@agentcash/discovery 1.6.2 → 1.6.4

package/dist/index.cjs

@@ -13847,8 +13847,8 @@ var FixedPriceSchema = external_exports.object({
 var DynamicPriceSchema = external_exports.object({
   currency: Iso4217Schema,
   mode: external_exports.literal("dynamic"),
-  min: external_exports.string(),
-  max: external_exports.string()
+  min: external_exports.string().optional(),
+  max: external_exports.string().optional()
 });
 var PriceSchema = external_exports.union([FixedPriceSchema, DynamicPriceSchema]);
 var X402ProtocolSchema = external_exports.object({
@@ -13947,7 +13947,12 @@ function normalizeLegacy(raw) {
 function formatPrice(price) {
   const sym = price.currency ?? "USD";
   if (price.mode === "fixed") return `${price.amount} ${sym}`;
-  return `${price.min}-${price.max} ${sym}`;
+  if (price.min !== void 0 && price.max !== void 0) {
+    return `${price.min}-${price.max} ${sym}`;
+  }
+  if (price.min !== void 0) return `>=${price.min} ${sym}`;
+  if (price.max !== void 0) return `<=${price.max} ${sym}`;
+  return `dynamic ${sym}`;
 }
 function extractProtocolNames(protocols) {
   return protocols.map((p) => {
@@ -13999,10 +14004,13 @@ var OpenApiOperationSchema = external_exports.object({
   description: external_exports.string().optional(),
   tags: external_exports.array(external_exports.string()).optional(),
   security: external_exports.array(external_exports.record(external_exports.string(), external_exports.array(external_exports.string()))).optional(),
+  // `in` / `name` are spec-required, but a single malformed parameter must not
+  // abort the whole spec — keep them optional so discovery is resilient to
+  // non-conformant OpenAPI documents in the wild.
   parameters: external_exports.array(
     external_exports.object({
-      in: external_exports.string(),
-      name: external_exports.string(),
+      in: external_exports.string().optional(),
+      name: external_exports.string().optional(),
       schema: external_exports.unknown().optional(),
       required: external_exports.boolean().optional()
     })
@@ -14012,7 +14020,8 @@ var OpenApiOperationSchema = external_exports.object({
     content: external_exports.record(external_exports.string(), external_exports.object({ schema: external_exports.unknown().optional() }))
   }).optional(),
   responses: external_exports.record(external_exports.string(), external_exports.unknown()).optional(),
-  "x-payment-info": OpenApiPaymentInfoSchema.optional()
+  // Permissive: vendor extension shape is validated at runtime, never at parse time.
+  "x-payment-info": external_exports.unknown().optional()
 });
 var OpenApiPathItemSchema = external_exports.object({
   get: OpenApiOperationSchema.optional(),
@@ -14156,20 +14165,27 @@ function fetchSafe(url2, init) {
 }
 
 // src/core/source/openapi/index.ts
-function resolvePricingHint(p) {
-  const raw = p;
-  const info = resolvePaymentInfo(raw);
+function toRecord(raw) {
+  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) return void 0;
+  return raw;
+}
+function resolvePricingHint(raw) {
+  const record2 = toRecord(raw);
+  if (!record2) return void 0;
+  const info = resolvePaymentInfo(record2);
   if (!info) return void 0;
   return {
     pricingMode: info.price.mode,
     ...info.price.mode === "fixed" ? { price: info.price.amount } : {},
-    ...info.price.mode === "dynamic" ? { minPrice: info.price.min, maxPrice: info.price.max } : {},
+    ...info.price.mode === "dynamic" && info.price.min !== void 0 ? { minPrice: info.price.min } : {},
+    ...info.price.mode === "dynamic" && info.price.max !== void 0 ? { maxPrice: info.price.max } : {},
     ...info.price.currency ? { currency: info.price.currency } : {}
   };
 }
-function resolveProtocols(p) {
-  const raw = p;
-  const info = resolvePaymentInfo(raw);
+function resolveProtocols(raw) {
+  const record2 = toRecord(raw);
+  if (!record2) return [];
+  const info = resolvePaymentInfo(record2);
   if (!info) return [];
   return extractProtocolNames(info.protocols);
 }
@@ -14182,8 +14198,8 @@ var OpenApiParsedSchema = OpenApiDocSchema.transform((doc) => {
       if (!operation) continue;
       const authMode = inferAuthMode(operation, doc.security, doc.components?.securitySchemes) ?? void 0;
       const p = operation["x-payment-info"];
-      const protocols = resolveProtocols(p ?? {});
-      const pricing = (authMode === "paid" || authMode === "apiKey+paid") && p ? resolvePricingHint(p) : void 0;
+      const protocols = resolveProtocols(p);
+      const pricing = (authMode === "paid" || authMode === "apiKey+paid") && p !== void 0 ? resolvePricingHint(p) : void 0;
       const summary = operation.summary ?? operation.description;
       routes.push({
         path: normalizePath(serverBasePath + rawPath),
@@ -14424,28 +14440,29 @@ function getWellKnown(origin, headers, signal) {
 // src/core/layers/l2.ts
 function formatPrice2(pricing) {
   const sym = pricing.currency ?? "USD";
-  if (pricing.pricingMode === "fixed") return `${pricing.price} ${sym}`;
+  if (pricing.pricingMode === "fixed" && pricing.price) return `${pricing.price} ${sym}`;
   if (pricing.pricingMode === "dynamic") {
     if (pricing.minPrice && pricing.maxPrice)
       return `${pricing.minPrice}-${pricing.maxPrice} ${sym}`;
     if (pricing.maxPrice) return `up to ${pricing.maxPrice} ${sym}`;
-    return "dynamic";
+    if (pricing.minPrice) return `from ${pricing.minPrice} ${sym}`;
   }
-  return `unknown pricing mode: ${pricing.pricingMode}`;
+  return void 0;
 }
 function checkL2ForOpenAPI(openApi) {
-  const routes = openApi.routes.map((route) => ({
-    path: route.path,
-    method: route.method,
-    summary: route.summary ?? `${route.method} ${route.path}`,
-    ...route.authMode ? { authMode: route.authMode } : {},
-    ...route.pricing ? {
-      price: formatPrice2(route.pricing),
-      pricingMode: route.pricing.pricingMode,
-      ...route.pricing.currency ? { currency: route.pricing.currency } : {}
-    } : {},
-    ...route.protocols?.length ? { protocols: route.protocols } : {}
-  }));
+  const routes = openApi.routes.map((route) => {
+    const priceHint = route.pricing ? formatPrice2(route.pricing) : void 0;
+    return {
+      path: route.path,
+      method: route.method,
+      summary: route.summary ?? `${route.method} ${route.path}`,
+      ...route.authMode ? { authMode: route.authMode } : {},
+      ...priceHint ? { price: priceHint } : {},
+      ...route.pricing?.pricingMode ? { pricingMode: route.pricing.pricingMode } : {},
+      ...route.pricing?.currency ? { currency: route.pricing.currency } : {},
+      ...route.protocols?.length ? { protocols: route.protocols } : {}
+    };
+  });
   return {
     ...openApi.info.title ? { title: openApi.info.title } : {},
     ...openApi.info.description ? { description: openApi.info.description } : {},
@@ -14610,7 +14627,7 @@ async function discoverOriginSchema(options) {
 }
 
 // src/core/source/probe/index.ts
-var import_neverthrow6 = require("neverthrow");
+var import_neverthrow7 = require("neverthrow");
 
 // src/core/protocols/x402/v1/schema.ts
 function extractSchemas(accepts) {
@@ -15014,11 +15031,36 @@ async function parsePaymentRequiredBody(response) {
   return payload;
 }
 
+// src/core/lib/base64.ts
+var import_neverthrow6 = require("neverthrow");
+function safeBase64DecodeUtf8(encoded) {
+  return import_neverthrow6.Result.fromThrowable(
+    () => {
+      if (typeof Buffer !== "undefined") {
+        return Buffer.from(encoded, "base64").toString("utf8");
+      }
+      const binaryString = atob(encoded);
+      const bytes = new Uint8Array(binaryString.length);
+      for (let i = 0; i < binaryString.length; i++) {
+        bytes[i] = binaryString.charCodeAt(i);
+      }
+      return new TextDecoder("utf-8").decode(bytes);
+    },
+    (e) => e instanceof Error ? e : new Error(String(e))
+  )();
+}
+
 // src/core/protocols/x402/v2/parse-payment-required.ts
 function parsePaymentRequiredBody2(headerValue) {
-  const payload = JSON.parse(atob(headerValue));
-  if (!isRecord(payload) || payload.x402Version !== 2) return null;
-  return payload;
+  const decoded = safeBase64DecodeUtf8(headerValue);
+  if (decoded.isErr()) return null;
+  try {
+    const payload = JSON.parse(decoded.value);
+    if (!isRecord(payload) || payload.x402Version !== 2) return null;
+    return payload;
+  } catch {
+    return null;
+  }
 }
 
 // src/core/source/probe/index.ts
@@ -15060,8 +15102,8 @@ function probeMethod(url2, method, path, headers, signal, inputBody) {
     ...hasBody ? { body: JSON.stringify(inputBody) } : {},
     signal
   }).andThen((response) => {
-    if (!isUsableStatus(response.status)) return import_neverthrow6.ResultAsync.fromSafePromise(Promise.resolve(null));
-    return import_neverthrow6.ResultAsync.fromSafePromise(
+    if (!isUsableStatus(response.status)) return import_neverthrow7.ResultAsync.fromSafePromise(Promise.resolve(null));
+    return import_neverthrow7.ResultAsync.fromSafePromise(
       (async () => {
         let authHint = response.status === 402 ? "paid" : "unprotected";
         let paymentRequiredBody;
@@ -15092,7 +15134,7 @@ function probeMethod(url2, method, path, headers, signal, inputBody) {
 }
 function getProbe(url2, headers, signal, inputBody) {
   const path = normalizePath(new URL(url2).pathname || "/");
-  return import_neverthrow6.ResultAsync.fromSafePromise(
+  return import_neverthrow7.ResultAsync.fromSafePromise(
     Promise.all(
       [...HTTP_METHODS].map(
         (method) => probeMethod(url2, method, path, headers, signal, inputBody).match(
@@ -15105,12 +15147,13 @@ function getProbe(url2, headers, signal, inputBody) {
 }
 
 // src/core/protocols/mpp/index.ts
-var import_neverthrow7 = require("neverthrow");
+var import_neverthrow8 = require("neverthrow");
 function parseBase64Json(encoded) {
-  return import_neverthrow7.Result.fromThrowable(
+  return import_neverthrow8.Result.fromThrowable(
     () => {
-      const decoded = typeof Buffer !== "undefined" ? Buffer.from(encoded, "base64").toString("utf8") : atob(encoded);
-      const parsed = JSON.parse(decoded);
+      const decoded = safeBase64DecodeUtf8(encoded);
+      if (decoded.isErr()) throw decoded.error;
+      const parsed = JSON.parse(decoded.value);
       if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
         throw new Error("not an object");
       }
@@ -15502,6 +15545,7 @@ var AUDIT_CODES = {
   L2_NO_PAID_ROUTES: "L2_NO_PAID_ROUTES",
   L2_PRICE_MISSING_ON_PAID: "L2_PRICE_MISSING_ON_PAID",
   L2_PRICING_MODE_UNKNOWN: "L2_PRICING_MODE_UNKNOWN",
+  L2_DYNAMIC_PRICE_INCOMPLETE: "L2_DYNAMIC_PRICE_INCOMPLETE",
   L2_CURRENCY_INVALID: "L2_CURRENCY_INVALID",
   L2_PAYMENT_INFO_LEGACY: "L2_PAYMENT_INFO_LEGACY",
   L2_PROTOCOLS_MISSING_ON_PAID: "L2_PROTOCOLS_MISSING_ON_PAID",
@@ -16190,7 +16234,15 @@ function getWarningsForL2(l2) {
       });
     }
     if (route.authMode === "paid") {
-      if (!route.price) {
+      if (route.pricingMode === "dynamic" && !route.price) {
+        warnings.push({
+          code: AUDIT_CODES.L2_DYNAMIC_PRICE_INCOMPLETE,
+          severity: "warn",
+          message: `Paid route ${loc} declares dynamic pricing but no min/max bounds.`,
+          hint: "Add x-payment-info.price.min and .price.max so agents can budget before calling. Without bounds, agents have no safe upper limit to pre-authorize.",
+          path: route.path
+        });
+      } else if (!route.price) {
         warnings.push({
           code: AUDIT_CODES.L2_PRICE_MISSING_ON_PAID,
           severity: "warn",
@@ -16240,7 +16292,7 @@ function getWarningsForL4(l4) {
 }
 
 // src/audit/warnings/favicon.ts
-var import_neverthrow8 = require("neverthrow");
+var import_neverthrow9 = require("neverthrow");
 var COMMON_PATHS = ["/favicon.ico", "/favicon.png", "/favicon.svg"];
 var TIMEOUT = AbortSignal.timeout(5e3);
 function isImage(res) {
@@ -16248,12 +16300,12 @@ function isImage(res) {
 }
 function checkUrl(url2) {
   return fetchSafe(url2, { method: "HEAD", signal: TIMEOUT }).andThen((res) => {
-    if (res.ok) return (0, import_neverthrow8.okAsync)(isImage(res));
+    if (res.ok) return (0, import_neverthrow9.okAsync)(isImage(res));
     if (res.status === 405 || res.status === 403) {
       return fetchSafe(url2, { signal: TIMEOUT }).map((getRes) => getRes.ok && isImage(getRes));
     }
-    return (0, import_neverthrow8.okAsync)(false);
-  }).orElse(() => (0, import_neverthrow8.okAsync)(false));
+    return (0, import_neverthrow9.okAsync)(false);
+  }).orElse(() => (0, import_neverthrow9.okAsync)(false));
 }
 function resolveHref(href, origin) {
   if (href.startsWith("//")) return `https:${href}`;
@@ -16282,15 +16334,15 @@ function extractIconHrefs(html, origin) {
 function getHtmlIconHrefs(origin) {
   return fetchSafe(origin, { signal: TIMEOUT }).andThen((res) => {
     if (!res.ok || !(res.headers.get("content-type") ?? "").includes("text/html"))
-      return (0, import_neverthrow8.okAsync)("");
-    return import_neverthrow8.ResultAsync.fromSafePromise(res.text());
-  }).map((html) => html ? extractIconHrefs(html, origin) : []).orElse(() => (0, import_neverthrow8.okAsync)([]));
+      return (0, import_neverthrow9.okAsync)("");
+    return import_neverthrow9.ResultAsync.fromSafePromise(res.text());
+  }).map((html) => html ? extractIconHrefs(html, origin) : []).orElse(() => (0, import_neverthrow9.okAsync)([]));
 }
 function checkFavicon(origin) {
   const normalizedOrigin = origin.replace(/\/$/, "");
   return getHtmlIconHrefs(normalizedOrigin).andThen((hrefs) => {
     const candidates = [...hrefs, ...COMMON_PATHS.map((p) => `${normalizedOrigin}${p}`)];
-    return import_neverthrow8.ResultAsync.fromSafePromise(
+    return import_neverthrow9.ResultAsync.fromSafePromise(
       Promise.all(candidates.map((url2) => checkUrl(url2).then((r) => r.isOk() && r.value))).then(
         (results) => results.some(Boolean)
       )

package/dist/index.d.cts

@@ -392,8 +392,8 @@ declare const FixedPriceSchema: z.ZodObject<{
 declare const DynamicPriceSchema: z.ZodObject<{
     currency: z.ZodOptional<z.ZodString>;
     mode: z.ZodLiteral<"dynamic">;
-    min: z.ZodString;
-    max: z.ZodString;
+    min: z.ZodOptional<z.ZodString>;
+    max: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 declare const PriceSchema: z.ZodUnion<readonly [z.ZodObject<{
     currency: z.ZodOptional<z.ZodString>;
@@ -402,8 +402,8 @@ declare const PriceSchema: z.ZodUnion<readonly [z.ZodObject<{
 }, z.core.$strip>, z.ZodObject<{
     currency: z.ZodOptional<z.ZodString>;
     mode: z.ZodLiteral<"dynamic">;
-    min: z.ZodString;
-    max: z.ZodString;
+    min: z.ZodOptional<z.ZodString>;
+    max: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>]>;
 declare const X402ProtocolSchema: z.ZodObject<{
     x402: z.ZodRecord<z.ZodString, z.ZodUnknown>;
@@ -424,8 +424,8 @@ declare const PaymentInfoSchema: z.ZodObject<{
     }, z.core.$strip>, z.ZodObject<{
         currency: z.ZodOptional<z.ZodString>;
         mode: z.ZodLiteral<"dynamic">;
-        min: z.ZodString;
-        max: z.ZodString;
+        min: z.ZodOptional<z.ZodString>;
+        max: z.ZodOptional<z.ZodString>;
     }, z.core.$strip>]>;
     protocols: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
 }, z.core.$strip>;
@@ -448,6 +448,7 @@ declare const AUDIT_CODES: {
     readonly L2_NO_PAID_ROUTES: "L2_NO_PAID_ROUTES";
     readonly L2_PRICE_MISSING_ON_PAID: "L2_PRICE_MISSING_ON_PAID";
     readonly L2_PRICING_MODE_UNKNOWN: "L2_PRICING_MODE_UNKNOWN";
+    readonly L2_DYNAMIC_PRICE_INCOMPLETE: "L2_DYNAMIC_PRICE_INCOMPLETE";
     readonly L2_CURRENCY_INVALID: "L2_CURRENCY_INVALID";
     readonly L2_PAYMENT_INFO_LEGACY: "L2_PAYMENT_INFO_LEGACY";
     readonly L2_PROTOCOLS_MISSING_ON_PAID: "L2_PROTOCOLS_MISSING_ON_PAID";

package/dist/index.d.ts

@@ -392,8 +392,8 @@ declare const FixedPriceSchema: z.ZodObject<{
 declare const DynamicPriceSchema: z.ZodObject<{
     currency: z.ZodOptional<z.ZodString>;
     mode: z.ZodLiteral<"dynamic">;
-    min: z.ZodString;
-    max: z.ZodString;
+    min: z.ZodOptional<z.ZodString>;
+    max: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 declare const PriceSchema: z.ZodUnion<readonly [z.ZodObject<{
     currency: z.ZodOptional<z.ZodString>;
@@ -402,8 +402,8 @@ declare const PriceSchema: z.ZodUnion<readonly [z.ZodObject<{
 }, z.core.$strip>, z.ZodObject<{
     currency: z.ZodOptional<z.ZodString>;
     mode: z.ZodLiteral<"dynamic">;
-    min: z.ZodString;
-    max: z.ZodString;
+    min: z.ZodOptional<z.ZodString>;
+    max: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>]>;
 declare const X402ProtocolSchema: z.ZodObject<{
     x402: z.ZodRecord<z.ZodString, z.ZodUnknown>;
@@ -424,8 +424,8 @@ declare const PaymentInfoSchema: z.ZodObject<{
     }, z.core.$strip>, z.ZodObject<{
         currency: z.ZodOptional<z.ZodString>;
         mode: z.ZodLiteral<"dynamic">;
-        min: z.ZodString;
-        max: z.ZodString;
+        min: z.ZodOptional<z.ZodString>;
+        max: z.ZodOptional<z.ZodString>;
     }, z.core.$strip>]>;
     protocols: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
 }, z.core.$strip>;
@@ -448,6 +448,7 @@ declare const AUDIT_CODES: {
     readonly L2_NO_PAID_ROUTES: "L2_NO_PAID_ROUTES";
     readonly L2_PRICE_MISSING_ON_PAID: "L2_PRICE_MISSING_ON_PAID";
     readonly L2_PRICING_MODE_UNKNOWN: "L2_PRICING_MODE_UNKNOWN";
+    readonly L2_DYNAMIC_PRICE_INCOMPLETE: "L2_DYNAMIC_PRICE_INCOMPLETE";
     readonly L2_CURRENCY_INVALID: "L2_CURRENCY_INVALID";
     readonly L2_PAYMENT_INFO_LEGACY: "L2_PAYMENT_INFO_LEGACY";
     readonly L2_PROTOCOLS_MISSING_ON_PAID: "L2_PROTOCOLS_MISSING_ON_PAID";

package/dist/index.js

@@ -13785,8 +13785,8 @@ var FixedPriceSchema = external_exports.object({
 var DynamicPriceSchema = external_exports.object({
   currency: Iso4217Schema,
   mode: external_exports.literal("dynamic"),
-  min: external_exports.string(),
-  max: external_exports.string()
+  min: external_exports.string().optional(),
+  max: external_exports.string().optional()
 });
 var PriceSchema = external_exports.union([FixedPriceSchema, DynamicPriceSchema]);
 var X402ProtocolSchema = external_exports.object({
@@ -13885,7 +13885,12 @@ function normalizeLegacy(raw) {
 function formatPrice(price) {
   const sym = price.currency ?? "USD";
   if (price.mode === "fixed") return `${price.amount} ${sym}`;
-  return `${price.min}-${price.max} ${sym}`;
+  if (price.min !== void 0 && price.max !== void 0) {
+    return `${price.min}-${price.max} ${sym}`;
+  }
+  if (price.min !== void 0) return `>=${price.min} ${sym}`;
+  if (price.max !== void 0) return `<=${price.max} ${sym}`;
+  return `dynamic ${sym}`;
 }
 function extractProtocolNames(protocols) {
   return protocols.map((p) => {
@@ -13937,10 +13942,13 @@ var OpenApiOperationSchema = external_exports.object({
   description: external_exports.string().optional(),
   tags: external_exports.array(external_exports.string()).optional(),
   security: external_exports.array(external_exports.record(external_exports.string(), external_exports.array(external_exports.string()))).optional(),
+  // `in` / `name` are spec-required, but a single malformed parameter must not
+  // abort the whole spec — keep them optional so discovery is resilient to
+  // non-conformant OpenAPI documents in the wild.
   parameters: external_exports.array(
     external_exports.object({
-      in: external_exports.string(),
-      name: external_exports.string(),
+      in: external_exports.string().optional(),
+      name: external_exports.string().optional(),
       schema: external_exports.unknown().optional(),
       required: external_exports.boolean().optional()
     })
@@ -13950,7 +13958,8 @@ var OpenApiOperationSchema = external_exports.object({
     content: external_exports.record(external_exports.string(), external_exports.object({ schema: external_exports.unknown().optional() }))
   }).optional(),
   responses: external_exports.record(external_exports.string(), external_exports.unknown()).optional(),
-  "x-payment-info": OpenApiPaymentInfoSchema.optional()
+  // Permissive: vendor extension shape is validated at runtime, never at parse time.
+  "x-payment-info": external_exports.unknown().optional()
 });
 var OpenApiPathItemSchema = external_exports.object({
   get: OpenApiOperationSchema.optional(),
@@ -14094,20 +14103,27 @@ function fetchSafe(url2, init) {
 }
 
 // src/core/source/openapi/index.ts
-function resolvePricingHint(p) {
-  const raw = p;
-  const info = resolvePaymentInfo(raw);
+function toRecord(raw) {
+  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) return void 0;
+  return raw;
+}
+function resolvePricingHint(raw) {
+  const record2 = toRecord(raw);
+  if (!record2) return void 0;
+  const info = resolvePaymentInfo(record2);
   if (!info) return void 0;
   return {
     pricingMode: info.price.mode,
     ...info.price.mode === "fixed" ? { price: info.price.amount } : {},
-    ...info.price.mode === "dynamic" ? { minPrice: info.price.min, maxPrice: info.price.max } : {},
+    ...info.price.mode === "dynamic" && info.price.min !== void 0 ? { minPrice: info.price.min } : {},
+    ...info.price.mode === "dynamic" && info.price.max !== void 0 ? { maxPrice: info.price.max } : {},
     ...info.price.currency ? { currency: info.price.currency } : {}
   };
 }
-function resolveProtocols(p) {
-  const raw = p;
-  const info = resolvePaymentInfo(raw);
+function resolveProtocols(raw) {
+  const record2 = toRecord(raw);
+  if (!record2) return [];
+  const info = resolvePaymentInfo(record2);
   if (!info) return [];
   return extractProtocolNames(info.protocols);
 }
@@ -14120,8 +14136,8 @@ var OpenApiParsedSchema = OpenApiDocSchema.transform((doc) => {
       if (!operation) continue;
       const authMode = inferAuthMode(operation, doc.security, doc.components?.securitySchemes) ?? void 0;
       const p = operation["x-payment-info"];
-      const protocols = resolveProtocols(p ?? {});
-      const pricing = (authMode === "paid" || authMode === "apiKey+paid") && p ? resolvePricingHint(p) : void 0;
+      const protocols = resolveProtocols(p);
+      const pricing = (authMode === "paid" || authMode === "apiKey+paid") && p !== void 0 ? resolvePricingHint(p) : void 0;
       const summary = operation.summary ?? operation.description;
       routes.push({
         path: normalizePath(serverBasePath + rawPath),
@@ -14362,28 +14378,29 @@ function getWellKnown(origin, headers, signal) {
 // src/core/layers/l2.ts
 function formatPrice2(pricing) {
   const sym = pricing.currency ?? "USD";
-  if (pricing.pricingMode === "fixed") return `${pricing.price} ${sym}`;
+  if (pricing.pricingMode === "fixed" && pricing.price) return `${pricing.price} ${sym}`;
   if (pricing.pricingMode === "dynamic") {
     if (pricing.minPrice && pricing.maxPrice)
       return `${pricing.minPrice}-${pricing.maxPrice} ${sym}`;
     if (pricing.maxPrice) return `up to ${pricing.maxPrice} ${sym}`;
-    return "dynamic";
+    if (pricing.minPrice) return `from ${pricing.minPrice} ${sym}`;
   }
-  return `unknown pricing mode: ${pricing.pricingMode}`;
+  return void 0;
 }
 function checkL2ForOpenAPI(openApi) {
-  const routes = openApi.routes.map((route) => ({
-    path: route.path,
-    method: route.method,
-    summary: route.summary ?? `${route.method} ${route.path}`,
-    ...route.authMode ? { authMode: route.authMode } : {},
-    ...route.pricing ? {
-      price: formatPrice2(route.pricing),
-      pricingMode: route.pricing.pricingMode,
-      ...route.pricing.currency ? { currency: route.pricing.currency } : {}
-    } : {},
-    ...route.protocols?.length ? { protocols: route.protocols } : {}
-  }));
+  const routes = openApi.routes.map((route) => {
+    const priceHint = route.pricing ? formatPrice2(route.pricing) : void 0;
+    return {
+      path: route.path,
+      method: route.method,
+      summary: route.summary ?? `${route.method} ${route.path}`,
+      ...route.authMode ? { authMode: route.authMode } : {},
+      ...priceHint ? { price: priceHint } : {},
+      ...route.pricing?.pricingMode ? { pricingMode: route.pricing.pricingMode } : {},
+      ...route.pricing?.currency ? { currency: route.pricing.currency } : {},
+      ...route.protocols?.length ? { protocols: route.protocols } : {}
+    };
+  });
   return {
     ...openApi.info.title ? { title: openApi.info.title } : {},
     ...openApi.info.description ? { description: openApi.info.description } : {},
@@ -14952,11 +14969,36 @@ async function parsePaymentRequiredBody(response) {
   return payload;
 }
 
+// src/core/lib/base64.ts
+import { Result as Result2 } from "neverthrow";
+function safeBase64DecodeUtf8(encoded) {
+  return Result2.fromThrowable(
+    () => {
+      if (typeof Buffer !== "undefined") {
+        return Buffer.from(encoded, "base64").toString("utf8");
+      }
+      const binaryString = atob(encoded);
+      const bytes = new Uint8Array(binaryString.length);
+      for (let i = 0; i < binaryString.length; i++) {
+        bytes[i] = binaryString.charCodeAt(i);
+      }
+      return new TextDecoder("utf-8").decode(bytes);
+    },
+    (e) => e instanceof Error ? e : new Error(String(e))
+  )();
+}
+
 // src/core/protocols/x402/v2/parse-payment-required.ts
 function parsePaymentRequiredBody2(headerValue) {
-  const payload = JSON.parse(atob(headerValue));
-  if (!isRecord(payload) || payload.x402Version !== 2) return null;
-  return payload;
+  const decoded = safeBase64DecodeUtf8(headerValue);
+  if (decoded.isErr()) return null;
+  try {
+    const payload = JSON.parse(decoded.value);
+    if (!isRecord(payload) || payload.x402Version !== 2) return null;
+    return payload;
+  } catch {
+    return null;
+  }
 }
 
 // src/core/source/probe/index.ts
@@ -15043,12 +15085,13 @@ function getProbe(url2, headers, signal, inputBody) {
 }
 
 // src/core/protocols/mpp/index.ts
-import { Result as Result2 } from "neverthrow";
+import { Result as Result3 } from "neverthrow";
 function parseBase64Json(encoded) {
-  return Result2.fromThrowable(
+  return Result3.fromThrowable(
     () => {
-      const decoded = typeof Buffer !== "undefined" ? Buffer.from(encoded, "base64").toString("utf8") : atob(encoded);
-      const parsed = JSON.parse(decoded);
+      const decoded = safeBase64DecodeUtf8(encoded);
+      if (decoded.isErr()) throw decoded.error;
+      const parsed = JSON.parse(decoded.value);
       if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
         throw new Error("not an object");
       }
@@ -15440,6 +15483,7 @@ var AUDIT_CODES = {
   L2_NO_PAID_ROUTES: "L2_NO_PAID_ROUTES",
   L2_PRICE_MISSING_ON_PAID: "L2_PRICE_MISSING_ON_PAID",
   L2_PRICING_MODE_UNKNOWN: "L2_PRICING_MODE_UNKNOWN",
+  L2_DYNAMIC_PRICE_INCOMPLETE: "L2_DYNAMIC_PRICE_INCOMPLETE",
   L2_CURRENCY_INVALID: "L2_CURRENCY_INVALID",
   L2_PAYMENT_INFO_LEGACY: "L2_PAYMENT_INFO_LEGACY",
   L2_PROTOCOLS_MISSING_ON_PAID: "L2_PROTOCOLS_MISSING_ON_PAID",
@@ -16128,7 +16172,15 @@ function getWarningsForL2(l2) {
       });
     }
     if (route.authMode === "paid") {
-      if (!route.price) {
+      if (route.pricingMode === "dynamic" && !route.price) {
+        warnings.push({
+          code: AUDIT_CODES.L2_DYNAMIC_PRICE_INCOMPLETE,
+          severity: "warn",
+          message: `Paid route ${loc} declares dynamic pricing but no min/max bounds.`,
+          hint: "Add x-payment-info.price.min and .price.max so agents can budget before calling. Without bounds, agents have no safe upper limit to pre-authorize.",
+          path: route.path
+        });
+      } else if (!route.price) {
         warnings.push({
           code: AUDIT_CODES.L2_PRICE_MISSING_ON_PAID,
           severity: "warn",

package/dist/schemas.cjs

@@ -13809,8 +13809,8 @@ var FixedPriceSchema = external_exports.object({
 var DynamicPriceSchema = external_exports.object({
   currency: Iso4217Schema,
   mode: external_exports.literal("dynamic"),
-  min: external_exports.string(),
-  max: external_exports.string()
+  min: external_exports.string().optional(),
+  max: external_exports.string().optional()
 });
 var PriceSchema = external_exports.union([FixedPriceSchema, DynamicPriceSchema]);
 var X402ProtocolSchema = external_exports.object({
@@ -13857,10 +13857,13 @@ var OpenApiOperationSchema = external_exports.object({
   description: external_exports.string().optional(),
   tags: external_exports.array(external_exports.string()).optional(),
   security: external_exports.array(external_exports.record(external_exports.string(), external_exports.array(external_exports.string()))).optional(),
+  // `in` / `name` are spec-required, but a single malformed parameter must not
+  // abort the whole spec — keep them optional so discovery is resilient to
+  // non-conformant OpenAPI documents in the wild.
   parameters: external_exports.array(
     external_exports.object({
-      in: external_exports.string(),
-      name: external_exports.string(),
+      in: external_exports.string().optional(),
+      name: external_exports.string().optional(),
       schema: external_exports.unknown().optional(),
       required: external_exports.boolean().optional()
     })
@@ -13870,7 +13873,8 @@ var OpenApiOperationSchema = external_exports.object({
     content: external_exports.record(external_exports.string(), external_exports.object({ schema: external_exports.unknown().optional() }))
   }).optional(),
   responses: external_exports.record(external_exports.string(), external_exports.unknown()).optional(),
-  "x-payment-info": OpenApiPaymentInfoSchema.optional()
+  // Permissive: vendor extension shape is validated at runtime, never at parse time.
+  "x-payment-info": external_exports.unknown().optional()
 });
 var OpenApiPathItemSchema = external_exports.object({
   get: OpenApiOperationSchema.optional(),