fix(x402): fail-closed when URI is under a paid prefix but no rule matches

[bussyjd]

Why

HandleVerify returns 200 whenever matchPaidRoute returns nil. Traefik ForwardAuth treats 200 as "allow". So a misconfigured Middleware on a paid route, or a code bug where the route was supposed to match but didn't, silently makes the route FREE — revenue loss with no signal.

Before

   X-Forwarded-Uri: /services/known/expensive-llm-call
        |
        v
   verifier.matchPaidRoute(cfg, uri)
        |
        v  (rule was supposed to match but didn't — config drift, code bug, etc.)
   returns nil
        |
        v
   HandleVerify returns 200
        |
        v
   Traefik ForwardAuth: 200 = allow
        |
        v
   Request proceeds upstream -> operator's expensive LLM pays for it; no charge

After

   X-Forwarded-Uri: /services/known/expensive-llm-call
        |
        v
   verifier.matchPaidRoute(cfg, uri)
        |
        v  rule still doesn't match
   returns nil
        |
        v
   verifier.isUnderPaidPrefix(uri)
        |
        v  "/services/known/" IS in paidPrefixes (loaded from cfg.Routes)
   returns true
        |
        v
   HandleVerify returns 403
        |
        v
   Traefik ForwardAuth: 403 = deny, request blocked
   Log line: "no rule matches; route appears to be a paid prefix with stale or missing rule"

What changed

• Verifier.paidPrefixes (atomic.Pointer to []string) — derived from cfg.Routes patterns on each load()
• Verifier.load() computes prefixes (sorted by length descending)
• Verifier.isUnderPaidPrefix(uri) — strings.HasPrefix lookup
• HandleVerify — when matchRoute returns nil, check prefix; fail-closed (403) if matched, 200 if not
• New patternToPrefix(pattern) helper — strips * suffix, keeps trailing slash so /services/foo/ doesn't false-match /services/foobar/
• Unit tests for patternToPrefix, the fail-closed path, the free-route unchanged-behavior path, and the prefix-boundary case

Complementary to PR #519

• PR fix(x402): gate verifier /readyz on informer cache sync #519 (readyz informer-sync gate): pod isn't Ready until routes loaded — closes bootstrap-window leak
• This PR: even after Ready, any tracked-prefix URI without a matching rule is fail-closed — closes steady-state-bug leak

Together they cover the "rule should match but doesn't" gap.

What this does NOT catch

• Net-new paid prefix the operator hasn't yet created an offer for. The verifier doesn't know about it -> treats as free. This is correct behavior — the operator hasn't told the verifier this prefix should be paid.
• Free routes outside /services/* are still free. The prefix tracker is derived from what's IN the route table, not what theoretically COULD be paid.

Test plan

• go build ./... clean
• go test ./internal/x402/... green (no existing tests needed adjustment — none were passing a URI under a tracked paid prefix)
• Unit test asserts manually-injected paid prefix produces 403 on unmatched URI
• Unit test asserts URI outside all prefixes still returns 200
• Unit test asserts sibling-path boundary (/services/foobar/x does NOT match /services/foo/* prefix)
• patternToPrefix unit test covers /foo/*, exact patterns (returns ""), /*, empty

Stacks on

PR #513 / feat/x402-marketplace-metrics. Complements PR #519. Rebase onto main after both merge.

[bussyjd]

Superseded by bundle PR #536 — closing in favor of the consolidated merge target. Original branch and history preserved.