@quackai/q402-mcp 0.5.16 → 0.5.17
- package/README.md +4 -4
- package/dist/index.js +7 -6
- package/package.json +1 -1
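--- a/package/README.md
+++ b/package/README.md
@@ -91,8 +91,8 @@ Q402_ENABLE_REAL_PAYMENTS=1
 # Default Q402 deployment. Only change for self-hosted.
 Q402_RELAY_BASE_URL=https://q402.quackai.ai/api
 
-#
-
+# Safety guards (max-amount ships uncommented at $200; lower for tighter caps):
+Q402_MAX_AMOUNT_PER_CALL=200
 # Q402_ALLOWED_RECIPIENTS=0xabc...,0xdef...
 ```
 
@@ -202,7 +202,7 @@ Two additional guards run before every payment regardless of mode:
 
 | Env var | Default | Effect |
 |---|---|---|
-| `Q402_MAX_AMOUNT_PER_CALL` | `
+| `Q402_MAX_AMOUNT_PER_CALL` | `200` | Reject any single call where `amount > N` USD-equivalent. |
 | `Q402_ALLOWED_RECIPIENTS` | (empty = off) | Comma-separated address allowlist. When set, all other recipients are rejected. |
 
 Combined with the `confirm: true` argument the tool requires, this means the model needs (a) explicit user OK in chat, (b) amount ≤ cap, (c) recipient on allowlist if one exists, (d) all three live-mode env vars set, before a single wei moves.
@@ -217,7 +217,7 @@ Combined with the `confirm: true` argument the tool requires, this means the mod
 | `Q402_MULTICHAIN_API_KEY` | live-pay (9-chain) | Paid 9-chain key. Get one at https://q402.quackai.ai/payment. Auto-routed for non-BNB chains AND for BNB when no Trial key is set. Cap: 20 recipients per batch. |
 | `Q402_PRIVATE_KEY` | live-pay | Signer for the payer EOA. **Never share. Never paste in chat.** |
 | `Q402_ENABLE_REAL_PAYMENTS` | live-pay | Set to `1` to opt in. Any other value (or unset) → sandbox. |
-| `Q402_MAX_AMOUNT_PER_CALL` | optional | USD-equivalent cap. Defaults to `
+| `Q402_MAX_AMOUNT_PER_CALL` | optional | USD-equivalent cap. Defaults to `200`. Lower for tighter agent blast-radius. |
 | `Q402_ALLOWED_RECIPIENTS` | optional | Comma-separated lowercase addresses. Defaults to no allowlist. |
 | `Q402_RELAY_BASE_URL` | optional | Defaults to `https://q402.quackai.ai/api`. Override for self-hosted Q402. |
 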
package/dist/index.js
CHANGED
|
@@ -96,7 +96,7 @@ var Q402_ENV_FILE_KEYS_ALL = Object.freeze(
|
|
|
96
96
|
new Set(Object.keys(FILE_ENV))
|
|
97
97
|
);
|
|
98
98
|
var DEFAULT_RELAY_BASE = "https://q402.quackai.ai/api";
|
|
99
|
-
var DEFAULT_MAX_AMOUNT =
|
|
99
|
+
var DEFAULT_MAX_AMOUNT = 200;
|
|
100
100
|
function classifyApiKey(k) {
|
|
101
101
|
if (!k) return "missing";
|
|
102
102
|
if (k.startsWith("q402_live_")) return "live";
|
|
@@ -188,7 +188,7 @@ var isValidPrivateKey = (s) => typeof s === "string" && PRIVATE_KEY_RE.test(s);
|
|
|
188
188
|
|
|
189
189
|
// src/version.ts
|
|
190
190
|
var PACKAGE_NAME = "@quackai/q402-mcp";
|
|
191
|
-
var PACKAGE_VERSION = "0.5.
|
|
191
|
+
var PACKAGE_VERSION = "0.5.17";
|
|
192
192
|
|
|
193
193
|
// src/tools/quote.ts
|
|
194
194
|
import { z } from "zod";
|
|
@@ -1702,11 +1702,12 @@ Q402_RELAY_BASE_URL=https://q402.quackai.ai/api
|
|
|
1702
1702
|
|
|
1703
1703
|
|
|
1704
1704
|
# \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
|
|
1705
|
-
#
|
|
1705
|
+
# Safety guards
|
|
1706
1706
|
# \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
|
|
1707
|
-
# Max USD per single q402_pay call
|
|
1708
|
-
#
|
|
1709
|
-
|
|
1707
|
+
# Max USD per single q402_pay call. Any request above this is rejected
|
|
1708
|
+
# before signing. Lower this if you want a tighter agent blast-radius.
|
|
1709
|
+
Q402_MAX_AMOUNT_PER_CALL=200
|
|
1710
|
+
|
|
1710
1711
|
# Comma-separated lowercase recipient allowlist (unset = any address OK)
|
|
1711
1712
|
# Q402_ALLOWED_RECIPIENTS=0xabc...,0xdef...
|
|
1712
1713
|
`;
|
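Review bot: The env template in the last hunk hard-codes `Q402_MAX_AMOUNT_PER_CALL=200` while the in-code fallback is defined separately as `DEFAULT_MAX_AMOUNT = 200` in the first hunk, so the generated file and the fallback can drift apart on the next change. Because the text sits inside a template literal, `Q402_MAX_AMOUNT_PER_CALL=${DEFAULT_MAX_AMOUNT}` would keep a single source of truth; this file looks like bundler output, so the edit presumably belongs in the TypeScript source. The new template comment should also state that the limit is per call and that nothing visible here bounds the total across repeated calls, for example `# Per-call cap only; set Q402_ALLOWED_RECIPIENTS to restrict where funds can go.`, since the allowlist line below it still ships commented out. The enforcement code and the start of the template string are outside the visible hunks, so this rests on the constants and comments alone.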
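--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@quackai/q402-mcp",
-"version": "0.5.
+"version": "0.5.17",
 "description": "MCP server for Q402 — gasless USDC, USDT, and RLUSD payments across 9 EVM chains, callable from Claude (Desktop / Code), OpenAI Codex CLI, and any other Model Context Protocol client.",
 "mcpName": "io.github.bitgett/q402-mcp",
 "keywords": [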