feat: pay push --confidential / confidential mpp charges

[lgalabru]

Adds a --confidential flag to pay push for Token-2022 confidential (amount-hidden) transfers, settled via the gateway-paid bundle flow in pay-kit PR #181.

Changes

• pay push --confidential CLI flag → StablecoinSendRequest.confidential → ApiSendRequest.confidential (serialized only when set, so normal sends are byte-identical).
• Consume the confidential pay-kit branch (PR Package #181) + solana 4.0 line; point litesvm at the loosen-solana-address-constraint fork.
• Drop the unused multi_delegator session path.
• Tests: serialization coverage for the confidential request flag.

Depends on solana-foundation/pay-kit#181 (the feat/confidential-transfers branch). The git deps + litesvm patch track that branch until it merges.

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
payment-debugger	Ready	Preview, Comment	Jun 21, 2026 2:54am

[greptile-apps]

Greptile Summary

This PR adds a --confidential flag to pay push/send for Token-2022 confidential (amount-hidden) transfers, routing through the gateway-paid bundle flow. It also drops the previously unused multi_delegator pull-session code path and bumps the solana-mpp/solana-x402 dependencies to the feat/confidential-transfers branch.

• --confidential CLI flag is threaded from SendCommand → StablecoinSendRequest.confidential → ApiSendRequest.confidential, serialized only when true so normal sends remain byte-identical; covered by a new unit test.
• The multi_delegator session path and its 746-line integration test file are removed; validate_client_voucher_pull_open now explicitly rejects the legacy token-account delegation shape with a migration-hint error.
• Cargo.toml adds a [patch.crates-io] entry for a personal litesvm fork (loosen-solana-address-constraint branch) to allow litesvm 0.13 to coexist with zk-sdk 7 confidential-proof crates.

Confidence Score: 5/5

The confidential flag addition is self-contained and additive; it only changes the serialized request when explicitly set, so all existing send paths are unaffected.

The core feature change — threading a boolean flag from CLI to API — is minimal and well-tested. The multi_delegator removal is a straightforward deletion of unused code. The one issue found (check ordering in validate_client_voucher_pull_open leading to a less-helpful error message for legacy clients) is non-functional and affects only the removed path that was already unused in production.

rust/crates/core/src/server/session.rs — the check order in validate_client_voucher_pull_open gives a confusing error to legacy token-account delegation callers; rust/Cargo.toml — mutable branch pins for solana-mpp/x402 and the personal litesvm fork (noted in prior review threads).

Important Files Changed

Filename	Overview
rust/crates/cli/src/commands/send.rs	Adds --confidential flag to SendCommand and threads it through to send_stablecoin; no logic changes otherwise.
rust/crates/core/src/client/send.rs	Adds confidential: bool to StablecoinSendRequest and ApiSendRequest; serialized only when true to keep normal sends byte-identical. Includes a serialization unit test.
rust/crates/core/src/server/session.rs	Removes the multi-delegator pull-session code path; replaces with validate_client_voucher_pull_open. Check order gives a less-helpful error to legacy token-account delegation clients (see inline comment).
rust/Cargo.toml	Bumps solana-mpp/x402 to the feat/confidential-transfers branch (mutable ref); patches litesvm via a personal fork branch — both already noted in prior review threads.
rust/crates/core/tests/session_surfpool_sdk_tests.rs	File deleted — removes integration tests for the now-removed multi_delegator/pull-session code path.
rust/crates/core/tests/surfpool_tests.rs	No visible logic change; tests continue to cover MPP charge, replay protection, session open/voucher/close, and build_credential flows.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant CLI as CLI (pay push --confidential)
    participant Core as pay-core send
    participant API as pay-api gateway
    participant Chain as Solana (Token-2022)

    CLI->>Core: "StablecoinSendRequest { confidential: true }"
    Core->>API: "POST /v1/send { ..., "confidential": true }"
    API-->>Core: 402 + confidential MPP challenge
    Core->>Core: parse challenge, select by balance, build credential
    Core->>API: POST /v1/send + Authorization header (retry)
    API->>Chain: submit confidential bundle (gateway-paid)
    Chain-->>API: transaction confirmed
    API-->>Core: "{ receipt: { reference: txSig } }"
    Core-->>CLI: "SendResult { signature, amount_raw, ... }"
    CLI->>CLI: print "Sent X USDC to recipient"

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant CLI as CLI (pay push --confidential)
    participant Core as pay-core send
    participant API as pay-api gateway
    participant Chain as Solana (Token-2022)

    CLI->>Core: "StablecoinSendRequest { confidential: true }"
    Core->>API: "POST /v1/send { ..., "confidential": true }"
    API-->>Core: 402 + confidential MPP challenge
    Core->>Core: parse challenge, select by balance, build credential
    Core->>API: POST /v1/send + Authorization header (retry)
    API->>Chain: submit confidential bundle (gateway-paid)
    Chain-->>API: transaction confirmed
    API-->>Core: "{ receipt: { reference: txSig } }"
    Core-->>CLI: "SendResult { signature, amount_raw, ... }"
    CLI->>CLI: print "Sent X USDC to recipient"

Loading

_{Reviews (3): Last reviewed commit: "fix(deps): pull confidential pay-kit (no..." | Re-trigger Greptile}

[greptile-apps]

Mutable branch references for production dependencies

Both solana-mpp and solana-x402 are pinned to branch = "feat/confidential-transfers" rather than a fixed rev =. The Cargo.lock does capture the commit hash at lock time, but any cargo update will silently pull whatever is at the HEAD of that branch at that moment — including force-pushed rewrites or last-minute breaking changes. Given the feature branch is still in review (PR #181), this is a concrete risk window. Consider locking to the current HEAD rev instead, e.g., rev = "abc1234", until the upstream branch stabilises or merges.

[lgalabru]

Intentional and temporary: solana-mpp/solana-x402 track pay-kit PR #181's feature branch until it merges, then move to a pinned release/rev. Noted in the Cargo.toml comment and the dev-shims section of confidential-transfers.md.

[greptile-apps]

Personal fork pinned to a mutable branch in [patch.crates-io]

The litesvm / litesvm-token patch points to lgalabru/litesvm.git on a personal fork with branch = "loosen-solana-address-constraint". Personal forks can be renamed, deleted, or go stale; using a rev = pin would at least guarantee the exact commit is fetched regardless of branch mutations. This affects test builds (surfpool_tests, session_surfpool_sdk_tests).

[lgalabru]

Temporary dev shim: the fork only loosens litesvm's solana-address pin so litesvm can coexist with the zk-sdk 7 proof crates (no newer litesvm release exists). Pending the upstream litesvm PR; documented in confidential-transfers.md §6.1.