
Add ThoughtProof: x402-gated verification for AI agents #257

Open

ThoughtProof wants to merge 2 commits into Merit-Systems:master from ThoughtProof:add-thoughtproof

Conversation


@ThoughtProof commented May 24, 2026

Adds ThoughtProof to the Awesome Agentic Commerce list (3 entries):

Ecosystem:

  • ThoughtProof — Decision verification for AI agents with three x402-gated endpoints: reasoning verification (api.thoughtproof.ai), plan-level verification (verify.thoughtproof.ai), and pre-execution checkpoint (sentinel.thoughtproof.ai). Registered as ERC-8004 Agent #37477 on Base.

Open Source & SDKs:

  • pot-cli / pot-sdk — Open-source CLI and TypeScript SDK for verifying AI agent reasoning and plans before settlement, with native x402 payment support. Published on npm.
  • thoughtproof-mcp — MCP server for adversarial multi-model reasoning verification. x402 micropayment or API key auth. Published on npm and Glama.

ThoughtProof complements the existing x402 ecosystem by adding a verification layer — agents can pay to verify their own decisions before committing to irreversible actions (payments, trades, code execution).

@TateLyman

Ran a no-payment external readback against the public ThoughtProof surfaces added in this PR. I did not send payment headers, wallet signatures, API keys, or paid calls.

Repro:

npx --yes x402-surface-check@latest \
  https://api.thoughtproof.ai/openapi.json \
  --limit 12 \
  --origin https://thoughtproof.ai

npx --yes x402-surface-check@latest \
  https://verify.thoughtproof.ai/openapi.json \
  --limit 12 \
  --origin https://thoughtproof.ai

for u in \
  https://api.thoughtproof.ai/.well-known/x402 \
  https://verify.thoughtproof.ai/.well-known/x402 \
  https://sentinel.thoughtproof.ai/.well-known/x402 \
  https://api.thoughtproof.ai/v1/health \
  https://verify.thoughtproof.ai/v2/health \
  https://sentinel.thoughtproof.ai/sentinel/health; do
  curl -i -sS --max-time 12 "$u" | sed -n '1,35p'
done

What looks good:

  • The main site, api.thoughtproof.ai, verify.thoughtproof.ai, and sentinel.thoughtproof.ai are live.
  • https://api.thoughtproof.ai/openapi.json and https://verify.thoughtproof.ai/openapi.json are live OpenAPI documents.
  • Health endpoints return structured JSON: api v1.4.0, verify v2.0.0, and Sentinel v0.1.0.
  • The API OpenAPI pass finds x402-like 402 challenges for GET/POST /v1/check and POST /v1/verify before paid execution.

Patch notes before merge/listing:

  • P1: the PR says Base settlement, but sampled POST /v1/check and POST /v1/verify challenges reported eip155:5042002 while GET /v1/check reported base. If Base mainnet is intended, this should be consistently eip155:8453 or clearly documented as non-Base/test/alternate rail.
  • P1: sampled payment challenges use Cache-Control: public, max-age=0, must-revalidate; paid challenge responses should be private, no-store or otherwise bypass shared caches.
  • P1: POST /v1/check and POST /v1/verify carry payment requirements in the payment-required response header, but the CORS response did not expose that header, so browser agents may not be able to read the challenge after preflight succeeds.
  • P2: the claimed x402 discovery paths are currently missing: /.well-known/x402 on thoughtproof.ai, api.thoughtproof.ai, verify.thoughtproof.ai, and sentinel.thoughtproof.ai returned 404. Because this PR is an ecosystem directory listing, adding at least one canonical discovery URL would make the listing easier for wallets/agents to verify.
  • P2: verify.thoughtproof.ai/v2/verify currently returns 401 before a payment challenge for the no-payment POST probe. If the intended order is API-key first and x402 as an alternate path, the README entry should say that clearly.

This is a public-surface/readiness note only, not an assertion about private implementation or paid execution.

@ThoughtProof (Author)

Thanks for the surface check @TateLyman — all findings were valid and have been fixed in production.

Fixes deployed (7fdc795, e7dac48)

P1-1 Chain-ID consistency

  • All network fields now use CAIP-2 format (eip155:8453)
  • accepts[] reordered: exact (direct USDC on Base) first, GatewayWalletBatched second
  • The previous eip155:5042002 in the GatewayWalletBatched scheme was Circle's Arc Testnet chain — correct for Circle's internal settlement, but confusing in the client-facing challenge. Client-facing accepts[] now consistently shows eip155:8453.

P1-2 Cache-Control

  • All 402 (and 410) responses now return Cache-Control: private, no-store

P1-3 CORS

  • Access-Control-Expose-Headers: payment-required, X-Payment-Intent, X-Payment-Response, X-ThoughtProof-Receipt
  • Access-Control-Allow-Headers extended with Payment-Signature, X-Payment-Intent

P2-1 CAIP-2 normalization

  • All "base" string references → "eip155:8453" across response bodies, WWW-Authenticate, and payment intents

P2-2 .well-known/x402

P2-3 verify.thoughtproof.ai (PLV v2) — correct observation. PLV is API-key-gated, not x402-native. The PR description has been left as-is since the listing entry only covers api.thoughtproof.ai (RV), but happy to clarify further if needed.

All fixes are live and verified via curl against production.
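As an added example that is not part of this PR, of x402-surface-check, or of ThoughtProof's code: a small JavaScript lint that replays the three P1 points from @TateLyman's readback (chain-id consistency in CAIP-2 form, Cache-Control on 402 responses, and CORS exposure of the payment-required header) and the corresponding fixes listed in the reply above. Header names and the eip155:8453 / eip155:5042002 values come from the thread; the challenge JSON shape (an `accepts` array whose entries carry `scheme` and `network`) is an assumption for illustration, and both sample responses are constructed to mirror the observations and the fix notes, not captured from production.

```javascript
// Added example, not code from the PR or from ThoughtProof: a lint for x402-style
// 402 payment-challenge responses that replays the P1 points from the review thread.
// Assumed input shape: { status, headers, challenge }, where `challenge` is the parsed
// payment-requirements document with an `accepts` array of { scheme, network }.

const BASE_MAINNET = "eip155:8453"; // CAIP-2 id for Base mainnet, as in the fix notes

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? undefined : headers[key];
}

// Split a comma-separated header value into lower-cased tokens.
function splitList(value) {
  return (value || "").toLowerCase().split(",").map((s) => s.trim()).filter(Boolean);
}

// Returns a list of human-readable findings; an empty list means the challenge passes.
function auditChallenge(response) {
  const findings = [];
  const { status, headers, challenge } = response;

  // P2-3 style observation: a 401 (or anything else) means no payment challenge was offered.
  if (status !== 402) {
    findings.push(`status ${status}: no 402 payment challenge was offered`);
    return findings;
  }

  // P1-1 / P2-1: every network field should be CAIP-2 and consistent across accepts[].
  const networks = new Set((challenge.accepts || []).map((a) => a.network));
  for (const n of networks) {
    if (!/^eip155:\d+$/.test(n)) {
      findings.push(`network "${n}" is not a CAIP-2 identifier (eip155:<chainId>)`);
    } else if (n !== BASE_MAINNET) {
      findings.push(`network "${n}" is not Base mainnet (${BASE_MAINNET})`);
    }
  }
  if (networks.size > 1) {
    findings.push(`accepts[] mixes networks: ${[...networks].join(", ")}`);
  }

  // P1-2: a challenge is per-client and must bypass shared caches.
  const rawCache = getHeader(headers, "cache-control") || "";
  const cache = splitList(rawCache);
  if (cache.includes("public") || !(cache.includes("no-store") || cache.includes("private"))) {
    findings.push(`Cache-Control "${rawCache}" should be "private, no-store"`);
  }

  // P1-3: a browser agent can only read the challenge header if CORS exposes it.
  const exposed = splitList(getHeader(headers, "access-control-expose-headers"));
  if (getHeader(headers, "payment-required") !== undefined && !exposed.includes("payment-required")) {
    findings.push("payment-required is set but missing from Access-Control-Expose-Headers");
  }

  return findings;
}

// Constructed sample mirroring the readback observations (not a captured response).
function sampleBefore() {
  return {
    status: 402,
    headers: {
      "Cache-Control": "public, max-age=0, must-revalidate",
      "Access-Control-Expose-Headers": "Content-Type",
      "payment-required": "<opaque challenge, constructed>",
    },
    challenge: {
      accepts: [
        { scheme: "GatewayWalletBatched", network: "eip155:5042002" },
        { scheme: "exact", network: "base" },
      ],
    },
  };
}

// Constructed sample mirroring the deployed fix notes (not a captured response).
function sampleAfter() {
  return {
    status: 402,
    headers: {
      "Cache-Control": "private, no-store",
      "Access-Control-Expose-Headers":
        "payment-required, X-Payment-Intent, X-Payment-Response, X-ThoughtProof-Receipt",
      "Access-Control-Allow-Headers": "Content-Type, Payment-Signature, X-Payment-Intent",
      "payment-required": "<opaque challenge, constructed>",
    },
    challenge: {
      accepts: [
        { scheme: "exact", network: BASE_MAINNET },
        { scheme: "GatewayWalletBatched", network: BASE_MAINNET },
      ],
    },
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("before:", auditChallenge(sampleBefore()));
  console.log("after:", auditChallenge(sampleAfter()));
}
```

Run it with `node` to print both audits: the constructed "before" response produces five findings (the non-Base chain id, the non-CAIP-2 "base" string, the mixed networks, the public Cache-Control, and the unexposed payment-required header), and the "after" response produces none. To use it against a real surface, feed it the status, response headers and parsed challenge body from an unpaid probe such as the curl loop in the readback; it never sends payment.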
