x402-surface-check 0.2.20 → 0.2.22

package/README.md

@@ -11,6 +11,7 @@ npx --yes x402-surface-check https://api.example.com/.well-known/x402
 npx --yes x402-surface-check https://api.example.com/openapi.json report.md
 npx --yes x402-surface-check --endpoint --method POST https://x402.rpc.ankr.com/eth
 npx --yes x402-surface-check --endpoint --method POST --body '{"prompt":"price CPI"}' https://api.example.com/paid-post
+npx --yes x402-surface-check --strict-cache https://api.example.com/openapi.json
 ```
 
 ## What It Checks
@@ -30,8 +31,9 @@ npx --yes x402-surface-check --endpoint --method POST --body '{"prompt":"price C
 - Testnet or staging rails such as Base Sepolia and Solana devnet
 - HTTPS resource URLs and stable resource metadata
 - Browser CORS allowance for the requesting origin and `X-PAYMENT`, including the actual 402 challenge response
-- Cache-Control posture on no-payment challenge responses, with warnings for explicitly cacheable payment gates
+- Cache-Control posture on no-payment challenge responses, with warnings for explicitly cacheable payment gates and optional strict-cache findings for missing policy headers
 - Grouped finding summaries for repeated route-wide issues, so large manifests keep the patch order readable
+- Contextual reference guides for CORS, cache policy, Worker gates, resource echo, validation/auth ordering, and launch controls
 - Over-broad public method surfaces
 - Auth, validation, and free/trial responses that appear before a payment challenge, without piling on missing-field findings when no challenge was actually returned
 - Operational health/status endpoints, without treating expected free health checks as paid-route failures
@@ -65,6 +67,7 @@ x402-surface-check --endpoint --method POST <paid-endpoint-url> [output.md]
 --body-file <p>  Read JSON request body for direct endpoint mode from a file
 --origin <url>   Origin to use for browser-style CORS preflight
 --limit <n>      Maximum endpoints to probe, default 6
+--strict-cache   Flag missing Cache-Control on no-payment 402 responses
 --json           Print JSON instead of Markdown
 --help           Show usage
 --version        Show package version
@@ -75,6 +78,7 @@ Environment variables are also supported:
 ```bash
 X402_CHECK_ORIGIN=https://example.com x402-surface-check https://api.example.com/openapi.json
 X402_CHECK_LIMIT=12 x402-surface-check https://api.example.com/.well-known/x402
+X402_STRICT_CACHE=1 x402-surface-check https://api.example.com/.well-known/x402
 ```
 
 ## Scope

package/bin/x402-surface-check.mjs

@@ -22,6 +22,7 @@ Options:
   --body-file <p>  Read JSON request body for direct endpoint mode from a file
   --origin <url>   Origin to use for browser-style CORS preflight
   --limit <n>      Maximum endpoints to probe, default ${defaultLimit}
+  --strict-cache   Flag missing Cache-Control on no-payment 402 responses
   --json           Print JSON instead of Markdown
   --help           Show this help
   --version        Show package version
@@ -38,6 +39,7 @@ function parseArgs(argv) {
     body: process.env.X402_CHECK_BODY,
     bodyFile: process.env.X402_CHECK_BODY_FILE,
     outputPath: '',
+    strictCache: process.env.X402_STRICT_CACHE === '1',
     url: '',
   }
 
@@ -55,6 +57,9 @@ function parseArgs(argv) {
     else if (arg === '--endpoint') {
       args.endpoint = true
     }
+    else if (arg === '--strict-cache') {
+      args.strictCache = true
+    }
     else if (arg === '--method') {
       args.method = String(argv[index + 1] ?? '').toUpperCase()
       index += 1
@@ -721,7 +726,7 @@ function looksLikeOperationalHealthEndpoint(result) {
   return /(^|[/_\s-])(health|healthz|ready|readiness|live|liveness|status)([/_\s-]|$)/.test(value)
 }
 
-function findingList(documentResult, challengeResults, preflightResults, entries) {
+function findingList(documentResult, challengeResults, preflightResults, entries, options = {}) {
   const document = documentResult.body.json ?? {}
   const findings = []
   const networks = valueList(document.networks)
@@ -795,6 +800,9 @@ function findingList(documentResult, challengeResults, preflightResults, entries
     if (looksExplicitlyCacheable(result.headers)) {
       findings.push(`P2 - ${result.name} payment challenge response is explicitly cacheable (${cachePolicy(result.headers)}); paid routes should use no-store/private cache policy or bypass shared caches.`)
     }
+    else if (options.strictCache && !cachePolicy(result.headers)) {
+      findings.push(`P3 - ${result.name} payment challenge response did not expose Cache-Control; for payment-gated routes, document or send no-store/private cache policy and confirm paid 200 responses are never shared-cacheable.`)
+    }
   }
 
   for (const result of preflightResults) {
@@ -853,6 +861,9 @@ function groupedFindingLabel(finding) {
   if (/challenge advertises placeholder-looking payTo/.test(finding)) {
     return 'P1 - Challenges advertise placeholder-looking payTo recipients.'
   }
+  if (/payment challenge response did not expose Cache-Control/.test(finding)) {
+    return 'P3 - Payment challenge responses do not expose Cache-Control in strict cache mode.'
+  }
   return null
 }
 
@@ -867,6 +878,29 @@ function groupedFindingSummary(findings) {
     .map(([label, count]) => `- ${count} endpoints: ${label}`)
 }
 
+function referenceGuides(findings) {
+  const guides = []
+  const add = (label, url) => {
+    if (!guides.some(guide => guide.url === url)) guides.push({ label, url })
+  }
+  const text = findings.join('\n')
+  if (/CORS|402 challenge response does not allow the requesting origin|X-PAYMENT/i.test(text)) {
+    add('x402 CORS Fix', 'https://tateprograms.com/x402-cors-fix.html')
+    add('Cloudflare x402 Worker Starter', 'https://tateprograms.com/cloudflare-x402-worker.html')
+  }
+  if (/cacheable|Cache-Control|cache policy|shared caches/i.test(text)) {
+    add('Cloudflare x402 Worker Starter', 'https://tateprograms.com/cloudflare-x402-worker.html')
+    add('x402 Attack Map 2026', 'https://tateprograms.com/x402-attack-map-2026.html')
+  }
+  if (/validation HTTP \d+ before a payment challenge|auth HTTP \d+ before a payment challenge|replay|idempotency/i.test(text)) {
+    add('x402 Launch Checklist', 'https://tateprograms.com/x402-launch-checklist.html')
+  }
+  if (/resource URL|resource echo|accepts\[0\]\.extra\.resource/i.test(text)) {
+    add('x402 Surface Check notes', 'https://tateprograms.com/x402-surface-check.html')
+  }
+  return guides.map(guide => `- ${guide.label}: ${guide.url}`)
+}
+
 function formatMarkdown(report) {
   const document = report.document.body.json ?? {}
   const challengeRows = report.challenges.map(result => {
@@ -880,6 +914,7 @@ function formatMarkdown(report) {
     return `| ${result.name} | ${result.method ?? 'POST'} | ${result.status} | ${cachePolicy(result.headers) || '-'} |`
   })
   const findingSummary = groupedFindingSummary(report.findings)
+  const guides = referenceGuides(report.findings)
 
   return [
     '# x402 Public Surface Check',
@@ -929,6 +964,12 @@ function formatMarkdown(report) {
     '',
     ...(report.findings.length ? report.findings.map(item => `- ${item}`) : ['- No obvious launch-readiness findings from the public no-payment probes.']),
     '',
+    ...(guides.length ? [
+      '## Reference Guides',
+      '',
+      ...guides,
+      '',
+    ] : []),
   ].join('\n')
 }
 
@@ -983,7 +1024,9 @@ async function runCheck(options) {
     preflights,
     sourceDocument,
   }
-  report.findings = findingList(document, challenges, preflights, entries)
+  report.findings = findingList(document, challenges, preflights, entries, {
+    strictCache: options.strictCache,
+  })
   return report
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "x402-surface-check",
-  "version": "0.2.20",
+  "version": "0.2.22",
   "description": "No-payment x402 public-surface checker for manifests, OpenAPI specs, and HTTP 402 challenges.",
   "type": "module",
   "bin": {