Add Sentinel to ecosystem — agent reputation intelligence via x402 #154

Open
InfraGridACP-Sentinel wants to merge 1 commit into coinbase:main from InfraGridACP-Sentinel:add-sentinel-ecosystem

Conversation

@InfraGridACP-Sentinel

Add Sentinel to x402 Ecosystem

Sentinel is an independent AI agent reputation provider.

  • What it does: Trust grades (A-F), success rates, buyer diversity, and Nansen-enriched on-chain intelligence for 239+ AI agents on the ACP marketplace
  • Price: $0.10 USDC per query on Base via x402
  • Website: https://sentineltrust.xyz
  • API: GET https://sentineltrust.xyz/v1/reputation?agent=<name>
  • x402 SDK: @x402/express v2.10.0 with ExactEvmScheme + CDP facilitator + Bazaar discovery metadata
  • Other access: MCP server, ClawHub skill, Hermes skill, free demo
  • ERC-8004: Ethereum #27911, Base #21020, Solana #393

Note: Logo PNG will be added in a follow-up commit once we confirm the correct dimensions/format.

@cb-heimdall

🟡 Heimdall Review Status

Requirement Status More Info
Reviews 🟡 0/1
Denominator calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 1
Sum 2

@TateLyman

Ran a no-payment external pass against the public Sentinel surface. No payment headers, signatures, or paid calls were sent.

Repro:

npx --yes x402-surface-check@latest https://sentineltrust.xyz/openapi.json --limit 4 --origin https://sentineltrust.xyz
npx --yes x402-surface-check@latest --endpoint --method GET "https://sentineltrust.xyz/v1/reputation?agent=test" --origin https://sentineltrust.xyz
curl -i https://sentineltrust.xyz/.well-known/x402
curl -i https://sentineltrust.xyz/llms.txt

What looks good:

  • /openapi.json, /.well-known/x402, and /llms.txt are public and machine-readable.
  • GET /v1/reputation?agent=test returns a structured x402 402 before execution.
  • The observed price is $0.10 (100000 atomic USDC units), matching the PR/docs.
  • The challenge includes Base mainnet USDC and also advertises a Solana accept leg.

Patch notes before/after merge:

  • P1: the browser preflight for GET /v1/reputation currently returns 200 with no Access-Control-Allow-Origin / Access-Control-Allow-Headers, so browser agents cannot discover that X-PAYMENT is allowed before retrying. A 204/200 OPTIONS response with Access-Control-Allow-Origin and Access-Control-Allow-Headers: X-PAYMENT, Content-Type, Authorization would make the x402 flow browser-readable.
  • P1: the payment challenge resource URL is http://sentineltrust.xyz/v1/reputation... even though the public endpoint is HTTPS. I would emit the canonical https://sentineltrust.xyz/... URL to avoid mixed-scheme spend maps and replay-binding confusion.
  • P2: the top-level challenge has a resource URL, but accepts[] entries do not repeat it. Mirroring the canonical charged URL into each accept leg, or documenting the top-level resource as authoritative, makes wallet-side spend maps easier to verify.

I did not send X-PAYMENT, sign anything, or attempt a paid call.
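
The three patch notes above, written as an offline check. This is an added example, not part of the original comment and not the code of x402-surface-check. The `resource` and `accepts` field names, the `lintX402Surface` helper and both sample objects are assumptions constructed from the wording of the review.

```javascript
// Lints a CORS preflight response and a 402 challenge for the P1/P2 notes above.
// Assumed challenge shape: { resource: <url>, accepts: [ { ...leg } ] }.
function lintX402Surface(publicUrl, preflight, challenge) {
  const findings = [];
  const headers = {};
  for (const [k, v] of Object.entries(preflight.headers || {})) {
    headers[k.toLowerCase()] = String(v); // header names are case-insensitive
  }
  // P1: a browser client must learn from the preflight that X-PAYMENT is allowed.
  const allowed = (headers['access-control-allow-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!headers['access-control-allow-origin']) {
    findings.push('P1 preflight: no Access-Control-Allow-Origin');
  }
  if (!allowed.includes('x-payment') && !allowed.includes('*')) {
    findings.push('P1 preflight: X-PAYMENT not in Access-Control-Allow-Headers');
  }
  // P1: the charged resource must carry the public scheme and host, so a
  // payment is bound to the URL the client actually called.
  const pub = new URL(publicUrl);
  let res = null;
  try { res = new URL(challenge.resource); } catch {
    findings.push('P1 challenge: resource missing or not an absolute URL');
  }
  if (res && (res.protocol !== pub.protocol || res.host !== pub.host)) {
    findings.push(`P1 challenge: resource origin ${res.origin} != ${pub.origin}`);
  }
  // P2: each accept leg should echo the same charged URL.
  (challenge.accepts || []).forEach((leg, i) => {
    if (leg.resource !== challenge.resource) {
      findings.push(`P2 accepts[${i}]: resource not mirrored`);
    }
  });
  return findings;
}

// Constructed samples: the surface as first reported, and after the P1 fixes.
const PUBLIC_URL = 'https://sentineltrust.xyz/v1/reputation?agent=test';
const legs = [{ network: 'base' }, { network: 'solana' }];
const before = {
  preflight: { status: 200, headers: {} },
  challenge: { resource: PUBLIC_URL.replace('https:', 'http:'), accepts: legs },
};
const after = {
  preflight: { status: 204, headers: {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Headers': 'X-PAYMENT, PAYMENT-SIGNATURE, Content-Type, Authorization' } },
  challenge: { resource: PUBLIC_URL, accepts: legs },
};
```

Run against `before`, the check reports three P1 findings and two P2 findings; run against `after`, only the two P2 accept-leg findings remain.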

@InfraGridACP-Sentinel
Author

Thanks for the thorough review.

All three items are now addressed:

  • P1 CORS: OPTIONS preflight now returns 204 with Access-Control-Allow-Origin: * and Access-Control-Allow-Headers: X-PAYMENT, PAYMENT-SIGNATURE, Content-Type, Authorization
  • P1 HTTPS: Resource URL in the payment challenge now emits https://sentineltrust.xyz/... (set Express trust proxy behind Caddy)
  • P2: Noted — will mirror the canonical URL into each accept leg in a follow-up

All changes are live on the endpoint if you want to re-run the surface check.

@TateLyman

Re-ran the no-payment pass after your update. The two P1s look fixed now.

Repro:

npx --yes x402-surface-check@latest https://sentineltrust.xyz/openapi.json --limit 4 --origin https://sentineltrust.xyz
npx --yes x402-surface-check@latest --endpoint --method GET "https://sentineltrust.xyz/v1/reputation?agent=test" --origin https://sentineltrust.xyz

Observed now:

  • browser preflight returns 204 with Access-Control-Allow-Origin: * and Access-Control-Allow-Headers: X-PAYMENT, PAYMENT-SIGNATURE, Content-Type, Authorization
  • the actual 402 response exposes the same browser-readable payment headers
  • the challenge resource is now canonical HTTPS: https://sentineltrust.xyz/v1/reputation?agent=test
  • the only remaining note from my checker is the lower-priority accept-leg resource echo you already called out as follow-up work

No payment headers, signatures, or paid calls were sent.
