npm - 402-mcp - Versions diffs - 3.0.0 → 3.1.0 - Mend

402-mcp 3.0.0 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +108 -1
package/build/tools/nostr-subscribe.d.ts +5 -0
package/build/tools/nostr-subscribe.js +7 -2
package/build/tools/nostr-subscribe.js.map +1 -1
package/build/tools/search.d.ts +2 -1
package/build/tools/search.js +8 -11
package/build/tools/search.js.map +1 -1
package/llms-full.txt +399 -0
package/llms.txt +148 -0
package/package.json +4 -2

package/README.md CHANGED Viewed

@@ -9,6 +9,72 @@ L402 + x402 client MCP that gives AI agents economic agency. Discover, pay for,
 Works with **any L402-compliant server** (toll-booth, Aperture, or any future implementation), with bonus features when talking to a [toll-booth](https://github.com/TheCryptoDonkey/toll-booth) instance.
+## Architecture
+```mermaid
+graph TB
+    Agent["AI Agent<br/>(Claude, Cursor, etc.)"]
+    MCP["402-mcp<br/>MCP Server"]
+    subgraph Wallets["Payment Rails"]
+        NWC["NWC<br/>(Lightning)"]
+        Cashu["Cashu<br/>(Ecash)"]
+        Human["Human-in-the-loop<br/>(QR code)"]
+    end
+    subgraph Storage["Local Storage"]
+        Creds["Credential Store<br/>(AES-256-GCM)"]
+        Tokens["Cashu Token Store"]
+    end
+    subgraph Servers["Any L402 Server"]
+        TB["toll-booth"]
+        Aperture["Aperture"]
+        Other["Any L402<br/>implementation"]
+    end
+    Nostr["Nostr Relays<br/>(Service Discovery)"]
+    Agent <-->|"MCP protocol<br/>(stdio / HTTP)"| MCP
+    MCP --> NWC
+    MCP --> Cashu
+    MCP --> Human
+    MCP <--> Creds
+    MCP <--> Tokens
+    MCP <-->|"HTTP + L402"| TB
+    MCP <-->|"HTTP + L402"| Aperture
+    MCP <-->|"HTTP + L402"| Other
+    MCP <-->|"kind 31402"| Nostr
+```
+## Payment flow
+```mermaid
+sequenceDiagram
+    participant Agent as AI Agent
+    participant MCP as 402-mcp
+    participant API as L402 API
+    participant Wallet as Wallet (NWC/Cashu)
+    Agent->>MCP: l402_discover(url)
+    MCP->>API: GET /endpoint
+    API-->>MCP: 402 + invoice + macaroon
+    MCP-->>Agent: price: 10 sats, server: toll-booth
+    Agent->>Agent: Reason about pricing
+    Agent->>MCP: l402_fetch(url)
+    MCP->>API: GET /endpoint
+    API-->>MCP: 402 + invoice + macaroon
+    MCP->>MCP: Amount ≤ MAX_AUTO_PAY_SATS?
+    MCP->>Wallet: Pay invoice
+    Wallet-->>MCP: preimage
+    MCP->>MCP: Store credential
+    MCP->>API: GET /endpoint + Authorization: L402
+    API-->>MCP: 200 OK + data
+    MCP-->>Agent: Response data + balance
+```
 ## Quick start
 ```bash
@@ -57,6 +123,7 @@ Add to your MCP configuration:
 | `l402_pay` | Pay a specific invoice (NWC, Cashu, or human-in-the-loop) |
 | `l402_credentials` | List stored credentials and cached balances |
 | `l402_balance` | Check cached credit balance for a server |
+| `l402_search` | Discover L402 services on Nostr relays (kind 31402 announcements) |
 ### toll-booth extensions
@@ -65,8 +132,36 @@ Add to your MCP configuration:
 | `l402_buy_credits` | Browse and purchase volume discount tiers |
 | `l402_redeem_cashu` | Redeem Cashu tokens directly (avoids Lightning round-trip) |
+## Service discovery
+Agents can discover paid APIs without knowing URLs upfront. `l402_search` queries Nostr relays for kind 31402 service announcements — the decentralised registry for L402 services.
+```mermaid
+sequenceDiagram
+    participant Agent as AI Agent
+    participant MCP as 402-mcp
+    participant Relay as Nostr Relays
+    Agent->>MCP: l402_search("routing")
+    MCP->>Relay: Subscribe kind 31402
+    Relay-->>MCP: Matching service events
+    MCP-->>Agent: Services with URLs, pricing, capabilities
+    Agent->>MCP: l402_discover(service_url)
+    Note over Agent: Continue with payment flow...
+```
 ## Payment methods
+```mermaid
+graph TD
+    Pay["Pay Invoice"]
+    Pay --> NWC{"NWC configured?"}
+    NWC -->|Yes| NWCPay["Pay via Lightning wallet<br/>(fully autonomous)"]
+    NWC -->|No| CashuQ{"Cashu tokens<br/>available?"}
+    CashuQ -->|Yes| CashuPay["Melt ecash tokens<br/>(fully autonomous)"]
+    CashuQ -->|No| HumanPay["Present QR code<br/>(human pays)"]
+```
 Three payment rails, tried in priority order:
 1. **NWC** (Nostr Wallet Connect) - fully autonomous; pays from your connected wallet
@@ -77,6 +172,17 @@ The agent can override the method per-call, or you can configure only the method
 ## How it works
+```mermaid
+graph LR
+    A["1. l402_config()"] --> B["2. l402_discover(url)"]
+    B --> C["3. Agent reasons<br/>about pricing"]
+    C --> D["4. l402_buy_credits()<br/>or l402_fetch()"]
+    D --> E["5. l402_fetch(url)<br/>with credentials"]
+    E --> F["6. Data returned<br/>+ balance cached"]
+```
+**Example session:**
 ```
 Agent: "I need routing data from routing.trotters.cc"
@@ -125,7 +231,8 @@ Use Lightning Labs' tools if you want agents that **run their own Lightning node
 |---------|------|
 | [toll-booth](https://github.com/TheCryptoDonkey/toll-booth) | Payment-rail agnostic HTTP 402 middleware |
 | [satgate](https://github.com/TheCryptoDonkey/satgate) | Pay-per-token AI inference proxy (built on toll-booth) |
-| **[402-mcp](https://github.com/TheCryptoDonkey/402-mcp)** | **MCP client - AI agents discover, pay, and consume L402 + x402 APIs** |
+| **[402-mcp](https://github.com/TheCryptoDonkey/402-mcp)** | **MCP client — AI agents discover, pay, and consume L402 + x402 APIs** |
+| [402-announce](https://github.com/TheCryptoDonkey/402-announce) | Publish L402 services on Nostr for decentralised discovery |
 ---

package/build/tools/nostr-subscribe.d.ts CHANGED Viewed

@@ -1,2 +1,7 @@
 import type { SearchDeps } from './search.js';
+/** Optional tag filters to pass to relays, reducing bandwidth by filtering server-side. */
+export interface SubscribeFilters {
+    '#t'?: string[];
+    '#pmi'?: string[];
+}
 export declare function createNostrSubscriber(): SearchDeps['subscribeEvents'];

package/build/tools/nostr-subscribe.js CHANGED Viewed

@@ -5,7 +5,7 @@
  */
 const MAX_EVENTS = 1000;
 export function createNostrSubscriber() {
-    return async (relays, kinds, timeout) => {
+    return async (relays, kinds, timeout, filters) => {
         const { Relay } = await import('nostr-tools/relay');
         const { verifyEvent } = await import('nostr-tools/pure');
         const events = [];
@@ -21,7 +21,12 @@ export function createNostrSubscriber() {
                 ]);
                 connections.push(relay);
                 return new Promise((resolve) => {
-                    const sub = relay.subscribe([{ kinds }], {
+                    const filter = { kinds };
+                    if (filters?.['#t']?.length)
+                        filter['#t'] = filters['#t'];
+                    if (filters?.['#pmi']?.length)
+                        filter['#pmi'] = filters['#pmi'];
+                    const sub = relay.subscribe([filter], {
                         onevent: (event) => {
                             if (events.length < MAX_EVENTS && verifyEvent(event)) {
                                 events.push(event);

package/build/tools/nostr-subscribe.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"nostr-subscribe.js","sourceRoot":"","sources":["../../src/tools/nostr-subscribe.ts"],"names":[],"mappings":"AAGA;;;;GAIG;AACH,MAAM,UAAU,GAAG,IAAI,CAAA;~~AAEvB~~,MAAM,UAAU,qBAAqB;IACnC,OAAO,KAAK,EAAE,MAAgB,EAAE,KAAe,EAAE,OAAe,EAAyB,EAAE;~~QACzF~~,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAA;QACnD,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAA;QACxD,MAAM,MAAM,GAAiB,EAAE,CAAA;QAC/B,MAAM,WAAW,GAA6B,EAAE,CAAA;QAEhD,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CACtC,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YACvB,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1D,OAAM;YACR,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;oBAC/B,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;oBAClB,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAC/B,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,MAAM,CAAC,CACvD;iBACF,CAAC,CAAA;gBACF,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;gBAEvB,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;oBACnC,MAAM,~~GAAG~~,~~GAAG~~,KAAK,CAAC,~~SAAS~~,~~CACzB~~,CAAC,EAAE,~~KAAK~~,EAAE,CAAC,~~EACX~~;wBACE,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE;4BACjB,IAAI,MAAM,CAAC,MAAM,GAAG,UAAU,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;gCACrD,MAAM,CAAC,IAAI,CAAC,KAAmB,CAAC,CAAA;4BAClC,CAAC;wBACH,CAAC;wBACD,MAAM,EAAE,GAAG,EAAE;4BACX,GAAG,CAAC,KAAK,EAAE,CAAA;4BACX,OAAO,EAAE,CAAA;wBACX,CAAC;qBACF,CACF,CAAA;oBAED,+CAA+C;oBAC/C,UAAU,CAAC,GAAG,EAAE;wBACd,GAAG,CAAC,KAAK,EAAE,CAAA;wBACX,OAAO,EAAE,CAAA;oBACX,CAAC,EAAE,OAAO,CAAC,CAAA;gBACb,CAAC,CAAC,CAAA;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,mCAAmC;YACrC,CAAC;QACH,CAAC,CAAC,CACH,CAAA;QAED,8BAA8B;QAC9B,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,IAAI,CAAC;gBACH,IAAI,CAAC,KAAK,EAAE,CAAA;YACd,CAAC;YAAC,MAAM,CAAC;gBACP,sBAAsB;YACxB,CAAC;QACH,CAAC;QAED,0BAA0B;QAC1B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAA;QAC9B,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;YACzB,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBAAE,OAAO,KAAK,CAAA;YAChC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAA;YACd,OAAO,IAAI,CAAA;QACb,CAAC,CAAC,CAAA;IACJ,CAAC,CAAA;AACH,CAAC"}
1	+ {"version":3,"file":"nostr-subscribe.js","sourceRoot":"","sources":["../../src/tools/nostr-subscribe.ts"],"names":[],"mappings":"AAGA;;;;GAIG;AACH,MAAM,UAAU,GAAG,IAAI,CAAA;AAQvB,MAAM,UAAU,qBAAqB;IACnC,OAAO,KAAK,EAAE,MAAgB,EAAE,KAAe,EAAE,OAAe,EAAE,OAA0B,EAAyB,EAAE;QACrH,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAA;QACnD,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAA;QACxD,MAAM,MAAM,GAAiB,EAAE,CAAA;QAC/B,MAAM,WAAW,GAA6B,EAAE,CAAA;QAEhD,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CACtC,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YACvB,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1D,OAAM;YACR,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;oBAC/B,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;oBAClB,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAC/B,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,MAAM,CAAC,CACvD;iBACF,CAAC,CAAA;gBACF,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;gBAEvB,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;oBACnC,MAAM,MAAM,GAA4B,EAAE,KAAK,EAAE,CAAA;oBACjD,IAAI,OAAO,EAAE,CAAC,IAAI,CAAC,EAAE,MAAM;wBAAE,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;oBACzD,IAAI,OAAO,EAAE,CAAC,MAAM,CAAC,EAAE,MAAM;wBAAE,MAAM,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;oBAE/D,MAAM,GAAG,GAAG,KAAK,CAAC,SAAS,CACzB,CAAC,MAAkD,CAAC,EACpD;wBACE,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE;4BACjB,IAAI,MAAM,CAAC,MAAM,GAAG,UAAU,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;gCACrD,MAAM,CAAC,IAAI,CAAC,KAAmB,CAAC,CAAA;4BAClC,CAAC;wBACH,CAAC;wBACD,MAAM,EAAE,GAAG,EAAE;4BACX,GAAG,CAAC,KAAK,EAAE,CAAA;4BACX,OAAO,EAAE,CAAA;wBACX,CAAC;qBACF,CACF,CAAA;oBAED,+CAA+C;oBAC/C,UAAU,CAAC,GAAG,EAAE;wBACd,GAAG,CAAC,KAAK,EAAE,CAAA;wBACX,OAAO,EAAE,CAAA;oBACX,CAAC,EAAE,OAAO,CAAC,CAAA;gBACb,CAAC,CAAC,CAAA;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,mCAAmC;YACrC,CAAC;QACH,CAAC,CAAC,CACH,CAAA;QAED,8BAA8B;QAC9B,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,IAAI,CAAC;gBACH,IAAI,CAAC,KAAK,EAAE,CAAA;YACd,CAAC;YAAC,MAAM,CAAC;gBACP,sBAAsB;YACxB,CAAC;QACH,CAAC;QAED,0BAA0B;QAC1B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAA;QAC9B,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;YACzB,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBAAE,OAAO,KAAK,CAAA;YAChC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAA;YACd,OAAO,IAAI,CAAA;QACb,CAAC,CAAC,CAAA;IACJ,CAAC,CAAA;AACH,CAAC"}

package/build/tools/search.d.ts CHANGED Viewed

@@ -1,7 +1,8 @@
 import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import type { NostrEvent } from 'nostr-tools/core';
+import type { SubscribeFilters } from './nostr-subscribe.js';
 export interface SearchDeps {
-    subscribeEvents: (relays: string[], kinds: number[], timeout: number) => Promise<NostrEvent[]>;
+    subscribeEvents: (relays: string[], kinds: number[], timeout: number, filters?: SubscribeFilters) => Promise<NostrEvent[]>;
 }
 export interface ParsedService {
     name: string | undefined;

package/build/tools/search.js CHANGED Viewed

@@ -50,9 +50,15 @@ export async function handleSearch(args, deps) {
     const timeout = args.timeout ?? 5000;
     const maxResults = args.maxResults ?? 20;
     const queryLower = args.query.toLowerCase();
-    const events = await deps.subscribeEvents(relays, [KIND_L402_ANNOUNCE], timeout);
+    // Build relay-side tag filters — relays handle topic and payment method filtering
+    const relayFilters = {};
+    if (args.topics?.length)
+        relayFilters['#t'] = args.topics;
+    if (args.paymentMethod)
+        relayFilters['#pmi'] = [args.paymentMethod];
+    const events = await deps.subscribeEvents(relays, [KIND_L402_ANNOUNCE], timeout, relayFilters);
     let services = events.map(parseAnnounceEvent);
-    // Filter by query text — match against name, about, and capability descriptions
+    // Filter by query text — relays cannot do substring search so this remains client-side
     if (queryLower) {
         services = services.filter(svc => {
             const searchable = [
@@ -64,15 +70,6 @@ export async function handleSearch(args, deps) {
             return searchable.includes(queryLower);
         });
     }
-    // Filter by payment method
-    if (args.paymentMethod) {
-        services = services.filter(svc => svc.paymentMethods.includes(args.paymentMethod));
-    }
-    // Filter by topics — service must have at least one matching topic
-    if (args.topics && args.topics.length > 0) {
-        const topicSet = new Set(args.topics.map(t => t.toLowerCase()));
-        services = services.filter(svc => svc.topics.some(t => topicSet.has(t.toLowerCase())));
-    }
     // Limit results
     const results = services.slice(0, maxResults);
     return {

package/build/tools/search.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"search.js","sourceRoot":"","sources":["../../src/tools/search.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;~~AAIvB~~,MAAM,cAAc,GAAG;IACrB,sBAAsB;IACtB,wBAAwB;IACxB,eAAe;CAChB,CAAA;AAED,MAAM,kBAAkB,GAAG,KAAK,CAAA;AAiBhC,8DAA8D;AAC9D,MAAM,UAAU,kBAAkB,CAAC,KAAiB;IAClD,MAAM,MAAM,GAAG,CAAC,GAAW,EAAsB,EAAE,CACjD,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;IAEzC,MAAM,UAAU,GAAG,CAAC,GAAW,EAAc,EAAE,CAC7C,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAA;IAEtC,MAAM,cAAc,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;IACvE,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;IAE7D,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC5C,UAAU,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;QACtB,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;QAClB,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;KACjB,CAAC,CAAC,CAAA;IAEH,IAAI,YAAY,GAA4C,EAAE,CAAA;IAC9D,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QACxC,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,CAAC;YACxC,YAAY,GAAG,MAAM,CAAC,YAAY;iBAC/B,MAAM,CAAC,CAAC,CAAU,EAA8C,EAAE,CACjE,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI;gBACnC,OAAQ,CAA6B,CAAC,IAAI,KAAK,QAAQ;gBACvD,OAAQ,CAA6B,CAAC,WAAW,KAAK,QAAQ,CAC/D;iBACA,GAAG,CAAC,CAAC,CAAwC,EAAE,EAAE,CAAC,CAAC;gBAClD,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;gBAC1B,WAAW,EAAE,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC;aAC1C,CAAC,CAAC,CAAA;QACP,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,2CAA2C;IAC7C,CAAC;IAED,OAAO;QACL,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC;QACpB,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC;QAClB,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC;QACtB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,cAAc;QACd,OAAO;QACP,MAAM;QACN,YAAY;KACb,CAAA;AACH,CAAC;AAED,+EAA+E;AAC/E,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,IAA4H,EAC5H,IAAgB;IAEhB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,cAAc,CAAA;IAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAA;IACpC,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,EAAE,CAAA;IACxC,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAA;IAE3C,~~MAAM~~,MAAM,~~GAAG~~,~~MAAM~~,~~IAAI,CAAC,eAAe,CAAC,MAAM,~~EAAE,~~CAAC,kBAAkB,CAAC,EAAE,OAAO,CAAC,~~CAAA;~~IAEhF~~,IAAI,~~QAAQ~~,~~GAAG~~,MAAM,~~CAAC~~,~~GAAG~~,~~CAAC~~,~~kBAAkB,~~CAAC,~~CAAA;IAE7C,gFAAgF;IAChF,~~IAAI,~~UAAU,EAAE,~~CAAC~~;QACf~~,~~QAAQ,~~GAAG,~~QAAQ~~,CAAC,MAAM,~~CAAC,GAAG,CAAC,EAAE~~;~~YAC/B~~,~~MAAM,UAAU,GAAG;gBACjB,GAAG,CAAC,~~IAAI,IAAI,~~EAAE;gBACd,GAAG,~~CAAC,~~KAAK,IAAI,EAAE~~;~~gBACf~~,~~GAAG~~,~~GAAG,~~CAAC,MAAM~~;gBACb~~,~~GAAG~~,GAAG,CAAC,~~YAAY~~,CAAC,~~GAAG~~,CAAC,~~CAAC~~,~~CAAC~~,~~EAAE~~,~~CAAC,~~GAAG,~~CAAC~~,~~CAAC,~~IAAI,~~IAAI,~~CAAC,CAAC,~~WAAW~~,EAAE,CAAC~~;aAC3D~~,CAAC,~~IAAI~~,~~CAAC~~,~~GAAG~~,~~CAAC~~,CAAC,~~WAAW,EAAE,~~CAAA;~~YAEzB~~,~~OAAO~~,~~UAAU~~,~~CAAC~~,~~QAAQ~~,CAAC,~~UAAU~~,CAAC,~~CAAA;QACxC~~,CAAC,~~CAAC,~~CAAA;~~IACJ~~,~~CAAC~~;~~IAED~~,~~2BAA2B;IAC3B,~~IAAI,~~IAAI~~,~~CAAC,aAAa,~~EAAE,CAAC;~~QACvB~~,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE~~,CAC~~/B,~~GAAG~~,~~CAAC~~,~~cAAc~~,~~CAAC~~,~~QAAQ,~~CAAC,IAAI,~~CAAC~~,~~aAAc,CAAC,CACjD,CAAA~~;~~IACH~~,~~CAAC;IAED~~,~~mEAAmE;IACnE,IAAI,IAAI,~~CAAC,~~MAAM~~,IAAI,~~IAAI~~,~~CAAC~~,~~MAAM~~,CAAC,MAAM,GAAG,CAAC,~~EAAE~~,CAAC~~;QAC1C~~,~~MAAM,QAAQ,~~GAAG,~~IAAI~~,~~GAAG,~~CAAC,~~IAAI,~~CAAC,~~MAAM~~,CAAC,GAAG,CAAC,CAAC,~~CAAC~~,~~EAAE~~,CAAC,CAAC,~~CAAC,~~WAAW,EAAE,CAAC~~,CAAC,CAAA~~;~~QAC/D~~,~~QAAQ,GAAG,QAAQ,~~CAAC,~~MAAM~~,CAAC,GAAG,CAAC,~~EAAE,CAC/B,GAAG,~~CAAC,~~MAAM~~,~~CAAC~~,~~IAAI~~,~~CAAC~~,~~CAAC~~,CAAC,~~EAAE,CAAC,~~QAAQ,CAAC,~~GAAG~~,CAAC,~~CAAC~~,CAAC,~~WAAW,EAAE,~~CAAC,~~CAAC,CACpD,~~CAAA;~~IACH~~,CAAC;IAED,gBAAgB;IAChB,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAA;IAE7C,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;KAC7E,CAAA;AACH,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,MAAiB,EAAE,IAAgB;IACpE,MAAM,CAAC,YAAY,CACjB,aAAa,EACb;QACE,WAAW,EAAE,2NAA2N;QACxO,WAAW,EAAE;YACX,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,6EAA6E,CAAC;YAClH,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,+DAA+D,CAAC;YACrH,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,4CAA4C,CAAC;YAC7G,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,6EAA6E,CAAC;YACrI,UAAU,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,kDAAkD,CAAC;YAC3G,OAAO,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,2DAA2D,CAAC;SACvH;KACF,EACD,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,IAAI,CAAC,CACzC,CAAA;AACH,CAAC"}
1	+ {"version":3,"file":"search.js","sourceRoot":"","sources":["../../src/tools/search.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAKvB,MAAM,cAAc,GAAG;IACrB,sBAAsB;IACtB,wBAAwB;IACxB,eAAe;CAChB,CAAA;AAED,MAAM,kBAAkB,GAAG,KAAK,CAAA;AAiBhC,8DAA8D;AAC9D,MAAM,UAAU,kBAAkB,CAAC,KAAiB;IAClD,MAAM,MAAM,GAAG,CAAC,GAAW,EAAsB,EAAE,CACjD,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;IAEzC,MAAM,UAAU,GAAG,CAAC,GAAW,EAAc,EAAE,CAC7C,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAA;IAEtC,MAAM,cAAc,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;IACvE,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;IAE7D,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC5C,UAAU,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;QACtB,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;QAClB,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;KACjB,CAAC,CAAC,CAAA;IAEH,IAAI,YAAY,GAA4C,EAAE,CAAA;IAC9D,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QACxC,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,CAAC;YACxC,YAAY,GAAG,MAAM,CAAC,YAAY;iBAC/B,MAAM,CAAC,CAAC,CAAU,EAA8C,EAAE,CACjE,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI;gBACnC,OAAQ,CAA6B,CAAC,IAAI,KAAK,QAAQ;gBACvD,OAAQ,CAA6B,CAAC,WAAW,KAAK,QAAQ,CAC/D;iBACA,GAAG,CAAC,CAAC,CAAwC,EAAE,EAAE,CAAC,CAAC;gBAClD,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;gBAC1B,WAAW,EAAE,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC;aAC1C,CAAC,CAAC,CAAA;QACP,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,2CAA2C;IAC7C,CAAC;IAED,OAAO;QACL,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC;QACpB,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC;QAClB,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC;QACtB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,cAAc;QACd,OAAO;QACP,MAAM;QACN,YAAY;KACb,CAAA;AACH,CAAC;AAED,+EAA+E;AAC/E,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,IAA4H,EAC5H,IAAgB;IAEhB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,cAAc,CAAA;IAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAA;IACpC,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,EAAE,CAAA;IACxC,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAA;IAE3C,kFAAkF;IAClF,MAAM,YAAY,GAAqB,EAAE,CAAA;IACzC,IAAI,IAAI,CAAC,MAAM,EAAE,MAAM;QAAE,YAAY,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,MAAM,CAAA;IACzD,IAAI,IAAI,CAAC,aAAa;QAAE,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,CAAA;IAEnE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,CAAC,kBAAkB,CAAC,EAAE,OAAO,EAAE,YAAY,CAAC,CAAA;IAE9F,IAAI,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;IAE7C,uFAAuF;IACvF,IAAI,UAAU,EAAE,CAAC;QACf,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;YAC/B,MAAM,UAAU,GAAG;gBACjB,GAAG,CAAC,IAAI,IAAI,EAAE;gBACd,GAAG,CAAC,KAAK,IAAI,EAAE;gBACf,GAAG,GAAG,CAAC,MAAM;gBACb,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;aAC3D,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAA;YAEzB,OAAO,UAAU,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAA;QACxC,CAAC,CAAC,CAAA;IACJ,CAAC;IAED,gBAAgB;IAChB,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAA;IAE7C,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;KAC7E,CAAA;AACH,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,MAAiB,EAAE,IAAgB;IACpE,MAAM,CAAC,YAAY,CACjB,aAAa,EACb;QACE,WAAW,EAAE,2NAA2N;QACxO,WAAW,EAAE;YACX,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,6EAA6E,CAAC;YAClH,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,+DAA+D,CAAC;YACrH,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,4CAA4C,CAAC;YAC7G,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,6EAA6E,CAAC;YACrI,UAAU,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,kDAAkD,CAAC;YAC3G,OAAO,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,2DAA2D,CAAC;SACvH;KACF,EACD,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,IAAI,CAAC,CACzC,CAAA;AACH,CAAC"}

package/llms-full.txt ADDED Viewed

@@ -0,0 +1,399 @@
+# 402-mcp — Full Technical Reference
+> For a concise overview, see [llms.txt](llms.txt). This document provides the complete technical reference for integrating with, building on, or contributing to 402-mcp.
+## What is 402-mcp?
+402-mcp is an MCP (Model Context Protocol) server that gives AI agents economic agency — the ability to discover, pay for, and consume any L402 or x402 payment-gated API without human registration, API keys, or middlemen.
+It implements the client side of the L402 protocol: when an API responds with HTTP 402 (Payment Required), 402-mcp automatically parses the challenge, pays the Lightning invoice, stores the credential, and retries the request — all within a single tool call from the agent's perspective.
+## Architecture Overview
+```
+┌─────────────────────────────────────────────────────────────┐
+│  AI Agent (Claude, Cursor, GPT, custom)                     │
+│  Communicates via MCP protocol (stdio or HTTP transport)     │
+└──────────────────────┬──────────────────────────────────────┘
+                       │ MCP tool calls
+┌──────────────────────▼──────────────────────────────────────┐
+│  402-mcp MCP Server                                          │
+│                                                              │
+│  ┌──────────┐  ┌──────────┐  ┌─────────────┐               │
+│  │ Tools    │  │ Wallets  │  │ Stores      │               │
+│  │          │  │          │  │             │               │
+│  │ config   │  │ NWC      │  │ Credentials │               │
+│  │ discover │  │ Cashu    │  │ (AES-256)   │               │
+│  │ fetch    │  │ Human    │  │             │               │
+│  │ pay      │  │          │  │ Cashu       │               │
+│  │ creds    │  │          │  │ Tokens      │               │
+│  │ balance  │  │          │  │             │               │
+│  │ search   │  │          │  │             │               │
+│  │ buy_cred │  │          │  │             │               │
+│  │ redeem   │  │          │  │             │               │
+│  └──────────┘  └──────────┘  └─────────────┘               │
+│                                                              │
+│  ┌──────────────┐  ┌──────────────┐  ┌───────────────┐     │
+│  │ L402 Protocol│  │ Resilient    │  │ Spend         │     │
+│  │ parse, detect│  │ Fetch        │  │ Tracker       │     │
+│  │ cache, bolt11│  │ SSRF, retry  │  │ atomic caps   │     │
+│  └──────────────┘  └──────────────┘  └───────────────┘     │
+└──────────────────────┬──────────────────────────────────────┘
+                       │ HTTP + L402 / Nostr
+         ┌─────────────┼─────────────┐
+         ▼             ▼             ▼
+    ┌─────────┐  ┌──────────┐  ┌──────────┐
+    │toll-booth│  │ Aperture │  │  Nostr   │
+    │ server  │  │  server  │  │  Relays  │
+    └─────────┘  └──────────┘  └──────────┘
+```
+## Source Structure
+```
+src/
+  index.ts                 # Entry point: config, wiring, transport setup
+  config.ts                # Environment variable parsing with validation
+  spend-tracker.ts         # Atomic rolling-window spend limiter
+  tools/
+    config.ts              # l402_config — introspect capabilities
+    discover.ts            # l402_discover — probe pricing without paying
+    fetch.ts               # l402_fetch — full L402 payment flow
+    pay.ts                 # l402_pay — explicit invoice payment
+    credentials.ts         # l402_credentials — list stored credentials
+    balance.ts             # l402_balance — check cached credit balance
+    search.ts              # l402_search — discover services on Nostr
+    buy-credits.ts         # l402_buy_credits — toll-booth credit tiers
+    redeem-cashu.ts        # l402_redeem_cashu — direct ecash redemption
+    nostr-subscribe.ts     # Nostr relay subscription for search
+    safe-error.ts          # Error sanitisation (strips internal details)
+    safe-headers.ts        # Header sanitisation (strips auth tokens)
+  wallet/
+    types.ts               # WalletProvider interface
+    resolve.ts             # Priority-ordered wallet resolution
+    nwc.ts                 # NWC (Nostr Wallet Connect) implementation
+    cashu.ts               # Cashu ecash melt implementation
+    human.ts               # Human-in-the-loop (QR code + polling)
+  l402/
+    parse.ts               # Parse WWW-Authenticate L402 challenges
+    detect.ts              # Detect toll-booth vs generic L402 servers
+    bolt11.ts              # Decode BOLT11 invoices (amount extraction)
+    challenge-cache.ts     # Cache parsed challenges for l402_pay
+  store/
+    credentials.ts         # Encrypted credential persistence (JSON)
+    cashu-tokens.ts        # Cashu token store (add/remove/balance)
+    encryption.ts          # AES-256-GCM encryption (keychain or file key)
+  fetch/
+    resilient-fetch.ts     # Timeout, retry, response size limits
+    ssrf-guard.ts          # Block requests to private/internal IPs
+    errors.ts              # Fetch error types
+tests/                     # Mirrors src/ structure
+  e2e/                     # Integration tests against in-process toll-booth
+```
+## Complete Tool Reference
+### l402_config
+**Purpose:** Introspect the agent's payment capabilities and current configuration.
+**Parameters:** None.
+**Returns:**
+- `nwcConfigured` (boolean) — whether an NWC wallet URI is set
+- `cashuConfigured` (boolean) — whether Cashu tokens are loaded with balance > 0
+- `cashuBalanceSats` (number) — total Cashu token balance in satoshis
+- `maxAutoPaySats` (number) — per-payment safety cap
+- `credentialCount` (number) — number of stored L402 credentials
+**When to use:** Call first in any session to understand what the agent can do autonomously.
+---
+### l402_discover
+**Purpose:** Probe an endpoint to discover pricing without paying.
+**Parameters:**
+- `url` (string, required) — the endpoint to probe
+- `method` (string, optional) — HTTP method (default: GET)
+- `headers` (object, optional) — additional headers
+**Returns:**
+- `amountSats` (number) — price in satoshis
+- `server` (string) — detected server type ("toll-booth" or null)
+- `hasTiers` (boolean) — whether credit tiers are available
+- `challenge` — cached for subsequent `l402_pay`
+**When to use:** Before committing to a purchase, so the agent can reason about value.
+---
+### l402_fetch
+**Purpose:** Make an HTTP request with automatic L402 payment handling.
+**Parameters:**
+- `url` (string, required) — the endpoint to fetch
+- `method` (string, optional) — HTTP method (default: GET)
+- `headers` (object, optional) — additional headers
+- `body` (string, optional) — request body
+- `paymentMethod` (string, optional) — force a specific payment rail
+**Behaviour:**
+1. Checks for existing credential for the origin
+2. Makes the HTTP request (with credential if available)
+3. If 402 received: parses challenge, checks amount against `MAX_AUTO_PAY_SATS` and rolling spend cap
+4. If within budget: pays invoice, stores credential, retries request
+5. If over budget: returns the price and asks for human approval
+6. Returns response body, status, headers, and remaining credit balance
+**When to use:** Primary tool for consuming L402 APIs. Handles the entire flow.
+---
+### l402_pay
+**Purpose:** Pay a specific Lightning invoice.
+**Parameters:**
+- `invoice` (string, required) — BOLT11 invoice to pay
+- `paymentMethod` (string, optional) — force a specific payment rail
+- `challengeId` (string, optional) — ID from a previous `l402_discover` to associate the payment
+**Returns:**
+- `paid` (boolean)
+- `preimage` (string) — payment proof
+- `method` (string) — which wallet paid
+**When to use:** When you have an invoice from a non-L402 source, or want explicit control.
+---
+### l402_credentials
+**Purpose:** List all stored L402 credentials.
+**Parameters:** None.
+**Returns:** Array of credentials with:
+- `origin` — server origin
+- `creditBalance` — cached balance (if known)
+- `server` — detected server type
+- `storedAt` / `lastUsed` — timestamps
+**When to use:** Auditing spend, checking which servers have been paid.
+---
+### l402_balance
+**Purpose:** Check cached credit balance for a server.
+**Parameters:**
+- `url` (string, required) — server URL to check
+**Returns:**
+- `balance` (number | null) — credits remaining, or null if unknown
+**When to use:** Before calling `l402_fetch` to confirm sufficient balance.
+---
+### l402_search
+**Purpose:** Discover L402 services on Nostr relays.
+**Parameters:**
+- `query` (string, required) — search text to match against service names, descriptions, capabilities
+- `relays` (string[], optional) — Nostr relay URLs (defaults to damus, primal, nos.lol)
+- `topics` (string[], optional) — filter by topic tags (e.g. ["ai", "data"])
+- `paymentMethod` (string, optional) — filter by payment method (e.g. "bitcoin-lightning-bolt11")
+- `maxResults` (number, optional) — max results (default 20)
+- `timeout` (number, optional) — relay timeout in ms (default 5000)
+**Returns:** Array of services with:
+- `name`, `url`, `about` — service metadata
+- `pricing` — array of `{ capability, amount, unit }`
+- `paymentMethods` — supported payment methods
+- `topics` — topic tags
+- `capabilities` — array of `{ name, description }`
+**When to use:** When the agent needs a paid API but doesn't know the URL. Searches the decentralised Nostr network for kind 31402 service announcements.
+---
+### l402_buy_credits (toll-booth only)
+**Purpose:** Browse and purchase volume discount credit tiers.
+**Parameters:**
+- `url` (string, required) — toll-booth server URL
+- `amountSats` (number, optional) — specific tier to purchase
+- `paymentMethod` (string, optional) — force a specific payment rail
+**Behaviour:** Fetches available tiers, purchases the specified tier, stores the credential with the credit balance.
+**When to use:** When multiple requests are needed — buying a tier upfront is cheaper than paying per-request.
+---
+### l402_redeem_cashu (toll-booth only)
+**Purpose:** Redeem Cashu ecash tokens directly with the server.
+**Parameters:**
+- `url` (string, required) — toll-booth server URL
+- `token` (string, required) — Cashu token to redeem
+**Behaviour:** Sends the raw Cashu token to the toll-booth's redemption endpoint. The server credits the balance immediately without a Lightning round-trip.
+**When to use:** When both agent and server support Cashu — faster and cheaper than melting tokens to pay an invoice.
+## L402 Protocol Flow
+The L402 protocol is an extension of HTTP 402 (Payment Required):
+1. **Client** sends a request to a protected endpoint
+2. **Server** responds with `402 Payment Required` and headers:
+   - `WWW-Authenticate: L402 macaroon="<base64>", invoice="<bolt11>"`
+3. **Client** decodes the BOLT11 invoice, pays it via Lightning, receives a preimage
+4. **Client** retries the request with:
+   - `Authorization: L402 <base64-macaroon>:<hex-preimage>`
+5. **Server** validates the macaroon + preimage and returns the data
+402-mcp handles steps 2–5 automatically within `l402_fetch`.
+## Wallet Priority and Resolution
+Wallets are tried in order: NWC → Cashu → Human. The first wallet that succeeds is used.
+| Wallet | Autonomy | Requirements | Speed |
+|--------|----------|-------------|-------|
+| NWC | Fully autonomous | `NWC_URI` env var pointing to a Lightning wallet | ~2-5 seconds |
+| Cashu | Fully autonomous | `CASHU_TOKENS` file with ecash tokens | ~3-8 seconds |
+| Human | Requires human | None — always available as fallback | Minutes |
+The agent can force a specific method per-call using the `paymentMethod` parameter.
+## Safety and Spend Limits
+### Per-payment cap
+`MAX_AUTO_PAY_SATS` (default: 1000) caps any single payment. If an invoice exceeds this:
+- The agent is told the price and asked to seek human approval
+- The human wallet (QR code) is used for the actual payment
+- The credential is stored normally after payment
+### Rolling spend cap
+`MAX_SPEND_PER_MINUTE_SATS` (default: 10000) caps total spend in any 60-second window. This prevents:
+- Rapid successive small payments exceeding a total budget
+- Runaway loops where the agent keeps buying credits
+- Both caps use atomic `tryRecord()` to prevent TOCTOU race conditions
+### SSRF Protection
+All outbound HTTP requests pass through an SSRF guard:
+- Blocks requests to private IP ranges (10.x, 172.16-31.x, 192.168.x, 127.x, ::1)
+- Blocks requests to link-local, loopback, and metadata service IPs
+- `SSRF_ALLOW_PRIVATE=true` disables this for local development only
+### Credential Security
+- Credentials encrypted with AES-256-GCM
+- Encryption key stored in OS keychain (macOS Keychain, Windows Credential Vault, Linux Secret Service) when available
+- Falls back to file-based key at `~/.402-mcp/encryption.key` with a console warning
+- Preimages validated as hex before storage to prevent header injection
+- Credential store path must be within the home directory (path traversal protection)
+## Transport Modes
+### stdio (default)
+Standard MCP transport — used by Claude Desktop, Cursor, and most MCP clients. The server reads JSON-RPC from stdin and writes to stdout.
+```bash
+npx 402-mcp
+```
+### HTTP
+StreamableHTTP transport for network access. Useful for remote agents, multi-client setups, or deployment behind a reverse proxy.
+```bash
+TRANSPORT=http PORT=3402 npx 402-mcp
+```
+HTTP transport includes:
+- Rate limiting: 100 requests per 60 seconds per IP
+- Security headers: CSP, X-Frame-Options, X-Content-Type-Options, Cache-Control
+- Loopback-only binding by default (`BIND_ADDRESS=127.0.0.1`)
+- Health endpoint at `GET /health`
+- Graceful shutdown on SIGTERM/SIGINT
+## Configuration Reference
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `NWC_URI` | — | Nostr Wallet Connect URI for autonomous Lightning payments. Cleared from env after reading. |
+| `CASHU_TOKENS` | — | Path to Cashu token store file. Must be within home directory. |
+| `MAX_AUTO_PAY_SATS` | 1000 | Per-payment safety cap (satoshis). 0 disables autonomous payments. |
+| `MAX_SPEND_PER_MINUTE_SATS` | 10000 | Rolling 60-second spend cap (satoshis). |
+| `CREDENTIAL_STORE` | `~/.402-mcp/credentials.json` | Path to encrypted credential store. Must be within home directory. |
+| `TRANSPORT` | `stdio` | Transport mode: `stdio` or `http`. |
+| `PORT` | 3402 | HTTP server port (when `TRANSPORT=http`). |
+| `BIND_ADDRESS` | `127.0.0.1` | HTTP bind address. Warning emitted for non-loopback addresses. |
+| `CORS_ORIGIN` | disabled | CORS origin for HTTP transport. |
+| `FETCH_TIMEOUT_MS` | 30000 | HTTP request timeout in milliseconds. |
+| `FETCH_MAX_RETRIES` | 2 | Maximum retry attempts for failed requests. Money-mutating POSTs use 0. |
+| `FETCH_MAX_RESPONSE_BYTES` | 10485760 | Maximum response body size (10 MB). |
+| `HUMAN_PAY_TIMEOUT_S` | 600 | Timeout for human payment (seconds). |
+| `HUMAN_PAY_POLL_S` | 3 | Initial polling interval for human payment (seconds). |
+| `SSRF_ALLOW_PRIVATE` | false | Allow requests to private IP ranges. Local development only. |
+| `NODE_TLS_REJECT_UNAUTHORIZED` | — | Warning emitted if set to "0" (disables TLS validation). |
+## Ecosystem
+| Project | Role | URL |
+|---------|------|-----|
+| **402-mcp** | MCP client — AI agents discover, pay, and consume L402 APIs | https://github.com/TheCryptoDonkey/402-mcp |
+| **toll-booth** | L402 payment middleware for any Node.js server | https://github.com/TheCryptoDonkey/toll-booth |
+| **satgate** | Pay-per-token AI inference proxy (built on toll-booth) | https://github.com/TheCryptoDonkey/satgate |
+| **402-announce** | Publish L402 services on Nostr for decentralised discovery | https://github.com/TheCryptoDonkey/402-announce |
+## Integration Patterns
+### Agent discovers and consumes a paid API
+```
+1. l402_config()                    → Understand capabilities
+2. l402_search("routing")           → Find services on Nostr
+3. l402_discover(service_url)       → Check pricing
+4. l402_fetch(service_url, ...)     → Pay and consume
+```
+### Agent buys credits for repeated access
+```
+1. l402_discover(url)               → Detect toll-booth, check tiers
+2. l402_buy_credits(url, 500)       → Buy 500-sat tier (555 credits)
+3. l402_fetch(url, ...) × N         → Use credits (no payment per-request)
+4. l402_balance(url)                → Check remaining credits
+```
+### Agent redeems Cashu tokens directly
+```
+1. l402_discover(url)               → Confirm toll-booth server
+2. l402_redeem_cashu(url, token)    → Direct ecash redemption
+3. l402_fetch(url, ...)             → Use credits from redemption
+```
+### Agent with no wallet (human-in-the-loop)
+```
+1. l402_fetch(url)                  → 402 received, amount shown
+2. Agent presents QR code to user   → Human pays via wallet app
+3. Poll detects payment             → Credential stored, data returned
+```

package/llms.txt ADDED Viewed

@@ -0,0 +1,148 @@
+# 402-mcp
+> 402-mcp is an MCP server that gives AI agents economic agency — the ability to discover, pay for, and consume any L402 or x402 payment-gated API without human registration, API keys, or middlemen. It speaks the L402 protocol natively, carries its own payment methods, and makes autonomous purchasing decisions within human-set safety limits.
+402-mcp is protocol-loyal: it works with any L402-compliant server (toll-booth, Aperture, or any conforming implementation), not just a specific vendor's stack. Bonus features activate automatically when talking to a toll-booth server. Three payment rails are supported — NWC (Nostr Wallet Connect), Cashu ecash, and human-in-the-loop — tried in that priority order so the agent picks the most autonomous option available.
+Agents can also discover paid APIs without knowing URLs upfront. The `l402_search` tool queries Nostr relays for kind 31402 service announcements — a decentralised registry of L402-enabled services.
+## Getting Started
+Run instantly with no configuration required:
+```bash
+npx 402-mcp
+```
+For HTTP transport (useful for remote agents or multi-client setups):
+```bash
+TRANSPORT=http npx 402-mcp
+```
+### Claude Desktop / Cursor
+Add to your MCP configuration:
+```json
+{
+  "mcpServers": {
+    "l402": {
+      "command": "npx",
+      "args": ["402-mcp"],
+      "env": {
+        "NWC_URI": "nostr+walletconnect://...",
+        "MAX_AUTO_PAY_SATS": "1000"
+      }
+    }
+  }
+}
+```
+### Configuration
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `NWC_URI` | — | Nostr Wallet Connect URI for autonomous Lightning payments |
+| `CASHU_TOKENS` | — | Path to Cashu token store file |
+| `MAX_AUTO_PAY_SATS` | 1000 | Safety cap; payments above this require human confirmation |
+| `MAX_SPEND_PER_MINUTE_SATS` | 10000 | Rolling 60-second spend cap across all payments |
+| `CREDENTIAL_STORE` | `~/.402-mcp/credentials.json` | Persistent macaroon/credential storage |
+| `TRANSPORT` | `stdio` | Transport mode: `stdio` or `http` |
+| `PORT` | 3402 | HTTP server port (when `TRANSPORT=http`) |
+## Key Concepts
+- **L402** — an HTTP payment protocol where a server responds to unauthenticated requests with HTTP 402, a Lightning invoice, and a macaroon. The client pays the invoice, then sends `Authorization: L402 <macaroon>:<preimage>` to access the API.
+- **Economic agency** — the agent discovers a service, reads the price, pays the invoice, and retrieves the data, all within a single tool call. No human registration required.
+- **Safety cap** — `MAX_AUTO_PAY_SATS` sets the maximum any single autonomous payment can be. Above this limit, the agent asks for human approval. A rolling 60-second spend cap (`MAX_SPEND_PER_MINUTE_SATS`) prevents runaway spending.
+- **Credential store** — paid macaroons are persisted locally and encrypted with AES-256-GCM. Subsequent requests to the same server reuse credentials rather than paying again.
+- **Credit balance** — many L402 servers (including toll-booth) grant a credit balance after payment. 402-mcp tracks and caches that balance so the agent can reason about remaining capacity.
+- **Service discovery** — agents can search for L402 services on Nostr relays by querying kind 31402 announcements, finding paid APIs by topic, capability, or payment method.
+## Core L402 Tools
+These tools work with any L402-compliant server.
+### `l402_config`
+Introspect the agent's payment capabilities and current configuration. Returns wallet status (NWC connected, Cashu tokens loaded), the `MAX_AUTO_PAY_SATS` limit, and the number of stored credentials. Call this first so the agent knows what it can do autonomously.
+### `l402_discover`
+Probe an endpoint to discover its pricing without making a payment. Returns the invoice amount in satoshis, the macaroon challenge, and whether the server is a toll-booth instance (which enables extension tools). Use this before committing to a purchase so the agent can reason about value.
+### `l402_fetch`
+Make an HTTP request to an L402-protected endpoint. Handles the full payment flow automatically: detects 402 responses, pays the invoice if the amount is within the `MAX_AUTO_PAY_SATS` budget and the rolling spend cap, stores the credential, and retries the request. Returns the response body on success. This is the primary tool for consuming L402 APIs.
+### `l402_pay`
+Pay a specific Lightning invoice directly. Tries payment methods in priority order: NWC, Cashu, human-in-the-loop. Use this when you have an invoice from a source other than `l402_fetch`, or when you want explicit control over the payment step.
+### `l402_credentials`
+List all stored L402 credentials and their cached credit balances. Shows which servers the agent has already paid and what capacity remains. Useful for auditing spend and avoiding redundant payments.
+### `l402_balance`
+Check the cached credit balance for a specific server URL. Returns the number of credits remaining without making a network request. Use this before calling `l402_fetch` to confirm there is sufficient balance before consuming credits.
+### `l402_search`
+Search for L402 services on Nostr relays. Queries kind 31402 announcement events and returns matching services with their names, URLs, pricing, capabilities, and supported payment methods. Filter by query text, topics (e.g. "ai", "data"), or payment method. Use the returned URL with `l402_discover` or `l402_fetch` to interact with the service. This enables agents to find paid APIs without knowing URLs upfront — a decentralised alternative to API directories.
+## toll-booth Extension Tools
+These tools activate automatically when the target server is a toll-booth instance (detected via `l402_discover`).
+### `l402_buy_credits`
+Browse and purchase volume discount credit tiers offered by the server. toll-booth servers can expose multiple tiers (e.g. 100 sats for 110 credits, 500 sats for 555 credits). The agent can inspect the tiers, reason about how many requests it needs, and buy the best-value tier upfront rather than paying per-request.
+### `l402_redeem_cashu`
+Redeem Cashu ecash tokens directly with the toll-booth server, bypassing the Lightning round-trip. toll-booth accepts raw ecash tokens and credits the balance immediately. This is faster and cheaper than melting tokens to pay a Lightning invoice when both sides support Cashu.
+## Payment Methods
+Three payment rails are tried in priority order:
+1. **NWC (Nostr Wallet Connect)** — fully autonomous. The agent pays invoices directly from a connected Lightning wallet via the NWC protocol. Configure with `NWC_URI`. No human interaction required.
+2. **Cashu** — fully autonomous. The agent melts ecash tokens to pay invoices. Configure with `CASHU_TOKENS` pointing to a token store file. No Lightning node required on the agent side.
+3. **Human-in-the-loop** — fallback when no autonomous payment method is configured or when a payment exceeds the `MAX_AUTO_PAY_SATS` cap. The agent presents a payment QR code and polls for settlement. Control returns to the agent once the human has paid.
+The agent can override the payment method per-call, or you can configure only the methods you want available.
+## Safety Model
+Two safety primitives protect against runaway spending:
+1. **`MAX_AUTO_PAY_SATS`** — caps any single autonomous payment. Above this threshold, the agent must ask for human approval.
+2. **`MAX_SPEND_PER_MINUTE_SATS`** — rolling 60-second window cap across all payments. Prevents rapid successive payments from exceeding a total budget even if each individual payment is below the per-payment cap.
+The human stays in control of three things: the safety caps, which payment methods are available, and credential visibility. The agent operates within those boundaries, not around them.
+## Security
+- **SSRF protection** — all outbound requests pass through an SSRF guard that blocks private/internal IP ranges by default. Set `SSRF_ALLOW_PRIVATE=true` only for local development.
+- **Credential encryption** — stored credentials are encrypted with AES-256-GCM. The encryption key is stored in the OS keychain when available, falling back to a file-based key with a warning.
+- **Preimage validation** — preimages are validated as hex before storage to prevent header injection.
+- **Spend tracking** — atomic `tryRecord()` prevents TOCTOU race conditions in concurrent spend checks.
+- **HTTP transport hardening** — rate limiting (100 req/60s per IP), security headers (CSP, X-Frame-Options, nosniff), and loopback-only binding by default.
+## Ecosystem
+**toll-booth** is the server counterpart to 402-mcp. It is L402 payment middleware that embeds into any Node.js application (Express 5, Deno, Bun, Cloudflare Workers), gates endpoints behind Lightning or Cashu payments, and supports credit tiers and free tiers. Any server protected by toll-booth automatically gets the full set of 402-mcp tools including the extension tools.
+https://github.com/TheCryptoDonkey/toll-booth
+**satgate** demonstrates the AI inference use case: a proxy that gates access to AI model endpoints (Ollama, vLLM, llama.cpp) behind L402 payments. Agents use 402-mcp to discover pricing, pay per-request or buy credit tiers, and consume inference capacity without pre-provisioned API keys.
+https://github.com/TheCryptoDonkey/satgate
+**402-announce** publishes HTTP 402 services on Nostr as kind 31402 events, making them discoverable by `l402_search`. Operators run it alongside their L402 server to announce capabilities, pricing, and payment methods to the decentralised network.
+https://github.com/TheCryptoDonkey/402-announce

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "402-mcp",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "description": "L402 + x402 client MCP - AI agents discover, pay for, and consume any payment-gated API",
   "type": "module",
   "bin": {
@@ -71,7 +71,9 @@
   "files": [
     "build",
     "LICENSE",
-    "README.md"
+    "README.md",
+    "llms.txt",
+    "llms-full.txt"
   ],
   "license": "MIT"
 }