@quackai/q402-mcp 0.8.22 → 0.8.23

package/dist/index.js

@@ -211,7 +211,7 @@ var isValidPrivateKey = (s) => typeof s === "string" && PRIVATE_KEY_RE.test(s);
 // package.json
 var package_default = {
   name: "@quackai/q402-mcp",
-  version: "0.8.22",
+  version: "0.8.23",
   description: "MCP server for Q402 \u2014 gasless USDC/USDT/RLUSD payments on 10 EVM chains + Chainlink CCIP USDC bridge on the eth/avax/arbitrum triangle, callable from Claude (Desktop / Code), OpenAI Codex CLI, and any other Model Context Protocol client.",
   mcpName: "io.github.bitgett/q402-mcp",
   keywords: [
@@ -262,7 +262,7 @@ var package_default = {
   },
   devDependencies: {
     "@types/node": "^20.11.0",
-    tsup: "^8.3.0",
+    tsup: "^8.5.1",
     typescript: "^5.5.0"
   },
   repository: {
@@ -279,9 +279,7 @@ var package_default = {
     access: "public"
   },
   overrides: {
-    ws: "^8.20.1",
-    qs: "^6.15.2",
-    hono: "^4.12.21"
+    esbuild: "^0.28.1"
   }
 };
 
@@ -927,6 +925,29 @@ function sandboxPay(chain, input) {
   };
 }
 
+// src/consent.ts
+import { sha256, toUtf8Bytes } from "ethers";
+function canonicalIntent(intent) {
+  const sortValue = (v) => {
+    if (Array.isArray(v)) return v.map(sortValue);
+    if (v && typeof v === "object") {
+      const src = v;
+      const out = {};
+      for (const k of Object.keys(src).sort()) out[k] = sortValue(src[k]);
+      return out;
+    }
+    return v;
+  };
+  return JSON.stringify(sortValue(intent));
+}
+function consentTokenFor(intent) {
+  return "ct_" + sha256(toUtf8Bytes(canonicalIntent(intent))).slice(2, 18);
+}
+function checkConsent(intent, provided) {
+  const expected = consentTokenFor(intent);
+  return { ok: provided === expected, expected };
+}
+
 // src/tools/pay.ts
 var PayInputSchema = z2.object({
   chain: z2.enum(["avax", "bnb", "eth", "xlayer", "stable", "mantle", "injective", "monad", "scroll", "arbitrum"]),
@@ -951,6 +972,9 @@ When MORE THAN ONE wallet is configured in the user's environment, you MUST ask
   confirm: z2.literal(true).describe(
     "MUST be true. Prove the user explicitly approved this exact payment in the conversation right before this tool was called. When hookParams is set you MUST confirm what it actually does to the money: the split RECIPIENTS and their shares (funds go to those addresses, not `to`), and any oracle condition gating the settlement \u2014 not just the top-level recipient and amount. Setting this to true on behalf of the user without that confirmation is a violation of the tool contract."
   ),
+  consentToken: z2.string().optional().describe(
+    'Two-phase consent. LEAVE THIS UNSET on the first call: the tool will NOT send \u2014 it returns status="needs_confirmation" with a human-readable `preview` of the exact payment and a `consentToken`. Relay that preview to the user verbatim, get their explicit yes, then call again with the SAME args plus this `consentToken`. The tool re-derives the token from the params it is about to execute and refuses on mismatch, so you cannot preview one payment and execute another. Never fabricate a token.'
+  ),
   hookParams: z2.object({
     recipientAgentId: z2.string().optional().describe("ReputationGate: the recipient's ERC-8004 agent id."),
     condition: z2.object({
@@ -1086,6 +1110,29 @@ async function runPay(input) {
   if (CONFIG.allowedRecipients.length > 0) {
     guardsApplied.push(`recipient_allowlist[${CONFIG.allowedRecipients.length}]`);
   }
+  const consentIntent = {
+    t: "pay",
+    chain: input.chain,
+    to: input.to.toLowerCase(),
+    amount: input.amount,
+    token: input.token,
+    ...input.hookParams?.splits ? { splits: input.hookParams.splits.map((s) => ({ r: s.recipient.toLowerCase(), bps: s.bps })) } : {}
+  };
+  const consent = checkConsent(consentIntent, input.consentToken);
+  if (!consent.ok) {
+    const splitNote = input.hookParams?.splits ? ` \u2014 split ${input.hookParams.splits.length} ways; funds go to the split recipients, not ${input.to}` : "";
+    const fromNote = senderWallet ? ` from ${senderWallet.addressShort}` : "";
+    return {
+      result: failureResult("consent"),
+      guardsApplied: [...guardsApplied, "two_phase_consent"],
+      senderWallet,
+      needsConsent: {
+        status: "needs_confirmation",
+        preview: `Send ${input.amount} ${input.token} to ${input.to} on ${chain.key}${fromNote}${splitNote}. Confirm with the user, then re-call q402_pay with the same args plus consentToken="${consent.expected}".`,
+        consentToken: consent.expected
+      }
+    };
+  }
   const scopeRequest = input.keyScope ?? "auto";
   const resolved = resolveApiKey(input.chain, scopeRequest);
   guardsApplied.push(`scope=${resolved.scope}${resolved.fromLegacyFallback ? "(legacy)" : ""}`);
@@ -1427,9 +1474,13 @@ var BatchPayInputSchema = z3.object({
   ),
   confirm: z3.literal(true).describe(
     "MUST be true. The user must have explicitly approved this exact set of recipients, amounts, chain, and token in the conversation right before this tool was called. Setting confirm=true on behalf of the user without that approval is a violation of the tool contract."
+  ),
+  consentToken: z3.string().optional().describe(
+    'Two-phase consent. LEAVE UNSET on the first call: the tool will NOT send \u2014 it returns status="needs_confirmation" with a `setupHint` preview of every recipient + amount and a `consentToken`. Relay that preview to the user, get an explicit yes, then re-call with the SAME args plus this `consentToken`. The tool re-derives it from the batch it is about to send and refuses on mismatch, so you cannot preview one batch and execute another. Never fabricate a token.'
   )
 });
 function maxAmountGuardBatch(recipients, cap) {
+  let total = 0;
   for (let i = 0; i < recipients.length; i++) {
     const r = recipients[i];
     const numeric = Number(r.amount);
@@ -1441,6 +1492,12 @@ function maxAmountGuardBatch(recipients, cap) {
         `recipients[${i}]: amount $${r.amount} exceeds the per-call cap of $${cap}. Set Q402_MAX_AMOUNT_PER_CALL to a higher value if intentional.`
       );
     }
+    total += numeric;
+  }
+  if (total > cap) {
+    throw new Error(
+      `batch total $${total.toFixed(2)} across ${recipients.length} recipients exceeds the per-call cap of $${cap}. Q402_MAX_AMOUNT_PER_CALL bounds the WHOLE batch, not each row. Raise the cap if this batch is intentional, or split it into smaller batches.`
+    );
   }
 }
 function recipientAllowlistGuardBatch(recipients, allow) {
@@ -1464,11 +1521,31 @@ async function runBatchPay(input) {
   }
   const guardsApplied = [];
   maxAmountGuardBatch(input.recipients, CONFIG.maxAmountPerCallUsd);
-  guardsApplied.push(`max_amount<=${CONFIG.maxAmountPerCallUsd} (per recipient)`);
+  guardsApplied.push(`max_amount<=${CONFIG.maxAmountPerCallUsd} (per row AND batch total)`);
   recipientAllowlistGuardBatch(input.recipients, CONFIG.allowedRecipients);
   if (CONFIG.allowedRecipients.length > 0) {
     guardsApplied.push(`recipient_allowlist[${CONFIG.allowedRecipients.length}]`);
   }
+  const consentIntent = {
+    t: "batch",
+    chain: input.chain,
+    token: input.token,
+    recipients: input.recipients.map((r) => ({ to: r.to.toLowerCase(), amount: r.amount }))
+  };
+  const consent = checkConsent(consentIntent, input.consentToken);
+  if (!consent.ok) {
+    const total = input.recipients.reduce((s, r) => s + Number(r.amount), 0);
+    const lines = input.recipients.map((r, i) => `  ${i + 1}. ${r.amount} ${input.token} -> ${r.to}`).join("\n");
+    return {
+      mode: "none",
+      status: "needs_confirmation",
+      guardsApplied: [...guardsApplied, "two_phase_consent"],
+      consentToken: consent.expected,
+      setupHint: `Batch on ${input.chain}: ${input.recipients.length} recipients, total ${total} ${input.token}.
+${lines}
+Confirm the full list with the user, then re-call q402_batch_pay with the same args plus consentToken="${consent.expected}".`
+    };
+  }
   const modes = detectAgenticModes(CONFIG);
   const available = [];
   if (modes.modeA && CONFIG.privateKey && isValidPrivateKey(CONFIG.privateKey)) {
@@ -1953,7 +2030,7 @@ var BALANCE_TOOL = {
 
 // src/tools/receipt.ts
 import { z as z5 } from "zod";
-import { keccak256, toUtf8Bytes, getBytes, verifyMessage } from "ethers";
+import { keccak256, toUtf8Bytes as toUtf8Bytes2, getBytes, verifyMessage } from "ethers";
 var ReceiptShape = z5.object({
   receiptId: z5.string(),
   createdAt: z5.string(),
@@ -1994,8 +2071,9 @@ function canonicalize(fields) {
   return JSON.stringify(sorted);
 }
 function digest(canonical) {
-  return keccak256(toUtf8Bytes(canonical));
+  return keccak256(toUtf8Bytes2(canonical));
 }
+var RELAYER_SIGNER = "0xfc77ff29178b7286a8ba703d7a70895ca74ff466";
 function verifyReceiptSignature(r) {
   try {
     const fields = {
@@ -2012,7 +2090,7 @@ function verifyReceiptSignature(r) {
       sandbox: r.sandbox
     };
     const recovered = verifyMessage(getBytes(digest(canonicalize(fields))), r.signature).toLowerCase();
-    return recovered === r.signedBy.toLowerCase();
+    return recovered === RELAYER_SIGNER && r.signedBy.toLowerCase() === RELAYER_SIGNER;
   } catch {
     return false;
   }
@@ -3091,6 +3169,9 @@ var BridgeSendInputSchema = z11.object({
   maxFeeRaw: z11.string().regex(/^\d+$/).optional().describe("Optional client-side fee cap in raw 18-dec wei. Server still clamps to its 10% slippage ceiling; clients may LOWER but not RAISE."),
   confirm: z11.boolean().optional().describe(
     "MUST be true to fire a LIVE bridge (ignored in sandbox). Set this only after the user has explicitly approved this exact bridge (src, dst, amount, feeToken) in the conversation. When omitted or false on a live call the tool previews the action and does NOT move any funds. Never set confirm:true on the user's behalf without approval."
+  ),
+  consentToken: z11.string().optional().describe(
+    "Two-phase consent. LEAVE UNSET on the first live call: the tool previews the bridge (without moving funds) and returns a `consentToken`. Relay the preview to the user, get an explicit yes, then re-call with sandbox:false, confirm:true, AND this consentToken. The tool re-derives it from the bridge it is about to execute (src, dst, amount, feeToken) and refuses on mismatch."
   )
 }).refine((d) => d.src !== d.dst, {
   // Local Zod rejection saves a network round-trip + a Q402 backend log
@@ -3141,6 +3222,10 @@ var BRIDGE_SEND_TOOL = {
       confirm: {
         type: "boolean",
         description: "MUST be true to fire a LIVE bridge (ignored in sandbox) \u2014 set only after the user explicitly approved this exact bridge in chat. Omit (or false) on a live call to preview without moving funds."
+      },
+      consentToken: {
+        type: "string",
+        description: "Two-phase consent token. Leave unset on the first live call to get a preview + token; re-call with confirm:true AND this token after the user approves. Bound to (src, dst, amount, feeToken) \u2014 re-derived server-side-of-the-tool and refused on mismatch."
       }
     },
     required: ["src", "dst", "amount"]
@@ -3170,13 +3255,21 @@ async function runBridgeSend(input) {
       }]
     };
   }
-  if (input.confirm !== true) {
+  const consentIntent = {
+    t: "bridge",
+    src: input.src,
+    dst: input.dst,
+    amount: input.amount,
+    feeToken: input.feeToken === "native" ? "native" : "LINK"
+  };
+  const consent = checkConsent(consentIntent, input.consentToken);
+  if (input.confirm !== true || !consent.ok) {
     const walletDesc = typeof input.walletId === "string" && input.walletId.length > 0 ? `wallet ${input.walletId.toLowerCase()}` : "your default Agent Wallet";
     const fee = input.feeToken === "native" ? "native" : "LINK";
     return {
       content: [{
         type: "text",
-        text: `Will bridge ${input.amount} raw USDC units from ${input.src} \u2192 ${input.dst} via Chainlink CCIP from ${walletDesc} (fee paid in ${fee}). This MOVES FUNDS on-chain. Re-call with confirm:true to execute.`
+        text: `Will bridge ${input.amount} raw USDC units from ${input.src} -> ${input.dst} via Chainlink CCIP from ${walletDesc} (fee paid in ${fee}). This MOVES FUNDS on-chain. Confirm with the user, then re-call with sandbox:false, confirm:true, AND consentToken="${consent.expected}".`
       }]
     };
   }
@@ -4007,7 +4100,7 @@ var RecurringCreateInputSchema = z19.object({
 });
 var RECURRING_CREATE_TOOL = {
   name: "q402_recurring_create",
-  description: "Author a new recurring-payment rule on the user's Agent Wallet. Single-recipient (use the dashboard for multi-recipient payroll). Pick a cadence \u2014 hourly:N, daily, weekly:{day}, monthly:N, or monthly:last \u2014 and a recipient + amount + chain + token. Authenticated by the configured Multichain API key; no private key required. Recurring requires the paid Multichain subscription on EVERY chain including bnb \u2014 trial keys are rejected at create time with MULTICHAIN_REQUIRED and should keep using q402_pay for one-shot Trial sends. Each fire is bounded by the wallet's perTxMax (configured on the dashboard) \u2014 the dashboard's dailyLimit cap currently applies to manual sends only, NOT recurring fires, so an attacker with the apiKey could schedule N rules at perTxMax and drain the wallet's USDC balance over time. The user can stop a rule any time via q402_recurring_cancel.",
+  description: "Author a new recurring-payment rule on the user's Agent Wallet. Single-recipient (use the dashboard for multi-recipient payroll). Pick a cadence \u2014 hourly:N, daily, weekly:{day}, monthly:N, or monthly:last \u2014 and a recipient + amount + chain + token. Authenticated by the configured Multichain API key; no private key required. Recurring requires the paid Multichain subscription on EVERY chain including bnb \u2014 trial keys are rejected at create time with MULTICHAIN_REQUIRED and should keep using q402_pay for one-shot Trial sends. Each fire is bounded server-side by BOTH the wallet's perTxMax AND its dailyLimit \u2014 a rule's daily total reserves against the same daily bucket as manual sends (the scheduler skips the fire if the bucket can't cover it), so scheduled rules can't outrun the dashboard caps. This tool also enforces your local Q402_MAX_AMOUNT_PER_CALL + Q402_ALLOWED_RECIPIENTS rails at create time. The user can stop a rule any time via q402_recurring_cancel.",
   inputSchema: {
     type: "object",
     properties: {
@@ -4082,6 +4175,27 @@ async function runRecurringCreate(input) {
       dashboardUrl
     };
   }
+  const amountNum = Number(input.amount);
+  if (Number.isFinite(amountNum) && amountNum > CONFIG.maxAmountPerCallUsd) {
+    return {
+      ok: false,
+      walletId: null,
+      rule: null,
+      error: "AMOUNT_EXCEEDS_CAP",
+      message: `Per-fire amount $${input.amount} exceeds your Q402_MAX_AMOUNT_PER_CALL cap of $${CONFIG.maxAmountPerCallUsd}. Each recurring fire is bounded by the same per-call cap as a one-shot q402_pay \u2014 raise the cap if this schedule is intentional.`,
+      dashboardUrl
+    };
+  }
+  if (CONFIG.allowedRecipients.length > 0 && !CONFIG.allowedRecipients.includes(input.recipient.toLowerCase())) {
+    return {
+      ok: false,
+      walletId: null,
+      rule: null,
+      error: "RECIPIENT_NOT_ALLOWED",
+      message: `Recipient ${input.recipient} is not in Q402_ALLOWED_RECIPIENTS. A recurring rule would send to it on every fire \u2014 add it to the allowlist or unset the env var to disable the guard.`,
+      dashboardUrl
+    };
+  }
   const explicitWalletId = typeof input.walletId === "string" && input.walletId.length > 0 ? input.walletId.toLowerCase() : CONFIG.walletId;
   try {
     const res = await fetch(`${base}/wallet/agentic/recurring-by-key`, {

package/package.json

@@ -1,75 +1,73 @@
-{
-  "name": "@quackai/q402-mcp",
-  "version": "0.8.22",
-  "description": "MCP server for Q402 — gasless USDC/USDT/RLUSD payments on 10 EVM chains + Chainlink CCIP USDC bridge on the eth/avax/arbitrum triangle, callable from Claude (Desktop / Code), OpenAI Codex CLI, and any other Model Context Protocol client.",
-  "mcpName": "io.github.bitgett/q402-mcp",
-  "keywords": [
-    "mcp",
-    "model-context-protocol",
-    "claude",
-    "claude-desktop",
-    "claude-code",
-    "codex",
-    "openai-codex",
-    "cline",
-    "q402",
-    "x402",
-    "stablecoin",
-    "usdc",
-    "usdt",
-    "rlusd",
-    "ripple",
-    "gasless",
-    "eip-7702",
-    "payments",
-    "ai-agents"
-  ],
-  "type": "module",
-  "main": "dist/index.js",
-  "bin": {
-    "q402-mcp": "dist/index.js"
-  },
-  "files": [
-    "dist",
-    "README.md",
-    "LICENSE"
-  ],
-  "engines": {
-    "node": ">=18.18"
-  },
-  "scripts": {
-    "build": "tsup",
-    "dev": "tsup --watch",
-    "lint": "tsc --noEmit",
-    "prepublishOnly": "npm run lint && npm run build",
-    "start": "node dist/index.js"
-  },
-  "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.29.0",
-    "ethers": "^6.16.0",
-    "zod": "^3.23.8"
-  },
-  "devDependencies": {
-    "@types/node": "^20.11.0",
-    "tsup": "^8.3.0",
-    "typescript": "^5.5.0"
-  },
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/bitgett/q402-mcp.git"
-  },
-  "homepage": "https://q402.quackai.ai/claude",
-  "bugs": {
-    "url": "https://github.com/bitgett/q402-mcp/issues"
-  },
-  "license": "Apache-2.0",
-  "author": "David Lee <davidlee@quackai.ai>",
-  "publishConfig": {
-    "access": "public"
-  },
-  "overrides": {
-    "ws": "^8.20.1",
-    "qs": "^6.15.2",
-    "hono": "^4.12.21"
-  }
-}
+{
+  "name": "@quackai/q402-mcp",
+  "version": "0.8.23",
+  "description": "MCP server for Q402 — gasless USDC/USDT/RLUSD payments on 10 EVM chains + Chainlink CCIP USDC bridge on the eth/avax/arbitrum triangle, callable from Claude (Desktop / Code), OpenAI Codex CLI, and any other Model Context Protocol client.",
+  "mcpName": "io.github.bitgett/q402-mcp",
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "claude",
+    "claude-desktop",
+    "claude-code",
+    "codex",
+    "openai-codex",
+    "cline",
+    "q402",
+    "x402",
+    "stablecoin",
+    "usdc",
+    "usdt",
+    "rlusd",
+    "ripple",
+    "gasless",
+    "eip-7702",
+    "payments",
+    "ai-agents"
+  ],
+  "type": "module",
+  "main": "dist/index.js",
+  "bin": {
+    "q402-mcp": "dist/index.js"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "engines": {
+    "node": ">=18.18"
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "lint": "tsc --noEmit",
+    "prepublishOnly": "npm run lint && npm run build",
+    "start": "node dist/index.js"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.29.0",
+    "ethers": "^6.16.0",
+    "zod": "^3.23.8"
+  },
+  "devDependencies": {
+    "@types/node": "^20.11.0",
+    "tsup": "^8.5.1",
+    "typescript": "^5.5.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/bitgett/q402-mcp.git"
+  },
+  "homepage": "https://q402.quackai.ai/claude",
+  "bugs": {
+    "url": "https://github.com/bitgett/q402-mcp/issues"
+  },
+  "license": "Apache-2.0",
+  "author": "David Lee <davidlee@quackai.ai>",
+  "publishConfig": {
+    "access": "public"
+  },
+  "overrides": {
+    "esbuild": "^0.28.1"
+  }
+}