local-model-suitability-mcp 1.1.16 → 1.1.19

package/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## [1.1.19] - 2026-06-18
+- feat: revoke API key on Stripe refund
+
+## [1.1.18] - 2026-06-17
+- fix: Resend fetch now logs HTTP error responses; was silently swallowing non-2xx failures
+
+## [1.1.17] - 2026-06-17
+- fix: Stripe webhook now validates payment_link ID — ignores events not belonging to this server
+
 ## [1.1.16] - 2026-06-16
 - feat: ATO optimisation — purpose verb, usage context, required fields, ToolRank badge
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "local-model-suitability-mcp",
   "mcpName": "io.github.OjasKord/local-model-suitability-mcp",
-  "version": "1.1.16",
+  "version": "1.1.19",
   "description": "AI model router for agents. Checks whether a local model can handle the task before calling cloud inference. LOCAL/CLOUD verdict saves cost on every call.",
   "main": "src/server.js",
   "type": "module",

package/server.json

@@ -1,24 +1,36 @@
-{
-  "$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json",
-  "name": "io.github.OjasKord/local-model-suitability-mcp",
-  "title": "Local Model Suitability MCP",
-  "description": "Check if a task runs locally vs cloud. Save money on calls that don't need cloud inference.",
-  "version": "1.1.6",
-  "websiteUrl": "https://kordagencies.com",
-  "repository": {
-    "url": "https://github.com/OjasKord/local-model-suitability-mcp",
-    "source": "github"
-  },
-  "packages": [
-    {
-      "registryType": "npm",
-      "identifier": "local-model-suitability-mcp",
-      "version": "1.1.6",
-      "transport": { "type": "stdio" },
-      "environmentVariables": [
-        { "name": "ANTHROPIC_API_KEY", "description": "Anthropic API key for Claude routing analysis", "isRequired": true, "isSecret": true }
-      ]
-    }
-  ],
-  "remotes": [{ "type": "streamable-http", "url": "https://local-model-suitability-mcp-production.up.railway.app" }]
-}
+{
+  "$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json",
+  "name": "io.github.OjasKord/local-model-suitability-mcp",
+  "title": "Local Model Suitability MCP",
+  "description": "Check if a task runs locally vs cloud. Save money on calls that don't need cloud inference.",
+  "version": "1.1.16",
+  "websiteUrl": "https://kordagencies.com",
+  "repository": {
+    "url": "https://github.com/OjasKord/local-model-suitability-mcp",
+    "source": "github"
+  },
+  "packages": [
+    {
+      "registryType": "npm",
+      "identifier": "local-model-suitability-mcp",
+      "version": "1.1.16",
+      "transport": {
+        "type": "stdio"
+      },
+      "environmentVariables": [
+        {
+          "name": "ANTHROPIC_API_KEY",
+          "description": "Anthropic API key for Claude routing analysis",
+          "isRequired": true,
+          "isSecret": true
+        }
+      ]
+    }
+  ],
+  "remotes": [
+    {
+      "type": "streamable-http",
+      "url": "https://local-model-suitability-mcp-production.up.railway.app"
+    }
+  ]
+}

package/src/server.js

@@ -3,9 +3,10 @@ import { createHmac, timingSafeEqual } from 'crypto';
 import { readFileSync, writeFileSync } from 'fs';
 import Anthropic from '@anthropic-ai/sdk';
 
-const VERSION = '1.1.16';
+const VERSION = '1.1.19';
 const PRO_UPGRADE_URL = 'https://buy.stripe.com/cNibJ08wd7zf6NS0h2ebu0p';
 const ENTERPRISE_UPGRADE_URL = 'https://buy.stripe.com/28E9AS27PbPvfkoe7Sebu0q';
+const ALLOWED_PAYMENT_LINK_IDS = ['plink_1TQzCBD6WvRe6sn3H1q5t2LF', 'plink_1TQzDSD6WvRe6sn3UM2G1EgX'];
 const PERSIST_FILE = '/tmp/lms_stats.json';
 const LEGAL_DISCLAIMER = 'AI-powered routing analysis. We do not log or store your task content. Results are for cost-optimisation guidance only. Provider maximum liability is limited to subscription fees paid in the preceding 3 months. Full terms: kordagencies.com/terms.html';
 
@@ -160,6 +161,26 @@ async function redisKeys(pattern) {
   } catch(e) { return []; }
 }
 
+async function redisDelete(key) {
+  try {
+    const res = await fetch(
+      `${UPSTASH_URL}/del/${encodeURIComponent(key)}`,
+      { method: 'POST', headers: { Authorization: `Bearer ${UPSTASH_TOKEN}` } }
+    );
+    const data = await res.json();
+    if (data.error) console.error('[Redis] redisDelete error:', data.error, 'key:', key);
+  } catch(e) { console.error('[Redis] redisDelete failed:', e); }
+}
+
+async function findCheckoutSessionEmail(paymentIntentId) {
+  const res = await fetch(
+    `https://api.stripe.com/v1/checkout/sessions?payment_intent=${encodeURIComponent(paymentIntentId)}`,
+    { headers: { Authorization: `Bearer ${process.env.STRIPE_SECRET_KEY}` } }
+  );
+  const data = await res.json();
+  return data.data?.[0]?.customer_details?.email || data.data?.[0]?.customer_email || null;
+}
+
 async function appendSessionLog(ip, tool) {
   try {
     const ipSafe = ip.replace(/:/g, '_').replace(/\s/g, '');
@@ -363,6 +384,11 @@ async function handleStripeWebhook(body, sig) {
 
   if (event.type === 'checkout.session.completed') {
     const session = event.data.object;
+    const paymentLinkId = session.payment_link;
+    if (paymentLinkId && !ALLOWED_PAYMENT_LINK_IDS.includes(paymentLinkId)) {
+      console.log('[lms] Webhook received but payment link ' + paymentLinkId + ' not for this server — ignoring.');
+      return { received: true, ignored: true };
+    }
     const email = session.customer_details?.email;
     const plan = session.metadata?.plan || 'pro';
     const apiKey = 'lms_' + createHmac('sha256', secret).update(email + Date.now()).digest('hex').slice(0, 32);
@@ -400,7 +426,43 @@ async function handleStripeWebhook(body, sig) {
 <p>Questions? Reply to this email.</p>
 <p style="font-size:12px;color:#666;">Results are for cost-optimisation guidance only. Provider maximum liability limited to subscription fees paid in preceding 3 months. Full terms: <a href="https://kordagencies.com/terms.html">kordagencies.com/terms.html</a></p>`
         })
-      }).catch(e => console.error('[lms] Resend error:', e.message));
+      }).then(r => { if (!r.ok) r.text().then(t => console.error('[lms] Resend email failed: HTTP ' + r.status + ' ' + t)); })
+        .catch(e => console.error('[lms] Resend network error:', e.message));
+    }
+  }
+
+  if (event.type === 'charge.refunded') {
+    if (!process.env.STRIPE_SECRET_KEY) {
+      console.error('[lms] STRIPE_SECRET_KEY not set — cannot revoke key on refund');
+      return { received: true, ignored: true, status: 200 };
+    }
+    const paymentIntentId = event.data.object.payment_intent;
+    if (!paymentIntentId) {
+      console.log('[lms] charge.refunded missing payment_intent — ignoring.');
+      return { received: true, ignored: true, status: 200 };
+    }
+    try {
+      const email = await findCheckoutSessionEmail(paymentIntentId);
+      if (!email) {
+        console.log('[lms] No checkout session/email found for refunded payment_intent ' + paymentIntentId);
+        return { received: true, ignored: true, status: 200 };
+      }
+      let revokedKey = null;
+      for (const [key, record] of apiKeys.entries()) {
+        if (record.email === email) { revokedKey = key; break; }
+      }
+      if (!revokedKey) {
+        console.log('[lms] No API key found for ' + email + ' — refund received, nothing to revoke');
+        return { received: true, ignored: true, status: 200 };
+      }
+      apiKeys.delete(revokedKey);
+      await redisDelete(`${REDIS_PREFIX}:key:${revokedKey}`);
+      saveStats();
+      console.log('[Webhook] API key revoked for ' + email + ' — refund received');
+      return { received: true, revoked: true, status: 200 };
+    } catch(e) {
+      console.error('[lms] charge.refunded handling error:', e.message);
+      return { received: true, ignored: true, status: 200 };
     }
   }