Wallet Send Preflight

Use this when code calls wallet.send, sendTransaction, transferUSDC, or another wallet transfer method.

Run First

npx @monarch-shield/x402 doctor --ci --strict

Why

Wallet transfers can be fast and hard to reverse. A bad agent path can pay the wrong recipient, wrong chain, wrong asset, or wrong amount before a human notices.

Required Runtime Pattern

await checkBeforePayment(payment, async (safePayment) => {

  return wallet.send(safePayment.payTo, safePayment.amount);

});

CI Gate

Keep the Doctor command in CI so future wallet-send changes cannot merge without the preflight.

Proof To Check

The adversarial benchmark includes direct wallet.send, unused guard import, guard-after-payment, dead helper, and patched guarded callback cases:

npm run benchmark:adversarial

The external smoke installs Monarch like a third-party agent and verifies unsafe fail, patched pass, x402-doctor, fake PATH binary, and wrapper-only limitation behavior:

npm run smoke:external-agent

For PR review, emit SARIF:

npx @monarch-shield/x402 doctor --ci --strict --sarif-output monarch-doctor.sarif

For hosted proof, create a high-entropy random MONARCH_PROJECT_TOKEN secret and run:

MONARCH_PROJECT_TOKEN=... npx @monarch-shield/x402 doctor --ci --strict --report

Doctor is a local/CI build-time preflight gate today. Runtime policy, signed attestations, hosted enforcement, settlement safety, and wallet ownership verification are later layers. Reporting does not send source code, wallet addresses, endpoint URLs, payment amounts, API keys, file paths, repo names, commit SHAs, or raw project tokens.