@agentcash/discovery 1.6.2 → 1.6.4

package/dist/cli.cjs

@@ -13815,8 +13815,8 @@ var FixedPriceSchema = external_exports.object({
 var DynamicPriceSchema = external_exports.object({
   currency: Iso4217Schema,
   mode: external_exports.literal("dynamic"),
-  min: external_exports.string(),
-  max: external_exports.string()
+  min: external_exports.string().optional(),
+  max: external_exports.string().optional()
 });
 var PriceSchema = external_exports.union([FixedPriceSchema, DynamicPriceSchema]);
 var X402ProtocolSchema = external_exports.object({
@@ -13915,7 +13915,12 @@ function normalizeLegacy(raw) {
 function formatPrice(price) {
   const sym = price.currency ?? "USD";
   if (price.mode === "fixed") return `${price.amount} ${sym}`;
-  return `${price.min}-${price.max} ${sym}`;
+  if (price.min !== void 0 && price.max !== void 0) {
+    return `${price.min}-${price.max} ${sym}`;
+  }
+  if (price.min !== void 0) return `>=${price.min} ${sym}`;
+  if (price.max !== void 0) return `<=${price.max} ${sym}`;
+  return `dynamic ${sym}`;
 }
 function extractProtocolNames(protocols) {
   return protocols.map((p) => {
@@ -13967,10 +13972,13 @@ var OpenApiOperationSchema = external_exports.object({
   description: external_exports.string().optional(),
   tags: external_exports.array(external_exports.string()).optional(),
   security: external_exports.array(external_exports.record(external_exports.string(), external_exports.array(external_exports.string()))).optional(),
+  // `in` / `name` are spec-required, but a single malformed parameter must not
+  // abort the whole spec — keep them optional so discovery is resilient to
+  // non-conformant OpenAPI documents in the wild.
   parameters: external_exports.array(
     external_exports.object({
-      in: external_exports.string(),
-      name: external_exports.string(),
+      in: external_exports.string().optional(),
+      name: external_exports.string().optional(),
       schema: external_exports.unknown().optional(),
       required: external_exports.boolean().optional()
     })
@@ -13980,7 +13988,8 @@ var OpenApiOperationSchema = external_exports.object({
     content: external_exports.record(external_exports.string(), external_exports.object({ schema: external_exports.unknown().optional() }))
   }).optional(),
   responses: external_exports.record(external_exports.string(), external_exports.unknown()).optional(),
-  "x-payment-info": OpenApiPaymentInfoSchema.optional()
+  // Permissive: vendor extension shape is validated at runtime, never at parse time.
+  "x-payment-info": external_exports.unknown().optional()
 });
 var OpenApiPathItemSchema = external_exports.object({
   get: OpenApiOperationSchema.optional(),
@@ -14124,20 +14133,27 @@ function fetchSafe(url2, init) {
 }
 
 // src/core/source/openapi/index.ts
-function resolvePricingHint(p) {
-  const raw = p;
-  const info = resolvePaymentInfo(raw);
+function toRecord(raw) {
+  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) return void 0;
+  return raw;
+}
+function resolvePricingHint(raw) {
+  const record2 = toRecord(raw);
+  if (!record2) return void 0;
+  const info = resolvePaymentInfo(record2);
   if (!info) return void 0;
   return {
     pricingMode: info.price.mode,
     ...info.price.mode === "fixed" ? { price: info.price.amount } : {},
-    ...info.price.mode === "dynamic" ? { minPrice: info.price.min, maxPrice: info.price.max } : {},
+    ...info.price.mode === "dynamic" && info.price.min !== void 0 ? { minPrice: info.price.min } : {},
+    ...info.price.mode === "dynamic" && info.price.max !== void 0 ? { maxPrice: info.price.max } : {},
     ...info.price.currency ? { currency: info.price.currency } : {}
   };
 }
-function resolveProtocols(p) {
-  const raw = p;
-  const info = resolvePaymentInfo(raw);
+function resolveProtocols(raw) {
+  const record2 = toRecord(raw);
+  if (!record2) return [];
+  const info = resolvePaymentInfo(record2);
   if (!info) return [];
   return extractProtocolNames(info.protocols);
 }
@@ -14150,8 +14166,8 @@ var OpenApiParsedSchema = OpenApiDocSchema.transform((doc) => {
       if (!operation) continue;
       const authMode = inferAuthMode(operation, doc.security, doc.components?.securitySchemes) ?? void 0;
       const p = operation["x-payment-info"];
-      const protocols = resolveProtocols(p ?? {});
-      const pricing = (authMode === "paid" || authMode === "apiKey+paid") && p ? resolvePricingHint(p) : void 0;
+      const protocols = resolveProtocols(p);
+      const pricing = (authMode === "paid" || authMode === "apiKey+paid") && p !== void 0 ? resolvePricingHint(p) : void 0;
       const summary = operation.summary ?? operation.description;
       routes.push({
         path: normalizePath(serverBasePath + rawPath),
@@ -14392,28 +14408,29 @@ function getWellKnown(origin, headers, signal) {
 // src/core/layers/l2.ts
 function formatPrice2(pricing) {
   const sym = pricing.currency ?? "USD";
-  if (pricing.pricingMode === "fixed") return `${pricing.price} ${sym}`;
+  if (pricing.pricingMode === "fixed" && pricing.price) return `${pricing.price} ${sym}`;
   if (pricing.pricingMode === "dynamic") {
     if (pricing.minPrice && pricing.maxPrice)
       return `${pricing.minPrice}-${pricing.maxPrice} ${sym}`;
     if (pricing.maxPrice) return `up to ${pricing.maxPrice} ${sym}`;
-    return "dynamic";
+    if (pricing.minPrice) return `from ${pricing.minPrice} ${sym}`;
   }
-  return `unknown pricing mode: ${pricing.pricingMode}`;
+  return void 0;
 }
 function checkL2ForOpenAPI(openApi) {
-  const routes = openApi.routes.map((route) => ({
-    path: route.path,
-    method: route.method,
-    summary: route.summary ?? `${route.method} ${route.path}`,
-    ...route.authMode ? { authMode: route.authMode } : {},
-    ...route.pricing ? {
-      price: formatPrice2(route.pricing),
-      pricingMode: route.pricing.pricingMode,
-      ...route.pricing.currency ? { currency: route.pricing.currency } : {}
-    } : {},
-    ...route.protocols?.length ? { protocols: route.protocols } : {}
-  }));
+  const routes = openApi.routes.map((route) => {
+    const priceHint = route.pricing ? formatPrice2(route.pricing) : void 0;
+    return {
+      path: route.path,
+      method: route.method,
+      summary: route.summary ?? `${route.method} ${route.path}`,
+      ...route.authMode ? { authMode: route.authMode } : {},
+      ...priceHint ? { price: priceHint } : {},
+      ...route.pricing?.pricingMode ? { pricingMode: route.pricing.pricingMode } : {},
+      ...route.pricing?.currency ? { currency: route.pricing.currency } : {},
+      ...route.protocols?.length ? { protocols: route.protocols } : {}
+    };
+  });
   return {
     ...openApi.info.title ? { title: openApi.info.title } : {},
     ...openApi.info.description ? { description: openApi.info.description } : {},
@@ -14474,6 +14491,7 @@ var AUDIT_CODES = {
   L2_NO_PAID_ROUTES: "L2_NO_PAID_ROUTES",
   L2_PRICE_MISSING_ON_PAID: "L2_PRICE_MISSING_ON_PAID",
   L2_PRICING_MODE_UNKNOWN: "L2_PRICING_MODE_UNKNOWN",
+  L2_DYNAMIC_PRICE_INCOMPLETE: "L2_DYNAMIC_PRICE_INCOMPLETE",
   L2_CURRENCY_INVALID: "L2_CURRENCY_INVALID",
   L2_PAYMENT_INFO_LEGACY: "L2_PAYMENT_INFO_LEGACY",
   L2_PROTOCOLS_MISSING_ON_PAID: "L2_PROTOCOLS_MISSING_ON_PAID",
@@ -14709,7 +14727,15 @@ function getWarningsForL2(l2) {
       });
     }
     if (route.authMode === "paid") {
-      if (!route.price) {
+      if (route.pricingMode === "dynamic" && !route.price) {
+        warnings.push({
+          code: AUDIT_CODES.L2_DYNAMIC_PRICE_INCOMPLETE,
+          severity: "warn",
+          message: `Paid route ${loc} declares dynamic pricing but no min/max bounds.`,
+          hint: "Add x-payment-info.price.min and .price.max so agents can budget before calling. Without bounds, agents have no safe upper limit to pre-authorize.",
+          path: route.path
+        });
+      } else if (!route.price) {
         warnings.push({
           code: AUDIT_CODES.L2_PRICE_MISSING_ON_PAID,
           severity: "warn",
@@ -15600,7 +15626,7 @@ function getWarningsForFavicon(origin) {
 }
 
 // src/core/source/probe/index.ts
-var import_neverthrow7 = require("neverthrow");
+var import_neverthrow8 = require("neverthrow");
 
 // src/core/protocols/x402/index.ts
 function parseVersion(payload) {
@@ -15650,11 +15676,36 @@ async function parsePaymentRequiredBody(response) {
   return payload;
 }
 
+// src/core/lib/base64.ts
+var import_neverthrow7 = require("neverthrow");
+function safeBase64DecodeUtf8(encoded) {
+  return import_neverthrow7.Result.fromThrowable(
+    () => {
+      if (typeof Buffer !== "undefined") {
+        return Buffer.from(encoded, "base64").toString("utf8");
+      }
+      const binaryString = atob(encoded);
+      const bytes = new Uint8Array(binaryString.length);
+      for (let i = 0; i < binaryString.length; i++) {
+        bytes[i] = binaryString.charCodeAt(i);
+      }
+      return new TextDecoder("utf-8").decode(bytes);
+    },
+    (e) => e instanceof Error ? e : new Error(String(e))
+  )();
+}
+
 // src/core/protocols/x402/v2/parse-payment-required.ts
 function parsePaymentRequiredBody2(headerValue) {
-  const payload = JSON.parse(atob(headerValue));
-  if (!isRecord(payload) || payload.x402Version !== 2) return null;
-  return payload;
+  const decoded = safeBase64DecodeUtf8(headerValue);
+  if (decoded.isErr()) return null;
+  try {
+    const payload = JSON.parse(decoded.value);
+    if (!isRecord(payload) || payload.x402Version !== 2) return null;
+    return payload;
+  } catch {
+    return null;
+  }
 }
 
 // src/core/source/probe/index.ts
@@ -15696,8 +15747,8 @@ function probeMethod(url2, method, path, headers, signal, inputBody) {
     ...hasBody ? { body: JSON.stringify(inputBody) } : {},
     signal
   }).andThen((response) => {
-    if (!isUsableStatus(response.status)) return import_neverthrow7.ResultAsync.fromSafePromise(Promise.resolve(null));
-    return import_neverthrow7.ResultAsync.fromSafePromise(
+    if (!isUsableStatus(response.status)) return import_neverthrow8.ResultAsync.fromSafePromise(Promise.resolve(null));
+    return import_neverthrow8.ResultAsync.fromSafePromise(
       (async () => {
         let authHint = response.status === 402 ? "paid" : "unprotected";
         let paymentRequiredBody;
@@ -15728,7 +15779,7 @@ function probeMethod(url2, method, path, headers, signal, inputBody) {
 }
 function getProbe(url2, headers, signal, inputBody) {
   const path = normalizePath(new URL(url2).pathname || "/");
-  return import_neverthrow7.ResultAsync.fromSafePromise(
+  return import_neverthrow8.ResultAsync.fromSafePromise(
     Promise.all(
       [...HTTP_METHODS].map(
         (method) => probeMethod(url2, method, path, headers, signal, inputBody).match(
@@ -15741,12 +15792,13 @@ function getProbe(url2, headers, signal, inputBody) {
 }
 
 // src/core/protocols/mpp/index.ts
-var import_neverthrow8 = require("neverthrow");
+var import_neverthrow9 = require("neverthrow");
 function parseBase64Json(encoded) {
-  return import_neverthrow8.Result.fromThrowable(
+  return import_neverthrow9.Result.fromThrowable(
     () => {
-      const decoded = typeof Buffer !== "undefined" ? Buffer.from(encoded, "base64").toString("utf8") : atob(encoded);
-      const parsed = JSON.parse(decoded);
+      const decoded = safeBase64DecodeUtf8(encoded);
+      if (decoded.isErr()) throw decoded.error;
+      const parsed = JSON.parse(decoded.value);
       if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
         throw new Error("not an object");
       }

package/dist/cli.js

@@ -13785,8 +13785,8 @@ var FixedPriceSchema = external_exports.object({
 var DynamicPriceSchema = external_exports.object({
   currency: Iso4217Schema,
   mode: external_exports.literal("dynamic"),
-  min: external_exports.string(),
-  max: external_exports.string()
+  min: external_exports.string().optional(),
+  max: external_exports.string().optional()
 });
 var PriceSchema = external_exports.union([FixedPriceSchema, DynamicPriceSchema]);
 var X402ProtocolSchema = external_exports.object({
@@ -13885,7 +13885,12 @@ function normalizeLegacy(raw) {
 function formatPrice(price) {
   const sym = price.currency ?? "USD";
   if (price.mode === "fixed") return `${price.amount} ${sym}`;
-  return `${price.min}-${price.max} ${sym}`;
+  if (price.min !== void 0 && price.max !== void 0) {
+    return `${price.min}-${price.max} ${sym}`;
+  }
+  if (price.min !== void 0) return `>=${price.min} ${sym}`;
+  if (price.max !== void 0) return `<=${price.max} ${sym}`;
+  return `dynamic ${sym}`;
 }
 function extractProtocolNames(protocols) {
   return protocols.map((p) => {
@@ -13937,10 +13942,13 @@ var OpenApiOperationSchema = external_exports.object({
   description: external_exports.string().optional(),
   tags: external_exports.array(external_exports.string()).optional(),
   security: external_exports.array(external_exports.record(external_exports.string(), external_exports.array(external_exports.string()))).optional(),
+  // `in` / `name` are spec-required, but a single malformed parameter must not
+  // abort the whole spec — keep them optional so discovery is resilient to
+  // non-conformant OpenAPI documents in the wild.
   parameters: external_exports.array(
     external_exports.object({
-      in: external_exports.string(),
-      name: external_exports.string(),
+      in: external_exports.string().optional(),
+      name: external_exports.string().optional(),
       schema: external_exports.unknown().optional(),
       required: external_exports.boolean().optional()
     })
@@ -13950,7 +13958,8 @@ var OpenApiOperationSchema = external_exports.object({
     content: external_exports.record(external_exports.string(), external_exports.object({ schema: external_exports.unknown().optional() }))
   }).optional(),
   responses: external_exports.record(external_exports.string(), external_exports.unknown()).optional(),
-  "x-payment-info": OpenApiPaymentInfoSchema.optional()
+  // Permissive: vendor extension shape is validated at runtime, never at parse time.
+  "x-payment-info": external_exports.unknown().optional()
 });
 var OpenApiPathItemSchema = external_exports.object({
   get: OpenApiOperationSchema.optional(),
@@ -14094,20 +14103,27 @@ function fetchSafe(url2, init) {
 }
 
 // src/core/source/openapi/index.ts
-function resolvePricingHint(p) {
-  const raw = p;
-  const info = resolvePaymentInfo(raw);
+function toRecord(raw) {
+  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) return void 0;
+  return raw;
+}
+function resolvePricingHint(raw) {
+  const record2 = toRecord(raw);
+  if (!record2) return void 0;
+  const info = resolvePaymentInfo(record2);
   if (!info) return void 0;
   return {
     pricingMode: info.price.mode,
     ...info.price.mode === "fixed" ? { price: info.price.amount } : {},
-    ...info.price.mode === "dynamic" ? { minPrice: info.price.min, maxPrice: info.price.max } : {},
+    ...info.price.mode === "dynamic" && info.price.min !== void 0 ? { minPrice: info.price.min } : {},
+    ...info.price.mode === "dynamic" && info.price.max !== void 0 ? { maxPrice: info.price.max } : {},
     ...info.price.currency ? { currency: info.price.currency } : {}
   };
 }
-function resolveProtocols(p) {
-  const raw = p;
-  const info = resolvePaymentInfo(raw);
+function resolveProtocols(raw) {
+  const record2 = toRecord(raw);
+  if (!record2) return [];
+  const info = resolvePaymentInfo(record2);
   if (!info) return [];
   return extractProtocolNames(info.protocols);
 }
@@ -14120,8 +14136,8 @@ var OpenApiParsedSchema = OpenApiDocSchema.transform((doc) => {
       if (!operation) continue;
       const authMode = inferAuthMode(operation, doc.security, doc.components?.securitySchemes) ?? void 0;
       const p = operation["x-payment-info"];
-      const protocols = resolveProtocols(p ?? {});
-      const pricing = (authMode === "paid" || authMode === "apiKey+paid") && p ? resolvePricingHint(p) : void 0;
+      const protocols = resolveProtocols(p);
+      const pricing = (authMode === "paid" || authMode === "apiKey+paid") && p !== void 0 ? resolvePricingHint(p) : void 0;
       const summary = operation.summary ?? operation.description;
       routes.push({
         path: normalizePath(serverBasePath + rawPath),
@@ -14362,28 +14378,29 @@ function getWellKnown(origin, headers, signal) {
 // src/core/layers/l2.ts
 function formatPrice2(pricing) {
   const sym = pricing.currency ?? "USD";
-  if (pricing.pricingMode === "fixed") return `${pricing.price} ${sym}`;
+  if (pricing.pricingMode === "fixed" && pricing.price) return `${pricing.price} ${sym}`;
   if (pricing.pricingMode === "dynamic") {
     if (pricing.minPrice && pricing.maxPrice)
       return `${pricing.minPrice}-${pricing.maxPrice} ${sym}`;
     if (pricing.maxPrice) return `up to ${pricing.maxPrice} ${sym}`;
-    return "dynamic";
+    if (pricing.minPrice) return `from ${pricing.minPrice} ${sym}`;
   }
-  return `unknown pricing mode: ${pricing.pricingMode}`;
+  return void 0;
 }
 function checkL2ForOpenAPI(openApi) {
-  const routes = openApi.routes.map((route) => ({
-    path: route.path,
-    method: route.method,
-    summary: route.summary ?? `${route.method} ${route.path}`,
-    ...route.authMode ? { authMode: route.authMode } : {},
-    ...route.pricing ? {
-      price: formatPrice2(route.pricing),
-      pricingMode: route.pricing.pricingMode,
-      ...route.pricing.currency ? { currency: route.pricing.currency } : {}
-    } : {},
-    ...route.protocols?.length ? { protocols: route.protocols } : {}
-  }));
+  const routes = openApi.routes.map((route) => {
+    const priceHint = route.pricing ? formatPrice2(route.pricing) : void 0;
+    return {
+      path: route.path,
+      method: route.method,
+      summary: route.summary ?? `${route.method} ${route.path}`,
+      ...route.authMode ? { authMode: route.authMode } : {},
+      ...priceHint ? { price: priceHint } : {},
+      ...route.pricing?.pricingMode ? { pricingMode: route.pricing.pricingMode } : {},
+      ...route.pricing?.currency ? { currency: route.pricing.currency } : {},
+      ...route.protocols?.length ? { protocols: route.protocols } : {}
+    };
+  });
   return {
     ...openApi.info.title ? { title: openApi.info.title } : {},
     ...openApi.info.description ? { description: openApi.info.description } : {},
@@ -14444,6 +14461,7 @@ var AUDIT_CODES = {
   L2_NO_PAID_ROUTES: "L2_NO_PAID_ROUTES",
   L2_PRICE_MISSING_ON_PAID: "L2_PRICE_MISSING_ON_PAID",
   L2_PRICING_MODE_UNKNOWN: "L2_PRICING_MODE_UNKNOWN",
+  L2_DYNAMIC_PRICE_INCOMPLETE: "L2_DYNAMIC_PRICE_INCOMPLETE",
   L2_CURRENCY_INVALID: "L2_CURRENCY_INVALID",
   L2_PAYMENT_INFO_LEGACY: "L2_PAYMENT_INFO_LEGACY",
   L2_PROTOCOLS_MISSING_ON_PAID: "L2_PROTOCOLS_MISSING_ON_PAID",
@@ -14679,7 +14697,15 @@ function getWarningsForL2(l2) {
       });
     }
     if (route.authMode === "paid") {
-      if (!route.price) {
+      if (route.pricingMode === "dynamic" && !route.price) {
+        warnings.push({
+          code: AUDIT_CODES.L2_DYNAMIC_PRICE_INCOMPLETE,
+          severity: "warn",
+          message: `Paid route ${loc} declares dynamic pricing but no min/max bounds.`,
+          hint: "Add x-payment-info.price.min and .price.max so agents can budget before calling. Without bounds, agents have no safe upper limit to pre-authorize.",
+          path: route.path
+        });
+      } else if (!route.price) {
         warnings.push({
           code: AUDIT_CODES.L2_PRICE_MISSING_ON_PAID,
           severity: "warn",
@@ -15620,11 +15646,36 @@ async function parsePaymentRequiredBody(response) {
   return payload;
 }
 
+// src/core/lib/base64.ts
+import { Result as Result2 } from "neverthrow";
+function safeBase64DecodeUtf8(encoded) {
+  return Result2.fromThrowable(
+    () => {
+      if (typeof Buffer !== "undefined") {
+        return Buffer.from(encoded, "base64").toString("utf8");
+      }
+      const binaryString = atob(encoded);
+      const bytes = new Uint8Array(binaryString.length);
+      for (let i = 0; i < binaryString.length; i++) {
+        bytes[i] = binaryString.charCodeAt(i);
+      }
+      return new TextDecoder("utf-8").decode(bytes);
+    },
+    (e) => e instanceof Error ? e : new Error(String(e))
+  )();
+}
+
 // src/core/protocols/x402/v2/parse-payment-required.ts
 function parsePaymentRequiredBody2(headerValue) {
-  const payload = JSON.parse(atob(headerValue));
-  if (!isRecord(payload) || payload.x402Version !== 2) return null;
-  return payload;
+  const decoded = safeBase64DecodeUtf8(headerValue);
+  if (decoded.isErr()) return null;
+  try {
+    const payload = JSON.parse(decoded.value);
+    if (!isRecord(payload) || payload.x402Version !== 2) return null;
+    return payload;
+  } catch {
+    return null;
+  }
 }
 
 // src/core/source/probe/index.ts
@@ -15711,12 +15762,13 @@ function getProbe(url2, headers, signal, inputBody) {
 }
 
 // src/core/protocols/mpp/index.ts
-import { Result as Result2 } from "neverthrow";
+import { Result as Result3 } from "neverthrow";
 function parseBase64Json(encoded) {
-  return Result2.fromThrowable(
+  return Result3.fromThrowable(
     () => {
-      const decoded = typeof Buffer !== "undefined" ? Buffer.from(encoded, "base64").toString("utf8") : atob(encoded);
-      const parsed = JSON.parse(decoded);
+      const decoded = safeBase64DecodeUtf8(encoded);
+      if (decoded.isErr()) throw decoded.error;
+      const parsed = JSON.parse(decoded.value);
       if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
         throw new Error("not an object");
       }