@rapay/mcp-server 1.1.11 → 1.2.0
- package/dist/handlers.d.ts +1 -5
- package/dist/handlers.js +0 -54
- package/dist/index.d.ts +1 -1
- package/dist/index.js +2 -2
- package/dist/tools.d.ts +5 -3
- package/dist/tools.js +8 -27
- package/package.json +2 -2
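--- a/package/dist/handlers.d.ts
+++ b/package/dist/handlers.d.ts
@@ -26,14 +26,10 @@ export interface SendArgs {
 business_purpose: string;
 user_confirmed?: boolean;
 }
-export interface SubscribeArgs {
-price_id: string;
-customer_email: string;
-}
 export interface HistoryArgs {
 limit?: number;
 }
-export type ToolArgs = SendArgs |
+export type ToolArgs = SendArgs | HistoryArgs | Record<string, never>;
 /**
 * Execute a tool and return the result
 *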
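Review bot: `SendArgs` in this hunk declares `user_confirmed?: boolean` as optional, while the `ra_send` input schema shown in tools.js lists `user_confirmed` under `required`, so the type lets handler code compile without ever reading the confirmation flag of a payment call. Declaring it as `user_confirmed: boolean;` in the source interface would keep the type in line with the schema. Whether `validateSendArgs` rejects a missing or `false` flag is not visible on this page and is worth confirming. The new `ToolArgs` union is also not keyed by tool name, so each handler still has to narrow `args` itself; the `SendArgs` body starts above the hunk.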
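--- a/package/dist/handlers.js
+++ b/package/dist/handlers.js
@@ -37,7 +37,6 @@ const CLI_PATH = (() => {
 const MAX_OUTPUT_SIZE = 1024 * 1024; // 1MB
 const RATE_LIMITS = {
 ra_send: { windowMs: 60000, maxCalls: 1 },
-ra_subscribe: { windowMs: 60000, maxCalls: 1 },
 ra_refund: { windowMs: 60000, maxCalls: 5 },
 ra_balance: { windowMs: 60000, maxCalls: 10 },
 ra_history: { windowMs: 60000, maxCalls: 10 },
@@ -176,11 +175,6 @@ function validateBusinessPurpose(purpose) {
 throw new ValidationError("Business purpose appears to be invalid. Please provide a real description of goods or services rendered.");
 }
 }
-/**
-* RFC 5322 simplified email regex (stricter than basic check)
-* Validates common email formats while rejecting edge cases
-*/
-const EMAIL_REGEX = /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)+$/;
 /**
 * Validate ra_send arguments (defense-in-depth)
 * MCP SDK validates schema, this is additional layer
@@ -223,36 +217,6 @@ function validateSendArgs(args) {
 // P2P/Compliance validation (mirrors CLI validation.rs)
 validateBusinessPurpose(args.business_purpose);
 }
-/**
-* Validate ra_subscribe arguments
-*/
-function validateSubscribeArgs(args) {
-// Price ID validation
-if (typeof args.price_id !== "string") {
-throw new ValidationError("Price ID must be a string");
-}
-// Check for ASCII-only to prevent homoglyph attacks
-if (!/^[\x00-\x7F]+$/.test(args.price_id)) {
-throw new ValidationError("Price ID contains invalid characters (ASCII only)");
-}
-if (!/^price_[a-zA-Z0-9]+$/.test(args.price_id)) {
-throw new ValidationError("Invalid price ID format (expected price_xxx)");
-}
-// Email validation (RFC 5322 simplified, Stripe validates further)
-if (typeof args.customer_email !== "string") {
-throw new ValidationError("Customer email must be a string");
-}
-if (args.customer_email.length > 254) {
-throw new ValidationError("Email address too long");
-}
-// Check for ASCII-only to prevent IDN homograph attacks
-if (!/^[\x00-\x7F]+$/.test(args.customer_email)) {
-throw new ValidationError("Email contains invalid characters (ASCII only)");
-}
-if (!EMAIL_REGEX.test(args.customer_email)) {
-throw new ValidationError("Invalid email format");
-}
-}
 /**
 * Validate ra_history arguments
 */
@@ -302,9 +266,6 @@ export async function handleToolCall(toolName, args) {
 case "ra_send":
 result = await executeSend(args);
 break;
-case "ra_subscribe":
-result = await executeSubscribe(args);
-break;
 case "ra_refund":
 result = await executeRefund();
 break;
@@ -555,21 +516,6 @@ async function executeSend(args) {
 ];
 return executeCliCommand(cliArgs);
 }
-/**
-* Execute ra subscribe command
-*/
-async function executeSubscribe(args) {
-// Validate inputs (defense-in-depth, MCP SDK also validates)
-validateSubscribeArgs(args);
-const cliArgs = [
-"subscribe",
-args.price_id,
-args.customer_email,
-"--json",
-"--confirm", // Skip CLI confirmation (MCP client handles approval)
-];
-return executeCliCommand(cliArgs);
-}
 /**
 * Execute ra refund command (opens Stripe Dashboard)
 */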
package/dist/index.d.ts
CHANGED
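--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -23,7 +23,7 @@ import { checkForUpdates } from "./version-check.js";
 * Server metadata
 */
 const SERVER_NAME = "rapay-mcp";
-export const SERVER_VERSION = "1.
+export const SERVER_VERSION = "1.2.0";
 /**
 * Initialize MCP server
 */
@@ -37,7 +37,7 @@ const server = new Server({
 });
 /**
 * Handle tools/list request
-* Returns all
+* Returns all 5 MVP tools with their schemas
 */
 server.setRequestHandler(ListToolsRequestSchema, async () => {
 return {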
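--- a/package/dist/tools.d.ts
+++ b/package/dist/tools.d.ts
@@ -1,15 +1,17 @@
 /**
 * Ra Pay MCP Server - Tool Definitions
 *
-*
-* -
+* 5 MVP Tools:
+* - 2 Payment Operations (SENSITIVE)
 * - 3 Query Operations (Read-only)
 *
+* Note: ra_subscribe removed in v1.2.0 for compliance (Session 53)
+*
 * @see MCP-SERVER-PLAN.md for full specification
 */
 import type { Tool } from "@modelcontextprotocol/sdk/types.js";
 /**
-* All
+* All 5 MVP tools combined
 */
 export declare const TOOLS: Tool[];
 /**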
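--- a/package/dist/tools.js
+++ b/package/dist/tools.js
@@ -1,10 +1,12 @@
 /**
 * Ra Pay MCP Server - Tool Definitions
 *
-*
-* -
+* 5 MVP Tools:
+* - 2 Payment Operations (SENSITIVE)
 * - 3 Query Operations (Read-only)
 *
+* Note: ra_subscribe removed in v1.2.0 for compliance (Session 53)
+*
 * @see MCP-SERVER-PLAN.md for full specification
 */
 import { createHash } from "crypto";
@@ -59,27 +61,6 @@ const PAYMENT_TOOLS = [
 required: ["amount", "recipient_id", "business_purpose", "user_confirmed"],
 },
 },
-{
-name: "ra_subscribe",
-description: "SENSITIVE: Create a subscription for a customer. Sets up recurring payments using a Stripe price. " +
-"Requires explicit user confirmation. Use 'ra create-price' to create prices first.",
-inputSchema: {
-type: "object",
-properties: {
-price_id: {
-type: "string",
-description: "Stripe price ID (format: price_xxx). Create prices with 'ra create-price' command.",
-pattern: "^price_[a-zA-Z0-9]+$",
-},
-customer_email: {
-type: "string",
-description: "Customer email address for the subscription",
-format: "email",
-},
-},
-required: ["price_id", "customer_email"],
-},
-},
 {
 name: "ra_refund",
 description: "SENSITIVE: Open Stripe Dashboard to process refunds. " +
@@ -135,13 +116,13 @@ const QUERY_TOOLS = [
 },
 ];
 /**
-* All
+* All 5 MVP tools combined
 */
 export const TOOLS = [...PAYMENT_TOOLS, ...QUERY_TOOLS];
 /**
 * Tool names that require user confirmation (SENSITIVE operations)
 */
-export const SENSITIVE_TOOLS = new Set(["ra_send", "
+export const SENSITIVE_TOOLS = new Set(["ra_send", "ra_refund"]);
 /**
 * Check if a tool is a sensitive payment operation
 */
@@ -163,9 +144,9 @@ export function isSensitiveTool(toolName) {
 * 2. Run: RAPAY_DEBUG=1 node dist/index.js (will log computed hash)
 * 3. Update this constant with the new hash
 *
-* Last updated: 2026-01
+* Last updated: 2026-02-01 (Session 53 subscription removal)
 */
-const EXPECTED_TOOL_HASH = "
+const EXPECTED_TOOL_HASH = "c5a4650ce2990d65";
 /**
 * Compute the integrity hash of the tool definitions
 * Hash is based on tool names and their input schemas (deterministic)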
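Review bot: The `EXPECTED_TOOL_HASH` value updated in the last hunk is a 16-hex-character digest and, per the comment directly below it, covers tool names and input schemas but not the `description` strings. An edited description, which is the text an MCP client's model actually reads, would therefore presumably pass the check unchanged. The expected value also ships in the same file as the definitions it guards, so it can catch accidental drift between the two but not a package in which both were changed together. I would state that scope next to the constant, for example `// Drift check only: covers names + inputSchema, not descriptions; not a tamper-proof control`, and consider adding the descriptions to the hashed input. The hashing function is outside this hunk, so its exact coverage should be confirmed there.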
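--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@rapay/mcp-server",
-"version": "1.
+"version": "1.2.0",
 "description": "Ra Pay MCP Server for Claude Desktop and Claude Code - AI Agent Payment Infrastructure",
 "type": "module",
 "main": "dist/index.js",
@@ -38,7 +38,7 @@
 "node": ">=18.0.0"
 },
 "peerDependencies": {
-"@rapay/cli": "^1.
+"@rapay/cli": "^1.4.0"
 },
 "peerDependenciesMeta": {
 "@rapay/cli": {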