npm - x402-surface-check - Versions diffs - 0.2.19 → 0.2.21 - Mend

x402-surface-check 0.2.19 → 0.2.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md +2 -0
package/bin/x402-surface-check.mjs +53 -0
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -30,7 +30,9 @@ npx --yes x402-surface-check --endpoint --method POST --body '{"prompt":"price C
 - Testnet or staging rails such as Base Sepolia and Solana devnet
 - HTTPS resource URLs and stable resource metadata
 - Browser CORS allowance for the requesting origin and `X-PAYMENT`, including the actual 402 challenge response
+- Cache-Control posture on no-payment challenge responses, with warnings for explicitly cacheable payment gates
 - Grouped finding summaries for repeated route-wide issues, so large manifests keep the patch order readable
+- Contextual reference guides for CORS, cache policy, Worker gates, resource echo, validation/auth ordering, and launch controls
 - Over-broad public method surfaces
 - Auth, validation, and free/trial responses that appear before a payment challenge, without piling on missing-field findings when no challenge was actually returned
 - Operational health/status endpoints, without treating expected free health checks as paid-route failures

package/bin/x402-surface-check.mjs CHANGED Viewed

@@ -701,6 +701,17 @@ function looksLikePlaceholderPayTo(payTo) {
   return false
 }
+function cachePolicy(headers = {}) {
+  return headers['cache-control'] ?? headers.cacheControl ?? ''
+}
+function looksExplicitlyCacheable(headers = {}) {
+  const policy = cachePolicy(headers)
+  if (!policy) return false
+  if (/\b(no-store|private|no-cache)\b/i.test(policy)) return false
+  return /\b(public|s-maxage|max-age\s*=)\b/i.test(policy)
+}
 function entryKey(entry) {
   return `${entry.method ?? 'POST'} ${entry.url}`
 }
@@ -781,6 +792,9 @@ function findingList(documentResult, challengeResults, preflightResults, entries
     if (!summary.resourceUrl || !summary.extraResource) {
       findings.push(`P2 - ${result.name} challenge does not repeat the resource URL in both resource.url and accepts[0].extra.resource/resource.`)
     }
+    if (looksExplicitlyCacheable(result.headers)) {
+      findings.push(`P2 - ${result.name} payment challenge response is explicitly cacheable (${cachePolicy(result.headers)}); paid routes should use no-store/private cache policy or bypass shared caches.`)
+    }
   }
   for (const result of preflightResults) {
@@ -853,6 +867,29 @@ function groupedFindingSummary(findings) {
     .map(([label, count]) => `- ${count} endpoints: ${label}`)
 }
+function referenceGuides(findings) {
+  const guides = []
+  const add = (label, url) => {
+    if (!guides.some(guide => guide.url === url)) guides.push({ label, url })
+  }
+  const text = findings.join('\n')
+  if (/CORS|402 challenge response does not allow the requesting origin|X-PAYMENT/i.test(text)) {
+    add('x402 CORS Fix', 'https://tateprograms.com/x402-cors-fix.html')
+    add('Cloudflare x402 Worker Starter', 'https://tateprograms.com/cloudflare-x402-worker.html')
+  }
+  if (/cacheable|Cache-Control|cache policy|shared caches/i.test(text)) {
+    add('Cloudflare x402 Worker Starter', 'https://tateprograms.com/cloudflare-x402-worker.html')
+    add('x402 Attack Map 2026', 'https://tateprograms.com/x402-attack-map-2026.html')
+  }
+  if (/validation HTTP \d+ before a payment challenge|auth HTTP \d+ before a payment challenge|replay|idempotency/i.test(text)) {
+    add('x402 Launch Checklist', 'https://tateprograms.com/x402-launch-checklist.html')
+  }
+  if (/resource URL|resource echo|accepts\[0\]\.extra\.resource/i.test(text)) {
+    add('x402 Surface Check notes', 'https://tateprograms.com/x402-surface-check.html')
+  }
+  return guides.map(guide => `- ${guide.label}: ${guide.url}`)
+}
 function formatMarkdown(report) {
   const document = report.document.body.json ?? {}
   const challengeRows = report.challenges.map(result => {
@@ -862,7 +899,11 @@ function formatMarkdown(report) {
   const preflightRows = report.preflights.map(result => {
     return `| ${result.name} | ${result.method ?? 'POST'} | ${result.status} | ${result.headers['access-control-allow-origin'] ?? '-'} | ${result.headers['access-control-allow-headers'] ?? '-'} | ${result.headers['access-control-allow-methods'] ?? '-'} |`
   })
+  const cacheRows = report.challenges.map(result => {
+    return `| ${result.name} | ${result.method ?? 'POST'} | ${result.status} | ${cachePolicy(result.headers) || '-'} |`
+  })
   const findingSummary = groupedFindingSummary(report.findings)
+  const guides = referenceGuides(report.findings)
   return [
     '# x402 Public Surface Check',
@@ -896,6 +937,12 @@ function formatMarkdown(report) {
     '| --- | --- | --- | --- | --- | --- |',
     ...(preflightRows.length ? preflightRows : ['| - | - | - | - | - | - |']),
     '',
+    '## Cache Policy Map',
+    '',
+    '| Endpoint | Method | HTTP | Cache-Control |',
+    '| --- | --- | --- | --- |',
+    ...(cacheRows.length ? cacheRows : ['| - | - | - | - |']),
+    '',
     ...(findingSummary.length ? [
       '## Finding Summary',
       '',
@@ -906,6 +953,12 @@ function formatMarkdown(report) {
     '',
     ...(report.findings.length ? report.findings.map(item => `- ${item}`) : ['- No obvious launch-readiness findings from the public no-payment probes.']),
     '',
+    ...(guides.length ? [
+      '## Reference Guides',
+      '',
+      ...guides,
+      '',
+    ] : []),
   ].join('\n')
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "x402-surface-check",
-  "version": "0.2.19",
+  "version": "0.2.21",
   "description": "No-payment x402 public-surface checker for manifests, OpenAPI specs, and HTTP 402 challenges.",
   "type": "module",
   "bin": {