Skip to content

Add x402 provider verification abstraction for paid-action endpoint#324

Merged
GsCommand merged 1 commit into
mainfrom
codex/add-x402-provider-verification-abstraction
May 24, 2026
Merged

Add x402 provider verification abstraction for paid-action endpoint#324
GsCommand merged 1 commit into
mainfrom
codex/add-x402-provider-verification-abstraction

Conversation

@GsCommand
Copy link
Copy Markdown
Contributor

@GsCommand GsCommand commented May 24, 2026

Motivation

  • Prepare the POST /api/examples/x402-paid-action endpoint for real x402 provider verification while preserving the existing demo accepted-envelope behavior.
  • Ensure the service never claims real settlement unless a server-side provider verification flow is configured and avoid exposing secrets in responses.

Description

  • Add lib/x402ProviderVerification.js which selects verification mode (demo_accepted_envelope or provider_verified) based on X402_PROVIDER_VERIFICATION_URL and implements server-side POST verification including optional Authorization: Bearer <X402_PROVIDER_API_KEY>.
  • Update api/examples/x402-paid-action.js to call verifyWithProvider server-side before signing, to map provider failures to 400/402/503 as specified, and to include payment_verification_mode plus safe provider metadata in receipts.
  • Extend tests/api-x402-paid-action.test.js to cover demo mode, provider success, provider rejection, provider unavailable/malformed responses, non-leakage of the provider API key, and local receipt verification after provider success.
  • Update docs/integrations/x402-commandlayer-receipts.md to document the two verification modes, required env vars, failure mappings, and the trust boundary between payment verification and CommandLayer execution receipts.

Testing

  • Ran npm test, all automated tests passed (existing and new paid-action tests succeeded).
  • Ran npm run check:links, all local links resolved successfully.
  • New tests specifically validate demo_accepted_envelope output, provider_verified flow and metadata exposure, provider rejection mappings, provider unavailability handling, and that X402_PROVIDER_API_KEY is not leaked in responses.

Codex Task

@vercel
Copy link
Copy Markdown

vercel Bot commented May 24, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
commandlayer-commandlayer-org Ready Ready Preview, Comment May 24, 2026 12:40am
commandlayer-org Ready Ready Preview, Comment May 24, 2026 12:40am
commandlayer-org111 Ready Ready Preview, Comment May 24, 2026 12:40am

Request Review

@GsCommand GsCommand merged commit c9596c4 into main May 24, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@GsCommand