feat(obs): apiHelpers on 4 more routes + retire fake x402 charge action (37/44 → 41/44)#173
Merged
operatoruplift merged 1 commit intomasterfrom Apr 27, 2026
Merged
Conversation
Trust-gate 37/44 -> 41/44 (~93%). Includes one residual honesty fix.
## Routes adopted
| Route | What it does |
|---|---|
| app/api/debug/subscription/route.ts | Admin paywall diagnostic |
| app/api/debug/solana-wallet/route.ts | Admin x402 wallet diagnostic |
| app/api/tools/x402/route.ts | x402 fetch proxy + retry-with-proof |
| app/api/audit/publish-root/route.ts | Merkle-root publish to Anchor program |
## Honesty fix: x402 "charge" action retired
While adopting apiHelpers on app/api/tools/x402/route.ts I caught a
residual fabrication in the legacy "charge" action. It was building a
chargeRecord with `tx_signature: \`x402-devnet-${Date.now()}\``, a
fake transaction signature that mimicked a real on-chain identifier,
then logging it as `status: 'approved'`. The same fabrication class as
the council UI (#147), the dashboard widget (#164), and the
dashboard/stats fallback (#167).
Real settlement lives in /api/tools/x402/pay where a genuine ed25519
receipt is produced. Nothing in the codebase calls the legacy charge
action (grep'd to confirm). Replaced the action with a 410 Gone +
nextAction pointing callers at /api/tools/x402/pay.
The "fetch" and "retry_with_proof" actions are unchanged; both are
pure proxies that don't fabricate anything.
## Verified
- pnpm exec tsc --noEmit: clean
- pnpm check: 3 passed, 0 failed
- trust-gate: 41/44 (was 37/44)
- grep for `x402-devnet-`: zero hits
## Rollback
Single git revert. 4 files.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
operatoruplift
added a commit
that referenced
this pull request
Apr 27, 2026
…IDs (#174) The final 3 routes adopt the apiHelpers pattern. Trust-gate now reports 44/44 route files import @/lib/apiHelpers and all call withRequestMeta. | Route | What it does | |---|---| | app/api/tools/tokens/route.ts | Tokens API (search, resolve, asset, price, risk, markets) | | app/api/subscription/route.ts | Subscription GET + POST (create_invoice, dev_simulate, confirm) | | app/api/webhooks/photon/route.ts | iMessage webhook receiver (signature-verified, idempotent) | ## Notable ### subscription Already had a hand-rolled requestId + startedAt + X-Request-Id pattern identical in shape to withRequestMeta. Replaced the local newRequestId() function and the manual header construction with the helper. Behavior identical; structured logs share a single `route` taxonomy. ### webhooks/photon The webhook receiver had no request-id propagation, every response just returned `{ ok: true, ... }`. Adding meta.headers to all 7 response paths (signature-fail, parse-fail, no-supabase, duplicate, insert-error, success, GET-health-probe) and including requestId in each body. Spectrum's webhook retry can now correlate to the server log line. ### tools/tokens Tier-1 tokens lookup tool. Already had a clean honest demo-mode 403 guard from earlier session work; this PR standardizes the error envelope (errorClass, requestId, timestamp, nextAction) and adds X-Request-Id to every response. ## Trust-gate journey 11/44 (25%) -> 16/44 -> 21/44 -> 26/44 -> 30/44 -> 33/44 -> 37/44 -> 41/44 -> 44/44 (100%) across PRs #167-#173 plus this one. ## Verified - pnpm exec tsc --noEmit: clean - pnpm check: 3 passed, 0 failed - trust-gate: 44/44 route files (100%) ## Rollback Single git revert. 3 files.
operatoruplift
added a commit
that referenced
this pull request
Apr 27, 2026
The legacy "confirm" fall-through path on POST /api/subscription was
a real security gap. Any authenticated user posting:
POST /api/subscription
Authorization: Bearer <valid-privy-jwt>
Content-Type: application/json
{ "tx_signature": "anything-here" }
would be marked tier=pro, status=active without any on-chain
verification. The TODO at line 159 admitted it: "Verify the Solana
tx on-chain before activating. For devnet/demo, we trust the
client-provided signature." Same fabrication class as the council
PRs cleaned up (#147, #155, #156, #164, #167, #173).
No code path calls this fall-through (`grep -rn "tx_signature.*\
subscription"` returns zero in app/, src/). The paywall page uses
action="create_invoice" exclusively, and real settlement runs
through /api/access/verify-payment which DOES call verifyPayment()
against the Solana RPC.
Closed the path with HTTP 410 Gone + a nextAction pointing callers
at /api/access/verify-payment, the route that actually verifies the
on-chain tx.
The two known-good actions ("create_invoice" and "dev_simulate")
are unchanged.
## Verified
- pnpm exec tsc --noEmit: clean
- pnpm check: 3 passed, 0 failed
- grep -rn "tx_signature.*subscription" returns 0 callers
## Rollback
Single git revert. One file.
5 tasks
operatoruplift
added a commit
that referenced
this pull request
Apr 28, 2026
…#209) Both routes were serving hardcoded "demo until API key configured" data with zero internal callers: - /api/risk -> lib/webacy-risk.ts returned overall: 87, grade: 'A', flagged: false, sanctions: false for any wallet/contract/transaction. A "your wallet is safe" answer regardless of input. - /api/gold -> lib/oro-grail.ts returned balanceOz: 0.0847, balanceUsd: 278.24 — exactly the values that tests/e2e/dashboard-honesty.spec.ts bans (Gold Agent retired in #164). The dashboard widget was retired but the API + lib survived. Both routes now return 410 Gone with a clear nextAction, mirroring the pattern from #173 (x402 charge) and #182 (subscription confirm). Both libs deleted (no callers). DD.xyz integration entry on /integrations: status updated from "available" to "coming_soon" since the lib backing it returned fake data. Now matches the truth. tests/e2e/request-id-runtime.spec.ts: /api/risk expectStatus updated [400, 401] -> [401, 410]. Added /api/gold probe with [401, 410]. Hermetic spec count stays at 17 (just adds a probe to an existing spec).
6 tasks
operatoruplift
added a commit
that referenced
this pull request
Apr 28, 2026
Adds a fourth grep-guard alongside copy-check, capability-check, and trust-gate. Each rule encodes a fabrication pattern we've explicitly retired and points at the original cleanup PR so a future contributor can read the prior agreement before reintroducing it. 10 rules covering: - Gold Agent fake balances (0.0847 oz, $278.24, $3284.50/oz) retired in #209 - Webacy fake "wallet grade A, not flagged, not sanctioned" risk grades retired in #209 - Fabricated x402-devnet-${Date.now()} tx signature pattern retired in #173 - Random-vector fake (Math.floor(Math.random() * 2000) + 100) on /memory retired in #210 - Fake-Pro confirm fall-through tx_signature pattern retired in #182 - Pre-seeded fake "Operator Uplift Architecture" memory node retired in #210 - "API key generated (expires in 30 days)" toast lie retired in #212 - 2-second setTimeout fake-install alert on /store retired in #216 Comment-line heuristic skips lines starting with //, /*, *, or <!-- so the audit-trail comments documenting these retirements (e.g. the new /api/gold route's comment block explaining why the lib was deleted) don't trigger false positives. Wired into pnpm check via scripts/check.mjs and added a top-level script `pnpm fabrication-rot-check` for direct invocation. Sanity-tested both directions: - Clean state: 197 files scanned, 0 hits - Plant a 'balanceOz: 0.0847' in lib/: guard fires with the rule name and the retiring-PR pointer, exit code 1.
2 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Trust-gate broadening, batch 7
Four more routes adopt the canonical
withRequestMeta/errorResponse/validationErrorpattern. Trust-gate now covers 41/44 (~93%) of/api/*routes.app/api/debug/subscription/route.tsapp/api/debug/solana-wallet/route.tsapp/api/tools/x402/route.tsapp/api/audit/publish-root/route.tsBonus: x402 "charge" action retired (honesty fix)
While adopting apiHelpers on
app/api/tools/x402/route.tsI caught one more residual fabrication in the legacychargeaction. It was building achargeRecordwith:tx_signature: `x402-devnet-${Date.now()}`a synthetic string that mimicked a real on-chain transaction identifier, then logging it as
status: 'approved'. Same fabrication class as the council UI (#147), the dashboard Gold widget (#164), and thedashboard/stats14/12400/47 fallback (#167).Real settlement lives in
/api/tools/x402/paywhere a genuine ed25519 receipt is produced. Nothing in the codebase calls the legacychargeaction (grep -rn '\\"charge\\"'confirms this). The action now returns 410 Gone with anextActionpointing callers at/api/tools/x402/pay.The
fetchandretry_with_proofactions are unchanged — both are pure proxies that don't fabricate anything.Verified
Net diff
Rollback
Single
git revert.