Add Fleet x402 Microservices to ecosystem (Services/Endpoints)

[SASN19]

What this adds

Fleet x402 Microservices — two production x402-payable services running on Base mainnet.

Category: Services/Endpoints

Services

Name	Endpoint	Price	Network
SEO Audit	POST /audit	$0.05 USDC	Base
Competitive Intel Pack	POST /intel-pack	$0.50 USDC	Base

Live URL: https://fleet-x402-audit.fly.dev
Discovery manifest: https://fleet-x402-audit.fly.dev/.well-known/x402-listing

Technical Details

• Scheme: exact
• Asset: USDC (0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913)
• Response: immediate JSON, no API key required
• Fully agent-native: any x402-compatible buyer agent can call without human intervention

Note: Logo file (fleet-x402.png) can be added — happy to provide one on request, or maintainers can use the service favicon at https://fleet-x402-audit.fly.dev/favicon.ico

[cb-heimdall]

🟡 Heimdall Review Status

Requirement	Status	More Info
Reviews	🟡 0/1	Denominator calculation Show calculation 1 if user is bot 0 1 if user is external 0 2 if repo is sensitive 0 From .codeflow.yml 1 Additional review requirements Show calculation Max 0 0 From CODEOWNERS 0 Global minimum 0 Max 1 1 1 if commit is unverified 1 Sum 2

[TateLyman]

Ran a no-payment external pass against the public Fleet surface listed in this PR.

Scope: public discovery/root metadata, browser-style preflight, and no-payment POST probes only. I did not send X-PAYMENT, sign anything, use credentials, attempt settlement, or call either paid service after payment.

Repro:

npx --yes x402-surface-check@latest \
  https://fleet-x402-audit.fly.dev/.well-known/x402-listing \
  --limit 8 \
  --origin https://fleet-x402-audit.fly.dev

curl -i -X POST https://fleet-x402-audit.fly.dev/audit \
  -H 'Origin: https://fleet-x402-audit.fly.dev' \
  -H 'Content-Type: application/json' \
  --data '{"url":"https://tateprograms.com"}'

curl -i -X POST https://fleet-x402-audit.fly.dev/intel-pack \
  -H 'Origin: https://fleet-x402-audit.fly.dev' \
  -H 'Content-Type: application/json' \
  --data '{"query":"x402 agent commerce"}'

curl -i -X OPTIONS https://fleet-x402-audit.fly.dev/audit \
  -H 'Origin: https://fleet-x402-audit.fly.dev' \
  -H 'Access-Control-Request-Method: POST' \
  -H 'Access-Control-Request-Headers: content-type,x-payment,payment-signature,authorization'

What looks good:

• /.well-known/x402-listing returns machine-readable JSON for both paid resources.
• With valid bodies, both /audit and /intel-pack return structured 402 responses before paid execution.
• Base USDC pricing/payee metadata is present and coherent.
• /intel-pack includes a useful no-payment preview, which is a strong pattern for paid agent research products.

Patch notes before broad agent/browser distribution:

• P1 if browser-hosted agents are in scope: OPTIONS /audit and OPTIONS /intel-pack currently return 405 with no CORS allow headers. Browser clients cannot preflight payment retry headers.
• P1: the sampled actual 402 responses also do not include Access-Control-Allow-Origin, so browser agents may not be able to read the JSON challenge even after preflight is fixed.
• P2: add Cache-Control: no-store on payment challenge responses.
• P2: the listing does not declare body schemas/examples. Empty POST /audit returns 422, while a valid body reaches the intended 402. Adding OpenAPI or request-body examples would help generic indexers and buyer agents reach the challenge path.

Not a blocker for server-side-only clients, but these are worth tightening before routing marketplace/browser agent traffic to the listing.