agent-manifest 3.2.0 → 4.0.0

package/dist/cli.js

@@ -43,7 +43,7 @@ const program = new commander_1.Command();
 program
     .name('agentjson')
     .description('Universal agent manifest compiler — generates agent.json for any web app')
-    .version('3.1.0')
+    .version('4.0.0')
     .option('-p, --path <path>', 'path to the project root', '.')
     .option('-o, --output <output>', 'output path for agent.json', './public/agent.json')
     .option('--author <author>', 'author name or organization')
@@ -51,6 +51,7 @@ program
     .option('--auth-type <type>', 'override detected auth type: none | bearer | api-key | oauth2 | basic | farcaster-frame | cookie')
     .option('--auth-header <header>', 'auth header name (default: Authorization)')
     .option('--auth-docs <url>', 'URL where agents can obtain credentials')
+    .option('--base-url <url>', 'canonical base URL for the app (e.g. https://myapp.com)')
     .action(async (options) => {
     const projectPath = path.resolve(options.path);
     const outputPath = path.resolve(options.output);
@@ -59,18 +60,71 @@ program
     const files = await discovery.findRelevantFiles();
     console.log(`🔍 Found ${files.length} relevant files.`);
     const tsParser = new index_1.TSParser(projectPath);
-    const expressParser = new index_1.ExpressParser(tsParser.getProject());
+    const sharedProject = tsParser.getProject();
+    const expressParser = new index_1.ExpressParser(sharedProject);
+    const socketParser = new index_1.SocketIOParser(sharedProject);
+    const trpcParser = new index_1.TRPCParser(sharedProject);
+    const sseParser = new index_1.SSEParser(sharedProject);
+    const remixParser = new index_1.RemixParser(sharedProject);
+    const wsParser = new index_1.WebSocketParser(sharedProject);
+    const openApiParser = new index_1.OpenAPIParser();
+    const prismaParser = new index_1.PrismaParser();
     const actions = [];
+    const dataModel = {};
+    // Determine which files are OpenAPI / Prisma by extension/name
+    const openApiExts = new Set(['.json', '.yaml', '.yml']);
+    const prismaExt = '.prisma';
     for (const file of files) {
         console.log(`📄 Parsing: ${path.relative(projectPath, file)}`);
-        const fileActions = await tsParser.parseFile(file);
-        actions.push(...fileActions);
-        if (file.endsWith('.ts') || file.endsWith('.js')) {
+        const ext = path.extname(file).toLowerCase();
+        const base = path.basename(file).toLowerCase();
+        // ── OpenAPI spec ──────────────────────────────────────────────────────
+        if (openApiExts.has(ext) && index_1.OPENAPI_PATTERNS.some(p => {
+            const pat = p.replace('**/', '').replace('*', '');
+            return base.includes(pat.split('.')[0]);
+        })) {
+            try {
+                actions.push(...openApiParser.parseFile(file, projectPath));
+            }
+            catch { /* ignore */ }
+            continue;
+        }
+        // ── Prisma schema ─────────────────────────────────────────────────────
+        if (ext === prismaExt || base === 'schema.prisma') {
+            try {
+                const prismaResult = prismaParser.parseFile(file);
+                Object.assign(dataModel, prismaResult.dataModel);
+            }
+            catch { /* ignore */ }
+            continue;
+        }
+        // ── TypeScript / JavaScript source files ──────────────────────────────
+        if (ext === '.ts' || ext === '.tsx' || ext === '.js' || ext === '.jsx') {
+            // Standard TS server-action / contract / annotation parsing
+            try {
+                const fileActions = await tsParser.parseFile(file);
+                actions.push(...fileActions);
+            }
+            catch { /* ignore */ }
             try {
                 const content = fs.readFileSync(file, 'utf8');
                 if ((0, index_1.looksLikeRouteFile)(content)) {
-                    const expressActions = await expressParser.parseFile(file, projectPath);
-                    actions.push(...expressActions);
+                    actions.push(...await expressParser.parseFile(file, projectPath));
+                }
+                if ((0, index_1.looksLikeSocketIOFile)(content)) {
+                    actions.push(...await socketParser.parseFile(file, projectPath));
+                }
+                if ((0, index_1.looksLikeTRPCFile)(content)) {
+                    actions.push(...await trpcParser.parseFile(file, projectPath));
+                }
+                if ((0, index_1.looksLikeSSEFile)(content)) {
+                    actions.push(...await sseParser.parseFile(file, projectPath));
+                }
+                if ((0, index_1.looksLikeRemixRouteFile)(content)) {
+                    actions.push(...await remixParser.parseFile(file, projectPath));
+                }
+                if ((0, index_1.looksLikeWebSocketFile)(content)) {
+                    actions.push(...await wsParser.parseFile(file, projectPath));
                 }
             }
             catch { /* ignore */ }
@@ -80,7 +134,7 @@ program
     const uniqueActions = new Map();
     for (const action of actions) {
         const existing = uniqueActions.get(action.name);
-        if (!existing || Object.keys(action.inputs).length > Object.keys(existing.inputs).length) {
+        if (!existing || Object.keys(action.parameters?.properties ?? {}).length > Object.keys(existing.parameters?.properties ?? {}).length) {
             uniqueActions.set(action.name, action);
         }
     }
@@ -97,11 +151,18 @@ program
         ...(options.authDocs && { docsUrl: options.authDocs }),
     };
     const generator = new index_1.ManifestGenerator();
-    const manifest = generator.generate(Array.from(uniqueActions.values()), appMetadata, tsParser.getCapabilities(), auth);
+    const manifest = generator.generate(Array.from(uniqueActions.values()), appMetadata, tsParser.getCapabilities(), auth, '1.0.0', {
+        baseUrl: options.baseUrl ?? appMetadata.url,
+        dataModel,
+    });
     fs.mkdirSync(path.dirname(outputPath), { recursive: true });
     fs.writeFileSync(outputPath, JSON.stringify(manifest, null, 2));
+    const uiCount = Array.from(uniqueActions.values()).filter(a => a.type === 'ui').length;
+    const modelCount = Object.keys(dataModel).length;
     console.log(`✅ agent.json generated at: ${outputPath}`);
-    console.log(`   ${uniqueActions.size} actions · ${manifest.capabilities.length} capabilities · auth: ${auth.type}`);
+    console.log(`   ${uniqueActions.size} actions${uiCount ? ` · ${uiCount} ui-interactions` : ''} · ${manifest.capabilities.length} capabilities · auth: ${auth.type}`);
+    if (modelCount > 0)
+        console.log(`   dataModel: ${modelCount} models`);
 });
 // ─── validate ────────────────────────────────────────────────────────────────
 program
@@ -135,8 +196,12 @@ program
 });
 // ─── Structural validator ────────────────────────────────────────────────────
 const SAFETY_LEVELS = new Set(['read', 'write', 'financial', 'destructive', 'confidential']);
-const ACTION_TYPES = new Set(['api', 'contract', 'function']);
-const AUTH_TYPES = new Set(['none', 'bearer', 'api-key', 'oauth2', 'basic', 'farcaster-frame', 'cookie']);
+const ACTION_TYPES = new Set(['api', 'contract', 'function', 'socket', 'ui']);
+const AUTH_TYPES = new Set([
+    'none', 'bearer', 'api-key', 'oauth2', 'basic', 'cookie',
+    'siwe', 'farcaster-siwf', 'farcaster-frame',
+    'clerk', 'privy', 'dynamic', 'magic', 'passkey', 'saml', 'supabase',
+]);
 const INTENT_RE = /^[a-z][a-z0-9]*\.[a-z][a-z0-9]*$/;
 function validateManifest(m) {
     const errors = [];
@@ -160,13 +225,19 @@ function validateManifest(m) {
             else if (!INTENT_RE.test(action.intent))
                 errors.push(`${prefix}: \`intent\` must match domain.verb format`);
             if (!ACTION_TYPES.has(action.type))
-                errors.push(`${prefix}: \`type\` must be one of api|contract|function`);
+                errors.push(`${prefix}: \`type\` must be one of api|contract|function|socket|ui`);
             if (!SAFETY_LEVELS.has(action.safety))
                 errors.push(`${prefix}: \`safety\` must be one of read|write|financial|destructive|confidential`);
             if (typeof action.agentSafe !== 'boolean')
                 errors.push(`${prefix}: \`agentSafe\` must be a boolean`);
             if (!action.requiredAuth)
                 errors.push(`${prefix}: \`requiredAuth\` is missing`);
+            else if (!['public', 'required', 'farcaster-signed'].includes(action.requiredAuth.required))
+                errors.push(`${prefix}: \`requiredAuth.required\` must be "public", "required", or "farcaster-signed"`);
+            if (!action.parameters || typeof action.parameters.properties !== 'object')
+                errors.push(`${prefix}: \`parameters.properties\` must be an object`);
+            if (!action.returns || typeof action.returns.type !== 'string')
+                errors.push(`${prefix}: \`returns.type\` must be a string`);
         });
     }
     return errors;

package/dist/discovery/service.js

@@ -39,6 +39,13 @@ const path = __importStar(require("path"));
 const crypto = __importStar(require("crypto"));
 const tinyglobby_1 = require("tinyglobby");
 const express_parser_1 = require("../parser/express-parser");
+const socketio_parser_1 = require("../parser/socketio-parser");
+const trpc_parser_1 = require("../parser/trpc-parser");
+const sse_parser_1 = require("../parser/sse-parser");
+const remix_parser_1 = require("../parser/remix-parser");
+const websocket_parser_1 = require("../parser/websocket-parser");
+const openapi_parser_1 = require("../parser/openapi-parser");
+const prisma_parser_1 = require("../parser/prisma-parser");
 /** SHA-1 of a file's content — used for change detection caching. */
 function fileHash(filePath) {
     try {
@@ -60,12 +67,20 @@ const ALWAYS_EXCLUDE = [
     '!**/out/**',
     '!**/build/**',
     '!**/.vercel/**',
-    // Never scan env files — they may contain secrets
     '!**/.env',
     '!**/.env.*',
     '!**/secrets/**',
     '!**/credentials/**',
 ];
+/**
+ * Checks if a path is strictly within the project directory.
+ * Prevents path traversal via symbolic links or malformed paths.
+ */
+function isPathWithinProject(filePath, projectPath) {
+    const resolved = path.resolve(filePath);
+    const root = path.resolve(projectPath);
+    return resolved.startsWith(root);
+}
 class DiscoveryService {
     projectPath;
     cache = {};
@@ -94,14 +109,14 @@ class DiscoveryService {
     }
     async findRelevantFiles() {
         const relevantFiles = [];
-        // 0. Farcaster manifest (app identity / metadata)
+        // 0. Farcaster manifest
         const manifests = await (0, tinyglobby_1.glob)([
             '.well-known/farcaster.json',
             'public/.well-known/farcaster.json',
             '**/public/.well-known/farcaster.json',
         ], { cwd: this.projectPath, absolute: true });
         relevantFiles.push(...manifests);
-        // 0.5. ABI JSON files (smart contract definitions)
+        // 0.5. ABI JSON files
         const abis = await (0, tinyglobby_1.glob)([
             '**/*ABI.json',
             '**/abi/*.json',
@@ -111,34 +126,50 @@ class DiscoveryService {
             ...ALWAYS_EXCLUDE,
         ], { cwd: this.projectPath, absolute: true });
         relevantFiles.push(...abis);
-        // 1. API routes — support monorepo layouts (apps/*/src/app/api, apps/*/pages/api, etc.)
+        // 0.6. OpenAPI / Swagger specs
+        const openApiFiles = await (0, tinyglobby_1.glob)([
+            ...openapi_parser_1.OPENAPI_PATTERNS,
+            ...ALWAYS_EXCLUDE,
+        ], { cwd: this.projectPath, absolute: true });
+        relevantFiles.push(...openApiFiles);
+        // 0.7. Prisma schema files
+        const prismaFiles = await (0, tinyglobby_1.glob)([
+            ...prisma_parser_1.PRISMA_PATTERNS,
+            ...ALWAYS_EXCLUDE,
+        ], { cwd: this.projectPath, absolute: true });
+        relevantFiles.push(...prismaFiles);
+        // 1. Next.js API routes
         const apiRoutes = await (0, tinyglobby_1.glob)([
-            // Next.js App Router
             '**/app/api/**/*.{ts,js,tsx,jsx}',
-            // Next.js Pages Router
             '**/pages/api/**/*.{ts,js,tsx,jsx}',
-            // Generic api/ folder
             '**/api/**/*.{ts,js,tsx,jsx}',
             ...ALWAYS_EXCLUDE,
         ], { cwd: this.projectPath, absolute: true });
         relevantFiles.push(...apiRoutes);
-        // 2. Scan all TS/TSX files for signal keywords
+        // 2. Remix route files
+        const remixRoutes = await (0, tinyglobby_1.glob)([
+            '**/app/routes/**/*.{ts,js,tsx,jsx}',
+            '**/routes/**/*.{ts,js,tsx,jsx}',
+            ...ALWAYS_EXCLUDE,
+        ], { cwd: this.projectPath, absolute: true });
+        relevantFiles.push(...remixRoutes);
+        // 3. Scan all TS/TSX/JS files for signal keywords
         const allTsFiles = await (0, tinyglobby_1.glob)([
-            '**/*.{ts,tsx}',
+            '**/*.{ts,tsx,js,jsx}',
             ...ALWAYS_EXCLUDE,
         ], { cwd: this.projectPath, absolute: true });
         for (const file of allTsFiles) {
+            if (!isPathWithinProject(file, this.projectPath))
+                continue;
             if (relevantFiles.includes(file))
                 continue;
             const hash = fileHash(file);
             const cached = this.cache[file];
-            // Cache hit: file unchanged, reuse previous relevance decision
             if (cached && cached.hash === hash) {
                 if (cached.relevant)
                     relevantFiles.push(file);
                 continue;
             }
-            // Cache miss: read and classify
             const content = fs.readFileSync(file, 'utf8');
             const relevant = content.includes('@agent-action') ||
                 content.includes('useWriteContract') ||
@@ -146,7 +177,12 @@ class DiscoveryService {
                 content.includes('writeContract') ||
                 content.includes("'use server'") ||
                 content.includes('"use server"') ||
-                (0, express_parser_1.looksLikeRouteFile)(content);
+                (0, express_parser_1.looksLikeRouteFile)(content) ||
+                (0, socketio_parser_1.looksLikeSocketIOFile)(content) ||
+                (0, trpc_parser_1.looksLikeTRPCFile)(content) ||
+                (0, sse_parser_1.looksLikeSSEFile)(content) ||
+                (0, remix_parser_1.looksLikeRemixRouteFile)(content) ||
+                (0, websocket_parser_1.looksLikeWebSocketFile)(content);
             this.cache[file] = { hash, relevant };
             this.cacheModified = true;
             if (relevant)

package/dist/generator/json.js

@@ -2,13 +2,14 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ManifestGenerator = void 0;
 class ManifestGenerator {
-    generate(actions, metadata = {}, capabilities = [], auth = { type: 'none' }, version = '1.0.0') {
+    generate(actions, metadata = {}, capabilities = [], auth = { type: 'none' }, version = '1.0.0', options = {}) {
         return {
             name: metadata.name ?? 'Web App',
             description: metadata.description ?? 'Auto-generated agent manifest',
             version,
             ...(metadata.author && { author: metadata.author }),
             ...(metadata.url && { url: metadata.url }),
+            ...(options.baseUrl && { baseUrl: options.baseUrl }),
             auth,
             metadata: {
                 ...(metadata.iconUrl && { iconUrl: metadata.iconUrl }),
@@ -19,6 +20,7 @@ class ManifestGenerator {
             },
             capabilities,
             actions,
+            ...(options.dataModel && Object.keys(options.dataModel).length > 0 && { dataModel: options.dataModel }),
         };
     }
 }

package/dist/index.js

@@ -14,7 +14,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CapabilityDetector = exports.AuthDetector = exports.ManifestGenerator = exports.ZodExtractor = exports.ContractParser = exports.looksLikeRouteFile = exports.ExpressParser = exports.TSParser = exports.DiscoveryService = void 0;
+exports.CapabilityDetector = exports.AuthDetector = exports.ManifestGenerator = exports.ZodExtractor = exports.ContractParser = exports.PRISMA_PATTERNS = exports.PrismaParser = exports.OPENAPI_PATTERNS = exports.OpenAPIParser = exports.looksLikeWebSocketFile = exports.WebSocketParser = exports.looksLikeRemixRouteFile = exports.RemixParser = exports.looksLikeSSEFile = exports.SSEParser = exports.looksLikeTRPCFile = exports.TRPCParser = exports.looksLikeSocketIOFile = exports.SocketIOParser = exports.looksLikeRouteFile = exports.ExpressParser = exports.TSParser = exports.DiscoveryService = void 0;
 __exportStar(require("./types"), exports);
 var service_1 = require("./discovery/service");
 Object.defineProperty(exports, "DiscoveryService", { enumerable: true, get: function () { return service_1.DiscoveryService; } });
@@ -23,6 +23,27 @@ Object.defineProperty(exports, "TSParser", { enumerable: true, get: function ()
 var express_parser_1 = require("./parser/express-parser");
 Object.defineProperty(exports, "ExpressParser", { enumerable: true, get: function () { return express_parser_1.ExpressParser; } });
 Object.defineProperty(exports, "looksLikeRouteFile", { enumerable: true, get: function () { return express_parser_1.looksLikeRouteFile; } });
+var socketio_parser_1 = require("./parser/socketio-parser");
+Object.defineProperty(exports, "SocketIOParser", { enumerable: true, get: function () { return socketio_parser_1.SocketIOParser; } });
+Object.defineProperty(exports, "looksLikeSocketIOFile", { enumerable: true, get: function () { return socketio_parser_1.looksLikeSocketIOFile; } });
+var trpc_parser_1 = require("./parser/trpc-parser");
+Object.defineProperty(exports, "TRPCParser", { enumerable: true, get: function () { return trpc_parser_1.TRPCParser; } });
+Object.defineProperty(exports, "looksLikeTRPCFile", { enumerable: true, get: function () { return trpc_parser_1.looksLikeTRPCFile; } });
+var sse_parser_1 = require("./parser/sse-parser");
+Object.defineProperty(exports, "SSEParser", { enumerable: true, get: function () { return sse_parser_1.SSEParser; } });
+Object.defineProperty(exports, "looksLikeSSEFile", { enumerable: true, get: function () { return sse_parser_1.looksLikeSSEFile; } });
+var remix_parser_1 = require("./parser/remix-parser");
+Object.defineProperty(exports, "RemixParser", { enumerable: true, get: function () { return remix_parser_1.RemixParser; } });
+Object.defineProperty(exports, "looksLikeRemixRouteFile", { enumerable: true, get: function () { return remix_parser_1.looksLikeRemixRouteFile; } });
+var websocket_parser_1 = require("./parser/websocket-parser");
+Object.defineProperty(exports, "WebSocketParser", { enumerable: true, get: function () { return websocket_parser_1.WebSocketParser; } });
+Object.defineProperty(exports, "looksLikeWebSocketFile", { enumerable: true, get: function () { return websocket_parser_1.looksLikeWebSocketFile; } });
+var openapi_parser_1 = require("./parser/openapi-parser");
+Object.defineProperty(exports, "OpenAPIParser", { enumerable: true, get: function () { return openapi_parser_1.OpenAPIParser; } });
+Object.defineProperty(exports, "OPENAPI_PATTERNS", { enumerable: true, get: function () { return openapi_parser_1.OPENAPI_PATTERNS; } });
+var prisma_parser_1 = require("./parser/prisma-parser");
+Object.defineProperty(exports, "PrismaParser", { enumerable: true, get: function () { return prisma_parser_1.PrismaParser; } });
+Object.defineProperty(exports, "PRISMA_PATTERNS", { enumerable: true, get: function () { return prisma_parser_1.PRISMA_PATTERNS; } });
 var contract_parser_1 = require("./parser/contract-parser");
 Object.defineProperty(exports, "ContractParser", { enumerable: true, get: function () { return contract_parser_1.ContractParser; } });
 var zod_extractor_1 = require("./parser/zod-extractor");

package/dist/parser/auth-detector.js

@@ -33,7 +33,7 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthDetector = void 0;
+exports.AuthFlowInferrer = exports.AuthDetector = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const AUTH_SIGNALS = [
@@ -42,6 +42,15 @@ const AUTH_SIGNALS = [
     { pattern: '@farcaster/frame-node', type: 'farcaster-frame', priority: 100 },
     { pattern: 'validateFrameMessage', type: 'farcaster-frame', priority: 100 },
     { pattern: 'frameActionPayload', type: 'farcaster-frame', priority: 100 },
+    // Farcaster SIWF — must be before SIWE (higher priority)
+    { pattern: '@farcaster/auth-kit', type: 'farcaster-siwf', priority: 98 },
+    { pattern: 'verifySignInMessage', type: 'farcaster-siwf', priority: 98 },
+    { pattern: 'useSignIn', type: 'farcaster-siwf', priority: 95 },
+    // SIWE
+    { pattern: 'SiweMessage', type: 'siwe', priority: 95 },
+    { pattern: "from 'siwe'", type: 'siwe', priority: 95 },
+    { pattern: 'verifySiweMessage', type: 'siwe', priority: 95 },
+    { pattern: 'generateNonce', type: 'siwe', priority: 90 },
     // OAuth2 / NextAuth / Auth.js
     { pattern: 'NextAuth', type: 'oauth2', priority: 90 },
     { pattern: 'next-auth', type: 'oauth2', priority: 90 },
@@ -51,8 +60,14 @@ const AUTH_SIGNALS = [
     { pattern: 'oauth2', type: 'oauth2', priority: 80 },
     { pattern: 'access_token', type: 'oauth2', priority: 75 },
     { pattern: 'refresh_token', type: 'oauth2', priority: 75 },
-    { pattern: 'clerkMiddleware', type: 'bearer', scheme: 'Bearer', priority: 88 },
-    { pattern: 'currentUser', type: 'bearer', scheme: 'Bearer', priority: 70 },
+    // SAML
+    { pattern: 'samlify', type: 'saml', priority: 92 },
+    { pattern: 'passport-saml', type: 'saml', priority: 92 },
+    { pattern: '@node-saml', type: 'saml', priority: 92 },
+    { pattern: 'SAMLResponse', type: 'saml', priority: 88 },
+    // Clerk
+    { pattern: 'clerkMiddleware', type: 'clerk', priority: 88 },
+    { pattern: 'currentUser', type: 'clerk', priority: 70 },
     // JWT / Bearer
     { pattern: 'jwt.verify', type: 'bearer', header: 'Authorization', scheme: 'Bearer', priority: 70 },
     { pattern: 'jsonwebtoken', type: 'bearer', header: 'Authorization', scheme: 'Bearer', priority: 70 },
@@ -61,6 +76,25 @@ const AUTH_SIGNALS = [
     { pattern: 'authorization.split', type: 'bearer', header: 'Authorization', scheme: 'Bearer', priority: 70 },
     { pattern: "headers.get('authorization')", type: 'bearer', header: 'Authorization', scheme: 'Bearer', priority: 65 },
     { pattern: "req.headers.authorization", type: 'bearer', header: 'Authorization', scheme: 'Bearer', priority: 65 },
+    // Privy
+    { pattern: '@privy-io/react-auth', type: 'privy', priority: 85 },
+    { pattern: 'usePrivy', type: 'privy', priority: 85 },
+    { pattern: 'PrivyProvider', type: 'privy', priority: 85 },
+    // Dynamic
+    { pattern: '@dynamic-labs/sdk-react-core', type: 'dynamic', priority: 85 },
+    { pattern: 'DynamicContextProvider', type: 'dynamic', priority: 85 },
+    { pattern: 'useDynamicContext', type: 'dynamic', priority: 80 },
+    // Magic
+    { pattern: 'magic-sdk', type: 'magic', priority: 80 },
+    { pattern: '@magic-sdk', type: 'magic', priority: 80 },
+    { pattern: 'new Magic(', type: 'magic', priority: 80 },
+    // Passkey / WebAuthn
+    { pattern: '@simplewebauthn/browser', type: 'passkey', priority: 78 },
+    { pattern: 'startAuthentication', type: 'passkey', priority: 78 },
+    { pattern: 'startRegistration', type: 'passkey', priority: 78 },
+    { pattern: 'navigator.credentials.create', type: 'passkey', priority: 75 },
+    // Supabase
+    { pattern: 'supabase.auth', type: 'supabase', priority: 75 },
     // API key
     { pattern: "'x-api-key'", type: 'api-key', header: 'X-API-Key', priority: 60 },
     { pattern: '"x-api-key"', type: 'api-key', header: 'X-API-Key', priority: 60 },
@@ -80,6 +114,7 @@ const AUTH_SIGNALS = [
 ];
 class AuthDetector {
     best = null;
+    _flowInferrer = new AuthFlowInferrer();
     scanContent(content) {
         for (const signal of AUTH_SIGNALS) {
             if (content.includes(signal.pattern)) {
@@ -88,6 +123,7 @@ class AuthDetector {
                 }
             }
         }
+        this._flowInferrer.addContent(content);
     }
     /** Read package.json to detect auth libraries in dependencies */
     readPackageJson(projectPath) {
@@ -99,8 +135,24 @@ class AuthDetector {
             const deps = { ...pkg.dependencies, ...pkg.devDependencies };
             if (deps['next-auth'] || deps['@auth/core'])
                 this.applySignal({ pattern: 'next-auth', type: 'oauth2', priority: 90 });
+            if (deps['@farcaster/auth-kit'])
+                this.applySignal({ pattern: 'farcaster-siwf', type: 'farcaster-siwf', priority: 98 });
+            if (deps['siwe'])
+                this.applySignal({ pattern: 'siwe', type: 'siwe', priority: 95 });
+            if (deps['samlify'] || deps['passport-saml'])
+                this.applySignal({ pattern: 'saml', type: 'saml', priority: 92 });
             if (deps['@clerk/nextjs'] || deps['@clerk/clerk-sdk-node'])
-                this.applySignal({ pattern: 'clerk', type: 'bearer', header: 'Authorization', scheme: 'Bearer', priority: 88 });
+                this.applySignal({ pattern: 'clerk', type: 'clerk', priority: 88 });
+            if (deps['@privy-io/react-auth'])
+                this.applySignal({ pattern: 'privy', type: 'privy', priority: 85 });
+            if (deps['@dynamic-labs/sdk-react-core'])
+                this.applySignal({ pattern: 'dynamic', type: 'dynamic', priority: 85 });
+            if (deps['magic-sdk'] || deps['@magic-sdk/admin'])
+                this.applySignal({ pattern: 'magic', type: 'magic', priority: 80 });
+            if (deps['@simplewebauthn/browser'])
+                this.applySignal({ pattern: 'passkey', type: 'passkey', priority: 78 });
+            if (deps['@supabase/supabase-js'])
+                this.applySignal({ pattern: 'supabase', type: 'supabase', priority: 75 });
             if (deps['jsonwebtoken'] || deps['jose'])
                 this.applySignal({ pattern: 'jwt', type: 'bearer', header: 'Authorization', scheme: 'Bearer', priority: 70 });
             if (deps['iron-session'])
@@ -118,14 +170,44 @@ class AuthDetector {
     getAuth() {
         if (!this.best)
             return { type: 'none' };
-        const config = { type: this.best.type };
+        const type = this.best.type;
+        const config = { type };
         if (this.best.header)
             config.header = this.best.header;
         if (this.best.scheme)
             config.scheme = this.best.scheme;
         if (this.best.queryParam)
             config.queryParam = this.best.queryParam;
-        return config;
+        const flowFields = this._flowInferrer.infer(type);
+        return { ...config, ...flowFields };
     }
 }
 exports.AuthDetector = AuthDetector;
+class AuthFlowInferrer {
+    scannedContents = [];
+    addContent(content) {
+        this.scannedContents.push(content);
+    }
+    infer(authType) {
+        const result = {};
+        for (const content of this.scannedContents) {
+            if (!result.nonceUrl && (authType === 'siwe' || authType === 'farcaster-siwf')) {
+                const m = content.match(/['"`](\/api\/auth\/nonce[^'"`\s]*)['"`]/);
+                if (m)
+                    result.nonceUrl = m[1];
+            }
+            if (!result.callbackUrl && authType === 'oauth2') {
+                const m = content.match(/['"`](\/api\/auth\/callback[^'"`\s]*)['"`]/);
+                if (m)
+                    result.callbackUrl = m[1];
+            }
+            if (!result.loginUrl) {
+                const m = content.match(/['"`](\/sign-in|\/login|\/auth\/login)['"`]/);
+                if (m)
+                    result.loginUrl = m[1];
+            }
+        }
+        return result;
+    }
+}
+exports.AuthFlowInferrer = AuthFlowInferrer;

package/dist/parser/contract-parser.js

@@ -93,10 +93,10 @@ class ContractParser {
                     abiFunction: item.name,
                     isReadOnly,
                     safety,
-                    agentSafe: (0, intent_classifier_1.deriveAgentSafe)(safety),
+                    agentSafe: (0, intent_classifier_1.deriveAgentSafe)(safety, item.name),
                     requiredAuth: (0, intent_classifier_1.inferActionAuth)({ safety, isReadOnly, type: 'contract' }),
-                    inputs: this.mapAbiInputs(item.inputs ?? []),
-                    outputs: {
+                    parameters: { properties: this.mapAbiInputs(item.inputs ?? []) },
+                    returns: {
                         type: this.mapAbiOutputs(item.outputs ?? []),
                         description: '',
                     },
@@ -172,10 +172,10 @@ class ContractParser {
                 ...(chainId !== undefined ? { chainId } : {}),
                 ...(contractAddress !== undefined ? { contractAddress } : {}),
                 safety,
-                agentSafe: (0, intent_classifier_1.deriveAgentSafe)(safety),
+                agentSafe: (0, intent_classifier_1.deriveAgentSafe)(safety, functionName),
                 requiredAuth: (0, intent_classifier_1.inferActionAuth)({ safety, isReadOnly: false, type: 'contract' }),
-                inputs: parameters,
-                outputs: { type: 'any' },
+                parameters: { properties: parameters },
+                returns: { type: 'any' },
             });
         });
         return actions;

package/dist/parser/express-parser.js

@@ -113,10 +113,10 @@ class ExpressParser {
                 location: routePath,
                 method: httpMethod,
                 safety,
-                agentSafe: (0, intent_classifier_1.deriveAgentSafe)(safety),
+                agentSafe: (0, intent_classifier_1.deriveAgentSafe)(safety, actionName),
                 requiredAuth: (0, intent_classifier_1.inferActionAuth)({ safety, httpMethod, type: 'api' }),
-                inputs: this.extractRouteParams(routePath),
-                outputs: { type: 'any' },
+                parameters: { properties: this.extractRouteParams(routePath) },
+                returns: { type: 'any' },
             });
         });
         return actions;

package/dist/parser/intent-classifier.js

@@ -9,7 +9,7 @@ const INTENT_RULES = [
     // getUsers don't have a word boundary after the verb segment. Leading \b is kept
     // to avoid matching mid-word (e.g. "undo" matching "do").
     // Game
-    { pattern: /\b(play|flip|roll|spin|bet|guess|draw|move|attack|defend|claim(?:Prize|Reward|Win))/i, intent: 'game.play' },
+    { pattern: /\b(play|flip|roll|spin|bet|guess|draw|move|make(?:Move)?|drop(?:Piece)?|attack|defend|claim(?:Prize|Reward|Win))/i, intent: 'game.play' },
     { pattern: /\b(score|leaderboard|rank|highscore)/i, intent: 'game.score' },
     { pattern: /\b(join(?:Game|Room|Lobby)|create(?:Game|Room)|start(?:Game|Round))/i, intent: 'game.join' },
     // Finance / DeFi
@@ -25,16 +25,16 @@ const INTENT_RULES = [
     { pattern: /\b(listNFT|sellNFT|listFor(?:Sale)?)/i, intent: 'nft.list' },
     { pattern: /\b(buyNFT|purchaseNFT)/i, intent: 'nft.buy' },
     { pattern: /\b(burnNFT|burn)/i, intent: 'nft.burn' },
+    // Governance (must come BEFORE Social so castVote → governance.vote, not social.cast)
+    { pattern: /\b(vote|castVote|submitVote)/i, intent: 'governance.vote' },
+    { pattern: /\b(propose|createProposal|submitProposal)/i, intent: 'governance.propose' },
+    { pattern: /\b(delegate|undelegate)/i, intent: 'governance.delegate' },
     // Social (Farcaster-native)
-    { pattern: /\b(cast|compose(?:Cast)?|post(?:Cast)?)/i, intent: 'social.cast' },
+    { pattern: /\b(cast(?!Vote)|compose(?:Cast)?|post(?:Cast)?)/i, intent: 'social.cast' },
     { pattern: /\b(follow|unfollow|subscribe)/i, intent: 'social.follow' },
     { pattern: /\b(like|react|upvote|downvote)/i, intent: 'social.react' },
     { pattern: /\b(comment|reply)/i, intent: 'social.reply' },
     { pattern: /\b(share|recast|repost)/i, intent: 'social.share' },
-    // Governance
-    { pattern: /\b(vote|castVote|submitVote)/i, intent: 'governance.vote' },
-    { pattern: /\b(propose|createProposal|submitProposal)/i, intent: 'governance.propose' },
-    { pattern: /\b(delegate|undelegate)/i, intent: 'governance.delegate' },
     // Auth
     { pattern: /\b(login|logout|signIn|signOut|connect|disconnect)/i, intent: 'auth.session' },
     { pattern: /\b(register|signup|createAccount)/i, intent: 'auth.register' },
@@ -73,7 +73,9 @@ const DESTRUCTIVE_VERBS = /\b(delete|remove|destroy|burn|archive|purge|wipe|clea
  *           updateSsn, exportPrivateKey, getMedicalRecord.
  */
 // No \b — these nouns appear anywhere in camelCase (resetPassword, submitKyc, getSsn)
-const CONFIDENTIAL_NOUNS = /(password|credential|privateKey|secretKey|biometric|ssn|taxId|pii|kyc|medicalRecord|healthRecord|passport|driverLicense|creditCard|cvv|encryptedData|identityVerif)/i;
+const CONFIDENTIAL_NOUNS = /(password|credential|privateKey|secretKey|biometric|ssn|taxId|tax_id|pii|kyc|medical|health|passport|license|creditCard|cvv|encrypted|identity|dob|birthDate|address|phone|mobile|email)/i;
+/** Verbs that imply high-privilege administrative or sensitive state changes. */
+const SENSITIVE_WRITE_VERBS = /\b(admin|role|permission|password|owner|ban|block|lock|unlock|grant|revoke|delegate|sudo|root|secret)/i;
 /**
  * Classify the safety level of an action.
  *
@@ -97,19 +99,40 @@ function classifySafety(opts) {
             return 'confidential';
         return 'write';
     }
+    // Financial and confidential always win regardless of type
     if (FINANCIAL_VERBS.test(name))
         return 'financial';
     if (CONFIDENTIAL_NOUNS.test(name))
         return 'confidential';
+    if (type === 'function' || type === 'ui') {
+        if (DESTRUCTIVE_VERBS.test(name))
+            return 'destructive';
+        // Auth functions are confidential (handle credentials)
+        if (/\b(login|logout|signIn|signOut|register|signup|createAccount)/i.test(name))
+            return 'confidential';
+        // Social/game → write
+        return 'write';
+    }
     if (httpMethod === 'GET')
         return 'read';
+    if (isReadOnly)
+        return 'read';
     if (DESTRUCTIVE_VERBS.test(name))
         return 'destructive';
     return 'write';
 }
-/** Derive agentSafe from safety level. Non-read/write levels require human confirmation. */
-function deriveAgentSafe(safety) {
-    return safety === 'read' || safety === 'write';
+/**
+ * Derive agentSafe from safety level.
+ * Only 'read' and non-sensitive 'write' actions are safe for autonomous execution.
+ */
+function deriveAgentSafe(safety, name) {
+    if (safety === 'read')
+        return true;
+    if (safety === 'write') {
+        // Narrowing: check if the write action name contains high-privilege keywords
+        return !SENSITIVE_WRITE_VERBS.test(name);
+    }
+    return false;
 }
 /**
  * Infer per-action auth requirement.
@@ -149,8 +172,10 @@ function inferActionAuth(opts) {
     if (safety === 'destructive') {
         return { required: 'required' };
     }
-    // Read-only GET on a public (no-auth) app → public
-    if (httpMethod === 'GET' && safety === 'read' && (appAuthType === 'none' || !appAuthType)) {
+    // No-auth app → read and write actions are public (non-contract only).
+    // Financial/confidential/destructive retain their required auth even on no-auth apps
+    // (those actions handle money or PII and should always require confirmation).
+    if (type !== 'contract' && (appAuthType === 'none' || !appAuthType) && (safety === 'read' || safety === 'write')) {
         return { required: 'public' };
     }
     return { required: 'required' };