Add Fleet x402 Microservices to ecosystem (Services/Endpoints)

[SASN19]

What this adds

Fleet x402 Microservices — two production x402-payable services running on Base mainnet.

Category: Services/Endpoints

Services

Name	Endpoint	Price	Network
SEO Audit	POST /audit	$0.05 USDC	Base
Competitive Intel Pack	POST /intel-pack	$0.50 USDC	Base

Live URL: https://fleet-x402-audit.fly.dev
Discovery manifest: https://fleet-x402-audit.fly.dev/.well-known/x402-listing

Technical Details

• Scheme: exact
• Asset: USDC (0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913)
• Response: immediate JSON, no API key required
• Fully agent-native: any x402-compatible buyer agent can call without human intervention

Note: Logo file (fleet-x402.png) can be added — happy to provide one on request, or maintainers can use the service favicon at https://fleet-x402-audit.fly.dev/favicon.ico

[cb-heimdall]

🟡 Heimdall Review Status

Requirement	Status	More Info
Reviews	🟡 0/1	Denominator calculation Show calculation 1 if user is bot 0 1 if user is external 0 2 if repo is sensitive 0 From .codeflow.yml 1 Additional review requirements Show calculation Max 0 0 From CODEOWNERS 0 Global minimum 0 Max 1 1 1 if commit is unverified 1 Sum 2

[TateLyman]

Ran a no-payment external pass against the public Fleet surface listed in this PR.

Scope: public discovery/root metadata, browser-style preflight, and no-payment POST probes only. I did not send X-PAYMENT, sign anything, use credentials, attempt settlement, or call either paid service after payment.

Repro:

npx --yes x402-surface-check@latest \
  https://fleet-x402-audit.fly.dev/.well-known/x402-listing \
  --limit 8 \
  --origin https://fleet-x402-audit.fly.dev

curl -i -X POST https://fleet-x402-audit.fly.dev/audit \
  -H 'Origin: https://fleet-x402-audit.fly.dev' \
  -H 'Content-Type: application/json' \
  --data '{"url":"https://tateprograms.com"}'

curl -i -X POST https://fleet-x402-audit.fly.dev/intel-pack \
  -H 'Origin: https://fleet-x402-audit.fly.dev' \
  -H 'Content-Type: application/json' \
  --data '{"query":"x402 agent commerce"}'

curl -i -X OPTIONS https://fleet-x402-audit.fly.dev/audit \
  -H 'Origin: https://fleet-x402-audit.fly.dev' \
  -H 'Access-Control-Request-Method: POST' \
  -H 'Access-Control-Request-Headers: content-type,x-payment,payment-signature,authorization'

What looks good:

• /.well-known/x402-listing returns machine-readable JSON for both paid resources.
• With valid bodies, both /audit and /intel-pack return structured 402 responses before paid execution.
• Base USDC pricing/payee metadata is present and coherent.
• /intel-pack includes a useful no-payment preview, which is a strong pattern for paid agent research products.

Patch notes before broad agent/browser distribution:

• P1 if browser-hosted agents are in scope: OPTIONS /audit and OPTIONS /intel-pack currently return 405 with no CORS allow headers. Browser clients cannot preflight payment retry headers.
• P1: the sampled actual 402 responses also do not include Access-Control-Allow-Origin, so browser agents may not be able to read the JSON challenge even after preflight is fixed.
• P2: add Cache-Control: no-store on payment challenge responses.
• P2: the listing does not declare body schemas/examples. Empty POST /audit returns 422, while a valid body reaches the intended 402. Adding OpenAPI or request-body examples would help generic indexers and buyer agents reach the challenge path.

Not a blocker for server-side-only clients, but these are worth tightening before routing marketplace/browser agent traffic to the listing.

[TateLyman]

Ran a no-payment external pass against the public Fleet x402 surface from this PR.

Repro:

curl -sS https://fleet-x402-audit.fly.dev/.well-known/x402 | jq '.services[] | {name, url, method, price_human, network, payTo}'
curl -i -X POST https://fleet-x402-audit.fly.dev/audit \
  -H 'Origin: https://claude.ai' \
  -H 'Content-Type: application/json' \
  --data '{"url":"https://example.com"}'
curl -i -X POST https://fleet-x402-audit.fly.dev/intel-pack \
  -H 'Origin: https://claude.ai' \
  -H 'Content-Type: application/json' \
  --data '{"query":"huggingface opportunity"}'
curl -i -X OPTIONS https://fleet-x402-audit.fly.dev/intel-pack \
  -H 'Origin: https://claude.ai' \
  -H 'Access-Control-Request-Method: POST' \
  -H 'Access-Control-Request-Headers: content-type,x-payment,payment-signature'

What looks good:

• /.well-known/x402, /.well-known/x402-listing, and /openapi.json are public and describe both paid routes.
• Valid no-payment POST /audit returns a structured 402 before execution with $0.05 USDC on Base and resource https://fleet-x402-audit.fly.dev/audit.
• Valid no-payment POST /intel-pack returns a structured 402 before execution with $0.50 USDC on Base and resource https://fleet-x402-audit.fly.dev/intel-pack.
• Payee, asset, resource, and OpenAPI x-payment-info are coherent across the sampled surfaces.

Patch notes before/after ecosystem merge:

• P2: browser-agent preflight currently returns 405 Method Not Allowed on the paid routes. Claude/Cursor/browser MCP-style clients need OPTIONS to return the relevant Access-Control-Allow-Origin, Access-Control-Allow-Methods: POST, OPTIONS, and Access-Control-Allow-Headers including content-type, x-payment, and whichever payment signature/header names the client uses.
• P2: sampled 402 responses do not include CORS expose headers, so browser JS may be unable to read the payment challenge/response headers even though CLI agents can read the JSON body.
• P3: sampled 402 responses do not include Cache-Control: private, no-store; worth adding because these responses contain payment instructions and sometimes previews.

I did not send payment headers, sign requests, use API keys, or attempt paid calls.

[egoriklok]

Free public readiness snapshot for Add Fleet x402 Microservices to ecosystem (Services/Endpoints):

• Public signal: No-payment readiness snapshot draft for Add Fleet x402 Microservices to ecosystem (Services/Endpoints) #181: Add Fleet x402 Microservices to ecosystem (Services/Endpoints). Focus: api, buyer agent, x402.
• R1 fit: api, buyer agent, x402.
• Buyer-agent check I would add before autonomous spend: explicit price/cap unit, policy/version hash, receipt or charge-evidence reference, revocation/dispute path, and allow/caution/block preflight result.
• This separates "interesting paid surface" from "safe for an agent wallet to use".

No invoice, no payment link, no delivery link, no private endpoint; this is only a free public snapshot.