@agentcash/discovery 1.1.2 → 1.2.0

package/dist/cli.cjs

@@ -13864,7 +13864,6 @@ var WellKnownDocSchema = external_exports.object({
   version: external_exports.number().optional(),
   resources: external_exports.array(external_exports.string()).default([]),
   mppResources: external_exports.array(external_exports.string()).optional(),
-  // isMmmEnabled
   description: external_exports.string().optional(),
   ownershipProofs: external_exports.array(external_exports.string()).optional(),
   instructions: external_exports.string().optional()
@@ -13974,9 +13973,6 @@ function fetchSafe(url2, init) {
   return import_neverthrow.ResultAsync.fromPromise(fetch(url2, init), toFetchError);
 }
 
-// src/mmm-enabled.ts
-var isMmmEnabled = () => "1.1.2".includes("-mmm");
-
 // src/core/source/openapi/index.ts
 var OpenApiParsedSchema = OpenApiDocSchema.transform((doc) => {
   const routes = [];
@@ -13986,9 +13982,7 @@ var OpenApiParsedSchema = OpenApiDocSchema.transform((doc) => {
       if (!operation) continue;
       const authMode = inferAuthMode(operation, doc.security, doc.components?.securitySchemes) ?? void 0;
       const p = operation["x-payment-info"];
-      const protocols = (p?.protocols ?? []).filter(
-        (proto) => proto !== "mpp" || isMmmEnabled()
-      );
+      const protocols = (p?.protocols ?? []).filter((proto) => proto.length > 0);
       const pricing = (authMode === "paid" || authMode === "apiKey+paid") && p ? {
         pricingMode: p.pricingMode,
         ...p.price ? { price: p.price } : {},
@@ -14102,6 +14096,7 @@ function checkL2ForOpenAPI(openApi) {
   return {
     ...openApi.info.title ? { title: openApi.info.title } : {},
     ...openApi.info.description ? { description: openApi.info.description } : {},
+    ...openApi.info.version ? { version: openApi.info.version } : {},
     routes,
     source: "openapi"
   };
@@ -14151,9 +14146,23 @@ var AUDIT_CODES = {
   L3_INPUT_SCHEMA_MISSING: "L3_INPUT_SCHEMA_MISSING",
   L3_AUTH_MODE_MISSING: "L3_AUTH_MODE_MISSING",
   L3_PROTOCOLS_MISSING_ON_PAID: "L3_PROTOCOLS_MISSING_ON_PAID",
+  L3_PAYMENT_OPTIONS_MISSING_ON_PAID: "L3_PAYMENT_OPTIONS_MISSING_ON_PAID",
   // ─── L4 guidance checks ──────────────────────────────────────────────────────
   L4_GUIDANCE_MISSING: "L4_GUIDANCE_MISSING",
-  L4_GUIDANCE_TOO_LONG: "L4_GUIDANCE_TOO_LONG"
+  L4_GUIDANCE_TOO_LONG: "L4_GUIDANCE_TOO_LONG",
+  // ─── MPP WWW-Authenticate header checks ──────────────────────────────────────
+  MPP_HEADER_MISSING: "MPP_HEADER_MISSING",
+  MPP_NO_PAYMENT_CHALLENGES: "MPP_NO_PAYMENT_CHALLENGES",
+  MPP_CHALLENGE_ID_MISSING: "MPP_CHALLENGE_ID_MISSING",
+  MPP_CHALLENGE_METHOD_MISSING: "MPP_CHALLENGE_METHOD_MISSING",
+  MPP_CHALLENGE_INTENT_MISSING: "MPP_CHALLENGE_INTENT_MISSING",
+  MPP_CHALLENGE_REALM_MISSING: "MPP_CHALLENGE_REALM_MISSING",
+  MPP_CHALLENGE_EXPIRES_MISSING: "MPP_CHALLENGE_EXPIRES_MISSING",
+  MPP_CHALLENGE_REQUEST_MISSING: "MPP_CHALLENGE_REQUEST_MISSING",
+  MPP_CHALLENGE_REQUEST_INVALID: "MPP_CHALLENGE_REQUEST_INVALID",
+  MPP_CHALLENGE_ASSET_MISSING: "MPP_CHALLENGE_ASSET_MISSING",
+  MPP_CHALLENGE_AMOUNT_MISSING: "MPP_CHALLENGE_AMOUNT_MISSING",
+  MPP_CHALLENGE_RECIPIENT_MISSING: "MPP_CHALLENGE_RECIPIENT_MISSING"
 };
 
 // src/audit/warnings/sources.ts
@@ -14732,6 +14741,157 @@ function validateWithCoinbaseSchema2(body) {
   });
 }
 
+// src/audit/warnings/mpp.ts
+function parseAuthParams(segment) {
+  const params = {};
+  const re = /(\w+)=(?:"([^"]*)"|'([^']*)')/g;
+  let match;
+  while ((match = re.exec(segment)) !== null) {
+    params[match[1]] = match[2] ?? match[3] ?? "";
+  }
+  return params;
+}
+function getWarningsForMppHeader(wwwAuthenticate) {
+  if (!wwwAuthenticate?.trim()) {
+    return [
+      {
+        code: AUDIT_CODES.MPP_HEADER_MISSING,
+        severity: "error",
+        message: "WWW-Authenticate header is absent.",
+        hint: "MPP endpoints must respond to unauthenticated requests with a 402 and a WWW-Authenticate: Payment ... header."
+      }
+    ];
+  }
+  const segments = wwwAuthenticate.split(/,\s*(?=Payment\s)/i).filter((s) => /^Payment\s/i.test(s.trim()));
+  if (segments.length === 0) {
+    return [
+      {
+        code: AUDIT_CODES.MPP_NO_PAYMENT_CHALLENGES,
+        severity: "error",
+        message: "WWW-Authenticate header contains no Payment challenges.",
+        hint: `Add at least one Payment challenge: WWW-Authenticate: Payment method="tempo" intent="charge" realm="..." request='...'`
+      }
+    ];
+  }
+  const warnings = [];
+  for (let i = 0; i < segments.length; i++) {
+    const stripped = segments[i].replace(/^Payment\s+/i, "").trim();
+    const params = parseAuthParams(stripped);
+    const idx = `WWW-Authenticate[${i}]`;
+    if (!params["id"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_ID_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the id parameter.`,
+        hint: "Set id to a unique challenge identifier so clients can correlate credentials to challenges.",
+        path: `${idx}.id`
+      });
+    }
+    if (!params["method"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_METHOD_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the method parameter.`,
+        hint: 'Set method="tempo" (or your payment method identifier) on the Payment challenge.',
+        path: `${idx}.method`
+      });
+    }
+    if (!params["intent"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_INTENT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the intent parameter.`,
+        hint: 'Set intent="charge" on the Payment challenge.',
+        path: `${idx}.intent`
+      });
+    }
+    if (!params["realm"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_REALM_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the realm parameter.`,
+        hint: "Set realm to a stable server identifier so clients can associate payment credentials.",
+        path: `${idx}.realm`
+      });
+    }
+    if (!params["expires"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_EXPIRES_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the expires parameter.`,
+        hint: "Set expires to an RFC 3339 timestamp so clients know when the challenge lapses.",
+        path: `${idx}.expires`
+      });
+    }
+    const requestStr = params["request"];
+    if (!requestStr) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_REQUEST_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the request field.`,
+        hint: `Include a base64url-encoded JSON request field: request=base64url('{"currency":"...","amount":"...","recipient":"..."}')`,
+        path: `${idx}.request`
+      });
+      continue;
+    }
+    let request;
+    try {
+      const decoded = Buffer.from(requestStr, "base64url").toString("utf-8");
+      const parsed = JSON.parse(decoded);
+      if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+        throw new Error("not an object");
+      }
+      request = parsed;
+    } catch {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_REQUEST_INVALID,
+        severity: "error",
+        message: `Payment challenge ${i} request field is not valid base64url-encoded JSON.`,
+        hint: "The request value must be a base64url-encoded JCS JSON object.",
+        path: `${idx}.request`
+      });
+      continue;
+    }
+    if (!request["currency"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_ASSET_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing currency in the request object.`,
+        hint: "Set currency to a TIP-20 token address (e.g. a USDC contract).",
+        path: `${idx}.request.currency`
+      });
+    }
+    const amount = request["amount"];
+    if (amount === void 0 || amount === null) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_AMOUNT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing amount in the request object.`,
+        hint: 'Set amount to a raw token-unit string (e.g. "1000000" for 1 USDC with 6 decimals).',
+        path: `${idx}.request.amount`
+      });
+    } else if (typeof amount !== "string" && typeof amount !== "number") {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_AMOUNT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} has an invalid amount type (got ${typeof amount}, expected string or number).`,
+        hint: "Set amount to a raw token-unit string.",
+        path: `${idx}.request.amount`
+      });
+    }
+    if (!request["recipient"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_RECIPIENT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing recipient in the request object.`,
+        hint: "Set recipient to the wallet address that should receive payment.",
+        path: `${idx}.request.recipient`
+      });
+    }
+  }
+  return warnings;
+}
+
 // src/audit/warnings/l3.ts
 function getWarningsFor402Body(body) {
   if (!isRecord(body)) {
@@ -14861,17 +15021,28 @@ function getWarningsForL3(l3) {
       hint: "Add a requestBody or parameters schema so agents can construct valid payloads."
     });
   }
-  if (l3.authMode === "paid" && !l3.protocols?.length) {
+  if (l3.authMode === "paid" && l3.source === "openapi" && !l3.protocols?.length) {
     warnings.push({
       code: AUDIT_CODES.L3_PROTOCOLS_MISSING_ON_PAID,
       severity: "info",
       message: "Paid endpoint does not declare supported payment protocols.",
-      hint: "Add x-payment-info.protocols (e.g. ['x402']) to the operation."
+      hint: "Add x-payment-info.protocols (e.g. ['x402', 'mpp']) to the operation."
+    });
+  }
+  if (l3.authMode === "paid" && l3.source === "probe" && !l3.paymentOptions?.length) {
+    warnings.push({
+      code: AUDIT_CODES.L3_PAYMENT_OPTIONS_MISSING_ON_PAID,
+      severity: "warn",
+      message: "Paid endpoint did not return payment options in the 402 response.",
+      hint: "Ensure the 402 response returns a valid payment challenge so clients know how to pay."
     });
   }
   if (l3.paymentRequiredBody !== void 0) {
     warnings.push(...getWarningsFor402Body(l3.paymentRequiredBody));
   }
+  if (l3.wwwAuthenticate !== void 0) {
+    warnings.push(...getWarningsForMppHeader(l3.wwwAuthenticate));
+  }
   return warnings;
 }
 
@@ -14974,7 +15145,7 @@ function detectProtocols(response) {
   }
   const authHeader = response.headers.get("www-authenticate")?.toLowerCase() ?? "";
   if (authHeader.includes("x402")) protocols.add("x402");
-  if (isMmmEnabled() && authHeader.includes("mpp")) protocols.add("mpp");
+  if (authHeader.includes("mpp")) protocols.add("mpp");
   return [...protocols];
 }
 function buildProbeUrl(url2, method, inputBody) {
@@ -15044,7 +15215,7 @@ function getProbe(url2, headers, signal, inputBody) {
 
 // src/core/protocols/mpp/index.ts
 var TEMPO_DEFAULT_CHAIN_ID = 4217;
-function parseAuthParams(segment) {
+function parseAuthParams2(segment) {
   const params = {};
   const re = /(\w+)=(?:"([^"]*)"|'([^']*)')/g;
   let match;
@@ -15054,11 +15225,11 @@ function parseAuthParams(segment) {
   return params;
 }
 function extractPaymentOptions4(wwwAuthenticate) {
-  if (!isMmmEnabled() || !wwwAuthenticate) return [];
+  if (!wwwAuthenticate) return [];
   const options = [];
   for (const segment of wwwAuthenticate.split(/,\s*(?=Payment\s)/i)) {
     const stripped = segment.replace(/^Payment\s+/i, "").trim();
-    const params = parseAuthParams(stripped);
+    const params = parseAuthParams2(stripped);
     const paymentMethod = params["method"];
     const intent = params["intent"];
     const realm = params["realm"];
@@ -15083,12 +15254,10 @@ function extractPaymentOptions4(wwwAuthenticate) {
     if (!asset || !amount) continue;
     options.push({
       protocol: "mpp",
-      // isMmmEnabled
       paymentMethod,
       intent,
       realm,
       network: `tempo:${String(chainId)}`,
-      // isMmmEnabled
       asset,
       amount,
       ...decimals != null ? { decimals } : {},
@@ -15216,7 +15385,7 @@ function parseOperationProtocols(operation) {
   const paymentInfo = operation["x-payment-info"];
   if (!isRecord(paymentInfo) || !Array.isArray(paymentInfo.protocols)) return void 0;
   const protocols = paymentInfo.protocols.filter(
-    (protocol) => typeof protocol === "string" && protocol.length > 0 && (protocol !== "mpp" || isMmmEnabled())
+    (protocol) => typeof protocol === "string" && protocol.length > 0
   );
   return protocols.length > 0 ? protocols : void 0;
 }
@@ -15247,8 +15416,7 @@ function getL3ForProbe(probe, path, method) {
   const outputSchema = probeResult.paymentRequiredBody ? parseOutputSchema(probeResult.paymentRequiredBody) : void 0;
   const paymentOptions = [
     ...probeResult.paymentRequiredBody ? extractPaymentOptions3(probeResult.paymentRequiredBody) : [],
-    ...isMmmEnabled() ? extractPaymentOptions4(probeResult.wwwAuthenticate) : []
-    // isMmmEnabled
+    ...extractPaymentOptions4(probeResult.wwwAuthenticate)
   ];
   return {
     source: "probe",
@@ -15257,7 +15425,8 @@ function getL3ForProbe(probe, path, method) {
     ...inputSchema ? { inputSchema } : {},
     ...outputSchema ? { outputSchema } : {},
     ...paymentOptions.length ? { paymentOptions } : {},
-    ...probeResult.paymentRequiredBody !== void 0 ? { paymentRequiredBody: probeResult.paymentRequiredBody } : {}
+    ...probeResult.paymentRequiredBody !== void 0 ? { paymentRequiredBody: probeResult.paymentRequiredBody } : {},
+    ...probeResult.wwwAuthenticate ? { wwwAuthenticate: probeResult.wwwAuthenticate } : {}
   };
 }
 async function attachProbePayload(url2, advisories) {
@@ -15288,7 +15457,7 @@ async function checkEndpointSchema(options) {
   const endpoint = new URL(ensureProtocol(options.url));
   const origin = normalizeOrigin(endpoint.origin);
   const path = normalizePath(endpoint.pathname || "/");
-  if (options.sampleInputBody !== void 0) {
+  if (options.probe || options.sampleInputBody !== void 0) {
     const probeResult2 = await getProbe(
       endpoint.href,
       options.headers,

package/dist/cli.js

@@ -13834,7 +13834,6 @@ var WellKnownDocSchema = external_exports.object({
   version: external_exports.number().optional(),
   resources: external_exports.array(external_exports.string()).default([]),
   mppResources: external_exports.array(external_exports.string()).optional(),
-  // isMmmEnabled
   description: external_exports.string().optional(),
   ownershipProofs: external_exports.array(external_exports.string()).optional(),
   instructions: external_exports.string().optional()
@@ -13944,9 +13943,6 @@ function fetchSafe(url2, init) {
   return ResultAsync.fromPromise(fetch(url2, init), toFetchError);
 }
 
-// src/mmm-enabled.ts
-var isMmmEnabled = () => "1.1.2".includes("-mmm");
-
 // src/core/source/openapi/index.ts
 var OpenApiParsedSchema = OpenApiDocSchema.transform((doc) => {
   const routes = [];
@@ -13956,9 +13952,7 @@ var OpenApiParsedSchema = OpenApiDocSchema.transform((doc) => {
       if (!operation) continue;
       const authMode = inferAuthMode(operation, doc.security, doc.components?.securitySchemes) ?? void 0;
       const p = operation["x-payment-info"];
-      const protocols = (p?.protocols ?? []).filter(
-        (proto) => proto !== "mpp" || isMmmEnabled()
-      );
+      const protocols = (p?.protocols ?? []).filter((proto) => proto.length > 0);
       const pricing = (authMode === "paid" || authMode === "apiKey+paid") && p ? {
         pricingMode: p.pricingMode,
         ...p.price ? { price: p.price } : {},
@@ -14072,6 +14066,7 @@ function checkL2ForOpenAPI(openApi) {
   return {
     ...openApi.info.title ? { title: openApi.info.title } : {},
     ...openApi.info.description ? { description: openApi.info.description } : {},
+    ...openApi.info.version ? { version: openApi.info.version } : {},
     routes,
     source: "openapi"
   };
@@ -14121,9 +14116,23 @@ var AUDIT_CODES = {
   L3_INPUT_SCHEMA_MISSING: "L3_INPUT_SCHEMA_MISSING",
   L3_AUTH_MODE_MISSING: "L3_AUTH_MODE_MISSING",
   L3_PROTOCOLS_MISSING_ON_PAID: "L3_PROTOCOLS_MISSING_ON_PAID",
+  L3_PAYMENT_OPTIONS_MISSING_ON_PAID: "L3_PAYMENT_OPTIONS_MISSING_ON_PAID",
   // ─── L4 guidance checks ──────────────────────────────────────────────────────
   L4_GUIDANCE_MISSING: "L4_GUIDANCE_MISSING",
-  L4_GUIDANCE_TOO_LONG: "L4_GUIDANCE_TOO_LONG"
+  L4_GUIDANCE_TOO_LONG: "L4_GUIDANCE_TOO_LONG",
+  // ─── MPP WWW-Authenticate header checks ──────────────────────────────────────
+  MPP_HEADER_MISSING: "MPP_HEADER_MISSING",
+  MPP_NO_PAYMENT_CHALLENGES: "MPP_NO_PAYMENT_CHALLENGES",
+  MPP_CHALLENGE_ID_MISSING: "MPP_CHALLENGE_ID_MISSING",
+  MPP_CHALLENGE_METHOD_MISSING: "MPP_CHALLENGE_METHOD_MISSING",
+  MPP_CHALLENGE_INTENT_MISSING: "MPP_CHALLENGE_INTENT_MISSING",
+  MPP_CHALLENGE_REALM_MISSING: "MPP_CHALLENGE_REALM_MISSING",
+  MPP_CHALLENGE_EXPIRES_MISSING: "MPP_CHALLENGE_EXPIRES_MISSING",
+  MPP_CHALLENGE_REQUEST_MISSING: "MPP_CHALLENGE_REQUEST_MISSING",
+  MPP_CHALLENGE_REQUEST_INVALID: "MPP_CHALLENGE_REQUEST_INVALID",
+  MPP_CHALLENGE_ASSET_MISSING: "MPP_CHALLENGE_ASSET_MISSING",
+  MPP_CHALLENGE_AMOUNT_MISSING: "MPP_CHALLENGE_AMOUNT_MISSING",
+  MPP_CHALLENGE_RECIPIENT_MISSING: "MPP_CHALLENGE_RECIPIENT_MISSING"
 };
 
 // src/audit/warnings/sources.ts
@@ -14702,6 +14711,157 @@ function validateWithCoinbaseSchema2(body) {
   });
 }
 
+// src/audit/warnings/mpp.ts
+function parseAuthParams(segment) {
+  const params = {};
+  const re = /(\w+)=(?:"([^"]*)"|'([^']*)')/g;
+  let match;
+  while ((match = re.exec(segment)) !== null) {
+    params[match[1]] = match[2] ?? match[3] ?? "";
+  }
+  return params;
+}
+function getWarningsForMppHeader(wwwAuthenticate) {
+  if (!wwwAuthenticate?.trim()) {
+    return [
+      {
+        code: AUDIT_CODES.MPP_HEADER_MISSING,
+        severity: "error",
+        message: "WWW-Authenticate header is absent.",
+        hint: "MPP endpoints must respond to unauthenticated requests with a 402 and a WWW-Authenticate: Payment ... header."
+      }
+    ];
+  }
+  const segments = wwwAuthenticate.split(/,\s*(?=Payment\s)/i).filter((s) => /^Payment\s/i.test(s.trim()));
+  if (segments.length === 0) {
+    return [
+      {
+        code: AUDIT_CODES.MPP_NO_PAYMENT_CHALLENGES,
+        severity: "error",
+        message: "WWW-Authenticate header contains no Payment challenges.",
+        hint: `Add at least one Payment challenge: WWW-Authenticate: Payment method="tempo" intent="charge" realm="..." request='...'`
+      }
+    ];
+  }
+  const warnings = [];
+  for (let i = 0; i < segments.length; i++) {
+    const stripped = segments[i].replace(/^Payment\s+/i, "").trim();
+    const params = parseAuthParams(stripped);
+    const idx = `WWW-Authenticate[${i}]`;
+    if (!params["id"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_ID_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the id parameter.`,
+        hint: "Set id to a unique challenge identifier so clients can correlate credentials to challenges.",
+        path: `${idx}.id`
+      });
+    }
+    if (!params["method"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_METHOD_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the method parameter.`,
+        hint: 'Set method="tempo" (or your payment method identifier) on the Payment challenge.',
+        path: `${idx}.method`
+      });
+    }
+    if (!params["intent"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_INTENT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the intent parameter.`,
+        hint: 'Set intent="charge" on the Payment challenge.',
+        path: `${idx}.intent`
+      });
+    }
+    if (!params["realm"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_REALM_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the realm parameter.`,
+        hint: "Set realm to a stable server identifier so clients can associate payment credentials.",
+        path: `${idx}.realm`
+      });
+    }
+    if (!params["expires"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_EXPIRES_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the expires parameter.`,
+        hint: "Set expires to an RFC 3339 timestamp so clients know when the challenge lapses.",
+        path: `${idx}.expires`
+      });
+    }
+    const requestStr = params["request"];
+    if (!requestStr) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_REQUEST_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the request field.`,
+        hint: `Include a base64url-encoded JSON request field: request=base64url('{"currency":"...","amount":"...","recipient":"..."}')`,
+        path: `${idx}.request`
+      });
+      continue;
+    }
+    let request;
+    try {
+      const decoded = Buffer.from(requestStr, "base64url").toString("utf-8");
+      const parsed = JSON.parse(decoded);
+      if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+        throw new Error("not an object");
+      }
+      request = parsed;
+    } catch {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_REQUEST_INVALID,
+        severity: "error",
+        message: `Payment challenge ${i} request field is not valid base64url-encoded JSON.`,
+        hint: "The request value must be a base64url-encoded JCS JSON object.",
+        path: `${idx}.request`
+      });
+      continue;
+    }
+    if (!request["currency"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_ASSET_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing currency in the request object.`,
+        hint: "Set currency to a TIP-20 token address (e.g. a USDC contract).",
+        path: `${idx}.request.currency`
+      });
+    }
+    const amount = request["amount"];
+    if (amount === void 0 || amount === null) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_AMOUNT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing amount in the request object.`,
+        hint: 'Set amount to a raw token-unit string (e.g. "1000000" for 1 USDC with 6 decimals).',
+        path: `${idx}.request.amount`
+      });
+    } else if (typeof amount !== "string" && typeof amount !== "number") {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_AMOUNT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} has an invalid amount type (got ${typeof amount}, expected string or number).`,
+        hint: "Set amount to a raw token-unit string.",
+        path: `${idx}.request.amount`
+      });
+    }
+    if (!request["recipient"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_RECIPIENT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing recipient in the request object.`,
+        hint: "Set recipient to the wallet address that should receive payment.",
+        path: `${idx}.request.recipient`
+      });
+    }
+  }
+  return warnings;
+}
+
 // src/audit/warnings/l3.ts
 function getWarningsFor402Body(body) {
   if (!isRecord(body)) {
@@ -14831,17 +14991,28 @@ function getWarningsForL3(l3) {
       hint: "Add a requestBody or parameters schema so agents can construct valid payloads."
     });
   }
-  if (l3.authMode === "paid" && !l3.protocols?.length) {
+  if (l3.authMode === "paid" && l3.source === "openapi" && !l3.protocols?.length) {
     warnings.push({
       code: AUDIT_CODES.L3_PROTOCOLS_MISSING_ON_PAID,
       severity: "info",
       message: "Paid endpoint does not declare supported payment protocols.",
-      hint: "Add x-payment-info.protocols (e.g. ['x402']) to the operation."
+      hint: "Add x-payment-info.protocols (e.g. ['x402', 'mpp']) to the operation."
+    });
+  }
+  if (l3.authMode === "paid" && l3.source === "probe" && !l3.paymentOptions?.length) {
+    warnings.push({
+      code: AUDIT_CODES.L3_PAYMENT_OPTIONS_MISSING_ON_PAID,
+      severity: "warn",
+      message: "Paid endpoint did not return payment options in the 402 response.",
+      hint: "Ensure the 402 response returns a valid payment challenge so clients know how to pay."
     });
   }
   if (l3.paymentRequiredBody !== void 0) {
     warnings.push(...getWarningsFor402Body(l3.paymentRequiredBody));
   }
+  if (l3.wwwAuthenticate !== void 0) {
+    warnings.push(...getWarningsForMppHeader(l3.wwwAuthenticate));
+  }
   return warnings;
 }
 
@@ -14944,7 +15115,7 @@ function detectProtocols(response) {
   }
   const authHeader = response.headers.get("www-authenticate")?.toLowerCase() ?? "";
   if (authHeader.includes("x402")) protocols.add("x402");
-  if (isMmmEnabled() && authHeader.includes("mpp")) protocols.add("mpp");
+  if (authHeader.includes("mpp")) protocols.add("mpp");
   return [...protocols];
 }
 function buildProbeUrl(url2, method, inputBody) {
@@ -15014,7 +15185,7 @@ function getProbe(url2, headers, signal, inputBody) {
 
 // src/core/protocols/mpp/index.ts
 var TEMPO_DEFAULT_CHAIN_ID = 4217;
-function parseAuthParams(segment) {
+function parseAuthParams2(segment) {
   const params = {};
   const re = /(\w+)=(?:"([^"]*)"|'([^']*)')/g;
   let match;
@@ -15024,11 +15195,11 @@ function parseAuthParams(segment) {
   return params;
 }
 function extractPaymentOptions4(wwwAuthenticate) {
-  if (!isMmmEnabled() || !wwwAuthenticate) return [];
+  if (!wwwAuthenticate) return [];
   const options = [];
   for (const segment of wwwAuthenticate.split(/,\s*(?=Payment\s)/i)) {
     const stripped = segment.replace(/^Payment\s+/i, "").trim();
-    const params = parseAuthParams(stripped);
+    const params = parseAuthParams2(stripped);
     const paymentMethod = params["method"];
     const intent = params["intent"];
     const realm = params["realm"];
@@ -15053,12 +15224,10 @@ function extractPaymentOptions4(wwwAuthenticate) {
     if (!asset || !amount) continue;
     options.push({
       protocol: "mpp",
-      // isMmmEnabled
       paymentMethod,
       intent,
       realm,
       network: `tempo:${String(chainId)}`,
-      // isMmmEnabled
       asset,
       amount,
       ...decimals != null ? { decimals } : {},
@@ -15186,7 +15355,7 @@ function parseOperationProtocols(operation) {
   const paymentInfo = operation["x-payment-info"];
   if (!isRecord(paymentInfo) || !Array.isArray(paymentInfo.protocols)) return void 0;
   const protocols = paymentInfo.protocols.filter(
-    (protocol) => typeof protocol === "string" && protocol.length > 0 && (protocol !== "mpp" || isMmmEnabled())
+    (protocol) => typeof protocol === "string" && protocol.length > 0
   );
   return protocols.length > 0 ? protocols : void 0;
 }
@@ -15217,8 +15386,7 @@ function getL3ForProbe(probe, path, method) {
   const outputSchema = probeResult.paymentRequiredBody ? parseOutputSchema(probeResult.paymentRequiredBody) : void 0;
   const paymentOptions = [
     ...probeResult.paymentRequiredBody ? extractPaymentOptions3(probeResult.paymentRequiredBody) : [],
-    ...isMmmEnabled() ? extractPaymentOptions4(probeResult.wwwAuthenticate) : []
-    // isMmmEnabled
+    ...extractPaymentOptions4(probeResult.wwwAuthenticate)
   ];
   return {
     source: "probe",
@@ -15227,7 +15395,8 @@ function getL3ForProbe(probe, path, method) {
     ...inputSchema ? { inputSchema } : {},
     ...outputSchema ? { outputSchema } : {},
     ...paymentOptions.length ? { paymentOptions } : {},
-    ...probeResult.paymentRequiredBody !== void 0 ? { paymentRequiredBody: probeResult.paymentRequiredBody } : {}
+    ...probeResult.paymentRequiredBody !== void 0 ? { paymentRequiredBody: probeResult.paymentRequiredBody } : {},
+    ...probeResult.wwwAuthenticate ? { wwwAuthenticate: probeResult.wwwAuthenticate } : {}
   };
 }
 async function attachProbePayload(url2, advisories) {
@@ -15258,7 +15427,7 @@ async function checkEndpointSchema(options) {
   const endpoint = new URL(ensureProtocol(options.url));
   const origin = normalizeOrigin(endpoint.origin);
   const path = normalizePath(endpoint.pathname || "/");
-  if (options.sampleInputBody !== void 0) {
+  if (options.probe || options.sampleInputBody !== void 0) {
     const probeResult2 = await getProbe(
       endpoint.href,
       options.headers,