fix(helpers)!: require explicit name/version domain in x402rDefaults #209

Open: vraspar wants to merge 3 commits into main from vraspar/helpers-usdc-domain-required

vraspar (Contributor) commented Jun 12, 2026

What

x402rDefaults no longer silently defaults the EIP-712 token domain to name:'USDC'/version:'2'. Both name and version are now required inputs (enforced at the type level, with a runtime ValidationError guard for JS consumers).

Why

x402rDefaults never receives the token address, so it cannot know the correct EIP-712 domain. The silent USDC/2 default was a latent footgun: for any token whose domain differs — including USDC on Base mainnet, whose canonical name() is USD Coin (not USDC) — the wrong domain produces a signature the contract rejects, causing a silent on-chain settle revert discovered only at settlement time. Making the fields required surfaces the decision at construction, where it's cheap to get right.

This does not change verify-time behavior (payer and facilitator both read the signed extra.name/version); it removes the on-chain settle-revert class of bug.

Changes

  • name/version are required on X402rDefaultsInput; DEFAULT_TOKEN_NAME/DEFAULT_TOKEN_VERSION removed.
  • Runtime guard throws ValidationError for empty/missing name or version.
  • JSDoc updated (field docs + function-level) to drop the removed defaults.
  • Tests: passthrough of an explicit non-USDC domain (USD Coin/1) + guard coverage for empty name/version.
  • Changeset (@x402r/helpers, minor — 0.x breaking).

Breaking change & migration

Callers must pass the token's EIP-712 domain explicitly. For the testnet USDC used in the SDK examples: name: 'USDC', version: '2'. For mainnet USDC: name: 'USD Coin', version: '2'.

Testing

  • pnpm typecheck (repo-wide): 6/6 clean — confirms no un-updated caller.
  • pnpm --filter @x402r/helpers test: green.
  • pnpm --filter @x402r/helpers build: clean (attw + publint).

Part of the authCapture upstream-alignment Phase 3 work.
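
Why a wrong name changes what the contract checks, as an added example that is not code from this PR or from @x402r/helpers: a dependency-free Keccak-256 and a four-field EIP-712 domain separator, showing that 'USDC' and 'USD Coin' yield different separators. The four-field domain layout, the helper names, and the sample chain id and contract address are assumptions made for the illustration.

```javascript
const M64 = (1n << 64n) - 1n;
const rotl = (v, n) => ((v << BigInt(n)) | (v >> BigInt(64 - n))) & M64;

function keccakF(A) { // Keccak-f[1600] over 25 lanes of 64 bits, lane (x, y) at A[x + 5*y]
  let lfsr = 1; // LFSR that generates the round constants
  for (let round = 0; round < 24; round++) {
    const C = [0, 1, 2, 3, 4].map((x) => A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20]);
    for (let x = 0; x < 5; x++) { // theta
      const D = C[(x + 4) % 5] ^ rotl(C[(x + 1) % 5], 1);
      for (let y = 0; y < 25; y += 5) A[x + y] ^= D;
    }
    let x = 1, y = 0, cur = A[1];
    for (let t = 0; t < 24; t++) { // rho + pi
      [x, y] = [y, (2 * x + 3 * y) % 5];
      [A[x + 5 * y], cur] = [rotl(cur, (((t + 1) * (t + 2)) / 2) % 64), A[x + 5 * y]];
    }
    for (let y = 0; y < 25; y += 5) { // chi
      const T = A.slice(y, y + 5);
      for (let x = 0; x < 5; x++) A[y + x] = T[x] ^ (~T[(x + 1) % 5] & T[(x + 2) % 5]);
    }
    for (let j = 0; j < 7; j++) { // iota
      if (lfsr & 1) A[0] ^= 1n << BigInt((1 << j) - 1);
      lfsr = lfsr & 0x80 ? ((lfsr << 1) ^ 0x71) & 0xff : lfsr << 1;
    }
  }
}

function keccak256(bytes) { // original Keccak padding (0x01 ... 0x80), rate 136 bytes
  const padded = new Uint8Array(Math.ceil((bytes.length + 1) / 136) * 136);
  padded.set(bytes);
  padded[bytes.length] ^= 0x01; padded[padded.length - 1] ^= 0x80;
  const A = Array(25).fill(0n);
  for (let off = 0; off < padded.length; off += 136) {
    for (let i = 0; i < 136; i++) A[i >> 3] ^= BigInt(padded[off + i]) << BigInt(8 * (i & 7));
    keccakF(A);
  }
  return Uint8Array.from({ length: 32 }, (_, i) => Number((A[i >> 3] >> BigInt(8 * (i & 7))) & 0xffn));
}

const enc = new TextEncoder();
const hex = (b) => Array.from(b, (v) => v.toString(16).padStart(2, "0")).join("");
const word = (n) => Uint8Array.from({ length: 32 }, (_, i) => Number((n >> BigInt(8 * (31 - i))) & 0xffn));
// Assumption: the token uses the common four-field domain type.
const DOMAIN_TYPE = "EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)";
function domainSeparator({ name, version, chainId, verifyingContract }) {
  const h = (s) => keccak256(enc.encode(s));
  const words = [h(DOMAIN_TYPE), h(name), h(version), word(BigInt(chainId)), word(BigInt(verifyingContract))];
  return hex(keccak256(Uint8Array.from(words.flatMap((w) => [...w]))));
}
// Constructed sample: placeholder chain id and contract address, not a real deployment.
const sample = { version: "2", chainId: 1, verifyingContract: "0x" + "11".repeat(20) };
```

Calling `domainSeparator({ ...sample, name: 'USDC' })` and `domainSeparator({ ...sample, name: 'USD Coin' })` returns two different 32-byte values, so a signature made over one cannot recover the expected signer under the other.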

codecov Bot commented Jun 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@vraspar vraspar requested a review from A1igator as a code owner June 12, 2026 04:24