From ffa6dc38c8cb658cbe8e6d40df4f3f035ba9baed Mon Sep 17 00:00:00 2001 From: vvillait88 Date: Thu, 30 Apr 2026 03:30:06 -0700 Subject: [PATCH 1/7] docs(stripe-multichain): drop infra-specific "ECS Fargate" from pi-cache docstring Generalize to "multi-instance deployments" so the comment describes the constraint (shared cache needed) rather than the AgentScore deployment topology. --- src/stripe-multichain/pi-cache.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/stripe-multichain/pi-cache.ts b/src/stripe-multichain/pi-cache.ts index 73fbed1..fc077bd 100644 --- a/src/stripe-multichain/pi-cache.ts +++ b/src/stripe-multichain/pi-cache.ts @@ -18,9 +18,9 @@ * * All three are TTL-bounded (default 300s — long enough for an agent to retry, short * enough to bound memory). Backed by Redis when `redisUrl` is set, falls back to - * in-process Map otherwise. Single-instance servers can use the in-memory cache; ECS - * Fargate / multi-task deployments need Redis so a deposit lands on whichever task - * settles it. + * in-process Map otherwise. Single-instance servers can use the in-memory cache; + * multi-instance deployments need a shared cache (Redis) so a deposit lands on + * whichever instance settles it. */ // ioredis is an optional peer dep — typed structurally to avoid pulling its types into From 8a41ea04dc9e97a874e2b65c44813192b75a9c19 Mon Sep 17 00:00:00 2001 From: vvillait88 Date: Thu, 30 Apr 2026 03:44:23 -0700 Subject: [PATCH 2/7] docs/tests: scrub internal merchant references + private test default - src/identity/policy.ts: drop the "extracted from " attribution paragraph; the helpers stand on their own - examples/per-product-policy-merchant.ts: drop the same attribution - examples/multi-rail-merchant.ts: drop "Martin Estate runs in production, stripped of wine-specific business logic" from the header docstring - CLAUDE.md: drop the " runs this pattern in production" trailing sentence in the gate-mount-posture section - tests/integration.test.ts: integration tests now require both AGENTSCORE_API_KEY and AGENTSCORE_BASE_URL to be set; no default to a private (`*.internal`) endpoint --- CLAUDE.md | 2 +- examples/multi-rail-merchant.ts | 3 +-- examples/per-product-policy-merchant.ts | 3 --- src/identity/policy.ts | 3 +-- tests/integration.test.ts | 4 ++-- 5 files changed, 5 insertions(+), 10 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 6801eea..c1eb5b1 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -75,7 +75,7 @@ app.use('/purchase', async (c, next) => { }); ``` -Anonymous POST flows through to the handler unauthenticated and gets a 402 with all rails + per-order pricing. Identity is verified at settle time on the retry leg (when the agent submits `X-Payment` / `Authorization: Payment`); `createSessionOnMissing` still auto-mints a verification session there. The same wrap pattern works identically across all 5 framework adapters (hono, express, fastify, nextjs, web). martin-estate runs this pattern in production. See `examples/multi-rail-merchant.ts` and `examples/compliance-merchant.ts`. +Anonymous POST flows through to the handler unauthenticated and gets a 402 with all rails + per-order pricing. Identity is verified at settle time on the retry leg (when the agent submits `X-Payment` / `Authorization: Payment`); `createSessionOnMissing` still auto-mints a verification session there. The same wrap pattern works identically across all 5 framework adapters (hono, express, fastify, nextjs, web). See `examples/multi-rail-merchant.ts` and `examples/compliance-merchant.ts`. ### `compatible_clients` field on emitted 402s diff --git a/examples/multi-rail-merchant.ts b/examples/multi-rail-merchant.ts index 4868b97..947932b 100644 --- a/examples/multi-rail-merchant.ts +++ b/examples/multi-rail-merchant.ts @@ -2,8 +2,7 @@ * Example: full multi-rail agent commerce merchant * * Scenario: you want to accept agent payments via every rail — Tempo MPP, x402 on - * Base + Solana, AND Stripe SPT. Identity-gated for compliance. This mirrors what - * Martin Estate runs in production, stripped of wine-specific business logic. + * Base + Solana, AND Stripe SPT. Identity-gated for compliance. * * The flow on each /purchase POST: * 1. Identity gate (agentscoreGate): KYC + age + jurisdiction + sanctions diff --git a/examples/per-product-policy-merchant.ts b/examples/per-product-policy-merchant.ts index 6ddab28..53392fc 100644 --- a/examples/per-product-policy-merchant.ts +++ b/examples/per-product-policy-merchant.ts @@ -22,9 +22,6 @@ * - shippingCountryAllowed / shippingStateAllowed * (per-product shipping allowlists; null = ship anywhere) * - * The pattern was extracted from agentscore/store. See its - * store/routes/purchase.py (Python sibling) for the full per-request flow. - * * Peer deps: * bun add @agent-score/commerce hono * diff --git a/src/identity/policy.ts b/src/identity/policy.ts index 36b7b8f..e61e3d4 100644 --- a/src/identity/policy.ts +++ b/src/identity/policy.ts @@ -25,8 +25,7 @@ * {@link GateResult} so the vendor decides how to surface it. * * All three are additive — vendors using `agentscoreGate(...)` directly are - * unaffected. The pattern was extracted from `agentscore/store`; see its - * `store/routes/purchase.py` (Python sibling) for the full per-request flow. + * unaffected. */ import type { AgentScoreCoreOptions, DenialReason } from '../core.js'; diff --git a/tests/integration.test.ts b/tests/integration.test.ts index 186699c..fe59cde 100644 --- a/tests/integration.test.ts +++ b/tests/integration.test.ts @@ -1,10 +1,10 @@ import { describe, expect, it } from 'vitest'; const API_KEY = process.env.AGENTSCORE_API_KEY; -const BASE_URL = process.env.AGENTSCORE_BASE_URL || 'http://api.dev.agentscore.internal'; +const BASE_URL = process.env.AGENTSCORE_BASE_URL; const TEST_ADDRESS = '0x339559a2d1cd15059365fc7bd36b3047bba480e0'; -const describeIf = API_KEY ? describe : describe.skip; +const describeIf = (API_KEY && BASE_URL) ? describe : describe.skip; describeIf('integration: real API assess response shape', () => { it('assess returns correct top-level shape', async () => { From 488b49db338848271b517dcbbc747e8872b5d869 Mon Sep 17 00:00:00 2001 From: vvillait88 Date: Thu, 30 Apr 2026 03:46:58 -0700 Subject: [PATCH 3/7] docs(CLAUDE): drop "from production code ()" framing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The "Every helper lifts directly from working production code (agentscore/martin-estate)" line in this public repo's CLAUDE.md frames a specific reference customer as our internal extraction source. The underlying invariant — extract from real consumers — is what matters. --- CLAUDE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CLAUDE.md b/CLAUDE.md index c1eb5b1..0507486 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -2,7 +2,7 @@ Agent commerce SDK for Node.js. The full merchant-side toolkit: identity gating + payment helpers + 402 builders + discovery + Stripe multichain. One install, subpath imports per concern. -Every helper lifts directly from working production code (`agentscore/martin-estate`) — extract from real consumers, not speculation. +Every helper is extracted from a real consumer, not speculated. ## Subpaths From 980cbe9720bcef79fb95982b8156d62df40e9e90 Mon Sep 17 00:00:00 2001 From: vvillait88 Date: Thu, 30 Apr 2026 21:00:01 -0700 Subject: [PATCH 4/7] =?UTF-8?q?chore(deps):=20bun=20update=20=E2=80=94=20h?= =?UTF-8?q?ono=20+=20mppx=20patches?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - hono 4.12.15 → 4.12.16 - mppx 0.6.7 → 0.6.8 (Linux keychain error-handling improvement; no payment-library code change) All 540 tests pass. Co-Authored-By: Claude Opus 4.7 (1M context) --- bun.lock | 8 ++++---- package.json | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/bun.lock b/bun.lock index 990f081..84f5f9b 100644 --- a/bun.lock +++ b/bun.lock @@ -23,9 +23,9 @@ "eslint-plugin-unused-imports": "^4.4.1", "express": "^5.2.1", "fastify": "^5.8.5", - "hono": "^4.12.15", + "hono": "^4.12.16", "lefthook": "^2.1.6", - "mppx": "^0.6.7", + "mppx": "^0.6.8", "tsup": "^8.5.1", "typescript": "^6.0.3", "typescript-eslint": "^8.59.1", @@ -727,7 +727,7 @@ "hasown": ["hasown@2.0.3", "", { "dependencies": { "function-bind": "^1.1.2" } }, "sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg=="], - "hono": ["hono@4.12.15", "", {}, "sha512-qM0jDhFEaCBb4TxoW7f53Qrpv9RBiayUHo0S52JudprkhvpjIrGoU1mnnr29Fvd1U335ZFPZQY1wlkqgfGXyLg=="], + "hono": ["hono@4.12.16", "", {}, "sha512-jN0ZewiNAWSe5khM3EyCmBb250+b40wWbwNILNfEvq84VREWwOIkuUsFONk/3i3nqkz7Oe1PcpM2mwQEK2L9Kg=="], "html-escaper": ["html-escaper@2.0.2", "", {}, "sha512-H2iMtd0I4Mt5eYiapRdIDjp+XzelXQ0tFE4JS7YFwFevXXMmOp9myNrUvCg0D6ws8iqkRPBfKHgbwig1SmlLfg=="], @@ -919,7 +919,7 @@ "mlly": ["mlly@1.8.2", "", { "dependencies": { "acorn": "^8.16.0", "pathe": "^2.0.3", "pkg-types": "^1.3.1", "ufo": "^1.6.3" } }, "sha512-d+ObxMQFmbt10sretNDytwt85VrbkhhUA/JBGm1MPaWJ65Cl4wOgLaB1NYvJSZ0Ef03MMEU/0xpPMXUIQ29UfA=="], - "mppx": ["mppx@0.6.7", "", { "dependencies": { "incur": "^0.3.25", "ox": "0.14.18", "zod": "^4.3.6" }, "peerDependencies": { "@modelcontextprotocol/sdk": ">=1.25.0", "elysia": ">=1", "express": ">=5", "hono": ">=4.12.14", "viem": ">=2.47.5" }, "optionalPeers": ["@modelcontextprotocol/sdk", "elysia", "express", "hono"], "bin": { "mppx": "dist/bin.js", "mppx.src": "src/bin.ts" } }, "sha512-fcq+LS1G+TR+tdbkz+xhqk4w0LMP2b5YwUmznVruw5JXhgbqSy4oeyjx9coqVO5k4DdysUH99zkNOuO62RidyQ=="], + "mppx": ["mppx@0.6.8", "", { "dependencies": { "incur": "^0.3.25", "ox": "0.14.18", "zod": "^4.3.6" }, "peerDependencies": { "@modelcontextprotocol/sdk": ">=1.25.0", "elysia": ">=1", "express": ">=5", "hono": ">=4.12.14", "viem": ">=2.47.5" }, "optionalPeers": ["@modelcontextprotocol/sdk", "elysia", "express", "hono"], "bin": { "mppx": "dist/bin.js", "mppx.src": "src/bin.ts" } }, "sha512-uXe0HyWCtB0MSXAohK5Vazj76/NfONsDxjy7DJHt2OeXj2tcpeNcdfjI3Ozzgq7ILx9unCsA88lrspl6MzxENw=="], "ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="], diff --git a/package.json b/package.json index 46f70a0..e8451d0 100644 --- a/package.json +++ b/package.json @@ -161,9 +161,9 @@ "eslint-plugin-unused-imports": "^4.4.1", "express": "^5.2.1", "fastify": "^5.8.5", - "hono": "^4.12.15", + "hono": "^4.12.16", "lefthook": "^2.1.6", - "mppx": "^0.6.7", + "mppx": "^0.6.8", "tsup": "^8.5.1", "typescript": "^6.0.3", "typescript-eslint": "^8.59.1", From 2534afbfe91db82f98735683e600605bce12b45c Mon Sep 17 00:00:00 2001 From: vvillait88 Date: Thu, 30 Apr 2026 21:00:25 -0700 Subject: [PATCH 5/7] chore: bump to v1.0.2 Co-Authored-By: Claude Opus 4.7 (1M context) --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index e8451d0..fcf62e8 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@agent-score/commerce", - "version": "1.0.1", + "version": "1.0.2", "description": "Agent commerce SDK — identity middleware (Hono, Express, Fastify, Next.js, Web Fetch) + payment helpers + 402 builders + discovery + Stripe multichain. The full merchant-side toolkit for AgentScore-powered agent commerce.", "main": "./dist/index.js", "module": "./dist/index.mjs", From 3dc3da3bc0607c16d1f3272a1a867b1a7fa32f73 Mon Sep 17 00:00:00 2001 From: vvillait88 Date: Thu, 30 Apr 2026 21:17:53 -0700 Subject: [PATCH 6/7] =?UTF-8?q?chore(deps):=20bump=20@agent-score/sdk=202.?= =?UTF-8?q?1.0=20=E2=86=92=202.1.1?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Picks up the latest published sdk patch. All 540 tests pass. Co-Authored-By: Claude Opus 4.7 (1M context) --- bun.lock | 4 ++-- package.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/bun.lock b/bun.lock index 84f5f9b..c0b4136 100644 --- a/bun.lock +++ b/bun.lock @@ -5,7 +5,7 @@ "": { "name": "@agent-score/gate", "dependencies": { - "@agent-score/sdk": "^2.1.0", + "@agent-score/sdk": "^2.1.1", }, "devDependencies": { "@coinbase/x402": "^2.1.0", @@ -51,7 +51,7 @@ "packages": { "@adraffy/ens-normalize": ["@adraffy/ens-normalize@1.11.1", "", {}, "sha512-nhCBV3quEgesuf7c7KYfperqSS14T8bYuvJ8PcLJp6znkZpFc0AuW4qBtr8eKVyPPe/8RSr7sglCWPU5eaxwKQ=="], - "@agent-score/sdk": ["@agent-score/sdk@2.1.0", "", {}, "sha512-J+m9i0HuO1a3xtfhtnRHDqVx191qyx3QzqZgRtLRqhmez0xwgT6RVWtrzF7wPvo0xMi5WAKKUrvp7fjc6UTsTw=="], + "@agent-score/sdk": ["@agent-score/sdk@2.1.1", "", {}, "sha512-iehoDef32rlDXpCkfFbxa14ANxD11uyIPJY0K2AopVg8dD8iPA/xPlYtvlNlvBjPsfvdgb4954WSxwnyx9n+5g=="], "@babel/helper-string-parser": ["@babel/helper-string-parser@7.27.1", "", {}, "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA=="], diff --git a/package.json b/package.json index fcf62e8..9e0c988 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@agent-score/commerce", - "version": "1.0.2", + "version": "1.0.3", "description": "Agent commerce SDK — identity middleware (Hono, Express, Fastify, Next.js, Web Fetch) + payment helpers + 402 builders + discovery + Stripe multichain. The full merchant-side toolkit for AgentScore-powered agent commerce.", "main": "./dist/index.js", "module": "./dist/index.mjs", @@ -120,7 +120,7 @@ "node": ">=20" }, "dependencies": { - "@agent-score/sdk": "^2.1.0" + "@agent-score/sdk": "^2.1.1" }, "overrides": { "axios": "^1.15.0" From 2b48a5c0b569648add43c9686d8b7806f94649d0 Mon Sep 17 00:00:00 2001 From: vvillait88 Date: Thu, 30 Apr 2026 21:19:11 -0700 Subject: [PATCH 7/7] chore: revert accidental version bump (stay at v1.0.2) Co-Authored-By: Claude Opus 4.7 (1M context) --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 9e0c988..7044d45 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@agent-score/commerce", - "version": "1.0.3", + "version": "1.0.2", "description": "Agent commerce SDK — identity middleware (Hono, Express, Fastify, Next.js, Web Fetch) + payment helpers + 402 builders + discovery + Stripe multichain. The full merchant-side toolkit for AgentScore-powered agent commerce.", "main": "./dist/index.js", "module": "./dist/index.mjs",