x402-trust-layer 5.1.0

package/dist/lib/db.d.ts

@@ -0,0 +1,5 @@
+import { type Database as SqliteDatabase } from "better-sqlite3";
+export declare function resolveDbPath(): string;
+declare let db: SqliteDatabase;
+export { db };
+export declare function dbPath(): string;

package/dist/lib/db.js

@@ -0,0 +1,113 @@
+import Database from "better-sqlite3";
+import path from "node:path";
+import { mkdirSync } from "node:fs";
+import { runMigrations } from "./migrations.js";
+export function resolveDbPath() {
+    const explicit = process.env.DB_PATH?.trim();
+    if (explicit)
+        return explicit;
+    const dataDir = process.env.DATA_DIR?.trim() || path.join(process.cwd(), "data");
+    return path.join(dataDir, "trust-layer.db");
+}
+const DB_PATH = resolveDbPath();
+function ensureDataDirWritable() {
+    const dir = path.dirname(DB_PATH);
+    try {
+        mkdirSync(dir, { recursive: true });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        throw new Error(`Cannot create data directory ${dir} (${msg}). ` +
+            `On Railway, mount the volume at /app/data and set DATA_DIR=/app/data (or omit DATA_DIR). ` +
+            `SQLITE_CANTOPEN often means the volume is not writable by the app user.`);
+    }
+}
+ensureDataDirWritable();
+let db;
+try {
+    db = new Database(DB_PATH);
+}
+catch (err) {
+    const code = err && typeof err === "object" && "code" in err ? String(err.code) : "";
+    if (code === "SQLITE_CANTOPEN") {
+        throw new Error(`Cannot open SQLite database at ${DB_PATH}. ` +
+            `Check DATA_DIR matches the volume mount (use /app/data). ` +
+            `Redeploy with the docker entrypoint that chowns the volume, or fix volume permissions.`, { cause: err });
+    }
+    throw err;
+}
+export { db };
+db.pragma("journal_mode = WAL");
+db.pragma("foreign_keys = ON");
+db.exec(`
+  CREATE TABLE IF NOT EXISTS attestations (
+    id TEXT PRIMARY KEY,
+    agent_id TEXT NOT NULL,
+    wallet_address TEXT NOT NULL,
+    payload JSON NOT NULL,
+    hmac_signature TEXT NOT NULL,
+    created_at INTEGER NOT NULL DEFAULT (unixepoch()),
+    expires_at INTEGER,
+    revoked INTEGER NOT NULL DEFAULT 0
+  );
+
+  CREATE TABLE IF NOT EXISTS spend_ledger (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    agent_id TEXT NOT NULL,
+    wallet_address TEXT,
+    endpoint TEXT,
+    amount_usdc REAL NOT NULL,
+    network TEXT,
+    tx_hash TEXT,
+    day_key TEXT NOT NULL,
+    created_at INTEGER NOT NULL DEFAULT (unixepoch())
+  );
+
+  CREATE INDEX IF NOT EXISTS idx_spend_day ON spend_ledger(agent_id, day_key);
+
+  CREATE TABLE IF NOT EXISTS mpp_sessions (
+    session_id TEXT PRIMARY KEY,
+    agent_id TEXT NOT NULL,
+    budget_usdc REAL NOT NULL,
+    spent_usdc REAL NOT NULL DEFAULT 0,
+    status TEXT NOT NULL DEFAULT 'open',
+    created_at INTEGER NOT NULL DEFAULT (unixepoch()),
+    closed_at INTEGER,
+    payload TEXT
+  );
+
+  CREATE TABLE IF NOT EXISTS escrow_records (
+    escrow_id TEXT PRIMARY KEY,
+    buyer_agent_id TEXT NOT NULL,
+    seller_agent_id TEXT NOT NULL,
+    amount_usdc REAL NOT NULL,
+    condition_hash TEXT,
+    status TEXT NOT NULL DEFAULT 'held',
+    created_at INTEGER NOT NULL DEFAULT (unixepoch()),
+    released_at INTEGER,
+    payload TEXT
+  );
+
+  CREATE TABLE IF NOT EXISTS used_nonces (
+    nonce TEXT PRIMARY KEY,
+    network TEXT NOT NULL,
+    used_at INTEGER NOT NULL DEFAULT (unixepoch())
+  );
+
+  CREATE INDEX IF NOT EXISTS idx_nonces_time ON used_nonces(used_at);
+`);
+function ensurePayloadColumns() {
+    const mppCols = db.prepare("PRAGMA table_info(mpp_sessions)").all();
+    if (!mppCols.some((c) => c.name === "payload")) {
+        db.exec("ALTER TABLE mpp_sessions ADD COLUMN payload TEXT");
+    }
+    const escCols = db.prepare("PRAGMA table_info(escrow_records)").all();
+    if (!escCols.some((c) => c.name === "payload")) {
+        db.exec("ALTER TABLE escrow_records ADD COLUMN payload TEXT");
+    }
+}
+ensurePayloadColumns();
+runMigrations(db);
+export function dbPath() {
+    return DB_PATH;
+}

package/dist/lib/discovery-page.d.ts

@@ -0,0 +1,2 @@
+/** Human-readable discovery page — avoids sending browsers to raw /.well-known/x402 JSON. */
+export declare function renderDiscoveryPage(manifest: object, baseUrl: string): string;

package/dist/lib/discovery-page.js

@@ -0,0 +1,71 @@
+/** Human-readable discovery page — avoids sending browsers to raw /.well-known/x402 JSON. */
+export function renderDiscoveryPage(manifest, baseUrl) {
+    const json = JSON.stringify(manifest, null, 2)
+        .replace(/&/g, "&")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;");
+    return `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8"/>
+<meta name="viewport" content="width=device-width, initial-scale=1"/>
+<title>x402 Discovery Manifest — x402 Trust Layer</title>
+<meta name="description" content="x402 Trust Layer discovery manifest — 31 verified payable resource URLs for agents and scanners."/>
+<link rel="icon" type="image/svg+xml" href="/assets/x402-trustlayer-logo.svg"/>
+<link rel="stylesheet" href="/landing.css?v=4"/>
+</head>
+<body>
+<div class="grid-bg"></div>
+<header class="nav">
+  <div class="nav-shell">
+    <a class="brand" href="/"><img src="/assets/x402-trustlayer-logo.svg" alt=""/><span class="brand-text">x402<span class="dim">trustlayer</span></span></a>
+    <nav class="nav-menu">
+      <a href="/">Home</a>
+      <a href="/openapi.json">OpenAPI</a>
+      <a href="/health">Status</a>
+    </nav>
+  </div>
+</header>
+<section class="pad" style="padding-top:48px">
+  <div class="wrap" style="max-width:900px">
+    <p class="kicker">Discovery</p>
+    <h2 style="font-size:clamp(24px,4vw,36px);margin-bottom:12px">x402 manifest</h2>
+    <p class="section-desc" style="max-width:100%;margin-bottom:24px">
+      Machine-readable catalog for x402scan, Agentic Market, and OpenDexter.
+      Scanners use <code class="mono">GET /.well-known/x402</code>.
+      In the browser, open <code class="mono">/discovery.json</code> for the same JSON without Chrome warnings.
+    </p>
+    <div class="tag-row" style="margin-bottom:20px">
+      <span class="tag mono">31 resources</span>
+      <span class="tag mono">100% verified</span>
+      <span class="tag mono">Base · Solana</span>
+    </div>
+    <div class="terminal-panel">
+      <div class="term-chrome">
+        <span class="dot r"></span><span class="dot y"></span><span class="dot g"></span>
+        <span class="term-title mono">x402 discovery manifest</span>
+      </div>
+      <pre class="code-block mono" style="margin:0;border:none;border-radius:0;max-height:60vh;overflow:auto">${json}</pre>
+    </div>
+    <div class="hero-actions" style="justify-content:flex-start;margin-top:24px">
+      <button type="button" class="btn solid" id="copy-json">Copy JSON</button>
+      <a class="btn ghost" href="/discovery.json" target="_blank" rel="noopener">Open JSON</a>
+      <a class="btn ghost" href="/x402/api/discover">Full catalog</a>
+    </div>
+    <p class="section-desc" style="margin-top:20px;font-size:12px">
+      Register individual paid URLs from <code>resources[]</code> on x402scan — not this catalog URL.
+    </p>
+  </div>
+</section>
+<script>
+document.getElementById("copy-json")?.addEventListener("click", function () {
+  var text = document.querySelector("pre.code-block")?.textContent || "";
+  navigator.clipboard.writeText(text).then(function () {
+    var b = document.getElementById("copy-json");
+    if (b) { b.textContent = "Copied ✓"; setTimeout(function () { b.textContent = "Copy JSON"; }, 2000); }
+  });
+});
+</script>
+</body>
+</html>`;
+}

package/dist/lib/ecosystem-telemetry.d.ts

@@ -0,0 +1,20 @@
+export type HostTelemetry = {
+    host: string;
+    source: string;
+    washTradePct?: number;
+    observedTxns?: number;
+    observedVolumeUsdc?: number;
+    verifiedResources?: number;
+    totalResources?: number;
+    realVolumePct?: number;
+    fetchedAt: string;
+};
+/**
+ * Best-effort telemetry from x402watch public API (free tier).
+ * Set X402WATCH_API_BASE to override. Falls back gracefully if unreachable.
+ */
+export declare function fetchHostTelemetry(hostInput: string, targetUrl?: string): Promise<HostTelemetry | null>;
+export declare function mergeTelemetryIntoMerchantInput<T extends Record<string, unknown>>(input: T, telemetry: HostTelemetry | null): T & {
+    telemetrySource?: string;
+    telemetryFetchedAt?: string;
+};

package/dist/lib/ecosystem-telemetry.js

@@ -0,0 +1,80 @@
+import { hostOf } from "./probe.js";
+const WATCH_API = (process.env.X402WATCH_API_BASE ?? "https://api.x402.printmoneylab.com/api/v1").replace(/\/$/, "");
+function hostMatches(service, host) {
+    const candidates = [service.domain, service.host, service.url, service.name].filter(Boolean);
+    return candidates.some((c) => {
+        try {
+            const h = (c.includes("://") ? hostOf(c) : c.toLowerCase()) || "";
+            return h.length > 0 && (h === host || h.endsWith(`.${host}`) || host.endsWith(`.${h}`));
+        }
+        catch {
+            return c.toLowerCase().includes(host);
+        }
+    });
+}
+function pickService(services, host) {
+    const exact = services.find((s) => hostMatches(s, host));
+    if (exact)
+        return exact;
+    return services.find((s) => {
+        const d = (s.domain ?? s.host ?? "").toLowerCase();
+        return d && (host.includes(d) || d.includes(host));
+    }) ?? null;
+}
+/**
+ * Best-effort telemetry from x402watch public API (free tier).
+ * Set X402WATCH_API_BASE to override. Falls back gracefully if unreachable.
+ */
+export async function fetchHostTelemetry(hostInput, targetUrl) {
+    const host = (hostInput || hostOf(targetUrl ?? "") || "").toLowerCase();
+    if (!host)
+        return null;
+    const fetchedAt = new Date().toISOString();
+    try {
+        const searchUrl = `${WATCH_API}/services?search=${encodeURIComponent(host)}&limit=20`;
+        const res = await fetch(searchUrl, {
+            signal: AbortSignal.timeout(Number(process.env.TELEMETRY_FETCH_MS ?? 8_000)),
+            headers: { accept: "application/json" },
+        });
+        if (!res.ok)
+            return null;
+        const body = (await res.json());
+        const list = body.data ?? body.services ?? (Array.isArray(body) ? body : []);
+        const svc = pickService(list, host);
+        if (!svc)
+            return { host, source: "x402watch:miss", fetchedAt };
+        const realPct = svc.realVolumePct ?? svc.real_volume_pct;
+        const wash = svc.washPct ??
+            svc.wash_pct ??
+            (typeof realPct === "number" ? Math.max(0, Math.min(100, 100 - realPct)) : undefined);
+        return {
+            host,
+            source: "x402watch",
+            washTradePct: wash,
+            observedTxns: svc.txCount ?? svc.transactionCount,
+            observedVolumeUsdc: svc.volumeUsdc ?? svc.volume_usdc,
+            verifiedResources: svc.verifiedCount,
+            totalResources: svc.resourceCount ?? svc.resources,
+            realVolumePct: realPct,
+            fetchedAt,
+        };
+    }
+    catch {
+        return { host, source: "x402watch:unavailable", fetchedAt };
+    }
+}
+export function mergeTelemetryIntoMerchantInput(input, telemetry) {
+    if (!telemetry || telemetry.source === "x402watch:miss" || telemetry.source === "x402watch:unavailable") {
+        return { ...input, telemetrySource: telemetry?.source ?? "none" };
+    }
+    return {
+        ...input,
+        washTradePct: input.washTradePct ?? telemetry.washTradePct,
+        observedTxns: input.observedTxns ?? telemetry.observedTxns,
+        observedVolumeUsdc: input.observedVolumeUsdc ?? telemetry.observedVolumeUsdc,
+        verifiedResources: input.verifiedResources ?? telemetry.verifiedResources,
+        totalResources: input.totalResources ?? telemetry.totalResources,
+        telemetrySource: telemetry.source,
+        telemetryFetchedAt: telemetry.fetchedAt,
+    };
+}

package/dist/lib/erc8004/agent-card.d.ts

@@ -0,0 +1,34 @@
+export type AgentCardJson = {
+    name?: string;
+    description?: string;
+    active?: boolean;
+    status?: string;
+    x402Support?: boolean;
+    services?: unknown[];
+    endpoints?: unknown[];
+    registrations?: {
+        domain?: string;
+        url?: string;
+    }[];
+    domain?: string;
+    url?: string;
+};
+export type AgentCardScore = {
+    points: number;
+    maxPoints: number;
+    valid: boolean;
+    fields: string[];
+    missing: string[];
+    agentUri: string | null;
+    domain: string | null;
+};
+export type WellKnownScore = {
+    points: number;
+    maxPoints: number;
+    verified: boolean;
+    url: string | null;
+    error: string | null;
+};
+export declare function fetchAgentCard(agentUri: string): Promise<AgentCardJson | null>;
+export declare function scoreAgentCard(card: AgentCardJson | null, agentUri: string | null): AgentCardScore;
+export declare function verifyWellKnown(domain: string | null): Promise<WellKnownScore>;

package/dist/lib/erc8004/agent-card.js

@@ -0,0 +1,151 @@
+import { assertSafeOutboundUrl } from "../ssrf.js";
+import { safeFetch } from "../safe-fetch.js";
+function parseDataUri(uri) {
+    const comma = uri.indexOf(",");
+    if (comma < 0)
+        return null;
+    const payload = uri.slice(comma + 1);
+    try {
+        const text = uri.includes(";base64")
+            ? Buffer.from(payload, "base64").toString("utf8")
+            : decodeURIComponent(payload);
+        return JSON.parse(text);
+    }
+    catch {
+        return null;
+    }
+}
+function ipfsToHttps(uri) {
+    if (uri.startsWith("ipfs://")) {
+        return `https://ipfs.io/ipfs/${uri.slice(7)}`;
+    }
+    return uri;
+}
+export async function fetchAgentCard(agentUri) {
+    if (agentUri.startsWith("data:")) {
+        return parseDataUri(agentUri);
+    }
+    const url = ipfsToHttps(agentUri);
+    if (!url.startsWith("http"))
+        return null;
+    try {
+        assertSafeOutboundUrl(url);
+        const res = await safeFetch(url, {
+            headers: { accept: "application/json" },
+            timeoutMs: 8000,
+        });
+        if (res.status >= 300 && res.status < 400)
+            return null;
+        if (!res.ok)
+            return null;
+        return (await res.json());
+    }
+    catch {
+        return null;
+    }
+}
+function extractDomain(card, agentUri) {
+    if (card.domain && typeof card.domain === "string") {
+        return card.domain.replace(/^https?:\/\//, "").split("/")[0] ?? null;
+    }
+    const reg = card.registrations?.find((r) => r.domain);
+    if (reg?.domain)
+        return reg.domain.replace(/^https?:\/\//, "").split("/")[0] ?? null;
+    try {
+        if (agentUri.startsWith("http")) {
+            return new URL(agentUri).hostname;
+        }
+    }
+    catch {
+        /* ignore */
+    }
+    return null;
+}
+export function scoreAgentCard(card, agentUri) {
+    const maxPoints = 15;
+    if (!card) {
+        return {
+            points: 0,
+            maxPoints,
+            valid: false,
+            fields: [],
+            missing: ["name", "services", "x402Support", "active"],
+            agentUri,
+            domain: null,
+        };
+    }
+    const fields = [];
+    const missing = [];
+    if (card.name && card.name.trim().length > 0)
+        fields.push("name");
+    else
+        missing.push("name");
+    const hasServices = (Array.isArray(card.services) && card.services.length > 0) ||
+        (Array.isArray(card.endpoints) && card.endpoints.length > 0);
+    if (hasServices)
+        fields.push("services");
+    else
+        missing.push("services");
+    const x402 = card.x402Support === true ||
+        (Array.isArray(card.services) &&
+            card.services.some((s) => typeof s === "object" &&
+                s !== null &&
+                ("x402" in s || "payment" in s || "protocol" in s)));
+    if (x402)
+        fields.push("x402Support");
+    else
+        missing.push("x402Support");
+    const active = card.active === true ||
+        card.status === "active" ||
+        card.status === "online";
+    if (active)
+        fields.push("active");
+    else
+        missing.push("active");
+    const completeness = fields.length / 4;
+    const points = Math.round(maxPoints * completeness);
+    const domain = extractDomain(card, agentUri ?? "");
+    return {
+        points,
+        maxPoints,
+        valid: fields.length >= 3,
+        fields,
+        missing,
+        agentUri,
+        domain,
+    };
+}
+export async function verifyWellKnown(domain) {
+    const maxPoints = 10;
+    if (!domain) {
+        return { points: 0, maxPoints, verified: false, url: null, error: "no_domain_in_agent_card" };
+    }
+    const url = `https://${domain}/.well-known/agent-registration.json`;
+    try {
+        assertSafeOutboundUrl(url);
+        const res = await safeFetch(url, {
+            headers: { accept: "application/json" },
+            timeoutMs: 6000,
+        });
+        if (res.status >= 300 && res.status < 400) {
+            return { points: 0, maxPoints, verified: false, url, error: "redirect_not_followed" };
+        }
+        if (!res.ok) {
+            return { points: 0, maxPoints, verified: false, url, error: `HTTP ${res.status}` };
+        }
+        const body = await res.json();
+        if (body && typeof body === "object") {
+            return { points: maxPoints, maxPoints, verified: true, url, error: null };
+        }
+        return { points: 0, maxPoints, verified: false, url, error: "invalid_json" };
+    }
+    catch (err) {
+        return {
+            points: 0,
+            maxPoints,
+            verified: false,
+            url,
+            error: err instanceof Error ? err.message : "fetch_failed",
+        };
+    }
+}

package/dist/lib/erc8004/cache.d.ts

@@ -0,0 +1,3 @@
+export declare function cacheGet<T>(key: string): T | null;
+export declare function cacheSet<T>(key: string, value: T, ttlSec: number): void;
+export declare function cacheKey(parts: (string | number | null | undefined)[]): string;

package/dist/lib/erc8004/cache.js

@@ -0,0 +1,17 @@
+const store = new Map();
+export function cacheGet(key) {
+    const entry = store.get(key);
+    if (!entry)
+        return null;
+    if (Date.now() >= entry.expiresAt) {
+        store.delete(key);
+        return null;
+    }
+    return entry.value;
+}
+export function cacheSet(key, value, ttlSec) {
+    store.set(key, { value, expiresAt: Date.now() + ttlSec * 1000 });
+}
+export function cacheKey(parts) {
+    return parts.map((p) => String(p ?? "")).join(":");
+}

package/dist/lib/erc8004/constants.d.ts

@@ -0,0 +1,22 @@
+/** Official ERC-8004 Base Mainnet — do not use Sepolia addresses in production. */
+export declare const ERC8004_CAIP2: "eip155:8453";
+export declare const ERC8004_CHAIN_ID = 8453;
+export declare const DEFAULT_IDENTITY_REGISTRY: "0x8004A169FB4a3325136EB29fA0ceB6D2e539a432";
+export declare const DEFAULT_REPUTATION_REGISTRY: "0x8004BAa17C55a88189AE136b182e5fdA19dE9b63";
+export declare const TRUST_TIERS: readonly ["PLATINUM", "GOLD", "SILVER", "BRONZE", "UNVERIFIED", "UNKNOWN"];
+export type TrustTier = (typeof TRUST_TIERS)[number];
+export declare const TIER_THRESHOLDS: {
+    tier: Exclude<TrustTier, "UNKNOWN">;
+    minScore: number;
+}[];
+export declare const TRUST_SCORE_WEIGHTS: {
+    readonly onChainRegistration: 30;
+    readonly reputation: 25;
+    readonly walletVerified: 15;
+    readonly agentCard: 15;
+    readonly domainWellKnown: 10;
+    readonly paymentHistory: 5;
+};
+export declare function tierForScore(score: number): Exclude<TrustTier, "UNKNOWN">;
+export declare function tierRank(tier: TrustTier): number;
+export declare function isEvmAddress(addr: string): boolean;

package/dist/lib/erc8004/constants.js

@@ -0,0 +1,35 @@
+/** Official ERC-8004 Base Mainnet — do not use Sepolia addresses in production. */
+export const ERC8004_CAIP2 = "eip155:8453";
+export const ERC8004_CHAIN_ID = 8453;
+export const DEFAULT_IDENTITY_REGISTRY = "0x8004A169FB4a3325136EB29fA0ceB6D2e539a432";
+export const DEFAULT_REPUTATION_REGISTRY = "0x8004BAa17C55a88189AE136b182e5fdA19dE9b63";
+export const TRUST_TIERS = ["PLATINUM", "GOLD", "SILVER", "BRONZE", "UNVERIFIED", "UNKNOWN"];
+export const TIER_THRESHOLDS = [
+    { tier: "PLATINUM", minScore: 85 },
+    { tier: "GOLD", minScore: 70 },
+    { tier: "SILVER", minScore: 50 },
+    { tier: "BRONZE", minScore: 30 },
+    { tier: "UNVERIFIED", minScore: 0 },
+];
+export const TRUST_SCORE_WEIGHTS = {
+    onChainRegistration: 30,
+    reputation: 25,
+    walletVerified: 15,
+    agentCard: 15,
+    domainWellKnown: 10,
+    paymentHistory: 5,
+};
+export function tierForScore(score) {
+    for (const { tier, minScore } of TIER_THRESHOLDS) {
+        if (score >= minScore)
+            return tier;
+    }
+    return "UNVERIFIED";
+}
+export function tierRank(tier) {
+    const order = ["PLATINUM", "GOLD", "SILVER", "BRONZE", "UNVERIFIED", "UNKNOWN"];
+    return order.indexOf(tier);
+}
+export function isEvmAddress(addr) {
+    return /^0x[a-fA-F0-9]{40}$/.test(addr.trim());
+}

package/dist/lib/erc8004/registry.d.ts

@@ -0,0 +1,19 @@
+import { type Address } from "viem";
+export declare function identityRegistryAddress(): Address;
+export declare function reputationRegistryAddress(): Address;
+export declare function readOwnerOf(agentId: bigint): Promise<Address | null>;
+export declare function readTokenUri(agentId: bigint): Promise<string | null>;
+export declare function readAgentWallet(agentId: bigint): Promise<Address | null>;
+export declare function readBalanceOf(wallet: Address): Promise<bigint>;
+export type ReputationSummary = {
+    count: bigint;
+    summaryValue: bigint;
+    summaryValueDecimals: number;
+};
+export declare function readReputationSummary(agentId: bigint): Promise<ReputationSummary | null>;
+export declare function chainMeta(): {
+    caip2: "eip155:8453";
+    chainId: number;
+    identityRegistry: `0x${string}`;
+    reputationRegistry: `0x${string}`;
+};