CuseTheJuice

Full Stack AI Engineer developing useful payment required tools for the masses

Pay to play

Passwords and MFA can be phished or shared; a paid session adds economic friction. Here, unlocking is a real Coinbase x402 payment whose USD amount scales with your fuse-strike tier ($0.01 × 1.32^strikes). After payment you get an httpOnly session cookie; when the fuse expires, the app revokes it and you must pay again.

Demo / QA. Fuse strikes are browser-only; not billing truth. Reset is for testing—in production, tier would be server-bound and not resettable from the client like this.

Pay to play

Penalties stack fuse strikes; each unlock is an x402 payment at the quoted tier. After you pay, you get a signed browser session until the fuse burns out or you reset.

Each fuse strike multiplies the next quote by 1.32× (tier-zero base $0.01).

$0.01 · 0 fuse strikes

Pay with x402 (wallet)

Opens the Coinbase x402 paywall for this URL. You must complete payment in-wallet; then you'll return here with access.

Demo disclaimer & policy

This playfield is a demonstration. Fuse-strike counts and the reset control live in sessionStorage in your browser. They are not a warranty, invoice, or enforcement of a commercial penalty tier. The quoted x402 amount follows the URL you open in your wallet; we do not claim client-side state is tamper-proof.

Acknowledged workarounds in this demo

  • Anyone can edit sessionStorage, DevTools, or the strikes= query on the unlock link before paying, to aim for a lower displayed tier—still subject to what the x402 route validates when you pay.
  • The paywall overlay and disabled grid are presentation only. They do not cryptographically enforce access.
  • Continued access after payment depends on the server-issued httpOnly signed session cookie, not on React state in the page.

Production hardening tips

  • Treat penalty tier as server authority: bind it to payment receipts, a signed server payload, wallet identity, or persisted abuse state—not to editable browser storage alone.
  • If the unlock price must match a quoted tier, include that tier (or a nonce) inside the signed cookie or token so the client cannot silently downgrade the tier the server will honor.
  • Keep your session signing secret long and private; rotate it if leaked; use session TTLs appropriate to risk.
  • Protect APIs with the same cookie (or stronger auth); never trust headers or body fields from the client for “is paid” or “tier” without verification.
  • Mitigate session theft with httpOnly cookies, tight CSP against XSS, and monitoring—stolen cookies are stolen sessions.
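
One way to apply the first two hardening tips, as an added example that is not this demo's own code: the quote is computed from a strike count the server holds, and the tier is carried inside an HMAC-signed token so a client cannot downgrade it. The function names, token layout, micro-dollar units and TTL are assumptions, and `paidMicroUsd` is assumed to come from an x402 receipt the server has already verified.

```javascript
// Added example: names, token layout and TTL are assumptions, not the demo's code.
const crypto = require("node:crypto");

const BASE_MICRO_USD = 10_000;      // $0.01 tier-zero base, in micro-dollars
const MULTIPLIER = 1.32;            // each fuse strike multiplies the next quote
const SESSION_TTL_MS = 5 * 60_000;  // assumed fuse length

// Quote for a strike count the SERVER holds (never the strikes= query value).
function quoteMicroUsd(strikes) {
  return Math.round(BASE_MICRO_USD * MULTIPLIER ** strikes);
}

function sign(secret, body) {
  return crypto.createHmac("sha256", secret).update(body).digest("base64url");
}

// Issue a session only if the verified payment covers the server-side quote.
// paidMicroUsd is assumed to come from an already-verified x402 receipt.
function unlock(secret, serverStrikes, paidMicroUsd, now) {
  if (paidMicroUsd < quoteMicroUsd(serverStrikes)) return null;
  const payload = { tier: serverStrikes, paid: paidMicroUsd, exp: now + SESSION_TTL_MS };
  const body = Buffer.from(JSON.stringify(payload)).toString("base64url");
  return `${body}.${sign(secret, body)}`; // value for the httpOnly cookie
}

// Return the payload if the signature is valid and the fuse has not expired.
function verifySession(secret, token, now) {
  const parts = String(token).split(".");
  if (parts.length !== 2) return null;
  const [body, mac] = parts;
  const expected = Buffer.from(sign(secret, body));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  return payload.exp > now ? payload : null;
}

// Constructed walk-through: server state says 3 strikes, the client claims 0.
function demo() {
  const secret = crypto.randomBytes(32);
  const now = 1_700_000_000_000; // constructed timestamp
  const token = unlock(secret, 3, quoteMicroUsd(3), now);
  const forgedBody = Buffer.from(JSON.stringify({ tier: 0, paid: 10_000, exp: now + 1e12 })).toString("base64url");
  return {
    underpaid: unlock(secret, 3, quoteMicroUsd(0), now), // paid only the tier-0 price
    valid: verifySession(secret, token, now + 1000),
    forged: verifySession(secret, `${forgedBody}.${token.split(".")[1]}`, now + 1000), // edited payload, old MAC
    expired: verifySession(secret, token, now + SESSION_TTL_MS + 1),
  };
}
```

API routes would call `verifySession` on the cookie value for every request and read the tier from the returned payload, never from a header, query or body field.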