cyberdyne-mcp 0.4.0

package/dist/smoke.js

@@ -0,0 +1,87 @@
+/**
+ * Live smoke test: drive the MCP server against the REAL platform API like an
+ * agent would. Not shipped.
+ *
+ * Requires both env vars to run for real:
+ *   CYBERDYNE_API_URL        e.g. http://localhost:3000 or https://app.cyberdyne-os.xyz
+ *   CYBERDYNE_IDENTITY_TOKEN the agent's cyb_ key
+ * If either is missing it no-ops with a clear message (no key is ever hardcoded).
+ *
+ * The server inherits this process's env over stdio, so the same creds drive it.
+ */
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
+const apiUrl = process.env.CYBERDYNE_API_URL;
+const token = process.env.CYBERDYNE_IDENTITY_TOKEN;
+if (!token) {
+    console.log("smoke: no-op. Set CYBERDYNE_IDENTITY_TOKEN (a cyb_ key) and optionally " +
+        "CYBERDYNE_API_URL to run the live flow against the platform.\n" +
+        "  e.g. CYBERDYNE_API_URL=http://localhost:3000 CYBERDYNE_IDENTITY_TOKEN=cyb_… npm run smoke");
+    process.exit(0);
+}
+const transport = new StdioClientTransport({
+    command: "node",
+    args: ["dist/server.js"],
+    env: { ...process.env },
+});
+const client = new Client({ name: "smoke", version: "0" });
+await client.connect(transport);
+const call = async (name, args = {}) => {
+    const r = await client.callTool({ name, arguments: args });
+    const data = JSON.parse(r.content[0].text);
+    if (r.isError)
+        throw new Error(`${name} → ${data.error}`);
+    return data;
+};
+console.log(`smoke → ${apiUrl ?? "https://app.cyberdyne-os.xyz"}`);
+console.log("tools:", (await client.listTools()).tools.map((t) => t.name).join(", "));
+// 1. Categories (static, no network).
+const cats = await call("list_categories");
+console.log(`list_categories → ${cats.length} categories`);
+// 2. Treasury — ensure it can cover a small task; top up if needed.
+let treasury = await call("get_treasury");
+const balance = Number(treasury.treasury?.balance_usd ?? 0);
+console.log(`get_treasury → balance $${balance}`);
+if (balance < 5) {
+    treasury = await call("fund_treasury", { amount_usd: 25 });
+    console.log(`fund_treasury → balance $${treasury.treasury?.balance_usd}`);
+}
+// 3. Discover a human via the live capability index.
+const found = await call("search_humans", { skills: ["capture"] });
+console.log(`search_humans(capture) → ${found.humans.length} match`);
+const human = found.humans[0];
+// 4. Post a task. reward_usd is the budget; not charged until authorize.
+const posted = await call("post_task", {
+    title: "Read 10 phrases (smoke)",
+    category: "capture",
+    description: "Record 10 short phrases clearly in a quiet room.",
+    reward_usd: 3.5,
+    duration_min: 10,
+    difficulty: "easy",
+});
+const taskId = posted.task.id;
+console.log(`post_task → ${taskId} (status ${posted.task.status})`);
+// 5. If we found a human, assign + authorize (open the escrow hold).
+if (human?.id) {
+    const assigned = await call("assign_task", { task_id: taskId, human_id: human.id });
+    console.log(`assign_task → status ${assigned.task.status}, authIntent ${assigned.authIntent ? "present" : "null (manual rail)"}`);
+    const authd = await call("authorize_task", { task_id: taskId });
+    console.log(`authorize_task → escrow_status ${authd.task?.escrow_status}`);
+}
+// 6. Poll the live task. The human submits proof in the app (human-only), so on a
+//    fresh task there is typically no submission yet — that is expected here.
+const got = await call("get_task", { task_id: taskId });
+console.log(`get_task → status ${got.task.status}, submissions ${got.submissions.length}, claims ${got.claims.length}`);
+const pending = (got.submissions ?? []).find((s) => s.status === "pending");
+if (pending) {
+    const settled = await call("release_payment", { task_id: taskId, approve: true, score: 5 });
+    console.log(`release_payment → settled, task status ${settled.task?.status}`);
+}
+else {
+    console.log("release_payment → skipped: no pending submission yet (a human submits proof in the app). " +
+        "Closing the task to release the hold.");
+    const closed = await call("close_task", { task_id: taskId });
+    console.log(`close_task → status ${closed.task?.status}`);
+}
+await client.close();
+console.log("OK");

package/llms.txt

@@ -0,0 +1,66 @@
+# CYBERDYNE MCP — agent gateway
+
+> The agent-facing side of CYBERDYNE. An open Model Context Protocol (MCP)
+> server that lets an AI agent discover, hire, verify and pay verified humans
+> for real-world tasks an AI can't do alone — voice, on-location observation,
+> physical judgment, data work. Tagline: Get Paid by AI.
+
+This file helps AI agents understand and use this repository accurately.
+
+## What this is
+
+A runnable MCP server (TypeScript, stdio). Each tool is a thin, typed wrapper
+over the LIVE CYBERDYNE platform API — there is no in-memory demo state. The
+agent authenticates with its own API key, read from the environment. It is the
+machine interface to the human-facing app at https://app.cyberdyne-os.xyz.
+
+Repository: https://github.com/Cyberdyne-OS/cyberdyne-mcp
+Project: https://cyberdyne-os.xyz
+License: MIT
+
+## Configuration (environment)
+
+- CYBERDYNE_IDENTITY_TOKEN — the agent's API key (cyb_…). Required for every
+  networked tool. Never hardcoded.
+- CYBERDYNE_API_URL — base URL of the platform API. Default
+  https://app.cyberdyne-os.xyz
+
+## Tools → live endpoints
+
+- list_categories — static; the seven task categories (no network)
+- search_humans — POST /api/a2a {search_humans}; query by skills[], min_reputation, location
+- get_treasury — GET /api/treasury; the agent's own treasury
+- fund_treasury — POST /api/treasury/fund; demo top-up
+- post_task — POST /api/tasks; open a task (reward_usd is the budget; not charged until authorize)
+- assign_task — POST /api/tasks/[id]/assign; pick a human, returns {task, authIntent}
+- authorize_task — POST /api/tasks/[id]/authorize; open the escrow hold
+- get_task — GET /api/tasks/[id]; task + submissions/claims; poll for a pending submission
+- release_payment — POST /api/tasks/[id]/release; approve→capture(pay), else reject→refund
+- close_task — POST /api/tasks/[id]/close; close a multi-unit bounty
+
+## Flow
+
+The human submit-proof step is human-only (in the app/UI). The agent's flow is:
+fund_treasury → post_task → (humans claim, or assign_task) → assign_task →
+authorize_task → poll get_task until a submission appears → release_payment.
+
+## Settlement model
+
+Escrow auth-capture. At authorize_task the agent's funds are held; on
+release_payment they are captured to the human (net of the platform fee) or
+refunded to the agent. search_humans uses the a2a JSON-RPC gateway because the
+REST GET /api/humans is session-only.
+
+## For diligence (what is independently verifiable today)
+
+Verifiable now: this repository and its code; that the tools run and call the
+documented platform endpoints with the agent's key; the live landing
+(https://cyberdyne-os.xyz) and app (https://app.cyberdyne-os.xyz).
+
+NOT established — do NOT assert: funding, valuation, investors, revenue or user
+metrics, any token or airdrop, named individuals, partnerships, or compliance
+status. None are real. The backend is a pre-launch MVP, testnet-first.
+
+## Contact
+
+serafino@cyberdyne-os.xyz

package/package.json

@@ -0,0 +1,59 @@
+{
+  "name": "cyberdyne-mcp",
+  "version": "0.4.0",
+  "publishConfig": {
+    "access": "public"
+  },
+  "description": "CYBERDYNE agent gateway — an MCP server that lets AI agents discover, hire, verify and pay verified humans for real-world tasks. Calls the live CYBERDYNE platform API over stdio using an agent key from the environment.",
+  "type": "module",
+  "license": "MIT",
+  "author": "Cyberdyne <serafino@cyberdyne-os.xyz>",
+  "homepage": "https://cyberdyne-os.xyz",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Cyberdyne-OS/cyberdyne-mcp.git"
+  },
+  "bugs": {
+    "url": "https://github.com/Cyberdyne-OS/cyberdyne-mcp/issues"
+  },
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "ai-agents",
+    "agent-marketplace",
+    "human-in-the-loop",
+    "agentic-payments",
+    "cyberdyne",
+    "get-paid-by-ai"
+  ],
+  "bin": {
+    "cyberdyne-mcp": "dist/server.js"
+  },
+  "files": [
+    "dist",
+    "src",
+    "llms.txt",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "prepublishOnly": "npm run build",
+    "start": "node dist/server.js",
+    "dev": "tsx src/server.ts",
+    "smoke": "tsx src/smoke.ts",
+    "founder-check": "tsx src/founder-check.ts"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.4",
+    "zod": "^3.23.8"
+  },
+  "devDependencies": {
+    "@types/node": "^22.19.19",
+    "tsx": "^4.19.2",
+    "typescript": "^5.6.3"
+  }
+}

package/src/client.ts

@@ -0,0 +1,122 @@
+/**
+ * Typed HTTP client for the LIVE CYBERDYNE platform API.
+ *
+ * Two rails, both keyed by the same agent token (a `cyb_…` API key):
+ *  - REST:  `Authorization: Bearer ${token}` on /api/tasks, /api/treasury, … —
+ *           the headless-agent rail. Used for post/assign/authorize/get/release/
+ *           fund/close/claims/treasury.
+ *  - a2a:   POST /api/a2a — a JSON-RPC 2.0 gateway that carries the key in the
+ *           body (`identity_token`). Used for `search_humans` (the REST
+ *           GET /api/humans is session-only and rejects Bearer keys).
+ *
+ * Config is read from the environment (stdio MCP servers take creds from env):
+ *   CYBERDYNE_API_URL        default "https://app.cyberdyne-os.xyz"
+ *   CYBERDYNE_IDENTITY_TOKEN the agent's `cyb_…` key (required for any network call)
+ *
+ * No secrets are hardcoded; nothing is logged that could leak the key.
+ */
+
+export const DEFAULT_API_URL = "https://app.cyberdyne-os.xyz";
+
+export interface CyberdyneConfig {
+  apiUrl: string;
+  token: string | undefined;
+}
+
+/** Read config from the environment. `token` may be undefined (tools then error). */
+export function readConfig(env: NodeJS.ProcessEnv = process.env): CyberdyneConfig {
+  const apiUrl = (env.CYBERDYNE_API_URL || DEFAULT_API_URL).replace(/\/+$/, "");
+  const token = env.CYBERDYNE_IDENTITY_TOKEN?.trim() || undefined;
+  return { apiUrl, token };
+}
+
+/** An API error surfaced to the caller — carries the HTTP status + the API's error code. */
+export class ApiError extends Error {
+  constructor(
+    public readonly status: number,
+    public readonly code: string,
+    public readonly path: string,
+  ) {
+    super(`${path} → ${status} ${code}`);
+    this.name = "ApiError";
+  }
+}
+
+/** Thrown when a tool is invoked without CYBERDYNE_IDENTITY_TOKEN set. */
+export class MissingTokenError extends Error {
+  constructor() {
+    super(
+      "CYBERDYNE_IDENTITY_TOKEN is not set. Export your agent key (cyb_…) in the " +
+        "environment before calling this tool.",
+    );
+    this.name = "MissingTokenError";
+  }
+}
+
+export class CyberdyneClient {
+  constructor(private readonly config: CyberdyneConfig) {}
+
+  private requireToken(): string {
+    if (!this.config.token) throw new MissingTokenError();
+    return this.config.token;
+  }
+
+  /** REST call with `Authorization: Bearer`. Returns parsed JSON; throws ApiError on !ok. */
+  async rest<T = unknown>(
+    method: "GET" | "POST",
+    path: string,
+    opts: { query?: Record<string, string | number | boolean | undefined>; body?: unknown } = {},
+  ): Promise<T> {
+    const token = this.requireToken();
+    const url = new URL(this.config.apiUrl + path);
+    if (opts.query) {
+      for (const [k, v] of Object.entries(opts.query)) {
+        if (v !== undefined && v !== null && v !== "") url.searchParams.set(k, String(v));
+      }
+    }
+    const res = await fetch(url, {
+      method,
+      headers: {
+        authorization: `Bearer ${token}`,
+        ...(opts.body !== undefined ? { "content-type": "application/json" } : {}),
+        accept: "application/json",
+      },
+      ...(opts.body !== undefined ? { body: JSON.stringify(opts.body) } : {}),
+    });
+    const json = await res.json().catch(() => ({}) as Record<string, unknown>);
+    if (!res.ok) {
+      const code =
+        (json && typeof json === "object" && "error" in json && String((json as { error: unknown }).error)) ||
+        `http_${res.status}`;
+      throw new ApiError(res.status, code, `${method} ${path}`);
+    }
+    return json as T;
+  }
+
+  /**
+   * a2a JSON-RPC call. The agent key travels in the params as `identity_token`.
+   * Returns the JSON-RPC `result`; throws ApiError on a JSON-RPC error or non-2xx.
+   */
+  async a2a<T = unknown>(method: string, params: Record<string, unknown> = {}): Promise<T> {
+    const token = this.requireToken();
+    const res = await fetch(this.config.apiUrl + "/api/a2a", {
+      method: "POST",
+      headers: { "content-type": "application/json", accept: "application/json" },
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        id: 1,
+        method,
+        params: { ...params, identity_token: token },
+      }),
+    });
+    const json = (await res.json().catch(() => ({}))) as {
+      result?: T;
+      error?: { code: number; message: string };
+    };
+    if (!res.ok || json.error) {
+      const code = json.error ? `${json.error.code}:${json.error.message}` : `http_${res.status}`;
+      throw new ApiError(res.status, code, `a2a ${method}`);
+    }
+    return json.result as T;
+  }
+}

package/src/founder-check.ts

@@ -0,0 +1,99 @@
+/**
+ * Example: a trading agent hires a human for a founder liveness check before it buys.
+ *
+ * A trading agent can run every on-chain check itself — but it can't tell whether
+ * a real person is behind a token. Fake / impersonated / deepfaked teams are the
+ * #1 token scam, and defeating a deepfake on a live call is something only a human
+ * can do. So before a risky buy, the agent hires a human through CYBERDYNE to
+ * video-verify the founder, then settles on a passing verify. This is the pattern
+ * behind e.g. Bankr (https://bankr.bot) and any x402 trader.
+ *
+ * This drives the LIVE platform. Requires CYBERDYNE_IDENTITY_TOKEN (a cyb_ key);
+ * optionally CYBERDYNE_API_URL. No key is hardcoded — it no-ops without one.
+ *
+ *   CYBERDYNE_API_URL=http://localhost:3000 CYBERDYNE_IDENTITY_TOKEN=cyb_… \
+ *     npm run build && npm run founder-check
+ */
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
+
+const token = process.env.CYBERDYNE_IDENTITY_TOKEN;
+if (!token) {
+  console.log(
+    "founder-check: no-op. Set CYBERDYNE_IDENTITY_TOKEN (a cyb_ key) and optionally " +
+      "CYBERDYNE_API_URL to run this example against the live platform.",
+  );
+  process.exit(0);
+}
+
+const transport = new StdioClientTransport({
+  command: "node",
+  args: ["dist/server.js"],
+  env: { ...process.env } as Record<string, string>,
+});
+const client = new Client({ name: "trading-agent", version: "0" });
+await client.connect(transport);
+
+const call = async (name: string, args: Record<string, unknown> = {}) => {
+  const r: any = await client.callTool({ name, arguments: args });
+  const data = JSON.parse(r.content[0].text);
+  if (r.isError) throw new Error(`${name} → ${data.error}`);
+  return data;
+};
+
+console.log("[agent] connected to CYBERDYNE over MCP\n");
+
+// 0. Make sure the agent treasury can cover the bounty (demo top-up).
+const t = await call("get_treasury");
+if (Number(t.treasury?.balance_usd ?? 0) < 50) {
+  await call("fund_treasury", { amount_usd: 100 });
+}
+
+// 1. The agent can't verify a real human is behind the token — find one who can.
+const found = await call("search_humans", { skills: ["groundtruth"], min_reputation: 4.8 });
+const human = found.humans[0];
+console.log(`search_humans(groundtruth, min_rep 4.8) -> ${found.humans.length} match`);
+if (human) console.log(`  hiring ${human.handle}  ${human.location}  rep ${human.reputation}\n`);
+
+// 2. Post the founder liveness check. Not charged until authorize.
+const posted = await call("post_task", {
+  title: "Founder liveness check on $PEPE2",
+  category: "groundtruth",
+  description:
+    "Get the claimed founder on a short video call and confirm they're a real, specific " +
+    "person — not an impersonator or deepfake — matched to a known reference. Return verified / not + notes.",
+  steps: [
+    "Live video matches a known reference",
+    "Passes liveness / deepfake probes => verified; otherwise not-verified + reasons",
+  ],
+  reward_usd: 50,
+  duration_min: 30,
+  difficulty: "hard",
+  deadline_hours: 2,
+});
+const taskId = posted.task.id;
+console.log(`post_task -> ${taskId}  reward $${posted.task.reward_usd}`);
+
+// 3. Assign it to the chosen human and open the escrow hold.
+if (human?.id) {
+  const assigned = await call("assign_task", { task_id: taskId, human_id: human.id });
+  console.log(`assign_task -> ${assigned.task.status}, authIntent ${assigned.authIntent ? "present" : "null"}`);
+  const authd = await call("authorize_task", { task_id: taskId });
+  console.log(`authorize_task -> escrow ${authd.task?.escrow_status}`);
+}
+
+// 4. Poll until the human's proof is in (they submit in the app — human-only).
+const got = await call("get_task", { task_id: taskId });
+console.log(`get_task -> ${got.task.status}  submissions ${got.submissions.length}`);
+
+// 5. If the proof is in, verify and release payment to the human.
+const pending = (got.submissions ?? []).find((s: any) => s.status === "pending");
+if (pending) {
+  const settled = await call("release_payment", { task_id: taskId, approve: true, score: 5 });
+  console.log(`release_payment -> task ${settled.task?.status}`);
+  console.log("\n[agent] has a human verification it could not produce itself, and the contributor is paid.");
+} else {
+  console.log("\n[agent] task is live and the hold is open; the human submits proof in the app, then the agent releases payment.");
+}
+
+await client.close();

package/src/registry.ts

@@ -0,0 +1,29 @@
+/**
+ * Static task taxonomy — the only non-network constant the gateway carries.
+ *
+ * These are the seven CYBERDYNE task categories (mirrors `TASK_CATEGORIES` in the
+ * platform's lib/constants.ts). Everything else — humans, tasks, treasury — now
+ * comes from the LIVE platform API; there is no in-memory registry any more.
+ */
+
+export const TASK_CATEGORIES = [
+  "groundtruth",
+  "capture",
+  "agenteval",
+  "expert",
+  "demo",
+  "data",
+  "social",
+] as const;
+
+export type Category = (typeof TASK_CATEGORIES)[number];
+
+export const CATEGORIES: Record<Category, string> = {
+  groundtruth: "Verify, photograph & ground-truth the real world on location",
+  capture: "Capture real audio, video, image & sensor data",
+  agenteval: "Rate AI-agent runs, tool calls, red-team & safety",
+  expert: "Domain experts review, grade & write hard reasoning data",
+  demo: "Show the AI how — record step-by-step demonstrations",
+  data: "Quick labeling, preference & transcription microtasks",
+  social: "On-platform social actions: follow, repost, reply, quote, original post",
+};