globodai-mcp-payment-manager 1.0.1

package/src/lib/pin-manager.ts

@@ -0,0 +1,252 @@
+/**
+ * PIN Manager - Master PIN for card access
+ * 
+ * Security model:
+ * - CVV is encrypted with a key derived from the master PIN
+ * - PIN is stored in memory only (never persisted)
+ * - PIN auto-expires after inactivity timeout
+ * - Without PIN, cards cannot be used for payments
+ * 
+ * Flow:
+ * 1. User sets PIN once (stored as hash for verification)
+ * 2. User unlocks with PIN → PIN held in memory
+ * 3. Payments work while unlocked
+ * 4. After timeout or explicit lock → PIN cleared from memory
+ */
+
+import { createHash, scryptSync, randomBytes } from "crypto";
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+
+const CONFIG_DIR = join(homedir(), ".mcp-ecosystem");
+const PIN_CONFIG_FILE = join(CONFIG_DIR, "pin-config.json");
+
+// In-memory PIN storage (never persisted)
+let currentPin: string | null = null;
+let lastActivity: number = 0;
+const SESSION_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes
+
+interface PinConfig {
+  // Hash of PIN for verification (not the PIN itself)
+  pinHash: string;
+  // Salt for PIN hashing
+  salt: string;
+  // Salt for CVV encryption key derivation
+  cvvKeySalt: string;
+  // When PIN was set
+  createdAt: string;
+}
+
+function ensureConfigDir(): void {
+  if (!existsSync(CONFIG_DIR)) {
+    mkdirSync(CONFIG_DIR, { recursive: true });
+  }
+}
+
+/**
+ * Hash PIN for storage (verification only)
+ */
+function hashPin(pin: string, salt: string): string {
+  return createHash("sha256")
+    .update(pin + salt)
+    .digest("hex");
+}
+
+/**
+ * Derive encryption key from PIN (for CVV encryption)
+ */
+export function deriveKeyFromPin(pin: string, salt: string): Buffer {
+  return scryptSync(pin, salt, 32);
+}
+
+/**
+ * Check if PIN is configured
+ */
+export function isPinConfigured(): boolean {
+  return existsSync(PIN_CONFIG_FILE);
+}
+
+/**
+ * Get PIN config (without sensitive data)
+ */
+function getPinConfig(): PinConfig | null {
+  if (!existsSync(PIN_CONFIG_FILE)) {
+    return null;
+  }
+  try {
+    return JSON.parse(readFileSync(PIN_CONFIG_FILE, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Set up master PIN (first time)
+ */
+export function setupPin(pin: string): { success: boolean; error?: string } {
+  if (pin.length < 4 || pin.length > 8) {
+    return { success: false, error: "PIN must be 4-8 characters" };
+  }
+  
+  if (isPinConfigured()) {
+    return { success: false, error: "PIN already configured. Use change_pin to modify." };
+  }
+  
+  ensureConfigDir();
+  
+  const salt = randomBytes(16).toString("hex");
+  const cvvKeySalt = randomBytes(16).toString("hex");
+  const pinHash = hashPin(pin, salt);
+  
+  const config: PinConfig = {
+    pinHash,
+    salt,
+    cvvKeySalt,
+    createdAt: new Date().toISOString(),
+  };
+  
+  writeFileSync(PIN_CONFIG_FILE, JSON.stringify(config, null, 2), { mode: 0o600 });
+  
+  // Auto-unlock after setup
+  currentPin = pin;
+  lastActivity = Date.now();
+  
+  console.error("[pin-manager] Master PIN configured and unlocked");
+  return { success: true };
+}
+
+/**
+ * Change master PIN (requires current PIN)
+ */
+export function changePin(currentPinInput: string, newPin: string): { success: boolean; error?: string } {
+  const config = getPinConfig();
+  if (!config) {
+    return { success: false, error: "No PIN configured" };
+  }
+  
+  // Verify current PIN
+  if (hashPin(currentPinInput, config.salt) !== config.pinHash) {
+    return { success: false, error: "Current PIN is incorrect" };
+  }
+  
+  if (newPin.length < 4 || newPin.length > 8) {
+    return { success: false, error: "New PIN must be 4-8 characters" };
+  }
+  
+  // Generate new salts
+  const salt = randomBytes(16).toString("hex");
+  const cvvKeySalt = randomBytes(16).toString("hex");
+  const pinHash = hashPin(newPin, salt);
+  
+  const newConfig: PinConfig = {
+    pinHash,
+    salt,
+    cvvKeySalt,
+    createdAt: new Date().toISOString(),
+  };
+  
+  writeFileSync(PIN_CONFIG_FILE, JSON.stringify(newConfig, null, 2), { mode: 0o600 });
+  
+  // Update in-memory PIN
+  currentPin = newPin;
+  lastActivity = Date.now();
+  
+  console.error("[pin-manager] Master PIN changed");
+  return { success: true };
+}
+
+/**
+ * Unlock cards with PIN
+ */
+export function unlock(pin: string): { success: boolean; error?: string; expiresIn?: number } {
+  const config = getPinConfig();
+  if (!config) {
+    return { success: false, error: "No PIN configured. Use setup_pin first." };
+  }
+  
+  if (hashPin(pin, config.salt) !== config.pinHash) {
+    return { success: false, error: "Invalid PIN" };
+  }
+  
+  currentPin = pin;
+  lastActivity = Date.now();
+  
+  console.error("[pin-manager] Cards unlocked");
+  return { 
+    success: true, 
+    expiresIn: SESSION_TIMEOUT_MS / 1000 / 60 // in minutes
+  };
+}
+
+/**
+ * Lock cards (clear PIN from memory)
+ */
+export function lock(): void {
+  currentPin = null;
+  lastActivity = 0;
+  console.error("[pin-manager] Cards locked");
+}
+
+/**
+ * Check if cards are currently unlocked
+ */
+export function isUnlocked(): boolean {
+  if (!currentPin) {
+    return false;
+  }
+  
+  // Check timeout
+  if (Date.now() - lastActivity > SESSION_TIMEOUT_MS) {
+    lock();
+    return false;
+  }
+  
+  return true;
+}
+
+/**
+ * Refresh activity (extend session)
+ */
+export function refreshActivity(): void {
+  if (currentPin) {
+    lastActivity = Date.now();
+  }
+}
+
+/**
+ * Get CVV encryption key (only works when unlocked)
+ */
+export function getCvvEncryptionKey(): Buffer | null {
+  if (!isUnlocked()) {
+    return null;
+  }
+  
+  const config = getPinConfig();
+  if (!config || !currentPin) {
+    return null;
+  }
+  
+  refreshActivity();
+  return deriveKeyFromPin(currentPin, config.cvvKeySalt);
+}
+
+/**
+ * Get status
+ */
+export function getStatus(): { 
+  configured: boolean; 
+  unlocked: boolean; 
+  remainingMinutes?: number;
+} {
+  const configured = isPinConfigured();
+  const unlocked = isUnlocked();
+  
+  let remainingMinutes: number | undefined;
+  if (unlocked && lastActivity > 0) {
+    const elapsed = Date.now() - lastActivity;
+    remainingMinutes = Math.ceil((SESSION_TIMEOUT_MS - elapsed) / 1000 / 60);
+  }
+  
+  return { configured, unlocked, remainingMinutes };
+}

package/src/lib/wallets.ts

@@ -0,0 +1,331 @@
+/**
+ * Crypto Wallet Management
+ * 
+ * Secure storage for crypto wallets with encrypted private keys.
+ * Supports multiple chains and watch-only wallets.
+ * 
+ * Security model:
+ * - Private keys encrypted at rest (same as card numbers)
+ * - Watch-only wallets for balance checking without spending
+ * - Transaction signing requires explicit confirmation
+ * - Support for hardware wallet addresses (no key storage)
+ */
+
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+import { encrypt, decrypt, isEncrypted } from "./crypto";
+
+// Sensitive fields that must be encrypted
+const SENSITIVE_FIELDS = ["privateKey", "mnemonic"];
+
+export type Chain = 
+  | "ethereum" 
+  | "polygon" 
+  | "arbitrum" 
+  | "optimism"
+  | "base"
+  | "avalanche"
+  | "bsc"
+  | "bitcoin"
+  | "solana"
+  | "starknet";
+
+export type WalletType = "hot" | "watch-only" | "hardware";
+
+export interface CryptoWallet {
+  id: string;
+  nickname: string; // e.g., "ETH principal", "Trading wallet"
+  address: string; // Public address
+  chain: Chain;
+  type: WalletType;
+  // Only for hot wallets (encrypted)
+  privateKey?: string;
+  mnemonic?: string;
+  // Hardware wallet info
+  hardwareType?: "ledger" | "trezor" | "other";
+  derivationPath?: string;
+  // Settings
+  enabled: boolean;
+  allowedOperations: ("send" | "swap" | "approve" | "sign")[];
+  // Spending limits (optional)
+  limits?: {
+    perTransaction?: number;
+    daily?: number;
+    tokenSymbol: string; // e.g., "ETH", "USDC"
+  };
+  // Metadata
+  addedAt: string;
+  lastUsedAt?: string;
+}
+
+export interface CryptoTransaction {
+  id: string;
+  walletId: string;
+  chain: Chain;
+  type: "send" | "swap" | "approve" | "contract";
+  status: "pending" | "signed" | "broadcast" | "confirmed" | "failed";
+  // Transaction details
+  from: string;
+  to: string;
+  value?: string; // In wei/lamports/etc
+  tokenAddress?: string;
+  tokenSymbol?: string;
+  tokenAmount?: string;
+  // Gas/fees
+  gasLimit?: string;
+  gasPrice?: string;
+  maxFeePerGas?: string;
+  maxPriorityFeePerGas?: string;
+  // Result
+  txHash?: string;
+  blockNumber?: number;
+  // Timestamps
+  createdAt: string;
+  signedAt?: string;
+  broadcastAt?: string;
+  confirmedAt?: string;
+  // Description
+  description: string;
+}
+
+const CONFIG_DIR = join(homedir(), ".mcp-ecosystem");
+const WALLETS_FILE = join(CONFIG_DIR, "crypto-wallets.json");
+const CRYPTO_TX_FILE = join(CONFIG_DIR, "crypto-transactions.json");
+
+// Chain configurations
+export const CHAIN_CONFIG: Record<Chain, { name: string; nativeCurrency: string; explorerUrl: string; rpcEnvVar: string }> = {
+  ethereum: { name: "Ethereum", nativeCurrency: "ETH", explorerUrl: "https://etherscan.io", rpcEnvVar: "ETH_RPC_URL" },
+  polygon: { name: "Polygon", nativeCurrency: "MATIC", explorerUrl: "https://polygonscan.com", rpcEnvVar: "POLYGON_RPC_URL" },
+  arbitrum: { name: "Arbitrum", nativeCurrency: "ETH", explorerUrl: "https://arbiscan.io", rpcEnvVar: "ARBITRUM_RPC_URL" },
+  optimism: { name: "Optimism", nativeCurrency: "ETH", explorerUrl: "https://optimistic.etherscan.io", rpcEnvVar: "OPTIMISM_RPC_URL" },
+  base: { name: "Base", nativeCurrency: "ETH", explorerUrl: "https://basescan.org", rpcEnvVar: "BASE_RPC_URL" },
+  avalanche: { name: "Avalanche", nativeCurrency: "AVAX", explorerUrl: "https://snowtrace.io", rpcEnvVar: "AVAX_RPC_URL" },
+  bsc: { name: "BNB Chain", nativeCurrency: "BNB", explorerUrl: "https://bscscan.com", rpcEnvVar: "BSC_RPC_URL" },
+  bitcoin: { name: "Bitcoin", nativeCurrency: "BTC", explorerUrl: "https://mempool.space", rpcEnvVar: "BTC_RPC_URL" },
+  solana: { name: "Solana", nativeCurrency: "SOL", explorerUrl: "https://solscan.io", rpcEnvVar: "SOLANA_RPC_URL" },
+  starknet: { name: "Starknet", nativeCurrency: "ETH", explorerUrl: "https://starkscan.co", rpcEnvVar: "STARKNET_RPC_URL" },
+};
+
+/**
+ * Validate Ethereum-like address
+ */
+export function isValidEvmAddress(address: string): boolean {
+  return /^0x[a-fA-F0-9]{40}$/.test(address);
+}
+
+/**
+ * Validate Bitcoin address (basic check)
+ */
+export function isValidBtcAddress(address: string): boolean {
+  // Supports legacy (1...), SegWit (3...), and native SegWit (bc1...)
+  return /^(1|3)[a-km-zA-HJ-NP-Z1-9]{25,34}$/.test(address) || /^bc1[a-z0-9]{39,59}$/.test(address);
+}
+
+/**
+ * Validate Solana address
+ */
+export function isValidSolanaAddress(address: string): boolean {
+  return /^[1-9A-HJ-NP-Za-km-z]{32,44}$/.test(address);
+}
+
+/**
+ * Validate address based on chain
+ */
+export function isValidAddress(address: string, chain: Chain): boolean {
+  if (chain === "bitcoin") return isValidBtcAddress(address);
+  if (chain === "solana") return isValidSolanaAddress(address);
+  // All EVM chains
+  return isValidEvmAddress(address);
+}
+
+function ensureConfigDir(): void {
+  if (!existsSync(CONFIG_DIR)) {
+    mkdirSync(CONFIG_DIR, { recursive: true });
+  }
+}
+
+/**
+ * Decrypt sensitive fields in a wallet
+ */
+async function decryptWallet(wallet: CryptoWallet): Promise<CryptoWallet> {
+  const decrypted = { ...wallet };
+  
+  for (const field of SENSITIVE_FIELDS) {
+    const value = (decrypted as any)[field];
+    if (value && typeof value === "string" && isEncrypted(value)) {
+      try {
+        (decrypted as any)[field] = await decrypt(value);
+      } catch (err) {
+        console.error(`[wallets] Failed to decrypt ${field} for wallet ${wallet.nickname}`);
+      }
+    }
+  }
+  
+  return decrypted;
+}
+
+/**
+ * Encrypt sensitive fields in a wallet
+ */
+async function encryptWallet(wallet: CryptoWallet): Promise<CryptoWallet> {
+  const encrypted = { ...wallet };
+  
+  for (const field of SENSITIVE_FIELDS) {
+    const value = (encrypted as any)[field];
+    if (value && typeof value === "string" && !isEncrypted(value)) {
+      (encrypted as any)[field] = await encrypt(value);
+    }
+  }
+  
+  return encrypted;
+}
+
+// ============================================================================
+// Wallet CRUD
+// ============================================================================
+
+export async function getWallets(): Promise<CryptoWallet[]> {
+  ensureConfigDir();
+  
+  if (!existsSync(WALLETS_FILE)) {
+    return [];
+  }
+
+  try {
+    const data = readFileSync(WALLETS_FILE, "utf-8");
+    const wallets: CryptoWallet[] = JSON.parse(data);
+    return Promise.all(wallets.map(decryptWallet));
+  } catch {
+    return [];
+  }
+}
+
+export async function getWallet(id: string): Promise<CryptoWallet | null> {
+  const wallets = await getWallets();
+  return wallets.find((w) => w.id === id) ?? null;
+}
+
+/**
+ * Get wallets without sensitive data (for listing)
+ */
+export async function getWalletsSafe(): Promise<Omit<CryptoWallet, "privateKey" | "mnemonic">[]> {
+  const wallets = await getWallets();
+  return wallets.map(({ privateKey, mnemonic, ...safe }) => safe);
+}
+
+export async function addWallet(wallet: CryptoWallet): Promise<void> {
+  ensureConfigDir();
+  
+  // Validate address
+  if (!isValidAddress(wallet.address, wallet.chain)) {
+    throw new Error(`Invalid ${wallet.chain} address`);
+  }
+  
+  wallet.addedAt = new Date().toISOString();
+  
+  // Load existing
+  let rawWallets: CryptoWallet[] = [];
+  if (existsSync(WALLETS_FILE)) {
+    try {
+      rawWallets = JSON.parse(readFileSync(WALLETS_FILE, "utf-8"));
+    } catch {
+      rawWallets = [];
+    }
+  }
+  
+  // Encrypt and save
+  const encryptedWallet = await encryptWallet(wallet);
+  
+  const existingIndex = rawWallets.findIndex((w) => w.id === wallet.id);
+  if (existingIndex >= 0) {
+    rawWallets[existingIndex] = encryptedWallet;
+  } else {
+    rawWallets.push(encryptedWallet);
+  }
+  
+  writeFileSync(WALLETS_FILE, JSON.stringify(rawWallets, null, 2), { mode: 0o600 });
+  console.error(`[wallets] Saved wallet ${wallet.nickname} (${wallet.address.slice(0, 8)}...) - ${wallet.type}`);
+}
+
+export async function removeWallet(id: string): Promise<boolean> {
+  if (!existsSync(WALLETS_FILE)) {
+    return false;
+  }
+  
+  let rawWallets: CryptoWallet[] = [];
+  try {
+    rawWallets = JSON.parse(readFileSync(WALLETS_FILE, "utf-8"));
+  } catch {
+    return false;
+  }
+  
+  const filtered = rawWallets.filter((w) => w.id !== id);
+  
+  if (filtered.length === rawWallets.length) {
+    return false;
+  }
+  
+  writeFileSync(WALLETS_FILE, JSON.stringify(filtered, null, 2), { mode: 0o600 });
+  console.error(`[wallets] Removed wallet ${id}`);
+  return true;
+}
+
+// ============================================================================
+// Crypto Transaction Log
+// ============================================================================
+
+export async function getCryptoTransactions(limit = 50): Promise<CryptoTransaction[]> {
+  ensureConfigDir();
+  
+  if (!existsSync(CRYPTO_TX_FILE)) {
+    return [];
+  }
+
+  try {
+    const data = readFileSync(CRYPTO_TX_FILE, "utf-8");
+    const transactions: CryptoTransaction[] = JSON.parse(data);
+    return transactions.slice(-limit);
+  } catch {
+    return [];
+  }
+}
+
+export async function logCryptoTransaction(tx: CryptoTransaction): Promise<void> {
+  ensureConfigDir();
+  
+  let transactions: CryptoTransaction[] = [];
+  if (existsSync(CRYPTO_TX_FILE)) {
+    try {
+      transactions = JSON.parse(readFileSync(CRYPTO_TX_FILE, "utf-8"));
+    } catch {
+      transactions = [];
+    }
+  }
+  
+  transactions.push(tx);
+  
+  // Keep last 1000 transactions
+  if (transactions.length > 1000) {
+    transactions = transactions.slice(-1000);
+  }
+  
+  writeFileSync(CRYPTO_TX_FILE, JSON.stringify(transactions, null, 2), { mode: 0o600 });
+}
+
+export async function updateCryptoTransaction(id: string, updates: Partial<CryptoTransaction>): Promise<void> {
+  if (!existsSync(CRYPTO_TX_FILE)) return;
+  
+  let transactions: CryptoTransaction[] = [];
+  try {
+    transactions = JSON.parse(readFileSync(CRYPTO_TX_FILE, "utf-8"));
+  } catch {
+    return;
+  }
+  
+  const idx = transactions.findIndex((t) => t.id === id);
+  if (idx >= 0) {
+    transactions[idx] = { ...transactions[idx]!, ...updates };
+    writeFileSync(CRYPTO_TX_FILE, JSON.stringify(transactions, null, 2), { mode: 0o600 });
+  }
+}

package/src/tools/add-card.ts

@@ -0,0 +1,108 @@
+/**
+ * Add a new payment card (encrypted storage)
+ */
+
+import { z } from "zod";
+import { randomUUID } from "crypto";
+import { addCard } from "../lib/cards";
+import type { CardUsage } from "../lib/cards";
+import { isUnlocked, isPinConfigured } from "../lib/pin-manager";
+import { encryptCvv } from "../lib/cvv-crypto";
+
+export const name = "add_card";
+
+export const description = "Add a new payment card. Card number and expiration are encrypted. CVV is encrypted with your master PIN (requires unlock).";
+
+export const parameters = z.object({
+  nickname: z.string().describe("Friendly name for the card (e.g., 'Visa perso', 'Amex pro')"),
+  card_number: z.string().describe("Full card number (will be encrypted)"),
+  expiration: z.string().describe("Expiration date in MM/YY format"),
+  cvv: z.string().describe("CVV/CVC (3-4 digits) - encrypted with your PIN, never shown"),
+  cardholder_name: z.string().describe("Name as shown on the card"),
+  allowed_usage: z.array(z.enum(["flight", "train", "hotel", "general", "all"])).optional()
+    .describe("What this card can be used for (default: all)"),
+  billing_street: z.string().optional().describe("Billing address street"),
+  billing_city: z.string().optional().describe("Billing address city"),
+  billing_postal_code: z.string().optional().describe("Billing postal code"),
+  billing_country: z.string().optional().describe("Billing country (2-letter code)"),
+  per_transaction_limit: z.number().optional().describe("Max amount per transaction"),
+  daily_limit: z.number().optional().describe("Max daily spending"),
+  monthly_limit: z.number().optional().describe("Max monthly spending"),
+  limit_currency: z.string().optional().describe("Currency for limits (default: EUR)"),
+});
+
+export async function execute(args: z.infer<typeof parameters>) {
+  try {
+    // Check PIN is configured and unlocked
+    if (!isPinConfigured()) {
+      return {
+        success: false,
+        error: "Master PIN not configured. Use setup_pin first.",
+      };
+    }
+    
+    if (!isUnlocked()) {
+      return {
+        success: false,
+        error: "Cards are locked. Use unlock_cards with your PIN first.",
+      };
+    }
+    
+    // Validate CVV format
+    if (!/^\d{3,4}$/.test(args.cvv)) {
+      return {
+        success: false,
+        error: "Invalid CVV format (must be 3-4 digits)",
+      };
+    }
+    
+    // Encrypt CVV with PIN-derived key
+    const encryptedCvv = encryptCvv(args.cvv);
+    if (!encryptedCvv) {
+      return {
+        success: false,
+        error: "Failed to encrypt CVV. Make sure cards are unlocked.",
+      };
+    }
+    
+    const cardId = randomUUID();
+    
+    await addCard({
+      id: cardId,
+      nickname: args.nickname,
+      cardNumber: args.card_number,
+      expirationDate: args.expiration,
+      cvv: encryptedCvv,
+      cardholderName: args.cardholder_name,
+      cardType: "other", // Will be auto-detected
+      lastFourDigits: "", // Will be set from card number
+      allowedUsage: (args.allowed_usage as CardUsage[]) ?? ["all"],
+      enabled: true,
+      billingAddress: args.billing_street ? {
+        street: args.billing_street,
+        city: args.billing_city ?? "",
+        postalCode: args.billing_postal_code ?? "",
+        country: args.billing_country ?? "FR",
+      } : undefined,
+      limits: args.per_transaction_limit || args.daily_limit || args.monthly_limit ? {
+        perTransaction: args.per_transaction_limit,
+        daily: args.daily_limit,
+        monthly: args.monthly_limit,
+        currency: args.limit_currency ?? "EUR",
+      } : undefined,
+      addedAt: new Date().toISOString(),
+    });
+    
+    return {
+      success: true,
+      message: `Card "${args.nickname}" added successfully`,
+      card_id: cardId,
+      security: "Card number and CVV encrypted. CVV protected by your master PIN.",
+    };
+  } catch (error) {
+    return {
+      success: false,
+      error: error instanceof Error ? error.message : "Failed to add card",
+    };
+  }
+}