feat(x402): add SKALE network settings to X402Settings

[Subhajitdas99]

Summary

Describe the problem and fix in 2–5 bullets:

• Problem: Bindu’s X402Settings did not expose a clean SKALE-specific configuration surface, so SKALE payment setup required ad hoc values or broader branch changes.
• Why it matters: A minimal settings-layer addition makes SKALE/x402 integration easier to configure without mixing in middleware or payment-validation changes.
• What changed: Added SKALE-specific x402 settings in bindu/settings.py for facilitator URL, network identifier, token metadata, default amount, and SKALE RPC mappings.
• What did NOT change (scope boundary): No middleware behavior changes, no facilitator logic changes, no payment validation changes, and no unrelated settings refactors.

Change Type (select all that apply)

• Bug fix
• Feature
• Refactor
• Documentation
• Security hardening
• Tests
• Chore/infra

Scope (select all touched areas)

• Server / API endpoints
• Extensions (DID, x402, etc.)
• Storage backends
• Scheduler backends
• Observability / monitoring
• Authentication / authorization
• CLI / utilities
• Tests
• Documentation
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related feat(x402): add SKALE network support to X402Settings #507

User-Visible / Behavior Changes

Added new optional X402Settings fields:

• skale_facilitator_url
• skale_network
• skale_payment_token
• skale_payment_token_name
• skale_default_amount

Also added SKALE RPC mappings for:

• eip155:2046399126
• skale-europa

No default behavior changed for existing non-SKALE users.

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/credentials handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Database schema/migration changes? (Yes/No) No
• Authentication/authorization changes? (Yes/No) No
• If any Yes, explain risk + mitigation: None

Verification

Environment

• OS: Windows 11
• Python version: 3.12.9
• Storage backend: Not applicable
• Scheduler backend: Not applicable

Steps to Test

1. Start from main and apply this branch.
2. Confirm bindu/settings.py loads with the new SKALE x402 fields present in X402Settings.
3. Confirm rpc_urls_by_network contains entries for eip155:2046399126 and skale-europa.

Expected Behavior

• X402Settings exposes the new SKALE configuration fields.
• SKALE network RPC mapping is available without affecting existing Base/Ethereum mappings.

Actual Behavior

• Verified the new SKALE settings fields and RPC mappings are present in bindu/settings.py.
• Existing x402 settings structure remains unchanged outside the new SKALE additions.

Evidence (attach at least one)

• Failing test before + passing after
• Test output / logs
• Screenshot / recording
• Performance metrics (if relevant)

Human Verification (required)

What you personally verified (not just CI):

• Verified scenarios: Verified the branch contains only the intended X402Settings SKALE additions in bindu/settings.py.
• Edge cases checked: Checked that existing settings outside the SKALE-specific additions were not modified in this clean branch.
• What you did NOT verify: Did not verify live facilitator interaction or end-to-end SKALE payment flow in this PR, since this change is settings-surface only.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) Yes
• Database migration needed? (Yes/No) No
• If yes, exact upgrade steps: Existing users do not need to change anything. SKALE users can optionally configure the new X402Settings fields.

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: Revert this PR or stop using the new SKALE-specific settings.
• Files/config to restore: bindu/settings.py
• Known bad symptoms reviewers should watch for: Unexpected settings-loading issues in X402Settings if downstream code assumes only the older field set.

Risks and Mitigations

List only real risks for this PR. If none, write None.

• Risk: SKALE metadata values (network identifier / RPC URL / token address) may need future adjustment if upstream ecosystem details change.
  • Mitigation: Kept the PR narrowly scoped to settings so updates can be made easily without touching middleware or payment logic.

Checklist

• Tests pass (uv run pytest)
• Pre-commit hooks pass (uv run pre-commit run --all-files)
• Documentation updated (if needed)
• Security impact assessed
• Human verification completed
• Backward compatibility considered

Summary by CodeRabbit

• New Features
  • Added SKALE network integration with configurable facilitator endpoint, network identifier, payment token and token name, and a default payment amount. Includes input validation and sanitization to ensure valid formats and secure URLs.
• Tests
  • Adjusted unit tests to skip file-permission assertions on Windows for cross-platform compatibility.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds SKALE-specific X402 settings and validators, extends RPC mappings for SKALE Europa, changes Hydra agent registration flow (Vault/Local/Hydra handling and file-permission persistence), adjusts tests to be platform-aware for file permissions, updates pre-commit pytest invocation, and rewrites .secrets.baseline paths and timestamp.

Changes

SKALE Configuration

Layer / File(s)	Summary
Data Shape / Defaults bindu/settings.py	Adds skale_facilitator_url, skale_network, skale_payment_token, skale_payment_token_name, and skale_default_amount to X402Settings.
RPC Mapping bindu/settings.py	Adds eip155:2046399126 and skale-europa keys to X402Settings.rpc_urls_by_network pointing to SKALE RPC endpoints.
Validation bindu/settings.py	Adds Pydantic field_validator methods enforcing skale_network pattern, HTTPS-only skale_facilitator_url, skale_payment_token 0x+40-hex format, and trimmed/non-empty/≤100-char skale_payment_token_name.

Hydra Agent Registration & Persistence

Layer / File(s)	Summary
Imports / Helpers bindu/auth/hydra/registration.py	Adds import os and updates docstrings.
Credential Persistence bindu/auth/hydra/registration.py	Writes merged credentials JSON and attempts os.chmod(..., 0o600); permission errors are ignored.
Control Flow / Registration bindu/auth/hydra/registration.py	Simplifies decision tree for existing Vault/Local/Hydra credentials: returns local or Vault creds when present, may delete Hydra client for recreation, sets client_secret from Vault when required, and constructs client_data with hybrid_auth: True. Errors during public-key extraction or Vault storage are silently ignored. Outer errors log and return None; vault_client closed in finally.
Tests tests/unit/auth/test_hydra_registration.py	Adds import os; makes restrictive-permissions assertion conditional on non-Windows platforms (os.name != "nt").

Pre-commit Pytest Hook

Layer / File(s)	Summary
Hook Config .pre-commit-config.yaml	Replaces local pytest hook command: now runs python -m pytest --cov=bindu --cov-report= instead of the previous uv run pytest -n auto ... plus separate coverage report --fail-under=60 invocation (removes parallelization and fail-under enforcement).

Secrets Baseline Normalization

Layer / File(s)	Summary
Baseline Entries .secrets.baseline	Rewrites results filenames to use Windows-style paths (backslashes) for listed test findings and updates generated_at timestamp.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor TestRunner as "Caller"
    participant FS as "Local FS (creds file)"
    participant Hydra as "Hydra Admin API"
    participant Vault as "Vault (optional)"
    Note over Caller,Hydra: register_agent_in_hydra flow (high-level)
    Caller->>Vault: fetch credentials (if configured)
    Vault-->>Caller: return vault_creds / none
    Caller->>Hydra: query client by client_id
    alt Hydra client exists
        Hydra-->>Caller: client present
        Caller->>FS: check local creds
        alt local creds present
            FS-->>Caller: return local_creds (prefer local)
        else vault_creds present
            Caller->>Caller: set client_secret from vault_creds
        end
    else Hydra client missing
        Caller->>Hydra: create client with client_data (hybrid_auth: True)
        Hydra-->>Caller: created_client
        Caller->>FS: save credentials (json dump)
        Caller->>FS: try os.chmod(..., 0o600)
        Caller->>Vault: attempt to store creds (ignore failures)
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hopped through settings, added Europa's key,
Tokens trimmed and checked, secured with secrecy,
Saved creds with care (permissions tried to keep),
Tests now skip Windows checks while vaults sleep —
A tiny hop, a careful tweak, and off I leap!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and clearly summarizes the main change: adding SKALE network settings to X402Settings.
Description check	✅ Passed	The PR description follows the template well, covering summary, change type, scope, security impact, verification, compatibility, and checklists comprehensively.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

⚔️ Resolve merge conflicts

• Resolve merge conflict in branch feat/skale-x402-settings-clean

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 7/8 reviews remaining, refill in 7 minutes and 30 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bindu/settings.py`:
- Around line 358-363: The SKALE entries in settings.py only list a single RPC
URL for the keys "eip155:2046399126" and "skale-europa", which prevents
X402Middleware._get_web3_connection from having a real fallback; update the
settings by adding at least one secondary SKALE RPC endpoint to each of those
arrays (or refactor those arrays to load from env vars so they are configurable
at deploy time) so _get_web3_connection can iterate through multiple URLs for
failover—modify the "eip155:2046399126" and "skale-europa" lists in
bindu/settings.py accordingly and ensure any new env-driven config parsing is
used by X402Middleware._get_web3_connection.
- Around line 296-310: The new SKALE config fields (skale_facilitator_url,
skale_network, skale_payment_token, skale_payment_token_name,
skale_default_amount) currently accept any string; add validation so malformed
values fail at settings load: validate skale_facilitator_url as a well-formed
HTTPS URL (reject non-https or invalid parse), enforce skale_network matches the
"eip155:<numeric>" pattern, validate skale_payment_token is a 0x-prefixed
40-hex-character Ethereum address (optionally checksum-validate), ensure
skale_payment_token_name is non-empty and reasonably short, and ensure
skale_default_amount parses to a positive integer (or change its type to int)
and is within expected bounds; implement these checks in the settings
loader/constructor (or convert settings to a Pydantic/BaseModel with field
validators) so invalid config raises immediately.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cf256bef-eaa9-47d0-9567-4a6adeee5fa2

📥 Commits

Reviewing files that changed from the base of the PR and between bd5ac18 and 817300a.

📒 Files selected for processing (1)

• bindu/settings.py

[Subhajitdas99]

Addressed the latest review on #526:

• added validation for the new SKALE x402 settings fields at settings load time
• added a secondary SKALE RPC endpoint so the existing fallback logic can actually fail over

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bindu/settings.py`:
- Around line 298-299: The default for skale_facilitator_url is currently a
plain string but typed as HttpUrl; change the default to an actual HttpUrl
instance by constructing it (e.g. skale_facilitator_url: HttpUrl =
HttpUrl("https://facilitator.dirtroad.dev")) and ensure HttpUrl is imported
where settings.py declares skale_facilitator_url so static type checkers accept
the default value.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ef6bf529-b0f8-43d7-9798-6b6960aaf495

📥 Commits

Reviewing files that changed from the base of the PR and between 817300a and 8f4d9a1.

📒 Files selected for processing (1)

• bindu/settings.py

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bindu/auth/hydra/registration.py`:
- Around line 184-188: The current silent except around
vault_client.store_hydra_credentials(credentials) hides failures and allows
registration to succeed even when Vault persistence fails; change this so
failures are propagated and cause the registration to fail: catch Exception as
e, log the error with details (including exception message and context like
credentials or client id), and re-raise or return an error response from the
registration handler so that the overall registration flow (the function
containing vault_client.store_hydra_credentials) does not report success when
Vault storage fails.
- Around line 43-50: The code currently writes oauth_credentials.json with
default umask then tightens permissions, leaving a brief window where the file
can be world-readable; fix by creating the file with explicit POSIX permissions
using os.open(creds_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600) and then
wrap the returned fd with os.fdopen to json.dump existing_creds into it (and
close the fd), while on Windows detect os.name == "nt" and perform the normal
open/write then set appropriate ACLs or leave default behavior; update the code
paths around creds_file and existing_creds to use this atomic write-with-mode
approach and remove the separate os.chmod try/except.

In `@bindu/settings.py`:
- Around line 368-384: The current validate_skale_network only checks format;
change it to validate that the provided skale_network is one of the supported
keys in rpc_urls_by_network (and accept defined aliases like "skale-europa");
inside validate_skale_network(cls, value: str) use the class mapping (e.g.,
cls.rpc_urls_by_network) to check membership, allow either an exact key or a
known alias that maps to a supported key, and raise ValueError listing the
supported keys when invalid; keep the signature/type hint and return the
validated value.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 45228b0d-d2b4-424f-bfcd-1d41e6d3e9ab

📥 Commits

Reviewing files that changed from the base of the PR and between 8f4d9a1 and b3fa27d.

📒 Files selected for processing (5)

• .pre-commit-config.yaml
• .secrets.baseline
• bindu/auth/hydra/registration.py
• bindu/settings.py
• tests/unit/auth/test_hydra_registration.py

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Create the credentials file with 0o600 from the start.

Lines 44-49 create oauth_credentials.json with the process umask and only tighten it afterward. On a common 022 umask that briefly creates a world-readable file containing the OAuth client_secret, so the hardening is still bypassable on POSIX.

Proposed fix

-    with open(creds_file, "w") as f:
-        json.dump(existing_creds, f, indent=2)
-
-    try:
-        os.chmod(creds_file, 0o600)
-    except Exception:
-        pass
+    if os.name == "nt":
+        with open(creds_file, "w") as f:
+            json.dump(existing_creds, f, indent=2)
+    else:
+        fd = os.open(creds_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
+        with os.fdopen(fd, "w") as f:
+            json.dump(existing_creds, f, indent=2)

As per coding guidelines, "Use os.open() on POSIX systems and direct write on Windows for DID private key permissions to ensure cross-platform compatibility".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# ✅ SIMPLE + CORRECT WRITE
	with open(creds_file, "w") as f:
	json.dump(existing_creds, f, indent=2)
	# Set restrictive permissions (owner read/write only)
	creds_file.chmod(0o600)
	# 🔐 FORCE PERMISSIONS (this is the only addition)
	try:
	os.chmod(creds_file, 0o600)
	except Exception:
	if os.name == "nt":
	with open(creds_file, "w") as f:
	json.dump(existing_creds, f, indent=2)
	else:
	fd = os.open(creds_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
	with os.fdopen(fd, "w") as f:
	json.dump(existing_creds, f, indent=2)

🧰 Tools

🪛 Ruff (0.15.12)

[warning] 50-50: Do not catch blind exception: Exception

(BLE001)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@bindu/auth/hydra/registration.py` around lines 43 - 50, The code currently
writes oauth_credentials.json with default umask then tightens permissions,
leaving a brief window where the file can be world-readable; fix by creating the
file with explicit POSIX permissions using os.open(creds_file, os.O_WRONLY |
os.O_CREAT | os.O_TRUNC, 0o600) and then wrap the returned fd with os.fdopen to
json.dump existing_creds into it (and close the fd), while on Windows detect
os.name == "nt" and perform the normal open/write then set appropriate ACLs or
leave default behavior; update the code paths around creds_file and
existing_creds to use this atomic write-with-mode approach and remove the
separate os.chmod try/except.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don't report success when Vault persistence fails.

When Vault is enabled, Lines 184-188 can still return a successful registration after store_hydra_credentials() fails. That leaves Hydra with a live client whose secret may exist only on local disk, which is a bad failure mode for ephemeral deployments and very hard to diagnose with the current silent except.

🧰 Tools

🪛 Ruff (0.15.12)

[error] 187-188: try-except-pass detected, consider logging the exception

(S110)

---

[warning] 187-187: Do not catch blind exception: Exception

(BLE001)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@bindu/auth/hydra/registration.py` around lines 184 - 188, The current silent
except around vault_client.store_hydra_credentials(credentials) hides failures
and allows registration to succeed even when Vault persistence fails; change
this so failures are propagated and cause the registration to fail: catch
Exception as e, log the error with details (including exception message and
context like credentials or client id), and re-raise or return an error response
from the registration handler so that the overall registration flow (the
function containing vault_client.store_hydra_credentials) does not report
success when Vault storage fails.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Validate skale_network against the supported mappings.

validate_skale_network() only checks the eip155:<digits> shape, so values like eip155:1 pass settings load even though rpc_urls_by_network has no SKALE entry for them. At the same time, the alias you just mapped (skale-europa) is rejected outright. Make this validator enforce the actual supported key set so misconfiguration fails at startup.

Proposed fix

     `@field_validator`("skale_network")
     `@classmethod`
     def validate_skale_network(cls, value: str) -> str:
         """Validate the SKALE network identifier format."""
-        if not re.fullmatch(r"eip155:\d+", value):
-            raise ValueError("skale_network must match the format 'eip155:<numeric>'")
+        allowed_networks = {"eip155:2046399126", "skale-europa"}
+        if value not in allowed_networks:
+            raise ValueError(
+                "skale_network must be one of: eip155:2046399126, skale-europa"
+            )
         return value

As per coding guidelines, "Validate all external input and use type hints for input validation in Python files".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"eip155:2046399126": [
	"https://mainnet.skalenodes.com/v1/elated-tan-skat",
	"https://2046399126.rpc.thirdweb.com",
	],
	"skale-europa": [
	"https://mainnet.skalenodes.com/v1/elated-tan-skat",
	"https://2046399126.rpc.thirdweb.com",
	],
	}
	@field_validator("skale_network")
	@classmethod
	def validate_skale_network(cls, value: str) -> str:
	"""Validate the SKALE network identifier format."""
	if not re.fullmatch(r"eip155:\d+", value):
	raise ValueError("skale_network must match the format 'eip155:<numeric>'")
	return value
	"eip155:2046399126": [
	"https://mainnet.skalenodes.com/v1/elated-tan-skat",
	"https://2046399126.rpc.thirdweb.com",
	],
	"skale-europa": [
	"https://mainnet.skalenodes.com/v1/elated-tan-skat",
	"https://2046399126.rpc.thirdweb.com",
	],
	}
	`@field_validator`("skale_network")
	`@classmethod`
	def validate_skale_network(cls, value: str) -> str:
	"""Validate the SKALE network identifier format."""
	allowed_networks = {"eip155:2046399126", "skale-europa"}
	if value not in allowed_networks:
	raise ValueError(
	"skale_network must be one of: eip155:2046399126, skale-europa"
	)
	return value

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@bindu/settings.py` around lines 368 - 384, The current validate_skale_network
only checks format; change it to validate that the provided skale_network is one
of the supported keys in rpc_urls_by_network (and accept defined aliases like
"skale-europa"); inside validate_skale_network(cls, value: str) use the class
mapping (e.g., cls.rpc_urls_by_network) to check membership, allow either an
exact key or a known alias that maps to a supported key, and raise ValueError
listing the supported keys when invalid; keep the signature/type hint and return
the validated value.