@agentcash/discovery 0.1.3 → 0.1.4

package/dist/cli.cjs

@@ -330,7 +330,7 @@ function actionItems(run, options) {
     ];
   }
   return [
-    "Publish canonical OpenAPI discovery metadata with x-agentcash extensions",
+    "Publish canonical OpenAPI discovery metadata with x-payment-info and security schemes",
     `Validate migration path: npx @agentcash/discovery ${target} --compat strict -v --probe`,
     "Keep legacy well-known path only during sunset window"
   ];
@@ -637,7 +637,7 @@ function renderJson(run, options) {
 }
 
 // src/mmm-enabled.ts
-var isMmmEnabled = () => "0.1.3".includes("-mmm");
+var isMmmEnabled = () => "0.1.4".includes("-mmm");
 
 // src/core/constants.ts
 var OPENAPI_PATH_CANDIDATES = ["/openapi.json", "/.well-known/openapi.json"];
@@ -807,7 +807,7 @@ function parseWellKnownPayload(payload, origin, sourceUrl) {
         "Using /.well-known/x402.instructions as compatibility guidance fallback. Prefer llms.txt.",
         {
           stage: "well-known/x402",
-          hint: "Move guidance to llms.txt and reference via x-agentcash-guidance.llmsTxtUrl."
+          hint: "Move guidance to llms.txt and reference via x-discovery.llmsTxtUrl in OpenAPI."
         }
       )
     );
@@ -820,7 +820,7 @@ function parseWellKnownPayload(payload, origin, sourceUrl) {
         "Using /.well-known/x402.ownershipProofs compatibility field. Prefer OpenAPI provenance extension.",
         {
           stage: "well-known/x402",
-          hint: "Move ownership proofs to x-agentcash-provenance.ownershipProofs in OpenAPI."
+          hint: "Move ownership proofs to x-discovery.ownershipProofs in OpenAPI."
         }
       )
     );
@@ -1216,10 +1216,31 @@ function estimateTokenCount(text) {
   return Math.ceil(text.length / 4);
 }
 
-// src/core/openapi.ts
+// src/core/openapi-utils.ts
 function isRecord3(value) {
   return value !== null && typeof value === "object" && !Array.isArray(value);
 }
+function hasSecurity(operation, scheme) {
+  const security = operation.security;
+  return Array.isArray(security) && security.some((s) => isRecord3(s) && scheme in s);
+}
+function has402Response(operation) {
+  const responses = operation.responses;
+  if (!isRecord3(responses)) return false;
+  return Boolean(responses["402"]);
+}
+function inferAuthMode(operation) {
+  if (isRecord3(operation["x-payment-info"])) return "paid";
+  if (has402Response(operation)) {
+    if (hasSecurity(operation, "siwx")) return "siwx";
+    return "paid";
+  }
+  if (hasSecurity(operation, "apiKey")) return "apiKey";
+  if (hasSecurity(operation, "siwx")) return "siwx";
+  return void 0;
+}
+
+// src/core/openapi.ts
 function asString(value) {
   return typeof value === "string" && value.length > 0 ? value : void 0;
 }
@@ -1228,11 +1249,6 @@ function parsePriceValue(value) {
   if (typeof value === "number" && Number.isFinite(value)) return String(value);
   return void 0;
 }
-function require402Response(operation) {
-  const responses = operation.responses;
-  if (!isRecord3(responses)) return false;
-  return Boolean(responses["402"]);
-}
 function parseProtocols(paymentInfo) {
   const protocols = paymentInfo.protocols;
   if (!Array.isArray(protocols)) return [];
@@ -1240,15 +1256,6 @@ function parseProtocols(paymentInfo) {
     (entry) => typeof entry === "string" && entry.length > 0
   );
 }
-function parseAuthMode(operation) {
-  const auth = operation["x-agentcash-auth"];
-  if (!isRecord3(auth)) return void 0;
-  const mode = auth.mode;
-  if (mode === "paid" || mode === "siwx" || mode === "apiKey" || mode === "unprotected") {
-    return mode;
-  }
-  return void 0;
-}
 async function runOpenApiStage(options) {
   const warnings = [];
   const resources = [];
@@ -1320,10 +1327,9 @@ async function runOpenApiStage(options) {
     };
   }
   const paths = document.paths;
-  const provenance = isRecord3(document["x-agentcash-provenance"]) ? document["x-agentcash-provenance"] : void 0;
-  const ownershipProofs = Array.isArray(provenance?.ownershipProofs) ? provenance.ownershipProofs.filter((entry) => typeof entry === "string") : [];
-  const guidance = isRecord3(document["x-agentcash-guidance"]) ? document["x-agentcash-guidance"] : void 0;
-  const llmsTxtUrl = asString(guidance?.llmsTxtUrl);
+  const discovery = isRecord3(document["x-discovery"]) ? document["x-discovery"] : void 0;
+  const ownershipProofs = Array.isArray(discovery?.ownershipProofs) ? discovery.ownershipProofs.filter((entry) => typeof entry === "string") : [];
+  const llmsTxtUrl = asString(discovery?.llmsTxtUrl);
   if (ownershipProofs.length > 0) {
     warnings.push(
       warning("OPENAPI_OWNERSHIP_PROOFS_PRESENT", "info", "OpenAPI ownership proofs detected", {
@@ -1368,13 +1374,13 @@ async function runOpenApiStage(options) {
           )
         );
       }
-      const authMode = parseAuthMode(operation);
+      const authMode = inferAuthMode(operation);
       if (!authMode) {
         warnings.push(
           warning(
             "OPENAPI_AUTH_MODE_MISSING",
             "error",
-            `${method} ${rawPath} missing x-agentcash-auth.mode`,
+            `${method} ${rawPath} missing auth mode (no x-payment-info, 402 response, or security scheme)`,
             {
               stage: "openapi"
             }
@@ -1382,7 +1388,7 @@ async function runOpenApiStage(options) {
         );
         continue;
       }
-      if ((authMode === "paid" || authMode === "siwx") && !require402Response(operation)) {
+      if ((authMode === "paid" || authMode === "siwx") && !has402Response(operation)) {
         warnings.push(
           warning(
             "OPENAPI_402_MISSING",
@@ -1961,11 +1967,6 @@ async function runDiscovery({
         }
       }
     }
-    if (!stageResult.valid) {
-      continue;
-    }
-    const mergeWarnings = mergeResources(merged, stageResult.resources, resourceWarnings);
-    warnings.push(...mergeWarnings);
     if (includeRaw && stageResult.raw !== void 0) {
       if (stageResult.stage === "openapi" || stageResult.stage === "override") {
         const rawObject = stageResult.raw;
@@ -1985,6 +1986,11 @@ async function runDiscovery({
         rawSources.interopMpp = stageResult.raw;
       }
     }
+    if (!stageResult.valid) {
+      continue;
+    }
+    const mergeWarnings = mergeResources(merged, stageResult.resources, resourceWarnings);
+    warnings.push(...mergeWarnings);
     if (!detailed) {
       selectedStage = selectedStage ?? stageResult.stage;
       break;

package/dist/cli.js

@@ -304,7 +304,7 @@ function actionItems(run, options) {
     ];
   }
   return [
-    "Publish canonical OpenAPI discovery metadata with x-agentcash extensions",
+    "Publish canonical OpenAPI discovery metadata with x-payment-info and security schemes",
     `Validate migration path: npx @agentcash/discovery ${target} --compat strict -v --probe`,
     "Keep legacy well-known path only during sunset window"
   ];
@@ -611,7 +611,7 @@ function renderJson(run, options) {
 }
 
 // src/mmm-enabled.ts
-var isMmmEnabled = () => "0.1.3".includes("-mmm");
+var isMmmEnabled = () => "0.1.4".includes("-mmm");
 
 // src/core/constants.ts
 var OPENAPI_PATH_CANDIDATES = ["/openapi.json", "/.well-known/openapi.json"];
@@ -781,7 +781,7 @@ function parseWellKnownPayload(payload, origin, sourceUrl) {
         "Using /.well-known/x402.instructions as compatibility guidance fallback. Prefer llms.txt.",
         {
           stage: "well-known/x402",
-          hint: "Move guidance to llms.txt and reference via x-agentcash-guidance.llmsTxtUrl."
+          hint: "Move guidance to llms.txt and reference via x-discovery.llmsTxtUrl in OpenAPI."
         }
       )
     );
@@ -794,7 +794,7 @@ function parseWellKnownPayload(payload, origin, sourceUrl) {
         "Using /.well-known/x402.ownershipProofs compatibility field. Prefer OpenAPI provenance extension.",
         {
           stage: "well-known/x402",
-          hint: "Move ownership proofs to x-agentcash-provenance.ownershipProofs in OpenAPI."
+          hint: "Move ownership proofs to x-discovery.ownershipProofs in OpenAPI."
         }
       )
     );
@@ -1190,10 +1190,31 @@ function estimateTokenCount(text) {
   return Math.ceil(text.length / 4);
 }
 
-// src/core/openapi.ts
+// src/core/openapi-utils.ts
 function isRecord3(value) {
   return value !== null && typeof value === "object" && !Array.isArray(value);
 }
+function hasSecurity(operation, scheme) {
+  const security = operation.security;
+  return Array.isArray(security) && security.some((s) => isRecord3(s) && scheme in s);
+}
+function has402Response(operation) {
+  const responses = operation.responses;
+  if (!isRecord3(responses)) return false;
+  return Boolean(responses["402"]);
+}
+function inferAuthMode(operation) {
+  if (isRecord3(operation["x-payment-info"])) return "paid";
+  if (has402Response(operation)) {
+    if (hasSecurity(operation, "siwx")) return "siwx";
+    return "paid";
+  }
+  if (hasSecurity(operation, "apiKey")) return "apiKey";
+  if (hasSecurity(operation, "siwx")) return "siwx";
+  return void 0;
+}
+
+// src/core/openapi.ts
 function asString(value) {
   return typeof value === "string" && value.length > 0 ? value : void 0;
 }
@@ -1202,11 +1223,6 @@ function parsePriceValue(value) {
   if (typeof value === "number" && Number.isFinite(value)) return String(value);
   return void 0;
 }
-function require402Response(operation) {
-  const responses = operation.responses;
-  if (!isRecord3(responses)) return false;
-  return Boolean(responses["402"]);
-}
 function parseProtocols(paymentInfo) {
   const protocols = paymentInfo.protocols;
   if (!Array.isArray(protocols)) return [];
@@ -1214,15 +1230,6 @@ function parseProtocols(paymentInfo) {
     (entry) => typeof entry === "string" && entry.length > 0
   );
 }
-function parseAuthMode(operation) {
-  const auth = operation["x-agentcash-auth"];
-  if (!isRecord3(auth)) return void 0;
-  const mode = auth.mode;
-  if (mode === "paid" || mode === "siwx" || mode === "apiKey" || mode === "unprotected") {
-    return mode;
-  }
-  return void 0;
-}
 async function runOpenApiStage(options) {
   const warnings = [];
   const resources = [];
@@ -1294,10 +1301,9 @@ async function runOpenApiStage(options) {
     };
   }
   const paths = document.paths;
-  const provenance = isRecord3(document["x-agentcash-provenance"]) ? document["x-agentcash-provenance"] : void 0;
-  const ownershipProofs = Array.isArray(provenance?.ownershipProofs) ? provenance.ownershipProofs.filter((entry) => typeof entry === "string") : [];
-  const guidance = isRecord3(document["x-agentcash-guidance"]) ? document["x-agentcash-guidance"] : void 0;
-  const llmsTxtUrl = asString(guidance?.llmsTxtUrl);
+  const discovery = isRecord3(document["x-discovery"]) ? document["x-discovery"] : void 0;
+  const ownershipProofs = Array.isArray(discovery?.ownershipProofs) ? discovery.ownershipProofs.filter((entry) => typeof entry === "string") : [];
+  const llmsTxtUrl = asString(discovery?.llmsTxtUrl);
   if (ownershipProofs.length > 0) {
     warnings.push(
       warning("OPENAPI_OWNERSHIP_PROOFS_PRESENT", "info", "OpenAPI ownership proofs detected", {
@@ -1342,13 +1348,13 @@ async function runOpenApiStage(options) {
           )
         );
       }
-      const authMode = parseAuthMode(operation);
+      const authMode = inferAuthMode(operation);
       if (!authMode) {
         warnings.push(
           warning(
             "OPENAPI_AUTH_MODE_MISSING",
             "error",
-            `${method} ${rawPath} missing x-agentcash-auth.mode`,
+            `${method} ${rawPath} missing auth mode (no x-payment-info, 402 response, or security scheme)`,
             {
               stage: "openapi"
             }
@@ -1356,7 +1362,7 @@ async function runOpenApiStage(options) {
         );
         continue;
       }
-      if ((authMode === "paid" || authMode === "siwx") && !require402Response(operation)) {
+      if ((authMode === "paid" || authMode === "siwx") && !has402Response(operation)) {
         warnings.push(
           warning(
             "OPENAPI_402_MISSING",
@@ -1935,11 +1941,6 @@ async function runDiscovery({
         }
       }
     }
-    if (!stageResult.valid) {
-      continue;
-    }
-    const mergeWarnings = mergeResources(merged, stageResult.resources, resourceWarnings);
-    warnings.push(...mergeWarnings);
     if (includeRaw && stageResult.raw !== void 0) {
       if (stageResult.stage === "openapi" || stageResult.stage === "override") {
         const rawObject = stageResult.raw;
@@ -1959,6 +1960,11 @@ async function runDiscovery({
         rawSources.interopMpp = stageResult.raw;
       }
     }
+    if (!stageResult.valid) {
+      continue;
+    }
+    const mergeWarnings = mergeResources(merged, stageResult.resources, resourceWarnings);
+    warnings.push(...mergeWarnings);
     if (!detailed) {
       selectedStage = selectedStage ?? stageResult.stage;
       break;

package/dist/index.cjs

@@ -54,7 +54,7 @@ var STRICT_ESCALATION_CODES = [
 ];
 
 // src/mmm-enabled.ts
-var isMmmEnabled = () => "0.1.3".includes("-mmm");
+var isMmmEnabled = () => "0.1.4".includes("-mmm");
 
 // src/core/constants.ts
 var OPENAPI_PATH_CANDIDATES = ["/openapi.json", "/.well-known/openapi.json"];
@@ -224,7 +224,7 @@ function parseWellKnownPayload(payload, origin, sourceUrl) {
         "Using /.well-known/x402.instructions as compatibility guidance fallback. Prefer llms.txt.",
         {
           stage: "well-known/x402",
-          hint: "Move guidance to llms.txt and reference via x-agentcash-guidance.llmsTxtUrl."
+          hint: "Move guidance to llms.txt and reference via x-discovery.llmsTxtUrl in OpenAPI."
         }
       )
     );
@@ -237,7 +237,7 @@ function parseWellKnownPayload(payload, origin, sourceUrl) {
         "Using /.well-known/x402.ownershipProofs compatibility field. Prefer OpenAPI provenance extension.",
         {
           stage: "well-known/x402",
-          hint: "Move ownership proofs to x-agentcash-provenance.ownershipProofs in OpenAPI."
+          hint: "Move ownership proofs to x-discovery.ownershipProofs in OpenAPI."
         }
       )
     );
@@ -633,10 +633,31 @@ function estimateTokenCount(text) {
   return Math.ceil(text.length / 4);
 }
 
-// src/core/openapi.ts
+// src/core/openapi-utils.ts
 function isRecord3(value) {
   return value !== null && typeof value === "object" && !Array.isArray(value);
 }
+function hasSecurity(operation, scheme) {
+  const security = operation.security;
+  return Array.isArray(security) && security.some((s) => isRecord3(s) && scheme in s);
+}
+function has402Response(operation) {
+  const responses = operation.responses;
+  if (!isRecord3(responses)) return false;
+  return Boolean(responses["402"]);
+}
+function inferAuthMode(operation) {
+  if (isRecord3(operation["x-payment-info"])) return "paid";
+  if (has402Response(operation)) {
+    if (hasSecurity(operation, "siwx")) return "siwx";
+    return "paid";
+  }
+  if (hasSecurity(operation, "apiKey")) return "apiKey";
+  if (hasSecurity(operation, "siwx")) return "siwx";
+  return void 0;
+}
+
+// src/core/openapi.ts
 function asString(value) {
   return typeof value === "string" && value.length > 0 ? value : void 0;
 }
@@ -645,11 +666,6 @@ function parsePriceValue(value) {
   if (typeof value === "number" && Number.isFinite(value)) return String(value);
   return void 0;
 }
-function require402Response(operation) {
-  const responses = operation.responses;
-  if (!isRecord3(responses)) return false;
-  return Boolean(responses["402"]);
-}
 function parseProtocols(paymentInfo) {
   const protocols = paymentInfo.protocols;
   if (!Array.isArray(protocols)) return [];
@@ -657,15 +673,6 @@ function parseProtocols(paymentInfo) {
     (entry) => typeof entry === "string" && entry.length > 0
   );
 }
-function parseAuthMode(operation) {
-  const auth = operation["x-agentcash-auth"];
-  if (!isRecord3(auth)) return void 0;
-  const mode = auth.mode;
-  if (mode === "paid" || mode === "siwx" || mode === "apiKey" || mode === "unprotected") {
-    return mode;
-  }
-  return void 0;
-}
 async function runOpenApiStage(options) {
   const warnings = [];
   const resources = [];
@@ -737,10 +744,9 @@ async function runOpenApiStage(options) {
     };
   }
   const paths = document.paths;
-  const provenance = isRecord3(document["x-agentcash-provenance"]) ? document["x-agentcash-provenance"] : void 0;
-  const ownershipProofs = Array.isArray(provenance?.ownershipProofs) ? provenance.ownershipProofs.filter((entry) => typeof entry === "string") : [];
-  const guidance = isRecord3(document["x-agentcash-guidance"]) ? document["x-agentcash-guidance"] : void 0;
-  const llmsTxtUrl = asString(guidance?.llmsTxtUrl);
+  const discovery = isRecord3(document["x-discovery"]) ? document["x-discovery"] : void 0;
+  const ownershipProofs = Array.isArray(discovery?.ownershipProofs) ? discovery.ownershipProofs.filter((entry) => typeof entry === "string") : [];
+  const llmsTxtUrl = asString(discovery?.llmsTxtUrl);
   if (ownershipProofs.length > 0) {
     warnings.push(
       warning("OPENAPI_OWNERSHIP_PROOFS_PRESENT", "info", "OpenAPI ownership proofs detected", {
@@ -785,13 +791,13 @@ async function runOpenApiStage(options) {
           )
         );
       }
-      const authMode = parseAuthMode(operation);
+      const authMode = inferAuthMode(operation);
       if (!authMode) {
         warnings.push(
           warning(
             "OPENAPI_AUTH_MODE_MISSING",
             "error",
-            `${method} ${rawPath} missing x-agentcash-auth.mode`,
+            `${method} ${rawPath} missing auth mode (no x-payment-info, 402 response, or security scheme)`,
             {
               stage: "openapi"
             }
@@ -799,7 +805,7 @@ async function runOpenApiStage(options) {
         );
         continue;
       }
-      if ((authMode === "paid" || authMode === "siwx") && !require402Response(operation)) {
+      if ((authMode === "paid" || authMode === "siwx") && !has402Response(operation)) {
         warnings.push(
           warning(
             "OPENAPI_402_MISSING",
@@ -1378,11 +1384,6 @@ async function runDiscovery({
         }
       }
     }
-    if (!stageResult.valid) {
-      continue;
-    }
-    const mergeWarnings = mergeResources(merged, stageResult.resources, resourceWarnings);
-    warnings.push(...mergeWarnings);
     if (includeRaw && stageResult.raw !== void 0) {
       if (stageResult.stage === "openapi" || stageResult.stage === "override") {
         const rawObject = stageResult.raw;
@@ -1402,6 +1403,11 @@ async function runDiscovery({
         rawSources.interopMpp = stageResult.raw;
       }
     }
+    if (!stageResult.valid) {
+      continue;
+    }
+    const mergeWarnings = mergeResources(merged, stageResult.resources, resourceWarnings);
+    warnings.push(...mergeWarnings);
     if (!detailed) {
       selectedStage = selectedStage ?? stageResult.stage;
       break;
@@ -1919,9 +1925,6 @@ var OPENAPI_METHODS = [
   "OPTIONS",
   "TRACE"
 ];
-function isRecord5(value) {
-  return value != null && typeof value === "object" && !Array.isArray(value);
-}
 function toFiniteNumber(value) {
   if (typeof value === "number" && Number.isFinite(value)) return value;
   if (typeof value === "string" && value.trim().length > 0) {
@@ -1979,7 +1982,7 @@ function inferFailureCause(warnings) {
   return { cause: "not_found" };
 }
 function getOpenApiInfo(document) {
-  if (!isRecord5(document) || !isRecord5(document.info)) return void 0;
+  if (!isRecord3(document) || !isRecord3(document.info)) return void 0;
   if (typeof document.info.title !== "string") return void 0;
   return {
     title: document.info.title,
@@ -2022,15 +2025,15 @@ async function resolveGuidance(options) {
   };
 }
 function extractPathsDocument(document) {
-  if (!isRecord5(document)) return void 0;
-  if (!isRecord5(document.paths)) return void 0;
+  if (!isRecord3(document)) return void 0;
+  if (!isRecord3(document.paths)) return void 0;
   return document.paths;
 }
 function findMatchingOpenApiPath(paths, targetPath) {
   const exact = paths[targetPath];
-  if (isRecord5(exact)) return { matchedPath: targetPath, pathItem: exact };
+  if (isRecord3(exact)) return { matchedPath: targetPath, pathItem: exact };
   for (const [specPath, entry] of Object.entries(paths)) {
-    if (!isRecord5(entry)) continue;
+    if (!isRecord3(entry)) continue;
     const pattern = specPath.replace(/\{[^}]+\}/g, "[^/]+");
     const regex = new RegExp(`^${pattern}$`);
     if (regex.test(targetPath)) {
@@ -2046,11 +2049,11 @@ function resolveRef(document, ref, seen) {
   const parts = ref.slice(2).split("/");
   let current = document;
   for (const part of parts) {
-    if (!isRecord5(current)) return void 0;
+    if (!isRecord3(current)) return void 0;
     current = current[part];
     if (current === void 0) return void 0;
   }
-  if (isRecord5(current)) return resolveRefs(document, current, seen);
+  if (isRecord3(current)) return resolveRefs(document, current, seen);
   return current;
 }
 function resolveRefs(document, obj, seen, depth = 0) {
@@ -2059,20 +2062,20 @@ function resolveRefs(document, obj, seen, depth = 0) {
   for (const [key, value] of Object.entries(obj)) {
     if (key === "$ref" && typeof value === "string") {
       const deref = resolveRef(document, value, seen);
-      if (isRecord5(deref)) {
+      if (isRecord3(deref)) {
         Object.assign(resolved, deref);
       } else {
         resolved[key] = value;
       }
       continue;
     }
-    if (isRecord5(value)) {
+    if (isRecord3(value)) {
       resolved[key] = resolveRefs(document, value, seen, depth + 1);
       continue;
     }
     if (Array.isArray(value)) {
       resolved[key] = value.map(
-        (item) => isRecord5(item) ? resolveRefs(document, item, seen, depth + 1) : item
+        (item) => isRecord3(item) ? resolveRefs(document, item, seen, depth + 1) : item
       );
       continue;
     }
@@ -2082,15 +2085,15 @@ function resolveRefs(document, obj, seen, depth = 0) {
 }
 function extractRequestBodySchema(operationSchema) {
   const requestBody = operationSchema.requestBody;
-  if (!isRecord5(requestBody)) return void 0;
+  if (!isRecord3(requestBody)) return void 0;
   const content = requestBody.content;
-  if (!isRecord5(content)) return void 0;
+  if (!isRecord3(content)) return void 0;
   const jsonMediaType = content["application/json"];
-  if (isRecord5(jsonMediaType) && isRecord5(jsonMediaType.schema)) {
+  if (isRecord3(jsonMediaType) && isRecord3(jsonMediaType.schema)) {
     return jsonMediaType.schema;
   }
   for (const mediaType of Object.values(content)) {
-    if (isRecord5(mediaType) && isRecord5(mediaType.schema)) {
+    if (isRecord3(mediaType) && isRecord3(mediaType.schema)) {
       return mediaType.schema;
     }
   }
@@ -2099,7 +2102,7 @@ function extractRequestBodySchema(operationSchema) {
 function extractParameters(operationSchema) {
   const params = operationSchema.parameters;
   if (!Array.isArray(params)) return [];
-  return params.filter((value) => isRecord5(value));
+  return params.filter((value) => isRecord3(value));
 }
 function extractInputSchema(operationSchema) {
   const requestBody = extractRequestBodySchema(operationSchema);
@@ -2113,7 +2116,7 @@ function extractInputSchema(operationSchema) {
 }
 function parseOperationPrice(operation) {
   const paymentInfo = operation["x-payment-info"];
-  if (!isRecord5(paymentInfo)) return void 0;
+  if (!isRecord3(paymentInfo)) return void 0;
   const fixed = toFiniteNumber(paymentInfo.price);
   if (fixed != null) return `$${String(fixed)}`;
   const min = toFiniteNumber(paymentInfo.minPrice);
@@ -2123,23 +2126,12 @@ function parseOperationPrice(operation) {
 }
 function parseOperationProtocols(operation) {
   const paymentInfo = operation["x-payment-info"];
-  if (!isRecord5(paymentInfo) || !Array.isArray(paymentInfo.protocols)) return void 0;
+  if (!isRecord3(paymentInfo) || !Array.isArray(paymentInfo.protocols)) return void 0;
   const protocols = paymentInfo.protocols.filter(
     (protocol) => typeof protocol === "string" && protocol.length > 0
   );
   return protocols.length > 0 ? protocols : void 0;
 }
-function parseOperationAuthMode(operation) {
-  const authExtension = operation["x-agentcash-auth"];
-  if (isRecord5(authExtension)) {
-    const mode = authExtension.mode;
-    if (mode === "paid" || mode === "siwx" || mode === "apiKey" || mode === "unprotected") {
-      return mode;
-    }
-  }
-  if (isRecord5(operation["x-payment-info"])) return "paid";
-  return void 0;
-}
 function createResourceMap(result) {
   const map = /* @__PURE__ */ new Map();
   for (const resource of result.resources) {
@@ -2231,7 +2223,7 @@ async function inspectEndpointForMcp(options) {
     if (matched) {
       for (const candidate of OPENAPI_METHODS) {
         const operation = matched.pathItem[candidate.toLowerCase()];
-        if (!isRecord5(operation) || !isRecord5(document)) continue;
+        if (!isRecord3(operation) || !isRecord3(document)) continue;
         specMethods.push(candidate);
         const resolvedOperation = resolveRefs(document, operation, /* @__PURE__ */ new Set());
         const resource = resourceMap.get(toResourceKey(origin, candidate, matched.matchedPath));
@@ -2239,7 +2231,7 @@ async function inspectEndpointForMcp(options) {
         const operationSummary = typeof resolvedOperation.summary === "string" ? resolvedOperation.summary : typeof resolvedOperation.description === "string" ? resolvedOperation.description : void 0;
         const operationPrice = parseOperationPrice(resolvedOperation);
         const operationProtocols = parseOperationProtocols(resolvedOperation);
-        const operationAuthMode = parseOperationAuthMode(resolvedOperation);
+        const operationAuthMode = inferAuthMode(resolvedOperation) ?? "unprotected";
         const inputSchema = extractInputSchema(resolvedOperation);
         advisories[candidate] = {
           method: candidate,

package/dist/index.js

@@ -12,7 +12,7 @@ var STRICT_ESCALATION_CODES = [
 ];
 
 // src/mmm-enabled.ts
-var isMmmEnabled = () => "0.1.3".includes("-mmm");
+var isMmmEnabled = () => "0.1.4".includes("-mmm");
 
 // src/core/constants.ts
 var OPENAPI_PATH_CANDIDATES = ["/openapi.json", "/.well-known/openapi.json"];
@@ -182,7 +182,7 @@ function parseWellKnownPayload(payload, origin, sourceUrl) {
         "Using /.well-known/x402.instructions as compatibility guidance fallback. Prefer llms.txt.",
         {
           stage: "well-known/x402",
-          hint: "Move guidance to llms.txt and reference via x-agentcash-guidance.llmsTxtUrl."
+          hint: "Move guidance to llms.txt and reference via x-discovery.llmsTxtUrl in OpenAPI."
         }
       )
     );
@@ -195,7 +195,7 @@ function parseWellKnownPayload(payload, origin, sourceUrl) {
         "Using /.well-known/x402.ownershipProofs compatibility field. Prefer OpenAPI provenance extension.",
         {
           stage: "well-known/x402",
-          hint: "Move ownership proofs to x-agentcash-provenance.ownershipProofs in OpenAPI."
+          hint: "Move ownership proofs to x-discovery.ownershipProofs in OpenAPI."
         }
       )
     );
@@ -591,10 +591,31 @@ function estimateTokenCount(text) {
   return Math.ceil(text.length / 4);
 }
 
-// src/core/openapi.ts
+// src/core/openapi-utils.ts
 function isRecord3(value) {
   return value !== null && typeof value === "object" && !Array.isArray(value);
 }
+function hasSecurity(operation, scheme) {
+  const security = operation.security;
+  return Array.isArray(security) && security.some((s) => isRecord3(s) && scheme in s);
+}
+function has402Response(operation) {
+  const responses = operation.responses;
+  if (!isRecord3(responses)) return false;
+  return Boolean(responses["402"]);
+}
+function inferAuthMode(operation) {
+  if (isRecord3(operation["x-payment-info"])) return "paid";
+  if (has402Response(operation)) {
+    if (hasSecurity(operation, "siwx")) return "siwx";
+    return "paid";
+  }
+  if (hasSecurity(operation, "apiKey")) return "apiKey";
+  if (hasSecurity(operation, "siwx")) return "siwx";
+  return void 0;
+}
+
+// src/core/openapi.ts
 function asString(value) {
   return typeof value === "string" && value.length > 0 ? value : void 0;
 }
@@ -603,11 +624,6 @@ function parsePriceValue(value) {
   if (typeof value === "number" && Number.isFinite(value)) return String(value);
   return void 0;
 }
-function require402Response(operation) {
-  const responses = operation.responses;
-  if (!isRecord3(responses)) return false;
-  return Boolean(responses["402"]);
-}
 function parseProtocols(paymentInfo) {
   const protocols = paymentInfo.protocols;
   if (!Array.isArray(protocols)) return [];
@@ -615,15 +631,6 @@ function parseProtocols(paymentInfo) {
     (entry) => typeof entry === "string" && entry.length > 0
   );
 }
-function parseAuthMode(operation) {
-  const auth = operation["x-agentcash-auth"];
-  if (!isRecord3(auth)) return void 0;
-  const mode = auth.mode;
-  if (mode === "paid" || mode === "siwx" || mode === "apiKey" || mode === "unprotected") {
-    return mode;
-  }
-  return void 0;
-}
 async function runOpenApiStage(options) {
   const warnings = [];
   const resources = [];
@@ -695,10 +702,9 @@ async function runOpenApiStage(options) {
     };
   }
   const paths = document.paths;
-  const provenance = isRecord3(document["x-agentcash-provenance"]) ? document["x-agentcash-provenance"] : void 0;
-  const ownershipProofs = Array.isArray(provenance?.ownershipProofs) ? provenance.ownershipProofs.filter((entry) => typeof entry === "string") : [];
-  const guidance = isRecord3(document["x-agentcash-guidance"]) ? document["x-agentcash-guidance"] : void 0;
-  const llmsTxtUrl = asString(guidance?.llmsTxtUrl);
+  const discovery = isRecord3(document["x-discovery"]) ? document["x-discovery"] : void 0;
+  const ownershipProofs = Array.isArray(discovery?.ownershipProofs) ? discovery.ownershipProofs.filter((entry) => typeof entry === "string") : [];
+  const llmsTxtUrl = asString(discovery?.llmsTxtUrl);
   if (ownershipProofs.length > 0) {
     warnings.push(
       warning("OPENAPI_OWNERSHIP_PROOFS_PRESENT", "info", "OpenAPI ownership proofs detected", {
@@ -743,13 +749,13 @@ async function runOpenApiStage(options) {
           )
         );
       }
-      const authMode = parseAuthMode(operation);
+      const authMode = inferAuthMode(operation);
       if (!authMode) {
         warnings.push(
           warning(
             "OPENAPI_AUTH_MODE_MISSING",
             "error",
-            `${method} ${rawPath} missing x-agentcash-auth.mode`,
+            `${method} ${rawPath} missing auth mode (no x-payment-info, 402 response, or security scheme)`,
             {
               stage: "openapi"
             }
@@ -757,7 +763,7 @@ async function runOpenApiStage(options) {
         );
         continue;
       }
-      if ((authMode === "paid" || authMode === "siwx") && !require402Response(operation)) {
+      if ((authMode === "paid" || authMode === "siwx") && !has402Response(operation)) {
         warnings.push(
           warning(
             "OPENAPI_402_MISSING",
@@ -1336,11 +1342,6 @@ async function runDiscovery({
         }
       }
     }
-    if (!stageResult.valid) {
-      continue;
-    }
-    const mergeWarnings = mergeResources(merged, stageResult.resources, resourceWarnings);
-    warnings.push(...mergeWarnings);
     if (includeRaw && stageResult.raw !== void 0) {
       if (stageResult.stage === "openapi" || stageResult.stage === "override") {
         const rawObject = stageResult.raw;
@@ -1360,6 +1361,11 @@ async function runDiscovery({
         rawSources.interopMpp = stageResult.raw;
       }
     }
+    if (!stageResult.valid) {
+      continue;
+    }
+    const mergeWarnings = mergeResources(merged, stageResult.resources, resourceWarnings);
+    warnings.push(...mergeWarnings);
     if (!detailed) {
       selectedStage = selectedStage ?? stageResult.stage;
       break;
@@ -1877,9 +1883,6 @@ var OPENAPI_METHODS = [
   "OPTIONS",
   "TRACE"
 ];
-function isRecord5(value) {
-  return value != null && typeof value === "object" && !Array.isArray(value);
-}
 function toFiniteNumber(value) {
   if (typeof value === "number" && Number.isFinite(value)) return value;
   if (typeof value === "string" && value.trim().length > 0) {
@@ -1937,7 +1940,7 @@ function inferFailureCause(warnings) {
   return { cause: "not_found" };
 }
 function getOpenApiInfo(document) {
-  if (!isRecord5(document) || !isRecord5(document.info)) return void 0;
+  if (!isRecord3(document) || !isRecord3(document.info)) return void 0;
   if (typeof document.info.title !== "string") return void 0;
   return {
     title: document.info.title,
@@ -1980,15 +1983,15 @@ async function resolveGuidance(options) {
   };
 }
 function extractPathsDocument(document) {
-  if (!isRecord5(document)) return void 0;
-  if (!isRecord5(document.paths)) return void 0;
+  if (!isRecord3(document)) return void 0;
+  if (!isRecord3(document.paths)) return void 0;
   return document.paths;
 }
 function findMatchingOpenApiPath(paths, targetPath) {
   const exact = paths[targetPath];
-  if (isRecord5(exact)) return { matchedPath: targetPath, pathItem: exact };
+  if (isRecord3(exact)) return { matchedPath: targetPath, pathItem: exact };
   for (const [specPath, entry] of Object.entries(paths)) {
-    if (!isRecord5(entry)) continue;
+    if (!isRecord3(entry)) continue;
     const pattern = specPath.replace(/\{[^}]+\}/g, "[^/]+");
     const regex = new RegExp(`^${pattern}$`);
     if (regex.test(targetPath)) {
@@ -2004,11 +2007,11 @@ function resolveRef(document, ref, seen) {
   const parts = ref.slice(2).split("/");
   let current = document;
   for (const part of parts) {
-    if (!isRecord5(current)) return void 0;
+    if (!isRecord3(current)) return void 0;
     current = current[part];
     if (current === void 0) return void 0;
   }
-  if (isRecord5(current)) return resolveRefs(document, current, seen);
+  if (isRecord3(current)) return resolveRefs(document, current, seen);
   return current;
 }
 function resolveRefs(document, obj, seen, depth = 0) {
@@ -2017,20 +2020,20 @@ function resolveRefs(document, obj, seen, depth = 0) {
   for (const [key, value] of Object.entries(obj)) {
     if (key === "$ref" && typeof value === "string") {
       const deref = resolveRef(document, value, seen);
-      if (isRecord5(deref)) {
+      if (isRecord3(deref)) {
         Object.assign(resolved, deref);
       } else {
         resolved[key] = value;
       }
       continue;
     }
-    if (isRecord5(value)) {
+    if (isRecord3(value)) {
       resolved[key] = resolveRefs(document, value, seen, depth + 1);
       continue;
     }
     if (Array.isArray(value)) {
       resolved[key] = value.map(
-        (item) => isRecord5(item) ? resolveRefs(document, item, seen, depth + 1) : item
+        (item) => isRecord3(item) ? resolveRefs(document, item, seen, depth + 1) : item
       );
       continue;
     }
@@ -2040,15 +2043,15 @@ function resolveRefs(document, obj, seen, depth = 0) {
 }
 function extractRequestBodySchema(operationSchema) {
   const requestBody = operationSchema.requestBody;
-  if (!isRecord5(requestBody)) return void 0;
+  if (!isRecord3(requestBody)) return void 0;
   const content = requestBody.content;
-  if (!isRecord5(content)) return void 0;
+  if (!isRecord3(content)) return void 0;
   const jsonMediaType = content["application/json"];
-  if (isRecord5(jsonMediaType) && isRecord5(jsonMediaType.schema)) {
+  if (isRecord3(jsonMediaType) && isRecord3(jsonMediaType.schema)) {
     return jsonMediaType.schema;
   }
   for (const mediaType of Object.values(content)) {
-    if (isRecord5(mediaType) && isRecord5(mediaType.schema)) {
+    if (isRecord3(mediaType) && isRecord3(mediaType.schema)) {
       return mediaType.schema;
     }
   }
@@ -2057,7 +2060,7 @@ function extractRequestBodySchema(operationSchema) {
 function extractParameters(operationSchema) {
   const params = operationSchema.parameters;
   if (!Array.isArray(params)) return [];
-  return params.filter((value) => isRecord5(value));
+  return params.filter((value) => isRecord3(value));
 }
 function extractInputSchema(operationSchema) {
   const requestBody = extractRequestBodySchema(operationSchema);
@@ -2071,7 +2074,7 @@ function extractInputSchema(operationSchema) {
 }
 function parseOperationPrice(operation) {
   const paymentInfo = operation["x-payment-info"];
-  if (!isRecord5(paymentInfo)) return void 0;
+  if (!isRecord3(paymentInfo)) return void 0;
   const fixed = toFiniteNumber(paymentInfo.price);
   if (fixed != null) return `$${String(fixed)}`;
   const min = toFiniteNumber(paymentInfo.minPrice);
@@ -2081,23 +2084,12 @@ function parseOperationPrice(operation) {
 }
 function parseOperationProtocols(operation) {
   const paymentInfo = operation["x-payment-info"];
-  if (!isRecord5(paymentInfo) || !Array.isArray(paymentInfo.protocols)) return void 0;
+  if (!isRecord3(paymentInfo) || !Array.isArray(paymentInfo.protocols)) return void 0;
   const protocols = paymentInfo.protocols.filter(
     (protocol) => typeof protocol === "string" && protocol.length > 0
   );
   return protocols.length > 0 ? protocols : void 0;
 }
-function parseOperationAuthMode(operation) {
-  const authExtension = operation["x-agentcash-auth"];
-  if (isRecord5(authExtension)) {
-    const mode = authExtension.mode;
-    if (mode === "paid" || mode === "siwx" || mode === "apiKey" || mode === "unprotected") {
-      return mode;
-    }
-  }
-  if (isRecord5(operation["x-payment-info"])) return "paid";
-  return void 0;
-}
 function createResourceMap(result) {
   const map = /* @__PURE__ */ new Map();
   for (const resource of result.resources) {
@@ -2189,7 +2181,7 @@ async function inspectEndpointForMcp(options) {
     if (matched) {
       for (const candidate of OPENAPI_METHODS) {
         const operation = matched.pathItem[candidate.toLowerCase()];
-        if (!isRecord5(operation) || !isRecord5(document)) continue;
+        if (!isRecord3(operation) || !isRecord3(document)) continue;
         specMethods.push(candidate);
         const resolvedOperation = resolveRefs(document, operation, /* @__PURE__ */ new Set());
         const resource = resourceMap.get(toResourceKey(origin, candidate, matched.matchedPath));
@@ -2197,7 +2189,7 @@ async function inspectEndpointForMcp(options) {
         const operationSummary = typeof resolvedOperation.summary === "string" ? resolvedOperation.summary : typeof resolvedOperation.description === "string" ? resolvedOperation.description : void 0;
         const operationPrice = parseOperationPrice(resolvedOperation);
         const operationProtocols = parseOperationProtocols(resolvedOperation);
-        const operationAuthMode = parseOperationAuthMode(resolvedOperation);
+        const operationAuthMode = inferAuthMode(resolvedOperation) ?? "unprotected";
         const inputSchema = extractInputSchema(resolvedOperation);
         advisories[candidate] = {
           method: candidate,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentcash/discovery",
-  "version": "0.1.3",
+  "version": "0.1.4",
   "description": "Canonical OpenAPI-first discovery runtime for the agentcash ecosystem",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -72,7 +72,9 @@
     "@changesets/cli": "^2.29.8",
     "@eslint/js": "^10.0.1",
     "@types/node": "^22.18.0",
+    "@vitest/coverage-v8": "^3.2.4",
     "eslint": "^10.0.0",
+    "knip": "^5.85.0",
     "prettier": "^3.8.1",
     "tsup": "^8.5.0",
     "typescript": "^5.9.2",
@@ -90,6 +92,7 @@
     "test:watch": "vitest",
     "audit:registry": "pnpm build && node scripts/audit-registry.mjs",
     "audit:registry:quick": "pnpm build && node scripts/audit-registry.mjs --origin-limit 50 --resource-limit 500",
-    "check": "pnpm format:check && pnpm lint && pnpm typecheck && pnpm build && pnpm test"
+    "knip": "knip",
+    "check": "pnpm format:check && pnpm lint && pnpm knip && pnpm typecheck && pnpm build && pnpm test"
   }
 }