# SolSentry x402 enforcement readback

Buyer-specific packet for `solsentry/solsentry-app#2`: <https://github.com/solsentry/solsentry-app/issues/2>

## Revenue offer

- **A$390 no-payment readback:** failing transcript, expected 402 contract, CORS/header table, and regression checklist.
- **A$1,900 implementation sprint:** backend payment gate patch, browser preflight fix, fixture-based tests, and deployment smoke script.
- Settlement after scope confirmation: USDC on Base or Polygon to `0x17D7251A8a8d60ab74d7D2B2d20D2a0389871729`, or invoice.

This packet involves no wallet signing, no paid call, no funds, and no bridge/swap/stake/trade.

## Observed no-payment transcript

```text
GET https://api.solsentry.app/v1/x402/stats
Origin: https://solsentry.app

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type, Authorization, X-Client-ID
X-Payment-Required: true
X-Price-USDC: 0.001
X-Payment-Network: solana-mainnet
X-Payment-Protocol: x402
X-Payment-Enforce: true

{ "total_queries": 53622, "total_usdc_billed": 53.622, ... }
```

```text
OPTIONS /v1/x402/stats
Access-Control-Request-Headers: X-PAYMENT, Content-Type

HTTP/1.1 204 No Content
Access-Control-Allow-Headers: Content-Type, Authorization, X-Client-ID
```

## Expected contract

1. No-payment `GET /v1/x402/stats` returns `402 Payment Required`, not `200`.
2. The 402 challenge includes amount, asset, network, payTo, resource, expiry, and timeout.
3. `Access-Control-Allow-Headers` includes `X-PAYMENT` and `Content-Type` (plus any documented casing variants; browsers match these names case-insensitively, so the variants are harmless but not what makes the preflight pass).
4. `Access-Control-Expose-Headers` includes payment challenge and receipt headers, including `X-Payment-Response`.
5. Accepted paid requests verify/settle before returning ledger JSON.
6. Failed verify/settle paths return non-200 without protected ledger data.
7. Challenge and receipt responses carry `Cache-Control: private, no-store` plus `Vary: Origin, Access-Control-Request-Headers`, so no shared cache can replay one client's challenge or receipt to another.
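A reference gate that satisfies the seven items above, written here as an added example and not SolSentry's code. It is a pure request handler (request object in, `{status, headers, body}` out) so it can be exercised without a socket; `settle()` stands in for the facilitator verify/settle call and is injected, and `PAY_TO`, the challenge TTL, the ledger numbers and the stub receipts are constructed placeholders, not values from the service.

```javascript
// Added example, not SolSentry's code: a fail-closed x402 gate for
// GET /v1/x402/stats written as a pure request handler so it can be
// unit-tested without a listening socket. Header names and challenge
// fields follow the expected contract above; PAY_TO, the TTL, the ledger
// numbers and the settle() hook are constructed placeholders.

const PRICE_USDC = '0.001';
const NETWORK = 'solana-mainnet';
const RESOURCE = '/v1/x402/stats';
const PAY_TO = 'PayToPlaceholder1111111111111111111111111111'; // assumption
const CHALLENGE_TTL_SECONDS = 300;                                 // assumption

// Everything the browser may send on a paid call. Listing both casings is
// harmless; browsers match these names case-insensitively anyway.
const ALLOW_HEADERS = 'Content-Type, Authorization, X-Client-ID, X-PAYMENT, X-Payment';
// Challenge and receipt headers that page script is allowed to read.
const EXPOSE_HEADERS =
  'X-Payment-Required, X-Price-USDC, X-Payment-Network, X-Payment-Protocol, X-Payment-Response';

// Constructed sample ledger standing in for the protected data.
const LEDGER = { total_queries: 53622, total_usdc_billed: 53.622 };

function baseHeaders() {
  return {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Methods': 'GET, OPTIONS',
    'Access-Control-Allow-Headers': ALLOW_HEADERS,
    'Access-Control-Expose-Headers': EXPOSE_HEADERS,
    'Cache-Control': 'private, no-store',
    Vary: 'Origin, Access-Control-Request-Headers',
  };
}

// The 402 challenge: amount, asset, network, payTo, resource, expiry, timeout.
function buildChallenge(nowMs) {
  const timeout = CHALLENGE_TTL_SECONDS;
  return {
    amount: PRICE_USDC, asset: 'USDC', network: NETWORK, payTo: PAY_TO,
    resource: RESOURCE, expiry: Math.floor(nowMs / 1000) + timeout, timeout,
  };
}

function paymentRequired(nowMs, reason) {
  const body = buildChallenge(nowMs);
  if (reason) body.error = reason;
  return {
    status: 402,
    headers: {
      ...baseHeaders(),
      'Content-Type': 'application/json',
      'X-Payment-Required': 'true',
      'X-Price-USDC': PRICE_USDC,
      'X-Payment-Network': NETWORK,
      'X-Payment-Protocol': 'x402',
      'X-Payment-Enforce': 'true',
    },
    body: JSON.stringify(body),
  };
}

function jsonError(status, message) {
  return {
    status,
    headers: { ...baseHeaders(), 'Content-Type': 'application/json' },
    body: JSON.stringify({ error: message }),
  };
}

// Header names are case-insensitive, so look the request header up that way.
function header(req, name) {
  const want = name.toLowerCase();
  const key = Object.keys(req.headers || {}).find((k) => k.toLowerCase() === want);
  return key === undefined ? undefined : req.headers[key];
}

// settle(paymentHeader, challenge) is the injected verify-and-settle hook. It
// resolves to { ok: true, receipt } or { ok: false, reason } and may throw.
async function handleStats(req, settle, nowMs = Date.now()) {
  if (req.method === 'OPTIONS') return { status: 204, headers: baseHeaders(), body: '' };
  if (req.method !== 'GET') return jsonError(405, 'method not allowed');

  const payment = header(req, 'X-PAYMENT');
  if (!payment) return paymentRequired(nowMs);             // items 1 and 2

  let result;
  try {
    result = await settle(payment, buildChallenge(nowMs)); // item 5: settle first
  } catch (err) {
    return jsonError(502, 'settlement unavailable');       // item 6: fail closed
  }
  if (!result || result.ok !== true || typeof result.receipt !== 'string') {
    return paymentRequired(nowMs, (result && result.reason) || 'payment rejected');
  }
  return {
    status: 200,
    headers: { ...baseHeaders(), 'Content-Type': 'application/json', 'X-Payment-Response': result.receipt },
    body: JSON.stringify(LEDGER),                          // ledger only after settle
  };
}
```

The point of the structure is that the ledger response is constructed only on the branch where `settle()` has resolved with a receipt; a missing `X-PAYMENT`, a rejected payment and a facilitator outage all leave the function before that line, which is exactly what the observed 200-with-`X-Payment-Enforce: true` transcript fails to do. Wiring it into a real server is a thin adapter that copies `headers` and `body` onto the response object.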

## Regression smoke script

```bash
BASE=https://api.solsentry.app/v1/x402/stats
ORIGIN=https://solsentry.app

# 1. Unpaid GET: must be a 402 challenge, never a 200 carrying ledger JSON.
curl -si "$BASE" -H "Origin: $ORIGIN" | tee /tmp/x402-unpaid.txt
# expect: 402, payment challenge, no ledger JSON
grep -q '^HTTP/[0-9.]* 402' /tmp/x402-unpaid.txt || echo 'FAIL: unpaid GET is not 402'
grep -q 'total_queries' /tmp/x402-unpaid.txt && echo 'FAIL: ledger JSON served without payment'

# 2. Preflight: the browser must be allowed to send X-PAYMENT.
curl -si -X OPTIONS "$BASE" \
  -H "Origin: $ORIGIN" \
  -H 'Access-Control-Request-Method: GET' \
  -H 'Access-Control-Request-Headers: X-PAYMENT, Content-Type' | tee /tmp/x402-preflight.txt
# expect: 204 and Access-Control-Allow-Headers includes X-PAYMENT
grep -i '^Access-Control-Allow-Headers:' /tmp/x402-preflight.txt | grep -qi 'x-payment' \
  || echo 'FAIL: preflight does not allow X-PAYMENT'
```

## Proof references

- Browser-agent x402 headers: <https://github.com/voidly-ai/voidly-pay/pull/20>
- x402 middleware route smoke: <https://github.com/zalomea/marketplais/pull/23>
- x402 payment response readback: <https://github.com/HathorNetwork/x402-poc/pull/15>
