@agentcash/discovery 1.6.4 → 1.7.0

package/AGENTS.md

@@ -6,16 +6,15 @@ This repo implements canonical discovery logic for the agentcash ecosystem.
 
 ## Hard Constraints
 
-1. Keep canonical core and compatibility modules physically separate.
+1. OpenAPI is the only machine discovery source — no legacy parsing.
 2. Avoid legacy conditionals in `src/core/*`.
 3. Preserve stable warning codes.
 4. Keep `discover` token-light and deterministic.
-5. Keep compatibility removable via a single top-level mode.
 
 ## Module Boundaries
 
 - `src/core/*`: canonical OpenAPI-first discovery.
-- `src/compat/legacy-x402scan/*`: `/.well-known/x402` + DNS `_x402` compatibility.
+- `src/audit/legacy-well-known.ts`: shallow presence probe for `/.well-known/x402` and `/.well-known/mpp` that emits a single `LEGACY_WELL_KNOWN_FOUND` migration warning. No parsing.
 
 ## Result Contract
 

package/README.md

@@ -1,36 +1,29 @@
 # @agentcash/discovery
 
-Canonical discovery runtime for the agentcash ecosystem.
+Canonical TypeScript discovery runtime and v1 specification for agent-facing paid APIs.
 
-Use one library for MCP, CLI, router, and audit so discovery behavior is identical everywhere.
+Agentcash Discovery gives agents a small, deterministic way to answer: "What can I call at this
+origin, what auth or payment should I expect, and where do I fetch details only when I need them?"
 
-## Why One Library
+## Status
 
-- Same parsing logic across surfaces: no CLI/server/client drift.
-- Shared Zod schema that the router can test against at compile-time.
-- Same warning codes and precedence rules: fewer integration surprises.
-- Same compatibility adapters in one place: legacy behavior is isolated and removable.
+- Specification: [Agentcash Discovery v1](docs/SPECIFICATION.md)
+- Runtime package: `@agentcash/discovery`
+- Stability: public draft, production-oriented APIs
 
-## L0-L5 Mental Model
+## Why This Exists
 
-- `L0` trigger layer: intents like `x402`, `pay for` should route to agentcash.
-- `L1` installed domain index: which domains are installed and when to fan out.
-- `L2` domain resources: token-light list (`discover <domain>`).
-- `L3` resource details: schema and deep metadata (`discover <domain> --verbose`).
-- `L4` domain guidance: unstructured guidance (`llms.txt`) when available.
-- `L5` cross-domain composition: intentionally out of scope for discovery v1.
+Agentic commerce needs discovery that is boring in the best way: deterministic, typed, inspectable,
+and cheap enough to place in an agent loop.
 
-Design rule: `L0` + `L1` are zero-hop critical. `L2+` should be fetched on demand.
+This package centralizes discovery behavior for the agentcash ecosystem:
 
-In practice, each layer should guide the agent to discover the next:
-
-| Layer  | Surface                                             | What the agent gets                                                                                                                          |
-| ------ | --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
-| **L0** | MCP tool description / `agentcash --help`           | First impression of agentcash. Should encourage the agent to use it and explicitly explain `discoverOriginSchema` and `checkEndpointSchema`. |
-| **L1** | Same location as L0                                 | List of domains available to the agent. Each entry should be descriptive enough for the agent to understand what it does at a high level.    |
-| **L2** | `discoverOriginSchema` result                       | Detailed description of the origin and its supported endpoints.                                                                              |
-| **L3** | `checkEndpointSchema` result                        | Specific guidance for a single endpoint: input/output schema, auth mode, and a detailed description of what the endpoint does.               |
-| **L4** | `discoverOriginSchema` with `includeGuidance: true` | Composition guidance for 2+ resources at an origin. Sourced from the `guidance` field in OpenAPI.                                            |
+- OpenAPI-only resource discovery.
+- Stable resource identity: `origin + method + path`.
+- Advisory auth, pricing, protocol, schema, and guidance metadata.
+- Runtime probes for live 402/payment truth.
+- Stable audit and validation warning codes.
+- Namespaced OpenAPI extensions that can compose with future standards such as Agent Auth.
 
 ## Install
 
@@ -38,112 +31,141 @@ In practice, each layer should guide the agent to discover the next:
 pnpm add @agentcash/discovery
 ```
 
-## CLI
+Node.js 20 or newer is required.
 
-Two commands: `discover` (list endpoints at an origin) and `check` (inspect a specific URL).
+## CLI
 
 ```bash
-# Discover all endpoints at an origin
-npx @agentcash/discovery stabletravel.dev
-npx @agentcash/discovery discover stabletravel.dev
+# Discover token-light resource metadata for an origin
+npx @agentcash/discovery stableenrich.dev
+npx @agentcash/discovery discover stableenrich.dev
+
+# Inspect one endpoint and fetch schemas/payment advisories
+npx @agentcash/discovery check https://stableenrich.dev/api/search
 
-# Inspect a specific endpoint URL
-npx @agentcash/discovery check https://stabletravel.dev/search
+# Machine-readable output
+npx @agentcash/discovery discover stableenrich.dev --json
 ```
 
 Flags:
 
-| Flag     | Description                                        |
-| -------- | -------------------------------------------------- |
-| `--json` | Machine-readable JSON output                       |
-| `-v`     | Verbose — includes guidance text and warning hints |
+| Flag              | Description                             |
+| ----------------- | --------------------------------------- |
+| `--json`          | Machine-readable JSON output            |
+| `-v`, `--verbose` | Include guidance text and warning hints |
 
-JSON output shape (`discover`):
+## Programmatic Usage
 
-```json
-{
-  "ok": true,
-  "selectedStage": "openapi",
-  "resources": [{ "resourceKey": "GET /search", "method": "GET", "path": "/search" }],
-  "warnings": [],
-  "meta": { "origin": "https://stabletravel.dev", "specUrl": "..." }
-}
-```
+```ts
+import { discoverOriginSchema, checkEndpointSchema, GuidanceMode } from '@agentcash/discovery';
 
-JSON output shape (`check`):
+const discovery = await discoverOriginSchema({
+  target: 'stableenrich.dev',
+  guidance: GuidanceMode.Auto,
+});
 
-```json
-{
-  "url": "https://stabletravel.dev/search",
-  "found": true,
-  "origin": "https://stabletravel.dev",
-  "path": "/search",
-  "advisories": [{ "method": "GET", "authMode": "bearer", "estimatedPrice": "$0.01" }],
-  "warnings": []
+if (discovery.found) {
+  for (const endpoint of discovery.endpoints) {
+    console.log(endpoint.resourceKey, endpoint.authMode, endpoint.price);
+  }
 }
+
+const endpoint = await checkEndpointSchema({
+  url: 'https://stableenrich.dev/api/search',
+  probe: true,
+});
 ```
 
-## Programmatic Usage
+`discoverOriginSchema()` is the L2 route-list API. It stays token-light and stops after the first
+valid non-empty source.
 
-```ts
-import { discoverOriginSchema, checkEndpointSchema } from '@agentcash/discovery';
+`checkEndpointSchema()` is the L3 endpoint-detail API. It returns per-method advisories, request
+and response schemas when known, and live payment options when probing is enabled.
 
-// Discover all endpoints at an origin
-const result = await discoverOriginSchema({ target: 'stabletravel.dev' });
-// result.found === true → result.endpoints (L2Route[]), result.guidance?, result.guidanceTokens?
+## Discovery Model
 
-// Inspect a specific endpoint URL
-const check = await checkEndpointSchema({ url: 'https://stabletravel.dev/search' });
-// check.found === true → check.advisories (per-method: authMode, estimatedPrice, protocols, inputSchema)
+Discovery order:
+
+1. Caller-supplied OpenAPI override URL.
+2. `GET /openapi.json`.
+
+If no OpenAPI spec is found, discovery returns `{ found: false, cause: 'not_found' }`. Legacy
+`/.well-known/x402`, `/.well-known/mpp`, and DNS `_x402` records are no longer parsed; call
+`probeLegacyWellKnown()` to detect their presence and emit a single `LEGACY_WELL_KNOWN_FOUND`
+migration warning.
+
+Resource identity is always:
+
+```text
+${origin} ${method} ${path}
 ```
 
-## Exported API
+Example:
+
+```text
+https://api.example.com POST /search
+```
 
-### Core discovery
+Discovery is advisory. Runtime payment/auth facts come from the live endpoint challenge.
 
-| Export                   | Description                                               |
-| ------------------------ | --------------------------------------------------------- |
-| `discoverOriginSchema()` | Progressive discovery — returns endpoints + advisory data |
-| `checkEndpointSchema()`  | Per-endpoint inspection — returns per-method advisories   |
+## OpenAPI Profile
 
-### Layer fetchers (low-level)
+New providers should use OpenAPI `security` for auth and `x-payment-info` for payment:
 
-| Export                     | Layer | Description                           |
-| -------------------------- | ----- | ------------------------------------- |
-| `getOpenAPI(origin)`       | —     | Fetch OpenAPI spec from origin        |
-| `getWellKnown(origin)`     | —     | Fetch `/.well-known/x402` document    |
-| `getProbe(url, body?)`     | —     | Live endpoint probe                   |
-| `checkL2ForOpenAPI(spec)`  | L2    | Extract route list from OpenAPI       |
-| `checkL2ForWellknown(doc)` | L2    | Extract route list from well-known    |
-| `getL3(origin, path)`      | L3    | Get detailed metadata for an endpoint |
-| `checkL4ForOpenAPI(spec)`  | L4    | Extract guidance from OpenAPI         |
-| `checkL4ForWellknown(doc)` | L4    | Extract guidance from well-known      |
+```json
+{
+  "openapi": "3.1.0",
+  "info": { "title": "Example API", "version": "1.0.0" },
+  "paths": {
+    "/search": {
+      "post": {
+        "summary": "Search records",
+        "security": [],
+        "x-payment-info": {
+          "price": { "mode": "fixed", "currency": "USD", "amount": "0.02" },
+          "protocols": [{ "x402": {} }]
+        },
+        "responses": {
+          "200": { "description": "OK" },
+          "402": { "description": "Payment Required" }
+        }
+      }
+    }
+  }
+}
+```
 
-### Validation
+See [docs/SPECIFICATION.md](docs/SPECIFICATION.md) for the normative field rules.
 
-| Export                              | Description                                  |
-| ----------------------------------- | -------------------------------------------- |
-| `validatePaymentRequiredDetailed()` | Full 402 payload validation with diagnostics |
-| `evaluateMetadataCompleteness()`    | Metadata quality score                       |
-| `VALIDATION_CODES`                  | Stable issue code constants                  |
+SIWX is modeled as OpenAPI security too. Mark the security scheme with
+`x-agentcash-auth-kind: "siwx"` so discovery treats it as wallet identity auth rather than a
+generic API key.
 
-### Audit
+## Exported API
 
-| Export                      | Description                    |
-| --------------------------- | ------------------------------ |
-| `getWarningsForOpenAPI()`   | Warnings for OpenAPI source    |
-| `getWarningsForWellKnown()` | Warnings for well-known source |
-| `getWarningsForL2()`        | Warnings for route list        |
-| `getWarningsForL3()`        | Warnings for endpoint metadata |
-| `getWarningsForL4()`        | Warnings for guidance layer    |
-| `AUDIT_CODES`               | Stable audit code constants    |
+| Export                              | Description                                                          |
+| ----------------------------------- | -------------------------------------------------------------------- |
+| `discoverOriginSchema()`            | Token-light origin discovery                                         |
+| `checkEndpointSchema()`             | Per-endpoint schema/payment inspection                               |
+| `getOpenAPI()`                      | Fetch and parse OpenAPI from canonical locations                     |
+| `getProbe()`                        | Probe an endpoint for live auth/payment behavior                     |
+| `validatePaymentRequiredDetailed()` | Canonical x402 payment-required validator                            |
+| `getWarningsForOpenAPI()`           | OpenAPI quality warnings                                             |
+| `probeLegacyWellKnown()`            | Detect presence of legacy `/.well-known/x402` and `/.well-known/mpp` |
+| `getWarningsForLegacyWellKnown()`   | Emit `LEGACY_WELL_KNOWN_FOUND` migration warning                     |
+| `getWarningsForL2()`                | Route-list warnings                                                  |
+| `getWarningsForL3()`                | Endpoint-detail warnings                                             |
+| `AUDIT_CODES`                       | Stable audit warning code constants                                  |
+
+## Development
 
-Ownership boundary:
+```bash
+pnpm install
+pnpm check
+```
 
-- `@agentcash/discovery` owns discovery/advisory contracts.
-- `@agentcash` should own all signing logic, but should be composable with the methods for probing built in this package.
+`pnpm check` runs formatting, linting, dependency checks, typecheck, build, and tests.
 
-Philosophy boundary:
+## License
 
-- Machine-parsable discovery metadata belongs in OpenAPI.
-- Discovery is advisory. Runtime payment challenge/probe is authoritative.
+MIT