npm - settld - Versions diffs - 0.1.5 → 0.2.0 - Mend

settld 0.1.5 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (82) hide show

package/README.md +32 -0
package/SETTLD_VERSION +1 -1
package/bin/settld.js +58 -0
package/docs/CIRCLE_SANDBOX_E2E.md +12 -0
package/docs/QUICKSTART_MCP.md +41 -1
package/docs/QUICKSTART_MCP_HOSTS.md +156 -89
package/docs/QUICKSTART_POLICY_PACKS.md +65 -0
package/docs/QUICKSTART_PROFILES.md +198 -0
package/docs/README.md +18 -0
package/docs/RELEASE_CHECKLIST.md +26 -0
package/docs/RELEASING.md +1 -0
package/docs/SLO.md +62 -1
package/docs/SUMMARY.md +1 -0
package/docs/gitbook/README.md +13 -1
package/docs/gitbook/quickstart.md +57 -58
package/docs/integrations/README.md +1 -0
package/docs/integrations/openclaw/PUBLIC_QUICKSTART.md +95 -0
package/docs/ops/DISPUTE_FINANCE_RECONCILIATION_PACKET.md +56 -0
package/docs/ops/KERNEL_V0_SHIP_GATE.md +3 -1
package/docs/ops/MCP_COMPATIBILITY_MATRIX.md +8 -6
package/docs/ops/PRODUCTION_DEPLOYMENT_CHECKLIST.md +46 -9
package/docs/ops/TRUST_CONFIG_WIZARD.md +37 -24
package/docs/plans/2026-02-20-trust-os-v1-jira-backlog.md +348 -0
package/docs/plans/2026-02-21-agent-economic-actor-operating-model.md +169 -0
package/docs/plans/2026-02-21-trust-os-v1-strategy.md +241 -0
package/docs/research/2026-02-21-agent-spend-host-landscape.md +57 -0
package/docs/spec/ArbitrationOutcomeMapping.v1.md +62 -0
package/docs/spec/DisputeCaseLifecycle.v1.md +51 -0
package/docs/spec/OperatorAction.v1.md +90 -0
package/docs/spec/PolicyDecision.v1.md +83 -0
package/docs/spec/README.md +5 -0
package/docs/spec/SettlementDecisionRecord.v2.md +2 -0
package/docs/spec/schemas/OperatorAction.v1.schema.json +113 -0
package/docs/spec/schemas/PolicyDecision.v1.schema.json +74 -0
package/docs/spec/schemas/SettlementDecisionRecord.v2.schema.json +1 -0
package/docs/spec/x402-error-codes.v1.txt +14 -0
package/package.json +14 -1
package/scripts/ci/build-launch-cutover-packet.mjs +177 -21
package/scripts/ci/run-10x-throughput-drill.mjs +76 -4
package/scripts/ci/run-10x-throughput-incident-rehearsal.mjs +49 -6
package/scripts/ci/run-mcp-host-cert-matrix.mjs +201 -0
package/scripts/ci/run-mcp-host-smoke.mjs +203 -5
package/scripts/ci/run-offline-verification-parity-gate.mjs +762 -0
package/scripts/ci/run-onboarding-host-success-gate.mjs +516 -0
package/scripts/ci/run-onboarding-policy-slo-gate.mjs +537 -0
package/scripts/ci/run-production-cutover-gate.mjs +540 -0
package/scripts/ci/run-public-openclaw-npx-smoke.mjs +148 -0
package/scripts/ci/run-release-promotion-guard.mjs +756 -0
package/scripts/doctor/mcp-host.mjs +120 -0
package/scripts/mcp/settld-mcp-server.mjs +330 -20
package/scripts/ops/dispute-finance-reconciliation-packet.mjs +313 -0
package/scripts/ops/hosted-baseline-evidence.mjs +286 -77
package/scripts/ops/run-x402-hitl-smoke.mjs +607 -0
package/scripts/policy/cli.mjs +600 -0
package/scripts/profile/cli.mjs +1324 -0
package/scripts/register-entity-secret.mjs +102 -0
package/scripts/setup/circle-bootstrap.mjs +310 -0
package/scripts/setup/host-config.mjs +617 -0
package/scripts/setup/onboard.mjs +1337 -0
package/scripts/setup/openclaw-onboard.mjs +423 -0
package/scripts/setup/wizard.mjs +986 -0
package/scripts/slo/check.mjs +123 -62
package/scripts/spec/generate-protocol-vectors.mjs +88 -0
package/scripts/test/run.sh +23 -9
package/services/x402-gateway/src/server.js +147 -36
package/src/api/app.js +2345 -267
package/src/api/middleware/trust-kernel.js +114 -0
package/src/api/openapi.js +598 -3
package/src/api/persistence.js +184 -0
package/src/api/store.js +277 -0
package/src/core/agent-wallets.js +134 -0
package/src/core/event-policy.js +21 -2
package/src/core/operator-action.js +303 -0
package/src/core/policy-decision.js +322 -0
package/src/core/policy-packs.js +207 -0
package/src/core/profile-fingerprint.js +27 -0
package/src/core/profile-simulation-reasons.js +84 -0
package/src/core/profile-templates.js +242 -0
package/src/core/settlement-kernel.js +27 -1
package/src/core/wallet-assignment-resolver.js +129 -0
package/src/core/wallet-provider-bootstrap.js +365 -0
package/src/db/store-pg.js +631 -0

package/src/api/middleware/trust-kernel.js ADDED Viewed

@@ -0,0 +1,114 @@
+import { authorize } from "./authz.js";
+const HIGH_RISK_WRITE_ROUTES = Object.freeze([
+  { id: "x402_wallet_authorize", method: "POST", path: /^\/x402\/wallets\/[^/]+\/authorize$/, requiredScopes: ["FINANCE_WRITE"] },
+  { id: "x402_gate_create", method: "POST", path: /^\/x402\/gate\/create$/, requiredScopes: ["FINANCE_WRITE"] },
+  { id: "x402_gate_quote", method: "POST", path: /^\/x402\/gate\/quote$/, requiredScopes: ["FINANCE_WRITE"] },
+  { id: "x402_gate_authorize_payment", method: "POST", path: /^\/x402\/gate\/authorize-payment$/, requiredScopes: ["FINANCE_WRITE"] },
+  { id: "x402_gate_verify", method: "POST", path: /^\/x402\/gate\/verify$/, requiredScopes: ["FINANCE_WRITE"] },
+  { id: "x402_gate_reversal", method: "POST", path: /^\/x402\/gate\/reversal$/, requiredScopes: ["FINANCE_WRITE"] },
+  {
+    id: "x402_gate_escalation_resolve",
+    method: "POST",
+    path: /^\/x402\/gate\/escalations\/[^/]+\/resolve$/,
+    requiredScopes: ["FINANCE_WRITE"]
+  },
+  { id: "x402_gate_wind_down", method: "POST", path: /^\/x402\/gate\/agents\/[^/]+\/wind-down$/, requiredScopes: ["OPS_WRITE"] }
+]);
+function normalizeMethod(value) {
+  return typeof value === "string" ? value.trim().toUpperCase() : "";
+}
+function normalizePath(value) {
+  return typeof value === "string" ? value.trim() : "";
+}
+function normalizeSha256(value) {
+  const text = typeof value === "string" ? value.trim().toLowerCase() : "";
+  return /^[0-9a-f]{64}$/.test(text) ? text : null;
+}
+function fail({ code, message, details = null, statusCode = 409 } = {}) {
+  return { ok: false, code, message, details, statusCode };
+}
+export function resolveTrustKernelHighRiskWriteRoute({ method, path } = {}) {
+  const normalizedMethod = normalizeMethod(method);
+  const normalizedPath = normalizePath(path);
+  for (const route of HIGH_RISK_WRITE_ROUTES) {
+    if (route.method !== normalizedMethod) continue;
+    if (!route.path.test(normalizedPath)) continue;
+    return route;
+  }
+  return null;
+}
+export function guardHighRiskTrustKernelWrite({ method, path, auth, opsScopes } = {}) {
+  const route = resolveTrustKernelHighRiskWriteRoute({ method, path });
+  if (!route) return { ok: true, routeId: null };
+  if (!auth || auth.ok !== true) {
+    return fail({ statusCode: 403, code: "FORBIDDEN", message: "forbidden", details: { routeId: route.id } });
+  }
+  const requiredScopes = [];
+  for (const scopeName of route.requiredScopes) {
+    const scopeValue = opsScopes && typeof opsScopes === "object" ? opsScopes[scopeName] : null;
+    if (typeof scopeValue === "string" && scopeValue.trim() !== "") requiredScopes.push(scopeValue.trim());
+  }
+  if (!requiredScopes.length) {
+    return fail({ statusCode: 403, code: "FORBIDDEN", message: "forbidden", details: { routeId: route.id } });
+  }
+  const allowed = authorize({ scopes: auth.scopes, requiredScopes, mode: "any" });
+  if (!allowed) {
+    return fail({ statusCode: 403, code: "FORBIDDEN", message: "forbidden", details: { routeId: route.id } });
+  }
+  return { ok: true, routeId: route.id };
+}
+export function guardExecutionIntentRequestBindingConsistency({
+  executionIntent,
+  requestBindingMode,
+  requestBindingSha256
+} = {}) {
+  if (!executionIntent || typeof executionIntent !== "object" || Array.isArray(executionIntent)) {
+    return { ok: true, expectedRequestSha256: null };
+  }
+  const intentRequestSha256 = normalizeSha256(executionIntent?.requestFingerprint?.requestSha256);
+  if (!intentRequestSha256) {
+    return fail({
+      code: "X402_EXECUTION_INTENT_REQUEST_MISMATCH",
+      message: "execution intent request fingerprint does not match request binding",
+      details: { expectedRequestSha256: null, requestBindingSha256: normalizeSha256(requestBindingSha256) }
+    });
+  }
+  const mode = typeof requestBindingMode === "string" ? requestBindingMode.trim().toLowerCase() : null;
+  if (mode !== "strict") {
+    return fail({
+      code: "X402_EXECUTION_INTENT_REQUEST_BINDING_REQUIRED",
+      message: "execution intent requires strict request binding",
+      details: { expectedRequestSha256: intentRequestSha256, requestBindingMode: mode }
+    });
+  }
+  const normalizedBindingSha256 = normalizeSha256(requestBindingSha256);
+  if (!normalizedBindingSha256) {
+    return fail({
+      code: "X402_EXECUTION_INTENT_REQUEST_BINDING_REQUIRED",
+      message: "execution intent requires strict request binding",
+      details: { expectedRequestSha256: intentRequestSha256, requestBindingMode: mode, requestBindingSha256: null }
+    });
+  }
+  if (intentRequestSha256 !== normalizedBindingSha256) {
+    return fail({
+      code: "X402_EXECUTION_INTENT_REQUEST_MISMATCH",
+      message: "execution intent request fingerprint does not match request binding",
+      details: { expectedRequestSha256: intentRequestSha256, requestBindingSha256: normalizedBindingSha256 }
+    });
+  }
+  return { ok: true, expectedRequestSha256: intentRequestSha256 };
+}