Parent: #89
Context
#94 was marked completed and merged via PR #107, adding @x402x/hono_v2 and @x402x/express_v2.
While reviewing main, a few items look either missing vs the original acceptance criteria or potentially risky for real middleware behavior.
Issues to address
- Workspace-only requirement not enforced
  - typescript/packages/hono_v2/package.json and typescript/packages/express_v2/package.json currently do not set "private": true.
- Potential payment-required flow / security semantics
  - typescript/packages/express_v2/src/index.ts currently calls next() unconditionally, and may also call it inside the official middleware callback.
    - This can lead to handlers executing even when payment is required (or after a response was already sent), which is risky.
  - typescript/packages/hono_v2/src/index.ts contains logic that returns 200 with a requiresPayment JSON payload “for testing purposes” when x402Response.requiresPayment is set.
    - If the official middleware sets x402Response in production, this could accidentally override a proper 402.
- Tests do not assert real 402 flow
  - Current integration tests primarily assert 200 responses under mocked behavior and do not validate 402 PAYMENT-REQUIRED semantics, extension echo, or eip155:* wildcard behavior.
- Unexpected submodule bump
  - deps/x402 submodule pointer; confirm if this is intentional.
Goal
Align v2 middleware wrappers with the intended contract:
- Workspace-only (private: true)
- Correct PAYMENT-REQUIRED behavior (no handler execution without payment)
- Tests that assert real 402 responses and required fields
Acceptance Criteria
- hono_v2 and express_v2 packages are marked private: true.
- Middleware does not call downstream handlers when payment is required.
- Integration tests validate:
  - 402 response on missing payment
  - accepts includes settlement extra and required extension (if applicable)
  - No next() leak in Express when payment is required
- Confirm / document why deps/x402 submodule changed, or revert if accidental.
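
The next() leak described in this issue, shown as an added example that is not part of the original issue or the project's code. It compares a leaky and a strict wrapper around a hypothetical stand-in for the official middleware; the Express-shaped types, the x-payment header name, and the fake response object are assumptions made for illustration.

```typescript
// Minimal Express-shaped types so the example runs without the express package.
type Req = { headers: Record<string, string | undefined> };
type Res = {
  statusCode: number;
  headersSent: boolean;
  status(code: number): Res;
  json(body: unknown): Res;
};
type Next = (err?: unknown) => void;
type Middleware = (req: Req, res: Res, next: Next) => void;

// Hypothetical stand-in for the official payment middleware (header name is assumed):
// it answers 402 itself when no payment is attached, otherwise it continues.
const officialPayment: Middleware = (req, res, next) => {
  if (!req.headers["x-payment"]) {
    res.status(402).json({ error: "payment required" });
    return;
  }
  next();
};

// Pattern the issue describes: next() in the callback and again unconditionally.
const leakyWrapper: Middleware = (req, res, next) => {
  officialPayment(req, res, next);
  next();
};

// Hardened: continue at most once, and never after a response was sent.
const strictWrapper: Middleware = (req, res, next) => {
  let forwarded = false;
  officialPayment(req, res, (err) => {
    if (forwarded || res.headersSent) return;
    forwarded = true;
    next(err);
  });
};

// Drive a wrapper with a fake response; count how often the route handler runs.
function run(wrapper: Middleware, headers: Req["headers"]) {
  let handlerCalls = 0;
  const res: Res = {
    statusCode: 200,
    headersSent: false,
    status(code) { this.statusCode = code; return this; },
    json() { this.headersSent = true; return this; },
  };
  wrapper({ headers }, res, () => { handlerCalls += 1; });
  return { status: res.statusCode, handlerCalls };
}
```

An integration test for the acceptance criteria can assert on both values together: a 402 status alone does not prove the downstream handler stayed idle.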