fix: address bug audit findings #30

Merged: marcelosalloum merged 6 commits into main from fix/report-items on Mar 17, 2026

@marcelosalloum (Contributor) commented:

What

Addresses 6 findings from the Bug Finder Report that apply to our codebase. Each fix is a separate commit:

| Finding | Severity | Commit | File | Fix |
|---|---|---|---|---|
| #5 | High | guard against concurrent payment submissions | useStellarPayment.ts | Add a `useRef(false)` synchronous guard to prevent double-click / rapid resubmission of the same payment |
| #8 | Medium | add missing return after insufficient balance error | StellarPaywall.tsx | Add `return` after setting the insufficient-balance error to prevent fall-through into payment submission |
| #9 | Medium | use fresh 402 requirements on payment retry | useStellarPayment.ts | On retry, decode the PAYMENT-REQUIRED header from the 402 response instead of reusing the potentially stale original prop |
| #12 | Medium | add fetch timeout to facilitator validation | env.ts | Add an AbortController with a 10 s timeout to the validateFacilitators() fetch so startup doesn't hang if a facilitator is unresponsive |
| #13 | Medium | copy handler array at build time | builder.ts | Snapshot this.handlers with spread at build() time so later mutations to the builder don't affect already-built providers |
| #14 | Medium | guard parseFloat NaN in paywall amount | stellar-handler.ts | Wrap the parseFloat result with Number.isFinite() and fall back to 0 to prevent NaN from propagating into the paywall HTML |

Why

An automated security audit (stellar/internal-agents#136) reported 15 findings (7 high, 8 medium). After triaging all 15, 6 are actionable in our code — the rest are either already fixed or require upstream changes to coinbase/x402.

Closes https://github.com/stellar/internal-agents/issues/136

Copilot AI review requested due to automatic review settings, March 13, 2026 19:36

marcelosalloum changed the title from "fix: address security audit findings" to "fix: address bug audit findings" on Mar 13, 2026

Copilot AI (Contributor) left a comment:

Pull request overview

Addresses multiple security-audit findings across the paywall client, paywall builder, and example server startup validation to reduce double-submissions, stale retries, fall-through execution, startup hangs, and NaN propagation.

Changes:

  • Add synchronous in-flight guard to prevent concurrent Stellar payment submissions and refresh requirements on retry from the 402 response.
  • Fix insufficient-balance flow to stop before attempting payment submission.
  • Add fetch timeout for facilitator validation and harden builder/amount handling (snapshot handlers; guard NaN).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| packages/paywall/src/stellar-handler.ts | Prevent NaN paywall amounts by guarding parsed amounts with Number.isFinite. |
| packages/paywall/src/builder.ts | Snapshot handlers at build time to prevent later mutations from affecting built providers. |
| packages/paywall/src/browser/useStellarPayment.ts | Add in-flight ref guard and use fresh payment requirements for retry. |
| packages/paywall/src/browser/StellarPaywall.tsx | Add missing return after insufficient-balance error to prevent fall-through. |
| examples/simple-paywall/server/src/config/env.ts | Add AbortController timeout to facilitator validation fetches. |

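The two paywall-package fixes summarised above (#13 handler snapshot in builder.ts, #14 finite amount in stellar-handler.ts) side by side, as an added example that is not the project's builder.ts or stellar-handler.ts. The `PaywallHandler` and `PaywallProvider` interfaces, `buildAliased()` as the pre-fix variant, and the rendered markup are assumptions for the demo.

```typescript
// Added example, not the project's builder.ts or stellar-handler.ts. It shows the two
// paywall-package fixes together: build() snapshots the handler array (finding #13),
// and the amount parsed for the paywall HTML is forced to be finite (finding #14).
// The handler/provider interfaces below are assumptions for the demo.

export interface PaywallHandler {
  network: string;
  render(amount: number): string;
}

export interface PaywallProvider {
  handlerCount(): number;
  render(network: string, rawAmount: string): string | undefined;
}

// Finding #14: parseFloat("abc") is NaN and parseFloat("1e400") is Infinity; both
// survive template interpolation and would land in the HTML as literal text.
export function parsePaywallAmount(raw: string): number {
  const n = parseFloat(raw);
  return Number.isFinite(n) ? n : 0;
}

function makeProvider(handlers: PaywallHandler[]): PaywallProvider {
  return {
    handlerCount: () => handlers.length,
    render(network: string, rawAmount: string): string | undefined {
      const handler = handlers.find((h) => h.network === network);
      return handler ? handler.render(parsePaywallAmount(rawAmount)) : undefined;
    },
  };
}

export class PaywallBuilder {
  private handlers: PaywallHandler[] = [];

  addHandler(handler: PaywallHandler): this {
    this.handlers.push(handler);
    return this;
  }

  // Pre-fix behaviour: the provider holds the builder's live array, so any
  // addHandler() after build() silently changes an already-built provider.
  buildAliased(): PaywallProvider {
    return makeProvider(this.handlers);
  }

  // Finding #13: spread copies the array at build() time. Handlers added to the
  // builder afterwards cannot reach providers that were already handed out.
  build(): PaywallProvider {
    return makeProvider([...this.handlers]);
  }
}

export const stellarHandler: PaywallHandler = {
  network: "stellar",
  render: (amount) => `<p>Pay ${amount.toFixed(2)} USDC on Stellar</p>`,
};

export function runBuilderDemo() {
  const builder = new PaywallBuilder().addHandler(stellarHandler);
  const aliased = builder.buildAliased();
  const fixed = builder.build();

  // Mutation after build: only the aliased provider observes it.
  builder.addHandler({ network: "evm", render: (a) => `<p>Pay ${a} USDC on EVM</p>` });

  return {
    aliasedCount: aliased.handlerCount(),                 // 2
    fixedCount: fixed.handlerCount(),                     // 1
    fixedSeesEvm: fixed.render("evm", "1") !== undefined, // false
    normal: fixed.render("stellar", "0.10"),              // "<p>Pay 0.10 USDC on Stellar</p>"
    garbage: fixed.render("stellar", "abc"),              // "<p>Pay 0.00 USDC on Stellar</p>"
    overflow: parsePaywallAmount("1e400"),                // 0
  };
}
```

Two caveats when porting this: the spread is a shallow copy, so handler objects themselves are still shared and should be treated as immutable after registration; and `Number.isFinite` rejects NaN and ±Infinity but not negative values, so a caller that needs a non-negative price still has to range-check the result.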

Comment thread on examples/simple-paywall/server/src/config/env.ts
marcelosalloum self-assigned this on Mar 17, 2026
marcelosalloum merged commit 8e972c5 into main on Mar 17, 2026
12 checks passed
marcelosalloum deleted the fix/report-items branch on March 17, 2026 15:53