Skip OpenAPI-declared non-paid endpoints instead of probing them #837
Open
fmhall wants to merge 1 commit into
Conversation
When an OpenAPI spec is canonical, the inferred authMode is the truth: a route without `x-payment-info` and without a paid security scheme is not an x402 paid endpoint and shouldn't be probed at all. Today we probe those routes anyway and report them as `failed: "No valid x402 response found"`, which surfaces as a false-positive failure for any origin whose OpenAPI exposes a public/free helper endpoint (seen on stableupload.dev's GET /api/site/domain/preview).

When source === 'openapi' and authMode is anything other than `paid` or `apiKey+paid` (and the siwx short-circuit didn't already handle it), return the resource as `skipped` with a clear reason. Well-known/x402 v1 omits authMode and still falls through to the probe.

Verified locally:

stableupload.dev registered=3 siwx=7 skipped=1 failed=0 (was failed=4)
agentcash.honcho.dev registered=2 siwx=14 skipped=0 failed=0 (no regression)
stableenrich.dev registered=33 siwx=1 skipped=0 failed=0 (no regression)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
Summary

- When `source === 'openapi'` and a route's `authMode` is anything other than `paid` or `apiKey+paid` (and isn't already short-circuited as `siwx`), report it as `skipped` instead of probing.
- Removes the false-positive `failed: "No valid x402 response found"` for OpenAPI-declared free/public endpoints (e.g. `GET /api/site/domain/preview` on stableupload.dev).
- Well-known/x402 v1 omits `authMode` entirely, so well-known sources still fall through to the probe — no behavior change there.

Why

Per "OpenAPI is canonical": if the spec has no `x-payment-info` and no paid security scheme, the route is authoritatively not an x402 paid endpoint. The probe will correctly find no 402 challenge — but x402scan currently treats that as a failure rather than a confirmation. This patch trusts the spec.

Verification (local)

- stableupload.dev: registered=3 siwx=7 skipped=1 failed=0 (was failed=4)
- agentcash.honcho.dev: registered=2 siwx=14 skipped=0 failed=0 (no regression)
- stableenrich.dev: registered=33 siwx=1 skipped=0 failed=0 (no regression)

Reproduce with `pnpm tsx src/scripts/verify-discovery-gate.ts <origin>`.

Test plan

- `POST /api/x402/registry/register-origin` with `{"origin":"https://stableupload.dev"}` → `failed: 0`, `skipped: 1` (`/api/site/domain/preview`)
- Re-run against `agentcash.honcho.dev` and `stableenrich.dev`; counts unchanged

🤖 Generated with Claude Code
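The gate this PR describes, written out as an added example (not x402scan's own code): a pure decision function over a discovered route, plus the `authMode` inference it relies on. The `DiscoveredRoute`/`Decision` types, the `apiKey` and `none` modes, and the rule that a security scheme counts as paid when its definition carries `x-payment-info` are assumptions.

```typescript
// Added example, not x402scan's own code: the "OpenAPI is canonical" gate this PR
// describes, as a pure decision function. Type names, the "apiKey"/"none" modes and
// the paid-security-scheme heuristic in inferAuthMode are assumptions.

type AuthMode = "paid" | "apiKey+paid" | "apiKey" | "siwx" | "none";

interface DiscoveredRoute {
  source: "openapi" | "well-known";
  method: string;
  path: string;
  authMode?: AuthMode; // well-known / x402 v1 sources omit this entirely
}

type Decision =
  | { kind: "probe" }                    // send the request and expect a 402 challenge
  | { kind: "siwx" }                     // existing short-circuit, unchanged
  | { kind: "skipped"; reason: string }; // new: the spec says it is not a paid endpoint

const PAID_MODES: ReadonlySet<AuthMode> = new Set<AuthMode>(["paid", "apiKey+paid"]);

function gateRoute(route: DiscoveredRoute): Decision {
  // The siwx short-circuit runs first, exactly as it did before this change.
  if (route.authMode === "siwx") return { kind: "siwx" };
  // Only an OpenAPI-inferred authMode is canonical. A missing authMode
  // (well-known / v1) still falls through to the probe: no behaviour change.
  if (route.source === "openapi" && route.authMode !== undefined && !PAID_MODES.has(route.authMode)) {
    return {
      kind: "skipped",
      reason: `OpenAPI declares ${route.method} ${route.path} as ${route.authMode}: ` +
        "no x-payment-info and no paid security scheme",
    };
  }
  return { kind: "probe" };
}

// authMode inference from one OpenAPI operation. Assumption: a security scheme is
// "paid" when its definition carries x-payment-info; an API-key scheme has type "apiKey".
interface OpenApiOperation { "x-payment-info"?: unknown; security?: Record<string, string[]>[] }
type SecuritySchemes = Record<string, { type: string; "x-payment-info"?: unknown }>;

function inferAuthMode(op: OpenApiOperation, schemes: SecuritySchemes): AuthMode {
  const names = (op.security ?? []).flatMap((req) => Object.keys(req));
  const paid = op["x-payment-info"] !== undefined ||
    names.some((n) => schemes[n]?.["x-payment-info"] !== undefined);
  const apiKey = names.some((n) => schemes[n]?.type === "apiKey");
  if (paid) return apiKey ? "apiKey+paid" : "paid";
  return apiKey ? "apiKey" : "none";
}
```

Feeding the free preview helper from the PR through `gateRoute` with `source: "openapi"` and an inferred `authMode` of `none` yields `skipped`, while the same route from a well-known source (no `authMode`) still reaches the probe.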