Skip to content

Commit c0f0673

Browse files
committed
Initial x402 surface check action
0 parents  commit c0f0673

12 files changed

Lines changed: 480 additions & 0 deletions

File tree

.github/FUNDING.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
custom:
2+
- https://paypal.me/glidelocal
3+
- https://tateprograms.com/agent-payment-launch-review.html
Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
name: Bug report
2+
description: Report a problem with the x402 Surface Check Action.
3+
title: "[Bug]: "
4+
labels:
5+
- bug
6+
body:
7+
- type: markdown
8+
attributes:
9+
value: Thanks for reporting a bug. Do not include private keys, payment payloads, API keys, customer data, or secrets.
10+
- type: textarea
11+
id: workflow
12+
attributes:
13+
label: Workflow snippet
14+
description: Paste the relevant workflow step with secrets removed.
15+
render: yaml
16+
validations:
17+
required: true
18+
- type: input
19+
id: action-ref
20+
attributes:
21+
label: Action ref
22+
placeholder: TateLyman/x402-surface-check-action@v1
23+
validations:
24+
required: true
25+
- type: textarea
26+
id: expected
27+
attributes:
28+
label: Expected behavior
29+
validations:
30+
required: true
31+
- type: textarea
32+
id: actual
33+
attributes:
34+
label: Actual behavior
35+
validations:
36+
required: true

.github/ISSUE_TEMPLATE/config.yml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
blank_issues_enabled: false
2+
contact_links:
3+
- name: Private payment-agent launch review
4+
url: https://tateprograms.com/agent-payment-launch-review.html
5+
about: Scope a private review for an x402, MPP, Pay.sh, Worker, or AgentCore Payments launch you control.
6+
- name: Scope and payment details
7+
url: https://tateprograms.com/payments.html
8+
about: Use only after scope is confirmed by email.

.gitignore

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
node_modules/
2+
x402-surface-report.md
3+
fixture.pid
4+
.DS_Store

LICENSE

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,21 @@
1+
MIT License
2+
3+
Copyright (c) 2026 Tate Lyman
4+
5+
Permission is hereby granted, free of charge, to any person obtaining a copy
6+
of this software and associated documentation files (the "Software"), to deal
7+
in the Software without restriction, including without limitation the rights
8+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9+
copies of the Software, and to permit persons to whom the Software is
10+
furnished to do so, subject to the following conditions:
11+
12+
The above copyright notice and this permission notice shall be included in all
13+
copies or substantial portions of the Software.
14+
15+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21+
SOFTWARE.

README.md

Lines changed: 93 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,93 @@
1+
# x402 Surface Check Action
2+
3+
GitHub Action wrapper for [`x402-surface-check`](https://www.npmjs.com/package/x402-surface-check), a no-payment checker for public x402, MPP, Pay.sh, Cloudflare Worker, AgentCore-style payment, and HTTP `402 Payment Required` launch surfaces.
4+
5+
The action probes manifests, OpenAPI specs, resource catalogs, or direct paid endpoints without sending payment headers, wallet signatures, API keys, or paid calls. It is meant for projects you own or are authorized to review before an agent or wallet can spend real value.
6+
7+
## Usage
8+
9+
```yaml
10+
name: x402 surface
11+
12+
on:
13+
pull_request:
14+
push:
15+
branches:
16+
- main
17+
18+
jobs:
19+
x402-surface:
20+
runs-on: ubuntu-latest
21+
steps:
22+
- uses: actions/checkout@v6
23+
- uses: TateLyman/x402-surface-check-action@v1
24+
with:
25+
target: https://api.example.com/.well-known/x402
26+
origin: https://app.example.com
27+
strict-cache: true
28+
output: x402-surface-report.md
29+
```
30+
31+
For one direct paid endpoint:
32+
33+
```yaml
34+
- uses: TateLyman/x402-surface-check-action@v1
35+
with:
36+
endpoint: true
37+
method: POST
38+
target: https://api.example.com/api/x402/invoice
39+
origin: https://app.example.com
40+
strict-cache: true
41+
```
42+
43+
## Inputs
44+
45+
| Input | Default | Description |
46+
| --- | --- | --- |
47+
| `target` | required | Manifest, OpenAPI spec, resource catalog, or direct paid endpoint URL. |
48+
| `output` | empty | Optional report path. Writes Markdown by default or JSON when `json: true`. |
49+
| `endpoint` | `false` | Set to `true` when `target` is one direct paid endpoint. |
50+
| `method` | `POST` | HTTP method for direct endpoint mode. |
51+
| `body` | empty | Optional JSON request body for direct endpoint mode. Do not put secrets here. |
52+
| `origin` | empty | Browser `Origin` used for CORS preflight checks. |
53+
| `limit` | `6` | Maximum endpoints to probe from a manifest or OpenAPI document. |
54+
| `strict-cache` | `false` | Flags missing `Cache-Control` on no-payment 402 challenge responses. |
55+
| `json` | `false` | Prints JSON instead of Markdown. |
56+
| `version` | `latest` | npm version of `x402-surface-check` to run. |
57+
58+
## What It Checks
59+
60+
- Public manifest, OpenAPI, resource catalog, and direct endpoint shape.
61+
- No-payment 402 challenge readability and price/network/resource fields.
62+
- MPP `WWW-Authenticate: Payment` headers and x402 V2 requirements headers.
63+
- Browser preflight for payment headers such as `X-PAYMENT`.
64+
- HTTPS resource binding.
65+
- Declared-price drift between docs and live challenge responses.
66+
- Placeholder payees, staging rails, and metadata leakage signals.
67+
- Cache policy maps, including optional strict-cache findings.
68+
69+
## Guardrails
70+
71+
Use this action only on systems you own or are authorized to inspect.
72+
73+
The action does not send:
74+
75+
- `X-PAYMENT`
76+
- `Payment-Signature`
77+
- wallet signatures
78+
- private keys
79+
- API keys
80+
- paid retries
81+
82+
## Private Review
83+
84+
For a private payment-agent launch review, use the scope builder:
85+
86+
https://tateprograms.com/agent-payment-launch-review.html
87+
88+
Related free tools:
89+
90+
- Surface checker: https://tateprograms.com/x402-surface-check.html
91+
- AgentCore payment policy builder: https://tateprograms.com/agentcore-payment-policy.html
92+
- x402 attack map: https://tateprograms.com/x402-attack-map-2026.html
93+
- Cache-safe Worker guide: https://tateprograms.com/cloudflare-x402-worker.html

SECURITY.md

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
# Security Policy
2+
3+
## Reporting
4+
5+
Report security issues privately by email:
6+
7+
hello@tateprograms.com
8+
9+
Do not open a public issue with private keys, payment payloads, API keys, customer data, logs containing secrets, or exploit details for third-party systems.
10+
11+
## Scope
12+
13+
This repository is a GitHub Action wrapper around `x402-surface-check`. The action is intended for no-payment review of public payment-agent launch surfaces owned or authorized by the workflow operator.
14+
15+
The action should not send payment headers, wallet signatures, private keys, API keys, or paid retries.

SUPPORT.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
# Support
2+
3+
For action bugs, open a GitHub issue with a workflow snippet and secrets removed.
4+
5+
For private payment-agent launch reviews, use:
6+
7+
https://tateprograms.com/agent-payment-launch-review.html
8+
9+
For the free browser and CLI tool page, use:
10+
11+
https://tateprograms.com/x402-surface-check.html

action.yml

Lines changed: 103 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,103 @@
1+
name: x402 Surface Check
2+
description: Run a no-payment x402, MPP, or HTTP 402 launch-surface check in GitHub Actions.
3+
author: Tate Lyman
4+
5+
branding:
6+
icon: credit-card
7+
color: green
8+
9+
inputs:
10+
target:
11+
description: Manifest, OpenAPI spec, x402 resource catalog, pasted JSON URL, or direct paid endpoint URL to check.
12+
required: true
13+
output:
14+
description: Optional file path to write the Markdown or JSON report.
15+
required: false
16+
default: ""
17+
endpoint:
18+
description: Set to true when target is one direct paid endpoint instead of a manifest or OpenAPI document.
19+
required: false
20+
default: "false"
21+
method:
22+
description: HTTP method for direct endpoint mode.
23+
required: false
24+
default: "POST"
25+
body:
26+
description: Optional JSON request body for direct endpoint mode. Do not put secrets here.
27+
required: false
28+
default: ""
29+
origin:
30+
description: Optional browser Origin to use for CORS preflight checks.
31+
required: false
32+
default: ""
33+
limit:
34+
description: Maximum endpoints to probe from a manifest or OpenAPI document.
35+
required: false
36+
default: "6"
37+
strict-cache:
38+
description: Set to true to flag missing Cache-Control on no-payment 402 challenge responses.
39+
required: false
40+
default: "false"
41+
json:
42+
description: Set to true to print JSON instead of Markdown.
43+
required: false
44+
default: "false"
45+
version:
46+
description: x402-surface-check npm version to run.
47+
required: false
48+
default: "latest"
49+
50+
runs:
51+
using: composite
52+
steps:
53+
- name: Run x402 Surface Check
54+
shell: bash
55+
env:
56+
X402_TARGET: ${{ inputs.target }}
57+
X402_OUTPUT: ${{ inputs.output }}
58+
X402_ENDPOINT: ${{ inputs.endpoint }}
59+
X402_METHOD: ${{ inputs.method }}
60+
X402_BODY: ${{ inputs.body }}
61+
X402_ORIGIN: ${{ inputs.origin }}
62+
X402_LIMIT: ${{ inputs.limit }}
63+
X402_STRICT_CACHE_INPUT: ${{ inputs.strict-cache }}
64+
X402_JSON: ${{ inputs.json }}
65+
X402_VERSION: ${{ inputs.version }}
66+
run: |
67+
args=()
68+
69+
if [[ "$X402_ENDPOINT" == "true" ]]; then
70+
args+=("--endpoint" "--method" "$X402_METHOD")
71+
fi
72+
73+
if [[ -n "$X402_BODY" ]]; then
74+
args+=("--body" "$X402_BODY")
75+
fi
76+
77+
if [[ -n "$X402_ORIGIN" ]]; then
78+
args+=("--origin" "$X402_ORIGIN")
79+
fi
80+
81+
if [[ -n "$X402_LIMIT" ]]; then
82+
args+=("--limit" "$X402_LIMIT")
83+
fi
84+
85+
if [[ "$X402_STRICT_CACHE_INPUT" == "true" ]]; then
86+
args+=("--strict-cache")
87+
fi
88+
89+
if [[ "$X402_JSON" == "true" ]]; then
90+
args+=("--json")
91+
fi
92+
93+
args+=("$X402_TARGET")
94+
95+
if [[ -n "$X402_OUTPUT" ]]; then
96+
mkdir -p "$(dirname "$X402_OUTPUT")"
97+
args+=("$X402_OUTPUT")
98+
npx --yes "x402-surface-check@$X402_VERSION" "${args[@]}"
99+
cat "$X402_OUTPUT"
100+
exit 0
101+
fi
102+
103+
npx --yes "x402-surface-check@$X402_VERSION" "${args[@]}"

package.json

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
{
2+
"name": "x402-surface-check-action",
3+
"version": "1.0.0",
4+
"private": true,
5+
"description": "GitHub Action wrapper for no-payment x402, MPP, and HTTP 402 launch-surface checks.",
6+
"scripts": {
7+
"test": "npm run check",
8+
"check": "node --check scripts/smoke.mjs && node --check test-fixtures/x402-server.mjs && node scripts/smoke.mjs"
9+
}
10+
}

0 commit comments

Comments
 (0)