@agentcash/discovery 0.1.3 → 1.0.0

package/dist/cli.js

@@ -1,622 +1,104 @@
-// src/flags.ts
-var DEFAULT_COMPAT_MODE = "on";
-var STRICT_ESCALATION_CODES = [
-  "LEGACY_WELL_KNOWN_USED",
-  "LEGACY_DNS_USED",
-  "LEGACY_DNS_PLAIN_URL",
-  "LEGACY_MISSING_METHOD",
-  "LEGACY_INSTRUCTIONS_USED",
-  "LEGACY_OWNERSHIP_PROOFS_USED",
-  "INTEROP_MPP_USED"
-];
+// src/core/source/openapi/index.ts
+import { okAsync, ResultAsync as ResultAsync2 } from "neverthrow";
 
-// src/cli/args.ts
-var DEFAULT_TIMEOUT_MS = 5e3;
-function parseCompatibilityMode(value) {
-  if (value === "on" || value === "off" || value === "strict") {
-    return value;
-  }
-  return null;
-}
-function parseTimeoutMs(value) {
-  const parsed = Number(value);
-  if (!Number.isFinite(parsed) || parsed <= 0 || !Number.isInteger(parsed)) {
-    return null;
-  }
-  return parsed;
-}
-function parseClient(value) {
-  if (value === "claude-code" || value === "skill-cli" || value === "generic-mcp" || value === "generic") {
-    return value;
-  }
-  return null;
-}
-function parseContextWindowTokens(value) {
-  const parsed = Number(value);
-  if (!Number.isFinite(parsed) || parsed <= 0 || !Number.isInteger(parsed)) {
-    return null;
-  }
-  return parsed;
-}
-function parseCliArgs(argv) {
-  let target;
-  let verbose = false;
-  let json = false;
-  let probe = false;
-  let timeoutMs = DEFAULT_TIMEOUT_MS;
-  let compatMode = DEFAULT_COMPAT_MODE;
-  let color = true;
-  let noTruncate = false;
-  let harness = false;
-  let client = "claude-code";
-  let contextWindowTokens;
-  for (let i = 0; i < argv.length; i += 1) {
-    const arg = argv[i];
-    if (arg === "--help" || arg === "-h") {
-      return { kind: "help" };
-    }
-    if (arg === "--verbose" || arg === "-v") {
-      verbose = true;
-      continue;
-    }
-    if (arg === "--json") {
-      json = true;
-      continue;
-    }
-    if (arg === "--probe") {
-      probe = true;
-      continue;
-    }
-    if (arg === "--no-color") {
-      color = false;
-      continue;
-    }
-    if (arg === "--no-truncate") {
-      noTruncate = true;
-      continue;
-    }
-    if (arg === "--harness") {
-      harness = true;
-      continue;
-    }
-    if (arg === "--compat") {
-      const value = argv[i + 1];
-      if (!value) {
-        return { kind: "error", message: "Missing value for --compat." };
-      }
-      const parsed = parseCompatibilityMode(value);
-      if (!parsed) {
-        return {
-          kind: "error",
-          message: `Invalid --compat value '${value}'. Expected: on | off | strict.`
-        };
-      }
-      compatMode = parsed;
-      i += 1;
-      continue;
-    }
-    if (arg === "--timeout-ms") {
-      const value = argv[i + 1];
-      if (!value) {
-        return { kind: "error", message: "Missing value for --timeout-ms." };
-      }
-      const parsed = parseTimeoutMs(value);
-      if (!parsed) {
-        return {
-          kind: "error",
-          message: `Invalid --timeout-ms value '${value}'. Expected a positive integer.`
-        };
-      }
-      timeoutMs = parsed;
-      i += 1;
-      continue;
-    }
-    if (arg === "--client") {
-      const value = argv[i + 1];
-      if (!value) {
-        return { kind: "error", message: "Missing value for --client." };
-      }
-      const parsed = parseClient(value);
-      if (!parsed) {
-        return {
-          kind: "error",
-          message: "Invalid --client value '" + value + "'. Expected: claude-code | skill-cli | generic-mcp | generic."
-        };
-      }
-      client = parsed;
-      i += 1;
-      continue;
-    }
-    if (arg === "--context-window-tokens") {
-      const value = argv[i + 1];
-      if (!value) {
-        return { kind: "error", message: "Missing value for --context-window-tokens." };
-      }
-      const parsed = parseContextWindowTokens(value);
-      if (!parsed) {
-        return {
-          kind: "error",
-          message: `Invalid --context-window-tokens value '${value}'. Expected a positive integer.`
-        };
-      }
-      contextWindowTokens = parsed;
-      i += 1;
-      continue;
-    }
-    if (arg.startsWith("-")) {
-      return { kind: "error", message: `Unknown flag '${arg}'.` };
-    }
-    if (target) {
-      return {
-        kind: "error",
-        message: `Unexpected extra positional argument '${arg}'. Only one domain/URL is supported.`
-      };
-    }
-    target = arg;
-  }
-  if (!target) {
-    return { kind: "error", message: "Missing required <domain> argument." };
-  }
-  return {
-    kind: "ok",
-    options: {
-      target,
-      verbose,
-      json,
-      compatMode,
-      probe,
-      timeoutMs,
-      color,
-      noTruncate,
-      harness,
-      client,
-      ...contextWindowTokens ? { contextWindowTokens } : {}
-    }
-  };
-}
-function renderHelp() {
-  return [
-    "Usage: npx @agentcash/discovery <domain-or-url> [options]",
-    "",
-    "Options:",
-    "  -v, --verbose          Show full compatibility matrix",
-    "  --json                 Emit JSON output",
-    "  --compat <mode>        Compatibility mode: on | off | strict (default: on)",
-    "  --probe                Re-run with probe candidates from discovered paths",
-    "  --harness              Render L0-L5 context harness audit view",
-    "  --client <id>          Harness client: claude-code | skill-cli | generic-mcp | generic",
-    "  --context-window-tokens <n>",
-    "                         Override client context window for harness budget checks",
-    "  --timeout-ms <ms>      Per-request timeout in milliseconds (default: 5000)",
-    "  --no-color             Disable ANSI colors",
-    "  --no-truncate          Disable output truncation in verbose tables",
-    "  -h, --help             Show help"
-  ].join("\n");
-}
-
-// src/cli/render.ts
-import { getBorderCharacters, table } from "table";
-function createPalette(enabled) {
-  const wrap = (code) => (value) => enabled ? `\x1B[${code}m${value}\x1B[0m` : value;
-  return {
-    dim: wrap(2),
-    bold: wrap(1),
-    red: wrap(31),
-    green: wrap(32),
-    yellow: wrap(33),
-    cyan: wrap(36)
-  };
-}
-function summarizeWarnings(warnings) {
-  const errors = warnings.filter((entry) => entry.severity === "error").length;
-  const warns = warnings.filter((entry) => entry.severity === "warn").length;
-  const infos = warnings.filter((entry) => entry.severity === "info").length;
-  const codeCounts = warnings.filter((entry) => entry.code !== "PROBE_STAGE_SKIPPED").reduce(
-    (acc, entry) => {
-      acc[entry.code] = (acc[entry.code] ?? 0) + 1;
-      return acc;
-    },
-    {}
-  );
-  const codes = Object.entries(codeCounts).sort((a, b) => b[1] - a[1]).map(([code, count]) => ({ code, count }));
-  return {
-    total: warnings.length,
-    errors,
-    warns,
-    infos,
-    codes
-  };
-}
-function asYesNo(value) {
-  return value ? "yes" : "no";
-}
-function truncate(value, max, noTruncate) {
-  if (noTruncate || value.length <= max) {
-    return value;
-  }
-  if (max <= 1) return value.slice(0, max);
-  return `${value.slice(0, Math.max(1, max - 1))}...`;
-}
-function formatPricing(resource) {
-  if (resource.authHint !== "paid") return "-";
-  if (resource.pricing) {
-    if (resource.pricing.pricingMode === "fixed") {
-      return resource.pricing.price ? `fixed ${resource.pricing.price}` : "fixed";
-    }
-    if (resource.pricing.pricingMode === "range") {
-      return `range ${resource.pricing.minPrice ?? "?"}-${resource.pricing.maxPrice ?? "?"}`;
-    }
-    return "quote";
-  }
-  return resource.priceHint ? `hint ${resource.priceHint}` : "-";
-}
-function statusBadge(ok, palette) {
-  return ok ? palette.green("[PASS]") : palette.red("[FAIL]");
-}
-function riskBadge(summary, palette) {
-  if (summary.errors > 0) return palette.red("HIGH");
-  if (summary.warns > 0) return palette.yellow("MEDIUM");
-  return palette.green("LOW");
-}
-function sectionHeader(title, palette) {
-  return `${palette.bold(title)}
-${palette.dim("-".repeat(title.length))}`;
-}
-function introBlock(run, options, palette) {
-  const summary = summarizeWarnings(run.result.warnings);
-  const topCodes = summary.codes.slice(0, 3).map(({ code, count }) => `${code} (${count})`).join(", ");
-  const lines = [
-    `${palette.bold("AGENTCASH DISCOVERY AUDIT")} ${statusBadge(run.result.resources.length > 0, palette)}`,
-    `${palette.dim("=".repeat(74))}`,
-    `Target        ${options.target}`,
-    `Origin        ${run.result.origin}`,
-    `Stage         ${run.result.selectedStage ?? "none"}   Compat: ${run.result.compatMode}`,
-    `Resources     ${run.result.resources.length}   Duration: ${run.durationMs}ms`,
-    `Risk          ${riskBadge(summary, palette)}   Upgrade suggested: ${run.result.upgradeSuggested ? "yes" : "no"}`,
-    `Warnings      error=${summary.errors} warn=${summary.warns} info=${summary.infos}`,
-    `Top signals   ${topCodes || "-"}`
-  ];
-  return lines.join("\n");
-}
-function outcomeLine(run) {
-  const selectedStage = run.result.selectedStage ?? "none";
-  if (run.result.resources.length === 0) {
-    return "No usable discovery metadata was found.";
-  }
-  if (selectedStage === "openapi" || selectedStage === "override") {
-    return `Canonical discovery succeeded via ${selectedStage}.`;
-  }
-  return `Discovery succeeded, but only via legacy stage ${selectedStage}.`;
-}
-function actionItems(run, options) {
-  const target = options.target;
-  if (run.result.resources.length === 0) {
-    return [
-      `Run deeper diagnostics: npx @agentcash/discovery ${target} -v --probe --compat on`,
-      `Check that ${target} serves /openapi.json or /.well-known/x402`,
-      "If endpoint exists, verify it returns parseable JSON and non-empty resources"
-    ];
-  }
-  if (run.result.selectedStage === "openapi" || run.result.selectedStage === "override") {
-    return [
-      `Run strict mode hardening: npx @agentcash/discovery ${target} --compat strict -v`,
-      "Reduce warning count to near-zero and keep pricing/auth hints explicit"
-    ];
-  }
-  return [
-    "Publish canonical OpenAPI discovery metadata with x-agentcash extensions",
-    `Validate migration path: npx @agentcash/discovery ${target} --compat strict -v --probe`,
-    "Keep legacy well-known path only during sunset window"
-  ];
-}
-function buildTable(data, maxColWidths, noTruncate) {
-  const rendered = data.map(
-    (row) => row.map((cell, idx) => {
-      const width = maxColWidths[idx] ?? 120;
-      return noTruncate ? cell : truncate(cell, width, false);
+// src/schemas.ts
+import { z } from "zod";
+var OpenApiPaymentInfoSchema = z.object({
+  pricingMode: z.enum(["fixed", "range", "quote"]),
+  price: z.string().optional(),
+  minPrice: z.string().optional(),
+  maxPrice: z.string().optional(),
+  protocols: z.array(z.string()).optional()
+});
+var OpenApiOperationSchema = z.object({
+  operationId: z.string().optional(),
+  summary: z.string().optional(),
+  description: z.string().optional(),
+  tags: z.array(z.string()).optional(),
+  security: z.array(z.record(z.string(), z.array(z.string()))).optional(),
+  parameters: z.array(
+    z.object({
+      in: z.string(),
+      name: z.string(),
+      schema: z.unknown().optional(),
+      required: z.boolean().optional()
     })
-  );
-  return table(rendered, {
-    border: getBorderCharacters("ramac"),
-    columns: maxColWidths.reduce(
-      (acc, width, idx) => {
-        acc[idx] = noTruncate ? { wrapWord: false, alignment: "left" } : { width, truncate: width, wrapWord: false, alignment: "left" };
-        return acc;
-      },
-      {}
-    ),
-    drawHorizontalLine: (index, size) => index === 0 || index === 1 || index === size,
-    columnDefault: {
-      paddingLeft: 1,
-      paddingRight: 1
-    }
-  }).trimEnd();
-}
-function stageMatrixRows(result) {
-  const header = ["stage", "valid", "resources", "duration", "selected", "warning codes"];
-  const rows = result.trace.map((entry) => {
-    const codes = [...new Set(entry.warnings.map((warning2) => warning2.code))].join(", ");
-    return [
-      entry.stage,
-      asYesNo(entry.valid),
-      String(entry.resourceCount),
-      `${entry.durationMs}ms`,
-      result.selectedStage === entry.stage ? "yes" : "-",
-      codes || "-"
-    ];
-  });
-  return [header, ...rows];
-}
-function resourceMatrixRows(result) {
-  const sorted = [...result.resources].sort((a, b) => {
-    if (a.path !== b.path) return a.path.localeCompare(b.path);
-    if (a.method !== b.method) return a.method.localeCompare(b.method);
-    return a.origin.localeCompare(b.origin);
-  });
-  const header = ["method", "path", "auth", "pricing", "source", "verified", "notes"];
-  const rows = sorted.map((resource) => [
-    resource.method,
-    resource.path,
-    resource.authHint ?? "-",
-    formatPricing(resource),
-    resource.source,
-    asYesNo(resource.verified),
-    resource.authHint === "siwx" ? "siwx" : "-"
-  ]);
-  return [header, ...rows];
-}
-function warningRows(summary, result) {
-  const hintByCode = /* @__PURE__ */ new Map();
-  for (const warning2 of result.warnings) {
-    if (!hintByCode.has(warning2.code)) {
-      hintByCode.set(warning2.code, warning2.hint ?? warning2.message);
-    }
-  }
-  const header = ["severity", "code", "count", "hint/message"];
-  const rows = summary.codes.slice(0, 8).map(({ code, count }) => {
-    const sample = hintByCode.get(code) ?? "-";
-    const severity = code.includes("NO_DISCOVERY") ? "error" : code.includes("LEGACY") ? "warn" : "info";
-    return [severity, code, String(count), sample];
-  });
-  return [header, ...rows];
-}
-function harnessBudgetTable(report) {
-  return [
-    ["metric", "value"],
-    ["client", `${report.client.id} (${report.client.surface})`],
-    ["context window tokens", String(report.budget.contextWindowTokens)],
-    ["zero-hop budget tokens", String(report.budget.zeroHopBudgetTokens)],
-    ["estimated L0+L1 tokens", String(report.budget.estimatedZeroHopTokens)],
-    ["within budget", report.budget.withinBudget ? "yes" : "no"]
-  ];
-}
-function harnessLayerSummaryRows(report) {
-  return [
-    ["layer", "what", "primary command", "status"],
-    [
-      "L0",
-      "trigger layer",
-      report.levels.l0.installCommand,
-      `${report.levels.l0.intentTriggers.length} triggers`
-    ],
-    [
-      "L1",
-      "installed domain index",
-      report.levels.l1.fanoutCommands[0] ?? "-",
-      `${report.levels.l1.domainClass}; stage=${report.levels.l1.selectedDiscoveryStage ?? "none"}`
-    ],
-    [
-      "L2",
-      "domain resources",
-      report.levels.l2.command,
-      `${report.levels.l2.resourceCount} resources`
-    ],
-    [
-      "L3",
-      "resource details",
-      report.levels.l3.command,
-      `${report.levels.l3.pricedResourceCount} priced`
-    ],
-    ["L4", "domain guidance", report.levels.l4.llmsTxtUrl ?? "-", report.levels.l4.guidanceStatus],
-    ["L5", "cross-domain composition", "-", report.levels.l5.status]
-  ];
-}
-function harnessL2PreviewRows(report, noTruncate) {
-  const header = ["method", "path", "auth", "source"];
-  const rows = report.levels.l2.resources.slice(0, 15).map((resource) => [
-    resource.method,
-    truncate(resource.path, 54, noTruncate),
-    resource.authMode ?? "-",
-    resource.source
-  ]);
-  return [header, ...rows];
-}
-function renderHarnessSummary(report, options, palette) {
-  const lines = [];
-  lines.push(
-    `${palette.bold("L0-L5 Context Harness")} ${statusBadge(report.levels.l2.resourceCount > 0, palette)}`
-  );
-  lines.push(`${palette.dim("=".repeat(74))}`);
-  lines.push(`Client        ${report.client.label}`);
-  lines.push(`Domain        ${report.levels.l1.domain}`);
-  lines.push(`L2 resources  ${report.levels.l2.resourceCount}`);
-  lines.push(
-    `Budget        ${report.budget.estimatedZeroHopTokens}/${report.budget.zeroHopBudgetTokens} tokens (L0+L1)`
-  );
-  lines.push("");
-  lines.push("Layer map:");
-  lines.push("1. L0 trigger surface -> install and route to agentcash");
-  lines.push(`2. L1 domain index -> ${report.levels.l1.fanoutCommands[0]}`);
-  lines.push(`3. L2 resources -> ${report.levels.l2.command}`);
-  lines.push(`4. L3 details -> ${report.levels.l3.command}`);
-  lines.push(
-    `5. L4 guidance -> ${report.levels.l4.guidanceStatus}${report.levels.l4.llmsTxtUrl ? ` (${report.levels.l4.llmsTxtUrl})` : ""}`
-  );
-  lines.push("6. L5 cross-domain -> out of scope in v1");
-  lines.push("");
-  lines.push(
-    `Next: npx @agentcash/discovery ${options.target} --harness -v --client ${report.client.id}`
-  );
-  return lines.join("\n");
-}
-function renderHarnessVerbose(report, options, palette) {
-  const lines = [];
-  lines.push(
-    `${palette.bold("L0-L5 Context Harness (Verbose)")} ${statusBadge(report.levels.l2.resourceCount > 0, palette)}`
-  );
-  lines.push(`${palette.dim("=".repeat(74))}`);
-  lines.push(`Target ${report.target}`);
-  lines.push(`Origin ${report.origin}`);
-  lines.push(`Client ${report.client.label}`);
-  lines.push("");
-  lines.push(sectionHeader("Budget check", palette));
-  lines.push(buildTable(harnessBudgetTable(report), [30, 42], options.noTruncate));
-  lines.push("");
-  lines.push(sectionHeader("Layer summary", palette));
-  lines.push(buildTable(harnessLayerSummaryRows(report), [8, 24, 44, 28], options.noTruncate));
-  lines.push("");
-  lines.push(sectionHeader("L2 resource preview", palette));
-  if (report.levels.l2.resources.length === 0) {
-    lines.push(palette.dim("(no discovered resources)"));
-  } else {
-    lines.push(
-      buildTable(
-        harnessL2PreviewRows(report, options.noTruncate),
-        [10, 54, 12, 20],
-        options.noTruncate
-      )
-    );
-    if (report.levels.l2.resources.length > 15) {
-      lines.push(
-        palette.dim(
-          `Showing 15/${report.levels.l2.resources.length} resources. Use --json to inspect full L2/L3 payload.`
-        )
-      );
-    }
-  }
-  lines.push("");
-  lines.push(sectionHeader("L4 guidance", palette));
-  lines.push(`status: ${report.levels.l4.guidanceStatus}`);
-  lines.push(`llms.txt url: ${report.levels.l4.llmsTxtUrl ?? "-"}`);
-  lines.push(`llms.txt tokens: ${report.levels.l4.llmsTxtTokenEstimate}`);
-  lines.push(`preview: ${report.levels.l4.guidancePreview ?? "-"}`);
-  lines.push("");
-  lines.push(sectionHeader("Diagnostics", palette));
-  lines.push(
-    `warnings: ${report.diagnostics.warningCount} (errors=${report.diagnostics.errorWarningCount})`
-  );
-  lines.push(`selected stage: ${report.diagnostics.selectedStage ?? "none"}`);
-  lines.push(`upgrade suggested: ${report.diagnostics.upgradeSuggested ? "yes" : "no"}`);
-  lines.push(
-    `upgrade reasons: ${report.diagnostics.upgradeReasons.length > 0 ? report.diagnostics.upgradeReasons.join(", ") : "-"}`
-  );
-  return lines.join("\n");
-}
-function renderSummary(run, options) {
-  const palette = createPalette(options.color);
-  if (options.harness && run.harness) {
-    return renderHarnessSummary(run.harness, options, palette);
-  }
-  const body = [];
-  body.push(introBlock(run, options, palette));
-  body.push("");
-  body.push(`Outcome: ${outcomeLine(run)}`);
-  const items = actionItems(run, options);
-  body.push("Next:");
-  for (let i = 0; i < items.length; i += 1) {
-    body.push(`${i + 1}. ${items[i]}`);
-  }
-  if (options.probe) {
-    body.push(`Probe candidates considered: ${run.probeCandidateCount}`);
-  }
-  return body.join("\n");
+  ).optional(),
+  requestBody: z.object({
+    required: z.boolean().optional(),
+    content: z.record(z.string(), z.object({ schema: z.unknown().optional() }))
+  }).optional(),
+  responses: z.record(z.string(), z.unknown()).optional(),
+  "x-payment-info": OpenApiPaymentInfoSchema.optional()
+});
+var OpenApiPathItemSchema = z.object({
+  get: OpenApiOperationSchema.optional(),
+  post: OpenApiOperationSchema.optional(),
+  put: OpenApiOperationSchema.optional(),
+  delete: OpenApiOperationSchema.optional(),
+  patch: OpenApiOperationSchema.optional(),
+  head: OpenApiOperationSchema.optional(),
+  options: OpenApiOperationSchema.optional(),
+  trace: OpenApiOperationSchema.optional()
+});
+var OpenApiDocSchema = z.object({
+  // TODO(zdql): We should inherit a canonical OpenAPI schema and then extend with our types.
+  openapi: z.string(),
+  info: z.object({
+    title: z.string(),
+    version: z.string(),
+    description: z.string().optional(),
+    guidance: z.string().optional()
+  }),
+  servers: z.array(z.object({ url: z.string() })).optional(),
+  tags: z.array(z.object({ name: z.string() })).optional(),
+  components: z.object({ securitySchemes: z.record(z.string(), z.unknown()).optional() }).optional(),
+  "x-discovery": z.record(z.string(), z.unknown()).optional(),
+  paths: z.record(z.string(), OpenApiPathItemSchema)
+});
+var WellKnownDocSchema = z.object({
+  version: z.number().optional(),
+  resources: z.array(z.string()).default([]),
+  mppResources: z.array(z.string()).optional(),
+  // isMmmEnabled
+  description: z.string().optional(),
+  ownershipProofs: z.array(z.string()).optional(),
+  instructions: z.string().optional()
+});
+var WellKnownParsedSchema = z.object({
+  routes: z.array(
+    z.object({
+      path: z.string(),
+      method: z.enum(["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "TRACE"])
+    })
+  ),
+  instructions: z.string().optional()
+});
+
+// src/core/source/openapi/utils.ts
+function isRecord(value) {
+  return value !== null && typeof value === "object" && !Array.isArray(value);
 }
-function renderVerbose(run, options) {
-  const palette = createPalette(options.color);
-  if (options.harness && run.harness) {
-    return renderHarnessVerbose(run.harness, options, palette);
-  }
-  const summary = summarizeWarnings(run.result.warnings);
-  const noTruncate = options.noTruncate;
-  const body = [];
-  body.push(introBlock(run, options, palette));
-  body.push("");
-  body.push(sectionHeader("What this means", palette));
-  body.push(outcomeLine(run));
-  body.push("");
-  body.push(sectionHeader("Recommended actions", palette));
-  const items = actionItems(run, options);
-  for (let i = 0; i < items.length; i += 1) {
-    body.push(`${i + 1}. ${items[i]}`);
-  }
-  body.push("");
-  body.push(sectionHeader("Compatibility matrix", palette));
-  body.push(buildTable(stageMatrixRows(run.result), [18, 8, 10, 10, 10, 56], noTruncate));
-  body.push("");
-  body.push(sectionHeader("Resource matrix", palette));
-  if (run.result.resources.length === 0) {
-    body.push(palette.dim("(no discovered resources)"));
-  } else {
-    const allRows = resourceMatrixRows(run.result);
-    const previewRows = allRows.slice(0, 16);
-    body.push(buildTable(previewRows, [8, 44, 10, 24, 18, 10, 10], noTruncate));
-    if (allRows.length > previewRows.length) {
-      body.push(
-        palette.dim(
-          `Showing ${previewRows.length - 1}/${allRows.length - 1} resources. Use --no-truncate or --json for complete output.`
-        )
-      );
-    }
-  }
-  body.push("");
-  body.push(sectionHeader("Warning breakdown", palette));
-  if (summary.codes.length === 0) {
-    body.push(palette.dim("(no warnings)"));
-  } else {
-    body.push(buildTable(warningRows(summary, run.result), [10, 34, 8, 62], noTruncate));
-  }
-  if (run.result.upgradeReasons.length > 0) {
-    body.push("");
-    body.push(sectionHeader("Upgrade guidance", palette));
-    for (const reason of run.result.upgradeReasons) {
-      body.push(`- ${reason}`);
-    }
-  }
-  return body.join("\n");
-}
-function renderJson(run, options) {
-  return JSON.stringify(
-    {
-      ok: run.result.resources.length > 0,
-      target: options.target,
-      origin: run.result.origin,
-      compatMode: run.result.compatMode,
-      selectedStage: run.result.selectedStage ?? null,
-      resources: run.result.resources,
-      trace: run.result.trace,
-      warnings: run.result.warnings,
-      upgradeSuggested: run.result.upgradeSuggested,
-      upgradeReasons: run.result.upgradeReasons,
-      meta: {
-        durationMs: run.durationMs,
-        probeEnabled: options.probe,
-        probeCandidateCount: run.probeCandidateCount,
-        timeoutMs: options.timeoutMs
-      },
-      ...run.harness ? { harness: run.harness } : {}
-    },
-    null,
-    2
-  );
+function hasSecurity(operation, scheme) {
+  return operation.security?.some((s) => scheme in s) ?? false;
+}
+function has402Response(operation) {
+  return Boolean(operation.responses?.["402"]);
+}
+function inferAuthMode(operation) {
+  const hasXPaymentInfo = Boolean(operation["x-payment-info"]);
+  const hasPayment = hasXPaymentInfo || has402Response(operation);
+  const hasApiKey = hasSecurity(operation, "apiKey");
+  const hasSiwx = hasSecurity(operation, "siwx");
+  if (hasPayment && hasApiKey) return "apiKey+paid";
+  if (hasXPaymentInfo) return "paid";
+  if (hasPayment) return hasSiwx ? "siwx" : "paid";
+  if (hasApiKey) return "apiKey";
+  if (hasSiwx) return "siwx";
+  return void 0;
 }
 
-// src/mmm-enabled.ts
-var isMmmEnabled = () => "0.1.3".includes("-mmm");
-
-// src/core/constants.ts
-var OPENAPI_PATH_CANDIDATES = ["/openapi.json", "/.well-known/openapi.json"];
-var WELL_KNOWN_MPP_PATH = "/.well-known/mpp";
-var LLMS_TOKEN_WARNING_THRESHOLD = 2500;
+// src/core/lib/constants.ts
 var HTTP_METHODS = /* @__PURE__ */ new Set([
   "GET",
   "POST",
@@ -627,10 +109,9 @@ var HTTP_METHODS = /* @__PURE__ */ new Set([
   "OPTIONS",
   "TRACE"
 ]);
-var DEFAULT_PROBE_METHODS = ["GET", "POST"];
 var DEFAULT_MISSING_METHOD = "POST";
 
-// src/core/url.ts
+// src/core/lib/url.ts
 function normalizeOrigin(target) {
   const trimmed = target.trim();
   const withProtocol = /^https?:\/\//i.test(trimmed) ? trimmed : `https://${trimmed}`;
@@ -648,9 +129,6 @@ function normalizePath(pathname) {
   const normalized = prefixed.replace(/\/+/g, "/");
   return normalized !== "/" ? normalized.replace(/\/$/, "") : "/";
 }
-function toResourceKey(origin, method, path) {
-  return `${origin} ${method} ${normalizePath(path)}`;
-}
 function parseMethod(value) {
   if (!value) return void 0;
   const upper = value.toUpperCase();
@@ -665,895 +143,504 @@ function toAbsoluteUrl(origin, value) {
   }
 }
 
-// src/core/warnings.ts
-function warning(code, severity, message, options) {
-  return {
-    code,
-    severity,
-    message,
-    ...options?.hint ? { hint: options.hint } : {},
-    ...options?.stage ? { stage: options.stage } : {},
-    ...options?.resourceKey ? { resourceKey: options.resourceKey } : {}
-  };
-}
-function applyStrictEscalation(warnings, strict) {
-  if (!strict) return warnings;
-  return warnings.map((entry) => {
-    if (!STRICT_ESCALATION_CODES.includes(entry.code)) {
-      return entry;
-    }
-    if (entry.severity === "error") return entry;
-    return {
-      ...entry,
-      severity: "error",
-      message: `${entry.message} (strict mode escalated)`
-    };
-  });
+// src/core/source/fetch.ts
+import { ResultAsync } from "neverthrow";
+function toFetchError(err) {
+  const cause = err instanceof DOMException && (err.name === "TimeoutError" || err.name === "AbortError") ? "timeout" : "network";
+  return { cause, message: String(err) };
 }
-function dedupeWarnings(warnings) {
-  const seen = /* @__PURE__ */ new Set();
-  const output = [];
-  for (const item of warnings) {
-    const key = `${item.code}|${item.severity}|${item.stage ?? ""}|${item.resourceKey ?? ""}|${item.message}`;
-    if (seen.has(key)) continue;
-    seen.add(key);
-    output.push(item);
-  }
-  return output;
+function fetchSafe(url, init) {
+  return ResultAsync.fromPromise(fetch(url, init), toFetchError);
 }
 
-// src/core/normalize.ts
-function createResource(input, confidence, trustTier) {
-  const normalizedOrigin = normalizeOrigin(input.origin);
-  const normalizedPath = normalizePath(input.path);
-  return {
-    resourceKey: toResourceKey(normalizedOrigin, input.method, normalizedPath),
-    origin: normalizedOrigin,
-    method: input.method,
-    path: normalizedPath,
-    source: input.source,
-    verified: false,
-    ...input.protocolHints?.length ? { protocolHints: [...new Set(input.protocolHints)] } : {},
-    ...input.priceHint ? { priceHint: input.priceHint } : {},
-    ...input.pricing ? { pricing: input.pricing } : {},
-    ...input.authHint ? { authHint: input.authHint } : {},
-    ...input.summary ? { summary: input.summary } : {},
-    confidence,
-    trustTier,
-    ...input.links ? { links: input.links } : {}
-  };
-}
+// src/mmm-enabled.ts
+var isMmmEnabled = () => "1.0.0".includes("-mmm");
 
-// src/compat/legacy-x402scan/wellKnown.ts
-function isRecord(value) {
-  return value !== null && typeof value === "object" && !Array.isArray(value);
-}
-function parseLegacyResourceEntry(entry) {
-  const trimmed = entry.trim();
-  if (!trimmed) return null;
-  const parts = trimmed.split(/\s+/);
-  if (parts.length >= 2) {
-    const maybeMethod = parseMethod(parts[0]);
-    if (maybeMethod) {
-      const target = parts.slice(1).join(" ");
-      return { method: maybeMethod, target };
-    }
-  }
-  if (trimmed.startsWith("/") || /^https?:\/\//i.test(trimmed)) {
-    return { target: trimmed };
-  }
-  return null;
-}
-function parseWellKnownPayload(payload, origin, sourceUrl) {
-  const warnings = [
-    warning(
-      "LEGACY_WELL_KNOWN_USED",
-      "warn",
-      "Using legacy /.well-known/x402 compatibility path. Migrate to OpenAPI-first.",
-      {
-        stage: "well-known/x402"
-      }
-    )
-  ];
-  if (!isRecord(payload)) {
-    warnings.push(
-      warning("PARSE_FAILED", "error", "Legacy well-known payload is not an object", {
-        stage: "well-known/x402"
-      })
-    );
-    return { resources: [], warnings, raw: payload };
-  }
-  const resourcesRaw = Array.isArray(payload.resources) ? payload.resources.filter((entry) => typeof entry === "string") : [];
-  if (resourcesRaw.length === 0) {
-    warnings.push(
-      warning("STAGE_EMPTY", "warn", "Legacy well-known has no valid resources array", {
-        stage: "well-known/x402"
-      })
-    );
-  }
-  const instructions = typeof payload.instructions === "string" ? payload.instructions : void 0;
-  const ownershipProofs = Array.isArray(payload.ownershipProofs) ? payload.ownershipProofs.filter((entry) => typeof entry === "string") : [];
-  if (instructions) {
-    warnings.push(
-      warning(
-        "LEGACY_INSTRUCTIONS_USED",
-        "warn",
-        "Using /.well-known/x402.instructions as compatibility guidance fallback. Prefer llms.txt.",
-        {
-          stage: "well-known/x402",
-          hint: "Move guidance to llms.txt and reference via x-agentcash-guidance.llmsTxtUrl."
-        }
-      )
-    );
-  }
-  if (ownershipProofs.length > 0) {
-    warnings.push(
-      warning(
-        "LEGACY_OWNERSHIP_PROOFS_USED",
-        "warn",
-        "Using /.well-known/x402.ownershipProofs compatibility field. Prefer OpenAPI provenance extension.",
-        {
-          stage: "well-known/x402",
-          hint: "Move ownership proofs to x-agentcash-provenance.ownershipProofs in OpenAPI."
-        }
-      )
-    );
-  }
-  const resources = [];
-  for (const rawEntry of resourcesRaw) {
-    const parsed = parseLegacyResourceEntry(rawEntry);
-    if (!parsed) {
-      warnings.push(
-        warning("PARSE_FAILED", "warn", `Invalid legacy resource entry: ${rawEntry}`, {
-          stage: "well-known/x402"
-        })
-      );
-      continue;
-    }
-    const absolute = toAbsoluteUrl(origin, parsed.target);
-    if (!absolute) {
-      warnings.push(
-        warning("PARSE_FAILED", "warn", `Invalid legacy resource URL: ${rawEntry}`, {
-          stage: "well-known/x402"
-        })
-      );
-      continue;
-    }
-    const method = parsed.method ?? DEFAULT_MISSING_METHOD;
-    if (!parsed.method) {
-      warnings.push(
-        warning(
-          "LEGACY_MISSING_METHOD",
-          "warn",
-          `Legacy resource '${rawEntry}' missing method. Defaulting to ${DEFAULT_MISSING_METHOD}.`,
-          {
-            stage: "well-known/x402"
-          }
-        )
+// src/core/source/openapi/index.ts
+var OpenApiParsedSchema = OpenApiDocSchema.transform((doc) => {
+  const routes = [];
+  for (const [rawPath, pathItem] of Object.entries(doc.paths)) {
+    for (const httpMethod of [...HTTP_METHODS]) {
+      const operation = pathItem[httpMethod.toLowerCase()];
+      if (!operation) continue;
+      const authMode = inferAuthMode(operation) ?? void 0;
+      if (!authMode) continue;
+      const p = operation["x-payment-info"];
+      const protocols = (p?.protocols ?? []).filter(
+        (proto) => proto !== "mpp" || isMmmEnabled()
       );
+      if ((authMode === "paid" || authMode === "siwx") && !has402Response(operation)) continue;
+      if (authMode === "paid" && protocols.length === 0) continue;
+      const pricing = authMode === "paid" && p ? {
+        pricingMode: p.pricingMode,
+        ...p.price ? { price: p.price } : {},
+        ...p.minPrice ? { minPrice: p.minPrice } : {},
+        ...p.maxPrice ? { maxPrice: p.maxPrice } : {}
+      } : void 0;
+      const summary = operation.summary ?? operation.description;
+      routes.push({
+        path: normalizePath(rawPath),
+        method: httpMethod.toUpperCase(),
+        ...summary ? { summary } : {},
+        authMode,
+        ...protocols.length ? { protocols } : {},
+        ...pricing ? { pricing } : {}
+      });
     }
-    const path = normalizePath(absolute.pathname);
-    resources.push(
-      createResource(
-        {
-          origin: absolute.origin,
-          method,
-          path,
-          source: "well-known/x402",
-          summary: `${method} ${path}`,
-          authHint: "paid",
-          protocolHints: ["x402"],
-          links: {
-            wellKnownUrl: sourceUrl,
-            discoveryUrl: sourceUrl
-          }
-        },
-        0.65,
-        ownershipProofs.length > 0 ? "ownership_verified" : "origin_hosted"
-      )
-    );
   }
   return {
-    resources,
-    warnings,
-    raw: payload
+    info: {
+      title: doc.info.title,
+      ...doc.info.description ? { description: doc.info.description } : {},
+      version: doc.info.version
+    },
+    routes,
+    ...doc.info.guidance ? { guidance: doc.info.guidance } : {}
   };
-}
-async function runWellKnownX402Stage(options) {
-  const stageUrl = options.url ?? `${options.origin}/.well-known/x402`;
+});
+async function parseBody(response, url) {
   try {
-    const response = await options.fetcher(stageUrl, {
-      method: "GET",
-      headers: { Accept: "application/json", ...options.headers },
-      signal: options.signal
-    });
-    if (!response.ok) {
-      if (response.status === 404) {
-        return {
-          stage: "well-known/x402",
-          valid: false,
-          resources: [],
-          warnings: [],
-          links: { wellKnownUrl: stageUrl }
-        };
-      }
-      return {
-        stage: "well-known/x402",
-        valid: false,
-        resources: [],
-        warnings: [
-          warning("FETCH_FAILED", "warn", `Legacy well-known fetch failed (${response.status})`, {
-            stage: "well-known/x402"
-          })
-        ],
-        links: { wellKnownUrl: stageUrl }
-      };
-    }
     const payload = await response.json();
-    const parsed = parseWellKnownPayload(payload, options.origin, stageUrl);
-    return {
-      stage: "well-known/x402",
-      valid: parsed.resources.length > 0,
-      resources: parsed.resources,
-      warnings: parsed.warnings,
-      links: { wellKnownUrl: stageUrl },
-      ...options.includeRaw ? { raw: parsed.raw } : {}
-    };
-  } catch (error) {
-    return {
-      stage: "well-known/x402",
-      valid: false,
-      resources: [],
-      warnings: [
-        warning(
-          "FETCH_FAILED",
-          "warn",
-          `Legacy well-known fetch exception: ${error instanceof Error ? error.message : String(error)}`,
-          {
-            stage: "well-known/x402"
-          }
-        )
-      ],
-      links: { wellKnownUrl: stageUrl }
-    };
+    const parsed = OpenApiParsedSchema.safeParse(payload);
+    if (!parsed.success) return null;
+    return { raw: payload, ...parsed.data, fetchedUrl: url };
+  } catch {
+    return null;
   }
 }
-
-// src/compat/legacy-x402scan/dns.ts
-function parseDnsRecord(record) {
-  const trimmed = record.trim();
-  if (!trimmed) return null;
-  if (/^https?:\/\//i.test(trimmed)) {
-    return { url: trimmed, legacyPlainUrl: true };
-  }
-  const parts = trimmed.split(";").map((entry) => entry.trim()).filter(Boolean);
-  const keyValues = /* @__PURE__ */ new Map();
-  for (const part of parts) {
-    const separator = part.indexOf("=");
-    if (separator <= 0) continue;
-    const key = part.slice(0, separator).trim().toLowerCase();
-    const value = part.slice(separator + 1).trim();
-    if (key && value) keyValues.set(key, value);
-  }
-  if (keyValues.get("v") !== "x4021") return null;
-  const url = keyValues.get("url");
-  if (!url || !/^https?:\/\//i.test(url)) return null;
-  return { url, legacyPlainUrl: false };
+function getOpenAPI(origin, headers, signal, specificationOverrideUrl) {
+  const url = specificationOverrideUrl ?? `${origin}/openapi.json`;
+  return fetchSafe(url, {
+    method: "GET",
+    headers: { Accept: "application/json", ...headers },
+    signal
+  }).andThen((response) => {
+    if (!response.ok) return okAsync(null);
+    return ResultAsync2.fromSafePromise(parseBody(response, url));
+  });
 }
-async function runDnsStage(options) {
-  if (!options.txtResolver) {
-    return {
-      stage: "dns/_x402",
-      valid: false,
-      resources: [],
-      warnings: []
-    };
-  }
-  const origin = normalizeOrigin(options.origin);
-  const hostname = new URL(origin).hostname;
-  const fqdn = `_x402.${hostname}`;
-  let records;
-  try {
-    records = await options.txtResolver(fqdn);
-  } catch (error) {
-    return {
-      stage: "dns/_x402",
-      valid: false,
-      resources: [],
-      warnings: [
-        warning(
-          "FETCH_FAILED",
-          "warn",
-          `DNS TXT lookup failed for ${fqdn}: ${error instanceof Error ? error.message : String(error)}`,
-          { stage: "dns/_x402" }
-        )
-      ]
-    };
-  }
-  if (records.length === 0) {
-    return {
-      stage: "dns/_x402",
-      valid: false,
-      resources: [],
-      warnings: []
-    };
-  }
-  const warnings = [
-    warning(
-      "LEGACY_DNS_USED",
-      "warn",
-      "Using DNS _x402 compatibility path. Migrate to OpenAPI-first discovery.",
+
+// src/core/source/wellknown/index.ts
+import { okAsync as okAsync2, ResultAsync as ResultAsync3 } from "neverthrow";
+function toWellKnownParsed(origin, doc) {
+  const routes = doc.resources.flatMap((entry) => {
+    const trimmed = entry.trim();
+    if (!trimmed) return [];
+    const parts = trimmed.split(/\s+/);
+    const maybeMethod = parts.length >= 2 ? parseMethod(parts[0]) : void 0;
+    const target = maybeMethod ? parts.slice(1).join(" ") : trimmed;
+    const absolute = toAbsoluteUrl(origin, target);
+    if (!absolute) return [];
+    return [
       {
-        stage: "dns/_x402"
+        path: normalizePath(absolute.pathname),
+        method: maybeMethod ?? DEFAULT_MISSING_METHOD
       }
-    )
-  ];
-  const urls = [];
-  for (const record of records) {
-    const parsed = parseDnsRecord(record);
-    if (!parsed) {
-      warnings.push(
-        warning("PARSE_FAILED", "warn", `Invalid DNS _x402 TXT record: ${record}`, {
-          stage: "dns/_x402"
-        })
-      );
-      continue;
-    }
-    urls.push(parsed.url);
-    if (parsed.legacyPlainUrl) {
-      warnings.push(
-        warning("LEGACY_DNS_PLAIN_URL", "warn", `Legacy plain URL TXT format used: ${record}`, {
-          stage: "dns/_x402",
-          hint: "Use v=x4021;url=<https-url> format."
-        })
-      );
-    }
-  }
-  if (urls.length === 0) {
-    return {
-      stage: "dns/_x402",
-      valid: false,
-      resources: [],
-      warnings,
-      ...options.includeRaw ? { raw: { dnsRecords: records } } : {}
-    };
-  }
-  const mergedWarnings = [...warnings];
-  const mergedResources = [];
-  const rawDocuments = [];
-  for (const url of urls) {
-    const stageResult = await runWellKnownX402Stage({
-      origin,
-      url,
-      fetcher: options.fetcher,
-      headers: options.headers,
-      signal: options.signal,
-      includeRaw: options.includeRaw
-    });
-    mergedResources.push(...stageResult.resources);
-    mergedWarnings.push(...stageResult.warnings);
-    if (options.includeRaw && stageResult.raw !== void 0) {
-      rawDocuments.push({ url, document: stageResult.raw });
-    }
-  }
-  const deduped = /* @__PURE__ */ new Map();
-  for (const resource of mergedResources) {
-    if (!deduped.has(resource.resourceKey)) {
-      deduped.set(resource.resourceKey, {
-        ...resource,
-        source: "dns/_x402",
-        links: {
-          ...resource.links,
-          discoveryUrl: resource.links?.discoveryUrl
-        }
-      });
-    }
-  }
-  return {
-    stage: "dns/_x402",
-    valid: deduped.size > 0,
-    resources: [...deduped.values()],
-    warnings: mergedWarnings,
-    ...options.includeRaw ? { raw: { dnsRecords: records, documents: rawDocuments } } : {}
-  };
-}
-
-// src/compat/interop-mpp/wellKnownMpp.ts
-function isRecord2(value) {
-  return value !== null && typeof value === "object" && !Array.isArray(value);
+    ];
+  });
+  return { routes, ...doc.instructions ? { instructions: doc.instructions } : {} };
 }
-async function runInteropMppStage(options) {
-  const url = `${options.origin}${WELL_KNOWN_MPP_PATH}`;
+async function parseBody2(response, origin, url) {
   try {
-    const response = await options.fetcher(url, {
-      method: "GET",
-      headers: { Accept: "application/json", ...options.headers },
-      signal: options.signal
-    });
-    if (!response.ok) {
-      return {
-        stage: "interop/mpp",
-        valid: false,
-        resources: [],
-        warnings: []
-      };
-    }
     const payload = await response.json();
-    if (!isRecord2(payload)) {
-      return {
-        stage: "interop/mpp",
-        valid: false,
-        resources: [],
-        warnings: [
-          warning("PARSE_FAILED", "warn", "Interop /.well-known/mpp payload is not an object", {
-            stage: "interop/mpp"
-          })
-        ],
-        ...options.includeRaw ? { raw: payload } : {}
-      };
-    }
-    const warnings = [
-      warning(
-        "INTEROP_MPP_USED",
-        "info",
-        "Using /.well-known/mpp interop adapter. This is additive and non-canonical.",
-        {
-          stage: "interop/mpp",
-          hint: "Use for registry indexing only, not canonical runtime routing."
-        }
-      )
-    ];
-    const resources = [];
-    const fromStringResources = Array.isArray(payload.resources) ? payload.resources.filter((entry) => typeof entry === "string") : [];
-    for (const entry of fromStringResources) {
-      const parts = entry.trim().split(/\s+/);
-      let method = parseMethod(parts[0]);
-      let path = parts.join(" ");
-      if (method) {
-        path = parts.slice(1).join(" ");
-      } else {
-        method = "POST";
-      }
-      const normalizedPath = normalizePath(path);
-      resources.push(
-        createResource(
-          {
-            origin: options.origin,
-            method,
-            path: normalizedPath,
-            source: "interop/mpp",
-            summary: `${method} ${normalizedPath}`,
-            authHint: "paid",
-            protocolHints: ["mpp"],
-            links: { discoveryUrl: url }
-          },
-          0.45,
-          "unverified"
-        )
-      );
-    }
-    const fromServiceObjects = Array.isArray(payload.services) ? payload.services.filter((entry) => isRecord2(entry)) : [];
-    for (const service of fromServiceObjects) {
-      const path = typeof service.path === "string" ? service.path : void 0;
-      const method = parseMethod(typeof service.method === "string" ? service.method : void 0) ?? "POST";
-      if (!path) continue;
-      const normalizedPath = normalizePath(path);
-      resources.push(
-        createResource(
-          {
-            origin: options.origin,
-            method,
-            path: normalizedPath,
-            source: "interop/mpp",
-            summary: typeof service.summary === "string" ? service.summary : `${method} ${normalizedPath}`,
-            authHint: "paid",
-            protocolHints: ["mpp"],
-            links: { discoveryUrl: url }
-          },
-          0.45,
-          "unverified"
-        )
-      );
-    }
-    const deduped = /* @__PURE__ */ new Map();
-    for (const resource of resources) {
-      if (!deduped.has(resource.resourceKey)) deduped.set(resource.resourceKey, resource);
-    }
-    return {
-      stage: "interop/mpp",
-      valid: deduped.size > 0,
-      resources: [...deduped.values()],
-      warnings,
-      ...options.includeRaw ? { raw: payload } : {}
-    };
-  } catch (error) {
-    return {
-      stage: "interop/mpp",
-      valid: false,
-      resources: [],
-      warnings: [
-        warning(
-          "FETCH_FAILED",
-          "warn",
-          `Interop /.well-known/mpp fetch failed: ${error instanceof Error ? error.message : String(error)}`,
-          {
-            stage: "interop/mpp"
-          }
-        )
-      ]
-    };
+    const doc = WellKnownDocSchema.safeParse(payload);
+    if (!doc.success) return null;
+    const parsed = WellKnownParsedSchema.safeParse(toWellKnownParsed(origin, doc.data));
+    if (!parsed.success) return null;
+    return { raw: payload, ...parsed.data, fetchedUrl: url };
+  } catch {
+    return null;
   }
 }
-
-// src/core/token.ts
-function estimateTokenCount(text) {
-  return Math.ceil(text.length / 4);
+function getWellKnown(origin, headers, signal) {
+  const url = `${origin}/.well-known/x402`;
+  return fetchSafe(url, {
+    method: "GET",
+    headers: { Accept: "application/json", ...headers },
+    signal
+  }).andThen((response) => {
+    if (!response.ok) return okAsync2(null);
+    return ResultAsync3.fromSafePromise(parseBody2(response, origin, url));
+  });
 }
 
-// src/core/openapi.ts
-function isRecord3(value) {
-  return value !== null && typeof value === "object" && !Array.isArray(value);
+// src/core/layers/l2.ts
+function formatPrice(pricing) {
+  if (pricing.pricingMode === "fixed") return `$${pricing.price}`;
+  if (pricing.pricingMode === "range") return `$${pricing.minPrice}-$${pricing.maxPrice}`;
+  return pricing.maxPrice ? `up to $${pricing.maxPrice}` : "quote";
+}
+function checkL2ForOpenAPI(openApi) {
+  const routes = openApi.routes.map((route) => ({
+    path: route.path,
+    method: route.method,
+    summary: route.summary ?? `${route.method} ${route.path}`,
+    ...route.authMode ? { authMode: route.authMode } : {},
+    ...route.pricing ? { price: formatPrice(route.pricing) } : {},
+    ...route.protocols?.length ? { protocols: route.protocols } : {}
+  }));
+  return {
+    ...openApi.info.title ? { title: openApi.info.title } : {},
+    ...openApi.info.description ? { description: openApi.info.description } : {},
+    routes,
+    source: "openapi"
+  };
 }
-function asString(value) {
-  return typeof value === "string" && value.length > 0 ? value : void 0;
+function checkL2ForWellknown(wellKnown) {
+  const routes = wellKnown.routes.map((route) => ({
+    path: route.path,
+    method: route.method,
+    summary: `${route.method} ${route.path}`,
+    authMode: "paid",
+    protocols: ["x402"]
+  }));
+  return { routes, source: "well-known/x402" };
 }
-function parsePriceValue(value) {
-  if (typeof value === "string" && value.length > 0) return value;
-  if (typeof value === "number" && Number.isFinite(value)) return String(value);
-  return void 0;
+
+// src/core/layers/l4.ts
+function checkL4ForOpenAPI(openApi) {
+  if (openApi.guidance) {
+    return { guidance: openApi.guidance, source: "openapi" };
+  }
+  return null;
 }
-function require402Response(operation) {
-  const responses = operation.responses;
-  if (!isRecord3(responses)) return false;
-  return Boolean(responses["402"]);
+function checkL4ForWellknown(wellKnown) {
+  if (wellKnown.instructions) {
+    return { guidance: wellKnown.instructions, source: "well-known/x402" };
+  }
+  return null;
 }
-function parseProtocols(paymentInfo) {
-  const protocols = paymentInfo.protocols;
-  if (!Array.isArray(protocols)) return [];
-  return protocols.filter(
-    (entry) => typeof entry === "string" && entry.length > 0
-  );
+
+// src/audit/codes.ts
+var AUDIT_CODES = {
+  // ─── Source presence ─────────────────────────────────────────────────────────
+  OPENAPI_NOT_FOUND: "OPENAPI_NOT_FOUND",
+  WELLKNOWN_NOT_FOUND: "WELLKNOWN_NOT_FOUND",
+  // ─── OpenAPI quality ─────────────────────────────────────────────────────────
+  OPENAPI_NO_ROUTES: "OPENAPI_NO_ROUTES",
+  // ─── L2 route-list checks ────────────────────────────────────────────────────
+  L2_NO_ROUTES: "L2_NO_ROUTES",
+  L2_ROUTE_COUNT_HIGH: "L2_ROUTE_COUNT_HIGH",
+  L2_AUTH_MODE_MISSING: "L2_AUTH_MODE_MISSING",
+  L2_PRICE_MISSING_ON_PAID: "L2_PRICE_MISSING_ON_PAID",
+  L2_PROTOCOLS_MISSING_ON_PAID: "L2_PROTOCOLS_MISSING_ON_PAID",
+  // ─── L3 endpoint advisory checks ─────────────────────────────────────────────
+  L3_NOT_FOUND: "L3_NOT_FOUND",
+  L3_INPUT_SCHEMA_MISSING: "L3_INPUT_SCHEMA_MISSING",
+  L3_AUTH_MODE_MISSING: "L3_AUTH_MODE_MISSING",
+  L3_PROTOCOLS_MISSING_ON_PAID: "L3_PROTOCOLS_MISSING_ON_PAID",
+  // ─── L4 guidance checks ──────────────────────────────────────────────────────
+  L4_GUIDANCE_MISSING: "L4_GUIDANCE_MISSING",
+  L4_GUIDANCE_TOO_LONG: "L4_GUIDANCE_TOO_LONG"
+};
+
+// src/audit/warnings.ts
+var GUIDANCE_TOO_LONG_CHARS = 4e3;
+var ROUTE_COUNT_HIGH = 40;
+function getWarningsForOpenAPI(openApi) {
+  if (openApi === null) {
+    return [
+      {
+        code: AUDIT_CODES.OPENAPI_NOT_FOUND,
+        severity: "info",
+        message: "No OpenAPI specification found at this origin.",
+        hint: "Expose an OpenAPI spec (e.g. /openapi.json) for richer discovery."
+      }
+    ];
+  }
+  const warnings = [];
+  if (openApi.routes.length === 0) {
+    warnings.push({
+      code: AUDIT_CODES.OPENAPI_NO_ROUTES,
+      severity: "warn",
+      message: "OpenAPI spec found but contains no route definitions.",
+      hint: "Add paths to your OpenAPI spec so agents can discover endpoints.",
+      path: "paths"
+    });
+  }
+  return warnings;
 }
-function parseAuthMode(operation) {
-  const auth = operation["x-agentcash-auth"];
-  if (!isRecord3(auth)) return void 0;
-  const mode = auth.mode;
-  if (mode === "paid" || mode === "siwx" || mode === "apiKey" || mode === "unprotected") {
-    return mode;
+function getWarningsForWellKnown(wellKnown) {
+  if (wellKnown === null) {
+    return [
+      {
+        code: AUDIT_CODES.WELLKNOWN_NOT_FOUND,
+        severity: "info",
+        message: "No /.well-known/x402 resource found at this origin.",
+        hint: "Expose /.well-known/x402 as a fallback for agents that cannot read OpenAPI."
+      }
+    ];
   }
-  return void 0;
+  return [];
 }
-async function runOpenApiStage(options) {
+function getWarningsForL2(l2) {
   const warnings = [];
-  const resources = [];
-  let fetchedUrl;
-  let document;
-  for (const path of OPENAPI_PATH_CANDIDATES) {
-    const url = `${options.origin}${path}`;
-    try {
-      const response = await options.fetcher(url, {
-        method: "GET",
-        headers: { Accept: "application/json", ...options.headers },
-        signal: options.signal
+  if (l2.routes.length === 0) {
+    warnings.push({
+      code: AUDIT_CODES.L2_NO_ROUTES,
+      severity: "warn",
+      message: "No routes found from any discovery source."
+    });
+    return warnings;
+  }
+  if (l2.routes.length > ROUTE_COUNT_HIGH) {
+    warnings.push({
+      code: AUDIT_CODES.L2_ROUTE_COUNT_HIGH,
+      severity: "warn",
+      message: `High route count (${l2.routes.length}) may exceed agent token budgets for zero-hop injection.`,
+      hint: "Consider grouping routes or reducing the advertised surface."
+    });
+  }
+  for (const route of l2.routes) {
+    const loc = `${route.method} ${route.path}`;
+    if (!route.authMode) {
+      warnings.push({
+        code: AUDIT_CODES.L2_AUTH_MODE_MISSING,
+        severity: "warn",
+        message: `Route ${loc} is missing an auth mode declaration.`,
+        hint: "Set x-payment-info.authMode (or securitySchemes) so agents know if payment is required.",
+        path: route.path
       });
-      if (!response.ok) {
-        if (response.status !== 404) {
-          warnings.push(
-            warning("FETCH_FAILED", "warn", `OpenAPI fetch failed (${response.status}) at ${url}`, {
-              stage: "openapi"
-            })
-          );
-        }
-        continue;
+    }
+    if (route.authMode === "paid") {
+      if (!route.price) {
+        warnings.push({
+          code: AUDIT_CODES.L2_PRICE_MISSING_ON_PAID,
+          severity: "warn",
+          message: `Paid route ${loc} has no price hint.`,
+          hint: "Add x-payment-info.price (or minPrice/maxPrice) so agents can budget before calling.",
+          path: route.path
+        });
       }
-      const payload = await response.json();
-      if (!isRecord3(payload)) {
-        warnings.push(
-          warning("PARSE_FAILED", "error", `OpenAPI payload at ${url} is not a JSON object`, {
-            stage: "openapi"
-          })
-        );
-        continue;
+      if (!route.protocols?.length) {
+        warnings.push({
+          code: AUDIT_CODES.L2_PROTOCOLS_MISSING_ON_PAID,
+          severity: "info",
+          message: `Paid route ${loc} does not declare supported payment protocols.`,
+          hint: "Add x-payment-info.protocols (e.g. ['x402']) to signal which payment flows are accepted.",
+          path: route.path
+        });
       }
-      document = payload;
-      fetchedUrl = url;
-      break;
-    } catch (error) {
-      warnings.push(
-        warning(
-          "FETCH_FAILED",
-          "warn",
-          `OpenAPI fetch exception at ${url}: ${error instanceof Error ? error.message : String(error)}`,
-          { stage: "openapi" }
-        )
-      );
     }
   }
-  if (!document || !fetchedUrl) {
-    return {
-      stage: "openapi",
-      valid: false,
-      resources: [],
-      warnings
-    };
+  return warnings;
+}
+function getWarningsForL3(l3) {
+  if (l3 === null) {
+    return [
+      {
+        code: AUDIT_CODES.L3_NOT_FOUND,
+        severity: "info",
+        message: "No spec data found for this endpoint.",
+        hint: "Ensure the path is defined in your OpenAPI spec or reachable via probe."
+      }
+    ];
   }
-  const hasTopLevel = typeof document.openapi === "string" && isRecord3(document.info) && typeof document.info.title === "string" && typeof document.info.version === "string" && isRecord3(document.paths);
-  if (!hasTopLevel) {
-    warnings.push(
-      warning("OPENAPI_TOP_LEVEL_INVALID", "error", "OpenAPI required fields are missing", {
-        stage: "openapi"
-      })
-    );
-    return {
-      stage: "openapi",
-      valid: false,
-      resources: [],
-      warnings,
-      links: { openapiUrl: fetchedUrl },
-      ...options.includeRaw ? { raw: document } : {}
-    };
+  const warnings = [];
+  if (!l3.authMode) {
+    warnings.push({
+      code: AUDIT_CODES.L3_AUTH_MODE_MISSING,
+      severity: "warn",
+      message: "Endpoint has no auth mode in the spec.",
+      hint: "Declare auth mode via security schemes or x-payment-info so agents can plan payment."
+    });
   }
-  const paths = document.paths;
-  const provenance = isRecord3(document["x-agentcash-provenance"]) ? document["x-agentcash-provenance"] : void 0;
-  const ownershipProofs = Array.isArray(provenance?.ownershipProofs) ? provenance.ownershipProofs.filter((entry) => typeof entry === "string") : [];
-  const guidance = isRecord3(document["x-agentcash-guidance"]) ? document["x-agentcash-guidance"] : void 0;
-  const llmsTxtUrl = asString(guidance?.llmsTxtUrl);
-  if (ownershipProofs.length > 0) {
-    warnings.push(
-      warning("OPENAPI_OWNERSHIP_PROOFS_PRESENT", "info", "OpenAPI ownership proofs detected", {
-        stage: "openapi"
-      })
-    );
+  if (l3.authMode === "paid" && !l3.inputSchema) {
+    warnings.push({
+      code: AUDIT_CODES.L3_INPUT_SCHEMA_MISSING,
+      severity: "warn",
+      message: "Paid endpoint is missing an input schema.",
+      hint: "Add a requestBody or parameters schema so agents can construct valid payloads."
+    });
   }
-  for (const [rawPath, rawPathItem] of Object.entries(paths)) {
-    if (!isRecord3(rawPathItem)) {
-      warnings.push(
-        warning("OPENAPI_OPERATION_INVALID", "warn", `Path item ${rawPath} is not an object`, {
-          stage: "openapi"
-        })
-      );
-      continue;
-    }
-    for (const [rawMethod, rawOperation] of Object.entries(rawPathItem)) {
-      const method = parseMethod(rawMethod);
-      if (!method) continue;
-      if (!isRecord3(rawOperation)) {
-        warnings.push(
-          warning(
-            "OPENAPI_OPERATION_INVALID",
-            "warn",
-            `${rawMethod.toUpperCase()} ${rawPath} is not an object`,
-            {
-              stage: "openapi"
-            }
-          )
-        );
-        continue;
-      }
-      const operation = rawOperation;
-      const summary = asString(operation.summary) ?? asString(operation.description);
-      if (!summary) {
-        warnings.push(
-          warning(
-            "OPENAPI_SUMMARY_MISSING",
-            "warn",
-            `${method} ${rawPath} missing summary/description, using fallback summary`,
-            { stage: "openapi" }
-          )
-        );
-      }
-      const authMode = parseAuthMode(operation);
-      if (!authMode) {
-        warnings.push(
-          warning(
-            "OPENAPI_AUTH_MODE_MISSING",
-            "error",
-            `${method} ${rawPath} missing x-agentcash-auth.mode`,
-            {
-              stage: "openapi"
-            }
-          )
-        );
-        continue;
-      }
-      if ((authMode === "paid" || authMode === "siwx") && !require402Response(operation)) {
-        warnings.push(
-          warning(
-            "OPENAPI_402_MISSING",
-            "error",
-            `${method} ${rawPath} requires 402 response for authMode=${authMode}`,
-            { stage: "openapi" }
-          )
-        );
-        continue;
-      }
-      const paymentInfo = isRecord3(operation["x-payment-info"]) ? operation["x-payment-info"] : void 0;
-      const protocols = paymentInfo ? parseProtocols(paymentInfo) : [];
-      if (authMode === "paid" && protocols.length === 0) {
-        warnings.push(
-          warning(
-            "OPENAPI_PAID_PROTOCOLS_MISSING",
-            "error",
-            `${method} ${rawPath} must define x-payment-info.protocols when authMode=paid`,
-            { stage: "openapi" }
-          )
-        );
-        continue;
-      }
-      let pricing;
-      let priceHint;
-      if (paymentInfo && authMode === "paid") {
-        const pricingModeRaw = asString(paymentInfo.pricingMode);
-        const price = parsePriceValue(paymentInfo.price);
-        const minPrice = parsePriceValue(paymentInfo.minPrice);
-        const maxPrice = parsePriceValue(paymentInfo.maxPrice);
-        const inferredPricingMode = pricingModeRaw ?? (price ? "fixed" : minPrice && maxPrice ? "range" : "quote");
-        if (inferredPricingMode !== "fixed" && inferredPricingMode !== "range" && inferredPricingMode !== "quote") {
-          warnings.push(
-            warning(
-              "OPENAPI_PRICING_INVALID",
-              "error",
-              `${method} ${rawPath} has invalid pricingMode`,
-              {
-                stage: "openapi"
-              }
-            )
-          );
-          continue;
-        }
-        if (inferredPricingMode === "fixed" && !price) {
-          warnings.push(
-            warning(
-              "OPENAPI_PRICING_INVALID",
-              "error",
-              `${method} ${rawPath} fixed pricing requires price`,
-              {
-                stage: "openapi"
-              }
-            )
-          );
-          continue;
-        }
-        if (inferredPricingMode === "range") {
-          if (!minPrice || !maxPrice) {
-            warnings.push(
-              warning(
-                "OPENAPI_PRICING_INVALID",
-                "error",
-                `${method} ${rawPath} range pricing requires minPrice and maxPrice`,
-                { stage: "openapi" }
-              )
-            );
-            continue;
-          }
-          const min = Number(minPrice);
-          const max = Number(maxPrice);
-          if (!Number.isFinite(min) || !Number.isFinite(max) || min > max) {
-            warnings.push(
-              warning(
-                "OPENAPI_PRICING_INVALID",
-                "error",
-                `${method} ${rawPath} range pricing requires numeric minPrice <= maxPrice`,
-                { stage: "openapi" }
-              )
-            );
-            continue;
-          }
-        }
-        pricing = {
-          pricingMode: inferredPricingMode,
-          ...price ? { price } : {},
-          ...minPrice ? { minPrice } : {},
-          ...maxPrice ? { maxPrice } : {}
-        };
-        priceHint = inferredPricingMode === "fixed" ? price : inferredPricingMode === "range" ? `${minPrice}-${maxPrice}` : maxPrice;
+  if (l3.authMode === "paid" && !l3.protocols?.length) {
+    warnings.push({
+      code: AUDIT_CODES.L3_PROTOCOLS_MISSING_ON_PAID,
+      severity: "info",
+      message: "Paid endpoint does not declare supported payment protocols.",
+      hint: "Add x-payment-info.protocols (e.g. ['x402']) to the operation."
+    });
+  }
+  return warnings;
+}
+function getWarningsForL4(l4) {
+  if (l4 === null) {
+    return [
+      {
+        code: AUDIT_CODES.L4_GUIDANCE_MISSING,
+        severity: "info",
+        message: "No guidance text found (llms.txt or OpenAPI info.guidance).",
+        hint: "Add an info.guidance field to your OpenAPI spec or expose /llms.txt for agent-readable instructions."
       }
-      const resource = createResource(
-        {
-          origin: options.origin,
-          method,
-          path: normalizePath(rawPath),
-          source: "openapi",
-          summary: summary ?? `${method} ${normalizePath(rawPath)}`,
-          authHint: authMode,
-          protocolHints: protocols,
-          ...priceHint ? { priceHint } : {},
-          ...pricing ? { pricing } : {},
-          links: {
-            openapiUrl: fetchedUrl,
-            ...llmsTxtUrl ? { llmsTxtUrl } : {}
-          }
-        },
-        0.95,
-        ownershipProofs.length > 0 ? "ownership_verified" : "origin_hosted"
-      );
-      resources.push(resource);
-    }
+    ];
   }
-  if (llmsTxtUrl) {
-    try {
-      const llmsResponse = await options.fetcher(llmsTxtUrl, {
-        method: "GET",
-        headers: { Accept: "text/plain", ...options.headers },
-        signal: options.signal
-      });
-      if (llmsResponse.ok) {
-        const llmsText = await llmsResponse.text();
-        const tokenCount = estimateTokenCount(llmsText);
-        if (tokenCount > LLMS_TOKEN_WARNING_THRESHOLD) {
-          warnings.push(
-            warning(
-              "LLMSTXT_TOO_LARGE",
-              "warn",
-              `llms.txt estimated ${tokenCount} tokens (threshold ${LLMS_TOKEN_WARNING_THRESHOLD})`,
-              {
-                stage: "openapi",
-                hint: "Keep llms.txt concise and domain-level only."
-              }
-            )
-          );
-        }
-        if (options.includeRaw) {
-          return {
-            stage: "openapi",
-            valid: resources.length > 0,
-            resources,
-            warnings,
-            links: { openapiUrl: fetchedUrl, llmsTxtUrl },
-            raw: {
-              openapi: document,
-              llmsTxt: llmsText
-            }
-          };
-        }
-      } else {
-        warnings.push(
-          warning(
-            "LLMSTXT_FETCH_FAILED",
-            "warn",
-            `llms.txt fetch failed (${llmsResponse.status})`,
-            {
-              stage: "openapi"
-            }
-          )
-        );
+  if (l4.guidance.length > GUIDANCE_TOO_LONG_CHARS) {
+    return [
+      {
+        code: AUDIT_CODES.L4_GUIDANCE_TOO_LONG,
+        severity: "warn",
+        message: `Guidance text is ${l4.guidance.length} characters, which may exceed zero-hop token budgets.`,
+        hint: "Trim guidance to under ~4000 characters for reliable zero-hop context injection."
       }
-    } catch (error) {
-      warnings.push(
-        warning(
-          "LLMSTXT_FETCH_FAILED",
-          "warn",
-          `llms.txt fetch failed: ${error instanceof Error ? error.message : String(error)}`,
-          { stage: "openapi" }
-        )
-      );
-    }
+    ];
   }
+  return [];
+}
+
+// src/core/source/probe/index.ts
+import { ResultAsync as ResultAsync4 } from "neverthrow";
+
+// src/core/protocols/x402/v1/schema.ts
+function extractSchemas(accepts) {
+  const first = accepts[0];
+  if (!isRecord(first)) return {};
+  const outputSchema = isRecord(first.outputSchema) ? first.outputSchema : void 0;
   return {
-    stage: "openapi",
-    valid: resources.length > 0,
-    resources,
-    warnings,
-    links: {
-      openapiUrl: fetchedUrl,
-      ...llmsTxtUrl ? { llmsTxtUrl } : {}
-    },
-    ...options.includeRaw ? { raw: { openapi: document } } : {}
+    ...outputSchema && isRecord(outputSchema.input) ? { inputSchema: outputSchema.input } : {},
+    ...outputSchema && isRecord(outputSchema.output) ? { outputSchema: outputSchema.output } : {}
   };
 }
 
-// src/core/probe.ts
-function detectAuthHintFrom402Payload(payload) {
-  if (payload && typeof payload === "object") {
-    const asRecord = payload;
-    const extensions = asRecord.extensions;
-    if (extensions && typeof extensions === "object") {
-      const extRecord = extensions;
-      if (extRecord["sign-in-with-x"]) return "siwx";
-    }
+// src/core/protocols/x402/shared.ts
+function asNonEmptyString(value) {
+  if (typeof value !== "string") return void 0;
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : void 0;
+}
+function asPositiveNumber(value) {
+  return typeof value === "number" && Number.isFinite(value) && value > 0 ? value : void 0;
+}
+
+// src/core/protocols/x402/v1/payment-options.ts
+function extractPaymentOptions(accepts) {
+  return accepts.flatMap((accept) => {
+    if (!isRecord(accept)) return [];
+    const network = asNonEmptyString(accept.network);
+    const asset = asNonEmptyString(accept.asset);
+    const maxAmountRequired = asNonEmptyString(accept.maxAmountRequired);
+    if (!network || !asset || !maxAmountRequired) return [];
+    const scheme = asNonEmptyString(accept.scheme);
+    const payTo = asNonEmptyString(accept.payTo);
+    const maxTimeoutSeconds = asPositiveNumber(accept.maxTimeoutSeconds);
+    return [
+      {
+        protocol: "x402",
+        version: 1,
+        network,
+        asset,
+        maxAmountRequired,
+        ...scheme ? { scheme } : {},
+        ...payTo ? { payTo } : {},
+        ...maxTimeoutSeconds ? { maxTimeoutSeconds } : {}
+      }
+    ];
+  });
+}
+
+// src/core/protocols/x402/v2/schema.ts
+function extractSchemas2(payload) {
+  if (!isRecord(payload)) return {};
+  const extensions = isRecord(payload.extensions) ? payload.extensions : void 0;
+  const bazaar = extensions && isRecord(extensions.bazaar) ? extensions.bazaar : void 0;
+  const schema = bazaar && isRecord(bazaar.schema) ? bazaar.schema : void 0;
+  if (!schema) return {};
+  const schemaProps = isRecord(schema.properties) ? schema.properties : void 0;
+  if (!schemaProps) return {};
+  const inputProps = isRecord(schemaProps.input) ? schemaProps.input : void 0;
+  const inputProperties = inputProps && isRecord(inputProps.properties) ? inputProps.properties : void 0;
+  const inputSchema = (inputProperties && isRecord(inputProperties.body) ? inputProperties.body : void 0) ?? (inputProperties && isRecord(inputProperties.queryParams) ? inputProperties.queryParams : void 0);
+  const outputProps = isRecord(schemaProps.output) ? schemaProps.output : void 0;
+  const outputProperties = outputProps && isRecord(outputProps.properties) ? outputProps.properties : void 0;
+  const outputSchema = outputProperties && isRecord(outputProperties.example) ? outputProperties.example : void 0;
+  return {
+    ...inputSchema ? { inputSchema } : {},
+    ...outputSchema ? { outputSchema } : {}
+  };
+}
+
+// src/core/protocols/x402/v2/payment-options.ts
+function extractPaymentOptions2(accepts) {
+  return accepts.flatMap((accept) => {
+    if (!isRecord(accept)) return [];
+    const network = asNonEmptyString(accept.network);
+    const asset = asNonEmptyString(accept.asset);
+    const amount = asNonEmptyString(accept.amount);
+    if (!network || !asset || !amount) return [];
+    const scheme = asNonEmptyString(accept.scheme);
+    const payTo = asNonEmptyString(accept.payTo);
+    const maxTimeoutSeconds = asPositiveNumber(accept.maxTimeoutSeconds);
+    return [
+      {
+        protocol: "x402",
+        version: 2,
+        network,
+        asset,
+        amount,
+        ...scheme ? { scheme } : {},
+        ...payTo ? { payTo } : {},
+        ...maxTimeoutSeconds ? { maxTimeoutSeconds } : {}
+      }
+    ];
+  });
+}
+
+// src/core/protocols/x402/index.ts
+function parseVersion(payload) {
+  if (!isRecord(payload)) return void 0;
+  const v = payload.x402Version;
+  if (v === 1 || v === 2) return v;
+  return void 0;
+}
+function detectAuthHint(payload) {
+  if (isRecord(payload) && isRecord(payload.extensions)) {
+    if (payload.extensions["api-key"]) return "apiKey+paid";
+    if (payload.extensions["sign-in-with-x"]) return "siwx";
   }
   return "paid";
 }
+function extractPaymentOptions3(payload) {
+  if (!isRecord(payload)) return [];
+  const version = parseVersion(payload);
+  const accepts = Array.isArray(payload.accepts) ? payload.accepts : [];
+  if (version === 1) return extractPaymentOptions(accepts);
+  if (version === 2) return extractPaymentOptions2(accepts);
+  return [];
+}
+function extractSchemas3(payload) {
+  if (!isRecord(payload)) return {};
+  const version = parseVersion(payload);
+  if (version === 2) return extractSchemas2(payload);
+  if (version === 1) {
+    const accepts = Array.isArray(payload.accepts) ? payload.accepts : [];
+    return extractSchemas(accepts);
+  }
+  return {};
+}
+function parseInputSchema(payload) {
+  return extractSchemas3(payload).inputSchema;
+}
+function parseOutputSchema(payload) {
+  return extractSchemas3(payload).outputSchema;
+}
+
+// src/core/protocols/x402/v1/parse-payment-required.ts
+async function parsePaymentRequiredBody(response) {
+  const payload = await response.clone().json();
+  if (!isRecord(payload) || payload.x402Version !== 1) return null;
+  return payload;
+}
+
+// src/core/protocols/x402/v2/parse-payment-required.ts
+function parsePaymentRequiredBody2(headerValue) {
+  const payload = JSON.parse(atob(headerValue));
+  if (!isRecord(payload) || payload.x402Version !== 2) return null;
+  return payload;
+}
+
+// src/core/source/probe/index.ts
+function isUsableStatus(status) {
+  return status === 402 || status >= 200 && status < 300;
+}
 function detectProtocols(response) {
   const protocols = /* @__PURE__ */ new Set();
   const directHeader = response.headers.get("x-payment-protocol");
@@ -1568,767 +655,548 @@ function detectProtocols(response) {
   if (isMmmEnabled() && authHeader.includes("mpp")) protocols.add("mpp");
   return [...protocols];
 }
-async function runProbeStage(options) {
-  const candidates = options.probeCandidates ?? [];
-  if (candidates.length === 0) {
-    return {
-      stage: "probe",
-      valid: false,
-      resources: [],
-      warnings: [
-        warning(
-          "PROBE_STAGE_SKIPPED",
-          "info",
-          "Probe stage skipped because no probe candidates were provided.",
-          { stage: "probe" }
-        )
-      ]
-    };
+function buildProbeUrl(url, method, inputBody) {
+  if (!inputBody || method !== "GET" && method !== "HEAD") return url;
+  const u = new URL(url);
+  for (const [key, value] of Object.entries(inputBody)) {
+    u.searchParams.set(key, String(value));
   }
-  const resources = [];
-  const warnings = [];
-  for (const candidate of candidates) {
-    const path = normalizePath(candidate.path);
-    const methods = candidate.methods?.length ? candidate.methods : DEFAULT_PROBE_METHODS;
-    for (const method of methods) {
-      const url = `${options.origin}${path}`;
-      try {
-        const response = await options.fetcher(url, {
-          method,
-          headers: {
-            Accept: "application/json, text/plain;q=0.9, */*;q=0.8",
-            ...options.headers
-          },
-          signal: options.signal
-        });
-        if (response.status !== 402 && (response.status < 200 || response.status >= 300)) {
-          continue;
-        }
+  return u.toString();
+}
+function probeMethod(url, method, path, headers, signal, inputBody) {
+  const hasBody = inputBody !== void 0 && method !== "GET" && method !== "HEAD";
+  const probeUrl = buildProbeUrl(url, method, inputBody);
+  return fetchSafe(probeUrl, {
+    method,
+    headers: {
+      Accept: "application/json, text/plain;q=0.9, */*;q=0.8",
+      ...hasBody ? { "Content-Type": "application/json" } : {},
+      ...headers
+    },
+    ...hasBody ? { body: JSON.stringify(inputBody) } : {},
+    signal
+  }).andThen((response) => {
+    if (!isUsableStatus(response.status)) return ResultAsync4.fromSafePromise(Promise.resolve(null));
+    return ResultAsync4.fromSafePromise(
+      (async () => {
         let authHint = response.status === 402 ? "paid" : "unprotected";
+        let paymentRequiredBody;
         if (response.status === 402) {
           try {
-            const payload = await response.clone().json();
-            authHint = detectAuthHintFrom402Payload(payload);
+            const headerValue = response.headers.get("payment-required");
+            const parsed = headerValue !== null ? parsePaymentRequiredBody2(headerValue) : await parsePaymentRequiredBody(response);
+            if (parsed !== null) {
+              paymentRequiredBody = parsed;
+              authHint = detectAuthHint(paymentRequiredBody);
+            }
           } catch {
           }
         }
-        const protocolHints = detectProtocols(response);
-        resources.push(
-          createResource(
-            {
-              origin: options.origin,
-              method,
-              path,
-              source: "probe",
-              summary: `${method} ${path}`,
-              authHint,
-              ...protocolHints.length ? { protocolHints } : {}
-            },
-            0.6,
-            "runtime_verified"
-          )
-        );
-      } catch (error) {
-        warnings.push(
-          warning(
-            "FETCH_FAILED",
-            "info",
-            `Probe ${method} ${path} failed: ${error instanceof Error ? error.message : String(error)}`,
-            { stage: "probe" }
-          )
-        );
-      }
-    }
-  }
-  return {
-    stage: "probe",
-    valid: resources.length > 0,
-    resources,
-    warnings
-  };
+        const protocols = detectProtocols(response);
+        const wwwAuthenticate = response.headers.get("www-authenticate") ?? void 0;
+        return {
+          path,
+          method,
+          authHint,
+          ...protocols.length ? { protocols } : {},
+          ...paymentRequiredBody !== void 0 ? { paymentRequiredBody } : {},
+          ...wwwAuthenticate ? { wwwAuthenticate } : {}
+        };
+      })()
+    );
+  });
 }
-
-// src/core/upgrade.ts
-var UPGRADE_WARNING_CODES = [
-  "LEGACY_WELL_KNOWN_USED",
-  "LEGACY_DNS_USED",
-  "LEGACY_DNS_PLAIN_URL",
-  "LEGACY_INSTRUCTIONS_USED",
-  "LEGACY_OWNERSHIP_PROOFS_USED",
-  "OPENAPI_AUTH_MODE_MISSING",
-  "OPENAPI_TOP_LEVEL_INVALID"
-];
-var UPGRADE_WARNING_CODE_SET = new Set(UPGRADE_WARNING_CODES);
-function computeUpgradeSignal(warnings) {
-  const reasons = warnings.map((entry) => entry.code).filter((code, index, list) => list.indexOf(code) === index).filter((code) => UPGRADE_WARNING_CODE_SET.has(code));
-  return {
-    upgradeSuggested: reasons.length > 0,
-    upgradeReasons: reasons
-  };
+function getProbe(url, headers, signal, inputBody) {
+  const path = normalizePath(new URL(url).pathname || "/");
+  return ResultAsync4.fromSafePromise(
+    Promise.all(
+      [...HTTP_METHODS].map(
+        (method) => probeMethod(url, method, path, headers, signal, inputBody).match(
+          (result) => result,
+          () => null
+        )
+      )
+    ).then((results) => results.filter((r) => r !== null))
+  );
 }
 
-// src/core/discovery.ts
-function mergeResources(target, incoming, resourceWarnings) {
-  const warnings = [];
-  for (const resource of incoming) {
-    const existing = target.get(resource.resourceKey);
-    if (!existing) {
-      target.set(resource.resourceKey, resource);
-      continue;
-    }
-    const conflict = existing.authHint !== resource.authHint || existing.priceHint !== resource.priceHint || JSON.stringify(existing.protocolHints ?? []) !== JSON.stringify(resource.protocolHints ?? []);
-    if (conflict) {
-      const conflictWarning = warning(
-        "CROSS_SOURCE_CONFLICT",
-        "warn",
-        `Resource conflict for ${resource.resourceKey}; keeping higher-precedence source ${existing.source} over ${resource.source}.`,
-        {
-          resourceKey: resource.resourceKey
-        }
-      );
-      warnings.push(conflictWarning);
-      resourceWarnings[resource.resourceKey] = [
-        ...resourceWarnings[resource.resourceKey] ?? [],
-        conflictWarning
-      ];
-      continue;
-    }
-    target.set(resource.resourceKey, {
-      ...existing,
-      summary: existing.summary ?? resource.summary,
-      links: { ...resource.links, ...existing.links },
-      confidence: Math.max(existing.confidence ?? 0, resource.confidence ?? 0)
-    });
-  }
-  return warnings;
-}
-function toTrace(stageResult, startedAt) {
-  return {
-    stage: stageResult.stage,
-    attempted: true,
-    valid: stageResult.valid,
-    resourceCount: stageResult.resources.length,
-    durationMs: Date.now() - startedAt,
-    warnings: stageResult.warnings,
-    ...stageResult.links ? { links: stageResult.links } : {}
-  };
-}
-async function runOverrideStage(options) {
-  const warnings = [];
-  for (const overrideUrl of options.overrideUrls) {
-    const normalized = overrideUrl.trim();
-    if (!normalized) continue;
+// src/core/protocols/mpp/index.ts
+var TEMPO_DEFAULT_CHAIN_ID = 4217;
+function parseAuthParams(segment) {
+  const params = {};
+  const re = /(\w+)=(?:"([^"]*)"|'([^']*)')/g;
+  let match;
+  while ((match = re.exec(segment)) !== null) {
+    params[match[1]] = match[2] ?? match[3] ?? "";
+  }
+  return params;
+}
+function extractPaymentOptions4(wwwAuthenticate) {
+  if (!isMmmEnabled() || !wwwAuthenticate) return [];
+  const options = [];
+  for (const segment of wwwAuthenticate.split(/,\s*(?=Payment\s)/i)) {
+    const stripped = segment.replace(/^Payment\s+/i, "").trim();
+    const params = parseAuthParams(stripped);
+    const paymentMethod = params["method"];
+    const intent = params["intent"];
+    const realm = params["realm"];
+    const description = params["description"];
+    const requestStr = params["request"];
+    if (!paymentMethod || !intent || !realm || !requestStr) continue;
+    let request;
     try {
-      const response = await options.fetcher(normalized, {
-        method: "GET",
-        headers: { Accept: "application/json, text/plain;q=0.9", ...options.headers },
-        signal: options.signal
-      });
-      if (!response.ok) {
-        warnings.push(
-          warning(
-            "FETCH_FAILED",
-            "warn",
-            `Override fetch failed (${response.status}) at ${normalized}`,
-            {
-              stage: "override"
-            }
-          )
-        );
-        continue;
-      }
-      const bodyText = await response.text();
-      let parsedJson;
-      try {
-        parsedJson = JSON.parse(bodyText);
-      } catch {
-        parsedJson = void 0;
-      }
-      if (parsedJson && typeof parsedJson === "object" && !Array.isArray(parsedJson) && "openapi" in parsedJson && "paths" in parsedJson) {
-        const openapiResult = await runOpenApiStage({
-          origin: options.origin,
-          fetcher: async (input, init) => {
-            const inputString = String(input);
-            if (inputString === `${options.origin}/openapi.json` || inputString === `${options.origin}/.well-known/openapi.json`) {
-              return new Response(bodyText, {
-                status: 200,
-                headers: { "content-type": "application/json" }
-              });
-            }
-            return options.fetcher(input, init);
-          },
-          headers: options.headers,
-          signal: options.signal,
-          includeRaw: options.includeRaw
-        });
-        return {
-          ...openapiResult,
-          stage: "override",
-          warnings: [
-            warning("OVERRIDE_USED", "info", `Using explicit override source ${normalized}`, {
-              stage: "override"
-            }),
-            ...openapiResult.warnings
-          ]
-        };
-      }
-      if (parsedJson && typeof parsedJson === "object" && !Array.isArray(parsedJson)) {
-        const parsedWellKnown = parseWellKnownPayload(parsedJson, options.origin, normalized);
-        if (parsedWellKnown.resources.length > 0) {
-          return {
-            stage: "override",
-            valid: true,
-            resources: parsedWellKnown.resources,
-            warnings: [
-              warning("OVERRIDE_USED", "info", `Using explicit override source ${normalized}`, {
-                stage: "override"
-              }),
-              ...parsedWellKnown.warnings
-            ],
-            links: { discoveryUrl: normalized },
-            ...options.includeRaw ? { raw: parsedWellKnown.raw } : {}
-          };
-        }
-      }
-    } catch (error) {
-      warnings.push(
-        warning(
-          "FETCH_FAILED",
-          "warn",
-          `Override fetch exception at ${normalized}: ${error instanceof Error ? error.message : String(error)}`,
-          { stage: "override" }
-        )
-      );
+      const parsed = JSON.parse(requestStr);
+      if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) continue;
+      request = parsed;
+    } catch {
       continue;
     }
-    const fallbackWellKnownResult = await runWellKnownX402Stage({
-      origin: options.origin,
-      url: normalized,
-      fetcher: options.fetcher,
-      headers: options.headers,
-      signal: options.signal,
-      includeRaw: options.includeRaw
+    const asset = typeof request["currency"] === "string" ? request["currency"] : void 0;
+    const amountRaw = request["amount"];
+    const amount = typeof amountRaw === "string" ? amountRaw : typeof amountRaw === "number" ? String(amountRaw) : void 0;
+    const decimals = typeof request["decimals"] === "number" ? request["decimals"] : void 0;
+    const payTo = typeof request["recipient"] === "string" ? request["recipient"] : void 0;
+    const methodDetails = request["methodDetails"];
+    const chainId = methodDetails !== null && typeof methodDetails === "object" && !Array.isArray(methodDetails) && typeof methodDetails["chainId"] === "number" ? methodDetails["chainId"] : TEMPO_DEFAULT_CHAIN_ID;
+    if (!asset || !amount) continue;
+    options.push({
+      protocol: "mpp",
+      // isMmmEnabled
+      paymentMethod,
+      intent,
+      realm,
+      network: `tempo:${String(chainId)}`,
+      // isMmmEnabled
+      asset,
+      amount,
+      ...decimals != null ? { decimals } : {},
+      ...payTo ? { payTo } : {},
+      ...description ? { description } : {}
     });
-    if (fallbackWellKnownResult.valid) {
-      return {
-        ...fallbackWellKnownResult,
-        stage: "override",
-        warnings: [
-          warning("OVERRIDE_USED", "info", `Using explicit override source ${normalized}`, {
-            stage: "override"
-          }),
-          ...fallbackWellKnownResult.warnings
-        ]
-      };
-    }
-    warnings.push(...fallbackWellKnownResult.warnings);
   }
-  return {
-    stage: "override",
-    valid: false,
-    resources: [],
-    warnings
-  };
+  return options;
 }
-async function runDiscovery({
-  detailed,
-  options
-}) {
-  const fetcher = options.fetcher ?? fetch;
-  const compatMode = options.compatMode ?? DEFAULT_COMPAT_MODE;
-  const strictCompat = compatMode === "strict";
-  const rawView = detailed ? options.rawView ?? "none" : "none";
-  const includeRaw = rawView === "full";
-  const includeInteropMpp = detailed && Boolean(options.includeInteropMpp);
-  const origin = normalizeOrigin(options.target);
-  const warnings = [];
-  const trace = [];
-  const resourceWarnings = {};
-  const rawSources = {};
-  const merged = /* @__PURE__ */ new Map();
-  if (compatMode !== "off") {
-    warnings.push(
-      warning(
-        "COMPAT_MODE_ENABLED",
-        compatMode === "strict" ? "warn" : "info",
-        `Compatibility mode is '${compatMode}'. Legacy adapters are active.`
-      )
-    );
-  }
-  const stages = [];
-  if (options.overrideUrls && options.overrideUrls.length > 0) {
-    stages.push(
-      () => runOverrideStage({
-        origin,
-        overrideUrls: options.overrideUrls ?? [],
-        fetcher,
-        headers: options.headers,
-        signal: options.signal,
-        includeRaw
-      })
-    );
-  }
-  stages.push(
-    () => runOpenApiStage({
-      origin,
-      fetcher,
-      headers: options.headers,
-      signal: options.signal,
-      includeRaw
-    })
-  );
-  if (compatMode !== "off") {
-    stages.push(
-      () => runWellKnownX402Stage({
-        origin,
-        fetcher,
-        headers: options.headers,
-        signal: options.signal,
-        includeRaw
-      })
-    );
-    stages.push(
-      () => runDnsStage({
-        origin,
-        fetcher,
-        txtResolver: options.txtResolver,
-        headers: options.headers,
-        signal: options.signal,
-        includeRaw
-      })
-    );
-    if (includeInteropMpp && isMmmEnabled()) {
-      stages.push(
-        () => runInteropMppStage({
-          origin,
-          fetcher,
-          headers: options.headers,
-          signal: options.signal,
-          includeRaw
-        })
-      );
+
+// src/core/layers/l3.ts
+function findMatchingOpenApiPath(paths, targetPath) {
+  const exact = paths[targetPath];
+  if (isRecord(exact)) return { matchedPath: targetPath, pathItem: exact };
+  for (const [specPath, entry] of Object.entries(paths)) {
+    if (!isRecord(entry)) continue;
+    const pattern = specPath.replace(/\{[^}]+\}/g, "[^/]+");
+    const regex = new RegExp(`^${pattern}$`);
+    if (regex.test(targetPath)) {
+      return { matchedPath: specPath, pathItem: entry };
     }
   }
-  stages.push(
-    () => runProbeStage({
-      origin,
-      fetcher,
-      headers: options.headers,
-      signal: options.signal,
-      probeCandidates: options.probeCandidates
-    })
-  );
-  let selectedStage;
-  for (const runStage of stages) {
-    const startedAt = Date.now();
-    const stageResult = await runStage();
-    stageResult.warnings = applyStrictEscalation(stageResult.warnings, strictCompat);
-    trace.push(toTrace(stageResult, startedAt));
-    warnings.push(...stageResult.warnings);
-    if (stageResult.resources.length > 0) {
-      for (const stageWarning of stageResult.warnings) {
-        if (stageWarning.resourceKey) {
-          resourceWarnings[stageWarning.resourceKey] = [
-            ...resourceWarnings[stageWarning.resourceKey] ?? [],
-            stageWarning
-          ];
-        }
+  return null;
+}
+function resolveRef(document, ref, seen) {
+  if (!ref.startsWith("#/")) return void 0;
+  if (seen.has(ref)) return { $circular: ref };
+  seen.add(ref);
+  const parts = ref.slice(2).split("/");
+  let current = document;
+  for (const part of parts) {
+    if (!isRecord(current)) return void 0;
+    current = current[part];
+    if (current === void 0) return void 0;
+  }
+  if (isRecord(current)) return resolveRefs(document, current, seen);
+  return current;
+}
+function resolveRefs(document, obj, seen, depth = 0) {
+  if (depth > 4) return obj;
+  const resolved = {};
+  for (const [key, value] of Object.entries(obj)) {
+    if (key === "$ref" && typeof value === "string") {
+      const deref = resolveRef(document, value, seen);
+      if (isRecord(deref)) {
+        Object.assign(resolved, deref);
+      } else {
+        resolved[key] = value;
       }
+      continue;
     }
-    if (!stageResult.valid) {
+    if (isRecord(value)) {
+      resolved[key] = resolveRefs(document, value, seen, depth + 1);
       continue;
     }
-    const mergeWarnings = mergeResources(merged, stageResult.resources, resourceWarnings);
-    warnings.push(...mergeWarnings);
-    if (includeRaw && stageResult.raw !== void 0) {
-      if (stageResult.stage === "openapi" || stageResult.stage === "override") {
-        const rawObject = stageResult.raw;
-        if (rawObject.openapi !== void 0) rawSources.openapi = rawObject.openapi;
-        if (typeof rawObject.llmsTxt === "string") rawSources.llmsTxt = rawObject.llmsTxt;
-      }
-      if (stageResult.stage === "well-known/x402" || stageResult.stage === "override") {
-        rawSources.wellKnownX402 = [...rawSources.wellKnownX402 ?? [], stageResult.raw];
-      }
-      if (stageResult.stage === "dns/_x402") {
-        const rawObject = stageResult.raw;
-        if (Array.isArray(rawObject.dnsRecords)) {
-          rawSources.dnsRecords = rawObject.dnsRecords;
-        }
-      }
-      if (stageResult.stage === "interop/mpp") {
-        rawSources.interopMpp = stageResult.raw;
-      }
+    if (Array.isArray(value)) {
+      resolved[key] = value.map(
+        (item) => isRecord(item) ? resolveRefs(document, item, seen, depth + 1) : item
+      );
+      continue;
     }
-    if (!detailed) {
-      selectedStage = selectedStage ?? stageResult.stage;
-      break;
+    resolved[key] = value;
+  }
+  return resolved;
+}
+function extractRequestBodySchema(operationSchema) {
+  const requestBody = operationSchema.requestBody;
+  if (!isRecord(requestBody)) return void 0;
+  const content = requestBody.content;
+  if (!isRecord(content)) return void 0;
+  const jsonMediaType = content["application/json"];
+  if (isRecord(jsonMediaType) && isRecord(jsonMediaType.schema)) {
+    return jsonMediaType.schema;
+  }
+  for (const mediaType of Object.values(content)) {
+    if (isRecord(mediaType) && isRecord(mediaType.schema)) {
+      return mediaType.schema;
     }
   }
-  if (merged.size === 0) {
-    warnings.push(
-      warning(
-        "NO_DISCOVERY_SOURCES",
-        "error",
-        "No discovery stage returned first-valid-non-empty results."
-      )
-    );
-  }
-  const dedupedWarnings = dedupeWarnings(warnings);
-  const upgradeSignal = computeUpgradeSignal(dedupedWarnings);
-  const resources = [...merged.values()];
-  if (!detailed) {
-    return {
-      origin,
-      resources,
-      warnings: dedupedWarnings,
-      compatMode,
-      ...upgradeSignal,
-      ...selectedStage ? { selectedStage } : {}
-    };
-  }
+  return void 0;
+}
+function extractParameters(operationSchema) {
+  const params = operationSchema.parameters;
+  if (!Array.isArray(params)) return [];
+  return params.filter((value) => isRecord(value));
+}
+function extractInputSchema(operationSchema) {
+  const requestBody = extractRequestBodySchema(operationSchema);
+  const parameters = extractParameters(operationSchema);
+  if (!requestBody && parameters.length === 0) return void 0;
+  if (requestBody && parameters.length === 0) return requestBody;
   return {
-    origin,
-    resources,
-    warnings: dedupedWarnings,
-    compatMode,
-    ...upgradeSignal,
-    selectedStage: trace.find((entry) => entry.valid)?.stage,
-    trace,
-    resourceWarnings,
-    ...includeRaw ? { rawSources } : {}
+    ...requestBody ? { requestBody } : {},
+    ...parameters.length > 0 ? { parameters } : {}
   };
 }
-
-// src/validation/payment-required.ts
-import { parsePaymentRequired } from "@x402/core/schemas";
-
-// src/harness.ts
-var INTENT_TRIGGERS = ["x402", "mpp", "pay for", "micropayment", "agentic commerce"];
-var CLIENT_PROFILES = {
-  "claude-code": {
-    id: "claude-code",
-    label: "Claude Code MCP Harness",
-    surface: "mcp",
-    defaultContextWindowTokens: 2e5,
-    zeroHopBudgetPercent: 0.1,
-    notes: "Targets environments where MCP context can use roughly 10% of total context."
-  },
-  "skill-cli": {
-    id: "skill-cli",
-    label: "Skill + CLI Harness",
-    surface: "skill-cli",
-    defaultContextWindowTokens: 2e5,
-    zeroHopBudgetPercent: 0.02,
-    notes: "Targets constrained skill contexts with title/description-heavy routing."
-  },
-  "generic-mcp": {
-    id: "generic-mcp",
-    label: "Generic MCP Harness",
-    surface: "mcp",
-    defaultContextWindowTokens: 128e3,
-    zeroHopBudgetPercent: 0.05,
-    notes: "Conservative MCP profile when specific client budgets are unknown."
-  },
-  generic: {
-    id: "generic",
-    label: "Generic Agent Harness",
-    surface: "generic",
-    defaultContextWindowTokens: 128e3,
-    zeroHopBudgetPercent: 0.03,
-    notes: "Fallback profile for unknown clients."
+function parseOperationPrice(operation) {
+  const paymentInfo = operation["x-payment-info"];
+  if (!isRecord(paymentInfo)) return void 0;
+  function toFiniteNumber(value) {
+    if (typeof value === "number" && Number.isFinite(value)) return value;
+    if (typeof value === "string" && value.trim().length > 0) {
+      const parsed = Number(value);
+      if (Number.isFinite(parsed)) return parsed;
+    }
+    return void 0;
   }
-};
-function isFirstPartyDomain(hostname) {
-  const normalized = hostname.toLowerCase();
-  return normalized.endsWith(".dev") && normalized.startsWith("stable");
+  const fixed = toFiniteNumber(paymentInfo.price);
+  if (fixed != null) return `$${String(fixed)}`;
+  const min = toFiniteNumber(paymentInfo.minPrice);
+  const max = toFiniteNumber(paymentInfo.maxPrice);
+  if (min != null && max != null) return `$${String(min)}-$${String(max)}`;
+  return void 0;
 }
-function safeHostname(origin) {
-  try {
-    return new URL(origin).hostname;
-  } catch {
-    return origin.replace(/^https?:\/\//, "").split("/")[0] ?? origin;
-  }
+function parseOperationProtocols(operation) {
+  const paymentInfo = operation["x-payment-info"];
+  if (!isRecord(paymentInfo) || !Array.isArray(paymentInfo.protocols)) return void 0;
+  const protocols = paymentInfo.protocols.filter(
+    (protocol) => typeof protocol === "string" && protocol.length > 0 && (protocol !== "mpp" || isMmmEnabled())
+  );
+  return protocols.length > 0 ? protocols : void 0;
+}
+function getL3ForOpenAPI(openApi, path, method) {
+  const document = openApi.raw;
+  const paths = isRecord(document.paths) ? document.paths : void 0;
+  if (!paths) return null;
+  const matched = findMatchingOpenApiPath(paths, path);
+  if (!matched) return null;
+  const operation = matched.pathItem[method.toLowerCase()];
+  if (!isRecord(operation)) return null;
+  const resolvedOperation = resolveRefs(document, operation, /* @__PURE__ */ new Set());
+  const summary = typeof resolvedOperation.summary === "string" ? resolvedOperation.summary : typeof resolvedOperation.description === "string" ? resolvedOperation.description : void 0;
+  return {
+    source: "openapi",
+    ...summary ? { summary } : {},
+    authMode: inferAuthMode(resolvedOperation) ?? void 0,
+    estimatedPrice: parseOperationPrice(resolvedOperation),
+    protocols: parseOperationProtocols(resolvedOperation),
+    inputSchema: extractInputSchema(resolvedOperation),
+    outputSchema: resolvedOperation
+  };
 }
-function previewText(text) {
-  if (!text) return null;
-  const compact = text.replace(/\s+/g, " ").trim();
-  if (!compact) return null;
-  return compact.length > 220 ? `${compact.slice(0, 217)}...` : compact;
-}
-function toAuthModeCount(resources) {
-  const counts = {
-    paid: 0,
-    siwx: 0,
-    apiKey: 0,
-    unprotected: 0,
-    unknown: 0
+function getL3ForProbe(probe, path, method) {
+  const probeResult = probe.find((r) => r.path === path && r.method === method);
+  if (!probeResult) return null;
+  const inputSchema = probeResult.paymentRequiredBody ? parseInputSchema(probeResult.paymentRequiredBody) : void 0;
+  const outputSchema = probeResult.paymentRequiredBody ? parseOutputSchema(probeResult.paymentRequiredBody) : void 0;
+  const paymentOptions = [
+    ...probeResult.paymentRequiredBody ? extractPaymentOptions3(probeResult.paymentRequiredBody) : [],
+    ...isMmmEnabled() ? extractPaymentOptions4(probeResult.wwwAuthenticate) : []
+    // isMmmEnabled
+  ];
+  return {
+    source: "probe",
+    authMode: probeResult.authHint,
+    ...probeResult.protocols?.length ? { protocols: probeResult.protocols } : {},
+    ...inputSchema ? { inputSchema } : {},
+    ...outputSchema ? { outputSchema } : {},
+    ...paymentOptions.length ? { paymentOptions } : {}
   };
-  for (const resource of resources) {
-    const mode = resource.authHint;
-    if (mode === "paid" || mode === "siwx" || mode === "apiKey" || mode === "unprotected") {
-      counts[mode] += 1;
-    } else {
-      counts.unknown += 1;
-    }
-  }
-  return counts;
 }
-function toSourceCount(resources) {
-  return resources.reduce(
-    (acc, resource) => {
-      acc[resource.source] = (acc[resource.source] ?? 0) + 1;
-      return acc;
-    },
-    {}
-  );
+
+// src/runtime/check-endpoint.ts
+function getAdvisoriesForOpenAPI(openApi, path) {
+  return [...HTTP_METHODS].flatMap((method) => {
+    const l3 = getL3ForOpenAPI(openApi, path, method);
+    return l3 ? [{ method, ...l3 }] : [];
+  });
 }
-function toL2Entries(resources) {
-  return [...resources].sort((a, b) => {
-    if (a.path !== b.path) return a.path.localeCompare(b.path);
-    if (a.method !== b.method) return a.method.localeCompare(b.method);
-    return a.resourceKey.localeCompare(b.resourceKey);
-  }).map((resource) => ({
-    resourceKey: resource.resourceKey,
-    method: resource.method,
-    path: resource.path,
-    source: resource.source,
-    authMode: resource.authHint ?? null
-  }));
+function getAdvisoriesForProbe(probe, path) {
+  return [...HTTP_METHODS].flatMap((method) => {
+    const l3 = getL3ForProbe(probe, path, method);
+    return l3 ? [{ method, ...l3 }] : [];
+  });
 }
-function getLlmsTxtInfo(result) {
-  const llmsTxtUrl = result.trace.find((entry) => entry.links?.llmsTxtUrl)?.links?.llmsTxtUrl ?? result.resources.find((resource) => resource.links?.llmsTxtUrl)?.links?.llmsTxtUrl ?? null;
-  const llmsTxt = result.rawSources?.llmsTxt;
-  if (llmsTxt) {
+async function checkEndpointSchema(options) {
+  const endpoint = new URL(options.url);
+  const origin = normalizeOrigin(endpoint.origin);
+  const path = normalizePath(endpoint.pathname || "/");
+  if (options.sampleInputBody !== void 0) {
+    const probeResult2 = await getProbe(
+      options.url,
+      options.headers,
+      options.signal,
+      options.sampleInputBody
+    );
+    if (probeResult2.isErr()) {
+      return {
+        found: false,
+        origin,
+        path,
+        cause: probeResult2.error.cause,
+        message: probeResult2.error.message
+      };
+    }
+    const advisories2 = getAdvisoriesForProbe(probeResult2.value, path);
+    if (advisories2.length > 0) return { found: true, origin, path, advisories: advisories2 };
+    return { found: false, origin, path, cause: "not_found" };
+  }
+  const openApiResult = await getOpenAPI(origin, options.headers, options.signal);
+  const openApi = openApiResult.isOk() ? openApiResult.value : null;
+  if (openApi) {
+    const advisories2 = getAdvisoriesForOpenAPI(openApi, path);
+    if (advisories2.length > 0) return { found: true, origin, path, advisories: advisories2 };
+    return { found: false, origin, path, cause: "not_found" };
+  }
+  const probeResult = await getProbe(options.url, options.headers, options.signal);
+  if (probeResult.isErr()) {
     return {
-      llmsTxtUrl,
-      llmsTxtTokenEstimate: estimateTokenCount(llmsTxt),
-      guidancePreview: previewText(llmsTxt),
-      guidanceStatus: "present"
+      found: false,
+      origin,
+      path,
+      cause: probeResult.error.cause,
+      message: probeResult.error.message
     };
   }
-  if (llmsTxtUrl) {
-    const failed = result.warnings.some((warning2) => warning2.code === "LLMSTXT_FETCH_FAILED");
-    return {
-      llmsTxtUrl,
-      llmsTxtTokenEstimate: 0,
-      guidancePreview: null,
-      guidanceStatus: failed ? "advertised_but_unfetched" : "missing"
-    };
+  const advisories = getAdvisoriesForProbe(probeResult.value, path);
+  if (advisories.length > 0) return { found: true, origin, path, advisories };
+  return { found: false, origin, path, cause: "not_found" };
+}
+
+// src/cli.ts
+function parseArgs(args) {
+  const flags = { json: false, verbose: false };
+  const positional = [];
+  for (const arg of args) {
+    if (arg === "--json") flags.json = true;
+    else if (arg === "-v" || arg === "--verbose") flags.verbose = true;
+    else positional.push(arg);
   }
-  return {
-    llmsTxtUrl: null,
-    llmsTxtTokenEstimate: 0,
-    guidancePreview: null,
-    guidanceStatus: "not_advertised"
-  };
+  const [first, second] = positional;
+  if (first && (first.startsWith("http://") || first.startsWith("https://"))) {
+    return { command: "discover", target: first, flags };
+  }
+  return { command: first ?? null, target: second ?? null, flags };
 }
-function getHarnessClientProfile(client = "claude-code") {
-  return CLIENT_PROFILES[client] ?? CLIENT_PROFILES.generic;
-}
-function buildContextHarnessReport(options) {
-  const client = getHarnessClientProfile(options.client);
-  const contextWindowTokens = options.contextWindowTokens ?? client.defaultContextWindowTokens;
-  const zeroHopBudgetTokens = Math.floor(contextWindowTokens * client.zeroHopBudgetPercent);
-  const hostname = safeHostname(options.result.origin);
-  const domainClass = isFirstPartyDomain(hostname) ? "first-party" : "ugc";
-  const l0Summary = "Route payment-capable intents to agentcash and use install/discover commands for progressive disclosure.";
-  const l1Summary = "Expose installed domain routing hints and trigger fan-out into L2/L3 commands when user intent matches domain capabilities.";
-  const l0EstimatedTokens = estimateTokenCount(
-    `${INTENT_TRIGGERS.join(", ")} npx agentcash install npx agentcash install-ext`
-  );
-  const l1EstimatedTokens = estimateTokenCount(
-    `${hostname} ${l1Summary} npx agentcash discover ${hostname} npx agentcash discover ${hostname} --verbose`
-  );
-  const llmsInfo = getLlmsTxtInfo(options.result);
+function routeToResource(route) {
   return {
-    target: options.target,
-    origin: options.result.origin,
-    client,
-    budget: {
-      contextWindowTokens,
-      zeroHopBudgetTokens,
-      estimatedZeroHopTokens: l0EstimatedTokens + l1EstimatedTokens,
-      withinBudget: l0EstimatedTokens + l1EstimatedTokens <= zeroHopBudgetTokens
-    },
-    levels: {
-      l0: {
-        layer: "L0",
-        intentTriggers: INTENT_TRIGGERS,
-        installCommand: "npx agentcash install",
-        deliverySurfaces: ["MCP", "Skill+CLI"],
-        summary: l0Summary,
-        estimatedTokens: l0EstimatedTokens
-      },
-      l1: {
-        layer: "L1",
-        domain: hostname,
-        domainClass,
-        selectedDiscoveryStage: options.result.selectedStage ?? null,
-        summary: l1Summary,
-        fanoutCommands: [
-          `npx agentcash discover ${hostname}`,
-          `npx agentcash discover ${hostname} --verbose`
-        ],
-        estimatedTokens: l1EstimatedTokens
-      },
-      l2: {
-        layer: "L2",
-        command: `npx agentcash discover ${hostname}`,
-        tokenLight: true,
-        resourceCount: options.result.resources.length,
-        resources: toL2Entries(options.result.resources)
-      },
-      l3: {
-        layer: "L3",
-        command: `npx agentcash discover ${hostname} --verbose`,
-        detailLevel: "endpoint-schema-and-metadata",
-        countsByAuthMode: toAuthModeCount(options.result.resources),
-        countsBySource: toSourceCount(options.result.resources),
-        pricedResourceCount: options.result.resources.filter(
-          (resource) => resource.authHint === "paid"
-        ).length
-      },
-      l4: {
-        layer: "L4",
-        guidanceSource: llmsInfo.llmsTxtUrl ? "llms.txt" : "none",
-        llmsTxtUrl: llmsInfo.llmsTxtUrl,
-        llmsTxtTokenEstimate: llmsInfo.llmsTxtTokenEstimate,
-        guidancePreview: llmsInfo.guidancePreview,
-        guidanceStatus: llmsInfo.guidanceStatus
-      },
-      l5: {
-        layer: "L5",
-        status: "out_of_scope",
-        note: "Cross-domain composition is intentionally out of scope for discovery v1."
-      }
-    },
-    diagnostics: {
-      warningCount: options.result.warnings.length,
-      errorWarningCount: options.result.warnings.filter((warning2) => warning2.severity === "error").length,
-      selectedStage: options.result.selectedStage ?? null,
-      upgradeSuggested: options.result.upgradeSuggested,
-      upgradeReasons: options.result.upgradeReasons
-    }
+    resourceKey: `${route.method} ${route.path}`,
+    method: route.method,
+    path: route.path,
+    summary: route.summary,
+    ...route.authMode ? { authHint: route.authMode } : {},
+    ...route.price ? { priceHint: route.price } : {},
+    ...route.protocols?.length ? { protocols: route.protocols } : {}
   };
 }
-
-// src/index.ts
-async function discoverDetailed(options) {
-  return await runDiscovery({ detailed: true, options });
-}
-
-// src/cli/run.ts
-var CLI_USER_AGENT = "@agentcash/discovery-cli/0.1";
-function buildProbeCandidates(resources) {
-  const methodsByPath = /* @__PURE__ */ new Map();
-  for (const resource of resources) {
-    const existing = methodsByPath.get(resource.path) ?? /* @__PURE__ */ new Set();
-    existing.add(resource.method);
-    methodsByPath.set(resource.path, existing);
-  }
-  return [...methodsByPath.entries()].sort((a, b) => a[0].localeCompare(b[0])).map(([path, methods]) => ({ path, methods: [...methods].sort() }));
-}
-function createTimeoutFetcher(timeoutMs, fetchImpl) {
-  return async (input, init = {}) => {
-    const controller = new AbortController();
-    const onAbort = () => controller.abort();
-    const timer = setTimeout(() => controller.abort(), timeoutMs);
-    if (init.signal) {
-      if (init.signal.aborted) {
-        clearTimeout(timer);
-        throw new Error("Request aborted");
+async function main(args) {
+  const { command, target, flags } = parseArgs(args);
+  if (command === "discover" && target) return runDiscover(target, flags);
+  if (command === "check" && target) return runCheck(target, flags);
+  console.log("Usage:");
+  console.log("  discovery <origin>            Discover all endpoints at an origin");
+  console.log("  discovery discover <origin>   Discover all endpoints at an origin");
+  console.log("  discovery check <url>         Inspect a specific endpoint URL");
+  console.log("");
+  console.log("Flags:");
+  console.log("  --json   Machine-readable JSON output");
+  console.log("  -v       Verbose output (includes guidance text and warning hints)");
+  return 1;
+}
+async function runDiscover(target, flags) {
+  const origin = normalizeOrigin(target);
+  if (!flags.json) console.log(`
+Discovering ${origin}...
+`);
+  const [openApiResult, wellKnownResult] = await Promise.all([
+    getOpenAPI(origin),
+    getWellKnown(origin)
+  ]);
+  const openApi = openApiResult.isOk() ? openApiResult.value : null;
+  const wellKnown = wellKnownResult.isOk() ? wellKnownResult.value : null;
+  const warnings = [
+    ...getWarningsForOpenAPI(openApi),
+    ...getWarningsForWellKnown(wellKnown)
+  ];
+  if (openApi) {
+    const l2 = checkL2ForOpenAPI(openApi);
+    const l4 = checkL4ForOpenAPI(openApi);
+    warnings.push(...getWarningsForL2(l2), ...getWarningsForL4(l4));
+    if (flags.json) {
+      const meta = {
+        origin,
+        specUrl: openApi.fetchedUrl,
+        ...l2.title ? { title: l2.title } : {},
+        ...l2.description ? { description: l2.description } : {}
+      };
+      if (l4) {
+        meta.guidanceTokens = Math.ceil(l4.guidance.length / 4);
+        if (flags.verbose) meta.guidance = l4.guidance;
       }
-      init.signal.addEventListener("abort", onAbort, { once: true });
+      console.log(
+        JSON.stringify(
+          {
+            ok: true,
+            selectedStage: "openapi",
+            resources: l2.routes.map(routeToResource),
+            warnings,
+            trace: [],
+            meta
+          },
+          null,
+          2
+        )
+      );
+      return 0;
     }
-    try {
-      return await fetchImpl(input, {
-        ...init,
-        signal: controller.signal
-      });
-    } finally {
-      clearTimeout(timer);
-      init.signal?.removeEventListener("abort", onAbort);
+    console.log(`Source:   openapi`);
+    console.log(`Spec:     ${openApi.fetchedUrl}`);
+    if (l2.title) console.log(`API:      ${l2.title}`);
+    console.log(`Routes:   ${l2.routes.length}
+`);
+    for (const route of l2.routes) {
+      const auth = route.authMode ? `  ${route.authMode}` : "";
+      const price = route.price ? `  ${route.price}` : "";
+      const protocols = route.protocols?.length ? `  [${route.protocols.join(", ")}]` : "";
+      console.log(`  ${route.method.padEnd(7)} ${route.path}${auth}${price}${protocols}`);
     }
-  };
-}
-async function runAudit(options, deps = {}) {
-  const discoverDetailedFn = deps.discoverDetailedFn ?? discoverDetailed;
-  const fetchImpl = deps.fetchImpl ?? fetch;
-  const fetcher = createTimeoutFetcher(options.timeoutMs, fetchImpl);
-  const baseOptions = {
-    target: options.target,
-    compatMode: options.compatMode,
-    fetcher,
-    headers: {
-      "user-agent": CLI_USER_AGENT
-    },
-    rawView: options.harness ? "full" : "none"
-  };
-  const startedAt = Date.now();
-  let result = await discoverDetailedFn(baseOptions);
-  let probeCandidateCount = 0;
-  if (options.probe) {
-    const probeCandidates = buildProbeCandidates(result.resources);
-    probeCandidateCount = probeCandidates.length;
-    if (probeCandidates.length > 0) {
-      result = await discoverDetailedFn({
-        ...baseOptions,
-        probeCandidates
-      });
+    if (l4) {
+      const tokens = Math.ceil(l4.guidance.length / 4);
+      console.log(`
+Guidance: ${tokens} tokens`);
+      if (flags.verbose) console.log(`
+${l4.guidance}`);
     }
-  }
-  return {
-    result,
-    durationMs: Date.now() - startedAt,
-    probeCandidateCount,
-    ...options.harness ? {
-      harness: buildContextHarnessReport({
-        target: options.target,
-        result,
-        client: options.client,
-        contextWindowTokens: options.contextWindowTokens
-      })
-    } : {}
-  };
-}
-
-// src/cli.ts
-function defaultStdout(message) {
-  process.stdout.write(`${message}
+  } else if (wellKnown) {
+    const l2 = checkL2ForWellknown(wellKnown);
+    const l4 = checkL4ForWellknown(wellKnown);
+    warnings.push(...getWarningsForL2(l2), ...getWarningsForL4(l4));
+    if (flags.json) {
+      const meta = { origin, specUrl: wellKnown.fetchedUrl };
+      if (l4 && flags.verbose) meta.guidance = l4.guidance;
+      console.log(
+        JSON.stringify(
+          {
+            ok: true,
+            selectedStage: "well-known/x402",
+            resources: l2.routes.map(routeToResource),
+            warnings,
+            trace: [],
+            meta
+          },
+          null,
+          2
+        )
+      );
+      return 0;
+    }
+    console.log(`Source:   well-known/x402`);
+    console.log(`Spec:     ${wellKnown.fetchedUrl}`);
+    console.log(`Routes:   ${l2.routes.length}
 `);
+    for (const route of l2.routes) {
+      console.log(`  ${route.method.padEnd(7)} ${route.path}  paid  [x402]`);
+    }
+  } else {
+    if (flags.json) {
+      console.log(
+        JSON.stringify(
+          { ok: false, selectedStage: null, resources: [], warnings, trace: [], meta: { origin } },
+          null,
+          2
+        )
+      );
+      return 0;
+    }
+    console.log("Not found \u2014 no OpenAPI spec or /.well-known/x402 at this origin.");
+  }
+  printWarnings(warnings, flags.verbose);
+  return 0;
 }
-function defaultStderr(message) {
-  process.stderr.write(`${message}
+async function runCheck(url, flags) {
+  if (!flags.json) console.log(`
+Checking ${url}...
 `);
-}
-async function main(argv = process.argv.slice(2), deps = {}) {
-  const stdout = deps.stdout ?? defaultStdout;
-  const stderr = deps.stderr ?? defaultStderr;
-  const parsed = parseCliArgs(argv);
-  if (parsed.kind === "help") {
-    stdout(renderHelp());
-    return 0;
-  }
-  if (parsed.kind === "error") {
-    stderr(parsed.message);
-    stderr("");
-    stderr(renderHelp());
-    return 2;
+  const result = await checkEndpointSchema({ url });
+  if (!result.found) {
+    const warnings2 = getWarningsForL3(null);
+    if (flags.json) {
+      console.log(JSON.stringify({ url, found: false, warnings: warnings2 }, null, 2));
+      return 1;
+    }
+    console.log("Not found \u2014 no spec data for this endpoint.");
+    printWarnings(warnings2, flags.verbose);
+    return 1;
   }
-  try {
-    const run = await runAudit(parsed.options, deps);
-    if (parsed.options.json) {
-      stdout(renderJson(run, parsed.options));
-    } else if (parsed.options.verbose) {
-      stdout(renderVerbose(run, parsed.options));
-    } else {
-      stdout(renderSummary(run, parsed.options));
+  const warnings = [];
+  if (flags.json) {
+    for (const advisory of result.advisories) {
+      warnings.push(...getWarningsForL3(advisory));
     }
-    return run.result.resources.length > 0 ? 0 : 1;
-  } catch (error) {
-    const message = error instanceof Error ? error.message : String(error);
-    stderr(`Discovery audit failed: ${message}`);
-    return 2;
+    console.log(
+      JSON.stringify(
+        {
+          url,
+          found: true,
+          origin: result.origin,
+          path: result.path,
+          advisories: result.advisories,
+          warnings
+        },
+        null,
+        2
+      )
+    );
+    return 0;
+  }
+  console.log(`Origin:   ${result.origin}`);
+  console.log(`Path:     ${result.path}
+`);
+  for (const advisory of result.advisories) {
+    const auth = advisory.authMode ? `  ${advisory.authMode}` : "";
+    const price = advisory.estimatedPrice ? `  ${advisory.estimatedPrice}` : "";
+    const protocols = advisory.protocols?.length ? `  [${advisory.protocols.join(", ")}]` : "";
+    console.log(`  ${advisory.method.padEnd(7)}${auth}${price}${protocols}`);
+    warnings.push(...getWarningsForL3(advisory));
+  }
+  printWarnings(warnings, flags.verbose);
+  return 0;
+}
+function printWarnings(warnings, verbose) {
+  if (warnings.length === 0) return;
+  console.log(`
+Warnings (${warnings.length}):`);
+  for (const w of warnings) {
+    const loc = w.path ? ` (${w.path})` : "";
+    const hint = verbose && w.hint ? `
+           Hint: ${w.hint}` : "";
+    console.log(`  [${w.severity.padEnd(4)}] ${w.code}${loc}
+           ${w.message}${hint}`);
   }
 }
 export {