x402-trust-layer 5.1.0

package/dist/index.js

@@ -0,0 +1,389 @@
+import express from "express";
+import helmet from "helmet";
+import cors from "cors";
+import { readFileSync, statSync } from "node:fs";
+import { join } from "node:path";
+import { assertConfig, config } from "./config.js";
+import { db, dbPath } from "./lib/db.js";
+import "./lib/db.js";
+import { logger } from "./lib/logger.js";
+import { startOtelIfEnabled } from "./lib/otel.js";
+import { sendProblem } from "./lib/problem-detail.js";
+import { telemetryMiddleware, metricsPayload } from "./lib/telemetry.js";
+import { createPaidMiddleware } from "./lib/x402-paid.js";
+import { buildDiscoverCatalog, buildServicesManifest, buildWellKnownX402, } from "./lib/bazaar.js";
+import { buildAgentCashOpenApi, buildWellKnownX402Resources, buildWellKnownX402V2, } from "./lib/openapi-agentcash.js";
+import { registerA2AAgentCard } from "./routes/a2a-agent-card.js";
+import { renderDiscoveryPage } from "./lib/discovery-page.js";
+import { applyVerifierExampleBody } from "./lib/apply-verifier-body.js";
+import { replayBindingMiddleware } from "./lib/replay-middleware.js";
+import { registerAgenticProbes, stripTrailingSlash } from "./lib/agentic-probes.js";
+import { registerWebhookRoutes } from "./lib/webhook-routes.js";
+import { KILLER_SELLER_ENDPOINTS, PRIMARY_ENTRYPOINTS } from "./lib/suite-catalog.js";
+import { listEndpoints, registerRoutes } from "./routes.js";
+import { registerX402gleHostVerification } from "./lib/x402gle-host-verify.js";
+import { ensureVerifierProbeMandate } from "./lib/mandate.js";
+import { ensureVerifierProbeProtocol } from "./lib/verifier-probe-protocol.js";
+import { SUITE_VERSION } from "./lib/version.js";
+import { refreshFacilitatorExtras, startFacilitatorExtrasRefresh } from "./lib/facilitator-extra.js";
+import { rateLimitPerMinute, rateLimitUnpaidProbes, rateLimitAgentLookup } from "./lib/rate-limit.js";
+import { handleAgentLookup } from "./agents/agent-verify.js";
+import { runCertifiedLookup, runCertifiedCatalog } from "./agents/trust-network.js";
+assertConfig();
+void startOtelIfEnabled();
+void refreshFacilitatorExtras().catch((err) => {
+    logger.warn({ err: err instanceof Error ? err.message : String(err) }, "Facilitator /supported preload failed");
+});
+startFacilitatorExtrasRefresh();
+void ensureVerifierProbeMandate().catch((err) => {
+    logger.warn({ err: err instanceof Error ? err.message : err }, "Verifier probe mandate seed skipped");
+});
+void ensureVerifierProbeProtocol().catch((err) => {
+    logger.warn({ err: err instanceof Error ? err.message : err }, "Verifier probe protocol seed skipped");
+});
+const app = express();
+app.set("trust proxy", Number(process.env.TRUST_PROXY_HOPS ?? 1));
+app.disable("x-powered-by");
+app.use(helmet({
+    contentSecurityPolicy: {
+        directives: { defaultSrc: ["'none'"], scriptSrc: ["'none'"] },
+    },
+    crossOriginEmbedderPolicy: false,
+}));
+const corsOrigins = process.env.CORS_ORIGINS?.split(",").map((o) => o.trim()).filter(Boolean);
+app.use(cors({ origin: corsOrigins?.length ? corsOrigins : false }));
+app.use((req, res, next) => {
+    res.setHeader("API-Version", "1");
+    const orig = req.originalUrl;
+    if (orig.startsWith("/api/v1/")) {
+        req.url = `/api/${orig.slice("/api/v1/".length)}`;
+    }
+    else if (orig.startsWith("/api/")) {
+        res.setHeader("X-Deprecated", "true");
+    }
+    next();
+});
+app.use(telemetryMiddleware);
+registerA2AAgentCard(app);
+registerX402gleHostVerification(app);
+app.use(stripTrailingSlash);
+app.use(express.json({ limit: "512kb" }));
+/** Unpaid probes → 402 (x402scan). Paid retries capped separately. */
+app.use("/api", rateLimitUnpaidProbes(Number(process.env.RATE_LIMIT_UNPAID_PER_MIN ?? 600)));
+app.use("/api", rateLimitPerMinute(Number(process.env.RATE_LIMIT_PER_MIN ?? 120)));
+/** Canonical example bodies for x402gle / Dexter AI verifier (empty or partial POST) */
+app.use("/api", (req, _res, next) => {
+    applyVerifierExampleBody(req);
+    next();
+});
+app.use("/api", replayBindingMiddleware);
+/** Trust Layer brand landing page — served to browsers at `/`; machines still get JSON. */
+let LANDING_HTML = "";
+try {
+    LANDING_HTML = readFileSync(join(process.cwd(), "public", "index.html"), "utf8");
+}
+catch {
+    LANDING_HTML = "";
+}
+/** Static public files (landing.js, data, assets). index.html served via GET / negotiation. */
+app.use(express.static(join(process.cwd(), "public"), {
+    index: false,
+    maxAge: "1h",
+}));
+const paid = createPaidMiddleware();
+function asyncRoute(handler) {
+    return (req, res, next) => {
+        handler(req, res).catch(next);
+    };
+}
+const GITHUB_REPO = "https://github.com/mimranchohan/x402-trust-layer";
+function healthPayload() {
+    const dataDir = process.env.DATA_DIR?.trim() || "/app/data";
+    return {
+        ok: true,
+        service: "x402-trust-layer",
+        version: SUITE_VERSION,
+        protocol: "agent-trust-protocol-v4",
+        protocolArchitecture: `${config.publicBaseUrl}/api/protocol/architecture`,
+        chains: config.chains,
+        networks: config.networks,
+        facilitator: config.facilitatorUrl,
+        endpointCount: listEndpoints().length,
+        nonceBackend: metricsPayload().nonceBackend,
+        gitCommit: process.env.RAILWAY_GIT_COMMIT_SHA?.slice(0, 7) ?? null,
+        deploy: {
+            platform: process.env.RAILWAY_ENVIRONMENT ? "railway" : null,
+            docker: true,
+            volumeMount: "/app/data",
+            dataDir,
+            sqlitePath: dbPath(),
+            entrypoint: "scripts/docker-entrypoint.sh (chown volume for non-root app user)",
+        },
+        documentation: {
+            github: GITHUB_REPO,
+            railwayDeploy: `${GITHUB_REPO}/blob/main/docs/RAILWAY-DEPLOY.md`,
+            productionHardening: `${GITHUB_REPO}/blob/main/docs/PRODUCTION-HARDENING.md`,
+            npm: "https://www.npmjs.com/package/x402-trust-layer",
+        },
+        agenticGetProbes: true,
+        agenticReady: config.publicBaseUrl.startsWith("https://") &&
+            config.chains.includes("base") &&
+            config.payToEvm.length > 0,
+        agenticHint: !config.payToEvm
+            ? "Set PAY_TO_EVM + NETWORKS=base,solana on Railway for agentic.market"
+            : config.publicBaseUrl.includes("railway.app") &&
+                !process.env.PUBLIC_BASE_URL &&
+                !process.env.CANONICAL_PUBLIC_URL
+                ? `Set PUBLIC_BASE_URL=${config.canonicalOrigin} so discovery URLs match x402trustlayer.xyz`
+                : null,
+        agentCashDiscovery: {
+            openapi: `${config.publicBaseUrl}/openapi.json`,
+            wellKnown: `${config.publicBaseUrl}/.well-known/x402`,
+            ready: config.publicBaseUrl.startsWith("https://") && config.payToEvm.length > 0,
+        },
+    };
+}
+app.get("/llms.txt", (_req, res) => {
+    try {
+        const txt = readFileSync(join(process.cwd(), "public", "llms.txt"), "utf8");
+        res.type("text/plain").send(txt);
+    }
+    catch {
+        res.status(404).type("text/plain").send("llms.txt not found");
+    }
+});
+app.get("/llms-full.txt", (_req, res) => {
+    try {
+        const txt = readFileSync(join(process.cwd(), "public", "llms-full.txt"), "utf8");
+        res.type("text/plain").send(txt);
+    }
+    catch {
+        res.status(404).type("text/plain").send("llms-full.txt not found");
+    }
+});
+app.get("/skill.md", (_req, res) => {
+    try {
+        const md = readFileSync(join(process.cwd(), "public", "skill.md"), "utf8");
+        res.type("text/markdown").send(md);
+    }
+    catch {
+        res.status(404).type("text/plain").send("skill.md not found");
+    }
+});
+app.get("/metrics", (_req, res) => {
+    res.json(metricsPayload());
+});
+app.get("/robots.txt", (_req, res) => {
+    res
+        .type("text/plain")
+        .send("User-agent: *\nAllow: /\nSitemap: /sitemap.xml\n# Agent-friendly: see /llms.txt\n");
+});
+app.get("/.well-known/x402/v2", (_req, res) => {
+    res.json(buildWellKnownX402V2());
+});
+app.get("/health", (_req, res) => {
+    let dbOk = false;
+    let diskOk = false;
+    try {
+        db.prepare("SELECT 1").get();
+        dbOk = true;
+    }
+    catch {
+        /* db down */
+    }
+    try {
+        statSync(process.cwd());
+        diskOk = true;
+    }
+    catch {
+        /* disk */
+    }
+    const status = dbOk && diskOk ? 200 : 503;
+    res.status(status).json({
+        ...healthPayload(),
+        ok: dbOk && diskOk,
+        db: dbOk ? "ok" : "error",
+        disk: diskOk ? "ok" : "error",
+    });
+});
+// Compatibility aliases used by some external quality probes.
+app.get("/api/health", (_req, res) => {
+    let dbOk = false;
+    let diskOk = false;
+    try {
+        db.prepare("SELECT 1").get();
+        dbOk = true;
+    }
+    catch {
+        /* */
+    }
+    try {
+        statSync(process.cwd());
+        diskOk = true;
+    }
+    catch {
+        /* */
+    }
+    const status = dbOk && diskOk ? 200 : 503;
+    res.status(status).json({
+        ...healthPayload(),
+        ok: dbOk && diskOk,
+        db: dbOk ? "ok" : "error",
+        disk: diskOk ? "ok" : "error",
+    });
+});
+app.get("/api/version", (_req, res) => {
+    res.json({ service: "x402-agent-suite-pro", version: SUITE_VERSION });
+});
+app.get("/api/agents", (_req, res) => {
+    res.json({
+        count: listEndpoints().length,
+        endpoints: listEndpoints(),
+    });
+});
+app.get("/openapi.json", (_req, res) => {
+    res.json(buildAgentCashOpenApi());
+});
+/** AgentCash / x402scan discovery fan-out (canonical path) */
+app.get("/.well-known/x402", (_req, res) => {
+    res.json(buildWellKnownX402Resources());
+});
+app.get("/.well-known/x402.json", (_req, res) => {
+    res.json(buildWellKnownX402());
+});
+/** Human-friendly discovery view (landing page links here instead of raw JSON path). */
+app.get("/discovery", (_req, res) => {
+    res.type("html").send(renderDiscoveryPage(buildWellKnownX402Resources(), config.publicBaseUrl));
+});
+/** Same manifest as /.well-known/x402 — free catalog (HTTP 200). Not for agentic.market Validate. */
+app.get("/discovery.json", (_req, res) => {
+    res.json({
+        ...buildWellKnownX402Resources(),
+        agenticValidateNote: "Do not submit this URL to agentic.market Validate. Use paid /api/* URLs from GET /api/agentic/validate-urls instead.",
+    });
+});
+app.get("/x402/api/services.json", (_req, res) => {
+    res.json(buildServicesManifest());
+});
+function sendDiscoverCatalog(_req, res) {
+    res.json(buildDiscoverCatalog());
+}
+app.get("/x402/api/discover", sendDiscoverCatalog);
+/** Redirects — canonical path is /x402/api/discover */
+app.get("/x402/discover", (_req, res) => res.redirect(301, "/x402/api/discover"));
+app.get("/discover", (_req, res) => res.redirect(301, "/x402/api/discover"));
+app.get("/", (req, res) => {
+    const acceptsHtml = (req.headers.accept ?? "").includes("text/html");
+    if (acceptsHtml && LANDING_HTML) {
+        res.type("html").send(LANDING_HTML);
+        return;
+    }
+    const all = listEndpoints();
+    res.json({
+        name: "x402 Trust Layer — Agent Suite",
+        version: SUITE_VERSION,
+        description: `${all.length} paid x402 infrastructure APIs — guard, semantic escrow, mandate diff, certified seller network, Agent Trust Protocol v4`,
+        github: GITHUB_REPO,
+        npm: "https://www.npmjs.com/package/x402-trust-layer",
+        docs: `${config.publicBaseUrl}/openapi.json`,
+        llmsTxt: `${config.publicBaseUrl}/llms.txt`,
+        skillMd: `${config.publicBaseUrl}/skill.md`,
+        discovery: `${config.publicBaseUrl}/x402/api/discover`,
+        bazaar: `${config.publicBaseUrl}/x402/api/services.json`,
+        deployDocs: `${GITHUB_REPO}/blob/main/docs/RAILWAY-DEPLOY.md`,
+        agenticMarket: "https://agentic.market/",
+        agentCash: "https://agentcash.dev/",
+        x402scanRegister: "https://www.x402scan.com/resources/register",
+        dexterSeller: `https://dexter.cash/sellers/${config.payTo}`,
+        pipeline: `${config.publicBaseUrl}/api/pipeline/full`,
+        onboarding: {
+            primary: PRIMARY_ENTRYPOINTS,
+            killerSeller: KILLER_SELLER_ENDPOINTS,
+            advancedCount: all.length - PRIMARY_ENTRYPOINTS.length - KILLER_SELLER_ENDPOINTS.length,
+        },
+        endpoints: all,
+    });
+});
+const postHandlers = registerRoutes(app, paid, asyncRoute);
+registerWebhookRoutes(app);
+/** Free ERC-8004 lookup — rate limited ~30/hr per IP */
+app.get("/api/agent/lookup/:wallet", rateLimitAgentLookup(Number(process.env.RATE_LIMIT_AGENT_LOOKUP_PER_HOUR ?? 30)), asyncRoute(handleAgentLookup));
+/** Free certified seller lookup — rate limited */
+app.get("/api/merchant-trust/certified/:host", rateLimitAgentLookup(Number(process.env.RATE_LIMIT_AGENT_LOOKUP_PER_HOUR ?? 60)), asyncRoute(async (req, res) => {
+    const host = String(req.params.host ?? "").trim();
+    if (!host) {
+        res.status(400).json({ error: "host required" });
+        return;
+    }
+    res.json(await runCertifiedLookup(host));
+}));
+app.get("/api/trust-network/catalog", rateLimitAgentLookup(Number(process.env.RATE_LIMIT_AGENT_LOOKUP_PER_HOUR ?? 60)), asyncRoute(async (req, res) => {
+    const limit = typeof req.query.limit === "string" ? Math.min(100, Math.max(1, Number(req.query.limit) || 50)) : 50;
+    res.json(await runCertifiedCatalog(limit));
+}));
+registerAgenticProbes(app, paid, postHandlers);
+/** Copy-paste URLs for Agentic Validate Endpoint (free) */
+app.get("/api/agentic/validate-urls", (_req, res) => {
+    const base = config.publicBaseUrl;
+    res.json({
+        note: "Paste these exact URLs into agentic.market Validate Endpoint. No trailing slash.",
+        doNotValidate: [
+            `${base}/discovery.json`,
+            `${base}/.well-known/x402`,
+            `${base}/health`,
+            `${base}/x402/api/discover`,
+        ],
+        agenticGetProbes: true,
+        cdpBazaarHint: "For CDP Bazaar auto-index, set USE_CDP_FACILITATOR=1 and FACILITATOR_URL=https://api.cdp.coinbase.com/platform/v2/x402/facilitator with CDP API keys, then complete one settlement per route.",
+        facilitator: config.facilitatorUrl,
+        urls: listEndpoints().map((e) => {
+            const [, path] = e.path.split(" ");
+            return `${base}${path}`;
+        }),
+        example: `${base}/api/x402/proxy`,
+    });
+});
+app.use((err, _req, res, _next) => {
+    if (res.headersSent) {
+        logger.error({ err }, "API error after headers sent");
+        return;
+    }
+    logger.error({ err }, "API error");
+    const expose = process.env.NODE_ENV !== "production" && !process.env.RAILWAY_ENVIRONMENT;
+    if (expose && err instanceof Error) {
+        sendProblem(res, 500, "Internal server error", err.message);
+        return;
+    }
+    sendProblem(res, 500, "Internal server error");
+});
+const host = "0.0.0.0";
+const server = app.listen(config.port, host, () => {
+    logger.info({
+        version: SUITE_VERSION,
+        endpoints: listEndpoints().length,
+        chains: config.chains.join(","),
+        git: process.env.RAILWAY_GIT_COMMIT_SHA?.slice(0, 7) ?? "local",
+        public: config.publicBaseUrl,
+    }, "x402 Trust Layer listening");
+});
+async function shutdown(signal) {
+    logger.info({ signal }, "Shutdown initiated");
+    await new Promise((resolve) => server.close(() => resolve()));
+    try {
+        db.close();
+    }
+    catch {
+        /* ignore */
+    }
+    logger.info({}, "Clean shutdown complete");
+    process.exit(0);
+}
+process.once("SIGTERM", () => void shutdown("SIGTERM"));
+process.once("SIGINT", () => void shutdown("SIGINT"));
+process.on("uncaughtException", (err) => {
+    logger.error({ err }, "Uncaught exception");
+    void shutdown("uncaughtException");
+});
+process.on("unhandledRejection", (err) => {
+    logger.error({ err }, "Unhandled rejection");
+});

package/dist/lib/agent-response.d.ts

@@ -0,0 +1,14 @@
+/** Standard trust fields on paid agent responses (Dexter / fleet integrators). */
+export type AgentTrustMeta = {
+    confidence: number;
+    checks_passed: string[];
+    sources: string[];
+    accuracy_note: string;
+};
+export type WithAgentTrust<T> = T & AgentTrustMeta;
+export declare function agentTrustMeta(checks_passed: string[], options?: {
+    confidence?: number;
+    sources?: string[];
+    accuracy_note?: string;
+}): AgentTrustMeta;
+export declare function withAgentTrust<T extends Record<string, unknown>>(payload: T, meta: AgentTrustMeta): T & AgentTrustMeta;

package/dist/lib/agent-response.js

@@ -0,0 +1,13 @@
+const DEFAULT_NOTE = "Heuristic preflight only — not a guarantee of downstream API quality or settlement success.";
+export function agentTrustMeta(checks_passed, options) {
+    const confidence = Math.max(0, Math.min(1, options?.confidence ?? 0.82));
+    return {
+        confidence,
+        checks_passed,
+        sources: options?.sources ?? ["x402-agent-suite-pro", "dexter-facilitator"],
+        accuracy_note: options?.accuracy_note ?? DEFAULT_NOTE,
+    };
+}
+export function withAgentTrust(payload, meta) {
+    return { ...payload, ...meta };
+}

package/dist/lib/agentic-gateways.d.ts

@@ -0,0 +1,5 @@
+/** Hosts that require SIWE/SIWS before x402 payment (401/403 is expected on bare probes). */
+export declare const KNOWN_AGENTIC_GATEWAY_HOSTS: readonly ["x402.alchemy.com", "api.cdp.coinbase.com", "x402.dexter.cash", "x402.org"];
+export declare function isKnownAgenticGateway(host: string): boolean;
+/** HTTP statuses that mean "auth/payment layer present" for SIWE-first gateways. */
+export declare function isExpectedAgenticGatewayProbeStatus(status: number): boolean;

package/dist/lib/agentic-gateways.js

@@ -0,0 +1,15 @@
+/** Hosts that require SIWE/SIWS before x402 payment (401/403 is expected on bare probes). */
+export const KNOWN_AGENTIC_GATEWAY_HOSTS = [
+    "x402.alchemy.com",
+    "api.cdp.coinbase.com",
+    "x402.dexter.cash",
+    "x402.org",
+];
+export function isKnownAgenticGateway(host) {
+    const h = host.toLowerCase();
+    return KNOWN_AGENTIC_GATEWAY_HOSTS.some((pattern) => h === pattern || h.endsWith(`.${pattern}`));
+}
+/** HTTP statuses that mean "auth/payment layer present" for SIWE-first gateways. */
+export function isExpectedAgenticGatewayProbeStatus(status) {
+    return status === 401 || status === 403 || status === 402;
+}

package/dist/lib/agentic-probes.d.ts

@@ -0,0 +1,10 @@
+import type { Express, Request, Response, RequestHandler } from "express";
+type PaidFn = (amount: string, description: string) => import("express").RequestHandler;
+/** Agentic / Bazaar crawlers often use GET or HEAD; some add a trailing slash. */
+export declare function stripTrailingSlash(req: Request, _res: Response, next: () => void): void;
+/**
+ * x402gle/Dexter often pay for GET after 402. Mount the same core handler as POST
+ * (payment verified on GET only — no second x402 middleware).
+ */
+export declare function registerAgenticProbes(app: Express, paid: PaidFn, postHandlers: Map<string, RequestHandler>): void;
+export {};

package/dist/lib/agentic-probes.js

@@ -0,0 +1,49 @@
+import { listEndpoints } from "../routes.js";
+import { applyVerifierExampleBody } from "./apply-verifier-body.js";
+/** Agentic / Bazaar crawlers often use GET or HEAD; some add a trailing slash. */
+export function stripTrailingSlash(req, _res, next) {
+    if (req.path.length > 1 && req.path.endsWith("/")) {
+        const query = req.url.includes("?") ? req.url.slice(req.url.indexOf("?")) : "";
+        req.url = req.path.slice(0, -1) + query;
+    }
+    next();
+}
+function headWrap(core) {
+    return (req, res, next) => {
+        const origJson = res.json.bind(res);
+        res.json = ((body) => {
+            res.status(200);
+            res.end();
+            return res;
+        });
+        core(req, res, (err) => {
+            res.json = origJson;
+            next(err);
+        });
+    };
+}
+function paidGetProbe(core) {
+    return (req, res, next) => {
+        applyVerifierExampleBody(req);
+        core(req, res, next);
+    };
+}
+/**
+ * x402gle/Dexter often pay for GET after 402. Mount the same core handler as POST
+ * (payment verified on GET only — no second x402 middleware).
+ */
+export function registerAgenticProbes(app, paid, postHandlers) {
+    for (const ep of listEndpoints()) {
+        const [listedMethod, path] = ep.path.split(" ");
+        if (listedMethod === "GET")
+            continue;
+        const core = postHandlers.get(path);
+        if (!core)
+            continue;
+        const amount = ep.price.replace(/^\$/, "");
+        const description = `x402 paid probe for ${path} — GET/HEAD returns same JSON as POST`;
+        const paidMw = paid(amount, description);
+        app.get(path, paidMw, paidGetProbe(core));
+        app.head(path, paidMw, headWrap(paidGetProbe(core)));
+    }
+}

package/dist/lib/alchemy-x402-fetch.d.ts

@@ -0,0 +1,16 @@
+import { paymentResponseFromHeaders } from "./payment-response.js";
+export type AlchemyX402Result = {
+    status: number;
+    body: string;
+    headers: Record<string, string | string[] | undefined>;
+    payment: ReturnType<typeof paymentResponseFromHeaders>;
+    ok: boolean;
+};
+/**
+ * Pay Alchemy x402 gateway via raw HTTPS.
+ * Node fetch rejects some x402 header names (e.g. Payment-Signature); use PAYMENT-SIGNATURE.
+ */
+export declare function alchemyX402Pay(url: string, body: string, privateKey: string, siweToken?: string): Promise<AlchemyX402Result>;
+export declare function alchemyX402Fetch(url: string, init: RequestInit, privateKey: string): Promise<Response>;
+export declare function createAlchemyX402Fetch(privateKey: string): Promise<typeof fetch>;
+export declare const alchemyX402FetchOnce: typeof alchemyX402Fetch;

package/dist/lib/alchemy-x402-fetch.js

@@ -0,0 +1,95 @@
+import { createPayment } from "@alchemy/x402";
+import { request as httpsRequest } from "node:https";
+import { paymentResponseFromHeaders } from "./payment-response.js";
+function rawHttpsPost(url, headers, body) {
+    return new Promise((resolve, reject) => {
+        const u = new URL(url);
+        const req = httpsRequest({
+            hostname: u.hostname,
+            path: `${u.pathname}${u.search}`,
+            method: "POST",
+            headers: {
+                ...headers,
+                "content-length": String(Buffer.byteLength(body)),
+            },
+        }, (res) => {
+            let data = "";
+            res.on("data", (chunk) => {
+                data += chunk;
+            });
+            res.on("end", () => {
+                resolve({ status: res.statusCode ?? 0, headers: res.headers, body: data });
+            });
+        });
+        req.on("error", reject);
+        req.write(body);
+        req.end();
+    });
+}
+function headersToFetchLike(h) {
+    const out = new Headers();
+    for (const [k, v] of Object.entries(h)) {
+        if (typeof v === "string")
+            out.set(k, v);
+        else if (Array.isArray(v))
+            out.set(k, v.join(", "));
+    }
+    return out;
+}
+function paymentRequiredFrom402(headers, bodyText) {
+    const header = (typeof headers["payment-required"] === "string" && headers["payment-required"]) ||
+        (typeof headers["PAYMENT-REQUIRED"] === "string" && headers["PAYMENT-REQUIRED"]);
+    if (header)
+        return header;
+    return Buffer.from(bodyText, "utf8").toString("base64");
+}
+/**
+ * Pay Alchemy x402 gateway via raw HTTPS.
+ * Node fetch rejects some x402 header names (e.g. Payment-Signature); use PAYMENT-SIGNATURE.
+ */
+export async function alchemyX402Pay(url, body, privateKey, siweToken) {
+    const baseHeaders = {
+        "content-type": "application/json",
+        accept: "application/json",
+    };
+    if (siweToken)
+        baseHeaders.authorization = `SIWE ${siweToken}`;
+    const first = await rawHttpsPost(url, baseHeaders, body);
+    if (first.status !== 402) {
+        return {
+            status: first.status,
+            body: first.body,
+            headers: first.headers,
+            payment: paymentResponseFromHeaders(headersToFetchLike(first.headers)),
+            ok: first.status >= 200 && first.status < 300,
+        };
+    }
+    const paymentRequiredHeader = paymentRequiredFrom402(first.headers, first.body);
+    const paymentSig = await createPayment({ privateKey, paymentRequiredHeader });
+    const paid = await rawHttpsPost(url, {
+        ...baseHeaders,
+        "PAYMENT-SIGNATURE": paymentSig,
+    }, body);
+    const payment = paymentResponseFromHeaders(headersToFetchLike(paid.headers));
+    const paidOk = paid.status >= 200 && paid.status < 300;
+    const paymentSettled = payment?.raw != null && payment.raw.success === true;
+    return {
+        status: paid.status,
+        body: paid.body,
+        headers: paid.headers,
+        payment,
+        ok: paidOk || paymentSettled,
+    };
+}
+export async function alchemyX402Fetch(url, init, privateKey) {
+    const body = typeof init.body === "string" ? init.body : "";
+    const result = await alchemyX402Pay(url, body, privateKey);
+    return new Response(result.body, {
+        status: result.status,
+        headers: headersToFetchLike(result.headers),
+    });
+}
+export async function createAlchemyX402Fetch(privateKey) {
+    return async (input, init) => alchemyX402Fetch(String(input), init ?? {}, privateKey);
+}
+export const alchemyX402FetchOnce = alchemyX402Fetch;

package/dist/lib/apply-verifier-body.d.ts

@@ -0,0 +1,7 @@
+import type { Request } from "express";
+/** Normalize grader policy shapes (`[{host:"x.com"}]` → `["x.com"]`). */
+export declare function normalizePolicyHosts(policy: unknown): unknown;
+/** Safe merge for route-level zod fallback (ignore unknown/incompatible grader keys). */
+export declare function mergeCompatibleProbeInput(example: Record<string, unknown>, input: Record<string, unknown>): Record<string, unknown>;
+/** Merge canonical bodies so x402gle / Dexter paid probes get 200 instead of 400 */
+export declare function applyVerifierExampleBody(req: Request): void;