agentcash 0.8.1 → 0.8.2

package/dist/cjs/run-server.cjs

@@ -6860,12 +6860,12 @@ var require_dist = __commonJS({
         throw new Error(`Unknown format "${name}"`);
       return f;
     };
-    function addFormats(ajv, list2, fs10, exportName) {
+    function addFormats(ajv, list2, fs11, exportName) {
       var _a2;
       var _b;
       (_a2 = (_b = ajv.opts.code).formats) !== null && _a2 !== void 0 ? _a2 : _b.formats = (0, codegen_1._)`require("ajv-formats/dist/formats").${exportName}`;
       for (const f of list2)
-        ajv.addFormat(f, fs10[f]);
+        ajv.addFormat(f, fs11[f]);
     }
     module2.exports = exports2 = formatsPlugin;
     Object.defineProperty(exports2, "__esModule", { value: true });
@@ -47364,7 +47364,7 @@ var require_node_gyp_build = __commonJS({
   "../../../node_modules/.pnpm/node-gyp-build@4.8.4/node_modules/node-gyp-build/node-gyp-build.js"(exports2, module2) {
     "use strict";
     init_cjs_shims();
-    var fs10 = require("fs");
+    var fs11 = require("fs");
     var path2 = require("path");
     var os2 = require("os");
     var runtimeRequire = typeof __webpack_require__ === "function" ? __non_webpack_require__ : require;
@@ -47425,7 +47425,7 @@ var require_node_gyp_build = __commonJS({
     };
     function readdirSync2(dir) {
       try {
-        return fs10.readdirSync(dir);
+        return fs11.readdirSync(dir);
       } catch (err3) {
         return [];
       }
@@ -47519,7 +47519,7 @@ var require_node_gyp_build = __commonJS({
       return typeof window !== "undefined" && window.process && window.process.type === "renderer";
     }
     function isAlpine(platform3) {
-      return platform3 === "linux" && fs10.existsSync("/etc/alpine-release");
+      return platform3 === "linux" && fs11.existsSync("/etc/alpine-release");
     }
     load.parseTags = parseTags;
     load.matchTags = matchTags;
@@ -64755,7 +64755,7 @@ init_cjs_shims();
 // src/shared/log.ts
 init_cjs_shims();
 
-// ../../internal/neverthrow/dist/index.js
+// ../../internal/neverthrow/src/index.ts
 init_cjs_shims();
 
 // ../../../node_modules/.pnpm/neverthrow@8.2.0/node_modules/neverthrow/dist/index.es.js
@@ -65238,7 +65238,7 @@ var Err = class {
 };
 var fromThrowable = Result.fromThrowable;
 
-// ../../internal/neverthrow/dist/index.js
+// ../../internal/neverthrow/src/index.ts
 function resultFromPromise(type4, surface2, promise3, error48) {
   return ResultAsync.fromPromise(promise3, (e) => ({
     ...error48(e),
@@ -113816,7 +113816,7 @@ var import_path2 = require("path");
 var import_url = require("url");
 function getVersion2() {
   if (true) {
-    return "0.8.1";
+    return "0.8.2";
   }
   const __dirname3 = (0, import_path2.dirname)((0, import_url.fileURLToPath)(importMetaUrl));
   const pkg = JSON.parse(
@@ -113979,7 +113979,7 @@ var TEMPO_TOKEN_ADDRESS = "0x20c0000000000000000000000000000000000000";
 
 // src/shared/mpp-enabled.ts
 init_cjs_shims();
-var isMppEnabled = () => "0.8.1".includes("-mpp");
+var isMppEnabled = () => "0.8.2".includes("-mpp");
 
 // src/shared/operations/fetch-with-payment.ts
 init_cjs_shims();
@@ -114848,9 +114848,35 @@ async function getTempoBalance({
   };
 }
 
+// src/shared/settings.ts
+init_cjs_shims();
+var import_fs4 = __toESM(require("fs"), 1);
+var SETTINGS_FILE = configFile("settings.json");
+var settingsSchema = zod_default.looseObject({
+  maxAmount: zod_default.number().positive()
+}).partial();
+var getSettings = () => {
+  if (!import_fs4.default.existsSync(SETTINGS_FILE)) {
+    return {};
+  }
+  const content = import_fs4.default.readFileSync(SETTINGS_FILE, "utf-8");
+  const result = settingsSchema.safeParse(JSON.parse(content));
+  if (!result.success) {
+    return {};
+  }
+  return result.data;
+};
+var setSettings = (settings) => {
+  const existing = getSettings();
+  const newSettings = settingsSchema.parse({ ...existing, ...settings });
+  import_fs4.default.writeFileSync(SETTINGS_FILE, JSON.stringify(newSettings, null, 2));
+};
+
 // src/shared/operations/fetch-with-payment.ts
+var DEFAULT_MAX_AMOUNT = 5;
 function createFetchWithPayment(options) {
-  const { surface: surface2, clients, paymentMethod, beforePayment, timeout } = options;
+  const { surface: surface2, clients, paymentMethod, beforePayment, timeout, maxAmount } = options;
+  const effectiveMaxAmount = maxAmount ?? getSettings().maxAmount ?? DEFAULT_MAX_AMOUNT;
   return async (request) => {
     const clonedRequest = request.clone();
     const fallbackRequest = request.clone();
@@ -114866,7 +114892,13 @@ function createFetchWithPayment(options) {
     const response = probeResult.value;
     if (paymentMethod !== "auto") {
       if (paymentMethod === "mpp") {
-        return handleMppPayment(surface2, response, clonedRequest, options);
+        return handleMppPayment(
+          surface2,
+          response,
+          clonedRequest,
+          options,
+          effectiveMaxAmount
+        );
       }
       return handleX402Payment(
         surface2,
@@ -114874,7 +114906,8 @@ function createFetchWithPayment(options) {
         clonedRequest,
         clients.x402,
         beforePayment,
-        timeout
+        timeout,
+        effectiveMaxAmount
       );
     }
     const available = detectPaymentProtocols(response);
@@ -114885,22 +114918,36 @@ function createFetchWithPayment(options) {
       preferred = await pickByBalance(surface2, response, options);
     }
     const fallback = available.length > 1 ? preferred === "mpp" ? "x402" : "mpp" : null;
-    const result = preferred === "mpp" ? await handleMppPayment(surface2, response, clonedRequest, options) : await handleX402Payment(
+    const result = preferred === "mpp" ? await handleMppPayment(
+      surface2,
+      response,
+      clonedRequest,
+      options,
+      effectiveMaxAmount
+    ) : await handleX402Payment(
       surface2,
       response,
       clonedRequest,
       clients.x402,
       beforePayment,
-      timeout
+      timeout,
+      effectiveMaxAmount
     );
     if (result.isErr() && fallback) {
-      return fallback === "mpp" ? handleMppPayment(surface2, response, fallbackRequest, options) : handleX402Payment(
+      return fallback === "mpp" ? handleMppPayment(
+        surface2,
+        response,
+        fallbackRequest,
+        options,
+        effectiveMaxAmount
+      ) : handleX402Payment(
         surface2,
         response,
         fallbackRequest,
         clients.x402,
         beforePayment,
-        timeout
+        timeout,
+        effectiveMaxAmount
       );
     }
     return result;
@@ -114952,7 +114999,7 @@ async function pickByBalance(surface2, response, options) {
   log.info(`Protocol selection \u2014 x402: $${x402Balance}, mpp: $${mppBalance}`);
   return x402Balance >= mppBalance ? "x402" : "mpp";
 }
-async function handleX402Payment(surface2, response, clonedRequest, client, beforePayment, timeout) {
+async function handleX402Payment(surface2, response, clonedRequest, client, beforePayment, timeout, maxAmount) {
   const paymentRequiredResult = await safeGetPaymentRequired(
     surface2,
     client,
@@ -114962,8 +115009,17 @@ async function handleX402Payment(surface2, response, clonedRequest, client, befo
     return paymentRequiredResult;
   }
   const paymentRequired = paymentRequiredResult.value;
+  const accept = paymentRequired.accepts[0];
+  if (accept) {
+    const amount2 = tokenStringToNumber(accept.amount);
+    if (amount2 > maxAmount) {
+      return x402Err(surface2, {
+        cause: "payment_already_attempted",
+        message: `Endpoint requested $${amount2} which exceeds the maximum allowed amount of $${maxAmount}. Pass a higher maxAmount on this call, or use update_settings to raise the default permanently.`
+      });
+    }
+  }
   if (beforePayment) {
-    const accept = paymentRequired.accepts[0];
     if (accept) {
       const amount2 = tokenStringToNumber(accept.amount);
       const hookResult = await resultFromPromise(
@@ -115036,7 +115092,7 @@ async function handleX402Payment(surface2, response, clonedRequest, client, befo
     }
   );
 }
-async function handleMppPayment(surface2, response, clonedRequest, options) {
+async function handleMppPayment(surface2, response, clonedRequest, options, maxAmount) {
   const { clients, beforePayment, timeout } = options;
   const mppxClient = clients.mpp;
   if (clonedRequest.headers.has("Authorization")) {
@@ -115053,6 +115109,15 @@ async function handleMppPayment(surface2, response, clonedRequest, options) {
   const amount2 = challenge2.request.amount;
   const decimals2 = challenge2.request.decimals ?? 6;
   const currency2 = challenge2.request.currency;
+  if (amount2) {
+    const numericAmount = Number(formatUnits(BigInt(amount2), decimals2));
+    if (numericAmount > maxAmount) {
+      return mppErr(surface2, {
+        cause: "mpp_payment_already_attempted",
+        message: `Endpoint requested $${numericAmount} which exceeds the maximum allowed amount of $${maxAmount}. Pass a higher maxAmount on this call, or use update_settings to raise the default permanently.`
+      });
+    }
+  }
   if (beforePayment && amount2 && currency2) {
     const numericAmount = Number(formatUnits(BigInt(amount2), decimals2));
     const hookResult = await resultFromPromise(
@@ -115393,6 +115458,12 @@ ${PRIMARY_ORIGINS.flatMap((o) => ORIGIN_METADATA[o] ? [`  ${o} \u2014 ${ORIGIN_M
   reportError: {
     mcp: `EMERGENCY ONLY. Report critical MCP tool bugs. Do NOT use for normal errors (balance, network, 4xx) \u2014 those are recoverable.`,
     cli: `Report a critical bug to the agentcash team (emergency only). Do NOT use for normal errors like low balance, network timeouts, or 4xx responses \u2014 those are recoverable without filing a report.`
+  },
+  updateSettings: {
+    mcp: `Update user settings (persisted to ~/.agentcash/settings.json). Currently supports maxAmount \u2014 the maximum USD amount allowed per fetch request. If a fetch response requests more than this, the payment is rejected. Returns the current settings after applying changes.`
+  },
+  getSettings: {
+    mcp: `Get current user settings. Returns persisted values from ~/.agentcash/settings.json with defaults applied.`
   }
 };
 var WORKFLOW = [
@@ -115429,7 +115500,8 @@ var REQUEST_PARAMS = {
 };
 var TOOL_PARAMS = {
   fetch: {
-    paymentMethod: "Payment protocol to use. Defaults to auto-detect."
+    paymentMethod: "Payment protocol to use. Defaults to auto-detect.",
+    maxAmount: "Maximum amount (in USD) to pay per request. Aborts if the endpoint requests more. Defaults to $5. Pass a higher value for known-expensive endpoints."
   },
   checkEndpointSchema: {
     url: "Full URL of the endpoint to inspect",
@@ -115594,7 +115666,8 @@ Insufficient Tempo balance for this payment.`
 var toolName = "fetch";
 var paymentMethodEnum = isMppEnabled() ? external_exports3.enum(["x402", "mpp", "auto"]) : external_exports3.enum(["x402", "auto"]);
 var fetchInputSchema = requestSchema.extend({
-  paymentMethod: paymentMethodEnum.default("auto").optional().describe(TOOL_PARAMS.fetch.paymentMethod)
+  paymentMethod: paymentMethodEnum.default("auto").optional().describe(TOOL_PARAMS.fetch.paymentMethod),
+  maxAmount: external_exports3.number().positive().optional().describe(TOOL_PARAMS.fetch.maxAmount)
 });
 var registerFetchTool = ({
   server,
@@ -115682,7 +115755,8 @@ var registerFetchTool = ({
         account,
         flags,
         beforePayment,
-        timeout: input.timeout ?? DEFAULT_USER_FETCH_TIMEOUT
+        timeout: input.timeout ?? DEFAULT_USER_FETCH_TIMEOUT,
+        maxAmount: input.maxAmount
       })(request);
       if (fetchResult.isErr()) {
         return mcpError(fetchResult);
@@ -115845,18 +115919,18 @@ init_cjs_shims();
 
 // src/shared/state.ts
 init_cjs_shims();
-var import_fs4 = __toESM(require("fs"), 1);
+var import_fs6 = __toESM(require("fs"), 1);
 var STATE_FILE = configFile("state.json");
 var stateSchema = zod_default.looseObject({
   redeemedCodes: zod_default.array(zod_default.string())
 }).partial();
 var getState = () => {
-  const stateFileExists = import_fs4.default.existsSync(STATE_FILE);
+  const stateFileExists = import_fs6.default.existsSync(STATE_FILE);
   if (!stateFileExists) {
-    import_fs4.default.writeFileSync(STATE_FILE, "{}");
+    import_fs6.default.writeFileSync(STATE_FILE, "{}");
     return {};
   }
-  const stateFileContent = import_fs4.default.readFileSync(STATE_FILE, "utf-8");
+  const stateFileContent = import_fs6.default.readFileSync(STATE_FILE, "utf-8");
   const result = stateSchema.safeParse(JSON.parse(stateFileContent));
   if (!result.success) {
     return {};
@@ -115866,7 +115940,7 @@ var getState = () => {
 var setState = (state) => {
   const existing = getState();
   const newState = stateSchema.parse({ ...existing, ...state });
-  import_fs4.default.writeFileSync(STATE_FILE, JSON.stringify(newState, null, 2));
+  import_fs6.default.writeFileSync(STATE_FILE, JSON.stringify(newState, null, 2));
 };
 
 // src/shared/operations/onboarding-cta.ts
@@ -117313,6 +117387,61 @@ function registerDiscoveryTools(server) {
   );
 }
 
+// src/server/tools/settings.ts
+init_cjs_shims();
+var registerSettingsTools = ({ server }) => {
+  server.registerTool(
+    "update_settings",
+    {
+      title: "Update Settings",
+      description: DESCRIPTIONS.updateSettings.mcp,
+      inputSchema: external_exports3.object({
+        maxAmount: external_exports3.number().positive().optional().describe(
+          `Maximum amount (USD) to pay per fetch request. Current default: $${DEFAULT_MAX_AMOUNT}.`
+        )
+      }),
+      annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false
+      }
+    },
+    safeHandler((input) => {
+      if (input.maxAmount !== void 0) {
+        setSettings({ maxAmount: input.maxAmount });
+      }
+      const settings = getSettings();
+      return Promise.resolve(
+        mcpSuccessStructuredJson({
+          maxAmount: settings.maxAmount ?? DEFAULT_MAX_AMOUNT
+        })
+      );
+    })
+  );
+  server.registerTool(
+    "get_settings",
+    {
+      title: "Get Settings",
+      description: DESCRIPTIONS.getSettings.mcp,
+      annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false
+      }
+    },
+    safeHandler(() => {
+      const settings = getSettings();
+      return Promise.resolve(
+        mcpSuccessStructuredJson({
+          maxAmount: settings.maxAmount ?? DEFAULT_MAX_AMOUNT
+        })
+      );
+    })
+  );
+};
+
 // src/server/resources/origins.ts
 init_cjs_shims();
 var surface = "registerOrigins";
@@ -117752,16 +117881,16 @@ var registerPrompts = (props) => {
 
 // src/server/lib/version.ts
 init_cjs_shims();
-var import_fs6 = require("fs");
+var import_fs8 = require("fs");
 var import_path3 = require("path");
 var import_url2 = require("url");
 function getVersion3() {
   if (true) {
-    return "0.8.1";
+    return "0.8.2";
   }
   const __dirname3 = (0, import_path3.dirname)((0, import_url2.fileURLToPath)(importMetaUrl));
   const pkg = JSON.parse(
-    (0, import_fs6.readFileSync)((0, import_path3.join)(__dirname3, "../../../package.json"), "utf-8")
+    (0, import_fs8.readFileSync)((0, import_path3.join)(__dirname3, "../../../package.json"), "utf-8")
   );
   return pkg.version;
 }
@@ -117770,7 +117899,7 @@ var DIST_TAG2 = MCP_VERSION2.includes("-beta") ? "beta" : "latest";
 
 // src/shared/wallet.ts
 init_cjs_shims();
-var import_fs7 = require("fs");
+var import_fs9 = require("fs");
 var import_path4 = require("path");
 var WALLET_FILE = configFile("wallet.json");
 var storedWalletSchema = zod_default.object({
@@ -117783,14 +117912,14 @@ var LEGACY_WALLET = (0, import_path4.join)(LEGACY_DIRECTORY, "wallet.json");
 var reconcileSurface = "wallet-reconcile";
 async function reconcileLegacyWallet(current, isNew) {
   const noChange = { account: current, isNew };
-  if (!(0, import_fs7.existsSync)(LEGACY_WALLET)) {
+  if (!(0, import_fs9.existsSync)(LEGACY_WALLET)) {
     return noChange;
   }
   const legacyResult = resultFromThrowable(
     "wallet",
     reconcileSurface,
     () => {
-      const raw = (0, import_fs7.readFileSync)(LEGACY_WALLET, "utf-8");
+      const raw = (0, import_fs9.readFileSync)(LEGACY_WALLET, "utf-8");
       return storedWalletSchema.parse(JSON.parse(raw));
     },
     () => ({
@@ -117874,7 +118003,7 @@ async function getWallet() {
   }
   const readFileResult = await safeReadFile(walletSurface, WALLET_FILE);
   if (!readFileResult.isOk()) {
-    const fileExistsResult = (0, import_fs7.existsSync)(WALLET_FILE);
+    const fileExistsResult = (0, import_fs9.existsSync)(WALLET_FILE);
     if (fileExistsResult) {
       return fsErr(walletSurface, {
         cause: "file_not_readable",
@@ -117927,7 +118056,7 @@ async function getWallet() {
 
 // src/shared/user-origins.ts
 init_cjs_shims();
-var fs9 = __toESM(require("fs"), 1);
+var fs10 = __toESM(require("fs"), 1);
 var ORIGINS_FILE = configFile("origins.json");
 var userOriginSchema = zod_default.object({
   url: zod_default.string(),
@@ -117939,8 +118068,8 @@ var originsFileSchema = zod_default.object({
   added: zod_default.array(userOriginSchema)
 });
 function readOriginsFile() {
-  if (!fs9.existsSync(ORIGINS_FILE)) return [];
-  const raw = fs9.readFileSync(ORIGINS_FILE, "utf-8");
+  if (!fs10.existsSync(ORIGINS_FILE)) return [];
+  const raw = fs10.readFileSync(ORIGINS_FILE, "utf-8");
   const json3 = safeParseJson("user-origins", raw);
   if (!json3.isOk()) return [];
   const parsed = originsFileSchema.safeParse(json3.value);
@@ -118007,6 +118136,7 @@ var startServer = async (flags) => {
   registerRedeemInviteTool(props);
   registerDiscoveryTools(server);
   registerTelemetryTools(props);
+  registerSettingsTools(props);
   registerPrompts(props);
   await registerOrigins({ server, flags });
   const transport = new StdioServerTransport();

package/dist/esm/{chunk-YQFK4U62.js → chunk-36KCO2CQ.js}

@@ -4,7 +4,7 @@ import {
   ok,
   resultFromPromise,
   resultFromThrowable
-} from "./chunk-6PU3XK6I.js";
+} from "./chunk-CM4BCEDY.js";
 import {
   isVerbose
 } from "./chunk-ISR6DJ53.js";
@@ -227,4 +227,4 @@ export {
   safeChmod,
   log
 };
-//# sourceMappingURL=chunk-YQFK4U62.js.map
+//# sourceMappingURL=chunk-36KCO2CQ.js.map

package/dist/esm/{chunk-X4YQNM7D.js → chunk-3WG74L5Z.js}

@@ -1,28 +1,29 @@
 import {
   REQUEST_PARAMS
-} from "./chunk-W7DAJMFQ.js";
+} from "./chunk-4ALGXM6F.js";
 import {
   getTempoBalance
-} from "./chunk-AVLTYWSD.js";
+} from "./chunk-FFYCYLF4.js";
 import {
   isMppEnabled
-} from "./chunk-YK5LKPBE.js";
+} from "./chunk-I7DEUXBL.js";
 import {
   getBalance
-} from "./chunk-7ZEXMJYJ.js";
+} from "./chunk-B2JUF6FK.js";
 import {
   DEFAULT_USER_FETCH_TIMEOUT,
   fetchErr,
   fetchOk,
   log,
   safeFetch
-} from "./chunk-YQFK4U62.js";
+} from "./chunk-36KCO2CQ.js";
 import {
+  configFile,
   err,
   ok,
   resultFromPromise,
   resultFromThrowable
-} from "./chunk-6PU3XK6I.js";
+} from "./chunk-CM4BCEDY.js";
 
 // src/server/tools/lib/request.ts
 import z from "zod";
@@ -162,6 +163,30 @@ function detectPaymentProtocols(response) {
   return protocols;
 }
 
+// src/shared/settings.ts
+import z2 from "zod";
+import fs from "fs";
+var SETTINGS_FILE = configFile("settings.json");
+var settingsSchema = z2.looseObject({
+  maxAmount: z2.number().positive()
+}).partial();
+var getSettings = () => {
+  if (!fs.existsSync(SETTINGS_FILE)) {
+    return {};
+  }
+  const content = fs.readFileSync(SETTINGS_FILE, "utf-8");
+  const result = settingsSchema.safeParse(JSON.parse(content));
+  if (!result.success) {
+    return {};
+  }
+  return result.data;
+};
+var setSettings = (settings) => {
+  const existing = getSettings();
+  const newSettings = settingsSchema.parse({ ...existing, ...settings });
+  fs.writeFileSync(SETTINGS_FILE, JSON.stringify(newSettings, null, 2));
+};
+
 // src/shared/operations/fetch-with-payment.ts
 import { formatUnits as formatUnits2 } from "viem";
 
@@ -172,8 +197,10 @@ var tokenStringToNumber = (amount, decimals = 6) => {
 };
 
 // src/shared/operations/fetch-with-payment.ts
+var DEFAULT_MAX_AMOUNT = 5;
 function createFetchWithPayment(options) {
-  const { surface, clients, paymentMethod, beforePayment, timeout } = options;
+  const { surface, clients, paymentMethod, beforePayment, timeout, maxAmount } = options;
+  const effectiveMaxAmount = maxAmount ?? getSettings().maxAmount ?? DEFAULT_MAX_AMOUNT;
   return async (request) => {
     const clonedRequest = request.clone();
     const fallbackRequest = request.clone();
@@ -189,7 +216,13 @@ function createFetchWithPayment(options) {
     const response = probeResult.value;
     if (paymentMethod !== "auto") {
       if (paymentMethod === "mpp") {
-        return handleMppPayment(surface, response, clonedRequest, options);
+        return handleMppPayment(
+          surface,
+          response,
+          clonedRequest,
+          options,
+          effectiveMaxAmount
+        );
       }
       return handleX402Payment(
         surface,
@@ -197,7 +230,8 @@ function createFetchWithPayment(options) {
         clonedRequest,
         clients.x402,
         beforePayment,
-        timeout
+        timeout,
+        effectiveMaxAmount
       );
     }
     const available = detectPaymentProtocols(response);
@@ -208,22 +242,36 @@ function createFetchWithPayment(options) {
       preferred = await pickByBalance(surface, response, options);
     }
     const fallback = available.length > 1 ? preferred === "mpp" ? "x402" : "mpp" : null;
-    const result = preferred === "mpp" ? await handleMppPayment(surface, response, clonedRequest, options) : await handleX402Payment(
+    const result = preferred === "mpp" ? await handleMppPayment(
+      surface,
+      response,
+      clonedRequest,
+      options,
+      effectiveMaxAmount
+    ) : await handleX402Payment(
       surface,
       response,
       clonedRequest,
       clients.x402,
       beforePayment,
-      timeout
+      timeout,
+      effectiveMaxAmount
     );
     if (result.isErr() && fallback) {
-      return fallback === "mpp" ? handleMppPayment(surface, response, fallbackRequest, options) : handleX402Payment(
+      return fallback === "mpp" ? handleMppPayment(
+        surface,
+        response,
+        fallbackRequest,
+        options,
+        effectiveMaxAmount
+      ) : handleX402Payment(
         surface,
         response,
         fallbackRequest,
         clients.x402,
         beforePayment,
-        timeout
+        timeout,
+        effectiveMaxAmount
       );
     }
     return result;
@@ -275,7 +323,7 @@ async function pickByBalance(surface, response, options) {
   log.info(`Protocol selection \u2014 x402: $${x402Balance}, mpp: $${mppBalance}`);
   return x402Balance >= mppBalance ? "x402" : "mpp";
 }
-async function handleX402Payment(surface, response, clonedRequest, client, beforePayment, timeout) {
+async function handleX402Payment(surface, response, clonedRequest, client, beforePayment, timeout, maxAmount) {
   const paymentRequiredResult = await safeGetPaymentRequired(
     surface,
     client,
@@ -285,8 +333,17 @@ async function handleX402Payment(surface, response, clonedRequest, client, befor
     return paymentRequiredResult;
   }
   const paymentRequired = paymentRequiredResult.value;
+  const accept = paymentRequired.accepts[0];
+  if (accept) {
+    const amount = tokenStringToNumber(accept.amount);
+    if (amount > maxAmount) {
+      return x402Err(surface, {
+        cause: "payment_already_attempted",
+        message: `Endpoint requested $${amount} which exceeds the maximum allowed amount of $${maxAmount}. Pass a higher maxAmount on this call, or use update_settings to raise the default permanently.`
+      });
+    }
+  }
   if (beforePayment) {
-    const accept = paymentRequired.accepts[0];
     if (accept) {
       const amount = tokenStringToNumber(accept.amount);
       const hookResult = await resultFromPromise(
@@ -359,7 +416,7 @@ async function handleX402Payment(surface, response, clonedRequest, client, befor
     }
   );
 }
-async function handleMppPayment(surface, response, clonedRequest, options) {
+async function handleMppPayment(surface, response, clonedRequest, options, maxAmount) {
   const { clients, beforePayment, timeout } = options;
   const mppxClient = clients.mpp;
   if (clonedRequest.headers.has("Authorization")) {
@@ -376,6 +433,15 @@ async function handleMppPayment(surface, response, clonedRequest, options) {
   const amount = challenge.request.amount;
   const decimals = challenge.request.decimals ?? 6;
   const currency = challenge.request.currency;
+  if (amount) {
+    const numericAmount = Number(formatUnits2(BigInt(amount), decimals));
+    if (numericAmount > maxAmount) {
+      return mppErr(surface, {
+        cause: "mpp_payment_already_attempted",
+        message: `Endpoint requested $${numericAmount} which exceeds the maximum allowed amount of $${maxAmount}. Pass a higher maxAmount on this call, or use update_settings to raise the default permanently.`
+      });
+    }
+  }
   if (beforePayment && amount && currency) {
     const numericAmount = Number(formatUnits2(BigInt(amount), decimals));
     const hookResult = await resultFromPromise(
@@ -514,8 +580,11 @@ export {
   safeGetPaymentRequired,
   safeGetMppChallenge,
   detectPaymentProtocols,
+  getSettings,
+  setSettings,
+  DEFAULT_MAX_AMOUNT,
   createFetchWithPayment,
   getInputSchema,
   createFetchWithAuth
 };
-//# sourceMappingURL=chunk-X4YQNM7D.js.map
+//# sourceMappingURL=chunk-3WG74L5Z.js.map