feat: register and render the full API catalog (public + API-key endpoints)#1020
Merged
Conversation
The openapi discovery source only classifies an endpoint 'unprotected' when its operation explicitly declares security: [] — the merchant already opted it out. Both registration surfaces still lumped these into the yellow 'unprotected endpoints skipped' warning whose copy tells the merchant to add security: [] to suppress the notice, which they had already done (reported by Telemost for /v1/catalog). registerResourcesFromDiscovery now tags such skips explicitlyPublic, and both the pre-registration form and the bulk-result panel render them as a neutral 'N public endpoints not registered' disclosure, reserving the warning for probe-inferred unprotected and apiKey endpoints.
…nd client The 'authMode unprotected + openapi source' provenance check was encoded independently in register-origin.ts and the register form's skipped-endpoint partition — extract it to lib/discovery/explicitly-public.ts so the two surfaces can't drift. Also rename a test whose name said probe-inferred but exercised the well-known source.
Contributor
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
…oints) Endpoints declared in openapi.json now register as free catalog rows instead of being skipped: security: [] operations get a Public tag, apiKey-scheme operations get an API key tag (SIWX keeps Free). The discovery source gates this — unprotected/apiKey from non-openapi sources still skip with the actionable warning, whose advice (declare security: []) now actually results in registration. Catalog rows never make an origin registrable on their own: they only register alongside at least one paid/SIWX resource or into an origin that already has resources. registerSiwxResource generalizes to registerFreeResource(authMode); rows are Resource records with zero Accepts discriminated by metadata.authMode. upsertResource now strips a stale free authMode when a row re-registers as paid. Read filters (origin lists, search), server-page badges, registration UI, counts, and toasts all understand the two new modes. This supersedes the earlier neutral 'public endpoints not registered' disclosure, which is removed.
mainSucceeded was a global flag — in a multi-origin batch a paid success for one origin would have let catalog rows register for another. Build the set of origins that gained a paid/SIWX resource instead. Also adds tests for the existing-origin gate arm and for a failed free registration landing in failedDetails.
The 'origin already has resources' gate arm was dangerous: an existing origin whose paid probes all failed transiently would still register catalog rows, which set originId and let deprecation wipe every paid row — and since getOriginResourceCount counts free rows, the catalog rows then kept the origin alive as a catalog-only listing forever. The gate is now strictly 'this batch registered a paid/SIWX resource for this origin', with a regression test for the transient-failure path. Also mirrors the gate client-side (a catalog-only origin's endpoints now show as skipped in the register form instead of promising a registration the server refuses) and renders the per-row skip reason in the results panel — skips have three distinct causes now.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Endpoints declared in a merchant's
openapi.jsonnow register and render as part of the full API catalog, tagged by auth mode:security: []operations → registered, tagged Public (sky)Started as a copy fix for Telemost's report (
/v1/catalogshowed a "1 unprotected endpoint skipped — add security: []" warning they had already followed); expanded per team decision (rsproule: "can show and indicate that its apikey auth — openapi should be pretty standard around this") to render the whole catalog. Earlier commits on this branch implemented a neutral disclosure for skipped public endpoints; the final commit supersedes it — those endpoints now actually register.How it works
openapidiscovery source produces catalog rows (lib/discovery/catalog-auth.ts, shared server+client). In @agentcash/discovery 1.7.5 the openapi source assignsunprotectedsolely for an explicitsecurity: []andapiKeysolely for a declared security scheme — verified in the package source;discoverOriginSchema's openapi path does no probe augmentation.unprotected/apiKeyfrom other sources still skip with the yellow warning, whose "declaresecurity: []" advice now results in registration.metadata.authMode(siwx | unprotected | apiKey) — the existing SIWX pattern (registerSiwxResourcegeneralized toregisterFreeResource).originId, and deprecate every existing paid row — with the catalog rows then keeping the origin alive as a self-sustaining catalog-only listing. The client mirrors the gate (catalog-only origins show their endpoints as skipped), the skip panel shows per-row reasons, and a regression test covers the transient-failure path. The tRPCnoValidResourcesgate is unchanged.upsertResource(paid path) strips a pre-existing freeauthModefrom metadata on merge, so a row that later turns paid stops matching free filters;listOriginsWithResourcesadditionally guards with!resource.response.Surfaces updated
displayableResourceWhere,listOrigins,listOriginsWithResources) andsearchResourcesOR-in the three free auth modes (chain-filtered queries still exclude them — no chain to filter on).resource-card.tsxbadges;origin-resources.tsxincludes free rows.RegisterModeResourceListgets Public/API key badges with tooltips.registry-register-originresponse addspublic/apiKeycounts + details (additive;siwxfields unchanged).security: []deprecates on re-registration.Not affected (checked)
Bazaar/agent feeds are accepts/transfer-driven and can't include free rows; chain-filtered listings exclude them;
/api/x402/resourcesserializes them withaccepts: []exactly like SIWX today.