fix(aip18): close legacy-helper budget leak + buyer-link path bug + buyer UX#22
Merged
Conversation
…uyer UX
Three review findings against the v4.4.4 AIP-18 implementation:
1. (Medium) publishAgirailsMd() — the exported legacy helper — uploaded a
pay-only file to IPFS *before* its on-chain pay-only short-circuit, so a
direct caller could still leak a buyer's budget. Intent is now detected up
front; the IPFS/Arweave upload is skipped entirely for intent:pay (cid='',
no config_cid written). The CLI path was already correct; this guards the
helper too.
2. (Medium) The buyer-link marker was written via getActpDir() (cwd/.actp),
not the project root of the published {slug}.md. `actp publish path/to/
buyer.md` from another directory dropped the marker where the runtime
client couldn't find it → client fell back to EOA. buyerLink now accepts an
explicit actpDir; `actp publish` passes the {slug}.md project root
(ACTP_DIR still wins, matching the client).
3. (Low/UX) Pay-only `actp publish` printed "Config published to IPFS" and
"Mainnet activation on first payment" — re-muddying exactly what AIP-18
clarifies. Output now branches by intent: a buyer sees "linked, budget
stays local, no on-chain registration" + buyer next-steps.
Tests: publishPipeline pay-only (no upload, no register, no config_cid) +
buyerLink explicit-actpDir. Full SDK suite green (2315 passed, 0 failed).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
DamirAGI
added a commit
that referenced
this pull request
Jun 6, 2026
Closes the three review findings on top of 4.4.4:
- legacy publishAgirailsMd() no longer uploads a pay-only file to IPFS
- buyer-link marker is written to the {slug}.md project root, not cwd
- pay-only publish output no longer claims IPFS publish / mainnet activation
Source merged in #22. Bump kept separate from in-flight 4.5.0 delivery work.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes the three review findings against the v4.4.4 AIP-18 implementation (the items blocking a 'frozen AIP-18' sign-off).
1. (Medium) Legacy helper budget leak
publishAgirailsMd()(exported helper) uploaded a pay-only file to IPFS before its on-chain pay-only short-circuit, so a direct caller could still leak a buyer'sbudget. Intent is now detected up front; the IPFS/Arweave upload is skipped entirely forintent: pay(cid='', noconfig_cidwritten). The CLI path was already correct — this guards the helper too. (publishPipeline.ts)2. (Medium) Buyer-link marker written to the wrong .actp
The marker was written via
getActpDir()(cwd/.actp), not the project root of the published{slug}.md.actp publish path/to/buyer.mdfrom another directory dropped the marker where the runtime client couldn't find it → client fell back to EOA.buyerLinknow accepts an explicitactpDir;actp publishpasses the{slug}.mdproject root (ACTP_DIRstill wins, matching the client). (buyerLink.ts, publish.ts)3. (Low/UX) Buyer publish output muddied the mental model
Pay-only
actp publishprinted "Config published to IPFS" + "Mainnet activation on first payment" — re-muddying exactly what AIP-18 clarifies. Output now branches by intent: a buyer sees "linked, budget stays local, no on-chain registration" + buyer next-steps.Tests
publishPipelinepay-only (no upload, no register, noconfig_cid) +buyerLinkexplicit-actpDir. Full SDK suite green (2315 passed, 0 failed).Builds on #20/#21. With this, AIP-18 is ready to freeze. Implements agirails/aips#3.
🤖 Generated with Claude Code