The BTX RPC client (constructed once at boot).
OptionalenforceEnforce that the redeemed challenge's binding.{resource,subject,purpose}
matches what this request resolves to (audit H-1). Default true.
Without it, a valid proof issued for one binding can be replayed to admit a
different route/tenant (btxd's redeem can't see the request). Resolvers must
be deterministic per request. Set false only for intentional cross-binding reuse.
OptionalisOverride the default "is the proof present?" check. By default it returns
true iff all of x-btx-challenge, x-btx-proof-nonce, x-btx-proof-digest
headers are set.
OptionalissueExtra issue params forwarded to client.issue() (target_solve_time_s, expires_in_s, etc.).
OptionalonOptional hook fired on successful admission. Receives c + the redeem result.
OptionalonOptional hook fired when client.issue() or client.redeem() throws.
Receives the original error + the context. Fires exactly once before
the middleware re-throws to hand off to Hono's onError handler.
Use this for logging/observability. Audit ref: D-1.
Logical purpose label, e.g. 'ai_inference_gate' or 'rate_limit'.
Resource identifier, e.g. (c) => \model:${(await c.req.json()).model}|route:${c.req.path}``.
Subject identifier, e.g. (c) => \tenant:${c.req.header('x-tenant-id')}``.
Options for btxAdmission.