Migrate sellers to native CloudFront + WAF x402 monetization #37

Draft
arditti wants to merge 6 commits into aws-samples:main from arditti:feat/native-waf-x402-monetization

arditti commented Jun 15, 2026

Front the AI-content + gateway sellers with native CloudFront + WAF x402 monetization

AWS now supports AI-traffic monetization natively in CloudFront + WAF. This PR fronts
both seller surfaces (serverless/ AI-content API and agentic/ payment gateway) with
CloudFront + a WAF WebACL and removes the in-app x402 verify/settle middleware.

Changes

  • Native WAF monetization builder (serverless/lib/waf-monetization.ts) + unit tests.
  • CloudFront + CLOUDFRONT WebACL on both stacks (Bot Control v6, human-allow, free
    discovery, per-tier Monetize).
  • /generate split into /generate-text (×1) and /generate-image (×20) off a $0.002
    base so WAF can price by URI prefix; /estimate stays free.
  • Seller Lambdas stripped of x402 verify/settle — content only.
  • CDK assertion tests for the serverless WebACL.

IaC support status

AWS WAF AI traffic monetization is GA; the Monetize action + MonetizationConfig
are not yet in the released CloudFormation/CDK (SDK/CFN support expected to follow
shortly). They are applied via L1 addPropertyOverride so both stacks deploy the
WebACL with the monetization fields set verbatim, to be simplified to native props once
they land.

Note

WAF fixed tiers can't reproduce true per-token pricing; text/image tiers are
representative and /estimate remains free for price discovery.

✅ Validated against the official AWS spec

Checked against the AWS WAF AI traffic monetization docs (getting started, pricing):

  • MonetizationConfig shape: CryptoConfig.PaymentNetworks[] with Chain / WalletAddress / Prices[{Amount,Currency}] + CurrencyMode — matches.
  • Chain = BASE_SEPOLIA and CurrencyMode = TEST are valid test-mode values (production = BASE/SOLANA + REAL).
  • Base price ≥ the $0.001 USDC service minimum, decimal string with ≤ 3 dp.
  • Monetize is a terminating action gated to bot traffic via Bot Control labels (human-allow runs first), per the docs’ guidance to avoid 402-ing human visitors.
  • PriceMultiplier is a per-rule string; effective price = base × multiplier.

⛔ Do not merge yet (gating)

AWS WAF AI traffic monetization is GA, but the Monetize action + MonetizationConfig are not yet exposed by the IaC tooling this repo uses (released CloudFormation/CDK/SDK, or the Terraform AWS provider) — that support is expected to follow shortly. Opened as a draft. Merge only once:

  1. the monetization properties are available in that IaC tooling (so the config is set via native props rather than an L1 escape hatch), and
  2. the stack has been deployed end-to-end in TEST mode (Base Sepolia) and a 402 → pay → settle round-trip verified.

Until then this is a reviewable reference; the WebACL deploys, and the monetization fields are set via the supported L1 addPropertyOverride escape hatch.
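
The checks listed under "Validated against the official AWS spec" can be run before deploy, since fields set through addPropertyOverride get no type checking from CDK. The following is an added example, not code from this PR or repository. The type names, function names, placeholder wallet address, the integer-only multiplier and the strict pairing of CurrencyMode with Chain are assumptions.

```typescript
// Added example. Field names follow the MonetizationConfig shape quoted in the PR
// description; type and function names are hypothetical.
type Price = { Amount: string; Currency: string };
type Network = { Chain: string; WalletAddress: string; Prices: Price[] };
type MonetizationConfig = {
  CryptoConfig: { PaymentNetworks: Network[] };
  CurrencyMode: string;
};

// Decimal string -> integer thousandths; null if malformed or more than 3 dp.
function toMilli(s: string): number | null {
  const m = /^(\d+)(?:\.(\d{1,3}))?$/.exec(s);
  if (!m) return null;
  return Number(m[1]) * 1000 + Number(((m[2] || "") + "000").slice(0, 3));
}

// Returns a list of problems; an empty list means the config passes these checks.
function checkConfig(cfg: MonetizationConfig): string[] {
  const problems: string[] = [];
  const chains = cfg.CurrencyMode === "TEST" ? ["BASE_SEPOLIA"]
    : cfg.CurrencyMode === "REAL" ? ["BASE", "SOLANA"] : null;
  if (!chains) problems.push("unknown CurrencyMode " + cfg.CurrencyMode);
  for (const net of cfg.CryptoConfig.PaymentNetworks) {
    if (chains && chains.indexOf(net.Chain) < 0)
      problems.push(net.Chain + " is not a " + cfg.CurrencyMode + " chain");
    for (const p of net.Prices) {
      const milli = toMilli(p.Amount);
      if (milli === null) problems.push(p.Amount + " is not a decimal with <= 3 dp");
      else if (milli < 1) problems.push(p.Amount + " is below the 0.001 minimum");
    }
  }
  return problems;
}

// Effective price = base x multiplier, in integer thousandths to avoid float drift.
// Assumes an integer multiplier such as the x1 and x20 tiers in this PR.
function effectivePrice(base: string, multiplier: string): string {
  const b = toMilli(base);
  if (b === null || !/^[1-9]\d*$/.test(multiplier)) throw new Error("bad price input");
  return ((b * Number(multiplier)) / 1000).toFixed(3);
}

// Constructed sample: test-mode config with a placeholder wallet address.
const sample: MonetizationConfig = {
  CryptoConfig: { PaymentNetworks: [{ Chain: "BASE_SEPOLIA",
    WalletAddress: "0x0000000000000000000000000000000000000000",
    Prices: [{ Amount: "0.002", Currency: "USDC" }] }] },
  CurrencyMode: "TEST",
};
```
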

arditti added 6 commits June 15, 2026 09:17
…ending

The AWS WAF AI traffic monetization capability is generally available
(configurable via the WAF console and API today). Only the
MonetizationConfig / Monetize fields in the released CloudFormation /
CDK / SDK (and Terraform AWS provider) are still pending, expected to
follow shortly. Reword comments/docs accordingly: the L1
addPropertyOverride (or commented HCL) is the supported way to set these
fields until the typed props land — not a 'preview'/'inert' workaround.