@quackai/q402-mcp 0.8.13 → 0.8.15

package/README.md

@@ -290,7 +290,7 @@ Single transfers and multi-recipient batches ship today. The next layer — recu
 
 ## Hooks — programmable payment policies
 
-Q402 Hooks 1.0 is a policy engine that attaches rules to the payment lifecycle: OFAC compliance screening, spend caps + recipient allowlists, ERC-8004 reputation gating, Chainlink-oracle conditional settlement ("only when BTC ≥ $80k"), and automatic multi-payee splits — plus human-in-the-loop approval holds. Uniswap v4 brought programmable hooks to DEX liquidity; Q402 brings them to AI-agent payments.
+Q402 Hooks 1.0 is a policy engine that attaches rules to the payment lifecycle: OFAC compliance screening, spend caps + recipient allowlists, ERC-8004 reputation gating, Chainlink-oracle conditional settlement ("only when BTC ≥ $80k"), and automatic multi-payee splits — plus an approval-required soft block for large payments (returns 202 `approval_required`; the caller re-submits out of band, no stored hold in v1). Uniswap v4 brought programmable hooks to DEX liquidity; Q402 brings them to AI-agent payments.
 
 **Developer reference: [docs/HOOKS.md](docs/HOOKS.md)** — lifecycle, the Hook contract, every shipped hook with config + examples.
 

package/dist/index.js

@@ -211,7 +211,7 @@ var isValidPrivateKey = (s) => typeof s === "string" && PRIVATE_KEY_RE.test(s);
 
 // src/version.ts
 var PACKAGE_NAME = "@quackai/q402-mcp";
-var PACKAGE_VERSION = "0.8.13";
+var PACKAGE_VERSION = "0.8.15";
 
 // src/tools/quote.ts
 import { z } from "zod";
@@ -873,7 +873,7 @@ When MORE THAN ONE wallet is configured in the user's environment, you MUST ask
     `Server-managed Agent Wallet only (walletMode="agentic-server"). Lowercased Agent Wallet address selecting which of the user's wallets to spend from when they hold more than one (max 10 per owner). Omit to use the user's default wallet. Ignored for walletMode="eoa" and "agentic-local" since those modes carry their own signing key.`
   ),
   confirm: z2.literal(true).describe(
-    "MUST be true. Prove the user explicitly approved this exact recipient and amount in the conversation right before this tool was called. Setting this to true on behalf of the user without confirmation is a violation of the tool contract."
+    "MUST be true. Prove the user explicitly approved this exact payment in the conversation right before this tool was called. When hookParams is set you MUST confirm what it actually does to the money: the split RECIPIENTS and their shares (funds go to those addresses, not `to`), and any oracle condition gating the settlement \u2014 not just the top-level recipient and amount. Setting this to true on behalf of the user without that confirmation is a violation of the tool contract."
   ),
   hookParams: z2.object({
     recipientAgentId: z2.string().optional().describe("ReputationGate: the recipient's ERC-8004 agent id."),
@@ -1241,7 +1241,7 @@ var PAY_TOOL = {
       confirm: {
         type: "boolean",
         const: true,
-        description: "MUST be true and only set after the user has confirmed recipient + amount in chat."
+        description: "MUST be true and only set after the user has confirmed this exact payment in chat. When hookParams is set, confirm what it does to the money too: the split RECIPIENTS and shares (funds go there, not `to`) and any oracle condition gating settlement \u2014 not just the top-level recipient + amount."
       },
       hookParams: {
         type: "object",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@quackai/q402-mcp",
-  "version": "0.8.13",
+  "version": "0.8.15",
   "description": "MCP server for Q402 — gasless USDC/USDT/RLUSD payments on 10 EVM chains + Chainlink CCIP USDC bridge on the eth/avax/arbitrum triangle, callable from Claude (Desktop / Code), OpenAI Codex CLI, and any other Model Context Protocol client.",
   "mcpName": "io.github.bitgett/q402-mcp",
   "keywords": [