mcp-server-agentpay 1.0.3 → 1.0.4

package/index.js

@@ -14,11 +14,19 @@ const BASE_URL = (process.env.AGENTPAY_URL || "https://agentpay.metaltorque.dev"
 
 // ── HTTP helper ─────────────────────────────────────────────────────
 
+const MAX_RESPONSE_SIZE = 5 * 1024 * 1024; // 5MB
+
 function request(method, urlPath, body, timeout = 120_000) {
   return new Promise((resolve, reject) => {
     const fullUrl = `${BASE_URL}${urlPath}`;
-    const mod = fullUrl.startsWith("https") ? https : http;
     const parsed = new URL(fullUrl);
+    const isHttps = parsed.protocol === "https:";
+
+    if (!isHttps && GATEWAY_KEY) {
+      return reject(new Error("Refusing to send gateway key over insecure HTTP. Use HTTPS."));
+    }
+
+    const mod = isHttps ? https : http;
 
     const headers = {
       "Content-Type": "application/json",
@@ -28,7 +36,7 @@ function request(method, urlPath, body, timeout = 120_000) {
 
     const opts = {
       hostname: parsed.hostname,
-      port: parsed.port || (parsed.protocol === "https:" ? 443 : 80),
+      port: parsed.port || (isHttps ? 443 : 80),
       path: parsed.pathname + parsed.search,
       method,
       headers,
@@ -37,7 +45,12 @@ function request(method, urlPath, body, timeout = 120_000) {
 
     const req = mod.request(opts, (res) => {
       let data = "";
-      res.on("data", (c) => (data += c));
+      let size = 0;
+      res.on("data", (c) => {
+        size += c.length;
+        if (size > MAX_RESPONSE_SIZE) { req.destroy(); return reject(new Error("Response too large")); }
+        data += c;
+      });
       res.on("end", () => {
         try {
           const json = JSON.parse(data);
@@ -142,7 +155,9 @@ server.tool(
         try { params = JSON.parse(params_json); } catch { return { content: [{ type: "text", text: "Error: params_json must be valid JSON" }] }; }
       }
       const result = await request("POST", "/gateway/call", { tool, method, params }, 600_000);
-      const meta = `[Cost: $${(result.cost || 0).toFixed(2)} | Balance: $${(result.balance || 0).toFixed(2)} | Time: ${result.elapsed || 0}ms]`;
+      const cost = Number(result.cost) || 0;
+      const balance = Number(result.balance) || 0;
+      const meta = `[Cost: $${cost.toFixed(2)} | Balance: $${balance.toFixed(2)} | Time: ${result.elapsed || 0}ms]`;
       return {
         content: [{ type: "text", text: `${meta}\n\n${JSON.stringify(result.result, null, 2)}` }],
       };
@@ -177,7 +192,7 @@ server.tool(
   "get_usage",
   "View your recent tool call history — which tools you called, what methods, how much each cost, and when.",
   {
-    limit: z.number().default(20).describe("Number of recent calls to show (default: 20, max: 200)"),
+    limit: z.number().int().min(1).max(200).default(20).describe("Number of recent calls to show (default: 20, max: 200)"),
   },
   async ({ limit }) => {
     if (!GATEWAY_KEY) return noKeyError();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcp-server-agentpay",
-  "version": "1.0.3",
+  "version": "1.0.4",
   "mcpName": "io.github.joepangallo/agent-pay",
   "description": "MCP server for AgentPay — the payment gateway for autonomous AI agents. Lets agents discover, provision, and pay for MCP tool APIs with a single gateway key.",
   "bin": {
@@ -44,7 +44,8 @@
     "url": "https://github.com/joepangallo/agent-pay"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.27.0"
+    "@modelcontextprotocol/sdk": "^1.27.0",
+    "zod": "^3.23.0"
   },
   "engines": {
     "node": ">=18"

package/server.json

@@ -6,12 +6,12 @@
     "url": "https://github.com/joepangallo/agent-pay",
     "source": "github"
   },
-  "version": "1.0.3",
+  "version": "1.0.4",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "mcp-server-agentpay",
-      "version": "1.0.3",
+      "version": "1.0.4",
       "transport": {
         "type": "stdio"
       },