mpp32-mcp-server 1.2.1 → 1.2.2

package/CHANGELOG.md

@@ -4,6 +4,31 @@ All notable changes to `mpp32-mcp-server` are documented here. The format
 follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and the
 project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.2.2] - 2026-05-11
+
+### Fixed
+
+* **x402 v2 envelope (the whole third-party catalog).** Every third-party
+  x402 provider we tested — Venice (`api.venice.ai`), Exa (`api.exa.ai`),
+  Firecrawl, OpenAI's x402 gateway, etc. — ships the **v2** challenge
+  shape: `{x402Version: 2, accepts: [{scheme, network, asset, payTo,
+  amount, ...}, ...]}`. 1.2.0 and 1.2.1 only understood **v1**
+  (`{scheme, network, asset, payTo, maxAmountRequired, ...}` at the top
+  level), so every third-party call failed with "missing network field"
+  before we ever signed anything. The signer now:
+  - Detects v1 vs v2 by the presence of `accepts: [...]`.
+  - Picks the first `accepts[]` entry it can pay (prefers EVM when
+    `MPP32_PRIVATE_KEY` is set, falls back to SVM when only the Solana
+    key is set, falls back to the first entry so the per-network error
+    surfaces precisely).
+  - Maps v2's `amount` to v1's `maxAmountRequired` internally, so the
+    same signing code handles both.
+  - Echoes the challenge's `x402Version` back in the outgoing envelope
+    so servers that key off it (Venice's facilitator does) accept the
+    response. v1 challenges still get v1 back; v2 challenges get v2.
+  This unblocks paid access to the entire ~4,500-entry federated
+  catalog, which is overwhelmingly v2.
+
 ## [1.2.1] - 2026-05-11
 
 ### Fixed

package/dist/index.js

@@ -3,7 +3,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
 import { signX402Payment } from "./x402-signers.js";
-const SERVER_VERSION = "1.2.1";
+const SERVER_VERSION = "1.2.2";
 // ── Env loading: trim and sanitize aggressively ─────────────────────────────
 // Copy-paste from Claude Desktop / Cursor / Windsurf JSON config UIs frequently
 // adds trailing \n, \r, NBSP, BOM, or wraps the value in literal quotes. Any

package/dist/x402-signers.d.ts

@@ -25,8 +25,8 @@ export interface X402PaymentEnvelope {
 }
 export declare function isSvmNetwork(network: string): boolean;
 export declare function isEvmNetwork(network: string): boolean;
-export declare function signX402PaymentSvm(requirements: X402PaymentRequirements, rawKey: string, rpcUrlOverride?: string): Promise<string>;
-export declare function signX402PaymentEvm(requirements: X402PaymentRequirements, rawKey: string): Promise<string>;
+export declare function signX402PaymentSvm(requirements: X402PaymentRequirements, rawKey: string, rpcUrlOverride?: string, echoedVersion?: number): Promise<string>;
+export declare function signX402PaymentEvm(requirements: X402PaymentRequirements, rawKey: string, echoedVersion?: number): Promise<string>;
 export interface SignX402Args {
     paymentRequiredHeader: string;
     solanaKey?: string;

package/dist/x402-signers.js

@@ -111,7 +111,7 @@ async function buildSolanaSigner(rawKey, deps) {
 }
 // ── SVM signer ──────────────────────────────────────────────────────────────
 const DEFAULT_SOLANA_RPC = "https://api.mainnet-beta.solana.com";
-export async function signX402PaymentSvm(requirements, rawKey, rpcUrlOverride) {
+export async function signX402PaymentSvm(requirements, rawKey, rpcUrlOverride, echoedVersion = 1) {
     if (requirements.scheme !== "exact") {
         throw new Error(`SVM x402 scheme "${requirements.scheme}" not implemented; only "exact" is supported.`);
     }
@@ -165,7 +165,7 @@ export async function signX402PaymentSvm(requirements, rawKey, rpcUrlOverride) {
     const partiallySigned = await deps.partiallySignTransactionMessageWithSigners(message);
     const base64Tx = deps.getBase64EncodedWireTransaction(partiallySigned);
     const envelope = {
-        x402Version: 1,
+        x402Version: echoedVersion,
         scheme: "exact",
         network: requirements.network,
         payload: { transaction: base64Tx },
@@ -179,7 +179,7 @@ function randomHex32() {
         buf[i] = Math.floor(Math.random() * 256);
     return ("0x" + buf.toString("hex"));
 }
-export async function signX402PaymentEvm(requirements, rawKey) {
+export async function signX402PaymentEvm(requirements, rawKey, echoedVersion = 1) {
     if (requirements.scheme !== "exact") {
         throw new Error(`EVM x402 scheme "${requirements.scheme}" not implemented; only "exact" is supported.`);
     }
@@ -238,7 +238,7 @@ export async function signX402PaymentEvm(requirements, rawKey) {
         message: messageObj,
     });
     const envelope = {
-        x402Version: 1,
+        x402Version: echoedVersion,
         scheme: "exact",
         network: requirements.network,
         payload: {
@@ -255,29 +255,93 @@ export async function signX402PaymentEvm(requirements, rawKey) {
     };
     return Buffer.from(JSON.stringify(envelope)).toString("base64");
 }
+function isV2Challenge(decoded) {
+    return (!!decoded &&
+        typeof decoded === "object" &&
+        Array.isArray(decoded.accepts));
+}
+// Normalize a v2 `accepts[i]` to our internal requirements shape. v2 uses
+// `amount`, v1 uses `maxAmountRequired` — we map both into the same field so
+// the downstream signers don't have to know which version produced the input.
+function normalizeRequirements(raw) {
+    const amount = raw.maxAmountRequired ?? raw.amount ?? "";
+    return {
+        scheme: String(raw.scheme ?? "exact"),
+        network: String(raw.network ?? ""),
+        maxAmountRequired: amount,
+        resource: String(raw.resource ?? ""),
+        description: raw.description,
+        mimeType: raw.mimeType,
+        payTo: String(raw.payTo ?? ""),
+        maxTimeoutSeconds: raw.maxTimeoutSeconds,
+        asset: String(raw.asset ?? ""),
+        outputSchema: raw.outputSchema,
+        extra: raw.extra,
+    };
+}
+// Pick the first entry in `accepts` we can actually sign. Preference order:
+//   1. EVM entries when an EVM key is available (Base is the dominant chain).
+//   2. SVM entries when a Solana key is available.
+// If no entry matches the keys we hold, fall back to the first entry and let
+// the per-network signer throw a precise "you need MPP32_X_PRIVATE_KEY" error.
+function pickRequirements(accepts, haveSvm, haveEvm) {
+    if (accepts.length === 0) {
+        throw new Error("x402 v2 challenge has empty `accepts` array — nothing to pay.");
+    }
+    if (haveEvm) {
+        const evm = accepts.find((a) => isEvmNetwork(a.network));
+        if (evm)
+            return evm;
+    }
+    if (haveSvm) {
+        const svm = accepts.find((a) => isSvmNetwork(a.network));
+        if (svm)
+            return svm;
+    }
+    return accepts[0];
+}
 export async function signX402Payment(args) {
-    let requirements;
+    let decoded;
     try {
         const json = Buffer.from(args.paymentRequiredHeader, "base64").toString("utf-8");
-        requirements = JSON.parse(json);
+        decoded = JSON.parse(json);
     }
     catch (err) {
         throw new Error(`Could not decode Payment-Required header as base64 JSON: ${err instanceof Error ? err.message : String(err)}`);
     }
+    // Resolve v1 vs v2. v2's `x402Version` field tells the server which envelope
+    // shape to expect back — we mirror whichever the challenge used.
+    let requirements;
+    let echoedVersion;
+    if (isV2Challenge(decoded)) {
+        const accepts = decoded.accepts
+            .filter((a) => !!a && typeof a === "object")
+            .map(normalizeRequirements);
+        requirements = pickRequirements(accepts, !!args.solanaKey, !!args.evmKey);
+        echoedVersion = decoded.x402Version || 2;
+    }
+    else if (decoded && typeof decoded === "object") {
+        requirements = normalizeRequirements(decoded);
+        echoedVersion = decoded.x402Version || 1;
+    }
+    else {
+        throw new Error("Decoded Payment-Required is not a JSON object.");
+    }
     if (!requirements.network)
         throw new Error("x402 payment requirements missing 'network'");
     if (!requirements.asset)
         throw new Error("x402 payment requirements missing 'asset'");
     if (!requirements.payTo)
         throw new Error("x402 payment requirements missing 'payTo'");
-    if (!requirements.maxAmountRequired)
-        throw new Error("x402 payment requirements missing 'maxAmountRequired'");
+    if (!requirements.maxAmountRequired) {
+        throw new Error("x402 payment requirements missing 'maxAmountRequired'/'amount'");
+    }
     if (isSvmNetwork(requirements.network)) {
         if (!args.solanaKey) {
             throw new Error(`Provider requires SVM payment on ${requirements.network}, but MPP32_SOLANA_PRIVATE_KEY is not configured. ` +
                 `Set it in your MCP config to enable USDC-on-Solana payments.`);
         }
-        const header = await signX402PaymentSvm(requirements, args.solanaKey, args.solanaRpcUrl);
+        const header = await signX402PaymentSvm(requirements, args.solanaKey, args.solanaRpcUrl, echoedVersion);
         return {
             xPaymentHeader: header,
             network: requirements.network,
@@ -290,7 +354,7 @@ export async function signX402Payment(args) {
             throw new Error(`Provider requires EVM payment on ${requirements.network}, but MPP32_PRIVATE_KEY is not configured. ` +
                 `Set it in your MCP config to enable USDC-on-Base payments.`);
         }
-        const header = await signX402PaymentEvm(requirements, args.evmKey);
+        const header = await signX402PaymentEvm(requirements, args.evmKey, echoedVersion);
         return {
             xPaymentHeader: header,
             network: requirements.network,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mpp32-mcp-server",
-  "version": "1.2.1",
+  "version": "1.2.2",
   "mcpName": "io.github.MPP32/mpp32-mcp-server",
   "description": "Payment layer for AI agents. One MCP, five protocols, thousands of paid APIs your agent can call.",
   "type": "module",