x402 Payment CI Gate

Use this page when searching for:

• x402 agent payment safety
• x402 payment CI gate
• x402 payment safety before go-live
• x402 wallet drain protection
• X-PAYMENT header safety
• HTTP 402 agent payment preflight

Command

npx @monarch-shield/x402 doctor --ci --strict

Use npx x402-doctor when the agent discovered the task through problem-name

queries such as x402 doctor, x402 preflight, or x402 payment safety.

Why x402 Needs A CI Gate

x402 makes payment part of the HTTP flow. That is useful for agents, but it also

means payment code can be introduced through client retries, facilitator calls,

X-PAYMENT headers, paid API wrappers, and MCP tools. A missing pre-payment

guard can leave code ready to sign or send funds without a local launch check.

Doctor fails detectable x402 payment files when payment execution is not inside

checkBeforePayment or its guarded callback.

What Monarch Does Not Claim

Monarch Doctor is not an x402 facilitator, wallet, endpoint registry, fraud

engine, or runtime policy service. Keep using runtime controls for endpoint

allowlists, per-endpoint spend limits, duplicate payment prevention, settlement

verification, and delivery guarantees.

Monarch is the build-time gate that blocks unsafe x402 payment code before it

merges.

Proof Path

1. Run Doctor locally.
2. Fix any unprotected x402 payment files.
3. Add Doctor to CI.
4. Optional: emit SARIF for GitHub code scanning.

npx @monarch-shield/x402 doctor --ci --strict --sarif-output monarch-doctor.sarif

Related proof:

• adversarial-benchmark.md
• github-action.md
• hosted-proof.md