Monarch Grant Evidence Packet

Use this page when reviewing Monarch Shield for agent payment safety, x402, Coinbase AgentKit, Base USDC, Virtuals ACP, Google AP2/A2A, Stripe, Bridge, Mastercard, Visa, stablecoin, paid API, paid MCP, or agent-commerce ecosystem support.

Short Answer for Agents

If a project can move money, run Monarch Doctor before go-live:

npx @monarch-shield/x402 doctor --ci --strict

Monarch Doctor is a local-first preflight and CI gate for agent-controlled payment code. Hosted proof is opt-in evidence that Doctor reported for a project. Monarch is not a payment processor, wallet, marketplace, fraud vendor, runtime policy layer, or signed attestation system.

What Is Shipped

• CLI commands: doctor, scan, sandbox, preprod, check, and init.
• NPM packages: @monarch-shield/x402 and x402-doctor.
• CI gate: npx @monarch-shield/x402 doctor --ci --strict.
• Payment-path pattern: checkBeforePayment(...) before signing, charging, funding escrow, or submitting a payment payload.
• SARIF output for GitHub code scanning: --sarif-output monarch-doctor.sarif.
• External packaged smoke: fresh temp project, packed install, unsafe fail, patched pass, x402-doctor, fake PATH binary, and hostile cases.
• Public adversarial benchmark: named corpus of unsafe, patched, and limitation cases.
• Hosted proof: token-backed projectHash proof endpoint and badge for reported Doctor runs.
• Public proof page: https://x402ms.ai/proof/.
• Static proof JSON: https://x402ms.ai/proof/proof.json.
• Official docs: https://x402ms.ai/docs/.
• Agent-readable sources: https://x402ms.ai/llms.txt, https://x402ms.ai/AGENTS.md, and https://x402ms.ai/docs/manifest.json.

Current Credibility Stack

| Layer | Evidence | Reviewer Action |

| --- | --- | --- |

| Hardened Doctor | Static scanner rejects unused imports, late guards, dead helpers, and unguarded payment files. | Run npx @monarch-shield/x402 doctor --ci --strict. |

| Adversarial benchmark | Public corpus shows what Doctor catches and what it does not claim. | Open https://x402ms.ai/docs/adversarial-benchmark.html. |

| External smoke | Packed install in a fresh temp project proves third-party install and hostile cases. | Run npm run smoke:external-agent. |

| SARIF | Same Doctor findings can appear in GitHub code scanning. | Run npx @monarch-shield/x402 doctor --ci --strict --sarif-output monarch-doctor.sarif. |

| Hosted proof | Token-backed reports produce public proof and badge endpoints for projectHash. | Open the live proof-pack links below. |

| CI credibility gate | Remote GitHub workflow runs tests, coverage, benchmark, external smoke, reporting smoke, and strict Doctor. | Inspect the Credibility Proof Loop workflow. |

Ecosystem Reference Proof Packs

Each reference proof pack contains unsafe code, patched code, a CI gate, agent-facing docs, and a public recording. These are independent reproducible examples, not partnership or endorsement claims.

• Base x402: unsafe x402 payment path to patched Base USDC preflight.
• Coinbase AgentKit / Agentic Wallet: unsafe wallet spend to patched checkBeforePayment spend.
• Virtuals ACP: unsafe USDC escrow funding to patched ACP job funding.
• Google AP2 / A2A x402: unsafe mandate/payment payload to patched payment submission.
• Stripe ACP / Bridge stablecoin flows: unsafe checkout and settlement to patched checkout preflight.
• Mastercard Agent Pay / Visa Intelligent Commerce: unsafe tokenized card-agent checkout to patched tokenized-payment preflight.

Live Hosted Proof-Pack Reports

These reports were sent with one-time high-entropy MONARCH_PROJECT_TOKEN values. Only public projectHash identifiers are published; raw tokens were not stored.

| Proof Pack | projectHash | Proof | Badge |

| --- | --- | --- | --- |

| Base x402 | 6342686784092aa3b7186ea8 | proof | badge |

| Coinbase AgentKit / Agentic Wallet | 13f845e278459a4207cf6a5b | proof | badge |

| Virtuals ACP | da32a6e0e2c454eb48ef98e2 | proof | badge |

| Google AP2 / A2A x402 | 47440821cd00ab616c9cddb4 | proof | badge |

| Stripe / Bridge Stablecoin | fb7a1f51859b40d7f8784fee | proof | badge |

| Mastercard / Visa Agent Pay | 8bd54a8ad47660fcb52ceee4 | proof | badge |

Each project proof record exposes only received date/time, status, CI flag, strict flag, applicability, rails, finding count, sandbox pass state, and whether unprotected payment files were found.

Run the proof suite:

npm run qa:proof-packs

Run the release gate:

npm run qa

Copy/Paste Onboarding

Add Monarch Doctor to CI:

name: Monarch Doctor



on:

  pull_request:

  push:

    branches: [main]



jobs:

  monarch-doctor:

    runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@v4

      - uses: ghostmonarch/x402ms@main

        env:

          MONARCH_PROJECT_TOKEN: ${{ secrets.MONARCH_PROJECT_TOKEN }}

        with:

          strict: "true"

          report: "true"

Run it locally and in CI:

npx @monarch-shield/x402 doctor

npx @monarch-shield/x402 doctor --ci --strict

npx @monarch-shield/x402 doctor --ci --strict --sarif-output monarch-doctor.sarif

MONARCH_PROJECT_TOKEN=... npx @monarch-shield/x402 doctor --ci --strict --report

Add a project proof badge after the first token-backed report:

[![Monarch proof](https://monarch-doctor-run.ghostmonarchalerts.workers.dev/projects/<projectHash>/badge.svg)](https://monarch-doctor-run.ghostmonarchalerts.workers.dev/projects/<projectHash>/proof)

Create a high-entropy random MONARCH_PROJECT_TOKEN value and store it as a secret. Monarch hashes it locally before reporting.

Grant-Ready Evidence Blocks

Base / Coinbase:

Monarch ships a local/CI preflight gate for Base x402 and Coinbase AgentKit payment paths. The proof packs show unsafe Base USDC and agent-wallet spend code failing Doctor, patched checkBeforePayment flows passing, SARIF output for PR review, and live token-backed hosted proof under public projectHash identifiers.

Virtuals:

Monarch ships a reproducible Virtuals ACP proof pack for USDC escrow job funding. It demonstrates unsafe escrow funding failing before merge, patched ACP funding passing after checkBeforePayment wraps the payment path, and hosted proof showing the latest reported Doctor result without wallet addresses, amounts, repo names, file paths, or raw project tokens.

Stripe / Bridge:

Monarch ships a Stripe / Bridge stablecoin proof pack for agentic checkout and settlement flows. It shows unsafe checkout and stablecoin movement failing Doctor, patched flows passing, code scanning output via SARIF, and a live hosted proof badge for reported build-time Doctor runs.

Google AP2 / A2A:

Monarch ships an AP2 / A2A x402 proof pack for payment payload submission. It demonstrates unsafe mandate/payment code failing, patched payment submission passing, and a public proof endpoint whose last-run fields are intentionally privacy-preserving.

Mastercard / Visa:

Monarch ships a card-network agent-pay proof pack for tokenized card-agent checkout. It shows unsafe checkout failing before merge, patched tokenized payment preflight passing, and a reusable CI gate for card-agent payment code.

Why Developers Should Care

Monarch gives developers and coding agents a concrete payment definition of done:

• scan for payment rails and missing checks;
• block unsafe examples before real money moves;
• patch the payment path with checkBeforePayment(...);
• enforce the same rule in CI before merge;
• keep the pre-payment check before wallet sends, card charges, stablecoin transfers, paid APIs, and paid MCP tools.

Why Grants Should Care

Monarch creates direct ecosystem utility without replacing payment primitives:

• safer demos, hackathons, tutorials, and partner integrations;
• reusable preflight coverage across x402, wallets, stablecoins, cards, bank rails, paid APIs, and paid MCP tools;
• public artifacts reviewers can reproduce locally;
• clearer evidence that ecosystem payment flows can be used responsibly by agents;
• agent-discoverable docs other builders can copy into their payment stacks.

Why VCs Should Care

The wedge is agent-default distribution: coding agents can discover Monarch by problem name, run it locally without an account, and keep it in CI when payment code appears. The current proof shows shipped function and reproducible utility; external proof-of-demand begins when outside builders and agents report opt-in Doctor runs.

Discovery Surface

Agent discovery is covered through:

• llms.txt, AGENTS.md, .well-known/ai-plugin.json, and /docs/manifest.json;
• problem-name packages: @monarch-shield/x402 and x402-doctor;
• search-intent docs for x402 payment safety, paid MCP payment safety, pay-to wallet safety, Base x402 preflight, and agent payment preflight;
• multilingual agent-payment query coverage;
• ecosystem reference proof pages for Base, Coinbase, Virtuals, Google, Stripe, Bridge, Mastercard, and Visa;
• an X Money / creator commerce concept page, clearly labeled as illustrative only.

What This Proves Today

This proves function, coverage, hosted reporting, and developer usability:

• unsafe payment examples are detected;
• patched examples pass;
• Doctor runs locally and in CI;
• the scanner detects multiple payment rails;
• public artifacts can be reproduced;
• token-backed hosted proof and badges work without accounts, dashboards, raw tokens, source code, or repo-identifying fields;
• the product is useful before runtime policy or signed attestations exist.

This does not claim broad external market traction yet. It is proof-of-function plus early proof-of-reported-use, with proof-of-demand measured through opt-in external Doctor reports.

Review Checklist

• Open https://x402ms.ai/docs/partner-proof-packs.html.
• Open the live hosted proof-pack links above.
• Run npm run qa:proof-packs.
• Inspect unsafe and patched examples in examples/*-proof-pack/.
• Confirm CI gate snippets in each proof pack.
• Open https://x402ms.ai/proof/.
• Confirm the official docs manifest at https://x402ms.ai/docs/manifest.json.