tate@programs ~/services/agent-payment-launch-review x402 / MPP / AgentCore / Workers

agent payment launch review / may 2026

Scope the private review before a paid agent goes live.

AWS AgentCore Payments, Cloudflare Workers, x402, MPP, and Pay.sh are making paid API calls part of the agent runtime. This page turns a launch surface into a concrete review scope: no-payment 402 checks, spend-map controls, cache policy, CORS, replay/idempotency, metadata filtering, receipt evidence, and a patch order.

build review scope run free surface check build spend policy attack map pricing source ledger

entry: $149
mode: private first
output: patch order

payment.review

$ review scope --rail x402 --agentcore
surface: manifest + live 402 routes
checks: CORS, cache, resource, replay
policy: session cap + recipient allowlist
evidence: receipts + denied attempts
deliverable: spend map + patch order

deliverable

What the private review sends back.

sample report

surface

No-payment route map

Manifest, OpenAPI, direct endpoint, 402 challenge, MPP header, browser preflight, and resource-binding notes.

spend

Loss-boundary map

Session cap, per-call cap, recipient allowlist, wallet isolation, approval gates, and denial paths.

http

Cache and CORS pass

Checks for browser-readable payment challenges, `X-PAYMENT` preflight, `Cache-Control`, `Vary`, and paid-response cache hazards.

settle

Replay and settlement notes

Request ids, idempotency, facilitator binding, finality assumptions, failed-payment reconciliation, and receipt proof.

privacy

Metadata boundary

Prompt text, query tokens, user identifiers, resource URLs, and receipt fields are reviewed for unnecessary leakage.

order

Patch order

The output is ranked by launch risk, so the first fix is the one most likely to block trust or break a real buyer flow.

source ledger

Why this scope exists now.

aws

AgentCore Payments preview

AWS describes payment connections through Coinbase and Stripe/Privy wallets, session-level spending limits, and automatic x402 handling when agents hit paid resources.

open AWS note

cloudflare

Workers and MCP paid tools

Cloudflare documents agentic payments through HTTP 402, including x402 and MPP paths for Workers and MCP tools.

open Cloudflare docs

research

x402 attack surface

The May 2026 x402 attack preprint maps practical risks around finality, settlement binding, replay, HTTP cache/proxy behavior, and discovery selection.

open arXiv paper

tooling

Strict cache scan

`x402-surface-check@0.2.22` adds optional strict cache findings for teams that want missing payment-challenge cache policy called out before launch.

open surface checker

Private-first review

Send the generated scope before paying so the review boundary is clear.

Email scope