agentcash 0.8.1 → 0.8.3

package/dist/cjs/run-server.cjs

@@ -3010,7 +3010,7 @@ var require_compile = __commonJS({
       }
     }
     exports2.compileSchema = compileSchema;
-    function resolveRef3(root, baseId, ref) {
+    function resolveRef2(root, baseId, ref) {
       var _a2;
       ref = (0, resolve_1.resolveUrl)(this.opts.uriResolver, baseId, ref);
       const schOrFunc = root.refs[ref];
@@ -3027,7 +3027,7 @@ var require_compile = __commonJS({
         return;
       return root.refs[ref] = inlineOrCompile.call(this, _sch);
     }
-    exports2.resolveRef = resolveRef3;
+    exports2.resolveRef = resolveRef2;
     function inlineOrCompile(sch) {
       if ((0, resolve_1.inlineRef)(sch.schema, this.opts.inlineRefs))
         return sch.schema;
@@ -6860,12 +6860,12 @@ var require_dist = __commonJS({
         throw new Error(`Unknown format "${name}"`);
       return f;
     };
-    function addFormats(ajv, list2, fs10, exportName) {
+    function addFormats(ajv, list2, fs11, exportName) {
       var _a2;
       var _b;
       (_a2 = (_b = ajv.opts.code).formats) !== null && _a2 !== void 0 ? _a2 : _b.formats = (0, codegen_1._)`require("ajv-formats/dist/formats").${exportName}`;
       for (const f of list2)
-        ajv.addFormat(f, fs10[f]);
+        ajv.addFormat(f, fs11[f]);
     }
     module2.exports = exports2 = formatsPlugin;
     Object.defineProperty(exports2, "__esModule", { value: true });
@@ -47364,7 +47364,7 @@ var require_node_gyp_build = __commonJS({
   "../../../node_modules/.pnpm/node-gyp-build@4.8.4/node_modules/node-gyp-build/node-gyp-build.js"(exports2, module2) {
     "use strict";
     init_cjs_shims();
-    var fs10 = require("fs");
+    var fs11 = require("fs");
     var path2 = require("path");
     var os2 = require("os");
     var runtimeRequire = typeof __webpack_require__ === "function" ? __non_webpack_require__ : require;
@@ -47425,7 +47425,7 @@ var require_node_gyp_build = __commonJS({
     };
     function readdirSync2(dir) {
       try {
-        return fs10.readdirSync(dir);
+        return fs11.readdirSync(dir);
       } catch (err3) {
         return [];
       }
@@ -47519,7 +47519,7 @@ var require_node_gyp_build = __commonJS({
       return typeof window !== "undefined" && window.process && window.process.type === "renderer";
     }
     function isAlpine(platform3) {
-      return platform3 === "linux" && fs10.existsSync("/etc/alpine-release");
+      return platform3 === "linux" && fs11.existsSync("/etc/alpine-release");
     }
     load.parseTags = parseTags;
     load.matchTags = matchTags;
@@ -64749,13 +64749,202 @@ var require_content_type = __commonJS({
   }
 });
 
+// ../../../node_modules/.pnpm/dereference-json-schema@0.2.2/node_modules/dereference-json-schema/types.js
+var require_types3 = __commonJS({
+  "../../../node_modules/.pnpm/dereference-json-schema@0.2.2/node_modules/dereference-json-schema/types.js"(exports2) {
+    "use strict";
+    init_cjs_shims();
+    Object.defineProperty(exports2, "__esModule", {
+      value: true
+    });
+  }
+});
+
+// ../../../node_modules/.pnpm/dereference-json-schema@0.2.2/node_modules/dereference-json-schema/klona.js
+var require_klona = __commonJS({
+  "../../../node_modules/.pnpm/dereference-json-schema@0.2.2/node_modules/dereference-json-schema/klona.js"(exports2) {
+    "use strict";
+    init_cjs_shims();
+    Object.defineProperty(exports2, "__esModule", {
+      value: true
+    });
+    Object.defineProperty(exports2, "klona", {
+      enumerable: true,
+      get: function() {
+        return klona;
+      }
+    });
+    function klona(val, seen) {
+      if (!seen) seen = /* @__PURE__ */ new Map();
+      var index2, out, tmp;
+      if (Array.isArray(val)) {
+        if (seen.has(val)) return seen.get(val);
+        out = Array(index2 = val.length);
+        seen.set(val, out);
+        while (index2--) out[index2] = (tmp = val[index2]) && typeof tmp === "object" ? klona(tmp, seen) : tmp;
+        return out;
+      }
+      if (Object.prototype.toString.call(val) === "[object Object]") {
+        if (seen.has(val)) return seen.get(val);
+        out = {};
+        seen.set(val, out);
+        for (index2 in val) {
+          if (index2 === "__proto__") {
+            Object.defineProperty(out, index2, {
+              value: klona(val[index2], seen),
+              configurable: true,
+              enumerable: true,
+              writable: true
+            });
+          } else {
+            out[index2] = (tmp = val[index2]) && typeof tmp === "object" ? klona(tmp, seen) : tmp;
+          }
+        }
+        return out;
+      }
+      return val;
+    }
+  }
+});
+
+// ../../../node_modules/.pnpm/dereference-json-schema@0.2.2/node_modules/dereference-json-schema/resolveRef.js
+var require_resolveRef = __commonJS({
+  "../../../node_modules/.pnpm/dereference-json-schema@0.2.2/node_modules/dereference-json-schema/resolveRef.js"(exports2) {
+    "use strict";
+    init_cjs_shims();
+    Object.defineProperty(exports2, "__esModule", {
+      value: true
+    });
+    Object.defineProperty(exports2, "resolveRefSync", {
+      enumerable: true,
+      get: function() {
+        return resolveRefSync2;
+      }
+    });
+    var cache = /* @__PURE__ */ new Map();
+    var resolveRefSync2 = function(schema, ref) {
+      if (!cache.has(schema)) {
+        cache.set(schema, /* @__PURE__ */ new Map());
+      }
+      var schemaCache = cache.get(schema);
+      if (schemaCache.has(ref)) {
+        return schemaCache.get(ref);
+      }
+      var path2 = ref.split("/").slice(1);
+      var current = schema;
+      var _iteratorNormalCompletion = true, _didIteratorError = false, _iteratorError = void 0;
+      try {
+        for (var _iterator = path2[Symbol.iterator](), _step; !(_iteratorNormalCompletion = (_step = _iterator.next()).done); _iteratorNormalCompletion = true) {
+          var segment = _step.value;
+          if (!current || typeof current !== "object") {
+            current = null;
+          }
+          var _current_segment;
+          current = (_current_segment = current[segment]) !== null && _current_segment !== void 0 ? _current_segment : null;
+        }
+      } catch (err3) {
+        _didIteratorError = true;
+        _iteratorError = err3;
+      } finally {
+        try {
+          if (!_iteratorNormalCompletion && _iterator.return != null) {
+            _iterator.return();
+          }
+        } finally {
+          if (_didIteratorError) {
+            throw _iteratorError;
+          }
+        }
+      }
+      schemaCache.set(ref, current);
+      return current;
+    };
+  }
+});
+
+// ../../../node_modules/.pnpm/dereference-json-schema@0.2.2/node_modules/dereference-json-schema/dereference.js
+var require_dereference = __commonJS({
+  "../../../node_modules/.pnpm/dereference-json-schema@0.2.2/node_modules/dereference-json-schema/dereference.js"(exports2) {
+    "use strict";
+    init_cjs_shims();
+    Object.defineProperty(exports2, "__esModule", {
+      value: true
+    });
+    Object.defineProperty(exports2, "dereferenceSync", {
+      enumerable: true,
+      get: function() {
+        return dereferenceSync;
+      }
+    });
+    var _klona = require_klona();
+    var _resolveRef = require_resolveRef();
+    var cache = /* @__PURE__ */ new Map();
+    var dereferenceSync = function(schema) {
+      if (cache.has(schema)) {
+        return cache.get(schema);
+      }
+      var visitedNodes = /* @__PURE__ */ new Set();
+      var cloned = (0, _klona.klona)(schema);
+      var resolve2 = function(current, path2) {
+        if (typeof current === "object" && current !== null) {
+          if (visitedNodes.has(current)) {
+            return current;
+          }
+          visitedNodes.add(current);
+          if (Array.isArray(current)) {
+            for (var index2 = 0; index2 < current.length; index2++) {
+              current[index2] = resolve2(current[index2], "".concat(path2, "/").concat(index2));
+            }
+          } else {
+            if ("$ref" in current && typeof current["$ref"] === "string") {
+              return (0, _resolveRef.resolveRefSync)(cloned, current["$ref"]);
+            }
+            for (var key in current) {
+              current[key] = resolve2(current[key], "".concat(path2, "/").concat(key));
+            }
+          }
+        }
+        return current;
+      };
+      var result = resolve2(cloned, "#");
+      cache.set(schema, result);
+      return result;
+    };
+  }
+});
+
+// ../../../node_modules/.pnpm/dereference-json-schema@0.2.2/node_modules/dereference-json-schema/index.js
+var require_dereference_json_schema = __commonJS({
+  "../../../node_modules/.pnpm/dereference-json-schema@0.2.2/node_modules/dereference-json-schema/index.js"(exports2) {
+    "use strict";
+    init_cjs_shims();
+    Object.defineProperty(exports2, "__esModule", {
+      value: true
+    });
+    _exportStar(require_types3(), exports2);
+    _exportStar(require_dereference(), exports2);
+    _exportStar(require_resolveRef(), exports2);
+    function _exportStar(from25, to2) {
+      Object.keys(from25).forEach(function(k) {
+        if (k !== "default" && !Object.prototype.hasOwnProperty.call(to2, k)) Object.defineProperty(to2, k, {
+          enumerable: true,
+          get: function() {
+            return from25[k];
+          }
+        });
+      });
+      return from25;
+    }
+  }
+});
+
 // src/run-server.ts
 init_cjs_shims();
 
 // src/shared/log.ts
 init_cjs_shims();
 
-// ../../internal/neverthrow/dist/index.js
+// ../../internal/neverthrow/src/index.ts
 init_cjs_shims();
 
 // ../../../node_modules/.pnpm/neverthrow@8.2.0/node_modules/neverthrow/dist/index.es.js
@@ -65238,7 +65427,7 @@ var Err = class {
 };
 var fromThrowable = Result.fromThrowable;
 
-// ../../internal/neverthrow/dist/index.js
+// ../../internal/neverthrow/src/index.ts
 function resultFromPromise(type4, surface2, promise3, error48) {
   return ResultAsync.fromPromise(promise3, (e) => ({
     ...error48(e),
@@ -113816,13 +114005,13 @@ var import_path2 = require("path");
 var import_url = require("url");
 function getVersion2() {
   if (true) {
-    return "0.8.1";
+    return "0.8.3";
   }
   const __dirname3 = (0, import_path2.dirname)((0, import_url.fileURLToPath)(importMetaUrl));
-  const pkg = JSON.parse(
+  const pkg2 = JSON.parse(
     (0, import_fs3.readFileSync)((0, import_path2.join)(__dirname3, "../../package.json"), "utf-8")
   );
-  return pkg.version;
+  return pkg2.version;
 }
 var MCP_VERSION = getVersion2();
 var DIST_TAG = MCP_VERSION.includes("-beta") ? "beta" : "latest";
@@ -113979,7 +114168,7 @@ var TEMPO_TOKEN_ADDRESS = "0x20c0000000000000000000000000000000000000";
 
 // src/shared/mpp-enabled.ts
 init_cjs_shims();
-var isMppEnabled = () => "0.8.1".includes("-mpp");
+var isMppEnabled = () => "0.8.3".includes("-mpp");
 
 // src/shared/operations/fetch-with-payment.ts
 init_cjs_shims();
@@ -114848,9 +115037,35 @@ async function getTempoBalance({
   };
 }
 
+// src/shared/settings.ts
+init_cjs_shims();
+var import_fs4 = __toESM(require("fs"), 1);
+var SETTINGS_FILE = configFile("settings.json");
+var settingsSchema = zod_default.looseObject({
+  maxAmount: zod_default.number().positive()
+}).partial();
+var getSettings = () => {
+  if (!import_fs4.default.existsSync(SETTINGS_FILE)) {
+    return {};
+  }
+  const content = import_fs4.default.readFileSync(SETTINGS_FILE, "utf-8");
+  const result = settingsSchema.safeParse(JSON.parse(content));
+  if (!result.success) {
+    return {};
+  }
+  return result.data;
+};
+var setSettings = (settings) => {
+  const existing = getSettings();
+  const newSettings = settingsSchema.parse({ ...existing, ...settings });
+  import_fs4.default.writeFileSync(SETTINGS_FILE, JSON.stringify(newSettings, null, 2));
+};
+
 // src/shared/operations/fetch-with-payment.ts
+var DEFAULT_MAX_AMOUNT = 5;
 function createFetchWithPayment(options) {
-  const { surface: surface2, clients, paymentMethod, beforePayment, timeout } = options;
+  const { surface: surface2, clients, paymentMethod, beforePayment, timeout, maxAmount } = options;
+  const effectiveMaxAmount = maxAmount ?? getSettings().maxAmount ?? DEFAULT_MAX_AMOUNT;
   return async (request) => {
     const clonedRequest = request.clone();
     const fallbackRequest = request.clone();
@@ -114866,7 +115081,13 @@ function createFetchWithPayment(options) {
     const response = probeResult.value;
     if (paymentMethod !== "auto") {
       if (paymentMethod === "mpp") {
-        return handleMppPayment(surface2, response, clonedRequest, options);
+        return handleMppPayment(
+          surface2,
+          response,
+          clonedRequest,
+          options,
+          effectiveMaxAmount
+        );
       }
       return handleX402Payment(
         surface2,
@@ -114874,7 +115095,8 @@ function createFetchWithPayment(options) {
         clonedRequest,
         clients.x402,
         beforePayment,
-        timeout
+        timeout,
+        effectiveMaxAmount
       );
     }
     const available = detectPaymentProtocols(response);
@@ -114885,22 +115107,36 @@ function createFetchWithPayment(options) {
       preferred = await pickByBalance(surface2, response, options);
     }
     const fallback = available.length > 1 ? preferred === "mpp" ? "x402" : "mpp" : null;
-    const result = preferred === "mpp" ? await handleMppPayment(surface2, response, clonedRequest, options) : await handleX402Payment(
+    const result = preferred === "mpp" ? await handleMppPayment(
+      surface2,
+      response,
+      clonedRequest,
+      options,
+      effectiveMaxAmount
+    ) : await handleX402Payment(
       surface2,
       response,
       clonedRequest,
       clients.x402,
       beforePayment,
-      timeout
+      timeout,
+      effectiveMaxAmount
     );
     if (result.isErr() && fallback) {
-      return fallback === "mpp" ? handleMppPayment(surface2, response, fallbackRequest, options) : handleX402Payment(
+      return fallback === "mpp" ? handleMppPayment(
+        surface2,
+        response,
+        fallbackRequest,
+        options,
+        effectiveMaxAmount
+      ) : handleX402Payment(
         surface2,
         response,
         fallbackRequest,
         clients.x402,
         beforePayment,
-        timeout
+        timeout,
+        effectiveMaxAmount
       );
     }
     return result;
@@ -114952,7 +115188,7 @@ async function pickByBalance(surface2, response, options) {
   log.info(`Protocol selection \u2014 x402: $${x402Balance}, mpp: $${mppBalance}`);
   return x402Balance >= mppBalance ? "x402" : "mpp";
 }
-async function handleX402Payment(surface2, response, clonedRequest, client, beforePayment, timeout) {
+async function handleX402Payment(surface2, response, clonedRequest, client, beforePayment, timeout, maxAmount) {
   const paymentRequiredResult = await safeGetPaymentRequired(
     surface2,
     client,
@@ -114962,8 +115198,17 @@ async function handleX402Payment(surface2, response, clonedRequest, client, befo
     return paymentRequiredResult;
   }
   const paymentRequired = paymentRequiredResult.value;
+  const accept = paymentRequired.accepts[0];
+  if (accept) {
+    const amount2 = tokenStringToNumber(accept.amount);
+    if (amount2 > maxAmount) {
+      return x402Err(surface2, {
+        cause: "payment_already_attempted",
+        message: `Endpoint requested $${amount2} which exceeds the maximum allowed amount of $${maxAmount}. Pass a higher maxAmount on this call, or use update_settings to raise the default permanently.`
+      });
+    }
+  }
   if (beforePayment) {
-    const accept = paymentRequired.accepts[0];
     if (accept) {
       const amount2 = tokenStringToNumber(accept.amount);
       const hookResult = await resultFromPromise(
@@ -115036,7 +115281,7 @@ async function handleX402Payment(surface2, response, clonedRequest, client, befo
     }
   );
 }
-async function handleMppPayment(surface2, response, clonedRequest, options) {
+async function handleMppPayment(surface2, response, clonedRequest, options, maxAmount) {
   const { clients, beforePayment, timeout } = options;
   const mppxClient = clients.mpp;
   if (clonedRequest.headers.has("Authorization")) {
@@ -115053,6 +115298,15 @@ async function handleMppPayment(surface2, response, clonedRequest, options) {
   const amount2 = challenge2.request.amount;
   const decimals2 = challenge2.request.decimals ?? 6;
   const currency2 = challenge2.request.currency;
+  if (amount2) {
+    const numericAmount = Number(formatUnits(BigInt(amount2), decimals2));
+    if (numericAmount > maxAmount) {
+      return mppErr(surface2, {
+        cause: "mpp_payment_already_attempted",
+        message: `Endpoint requested $${numericAmount} which exceeds the maximum allowed amount of $${maxAmount}. Pass a higher maxAmount on this call, or use update_settings to raise the default permanently.`
+      });
+    }
+  }
   if (beforePayment && amount2 && currency2) {
     const numericAmount = Number(formatUnits(BigInt(amount2), decimals2));
     const hookResult = await resultFromPromise(
@@ -115393,6 +115647,12 @@ ${PRIMARY_ORIGINS.flatMap((o) => ORIGIN_METADATA[o] ? [`  ${o} \u2014 ${ORIGIN_M
   reportError: {
     mcp: `EMERGENCY ONLY. Report critical MCP tool bugs. Do NOT use for normal errors (balance, network, 4xx) \u2014 those are recoverable.`,
     cli: `Report a critical bug to the agentcash team (emergency only). Do NOT use for normal errors like low balance, network timeouts, or 4xx responses \u2014 those are recoverable without filing a report.`
+  },
+  updateSettings: {
+    mcp: `Update user settings (persisted to ~/.agentcash/settings.json). Currently supports maxAmount \u2014 the maximum USD amount allowed per fetch request. If a fetch response requests more than this, the payment is rejected. Returns the current settings after applying changes.`
+  },
+  getSettings: {
+    mcp: `Get current user settings. Returns persisted values from ~/.agentcash/settings.json with defaults applied.`
   }
 };
 var WORKFLOW = [
@@ -115429,7 +115689,8 @@ var REQUEST_PARAMS = {
 };
 var TOOL_PARAMS = {
   fetch: {
-    paymentMethod: "Payment protocol to use. Defaults to auto-detect."
+    paymentMethod: "Payment protocol to use. Defaults to auto-detect.",
+    maxAmount: "Maximum amount (in USD) to pay per request. Aborts if the endpoint requests more. Defaults to $5. Pass a higher value for known-expensive endpoints."
   },
   checkEndpointSchema: {
     url: "Full URL of the endpoint to inspect",
@@ -115594,7 +115855,8 @@ Insufficient Tempo balance for this payment.`
 var toolName = "fetch";
 var paymentMethodEnum = isMppEnabled() ? external_exports3.enum(["x402", "mpp", "auto"]) : external_exports3.enum(["x402", "auto"]);
 var fetchInputSchema = requestSchema.extend({
-  paymentMethod: paymentMethodEnum.default("auto").optional().describe(TOOL_PARAMS.fetch.paymentMethod)
+  paymentMethod: paymentMethodEnum.default("auto").optional().describe(TOOL_PARAMS.fetch.paymentMethod),
+  maxAmount: external_exports3.number().positive().optional().describe(TOOL_PARAMS.fetch.maxAmount)
 });
 var registerFetchTool = ({
   server,
@@ -115682,7 +115944,8 @@ var registerFetchTool = ({
         account,
         flags,
         beforePayment,
-        timeout: input.timeout ?? DEFAULT_USER_FETCH_TIMEOUT
+        timeout: input.timeout ?? DEFAULT_USER_FETCH_TIMEOUT,
+        maxAmount: input.maxAmount
       })(request);
       if (fetchResult.isErr()) {
         return mcpError(fetchResult);
@@ -115845,18 +116108,18 @@ init_cjs_shims();
 
 // src/shared/state.ts
 init_cjs_shims();
-var import_fs4 = __toESM(require("fs"), 1);
+var import_fs6 = __toESM(require("fs"), 1);
 var STATE_FILE = configFile("state.json");
 var stateSchema = zod_default.looseObject({
   redeemedCodes: zod_default.array(zod_default.string())
 }).partial();
 var getState = () => {
-  const stateFileExists = import_fs4.default.existsSync(STATE_FILE);
+  const stateFileExists = import_fs6.default.existsSync(STATE_FILE);
   if (!stateFileExists) {
-    import_fs4.default.writeFileSync(STATE_FILE, "{}");
+    import_fs6.default.writeFileSync(STATE_FILE, "{}");
     return {};
   }
-  const stateFileContent = import_fs4.default.readFileSync(STATE_FILE, "utf-8");
+  const stateFileContent = import_fs6.default.readFileSync(STATE_FILE, "utf-8");
   const result = stateSchema.safeParse(JSON.parse(stateFileContent));
   if (!result.success) {
     return {};
@@ -115866,7 +116129,7 @@ var getState = () => {
 var setState = (state) => {
   const existing = getState();
   const newState = stateSchema.parse({ ...existing, ...state });
-  import_fs4.default.writeFileSync(STATE_FILE, JSON.stringify(newState, null, 2));
+  import_fs6.default.writeFileSync(STATE_FILE, JSON.stringify(newState, null, 2));
 };
 
 // src/shared/operations/onboarding-cta.ts
@@ -115983,8 +116246,9 @@ init_cjs_shims();
 // src/shared/operations/check-endpoint.ts
 init_cjs_shims();
 
-// ../../../node_modules/.pnpm/@agentcash+discovery@1.0.1/node_modules/@agentcash/discovery/dist/index.js
+// ../../../node_modules/.pnpm/@agentcash+discovery@1.1.0/node_modules/@agentcash/discovery/dist/index.js
 init_cjs_shims();
+var import_dereference_json_schema = __toESM(require_dereference_json_schema(), 1);
 
 // ../../../node_modules/.pnpm/@x402+core@2.6.0/node_modules/@x402/core/dist/esm/schemas/index.mjs
 init_cjs_shims();
@@ -116062,7 +116326,7 @@ var PaymentPayloadSchema = external_exports4.discriminatedUnion("x402Version", [
   PaymentPayloadV2Schema
 ]);
 
-// ../../../node_modules/.pnpm/@agentcash+discovery@1.0.1/node_modules/@agentcash/discovery/dist/index.js
+// ../../../node_modules/.pnpm/@agentcash+discovery@1.1.0/node_modules/@agentcash/discovery/dist/index.js
 var OpenApiPaymentInfoSchema = external_exports3.object({
   pricingMode: external_exports3.enum(["fixed", "range", "quote"]),
   price: external_exports3.string().optional(),
@@ -116110,6 +116374,7 @@ var OpenApiDocSchema = external_exports3.object({
     description: external_exports3.string().optional(),
     guidance: external_exports3.string().optional()
   }),
+  security: external_exports3.array(external_exports3.record(external_exports3.string(), external_exports3.array(external_exports3.string()))).optional(),
   servers: external_exports3.array(external_exports3.object({ url: external_exports3.string() })).optional(),
   tags: external_exports3.array(external_exports3.object({ name: external_exports3.string() })).optional(),
   components: external_exports3.object({ securitySchemes: external_exports3.record(external_exports3.string(), external_exports3.unknown()).optional() }).optional(),
@@ -116137,20 +116402,31 @@ var WellKnownParsedSchema = external_exports3.object({
 function isRecord(value) {
   return value !== null && typeof value === "object" && !Array.isArray(value);
 }
-function hasSecurity(operation, scheme) {
-  return operation.security?.some((s) => scheme in s) ?? false;
-}
-function has402Response(operation) {
-  return Boolean(operation.responses?.["402"]);
+function resolveSecurityFlags(requirements, securitySchemes) {
+  let hasApiKey = false;
+  let hasSiwx = false;
+  for (const requirement of requirements) {
+    for (const schemeName of Object.keys(requirement)) {
+      if (schemeName === "siwx") {
+        hasSiwx = true;
+        continue;
+      }
+      if (schemeName === "apiKey") {
+        hasApiKey = true;
+        continue;
+      }
+      const def = securitySchemes[schemeName];
+      if (isRecord(def) && def["type"] === "apiKey") hasApiKey = true;
+    }
+  }
+  return { hasApiKey, hasSiwx };
 }
-function inferAuthMode(operation) {
+function inferAuthMode(operation, globalSecurity, securitySchemes) {
   const hasXPaymentInfo = Boolean(operation["x-payment-info"]);
-  const hasPayment = hasXPaymentInfo || has402Response(operation);
-  const hasApiKey = hasSecurity(operation, "apiKey");
-  const hasSiwx = hasSecurity(operation, "siwx");
-  if (hasPayment && hasApiKey) return "apiKey+paid";
+  const effectiveSecurity = operation.security !== void 0 && operation.security.length > 0 ? operation.security : globalSecurity ?? [];
+  const { hasApiKey, hasSiwx } = resolveSecurityFlags(effectiveSecurity, securitySchemes ?? {});
+  if (hasXPaymentInfo && hasApiKey) return "apiKey+paid";
   if (hasXPaymentInfo) return "paid";
-  if (hasPayment) return hasSiwx ? "siwx" : "paid";
   if (hasApiKey) return "apiKey";
   if (hasSiwx) return "siwx";
   return void 0;
@@ -116166,10 +116442,12 @@ var HTTP_METHODS = /* @__PURE__ */ new Set([
   "TRACE"
 ]);
 var DEFAULT_MISSING_METHOD = "POST";
-function normalizeOrigin(target) {
+function ensureProtocol(target) {
   const trimmed = target.trim();
-  const withProtocol = /^https?:\/\//i.test(trimmed) ? trimmed : `https://${trimmed}`;
-  const url3 = new URL(withProtocol);
+  return /^https?:\/\//i.test(trimmed) ? trimmed : `https://${trimmed}`;
+}
+function normalizeOrigin(target) {
+  const url3 = new URL(ensureProtocol(target));
   url3.pathname = "";
   url3.search = "";
   url3.hash = "";
@@ -116203,22 +116481,20 @@ function toFetchError(err3) {
 function fetchSafe(url3, init) {
   return ResultAsync.fromPromise(fetch(url3, init), toFetchError);
 }
-var isMmmEnabled = () => "1.0.1".includes("-mmm");
+var isMmmEnabled = () => "1.1.0".includes("-mmm");
 var OpenApiParsedSchema = OpenApiDocSchema.transform((doc) => {
   const routes = [];
   for (const [rawPath, pathItem] of Object.entries(doc.paths)) {
     for (const httpMethod of [...HTTP_METHODS]) {
       const operation = pathItem[httpMethod.toLowerCase()];
       if (!operation) continue;
-      const authMode = inferAuthMode(operation) ?? void 0;
+      const authMode = inferAuthMode(operation, doc.security, doc.components?.securitySchemes) ?? void 0;
       if (!authMode) continue;
       const p = operation["x-payment-info"];
       const protocols = (p?.protocols ?? []).filter(
         (proto) => proto !== "mpp" || isMmmEnabled()
       );
-      if ((authMode === "paid" || authMode === "siwx") && !has402Response(operation)) continue;
-      if (authMode === "paid" && protocols.length === 0) continue;
-      const pricing = authMode === "paid" && p ? {
+      const pricing = (authMode === "paid" || authMode === "apiKey+paid") && p ? {
         pricingMode: p.pricingMode,
         ...p.price ? { price: p.price } : {},
         ...p.minPrice ? { minPrice: p.minPrice } : {},
@@ -116681,53 +116957,29 @@ function extractPaymentOptions4(wwwAuthenticate) {
   }
   return options;
 }
-function findMatchingOpenApiPath(paths, targetPath) {
-  const exact = paths[targetPath];
-  if (isRecord(exact)) return { matchedPath: targetPath, pathItem: exact };
-  for (const [specPath, entry] of Object.entries(paths)) {
-    if (!isRecord(entry)) continue;
-    const pattern = specPath.replace(/\{[^}]+\}/g, "[^/]+");
-    const regex = new RegExp(`^${pattern}$`);
-    if (regex.test(targetPath)) {
-      return { matchedPath: specPath, pathItem: entry };
-    }
-  }
-  return null;
-}
-function resolveRef2(document2, ref, seen) {
-  if (!ref.startsWith("#/")) return void 0;
-  if (seen.has(ref)) return { $circular: ref };
-  seen.add(ref);
-  const parts = ref.slice(2).split("/");
-  let current = document2;
-  for (const part of parts) {
-    if (!isRecord(current)) return void 0;
-    current = current[part];
-    if (current === void 0) return void 0;
-  }
-  if (isRecord(current)) return resolveRefs(document2, current, seen);
-  return current;
+var { resolveRefSync } = import_dereference_json_schema.default;
+function isRecord2(value) {
+  return value !== null && typeof value === "object" && !Array.isArray(value);
 }
-function resolveRefs(document2, obj, seen, depth = 0) {
-  if (depth > 4) return obj;
+function deepResolveRefs(document2, obj) {
   const resolved = {};
   for (const [key, value] of Object.entries(obj)) {
     if (key === "$ref" && typeof value === "string") {
-      const deref = resolveRef2(document2, value, seen);
-      if (isRecord(deref)) {
-        Object.assign(resolved, deref);
+      const deref = resolveRefSync(document2, value);
+      if (isRecord2(deref)) {
+        Object.assign(resolved, deepResolveRefs(document2, deref));
       } else {
         resolved[key] = value;
       }
       continue;
     }
-    if (isRecord(value)) {
-      resolved[key] = resolveRefs(document2, value, seen, depth + 1);
+    if (isRecord2(value)) {
+      resolved[key] = deepResolveRefs(document2, value);
       continue;
     }
     if (Array.isArray(value)) {
       resolved[key] = value.map(
-        (item) => isRecord(item) ? resolveRefs(document2, item, seen, depth + 1) : item
+        (item) => isRecord2(item) ? deepResolveRefs(document2, item) : item
       );
       continue;
     }
@@ -116735,6 +116987,22 @@ function resolveRefs(document2, obj, seen, depth = 0) {
   }
   return resolved;
 }
+function resolveRefs(obj, document2) {
+  return deepResolveRefs(document2, obj);
+}
+function findMatchingOpenApiPath(paths, targetPath) {
+  const exact = paths[targetPath];
+  if (isRecord(exact)) return { matchedPath: targetPath, pathItem: exact };
+  for (const [specPath, entry] of Object.entries(paths)) {
+    if (!isRecord(entry)) continue;
+    const pattern = specPath.replace(/\{[^}]+\}/g, "[^/]+");
+    const regex = new RegExp(`^${pattern}$`);
+    if (regex.test(targetPath)) {
+      return { matchedPath: specPath, pathItem: entry };
+    }
+  }
+  return null;
+}
 function extractRequestBodySchema(operationSchema) {
   const requestBody = operationSchema.requestBody;
   if (!isRecord(requestBody)) return void 0;
@@ -116814,7 +117082,7 @@ function getL3ForOpenAPI(openApi, path2, method) {
   if (!matched) return null;
   const operation = matched.pathItem[method.toLowerCase()];
   if (!isRecord(operation)) return null;
-  const resolvedOperation = resolveRefs(document2, operation, /* @__PURE__ */ new Set());
+  const resolvedOperation = resolveRefs(operation, document2);
   const summary = typeof resolvedOperation.summary === "string" ? resolvedOperation.summary : typeof resolvedOperation.description === "string" ? resolvedOperation.description : void 0;
   return {
     source: "openapi",
@@ -116858,12 +117126,12 @@ function getAdvisoriesForProbe(probe, path2) {
   });
 }
 async function checkEndpointSchema(options) {
-  const endpoint = new URL(options.url);
+  const endpoint = new URL(ensureProtocol(options.url));
   const origin = normalizeOrigin(endpoint.origin);
   const path2 = normalizePath(endpoint.pathname || "/");
   if (options.sampleInputBody !== void 0) {
     const probeResult2 = await getProbe(
-      options.url,
+      endpoint.href,
       options.headers,
       options.signal,
       options.sampleInputBody
@@ -116888,7 +117156,7 @@ async function checkEndpointSchema(options) {
     if (advisories2.length > 0) return { found: true, origin, path: path2, advisories: advisories2 };
     return { found: false, origin, path: path2, cause: "not_found" };
   }
-  const probeResult = await getProbe(options.url, options.headers, options.signal);
+  const probeResult = await getProbe(endpoint.href, options.headers, options.signal);
   if (probeResult.isErr()) {
     return {
       found: false,
@@ -117313,6 +117581,61 @@ function registerDiscoveryTools(server) {
   );
 }
 
+// src/server/tools/settings.ts
+init_cjs_shims();
+var registerSettingsTools = ({ server }) => {
+  server.registerTool(
+    "update_settings",
+    {
+      title: "Update Settings",
+      description: DESCRIPTIONS.updateSettings.mcp,
+      inputSchema: external_exports3.object({
+        maxAmount: external_exports3.number().positive().optional().describe(
+          `Maximum amount (USD) to pay per fetch request. Current default: $${DEFAULT_MAX_AMOUNT}.`
+        )
+      }),
+      annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false
+      }
+    },
+    safeHandler((input) => {
+      if (input.maxAmount !== void 0) {
+        setSettings({ maxAmount: input.maxAmount });
+      }
+      const settings = getSettings();
+      return Promise.resolve(
+        mcpSuccessStructuredJson({
+          maxAmount: settings.maxAmount ?? DEFAULT_MAX_AMOUNT
+        })
+      );
+    })
+  );
+  server.registerTool(
+    "get_settings",
+    {
+      title: "Get Settings",
+      description: DESCRIPTIONS.getSettings.mcp,
+      annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false
+      }
+    },
+    safeHandler(() => {
+      const settings = getSettings();
+      return Promise.resolve(
+        mcpSuccessStructuredJson({
+          maxAmount: settings.maxAmount ?? DEFAULT_MAX_AMOUNT
+        })
+      );
+    })
+  );
+};
+
 // src/server/resources/origins.ts
 init_cjs_shims();
 var surface = "registerOrigins";
@@ -117752,25 +118075,25 @@ var registerPrompts = (props) => {
 
 // src/server/lib/version.ts
 init_cjs_shims();
-var import_fs6 = require("fs");
+var import_fs8 = require("fs");
 var import_path3 = require("path");
 var import_url2 = require("url");
 function getVersion3() {
   if (true) {
-    return "0.8.1";
+    return "0.8.3";
   }
   const __dirname3 = (0, import_path3.dirname)((0, import_url2.fileURLToPath)(importMetaUrl));
-  const pkg = JSON.parse(
-    (0, import_fs6.readFileSync)((0, import_path3.join)(__dirname3, "../../../package.json"), "utf-8")
+  const pkg2 = JSON.parse(
+    (0, import_fs8.readFileSync)((0, import_path3.join)(__dirname3, "../../../package.json"), "utf-8")
   );
-  return pkg.version;
+  return pkg2.version;
 }
 var MCP_VERSION2 = getVersion3();
 var DIST_TAG2 = MCP_VERSION2.includes("-beta") ? "beta" : "latest";
 
 // src/shared/wallet.ts
 init_cjs_shims();
-var import_fs7 = require("fs");
+var import_fs9 = require("fs");
 var import_path4 = require("path");
 var WALLET_FILE = configFile("wallet.json");
 var storedWalletSchema = zod_default.object({
@@ -117783,14 +118106,14 @@ var LEGACY_WALLET = (0, import_path4.join)(LEGACY_DIRECTORY, "wallet.json");
 var reconcileSurface = "wallet-reconcile";
 async function reconcileLegacyWallet(current, isNew) {
   const noChange = { account: current, isNew };
-  if (!(0, import_fs7.existsSync)(LEGACY_WALLET)) {
+  if (!(0, import_fs9.existsSync)(LEGACY_WALLET)) {
     return noChange;
   }
   const legacyResult = resultFromThrowable(
     "wallet",
     reconcileSurface,
     () => {
-      const raw = (0, import_fs7.readFileSync)(LEGACY_WALLET, "utf-8");
+      const raw = (0, import_fs9.readFileSync)(LEGACY_WALLET, "utf-8");
       return storedWalletSchema.parse(JSON.parse(raw));
     },
     () => ({
@@ -117874,7 +118197,7 @@ async function getWallet() {
   }
   const readFileResult = await safeReadFile(walletSurface, WALLET_FILE);
   if (!readFileResult.isOk()) {
-    const fileExistsResult = (0, import_fs7.existsSync)(WALLET_FILE);
+    const fileExistsResult = (0, import_fs9.existsSync)(WALLET_FILE);
     if (fileExistsResult) {
       return fsErr(walletSurface, {
         cause: "file_not_readable",
@@ -117927,7 +118250,7 @@ async function getWallet() {
 
 // src/shared/user-origins.ts
 init_cjs_shims();
-var fs9 = __toESM(require("fs"), 1);
+var fs10 = __toESM(require("fs"), 1);
 var ORIGINS_FILE = configFile("origins.json");
 var userOriginSchema = zod_default.object({
   url: zod_default.string(),
@@ -117939,8 +118262,8 @@ var originsFileSchema = zod_default.object({
   added: zod_default.array(userOriginSchema)
 });
 function readOriginsFile() {
-  if (!fs9.existsSync(ORIGINS_FILE)) return [];
-  const raw = fs9.readFileSync(ORIGINS_FILE, "utf-8");
+  if (!fs10.existsSync(ORIGINS_FILE)) return [];
+  const raw = fs10.readFileSync(ORIGINS_FILE, "utf-8");
   const json3 = safeParseJson("user-origins", raw);
   if (!json3.isOk()) return [];
   const parsed = originsFileSchema.safeParse(json3.value);
@@ -118007,6 +118330,7 @@ var startServer = async (flags) => {
   registerRedeemInviteTool(props);
   registerDiscoveryTools(server);
   registerTelemetryTools(props);
+  registerSettingsTools(props);
   registerPrompts(props);
   await registerOrigins({ server, flags });
   const transport = new StdioServerTransport();