mpp32-mcp-server 1.2.2 → 1.2.4

package/CHANGELOG.md

@@ -4,6 +4,59 @@ All notable changes to `mpp32-mcp-server` are documented here. The format
 follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and the
 project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.2.4] - 2026-05-11
+
+### Fixed
+
+* **Self-payment now fails fast with a useful error.** When the wallet
+  derived from `MPP32_SOLANA_PRIVATE_KEY` (or `MPP32_PRIVATE_KEY`) is the
+  same address as a challenge's `payTo`, the signer used to construct the
+  transaction anyway and the facilitator surfaced an opaque "transaction
+  failed simulation" error a few seconds later. Both the SVM and EVM
+  signers now detect this case before signing and return:
+  `Refusing to sign an x402 payment to yourself: the wallet derived from
+  MPP32_SOLANA_PRIVATE_KEY (<addr>) is also the payment recipient (payTo)
+  for this service.` This happens most often when an operator uses their
+  own receiving wallet to test a paid endpoint they themselves run.
+
+## [1.2.3] - 2026-05-11
+
+### Fixed
+
+* **Solana-only users were being pushed to EVM and failing.** When a third-
+  party x402 v2 challenge advertised both an EVM and an SVM entry in
+  `accepts[]`, 1.2.2's `pickRequirements` preferred EVM unconditionally —
+  so a user who had only set `MPP32_SOLANA_PRIVATE_KEY` got a "no EVM key
+  set" error instead of a successful Solana payment. The picker now:
+  - Honors `MPP32_PREFERRED_NETWORK` if set (accepts `solana`, `base`,
+    `evm`, `ethereum`, or a full CAIP-2 like `solana:5eykt...`).
+  - Otherwise, if only one key is configured, prefers that network.
+  - Otherwise, when both keys are configured, prefers EVM (Base settles
+    faster and is the dominant chain across providers).
+  - Otherwise falls back to the first `accepts[]` entry so the per-network
+    signer can surface a precise "you need MPP32_X_PRIVATE_KEY" error.
+
+### Added
+
+* **`MPP32_PREFERRED_NETWORK` env var.** Explicit override for the network
+  picker. Useful when both keys are configured but the user wants every
+  payment to go through one specific chain.
+* **`debug_mpp32` tool (alias of `get_mpp32_diagnostics`).** Several
+  external docs and skills already reference this name; the alias keeps
+  them working without a documentation churn.
+
+### Changed
+
+* **`get_mpp32_diagnostics` now probes the API live.** In addition to
+  reporting which env vars the process loaded, it issues a 5-second
+  `GET /api/agent/protocols` against the configured `MPP32_API_URL` and
+  reports `OK / Reachable but {status} / UNREACHABLE: {reason}`. Adds a
+  single `Ready to pay end-to-end: YES/NO` line so users do not need to
+  cross-reference three separate fields to know whether payments will
+  work. Windows-specific guidance (no surrounding quotes inside the JSON
+  string) is now called out explicitly — this tripped multiple users in
+  1.2.1/1.2.2.
+
 ## [1.2.2] - 2026-05-11
 
 ### Fixed

package/README.md

@@ -9,7 +9,18 @@
   </p>
 </p>
 
-One install. Five payment rails. Thousands of paid APIs your agent can reach without you setting up a single account.
+One install. Pay any x402 endpoint on Solana from your agent. Browse a federated index of thousands of machine payable APIs without setting up a single provider account.
+
+## What works today
+
+| Rail | Status | Network | Asset |
+|:-----|:-------|:--------|:------|
+| x402 | Production | Solana (mainnet) | USDC |
+| x402 | Production | Base | USDC |
+| Tempo | Envelope wired, gated off in production until the client flow is verified end to end | Ethereum L2 | pathUSD |
+| ACP / AP2 / AGTP | Envelopes wired, gated off in production | Multi chain | per protocol |
+
+The MCP server ships signers for both Solana and Base out of the box. When a paid call returns a 402, the server picks the network that matches the key you configured and settles the payment in one round trip.
 
 ## Why this beats running your own integrations
 
@@ -25,22 +36,10 @@ MPP32 replaces all of that with one MCP server. Your agent asks for a service by
 * Track every call, every dollar settled, and every protocol used from a dashboard at mpp32.org.
 * Get an automatic 20 percent or 40 percent discount on native services for holding M32 once your wallet is verified.
 
-## Payment rails it speaks natively
-
-| Rail | Settles in | Network |
-|:-----|:-----------|:--------|
-| x402 | USDC | Solana |
-| Tempo | pathUSD | Ethereum L2 |
-| ACP | Checkout session | Multi chain |
-| AP2 | W3C verifiable credentials | Chain agnostic |
-| AGTP | HMAC signed agent certificates | Chain agnostic |
-
-Every native endpoint accepts all five. The server picks whichever your wallet is funded for and falls back gracefully if the first attempt fails.
-
 ## Install
 
 ```bash
-npx mpp32-mcp-server
+npx -y mpp32-mcp-server@latest
 ```
 
 ### Claude Desktop, Claude Code, Cursor, Windsurf
@@ -52,30 +51,56 @@ Drop this into the MCP servers section of your client config.
   "mcpServers": {
     "mpp32": {
       "command": "npx",
-      "args": ["mpp32-mcp-server"],
+      "args": ["-y", "mpp32-mcp-server@latest"],
       "env": {
         "MPP32_AGENT_KEY": "mpp32_agent_…",
-        "MPP32_SOLANA_PRIVATE_KEY": "your_solana_private_key_for_usdc"
+        "MPP32_SOLANA_PRIVATE_KEY": "<your base58 Solana secret key>"
       }
     }
   }
 }
 ```
 
-Get an `MPP32_AGENT_KEY` at [mpp32.org/agent-console](https://mpp32.org/agent-console). No signup, no email, just a session form. With an agent key every call is attributed to your dashboard so you can see spend, success rate, and protocol breakdown. Without it the server still works but you only see native services and the calls stay anonymous.
+Config file locations:
+
+* **Claude Desktop (macOS):** `~/Library/Application Support/Claude/claude_desktop_config.json`
+* **Claude Desktop (Windows):** `%APPDATA%\Claude\claude_desktop_config.json`
+* **Cursor:** `~/.cursor/mcp.json`
+* **Windsurf:** `~/.codeium/windsurf/mcp_config.json`
+
+Fully quit and reopen the client after editing. The MCP child process inherits env vars from this file at launch.
+
+Get an `MPP32_AGENT_KEY` at [mpp32.org/agent-console](https://mpp32.org/agent-console). No signup, no email, just click **Create Agent Session** and the form returns a key plus this exact config snippet ready to copy. With an agent key every call is attributed to your dashboard so you can see spend, success rate, and protocol breakdown. Without it the server still works but you only see native services and the calls stay anonymous.
+
+`MPP32_SOLANA_PRIVATE_KEY` is only needed for paid services. Free services in the catalog work without any payment key.
+
+### What format does `MPP32_SOLANA_PRIVATE_KEY` take?
+
+A base58 encoded 64 byte Solana secret key. The same string that Phantom shows under **export private key** (not the seed phrase). If you have a `keypair.json` (the 64 byte array Solana CLI uses), convert it once with:
+
+```bash
+node -e "console.log(require('bs58').encode(Buffer.from(JSON.parse(require('fs').readFileSync('keypair.json')))))"
+```
+
+Then paste the resulting string into the env block. Treat it like a password. It can spend any USDC and SOL in the wallet.
+
+### Fund the wallet with both USDC and SOL
+
+x402 settles the payment in USDC, but Solana itself charges a tiny native SOL fee on every transaction. A USDC only wallet will fail with `insufficient funds for rent` even though the USDC balance is plentiful. About `0.001 SOL` covers many calls.
 
-`MPP32_SOLANA_PRIVATE_KEY` and `MPP32_PRIVATE_KEY` are only needed for paid services. Free services in the catalog work without any key.
+Tip: call the `get_mpp32_diagnostics` tool from inside Claude. It probes the API, reports which env vars actually reached the MCP process, and prints `Ready to pay: YES` once everything is wired.
 
 ## Configuration
 
 | Variable | When you need it | What it does |
 |:---------|:-----------------|:-------------|
 | `MPP32_AGENT_KEY` | Recommended | Session key from mpp32.org/agent-console. Unlocks the full federated catalog and dashboard tracking. Also accepted as `MPP32_API_KEY`. |
-| `MPP32_SOLANA_PRIVATE_KEY` | Paid x402 calls | Solana key used to sign USDC payments locally. |
-| `MPP32_PRIVATE_KEY` | Paid Tempo calls | EVM key used to sign pathUSD payments locally on Ethereum L2. |
+| `MPP32_SOLANA_PRIVATE_KEY` | Paid x402 calls on Solana | Base58 encoded Solana secret key. Used to sign USDC payments locally. Never leaves your machine. |
+| `MPP32_PRIVATE_KEY` | Paid x402 calls on Base | 0x prefixed EVM private key. Used to sign USDC payments on Base when a provider only accepts EVM. |
+| `MPP32_PREFERRED_NETWORK` | Optional override | When both keys are configured and the challenge advertises multiple networks, force one. Accepts `solana`, `base`, `evm`, or a full CAIP-2 string. |
 | `MPP32_API_URL` | Custom deployments | Override the API base URL. Defaults to `https://mpp32.org`. |
 
-Private keys stay on your machine. They sign payments locally and never travel to MPP32 servers. Provide one or both for paid calls. If both are present, x402 is tried first and Tempo is used as a fallback.
+Private keys stay on your machine. They sign payments locally and never travel to MPP32 servers. Provide either or both for paid calls. If both are present and a challenge advertises both networks, EVM is preferred unless `MPP32_PREFERRED_NETWORK` is set; if only one key is configured, that network wins automatically.
 
 ## Tools your agent will see
 
@@ -111,15 +136,19 @@ Under the hood:
 
 No payment logic in your code. No per provider keys to juggle.
 
+### `get_mpp32_diagnostics`
+
+Reports the MCP server version, which env vars actually reached the child process, the API URL it will hit, and a live API reachability probe. Prints `Ready to pay: YES` only when an agent key plus at least one signing key are detected and the API is reachable. Call this first if anything misbehaves. Also available as `debug_mpp32`.
+
 ### `get_solana_token_intelligence`
 
-Real time analysis of any Solana token. Pulls live data from DexScreener, Jupiter, and CoinGecko and merges it into one report. Returns an alpha score from 0 to 100, rug risk, whale activity, smart money signals, 24 hour pump probability, projected ROI ranges, and full market data. Costs $0.008 per call, paid automatically through x402 or Tempo when a key is set.
+Real time analysis of any Solana token. Pulls live data from DexScreener, Jupiter, and CoinGecko and merges it into one report. Returns an alpha score from 0 to 100, rug risk, whale activity, smart money signals, 24 hour pump probability, projected ROI ranges, and full market data. Costs $0.008 per call, paid automatically through x402 when a Solana key is set.
 
 ```json
 { "token": "BONK" }
 ```
 
-M32 holders get tiered discounts (20 percent at 250k, 40 percent at 1M) the moment their wallet is verified at the agent console.
+M32 holders will get tiered discounts (20 percent at 250k, 40 percent at 1M) once SIWS wallet signature verification ships. The discount path is gated off in production until then so it cannot be claimed by spoofing a wallet header.
 
 ## How discovery works
 
@@ -147,13 +176,13 @@ Sessions are scoped, revocable, and rotate cleanly. The key is hashed at rest on
 
 ## How payment verification actually works
 
-x402 payments are verified on chain through the Solana facilitator. Tempo payments are verified cryptographically through the mppx SDK. ACP sessions are database backed with a real checkout flow. AP2 mandates use ECDSA P-256 signature verification. AGTP uses HMAC SHA256 signed agent certificates with a server held salt so signatures cannot be forged from a public agent id alone.
+x402 payments are verified on chain through the Solana facilitator (for SVM) or the Base facilitator (for EVM). MPP32 never holds custody of funds. Every paid call settles directly from the caller's wallet to the provider's wallet.
 
-Every protocol has its own verification path. None of them are stubbed. MPP32 never holds custody of funds. Every paid call settles directly from the caller's wallet to the provider's wallet.
+Tempo, ACP, AP2, and AGTP envelopes are implemented in the proxy and tested against synthetic challenges, but the corresponding client signing flows are not yet exposed by this MCP. Those rails stay disabled in production until each has a verified end to end client flow. Treat the catalog as an x402 catalog today; the rest will light up as their clients land.
 
 ## For API providers
 
-List your endpoint once and get paid through every protocol automatically. MPP32 handles the payment negotiation, the on chain verification, the discovery listings via OpenAPI and A2A and MCP standards, the 24 hour health re check, and the analytics dashboard. Settlement lands in USDC or pathUSD straight to your wallet.
+List your endpoint once and receive payment over x402. MPP32 handles the payment negotiation, the on chain verification, the discovery listings via OpenAPI and A2A and MCP standards, the periodic health re check, and the analytics dashboard. Settlement lands in USDC on Solana or Base straight to your wallet.
 
 Register at [mpp32.org/build](https://mpp32.org/build).
 

package/dist/index.js

@@ -3,7 +3,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
 import { signX402Payment } from "./x402-signers.js";
-const SERVER_VERSION = "1.2.2";
+const SERVER_VERSION = "1.2.4";
 // ── Env loading: trim and sanitize aggressively ─────────────────────────────
 // Copy-paste from Claude Desktop / Cursor / Windsurf JSON config UIs frequently
 // adds trailing \n, \r, NBSP, BOM, or wraps the value in literal quotes. Any
@@ -121,6 +121,22 @@ const SOLANA_PRIVATE_KEY = (() => {
     }
     return v;
 })();
+// Optional override: when both an EVM and a Solana key are configured, this
+// decides which network to use for mixed challenges. Accepts:
+//   "solana" (or any "solana:*" CAIP-2), "base", "evm", "ethereum".
+// Defaults to undefined — pickRequirements then falls back to its own rules.
+const PREFERRED_NETWORK = (() => {
+    const v = readEnv("MPP32_PREFERRED_NETWORK");
+    if (!v)
+        return undefined;
+    const lower = v.toLowerCase();
+    const allowed = ["solana", "base", "evm", "ethereum"];
+    if (!allowed.some((a) => lower === a || lower.startsWith(a))) {
+        console.error(`[mpp32] MPP32_PREFERRED_NETWORK="${v}" not recognized. Allowed: ${allowed.join(", ")} (or full CAIP-2 like solana:5eykt...). Ignoring.`);
+        return undefined;
+    }
+    return lower;
+})();
 // Wrap fetch with a default timeout. AbortSignal.timeout exists in Node 20+,
 // but we ship for Node 18+, so we build the signal ourselves.
 async function fetchWithTimeout(url, init) {
@@ -197,12 +213,29 @@ function describeEnvVarStatus(name, value) {
         : `${value.slice(0, 6)}…${value.slice(-4)} (${value.length} chars)`;
     return `${name}: SET (${fingerprint})`;
 }
-server.tool("get_mpp32_diagnostics", "Report what the mpp32-mcp-server detected at startup: version, API URL, and which env vars (MPP32_AGENT_KEY, MPP32_SOLANA_PRIVATE_KEY, MPP32_PRIVATE_KEY) were loaded into this process. Use this FIRST if payments fail with 'no key configured' even though you set one in claude_desktop_config.json — it confirms whether your env vars actually reached the MCP process or got dropped by a typo / wrong file / stale restart.", {}, async () => {
+server.tool("get_mpp32_diagnostics", "Report what the mpp32-mcp-server detected at startup: version, API URL, env vars (MPP32_AGENT_KEY, MPP32_SOLANA_PRIVATE_KEY, MPP32_PRIVATE_KEY, MPP32_PREFERRED_NETWORK), and a live API connectivity check. Use this FIRST if payments fail with 'no key configured' even though you set one in claude_desktop_config.json.", {}, async () => {
+    // Live connectivity probe so the user knows whether the *backend* is
+    // reachable too — not just whether their env loaded.
+    let apiReachable;
+    try {
+        const probe = await fetchWithTimeout(`${API_URL}/api/agent/protocols`, {
+            timeoutMs: 5_000,
+        });
+        apiReachable = probe.ok
+            ? `OK (${probe.status})`
+            : `Reachable but returned ${probe.status}`;
+    }
+    catch (err) {
+        apiReachable = `UNREACHABLE: ${err instanceof Error ? err.message : String(err)}`;
+    }
+    const haveAnyKey = !!(SOLANA_PRIVATE_KEY || PRIVATE_KEY);
+    const readyToPay = !!AGENT_KEY && haveAnyKey;
     const lines = [
         `**mpp32-mcp-server diagnostics**`,
         ``,
         `Version: ${SERVER_VERSION}`,
         `API URL: ${API_URL}`,
+        `API reachable: ${apiReachable}`,
         `Timeout: ${TIMEOUT_MS}ms`,
         `Node: ${process.version} on ${process.platform}/${process.arch}`,
         ``,
@@ -211,26 +244,56 @@ server.tool("get_mpp32_diagnostics", "Report what the mpp32-mcp-server detected
         describeEnvVarStatus("MPP32_AGENT_KEY", AGENT_KEY),
         describeEnvVarStatus("MPP32_SOLANA_PRIVATE_KEY", SOLANA_PRIVATE_KEY),
         describeEnvVarStatus("MPP32_PRIVATE_KEY", PRIVATE_KEY),
+        `MPP32_PREFERRED_NETWORK: ${PREFERRED_NETWORK ?? "not set (auto: prefer the only key you have)"}`,
         ``,
         `**Capabilities:**`,
         `- Catalog browsing: yes (always available)`,
         `- Federated service execution: ${AGENT_KEY ? "yes" : "no — set MPP32_AGENT_KEY"}`,
         `- x402 (USDC on Solana) payment: ${SOLANA_PRIVATE_KEY ? "yes" : "no — set MPP32_SOLANA_PRIVATE_KEY"}`,
-        `- Tempo (pathUSD on Eth L2) payment: ${PRIVATE_KEY ? "yes" : "no — set MPP32_PRIVATE_KEY"}`,
+        `- x402 (USDC on Base/EVM) payment: ${PRIVATE_KEY ? "yes" : "no — set MPP32_PRIVATE_KEY"}`,
+        ``,
+        `**Ready to pay end-to-end:** ${readyToPay ? "YES — try `query_intelligence` with token=\"M32\" to confirm." : "NO — see the missing items above."}`,
         ``,
-        `If a variable shows NOT SET but you put it in claude_desktop_config.json:`,
-        `1. Confirm the file path Claude Desktop actually reads from:`,
-        `   - macOS: ~/Library/Application Support/Claude/claude_desktop_config.json`,
+        `**If a variable shows NOT SET but you set it in claude_desktop_config.json:**`,
+        `1. Confirm the file path Claude Desktop actually reads:`,
+        `   - macOS:   ~/Library/Application Support/Claude/claude_desktop_config.json`,
         `   - Windows: %APPDATA%\\Claude\\claude_desktop_config.json`,
-        `2. The 'env' block must sit INSIDE the server entry, alongside 'command' and 'args' — not at the top level.`,
-        `3. Fully quit Claude Desktop (Cmd+Q on Mac, right-click tray → Quit on Windows). Closing the window is not enough.`,
-        `4. Re-open Claude Desktop. The new MCP process inherits the env from the JSON.`,
-        `5. Call get_mpp32_diagnostics again — if it still shows NOT SET, the JSON did not load (check for a syntax error).`,
+        `2. The 'env' block must sit INSIDE the server entry, beside 'command' and 'args' — not at the top level.`,
+        `3. Validate the JSON: a single missing comma silently throws the whole file out.`,
+        `4. Fully quit Claude Desktop:`,
+        `   - macOS: Cmd+Q (or Claude menu → Quit)`,
+        `   - Windows: right-click the system-tray icon → Quit (closing the window is NOT enough)`,
+        `5. Re-open Claude Desktop. The new MCP child process inherits env from the JSON.`,
+        `6. Call get_mpp32_diagnostics again. If it STILL shows NOT SET, the JSON did not load — check the Claude Desktop log for a parse error.`,
+        ``,
+        `**On Windows specifically:** the value must NOT include surrounding quotes inside the JSON string. Bad: "\\"mpp32_agent_abc...\\"". Good: "mpp32_agent_abc...".`,
     ];
     return {
         content: [{ type: "text", text: lines.join("\n") }],
     };
 });
+// Back-compat alias. Older docs and skills say `debug_mpp32`.
+server.tool("debug_mpp32", "Alias for get_mpp32_diagnostics. Reports env-var detection, API connectivity, and ready-to-pay status.", {}, async () => {
+    let apiReachable;
+    try {
+        const probe = await fetchWithTimeout(`${API_URL}/api/agent/protocols`, { timeoutMs: 5_000 });
+        apiReachable = probe.ok ? `OK (${probe.status})` : `Reachable but returned ${probe.status}`;
+    }
+    catch (err) {
+        apiReachable = `UNREACHABLE: ${err instanceof Error ? err.message : String(err)}`;
+    }
+    const readyToPay = !!AGENT_KEY && !!(SOLANA_PRIVATE_KEY || PRIVATE_KEY);
+    const lines = [
+        `mpp32-mcp-server v${SERVER_VERSION} (${process.platform}/${process.arch}, Node ${process.version})`,
+        `API: ${API_URL} — ${apiReachable}`,
+        describeEnvVarStatus("MPP32_AGENT_KEY", AGENT_KEY),
+        describeEnvVarStatus("MPP32_SOLANA_PRIVATE_KEY", SOLANA_PRIVATE_KEY),
+        describeEnvVarStatus("MPP32_PRIVATE_KEY", PRIVATE_KEY),
+        `MPP32_PREFERRED_NETWORK: ${PREFERRED_NETWORK ?? "not set"}`,
+        `Ready to pay: ${readyToPay ? "YES" : "NO"}`,
+    ];
+    return { content: [{ type: "text", text: lines.join("\n") }] };
+});
 // ── Tool 1: list_mpp32_services ─────────────────────────────────────────────
 server.tool("list_mpp32_services", "Browse the MPP32 federated catalog of 4,500+ machine-payable APIs and data services. Includes native MPP32 services (callable end-to-end through this MCP), the x402 Bazaar (USDC on Solana), curated free APIs (DexScreener, Jupiter, CoinGecko health, httpbin, etc.), and the public MCP Registry (npx-installable servers; listing-only). Each result indicates whether it is callable through `call_mpp32_endpoint` or listing-only. The catalog is large (~4,500 entries) — by default a single call returns up to 100 results and the response will tell you the true total and whether the page was truncated. Use `q` (free-text search), `category`, `source`, or `protocol` to narrow down, or raise `limit` (max 500) for broader pages.", {
     category: z
@@ -1063,6 +1126,7 @@ async function completeX402Payment(paymentRequiredHeader, keys) {
         solanaKey: keys.solana,
         evmKey: keys.evm,
         solanaRpcUrl,
+        preferredNetwork: PREFERRED_NETWORK,
     });
     return {
         xPaymentHeader: result.xPaymentHeader,

package/dist/x402-signers.d.ts

@@ -32,6 +32,7 @@ export interface SignX402Args {
     solanaKey?: string;
     evmKey?: string;
     solanaRpcUrl?: string;
+    preferredNetwork?: string;
 }
 export interface SignX402Result {
     xPaymentHeader: string;

package/dist/x402-signers.js

@@ -129,6 +129,18 @@ export async function signX402PaymentSvm(requirements, rawKey, rpcUrlOverride, e
     const mintAddress = deps.address(requirements.asset);
     const recipientAddress = deps.address(requirements.payTo);
     const feePayerAddress = deps.address(requirements.extra.feePayer);
+    // Self-payment guard. An SPL TransferChecked where source ATA == destination
+    // ATA is a no-op the Solana runtime rejects, and the resulting facilitator
+    // error is opaque ("transaction failed simulation"). This usually means the
+    // user configured the same wallet as both their MPP32_SOLANA_PRIVATE_KEY and
+    // the upstream payTo (e.g. calling their own listed service, or testing
+    // against the MPP32 oracle from the operator wallet). Catch it here with a
+    // clear, actionable message before we burn an RPC round-trip.
+    if (String(payerAddress) === String(recipientAddress)) {
+        throw new Error(`Refusing to sign an x402 payment to yourself: the wallet derived from MPP32_SOLANA_PRIVATE_KEY ` +
+            `(${String(payerAddress)}) is also the payment recipient (payTo) for this service. ` +
+            `Use a different wallet to call this endpoint, or fund a separate payer key.`);
+    }
     // Derive both sides' associated token accounts (classic SPL Token program).
     const [sourceAtaTuple, destinationAtaTuple] = await Promise.all([
         deps.findAssociatedTokenPda({
@@ -203,6 +215,14 @@ export async function signX402PaymentEvm(requirements, rawKey, echoedVersion = 1
     }
     const { privateKeyToAccount } = await loadEvmDeps();
     const account = privateKeyToAccount(keyHex);
+    // Self-payment guard (EVM). EIP-3009 transferWithAuthorization with
+    // from == to is rejected on-chain by USDC. Surfacing this here keeps the
+    // error message useful instead of an opaque facilitator failure.
+    if (account.address.toLowerCase() === recipientAddr.toLowerCase()) {
+        throw new Error(`Refusing to sign an x402 payment to yourself: the wallet derived from MPP32_PRIVATE_KEY ` +
+            `(${account.address}) is also the payment recipient (payTo) for this service. ` +
+            `Use a different wallet to call this endpoint, or fund a separate payer key.`);
+    }
     const now = Math.floor(Date.now() / 1000);
     const validAfter = BigInt(0);
     const validBefore = BigInt(now + (requirements.maxTimeoutSeconds ?? 600));
@@ -279,21 +299,55 @@ function normalizeRequirements(raw) {
         extra: raw.extra,
     };
 }
-// Pick the first entry in `accepts` we can actually sign. Preference order:
-//   1. EVM entries when an EVM key is available (Base is the dominant chain).
-//   2. SVM entries when a Solana key is available.
-// If no entry matches the keys we hold, fall back to the first entry and let
-// the per-network signer throw a precise "you need MPP32_X_PRIVATE_KEY" error.
-function pickRequirements(accepts, haveSvm, haveEvm) {
+// Pick the first entry in `accepts` we can actually sign.
+//
+// Preference rules (in order):
+//   1. If MPP32_PREFERRED_NETWORK env var matches a `network` field, use it.
+//   2. If only one key is configured, prefer that network (this is the most
+//      common real-world case — a Solana-only user offered a mixed challenge
+//      previously got signed EVM and failed with "no EVM key set". Now they
+//      get signed SVM.).
+//   3. If both keys are configured, prefer EVM (Base is the dominant chain
+//      and tends to settle faster).
+//   4. Otherwise fall back to the first accepted entry and let the per-network
+//      signer throw a precise "you need MPP32_X_PRIVATE_KEY" error.
+function pickRequirements(accepts, haveSvm, haveEvm, preferredNetwork) {
     if (accepts.length === 0) {
         throw new Error("x402 v2 challenge has empty `accepts` array — nothing to pay.");
     }
-    if (haveEvm) {
+    // Explicit preference wins.
+    if (preferredNetwork) {
+        const want = preferredNetwork.toLowerCase();
+        const explicit = accepts.find((a) => {
+            const n = a.network.toLowerCase();
+            if (n === want)
+                return true;
+            if (want === "solana" && isSvmNetwork(a.network))
+                return true;
+            if ((want === "base" || want === "evm") && isEvmNetwork(a.network))
+                return true;
+            return false;
+        });
+        if (explicit)
+            return explicit;
+    }
+    // Solana-only user: prefer SVM.
+    if (haveSvm && !haveEvm) {
+        const svm = accepts.find((a) => isSvmNetwork(a.network));
+        if (svm)
+            return svm;
+    }
+    // EVM-only user: prefer EVM.
+    if (haveEvm && !haveSvm) {
         const evm = accepts.find((a) => isEvmNetwork(a.network));
         if (evm)
             return evm;
     }
-    if (haveSvm) {
+    // Both keys configured: prefer EVM (Base is the dominant chain).
+    if (haveEvm && haveSvm) {
+        const evm = accepts.find((a) => isEvmNetwork(a.network));
+        if (evm)
+            return evm;
         const svm = accepts.find((a) => isSvmNetwork(a.network));
         if (svm)
             return svm;
@@ -317,7 +371,7 @@ export async function signX402Payment(args) {
         const accepts = decoded.accepts
             .filter((a) => !!a && typeof a === "object")
             .map(normalizeRequirements);
-        requirements = pickRequirements(accepts, !!args.solanaKey, !!args.evmKey);
+        requirements = pickRequirements(accepts, !!args.solanaKey, !!args.evmKey, args.preferredNetwork);
         echoedVersion = decoded.x402Version || 2;
     }
     else if (decoded && typeof decoded === "object") {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mpp32-mcp-server",
-  "version": "1.2.2",
+  "version": "1.2.4",
   "mcpName": "io.github.MPP32/mpp32-mcp-server",
   "description": "Payment layer for AI agents. One MCP, five protocols, thousands of paid APIs your agent can call.",
   "type": "module",