npm - mpp32-mcp-server - Versions diffs - 1.2.0 → 1.2.2 - Mend

mpp32-mcp-server 1.2.0 → 1.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,47 @@ All notable changes to `mpp32-mcp-server` are documented here. The format
 follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and the
 project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [1.2.2] - 2026-05-11
+### Fixed
+* **x402 v2 envelope (the whole third-party catalog).** Every third-party
+  x402 provider we tested — Venice (`api.venice.ai`), Exa (`api.exa.ai`),
+  Firecrawl, OpenAI's x402 gateway, etc. — ships the **v2** challenge
+  shape: `{x402Version: 2, accepts: [{scheme, network, asset, payTo,
+  amount, ...}, ...]}`. 1.2.0 and 1.2.1 only understood **v1**
+  (`{scheme, network, asset, payTo, maxAmountRequired, ...}` at the top
+  level), so every third-party call failed with "missing network field"
+  before we ever signed anything. The signer now:
+  - Detects v1 vs v2 by the presence of `accepts: [...]`.
+  - Picks the first `accepts[]` entry it can pay (prefers EVM when
+    `MPP32_PRIVATE_KEY` is set, falls back to SVM when only the Solana
+    key is set, falls back to the first entry so the per-network error
+    surfaces precisely).
+  - Maps v2's `amount` to v1's `maxAmountRequired` internally, so the
+    same signing code handles both.
+  - Echoes the challenge's `x402Version` back in the outgoing envelope
+    so servers that key off it (Venice's facilitator does) accept the
+    response. v1 challenges still get v1 back; v2 challenges get v2.
+  This unblocks paid access to the entire ~4,500-entry federated
+  catalog, which is overwhelmingly v2.
+## [1.2.1] - 2026-05-11
+### Fixed
+* **"Server disconnected" on startup under Claude Desktop's bundled Node.**
+  1.2.0 imported `@solana/kit` (and `@solana-program/*`) at the top of the
+  payment-signer module. Those packages declare `engines.node: ">=20.18.0"`
+  and use Node-20-only WebCrypto Ed25519 APIs at load time. Claude Desktop
+  ships a bundled Node that on many installs is still 18.x, so the import
+  threw before the MCP server could answer the initialize handshake — the
+  process exited and Claude Desktop reported only "Server disconnected"
+  with no further diagnostics. All Solana and EVM crypto deps are now
+  loaded lazily inside the signer functions. The server boots on any Node
+  that supports MCP; only a `solana:*` payment attempt fails on too-old
+  Node, and now with a clear actionable error.
 ## [1.2.0] - 2026-05-11
 This release makes x402 payments actually work end-to-end. Prior versions

package/dist/index.js CHANGED Viewed

@@ -3,7 +3,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
 import { signX402Payment } from "./x402-signers.js";
-const SERVER_VERSION = "1.2.0";
+const SERVER_VERSION = "1.2.2";
 // ── Env loading: trim and sanitize aggressively ─────────────────────────────
 // Copy-paste from Claude Desktop / Cursor / Windsurf JSON config UIs frequently
 // adds trailing \n, \r, NBSP, BOM, or wraps the value in literal quotes. Any

package/dist/x402-signers.d.ts CHANGED Viewed

@@ -25,8 +25,8 @@ export interface X402PaymentEnvelope {
 }
 export declare function isSvmNetwork(network: string): boolean;
 export declare function isEvmNetwork(network: string): boolean;
-export declare function signX402PaymentSvm(requirements: X402PaymentRequirements, rawKey: string, rpcUrlOverride?: string): Promise<string>;
-export declare function signX402PaymentEvm(requirements: X402PaymentRequirements, rawKey: string): Promise<string>;
+export declare function signX402PaymentSvm(requirements: X402PaymentRequirements, rawKey: string, rpcUrlOverride?: string, echoedVersion?: number): Promise<string>;
+export declare function signX402PaymentEvm(requirements: X402PaymentRequirements, rawKey: string, echoedVersion?: number): Promise<string>;
 export interface SignX402Args {
     paymentRequiredHeader: string;
     solanaKey?: string;

package/dist/x402-signers.js CHANGED Viewed

@@ -17,12 +17,50 @@
 // In both cases the outer envelope is
 //   { x402Version: 1, scheme: "exact", network, payload: <scheme payload> }
 // base64-encoded into the `X-Payment` HTTP header.
-import { address, createKeyPairSignerFromBytes, createSolanaRpc, createTransactionMessage, setTransactionMessageFeePayer, setTransactionMessageLifetimeUsingBlockhash, appendTransactionMessageInstructions, partiallySignTransactionMessageWithSigners, getBase64EncodedWireTransaction, pipe, } from "@solana/kit";
-import { getTransferCheckedInstruction, findAssociatedTokenPda, TOKEN_PROGRAM_ADDRESS, } from "@solana-program/token";
-import { getSetComputeUnitLimitInstruction, getSetComputeUnitPriceInstruction, } from "@solana-program/compute-budget";
-import { privateKeyToAccount } from "viem/accounts";
-import bs58 from "bs58";
-import nacl from "tweetnacl";
+async function loadSvmDeps() {
+    const [kit, tokenProgram, computeBudgetProgram, bs58Mod, naclMod] = await Promise.all([
+        import("@solana/kit"),
+        import("@solana-program/token"),
+        import("@solana-program/compute-budget"),
+        import("bs58"),
+        import("tweetnacl"),
+    ]).catch((err) => {
+        const msg = err instanceof Error ? err.message : String(err);
+        throw new Error(`Could not load Solana signing libraries: ${msg}. ` +
+            `Solana x402 payments require Node 20.18 or newer (Claude Desktop's bundled Node may be older). ` +
+            `Upgrade Node, or run mpp32-mcp-server under a system Node 20+ via your MCP config's "command".`);
+    });
+    return {
+        address: kit.address,
+        createKeyPairSignerFromBytes: kit.createKeyPairSignerFromBytes,
+        createSolanaRpc: kit.createSolanaRpc,
+        createTransactionMessage: kit.createTransactionMessage,
+        setTransactionMessageFeePayer: kit.setTransactionMessageFeePayer,
+        setTransactionMessageLifetimeUsingBlockhash: kit.setTransactionMessageLifetimeUsingBlockhash,
+        appendTransactionMessageInstructions: kit.appendTransactionMessageInstructions,
+        partiallySignTransactionMessageWithSigners: kit.partiallySignTransactionMessageWithSigners,
+        getBase64EncodedWireTransaction: kit.getBase64EncodedWireTransaction,
+        pipe: kit.pipe,
+        getTransferCheckedInstruction: tokenProgram.getTransferCheckedInstruction,
+        findAssociatedTokenPda: tokenProgram.findAssociatedTokenPda,
+        TOKEN_PROGRAM_ADDRESS: tokenProgram.TOKEN_PROGRAM_ADDRESS,
+        getSetComputeUnitLimitInstruction: computeBudgetProgram.getSetComputeUnitLimitInstruction,
+        getSetComputeUnitPriceInstruction: computeBudgetProgram.getSetComputeUnitPriceInstruction,
+        bs58: bs58Mod.default ?? bs58Mod,
+        nacl: naclMod.default ?? naclMod,
+    };
+}
+async function loadEvmDeps() {
+    try {
+        const viemAccounts = await import("viem/accounts");
+        return { privateKeyToAccount: viemAccounts.privateKeyToAccount };
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        throw new Error(`Could not load EVM signing libraries: ${msg}. ` +
+            `Base / Ethereum x402 payments require Node 18 or newer. Upgrade Node and retry.`);
+    }
+}
 // ── Network classification ──────────────────────────────────────────────────
 const SOLANA_MAINNET = "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp";
 const SOLANA_DEVNET = "solana:EtWTRABZaYq6iMfeYKouRu166VU2xqa1";
@@ -46,8 +84,7 @@ function chainSpecFor(network) {
     }
     throw new Error(`Unsupported EVM network "${network}". x402 EVM payments currently support: base, base-sepolia, ethereum.`);
 }
-// ── Key decoding ────────────────────────────────────────────────────────────
-function decodeSolanaSecret(raw) {
+function decodeSolanaSecret(raw, deps) {
     if (raw.startsWith("[")) {
         const arr = JSON.parse(raw);
         if (!Array.isArray(arr))
@@ -57,24 +94,24 @@ function decodeSolanaSecret(raw) {
     if (/^[0-9a-fA-F]+$/.test(raw) && raw.length % 2 === 0) {
         return new Uint8Array(Buffer.from(raw, "hex"));
     }
-    return bs58.decode(raw);
+    return deps.bs58.decode(raw);
 }
-async function buildSolanaSigner(rawKey) {
-    let bytes = decodeSolanaSecret(rawKey);
+async function buildSolanaSigner(rawKey, deps) {
+    let bytes = decodeSolanaSecret(rawKey, deps);
     if (bytes.length === 32) {
         // 32-byte seed — kit's createKeyPairSignerFromBytes wants the 64-byte
         // expanded key. Derive via tweetnacl.
-        const kp = nacl.sign.keyPair.fromSeed(bytes);
+        const kp = deps.nacl.sign.keyPair.fromSeed(bytes);
         bytes = kp.secretKey;
     }
     else if (bytes.length !== 64) {
         throw new Error(`Solana private key must be a 32-byte seed or a 64-byte expanded key; got ${bytes.length} bytes.`);
     }
-    return await createKeyPairSignerFromBytes(bytes);
+    return await deps.createKeyPairSignerFromBytes(bytes);
 }
 // ── SVM signer ──────────────────────────────────────────────────────────────
 const DEFAULT_SOLANA_RPC = "https://api.mainnet-beta.solana.com";
-export async function signX402PaymentSvm(requirements, rawKey, rpcUrlOverride) {
+export async function signX402PaymentSvm(requirements, rawKey, rpcUrlOverride, echoedVersion = 1) {
     if (requirements.scheme !== "exact") {
         throw new Error(`SVM x402 scheme "${requirements.scheme}" not implemented; only "exact" is supported.`);
     }
@@ -86,33 +123,34 @@ export async function signX402PaymentSvm(requirements, rawKey, rpcUrlOverride) {
     const amount = BigInt(requirements.maxAmountRequired);
     if (amount <= 0n)
         throw new Error(`Invalid maxAmountRequired: ${requirements.maxAmountRequired}`);
-    const signer = await buildSolanaSigner(rawKey);
+    const deps = await loadSvmDeps();
+    const signer = await buildSolanaSigner(rawKey, deps);
     const payerAddress = signer.address;
-    const mintAddress = address(requirements.asset);
-    const recipientAddress = address(requirements.payTo);
-    const feePayerAddress = address(requirements.extra.feePayer);
+    const mintAddress = deps.address(requirements.asset);
+    const recipientAddress = deps.address(requirements.payTo);
+    const feePayerAddress = deps.address(requirements.extra.feePayer);
     // Derive both sides' associated token accounts (classic SPL Token program).
     const [sourceAtaTuple, destinationAtaTuple] = await Promise.all([
-        findAssociatedTokenPda({
+        deps.findAssociatedTokenPda({
             owner: payerAddress,
             mint: mintAddress,
-            tokenProgram: TOKEN_PROGRAM_ADDRESS,
+            tokenProgram: deps.TOKEN_PROGRAM_ADDRESS,
         }),
-        findAssociatedTokenPda({
+        deps.findAssociatedTokenPda({
             owner: recipientAddress,
             mint: mintAddress,
-            tokenProgram: TOKEN_PROGRAM_ADDRESS,
+            tokenProgram: deps.TOKEN_PROGRAM_ADDRESS,
         }),
     ]);
     const sourceAta = sourceAtaTuple[0];
     const destinationAta = destinationAtaTuple[0];
     const rpcUrl = rpcUrlOverride && rpcUrlOverride.length > 0 ? rpcUrlOverride : DEFAULT_SOLANA_RPC;
-    const rpc = createSolanaRpc(rpcUrl);
+    const rpc = deps.createSolanaRpc(rpcUrl);
     const { value: latestBlockhash } = await rpc.getLatestBlockhash({ commitment: "confirmed" }).send();
     const instructions = [
-        getSetComputeUnitLimitInstruction({ units: 150_000 }),
-        getSetComputeUnitPriceInstruction({ microLamports: 1000n }),
-        getTransferCheckedInstruction({
+        deps.getSetComputeUnitLimitInstruction({ units: 150_000 }),
+        deps.getSetComputeUnitPriceInstruction({ microLamports: 1000n }),
+        deps.getTransferCheckedInstruction({
             source: sourceAta,
             mint: mintAddress,
             destination: destinationAta,
@@ -121,13 +159,13 @@ export async function signX402PaymentSvm(requirements, rawKey, rpcUrlOverride) {
             decimals,
         }),
     ];
-    const message = pipe(createTransactionMessage({ version: 0 }), (m) => setTransactionMessageFeePayer(feePayerAddress, m), (m) => setTransactionMessageLifetimeUsingBlockhash(latestBlockhash, m), (m) => appendTransactionMessageInstructions(instructions, m));
+    const message = deps.pipe(deps.createTransactionMessage({ version: 0 }), (m) => deps.setTransactionMessageFeePayer(feePayerAddress, m), (m) => deps.setTransactionMessageLifetimeUsingBlockhash(latestBlockhash, m), (m) => deps.appendTransactionMessageInstructions(instructions, m));
     // Partially sign — fills the payer's signature slot, leaves the fee payer's
     // slot empty for the facilitator to fill in at /settle time.
-    const partiallySigned = await partiallySignTransactionMessageWithSigners(message);
-    const base64Tx = getBase64EncodedWireTransaction(partiallySigned);
+    const partiallySigned = await deps.partiallySignTransactionMessageWithSigners(message);
+    const base64Tx = deps.getBase64EncodedWireTransaction(partiallySigned);
     const envelope = {
-        x402Version: 1,
+        x402Version: echoedVersion,
         scheme: "exact",
         network: requirements.network,
         payload: { transaction: base64Tx },
@@ -141,7 +179,7 @@ function randomHex32() {
         buf[i] = Math.floor(Math.random() * 256);
     return ("0x" + buf.toString("hex"));
 }
-export async function signX402PaymentEvm(requirements, rawKey) {
+export async function signX402PaymentEvm(requirements, rawKey, echoedVersion = 1) {
     if (requirements.scheme !== "exact") {
         throw new Error(`EVM x402 scheme "${requirements.scheme}" not implemented; only "exact" is supported.`);
     }
@@ -163,6 +201,7 @@ export async function signX402PaymentEvm(requirements, rawKey) {
     if (!/^0x[0-9a-fA-F]{64}$/.test(keyHex)) {
         throw new Error("MPP32_PRIVATE_KEY must be a 64-character hex EVM private key (0x-prefixed or bare).");
     }
+    const { privateKeyToAccount } = await loadEvmDeps();
     const account = privateKeyToAccount(keyHex);
     const now = Math.floor(Date.now() / 1000);
     const validAfter = BigInt(0);
@@ -199,7 +238,7 @@ export async function signX402PaymentEvm(requirements, rawKey) {
         message: messageObj,
     });
     const envelope = {
-        x402Version: 1,
+        x402Version: echoedVersion,
         scheme: "exact",
         network: requirements.network,
         payload: {
@@ -216,29 +255,93 @@ export async function signX402PaymentEvm(requirements, rawKey) {
     };
     return Buffer.from(JSON.stringify(envelope)).toString("base64");
 }
+function isV2Challenge(decoded) {
+    return (!!decoded &&
+        typeof decoded === "object" &&
+        Array.isArray(decoded.accepts));
+}
+// Normalize a v2 `accepts[i]` to our internal requirements shape. v2 uses
+// `amount`, v1 uses `maxAmountRequired` — we map both into the same field so
+// the downstream signers don't have to know which version produced the input.
+function normalizeRequirements(raw) {
+    const amount = raw.maxAmountRequired ?? raw.amount ?? "";
+    return {
+        scheme: String(raw.scheme ?? "exact"),
+        network: String(raw.network ?? ""),
+        maxAmountRequired: amount,
+        resource: String(raw.resource ?? ""),
+        description: raw.description,
+        mimeType: raw.mimeType,
+        payTo: String(raw.payTo ?? ""),
+        maxTimeoutSeconds: raw.maxTimeoutSeconds,
+        asset: String(raw.asset ?? ""),
+        outputSchema: raw.outputSchema,
+        extra: raw.extra,
+    };
+}
+// Pick the first entry in `accepts` we can actually sign. Preference order:
+//   1. EVM entries when an EVM key is available (Base is the dominant chain).
+//   2. SVM entries when a Solana key is available.
+// If no entry matches the keys we hold, fall back to the first entry and let
+// the per-network signer throw a precise "you need MPP32_X_PRIVATE_KEY" error.
+function pickRequirements(accepts, haveSvm, haveEvm) {
+    if (accepts.length === 0) {
+        throw new Error("x402 v2 challenge has empty `accepts` array — nothing to pay.");
+    }
+    if (haveEvm) {
+        const evm = accepts.find((a) => isEvmNetwork(a.network));
+        if (evm)
+            return evm;
+    }
+    if (haveSvm) {
+        const svm = accepts.find((a) => isSvmNetwork(a.network));
+        if (svm)
+            return svm;
+    }
+    return accepts[0];
+}
 export async function signX402Payment(args) {
-    let requirements;
+    let decoded;
     try {
         const json = Buffer.from(args.paymentRequiredHeader, "base64").toString("utf-8");
-        requirements = JSON.parse(json);
+        decoded = JSON.parse(json);
     }
     catch (err) {
         throw new Error(`Could not decode Payment-Required header as base64 JSON: ${err instanceof Error ? err.message : String(err)}`);
     }
+    // Resolve v1 vs v2. v2's `x402Version` field tells the server which envelope
+    // shape to expect back — we mirror whichever the challenge used.
+    let requirements;
+    let echoedVersion;
+    if (isV2Challenge(decoded)) {
+        const accepts = decoded.accepts
+            .filter((a) => !!a && typeof a === "object")
+            .map(normalizeRequirements);
+        requirements = pickRequirements(accepts, !!args.solanaKey, !!args.evmKey);
+        echoedVersion = decoded.x402Version || 2;
+    }
+    else if (decoded && typeof decoded === "object") {
+        requirements = normalizeRequirements(decoded);
+        echoedVersion = decoded.x402Version || 1;
+    }
+    else {
+        throw new Error("Decoded Payment-Required is not a JSON object.");
+    }
     if (!requirements.network)
         throw new Error("x402 payment requirements missing 'network'");
     if (!requirements.asset)
         throw new Error("x402 payment requirements missing 'asset'");
     if (!requirements.payTo)
         throw new Error("x402 payment requirements missing 'payTo'");
-    if (!requirements.maxAmountRequired)
-        throw new Error("x402 payment requirements missing 'maxAmountRequired'");
+    if (!requirements.maxAmountRequired) {
+        throw new Error("x402 payment requirements missing 'maxAmountRequired'/'amount'");
+    }
     if (isSvmNetwork(requirements.network)) {
         if (!args.solanaKey) {
             throw new Error(`Provider requires SVM payment on ${requirements.network}, but MPP32_SOLANA_PRIVATE_KEY is not configured. ` +
                 `Set it in your MCP config to enable USDC-on-Solana payments.`);
         }
-        const header = await signX402PaymentSvm(requirements, args.solanaKey, args.solanaRpcUrl);
+        const header = await signX402PaymentSvm(requirements, args.solanaKey, args.solanaRpcUrl, echoedVersion);
         return {
             xPaymentHeader: header,
             network: requirements.network,
@@ -251,7 +354,7 @@ export async function signX402Payment(args) {
             throw new Error(`Provider requires EVM payment on ${requirements.network}, but MPP32_PRIVATE_KEY is not configured. ` +
                 `Set it in your MCP config to enable USDC-on-Base payments.`);
         }
-        const header = await signX402PaymentEvm(requirements, args.evmKey);
+        const header = await signX402PaymentEvm(requirements, args.evmKey, echoedVersion);
         return {
             xPaymentHeader: header,
             network: requirements.network,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "mpp32-mcp-server",
-  "version": "1.2.0",
+  "version": "1.2.2",
   "mcpName": "io.github.MPP32/mpp32-mcp-server",
   "description": "Payment layer for AI agents. One MCP, five protocols, thousands of paid APIs your agent can call.",
   "type": "module",