Live Testnet Proof Harness
The committed live proof runner is scripts/proof-live-testnet.mjs. It is a separate, opt-in executable for kaspa:testnet-10 only and never requires a hosted facilitator.
The runner validates configuration, calls an operator-provided adapter module, checks that all required evidence is present, and writes an ignored operational report. It does not contain wallet, RPC, signing, broadcast, or per-transaction recovery logic. Those responsibilities belong to the adapter used for a live run. The public summary in docs/live-testnet-report.md is the sanitized committed report.
Current Required Flow
The runner requires live evidence for:
1. exact payment and replay rejection; 2. batch deposit-voucher settlement; 3. batch voucher-only settlement; 4. batch claim construction and broadcast; 5. replay rejection across exact and batch-settlement; 6. batch refund construction and broadcast after timeout.
The live result must state transaction ids, transaction versions, version evidence source, finality for every broadcast transaction, final rejection for the replay attempt, outpoints, charged amounts, top-level settlement amounts, Kaspa extension charged amounts, cumulative charge before/after values, replay outcomes, and refund/claim evidence where applicable. Claim evidence must reconcile the funding input, previous claimed cumulative amount, active charged amount, claim amount, server output, fee, and continuation amount. Refund evidence must reconcile the continuation input, refund amount, and fee. Batch voucher-only evidence must prove it continues the same channel and active outpoint opened by the deposit-voucher flow.
Report And Recovery Files
With --write-report, the runner writes:
.kaspa-x402-live/report.jsonfor successful or blocked check output;.kaspa-x402-live/recovery.jsonfor blocked or failed runner state.
These files are ignored by git because they can contain operational metadata. The committed sanitized summary is docs/live-testnet-report.md.
The runner's recovery file is not a resumable transaction journal. A production or release-candidate live adapter should maintain its own pre-submit recovery record with:
- network;
- template id;
- client public key;
- server public key;
- refund timeout DAA score;
- escrow address;
- active outpoint;
- active script public key;
- funding amount in sompi;
- latest signed cumulative voucher amount in sompi;
- latest voucher signature;
- submitted transaction ids;
- whether the replay attempt was rejected.
Safety Gates
- Refuse to run any network other than
kaspa:testnet-10. - Refuse
--liveunless the operator supplies the required RPC, funding, adapter, network, and confirmation environment variables. - Refuse to accept a live result that omits required flow evidence.
- Refuse to accept missing or inconsistent transaction-version evidence.
- Refuse to accept missing accepted-or-confirmed finality for funding, settlement, claim, or refund transactions.
- Refuse to claim more than the latest voucher amount.
- Refuse to claim when the continuation output would be below
inputAmount - voucherAmount. - Refuse to accept a claim or refund report whose input/output/fee accounting does not reconcile with the active charged amount and continuation amount.
- Refuse to publish if the script public key differs from the fixture-derived value.
- Adapter implementations should refuse to run if their own recovery journal exists and the operator has not chosen resume or reset.