npm - settld - Versions diffs - 0.1.2 → 0.2.0 - Mend

settld 0.1.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (483) hide show

package/README.md +93 -3
package/SETTLD_VERSION +1 -1
package/bin/settld-mcp +2 -0
package/bin/settld.js +71 -0
package/conformance/kernel-v0/README.md +7 -0
package/conformance/kernel-v0/run.mjs +292 -4
package/docs/ACCESS.md +57 -0
package/docs/ADOPTION_CHECKLIST.md +44 -0
package/docs/ALERTS.md +198 -0
package/docs/ARCHITECTURE.md +69 -0
package/docs/ARCHITECTURE_FOUNDER_GUIDE.md +284 -0
package/docs/ARTIFACTS.md +60 -0
package/docs/CERTIFICATION_CHECKLIST.md +33 -0
package/docs/CIRCLE_SANDBOX_E2E.md +152 -0
package/docs/CONFIG.md +297 -0
package/docs/CONTRACTS_APIS.md +23 -0
package/docs/DEPRECATION.md +31 -0
package/docs/DOMAIN_MODEL.md +92 -0
package/docs/EVENT_ENVELOPE.md +53 -0
package/docs/FINANCE_PACK_FORMAT.md +53 -0
package/docs/INCIDENT_TAXONOMY.md +30 -0
package/docs/JOB_STATE_MACHINE.md +66 -0
package/docs/KERNEL_COMPATIBLE.md +60 -0
package/docs/KERNEL_V0.md +40 -0
package/docs/KEY_ROTATION.md +80 -0
package/docs/LEDGER.md +82 -0
package/docs/LIVENESS.md +76 -0
package/docs/MVP_BUILD_ORDER.md +36 -0
package/docs/ONCALL_PLAYBOOK.md +39 -0
package/docs/OPERATIONS_SIGNING.md +20 -0
package/docs/OVERVIEW.md +190 -0
package/docs/PERF_BASELINE.md +85 -0
package/docs/PRD.md +77 -0
package/docs/QUICKSTART_KERNEL_V0.md +96 -0
package/docs/QUICKSTART_MCP.md +377 -0
package/docs/QUICKSTART_MCP_HOSTS.md +210 -0
package/docs/QUICKSTART_POLICY_PACKS.md +65 -0
package/docs/QUICKSTART_PRODUCE.md +61 -0
package/docs/QUICKSTART_PROFILES.md +198 -0
package/docs/QUICKSTART_RELEASE_VERIFY.md +39 -0
package/docs/QUICKSTART_SDK.md +125 -0
package/docs/QUICKSTART_SDK_PYTHON.md +111 -0
package/docs/QUICKSTART_VERIFY.md +54 -0
package/docs/QUICKSTART_X402_GATEWAY.md +317 -0
package/docs/README.md +33 -0
package/docs/RELEASE_CHECKLIST.md +182 -0
package/docs/RELEASING.md +82 -0
package/docs/REPO_SETTINGS.md +37 -0
package/docs/RUNBOOK.md +86 -0
package/docs/SKILLS.md +42 -0
package/docs/SKILL_BUNDLE_FORMAT.md +48 -0
package/docs/SLO.md +131 -0
package/docs/SUMMARY.md +17 -0
package/docs/SUPPORT.md +31 -0
package/docs/THREAT_MODEL.md +36 -0
package/docs/TRUST.md +59 -0
package/docs/WORKFLOW.md +35 -0
package/docs/X402_BATCH_SETTLEMENT.md +126 -0
package/docs/blog/2026-02-14-your-ai-agent-just-spent-500-where-is-the-receipt.md +73 -0
package/docs/examples/x402-provider-payout-registry.example.json +14 -0
package/docs/gitbook/README.md +64 -0
package/docs/gitbook/SETUP.md +25 -0
package/docs/gitbook/SUMMARY.md +15 -0
package/docs/gitbook/api-reference.md +73 -0
package/docs/gitbook/closepacks.md +55 -0
package/docs/gitbook/conformance.md +59 -0
package/docs/gitbook/core-primitives.md +85 -0
package/docs/gitbook/dispute-lifecycle.md +33 -0
package/docs/gitbook/faq.md +21 -0
package/docs/gitbook/guides.md +49 -0
package/docs/gitbook/operations-runbook.md +36 -0
package/docs/gitbook/quickstart.md +103 -0
package/docs/gitbook/replay-and-audit.md +30 -0
package/docs/gitbook/sdk-reference.md +35 -0
package/docs/gitbook/security-model.md +58 -0
package/docs/integrations/README.md +15 -0
package/docs/integrations/github-actions-verify.yml +31 -0
package/docs/integrations/github-actions.md +34 -0
package/docs/integrations/openclaw/CLAWHUB_PUBLISH_CHECKLIST.md +65 -0
package/docs/integrations/openclaw/PUBLIC_QUICKSTART.md +95 -0
package/docs/integrations/openclaw/settld-mcp-skill/SKILL.md +69 -0
package/docs/integrations/openclaw/settld-mcp-skill/mcp-server.example.json +12 -0
package/docs/kernel-compatible/capabilities.json +36 -0
package/docs/marketing/agent-commerce-substrate.md +78 -0
package/docs/marketing/hn-repost-2026-02-17.md +102 -0
package/docs/marketing/show-hn-post.md +45 -0
package/docs/ops/ARTIFACT_VERIFICATION_STATUS.md +43 -0
package/docs/ops/BILLING_WEBHOOK_REPLAY.md +105 -0
package/docs/ops/CI_FLAKE_BUDGET.md +31 -0
package/docs/ops/DISPUTE_FINANCE_RECONCILIATION_PACKET.md +56 -0
package/docs/ops/GO_LIVE_GATE_S13.md +27 -0
package/docs/ops/HOSTED_BASELINE_R2.md +129 -0
package/docs/ops/KERNEL_V0_SHIP_GATE.md +69 -0
package/docs/ops/LIGHTHOUSE_PRODUCTION_CLOSE.md +51 -0
package/docs/ops/MCP_COMPATIBILITY_MATRIX.md +30 -0
package/docs/ops/MINIMUM_PRODUCTION_TOPOLOGY.md +89 -0
package/docs/ops/P0_BACKEND_PROGRESS.md +150 -0
package/docs/ops/PAYMENTS_ALPHA_R5.md +105 -0
package/docs/ops/PILOT_ONBOARDING_RUNBOOK.md +112 -0
package/docs/ops/PRODUCTION_DEPLOYMENT_CHECKLIST.md +140 -0
package/docs/ops/R1_SLOS.md +66 -0
package/docs/ops/RELEASE_SIGNING_INCIDENT.md +58 -0
package/docs/ops/SELF_SERVE_LAUNCH_AUTOMATION.md +89 -0
package/docs/ops/THROUGHPUT_DRILL_10X.md +48 -0
package/docs/ops/TRUST_CONFIG_WIZARD.md +60 -0
package/docs/ops/X402_PILOT_WEEKLY_METRICS.md +76 -0
package/docs/ops/tool-call-disputes-holdback.md +52 -0
package/docs/pilot-kit/PILOT_PACKAGE_SCORECARD_X402.md +46 -0
package/docs/pilot-kit/README.md +29 -0
package/docs/pilot-kit/architecture-one-pager.md +48 -0
package/docs/pilot-kit/buyer-email.txt +19 -0
package/docs/pilot-kit/buyer-one-pager.md +31 -0
package/docs/pilot-kit/gtm-pilot-playbook.md +182 -0
package/docs/pilot-kit/offline-verify.md +33 -0
package/docs/pilot-kit/procurement-one-pager.md +50 -0
package/docs/pilot-kit/rfp-clause.md +46 -0
package/docs/pilot-kit/roi-calculator-template.csv +2 -0
package/docs/pilot-kit/security-qa.md +153 -0
package/docs/pilot-kit/security-summary.md +35 -0
package/docs/plans/2026-02-13-mcp-spike-design.md +113 -0
package/docs/plans/2026-02-20-trust-os-v1-jira-backlog.md +348 -0
package/docs/plans/2026-02-21-agent-economic-actor-operating-model.md +169 -0
package/docs/plans/2026-02-21-trust-os-v1-strategy.md +241 -0
package/docs/research/2026-02-21-agent-spend-host-landscape.md +57 -0
package/docs/spec/AcceptanceCriteria.v1.md +17 -0
package/docs/spec/AcceptanceEvaluation.v1.md +10 -0
package/docs/spec/AgentEvent.v1.md +47 -0
package/docs/spec/AgentIdentity.v1.md +62 -0
package/docs/spec/AgentPassport.v1.md +95 -0
package/docs/spec/AgentReputation.v1.md +59 -0
package/docs/spec/AgentReputation.v2.md +52 -0
package/docs/spec/AgentRun.v1.md +47 -0
package/docs/spec/AgentRunSettlement.v1.md +52 -0
package/docs/spec/AgentWallet.v1.md +43 -0
package/docs/spec/AgreementDelegation.v1.md +109 -0
package/docs/spec/ArbitrationCase.v1.md +67 -0
package/docs/spec/ArbitrationOutcomeMapping.v1.md +62 -0
package/docs/spec/ArbitrationVerdict.v1.md +60 -0
package/docs/spec/BundleHeadAttestation.v1.md +32 -0
package/docs/spec/CANONICAL_JSON.md +31 -0
package/docs/spec/CRYPTOGRAPHY.md +61 -0
package/docs/spec/ClosePack.v1.md +49 -0
package/docs/spec/ClosePackManifest.v1.md +24 -0
package/docs/spec/DelegationGrant.v1.md +90 -0
package/docs/spec/DisputeCaseLifecycle.v1.md +51 -0
package/docs/spec/DisputeOpenEnvelope.v1.md +43 -0
package/docs/spec/ERRORS.md +76 -0
package/docs/spec/ESCROW_NETTING_INVARIANTS.md +71 -0
package/docs/spec/EvidenceIndex.v1.md +20 -0
package/docs/spec/ExecutionIntent.v1.md +90 -0
package/docs/spec/FinancePackBundleManifest.v1.md +24 -0
package/docs/spec/FundingHold.v1.md +60 -0
package/docs/spec/GovernancePolicy.v1.md +34 -0
package/docs/spec/GovernancePolicy.v2.md +30 -0
package/docs/spec/INVARIANTS.md +389 -0
package/docs/spec/InteractionDirectionMatrix.v1.md +30 -0
package/docs/spec/InvoiceBundleManifest.v1.md +24 -0
package/docs/spec/InvoiceClaim.v1.md +11 -0
package/docs/spec/MONEY_RAIL_STATE_MACHINE.md +58 -0
package/docs/spec/MarketplaceAcceptance.v2.md +46 -0
package/docs/spec/MarketplaceOffer.v2.md +54 -0
package/docs/spec/MeteringReport.v1.md +18 -0
package/docs/spec/OperatorAction.v1.md +90 -0
package/docs/spec/PRODUCER_ERRORS.md +42 -0
package/docs/spec/PolicyDecision.v1.md +83 -0
package/docs/spec/PricingMatrix.v1.md +20 -0
package/docs/spec/PricingMatrixSignatures.v1.md +30 -0
package/docs/spec/PricingMatrixSignatures.v2.md +29 -0
package/docs/spec/ProduceCliOutput.v1.md +46 -0
package/docs/spec/ProofBundleManifest.v1.md +24 -0
package/docs/spec/README.md +109 -0
package/docs/spec/REFERENCE_IMPLEMENTATIONS.md +29 -0
package/docs/spec/REFERENCE_VERIFIER_BEHAVIOR.md +68 -0
package/docs/spec/REMOTE_SIGNER.md +66 -0
package/docs/spec/ReleaseIndex.v1.md +32 -0
package/docs/spec/ReleaseIndexSignatures.v1.md +17 -0
package/docs/spec/ReleaseTrust.v1.md +13 -0
package/docs/spec/ReleaseTrust.v2.md +26 -0
package/docs/spec/RemoteSignerRequest.v1.md +21 -0
package/docs/spec/RemoteSignerResponse.v1.md +16 -0
package/docs/spec/ReputationEvent.v1.md +63 -0
package/docs/spec/RevocationList.v1.md +28 -0
package/docs/spec/SIGNER_PROVIDER_PLUGIN.md +32 -0
package/docs/spec/STRICTNESS.md +68 -0
package/docs/spec/SUPPLY_CHAIN.md +33 -0
package/docs/spec/SettlementAdjustment.v1.md +45 -0
package/docs/spec/SettlementDecisionRecord.v1.md +48 -0
package/docs/spec/SettlementDecisionRecord.v2.md +53 -0
package/docs/spec/SettlementDecisionReport.v1.md +44 -0
package/docs/spec/SettlementKernel.v1.md +59 -0
package/docs/spec/SettlementReceipt.v1.md +63 -0
package/docs/spec/SlaDefinition.v1.md +24 -0
package/docs/spec/SlaEvaluation.v1.md +12 -0
package/docs/spec/THREAT_MODEL.md +113 -0
package/docs/spec/TOOL_PROVENANCE.md +30 -0
package/docs/spec/TRUST_ANCHORS.md +84 -0
package/docs/spec/TenantSettings.v1.md +90 -0
package/docs/spec/TenantSettings.v2.md +99 -0
package/docs/spec/TimestampProof.v1.md +25 -0
package/docs/spec/ToolCallAgreement.v1.md +34 -0
package/docs/spec/ToolCallEvidence.v1.md +47 -0
package/docs/spec/ToolManifest.v1.md +47 -0
package/docs/spec/VERIFIER_ENVIRONMENT.md +38 -0
package/docs/spec/VERSIONING.md +107 -0
package/docs/spec/VerificationReport.v1.md +50 -0
package/docs/spec/VerifyAboutOutput.v1.md +10 -0
package/docs/spec/VerifyCliOutput.v1.md +28 -0
package/docs/spec/WARNINGS.md +83 -0
package/docs/spec/error-codes.v1.txt +285 -0
package/docs/spec/examples/agreement_delegation_v1.example.json +21 -0
package/docs/spec/examples/arbitration_case_v1.example.json +26 -0
package/docs/spec/examples/arbitration_verdict_v1.example.json +32 -0
package/docs/spec/examples/dispute_open_envelope_v1.example.json +18 -0
package/docs/spec/examples/produce_cli_output_v1.example.json +32 -0
package/docs/spec/examples/release_index_signature_v1.example.json +9 -0
package/docs/spec/examples/release_index_signatures_v1.example.json +14 -0
package/docs/spec/examples/release_index_v1.example.json +15 -0
package/docs/spec/examples/release_trust_v1.example.json +7 -0
package/docs/spec/examples/release_trust_v2.example.json +22 -0
package/docs/spec/examples/remote_signer_request_v1.example.json +18 -0
package/docs/spec/examples/remote_signer_response_v1.example.json +8 -0
package/docs/spec/examples/reputation_event_v1.example.json +29 -0
package/docs/spec/examples/verification_report_v1.example.json +24 -0
package/docs/spec/examples/verify_about_output_v1.example.json +29 -0
package/docs/spec/examples/verify_cli_output_v1.example.json +13 -0
package/docs/spec/legacy/MarketplaceAcceptance.v1.md +48 -0
package/docs/spec/legacy/MarketplaceOffer.v1.md +56 -0
package/docs/spec/legacy/schemas/MarketplaceAcceptance.v1.schema.json +53 -0
package/docs/spec/legacy/schemas/MarketplaceOffer.v1.schema.json +61 -0
package/docs/spec/producer-error-codes.v1.txt +14 -0
package/docs/spec/schemas/AcceptanceCriteria.v1.schema.json +24 -0
package/docs/spec/schemas/AcceptanceEvaluation.v1.schema.json +26 -0
package/docs/spec/schemas/AgentEvent.v1.schema.json +49 -0
package/docs/spec/schemas/AgentIdentity.v1.schema.json +129 -0
package/docs/spec/schemas/AgentPassport.v1.schema.json +112 -0
package/docs/spec/schemas/AgentReputation.v1.schema.json +151 -0
package/docs/spec/schemas/AgentReputation.v2.schema.json +120 -0
package/docs/spec/schemas/AgentRun.v1.schema.json +71 -0
package/docs/spec/schemas/AgentRunSettlement.v1.schema.json +75 -0
package/docs/spec/schemas/AgentWallet.v1.schema.json +54 -0
package/docs/spec/schemas/AgreementDelegation.v1.schema.json +50 -0
package/docs/spec/schemas/ArbitrationCase.v1.schema.json +133 -0
package/docs/spec/schemas/ArbitrationVerdict.v1.schema.json +149 -0
package/docs/spec/schemas/BundleHeadAttestation.v1.schema.json +21 -0
package/docs/spec/schemas/ClosePackManifest.v1.schema.json +38 -0
package/docs/spec/schemas/DelegationGrant.v1.schema.json +102 -0
package/docs/spec/schemas/DisputeOpenEnvelope.v1.schema.json +78 -0
package/docs/spec/schemas/EvidenceIndex.v1.schema.json +41 -0
package/docs/spec/schemas/ExecutionIntent.v1.schema.json +85 -0
package/docs/spec/schemas/FinancePackBundleManifest.v1.schema.json +38 -0
package/docs/spec/schemas/FundingHold.v1.schema.json +46 -0
package/docs/spec/schemas/GovernancePolicy.v1.schema.json +45 -0
package/docs/spec/schemas/GovernancePolicy.v2.schema.json +70 -0
package/docs/spec/schemas/InteractionDirectionMatrix.v1.schema.json +43 -0
package/docs/spec/schemas/InvoiceBundleManifest.v1.schema.json +38 -0
package/docs/spec/schemas/InvoiceClaim.v1.schema.json +39 -0
package/docs/spec/schemas/MarketplaceAcceptance.v2.schema.json +53 -0
package/docs/spec/schemas/MarketplaceOffer.v2.schema.json +61 -0
package/docs/spec/schemas/MeteringReport.v1.schema.json +45 -0
package/docs/spec/schemas/OperatorAction.v1.schema.json +113 -0
package/docs/spec/schemas/PolicyDecision.v1.schema.json +74 -0
package/docs/spec/schemas/PricingMatrix.v1.schema.json +24 -0
package/docs/spec/schemas/PricingMatrixSignatures.v1.schema.json +24 -0
package/docs/spec/schemas/PricingMatrixSignatures.v2.schema.json +24 -0
package/docs/spec/schemas/ProduceCliOutput.v1.schema.json +107 -0
package/docs/spec/schemas/ProofBundleManifest.v1.schema.json +37 -0
package/docs/spec/schemas/PublicKeys.v1.schema.json +33 -0
package/docs/spec/schemas/ReleaseIndex.v1.schema.json +45 -0
package/docs/spec/schemas/ReleaseIndexSignature.v1.schema.json +16 -0
package/docs/spec/schemas/ReleaseIndexSignatures.v1.schema.json +16 -0
package/docs/spec/schemas/ReleaseTrust.v1.schema.json +15 -0
package/docs/spec/schemas/ReleaseTrust.v2.schema.json +37 -0
package/docs/spec/schemas/RemoteSignerPublicKeyResponse.v1.schema.json +14 -0
package/docs/spec/schemas/RemoteSignerRequest.v1.schema.json +24 -0
package/docs/spec/schemas/RemoteSignerResponse.v1.schema.json +10 -0
package/docs/spec/schemas/RemoteSignerSignRequest.v1.schema.json +27 -0
package/docs/spec/schemas/RemoteSignerSignResponse.v1.schema.json +16 -0
package/docs/spec/schemas/ReputationEvent.v1.schema.json +164 -0
package/docs/spec/schemas/RevocationList.v1.schema.json +51 -0
package/docs/spec/schemas/SettlementAdjustment.v1.schema.json +44 -0
package/docs/spec/schemas/SettlementDecisionRecord.v1.schema.json +66 -0
package/docs/spec/schemas/SettlementDecisionRecord.v2.schema.json +149 -0
package/docs/spec/schemas/SettlementDecisionReport.v1.schema.json +61 -0
package/docs/spec/schemas/SettlementReceipt.v1.schema.json +135 -0
package/docs/spec/schemas/SlaDefinition.v1.schema.json +33 -0
package/docs/spec/schemas/SlaEvaluation.v1.schema.json +26 -0
package/docs/spec/schemas/TenantSettings.v1.schema.json +90 -0
package/docs/spec/schemas/TenantSettings.v2.schema.json +161 -0
package/docs/spec/schemas/TimestampProof.v1.schema.json +17 -0
package/docs/spec/schemas/ToolCallAgreement.v1.schema.json +34 -0
package/docs/spec/schemas/ToolCallEvidence.v1.schema.json +45 -0
package/docs/spec/schemas/ToolManifest.v1.schema.json +54 -0
package/docs/spec/schemas/VerificationReport.v1.schema.json +83 -0
package/docs/spec/schemas/VerifyAboutOutput.v1.schema.json +54 -0
package/docs/spec/schemas/VerifyCliOutput.v1.schema.json +75 -0
package/docs/spec/schemas/VerifyReleaseOutput.v1.schema.json +47 -0
package/docs/spec/x402-error-codes.v1.txt +35 -0
package/docs/templates/buyer-email.txt +18 -0
package/docs/templates/buyer-one-pager.md +24 -0
package/package.json +53 -6
package/scripts/acceptance/full-stack.mjs +734 -0
package/scripts/acceptance/full-stack.sh +99 -0
package/scripts/audit/build-audit-packet.mjs +242 -0
package/scripts/backup-pg.sh +45 -0
package/scripts/backup-restore/README.md +18 -0
package/scripts/backup-restore/capture-state.mjs +130 -0
package/scripts/backup-restore/client.mjs +97 -0
package/scripts/backup-restore/seed-workload.mjs +235 -0
package/scripts/backup-restore/verify-state.mjs +139 -0
package/scripts/backup-restore-test.sh +217 -0
package/scripts/chaos.js +221 -0
package/scripts/ci/build-launch-cutover-packet.mjs +304 -0
package/scripts/ci/build-self-serve-benchmark-report.mjs +122 -0
package/scripts/ci/changelog-guard.mjs +145 -0
package/scripts/ci/check-kernel-v0-launch-gate.mjs +233 -0
package/scripts/ci/check-secret-hygiene.mjs +78 -0
package/scripts/ci/check-version-consistency.mjs +42 -0
package/scripts/ci/cli-pack-smoke.mjs +160 -0
package/scripts/ci/flake-budget-guard.mjs +68 -0
package/scripts/ci/generate-error-codes.mjs +54 -0
package/scripts/ci/lib/lighthouse-tracker.mjs +90 -0
package/scripts/ci/lib/self-serve-launch-gate.mjs +89 -0
package/scripts/ci/npm-pack-smoke.mjs +454 -0
package/scripts/ci/run-10x-throughput-drill.mjs +318 -0
package/scripts/ci/run-10x-throughput-incident-rehearsal.mjs +368 -0
package/scripts/ci/run-arbitration-workspace-browser-e2e.sh +22 -0
package/scripts/ci/run-circle-sandbox-smoke.mjs +237 -0
package/scripts/ci/run-go-live-gate.mjs +150 -0
package/scripts/ci/run-kernel-v0-ship-gate.mjs +97 -0
package/scripts/ci/run-mcp-host-cert-matrix.mjs +201 -0
package/scripts/ci/run-mcp-host-smoke.mjs +473 -0
package/scripts/ci/run-offline-verification-parity-gate.mjs +762 -0
package/scripts/ci/run-onboarding-host-success-gate.mjs +516 -0
package/scripts/ci/run-onboarding-policy-slo-gate.mjs +537 -0
package/scripts/ci/run-production-cutover-gate.mjs +540 -0
package/scripts/ci/run-public-openclaw-npx-smoke.mjs +148 -0
package/scripts/ci/run-release-promotion-guard.mjs +756 -0
package/scripts/ci/run-self-serve-launch-gate.mjs +56 -0
package/scripts/ci/runtime-import-smoke.mjs +58 -0
package/scripts/ci/update-lighthouse-tracker.mjs +112 -0
package/scripts/closepack/lib.mjs +286 -0
package/scripts/collect-debug.sh +263 -0
package/scripts/demo/compositional-settlement-3hop.mjs +237 -0
package/scripts/demo/delivery-robot/export-ui-fixture.mjs +188 -0
package/scripts/demo/delivery-robot/generate.mjs +377 -0
package/scripts/demo/kernel-agent-goes-shopping.mjs +202 -0
package/scripts/demo/magic-link-first-green.mjs +118 -0
package/scripts/demo/magic-link-kind-smoke.mjs +577 -0
package/scripts/demo/mcp-paid-exa.mjs +1110 -0
package/scripts/dev/billing-doctor.sh +145 -0
package/scripts/dev/billing-smoke-prod.sh +219 -0
package/scripts/dev/billing-webhook-replay.sh +161 -0
package/scripts/dev/env.dev.example +29 -0
package/scripts/dev/env.sh +37 -0
package/scripts/dev/new-sdk-key.sh +81 -0
package/scripts/dev/sdk-first-run.sh +21 -0
package/scripts/dev/smoke-x402-gateway.sh +115 -0
package/scripts/dev/start-api.sh +24 -0
package/scripts/doctor/mcp-host.mjs +120 -0
package/scripts/examples/produce-and-verify-jobproof.mjs +191 -0
package/scripts/examples/sdk-first-paid-rfq.py +105 -0
package/scripts/examples/sdk-first-verified-run.mjs +85 -0
package/scripts/examples/sdk-first-verified-run.py +99 -0
package/scripts/examples/sdk-tenant-analytics.mjs +103 -0
package/scripts/examples/sdk-tenant-analytics.py +118 -0
package/scripts/finance-pack/bundle.mjs +284 -0
package/scripts/fixtures/generate-bundle-fixtures.mjs +877 -0
package/scripts/governance/export.mjs +169 -0
package/scripts/load/delivery-stress.k6.js +183 -0
package/scripts/load/ingest-burst.k6.js +236 -0
package/scripts/load/run-delivery-load.js +66 -0
package/scripts/load/webhook-receiver.js +131 -0
package/scripts/magic-link/migrate-run-records-to-db.mjs +35 -0
package/scripts/mcp/probe.mjs +238 -0
package/scripts/mcp/settld-mcp-http-gateway.mjs +178 -0
package/scripts/mcp/settld-mcp-server.mjs +1511 -0
package/scripts/openapi/write.mjs +13 -0
package/scripts/ops/bootstrap-tenant-conformance.mjs +185 -0
package/scripts/ops/build-x402-pilot-reliability-report.mjs +489 -0
package/scripts/ops/check-x402-receipt-sample.mjs +181 -0
package/scripts/ops/design-partner-run-packet.mjs +466 -0
package/scripts/ops/dispute-finance-reconciliation-packet.mjs +313 -0
package/scripts/ops/hosted-baseline-evidence.mjs +890 -0
package/scripts/ops/money-rails-chargeback-evidence.mjs +509 -0
package/scripts/ops/money-rails-reconcile-evidence.mjs +180 -0
package/scripts/ops/p0-seed-money-rail-operation.mjs +432 -0
package/scripts/ops/run-x402-hitl-smoke.mjs +607 -0
package/scripts/pilot/finance-pack.mjs +495 -0
package/scripts/pilot/fixtures/robot-keypair.json +4 -0
package/scripts/pilot/fixtures/server-signer.json +4 -0
package/scripts/policy/cli.mjs +600 -0
package/scripts/profile/cli.mjs +1324 -0
package/scripts/proof-bundle/job.mjs +109 -0
package/scripts/proof-bundle/lib.mjs +92 -0
package/scripts/proof-bundle/month.mjs +103 -0
package/scripts/provider/conformance-run.mjs +159 -0
package/scripts/provider/keys-generate.mjs +135 -0
package/scripts/provider/publish.mjs +420 -0
package/scripts/quickstart/x402.mjs +334 -0
package/scripts/register-entity-secret.mjs +102 -0
package/scripts/release/build-artifacts.mjs +181 -0
package/scripts/release/generate-release-index.mjs +112 -0
package/scripts/release/release-index-lib.mjs +232 -0
package/scripts/release/sign-release-index.mjs +85 -0
package/scripts/release/validate-release-assets.mjs +170 -0
package/scripts/release/verify-release.mjs +261 -0
package/scripts/restore-pg.sh +34 -0
package/scripts/scaffold/create-settld-paid-tool.mjs +19 -0
package/scripts/sdk/smoke-python.py +30 -0
package/scripts/sdk/smoke.mjs +16 -0
package/scripts/settlement/x402-batch-worker.mjs +1091 -0
package/scripts/setup/circle-bootstrap.mjs +310 -0
package/scripts/setup/host-config.mjs +617 -0
package/scripts/setup/onboard.mjs +1337 -0
package/scripts/setup/openclaw-onboard.mjs +423 -0
package/scripts/setup/wizard.mjs +986 -0
package/scripts/slo/check.mjs +239 -0
package/scripts/smoke/k8s-smoke.mjs +214 -0
package/scripts/spec/generate-protocol-vectors.mjs +1019 -0
package/scripts/test/check-no-generated-artifacts.sh +12 -0
package/scripts/test/run.sh +59 -0
package/scripts/trust/validate-trust-file.mjs +57 -0
package/scripts/trust-config/rotate-settld-pay.mjs +277 -0
package/scripts/trust-config/wizard.mjs +161 -0
package/scripts/vendor-contract-test-lib.mjs +182 -0
package/scripts/vendor-contract-test.mjs +55 -0
package/scripts/vercel/build-mkdocs.sh +9 -0
package/scripts/vercel/ignore-mkdocs.sh +25 -0
package/scripts/vercel/install-mkdocs.sh +6 -0
package/scripts/verify-pg.js +217 -0
package/scripts/x402/receipt-verify.mjs +289 -0
package/services/finance-sink/src/dedupe-store.js +29 -6
package/services/receiver/src/dedupe-store.js +29 -5
package/services/x402-gateway/Dockerfile +13 -0
package/services/x402-gateway/README.md +58 -0
package/services/x402-gateway/examples/upstream-mock.js +337 -0
package/services/x402-gateway/src/server.js +1058 -0
package/src/api/app.js +34658 -16940
package/src/api/maintenance.js +70 -0
package/src/api/middleware/trust-kernel.js +114 -0
package/src/api/openapi.js +1778 -70
package/src/api/persistence.js +456 -0
package/src/api/server.js +81 -5
package/src/api/store.js +1581 -62
package/src/api/workers/deliveries.js +99 -4
package/src/api/workers/insolvency-sweep.js +159 -0
package/src/core/agent-card.js +69 -0
package/src/core/agent-wallets.js +231 -0
package/src/core/agreement-delegation.js +549 -0
package/src/core/billing-plans.js +40 -6
package/src/core/circle-reserve-adapter.js +845 -0
package/src/core/event-policy.js +21 -2
package/src/core/maintenance-locks.js +1 -0
package/src/core/operator-action.js +303 -0
package/src/core/paid-tool-manifest.js +318 -0
package/src/core/policy-decision.js +322 -0
package/src/core/policy-packs.js +207 -0
package/src/core/profile-fingerprint.js +27 -0
package/src/core/profile-simulation-reasons.js +84 -0
package/src/core/profile-templates.js +242 -0
package/src/core/provider-publish-conformance.js +525 -0
package/src/core/provider-publish-proof.js +396 -0
package/src/core/provider-quote-signature.js +170 -0
package/src/core/settld-keys.js +112 -0
package/src/core/settld-pay-token.js +344 -0
package/src/core/settlement-kernel.js +239 -2
package/src/core/settlement-verifier.js +335 -0
package/src/core/tool-call-agreement.js +112 -0
package/src/core/tool-call-evidence.js +144 -0
package/src/core/tool-provider-signature.js +98 -0
package/src/core/wallet-assignment-resolver.js +129 -0
package/src/core/wallet-provider-bootstrap.js +365 -0
package/src/core/x402-escalation-override.js +258 -0
package/src/core/x402-gate.js +118 -0
package/src/core/x402-provider-refund-decision.js +220 -0
package/src/core/x402-receipt-verifier.js +708 -0
package/src/core/x402-reversal-command.js +251 -0
package/src/core/x402-wallet-issuer-decision.js +252 -0
package/src/core/zk-verifier.js +300 -0
package/src/db/migrations/029_reputation_event_index.sql +54 -0
package/src/db/migrations/030_artifacts_source_event_unique_job_only.sql +15 -0
package/src/db/pg.js +18 -7
package/src/db/store-pg.js +1508 -111

package/src/core/provider-publish-conformance.js ADDED Viewed

@@ -0,0 +1,525 @@
+import { canonicalJsonStringify } from "./canonical-json.js";
+import { keyIdFromPublicKeyPem, sha256Hex } from "./crypto.js";
+import { normalizePaidToolManifestV1, validatePaidToolManifestV1 } from "./paid-tool-manifest.js";
+import { buildSettldPayPayloadV1, computeSettldPayRequestBindingSha256V1, mintSettldPayTokenV1 } from "./settld-pay-token.js";
+import { parseX402PaymentRequired } from "./x402-gate.js";
+import { computeToolProviderSignaturePayloadHashV1, verifyToolProviderSignatureV1 } from "./tool-provider-signature.js";
+import { checkUrlSafety } from "./url-safety.js";
+export const PROVIDER_CONFORMANCE_REPORT_SCHEMA_VERSION = "ProviderConformanceReport.v1";
+function normalizeOptionalString(value) {
+  if (value === null || value === undefined || String(value).trim() === "") return null;
+  return String(value).trim();
+}
+function normalizeNonEmptyPem(value) {
+  if (value === null || value === undefined) return null;
+  if (typeof value !== "string") return String(value);
+  return value.trim() === "" ? null : value;
+}
+function requestInitForMethod(method, token = null) {
+  const m = String(method ?? "GET").toUpperCase();
+  const headers = { accept: "application/json" };
+  if (token) headers.authorization = `SettldPay ${token}`;
+  const hasBody = m !== "GET" && m !== "HEAD";
+  if (!hasBody) return { method: m, headers };
+  headers["content-type"] = "application/json";
+  return { method: m, headers, body: "{}" };
+}
+function headerValue(headers, name) {
+  return normalizeOptionalString(headers?.get?.(name));
+}
+function toHeaderObject(headers) {
+  const out = {};
+  for (const [k, v] of headers.entries()) out[k] = String(v);
+  return out;
+}
+function conformanceUrlSafetyOptions() {
+  const allowUnsafe = process.env.NODE_ENV !== "production";
+  return {
+    allowHttp: allowUnsafe,
+    allowPrivate: allowUnsafe,
+    allowLoopback: allowUnsafe,
+    allowedSchemes: ["https"]
+  };
+}
+async function assertConformanceUrlSafe(urlLike, options) {
+  const target = typeof urlLike === "string" ? urlLike : new URL(urlLike).toString();
+  const safe = await checkUrlSafety(target, options);
+  if (!safe.ok) {
+    throw new Error(`unsafe conformance URL (${safe.code}): ${safe.message}`);
+  }
+  return safe;
+}
+async function fetchConformanceUrl({ fetchFn, url, init, safetyOptions }) {
+  await assertConformanceUrlSafe(url, safetyOptions);
+  return fetchFn(url, {
+    ...(init && typeof init === "object" ? init : {}),
+    redirect: "error"
+  });
+}
+async function resolveProviderSigningPublicKeyPem({ providerSigningPublicKeyPem, providerBaseUrl, fetchFn, timeoutMs, safetyOptions }) {
+  const inlinePem = normalizeNonEmptyPem(providerSigningPublicKeyPem);
+  if (inlinePem) {
+    return inlinePem;
+  }
+  const url = new URL("/settld/provider-key", providerBaseUrl);
+  const signal = typeof AbortSignal?.timeout === "function" ? AbortSignal.timeout(timeoutMs) : undefined;
+  const response = await fetchConformanceUrl({
+    fetchFn,
+    url,
+    init: { method: "GET", signal },
+    safetyOptions
+  });
+  if (!response.ok) {
+    const text = await response.text();
+    throw new Error(`provider signing key lookup failed (${response.status}): ${text || "unknown"}`);
+  }
+  const body = await response.json();
+  const pem = normalizeNonEmptyPem(body?.publicKeyPem);
+  if (!pem) throw new Error("provider key endpoint did not return publicKeyPem");
+  return pem;
+}
+function pickConformanceTool({ manifest, toolId = null } = {}) {
+  const tools = Array.isArray(manifest?.tools) ? manifest.tools : [];
+  if (tools.length === 0) return null;
+  if (toolId) {
+    const selected = tools.find((row) => String(row?.toolId ?? "") === String(toolId));
+    if (selected) return selected;
+  }
+  const getTool = tools.find((row) => String(row?.method ?? "GET").toUpperCase() === "GET");
+  return getTool ?? tools[0];
+}
+function parseChallengeFields(unpaidResponseHeaders) {
+  const parsed = parseX402PaymentRequired({
+    "x-payment-required": headerValue(unpaidResponseHeaders, "x-payment-required"),
+    "payment-required": headerValue(unpaidResponseHeaders, "payment-required")
+  });
+  if (!parsed.ok) return { ok: false, code: "PROVIDER_CONFORMANCE_CHALLENGE_PARSE_FAILED", message: parsed.error ?? "invalid challenge" };
+  const fields = parsed.fields && typeof parsed.fields === "object" && !Array.isArray(parsed.fields) ? parsed.fields : {};
+  const rawAmount = fields.amountCents ?? fields.amount_cents ?? fields.priceCents ?? fields.price ?? fields.amount;
+  const amountCents = Number(rawAmount);
+  if (!Number.isSafeInteger(amountCents) || amountCents <= 0) {
+    return { ok: false, code: "PROVIDER_CONFORMANCE_CHALLENGE_INVALID", message: "challenge amountCents missing/invalid" };
+  }
+  const currencyRaw = fields.currency ?? "USD";
+  const currency = String(currencyRaw).trim().toUpperCase();
+  if (!currency) return { ok: false, code: "PROVIDER_CONFORMANCE_CHALLENGE_INVALID", message: "challenge currency missing/invalid" };
+  return { ok: true, parsed, fields, amountCents, currency };
+}
+function buildCheck(id, ok, details = null) {
+  return {
+    id,
+    ok: ok === true,
+    details: details && typeof details === "object" && !Array.isArray(details) ? details : details ?? null
+  };
+}
+function evaluateChecks(checks) {
+  const safe = Array.isArray(checks) ? checks : [];
+  const passed = safe.filter((row) => row && row.ok === true).length;
+  return {
+    ok: safe.length > 0 && passed === safe.length,
+    requiredChecks: safe.length,
+    passedChecks: passed
+  };
+}
+function methodSupportsBody(method) {
+  const m = String(method ?? "GET").toUpperCase();
+  return m !== "GET" && m !== "HEAD";
+}
+function computeConformanceRequestBindingSha256({ method, requestUrl, requestBody }) {
+  const bodyBytes = requestBody === undefined || requestBody === null ? Buffer.from("", "utf8") : Buffer.from(String(requestBody), "utf8");
+  const bodySha256 = sha256Hex(bodyBytes);
+  return computeSettldPayRequestBindingSha256V1({
+    method: String(method ?? "GET").toUpperCase(),
+    host: String(requestUrl?.host ?? "").toLowerCase(),
+    pathWithQuery: `${requestUrl?.pathname ?? "/"}${requestUrl?.search ?? ""}`,
+    bodySha256
+  });
+}
+export async function runProviderConformanceV1({
+  providerBaseUrl,
+  manifest: manifestInput,
+  providerId = null,
+  providerSigningPublicKeyPem = null,
+  conformanceToolId = null,
+  settldSigner,
+  fetchFn = null,
+  ttlSeconds = 300,
+  timeoutMs = 5000
+} = {}) {
+  const reportStartedAt = new Date().toISOString();
+  const checks = [];
+  const fetchImpl = typeof fetchFn === "function" ? fetchFn : globalThis.fetch;
+  if (typeof fetchImpl !== "function") throw new TypeError("fetch implementation is required");
+  const urlSafetyOptions = conformanceUrlSafetyOptions();
+  const signerPublicKeyPem = normalizeOptionalString(settldSigner?.publicKeyPem);
+  const signerKeyId = normalizeOptionalString(settldSigner?.keyId);
+  const signerPrivateKeyPem = normalizeOptionalString(settldSigner?.privateKeyPem);
+  if (!signerPrivateKeyPem || (!signerPublicKeyPem && !signerKeyId)) {
+    throw new TypeError("settldSigner.privateKeyPem and (settldSigner.keyId or settldSigner.publicKeyPem) are required");
+  }
+  const manifestResult = validatePaidToolManifestV1(manifestInput);
+  if (!manifestResult.ok) {
+    const report = {
+      schemaVersion: PROVIDER_CONFORMANCE_REPORT_SCHEMA_VERSION,
+      generatedAt: new Date().toISOString(),
+      startedAt: reportStartedAt,
+      providerBaseUrl: normalizeOptionalString(providerBaseUrl),
+      providerId: normalizeOptionalString(providerId),
+      checks: [buildCheck("manifest_valid", false, { code: manifestResult.code, message: manifestResult.message })]
+    };
+    report.verdict = evaluateChecks(report.checks);
+    return report;
+  }
+  const manifest = manifestResult.manifest;
+  let safeBaseUrl = null;
+  try {
+    safeBaseUrl = new URL(String(providerBaseUrl ?? "").trim()).toString();
+  } catch (err) {
+    const report = {
+      schemaVersion: PROVIDER_CONFORMANCE_REPORT_SCHEMA_VERSION,
+      generatedAt: new Date().toISOString(),
+      startedAt: reportStartedAt,
+      providerBaseUrl: normalizeOptionalString(providerBaseUrl),
+      providerId: normalizeOptionalString(providerId ?? manifest.providerId),
+      checks: [
+        buildCheck("manifest_valid", true),
+        buildCheck("provider_base_url_valid", false, { message: err?.message ?? "invalid providerBaseUrl" })
+      ]
+    };
+    report.verdict = evaluateChecks(report.checks);
+    return report;
+  }
+  let baseUrlSafety = null;
+  try {
+    baseUrlSafety = await checkUrlSafety(safeBaseUrl, urlSafetyOptions);
+  } catch (err) {
+    baseUrlSafety = {
+      ok: false,
+      code: "URL_SAFETY_CHECK_FAILED",
+      message: err?.message ?? String(err ?? "")
+    };
+  }
+  if (!baseUrlSafety?.ok) {
+    const report = {
+      schemaVersion: PROVIDER_CONFORMANCE_REPORT_SCHEMA_VERSION,
+      generatedAt: new Date().toISOString(),
+      startedAt: reportStartedAt,
+      providerBaseUrl: safeBaseUrl,
+      providerId: normalizeOptionalString(providerId ?? manifest.providerId),
+      checks: [
+        buildCheck("manifest_valid", true),
+        buildCheck("provider_base_url_valid", true),
+        buildCheck("provider_base_url_safe", false, {
+          code: baseUrlSafety?.code ?? null,
+          message: baseUrlSafety?.message ?? "unsafe providerBaseUrl"
+        })
+      ]
+    };
+    report.verdict = evaluateChecks(report.checks);
+    return report;
+  }
+  const effectiveProviderId = normalizeOptionalString(providerId) ?? String(manifest.providerId);
+  const tool = pickConformanceTool({ manifest, toolId: conformanceToolId });
+  if (!tool) {
+    const report = {
+      schemaVersion: PROVIDER_CONFORMANCE_REPORT_SCHEMA_VERSION,
+      generatedAt: new Date().toISOString(),
+      startedAt: reportStartedAt,
+      providerBaseUrl: safeBaseUrl,
+      providerId: effectiveProviderId,
+      checks: [
+        buildCheck("manifest_valid", true),
+        buildCheck("provider_base_url_valid", true),
+        buildCheck("conformance_tool_selected", false, { message: "no tool found in manifest" })
+      ]
+    };
+    report.verdict = evaluateChecks(report.checks);
+    return report;
+  }
+  checks.push(buildCheck("manifest_valid", true));
+  checks.push(buildCheck("provider_base_url_valid", true));
+  checks.push(
+    buildCheck("provider_base_url_safe", true, {
+      code: baseUrlSafety?.code ?? null
+    })
+  );
+  checks.push(buildCheck("conformance_tool_selected", true, { toolId: tool.toolId, method: tool.method, paidPath: tool.paidPath }));
+  const requestUrl = new URL(tool.paidPath, safeBaseUrl);
+  const toolIdempotency = typeof tool?.idempotency === "string" ? tool.idempotency.trim().toLowerCase() : "";
+  const toolClass = typeof tool?.toolClass === "string" ? tool.toolClass.trim().toLowerCase() : "";
+  const toolRiskLevel = typeof tool?.riskLevel === "string" ? tool.riskLevel.trim().toLowerCase() : "";
+  const strictRequestBindingRequired =
+    toolIdempotency === "non_idempotent" ||
+    toolIdempotency === "side_effecting" ||
+    toolClass === "action" ||
+    toolRiskLevel === "high";
+  const unpaidReqInit = requestInitForMethod(tool.method);
+  const unpaidSignal = typeof AbortSignal?.timeout === "function" ? AbortSignal.timeout(timeoutMs) : undefined;
+  const unpaidResponse = await fetchConformanceUrl({
+    fetchFn: fetchImpl,
+    url: requestUrl,
+    init: { ...unpaidReqInit, signal: unpaidSignal },
+    safetyOptions: urlSafetyOptions
+  });
+  checks.push(
+    buildCheck("unpaid_returns_402", unpaidResponse.status === 402, {
+      statusCode: unpaidResponse.status
+    })
+  );
+  const challengeHeaderX = headerValue(unpaidResponse.headers, "x-payment-required");
+  const challengeHeaderStd = headerValue(unpaidResponse.headers, "payment-required");
+  checks.push(
+    buildCheck("challenge_headers_present", Boolean(challengeHeaderX) && Boolean(challengeHeaderStd), {
+      hasXPaymentRequired: Boolean(challengeHeaderX),
+      hasPaymentRequired: Boolean(challengeHeaderStd)
+    })
+  );
+  const parsedChallenge = parseChallengeFields(unpaidResponse.headers);
+  checks.push(
+    buildCheck("challenge_header_parseable", parsedChallenge.ok === true, parsedChallenge.ok ? null : { message: parsedChallenge.message, code: parsedChallenge.code })
+  );
+  const expectedAmount = Number(tool?.pricing?.amountCents ?? manifest?.defaults?.amountCents);
+  const expectedCurrency = String(tool?.pricing?.currency ?? manifest?.defaults?.currency ?? "USD").toUpperCase();
+  if (parsedChallenge.ok) {
+    const parsedProviderId = normalizeOptionalString(parsedChallenge.fields?.providerId);
+    const parsedToolId = normalizeOptionalString(parsedChallenge.fields?.toolId);
+    checks.push(
+      buildCheck("challenge_matches_manifest_pricing", parsedChallenge.amountCents === expectedAmount && parsedChallenge.currency === expectedCurrency, {
+        expectedAmountCents: expectedAmount,
+        challengeAmountCents: parsedChallenge.amountCents,
+        expectedCurrency,
+        challengeCurrency: parsedChallenge.currency
+      })
+    );
+    checks.push(
+      buildCheck(
+        "challenge_matches_provider_and_tool",
+        (!parsedProviderId || parsedProviderId === effectiveProviderId) && (!parsedToolId || parsedToolId === tool.toolId),
+        {
+          expectedProviderId: effectiveProviderId,
+          challengeProviderId: parsedProviderId,
+          expectedToolId: tool.toolId,
+          challengeToolId: parsedToolId
+        }
+      )
+    );
+  } else {
+    checks.push(buildCheck("challenge_matches_manifest_pricing", false, { message: "challenge parse failed" }));
+    checks.push(buildCheck("challenge_matches_provider_and_tool", false, { message: "challenge parse failed" }));
+  }
+  const nowUnix = Math.floor(Date.now() / 1000);
+  const authorizationRef = `auth_conformance_${sha256Hex(`${effectiveProviderId}\n${tool.toolId}\n${nowUnix}`).slice(0, 16)}`;
+  const gateId = `gate_conformance_${sha256Hex(`${authorizationRef}\n${requestUrl.toString()}`).slice(0, 16)}`;
+  const tokenKid = signerKeyId ?? keyIdFromPublicKeyPem(signerPublicKeyPem);
+  const conformanceRequestBindingSha256 = strictRequestBindingRequired
+    ? computeConformanceRequestBindingSha256({
+        method: tool.method,
+        requestUrl,
+        requestBody: methodSupportsBody(tool.method) ? "{}" : ""
+      })
+    : null;
+  const payload = buildSettldPayPayloadV1({
+    iss: "settld",
+    aud: effectiveProviderId,
+    gateId,
+    authorizationRef,
+    amountCents: expectedAmount,
+    currency: expectedCurrency,
+    payeeProviderId: effectiveProviderId,
+    ...(strictRequestBindingRequired ? { requestBindingMode: "strict", requestBindingSha256: conformanceRequestBindingSha256 } : {}),
+    iat: nowUnix,
+    exp: nowUnix + Number(ttlSeconds)
+  });
+  const mintArgs = {
+    payload,
+    keyId: tokenKid,
+    privateKeyPem: signerPrivateKeyPem
+  };
+  if (!signerKeyId && signerPublicKeyPem) mintArgs.publicKeyPem = signerPublicKeyPem;
+  const token = mintSettldPayTokenV1(mintArgs).token;
+  const paidSignal = typeof AbortSignal?.timeout === "function" ? AbortSignal.timeout(timeoutMs) : undefined;
+  const paidResponse = await fetchConformanceUrl({
+    fetchFn: fetchImpl,
+    url: requestUrl,
+    init: {
+      ...requestInitForMethod(tool.method, token),
+      signal: paidSignal
+    },
+    safetyOptions: urlSafetyOptions
+  });
+  const paidPaymentError = headerValue(paidResponse.headers, "x-settld-payment-error");
+  checks.push(
+    buildCheck("paid_retry_succeeds", paidResponse.status >= 200 && paidResponse.status < 300, {
+      statusCode: paidResponse.status,
+      paymentError: paidPaymentError,
+      tokenKid
+    })
+  );
+  const requestBindingModeHeader = headerValue(paidResponse.headers, "x-settld-request-binding-mode");
+  const requestBindingSha256Header = headerValue(paidResponse.headers, "x-settld-request-binding-sha256");
+  checks.push(
+    buildCheck(
+      "strict_request_binding_enforced",
+      strictRequestBindingRequired
+        ? requestBindingModeHeader === "strict" && requestBindingSha256Header === conformanceRequestBindingSha256
+        : true,
+      {
+        required: strictRequestBindingRequired,
+        toolClass: toolClass || null,
+        toolRiskLevel: toolRiskLevel || null,
+        observedMode: requestBindingModeHeader,
+        observedSha256Present: Boolean(requestBindingSha256Header),
+        observedSha256: requestBindingSha256Header,
+        expectedSha256: conformanceRequestBindingSha256
+      }
+    )
+  );
+  const paidBytes = Buffer.from(await paidResponse.arrayBuffer());
+  const responseSha256 = sha256Hex(paidBytes);
+  const headerResponseSha256 = headerValue(paidResponse.headers, "x-settld-provider-response-sha256");
+  const providerKeyId = headerValue(paidResponse.headers, "x-settld-provider-key-id");
+  const providerSignedAt = headerValue(paidResponse.headers, "x-settld-provider-signed-at");
+  const providerNonce = headerValue(paidResponse.headers, "x-settld-provider-nonce");
+  const providerSignature = headerValue(paidResponse.headers, "x-settld-provider-signature");
+  checks.push(
+    buildCheck(
+      "provider_signature_headers_present",
+      Boolean(providerKeyId) && Boolean(providerSignedAt) && Boolean(providerNonce) && Boolean(providerSignature) && Boolean(headerResponseSha256),
+      {
+        keyIdPresent: Boolean(providerKeyId),
+        signedAtPresent: Boolean(providerSignedAt),
+        noncePresent: Boolean(providerNonce),
+        signaturePresent: Boolean(providerSignature),
+        responseHashPresent: Boolean(headerResponseSha256)
+      }
+    )
+  );
+  checks.push(
+    buildCheck("provider_response_hash_matches_body", headerResponseSha256 === responseSha256, {
+      headerResponseSha256,
+      computedResponseSha256: responseSha256
+    })
+  );
+  let resolvedProviderPublicKeyPem = null;
+  try {
+    resolvedProviderPublicKeyPem = await resolveProviderSigningPublicKeyPem({
+      providerSigningPublicKeyPem,
+      providerBaseUrl: safeBaseUrl,
+      fetchFn: fetchImpl,
+      timeoutMs,
+      safetyOptions: urlSafetyOptions
+    });
+    checks.push(buildCheck("provider_public_key_resolved", true));
+  } catch (err) {
+    checks.push(buildCheck("provider_public_key_resolved", false, { message: err?.message ?? String(err ?? "") }));
+  }
+  let signatureVerified = false;
+  let signatureVerifyDetails = null;
+  if (resolvedProviderPublicKeyPem && providerSignature && providerNonce && providerSignedAt) {
+    const expectedProviderKeyId = keyIdFromPublicKeyPem(resolvedProviderPublicKeyPem);
+    const payloadHash = computeToolProviderSignaturePayloadHashV1({
+      responseHash: responseSha256,
+      nonce: providerNonce,
+      signedAt: providerSignedAt
+    });
+    const signature = {
+      schemaVersion: "ToolProviderSignature.v1",
+      algorithm: "ed25519",
+      keyId: providerKeyId,
+      signedAt: providerSignedAt,
+      nonce: providerNonce,
+      responseHash: responseSha256,
+      payloadHash,
+      signatureBase64: providerSignature
+    };
+    try {
+      signatureVerified = verifyToolProviderSignatureV1({ signature, publicKeyPem: resolvedProviderPublicKeyPem }) === true;
+      signatureVerifyDetails = {
+        expectedProviderKeyId,
+        providerKeyId,
+        payloadHash
+      };
+    } catch (err) {
+      signatureVerified = false;
+      signatureVerifyDetails = {
+        expectedProviderKeyId,
+        providerKeyId,
+        payloadHash,
+        error: err?.message ?? String(err ?? "")
+      };
+    }
+  }
+  checks.push(buildCheck("provider_signature_verifies", signatureVerified, signatureVerifyDetails));
+  const replaySignal = typeof AbortSignal?.timeout === "function" ? AbortSignal.timeout(timeoutMs) : undefined;
+  const replayResponse = await fetchConformanceUrl({
+    fetchFn: fetchImpl,
+    url: requestUrl,
+    init: {
+      ...requestInitForMethod(tool.method, token),
+      signal: replaySignal
+    },
+    safetyOptions: urlSafetyOptions
+  });
+  const replayHeader = headerValue(replayResponse.headers, "x-settld-provider-replay");
+  const replayPaymentError = headerValue(replayResponse.headers, "x-settld-payment-error");
+  checks.push(
+    buildCheck("replay_dedupe_behavior", replayResponse.status >= 200 && replayResponse.status < 300 && replayHeader === "duplicate", {
+      statusCode: replayResponse.status,
+      replayHeader,
+      paymentError: replayPaymentError,
+      tokenKid
+    })
+  );
+  const report = {
+    schemaVersion: PROVIDER_CONFORMANCE_REPORT_SCHEMA_VERSION,
+    generatedAt: new Date().toISOString(),
+    startedAt: reportStartedAt,
+    settldSignerKeyId: tokenKid,
+    providerId: effectiveProviderId,
+    providerBaseUrl: safeBaseUrl,
+    tool: {
+      toolId: tool.toolId,
+      method: tool.method,
+      paidPath: tool.paidPath
+    },
+    manifestHash: sha256Hex(canonicalJsonStringify(normalizePaidToolManifestV1(manifest))),
+    checks
+  };
+  report.verdict = evaluateChecks(checks);
+  return report;
+}