npm - x402-surface-check - Versions diffs - 0.2.21 → 0.2.22 - Mend

x402-surface-check 0.2.21 → 0.2.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md +4 -1
package/bin/x402-surface-check.mjs +15 -2
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -11,6 +11,7 @@ npx --yes x402-surface-check https://api.example.com/.well-known/x402
 npx --yes x402-surface-check https://api.example.com/openapi.json report.md
 npx --yes x402-surface-check --endpoint --method POST https://x402.rpc.ankr.com/eth
 npx --yes x402-surface-check --endpoint --method POST --body '{"prompt":"price CPI"}' https://api.example.com/paid-post
+npx --yes x402-surface-check --strict-cache https://api.example.com/openapi.json
 ```
 ## What It Checks
@@ -30,7 +31,7 @@ npx --yes x402-surface-check --endpoint --method POST --body '{"prompt":"price C
 - Testnet or staging rails such as Base Sepolia and Solana devnet
 - HTTPS resource URLs and stable resource metadata
 - Browser CORS allowance for the requesting origin and `X-PAYMENT`, including the actual 402 challenge response
-- Cache-Control posture on no-payment challenge responses, with warnings for explicitly cacheable payment gates
+- Cache-Control posture on no-payment challenge responses, with warnings for explicitly cacheable payment gates and optional strict-cache findings for missing policy headers
 - Grouped finding summaries for repeated route-wide issues, so large manifests keep the patch order readable
 - Contextual reference guides for CORS, cache policy, Worker gates, resource echo, validation/auth ordering, and launch controls
 - Over-broad public method surfaces
@@ -66,6 +67,7 @@ x402-surface-check --endpoint --method POST <paid-endpoint-url> [output.md]
 --body-file <p>  Read JSON request body for direct endpoint mode from a file
 --origin <url>   Origin to use for browser-style CORS preflight
 --limit <n>      Maximum endpoints to probe, default 6
+--strict-cache   Flag missing Cache-Control on no-payment 402 responses
 --json           Print JSON instead of Markdown
 --help           Show usage
 --version        Show package version
@@ -76,6 +78,7 @@ Environment variables are also supported:
 ```bash
 X402_CHECK_ORIGIN=https://example.com x402-surface-check https://api.example.com/openapi.json
 X402_CHECK_LIMIT=12 x402-surface-check https://api.example.com/.well-known/x402
+X402_STRICT_CACHE=1 x402-surface-check https://api.example.com/.well-known/x402
 ```
 ## Scope

package/bin/x402-surface-check.mjs CHANGED Viewed

@@ -22,6 +22,7 @@ Options:
   --body-file <p>  Read JSON request body for direct endpoint mode from a file
   --origin <url>   Origin to use for browser-style CORS preflight
   --limit <n>      Maximum endpoints to probe, default ${defaultLimit}
+  --strict-cache   Flag missing Cache-Control on no-payment 402 responses
   --json           Print JSON instead of Markdown
   --help           Show this help
   --version        Show package version
@@ -38,6 +39,7 @@ function parseArgs(argv) {
     body: process.env.X402_CHECK_BODY,
     bodyFile: process.env.X402_CHECK_BODY_FILE,
     outputPath: '',
+    strictCache: process.env.X402_STRICT_CACHE === '1',
     url: '',
   }
@@ -55,6 +57,9 @@ function parseArgs(argv) {
     else if (arg === '--endpoint') {
       args.endpoint = true
     }
+    else if (arg === '--strict-cache') {
+      args.strictCache = true
+    }
     else if (arg === '--method') {
       args.method = String(argv[index + 1] ?? '').toUpperCase()
       index += 1
@@ -721,7 +726,7 @@ function looksLikeOperationalHealthEndpoint(result) {
   return /(^|[/_\s-])(health|healthz|ready|readiness|live|liveness|status)([/_\s-]|$)/.test(value)
 }
-function findingList(documentResult, challengeResults, preflightResults, entries) {
+function findingList(documentResult, challengeResults, preflightResults, entries, options = {}) {
   const document = documentResult.body.json ?? {}
   const findings = []
   const networks = valueList(document.networks)
@@ -795,6 +800,9 @@ function findingList(documentResult, challengeResults, preflightResults, entries
     if (looksExplicitlyCacheable(result.headers)) {
       findings.push(`P2 - ${result.name} payment challenge response is explicitly cacheable (${cachePolicy(result.headers)}); paid routes should use no-store/private cache policy or bypass shared caches.`)
     }
+    else if (options.strictCache && !cachePolicy(result.headers)) {
+      findings.push(`P3 - ${result.name} payment challenge response did not expose Cache-Control; for payment-gated routes, document or send no-store/private cache policy and confirm paid 200 responses are never shared-cacheable.`)
+    }
   }
   for (const result of preflightResults) {
@@ -853,6 +861,9 @@ function groupedFindingLabel(finding) {
   if (/challenge advertises placeholder-looking payTo/.test(finding)) {
     return 'P1 - Challenges advertise placeholder-looking payTo recipients.'
   }
+  if (/payment challenge response did not expose Cache-Control/.test(finding)) {
+    return 'P3 - Payment challenge responses do not expose Cache-Control in strict cache mode.'
+  }
   return null
 }
@@ -1013,7 +1024,9 @@ async function runCheck(options) {
     preflights,
     sourceDocument,
   }
-  report.findings = findingList(document, challenges, preflights, entries)
+  report.findings = findingList(document, challenges, preflights, entries, {
+    strictCache: options.strictCache,
+  })
   return report
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "x402-surface-check",
-  "version": "0.2.21",
+  "version": "0.2.22",
   "description": "No-payment x402 public-surface checker for manifests, OpenAPI specs, and HTTP 402 challenges.",
   "type": "module",
   "bin": {