@agentcash/discovery 1.1.3 → 1.2.0

package/dist/cli.cjs

@@ -14146,9 +14146,23 @@ var AUDIT_CODES = {
   L3_INPUT_SCHEMA_MISSING: "L3_INPUT_SCHEMA_MISSING",
   L3_AUTH_MODE_MISSING: "L3_AUTH_MODE_MISSING",
   L3_PROTOCOLS_MISSING_ON_PAID: "L3_PROTOCOLS_MISSING_ON_PAID",
+  L3_PAYMENT_OPTIONS_MISSING_ON_PAID: "L3_PAYMENT_OPTIONS_MISSING_ON_PAID",
   // ─── L4 guidance checks ──────────────────────────────────────────────────────
   L4_GUIDANCE_MISSING: "L4_GUIDANCE_MISSING",
-  L4_GUIDANCE_TOO_LONG: "L4_GUIDANCE_TOO_LONG"
+  L4_GUIDANCE_TOO_LONG: "L4_GUIDANCE_TOO_LONG",
+  // ─── MPP WWW-Authenticate header checks ──────────────────────────────────────
+  MPP_HEADER_MISSING: "MPP_HEADER_MISSING",
+  MPP_NO_PAYMENT_CHALLENGES: "MPP_NO_PAYMENT_CHALLENGES",
+  MPP_CHALLENGE_ID_MISSING: "MPP_CHALLENGE_ID_MISSING",
+  MPP_CHALLENGE_METHOD_MISSING: "MPP_CHALLENGE_METHOD_MISSING",
+  MPP_CHALLENGE_INTENT_MISSING: "MPP_CHALLENGE_INTENT_MISSING",
+  MPP_CHALLENGE_REALM_MISSING: "MPP_CHALLENGE_REALM_MISSING",
+  MPP_CHALLENGE_EXPIRES_MISSING: "MPP_CHALLENGE_EXPIRES_MISSING",
+  MPP_CHALLENGE_REQUEST_MISSING: "MPP_CHALLENGE_REQUEST_MISSING",
+  MPP_CHALLENGE_REQUEST_INVALID: "MPP_CHALLENGE_REQUEST_INVALID",
+  MPP_CHALLENGE_ASSET_MISSING: "MPP_CHALLENGE_ASSET_MISSING",
+  MPP_CHALLENGE_AMOUNT_MISSING: "MPP_CHALLENGE_AMOUNT_MISSING",
+  MPP_CHALLENGE_RECIPIENT_MISSING: "MPP_CHALLENGE_RECIPIENT_MISSING"
 };
 
 // src/audit/warnings/sources.ts
@@ -14727,6 +14741,157 @@ function validateWithCoinbaseSchema2(body) {
   });
 }
 
+// src/audit/warnings/mpp.ts
+function parseAuthParams(segment) {
+  const params = {};
+  const re = /(\w+)=(?:"([^"]*)"|'([^']*)')/g;
+  let match;
+  while ((match = re.exec(segment)) !== null) {
+    params[match[1]] = match[2] ?? match[3] ?? "";
+  }
+  return params;
+}
+function getWarningsForMppHeader(wwwAuthenticate) {
+  if (!wwwAuthenticate?.trim()) {
+    return [
+      {
+        code: AUDIT_CODES.MPP_HEADER_MISSING,
+        severity: "error",
+        message: "WWW-Authenticate header is absent.",
+        hint: "MPP endpoints must respond to unauthenticated requests with a 402 and a WWW-Authenticate: Payment ... header."
+      }
+    ];
+  }
+  const segments = wwwAuthenticate.split(/,\s*(?=Payment\s)/i).filter((s) => /^Payment\s/i.test(s.trim()));
+  if (segments.length === 0) {
+    return [
+      {
+        code: AUDIT_CODES.MPP_NO_PAYMENT_CHALLENGES,
+        severity: "error",
+        message: "WWW-Authenticate header contains no Payment challenges.",
+        hint: `Add at least one Payment challenge: WWW-Authenticate: Payment method="tempo" intent="charge" realm="..." request='...'`
+      }
+    ];
+  }
+  const warnings = [];
+  for (let i = 0; i < segments.length; i++) {
+    const stripped = segments[i].replace(/^Payment\s+/i, "").trim();
+    const params = parseAuthParams(stripped);
+    const idx = `WWW-Authenticate[${i}]`;
+    if (!params["id"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_ID_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the id parameter.`,
+        hint: "Set id to a unique challenge identifier so clients can correlate credentials to challenges.",
+        path: `${idx}.id`
+      });
+    }
+    if (!params["method"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_METHOD_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the method parameter.`,
+        hint: 'Set method="tempo" (or your payment method identifier) on the Payment challenge.',
+        path: `${idx}.method`
+      });
+    }
+    if (!params["intent"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_INTENT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the intent parameter.`,
+        hint: 'Set intent="charge" on the Payment challenge.',
+        path: `${idx}.intent`
+      });
+    }
+    if (!params["realm"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_REALM_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the realm parameter.`,
+        hint: "Set realm to a stable server identifier so clients can associate payment credentials.",
+        path: `${idx}.realm`
+      });
+    }
+    if (!params["expires"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_EXPIRES_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the expires parameter.`,
+        hint: "Set expires to an RFC 3339 timestamp so clients know when the challenge lapses.",
+        path: `${idx}.expires`
+      });
+    }
+    const requestStr = params["request"];
+    if (!requestStr) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_REQUEST_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the request field.`,
+        hint: `Include a base64url-encoded JSON request field: request=base64url('{"currency":"...","amount":"...","recipient":"..."}')`,
+        path: `${idx}.request`
+      });
+      continue;
+    }
+    let request;
+    try {
+      const decoded = Buffer.from(requestStr, "base64url").toString("utf-8");
+      const parsed = JSON.parse(decoded);
+      if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+        throw new Error("not an object");
+      }
+      request = parsed;
+    } catch {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_REQUEST_INVALID,
+        severity: "error",
+        message: `Payment challenge ${i} request field is not valid base64url-encoded JSON.`,
+        hint: "The request value must be a base64url-encoded JCS JSON object.",
+        path: `${idx}.request`
+      });
+      continue;
+    }
+    if (!request["currency"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_ASSET_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing currency in the request object.`,
+        hint: "Set currency to a TIP-20 token address (e.g. a USDC contract).",
+        path: `${idx}.request.currency`
+      });
+    }
+    const amount = request["amount"];
+    if (amount === void 0 || amount === null) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_AMOUNT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing amount in the request object.`,
+        hint: 'Set amount to a raw token-unit string (e.g. "1000000" for 1 USDC with 6 decimals).',
+        path: `${idx}.request.amount`
+      });
+    } else if (typeof amount !== "string" && typeof amount !== "number") {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_AMOUNT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} has an invalid amount type (got ${typeof amount}, expected string or number).`,
+        hint: "Set amount to a raw token-unit string.",
+        path: `${idx}.request.amount`
+      });
+    }
+    if (!request["recipient"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_RECIPIENT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing recipient in the request object.`,
+        hint: "Set recipient to the wallet address that should receive payment.",
+        path: `${idx}.request.recipient`
+      });
+    }
+  }
+  return warnings;
+}
+
 // src/audit/warnings/l3.ts
 function getWarningsFor402Body(body) {
   if (!isRecord(body)) {
@@ -14856,17 +15021,28 @@ function getWarningsForL3(l3) {
       hint: "Add a requestBody or parameters schema so agents can construct valid payloads."
     });
   }
-  if (l3.authMode === "paid" && !l3.protocols?.length) {
+  if (l3.authMode === "paid" && l3.source === "openapi" && !l3.protocols?.length) {
     warnings.push({
       code: AUDIT_CODES.L3_PROTOCOLS_MISSING_ON_PAID,
       severity: "info",
       message: "Paid endpoint does not declare supported payment protocols.",
-      hint: "Add x-payment-info.protocols (e.g. ['x402']) to the operation."
+      hint: "Add x-payment-info.protocols (e.g. ['x402', 'mpp']) to the operation."
+    });
+  }
+  if (l3.authMode === "paid" && l3.source === "probe" && !l3.paymentOptions?.length) {
+    warnings.push({
+      code: AUDIT_CODES.L3_PAYMENT_OPTIONS_MISSING_ON_PAID,
+      severity: "warn",
+      message: "Paid endpoint did not return payment options in the 402 response.",
+      hint: "Ensure the 402 response returns a valid payment challenge so clients know how to pay."
     });
   }
   if (l3.paymentRequiredBody !== void 0) {
     warnings.push(...getWarningsFor402Body(l3.paymentRequiredBody));
   }
+  if (l3.wwwAuthenticate !== void 0) {
+    warnings.push(...getWarningsForMppHeader(l3.wwwAuthenticate));
+  }
   return warnings;
 }
 
@@ -15039,7 +15215,7 @@ function getProbe(url2, headers, signal, inputBody) {
 
 // src/core/protocols/mpp/index.ts
 var TEMPO_DEFAULT_CHAIN_ID = 4217;
-function parseAuthParams(segment) {
+function parseAuthParams2(segment) {
   const params = {};
   const re = /(\w+)=(?:"([^"]*)"|'([^']*)')/g;
   let match;
@@ -15053,7 +15229,7 @@ function extractPaymentOptions4(wwwAuthenticate) {
   const options = [];
   for (const segment of wwwAuthenticate.split(/,\s*(?=Payment\s)/i)) {
     const stripped = segment.replace(/^Payment\s+/i, "").trim();
-    const params = parseAuthParams(stripped);
+    const params = parseAuthParams2(stripped);
     const paymentMethod = params["method"];
     const intent = params["intent"];
     const realm = params["realm"];
@@ -15249,7 +15425,8 @@ function getL3ForProbe(probe, path, method) {
     ...inputSchema ? { inputSchema } : {},
     ...outputSchema ? { outputSchema } : {},
     ...paymentOptions.length ? { paymentOptions } : {},
-    ...probeResult.paymentRequiredBody !== void 0 ? { paymentRequiredBody: probeResult.paymentRequiredBody } : {}
+    ...probeResult.paymentRequiredBody !== void 0 ? { paymentRequiredBody: probeResult.paymentRequiredBody } : {},
+    ...probeResult.wwwAuthenticate ? { wwwAuthenticate: probeResult.wwwAuthenticate } : {}
   };
 }
 async function attachProbePayload(url2, advisories) {

package/dist/cli.js

@@ -14116,9 +14116,23 @@ var AUDIT_CODES = {
   L3_INPUT_SCHEMA_MISSING: "L3_INPUT_SCHEMA_MISSING",
   L3_AUTH_MODE_MISSING: "L3_AUTH_MODE_MISSING",
   L3_PROTOCOLS_MISSING_ON_PAID: "L3_PROTOCOLS_MISSING_ON_PAID",
+  L3_PAYMENT_OPTIONS_MISSING_ON_PAID: "L3_PAYMENT_OPTIONS_MISSING_ON_PAID",
   // ─── L4 guidance checks ──────────────────────────────────────────────────────
   L4_GUIDANCE_MISSING: "L4_GUIDANCE_MISSING",
-  L4_GUIDANCE_TOO_LONG: "L4_GUIDANCE_TOO_LONG"
+  L4_GUIDANCE_TOO_LONG: "L4_GUIDANCE_TOO_LONG",
+  // ─── MPP WWW-Authenticate header checks ──────────────────────────────────────
+  MPP_HEADER_MISSING: "MPP_HEADER_MISSING",
+  MPP_NO_PAYMENT_CHALLENGES: "MPP_NO_PAYMENT_CHALLENGES",
+  MPP_CHALLENGE_ID_MISSING: "MPP_CHALLENGE_ID_MISSING",
+  MPP_CHALLENGE_METHOD_MISSING: "MPP_CHALLENGE_METHOD_MISSING",
+  MPP_CHALLENGE_INTENT_MISSING: "MPP_CHALLENGE_INTENT_MISSING",
+  MPP_CHALLENGE_REALM_MISSING: "MPP_CHALLENGE_REALM_MISSING",
+  MPP_CHALLENGE_EXPIRES_MISSING: "MPP_CHALLENGE_EXPIRES_MISSING",
+  MPP_CHALLENGE_REQUEST_MISSING: "MPP_CHALLENGE_REQUEST_MISSING",
+  MPP_CHALLENGE_REQUEST_INVALID: "MPP_CHALLENGE_REQUEST_INVALID",
+  MPP_CHALLENGE_ASSET_MISSING: "MPP_CHALLENGE_ASSET_MISSING",
+  MPP_CHALLENGE_AMOUNT_MISSING: "MPP_CHALLENGE_AMOUNT_MISSING",
+  MPP_CHALLENGE_RECIPIENT_MISSING: "MPP_CHALLENGE_RECIPIENT_MISSING"
 };
 
 // src/audit/warnings/sources.ts
@@ -14697,6 +14711,157 @@ function validateWithCoinbaseSchema2(body) {
   });
 }
 
+// src/audit/warnings/mpp.ts
+function parseAuthParams(segment) {
+  const params = {};
+  const re = /(\w+)=(?:"([^"]*)"|'([^']*)')/g;
+  let match;
+  while ((match = re.exec(segment)) !== null) {
+    params[match[1]] = match[2] ?? match[3] ?? "";
+  }
+  return params;
+}
+function getWarningsForMppHeader(wwwAuthenticate) {
+  if (!wwwAuthenticate?.trim()) {
+    return [
+      {
+        code: AUDIT_CODES.MPP_HEADER_MISSING,
+        severity: "error",
+        message: "WWW-Authenticate header is absent.",
+        hint: "MPP endpoints must respond to unauthenticated requests with a 402 and a WWW-Authenticate: Payment ... header."
+      }
+    ];
+  }
+  const segments = wwwAuthenticate.split(/,\s*(?=Payment\s)/i).filter((s) => /^Payment\s/i.test(s.trim()));
+  if (segments.length === 0) {
+    return [
+      {
+        code: AUDIT_CODES.MPP_NO_PAYMENT_CHALLENGES,
+        severity: "error",
+        message: "WWW-Authenticate header contains no Payment challenges.",
+        hint: `Add at least one Payment challenge: WWW-Authenticate: Payment method="tempo" intent="charge" realm="..." request='...'`
+      }
+    ];
+  }
+  const warnings = [];
+  for (let i = 0; i < segments.length; i++) {
+    const stripped = segments[i].replace(/^Payment\s+/i, "").trim();
+    const params = parseAuthParams(stripped);
+    const idx = `WWW-Authenticate[${i}]`;
+    if (!params["id"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_ID_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the id parameter.`,
+        hint: "Set id to a unique challenge identifier so clients can correlate credentials to challenges.",
+        path: `${idx}.id`
+      });
+    }
+    if (!params["method"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_METHOD_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the method parameter.`,
+        hint: 'Set method="tempo" (or your payment method identifier) on the Payment challenge.',
+        path: `${idx}.method`
+      });
+    }
+    if (!params["intent"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_INTENT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the intent parameter.`,
+        hint: 'Set intent="charge" on the Payment challenge.',
+        path: `${idx}.intent`
+      });
+    }
+    if (!params["realm"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_REALM_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the realm parameter.`,
+        hint: "Set realm to a stable server identifier so clients can associate payment credentials.",
+        path: `${idx}.realm`
+      });
+    }
+    if (!params["expires"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_EXPIRES_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the expires parameter.`,
+        hint: "Set expires to an RFC 3339 timestamp so clients know when the challenge lapses.",
+        path: `${idx}.expires`
+      });
+    }
+    const requestStr = params["request"];
+    if (!requestStr) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_REQUEST_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the request field.`,
+        hint: `Include a base64url-encoded JSON request field: request=base64url('{"currency":"...","amount":"...","recipient":"..."}')`,
+        path: `${idx}.request`
+      });
+      continue;
+    }
+    let request;
+    try {
+      const decoded = Buffer.from(requestStr, "base64url").toString("utf-8");
+      const parsed = JSON.parse(decoded);
+      if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+        throw new Error("not an object");
+      }
+      request = parsed;
+    } catch {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_REQUEST_INVALID,
+        severity: "error",
+        message: `Payment challenge ${i} request field is not valid base64url-encoded JSON.`,
+        hint: "The request value must be a base64url-encoded JCS JSON object.",
+        path: `${idx}.request`
+      });
+      continue;
+    }
+    if (!request["currency"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_ASSET_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing currency in the request object.`,
+        hint: "Set currency to a TIP-20 token address (e.g. a USDC contract).",
+        path: `${idx}.request.currency`
+      });
+    }
+    const amount = request["amount"];
+    if (amount === void 0 || amount === null) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_AMOUNT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing amount in the request object.`,
+        hint: 'Set amount to a raw token-unit string (e.g. "1000000" for 1 USDC with 6 decimals).',
+        path: `${idx}.request.amount`
+      });
+    } else if (typeof amount !== "string" && typeof amount !== "number") {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_AMOUNT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} has an invalid amount type (got ${typeof amount}, expected string or number).`,
+        hint: "Set amount to a raw token-unit string.",
+        path: `${idx}.request.amount`
+      });
+    }
+    if (!request["recipient"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_RECIPIENT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing recipient in the request object.`,
+        hint: "Set recipient to the wallet address that should receive payment.",
+        path: `${idx}.request.recipient`
+      });
+    }
+  }
+  return warnings;
+}
+
 // src/audit/warnings/l3.ts
 function getWarningsFor402Body(body) {
   if (!isRecord(body)) {
@@ -14826,17 +14991,28 @@ function getWarningsForL3(l3) {
       hint: "Add a requestBody or parameters schema so agents can construct valid payloads."
     });
   }
-  if (l3.authMode === "paid" && !l3.protocols?.length) {
+  if (l3.authMode === "paid" && l3.source === "openapi" && !l3.protocols?.length) {
     warnings.push({
       code: AUDIT_CODES.L3_PROTOCOLS_MISSING_ON_PAID,
       severity: "info",
       message: "Paid endpoint does not declare supported payment protocols.",
-      hint: "Add x-payment-info.protocols (e.g. ['x402']) to the operation."
+      hint: "Add x-payment-info.protocols (e.g. ['x402', 'mpp']) to the operation."
+    });
+  }
+  if (l3.authMode === "paid" && l3.source === "probe" && !l3.paymentOptions?.length) {
+    warnings.push({
+      code: AUDIT_CODES.L3_PAYMENT_OPTIONS_MISSING_ON_PAID,
+      severity: "warn",
+      message: "Paid endpoint did not return payment options in the 402 response.",
+      hint: "Ensure the 402 response returns a valid payment challenge so clients know how to pay."
     });
   }
   if (l3.paymentRequiredBody !== void 0) {
     warnings.push(...getWarningsFor402Body(l3.paymentRequiredBody));
   }
+  if (l3.wwwAuthenticate !== void 0) {
+    warnings.push(...getWarningsForMppHeader(l3.wwwAuthenticate));
+  }
   return warnings;
 }
 
@@ -15009,7 +15185,7 @@ function getProbe(url2, headers, signal, inputBody) {
 
 // src/core/protocols/mpp/index.ts
 var TEMPO_DEFAULT_CHAIN_ID = 4217;
-function parseAuthParams(segment) {
+function parseAuthParams2(segment) {
   const params = {};
   const re = /(\w+)=(?:"([^"]*)"|'([^']*)')/g;
   let match;
@@ -15023,7 +15199,7 @@ function extractPaymentOptions4(wwwAuthenticate) {
   const options = [];
   for (const segment of wwwAuthenticate.split(/,\s*(?=Payment\s)/i)) {
     const stripped = segment.replace(/^Payment\s+/i, "").trim();
-    const params = parseAuthParams(stripped);
+    const params = parseAuthParams2(stripped);
     const paymentMethod = params["method"];
     const intent = params["intent"];
     const realm = params["realm"];
@@ -15219,7 +15395,8 @@ function getL3ForProbe(probe, path, method) {
     ...inputSchema ? { inputSchema } : {},
     ...outputSchema ? { outputSchema } : {},
     ...paymentOptions.length ? { paymentOptions } : {},
-    ...probeResult.paymentRequiredBody !== void 0 ? { paymentRequiredBody: probeResult.paymentRequiredBody } : {}
+    ...probeResult.paymentRequiredBody !== void 0 ? { paymentRequiredBody: probeResult.paymentRequiredBody } : {},
+    ...probeResult.wwwAuthenticate ? { wwwAuthenticate: probeResult.wwwAuthenticate } : {}
   };
 }
 async function attachProbePayload(url2, advisories) {

package/dist/index.cjs

@@ -50,6 +50,7 @@ __export(index_exports, {
   getWarningsForL2: () => getWarningsForL2,
   getWarningsForL3: () => getWarningsForL3,
   getWarningsForL4: () => getWarningsForL4,
+  getWarningsForMppHeader: () => getWarningsForMppHeader,
   getWarningsForOpenAPI: () => getWarningsForOpenAPI,
   getWarningsForWellKnown: () => getWarningsForWellKnown,
   getWellKnown: () => getWellKnown,
@@ -14930,7 +14931,8 @@ function getL3ForProbe(probe, path, method) {
     ...inputSchema ? { inputSchema } : {},
     ...outputSchema ? { outputSchema } : {},
     ...paymentOptions.length ? { paymentOptions } : {},
-    ...probeResult.paymentRequiredBody !== void 0 ? { paymentRequiredBody: probeResult.paymentRequiredBody } : {}
+    ...probeResult.paymentRequiredBody !== void 0 ? { paymentRequiredBody: probeResult.paymentRequiredBody } : {},
+    ...probeResult.wwwAuthenticate ? { wwwAuthenticate: probeResult.wwwAuthenticate } : {}
   };
 }
 async function attachProbePayload(url2, advisories) {
@@ -15111,9 +15113,23 @@ var AUDIT_CODES = {
   L3_INPUT_SCHEMA_MISSING: "L3_INPUT_SCHEMA_MISSING",
   L3_AUTH_MODE_MISSING: "L3_AUTH_MODE_MISSING",
   L3_PROTOCOLS_MISSING_ON_PAID: "L3_PROTOCOLS_MISSING_ON_PAID",
+  L3_PAYMENT_OPTIONS_MISSING_ON_PAID: "L3_PAYMENT_OPTIONS_MISSING_ON_PAID",
   // ─── L4 guidance checks ──────────────────────────────────────────────────────
   L4_GUIDANCE_MISSING: "L4_GUIDANCE_MISSING",
-  L4_GUIDANCE_TOO_LONG: "L4_GUIDANCE_TOO_LONG"
+  L4_GUIDANCE_TOO_LONG: "L4_GUIDANCE_TOO_LONG",
+  // ─── MPP WWW-Authenticate header checks ──────────────────────────────────────
+  MPP_HEADER_MISSING: "MPP_HEADER_MISSING",
+  MPP_NO_PAYMENT_CHALLENGES: "MPP_NO_PAYMENT_CHALLENGES",
+  MPP_CHALLENGE_ID_MISSING: "MPP_CHALLENGE_ID_MISSING",
+  MPP_CHALLENGE_METHOD_MISSING: "MPP_CHALLENGE_METHOD_MISSING",
+  MPP_CHALLENGE_INTENT_MISSING: "MPP_CHALLENGE_INTENT_MISSING",
+  MPP_CHALLENGE_REALM_MISSING: "MPP_CHALLENGE_REALM_MISSING",
+  MPP_CHALLENGE_EXPIRES_MISSING: "MPP_CHALLENGE_EXPIRES_MISSING",
+  MPP_CHALLENGE_REQUEST_MISSING: "MPP_CHALLENGE_REQUEST_MISSING",
+  MPP_CHALLENGE_REQUEST_INVALID: "MPP_CHALLENGE_REQUEST_INVALID",
+  MPP_CHALLENGE_ASSET_MISSING: "MPP_CHALLENGE_ASSET_MISSING",
+  MPP_CHALLENGE_AMOUNT_MISSING: "MPP_CHALLENGE_AMOUNT_MISSING",
+  MPP_CHALLENGE_RECIPIENT_MISSING: "MPP_CHALLENGE_RECIPIENT_MISSING"
 };
 
 // src/core/protocols/x402/v1/coinbase-schema.ts
@@ -15202,6 +15218,157 @@ function validateWithCoinbaseSchema2(body) {
   });
 }
 
+// src/audit/warnings/mpp.ts
+function parseAuthParams2(segment) {
+  const params = {};
+  const re = /(\w+)=(?:"([^"]*)"|'([^']*)')/g;
+  let match;
+  while ((match = re.exec(segment)) !== null) {
+    params[match[1]] = match[2] ?? match[3] ?? "";
+  }
+  return params;
+}
+function getWarningsForMppHeader(wwwAuthenticate) {
+  if (!wwwAuthenticate?.trim()) {
+    return [
+      {
+        code: AUDIT_CODES.MPP_HEADER_MISSING,
+        severity: "error",
+        message: "WWW-Authenticate header is absent.",
+        hint: "MPP endpoints must respond to unauthenticated requests with a 402 and a WWW-Authenticate: Payment ... header."
+      }
+    ];
+  }
+  const segments = wwwAuthenticate.split(/,\s*(?=Payment\s)/i).filter((s) => /^Payment\s/i.test(s.trim()));
+  if (segments.length === 0) {
+    return [
+      {
+        code: AUDIT_CODES.MPP_NO_PAYMENT_CHALLENGES,
+        severity: "error",
+        message: "WWW-Authenticate header contains no Payment challenges.",
+        hint: `Add at least one Payment challenge: WWW-Authenticate: Payment method="tempo" intent="charge" realm="..." request='...'`
+      }
+    ];
+  }
+  const warnings = [];
+  for (let i = 0; i < segments.length; i++) {
+    const stripped = segments[i].replace(/^Payment\s+/i, "").trim();
+    const params = parseAuthParams2(stripped);
+    const idx = `WWW-Authenticate[${i}]`;
+    if (!params["id"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_ID_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the id parameter.`,
+        hint: "Set id to a unique challenge identifier so clients can correlate credentials to challenges.",
+        path: `${idx}.id`
+      });
+    }
+    if (!params["method"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_METHOD_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the method parameter.`,
+        hint: 'Set method="tempo" (or your payment method identifier) on the Payment challenge.',
+        path: `${idx}.method`
+      });
+    }
+    if (!params["intent"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_INTENT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the intent parameter.`,
+        hint: 'Set intent="charge" on the Payment challenge.',
+        path: `${idx}.intent`
+      });
+    }
+    if (!params["realm"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_REALM_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the realm parameter.`,
+        hint: "Set realm to a stable server identifier so clients can associate payment credentials.",
+        path: `${idx}.realm`
+      });
+    }
+    if (!params["expires"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_EXPIRES_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the expires parameter.`,
+        hint: "Set expires to an RFC 3339 timestamp so clients know when the challenge lapses.",
+        path: `${idx}.expires`
+      });
+    }
+    const requestStr = params["request"];
+    if (!requestStr) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_REQUEST_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the request field.`,
+        hint: `Include a base64url-encoded JSON request field: request=base64url('{"currency":"...","amount":"...","recipient":"..."}')`,
+        path: `${idx}.request`
+      });
+      continue;
+    }
+    let request;
+    try {
+      const decoded = Buffer.from(requestStr, "base64url").toString("utf-8");
+      const parsed = JSON.parse(decoded);
+      if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+        throw new Error("not an object");
+      }
+      request = parsed;
+    } catch {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_REQUEST_INVALID,
+        severity: "error",
+        message: `Payment challenge ${i} request field is not valid base64url-encoded JSON.`,
+        hint: "The request value must be a base64url-encoded JCS JSON object.",
+        path: `${idx}.request`
+      });
+      continue;
+    }
+    if (!request["currency"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_ASSET_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing currency in the request object.`,
+        hint: "Set currency to a TIP-20 token address (e.g. a USDC contract).",
+        path: `${idx}.request.currency`
+      });
+    }
+    const amount = request["amount"];
+    if (amount === void 0 || amount === null) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_AMOUNT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing amount in the request object.`,
+        hint: 'Set amount to a raw token-unit string (e.g. "1000000" for 1 USDC with 6 decimals).',
+        path: `${idx}.request.amount`
+      });
+    } else if (typeof amount !== "string" && typeof amount !== "number") {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_AMOUNT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} has an invalid amount type (got ${typeof amount}, expected string or number).`,
+        hint: "Set amount to a raw token-unit string.",
+        path: `${idx}.request.amount`
+      });
+    }
+    if (!request["recipient"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_RECIPIENT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing recipient in the request object.`,
+        hint: "Set recipient to the wallet address that should receive payment.",
+        path: `${idx}.request.recipient`
+      });
+    }
+  }
+  return warnings;
+}
+
 // src/audit/warnings/l3.ts
 function getWarningsFor402Body(body) {
   if (!isRecord(body)) {
@@ -15331,17 +15498,28 @@ function getWarningsForL3(l3) {
       hint: "Add a requestBody or parameters schema so agents can construct valid payloads."
     });
   }
-  if (l3.authMode === "paid" && !l3.protocols?.length) {
+  if (l3.authMode === "paid" && l3.source === "openapi" && !l3.protocols?.length) {
     warnings.push({
       code: AUDIT_CODES.L3_PROTOCOLS_MISSING_ON_PAID,
       severity: "info",
       message: "Paid endpoint does not declare supported payment protocols.",
-      hint: "Add x-payment-info.protocols (e.g. ['x402']) to the operation."
+      hint: "Add x-payment-info.protocols (e.g. ['x402', 'mpp']) to the operation."
+    });
+  }
+  if (l3.authMode === "paid" && l3.source === "probe" && !l3.paymentOptions?.length) {
+    warnings.push({
+      code: AUDIT_CODES.L3_PAYMENT_OPTIONS_MISSING_ON_PAID,
+      severity: "warn",
+      message: "Paid endpoint did not return payment options in the 402 response.",
+      hint: "Ensure the 402 response returns a valid payment challenge so clients know how to pay."
     });
   }
   if (l3.paymentRequiredBody !== void 0) {
     warnings.push(...getWarningsFor402Body(l3.paymentRequiredBody));
   }
+  if (l3.wwwAuthenticate !== void 0) {
+    warnings.push(...getWarningsForMppHeader(l3.wwwAuthenticate));
+  }
   return warnings;
 }
 
@@ -15566,6 +15744,7 @@ function getWarningsForL4(l4) {
   getWarningsForL2,
   getWarningsForL3,
   getWarningsForL4,
+  getWarningsForMppHeader,
   getWarningsForOpenAPI,
   getWarningsForWellKnown,
   getWellKnown,

package/dist/index.d.cts

@@ -137,6 +137,11 @@ interface L3Result {
      * and returned a 402. Used by getWarningsForL3 to run full payment-required validation.
      */
     paymentRequiredBody?: unknown;
+    /**
+     * Raw WWW-Authenticate header value from the 402 response. Present when the endpoint
+     * was probed and returned a 402 with an MPP challenge. Used by getWarningsForMppHeader.
+     */
+    wwwAuthenticate?: string;
 }
 interface L4Result {
     guidance: string;
@@ -361,8 +366,21 @@ declare const AUDIT_CODES: {
     readonly L3_INPUT_SCHEMA_MISSING: "L3_INPUT_SCHEMA_MISSING";
     readonly L3_AUTH_MODE_MISSING: "L3_AUTH_MODE_MISSING";
     readonly L3_PROTOCOLS_MISSING_ON_PAID: "L3_PROTOCOLS_MISSING_ON_PAID";
+    readonly L3_PAYMENT_OPTIONS_MISSING_ON_PAID: "L3_PAYMENT_OPTIONS_MISSING_ON_PAID";
     readonly L4_GUIDANCE_MISSING: "L4_GUIDANCE_MISSING";
     readonly L4_GUIDANCE_TOO_LONG: "L4_GUIDANCE_TOO_LONG";
+    readonly MPP_HEADER_MISSING: "MPP_HEADER_MISSING";
+    readonly MPP_NO_PAYMENT_CHALLENGES: "MPP_NO_PAYMENT_CHALLENGES";
+    readonly MPP_CHALLENGE_ID_MISSING: "MPP_CHALLENGE_ID_MISSING";
+    readonly MPP_CHALLENGE_METHOD_MISSING: "MPP_CHALLENGE_METHOD_MISSING";
+    readonly MPP_CHALLENGE_INTENT_MISSING: "MPP_CHALLENGE_INTENT_MISSING";
+    readonly MPP_CHALLENGE_REALM_MISSING: "MPP_CHALLENGE_REALM_MISSING";
+    readonly MPP_CHALLENGE_EXPIRES_MISSING: "MPP_CHALLENGE_EXPIRES_MISSING";
+    readonly MPP_CHALLENGE_REQUEST_MISSING: "MPP_CHALLENGE_REQUEST_MISSING";
+    readonly MPP_CHALLENGE_REQUEST_INVALID: "MPP_CHALLENGE_REQUEST_INVALID";
+    readonly MPP_CHALLENGE_ASSET_MISSING: "MPP_CHALLENGE_ASSET_MISSING";
+    readonly MPP_CHALLENGE_AMOUNT_MISSING: "MPP_CHALLENGE_AMOUNT_MISSING";
+    readonly MPP_CHALLENGE_RECIPIENT_MISSING: "MPP_CHALLENGE_RECIPIENT_MISSING";
 };
 type AuditCode = (typeof AUDIT_CODES)[keyof typeof AUDIT_CODES];
 
@@ -392,4 +410,18 @@ declare function getWarningsForL3(l3: L3Result | null): AuditWarning[];
 
 declare function getWarningsForL4(l4: L4Result | null): AuditWarning[];
 
-export { AUDIT_CODES, type AuditCode, type AuditSeverity, type AuditWarning, type AuthMode, type CheckEndpointNotFound, type CheckEndpointOptions, type CheckEndpointResult, type CheckEndpointSuccess, type DiscoverOriginSchemaNotFound, type DiscoverOriginSchemaOptions, type DiscoverOriginSchemaResult, type DiscoverOriginSchemaSuccess, type EndpointMethodAdvisory, GuidanceMode, type HttpMethod, type L2Result, type L2Route, type L3Result, type L4Result, type MetadataPreview, type MppPaymentOption, type NormalizedAccept, type NormalizedPaymentRequired, type OpenApiRoute, type OpenApiSource, type PaymentOption, type PricingMode, type ProbeResult, type TrustTier, VALIDATION_CODES, type ValidatePaymentRequiredDetailedResult, type ValidatePaymentRequiredOptions, type ValidationIssue, type ValidationSeverity, type ValidationStage, type ValidationSummary, type WellKnownRoute, type WellKnownSource, type X402PaymentOption, type X402V1PaymentOption, type X402V2PaymentOption, attachProbePayload, checkEndpointSchema, checkL2ForOpenAPI, checkL2ForWellknown, checkL4ForOpenAPI, checkL4ForWellknown, discoverOriginSchema, evaluateMetadataCompleteness, getL3, getL3ForOpenAPI, getL3ForProbe, getOpenAPI, getProbe, getWarningsFor402Body, getWarningsForL2, getWarningsForL3, getWarningsForL4, getWarningsForOpenAPI, getWarningsForWellKnown, getWellKnown, validatePaymentRequiredDetailed };
+/**
+ * Validates a raw WWW-Authenticate header value from an MPP 402 response and
+ * returns issues as AuditWarnings.
+ *
+ * Checks for:
+ * - Header presence
+ * - At least one Payment challenge
+ * - Required challenge parameters: id, method, intent, realm, expires, request
+ * - Valid base64url-encoded JSON in the request field
+ * - Required request fields: currency (asset), amount
+ * - Recommended request field: recipient (payTo)
+ */
+declare function getWarningsForMppHeader(wwwAuthenticate: string | null | undefined): AuditWarning[];
+
+export { AUDIT_CODES, type AuditCode, type AuditSeverity, type AuditWarning, type AuthMode, type CheckEndpointNotFound, type CheckEndpointOptions, type CheckEndpointResult, type CheckEndpointSuccess, type DiscoverOriginSchemaNotFound, type DiscoverOriginSchemaOptions, type DiscoverOriginSchemaResult, type DiscoverOriginSchemaSuccess, type EndpointMethodAdvisory, GuidanceMode, type HttpMethod, type L2Result, type L2Route, type L3Result, type L4Result, type MetadataPreview, type MppPaymentOption, type NormalizedAccept, type NormalizedPaymentRequired, type OpenApiRoute, type OpenApiSource, type PaymentOption, type PricingMode, type ProbeResult, type TrustTier, VALIDATION_CODES, type ValidatePaymentRequiredDetailedResult, type ValidatePaymentRequiredOptions, type ValidationIssue, type ValidationSeverity, type ValidationStage, type ValidationSummary, type WellKnownRoute, type WellKnownSource, type X402PaymentOption, type X402V1PaymentOption, type X402V2PaymentOption, attachProbePayload, checkEndpointSchema, checkL2ForOpenAPI, checkL2ForWellknown, checkL4ForOpenAPI, checkL4ForWellknown, discoverOriginSchema, evaluateMetadataCompleteness, getL3, getL3ForOpenAPI, getL3ForProbe, getOpenAPI, getProbe, getWarningsFor402Body, getWarningsForL2, getWarningsForL3, getWarningsForL4, getWarningsForMppHeader, getWarningsForOpenAPI, getWarningsForWellKnown, getWellKnown, validatePaymentRequiredDetailed };

package/dist/index.d.ts

@@ -137,6 +137,11 @@ interface L3Result {
      * and returned a 402. Used by getWarningsForL3 to run full payment-required validation.
      */
     paymentRequiredBody?: unknown;
+    /**
+     * Raw WWW-Authenticate header value from the 402 response. Present when the endpoint
+     * was probed and returned a 402 with an MPP challenge. Used by getWarningsForMppHeader.
+     */
+    wwwAuthenticate?: string;
 }
 interface L4Result {
     guidance: string;
@@ -361,8 +366,21 @@ declare const AUDIT_CODES: {
     readonly L3_INPUT_SCHEMA_MISSING: "L3_INPUT_SCHEMA_MISSING";
     readonly L3_AUTH_MODE_MISSING: "L3_AUTH_MODE_MISSING";
     readonly L3_PROTOCOLS_MISSING_ON_PAID: "L3_PROTOCOLS_MISSING_ON_PAID";
+    readonly L3_PAYMENT_OPTIONS_MISSING_ON_PAID: "L3_PAYMENT_OPTIONS_MISSING_ON_PAID";
     readonly L4_GUIDANCE_MISSING: "L4_GUIDANCE_MISSING";
     readonly L4_GUIDANCE_TOO_LONG: "L4_GUIDANCE_TOO_LONG";
+    readonly MPP_HEADER_MISSING: "MPP_HEADER_MISSING";
+    readonly MPP_NO_PAYMENT_CHALLENGES: "MPP_NO_PAYMENT_CHALLENGES";
+    readonly MPP_CHALLENGE_ID_MISSING: "MPP_CHALLENGE_ID_MISSING";
+    readonly MPP_CHALLENGE_METHOD_MISSING: "MPP_CHALLENGE_METHOD_MISSING";
+    readonly MPP_CHALLENGE_INTENT_MISSING: "MPP_CHALLENGE_INTENT_MISSING";
+    readonly MPP_CHALLENGE_REALM_MISSING: "MPP_CHALLENGE_REALM_MISSING";
+    readonly MPP_CHALLENGE_EXPIRES_MISSING: "MPP_CHALLENGE_EXPIRES_MISSING";
+    readonly MPP_CHALLENGE_REQUEST_MISSING: "MPP_CHALLENGE_REQUEST_MISSING";
+    readonly MPP_CHALLENGE_REQUEST_INVALID: "MPP_CHALLENGE_REQUEST_INVALID";
+    readonly MPP_CHALLENGE_ASSET_MISSING: "MPP_CHALLENGE_ASSET_MISSING";
+    readonly MPP_CHALLENGE_AMOUNT_MISSING: "MPP_CHALLENGE_AMOUNT_MISSING";
+    readonly MPP_CHALLENGE_RECIPIENT_MISSING: "MPP_CHALLENGE_RECIPIENT_MISSING";
 };
 type AuditCode = (typeof AUDIT_CODES)[keyof typeof AUDIT_CODES];
 
@@ -392,4 +410,18 @@ declare function getWarningsForL3(l3: L3Result | null): AuditWarning[];
 
 declare function getWarningsForL4(l4: L4Result | null): AuditWarning[];
 
-export { AUDIT_CODES, type AuditCode, type AuditSeverity, type AuditWarning, type AuthMode, type CheckEndpointNotFound, type CheckEndpointOptions, type CheckEndpointResult, type CheckEndpointSuccess, type DiscoverOriginSchemaNotFound, type DiscoverOriginSchemaOptions, type DiscoverOriginSchemaResult, type DiscoverOriginSchemaSuccess, type EndpointMethodAdvisory, GuidanceMode, type HttpMethod, type L2Result, type L2Route, type L3Result, type L4Result, type MetadataPreview, type MppPaymentOption, type NormalizedAccept, type NormalizedPaymentRequired, type OpenApiRoute, type OpenApiSource, type PaymentOption, type PricingMode, type ProbeResult, type TrustTier, VALIDATION_CODES, type ValidatePaymentRequiredDetailedResult, type ValidatePaymentRequiredOptions, type ValidationIssue, type ValidationSeverity, type ValidationStage, type ValidationSummary, type WellKnownRoute, type WellKnownSource, type X402PaymentOption, type X402V1PaymentOption, type X402V2PaymentOption, attachProbePayload, checkEndpointSchema, checkL2ForOpenAPI, checkL2ForWellknown, checkL4ForOpenAPI, checkL4ForWellknown, discoverOriginSchema, evaluateMetadataCompleteness, getL3, getL3ForOpenAPI, getL3ForProbe, getOpenAPI, getProbe, getWarningsFor402Body, getWarningsForL2, getWarningsForL3, getWarningsForL4, getWarningsForOpenAPI, getWarningsForWellKnown, getWellKnown, validatePaymentRequiredDetailed };
+/**
+ * Validates a raw WWW-Authenticate header value from an MPP 402 response and
+ * returns issues as AuditWarnings.
+ *
+ * Checks for:
+ * - Header presence
+ * - At least one Payment challenge
+ * - Required challenge parameters: id, method, intent, realm, expires, request
+ * - Valid base64url-encoded JSON in the request field
+ * - Required request fields: currency (asset), amount
+ * - Recommended request field: recipient (payTo)
+ */
+declare function getWarningsForMppHeader(wwwAuthenticate: string | null | undefined): AuditWarning[];
+
+export { AUDIT_CODES, type AuditCode, type AuditSeverity, type AuditWarning, type AuthMode, type CheckEndpointNotFound, type CheckEndpointOptions, type CheckEndpointResult, type CheckEndpointSuccess, type DiscoverOriginSchemaNotFound, type DiscoverOriginSchemaOptions, type DiscoverOriginSchemaResult, type DiscoverOriginSchemaSuccess, type EndpointMethodAdvisory, GuidanceMode, type HttpMethod, type L2Result, type L2Route, type L3Result, type L4Result, type MetadataPreview, type MppPaymentOption, type NormalizedAccept, type NormalizedPaymentRequired, type OpenApiRoute, type OpenApiSource, type PaymentOption, type PricingMode, type ProbeResult, type TrustTier, VALIDATION_CODES, type ValidatePaymentRequiredDetailedResult, type ValidatePaymentRequiredOptions, type ValidationIssue, type ValidationSeverity, type ValidationStage, type ValidationSummary, type WellKnownRoute, type WellKnownSource, type X402PaymentOption, type X402V1PaymentOption, type X402V2PaymentOption, attachProbePayload, checkEndpointSchema, checkL2ForOpenAPI, checkL2ForWellknown, checkL4ForOpenAPI, checkL4ForWellknown, discoverOriginSchema, evaluateMetadataCompleteness, getL3, getL3ForOpenAPI, getL3ForProbe, getOpenAPI, getProbe, getWarningsFor402Body, getWarningsForL2, getWarningsForL3, getWarningsForL4, getWarningsForMppHeader, getWarningsForOpenAPI, getWarningsForWellKnown, getWellKnown, validatePaymentRequiredDetailed };

package/dist/index.js

@@ -14877,7 +14877,8 @@ function getL3ForProbe(probe, path, method) {
     ...inputSchema ? { inputSchema } : {},
     ...outputSchema ? { outputSchema } : {},
     ...paymentOptions.length ? { paymentOptions } : {},
-    ...probeResult.paymentRequiredBody !== void 0 ? { paymentRequiredBody: probeResult.paymentRequiredBody } : {}
+    ...probeResult.paymentRequiredBody !== void 0 ? { paymentRequiredBody: probeResult.paymentRequiredBody } : {},
+    ...probeResult.wwwAuthenticate ? { wwwAuthenticate: probeResult.wwwAuthenticate } : {}
   };
 }
 async function attachProbePayload(url2, advisories) {
@@ -15058,9 +15059,23 @@ var AUDIT_CODES = {
   L3_INPUT_SCHEMA_MISSING: "L3_INPUT_SCHEMA_MISSING",
   L3_AUTH_MODE_MISSING: "L3_AUTH_MODE_MISSING",
   L3_PROTOCOLS_MISSING_ON_PAID: "L3_PROTOCOLS_MISSING_ON_PAID",
+  L3_PAYMENT_OPTIONS_MISSING_ON_PAID: "L3_PAYMENT_OPTIONS_MISSING_ON_PAID",
   // ─── L4 guidance checks ──────────────────────────────────────────────────────
   L4_GUIDANCE_MISSING: "L4_GUIDANCE_MISSING",
-  L4_GUIDANCE_TOO_LONG: "L4_GUIDANCE_TOO_LONG"
+  L4_GUIDANCE_TOO_LONG: "L4_GUIDANCE_TOO_LONG",
+  // ─── MPP WWW-Authenticate header checks ──────────────────────────────────────
+  MPP_HEADER_MISSING: "MPP_HEADER_MISSING",
+  MPP_NO_PAYMENT_CHALLENGES: "MPP_NO_PAYMENT_CHALLENGES",
+  MPP_CHALLENGE_ID_MISSING: "MPP_CHALLENGE_ID_MISSING",
+  MPP_CHALLENGE_METHOD_MISSING: "MPP_CHALLENGE_METHOD_MISSING",
+  MPP_CHALLENGE_INTENT_MISSING: "MPP_CHALLENGE_INTENT_MISSING",
+  MPP_CHALLENGE_REALM_MISSING: "MPP_CHALLENGE_REALM_MISSING",
+  MPP_CHALLENGE_EXPIRES_MISSING: "MPP_CHALLENGE_EXPIRES_MISSING",
+  MPP_CHALLENGE_REQUEST_MISSING: "MPP_CHALLENGE_REQUEST_MISSING",
+  MPP_CHALLENGE_REQUEST_INVALID: "MPP_CHALLENGE_REQUEST_INVALID",
+  MPP_CHALLENGE_ASSET_MISSING: "MPP_CHALLENGE_ASSET_MISSING",
+  MPP_CHALLENGE_AMOUNT_MISSING: "MPP_CHALLENGE_AMOUNT_MISSING",
+  MPP_CHALLENGE_RECIPIENT_MISSING: "MPP_CHALLENGE_RECIPIENT_MISSING"
 };
 
 // src/core/protocols/x402/v1/coinbase-schema.ts
@@ -15149,6 +15164,157 @@ function validateWithCoinbaseSchema2(body) {
   });
 }
 
+// src/audit/warnings/mpp.ts
+function parseAuthParams2(segment) {
+  const params = {};
+  const re = /(\w+)=(?:"([^"]*)"|'([^']*)')/g;
+  let match;
+  while ((match = re.exec(segment)) !== null) {
+    params[match[1]] = match[2] ?? match[3] ?? "";
+  }
+  return params;
+}
+function getWarningsForMppHeader(wwwAuthenticate) {
+  if (!wwwAuthenticate?.trim()) {
+    return [
+      {
+        code: AUDIT_CODES.MPP_HEADER_MISSING,
+        severity: "error",
+        message: "WWW-Authenticate header is absent.",
+        hint: "MPP endpoints must respond to unauthenticated requests with a 402 and a WWW-Authenticate: Payment ... header."
+      }
+    ];
+  }
+  const segments = wwwAuthenticate.split(/,\s*(?=Payment\s)/i).filter((s) => /^Payment\s/i.test(s.trim()));
+  if (segments.length === 0) {
+    return [
+      {
+        code: AUDIT_CODES.MPP_NO_PAYMENT_CHALLENGES,
+        severity: "error",
+        message: "WWW-Authenticate header contains no Payment challenges.",
+        hint: `Add at least one Payment challenge: WWW-Authenticate: Payment method="tempo" intent="charge" realm="..." request='...'`
+      }
+    ];
+  }
+  const warnings = [];
+  for (let i = 0; i < segments.length; i++) {
+    const stripped = segments[i].replace(/^Payment\s+/i, "").trim();
+    const params = parseAuthParams2(stripped);
+    const idx = `WWW-Authenticate[${i}]`;
+    if (!params["id"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_ID_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the id parameter.`,
+        hint: "Set id to a unique challenge identifier so clients can correlate credentials to challenges.",
+        path: `${idx}.id`
+      });
+    }
+    if (!params["method"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_METHOD_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the method parameter.`,
+        hint: 'Set method="tempo" (or your payment method identifier) on the Payment challenge.',
+        path: `${idx}.method`
+      });
+    }
+    if (!params["intent"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_INTENT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the intent parameter.`,
+        hint: 'Set intent="charge" on the Payment challenge.',
+        path: `${idx}.intent`
+      });
+    }
+    if (!params["realm"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_REALM_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the realm parameter.`,
+        hint: "Set realm to a stable server identifier so clients can associate payment credentials.",
+        path: `${idx}.realm`
+      });
+    }
+    if (!params["expires"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_EXPIRES_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the expires parameter.`,
+        hint: "Set expires to an RFC 3339 timestamp so clients know when the challenge lapses.",
+        path: `${idx}.expires`
+      });
+    }
+    const requestStr = params["request"];
+    if (!requestStr) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_REQUEST_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing the request field.`,
+        hint: `Include a base64url-encoded JSON request field: request=base64url('{"currency":"...","amount":"...","recipient":"..."}')`,
+        path: `${idx}.request`
+      });
+      continue;
+    }
+    let request;
+    try {
+      const decoded = Buffer.from(requestStr, "base64url").toString("utf-8");
+      const parsed = JSON.parse(decoded);
+      if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+        throw new Error("not an object");
+      }
+      request = parsed;
+    } catch {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_REQUEST_INVALID,
+        severity: "error",
+        message: `Payment challenge ${i} request field is not valid base64url-encoded JSON.`,
+        hint: "The request value must be a base64url-encoded JCS JSON object.",
+        path: `${idx}.request`
+      });
+      continue;
+    }
+    if (!request["currency"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_ASSET_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing currency in the request object.`,
+        hint: "Set currency to a TIP-20 token address (e.g. a USDC contract).",
+        path: `${idx}.request.currency`
+      });
+    }
+    const amount = request["amount"];
+    if (amount === void 0 || amount === null) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_AMOUNT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing amount in the request object.`,
+        hint: 'Set amount to a raw token-unit string (e.g. "1000000" for 1 USDC with 6 decimals).',
+        path: `${idx}.request.amount`
+      });
+    } else if (typeof amount !== "string" && typeof amount !== "number") {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_AMOUNT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} has an invalid amount type (got ${typeof amount}, expected string or number).`,
+        hint: "Set amount to a raw token-unit string.",
+        path: `${idx}.request.amount`
+      });
+    }
+    if (!request["recipient"]) {
+      warnings.push({
+        code: AUDIT_CODES.MPP_CHALLENGE_RECIPIENT_MISSING,
+        severity: "error",
+        message: `Payment challenge ${i} is missing recipient in the request object.`,
+        hint: "Set recipient to the wallet address that should receive payment.",
+        path: `${idx}.request.recipient`
+      });
+    }
+  }
+  return warnings;
+}
+
 // src/audit/warnings/l3.ts
 function getWarningsFor402Body(body) {
   if (!isRecord(body)) {
@@ -15278,17 +15444,28 @@ function getWarningsForL3(l3) {
       hint: "Add a requestBody or parameters schema so agents can construct valid payloads."
     });
   }
-  if (l3.authMode === "paid" && !l3.protocols?.length) {
+  if (l3.authMode === "paid" && l3.source === "openapi" && !l3.protocols?.length) {
     warnings.push({
       code: AUDIT_CODES.L3_PROTOCOLS_MISSING_ON_PAID,
       severity: "info",
       message: "Paid endpoint does not declare supported payment protocols.",
-      hint: "Add x-payment-info.protocols (e.g. ['x402']) to the operation."
+      hint: "Add x-payment-info.protocols (e.g. ['x402', 'mpp']) to the operation."
+    });
+  }
+  if (l3.authMode === "paid" && l3.source === "probe" && !l3.paymentOptions?.length) {
+    warnings.push({
+      code: AUDIT_CODES.L3_PAYMENT_OPTIONS_MISSING_ON_PAID,
+      severity: "warn",
+      message: "Paid endpoint did not return payment options in the 402 response.",
+      hint: "Ensure the 402 response returns a valid payment challenge so clients know how to pay."
     });
   }
   if (l3.paymentRequiredBody !== void 0) {
     warnings.push(...getWarningsFor402Body(l3.paymentRequiredBody));
   }
+  if (l3.wwwAuthenticate !== void 0) {
+    warnings.push(...getWarningsForMppHeader(l3.wwwAuthenticate));
+  }
   return warnings;
 }
 
@@ -15512,6 +15689,7 @@ export {
   getWarningsForL2,
   getWarningsForL3,
   getWarningsForL4,
+  getWarningsForMppHeader,
   getWarningsForOpenAPI,
   getWarningsForWellKnown,
   getWellKnown,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentcash/discovery",
-  "version": "1.1.3",
+  "version": "1.2.0",
   "description": "Canonical OpenAPI-first discovery runtime for the agentcash ecosystem",
   "type": "module",
   "main": "./dist/index.cjs",