payid 0.4.1 → 0.4.2

package/dist/chunk-RCXMRX4F.js

@@ -0,0 +1,54 @@
+import {
+  issueEnvContext,
+  issueOracleContext,
+  issueRiskContext,
+  issueStateContext
+} from "./chunk-7U3P7XJE.js";
+import {
+  __export
+} from "./chunk-R5U7XKVJ.js";
+
+// src/context/index.ts
+var context_exports = {};
+__export(context_exports, {
+  buildContextV2: () => buildContextV2
+});
+
+// src/context/contextV2.ts
+async function buildContextV2(params) {
+  const ctx = {
+    ...params.baseContext
+  };
+  if (params.env) {
+    ctx.env = await issueEnvContext(
+      params.env.issuer
+    );
+  }
+  if (params.state) {
+    ctx.state = await issueStateContext(
+      params.state.issuer,
+      params.state.spentToday,
+      params.state.period
+    );
+  }
+  if (params.oracle) {
+    ctx.oracle = await issueOracleContext(
+      params.oracle.issuer,
+      params.oracle.data
+    );
+  }
+  if (params.risk) {
+    ctx.risk = await issueRiskContext(
+      params.risk.issuer,
+      params.risk.score,
+      params.risk.category,
+      params.risk.modelHash
+    );
+  }
+  return ctx;
+}
+
+export {
+  buildContextV2,
+  context_exports
+};

package/dist/chunk-Y75PSD7U.js

@@ -0,0 +1,47 @@
+import {
+  decodeSessionPolicy
+} from "./chunk-MXKZJKXE.js";
+import {
+  canonicalizeRuleSet
+} from "./chunk-6VPSJFO4.js";
+import {
+  randomHex
+} from "./chunk-5ZEKI5Y2.js";
+import {
+  __export
+} from "./chunk-R5U7XKVJ.js";
+
+// src/sessionPolicy/index.ts
+var sessionPolicy_exports = {};
+__export(sessionPolicy_exports, {
+  createSessionPolicyPayload: () => createSessionPolicyPayload,
+  decodeSessionPolicy: () => decodeSessionPolicy
+});
+
+// src/sessionPolicy/create.ts
+import { ethers } from "ethers";
+async function createSessionPolicyPayload(params) {
+  const issuedAt = Math.floor(Date.now() / 1e3);
+  const nonce = randomHex(16);
+  const payload = {
+    version: "payid.session.policy.v1",
+    receiver: params.receiver,
+    rule: canonicalizeRuleSet(params.rule),
+    issuedAt,
+    expiresAt: params.expiresAt,
+    nonce
+  };
+  const message = ethers.keccak256(
+    ethers.toUtf8Bytes(JSON.stringify(payload))
+  );
+  const signature = await params.signer.signMessage(message);
+  return {
+    ...payload,
+    signature
+  };
+}
+
+export {
+  createSessionPolicyPayload,
+  sessionPolicy_exports
+};

package/dist/chunk-YUAYDVGX.js

@@ -0,0 +1,134 @@
+import {
+  evaluate,
+  generateDecisionProof,
+  resolveRule
+} from "./chunk-ANG3SJGI.js";
+import {
+  __export
+} from "./chunk-R5U7XKVJ.js";
+
+// src/core/server/index.ts
+var server_exports = {};
+__export(server_exports, {
+  createPayID: () => createPayID
+});
+
+// src/erc4337/build.ts
+import { ethers } from "ethers";
+var PAY_WITH_PAYID_ABI = [
+  // ETH payment — attestationUIDs adalah EAS UIDs, pass [] jika tidak perlu
+  "function payETH((bytes32 version, bytes32 payId, address payer, address receiver, address asset, uint256 amount, bytes32 contextHash, bytes32 ruleSetHash, address ruleAuthority, uint64 issuedAt, uint64 expiresAt, bytes32 nonce, bool requiresAttestation) d, bytes sig, bytes32[] attestationUIDs) payable",
+  // ERC20 payment
+  "function payERC20((bytes32 version, bytes32 payId, address payer, address receiver, address asset, uint256 amount, bytes32 contextHash, bytes32 ruleSetHash, address ruleAuthority, uint64 issuedAt, uint64 expiresAt, bytes32 nonce, bool requiresAttestation) d, bytes sig, bytes32[] attestationUIDs)"
+];
+function buildPayETHCallData(contractAddress, proof, attestationUIDs = []) {
+  const iface = new ethers.Interface(PAY_WITH_PAYID_ABI);
+  return iface.encodeFunctionData("payETH", [
+    proof.payload,
+    proof.signature,
+    attestationUIDs
+  ]);
+}
+function buildPayERC20CallData(contractAddress, proof, attestationUIDs = []) {
+  const iface = new ethers.Interface(PAY_WITH_PAYID_ABI);
+  return iface.encodeFunctionData("payERC20", [
+    proof.payload,
+    proof.signature,
+    attestationUIDs
+  ]);
+}
+
+// src/erc4337/userop.ts
+function buildUserOperation(params) {
+  return {
+    sender: params.sender,
+    nonce: params.nonce,
+    initCode: params.initCode ?? "0x",
+    callData: params.callData,
+    callGasLimit: params.gas.callGasLimit,
+    verificationGasLimit: params.gas.verificationGasLimit,
+    preVerificationGas: params.gas.preVerificationGas,
+    maxFeePerGas: params.gas.maxFeePerGas,
+    maxPriorityFeePerGas: params.gas.maxPriorityFeePerGas,
+    paymasterAndData: params.paymasterAndData ?? "0x",
+    signature: "0x"
+    // signed later by smart account
+  };
+}
+
+// src/core/server/server.ts
+function isRuleSource(rule) {
+  return typeof rule === "object" && rule !== null && "uri" in rule;
+}
+var PayIDServer = class {
+  constructor(signer, trustedIssuers, debugTrace, wasm) {
+    this.signer = signer;
+    this.trustedIssuers = trustedIssuers;
+    this.debugTrace = debugTrace;
+    this.wasm = wasm;
+  }
+  async evaluateAndProve(params) {
+    const authorityConfig = isRuleSource(params.authorityRule) ? (await resolveRule(params.authorityRule)).config : params.authorityRule;
+    const evalConfig = params.evaluationRule ?? authorityConfig;
+    const result = await evaluate(
+      params.context,
+      evalConfig,
+      {
+        debug: this.debugTrace,
+        trustedIssuers: this.trustedIssuers
+      },
+      this.wasm
+    );
+    if (result.decision !== "ALLOW") {
+      return { result, proof: null };
+    }
+    const proof = await generateDecisionProof({
+      payId: params.payId,
+      payer: params.payer,
+      receiver: params.receiver,
+      asset: params.asset,
+      amount: params.amount,
+      context: params.context,
+      ruleConfig: authorityConfig,
+      signer: this.signer,
+      verifyingContract: params.verifyingContract,
+      ruleAuthority: params.ruleAuthority,
+      chainId: params.chainId ?? params.context?.tx?.chainId,
+      ttlSeconds: params.ttlSeconds,
+      blockTimestamp: params.blockTimestamp
+    });
+    return { result, proof };
+  }
+  buildUserOperation(params) {
+    const callData = buildPayERC20CallData(
+      params.targetContract,
+      params.proof,
+      params.attestationUIDs ?? []
+    );
+    return buildUserOperation({
+      sender: params.smartAccount,
+      nonce: params.nonce,
+      callData,
+      gas: params.gas,
+      paymasterAndData: params.paymasterAndData
+    });
+  }
+};
+
+// src/core/server/index.ts
+function createPayID(params) {
+  return new PayIDServer(
+    params.signer,
+    params.trustedIssuers,
+    params.debugTrace ?? false,
+    params.wasm
+  );
+}
+
+export {
+  buildPayETHCallData,
+  buildPayERC20CallData,
+  buildUserOperation,
+  createPayID,
+  server_exports
+};

package/dist/context/index.d.ts

@@ -0,0 +1,3 @@
+export { b as buildContextV2 } from '../index-BEvnPzzt.js';
+import 'ethers';
+import 'payid-types';

package/dist/context/index.js

@@ -0,0 +1,8 @@
+import {
+  buildContextV2
+} from "../chunk-RCXMRX4F.js";
+import "../chunk-7U3P7XJE.js";
+import "../chunk-R5U7XKVJ.js";
+export {
+  buildContextV2
+};

package/dist/core/client/index.d.ts

@@ -0,0 +1,5 @@
+export { c as createPayID } from '../../index-2O3usHUn.js';
+import 'payid-types';
+import 'ethers';
+import '../../types-B8pJQdMQ.js';
+import '../../types-BmMf7udp.js';

package/dist/core/client/index.js

@@ -0,0 +1,12 @@
+import {
+  createPayID
+} from "../../chunk-GB3FSF7K.js";
+import "../../chunk-GG34PNTF.js";
+import "../../chunk-MXKZJKXE.js";
+import "../../chunk-6VPSJFO4.js";
+import "../../chunk-ANG3SJGI.js";
+import "../../chunk-5ZEKI5Y2.js";
+import "../../chunk-R5U7XKVJ.js";
+export {
+  createPayID
+};

package/dist/core/server/index.d.ts

@@ -0,0 +1,4 @@
+export { c as createPayID } from '../../index-C1DHMQA0.js';
+import 'ethers';
+import 'payid-types';
+import '../../types-B8pJQdMQ.js';

package/dist/core/server/index.js

@@ -0,0 +1,9 @@
+import {
+  createPayID
+} from "../../chunk-YUAYDVGX.js";
+import "../../chunk-ANG3SJGI.js";
+import "../../chunk-5ZEKI5Y2.js";
+import "../../chunk-R5U7XKVJ.js";
+export {
+  createPayID
+};

package/dist/index-2JCvey4-.d.ts

@@ -0,0 +1,23 @@
+import { EnvContext, OracleContext, RiskContext, StateContext, Attestation } from 'payid-types';
+import { Wallet } from 'ethers';
+
+declare function issueEnvContext(wallet: Wallet): Promise<EnvContext>;
+
+declare function issueOracleContext(wallet: Wallet, data: Record<string, string | number>): Promise<OracleContext>;
+
+declare function issueRiskContext(wallet: Wallet, score: number, category: string, modelHash: string): Promise<RiskContext>;
+
+declare function issueStateContext(wallet: Wallet, spentToday: string, period: string): Promise<StateContext>;
+
+declare function signAttestation(issuerWallet: Wallet, payload: object, ttlSeconds?: number): Promise<Attestation>;
+
+declare const index_issueEnvContext: typeof issueEnvContext;
+declare const index_issueOracleContext: typeof issueOracleContext;
+declare const index_issueRiskContext: typeof issueRiskContext;
+declare const index_issueStateContext: typeof issueStateContext;
+declare const index_signAttestation: typeof signAttestation;
+declare namespace index {
+  export { index_issueEnvContext as issueEnvContext, index_issueOracleContext as issueOracleContext, index_issueRiskContext as issueRiskContext, index_issueStateContext as issueStateContext, index_signAttestation as signAttestation };
+}
+
+export { issueEnvContext as a, issueOracleContext as b, issueRiskContext as c, issueStateContext as d, index as i, signAttestation as s };

package/dist/index-2O3usHUn.d.ts

@@ -0,0 +1,109 @@
+import { RuleContext, RuleConfig, RuleResult } from 'payid-types';
+import { ethers } from 'ethers';
+import { R as RuleSource, D as DecisionProof } from './types-B8pJQdMQ.js';
+import { P as PayIDSessionPolicyPayloadV1 } from './types-BmMf7udp.js';
+
+/**
+ * @class PayIDClient
+ * @description Client-side PayID engine.
+ *
+ * Fully serverless — aman dipakai di browser, mobile, edge.
+ * Tidak butuh issuer wallet, tidak butuh server.
+ *
+ * Untuk attestation, gunakan EAS UIDs yang di-fetch via `eas.EASClient`.
+ *
+ * @example
+ * ```ts
+ * const client = new PayIDClient(wasmBinary)
+ *
+ * // 1. Evaluate rule
+ * const result = await client.evaluate(context, ruleConfig)
+ *
+ * // 2. Evaluate + generate proof (payer sign sendiri)
+ * const { result, proof } = await client.evaluateAndProve({
+ *   context,
+ *   authorityRule: ruleConfig,
+ *   payId: "pay.id/merchant",
+ *   payer: await signer.getAddress(),
+ *   receiver: "0xRECEIVER",
+ *   asset: USDT_ADDRESS,
+ *   amount: parseUnits("100", 6),
+ *   signer,
+ *   verifyingContract: PAYID_VERIFIER_ADDRESS,
+ *   ruleAuthority: RULE_AUTHORITY_ADDRESS,
+ * })
+ * ```
+ */
+declare class PayIDClient {
+    private readonly debugTrace?;
+    private readonly wasm?;
+    constructor(debugTrace?: boolean | undefined, wasm?: Uint8Array | undefined);
+    evaluate(context: RuleContext, rule: RuleConfig | RuleSource): Promise<RuleResult>;
+    evaluateAndProve(params: {
+        context: RuleContext;
+        authorityRule: RuleConfig | RuleSource;
+        evaluationRule?: RuleConfig;
+        sessionPolicy?: PayIDSessionPolicyPayloadV1;
+        payId: string;
+        payer: string;
+        receiver: string;
+        asset: string;
+        amount: bigint;
+        signer: ethers.Signer;
+        verifyingContract: string;
+        ruleAuthority: string;
+        ttlSeconds?: number;
+        chainId: number;
+        blockTimestamp: number;
+    }): Promise<{
+        result: RuleResult;
+        proof: DecisionProof | null;
+    }>;
+}
+
+/**
+ * Create a PayID policy engine instance backed by a WASM rule evaluator.
+ *
+ * ## Responsibility
+ *
+ * - Holds the WASM binary used for rule execution
+ * - Defines the trust boundary for context attestation verification
+ * - Acts as the primary entry point for PayID rule evaluation
+ *
+ * ## Trust model
+ *
+ * - If `trustedIssuers` is provided, Context V2 attestation
+ *   verification is ENFORCED.
+ * - If `trustedIssuers` is omitted, the engine runs in
+ *   legacy (Context V1) mode without cryptographic verification.
+ *
+ * ## Environment
+ *
+ * This class is safe to instantiate in:
+ * - Browsers
+ * - Mobile apps
+ * - Edge runtimes
+ * - Backend services
+ *
+ * @param wasm
+ *   Compiled PayID WASM rule engine binary.
+ *
+ * @param debugTrace
+ *   Optional flag to enable decision trace generation for debugging.
+ *   @example
+ *   ```ts
+ *
+ *   const payid = new PayID(wasmBinary, debugTrace);
+ *   ```
+ */
+declare function createPayID(params: {
+    wasm?: Uint8Array;
+    debugTrace?: boolean;
+}): PayIDClient;
+
+declare const index_createPayID: typeof createPayID;
+declare namespace index {
+  export { index_createPayID as createPayID };
+}
+
+export { createPayID as c, index as i };

package/dist/index-BEvnPzzt.d.ts

@@ -0,0 +1,160 @@
+import { Wallet } from 'ethers';
+import { ContextV1, ContextV2 } from 'payid-types';
+
+/**
+ * Build an attested Context V2 object from a base execution context
+ * and a set of optional attestation issuers.
+ *
+ * ## Purpose
+ *
+ * This function assembles **Context V2**, which extends a raw
+ * execution context (Context V1) with **cryptographically attested
+ * facts** such as:
+ * - Environment data (time, runtime conditions)
+ * - Stateful data (daily spend, quotas)
+ * - Oracle data (country, FX rate, KYC attributes)
+ * - Risk signals (ML score, risk category)
+ *
+ * The resulting context is suitable for:
+ * - Deterministic rule evaluation
+ * - Context V2 verification via `preprocessContextV2`
+ * - Off-chain decision proof generation
+ * - On-chain attestation verification
+ *
+ * ## Trust model
+ *
+ * - Each context domain (`env`, `state`, `oracle`, `risk`) MUST be
+ *   issued and signed by a trusted issuer.
+ * - The rule engine does NOT trust raw values; it only trusts
+ *   verified attestations.
+ * - Which domains are required is determined by `ruleConfig.requires`.
+ *
+ * ## Responsibility
+ *
+ * This function:
+ * - Calls the appropriate issuer functions to generate attestations
+ * - Aggregates all issued contexts into a single Context V2 object
+ * - Does NOT evaluate rules
+ * - Does NOT perform attestation verification
+ *
+ * ## Environment
+ *
+ * This function may be called from:
+ * - Backend services
+ * - Relayers / bundlers
+ * - Edge runtimes
+ *
+ * It SHOULD NOT be called directly from untrusted clients unless
+ * issuer keys are properly secured.
+ *
+ * @example
+ * ### Minimal Context V2 (env + state only)
+ *
+ * ```ts
+ * const contextV2 = await buildContextV2({
+ *   baseContext: {
+ *     tx,
+ *     payId
+ *   },
+ *   env: {
+ *     issuer: envIssuer
+ *   },
+ *   state: {
+ *     issuer: stateIssuer,
+ *     spentToday: "2500000",
+ *     period: "DAY"
+ *   }
+ * });
+ * ```
+ *
+ * @example
+ * ### Full Context V2 (env + state + oracle + risk)
+ *
+ * ```ts
+ * const contextV2 = await buildContextV2({
+ *   baseContext: {
+ *     tx,
+ *     payId
+ *   },
+ *   env: {
+ *     issuer: envIssuer
+ *   },
+ *   state: {
+ *     issuer: stateIssuer,
+ *     spentToday: "2500000",
+ *     period: "DAY"
+ *   },
+ *   oracle: {
+ *     issuer: oracleIssuer,
+ *     data: {
+ *       country: "ID",
+ *       fxRate: 15600
+ *     }
+ *   },
+ *   risk: {
+ *     issuer: riskIssuer,
+ *     score: 72,
+ *     category: "MEDIUM",
+ *     modelHash: "0xmodelhash123"
+ *   }
+ * });
+ * ```
+ *
+ * @param params
+ *   Context assembly parameters.
+ *
+ * @param params.baseContext
+ *   Base execution context (Context V1), containing transaction
+ *   and PayID-related fields.
+ *
+ * @param params.env
+ *   Optional environment attestation.
+ *   Typically used for time-based or runtime constraints.
+ *
+ * @param params.state
+ *   Optional state attestation.
+ *   Used for cumulative values such as daily spend or quota tracking.
+ *
+ * @param params.oracle
+ *   Optional oracle attestation.
+ *   Used for external facts such as country, FX rate, or KYC signals.
+ *
+ * @param params.risk
+ *   Optional risk attestation.
+ *   Used for ML-based risk scoring and categorization.
+ *
+ * @returns
+ *   A fully assembled Context V2 object containing the base context
+ *   and all requested attested sub-contexts.
+ *
+ * @throws
+ *   May throw if attestation issuance fails for any domain.
+ */
+declare function buildContextV2(params: {
+    baseContext: ContextV1;
+    env?: {
+        issuer: Wallet;
+    };
+    state?: {
+        issuer: Wallet;
+        spentToday: string;
+        period: string;
+    };
+    oracle?: {
+        issuer: Wallet;
+        data: Record<string, string | number>;
+    };
+    risk?: {
+        issuer: Wallet;
+        score: number;
+        category: string;
+        modelHash: string;
+    };
+}): Promise<ContextV2>;
+
+declare const index_buildContextV2: typeof buildContextV2;
+declare namespace index {
+  export { index_buildContextV2 as buildContextV2 };
+}
+
+export { buildContextV2 as b, index as i };

package/dist/index-BQQnMG2H.d.ts

@@ -0,0 +1,114 @@
+import { ethers } from 'ethers';
+import { RuleConfig } from 'payid-types';
+import { P as PayIDSessionPolicyPayloadV1 } from './types-BmMf7udp.js';
+
+/**
+ * Create and sign an ephemeral PayID session policy payload.
+ *
+ * A session policy represents a **temporary, off-chain consent**
+ * granted by the receiver to apply additional rule constraints
+ * during rule evaluation (e.g. session limits, QR payments,
+ * intent-scoped conditions).
+ *
+ * ## Security model
+ *
+ * - The session policy is signed by the receiver.
+ * - The signature proves **explicit consent** for the included rule.
+ * - This policy does NOT establish on-chain authority and MUST NOT
+ *   be registered or referenced in any on-chain rule registry.
+ *
+ * ## Canonicalization
+ *
+ * - The rule set is canonicalized BEFORE signing to ensure
+ *   deterministic hashing and signature verification.
+ * - The exact payload signed here MUST be used verbatim during
+ *   policy verification.
+ *
+ * ## Lifecycle
+ *
+ * - Session policies are valid only until `expiresAt`.
+ * - Expired policies MUST be rejected by the verifier.
+ *
+ * @param params
+ * @param params.receiver
+ *   Address of the receiver granting the session policy.
+ *
+ * @param params.rule
+ *   Rule configuration to be applied as an **off-chain evaluation
+ *   override** during the session.
+ *
+ * @param params.expiresAt
+ *   UNIX timestamp (seconds) indicating when the session policy
+ *   becomes invalid.
+ *
+ * @param params.signer
+ *   Signer controlling the receiver address, used to sign the
+ *   session policy payload.
+ *
+ * @returns
+ *   A signed `PayIDSessionPolicyPayloadV1` that may be transmitted
+ *   to clients and verified using `decodeSessionPolicy`.
+ *
+ * @throws
+ *   May throw if signing fails or the signer is misconfigured.
+ */
+declare function createSessionPolicyPayload(params: {
+    receiver: string;
+    rule: RuleConfig;
+    expiresAt: number;
+    signer: ethers.Signer;
+}): Promise<PayIDSessionPolicyPayloadV1>;
+
+/**
+ * Decode and verify an ephemeral PayID session policy.
+ *
+ * This function validates that a session policy:
+ * - Uses a supported policy version
+ * - Has not expired
+ * - Was cryptographically signed by the declared receiver
+ *
+ * If all checks pass, the embedded rule configuration is returned
+ * and may be used as an **off-chain evaluation override**
+ * (e.g. combined with an authoritative on-chain rule).
+ *
+ * ## Security model
+ *
+ * - The session policy signature represents **explicit consent**
+ *   from the receiver for temporary rule constraints.
+ * - This policy does NOT establish on-chain authority and MUST NOT
+ *   be used to derive `ruleSetHash` or interact with rule registries.
+ *
+ * ## Invariants
+ *
+ * - The payload verified here MUST match exactly the payload that was signed.
+ * - No canonicalization or mutation is performed during verification.
+ * - Expired or invalidly signed policies are rejected immediately.
+ *
+ * @export
+ *
+ * @param sessionPolicy
+ *   A signed session policy payload created by
+ *   `createSessionPolicyPayload`.
+ *
+ * @param now
+ *   Current UNIX timestamp (seconds) used to validate policy expiry.
+ *
+ * @returns
+ *   A `RuleConfig` representing the session's evaluation rule.
+ *
+ * @throws
+ *   Throws if:
+ *   - The policy version is unsupported
+ *   - The policy has expired
+ *   - The signature does not match the receiver
+ */
+declare function decodeSessionPolicy(sessionPolicy: PayIDSessionPolicyPayloadV1, now: number): RuleConfig;
+
+declare const index_PayIDSessionPolicyPayloadV1: typeof PayIDSessionPolicyPayloadV1;
+declare const index_createSessionPolicyPayload: typeof createSessionPolicyPayload;
+declare const index_decodeSessionPolicy: typeof decodeSessionPolicy;
+declare namespace index {
+  export { index_PayIDSessionPolicyPayloadV1 as PayIDSessionPolicyPayloadV1, index_createSessionPolicyPayload as createSessionPolicyPayload, index_decodeSessionPolicy as decodeSessionPolicy };
+}
+
+export { createSessionPolicyPayload as c, decodeSessionPolicy as d, index as i };