@quackai/q402-mcp 0.8.33 → 0.8.35

Files changed (3) hide show
  1. package/README.md +19 -0
  2. package/dist/index.js +25 -3
  3. package/package.json +5 -1
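--- a/package/README.md
+++ b/package/README.md
@@ -27,8 +27,27 @@ Quote → route → (optional) settle stablecoin payments across 10 EVM chains,
  | **OpenAI Codex CLI** | `codex mcp add q402 -- npx -y @quackai/q402-mcp` (Windows fallback: see below) |
  | **Cursor** | Add to `~/.cursor/mcp.json`: `{ "mcpServers": { "q402": { "command": "npx", "args": ["-y", "@quackai/q402-mcp"] } } }` |
  | **Cline** | Cline → Settings → MCP Servers → Edit JSON. Same shape as Cursor. |
+ | **GitHub Copilot (VS Code)** | Add to `.vscode/mcp.json` — root key is `servers`, **not** `mcpServers`: `{ "servers": { "q402": { "command": "npx", "args": ["-y", "@quackai/q402-mcp"] } } }`. Reload VS Code, then enable q402 in the Copilot Chat tools picker. |
+ | **Hermes Agent (Nous Research)** | YAML, not JSON. Add under `mcp_servers` in `~/.hermes/config.yaml` (see below), then run `/reload-mcp`. |
  | **Any other stdio MCP client** | Point it at `npx -y @quackai/q402-mcp`. No client-specific code. |
 
+ <details>
+ <summary>Hermes Agent — YAML config (<code>~/.hermes/config.yaml</code>)</summary>
+
+ Hermes reads MCP servers from `~/.hermes/config.yaml` under `mcp_servers` (YAML, not JSON):
+
+ ```yaml
+ mcp_servers:
+ q402:
+ command: "npx"
+ args: ["-y", "@quackai/q402-mcp"]
+ enabled: true
+ ```
+
+ After editing, run `/reload-mcp` in Hermes to load the tools. Or use the CLI: `hermes mcp add q402 --command npx --args -y @quackai/q402-mcp`.
+
+ </details>
+
  > Claude **Code** (the CLI, `claude` binary) and Claude **Desktop** (the macOS / Windows app) are different products. The `claude mcp add` command only exists in the CLI; the Desktop app needs the JSON config above.
 
  Secrets are NOT in this config. The server reads them from `~/.q402/mcp.env` (same pattern as AWS / Stripe / gh CLIs).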
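--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -211,7 +211,7 @@ var isValidPrivateKey = (s) => typeof s === "string" && PRIVATE_KEY_RE.test(s);
  // package.json
  var package_default = {
  name: "@quackai/q402-mcp",
- version: "0.8.33",
+ version: "0.8.35",
  description: "MCP server for Q402 \u2014 gasless USDC/USDT/RLUSD payments on 10 EVM chains + Chainlink CCIP USDC bridge on the eth/avax/arbitrum triangle, callable from Claude (Desktop / Code), OpenAI Codex CLI, and any other Model Context Protocol client.",
  mcpName: "io.github.bitgett/q402-mcp",
  keywords: [
@@ -222,7 +222,11 @@ var package_default = {
  "claude-code",
  "codex",
  "openai-codex",
+ "cursor",
  "cline",
+ "copilot",
+ "github-copilot",
+ "hermes",
  "q402",
  "x402",
  "stablecoin",
@@ -1424,6 +1428,10 @@ var PAY_TOOL = {
  const: true,
  description: "MUST be true and only set after the user has confirmed this exact payment in chat. When hookParams is set, confirm what it does to the money too: the split RECIPIENTS and shares (funds go there, not `to`) and any oracle condition gating settlement \u2014 not just the top-level recipient + amount."
  },
+ consentToken: {
+ type: "string",
+ description: "Two-phase consent. Omit on the FIRST call to get a needs_confirmation preview plus a consentToken (no funds move); re-call with the SAME args plus this token to execute. Re-derived from the payment params, so a previewed payment cannot be swapped for a different one. confirm:true alone does NOT send."
+ },
  hookParams: {
  type: "object",
  description: "Q402 Hook params (server-managed Agent Wallet only). recipientAgentId (ReputationGate), condition (ConditionalOracle price/time gate), or splits (MultiPayeeSplit fan-out, bps sum 10000).",
@@ -1960,6 +1968,10 @@ TWO-PHASE CONSENT: confirm:true alone does NOT send. Call this tool first WITHOU
  type: "boolean",
  const: true,
  description: "MUST be true and only set after the user has confirmed the entire batch in chat."
+ },
+ consentToken: {
+ type: "string",
+ description: "Two-phase consent. Omit on the FIRST call to get a needs_confirmation preview of every recipient + amount plus a consentToken (no funds move); re-call with the SAME args plus this token to execute. Re-derived from the batch, so the previewed batch cannot be swapped. confirm:true alone does NOT send."
  }
  },
  required: ["chain", "token", "recipients", "confirm"],
@@ -4984,10 +4996,16 @@ async function runRequestPay(input) {
  to: req.recipient.toLowerCase(),
  amount: req.amount,
  token: req.token,
- chain: req.chain
+ chain: req.chain,
+ // Bind the funding source too — the user is consenting to pay from THIS
+ // wallet, so swapping walletId after the preview must void consent. Mirrors
+ // q402_pay's consentIntent. Empty string = the server-default Agent Wallet
+ // (resolved at settle time); pinning a specific wallet re-triggers consent.
+ wid: (input.walletId ?? "").toLowerCase()
  };
  const consent = checkConsent(consentIntent, input.consentToken);
  if (!consent.ok) {
+ const fromNote = input.walletId ? ` from wallet ${input.walletId}` : "";
  return {
  ok: false,
  status: "needs_consent",
@@ -4998,7 +5016,7 @@ async function runRequestPay(input) {
  message: "Relay this preview to the user and get an explicit yes, then re-call with the same requestId plus consentToken. No funds moved.",
  needsConsent: {
  status: "needs_confirmation",
- preview: `Pay ${req.amount} ${req.token} to ${req.recipient} on ${req.chain} (request ${req.id}).`,
+ preview: `Pay ${req.amount} ${req.token} to ${req.recipient} on ${req.chain}${fromNote} (request ${req.id}).`,
  consentToken: consent.expected
  }
  };
@@ -5069,6 +5087,10 @@ var REQUEST_PAY_TOOL = {
  walletId: {
  type: "string",
  description: "Optional. Agent Wallet address to pay from. Defaults to the configured / server-default wallet."
+ },
+ consentToken: {
+ type: "string",
+ description: "Two-phase consent. Omit on the FIRST call to get a needs_confirmation preview plus a consentToken (no funds move); re-call with the SAME requestId plus this token to execute. Re-derived from the request terms + funding wallet, so a previewed payment cannot be swapped for a different one."
  }
  },
  required: ["requestId", "confirm"],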
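Review bot: In `runRequestPay`, when `walletId` is omitted the consent intent binds `wid` to the empty string and `fromNote` is empty, so the preview never names the wallet that will pay, and the token would presumably stay valid if the server-default wallet changed between preview and execution. If the default address can be resolved before `checkConsent`, bind and display that address instead of `""`. Separately, `input.walletId` is lowercased for the intent but interpolated verbatim into the preview; unless it is validated earlier in the function (which starts outside this hunk), a non-string value throws on `.toLowerCase()` and free-form text ends up in the sentence the user is asked to approve. Assuming `walletId` is an EVM address, a format check before building the intent, for example `if (input.walletId != null && !/^0x[0-9a-fA-F]{40}$/.test(input.walletId))` returning an error result, would cover both cases.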
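--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@quackai/q402-mcp",
- "version": "0.8.33",
+ "version": "0.8.35",
  "description": "MCP server for Q402 — gasless USDC/USDT/RLUSD payments on 10 EVM chains + Chainlink CCIP USDC bridge on the eth/avax/arbitrum triangle, callable from Claude (Desktop / Code), OpenAI Codex CLI, and any other Model Context Protocol client.",
  "mcpName": "io.github.bitgett/q402-mcp",
  "keywords": [
@@ -11,7 +11,11 @@
  "claude-code",
  "codex",
  "openai-codex",
+ "cursor",
  "cline",
+ "copilot",
+ "github-copilot",
+ "hermes",
  "q402",
  "x402",
  "stablecoin",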