payid 0.6.0 → 1.0.0

package/dist/chunk-HKHRYRD6.js

@@ -0,0 +1,752 @@
+import {
+  hashContext,
+  hashRuleSet
+} from "./chunk-X7NYQ47Y.js";
+import {
+  randomHex
+} from "./chunk-KDC67LIN.js";
+
+// src/attestation/verify.ts
+import { ethers, keccak256, toUtf8Bytes, toBeArray } from "ethers";
+function verifyAttestation(payload, proof, trustedIssuers) {
+  const now = Math.floor(Date.now() / 1e3);
+  if (!trustedIssuers.has(proof.issuer)) {
+    throw new Error("UNTRUSTED_ATTESTATION_ISSUER");
+  }
+  if (proof.expiresAt < now) {
+    throw new Error("ATTESTATION_EXPIRED");
+  }
+  if (proof.issuedAt > now) {
+    throw new Error("ATTESTATION_ISSUED_IN_FUTURE");
+  }
+  const payloadHash = keccak256(toUtf8Bytes(JSON.stringify(payload)));
+  const messageHash = ethers.hashMessage(toBeArray(payloadHash));
+  const recovered = ethers.recoverAddress(messageHash, proof.signature);
+  if (recovered.toLowerCase() !== proof.issuer.toLowerCase()) {
+    throw new Error("INVALID_ATTESTATION_SIGNATURE");
+  }
+}
+
+// src/rule/engine/wasm.ts
+var _wasmUrl = "https://gateway.pinata.cloud/ipfs/bafkreigwfxsb7oot7v55x7vxslvj23csxl2fhk2w7hsnboe55o26s2mgfy";
+var _instance = null;
+var _loading = null;
+var wasiStub = {
+  fd_write: () => 8,
+  fd_read: () => 8,
+  fd_close: () => 0,
+  fd_seek: () => 8,
+  fd_fdstat_get: () => 8,
+  fd_prestat_get: () => 8,
+  fd_prestat_dir_name: () => 8,
+  environ_get: () => 0,
+  environ_sizes_get: () => 0,
+  args_get: () => 0,
+  args_sizes_get: () => 0,
+  clock_time_get: () => 0,
+  proc_exit: () => {
+  },
+  random_get: () => 0
+};
+async function compile(binary) {
+  const module = await WebAssembly.compile(binary);
+  const instance = await WebAssembly.instantiate(module, {
+    wasi_snapshot_preview1: wasiStub
+  });
+  const _init = instance.exports._initialize;
+  if (_init) _init();
+  return instance;
+}
+async function loadWasm(binary) {
+  if (binary && binary.length > 0) {
+    return compile(binary instanceof Uint8Array ? binary : new Uint8Array(binary));
+  }
+  if (_instance) return _instance;
+  if (_loading) return _loading;
+  _loading = (async () => {
+    let wasmBinary;
+    if (typeof window === "undefined" && typeof process !== "undefined" && process.versions?.node) {
+      const { readFileSync } = await import(
+        /* webpackIgnore: true */
+        "fs"
+      );
+      const { join, dirname } = await import(
+        /* webpackIgnore: true */
+        "path"
+      );
+      const { fileURLToPath } = await import(
+        /* webpackIgnore: true */
+        "url"
+      );
+      const __dir = dirname(fileURLToPath(import.meta.url));
+      const buf = readFileSync(join(__dir, "rule_engine.wasm"));
+      wasmBinary = new Uint8Array(buf);
+    } else {
+      const res = await fetch(_wasmUrl);
+      if (!res.ok) throw new Error(
+        `[PAY.ID] Failed to fetch WASM from "${_wasmUrl}": HTTP ${res.status}`
+      );
+      wasmBinary = new Uint8Array(await res.arrayBuffer());
+    }
+    const instance = await compile(wasmBinary);
+    _instance = instance;
+    _loading = null;
+    return instance;
+  })();
+  return _loading;
+}
+
+// src/rule/engine/sandbox.ts
+var enc = new TextEncoder();
+var dec = new TextDecoder();
+async function runWasmRule(context, config, wasmBinary) {
+  const instance = await loadWasm(wasmBinary);
+  const memory = instance.exports.memory;
+  const alloc = instance.exports.alloc;
+  const free_ = instance.exports.free;
+  const evaluate2 = instance.exports.evaluate;
+  if (!alloc || !evaluate2) {
+    throw new Error(`WASM missing exports: alloc=${!!alloc} evaluate=${!!evaluate2}`);
+  }
+  const ctxBuf = enc.encode(JSON.stringify(context));
+  const cfgBuf = enc.encode(JSON.stringify(config));
+  const OUT_SIZE = 4096;
+  const ctxPtr = alloc(ctxBuf.length);
+  const cfgPtr = alloc(cfgBuf.length);
+  const outPtr = alloc(OUT_SIZE);
+  new Uint8Array(memory.buffer).set(ctxBuf, ctxPtr);
+  new Uint8Array(memory.buffer).set(cfgBuf, cfgPtr);
+  let rc;
+  try {
+    rc = evaluate2(ctxPtr, ctxBuf.length, cfgPtr, cfgBuf.length, outPtr, OUT_SIZE);
+  } catch (err) {
+    throw new Error(`WASM evaluate threw: ${err}`);
+  }
+  if (rc < 0) throw new Error(`WASM evaluate failed rc=${rc}`);
+  const out = new Uint8Array(memory.buffer).slice(outPtr, outPtr + rc);
+  const result = JSON.parse(dec.decode(out));
+  if (free_) {
+    free_(ctxPtr, ctxBuf.length);
+    free_(cfgPtr, cfgBuf.length);
+    free_(outPtr, OUT_SIZE);
+  }
+  return result;
+}
+
+// src/rule/engine/tsSandbox.ts
+async function runWasmRule2(context, config, _wasmBinary) {
+  return evaluateRule(context, config);
+}
+function evaluateRule(context, config) {
+  const rules = config?.rules;
+  if (!Array.isArray(rules) || rules.length === 0) {
+    return { decision: "ALLOW", code: "NO_RULES", reason: "no rules defined" };
+  }
+  const logic = config?.logic ?? "AND";
+  return evalRules(context, rules, logic);
+}
+function evalRules(context, rules, logic) {
+  for (const rule of rules) {
+    const res = evalOneRule(context, rule);
+    if (res.decision === "REJECT" && logic === "AND") return res;
+    if (res.decision === "ALLOW" && logic === "OR") return res;
+  }
+  if (logic === "AND") return { decision: "ALLOW", code: "OK", reason: "all rules passed" };
+  return { decision: "REJECT", code: "NO_RULE_MATCH", reason: "no rule matched in OR group" };
+}
+function evalOneRule(context, rule) {
+  const ruleId = rule?.id ?? "UNKNOWN_RULE";
+  const message = rule?.message ?? "";
+  if (Array.isArray(rule?.rules)) {
+    const subLogic = rule?.logic ?? "AND";
+    const res = evalRules(context, rule.rules, subLogic);
+    if (res.decision === "REJECT" && message) {
+      return { decision: "REJECT", code: ruleId, reason: message };
+    }
+    return res;
+  }
+  if (Array.isArray(rule?.conditions)) {
+    const inner = rule?.logic ?? "AND";
+    for (const cond of rule.conditions) {
+      const passed = evalCondition(context, cond);
+      if (!passed && inner === "AND") {
+        const reason = message || cond?.field || ruleId;
+        return { decision: "REJECT", code: ruleId, reason };
+      }
+      if (passed && inner === "OR") {
+        return { decision: "ALLOW", code: ruleId };
+      }
+    }
+    if (inner === "AND") return { decision: "ALLOW", code: ruleId };
+    return { decision: "REJECT", code: ruleId, reason: message || "no condition matched in OR" };
+  }
+  if (rule?.if !== void 0) {
+    const passed = evalCondition(context, rule.if);
+    if (!passed) {
+      const reason = message || rule.if?.field || ruleId;
+      return {
+        decision: "REJECT",
+        code: ruleId,
+        reason: interpolate(reason, context)
+      };
+    }
+    return { decision: "ALLOW", code: ruleId };
+  }
+  return { decision: "REJECT", code: ruleId, reason: "rule has no evaluable condition" };
+}
+function evalCondition(context, cond) {
+  const fieldExpr = cond?.field;
+  const op = cond?.op;
+  if (!fieldExpr || !op) return false;
+  const baseField = splitTransform(fieldExpr)[0];
+  if (op === "exists") return resolveField(context, baseField) !== void 0;
+  if (op === "not_exists") return resolveField(context, baseField) === void 0;
+  const actualRaw = resolveField(context, baseField);
+  if (actualRaw === void 0) return false;
+  const actual = applyTransform(actualRaw, fieldExpr);
+  let expected = cond.value;
+  if (typeof expected === "string" && expected.startsWith("$")) {
+    const refField = expected.slice(1);
+    const refBase = splitTransform(refField)[0];
+    const refRaw = resolveField(context, refBase);
+    if (refRaw === void 0) return false;
+    expected = applyTransform(refRaw, refField);
+  }
+  return applyOp(actual, op, expected);
+}
+function resolveField(ctx, path) {
+  const base = splitTransform(path)[0];
+  return base.split(".").reduce((o, k) => o?.[k], ctx);
+}
+function splitTransform(expr) {
+  const i = expr.indexOf("|");
+  if (i === -1) return [expr, null];
+  return [expr.slice(0, i), expr.slice(i + 1)];
+}
+function applyTransform(val, expr) {
+  const transform = splitTransform(expr)[1];
+  if (!transform) return val;
+  const colonIdx = transform.indexOf(":");
+  const name = colonIdx === -1 ? transform : transform.slice(0, colonIdx);
+  const arg = colonIdx === -1 ? null : transform.slice(colonIdx + 1);
+  const n = toU128(val);
+  switch (name) {
+    case "div": {
+      if (n === null) return val;
+      const d = arg ? BigInt(arg) : 1n;
+      if (d === 0n) return val;
+      return Number(n / d);
+    }
+    case "mod": {
+      if (n === null) return val;
+      const m = arg ? BigInt(arg) : 1n;
+      if (m === 0n) return val;
+      return Number(n % m);
+    }
+    case "abs":
+      return n !== null ? Number(n < 0n ? -n : n) : val;
+    case "hour":
+      return n !== null ? Number(n % 86400n / 3600n) : val;
+    case "day":
+      return n !== null ? Number((n / 86400n + 4n) % 7n) : val;
+    case "date":
+      return n !== null ? dayOfMonth(Number(n / 86400n)) : val;
+    case "month":
+      return n !== null ? monthOfYear(Number(n / 86400n)) : val;
+    case "len":
+      return String(val).length;
+    case "lower":
+      return String(val).toLowerCase();
+    case "upper":
+      return String(val).toUpperCase();
+    default:
+      return val;
+  }
+}
+function toU128(v) {
+  try {
+    if (typeof v === "bigint") return v;
+    if (typeof v === "number") return BigInt(Math.trunc(v));
+    if (typeof v === "string" && v !== "") return BigInt(v);
+    return null;
+  } catch {
+    return null;
+  }
+}
+function isLeap(y) {
+  return y % 4 === 0 && y % 100 !== 0 || y % 400 === 0;
+}
+function daysToYMD(days) {
+  let y = 1970;
+  while (true) {
+    const dy = isLeap(y) ? 366 : 365;
+    if (days < dy) break;
+    days -= dy;
+    y++;
+  }
+  const months = [0, 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31];
+  if (isLeap(y)) months[2] = 29;
+  let m = 1;
+  while (true) {
+    if (days < months[m]) break;
+    days -= months[m];
+    m++;
+  }
+  return [y, m, days + 1];
+}
+function dayOfMonth(days) {
+  return daysToYMD(days)[2];
+}
+function monthOfYear(days) {
+  return daysToYMD(days)[1];
+}
+function isSafeRegex(pattern) {
+  if (pattern.length > 200) return false;
+  if (/\([^)]*[+*]\s*[+*]/.test(pattern)) return false;
+  if (/(\([^)]*[+*][^)]*\))[+*{]/.test(pattern)) return false;
+  if (/\((?:[^|)]+\|)+[^)]*\)[+*{]/.test(pattern)) return false;
+  return true;
+}
+function applyOp(actual, op, expected) {
+  const a = toU128(actual);
+  const b = toU128(expected);
+  switch (op) {
+    case ">=":
+      return a !== null && b !== null && a >= b;
+    case "<=":
+      return a !== null && b !== null && a <= b;
+    case ">":
+      return a !== null && b !== null && a > b;
+    case "<":
+      return a !== null && b !== null && a < b;
+    case "==":
+      return String(actual) === String(expected) || actual == expected;
+    case "!=":
+      return String(actual) !== String(expected) && actual != expected;
+    case "in":
+      return Array.isArray(expected) && expected.some((e) => looseEq(actual, e));
+    case "not_in":
+      return Array.isArray(expected) && !expected.some((e) => looseEq(actual, e));
+    case "between":
+      return Array.isArray(expected) && expected.length === 2 && a !== null && toU128(expected[0]) !== null && toU128(expected[1]) !== null && a >= toU128(expected[0]) && a <= toU128(expected[1]);
+    case "not_between":
+      return Array.isArray(expected) && expected.length === 2 && a !== null && (a < toU128(expected[0]) || a > toU128(expected[1]));
+    case "mod_eq":
+      return Array.isArray(expected) && expected.length === 2 && a !== null && toU128(expected[0]) !== null && toU128(expected[0]) > 0n && a % toU128(expected[0]) === toU128(expected[1]);
+    case "mod_ne":
+      return Array.isArray(expected) && expected.length === 2 && a !== null && toU128(expected[0]) !== null && toU128(expected[0]) > 0n && a % toU128(expected[0]) !== toU128(expected[1]);
+    case "contains":
+      return typeof actual === "string" && typeof expected === "string" && actual.includes(expected);
+    case "not_contains":
+      return typeof actual === "string" && typeof expected === "string" && !actual.includes(expected);
+    case "starts_with":
+      return typeof actual === "string" && typeof expected === "string" && actual.startsWith(expected);
+    case "ends_with":
+      return typeof actual === "string" && typeof expected === "string" && actual.endsWith(expected);
+    case "exists":
+      return actual !== void 0 && actual !== null;
+    case "not_exists":
+      return actual === void 0 || actual === null;
+    case "regex": {
+      if (typeof actual !== "string" || typeof expected !== "string") return false;
+      if (!isSafeRegex(expected)) throw new Error(`UNSAFE_REGEX_PATTERN: ${expected.slice(0, 40)}`);
+      return new RegExp(expected).test(actual);
+    }
+    case "not_regex": {
+      if (typeof actual !== "string" || typeof expected !== "string") return false;
+      if (!isSafeRegex(expected)) throw new Error(`UNSAFE_REGEX_PATTERN: ${expected.slice(0, 40)}`);
+      return !new RegExp(expected).test(actual);
+    }
+    default:
+      return false;
+  }
+}
+function looseEq(a, b) {
+  if (a == b) return true;
+  if (String(a) === String(b)) return true;
+  const ba = toU128(a), bb = toU128(b);
+  return ba !== null && bb !== null && ba === bb;
+}
+function interpolate(template, context) {
+  return template.replace(/\{([^}]+)\}/g, (_, key) => {
+    const base = splitTransform(key)[0];
+    const raw = resolveField(context, base);
+    if (raw === void 0) return `{${key}}`;
+    const val = applyTransform(raw, key);
+    return String(val);
+  });
+}
+
+// src/rule/engine/validateRequires.ts
+function getByPath(obj, path) {
+  return path.split(".").reduce((acc, key) => acc?.[key], obj);
+}
+function validateRequiredContext(context, requires) {
+  if (!requires) return;
+  for (const path of requires) {
+    const value = getByPath(context, path);
+    if (value === void 0 || value === null) {
+      throw new Error(`Missing required context field: ${path}`);
+    }
+  }
+}
+
+// src/rule/engine/preprocess.ts
+function preprocessContextV2(context, ruleConfig, trustedIssuers) {
+  validateRequiredContext(context, ruleConfig.requires);
+  if (context.env) {
+    verifyAttestation(
+      { timestamp: context.env.timestamp },
+      context.env.proof,
+      trustedIssuers
+    );
+  }
+  if (context.state) {
+    verifyAttestation(
+      {
+        spentToday: context.state.spentToday,
+        period: context.state.period
+      },
+      context.state.proof,
+      trustedIssuers
+    );
+  }
+  if (context.oracle) {
+    const { proof, ...data } = context.oracle;
+    verifyAttestation(data, proof, trustedIssuers);
+  }
+  if (context.risk) {
+    verifyAttestation(
+      {
+        score: context.risk.score,
+        category: context.risk.category,
+        modelHash: context.risk.proof.modelHash
+      },
+      context.risk.proof,
+      trustedIssuers
+    );
+  }
+  return context;
+}
+
+// src/rule/engine/index.ts
+async function executeRule(context, ruleConfig, wasmBinary) {
+  try {
+    return await runWasmRule(context, ruleConfig, wasmBinary);
+  } catch {
+    return runWasmRule2(context, ruleConfig, wasmBinary);
+  }
+}
+
+// src/normalize.ts
+function normalizeContext(ctx) {
+  return {
+    ...ctx,
+    tx: {
+      ...ctx.tx,
+      sender: ctx.tx.sender,
+      receiver: ctx.tx.receiver,
+      asset: ctx.tx.asset,
+      amountUsd: ctx.tx.amountUsd
+    }
+  };
+}
+
+// src/core/decisionTrace.ts
+function toBigIntSafe(v) {
+  try {
+    if (typeof v === "bigint") return v;
+    if (typeof v === "number" && Number.isFinite(v)) return BigInt(Math.trunc(v));
+    if (typeof v === "string" && v !== "") return BigInt(v);
+    return null;
+  } catch {
+    return null;
+  }
+}
+function resolveField2(obj, fieldExpr) {
+  const [path, ...transforms] = fieldExpr.split("|");
+  let value = path?.split(".").reduce((o, k) => o?.[k], obj);
+  for (const t of transforms) {
+    if (value === void 0 || value === null) break;
+    if (t.startsWith("div:")) {
+      const n = Number(t.slice(4));
+      value = Number(value) / n;
+    } else if (t.startsWith("mod:")) {
+      const n = BigInt(t.slice(4));
+      value = BigInt(value) % n;
+    } else if (t === "abs") {
+      value = Math.abs(Number(value));
+    } else if (t === "hour") {
+      value = new Date(Number(value) * 1e3).getUTCHours();
+    } else if (t === "day") {
+      value = new Date(Number(value) * 1e3).getUTCDay();
+    } else if (t === "date") {
+      value = new Date(Number(value) * 1e3).getUTCDate();
+    } else if (t === "month") {
+      value = new Date(Number(value) * 1e3).getUTCMonth() + 1;
+    } else if (t === "len") {
+      value = String(value).length;
+    } else if (t === "lower") {
+      value = String(value).toLowerCase();
+    } else if (t === "upper") {
+      value = String(value).toUpperCase();
+    }
+  }
+  return value;
+}
+function resolveValue(context, value) {
+  if (typeof value === "string" && value.startsWith("$")) {
+    return resolveField2(context, value.slice(1));
+  }
+  return value;
+}
+function evaluateCondition(actual, op, expected) {
+  switch (op) {
+    case ">=":
+    case "<=":
+    case ">":
+    case "<": {
+      const a = toBigIntSafe(actual);
+      const b = toBigIntSafe(expected);
+      if (a === null || b === null) return false;
+      if (op === ">=") return a >= b;
+      if (op === "<=") return a <= b;
+      if (op === ">") return a > b;
+      if (op === "<") return a < b;
+      return false;
+    }
+    case "==":
+      return actual == expected;
+    case "!=":
+      return actual != expected;
+    case "in":
+      return Array.isArray(expected) && expected.includes(actual);
+    case "not_in":
+      return Array.isArray(expected) && !expected.includes(actual);
+    case "between":
+      return Array.isArray(expected) && actual >= expected[0] && actual <= expected[1];
+    case "not_between":
+      return Array.isArray(expected) && !(actual >= expected[0] && actual <= expected[1]);
+    case "exists":
+      return actual !== void 0 && actual !== null;
+    case "not_exists":
+      return actual === void 0 || actual === null;
+    default:
+      return false;
+  }
+}
+function traceCondition(context, ruleId, cond) {
+  const actual = resolveField2(context, cond.field);
+  const expected = resolveValue(context, cond.value);
+  const pass = evaluateCondition(actual, cond.op, expected);
+  return {
+    ruleId,
+    field: cond.field,
+    op: cond.op,
+    expected: cond.value,
+    actual,
+    result: actual === void 0 ? "FAIL" : pass ? "PASS" : "FAIL"
+  };
+}
+function traceRule(context, rule) {
+  if ("if" in rule) {
+    return [traceCondition(context, rule.id, rule.if)];
+  }
+  if ("conditions" in rule) {
+    return rule.conditions.map((cond) => traceCondition(context, rule.id, cond));
+  }
+  if ("rules" in rule) {
+    return rule.rules.flatMap((child) => traceRule(context, child));
+  }
+  return [];
+}
+function buildDecisionTrace(context, ruleConfig) {
+  return ruleConfig.rules.flatMap((rule) => traceRule(context, rule));
+}
+
+// src/evaluate.ts
+async function evaluate(context, ruleConfig, options, wasmBinary) {
+  if (!context || typeof context !== "object") {
+    throw new Error("evaluate(): context is required");
+  }
+  if (!context.tx) {
+    throw new Error("evaluate(): context.tx is required");
+  }
+  if (!ruleConfig || typeof ruleConfig !== "object") {
+    throw new Error("evaluate(): ruleConfig is required");
+  }
+  let result;
+  try {
+    const preparedContext = options?.trustedIssuers ? preprocessContextV2(context, ruleConfig, options.trustedIssuers) : context;
+    const normalized = normalizeContext(preparedContext);
+    result = await executeRule(normalized, ruleConfig, wasmBinary);
+  } catch (err) {
+    return {
+      decision: "REJECT",
+      code: "CONTEXT_OR_ENGINE_ERROR",
+      reason: err?.message ?? "rule evaluation failed"
+    };
+  }
+  if (result.decision !== "ALLOW" && result.decision !== "REJECT") {
+    return {
+      decision: "REJECT",
+      code: "INVALID_ENGINE_OUTPUT",
+      reason: "invalid decision value"
+    };
+  }
+  const baseResult = {
+    decision: result.decision,
+    code: result.code || "UNKNOWN",
+    reason: result.reason
+  };
+  if (options?.debug) {
+    return {
+      ...baseResult,
+      debug: {
+        trace: buildDecisionTrace(context, ruleConfig)
+      }
+    };
+  }
+  return baseResult;
+}
+
+// src/decision-proof/generate.ts
+import { ethers as ethers2, ZeroAddress } from "ethers";
+var hash = (v) => ethers2.keccak256(ethers2.toUtf8Bytes(v));
+async function generateDecisionProof(params) {
+  if (!ethers2.isAddress(params.payer) || params.payer === ethers2.ZeroAddress) {
+    throw new Error("GENERATE_PROOF: payer address tidak valid atau zero");
+  }
+  if (!ethers2.isAddress(params.receiver) || params.receiver === ethers2.ZeroAddress) {
+    throw new Error("GENERATE_PROOF: receiver address tidak valid atau zero");
+  }
+  if (!ethers2.isAddress(params.verifyingContract) || params.verifyingContract === ethers2.ZeroAddress) {
+    throw new Error("GENERATE_PROOF: verifyingContract tidak valid atau zero");
+  }
+  if (params.amount <= 0n) {
+    throw new Error("GENERATE_PROOF: amount harus > 0");
+  }
+  const now = params.blockTimestamp ?? Math.floor(Date.now() / 1e3);
+  const issuedAt = now - 30;
+  const expiresAt = now + (params.ttlSeconds ?? 300);
+  let chainId = params.chainId;
+  if (!chainId && params.signer.provider) {
+    const network = await params.signer.provider.getNetwork();
+    chainId = Number(network.chainId);
+  }
+  if (!chainId || chainId <= 0 || !Number.isInteger(chainId)) {
+    throw new Error(`GENERATE_PROOF: chainId tidak valid: ${chainId}`);
+  }
+  const requiresAttestation = Array.isArray(params.ruleConfig?.requires) && params.ruleConfig.requires.length > 0;
+  const attestationUIDsHash = params.attestationUIDs ? ethers2.keccak256(ethers2.AbiCoder.defaultAbiCoder().encode(["bytes32[]"], [params.attestationUIDs])) : ethers2.ZeroHash;
+  const payload = {
+    version: hash("2"),
+    payId: hash(params.payId),
+    payer: params.payer,
+    receiver: params.receiver,
+    asset: params.asset,
+    amount: params.amount,
+    contextHash: hashContext(params.context),
+    ruleSetHash: params.ruleSetHashOverride ?? hashRuleSet(params.ruleConfig),
+    ruleAuthority: params.ruleAuthority ?? ZeroAddress,
+    issuedAt: BigInt(issuedAt),
+    expiresAt: BigInt(expiresAt),
+    nonce: randomHex(32),
+    requiresAttestation,
+    attestationUIDsHash
+  };
+  const domain = {
+    name: "PAY.ID Decision",
+    version: "2",
+    chainId,
+    verifyingContract: params.verifyingContract
+  };
+  const types = {
+    Decision: [
+      { name: "version", type: "bytes32" },
+      { name: "payId", type: "bytes32" },
+      { name: "payer", type: "address" },
+      { name: "receiver", type: "address" },
+      { name: "asset", type: "address" },
+      { name: "amount", type: "uint256" },
+      { name: "contextHash", type: "bytes32" },
+      { name: "ruleSetHash", type: "bytes32" },
+      { name: "ruleAuthority", type: "address" },
+      { name: "issuedAt", type: "uint64" },
+      { name: "expiresAt", type: "uint64" },
+      { name: "nonce", type: "bytes32" },
+      { name: "requiresAttestation", type: "bool" },
+      { name: "attestationUIDsHash", type: "bytes32" }
+    ]
+  };
+  const signature = await params.signer.signTypedData(domain, types, payload);
+  const recovered = ethers2.verifyTypedData(domain, types, payload, signature);
+  const signerAddress = await params.signer.getAddress();
+  if (recovered.toLowerCase() !== signerAddress.toLowerCase()) {
+    throw new Error("SIGNATURE_MISMATCH");
+  }
+  return { payload, signature };
+}
+
+// src/utils/subtle.ts
+var subtleCrypto = globalThis.crypto.subtle;
+
+// src/utils/fetchJson.ts
+async function fetchJsonWithHashCheck(url, expectedHash) {
+  const res = await fetch(url);
+  if (!res.ok) {
+    throw new Error("RULE_FETCH_FAILED");
+  }
+  const buffer = await res.arrayBuffer();
+  if (expectedHash) {
+    const digest = await subtleCrypto.digest(
+      "SHA-256",
+      buffer
+    );
+    const actualHash = bufferToHex(digest);
+    if (actualHash !== expectedHash) {
+      throw new Error("RULE_HASH_MISMATCH");
+    }
+  }
+  return JSON.parse(new TextDecoder().decode(buffer));
+}
+function bufferToHex(buffer) {
+  return [...new Uint8Array(buffer)].map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+// src/resolver/resolver.ts
+var DEFAULT_ZG_INDEXER = "https://indexer-testnet.0g.ai";
+async function resolveRule(source, options) {
+  const { uri, hash: hash2 } = source;
+  if (uri.startsWith("inline://")) {
+    const encoded = uri.replace("inline://", "");
+    const json = JSON.parse(atob(encoded));
+    return { config: json, source };
+  }
+  if (uri.startsWith("ipfs://")) {
+    const cid = uri.replace("ipfs://", "");
+    const url = `https://ipfs.io/ipfs/${cid}`;
+    const config = await fetchJsonWithHashCheck(url, hash2);
+    return { config, source };
+  }
+  if (uri.startsWith("http://") || uri.startsWith("https://")) {
+    const config = await fetchJsonWithHashCheck(uri, hash2);
+    return { config, source };
+  }
+  if (uri.startsWith("0g://")) {
+    const rootHash = uri.replace("0g://", "");
+    const indexerUrl = options?.zgIndexerUrl ?? globalThis.PAYID_ZGS_INDEXER_URL ?? DEFAULT_ZG_INDEXER;
+    const url = `${indexerUrl}/blob/${rootHash}`;
+    const config = await fetchJsonWithHashCheck(url, hash2);
+    return { config, source };
+  }
+  throw new Error("UNSUPPORTED_RULE_URI");
+}
+
+export {
+  loadWasm,
+  verifyAttestation,
+  evaluate,
+  generateDecisionProof,
+  resolveRule
+};