{
  "ok": true,
  "schema": "wisely.x402.native-facilitator-security.v1",
  "title": "Wisely native x402 facilitator security boundary",
  "contact": "paul@wiselyenterprisesllc.com",
  "publicEndpoints": {
    "status": "https://payments.wiselyenterprisesllc.com/x402/facilitator/status",
    "proof": "https://payments.wiselyenterprisesllc.com/x402/facilitator/proof",
    "reconciliation": "https://payments.wiselyenterprisesllc.com/x402/facilitator/reconciliation",
    "supported": "https://payments.wiselyenterprisesllc.com/x402/facilitator/supported",
    "guide": "https://payments.wiselyenterprisesllc.com/guides/x402-facilitator-security"
  },
  "nativeRail": [
    {
      "scheme": "exact",
      "network": "eip155:8453",
      "asset": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
      "assetSymbol": "USDC",
      "assetTransferMethod": "eip3009",
      "eip712": {
        "name": "USD Coin",
        "version": "2"
      },
      "settlement": "enabled"
    }
  ],
  "signerGateway": {
    "provider": "managed_http_signer",
    "gatewayConfigured": true,
    "gatewayHost": "wisely-managed-evm-signer:4021",
    "swapPath": "Set WISELY_FACILITATOR_SIGNER_PROVIDER plus WISELY_FACILITATOR_SIGNER_URL/TOKEN to point at a KMS/HSM signer gateway that implements GET /status and POST /settle.",
    "requiredGatewayContract": {
      "status": "GET /status returns ok, custody, signerProvider, address, chainId, balanceWei, needsBaseEthForGas",
      "settle": "POST /settle accepts chainId, rpcUrls, asset, EIP-3009 transferWithAuthorization args, confirmations, timeoutMs and returns transaction/block/gas/relayer/custody"
    }
  },
  "endpointSecrets": {
    "configured": true,
    "devFallbackAllowed": false,
    "note": "Hosted endpoint secrets require a configured encryption seed in production. Secret values are never returned here."
  },
  "protections": [
    "Every native payment must include an accepted x402 requirement copied from the challenged resource.",
    "The accepted requirement must match the exact resource URL, HTTP method, payload hash, amount, payTo, network, and asset.",
    "The accepted requirement must include a short-lived Wisely challenge nonce/hash, preventing stale cached 402 challenges from being reused after expiry.",
    "Exact EIP-3009 payments require exact amount equality, not at-least payment.",
    "EIP-3009 authorization fields are verified locally before settlement: from, to, value, validAfter, validBefore, nonce, and signature.",
    "USDC authorizationState is checked before settlement and reconciled after settlement.",
    "The on-chain transfer is executed by a dedicated relayer; the buyer never shares a private key or seed phrase with Wisely.",
    "The current capped-launch relayer uses a separate signer service with encrypted-at-rest key material rather than carrying the relayer private key in the public payment API process.",
    "Local blocklist/KYT hooks run before settlement; a configured KYT provider can fail closed.",
    "Per-buyer and per-seller velocity limits run before settlement.",
    "Receipts store public-safe payment, binding, result, block, and reconciliation hashes."
  ],
  "knownLimits": [
    "Current self-facilitated production proof is Base USDC EIP-3009. Other rails may be compatibility or handoff paths.",
    "The local sealed signer reduces plain-env hot-key exposure at minimal cost, but it is not a formal cloud KMS/HSM and does not replace legal, compliance, or security review.",
    "Relayer custody reports its configured mode at /x402/facilitator/status; high-value processing should move to KMS/HSM/Vault or equivalent managed signer custody.",
    "High-value production processing should add an external security audit, KYT provider, and formal incident runbook before raising caps."
  ],
  "headers": {
    "payment": "X-PAYMENT",
    "response": "X-PAYMENT-RESPONSE / PAYMENT-RESPONSE"
  }
}