Before Shipping AI-Generated Payment Code
Use this when an agent is about to call payment code ready for merge, demo, deploy, or production.
Required Preflight
npx @monarch-shield/x402 doctor --ci --strict
What Doctor Blocks
- Payment files missing checkBeforePayment.
- Unsafe x402, wallet, stablecoin, card, bank, paid API, or paid MCP paths.
- Repos expected to contain payment code but missing detectable payment flow.
Agent Rule
Do not call payment code ready until Doctor passes and the runtime payment path checks Monarch before money moves.
Verification Evidence
Before trusting the gate, run the same proof loop a third-party agent would run:
npm run smoke:external-agent
npm run benchmark:adversarial
The smoke harness installs the packed Monarch packages into a fresh temporary project, verifies that unsafe payment code fails, patches it with checkBeforePayment, verifies that it then passes, checks x402-doctor, and replays hostile cases.
For native PR review, emit SARIF:
npx @monarch-shield/x402 doctor --ci --strict --sarif-output monarch-doctor.sarif
SARIF is generated from the same Doctor result. It is not a runtime policy claim.
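Wiring the SARIF step into a pull-request check, as an added example that is not part of the Monarch documentation: it assumes GitHub Actions with the actions/checkout, actions/setup-node and github/codeql-action/upload-sarif actions, and uses only the Doctor flags shown above.

```yaml
# Added example (not Monarch's own config): run the Doctor gate on every pull
# request and upload its SARIF so findings appear as native PR review annotations.
# Assumptions: GitHub Actions; actions/checkout, actions/setup-node and
# github/codeql-action/upload-sarif are available.
name: monarch-doctor

on:
  pull_request:

permissions:
  contents: read
  security-events: write   # required to upload SARIF to code scanning

jobs:
  doctor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      # No continue-on-error: a Doctor block fails the job and therefore the PR check.
      - name: Run Monarch Doctor in strict CI mode
        run: npx @monarch-shield/x402 doctor --ci --strict --sarif-output monarch-doctor.sarif

      # Upload even after a failing Doctor run, otherwise the blocked findings
      # never reach the PR; the SARIF is the Doctor result, not a runtime policy claim.
      - name: Upload Doctor SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: monarch-doctor.sarif
```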
Hosted Proof And Privacy
For hosted proof, create a high-entropy random MONARCH_PROJECT_TOKEN secret and run:
MONARCH_PROJECT_TOKEN=... npx @monarch-shield/x402 doctor --ci --strict --report
Doctor is a local/CI build-time preflight gate today. Runtime policy, signed attestations, hosted enforcement, settlement safety, and wallet ownership verification are later layers. Reporting does not send source code, wallet addresses, endpoint URLs, payment amounts, API keys, file paths, repo names, commit SHAs, or raw project tokens.