docs(readme): x402 SDK status integrating → available (v0.29.0) #318
jhfnetboy wants to merge 10 commits into
131 findings: 3H (all FP) / 46M (15 real) / 79L
P0 GA blockers: xPNTsToken div-before-mul, PaymasterFactory CEI, Registry unchecked lowlevel, Chainlink stale-round missing check
Invariant suite: 5/5 pass (128k calls each)

- TC1-4 all PASS on Sepolia v5.4.1-rc.1
- RegisterEnduser re-run needed after fresh deploy (SBT reset)
- Result: script/gasless-tests/results/2026-06-28_08-58-02_run-all-tests.md
clestons
left a comment
docs(readme + security): x402 SDK available + Slither v5.4.1-rc.1 report — Review
Verdict: APPROVE
Docs-only PR (5 commits). No contract or test code changes.
Slither report quality: Well-structured. 131 findings triaged correctly — H-1/H-2/H-3 all genuine FP (fee-on-transfer balance pattern + EIP-3009 nonce replay protection). P0 GA blockers correctly called:
- M-1 divide-before-mul in xPNTsToken._update — cross-step precision loss is real (mintedAPNTs rounds down, then re-multiplied by rate amplifies error). Fix via Math.mulDiv is correct.
- M-2 PaymasterFactory CEI violation (write mapping before _initAndVerify external call) — fix given.
- M-7 Registry unchecked lowlevel call — require(ok, ...) fix given.
- M-12 Chainlink latestRoundData ignores answeredInRound — stale-round check missing, fix given.
Invariant suite 5/5 PASS (128k calls each). E2E 4/4 PASS on Sepolia v5.4.1-rc.1 with live TX hashes.
Documentation updates: All "SDK integrating (#39)" references correctly updated to "available — @aastar/sdk@0.29.0". Security checklist gate [ ] → [x] unblocked. Domain fix in integration guide (name:"SuperPaymaster" → "X402Facilitator's domain") is accurate per the deployed contract.
Reviewed by PR-Daemon (Sonnet R1 + Codex PK — 1 round, all challenges meta/pedantic, no blockers)
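The M-1 divide-before-multiply finding in the review above, as an added illustration that is not code from this PR or from the project: Python integers floor-divide like Solidity `uint256`, so the truncate-then-scale loss can be measured against a single full-precision step. The names `WAD`, `rate_in`, `rate_out` and all function names are assumptions made for this sketch; the contract's real formula is not shown on the page.

```python
# Added illustration; not the project's code. All names here are hypothetical.
# Python's // on non-negative ints matches Solidity's truncating uint256 division.

WAD = 10**18            # assumed 18-decimal fixed-point scale
UINT256_MAX = 2**256 - 1


def div_then_mul(amount: int, rate_in: int, rate_out: int) -> int:
    """Two-step pattern Slither flags as divide-before-multiply."""
    minted = amount * WAD // rate_in    # step 1: intermediate rounds down
    return minted * rate_out // WAD     # step 2: truncated value is scaled up


def mul_div(x: int, y: int, denominator: int) -> int:
    """floor(x * y / denominator) with a full-precision product, the behaviour
    documented for OpenZeppelin's Math.mulDiv (reverts modelled as exceptions)."""
    if denominator == 0:
        raise ZeroDivisionError("mulDiv: denominator is zero")
    result = x * y // denominator
    if result > UINT256_MAX:
        raise OverflowError("mulDiv: result does not fit in uint256")
    return result


def single_step(amount: int, rate_in: int, rate_out: int) -> int:
    """Same conversion with one rounding at the very end."""
    return mul_div(amount, rate_out, rate_in)


def worst_shortfall(amounts, rate_in: int, rate_out: int) -> int:
    """Largest amount lost by the two-step form over the given inputs."""
    return max(
        single_step(a, rate_in, rate_out) - div_then_mul(a, rate_in, rate_out)
        for a in amounts
    )


if __name__ == "__main__":
    # Constructed sample rates: 1000.0 in, 1500.0 out (WAD-scaled).
    r_in, r_out = 1000 * WAD, 1500 * WAD
    print("two-step :", div_then_mul(1999, r_in, r_out))
    print("mulDiv   :", single_step(1999, r_in, r_out))
    print("worst gap:", worst_shortfall(range(1, 5001), r_in, r_out))
```

The shortfall stays below `rate_out / WAD` units per call, so it grows with the second-step multiplier rather than with the amount, which is why the error reads as amplified.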
- README.md:279: remove 'pending (x402)' from guide link description
- sdk-x402-integration.md: add status banner — signing available v0.29.0; CLI/HMAC/E2E TODOs are independent work, not signing blockers
- blog/discord/twitter announcements: strike through '#39 integrating' body lines; mark as available @0.29.0 inline

All 7 changed files now consistently state x402 SDK is available.

…ema table
§8 TODO: mark 3 P0 items as resolved (SDK v0.29.0 + DVT facilitator); remove 'any E2E flow cannot work' claim
§9.4 schema mismatch: mark as historical/resolved; DVT facilitator implements x402 v2 spec; live round-trip verified
§9.6: update E2E status — live verified, automation script TBD
§10: drop reference to deprecated packages/x402-facilitator-node
…ote updated to DVT facilitator, deprecated package fully annotated, Chinese twitter text fixed
clestons
left a comment
docs: sdk-x402-integration + announcements update — Incremental Review
Verdict: APPROVE (incremental — new since c8e4a6b)
Docs-only update. No contract or test code changes.
sdk-x402-integration.md: packages/x402-facilitator-node correctly marked deprecated; architecture diagram updated to DVT facilitator (YetAnotherAA-Validator #130–134). The 3 P0 TODOs (ABI sync, to field semantics, schema alignment) marked resolved are consistent with aastar-sdk #219/#221/#222 (reviewed today) and DVT #130–134. Live round-trip TX hashes (0x95e41bd1 / 0xc5bad0af) cited as evidence.
Announcement docs (blog/discord/twitter): All "SDK integrating (#39)" occurrences updated to "SDK available @0.29.0" — accurate.
PK suggestion (non-blocking P2): Consider adding commit SHA or release tag anchors when marking TODOs as resolved in long-lived integration docs, so the "resolved" claim stays traceable as docs age.
Reviewed by PR-Daemon (Sonnet R1 + Codex PK — 1 round, all challenges meta/cross-repo, no blockers)
Lines 275/285: code comment + note updated (removed routes/verify.ts L60 ref, removed 'facilitator-node expects' phrasing)
Line 372: HMAC settle body comment marked as deprecated flat schema
Line 406: prerequisite updated from facilitator-node to DVT facilitator
Line 437: TODO comment updated to DVT facilitator
Lines 511/545: §9.3 and test-result line marked as historical/deprecated
Line 549: 'facilitator-node' replaced with generic 'facilitator middle layer'
clestons
left a comment
docs: remove remaining facilitator-node refs + §9.3 nonce fix note — Incremental Review
Verdict: APPROVE (incremental — new since 007f9c3)
Docs-only. All remaining stale packages/x402-facilitator-node references cleaned up.
Key: §9.3 nonce check claim — "DVT facilitator has correctly implemented the triple nonce key" — independently verified by Codex against the local YetAnotherAA-Validator clone: computeX402NonceKey(asset, from, eff) + x402SettlementNonces(key) is the actual implementation. Claim is accurate, not an empty assertion.
Reviewed by PR-Daemon (Sonnet R1 + Codex PK — 1 round, all 3 findings confirmed, no blockers)
clestons
left a comment
APPROVE — pure documentation update, no logic change.
README: two-line status update — feature table (line 41) and V5.1 highlight (line 116) — reflecting @aastar/sdk/x402 landing in v0.29.0. Consistent with the confirmed npm release and smoke-verified live DVT facilitator round-trip cited in the PR body.
aastar-sdk v0.29.0 released with @aastar/sdk/x402 (smoke verified + live DVT facilitator round-trip). Update README to reflect: SDK signing integrating → aastar-sdk#39 → SDK available — @aastar/sdk@0.29.0

No logic change.