/cc @murrlincoln (per PROJECT-IDEAS.md's documented contact for project inquiries)
Summary
I'd like to propose presidio-hardened-x402 for inclusion in the security/governance category of x402.org/ecosystem, alongside existing entries like x402-secure, Orac, PEAC, MerchantGuard, and AI Security Guard.
What it is
A Python middleware library (MIT, PyPI, GitHub) that sits between an agent's HTTP client and any 402-paywalled endpoint. Before a payment is signed it enforces:
- PII redaction on the metadata fields x402 servers populate (resource, description, reason, extra) using Microsoft Presidio in regex or NLP mode.
- Per-agent / per-endpoint / per-time-window spending policy, configurable via TOML/JSON against a JSON Schema (x402_policy_schema.py).
- HMAC-SHA256 replay detection with in-memory and Redis backends; case-canonicalised on pay_to and currency.
- HMAC-chained JSON-L audit logging with fsync durability.
- n-of-m multi-party authorisation for high-value payments (webhook + crypto modes).
- Per-origin pay_to allowlist to defend against DNS-poisoning wallet substitution on 402 responses.
- Optional remote screening via the hosted screen.presidio-group.eu free tier when in-process spaCy is unwanted.
Works against any facilitator. Pluggable PaymentSigner protocol; no hard wallet SDK dependency. v0.4.0 shipped today (2026-05-17), 274 tests pass on Python 3.10–3.13.
Why it might be useful to the ecosystem
Independent empirical work on PII exposure in deployed x402 traffic. Two papers currently under peer review:
- Full research paper "PII Exposure and Pre-Execution Filtering in x402 Agentic Payments: An Empirical Ecosystem Study" — under review at Array (Elsevier), manuscript ARRAY-S-26-03066. Contributions: an on-chain characterisation of x402 deployment (96 facilitator wallets across 20 projects on 11 blockchains, ≥79M transactions); a 2,000-sample labelled corpus + 42-configuration Presidio precision/recall sweep + a 35-configuration DeBERTa-v3 transformer baseline (Piiranha) showing a recent PII-specific transformer underperforms Presidio NLP by 2.4× on micro-F1 and exceeds the latency budget by 3.2× on this surface; the middleware itself; and a controlled validation against deployed endpoint patterns. Headline metric: micro-F1 = 0.894 / precision 0.972 / p99 5.73 ms.
- Practitioner article "Who Reads Your Agent's Payment Receipts? PII Risks in the x402 Protocol and a Pre-Execution Remedy" — under review at IEEE Security & Privacy magazine. 8 pages, GDPR Art. 5(1)(c) + Art. 28 framing, $600M-annualised-volume context, same empirical core.
- Open release: corpus, sweep results, baseline experiments, and ecosystem dataset are deposited at IEEE DataPort (doi:10.21227/kpsz-nq73) under MIT-licensed open release, and mirrored on Hugging Face as vstantch/x402-pii-corpus. Earlier v0.2.0 design preprint at arXiv:2604.11430.
Alongside the published library and the deposited dataset, we maintain an 8-chain adversary-attack analysis (3 closed in-tree, 3 mitigation-by-deploy-config, 2 with v0.5.0-deferred residuals) covering threats from supply-chain model poisoning to MPA webhook SSRF and DNS-poisoned wallet substitution. It currently lives in our internal hardening backlog rather than the public repo. If any of it is useful as input to the privacy_class (#2326) or post-settlement-accountability (#2332) proposals already in flight, happy to share the relevant chain(s) directly — let me know.
Suggested listing copy (for the security/governance section)
presidio-hardened-x402 — Pre-execution PII filtering, spending governance, replay detection, and multi-party authorisation for x402 agent payments. Hosted screening tier at screen.presidio-group.eu. Python (MIT). GitHub · PyPI · Hugging Face dataset · IEEE DataPort
Happy to provide categorisation tags, a screenshot, or anything else that helps the entry land cleanly. Also happy to open a separate issue if the threat-model analysis would be more useful as a contribution to #2326 / #2332 than as an ecosystem listing.
— Vladimir Stantchev ([email protected])
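
Added example, not part of the original post and not code from presidio-hardened-x402: a sketch of what HMAC-SHA256 replay detection with case canonicalisation on pay_to and currency can look like with an in-memory store. The `amount` and `nonce` fields, the TTL window, and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed sample payment; "amount" and "nonce" are assumed field names.
SAMPLE = {
    "pay_to": "0xAbCdEf0000000000000000000000000000000001",
    "currency": "USDC",
    "amount": "0.10",
    "resource": "https://api.example.test/report",
    "nonce": "n-1",
}


def fingerprint(key, payment):
    """HMAC-SHA256 over a canonical form of the payment fields."""
    canonical = {
        # Fold case where it carries no meaning, so a mixed-case and a
        # lower-case spelling of the same wallet yield one fingerprint.
        "pay_to": payment["pay_to"].strip().lower(),
        "currency": payment["currency"].strip().upper(),
        "amount": str(payment["amount"]),
        "resource": payment["resource"],
        "nonce": payment["nonce"],
    }
    msg = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode()
    # Keyed hash: stored fingerprints cannot be recomputed without the key.
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class InMemoryReplayGuard:
    """Remembers fingerprints for ttl seconds; a repeat inside it is a replay."""

    def __init__(self, key, ttl=300.0, clock=time.monotonic):
        self._key, self._ttl, self._clock = key, ttl, clock
        self._seen = {}  # fingerprint -> expiry time

    def check_and_record(self, payment):
        """Return True if the payment is fresh, False if it is a replay."""
        now = self._clock()
        # Drop expired entries so the store does not grow without bound.
        self._seen = {fp: exp for fp, exp in self._seen.items() if exp > now}
        fp = fingerprint(self._key, payment)
        if fp in self._seen:
            return False
        self._seen[fp] = now + self._ttl
        return True
```

Without the case folding, the same payment resubmitted with a lower-cased wallet address or currency code would hash differently and pass the check.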