@agentcash/discovery 1.0.2 → 1.1.0

package/dist/cli.cjs

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,6 +17,14 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/cli.ts
@@ -194,7 +204,7 @@ function fetchSafe(url, init) {
 }
 
 // src/mmm-enabled.ts
-var isMmmEnabled = () => "1.0.2".includes("-mmm");
+var isMmmEnabled = () => "1.1.0".includes("-mmm");
 
 // src/core/source/openapi/index.ts
 var OpenApiParsedSchema = OpenApiDocSchema.transform((doc) => {
@@ -360,6 +370,7 @@ var AUDIT_CODES = {
   L2_NO_ROUTES: "L2_NO_ROUTES",
   L2_ROUTE_COUNT_HIGH: "L2_ROUTE_COUNT_HIGH",
   L2_AUTH_MODE_MISSING: "L2_AUTH_MODE_MISSING",
+  L2_NO_PAID_ROUTES: "L2_NO_PAID_ROUTES",
   L2_PRICE_MISSING_ON_PAID: "L2_PRICE_MISSING_ON_PAID",
   L2_PROTOCOLS_MISSING_ON_PAID: "L2_PROTOCOLS_MISSING_ON_PAID",
   // ─── L3 endpoint advisory checks ─────────────────────────────────────────────
@@ -421,6 +432,15 @@ function getWarningsForL2(l2) {
     });
     return warnings;
   }
+  const hasPaidRoute = l2.routes.some((r) => r.authMode === "paid" || r.authMode === "apiKey+paid");
+  if (!hasPaidRoute) {
+    warnings.push({
+      code: AUDIT_CODES.L2_NO_PAID_ROUTES,
+      severity: "info",
+      message: "No endpoints are marked as paid or apiKey+paid.",
+      hint: "Add x-payment-info to operations that require payment so agents know which endpoints are monetized."
+    });
+  }
   if (l2.routes.length > ROUTE_COUNT_HIGH) {
     warnings.push({
       code: AUDIT_CODES.L2_ROUTE_COUNT_HIGH,
@@ -507,8 +527,8 @@ function getWarningsForL4(l4) {
       {
         code: AUDIT_CODES.L4_GUIDANCE_MISSING,
         severity: "info",
-        message: "No guidance text found (llms.txt or OpenAPI info.guidance).",
-        hint: "Add an info.guidance field to your OpenAPI spec or expose /llms.txt for agent-readable instructions."
+        message: "No guidance text found (OpenAPI info.guidance).",
+        hint: "Add an info.guidance field to your OpenAPI spec for agent-readable instructions."
       }
     ];
   }
@@ -817,54 +837,31 @@ function extractPaymentOptions4(wwwAuthenticate) {
   return options;
 }
 
-// src/core/layers/l3.ts
-function findMatchingOpenApiPath(paths, targetPath) {
-  const exact = paths[targetPath];
-  if (isRecord(exact)) return { matchedPath: targetPath, pathItem: exact };
-  for (const [specPath, entry] of Object.entries(paths)) {
-    if (!isRecord(entry)) continue;
-    const pattern = specPath.replace(/\{[^}]+\}/g, "[^/]+");
-    const regex = new RegExp(`^${pattern}$`);
-    if (regex.test(targetPath)) {
-      return { matchedPath: specPath, pathItem: entry };
-    }
-  }
-  return null;
-}
-function resolveRef(document, ref, seen) {
-  if (!ref.startsWith("#/")) return void 0;
-  if (seen.has(ref)) return { $circular: ref };
-  seen.add(ref);
-  const parts = ref.slice(2).split("/");
-  let current = document;
-  for (const part of parts) {
-    if (!isRecord(current)) return void 0;
-    current = current[part];
-    if (current === void 0) return void 0;
-  }
-  if (isRecord(current)) return resolveRefs(document, current, seen);
-  return current;
+// src/core/lib/resolve-ref.ts
+var import_dereference_json_schema = __toESM(require("dereference-json-schema"), 1);
+var { resolveRefSync } = import_dereference_json_schema.default;
+function isRecord2(value) {
+  return value !== null && typeof value === "object" && !Array.isArray(value);
 }
-function resolveRefs(document, obj, seen, depth = 0) {
-  if (depth > 4) return obj;
+function deepResolveRefs(document, obj) {
   const resolved = {};
   for (const [key, value] of Object.entries(obj)) {
     if (key === "$ref" && typeof value === "string") {
-      const deref = resolveRef(document, value, seen);
-      if (isRecord(deref)) {
-        Object.assign(resolved, deref);
+      const deref = resolveRefSync(document, value);
+      if (isRecord2(deref)) {
+        Object.assign(resolved, deepResolveRefs(document, deref));
       } else {
         resolved[key] = value;
       }
       continue;
     }
-    if (isRecord(value)) {
-      resolved[key] = resolveRefs(document, value, seen, depth + 1);
+    if (isRecord2(value)) {
+      resolved[key] = deepResolveRefs(document, value);
       continue;
     }
     if (Array.isArray(value)) {
       resolved[key] = value.map(
-        (item) => isRecord(item) ? resolveRefs(document, item, seen, depth + 1) : item
+        (item) => isRecord2(item) ? deepResolveRefs(document, item) : item
       );
       continue;
     }
@@ -872,6 +869,24 @@ function resolveRefs(document, obj, seen, depth = 0) {
   }
   return resolved;
 }
+function resolveRefs(obj, document) {
+  return deepResolveRefs(document, obj);
+}
+
+// src/core/layers/l3.ts
+function findMatchingOpenApiPath(paths, targetPath) {
+  const exact = paths[targetPath];
+  if (isRecord(exact)) return { matchedPath: targetPath, pathItem: exact };
+  for (const [specPath, entry] of Object.entries(paths)) {
+    if (!isRecord(entry)) continue;
+    const pattern = specPath.replace(/\{[^}]+\}/g, "[^/]+");
+    const regex = new RegExp(`^${pattern}$`);
+    if (regex.test(targetPath)) {
+      return { matchedPath: specPath, pathItem: entry };
+    }
+  }
+  return null;
+}
 function extractRequestBodySchema(operationSchema) {
   const requestBody = operationSchema.requestBody;
   if (!isRecord(requestBody)) return void 0;
@@ -951,7 +966,7 @@ function getL3ForOpenAPI(openApi, path, method) {
   if (!matched) return null;
   const operation = matched.pathItem[method.toLowerCase()];
   if (!isRecord(operation)) return null;
-  const resolvedOperation = resolveRefs(document, operation, /* @__PURE__ */ new Set());
+  const resolvedOperation = resolveRefs(operation, document);
   const summary = typeof resolvedOperation.summary === "string" ? resolvedOperation.summary : typeof resolvedOperation.description === "string" ? resolvedOperation.description : void 0;
   return {
     source: "openapi",

package/dist/cli.js

@@ -168,7 +168,7 @@ function fetchSafe(url, init) {
 }
 
 // src/mmm-enabled.ts
-var isMmmEnabled = () => "1.0.2".includes("-mmm");
+var isMmmEnabled = () => "1.1.0".includes("-mmm");
 
 // src/core/source/openapi/index.ts
 var OpenApiParsedSchema = OpenApiDocSchema.transform((doc) => {
@@ -334,6 +334,7 @@ var AUDIT_CODES = {
   L2_NO_ROUTES: "L2_NO_ROUTES",
   L2_ROUTE_COUNT_HIGH: "L2_ROUTE_COUNT_HIGH",
   L2_AUTH_MODE_MISSING: "L2_AUTH_MODE_MISSING",
+  L2_NO_PAID_ROUTES: "L2_NO_PAID_ROUTES",
   L2_PRICE_MISSING_ON_PAID: "L2_PRICE_MISSING_ON_PAID",
   L2_PROTOCOLS_MISSING_ON_PAID: "L2_PROTOCOLS_MISSING_ON_PAID",
   // ─── L3 endpoint advisory checks ─────────────────────────────────────────────
@@ -395,6 +396,15 @@ function getWarningsForL2(l2) {
     });
     return warnings;
   }
+  const hasPaidRoute = l2.routes.some((r) => r.authMode === "paid" || r.authMode === "apiKey+paid");
+  if (!hasPaidRoute) {
+    warnings.push({
+      code: AUDIT_CODES.L2_NO_PAID_ROUTES,
+      severity: "info",
+      message: "No endpoints are marked as paid or apiKey+paid.",
+      hint: "Add x-payment-info to operations that require payment so agents know which endpoints are monetized."
+    });
+  }
   if (l2.routes.length > ROUTE_COUNT_HIGH) {
     warnings.push({
       code: AUDIT_CODES.L2_ROUTE_COUNT_HIGH,
@@ -481,8 +491,8 @@ function getWarningsForL4(l4) {
       {
         code: AUDIT_CODES.L4_GUIDANCE_MISSING,
         severity: "info",
-        message: "No guidance text found (llms.txt or OpenAPI info.guidance).",
-        hint: "Add an info.guidance field to your OpenAPI spec or expose /llms.txt for agent-readable instructions."
+        message: "No guidance text found (OpenAPI info.guidance).",
+        hint: "Add an info.guidance field to your OpenAPI spec for agent-readable instructions."
       }
     ];
   }
@@ -791,54 +801,31 @@ function extractPaymentOptions4(wwwAuthenticate) {
   return options;
 }
 
-// src/core/layers/l3.ts
-function findMatchingOpenApiPath(paths, targetPath) {
-  const exact = paths[targetPath];
-  if (isRecord(exact)) return { matchedPath: targetPath, pathItem: exact };
-  for (const [specPath, entry] of Object.entries(paths)) {
-    if (!isRecord(entry)) continue;
-    const pattern = specPath.replace(/\{[^}]+\}/g, "[^/]+");
-    const regex = new RegExp(`^${pattern}$`);
-    if (regex.test(targetPath)) {
-      return { matchedPath: specPath, pathItem: entry };
-    }
-  }
-  return null;
-}
-function resolveRef(document, ref, seen) {
-  if (!ref.startsWith("#/")) return void 0;
-  if (seen.has(ref)) return { $circular: ref };
-  seen.add(ref);
-  const parts = ref.slice(2).split("/");
-  let current = document;
-  for (const part of parts) {
-    if (!isRecord(current)) return void 0;
-    current = current[part];
-    if (current === void 0) return void 0;
-  }
-  if (isRecord(current)) return resolveRefs(document, current, seen);
-  return current;
+// src/core/lib/resolve-ref.ts
+import pkg from "dereference-json-schema";
+var { resolveRefSync } = pkg;
+function isRecord2(value) {
+  return value !== null && typeof value === "object" && !Array.isArray(value);
 }
-function resolveRefs(document, obj, seen, depth = 0) {
-  if (depth > 4) return obj;
+function deepResolveRefs(document, obj) {
   const resolved = {};
   for (const [key, value] of Object.entries(obj)) {
     if (key === "$ref" && typeof value === "string") {
-      const deref = resolveRef(document, value, seen);
-      if (isRecord(deref)) {
-        Object.assign(resolved, deref);
+      const deref = resolveRefSync(document, value);
+      if (isRecord2(deref)) {
+        Object.assign(resolved, deepResolveRefs(document, deref));
       } else {
         resolved[key] = value;
       }
       continue;
     }
-    if (isRecord(value)) {
-      resolved[key] = resolveRefs(document, value, seen, depth + 1);
+    if (isRecord2(value)) {
+      resolved[key] = deepResolveRefs(document, value);
       continue;
     }
     if (Array.isArray(value)) {
       resolved[key] = value.map(
-        (item) => isRecord(item) ? resolveRefs(document, item, seen, depth + 1) : item
+        (item) => isRecord2(item) ? deepResolveRefs(document, item) : item
       );
       continue;
     }
@@ -846,6 +833,24 @@ function resolveRefs(document, obj, seen, depth = 0) {
   }
   return resolved;
 }
+function resolveRefs(obj, document) {
+  return deepResolveRefs(document, obj);
+}
+
+// src/core/layers/l3.ts
+function findMatchingOpenApiPath(paths, targetPath) {
+  const exact = paths[targetPath];
+  if (isRecord(exact)) return { matchedPath: targetPath, pathItem: exact };
+  for (const [specPath, entry] of Object.entries(paths)) {
+    if (!isRecord(entry)) continue;
+    const pattern = specPath.replace(/\{[^}]+\}/g, "[^/]+");
+    const regex = new RegExp(`^${pattern}$`);
+    if (regex.test(targetPath)) {
+      return { matchedPath: specPath, pathItem: entry };
+    }
+  }
+  return null;
+}
 function extractRequestBodySchema(operationSchema) {
   const requestBody = operationSchema.requestBody;
   if (!isRecord(requestBody)) return void 0;
@@ -925,7 +930,7 @@ function getL3ForOpenAPI(openApi, path, method) {
   if (!matched) return null;
   const operation = matched.pathItem[method.toLowerCase()];
   if (!isRecord(operation)) return null;
-  const resolvedOperation = resolveRefs(document, operation, /* @__PURE__ */ new Set());
+  const resolvedOperation = resolveRefs(operation, document);
   const summary = typeof resolvedOperation.summary === "string" ? resolvedOperation.summary : typeof resolvedOperation.description === "string" ? resolvedOperation.description : void 0;
   return {
     source: "openapi",

package/dist/index.cjs

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,6 +17,14 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
@@ -215,7 +225,7 @@ function fetchSafe(url, init) {
 }
 
 // src/mmm-enabled.ts
-var isMmmEnabled = () => "1.0.2".includes("-mmm");
+var isMmmEnabled = () => "1.1.0".includes("-mmm");
 
 // src/core/source/openapi/index.ts
 var OpenApiParsedSchema = OpenApiDocSchema.transform((doc) => {
@@ -990,54 +1000,31 @@ function extractPaymentOptions4(wwwAuthenticate) {
   return options;
 }
 
-// src/core/layers/l3.ts
-function findMatchingOpenApiPath(paths, targetPath) {
-  const exact = paths[targetPath];
-  if (isRecord(exact)) return { matchedPath: targetPath, pathItem: exact };
-  for (const [specPath, entry] of Object.entries(paths)) {
-    if (!isRecord(entry)) continue;
-    const pattern = specPath.replace(/\{[^}]+\}/g, "[^/]+");
-    const regex = new RegExp(`^${pattern}$`);
-    if (regex.test(targetPath)) {
-      return { matchedPath: specPath, pathItem: entry };
-    }
-  }
-  return null;
-}
-function resolveRef(document, ref, seen) {
-  if (!ref.startsWith("#/")) return void 0;
-  if (seen.has(ref)) return { $circular: ref };
-  seen.add(ref);
-  const parts = ref.slice(2).split("/");
-  let current = document;
-  for (const part of parts) {
-    if (!isRecord(current)) return void 0;
-    current = current[part];
-    if (current === void 0) return void 0;
-  }
-  if (isRecord(current)) return resolveRefs(document, current, seen);
-  return current;
+// src/core/lib/resolve-ref.ts
+var import_dereference_json_schema = __toESM(require("dereference-json-schema"), 1);
+var { resolveRefSync } = import_dereference_json_schema.default;
+function isRecord2(value) {
+  return value !== null && typeof value === "object" && !Array.isArray(value);
 }
-function resolveRefs(document, obj, seen, depth = 0) {
-  if (depth > 4) return obj;
+function deepResolveRefs(document, obj) {
   const resolved = {};
   for (const [key, value] of Object.entries(obj)) {
     if (key === "$ref" && typeof value === "string") {
-      const deref = resolveRef(document, value, seen);
-      if (isRecord(deref)) {
-        Object.assign(resolved, deref);
+      const deref = resolveRefSync(document, value);
+      if (isRecord2(deref)) {
+        Object.assign(resolved, deepResolveRefs(document, deref));
       } else {
         resolved[key] = value;
       }
       continue;
     }
-    if (isRecord(value)) {
-      resolved[key] = resolveRefs(document, value, seen, depth + 1);
+    if (isRecord2(value)) {
+      resolved[key] = deepResolveRefs(document, value);
       continue;
     }
     if (Array.isArray(value)) {
       resolved[key] = value.map(
-        (item) => isRecord(item) ? resolveRefs(document, item, seen, depth + 1) : item
+        (item) => isRecord2(item) ? deepResolveRefs(document, item) : item
       );
       continue;
     }
@@ -1045,6 +1032,24 @@ function resolveRefs(document, obj, seen, depth = 0) {
   }
   return resolved;
 }
+function resolveRefs(obj, document) {
+  return deepResolveRefs(document, obj);
+}
+
+// src/core/layers/l3.ts
+function findMatchingOpenApiPath(paths, targetPath) {
+  const exact = paths[targetPath];
+  if (isRecord(exact)) return { matchedPath: targetPath, pathItem: exact };
+  for (const [specPath, entry] of Object.entries(paths)) {
+    if (!isRecord(entry)) continue;
+    const pattern = specPath.replace(/\{[^}]+\}/g, "[^/]+");
+    const regex = new RegExp(`^${pattern}$`);
+    if (regex.test(targetPath)) {
+      return { matchedPath: specPath, pathItem: entry };
+    }
+  }
+  return null;
+}
 function extractRequestBodySchema(operationSchema) {
   const requestBody = operationSchema.requestBody;
   if (!isRecord(requestBody)) return void 0;
@@ -1124,7 +1129,7 @@ function getL3ForOpenAPI(openApi, path, method) {
   if (!matched) return null;
   const operation = matched.pathItem[method.toLowerCase()];
   if (!isRecord(operation)) return null;
-  const resolvedOperation = resolveRefs(document, operation, /* @__PURE__ */ new Set());
+  const resolvedOperation = resolveRefs(operation, document);
   const summary = typeof resolvedOperation.summary === "string" ? resolvedOperation.summary : typeof resolvedOperation.description === "string" ? resolvedOperation.description : void 0;
   return {
     source: "openapi",
@@ -1309,7 +1314,7 @@ var import_schemas3 = require("@x402/core/schemas");
 var DEFAULT_COMPAT_MODE = "on";
 
 // src/x402scan-validation/payment-required.ts
-function isRecord2(value) {
+function isRecord3(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 function pushIssue2(issues, issue) {
@@ -1363,7 +1368,7 @@ function validatePaymentRequiredDetailed(payload, options = {}) {
   const compatMode = options.compatMode ?? DEFAULT_COMPAT_MODE;
   const requireInputSchema = options.requireInputSchema ?? true;
   const requireOutputSchema = options.requireOutputSchema ?? true;
-  if (!isRecord2(payload)) {
+  if (!isRecord3(payload)) {
     pushIssue2(issues, {
       code: VALIDATION_CODES.X402_NOT_OBJECT,
       severity: "error",
@@ -1482,6 +1487,7 @@ var AUDIT_CODES = {
   L2_NO_ROUTES: "L2_NO_ROUTES",
   L2_ROUTE_COUNT_HIGH: "L2_ROUTE_COUNT_HIGH",
   L2_AUTH_MODE_MISSING: "L2_AUTH_MODE_MISSING",
+  L2_NO_PAID_ROUTES: "L2_NO_PAID_ROUTES",
   L2_PRICE_MISSING_ON_PAID: "L2_PRICE_MISSING_ON_PAID",
   L2_PROTOCOLS_MISSING_ON_PAID: "L2_PROTOCOLS_MISSING_ON_PAID",
   // ─── L3 endpoint advisory checks ─────────────────────────────────────────────
@@ -1543,6 +1549,15 @@ function getWarningsForL2(l2) {
     });
     return warnings;
   }
+  const hasPaidRoute = l2.routes.some((r) => r.authMode === "paid" || r.authMode === "apiKey+paid");
+  if (!hasPaidRoute) {
+    warnings.push({
+      code: AUDIT_CODES.L2_NO_PAID_ROUTES,
+      severity: "info",
+      message: "No endpoints are marked as paid or apiKey+paid.",
+      hint: "Add x-payment-info to operations that require payment so agents know which endpoints are monetized."
+    });
+  }
   if (l2.routes.length > ROUTE_COUNT_HIGH) {
     warnings.push({
       code: AUDIT_CODES.L2_ROUTE_COUNT_HIGH,
@@ -1629,8 +1644,8 @@ function getWarningsForL4(l4) {
       {
         code: AUDIT_CODES.L4_GUIDANCE_MISSING,
         severity: "info",
-        message: "No guidance text found (llms.txt or OpenAPI info.guidance).",
-        hint: "Add an info.guidance field to your OpenAPI spec or expose /llms.txt for agent-readable instructions."
+        message: "No guidance text found (OpenAPI info.guidance).",
+        hint: "Add an info.guidance field to your OpenAPI spec for agent-readable instructions."
       }
     ];
   }

package/dist/index.d.cts

@@ -325,6 +325,7 @@ declare const AUDIT_CODES: {
     readonly L2_NO_ROUTES: "L2_NO_ROUTES";
     readonly L2_ROUTE_COUNT_HIGH: "L2_ROUTE_COUNT_HIGH";
     readonly L2_AUTH_MODE_MISSING: "L2_AUTH_MODE_MISSING";
+    readonly L2_NO_PAID_ROUTES: "L2_NO_PAID_ROUTES";
     readonly L2_PRICE_MISSING_ON_PAID: "L2_PRICE_MISSING_ON_PAID";
     readonly L2_PROTOCOLS_MISSING_ON_PAID: "L2_PROTOCOLS_MISSING_ON_PAID";
     readonly L3_NOT_FOUND: "L3_NOT_FOUND";

package/dist/index.d.ts

@@ -325,6 +325,7 @@ declare const AUDIT_CODES: {
     readonly L2_NO_ROUTES: "L2_NO_ROUTES";
     readonly L2_ROUTE_COUNT_HIGH: "L2_ROUTE_COUNT_HIGH";
     readonly L2_AUTH_MODE_MISSING: "L2_AUTH_MODE_MISSING";
+    readonly L2_NO_PAID_ROUTES: "L2_NO_PAID_ROUTES";
     readonly L2_PRICE_MISSING_ON_PAID: "L2_PRICE_MISSING_ON_PAID";
     readonly L2_PROTOCOLS_MISSING_ON_PAID: "L2_PROTOCOLS_MISSING_ON_PAID";
     readonly L3_NOT_FOUND: "L3_NOT_FOUND";

package/dist/index.js

@@ -168,7 +168,7 @@ function fetchSafe(url, init) {
 }
 
 // src/mmm-enabled.ts
-var isMmmEnabled = () => "1.0.2".includes("-mmm");
+var isMmmEnabled = () => "1.1.0".includes("-mmm");
 
 // src/core/source/openapi/index.ts
 var OpenApiParsedSchema = OpenApiDocSchema.transform((doc) => {
@@ -943,54 +943,31 @@ function extractPaymentOptions4(wwwAuthenticate) {
   return options;
 }
 
-// src/core/layers/l3.ts
-function findMatchingOpenApiPath(paths, targetPath) {
-  const exact = paths[targetPath];
-  if (isRecord(exact)) return { matchedPath: targetPath, pathItem: exact };
-  for (const [specPath, entry] of Object.entries(paths)) {
-    if (!isRecord(entry)) continue;
-    const pattern = specPath.replace(/\{[^}]+\}/g, "[^/]+");
-    const regex = new RegExp(`^${pattern}$`);
-    if (regex.test(targetPath)) {
-      return { matchedPath: specPath, pathItem: entry };
-    }
-  }
-  return null;
-}
-function resolveRef(document, ref, seen) {
-  if (!ref.startsWith("#/")) return void 0;
-  if (seen.has(ref)) return { $circular: ref };
-  seen.add(ref);
-  const parts = ref.slice(2).split("/");
-  let current = document;
-  for (const part of parts) {
-    if (!isRecord(current)) return void 0;
-    current = current[part];
-    if (current === void 0) return void 0;
-  }
-  if (isRecord(current)) return resolveRefs(document, current, seen);
-  return current;
+// src/core/lib/resolve-ref.ts
+import pkg from "dereference-json-schema";
+var { resolveRefSync } = pkg;
+function isRecord2(value) {
+  return value !== null && typeof value === "object" && !Array.isArray(value);
 }
-function resolveRefs(document, obj, seen, depth = 0) {
-  if (depth > 4) return obj;
+function deepResolveRefs(document, obj) {
   const resolved = {};
   for (const [key, value] of Object.entries(obj)) {
     if (key === "$ref" && typeof value === "string") {
-      const deref = resolveRef(document, value, seen);
-      if (isRecord(deref)) {
-        Object.assign(resolved, deref);
+      const deref = resolveRefSync(document, value);
+      if (isRecord2(deref)) {
+        Object.assign(resolved, deepResolveRefs(document, deref));
       } else {
         resolved[key] = value;
       }
       continue;
     }
-    if (isRecord(value)) {
-      resolved[key] = resolveRefs(document, value, seen, depth + 1);
+    if (isRecord2(value)) {
+      resolved[key] = deepResolveRefs(document, value);
       continue;
     }
     if (Array.isArray(value)) {
       resolved[key] = value.map(
-        (item) => isRecord(item) ? resolveRefs(document, item, seen, depth + 1) : item
+        (item) => isRecord2(item) ? deepResolveRefs(document, item) : item
       );
       continue;
     }
@@ -998,6 +975,24 @@ function resolveRefs(document, obj, seen, depth = 0) {
   }
   return resolved;
 }
+function resolveRefs(obj, document) {
+  return deepResolveRefs(document, obj);
+}
+
+// src/core/layers/l3.ts
+function findMatchingOpenApiPath(paths, targetPath) {
+  const exact = paths[targetPath];
+  if (isRecord(exact)) return { matchedPath: targetPath, pathItem: exact };
+  for (const [specPath, entry] of Object.entries(paths)) {
+    if (!isRecord(entry)) continue;
+    const pattern = specPath.replace(/\{[^}]+\}/g, "[^/]+");
+    const regex = new RegExp(`^${pattern}$`);
+    if (regex.test(targetPath)) {
+      return { matchedPath: specPath, pathItem: entry };
+    }
+  }
+  return null;
+}
 function extractRequestBodySchema(operationSchema) {
   const requestBody = operationSchema.requestBody;
   if (!isRecord(requestBody)) return void 0;
@@ -1077,7 +1072,7 @@ function getL3ForOpenAPI(openApi, path, method) {
   if (!matched) return null;
   const operation = matched.pathItem[method.toLowerCase()];
   if (!isRecord(operation)) return null;
-  const resolvedOperation = resolveRefs(document, operation, /* @__PURE__ */ new Set());
+  const resolvedOperation = resolveRefs(operation, document);
   const summary = typeof resolvedOperation.summary === "string" ? resolvedOperation.summary : typeof resolvedOperation.description === "string" ? resolvedOperation.description : void 0;
   return {
     source: "openapi",
@@ -1262,7 +1257,7 @@ import { parsePaymentRequired } from "@x402/core/schemas";
 var DEFAULT_COMPAT_MODE = "on";
 
 // src/x402scan-validation/payment-required.ts
-function isRecord2(value) {
+function isRecord3(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 function pushIssue2(issues, issue) {
@@ -1316,7 +1311,7 @@ function validatePaymentRequiredDetailed(payload, options = {}) {
   const compatMode = options.compatMode ?? DEFAULT_COMPAT_MODE;
   const requireInputSchema = options.requireInputSchema ?? true;
   const requireOutputSchema = options.requireOutputSchema ?? true;
-  if (!isRecord2(payload)) {
+  if (!isRecord3(payload)) {
     pushIssue2(issues, {
       code: VALIDATION_CODES.X402_NOT_OBJECT,
       severity: "error",
@@ -1435,6 +1430,7 @@ var AUDIT_CODES = {
   L2_NO_ROUTES: "L2_NO_ROUTES",
   L2_ROUTE_COUNT_HIGH: "L2_ROUTE_COUNT_HIGH",
   L2_AUTH_MODE_MISSING: "L2_AUTH_MODE_MISSING",
+  L2_NO_PAID_ROUTES: "L2_NO_PAID_ROUTES",
   L2_PRICE_MISSING_ON_PAID: "L2_PRICE_MISSING_ON_PAID",
   L2_PROTOCOLS_MISSING_ON_PAID: "L2_PROTOCOLS_MISSING_ON_PAID",
   // ─── L3 endpoint advisory checks ─────────────────────────────────────────────
@@ -1496,6 +1492,15 @@ function getWarningsForL2(l2) {
     });
     return warnings;
   }
+  const hasPaidRoute = l2.routes.some((r) => r.authMode === "paid" || r.authMode === "apiKey+paid");
+  if (!hasPaidRoute) {
+    warnings.push({
+      code: AUDIT_CODES.L2_NO_PAID_ROUTES,
+      severity: "info",
+      message: "No endpoints are marked as paid or apiKey+paid.",
+      hint: "Add x-payment-info to operations that require payment so agents know which endpoints are monetized."
+    });
+  }
   if (l2.routes.length > ROUTE_COUNT_HIGH) {
     warnings.push({
       code: AUDIT_CODES.L2_ROUTE_COUNT_HIGH,
@@ -1582,8 +1587,8 @@ function getWarningsForL4(l4) {
       {
         code: AUDIT_CODES.L4_GUIDANCE_MISSING,
         severity: "info",
-        message: "No guidance text found (llms.txt or OpenAPI info.guidance).",
-        hint: "Add an info.guidance field to your OpenAPI spec or expose /llms.txt for agent-readable instructions."
+        message: "No guidance text found (OpenAPI info.guidance).",
+        hint: "Add an info.guidance field to your OpenAPI spec for agent-readable instructions."
       }
     ];
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentcash/discovery",
-  "version": "1.0.2",
+  "version": "1.1.0",
   "description": "Canonical OpenAPI-first discovery runtime for the agentcash ecosystem",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -65,6 +65,7 @@
   },
   "dependencies": {
     "@x402/core": "^2.5.0",
+    "dereference-json-schema": "^0.2.2",
     "neverthrow": "^8.2.0",
     "zod": "^4.0.0"
   },