@agentcash/discovery 1.3.0 → 1.4.0

package/dist/cli.cjs

@@ -14015,7 +14015,13 @@ async function parseBody(response, url2) {
   try {
     const payload = await response.json();
     const parsed = OpenApiParsedSchema.safeParse(payload);
-    if (!parsed.success) return null;
+    if (!parsed.success) {
+      return {
+        parseFailure: true,
+        fetchedUrl: url2,
+        issues: parsed.error.issues.map((i) => ({ path: i.path, message: i.message }))
+      };
+    }
     return { raw: payload, ...parsed.data, fetchedUrl: url2 };
   } catch {
     return null;
@@ -14274,6 +14280,7 @@ var AUDIT_CODES = {
   OPENAPI_NOT_FOUND: "OPENAPI_NOT_FOUND",
   WELLKNOWN_NOT_FOUND: "WELLKNOWN_NOT_FOUND",
   // ─── OpenAPI quality ─────────────────────────────────────────────────────────
+  OPENAPI_PARSE_ERROR: "OPENAPI_PARSE_ERROR",
   OPENAPI_NO_ROUTES: "OPENAPI_NO_ROUTES",
   // ─── L2 route-list checks ────────────────────────────────────────────────────
   L2_NO_ROUTES: "L2_NO_ROUTES",
@@ -14308,6 +14315,9 @@ var AUDIT_CODES = {
 };
 
 // src/audit/warnings/sources.ts
+function isOpenApiParseFailure(value) {
+  return value !== null && "parseFailure" in value;
+}
 function getWarningsForOpenAPI(openApi) {
   if (openApi === null) {
     return [
@@ -14319,6 +14329,18 @@ function getWarningsForOpenAPI(openApi) {
       }
     ];
   }
+  if (isOpenApiParseFailure(openApi)) {
+    const details = openApi.issues.map((i) => `  ${i.path.map(String).join(".")}: ${i.message}`).join("\n");
+    return [
+      {
+        code: AUDIT_CODES.OPENAPI_PARSE_ERROR,
+        severity: "warn",
+        message: `OpenAPI spec found at ${openApi.fetchedUrl} but failed schema validation:
+${details}`,
+        hint: "Fix the schema issues above so discovery can read the spec."
+      }
+    ];
+  }
   const warnings = [];
   if (openApi.routes.length === 0) {
     warnings.push({
@@ -15591,6 +15613,11 @@ async function attachProbePayload(url2, advisories) {
   }
 }
 
+// src/core/types/sources.ts
+function isOpenApiSource(raw) {
+  return raw !== null && !("parseFailure" in raw);
+}
+
 // src/runtime/check-endpoint.ts
 function getAdvisoriesForOpenAPI(openApi, path) {
   return [...HTTP_METHODS].flatMap((method) => {
@@ -15629,7 +15656,8 @@ async function checkEndpointSchema(options) {
     return { found: false, origin, path, cause: "not_found" };
   }
   const openApiResult = await getOpenAPI(origin, options.headers, options.signal);
-  const openApi = openApiResult.isOk() ? openApiResult.value : null;
+  const openApiRaw = openApiResult.isOk() ? openApiResult.value : null;
+  const openApi = isOpenApiSource(openApiRaw) ? openApiRaw : null;
   if (openApi) {
     const advisories2 = getAdvisoriesForOpenAPI(openApi, path);
     if (advisories2.length > 0) return { found: true, origin, path, advisories: advisories2 };
@@ -15699,10 +15727,11 @@ Discovering ${origin}...
     getOpenAPI(origin),
     getWellKnown(origin)
   ]);
-  const openApi = openApiResult.isOk() ? openApiResult.value : null;
+  const openApiRaw = openApiResult.isOk() ? openApiResult.value : null;
   const wellKnown = wellKnownResult.isOk() ? wellKnownResult.value : null;
+  const openApi = isOpenApiSource(openApiRaw) ? openApiRaw : null;
   const warnings = [
-    ...getWarningsForOpenAPI(openApi),
+    ...getWarningsForOpenAPI(openApiRaw),
     ...getWarningsForWellKnown(wellKnown)
   ];
   if (openApi) {

package/dist/cli.js

@@ -13985,7 +13985,13 @@ async function parseBody(response, url2) {
   try {
     const payload = await response.json();
     const parsed = OpenApiParsedSchema.safeParse(payload);
-    if (!parsed.success) return null;
+    if (!parsed.success) {
+      return {
+        parseFailure: true,
+        fetchedUrl: url2,
+        issues: parsed.error.issues.map((i) => ({ path: i.path, message: i.message }))
+      };
+    }
     return { raw: payload, ...parsed.data, fetchedUrl: url2 };
   } catch {
     return null;
@@ -14244,6 +14250,7 @@ var AUDIT_CODES = {
   OPENAPI_NOT_FOUND: "OPENAPI_NOT_FOUND",
   WELLKNOWN_NOT_FOUND: "WELLKNOWN_NOT_FOUND",
   // ─── OpenAPI quality ─────────────────────────────────────────────────────────
+  OPENAPI_PARSE_ERROR: "OPENAPI_PARSE_ERROR",
   OPENAPI_NO_ROUTES: "OPENAPI_NO_ROUTES",
   // ─── L2 route-list checks ────────────────────────────────────────────────────
   L2_NO_ROUTES: "L2_NO_ROUTES",
@@ -14278,6 +14285,9 @@ var AUDIT_CODES = {
 };
 
 // src/audit/warnings/sources.ts
+function isOpenApiParseFailure(value) {
+  return value !== null && "parseFailure" in value;
+}
 function getWarningsForOpenAPI(openApi) {
   if (openApi === null) {
     return [
@@ -14289,6 +14299,18 @@ function getWarningsForOpenAPI(openApi) {
       }
     ];
   }
+  if (isOpenApiParseFailure(openApi)) {
+    const details = openApi.issues.map((i) => `  ${i.path.map(String).join(".")}: ${i.message}`).join("\n");
+    return [
+      {
+        code: AUDIT_CODES.OPENAPI_PARSE_ERROR,
+        severity: "warn",
+        message: `OpenAPI spec found at ${openApi.fetchedUrl} but failed schema validation:
+${details}`,
+        hint: "Fix the schema issues above so discovery can read the spec."
+      }
+    ];
+  }
   const warnings = [];
   if (openApi.routes.length === 0) {
     warnings.push({
@@ -15561,6 +15583,11 @@ async function attachProbePayload(url2, advisories) {
   }
 }
 
+// src/core/types/sources.ts
+function isOpenApiSource(raw) {
+  return raw !== null && !("parseFailure" in raw);
+}
+
 // src/runtime/check-endpoint.ts
 function getAdvisoriesForOpenAPI(openApi, path) {
   return [...HTTP_METHODS].flatMap((method) => {
@@ -15599,7 +15626,8 @@ async function checkEndpointSchema(options) {
     return { found: false, origin, path, cause: "not_found" };
   }
   const openApiResult = await getOpenAPI(origin, options.headers, options.signal);
-  const openApi = openApiResult.isOk() ? openApiResult.value : null;
+  const openApiRaw = openApiResult.isOk() ? openApiResult.value : null;
+  const openApi = isOpenApiSource(openApiRaw) ? openApiRaw : null;
   if (openApi) {
     const advisories2 = getAdvisoriesForOpenAPI(openApi, path);
     if (advisories2.length > 0) return { found: true, origin, path, advisories: advisories2 };
@@ -15669,10 +15697,11 @@ Discovering ${origin}...
     getOpenAPI(origin),
     getWellKnown(origin)
   ]);
-  const openApi = openApiResult.isOk() ? openApiResult.value : null;
+  const openApiRaw = openApiResult.isOk() ? openApiResult.value : null;
   const wellKnown = wellKnownResult.isOk() ? wellKnownResult.value : null;
+  const openApi = isOpenApiSource(openApiRaw) ? openApiRaw : null;
   const warnings = [
-    ...getWarningsForOpenAPI(openApi),
+    ...getWarningsForOpenAPI(openApiRaw),
     ...getWarningsForWellKnown(wellKnown)
   ];
   if (openApi) {

package/dist/index.cjs

@@ -56,6 +56,7 @@ __export(index_exports, {
   getWarningsForWellKnown: () => getWarningsForWellKnown,
   getWellKnown: () => getWellKnown,
   getX402WellKnown: () => getX402WellKnown,
+  isOpenApiParseFailure: () => isOpenApiParseFailure,
   validatePaymentRequiredDetailed: () => validatePaymentRequiredDetailed
 });
 module.exports = __toCommonJS(index_exports);
@@ -14041,7 +14042,13 @@ async function parseBody(response, url2) {
   try {
     const payload = await response.json();
     const parsed = OpenApiParsedSchema.safeParse(payload);
-    if (!parsed.success) return null;
+    if (!parsed.success) {
+      return {
+        parseFailure: true,
+        fetchedUrl: url2,
+        issues: parsed.error.issues.map((i) => ({ path: i.path, message: i.message }))
+      };
+    }
     return { raw: payload, ...parsed.data, fetchedUrl: url2 };
   } catch {
     return null;
@@ -14307,8 +14314,41 @@ var GuidanceMode = /* @__PURE__ */ ((GuidanceMode2) => {
   return GuidanceMode2;
 })(GuidanceMode || {});
 
+// src/core/types/sources.ts
+function isOpenApiSource(raw) {
+  return raw !== null && !("parseFailure" in raw);
+}
+
 // src/runtime/discover.ts
 var GUIDANCE_AUTO_INCLUDE_MAX_TOKENS_LENGTH = 1e3;
+function extractFromWellknown(raw) {
+  if (Array.isArray(raw["ownershipProofs"])) {
+    const proofs = raw["ownershipProofs"].filter(
+      (p) => typeof p === "string"
+    );
+    if (proofs.length > 0) return proofs;
+  }
+  return void 0;
+}
+function extractFromOpenapi(raw) {
+  const xDiscovery = raw["x-discovery"];
+  if (xDiscovery && typeof xDiscovery === "object" && !Array.isArray(xDiscovery)) {
+    const proofs = xDiscovery["ownershipProofs"];
+    if (Array.isArray(proofs)) {
+      const filtered = proofs.filter((p) => typeof p === "string");
+      if (filtered.length > 0) return filtered;
+    }
+  }
+  const legacy = raw["x-agentcash-provenance"];
+  if (legacy && typeof legacy === "object" && !Array.isArray(legacy)) {
+    const proofs = legacy["ownershipProofs"];
+    if (Array.isArray(proofs)) {
+      const filtered = proofs.filter((p) => typeof p === "string");
+      if (filtered.length > 0) return filtered;
+    }
+  }
+  return void 0;
+}
 function withGuidance(base, l4, guidanceMode) {
   if (guidanceMode === "never" /* Never */) return { ...base, guidanceAvailable: !!l4 };
   if (!l4) return { ...base, guidanceAvailable: false };
@@ -14327,10 +14367,12 @@ async function discoverOriginSchema(options) {
     options.signal,
     options.specificationOverrideUrl
   );
-  const openApi = openApiResult.isOk() ? openApiResult.value : null;
+  const openApiRaw = openApiResult.isOk() ? openApiResult.value : null;
+  const openApi = isOpenApiSource(openApiRaw) ? openApiRaw : null;
   if (openApi) {
     const l22 = checkL2ForOpenAPI(openApi);
     const l42 = checkL4ForOpenAPI(openApi);
+    const ownershipProofs2 = extractFromOpenapi(openApi.raw);
     const base2 = {
       found: true,
       origin,
@@ -14342,7 +14384,8 @@ async function discoverOriginSchema(options) {
           ...l22.version ? { version: l22.version } : {}
         }
       } : {},
-      endpoints: l22.routes
+      endpoints: l22.routes,
+      ...ownershipProofs2 ? { ownershipProofs: ownershipProofs2 } : {}
     };
     return withGuidance(base2, l42, guidanceMode);
   }
@@ -14359,6 +14402,7 @@ async function discoverOriginSchema(options) {
   if (!wellKnown) return { found: false, origin, cause: "not_found" };
   const l2 = checkL2ForWellknown(wellKnown);
   const l4 = checkL4ForWellknown(wellKnown);
+  const ownershipProofs = extractFromWellknown(wellKnown.raw);
   const base = {
     found: true,
     origin,
@@ -14369,7 +14413,8 @@ async function discoverOriginSchema(options) {
         ...l2.description ? { description: l2.description } : {}
       }
     } : {},
-    endpoints: l2.routes
+    endpoints: l2.routes,
+    ...ownershipProofs ? { ownershipProofs } : {}
   };
   return withGuidance(base, l4, guidanceMode);
 }
@@ -15147,7 +15192,8 @@ async function checkEndpointSchema(options) {
     return { found: false, origin, path, cause: "not_found" };
   }
   const openApiResult = await getOpenAPI(origin, options.headers, options.signal);
-  const openApi = openApiResult.isOk() ? openApiResult.value : null;
+  const openApiRaw = openApiResult.isOk() ? openApiResult.value : null;
+  const openApi = isOpenApiSource(openApiRaw) ? openApiRaw : null;
   if (openApi) {
     const advisories2 = getAdvisoriesForOpenAPI(openApi, path);
     if (advisories2.length > 0) return { found: true, origin, path, advisories: advisories2 };
@@ -15258,6 +15304,7 @@ var AUDIT_CODES = {
   OPENAPI_NOT_FOUND: "OPENAPI_NOT_FOUND",
   WELLKNOWN_NOT_FOUND: "WELLKNOWN_NOT_FOUND",
   // ─── OpenAPI quality ─────────────────────────────────────────────────────────
+  OPENAPI_PARSE_ERROR: "OPENAPI_PARSE_ERROR",
   OPENAPI_NO_ROUTES: "OPENAPI_NO_ROUTES",
   // ─── L2 route-list checks ────────────────────────────────────────────────────
   L2_NO_ROUTES: "L2_NO_ROUTES",
@@ -15745,6 +15792,9 @@ function validatePaymentRequiredDetailed(payload, options = {}) {
 }
 
 // src/audit/warnings/sources.ts
+function isOpenApiParseFailure(value) {
+  return value !== null && "parseFailure" in value;
+}
 function getWarningsForOpenAPI(openApi) {
   if (openApi === null) {
     return [
@@ -15756,6 +15806,18 @@ function getWarningsForOpenAPI(openApi) {
       }
     ];
   }
+  if (isOpenApiParseFailure(openApi)) {
+    const details = openApi.issues.map((i) => `  ${i.path.map(String).join(".")}: ${i.message}`).join("\n");
+    return [
+      {
+        code: AUDIT_CODES.OPENAPI_PARSE_ERROR,
+        severity: "warn",
+        message: `OpenAPI spec found at ${openApi.fetchedUrl} but failed schema validation:
+${details}`,
+        hint: "Fix the schema issues above so discovery can read the spec."
+      }
+    ];
+  }
   const warnings = [];
   if (openApi.routes.length === 0) {
     warnings.push({
@@ -15909,5 +15971,6 @@ function getWarningsForL4(l4) {
   getWarningsForWellKnown,
   getWellKnown,
   getX402WellKnown,
+  isOpenApiParseFailure,
   validatePaymentRequiredDetailed
 });

package/dist/index.d.cts

@@ -78,6 +78,15 @@ interface OpenApiSource {
     guidance?: string;
     fetchedUrl: string;
 }
+/** Returned when the spec was fetched successfully but failed schema validation. */
+interface OpenApiParseFailure {
+    parseFailure: true;
+    fetchedUrl: string;
+    issues: Array<{
+        path: (string | number | symbol)[];
+        message: string;
+    }>;
+}
 interface OpenApiRoute {
     path: string;
     method: HttpMethod;
@@ -188,6 +197,8 @@ interface DiscoverOriginSchemaSuccess {
     guidanceTokens?: number;
     /** Guidance text. Included when short enough (auto mode) or guidance='always'. */
     guidance?: string;
+    /** Ownership proof strings collected from the discovery document, if any. */
+    ownershipProofs?: string[];
 }
 interface DiscoverOriginSchemaNotFound {
     found: false;
@@ -245,7 +256,7 @@ interface FetchError {
     message: string;
 }
 
-declare function getOpenAPI(origin: string, headers?: Record<string, string>, signal?: AbortSignal, specificationOverrideUrl?: string): ResultAsync<OpenApiSource | null, FetchError>;
+declare function getOpenAPI(origin: string, headers?: Record<string, string>, signal?: AbortSignal, specificationOverrideUrl?: string): ResultAsync<OpenApiSource | OpenApiParseFailure | null, FetchError>;
 
 /**
  * Fetches both `/.well-known/x402` and `/.well-known/mpp` in parallel and merges results.
@@ -373,6 +384,7 @@ declare function validatePaymentRequiredDetailed(payload: unknown, options?: Val
 declare const AUDIT_CODES: {
     readonly OPENAPI_NOT_FOUND: "OPENAPI_NOT_FOUND";
     readonly WELLKNOWN_NOT_FOUND: "WELLKNOWN_NOT_FOUND";
+    readonly OPENAPI_PARSE_ERROR: "OPENAPI_PARSE_ERROR";
     readonly OPENAPI_NO_ROUTES: "OPENAPI_NO_ROUTES";
     readonly L2_NO_ROUTES: "L2_NO_ROUTES";
     readonly L2_ROUTE_COUNT_HIGH: "L2_ROUTE_COUNT_HIGH";
@@ -413,7 +425,9 @@ interface AuditWarning {
     path?: string;
 }
 
-declare function getWarningsForOpenAPI(openApi: OpenApiSource | null): AuditWarning[];
+/** Type guard: true when the value is a parse-failure sentinel (spec fetched but invalid). */
+declare function isOpenApiParseFailure(value: OpenApiSource | OpenApiParseFailure | null): value is OpenApiParseFailure;
+declare function getWarningsForOpenAPI(openApi: OpenApiSource | OpenApiParseFailure | null): AuditWarning[];
 declare function getWarningsForWellKnown(wellKnown: WellKnownSource | null): AuditWarning[];
 
 declare function getWarningsForL2(l2: L2Result): AuditWarning[];
@@ -443,4 +457,4 @@ declare function getWarningsForL4(l4: L4Result | null): AuditWarning[];
  */
 declare function getWarningsForMppHeader(wwwAuthenticate: string | null | undefined): AuditWarning[];
 
-export { AUDIT_CODES, type AuditCode, type AuditSeverity, type AuditWarning, type AuthMode, type CheckEndpointNotFound, type CheckEndpointOptions, type CheckEndpointResult, type CheckEndpointSuccess, type DiscoverOriginSchemaNotFound, type DiscoverOriginSchemaOptions, type DiscoverOriginSchemaResult, type DiscoverOriginSchemaSuccess, type EndpointMethodAdvisory, GuidanceMode, type HttpMethod, type L2Result, type L2Route, type L3Result, type L4Result, type MetadataPreview, type MppPaymentOption, type NormalizedAccept, type NormalizedPaymentRequired, type OpenApiRoute, type OpenApiSource, type PaymentOption, type PricingMode, type ProbeResult, type TrustTier, VALIDATION_CODES, type ValidatePaymentRequiredDetailedResult, type ValidatePaymentRequiredOptions, type ValidationIssue, type ValidationSeverity, type ValidationStage, type ValidationSummary, type WellKnownRoute, type WellKnownSource, type X402PaymentOption, type X402V1PaymentOption, type X402V2PaymentOption, attachProbePayload, checkEndpointSchema, checkL2ForOpenAPI, checkL2ForWellknown, checkL4ForOpenAPI, checkL4ForWellknown, discoverOriginSchema, evaluateMetadataCompleteness, getL3, getL3ForOpenAPI, getL3ForProbe, getMppWellKnown, getOpenAPI, getProbe, getWarningsFor402Body, getWarningsForL2, getWarningsForL3, getWarningsForL4, getWarningsForMppHeader, getWarningsForOpenAPI, getWarningsForWellKnown, getWellKnown, getX402WellKnown, validatePaymentRequiredDetailed };
+export { AUDIT_CODES, type AuditCode, type AuditSeverity, type AuditWarning, type AuthMode, type CheckEndpointNotFound, type CheckEndpointOptions, type CheckEndpointResult, type CheckEndpointSuccess, type DiscoverOriginSchemaNotFound, type DiscoverOriginSchemaOptions, type DiscoverOriginSchemaResult, type DiscoverOriginSchemaSuccess, type EndpointMethodAdvisory, GuidanceMode, type HttpMethod, type L2Result, type L2Route, type L3Result, type L4Result, type MetadataPreview, type MppPaymentOption, type NormalizedAccept, type NormalizedPaymentRequired, type OpenApiParseFailure, type OpenApiRoute, type OpenApiSource, type PaymentOption, type PricingMode, type ProbeResult, type TrustTier, VALIDATION_CODES, type ValidatePaymentRequiredDetailedResult, type ValidatePaymentRequiredOptions, type ValidationIssue, type ValidationSeverity, type ValidationStage, type ValidationSummary, type WellKnownRoute, type WellKnownSource, type X402PaymentOption, type X402V1PaymentOption, type X402V2PaymentOption, attachProbePayload, checkEndpointSchema, checkL2ForOpenAPI, checkL2ForWellknown, checkL4ForOpenAPI, checkL4ForWellknown, discoverOriginSchema, evaluateMetadataCompleteness, getL3, getL3ForOpenAPI, getL3ForProbe, getMppWellKnown, getOpenAPI, getProbe, getWarningsFor402Body, getWarningsForL2, getWarningsForL3, getWarningsForL4, getWarningsForMppHeader, getWarningsForOpenAPI, getWarningsForWellKnown, getWellKnown, getX402WellKnown, isOpenApiParseFailure, validatePaymentRequiredDetailed };

package/dist/index.d.ts

@@ -78,6 +78,15 @@ interface OpenApiSource {
     guidance?: string;
     fetchedUrl: string;
 }
+/** Returned when the spec was fetched successfully but failed schema validation. */
+interface OpenApiParseFailure {
+    parseFailure: true;
+    fetchedUrl: string;
+    issues: Array<{
+        path: (string | number | symbol)[];
+        message: string;
+    }>;
+}
 interface OpenApiRoute {
     path: string;
     method: HttpMethod;
@@ -188,6 +197,8 @@ interface DiscoverOriginSchemaSuccess {
     guidanceTokens?: number;
     /** Guidance text. Included when short enough (auto mode) or guidance='always'. */
     guidance?: string;
+    /** Ownership proof strings collected from the discovery document, if any. */
+    ownershipProofs?: string[];
 }
 interface DiscoverOriginSchemaNotFound {
     found: false;
@@ -245,7 +256,7 @@ interface FetchError {
     message: string;
 }
 
-declare function getOpenAPI(origin: string, headers?: Record<string, string>, signal?: AbortSignal, specificationOverrideUrl?: string): ResultAsync<OpenApiSource | null, FetchError>;
+declare function getOpenAPI(origin: string, headers?: Record<string, string>, signal?: AbortSignal, specificationOverrideUrl?: string): ResultAsync<OpenApiSource | OpenApiParseFailure | null, FetchError>;
 
 /**
  * Fetches both `/.well-known/x402` and `/.well-known/mpp` in parallel and merges results.
@@ -373,6 +384,7 @@ declare function validatePaymentRequiredDetailed(payload: unknown, options?: Val
 declare const AUDIT_CODES: {
     readonly OPENAPI_NOT_FOUND: "OPENAPI_NOT_FOUND";
     readonly WELLKNOWN_NOT_FOUND: "WELLKNOWN_NOT_FOUND";
+    readonly OPENAPI_PARSE_ERROR: "OPENAPI_PARSE_ERROR";
     readonly OPENAPI_NO_ROUTES: "OPENAPI_NO_ROUTES";
     readonly L2_NO_ROUTES: "L2_NO_ROUTES";
     readonly L2_ROUTE_COUNT_HIGH: "L2_ROUTE_COUNT_HIGH";
@@ -413,7 +425,9 @@ interface AuditWarning {
     path?: string;
 }
 
-declare function getWarningsForOpenAPI(openApi: OpenApiSource | null): AuditWarning[];
+/** Type guard: true when the value is a parse-failure sentinel (spec fetched but invalid). */
+declare function isOpenApiParseFailure(value: OpenApiSource | OpenApiParseFailure | null): value is OpenApiParseFailure;
+declare function getWarningsForOpenAPI(openApi: OpenApiSource | OpenApiParseFailure | null): AuditWarning[];
 declare function getWarningsForWellKnown(wellKnown: WellKnownSource | null): AuditWarning[];
 
 declare function getWarningsForL2(l2: L2Result): AuditWarning[];
@@ -443,4 +457,4 @@ declare function getWarningsForL4(l4: L4Result | null): AuditWarning[];
  */
 declare function getWarningsForMppHeader(wwwAuthenticate: string | null | undefined): AuditWarning[];
 
-export { AUDIT_CODES, type AuditCode, type AuditSeverity, type AuditWarning, type AuthMode, type CheckEndpointNotFound, type CheckEndpointOptions, type CheckEndpointResult, type CheckEndpointSuccess, type DiscoverOriginSchemaNotFound, type DiscoverOriginSchemaOptions, type DiscoverOriginSchemaResult, type DiscoverOriginSchemaSuccess, type EndpointMethodAdvisory, GuidanceMode, type HttpMethod, type L2Result, type L2Route, type L3Result, type L4Result, type MetadataPreview, type MppPaymentOption, type NormalizedAccept, type NormalizedPaymentRequired, type OpenApiRoute, type OpenApiSource, type PaymentOption, type PricingMode, type ProbeResult, type TrustTier, VALIDATION_CODES, type ValidatePaymentRequiredDetailedResult, type ValidatePaymentRequiredOptions, type ValidationIssue, type ValidationSeverity, type ValidationStage, type ValidationSummary, type WellKnownRoute, type WellKnownSource, type X402PaymentOption, type X402V1PaymentOption, type X402V2PaymentOption, attachProbePayload, checkEndpointSchema, checkL2ForOpenAPI, checkL2ForWellknown, checkL4ForOpenAPI, checkL4ForWellknown, discoverOriginSchema, evaluateMetadataCompleteness, getL3, getL3ForOpenAPI, getL3ForProbe, getMppWellKnown, getOpenAPI, getProbe, getWarningsFor402Body, getWarningsForL2, getWarningsForL3, getWarningsForL4, getWarningsForMppHeader, getWarningsForOpenAPI, getWarningsForWellKnown, getWellKnown, getX402WellKnown, validatePaymentRequiredDetailed };
+export { AUDIT_CODES, type AuditCode, type AuditSeverity, type AuditWarning, type AuthMode, type CheckEndpointNotFound, type CheckEndpointOptions, type CheckEndpointResult, type CheckEndpointSuccess, type DiscoverOriginSchemaNotFound, type DiscoverOriginSchemaOptions, type DiscoverOriginSchemaResult, type DiscoverOriginSchemaSuccess, type EndpointMethodAdvisory, GuidanceMode, type HttpMethod, type L2Result, type L2Route, type L3Result, type L4Result, type MetadataPreview, type MppPaymentOption, type NormalizedAccept, type NormalizedPaymentRequired, type OpenApiParseFailure, type OpenApiRoute, type OpenApiSource, type PaymentOption, type PricingMode, type ProbeResult, type TrustTier, VALIDATION_CODES, type ValidatePaymentRequiredDetailedResult, type ValidatePaymentRequiredOptions, type ValidationIssue, type ValidationSeverity, type ValidationStage, type ValidationSummary, type WellKnownRoute, type WellKnownSource, type X402PaymentOption, type X402V1PaymentOption, type X402V2PaymentOption, attachProbePayload, checkEndpointSchema, checkL2ForOpenAPI, checkL2ForWellknown, checkL4ForOpenAPI, checkL4ForWellknown, discoverOriginSchema, evaluateMetadataCompleteness, getL3, getL3ForOpenAPI, getL3ForProbe, getMppWellKnown, getOpenAPI, getProbe, getWarningsFor402Body, getWarningsForL2, getWarningsForL3, getWarningsForL4, getWarningsForMppHeader, getWarningsForOpenAPI, getWarningsForWellKnown, getWellKnown, getX402WellKnown, isOpenApiParseFailure, validatePaymentRequiredDetailed };

package/dist/index.js

@@ -13985,7 +13985,13 @@ async function parseBody(response, url2) {
   try {
     const payload = await response.json();
     const parsed = OpenApiParsedSchema.safeParse(payload);
-    if (!parsed.success) return null;
+    if (!parsed.success) {
+      return {
+        parseFailure: true,
+        fetchedUrl: url2,
+        issues: parsed.error.issues.map((i) => ({ path: i.path, message: i.message }))
+      };
+    }
     return { raw: payload, ...parsed.data, fetchedUrl: url2 };
   } catch {
     return null;
@@ -14251,8 +14257,41 @@ var GuidanceMode = /* @__PURE__ */ ((GuidanceMode2) => {
   return GuidanceMode2;
 })(GuidanceMode || {});
 
+// src/core/types/sources.ts
+function isOpenApiSource(raw) {
+  return raw !== null && !("parseFailure" in raw);
+}
+
 // src/runtime/discover.ts
 var GUIDANCE_AUTO_INCLUDE_MAX_TOKENS_LENGTH = 1e3;
+function extractFromWellknown(raw) {
+  if (Array.isArray(raw["ownershipProofs"])) {
+    const proofs = raw["ownershipProofs"].filter(
+      (p) => typeof p === "string"
+    );
+    if (proofs.length > 0) return proofs;
+  }
+  return void 0;
+}
+function extractFromOpenapi(raw) {
+  const xDiscovery = raw["x-discovery"];
+  if (xDiscovery && typeof xDiscovery === "object" && !Array.isArray(xDiscovery)) {
+    const proofs = xDiscovery["ownershipProofs"];
+    if (Array.isArray(proofs)) {
+      const filtered = proofs.filter((p) => typeof p === "string");
+      if (filtered.length > 0) return filtered;
+    }
+  }
+  const legacy = raw["x-agentcash-provenance"];
+  if (legacy && typeof legacy === "object" && !Array.isArray(legacy)) {
+    const proofs = legacy["ownershipProofs"];
+    if (Array.isArray(proofs)) {
+      const filtered = proofs.filter((p) => typeof p === "string");
+      if (filtered.length > 0) return filtered;
+    }
+  }
+  return void 0;
+}
 function withGuidance(base, l4, guidanceMode) {
   if (guidanceMode === "never" /* Never */) return { ...base, guidanceAvailable: !!l4 };
   if (!l4) return { ...base, guidanceAvailable: false };
@@ -14271,10 +14310,12 @@ async function discoverOriginSchema(options) {
     options.signal,
     options.specificationOverrideUrl
   );
-  const openApi = openApiResult.isOk() ? openApiResult.value : null;
+  const openApiRaw = openApiResult.isOk() ? openApiResult.value : null;
+  const openApi = isOpenApiSource(openApiRaw) ? openApiRaw : null;
   if (openApi) {
     const l22 = checkL2ForOpenAPI(openApi);
     const l42 = checkL4ForOpenAPI(openApi);
+    const ownershipProofs2 = extractFromOpenapi(openApi.raw);
     const base2 = {
       found: true,
       origin,
@@ -14286,7 +14327,8 @@ async function discoverOriginSchema(options) {
           ...l22.version ? { version: l22.version } : {}
         }
       } : {},
-      endpoints: l22.routes
+      endpoints: l22.routes,
+      ...ownershipProofs2 ? { ownershipProofs: ownershipProofs2 } : {}
     };
     return withGuidance(base2, l42, guidanceMode);
   }
@@ -14303,6 +14345,7 @@ async function discoverOriginSchema(options) {
   if (!wellKnown) return { found: false, origin, cause: "not_found" };
   const l2 = checkL2ForWellknown(wellKnown);
   const l4 = checkL4ForWellknown(wellKnown);
+  const ownershipProofs = extractFromWellknown(wellKnown.raw);
   const base = {
     found: true,
     origin,
@@ -14313,7 +14356,8 @@ async function discoverOriginSchema(options) {
         ...l2.description ? { description: l2.description } : {}
       }
     } : {},
-    endpoints: l2.routes
+    endpoints: l2.routes,
+    ...ownershipProofs ? { ownershipProofs } : {}
   };
   return withGuidance(base, l4, guidanceMode);
 }
@@ -15091,7 +15135,8 @@ async function checkEndpointSchema(options) {
     return { found: false, origin, path, cause: "not_found" };
   }
   const openApiResult = await getOpenAPI(origin, options.headers, options.signal);
-  const openApi = openApiResult.isOk() ? openApiResult.value : null;
+  const openApiRaw = openApiResult.isOk() ? openApiResult.value : null;
+  const openApi = isOpenApiSource(openApiRaw) ? openApiRaw : null;
   if (openApi) {
     const advisories2 = getAdvisoriesForOpenAPI(openApi, path);
     if (advisories2.length > 0) return { found: true, origin, path, advisories: advisories2 };
@@ -15202,6 +15247,7 @@ var AUDIT_CODES = {
   OPENAPI_NOT_FOUND: "OPENAPI_NOT_FOUND",
   WELLKNOWN_NOT_FOUND: "WELLKNOWN_NOT_FOUND",
   // ─── OpenAPI quality ─────────────────────────────────────────────────────────
+  OPENAPI_PARSE_ERROR: "OPENAPI_PARSE_ERROR",
   OPENAPI_NO_ROUTES: "OPENAPI_NO_ROUTES",
   // ─── L2 route-list checks ────────────────────────────────────────────────────
   L2_NO_ROUTES: "L2_NO_ROUTES",
@@ -15689,6 +15735,9 @@ function validatePaymentRequiredDetailed(payload, options = {}) {
 }
 
 // src/audit/warnings/sources.ts
+function isOpenApiParseFailure(value) {
+  return value !== null && "parseFailure" in value;
+}
 function getWarningsForOpenAPI(openApi) {
   if (openApi === null) {
     return [
@@ -15700,6 +15749,18 @@ function getWarningsForOpenAPI(openApi) {
       }
     ];
   }
+  if (isOpenApiParseFailure(openApi)) {
+    const details = openApi.issues.map((i) => `  ${i.path.map(String).join(".")}: ${i.message}`).join("\n");
+    return [
+      {
+        code: AUDIT_CODES.OPENAPI_PARSE_ERROR,
+        severity: "warn",
+        message: `OpenAPI spec found at ${openApi.fetchedUrl} but failed schema validation:
+${details}`,
+        hint: "Fix the schema issues above so discovery can read the spec."
+      }
+    ];
+  }
   const warnings = [];
   if (openApi.routes.length === 0) {
     warnings.push({
@@ -15852,5 +15913,6 @@ export {
   getWarningsForWellKnown,
   getWellKnown,
   getX402WellKnown,
+  isOpenApiParseFailure,
   validatePaymentRequiredDetailed
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentcash/discovery",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "Canonical OpenAPI-first discovery runtime for the agentcash ecosystem",
   "type": "module",
   "main": "./dist/index.cjs",