x402-trust-layer 5.1.0

package/dist/agents/dispute-resolver.js

@@ -0,0 +1,124 @@
+import { agentTrustMeta, withAgentTrust } from "../lib/agent-response.js";
+import { config } from "../config.js";
+// Visa-style reason code families (illustrative mapping for card rails).
+const VISA_REASON_CODE = {
+    non_delivery: { code: "13.1", family: "Merchandise/Services Not Received" },
+    quality_mismatch: { code: "13.3", family: "Not as Described or Defective" },
+    overcharge: { code: "12.5", family: "Incorrect Amount" },
+    duplicate: { code: "12.6", family: "Duplicate Processing" },
+    unauthorized: { code: "10.4", family: "Fraud — Card Absent Environment" },
+};
+function isCardRail(rail) {
+    return rail === "visa-cli" || rail === "card";
+}
+/**
+ * Dispute & Chargeback Auto-Resolver.
+ * Visa CLI brings chargeback rights to agentic payments — but nobody automates
+ * the filing. For card rails this builds a Visa chargeback dossier (reason code,
+ * required evidence, filing steps). For final/stablecoin rails (no chargeback)
+ * it routes to an escrow/refund claim instead. Bridges card dispute rules with
+ * on-chain receipts.
+ */
+export function runDisputeResolve(input) {
+    const ev = input.evidence ?? {};
+    const card = isCardRail(input.rail);
+    // Strength of the dispute (0-100) from evidence.
+    let strength = 40;
+    const evidenceItems = [];
+    const requiredEvidence = [];
+    if (input.reason === "non_delivery") {
+        if (ev.actualResponseEmpty) {
+            strength += 35;
+            evidenceItems.push("Empty/absent response captured");
+        }
+        if (ev.receiptValid === false) {
+            strength += 10;
+            evidenceItems.push("Settlement receipt could not be validated");
+        }
+        requiredEvidence.push("Timestamped request/response logs", "Proof endpoint returned no deliverable");
+    }
+    if (input.reason === "quality_mismatch") {
+        if (typeof ev.verificationScore === "number" && ev.verificationScore < 50) {
+            strength += 30;
+            evidenceItems.push(`Verification score ${ev.verificationScore} below threshold`);
+        }
+        if (ev.expectedSchema?.length) {
+            strength += 10;
+            evidenceItems.push(`Expected schema keys: ${ev.expectedSchema.join(", ")}`);
+        }
+        requiredEvidence.push("Published 'good response' profile vs actual response diff");
+    }
+    if (input.reason === "overcharge") {
+        if (ev.chargedUsdc != null && ev.quotedUsdc != null && ev.chargedUsdc > ev.quotedUsdc) {
+            strength += 40;
+            evidenceItems.push(`Charged $${ev.chargedUsdc} vs quoted $${ev.quotedUsdc}`);
+        }
+        requiredEvidence.push("Original 402 quote", "Settlement amount proof");
+    }
+    if (input.reason === "duplicate") {
+        if (ev.duplicateOfTx) {
+            strength += 45;
+            evidenceItems.push(`Duplicate of tx ${ev.duplicateOfTx}`);
+        }
+        requiredEvidence.push("Both transaction hashes with identical merchant + amount");
+    }
+    if (input.reason === "unauthorized") {
+        strength += 20;
+        requiredEvidence.push("Mandate showing payment outside signed scope", "Agent identity attestation");
+    }
+    strength = Math.max(0, Math.min(100, strength));
+    const likelihood = strength >= 70 ? "strong" : strength >= 45 ? "moderate" : "weak";
+    if (card) {
+        const rc = VISA_REASON_CODE[input.reason];
+        return withAgentTrust({
+            path: "card-chargeback",
+            rail: input.rail,
+            merchant: input.merchant,
+            amountUsdc: input.amountUsdc,
+            reason: input.reason,
+            reasonCode: rc.code,
+            reasonFamily: rc.family,
+            disputeStrength: strength,
+            likelihood,
+            autoFileable: strength >= 70,
+            requiredEvidence,
+            evidenceCaptured: evidenceItems,
+            filingSteps: [
+                "Compile evidence bundle (logs + receipt + mandate)",
+                `File chargeback under Visa reason code ${rc.code} (${rc.family})`,
+                "Submit via Visa CLI dispute channel / issuing bank",
+                "Track representment window and respond to merchant compelling evidence",
+            ],
+            nextStep: { method: "POST", path: "/api/compliance/ledger", note: "Log disputed item in audit ledger" },
+        }, agentTrustMeta(["reason_code_map", "evidence_scoring"], {
+            confidence: 0.83,
+            sources: ["dispute-resolver", "visa-dispute-rules"],
+            accuracy_note: "Reason codes are illustrative; confirm current Visa Dispute Resolution code set before filing.",
+        }));
+    }
+    // Stablecoin / final rails: no chargeback — route to escrow/refund claim.
+    return withAgentTrust({
+        path: "onchain-refund-claim",
+        rail: input.rail,
+        merchant: input.merchant,
+        amountUsdc: input.amountUsdc,
+        reason: input.reason,
+        finality: "final (no card chargeback available)",
+        disputeStrength: strength,
+        likelihood,
+        autoFileable: false,
+        requiredEvidence,
+        evidenceCaptured: evidenceItems,
+        recommendedRoute: [
+            "Open/settle via /api/agent-escrow so funds are release-gated next time",
+            "Score eligibility via /api/refund-arbiter/evaluate",
+            "Request merchant refund with receipt proof from /api/receipt-auditor/verify",
+        ],
+        escrowUrl: `${config.publicBaseUrl}/api/agent-escrow`,
+        refundArbiterUrl: `${config.publicBaseUrl}/api/refund-arbiter/evaluate`,
+    }, agentTrustMeta(["finality_check", "evidence_scoring"], {
+        confidence: 0.78,
+        sources: ["dispute-resolver", "x402-settlement"],
+        accuracy_note: "Stablecoin settlements are irreversible; future spend should be escrow-gated. Use card rails (Visa CLI) when dispute rights matter.",
+    }));
+}

package/dist/agents/evidence-locker.d.ts

@@ -0,0 +1,30 @@
+import { type WithAgentTrust } from "../lib/agent-response.js";
+export type SettlementRecord = {
+    transactionHash?: string;
+    endpoint: string;
+    amountUsdc: number;
+    payer?: string;
+    network: string;
+    timestamp?: string;
+};
+export type EvidenceLockerInput = {
+    organizationId: string;
+    records: SettlementRecord[];
+};
+export type EvidenceLockerResult = {
+    ok: boolean;
+    bundleId: string;
+    organizationId: string;
+    generatedAt: string;
+    recordCount: number;
+    totalUsdc: number;
+    checksum: string;
+    bundleSignature: string;
+    tamperEvident: boolean;
+    export: {
+        summary: string;
+        records: SettlementRecord[];
+        complianceNotes: string[];
+    };
+};
+export declare function runEvidenceLocker(input: EvidenceLockerInput): WithAgentTrust<EvidenceLockerResult>;

package/dist/agents/evidence-locker.js

@@ -0,0 +1,47 @@
+import { createHash } from "node:crypto";
+import { agentTrustMeta, withAgentTrust } from "../lib/agent-response.js";
+export function runEvidenceLocker(input) {
+    const total = input.records.reduce((s, r) => s + r.amountUsdc, 0);
+    const payload = JSON.stringify(input.records);
+    const checksum = createHash("sha256").update(payload).digest("hex");
+    const bundleId = createHash("sha256")
+        .update(`${input.organizationId}:${Date.now()}`)
+        .digest("hex")
+        .slice(0, 16);
+    const bundleSignature = createHash("sha256")
+        .update(`${input.organizationId}:${checksum}`)
+        .digest("hex");
+    const checks = [
+        "records_present",
+        "checksum_computed",
+        "bundle_signature_derived",
+        "organization_bound",
+    ];
+    if (input.records.length > 0)
+        checks.push("non_empty_export");
+    return withAgentTrust({
+        ok: true,
+        bundleId,
+        organizationId: input.organizationId,
+        generatedAt: new Date().toISOString(),
+        recordCount: input.records.length,
+        totalUsdc: Number(total.toFixed(6)),
+        checksum,
+        bundleSignature,
+        tamperEvident: true,
+        export: {
+            summary: `${input.records.length} x402 settlements totaling $${total.toFixed(4)} USDC`,
+            records: input.records,
+            complianceNotes: [
+                "Immutable checksum covers record ordering and amounts",
+                "bundleSignature binds organizationId to checksum for tamper detection",
+                "Attach Receipt Auditor verification output per transaction for audit trail",
+                "Suitable for internal finance review — not legal advice",
+            ],
+        },
+    }, agentTrustMeta(checks, {
+        confidence: input.records.length > 0 ? 0.94 : 0.72,
+        sources: ["x402-agent-suite-pro", "evidence-locker"],
+        accuracy_note: "Compliance export bundle — checksum and signature are deterministic; not a legal attestation.",
+    }));
+}

package/dist/agents/facilitator-failover.d.ts

@@ -0,0 +1,15 @@
+import { rankFacilitators } from "../lib/facilitators.js";
+import { probeEndpoint } from "../lib/probe.js";
+export type FailoverInput = {
+    targetUrl: string;
+    preferNetwork?: string;
+    fastProbe?: boolean;
+};
+export type FailoverResult = {
+    targetUrl: string;
+    recommendedFacilitator: string;
+    facilitators: Awaited<ReturnType<typeof rankFacilitators>>;
+    targetProbe: Awaited<ReturnType<typeof probeEndpoint>>;
+    routingNote: string;
+};
+export declare function runFacilitatorFailover(input: FailoverInput): Promise<FailoverResult>;

package/dist/agents/facilitator-failover.js

@@ -0,0 +1,18 @@
+import { rankFacilitators } from "../lib/facilitators.js";
+import { probeEndpoint } from "../lib/probe.js";
+export async function runFacilitatorFailover(input) {
+    const facilitators = await rankFacilitators(input.preferNetwork, input.fastProbe === true);
+    const targetProbe = await probeEndpoint(input.targetUrl, {
+        fastSynthetic: input.fastProbe === true,
+    });
+    const best = facilitators.find((f) => f.healthy) ?? facilitators[0];
+    return {
+        targetUrl: input.targetUrl,
+        recommendedFacilitator: best?.id ?? "dexter",
+        facilitators,
+        targetProbe,
+        routingNote: best?.id === "dexter"
+            ? "Use Dexter facilitator (https://x402.dexter.cash) for settlement. Client should wrapFetch with facilitatorUrl pointing to the recommended host."
+            : `Primary facilitator ${best?.id} is healthy. Fall back to Dexter if settlement fails.`,
+    };
+}

package/dist/agents/identity-gate.d.ts

@@ -0,0 +1,20 @@
+import { type TrustTier } from "../lib/erc8004/constants.js";
+export type IdentityGateInput = {
+    walletAddress: string;
+    maxTierSpendUsdc?: number;
+    requireMainnet?: boolean;
+};
+export type IdentityGateResult = {
+    allowed: boolean;
+    tier: "trusted" | "standard" | "restricted";
+    riskScore: number;
+    maxSpendUsdc: number;
+    reasons: string[];
+    erc8004?: {
+        trustScore: number;
+        tier: TrustTier;
+        agentId: string | null;
+        registered: boolean;
+    };
+};
+export declare function runIdentityGate(input: IdentityGateInput): Promise<IdentityGateResult>;

package/dist/agents/identity-gate.js

@@ -0,0 +1,79 @@
+import { isEvmAddress } from "../lib/erc8004/constants.js";
+import { computeTrustScore } from "../lib/erc8004/trust-score.js";
+const BLOCKED_PATTERNS = ["test", "burn", "11111111111111111111111111111111"];
+const BLOCKED_EXACT = new Set([
+    "0x0000000000000000000000000000000000000000",
+    "11111111111111111111111111111111",
+]);
+function isSolanaAddress(addr) {
+    return /^[1-9A-HJ-NP-Za-km-z]{32,44}$/.test(addr);
+}
+export async function runIdentityGate(input) {
+    const reasons = [];
+    let riskScore = 10;
+    const addr = input.walletAddress.trim();
+    if (!isSolanaAddress(addr) && !isEvmAddress(addr)) {
+        return {
+            allowed: false,
+            tier: "restricted",
+            riskScore: 100,
+            maxSpendUsdc: 0,
+            reasons: ["Invalid wallet address format"],
+        };
+    }
+    if (BLOCKED_EXACT.has(addr) || BLOCKED_EXACT.has(addr.toLowerCase())) {
+        return {
+            allowed: false,
+            tier: "restricted",
+            riskScore: 100,
+            maxSpendUsdc: 0,
+            reasons: ["Blocked sentinel wallet address"],
+        };
+    }
+    const lower = addr.toLowerCase();
+    for (const p of BLOCKED_PATTERNS) {
+        if (lower.includes(p)) {
+            reasons.push(`Matched blocked pattern: ${p}`);
+            riskScore += 60;
+        }
+    }
+    if (addr.length < 32) {
+        reasons.push("Address suspiciously short");
+        riskScore += 30;
+    }
+    let erc8004;
+    if (isEvmAddress(addr)) {
+        const trust = await computeTrustScore({ walletAddress: addr });
+        erc8004 = {
+            trustScore: trust.trustScore,
+            tier: trust.tier,
+            agentId: trust.agentId,
+            registered: trust.registered,
+        };
+        if (trust.registered && trust.tier !== "UNVERIFIED" && trust.tier !== "UNKNOWN") {
+            riskScore = Math.max(0, riskScore - 15);
+            reasons.push(`ERC-8004 ${trust.tier} (score ${trust.trustScore})`);
+        }
+        else if (!trust.registered) {
+            reasons.push("No ERC-8004 registration — consider POST /api/agent/verify");
+        }
+    }
+    let tier = "standard";
+    if (riskScore < 25)
+        tier = "trusted";
+    if (riskScore >= 50)
+        tier = "restricted";
+    const maxSpend = tier === "trusted"
+        ? (input.maxTierSpendUsdc ?? 50)
+        : tier === "standard"
+            ? Math.min(input.maxTierSpendUsdc ?? 10, 10)
+            : 0;
+    return {
+        allowed: tier !== "restricted",
+        tier,
+        riskScore,
+        maxSpendUsdc: maxSpend,
+        reasons: reasons.length ? reasons : ["Wallet passed baseline checks"],
+        ...(erc8004 ? { erc8004 } : {}),
+    };
+}

package/dist/agents/mandate-compiler.d.ts

@@ -0,0 +1,51 @@
+import { type MandateCheck } from "../lib/mandate.js";
+export type MandateCompileInput = {
+    principal: string;
+    agentId: string;
+    intent: string;
+    maxPerTxUsdc: number;
+    dailyCapUsdc: number;
+    allowedMerchants?: string[];
+    allowedCategories?: string[];
+    allowedRails?: string[];
+    ttlMinutes?: number;
+    mandateVersion?: "ap2/v1";
+    validUntil?: number;
+    currency?: "USDC" | "USDT";
+    network?: string;
+};
+/**
+ * AP2-style Mandate Compiler + Verifiable Intent Notary.
+ * Converts a human intent + guardrails into a cryptographically signed, scoped
+ * mandate (the "tamper-resistant intent" layer that Google AP2 and Visa CLI
+ * governance both require). Agents present the mandate; merchants/fleets verify
+ * the proposed payment fits the signed scope before money moves.
+ */
+export declare function runMandateCompile(input: MandateCompileInput): Promise<{
+    mandate: import("../lib/mandate.js").MandateRecord;
+    verifiableCredential: import("../lib/mandate-vc.js").MandateVC;
+    ap2: {
+        mandateVersion: "ap2/v1";
+        validFrom: number;
+        validUntil: number;
+        currency: "USDC" | "USDT";
+        network: string;
+    };
+    verifyUrl: string;
+    usage: string;
+} & import("../lib/agent-response.js").AgentTrustMeta>;
+export type MandateVerifyInput = {
+    mandateId: string;
+    proposed?: MandateCheck;
+};
+export declare function runMandateVerify(input: MandateVerifyInput): Promise<{
+    ok: boolean;
+    allowed: boolean;
+    valid: boolean;
+    withinScope: boolean;
+    reason: string;
+    record: import("../lib/mandate.js").MandateRecord | null;
+    violations: string[];
+    mandateId: string;
+    proposed: MandateCheck | null;
+} & import("../lib/agent-response.js").AgentTrustMeta>;

package/dist/agents/mandate-compiler.js

@@ -0,0 +1,73 @@
+import { issueMandate, verifyMandate } from "../lib/mandate.js";
+import { mandateToVC } from "../lib/mandate-vc.js";
+import { agentTrustMeta, withAgentTrust } from "../lib/agent-response.js";
+import { config } from "../config.js";
+/**
+ * AP2-style Mandate Compiler + Verifiable Intent Notary.
+ * Converts a human intent + guardrails into a cryptographically signed, scoped
+ * mandate (the "tamper-resistant intent" layer that Google AP2 and Visa CLI
+ * governance both require). Agents present the mandate; merchants/fleets verify
+ * the proposed payment fits the signed scope before money moves.
+ */
+export async function runMandateCompile(input) {
+    const ttl = input.ttlMinutes ?? 1440;
+    const nowSec = Math.floor(Date.now() / 1000);
+    const validUntilSec = input.validUntil ?? nowSec + ttl * 60;
+    const maxExpiry = nowSec + 86400 * 30;
+    if (validUntilSec > maxExpiry) {
+        throw new Error("AP2 mandate cannot exceed 30 days validity");
+    }
+    const scope = {
+        maxPerTxUsdc: input.maxPerTxUsdc,
+        dailyCapUsdc: input.dailyCapUsdc,
+        allowedMerchants: input.allowedMerchants ?? [],
+        allowedCategories: input.allowedCategories ?? [],
+        allowedRails: input.allowedRails ?? [],
+        expiresAt: new Date(validUntilSec * 1000).toISOString(),
+    };
+    const record = await issueMandate({
+        principal: input.principal,
+        agentId: input.agentId,
+        intent: input.intent,
+        scope,
+    });
+    return withAgentTrust({
+        mandate: record,
+        verifiableCredential: mandateToVC(record, input.principal.startsWith("did:") ? input.principal : undefined),
+        ap2: {
+            mandateVersion: input.mandateVersion ?? "ap2/v1",
+            validFrom: nowSec,
+            validUntil: validUntilSec,
+            currency: input.currency ?? "USDC",
+            network: input.network ?? "eip155:8453",
+        },
+        verifyUrl: `${config.publicBaseUrl}/api/mandate/verify`,
+        usage: "Present mandateId to merchants/fleet controllers; they POST it to /api/mandate/verify with the proposed payment to confirm scope.",
+    }, agentTrustMeta(["intent_hashed", "scope_bound", "hmac_signed"], {
+        confidence: 0.92,
+        sources: ["mandate-notary", "ap2-aligned"],
+        accuracy_note: "Mandate is HMAC-signed and tamper-evident; binding to a real cardholder/Visa CLI principal is the integrator's responsibility.",
+    }));
+}
+export async function runMandateVerify(input) {
+    const result = await verifyMandate(input.mandateId, input.proposed);
+    const allowed = result.valid && result.withinScope;
+    return withAgentTrust({
+        ok: true,
+        allowed,
+        valid: result.valid,
+        withinScope: result.withinScope,
+        reason: result.reason,
+        record: result.record,
+        violations: result.violations,
+        mandateId: input.mandateId,
+        proposed: input.proposed ?? null,
+    }, agentTrustMeta(result.valid
+        ? result.withinScope
+            ? ["signature_ok", "scope_ok", "not_expired"]
+            : ["signature_ok", "scope_violation"]
+        : ["signature_or_lookup_failed"], {
+        confidence: result.valid ? 0.93 : 0.6,
+        sources: ["mandate-notary", "hmac-verify"],
+    }));
+}

package/dist/agents/mandate-diff.d.ts

@@ -0,0 +1,41 @@
+import { type MandateCheck } from "../lib/mandate.js";
+export type ToolCallTrace = {
+    name: string;
+    url?: string;
+    amountUsdc?: number;
+    merchant?: string;
+    category?: string;
+    rail?: string;
+    argsSummary?: string;
+};
+export type MandateDiffInput = {
+    mandateId: string;
+    toolCalls: ToolCallTrace[];
+    /** Optional aggregate payment the agent is about to authorize */
+    proposed?: MandateCheck;
+    /** Human-readable task for semantic drift checks */
+    task?: string;
+};
+type DiffViolation = {
+    code: string;
+    severity: "block" | "step_up";
+    message: string;
+    evidence?: string;
+};
+/**
+ * Intent Diff Engine — compares a signed mandate scope to the actual MCP/tool trace
+ * before x402 payment. Rules-first (auditable); complements t54 behavioral risk.
+ */
+export declare function runMandateDiff(input: MandateDiffInput): Promise<{
+    ok: boolean;
+    allowed: boolean;
+    liabilityTier: string;
+    mandateValid: boolean;
+    withinMandateScope: boolean;
+    violations: DiffViolation[];
+    signals: string[];
+    mandateId: string;
+    toolCallCount: number;
+    summary: string;
+} & import("../lib/agent-response.js").AgentTrustMeta>;
+export {};

package/dist/agents/mandate-diff.js

@@ -0,0 +1,170 @@
+import { verifyMandate } from "../lib/mandate.js";
+import { hostOf } from "../lib/probe.js";
+import { agentTrustMeta, withAgentTrust } from "../lib/agent-response.js";
+const AFFILIATE_HINTS = /[?&](aff|ref|utm_|affiliate)=/i;
+const SUSPICIOUS_DOMAINS = /scam|phish|invalid|fake-wallet/i;
+function tierFromViolations(violations) {
+    if (violations.some((v) => v.severity === "block"))
+        return "block";
+    if (violations.length > 0)
+        return "step_up";
+    return "allow";
+}
+/**
+ * Intent Diff Engine — compares a signed mandate scope to the actual MCP/tool trace
+ * before x402 payment. Rules-first (auditable); complements t54 behavioral risk.
+ */
+export async function runMandateDiff(input) {
+    const violations = [];
+    const signals = [];
+    const mandateResult = await verifyMandate(input.mandateId, input.proposed);
+    if (!mandateResult.valid) {
+        violations.push({
+            code: "mandate_invalid",
+            severity: "block",
+            message: mandateResult.reason,
+        });
+        return withAgentTrust({
+            ok: true,
+            allowed: false,
+            liabilityTier: "block",
+            mandateValid: false,
+            withinMandateScope: false,
+            violations,
+            signals,
+            mandateId: input.mandateId,
+            toolCallCount: input.toolCalls.length,
+            summary: "Mandate invalid — do not pay",
+        }, agentTrustMeta(["mandate_invalid"], { confidence: 0.95, sources: ["mandate-diff"] }));
+    }
+    if (!mandateResult.withinScope && input.proposed) {
+        for (const v of mandateResult.violations) {
+            violations.push({ code: "scope_violation", severity: "block", message: v });
+        }
+    }
+    const scope = mandateResult.record?.scope;
+    const allowedMerchants = scope?.allowedMerchants ?? [];
+    const allowedCategories = scope?.allowedCategories ?? [];
+    const allowedRails = scope?.allowedRails ?? [];
+    const maxPerTx = scope?.maxPerTxUsdc ?? Infinity;
+    for (const [i, call] of input.toolCalls.entries()) {
+        const label = `toolCalls[${i}]`;
+        if (call.url) {
+            if (SUSPICIOUS_DOMAINS.test(call.url)) {
+                violations.push({
+                    code: "suspicious_url",
+                    severity: "block",
+                    message: `${label}: URL matches suspicious pattern`,
+                    evidence: call.url,
+                });
+            }
+            if (AFFILIATE_HINTS.test(call.url)) {
+                violations.push({
+                    code: "affiliate_redirect",
+                    severity: "step_up",
+                    message: `${label}: affiliate/tracking params in URL — possible prompt-injected routing`,
+                    evidence: call.url,
+                });
+            }
+            const host = hostOf(call.url);
+            if (allowedMerchants.length > 0 &&
+                host &&
+                !allowedMerchants.some((m) => host.includes(m.toLowerCase()) || call.url.toLowerCase().includes(m.toLowerCase()))) {
+                violations.push({
+                    code: "merchant_not_in_mandate",
+                    severity: "block",
+                    message: `${label}: host ${host} not in allowedMerchants`,
+                    evidence: call.url,
+                });
+            }
+        }
+        if (call.merchant && allowedMerchants.length > 0) {
+            if (!allowedMerchants.some((m) => call.merchant.toLowerCase().includes(m.toLowerCase()))) {
+                violations.push({
+                    code: "merchant_not_in_mandate",
+                    severity: "block",
+                    message: `${label}: merchant ${call.merchant} not in allowedMerchants`,
+                });
+            }
+        }
+        if (call.category && allowedCategories.length > 0 && !allowedCategories.includes(call.category)) {
+            violations.push({
+                code: "category_not_in_mandate",
+                severity: "block",
+                message: `${label}: category ${call.category} not in allowedCategories`,
+            });
+        }
+        if (call.rail && allowedRails.length > 0 && !allowedRails.includes(call.rail)) {
+            violations.push({
+                code: "rail_not_in_mandate",
+                severity: "block",
+                message: `${label}: rail ${call.rail} not in allowedRails`,
+            });
+        }
+        if (typeof call.amountUsdc === "number" && call.amountUsdc > maxPerTx) {
+            violations.push({
+                code: "amount_exceeds_mandate",
+                severity: "block",
+                message: `${label}: amount ${call.amountUsdc} exceeds maxPerTxUsdc ${maxPerTx}`,
+            });
+        }
+        if (call.argsSummary && /prefer store|rewrite url|ignore mandate|override/i.test(call.argsSummary)) {
+            violations.push({
+                code: "instruction_tampering",
+                severity: "block",
+                message: `${label}: tool args suggest non-mandated instruction override`,
+                evidence: call.argsSummary.slice(0, 120),
+            });
+        }
+    }
+    if (input.task && mandateResult.record?.intent) {
+        const intent = mandateResult.record.intent.toLowerCase();
+        const task = input.task.toLowerCase();
+        const intentTokens = intent.split(/\W+/).filter((t) => t.length > 3);
+        const overlap = intentTokens.filter((t) => task.includes(t)).length;
+        if (intentTokens.length >= 3 && overlap < Math.ceil(intentTokens.length * 0.2)) {
+            violations.push({
+                code: "task_intent_drift",
+                severity: "step_up",
+                message: "Current task text diverges from signed mandate intent — human confirm recommended",
+            });
+        }
+        else {
+            signals.push("Task text loosely aligns with mandate intent");
+        }
+    }
+    const liabilityTier = tierFromViolations(violations);
+    const allowed = liabilityTier === "allow";
+    const withinMandateScope = mandateResult.withinScope && violations.every((v) => v.severity !== "block");
+    return withAgentTrust({
+        ok: true,
+        allowed,
+        liabilityTier,
+        mandateValid: true,
+        withinMandateScope,
+        mandateId: input.mandateId,
+        toolCallCount: input.toolCalls.length,
+        violations,
+        signals,
+        mandateIntent: mandateResult.record?.intent ?? null,
+        proposed: input.proposed ?? null,
+        summary: liabilityTier === "allow"
+            ? "Tool trace within mandate scope — proceed to x402 payment"
+            : liabilityTier === "step_up"
+                ? "Non-blocking drift detected — step-up auth before payment"
+                : "Blocking violations — do not pay",
+        nextStep: liabilityTier === "block"
+            ? { method: "POST", path: "/api/mandate/verify", note: "Re-compile mandate or fix tool trace" }
+            : liabilityTier === "step_up"
+                ? { method: "POST", path: "/api/attestation/issue", note: "Issue fresh attestation after human confirm" }
+                : null,
+    }, agentTrustMeta(allowed
+        ? ["mandate_ok", "trace_ok"]
+        : liabilityTier === "step_up"
+            ? ["mandate_ok", "trace_drift"]
+            : ["mandate_ok", "trace_blocked"], {
+        confidence: 0.9,
+        sources: ["mandate-diff", "ap2-aligned"],
+        accuracy_note: "Diff is rules-based on supplied toolCalls; integrator must capture faithful MCP/browser traces.",
+    }));
+}