auditor-mcp 0.1.0

package/dist/index.js

@@ -0,0 +1,413 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { config as loadEnv } from "dotenv";
+import { dirname, resolve } from "path";
+import { fileURLToPath } from "url";
+import { readFile } from "fs/promises";
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { wrapFetchWithPayment, x402Client, x402HTTPClient } from "@x402/fetch";
+import { Mppx as MppxClient } from "mppx/client";
+import { stellar as stellarMpp } from "@stellar/mpp/charge/client";
+import { z } from "zod";
+
+// src/stellar/constants.ts
+var STELLAR_PUBNET_CAIP2 = "stellar:pubnet";
+var STELLAR_TESTNET_CAIP2 = "stellar:testnet";
+var DEFAULT_TESTNET_RPC_URL = "https://soroban-testnet.stellar.org";
+var STELLAR_DESTINATION_ADDRESS_REGEX = /^(?:[GC][ABCD][A-Z2-7]{54}|M[ABCD][A-Z2-7]{67})$/;
+var STELLAR_ASSET_ADDRESS_REGEX = /^(?:[C][ABCD][A-Z2-7]{54})$/;
+var STELLAR_NETWORK_TO_PASSPHRASE = /* @__PURE__ */ new Map([
+  [STELLAR_PUBNET_CAIP2, "Public Global Stellar Network ; September 2015"],
+  [STELLAR_TESTNET_CAIP2, "Test SDF Network ; September 2015"]
+]);
+
+// src/stellar/exact/client/scheme.ts
+import { nativeToScVal, TransactionBuilder, contract } from "@stellar/stellar-sdk";
+import { Api as Api2 } from "@stellar/stellar-sdk/rpc";
+
+// src/stellar/shared.ts
+import { Address, xdr } from "@stellar/stellar-sdk";
+import { Api, assembleTransaction } from "@stellar/stellar-sdk/rpc";
+function handleSimulationResult(simulation) {
+  if (!simulation) throw new Error("Simulation result is undefined");
+  if (Api.isSimulationRestore(simulation)) {
+    throw new Error(`Stellar simulation result has type "RESTORE"`);
+  }
+  if (Api.isSimulationError(simulation)) {
+    throw new Error(`Stellar simulation failed${simulation.error ? `: ${simulation.error}` : ""}`);
+  }
+}
+
+// src/stellar/utils.ts
+import { rpc } from "@stellar/stellar-sdk";
+var DEFAULT_ESTIMATED_LEDGER_SECONDS = 5;
+var RPC_LEDGERS_SAMPLE_SIZE = 20;
+function isStellarNetwork(network) {
+  return STELLAR_NETWORK_TO_PASSPHRASE.has(network);
+}
+function validateStellarDestinationAddress(address) {
+  return STELLAR_DESTINATION_ADDRESS_REGEX.test(address);
+}
+function validateStellarAssetAddress(address) {
+  return STELLAR_ASSET_ADDRESS_REGEX.test(address);
+}
+function getNetworkPassphrase(network) {
+  const passphrase = STELLAR_NETWORK_TO_PASSPHRASE.get(network);
+  if (!passphrase) throw new Error(`Unknown Stellar network: ${network}`);
+  return passphrase;
+}
+function getRpcUrl(network, rpcConfig) {
+  const custom = rpcConfig?.url;
+  switch (network) {
+    case STELLAR_TESTNET_CAIP2:
+      return custom || DEFAULT_TESTNET_RPC_URL;
+    case STELLAR_PUBNET_CAIP2:
+      if (!custom) throw new Error("Stellar mainnet requires a non-empty rpcUrl.");
+      return custom;
+    default:
+      throw new Error(`Unknown Stellar network: ${network}`);
+  }
+}
+function getRpcClient(network, rpcConfig) {
+  const rpcUrl = getRpcUrl(network, rpcConfig);
+  return new rpc.Server(rpcUrl, { allowHttp: network === STELLAR_TESTNET_CAIP2 });
+}
+async function getEstimatedLedgerCloseTimeSeconds(server2) {
+  try {
+    const latestLedger = await server2.getLatestLedger();
+    const { ledgers } = await server2.getLedgers({
+      startLedger: latestLedger.sequence,
+      pagination: { limit: RPC_LEDGERS_SAMPLE_SIZE }
+    });
+    if (!ledgers || ledgers.length < 2) return DEFAULT_ESTIMATED_LEDGER_SECONDS;
+    const oldestTs = parseInt(ledgers[0].ledgerCloseTime);
+    const newestTs = parseInt(ledgers[ledgers.length - 1].ledgerCloseTime);
+    return Math.ceil((newestTs - oldestTs) / (ledgers.length - 1));
+  } catch {
+    return DEFAULT_ESTIMATED_LEDGER_SECONDS;
+  }
+}
+
+// src/stellar/exact/client/scheme.ts
+var DEFAULT_BASE_FEE_STROOPS = 1e4;
+var ExactStellarScheme = class {
+  constructor(signer2, rpcConfig) {
+    this.signer = signer2;
+    this.rpcConfig = rpcConfig;
+  }
+  signer;
+  rpcConfig;
+  scheme = "exact";
+  async createPaymentPayload(x402Version, paymentRequirements) {
+    try {
+      this.validateInput(paymentRequirements);
+    } catch (error) {
+      throw new Error(`Invalid input for Stellar payment: ${error}`);
+    }
+    const { network, payTo, asset, amount, extra, maxTimeoutSeconds } = paymentRequirements;
+    const networkPassphrase = getNetworkPassphrase(network);
+    const rpcUrl = getRpcUrl(network, this.rpcConfig);
+    if (!extra.areFeesSponsored) {
+      throw new Error("Exact scheme requires areFeesSponsored to be true");
+    }
+    const rpcServer = getRpcClient(network, this.rpcConfig);
+    const latestLedger = await rpcServer.getLatestLedger();
+    const estimatedLedgerSeconds = await getEstimatedLedgerCloseTimeSeconds(rpcServer);
+    const maxLedger = latestLedger.sequence + Math.ceil(maxTimeoutSeconds / estimatedLedgerSeconds);
+    const tx = await contract.AssembledTransaction.build({
+      contractId: asset,
+      method: "transfer",
+      args: [
+        nativeToScVal(this.signer.address, { type: "address" }),
+        nativeToScVal(payTo, { type: "address" }),
+        nativeToScVal(amount, { type: "i128" })
+      ],
+      networkPassphrase,
+      rpcUrl,
+      parseResultXdr: (result) => result
+    });
+    handleSimulationResult(tx.simulation);
+    let missingSigners = tx.needsNonInvokerSigningBy();
+    if (!missingSigners.includes(this.signer.address) || missingSigners.length > 1) {
+      throw new Error(
+        `Expected to sign with [${this.signer.address}], got [${missingSigners.join(", ")}]`
+      );
+    }
+    await tx.signAuthEntries({
+      address: this.signer.address,
+      signAuthEntry: this.signer.signAuthEntry,
+      expiration: maxLedger
+    });
+    await tx.simulate();
+    handleSimulationResult(tx.simulation);
+    missingSigners = tx.needsNonInvokerSigningBy();
+    if (missingSigners.length > 0) {
+      throw new Error(`Unexpected signer(s) still required: [${missingSigners.join(", ")}]`);
+    }
+    const finalTx = tx.simulation && Api2.isSimulationSuccess(tx.simulation) ? TransactionBuilder.cloneFrom(tx.built, {
+      fee: (DEFAULT_BASE_FEE_STROOPS + parseInt(tx.simulation.minResourceFee, 10)).toString(),
+      sorobanData: tx.simulationData.transactionData,
+      networkPassphrase
+    }).build() : tx.built;
+    return {
+      x402Version,
+      payload: { transaction: finalTx.toXDR() }
+    };
+  }
+  validateInput(req) {
+    const { scheme, network, payTo, asset, amount } = req;
+    if (typeof amount !== "string" || !Number.isInteger(Number(amount)) || Number(amount) <= 0) {
+      throw new Error(`Invalid amount: ${amount}`);
+    }
+    if (scheme !== "exact") throw new Error(`Unsupported scheme: ${scheme}`);
+    if (!isStellarNetwork(network)) throw new Error(`Unsupported network: ${network}`);
+    if (!validateStellarDestinationAddress(payTo)) throw new Error(`Invalid payTo: ${payTo}`);
+    if (!validateStellarAssetAddress(asset)) throw new Error(`Invalid asset: ${asset}`);
+  }
+};
+
+// src/stellar/signer.ts
+import { Keypair } from "@stellar/stellar-sdk";
+import { basicNodeSigner } from "@stellar/stellar-sdk/contract";
+function createEd25519Signer(privateKey, defaultNetwork = STELLAR_TESTNET_CAIP2) {
+  const kp = Keypair.fromSecret(privateKey);
+  const networkPassphrase = getNetworkPassphrase(defaultNetwork);
+  const address = kp.publicKey();
+  const { signAuthEntry, signTransaction } = basicNodeSigner(kp, networkPassphrase);
+  return { address, signAuthEntry, signTransaction };
+}
+
+// src/index.ts
+var currentDir = dirname(fileURLToPath(import.meta.url));
+loadEnv({ path: resolve(currentDir, "..", ".env") });
+function requireEnv(name) {
+  const value = process.env[name]?.trim();
+  if (!value) throw new Error(`Missing required env var: ${name}`);
+  return value;
+}
+var STELLAR_SECRET_KEY = requireEnv("STELLAR_SECRET_KEY");
+var AUDIT_GATEWAY_URL = process.env.AUDIT_GATEWAY_URL?.trim() || "https://soroban-node-0.onrender.com/api/audit";
+var MPP_GATEWAY_URL = process.env.MPP_AUDIT_GATEWAY_URL?.trim() || "https://soroban-node-0.onrender.com/api/audit/mpp";
+var rawNetwork = (process.env.STELLAR_NETWORK ?? STELLAR_TESTNET_CAIP2).trim();
+if (rawNetwork !== STELLAR_TESTNET_CAIP2 && rawNetwork !== STELLAR_PUBNET_CAIP2) {
+  throw new Error(`Unsupported STELLAR_NETWORK: ${rawNetwork}`);
+}
+var STELLAR_NETWORK = rawNetwork;
+var signer = createEd25519Signer(STELLAR_SECRET_KEY, STELLAR_NETWORK);
+var paymentClient = new x402Client().register(
+  "stellar:*",
+  new ExactStellarScheme(signer)
+);
+var httpClient = new x402HTTPClient(paymentClient);
+var fetchWithPayment = wrapFetchWithPayment(fetch, httpClient);
+var mppClient = MppxClient.create({
+  methods: [stellarMpp.charge({ secretKey: STELLAR_SECRET_KEY })],
+  polyfill: false
+});
+var server = new McpServer({
+  name: process.env.MCP_SERVER_NAME || "auditor-mcp",
+  version: process.env.MCP_SERVER_VERSION || "0.1.0"
+});
+server.tool(
+  "audit_soroban_contract",
+  [
+    "Reads a local Soroban smart contract (.rs file) and submits it for a paid security audit.",
+    "Charges 0.15 USDC on Stellar Testnet via the x402 protocol.",
+    "Returns a structured audit report with vulnerabilities, warnings, and recommendations."
+  ].join(" "),
+  {
+    file_path: z.string().describe("Absolute or relative path to the Soroban .rs contract file to audit")
+  },
+  async ({ file_path }) => {
+    let code;
+    try {
+      code = await readFile(file_path, "utf8");
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return {
+        content: [{ type: "text", text: `Failed to read file "${file_path}": ${message}` }],
+        isError: true
+      };
+    }
+    if (code.trim().length === 0) {
+      return {
+        content: [{ type: "text", text: `File "${file_path}" is empty.` }],
+        isError: true
+      };
+    }
+    let response;
+    try {
+      response = await fetchWithPayment(AUDIT_GATEWAY_URL, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ code })
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return {
+        content: [
+          {
+            type: "text",
+            text: `Payment or network error calling auditor-backend: ${message}`
+          }
+        ],
+        isError: true
+      };
+    }
+    const rawBody = await response.text();
+    if (!response.ok) {
+      return {
+        content: [
+          {
+            type: "text",
+            text: `Auditor backend returned HTTP ${response.status}:
+${rawBody}`
+          }
+        ],
+        isError: true
+      };
+    }
+    let report = null;
+    try {
+      report = JSON.parse(rawBody);
+    } catch {
+      return {
+        content: [{ type: "text", text: `Audit backend returned non-JSON response:
+${rawBody}` }],
+        isError: true
+      };
+    }
+    const findings = report?.findings ?? [];
+    const counts = {};
+    if (Array.isArray(findings)) {
+      for (const f of findings) {
+        counts[f.severity] = (counts[f.severity] ?? 0) + 1;
+      }
+    }
+    const summary = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"].filter((s) => counts[s]).map((s) => `${s}: ${counts[s]}`).join(" | ");
+    return {
+      content: [
+        {
+          type: "text",
+          text: JSON.stringify(
+            {
+              file: file_path,
+              walletAddress: signer.address,
+              model: report?.model,
+              summary: summary || "No vulnerabilities found",
+              findings
+            },
+            null,
+            2
+          )
+        }
+      ]
+    };
+  }
+);
+server.tool(
+  "audit_soroban_contract_mpp",
+  [
+    "Reads a local Soroban smart contract (.rs file) and submits it for a paid security audit.",
+    "Charges 0.15 USDC on Stellar Testnet via the Stripe Machine Payments Protocol (MPP).",
+    "Returns a structured audit report with vulnerabilities, CWE IDs, severity levels, and fixes."
+  ].join(" "),
+  {
+    file_path: z.string().describe("Absolute or relative path to the Soroban .rs contract file to audit")
+  },
+  async ({ file_path }) => {
+    let code;
+    try {
+      code = await readFile(file_path, "utf8");
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return {
+        content: [{ type: "text", text: `Failed to read file "${file_path}": ${message}` }],
+        isError: true
+      };
+    }
+    if (code.trim().length === 0) {
+      return {
+        content: [{ type: "text", text: `File "${file_path}" is empty.` }],
+        isError: true
+      };
+    }
+    let response;
+    try {
+      response = await mppClient.fetch(MPP_GATEWAY_URL, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ code })
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return {
+        content: [
+          {
+            type: "text",
+            text: `MPP payment or network error: ${message}`
+          }
+        ],
+        isError: true
+      };
+    }
+    const rawBody = await response.text();
+    if (!response.ok) {
+      return {
+        content: [
+          {
+            type: "text",
+            text: `Auditor backend returned HTTP ${response.status}:
+${rawBody}`
+          }
+        ],
+        isError: true
+      };
+    }
+    let report = null;
+    try {
+      report = JSON.parse(rawBody);
+    } catch {
+      return {
+        content: [{ type: "text", text: `Audit backend returned non-JSON:
+${rawBody}` }],
+        isError: true
+      };
+    }
+    const findings = report?.findings ?? [];
+    const counts = {};
+    if (Array.isArray(findings)) {
+      for (const f of findings) {
+        counts[f.severity] = (counts[f.severity] ?? 0) + 1;
+      }
+    }
+    const summary = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"].filter((s) => counts[s]).map((s) => `${s}: ${counts[s]}`).join(" | ");
+    return {
+      content: [
+        {
+          type: "text",
+          text: JSON.stringify(
+            {
+              file: file_path,
+              protocol: "Stripe MPP / Stellar Testnet",
+              walletAddress: signer.address,
+              model: report?.model,
+              summary: summary || "No vulnerabilities found",
+              findings
+            },
+            null,
+            2
+          )
+        }
+      ]
+    };
+  }
+);
+var transport = new StdioServerTransport();
+await server.connect(transport);
+console.error("auditor-mcp running over stdio");
+console.error(`wallet : ${signer.address}`);
+console.error(`network: ${STELLAR_NETWORK}`);
+console.error(`gateway: ${AUDIT_GATEWAY_URL}`);

package/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "auditor-mcp",
+  "version": "0.1.0",
+  "type": "module",
+  "description": "MCP server that audits Soroban smart contracts via autonomous x402 / Stripe MPP payments on Stellar Testnet",
+  "keywords": ["mcp", "soroban", "stellar", "x402", "security", "audit", "smart-contract"],
+  "author": "xaviersharwin10",
+  "license": "MIT",
+  "homepage": "https://github.com/xaviersharwin10/soroban_node_0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/xaviersharwin10/soroban_node_0.git"
+  },
+  "bin": {
+    "auditor-mcp": "./dist/index.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsup src/index.ts --format esm",
+    "dev": "tsx src/index.ts",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.27.1",
+    "@stellar/mpp": "^0.4.0",
+    "@stellar/stellar-sdk": "^14.6.1",
+    "@x402/core": "^2.8.0",
+    "@x402/fetch": "^2.8.0",
+    "dotenv": "^17.3.1",
+    "mppx": "^0.4.12",
+    "tsup": "^8.5.1",
+    "typescript": "^5.7.0",
+    "zod": "^3.25.76"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "tsx": "^4.21.0"
+  },
+  "engines": {
+    "node": ">=20"
+  }
+}