Add static paid x402 gateway and per-MTok pricing support#262
Merged
Add static paid x402 gateway and per-MTok pricing support#262
Conversation
Adds the full sell→discover→buy BDD test suite and the upstream auth injection mechanism, rebased cleanly on current main. ## BDD Integration Tests (godog/Gherkin) 7 scenarios, 75 steps, following the real user journey: 1. Operator sells inference via CLI + agent reconciles 2. Unpaid request returns 402 with pricing 3. Paid request returns real inference (EIP-712 → verify → Ollama) 4. Full discovery-to-payment cycle 5. Paid request through Cloudflare tunnel 6. Agent discovers registered service through tunnel 7. Operator deletes ServiceOffer + cleanup TestMain bootstrap: obol stack init/up → model setup → sell pricing → agent init → sell http → wait for reconciliation. No kubectl shortcuts. ## Upstream Auth Injection x402-verifier now injects Authorization header on paid requests: - RouteRule.UpstreamAuth field in pricing config - Verifier sets header in 200 response → Traefik copies via authResponseHeaders - monetize.py reads LiteLLM master key → writes upstreamAuth to route - Eliminates manual HTTPRoute RequestHeaderModifier patches ## Tunnel URL Injection `obol tunnel status` auto-sets AGENT_BASE_URL on the obol-agent deployment. monetize.py reads it to publish the tunnel URL in registration JSON. Files: - internal/x402/features/integration_payment_flow.feature (new) - internal/x402/bdd_integration_test.go (new) - internal/x402/bdd_integration_steps_test.go (new) - internal/x402/config.go (UpstreamAuth field) - internal/x402/verifier.go (inject Authorization on 200) - internal/embed/skills/sell/scripts/monetize.py (read master key, upstreamAuth) - internal/tunnel/tunnel.go (InjectBaseURL, auto-inject on status) - internal/embed/infrastructure/.../obol-agent-monetize-rbac.yaml (secrets:get)
The previous commit added secrets:get to the cluster-wide openclaw-monetize-workload ClusterRole, which gave the agent read access to ALL secrets in ALL namespaces. Fix: remove secrets from ClusterRole and add a namespaced Role in the llm namespace scoped to litellm-secrets only via resourceNames restriction. Same pattern as the existing openclaw-x402-pricing Role in the x402 namespace. Verified: - Agent can read litellm-secrets in llm namespace (200 OK) - Agent cannot list kube-system secrets (403 Forbidden) - All 7 BDD scenarios pass with scoped RBAC
…ering
Enriches agent registration with machine-readable metadata for discovery:
## Off-chain (Registration JSON)
- Add OASF service entry with skills[] and domains[] taxonomy paths
Default for inference: skills=["natural_language_processing/text_generation/chat_completion"]
Default for inference: domains=["technology/artificial_intelligence"]
- Build richer description from spec (model name, price, type)
- Always emit supportedTrust field (empty array if none)
- CLI flags: --register-skills, --register-domains for custom taxonomy
## On-chain (setMetadata)
- New _set_metadata_on_chain() in monetize.py — ABI-encodes and signs
setMetadata(uint256, string, bytes) via remote-signer + eRPC
- Sets "x402.supported" = 0x01 and "service.type" = "inference"|"http"
after successful register() — indexed MetadataSet events enable
eth_getLogs topic-based filtering without fetching every JSON
## Discovery
- discovery.py search --x402-only: filter by MetadataSet events where
indexedMetadataKey == keccak256("x402.supported")
- discovery.py search --filter <key>: generic metadata key filter
## Types
- ServiceDef gains Skills/Domains fields (json:"skills/domains,omitempty")
## BDD
- Discover scenario now validates OASF skills and domains in registration
7 scenarios, 77 steps all pass.
OisinKyne
approved these changes
Mar 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
per-mtokpricing support with explicitperRequest = perMTok / 1000approximation and surface the source pricing metadata in sell flowspaid/* -> openai/* -> x402-buyerwith buyer-side metrics, hot reload, andbuy.py maintainqwen3.5:9bpaid commerce loopCloses #258.
Testing
go test ./...python3 -m py_compile internal/embed/skills/buy-inference/scripts/buy.py internal/embed/skills/sell/scripts/monetize.pyOBOL_DEVELOPMENT=true OBOL_CONFIG_DIR=$(pwd)/.workspace/config OBOL_BIN_DIR=$(pwd)/.workspace/bin OBOL_DATA_DIR=$(pwd)/.workspace/data go test -tags integration -v -run TestIntegration_Tunnel_SellDiscoverBuySidecar_QuotaAndBalance -timeout 30m ./internal/openclaw