npm - mpp32-mcp-server - Versions diffs - 1.1.2 → 1.1.3 - Mend

mpp32-mcp-server 1.1.2 → 1.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,46 @@ All notable changes to `mpp32-mcp-server` are documented here. The format
 follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and the
 project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [1.1.3] - 2026-05-11
+### Fixed
+* **x402 payments actually work now.** `completeX402Payment` previously
+  dynamically imported `@solana/web3.js`, `bs58`, and `tweetnacl`, but
+  none of those packages were declared in `dependencies`. On a clean
+  `npx mpp32-mcp-server` install they were missing from `node_modules`,
+  the import threw, the catch block returned a misleading "check wallet
+  balance" message, and Claude paraphrased that as "no funded Solana
+  wallet configured" even when `MPP32_SOLANA_PRIVATE_KEY` was set.
+* **Dropped `@solana/web3.js` entirely.** Adding it to `dependencies`
+  uncovered a second, deeper bug: its transitive `rpc-websockets`
+  bundle is CJS and `require()`s a now ESM-only `uuid`, which throws
+  `ERR_REQUIRE_ESM` on Node 20+ the first time the signer loads. We
+  only ever used `Keypair.fromSecretKey` and `publicKey.toBase58()`,
+  both of which are trivial Ed25519/base58 operations. Signing is now
+  done directly with `tweetnacl` + `bs58`, so the failure mode is gone
+  and the install footprint is ~30 MB smaller.
+* **Properly declared signing dependencies.** `bs58` and `tweetnacl`
+  are now real `dependencies` rather than implicit assumptions.
+* **Better error when a payment dependency genuinely fails to load.**
+  The catch around each dynamic import now tells the user the package
+  ships with `mpp32-mcp-server` and directs them to upgrade to
+  `@latest` instead of suggesting a manual `npm install` that won't
+  stick across `npx` runs.
+* **32-byte seed Solana keys now accepted** in addition to 64-byte
+  expanded keys (previously `Keypair.fromSecretKey` rejected seeds).
+### Added
+* **Catalog total surfaced in `list_mpp32_services`.** The federated
+  catalog has 4,500+ external services but the API returns at most 500
+  per call (default 100). The response now includes
+  `data.totalAvailable` and a `truncated`/`hint` pair so the model
+  knows results were paginated and how to drill in with `q`,
+  `category`, `source`, or `protocol`. The MCP client formats the
+  header as `Found N services (of M total available in catalog)` and
+  prints the hint when applicable.
 ## [1.1.2] - 2026-05-10
 ### Fixed

package/dist/index.js CHANGED Viewed

@@ -2,7 +2,7 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
-const SERVER_VERSION = "1.1.2";
+const SERVER_VERSION = "1.1.3";
 // ── Env loading: trim and sanitize aggressively ─────────────────────────────
 // Copy-paste from Claude Desktop / Cursor / Windsurf JSON config UIs frequently
 // adds trailing \n, \r, NBSP, BOM, or wraps the value in literal quotes. Any
@@ -174,7 +174,7 @@ function isHttpCallable(svc) {
     return /^https?:\/\//.test(url);
 }
 // ── Tool 1: list_mpp32_services ─────────────────────────────────────────────
-server.tool("list_mpp32_services", "Browse the MPP32 federated catalog of machine-payable APIs and data services. Includes native MPP32 services (callable end-to-end through this MCP), the x402 Bazaar (USDC on Solana), curated free APIs (DexScreener, Jupiter, CoinGecko health, httpbin, etc.), and the public MCP Registry (npx-installable servers; listing-only). Each result indicates whether it is callable through `call_mpp32_endpoint` or listing-only. Use the `category`, `q`, or `source` filters to narrow down.", {
+server.tool("list_mpp32_services", "Browse the MPP32 federated catalog of 4,500+ machine-payable APIs and data services. Includes native MPP32 services (callable end-to-end through this MCP), the x402 Bazaar (USDC on Solana), curated free APIs (DexScreener, Jupiter, CoinGecko health, httpbin, etc.), and the public MCP Registry (npx-installable servers; listing-only). Each result indicates whether it is callable through `call_mpp32_endpoint` or listing-only. The catalog is large (~4,500 entries) — by default a single call returns up to 100 results and the response will tell you the true total and whether the page was truncated. Use `q` (free-text search), `category`, `source`, or `protocol` to narrow down, or raise `limit` (max 500) for broader pages.", {
     category: z
         .string()
         .optional()
@@ -251,17 +251,24 @@ server.tool("list_mpp32_services", "Browse the MPP32 federated catalog of machin
                 .join("\n");
         });
         const counts = json.data.counts;
+        const totalAvailable = json.data.totalAvailable;
         const callableCount = services.filter(isHttpCallable).length;
+        const sourcesLine = totalAvailable
+            ? `**Sources:** ${counts.native} native + ${counts.external} external (of ${totalAvailable.combined} total available in catalog). **Callable through this MCP:** ${callableCount}.`
+            : `**Sources:** ${counts.native} native + ${counts.external} external. **Callable through this MCP:** ${callableCount}.`;
         const header = [
             `# MPP32 Federated Catalog — ${services.length} result${services.length !== 1 ? "s" : ""}`,
             ``,
-            `**Sources:** ${counts.native} native + ${counts.external} external. **Callable through this MCP:** ${callableCount}.`,
+            sourcesLine,
+            json.data.truncated && json.data.hint ? `\n> ⚠️ ${json.data.hint}` : ``,
             ``,
             AGENT_KEY
                 ? `Calls through \`call_mpp32_endpoint\` are tracked in your dashboard at ${API_URL}/agent-console (your X-Agent-Key is set).`
                 : `**Tip:** set \`MPP32_AGENT_KEY\` in your MCP config to track usage at ${API_URL}/agent-console. Get a key at ${API_URL}/agent-console.`,
             ``,
-        ].join("\n");
+        ]
+            .filter((l) => l !== ``)
+            .join("\n");
         return {
             content: [{ type: "text", text: header + "\n" + lines.join("\n\n") }],
         };
@@ -970,40 +977,70 @@ async function completeX402Payment(paymentRequiredHeader, solanaPrivateKey) {
     catch {
         throw new Error("Could not decode Payment-Required header");
     }
+    // We sign x402 challenges with raw Ed25519 (Solana keys are Ed25519). No
+    // @solana/web3.js needed — it pulls in rpc-websockets which has a
+    // CJS/ESM uuid incompat on Node 20+ that breaks every paid call.
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    let solanaWeb3;
+    let tweetnacl;
     try {
-        const pkg = "@solana/web3.js";
-        solanaWeb3 = await import(pkg);
+        const pkg = "tweetnacl";
+        tweetnacl = await import(pkg);
     }
-    catch {
-        throw new Error("x402 payment requires @solana/web3.js: npm install @solana/web3.js");
+    catch (err) {
+        throw new Error(`x402 signing requires tweetnacl, which ships with mpp32-mcp-server. ` +
+            `If you're seeing this on a clean npx install, upgrade to mpp32-mcp-server@latest. ` +
+            `Underlying error: ${err instanceof Error ? err.message : String(err)}`);
     }
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    let keypair;
+    let bs58;
+    try {
+        const pkg = "bs58";
+        bs58 = await import(pkg);
+    }
+    catch (err) {
+        throw new Error(`x402 signing requires bs58, which ships with mpp32-mcp-server. ` +
+            `Upgrade to mpp32-mcp-server@latest. ` +
+            `Underlying error: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    const bs58Decode = bs58.default?.decode ?? bs58.decode;
+    const bs58Encode = bs58.default?.encode ?? bs58.encode;
+    const naclSign = tweetnacl.default?.sign ?? tweetnacl.sign;
+    let rawKey;
     try {
         if (solanaPrivateKey.startsWith("[")) {
-            keypair = solanaWeb3.Keypair.fromSecretKey(new Uint8Array(JSON.parse(solanaPrivateKey)));
+            rawKey = new Uint8Array(JSON.parse(solanaPrivateKey));
         }
         else if (/^[0-9a-fA-F]+$/.test(solanaPrivateKey) && solanaPrivateKey.length % 2 === 0) {
-            keypair = solanaWeb3.Keypair.fromSecretKey(new Uint8Array(Buffer.from(solanaPrivateKey, "hex")));
+            rawKey = new Uint8Array(Buffer.from(solanaPrivateKey, "hex"));
         }
         else {
-            const bs58Pkg = "bs58";
-            const bs58 = await import(bs58Pkg);
-            keypair = solanaWeb3.Keypair.fromSecretKey(bs58.default.decode(solanaPrivateKey));
+            rawKey = bs58Decode(solanaPrivateKey);
         }
     }
     catch (err) {
         throw new Error(`Could not decode Solana private key: ${err instanceof Error ? err.message : String(err)}`);
     }
+    let secretKey;
+    let publicKey;
+    if (rawKey.length === 64) {
+        secretKey = rawKey;
+        publicKey = rawKey.slice(32);
+    }
+    else if (rawKey.length === 32) {
+        const kp = naclSign.keyPair.fromSeed(rawKey);
+        secretKey = kp.secretKey;
+        publicKey = kp.publicKey;
+    }
+    else {
+        throw new Error(`Solana private key must be a 32-byte seed or 64-byte expanded key; got ${rawKey.length} bytes.`);
+    }
     const payload = {
         x402Version: 1,
         scheme: requirements.scheme ?? "exact",
         network: requirements.network ?? "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp",
         payload: {
             signature: "",
-            from: keypair.publicKey.toBase58(),
+            from: bs58Encode(publicKey),
             amount: requirements.maxAmountRequired,
             asset: requirements.asset,
             payTo: requirements.payTo,
@@ -1012,17 +1049,7 @@ async function completeX402Payment(paymentRequiredHeader, solanaPrivateKey) {
     };
     const message = JSON.stringify(payload.payload);
     const messageBytes = new TextEncoder().encode(message);
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    let tweetnacl;
-    try {
-        const pkg = "tweetnacl";
-        tweetnacl = await import(pkg);
-    }
-    catch {
-        throw new Error("x402 signing requires tweetnacl: npm install tweetnacl");
-    }
-    const naclSign = tweetnacl.default?.sign ?? tweetnacl.sign;
-    const signed = naclSign.detached(messageBytes, keypair.secretKey);
+    const signed = naclSign.detached(messageBytes, secretKey);
     payload.payload.signature = Buffer.from(signed).toString("base64");
     return Buffer.from(JSON.stringify(payload)).toString("base64");
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "mpp32-mcp-server",
-  "version": "1.1.2",
+  "version": "1.1.3",
   "mcpName": "io.github.MPP32/mpp32-mcp-server",
   "description": "Payment layer for AI agents. One MCP, five protocols, thousands of paid APIs your agent can call.",
   "type": "module",
@@ -69,6 +69,8 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.12.0",
+    "bs58": "^6.0.0",
+    "tweetnacl": "^1.0.3",
     "zod": "^3.23.0"
   },
   "peerDependencies": {