14
X402 Secure Operations Runbook
Operational procedures for VI/AP2-aware x402 risk gating
This runbook covers the partner-ready operating model for X402 Secure when it processes Verifiable Intent-style evidence, AP2 mandate context, x402 payment binding, and Trustline risk decisions.
Ownership
| Layer | Owner | Operational responsibility |
|---|---|---|
| XRPL x402 Facilitator | Facilitator team | Public XRPL x402 surface, extension transport, XRPL payment validation, settlement, receipt callback. |
| X402 Secure | X402 Secure team | VI/AP2 parsing, payment binding, policy enforcement, Trustline orchestration, internal facilitator API, gateway headers. |
| Trustline | Trustline team | Evidence sessions, VI-compatible verification adapter, constraint engine, risk decision, receipt storage. |
| Website and partner materials | Product and developer relations | Public positioning, demo guides, partner brief, runbook updates. |
Runtime Modes
| Mode | Use case | Default behavior |
|---|---|---|
| Paid API | Agent developers ask for a VI/AP2-bound risk check before payment. | Return paid-tool response with dashboard_summary. |
| Proxy gateway | Seller routes x402 verify and settle through X402 Secure. | Block deny and blocking-review before upstream facilitator call. |
| Internal facilitator | Hosted facilitators such as XRPL call X402 Secure internally. | Return enforcement-ready decision and receipt correlation fields. |
| Local sandbox | Deterministic demo and development. | Use fixture evidence, stable payment context, and test policy. |
Issuer Key Rotation
- Add the new issuer key or JWKS entry to Trustline configuration.
- Keep the old key active for the overlap window agreed with the issuer.
- Run VI verification tests for:
- current key
- rotated key
- expired key
- unknown issuer
- Confirm X402 Secure still receives
vi.verified=trueonly when Trustline verification succeeds. - Remove the old key only after all active VI presentations signed by the old key have expired.
Rollback:
- Restore the previous Trustline issuer config.
- Set policy
requireVerifiedIntent=falseonly for sandbox or controlled partner demos. - Keep
requireVerifiableIntent=trueif the flow still requires evidence presence.
Trustline Outage
Default production posture should be fail-closed for flows that require VI/AP2 risk enforcement.
| Condition | Gateway behavior | Operator action |
|---|---|---|
| Trustline 5xx or timeout | Return unavailable or block before settlement for required VI policies. | Check Trustline health, retry budget, and incident channel. |
| Trustline slow but available | Preserve request timeout and return a controlled error if exceeded. | Inspect latency, queue depth, and provider dependencies. |
| Non-required VI policy | Follow configured partner policy. | Confirm the flow is allowed to degrade before changing settings. |
Do not bypass Trustline from the XRPL x402 Facilitator. If Trustline is down, the Facilitator should receive a X402 Secure decision or controlled error, not call Trustline directly.
Review Mode
reviewMode controls how X402 Secure treats Trustline review decisions:
reviewMode | Settlement behavior | Use case |
|---|---|---|
block | Block before settlement. | Production default for partner demo and required VI/AP2 policies. |
allow | Continue settlement while retaining review metadata. | Low-value sandbox or explicitly approved partner experiments. |
review | Return review without settlement. | Manual review workflows. |
Acceptance check:
- A
reviewdecision withreviewMode=blockmust not call the upstream facilitator. - Dashboard fields must preserve the review reasons and warning list.
Receipt Retry and Idempotency
Settlement callbacks should include:
{ "decisionId": "dec_123", "evidenceRef": "tl_evd_123", "settlementAttemptId": "settle_attempt_001", "idempotencyKey": "xrpl:dec_123:settle_attempt_001", "payment": { "network": "xrpl-mainnet", "transactionHash": "ABC123", "status": "settled" } }
Rules:
- Retry receipt callbacks on transient X402 Secure or Trustline failures.
- Use a stable
idempotencyKeyfor retries of the same settlement attempt. - Use a new
settlementAttemptIdwhen the payment rail attempts settlement again. - Failed attempts may have
transactionHash=null; do not use transaction hash as the only idempotency key.
Evidence Retention and Privacy
Retain enough metadata for audit and disputes while minimizing sensitive VI claims:
- Store evidence refs, fingerprints, decision ids, policy, binding status, violation codes, and receipt ids.
- Avoid logging full VI presentations or raw disclosed claims unless explicitly required in a controlled audit environment.
- Redact authorization headers, bearer tokens, private keys, and full payment payloads in application logs.
- Keep partner-facing errors useful but narrow: expose violation codes and summary fields, not private credential contents.
XRPL Facilitator Validation
Before partner handoff, validate these XRPL items with the Facilitator team:
| Item | Validation target |
|---|---|
| Extension field shape | extensions.x402Secure carries VI refs, AP2 refs, trace context, policy, and payment hashes. |
| Hash canonicalization | X402 Secure and Facilitator compute identical hashes for payment requirements and payloads. |
| Amount representation | XRP drops and issued-currency decimal strings normalize consistently. |
| Requirement selection | Multiple payment requirements use an explicit selected index or selected hash. |
| Internal auth | Facilitator-to-X402 Secure calls use service token, mTLS, or equivalent internal auth. |
| Receipt semantics | settlementAttemptId and idempotencyKey are present and stable across retries. |
Monitoring
Track:
- Trustline decision latency and error rate.
- X402 Secure allow, deny, review, and unavailable counts.
- VI parse failures and verification failures.
- AP2 mandate missing or mismatch rates.
- Payment binding violation codes.
- Upstream facilitator calls blocked before settlement.
- Receipt callback success, retry, duplicate, and failure counts.
Alert when:
- Required VI flows suddenly allow without evidence.
- Deny or review rates spike for a partner.
- Trustline unavailable errors exceed the partner threshold.
- Receipt callback failures persist beyond the retry window.
Incident Response
- Identify scope: paid API, proxy gateway, XRPL internal facilitator, or Trustline backend.
- Preserve decision ids, evidence refs, trace ids, and receipt attempt ids.
- Confirm whether settlement was attempted.
- If settlement was not attempted, keep the payment blocked until policy is reviewed.
- If settlement was attempted, reconcile receipt status and transaction hash with the payment rail.
- Update partner with decision id and high-level violation codes only.
Release Checklist
| Check | Required |
|---|---|
| Paid tool schema URLs expose VI/AP2 inputs and dashboard outputs. | Yes |
| X402 Secure blocks deny before upstream facilitator call. | Yes |
| XRPL Facilitator calls X402 Secure, not Trustline. | Yes |
| Receipt callbacks are idempotent. | Yes |
| Demo allow and block vectors pass. | Yes |
| Runbook owner and escalation path are assigned. | Yes |