x402-surface-check 0.2.40 → 0.2.41

package/README.md CHANGED
@@ -38,7 +38,7 @@ npx --yes x402-surface-check --strict-proof https://api.example.com/openapi.json
38
38
  - Placeholder recipients such as zero addresses and Solana system-program values
39
39
  - Testnet or staging rails such as Base Sepolia and Solana devnet
40
40
  - HTTPS resource URLs and stable resource metadata
41
- - Resource binding across top-level `resource.url` and every accept leg, including localhost/private-development resource URLs that should not ship in production
41
+ - Resource binding across top-level `resource.url`; legacy/v1 accept-leg resource echoes; and localhost/private-development resource URLs that should not ship in production
42
42
  - Timeout/expiry metadata on challenges, so payment capabilities have an explicit bounded freshness window
43
43
  - Payment-metadata privacy checks for sensitive resource query context, email/SSN/token-like values, prompt/private-context strings, and credential-like URLs in body or header-carried challenges
44
44
  - Browser CORS allowance for the requesting origin, common x402/MPP retry headers, and exposed challenge/session headers on the actual 402 response
@@ -993,6 +993,10 @@ function challengeResourceValue(challenge) {
993
993
  ?? ''
994
994
  }
995
995
 
996
+ function isX402V2Challenge(challenge) {
997
+ return Number(challenge?.x402Version) === 2
998
+ }
999
+
996
1000
  function hasFreshnessMetadata(challenge, accept) {
997
1001
  return [
998
1002
  challenge?.expires,
@@ -1404,7 +1408,7 @@ function findingList(documentResult, challengeResults, preflightResults, entries
1404
1408
  if (!topResource && populatedAcceptResources.length === 0) {
1405
1409
  findings.push(`P2 - ${result.name} challenge does not expose a signed/intended resource URL at the top level or in any accept leg.`)
1406
1410
  }
1407
- else if (accepts.length > 0 && populatedAcceptResources.length < accepts.length) {
1411
+ else if (!isX402V2Challenge(result.body.json) && accepts.length > 0 && populatedAcceptResources.length < accepts.length) {
1408
1412
  findings.push(`P2 - ${result.name} challenge does not repeat the resource URL in every accept leg for spend-map and replay binding.`)
1409
1413
  }
1410
1414
  if (topResource && populatedAcceptResources.some(resource => resource !== topResource)) {
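Review bot: The version gate added at 996–998 is looser than a spec-version check should be: `Number(challenge?.x402Version) === 2` also accepts strings such as `"2.0"`, `"0x2"` or `" 2 "` and a one-element array `[2]`, and that predicate is what now exempts a challenge from the accept-leg resource-binding finding at 1411. Because an exemption in a checker should be keyed on the exact declared version, compare the raw value instead, `const v = challenge?.x402Version; return v === 2 || v === '2';` (keep the string form only if stringly-typed versions are expected on the wire; otherwise `v === 2` alone). The new helper also deserves a one-line comment on why v2 is exempt, e.g. `// x402 v2 binds the resource at top-level resource.url only; accept legs no longer echo it (legacy/v1 did), so the per-leg repeat check is v1-only.`, which matches the README line changed in this release. findingList's body starts and ends outside the hunk.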
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "x402-surface-check",
3
- "version": "0.2.40",
3
+ "version": "0.2.41",
4
4
  "description": "No-payment x402 public-surface checker for manifests, OpenAPI specs, and HTTP 402 challenges.",
5
5
  "type": "module",
6
6
  "bin": {