x402-surface-check 0.2.15 → 0.2.17

package/README.md

@@ -10,6 +10,7 @@ npm: https://www.npmjs.com/package/x402-surface-check
 npx --yes x402-surface-check https://api.example.com/.well-known/x402
 npx --yes x402-surface-check https://api.example.com/openapi.json report.md
 npx --yes x402-surface-check --endpoint --method POST https://x402.rpc.ankr.com/eth
+npx --yes x402-surface-check --endpoint --method POST --body '{"prompt":"price CPI"}' https://api.example.com/paid-post
 ```
 
 ## What It Checks
@@ -17,7 +18,8 @@ npx --yes x402-surface-check --endpoint --method POST https://x402.rpc.ankr.com/
 - Manifest endpoint discovery from `items[]`, `endpoints[]`, `resources[]`, `x402Endpoints`, category arrays, resource strings, and OpenAPI paths
 - Linked discovery documents via `discovery_url`, `discoveryUrl`, `resources_url`, `resourcesUrl`, or manifest-level OpenAPI links
 - OpenAPI `servers[]` base-path preservation, so `/paths` are probed through the documented gateway rather than the domain root
-- OpenAPI query/path examples and JSON request-body examples for safer no-payment probes
+- OpenAPI query/path examples, JSON request-body examples, nested request schemas, local `$ref` request schemas, and explicit direct-endpoint bodies for safer no-payment probes
+- OpenAPI paid-operation prioritization, so docs and discovery routes do not consume the probe limit before payment-bearing operations
 - No-payment HTTP 402 challenge shape
 - x402 v1 and v2 price fields, including `accepts[]` and `schemes[]` challenge arrays
 - MPP `WWW-Authenticate: Payment` and x402 V2 `WWW-Authenticate: X402 requirements=...` challenges
@@ -57,6 +59,8 @@ x402-surface-check --endpoint --method POST <paid-endpoint-url> [output.md]
 
 --endpoint       Treat the URL as one paid endpoint instead of a discovery document
 --method <verb>  HTTP method for direct endpoint mode, default POST
+--body <json>    JSON request body for direct endpoint mode
+--body-file <p>  Read JSON request body for direct endpoint mode from a file
 --origin <url>   Origin to use for browser-style CORS preflight
 --limit <n>      Maximum endpoints to probe, default 6
 --json           Print JSON instead of Markdown

package/bin/x402-surface-check.mjs

@@ -18,6 +18,8 @@ Usage:
 Options:
   --endpoint       Treat the URL as one paid endpoint instead of a discovery document
   --method <verb>  HTTP method for direct endpoint mode, default POST
+  --body <json>    JSON request body for direct endpoint mode
+  --body-file <p>  Read JSON request body for direct endpoint mode from a file
   --origin <url>   Origin to use for browser-style CORS preflight
   --limit <n>      Maximum endpoints to probe, default ${defaultLimit}
   --json           Print JSON instead of Markdown
@@ -33,6 +35,8 @@ function parseArgs(argv) {
     limit: Number(process.env.X402_CHECK_LIMIT ?? defaultLimit),
     method: 'POST',
     origin: process.env.X402_CHECK_ORIGIN,
+    body: process.env.X402_CHECK_BODY,
+    bodyFile: process.env.X402_CHECK_BODY_FILE,
     outputPath: '',
     url: '',
   }
@@ -55,6 +59,14 @@ function parseArgs(argv) {
       args.method = String(argv[index + 1] ?? '').toUpperCase()
       index += 1
     }
+    else if (arg === '--body') {
+      args.body = argv[index + 1]
+      index += 1
+    }
+    else if (arg === '--body-file') {
+      args.bodyFile = argv[index + 1]
+      index += 1
+    }
     else if (arg === '--origin') {
       args.origin = argv[index + 1]
       index += 1
@@ -77,6 +89,23 @@ function parseArgs(argv) {
   return args
 }
 
+async function directEndpointRequestBody(options) {
+  if (!options.endpoint) return undefined
+  if (options.body && options.bodyFile) {
+    throw new Error('Use either --body or --body-file, not both.')
+  }
+  const raw = options.bodyFile
+    ? await readFile(options.bodyFile, 'utf8')
+    : options.body
+  if (!raw) return undefined
+  try {
+    return JSON.parse(raw)
+  }
+  catch (error) {
+    throw new Error(`Request body must be valid JSON: ${error.message}`)
+  }
+}
+
 function moneyFromAtomic(amount, decimals = 6) {
   if (amount === '' || amount === null || amount === undefined) return ''
   const numeric = Number(amount)
@@ -157,21 +186,71 @@ function operationExpectedPrice(operation) {
   return numeric === null ? null : numeric
 }
 
-function exampleValue(schemaOrParameter) {
+function resolveLocalRef(ref, document) {
+  if (typeof ref !== 'string' || !ref.startsWith('#/')) return undefined
+  return ref
+    .slice(2)
+    .split('/')
+    .map(part => part.replaceAll('~1', '/').replaceAll('~0', '~'))
+    .reduce((value, part) => value?.[part], document)
+}
+
+function resolveSchema(schema, document, seen = new Set()) {
+  if (!schema || typeof schema !== 'object') return schema
+  if (!schema.$ref) return schema
+  if (seen.has(schema.$ref)) return schema
+  const resolved = resolveLocalRef(schema.$ref, document)
+  if (!resolved) return schema
+  seen.add(schema.$ref)
+  return resolveSchema(resolved, document, seen)
+}
+
+function exampleValue(schemaOrParameter, document, depth = 0) {
   if (!schemaOrParameter || typeof schemaOrParameter !== 'object') return undefined
-  const schema = schemaOrParameter.schema ?? schemaOrParameter
+  const schema = resolveSchema(schemaOrParameter.schema ?? schemaOrParameter, document)
+  const composite = schema.oneOf ?? schema.anyOf ?? schema.allOf
+  if (Array.isArray(composite) && composite.length > 0) {
+    return exampleValue(composite[0], document, depth + 1)
+  }
   const value = schemaOrParameter.example
+    ?? schema.const
     ?? schema.example
     ?? schema.default
     ?? (Array.isArray(schema.enum) ? schema.enum[0] : undefined)
   if (value !== undefined) return value
-  if (schema.type === 'string') return ''
-  if (schema.type === 'number' || schema.type === 'integer') return 0
+  if (schema.type === 'string') {
+    if (schema.format === 'uri') return 'https://example.com'
+    if (schema.format === 'date-time') return '2026-01-01T00:00:00.000Z'
+    if (schema.format === 'date') return '2026-01-01'
+    if (Number(schema.minLength) > 0) return 'example'
+    return ''
+  }
+  if (schema.type === 'integer') return Number.isFinite(Number(schema.minimum)) ? Number(schema.minimum) : 1
+  if (schema.type === 'number') return Number.isFinite(Number(schema.minimum)) ? Number(schema.minimum) : 1
   if (schema.type === 'boolean') return false
+  if (schema.type === 'array') {
+    if (depth > 4) return []
+    const item = exampleValue(schema.items ?? {}, document, depth + 1)
+    return item === undefined ? [] : [item]
+  }
+  if (schema.type === 'object') {
+    if (depth > 4) return {}
+    const properties = schema.properties && typeof schema.properties === 'object'
+      ? schema.properties
+      : {}
+    const required = new Set(Array.isArray(schema.required) ? schema.required : Object.keys(properties))
+    const result = {}
+    for (const [key, property] of Object.entries(properties)) {
+      if (!required.has(key)) continue
+      const nestedValue = exampleValue(property, document, depth + 1)
+      if (nestedValue !== undefined) result[key] = nestedValue
+    }
+    return result
+  }
   return undefined
 }
 
-function mediaExample(media) {
+function mediaExample(media, document) {
   if (!media || typeof media !== 'object') return undefined
   if (media.example !== undefined) return media.example
   const examples = media.examples && typeof media.examples === 'object'
@@ -181,7 +260,7 @@ function mediaExample(media) {
   if (firstExample?.value !== undefined) return firstExample.value
   if (firstExample?.externalValue) return undefined
 
-  const schema = media.schema
+  const schema = resolveSchema(media.schema, document)
   if (!schema || typeof schema !== 'object' || schema.type !== 'object') return undefined
   const body = {}
   const properties = schema.properties && typeof schema.properties === 'object'
@@ -191,29 +270,35 @@ function mediaExample(media) {
 
   for (const [name, property] of Object.entries(properties)) {
     if (!required.has(name)) continue
-    const value = exampleValue(property)
+    const value = exampleValue(property, document)
     if (value !== undefined) body[name] = value
   }
 
   return Object.keys(body).length ? body : undefined
 }
 
-function operationRequestBody(operation) {
+function operationRequestBody(operation, document) {
   const content = operation?.requestBody?.content
   if (!content || typeof content !== 'object') return undefined
   const media = content['application/json']
     ?? content['application/*+json']
     ?? Object.entries(content).find(([type]) => /json/i.test(type))?.[1]
-  return mediaExample(media)
+  return mediaExample(media, document)
+}
+
+function operationPaymentSignal(operation) {
+  if (operation?.['x-payment-info'] || operation?.['x-payment'] || operation?.['x-x402'] || operation?.payment) return 2
+  if (operation?.responses && Object.hasOwn(operation.responses, '402')) return 1
+  return 0
 }
 
-function openApiProbeUrl(path, operation, baseUrl) {
+function openApiProbeUrl(path, operation, baseUrl, document) {
   const parameters = Array.isArray(operation?.parameters) ? operation.parameters : []
   let resolvedPath = path
   const searchParams = new URLSearchParams()
 
   for (const parameter of parameters) {
-    const value = exampleValue(parameter)
+    const value = exampleValue(parameter, document)
     if (value === undefined || value === '') continue
     if (parameter.in === 'path') {
       resolvedPath = resolvedPath.replaceAll(`{${parameter.name}}`, encodeURIComponent(String(value)))
@@ -282,22 +367,28 @@ function endpointEntries(document, sourceUrl, limit) {
 
   if (document.openapi && document.paths && typeof document.paths === 'object') {
     const baseUrl = openApiServerBaseUrl(document, sourceUrl)
+    const openApiEntries = []
 
     for (const [path, operations] of Object.entries(document.paths)) {
       if (!operations || typeof operations !== 'object') continue
       for (const method of methods) {
         const operation = operations[method]
         if (!operation || typeof operation !== 'object') continue
-        const url = openApiProbeUrl(path, operation, baseUrl)
-        entries.push({
+        const url = openApiProbeUrl(path, operation, baseUrl, document)
+        openApiEntries.push({
           name: operation.operationId ?? `${method.toUpperCase()} ${path}`,
           url,
           method: method.toUpperCase(),
           expectedPriceUsd: operationExpectedPrice(operation),
-          requestBody: operationRequestBody(operation),
+          requestBody: operationRequestBody(operation, document),
+          paymentSignal: operationPaymentSignal(operation),
         })
       }
     }
+
+    entries.push(...openApiEntries
+      .sort((a, b) => b.paymentSignal - a.paymentSignal)
+      .map(({ paymentSignal, ...entry }) => entry))
   }
 
   for (const resource of document.resources ?? []) {
@@ -773,6 +864,7 @@ function formatMarkdown(report) {
 }
 
 async function runCheck(options) {
+  const directRequestBody = await directEndpointRequestBody(options)
   let sourceDocument = null
   let document = options.endpoint
     ? {
@@ -784,7 +876,7 @@ async function runCheck(options) {
       }
     : await fetchDocument(options.url)
   let entries = options.endpoint
-    ? [{ name: new URL(options.url).pathname.split('/').filter(Boolean).at(-1) ?? options.url, url: options.url, method: options.method || 'POST' }]
+    ? [{ name: new URL(options.url).pathname.split('/').filter(Boolean).at(-1) ?? options.url, url: options.url, method: options.method || 'POST', requestBody: directRequestBody }]
     : (document.body.json ? endpointEntries(document.body.json, document.url, options.limit) : [])
 
   if (!options.endpoint && entries.length === 0 && document.body.json) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "x402-surface-check",
-  "version": "0.2.15",
+  "version": "0.2.17",
   "description": "No-payment x402 public-surface checker for manifests, OpenAPI specs, and HTTP 402 challenges.",
   "type": "module",
   "bin": {