npm - @scriptmasterlabs/mcp-x402 - Versions diffs - 2.0.0 - Mend

@scriptmasterlabs/mcp-x402 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (304) hide show

package/.env.example +35 -0
package/.github/workflows/ci.yml +59 -0
package/.github/workflows/keepalive.yml +31 -0
package/.well-known/agentcard.json +34 -0
package/CONTRIBUTING.md +76 -0
package/Dockerfile +19 -0
package/LICENSE +21 -0
package/README.md +304 -0
package/agents.json +67 -0
package/dist/lib/chains/base.d.ts +10 -0
package/dist/lib/chains/base.d.ts.map +1 -0
package/dist/lib/chains/base.js +73 -0
package/dist/lib/chains/base.js.map +1 -0
package/dist/lib/chains/solana.d.ts +10 -0
package/dist/lib/chains/solana.d.ts.map +1 -0
package/dist/lib/chains/solana.js +49 -0
package/dist/lib/chains/solana.js.map +1 -0
package/dist/lib/chains/xrpl.d.ts +10 -0
package/dist/lib/chains/xrpl.d.ts.map +1 -0
package/dist/lib/chains/xrpl.js +55 -0
package/dist/lib/chains/xrpl.js.map +1 -0
package/dist/lib/credit/bureau.d.ts +10 -0
package/dist/lib/credit/bureau.d.ts.map +1 -0
package/dist/lib/credit/bureau.js +58 -0
package/dist/lib/credit/bureau.js.map +1 -0
package/dist/lib/sml-api/agentcard.d.ts +17 -0
package/dist/lib/sml-api/agentcard.d.ts.map +1 -0
package/dist/lib/sml-api/agentcard.js +30 -0
package/dist/lib/sml-api/agentcard.js.map +1 -0
package/dist/lib/sml-api/backtest.d.ts +22 -0
package/dist/lib/sml-api/backtest.d.ts.map +1 -0
package/dist/lib/sml-api/backtest.js +28 -0
package/dist/lib/sml-api/backtest.js.map +1 -0
package/dist/lib/sml-api/brokers.d.ts +40 -0
package/dist/lib/sml-api/brokers.d.ts.map +1 -0
package/dist/lib/sml-api/brokers.js +128 -0
package/dist/lib/sml-api/brokers.js.map +1 -0
package/dist/lib/sml-api/copytrader.d.ts +11 -0
package/dist/lib/sml-api/copytrader.d.ts.map +1 -0
package/dist/lib/sml-api/copytrader.js +30 -0
package/dist/lib/sml-api/copytrader.js.map +1 -0
package/dist/lib/sml-api/crawl.d.ts +20 -0
package/dist/lib/sml-api/crawl.d.ts.map +1 -0
package/dist/lib/sml-api/crawl.js +32 -0
package/dist/lib/sml-api/crawl.js.map +1 -0
package/dist/lib/sml-api/echo.d.ts +10 -0
package/dist/lib/sml-api/echo.d.ts.map +1 -0
package/dist/lib/sml-api/echo.js +23 -0
package/dist/lib/sml-api/echo.js.map +1 -0
package/dist/lib/sml-api/forge.d.ts +11 -0
package/dist/lib/sml-api/forge.d.ts.map +1 -0
package/dist/lib/sml-api/forge.js +29 -0
package/dist/lib/sml-api/forge.js.map +1 -0
package/dist/lib/sml-api/ftd.d.ts +18 -0
package/dist/lib/sml-api/ftd.d.ts.map +1 -0
package/dist/lib/sml-api/ftd.js +43 -0
package/dist/lib/sml-api/ftd.js.map +1 -0
package/dist/lib/sml-api/ghost.d.ts +13 -0
package/dist/lib/sml-api/ghost.d.ts.map +1 -0
package/dist/lib/sml-api/ghost.js +29 -0
package/dist/lib/sml-api/ghost.js.map +1 -0
package/dist/lib/sml-api/launchpad.d.ts +20 -0
package/dist/lib/sml-api/launchpad.d.ts.map +1 -0
package/dist/lib/sml-api/launchpad.js +31 -0
package/dist/lib/sml-api/launchpad.js.map +1 -0
package/dist/lib/sml-api/leviathan.d.ts +22 -0
package/dist/lib/sml-api/leviathan.d.ts.map +1 -0
package/dist/lib/sml-api/leviathan.js +33 -0
package/dist/lib/sml-api/leviathan.js.map +1 -0
package/dist/lib/sml-api/nexus.d.ts +18 -0
package/dist/lib/sml-api/nexus.d.ts.map +1 -0
package/dist/lib/sml-api/nexus.js +40 -0
package/dist/lib/sml-api/nexus.js.map +1 -0
package/dist/lib/sml-api/proof402.d.ts +6 -0
package/dist/lib/sml-api/proof402.d.ts.map +1 -0
package/dist/lib/sml-api/proof402.js +30 -0
package/dist/lib/sml-api/proof402.js.map +1 -0
package/dist/lib/sml-api/rails.d.ts +12 -0
package/dist/lib/sml-api/rails.d.ts.map +1 -0
package/dist/lib/sml-api/rails.js +29 -0
package/dist/lib/sml-api/rails.js.map +1 -0
package/dist/lib/sml-api/shadow.d.ts +15 -0
package/dist/lib/sml-api/shadow.d.ts.map +1 -0
package/dist/lib/sml-api/shadow.js +27 -0
package/dist/lib/sml-api/shadow.js.map +1 -0
package/dist/lib/sml-api/squeezeos.d.ts +21 -0
package/dist/lib/sml-api/squeezeos.d.ts.map +1 -0
package/dist/lib/sml-api/squeezeos.js +97 -0
package/dist/lib/sml-api/squeezeos.js.map +1 -0
package/dist/lib/sml-api/xdeo.d.ts +13 -0
package/dist/lib/sml-api/xdeo.d.ts.map +1 -0
package/dist/lib/sml-api/xdeo.js +34 -0
package/dist/lib/sml-api/xdeo.js.map +1 -0
package/dist/lib/sml-api/xmit.d.ts +13 -0
package/dist/lib/sml-api/xmit.d.ts.map +1 -0
package/dist/lib/sml-api/xmit.js +34 -0
package/dist/lib/sml-api/xmit.js.map +1 -0
package/dist/server/health.d.ts +16 -0
package/dist/server/health.d.ts.map +1 -0
package/dist/server/health.js +39 -0
package/dist/server/health.js.map +1 -0
package/dist/server/index.d.ts +3 -0
package/dist/server/index.d.ts.map +1 -0
package/dist/server/index.js +193 -0
package/dist/server/index.js.map +1 -0
package/dist/server/payments/ap2.d.ts +17 -0
package/dist/server/payments/ap2.d.ts.map +1 -0
package/dist/server/payments/ap2.js +75 -0
package/dist/server/payments/ap2.js.map +1 -0
package/dist/server/payments/receipt.d.ts +28 -0
package/dist/server/payments/receipt.d.ts.map +1 -0
package/dist/server/payments/receipt.js +60 -0
package/dist/server/payments/receipt.js.map +1 -0
package/dist/server/payments/router.d.ts +23 -0
package/dist/server/payments/router.d.ts.map +1 -0
package/dist/server/payments/router.js +69 -0
package/dist/server/payments/router.js.map +1 -0
package/dist/server/payments/wallet.d.ts +18 -0
package/dist/server/payments/wallet.d.ts.map +1 -0
package/dist/server/payments/wallet.js +107 -0
package/dist/server/payments/wallet.js.map +1 -0
package/dist/server/payments/x402.d.ts +29 -0
package/dist/server/payments/x402.d.ts.map +1 -0
package/dist/server/payments/x402.js +122 -0
package/dist/server/payments/x402.js.map +1 -0
package/dist/server/registry/catalog.d.ts +12 -0
package/dist/server/registry/catalog.d.ts.map +1 -0
package/dist/server/registry/catalog.js +55 -0
package/dist/server/registry/catalog.js.map +1 -0
package/dist/server/registry/discovery.d.ts +16 -0
package/dist/server/registry/discovery.d.ts.map +1 -0
package/dist/server/registry/discovery.js +33 -0
package/dist/server/registry/discovery.js.map +1 -0
package/dist/server/registry/pricing.d.ts +10 -0
package/dist/server/registry/pricing.d.ts.map +1 -0
package/dist/server/registry/pricing.js +66 -0
package/dist/server/registry/pricing.js.map +1 -0
package/dist/server/security/acl.d.ts +28 -0
package/dist/server/security/acl.d.ts.map +1 -0
package/dist/server/security/acl.js +36 -0
package/dist/server/security/acl.js.map +1 -0
package/dist/server/security/audit.d.ts +15 -0
package/dist/server/security/audit.d.ts.map +1 -0
package/dist/server/security/audit.js +77 -0
package/dist/server/security/audit.js.map +1 -0
package/dist/server/security/rate-limit.d.ts +12 -0
package/dist/server/security/rate-limit.d.ts.map +1 -0
package/dist/server/security/rate-limit.js +72 -0
package/dist/server/security/rate-limit.js.map +1 -0
package/dist/server/security/sandbox.d.ts +7 -0
package/dist/server/security/sandbox.d.ts.map +1 -0
package/dist/server/security/sandbox.js +42 -0
package/dist/server/security/sandbox.js.map +1 -0
package/dist/server/tools/agentcard.d.ts +3 -0
package/dist/server/tools/agentcard.d.ts.map +1 -0
package/dist/server/tools/agentcard.js +118 -0
package/dist/server/tools/agentcard.js.map +1 -0
package/dist/server/tools/backtest.d.ts +3 -0
package/dist/server/tools/backtest.d.ts.map +1 -0
package/dist/server/tools/backtest.js +112 -0
package/dist/server/tools/backtest.js.map +1 -0
package/dist/server/tools/brokers.d.ts +3 -0
package/dist/server/tools/brokers.d.ts.map +1 -0
package/dist/server/tools/brokers.js +223 -0
package/dist/server/tools/brokers.js.map +1 -0
package/dist/server/tools/copytrader.d.ts +3 -0
package/dist/server/tools/copytrader.d.ts.map +1 -0
package/dist/server/tools/copytrader.js +90 -0
package/dist/server/tools/copytrader.js.map +1 -0
package/dist/server/tools/crawl.d.ts +3 -0
package/dist/server/tools/crawl.d.ts.map +1 -0
package/dist/server/tools/crawl.js +60 -0
package/dist/server/tools/crawl.js.map +1 -0
package/dist/server/tools/discovery.d.ts +3 -0
package/dist/server/tools/discovery.d.ts.map +1 -0
package/dist/server/tools/discovery.js +188 -0
package/dist/server/tools/discovery.js.map +1 -0
package/dist/server/tools/echo.d.ts +3 -0
package/dist/server/tools/echo.d.ts.map +1 -0
package/dist/server/tools/echo.js +48 -0
package/dist/server/tools/echo.js.map +1 -0
package/dist/server/tools/forge.d.ts +3 -0
package/dist/server/tools/forge.d.ts.map +1 -0
package/dist/server/tools/forge.js +77 -0
package/dist/server/tools/forge.js.map +1 -0
package/dist/server/tools/ftd.d.ts +3 -0
package/dist/server/tools/ftd.d.ts.map +1 -0
package/dist/server/tools/ftd.js +70 -0
package/dist/server/tools/ftd.js.map +1 -0
package/dist/server/tools/ghost.d.ts +3 -0
package/dist/server/tools/ghost.d.ts.map +1 -0
package/dist/server/tools/ghost.js +83 -0
package/dist/server/tools/ghost.js.map +1 -0
package/dist/server/tools/index.d.ts +3 -0
package/dist/server/tools/index.d.ts.map +1 -0
package/dist/server/tools/index.js +44 -0
package/dist/server/tools/index.js.map +1 -0
package/dist/server/tools/launchpad.d.ts +3 -0
package/dist/server/tools/launchpad.d.ts.map +1 -0
package/dist/server/tools/launchpad.js +151 -0
package/dist/server/tools/launchpad.js.map +1 -0
package/dist/server/tools/leviathan.d.ts +3 -0
package/dist/server/tools/leviathan.d.ts.map +1 -0
package/dist/server/tools/leviathan.js +73 -0
package/dist/server/tools/leviathan.js.map +1 -0
package/dist/server/tools/nexus.d.ts +3 -0
package/dist/server/tools/nexus.d.ts.map +1 -0
package/dist/server/tools/nexus.js +65 -0
package/dist/server/tools/nexus.js.map +1 -0
package/dist/server/tools/proof402.d.ts +3 -0
package/dist/server/tools/proof402.d.ts.map +1 -0
package/dist/server/tools/proof402.js +74 -0
package/dist/server/tools/proof402.js.map +1 -0
package/dist/server/tools/rails.d.ts +3 -0
package/dist/server/tools/rails.d.ts.map +1 -0
package/dist/server/tools/rails.js +82 -0
package/dist/server/tools/rails.js.map +1 -0
package/dist/server/tools/shadow.d.ts +3 -0
package/dist/server/tools/shadow.d.ts.map +1 -0
package/dist/server/tools/shadow.js +114 -0
package/dist/server/tools/shadow.js.map +1 -0
package/dist/server/tools/squeezeos.d.ts +3 -0
package/dist/server/tools/squeezeos.d.ts.map +1 -0
package/dist/server/tools/squeezeos.js +231 -0
package/dist/server/tools/squeezeos.js.map +1 -0
package/dist/server/tools/xdeo.d.ts +3 -0
package/dist/server/tools/xdeo.d.ts.map +1 -0
package/dist/server/tools/xdeo.js +58 -0
package/dist/server/tools/xdeo.js.map +1 -0
package/dist/server/tools/xmit.d.ts +3 -0
package/dist/server/tools/xmit.d.ts.map +1 -0
package/dist/server/tools/xmit.js +59 -0
package/dist/server/tools/xmit.js.map +1 -0
package/docker-compose.yml +50 -0
package/llms.txt +70 -0
package/package.json +77 -0
package/render.yaml +39 -0
package/sdk/mcp-x402-sdk/package.json +18 -0
package/sdk/mcp-x402-sdk/src/index.ts +118 -0
package/sdk/mcp-x402-sdk/tsconfig.json +14 -0
package/server.json +60 -0
package/services/backtest_service.py +176 -0
package/src/lib/chains/base.ts +77 -0
package/src/lib/chains/solana.ts +59 -0
package/src/lib/chains/xrpl.ts +63 -0
package/src/lib/credit/bureau.ts +65 -0
package/src/lib/sml-api/agentcard.ts +40 -0
package/src/lib/sml-api/backtest.ts +47 -0
package/src/lib/sml-api/brokers.ts +160 -0
package/src/lib/sml-api/copytrader.ts +33 -0
package/src/lib/sml-api/crawl.ts +44 -0
package/src/lib/sml-api/echo.ts +28 -0
package/src/lib/sml-api/forge.ts +33 -0
package/src/lib/sml-api/ftd.ts +53 -0
package/src/lib/sml-api/ghost.ts +35 -0
package/src/lib/sml-api/launchpad.ts +43 -0
package/src/lib/sml-api/leviathan.ts +49 -0
package/src/lib/sml-api/nexus.ts +50 -0
package/src/lib/sml-api/proof402.ts +27 -0
package/src/lib/sml-api/rails.ts +34 -0
package/src/lib/sml-api/shadow.ts +35 -0
package/src/lib/sml-api/squeezeos.ts +95 -0
package/src/lib/sml-api/xdeo.ts +40 -0
package/src/lib/sml-api/xmit.ts +40 -0
package/src/server/health.ts +52 -0
package/src/server/index.ts +206 -0
package/src/server/payments/ap2.ts +99 -0
package/src/server/payments/receipt.ts +85 -0
package/src/server/payments/router.ts +110 -0
package/src/server/payments/wallet.ts +123 -0
package/src/server/payments/x402.ts +162 -0
package/src/server/registry/catalog.ts +61 -0
package/src/server/registry/discovery.ts +39 -0
package/src/server/registry/pricing.ts +76 -0
package/src/server/security/acl.ts +42 -0
package/src/server/security/audit.ts +94 -0
package/src/server/security/rate-limit.ts +84 -0
package/src/server/security/sandbox.ts +40 -0
package/src/server/tools/agentcard.ts +134 -0
package/src/server/tools/backtest.ts +119 -0
package/src/server/tools/brokers.ts +250 -0
package/src/server/tools/copytrader.ts +104 -0
package/src/server/tools/crawl.ts +70 -0
package/src/server/tools/discovery.ts +202 -0
package/src/server/tools/echo.ts +58 -0
package/src/server/tools/forge.ts +87 -0
package/src/server/tools/ftd.ts +88 -0
package/src/server/tools/ghost.ts +93 -0
package/src/server/tools/index.ts +42 -0
package/src/server/tools/launchpad.ts +173 -0
package/src/server/tools/leviathan.ts +81 -0
package/src/server/tools/nexus.ts +76 -0
package/src/server/tools/proof402.ts +87 -0
package/src/server/tools/rails.ts +92 -0
package/src/server/tools/shadow.ts +128 -0
package/src/server/tools/squeezeos.ts +312 -0
package/src/server/tools/xdeo.ts +67 -0
package/src/server/tools/xmit.ts +68 -0
package/tests/integration/e2e.test.ts +51 -0
package/tests/unit/payments.test.ts +49 -0
package/tests/unit/security.test.ts +92 -0
package/tests/unit/tools.test.ts +42 -0
package/tsconfig.json +21 -0
package/vitest.config.ts +20 -0

package/src/server/health.ts ADDED Viewed

@@ -0,0 +1,52 @@
+import type { Request, Response } from 'express';
+const startTime = Date.now();
+export interface HealthStatus {
+  status: 'ok' | 'degraded';
+  version: string;
+  transport: string;
+  uptime_seconds: number;
+  uptime_human: string;
+  timestamp: string;
+  checks: {
+    process: 'ok';
+    memory_mb: number;
+    memory_ok: boolean;
+  };
+}
+function formatUptime(ms: number): string {
+  const s = Math.floor(ms / 1000);
+  const m = Math.floor(s / 60);
+  const h = Math.floor(m / 60);
+  const d = Math.floor(h / 24);
+  if (d > 0) return `${d}d ${h % 24}h ${m % 60}m`;
+  if (h > 0) return `${h}h ${m % 60}m ${s % 60}s`;
+  if (m > 0) return `${m}m ${s % 60}s`;
+  return `${s}s`;
+}
+export function healthHandler(_req: Request, res: Response): void {
+  const uptimeMs = Date.now() - startTime;
+  const memMb = Math.round(process.memoryUsage().rss / 1024 / 1024);
+  const memOk = memMb < 450; // warn if approaching 512MB container limit
+  const body: HealthStatus = {
+    status: memOk ? 'ok' : 'degraded',
+    version: process.env['npm_package_version'] ?? '1.0.0',
+    transport: process.env['MCP_TRANSPORT'] ?? 'stdio',
+    uptime_seconds: Math.floor(uptimeMs / 1000),
+    uptime_human: formatUptime(uptimeMs),
+    timestamp: new Date().toISOString(),
+    checks: {
+      process: 'ok',
+      memory_mb: memMb,
+      memory_ok: memOk,
+    },
+  };
+  // Return 200 even if degraded — let the orchestrator decide.
+  // Only return 5xx if the process itself is fundamentally broken.
+  res.status(200).json(body);
+}

package/src/server/index.ts ADDED Viewed

@@ -0,0 +1,206 @@
+#!/usr/bin/env node
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { SSEServerTransport } from '@modelcontextprotocol/sdk/server/sse.js';
+import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
+import express from 'express';
+import { randomUUID } from 'crypto';
+import cors from 'cors';
+import { registerTools } from './tools/index.js';
+import { AuditLogger } from './security/audit.js';
+import { RateLimiter } from './security/rate-limit.js';
+import { healthHandler } from './health.js';
+const VERSION = '1.0.0';
+async function createServer(): Promise<McpServer> {
+  const server = new McpServer(
+    { name: 'mcp-x402', version: VERSION },
+    { capabilities: { tools: {} } },
+  );
+  await registerTools(server);
+  return server;
+}
+async function runStdio(): Promise<void> {
+  const server = await createServer();
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+  AuditLogger.getInstance().info('server_start', { transport: 'stdio', version: VERSION });
+  const shutdown = async () => {
+    AuditLogger.getInstance().info('server_stop', { transport: 'stdio' });
+    await server.close();
+    process.exit(0);
+  };
+  process.on('SIGINT', shutdown);
+  process.on('SIGTERM', shutdown);
+  // Keep stdio process alive
+  process.stdin.on('end', () => {
+    AuditLogger.getInstance().warn('stdio_stdin_end', {});
+    process.exit(0);
+  });
+}
+async function runSSE(): Promise<void> {
+  const app = express();
+  const port = parseInt(process.env['MCP_SSE_PORT'] ?? '3402', 10);
+  app.use(cors({ origin: process.env['CORS_ORIGIN'] ?? '*' }));
+  app.use(express.json({ limit: '1mb' }));
+  // Health endpoint
+  app.get('/health', healthHandler);
+  app.get('/agents.json', (_req, res) => {
+    res.sendFile('agents.json', { root: process.cwd() });
+  });
+  app.get('/llms.txt', (_req, res) => {
+    res.sendFile('llms.txt', { root: process.cwd() });
+  });
+  app.get('/.well-known/agentcard.json', (_req, res) => {
+    res.sendFile('.well-known/agentcard.json', { root: process.cwd() });
+  });
+  // FIX: Root handler — was 404, now returns service discovery
+  app.get('/', (_req, res) => {
+    res.json({
+      name: 'mcp-x402',
+      version: VERSION,
+      description: 'The x402 Amazon — 43+ tools, pay-per-call via XRPL. scriptmasterlabs.com',
+      status: 'online',
+      transport: 'streamable-http + sse',
+      endpoints: {
+        mcp_streamable: 'POST /mcp',
+        sse_connect: 'GET /sse',
+        sse_messages: 'POST /messages',
+        health: 'GET /health',
+        agentCard: 'GET /.well-known/agentcard.json',
+        llms: 'GET /llms.txt',
+      },
+      links: {
+        github: 'https://github.com/Timwal78/SML_Portfolio/tree/main/mcp-x402',
+        homepage: 'https://scriptmasterlabs.com',
+      },
+    });
+  });
+  // Streamable HTTP transport — claude.ai web connectors
+  const streamableTransports = new Map<string, StreamableHTTPServerTransport>();
+  app.post('/mcp', async (req, res) => {
+    const sessionId = req.headers['mcp-session-id'] as string | undefined;
+    let transport = sessionId ? streamableTransports.get(sessionId) : undefined;
+    if (!transport) {
+      const newSessionId = randomUUID();
+      transport = new StreamableHTTPServerTransport({ sessionIdGenerator: () => newSessionId });
+      streamableTransports.set(newSessionId, transport);
+      transport.onclose = () => streamableTransports.delete(newSessionId);
+      const server = await createServer();
+      await server.connect(transport);
+      AuditLogger.getInstance().info('mcp_connect', { sessionId: newSessionId });
+    }
+    await transport.handleRequest(req, res, req.body);
+  });
+  // FIX: GET /mcp with no session was 404, now returns service info
+  app.get('/mcp', async (req, res) => {
+    const sessionId = req.headers['mcp-session-id'] as string | undefined;
+    const transport = sessionId ? streamableTransports.get(sessionId) : undefined;
+    if (!transport) {
+      res.json({
+        name: 'mcp-x402',
+        version: VERSION,
+        protocol: 'MCP/streamable-http',
+        status: 'ready',
+        tools: '43+ tools available',
+        how_to_connect: 'POST /mcp with a JSON-RPC initialize request',
+        sse_alternative: 'GET /sse for legacy SSE transport',
+        health: '/health',
+        homepage: 'https://scriptmasterlabs.com',
+      });
+      return;
+    }
+    await transport.handleRequest(req, res);
+  });
+  app.delete('/mcp', async (req, res) => {
+    const sessionId = req.headers['mcp-session-id'] as string | undefined;
+    const transport = sessionId ? streamableTransports.get(sessionId) : undefined;
+    if (!transport) { res.status(404).json({ error: 'session_not_found' }); return; }
+    await transport.handleRequest(req, res);
+  });
+  const transports = new Map<string, SSEServerTransport>();
+  const rateLimiter = RateLimiter.getInstance();
+  app.get('/sse', async (req, res) => {
+    const clientIp = req.ip ?? 'unknown';
+    if (!rateLimiter.checkIp(clientIp)) {
+      res.status(429).json({ error: 'rate_limit_exceeded', retry_after: 60 });
+      return;
+    }
+    const transport = new SSEServerTransport('/messages', res);
+    const sessionId = transport.sessionId;
+    transports.set(sessionId, transport);
+    const server = await createServer();
+    await server.connect(transport);
+    AuditLogger.getInstance().info('sse_connect', { sessionId, clientIp });
+    res.on('close', async () => {
+      transports.delete(sessionId);
+      AuditLogger.getInstance().info('sse_disconnect', { sessionId });
+      await server.close();
+    });
+  });
+  app.post('/messages', async (req, res) => {
+    const sessionId = req.query['sessionId'] as string | undefined;
+    if (!sessionId) { res.status(400).json({ error: 'missing_session_id' }); return; }
+    const transport = transports.get(sessionId);
+    if (!transport) { res.status(404).json({ error: 'session_not_found' }); return; }
+    await transport.handlePostMessage(req, res);
+  });
+  const httpServer = await new Promise<ReturnType<typeof app.listen>>(
+    (resolve) => {
+      const s = app.listen(port, () => resolve(s));
+    },
+  );
+  AuditLogger.getInstance().info('server_start', { transport: 'sse', port, version: VERSION });
+  console.error(`[mcp-x402] listening on :${port} — health: http://localhost:${port}/health`);
+  const shutdown = async () => {
+    AuditLogger.getInstance().info('server_stop', { transport: 'sse' });
+    for (const [id] of transports) {
+      AuditLogger.getInstance().info('sse_force_close', { sessionId: id });
+    }
+    httpServer.close(() => process.exit(0));
+    setTimeout(() => process.exit(1), 10_000).unref();
+  };
+  process.on('SIGINT', shutdown);
+  process.on('SIGTERM', shutdown);
+  process.on('uncaughtException', (err) => {
+    AuditLogger.getInstance().error('uncaught_exception', { error: String(err), stack: err.stack ?? '' });
+  });
+  process.on('unhandledRejection', (reason) => {
+    AuditLogger.getInstance().error('unhandledRejection', { reason: String(reason) });
+  });
+}
+const transport = process.env['MCP_TRANSPORT'] ?? 'stdio';
+if (transport === 'sse') {
+  runSSE().catch((err) => {
+    console.error('[mcp-x402] fatal:', err);
+    process.exit(1);
+  });
+} else {
+  runStdio().catch((err) => {
+    console.error('[mcp-x402] fatal:', err);
+    process.exit(1);
+  });
+}

package/src/server/payments/ap2.ts ADDED Viewed

@@ -0,0 +1,99 @@
+import { AuditLogger } from '../security/audit.js';
+export interface MandateParams {
+  maxAmount: string;
+  currency: string;
+  toolName: string;
+}
+interface MandateCache {
+  valid: boolean;
+  expiresAt: number;
+}
+// In-memory mandate cache — 5 minute TTL per wallet+tool combination
+const mandateCache = new Map<string, MandateCache>();
+export class AP2Client {
+  private static instance: AP2Client;
+  private readonly baseUrl: string;
+  private constructor() {
+    this.baseUrl = process.env['SML_API_BASE'] ?? 'https://api.scriptmasterlabs.com';
+  }
+  static getInstance(): AP2Client {
+    if (!AP2Client.instance) {
+      AP2Client.instance = new AP2Client();
+    }
+    return AP2Client.instance;
+  }
+  async verifyMandate(wallet: string, params: MandateParams): Promise<boolean> {
+    const cacheKey = `${wallet}:${params.toolName}:${params.currency}`;
+    const cached = mandateCache.get(cacheKey);
+    if (cached && cached.expiresAt > Date.now()) {
+      return cached.valid;
+    }
+    const audit = AuditLogger.getInstance();
+    try {
+      const controller = new AbortController();
+      const timeout = setTimeout(() => controller.abort(), 5000);
+      const res = await fetch(`${this.baseUrl}/ap2/v1/mandate/verify`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          wallet,
+          max_amount: params.maxAmount,
+          currency: params.currency,
+          tool: params.toolName,
+        }),
+        signal: controller.signal,
+      });
+      clearTimeout(timeout);
+      if (!res.ok) {
+        audit.warn('ap2_mandate_http_error', { status: res.status, wallet });
+        mandateCache.set(cacheKey, { valid: false, expiresAt: Date.now() + 60_000 });
+        return false;
+      }
+      const body = (await res.json()) as { valid: boolean; expires_in?: number };
+      const ttl = (body.expires_in ?? 300) * 1000;
+      mandateCache.set(cacheKey, { valid: body.valid, expiresAt: Date.now() + ttl });
+      return body.valid;
+    } catch (err) {
+      audit.error('ap2_mandate_error', { error: String(err), wallet });
+      // Fail closed — if AP2 is unreachable, deny payment
+      return false;
+    }
+  }
+  async createMandate(
+    wallet: string,
+    params: { dailyCap: string; currency: string },
+  ): Promise<string> {
+    const res = await fetch(`${this.baseUrl}/ap2/v1/mandate/create`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        wallet,
+        daily_cap: params.dailyCap,
+        currency: params.currency,
+      }),
+    });
+    if (!res.ok) {
+      throw new Error(`AP2 mandate creation failed: HTTP ${res.status}`);
+    }
+    const body = (await res.json()) as { mandate_id: string };
+    return body.mandate_id;
+  }
+}

package/src/server/payments/receipt.ts ADDED Viewed

@@ -0,0 +1,85 @@
+import { createHash, randomUUID } from 'crypto';
+import { AuditLogger } from '../security/audit.js';
+export interface ReceiptInput {
+  txHash: string;
+  chain: string;
+  amount: string;
+  currency: string;
+  tool: string;
+  wallet: string;
+}
+export interface Receipt {
+  id: string;
+  txHash: string;
+  chain: string;
+  amount: string;
+  currency: string;
+  tool: string;
+  wallet: string;
+  issuedAt: number;
+  hash: string;
+}
+export class ReceiptStore {
+  private static instance: ReceiptStore;
+  private readonly baseUrl: string;
+  private constructor() {
+    this.baseUrl = process.env['SML_API_BASE'] ?? 'https://api.scriptmasterlabs.com';
+  }
+  static getInstance(): ReceiptStore {
+    if (!ReceiptStore.instance) {
+      ReceiptStore.instance = new ReceiptStore();
+    }
+    return ReceiptStore.instance;
+  }
+  async create(input: ReceiptInput): Promise<Receipt> {
+    const id = randomUUID();
+    const issuedAt = Date.now();
+    // Content hash for tamper detection
+    const hash = createHash('sha256')
+      .update(`${id}:${input.txHash}:${input.chain}:${input.amount}:${input.currency}:${input.tool}:${input.wallet}:${issuedAt}`)
+      .digest('hex');
+    const receipt: Receipt = { id, ...input, issuedAt, hash };
+    // Attempt to register with 402Proof server (N7)
+    try {
+      await this.registerWithProofServer(receipt);
+    } catch (err) {
+      // Log but don't fail — local receipt is still valid
+      AuditLogger.getInstance().warn('proof_server_register_fail', { error: String(err), receiptId: id });
+    }
+    AuditLogger.getInstance().info('receipt_issued', { receiptId: id, tool: input.tool });
+    return receipt;
+  }
+  private async registerWithProofServer(receipt: Receipt): Promise<void> {
+    const proofUrl = process.env['PROOF402_URL'] ?? 'https://four02proof.onrender.com';
+    const res = await fetch(`${proofUrl}/v1/receipt`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        receipt_id: receipt.id,
+        tx_hash: receipt.txHash,
+        chain: receipt.chain,
+        amount: receipt.amount,
+        currency: receipt.currency,
+        tool: receipt.tool,
+        wallet: receipt.wallet,
+        issued_at: receipt.issuedAt,
+        hash: receipt.hash,
+      }),
+    });
+    if (!res.ok) {
+      throw new Error(`402Proof server returned HTTP ${res.status}`);
+    }
+  }
+}

package/src/server/payments/router.ts ADDED Viewed

@@ -0,0 +1,110 @@
+import { AuditLogger } from '../security/audit.js';
+import { BaseChain } from '../../lib/chains/base.js';
+import { XRPLChain } from '../../lib/chains/xrpl.js';
+import { SolanaChain } from '../../lib/chains/solana.js';
+export interface RouteParams {
+  amount: string;
+  currency: 'USDC' | 'RLUSD';
+  from: string;
+  to: string;
+  timeoutMs?: number;
+}
+export interface RouteResult {
+  txHash: string;
+  chain: string;
+  latencyMs: number;
+}
+// Chain preference order: cheapest/fastest first (N13)
+const CHAIN_PREFERENCE = ['base', 'xrpl', 'solana'] as const;
+export class ChainRouter {
+  private static instance: ChainRouter;
+  private constructor(
+    private readonly base = BaseChain.getInstance(),
+    private readonly xrpl = XRPLChain.getInstance(),
+    private readonly solana = SolanaChain.getInstance(),
+  ) {}
+  static getInstance(): ChainRouter {
+    if (!ChainRouter.instance) {
+      ChainRouter.instance = new ChainRouter();
+    }
+    return ChainRouter.instance;
+  }
+  async route(params: RouteParams): Promise<RouteResult> {
+    const audit = AuditLogger.getInstance();
+    const timeout = params.timeoutMs ?? 3000;
+    // For RLUSD, prefer XRPL
+    const ordered =
+      params.currency === 'RLUSD'
+        ? (['xrpl', 'base', 'solana'] as const)
+        : CHAIN_PREFERENCE;
+    const errors: string[] = [];
+    for (const chain of ordered) {
+      try {
+        const start = Date.now();
+        let txHash: string;
+        switch (chain) {
+          case 'base':
+            txHash = await this.withTimeout(
+              this.base.sendPayment(params),
+              timeout,
+              'base',
+            );
+            break;
+          case 'xrpl':
+            txHash = await this.withTimeout(
+              this.xrpl.sendPayment(params),
+              timeout,
+              'xrpl',
+            );
+            break;
+          case 'solana':
+            txHash = await this.withTimeout(
+              this.solana.sendPayment(params),
+              timeout,
+              'solana',
+            );
+            break;
+        }
+        const latencyMs = Date.now() - start;
+        audit.info('chain_route_success', { chain, latencyMs, tx: txHash });
+        return { txHash, chain, latencyMs };
+      } catch (err) {
+        const msg = String(err);
+        errors.push(`${chain}: ${msg}`);
+        audit.warn('chain_route_fail', { chain, error: msg });
+      }
+    }
+    throw new Error(`All chains failed.\n${errors.join('\n')}`);
+  }
+  private withTimeout<T>(
+    promise: Promise<T>,
+    ms: number,
+    chain: string,
+  ): Promise<T> {
+    return new Promise((resolve, reject) => {
+      const t = setTimeout(
+        () => reject(new Error(`${chain} timeout after ${ms}ms`)),
+        ms,
+      );
+      promise.then(
+        (v) => { clearTimeout(t); resolve(v); },
+        (e) => { clearTimeout(t); reject(e); },
+      );
+    });
+  }
+}

package/src/server/payments/wallet.ts ADDED Viewed

@@ -0,0 +1,123 @@
+import { AuditLogger } from '../security/audit.js';
+const KEYCHAIN_SERVICE = 'mcp-x402';
+const KEYCHAIN_ACCOUNT = 'master-seed';
+export interface WalletInfo {
+  address: string;
+  chain: 'base' | 'xrpl' | 'solana';
+}
+export class WalletManager {
+  private static instance: WalletManager;
+  private cachedAddress: string | null = null;
+  private cachedSeed: string | null = null;
+  private constructor() {}
+  static getInstance(): WalletManager {
+    if (!WalletManager.instance) {
+      WalletManager.instance = new WalletManager();
+    }
+    return WalletManager.instance;
+  }
+  // Try OS keychain; returns null if keytar is unavailable (Docker/cloud) or no entry exists.
+  private async keytarGet(): Promise<string | null> {
+    try {
+      const kt = await import('keytar');
+      return await kt.getPassword(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT);
+    } catch {
+      return null;
+    }
+  }
+  private async keytarSet(value: string): Promise<void> {
+    try {
+      const kt = await import('keytar');
+      await kt.setPassword(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT, value);
+    } catch {
+      // Silently skip — keytar unavailable in this environment
+    }
+  }
+  // Seed resolution priority:
+  // 1. OS keychain (local desktop — most secure)
+  // 2. WALLET_SEED env var (Render secret — cloud/Docker deployment)
+  // 3. CI_WALLET_SEED env var (CI only, never production)
+  // 4. Generate fresh and try to persist in keychain
+  async getSeed(): Promise<string> {
+    if (this.cachedSeed) return this.cachedSeed;
+    const audit = AuditLogger.getInstance();
+    let seed = await this.keytarGet();
+    if (!seed) {
+      const envSeed = process.env['WALLET_SEED'];
+      if (envSeed) {
+        seed = envSeed;
+        audit.warn('wallet_env_seed', { note: 'Using WALLET_SEED env var (cloud deployment).' });
+      } else if (process.env['CI_WALLET_SEED'] && process.env['NODE_ENV'] !== 'production') {
+        seed = process.env['CI_WALLET_SEED'];
+        audit.warn('wallet_ci_fallback', { note: 'Using CI_WALLET_SEED. NEVER do this in production.' });
+      } else {
+        const { generateMnemonic } = await import('bip39');
+        seed = generateMnemonic(256);
+        await this.keytarSet(seed);
+        audit.info('wallet_created', { note: 'New BIP-39 seed generated.' });
+      }
+    }
+    this.cachedSeed = seed;
+    return seed;
+  }
+  async getOrCreateWallet(): Promise<WalletInfo> {
+    if (this.cachedAddress) {
+      return { address: this.cachedAddress, chain: 'base' };
+    }
+    const audit = AuditLogger.getInstance();
+    const seed = await this.getSeed();
+    const address = await this.deriveAddress(seed);
+    this.cachedAddress = address;
+    audit.info('wallet_loaded', { address });
+    return { address, chain: 'base' };
+  }
+  private async deriveAddress(mnemonic: string): Promise<string> {
+    // BIP-44 deterministic derivation: m/44'/60'/0'/0/0 (Base = EVM)
+    const { mnemonicToSeedSync } = await import('bip39');
+    const { default: HDKey } = await import('hdkey');
+    const { privateKeyToAccount } = await import('viem/accounts');
+    const seed = mnemonicToSeedSync(mnemonic);
+    const hdkey = HDKey.fromMasterSeed(seed);
+    const child = hdkey.derive("m/44'/60'/0'/0/0");
+    if (!child.privateKey) {
+      throw new Error('Failed to derive private key from HD path');
+    }
+    const account = privateKeyToAccount(`0x${child.privateKey.toString('hex')}`);
+    return account.address;
+  }
+  async signPayload(payload: string): Promise<string> {
+    const mnemonic = await this.getSeed();
+    const { mnemonicToSeedSync } = await import('bip39');
+    const { default: HDKey } = await import('hdkey');
+    const { privateKeyToAccount } = await import('viem/accounts');
+    const seed = mnemonicToSeedSync(mnemonic);
+    const hdkey = HDKey.fromMasterSeed(seed);
+    const child = hdkey.derive("m/44'/60'/0'/0/0");
+    if (!child.privateKey) throw new Error('Key derivation failed');
+    const account = privateKeyToAccount(`0x${child.privateKey.toString('hex')}`);
+    return account.signMessage({ message: payload });
+  }
+}