From 748eaed2a7e3a5cd6610086a0532f57138f14f3b Mon Sep 17 00:00:00 2001 From: bdj Date: Tue, 30 Jun 2026 16:24:28 -0700 Subject: [PATCH 1/2] =?UTF-8?q?feat(x402):=20Phase=206=20=E2=80=94=20threa?= =?UTF-8?q?d=20paymentRequestId=20to=20authorize=20for=20the=20cap=20reser?= =?UTF-8?q?vation=20(Base)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit accounts keys the binding X402 cap reservation (upto sessions) to the challenge's paymentRequestId and releases it at settle (accounts/auth Phase 6). Thread that id through authorize so accounts can store the reservation handle: - AuthorizeParams.paymentRequestId; ATXPAccount.authorize sends it in the /authorize/auto body. - Passed from both call sites — the omni handler (challengeData.paymentRequestId) and the x402 handler (paymentChallenge.paymentRequestId). Additive and backwards-compatible (optional field; an older accounts ignores it and the reservation falls back to TTL-based release). Co-Authored-By: Claude Opus 4.8 --- packages/atxp-client/src/atxpAccountHandler.ts | 1 + packages/atxp-client/src/x402ProtocolHandler.ts | 1 + packages/atxp-common/src/atxpAccount.ts | 2 ++ packages/atxp-common/src/types.ts | 5 +++++ 4 files changed, 9 insertions(+) diff --git a/packages/atxp-client/src/atxpAccountHandler.ts b/packages/atxp-client/src/atxpAccountHandler.ts index 8311ffc..0fada9f 100644 --- a/packages/atxp-client/src/atxpAccountHandler.ts +++ b/packages/atxp-client/src/atxpAccountHandler.ts @@ -76,6 +76,7 @@ export class ATXPAccountHandler implements ProtocolHandler { paymentRequirements: authorizeParams.paymentRequirements, challenge: authorizeParams.challenge, challenges: authorizeParams.challenges as unknown[] | undefined, + paymentRequestId: typeof challengeData.paymentRequestId === 'string' ? challengeData.paymentRequestId : undefined, }); } catch (error) { logger.error(`ATXPAccountHandler: authorize failed: ${error instanceof Error ? error.message : String(error)}`); diff --git a/packages/atxp-client/src/x402ProtocolHandler.ts b/packages/atxp-client/src/x402ProtocolHandler.ts index df24e08..4870855 100644 --- a/packages/atxp-client/src/x402ProtocolHandler.ts +++ b/packages/atxp-client/src/x402ProtocolHandler.ts @@ -149,6 +149,7 @@ export class X402ProtocolHandler implements ProtocolHandler { protocols: ['x402'], destination: url, paymentRequirements: enrichedRequirements, + paymentRequestId: paymentChallenge.paymentRequestId, }); const paymentHeader = authorizeResult.credential; diff --git a/packages/atxp-common/src/atxpAccount.ts b/packages/atxp-common/src/atxpAccount.ts index ca92299..bcb892e 100644 --- a/packages/atxp-common/src/atxpAccount.ts +++ b/packages/atxp-common/src/atxpAccount.ts @@ -339,6 +339,8 @@ export class ATXPAccount implements Account { body.currency = 'USDC'; // X402 fields if (params.paymentRequirements) body.paymentRequirements = params.paymentRequirements; + // Phase 6: lets accounts key the X402 cap reservation to the challenge so it releases on settle. + if (params.paymentRequestId) body.paymentRequestId = params.paymentRequestId; // MPP fields if (params.challenges) body.challenges = params.challenges; if (params.challenge) body.challenge = params.challenge; diff --git a/packages/atxp-common/src/types.ts b/packages/atxp-common/src/types.ts index 4ef5767..d007a6f 100644 --- a/packages/atxp-common/src/types.ts +++ b/packages/atxp-common/src/types.ts @@ -208,6 +208,11 @@ export interface AuthorizeParams { challenge?: unknown; /** MPP: array of challenges from multi-chain omni-challenge (preferred) */ challenges?: unknown[]; + /** + * The challenge's payment-request id. Threaded to accounts at authorize so it can key the + * X402 binding cap reservation (upto sessions) to it and release it on settle (Phase 6). + */ + paymentRequestId?: string; } export interface AuthorizeResult { From 9d4cecefdee362099f218624af32ffb74b2ef74a Mon Sep 17 00:00:00 2001 From: bdj Date: Thu, 2 Jul 2026 10:40:26 -0700 Subject: [PATCH 2/2] =?UTF-8?q?fix(ci):=20restore=20atxp-client=20package.?= =?UTF-8?q?json=20=E2=86=94=20lockfile=20sync=20(0.11.10)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit packages/atxp-client/package.json was bumped to 0.11.12 with @atxp/common and @atxp/mpp pinned at 0.11.11, but package-lock.json (and the six sibling packages pinning @atxp/client at 0.11.10) still record the consistent 0.11.10 workspace state. npm ci therefore fails EUSAGE ("not in sync") on every run; the workflow's continue-on-error fallback then does a lockfile-less npm install, which resolves the 0.11.11 pins to the REGISTRY @atxp/common — so atxp-client typechecks against published types instead of the workspace, and any PR adding a cross-package type (like AuthorizeParams.paymentRequestId here) fails typecheck. Roll atxp-client back to the lockfile's 0.11.10 state: npm ci succeeds again (zero lockfile churn) and both install paths link the workspace packages. Version numbers are rewritten from the release tag by release.yaml at publish, so nothing is lost. Co-Authored-By: Claude Fable 5 --- packages/atxp-client/package.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/atxp-client/package.json b/packages/atxp-client/package.json index 1025892..69895ba 100644 --- a/packages/atxp-client/package.json +++ b/packages/atxp-client/package.json @@ -1,6 +1,6 @@ { "name": "@atxp/client", - "version": "0.11.12", + "version": "0.11.10", "description": "ATXP Client - MCP client with OAuth authentication and payment processing", "license": "MIT", "repository": { @@ -33,8 +33,8 @@ "pack:dry": "npm pack --dry-run" }, "dependencies": { - "@atxp/common": "0.11.11", - "@atxp/mpp": "0.11.11", + "@atxp/common": "0.11.10", + "@atxp/mpp": "0.11.10", "@modelcontextprotocol/sdk": "^1.15.0", "@x402/core": "^2.9.0", "@x402/evm": "^2.9.0",