wolverine-ai 5.4.3 → 5.5.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wolverine-ai",
-  "version": "5.4.3",
+  "version": "5.5.1",
   "description": "Self-healing Node.js server framework powered by AI. Catches crashes, diagnoses errors, generates fixes, verifies, and restarts — automatically.",
   "main": "src/index.js",
   "bin": {

package/src/brain/brain.js

@@ -190,15 +190,15 @@ const SEED_DOCS = [
     metadata: { topic: "notifications" },
   },
   {
-    text: "x402 paid APIs — turn any route into a paid API with one flag. Register the plugin: fastify.register(require('wolverine-ai/src/middleware/x402-fastify')). Add { config: { x402: { price: '$0.10' } } } to any route. Routes WITHOUT x402 config are unaffected. Two modes: (1) Fixed price: { x402: { price: '$0.10' } }. (2) Variable price: { x402: { variable: true, min: '$1', max: '$10000', priceField: 'dollars' } }. Uses @coinbase/x402 facilitator (built-in, no auth config needed) + x402/verify for payment verification and on-chain settlement. Protocol is x402 v1 — network must be 'base' (NOT 'eip155:8453'). Payment header: X-PAYMENT or payment-signature (base64 JSON). Verify happens in preHandler hook, settle happens in onSend hook (after handler succeeds). Vault wallet auto-detected as payTo. Requires: Node 22+, CDP_API_KEY_ID + CDP_API_KEY_SECRET in .env.local (get free at cdp.coinbase.com), npm packages @coinbase/x402 + x402 + viem. CRITICAL SETUP NOTES: (1) network MUST be 'base' not 'eip155:8453' — the v1 SDK uses human-readable names. (2) Do NOT set a facilitator URL in settings.json — the @coinbase/x402 package has it built-in. (3) paymentRequirements.resource must be a full URL (https://host/path) not 'POST /path'. (4) paymentRequirements.asset must be checksummed via viem's getAddress(). (5) paymentRequirements.extra must be { name: 'USD Coin', version: '2' } for USDC EIP-712 domain. (6) maxAmountRequired must match the user's payment value for variable pricing. (7) Frontend payment payload format: { x402Version: 1, scheme: 'exact', network: 'base', payload: { authorization: { from, to, value (decimal string), validAfter (string), validBefore (string), nonce (0x hex) }, signature } }. Dashboard tracks x402 payments, revenue by route, USDC/ETH balances.",
+    text: "x402 paid APIs — turn any route into a paid API with one flag. Register the plugin: fastify.register(require('wolverine-ai/src/middleware/x402-fastify')). Add { config: { x402: { price: '$0.10' } } } to any route. Routes WITHOUT x402 config are unaffected. Two modes: (1) Fixed price: { x402: { price: '$0.10' } }. (2) Variable price: { x402: { variable: true, min: '$1', max: '$10000', priceField: 'dollars' } }. Uses x402 v2 protocol: @x402/core SDK (x402ResourceServer + ExactEvmScheme) with @coinbase/x402 facilitator for CDP auth. The trick: pass @coinbase/x402's facilitator config to @x402/core's HTTPFacilitatorClient — this gives v2 protocol with working CDP JWT auth. Network is CAIP-2 format 'eip155:8453' (Base mainnet). Payment header: X-PAYMENT or payment-signature (base64 JSON). Verify AND settle both happen in preHandler — handler only runs after USDC moves on-chain. Vault wallet auto-detected as payTo. Requires: Node 22+, CDP_API_KEY_ID + CDP_API_KEY_SECRET in .env.local (free at cdp.coinbase.com), npm packages @coinbase/x402 + @x402/core + @x402/evm + viem. Auto-installed on startup when vault exists. CRITICAL: (1) Do NOT set facilitator URL in settings.json. (2) paymentRequirements uses 'amount' field (v2) not 'maxAmountRequired' (v1). (3) paymentRequirements.extra = { name: 'USD Coin', version: '2' } for EIP-712. (4) Frontend payload: { x402Version: 2, scheme: 'exact', network: 'eip155:8453', payload: { authorization: { from, to, value (decimal string), validAfter (string), validBefore (string), nonce (0x hex) }, signature } }. (5) Values must be decimal strings not hex. Dashboard tracks x402 payments, revenue by route, USDC/ETH balances.",
     metadata: { topic: "x402-paid-apis" },
   },
   {
-    text: "x402 examples — making a paid API is as simple as adding a route. FREE route: fastify.get('/api/data', async (req) => { return getData(); }). PAID route: fastify.get('/api/premium', { config: { x402: { price: '$0.01' } } }, async (req) => { return { data: 'premium', paid: req.x402?.amount }; }). CREDIT PURCHASE: fastify.post('/buy', { config: { x402: { variable: true, min: '$1', max: '$10000', priceField: 'dollars' } } }, async (req) => { const credits = parseFloat(req.x402.amount.replace('$','')) * 100; return { credits }; }). Frontend integration: sign EIP-3009 TransferWithAuthorization with eth_signTypedData_v4, build payload as { x402Version: 1, scheme: 'exact', network: 'base', payload: { authorization: {...}, signature } }, base64 encode, send as X-PAYMENT header. Values MUST be decimal strings ('1000000' for $1) NOT hex ('0xf4240'). validAfter = String(now - 600), validBefore = String(now + 300). The facilitator verifies signature then settles on-chain (calls transferWithAuthorization on USDC contract). Handler only runs after verification passes. Settlement happens after handler returns success (onSend hook). req.x402 = { paid: true, amount: '$5.00', from: '0x...', txHash, settled: true }.",
+    text: "x402 examples — making a paid API is as simple as adding a route. FREE route: fastify.get('/api/data', async (req) => { return getData(); }). PAID route: fastify.get('/api/premium', { config: { x402: { price: '$0.01' } } }, async (req) => { return { data: 'premium', paid: req.x402.amount, txHash: req.x402.txHash }; }). CREDIT PURCHASE: fastify.post('/buy', { config: { x402: { variable: true, min: '$1', max: '$10000', priceField: 'dollars' } } }, async (req) => { const credits = parseFloat(req.x402.amount.replace('$','')) * 100; return { credits, txHash: req.x402.txHash }; }). Frontend integration: sign EIP-3009 TransferWithAuthorization with eth_signTypedData_v4, build v2 payload as { x402Version: 2, scheme: 'exact', network: 'eip155:8453', payload: { authorization: {...}, signature } }, base64 encode, send as X-PAYMENT header. Values MUST be decimal strings ('1000000' for $1) NOT hex. validAfter = String(now - 600), validBefore = String(now + 300). Both verify + settle happen in preHandler BEFORE handler runs. Handler only executes after USDC moves on-chain. req.x402 = { paid: true, amount: '$5.00', from: '0x...', txHash: '0x...', settled: true }.",
     metadata: { topic: "x402-examples" },
   },
   {
-    text: "x402 troubleshooting — common issues and fixes. (1) 'Invalid network': using 'eip155:8453' instead of 'base' — the @coinbase/x402 v1 SDK uses human-readable network names. (2) 'Unauthorized' from facilitator: either wrong CDP_API_KEY_ID/SECRET, or a facilitator URL override in settings.json pointing to api.cdp.coinbase.com (remove it, let the built-in handle auth). (3) '400 Bad Request': payload format mismatch — ensure x402Version:1, scheme:'exact', network:'base'. Don't use exact.evm.decodePayment() on the server, parse the base64 JSON directly. (4) 'invalid_exact_evm_payload_signature': the EIP-712 signature is wrong — check that the frontend signs with the correct domain (name:'USD Coin', version:'2', chainId:8453, verifyingContract:USDC address). (5) USDC not moving: the old middleware only verified signatures without calling the facilitator settle — must use @coinbase/x402 facilitator which handles verify+settle. (6) Frontend value showing as hex (0xf4240): must use decimal strings. (7) SDK not loading: @coinbase/x402 + x402 are ESM packages, need Node 22+. On Node 18 they fail with ERR_REQUIRE_ESM. (8) Packages disappearing after --update: add @coinbase/x402, x402, viem to package.json dependencies so npm install preserves them.",
+    text: "x402 troubleshooting — common issues and fixes. (1) 'Unauthorized' from CDP facilitator: the @coinbase/x402 package handles JWT auth internally using CDP_API_KEY_ID + CDP_API_KEY_SECRET from env vars — do NOT set a facilitator URL in settings.json. (2) '400 Bad Request': payload format mismatch — v2 uses x402Version:2, network:'eip155:8453', amount (not maxAmountRequired). Parse base64 JSON directly, don't use decodePayment(). (3) 'invalid_exact_evm_payload_signature': EIP-712 signature wrong — check domain (name:'USD Coin', version:'2', chainId:8453, verifyingContract:USDC). (4) USDC not moving: old middleware only verified without settling — must use x402ResourceServer.verifyPayment() + settlePayment() which goes through the CDP facilitator. (5) Frontend value as hex (0xf4240): must use decimal strings ('1000000'). (6) ESM errors: @coinbase/x402 needs Node 22+. (7) Packages disappearing after --update: they're in package.json dependencies + auto-installed on startup when vault exists. (8) Credits granted before settlement: verify+settle must both be in preHandler, not onSend. (9) v2 auth trick: pass @coinbase/x402's facilitator config to @x402/core HTTPFacilitatorClient — this gives v2 protocol with CDP auth that actually works.",
     metadata: { topic: "x402-troubleshooting" },
   },
   {

package/src/core/init-server.js

@@ -77,7 +77,7 @@ function ensureX402Deps(cwd) {
   console.log(chalk.blue("  📦 Installing x402 payment dependencies..."));
   try {
     const { execSync } = require("child_process");
-    execSync("npm install @coinbase/x402 x402 viem --no-save --ignore-engines 2>/dev/null", {
+    execSync("npm install @coinbase/x402 @x402/core @x402/evm x402 viem --no-save --ignore-engines 2>/dev/null", {
       cwd,
       stdio: "pipe",
       timeout: 60000,

package/src/middleware/x402-fastify.js

@@ -4,15 +4,16 @@ const path = require("path");
 /**
  * x402 Fastify Plugin — add crypto payments to any route with one flag.
  *
- * Uses @coinbase/x402 facilitator + x402/verify for payment verification
- * and on-chain settlement. Matches the working pattern from blockaid-scanner.
+ * Uses x402 v2 protocol (@x402/core + @x402/evm) with @coinbase/x402
+ * facilitator for CDP authentication. Verify + settle both happen in
+ * preHandler — the route handler only runs after USDC moves on-chain.
  *
- * Two modes:
- *   Fixed price:    { x402: { price: "$0.01" } }
- *   Variable price: { x402: { variable: true, min: "$1", max: "$10000" } }
+ * Setup:
+ *   1. wolverine --init-vault
+ *   2. Set CDP_API_KEY_ID + CDP_API_KEY_SECRET in .env.local
+ *   3. Add { config: { x402: { price: "$0.01" } } } to any route
  */
 
-// Node 18 needs globalThis.crypto
 if (!globalThis.crypto) {
   globalThis.crypto = require("crypto").webcrypto;
 }
@@ -21,8 +22,8 @@ const USDC_ADDRESS = "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913";
 const USDC_EIP712 = { name: "USD Coin", version: "2" };
 
 let _payTo = null;
-let _network = "base"; // v1 format, not CAIP-2
-let _facilitatorClient = null;
+let _network = "eip155:8453";
+let _x402Server = null;
 
 async function x402Plugin(fastify, opts) {
   _payTo = opts.payTo || null;
@@ -43,14 +44,18 @@ async function x402Plugin(fastify, opts) {
     } catch {}
   }
 
-  // Initialize facilitator from @coinbase/x402 (ESM packages, need dynamic import)
+  // Initialize v2 x402 SDK with @coinbase/x402 facilitator auth
   try {
-    const { facilitator } = await import("@coinbase/x402");
-    const { useFacilitator } = await import("x402/verify");
-    _facilitatorClient = useFacilitator(facilitator);
-    console.log(`  💰 x402: facilitator loaded (@coinbase/x402)`);
+    const { facilitator } = require("@coinbase/x402");
+    const { x402ResourceServer, HTTPFacilitatorClient } = require("@x402/core/server");
+    const { ExactEvmScheme } = require("@x402/evm/exact/server");
+
+    const client = new HTTPFacilitatorClient(facilitator);
+    _x402Server = new x402ResourceServer(client);
+    _x402Server.register("eip155:*", new ExactEvmScheme());
+    console.log(`  💰 x402: v2 SDK loaded (ExactEvmScheme + CDP facilitator)`);
   } catch (err) {
-    console.log(`  ⚠️ x402: facilitator init failed (${err.message}) — install @coinbase/x402 x402`);
+    console.log(`  ⚠️ x402: SDK init failed (${err.message})`);
   }
 
   if (_payTo) {
@@ -61,14 +66,8 @@ async function x402Plugin(fastify, opts) {
   fastify.addHook("preHandler", async (request, reply) => {
     const routeConfig = request.routeOptions?.config?.x402 || request.routeConfig?.x402 || request.context?.config?.x402;
     if (!routeConfig) return;
-    if (!_payTo) {
-      reply.code(500).send({ error: "x402 not configured — no wallet address" });
-      return;
-    }
-    if (!_facilitatorClient) {
-      reply.code(500).send({ error: "x402 facilitator not loaded — install @coinbase/x402 x402" });
-      return;
-    }
+    if (!_payTo) { reply.code(500).send({ error: "x402 not configured — run wolverine --init-vault" }); return; }
+    if (!_x402Server) { reply.code(500).send({ error: "x402 SDK not loaded — install @coinbase/x402 @x402/core @x402/evm" }); return; }
 
     // Determine dollar amount
     let dollarAmount;
@@ -91,36 +90,29 @@ async function x402Plugin(fastify, opts) {
       if (!dollarAmount) { reply.code(500).send({ error: "x402 route missing price config" }); return; }
     }
 
-    const usdcAtomicAmount = String(Math.round(dollarAmount * 1e6));
+    const usdcAmount = String(Math.round(dollarAmount * 1e6));
     const price = "$" + dollarAmount.toFixed(2);
-
-    // Check for payment header (X-PAYMENT for v1 compat, payment-signature for v2)
     const paymentHeader = request.headers["x-payment"] || request.headers["payment-signature"];
 
-    // Build payment requirements (v1 format matching @coinbase/x402)
+    // Build v2 payment requirements
     const { getAddress } = await import("viem");
-    // Build full resource URL (required by facilitator)
     const proto = request.headers["x-forwarded-proto"] || "https";
     const host = request.headers["x-forwarded-host"] || request.headers.host || "localhost";
-    const resourceUrl = `${proto}://${host}${request.url}`;
 
     const paymentRequirements = {
       scheme: "exact",
       network: _network,
-      maxAmountRequired: usdcAtomicAmount,
-      resource: resourceUrl,
-      description: routeConfig.description || `Payment of $${dollarAmount.toFixed(2)} USDC`,
-      mimeType: "application/json",
+      amount: usdcAmount,
+      asset: getAddress(USDC_ADDRESS),
       payTo: getAddress(_payTo),
       maxTimeoutSeconds: 60,
-      asset: getAddress(USDC_ADDRESS),
       extra: USDC_EIP712,
     };
 
     // No payment — return 402
     if (!paymentHeader) {
       reply.code(402).send({
-        x402Version: 1,
+        x402Version: 2,
         error: "Payment Required",
         accepts: [paymentRequirements],
         price,
@@ -132,55 +124,52 @@ async function x402Plugin(fastify, opts) {
       return;
     }
 
-    // Decode payment — parse raw payload directly (matching working project pattern)
-    let decodedPayment;
+    // Decode payment
+    let paymentPayload;
     try {
       const raw = JSON.parse(Buffer.from(paymentHeader, "base64").toString("utf-8"));
+      if (!raw.payload?.authorization || !raw.payload?.signature) throw new Error("Missing authorization or signature");
 
-      // Validate required fields
-      if (!raw.payload?.authorization || !raw.payload?.signature) {
-        throw new Error("Missing authorization or signature");
-      }
-
-      decodedPayment = {
-        x402Version: raw.x402Version || 1,
+      paymentPayload = {
+        x402Version: raw.x402Version || 2,
         scheme: raw.scheme || "exact",
         network: raw.network || _network,
         payload: raw.payload,
       };
+      if (raw.accepted) paymentPayload.accepted = raw.accepted;
+      if (raw.resource) paymentPayload.resource = raw.resource;
     } catch (err) {
-      reply.code(402).send({ error: "Invalid payment format: " + err.message, accepts: [paymentRequirements] });
+      reply.code(402).send({ error: "Invalid payment: " + err.message, accepts: [paymentRequirements] });
       return;
     }
 
-    // For variable pricing, use user's actual payment value as maxAmountRequired
-    const userValue = decodedPayment.payload.authorization.value;
-    const actualRequirements = { ...paymentRequirements, maxAmountRequired: userValue };
+    // For variable pricing, match maxAmountRequired to user's payment
+    const userValue = paymentPayload.payload.authorization.value;
+    const actualRequirements = { ...paymentRequirements, amount: userValue };
 
     // Verify via facilitator
     try {
-      console.log(`  💰 x402 verify: from=${decodedPayment.payload?.authorization?.from} value=${decodedPayment.payload?.authorization?.value} network=${decodedPayment.network}`);
-      const verifyResult = await _facilitatorClient.verify(decodedPayment, actualRequirements);
+      console.log(`  💰 x402 verify: from=${paymentPayload.payload?.authorization?.from} value=${userValue} network=${paymentPayload.network}`);
+      const verifyResult = await _x402Server.verifyPayment(paymentPayload, actualRequirements);
       if (!verifyResult.isValid) {
         console.log(`  ⚠️ x402 verify failed: ${verifyResult.invalidReason} ${verifyResult.invalidMessage || ""}`);
-        reply.code(402).send({ error: verifyResult.invalidReason || "Payment verification failed", message: verifyResult.invalidMessage, accepts: [paymentRequirements], payer: verifyResult.payer });
+        reply.code(402).send({ error: verifyResult.invalidReason, message: verifyResult.invalidMessage, payer: verifyResult.payer });
         return;
       }
     } catch (err) {
-      // Extract detailed error from the x402 SDK
       const detail = err.invalidReason || err.invalidMessage || err.cause?.message || "";
       console.log(`  ⚠️ x402 verify error: ${err.message} | ${detail}`);
-      reply.code(402).send({ error: err.invalidReason || err.message, message: err.invalidMessage || detail, accepts: [paymentRequirements] });
+      reply.code(402).send({ error: err.invalidReason || err.message, message: err.invalidMessage || detail });
       return;
     }
 
-    // Settle via facilitator BEFORE handler runs — USDC must move before granting access
-    const payer = decodedPayment.payload.authorization.from;
+    // Settle via facilitator — USDC moves on-chain BEFORE handler runs
+    const payer = paymentPayload.payload.authorization.from;
     try {
-      const settleResult = await _facilitatorClient.settle(decodedPayment, actualRequirements);
+      const settleResult = await _x402Server.settlePayment(paymentPayload, actualRequirements);
       if (!settleResult.success) {
         console.log(`  ⚠️ x402 settle failed: ${settleResult.errorReason || "unknown"}`);
-        reply.code(402).send({ error: "Payment settlement failed", reason: settleResult.errorReason });
+        reply.code(402).send({ error: "Settlement failed", reason: settleResult.errorReason });
         return;
       }
       const txHash = settleResult.transaction || null;
@@ -190,17 +179,15 @@ async function x402Plugin(fastify, opts) {
       _logPayment({ route: request.url, method: request.method, amount: price, from: payer, txHash, verified: true, settled: true, timestamp: Date.now() });
     } catch (err) {
       console.log(`  ⚠️ x402 settle error: ${err.message}`);
-      reply.code(402).send({ error: "Payment settlement failed: " + err.message });
+      reply.code(402).send({ error: "Settlement failed: " + err.message });
       return;
     }
   });
 
-  // No onSend settle needed — settlement happens in preHandler before handler runs
-
   // Public info endpoint
   fastify.get("/x402/info", async () => ({
-    payTo: _payTo, network: _network, protocol: "x402", x402Version: 1,
-    facilitatorLoaded: !!_facilitatorClient,
+    payTo: _payTo, network: _network, protocol: "x402", x402Version: 2,
+    sdkLoaded: !!_x402Server,
     docs: "https://docs.cdp.coinbase.com/x402/welcome",
   }));
 }