@agentcash/discovery 1.2.0 → 1.4.0

package/dist/index.d.ts

@@ -78,6 +78,15 @@ interface OpenApiSource {
     guidance?: string;
     fetchedUrl: string;
 }
+/** Returned when the spec was fetched successfully but failed schema validation. */
+interface OpenApiParseFailure {
+    parseFailure: true;
+    fetchedUrl: string;
+    issues: Array<{
+        path: (string | number | symbol)[];
+        message: string;
+    }>;
+}
 interface OpenApiRoute {
     path: string;
     method: HttpMethod;
@@ -89,12 +98,18 @@ interface OpenApiRoute {
 interface WellKnownSource {
     raw: Record<string, unknown>;
     routes: WellKnownRoute[];
+    title?: string;
+    description?: string;
     instructions?: string;
     fetchedUrl: string;
+    /** Which well-known document(s) this source was built from. */
+    protocol: 'x402' | 'mpp' | 'x402+mpp';
 }
 interface WellKnownRoute {
     path: string;
     method: HttpMethod;
+    /** Raw price hint from the well-known document (e.g. MPP `payment.amount`). */
+    price?: string;
 }
 interface ProbeResult {
     path: string;
@@ -111,7 +126,7 @@ interface L2Result {
     description?: string;
     version?: string;
     routes: L2Route[];
-    source: 'openapi' | 'well-known/x402' | null;
+    source: 'openapi' | 'well-known/x402' | 'well-known/mpp' | 'well-known/x402+mpp' | null;
 }
 interface L2Route {
     path: string;
@@ -145,7 +160,7 @@ interface L3Result {
 }
 interface L4Result {
     guidance: string;
-    source: 'openapi' | 'well-known/x402';
+    source: 'openapi' | 'well-known/x402' | 'well-known/mpp' | 'well-known/x402+mpp';
 }
 
 declare enum GuidanceMode {
@@ -182,6 +197,8 @@ interface DiscoverOriginSchemaSuccess {
     guidanceTokens?: number;
     /** Guidance text. Included when short enough (auto mode) or guidance='always'. */
     guidance?: string;
+    /** Ownership proof strings collected from the discovery document, if any. */
+    ownershipProofs?: string[];
 }
 interface DiscoverOriginSchemaNotFound {
     found: false;
@@ -239,10 +256,23 @@ interface FetchError {
     message: string;
 }
 
-declare function getOpenAPI(origin: string, headers?: Record<string, string>, signal?: AbortSignal, specificationOverrideUrl?: string): ResultAsync<OpenApiSource | null, FetchError>;
+declare function getOpenAPI(origin: string, headers?: Record<string, string>, signal?: AbortSignal, specificationOverrideUrl?: string): ResultAsync<OpenApiSource | OpenApiParseFailure | null, FetchError>;
 
+/**
+ * Fetches both `/.well-known/x402` and `/.well-known/mpp` in parallel and merges results.
+ *
+ * In practice these are mutually exclusive, but if both exist their routes are combined
+ * (deduplicated by method+path). x402 wins on instruction/fetchedUrl conflicts.
+ *
+ * Individual leg failures are treated as "not found" for that leg so valid data from
+ * the other is never suppressed. Returns Err(FetchError) only when both legs hard-fail.
+ */
 declare function getWellKnown(origin: string, headers?: Record<string, string>, signal?: AbortSignal): ResultAsync<WellKnownSource | null, FetchError>;
 
+declare function getX402WellKnown(origin: string, headers?: Record<string, string>, signal?: AbortSignal): ResultAsync<WellKnownSource | null, FetchError>;
+
+declare function getMppWellKnown(origin: string, headers?: Record<string, string>, signal?: AbortSignal): ResultAsync<WellKnownSource | null, FetchError>;
+
 declare function getProbe(url: string, headers?: Record<string, string>, signal?: AbortSignal, inputBody?: Record<string, unknown>): ResultAsync<ProbeResult[], FetchError>;
 
 declare function checkL2ForOpenAPI(openApi: OpenApiSource): L2Result;
@@ -354,6 +384,7 @@ declare function validatePaymentRequiredDetailed(payload: unknown, options?: Val
 declare const AUDIT_CODES: {
     readonly OPENAPI_NOT_FOUND: "OPENAPI_NOT_FOUND";
     readonly WELLKNOWN_NOT_FOUND: "WELLKNOWN_NOT_FOUND";
+    readonly OPENAPI_PARSE_ERROR: "OPENAPI_PARSE_ERROR";
     readonly OPENAPI_NO_ROUTES: "OPENAPI_NO_ROUTES";
     readonly L2_NO_ROUTES: "L2_NO_ROUTES";
     readonly L2_ROUTE_COUNT_HIGH: "L2_ROUTE_COUNT_HIGH";
@@ -394,7 +425,9 @@ interface AuditWarning {
     path?: string;
 }
 
-declare function getWarningsForOpenAPI(openApi: OpenApiSource | null): AuditWarning[];
+/** Type guard: true when the value is a parse-failure sentinel (spec fetched but invalid). */
+declare function isOpenApiParseFailure(value: OpenApiSource | OpenApiParseFailure | null): value is OpenApiParseFailure;
+declare function getWarningsForOpenAPI(openApi: OpenApiSource | OpenApiParseFailure | null): AuditWarning[];
 declare function getWarningsForWellKnown(wellKnown: WellKnownSource | null): AuditWarning[];
 
 declare function getWarningsForL2(l2: L2Result): AuditWarning[];
@@ -424,4 +457,4 @@ declare function getWarningsForL4(l4: L4Result | null): AuditWarning[];
  */
 declare function getWarningsForMppHeader(wwwAuthenticate: string | null | undefined): AuditWarning[];
 
-export { AUDIT_CODES, type AuditCode, type AuditSeverity, type AuditWarning, type AuthMode, type CheckEndpointNotFound, type CheckEndpointOptions, type CheckEndpointResult, type CheckEndpointSuccess, type DiscoverOriginSchemaNotFound, type DiscoverOriginSchemaOptions, type DiscoverOriginSchemaResult, type DiscoverOriginSchemaSuccess, type EndpointMethodAdvisory, GuidanceMode, type HttpMethod, type L2Result, type L2Route, type L3Result, type L4Result, type MetadataPreview, type MppPaymentOption, type NormalizedAccept, type NormalizedPaymentRequired, type OpenApiRoute, type OpenApiSource, type PaymentOption, type PricingMode, type ProbeResult, type TrustTier, VALIDATION_CODES, type ValidatePaymentRequiredDetailedResult, type ValidatePaymentRequiredOptions, type ValidationIssue, type ValidationSeverity, type ValidationStage, type ValidationSummary, type WellKnownRoute, type WellKnownSource, type X402PaymentOption, type X402V1PaymentOption, type X402V2PaymentOption, attachProbePayload, checkEndpointSchema, checkL2ForOpenAPI, checkL2ForWellknown, checkL4ForOpenAPI, checkL4ForWellknown, discoverOriginSchema, evaluateMetadataCompleteness, getL3, getL3ForOpenAPI, getL3ForProbe, getOpenAPI, getProbe, getWarningsFor402Body, getWarningsForL2, getWarningsForL3, getWarningsForL4, getWarningsForMppHeader, getWarningsForOpenAPI, getWarningsForWellKnown, getWellKnown, validatePaymentRequiredDetailed };
+export { AUDIT_CODES, type AuditCode, type AuditSeverity, type AuditWarning, type AuthMode, type CheckEndpointNotFound, type CheckEndpointOptions, type CheckEndpointResult, type CheckEndpointSuccess, type DiscoverOriginSchemaNotFound, type DiscoverOriginSchemaOptions, type DiscoverOriginSchemaResult, type DiscoverOriginSchemaSuccess, type EndpointMethodAdvisory, GuidanceMode, type HttpMethod, type L2Result, type L2Route, type L3Result, type L4Result, type MetadataPreview, type MppPaymentOption, type NormalizedAccept, type NormalizedPaymentRequired, type OpenApiParseFailure, type OpenApiRoute, type OpenApiSource, type PaymentOption, type PricingMode, type ProbeResult, type TrustTier, VALIDATION_CODES, type ValidatePaymentRequiredDetailedResult, type ValidatePaymentRequiredOptions, type ValidationIssue, type ValidationSeverity, type ValidationStage, type ValidationSummary, type WellKnownRoute, type WellKnownSource, type X402PaymentOption, type X402V1PaymentOption, type X402V2PaymentOption, attachProbePayload, checkEndpointSchema, checkL2ForOpenAPI, checkL2ForWellknown, checkL4ForOpenAPI, checkL4ForWellknown, discoverOriginSchema, evaluateMetadataCompleteness, getL3, getL3ForOpenAPI, getL3ForProbe, getMppWellKnown, getOpenAPI, getProbe, getWarningsFor402Body, getWarningsForL2, getWarningsForL3, getWarningsForL4, getWarningsForMppHeader, getWarningsForOpenAPI, getWarningsForWellKnown, getWellKnown, getX402WellKnown, isOpenApiParseFailure, validatePaymentRequiredDetailed };

package/dist/index.js

@@ -13842,7 +13842,8 @@ var WellKnownParsedSchema = external_exports.object({
   routes: external_exports.array(
     external_exports.object({
       path: external_exports.string(),
-      method: external_exports.enum(["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "TRACE"])
+      method: external_exports.enum(["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "TRACE"]),
+      price: external_exports.string().optional()
     })
   ),
   instructions: external_exports.string().optional()
@@ -13935,9 +13936,9 @@ function toAbsoluteUrl(origin, value) {
 
 // src/core/source/fetch.ts
 import { ResultAsync } from "neverthrow";
-function toFetchError(err) {
-  const cause = err instanceof DOMException && (err.name === "TimeoutError" || err.name === "AbortError") ? "timeout" : "network";
-  return { cause, message: String(err) };
+function toFetchError(err2) {
+  const cause = err2 instanceof DOMException && (err2.name === "TimeoutError" || err2.name === "AbortError") ? "timeout" : "network";
+  return { cause, message: String(err2) };
 }
 function fetchSafe(url2, init) {
   return ResultAsync.fromPromise(fetch(url2, init), toFetchError);
@@ -13984,7 +13985,13 @@ async function parseBody(response, url2) {
   try {
     const payload = await response.json();
     const parsed = OpenApiParsedSchema.safeParse(payload);
-    if (!parsed.success) return null;
+    if (!parsed.success) {
+      return {
+        parseFailure: true,
+        fetchedUrl: url2,
+        issues: parsed.error.issues.map((i) => ({ path: i.path, message: i.message }))
+      };
+    }
     return { raw: payload, ...parsed.data, fetchedUrl: url2 };
   } catch {
     return null;
@@ -14003,6 +14010,9 @@ function getOpenAPI(origin, headers, signal, specificationOverrideUrl) {
 }
 
 // src/core/source/wellknown/index.ts
+import { ok, err, ResultAsync as ResultAsync5 } from "neverthrow";
+
+// src/core/source/wellknown/x402.ts
 import { okAsync as okAsync2, ResultAsync as ResultAsync3 } from "neverthrow";
 function toWellKnownParsed(origin, doc) {
   const routes = doc.resources.flatMap((entry) => {
@@ -14029,12 +14039,17 @@ async function parseBody2(response, origin, url2) {
     if (!doc.success) return null;
     const parsed = WellKnownParsedSchema.safeParse(toWellKnownParsed(origin, doc.data));
     if (!parsed.success) return null;
-    return { raw: payload, ...parsed.data, fetchedUrl: url2 };
+    return {
+      raw: payload,
+      ...parsed.data,
+      protocol: "x402",
+      fetchedUrl: url2
+    };
   } catch {
     return null;
   }
 }
-function getWellKnown(origin, headers, signal) {
+function getX402WellKnown(origin, headers, signal) {
   const url2 = `${origin}/.well-known/x402`;
   return fetchSafe(url2, {
     method: "GET",
@@ -14046,6 +14061,127 @@ function getWellKnown(origin, headers, signal) {
   });
 }
 
+// src/core/source/wellknown/mpp.ts
+import { okAsync as okAsync3, ResultAsync as ResultAsync4 } from "neverthrow";
+var MppEndpointSchema = external_exports.object({
+  method: external_exports.string(),
+  path: external_exports.string(),
+  description: external_exports.string().optional(),
+  payment: external_exports.object({
+    intent: external_exports.string().optional(),
+    method: external_exports.string().optional(),
+    amount: external_exports.string().optional(),
+    currency: external_exports.string().optional()
+  }).optional()
+});
+var MppWellKnownDocSchema = external_exports.object({
+  version: external_exports.number().optional(),
+  name: external_exports.string().optional(),
+  description: external_exports.string().optional(),
+  categories: external_exports.array(external_exports.string()).optional(),
+  methods: external_exports.record(external_exports.string(), external_exports.unknown()).optional(),
+  endpoints: external_exports.array(MppEndpointSchema).default([]),
+  docs: external_exports.object({
+    homepage: external_exports.string().optional(),
+    apiReference: external_exports.string().optional()
+  }).optional()
+});
+var MPP_DECIMALS = 6;
+function formatMppAmount(raw) {
+  if (!raw) return void 0;
+  const n = Number(raw);
+  if (!Number.isFinite(n)) return void 0;
+  return `$${(n / 10 ** MPP_DECIMALS).toFixed(MPP_DECIMALS)}`;
+}
+function toWellKnownParsed2(doc) {
+  const routes = doc.endpoints.flatMap((entry) => {
+    const method = parseMethod(entry.method);
+    if (!method) return [];
+    const path = normalizePath(entry.path);
+    if (!path) return [];
+    const price = formatMppAmount(entry.payment?.amount);
+    return [{ path, method, ...price ? { price } : {} }];
+  });
+  return {
+    routes,
+    ...doc.description ? { instructions: doc.description } : {}
+  };
+}
+async function parseBody3(response, url2) {
+  try {
+    const payload = await response.json();
+    const doc = MppWellKnownDocSchema.safeParse(payload);
+    if (!doc.success) return null;
+    const parsed = WellKnownParsedSchema.safeParse(toWellKnownParsed2(doc.data));
+    if (!parsed.success) return null;
+    return {
+      raw: payload,
+      ...parsed.data,
+      ...doc.data.name ? { title: doc.data.name } : {},
+      ...doc.data.description ? { description: doc.data.description } : {},
+      protocol: "mpp",
+      fetchedUrl: url2
+    };
+  } catch {
+    return null;
+  }
+}
+function getMppWellKnown(origin, headers, signal) {
+  const url2 = `${origin}/.well-known/mpp`;
+  return fetchSafe(url2, {
+    method: "GET",
+    headers: { Accept: "application/json", ...headers },
+    signal
+  }).andThen((response) => {
+    if (!response.ok) return okAsync3(null);
+    return ResultAsync4.fromSafePromise(parseBody3(response, url2));
+  });
+}
+
+// src/core/source/wellknown/index.ts
+function mergeError(a, b) {
+  return {
+    cause: a.cause === "network" || b.cause === "network" ? "network" : "timeout",
+    message: `x402: ${a.message} | mpp: ${b.message}`
+  };
+}
+function merge2(x402, mpp) {
+  const seen = /* @__PURE__ */ new Set();
+  const routes = [...x402.routes, ...mpp.routes].filter((r) => {
+    const key = `${r.method} ${r.path}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+  return {
+    raw: { ...mpp.raw, ...x402.raw },
+    routes,
+    protocol: "x402+mpp",
+    // Prefer x402 instructions; fall back to mpp
+    ...x402.instructions || mpp.instructions ? { instructions: x402.instructions ?? mpp.instructions } : {},
+    fetchedUrl: x402.fetchedUrl
+  };
+}
+function getWellKnown(origin, headers, signal) {
+  return new ResultAsync5(
+    Promise.all([
+      getX402WellKnown(origin, headers, signal),
+      getMppWellKnown(origin, headers, signal)
+    ]).then(([x402Result, mppResult]) => {
+      const x402 = x402Result.isOk() ? x402Result.value : null;
+      const mpp = mppResult.isOk() ? mppResult.value : null;
+      if (x402 && mpp) return ok(merge2(x402, mpp));
+      if (x402) return ok(x402);
+      if (mpp) return ok(mpp);
+      if (x402Result.isErr() && mppResult.isErr())
+        return err(mergeError(x402Result.error, mppResult.error));
+      if (x402Result.isErr()) return err(x402Result.error);
+      if (mppResult.isErr()) return err(mppResult.error);
+      return ok(null);
+    })
+  );
+}
+
 // src/core/layers/l2.ts
 function formatPrice(pricing) {
   if (pricing.pricingMode === "fixed") return `$${pricing.price}`;
@@ -14071,15 +14207,27 @@ function checkL2ForOpenAPI(openApi) {
     source: "openapi"
   };
 }
+var WELL_KNOWN_PROTOCOLS = {
+  x402: ["x402"],
+  mpp: ["mpp"],
+  "x402+mpp": ["x402", "mpp"]
+};
 function checkL2ForWellknown(wellKnown) {
+  const protocols = WELL_KNOWN_PROTOCOLS[wellKnown.protocol];
   const routes = wellKnown.routes.map((route) => ({
     path: route.path,
     method: route.method,
     summary: `${route.method} ${route.path}`,
     authMode: "paid",
-    protocols: ["x402"]
+    protocols,
+    ...route.price ? { price: route.price } : {}
   }));
-  return { routes, source: "well-known/x402" };
+  return {
+    ...wellKnown.title ? { title: wellKnown.title } : {},
+    ...wellKnown.description ? { description: wellKnown.description } : {},
+    routes,
+    source: `well-known/${wellKnown.protocol}`
+  };
 }
 
 // src/core/layers/l4.ts
@@ -14091,7 +14239,7 @@ function checkL4ForOpenAPI(openApi) {
 }
 function checkL4ForWellknown(wellKnown) {
   if (wellKnown.instructions) {
-    return { guidance: wellKnown.instructions, source: "well-known/x402" };
+    return { guidance: wellKnown.instructions, source: `well-known/${wellKnown.protocol}` };
   }
   return null;
 }
@@ -14109,8 +14257,41 @@ var GuidanceMode = /* @__PURE__ */ ((GuidanceMode2) => {
   return GuidanceMode2;
 })(GuidanceMode || {});
 
+// src/core/types/sources.ts
+function isOpenApiSource(raw) {
+  return raw !== null && !("parseFailure" in raw);
+}
+
 // src/runtime/discover.ts
 var GUIDANCE_AUTO_INCLUDE_MAX_TOKENS_LENGTH = 1e3;
+function extractFromWellknown(raw) {
+  if (Array.isArray(raw["ownershipProofs"])) {
+    const proofs = raw["ownershipProofs"].filter(
+      (p) => typeof p === "string"
+    );
+    if (proofs.length > 0) return proofs;
+  }
+  return void 0;
+}
+function extractFromOpenapi(raw) {
+  const xDiscovery = raw["x-discovery"];
+  if (xDiscovery && typeof xDiscovery === "object" && !Array.isArray(xDiscovery)) {
+    const proofs = xDiscovery["ownershipProofs"];
+    if (Array.isArray(proofs)) {
+      const filtered = proofs.filter((p) => typeof p === "string");
+      if (filtered.length > 0) return filtered;
+    }
+  }
+  const legacy = raw["x-agentcash-provenance"];
+  if (legacy && typeof legacy === "object" && !Array.isArray(legacy)) {
+    const proofs = legacy["ownershipProofs"];
+    if (Array.isArray(proofs)) {
+      const filtered = proofs.filter((p) => typeof p === "string");
+      if (filtered.length > 0) return filtered;
+    }
+  }
+  return void 0;
+}
 function withGuidance(base, l4, guidanceMode) {
   if (guidanceMode === "never" /* Never */) return { ...base, guidanceAvailable: !!l4 };
   if (!l4) return { ...base, guidanceAvailable: false };
@@ -14129,10 +14310,12 @@ async function discoverOriginSchema(options) {
     options.signal,
     options.specificationOverrideUrl
   );
-  const openApi = openApiResult.isOk() ? openApiResult.value : null;
+  const openApiRaw = openApiResult.isOk() ? openApiResult.value : null;
+  const openApi = isOpenApiSource(openApiRaw) ? openApiRaw : null;
   if (openApi) {
     const l22 = checkL2ForOpenAPI(openApi);
     const l42 = checkL4ForOpenAPI(openApi);
+    const ownershipProofs2 = extractFromOpenapi(openApi.raw);
     const base2 = {
       found: true,
       origin,
@@ -14144,7 +14327,8 @@ async function discoverOriginSchema(options) {
           ...l22.version ? { version: l22.version } : {}
         }
       } : {},
-      endpoints: l22.routes
+      endpoints: l22.routes,
+      ...ownershipProofs2 ? { ownershipProofs: ownershipProofs2 } : {}
     };
     return withGuidance(base2, l42, guidanceMode);
   }
@@ -14161,17 +14345,25 @@ async function discoverOriginSchema(options) {
   if (!wellKnown) return { found: false, origin, cause: "not_found" };
   const l2 = checkL2ForWellknown(wellKnown);
   const l4 = checkL4ForWellknown(wellKnown);
+  const ownershipProofs = extractFromWellknown(wellKnown.raw);
   const base = {
     found: true,
     origin,
-    source: "well-known/x402",
-    endpoints: l2.routes
+    source: l2.source,
+    ...l2.title ? {
+      info: {
+        title: l2.title,
+        ...l2.description ? { description: l2.description } : {}
+      }
+    } : {},
+    endpoints: l2.routes,
+    ...ownershipProofs ? { ownershipProofs } : {}
   };
   return withGuidance(base, l4, guidanceMode);
 }
 
 // src/core/source/probe/index.ts
-import { ResultAsync as ResultAsync4 } from "neverthrow";
+import { ResultAsync as ResultAsync6 } from "neverthrow";
 
 // src/core/protocols/x402/v1/schema.ts
 function extractSchemas(accepts) {
@@ -14621,8 +14813,8 @@ function probeMethod(url2, method, path, headers, signal, inputBody) {
     ...hasBody ? { body: JSON.stringify(inputBody) } : {},
     signal
   }).andThen((response) => {
-    if (!isUsableStatus(response.status)) return ResultAsync4.fromSafePromise(Promise.resolve(null));
-    return ResultAsync4.fromSafePromise(
+    if (!isUsableStatus(response.status)) return ResultAsync6.fromSafePromise(Promise.resolve(null));
+    return ResultAsync6.fromSafePromise(
       (async () => {
         let authHint = response.status === 402 ? "paid" : "unprotected";
         let paymentRequiredBody;
@@ -14653,7 +14845,7 @@ function probeMethod(url2, method, path, headers, signal, inputBody) {
 }
 function getProbe(url2, headers, signal, inputBody) {
   const path = normalizePath(new URL(url2).pathname || "/");
-  return ResultAsync4.fromSafePromise(
+  return ResultAsync6.fromSafePromise(
     Promise.all(
       [...HTTP_METHODS].map(
         (method) => probeMethod(url2, method, path, headers, signal, inputBody).match(
@@ -14666,6 +14858,20 @@ function getProbe(url2, headers, signal, inputBody) {
 }
 
 // src/core/protocols/mpp/index.ts
+import { Result } from "neverthrow";
+function parseBase64Json(encoded) {
+  return Result.fromThrowable(
+    () => {
+      const decoded = typeof Buffer !== "undefined" ? Buffer.from(encoded, "base64").toString("utf8") : atob(encoded);
+      const parsed = JSON.parse(decoded);
+      if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+        throw new Error("not an object");
+      }
+      return parsed;
+    },
+    (e) => e
+  )();
+}
 var TEMPO_DEFAULT_CHAIN_ID = 4217;
 function parseAuthParams(segment) {
   const params = {};
@@ -14688,14 +14894,9 @@ function extractPaymentOptions4(wwwAuthenticate) {
     const description = params["description"];
     const requestStr = params["request"];
     if (!paymentMethod || !intent || !realm || !requestStr) continue;
-    let request;
-    try {
-      const parsed = JSON.parse(requestStr);
-      if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) continue;
-      request = parsed;
-    } catch {
-      continue;
-    }
+    const requestResult = parseBase64Json(requestStr);
+    if (requestResult.isErr()) continue;
+    const request = requestResult.value;
     const asset = typeof request["currency"] === "string" ? request["currency"] : void 0;
     const amountRaw = request["amount"];
     const amount = typeof amountRaw === "string" ? amountRaw : typeof amountRaw === "number" ? String(amountRaw) : void 0;
@@ -14934,7 +15135,8 @@ async function checkEndpointSchema(options) {
     return { found: false, origin, path, cause: "not_found" };
   }
   const openApiResult = await getOpenAPI(origin, options.headers, options.signal);
-  const openApi = openApiResult.isOk() ? openApiResult.value : null;
+  const openApiRaw = openApiResult.isOk() ? openApiResult.value : null;
+  const openApi = isOpenApiSource(openApiRaw) ? openApiRaw : null;
   if (openApi) {
     const advisories2 = getAdvisoriesForOpenAPI(openApi, path);
     if (advisories2.length > 0) return { found: true, origin, path, advisories: advisories2 };
@@ -15045,6 +15247,7 @@ var AUDIT_CODES = {
   OPENAPI_NOT_FOUND: "OPENAPI_NOT_FOUND",
   WELLKNOWN_NOT_FOUND: "WELLKNOWN_NOT_FOUND",
   // ─── OpenAPI quality ─────────────────────────────────────────────────────────
+  OPENAPI_PARSE_ERROR: "OPENAPI_PARSE_ERROR",
   OPENAPI_NO_ROUTES: "OPENAPI_NO_ROUTES",
   // ─── L2 route-list checks ────────────────────────────────────────────────────
   L2_NO_ROUTES: "L2_NO_ROUTES",
@@ -15532,6 +15735,9 @@ function validatePaymentRequiredDetailed(payload, options = {}) {
 }
 
 // src/audit/warnings/sources.ts
+function isOpenApiParseFailure(value) {
+  return value !== null && "parseFailure" in value;
+}
 function getWarningsForOpenAPI(openApi) {
   if (openApi === null) {
     return [
@@ -15543,6 +15749,18 @@ function getWarningsForOpenAPI(openApi) {
       }
     ];
   }
+  if (isOpenApiParseFailure(openApi)) {
+    const details = openApi.issues.map((i) => `  ${i.path.map(String).join(".")}: ${i.message}`).join("\n");
+    return [
+      {
+        code: AUDIT_CODES.OPENAPI_PARSE_ERROR,
+        severity: "warn",
+        message: `OpenAPI spec found at ${openApi.fetchedUrl} but failed schema validation:
+${details}`,
+        hint: "Fix the schema issues above so discovery can read the spec."
+      }
+    ];
+  }
   const warnings = [];
   if (openApi.routes.length === 0) {
     warnings.push({
@@ -15683,6 +15901,7 @@ export {
   getL3,
   getL3ForOpenAPI,
   getL3ForProbe,
+  getMppWellKnown,
   getOpenAPI,
   getProbe,
   getWarningsFor402Body,
@@ -15693,5 +15912,7 @@ export {
   getWarningsForOpenAPI,
   getWarningsForWellKnown,
   getWellKnown,
+  getX402WellKnown,
+  isOpenApiParseFailure,
   validatePaymentRequiredDetailed
 };

package/dist/schemas.cjs

@@ -13864,7 +13864,8 @@ var WellKnownParsedSchema = external_exports.object({
   routes: external_exports.array(
     external_exports.object({
       path: external_exports.string(),
-      method: external_exports.enum(["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "TRACE"])
+      method: external_exports.enum(["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "TRACE"]),
+      price: external_exports.string().optional()
     })
   ),
   instructions: external_exports.string().optional()

package/dist/schemas.d.cts

@@ -517,6 +517,7 @@ declare const WellKnownParsedSchema: z.ZodObject<{
             OPTIONS: "OPTIONS";
             TRACE: "TRACE";
         }>;
+        price: z.ZodOptional<z.ZodString>;
     }, z.core.$strip>>;
     instructions: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;

package/dist/schemas.d.ts

@@ -517,6 +517,7 @@ declare const WellKnownParsedSchema: z.ZodObject<{
             OPTIONS: "OPTIONS";
             TRACE: "TRACE";
         }>;
+        price: z.ZodOptional<z.ZodString>;
     }, z.core.$strip>>;
     instructions: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;

package/dist/schemas.js

@@ -13839,7 +13839,8 @@ var WellKnownParsedSchema = external_exports.object({
   routes: external_exports.array(
     external_exports.object({
       path: external_exports.string(),
-      method: external_exports.enum(["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "TRACE"])
+      method: external_exports.enum(["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "TRACE"]),
+      price: external_exports.string().optional()
     })
   ),
   instructions: external_exports.string().optional()

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentcash/discovery",
-  "version": "1.2.0",
+  "version": "1.4.0",
   "description": "Canonical OpenAPI-first discovery runtime for the agentcash ecosystem",
   "type": "module",
   "main": "./dist/index.cjs",