npm - @scriptmasterlabs/mcp-x402 - Versions diffs - 2.0.0 - Mend

@scriptmasterlabs/mcp-x402 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (304) hide show

package/.env.example +35 -0
package/.github/workflows/ci.yml +59 -0
package/.github/workflows/keepalive.yml +31 -0
package/.well-known/agentcard.json +34 -0
package/CONTRIBUTING.md +76 -0
package/Dockerfile +19 -0
package/LICENSE +21 -0
package/README.md +304 -0
package/agents.json +67 -0
package/dist/lib/chains/base.d.ts +10 -0
package/dist/lib/chains/base.d.ts.map +1 -0
package/dist/lib/chains/base.js +73 -0
package/dist/lib/chains/base.js.map +1 -0
package/dist/lib/chains/solana.d.ts +10 -0
package/dist/lib/chains/solana.d.ts.map +1 -0
package/dist/lib/chains/solana.js +49 -0
package/dist/lib/chains/solana.js.map +1 -0
package/dist/lib/chains/xrpl.d.ts +10 -0
package/dist/lib/chains/xrpl.d.ts.map +1 -0
package/dist/lib/chains/xrpl.js +55 -0
package/dist/lib/chains/xrpl.js.map +1 -0
package/dist/lib/credit/bureau.d.ts +10 -0
package/dist/lib/credit/bureau.d.ts.map +1 -0
package/dist/lib/credit/bureau.js +58 -0
package/dist/lib/credit/bureau.js.map +1 -0
package/dist/lib/sml-api/agentcard.d.ts +17 -0
package/dist/lib/sml-api/agentcard.d.ts.map +1 -0
package/dist/lib/sml-api/agentcard.js +30 -0
package/dist/lib/sml-api/agentcard.js.map +1 -0
package/dist/lib/sml-api/backtest.d.ts +22 -0
package/dist/lib/sml-api/backtest.d.ts.map +1 -0
package/dist/lib/sml-api/backtest.js +28 -0
package/dist/lib/sml-api/backtest.js.map +1 -0
package/dist/lib/sml-api/brokers.d.ts +40 -0
package/dist/lib/sml-api/brokers.d.ts.map +1 -0
package/dist/lib/sml-api/brokers.js +128 -0
package/dist/lib/sml-api/brokers.js.map +1 -0
package/dist/lib/sml-api/copytrader.d.ts +11 -0
package/dist/lib/sml-api/copytrader.d.ts.map +1 -0
package/dist/lib/sml-api/copytrader.js +30 -0
package/dist/lib/sml-api/copytrader.js.map +1 -0
package/dist/lib/sml-api/crawl.d.ts +20 -0
package/dist/lib/sml-api/crawl.d.ts.map +1 -0
package/dist/lib/sml-api/crawl.js +32 -0
package/dist/lib/sml-api/crawl.js.map +1 -0
package/dist/lib/sml-api/echo.d.ts +10 -0
package/dist/lib/sml-api/echo.d.ts.map +1 -0
package/dist/lib/sml-api/echo.js +23 -0
package/dist/lib/sml-api/echo.js.map +1 -0
package/dist/lib/sml-api/forge.d.ts +11 -0
package/dist/lib/sml-api/forge.d.ts.map +1 -0
package/dist/lib/sml-api/forge.js +29 -0
package/dist/lib/sml-api/forge.js.map +1 -0
package/dist/lib/sml-api/ftd.d.ts +18 -0
package/dist/lib/sml-api/ftd.d.ts.map +1 -0
package/dist/lib/sml-api/ftd.js +43 -0
package/dist/lib/sml-api/ftd.js.map +1 -0
package/dist/lib/sml-api/ghost.d.ts +13 -0
package/dist/lib/sml-api/ghost.d.ts.map +1 -0
package/dist/lib/sml-api/ghost.js +29 -0
package/dist/lib/sml-api/ghost.js.map +1 -0
package/dist/lib/sml-api/launchpad.d.ts +20 -0
package/dist/lib/sml-api/launchpad.d.ts.map +1 -0
package/dist/lib/sml-api/launchpad.js +31 -0
package/dist/lib/sml-api/launchpad.js.map +1 -0
package/dist/lib/sml-api/leviathan.d.ts +22 -0
package/dist/lib/sml-api/leviathan.d.ts.map +1 -0
package/dist/lib/sml-api/leviathan.js +33 -0
package/dist/lib/sml-api/leviathan.js.map +1 -0
package/dist/lib/sml-api/nexus.d.ts +18 -0
package/dist/lib/sml-api/nexus.d.ts.map +1 -0
package/dist/lib/sml-api/nexus.js +40 -0
package/dist/lib/sml-api/nexus.js.map +1 -0
package/dist/lib/sml-api/proof402.d.ts +6 -0
package/dist/lib/sml-api/proof402.d.ts.map +1 -0
package/dist/lib/sml-api/proof402.js +30 -0
package/dist/lib/sml-api/proof402.js.map +1 -0
package/dist/lib/sml-api/rails.d.ts +12 -0
package/dist/lib/sml-api/rails.d.ts.map +1 -0
package/dist/lib/sml-api/rails.js +29 -0
package/dist/lib/sml-api/rails.js.map +1 -0
package/dist/lib/sml-api/shadow.d.ts +15 -0
package/dist/lib/sml-api/shadow.d.ts.map +1 -0
package/dist/lib/sml-api/shadow.js +27 -0
package/dist/lib/sml-api/shadow.js.map +1 -0
package/dist/lib/sml-api/squeezeos.d.ts +21 -0
package/dist/lib/sml-api/squeezeos.d.ts.map +1 -0
package/dist/lib/sml-api/squeezeos.js +97 -0
package/dist/lib/sml-api/squeezeos.js.map +1 -0
package/dist/lib/sml-api/xdeo.d.ts +13 -0
package/dist/lib/sml-api/xdeo.d.ts.map +1 -0
package/dist/lib/sml-api/xdeo.js +34 -0
package/dist/lib/sml-api/xdeo.js.map +1 -0
package/dist/lib/sml-api/xmit.d.ts +13 -0
package/dist/lib/sml-api/xmit.d.ts.map +1 -0
package/dist/lib/sml-api/xmit.js +34 -0
package/dist/lib/sml-api/xmit.js.map +1 -0
package/dist/server/health.d.ts +16 -0
package/dist/server/health.d.ts.map +1 -0
package/dist/server/health.js +39 -0
package/dist/server/health.js.map +1 -0
package/dist/server/index.d.ts +3 -0
package/dist/server/index.d.ts.map +1 -0
package/dist/server/index.js +193 -0
package/dist/server/index.js.map +1 -0
package/dist/server/payments/ap2.d.ts +17 -0
package/dist/server/payments/ap2.d.ts.map +1 -0
package/dist/server/payments/ap2.js +75 -0
package/dist/server/payments/ap2.js.map +1 -0
package/dist/server/payments/receipt.d.ts +28 -0
package/dist/server/payments/receipt.d.ts.map +1 -0
package/dist/server/payments/receipt.js +60 -0
package/dist/server/payments/receipt.js.map +1 -0
package/dist/server/payments/router.d.ts +23 -0
package/dist/server/payments/router.d.ts.map +1 -0
package/dist/server/payments/router.js +69 -0
package/dist/server/payments/router.js.map +1 -0
package/dist/server/payments/wallet.d.ts +18 -0
package/dist/server/payments/wallet.d.ts.map +1 -0
package/dist/server/payments/wallet.js +107 -0
package/dist/server/payments/wallet.js.map +1 -0
package/dist/server/payments/x402.d.ts +29 -0
package/dist/server/payments/x402.d.ts.map +1 -0
package/dist/server/payments/x402.js +122 -0
package/dist/server/payments/x402.js.map +1 -0
package/dist/server/registry/catalog.d.ts +12 -0
package/dist/server/registry/catalog.d.ts.map +1 -0
package/dist/server/registry/catalog.js +55 -0
package/dist/server/registry/catalog.js.map +1 -0
package/dist/server/registry/discovery.d.ts +16 -0
package/dist/server/registry/discovery.d.ts.map +1 -0
package/dist/server/registry/discovery.js +33 -0
package/dist/server/registry/discovery.js.map +1 -0
package/dist/server/registry/pricing.d.ts +10 -0
package/dist/server/registry/pricing.d.ts.map +1 -0
package/dist/server/registry/pricing.js +66 -0
package/dist/server/registry/pricing.js.map +1 -0
package/dist/server/security/acl.d.ts +28 -0
package/dist/server/security/acl.d.ts.map +1 -0
package/dist/server/security/acl.js +36 -0
package/dist/server/security/acl.js.map +1 -0
package/dist/server/security/audit.d.ts +15 -0
package/dist/server/security/audit.d.ts.map +1 -0
package/dist/server/security/audit.js +77 -0
package/dist/server/security/audit.js.map +1 -0
package/dist/server/security/rate-limit.d.ts +12 -0
package/dist/server/security/rate-limit.d.ts.map +1 -0
package/dist/server/security/rate-limit.js +72 -0
package/dist/server/security/rate-limit.js.map +1 -0
package/dist/server/security/sandbox.d.ts +7 -0
package/dist/server/security/sandbox.d.ts.map +1 -0
package/dist/server/security/sandbox.js +42 -0
package/dist/server/security/sandbox.js.map +1 -0
package/dist/server/tools/agentcard.d.ts +3 -0
package/dist/server/tools/agentcard.d.ts.map +1 -0
package/dist/server/tools/agentcard.js +118 -0
package/dist/server/tools/agentcard.js.map +1 -0
package/dist/server/tools/backtest.d.ts +3 -0
package/dist/server/tools/backtest.d.ts.map +1 -0
package/dist/server/tools/backtest.js +112 -0
package/dist/server/tools/backtest.js.map +1 -0
package/dist/server/tools/brokers.d.ts +3 -0
package/dist/server/tools/brokers.d.ts.map +1 -0
package/dist/server/tools/brokers.js +223 -0
package/dist/server/tools/brokers.js.map +1 -0
package/dist/server/tools/copytrader.d.ts +3 -0
package/dist/server/tools/copytrader.d.ts.map +1 -0
package/dist/server/tools/copytrader.js +90 -0
package/dist/server/tools/copytrader.js.map +1 -0
package/dist/server/tools/crawl.d.ts +3 -0
package/dist/server/tools/crawl.d.ts.map +1 -0
package/dist/server/tools/crawl.js +60 -0
package/dist/server/tools/crawl.js.map +1 -0
package/dist/server/tools/discovery.d.ts +3 -0
package/dist/server/tools/discovery.d.ts.map +1 -0
package/dist/server/tools/discovery.js +188 -0
package/dist/server/tools/discovery.js.map +1 -0
package/dist/server/tools/echo.d.ts +3 -0
package/dist/server/tools/echo.d.ts.map +1 -0
package/dist/server/tools/echo.js +48 -0
package/dist/server/tools/echo.js.map +1 -0
package/dist/server/tools/forge.d.ts +3 -0
package/dist/server/tools/forge.d.ts.map +1 -0
package/dist/server/tools/forge.js +77 -0
package/dist/server/tools/forge.js.map +1 -0
package/dist/server/tools/ftd.d.ts +3 -0
package/dist/server/tools/ftd.d.ts.map +1 -0
package/dist/server/tools/ftd.js +70 -0
package/dist/server/tools/ftd.js.map +1 -0
package/dist/server/tools/ghost.d.ts +3 -0
package/dist/server/tools/ghost.d.ts.map +1 -0
package/dist/server/tools/ghost.js +83 -0
package/dist/server/tools/ghost.js.map +1 -0
package/dist/server/tools/index.d.ts +3 -0
package/dist/server/tools/index.d.ts.map +1 -0
package/dist/server/tools/index.js +44 -0
package/dist/server/tools/index.js.map +1 -0
package/dist/server/tools/launchpad.d.ts +3 -0
package/dist/server/tools/launchpad.d.ts.map +1 -0
package/dist/server/tools/launchpad.js +151 -0
package/dist/server/tools/launchpad.js.map +1 -0
package/dist/server/tools/leviathan.d.ts +3 -0
package/dist/server/tools/leviathan.d.ts.map +1 -0
package/dist/server/tools/leviathan.js +73 -0
package/dist/server/tools/leviathan.js.map +1 -0
package/dist/server/tools/nexus.d.ts +3 -0
package/dist/server/tools/nexus.d.ts.map +1 -0
package/dist/server/tools/nexus.js +65 -0
package/dist/server/tools/nexus.js.map +1 -0
package/dist/server/tools/proof402.d.ts +3 -0
package/dist/server/tools/proof402.d.ts.map +1 -0
package/dist/server/tools/proof402.js +74 -0
package/dist/server/tools/proof402.js.map +1 -0
package/dist/server/tools/rails.d.ts +3 -0
package/dist/server/tools/rails.d.ts.map +1 -0
package/dist/server/tools/rails.js +82 -0
package/dist/server/tools/rails.js.map +1 -0
package/dist/server/tools/shadow.d.ts +3 -0
package/dist/server/tools/shadow.d.ts.map +1 -0
package/dist/server/tools/shadow.js +114 -0
package/dist/server/tools/shadow.js.map +1 -0
package/dist/server/tools/squeezeos.d.ts +3 -0
package/dist/server/tools/squeezeos.d.ts.map +1 -0
package/dist/server/tools/squeezeos.js +231 -0
package/dist/server/tools/squeezeos.js.map +1 -0
package/dist/server/tools/xdeo.d.ts +3 -0
package/dist/server/tools/xdeo.d.ts.map +1 -0
package/dist/server/tools/xdeo.js +58 -0
package/dist/server/tools/xdeo.js.map +1 -0
package/dist/server/tools/xmit.d.ts +3 -0
package/dist/server/tools/xmit.d.ts.map +1 -0
package/dist/server/tools/xmit.js +59 -0
package/dist/server/tools/xmit.js.map +1 -0
package/docker-compose.yml +50 -0
package/llms.txt +70 -0
package/package.json +77 -0
package/render.yaml +39 -0
package/sdk/mcp-x402-sdk/package.json +18 -0
package/sdk/mcp-x402-sdk/src/index.ts +118 -0
package/sdk/mcp-x402-sdk/tsconfig.json +14 -0
package/server.json +60 -0
package/services/backtest_service.py +176 -0
package/src/lib/chains/base.ts +77 -0
package/src/lib/chains/solana.ts +59 -0
package/src/lib/chains/xrpl.ts +63 -0
package/src/lib/credit/bureau.ts +65 -0
package/src/lib/sml-api/agentcard.ts +40 -0
package/src/lib/sml-api/backtest.ts +47 -0
package/src/lib/sml-api/brokers.ts +160 -0
package/src/lib/sml-api/copytrader.ts +33 -0
package/src/lib/sml-api/crawl.ts +44 -0
package/src/lib/sml-api/echo.ts +28 -0
package/src/lib/sml-api/forge.ts +33 -0
package/src/lib/sml-api/ftd.ts +53 -0
package/src/lib/sml-api/ghost.ts +35 -0
package/src/lib/sml-api/launchpad.ts +43 -0
package/src/lib/sml-api/leviathan.ts +49 -0
package/src/lib/sml-api/nexus.ts +50 -0
package/src/lib/sml-api/proof402.ts +27 -0
package/src/lib/sml-api/rails.ts +34 -0
package/src/lib/sml-api/shadow.ts +35 -0
package/src/lib/sml-api/squeezeos.ts +95 -0
package/src/lib/sml-api/xdeo.ts +40 -0
package/src/lib/sml-api/xmit.ts +40 -0
package/src/server/health.ts +52 -0
package/src/server/index.ts +206 -0
package/src/server/payments/ap2.ts +99 -0
package/src/server/payments/receipt.ts +85 -0
package/src/server/payments/router.ts +110 -0
package/src/server/payments/wallet.ts +123 -0
package/src/server/payments/x402.ts +162 -0
package/src/server/registry/catalog.ts +61 -0
package/src/server/registry/discovery.ts +39 -0
package/src/server/registry/pricing.ts +76 -0
package/src/server/security/acl.ts +42 -0
package/src/server/security/audit.ts +94 -0
package/src/server/security/rate-limit.ts +84 -0
package/src/server/security/sandbox.ts +40 -0
package/src/server/tools/agentcard.ts +134 -0
package/src/server/tools/backtest.ts +119 -0
package/src/server/tools/brokers.ts +250 -0
package/src/server/tools/copytrader.ts +104 -0
package/src/server/tools/crawl.ts +70 -0
package/src/server/tools/discovery.ts +202 -0
package/src/server/tools/echo.ts +58 -0
package/src/server/tools/forge.ts +87 -0
package/src/server/tools/ftd.ts +88 -0
package/src/server/tools/ghost.ts +93 -0
package/src/server/tools/index.ts +42 -0
package/src/server/tools/launchpad.ts +173 -0
package/src/server/tools/leviathan.ts +81 -0
package/src/server/tools/nexus.ts +76 -0
package/src/server/tools/proof402.ts +87 -0
package/src/server/tools/rails.ts +92 -0
package/src/server/tools/shadow.ts +128 -0
package/src/server/tools/squeezeos.ts +312 -0
package/src/server/tools/xdeo.ts +67 -0
package/src/server/tools/xmit.ts +68 -0
package/tests/integration/e2e.test.ts +51 -0
package/tests/unit/payments.test.ts +49 -0
package/tests/unit/security.test.ts +92 -0
package/tests/unit/tools.test.ts +42 -0
package/tsconfig.json +21 -0
package/vitest.config.ts +20 -0

package/src/server/payments/x402.ts ADDED Viewed

@@ -0,0 +1,162 @@
+import { z } from 'zod';
+import { AuditLogger } from '../security/audit.js';
+import { AP2Client } from './ap2.js';
+import { WalletManager } from './wallet.js';
+import { ChainRouter } from './router.js';
+import { ReceiptStore } from './receipt.js';
+import { CreditBureau } from '../../lib/credit/bureau.js';
+import { PriceRegistry } from '../registry/pricing.js';
+export const PaymentConfigSchema = z.object({
+  price: z.string().regex(/^\d+(\.\d+)?$/),
+  currency: z.enum(['USDC', 'RLUSD']),
+  toolName: z.string(),
+  walletAddress: z.string().optional(),
+});
+export type PaymentConfig = z.infer<typeof PaymentConfigSchema>;
+export interface PaymentResult {
+  receiptId: string;
+  txHash: string;
+  chain: string;
+  amountPaid: string;
+  currency: string;
+  timestamp: number;
+  walletAddress: string;
+}
+const AUTO_APPROVE_THRESHOLD = parseFloat(
+  process.env['AUTO_APPROVE_THRESHOLD_USD'] ?? '1.0',
+);
+const DAILY_SPEND_CAP = parseFloat(
+  process.env['DAILY_SPEND_CAP_USD'] ?? '50.0',
+);
+const dailySpend = new Map<string, { amount: number; date: string }>();
+function getTodayKey(): string {
+  return new Date().toISOString().slice(0, 10);
+}
+function getDailySpend(wallet: string): number {
+  const today = getTodayKey();
+  const entry = dailySpend.get(wallet);
+  if (!entry || entry.date !== today) return 0;
+  return entry.amount;
+}
+function addDailySpend(wallet: string, amount: number): void {
+  const today = getTodayKey();
+  const current = getDailySpend(wallet);
+  dailySpend.set(wallet, { amount: current + amount, date: today });
+}
+export async function executeX402Payment(
+  config: PaymentConfig,
+): Promise<PaymentResult> {
+  const audit = AuditLogger.getInstance();
+  const wallet = await WalletManager.getInstance().getOrCreateWallet();
+  const walletAddress = wallet.address;
+  // Enforce daily spend cap (N9)
+  const priceNum = parseFloat(config.price);
+  const currentSpend = getDailySpend(walletAddress);
+  if (currentSpend + priceNum > DAILY_SPEND_CAP) {
+    audit.warn('spend_cap_exceeded', {
+      wallet: walletAddress,
+      current: currentSpend,
+      requested: priceNum,
+      cap: DAILY_SPEND_CAP,
+    });
+    throw new Error(
+      `Daily spend cap of $${DAILY_SPEND_CAP} exceeded. Current: $${currentSpend.toFixed(4)}`,
+    );
+  }
+  // Verify price cache freshness (N12)
+  const cachedPrice = await PriceRegistry.getInstance().getPrice(config.toolName);
+  if (!cachedPrice) {
+    throw new Error('Price data stale or unavailable. Rejecting payment.');
+  }
+  if (cachedPrice !== config.price) {
+    throw new Error(
+      `Price mismatch: expected ${cachedPrice}, got ${config.price}. Cache may be stale.`,
+    );
+  }
+  // Credit Bureau check (N8)
+  const score = await CreditBureau.getInstance().getScore(walletAddress);
+  const autoApprove = priceNum <= AUTO_APPROVE_THRESHOLD && score >= 300;
+  audit.info('payment_attempt', {
+    tool: config.toolName,
+    price: config.price,
+    currency: config.currency,
+    wallet: walletAddress,
+    bureauScore: score,
+    autoApprove,
+  });
+  if (!autoApprove && score < 300) {
+    throw new Error(
+      `Credit Bureau score ${score} below minimum 300. Payment requires manual approval.`,
+    );
+  }
+  // AP2 mandate verification (N6)
+  const ap2 = AP2Client.getInstance();
+  const mandateValid = await ap2.verifyMandate(walletAddress, {
+    maxAmount: config.price,
+    currency: config.currency,
+    toolName: config.toolName,
+  });
+  if (!mandateValid) {
+    audit.warn('ap2_mandate_rejected', { wallet: walletAddress, tool: config.toolName });
+    throw new Error(
+      'AP2 mandate verification failed. Agent not authorized for this payment.',
+    );
+  }
+  // Route payment to cheapest/fastest chain (N13)
+  const router = ChainRouter.getInstance();
+  const txResult = await router.route({
+    amount: config.price,
+    currency: config.currency,
+    from: walletAddress,
+    to: process.env['SML_PAYMENT_RECEIVER'] ?? '',
+    timeoutMs: 500,
+  });
+  addDailySpend(walletAddress, priceNum);
+  // Generate 402Proof receipt (N7)
+  const receipt = await ReceiptStore.getInstance().create({
+    txHash: txResult.txHash,
+    chain: txResult.chain,
+    amount: config.price,
+    currency: config.currency,
+    tool: config.toolName,
+    wallet: walletAddress,
+  });
+  audit.info('payment_success', {
+    receiptId: receipt.id,
+    txHash: txResult.txHash,
+    chain: txResult.chain,
+    tool: config.toolName,
+    wallet: walletAddress,
+  });
+  return {
+    receiptId: receipt.id,
+    txHash: txResult.txHash,
+    chain: txResult.chain,
+    amountPaid: config.price,
+    currency: config.currency,
+    timestamp: Date.now(),
+    walletAddress,
+  };
+}

package/src/server/registry/catalog.ts ADDED Viewed

@@ -0,0 +1,61 @@
+export interface ToolMeta {
+  name: string;
+  description: string;
+  price: string;
+  currency: 'USDC' | 'RLUSD';
+  freeTier?: string;
+  ap2Required: boolean;
+  cacheTtl?: number;
+}
+export const CATALOG: ToolMeta[] = [
+  {
+    name: 'leviathan_signal',
+    description: 'Institutional-grade squeeze signals. Multi-engine verdict for any ticker.',
+    price: '0.05',
+    currency: 'USDC',
+    ap2Required: true,
+  },
+  {
+    name: 'xmit_edgar_decode',
+    description: 'Parse SEC DEF 14A / 13F / 13D filings. Raw text never leaves SML servers.',
+    price: '0.02',
+    currency: 'USDC',
+    ap2Required: true,
+  },
+  {
+    name: 'xdeo_earnings_estimate',
+    description: 'Decentralized earnings oracle. +2 bureau_score on success.',
+    price: '0.02',
+    currency: 'USDC',
+    ap2Required: true,
+  },
+  {
+    name: 'ftd_threshold_scan',
+    description: 'SEC Reg SHO FTD data. Alerts free; full data 0.05 USDC. 15-min cache.',
+    price: '0.05',
+    currency: 'USDC',
+    ap2Required: false,
+    freeTier: 'alerts_only',
+    cacheTtl: 900,
+  },
+  {
+    name: 'nexus_agent_hire',
+    description: 'Agent marketplace. Query free; hire charges 5% commission.',
+    price: '0.00',
+    currency: 'USDC',
+    ap2Required: false,
+    freeTier: 'query_only',
+  },
+  {
+    name: 'crawl_paid_fetch',
+    description: 'Pay-per-fetch scraping. Humans bypass free.',
+    price: '0.005',
+    currency: 'USDC',
+    ap2Required: false,
+  },
+];
+export function getToolMeta(name: string): ToolMeta | undefined {
+  return CATALOG.find((t) => t.name === name);
+}

package/src/server/registry/discovery.ts ADDED Viewed

@@ -0,0 +1,39 @@
+import { readFileSync } from 'fs';
+import { join } from 'path';
+interface AgentsJson {
+  schema_version: string;
+  name: string;
+  tools: unknown[];
+}
+export class Discovery {
+  private static instance: Discovery;
+  private agentsJson: AgentsJson | null = null;
+  private llmsTxt: string | null = null;
+  private constructor() {}
+  static getInstance(): Discovery {
+    if (!Discovery.instance) {
+      Discovery.instance = new Discovery();
+    }
+    return Discovery.instance;
+  }
+  getAgentsJson(): AgentsJson {
+    if (!this.agentsJson) {
+      const path = join(process.cwd(), 'agents.json');
+      this.agentsJson = JSON.parse(readFileSync(path, 'utf8')) as AgentsJson;
+    }
+    return this.agentsJson;
+  }
+  getLlmsTxt(): string {
+    if (!this.llmsTxt) {
+      const path = join(process.cwd(), 'llms.txt');
+      this.llmsTxt = readFileSync(path, 'utf8');
+    }
+    return this.llmsTxt;
+  }
+}

package/src/server/registry/pricing.ts ADDED Viewed

@@ -0,0 +1,76 @@
+const PRICE_CACHE_TTL = parseInt(process.env['PRICE_CACHE_TTL_MS'] ?? '60000', 10);
+const BASE_PRICES: Record<string, string> = {
+  leviathan_signal: '0.05',
+  xmit_edgar_decode: '0.02',
+  xdeo_earnings_estimate: '0.02',
+  ftd_threshold_scan: '0.05',
+  nexus_agent_hire: '0.00', // commission-based
+  crawl_paid_fetch: '0.005',
+};
+interface CachedPrice {
+  price: string;
+  fetchedAt: number;
+}
+export class PriceRegistry {
+  private static instance: PriceRegistry;
+  private readonly cache = new Map<string, CachedPrice>();
+  private readonly baseUrl: string;
+  private constructor() {
+    this.baseUrl = process.env['SML_API_BASE'] ?? 'https://api.scriptmasterlabs.com';
+  }
+  static getInstance(): PriceRegistry {
+    if (!PriceRegistry.instance) {
+      PriceRegistry.instance = new PriceRegistry();
+    }
+    return PriceRegistry.instance;
+  }
+  async getPrice(toolName: string): Promise<string | null> {
+    const cached = this.cache.get(toolName);
+    const now = Date.now();
+    if (cached && now - cached.fetchedAt < PRICE_CACHE_TTL) {
+      return cached.price;
+    }
+    // Fetch live price from SML pricing API
+    try {
+      const res = await fetch(`${this.baseUrl}/pricing/v1/tool/${toolName}`, {
+        signal: AbortSignal.timeout(3000),
+      });
+      if (res.ok) {
+        const body = (await res.json()) as { price: string };
+        this.cache.set(toolName, { price: body.price, fetchedAt: now });
+        return body.price;
+      }
+    } catch {
+      // Fall through to hardcoded baseline
+    }
+    // Use hardcoded baseline if API unavailable
+    const fallback = BASE_PRICES[toolName];
+    if (fallback !== undefined) {
+      // Cache fallback for 30s (half normal TTL) to retry sooner
+      this.cache.set(toolName, { price: fallback, fetchedAt: now - PRICE_CACHE_TTL / 2 });
+      return fallback;
+    }
+    // Price unknown and cache stale (N12) — reject
+    return null;
+  }
+  seedDefaults(): void {
+    const now = Date.now();
+    for (const [tool, price] of Object.entries(BASE_PRICES)) {
+      if (!this.cache.has(tool)) {
+        this.cache.set(tool, { price, fetchedAt: now });
+      }
+    }
+  }
+}

package/src/server/security/acl.ts ADDED Viewed

@@ -0,0 +1,42 @@
+import { z } from 'zod';
+export const ToolACLSchema = z.object({
+  toolName: z.string(),
+  walletAddress: z.string().optional(),
+  creditScore: z.number().optional(),
+  paidTier: z.boolean().default(false),
+});
+export type ToolACL = z.infer<typeof ToolACLSchema>;
+const FREE_TOOLS = new Set(['ftd_threshold_scan_alerts', 'nexus_agent_hire_query']);
+export class ACL {
+  private static instance: ACL;
+  private constructor() {}
+  static getInstance(): ACL {
+    if (!ACL.instance) {
+      ACL.instance = new ACL();
+    }
+    return ACL.instance;
+  }
+  isFree(toolName: string): boolean {
+    return FREE_TOOLS.has(toolName);
+  }
+  requiresPayment(toolName: string): boolean {
+    return !this.isFree(toolName);
+  }
+  requiresAP2(toolName: string): boolean {
+    // leviathan, xmit, xdeo require AP2 per spec
+    return ['leviathan_signal', 'xmit_edgar_decode', 'xdeo_earnings_estimate'].includes(toolName);
+  }
+  minCreditScore(_toolName: string): number {
+    return 300;
+  }
+}

package/src/server/security/audit.ts ADDED Viewed

@@ -0,0 +1,94 @@
+import { createHash, createHmac } from 'crypto';
+import { appendFileSync } from 'fs';
+type LogLevel = 'info' | 'warn' | 'error';
+interface LogEntry {
+  seq: number;
+  ts: number;
+  level: LogLevel;
+  event: string;
+  data: Record<string, unknown>;
+  prev_hash: string;
+  hash: string;
+}
+// Append-only SHA-256 chained audit log (N5)
+// Each entry includes the hash of the previous entry — tampering breaks the chain.
+export class AuditLogger {
+  private static instance: AuditLogger;
+  private seq = 0;
+  private prevHash = '0000000000000000000000000000000000000000000000000000000000000000';
+  private readonly logPath: string;
+  private readonly hmacSecret: string;
+  private constructor() {
+    this.logPath = process.env['AUDIT_LOG_PATH'] ?? './audit.log';
+    this.hmacSecret = process.env['AUDIT_HMAC_SECRET'] ?? 'mcp-x402-audit-secret';
+  }
+  static getInstance(): AuditLogger {
+    if (!AuditLogger.instance) {
+      AuditLogger.instance = new AuditLogger();
+    }
+    return AuditLogger.instance;
+  }
+  private log(level: LogLevel, event: string, data: Record<string, unknown>): void {
+    const seq = ++this.seq;
+    const ts = Date.now();
+    // Redact PII (N3): hash wallet addresses, never log raw filing content
+    const safeData = this.redact(data);
+    const payload = JSON.stringify({ seq, ts, level, event, data: safeData, prev_hash: this.prevHash });
+    const hash = createHmac('sha256', this.hmacSecret).update(payload).digest('hex');
+    const entry: LogEntry = {
+      seq,
+      ts,
+      level,
+      event,
+      data: safeData,
+      prev_hash: this.prevHash,
+      hash,
+    };
+    this.prevHash = hash;
+    try {
+      appendFileSync(this.logPath, JSON.stringify(entry) + '\n', 'utf8');
+    } catch {
+      // If log write fails, emit to stderr but don't crash
+      process.stderr.write(`[audit-fail] ${JSON.stringify(entry)}\n`);
+    }
+  }
+  private redact(data: Record<string, unknown>): Record<string, unknown> {
+    const out: Record<string, unknown> = {};
+    for (const [k, v] of Object.entries(data)) {
+      if (k === 'wallet' || k === 'address') {
+        // Hash wallet addresses (N3)
+        out[k] = createHash('sha256').update(String(v)).digest('hex').slice(0, 16) + '...';
+      } else if (k === 'content' || k === 'raw_text' || k === 'filing') {
+        // Never log raw filing data (N3)
+        out[k] = '[REDACTED]';
+      } else {
+        out[k] = v;
+      }
+    }
+    return out;
+  }
+  info(event: string, data: Record<string, unknown> = {}): void {
+    this.log('info', event, data);
+  }
+  warn(event: string, data: Record<string, unknown> = {}): void {
+    this.log('warn', event, data);
+  }
+  error(event: string, data: Record<string, unknown> = {}): void {
+    this.log('error', event, data);
+  }
+}

package/src/server/security/rate-limit.ts ADDED Viewed

@@ -0,0 +1,84 @@
+interface BucketState {
+  minute: { count: number; resetAt: number };
+  day: { count: number; resetAt: number };
+}
+const PER_TOOL_MINUTE_LIMIT = 100;
+const PER_WALLET_DAY_LIMIT = 1000;
+const IP_MINUTE_LIMIT = 200;
+function nowMs(): number {
+  return Date.now();
+}
+export class RateLimiter {
+  private static instance: RateLimiter;
+  private readonly toolBuckets = new Map<string, BucketState>();
+  private readonly walletBuckets = new Map<string, BucketState>();
+  private readonly ipBuckets = new Map<string, { count: number; resetAt: number }>();
+  private constructor() {}
+  static getInstance(): RateLimiter {
+    if (!RateLimiter.instance) {
+      RateLimiter.instance = new RateLimiter();
+    }
+    return RateLimiter.instance;
+  }
+  checkTool(toolName: string): boolean {
+    const now = nowMs();
+    let bucket = this.toolBuckets.get(toolName);
+    if (!bucket) {
+      bucket = {
+        minute: { count: 0, resetAt: now + 60_000 },
+        day: { count: 0, resetAt: now + 86_400_000 },
+      };
+      this.toolBuckets.set(toolName, bucket);
+    }
+    if (now > bucket.minute.resetAt) {
+      bucket.minute = { count: 0, resetAt: now + 60_000 };
+    }
+    if (bucket.minute.count >= PER_TOOL_MINUTE_LIMIT) return false;
+    bucket.minute.count++;
+    return true;
+  }
+  checkWallet(wallet: string): boolean {
+    const now = nowMs();
+    let bucket = this.walletBuckets.get(wallet);
+    if (!bucket) {
+      bucket = {
+        minute: { count: 0, resetAt: now + 60_000 },
+        day: { count: 0, resetAt: now + 86_400_000 },
+      };
+      this.walletBuckets.set(wallet, bucket);
+    }
+    if (now > bucket.day.resetAt) {
+      bucket.day = { count: 0, resetAt: now + 86_400_000 };
+    }
+    if (bucket.day.count >= PER_WALLET_DAY_LIMIT) return false;
+    bucket.day.count++;
+    return true;
+  }
+  checkIp(ip: string): boolean {
+    const now = nowMs();
+    let entry = this.ipBuckets.get(ip);
+    if (!entry || now > entry.resetAt) {
+      entry = { count: 0, resetAt: now + 60_000 };
+      this.ipBuckets.set(ip, entry);
+    }
+    if (entry.count >= IP_MINUTE_LIMIT) return false;
+    entry.count++;
+    return true;
+  }
+}

package/src/server/security/sandbox.ts ADDED Viewed

@@ -0,0 +1,40 @@
+import { z } from 'zod';
+// Sandboxed input validation layer — all tool inputs pass through here before execution.
+// No eval(), no dynamic require(), no raw SQL (N4 enforcement at schema layer).
+export class Sandbox {
+  static validate<T>(schema: z.ZodType<T>, input: unknown): T {
+    const result = schema.safeParse(input);
+    if (!result.success) {
+      const issues = result.error.issues
+        .map((i) => `${i.path.join('.')}: ${i.message}`)
+        .join('; ');
+      throw new Error(`Input validation failed: ${issues}`);
+    }
+    return result.data;
+  }
+  // Ensure URL is http/https only — no file://, data://, javascript:
+  static validateUrl(raw: string): URL {
+    let url: URL;
+    try {
+      url = new URL(raw);
+    } catch {
+      throw new Error(`Invalid URL: ${raw}`);
+    }
+    if (url.protocol !== 'http:' && url.protocol !== 'https:') {
+      throw new Error(`Disallowed URL protocol: ${url.protocol}`);
+    }
+    return url;
+  }
+  // Strip any response content that looks like a prompt injection attempt
+  static sanitizeApiResponse(text: string): string {
+    // Remove common injection markers
+    return text
+      .replace(/<\/?system>/gi, '')
+      .replace(/\[INST\]/gi, '')
+      .replace(/\[\/?INST\]/gi, '')
+      .slice(0, 50_000); // Hard cap on returned content size
+  }
+}