Identity verification and compliance gating (v1.5.0) #16
Merged
vvillait88 merged 10 commits into main on Apr 18, 2026
- assess() accepts operatorToken for non-wallet agents
- createSession(), pollSession() for verification bootstrapping
- createCredential(), listCredentials(), revokeCredential()
- DecisionPolicy: scoring fields removed, allowed_jurisdictions added
- 429 retry with Retry-After header
- Version bumped to 1.5.0

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Assess is a compliance gate. Scoring data comes from /v1/reputation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Blacksmith checkout uses cached git mirrors for faster clones. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Session creation uses first-class fields (return_url, payment_methods, product_name)
- Remove metadata from session creation
- Clean stale test references

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Paired with core removing these from POST /v1/sessions.

- Remove return_url and payment_methods from SessionCreateOptions
- Remove the now-unused PaymentMethod type export
- Drop corresponding tests

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…nt_verification) SessionPollNextSteps + retry_after_seconds + token_ttl_seconds on SessionPollResponse. PolicyExplanation with how_to_remedy on AssessResponse. AccountVerification on CredentialListResponse. CredentialCreateErrorResponse for 409 kyc_required. All additive/optional — no breaking changes. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Make account_verification required on CredentialListResponse (API always returns it). typescript 6.0.2→6.0.3. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Assess endpoint returns a flat decision response (no subject/chains/score). Use require_kyc policy instead of min_score for deny testing. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
vvillait88 added a commit that referenced this pull request on Apr 29, 2026
…rgs + drop verifyWebhookSignature (#21)

## Summary

`@agent-score/sdk@2.0.0` — wallet-auth hardening types + structured error access + speculative-helper drop. **Breaking** because of the webhook removal.

### New (additive)

- `DenialCode` union extended: `wallet_signer_mismatch`, `wallet_auth_requires_wallet_signing`, `token_expired`, `invalid_credential`.
- `NextStepsAction` extended: `send_existing_identity`, `mint_new_credential`, `use_operator_token`, `regenerate_payment_from_linked_wallet`, `deliver_verify_url_and_poll`, `switch_token_or_restart_session`.
- New types: `AgentMemoryHint`, `WalletSignerMismatchBody`, `WalletAuthRequiresSigningBody` + per-shape `NextSteps` discriminator unions.
- `AssessResponse.linked_wallets?: string[]` on allow responses (cap 100).
- `SessionCreateResponse.agent_memory?` + `CredentialCreateResponse.agent_memory?` on bootstrap paths.
- `CredentialListItem.label` / `.expires_at` are now nullable to match the API.
- **`AgentScoreError.details: Record<string, unknown>`** — carries response-body fields beyond `{code, message}` so consumers can branch on `verify_url`, `linked_wallets`, `claimed_operator`, `actual_signer`, `expected_signer`, `reasons`, `agent_memory` without parsing the response a second time. The mcp tools depend on this.
- `createSession({address?, operator_token?})` — optional pre-association lets a caller refresh KYC for an existing `opc_...` or pin a session to a known wallet.

### Removed (BREAKING)

- `verifyWebhookSignature` removed. Audit found zero outbound webhook emitter in core/api and zero internal consumers. When AgentScore eventually emits events, the right move is the official `standardwebhooks` (Svix) lib, not a hand-rolled HMAC verifier — exporting one preemptively was speculative surface.

### Versioning

Bumped to **2.0.0**. The webhook removal is a breaking change in the published surface even though no real consumer exercised it; honest semver.

## Test plan

- [x] 115 tests passing
- [x] Type compilation (tsc) green
- [x] Lint clean
- [ ] Tag `v2.0.0` after merge → publish workflow fires (OIDC trusted publishing on npm)

## Coordinated release

Plan doc: `core/internal_docs/wallet-auth-hardening-plan.md`. Sibling PRs: `python-sdk` #16 (mirror), `mcp` #24 (consumes this), `martin-estate` #44 (consumes via `@agent-score/commerce`), `core` #190 (server side). Merge order: this + python-sdk + core land first → tag v2.0.0 → publish → commerce 1.0.0 publishes → mcp + martin-estate auto-clear and merge.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
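How a consumer might branch on `AgentScoreError.details` as the commit message above describes, shown as an added example that is not code from the SDK or this PR. The `ErrorLike` shape, the pairing of detail fields with codes, and the `verify.example.test` allowlist are assumptions; because `details` is typed `Record<string, unknown>`, each field is narrowed at runtime and `verify_url` is checked before it is handed to a user.

```typescript
// Added example, not SDK code. Only `code`, `message` and `details` come from the
// PR text; which detail fields accompany which code is an assumption made here.
type ErrorLike = { code: string; message: string; details: Record<string, unknown> };

type Outcome =
  | { kind: "signer_mismatch"; expected: string; actual: string }
  | { kind: "deliver_verify_url"; url: string }
  | { kind: "reauthenticate"; code: string }
  | { kind: "reject"; reason: string };

// Hypothetical allowlist of hosts this deployment will hand to an end user.
const VERIFY_HOSTS = new Set(["verify.example.test"]);

// `details` values are `unknown`: narrow at runtime before using them.
function str(v: unknown): string | undefined {
  return typeof v === "string" && v.length > 0 && v.length <= 2048 ? v : undefined;
}

// Accept a verify URL only if it is https, has no userinfo, and is allowlisted.
function safeVerifyUrl(v: unknown): string | undefined {
  const raw = str(v);
  if (raw === undefined) return undefined;
  let u: URL | undefined;
  try { u = new URL(raw); } catch { u = undefined; }
  if (u === undefined || u.protocol !== "https:" || u.username || u.password) return undefined;
  return VERIFY_HOSTS.has(u.hostname) ? u.toString() : undefined;
}

function classify(err: ErrorLike): Outcome {
  const d = err.details;
  switch (err.code) {
    case "wallet_signer_mismatch": {
      const expected = str(d["expected_signer"]);
      const actual = str(d["actual_signer"]);
      if (!expected || !actual) return { kind: "reject", reason: "malformed signer details" };
      return { kind: "signer_mismatch", expected, actual };
    }
    case "token_expired":
    case "invalid_credential":
      return { kind: "reauthenticate", code: err.code };
    case "kyc_required": {
      const url = safeVerifyUrl(d["verify_url"]);
      if (url === undefined) return { kind: "reject", reason: "untrusted verify_url" };
      return { kind: "deliver_verify_url", url };
    }
    default:
      return { kind: "reject", reason: err.code };
  }
}
```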