|
| 1 | +# x402 Surface Check Action |
| 2 | + |
| 3 | +GitHub Action wrapper for [`x402-surface-check`](https://www.npmjs.com/package/x402-surface-check), a no-payment checker for public x402, MPP, Pay.sh, Cloudflare Worker, AgentCore-style payment, and HTTP `402 Payment Required` launch surfaces. |
| 4 | + |
| 5 | +The action probes manifests, OpenAPI specs, resource catalogs, or direct paid endpoints without sending payment headers, wallet signatures, API keys, or paid calls. It is meant for projects you own or are authorized to review before an agent or wallet can spend real value. |
| 6 | + |
| 7 | +## Usage |
| 8 | + |
| 9 | +```yaml |
| 10 | +name: x402 surface |
| 11 | + |
| 12 | +on: |
| 13 | + pull_request: |
| 14 | + push: |
| 15 | + branches: |
| 16 | + - main |
| 17 | + |
| 18 | +jobs: |
| 19 | + x402-surface: |
| 20 | + runs-on: ubuntu-latest |
| 21 | + steps: |
| 22 | + - uses: actions/checkout@v6 |
| 23 | + - uses: TateLyman/x402-surface-check-action@v1 |
| 24 | + with: |
| 25 | + target: https://api.example.com/.well-known/x402 |
| 26 | + origin: https://app.example.com |
| 27 | + strict-cache: true |
| 28 | + output: x402-surface-report.md |
| 29 | +``` |
| 30 | +
|
| 31 | +For one direct paid endpoint: |
| 32 | +
|
| 33 | +```yaml |
| 34 | +- uses: TateLyman/x402-surface-check-action@v1 |
| 35 | + with: |
| 36 | + endpoint: true |
| 37 | + method: POST |
| 38 | + target: https://api.example.com/api/x402/invoice |
| 39 | + origin: https://app.example.com |
| 40 | + strict-cache: true |
| 41 | +``` |
| 42 | +
|
| 43 | +## Inputs |
| 44 | +
|
| 45 | +| Input | Default | Description | |
| 46 | +| --- | --- | --- | |
| 47 | +| `target` | required | Manifest, OpenAPI spec, resource catalog, or direct paid endpoint URL. | |
| 48 | +| `output` | empty | Optional report path. Writes Markdown by default or JSON when `json: true`. | |
| 49 | +| `endpoint` | `false` | Set to `true` when `target` is one direct paid endpoint. | |
| 50 | +| `method` | `POST` | HTTP method for direct endpoint mode. | |
| 51 | +| `body` | empty | Optional JSON request body for direct endpoint mode. Do not put secrets here. | |
| 52 | +| `origin` | empty | Browser `Origin` used for CORS preflight checks. | |
| 53 | +| `limit` | `6` | Maximum endpoints to probe from a manifest or OpenAPI document. | |
| 54 | +| `strict-cache` | `false` | Flags missing `Cache-Control` on no-payment 402 challenge responses. | |
| 55 | +| `json` | `false` | Prints JSON instead of Markdown. | |
| 56 | +| `version` | `latest` | npm version of `x402-surface-check` to run. | |
| 57 | + |
| 58 | +## What It Checks |
| 59 | + |
| 60 | +- Public manifest, OpenAPI, resource catalog, and direct endpoint shape. |
| 61 | +- No-payment 402 challenge readability and price/network/resource fields. |
| 62 | +- MPP `WWW-Authenticate: Payment` headers and x402 V2 requirements headers. |
| 63 | +- Browser preflight for payment headers such as `X-PAYMENT`. |
| 64 | +- HTTPS resource binding. |
| 65 | +- Declared-price drift between docs and live challenge responses. |
| 66 | +- Placeholder payees, staging rails, and metadata leakage signals. |
| 67 | +- Cache policy maps, including optional strict-cache findings. |
| 68 | + |
| 69 | +## Guardrails |
| 70 | + |
| 71 | +Use this action only on systems you own or are authorized to inspect. |
| 72 | + |
| 73 | +The action does not send: |
| 74 | + |
| 75 | +- `X-PAYMENT` |
| 76 | +- `Payment-Signature` |
| 77 | +- wallet signatures |
| 78 | +- private keys |
| 79 | +- API keys |
| 80 | +- paid retries |
| 81 | + |
| 82 | +## Private Review |
| 83 | + |
| 84 | +For a private payment-agent launch review, use the scope builder: |
| 85 | + |
| 86 | +https://tateprograms.com/agent-payment-launch-review.html |
| 87 | + |
| 88 | +Related free tools: |
| 89 | + |
| 90 | +- Surface checker: https://tateprograms.com/x402-surface-check.html |
| 91 | +- AgentCore payment policy builder: https://tateprograms.com/agentcore-payment-policy.html |
| 92 | +- x402 attack map: https://tateprograms.com/x402-attack-map-2026.html |
| 93 | +- Cache-safe Worker guide: https://tateprograms.com/cloudflare-x402-worker.html |
0 commit comments