chore: v2.1.0 — invalid_credential, optional Subject/AccountVerification fields, engines >=20

.claude/CLAUDE.md

@@ -1,6 +1,6 @@
 # @agent-score/sdk
 
-TypeScript client for the AgentScore trust and reputation API.
+TypeScript client for the AgentScore APIs.
 
 ## Identity Model
 

README.md

@@ -3,7 +3,7 @@
 [![npm version](https://img.shields.io/npm/v/@agent-score/sdk.svg)](https://www.npmjs.com/package/@agent-score/sdk)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
 
-TypeScript/Node.js client for the [AgentScore](https://agentscore.sh) trust and reputation API.
+TypeScript/Node.js client for the [AgentScore](https://agentscore.sh) APIs.
 
 ## Install
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@agent-score/sdk",
-  "version": "2.0.0",
-  "description": "TypeScript client for the AgentScore trust and reputation API",
+  "version": "2.1.0",
+  "description": "TypeScript client for the AgentScore APIs",
   "main": "./dist/index.cjs",
   "module": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -48,7 +48,7 @@
     "url": "https://github.com/agentscore/node-sdk/issues"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "devDependencies": {
     "@eslint/js": "^9.39.4",

src/types.ts

@@ -12,7 +12,11 @@ export type ReputationStatus = 'scored' | 'stale' | 'known_unscored';
 
 export interface Subject {
   chains: string[];
-  address: string;
+  /** Wallet-based subject. Present for assess/reputation responses keyed by `address`.
+   *  Absent on credential-based assess (use `credential_prefix` instead). */
+  address?: string;
+  /** Credential-based subject. Present for assess responses keyed by `operator_token`. */
+  credential_prefix?: string;
 }
 
 export interface Classification {
@@ -217,18 +221,25 @@ export interface AgentScoreErrorBody {
  *     until verified, receive a fresh operator_token. Existing account KYC persists.
  */
 export type DenialCode =
-  | 'operator_verification_required'
-  | 'compliance_denied'
-  | 'compliance_error'
-  | 'wallet_not_trusted'
+  // Gate-emitted codes from commerce middleware (canonical 9-element union)
   | 'missing_identity'
   | 'identity_verification_required'
-  | 'payment_required'
-  | 'api_error'
-  | 'kyc_required'
+  | 'token_expired'
+  | 'invalid_credential'
   | 'wallet_signer_mismatch'
   | 'wallet_auth_requires_wallet_signing'
-  | 'token_expired';
+  | 'wallet_not_trusted'
+  | 'api_error'
+  | 'payment_required'
+  // Merchant-emitted convenience codes (e.g. martin-estate's onDenied wraps gate denials
+  // into wine-specific business codes). These are not emitted by the AgentScore API
+  // itself but appear in 4xx bodies the SDK may surface back to callers.
+  | 'operator_verification_required'
+  | 'compliance_denied'
+  | 'compliance_error'
+  // Decision-reason code surfaced in error.code by some merchants — kept for back-compat
+  // with merchants that flatten policy reasons into the error envelope.
+  | 'kyc_required';
 
 /**
  * Recommended agent action encoded in `next_steps.action`. Granular codes let agents pick the
@@ -466,7 +477,10 @@ export interface AccountVerification {
 
 export interface CredentialListResponse {
   credentials: CredentialItem[];
-  account_verification: AccountVerification;
+  /** Account-level KYC facts. Conditionally emitted by the API — only present when the
+   *  account has an associated `account_verifications` row. Absent for accounts that
+   *  have minted credentials but never started KYC. */
+  account_verification?: AccountVerification;
 }
 
 export interface CredentialRevokeResponse {

tests/index.test.ts

@@ -518,7 +518,7 @@ describe('Integration: compliance policy deny with verify_url', () => {
         evidence_summary: { metadata_kind: null, has_a2a_agent_card: false, website_url: null, website_reachable: false, website_mentions_mcp: false, website_mentions_x402: false, github_url: null, github_stars: null },
       }],
       decision: 'deny',
-      decision_reasons: ['kyc_required', 'sanctions_check_pending'],
+      decision_reasons: ['kyc_required', 'sanctions_flagged'],
       on_the_fly: false,
       data_semantics: 'v1',
       caveats: [],
@@ -544,7 +544,7 @@ describe('Integration: compliance policy deny with verify_url', () => {
 
     expect(result.decision).toBe('deny');
     expect(result.decision_reasons).toContain('kyc_required');
-    expect(result.decision_reasons).toContain('sanctions_check_pending');
+    expect(result.decision_reasons).toContain('sanctions_flagged');
     expect(result.verify_url).toBe('https://agentscore.sh/verify/xyz789');
     expect(result.operator_verification).toBeDefined();
     expect(result.operator_verification!.level).toBe('none');

tests/sessions-credentials.test.ts

@@ -199,8 +199,8 @@ describe('AgentScore.pollSession()', () => {
 
 const CREDENTIAL_CREATE_RESPONSE = {
   id: 'cred_abc123',
-  credential: 'opc_live_abc123def456',
-  prefix: 'opc_live_abc',
+  credential: 'opc_test_abc123def456',
+  prefix: 'opc_test_abc',
   label: 'Production API',
   expires_at: '2027-04-09T00:00:00Z',
   created_at: '2026-04-09T00:00:00Z',
@@ -288,15 +288,15 @@ const CREDENTIAL_LIST_RESPONSE = {
   credentials: [
     {
       id: 'cred_abc123',
-      prefix: 'opc_live_abc',
+      prefix: 'opc_test_abc',
       label: 'Production API',
       expires_at: '2027-04-09T00:00:00Z',
       last_used_at: '2026-04-08T12:00:00Z',
       created_at: '2026-04-01T00:00:00Z',
     },
     {
       id: 'cred_def456',
-      prefix: 'opc_live_def',
+      prefix: 'opc_test_def',
       label: 'Staging',
       expires_at: '2026-05-01T00:00:00Z',
       last_used_at: null,