docs: add Demo 1 — Agentic joke buyer page (hq-tkzkr)

New page under the MUSD Payments with x402 sidebar group,
alongside Overview and Quickstart. The Quickstart covers the
browser-wallet flow (user clicks Pay now). Demo 1 covers the
complementary flow: a headless Node client pays the same paywall
with no UI and no human click.

Content:

- Intro contrasts the browser-buyer flow with the agentic flow and
  names the shared substrate (same protocol, same facilitator,
  same 0.001 MUSD charge).
- Prereqs reuse Account A from the Quickstart instead of asking
  the reader to re-mint MUSD. Adds an up-front caution about
  pasting a private key into .env (testnet-only; production
  agentic flows use HSM/MPC/KMS signer).
- Step 1 one-time Permit2 approval: cast call to read allowance,
  cast send to grant uint256.max if zero. Aside notes non-Foundry
  alternatives (viem writeContract, any EVM wallet extension).
- Step 2 install: @x402/fetch + @x402/evm + viem + dotenv, plus
  the pnpm.overrides block for the 2.10.x preview tarballs.
- Step 3 client.ts: trimmed version of vativ/mezo-hack/apps/humor/
  client/client.ts — loads private key, checks MUSD balance and
  Permit2 allowance, wraps fetch with wrapFetchWithPayment, GETs
  RESOURCE_URL, prints the joke plus the PAYMENT-RESPONSE header's
  settlement tx hash. Adds the same regex guard used in the
  Quickstart server.ts (0x + 64 hex for the private key, vs 0x
  + 40 hex for the receiving address).
- .env snippet with RESOURCE_URL alternates for local seller vs
  humor.vativ.io and a security note to .gitignore .env.
- Step 4 run + expected output.
- 'How the auto-payment works' explainer: 5-step walk-through of
  the 402 -> sign permit -> retry with X-PAYMENT -> facilitator
  settles -> 200 + PAYMENT-RESPONSE receipt flow.
- Troubleshooting table: missing Permit2 allowance, non-wrapped
  fetch, private-key format issues, empty 200, zero balance,
  insufficient allowance revert.
- Security section: testnet-only key, .gitignore, swappable
  signer interface for production.
- See also: Quickstart, humor repo, Permit2 upstream.

MUSD casing normalized throughout (the upstream client.ts uses
'mUSD' in places; the quickstart convention for this group is
'MUSD' and this page follows that). 'x402' lowercase preserved.

Nav:

- astro.config.mjs: added the new slug to the 'MUSD Payments with
  x402' items array, after x402-quickstart.
- SUMMARY.md: mirror the sidebar entry with the title 'Demo 1 —
  Agentic joke buyer'.

Validation: dev server HTTP fetch returns 200 on
/docs/developers/getting-started/musd-payments-x402/agentic-joke-buyer/
with the expected title ('Demo 1 — Agentic joke buyer | Mezo
Documentation'), H1, and 12 H2s. Sidebar on the quickstart page
now lists the new page 2,817 bytes after the 'MUSD Payments with
x402' group label (peer of Overview and Quickstart).

Pushed back on automation limits in hq-oqyhe still applies here:
I did not add screenshots to this new page. If screenshots are
wanted, the 'terminal showing successful run' and 'explorer view
of the settlement tx' are two automatable candidates for a
follow-up pass.

Author: ryanRfox

astro.config.mjs

@@ -392,7 +392,8 @@ export default defineConfig({
                         collapsed: true,
                         items: [
                               'docs/developers/getting-started/musd-payments-x402',
-                              'docs/developers/getting-started/musd-payments-x402/x402-quickstart'
+                              'docs/developers/getting-started/musd-payments-x402/x402-quickstart',
+                              'docs/developers/getting-started/musd-payments-x402/agentic-joke-buyer'
                         ]
                   },
                   {

src/content/docs/docs/SUMMARY.md

@@ -111,5 +111,6 @@ topic: users
   * [MUSD Payments with x402](developers/getting-started/musd-payments-x402/index.mdx)
     * [Overview](developers/getting-started/musd-payments-x402/index.mdx)
     * [x402 Quickstart](developers/getting-started/musd-payments-x402/x402-quickstart.mdx)
+    * [Demo 1 — Agentic joke buyer](developers/getting-started/musd-payments-x402/agentic-joke-buyer.mdx)
   * [chains](developers/chains/index.md)
   * [subgraphs](developers/subgraphs/index.md)

src/content/docs/docs/developers/getting-started/musd-payments-x402/agentic-joke-buyer.mdx

@@ -0,0 +1,329 @@
+---
+title: Demo 1 — Agentic joke buyer
+description: >-
+  A headless Node client that pays the Mezo x402 joke paywall
+  autonomously using @x402/fetch and a funded testnet wallet — no
+  browser, no Connect wallet button, no human click.
+topic: developers
+---
+
+import { Aside, Steps, Tabs, TabItem } from '@astrojs/starlight/components';
+
+The [Quickstart](./x402-quickstart/) walked through a **buyer-clicks-the-button**
+flow: the paywall renders in a browser, the reader signs with MetaMask,
+the joke appears.
+
+Demo 1 flips that around: a **headless agent** pays the same paywall,
+with no UI and no human in the loop. The agent loads a private key,
+wraps `fetch()` with x402 payment handling, makes one GET request,
+and the `@x402/fetch` helper does the rest — detect `402`, sign a
+permit2 authorization, retry, read the receipt header, print the joke.
+
+Same protocol, same facilitator, same `0.001 MUSD` charge. Different
+end user — code instead of a person.
+
+## What you will build
+
+A single-file Node client (`client.ts`) that:
+
+1. Loads **Account A**'s private key (the account funded with MUSD in
+   the [Quickstart](./x402-quickstart/#step-2-get-testnet-musd-to-pay-with)).
+2. Wraps global `fetch` with `wrapFetchWithPayment` from `@x402/fetch`.
+3. Calls a paywalled URL — either the live `humor.vativ.io/joke` or
+   your own seller from Step 7 of the Quickstart.
+4. Prints the joke to the terminal plus the on-chain settlement
+   transaction hash it paid.
+
+No browser, no wallet extension, no Connect-wallet click.
+
+<Aside type="caution" title="You will paste a private key into an env var">
+The agent signs with a raw private key loaded from `.env`. Use a
+**testnet-only, throwaway key** — never an address that holds real
+funds on any mainnet. For production agentic flows you'd replace the
+private key with a hardware signer, an MPC wallet, or a KMS-backed
+signer (see the x402 specs for the signer interface).
+</Aside>
+
+## Prerequisites
+
+- **Node.js 20+** and **pnpm 9+**. Same as the Quickstart.
+- **Account A (Buyer) from the Quickstart** — already funded with ≥
+  1,800 MUSD and on Mezo Testnet. If you haven't done the Quickstart,
+  do Steps 1 and 2 of it first, then come back here.
+- **Account A's private key.** In MetaMask:
+  account menu → *"Account details"* → *"Show private key"* → type
+  your MetaMask password. Copy the `0x…` private key somewhere you
+  will delete after this demo.
+- A running x402 seller to call. Either:
+  - Your local seller from Quickstart Step 7 (`localhost:3000/paid`),
+    or
+  - The live demo at `https://humor.vativ.io/joke` (no setup needed).
+
+## Step 1: One-time Permit2 approval
+
+The `@x402/fetch` EVM signer moves MUSD via
+[Uniswap's Permit2](https://github.com/Uniswap/permit2) — one allowance
+grant from your wallet to the Permit2 contract, then every subsequent
+payment is a signature, not a new on-chain approval. You only do this
+once per account.
+
+Check whether Account A has already approved Permit2 for MUSD:
+
+```bash
+cast call 0x118917a40FAF1CD7a13dB0Ef56C86De7973Ac503 \
+  "allowance(address,address)(uint256)" \
+  <account-A-address> \
+  0x000000000022D473030F116dDEE9F6B43aC78BA3 \
+  --rpc-url https://rpc.test.mezo.org
+```
+
+(`0x0000…BA3` is the canonical Permit2 contract address, same on every
+EVM chain.)
+
+If the returned allowance is `0`, approve it:
+
+```bash
+cast send 0x118917a40FAF1CD7a13dB0Ef56C86De7973Ac503 \
+  "approve(address,uint256)" \
+  0x000000000022D473030F116dDEE9F6B43aC78BA3 \
+  115792089237316195423570985008687907853269984665640564039457584007913129639935 \
+  --rpc-url https://rpc.test.mezo.org \
+  --private-key $CLIENT_PRIVATE_KEY
+```
+
+(The big number is `type(uint256).max` — grant unlimited approval so
+you never have to re-approve.)
+
+<Aside type="note" title="No cast? Use your preferred tool">
+`cast` is part of [Foundry](https://book.getfoundry.sh/). If you
+prefer Node, you can make the same `approve` call with `viem`'s
+`writeContract`, or run it through any EVM wallet extension by
+sending a token approval transaction to Permit2.
+</Aside>
+
+## Step 2: Install client packages
+
+```bash
+mkdir mezo-x402-joke-buyer && cd mezo-x402-joke-buyer
+pnpm init
+pnpm add @x402/fetch @x402/evm viem dotenv
+pnpm add -D typescript tsx @types/node
+```
+
+The same Mezo-preview override reasoning from Quickstart Step 6
+applies here too: if `pnpm list @x402/fetch` shows `2.10.x` and not
+`2.11.0+`, add the overrides block to `package.json`:
+
+```json
+"pnpm": {
+  "overrides": {
+    "@x402/evm":   "https://github.com/vativ/x402-mezo-preview/releases/download/v2.10.0-mezo.6/x402-evm-2.10.0-mezo.6.tgz",
+    "@x402/fetch": "https://github.com/vativ/x402-mezo-preview/releases/download/v2.10.0-mezo.6/x402-fetch-2.10.0-mezo.6.tgz"
+  }
+}
+```
+
+Then `pnpm install` again.
+
+## Step 3: Write the agent
+
+Create `client.ts`:
+
+```typescript
+import 'dotenv/config';
+import { wrapFetchWithPayment, x402Client, decodePaymentResponseHeader } from '@x402/fetch';
+import { ExactEvmScheme } from '@x402/evm/exact/client';
+import { toClientEvmSigner, PERMIT2_ADDRESS } from '@x402/evm';
+import { createPublicClient, http, erc20Abi } from 'viem';
+import { privateKeyToAccount } from 'viem/accounts';
+import { mezoTestnet } from 'viem/chains';
+
+const RESOURCE_URL = process.env.RESOURCE_URL || 'http://localhost:3000/paid';
+const RPC_URL      = process.env.RPC_URL      || 'https://rpc.test.mezo.org';
+const MUSD_ADDRESS = '0x118917a40FAF1CD7a13dB0Ef56C86De7973Ac503' as `0x${string}`;
+
+const CLIENT_PRIVATE_KEY = process.env.CLIENT_PRIVATE_KEY as `0x${string}` | undefined;
+if (!CLIENT_PRIVATE_KEY || !/^0x[0-9a-fA-F]{64}$/.test(CLIENT_PRIVATE_KEY)) {
+  throw new Error('CLIENT_PRIVATE_KEY must be set to a 0x-prefixed 64-hex-character private key.');
+}
+
+async function main() {
+  const account = privateKeyToAccount(CLIENT_PRIVATE_KEY);
+  const publicClient = createPublicClient({ chain: mezoTestnet, transport: http(RPC_URL) });
+
+  // Sanity-check MUSD balance and Permit2 allowance before trying to pay.
+  const balanceBefore = await publicClient.readContract({
+    address: MUSD_ADDRESS, abi: erc20Abi, functionName: 'balanceOf', args: [account.address],
+  });
+  const allowance = await publicClient.readContract({
+    address: MUSD_ADDRESS, abi: erc20Abi, functionName: 'allowance',
+    args: [account.address, PERMIT2_ADDRESS as `0x${string}`],
+  });
+  console.log(`Buyer wallet:    ${account.address}`);
+  console.log(`MUSD balance:    ${(Number(balanceBefore) / 1e18).toFixed(6)} MUSD`);
+  console.log(`Permit2 allowance: ${allowance === 0n ? 'MISSING — run Step 1 first' : 'OK'}`);
+
+  // Wrap fetch with x402 payment handling: detects 402, signs, retries.
+  const signer = toClientEvmSigner(account, publicClient);
+  const client = new x402Client();
+  client.register('eip155:*', new ExactEvmScheme(signer));
+  const fetchWithPay = wrapFetchWithPayment(fetch, client);
+
+  console.log(`\nRequesting ${RESOURCE_URL} …`);
+  const response = await fetchWithPay(RESOURCE_URL);
+  if (!response.ok) {
+    console.error(`Request failed: ${response.status} ${response.statusText}`);
+    console.error(await response.text());
+    return;
+  }
+
+  const data = await response.json();
+  console.log('\n=== Payment Successful ===');
+  console.log(JSON.stringify(data, null, 2));
+
+  // Read the settlement receipt the server attached to the 200 response.
+  const rxHeader = response.headers.get('PAYMENT-RESPONSE') || response.headers.get('X-PAYMENT-RESPONSE');
+  if (rxHeader) {
+    const rx = decodePaymentResponseHeader(rxHeader);
+    console.log('\nOn-chain settlement:');
+    console.log(`  tx:       ${rx.transaction}`);
+    console.log(`  network:  ${rx.network}`);
+    console.log(`  success:  ${rx.success}`);
+  }
+
+  const balanceAfter = await publicClient.readContract({
+    address: MUSD_ADDRESS, abi: erc20Abi, functionName: 'balanceOf', args: [account.address],
+  });
+  const delta = balanceBefore - balanceAfter;
+  console.log(`\nMUSD spent: ${(Number(delta) / 1e18).toFixed(6)} MUSD`);
+}
+
+main().catch((err) => { console.error(err); process.exit(1); });
+```
+
+Create `.env`:
+
+```bash
+# Account A's private key — use a testnet-only wallet. Never mainnet.
+CLIENT_PRIVATE_KEY=0xYOUR_ACCOUNT_A_PRIVATE_KEY_HERE
+
+# Target URL. Pick one:
+# RESOURCE_URL=http://localhost:3000/paid        # your local seller from the Quickstart
+# RESOURCE_URL=https://humor.vativ.io/joke       # the live demo
+RESOURCE_URL=https://humor.vativ.io/joke
+```
+
+Add `.env` to `.gitignore` immediately. Private key leakage is how
+test wallets drain.
+
+## Step 4: Run the agent
+
+```bash
+pnpm exec tsx client.ts
+```
+
+Expected output:
+
+```
+Buyer wallet:    0x<account-A>
+MUSD balance:    1800.000000 MUSD
+Permit2 allowance: OK
+
+Requesting https://humor.vativ.io/joke …
+
+=== Payment Successful ===
+{
+  "setup": "Why did the Bitcoin go to therapy?",
+  "punchline": "It had too many forks in its past."
+}
+
+On-chain settlement:
+  tx:       0x<tx-hash>
+  network:  eip155:31611
+  success:  true
+
+MUSD spent: 0.001000 MUSD
+```
+
+The `tx` hash is a real Mezo Testnet transaction — look it up on
+[`explorer.test.mezo.org`](https://explorer.test.mezo.org) to see the
+MUSD flow from Account A (the buyer) to the seller's `payTo` address,
+with gas paid by the facilitator.
+
+## How the auto-payment works
+
+`wrapFetchWithPayment(fetch, client)` returns a drop-in replacement for
+the global `fetch` that runs this sequence automatically on every call:
+
+<Steps>
+
+1. **First GET (unpaid).** The agent calls
+   `fetchWithPay(RESOURCE_URL)`. The server responds `402 Payment
+   Required` with a `PAYMENT-REQUIRED` header carrying a base64 JSON
+   body describing the `accepts` list: scheme `exact`, asset
+   (`0x1189…Ac503` = MUSD), amount (`1000000000000000` wei = `0.001
+   MUSD`), `payTo` address, network (`eip155:31611`), and a
+   `maxTimeoutSeconds` window.
+
+2. **Select and sign.** The wrapped fetcher picks the `accepts` entry
+   it can satisfy (EVM + MUSD), constructs a permit2
+   `SignatureTransferDetails` for the amount and `payTo`, and the
+   signer (`toClientEvmSigner`) signs it with Account A's private key.
+   No on-chain transaction yet — just an off-chain signature.
+
+3. **Retry with X-PAYMENT.** The fetcher resends the original GET with
+   an `X-PAYMENT` header carrying the signed permit.
+
+4. **Facilitator settles.** The server's `paymentMiddleware` forwards
+   the signed permit to the facilitator at `facilitator.vativ.io`. The
+   facilitator submits the on-chain `permitTransferFrom` to Permit2,
+   which moves `0.001 MUSD` from Account A to the seller's `payTo`
+   in a single transaction. The facilitator also pays gas — Account A
+   never needs BTC for this.
+
+5. **200 OK with receipt.** The server waits for settlement, then
+   sends the real response body (the joke) with a `PAYMENT-RESPONSE`
+   header containing the tx hash. `decodePaymentResponseHeader`
+   decodes it for the agent's logs.
+
+</Steps>
+
+From the agent's perspective this is one `await fetchWithPay(url)`.
+Everything else is inside the library.
+
+## Troubleshooting
+
+| Symptom | Cause | Fix |
+|---|---|---|
+| `Permit2 allowance: MISSING` in the log | Account A has not approved Permit2 to spend its MUSD | Run the `cast send approve` command in Step 1 |
+| Request fails with `402` forever (never retries) | The agent is using plain `fetch` instead of `fetchWithPay` | Double-check the import; every call that should auto-pay must go through `fetchWithPay` |
+| `CLIENT_PRIVATE_KEY must be set…` | `.env` not loaded, wrong format, or key is `0x`-less | Confirm the key is `0x` + 64 hex characters; confirm `dotenv/config` is imported first |
+| Settlement succeeds but no joke body | Server responded `200` with an empty body, or the server is not the x402 demo | `curl -s -i <URL>` to confirm the server is up and returning JSON |
+| `MUSD balance: 0.000000` | Account A never received MUSD, or you pasted the wrong key | Check Quickstart Step 2; run `cast call balanceOf` to confirm balance on chain |
+| `insufficient allowance` revert on chain | Permit2 approval was less than the permit amount | Re-run Step 1 with the `type(uint256).max` argument shown |
+
+## Security
+
+- **Never put a real-funds private key in `.env`.** A testnet key that
+  holds only borrowed MUSD and faucet BTC is fine for this demo.
+  Anything else goes in a hardware signer or MPC wallet. Rotate the
+  testnet key after the demo if you shared the repo anywhere.
+- **`.env` must be in `.gitignore`.** The default `pnpm init` does
+  not create one — add it:
+  ```bash
+  echo ".env" >> .gitignore
+  ```
+- The `toClientEvmSigner` interface is swappable — production agentic
+  flows replace it with a signer backed by a KMS, HSM, or threshold
+  wallet. The rest of the pipeline (`wrapFetchWithPayment`, the x402
+  handshake, the facilitator) doesn't change.
+
+## See also
+
+- [Quickstart](./x402-quickstart/). Build the seller side of this flow
+  and pay it with a browser wallet before pointing the agent at it.
+- [`vativ/mezo-hack/apps/humor`](https://github.com/vativ/mezo-hack/tree/main/apps/humor).
+  Full source for the `humor.vativ.io` live demo — server + client
+  both. This page's client is a trimmed version of `apps/humor/client/client.ts`.
+- [Uniswap Permit2](https://github.com/Uniswap/permit2). The allowance
+  contract the EVM x402 scheme uses for token transfers.