fix(buy-x402): unify + extend x402 auth pool expiry (default 1 month, optional never)

[bussyjd]

What

Unifies and extends the x402 pre-signed auth pool expiry — one knob for both payment methods, default 1 month, with an optional non-expiration setting.

Bug

Pre-signed pool auths silently expired ~5 minutes after buy. _presign_auths set the Permit2 (OBOL) deadline = now + max(maxTimeoutSeconds, 300) (= 300 s) — conflating the per-request settle window (maxTimeoutSeconds) with the pool's spendability lifetime. Meanwhile the ERC-3009 (USDC) path hardcoded validBefore = 4294967295 (~never). So OBOL pools became unusable minutes after purchase (the first auth settled, the rest expired) while USDC pools never expired — inconsistent.

Observed live: a pool intended for ongoing use had a Permit2 deadline ~5 min out; later paid requests failed with seller 503 "Payment verification failed" (on-chain block.timestamp <= deadline rejects the expired auth).

Fix

A single _auth_expiry() resolver drives both the Permit2 deadline and the ERC-3009 validBefore:

• OBOL_X402_AUTH_TTL env or --auth-ttl <seconds|never> flag (on buy and pay)
• default 30 days (1 month); floored at 300 s (one settle window)
• 0 / never / none → 4294967295 (~year 2106) = non-expiration — the uint sentinel that both USDC transferWithAuthorization (validBefore <) and the Permit2/x402 contracts (deadline <=) accept without overflow

Both payment methods now expire at the same wall-clock.

Why this is the right (and only) place

The deadline/validBefore is set at sign time in buy.py, carried verbatim through PurchaseRequest → serviceoffer-controller → x402-buyer → seller (the remote-signer signs blindly; nothing downstream re-derives it), and enforced only on-chain at settle. So buy.py's _presign_auths is the single amendment point.

Test

• python3 -m py_compile ✓ · go build ./cmd/obol ✓ (embed intact) · repo pre-commit ✓
• _auth_expiry() verified: default → 30.0 days; never/0 → 4294967295; 3600 → 3600 s; 10 → 300 s (floored)

Notes

• Behavior change: USDC (ERC-3009) pools now default to 30-day expiry instead of never. Set OBOL_X402_AUTH_TTL=never to restore the old behavior; both schemes are now consistent.
• Sequencing vs PR release: v0.10.0-rc12 (consolidate #593/#594/#595/#597 + review hardening) #600 (rc12): release: v0.10.0-rc12 (consolidate #593/#594/#595/#597 + review hardening) #600 keeps the old 5-min Permit2 line and does not touch _presign_auths' deadline, so this applies cleanly on top (different code regions from feat(buy-x402): --set-default — agent self-adopts paid/<model> as its primary model #595's --set-default, which release: v0.10.0-rc12 (consolidate #593/#594/#595/#597 + review hardening) #600 already carries).

Scope

Two files, additive: internal/embed/skills/buy-x402/scripts/buy.py (+42), internal/embed/skills/buy-x402/SKILL.md (+2). No controller, RBAC, or Go changes.

[bussyjd]

Update — test coverage + x402 parity

Test coverage added (8558b55d, tests/test_buy_auth_expiry.py): 6 cases locking the unified expiry contract — default 1 month; never/0/none/-1/aliases → MAX_SAFE_DEADLINE (0xFFFFFFFF); custom seconds; 300s floor; garbage→default; sentinel is facilitator-safe. Passes; existing test_buy_autorefill (13) and test_buy_normalize_endpoint unaffected.

x402 parity (verified against the coinbase/x402 go SDK at the rev we depend on):

• The facilitator imposes no maxTimeoutSeconds upper bound on validBefore/deadline — it only checks not-expired + not-future:
  • ERC-3009 exact/v1/facilitator/scheme.go:166-174 → validBefore >= now+6, validAfter <= now
  • Permit2 exact/facilitator/permit2.go → deadline >= now+buffer, validAfter <= now
  • Our long-lived pool auths (30d / sentinel) pass; validAfter="0" passes.
• maxTimeoutSeconds is the per-request window the reference client uses (deadline = now + maxTimeoutSeconds) — standard x402 is per-request. Our pre-signed pool legitimately extends this with a longer lifetime, which the facilitator accepts.
• The 4294967295 sentinel + far-future validBefore are already exercised in our suite (buy_side_test.go, verifier_test.go, forwardauth_test.go).

Net: spec-aligned; the original 5-min bug produced ErrAuthorizationValidBeforeExpired / ErrPermit2DeadlineExpired (surfaced as seller 503).