@oobe-protocol-labs/sap-mcp-server 0.1.0

package/docs/06_PAYMENTS_X402_AND_PAYSH.md

@@ -0,0 +1,162 @@
+# 06. Payments, x402, And pay.sh
+
+## 06.1 Payment Principles
+
+SAP MCP monetization is remote-only by default. Local stdio remains a local developer/operator experience.
+
+The server does not charge for connecting. Payment is evaluated per MCP request, primarily for `tools/call`.
+
+## 06.2 Initial Pricing Model
+
+| Tier | Examples | Price |
+| --- | --- | --- |
+| Free | `tools/list`, `prompts/list`, `resources/list`, `sap_profile_current`, base overview | Free |
+| Premium read | `sap_list_all_agents`, enriched network stats, indexed discovery | `$0.007` to `$0.01` |
+| Builder or batch | complex builders, SNS/domain batch checks, enriched analytics | `$0.01` to `$0.10` |
+| Value action | settlement-like or value-linked operations where appropriate | fixed `$0.20` plus optional `0.5%` |
+
+Do not apply percentage fees blindly to swaps or financial routing. Those workflows may create compliance, custody, and routing implications.
+
+## 06.3 x402 Role
+
+x402 is the native payment gate used by SAP MCP for paid hosted requests.
+
+For hosted users, the x402/pay.sh payment authorization is signed by the user's wizard-created SAP profile wallet or external signer. The hosted MCP server verifies and settles payments; it does not hold or receive customer keypair bytes.
+
+Flow:
+
+1. Client sends a JSON-RPC request to `POST /mcp`.
+2. SAP MCP parses the request and resolves the tool pricing tier.
+3. Free requests execute without payment.
+4. Paid requests return payment requirements when no valid payment is provided.
+5. The client signs the payment with the user's configured local wallet or external signer.
+6. Client retries with `PAYMENT-SIGNATURE` or `X-PAYMENT`.
+7. SAP MCP verifies the payment with the configured facilitator.
+8. Tool executes.
+9. SAP MCP settles or cancels the payment based on handler result.
+
+SAP MCP accepts both header names:
+
+```text
+PAYMENT-SIGNATURE: <x402 payment payload>
+X-PAYMENT: <x402 payment payload>
+```
+
+## 06.4 Payment Test Matrix
+
+Before mainnet launch, verify these cases on devnet:
+
+| Case | Expected result |
+| --- | --- |
+| `initialize` | Free, no payment challenge. |
+| `tools/list` | Free, no payment challenge. |
+| Free tool such as `sap_profile_current` | Free, no payment challenge. |
+| Paid tool without payment | HTTP payment-required response with x402 instructions. |
+| Paid tool with no user signer configured | Client cannot produce a valid payment signature; run the wizard or configure an external signer. |
+| Paid tool with valid payment | Tool executes, facilitator verifies, settlement is attempted. |
+| Paid tool with handler failure | Payment is canceled and tool error is returned. |
+| Paid batch call | Price is aggregated and route is bound to request hash. |
+| Facilitator unavailable | Paid call fails closed, not free. |
+| pay.sh checkout configured | 402 body includes checkout URL, but SAP MCP remains pricing authority. |
+
+## 06.5 pay.sh Role
+
+pay.sh is useful as a provider/catalog/proxy layer for public distribution and checkout UX.
+
+Important distinction:
+
+1. pay.sh can expose and route the hosted SAP MCP endpoint.
+2. pay.sh can provide a checkout or provider YAML surface.
+3. SAP MCP still performs per-tool x402 pricing internally.
+4. A raw endpoint-level pay.sh charge on `/mcp` can accidentally charge free protocol calls if the proxy is not body-aware.
+
+For that reason, SAP MCP should remain the pricing source of truth for MCP `tools/call` requests.
+
+## 06.6 Enable Monetization
+
+Configure monetization through a private environment store. Public docs should not include live facilitator URLs, auth tokens, payment recipients, RPC credentials, or signer paths.
+
+Required categories:
+
+```bash
+SAP_MCP_MONETIZATION_ENABLED=true
+SAP_MCP_MONETIZATION_PROVIDER=x402
+SAP_MCP_MONETIZATION_PAY_TO=<revenue-recipient>
+SAP_MCP_MONETIZATION_NETWORK=<x402-network-id>
+SAP_MCP_X402_FACILITATOR_URL=<private-or-hosted-facilitator-url>
+SAP_MCP_X402_FACILITATOR_AUTH_TOKEN=<private-facilitator-auth-token>
+SAP_MCP_X402_MAX_TIMEOUT_SECONDS=<timeout-seconds>
+SAP_MCP_PAY_SH_CHECKOUT_URL=<optional-pay-sh-checkout-url>
+```
+
+`SAP_MCP_MONETIZATION_PAY_TO` is the revenue recipient. It is not the facilitator signer, not a customer payment signer, and not an agent wallet.
+
+## 06.7 Facilitator Keypair
+
+The facilitator needs its own dedicated signer. Initialize it:
+
+```bash
+npx sap-mcp-facilitator init
+```
+
+Then fund the printed facilitator public key with SOL on the configured network. Store the facilitator signer path in private deployment config, not in public docs.
+
+```text
+<private-facilitator-signer-path>
+```
+
+The facilitator signer is used for facilitator operations. It must be separate from:
+
+1. SAP agent profile wallets.
+2. Solana CLI `id.json`.
+3. Revenue recipient wallet.
+4. Customer wallets.
+
+## 06.8 Start Facilitator
+
+Start the facilitator through PM2, systemd, or a container supervisor with private environment injection:
+
+```bash
+npx sap-mcp-facilitator start
+```
+
+If the facilitator binds to a non-loopback host or is reachable across a network boundary, an auth token is required.
+
+## 06.9 Generate pay.sh Provider YAML
+
+```bash
+npx sap-mcp-pay-sh-spec \
+  --out sap-mcp-pay-sh.yml \
+  --upstream-url https://mcp.sap.oobeprotocol.ai \
+  --network mainnet \
+  --recipient YOUR_SOLANA_USDC_RECIPIENT \
+  --subdomain oobe-sap-mcp \
+  --title "OOBE SAP MCP Server"
+```
+
+Options:
+
+| Option | Meaning |
+| --- | --- |
+| `--config <path>` | Load a specific SAP MCP config JSON. |
+| `--out <path>` | Write YAML to a file. |
+| `--upstream-url <url>` | Hosted SAP MCP base URL. |
+| `--network <name>` | `mainnet`, `devnet`, or `localnet`. |
+| `--recipient <pubkey>` | Revenue wallet override. |
+| `--rpc-url <url>` | pay.sh operator RPC URL. |
+| `--signer-path <path>` | pay.sh operator signer file. |
+| `--subdomain <slug>` | pay.sh provider slug. |
+| `--title <text>` | pay.sh provider title. |
+| `--no-fee-payer` | Disable operator fee-payer sponsorship. |
+
+## 06.10 Usage Ledger
+
+Payment decisions are written to the usage ledger. The ledger should store:
+
+1. Request hash.
+2. Tool name.
+3. Pricing decision.
+4. Verification status.
+5. Settlement or cancellation state.
+
+It must not store raw keypair bytes, raw private keys, raw payment secrets, or sensitive full request payloads.

package/docs/07_ENDPOINTS_AND_CLIENTS.md

@@ -0,0 +1,114 @@
+# 07. Endpoints And Clients
+
+## 07.1 Remote MCP Endpoints
+
+| Method | Path | Purpose | Auth |
+| --- | --- | --- | --- |
+| `GET` | `/health` | Health check. | No, unless reverse proxy requires it. |
+| `GET` | `/.well-known/agent-card.json` | A2A-compatible discovery card. | Usually public. |
+| `GET` | `/.well-known/sap-mcp-wizard.json` | Machine-readable wizard install metadata for agents that cannot see local config. | Public. |
+| `GET` | `/wizard/install.sh` | Small shell launcher that runs the npm-hosted SAP MCP wizard. | Public. |
+| `POST` | `/mcp` | MCP JSON-RPC requests. | Public in `SAP_MCP_AUTH_TYPE=none`; Bearer in private modes. Paid tools require x402. |
+| `GET` | `/mcp` | Streamable HTTP session stream. | Same as `POST /mcp`. |
+| `DELETE` | `/mcp` | Streamable HTTP session cleanup. | Same as `POST /mcp`. |
+
+## 07.2 Facilitator Endpoints
+
+| Method | Path | Purpose |
+| --- | --- | --- |
+| `GET` | `/facilitator/health` | Facilitator health. |
+| `GET` | `/facilitator/supported` | Supported x402 payment schemes and networks. |
+| `POST` | `/facilitator/verify` | Verify a payment payload. |
+| `POST` | `/facilitator/settle` | Settle a verified payment. |
+
+Protect facilitator endpoints with `SAP_MCP_FACILITATOR_AUTH_TOKEN` outside local-only development.
+
+## 07.3 Required Remote Headers
+
+Public hosted agent-facing mode:
+
+```text
+Content-Type: application/json
+Accept: application/json, text/event-stream
+```
+
+Private API key/JWT mode adds:
+
+```text
+Authorization: Bearer <api-key-or-jwt>
+```
+
+For paid requests, add one of:
+
+```text
+PAYMENT-SIGNATURE: <x402 payment payload>
+X-PAYMENT: <x402 payment payload>
+```
+
+## 07.4 Initialize Smoke Test
+
+```bash
+curl -i https://mcp.sap.oobeprotocol.ai/mcp \
+  -H "Content-Type: application/json" \
+  -H "Accept: application/json, text/event-stream" \
+  --data '{
+    "jsonrpc":"2.0",
+    "id":1,
+    "method":"initialize",
+    "params":{
+      "protocolVersion":"2025-06-18",
+      "capabilities":{},
+      "clientInfo":{"name":"smoke","version":"1.0.0"}
+    }
+  }'
+```
+
+## 07.5 Tool List Smoke Test
+
+```bash
+curl -i https://mcp.sap.oobeprotocol.ai/mcp \
+  -H "Content-Type: application/json" \
+  -H "Accept: application/json, text/event-stream" \
+  --data '{
+    "jsonrpc":"2.0",
+    "id":2,
+    "method":"tools/list",
+    "params":{}
+  }'
+```
+
+## 07.6 Local Client Config
+
+```json
+{
+  "mcpServers": {
+    "sap": {
+      "command": "sap-mcp-server",
+      "env": {
+        "SAP_MCP_ALLOW_ENV_CONFIG_OVERRIDE": "false",
+        "SAP_LOG_LEVEL": "info"
+      }
+    }
+  }
+}
+```
+
+## 07.7 Remote Client Config
+
+```yaml
+mcp_servers:
+  sap:
+    url: https://mcp.sap.oobeprotocol.ai/mcp
+    transport: streamable-http
+```
+
+## 07.8 MCP Client Behavior
+
+Clients should:
+
+1. Use the server's language behavior when responding to users.
+2. Not assume devnet or mainnet from old local environment variables.
+3. Read the profile/context tools before making network claims.
+4. Treat keypair files as secret material.
+5. Retry paid calls with x402 headers only when the server returns payment requirements.
+6. If local `~/.config/mcp-sap` config is missing or inaccessible, send the user to `/.well-known/sap-mcp-wizard.json` or `/wizard/install.sh` instead of asking for keypair bytes.

package/docs/08_SECURITY_POLICY_AND_SIGNING.md

@@ -0,0 +1,134 @@
+# 08. Security, Policy, And Signing
+
+## 08.1 Key Material Rules
+
+1. Never expose keypair byte arrays to agents.
+2. Never print private keys in logs, CLI output, MCP resources, MCP prompts, or errors.
+3. Never inject keypair bytes into Claude, Hermes, Codex, OpenClaw, or other client config.
+4. Never use the Solana CLI keypair as an implicit SAP MCP wallet.
+5. Use dedicated SAP MCP profile keypairs under `~/.config/mcp-sap/keypairs/`.
+6. Use a separate facilitator signer for x402 facilitator operations.
+
+## 08.2 Signer Modes
+
+| Mode | Signing behavior |
+| --- | --- |
+| `readonly` | No signing. Safe for public read-only hosted deployments. |
+| `local-dev-keypair` | Uses a dedicated local SAP MCP keypair. Best for local development. |
+| `external-signer` | Delegates signing to an external signer service or local signing proxy. |
+| `hosted-api` | Hosted server mode for API workflows where raw customer keys do not live in process. |
+
+## 08.3 External Signing Protocol
+
+Use external signing when a remote MCP workflow needs user-controlled signatures without uploading the user's keypair to the hosted server.
+
+The local signing proxy exposes:
+
+```text
+GET  /sign/<profile>
+POST /sign/<profile>
+GET  /health
+```
+
+Set the same bearer token on both sides:
+
+```bash
+SAP_SIGNING_AUTH_TOKEN=replace-with-local-token
+SAP_EXTERNAL_SIGNER_AUTH_TOKEN=replace-with-local-token
+SAP_EXTERNAL_SIGNER_URL=http://127.0.0.1:8765/sign/<profile>
+```
+
+`GET /sign/<profile>` returns:
+
+```json
+{
+  "publicKey": "..."
+}
+```
+
+`POST /sign/<profile>` accepts:
+
+```json
+{
+  "transaction": "base64-serialized-transaction",
+  "sessionId": "optional-session-id"
+}
+```
+
+The `<profile>` is resolved through the SAP MCP profile manager first, then through canonical keypair filenames under `~/.config/mcp-sap/keypairs/`. The signing proxy intentionally does not fall back to legacy `agents/` directories.
+
+Recommended flow:
+
+1. User runs `npx sap-mcp-config wizard` locally.
+2. User starts `sap-signing-proxy` on `127.0.0.1`.
+3. Remote workflow prepares an unsigned transaction or payload.
+4. Local signer signs through `POST /sign/<profile>`.
+5. The signed transaction returns to the caller without exposing keypair bytes.
+
+## 08.4 Policy Layers
+
+SAP MCP supports:
+
+1. Local policy engine.
+2. Bento policy engine.
+3. Hybrid policy engine.
+4. Spending limits.
+5. Tool permission mapping.
+6. Approval workflow for sensitive config changes.
+7. Unsafe action guard.
+8. Private-key guard.
+
+## 08.5 Bento Policy
+
+Bento can be enabled by profile:
+
+```json
+{
+  "bento": {
+    "enabled": true,
+    "agentId": "sap-agent"
+  },
+  "policy": {
+    "mode": "hybrid",
+    "failOpen": false,
+    "logging": true
+  }
+}
+```
+
+Production recommendation:
+
+1. Use `failOpen=false`.
+2. Keep local policy as a fallback boundary.
+3. Log policy decisions without logging secrets.
+4. Test denied, allowed, and degraded Bento paths before launch.
+
+## 08.6 Transaction Safety
+
+Before signing or submitting transactions, enforce:
+
+1. Tool permission.
+2. Profile mode.
+3. Daily limit.
+4. Max transaction value.
+5. Approval threshold.
+6. Network consistency.
+7. Private-key guard.
+8. Audit log.
+
+Agents must ask for approval before value-moving operations when policy requires it.
+
+## 08.7 Remote Hosted Safety
+
+For `mcp.sap.oobeprotocol.ai`:
+
+1. Use TLS at the reverse proxy.
+2. Use `SAP_MCP_AUTH_TYPE=none` for public agent-facing MCP when x402 monetization is enabled.
+3. Keep hosted payment and value-moving signatures user-controlled through the wizard-created local profile or an external signer.
+4. Never ask hosted users to paste keypair bytes into an MCP client config or upload wallet files to the hosted server.
+5. Keep the Node server behind `127.0.0.1` unless intentionally public.
+6. Use API keys or JWTs with rotation for private beta, enterprise, admin, or non-public deployments.
+7. Rate-limit abusive clients.
+8. Enable x402 only after facilitator health and settlement tests pass.
+9. Keep facilitator auth token private.
+10. Keep facilitator signer funded only to the level required for operation.

package/docs/09_TOOLS_SKILLS_AND_AGENT_GUIDE.md

@@ -0,0 +1,72 @@
+# 09. Tools, Skills, And Agent Guide
+
+## 09.1 Tool Families
+
+SAP MCP exposes several tool families:
+
+1. SAP SDK registry, discovery, reputation, escrow, memory, capability, SNS, and protocol tools.
+2. Synapse AgentKit tools.
+3. Solana RPC, token, NFT, DAS, transaction, network, and Jupiter tools.
+4. Profile tools such as current profile, switch profile, list profiles, and public key inspection.
+5. Skill-pack tools for installing SAP MCP usage context into agent runtimes.
+6. x402 tools for estimating, preparing, verifying, and settling paid workflows.
+
+## 09.2 Agent Context Rules
+
+Agents should:
+
+1. Call profile/context tools before claiming the current network.
+2. Respect the active profile's `rpcUrl`, `programId`, and `mode`.
+3. Prefer SAP SDK docs and skills when explaining SAP Protocol semantics.
+4. Answer in the user's language unless the user asks otherwise.
+5. Avoid showing internal thinking, keypair bytes, raw request secrets, or private config.
+6. Ask for approval before signing or value-moving operations when required by policy.
+
+## 09.3 Skills Directory
+
+The repo may include a `skills/` directory for client-installable SAP MCP operating instructions.
+
+Recommended skill topics:
+
+1. SAP MCP overview and safety rules.
+2. Solana protocol tool routing.
+3. SAP registry and discovery workflows.
+4. SNS identity workflows.
+5. x402 payment and settlement workflows.
+6. Transaction signing and approval workflows.
+7. Troubleshooting network/profile mismatch.
+
+## 09.4 Upstream SDK References
+
+Use upstream SAP SDK docs and skills as the source of protocol behavior:
+
+1. `https://github.com/OOBE-PROTOCOL/synapse-sap-sdk/tree/main/docs`
+2. `https://github.com/OOBE-PROTOCOL/synapse-sap-sdk/tree/main/skills`
+3. `https://github.com/OOBE-PROTOCOL/synapse-sap-sdk/tree/v0.21.0/skills`
+
+SAP MCP wrappers should map to real SDK imports and types from:
+
+1. `@oobe-protocol-labs/synapse-sap-sdk`
+2. `@oobe-protocol-labs/synapse-client-sdk`
+3. `@modelcontextprotocol/sdk`
+
+## 09.5 Tool Documentation Standard
+
+Each exported tool should include:
+
+1. Stable tool name.
+2. Clear title.
+3. Operational description.
+4. JSON schema or Zod schema that serializes correctly through MCP `tools/list`.
+5. Typed handler input.
+6. Typed handler output.
+7. Policy metadata.
+8. Payment tier when hosted monetization is enabled.
+9. Error behavior.
+
+Avoid stubs, fake compatibility wrappers, `any`, TODO-only handlers, and undocumented low-code glue.
+
+## 09.6 Language Behavior
+
+If a user asks in English, the agent should answer in English. If a user asks in Italian, the agent should answer in Italian. SAP MCP prompts and skills should reinforce this behavior because tool output may contain multilingual metadata.
+

package/docs/10_OPERATIONS_RELEASE_AND_PM2.md

@@ -0,0 +1,90 @@
+# 10. Operations, Release, And PM2
+
+## 10.1 Required Quality Gates
+
+Before release:
+
+```bash
+pnpm run typecheck
+pnpm run lint
+pnpm test -- --run
+pnpm run build
+npm pack --dry-run
+```
+
+or run the aggregate release gate:
+
+```bash
+pnpm run verify:release
+```
+
+For remote deployments, also run MCP smoke tests against `/mcp`.
+
+## 10.2 Process Manager Policy
+
+The repo ships `ecosystem.config.example.cjs` as a shape reference without live secrets. Do not publish the real production ecosystem file, host paths, listener ports, signer paths, RPC credentials, payment recipient, or facilitator auth values.
+
+Production process definitions should live in a private infrastructure repository or host-level secret manager.
+
+## 10.3 PM2 Commands
+
+```bash
+pm2 start <private-ecosystem-file>
+pm2 status
+pm2 logs <process-name>
+pm2 restart <process-name> --update-env
+pm2 save
+pm2 startup
+```
+
+## 10.4 Secrets
+
+Do not commit:
+
+1. `.env` files with live secrets.
+2. API keys.
+3. JWT secrets.
+4. Facilitator auth tokens.
+5. Keypair JSON files.
+6. PM2 ecosystem files containing production secrets.
+7. Customer configuration files.
+
+Use server-side secret management or private deployment files outside the public repo.
+
+## 10.5 Release Packaging
+
+Recommended release model:
+
+1. Public GitHub repository for source and docs.
+2. npm package for CLI, wizard, and local server installation.
+3. GitHub releases for signed artifacts and changelog.
+4. Private infrastructure repo or private environment store for production secrets.
+
+## 10.6 Changelog Discipline
+
+Each release should document:
+
+1. Runtime tool count.
+2. SDK versions.
+3. Transport changes.
+4. Config and wizard changes.
+5. Security changes.
+6. Payment changes.
+7. Breaking changes.
+8. Migration notes.
+9. Verification commands and results.
+
+## 10.7 Current Release Notes
+
+Version `0.1.0` includes:
+
+1. Local stdio and remote Streamable HTTP MCP modes.
+2. Profile-managed config under `~/.config/mcp-sap`.
+3. Dedicated SAP MCP wallet isolation.
+4. Optional client config injection for local agents.
+5. x402 monetization gate for paid hosted tool calls.
+6. OOBE self-hosted x402 SVM facilitator.
+7. pay.sh provider YAML generation.
+8. SAP SDK, SNS, Synapse AgentKit, Solana, profile, transaction, skill, and payment tools.
+9. Policy engine support with local, Bento, and hybrid modes.
+10. Security guardrails for private key exposure and unsafe actions.

package/docs/11_CODE_QUALITY_AUDIT.md

@@ -0,0 +1,49 @@
+# 11. Code Quality Audit
+
+This audit records the current engineering posture for SAP MCP Server `0.1.0`.
+
+## 11.1 Result
+
+| Area | Status | Notes |
+| --- | --- | --- |
+| Type safety | Pass | `tsc --noEmit --skipLibCheck` exits cleanly. No production `any` types were found in the audited source paths. |
+| Lint | Pass | `eslint src/` exits cleanly. |
+| Tests | Pass | `vitest --run` passes all current tests. |
+| Build | Pass | `tsc` plus the TUI build complete successfully. |
+| Package dry run | Pass | `npm pack --dry-run` includes the runtime, docs, skills, binaries, and PM2 example. |
+| Documentation surface | Pass | Public docs are numbered and current. Legacy root docs were removed to avoid conflicting setup instructions. |
+| Secret handling | Pass | Agent-facing context and injected MCP client config avoid keypair bytes and hard-coded wallet paths. |
+
+Overall assessment: production-ready for staging and public review, with the remaining validation focused on live infrastructure rather than local code hygiene.
+
+## 11.2 Engineering Standards
+
+The repository should keep these rules:
+
+1. Use native `@modelcontextprotocol/sdk` transports and server APIs.
+2. Wrap `@oobe-protocol-labs/synapse-sap-sdk` and `@oobe-protocol-labs/synapse-client-sdk` directly, without fake compatibility stubs.
+3. Keep profile-owned wallet and RPC settings under `~/.config/mcp-sap`.
+4. Do not expose keypair bytes in tools, prompts, resources, logs, tests, docs, or injected client config.
+5. Require local policy checks before signing or submitting transactions.
+6. Keep hosted public mode bearerless only when x402 monetization, rate limits, and facilitator auth are configured deliberately.
+7. Keep every exported class, function, interface, type, and enum documented with JSDoc when it is part of the production source surface.
+8. Keep generated files, OS metadata, old docs, temporary caches, and dead examples out of the public repository surface.
+
+## 11.3 Current Residual Risks
+
+| Risk | Severity | Mitigation |
+| --- | --- | --- |
+| Live x402 settlement behavior depends on the deployed facilitator and Solana RPC reliability. | Medium | Run devnet and mainnet payment smoke tests before public launch. |
+| Hosted remote deployment still needs TLS, process monitoring, and log shipping outside the Node process. | Medium | Use Caddy or nginx in front of PM2 and monitor auth, rate-limit, and payment failure metrics. |
+| `synapse-client-sdk` emits missing sourcemap warnings during tests. | Low | Non-blocking; track upstream package packaging quality. |
+| Local keypair mode remains powerful by design. | Medium | Keep approval thresholds, daily limits, and external signer mode available for production operators. |
+
+## 11.4 Verification Command
+
+Run the full local release gate before publishing or deploying:
+
+```bash
+pnpm run verify:release
+```
+
+This command runs typecheck, lint, tests, build, and npm package dry-run.

package/ecosystem.config.example.cjs

@@ -0,0 +1,55 @@
+/**
+ * SAP MCP Server PM2 ecosystem shape example.
+ *
+ * This file is intentionally non-production and uses placeholders. Copy it into a
+ * private infrastructure repository before adding real paths, ports, recipients,
+ * RPC providers, auth tokens, or signer locations.
+ */
+module.exports = {
+  apps: [
+    {
+      name: 'sap-mcp-remote',
+      script: 'dist/remote/server.js',
+      cwd: '<repo-root>',
+      instances: 1,
+      exec_mode: 'fork',
+      max_memory_restart: '1G',
+      env: {
+        NODE_ENV: 'production',
+        SAP_MCP_HOST: '<private-listener-host>',
+        SAP_MCP_PORT: '<private-listener-port>',
+        SAP_MCP_AUTH_TYPE: 'none',
+        SAP_MCP_PROFILE: '<hosted-profile-name>',
+        SAP_MCP_ALLOW_ENV_CONFIG_OVERRIDE: 'false',
+        SAP_MCP_LOG_LEVEL: 'info',
+        SAP_MCP_LOG_FORMAT: 'json',
+        SAP_MCP_MONETIZATION_ENABLED: 'true',
+        SAP_MCP_MONETIZATION_PROVIDER: 'x402',
+        SAP_MCP_MONETIZATION_PAY_TO: '<revenue-recipient>',
+        SAP_MCP_X402_FACILITATOR_URL: '<private-or-hosted-facilitator-url>',
+        SAP_MCP_X402_FACILITATOR_AUTH_TOKEN: '<private-facilitator-auth-token>',
+      },
+    },
+    {
+      name: 'sap-mcp-facilitator',
+      script: 'dist/payments/oobe-facilitator-server.js',
+      args: 'start',
+      cwd: '<repo-root>',
+      instances: 1,
+      exec_mode: 'fork',
+      max_memory_restart: '512M',
+      env: {
+        NODE_ENV: 'production',
+        SAP_MCP_FACILITATOR_HOST: '<private-listener-host>',
+        SAP_MCP_FACILITATOR_PORT: '<private-listener-port>',
+        SAP_MCP_FACILITATOR_PATH_PREFIX: '<facilitator-path-prefix>',
+        SAP_MCP_FACILITATOR_NETWORKS: '<enabled-networks>',
+        SAP_MCP_FACILITATOR_RPC_URL: '<private-rpc-url>',
+        SAP_MCP_FACILITATOR_SIGNER_PATH: '<private-facilitator-signer-path>',
+        SAP_MCP_FACILITATOR_AUTH_TOKEN: '<private-facilitator-auth-token>',
+        SAP_MCP_LOG_LEVEL: 'info',
+        SAP_MCP_LOG_FORMAT: 'json',
+      },
+    },
+  ],
+};