@agentcash/discovery 1.6.1 → 1.6.3

package/dist/cli.cjs

@@ -13815,8 +13815,8 @@ var FixedPriceSchema = external_exports.object({
 var DynamicPriceSchema = external_exports.object({
   currency: Iso4217Schema,
   mode: external_exports.literal("dynamic"),
-  min: external_exports.string(),
-  max: external_exports.string()
+  min: external_exports.string().optional(),
+  max: external_exports.string().optional()
 });
 var PriceSchema = external_exports.union([FixedPriceSchema, DynamicPriceSchema]);
 var X402ProtocolSchema = external_exports.object({
@@ -13915,7 +13915,12 @@ function normalizeLegacy(raw) {
 function formatPrice(price) {
   const sym = price.currency ?? "USD";
   if (price.mode === "fixed") return `${price.amount} ${sym}`;
-  return `${price.min}-${price.max} ${sym}`;
+  if (price.min !== void 0 && price.max !== void 0) {
+    return `${price.min}-${price.max} ${sym}`;
+  }
+  if (price.min !== void 0) return `>=${price.min} ${sym}`;
+  if (price.max !== void 0) return `<=${price.max} ${sym}`;
+  return `dynamic ${sym}`;
 }
 function extractProtocolNames(protocols) {
   return protocols.map((p) => {
@@ -13967,10 +13972,13 @@ var OpenApiOperationSchema = external_exports.object({
   description: external_exports.string().optional(),
   tags: external_exports.array(external_exports.string()).optional(),
   security: external_exports.array(external_exports.record(external_exports.string(), external_exports.array(external_exports.string()))).optional(),
+  // `in` / `name` are spec-required, but a single malformed parameter must not
+  // abort the whole spec — keep them optional so discovery is resilient to
+  // non-conformant OpenAPI documents in the wild.
   parameters: external_exports.array(
     external_exports.object({
-      in: external_exports.string(),
-      name: external_exports.string(),
+      in: external_exports.string().optional(),
+      name: external_exports.string().optional(),
       schema: external_exports.unknown().optional(),
       required: external_exports.boolean().optional()
     })
@@ -13980,7 +13988,8 @@ var OpenApiOperationSchema = external_exports.object({
     content: external_exports.record(external_exports.string(), external_exports.object({ schema: external_exports.unknown().optional() }))
   }).optional(),
   responses: external_exports.record(external_exports.string(), external_exports.unknown()).optional(),
-  "x-payment-info": OpenApiPaymentInfoSchema.optional()
+  // Permissive: vendor extension shape is validated at runtime, never at parse time.
+  "x-payment-info": external_exports.unknown().optional()
 });
 var OpenApiPathItemSchema = external_exports.object({
   get: OpenApiOperationSchema.optional(),
@@ -14124,20 +14133,27 @@ function fetchSafe(url2, init) {
 }
 
 // src/core/source/openapi/index.ts
-function resolvePricingHint(p) {
-  const raw = p;
-  const info = resolvePaymentInfo(raw);
+function toRecord(raw) {
+  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) return void 0;
+  return raw;
+}
+function resolvePricingHint(raw) {
+  const record2 = toRecord(raw);
+  if (!record2) return void 0;
+  const info = resolvePaymentInfo(record2);
   if (!info) return void 0;
   return {
     pricingMode: info.price.mode,
     ...info.price.mode === "fixed" ? { price: info.price.amount } : {},
-    ...info.price.mode === "dynamic" ? { minPrice: info.price.min, maxPrice: info.price.max } : {},
+    ...info.price.mode === "dynamic" && info.price.min !== void 0 ? { minPrice: info.price.min } : {},
+    ...info.price.mode === "dynamic" && info.price.max !== void 0 ? { maxPrice: info.price.max } : {},
     ...info.price.currency ? { currency: info.price.currency } : {}
   };
 }
-function resolveProtocols(p) {
-  const raw = p;
-  const info = resolvePaymentInfo(raw);
+function resolveProtocols(raw) {
+  const record2 = toRecord(raw);
+  if (!record2) return [];
+  const info = resolvePaymentInfo(record2);
   if (!info) return [];
   return extractProtocolNames(info.protocols);
 }
@@ -14150,8 +14166,8 @@ var OpenApiParsedSchema = OpenApiDocSchema.transform((doc) => {
       if (!operation) continue;
       const authMode = inferAuthMode(operation, doc.security, doc.components?.securitySchemes) ?? void 0;
       const p = operation["x-payment-info"];
-      const protocols = resolveProtocols(p ?? {});
-      const pricing = (authMode === "paid" || authMode === "apiKey+paid") && p ? resolvePricingHint(p) : void 0;
+      const protocols = resolveProtocols(p);
+      const pricing = (authMode === "paid" || authMode === "apiKey+paid") && p !== void 0 ? resolvePricingHint(p) : void 0;
       const summary = operation.summary ?? operation.description;
       routes.push({
         path: normalizePath(serverBasePath + rawPath),
@@ -14392,28 +14408,29 @@ function getWellKnown(origin, headers, signal) {
 // src/core/layers/l2.ts
 function formatPrice2(pricing) {
   const sym = pricing.currency ?? "USD";
-  if (pricing.pricingMode === "fixed") return `${pricing.price} ${sym}`;
+  if (pricing.pricingMode === "fixed" && pricing.price) return `${pricing.price} ${sym}`;
   if (pricing.pricingMode === "dynamic") {
     if (pricing.minPrice && pricing.maxPrice)
       return `${pricing.minPrice}-${pricing.maxPrice} ${sym}`;
     if (pricing.maxPrice) return `up to ${pricing.maxPrice} ${sym}`;
-    return "dynamic";
+    if (pricing.minPrice) return `from ${pricing.minPrice} ${sym}`;
   }
-  return `unknown pricing mode: ${pricing.pricingMode}`;
+  return void 0;
 }
 function checkL2ForOpenAPI(openApi) {
-  const routes = openApi.routes.map((route) => ({
-    path: route.path,
-    method: route.method,
-    summary: route.summary ?? `${route.method} ${route.path}`,
-    ...route.authMode ? { authMode: route.authMode } : {},
-    ...route.pricing ? {
-      price: formatPrice2(route.pricing),
-      pricingMode: route.pricing.pricingMode,
-      ...route.pricing.currency ? { currency: route.pricing.currency } : {}
-    } : {},
-    ...route.protocols?.length ? { protocols: route.protocols } : {}
-  }));
+  const routes = openApi.routes.map((route) => {
+    const priceHint = route.pricing ? formatPrice2(route.pricing) : void 0;
+    return {
+      path: route.path,
+      method: route.method,
+      summary: route.summary ?? `${route.method} ${route.path}`,
+      ...route.authMode ? { authMode: route.authMode } : {},
+      ...priceHint ? { price: priceHint } : {},
+      ...route.pricing?.pricingMode ? { pricingMode: route.pricing.pricingMode } : {},
+      ...route.pricing?.currency ? { currency: route.pricing.currency } : {},
+      ...route.protocols?.length ? { protocols: route.protocols } : {}
+    };
+  });
   return {
     ...openApi.info.title ? { title: openApi.info.title } : {},
     ...openApi.info.description ? { description: openApi.info.description } : {},
@@ -14474,9 +14491,12 @@ var AUDIT_CODES = {
   L2_NO_PAID_ROUTES: "L2_NO_PAID_ROUTES",
   L2_PRICE_MISSING_ON_PAID: "L2_PRICE_MISSING_ON_PAID",
   L2_PRICING_MODE_UNKNOWN: "L2_PRICING_MODE_UNKNOWN",
+  L2_DYNAMIC_PRICE_INCOMPLETE: "L2_DYNAMIC_PRICE_INCOMPLETE",
   L2_CURRENCY_INVALID: "L2_CURRENCY_INVALID",
   L2_PAYMENT_INFO_LEGACY: "L2_PAYMENT_INFO_LEGACY",
   L2_PROTOCOLS_MISSING_ON_PAID: "L2_PROTOCOLS_MISSING_ON_PAID",
+  L2_X402_MALFORMED: "L2_X402_MALFORMED",
+  L2_MPP_MALFORMED: "L2_MPP_MALFORMED",
   // ─── L3 endpoint advisory checks ─────────────────────────────────────────────
   L3_NOT_FOUND: "L3_NOT_FOUND",
   L3_INPUT_SCHEMA_MISSING: "L3_INPUT_SCHEMA_MISSING",
@@ -14525,6 +14545,54 @@ function hasLegacyPaymentInfo(raw) {
   }
   return false;
 }
+function hasImproperMppTag(raw) {
+  const paths = raw.paths;
+  if (typeof paths !== "object" || paths === null) return false;
+  for (const pathItem of Object.values(paths)) {
+    if (typeof pathItem !== "object" || pathItem === null) continue;
+    for (const method of HTTP_METHODS2) {
+      const operation = pathItem[method];
+      if (typeof operation !== "object" || operation === null) continue;
+      const pi = operation["x-payment-info"];
+      if (typeof pi !== "object" || pi === null) continue;
+      const protocols = pi.protocols;
+      if (!Array.isArray(protocols)) continue;
+      for (const entry of protocols) {
+        if (typeof entry !== "object" || entry === null) continue;
+        if (!("mpp" in entry)) continue;
+        const mpp = entry.mpp;
+        if (typeof mpp !== "object" || mpp === null) return true;
+        const mppObj = mpp;
+        if (typeof mppObj.method !== "string" || mppObj.method.length === 0) return true;
+        if (typeof mppObj.intent !== "string" || mppObj.intent.length === 0) return true;
+        if (typeof mppObj.currency !== "string" || mppObj.currency.length === 0) return true;
+      }
+    }
+  }
+  return false;
+}
+function hasImproperX402Tag(raw) {
+  const paths = raw.paths;
+  if (typeof paths !== "object" || paths === null) return false;
+  for (const pathItem of Object.values(paths)) {
+    if (typeof pathItem !== "object" || pathItem === null) continue;
+    for (const method of HTTP_METHODS2) {
+      const operation = pathItem[method];
+      if (typeof operation !== "object" || operation === null) continue;
+      const pi = operation["x-payment-info"];
+      if (typeof pi !== "object" || pi === null) continue;
+      const protocols = pi.protocols;
+      if (!Array.isArray(protocols)) continue;
+      for (const entry of protocols) {
+        if (typeof entry !== "object" || entry === null) continue;
+        if (!("x402" in entry)) continue;
+        const x402 = entry.x402;
+        if (typeof x402 !== "object" || x402 === null || Array.isArray(x402)) return true;
+      }
+    }
+  }
+  return false;
+}
 function getWarningsForOpenAPI(openApi) {
   if (openApi === null) {
     return [
@@ -14566,6 +14634,22 @@ ${details}`,
       hint: "Migrate to the structured format: { price: { mode, amount, currency }, protocols: [{ x402: {} }] }."
     });
   }
+  if (hasImproperX402Tag(openApi.raw)) {
+    warnings.push({
+      code: AUDIT_CODES.L2_X402_MALFORMED,
+      severity: "warn",
+      message: "One or more operations have a malformed x402 protocol entry.",
+      hint: "Canonical shape: { x402: { ...optional config } }."
+    });
+  }
+  if (hasImproperMppTag(openApi.raw)) {
+    warnings.push({
+      code: AUDIT_CODES.L2_MPP_MALFORMED,
+      severity: "warn",
+      message: "One or more operations have a malformed mpp protocol entry.",
+      hint: "Canonical shape: { mpp: { method: string, intent: string, currency: string } }."
+    });
+  }
   return warnings;
 }
 function getWarningsForWellKnown(wellKnown) {
@@ -14643,7 +14727,15 @@ function getWarningsForL2(l2) {
       });
     }
     if (route.authMode === "paid") {
-      if (!route.price) {
+      if (route.pricingMode === "dynamic" && !route.price) {
+        warnings.push({
+          code: AUDIT_CODES.L2_DYNAMIC_PRICE_INCOMPLETE,
+          severity: "warn",
+          message: `Paid route ${loc} declares dynamic pricing but no min/max bounds.`,
+          hint: "Add x-payment-info.price.min and .price.max so agents can budget before calling. Without bounds, agents have no safe upper limit to pre-authorize.",
+          path: route.path
+        });
+      } else if (!route.price) {
         warnings.push({
           code: AUDIT_CODES.L2_PRICE_MISSING_ON_PAID,
           severity: "warn",

package/dist/cli.js

@@ -13785,8 +13785,8 @@ var FixedPriceSchema = external_exports.object({
 var DynamicPriceSchema = external_exports.object({
   currency: Iso4217Schema,
   mode: external_exports.literal("dynamic"),
-  min: external_exports.string(),
-  max: external_exports.string()
+  min: external_exports.string().optional(),
+  max: external_exports.string().optional()
 });
 var PriceSchema = external_exports.union([FixedPriceSchema, DynamicPriceSchema]);
 var X402ProtocolSchema = external_exports.object({
@@ -13885,7 +13885,12 @@ function normalizeLegacy(raw) {
 function formatPrice(price) {
   const sym = price.currency ?? "USD";
   if (price.mode === "fixed") return `${price.amount} ${sym}`;
-  return `${price.min}-${price.max} ${sym}`;
+  if (price.min !== void 0 && price.max !== void 0) {
+    return `${price.min}-${price.max} ${sym}`;
+  }
+  if (price.min !== void 0) return `>=${price.min} ${sym}`;
+  if (price.max !== void 0) return `<=${price.max} ${sym}`;
+  return `dynamic ${sym}`;
 }
 function extractProtocolNames(protocols) {
   return protocols.map((p) => {
@@ -13937,10 +13942,13 @@ var OpenApiOperationSchema = external_exports.object({
   description: external_exports.string().optional(),
   tags: external_exports.array(external_exports.string()).optional(),
   security: external_exports.array(external_exports.record(external_exports.string(), external_exports.array(external_exports.string()))).optional(),
+  // `in` / `name` are spec-required, but a single malformed parameter must not
+  // abort the whole spec — keep them optional so discovery is resilient to
+  // non-conformant OpenAPI documents in the wild.
   parameters: external_exports.array(
     external_exports.object({
-      in: external_exports.string(),
-      name: external_exports.string(),
+      in: external_exports.string().optional(),
+      name: external_exports.string().optional(),
       schema: external_exports.unknown().optional(),
       required: external_exports.boolean().optional()
     })
@@ -13950,7 +13958,8 @@ var OpenApiOperationSchema = external_exports.object({
     content: external_exports.record(external_exports.string(), external_exports.object({ schema: external_exports.unknown().optional() }))
   }).optional(),
   responses: external_exports.record(external_exports.string(), external_exports.unknown()).optional(),
-  "x-payment-info": OpenApiPaymentInfoSchema.optional()
+  // Permissive: vendor extension shape is validated at runtime, never at parse time.
+  "x-payment-info": external_exports.unknown().optional()
 });
 var OpenApiPathItemSchema = external_exports.object({
   get: OpenApiOperationSchema.optional(),
@@ -14094,20 +14103,27 @@ function fetchSafe(url2, init) {
 }
 
 // src/core/source/openapi/index.ts
-function resolvePricingHint(p) {
-  const raw = p;
-  const info = resolvePaymentInfo(raw);
+function toRecord(raw) {
+  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) return void 0;
+  return raw;
+}
+function resolvePricingHint(raw) {
+  const record2 = toRecord(raw);
+  if (!record2) return void 0;
+  const info = resolvePaymentInfo(record2);
   if (!info) return void 0;
   return {
     pricingMode: info.price.mode,
     ...info.price.mode === "fixed" ? { price: info.price.amount } : {},
-    ...info.price.mode === "dynamic" ? { minPrice: info.price.min, maxPrice: info.price.max } : {},
+    ...info.price.mode === "dynamic" && info.price.min !== void 0 ? { minPrice: info.price.min } : {},
+    ...info.price.mode === "dynamic" && info.price.max !== void 0 ? { maxPrice: info.price.max } : {},
     ...info.price.currency ? { currency: info.price.currency } : {}
   };
 }
-function resolveProtocols(p) {
-  const raw = p;
-  const info = resolvePaymentInfo(raw);
+function resolveProtocols(raw) {
+  const record2 = toRecord(raw);
+  if (!record2) return [];
+  const info = resolvePaymentInfo(record2);
   if (!info) return [];
   return extractProtocolNames(info.protocols);
 }
@@ -14120,8 +14136,8 @@ var OpenApiParsedSchema = OpenApiDocSchema.transform((doc) => {
       if (!operation) continue;
       const authMode = inferAuthMode(operation, doc.security, doc.components?.securitySchemes) ?? void 0;
       const p = operation["x-payment-info"];
-      const protocols = resolveProtocols(p ?? {});
-      const pricing = (authMode === "paid" || authMode === "apiKey+paid") && p ? resolvePricingHint(p) : void 0;
+      const protocols = resolveProtocols(p);
+      const pricing = (authMode === "paid" || authMode === "apiKey+paid") && p !== void 0 ? resolvePricingHint(p) : void 0;
       const summary = operation.summary ?? operation.description;
       routes.push({
         path: normalizePath(serverBasePath + rawPath),
@@ -14362,28 +14378,29 @@ function getWellKnown(origin, headers, signal) {
 // src/core/layers/l2.ts
 function formatPrice2(pricing) {
   const sym = pricing.currency ?? "USD";
-  if (pricing.pricingMode === "fixed") return `${pricing.price} ${sym}`;
+  if (pricing.pricingMode === "fixed" && pricing.price) return `${pricing.price} ${sym}`;
   if (pricing.pricingMode === "dynamic") {
     if (pricing.minPrice && pricing.maxPrice)
       return `${pricing.minPrice}-${pricing.maxPrice} ${sym}`;
     if (pricing.maxPrice) return `up to ${pricing.maxPrice} ${sym}`;
-    return "dynamic";
+    if (pricing.minPrice) return `from ${pricing.minPrice} ${sym}`;
   }
-  return `unknown pricing mode: ${pricing.pricingMode}`;
+  return void 0;
 }
 function checkL2ForOpenAPI(openApi) {
-  const routes = openApi.routes.map((route) => ({
-    path: route.path,
-    method: route.method,
-    summary: route.summary ?? `${route.method} ${route.path}`,
-    ...route.authMode ? { authMode: route.authMode } : {},
-    ...route.pricing ? {
-      price: formatPrice2(route.pricing),
-      pricingMode: route.pricing.pricingMode,
-      ...route.pricing.currency ? { currency: route.pricing.currency } : {}
-    } : {},
-    ...route.protocols?.length ? { protocols: route.protocols } : {}
-  }));
+  const routes = openApi.routes.map((route) => {
+    const priceHint = route.pricing ? formatPrice2(route.pricing) : void 0;
+    return {
+      path: route.path,
+      method: route.method,
+      summary: route.summary ?? `${route.method} ${route.path}`,
+      ...route.authMode ? { authMode: route.authMode } : {},
+      ...priceHint ? { price: priceHint } : {},
+      ...route.pricing?.pricingMode ? { pricingMode: route.pricing.pricingMode } : {},
+      ...route.pricing?.currency ? { currency: route.pricing.currency } : {},
+      ...route.protocols?.length ? { protocols: route.protocols } : {}
+    };
+  });
   return {
     ...openApi.info.title ? { title: openApi.info.title } : {},
     ...openApi.info.description ? { description: openApi.info.description } : {},
@@ -14444,9 +14461,12 @@ var AUDIT_CODES = {
   L2_NO_PAID_ROUTES: "L2_NO_PAID_ROUTES",
   L2_PRICE_MISSING_ON_PAID: "L2_PRICE_MISSING_ON_PAID",
   L2_PRICING_MODE_UNKNOWN: "L2_PRICING_MODE_UNKNOWN",
+  L2_DYNAMIC_PRICE_INCOMPLETE: "L2_DYNAMIC_PRICE_INCOMPLETE",
   L2_CURRENCY_INVALID: "L2_CURRENCY_INVALID",
   L2_PAYMENT_INFO_LEGACY: "L2_PAYMENT_INFO_LEGACY",
   L2_PROTOCOLS_MISSING_ON_PAID: "L2_PROTOCOLS_MISSING_ON_PAID",
+  L2_X402_MALFORMED: "L2_X402_MALFORMED",
+  L2_MPP_MALFORMED: "L2_MPP_MALFORMED",
   // ─── L3 endpoint advisory checks ─────────────────────────────────────────────
   L3_NOT_FOUND: "L3_NOT_FOUND",
   L3_INPUT_SCHEMA_MISSING: "L3_INPUT_SCHEMA_MISSING",
@@ -14495,6 +14515,54 @@ function hasLegacyPaymentInfo(raw) {
   }
   return false;
 }
+function hasImproperMppTag(raw) {
+  const paths = raw.paths;
+  if (typeof paths !== "object" || paths === null) return false;
+  for (const pathItem of Object.values(paths)) {
+    if (typeof pathItem !== "object" || pathItem === null) continue;
+    for (const method of HTTP_METHODS2) {
+      const operation = pathItem[method];
+      if (typeof operation !== "object" || operation === null) continue;
+      const pi = operation["x-payment-info"];
+      if (typeof pi !== "object" || pi === null) continue;
+      const protocols = pi.protocols;
+      if (!Array.isArray(protocols)) continue;
+      for (const entry of protocols) {
+        if (typeof entry !== "object" || entry === null) continue;
+        if (!("mpp" in entry)) continue;
+        const mpp = entry.mpp;
+        if (typeof mpp !== "object" || mpp === null) return true;
+        const mppObj = mpp;
+        if (typeof mppObj.method !== "string" || mppObj.method.length === 0) return true;
+        if (typeof mppObj.intent !== "string" || mppObj.intent.length === 0) return true;
+        if (typeof mppObj.currency !== "string" || mppObj.currency.length === 0) return true;
+      }
+    }
+  }
+  return false;
+}
+function hasImproperX402Tag(raw) {
+  const paths = raw.paths;
+  if (typeof paths !== "object" || paths === null) return false;
+  for (const pathItem of Object.values(paths)) {
+    if (typeof pathItem !== "object" || pathItem === null) continue;
+    for (const method of HTTP_METHODS2) {
+      const operation = pathItem[method];
+      if (typeof operation !== "object" || operation === null) continue;
+      const pi = operation["x-payment-info"];
+      if (typeof pi !== "object" || pi === null) continue;
+      const protocols = pi.protocols;
+      if (!Array.isArray(protocols)) continue;
+      for (const entry of protocols) {
+        if (typeof entry !== "object" || entry === null) continue;
+        if (!("x402" in entry)) continue;
+        const x402 = entry.x402;
+        if (typeof x402 !== "object" || x402 === null || Array.isArray(x402)) return true;
+      }
+    }
+  }
+  return false;
+}
 function getWarningsForOpenAPI(openApi) {
   if (openApi === null) {
     return [
@@ -14536,6 +14604,22 @@ ${details}`,
       hint: "Migrate to the structured format: { price: { mode, amount, currency }, protocols: [{ x402: {} }] }."
     });
   }
+  if (hasImproperX402Tag(openApi.raw)) {
+    warnings.push({
+      code: AUDIT_CODES.L2_X402_MALFORMED,
+      severity: "warn",
+      message: "One or more operations have a malformed x402 protocol entry.",
+      hint: "Canonical shape: { x402: { ...optional config } }."
+    });
+  }
+  if (hasImproperMppTag(openApi.raw)) {
+    warnings.push({
+      code: AUDIT_CODES.L2_MPP_MALFORMED,
+      severity: "warn",
+      message: "One or more operations have a malformed mpp protocol entry.",
+      hint: "Canonical shape: { mpp: { method: string, intent: string, currency: string } }."
+    });
+  }
   return warnings;
 }
 function getWarningsForWellKnown(wellKnown) {
@@ -14613,7 +14697,15 @@ function getWarningsForL2(l2) {
       });
     }
     if (route.authMode === "paid") {
-      if (!route.price) {
+      if (route.pricingMode === "dynamic" && !route.price) {
+        warnings.push({
+          code: AUDIT_CODES.L2_DYNAMIC_PRICE_INCOMPLETE,
+          severity: "warn",
+          message: `Paid route ${loc} declares dynamic pricing but no min/max bounds.`,
+          hint: "Add x-payment-info.price.min and .price.max so agents can budget before calling. Without bounds, agents have no safe upper limit to pre-authorize.",
+          path: route.path
+        });
+      } else if (!route.price) {
         warnings.push({
           code: AUDIT_CODES.L2_PRICE_MISSING_ON_PAID,
           severity: "warn",