v1.1.1 shipping · MIT license · zero telemetry · Hash-chained, signed evidence; survives Visa & Mastercard rule cycles · Stripe-first · adapters intentionally absent at v1.1.1 · Patent-pending audit primitive · runs on your infrastructure
AgentGuard Chargeback
Open-source · v1.1.1 · MIT

Stop hand-typing
chargeback evidence
at 3am 3 milliseconds.

AgentGuard CB is an open-source, MIT-licensed TypeScript SDK that deterministically compiles structured chargeback evidence from your existing Stripe, Shopify, and CRM data, then stages it in Stripe with submit:false for your team to review and submit.

Hash-chained, Ed25519-signed, GDPR-controller-of-nothing. Runs on your infrastructure. No LLM. No telemetry. Stripe, Visa, and Mastercard are referenced nominatively; this Software is not affiliated with or endorsed by any of them.

deterministic typed hash-chained human-reviewed no LLM no telemetry

Output staged via stripe.disputes.update with submit:false. Your team submits.

01 · The 3am ritual

The current chargeback workflow is five tabs and a Word doc.

A dispute notification fires. The on-call merchant ops person opens five dashboards, copy-pastes screenshots into a Word document, exports a PDF, and uploads it to the Stripe dashboard before the deadline. Every dispute. Every time. The evidence is unsigned, untyped, untracked.

FIG.01: current state · ad-hoc evidence pipeline
Five dashboards funneling into a Word document, then to Stripe.
unsigned
No cryptographic proof the evidence wasn't tampered with between collection and submission.
untyped
Free-form prose. No schema. Card networks parse it as a blob, not a structured submission.
untracked
Zero audit trail. If someone asks "who edited the screenshot at 3:14am?", the answer is silence.
02 · How it works

Three deterministic steps. Zero LLM.

A typed pipeline that ingests structured data, compiles a hash-chained evidence object, and stages it in Stripe with submit:false, leaving the final submit decision with a human on your team.

STEP 01 ingest

Pull structured data from your sources.

Adapters for Stripe (charges, refunds, 3DS, radar), Shopify (orders, fulfillments, IP), and any HTTPS endpoint that speaks JSON. Each record is fingerprinted with SHA-256 at ingest time.

  • Typed Zod schemas, exhaustive on Stripe v2024-12-18
  • Deterministic: same input ⇒ same hash, byte-for-byte
  • Adapters: Stripe-only at v1.1.1 (intentional)
// 1 · ingest: typed, deterministic, fingerprinted
import { agentguardCb } from '@merchantguard/agentguard-cb';

const dd = agentguardCb({
  stripe: { apiKey: process.env.STRIPE_SECRET_KEY },
  signingKey: process.env.DD_ED25519_KEY,
});

const snapshot = await dd.ingest({
  disputeId: 'dp_3Lk7P9X8nM4',
  sources:   ['stripe', 'shopify', 'carrier', 'auth_log'],
});
// snapshot.contentHash → "sha256:7e4a…c19d"
STEP 02 compile

Compile a typed, hash-chained evidence object.

The compiler walks the snapshot, fills the Stripe evidence schema (receipts, shipping documentation, customer communication, service date), and chains every field's source hash into a verifiable audit log. The output is a single Ed25519-signed envelope.

  • Patent-pending audit primitive
  • Every field traceable to its source record
  • Tamper-evident: break any link and the signature fails
// 2 · compile: Merkle-chained, Ed25519-signed
const evidence = await dd.compile(snapshot, {
  reason: 'product_not_received',
  policy: './policies/refund-v3.md',
});

// evidence.envelope = {
//   schema: 'stripe.dispute_evidence/v1',
//   fields: { receipt, shipping_documentation, … },
//   merkleRoot: 'sha256:9c…f2a1',
//   signature:  'ed25519:7c4a…d3e9',
//   signer:     'fp:b1c8…',
//   timestamp:  '2026-04-30T03:14:09Z',
// }
STEP 03 stage

Stage in Stripe with submit:false.

The compiled evidence is uploaded to Stripe via disputes.update with submit:false. Your team reviews it in the Stripe dashboard and submits when satisfied. AgentGuard CB never submits on your behalf.

  • Surfaces Stripe-reported eligibility statuses (qualified, requires_action, not_qualified)
  • Final submit decision is always human
  • Audit log records who submitted, when, with what hash
// 3 · stage: submit:false leaves the human in the loop
const staged = await dd.stage(evidence, {
  submit: false,
});

// staged = {
//   stripeDisputeId: 'dp_3Lk7P9X8nM4',
//   evidenceHash:    'sha256:9c…f2a1',
//   stripeStatus:    'requires_action',  // surfaced from Stripe
//   eligibility:     'qualified',         // surfaced from Stripe
//   reviewUrl:       'https://dashboard.stripe.com/disputes/…',
// }

// → human reviewer opens reviewUrl, clicks Submit when satisfied
04 · Audit trail

Hash-chained, Ed25519-signed.
Step through the log.

Every action (ingest, compile, sign, stage, human submit) is appended to a hash-chained log. Each entry's prevHash binds it to the entry before it. Break any link and the signature over the chain head fails.

Patent-pending audit primitive. Runs on your infrastructure. Verified end-to-end before it touches a single chargeback.


The chain is portable. Export it as a single JSON file, hand it to your auditor, your acquiring bank, or opposing counsel. The signature verifies against the published Ed25519 public key without any MerchantGuard-side service.
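The prevHash chaining and offline verification described in this section, as an added example that is not the SDK's own code: it uses only Node's built-in crypto module, and the entry layout, field names and helper functions (append, signHead, verifyChain) are assumptions made for illustration. It shows why the head signature matters: an edited entry breaks its own hash, while a truncated log still chains correctly and is caught only by the signature.

```typescript
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from 'node:crypto';

// Assumed entry layout for illustration; the SDK's real log format may differ.
interface Entry { seq: number; action: string; payloadHash: string; prevHash: string; hash: string }

const GENESIS = 'sha256:' + '0'.repeat(64);
const sha256 = (s: string): string => 'sha256:' + createHash('sha256').update(s).digest('hex');

// Hash every field except `hash`, in a fixed order, so the encoding is deterministic.
const entryHash = (e: Omit<Entry, 'hash'>): string =>
  sha256(JSON.stringify([e.seq, e.action, e.payloadHash, e.prevHash]));
const headOf = (log: Entry[]): string => (log.length ? log[log.length - 1].hash : GENESIS);

function append(log: Entry[], action: string, payload: string): Entry[] {
  const body = { seq: log.length, action, payloadHash: sha256(payload), prevHash: headOf(log) };
  return [...log, { ...body, hash: entryHash(body) }];
}

// Ed25519 hashes internally, so the digest-algorithm argument is null.
const signHead = (log: Entry[], key: KeyObject): string =>
  sign(null, Buffer.from(headOf(log)), key).toString('base64');

// Returns null when chain and signature verify, otherwise the first failure found.
function verifyChain(log: Entry[], sig: string, pub: KeyObject): string | null {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    if (e.seq !== i) return `entry ${i}: bad sequence number`;
    if (e.prevHash !== prev) return `entry ${i}: prevHash does not match`;
    if (entryHash(e) !== e.hash) return `entry ${i}: content hash mismatch`;
    prev = e.hash;
  }
  const ok = verify(null, Buffer.from(prev), pub, Buffer.from(sig, 'base64'));
  return ok ? null : 'head signature invalid';
}

// Constructed sample log: one valid chain, one edited entry, one truncated copy.
function demo(): { intact: string | null; edited: string | null; truncated: string | null } {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  let log: Entry[] = [];
  for (const a of ['ingest', 'compile', 'sign', 'stage', 'human_submit']) log = append(log, a, `payload:${a}`);
  const sig = signHead(log, privateKey);
  const edited = log.map((e) => (e.seq === 1 ? { ...e, payloadHash: sha256('altered') } : e));
  return {
    intact: verifyChain(log, sig, publicKey),
    edited: verifyChain(edited, sig, publicKey),
    truncated: verifyChain(log.slice(0, -1), sig, publicKey),
  };
}
```

A verifier needs only the exported entries, the head signature and the public key, which is what makes the check possible without any vendor-side service.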

05 · Install

Three CTAs. No demos. No forms.

Open-source means every link is a link. There's nothing to schedule, no email to capture, no sandbox to provision. npm install, fork the repo, read the legal docs.

REQUIREMENTS
Runtime
Node ≥ 20.0 · TypeScript ≥ 5.4
PSP
Stripe (v1.1.1)
Signing
Ed25519 keypair (you generate, you hold)
Storage
Anything that speaks read/write: Postgres, S3, fs
License
MIT · DCO sign-off
Telemetry
none · nothing · zero
QUICKSTART
# 1. install
$ npm install @merchantguard/agentguard-cb

# 2. build CE 3.0 evidence in your own code: no LLM, your data stays on your server
import { evaluateVisaCe3Eligibility, buildStripeVisaCe3EnhancedEvidence,
         customerEvidenceBundleSchema } from '@merchantguard/agentguard-cb'

const bundle = customerEvidenceBundleSchema.parse(yourBundle)
const elig   = evaluateVisaCe3Eligibility(bundle)
if (elig.qualified) {
  const payload = buildStripeVisaCe3EnhancedEvidence(bundle, elig.selectedPriors)
  // send to Stripe with submit:false so a human reviews before final submission
}

# or run it as an MCP server for Claude Desktop / Cursor / Cline
$ npx -y @merchantguard/agentguard-cb mcp
→ [agentguard-cb mcp] ready

Read the docs first. AgentGuard CB does not submit chargeback evidence on your behalf. The final submit decision rests with a human reviewer on your team, and with your counsel where the dispute warrants it.

06 · FAQ

Frequently asked questions.

Answers cross-checked against the live LEGAL.md, DISCLAIMER.md, and PATENTS.md in the agentguard-cb repository. Nothing here is legal advice.

ACCEPTANCE & STANDARDS
Will Stripe actually accept evidence packets generated by AgentGuard CB?
Stripe accepts CE 3.0 evidence packets in JSON via their Disputes API. The schema is public and unrelated to which tool produced it. AgentGuard CB produces conformant JSON. Stripe does not care whether you used Disputifier, Justt, an in-house script, or this SDK; it cares that the packet matches the spec. We removed the SaaS rent on the assembly step. Outcome on any specific dispute is determined by Visa Resolve Online (VROL) edits and the issuing bank under the Visa Core Rules, and is not within the SDK's control.
Is this certified by Visa, Stripe, or any acquirer?
No. CE 3.0 is a published standard, not a vendor certification. AgentGuard CB is not a Visa Third Party Agent within the meaning of Visa Core Rules § 10.2.2, is not registered under the Visa TPA Registration Program, and has no contractual or technical relationship with Visa Inc., Stripe, Inc., or any acquirer. Third-party trademarks are used nominatively under the Lanham Act and the doctrine articulated in New Kids on the Block v. News America Publ'g, Inc., 971 F.2d 302 (9th Cir. 1992), and do not imply endorsement.
SUBMISSION & SAFETY
Are you submitting evidence to Stripe on the merchant's behalf?
No. Default submit:false on every staging call. The MCP server is read-only and pure-functional: it never calls the Stripe API, never writes to a database, and never submits a dispute. The merchant reviews every packet, the merchant calls Stripe's API, the merchant signs off on submission. AgentGuard CB assembles the payload. The merchant submits it.
What stops merchants from submitting fake or fabricated evidence?
The architecture and the publisher's stated intent. AgentGuard CB is intended to assemble payloads from data the merchant has independently collected, retained, and verified as truthful. The publisher does not intend the SDK to construct, stage, or transmit evidence that is false, fabricated, or materially misleading. Architecture enforces it: typed evidence schemas, no LLM-generated fields, default submit:false staging, and a hash-chained audit log. Submitting falsified evidence may give rise to wire-fraud liability under 18 U.S.C. § 1343 and analogous state UDAP statutes. That risk is the merchant's.
Have you actually won disputes using this SDK?
The SDK assembles evidence packets in the shape Stripe's Disputes API expects. Winning a dispute depends on whether the underlying events actually happened (signup, terms acceptance, product delivery, prior un-disputed transactions on the same identifiers, and so on). AgentGuard CB does not generate, fabricate, embellish, or modify evidence; it shapes facts into the format Stripe and the issuing bank evaluate. If the merchant can prove what happened, the SDK gets the proof to Stripe in a structured form. If the underlying facts do not support the case, no tool helps. Outcomes are not guaranteed.
PRODUCT COMPARISON
How is this different from Disputifier, Chargebacks911, or Justt?
Those products are SaaS that assemble evidence for the merchant, charge per resolution or monthly subscription, and typically submit on the merchant's behalf. AgentGuard CB is an open-source SDK that does the assembly part and stops there. Default submit:false. The merchant reviews every packet. The merchant submits when ready. Different product, different price (free, MIT licensed), different trust model (audit it yourself, run it on your own infra, no third-party retains your customer data).
How is this different from writing my own script?
You can. We did. The SDK is the script we wrote, productized: typed CustomerEvidenceBundle and CE 3.0 schemas, Ed25519-signed and SHA-256 hash-chained audit log, MCP server for agent integration, default submit:false safety, buyer-readable event log layer. If you want to roll your own, fork it. MIT licensed.
PRACTICAL
Is there a hosted or managed version?
Self-hosted only at the moment. The whole point is that your evidence and customer data stay on your infrastructure. Telemetry is off by default. If there is enterprise demand for a hosted variant we will consider it, but the open-source SDK is the product.
Can I drive AgentGuard CB from a local LLM (Ollama, LM Studio, Qwen)?
Yes. The SDK ships an MCP (Model Context Protocol) server compatible with Claude Code, Cursor, Codex, or any local LLM through Ollama, LM Studio, or Qwen-compatible runtimes. The MCP server is read-only and pure-functional: it never calls Stripe, never writes to a database. AgentGuard CB itself never invokes an LLM in the evidence pipeline. The setup is fully air-gappable.
PRIVACY & SECURITY
What about customer PII and GDPR compliance?
AgentGuard CB is delivered as MIT-licensed source code that the merchant deploys on its own infrastructure. It runs in the merchant's environment, processes the merchant's data, and does not, by default, transmit personal data to the publisher. There is no telemetry by default. The merchant is the controller for all processing of cardholder personal data within the meaning of Article 4(7) of the GDPR, the analogous provision of the UK GDPR, the CCPA as amended by the CPRA, and Panama Law 81 of 26 March 2019. Issue templates and security disclosure paths redact personal data by default.
Why self-host instead of using a managed dispute SaaS?
Centralized dispute SaaS providers hold customer transaction data, IP addresses, support email content, and Stripe API keys for many merchants in one place. That is a single point of failure: one breach exposes every merchant on the platform at once. Self-hosting AgentGuard CB keeps customer data and Stripe credentials inside the merchant's own infrastructure. Audit logs are hash-chained on the merchant's side. The merchant controls subpoena response and notification.
OPEN SOURCE & PATENTS
Why is this open source instead of a paid SaaS?
Three reasons. (1) Regulators worldwide are converging on this exact architecture. Brazil's Resolution 561 (effective October 1, 2026) mandates segregated counterparty accounts and hash-chained audit trails for cross-border crypto settlement. The US CLARITY Act in Senate Banking markup requires the same structure for stablecoin activity-based rewards. The EU MiCA already requires it. Public infrastructure beats SaaS rent on a converging standard. (2) The moat is the patent portfolio (4 U.S. provisional applications filed) covering the architecture, not the SDK code. (3) Open-source builds developer trust faster than any closed product can.
What patents apply, and what is the licensing posture?
Four U.S. provisional patent applications were filed by Dunecrest Ventures Inc. on February 17, 2026: 63/983,615; 63/983,621; 63/983,843; 63/984,626. AgentGuard CB is published under the MIT License with an additional defensive patent pledge (modeled on LOT Network and Open Invention Network): Dunecrest will not initiate offensive patent litigation against any party for practicing those patents through use of this open-source SDK, except in defense against a patent claim first asserted by that party. Until non-provisional applications issue and patent numbers are assigned, the PATENTS.md notice does not satisfy 35 U.S.C. § 287(a) constructive-notice requirements. See PATENTS.md for the full text.

Nothing in this FAQ is legal advice. Outcomes on any specific dispute are determined by Visa Resolve Online and the issuing bank under the Visa Core Rules. Submitting falsified evidence may give rise to civil or criminal liability.