
feat(ecosystem): add Crest Deployment Systems -- security audit + crypto data#167

Open
andysalvo wants to merge 1 commit into coinbase:main from andysalvo:feat/add-crest-deployment-systems

Conversation

@andysalvo

Services

Crest x402 Audit (https://audit.crestsystems.ai)
Smart contract security audit ($1.00), code vulnerability scan ($0.50), and wallet risk profiling ($0.25). AI-powered analysis with OWASP classification and fix recommendations.

Crest x402 Data (https://data.crestsystems.ai)
Crypto market data at $0.01/call. Top 25 prices, token lookups, multi-chain gas oracle, trending tokens, and DeFi TVL per chain.

Details

  • Network: Base mainnet
  • Token: USDC
  • Facilitator: Coinbase CDP
  • Discovery: agent.json, x402.json, llms.txt at each domain

Provider

Crest Deployment Systems LLC -- https://crestsystems.ai

Two x402 services:
- Crest x402 Audit: smart contract audit, code vulnerability scan, wallet risk profiling
- Crest x402 Data: crypto prices, token lookups, gas oracle, trending tokens, DeFi analytics

Both live on Base mainnet, USDC settlement via CDP facilitator.
@cb-heimdall

🟡 Heimdall Review Status

Requirement Status More Info
Reviews 🟡 0/1
Denominator calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 0
Sum 1

@TateLyman

Ran a no-payment external pass against the two public Crest surfaces from this listing. No X-PAYMENT, no payment signatures, no API key, and no paid calls.

Repro:

npx --yes x402-surface-check@latest https://data.crestsystems.ai/.well-known/x402 --limit 8 --origin https://data.crestsystems.ai
npx --yes x402-surface-check@latest https://audit.crestsystems.ai/api/openapi.json --limit 8 --origin https://audit.crestsystems.ai

What looks good:

  • Data surface returns five structured x402 402 challenges at $0.01-$0.05 on Base / eip155:8453.
  • Audit surface returns three structured x402 402 challenges for contract audit, code scan, and wallet profile at $1.00, $0.50, and $0.25.
  • Resource URLs are HTTPS and match the public host/path.
  • Data preflight allows X-PAYMENT and PAYMENT-SIGNATURE from the tested origin.

Patch notes before/after merge:

  • P1: Audit preflight and actual 402 responses do not expose browser-readable CORS for the tested origin or payment headers. If audit is server-to-server only, a short note in docs is enough; if browser agents are intended, add Access-Control-Allow-Origin plus payment headers on OPTIONS and actual 402 responses.
  • P2: Both data and audit challenges keep resource.url at challenge level but do not echo it in accept legs. This may be fine for x402 v2, but a client spend map should bind the selected accept leg back to the top-level resource.
  • Polish: https://data.crestsystems.ai/ links to /.well-known/agent.json; that agent doc exposes a useful tools map. Some scanners may not follow that shape yet, so keeping /.well-known/x402 linked prominently helps discovery.

Net: the actual paid surfaces are live and structured. Main remaining question is whether browser-agent CORS is in scope for audit, or intentionally server-to-server.

@andysalvo

Thanks for the thorough surface check @TateLyman. All three items addressed:

P1 (CORS): Audit surface now returns Access-Control-Allow-Origin, Access-Control-Allow-Headers (including X-PAYMENT and PAYMENT-SIGNATURE), and Access-Control-Expose-Headers on both OPTIONS preflight and actual 402 responses. Browser agents are in scope. Both surfaces are consistent.

P2 (resource_url in accept legs): Noted — this is currently at the challenge level per x402 v2 structure. Will add accept-leg binding if the spec formalizes it.

Polish (x402 discovery): /.well-known/x402 is now prominently linked in the audit root response alongside /.well-known/agent.json.

Repro for the CORS fix:

curl -sI -X POST https://audit.crestsystems.ai/audit/contract -H "Origin: https://example.com" | grep access-control

@TateLyman

Re-ran the no-payment pass after your patch.

Repro:

npx --yes x402-surface-check@latest https://data.crestsystems.ai/.well-known/x402 --limit 8 --origin https://data.crestsystems.ai
npx --yes x402-surface-check@latest https://audit.crestsystems.ai/api/openapi.json --limit 8 --origin https://audit.crestsystems.ai
curl -i https://audit.crestsystems.ai/

Confirmed fixed:

  • Audit browser preflight now allows X-PAYMENT / PAYMENT-SIGNATURE and exposes payment response headers, matching the data surface.
  • The audit root now advertises discovery links, including /.well-known/x402, /.well-known/agent.json, /api/openapi.json, and /llms.txt.
  • The sampled data and audit paid routes still return structured x402 402 responses before paid work at the expected prices.

Remaining note is the one you already called out: the scanner still flags accept-leg resource binding because it expects each accept leg to repeat the canonical resource URL. If your interpretation is challenge-level resource only until the spec formalizes accept-level binding, documenting that in the provider notes is enough for now.

One optional hardening item: the sampled paid 402 responses still do not advertise Cache-Control; no-store is a safer default for payment negotiation responses.

No payment headers, signatures, API keys, or paid calls were sent.
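The checks discussed in this thread (P1 CORS on the 402 itself, P2 binding the selected accept leg to the challenge-level resource, and the Cache-Control no-store hardening note), as an added JavaScript example; this is not code from the PR, the Crest services, or the x402 project, and the challenge field names (resource.url, accepts[].network, maxAmountRequired), the X-PAYMENT-RESPONSE expose header, and the sample response are assumptions.

```javascript
// Added example, not code from the Crest PR or the x402 project: a defender-side
// check of one x402 402 challenge covering the points raised in this thread.
// Field names (resource.url, accepts[].network, maxAmountRequired) are assumed.
const PAYMENT_HEADERS = ["x-payment", "payment-signature"];

// Split a comma-separated header into lowercase tokens ([] when absent).
function headerList(headers, name) {
  const v = headers[name.toLowerCase()];
  return v ? v.split(",").map((s) => s.trim().toLowerCase()) : [];
}

// Returns a list of findings; an empty list means every check passed.
function checkChallenge({ status, headers, body }, expectedHost) {
  const f = [];
  if (status !== 402) f.push(`fail: expected 402, got ${status}`);
  let resource;
  try { resource = new URL(body.resource.url); }
  catch { return [...f, "fail: challenge has no parsable resource.url"]; }
  if (resource.protocol !== "https:") f.push("fail: resource.url is not HTTPS");
  if (resource.host !== expectedHost) f.push(`fail: resource host ${resource.host} != ${expectedHost}`);
  const legs = body.accepts ?? [];
  if (legs.length === 0) f.push("fail: no accept legs");
  // P2: a leg that names a different resource must not be paid for
  for (const leg of legs)
    if (leg.resource && leg.resource !== body.resource.url)
      f.push(`fail: accept leg on ${leg.network} names a different resource`);
  // P1: browser agents need CORS on the 402 itself, not only on preflight
  if (!headers["access-control-allow-origin"]) f.push("P1: missing Access-Control-Allow-Origin");
  const allowed = headerList(headers, "access-control-allow-headers");
  for (const h of PAYMENT_HEADERS)
    if (!allowed.includes(h)) f.push(`P1: ${h} not in Access-Control-Allow-Headers`);
  if (!headers["access-control-expose-headers"]) f.push("P1: missing Access-Control-Expose-Headers");
  // Hardening note from the thread: payment negotiation responses must not be cached
  if (!headerList(headers, "cache-control").includes("no-store")) f.push("polish: Cache-Control lacks no-store");
  return f;
}

// Client spend-map entry: bind the selected leg to the challenge-level resource,
// so a later payment can be matched back to the URL that was actually requested.
function bindSpend(body, network) {
  const leg = (body.accepts ?? []).find((l) => l.network === network);
  return leg ? { resourceUrl: body.resource.url, network, maxAmount: leg.maxAmountRequired } : null;
}

// Constructed sample (not a real capture) shaped like the audit surface after the CORS fix.
const SAMPLE = { status: 402,
  headers: { "access-control-allow-origin": "https://example.com",
    "access-control-allow-headers": "Content-Type, X-PAYMENT, PAYMENT-SIGNATURE",
    "access-control-expose-headers": "X-PAYMENT-RESPONSE" },
  body: { x402Version: 2, resource: { url: "https://audit.crestsystems.ai/audit/contract" },
    accepts: [{ scheme: "exact", network: "eip155:8453", asset: "USDC", maxAmountRequired: "1000000" }] } };
```

Run `checkChallenge(SAMPLE, "audit.crestsystems.ai")` to see that the only remaining finding on this sample is the missing Cache-Control: no-store.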
