apps/humor: move preview tarballs to pnpm.overrides only

[ryanRfox]

Summary

Clean up apps/humor's `package.json` files so the two preview tarballs live only in `pnpm.overrides`, not in `dependencies`. Dependencies now use canonical `^2.10.0` semvers.

Addresses the redundancy flagged by docscrew during the x402-quickstart doc coordination (hq-wisp-1ldam) and tracked as `hq-svt48` / `me-e02`.

What changed

• `apps/humor/server/package.json`: `@x402/paywall` and `@x402/evm` moved from tarball URLs in `dependencies` to canonical `^2.10.0`; also alphabetized the `@x402/*` block for consistency.
• `apps/humor/client/package.json`: `@x402/evm` tarball URL replaced with `^2.10.0` in `dependencies`.
• `pnpm.overrides` blocks untouched — still pin the tarball URLs.

Why

pnpm's override resolution forces the tarball URL regardless of what `dependencies` declares, so the duplicate tarball entries in `dependencies` were redundant churn. Keeping them as canonical semvers:

• Makes the `dependencies` block read like a normal canonical `@x402/*` consumer.
• Collapses the eventual v2.11 migration to a single-step "delete the overrides block" with zero changes to `dependencies`.
• Matches the pattern docscrew is now using in the x402-quickstart doc.

Verification

• `pnpm install` resolution is unchanged (override wins over dependency range).
• Diff is intentionally tiny (2 files, 3 ins / 3 del).

Test plan

• `cd apps/humor/server && pnpm install` resolves `@x402/paywall` and `@x402/evm` to the tarball URLs from overrides (check `pnpm-lock.yaml`).
• `cd apps/humor/client && pnpm install` resolves `@x402/evm` to the tarball URL from overrides.
• Smoke-test humor server + client still run against the live testnet facilitator.

[ryanRfox]

Verification report — install is NOT broken

Quick clarification on the concern raised: the pnpm.overrides block IS present in both apps/humor/server/package.json and apps/humor/client/package.json — it was already there in the initial import (#1), and this PR just removed the redundant tarball entries from dependencies. The diff only shows deletions from dependencies because the overrides block was unchanged.

Full post-merge state on pkg-overrides-only:

apps/humor/server/package.json:

"dependencies": {
  "@x402/core": "^2.10.0",
  "@x402/evm": "^2.10.0",
  "@x402/express": "^2.10.0",
  "@x402/paywall": "^2.10.0",
  ...
},
"pnpm": {
  "overrides": {
    "@x402/paywall": "https://github.com/vativ/x402-mezo-preview/releases/download/v2.10.0-mezo.6/x402-paywall-2.10.0-mezo.6.tgz",
    "@x402/evm": "https://github.com/vativ/x402-mezo-preview/releases/download/v2.10.0-mezo.6/x402-evm-2.10.0-mezo.6.tgz"
  }
}

apps/humor/client/package.json:

"dependencies": {
  "@x402/evm": "^2.10.0",
  "@x402/fetch": "^2.10.0",
  ...
},
"pnpm": {
  "overrides": {
    "@x402/evm": "https://github.com/vativ/x402-mezo-preview/releases/download/v2.10.0-mezo.6/x402-evm-2.10.0-mezo.6.tgz"
  }
}

Each of apps/humor/server and apps/humor/client is its own install root (no workspace, no root package.json, no pnpm-workspace.yaml), so pnpm.overrides applies at the root where pnpm install runs.

Verification results

Just ran all three checks on a clean tree at this branch:

1. Fresh pnpm install succeeds

Server:

$ rm -rf node_modules pnpm-lock.yaml && pnpm install
...
dependencies:
+ @x402/core 2.10.0
+ @x402/evm 2.10.0-mezo.6
+ @x402/express 2.10.0
+ @x402/paywall 2.10.0-mezo.6
...
Done in 20.5s using pnpm v10.7.0

Client:

$ rm -rf node_modules pnpm-lock.yaml && pnpm install
...
dependencies:
+ @x402/evm 2.10.0-mezo.6
+ @x402/fetch 2.10.0
...
Done in 4.1s using pnpm v10.7.0

2. Installed @x402/paywall version is 2.10.0-mezo.6 (NOT canonical npm)

Confirmed in the install output above:

• @x402/paywall 2.10.0-mezo.6 — preview tarball (would have been 2.10.0 if override wasn't applied)
• @x402/evm 2.10.0-mezo.6 — preview tarball

The -mezo.6 suffix proves pnpm resolved through the overrides block, not npm.

3. humor:dev still builds

• npx tsc --noEmit on server — clean (exit 0)
• Server boots via npx tsx humor-server.ts:

  Mezo x402 Humor Server on port 39999
    GET /joke — 0.001 mUSD (x402 paywalled)
    Facilitator: https://facilitator.vativ.io
  

• GET /health → 200
• GET /joke (no payment) → 402 (paywall behavior intact)

TL;DR

PR#2 is install-safe. No force-push needed — the overrides block was never dropped; the diff is deletion-only because pnpm.overrides was already at its target state before this PR. Ready for Ryan's review when mayor is.

[ryanRfox]

@ryanRfox — cleared by mayor for your review/merge. Install-safe verification in the previous comment. Feel free to squash or merge-commit; no merge-order dependency with any other branch.