pull in latest upstream#2
Open
TtheBC01 wants to merge 703 commits into
Open
Conversation
github-actions
Bot
added
typescript
python
go
java
sdk
legacy
examples
specs
docs
website
ci
ecosystem
labels
* feat(evm): add Stable mainnet (chain ID 988) network support * chore: add changelog fragments for Stable mainnet support * feat(evm): add Stable mainnet to Go v1 legacy network config
* Add Fastify framework adapter for x402 payment middleware * fix(fastify): preserve settlement response bytes and resource URLs * chore(fastify): regenerate lockfiles for @x402/fastify workspace package The pnpm-lock.yaml files in typescript/ and examples/typescript/ were missing entries for the @x402/fastify package, causing CI to fail with ERR_PNPM_OUTDATED_LOCKFILE on every workflow. * feat(fastify): add e2e test server Adds a Fastify server to the e2e test suite, following the same pattern as Express and Hono. The test framework auto-discovers it via test.config.json. Includes all standard endpoints: /protected (EVM), /protected-svm, /protected-aptos, /protected-permit2, /protected-permit2-erc20, /protected-stellar, /health, /close. * ci(fastify): add npm publishing workflow Adds workflow_dispatch publishing workflow for @x402/fastify, matching the pattern used by @x402/express and @x402/hono.
* feat: improved e2e suite * feat: normalize e2e server paths * feat: refactored path structure to /scheme/implementation/test format
* fix gin streaming * fix e2e and echo/nethttp FacilitatorResponseError
#1790) * Applied monkey-patch on reply.raw write operations and buffered response to prevent content leak from direct raw writes bypassing Fastify's onSend lifecycle * fix e2e tests
* feat(evm): add upto payment scheme TypeScript SDK Implement the upto payment scheme for EVM, enabling usage-based payments where a client authorizes a maximum amount via Permit2 and the server settles for the actual amount used (which may be less). Covers all three roles: - Client: creates Permit2 payloads with max authorized amount - Server: builds payment requirements, forces permit2 transfer method - Facilitator: verifies permitted >= required, settles actual usage, supports zero-settlement path for no-charge responses Key design decisions: - Permit2 only (no EIP-3009, per spec) - Shared Permit2 witness struct with exact scheme - Re-exports shared utilities from exact (approval helpers, extensions, RPC) - V2 protocol only Resolves: CDPAI-714 * chore(evm): add JSDoc descriptions and fix lint errors in upto SDK Add comprehensive JSDoc descriptions, @param, and @returns tags to all upto scheme files to satisfy eslint jsdoc rules. Remove unused imports in facilitator test file. * refactor(evm): extract shared permit2 helpers to reduce duplication between exact and upto facilitators * refactor(evm): consolidate client-side createPermit2Payload into shared helper * refactor(evm): extract shared trySignEip2612Permit and trySignErc20Approval from scheme classes * refactor(evm): split shared/permit2-helpers into permit2.ts and extensions.ts * test(evm): add upto server, register, and types tests; expand client and facilitator coverage Add 3 new test files (server.test.ts, register.test.ts, types.test.ts) covering upto-specific server behaviors (permit2 forcing, facilitator address injection, price parsing), registration helpers for all three roles, and type guard validation. Expand existing client and facilitator tests with additional edge cases. Also includes in-progress source changes: shared permit2 helper refactoring, upto facilitator hardening, spec clarifications, and defaultAssets extraction. * fix(evm): resolve lint errors for CI — add missing JSDoc descriptions and fix unused vars * fix(evm): address PR review — align upto verify flow with exact, update spec, remove createEvmClient * refactor(evm): move shared utils to shared/, remove upto register pattern - Move validateErc20ApprovalForPayment to shared/erc20approval.ts (was in exact/facilitator/, used by both exact and upto) - Move RPC utilities to shared/rpc.ts, rename types to drop Exact prefix (EvmSchemeConfig, EvmSchemeOptions, etc.) with deprecated aliases - Remove registerUptoEvmScheme from client, facilitator, and server (v1 legacy pattern not needed for v2-only upto scheme) - Backward-compat re-exports preserved at original paths * test(e2e): add upto payment scheme e2e test coverage Add full e2e test suite for the upto payment scheme mirroring exact permit2 coverage: direct settle, EIP-2612 gas sponsoring, and ERC-20 approval gas sponsoring endpoints. - Add 3 upto endpoints to Express e2e server with UptoEvmScheme - Register UptoEvmScheme in TypeScript facilitator - Register UptoEvmClientScheme in fetch and axios e2e clients - Add upto Permit2 approve/revoke cycle handling in test runner - Add upto entry points to @x402/evm tsup.config.ts - Update test.config.json files for all components * fix(evm): harden upto type guard, add time window validation, improve settlement comments - Add validAfter check to isUptoPermit2Payload for stricter exact/upto discrimination - Add deadline > validAfter guard in client permit2 payload creation - Default simulateInSettle to true for settlement re-verification - Expand settlement re-verification comment for reviewer clarity - Add no-register.ts comments explaining V1 compat is not needed for upto - Clarify e2e test config description for upto endpoint - Add tests for validAfter type guard and buildUptoPermit2SettleArgs * feat: added SettlementOverride * fix: examples lock * feat: Added upto to hono/next e2e tests * feat: update upto tests * feat: update tests to support fallback facilitator for non-SDK parity testing * fix: format/lint * fix: add linting to upto example --------- Co-authored-by: Fabrice Cheng <fabrice.cheng@coinbase.com>
* feat: added BAZAAR-RESPONSE header to spec * feat: generalized header
…er (#1831) * fix(go): add omitempty to QueryInput/BodyInput.Method to prevent spurious enum validation failure When external JSON omits info.input.method (valid when method is not in the schema's required list), Go zero-initializes the Method field to "" and re-marshaling produces "method":"", which fails the enum constraint in ValidateDiscoveryExtension. Adding omitempty ensures absent method fields remain absent after round-trip serialization. Fixes #1830 Made-with: Cursor * enforce method is required in TS and Python discovery extension schemas Per spec, the method field must always be present in a discovery extension's info.input. Add "method" to the required array in schemas built by the TS and Python resource service builders, so ValidateDiscoveryExtension rejects extensions missing method with a clear error. Also reverts the Go omitempty workaround from the prior commit; the Go SDK was already producing a validation error for absent method (via the enum constraint), and the schema-level required enforcement is the correct fix. Closes #1830 Made-with: Cursor * style: format resourceService.ts type union per Prettier Made-with: Cursor * fix: auto-populate HTTP method from adapter in all SDKs The SDK entry points (processHTTPRequest, requiresPayment, processSettlement) now derive the HTTP method from the adapter when it is not explicitly set on the request context. This ensures direct x402HTTPResourceServer users do not need to manually assign the method field — the SDK computes it at runtime, matching the behavior middleware users already get. Made-with: Cursor * test: add declare → enrich → validate flow tests for bazaar extension Verify the real middleware path: extensions are declared without method, enrichDeclaration injects method from the HTTP context at request time, and the enriched extension passes schema validation. Covers GET and POST in all three SDKs (TypeScript, Go, Python). Made-with: Cursor
Generated-By: mintlify-agent Mintlify-Source: dashboard-editor Co-authored-by: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>
* Fix race condition in lazy facilitator initialization for FastAPI and Flask middleware Under concurrent requests, multiple coroutines/threads could see init_done=False simultaneously and all call http_server.initialize(), causing redundant init calls and inconsistent error propagation. - FastAPI: guard with asyncio.Lock using double-checked locking pattern - Flask: guard with threading.Lock using double-checked locking pattern - Add concurrency tests proving single-flight initialization for both frameworks - Add tests verifying failed init does not permanently block retries Closes #1584 * fix: remove unused variables to pass ruff lint
* fix: e2e approve bug
* feat: remove new docstring addition
* fix: update Next.js e2e server to /exact/evm/... path structure
The `feat: add upto to typescript sdk` commit reverted proxy.ts and
test.config.json from the improved `/api/exact/evm/...` path structure
back to old `protected-*` paths, without recreating the deleted route
files. Fix this properly by:
- Update proxy.ts route keys and config.matcher to /exact/evm/... paths
- Update test.config.json to /exact/evm/... paths, preserving
coldstart: true on the two permit2 endpoints
- Add missing proxy route files at new paths:
exact/evm/eip3009/proxy, exact/evm/permit2/proxy,
exact/evm/permit2-eip2612GasSponsoring/proxy,
exact/evm/permit2-erc20ApprovalGasSponsoring/proxy,
exact/svm/proxy, exact/stellar/proxy, exact/aptos/proxy
Note: route files are in directories named "proxy" which matches a
root .gitignore pattern, so they are tracked with git add -f.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: flatten non-EVM chain routes to /exact/{chain} base path
SVM, Aptos, and Stellar each have a single transfer mechanism with no
variants, so the /proxy sub-path is unnecessary. Move them to the base
level /exact/{chain} pattern, matching EVM's approach of only adding
sub-paths when there are multiple mechanisms or extensions to test.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: pr cleanup and review
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: add upto to go sdk * feat: cleanup PR * feat: added HTTPTransportContext to Go SDK * fix: ai reviewer feedback * fix: typescript tests * fix: header parsing for HTTPTransportContext in Typescript * feat: cleanup pr * feat: pr cleanup * feat: pr review * feat: update e2e go.mod for upto debs * fix: lint
* fix: randomize facilitator signer selection * fix: test
* Update docs/getting-started/quickstart-for-sellers.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor * Update docs/getting-started/quickstart-for-sellers.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor * Update docs/getting-started/quickstart-for-sellers.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor --------- Co-authored-by: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>
Generated-By: mintlify-agent Mintlify-Source: dashboard-editor Co-authored-by: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>
* Update docs/sdk-features.md Generated-By: mintlify-agent Mintlify-Source: dashboard-editor * Update docs/getting-started/quickstart-for-sellers.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor --------- Co-authored-by: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>
* fix settlementOverrides for next * add changeset * Strip SETTLEMENT_OVERRIDES_HEADER on all exit paths, not just success * pr feedback
* improve client error surfacing * pr feedback
* Update docs/getting-started/quickstart-for-buyers.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor * Update docs/getting-started/quickstart-for-buyers.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor --------- Co-authored-by: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>
* Update docs/extensions/builder-code.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor * Update docs/docs.json Generated-By: mintlify-agent Mintlify-Source: dashboard-editor * Update docs/extensions/overview.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor * Update docs/extensions/overview.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor * Update docs/sdk-features.md Generated-By: mintlify-agent Mintlify-Source: dashboard-editor --------- Co-authored-by: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>
* fix extension echo * fix tests * add changeset * fix tests * fix tests
* add workflow checking verified commits * fix fmt
* prepare py releases * fix pr resolution * improve changelog * improve changelog * fix fmt * change cron time * fix verified commits action
* mirror TS core + evm changes for builder-code * add builde code extension * add examples * fix signers * fix upto client * fix fmt * add comment for v1 payload
* Update docs/sdk-features.md Generated-By: mintlify-agent Mintlify-Source: dashboard-editor * Update docs/extensions/builder-code.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor * Update docs/extensions/builder-code.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor * Update docs/extensions/builder-code.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor * Update docs/extensions/builder-code.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor * Update docs/extensions/overview.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor --------- Co-authored-by: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>
…ct scheme (#829) Document the outcome-based payment model and Sponsor Acceptance Policy for the exact scheme on Solana, aligned with the merged simulation-based smart wallet verification: - Reframe as outcome-based payment semantics with explicit terminology (client, merchant, sponsor, fee payer, smart wallet) - Add normative Exact Payment Outcome Definition, including exactly-one matching transfer and overpayment tolerance (>= required amount) - Add Sponsor Acceptance Policy (fee payer isolation, ALT visibility, compute budget caps, program allowlist, simulation rejection) - Document the two-path reference implementation (static fast path + simulation-based smart wallet path), path selection, and post-settlement TOCTOU verification - Add security invariants table (I1-I7) - Update static path instruction cap from 6 to 7 (third Lighthouse slot)
* prepare go releases * fix fmt * fix uppercase keys * ts releases * fix legacy * fix hedera * add versions check * improve changelog parsing * fix * fix attribution * add tags * remove unused files
Signed-off-by: Piotr Swierzy <piotr.swierzy@blockydevs.com>
Mezo mainnet launched with the canonical x402 contracts (Permit2 + Exact/Upto proxies) deployed at the same CREATE2 addresses as Base and Mezo testnet, so the SDKs can now offer mUSD as the chain's default stablecoin. Adds the eip155:31612 entry to all three SDK registries (TS DEFAULT_STABLECOINS, Go NetworkConfigs + ChainIDMezo, Python NETWORK_CONFIGS), mirroring the existing eip155:31611 testnet entry with only the token address and chain id differing. Field values were confirmed on-chain via ERC-5267 eip712Domain(): name "Mezo USD", version "1", chainId 31612; decimals()=18; EIP-2612 nonces() present (mUSD lacks EIP-3009, so transfers go through Permit2 with gasless EIP-2612 approval). No faucetUrl: mainnet has no faucet and the paywall faucet UI is testnet-gated. The Go constant is named ChainIDMezo (not ChainIDMezoMainnet) to match the unsuffixed-mainnet convention (ChainIDBase, ChainIDStable, ChainIDRadius, ChainIDHPP). Mainnet entries precede their testnet siblings in every registry, matching the other chain families. gen/decimals.ts is the build:paywall output for the new 18-decimal entry (DEFAULT_ASSETS.md step 3). The nine paywall template bundles were deliberately NOT regenerated: a clean-HEAD rebuild already changes all nine (pre-existing drift on main, likely from a dependency bump after the last regen; check_paywall_template is now workflow_dispatch-only so PRs no longer enforce it), and the client bundles do not embed the decimals map, so they have no functional dependency on this change. Including them would mix ~MB of unrelated minifier churn into a 34-line chain addition. Validation: full TS suite (45 turbo tasks), pytest (1651 passed), go test -race, plus lint/format gates for all three languages, green on base and on this change. Tracked by x4-hyn9fv.4; Python display-amount 6-decimal hardcoding found during review filed as x4-4a6mr8.
* fix builds * fix vercel build
* Update docs/core-concepts/network-and-token-support.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor * Update docs/core-concepts/network-and-token-support.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor --------- Co-authored-by: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>
* validAfter patch * add changelogs * fix fmt
* add daily e2e runs * fix parallel e2e * fix tests * fix next * fix tests * fix env
…ettlements (#2607) The upto EVM spec's Phase 3 step 4 requires `permitted.amount === requirements.amount`, but doesn't distinguish verify-time (where requirements.amount is the ceiling) from settle-time (where requirements.amount is the metered actual). This ambiguity allows facilitator implementations to enforce the equality check at settle time, rejecting all partial settlements — the core upto value proposition. Add an explicit "Settle-Time Verification" subsection to Phase 4 that documents the convention the reference implementation already follows: verify the signature against permitted.amount (the ceiling), validate settlement <= ceiling, then transfer the metered amount on-chain. Include a conformance note, a wire-shape example for the partial settlement case, and a cross-reference from the abstract scheme_upto.md. Add four conformance tests to the EVM facilitator test suite that validate the settle-time verification convention end-to-end: signature verified against ceiling, metered amount transferred on-chain, range of partial ratios, and rejection when exceeding the ceiling. Closes #2437 Co-authored-by: aisling404 <211950534+aisling404@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* add buildercode s array * add changelog * fix
* Update docs/extensions/builder-code.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor * Update docs/extensions/builder-code.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor * Update docs/extensions/builder-code.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor * Update docs/extensions/builder-code.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor * Update docs/extensions/builder-code.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor * Update docs/extensions/builder-code.mdx Generated-By: mintlify-agent Mintlify-Source: dashboard-editor --------- Co-authored-by: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Tests
Checklist