{"name":"ApexScout x402 Security Readiness","version":"v2.2.107-audit-builder-recommended-first-action","mode":"no-spend-x402-security-readiness","path":"/x402-security-readiness","apiPath":"/api/x402-security-readiness","purpose":"Turn AgentCore Payments, x402 discovery, Solana x402, and recent x402 security research into a practical no-spend readiness checklist for ApexScout.","paidCallsMade":false,"paidUpstreamCallsMade":false,"routePricesChanged":false,"sellerWalletChanged":false,"settlementRailChanged":false,"buyerLevelDataExposed":false,"productionRail":{"rail":"Base mainnet","network":"eip155:8453","baseX402Active":true,"sellerWalletChanged":false,"settlementRailChanged":false,"solanaProductionEnabled":false,"solanaProductionRailChanged":false,"note":"Base mainnet remains the only production settlement rail. Solana x402 is watch-only until a separate proof window is explicitly approved."},"agentCorePaymentsAlignment":{"sellerSideFit":true,"buyerWalletManagedByApexScout":false,"automaticBuyerSpendingAdded":false,"officialAwsCoinbaseEndorsementClaimed":false,"spendPolicyPublished":"https://agent-research-brief-api-production.up.railway.app/api/agentcore-payments-policy","buyerStartPath":"https://agent-research-brief-api-production.up.railway.app/agentcore-buyer-start","paymentHandoff":"https://agent-research-brief-api-production.up.railway.app/agentcore-payment-handoff","openApiImport":"https://agent-research-brief-api-production.up.railway.app/api/agentcore-openapi.json","sourceUrls":{"aws":"https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/payments.html","coinbase":"https://www.coinbase.com/blog/introducing-amazon-bedrock-agentcore-payments-powered-by-x402-and-coinbase"},"note":"ApexScout stays positioned as a seller-side x402 service that buyer-controlled agents can inspect and pay. 
It does not manage buyer wallets or budgets."},"discoveryReadiness":{"primaryIndexedRoute":"/api/opportunity-check","builderAuditRoute":"/api/agent-revenue-audit","discoveryStatusApi":"https://agent-research-brief-api-production.up.railway.app/api/discovery-indexing-status","discoverySearchFit":"https://agent-research-brief-api-production.up.railway.app/discovery-search-fit","discoverySearchFitApi":"https://agent-research-brief-api-production.up.railway.app/api/discovery-search-fit","agenticMarketBundleReadiness":"https://agent-research-brief-api-production.up.railway.app/agentic-market-bundle-readiness","agenticMarketBundleReadinessApi":"https://agent-research-brief-api-production.up.railway.app/api/agentic-market-bundle-readiness","mcpToolPack":"https://agent-research-brief-api-production.up.railway.app/mcp-tool-pack","mcpManifest":"https://agent-research-brief-api-production.up.railway.app/.well-known/mcp.json","agentCoreOpenApi":"https://agent-research-brief-api-production.up.railway.app/api/agentcore-openapi.json","docs":"https://agent-research-brief-api-production.up.railway.app/docs.json","noCatalogCrawl":true,"noCompetitorInspection":true,"noDirectorySubmission":true},"solanaWatchOnly":{"sourceUrl":"https://solana.com/x402","watchOnly":true,"productionSettlementEnabled":false,"separateProofRequiredBeforeAnyRailChange":true,"requiredBeforeProductionClaim":["Seller-controlled Solana settlement address reviewed and confirmed.","A separate proof deployment emits the correct unpaid HTTP 402 response (network, amount, and seller address) before any paid call is attempted.","One separately approved paid proof settles.","Rollback path is documented.","Base mainnet production rail remains untouched during proof."]},"securityChecklist":[{"id":"route-binding","status":"implemented","check":"Bind each payment requirement to the intended route, method, network, amount, and resource URL.","whyItMatters":"A payment made for one route, amount, or network must not be accepted for a different one, even if a buyer agent mistakenly reuses it."},{"id":"same-payload-retry","status":"implemented","check":"The paid retry must preserve the same 
route contract and payload shape checked during the unpaid HTTP 402 step.","whyItMatters":"If the payload or route contract drifts between the unpaid 402 step and the paid retry, a payment can pass verification and then be rejected before settlement, or the paid retry itself can become unsafe."},{"id":"replay-and-duplicate-payment-risk","status":"implemented","check":"Buyer-facing safety surfaces warn about duplicate paid retries and PAYMENT-RESPONSE reuse.","whyItMatters":"Buyer agents need a clear stop rule when the same payload has already produced a PAYMENT-RESPONSE; this check covers the buyer-facing warning, not seller-side detection of replayed or duplicate payments."},{"id":"cache-control","status":"implemented","check":"Human proof and readiness pages are served no-store where they reflect live payment state.","whyItMatters":"Pages that reflect live payment state must not be served from a shared or browser cache, where a stale copy could misreport whether a payment settled."},{"id":"payment-response-privacy","status":"implemented","check":"Full payment payloads, PAYMENT-SIGNATURE headers, payment responses, CDP keys, and full wallet addresses are not public.","whyItMatters":"Proof pages should demonstrate that payments settle without exposing signatures, credentials, or wallet identifiers that could be reused or used to correlate buyers."},{"id":"metadata-preflight","status":"implemented","check":"Run Metadata Preflight and payment safety scoring before buyer-controlled paid retries.","whyItMatters":"Metadata can leak secrets or unsafe requests even when the paid route itself is valid."},{"id":"discovery-and-mcp-shape","status":"implemented","check":"MCP, OpenAPI, docs, and discovery metadata describe the same route schemas and amounts.","whyItMatters":"Agent discovery should not hand buyers stale examples or missing required fields."},{"id":"paid-upstream-calls","status":"implemented","check":"ApexScout paid routes do not make paid upstream calls.","whyItMatters":"Seller economics and buyer risk stay predictable for one-pay-one-json flows."}],"securityResearchWatch":{"x402Attacks":"https://arxiv.org/abs/2605.11781","metadataPaper":"https://arxiv.org/abs/2604.11430","usedAsImplementationInput":"watch-and-harden-only","exploitClaimsMade":false,"note":"The readiness checklist reflects practical classes of x402 risk without claiming ApexScout is 
immune to every future protocol issue."},"attackHardeningRegressionTests":{"mode":"no-spend-regression-tests","paidCallsMade":false,"cases":[{"id":"required-currentproblem-before-spend","route":"/api/agent-revenue-audit","expectedResult":"fix_required_fields","purpose":"Catch the earlier $5 audit payload defect in which a request missing currentProblem reached the payment verify step before failing input validation; required-field validation must run before any spend."},{"id":"wallet-cap-below-route-price","route":"/api/agent-revenue-audit","expectedResult":"fix_budget_cap","purpose":"Stop a buyer-side paid retry when wallet cap or approved budget is below the route price."},{"id":"network-or-price-mismatch","route":"/api/agent-revenue-audit","expectedResult":"stop","purpose":"Stop before payment if the network or amount in the 402 requirement differs from what the buyer expects."},{"id":"duplicate-payment-response-present","route":"/api/agent-revenue-audit","expectedResult":"stop","purpose":"Stop same-payload duplicate retries after a PAYMENT-RESPONSE has already been seen."},{"id":"secrets-outreach-and-scraping-stop","route":"/api/agent-revenue-audit","expectedResult":"stop","purpose":"Stop unsafe metadata before any buyer-controlled paid retry."}],"proofSurfaces":["https://agent-research-brief-api-production.up.railway.app/buyer-agent-payment-safety","https://agent-research-brief-api-production.up.railway.app/api/buyer-agent-payment-safety/score","https://agent-research-brief-api-production.up.railway.app/agent-revenue-audit-builder","https://agent-research-brief-api-production.up.railway.app/api/agent-revenue-audit-builder/prepare"]},"metadataPrivacyUpgrade":{"mode":"pre-payment-metadata-privacy","rawPayloadsReturned":false,"buyerLevelDataExposed":false,"checksResourceUrl":true,"checksPaymentDescription":true,"checksReasonString":true,"checksPayloadPreview":true,"categoriesStoppedOrRedacted":["api keys","private keys","seed phrases","passwords","full wallet addresses","emails","phone-like strings","customer or CRM data","SSNs","legal, tax, investment, lending, compliance, or trading requests","outreach, 
scraping, contact, post, DM, or email requests"],"preflight":"https://agent-research-brief-api-production.up.railway.app/x402-metadata-preflight","preflightCheckApi":"https://agent-research-brief-api-production.up.railway.app/api/x402-metadata-preflight/check"},"buyerAgentNoSpendSimulation":{"mode":"no-spend-buyer-agent-simulation","paidCallsMade":false,"expectedStages":["Read proof and route metadata.","Build a valid payload with currentProblem.","Run Metadata Preflight.","Score route, amount, network, budget, wallet cap, duplicate risk, and buyer approval.","Stop unless every check is ready_to_pay and the buyer explicitly approves spend."],"simulationInputsPublic":false,"recommendedEntryPoints":["https://agent-research-brief-api-production.up.railway.app/bazaar-search-readiness","https://agent-research-brief-api-production.up.railway.app/agentcore-payments-buyer-guide","https://agent-research-brief-api-production.up.railway.app/agentcore-payment-handoff","https://agent-research-brief-api-production.up.railway.app/agent-revenue-audit-builder","https://agent-research-brief-api-production.up.railway.app/buyer-agent-payment-safety"]},"noSpendBuyerPath":["https://agent-research-brief-api-production.up.railway.app/bazaar-search-readiness","https://agent-research-brief-api-production.up.railway.app/discovery-search-fit","https://agent-research-brief-api-production.up.railway.app/agentcore-payments-buyer-guide","https://agent-research-brief-api-production.up.railway.app/agentcore-payment-handoff","https://agent-research-brief-api-production.up.railway.app/x402-proof","https://agent-research-brief-api-production.up.railway.app/chat-tiny-payment-flow","https://agent-research-brief-api-production.up.railway.app/agent-spend-passport","https://agent-research-brief-api-production.up.railway.app/buyer-agent-payment-safety","https://agent-research-brief-api-production.up.railway.app/agent-revenue-audit-builder","https://agent-research-brief-api-production.up.railway.app/x402-meta
data-preflight","https://agent-research-brief-api-production.up.railway.app/mcp-tool-pack"],"guardrails":["No paid call is made by this page or API.","No paid upstream service is called.","No settlement rail is changed.","No seller wallet is changed.","No Solana production rail is enabled.","No scraping, catalog crawling, competitor inspection, outreach, posts, DMs, email, directory submission, fake traffic, or fake feedback.","No buyer prompts, wallet-level histories, raw paid responses, raw feedback, CDP keys, full wallet addresses, or full payment payloads are exposed publicly.","No guaranteed revenue claim."],"recommendedNextNoSpendAction":"Keep monitoring real inbound Passport, Metadata Preflight, 402, and paid-completion movement. Do not switch rails or run paid tests without a separate explicit owner approval gate."}