Follow-up: hono_v2/express_v2 correctness + workspace-only flags #120

@jolestar

Parent: #89

Context

#94 was marked completed and merged via PR #107, adding @x402x/hono_v2 and @x402x/express_v2.

While reviewing main, a few items look either missing vs the original acceptance criteria or potentially risky for real middleware behavior.

Issues to address

  1. Workspace-only requirement not enforced
  • typescript/packages/hono_v2/package.json and typescript/packages/express_v2/package.json currently do not set "private": true.
  2. Potential payment-required flow / security semantics
  • typescript/packages/express_v2/src/index.ts currently calls next() unconditionally, and may also call it inside the official middleware callback.
    • This can lead to handlers executing even when payment is required (or after a response was already sent), which is risky.
  • typescript/packages/hono_v2/src/index.ts contains logic that returns 200 with a requiresPayment JSON payload “for testing purposes” when x402Response.requiresPayment is set.
    • If the official middleware sets x402Response in production, this could accidentally override a proper 402.
  3. Tests do not assert real 402 flow
  • Current integration tests primarily assert 200 responses under mocked behavior and do not validate 402 PAYMENT-REQUIRED semantics, extension echo, or eip155:* wildcard behavior.
  4. Unexpected submodule bump

Goal

Align v2 middleware wrappers with the intended contract:

  • Workspace-only (private: true)
  • Correct PAYMENT-REQUIRED behavior (no handler execution without payment)
  • Tests that assert real 402 responses and required fields

Acceptance Criteria

  • hono_v2 and express_v2 packages are marked private: true.
  • Middleware does not call downstream handlers when payment is required.
  • Integration tests validate:
    • 402 response on missing payment
    • accepts includes settlement extra and required extension (if applicable)
    • No next() leak in Express when payment is required
  • Confirm / document why deps/x402 submodule changed, or revert if accidental.
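
The "no next() leak" criterion above, as an added example that is not code from the issue or from the x402x repository: a wrapper that calls next() unconditionally beside one that reaches next() only through the payment gate's callback, driven by a mock request so the handler-execution count can be asserted. `paymentGate`, `leakyWrapper`, `strictWrapper`, `run` and the `x-payment` header name are hypothetical, and the gate is a synchronous stand-in for the official middleware.

```javascript
// Stand-in for the official payment middleware (assumed behaviour, constructed
// for this example): reply 402 when no payment header is present, otherwise
// invoke the callback so the request can continue.
function paymentGate(req, res, cb) {
  if (!req.headers["x-payment"]) {        // header name is a placeholder
    res.statusCode = 402;
    res.body = { error: "PAYMENT-REQUIRED", accepts: [] };
    res.sent = true;
    return;
  }
  cb();
}

// Pattern the issue describes: next() is called inside the callback and then
// again unconditionally, so the handler runs even after a 402 was sent.
function leakyWrapper(req, res, next) {
  paymentGate(req, res, () => next());
  next();
}

// Corrected pattern: next() is reachable only through the gate's callback,
// at most once, and never after a response has been sent.
function strictWrapper(req, res, next) {
  let called = false;
  paymentGate(req, res, () => {
    if (called || res.sent) return;
    called = true;
    next();
  });
}

// Drive a wrapper with a mock req/res and count downstream handler executions.
function run(wrapper, headers) {
  const req = { headers };
  const res = { statusCode: 200, body: null, sent: false };
  let handlerRuns = 0;
  wrapper(req, res, () => { handlerRuns += 1; });
  return { status: res.statusCode, handlerRuns };
}

const paid = { "x-payment": "constructed-sample-value" };
console.log("leaky, unpaid :", run(leakyWrapper, {}));
console.log("leaky, paid   :", run(leakyWrapper, paid));
console.log("strict, unpaid:", run(strictWrapper, {}));
console.log("strict, paid  :", run(strictWrapper, paid));
```

An integration test for the real wrapper can use the same shape: register a handler that increments a counter, send a request without payment, and assert both the 402 status and a counter of zero.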
