StartRaw agent sources are listed in /docs/manifest.json

Hosted Proof

Hosted proof is an opt-in reporting path for teams that want public evidence that Monarch Doctor runs in their project. It is not an account system, dashboard, runtime policy layer, signed attestation, billing product, or enforcement service.

Anonymous Reporting

Anonymous reporting stays low-friction:


npx @monarch-shield/x402 doctor --report

Without MONARCH_PROJECT_TOKEN, Doctor sends anonymous aggregate metadata only. This keeps the existing adoption proof path working.

Project-Scoped Proof

Create a high-entropy random MONARCH_PROJECT_TOKEN value and store it as a secret. Monarch hashes it locally before reporting.

In GitHub Actions:


name: Monarch Doctor



on:

  pull_request:

  push:

    branches: [main]



jobs:

  monarch-doctor:

    runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@v4

      - uses: ghostmonarch/x402ms@main

        env:

          MONARCH_PROJECT_TOKEN: ${{ secrets.MONARCH_PROJECT_TOKEN }}

        with:

          strict: "true"

          report: "true"

With MONARCH_PROJECT_TOKEN set, Doctor sends project-scoped proof using projectHash. The raw token never leaves the runner.

Proof Endpoint

Project proof is available only for token-backed projectHash values:


GET https://monarch-doctor-run.ghostmonarchalerts.workers.dev/projects/:projectHash/proof

The endpoint returns aggregate counters plus the last 100 safe run records. A run record includes only:

received date/time
status
ci
strict
applicable
rails
finding count
sandbox passed
has unprotected payment files

It does not include package manager info, raw branch, commit SHA, repo name, file names, file paths, URLs, wallet addresses, amounts, API keys, source code, or raw project tokens.

Badge Endpoint

Use the badge when a README or grant page needs a compact signal for the latest reported project state:


GET https://monarch-doctor-run.ghostmonarchalerts.workers.dev/projects/:projectHash/badge.svg

The badge reflects the latest token-backed Doctor report for the project.

Boundary

Hosted proof says: this projectHash reported build-time Monarch Doctor results.

Doctor is a local/CI build-time preflight gate today. It does not say: runtime payments are enforced, wallets are safe, providers are verified, settlement succeeded, fraud is prevented, signed attestations exist, or the project passed legal/compliance review.

Related Proof

Use the public adversarial benchmark to inspect what Doctor catches and what it does not:


npm run benchmark:adversarial

Use SARIF when reviewers need findings in GitHub code scanning:


npx @monarch-shield/x402 doctor --ci --strict --sarif-output monarch-doctor.sarif