x402-surface-check 0.2.23 → 0.2.24

package/README.md

@@ -33,6 +33,7 @@ npx --yes x402-surface-check --strict-cache https://api.example.com/openapi.json
 - HTTPS resource URLs and stable resource metadata
 - Browser CORS allowance for the requesting origin and `X-PAYMENT`, including the actual 402 challenge response
 - Cache-Control posture on no-payment challenge responses, with warnings for explicitly cacheable payment gates and optional strict-cache findings for missing policy headers
+- Payment-enforcement headers on `200` responses, so public telemetry/free-trial endpoints do not accidentally advertise enforced x402 while returning content before a challenge
 - Grouped finding summaries for repeated route-wide issues, so large manifests keep the patch order readable
 - Contextual reference guides for CORS, cache policy, Worker gates, resource echo, validation/auth ordering, and the May 2026 x402 attack-control map
 - Over-broad public method surfaces
@@ -51,6 +52,7 @@ Recent public no-payment checks have found and verified real launch fixes:
 - HYRE Agent: OpenAPI-declared prices found 10x below live 402 challenge prices. https://github.com/solana-foundation/pay-skills/pull/19#issuecomment-4455641258
 - anchor-x402: multi-rail x402 challenges verified, with browser preflight blockers isolated before merge. https://github.com/solana-foundation/pay-skills/pull/47#issuecomment-4455678163
 - Agent Trust Bench: three no-payment passes converged on zero findings after discovery, browser preflight, cache, and resource-echo fixes. https://github.com/solana-foundation/pay-skills/pull/23#issuecomment-4467597309
+- SolSentry: x402 stats endpoint flagged for returning `200` content while headers advertised payment enforcement and browser preflight omitted `X-PAYMENT`. https://github.com/solsentry/solsentry-app/issues/2
 - Solrouter: private LLM inference route verified with HTTPS resource-binding and price-alignment notes. https://github.com/solana-foundation/pay-skills/pull/39#issuecomment-4455800060
 - Tetrac: Solana market-data payment gates verified, with browser payment-header preflight blocker isolated. https://github.com/solana-foundation/pay-skills/pull/32#issuecomment-4455923744
 

package/bin/x402-surface-check.mjs

@@ -710,6 +710,24 @@ function cachePolicy(headers = {}) {
   return headers['cache-control'] ?? headers.cacheControl ?? ''
 }
 
+function paymentSignalHeaders(headers = {}) {
+  return [
+    'x-payment-required',
+    'x-payment-enforce',
+    'x-price-usdc',
+    'x-payment-address',
+    'x-payment-network',
+    'x-payment-token',
+    'x-payment-protocol',
+  ].filter(name => headers[name] !== undefined && headers[name] !== '')
+}
+
+function advertisesPaymentEnforcement(headers = {}) {
+  const required = String(headers['x-payment-required'] ?? '').toLowerCase() === 'true'
+  const enforced = String(headers['x-payment-enforce'] ?? '').toLowerCase() === 'true'
+  return required || enforced || (required && paymentSignalHeaders(headers).length > 1)
+}
+
 function looksExplicitlyCacheable(headers = {}) {
   const policy = cachePolicy(headers)
   if (!policy) return false
@@ -755,6 +773,9 @@ function findingList(documentResult, challengeResults, preflightResults, entries
         if (!looksLikeOperationalHealthEndpoint(result)) {
           findings.push(`P3 - ${result.name} returned ${result.status} without a payment challenge for a no-payment ${result.method ?? 'POST'} probe; document this as free/trial access or move the 402 challenge before content.`)
         }
+        if (advertisesPaymentEnforcement(result.headers)) {
+          findings.push(`P2 - ${result.name} returned ${result.status} content while payment headers advertise enforcement (${paymentSignalHeaders(result.headers).join(', ')}); either return a 402 before content or document this endpoint as public telemetry.`)
+        }
       }
       else if (result.status === 400 || result.status === 422) {
         findings.push(`P1 - ${result.name} returned validation HTTP ${result.status} before a payment challenge for a no-payment ${result.method ?? 'POST'} probe.`)
@@ -807,7 +828,7 @@ function findingList(documentResult, challengeResults, preflightResults, entries
 
   for (const result of preflightResults) {
     const challengeResult = challengesByEntry.get(entryKey(result))
-    if (!challengeResult || !hasPaymentChallenge(challengeResult)) continue
+    if (!challengeResult || (!hasPaymentChallenge(challengeResult) && !advertisesPaymentEnforcement(challengeResult.headers))) continue
     const allowedOrigin = result.headers['access-control-allow-origin'] ?? ''
     if (!allowedOrigin) {
       findings.push(`P1 - ${result.name} CORS preflight does not allow the requesting origin; observed allow-origin: none.`)
@@ -864,6 +885,9 @@ function groupedFindingLabel(finding) {
   if (/payment challenge response did not expose Cache-Control/.test(finding)) {
     return 'P3 - Payment challenge responses do not expose Cache-Control in strict cache mode.'
   }
+  if (/content while payment headers advertise enforcement/.test(finding)) {
+    return 'P2 - Payment headers advertise enforcement on a 200 response.'
+  }
   return null
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "x402-surface-check",
-  "version": "0.2.23",
+  "version": "0.2.24",
   "description": "No-payment x402 public-surface checker for manifests, OpenAPI specs, and HTTP 402 challenges.",
   "type": "module",
   "bin": {