npm - mpp32-mcp-server - Versions diffs - 1.4.1 → 1.7.0 - Mend

mpp32-mcp-server 1.4.1 → 1.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,107 @@ All notable changes to `mpp32-mcp-server` are documented here. The format
 follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and the
 project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [1.7.0] - 2026-06-07
+### Changed
+* **Supply-chain cleanup.** Dropped three direct dependencies that were
+  driving Socket.dev alerts on the published package:
+  * `tweetnacl` (unmaintained since 2020): the 32-byte-seed → 64-byte
+    keypair derivation now uses
+    `@solana/kit`'s `createKeyPairSignerFromPrivateKeyBytes` directly
+    via WebCrypto Ed25519.
+  * `cheerio` (and its 21 transitives, including the deprecated
+    `whatwg-encoding@3.1.1`): `get_pivx_dao_intelligence` now calls the
+    MPP32 backend's `/api/governance` endpoint instead of scraping
+    `pivx.org` client-side. Same payload; the backend has served it since
+    1.4.0.
+  * `bs58` + `base-x`: replaced with the already-in-tree `@scure/base`
+    `base58` codec.
+  Net effect: published install drops from 181 to ~155 transitive
+  packages, zero deprecated, zero unmaintained-since-2020.
+* **All direct dependencies pinned to exact versions** (no `^` ranges).
+* **`engines.node` raised to `>=20.10.0`** (Node 18 reached end-of-life
+  in April 2025; WebCrypto Ed25519 is native on 20.10+).
+### Added
+* **npm provenance.** Releases now ship with an [npm provenance
+  attestation](https://docs.npmjs.com/generating-provenance-statements)
+  linking the tarball to the exact GitHub Actions run that built it.
+  Verify with `npm audit signatures`.
+* **`SECURITY.md` included in the published tarball**, describing
+  runtime behavior, the env vars the server reads, and the egress
+  allow-list.
+* **`docs/EGRESS.md`** (repo) enumerates every outbound host the MCP
+  server reaches and why.
+* **`socket.yml`** (repo) documents the small set of behavior alerts we
+  consciously accept (`envVars`, `networkAccess`, `hasBin`) with links
+  to where each behavior is implemented.
+### Removed
+* `pivx-provider.ts` (the cheerio-based client-side scraper). Replaced
+  by a 25-line wrapper around `${MPP32_API_URL}/api/governance`.
+### Security
+* No code-level vulnerability fixed; this release exists to eliminate
+  supply-chain-risk surface area on the published package.
+## [1.6.0] - 2026-06-02
+### Added
+* **Auto Sign In With Solana (SIWS) at startup.** When both `MPP32_AGENT_KEY`
+  and `MPP32_SOLANA_PRIVATE_KEY` are configured, the MCP server proves wallet
+  ownership to the MPP32 backend on the first run and activates M32 holder
+  pricing on every subsequent paid query for the rest of the process lifetime.
+  The signed message is the canonical SIWS structure (single use nonce, five
+  minute expiry, domain bound to mpp32.org). Holders pay $0.0048 per
+  Intelligence Oracle query at the 1M tier and $0.0064 at the 250K tier with
+  zero extra setup beyond the Solana key already used for x402 payments.
+### Changed
+* **`get_mpp32_diagnostics` output adds an "M32 holder pricing" capability
+  row** showing the verified wallet, the tier, and the active discount once
+  SIWS has run.
+## [1.5.0] - 2026-06-01
+### Added
+* **`try_solana_token_intelligence_free` MCP tool — zero-friction preview.**
+  Hits the backend `/api/intelligence/demo` endpoint. Returns the same alpha
+  score, rug risk, whale activity, smart money signals, pump probability, and
+  market data payload as the paid endpoint, but requires no `MPP32_AGENT_KEY`
+  and no Solana private key. Rate-limited to 10 calls/minute per IP. Intended
+  as the first call new users (and Claude itself) make when evaluating MPP32 —
+  see the data quality, THEN configure paid access. This closes the
+  conversion-funnel gap where new agents previously hit a 402 wall on their
+  very first call before ever seeing the oracle's output.
+### Changed
+* **`get_solana_token_intelligence` description updated** to point new users
+  with no keys configured at `try_solana_token_intelligence_free` first.
+* **`get_mpp32_diagnostics` output updated** to mention the free demo when
+  the user is not yet ready to pay end-to-end.
+### Backend (server-side compatibility, no client action required)
+* MPP32 backend now defaults to PayAI (`https://facilitator.payai.network`)
+  as the x402 facilitator, with Coinbase CDP as a documented fallback. PayAI
+  is the only public facilitator that supports Solana **mainnet**
+  (`solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp`); the previous default
+  (`x402.org/facilitator`) is testnet/devnet-only and was silently failing
+  every mainnet settlement. The backend now refuses to boot in production
+  if no configured facilitator supports the configured network — making this
+  exact regression class impossible. No MCP client change required: the
+  signer's network detection (`x402-signers.ts`) and protocol handling are
+  unchanged.
 ## [1.4.0] - 2026-05-21
 ### Added

package/README.md CHANGED Viewed

@@ -22,6 +22,12 @@ One install. Pay any x402 endpoint on Solana from your agent. Browse a federated
 The MCP server ships signers for both Solana and Base out of the box. When a paid call returns a 402, the server picks the network that matches the key you configured and settles the payment in one round trip.
+## Try it free first (no keys, no setup)
+The MCP server exposes a **`try_solana_token_intelligence_free`** tool that returns the full Intelligence Oracle payload (alpha score, rug risk, whale activity, smart money signals, 24h pump probability, market data) for any Solana token with **zero configuration** — no `MPP32_AGENT_KEY`, no Solana key, no payment. Rate-limited to 10 calls/minute per IP. Use it to evaluate the oracle, then switch to `get_solana_token_intelligence` for unlimited attributed usage at $0.008/query (M32 holders save up to 40%).
+Just install the server and ask your agent: _"Use mpp32 to get a free intelligence preview for SOL."_
 ## Why this beats running your own integrations
 Most agent stacks stop at "the model can call a function." That works until the function costs money. The moment your agent needs premium data, a paid model, a trading signal, or a token analytics call, you are back to building accounts, storing API keys, watching budgets, and writing custom 402 handlers for every provider.

package/SECURITY.md ADDED Viewed

@@ -0,0 +1,77 @@
+# Security Policy — `mpp32-mcp-server`
+## Reporting a vulnerability
+Report security issues privately to **`security@mpp32.org`**.
+Include:
+- A description of the issue, including the affected version of
+  `mpp32-mcp-server`.
+- Steps to reproduce, or a minimal proof of concept.
+- The Node.js version, OS, and MCP host (Claude Desktop, Cursor,
+  Windsurf, …) you tested against.
+- Your name or handle if you'd like credit in the fix release.
+We aim to acknowledge reports within **3 business days** and provide a
+remediation timeline within **10 business days**. Please do not file public
+GitHub issues for security vulnerabilities until a fix has shipped.
+## Supported versions
+| Version  | Supported  |
+|:---------|:-----------|
+| `1.7.x`  | ✅ current  |
+| `1.6.x`  | High-severity only |
+| `< 1.6`  | ❌          |
+## What this package does at runtime
+Understanding the package's behavior is the first step in any audit. The
+MCP server is a stdio process. It:
+1. **Reads three environment variables** for authentication and signing:
+   `MPP32_AGENT_KEY`, `MPP32_PRIVATE_KEY` (EVM), and
+   `MPP32_SOLANA_PRIVATE_KEY`. Values are never logged, transmitted as
+   plaintext to third parties, or written to disk. See
+   `src/index.ts` for the exact validation rules.
+2. **Makes outbound HTTPS requests** to a small, fixed set of hosts
+   needed to discover services and settle x402 payments. The complete
+   egress allow-list is documented in [`docs/EGRESS.md`](../docs/EGRESS.md).
+3. **Signs Solana and EVM payment payloads locally** using
+   `@solana/kit` (WebCrypto Ed25519) and `viem` (secp256k1) inside the
+   user's Node process. Private keys never leave the machine.
+There is no install script, no native code, no filesystem write, no
+shell execution, and no dynamic `require`/`eval` in this package.
+## Provenance
+Starting with `1.7.0`, npm releases are published from a GitHub Actions
+workflow using OIDC and include an [npm provenance attestation][prov]
+linking the published tarball to the exact commit and workflow run that
+produced it. Verify with:
+```sh
+npm audit signatures
+```
+[prov]: https://docs.npmjs.com/generating-provenance-statements
+## Hardening already in place (backend)
+The MCP server depends on a backend at `mpp32.org` for the federated
+catalog and `/api/agent/execute`. Backend-side hardening is documented
+in the [root SECURITY.md](../SECURITY.md):
+- Production refuses to boot when `MPP_SECRET_KEY` is missing or matches
+  a committed default.
+- All outbound URLs from user submissions and agent execute calls run
+  through an SSRF guard.
+- Agent session API keys are hashed at rest with SHA-256.
+## Disclosure
+We follow coordinated disclosure. Reporters who act in good faith and
+follow this policy will not be subject to legal action for their
+research.

package/dist/index.js CHANGED Viewed

@@ -3,7 +3,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
 import { signX402Payment } from "./x402-signers.js";
-const SERVER_VERSION = "1.4.1";
+const SERVER_VERSION = "1.7.0";
 // ── Env loading: trim and sanitize aggressively ─────────────────────────────
 // Copy-paste from Claude Desktop / Cursor / Windsurf JSON config UIs frequently
 // adds trailing \n, \r, NBSP, BOM, or wraps the value in literal quotes. Any
@@ -251,8 +251,9 @@ server.tool("get_mpp32_diagnostics", "Report what the mpp32-mcp-server detected
         `- Federated service execution: ${AGENT_KEY ? "yes" : "no — set MPP32_AGENT_KEY"}`,
         `- x402 (USDC on Solana) payment: ${SOLANA_PRIVATE_KEY ? "yes" : "no — set MPP32_SOLANA_PRIVATE_KEY"}`,
         `- x402 (USDC on Base/EVM) payment: ${PRIVATE_KEY ? "yes" : "no — set MPP32_PRIVATE_KEY"}`,
+        `- M32 holder pricing (SIWS verified): ${siwsVerifiedAddress ? `yes — ${siwsTier} tier, ${siwsDiscountPercent}% off every paid query` : (AGENT_KEY && SOLANA_PRIVATE_KEY ? "pending — auto verification runs once at startup" : "no — set MPP32_AGENT_KEY + MPP32_SOLANA_PRIVATE_KEY")}`,
         ``,
-        `**Ready to pay end-to-end:** ${readyToPay ? "YES — try `get_solana_token_intelligence` with token=\"M32\" to confirm." : "NO — see the missing items above."}`,
+        `**Ready to pay end-to-end:** ${readyToPay ? "YES — try `get_solana_token_intelligence` with token=\"M32\" to confirm." : "NO — see the missing items above. Meanwhile, you can still call `try_solana_token_intelligence_free` (10/min/IP, no keys required) to evaluate the oracle."}`,
         ``,
         `**If a variable shows NOT SET but you set it in claude_desktop_config.json:**`,
         `1. Confirm the file path Claude Desktop actually reads:`,
@@ -450,7 +451,7 @@ server.tool("call_mpp32_endpoint", "Call any HTTP-callable service in the MPP32
     return await callViaLegacyProxy(slug, method, parsedBody, query, path);
 });
 // ── Tool 3: get_solana_token_intelligence ───────────────────────────────────
-server.tool("get_solana_token_intelligence", "Get real-time Solana token intelligence from the MPP32 Intelligence Oracle. Returns alpha score (0-100), rug risk assessment, whale activity, smart money signals, 24h pump probability, projected ROI ranges, and aggregated DexScreener/Jupiter/CoinGecko market data. Costs $0.008 per query, paid automatically via x402 (USDC on Solana) or Tempo (pathUSD on Eth L2). M32 token holders receive up to 40% discount once their wallet is signature-verified. Set MPP32_AGENT_KEY in config to attribute calls to your dashboard.", {
+server.tool("get_solana_token_intelligence", "Get real-time Solana token intelligence from the MPP32 Intelligence Oracle. Returns alpha score (0-100), rug risk assessment, whale activity, smart money signals, 24h pump probability, projected ROI ranges, and aggregated DexScreener/Jupiter/CoinGecko market data. Costs $0.008 per query, paid automatically via x402 (USDC on Solana) or Tempo (pathUSD on Eth L2). M32 token holders receive up to 40% discount once their wallet is signature-verified. Set MPP32_AGENT_KEY in config to attribute calls to your dashboard. **New users with no keys configured: call `try_solana_token_intelligence_free` first** — it returns the same payload, rate-limited to 10/min, no payment or key required.", {
     token: z
         .string()
         .describe("Solana token mint address or ticker symbol (e.g. SOL, BONK, JUP, M32, or full base58 address)."),
@@ -466,6 +467,63 @@ server.tool("get_solana_token_intelligence", "Get real-time Solana token intelli
     // Legacy path — direct call to /api/intelligence with manual 402 handling.
     return await legacyIntelligenceCall(token, walletAddress);
 });
+// ── Tool 3b: Free Intelligence Demo ────────────────────────────────────────
+// No payment, no key. Hits /api/intelligence/demo, which is rate-limited per
+// IP. Intended as the first call new users (and Claude itself) make when
+// trying MPP32 — they see real alpha scores and signals BEFORE encountering
+// any payment wall. This is the conversion funnel fix: agents today bounce
+// off the 402, so we let them taste the product first.
+server.tool("try_solana_token_intelligence_free", "FREE preview of the MPP32 Intelligence Oracle. No payment, no agent key, no Solana private key required. Returns the SAME payload as the paid endpoint (alpha score, rug risk, whale activity, smart money signals, pump probability, market data) for any Solana token. Rate-limited to 10 calls/minute per IP. Use this to evaluate the data quality. Once you're convinced, set MPP32_AGENT_KEY + a payment key and switch to `get_solana_token_intelligence` for unlimited, attributed usage and M32-holder discounts.", {
+    token: z
+        .string()
+        .describe("Solana token mint address or ticker symbol (e.g. SOL, BONK, JUP, M32, or full base58 address)."),
+}, async ({ token }) => {
+    try {
+        const res = await fetchWithTimeout(`${API_URL}/api/intelligence/demo`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ token }),
+        });
+        const text = await res.text();
+        let formatted;
+        try {
+            formatted = JSON.stringify(JSON.parse(text), null, 2);
+        }
+        catch {
+            formatted = text;
+        }
+        if (res.status === 429) {
+            return {
+                content: [{
+                        type: "text",
+                        text: `Demo rate limit reached (10 calls/minute per IP). Wait a minute and retry, or set up paid access for unlimited queries:\n\n1. Get an agent key: ${API_URL}/agent-console\n2. Add MPP32_AGENT_KEY + MPP32_SOLANA_PRIVATE_KEY to your MCP config\n3. Call \`get_solana_token_intelligence\` instead — $0.008/query, M32 holders save up to 40%.`,
+                    }],
+            };
+        }
+        if (!res.ok) {
+            return {
+                content: [{
+                        type: "text",
+                        text: `Demo returned HTTP ${res.status}:\n\n\`\`\`json\n${formatted}\n\`\`\``,
+                    }],
+            };
+        }
+        return {
+            content: [{
+                    type: "text",
+                    text: `**MPP32 Intelligence Oracle (FREE DEMO)** — \`${token}\`\n\n${formatted}\n\n---\n_Demo result. Same payload as the paid endpoint. Rate-limited to 10/min/IP. For unlimited usage and dashboard attribution, set MPP32_AGENT_KEY (get one at ${API_URL}/agent-console) and use \`get_solana_token_intelligence\`._`,
+                }],
+        };
+    }
+    catch (err) {
+        return {
+            content: [{
+                    type: "text",
+                    text: `Network error reaching ${API_URL}: ${err instanceof Error ? err.message : String(err)}`,
+                }],
+        };
+    }
+});
 // ── Tool 4: M32-gated Whale Tracker ───────────────────────────────────────
 server.tool("get_m32_whale_tracker", "M32-gated whale analysis for any Solana token. Returns top 20 holders, concentration risk, holder distribution, and buy/sell pressure. Requires the caller to hold 1,000,000+ M32 tokens (balance verified on-chain via X-Wallet-Address header). Free for qualifying holders — no payment required. Returns 403 if the wallet holds insufficient M32.", {
     token: z
@@ -574,11 +632,25 @@ server.tool("scan_portfolio_m32", "M32-gated full wallet portfolio scan. Discove
         return { content: [{ type: "text", text: `Error: ${err instanceof Error ? err.message : String(err)}` }] };
     }
 });
-// ── Tool 7: get_pivx_dao_intelligence ─────────────────────────────────────
-// Self-contained: scrapes pivx.org/proposals + Chainz CryptoID directly.
-// Does NOT depend on any backend endpoint — works for every npm user out of the box.
-import { fetchPivxGovernance } from "./pivx-provider.js";
-server.tool("get_pivx_dao_intelligence", "Get real-time PIVX DAO governance intelligence. Returns active budget proposals with masternode voting tallies (Yes/No counts, net yes percentages), budget allocation status, network deflation metrics (unallocated treasury PIV that are never minted), and masternode network health. PIVX is a fully community-governed cryptocurrency where Masternode owners vote on budget proposals every ~30 days (43,200 blocks per superblock cycle, 432,000 PIV max monthly budget). Data scraped live from pivx.org/proposals and the PIVX blockchain via Chainz CryptoID. Cached for 5 minutes. Free — no payment or API key required.", {
+async function fetchPivxGovernance() {
+    const res = await fetchWithTimeout(`${API_URL}/api/governance`, {
+        timeoutMs: 15_000,
+        headers: { Accept: "application/json" },
+    });
+    if (!res.ok) {
+        throw new Error(`MPP32 governance endpoint returned HTTP ${res.status}`);
+    }
+    const { data } = (await res.json());
+    return {
+        proposals: data.proposals,
+        network: data.network,
+        deflation: data.deflation,
+        timestamp: data.meta.timestamp,
+        source: data.meta.source,
+        cacheHit: data.meta.cacheHit,
+    };
+}
+server.tool("get_pivx_dao_intelligence", "Get real-time PIVX DAO governance intelligence. Returns active budget proposals with masternode voting tallies (Yes/No counts, net yes percentages), budget allocation status, network deflation metrics (unallocated treasury PIV that are never minted), and masternode network health. PIVX is a fully community-governed cryptocurrency where Masternode owners vote on budget proposals every ~30 days (43,200 blocks per superblock cycle, 432,000 PIV max monthly budget). Data is served by the MPP32 backend, which aggregates pivx.org/proposals and the PIVX blockchain via Chainz CryptoID, and caches for 5 minutes. Free — no payment or API key required.", {
     filter: z
         .enum(["all", "passing", "failing"])
         .default("all")
@@ -655,7 +727,7 @@ server.tool("get_pivx_dao_intelligence", "Get real-time PIVX DAO governance inte
         return {
             content: [{
                     type: "text",
-                    text: `Failed to fetch PIVX governance data: ${err instanceof Error ? err.message : String(err)}. The tool scrapes pivx.org/proposals directly — the site may be temporarily unreachable.`,
+                    text: `Failed to fetch PIVX governance data: ${err instanceof Error ? err.message : String(err)}. The tool calls ${API_URL}/api/governance — the MPP32 backend or its upstream sources (pivx.org, chainz.cryptoid.info) may be temporarily unreachable.`,
                 }],
         };
     }
@@ -1464,6 +1536,95 @@ async function completeX402Payment(paymentRequiredHeader, keys) {
         protocolUsed: result.protocolUsed,
     };
 }
+// ── Auto SIWS bootstrap ─────────────────────────────────────────────────────
+// When both MPP32_AGENT_KEY and MPP32_SOLANA_PRIVATE_KEY are configured the
+// MCP server proves wallet ownership to the MPP32 backend at startup, which
+// activates M32 holder pricing on every subsequent paid query for the rest of
+// the process lifetime. No user action required.
+let siwsVerifiedAddress = null;
+let siwsTier = null;
+let siwsDiscountPercent = 0;
+async function tryAutoSiws() {
+    if (!AGENT_KEY || !SOLANA_PRIVATE_KEY)
+        return;
+    try {
+        // Lazy import to keep startup fast when only catalog browsing is needed.
+        const [kitMod, scureBase] = await Promise.all([
+            import("@solana/kit"),
+            import("@scure/base"),
+        ]);
+        const { base58 } = scureBase;
+        const { createKeyPairFromBytes, createKeyPairFromPrivateKeyBytes, getAddressFromPublicKey, signBytes, } = kitMod;
+        // Decode the private key. Supports JSON byte array, hex, and base58.
+        let bytes;
+        if (SOLANA_PRIVATE_KEY.startsWith("[")) {
+            bytes = new Uint8Array(JSON.parse(SOLANA_PRIVATE_KEY));
+        }
+        else if (/^[0-9a-fA-F]+$/.test(SOLANA_PRIVATE_KEY) && SOLANA_PRIVATE_KEY.length % 2 === 0) {
+            bytes = new Uint8Array(Buffer.from(SOLANA_PRIVATE_KEY, "hex"));
+        }
+        else {
+            bytes = base58.decode(SOLANA_PRIVATE_KEY);
+        }
+        let keyPair;
+        if (bytes.length === 32) {
+            keyPair = await createKeyPairFromPrivateKeyBytes(bytes);
+        }
+        else if (bytes.length === 64) {
+            keyPair = await createKeyPairFromBytes(bytes);
+        }
+        else {
+            console.error(`[mpp32] SIWS skipped: Solana key has unexpected length ${bytes.length}`);
+            return;
+        }
+        const walletAddress = await getAddressFromPublicKey(keyPair.publicKey);
+        // Step 1: request a nonce bound to our existing agent session.
+        const nonceRes = await fetchWithTimeout(`${API_URL}/api/auth/siws/nonce`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ wallet: walletAddress, agentKey: AGENT_KEY }),
+            timeoutMs: 8_000,
+        });
+        if (!nonceRes.ok) {
+            const text = await nonceRes.text().catch(() => "");
+            console.error(`[mpp32] SIWS nonce request failed: HTTP ${nonceRes.status} ${text.slice(0, 200)}`);
+            return;
+        }
+        const nonceBody = (await nonceRes.json());
+        const message = nonceBody.data?.message;
+        if (!message) {
+            console.error("[mpp32] SIWS nonce response missing message");
+            return;
+        }
+        // Step 2: sign the canonical message bytes via WebCrypto Ed25519.
+        const signatureBytes = await signBytes(keyPair.privateKey, new TextEncoder().encode(message));
+        const signature = base58.encode(signatureBytes);
+        // Step 3: verify with the backend. Backend marks session walletVerified=true.
+        const verifyRes = await fetchWithTimeout(`${API_URL}/api/auth/siws/verify`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ wallet: walletAddress, signature, agentKey: AGENT_KEY }),
+            timeoutMs: 8_000,
+        });
+        if (!verifyRes.ok) {
+            const text = await verifyRes.text().catch(() => "");
+            console.error(`[mpp32] SIWS verify failed: HTTP ${verifyRes.status} ${text.slice(0, 200)}`);
+            return;
+        }
+        const verifyBody = (await verifyRes.json());
+        siwsVerifiedAddress = verifyBody.data?.walletAddress ?? walletAddress;
+        siwsTier = verifyBody.data?.tier ?? "none";
+        siwsDiscountPercent = verifyBody.data?.discountPercent ?? 0;
+        const tierLabel = siwsDiscountPercent > 0
+            ? `${siwsTier} tier (${siwsDiscountPercent}% off every paid query)`
+            : "no holder tier (wallet holds zero M32, verification still active)";
+        const shortAddr = `${siwsVerifiedAddress.slice(0, 6)}…${siwsVerifiedAddress.slice(-4)}`;
+        console.error(`[mpp32] SIWS verified for ${shortAddr}: ${tierLabel}`);
+    }
+    catch (err) {
+        console.error(`[mpp32] SIWS bootstrap error: ${err instanceof Error ? err.message : String(err)}`);
+    }
+}
 // ── Start ───────────────────────────────────────────────────────────────────
 async function main() {
     const transport = new StdioServerTransport();
@@ -1476,6 +1637,9 @@ async function main() {
         .filter(Boolean)
         .join(", ") || "no keys (catalog-only legacy mode)";
     console.error(`[mpp32] MCP server v${SERVER_VERSION} on stdio. API ${API_URL}. Configured: ${features}. Timeout ${TIMEOUT_MS}ms.`);
+    // Auto SIWS in the background. Does not block startup — if it fails the user
+    // simply pays the standard rate instead of the holder rate.
+    void tryAutoSiws();
     // Per-variable status so a user staring at this log can immediately see
     // whether their env vars made it through. Values are fingerprinted.
     const fp = (v) => !v ? "NOT SET" : v.length <= 12 ? `SET (${v.length}c)` : `SET (${v.slice(0, 6)}…${v.slice(-4)}, ${v.length}c)`;

package/dist/x402-signers.js CHANGED Viewed

@@ -18,12 +18,11 @@
 //   { x402Version: 1, scheme: "exact", network, payload: <scheme payload> }
 // base64-encoded into the `X-Payment` HTTP header.
 async function loadSvmDeps() {
-    const [kit, tokenProgram, computeBudgetProgram, bs58Mod, naclMod] = await Promise.all([
+    const [kit, tokenProgram, computeBudgetProgram, scureBase] = await Promise.all([
         import("@solana/kit"),
         import("@solana-program/token"),
         import("@solana-program/compute-budget"),
-        import("bs58"),
-        import("tweetnacl"),
+        import("@scure/base"),
     ]).catch((err) => {
         const msg = err instanceof Error ? err.message : String(err);
         throw new Error(`Could not load Solana signing libraries: ${msg}. ` +
@@ -33,6 +32,7 @@ async function loadSvmDeps() {
     return {
         address: kit.address,
         createKeyPairSignerFromBytes: kit.createKeyPairSignerFromBytes,
+        createKeyPairSignerFromPrivateKeyBytes: kit.createKeyPairSignerFromPrivateKeyBytes,
         createSolanaRpc: kit.createSolanaRpc,
         createTransactionMessage: kit.createTransactionMessage,
         setTransactionMessageFeePayer: kit.setTransactionMessageFeePayer,
@@ -46,8 +46,7 @@ async function loadSvmDeps() {
         TOKEN_PROGRAM_ADDRESS: tokenProgram.TOKEN_PROGRAM_ADDRESS,
         getSetComputeUnitLimitInstruction: computeBudgetProgram.getSetComputeUnitLimitInstruction,
         getSetComputeUnitPriceInstruction: computeBudgetProgram.getSetComputeUnitPriceInstruction,
-        bs58: bs58Mod.default ?? bs58Mod,
-        nacl: naclMod.default ?? naclMod,
+        base58: scureBase.base58,
     };
 }
 async function loadEvmDeps() {
@@ -94,20 +93,19 @@ function decodeSolanaSecret(raw, deps) {
     if (/^[0-9a-fA-F]+$/.test(raw) && raw.length % 2 === 0) {
         return new Uint8Array(Buffer.from(raw, "hex"));
     }
-    return deps.bs58.decode(raw);
+    return deps.base58.decode(raw);
 }
 async function buildSolanaSigner(rawKey, deps) {
-    let bytes = decodeSolanaSecret(rawKey, deps);
+    const bytes = decodeSolanaSecret(rawKey, deps);
     if (bytes.length === 32) {
-        // 32-byte seed — kit's createKeyPairSignerFromBytes wants the 64-byte
-        // expanded key. Derive via tweetnacl.
-        const kp = deps.nacl.sign.keyPair.fromSeed(bytes);
-        bytes = kp.secretKey;
+        // 32-byte seed — kit derives the public key via WebCrypto Ed25519.
+        return await deps.createKeyPairSignerFromPrivateKeyBytes(bytes);
     }
-    else if (bytes.length !== 64) {
-        throw new Error(`Solana private key must be a 32-byte seed or a 64-byte expanded key; got ${bytes.length} bytes.`);
+    if (bytes.length === 64) {
+        // 64-byte expanded key (seed || publicKey) — kit's standard path.
+        return await deps.createKeyPairSignerFromBytes(bytes);
     }
-    return await deps.createKeyPairSignerFromBytes(bytes);
+    throw new Error(`Solana private key must be a 32-byte seed or a 64-byte expanded key; got ${bytes.length} bytes.`);
 }
 // ── SVM signer ──────────────────────────────────────────────────────────────
 const DEFAULT_SOLANA_RPC = "https://api.mainnet-beta.solana.com";

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "mpp32-mcp-server",
-  "version": "1.4.1",
+  "version": "1.7.0",
   "mcpName": "io.github.MPP32/mpp32-mcp-server",
   "description": "Payment layer for AI agents. One MCP, five protocols, thousands of paid APIs your agent can call.",
   "type": "module",
@@ -20,7 +20,8 @@
     "dist/**/*.d.ts",
     "README.md",
     "CHANGELOG.md",
-    "LICENSE"
+    "LICENSE",
+    "SECURITY.md"
   ],
   "sideEffects": false,
   "scripts": {
@@ -67,19 +68,21 @@
   "bugs": {
     "url": "https://github.com/MPP32/MPP32/issues"
   },
+  "funding": "https://mpp32.org",
   "engines": {
-    "node": ">=18.0.0"
+    "node": ">=20.10.0"
+  },
+  "publishConfig": {
+    "access": "public"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.12.0",
-    "@solana-program/compute-budget": "^0.15.0",
-    "@solana-program/token": "^0.13.0",
-    "@solana/kit": "^6.9.0",
-    "bs58": "^6.0.0",
-    "cheerio": "^1.2.0",
-    "tweetnacl": "^1.0.3",
-    "viem": "^2.48.11",
-    "zod": "^3.23.0"
+    "@modelcontextprotocol/sdk": "1.29.0",
+    "@scure/base": "1.2.6",
+    "@solana-program/compute-budget": "0.15.0",
+    "@solana-program/token": "0.13.0",
+    "@solana/kit": "6.9.0",
+    "viem": "2.52.2",
+    "zod": "3.25.76"
   },
   "peerDependencies": {
     "mppx": ">=0.4.0"
@@ -90,7 +93,7 @@
     }
   },
   "devDependencies": {
-    "@types/node": "^22.0.0",
-    "typescript": "^5.7.0"
+    "@types/node": "22.19.18",
+    "typescript": "5.9.3"
   }
 }

package/dist/pivx-provider.d.ts DELETED Viewed

@@ -1,42 +0,0 @@
-export interface PivxProposal {
-    name: string;
-    url: string;
-    status: "passing" | "failing";
-    funded: boolean;
-    netYesPercent: number;
-    yesVotes: number;
-    noVotes: number;
-    monthlyPaymentPiv: number;
-    monthlyPaymentUsd: number;
-    totalPaymentPiv: number;
-    installmentsRemaining: number;
-    totalInstallments: number;
-    budgetPercent: number;
-}
-export interface PivxNetworkStats {
-    masternodeCount: number;
-    passingThreshold: number;
-    monthlyBudgetPiv: number;
-    monthlyBudgetUsd: number;
-    budgetAllocatedPiv: number;
-    budgetAllocatedUsd: number;
-    budgetAllocatedPercent: number;
-    blockHeight: number;
-    totalSupply: number;
-    circulatingSupply: number;
-}
-export interface PivxGovernanceData {
-    proposals: PivxProposal[];
-    network: PivxNetworkStats;
-    deflation: {
-        unallocatedPivPerCycle: number;
-        unallocatedPercent: number;
-        annualUnallocatedPiv: number;
-        proposalFeeBurnPiv: number;
-        effectiveInflationReduction: string;
-    };
-    timestamp: string;
-    source: string;
-    cacheHit: boolean;
-}
-export declare function fetchPivxGovernance(): Promise<PivxGovernanceData>;

package/dist/pivx-provider.js DELETED Viewed

@@ -1,232 +0,0 @@
-import * as cheerio from "cheerio";
-// 5-minute cache
-const CACHE_TTL_MS = 5 * 60 * 1000;
-let cachedData = null;
-let cacheTimestamp = 0;
-const CHAINZ_BASE = "https://chainz.cryptoid.info/pivx/api.dws";
-async function chainzFetch(query) {
-    const res = await fetch(`${CHAINZ_BASE}?q=${query}`, {
-        signal: AbortSignal.timeout(8000),
-    });
-    if (!res.ok)
-        throw new Error(`Chainz API ${query}: HTTP ${res.status}`);
-    return (await res.text()).trim();
-}
-async function fetchNetworkStats() {
-    const [masternodeCount, blockHeight, totalSupply, circulating] = await Promise.allSettled([
-        chainzFetch("masternodecount"),
-        chainzFetch("getblockcount"),
-        chainzFetch("totalcoins"),
-        chainzFetch("circulating"),
-    ]);
-    const mn = masternodeCount.status === "fulfilled"
-        ? parseInt(masternodeCount.value, 10)
-        : 0;
-    const bh = blockHeight.status === "fulfilled"
-        ? parseInt(blockHeight.value, 10)
-        : 0;
-    const ts = totalSupply.status === "fulfilled"
-        ? parseFloat(totalSupply.value)
-        : 0;
-    const cs = circulating.status === "fulfilled"
-        ? parseFloat(circulating.value)
-        : 0;
-    return {
-        masternodeCount: isNaN(mn) ? 0 : mn,
-        blockHeight: isNaN(bh) ? 0 : bh,
-        totalSupply: isNaN(ts) ? 0 : ts,
-        circulatingSupply: isNaN(cs) ? 0 : cs,
-        passingThreshold: isNaN(mn) ? 0 : Math.ceil(mn * 0.1),
-    };
-}
-function parseNumber(text) {
-    const cleaned = text.replace(/[^0-9.\-]/g, "");
-    const num = parseFloat(cleaned);
-    return isNaN(num) ? 0 : num;
-}
-async function scrapePivxProposals() {
-    const res = await fetch("https://pivx.org/proposals", {
-        signal: AbortSignal.timeout(15000),
-        headers: {
-            "User-Agent": "MPP32-Governance-Oracle/1.0 (+https://mpp32.org)",
-            Accept: "text/html",
-        },
-    });
-    if (!res.ok)
-        throw new Error(`pivx.org/proposals returned HTTP ${res.status}`);
-    const html = await res.text();
-    const $ = cheerio.load(html);
-    const pageText = $("body").text();
-    let monthlyBudgetPiv = 432000;
-    let monthlyBudgetUsd = 0;
-    let budgetAllocatedPiv = 0;
-    let budgetAllocatedUsd = 0;
-    let masternodeCount = 0;
-    let passingThreshold = 0;
-    const budgetMatch = pageText.match(/Monthly\s*Budget[:\s]*([\d,]+)\s*PIV/i);
-    if (budgetMatch?.[1])
-        monthlyBudgetPiv = parseNumber(budgetMatch[1]);
-    const budgetUsdMatch = pageText.match(/Monthly\s*Budget[^$]*US?\$([\d,.]+)/i);
-    if (budgetUsdMatch?.[1])
-        monthlyBudgetUsd = parseNumber(budgetUsdMatch[1]);
-    const allocatedMatch = pageText.match(/Budget\s*Allocated[:\s]*([\d,]+)\s*PIV/i);
-    if (allocatedMatch?.[1])
-        budgetAllocatedPiv = parseNumber(allocatedMatch[1]);
-    const allocatedUsdMatch = pageText.match(/Budget\s*Allocated[^$]*US?\$([\d,.]+)/i);
-    if (allocatedUsdMatch?.[1])
-        budgetAllocatedUsd = parseNumber(allocatedUsdMatch[1]);
-    const mnMatch = pageText.match(/([\d,]+)\s*masternodes?\s*online/i);
-    if (mnMatch?.[1])
-        masternodeCount = parseNumber(mnMatch[1]);
-    const thresholdMatch = pageText.match(/Positive\s*votes\s*required[^:]*:\s*(\d+)/i);
-    if (thresholdMatch?.[1])
-        passingThreshold = parseInt(thresholdMatch[1], 10);
-    const proposals = [];
-    const seenHashes = new Set();
-    $("table#js_table tbody tr[data-hash]").each((_i, el) => {
-        const $row = $(el);
-        const hash = $row.attr("data-hash") || "";
-        if (!hash || seenHashes.has(hash))
-            return;
-        seenHashes.add(hash);
-        const name = ($row.attr("data-title") || "").trim();
-        if (!name)
-            return;
-        const cells = $row.find("td");
-        if (cells.length < 5)
-            return;
-        const statusCell = $(cells[0]);
-        const statusText = statusCell.text();
-        const isPassing = /passing/i.test(statusText);
-        const funded = /funded/i.test(statusText);
-        let netYesPercent = 0;
-        const netYesMatch = statusText.match(/([-\d.]+)%/);
-        if (netYesMatch?.[1])
-            netYesPercent = parseFloat(netYesMatch[1]);
-        const nameCell = $(cells[1]);
-        const link = nameCell.find("a").first();
-        const url = link.attr("href") || "";
-        const paymentCell = $(cells[2]);
-        const monthlyPaymentPiv = parseNumber(paymentCell.attr("data-piv") || paymentCell.attr("data-order") || "0");
-        const budgetPercent = parseFloat(paymentCell.attr("data-percent") || "0");
-        let monthlyPaymentUsd = 0;
-        const usdSpan = paymentCell.find(".curr-prefix").parent();
-        if (usdSpan.length) {
-            const usdText = usdSpan.text();
-            const usdMatch = usdText.match(/US?\$\s*([\d,]+(?:\.\d+)?)/i);
-            if (usdMatch?.[1])
-                monthlyPaymentUsd = parseNumber(usdMatch[1]);
-        }
-        let installmentsRemaining = 1;
-        const longLine = paymentCell.find(".long-line");
-        if (longLine.length) {
-            const installB = longLine.find("b").first();
-            if (installB.length) {
-                const n = parseInt(installB.text().trim(), 10);
-                if (!isNaN(n))
-                    installmentsRemaining = n;
-            }
-        }
-        let totalPaymentPiv = monthlyPaymentPiv;
-        if (longLine.length) {
-            const totalB = longLine.find("b").last();
-            if (totalB.length) {
-                const totalText = totalB.text();
-                const totalMatch = totalText.match(/([\d,]+(?:\.\d+)?)\s*PIV/i);
-                if (totalMatch?.[1])
-                    totalPaymentPiv = parseNumber(totalMatch[1]);
-            }
-        }
-        const voteCell = $(cells[4]);
-        const voteText = voteCell.text();
-        let yesVotes = 0;
-        let noVotes = 0;
-        const voteMatch = voteText.match(/(\d+)\s*\/\s*(\d+)/);
-        if (voteMatch?.[1] && voteMatch[2]) {
-            yesVotes = parseInt(voteMatch[1], 10);
-            noVotes = parseInt(voteMatch[2], 10);
-        }
-        proposals.push({
-            name,
-            url,
-            status: isPassing ? "passing" : "failing",
-            funded,
-            netYesPercent,
-            yesVotes,
-            noVotes,
-            monthlyPaymentPiv,
-            monthlyPaymentUsd,
-            totalPaymentPiv,
-            installmentsRemaining,
-            totalInstallments: installmentsRemaining,
-            budgetPercent,
-        });
-    });
-    return {
-        proposals,
-        budgetSummary: {
-            monthlyBudgetPiv,
-            monthlyBudgetUsd,
-            budgetAllocatedPiv,
-            budgetAllocatedUsd,
-            masternodeCount,
-            passingThreshold,
-        },
-    };
-}
-export async function fetchPivxGovernance() {
-    if (cachedData && Date.now() - cacheTimestamp < CACHE_TTL_MS) {
-        return { ...cachedData, cacheHit: true };
-    }
-    const [scrapeResult, networkStats] = await Promise.allSettled([
-        scrapePivxProposals(),
-        fetchNetworkStats(),
-    ]);
-    const scraped = scrapeResult.status === "fulfilled" ? scrapeResult.value : null;
-    const chainzStats = networkStats.status === "fulfilled" ? networkStats.value : {};
-    if (!scraped) {
-        throw new Error(`Failed to fetch PIVX governance data: ${scrapeResult.status === "rejected" ? scrapeResult.reason : "unknown"}`);
-    }
-    const budgetAllocatedPercent = scraped.budgetSummary.monthlyBudgetPiv > 0
-        ? Math.round((scraped.budgetSummary.budgetAllocatedPiv /
-            scraped.budgetSummary.monthlyBudgetPiv) *
-            10000) / 100
-        : 0;
-    const network = {
-        masternodeCount: scraped.budgetSummary.masternodeCount ||
-            chainzStats.masternodeCount ||
-            0,
-        passingThreshold: scraped.budgetSummary.passingThreshold ||
-            chainzStats.passingThreshold ||
-            0,
-        monthlyBudgetPiv: scraped.budgetSummary.monthlyBudgetPiv,
-        monthlyBudgetUsd: scraped.budgetSummary.monthlyBudgetUsd,
-        budgetAllocatedPiv: scraped.budgetSummary.budgetAllocatedPiv,
-        budgetAllocatedUsd: scraped.budgetSummary.budgetAllocatedUsd,
-        budgetAllocatedPercent,
-        blockHeight: chainzStats.blockHeight || 0,
-        totalSupply: chainzStats.totalSupply || 0,
-        circulatingSupply: chainzStats.circulatingSupply || 0,
-    };
-    const unallocatedPivPerCycle = network.monthlyBudgetPiv - network.budgetAllocatedPiv;
-    const annualUnallocatedPiv = unallocatedPivPerCycle * 12;
-    const data = {
-        proposals: scraped.proposals,
-        network,
-        deflation: {
-            unallocatedPivPerCycle,
-            unallocatedPercent: 100 - budgetAllocatedPercent,
-            annualUnallocatedPiv,
-            proposalFeeBurnPiv: 50,
-            effectiveInflationReduction: network.totalSupply > 0
-                ? `${((annualUnallocatedPiv / network.totalSupply) * 100).toFixed(3)}%`
-                : "N/A",
-        },
-        timestamp: new Date().toISOString(),
-        source: "pivx.org/proposals + chainz.cryptoid.info",
-        cacheHit: false,
-    };
-    cachedData = data;
-    cacheTimestamp = Date.now();
-    return data;
-}