# Heurist x402 EIP-3009 nonce readback

Buyer-specific packet for: https://github.com/heurist-network/heurist-mesh-x402/issues/2

## Offer

- A$390 readback: live no-wallet transcript, payment contract findings, payTo drift note, and regression checklist.
- A$1,900 implementation sprint: fixture test for 65/66/67-char nonce paths, docs/client example update, header/CORS contract smoke script, and PR-ready patch.

Contact: info@transhumanism.com.au  
Settlement after scope confirmation: USDC on Base or Polygon to `0x17D7251A8a8d60ab74d7D2B2d20D2a0389871729`.

## Fresh no-wallet readback

Endpoint: `POST https://mesh.heurist.xyz/x402/agents/TrendingTokenAgent/get_trending_tokens`

Three invalid-signature `X-PAYMENT` headers were generated from the issue sample. The only changed field was `payload.authorization.nonce` length.

| Nonce length | JSON length | Base64 length | Fresh result |
| --- | ---: | ---: | --- |
| 65 chars | 347 | 464 | HTTP 402, structured Zod nonce regex error |
| 66 chars | 348 | 464 | HTTP 402, `invalid_exact_evm_payload_recipient_mismatch` |
| 67 chars | 349 | 468 | HTTP 402, structured Zod nonce regex error |

Key finding: the valid EIP-3009 bytes32 shape (`0x` + 64 hex chars = 66 chars) no longer reproduces the original `Failed to parse JSON` failure. It parses and reaches payment verification / requirement matching.

## Current gaps surfaced

1. The issue sample uses `to=0x7d9d1821d15B9e0b8Ab98A058361233E255E405D`, while the live 402 accepts body now advertises `payTo=0xA112c9C8BF655c678c768B6fD42a1C6FbfeD7D60` for the tested route. Example payloads should align to current `accepts[0].payTo`.
2. The fresh 402 smoke response included the JSON accepts body, but did not expose a `Payment-Required` or `X-Payment-Required` header. Generic x402/browser agents may need that header contract in addition to the body.
3. A regression test should lock the fixed parser behavior so a future middleware/facilitator change cannot reintroduce the 348-byte/no-padding base64 edge case.

## Acceptance checklist

- Add a no-spend fixture test for 65-, 66-, and 67-character nonce payloads through the same `X-PAYMENT` decode path.
- Assert the 66-character nonce does not produce `Failed to parse JSON`.
- Update examples to derive `to` from current route accepts/payTo rather than stale issue text.
- Return/expose machine-readable challenge headers alongside the existing 402 JSON body.
- Keep tests invalid-signature/no-wallet so they verify parser and requirement matching without signing or moving funds.
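The following is an added, constructed walk-through of the decode path the gaps list and this checklist describe (decode, JSON parse, nonce schema gate, recipient match); it is not code from the heurist-mesh-x402 project. The payload layout, the filler signature and `from` address, and the plain regex standing in for the Zod schema are assumptions; the `to` and `payTo` addresses are the ones quoted above. The constructed body is sized so the 66-character nonce lands on a no-padding base64 boundary (468 bytes), mirroring the 348-byte case in the table, although the exact byte counts differ from the issue sample.

```javascript
// Constructed fixture for the X-PAYMENT decode path: three headers that differ only in
// nonce length, run through base64 decode -> JSON.parse -> nonce regex -> recipient match.
const NONCE_RE = /^0x[0-9a-fA-F]{64}$/;                             // EIP-3009 bytes32, 66 chars
const ISSUE_TO = "0x7d9d1821d15B9e0b8Ab98A058361233E255E405D";    // `to` in the issue sample
const LIVE_PAY_TO = "0xA112c9C8BF655c678c768B6fD42a1C6FbfeD7D60";  // accepts[0].payTo from the live 402

// Build an "exact" scheme body around the given nonce. Signature and `from` are filler
// (assumption: field layout; nothing here is signed, so verification can never succeed).
function buildHeader(nonce) {
  const body = {
    x402Version: 1, scheme: "exact", network: "base",
    payload: {
      signature: "0x" + "ab".repeat(65),
      authorization: {
        from: "0x" + "11".repeat(20), to: ISSUE_TO,
        value: "100000", validAfter: "0", validBefore: "9999999999", nonce,
      },
    },
  };
  const json = JSON.stringify(body);
  return { json, header: Buffer.from(json, "utf8").toString("base64") };
}

// The decode path under test; returns the stage that rejected the header.
function decodeXPayment(header, payTo) {
  let parsed;
  try {
    parsed = JSON.parse(Buffer.from(header, "base64").toString("utf8"));
  } catch {
    return "failed_to_parse_json";                   // the original issue's failure mode
  }
  const auth = parsed && parsed.payload && parsed.payload.authorization;
  if (!auth || !NONCE_RE.test(auth.nonce)) return "nonce_regex_error";   // Zod-style schema gate
  if (auth.to.toLowerCase() !== payTo.toLowerCase()) return "recipient_mismatch";
  return "reached_settlement";
}

// Run 65/66/67-char nonces and record JSON bytes, base64 length and padding per variant.
function nonceReadback(payTo = LIVE_PAY_TO) {
  const base = "0x" + "00".repeat(32);               // 66 chars, valid bytes32 shape
  const variants = { 65: base.slice(0, 65), 66: base, 67: base + "0" };
  const out = {};
  for (const [len, nonce] of Object.entries(variants)) {
    const { json, header } = buildHeader(nonce);
    out[len] = {
      jsonLen: Buffer.byteLength(json, "utf8"),
      b64Len: header.length,
      padding: (header.match(/=+$/) || [""])[0].length,
      result: decodeXPayment(header, payTo),
    };
  }
  return out;
}
```

Only the 66-character variant should pass the nonce gate and fall through to recipient matching; the 65- and 67-character variants must stop at the schema error, and none of the three may report `failed_to_parse_json`.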

## Related proof

- x402 route smoke / headers / verify-settle: https://github.com/zalomea/marketplais/pull/23
- browser-agent x402 headers: https://github.com/voidly-ai/voidly-pay/pull/20
- x402 payment response readback: https://github.com/HathorNetwork/x402-poc/pull/15

This readback made no paid x402 call, used no private key, signed nothing, and moved no funds.
