Skip to content

Releases: TateLyman/x402-surface-check

x402 Surface Check v0.2.27

Choose a tag to compare

@TateLyman TateLyman released this 16 May 20:14

Adds public registry URL hygiene checks for credential-like query parameters and embedded URL userinfo. Reports redact values before printing, so provider tokens, signatures, sessions, and API keys are not repeated in scan output.\n\nValidation: npm test, npm run pack:dry, GitHub publish workflow 25971799369.

x402-surface-check v0.2.26

Choose a tag to compare

@TateLyman TateLyman released this 16 May 19:19

Adds attack-aware public no-payment checks inspired by the May 2026 x402 attack-control research: accept-leg resource binding, localhost/private resource URL detection, timeout/expiry metadata checks, and stronger cache severity for payment gates. Verified with npm test and npm pack dry run; published to npm via trusted GitHub Actions.

x402-surface-check v0.2.25

Choose a tag to compare

@TateLyman TateLyman released this 16 May 19:06

Adds support for object-valued x402 manifest endpoints, including documented query examples for public catalog/discovery GETs and payment-bearing two-phase operations. This improves coverage for production merchant manifests such as Cryptorefills-style endpoint maps.

x402 Surface Check v0.2.24

Choose a tag to compare

@TateLyman TateLyman released this 16 May 18:54

Adds detection for payment-enforcement headers on 200 responses, so public telemetry or free/trial endpoints do not accidentally advertise enforced x402 while returning content before a 402 challenge. Also runs payment-header preflight checks for those header-advertised payment surfaces.

Validation:

  • npm test
  • npm run pack:dry
  • git diff --check
  • published to npm as x402-surface-check@0.2.24

x402 Surface Check v0.2.23

Choose a tag to compare

@TateLyman TateLyman released this 16 May 17:34

Docs-only distribution update for the May 2026 x402 attack-control map and the latest Agent Trust Bench public builder validation.\n\nVerification:\n- npm test\n- npm pack --dry-run\n- GitHub Trusted Publisher run 25968446848\n- npm view x402-surface-check version => 0.2.23\n- fresh npm exec install returned 0.2.23

x402 Surface Check v0.2.22

Choose a tag to compare

@TateLyman TateLyman released this 16 May 04:16

Adds optional strict cache-policy mode for payment-gated surfaces. Use --strict-cache or X402_STRICT_CACHE=1 to flag missing Cache-Control on no-payment 402 challenge responses, while the default report remains lower-noise and continues to flag explicitly cacheable payment gates.

x402 Surface Check v0.2.21

Choose a tag to compare

@TateLyman TateLyman released this 16 May 04:01

Adds contextual reference guides to Markdown reports when CORS, cache policy, Worker gate, resource echo, or validation/auth ordering findings are present. Verified with npm test, npm pack --dry-run, CI run 25952203726, Trusted Publisher run 25952212162, and fresh public npx install returning 0.2.21.

x402-surface-check v0.2.20

Choose a tag to compare

@TateLyman TateLyman released this 16 May 03:36

Adds cache-policy reporting for no-payment x402 surface checks.\n\n- Adds a Cache Policy Map to Markdown reports.\n- Flags explicitly cacheable payment challenge responses such as public/max-age unless the route uses no-store, private, or no-cache.\n- Keeps checks external and conservative: no X-PAYMENT headers, signatures, wallet access, or paid calls.\n- Verified with npm test, npm pack --dry-run, CI run 25951646271, publish run 25951654990, npm 0.2.20, and a fresh Dexter manifest check.

x402-surface-check v0.2.17

Choose a tag to compare

@TateLyman TateLyman released this 16 May 00:57

Adds explicit JSON request bodies for direct endpoint probes via --body/--body-file and improves OpenAPI sample generation for nested object and array request schemas. This keeps no-payment checks fair for paid POST routes that require valid sample bodies before returning a 402 challenge.

x402-surface-check 0.2.16

Choose a tag to compare

@TateLyman TateLyman released this 15 May 01:44

Adds paid OpenAPI operation prioritization so limited scans test monetized routes before public docs/discovery endpoints, plus local $ref request-body schema resolution and stronger generated sample values for OpenAPI request bodies.