x402-surface-check 0.2.38 → 0.2.40

package/README.md

@@ -20,7 +20,7 @@ npx --yes x402-surface-check --strict-proof https://api.example.com/openapi.json
 
 ## What It Checks
 
-- Manifest endpoint discovery from `items[]`, `endpoints[]`, object-valued `endpoints`, string-valued endpoint maps, `tools` maps, `resources[]`, `x402Endpoints`, category arrays, raw resource URL strings, method-prefixed resource strings, and OpenAPI paths
+- Manifest endpoint discovery from `items[]`, `endpoints[]`, marketplace `skills[]` / `catalog.skills[]`, `agents[].tools[]` resource URLs, object-valued `endpoints`, string-valued endpoint maps, `tools` maps, `resources[]`, `x402Endpoints`, category arrays, raw resource URL strings, method-prefixed resource strings, and OpenAPI paths
 - Streamable HTTP MCP tool catalogs via safe JSON-RPC `tools/list` probes with `Accept: application/json, text/event-stream`
 - Object-valued manifest endpoint query examples, public catalog/discovery GETs, and payment-bearing two-phase operations without treating expected public catalog reads as failed payment gates
 - Linked discovery documents via `discovery_url`, `discoveryUrl`, `resources_url`, `resourcesUrl`, string `discovery` links, nested `discovery.x402_json` / OpenAPI links, or manifest-level OpenAPI links

package/bin/x402-surface-check.mjs

@@ -358,6 +358,40 @@ function manifestEndpointBody(endpoint, document) {
   return exampleValue(body, document)
 }
 
+function marketplaceSkillBody(skill) {
+  return skill?.example?.input
+    ?? skill?.exampleInput
+    ?? skill?.input?.example
+    ?? skill?.input?.safe_example
+    ?? skill?.input?.safeExample
+    ?? manifestEndpointBody(skill, {})
+}
+
+function marketplaceSkillPriceUsd(skill) {
+  const value = skill?.price?.amount
+    ?? skill?.price?.usd
+    ?? skill?.priceUsd
+    ?? skill?.price_usd
+    ?? skill?.pricePerCall
+  return numberFromDecimal(value)
+}
+
+function endpointRawPath(endpoint) {
+  if (!endpoint || typeof endpoint !== 'object') return undefined
+  const values = [
+    endpoint.url,
+    endpoint.endpoint,
+    endpoint.resourceUrl,
+    endpoint.resourceURL,
+    endpoint.resource_url,
+    endpoint.resource?.url,
+    endpoint.resource?.uri,
+    endpoint.resource,
+    endpoint.path,
+  ]
+  return values.find(value => typeof value === 'string' && value.trim())
+}
+
 function manifestEndpointUrl(rawPath, endpoint, baseUrl, sourceUrl) {
   const url = new URL(endpointUrl(rawPath, baseUrl, sourceUrl))
   const parameters = endpoint?.parameters
@@ -404,9 +438,64 @@ function endpointEntries(document, sourceUrl, limit) {
     }
   }
 
+  const marketplaceSkillLists = [
+    document.skills,
+    document.services,
+    document.catalog?.skills,
+    document.catalog?.services,
+  ].filter(Array.isArray)
+
+  for (const skillList of marketplaceSkillLists) {
+    for (const skill of skillList) {
+      if (!skill || typeof skill !== 'object') continue
+      const rawPath = endpointRawPath(skill)
+      if (!rawPath) continue
+      if (redactedCredentialUrl(rawPath)) continue
+      entries.push({
+        name: skill.slug ?? skill.id ?? skill.name ?? String(rawPath).split('/').filter(Boolean).at(-1) ?? String(rawPath),
+        url: endpointUrl(rawPath, baseUrl, sourceUrl),
+        method: String(skill.method ?? 'POST').toUpperCase(),
+        expectedPriceUsd: marketplaceSkillPriceUsd(skill),
+        requestBody: marketplaceSkillBody(skill),
+      })
+    }
+  }
+
+  const agentCatalogLists = [
+    document.agents,
+    document.catalog?.agents,
+    document.marketplace?.agents,
+  ].filter(Array.isArray)
+
+  for (const agentList of agentCatalogLists) {
+    for (const agent of agentList) {
+      if (!agent || typeof agent !== 'object' || !Array.isArray(agent.tools)) continue
+      const agentName = agent.agentId ?? agent.agent_id ?? agent.slug ?? agent.id ?? agent.name
+      for (const tool of agent.tools) {
+        if (!tool || typeof tool !== 'object') continue
+        const rawPath = endpointRawPath(tool)
+        if (!rawPath) continue
+        if (redactedCredentialUrl(rawPath)) continue
+        const method = String(tool.method ?? 'POST').toUpperCase()
+        const paymentSignal = Math.max(manifestEndpointPaymentSignal(agent), manifestEndpointPaymentSignal(tool))
+        const hasPathParameters = /\{[^}]+\}/.test(String(rawPath))
+        if (paymentSignal === 0 && (method !== 'GET' || hasPathParameters)) continue
+        const toolName = tool.slug ?? tool.id ?? tool.name ?? String(rawPath).split('/').filter(Boolean).at(-1)
+        entries.push({
+          name: agentName && toolName ? `${agentName}/${toolName}` : toolName ?? agentName ?? String(rawPath),
+          url: manifestEndpointUrl(rawPath, tool, baseUrl, sourceUrl),
+          method,
+          expectedPriceUsd: marketplaceSkillPriceUsd(tool) ?? marketplaceSkillPriceUsd(agent),
+          requestBody: marketplaceSkillBody(tool) ?? marketplaceSkillBody(agent),
+          publicDiscovery: paymentSignal === 0,
+        })
+      }
+    }
+  }
+
   if (Array.isArray(document.endpoints)) {
     for (const endpoint of document.endpoints) {
-      const rawPath = endpoint?.url ?? endpoint?.endpoint ?? endpoint?.path
+      const rawPath = endpointRawPath(endpoint)
       if (!rawPath) continue
       entries.push({
         name: endpoint.id ?? endpoint.name ?? String(rawPath).split('/').filter(Boolean).at(-1) ?? String(rawPath),
@@ -446,7 +535,7 @@ function endpointEntries(document, sourceUrl, limit) {
   if (Array.isArray(document.tools)) {
     for (const tool of document.tools) {
       if (!tool || typeof tool !== 'object') continue
-      const rawPath = tool.url ?? tool.endpoint ?? tool.path
+      const rawPath = endpointRawPath(tool)
       if (!rawPath) continue
       const method = String(tool.method ?? 'POST').toUpperCase()
       const paymentSignal = manifestEndpointPaymentSignal(tool)
@@ -475,7 +564,7 @@ function endpointEntries(document, sourceUrl, limit) {
       }
       if (!endpoint || typeof endpoint !== 'object') continue
       const keyPath = key.match(/^(GET|POST|PUT|PATCH|DELETE)\s+(\S+)/i)?.[2] ?? key
-      const rawPath = endpoint.url ?? endpoint.endpoint ?? endpoint.path ?? keyPath
+      const rawPath = endpointRawPath(endpoint) ?? keyPath
       if (!rawPath) continue
       const method = String(endpoint.method ?? 'POST').toUpperCase()
       const paymentSignal = manifestEndpointPaymentSignal(endpoint)
@@ -494,7 +583,7 @@ function endpointEntries(document, sourceUrl, limit) {
   if (Array.isArray(document.items)) {
     for (const item of document.items) {
       if (item?.type && item.type !== 'http') continue
-      const rawPath = item?.resource ?? item?.url ?? item?.endpoint ?? item?.path
+      const rawPath = endpointRawPath(item)
       if (!rawPath) continue
       entries.push({
         name: item.metadata?.name ?? item.id ?? item.name ?? String(rawPath).split('/').filter(Boolean).at(-1) ?? String(rawPath),
@@ -547,7 +636,7 @@ function endpointEntries(document, sourceUrl, limit) {
     }
 
     if (!resource || typeof resource !== 'object') continue
-    const rawPath = resource.url ?? resource.endpoint ?? resource.resource ?? resource.path
+    const rawPath = endpointRawPath(resource)
     if (!rawPath) continue
     entries.push({
       name: resource.id

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "x402-surface-check",
-  "version": "0.2.38",
+  "version": "0.2.40",
   "description": "No-payment x402 public-surface checker for manifests, OpenAPI specs, and HTTP 402 challenges.",
   "type": "module",
   "bin": {