globodai-mcp-payment-manager 1.0.1

package/dist/lib/cli-runner.d.ts

@@ -0,0 +1,31 @@
+/**
+ * CLI Runner - Execute shell commands with secure credential injection
+ */
+export interface ExecResult {
+    stdout: string;
+    stderr: string;
+    exitCode: number;
+    success: boolean;
+}
+export interface ExecOptions {
+    cwd?: string;
+    env?: Record<string, string>;
+    timeout?: number;
+    stdin?: string;
+}
+/**
+ * Execute a CLI command and return the result
+ */
+export declare function execCommand(command: string, args: string[], options?: ExecOptions): Promise<ExecResult>;
+/**
+ * Execute a git command
+ */
+export declare function execGit(args: string[], options?: ExecOptions): Promise<ExecResult>;
+/**
+ * Execute a heroku command with API key
+ */
+export declare function execHeroku(args: string[], apiKey: string, options?: ExecOptions): Promise<ExecResult>;
+/**
+ * Parse JSON output safely
+ */
+export declare function parseJsonOutput<T>(output: string): T | null;

package/dist/lib/cli-runner.js

@@ -0,0 +1,77 @@
+/**
+ * CLI Runner - Execute shell commands with secure credential injection
+ */
+import { spawn } from "child_process";
+/**
+ * Execute a CLI command and return the result
+ */
+export async function execCommand(command, args, options = {}) {
+    return new Promise((resolve) => {
+        const env = {
+            ...process.env,
+            ...options.env,
+        };
+        const proc = spawn(command, args, {
+            cwd: options.cwd,
+            env,
+            timeout: options.timeout ?? 60000,
+        });
+        let stdout = "";
+        let stderr = "";
+        proc.stdout.on("data", (data) => {
+            stdout += data.toString();
+        });
+        proc.stderr.on("data", (data) => {
+            stderr += data.toString();
+        });
+        if (options.stdin) {
+            proc.stdin.write(options.stdin);
+            proc.stdin.end();
+        }
+        proc.on("close", (code) => {
+            resolve({
+                stdout: stdout.trim(),
+                stderr: stderr.trim(),
+                exitCode: code ?? 0,
+                success: code === 0,
+            });
+        });
+        proc.on("error", (err) => {
+            resolve({
+                stdout: "",
+                stderr: err.message,
+                exitCode: 1,
+                success: false,
+            });
+        });
+    });
+}
+/**
+ * Execute a git command
+ */
+export async function execGit(args, options = {}) {
+    return execCommand("git", args, options);
+}
+/**
+ * Execute a heroku command with API key
+ */
+export async function execHeroku(args, apiKey, options = {}) {
+    return execCommand("heroku", args, {
+        ...options,
+        env: {
+            ...options.env,
+            HEROKU_API_KEY: apiKey,
+        },
+    });
+}
+/**
+ * Parse JSON output safely
+ */
+export function parseJsonOutput(output) {
+    try {
+        return JSON.parse(output);
+    }
+    catch {
+        return null;
+    }
+}

package/dist/lib/crypto.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Encryption for sensitive data with KMS support
+ *
+ * Supports multiple backends:
+ * 1. AWS KMS (recommended for production)
+ * 2. Local AES-256-GCM (for development)
+ *
+ * Configuration via environment:
+ * - MCP_CRYPTO_BACKEND: "aws-kms" | "local" (default: "local")
+ * - AWS_KMS_KEY_ID: ARN or alias of the KMS key
+ * - AWS_REGION: AWS region for KMS
+ * - MCP_MASTER_KEY: Local master key (if using local backend)
+ *
+ * Security model with KMS:
+ * - Even with root access to VPS, attacker needs AWS credentials
+ * - AWS credentials should use IAM role with minimal permissions
+ * - KMS provides audit logs of all decrypt operations
+ */
+type CryptoBackend = "local" | "aws-kms";
+/**
+ * Check if a value is encrypted
+ */
+export declare function isEncrypted(value: string): boolean;
+/**
+ * Encrypt sensitive data using configured backend
+ */
+export declare function encrypt(plaintext: string): Promise<string>;
+/**
+ * Decrypt sensitive data (auto-detects backend from prefix)
+ */
+export declare function decrypt(encrypted: string): Promise<string>;
+/**
+ * Get current crypto backend info
+ */
+export declare function getCryptoInfo(): {
+    backend: CryptoBackend;
+    kmsKeyId?: string;
+};
+export {};

package/dist/lib/crypto.js

@@ -0,0 +1,228 @@
+/**
+ * Encryption for sensitive data with KMS support
+ *
+ * Supports multiple backends:
+ * 1. AWS KMS (recommended for production)
+ * 2. Local AES-256-GCM (for development)
+ *
+ * Configuration via environment:
+ * - MCP_CRYPTO_BACKEND: "aws-kms" | "local" (default: "local")
+ * - AWS_KMS_KEY_ID: ARN or alias of the KMS key
+ * - AWS_REGION: AWS region for KMS
+ * - MCP_MASTER_KEY: Local master key (if using local backend)
+ *
+ * Security model with KMS:
+ * - Even with root access to VPS, attacker needs AWS credentials
+ * - AWS credentials should use IAM role with minimal permissions
+ * - KMS provides audit logs of all decrypt operations
+ */
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
+import { existsSync, readFileSync, writeFileSync, mkdirSync, chmodSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+import { KMSClient, DecryptCommand, GenerateDataKeyCommand } from "@aws-sdk/client-kms";
+// ============================================================================
+// Configuration
+// ============================================================================
+const ALGORITHM = "aes-256-gcm";
+const KEY_LENGTH = 32;
+const IV_LENGTH = 16;
+const AUTH_TAG_LENGTH = 16;
+const CONFIG_DIR = join(homedir(), ".mcp-ecosystem");
+const KEY_FILE = join(CONFIG_DIR, ".master-key");
+const DEK_CACHE_FILE = join(CONFIG_DIR, ".dek-cache");
+// Prefixes to identify encryption version/backend
+const PREFIX_LOCAL = "enc:local:";
+const PREFIX_KMS = "enc:kms:";
+function getBackend() {
+    const backend = process.env.MCP_CRYPTO_BACKEND?.toLowerCase();
+    if (backend === "aws-kms" || backend === "kms")
+        return "aws-kms";
+    return "local";
+}
+// ============================================================================
+// AWS KMS Backend
+// ============================================================================
+let kmsClient = null;
+let cachedDataKey = null;
+let cachedEncryptedDataKey = null;
+function getKMSClient() {
+    if (!kmsClient) {
+        kmsClient = new KMSClient({
+            region: process.env.AWS_REGION || "us-east-1",
+        });
+    }
+    return kmsClient;
+}
+function getKMSKeyId() {
+    const keyId = process.env.AWS_KMS_KEY_ID;
+    if (!keyId) {
+        throw new Error("AWS_KMS_KEY_ID environment variable required for KMS backend");
+    }
+    return keyId;
+}
+/**
+ * Generate or retrieve Data Encryption Key (DEK) from KMS
+ * Uses envelope encryption pattern
+ */
+async function getDataKey() {
+    // Check memory cache first
+    if (cachedDataKey && cachedEncryptedDataKey) {
+        return { plaintext: cachedDataKey, encrypted: cachedEncryptedDataKey };
+    }
+    // Check disk cache (encrypted DEK)
+    if (existsSync(DEK_CACHE_FILE)) {
+        try {
+            const encryptedDek = readFileSync(DEK_CACHE_FILE);
+            const client = getKMSClient();
+            const response = await client.send(new DecryptCommand({
+                CiphertextBlob: encryptedDek,
+                KeyId: getKMSKeyId(),
+            }));
+            if (response.Plaintext) {
+                cachedDataKey = Buffer.from(response.Plaintext);
+                cachedEncryptedDataKey = encryptedDek;
+                return { plaintext: cachedDataKey, encrypted: cachedEncryptedDataKey };
+            }
+        }
+        catch (err) {
+            console.error("[crypto] Failed to decrypt cached DEK, generating new one");
+        }
+    }
+    // Generate new DEK
+    const client = getKMSClient();
+    const response = await client.send(new GenerateDataKeyCommand({
+        KeyId: getKMSKeyId(),
+        KeySpec: "AES_256",
+    }));
+    if (!response.Plaintext || !response.CiphertextBlob) {
+        throw new Error("KMS GenerateDataKey failed");
+    }
+    cachedDataKey = Buffer.from(response.Plaintext);
+    cachedEncryptedDataKey = Buffer.from(response.CiphertextBlob);
+    // Cache encrypted DEK to disk (safe - it's encrypted by KMS)
+    ensureConfigDir();
+    writeFileSync(DEK_CACHE_FILE, cachedEncryptedDataKey, { mode: 0o600 });
+    console.error("[crypto] Generated new Data Encryption Key via KMS");
+    return { plaintext: cachedDataKey, encrypted: cachedEncryptedDataKey };
+}
+async function encryptWithKMS(plaintext) {
+    const { plaintext: dek } = await getDataKey();
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, dek, iv);
+    let encrypted = cipher.update(plaintext, "utf8", "base64");
+    encrypted += cipher.final("base64");
+    const authTag = cipher.getAuthTag();
+    // Format: enc:kms:<iv>:<authTag>:<ciphertext>
+    return `${PREFIX_KMS}${iv.toString("base64")}:${authTag.toString("base64")}:${encrypted}`;
+}
+async function decryptWithKMS(encrypted) {
+    const { plaintext: dek } = await getDataKey();
+    const parts = encrypted.slice(PREFIX_KMS.length).split(":");
+    if (parts.length !== 3) {
+        throw new Error("Invalid KMS encrypted format");
+    }
+    const iv = Buffer.from(parts[0], "base64");
+    const authTag = Buffer.from(parts[1], "base64");
+    const ciphertext = parts[2];
+    const decipher = createDecipheriv(ALGORITHM, dek, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(ciphertext, "base64", "utf8");
+    decrypted += decipher.final("utf8");
+    return decrypted;
+}
+// ============================================================================
+// Local Backend (for development)
+// ============================================================================
+function ensureConfigDir() {
+    if (!existsSync(CONFIG_DIR)) {
+        mkdirSync(CONFIG_DIR, { recursive: true });
+    }
+}
+function getLocalMasterKey() {
+    if (process.env.MCP_MASTER_KEY) {
+        return scryptSync(process.env.MCP_MASTER_KEY, "mcp-ecosystem-salt-v1", KEY_LENGTH);
+    }
+    if (existsSync(KEY_FILE)) {
+        const keyData = readFileSync(KEY_FILE, "utf-8").trim();
+        return scryptSync(keyData, "mcp-ecosystem-salt-v1", KEY_LENGTH);
+    }
+    console.error("[crypto] Generating new local master key...");
+    const newKey = randomBytes(32).toString("base64");
+    ensureConfigDir();
+    writeFileSync(KEY_FILE, newKey, { mode: 0o600 });
+    chmodSync(KEY_FILE, 0o600);
+    console.error(`[crypto] Master key saved to ${KEY_FILE}`);
+    return scryptSync(newKey, "mcp-ecosystem-salt-v1", KEY_LENGTH);
+}
+function encryptLocal(plaintext) {
+    const key = getLocalMasterKey();
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, key, iv);
+    let encrypted = cipher.update(plaintext, "utf8", "base64");
+    encrypted += cipher.final("base64");
+    const authTag = cipher.getAuthTag();
+    return `${PREFIX_LOCAL}${iv.toString("base64")}:${authTag.toString("base64")}:${encrypted}`;
+}
+function decryptLocal(encrypted) {
+    const key = getLocalMasterKey();
+    const parts = encrypted.slice(PREFIX_LOCAL.length).split(":");
+    if (parts.length !== 3) {
+        throw new Error("Invalid local encrypted format");
+    }
+    const iv = Buffer.from(parts[0], "base64");
+    const authTag = Buffer.from(parts[1], "base64");
+    const ciphertext = parts[2];
+    const decipher = createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(ciphertext, "base64", "utf8");
+    decrypted += decipher.final("utf8");
+    return decrypted;
+}
+// ============================================================================
+// Public API
+// ============================================================================
+/**
+ * Check if a value is encrypted
+ */
+export function isEncrypted(value) {
+    return value?.startsWith(PREFIX_LOCAL) || value?.startsWith(PREFIX_KMS) || false;
+}
+/**
+ * Encrypt sensitive data using configured backend
+ */
+export async function encrypt(plaintext) {
+    if (!plaintext || isEncrypted(plaintext)) {
+        return plaintext;
+    }
+    const backend = getBackend();
+    if (backend === "aws-kms") {
+        return encryptWithKMS(plaintext);
+    }
+    return encryptLocal(plaintext);
+}
+/**
+ * Decrypt sensitive data (auto-detects backend from prefix)
+ */
+export async function decrypt(encrypted) {
+    if (!encrypted || !isEncrypted(encrypted)) {
+        return encrypted;
+    }
+    if (encrypted.startsWith(PREFIX_KMS)) {
+        return decryptWithKMS(encrypted);
+    }
+    if (encrypted.startsWith(PREFIX_LOCAL)) {
+        return decryptLocal(encrypted);
+    }
+    throw new Error("Unknown encryption format");
+}
+/**
+ * Get current crypto backend info
+ */
+export function getCryptoInfo() {
+    const backend = getBackend();
+    return {
+        backend,
+        kmsKeyId: backend === "aws-kms" ? process.env.AWS_KMS_KEY_ID : undefined,
+    };
+}

package/dist/lib/cvv-crypto.d.ts

@@ -0,0 +1,23 @@
+/**
+ * CVV-specific encryption using PIN-derived key
+ *
+ * CVV is encrypted with a key derived from the master PIN.
+ * This means:
+ * - CVV is stored encrypted
+ * - Without the PIN, CVV cannot be decrypted
+ * - Even with system access, attacker needs the PIN
+ */
+/**
+ * Check if value is CVV-encrypted
+ */
+export declare function isCvvEncrypted(value: string): boolean;
+/**
+ * Encrypt CVV with PIN-derived key
+ * Requires cards to be unlocked
+ */
+export declare function encryptCvv(cvv: string): string | null;
+/**
+ * Decrypt CVV with PIN-derived key
+ * Requires cards to be unlocked
+ */
+export declare function decryptCvv(encrypted: string): string | null;

package/dist/lib/cvv-crypto.js

@@ -0,0 +1,67 @@
+/**
+ * CVV-specific encryption using PIN-derived key
+ *
+ * CVV is encrypted with a key derived from the master PIN.
+ * This means:
+ * - CVV is stored encrypted
+ * - Without the PIN, CVV cannot be decrypted
+ * - Even with system access, attacker needs the PIN
+ */
+import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
+import { getCvvEncryptionKey } from "./pin-manager";
+const ALGORITHM = "aes-256-gcm";
+const IV_LENGTH = 16;
+const CVV_PREFIX = "cvv:";
+/**
+ * Check if value is CVV-encrypted
+ */
+export function isCvvEncrypted(value) {
+    return value?.startsWith(CVV_PREFIX) || false;
+}
+/**
+ * Encrypt CVV with PIN-derived key
+ * Requires cards to be unlocked
+ */
+export function encryptCvv(cvv) {
+    const key = getCvvEncryptionKey();
+    if (!key) {
+        return null; // Not unlocked
+    }
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, key, iv);
+    let encrypted = cipher.update(cvv, "utf8", "base64");
+    encrypted += cipher.final("base64");
+    const authTag = cipher.getAuthTag();
+    // Format: cvv:<iv>:<authTag>:<ciphertext>
+    return `${CVV_PREFIX}${iv.toString("base64")}:${authTag.toString("base64")}:${encrypted}`;
+}
+/**
+ * Decrypt CVV with PIN-derived key
+ * Requires cards to be unlocked
+ */
+export function decryptCvv(encrypted) {
+    if (!isCvvEncrypted(encrypted)) {
+        return encrypted; // Not encrypted, return as-is
+    }
+    const key = getCvvEncryptionKey();
+    if (!key) {
+        return null; // Not unlocked
+    }
+    const parts = encrypted.slice(CVV_PREFIX.length).split(":");
+    if (parts.length !== 3) {
+        return null; // Invalid format
+    }
+    try {
+        const iv = Buffer.from(parts[0], "base64");
+        const authTag = Buffer.from(parts[1], "base64");
+        const ciphertext = parts[2];
+        const decipher = createDecipheriv(ALGORITHM, key, iv);
+        decipher.setAuthTag(authTag);
+        let decrypted = decipher.update(ciphertext, "base64", "utf8");
+        decrypted += decipher.final("utf8");
+        return decrypted;
+    }
+    catch {
+        return null; // Decryption failed (wrong PIN or corrupted)
+    }
+}

package/dist/lib/mcp-core.d.ts

@@ -0,0 +1,46 @@
+/**
+ * MCP Core - Shared utilities for all MCP servers
+ */
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+export interface MCPServerConfig {
+    name: string;
+    version: string;
+    description?: string;
+}
+export interface ToolDefinition {
+    name: string;
+    description: string;
+    inputSchema: Record<string, unknown>;
+    handler: (args: Record<string, unknown>) => Promise<ToolResult>;
+}
+export interface ToolResult {
+    content: Array<{
+        type: "text";
+        text: string;
+    }>;
+    isError?: boolean;
+    [key: string]: unknown;
+}
+/**
+ * Create and configure an MCP server with tools
+ */
+export declare function createMCPServer(config: MCPServerConfig, tools: ToolDefinition[]): Server;
+/**
+ * Start MCP server with stdio transport
+ */
+export declare function startMCPServer(server: Server): Promise<void>;
+/**
+ * Helper to create a successful tool result
+ */
+export declare function success(text: string): ToolResult;
+/**
+ * Helper to create a JSON tool result
+ */
+export declare function json(data: unknown): ToolResult;
+/**
+ * Helper to create an error tool result
+ */
+export declare function error(message: string): ToolResult;
+export { Server, StdioServerTransport };
+export { execCommand, execGit, execHeroku, parseJsonOutput, type ExecResult, type ExecOptions } from "./cli-runner";

package/dist/lib/mcp-core.js

@@ -0,0 +1,86 @@
+/**
+ * MCP Core - Shared utilities for all MCP servers
+ */
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { CallToolRequestSchema, ListToolsRequestSchema, } from "@modelcontextprotocol/sdk/types.js";
+/**
+ * Create and configure an MCP server with tools
+ */
+export function createMCPServer(config, tools) {
+    const server = new Server({
+        name: config.name,
+        version: config.version,
+    }, {
+        capabilities: {
+            tools: {},
+        },
+    });
+    // Register tool list handler
+    server.setRequestHandler(ListToolsRequestSchema, async () => ({
+        tools: tools.map((t) => ({
+            name: t.name,
+            description: t.description,
+            inputSchema: t.inputSchema,
+        })),
+    }));
+    // Register tool call handler
+    server.setRequestHandler(CallToolRequestSchema, async (request) => {
+        const toolName = request.params.name;
+        const tool = tools.find((t) => t.name === toolName);
+        if (!tool) {
+            return {
+                content: [{ type: "text", text: `Unknown tool: ${toolName}` }],
+                isError: true,
+            };
+        }
+        try {
+            const args = request.params.arguments ?? {};
+            return await tool.handler(args);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            return {
+                content: [{ type: "text", text: `Error: ${message}` }],
+                isError: true,
+            };
+        }
+    });
+    return server;
+}
+/**
+ * Start MCP server with stdio transport
+ */
+export async function startMCPServer(server) {
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+    console.error(`[MCP] Server started`);
+}
+/**
+ * Helper to create a successful tool result
+ */
+export function success(text) {
+    return {
+        content: [{ type: "text", text }],
+    };
+}
+/**
+ * Helper to create a JSON tool result
+ */
+export function json(data) {
+    return {
+        content: [{ type: "text", text: JSON.stringify(data, null, 2) }],
+    };
+}
+/**
+ * Helper to create an error tool result
+ */
+export function error(message) {
+    return {
+        content: [{ type: "text", text: message }],
+        isError: true,
+    };
+}
+export { Server, StdioServerTransport };
+// CLI execution utilities
+export { execCommand, execGit, execHeroku, parseJsonOutput } from "./cli-runner";

package/dist/lib/pin-manager.d.ts

@@ -0,0 +1,69 @@
+/**
+ * PIN Manager - Master PIN for card access
+ *
+ * Security model:
+ * - CVV is encrypted with a key derived from the master PIN
+ * - PIN is stored in memory only (never persisted)
+ * - PIN auto-expires after inactivity timeout
+ * - Without PIN, cards cannot be used for payments
+ *
+ * Flow:
+ * 1. User sets PIN once (stored as hash for verification)
+ * 2. User unlocks with PIN → PIN held in memory
+ * 3. Payments work while unlocked
+ * 4. After timeout or explicit lock → PIN cleared from memory
+ */
+/**
+ * Derive encryption key from PIN (for CVV encryption)
+ */
+export declare function deriveKeyFromPin(pin: string, salt: string): Buffer;
+/**
+ * Check if PIN is configured
+ */
+export declare function isPinConfigured(): boolean;
+/**
+ * Set up master PIN (first time)
+ */
+export declare function setupPin(pin: string): {
+    success: boolean;
+    error?: string;
+};
+/**
+ * Change master PIN (requires current PIN)
+ */
+export declare function changePin(currentPinInput: string, newPin: string): {
+    success: boolean;
+    error?: string;
+};
+/**
+ * Unlock cards with PIN
+ */
+export declare function unlock(pin: string): {
+    success: boolean;
+    error?: string;
+    expiresIn?: number;
+};
+/**
+ * Lock cards (clear PIN from memory)
+ */
+export declare function lock(): void;
+/**
+ * Check if cards are currently unlocked
+ */
+export declare function isUnlocked(): boolean;
+/**
+ * Refresh activity (extend session)
+ */
+export declare function refreshActivity(): void;
+/**
+ * Get CVV encryption key (only works when unlocked)
+ */
+export declare function getCvvEncryptionKey(): Buffer | null;
+/**
+ * Get status
+ */
+export declare function getStatus(): {
+    configured: boolean;
+    unlocked: boolean;
+    remainingMinutes?: number;
+};