wolverine-ai 4.8.0 → 5.0.0

package/bin/wolverine.js

@@ -38,6 +38,7 @@ ${chalk.bold("Options:")}
   --workers <n>    Force specific worker count
   --info           Show system info and exit
   --init           Scan server/ and build context map (routes, DB, config, deps)
+  --x402-price     Set x402 price: wolverine --x402-price "POST /api" "$0.01"
 
 ${chalk.bold("Configuration:")}
   server/config/settings.json    Models, telemetry, limits, health checks
@@ -66,6 +67,22 @@ if (args.includes("--info")) {
 }
 
 // --init: scan server/ and build context map
+// --x402-price: set route pricing live
+if (args.includes("--x402-price")) {
+  const idx = args.indexOf("--x402-price");
+  const route = args[idx + 1];
+  const price = args[idx + 2];
+  if (!route || !price) {
+    console.log(chalk.red('  Usage: wolverine --x402-price "POST /v1/chat/completions" "$0.001"'));
+    process.exit(1);
+  }
+  const { setPrice } = require("../src/middleware/x402-fastify");
+  const result = setPrice(route, price);
+  console.log(chalk.green(`  ✅ x402 price updated: ${result.route} → ${result.price}`));
+  console.log(chalk.gray("     Change is live — no restart needed."));
+  process.exit(0);
+}
+
 if (args.includes("--init")) {
   const { scan } = require("../src/core/server-context");
   console.log(chalk.blue("\n  🔍 Scanning server/ directory...\n"));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wolverine-ai",
-  "version": "4.8.0",
+  "version": "5.0.0",
   "description": "Self-healing Node.js server framework powered by AI. Catches crashes, diagnoses errors, generates fixes, verifies, and restarts — automatically.",
   "main": "src/index.js",
   "bin": {
@@ -66,7 +66,8 @@
     "ethers": "^6.0.0",
     "ioredis": "^5.0.0",
     "pg": "^8.0.0",
-    "stripe": "^18.0.0"
+    "stripe": "^18.0.0",
+    "viem": "^2.0.0"
   },
   "engines": {
     "node": ">=18.0.0"

package/src/brain/brain.js

@@ -145,6 +145,10 @@ const SEED_DOCS = [
     text: "Server context scanner (wolverine --init): scans server/ directory on every startup to build .wolverine/server-context.json. Extracts routes (HTTP methods + paths from fastify/express), middleware stack, database type + tables, config structure, dependencies, env vars used (process.env.X patterns), and full file tree. Context summary auto-injected into agent's heal prompt so it knows the server's route map, DB schema, and dependencies without re-scanning. Manual scan: wolverine --init. Auto-scan: runs silently on every boot. The context is read-only — never modified by the agent.",
     metadata: { topic: "server-context" },
   },
+  {
+    text: "Tool router (src/brain/tool-router.js): maps error types to recommended tool chains. Injected into agent prompt automatically — agent sees 'TOOL ROUTE: diagnose with [X, Y], fix with [Z]. Strategy: ...' for every error it heals. 25+ error categories mapped: TypeError→read_file+edit_file, ENOENT→list_dir+write_file, ECONNREFUSED→check_network+check_port+inspect_cache, EMFILE→check_file_descriptors+disk_cleanup, ENOSPC→disk_cleanup, certificate→inspect_certificate, OOM→check_memory+check_event_loop, websocket���check_websocket, database→inspect_db+run_db_fix (with prereq: inspect_db FIRST), missing_module→audit_deps+verify_node_modules, env_missing→inspect_env+add_env_var. Lookup is O(1) by error type + regex fallback. No AI tokens used for routing.",
+    metadata: { topic: "tool-router" },
+  },
   {
     text: "Telemetry architecture: 4 files, ~250 lines total. heartbeat.js sends one HTTP POST every 60s (5s timeout, non-blocking). register.js auto-registers and caches key in memory + disk. queue.js appends to JSONL file only on failure, trims lazily. telemetry.js collects from subsystems using optional chaining (no crashes if subsystem missing). All secrets redacted before sending. Response bodies drained immediately (res.resume). No blocking, no delays, no busy waits.",
     metadata: { topic: "telemetry-architecture" },
@@ -186,8 +190,8 @@ const SEED_DOCS = [
     metadata: { topic: "notifications" },
   },
   {
-    text: "Vault: encrypted key storage in .wolverine/vault/. AES-256-GCM encryption. master.key (32 bytes raw) encrypts eth.vault (Ethereum private key). Generated on first run if missing. Private key NEVER exists as a JS string — only Buffer, wiped after use. wallet-ops.js exposes getWalletAddress(), signTransaction(), signMessage() — all decrypt→use→wipe with generic error messages only. Injection detector blocks heal if 0x+64hex chars detected in error (key_leak_critical). Redactor scrubs all hex key patterns. Sandbox blocks agent access to vault paths. Backed up in every snapshot. Rollback-protected (NEVER_ROLLBACK list). Vault skill in src/skills/vault.js for agent discovery. Server code uses vault skill to earn/spend ETH without touching the private key.",
-    metadata: { topic: "vault-security" },
+    text: "Vault + x402 payments: encrypted key storage in .wolverine/vault/. AES-256-GCM encryption. master.key encrypts eth.vault (Ethereum private key). Generated on first run. Private key NEVER as JS string — Buffer only, wiped after use. wallet-ops: getWalletAddress(), signTransaction(), signMessage(). x402 protocol: HTTP 402 Payment Required for API monetization. Fastify middleware (src/middleware/x402-fastify.js) auto-gates routes with USDC payments on Base network. Config in settings.json x402.routes: { 'POST /api': { price: '$0.01' } }. Live price updates: PUT /x402/price or wolverine --x402-price 'POST /api' '$0.01'. Vault wallet is the payTo address. Facilitator (x402.org or Coinbase CDP) verifies and settles payments. Buyer SDKs (@x402/fetch, @x402/axios) auto-handle the 402→sign→retry flow. Vault skill actions: x402_pricing, x402_set_price, x402_remove_price.",
+    metadata: { topic: "vault-x402" },
   },
   {
     text: "MCP integration: connect external tools via Model Context Protocol. Configure in .wolverine/mcp.json with per-server tool allowlists. Security: arg sanitization (secrets redacted before sending to MCP servers), result injection scanning, rate limiting per server, audit logging. Tools appear as mcp__server__tool in the agent. Supports stdio and HTTP transports.",

package/src/brain/tool-router.js

@@ -0,0 +1,211 @@
+/**
+ * Tool Router — maps error types to recommended tool chains.
+ *
+ * Lightweight adjacency graph that tells the agent which tools to use
+ * for each error category. Injected into the agent prompt so it doesn't
+ * waste turns guessing.
+ *
+ * Structure per error type:
+ *   diagnose: tools to understand the problem (read-only)
+ *   fix: tools to apply the solution (write)
+ *   hint: one-line strategy for the AI
+ *   prereq: tools that must run BEFORE fix tools
+ *
+ * Lookup: O(1) by error classifier output or regex match on error message.
+ */
+
+const TOOL_ROUTES = {
+  // ── Code Errors ──
+  "TypeError": {
+    diagnose: ["read_file", "grep_code"],
+    fix: ["edit_file"],
+    hint: "Read the file at the error line. Find the undefined/null variable. Add a guard or fix the assignment.",
+  },
+  "ReferenceError": {
+    diagnose: ["read_file", "grep_code"],
+    fix: ["edit_file"],
+    hint: "Variable is not defined. Check for typos, missing imports, or scope issues.",
+  },
+  "SyntaxError": {
+    diagnose: ["read_file"],
+    fix: ["edit_file"],
+    hint: "Parse error in source. Read the file and fix the syntax at the reported line.",
+  },
+  "RangeError": {
+    diagnose: ["read_file", "check_memory"],
+    fix: ["edit_file"],
+    hint: "Stack overflow or invalid array length. Check for infinite recursion or unbounded growth.",
+  },
+
+  // ── Module/Dependency Errors ──
+  "missing_module": {
+    diagnose: ["audit_deps", "verify_node_modules"],
+    fix: ["bash_exec"],
+    hint: "Run npm install <module>. If in package.json but missing from disk, run npm ci.",
+  },
+  "missing_file": {
+    diagnose: ["read_file", "list_dir", "inspect_env"],
+    fix: ["write_file", "bash_exec"],
+    hint: "Check if the path is wrong (edit require) or if the file should exist (create it with expected content).",
+  },
+  "version_conflict": {
+    diagnose: ["audit_deps", "check_migration", "verify_node_modules"],
+    fix: ["bash_exec"],
+    hint: "Check peer deps and version compatibility. May need npm install package@version or full reinstall.",
+  },
+
+  // ── File System Errors ──
+  "ENOENT": {
+    diagnose: ["list_dir", "inspect_env", "read_file"],
+    fix: ["write_file", "bash_exec"],
+    prereq: ["read_file"],
+    hint: "File or directory doesn't exist. Check if path is correct, create if missing.",
+  },
+  "EACCES": {
+    diagnose: ["bash_exec", "list_dir"],
+    fix: ["bash_exec"],
+    hint: "Permission denied. Run chmod to fix permissions on the target file/directory.",
+  },
+  "ENOSPC": {
+    diagnose: ["disk_cleanup", "check_memory"],
+    fix: ["disk_cleanup"],
+    hint: "Disk full. Run disk_cleanup with dry_run=false to clear old backups and caches.",
+  },
+  "EMFILE": {
+    diagnose: ["check_file_descriptors", "list_processes", "check_event_loop"],
+    fix: ["disk_cleanup", "restart_service"],
+    hint: "Too many open files. Check for FD leaks, clear caches, consider raising ulimit in system profile.",
+  },
+
+  // ── Network Errors ──
+  "ECONNREFUSED": {
+    diagnose: ["check_network", "check_port", "inspect_cache", "inspect_env"],
+    fix: ["edit_file", "restart_service"],
+    hint: "Target service is down or wrong host/port. Check config, verify service is running.",
+  },
+  "ECONNRESET": {
+    diagnose: ["check_network", "check_logs"],
+    fix: ["edit_file"],
+    hint: "Connection reset by remote. Check for timeout settings, proxy config, or unstable network.",
+  },
+  "ETIMEDOUT": {
+    diagnose: ["check_network", "check_logs", "inspect_certificate"],
+    fix: ["edit_file"],
+    hint: "Connection timed out. Increase timeout, check DNS, verify endpoint is reachable.",
+  },
+  "EADDRINUSE": {
+    diagnose: ["check_port", "list_processes"],
+    fix: ["bash_exec"],
+    hint: "Port already in use. Find and kill the stale process holding the port.",
+  },
+
+  // ── Database Errors ──
+  "database": {
+    diagnose: ["inspect_db", "inspect_cache", "read_file"],
+    fix: ["run_db_fix", "edit_file"],
+    prereq: ["inspect_db"],
+    hint: "ALWAYS inspect_db before run_db_fix. Check table schema, query the affected data, then fix.",
+  },
+  "pool_exhaustion": {
+    diagnose: ["inspect_cache", "check_network", "check_logs"],
+    fix: ["edit_file", "restart_service"],
+    hint: "DB connection pool exhausted. Check for connection leaks, increase pool size, or restart.",
+  },
+
+  // ── SSL/TLS Errors ──
+  "certificate": {
+    diagnose: ["inspect_certificate", "check_network", "inspect_env"],
+    fix: ["bash_exec", "edit_file", "add_env_var"],
+    hint: "Check cert expiry, SAN list, and chain. May need renewal, hostname fix, or CA bundle.",
+  },
+
+  // ── Memory/Performance Errors ──
+  "OOM": {
+    diagnose: ["check_memory", "check_event_loop", "list_processes"],
+    fix: ["edit_file", "restart_service"],
+    hint: "Out of memory. Check for memory leaks (growing arrays, unclosed streams), reduce batch sizes.",
+  },
+  "event_loop_blocked": {
+    diagnose: ["check_event_loop", "check_logs", "check_memory"],
+    fix: ["edit_file"],
+    hint: "Synchronous operation blocking event loop. Replace readFileSync→readFile, execSync→exec, etc.",
+  },
+
+  // ── WebSocket Errors ──
+  "websocket": {
+    diagnose: ["check_websocket", "check_network", "check_port"],
+    fix: ["edit_file"],
+    hint: "Test WS handshake. Check upgrade headers, proxy config, and connection timeout settings.",
+  },
+
+  // ── Config/Environment Errors ──
+  "config": {
+    diagnose: ["read_file", "inspect_env", "list_dir"],
+    fix: ["write_file", "edit_file", "add_env_var"],
+    hint: "Check if config file exists and has expected structure. Check if required env vars are set.",
+  },
+  "env_missing": {
+    diagnose: ["inspect_env", "read_file"],
+    fix: ["add_env_var"],
+    hint: "Required environment variable not set. Add it to .env.local with the correct value.",
+  },
+};
+
+/**
+ * Find tool recommendations for an error.
+ * @param {string} errorMessage — the raw error message
+ * @param {string} errorType — from error-parser classifyError() (optional)
+ * @returns {{ diagnose: string[], fix: string[], prereq?: string[], hint: string } | null}
+ */
+function route(errorMessage, errorType) {
+  const msg = (errorMessage || "").toLowerCase();
+
+  // 1. Try exact error type match
+  if (errorType && TOOL_ROUTES[errorType]) return TOOL_ROUTES[errorType];
+
+  // 2. Try error class match
+  if (/typeerror/i.test(msg)) return TOOL_ROUTES.TypeError;
+  if (/referenceerror/i.test(msg)) return TOOL_ROUTES.ReferenceError;
+  if (/syntaxerror|unexpected token/i.test(msg)) return TOOL_ROUTES.SyntaxError;
+  if (/rangeerror/i.test(msg)) return TOOL_ROUTES.RangeError;
+
+  // 3. Try errno/code match
+  if (/enoent|no such file/i.test(msg)) return TOOL_ROUTES.ENOENT;
+  if (/eacces|eperm/i.test(msg)) return TOOL_ROUTES.EACCES;
+  if (/enospc/i.test(msg)) return TOOL_ROUTES.ENOSPC;
+  if (/emfile|enfile/i.test(msg)) return TOOL_ROUTES.EMFILE;
+  if (/econnrefused/i.test(msg)) return TOOL_ROUTES.ECONNREFUSED;
+  if (/econnreset/i.test(msg)) return TOOL_ROUTES.ECONNRESET;
+  if (/etimedout/i.test(msg)) return TOOL_ROUTES.ETIMEDOUT;
+  if (/eaddrinuse/i.test(msg)) return TOOL_ROUTES.EADDRINUSE;
+
+  // 4. Try pattern match
+  if (/cannot find module/i.test(msg)) return /['"][./\\]/.test(msg) ? TOOL_ROUTES.missing_file : TOOL_ROUTES.missing_module;
+  if (/cert|ssl|tls|self.signed/i.test(msg)) return TOOL_ROUTES.certificate;
+  if (/pool.*exhaust|pool.*timeout|acquire.*timeout/i.test(msg)) return TOOL_ROUTES.pool_exhaustion;
+  if (/websocket|ws.*close|transport.*close/i.test(msg)) return TOOL_ROUTES.websocket;
+  if (/out of memory|heap.*limit|allocation.*failed/i.test(msg)) return TOOL_ROUTES.OOM;
+  if (/not.set|undefined.*env|missing.*env/i.test(msg)) return TOOL_ROUTES.env_missing;
+  if (/missing.*config|invalid.*json|invalid.*config/i.test(msg)) return TOOL_ROUTES.config;
+  if (/sqlite|postgres|mysql|mongo|sequelize|prisma|knex/i.test(msg)) return TOOL_ROUTES.database;
+  if (/peer dep|eresolve|version.*mismatch/i.test(msg)) return TOOL_ROUTES.version_conflict;
+
+  return null; // unknown — let the AI figure it out
+}
+
+/**
+ * Get a compact prompt injection for the agent.
+ * Returns a string like "TOOL ROUTE: diagnose with [check_port, list_processes], fix with [bash_exec]. Hint: ..."
+ */
+function getRoutePrompt(errorMessage, errorType) {
+  const r = route(errorMessage, errorType);
+  if (!r) return "";
+  const parts = [`TOOL ROUTE for this error:`];
+  parts.push(`  Diagnose: ${r.diagnose.join(", ")}`);
+  if (r.prereq) parts.push(`  Prerequisites: ${r.prereq.join(", ")} (run these FIRST)`);
+  parts.push(`  Fix: ${r.fix.join(", ")}`);
+  parts.push(`  Strategy: ${r.hint}`);
+  return parts.join("\n");
+}
+
+module.exports = { route, getRoutePrompt, TOOL_ROUTES };

package/src/core/wolverine.js

@@ -13,6 +13,7 @@ const { RateLimiter } = require("../security/rate-limiter");
 const { detectInjection } = require("../security/injection-detector");
 const { redact, hasSecrets } = require("../security/secret-redactor");
 const { BackupManager } = require("../backup/backup-manager");
+const { getRoutePrompt } = require("../brain/tool-router");
 const { AgentEngine } = require("../agent/agent-engine");
 const { ResearchAgent } = require("../agent/research-agent");
 const { GoalLoop } = require("../agent/goal-loop");
@@ -215,6 +216,12 @@ async function _healImpl({ stderr, cwd, sandbox, notifier, rateLimiter, backupMa
     const serverCtx = getServerContextSummary(cwd);
     if (serverCtx) brainContext += serverCtx + "\n\n";
   } catch {}
+  // Inject tool routing — tells agent exactly which tools to use for this error type
+  const toolRoute = getRoutePrompt(parsed.errorMessage, parsed.errorType);
+  if (toolRoute) {
+    brainContext += toolRoute + "\n\n";
+    console.log(chalk.gray(`  🗺️  Tool route: ${toolRoute.split("\n")[1]?.trim() || "matched"}`));
+  }
   // Inject relevant skill context (claw-code: pre-enrich prompt with matched tools)
   if (skills) {
     const skillCtx = skills.buildContext(parsed.errorMessage);

package/src/middleware/x402-fastify.js

@@ -0,0 +1,290 @@
+const path = require("path");
+const fs = require("fs");
+
+/**
+ * x402 Payment Middleware for Fastify — monetize any API route with USDC on Base.
+ *
+ * Implements the x402 protocol (HTTP 402 Payment Required) for Fastify.
+ * No official @x402/fastify exists, so we build directly on @x402/core.
+ *
+ * Usage in server/index.js:
+ *   fastify.register(require('wolverine-ai/src/middleware/x402-fastify'), {
+ *     payTo: '0xYourAddress',  // or auto from vault
+ *     network: 'eip155:8453',  // Base mainnet
+ *   });
+ *
+ * Route pricing in settings.json:
+ *   "x402": {
+ *     "enabled": true,
+ *     "routes": {
+ *       "POST /v1/chat/completions": { "price": "$0.001" },
+ *       "GET /api/premium": { "price": "$0.01" }
+ *     }
+ *   }
+ *
+ * Live price updates:
+ *   PUT /x402/price { route: "POST /v1/chat/completions", price: "$0.002" }
+ *   wolverine --x402-price "POST /v1/chat/completions" "$0.002"
+ */
+
+// In-memory route pricing — survives hot updates without restart
+let _routePricing = {};
+let _payTo = null;
+let _network = "eip155:8453"; // Base mainnet default
+let _facilitatorUrl = "https://x402.org/facilitator";
+let _initialized = false;
+
+/**
+ * Get current route pricing (for external access).
+ */
+function getPricing() { return { ..._routePricing }; }
+
+/**
+ * Update a single route's price live — no restart needed.
+ */
+function setPrice(routeKey, price) {
+  if (!price.startsWith("$")) price = "$" + price;
+  _routePricing[routeKey] = { price };
+  // Persist to settings.json
+  _persistPricing();
+  return { route: routeKey, price };
+}
+
+/**
+ * Remove pricing from a route (make it free).
+ */
+function removePrice(routeKey) {
+  delete _routePricing[routeKey];
+  _persistPricing();
+  return { route: routeKey, price: "free" };
+}
+
+function _persistPricing() {
+  try {
+    const settingsPath = path.join(process.cwd(), "server", "config", "settings.json");
+    if (fs.existsSync(settingsPath)) {
+      const settings = JSON.parse(fs.readFileSync(settingsPath, "utf-8"));
+      if (!settings.x402) settings.x402 = {};
+      settings.x402.routes = {};
+      for (const [route, cfg] of Object.entries(_routePricing)) {
+        settings.x402.routes[route] = { price: cfg.price };
+      }
+      const tmp = settingsPath + ".tmp";
+      fs.writeFileSync(tmp, JSON.stringify(settings, null, 2), "utf-8");
+      fs.renameSync(tmp, settingsPath);
+    }
+  } catch {}
+}
+
+/**
+ * Fastify plugin — registers x402 payment middleware.
+ */
+async function x402Plugin(fastify, opts) {
+  // Load config
+  _payTo = opts.payTo || null;
+  _network = opts.network || "eip155:8453";
+  _facilitatorUrl = opts.facilitator || "https://x402.org/facilitator";
+
+  // Auto-detect payTo from vault if not provided
+  if (!_payTo) {
+    try {
+      const { getWalletAddress } = require("../vault/wallet-ops");
+      _payTo = await getWalletAddress();
+    } catch {}
+  }
+
+  // Load route pricing from settings.json
+  try {
+    const settingsPath = path.join(process.cwd(), "server", "config", "settings.json");
+    if (fs.existsSync(settingsPath)) {
+      const settings = JSON.parse(fs.readFileSync(settingsPath, "utf-8"));
+      if (settings.x402?.routes) {
+        for (const [route, cfg] of Object.entries(settings.x402.routes)) {
+          _routePricing[route] = { price: cfg.price };
+        }
+      }
+      if (settings.x402?.network) _network = settings.x402.network;
+      if (settings.x402?.facilitator) _facilitatorUrl = settings.x402.facilitator;
+    }
+  } catch {}
+
+  if (!_payTo) {
+    console.log("  ⚠️  x402: no payTo address (set in settings.json or init vault)");
+    return;
+  }
+
+  _initialized = true;
+  const routeCount = Object.keys(_routePricing).length;
+  if (routeCount > 0) {
+    console.log(`  💰 x402: ${routeCount} paid route(s), receiving at ${_payTo.slice(0, 6)}...${_payTo.slice(-4)}`);
+  }
+
+  // ── Main payment gate — onRequest hook ──
+  fastify.addHook("onRequest", async (request, reply) => {
+    if (!_initialized || Object.keys(_routePricing).length === 0) return;
+
+    const routeKey = `${request.method} ${request.url.split("?")[0]}`;
+    const routeConfig = _routePricing[routeKey];
+    if (!routeConfig) return; // Free route
+
+    const paymentSig = request.headers["payment-signature"];
+
+    // No payment — return 402 with payment instructions
+    if (!paymentSig) {
+      const paymentRequired = {
+        accepts: [{
+          scheme: "exact",
+          price: routeConfig.price,
+          network: _network,
+          payTo: _payTo,
+        }],
+        description: `Payment required for ${routeKey}`,
+        mimeType: "application/json",
+      };
+
+      reply
+        .code(402)
+        .header("Payment-Required", JSON.stringify(paymentRequired))
+        .header("X-402-Version", "1.0")
+        .send({
+          error: "Payment Required",
+          price: routeConfig.price,
+          network: _network,
+          payTo: _payTo,
+          protocol: "x402",
+        });
+      return;
+    }
+
+    // Payment present — verify via facilitator
+    try {
+      const verified = await _verifyPayment(paymentSig, routeConfig);
+      if (verified.valid) {
+        // Payment good — add receipt header and continue
+        reply.header("Payment-Response", JSON.stringify(verified.receipt || {}));
+        request.x402 = { paid: true, amount: routeConfig.price, txHash: verified.txHash };
+        return; // continue to route handler
+      }
+    } catch {}
+
+    // Verification failed
+    reply.code(402).send({
+      error: "Payment verification failed",
+      price: routeConfig.price,
+      network: _network,
+      payTo: _payTo,
+    });
+  });
+
+  // ── Live price management API ──
+  fastify.put("/x402/price", async (request, reply) => {
+    // Admin only
+    const token = request.headers.authorization?.replace("Bearer ", "");
+    let settings = {};
+    try { settings = JSON.parse(fs.readFileSync(path.join(process.cwd(), "server", "config", "settings.json"), "utf-8")); } catch {}
+    if (token !== settings.platform?.apiKey) {
+      return reply.code(403).send({ error: "Admin only" });
+    }
+
+    const { route, price } = request.body || {};
+    if (!route || !price) return reply.code(400).send({ error: "route and price required" });
+    const result = setPrice(route, price);
+    return { updated: true, ...result };
+  });
+
+  fastify.delete("/x402/price", async (request, reply) => {
+    const token = request.headers.authorization?.replace("Bearer ", "");
+    let settings = {};
+    try { settings = JSON.parse(fs.readFileSync(path.join(process.cwd(), "server", "config", "settings.json"), "utf-8")); } catch {}
+    if (token !== settings.platform?.apiKey) {
+      return reply.code(403).send({ error: "Admin only" });
+    }
+
+    const { route } = request.body || {};
+    if (!route) return reply.code(400).send({ error: "route required" });
+    return removePrice(route);
+  });
+
+  fastify.get("/x402/pricing", async () => {
+    return {
+      payTo: _payTo,
+      network: _network,
+      routes: _routePricing,
+    };
+  });
+}
+
+/**
+ * Verify a payment signature via the facilitator.
+ */
+async function _verifyPayment(paymentSig, routeConfig) {
+  try {
+    // Try @x402/core facilitator client if available
+    const { HTTPFacilitatorClient } = require("@x402/core/server");
+    const { ExactEvmScheme } = require("@x402/evm/exact/server");
+
+    const facilitator = new HTTPFacilitatorClient({ url: _facilitatorUrl });
+    const result = await facilitator.verify({
+      paymentSignature: paymentSig,
+      routeConfig: {
+        accepts: [{
+          scheme: "exact",
+          price: routeConfig.price,
+          network: _network,
+          payTo: _payTo,
+        }],
+      },
+    });
+    return { valid: result.valid, receipt: result.receipt, txHash: result.txHash };
+  } catch {
+    // Fallback: manual HTTP verification to facilitator
+    try {
+      const https = require("https");
+      const http = require("http");
+      const url = new (require("url").URL)(_facilitatorUrl + "/verify");
+      const body = JSON.stringify({
+        paymentSignature: paymentSig,
+        routeConfig: {
+          accepts: [{
+            scheme: "exact",
+            price: routeConfig.price,
+            network: _network,
+            payTo: _payTo,
+          }],
+        },
+      });
+
+      return new Promise((resolve) => {
+        const client = url.protocol === "https:" ? https : http;
+        const req = client.request({
+          hostname: url.hostname,
+          port: url.port,
+          path: url.pathname,
+          method: "POST",
+          headers: { "Content-Type": "application/json", "Content-Length": Buffer.byteLength(body) },
+          timeout: 10000,
+        }, (res) => {
+          let data = "";
+          res.on("data", (c) => data += c);
+          res.on("end", () => {
+            try {
+              const parsed = JSON.parse(data);
+              resolve({ valid: parsed.valid || parsed.success, receipt: parsed, txHash: parsed.txHash });
+            } catch { resolve({ valid: false }); }
+          });
+        });
+        req.on("error", () => resolve({ valid: false }));
+        req.on("timeout", () => { req.destroy(); resolve({ valid: false }); });
+        req.write(body);
+        req.end();
+      });
+    } catch { return { valid: false }; }
+  }
+}
+
+x402Plugin[Symbol.for("skip-override")] = true; // Fastify plugin compat
+
+module.exports = x402Plugin;
+module.exports.getPricing = getPricing;
+module.exports.setPrice = setPrice;
+module.exports.removePrice = removePrice;

package/src/skills/vault.js

@@ -10,8 +10,8 @@
  */
 
 const SKILL_NAME = "vault";
-const SKILL_DESCRIPTION = "Secure Ethereum wallet — sign transactions, get address, check balance. Private key encrypted at rest, never exposed in code or errors.";
-const SKILL_KEYWORDS = ["wallet", "ethereum", "eth", "sign", "transaction", "vault", "private key", "address", "crypto", "blockchain", "send", "transfer"];
+const SKILL_DESCRIPTION = "Secure Ethereum wallet + x402 payments — sign transactions, get address, manage paid API routes. Private key encrypted at rest via AES-256-GCM, never exposed in code or errors. x402 support: set prices on routes, receive USDC on Base network.";
+const SKILL_KEYWORDS = ["wallet", "ethereum", "eth", "sign", "transaction", "vault", "private key", "address", "crypto", "blockchain", "send", "transfer", "x402", "payment", "usdc", "base", "price", "paid", "api"];
 const SKILL_USAGE = `
   vault.status()           — check if vault is initialized, show address
   vault.address()          — get the wallet's Ethereum address
@@ -61,8 +61,31 @@ async function execute(action, params = {}) {
       return { signedTransaction: signed };
     }
 
+    // x402 payment actions
+    case "x402_pricing":
+      try {
+        const { getPricing } = require("../middleware/x402-fastify");
+        return getPricing();
+      } catch { return { error: "x402 middleware not loaded" }; }
+
+    case "x402_set_price": {
+      if (!params.route || !params.price) return { error: "route and price required" };
+      try {
+        const { setPrice } = require("../middleware/x402-fastify");
+        return setPrice(params.route, params.price);
+      } catch { return { error: "x402 middleware not loaded" }; }
+    }
+
+    case "x402_remove_price": {
+      if (!params.route) return { error: "route required" };
+      try {
+        const { removePrice } = require("../middleware/x402-fastify");
+        return removePrice(params.route);
+      } catch { return { error: "x402 middleware not loaded" }; }
+    }
+
     default:
-      return { error: `Unknown vault action: ${action}. Use: status, address, sign_tx, sign_message, public_key` };
+      return { error: `Unknown vault action: ${action}. Use: status, address, sign_tx, sign_message, public_key, x402_pricing, x402_set_price, x402_remove_price` };
   }
 }