
integration: consolidate #593, #594, #595, #597 (x402 402-page, OpenAPI, buy-x402 --set-default, verifier streaming) #598

Closed
bussyjd wants to merge 13 commits into main from integration/pr-593-plus


bussyjd (Contributor) commented Jun 5, 2026

Integration branch consolidating PRs ≥ #593

This branch consolidates four open PRs into a single reviewable diff on top of main:

| PR | Branch | Subsystem | Summary |
|---|---|---|---|
| #593 | oisin/402-html-page | x402 | Improved 402 HTML payment-required page + per-offer-type prompts |
| #594 | oisin/openapi | x402 / controller | OpenAPI spec + Scalar /api reference for offered services |
| #595 | feat/buy-x402-set-default | buy-x402 skill | --set-default — agent self-adopts paid/<model> as primary |
| #597 | oisin/streaming | verifier | Stream sub-agent responses (statusRecorder Flush/Hijack) to keep the tunnel alive |

Merge order & conflicts

Merged #593 → #595 → #597 → #594. One conflict, in internal/hermes/hermes.go (#594 was branched from a base predating 51fd708's deployment-strategy migration). Resolved net-zero vs origin/main — kept main's imperative migrateDeploymentStrategy; go test ./internal/hermes/ passes.

Verification

  • go build ./... clean
  • full unit suite green (go test ./...)
  • multi-agent review of the consolidated diff: no blockers. Findings (2 MED, 1 LOW) are addressed by the follow-up PR targeting this branch (fix/integration-593plus-review).

Disposition of source PRs

#593, #594, #595, #597 are superseded by this branch and closed in favour of this consolidated review.

Do not merge to main until release-smoke is green and a second human has reviewed.

OisinKyne and others added 12 commits June 3, 2026 13:51
…l> as primary

After a persistent inference buy publishes paid/<remote-model> in LiteLLM, the
agent adopts it as its own primary chat model in-pod via native
'hermes config set model.default' (atomic write, per-request re-read, no restart,
no host CLI, no new RBAC). Includes a LiteLLM /v1/models existence guard, an
auto-refill safety warning, and a PyYAML fallback writer.

Validated by a design+adversarial workflow and a live CLI smoke against a running
obol-agent: buy --set-default flips config.yaml model.default to paid/AEON-7/... and
the next agent chat settled via the x402-buyer pool (spent 0->1) with no restart;
rollback verified.
# Conflicts:
#	internal/hermes/hermes.go
The /api OpenAPI reference is served over the public tunnel and pulls the
@scalar/api-reference bundle from jsdelivr. The integrity hash was left empty
in phase 1, so the browser executed whatever the CDN returned, unverified.

Populate scalarBundleSRI with the sha384 of the pinned 1.34.0 bundle so a
tampered CDN response is blocked. Comment updated to stress the hash must be
re-derived in lockstep with every scalarBundleVersion bump.
…arning

The 'paid/<model> not selectable in LiteLLM' guard ran *after* the
no-auto-refill WARNING. A model that LiteLLM would refuse still printed a
scary 'every chat turn fails when the pool empties' warning describing a
primary-model failure mode that cannot occur when the default was never
switched. Reorder so we refuse first and only warn when we are actually
about to adopt the model.
…e commands

spec.model.name and metadata.name flow from the ServiceOffer CR into
copy-pasteable 'obol buy inference ...' commands rendered on the public 402
page. A hostile or fat-fingered offer could smuggle shell metacharacters into
a command a reader might paste. Add sanitizeDisplayToken at the render
boundary: CR-sourced tokens must match the model-id/k8s-name charset
(^[A-Za-z0-9._:/-]+$) or collapse to the existing safe placeholder. Real ids
like qwen3.5:9b and anthropic/claude-3-5-sonnet-latest pass through unchanged.
review fixes for #598: Scalar SRI pin, buy-x402 guard order, 402 token sanitization
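
The allowlist-or-placeholder check described in the 402-page token sanitization commit message above, as an added Go example (not the project's own code). The placeholder string and the sample tokens are constructed here; only the function name and the charset come from the commit message.

```go
package main

import (
	"fmt"
	"regexp"
)

// Charset quoted in the commit message: model-id / k8s-name characters only.
// In Go's RE2 syntax, $ without the m flag matches only at end of text, so a
// trailing newline is rejected as well.
var displayTokenRE = regexp.MustCompile(`^[A-Za-z0-9._:/-]+$`)

// safePlaceholder is a hypothetical stand-in; the page does not show the
// placeholder string the project uses.
const safePlaceholder = "MODEL_ID"

// sanitizeDisplayToken returns tok unchanged when every character is in the
// allowed charset and the token is non-empty. Anything else collapses to the
// placeholder: the token is rejected whole, never escaped or partially
// cleaned, so no CR-controlled fragment reaches the rendered command.
func sanitizeDisplayToken(tok string) string {
	if displayTokenRE.MatchString(tok) {
		return tok
	}
	return safePlaceholder
}

func main() {
	// Constructed sample values standing in for spec.model.name / metadata.name.
	samples := []string{
		"qwen3.5:9b",                         // real-looking id, passes
		"anthropic/claude-3-5-sonnet-latest", // real-looking id, passes
		"qwen3.5:9b; echo injected",          // space and ';' -> placeholder
		"model$(id)",                         // '$', '(' and ')' -> placeholder
		"qwen3.5:9b\n",                       // trailing newline -> placeholder
		"",                                   // empty -> placeholder
	}
	for _, s := range samples {
		fmt.Printf("%-40q -> %q\n", s, sanitizeDisplayToken(s))
	}
}
```
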