TypeScript reference implementation and canonical protocol SDK for the Machine Payment Control Protocol (MPCP).
Implements: protocol verification engine, artifact schemas, cryptographic signing, on-chain anchoring adapters, golden test vectors, and the full SDK consumed by mpcp-policy-authority, mpcp-wallet-sdk, and mpcp-merchant-sdk.
Stack: Node.js 22 + TypeScript (ESM), Vitest, Zod.
Protocol first — the specification is the source of truth; code conforms to it, not the other way around.
Determinism — all artifacts serialize and hash identically across implementations and runtimes.
Rail agnostic — no dependency on a specific payment rail or ledger.
Verifiable — every payment decision and settlement can be independently verified without contacting a central service.
Small PRs — each feature lands in an isolated PR for safe review and easy rollback.
| PR | Title | Status |
|---|---|---|
| PR1 | Canonical serialization (canonicalJson, SHA-256) |
✓ |
| PR2 | Artifact schemas (Zod — PolicyGrant, SBA, SPA, SettlementIntent, FleetPolicyAuthorization) | ✓ |
| PR3 | SettlementIntentHash implementation |
✓ |
| PR | Title | Status |
|---|---|---|
| PR4 | Core verifier (verifyPolicyGrant, verifyBudgetAuthorization, verifyPaymentAuthorization, verifySettlement) |
✓ |
| PR5 | CLI verifier (npx mpcp verify settlement.json) |
✓ |
| PR5A | CLI explain mode (--explain, --json; DetailedVerificationReport) |
✓ |
| PR6 | Protocol conformance tests | ✓ |
| PR | Title | Status |
|---|---|---|
| PR7 | SDK helpers (createPolicyGrant, createBudgetAuthorization, createSignedPaymentAuthorization, createSettlementIntent, computeIntentHash); policy-core/ evaluation engine (evaluateEntryPolicy, evaluatePaymentPolicy, enforcePayment) |
✓ |
| PR8 | End-to-end parking example + guardrails demo + fleet demo + offline flow | ✓ |
| PR9 | Integration tests — full lifecycle verification | ✓ |
| PR | Title | Status |
|---|---|---|
| PR10 | Intent anchoring — Hedera HCS, XRPL, EVM, mock adapters | ✓ |
| PR11 | Dispute verification (verifyDisputedSettlementAsync) |
✓ |
| PR12 | Fleet operator tooling | ✓ |
| PR12A | Artifact Bundle specification + schema | ✓ |
| PR | Title | Status |
|---|---|---|
| PR13/PR20 | Golden protocol vectors (valid settlement, expired grant, budget exceeded, hash mismatch) | ✓ |
| PR14 | Real ledger anchor adapters (Hedera HCS: hederaHcsAnchorIntentHash, verifyHederaHcsAnchor) |
✓ |
| PR15 | Reference deployment profiles (fleet-offline, parking, charging, hosted-rail) | ✓ |
| PR16 | Compatibility and versioning policy | ✓ |
| PR17 | Reference service API (src/service/) |
✓ |
| PR18 | Protocol documentation site (docs/) |
✓ |
| PR19 | Docs site deployment (MkDocs + GitHub Pages CI) | ✓ |
| PR | Title | Status |
|---|---|---|
| PR21 | Payment profiles expansion (XRPL Stablecoin, RLUSD) | ✓ |
| PR22 | Layer-1 ecosystem evaluation (XRPL, Hedera, Stellar, EVM) | ✓ |
| PR23 | Machine wallet guardrails documentation | ✓ |
| PR24 | Automated fleet payment demo (visual end-to-end) | ✓ |
| PR25 | MPCP conformance badge | ✓ |
| PR26 | Human-to-Agent Delegation Profile (revocationEndpoint, allowedPurposes, TRIP scope, checkRevocation()) |
✓ |
| PR27 | On-Chain Policy Anchoring (anchorRef, resolveXrplDid, hederaHcsAnchorPolicyDocument, checkXrplNftRevocation) |
✓ |
| PR28 | Encrypted Policy Anchoring (submitMode, AES-256-GCM via crypto.subtle, PolicyDocumentCustody, XRPL IPFS prep) |
✓ |
| PR29 | Trust Bundle — types, signing, verification, and key resolution integration | ✓ |
Implement the Trust Bundle specification as defined in the MPCP spec (see mpcp-spec/docs/protocol/trust-bundles.md).
Trust Bundles are pre-distributed signed documents that package trusted issuer public keys for MPCP verifiers operating without network access at verification time.
export interface TrustBundleIssuerEntry {
issuer: string;
keys: JsonWebKey[];
}
export interface TrustBundle {
version: "1.0";
bundleId: string;
bundleIssuer: string;
bundleKeyId: string;
category: string;
geography?: { region?: string; countryCodes?: string[] };
approvedIssuers: string[];
issuers: TrustBundleIssuerEntry[];
expiresAt: string;
signature: string;
}signTrustBundle(bundleWithoutSig, privateKeyPem)— constructs canonical payload ("MPCP:TrustBundle:1.0:" + canonicalJson(bundle)), signs with Ed25519 or ECDSA P-256, returns signed bundleverifyTrustBundle(bundle, rootPublicKeyPem)— verifies the bundle's own signature and expiry before use; returns{ valid: true }or{ valid: false; reason: string }resolveFromTrustBundle(issuer, issuerKeyId, bundles)— step-1 key resolution; searches non-expired loaded bundles in descendingexpiresAtorder; returns matching JWK ornull
verifySignedBudgetAuthorization, verifyPolicyGrant, and related verifiers gain an optional trustBundles?: TrustBundle[] parameter. When provided, key resolution checks bundles before falling back to HTTPS well-known and DID resolution (per the 3-step algorithm in the spec).
All three functions flat-exported from src/sdk/index.ts, consistent with existing SDK exports (checkRevocation, resolveXrplDid, etc.).
signTrustBundle+verifyTrustBundleroundtrip- Expired bundle rejected by
verifyTrustBundle - Tampered bundle signature rejected
resolveFromTrustBundlereturns correct key from matching non-expired bundleresolveFromTrustBundleskips expired bundles; falls through tonullresolveFromTrustBundleprefers bundle with latestexpiresAtwhen multiple matchverifySignedBudgetAuthorizationresolves signing key from Trust Bundle whentrustBundlesprovided (no env var needed)
src/protocol/trustBundle.tssrc/sdk/index.tsupdatedtest/protocol/trustBundle.test.ts
XRPL Stablecoin profile — RLUSD / issued-asset payment constraints, wallet and verifier expectations.
Delivered:
docs/implementation/xrpl-stablecoin-profile.md— full profile doc (asset constraints, policy shape, wallet/verifier expectations, Trust Gateway integration)profiles/xrpl-stablecoin.json— machine-readable profile definitionexamples/xrpl-stablecoin/— example artifact bundle + READMEdocs/implementation/reference-profiles.mdupdated with XRPL Stablecoin entry
Research document comparing XRPL, Stellar, Hedera, and EVM (L2) against MPCP settlement requirements: stablecoin maturity, budget reservation, finality, fees, identity, offline friendliness, tooling.
Delivered:
docs/implementation/l1-ecosystem-evaluation.md— full comparison matrix and recommendation- Recommendation: Stellar (USDC + Claimable Balances) as next rail; EVM L2 second; Hedera continues as anchoring layer
How MPCP acts as a machine wallet guardrail layer: PolicyGrant constraints, SBA session limits, Trust Gateway verification.
Delivered:
docs/implementation/machine-wallet-guardrails.md— guardrail model, Layer 1/2/3 enforcement, threat model, XRPL memo integrationdocs/examples/machine-wallet-guardrails.md— example walkthroughexamples/machine-wallet-guardrails/wallet-integration.mjs— runnable script with allowed/rejected scenarios
End-to-end fleet payment demonstrations with architecture diagrams and runnable scripts.
Delivered:
examples/fleet-trip/— multi-stop robotaxi demo (toll, charging, parking, tamper detection);demo-fleet-trip.mjsexamples/machine-commerce/— fleet spend simulator (simulate.mjs), fleet demo (demo-fleet.mjs), scenarios + policy JSONdocs/examples/fleet.md— architecture diagram (Vehicle Agent → Verifier → Trust Gateway → XRPL), run instructions, key behaviors
Formal conformance tiers (L0–L3), Shields.io badge, package.json claim format, implementer checklist.
Delivered:
docs/implementation/conformance.md— expanded with L0 Hash / L1 Structural / L2 Full-chain / L3 Profile tiers; badge format;package.jsonclaim schema; per-tier implementer checklist- Aligns with
mpcp-spec/test-vectors/CONFORMANCE.md(L0/L1/L2 definitions)
- Multi-SBA batching — verify multiple SBAs in a single call (bulk settlement)
- Streaming payment verification — incremental spend verification for micropayment streams
- Push revocation — WebSocket listener for real-time revocation events
- EVM stablecoin anchor adapter — extend intent anchoring to EVM chains