settld 0.1.2 → 0.2.0

Files changed (483) hide show
  1. package/README.md +93 -3
  2. package/SETTLD_VERSION +1 -1
  3. package/bin/settld-mcp +2 -0
  4. package/bin/settld.js +71 -0
  5. package/conformance/kernel-v0/README.md +7 -0
  6. package/conformance/kernel-v0/run.mjs +292 -4
  7. package/docs/ACCESS.md +57 -0
  8. package/docs/ADOPTION_CHECKLIST.md +44 -0
  9. package/docs/ALERTS.md +198 -0
  10. package/docs/ARCHITECTURE.md +69 -0
  11. package/docs/ARCHITECTURE_FOUNDER_GUIDE.md +284 -0
  12. package/docs/ARTIFACTS.md +60 -0
  13. package/docs/CERTIFICATION_CHECKLIST.md +33 -0
  14. package/docs/CIRCLE_SANDBOX_E2E.md +152 -0
  15. package/docs/CONFIG.md +297 -0
  16. package/docs/CONTRACTS_APIS.md +23 -0
  17. package/docs/DEPRECATION.md +31 -0
  18. package/docs/DOMAIN_MODEL.md +92 -0
  19. package/docs/EVENT_ENVELOPE.md +53 -0
  20. package/docs/FINANCE_PACK_FORMAT.md +53 -0
  21. package/docs/INCIDENT_TAXONOMY.md +30 -0
  22. package/docs/JOB_STATE_MACHINE.md +66 -0
  23. package/docs/KERNEL_COMPATIBLE.md +60 -0
  24. package/docs/KERNEL_V0.md +40 -0
  25. package/docs/KEY_ROTATION.md +80 -0
  26. package/docs/LEDGER.md +82 -0
  27. package/docs/LIVENESS.md +76 -0
  28. package/docs/MVP_BUILD_ORDER.md +36 -0
  29. package/docs/ONCALL_PLAYBOOK.md +39 -0
  30. package/docs/OPERATIONS_SIGNING.md +20 -0
  31. package/docs/OVERVIEW.md +190 -0
  32. package/docs/PERF_BASELINE.md +85 -0
  33. package/docs/PRD.md +77 -0
  34. package/docs/QUICKSTART_KERNEL_V0.md +96 -0
  35. package/docs/QUICKSTART_MCP.md +377 -0
  36. package/docs/QUICKSTART_MCP_HOSTS.md +210 -0
  37. package/docs/QUICKSTART_POLICY_PACKS.md +65 -0
  38. package/docs/QUICKSTART_PRODUCE.md +61 -0
  39. package/docs/QUICKSTART_PROFILES.md +198 -0
  40. package/docs/QUICKSTART_RELEASE_VERIFY.md +39 -0
  41. package/docs/QUICKSTART_SDK.md +125 -0
  42. package/docs/QUICKSTART_SDK_PYTHON.md +111 -0
  43. package/docs/QUICKSTART_VERIFY.md +54 -0
  44. package/docs/QUICKSTART_X402_GATEWAY.md +317 -0
  45. package/docs/README.md +33 -0
  46. package/docs/RELEASE_CHECKLIST.md +182 -0
  47. package/docs/RELEASING.md +82 -0
  48. package/docs/REPO_SETTINGS.md +37 -0
  49. package/docs/RUNBOOK.md +86 -0
  50. package/docs/SKILLS.md +42 -0
  51. package/docs/SKILL_BUNDLE_FORMAT.md +48 -0
  52. package/docs/SLO.md +131 -0
  53. package/docs/SUMMARY.md +17 -0
  54. package/docs/SUPPORT.md +31 -0
  55. package/docs/THREAT_MODEL.md +36 -0
  56. package/docs/TRUST.md +59 -0
  57. package/docs/WORKFLOW.md +35 -0
  58. package/docs/X402_BATCH_SETTLEMENT.md +126 -0
  59. package/docs/blog/2026-02-14-your-ai-agent-just-spent-500-where-is-the-receipt.md +73 -0
  60. package/docs/examples/x402-provider-payout-registry.example.json +14 -0
  61. package/docs/gitbook/README.md +64 -0
  62. package/docs/gitbook/SETUP.md +25 -0
  63. package/docs/gitbook/SUMMARY.md +15 -0
  64. package/docs/gitbook/api-reference.md +73 -0
  65. package/docs/gitbook/closepacks.md +55 -0
  66. package/docs/gitbook/conformance.md +59 -0
  67. package/docs/gitbook/core-primitives.md +85 -0
  68. package/docs/gitbook/dispute-lifecycle.md +33 -0
  69. package/docs/gitbook/faq.md +21 -0
  70. package/docs/gitbook/guides.md +49 -0
  71. package/docs/gitbook/operations-runbook.md +36 -0
  72. package/docs/gitbook/quickstart.md +103 -0
  73. package/docs/gitbook/replay-and-audit.md +30 -0
  74. package/docs/gitbook/sdk-reference.md +35 -0
  75. package/docs/gitbook/security-model.md +58 -0
  76. package/docs/integrations/README.md +15 -0
  77. package/docs/integrations/github-actions-verify.yml +31 -0
  78. package/docs/integrations/github-actions.md +34 -0
  79. package/docs/integrations/openclaw/CLAWHUB_PUBLISH_CHECKLIST.md +65 -0
  80. package/docs/integrations/openclaw/PUBLIC_QUICKSTART.md +95 -0
  81. package/docs/integrations/openclaw/settld-mcp-skill/SKILL.md +69 -0
  82. package/docs/integrations/openclaw/settld-mcp-skill/mcp-server.example.json +12 -0
  83. package/docs/kernel-compatible/capabilities.json +36 -0
  84. package/docs/marketing/agent-commerce-substrate.md +78 -0
  85. package/docs/marketing/hn-repost-2026-02-17.md +102 -0
  86. package/docs/marketing/show-hn-post.md +45 -0
  87. package/docs/ops/ARTIFACT_VERIFICATION_STATUS.md +43 -0
  88. package/docs/ops/BILLING_WEBHOOK_REPLAY.md +105 -0
  89. package/docs/ops/CI_FLAKE_BUDGET.md +31 -0
  90. package/docs/ops/DISPUTE_FINANCE_RECONCILIATION_PACKET.md +56 -0
  91. package/docs/ops/GO_LIVE_GATE_S13.md +27 -0
  92. package/docs/ops/HOSTED_BASELINE_R2.md +129 -0
  93. package/docs/ops/KERNEL_V0_SHIP_GATE.md +69 -0
  94. package/docs/ops/LIGHTHOUSE_PRODUCTION_CLOSE.md +51 -0
  95. package/docs/ops/MCP_COMPATIBILITY_MATRIX.md +30 -0
  96. package/docs/ops/MINIMUM_PRODUCTION_TOPOLOGY.md +89 -0
  97. package/docs/ops/P0_BACKEND_PROGRESS.md +150 -0
  98. package/docs/ops/PAYMENTS_ALPHA_R5.md +105 -0
  99. package/docs/ops/PILOT_ONBOARDING_RUNBOOK.md +112 -0
  100. package/docs/ops/PRODUCTION_DEPLOYMENT_CHECKLIST.md +140 -0
  101. package/docs/ops/R1_SLOS.md +66 -0
  102. package/docs/ops/RELEASE_SIGNING_INCIDENT.md +58 -0
  103. package/docs/ops/SELF_SERVE_LAUNCH_AUTOMATION.md +89 -0
  104. package/docs/ops/THROUGHPUT_DRILL_10X.md +48 -0
  105. package/docs/ops/TRUST_CONFIG_WIZARD.md +60 -0
  106. package/docs/ops/X402_PILOT_WEEKLY_METRICS.md +76 -0
  107. package/docs/ops/tool-call-disputes-holdback.md +52 -0
  108. package/docs/pilot-kit/PILOT_PACKAGE_SCORECARD_X402.md +46 -0
  109. package/docs/pilot-kit/README.md +29 -0
  110. package/docs/pilot-kit/architecture-one-pager.md +48 -0
  111. package/docs/pilot-kit/buyer-email.txt +19 -0
  112. package/docs/pilot-kit/buyer-one-pager.md +31 -0
  113. package/docs/pilot-kit/gtm-pilot-playbook.md +182 -0
  114. package/docs/pilot-kit/offline-verify.md +33 -0
  115. package/docs/pilot-kit/procurement-one-pager.md +50 -0
  116. package/docs/pilot-kit/rfp-clause.md +46 -0
  117. package/docs/pilot-kit/roi-calculator-template.csv +2 -0
  118. package/docs/pilot-kit/security-qa.md +153 -0
  119. package/docs/pilot-kit/security-summary.md +35 -0
  120. package/docs/plans/2026-02-13-mcp-spike-design.md +113 -0
  121. package/docs/plans/2026-02-20-trust-os-v1-jira-backlog.md +348 -0
  122. package/docs/plans/2026-02-21-agent-economic-actor-operating-model.md +169 -0
  123. package/docs/plans/2026-02-21-trust-os-v1-strategy.md +241 -0
  124. package/docs/research/2026-02-21-agent-spend-host-landscape.md +57 -0
  125. package/docs/spec/AcceptanceCriteria.v1.md +17 -0
  126. package/docs/spec/AcceptanceEvaluation.v1.md +10 -0
  127. package/docs/spec/AgentEvent.v1.md +47 -0
  128. package/docs/spec/AgentIdentity.v1.md +62 -0
  129. package/docs/spec/AgentPassport.v1.md +95 -0
  130. package/docs/spec/AgentReputation.v1.md +59 -0
  131. package/docs/spec/AgentReputation.v2.md +52 -0
  132. package/docs/spec/AgentRun.v1.md +47 -0
  133. package/docs/spec/AgentRunSettlement.v1.md +52 -0
  134. package/docs/spec/AgentWallet.v1.md +43 -0
  135. package/docs/spec/AgreementDelegation.v1.md +109 -0
  136. package/docs/spec/ArbitrationCase.v1.md +67 -0
  137. package/docs/spec/ArbitrationOutcomeMapping.v1.md +62 -0
  138. package/docs/spec/ArbitrationVerdict.v1.md +60 -0
  139. package/docs/spec/BundleHeadAttestation.v1.md +32 -0
  140. package/docs/spec/CANONICAL_JSON.md +31 -0
  141. package/docs/spec/CRYPTOGRAPHY.md +61 -0
  142. package/docs/spec/ClosePack.v1.md +49 -0
  143. package/docs/spec/ClosePackManifest.v1.md +24 -0
  144. package/docs/spec/DelegationGrant.v1.md +90 -0
  145. package/docs/spec/DisputeCaseLifecycle.v1.md +51 -0
  146. package/docs/spec/DisputeOpenEnvelope.v1.md +43 -0
  147. package/docs/spec/ERRORS.md +76 -0
  148. package/docs/spec/ESCROW_NETTING_INVARIANTS.md +71 -0
  149. package/docs/spec/EvidenceIndex.v1.md +20 -0
  150. package/docs/spec/ExecutionIntent.v1.md +90 -0
  151. package/docs/spec/FinancePackBundleManifest.v1.md +24 -0
  152. package/docs/spec/FundingHold.v1.md +60 -0
  153. package/docs/spec/GovernancePolicy.v1.md +34 -0
  154. package/docs/spec/GovernancePolicy.v2.md +30 -0
  155. package/docs/spec/INVARIANTS.md +389 -0
  156. package/docs/spec/InteractionDirectionMatrix.v1.md +30 -0
  157. package/docs/spec/InvoiceBundleManifest.v1.md +24 -0
  158. package/docs/spec/InvoiceClaim.v1.md +11 -0
  159. package/docs/spec/MONEY_RAIL_STATE_MACHINE.md +58 -0
  160. package/docs/spec/MarketplaceAcceptance.v2.md +46 -0
  161. package/docs/spec/MarketplaceOffer.v2.md +54 -0
  162. package/docs/spec/MeteringReport.v1.md +18 -0
  163. package/docs/spec/OperatorAction.v1.md +90 -0
  164. package/docs/spec/PRODUCER_ERRORS.md +42 -0
  165. package/docs/spec/PolicyDecision.v1.md +83 -0
  166. package/docs/spec/PricingMatrix.v1.md +20 -0
  167. package/docs/spec/PricingMatrixSignatures.v1.md +30 -0
  168. package/docs/spec/PricingMatrixSignatures.v2.md +29 -0
  169. package/docs/spec/ProduceCliOutput.v1.md +46 -0
  170. package/docs/spec/ProofBundleManifest.v1.md +24 -0
  171. package/docs/spec/README.md +109 -0
  172. package/docs/spec/REFERENCE_IMPLEMENTATIONS.md +29 -0
  173. package/docs/spec/REFERENCE_VERIFIER_BEHAVIOR.md +68 -0
  174. package/docs/spec/REMOTE_SIGNER.md +66 -0
  175. package/docs/spec/ReleaseIndex.v1.md +32 -0
  176. package/docs/spec/ReleaseIndexSignatures.v1.md +17 -0
  177. package/docs/spec/ReleaseTrust.v1.md +13 -0
  178. package/docs/spec/ReleaseTrust.v2.md +26 -0
  179. package/docs/spec/RemoteSignerRequest.v1.md +21 -0
  180. package/docs/spec/RemoteSignerResponse.v1.md +16 -0
  181. package/docs/spec/ReputationEvent.v1.md +63 -0
  182. package/docs/spec/RevocationList.v1.md +28 -0
  183. package/docs/spec/SIGNER_PROVIDER_PLUGIN.md +32 -0
  184. package/docs/spec/STRICTNESS.md +68 -0
  185. package/docs/spec/SUPPLY_CHAIN.md +33 -0
  186. package/docs/spec/SettlementAdjustment.v1.md +45 -0
  187. package/docs/spec/SettlementDecisionRecord.v1.md +48 -0
  188. package/docs/spec/SettlementDecisionRecord.v2.md +53 -0
  189. package/docs/spec/SettlementDecisionReport.v1.md +44 -0
  190. package/docs/spec/SettlementKernel.v1.md +59 -0
  191. package/docs/spec/SettlementReceipt.v1.md +63 -0
  192. package/docs/spec/SlaDefinition.v1.md +24 -0
  193. package/docs/spec/SlaEvaluation.v1.md +12 -0
  194. package/docs/spec/THREAT_MODEL.md +113 -0
  195. package/docs/spec/TOOL_PROVENANCE.md +30 -0
  196. package/docs/spec/TRUST_ANCHORS.md +84 -0
  197. package/docs/spec/TenantSettings.v1.md +90 -0
  198. package/docs/spec/TenantSettings.v2.md +99 -0
  199. package/docs/spec/TimestampProof.v1.md +25 -0
  200. package/docs/spec/ToolCallAgreement.v1.md +34 -0
  201. package/docs/spec/ToolCallEvidence.v1.md +47 -0
  202. package/docs/spec/ToolManifest.v1.md +47 -0
  203. package/docs/spec/VERIFIER_ENVIRONMENT.md +38 -0
  204. package/docs/spec/VERSIONING.md +107 -0
  205. package/docs/spec/VerificationReport.v1.md +50 -0
  206. package/docs/spec/VerifyAboutOutput.v1.md +10 -0
  207. package/docs/spec/VerifyCliOutput.v1.md +28 -0
  208. package/docs/spec/WARNINGS.md +83 -0
  209. package/docs/spec/error-codes.v1.txt +285 -0
  210. package/docs/spec/examples/agreement_delegation_v1.example.json +21 -0
  211. package/docs/spec/examples/arbitration_case_v1.example.json +26 -0
  212. package/docs/spec/examples/arbitration_verdict_v1.example.json +32 -0
  213. package/docs/spec/examples/dispute_open_envelope_v1.example.json +18 -0
  214. package/docs/spec/examples/produce_cli_output_v1.example.json +32 -0
  215. package/docs/spec/examples/release_index_signature_v1.example.json +9 -0
  216. package/docs/spec/examples/release_index_signatures_v1.example.json +14 -0
  217. package/docs/spec/examples/release_index_v1.example.json +15 -0
  218. package/docs/spec/examples/release_trust_v1.example.json +7 -0
  219. package/docs/spec/examples/release_trust_v2.example.json +22 -0
  220. package/docs/spec/examples/remote_signer_request_v1.example.json +18 -0
  221. package/docs/spec/examples/remote_signer_response_v1.example.json +8 -0
  222. package/docs/spec/examples/reputation_event_v1.example.json +29 -0
  223. package/docs/spec/examples/verification_report_v1.example.json +24 -0
  224. package/docs/spec/examples/verify_about_output_v1.example.json +29 -0
  225. package/docs/spec/examples/verify_cli_output_v1.example.json +13 -0
  226. package/docs/spec/legacy/MarketplaceAcceptance.v1.md +48 -0
  227. package/docs/spec/legacy/MarketplaceOffer.v1.md +56 -0
  228. package/docs/spec/legacy/schemas/MarketplaceAcceptance.v1.schema.json +53 -0
  229. package/docs/spec/legacy/schemas/MarketplaceOffer.v1.schema.json +61 -0
  230. package/docs/spec/producer-error-codes.v1.txt +14 -0
  231. package/docs/spec/schemas/AcceptanceCriteria.v1.schema.json +24 -0
  232. package/docs/spec/schemas/AcceptanceEvaluation.v1.schema.json +26 -0
  233. package/docs/spec/schemas/AgentEvent.v1.schema.json +49 -0
  234. package/docs/spec/schemas/AgentIdentity.v1.schema.json +129 -0
  235. package/docs/spec/schemas/AgentPassport.v1.schema.json +112 -0
  236. package/docs/spec/schemas/AgentReputation.v1.schema.json +151 -0
  237. package/docs/spec/schemas/AgentReputation.v2.schema.json +120 -0
  238. package/docs/spec/schemas/AgentRun.v1.schema.json +71 -0
  239. package/docs/spec/schemas/AgentRunSettlement.v1.schema.json +75 -0
  240. package/docs/spec/schemas/AgentWallet.v1.schema.json +54 -0
  241. package/docs/spec/schemas/AgreementDelegation.v1.schema.json +50 -0
  242. package/docs/spec/schemas/ArbitrationCase.v1.schema.json +133 -0
  243. package/docs/spec/schemas/ArbitrationVerdict.v1.schema.json +149 -0
  244. package/docs/spec/schemas/BundleHeadAttestation.v1.schema.json +21 -0
  245. package/docs/spec/schemas/ClosePackManifest.v1.schema.json +38 -0
  246. package/docs/spec/schemas/DelegationGrant.v1.schema.json +102 -0
  247. package/docs/spec/schemas/DisputeOpenEnvelope.v1.schema.json +78 -0
  248. package/docs/spec/schemas/EvidenceIndex.v1.schema.json +41 -0
  249. package/docs/spec/schemas/ExecutionIntent.v1.schema.json +85 -0
  250. package/docs/spec/schemas/FinancePackBundleManifest.v1.schema.json +38 -0
  251. package/docs/spec/schemas/FundingHold.v1.schema.json +46 -0
  252. package/docs/spec/schemas/GovernancePolicy.v1.schema.json +45 -0
  253. package/docs/spec/schemas/GovernancePolicy.v2.schema.json +70 -0
  254. package/docs/spec/schemas/InteractionDirectionMatrix.v1.schema.json +43 -0
  255. package/docs/spec/schemas/InvoiceBundleManifest.v1.schema.json +38 -0
  256. package/docs/spec/schemas/InvoiceClaim.v1.schema.json +39 -0
  257. package/docs/spec/schemas/MarketplaceAcceptance.v2.schema.json +53 -0
  258. package/docs/spec/schemas/MarketplaceOffer.v2.schema.json +61 -0
  259. package/docs/spec/schemas/MeteringReport.v1.schema.json +45 -0
  260. package/docs/spec/schemas/OperatorAction.v1.schema.json +113 -0
  261. package/docs/spec/schemas/PolicyDecision.v1.schema.json +74 -0
  262. package/docs/spec/schemas/PricingMatrix.v1.schema.json +24 -0
  263. package/docs/spec/schemas/PricingMatrixSignatures.v1.schema.json +24 -0
  264. package/docs/spec/schemas/PricingMatrixSignatures.v2.schema.json +24 -0
  265. package/docs/spec/schemas/ProduceCliOutput.v1.schema.json +107 -0
  266. package/docs/spec/schemas/ProofBundleManifest.v1.schema.json +37 -0
  267. package/docs/spec/schemas/PublicKeys.v1.schema.json +33 -0
  268. package/docs/spec/schemas/ReleaseIndex.v1.schema.json +45 -0
  269. package/docs/spec/schemas/ReleaseIndexSignature.v1.schema.json +16 -0
  270. package/docs/spec/schemas/ReleaseIndexSignatures.v1.schema.json +16 -0
  271. package/docs/spec/schemas/ReleaseTrust.v1.schema.json +15 -0
  272. package/docs/spec/schemas/ReleaseTrust.v2.schema.json +37 -0
  273. package/docs/spec/schemas/RemoteSignerPublicKeyResponse.v1.schema.json +14 -0
  274. package/docs/spec/schemas/RemoteSignerRequest.v1.schema.json +24 -0
  275. package/docs/spec/schemas/RemoteSignerResponse.v1.schema.json +10 -0
  276. package/docs/spec/schemas/RemoteSignerSignRequest.v1.schema.json +27 -0
  277. package/docs/spec/schemas/RemoteSignerSignResponse.v1.schema.json +16 -0
  278. package/docs/spec/schemas/ReputationEvent.v1.schema.json +164 -0
  279. package/docs/spec/schemas/RevocationList.v1.schema.json +51 -0
  280. package/docs/spec/schemas/SettlementAdjustment.v1.schema.json +44 -0
  281. package/docs/spec/schemas/SettlementDecisionRecord.v1.schema.json +66 -0
  282. package/docs/spec/schemas/SettlementDecisionRecord.v2.schema.json +149 -0
  283. package/docs/spec/schemas/SettlementDecisionReport.v1.schema.json +61 -0
  284. package/docs/spec/schemas/SettlementReceipt.v1.schema.json +135 -0
  285. package/docs/spec/schemas/SlaDefinition.v1.schema.json +33 -0
  286. package/docs/spec/schemas/SlaEvaluation.v1.schema.json +26 -0
  287. package/docs/spec/schemas/TenantSettings.v1.schema.json +90 -0
  288. package/docs/spec/schemas/TenantSettings.v2.schema.json +161 -0
  289. package/docs/spec/schemas/TimestampProof.v1.schema.json +17 -0
  290. package/docs/spec/schemas/ToolCallAgreement.v1.schema.json +34 -0
  291. package/docs/spec/schemas/ToolCallEvidence.v1.schema.json +45 -0
  292. package/docs/spec/schemas/ToolManifest.v1.schema.json +54 -0
  293. package/docs/spec/schemas/VerificationReport.v1.schema.json +83 -0
  294. package/docs/spec/schemas/VerifyAboutOutput.v1.schema.json +54 -0
  295. package/docs/spec/schemas/VerifyCliOutput.v1.schema.json +75 -0
  296. package/docs/spec/schemas/VerifyReleaseOutput.v1.schema.json +47 -0
  297. package/docs/spec/x402-error-codes.v1.txt +35 -0
  298. package/docs/templates/buyer-email.txt +18 -0
  299. package/docs/templates/buyer-one-pager.md +24 -0
  300. package/package.json +53 -6
  301. package/scripts/acceptance/full-stack.mjs +734 -0
  302. package/scripts/acceptance/full-stack.sh +99 -0
  303. package/scripts/audit/build-audit-packet.mjs +242 -0
  304. package/scripts/backup-pg.sh +45 -0
  305. package/scripts/backup-restore/README.md +18 -0
  306. package/scripts/backup-restore/capture-state.mjs +130 -0
  307. package/scripts/backup-restore/client.mjs +97 -0
  308. package/scripts/backup-restore/seed-workload.mjs +235 -0
  309. package/scripts/backup-restore/verify-state.mjs +139 -0
  310. package/scripts/backup-restore-test.sh +217 -0
  311. package/scripts/chaos.js +221 -0
  312. package/scripts/ci/build-launch-cutover-packet.mjs +304 -0
  313. package/scripts/ci/build-self-serve-benchmark-report.mjs +122 -0
  314. package/scripts/ci/changelog-guard.mjs +145 -0
  315. package/scripts/ci/check-kernel-v0-launch-gate.mjs +233 -0
  316. package/scripts/ci/check-secret-hygiene.mjs +78 -0
  317. package/scripts/ci/check-version-consistency.mjs +42 -0
  318. package/scripts/ci/cli-pack-smoke.mjs +160 -0
  319. package/scripts/ci/flake-budget-guard.mjs +68 -0
  320. package/scripts/ci/generate-error-codes.mjs +54 -0
  321. package/scripts/ci/lib/lighthouse-tracker.mjs +90 -0
  322. package/scripts/ci/lib/self-serve-launch-gate.mjs +89 -0
  323. package/scripts/ci/npm-pack-smoke.mjs +454 -0
  324. package/scripts/ci/run-10x-throughput-drill.mjs +318 -0
  325. package/scripts/ci/run-10x-throughput-incident-rehearsal.mjs +368 -0
  326. package/scripts/ci/run-arbitration-workspace-browser-e2e.sh +22 -0
  327. package/scripts/ci/run-circle-sandbox-smoke.mjs +237 -0
  328. package/scripts/ci/run-go-live-gate.mjs +150 -0
  329. package/scripts/ci/run-kernel-v0-ship-gate.mjs +97 -0
  330. package/scripts/ci/run-mcp-host-cert-matrix.mjs +201 -0
  331. package/scripts/ci/run-mcp-host-smoke.mjs +473 -0
  332. package/scripts/ci/run-offline-verification-parity-gate.mjs +762 -0
  333. package/scripts/ci/run-onboarding-host-success-gate.mjs +516 -0
  334. package/scripts/ci/run-onboarding-policy-slo-gate.mjs +537 -0
  335. package/scripts/ci/run-production-cutover-gate.mjs +540 -0
  336. package/scripts/ci/run-public-openclaw-npx-smoke.mjs +148 -0
  337. package/scripts/ci/run-release-promotion-guard.mjs +756 -0
  338. package/scripts/ci/run-self-serve-launch-gate.mjs +56 -0
  339. package/scripts/ci/runtime-import-smoke.mjs +58 -0
  340. package/scripts/ci/update-lighthouse-tracker.mjs +112 -0
  341. package/scripts/closepack/lib.mjs +286 -0
  342. package/scripts/collect-debug.sh +263 -0
  343. package/scripts/demo/compositional-settlement-3hop.mjs +237 -0
  344. package/scripts/demo/delivery-robot/export-ui-fixture.mjs +188 -0
  345. package/scripts/demo/delivery-robot/generate.mjs +377 -0
  346. package/scripts/demo/kernel-agent-goes-shopping.mjs +202 -0
  347. package/scripts/demo/magic-link-first-green.mjs +118 -0
  348. package/scripts/demo/magic-link-kind-smoke.mjs +577 -0
  349. package/scripts/demo/mcp-paid-exa.mjs +1110 -0
  350. package/scripts/dev/billing-doctor.sh +145 -0
  351. package/scripts/dev/billing-smoke-prod.sh +219 -0
  352. package/scripts/dev/billing-webhook-replay.sh +161 -0
  353. package/scripts/dev/env.dev.example +29 -0
  354. package/scripts/dev/env.sh +37 -0
  355. package/scripts/dev/new-sdk-key.sh +81 -0
  356. package/scripts/dev/sdk-first-run.sh +21 -0
  357. package/scripts/dev/smoke-x402-gateway.sh +115 -0
  358. package/scripts/dev/start-api.sh +24 -0
  359. package/scripts/doctor/mcp-host.mjs +120 -0
  360. package/scripts/examples/produce-and-verify-jobproof.mjs +191 -0
  361. package/scripts/examples/sdk-first-paid-rfq.py +105 -0
  362. package/scripts/examples/sdk-first-verified-run.mjs +85 -0
  363. package/scripts/examples/sdk-first-verified-run.py +99 -0
  364. package/scripts/examples/sdk-tenant-analytics.mjs +103 -0
  365. package/scripts/examples/sdk-tenant-analytics.py +118 -0
  366. package/scripts/finance-pack/bundle.mjs +284 -0
  367. package/scripts/fixtures/generate-bundle-fixtures.mjs +877 -0
  368. package/scripts/governance/export.mjs +169 -0
  369. package/scripts/load/delivery-stress.k6.js +183 -0
  370. package/scripts/load/ingest-burst.k6.js +236 -0
  371. package/scripts/load/run-delivery-load.js +66 -0
  372. package/scripts/load/webhook-receiver.js +131 -0
  373. package/scripts/magic-link/migrate-run-records-to-db.mjs +35 -0
  374. package/scripts/mcp/probe.mjs +238 -0
  375. package/scripts/mcp/settld-mcp-http-gateway.mjs +178 -0
  376. package/scripts/mcp/settld-mcp-server.mjs +1511 -0
  377. package/scripts/openapi/write.mjs +13 -0
  378. package/scripts/ops/bootstrap-tenant-conformance.mjs +185 -0
  379. package/scripts/ops/build-x402-pilot-reliability-report.mjs +489 -0
  380. package/scripts/ops/check-x402-receipt-sample.mjs +181 -0
  381. package/scripts/ops/design-partner-run-packet.mjs +466 -0
  382. package/scripts/ops/dispute-finance-reconciliation-packet.mjs +313 -0
  383. package/scripts/ops/hosted-baseline-evidence.mjs +890 -0
  384. package/scripts/ops/money-rails-chargeback-evidence.mjs +509 -0
  385. package/scripts/ops/money-rails-reconcile-evidence.mjs +180 -0
  386. package/scripts/ops/p0-seed-money-rail-operation.mjs +432 -0
  387. package/scripts/ops/run-x402-hitl-smoke.mjs +607 -0
  388. package/scripts/pilot/finance-pack.mjs +495 -0
  389. package/scripts/pilot/fixtures/robot-keypair.json +4 -0
  390. package/scripts/pilot/fixtures/server-signer.json +4 -0
  391. package/scripts/policy/cli.mjs +600 -0
  392. package/scripts/profile/cli.mjs +1324 -0
  393. package/scripts/proof-bundle/job.mjs +109 -0
  394. package/scripts/proof-bundle/lib.mjs +92 -0
  395. package/scripts/proof-bundle/month.mjs +103 -0
  396. package/scripts/provider/conformance-run.mjs +159 -0
  397. package/scripts/provider/keys-generate.mjs +135 -0
  398. package/scripts/provider/publish.mjs +420 -0
  399. package/scripts/quickstart/x402.mjs +334 -0
  400. package/scripts/register-entity-secret.mjs +102 -0
  401. package/scripts/release/build-artifacts.mjs +181 -0
  402. package/scripts/release/generate-release-index.mjs +112 -0
  403. package/scripts/release/release-index-lib.mjs +232 -0
  404. package/scripts/release/sign-release-index.mjs +85 -0
  405. package/scripts/release/validate-release-assets.mjs +170 -0
  406. package/scripts/release/verify-release.mjs +261 -0
  407. package/scripts/restore-pg.sh +34 -0
  408. package/scripts/scaffold/create-settld-paid-tool.mjs +19 -0
  409. package/scripts/sdk/smoke-python.py +30 -0
  410. package/scripts/sdk/smoke.mjs +16 -0
  411. package/scripts/settlement/x402-batch-worker.mjs +1091 -0
  412. package/scripts/setup/circle-bootstrap.mjs +310 -0
  413. package/scripts/setup/host-config.mjs +617 -0
  414. package/scripts/setup/onboard.mjs +1337 -0
  415. package/scripts/setup/openclaw-onboard.mjs +423 -0
  416. package/scripts/setup/wizard.mjs +986 -0
  417. package/scripts/slo/check.mjs +239 -0
  418. package/scripts/smoke/k8s-smoke.mjs +214 -0
  419. package/scripts/spec/generate-protocol-vectors.mjs +1019 -0
  420. package/scripts/test/check-no-generated-artifacts.sh +12 -0
  421. package/scripts/test/run.sh +59 -0
  422. package/scripts/trust/validate-trust-file.mjs +57 -0
  423. package/scripts/trust-config/rotate-settld-pay.mjs +277 -0
  424. package/scripts/trust-config/wizard.mjs +161 -0
  425. package/scripts/vendor-contract-test-lib.mjs +182 -0
  426. package/scripts/vendor-contract-test.mjs +55 -0
  427. package/scripts/vercel/build-mkdocs.sh +9 -0
  428. package/scripts/vercel/ignore-mkdocs.sh +25 -0
  429. package/scripts/vercel/install-mkdocs.sh +6 -0
  430. package/scripts/verify-pg.js +217 -0
  431. package/scripts/x402/receipt-verify.mjs +289 -0
  432. package/services/finance-sink/src/dedupe-store.js +29 -6
  433. package/services/receiver/src/dedupe-store.js +29 -5
  434. package/services/x402-gateway/Dockerfile +13 -0
  435. package/services/x402-gateway/README.md +58 -0
  436. package/services/x402-gateway/examples/upstream-mock.js +337 -0
  437. package/services/x402-gateway/src/server.js +1058 -0
  438. package/src/api/app.js +34658 -16940
  439. package/src/api/maintenance.js +70 -0
  440. package/src/api/middleware/trust-kernel.js +114 -0
  441. package/src/api/openapi.js +1778 -70
  442. package/src/api/persistence.js +456 -0
  443. package/src/api/server.js +81 -5
  444. package/src/api/store.js +1581 -62
  445. package/src/api/workers/deliveries.js +99 -4
  446. package/src/api/workers/insolvency-sweep.js +159 -0
  447. package/src/core/agent-card.js +69 -0
  448. package/src/core/agent-wallets.js +231 -0
  449. package/src/core/agreement-delegation.js +549 -0
  450. package/src/core/billing-plans.js +40 -6
  451. package/src/core/circle-reserve-adapter.js +845 -0
  452. package/src/core/event-policy.js +21 -2
  453. package/src/core/maintenance-locks.js +1 -0
  454. package/src/core/operator-action.js +303 -0
  455. package/src/core/paid-tool-manifest.js +318 -0
  456. package/src/core/policy-decision.js +322 -0
  457. package/src/core/policy-packs.js +207 -0
  458. package/src/core/profile-fingerprint.js +27 -0
  459. package/src/core/profile-simulation-reasons.js +84 -0
  460. package/src/core/profile-templates.js +242 -0
  461. package/src/core/provider-publish-conformance.js +525 -0
  462. package/src/core/provider-publish-proof.js +396 -0
  463. package/src/core/provider-quote-signature.js +170 -0
  464. package/src/core/settld-keys.js +112 -0
  465. package/src/core/settld-pay-token.js +344 -0
  466. package/src/core/settlement-kernel.js +239 -2
  467. package/src/core/settlement-verifier.js +335 -0
  468. package/src/core/tool-call-agreement.js +112 -0
  469. package/src/core/tool-call-evidence.js +144 -0
  470. package/src/core/tool-provider-signature.js +98 -0
  471. package/src/core/wallet-assignment-resolver.js +129 -0
  472. package/src/core/wallet-provider-bootstrap.js +365 -0
  473. package/src/core/x402-escalation-override.js +258 -0
  474. package/src/core/x402-gate.js +118 -0
  475. package/src/core/x402-provider-refund-decision.js +220 -0
  476. package/src/core/x402-receipt-verifier.js +708 -0
  477. package/src/core/x402-reversal-command.js +251 -0
  478. package/src/core/x402-wallet-issuer-decision.js +252 -0
  479. package/src/core/zk-verifier.js +300 -0
  480. package/src/db/migrations/029_reputation_event_index.sql +54 -0
  481. package/src/db/migrations/030_artifacts_source_event_unique_job_only.sql +15 -0
  482. package/src/db/pg.js +18 -7
  483. package/src/db/store-pg.js +1508 -111
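--- a/package/scripts/proof-bundle/job.mjs
+++ b/package/scripts/proof-bundle/job.mjs
@@ -0,0 +1,109 @@
+import path from "node:path";
+
+import { createPgStore } from "../../src/db/store-pg.js";
+import { normalizeTenantId, DEFAULT_TENANT_ID } from "../../src/core/tenancy.js";
+import { GOVERNANCE_STREAM_ID } from "../../src/core/governance.js";
+import { buildJobProofBundleV1 } from "../../src/core/proof-bundle.js";
+
+import { ensureDir, writeFilesToDir, writeZipFromDir } from "./lib.mjs";
+
+function readArg(name) {
+const idx = process.argv.indexOf(name);
+if (idx === -1) return null;
+return process.argv[idx + 1] ?? null;
+}
+
+const DATABASE_URL = process.env.DATABASE_URL ?? null;
+if (!DATABASE_URL) throw new Error("DATABASE_URL is required");
+
+const tenantId = normalizeTenantId(process.env.TENANT_ID ?? readArg("--tenant") ?? DEFAULT_TENANT_ID);
+const jobId = readArg("--job") ?? readArg("--jobId") ?? null;
+if (!jobId) throw new Error("usage: DATABASE_URL=... node scripts/proof-bundle/job.mjs --job <jobId> [--out <dir>] [--zip]");
+
+const outBase = readArg("--out") ?? path.join("demo", "proof-bundles");
+const zipFlag = process.argv.includes("--zip");
+
+const store = await createPgStore({ databaseUrl: DATABASE_URL, schema: process.env.PROXY_PG_SCHEMA ?? "public", migrateOnStartup: true });
+try {
+const jobEvents = await store.listAggregateEvents({ tenantId, aggregateType: "job", aggregateId: String(jobId) });
+if (!jobEvents.length) throw new Error("job not found");
+const jobSnapshot = await store.getJob({ tenantId, jobId: String(jobId) });
+if (!jobSnapshot) throw new Error("job snapshot not found");
+
+const artifacts = await store.listArtifacts({ tenantId, jobId: String(jobId) });
+const tenantGovernanceEvents = await store.listAggregateEvents({ tenantId, aggregateType: "month", aggregateId: GOVERNANCE_STREAM_ID });
+const tenantGovernanceSnapshot = {
+streamId: GOVERNANCE_STREAM_ID,
+lastChainHash: tenantGovernanceEvents.length ? tenantGovernanceEvents[tenantGovernanceEvents.length - 1]?.chainHash ?? null : null,
+lastEventId: tenantGovernanceEvents.length ? tenantGovernanceEvents[tenantGovernanceEvents.length - 1]?.id ?? null : null
+};
+const governanceEvents = await store.listAggregateEvents({ tenantId: DEFAULT_TENANT_ID, aggregateType: "month", aggregateId: GOVERNANCE_STREAM_ID });
+const governanceSnapshot = {
+streamId: GOVERNANCE_STREAM_ID,
+lastChainHash: governanceEvents.length ? governanceEvents[governanceEvents.length - 1]?.chainHash ?? null : null,
+lastEventId: governanceEvents.length ? governanceEvents[governanceEvents.length - 1]?.id ?? null : null
+};
+
+const contractDocsByHash = new Map();
+const customerContractHash = jobSnapshot?.booking?.customerContractHash ?? null;
+const operatorContractHash = jobSnapshot?.operatorContractHash ?? null;
+for (const h of [customerContractHash, operatorContractHash]) {
+if (typeof h !== "string" || !h.trim()) continue;
+if (typeof store.getContractV2ByHash === "function") {
+// eslint-disable-next-line no-await-in-loop
+const rec = await store.getContractV2ByHash({ tenantId, contractHash: String(h) });
+if (rec?.doc) contractDocsByHash.set(String(h), rec.doc);
+}
+}
+
+const publicKeyByKeyId = store.publicKeyByKeyId instanceof Map ? store.publicKeyByKeyId : new Map();
+const resolvedSignerKeys = (() => {
+if (typeof store.listSignerKeys !== "function") return Promise.resolve([]);
+return (async () => {
+const tenantKeys = await store.listSignerKeys({ tenantId });
+const defaultKeys = await store.listSignerKeys({ tenantId: DEFAULT_TENANT_ID });
+const all = [...(tenantKeys ?? []), ...(defaultKeys ?? [])];
+const byKeyId = new Map();
+for (const r of all) {
+const keyId = r?.keyId ? String(r.keyId) : null;
+if (!keyId) continue;
+byKeyId.set(keyId, r);
+}
+return Array.from(byKeyId.values());
+})();
+})();
+const signerKeys = await resolvedSignerKeys;
+const generatedAt = store.nowIso ? store.nowIso() : new Date().toISOString();
+const manifestSigner = store?.serverSigner ? { keyId: store.serverSigner.keyId, privateKeyPem: store.serverSigner.privateKeyPem } : null;
+
+const { files, bundle } = buildJobProofBundleV1({
+tenantId,
+jobId: String(jobId),
+jobEvents,
+jobSnapshot,
+governanceEvents,
+governanceSnapshot,
+tenantGovernanceEvents,
+tenantGovernanceSnapshot,
+artifacts,
+contractDocsByHash,
+publicKeyByKeyId,
+signerKeys,
+manifestSigner,
+generatedAt
+});
+
+const outDir = path.join(outBase, `job_${tenantId}_${String(jobId)}_${bundle.manifestHash.slice(0, 12)}`);
+ensureDir(outDir);
+writeFilesToDir({ files, outDir });
+
+if (zipFlag) {
+const zipPath = `${outDir}.zip`;
+await writeZipFromDir({ dir: outDir, outPath: zipPath });
+process.stdout.write(`${zipPath}\n`);
+} else {
+process.stdout.write(`${outDir}\n`);
+}
+} finally {
+await store.close?.();
+}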
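Review bot: The `createPgStore` call passes `migrateOnStartup: true`, so this export script may apply schema migrations to whatever database `DATABASE_URL` names before it reads anything, and it presumably cannot run under a read-only role. Every store call visible here is a list or get, so `migrateOnStartup: false` looks like the safer setting, though the flag's exact behaviour lives in store-pg.js, outside this section. Separately, `outDir` interpolates `tenantId` and `jobId` into one `path.join` segment, and `path.join` normalizes `..`, so an id containing a path separator would resolve outside `outBase`. The `job not found` check limits that to ids already in the store, but a guard before the join such as `if (!/^[A-Za-z0-9_.-]+$/.test(String(jobId))) throw new Error("invalid jobId");` would not depend on what the store accepts. I would also add a comment above `manifestSigner` stating that `privateKeyPem` is passed to `buildJobProofBundleV1` for signing only and must never end up in `files`, which are written to disk.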
@@ -0,0 +1,92 @@
1
+ import fs from "node:fs";
2
+ import path from "node:path";
3
+ import { spawn } from "node:child_process";
4
+
5
+ export function ensureDir(dir) {
6
+ fs.mkdirSync(dir, { recursive: true });
7
+ }
8
+
9
+ export function writeFilesToDir({ files, outDir }) {
10
+ if (!(files instanceof Map)) throw new TypeError("files must be a Map");
11
+ if (!outDir) throw new TypeError("outDir is required");
12
+ ensureDir(outDir);
13
+
14
+ // Deterministic: do not depend on Map insertion order.
15
+ const entries = Array.from(files.entries()).sort(([a], [b]) => a.localeCompare(b));
16
+ for (const [name, bytes] of entries) {
17
+ const full = path.join(outDir, name);
18
+ ensureDir(path.dirname(full));
19
+ fs.writeFileSync(full, Buffer.from(bytes));
20
+ }
21
+ }
22
+
23
+ export async function writeZipFromDir({ dir, outPath, mtime = new Date("2000-01-01T00:00:00.000Z") } = {}) {
24
+ if (!dir) throw new Error("dir is required");
25
+ if (!outPath) throw new Error("outPath is required");
26
+
27
+ // Avoid npm dependencies: use Python's stdlib zipfile for deterministic zips.
28
+ // We set a constant timestamp for all entries to keep bytes stable across reruns.
29
+ const mtimeUtc = new Date(mtime);
30
+ if (!Number.isFinite(mtimeUtc.getTime())) throw new Error("mtime must be a valid Date");
31
+ const dt = [
32
+ mtimeUtc.getUTCFullYear(),
33
+ mtimeUtc.getUTCMonth() + 1,
34
+ mtimeUtc.getUTCDate(),
35
+ mtimeUtc.getUTCHours(),
36
+ mtimeUtc.getUTCMinutes(),
37
+ mtimeUtc.getUTCSeconds()
38
+ ];
39
+
40
+ const compression = arguments[0]?.compression ?? "deflated";
41
+ const compressionMode = String(compression).toLowerCase();
42
+ if (compressionMode !== "deflated" && compressionMode !== "stored") {
43
+ throw new Error('compression must be "deflated" or "stored"');
44
+ }
45
+ const zipCompression = compressionMode === "stored" ? "ZIP_STORED" : "ZIP_DEFLATED";
46
+
47
+ const pyCode = `
48
+ import os, sys, zipfile
49
+
50
+ src = sys.argv[1]
51
+ out = sys.argv[2]
52
+ dt = tuple(int(x) for x in sys.argv[3].split(","))
53
+ mode = sys.argv[4]
54
+ compression = zipfile.ZIP_STORED if mode == "ZIP_STORED" else zipfile.ZIP_DEFLATED
55
+
56
+ files = []
57
+ for root, dirs, filenames in os.walk(src):
58
+ dirs.sort()
59
+ for fn in sorted(filenames):
60
+ full = os.path.join(root, fn)
61
+ rel = os.path.relpath(full, src).replace(os.sep, "/")
62
+ files.append((full, rel))
63
+
64
+ zf = zipfile.ZipFile(out, "w", compression=compression)
65
+ try:
66
+ for full, rel in files:
67
+ zi = zipfile.ZipInfo(rel, date_time=dt)
68
+ zi.compress_type = compression
69
+ with open(full, "rb") as f:
70
+ zf.writestr(zi, f.read())
71
+ finally:
72
+ zf.close()
73
+ `.trim();
74
+
75
+ const py = spawn(
76
+ "python3",
77
+ [
78
+ "-c",
79
+ pyCode,
80
+ dir,
81
+ outPath,
82
+ dt.join(","),
83
+ zipCompression
84
+ ],
85
+ { stdio: "inherit" }
86
+ );
87
+
88
+ await new Promise((resolve, reject) => {
89
+ py.on("error", reject);
90
+ py.on("exit", (code) => (code === 0 ? resolve() : reject(new Error(`python3 zip failed with exit code ${code}`))));
91
+ });
92
+ }
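Review bot: In `writeFilesToDir`, each Map key is joined onto `outDir` and written without checking that the result stays inside `outDir`, so a name containing `..` segments would be written elsewhere on disk. The names come from the bundle builder, which is not shown here, so whether they can carry externally influenced text is unverified, but a containment check at the write site is cheap. Resolve both sides and refuse escapes: `const root = path.resolve(outDir); const full = path.resolve(root, name);` followed by `if (!full.startsWith(root + path.sep)) throw new Error(`entry escapes outDir: ${name}`);`. Separately, `writeZipFromDir` reads `compression` through `arguments[0]` although the options object is already destructured; adding `compression = "deflated"` to the parameter list says the same thing more plainly.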
@@ -0,0 +1,103 @@
1
+ import path from "node:path";
2
+
3
+ import { createPgStore } from "../../src/db/store-pg.js";
4
+ import { normalizeTenantId, DEFAULT_TENANT_ID } from "../../src/core/tenancy.js";
5
+ import { GOVERNANCE_STREAM_ID } from "../../src/core/governance.js";
6
+ import { MONTH_CLOSE_BASIS, makeMonthCloseStreamId } from "../../src/core/month-close.js";
7
+ import { buildMonthProofBundleV1 } from "../../src/core/proof-bundle.js";
8
+
9
+ import { ensureDir, writeFilesToDir, writeZipFromDir } from "./lib.mjs";
10
+
11
+ function readArg(name) {
12
+ const idx = process.argv.indexOf(name);
13
+ if (idx === -1) return null;
14
+ return process.argv[idx + 1] ?? null;
15
+ }
16
+
17
+ const DATABASE_URL = process.env.DATABASE_URL ?? null;
18
+ if (!DATABASE_URL) throw new Error("DATABASE_URL is required");
19
+
20
+ const tenantId = normalizeTenantId(process.env.TENANT_ID ?? readArg("--tenant") ?? DEFAULT_TENANT_ID);
21
+ const period = readArg("--period") ?? readArg("--month") ?? null;
22
+ if (!period) throw new Error("usage: DATABASE_URL=... node scripts/proof-bundle/month.mjs --period YYYY-MM [--out <dir>] [--zip]");
23
+
24
+ const basis = String(readArg("--basis") ?? MONTH_CLOSE_BASIS.SETTLED_AT);
25
+ const outBase = readArg("--out") ?? path.join("demo", "proof-bundles");
26
+ const zipFlag = process.argv.includes("--zip");
27
+
28
+ const store = await createPgStore({ databaseUrl: DATABASE_URL, schema: process.env.PROXY_PG_SCHEMA ?? "public", migrateOnStartup: true });
29
+ try {
30
+ const monthId = makeMonthCloseStreamId({ month: String(period), basis });
31
+ const monthEvents = await store.listAggregateEvents({ tenantId, aggregateType: "month", aggregateId: monthId });
32
+ if (!monthEvents.length) throw new Error("month close stream not found");
33
+
34
+ const artifacts = await store.listArtifacts({ tenantId });
35
+ const monthArtifacts = artifacts.filter((a) => {
36
+ if (!a || typeof a !== "object") return false;
37
+ if (a.period && String(a.period) === String(period)) return true; // GLBatch.v1
38
+ if (a.month && String(a.month) === String(period)) return true; // MonthlyStatement.v1
39
+ if (a.period && String(a.period) === String(period)) return true; // PartyStatement/PayoutInstruction include period
40
+ return false;
41
+ });
42
+
43
+ const publicKeyByKeyId = store.publicKeyByKeyId instanceof Map ? store.publicKeyByKeyId : new Map();
44
+ let signerKeys = [];
45
+ if (typeof store.listSignerKeys === "function") {
46
+ const tenantKeys = await store.listSignerKeys({ tenantId });
47
+ const defaultKeys = await store.listSignerKeys({ tenantId: DEFAULT_TENANT_ID });
48
+ const all = [...(tenantKeys ?? []), ...(defaultKeys ?? [])];
49
+ const byKeyId = new Map();
50
+ for (const r of all) {
51
+ const keyId = r?.keyId ? String(r.keyId) : null;
52
+ if (!keyId) continue;
53
+ byKeyId.set(keyId, r);
54
+ }
55
+ signerKeys = Array.from(byKeyId.values());
56
+ }
57
+ const generatedAt = store.nowIso ? store.nowIso() : new Date().toISOString();
58
+ const manifestSigner = store?.serverSigner ? { keyId: store.serverSigner.keyId, privateKeyPem: store.serverSigner.privateKeyPem } : null;
59
+ const tenantGovernanceEvents = await store.listAggregateEvents({ tenantId, aggregateType: "month", aggregateId: GOVERNANCE_STREAM_ID });
60
+ const tenantGovernanceSnapshot = {
61
+ streamId: GOVERNANCE_STREAM_ID,
62
+ lastChainHash: tenantGovernanceEvents.length ? tenantGovernanceEvents[tenantGovernanceEvents.length - 1]?.chainHash ?? null : null,
63
+ lastEventId: tenantGovernanceEvents.length ? tenantGovernanceEvents[tenantGovernanceEvents.length - 1]?.id ?? null : null
64
+ };
65
+ const governanceEvents = await store.listAggregateEvents({ tenantId: DEFAULT_TENANT_ID, aggregateType: "month", aggregateId: GOVERNANCE_STREAM_ID });
66
+ const governanceSnapshot = {
67
+ streamId: GOVERNANCE_STREAM_ID,
68
+ lastChainHash: governanceEvents.length ? governanceEvents[governanceEvents.length - 1]?.chainHash ?? null : null,
69
+ lastEventId: governanceEvents.length ? governanceEvents[governanceEvents.length - 1]?.id ?? null : null
70
+ };
71
+
72
+ const { files, bundle } = buildMonthProofBundleV1({
73
+ tenantId,
74
+ period: String(period),
75
+ basis,
76
+ monthEvents,
77
+ governanceEvents,
78
+ governanceSnapshot,
79
+ tenantGovernanceEvents,
80
+ tenantGovernanceSnapshot,
81
+ artifacts: monthArtifacts,
82
+ contractDocsByHash: new Map(),
83
+ publicKeyByKeyId,
84
+ signerKeys,
85
+ manifestSigner,
86
+ requireHeadAttestation: true,
87
+ generatedAt
88
+ });
89
+
90
+ const outDir = path.join(outBase, `month_${tenantId}_${String(period)}_${bundle.manifestHash.slice(0, 12)}`);
91
+ ensureDir(outDir);
92
+ writeFilesToDir({ files, outDir });
93
+
94
+ if (zipFlag) {
95
+ const zipPath = `${outDir}.zip`;
96
+ await writeZipFromDir({ dir: outDir, outPath: zipPath });
97
+ process.stdout.write(`${zipPath}\n`);
98
+ } else {
99
+ process.stdout.write(`${outDir}\n`);
100
+ }
101
+ } finally {
102
+ await store.close?.();
103
+ }
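Review bot: `createPgStore` is opened with `migrateOnStartup: true` in a script that otherwise only lists events and artifacts and writes a bundle to disk. If the option does what its name suggests, an export run can alter the schema, and the role in `DATABASE_URL` needs DDL rights where read access would do. Passing `migrateOnStartup: false` would let the export run under a read-only credential and fail on a stale schema instead of changing it. In the `monthArtifacts` filter, the third test repeats the first (`a.period` against `period`) and can never change the outcome; it should be dropped or replaced with the field it was meant to check. `--period` also reaches the output directory name with no format check in this file, so a `/^\d{4}-\d{2}$/` test before use would match the usage string.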
@@ -0,0 +1,159 @@
1
+ #!/usr/bin/env node
2
+ import fs from "node:fs";
3
+ import path from "node:path";
4
+
5
+ function usage() {
6
+ return [
7
+ "Usage:",
8
+ " node scripts/provider/conformance-run.mjs --manifest <file> --base-url <providerBaseUrl> [options]",
9
+ "",
10
+ "Options:",
11
+ " --api-url <url> Settld API base URL (default: SETTLD_API_URL or http://127.0.0.1:3000)",
12
+ " --api-key <token> Settld API key (default: SETTLD_API_KEY)",
13
+ " --tenant-id <id> Tenant id header (default: SETTLD_TENANT_ID or tenant_default)",
14
+ " --tool-id <toolId> Run conformance against a specific tool id",
15
+ " --provider-id <providerId> Override provider id (must match manifest.providerId)",
16
+ " --provider-key-file <path> Provider signing public key PEM file",
17
+ " --provider-key-pem <pem> Provider signing public key PEM inline",
18
+ " --json-out <file> Write report JSON to file",
19
+ " --allow-fail Exit 0 even when conformance fails",
20
+ " --help Show this help"
21
+ ].join("\n");
22
+ }
23
+
24
+ function parseArgs(argv) {
25
+ const out = {
26
+ apiUrl: process.env.SETTLD_API_URL || "http://127.0.0.1:3000",
27
+ apiKey: process.env.SETTLD_API_KEY || null,
28
+ tenantId: process.env.SETTLD_TENANT_ID || "tenant_default",
29
+ manifestPath: null,
30
+ baseUrl: null,
31
+ toolId: null,
32
+ providerId: null,
33
+ providerKeyFile: null,
34
+ providerKeyPem: null,
35
+ jsonOut: null,
36
+ allowFail: false,
37
+ help: false
38
+ };
39
+ for (let i = 0; i < argv.length; i += 1) {
40
+ const arg = String(argv[i] ?? "");
41
+ if (arg === "--help" || arg === "-h") out.help = true;
42
+ else if (arg === "--allow-fail") out.allowFail = true;
43
+ else if (arg === "--manifest") out.manifestPath = String(argv[++i] ?? "").trim();
44
+ else if (arg === "--base-url") out.baseUrl = String(argv[++i] ?? "").trim();
45
+ else if (arg === "--api-url") out.apiUrl = String(argv[++i] ?? "").trim();
46
+ else if (arg === "--api-key") out.apiKey = String(argv[++i] ?? "").trim();
47
+ else if (arg === "--tenant-id") out.tenantId = String(argv[++i] ?? "").trim();
48
+ else if (arg === "--tool-id") out.toolId = String(argv[++i] ?? "").trim();
49
+ else if (arg === "--provider-id") out.providerId = String(argv[++i] ?? "").trim();
50
+ else if (arg === "--provider-key-file") out.providerKeyFile = String(argv[++i] ?? "").trim();
51
+ else if (arg === "--provider-key-pem") out.providerKeyPem = String(argv[++i] ?? "").trim();
52
+ else if (arg === "--json-out") out.jsonOut = String(argv[++i] ?? "").trim();
53
+ else throw new Error(`unknown argument: ${arg}`);
54
+ }
55
+ if (!out.help) {
56
+ if (!out.manifestPath) throw new Error("--manifest is required");
57
+ if (!out.baseUrl) throw new Error("--base-url is required");
58
+ }
59
+ return out;
60
+ }
61
+
62
+ function readJson(filePath) {
63
+ const resolved = path.resolve(process.cwd(), filePath);
64
+ const raw = fs.readFileSync(resolved, "utf8");
65
+ return JSON.parse(raw);
66
+ }
67
+
68
+ function resolveProviderKeyPem({ inlinePem, filePath }) {
69
+ if (typeof inlinePem === "string" && inlinePem.trim() !== "") return inlinePem;
70
+ if (typeof filePath === "string" && filePath.trim() !== "") {
71
+ const resolved = path.resolve(process.cwd(), filePath);
72
+ return fs.readFileSync(resolved, "utf8");
73
+ }
74
+ return null;
75
+ }
76
+
77
+ function makeCliError(code, message, details = null) {
78
+ const err = new Error(message);
79
+ err.code = code;
80
+ err.details = details;
81
+ return err;
82
+ }
83
+
84
+ function printJson(value) {
85
+ process.stdout.write(`${JSON.stringify(value, null, 2)}\n`);
86
+ }
87
+
88
+ async function main() {
89
+ const args = parseArgs(process.argv.slice(2));
90
+ if (args.help) {
91
+ process.stdout.write(`${usage()}\n`);
92
+ return;
93
+ }
94
+ if (!args.apiKey) throw makeCliError("PROVIDER_CONFORMANCE_MISSING_API_KEY", "SETTLD_API_KEY or --api-key is required");
95
+
96
+ const manifest = readJson(args.manifestPath);
97
+ const providerSigningPublicKeyPem = resolveProviderKeyPem({ inlinePem: args.providerKeyPem, filePath: args.providerKeyFile });
98
+ const response = await fetch(new URL("/marketplace/providers/conformance/run", args.apiUrl), {
99
+ method: "POST",
100
+ headers: {
101
+ authorization: `Bearer ${args.apiKey}`,
102
+ "x-proxy-tenant-id": args.tenantId,
103
+ "content-type": "application/json; charset=utf-8"
104
+ },
105
+ body: JSON.stringify({
106
+ providerId: args.providerId || null,
107
+ baseUrl: args.baseUrl,
108
+ toolId: args.toolId || null,
109
+ providerSigningPublicKeyPem,
110
+ manifest
111
+ })
112
+ });
113
+
114
+ const text = await response.text();
115
+ let json = null;
116
+ try {
117
+ json = text ? JSON.parse(text) : null;
118
+ } catch {
119
+ json = null;
120
+ }
121
+ if (!response.ok) {
122
+ throw makeCliError("PROVIDER_CONFORMANCE_REQUEST_FAILED", "conformance run failed", {
123
+ statusCode: response.status,
124
+ response: json ?? text ?? null
125
+ });
126
+ }
127
+ const report = json?.report ?? null;
128
+ if (!report || typeof report !== "object") {
129
+ throw makeCliError("PROVIDER_CONFORMANCE_INVALID_RESPONSE", "conformance response missing report");
130
+ }
131
+
132
+ if (args.jsonOut) {
133
+ const outPath = path.resolve(process.cwd(), args.jsonOut);
134
+ fs.mkdirSync(path.dirname(outPath), { recursive: true });
135
+ fs.writeFileSync(outPath, `${JSON.stringify(report, null, 2)}\n`, "utf8");
136
+ }
137
+
138
+ const verdictOk = report?.verdict?.ok === true;
139
+ const payload = {
140
+ ok: verdictOk,
141
+ ...(verdictOk ? {} : { code: "PROVIDER_CONFORMANCE_FAILED", message: "provider conformance failed" }),
142
+ allowFailApplied: !verdictOk && args.allowFail === true,
143
+ providerId: report?.providerId ?? null,
144
+ toolId: report?.tool?.toolId ?? null,
145
+ verdict: report?.verdict ?? null
146
+ };
147
+ printJson(payload);
148
+ if (!verdictOk && !args.allowFail) process.exitCode = 1;
149
+ }
150
+
151
+ main().catch((err) => {
152
+ printJson({
153
+ ok: false,
154
+ code: typeof err?.code === "string" && err.code.trim() !== "" ? err.code : "PROVIDER_CONFORMANCE_CLI_ERROR",
155
+ message: err?.message ?? String(err ?? ""),
156
+ details: err?.details ?? null
157
+ });
158
+ process.exit(1);
159
+ });
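Review bot: `main` sends `authorization: Bearer ${args.apiKey}` to whatever `--api-url` names without checking the scheme, so a non-loopback `http://` URL puts the API key on the wire in cleartext. A guard before the `fetch` would stop that: `const api = new URL(args.apiUrl);` then `if (api.protocol !== "https:" && !["127.0.0.1", "localhost"].includes(api.hostname)) throw makeCliError("PROVIDER_CONFORMANCE_INSECURE_API_URL", "api url must be https unless it is loopback");` (the error code is a proposed new one). The usage line for `--api-key` should also say that a key passed as an argument is visible in the process list and shell history, and that `SETTLD_API_KEY` is the preferred route. In `parseArgs`, a flag given as the last argument silently becomes an empty string, which for `--api-url` replaces the default and surfaces later as an opaque URL error.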
@@ -0,0 +1,135 @@
1
+ #!/usr/bin/env node
2
+ import fs from "node:fs";
3
+ import path from "node:path";
4
+
5
+ import { createEd25519Keypair, keyIdFromPublicKeyPem } from "../../src/core/crypto.js";
6
+ import { buildSettldPayKeysetV1 } from "../../src/core/settld-keys.js";
7
+ import { computeProviderRefFromPublishProofJwk } from "../../src/core/provider-publish-proof.js";
8
+
9
+ function usage() {
10
+ return [
11
+ "Usage:",
12
+ " node scripts/provider/keys-generate.mjs --out-dir <dir> [options]",
13
+ "",
14
+ "Options:",
15
+ " --out-dir <dir> Output directory (required)",
16
+ " --prefix <name> File prefix (default: identity)",
17
+ " --overwrite Allow overwriting existing files",
18
+ " --help Show this help"
19
+ ].join("\n");
20
+ }
21
+
22
+ function parseArgs(argv) {
23
+ const out = {
24
+ outDir: null,
25
+ prefix: "identity",
26
+ overwrite: false,
27
+ help: false
28
+ };
29
+ for (let i = 0; i < argv.length; i += 1) {
30
+ const arg = String(argv[i] ?? "");
31
+ if (arg === "--help" || arg === "-h") out.help = true;
32
+ else if (arg === "--out-dir") out.outDir = String(argv[++i] ?? "").trim();
33
+ else if (arg === "--prefix") out.prefix = String(argv[++i] ?? "").trim();
34
+ else if (arg === "--overwrite") out.overwrite = true;
35
+ else throw new Error(`unknown argument: ${arg}`);
36
+ }
37
+ if (!out.help) {
38
+ if (!out.outDir) throw new Error("--out-dir is required");
39
+ if (!out.prefix) throw new Error("--prefix must be non-empty");
40
+ }
41
+ return out;
42
+ }
43
+
44
+ function assertWritablePath(filePath, { overwrite }) {
45
+ if (!fs.existsSync(filePath)) return;
46
+ if (overwrite) return;
47
+ throw new Error(`file exists (use --overwrite): ${filePath}`);
48
+ }
49
+
50
+ function writeFileSafely(filePath, value, { overwrite, mode = null } = {}) {
51
+ assertWritablePath(filePath, { overwrite });
52
+ fs.writeFileSync(filePath, value, { encoding: "utf8", ...(mode ? { mode } : {}) });
53
+ }
54
+
55
+ function main() {
56
+ const args = parseArgs(process.argv.slice(2));
57
+ if (args.help) {
58
+ process.stdout.write(`${usage()}\n`);
59
+ return;
60
+ }
61
+
62
+ const outDir = path.resolve(process.cwd(), args.outDir);
63
+ fs.mkdirSync(outDir, { recursive: true });
64
+
65
+ const { publicKeyPem, privateKeyPem } = createEd25519Keypair();
66
+ const keyId = keyIdFromPublicKeyPem(publicKeyPem);
67
+ const jwks = buildSettldPayKeysetV1({
68
+ activeKey: {
69
+ keyId,
70
+ publicKeyPem
71
+ },
72
+ refreshedAt: new Date().toISOString()
73
+ });
74
+ const providerRef = computeProviderRefFromPublishProofJwk(jwks.keys[0]);
75
+
76
+ const privateKeyPath = path.join(outDir, `${args.prefix}.ed25519.private.pem`);
77
+ const publicKeyPath = path.join(outDir, `${args.prefix}.ed25519.public.pem`);
78
+ const jwksPath = path.join(outDir, `${args.prefix}.jwks.json`);
79
+ const metadataPath = path.join(outDir, `${args.prefix}.meta.json`);
80
+
81
+ writeFileSafely(privateKeyPath, privateKeyPem, { overwrite: args.overwrite, mode: 0o600 });
82
+ writeFileSafely(publicKeyPath, publicKeyPem, { overwrite: args.overwrite });
83
+ writeFileSafely(jwksPath, `${JSON.stringify(jwks, null, 2)}\n`, { overwrite: args.overwrite });
84
+ writeFileSafely(
85
+ metadataPath,
86
+ `${JSON.stringify(
87
+ {
88
+ schemaVersion: "ProviderIdentityMaterial.v1",
89
+ generatedAt: new Date().toISOString(),
90
+ keyId,
91
+ providerRef,
92
+ files: {
93
+ privateKeyPath,
94
+ publicKeyPath,
95
+ jwksPath
96
+ }
97
+ },
98
+ null,
99
+ 2
100
+ )}\n`,
101
+ { overwrite: args.overwrite }
102
+ );
103
+
104
+ process.stdout.write(
105
+ `${JSON.stringify(
106
+ {
107
+ ok: true,
108
+ keyId,
109
+ providerRef,
110
+ privateKeyPath,
111
+ publicKeyPath,
112
+ jwksPath,
113
+ metadataPath
114
+ },
115
+ null,
116
+ 2
117
+ )}\n`
118
+ );
119
+ }
120
+
121
+ try {
122
+ main();
123
+ } catch (err) {
124
+ process.stdout.write(
125
+ `${JSON.stringify(
126
+ {
127
+ ok: false,
128
+ message: err?.message ?? String(err ?? "")
129
+ },
130
+ null,
131
+ 2
132
+ )}\n`
133
+ );
134
+ process.exit(1);
135
+ }
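Review bot: `writeFileSafely` does not guarantee that the private key ends up `0o600`: the `mode` option of `fs.writeFileSync` applies only when the file is created, so with `--overwrite` an existing `*.ed25519.private.pem` keeps whatever looser permissions it already had. The existence check in `assertWritablePath` is also separate from the write, so a file can appear between the two. Both are closed by `fs.writeFileSync(filePath, value, { encoding: "utf8", flag: overwrite ? "w" : "wx", ...(mode ? { mode } : {}) });` followed by `if (mode) fs.chmodSync(filePath, mode);`. `--prefix` is also used unvalidated in the four `path.join(outDir, ...)` calls, so a prefix containing a path separator writes the key material outside `--out-dir`; rejecting any prefix that differs from `path.basename(args.prefix)` in `parseArgs` would prevent that.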