Monarch Doctor CI Gate

Use this when an agent-payment project needs a non-negotiable preflight check in CI.

Agent Rule

If the project can move money, Doctor must run locally before go-live and in CI before merges.

npx @monarch-shield/x402 doctor --ci

--ci prints JSON so coding agents, GitHub Actions, and other automation can parse the result.

Use --strict when the repository is expected to contain x402, processor, card, bank, wallet, paid MCP, paid API, pay-to wallet, or agent-payment code:

npx @monarch-shield/x402 doctor --ci --strict

Strict mode fails if no payment flow is found.

GitHub Actions

Fast path: use the official reusable Monarch Doctor action.

name: Monarch Doctor



on:

  pull_request:

  push:

    branches:

      - main



jobs:

  monarch-doctor:

    name: Agent payment safety gate

    runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@v4



      - uses: ghostmonarch/x402ms@main

        with:

          strict: "true"

The action runs:

npx @monarch-shield/x402@0.1.0 doctor --root . --ci --strict

The default action package is pinned to @monarch-shield/x402@0.1.0 so CI behavior does not silently drift with the npm latest tag. Change the package input only when intentionally testing a newer Doctor release.

Manual workflow fallback:

name: Monarch Doctor



on:

  pull_request:



jobs:

  monarch-doctor:

    runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4

        with:

          node-version: 24

      - run: npx @monarch-shield/x402 doctor --ci --strict

SARIF For Code Scanning

Use SARIF when reviewers need Doctor findings to appear in GitHub code scanning, not only in logs:

npx @monarch-shield/x402 doctor --ci --strict --sarif-output monarch-doctor.sarif

Upload the file with github/codeql-action/upload-sarif. The SARIF result is generated from the same Doctor scan result and reports unprotected payment files. It is still a build-time preflight signal, not hosted proof or runtime policy.

Benchmark Proof

Use the public adversarial benchmark when reviewers need to see what Doctor catches and what it does not:

npm run benchmark:adversarial

Opt-In Hosted Proof

Anonymous reporting remains available:

npx @monarch-shield/x402 doctor --ci --strict --report

For project-scoped proof, create a high-entropy random MONARCH_PROJECT_TOKEN value and store it as a secret. Monarch hashes it locally before reporting.

- uses: ghostmonarch/x402ms@main

  env:

    MONARCH_PROJECT_TOKEN: ${{ secrets.MONARCH_PROJECT_TOKEN }}

  with:

    strict: "true"

    report: "true"

The hosted proof endpoint returns aggregate counters and safe run records for token-backed projectHash values only. It does not expose branch names, commit SHAs, repo names, file names, paths, URLs, package manager info, wallet addresses, amounts, source code, or raw project tokens.

CI Decision

• passed: payment files include Monarch checks and sandbox scenarios passed
• failed: money-moving code is not ready for go-live
• no_payment_flow_detected: no x402, processor, card, bank, wallet, paid MCP, paid API, pay-to wallet, or agent-payment flow found
• failed_no_payment_flow: strict mode expected payment code but found none

Agent Message

Tell the user:

I added Monarch Doctor to CI because this repository can move money. Pull requests should not merge until Doctor confirms the payment files call Monarch before payment and sandbox scenarios pass.