x402 stats endpoint returns data without payment and preflight omits X-PAYMENT #2

@TateLyman

Description

I ran a no-payment public check against the x402 stats endpoint advertised in the app.

Scope:

  • public repo copy in src/app/api/page.tsx marks GET /v1/x402/stats as tier: "x402";
  • public x402 page says clients should set the X-PAYMENT header;
  • live endpoint: https://api.solsentry.app/v1/x402/stats.

Repro, with no payment headers, no wallet signatures, and no paid call:

npx --yes x402-surface-check@latest --endpoint --method GET https://api.solsentry.app/v1/x402/stats --origin https://solsentry.app

curl -si https://api.solsentry.app/v1/x402/stats \
  -H 'Origin: https://solsentry.app'

curl -si -X OPTIONS https://api.solsentry.app/v1/x402/stats \
  -H 'Origin: https://solsentry.app' \
  -H 'Access-Control-Request-Method: GET' \
  -H 'Access-Control-Request-Headers: X-PAYMENT, Content-Type'

Observed:

  • the no-payment GET returns 200 OK with ledger data;
  • the same response advertises X-Payment-Required: true, X-Price-USDC: 0.001, X-Payment-Enforce: true, treasury wallet, network, token, and protocol headers;
  • browser preflight returns 204, but Access-Control-Allow-Headers is only Content-Type, Authorization, X-Client-ID, so a browser client following the page copy and sending X-PAYMENT would fail preflight.

This may be intentional if /v1/x402/stats is meant to stay public as a live ledger. If so, I would make the docs and headers say that clearly, for example "public ledger endpoint; payment headers describe the paid API family." If it is meant to be paid, the 402 challenge should happen before returning the stats payload, and preflight should allow the payment header documented by the page.

Main launch-readiness mismatch:

  1. docs and headers say x402/enforced;
  2. live no-payment response returns the data;
  3. browser preflight does not allow the documented payment header.
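The two checks described in this report (an unauthenticated GET compared against the headers it advertises, and a browser preflight checked for the documented payment header), written up as an added JavaScript example. This is not code from the issue or from the SolSentry project. It runs offline on constructed response objects that mirror the observed headers; the `x402Gate` handler, the `verifyPayment` and `loadStats` callbacks, and the placeholder ledger body are assumptions about how a paid endpoint could behave, not the live API.

```javascript
// Added example, not code from the issue or the SolSentry project.
// Pure functions over {status, headers, body} objects so the checks run
// offline; in a live check these objects would come from fetch() or curl.

// HTTP header names are case-insensitive, so index them in lower case.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Split a comma-separated list (Access-Control-Allow-Headers) into tokens.
function headerTokens(value) {
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Compare what the endpoint advertises with what it actually does.
// Returns an array of finding strings; empty means the surface is consistent.
function assessX402Surface(getResp, preflightResp, paymentHeader = "x-payment") {
  const findings = [];
  const h = normalizeHeaders(getResp.headers);
  const advertised = h["x-payment-required"] === "true";
  const hasBody = typeof getResp.body === "string" && getResp.body.length > 0;

  // Finding 1: headers say "paid", but a request with no payment is served.
  if (advertised && getResp.status !== 402 && hasBody) {
    findings.push(
      `unpaid GET returned ${getResp.status} with a body while advertising ` +
        `X-Payment-Required: true (X-Payment-Enforce: ${h["x-payment-enforce"] ?? "unset"})`
    );
  }

  // Finding 2: a browser cannot send the documented payment header unless the
  // preflight lists it ("*" is only honoured for requests without credentials).
  const p = normalizeHeaders(preflightResp.headers);
  const allowed = headerTokens(p["access-control-allow-headers"]);
  if (preflightResp.status < 300 && !allowed.includes(paymentHeader) && !allowed.includes("*")) {
    findings.push(`preflight allows [${allowed.join(", ")}] but not ${paymentHeader}`);
  }
  return findings;
}

// Assumed shape of a paid endpoint: challenge with 402 before any ledger data
// is produced, and list the payment header in preflight. verifyPayment and
// loadStats are injected because real payment verification is out of scope.
const PAYMENT_HEADERS = {
  "X-Payment-Required": "true",
  "X-Payment-Enforce": "true",
  "X-Price-USDC": "0.001",
};
const CORS_HEADERS = {
  "Access-Control-Allow-Origin": "https://solsentry.app",
  "Access-Control-Allow-Methods": "GET, OPTIONS",
  "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Client-ID, X-PAYMENT",
};

function x402Gate(req, { verifyPayment, loadStats }) {
  if (req.method === "OPTIONS") {
    return { status: 204, headers: { ...CORS_HEADERS }, body: "" };
  }
  const payment = normalizeHeaders(req.headers)["x-payment"];
  // Challenge first: loadStats() is never called for an unpaid request.
  if (!payment || !verifyPayment(payment)) {
    return { status: 402, headers: { ...CORS_HEADERS, ...PAYMENT_HEADERS }, body: "" };
  }
  return {
    status: 200,
    headers: { ...CORS_HEADERS, ...PAYMENT_HEADERS, "Content-Type": "application/json" },
    body: JSON.stringify(loadStats()),
  };
}

// Constructed responses mirroring the headers the report observed; the body
// is a placeholder, not captured ledger data.
const observedGet = {
  status: 200,
  headers: {
    "X-Payment-Required": "true",
    "X-Payment-Enforce": "true",
    "X-Price-USDC": "0.001",
    "Content-Type": "application/json",
  },
  body: '{"calls":1}',
};
const observedPreflight = {
  status: 204,
  headers: { "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Client-ID" },
};

// Responses from the assumed corrected handler, for comparison.
const deps = { verifyPayment: (v) => v === "demo-valid-payment", loadStats: () => ({ calls: 1 }) };
const origin = { Origin: "https://solsentry.app" };
const fixedGet = x402Gate({ method: "GET", headers: origin }, deps);
const fixedPreflight = x402Gate(
  { method: "OPTIONS", headers: { ...origin, "Access-Control-Request-Headers": "X-PAYMENT, Content-Type" } },
  deps
);
const paidGet = x402Gate({ method: "GET", headers: { ...origin, "X-PAYMENT": "demo-valid-payment" } }, deps);

console.log("observed:", assessX402Surface(observedGet, observedPreflight));
console.log("fixed:", assessX402Surface(fixedGet, fixedPreflight));
```

Run against the constructed observed responses the check reports both mismatches from the issue; run against the gated handler it reports none, and only a request carrying a verifying `X-PAYMENT` value gets a 200 with a body. If the endpoint is meant to stay public, the same function would still flag it until the `X-Payment-Required` header is dropped from that route, which is the documentation fix the report suggests.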
