {
+    const identity = registry.get(agentId);
+    if (!identity || identity.kycReferences.length === 0) {
+      return { score: 0, detail: "No KYC verification" };
+    }
+    const refs = identity.kycReferences;
+    const hasRejected = refs.some((r) => r.status === "rejected");
+    const verifiedRefs = refs.filter((r) => r.status === "verified");
+    const pendingRefs = refs.filter((r) => r.status === "pending");
+    const currentTime = (/* @__PURE__ */ new Date()).toISOString();
+    const activeVerified = verifiedRefs.filter(
+      (r) => r.expiresAt === null || r.expiresAt > currentTime
+    );
+    if (hasRejected && verifiedRefs.length === 0) {
+      return { score: 10, detail: "KYC rejected, capped at 10" };
+    }
+    if (pendingRefs.length > 0 && verifiedRefs.length === 0) {
+      return { score: 20, detail: "KYC pending" };
+    }
+    if (verifiedRefs.length > 0) {
+      let score = 90;
+      const parts = [`${verifiedRefs.length} verified`];
+      if (activeVerified.length > 0) {
+        score = 100;
+        parts.push("non-expired");
+      }
+      if (verifiedRefs.length > 1) {
+        score = Math.min(100, score + 10);
+        parts.push("multiple providers");
+      }
+      return { score, detail: parts.join(", ") };
+    }
+    return { score: 0, detail: "No KYC verification" };
+  }
+  scoreWalletGraph(agentId, clusterer) {
+    const clusters = clusterer.getClusters();
+    const agentClusters = clusters.filter((c) => c.agentIds.includes(agentId));
+    if (agentClusters.length === 0) {
+      return { score: 20, detail: "No wallet cluster" };
+    }
+    const totalAddresses = new Set(
+      agentClusters.flatMap((c) => c.addresses)
+    ).size;
+    if (totalAddresses === 1) {
+      return { score: 40, detail: "1 address in cluster" };
+    }
+    const heuristics = new Set(
+      agentClusters.flatMap((c) => c.evidence.map((e) => e.heuristic))
+    );
+    const hasDeclared = heuristics.has("declared-wallets");
+    const hasAuto = heuristics.size > (hasDeclared ? 1 : 0);
+    if (hasDeclared && hasAuto) {
+      return {
+        score: 85,
+        detail: `${totalAddresses} addresses, declared + auto heuristics`
+      };
+    }
+    if (heuristics.size > 1) {
+      return {
+        score: 70,
+        detail: `${totalAddresses} addresses, ${heuristics.size} heuristic types`
+      };
+    }
+    return {
+      score: 50,
+      detail: `${totalAddresses} addresses, single heuristic`
+    };
+  }
+  scoreBehavioralConsistency(agentId, fingerprinter, linker, store) {
+    const embedding = fingerprinter.computeEmbedding(agentId, store);
+    if (!embedding) {
+      return { score: 30, detail: "Insufficient data for embedding" };
+    }
+    const links = linker.getLinksForAgent(agentId);
+    const confirmedLinks = links.filter((l) => l.status === "confirmed");
+    if (confirmedLinks.length === 0 && links.length === 0) {
+      return { score: 50, detail: "Embedding computed, no links" };
+    }
+    let maxSimilarity = 0;
+    for (const link of confirmedLinks) {
+      const behavioralSignal = link.signals.find(
+        (s) => s.type === "behavioral-similarity"
+      );
+      if (behavioralSignal && behavioralSignal.strength > maxSimilarity) {
+        maxSimilarity = behavioralSignal.strength;
+      }
+    }
+    if (maxSimilarity > 0.9) {
+      return { score: 95, detail: `Confirmed link similarity: ${maxSimilarity.toFixed(2)}` };
+    }
+    if (maxSimilarity > 0.8) {
+      return { score: 85, detail: `Confirmed link similarity: ${maxSimilarity.toFixed(2)}` };
+    }
+    if (confirmedLinks.length > 0) {
+      return { score: 70, detail: `${confirmedLinks.length} confirmed link(s)` };
+    }
+    return { score: 50, detail: "Embedding computed, no confirmed links" };
+  }
+  scoreExternalEnrichment(agentId, registry) {
+    const identity = registry.get(agentId);
+    if (!identity) {
+      return { score: 50, detail: "Default (neutral), no identity" };
+    }
+    const riskLevels = identity.kycReferences.filter((r) => r.riskLevel).map((r) => r.riskLevel);
+    if (riskLevels.length === 0) {
+      return { score: 50, detail: "Default (neutral), no risk data" };
+    }
+    if (riskLevels.includes("high")) {
+      return { score: 20, detail: "High risk from external provider" };
+    }
+    if (riskLevels.includes("low")) {
+      return { score: 80, detail: "Low risk from external provider" };
+    }
+    return { score: 50, detail: "Medium risk from external provider" };
+  }
+  // --------------------------------------------------------------------------
+  // Helpers
+  // --------------------------------------------------------------------------
+  scoreToLevel(score) {
+    if (score >= 85) return "verified";
+    if (score >= 65) return "high";
+    if (score >= 40) return "medium";
+    if (score >= 20) return "low";
+    return "unknown";
+  }
+};
+
+// src/client.ts
+var PLAN_STORAGE_KEY = "kontext:plan";
+var Kontext = class _Kontext {
+  config;
+  store;
+  logger;
+  taskManager;
+  auditExporter;
+  mode;
+  planManager;
+  exporter;
+  featureFlagManager;
+  trustScorer;
+  anomalyDetector;
+  screeningAggregator;
+  walletMonitor = null;
+  provenanceManager = null;
+  identityRegistry = null;
+  walletClusterer = null;
+  behavioralFingerprinter = null;
+  crossSessionLinker = null;
+  confidenceScorer = null;
+  constructor(config) {
+    this.config = config;
+    this.mode = config.apiKey ? "cloud" : "local";
+    this.store = new KontextStore();
+    if (config.metadataSchema && typeof config.metadataSchema.parse !== "function") {
+      throw new KontextError(
+        "INITIALIZATION_ERROR" /* INITIALIZATION_ERROR */,
+        "metadataSchema must have a parse() method"
+      );
+    }
+    if (config.storage) {
+      this.store.setStorageAdapter(config.storage);
+    }
+    const planTier = config.plan ?? "free";
+    this.planManager = new PlanManager(planTier, void 0, config.seats ?? 1);
+    if (config.upgradeUrl) {
+      this.planManager.upgradeUrl = config.upgradeUrl;
+    }
+    this.exporter = config.exporter ?? new NoopExporter();
+    this.logger = new ActionLogger(config, this.store);
+    this.taskManager = new TaskManager(config, this.store);
+    this.auditExporter = new AuditExporter(config, this.store);
+    this.trustScorer = new TrustScorer(config, this.store);
+    this.anomalyDetector = new AnomalyDetector(config, this.store);
+    this.featureFlagManager = config.featureFlags ? new FeatureFlagManager(config.featureFlags) : null;
+    this.screeningAggregator = config.screening ? new ScreeningAggregator({
+      providers: config.screening.providers,
+      consensus: config.screening.consensus,
+      blocklist: config.screening.blocklist,
+      allowlist: config.screening.allowlist,
+      providerTimeoutMs: config.screening.providerTimeoutMs,
+      onEvent: () => this.planManager.recordEvent()
+    }) : null;
+    if (config.anomalyRules && config.anomalyRules.length > 0) {
+      const advancedRules = ["newDestination", "offHoursActivity", "rapidSuccession", "roundAmount"];
+      const hasAdvanced = config.anomalyRules.some((r) => advancedRules.includes(r));
+      if (hasAdvanced) {
+        requirePlan("advanced-anomaly-rules", planTier);
+      }
+      this.anomalyDetector.enableAnomalyDetection({
+        rules: config.anomalyRules,
+        thresholds: config.anomalyThresholds
+      });
+    }
+    if (config.walletMonitoring && config.walletMonitoring.wallets.length > 0) {
+      const tokens = config.policy?.allowedTokens;
+      this.walletMonitor = new WalletMonitor(
+        this,
+        config.walletMonitoring,
+        { agentId: config.agentId, tokens: tokens ?? void 0 }
+      );
+      this.walletMonitor.start().catch((err) => {
+        if (config.debug) {
+          console.debug(`[Kontext] Wallet monitor failed to start: ${err}`);
+        }
+      });
+    }
+  }
+  /**
+   * Initialize the Kontext SDK.
+   *
    * @param config - Configuration options
    * @returns Initialized Kontext client instance
    *
@@ -3291,6 +5720,29 @@ var Kontext = class _Kontext {
    * ```
    */
   static init(config) {
+    if (!config) {
+      const fileConfig = loadConfigFile();
+      if (!fileConfig) {
+        throw new KontextError(
+          "INITIALIZATION_ERROR" /* INITIALIZATION_ERROR */,
+          "No config provided and no kontext.config.json found. Run `npx kontext init` to create one, or pass config to Kontext.init()."
+        );
+      }
+      const mapped = {
+        projectId: fileConfig.projectId,
+        environment: fileConfig.environment ?? "production",
+        apiKey: fileConfig.apiKey,
+        agentId: fileConfig.agentId,
+        interceptorMode: fileConfig.mode,
+        policy: {
+          allowedTokens: fileConfig.tokens,
+          corridors: fileConfig.corridors?.from ? { blocked: fileConfig.corridors.to ? [{ from: fileConfig.corridors.from, to: fileConfig.corridors.to }] : void 0 } : void 0,
+          thresholds: fileConfig.thresholds ? { edd: fileConfig.thresholds.alertAmount ? Number(fileConfig.thresholds.alertAmount) : void 0 } : void 0
+        },
+        walletMonitoring: fileConfig.wallets && fileConfig.wallets.length > 0 && fileConfig.rpcEndpoints ? { wallets: fileConfig.wallets, rpcEndpoints: fileConfig.rpcEndpoints } : void 0
+      };
+      return _Kontext.init(mapped);
+    }
     if (!config.projectId || config.projectId.trim() === "") {
       throw new KontextError(
         "INITIALIZATION_ERROR" /* INITIALIZATION_ERROR */,
@@ -3348,6 +5800,147 @@ var Kontext = class _Kontext {
       );
     }
   }
+  /**
+   * Map aggregated screening results into UsdcComplianceCheck format.
+   * Produces the same check/riskLevel/recommendations shape as
+   * UsdcCompliance.checkTransaction() and PaymentCompliance.checkPayment().
+   */
+  buildComplianceFromScreening(input, fromResult, toResult) {
+    const checks = [];
+    const fromHit = fromResult.hit;
+    const fromProviders = fromResult.providerResults.filter((r) => r.hit).map((r) => r.providerId).join(", ");
+    checks.push({
+      name: "sanctions_sender",
+      passed: !fromHit,
+      description: fromHit ? `Sender flagged by: ${fromProviders}` : `Sender cleared (${fromResult.totalProviders} provider${fromResult.totalProviders !== 1 ? "s" : ""} checked)`,
+      severity: fromHit ? "critical" : "low"
+    });
+    const toHit = toResult.hit;
+    const toProviders = toResult.providerResults.filter((r) => r.hit).map((r) => r.providerId).join(", ");
+    checks.push({
+      name: "sanctions_recipient",
+      passed: !toHit,
+      description: toHit ? `Recipient flagged by: ${toProviders}` : `Recipient cleared (${toResult.totalProviders} provider${toResult.totalProviders !== 1 ? "s" : ""} checked)`,
+      severity: toHit ? "critical" : "low"
+    });
+    const allUncovered = [
+      .../* @__PURE__ */ new Set([...fromResult.uncoveredLists, ...toResult.uncoveredLists])
+    ];
+    if (allUncovered.length > 0) {
+      checks.push({
+        name: "jurisdiction_coverage",
+        passed: false,
+        description: `Required lists not covered: ${allUncovered.join(", ")}`,
+        severity: "medium"
+      });
+    }
+    const thresholds = this.config.policy?.thresholds;
+    const eddThreshold = thresholds?.edd ?? 3e3;
+    const reportingThreshold = thresholds?.reporting ?? 1e4;
+    const largeThreshold = thresholds?.largeTransaction ?? 5e4;
+    const amount = parseAmount(input.amount);
+    if (amount >= eddThreshold) {
+      checks.push({
+        name: "enhanced_due_diligence",
+        passed: false,
+        description: `Amount $${amount.toLocaleString()} meets EDD threshold ($${eddThreshold.toLocaleString()})`,
+        severity: "low"
+      });
+    }
+    if (amount >= reportingThreshold) {
+      checks.push({
+        name: "reporting_threshold",
+        passed: false,
+        description: `Amount $${amount.toLocaleString()} meets CTR threshold ($${reportingThreshold.toLocaleString()})`,
+        severity: "low"
+      });
+    }
+    if (amount >= largeThreshold) {
+      checks.push({
+        name: "large_transaction",
+        passed: false,
+        description: `Large transaction: $${amount.toLocaleString()} exceeds $${largeThreshold.toLocaleString()}`,
+        severity: "medium"
+      });
+    }
+    const allErrors = [...fromResult.errors, ...toResult.errors];
+    if (allErrors.length > 0) {
+      checks.push({
+        name: "screening_errors",
+        passed: false,
+        description: `Provider errors: ${allErrors.map((e) => `${e.providerId}: ${e.error}`).join("; ")}`,
+        severity: "medium"
+      });
+    }
+    const failedChecks = checks.filter((c) => !c.passed);
+    const compliant = failedChecks.every((c) => c.severity === "low");
+    const severityOrder = ["low", "medium", "high", "critical"];
+    const highestSeverity = failedChecks.reduce(
+      (max, c) => severityOrder.indexOf(c.severity) > severityOrder.indexOf(max) ? c.severity : max,
+      "low"
+    );
+    const recommendations = [];
+    if (fromHit || toHit) {
+      recommendations.push("Block transaction: sanctions match detected");
+    }
+    if (allUncovered.length > 0) {
+      recommendations.push(`Add providers covering: ${allUncovered.join(", ")}`);
+    }
+    if (amount >= eddThreshold && amount < reportingThreshold) {
+      recommendations.push("Collect enhanced due diligence information");
+    }
+    if (amount >= reportingThreshold) {
+      recommendations.push("File Currency Transaction Report (CTR)");
+    }
+    return {
+      compliant,
+      checks,
+      riskLevel: highestSeverity,
+      recommendations
+    };
+  }
+  /** Lazy-init ProvenanceManager on first use. */
+  getProvenanceManager() {
+    if (!this.provenanceManager) {
+      this.provenanceManager = new ProvenanceManager(this.store, this.logger);
+    }
+    return this.provenanceManager;
+  }
+  /** Lazy-init AgentIdentityRegistry on first use. */
+  getIdentityRegistry() {
+    if (!this.identityRegistry) {
+      this.identityRegistry = new AgentIdentityRegistry();
+    }
+    return this.identityRegistry;
+  }
+  /** Lazy-init WalletClusterer on first use. */
+  getWalletClusterer() {
+    if (!this.walletClusterer) {
+      this.walletClusterer = new WalletClusterer();
+    }
+    return this.walletClusterer;
+  }
+  /** Lazy-init BehavioralFingerprinter on first use. */
+  getBehavioralFingerprinter() {
+    if (!this.behavioralFingerprinter) {
+      this.behavioralFingerprinter = new BehavioralFingerprinter();
+    }
+    return this.behavioralFingerprinter;
+  }
+  /** Lazy-init CrossSessionLinker on first use. */
+  getCrossSessionLinker() {
+    if (!this.crossSessionLinker) {
+      this.crossSessionLinker = new CrossSessionLinker();
+    }
+    return this.crossSessionLinker;
+  }
+  /** Lazy-init KYAConfidenceScorer on first use. */
+  getConfidenceScorer() {
+    if (!this.confidenceScorer) {
+      this.confidenceScorer = new KYAConfidenceScorer();
+    }
+    return this.confidenceScorer;
+  }
   // --------------------------------------------------------------------------
   // Action Logging
   // --------------------------------------------------------------------------
@@ -3378,7 +5971,7 @@ var Kontext = class _Kontext {
    * @returns The created transaction record
    */
   async logTransaction(input) {
-    if (input.chain && input.chain !== "base") {
+    if (input.chain && input.chain !== "base" && input.chain !== "arc") {
       requirePlan("multi-chain", this.planManager.getTier());
     }
     this.validateMetadata(input.metadata);
@@ -3733,7 +6326,28 @@ var Kontext = class _Kontext {
    */
   async verify(input) {
     const transaction = await this.logTransaction(input);
-    const compliance = isCryptoTransaction(input) ? UsdcCompliance.checkTransaction(input) : PaymentCompliance.checkPayment(input);
+    let compliance;
+    if (this.screeningAggregator) {
+      const fromResult = await this.screeningAggregator.screen(input.from, {
+        chain: input.chain,
+        token: input.token,
+        currency: input.currency,
+        amount: input.amount,
+        agentId: input.agentId
+      });
+      const toResult = await this.screeningAggregator.screen(input.to, {
+        chain: input.chain,
+        token: input.token,
+        currency: input.currency,
+        amount: input.amount,
+        agentId: input.agentId
+      });
+      compliance = this.buildComplianceFromScreening(input, fromResult, toResult);
+    } else if (isCryptoTransaction(input)) {
+      compliance = UsdcCompliance.checkTransaction(input);
+    } else {
+      compliance = PaymentCompliance.checkPayment(input);
+    }
     let reasoningId;
     if (input.reasoning) {
       const entry = await this.logReasoning({
@@ -3755,6 +6369,29 @@ var Kontext = class _Kontext {
     const verification = this.verifyDigestChain();
     const chainLength = this.logger.getDigestChain().getChainLength();
     const terminalDigest = this.getTerminalDigest();
+    let anchorProof;
+    if (input.anchor) {
+      const { anchorDigest: anchorDigest2 } = await Promise.resolve().then(() => (init_onchain(), onchain_exports));
+      anchorProof = await anchorDigest2(input.anchor, terminalDigest, this.config.projectId);
+    }
+    let counterpartyResult;
+    if (input.counterparty) {
+      const { exchangeAttestation: exchangeAttestation2 } = await Promise.resolve().then(() => (init_attestation(), attestation_exports));
+      counterpartyResult = await exchangeAttestation2(input.counterparty, {
+        senderDigest: terminalDigest,
+        senderAgentId: input.agentId,
+        txHash: input.txHash,
+        chain: input.chain,
+        amount: input.amount,
+        token: input.token,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+    let attribution;
+    if (input.erc8021 && input.txHash) {
+      const { fetchTransactionAttribution: fetchTransactionAttribution2 } = await Promise.resolve().then(() => (init_erc8021(), erc8021_exports));
+      attribution = await fetchTransactionAttribution2(input.erc8021.rpcUrl, input.txHash) ?? void 0;
+    }
     let requiresApproval;
     let task;
     if (this.config.approvalThreshold) {
@@ -3796,7 +6433,10 @@ var Kontext = class _Kontext {
         valid: verification.valid
       },
       ...reasoningId ? { reasoningId } : {},
-      ...requiresApproval ? { requiresApproval, task } : {}
+      ...requiresApproval ? { requiresApproval, task } : {},
+      ...anchorProof ? { anchorProof } : {},
+      ...counterpartyResult ? { counterparty: counterpartyResult } : {},
+      ...attribution ? { attribution } : {}
     };
   }
   // --------------------------------------------------------------------------
@@ -3976,10 +6616,211 @@ var Kontext = class _Kontext {
       actions: actionSummary,
       reasoning: reasoningEntries
     };
-    const hash = createHash("sha256");
-    hash.update(JSON.stringify(certificateContent));
-    const contentHash = hash.digest("hex");
-    return { ...certificateContent, contentHash };
+    const hash = createHash("sha256");
+    hash.update(JSON.stringify(certificateContent));
+    const contentHash = hash.digest("hex");
+    return { ...certificateContent, contentHash };
+  }
+  // --------------------------------------------------------------------------
+  // Agent Provenance
+  // --------------------------------------------------------------------------
+  /**
+   * Create a delegated agent session. Records the delegation in the
+   * tamper-evident digest chain as the session's genesis event.
+   */
+  async createAgentSession(input) {
+    return this.getProvenanceManager().createSession(input);
+  }
+  /**
+   * Get an agent session by ID. Automatically marks expired sessions.
+   */
+  getAgentSession(sessionId) {
+    return this.getProvenanceManager().getSession(sessionId);
+  }
+  /**
+   * Get all agent sessions.
+   */
+  getAgentSessions() {
+    return this.getProvenanceManager().getSessions();
+  }
+  /**
+   * End an active agent session. Records the termination in the digest chain.
+   */
+  async endAgentSession(sessionId) {
+    return this.getProvenanceManager().endSession(sessionId);
+  }
+  /**
+   * Check whether an action is within a session's delegated scope.
+   */
+  validateSessionScope(sessionId, action) {
+    return this.getProvenanceManager().validateScope(sessionId, action);
+  }
+  /**
+   * Get all actions bound to a session (via sessionId on log/verify calls).
+   */
+  getSessionActions(sessionId) {
+    return this.store.getActionsBySession(sessionId);
+  }
+  /**
+   * Create a provenance checkpoint -- a review point where a human
+   * can attest to a batch of agent actions.
+   */
+  async createCheckpoint(input) {
+    return this.getProvenanceManager().createCheckpoint(input);
+  }
+  /**
+   * Attach an externally-produced human attestation to a checkpoint.
+   * The attestation includes a cryptographic signature that the agent
+   * never touches -- key separation is the critical security property.
+   */
+  async attachAttestation(checkpointId, attestation) {
+    return this.getProvenanceManager().attachAttestation(checkpointId, attestation);
+  }
+  /**
+   * Get a checkpoint by ID.
+   */
+  getCheckpoint(checkpointId) {
+    return this.getProvenanceManager().getCheckpoint(checkpointId);
+  }
+  /**
+   * Get all checkpoints, optionally filtered by session.
+   */
+  getCheckpoints(sessionId) {
+    return this.getProvenanceManager().getCheckpoints(sessionId);
+  }
+  /**
+   * Export the full provenance bundle for a session: session record,
+   * all bound actions, all checkpoints, and verification stats.
+   */
+  getProvenanceBundle(sessionId) {
+    return this.getProvenanceManager().getProvenanceBundle(sessionId);
+  }
+  // --------------------------------------------------------------------------
+  // Agent Forensics (KYA)
+  // --------------------------------------------------------------------------
+  /**
+   * Register a new agent identity with optional wallet mappings.
+   * Requires Pro plan.
+   */
+  registerAgentIdentity(input) {
+    requirePlan("kya-identity", this.planManager.getTier());
+    return this.getIdentityRegistry().register(input);
+  }
+  /**
+   * Get a registered agent identity by ID.
+   * Requires Pro plan.
+   */
+  getAgentIdentity(agentId) {
+    requirePlan("kya-identity", this.planManager.getTier());
+    return this.getIdentityRegistry().get(agentId);
+  }
+  /**
+   * Update an existing agent identity.
+   * Requires Pro plan.
+   */
+  updateAgentIdentity(agentId, input) {
+    requirePlan("kya-identity", this.planManager.getTier());
+    return this.getIdentityRegistry().update(agentId, input);
+  }
+  /**
+   * Remove an agent identity.
+   * Requires Pro plan.
+   */
+  removeAgentIdentity(agentId) {
+    requirePlan("kya-identity", this.planManager.getTier());
+    return this.getIdentityRegistry().remove(agentId);
+  }
+  /**
+   * Add a wallet to an existing agent identity.
+   * Requires Pro plan.
+   */
+  addAgentWallet(agentId, wallet) {
+    requirePlan("kya-identity", this.planManager.getTier());
+    return this.getIdentityRegistry().addWallet(agentId, wallet);
+  }
+  /**
+   * Look up which agent owns a wallet address.
+   * Requires Pro plan.
+   */
+  lookupAgentByWallet(address) {
+    requirePlan("kya-identity", this.planManager.getTier());
+    return this.getIdentityRegistry().lookupByWallet(address);
+  }
+  /**
+   * Compute wallet clusters from transaction patterns and declared identities.
+   * Requires Pro plan.
+   */
+  getWalletClusters() {
+    requirePlan("kya-identity", this.planManager.getTier());
+    const clusterer = this.getWalletClusterer();
+    clusterer.analyzeFromStore(this.store, this.getIdentityRegistry());
+    return clusterer.getClusters();
+  }
+  /**
+   * Export all KYA data as a single envelope.
+   * Requires Pro plan.
+   */
+  getKYAExport() {
+    requirePlan("kya-identity", this.planManager.getTier());
+    const registry = this.getIdentityRegistry();
+    const clusterer = this.getWalletClusterer();
+    clusterer.analyzeFromStore(this.store, registry);
+    return {
+      identities: registry.getAll(),
+      clusters: clusterer.getClusters(),
+      embeddings: [],
+      links: [],
+      scores: [],
+      generatedAt: now()
+    };
+  }
+  /**
+   * Compute a behavioral embedding for an agent from transaction history.
+   * Returns null if insufficient data. Requires Enterprise plan.
+   */
+  computeBehavioralEmbedding(agentId) {
+    requirePlan("kya-behavioral", this.planManager.getTier());
+    return this.getBehavioralFingerprinter().computeEmbedding(agentId, this.store);
+  }
+  /**
+   * Analyze all agents and create cross-session links.
+   * Requires Enterprise plan.
+   */
+  analyzeAgentLinks() {
+    requirePlan("kya-behavioral", this.planManager.getTier());
+    const clusterer = this.getWalletClusterer();
+    clusterer.analyzeFromStore(this.store, this.getIdentityRegistry());
+    return this.getCrossSessionLinker().analyzeAndLink(
+      this.store,
+      this.getIdentityRegistry(),
+      clusterer,
+      this.getBehavioralFingerprinter()
+    );
+  }
+  /**
+   * Get agents linked to a specific agent.
+   * Requires Enterprise plan.
+   */
+  getLinkedAgents(agentId) {
+    requirePlan("kya-behavioral", this.planManager.getTier());
+    return this.getCrossSessionLinker().getLinkedAgents(agentId);
+  }
+  /**
+   * Compute a composite identity confidence score for an agent.
+   * Requires Enterprise plan.
+   */
+  getKYAConfidenceScore(agentId) {
+    requirePlan("kya-behavioral", this.planManager.getTier());
+    const clusterer = this.getWalletClusterer();
+    clusterer.analyzeFromStore(this.store, this.getIdentityRegistry());
+    return this.getConfidenceScorer().computeScore(
+      agentId,
+      this.getIdentityRegistry(),
+      clusterer,
+      this.getBehavioralFingerprinter(),
+      this.getCrossSessionLinker(),
+      this.store
+    );
   }
   // --------------------------------------------------------------------------
   // Plan & Usage Metering
@@ -4082,9 +6923,20 @@ var Kontext = class _Kontext {
   // Lifecycle
   // --------------------------------------------------------------------------
   /**
-   * Gracefully shut down the SDK, flushing any pending data.
+   * Get the wallet monitor instance (or null if not configured).
+   * Used by the viem interceptor for dedup registration.
+   */
+  getWalletMonitor() {
+    return this.walletMonitor;
+  }
+  /**
+   * Gracefully shut down the SDK, flushing any pending data and stopping watchers.
    */
   async destroy() {
+    if (this.walletMonitor) {
+      this.walletMonitor.stop();
+      this.walletMonitor = null;
+    }
     await this.logger.destroy();
     await this.exporter.shutdown();
   }
@@ -4114,20 +6966,20 @@ var MemoryStorage = class {
 var FileStorage = class {
   baseDir;
   constructor(baseDir) {
-    this.baseDir = path4.resolve(baseDir);
+    this.baseDir = path5.resolve(baseDir);
   }
   async save(key, data) {
-    fs4.mkdirSync(this.baseDir, { recursive: true });
+    fs5.mkdirSync(this.baseDir, { recursive: true });
     const filePath = this.keyToPath(key);
-    const dir = path4.dirname(filePath);
-    fs4.mkdirSync(dir, { recursive: true });
-    fs4.writeFileSync(filePath, JSON.stringify(data, null, 2), "utf-8");
+    const dir = path5.dirname(filePath);
+    fs5.mkdirSync(dir, { recursive: true });
+    fs5.writeFileSync(filePath, JSON.stringify(data, null, 2), "utf-8");
   }
   async load(key) {
     const filePath = this.keyToPath(key);
-    if (!fs4.existsSync(filePath)) return null;
+    if (!fs5.existsSync(filePath)) return null;
     try {
-      const raw = fs4.readFileSync(filePath, "utf-8");
+      const raw = fs5.readFileSync(filePath, "utf-8");
       return JSON.parse(raw);
     } catch {
       return null;
@@ -4135,12 +6987,12 @@ var FileStorage = class {
   }
   async delete(key) {
     const filePath = this.keyToPath(key);
-    if (fs4.existsSync(filePath)) {
-      fs4.unlinkSync(filePath);
+    if (fs5.existsSync(filePath)) {
+      fs5.unlinkSync(filePath);
     }
   }
   async list(prefix) {
-    if (!fs4.existsSync(this.baseDir)) return [];
+    if (!fs5.existsSync(this.baseDir)) return [];
     return this.listRecursive(this.baseDir, prefix);
   }
   /** Get the base directory path. */
@@ -4152,18 +7004,18 @@ var FileStorage = class {
   // --------------------------------------------------------------------------
   keyToPath(key) {
     const safeName = key.replace(/[<>"|?*]/g, "_");
-    return path4.join(this.baseDir, `${safeName}.json`);
+    return path5.join(this.baseDir, `${safeName}.json`);
   }
   pathToKey(filePath) {
-    const relative2 = path4.relative(this.baseDir, filePath);
+    const relative2 = path5.relative(this.baseDir, filePath);
     return relative2.replace(/\.json$/, "");
   }
   listRecursive(dir, prefix) {
     const keys = [];
-    if (!fs4.existsSync(dir)) return keys;
-    const entries = fs4.readdirSync(dir, { withFileTypes: true });
+    if (!fs5.existsSync(dir)) return keys;
+    const entries = fs5.readdirSync(dir, { withFileTypes: true });
     for (const entry of entries) {
-      const fullPath = path4.join(dir, entry.name);
+      const fullPath = path5.join(dir, entry.name);
       if (entry.isDirectory()) {
         keys.push(...this.listRecursive(fullPath, prefix));
       } else if (entry.isFile() && entry.name.endsWith(".json")) {
@@ -4177,6 +7029,906 @@ var FileStorage = class {
   }
 };
 
-export { AnomalyDetector, ConsoleExporter, DigestChain, FeatureFlagManager, FileStorage, JsonFileExporter, Kontext, KontextError, KontextErrorCode, MemoryStorage, NoopExporter, PLAN_LIMITS, PaymentCompliance, PlanManager, TrustScorer, UsdcCompliance, isCryptoTransaction, isFeatureAvailable, requirePlan, verifyExportedChain };
+// src/index.ts
+init_onchain();
+init_erc8021();
+init_attestation();
+
+// src/integrations/provider-treasury-sdn.ts
+var ACTIVE_SET = new Set(
+  OFAC_SDN_ACTIVE_ADDRESSES.map((a) => a.toLowerCase())
+);
+var DELISTED_SET = new Set(
+  OFAC_SDN_DELISTED_ADDRESSES.map((a) => a.toLowerCase())
+);
+var ALL_SET = new Set(
+  OFAC_SDN_ADDRESSES.map((a) => a.toLowerCase())
+);
+var ORIGINAL_CASE = /* @__PURE__ */ new Map();
+for (const addr of OFAC_SDN_ADDRESSES) {
+  ORIGINAL_CASE.set(addr.toLowerCase(), addr);
+}
+var OFACAddressProvider = class {
+  id = "ofac-sdn-address";
+  name = "OFAC SDN Address Screener";
+  lists = ["OFAC_SDN"];
+  requiresApiKey = false;
+  browserCompatible = true;
+  queryTypes = ["address"];
+  async screen(query, _context) {
+    const start = Date.now();
+    const lower = query.toLowerCase();
+    const matches = [];
+    if (ACTIVE_SET.has(lower)) {
+      const originalAddr = ORIGINAL_CASE.get(lower) ?? query;
+      matches.push({
+        list: "OFAC_SDN",
+        matchType: "exact_address",
+        similarity: 1,
+        matchedValue: originalAddr,
+        entityStatus: "active",
+        program: "SDN"
+      });
+    } else if (DELISTED_SET.has(lower)) {
+      const originalAddr = ORIGINAL_CASE.get(lower) ?? query;
+      matches.push({
+        list: "OFAC_SDN",
+        matchType: "exact_address",
+        similarity: 1,
+        matchedValue: originalAddr,
+        entityStatus: "delisted",
+        program: "SDN_DELISTED"
+      });
+    }
+    const hasActiveHit = matches.some((m) => m.entityStatus === "active");
+    return {
+      providerId: this.id,
+      hit: hasActiveHit,
+      matches,
+      listsChecked: this.lists,
+      entriesSearched: ALL_SET.size,
+      durationMs: Date.now() - start
+    };
+  }
+  isAvailable() {
+    return true;
+  }
+  getEntryCount() {
+    return ALL_SET.size;
+  }
+};
+
+// src/integrations/provider-ofac-entity.ts
+var NAME_MATCH_THRESHOLD2 = 0.85;
+var MIN_MATCH_LENGTH = 4;
+var _screener2 = null;
+var _screenerLoaded2 = false;
+function getScreener2() {
+  if (!_screenerLoaded2) {
+    _screenerLoaded2 = true;
+    try {
+      const mod = __require("./ofac-sanctions.js");
+      if (mod.OFACSanctionsScreener) {
+        _screener2 = new mod.OFACSanctionsScreener();
+      }
+    } catch {
+    }
+  }
+  return _screener2;
+}
+var OFACEntityProvider = class {
+  id = "ofac-sdn-entity";
+  name = "OFAC SDN Entity Screener";
+  lists = ["OFAC_SDN"];
+  requiresApiKey = false;
+  browserCompatible = false;
+  queryTypes = ["entity_name"];
+  async screen(query, _context) {
+    const start = Date.now();
+    const screener = getScreener2();
+    if (!screener) {
+      return {
+        providerId: this.id,
+        hit: false,
+        matches: [],
+        listsChecked: this.lists,
+        entriesSearched: 0,
+        durationMs: Date.now() - start,
+        error: "OFACSanctionsScreener not available"
+      };
+    }
+    const rawMatches = screener.searchEntityName(query, NAME_MATCH_THRESHOLD2);
+    const filteredMatches = rawMatches.filter(
+      (m) => m.similarity >= NAME_MATCH_THRESHOLD2 && m.matchedOn.length >= MIN_MATCH_LENGTH
+    );
+    const matches = filteredMatches.map((m) => {
+      const isActive = m.entity.list !== "DELISTED";
+      return {
+        list: "OFAC_SDN",
+        matchType: m.similarity >= 0.99 ? "exact_address" : "fuzzy_name",
+        similarity: m.similarity,
+        matchedValue: m.matchedOn,
+        entityStatus: isActive ? "active" : "delisted",
+        entityName: m.entity.name,
+        program: m.entity.programs?.[0]
+      };
+    });
+    const hasActiveHit = matches.some((m) => m.entityStatus === "active");
+    return {
+      providerId: this.id,
+      hit: hasActiveHit,
+      matches,
+      listsChecked: this.lists,
+      entriesSearched: screener.getEntityCount?.() ?? 0,
+      durationMs: Date.now() - start
+    };
+  }
+  isAvailable() {
+    return getScreener2() !== null;
+  }
+  getEntryCount() {
+    const screener = getScreener2();
+    return screener?.getEntityCount?.() ?? 0;
+  }
+};
+
+// src/integrations/data/uk-ofsi-addresses.ts
+var UK_OFSI_ADDRESSES = [
+  // Garantex (designated under Russia sanctions regime, May 2024)
+  "0x6F1cA141A28907F78Ebaa64f83E4AE6038d3cbe7",
+  // Lazarus Group / DPRK (overlaps with OFAC SDN but independently listed by OFSI)
+  "0x098B716B8Aaf21512996dC57EB0615e2383E2f96",
+  "0xa0e1c89Ef1a489c9C7dE96311eD5Ce5D32c20E4B",
+  "0x3Cffd56B47B7b41c56258D9C7731ABaDc360E460",
+  "0x53b6936513e738f44FB50d2b9476730C0Ab3Bfc1",
+  // DPRK-linked addresses (OFSI cyber programme)
+  "0x7F367cC41522cE07553e823bf3be79A889DEbe1B",
+  "0x01e2919679362dFBC9ee1644Ba9C6da6D6245BB1"
+];
+
+// src/integrations/provider-uk-ofsi.ts
+var ADDRESS_SET = new Set(
+  UK_OFSI_ADDRESSES.map((a) => a.toLowerCase())
+);
+var ORIGINAL_CASE2 = /* @__PURE__ */ new Map();
+for (const addr of UK_OFSI_ADDRESSES) {
+  ORIGINAL_CASE2.set(addr.toLowerCase(), addr);
+}
+var UKOFSIProvider = class {
+  id = "uk-ofsi-address";
+  name = "UK OFSI Address Screener";
+  lists = ["UK_OFSI"];
+  requiresApiKey = false;
+  browserCompatible = true;
+  queryTypes = ["address"];
+  async screen(query, _context) {
+    const start = Date.now();
+    const lower = query.toLowerCase();
+    const matches = [];
+    if (ADDRESS_SET.has(lower)) {
+      const originalAddr = ORIGINAL_CASE2.get(lower) ?? query;
+      matches.push({
+        list: "UK_OFSI",
+        matchType: "exact_address",
+        similarity: 1,
+        matchedValue: originalAddr,
+        entityStatus: "active",
+        program: "OFSI_CONSOLIDATED"
+      });
+    }
+    return {
+      providerId: this.id,
+      hit: matches.length > 0,
+      matches,
+      listsChecked: this.lists,
+      entriesSearched: ADDRESS_SET.size,
+      durationMs: Date.now() - start
+    };
+  }
+  isAvailable() {
+    return true;
+  }
+  getEntryCount() {
+    return ADDRESS_SET.size;
+  }
+};
+
+// src/integrations/provider-opensanctions-local.ts
+var NAME_MATCH_THRESHOLD3 = 0.85;
+var MIN_MATCH_LENGTH2 = 4;
+var DEFAULT_DATA_DIR = ".kontext/sanctions";
+function trigramSimilarity(a, b) {
+  const aNorm = a.toLowerCase().trim();
+  const bNorm = b.toLowerCase().trim();
+  if (aNorm === bNorm) return 1;
+  if (aNorm.length < 2 || bNorm.length < 2) return 0;
+  const trigramsA = /* @__PURE__ */ new Set();
+  const trigramsB = /* @__PURE__ */ new Set();
+  for (let i = 0; i <= aNorm.length - 3; i++) {
+    trigramsA.add(aNorm.slice(i, i + 3));
+  }
+  for (let i = 0; i <= bNorm.length - 3; i++) {
+    trigramsB.add(bNorm.slice(i, i + 3));
+  }
+  if (trigramsA.size === 0 || trigramsB.size === 0) return 0;
+  let intersection = 0;
+  for (const t of trigramsA) {
+    if (trigramsB.has(t)) intersection++;
+  }
+  return 2 * intersection / (trigramsA.size + trigramsB.size);
+}
+var OpenSanctionsLocalProvider = class {
+  id = "opensanctions-local";
+  name = "OpenSanctions (Local Data)";
+  lists = ["OPENSANCTIONS"];
+  requiresApiKey = false;
+  browserCompatible = false;
+  queryTypes = ["both"];
+  dataDir;
+  entities = [];
+  addressSet = /* @__PURE__ */ new Set();
+  addressToEntity = /* @__PURE__ */ new Map();
+  loaded = false;
+  constructor(dataDir) {
+    this.dataDir = dataDir ?? this.resolveDataDir();
+  }
+  async screen(query, _context) {
+    const start = Date.now();
+    if (!this.loaded) {
+      this.loadData();
+    }
+    if (this.entities.length === 0) {
+      return {
+        providerId: this.id,
+        hit: false,
+        matches: [],
+        listsChecked: this.lists,
+        entriesSearched: 0,
+        durationMs: Date.now() - start,
+        error: "No local OpenSanctions data. Run: kontext sync --lists default"
+      };
+    }
+    const matches = isBlockchainAddress(query) ? this.screenAddress(query) : this.screenEntityName(query);
+    const hasActiveHit = matches.some((m) => m.entityStatus === "active");
+    return {
+      providerId: this.id,
+      hit: hasActiveHit,
+      matches,
+      listsChecked: this.lists,
+      entriesSearched: this.entities.length,
+      durationMs: Date.now() - start
+    };
+  }
+  isAvailable() {
+    if (!this.loaded) {
+      this.loadData();
+    }
+    return this.entities.length > 0;
+  }
+  getEntryCount() {
+    if (!this.loaded) {
+      this.loadData();
+    }
+    return this.entities.length;
+  }
+  async sync() {
+    this.loaded = false;
+    this.loadData();
+    return { updated: true, count: this.entities.length };
+  }
+  // --------------------------------------------------------------------------
+  // Private
+  // --------------------------------------------------------------------------
+  screenAddress(address) {
+    const lower = address.toLowerCase();
+    const entity = this.addressToEntity.get(lower);
+    if (!entity) return [];
+    const entityStatus = this.getEntityStatus(entity);
+    return [
+      {
+        list: "OPENSANCTIONS",
+        matchType: "exact_address",
+        similarity: 1,
+        matchedValue: address,
+        entityStatus,
+        entityName: entity.caption,
+        program: entity.datasets.join(", ")
+      }
+    ];
+  }
+  screenEntityName(query) {
+    const matches = [];
+    const queryLower = query.toLowerCase().trim();
+    for (const entity of this.entities) {
+      const captionSim = trigramSimilarity(queryLower, entity.caption);
+      if (captionSim >= NAME_MATCH_THRESHOLD3 && entity.caption.length >= MIN_MATCH_LENGTH2) {
+        matches.push(this.entityToMatch(entity, entity.caption, captionSim));
+        continue;
+      }
+      const aliases = entity.properties["alias"] ?? [];
+      for (const alias of aliases) {
+        const aliasSim = trigramSimilarity(queryLower, alias);
+        if (aliasSim >= NAME_MATCH_THRESHOLD3 && alias.length >= MIN_MATCH_LENGTH2) {
+          matches.push(this.entityToMatch(entity, alias, aliasSim));
+          break;
+        }
+      }
+    }
+    matches.sort((a, b) => b.similarity - a.similarity);
+    return matches.slice(0, 5);
+  }
+  entityToMatch(entity, matchedValue, similarity) {
+    return {
+      list: "OPENSANCTIONS",
+      matchType: similarity >= 0.99 ? "exact_address" : "fuzzy_name",
+      similarity,
+      matchedValue,
+      entityStatus: this.getEntityStatus(entity),
+      entityName: entity.caption,
+      program: entity.datasets.join(", ")
+    };
+  }
+  getEntityStatus(entity) {
+    return "active";
+  }
+  loadData() {
+    this.loaded = true;
+    this.entities = [];
+    this.addressSet.clear();
+    this.addressToEntity.clear();
+    try {
+      const fs6 = __require("fs");
+      const pathMod = __require("path");
+      const dataPath = pathMod.resolve(this.dataDir);
+      if (!fs6.existsSync(dataPath)) return;
+      const files = fs6.readdirSync(dataPath).filter(
+        (f) => f.endsWith(".json")
+      );
+      for (const file of files) {
+        const filePath = pathMod.join(dataPath, file);
+        const content = fs6.readFileSync(filePath, "utf-8");
+        const lines = content.split("\n").filter((l) => l.trim());
+        for (const line of lines) {
+          try {
+            const entity = JSON.parse(line);
+            this.entities.push(entity);
+            const addresses = entity.properties["cryptoAddress"] ?? [];
+            for (const addr of addresses) {
+              const lower = addr.toLowerCase();
+              this.addressSet.add(lower);
+              this.addressToEntity.set(lower, entity);
+            }
+          } catch {
+          }
+        }
+      }
+    } catch {
+    }
+  }
+  resolveDataDir() {
+    try {
+      const os = __require("os");
+      const pathMod = __require("path");
+      return pathMod.join(os.homedir(), DEFAULT_DATA_DIR);
+    } catch {
+      return DEFAULT_DATA_DIR;
+    }
+  }
+};
+
+// src/integrations/provider-apis.ts
+var OpenSanctionsProvider = class {
+  id = "opensanctions-api";
+  name = "OpenSanctions (API)";
+  lists = ["OPENSANCTIONS"];
+  requiresApiKey = true;
+  browserCompatible = false;
+  queryTypes = ["both"];
+  apiKey;
+  baseUrl;
+  dataset;
+  constructor(config) {
+    this.apiKey = config.apiKey;
+    this.baseUrl = config.baseUrl ?? "https://api.opensanctions.org";
+    this.dataset = config.dataset ?? "default";
+  }
+  async screen(query, _context) {
+    const start = Date.now();
+    const isAddr = isBlockchainAddress(query);
+    const schema = isAddr ? "CryptoWallet" : "LegalEntity";
+    const properties = isAddr ? { cryptoAddress: [query] } : { name: [query] };
+    const body = {
+      queries: {
+        q: {
+          schema,
+          properties
+        }
+      }
+    };
+    try {
+      const response = await fetch(
+        `${this.baseUrl}/match/${this.dataset}`,
+        {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            "Authorization": `ApiKey ${this.apiKey}`
+          },
+          body: JSON.stringify(body)
+        }
+      );
+      if (!response.ok) {
+        return {
+          providerId: this.id,
+          hit: false,
+          matches: [],
+          listsChecked: this.lists,
+          entriesSearched: 0,
+          durationMs: Date.now() - start,
+          error: `OpenSanctions API error: ${response.status} ${response.statusText}`
+        };
+      }
+      const data = await response.json();
+      const queryResult = data.responses?.["q"];
+      if (!queryResult) {
+        return {
+          providerId: this.id,
+          hit: false,
+          matches: [],
+          listsChecked: this.lists,
+          entriesSearched: 0,
+          durationMs: Date.now() - start
+        };
+      }
+      const matches = queryResult.results.filter((r) => r.match && r.score >= 0.7).map((r) => ({
+        list: "OPENSANCTIONS",
+        matchType: r.score >= 0.99 ? "exact_address" : "fuzzy_name",
+        similarity: r.score,
+        matchedValue: r.caption,
+        entityStatus: "active",
+        entityName: r.caption,
+        program: r.datasets.join(", ")
+      }));
+      const hasActiveHit = matches.some((m) => m.entityStatus === "active");
+      return {
+        providerId: this.id,
+        hit: hasActiveHit,
+        matches,
+        listsChecked: this.lists,
+        entriesSearched: queryResult.total?.value ?? 0,
+        durationMs: Date.now() - start
+      };
+    } catch (err) {
+      return {
+        providerId: this.id,
+        hit: false,
+        matches: [],
+        listsChecked: this.lists,
+        entriesSearched: 0,
+        durationMs: Date.now() - start,
+        error: `OpenSanctions API error: ${err instanceof Error ? err.message : String(err)}`
+      };
+    }
+  }
+  isAvailable() {
+    return !!this.apiKey;
+  }
+};
+var ChainalysisFreeAPIProvider = class {
+  id = "chainalysis-free-api";
+  name = "Chainalysis Free API";
+  lists = ["CHAINALYSIS"];
+  requiresApiKey = true;
+  browserCompatible = false;
+  queryTypes = ["address"];
+  apiKey;
+  baseUrl;
+  constructor(config) {
+    this.apiKey = config.apiKey;
+    this.baseUrl = config.baseUrl ?? "https://public.chainalysis.com/api/v1";
+  }
+  async screen(query, _context) {
+    const start = Date.now();
+    try {
+      const response = await fetch(
+        `${this.baseUrl}/address/${query}`,
+        {
+          method: "GET",
+          headers: {
+            "X-API-Key": this.apiKey,
+            "Accept": "application/json"
+          }
+        }
+      );
+      if (!response.ok) {
+        return {
+          providerId: this.id,
+          hit: false,
+          matches: [],
+          listsChecked: this.lists,
+          entriesSearched: 0,
+          durationMs: Date.now() - start,
+          error: `Chainalysis API error: ${response.status} ${response.statusText}`
+        };
+      }
+      const data = await response.json();
+      const identifications = data.identifications ?? [];
+      const matches = identifications.map((id) => ({
+        list: "CHAINALYSIS",
+        matchType: "exact_address",
+        similarity: 1,
+        matchedValue: query,
+        entityStatus: "active",
+        entityName: id.name,
+        program: id.category
+      }));
+      return {
+        providerId: this.id,
+        hit: matches.length > 0,
+        matches,
+        listsChecked: this.lists,
+        entriesSearched: 1,
+        durationMs: Date.now() - start
+      };
+    } catch (err) {
+      return {
+        providerId: this.id,
+        hit: false,
+        matches: [],
+        listsChecked: this.lists,
+        entriesSearched: 0,
+        durationMs: Date.now() - start,
+        error: `Chainalysis API error: ${err instanceof Error ? err.message : String(err)}`
+      };
+    }
+  }
+  isAvailable() {
+    return !!this.apiKey;
+  }
+};
+
+// src/integrations/provider-ofac.ts
+var ORACLE_CONTRACT = "0x40C57923924B5c5c5455c48D93317139ADDaC8fb";
+var IS_SANCTIONED_SELECTOR = "0xdfb80831";
+var ChainalysisOracleProvider = class {
+  id = "chainalysis-oracle";
+  name = "Chainalysis OFAC Oracle";
+  lists = ["OFAC_SDN", "CHAINALYSIS"];
+  requiresApiKey = true;
+  browserCompatible = false;
+  queryTypes = ["address"];
+  apiKey;
+  rpcUrl;
+  apiBaseUrl;
+  constructor(config) {
+    this.apiKey = config.apiKey;
+    this.rpcUrl = config.rpcUrl;
+    this.apiBaseUrl = config.apiBaseUrl ?? "https://public.chainalysis.com/api/v1";
+  }
+  async screen(query, _context) {
+    const start = Date.now();
+    if (this.rpcUrl) {
+      return this.screenOnChain(query, start);
+    }
+    if (this.apiKey) {
+      return this.screenApi(query, start);
+    }
+    return {
+      providerId: this.id,
+      hit: false,
+      matches: [],
+      listsChecked: this.lists,
+      entriesSearched: 0,
+      durationMs: Date.now() - start,
+      error: "No API key or RPC URL configured"
+    };
+  }
+  isAvailable() {
+    return !!(this.apiKey || this.rpcUrl);
+  }
+  // --------------------------------------------------------------------------
+  // On-chain oracle query
+  // --------------------------------------------------------------------------
+  async screenOnChain(address, start) {
+    try {
+      const paddedAddress = address.toLowerCase().replace("0x", "").padStart(64, "0");
+      const callData = IS_SANCTIONED_SELECTOR + paddedAddress;
+      const response = await fetch(this.rpcUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          jsonrpc: "2.0",
+          id: 1,
+          method: "eth_call",
+          params: [
+            { to: ORACLE_CONTRACT, data: callData },
+            "latest"
+          ]
+        })
+      });
+      if (!response.ok) {
+        return this.errorResult(start, `RPC error: ${response.status}`);
+      }
+      const data = await response.json();
+      if (data.error) {
+        return this.errorResult(start, `RPC error: ${data.error.message}`);
+      }
+      const isSanctioned = data.result ? parseInt(data.result.slice(-2), 16) === 1 : false;
+      const matches = isSanctioned ? [{
+        list: "OFAC_SDN",
+        matchType: "exact_address",
+        similarity: 1,
+        matchedValue: address,
+        entityStatus: "active",
+        program: "CHAINALYSIS_ORACLE"
+      }] : [];
+      return {
+        providerId: this.id,
+        hit: isSanctioned,
+        matches,
+        listsChecked: this.lists,
+        entriesSearched: 1,
+        durationMs: Date.now() - start
+      };
+    } catch (err) {
+      return this.errorResult(
+        start,
+        `Oracle query failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  // --------------------------------------------------------------------------
+  // REST API query
+  // --------------------------------------------------------------------------
+  async screenApi(address, start) {
+    try {
+      const response = await fetch(
+        `${this.apiBaseUrl}/address/${address}`,
+        {
+          method: "GET",
+          headers: {
+            "X-API-Key": this.apiKey,
+            "Accept": "application/json"
+          }
+        }
+      );
+      if (!response.ok) {
+        return this.errorResult(
+          start,
+          `Chainalysis API error: ${response.status} ${response.statusText}`
+        );
+      }
+      const data = await response.json();
+      const identifications = data.identifications ?? [];
+      const matches = identifications.map((id) => ({
+        list: "OFAC_SDN",
+        matchType: "exact_address",
+        similarity: 1,
+        matchedValue: address,
+        entityStatus: "active",
+        entityName: id.name,
+        program: id.category
+      }));
+      return {
+        providerId: this.id,
+        hit: matches.length > 0,
+        matches,
+        listsChecked: this.lists,
+        entriesSearched: 1,
+        durationMs: Date.now() - start
+      };
+    } catch (err) {
+      return this.errorResult(
+        start,
+        `Chainalysis API error: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  errorResult(start, error) {
+    return {
+      providerId: this.id,
+      hit: false,
+      matches: [],
+      listsChecked: this.lists,
+      entriesSearched: 0,
+      durationMs: Date.now() - start,
+      error
+    };
+  }
+};
+
+// src/integrations/viem-interceptor.ts
+var ViemComplianceError = class extends Error {
+  result;
+  from;
+  to;
+  amount;
+  constructor(message, result, details) {
+    super(message);
+    this.name = "ViemComplianceError";
+    this.result = result;
+    this.from = details.from;
+    this.to = details.to;
+    this.amount = details.amount;
+  }
+};
+function withKontextCompliance(client, kontext, options) {
+  const config = kontext.getConfig();
+  const agentId = options?.agentId ?? config.agentId ?? "viem-agent";
+  const mode = options?.mode ?? config.interceptorMode ?? "post-send";
+  const sessionId = options?.sessionId;
+  const metadata = options?.metadata;
+  const onVerify = options?.onVerify;
+  const onError = options?.onError;
+  const allowedTokens = options?.tokens ? new Set(options.tokens) : config.policy?.allowedTokens ? new Set(config.policy.allowedTokens) : null;
+  const allowedChains = options?.chains ? new Set(options.chains) : null;
+  const allowedContracts = /* @__PURE__ */ new Set();
+  for (const [address, info] of Object.entries(STABLECOIN_CONTRACTS)) {
+    if (allowedTokens && !allowedTokens.has(info.token)) continue;
+    if (allowedChains && !allowedChains.has(info.chain)) continue;
+    allowedContracts.add(address);
+  }
+  const monitor = kontext.getWalletMonitor?.() ?? null;
+  return client.extend((baseClient) => ({
+    async sendTransaction(params) {
+      const target = params.to?.toLowerCase();
+      if (!target || !allowedContracts.has(target)) {
+        return baseClient.sendTransaction(params);
+      }
+      const decoded = params.data ? decodeTransferCalldata(params.data) : null;
+      if (!decoded) {
+        return baseClient.sendTransaction(params);
+      }
+      const contractInfo = STABLECOIN_CONTRACTS[target];
+      const verifyInput = buildVerifyInput(
+        decoded,
+        contractInfo,
+        params,
+        baseClient,
+        agentId,
+        sessionId,
+        metadata
+      );
+      if (mode === "pre-send" || mode === "both") {
+        await runPreSendScreen(kontext, verifyInput);
+      }
+      const txHash = await baseClient.sendTransaction(params);
+      if (mode === "post-send" || mode === "both") {
+        monitor?.markVerified(txHash);
+        runPostSendVerify(kontext, { ...verifyInput, txHash }, txHash, onVerify, onError);
+      }
+      return txHash;
+    },
+    async writeContract(params) {
+      if (!baseClient.writeContract) {
+        throw new Error("writeContract not available on this client");
+      }
+      const target = params.address?.toLowerCase();
+      if (!target || !allowedContracts.has(target)) {
+        return baseClient.writeContract(params);
+      }
+      const fn = params.functionName;
+      if (fn !== "transfer" && fn !== "transferFrom") {
+        return baseClient.writeContract(params);
+      }
+      const decoded = decodeWriteContractArgs(fn, params.args);
+      if (!decoded) {
+        return baseClient.writeContract(params);
+      }
+      const contractInfo = STABLECOIN_CONTRACTS[target];
+      const verifyInput = buildVerifyInput(
+        decoded,
+        contractInfo,
+        params,
+        baseClient,
+        agentId,
+        sessionId,
+        metadata
+      );
+      if (mode === "pre-send" || mode === "both") {
+        await runPreSendScreen(kontext, verifyInput);
+      }
+      const txHash = await baseClient.writeContract(params);
+      if (mode === "post-send" || mode === "both") {
+        monitor?.markVerified(txHash);
+        runPostSendVerify(kontext, { ...verifyInput, txHash }, txHash, onVerify, onError);
+      }
+      return txHash;
+    }
+  }));
+}
+function buildVerifyInput(decoded, contractInfo, params, client, agentId, sessionId, metadata) {
+  const chain = client.chain?.id ? CHAIN_ID_MAP[client.chain.id] ?? contractInfo.chain : contractInfo.chain;
+  const from = (decoded.from ?? params.account?.address ?? client.account?.address ?? params.from ?? "").toLowerCase();
+  return {
+    txHash: "",
+    chain,
+    amount: formatTokenAmount2(decoded.amount, contractInfo.decimals),
+    token: contractInfo.token,
+    from,
+    to: decoded.to.toLowerCase(),
+    agentId,
+    sessionId,
+    metadata: {
+      ...metadata,
+      source: "viem-auto-instrumentation",
+      contractAddress: params.to ?? params.address
+    }
+  };
+}
+function runPostSendVerify(kontext, input, txHash, onVerify, onError) {
+  kontext.verify(input).then(
+    (result) => {
+      if (onVerify) {
+        try {
+          const p = onVerify(result, txHash);
+          if (p && typeof p.catch === "function") {
+            p.catch(() => {
+            });
+          }
+        } catch {
+        }
+      }
+    },
+    (error) => {
+      if (onError) {
+        try {
+          const p = onError(error, txHash);
+          if (p && typeof p.catch === "function") {
+            p.catch(() => {
+            });
+          }
+        } catch {
+        }
+      }
+    }
+  );
+}
+async function runPreSendScreen(kontext, input) {
+  const result = await kontext.verify({ ...input, txHash: "pre-screening" });
+  if (!result.compliant) {
+    throw new ViemComplianceError(
+      `Transaction blocked: ${result.recommendations?.[0] ?? "compliance check failed"}`,
+      result,
+      { from: input.from, to: input.to, amount: input.amount }
+    );
+  }
+}
+function decodeTransferCalldata(data) {
+  if (!data || data.length < 10) return null;
+  const selector = data.slice(0, 10).toLowerCase();
+  if (selector === TRANSFER_SELECTOR && data.length >= 138) {
+    const to = "0x" + data.slice(34, 74);
+    const amount = BigInt("0x" + data.slice(74, 138));
+    return { to, amount };
+  }
+  if (selector === TRANSFER_FROM_SELECTOR && data.length >= 202) {
+    const from = "0x" + data.slice(34, 74);
+    const to = "0x" + data.slice(98, 138);
+    const amount = BigInt("0x" + data.slice(138, 202));
+    return { from, to, amount };
+  }
+  return null;
+}
+function decodeWriteContractArgs(functionName, args) {
+  if (!args || !Array.isArray(args)) return null;
+  if (functionName === "transfer" && args.length >= 2) {
+    return { to: String(args[0]), amount: BigInt(args[1]) };
+  }
+  if (functionName === "transferFrom" && args.length >= 3) {
+    return { from: String(args[0]), to: String(args[1]), amount: BigInt(args[2]) };
+  }
+  return null;
+}
+function formatTokenAmount2(amount, decimals) {
+  const divisor = BigInt(10 ** decimals);
+  const whole = amount / divisor;
+  const fraction = amount % divisor;
+  if (fraction === 0n) return whole.toString();
+  const fractionStr = fraction.toString().padStart(decimals, "0").replace(/0+$/, "");
+  return `${whole}.${fractionStr}`;
+}
+
+export { AgentIdentityRegistry, AnomalyDetector, BehavioralFingerprinter, CHAIN_ID_MAP, CURRENCY_REQUIRED_LISTS, ChainalysisFreeAPIProvider, ChainalysisOracleProvider, ConsoleExporter, CrossSessionLinker, DigestChain, FeatureFlagManager, FileStorage, JsonFileExporter, KONTEXT_BUILDER_CODE, KYAConfidenceScorer, Kontext, KontextError, KontextErrorCode, MemoryStorage, NoopExporter, OFACAddressProvider, OFACEntityProvider, OnChainExporter, OpenSanctionsLocalProvider, OpenSanctionsProvider, PLAN_LIMITS, PaymentCompliance, PlanManager, ProvenanceManager, STABLECOIN_CONTRACTS, ScreeningAggregator, TOKEN_REQUIRED_LISTS, TrustScorer, UKOFSIProvider, UsdcCompliance, ViemComplianceError, WalletClusterer, WalletMonitor, anchorDigest, encodeERC8021Suffix, exchangeAttestation, fetchAgentCard, fetchTransactionAttribution, getAnchor, getRequiredLists, isBlockchainAddress, isCryptoTransaction, isFeatureAvailable, loadConfigFile, parseERC8021Suffix, providerSupportsQuery, requirePlan, verifyAnchor, verifyExportedChain, withKontextCompliance };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map