@rapay/mcp-server 1.2.0 → 1.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/dist/handlers.js +28 -4
  2. package/dist/index.d.ts +1 -1
  3. package/dist/index.js +1 -1
  4. package/package.json +1 -1
package/dist/handlers.js CHANGED
@@ -399,9 +399,33 @@ function parseCliError(error) {
399
399
  */
400
400
  async function executeCliCommand(args, timeoutMs = 30000) {
401
401
  return new Promise((resolve, reject) => {
402
+ // Security: Only pass necessary environment variables to CLI subprocess
403
+ // This prevents leaking secrets from MCP server environment to CLI
404
+ // CLI needs: PATH (to find executables), HOME/USERPROFILE (for config files),
405
+ // RAPAY_* (explicit Ra Pay configuration), and keyring-related vars
406
+ const safeEnv = {
407
+ PATH: process.env.PATH,
408
+ HOME: process.env.HOME,
409
+ USERPROFILE: process.env.USERPROFILE, // Windows equivalent of HOME
410
+ TMPDIR: process.env.TMPDIR,
411
+ TEMP: process.env.TEMP,
412
+ TMP: process.env.TMP,
413
+ // Allow explicit Ra Pay config overrides
414
+ RAPAY_API_URL: process.env.RAPAY_API_URL,
415
+ RAPAY_CONFIG_DIR: process.env.RAPAY_CONFIG_DIR,
416
+ // Keyring access (Linux)
417
+ DBUS_SESSION_BUS_ADDRESS: process.env.DBUS_SESSION_BUS_ADDRESS,
418
+ XDG_RUNTIME_DIR: process.env.XDG_RUNTIME_DIR,
419
+ // Windows credential manager
420
+ APPDATA: process.env.APPDATA,
421
+ LOCALAPPDATA: process.env.LOCALAPPDATA,
422
+ // Windows system variables (required by libuv for spawn)
423
+ SYSTEMROOT: process.env.SYSTEMROOT,
424
+ WINDIR: process.env.WINDIR,
425
+ };
402
426
  const child = spawn(CLI_PATH, args, {
403
427
  stdio: ["pipe", "pipe", "pipe"],
404
- env: { ...process.env }, // Inherit environment for keyring access
428
+ env: safeEnv,
405
429
  // cross-spawn handles Windows .cmd wrappers automatically
406
430
  });
407
431
  let stdout = "";
@@ -474,9 +498,9 @@ async function executeSend(args) {
474
498
  validateSendArgs(args);
475
499
  // Convert cents to dollars for CLI (CLI expects dollar amount)
476
500
  const amountDollars = args.amount / 100;
477
- // Calculate fee breakdown using integer math to avoid floating point errors
478
- // 2% Ra Pay application fee: fee_cents = amount_cents * 2 / 100
479
- const rapayFeeCents = Math.round(args.amount * 0.02);
501
+ // Calculate fee breakdown using true integer math to avoid floating point errors
502
+ // 2% Ra Pay application fee: integer ceiling of (amount_cents * 2 / 100)
503
+ const rapayFeeCents = Math.floor((args.amount * 2 + 99) / 100);
480
504
  const recipientReceivesCents = args.amount - rapayFeeCents;
481
505
  // Convert to dollars for display (after integer calculation)
482
506
  const rapayFee = rapayFeeCents / 100;
package/dist/index.d.ts CHANGED
@@ -13,5 +13,5 @@
13
13
  * - Privacy preserved (dumb pipe model intact)
14
14
  * - No blockers
15
15
  */
16
- export declare const SERVER_VERSION = "1.2.0";
16
+ export declare const SERVER_VERSION = "1.2.2";
17
17
  //# sourceMappingURL=index.d.ts.map
package/dist/index.js CHANGED
@@ -23,7 +23,7 @@ import { checkForUpdates } from "./version-check.js";
23
23
  * Server metadata
24
24
  */
25
25
  const SERVER_NAME = "rapay-mcp";
26
- export const SERVER_VERSION = "1.2.0";
26
+ export const SERVER_VERSION = "1.2.2";
27
27
  /**
28
28
  * Initialize MCP server
29
29
  */
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@rapay/mcp-server",
3
- "version": "1.2.0",
3
+ "version": "1.2.2",
4
4
  "description": "Ra Pay MCP Server for Claude Desktop and Claude Code - AI Agent Payment Infrastructure",
5
5
  "type": "module",
6
6
  "main": "dist/index.js",