payid 0.3.2 → 0.3.3

package/dist/index.js

@@ -1,202 +1,41 @@
-// src/evaluate.ts
-import { executeRule } from "payid-rule-engine";
-
-// src/normalize.ts
-function normalizeContext(ctx) {
-  return {
-    ...ctx,
-    tx: {
-      ...ctx.tx,
-      sender: ctx.tx.sender?.toLowerCase(),
-      receiver: ctx.tx.receiver?.toLowerCase(),
-      asset: ctx.tx.asset.toUpperCase()
-    }
-  };
-}
-
-// src/evaluate.ts
-import { preprocessContextV2 } from "payid-rule-engine";
-async function evaluate(wasmBinary, context, ruleConfig, options) {
-  if (!context || typeof context !== "object") {
-    throw new Error("evaluate(): context is required");
-  }
-  if (!context.tx) {
-    throw new Error("evaluate(): context.tx is required");
-  }
-  if (!ruleConfig || typeof ruleConfig !== "object") {
-    throw new Error("evaluate(): ruleConfig is required");
-  }
-  let result;
-  try {
-    const preparedContext = options?.trustedIssuers ? preprocessContextV2(context, ruleConfig, options.trustedIssuers) : context;
-    const normalized = normalizeContext(preparedContext);
-    result = await executeRule(wasmBinary, normalized, ruleConfig);
-  } catch (err) {
-    return {
-      decision: "REJECT",
-      code: "CONTEXT_OR_ENGINE_ERROR",
-      reason: err?.message ?? "rule evaluation failed"
-    };
-  }
-  if (result.decision !== "ALLOW" && result.decision !== "REJECT") {
-    return {
-      decision: "REJECT",
-      code: "INVALID_ENGINE_OUTPUT",
-      reason: "invalid decision value"
-    };
-  }
-  return {
-    decision: result.decision,
-    code: result.code || "UNKNOWN",
-    reason: result.reason
-  };
-}
-
-// src/decision-proof/generate.ts
-import { randomBytes } from "crypto";
-
-// src/decision-proof/hash.ts
-import { keccak256 } from "ethers";
-function stableStringify(obj) {
-  if (Array.isArray(obj)) {
-    return `[${obj.map(stableStringify).join(",")}]`;
-  }
-  if (obj && typeof obj === "object") {
-    return `{${Object.keys(obj).sort().map(
-      (k) => `"${k}":${stableStringify(obj[k])}`
-    ).join(",")}}`;
-  }
-  return JSON.stringify(obj);
-}
-function hashContext(context) {
-  return keccak256(Buffer.from(stableStringify(context)));
-}
-function hashRuleSet(ruleConfig) {
-  return keccak256(Buffer.from(stableStringify(ruleConfig)));
-}
-
-// src/decision-proof/sign.ts
-import "ethers";
-async function signDecision(signer, chainId, verifyingContract, payload) {
-  const domain = {
-    name: "PAY.ID Decision",
-    version: "1",
-    chainId,
-    verifyingContract
-  };
-  const types = {
-    Decision: [
-      { name: "version", type: "string" },
-      { name: "payId", type: "string" },
-      { name: "owner", type: "address" },
-      { name: "decision", type: "uint8" },
-      { name: "contextHash", type: "bytes32" },
-      { name: "ruleSetHash", type: "bytes32" },
-      { name: "issuedAt", type: "uint64" },
-      { name: "expiresAt", type: "uint64" },
-      { name: "nonce", type: "bytes32" }
-    ]
-  };
-  if (typeof signer.signTypedData === "function") {
-    return await signer.signTypedData(domain, types, payload);
-  }
-  if (typeof signer._signTypedData === "function") {
-    return await signer._signTypedData(domain, types, payload);
-  }
-  throw new Error(
-    "Signer does not support EIP-712 signing (signTypedData)"
-  );
-}
-
-// src/decision-proof/generate.ts
-import "ethers";
-async function generateDecisionProof(params) {
-  const issuedAt = Math.floor(Date.now() / 1e3);
-  const expiresAt = issuedAt + (params.ttlSeconds ?? 60);
-  const payload = {
-    version: "payid.decision.v1",
-    payId: params.payId,
-    owner: params.owner,
-    decision: params.decision === "ALLOW" ? 1 : 0,
-    contextHash: hashContext(params.context),
-    ruleSetHash: hashRuleSet(params.ruleConfig),
-    issuedAt,
-    expiresAt,
-    nonce: `0x${randomBytes(32).toString("hex")}`
-  };
-  const signature = await signDecision(
-    params.signer,
-    params.chainId,
-    params.verifyingContract,
-    payload
-  );
-  return { payload, signature };
-}
-
-// src/resolver/utils.ts
-import { keccak256 as keccak2562 } from "ethers";
-function verifyHash(content, expectedHash) {
-  if (!expectedHash) return;
-  const actual = keccak2562(Buffer.from(content));
-  if (actual !== expectedHash) {
-    throw new Error("RULE_HASH_MISMATCH");
-  }
-}
-
-// src/resolver/http.ts
-async function resolveHttpRule(uri, expectedHash) {
-  const res = await fetch(uri);
-  if (!res.ok) {
-    throw new Error(`HTTP_RULE_FETCH_FAILED: ${res.status}`);
-  }
-  const text = await res.text();
-  verifyHash(text, expectedHash);
-  return JSON.parse(text);
-}
-
-// src/resolver/ipfs.ts
-var DEFAULT_GATEWAY = "https://ipfs.io/ipfs/";
-async function resolveIpfsRule(uri, expectedHash, gateway = DEFAULT_GATEWAY) {
-  const cid = uri.replace("ipfs://", "");
-  const url = `${gateway}${cid}`;
-  const res = await fetch(url);
-  if (!res.ok) {
-    throw new Error(`IPFS_RULE_FETCH_FAILED: ${res.status}`);
-  }
-  const text = await res.text();
-  verifyHash(text, expectedHash);
-  return JSON.parse(text);
-}
-
-// src/resolver/resolver.ts
-async function resolveRule(source) {
-  const { uri, hash } = source;
-  let config;
-  if (uri.startsWith("ipfs://")) {
-    config = await resolveIpfsRule(uri, hash);
-  } else if (uri.startsWith("http://") || uri.startsWith("https://")) {
-    config = await resolveHttpRule(uri, hash);
-  } else {
-    throw new Error("UNSUPPORTED_RULE_URI");
-  }
-  return {
-    config,
-    source
-  };
-}
-
-// src/payid.ts
-import "ethers";
-import * as fs from "fs";
+import {
+  context_exports
+} from "./chunk-RCXMRX4F.js";
+import {
+  issuer_exports
+} from "./chunk-AOKLY2QN.js";
+import "./chunk-7U3P7XJE.js";
+import {
+  rule_exports
+} from "./chunk-JRVCGSKK.js";
+import {
+  sessionPolicy_exports
+} from "./chunk-ATWJEWZH.js";
+import {
+  client_exports
+} from "./chunk-XWOB3JVE.js";
+import "./chunk-QYH3FNQ4.js";
+import "./chunk-MXKZJKXE.js";
+import "./chunk-JJEWYFOV.js";
+import {
+  server_exports
+} from "./chunk-FIMJNWJ3.js";
+import {
+  evaluate,
+  generateDecisionProof,
+  resolveRule
+} from "./chunk-4MPVXPLM.js";
+import "./chunk-5ZEKI5Y2.js";
+import "./chunk-R5U7XKVJ.js";
 
 // src/erc4337/build.ts
-import { ethers as ethers3 } from "ethers";
+import { ethers } from "ethers";
 function buildPayCallData(contractAddress, proof) {
-  const iface = new ethers3.Interface([
+  const iface = new ethers.Interface([
     "function pay(bytes payload, bytes signature)"
   ]);
   return iface.encodeFunctionData("pay", [
-    ethers3.toUtf8Bytes(JSON.stringify(proof.payload)),
+    ethers.toUtf8Bytes(JSON.stringify(proof.payload)),
     proof.signature
   ]);
 }
@@ -219,96 +58,246 @@ function buildUserOperation(params) {
   };
 }
 
-// src/payid.ts
+// src/core/payid.ts
+function isRuleSource(rule) {
+  return typeof rule === "object" && rule !== null && "uri" in rule;
+}
 var PayID = class {
-  wasm;
-  constructor(wasmPath) {
-    this.wasm = fs.readFileSync(wasmPath);
+  constructor(wasm, debugTrace, trustedIssuers) {
+    this.wasm = wasm;
+    this.debugTrace = debugTrace;
+    this.trustedIssuers = trustedIssuers;
   }
-  async evaluate(context, ruleConfig) {
-    return evaluate(this.wasm, context, ruleConfig);
+  /**
+   * Evaluate a rule set against a given context using the PayID WASM engine.
+   *
+   * ## Responsibility
+   *
+   * This method performs **pure rule evaluation only**:
+   * - Resolves the rule configuration (inline or via RuleSource)
+   * - Executes the rule engine
+   * - Returns an ALLOW / REJECT decision
+   *
+   * This method does NOT:
+   * - Generate decision proofs
+   * - Interact with on-chain rule registries
+   * - Enforce rule ownership or authority
+   * - Perform any signing
+   *
+   * ## Environment
+   *
+   * This method is **client-safe** and may be called from:
+   * - Browsers
+   * - Mobile apps
+   * - Edge runtimes
+   * - Backend services
+   *
+   * ## Rule source behavior
+   *
+   * - If `rule` is a `RuleConfig`, it is evaluated directly.
+   * - If `rule` is a `RuleSource`, it is resolved off-chain
+   *   before evaluation.
+   *
+   * @param context
+   *   Rule execution context (transaction data, payId, etc.).
+   *
+   * @param rule
+   *   Rule configuration to evaluate, either:
+   *   - An inline `RuleConfig`, or
+   *   - A `RuleSource` that resolves to a `RuleConfig`.
+   *
+   * @returns
+   *   A `RuleResult` indicating whether the rule allows or
+   *   rejects the given context.
+   *
+   * @throws
+   *   May throw if rule resolution or evaluation fails.
+   */
+  async evaluate(context, rule) {
+    const config = isRuleSource(rule) ? (await resolveRule(rule)).config : rule;
+    return evaluate(this.wasm, context, config, { debug: this.debugTrace, trustedIssuers: this.trustedIssuers });
   }
+  /**
+   * Evaluate a payment intent against PayID rules and (if allowed)
+   * generate an off-chain Decision Proof for on-chain verification.
+   *
+   * ## Conceptual model
+   *
+   * - `authorityRule` defines the **authoritative rule set**
+   *   registered on-chain (NFT / combined rule).
+   * - `evaluationRule` (optional) is an **off-chain override**
+   *   used only for evaluation (e.g. QR / session / intent rule).
+   * - On-chain verification ALWAYS references `authorityRule`.
+   *
+   * Invariant:
+   * - Evaluation may use `authorityRule ∧ evaluationRule`
+   * - Proof MUST reference `authorityRule` only
+   *
+   * @param params
+   * @param params.context
+   *   Normalized rule execution context (tx, payId, etc.)
+   *
+   * @param params.authorityRule
+   *   The authoritative rule set owned by the receiver and
+   *   registered in the on-chain rule registry.
+   *   This rule defines on-chain sovereignty.
+   *
+   * @param params.evaluationRule
+   *   Optional evaluation override applied off-chain only
+   *   (e.g. QR rule, ephemeral constraint).
+   *   If omitted, `authorityRule` is used for evaluation.
+   *
+   * @param params.payId
+   *   PayID identifier associated with the receiver.
+   *
+   * @param params.payer
+   *   Address initiating the payment and signing the decision proof.
+   *
+   * @param params.receiver
+   *   Address receiving the payment and owning the authoritative rule.
+   *
+   * @param params.asset
+   *   Asset address to be transferred (address(0) for native ETH).
+   *
+   * @param params.amount
+   *   Amount to be transferred (uint256 semantics).
+   *
+   * @param params.signer
+   *   Signer corresponding to `payer`, used to sign the EIP-712
+   *   decision proof payload.
+   *
+   * @param params.ruleRegistryContract
+   *   Address of the on-chain rule registry / storage contract
+   *   used by the verifier to resolve `ruleSetHash`.
+   *
+   * @param params.ttlSeconds
+   *   Optional proof validity duration (seconds).
+   *   Defaults to implementation-defined TTL.
+   *
+   * @returns
+   *   An object containing:
+   *   - `result`: rule evaluation result (ALLOW / REJECT)
+   *   - `proof`: signed decision proof if allowed, otherwise `null`
+   *
+   * @throws
+   *   May throw if rule resolution, evaluation, or signing fails.
+   */
   async evaluateAndProve(params) {
-    const result = await this.evaluate(params.context, params.ruleConfig);
+    const authorityConfig = isRuleSource(params.authorityRule) ? (await resolveRule(params.authorityRule)).config : params.authorityRule;
+    const evalConfig = params.evaluationRule ?? authorityConfig;
+    const result = await evaluate(
+      this.wasm,
+      params.context,
+      evalConfig,
+      {
+        debug: this.debugTrace,
+        trustedIssuers: this.trustedIssuers
+      }
+    );
+    if (result.decision !== "ALLOW") {
+      return { result, proof: null };
+    }
     const proof = await generateDecisionProof({
       payId: params.payId,
-      owner: params.owner,
-      decision: result.decision,
+      payer: params.payer,
+      receiver: params.receiver,
+      asset: params.asset,
+      amount: params.amount,
       context: params.context,
-      ruleConfig: params.ruleConfig,
+      ruleConfig: authorityConfig,
       signer: params.signer,
-      chainId: params.chainId,
       verifyingContract: params.verifyingContract,
+      ruleRegistryContract: params.ruleRegistryContract,
       ttlSeconds: params.ttlSeconds
     });
     return { result, proof };
   }
-  async evaluateWithRuleSource(context, ruleSource) {
-    try {
-      const { config } = await resolveRule(ruleSource);
-      return await this.evaluate(context, config);
-    } catch (err) {
-      return {
-        decision: "REJECT",
-        code: "RULE_RESOLVE_ERROR",
-        reason: err?.message ?? "failed to resolve rule"
-      };
-    }
-  }
-  async evaluateAndProveFromSource(params) {
-    try {
-      const { config } = await resolveRule(params.ruleSource);
-      const result = await this.evaluate(params.context, config);
-      const proof = await generateDecisionProof({
-        payId: params.payId,
-        owner: params.owner,
-        decision: result.decision,
-        context: params.context,
-        ruleConfig: config,
-        signer: params.signer,
-        chainId: params.chainId,
-        verifyingContract: params.verifyingContract,
-        ttlSeconds: params.ttlSeconds
-      });
-      return { result, proof };
-    } catch (err) {
-      return {
-        result: {
-          decision: "REJECT",
-          code: "RULE_RESOLVE_ERROR",
-          reason: err?.message ?? "rule resolve failed"
-        },
-        proof: null
-      };
-    }
-  }
-  async evaluateProveAndBuildUserOp(params) {
-    const { result, proof } = await this.evaluateAndProveFromSource({
-      context: params.context,
-      ruleSource: params.ruleSource,
-      payId: params.payId,
-      owner: params.owner,
-      signer: params.signer,
-      chainId: params.chainId,
-      verifyingContract: params.verifyingContract
-    });
-    if (result.decision !== "ALLOW" || !proof) {
-      return { result, userOp: null, proof };
+  /**
+   * Build an ERC-4337 UserOperation that executes a PayID payment
+   * using a previously generated Decision Proof.
+   *
+   * ## Responsibility
+   *
+   * This function:
+   * - Encodes the PayID `pay(...)` calldata using the provided proof
+   * - Wraps it into an ERC-4337 UserOperation
+   *
+   * This function does NOT:
+   * - Evaluate rules
+   * - Generate decision proofs
+   * - Perform any signature validation
+   *
+   * ## Environment constraint
+   *
+   * This function is **server-only** and MUST NOT be called in a browser:
+   * - It is intended for bundlers, relayers, or backend services
+   * - Client-side apps should only generate the proof
+   *
+   * A runtime guard is enforced to prevent accidental browser usage.
+   *
+   * @param params
+   * @param params.proof
+   *   A valid Decision Proof generated by `evaluateAndProve`.
+   *
+   * @param params.smartAccount
+   *   The ERC-4337 smart account address that will submit the UserOperation.
+   *
+   * @param params.nonce
+   *   Current nonce of the smart account.
+   *
+   * @param params.gas
+   *   Gas parameters for the UserOperation
+   *   (callGasLimit, verificationGasLimit, preVerificationGas,
+   *    maxFeePerGas, maxPriorityFeePerGas).
+   *
+   * @param params.targetContract
+   *   Address of the PayID-compatible payment contract
+   *   (e.g. PayWithPayID).
+   *
+   * @param params.paymasterAndData
+   *   Optional paymaster data for sponsored transactions.
+   *
+   * @returns
+   *   A fully constructed ERC-4337 UserOperation ready to be
+   *   submitted to a bundler.
+   *
+   * @throws
+   *   Throws if called in a browser environment.
+   */
+  buildUserOperation(params) {
+    if (typeof globalThis !== "undefined" && "document" in globalThis) {
+      throw new Error(
+        "buildUserOperation must not be called in browser"
+      );
     }
     const callData = buildPayCallData(
       params.targetContract,
-      proof
+      params.proof
     );
-    const userOp = buildUserOperation({
+    return buildUserOperation({
       sender: params.smartAccount,
       nonce: params.nonce,
       callData,
       gas: params.gas,
       paymasterAndData: params.paymasterAndData
     });
-    return { result, userOp, proof };
   }
 };
+
+// src/factory.ts
+function createPayID(params) {
+  return new PayID(
+    params.wasm,
+    params.debugTrace ?? false,
+    params.trustedIssuers
+  );
+}
 export {
-  PayID
+  server_exports as client,
+  context_exports as context,
+  createPayID,
+  issuer_exports as issuer,
+  rule_exports as rule,
+  client_exports as server,
+  sessionPolicy_exports as sessionPolicy
 };

package/dist/issuer/index.d.ts

@@ -0,0 +1,3 @@
+export { a as issueEnvContext, b as issueOracleContext, c as issueRiskContext, d as issueStateContext, s as signAttestation } from '../index-2JCvey4-.js';
+import 'payid-types';
+import 'ethers';

package/dist/issuer/index.js

@@ -0,0 +1,16 @@
+import "../chunk-AOKLY2QN.js";
+import {
+  issueEnvContext,
+  issueOracleContext,
+  issueRiskContext,
+  issueStateContext,
+  signAttestation
+} from "../chunk-7U3P7XJE.js";
+import "../chunk-R5U7XKVJ.js";
+export {
+  issueEnvContext,
+  issueOracleContext,
+  issueRiskContext,
+  issueStateContext,
+  signAttestation
+};

package/dist/rule/index.d.ts

@@ -0,0 +1,2 @@
+export { a as canonicalizeRuleSet, c as combineRules, h as hashRuleSet } from '../index-C7vziL_Z.js';
+import 'payid-types';

package/dist/rule/index.js

@@ -0,0 +1,15 @@
+import {
+  hashRuleSet
+} from "../chunk-JRVCGSKK.js";
+import {
+  combineRules
+} from "../chunk-QYH3FNQ4.js";
+import {
+  canonicalizeRuleSet
+} from "../chunk-JJEWYFOV.js";
+import "../chunk-R5U7XKVJ.js";
+export {
+  canonicalizeRuleSet,
+  combineRules,
+  hashRuleSet
+};

package/dist/sessionPolicy/index.d.ts

@@ -0,0 +1,4 @@
+export { c as createSessionPolicyPayload, d as decodeSessionPolicy } from '../index-DuOeYzN2.js';
+export { P as PayIDSessionPolicyPayloadV1 } from '../types-DKt-zH0P.js';
+import 'ethers';
+import 'payid-types';

package/dist/sessionPolicy/index.js

@@ -0,0 +1,13 @@
+import {
+  createSessionPolicyPayload
+} from "../chunk-ATWJEWZH.js";
+import {
+  decodeSessionPolicy
+} from "../chunk-MXKZJKXE.js";
+import "../chunk-JJEWYFOV.js";
+import "../chunk-5ZEKI5Y2.js";
+import "../chunk-R5U7XKVJ.js";
+export {
+  createSessionPolicyPayload,
+  decodeSessionPolicy
+};

package/dist/types-B5dv7L-8.d.ts

@@ -0,0 +1,21 @@
+interface DecisionPayload {
+    version: string;
+    payId: string;
+    payer: string;
+    receiver: string;
+    asset: string;
+    amount: bigint;
+    contextHash: string;
+    ruleSetHash: string;
+    ruleAuthority: string;
+    issuedAt: bigint;
+    expiresAt: bigint;
+    nonce: string;
+    requiresAttestation: boolean;
+}
+interface DecisionProof {
+    payload: DecisionPayload;
+    signature: string;
+}
+
+export type { DecisionProof as D };

package/dist/types-DKt-zH0P.d.ts

@@ -0,0 +1,15 @@
+interface PayIDSessionPolicyPayloadV1 {
+    version: "payid.session.policy.v1" | string;
+    receiver: string;
+    rule: {
+        version: string;
+        logic: "AND" | "OR";
+        rules: any[];
+    };
+    expiresAt: number;
+    nonce: string;
+    issuedAt: number;
+    signature: string;
+}
+
+export type { PayIDSessionPolicyPayloadV1 as P };