@agentcash/discovery 1.0.1 → 1.1.0

package/dist/index.js

@@ -50,6 +50,7 @@ var OpenApiDocSchema = z.object({
     description: z.string().optional(),
     guidance: z.string().optional()
   }),
+  security: z.array(z.record(z.string(), z.array(z.string()))).optional(),
   servers: z.array(z.object({ url: z.string() })).optional(),
   tags: z.array(z.object({ name: z.string() })).optional(),
   components: z.object({ securitySchemes: z.record(z.string(), z.unknown()).optional() }).optional(),
@@ -79,20 +80,31 @@ var WellKnownParsedSchema = z.object({
 function isRecord(value) {
   return value !== null && typeof value === "object" && !Array.isArray(value);
 }
-function hasSecurity(operation, scheme) {
-  return operation.security?.some((s) => scheme in s) ?? false;
-}
-function has402Response(operation) {
-  return Boolean(operation.responses?.["402"]);
+function resolveSecurityFlags(requirements, securitySchemes) {
+  let hasApiKey = false;
+  let hasSiwx = false;
+  for (const requirement of requirements) {
+    for (const schemeName of Object.keys(requirement)) {
+      if (schemeName === "siwx") {
+        hasSiwx = true;
+        continue;
+      }
+      if (schemeName === "apiKey") {
+        hasApiKey = true;
+        continue;
+      }
+      const def = securitySchemes[schemeName];
+      if (isRecord(def) && def["type"] === "apiKey") hasApiKey = true;
+    }
+  }
+  return { hasApiKey, hasSiwx };
 }
-function inferAuthMode(operation) {
+function inferAuthMode(operation, globalSecurity, securitySchemes) {
   const hasXPaymentInfo = Boolean(operation["x-payment-info"]);
-  const hasPayment = hasXPaymentInfo || has402Response(operation);
-  const hasApiKey = hasSecurity(operation, "apiKey");
-  const hasSiwx = hasSecurity(operation, "siwx");
-  if (hasPayment && hasApiKey) return "apiKey+paid";
+  const effectiveSecurity = operation.security !== void 0 && operation.security.length > 0 ? operation.security : globalSecurity ?? [];
+  const { hasApiKey, hasSiwx } = resolveSecurityFlags(effectiveSecurity, securitySchemes ?? {});
+  if (hasXPaymentInfo && hasApiKey) return "apiKey+paid";
   if (hasXPaymentInfo) return "paid";
-  if (hasPayment) return hasSiwx ? "siwx" : "paid";
   if (hasApiKey) return "apiKey";
   if (hasSiwx) return "siwx";
   return void 0;
@@ -112,10 +124,12 @@ var HTTP_METHODS = /* @__PURE__ */ new Set([
 var DEFAULT_MISSING_METHOD = "POST";
 
 // src/core/lib/url.ts
-function normalizeOrigin(target) {
+function ensureProtocol(target) {
   const trimmed = target.trim();
-  const withProtocol = /^https?:\/\//i.test(trimmed) ? trimmed : `https://${trimmed}`;
-  const url = new URL(withProtocol);
+  return /^https?:\/\//i.test(trimmed) ? trimmed : `https://${trimmed}`;
+}
+function normalizeOrigin(target) {
+  const url = new URL(ensureProtocol(target));
   url.pathname = "";
   url.search = "";
   url.hash = "";
@@ -154,7 +168,7 @@ function fetchSafe(url, init) {
 }
 
 // src/mmm-enabled.ts
-var isMmmEnabled = () => "1.0.1".includes("-mmm");
+var isMmmEnabled = () => "1.1.0".includes("-mmm");
 
 // src/core/source/openapi/index.ts
 var OpenApiParsedSchema = OpenApiDocSchema.transform((doc) => {
@@ -163,15 +177,13 @@ var OpenApiParsedSchema = OpenApiDocSchema.transform((doc) => {
     for (const httpMethod of [...HTTP_METHODS]) {
       const operation = pathItem[httpMethod.toLowerCase()];
       if (!operation) continue;
-      const authMode = inferAuthMode(operation) ?? void 0;
+      const authMode = inferAuthMode(operation, doc.security, doc.components?.securitySchemes) ?? void 0;
       if (!authMode) continue;
       const p = operation["x-payment-info"];
       const protocols = (p?.protocols ?? []).filter(
         (proto) => proto !== "mpp" || isMmmEnabled()
       );
-      if ((authMode === "paid" || authMode === "siwx") && !has402Response(operation)) continue;
-      if (authMode === "paid" && protocols.length === 0) continue;
-      const pricing = authMode === "paid" && p ? {
+      const pricing = (authMode === "paid" || authMode === "apiKey+paid") && p ? {
         pricingMode: p.pricingMode,
         ...p.price ? { price: p.price } : {},
         ...p.minPrice ? { minPrice: p.minPrice } : {},
@@ -931,54 +943,31 @@ function extractPaymentOptions4(wwwAuthenticate) {
   return options;
 }
 
-// src/core/layers/l3.ts
-function findMatchingOpenApiPath(paths, targetPath) {
-  const exact = paths[targetPath];
-  if (isRecord(exact)) return { matchedPath: targetPath, pathItem: exact };
-  for (const [specPath, entry] of Object.entries(paths)) {
-    if (!isRecord(entry)) continue;
-    const pattern = specPath.replace(/\{[^}]+\}/g, "[^/]+");
-    const regex = new RegExp(`^${pattern}$`);
-    if (regex.test(targetPath)) {
-      return { matchedPath: specPath, pathItem: entry };
-    }
-  }
-  return null;
-}
-function resolveRef(document, ref, seen) {
-  if (!ref.startsWith("#/")) return void 0;
-  if (seen.has(ref)) return { $circular: ref };
-  seen.add(ref);
-  const parts = ref.slice(2).split("/");
-  let current = document;
-  for (const part of parts) {
-    if (!isRecord(current)) return void 0;
-    current = current[part];
-    if (current === void 0) return void 0;
-  }
-  if (isRecord(current)) return resolveRefs(document, current, seen);
-  return current;
+// src/core/lib/resolve-ref.ts
+import pkg from "dereference-json-schema";
+var { resolveRefSync } = pkg;
+function isRecord2(value) {
+  return value !== null && typeof value === "object" && !Array.isArray(value);
 }
-function resolveRefs(document, obj, seen, depth = 0) {
-  if (depth > 4) return obj;
+function deepResolveRefs(document, obj) {
   const resolved = {};
   for (const [key, value] of Object.entries(obj)) {
     if (key === "$ref" && typeof value === "string") {
-      const deref = resolveRef(document, value, seen);
-      if (isRecord(deref)) {
-        Object.assign(resolved, deref);
+      const deref = resolveRefSync(document, value);
+      if (isRecord2(deref)) {
+        Object.assign(resolved, deepResolveRefs(document, deref));
       } else {
         resolved[key] = value;
       }
       continue;
     }
-    if (isRecord(value)) {
-      resolved[key] = resolveRefs(document, value, seen, depth + 1);
+    if (isRecord2(value)) {
+      resolved[key] = deepResolveRefs(document, value);
       continue;
     }
     if (Array.isArray(value)) {
       resolved[key] = value.map(
-        (item) => isRecord(item) ? resolveRefs(document, item, seen, depth + 1) : item
+        (item) => isRecord2(item) ? deepResolveRefs(document, item) : item
       );
       continue;
     }
@@ -986,6 +975,24 @@ function resolveRefs(document, obj, seen, depth = 0) {
   }
   return resolved;
 }
+function resolveRefs(obj, document) {
+  return deepResolveRefs(document, obj);
+}
+
+// src/core/layers/l3.ts
+function findMatchingOpenApiPath(paths, targetPath) {
+  const exact = paths[targetPath];
+  if (isRecord(exact)) return { matchedPath: targetPath, pathItem: exact };
+  for (const [specPath, entry] of Object.entries(paths)) {
+    if (!isRecord(entry)) continue;
+    const pattern = specPath.replace(/\{[^}]+\}/g, "[^/]+");
+    const regex = new RegExp(`^${pattern}$`);
+    if (regex.test(targetPath)) {
+      return { matchedPath: specPath, pathItem: entry };
+    }
+  }
+  return null;
+}
 function extractRequestBodySchema(operationSchema) {
   const requestBody = operationSchema.requestBody;
   if (!isRecord(requestBody)) return void 0;
@@ -1065,7 +1072,7 @@ function getL3ForOpenAPI(openApi, path, method) {
   if (!matched) return null;
   const operation = matched.pathItem[method.toLowerCase()];
   if (!isRecord(operation)) return null;
-  const resolvedOperation = resolveRefs(document, operation, /* @__PURE__ */ new Set());
+  const resolvedOperation = resolveRefs(operation, document);
   const summary = typeof resolvedOperation.summary === "string" ? resolvedOperation.summary : typeof resolvedOperation.description === "string" ? resolvedOperation.description : void 0;
   return {
     source: "openapi",
@@ -1115,12 +1122,12 @@ function getAdvisoriesForProbe(probe, path) {
   });
 }
 async function checkEndpointSchema(options) {
-  const endpoint = new URL(options.url);
+  const endpoint = new URL(ensureProtocol(options.url));
   const origin = normalizeOrigin(endpoint.origin);
   const path = normalizePath(endpoint.pathname || "/");
   if (options.sampleInputBody !== void 0) {
     const probeResult2 = await getProbe(
-      options.url,
+      endpoint.href,
       options.headers,
       options.signal,
       options.sampleInputBody
@@ -1145,7 +1152,7 @@ async function checkEndpointSchema(options) {
     if (advisories2.length > 0) return { found: true, origin, path, advisories: advisories2 };
     return { found: false, origin, path, cause: "not_found" };
   }
-  const probeResult = await getProbe(options.url, options.headers, options.signal);
+  const probeResult = await getProbe(endpoint.href, options.headers, options.signal);
   if (probeResult.isErr()) {
     return {
       found: false,
@@ -1250,7 +1257,7 @@ import { parsePaymentRequired } from "@x402/core/schemas";
 var DEFAULT_COMPAT_MODE = "on";
 
 // src/x402scan-validation/payment-required.ts
-function isRecord2(value) {
+function isRecord3(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 function pushIssue2(issues, issue) {
@@ -1304,7 +1311,7 @@ function validatePaymentRequiredDetailed(payload, options = {}) {
   const compatMode = options.compatMode ?? DEFAULT_COMPAT_MODE;
   const requireInputSchema = options.requireInputSchema ?? true;
   const requireOutputSchema = options.requireOutputSchema ?? true;
-  if (!isRecord2(payload)) {
+  if (!isRecord3(payload)) {
     pushIssue2(issues, {
       code: VALIDATION_CODES.X402_NOT_OBJECT,
       severity: "error",
@@ -1423,6 +1430,7 @@ var AUDIT_CODES = {
   L2_NO_ROUTES: "L2_NO_ROUTES",
   L2_ROUTE_COUNT_HIGH: "L2_ROUTE_COUNT_HIGH",
   L2_AUTH_MODE_MISSING: "L2_AUTH_MODE_MISSING",
+  L2_NO_PAID_ROUTES: "L2_NO_PAID_ROUTES",
   L2_PRICE_MISSING_ON_PAID: "L2_PRICE_MISSING_ON_PAID",
   L2_PROTOCOLS_MISSING_ON_PAID: "L2_PROTOCOLS_MISSING_ON_PAID",
   // ─── L3 endpoint advisory checks ─────────────────────────────────────────────
@@ -1484,6 +1492,15 @@ function getWarningsForL2(l2) {
     });
     return warnings;
   }
+  const hasPaidRoute = l2.routes.some((r) => r.authMode === "paid" || r.authMode === "apiKey+paid");
+  if (!hasPaidRoute) {
+    warnings.push({
+      code: AUDIT_CODES.L2_NO_PAID_ROUTES,
+      severity: "info",
+      message: "No endpoints are marked as paid or apiKey+paid.",
+      hint: "Add x-payment-info to operations that require payment so agents know which endpoints are monetized."
+    });
+  }
   if (l2.routes.length > ROUTE_COUNT_HIGH) {
     warnings.push({
       code: AUDIT_CODES.L2_ROUTE_COUNT_HIGH,
@@ -1570,8 +1587,8 @@ function getWarningsForL4(l4) {
       {
         code: AUDIT_CODES.L4_GUIDANCE_MISSING,
         severity: "info",
-        message: "No guidance text found (llms.txt or OpenAPI info.guidance).",
-        hint: "Add an info.guidance field to your OpenAPI spec or expose /llms.txt for agent-readable instructions."
+        message: "No guidance text found (OpenAPI info.guidance).",
+        hint: "Add an info.guidance field to your OpenAPI spec for agent-readable instructions."
       }
     ];
   }

package/dist/schemas.cjs

@@ -76,6 +76,7 @@ var OpenApiDocSchema = import_zod.z.object({
     description: import_zod.z.string().optional(),
     guidance: import_zod.z.string().optional()
   }),
+  security: import_zod.z.array(import_zod.z.record(import_zod.z.string(), import_zod.z.array(import_zod.z.string()))).optional(),
   servers: import_zod.z.array(import_zod.z.object({ url: import_zod.z.string() })).optional(),
   tags: import_zod.z.array(import_zod.z.object({ name: import_zod.z.string() })).optional(),
   components: import_zod.z.object({ securitySchemes: import_zod.z.record(import_zod.z.string(), import_zod.z.unknown()).optional() }).optional(),

package/dist/schemas.d.cts

@@ -300,6 +300,7 @@ declare const OpenApiDocSchema: z.ZodObject<{
         description: z.ZodOptional<z.ZodString>;
         guidance: z.ZodOptional<z.ZodString>;
     }, z.core.$strip>;
+    security: z.ZodOptional<z.ZodArray<z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString>>>>;
     servers: z.ZodOptional<z.ZodArray<z.ZodObject<{
         url: z.ZodString;
     }, z.core.$strip>>>;

package/dist/schemas.d.ts

@@ -300,6 +300,7 @@ declare const OpenApiDocSchema: z.ZodObject<{
         description: z.ZodOptional<z.ZodString>;
         guidance: z.ZodOptional<z.ZodString>;
     }, z.core.$strip>;
+    security: z.ZodOptional<z.ZodArray<z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString>>>>;
     servers: z.ZodOptional<z.ZodArray<z.ZodObject<{
         url: z.ZodString;
     }, z.core.$strip>>>;

package/dist/schemas.js

@@ -47,6 +47,7 @@ var OpenApiDocSchema = z.object({
     description: z.string().optional(),
     guidance: z.string().optional()
   }),
+  security: z.array(z.record(z.string(), z.array(z.string()))).optional(),
   servers: z.array(z.object({ url: z.string() })).optional(),
   tags: z.array(z.object({ name: z.string() })).optional(),
   components: z.object({ securitySchemes: z.record(z.string(), z.unknown()).optional() }).optional(),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentcash/discovery",
-  "version": "1.0.1",
+  "version": "1.1.0",
   "description": "Canonical OpenAPI-first discovery runtime for the agentcash ecosystem",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -65,6 +65,7 @@
   },
   "dependencies": {
     "@x402/core": "^2.5.0",
+    "dereference-json-schema": "^0.2.2",
     "neverthrow": "^8.2.0",
     "zod": "^4.0.0"
   },