x402-surface-check 0.2.17 → 0.2.19

package/README.md

@@ -15,7 +15,7 @@ npx --yes x402-surface-check --endpoint --method POST --body '{"prompt":"price C
 
 ## What It Checks
 
-- Manifest endpoint discovery from `items[]`, `endpoints[]`, `resources[]`, `x402Endpoints`, category arrays, resource strings, and OpenAPI paths
+- Manifest endpoint discovery from `items[]`, `endpoints[]`, `resources[]`, `x402Endpoints`, category arrays, raw resource URL strings, method-prefixed resource strings, and OpenAPI paths
 - Linked discovery documents via `discovery_url`, `discoveryUrl`, `resources_url`, `resourcesUrl`, or manifest-level OpenAPI links
 - OpenAPI `servers[]` base-path preservation, so `/paths` are probed through the documented gateway rather than the domain root
 - OpenAPI query/path examples, JSON request-body examples, nested request schemas, local `$ref` request schemas, and explicit direct-endpoint bodies for safer no-payment probes
@@ -30,6 +30,7 @@ npx --yes x402-surface-check --endpoint --method POST --body '{"prompt":"price C
 - Testnet or staging rails such as Base Sepolia and Solana devnet
 - HTTPS resource URLs and stable resource metadata
 - Browser CORS allowance for the requesting origin and `X-PAYMENT`, including the actual 402 challenge response
+- Grouped finding summaries for repeated route-wide issues, so large manifests keep the patch order readable
 - Over-broad public method surfaces
 - Auth, validation, and free/trial responses that appear before a payment challenge, without piling on missing-field findings when no challenge was actually returned
 - Operational health/status endpoints, without treating expected free health checks as paid-route failures

package/bin/x402-surface-check.mjs

@@ -394,8 +394,8 @@ function endpointEntries(document, sourceUrl, limit) {
   for (const resource of document.resources ?? []) {
     if (typeof resource === 'string') {
       const match = resource.match(/^(GET|POST|PUT|PATCH|DELETE)\s+(\S+)/i)
-      if (!match) continue
-      const [, method, rawPath] = match
+      const method = match?.[1] ?? 'GET'
+      const rawPath = match?.[2] ?? resource
       const url = rawPath.startsWith('http')
         ? rawPath
         : new URL(rawPath, document.baseUrl ?? sourceUrl).toString()
@@ -814,6 +814,45 @@ function findingList(documentResult, challengeResults, preflightResults, entries
   return findings
 }
 
+function groupedFindingLabel(finding) {
+  if (/402 challenge response does not allow the requesting origin/.test(finding)) {
+    return 'P1 - Actual 402 challenge responses do not allow the requesting origin; browser clients cannot read payment requirements.'
+  }
+  if (/CORS preflight does not allow the requesting origin/.test(finding)) {
+    return 'P1 - CORS preflight does not allow the requesting origin.'
+  }
+  if (/CORS preflight does not allow X-PAYMENT/.test(finding)) {
+    return 'P1 - CORS preflight does not allow X-PAYMENT.'
+  }
+  if (/challenge does not repeat the resource URL/.test(finding)) {
+    return 'P2 - Challenge accept legs do not repeat the resource URL for reconciliation.'
+  }
+  if (/returned validation HTTP \d+ before a payment challenge/.test(finding)) {
+    return 'P1 - Routes return validation before a payment challenge.'
+  }
+  if (/returned auth HTTP \d+ before a payment challenge/.test(finding)) {
+    return 'P2 - Routes return auth before a payment challenge.'
+  }
+  if (/challenge advertises staging\/test network/.test(finding)) {
+    return 'P2 - Challenges advertise staging or test networks.'
+  }
+  if (/challenge advertises placeholder-looking payTo/.test(finding)) {
+    return 'P1 - Challenges advertise placeholder-looking payTo recipients.'
+  }
+  return null
+}
+
+function groupedFindingSummary(findings) {
+  const counts = new Map()
+  for (const finding of findings) {
+    const label = groupedFindingLabel(finding)
+    if (label) counts.set(label, (counts.get(label) ?? 0) + 1)
+  }
+  return [...counts.entries()]
+    .filter(([, count]) => count > 1)
+    .map(([label, count]) => `- ${count} endpoints: ${label}`)
+}
+
 function formatMarkdown(report) {
   const document = report.document.body.json ?? {}
   const challengeRows = report.challenges.map(result => {
@@ -823,6 +862,7 @@ function formatMarkdown(report) {
   const preflightRows = report.preflights.map(result => {
     return `| ${result.name} | ${result.method ?? 'POST'} | ${result.status} | ${result.headers['access-control-allow-origin'] ?? '-'} | ${result.headers['access-control-allow-headers'] ?? '-'} | ${result.headers['access-control-allow-methods'] ?? '-'} |`
   })
+  const findingSummary = groupedFindingSummary(report.findings)
 
   return [
     '# x402 Public Surface Check',
@@ -856,6 +896,12 @@ function formatMarkdown(report) {
     '| --- | --- | --- | --- | --- | --- |',
     ...(preflightRows.length ? preflightRows : ['| - | - | - | - | - | - |']),
     '',
+    ...(findingSummary.length ? [
+      '## Finding Summary',
+      '',
+      ...findingSummary,
+      '',
+    ] : []),
     '## Findings',
     '',
     ...(report.findings.length ? report.findings.map(item => `- ${item}`) : ['- No obvious launch-readiness findings from the public no-payment probes.']),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "x402-surface-check",
-  "version": "0.2.17",
+  "version": "0.2.19",
   "description": "No-payment x402 public-surface checker for manifests, OpenAPI specs, and HTTP 402 challenges.",
   "type": "module",
   "bin": {