x402-surface-check 0.2.22 → 0.2.23
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +3 -2
- package/package.json +1 -1
package/README.md
CHANGED
@@ -5,6 +5,7 @@ No-payment CLI for checking x402 launch surfaces before a real agent spends.
It accepts an x402 manifest or OpenAPI URL, derives public endpoints, sends no-payment probes, checks browser preflight behavior, and returns a Markdown patch queue. It never sends `X-PAYMENT`, never signs, and never attempts a paid call.
npm: https://www.npmjs.com/package/x402-surface-check
+
Attack-map field note: https://tateprograms.com/x402-attack-map-2026.html
```bash
npx --yes x402-surface-check https://api.example.com/.well-known/x402
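Review bot: the added line 8 sits directly under the `npm:` line with no blank line between them, so Markdown will render both links as a single paragraph (`npm: ... Attack-map field note: ...`); add a blank line before `Attack-map field note:` or make the two lines list items. The new link also says nothing about what the field note covers or how it relates to the checks this CLI runs; a short clause after the URL would let a reader decide whether to follow it.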
@@ -33,7 +34,7 @@ npx --yes x402-surface-check --strict-cache https://api.example.com/openapi.json
- Browser CORS allowance for the requesting origin and `X-PAYMENT`, including the actual 402 challenge response
- Cache-Control posture on no-payment challenge responses, with warnings for explicitly cacheable payment gates and optional strict-cache findings for missing policy headers
- Grouped finding summaries for repeated route-wide issues, so large manifests keep the patch order readable
-
- Contextual reference guides for CORS, cache policy, Worker gates, resource echo, validation/auth ordering, and
+
- Contextual reference guides for CORS, cache policy, Worker gates, resource echo, validation/auth ordering, and the May 2026 x402 attack-control map
- Over-broad public method surfaces
- Auth, validation, and free/trial responses that appear before a payment challenge, without piling on missing-field findings when no challenge was actually returned
- Operational health/status endpoints, without treating expected free health checks as paid-route failures
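Review bot: the rewritten bullet at line 37 names a dated artifact ("the May 2026 x402 attack-control map") next to guides that carry no date, which leaves it unclear whether the map is bundled with the package or read from the field-note URL added in the header; either drop the date or state in the bullet where the map comes from, so a user can tell whether the CLI's guidance matches the linked page. The old line 36 ended in a dangling "and", so the completion itself is welcome.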
@@ -49,7 +50,7 @@ Recent public no-payment checks have found and verified real launch fixes:
- UZPROOF: schemes-style Solana x402 challenge and browser payment-header behavior verified clean. https://github.com/solana-foundation/pay-skills/pull/28#issuecomment-4455613892
- HYRE Agent: OpenAPI-declared prices found 10x below live 402 challenge prices. https://github.com/solana-foundation/pay-skills/pull/19#issuecomment-4455641258
- anchor-x402: multi-rail x402 challenges verified, with browser preflight blockers isolated before merge. https://github.com/solana-foundation/pay-skills/pull/47#issuecomment-4455678163
-
- Agent Trust Bench:
+
- Agent Trust Bench: three no-payment passes converged on zero findings after discovery, browser preflight, cache, and resource-echo fixes. https://github.com/solana-foundation/pay-skills/pull/23#issuecomment-4467597309
- Solrouter: private LLM inference route verified with HTTPS resource-binding and price-alignment notes. https://github.com/solana-foundation/pay-skills/pull/39#issuecomment-4455800060
- Tetrac: Solana market-data payment gates verified, with browser payment-header preflight blocker isolated. https://github.com/solana-foundation/pay-skills/pull/32#issuecomment-4455923744
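Review bot: the completed Agent Trust Bench entry at line 53 is phrased differently from its neighbours, which lead with what was verified ("... verified clean", "... verified with ..."); for consistency consider "Agent Trust Bench: discovery, browser preflight, cache, and resource-echo fixes verified, with three no-payment passes converging on zero findings." Since the line asserts convergence across three passes rather than one clean run, it is worth confirming that the linked comment (#issuecomment-4467597309) actually records all three.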