
x402 Payload now returns the root delegator, instead of the leaf delegator #251

Open
jeffsmale90 wants to merge 2 commits into main from fix/x402-delegator

@jeffsmale90 jeffsmale90 commented May 27, 2026

📝 Description

The x402DelegationProvider was incorrectly returning the leaf delegator, instead of the root delegator.

This PR fixes that.

🔄 What Changed?

List the specific changes made:

🚀 Why?

Explain the motivation behind these changes:

🧪 How to Test?

Describe how to test these changes:

  • Manual testing steps:
  • Automated tests added/updated
  • All existing tests pass

⚠️ Breaking Changes

List any breaking changes:

  • No breaking changes
  • Breaking changes (describe below):

📋 Checklist

Check off completed items:

  • Code follows the project's coding standards
  • Self-review completed
  • Documentation updated (if needed)
  • Tests added/updated
  • Changelog updated (if needed)
  • All CI checks pass

🔗 Related Issues

Link to related issues:
Closes #
Related to #

📚 Additional Notes

Any additional information, concerns, or context:


Note

Medium Risk
Changes the semantics of the experimental x402 delegator field (breaking for callers) and adds a hard error when no parent delegation chain exists to derive a root delegator.

Overview
Fixes the experimental x402 delegation provider so payment payloads identify the root delegator in the parent permission chain, not the newly signed leaf delegation’s delegator.

resolveDelegationCreationContext now derives rootDelegator from the last entry in decoded parentPermissionContext delegations and fails with Root delegator not found when that chain is empty. createx402DelegationProvider returns that address in the payload’s delegator field. Tests and the changelog entry for createx402DelegationProvider are updated accordingly.

Breaking for integrators: any consumer that assumed delegator was the leaf signer must switch to the root account; flows without a valid parent permission context will now error at resolution time.

Reviewed by Cursor Bugbot for commit a823df6. Bugbot is set up for automated code reviews on this repo. Configure here.

@jeffsmale90 jeffsmale90 requested a review from a team as a code owner May 27, 2026 07:27

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Reviewed by Cursor Bugbot for commit 37e110f. Configure here.


if (!rootDelegator) {
throw new Error('Root delegator not found');
}
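
Review bot: The error thrown by the `if (!rootDelegator)` guard gives the caller nothing to act on. Per the PR summary it fires when the decoded parentPermissionContext delegation chain is empty, so the message should name that cause, for example 'Root delegator not found: parentPermissionContext contains no delegations', which lets an integrator tell a missing parent context apart from any other resolution failure.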

Function always throws when optional parentPermissionContext is absent

High Severity

When parentPermissionContext is not provided (it's optional in x402DelegationProviderConfig), existingDelegations is set to []. Then existingDelegations[existingDelegations.length - 1] evaluates to existingDelegations[-1] which is undefined, causing the rootDelegator check to unconditionally throw 'Root delegator not found'. This makes the else branch at line 546–553 unreachable dead code and effectively makes parentPermissionContext required at runtime despite being typed as optional.


Reviewed by Cursor Bugbot for commit 37e110f. Configure here.
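
The failure mode raised in the review comment above, as an added TypeScript example that is not the project's code: the types, `rootDelegatorUnguarded`, `resolveRootDelegator` and the addresses are constructed for illustration. Returning the leaf signer when no parent chain is supplied is an assumption about the intended behaviour, not something the PR states.

```typescript
// Added illustration: types, function names and addresses are constructed.
type Address = string;
interface Delegation {
  delegator: Address;
  delegate: Address;
}

// The pattern the review comment describes: an absent optional context
// becomes [], [][-1] is undefined, and the guard throws every time.
function rootDelegatorUnguarded(parent?: Delegation[]): Address {
  const existing: Delegation[] = parent ?? [];
  const last: Delegation | undefined = existing[existing.length - 1];
  const rootDelegator = last?.delegator;
  if (!rootDelegator) {
    throw new Error('Root delegator not found');
  }
  return rootDelegator;
}

// Separates "no parent context supplied" from "context supplied but empty".
// Assumption: without a parent chain the new delegation is its own root,
// so the leaf signer is returned. Chains are ordered leaf first, root last.
function resolveRootDelegator(leafDelegator: Address, parent?: Delegation[]): Address {
  if (parent === undefined) {
    return leafDelegator;
  }
  const last: Delegation | undefined = parent[parent.length - 1];
  if (last === undefined) {
    throw new Error('parentPermissionContext decoded to an empty delegation chain');
  }
  return last.delegator;
}

// Constructed sample: ROOT delegated to MIDDLE, MIDDLE delegated to LEAF_SIGNER.
const ROOT: Address = '0x' + 'a'.repeat(40);
const MIDDLE: Address = '0x' + 'b'.repeat(40);
const LEAF_SIGNER: Address = '0x' + 'c'.repeat(40);
const PARENT_CHAIN: Delegation[] = [
  { delegator: MIDDLE, delegate: LEAF_SIGNER },
  { delegator: ROOT, delegate: MIDDLE },
];
```

Both functions agree on a populated chain; they differ only when the parent context is absent, which is the case a test for the optional config field needs to cover.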
