Releases: TateLyman/x402-surface-check
Release list
x402 Surface Check v0.2.27
Adds public registry URL hygiene checks for credential-like query parameters and embedded URL userinfo. Reports redact values before printing, so provider tokens, signatures, sessions, and API keys are not repeated in scan output.\n\nValidation: npm test, npm run pack:dry, GitHub publish workflow 25971799369.
x402-surface-check v0.2.26
Adds attack-aware public no-payment checks inspired by the May 2026 x402 attack-control research: accept-leg resource binding, localhost/private resource URL detection, timeout/expiry metadata checks, and stronger cache severity for payment gates. Verified with npm test and npm pack dry run; published to npm via trusted GitHub Actions.
x402-surface-check v0.2.25
Adds support for object-valued x402 manifest endpoints, including documented query examples for public catalog/discovery GETs and payment-bearing two-phase operations. This improves coverage for production merchant manifests such as Cryptorefills-style endpoint maps.
x402 Surface Check v0.2.24
Adds detection for payment-enforcement headers on 200 responses, so public telemetry or free/trial endpoints do not accidentally advertise enforced x402 while returning content before a 402 challenge. Also runs payment-header preflight checks for those header-advertised payment surfaces.
Validation:
- npm test
- npm run pack:dry
- git diff --check
- published to npm as x402-surface-check@0.2.24
x402 Surface Check v0.2.23
Docs-only distribution update for the May 2026 x402 attack-control map and the latest Agent Trust Bench public builder validation.\n\nVerification:\n- npm test\n- npm pack --dry-run\n- GitHub Trusted Publisher run 25968446848\n- npm view x402-surface-check version => 0.2.23\n- fresh npm exec install returned 0.2.23
x402 Surface Check v0.2.22
Adds optional strict cache-policy mode for payment-gated surfaces. Use --strict-cache or X402_STRICT_CACHE=1 to flag missing Cache-Control on no-payment 402 challenge responses, while the default report remains lower-noise and continues to flag explicitly cacheable payment gates.
x402 Surface Check v0.2.21
Adds contextual reference guides to Markdown reports when CORS, cache policy, Worker gate, resource echo, or validation/auth ordering findings are present. Verified with npm test, npm pack --dry-run, CI run 25952203726, Trusted Publisher run 25952212162, and fresh public npx install returning 0.2.21.
x402-surface-check v0.2.20
Adds cache-policy reporting for no-payment x402 surface checks.\n\n- Adds a Cache Policy Map to Markdown reports.\n- Flags explicitly cacheable payment challenge responses such as public/max-age unless the route uses no-store, private, or no-cache.\n- Keeps checks external and conservative: no X-PAYMENT headers, signatures, wallet access, or paid calls.\n- Verified with npm test, npm pack --dry-run, CI run 25951646271, publish run 25951654990, npm 0.2.20, and a fresh Dexter manifest check.
x402-surface-check v0.2.17
Adds explicit JSON request bodies for direct endpoint probes via --body/--body-file and improves OpenAPI sample generation for nested object and array request schemas. This keeps no-payment checks fair for paid POST routes that require valid sample bodies before returning a 402 challenge.
x402-surface-check 0.2.16
Adds paid OpenAPI operation prioritization so limited scans test monetized routes before public docs/discovery endpoints, plus local $ref request-body schema resolution and stronger generated sample values for OpenAPI request bodies.