payid 1.0.5 → 2.0.3

package/README.md

@@ -1,15 +1,478 @@
-# sdk-core
-
-To install dependencies:
-
-```bash
-bun install
-```
-
-To run:
-
-```bash
-bun run src/index.ts
-```
-
-This project was created using `bun init` in bun v1.2.21. [Bun](https://bun.com) is a fast all-in-one JavaScript runtime.
+# PayID SDK — `payid`
+
+Policy-driven payment engine for EVM chains. Define **rules** that evaluate payment context off-chain, then submit a cryptographic **Decision Proof** on-chain for verification.
+
+## Installation
+
+```bash
+bun add payid ethers
+# or
+npm install payid ethers
+```
+
+---
+
+## Quick Start
+
+```typescript
+import { PayIDClient } from "payid/client";
+import { ethers } from "ethers";
+
+const client = new PayIDClient();
+
+const result = await client.evaluateAndProve({
+  context: {
+    tx: {
+      sender: "0xSender...",
+      receiver: "0xReceiver...",
+      asset: "0x0000000000000000000000000000000000000000", // native token
+      amount: "1000000000000000000", // 1 ETH in wei
+      chainId: 42161, // Arbitrum
+    },
+  },
+  authorityRule: myRuleConfig,
+  payId: "user@pay.id",
+  payer: "0xSender...",
+  receiver: "0xReceiver...",
+  asset: "0x0000000000000000000000000000000000000000",
+  amount: 1_000_000_000_000_000_000n,
+  signer: wallet,
+  verifyingContract: "0xPayWithPayID...",
+  ruleAuthority: "0xRuleAuthority...",
+  chainId: 42161,
+  blockTimestamp: Math.floor(Date.now() / 1000),
+});
+
+if (result.result.decision === "ALLOW") {
+  // submit result.proof to PayWithPayID.payNative() on-chain
+}
+```
+
+---
+
+## Rule Language
+
+Rules define **what conditions must be true** for a payment to be allowed. They are evaluated off-chain, and the outcome is signed into a Decision Proof that the smart contract verifies.
+
+### Rule Config
+
+Every rule set starts with a `RuleConfig`:
+
+```typescript
+interface RuleConfig {
+  logic: "AND" | "OR"; // how top-level rules are combined
+  rules: AnyRule[];    // list of rules
+  requires?: string[]; // required context namespaces (e.g. ["state", "risk"])
+  message?: string;    // custom message on root rejection
+}
+```
+
+- **`AND`** — all rules must pass
+- **`OR`** — at least one rule must pass
+- Max nesting depth: **10 levels**
+
+---
+
+### Rule Formats
+
+There are three rule formats that can be mixed freely.
+
+#### Format A — Simple Rule
+
+One condition, one rule.
+
+```typescript
+{
+  id: "min-amount",
+  if: { field: "tx.amount", op: ">=", value: "100000000000000000" },
+  message: "Minimum transfer is 0.1 ETH"
+}
+```
+
+#### Format B — Multi-Condition Rule
+
+Multiple conditions combined with `AND` / `OR`.
+
+```typescript
+{
+  id: "business-hours",
+  logic: "AND",
+  conditions: [
+    { field: "env.timestamp|hour", op: ">=", value: "9" },
+    { field: "env.timestamp|hour", op: "<",  value: "17" },
+  ],
+  message: "Transfers only allowed during business hours (9–17 UTC)"
+}
+```
+
+#### Format C — Nested Rule
+
+Groups of rules combined with `AND` / `OR`. Can be nested up to 10 levels deep.
+
+```typescript
+{
+  id: "whitelist-or-small",
+  logic: "OR",
+  rules: [
+    { id: "in-whitelist", if: { field: "tx.sender", op: "in", value: ["0xAlice", "0xBob"] } },
+    { id: "small-amount", if: { field: "tx.amount", op: "<=", value: "50000000000000000" } }
+  ]
+}
+```
+
+---
+
+### Conditions
+
+```typescript
+interface RuleCondition {
+  field: string;  // dot-notation path into the context
+  op: string;     // operator
+  value: any;     // literal value or "$field.reference"
+}
+```
+
+---
+
+### Fields (Context Paths)
+
+Fields use dot-notation to navigate the payment context.
+
+#### Core Context (`tx`)
+
+| Field | Type | Description |
+|---|---|---|
+| `tx.amount` | `string` (wei) | Transfer amount in smallest unit |
+| `tx.amountUsd` | `string` | USD equivalent (if oracle provided) |
+| `tx.asset` | `string` | Token contract address; `0x000...000` for native |
+| `tx.sender` | `string` | Sender address |
+| `tx.receiver` | `string` | Receiver address |
+| `tx.chainId` | `number` | EVM chain ID |
+
+#### Pay.ID Context (`payId`)
+
+| Field | Type | Description |
+|---|---|---|
+| `payId.id` | `string` | The Pay.ID handle (e.g. `user@pay.id`) |
+| `payId.owner` | `string` | Address that owns this Pay.ID |
+
+#### Intent Context (`intent`)
+
+| Field | Type | Description |
+|---|---|---|
+| `intent.type` | `"QR" \| "DIRECT" \| "API"` | How payment was initiated |
+| `intent.expiresAt` | `number` | Unix timestamp when intent expires |
+| `intent.issuer` | `string` | Who issued the intent |
+
+#### Environment Context (`env`) — V2
+
+| Field | Type | Description |
+|---|---|---|
+| `env.timestamp` | `number` | Current block timestamp (Unix seconds) |
+
+#### State Context (`state`) — V2
+
+| Field | Type | Description |
+|---|---|---|
+| `state.spentToday` | `string` | Total amount spent today (wei) |
+| `state.period` | `string` | Current period identifier |
+
+#### Oracle Context (`oracle`) — V2
+
+Custom key-value data from an off-chain oracle. Example: `oracle.ethPrice`, `oracle.gasPrice`.
+
+#### Risk Context (`risk`) — V2
+
+| Field | Type | Description |
+|---|---|---|
+| `risk.score` | `number` | Risk score 0–1000 |
+| `risk.category` | `string` | Risk category label |
+
+---
+
+### Field Transforms
+
+Append `|transform` to a field to transform its value before comparison.
+
+```
+"env.timestamp|hour"   → hour of day (0–23)
+"tx.amount|div:1e18"   → amount divided by 1e18
+```
+
+| Transform | Syntax | Description |
+|---|---|---|
+| `div` | `field\|div:N` | Divide by N (integer) |
+| `mod` | `field\|mod:N` | Modulo N |
+| `abs` | `field\|abs` | Absolute value |
+| `hour` | `field\|hour` | Hour of day from Unix timestamp (0–23) |
+| `day` | `field\|day` | Day of week from Unix timestamp (0=Mon, 6=Sun) |
+| `date` | `field\|date` | Day of month (1–31) |
+| `month` | `field\|month` | Month of year (1–12) |
+| `len` | `field\|len` | String length |
+| `lower` | `field\|lower` | Lowercase string |
+| `upper` | `field\|upper` | Uppercase string |
+
+---
+
+### Operators
+
+#### Numeric
+
+| Operator | Description | Example |
+|---|---|---|
+| `>=` | Greater than or equal | `amount >= 1000` |
+| `<=` | Less than or equal | `amount <= 50000` |
+| `>` | Greater than | `amount > 0` |
+| `<` | Less than | `risk.score < 700` |
+| `between` | Inclusive range `[min, max]` | `value: ["100", "5000"]` |
+| `not_between` | Outside range | `value: ["100", "5000"]` |
+| `mod_eq` | `field % divisor == remainder` | `value: ["7", "0"]` (divisible by 7) |
+| `mod_ne` | `field % divisor != remainder` | |
+
+#### Equality
+
+| Operator | Description |
+|---|---|
+| `==` | Loose equality (string + numeric coercion) |
+| `!=` | Not equal |
+| `in` | Value is in array |
+| `not_in` | Value is not in array |
+
+#### String
+
+| Operator | Description |
+|---|---|
+| `contains` | String contains substring |
+| `not_contains` | String does not contain substring |
+| `starts_with` | String starts with prefix |
+| `ends_with` | String ends with suffix |
+| `regex` | Matches regex pattern (ReDoS-safe, max 200 chars) |
+| `not_regex` | Does not match regex |
+
+#### Existence
+
+| Operator | Description |
+|---|---|
+| `exists` | Field is present and not null |
+| `not_exists` | Field is absent or null |
+
+---
+
+### Cross-Field References
+
+Prefix a value with `$` to compare against another field in the context.
+
+```typescript
+// Reject if spending more than today's limit
+{ field: "tx.amount", op: "<=", value: "$state.dailyLimit" }
+
+// Only allow if sender equals the Pay.ID owner
+{ field: "tx.sender", op: "==", value: "$payId.owner" }
+```
+
+---
+
+### Message Interpolation
+
+Rule messages support `{field}` interpolation using the same dot-notation and transforms.
+
+```typescript
+{
+  id: "amount-cap",
+  if: { field: "tx.amount", op: "<=", value: "1000000000000000000" },
+  message: "Rejected: amount {tx.amount} exceeds 1 ETH cap"
+}
+```
+
+---
+
+## Complete Examples
+
+### 1. Simple Amount Cap
+
+```typescript
+const rule: RuleConfig = {
+  logic: "AND",
+  rules: [
+    {
+      id: "max-per-tx",
+      if: { field: "tx.amount", op: "<=", value: "5000000000000000000" },
+      message: "Max 5 ETH per transaction"
+    }
+  ]
+};
+```
+
+### 2. Daily Spending Limit
+
+```typescript
+const rule: RuleConfig = {
+  logic: "AND",
+  requires: ["state"],
+  rules: [
+    {
+      id: "daily-limit",
+      if: { field: "state.spentToday", op: "<=", value: "10000000000000000000" },
+      message: "Daily limit of 10 ETH exceeded"
+    }
+  ]
+};
+```
+
+### 3. Business Hours Only
+
+```typescript
+const rule: RuleConfig = {
+  logic: "AND",
+  requires: ["env"],
+  rules: [
+    {
+      id: "business-hours",
+      logic: "AND",
+      conditions: [
+        { field: "env.timestamp|hour", op: ">=", value: "9" },
+        { field: "env.timestamp|hour", op: "<",  value: "17" }
+      ],
+      message: "Transfers only allowed 09:00–17:00 UTC"
+    }
+  ]
+};
+```
+
+### 4. Whitelist OR Small Amount
+
+```typescript
+const rule: RuleConfig = {
+  logic: "AND",
+  rules: [
+    {
+      id: "whitelist-or-small",
+      logic: "OR",
+      rules: [
+        {
+          id: "is-whitelisted",
+          if: {
+            field: "tx.sender",
+            op: "in",
+            value: ["0xAlice...", "0xBob...", "0xCharlie..."]
+          }
+        },
+        {
+          id: "small-amount",
+          if: { field: "tx.amount", op: "<=", value: "100000000000000000" }
+        }
+      ],
+      message: "Sender not whitelisted and amount exceeds 0.1 ETH"
+    }
+  ]
+};
+```
+
+### 5. Multi-Condition Risk Gate
+
+```typescript
+const rule: RuleConfig = {
+  logic: "AND",
+  requires: ["risk"],
+  rules: [
+    {
+      id: "risk-gate",
+      logic: "AND",
+      conditions: [
+        { field: "risk.score",    op: "<",  value: "700" },
+        { field: "risk.category", op: "!=", value: "SANCTIONED" }
+      ],
+      message: "Payment blocked: risk score too high or sender sanctioned"
+    }
+  ]
+};
+```
+
+### 6. Recurring Payment (Weekdays Only)
+
+```typescript
+const rule: RuleConfig = {
+  logic: "AND",
+  requires: ["env"],
+  rules: [
+    {
+      id: "weekday-only",
+      // day transform: 0=Mon, 4=Fri, 5=Sat, 6=Sun
+      logic: "AND",
+      conditions: [
+        { field: "env.timestamp|day", op: ">=", value: "0" },
+        { field: "env.timestamp|day", op: "<=", value: "4" }
+      ],
+      message: "Only weekday payments allowed"
+    }
+  ]
+};
+```
+
+---
+
+## Evaluate Only (No Proof)
+
+```typescript
+import { evaluate } from "payid";
+
+const result = await evaluate(context, ruleConfig);
+// result.decision === "ALLOW" | "REJECT"
+// result.code     — rule ID that triggered the decision
+// result.reason   — human-readable message
+```
+
+---
+
+## Server-Side Usage
+
+```typescript
+import { PayIDServer } from "payid/server";
+import { ethers } from "ethers";
+
+const server = new PayIDServer(
+  new ethers.Wallet(process.env.SIGNER_KEY!),
+  new Set(["0xTrustedIssuer..."])  // trusted attestation issuers
+);
+
+const { result, proof } = await server.evaluateAndProve({
+  context,
+  authorityRule: ruleConfig,
+  payId: "merchant@pay.id",
+  payer: "0xPayer...",
+  receiver: "0xMerchant...",
+  asset: "0x0000000000000000000000000000000000000000",
+  amount: 1_000_000_000_000_000_000n,
+  verifyingContract: "0xPayWithPayID...",
+  ruleAuthority: "0xRuleAuthority...",
+  chainId: 42161,
+  blockTimestamp: Math.floor(Date.now() / 1000),
+});
+```
+
+---
+
+## Exports
+
+| Import path | Contents |
+|---|---|
+| `payid` | `evaluate()` |
+| `payid/client` | `PayIDClient` |
+| `payid/server` | `PayIDServer` |
+| `payid/decision-proof` | `generateDecisionProof()` |
+| `payid/rule` | `combineRules()`, `canonicalizeRuleSet()` |
+| `payid/issuer` | `signAttestation()` |
+| `payid/context` | Context types |
+| `payid/sessionPolicy` | `decodeSessionPolicy()`, `decodeSessionPolicyV2()` |
+
+---
+
+## Limits
+
+| Constraint | Value |
+|---|---|
+| Max rule nesting depth | 10 levels |
+| Max regex pattern length | 200 chars |
+| Nested quantifiers in regex | Rejected (ReDoS protection) |
+| Decision Proof TTL (default) | 300 seconds |
+| Decision Proof TTL (max recommended) | 3600 seconds |

package/dist/chunk-AXLZUAYL.js

@@ -0,0 +1,104 @@
+import {
+  hashContext,
+  hashRuleSet
+} from "./chunk-X7NYQ47Y.js";
+import {
+  randomHex
+} from "./chunk-KDC67LIN.js";
+
+// src/decision-proof/generate.ts
+import { ethers, ZeroAddress } from "ethers";
+var hash = (v) => ethers.keccak256(ethers.toUtf8Bytes(v));
+async function generateDecisionProof(params) {
+  if (!params.payId || typeof params.payId !== "string" || params.payId.trim() === "") {
+    throw new Error("payId must not be empty");
+  }
+  if (!ethers.isAddress(params.payer) || params.payer === ethers.ZeroAddress) {
+    throw new Error("GENERATE_PROOF: payer address is invalid or zero");
+  }
+  if (!ethers.isAddress(params.receiver) || params.receiver === ethers.ZeroAddress) {
+    throw new Error("GENERATE_PROOF: receiver address is invalid or zero");
+  }
+  if (!ethers.isAddress(params.verifyingContract) || params.verifyingContract === ethers.ZeroAddress) {
+    throw new Error("GENERATE_PROOF: verifyingContract is invalid or zero");
+  }
+  if (!ethers.isAddress(params.ruleAuthority)) {
+    throw new Error("GENERATE_PROOF: ruleAuthority is not a valid address");
+  }
+  if (params.asset !== void 0 && !ethers.isAddress(params.asset)) {
+    throw new Error("GENERATE_PROOF: asset is not a valid address");
+  }
+  if (params.amount <= 0n) {
+    throw new Error("amount must be > 0");
+  }
+  if (params.ttlSeconds !== void 0 && (params.ttlSeconds <= 0 || !Number.isInteger(params.ttlSeconds))) {
+    throw new Error("GENERATE_PROOF: ttlSeconds must be a positive integer");
+  }
+  if (params.blockTimestamp !== void 0 && params.blockTimestamp <= 0) {
+    throw new Error("GENERATE_PROOF: blockTimestamp is invalid");
+  }
+  const now = params.blockTimestamp ?? Math.floor(Date.now() / 1e3);
+  const issuedAt = now - 30;
+  const expiresAt = now + (params.ttlSeconds ?? 300);
+  let chainId = params.chainId;
+  if (!chainId && params.signer.provider) {
+    const network = await params.signer.provider.getNetwork();
+    chainId = Number(network.chainId);
+  }
+  if (!chainId || chainId <= 0 || !Number.isInteger(chainId)) {
+    throw new Error(`GENERATE_PROOF: chainId is invalid: ${chainId}`);
+  }
+  const requiresAttestation = Array.isArray(params.ruleConfig?.requires) && params.ruleConfig.requires.length > 0;
+  const attestationUIDsHash = params.attestationUIDs ? ethers.keccak256(ethers.AbiCoder.defaultAbiCoder().encode(["bytes32[]"], [params.attestationUIDs])) : ethers.ZeroHash;
+  const payload = {
+    version: hash("2"),
+    payId: hash(params.payId),
+    payer: params.payer,
+    receiver: params.receiver,
+    asset: params.asset,
+    amount: params.amount,
+    contextHash: hashContext(params.context),
+    ruleSetHash: params.ruleSetHashOverride ?? hashRuleSet(params.ruleConfig),
+    ruleAuthority: params.ruleAuthority ?? ZeroAddress,
+    issuedAt: BigInt(issuedAt),
+    expiresAt: BigInt(expiresAt),
+    nonce: randomHex(32),
+    requiresAttestation,
+    attestationUIDsHash
+  };
+  const domain = {
+    name: "PAY.ID Decision",
+    version: "2",
+    chainId,
+    verifyingContract: params.verifyingContract
+  };
+  const types = {
+    Decision: [
+      { name: "version", type: "bytes32" },
+      { name: "payId", type: "bytes32" },
+      { name: "payer", type: "address" },
+      { name: "receiver", type: "address" },
+      { name: "asset", type: "address" },
+      { name: "amount", type: "uint256" },
+      { name: "contextHash", type: "bytes32" },
+      { name: "ruleSetHash", type: "bytes32" },
+      { name: "ruleAuthority", type: "address" },
+      { name: "issuedAt", type: "uint64" },
+      { name: "expiresAt", type: "uint64" },
+      { name: "nonce", type: "bytes32" },
+      { name: "requiresAttestation", type: "bool" },
+      { name: "attestationUIDsHash", type: "bytes32" }
+    ]
+  };
+  const signature = await params.signer.signTypedData(domain, types, payload);
+  const recovered = ethers.verifyTypedData(domain, types, payload, signature);
+  const signerAddress = await params.signer.getAddress();
+  if (recovered.toLowerCase() !== signerAddress.toLowerCase()) {
+    throw new Error("SIGNATURE_MISMATCH");
+  }
+  return { payload, signature };
+}
+
+export {
+  generateDecisionProof
+};

package/dist/{chunk-HKHRYRD6.js → chunk-F2KQGW76.js}

@@ -1,11 +1,3 @@
-import {
-  hashContext,
-  hashRuleSet
-} from "./chunk-X7NYQ47Y.js";
-import {
-  randomHex
-} from "./chunk-KDC67LIN.js";
-
 // src/attestation/verify.ts
 import { ethers, keccak256, toUtf8Bytes, toBeArray } from "ethers";
 function verifyAttestation(payload, proof, trustedIssuers) {
@@ -137,29 +129,33 @@ async function runWasmRule(context, config, wasmBinary) {
 async function runWasmRule2(context, config, _wasmBinary) {
   return evaluateRule(context, config);
 }
+var MAX_RULE_DEPTH = 10;
 function evaluateRule(context, config) {
   const rules = config?.rules;
   if (!Array.isArray(rules) || rules.length === 0) {
     return { decision: "ALLOW", code: "NO_RULES", reason: "no rules defined" };
   }
   const logic = config?.logic ?? "AND";
-  return evalRules(context, rules, logic);
+  return evalRules(context, rules, logic, 0);
 }
-function evalRules(context, rules, logic) {
+function evalRules(context, rules, logic, depth) {
+  if (depth > MAX_RULE_DEPTH) {
+    return { decision: "REJECT", code: "MAX_DEPTH_EXCEEDED", reason: `rule nesting exceeds the limit of ${MAX_RULE_DEPTH}` };
+  }
   for (const rule of rules) {
-    const res = evalOneRule(context, rule);
+    const res = evalOneRule(context, rule, depth);
     if (res.decision === "REJECT" && logic === "AND") return res;
     if (res.decision === "ALLOW" && logic === "OR") return res;
   }
   if (logic === "AND") return { decision: "ALLOW", code: "OK", reason: "all rules passed" };
   return { decision: "REJECT", code: "NO_RULE_MATCH", reason: "no rule matched in OR group" };
 }
-function evalOneRule(context, rule) {
+function evalOneRule(context, rule, depth) {
   const ruleId = rule?.id ?? "UNKNOWN_RULE";
   const message = rule?.message ?? "";
   if (Array.isArray(rule?.rules)) {
     const subLogic = rule?.logic ?? "AND";
-    const res = evalRules(context, rule.rules, subLogic);
+    const res = evalRules(context, rule.rules, subLogic, depth + 1);
     if (res.decision === "REJECT" && message) {
       return { decision: "REJECT", code: ruleId, reason: message };
     }
@@ -572,9 +568,22 @@ async function evaluate(context, ruleConfig, options, wasmBinary) {
   if (!context.tx) {
     throw new Error("evaluate(): context.tx is required");
   }
+  if (context.tx.chainId !== void 0 && (!Number.isInteger(context.tx.chainId) || context.tx.chainId <= 0)) {
+    throw new Error(`chainId is invalid: ${context.tx.chainId}`);
+  }
+  if (context.tx.amount !== void 0) {
+    const amt = BigInt(context.tx.amount);
+    if (amt <= 0n) throw new Error("amount must be > 0");
+  }
   if (!ruleConfig || typeof ruleConfig !== "object") {
     throw new Error("evaluate(): ruleConfig is required");
   }
+  if (ruleConfig.logic !== "AND" && ruleConfig.logic !== "OR") {
+    throw new Error(`ruleConfig.logic must be "AND" or "OR", got: ${ruleConfig.logic}`);
+  }
+  if (!Array.isArray(ruleConfig.rules) || ruleConfig.rules.length === 0) {
+    throw new Error("ruleConfig.rules must be a non-empty array");
+  }
   let result;
   try {
     const preparedContext = options?.trustedIssuers ? preprocessContextV2(context, ruleConfig, options.trustedIssuers) : context;
@@ -610,84 +619,6 @@ async function evaluate(context, ruleConfig, options, wasmBinary) {
   return baseResult;
 }
 
-// src/decision-proof/generate.ts
-import { ethers as ethers2, ZeroAddress } from "ethers";
-var hash = (v) => ethers2.keccak256(ethers2.toUtf8Bytes(v));
-async function generateDecisionProof(params) {
-  if (!ethers2.isAddress(params.payer) || params.payer === ethers2.ZeroAddress) {
-    throw new Error("GENERATE_PROOF: payer address tidak valid atau zero");
-  }
-  if (!ethers2.isAddress(params.receiver) || params.receiver === ethers2.ZeroAddress) {
-    throw new Error("GENERATE_PROOF: receiver address tidak valid atau zero");
-  }
-  if (!ethers2.isAddress(params.verifyingContract) || params.verifyingContract === ethers2.ZeroAddress) {
-    throw new Error("GENERATE_PROOF: verifyingContract tidak valid atau zero");
-  }
-  if (params.amount <= 0n) {
-    throw new Error("GENERATE_PROOF: amount harus > 0");
-  }
-  const now = params.blockTimestamp ?? Math.floor(Date.now() / 1e3);
-  const issuedAt = now - 30;
-  const expiresAt = now + (params.ttlSeconds ?? 300);
-  let chainId = params.chainId;
-  if (!chainId && params.signer.provider) {
-    const network = await params.signer.provider.getNetwork();
-    chainId = Number(network.chainId);
-  }
-  if (!chainId || chainId <= 0 || !Number.isInteger(chainId)) {
-    throw new Error(`GENERATE_PROOF: chainId tidak valid: ${chainId}`);
-  }
-  const requiresAttestation = Array.isArray(params.ruleConfig?.requires) && params.ruleConfig.requires.length > 0;
-  const attestationUIDsHash = params.attestationUIDs ? ethers2.keccak256(ethers2.AbiCoder.defaultAbiCoder().encode(["bytes32[]"], [params.attestationUIDs])) : ethers2.ZeroHash;
-  const payload = {
-    version: hash("2"),
-    payId: hash(params.payId),
-    payer: params.payer,
-    receiver: params.receiver,
-    asset: params.asset,
-    amount: params.amount,
-    contextHash: hashContext(params.context),
-    ruleSetHash: params.ruleSetHashOverride ?? hashRuleSet(params.ruleConfig),
-    ruleAuthority: params.ruleAuthority ?? ZeroAddress,
-    issuedAt: BigInt(issuedAt),
-    expiresAt: BigInt(expiresAt),
-    nonce: randomHex(32),
-    requiresAttestation,
-    attestationUIDsHash
-  };
-  const domain = {
-    name: "PAY.ID Decision",
-    version: "2",
-    chainId,
-    verifyingContract: params.verifyingContract
-  };
-  const types = {
-    Decision: [
-      { name: "version", type: "bytes32" },
-      { name: "payId", type: "bytes32" },
-      { name: "payer", type: "address" },
-      { name: "receiver", type: "address" },
-      { name: "asset", type: "address" },
-      { name: "amount", type: "uint256" },
-      { name: "contextHash", type: "bytes32" },
-      { name: "ruleSetHash", type: "bytes32" },
-      { name: "ruleAuthority", type: "address" },
-      { name: "issuedAt", type: "uint64" },
-      { name: "expiresAt", type: "uint64" },
-      { name: "nonce", type: "bytes32" },
-      { name: "requiresAttestation", type: "bool" },
-      { name: "attestationUIDsHash", type: "bytes32" }
-    ]
-  };
-  const signature = await params.signer.signTypedData(domain, types, payload);
-  const recovered = ethers2.verifyTypedData(domain, types, payload, signature);
-  const signerAddress = await params.signer.getAddress();
-  if (recovered.toLowerCase() !== signerAddress.toLowerCase()) {
-    throw new Error("SIGNATURE_MISMATCH");
-  }
-  return { payload, signature };
-}
-
 // src/utils/subtle.ts
 var subtleCrypto = globalThis.crypto.subtle;
 
@@ -717,7 +648,7 @@ function bufferToHex(buffer) {
 // src/resolver/resolver.ts
 var DEFAULT_ZG_INDEXER = "https://indexer-testnet.0g.ai";
 async function resolveRule(source, options) {
-  const { uri, hash: hash2 } = source;
+  const { uri, hash } = source;
   if (uri.startsWith("inline://")) {
     const encoded = uri.replace("inline://", "");
     const json = JSON.parse(atob(encoded));
@@ -726,18 +657,18 @@ async function resolveRule(source, options) {
   if (uri.startsWith("ipfs://")) {
     const cid = uri.replace("ipfs://", "");
     const url = `https://ipfs.io/ipfs/${cid}`;
-    const config = await fetchJsonWithHashCheck(url, hash2);
+    const config = await fetchJsonWithHashCheck(url, hash);
     return { config, source };
   }
   if (uri.startsWith("http://") || uri.startsWith("https://")) {
-    const config = await fetchJsonWithHashCheck(uri, hash2);
+    const config = await fetchJsonWithHashCheck(uri, hash);
     return { config, source };
   }
   if (uri.startsWith("0g://")) {
     const rootHash = uri.replace("0g://", "");
     const indexerUrl = options?.zgIndexerUrl ?? globalThis.PAYID_ZGS_INDEXER_URL ?? DEFAULT_ZG_INDEXER;
     const url = `${indexerUrl}/blob/${rootHash}`;
-    const config = await fetchJsonWithHashCheck(url, hash2);
+    const config = await fetchJsonWithHashCheck(url, hash);
     return { config, source };
   }
   throw new Error("UNSUPPORTED_RULE_URI");
@@ -747,6 +678,5 @@ export {
   loadWasm,
   verifyAttestation,
   evaluate,
-  generateDecisionProof,
   resolveRule
 };

package/dist/{chunk-4UQKUVO5.js → chunk-K2B5UHYA.js}

@@ -7,10 +7,12 @@ import {
 } from "./chunk-BC77BLFK.js";
 import {
   evaluate,
-  generateDecisionProof,
   loadWasm,
   resolveRule
-} from "./chunk-HKHRYRD6.js";
+} from "./chunk-F2KQGW76.js";
+import {
+  generateDecisionProof
+} from "./chunk-AXLZUAYL.js";
 import {
   __export
 } from "./chunk-MLKGABMK.js";

package/dist/{chunk-ESTGPUEQ.js → chunk-WQEZYX4X.js}

@@ -1,8 +1,10 @@
 import {
   evaluate,
-  generateDecisionProof,
   resolveRule
-} from "./chunk-HKHRYRD6.js";
+} from "./chunk-F2KQGW76.js";
+import {
+  generateDecisionProof
+} from "./chunk-AXLZUAYL.js";
 import {
   __export
 } from "./chunk-MLKGABMK.js";

package/dist/core/client/index.d.ts

@@ -1,6 +1,7 @@
-export { P as PayIDClient, c as createPayID, c as createPayIDClient } from '../../index-CsynGAGv.js';
+export { P as PayIDClient, c as createPayID, c as createPayIDClient } from '../../index-IjgtzYO2.js';
 import '../../rule-a_5ed-93.js';
 import '../../context.v1-C1m-tz0o.js';
-import '../../types-i4eTkhWa.js';
+import '../../types-cnCPtnaV.js';
 import 'ethers';
+import '../../types-CSZ5F9J7.js';
 import '../../types-D2o6XS7a.js';

package/dist/core/client/index.js

@@ -1,11 +1,12 @@
 import {
   PayIDClient,
   createPayIDClient
-} from "../../chunk-4UQKUVO5.js";
+} from "../../chunk-K2B5UHYA.js";
 import "../../chunk-GG34PNTF.js";
 import "../../chunk-BC77BLFK.js";
 import "../../chunk-6VPSJFO4.js";
-import "../../chunk-HKHRYRD6.js";
+import "../../chunk-F2KQGW76.js";
+import "../../chunk-AXLZUAYL.js";
 import "../../chunk-X7NYQ47Y.js";
 import "../../chunk-KDC67LIN.js";
 import "../../chunk-MLKGABMK.js";

package/dist/core/server/index.d.ts

@@ -1,5 +1,6 @@
-export { P as PayIDServer, c as createPayIDServer } from '../../index-DSxDlF9J.js';
+export { P as PayIDServer, c as createPayIDServer } from '../../index-DpGIg0Hu.js';
 import 'ethers';
 import '../../rule-a_5ed-93.js';
 import '../../context.v1-C1m-tz0o.js';
-import '../../types-i4eTkhWa.js';
+import '../../types-cnCPtnaV.js';
+import '../../types-CSZ5F9J7.js';

package/dist/core/server/index.js

@@ -1,8 +1,9 @@
 import {
   PayIDServer,
   createPayIDServer
-} from "../../chunk-ESTGPUEQ.js";
-import "../../chunk-HKHRYRD6.js";
+} from "../../chunk-WQEZYX4X.js";
+import "../../chunk-F2KQGW76.js";
+import "../../chunk-AXLZUAYL.js";
 import "../../chunk-X7NYQ47Y.js";
 import "../../chunk-KDC67LIN.js";
 import "../../chunk-MLKGABMK.js";

package/dist/decision-proof/index.d.ts

@@ -0,0 +1,23 @@
+import { a as DecisionProof } from '../types-CSZ5F9J7.js';
+export { D as DecisionPayload, b as DecisionValue } from '../types-CSZ5F9J7.js';
+import { ethers } from 'ethers';
+
+declare function generateDecisionProof(params: {
+    payId: string;
+    payer: string;
+    receiver: string;
+    asset: string;
+    amount: bigint;
+    context: any;
+    ruleConfig: any;
+    ruleSetHashOverride?: string;
+    signer: ethers.Signer;
+    ruleAuthority: string;
+    verifyingContract: string;
+    ttlSeconds?: number;
+    chainId?: number;
+    blockTimestamp?: number;
+    attestationUIDs?: string[];
+}): Promise<DecisionProof>;
+
+export { DecisionProof, generateDecisionProof };

package/dist/decision-proof/index.js

@@ -0,0 +1,9 @@
+import {
+  generateDecisionProof
+} from "../chunk-AXLZUAYL.js";
+import "../chunk-X7NYQ47Y.js";
+import "../chunk-KDC67LIN.js";
+import "../chunk-MLKGABMK.js";
+export {
+  generateDecisionProof
+};

package/dist/{index-DSxDlF9J.d.ts → index-DpGIg0Hu.d.ts}

@@ -1,7 +1,8 @@
 import { ethers } from 'ethers';
 import { b as RuleConfig } from './rule-a_5ed-93.js';
 import { R as RuleContext } from './context.v1-C1m-tz0o.js';
-import { R as ResolverOptions, e as RuleSource, c as RuleResult, a as DecisionProof } from './types-i4eTkhWa.js';
+import { R as ResolverOptions, d as RuleSource, b as RuleResult } from './types-cnCPtnaV.js';
+import { a as DecisionProof } from './types-CSZ5F9J7.js';
 
 interface UserOperation {
     sender: string;

package/dist/{index-CsynGAGv.d.ts → index-IjgtzYO2.d.ts}

@@ -1,7 +1,8 @@
 import { b as RuleConfig } from './rule-a_5ed-93.js';
 import { R as RuleContext } from './context.v1-C1m-tz0o.js';
-import { R as ResolverOptions, e as RuleSource, c as RuleResult, a as DecisionProof } from './types-i4eTkhWa.js';
+import { R as ResolverOptions, d as RuleSource, b as RuleResult } from './types-cnCPtnaV.js';
 import { ethers } from 'ethers';
+import { a as DecisionProof } from './types-CSZ5F9J7.js';
 import { P as PayIDSessionPolicyPayloadV1, S as SessionPolicyV2 } from './types-D2o6XS7a.js';
 
 declare class PayIDClient {

package/dist/index.d.ts

@@ -1,15 +1,18 @@
-import { P as PayIDClient$1 } from './index-CsynGAGv.js';
-export { i as client } from './index-CsynGAGv.js';
-import { Z as ZGStorage, P as PayIDServer$1, U as UserOperation } from './index-DSxDlF9J.js';
-export { i as server, z as storage } from './index-DSxDlF9J.js';
+import { P as PayIDClient$1 } from './index-IjgtzYO2.js';
+export { i as client } from './index-IjgtzYO2.js';
+import { Z as ZGStorage, P as PayIDServer$1, U as UserOperation } from './index-DpGIg0Hu.js';
+export { i as server, z as storage } from './index-DpGIg0Hu.js';
 import { ethers } from 'ethers';
-import { R as ResolverOptions, e as RuleSource, c as RuleResult, a as DecisionProof } from './types-i4eTkhWa.js';
-export { D as DecisionPayload, b as RuleDecisionDebug, d as RuleResultDebug, f as RuleTraceEntry } from './types-i4eTkhWa.js';
+import { R as ResolverOptions, d as RuleSource, b as RuleResult } from './types-cnCPtnaV.js';
+export { a as RuleDecisionDebug, c as RuleResultDebug, e as RuleTraceEntry } from './types-cnCPtnaV.js';
 import { b as RuleConfig } from './rule-a_5ed-93.js';
 export { A as AnyRule, M as MultiConditionRule, N as NestedRule, R as Rule, a as RuleCondition, S as SimpleRule, i as isMultiConditionRule, c as isNestedRule, d as isSimpleRule } from './rule-a_5ed-93.js';
 import { R as RuleContext } from './context.v1-C1m-tz0o.js';
 export { C as ContextV1, P as PayIdContext, T as TxContext } from './context.v1-C1m-tz0o.js';
+import { a as DecisionProof } from './types-CSZ5F9J7.js';
+export { D as DecisionPayload } from './types-CSZ5F9J7.js';
 import { S as SessionPolicyV2 } from './types-D2o6XS7a.js';
+export { generateDecisionProof } from './decision-proof/index.js';
 import { A as Attestation } from './context.v2-DIzPotmW.js';
 export { C as ContextV2, E as EnvContext, O as OracleContext, R as RiskContext, S as StateContext } from './context.v2-DIzPotmW.js';
 export { i as sessionPolicy } from './index-G_1SiZJo.js';

package/dist/index.js

@@ -1,30 +1,33 @@
 import {
   context_exports
 } from "./chunk-BFCPKJ46.js";
-import {
-  issuer_exports
-} from "./chunk-E6VQETBC.js";
-import "./chunk-YKCMGGYB.js";
 import {
   rule_exports
 } from "./chunk-FZNMDGVK.js";
-import {
-  sessionPolicy_exports
-} from "./chunk-R674DZJS.js";
 import {
   PayIDClient,
   client_exports
-} from "./chunk-4UQKUVO5.js";
+} from "./chunk-K2B5UHYA.js";
 import "./chunk-GG34PNTF.js";
+import {
+  sessionPolicy_exports
+} from "./chunk-R674DZJS.js";
 import "./chunk-BC77BLFK.js";
 import "./chunk-6VPSJFO4.js";
+import {
+  issuer_exports
+} from "./chunk-E6VQETBC.js";
+import "./chunk-YKCMGGYB.js";
 import {
   PayIDServer,
   server_exports
-} from "./chunk-ESTGPUEQ.js";
+} from "./chunk-WQEZYX4X.js";
 import {
   verifyAttestation
-} from "./chunk-HKHRYRD6.js";
+} from "./chunk-F2KQGW76.js";
+import {
+  generateDecisionProof
+} from "./chunk-AXLZUAYL.js";
 import "./chunk-X7NYQ47Y.js";
 import "./chunk-KDC67LIN.js";
 import {
@@ -696,6 +699,7 @@ export {
   draftCache,
   eas_exports as eas,
   formatUsdValue,
+  generateDecisionProof,
   getCacheStats,
   historyCache,
   isMultiConditionRule,

package/dist/types-CSZ5F9J7.d.ts

@@ -0,0 +1,23 @@
+type DecisionValue = 0 | 1;
+interface DecisionPayload {
+    version: string;
+    payId: string;
+    payer: string;
+    receiver: string;
+    asset: string;
+    amount: bigint;
+    contextHash: string;
+    ruleSetHash: string;
+    ruleAuthority: string;
+    issuedAt: bigint;
+    expiresAt: bigint;
+    nonce: string;
+    requiresAttestation: boolean;
+    attestationUIDsHash: string;
+}
+interface DecisionProof {
+    payload: DecisionPayload;
+    signature: string;
+}
+
+export type { DecisionPayload as D, DecisionProof as a, DecisionValue as b };

package/dist/types-cnCPtnaV.d.ts

@@ -0,0 +1,29 @@
+interface RuleResult {
+    decision: "ALLOW" | "REJECT";
+    code: string;
+    reason?: string;
+}
+interface RuleTraceEntry {
+    ruleId: string;
+    field: string;
+    op: string;
+    expected: any;
+    actual: any;
+    result: "PASS" | "FAIL";
+}
+interface RuleDecisionDebug {
+    trace: RuleTraceEntry[];
+}
+interface RuleResultDebug extends RuleResult {
+    debug?: RuleDecisionDebug;
+}
+
+interface RuleSource {
+    uri: string;
+    hash?: string;
+}
+interface ResolverOptions {
+    zgIndexerUrl?: string;
+}
+
+export type { ResolverOptions as R, RuleDecisionDebug as a, RuleResult as b, RuleResultDebug as c, RuleSource as d, RuleTraceEntry as e };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "payid",
-  "version": "1.0.5",
+  "version": "2.0.3",
   "private": false,
   "type": "module",
   "main": "./dist/index.js",
@@ -47,6 +47,12 @@
       "import": "./dist/core/server/index.js",
       "require": "./dist/core/server/index.js",
       "default": "./dist/core/server/index.js"
+    },
+    "./decision-proof": {
+      "types": "./dist/decision-proof/index.d.ts",
+      "import": "./dist/decision-proof/index.js",
+      "require": "./dist/decision-proof/index.js",
+      "default": "./dist/decision-proof/index.js"
     }
   },
   "files": [
@@ -56,7 +62,7 @@
   "scripts": {
     "build": "tsup",
     "type-check": "tsc --noEmit",
-    "test": "echo 'No unit tests — add test files to run with bun test'",
+    "test": "bun test",
     "prepublishOnly": "bun run type-check && bun run test && bun run build",
     "release": "release-it",
     "release:dry": "release-it --dry-run",
@@ -74,8 +80,12 @@
   },
   "devDependencies": {
     "@types/bun": "latest",
+    "@wagmi/core": "^3.4.12",
+    "react": "^19.2.6",
     "release-it": "^20.0.1",
-    "tsup": "^8.5.1"
+    "tsup": "^8.5.1",
+    "viem": "^2.49.3",
+    "wagmi": "^3.6.15"
   },
   "description": "PAY.ID policy engine — evaluate payment rules and generate EIP-712 Decision Proofs",
   "repository": {

package/dist/types-i4eTkhWa.d.ts

@@ -1,50 +0,0 @@
-interface RuleResult {
-    decision: "ALLOW" | "REJECT";
-    code: string;
-    reason?: string;
-}
-interface RuleTraceEntry {
-    ruleId: string;
-    field: string;
-    op: string;
-    expected: any;
-    actual: any;
-    result: "PASS" | "FAIL";
-}
-interface RuleDecisionDebug {
-    trace: RuleTraceEntry[];
-}
-interface RuleResultDebug extends RuleResult {
-    debug?: RuleDecisionDebug;
-}
-
-interface DecisionPayload {
-    version: string;
-    payId: string;
-    payer: string;
-    receiver: string;
-    asset: string;
-    amount: bigint;
-    contextHash: string;
-    ruleSetHash: string;
-    ruleAuthority: string;
-    issuedAt: bigint;
-    expiresAt: bigint;
-    nonce: string;
-    requiresAttestation: boolean;
-    attestationUIDsHash: string;
-}
-interface DecisionProof {
-    payload: DecisionPayload;
-    signature: string;
-}
-
-interface RuleSource {
-    uri: string;
-    hash?: string;
-}
-interface ResolverOptions {
-    zgIndexerUrl?: string;
-}
-
-export type { DecisionPayload as D, ResolverOptions as R, DecisionProof as a, RuleDecisionDebug as b, RuleResult as c, RuleResultDebug as d, RuleSource as e, RuleTraceEntry as f };