npm - shabaaspay-mcp-server - Versions diffs - 1.0.1 → 1.0.2 - Mend

shabaaspay-mcp-server 1.0.1 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/config/index.js +2 -2
package/dist/server/http-server.js +39 -3
package/dist/server/stdio-server.js +27 -7
package/package.json +3 -3
package/readme.md +67 -99

package/dist/config/index.js CHANGED Viewed

@@ -22,8 +22,8 @@ const ConfigSchema = zod_1.z.object({
     // ShaBaas API authentication
     shabaasAuthUuid: zod_1.z.string().min(1, 'ShaBaas auth UUID is required'),
     // Base URLs (override via env; defaults are placeholders only)
-    sandboxUrl: zod_1.z.string().url().default('https://sandbox.example.com'),
-    productionUrl: zod_1.z.string().url().default('https://api.example.com'),
+    sandboxUrl: zod_1.z.string().url().default('https://mcp-staging.shabaas.com'),
+    productionUrl: zod_1.z.string().url().default('https://mcp.shabaas.com'),
     // HTTP mode configuration (optional)
     httpPort: zod_1.z.coerce.number().default(3000),
     httpHost: zod_1.z.string().default('0.0.0.0'),

package/dist/server/http-server.js CHANGED Viewed

@@ -229,7 +229,19 @@ class HttpMcpServer {
                 },
             };
         }
-        const policyResult = (0, policy_js_1.lookupClientPolicy)(token, this.config.environment);
+        let policyResult = (0, policy_js_1.lookupClientPolicy)(token, this.config.environment);
+        // POLICY BYPASS: Owner/Admin fallback for local dev
+        if (!policyResult.policy && this.config.shabaasAuthUuid && token === this.config.shabaasAuthUuid) {
+            policyResult = {
+                policy: {
+                    client_id: 'owner-admin',
+                    status: 'active',
+                    allowed_tools: ['*'],
+                    environment: this.config.environment,
+                    admin: true
+                }
+            };
+        }
         if (!policyResult.policy) {
             return {
                 success: false,
@@ -273,7 +285,19 @@ class HttpMcpServer {
                 },
             };
         }
-        const policyResult = (0, policy_js_1.lookupClientPolicy)(token, this.config.environment);
+        let policyResult = (0, policy_js_1.lookupClientPolicy)(token, this.config.environment);
+        // POLICY BYPASS: Owner/Admin fallback for local dev
+        if (!policyResult.policy && this.config.shabaasAuthUuid && token === this.config.shabaasAuthUuid) {
+            policyResult = {
+                policy: {
+                    client_id: 'owner-admin',
+                    status: 'active',
+                    allowed_tools: ['*'],
+                    environment: this.config.environment,
+                    admin: true
+                }
+            };
+        }
         if (!policyResult.policy) {
             return {
                 success: false,
@@ -358,7 +382,19 @@ class HttpMcpServer {
                     },
                 };
             }
-            const policyResult = (0, policy_js_1.lookupClientPolicy)(token, this.config.environment);
+            let policyResult = (0, policy_js_1.lookupClientPolicy)(token, this.config.environment);
+            // POLICY BYPASS: Owner/Admin fallback for local dev
+            if (!policyResult.policy && this.config.shabaasAuthUuid && token === this.config.shabaasAuthUuid) {
+                policyResult = {
+                    policy: {
+                        client_id: 'owner-admin',
+                        status: 'active',
+                        allowed_tools: ['*'],
+                        environment: this.config.environment,
+                        admin: true
+                    }
+                };
+            }
             if (!policyResult.policy || !(0, policy_js_1.isToolAllowed)(policyResult.policy, toolName)) {
                 return {
                     statusCode: 403,

package/dist/server/stdio-server.js CHANGED Viewed

@@ -54,19 +54,39 @@ class StdioMcpServer {
         this.server.setRequestHandler(types_js_1.CallToolRequestSchema, async (request) => {
             const { name, arguments: args } = request.params;
             console.error(`[STDIO] Executing tool: ${name}`);
-            console.error(`[STDIO] Arguments:`, JSON.stringify(args, null, 2));
-            // Auth guard: require authorization field in args (UUID or configured key)
-            const authToken = args?.authorization;
+            // console.error(`[STDIO] Arguments:`, JSON.stringify(args, null, 2));
+            // Auth guard: check args first, then fallback to env config
+            let authToken = args?.authorization;
             if (!authToken) {
-                throw new Error('STDIO authorization failed: missing authorization');
+                // Fallback for local dev / single tenant mode
+                if (self.config.shabaasAuthUuid) {
+                    authToken = self.config.shabaasAuthUuid;
+                }
+                else {
+                    throw new Error('STDIO authorization failed: missing authorization in args and SHABAAS_AUTH_UUID not set');
+                }
             }
+            // Optional: Check stdio specific key if configured
             if (self.config.mcpStdioApiKey && authToken !== self.config.mcpStdioApiKey) {
-                throw new Error('STDIO authorization failed: invalid authorization');
+                // If specific key is set, it MUST match
+                throw new Error('STDIO authorization failed: invalid authorization key');
             }
             // Tool allowlist via policy
-            const policyResult = (0, policy_js_1.lookupClientPolicy)(authToken, self.config.environment);
+            let policyResult = (0, policy_js_1.lookupClientPolicy)(authToken, self.config.environment);
+            // POLICY BYPASS: If no policy found, but token matches the owner UUID, allow it acting as Admin
+            if (!policyResult.policy && self.config.shabaasAuthUuid && authToken === self.config.shabaasAuthUuid) {
+                policyResult = {
+                    policy: {
+                        client_id: 'owner-admin',
+                        status: 'active',
+                        allowed_tools: ['*'],
+                        environment: self.config.environment,
+                        admin: true
+                    }
+                };
+            }
             if (!policyResult.policy) {
-                throw new Error('STDIO authorization failed: access denied');
+                throw new Error(`STDIO authorization failed: access denied (${policyResult.rejection})`);
             }
             if (!(0, policy_js_1.isToolAllowed)(policyResult.policy, name)) {
                 throw new Error('STDIO authorization failed: tool not permitted');

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "shabaaspay-mcp-server",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "ShaBaas Pay MCP Server - Australian real time payment API for AI applications",
   "keywords": [
     "mcp-server",
@@ -48,7 +48,7 @@
     "inspect": "dotenv -e .env -- npx @modelcontextprotocol/inspector node dist/index.js"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.0.0",
+    "@modelcontextprotocol/sdk": "^1.25.3",
     "axios": "^1.6.0",
     "dotenv": "^16.3.0",
     "zod": "^3.22.0",
@@ -59,6 +59,6 @@
     "dotenv-cli": "^11.0.0",
     "tsx": "^4.7.0",
     "typescript": "^5.3.0",
-    "wrangler": "^4.54.0"
+    "wrangler": "^4.59.3"
   }
 }

package/readme.md CHANGED Viewed

@@ -1,113 +1,81 @@
-# ShaBaas Pay MCP Server
-Australian real time payment processing for AI applications.
-Connect AI assistants to ShaBaas Pay to create and retrieve PayTo payment agreements with optional enrichment.
-## Quick start
-### Install
-npm install -g shabaaspay-mcp-server
-### Run locally
-shabaaspay-mcp
-### Run HTTP (for VS Code / HTTP MCP clients)
-shabaaspay-mcp-http
-The HTTP server exposes:
-- `GET /health` for health checks
-- `POST /tools/execute` for simple REST execution
-- `POST/GET /mcp` for MCP Streamable HTTP (use this endpoint in VS Code / HTTP clients)
-Environment (defaults shown):
-- `HTTP_PORT=3000`
-- `HTTP_HOST=0.0.0.0`
-- `MCP_HTTP_API_KEY=` (if empty, HTTP guard is disabled; set a value to lock down access)
-- `API_RATE_LIMIT_PER_MINUTE=60`, `API_RATE_LIMIT_PER_HOUR=1000`
-- `Authorization` header for tool calls: **plain ShaBaas-issued client UUID** (no Bearer prefix). Hosted Worker validates UUID against policy/secrets and fetches/caches the bearer internally.
-## Claude Desktop configuration
-Edit this file:
-%APPDATA%\Claude\claude_desktop_config.json
-Example:
+# ShaBaas Pay MCP Server
+Australian real time payment processing for AI applications.
+Connect AI assistants to ShaBaas Pay to create and retrieve PayTo payment agreements with optional enrichment.
+## Configuration
+### Environment Variables
+| Variable | Description | Required | Default |
+|----------|-------------|----------|---------|
+| `SHABAAS_AUTH_UUID` | Your ShaBaas Pay Client Secret UUID | Yes | - |
+| `SHABAAS_ENVIRONMENT` | `sandbox` or `production` | No | `sandbox` |
+| `HTTP_PORT` | Port for HTTP server | No | `3000` |
+### Claude Desktop
+Add this to `%APPDATA%\Claude\claude_desktop_config.json`:
+```json
 {
   "mcpServers": {
     "shabaaspay": {
-      "command": "shabaaspay-mcp",
+      "command": "npx",
+      "args": [
+        "-y",
+        "shabaaspay-mcp-server"
+      ],
       "env": {
         "SHABAAS_ENVIRONMENT": "sandbox",
-        "SHABAAS_SANDBOX_URL": "<sandbox_api_base_url>",
-        "SHABAAS_AUTH_UUID": "your_uuid_here"
+        "SHABAAS_AUTH_UUID": "your-uuid-here"
       }
     }
   }
 }
+```
-## VS Code / MCP HTTP configuration
+## Running Locally
-Hosted (staging/prod): point to `https://mcp-staging.shabaas.com/mcp` or `https://mcp.shabaas.com/mcp` and send `Authorization: <client_uuid_issued_by_shabaas>` (plain, no Bearer).
-Local dev: `http://localhost:3000/mcp` with `Authorization: <uuid>` (from your local env).
+### Classic Stdio (Node)
+```bash
+# Install dependencies
+npm install
-## LLM integration quickstart
-- **Auth header**: use your ShaBaas-issued client UUID as `Authorization: <uuid>` (plain, no Bearer). Hosted Worker validates it; server manages the bearer internally.
-- **Endpoints**: STDIO (`shabaaspay-mcp`) or HTTP MCP (`http://localhost:3000/mcp`), staging (`https://mcp-staging.shabaas.com/mcp`), production (`https://mcp.shabaas.com/mcp`).
-- **Common calls (curl)**:
-  - Get agreement:
-    ```bash
-    curl -X POST http://localhost:3000/mcp \
-      -H "Authorization: <uuid>" \
-      -H "Content-Type: application/json" \
-      -d '{"tool":"get_payment_agreement","arguments":{"payment_agreement_id":"2882PA20251227045450257","enrich":true}}'
-    ```
-  - Create agreement:
+# Build
+npm run build
+# Run
+export SHABAAS_AUTH_UUID=your-uuid
+node dist/index.js
+```
+### Docker
+```bash
+# Build
+docker build -t shabaaspay-mcp .
+# Run (Stdio)
+docker run -i --rm -e SHABAAS_AUTH_UUID=your-uuid shabaaspay-mcp
+# Run (HTTP)
+docker run --init -p 3000:3000 \
+  -e SHABAAS_AUTH_UUID=your-uuid \
+  shabaaspay-mcp node dist/server-http.js
+```
+## Publishing Recommendations
+To make this MCP easily accessible to LLMs, we recommend:
+1.  **NPM**: Publish the package (already done as `shabaaspay-mcp-server`). Ensure `v1.0.2` includes the latest fixes.
+2.  **Docker Hub**: Publish the image as `shabaaspay/mcp-server`.
     ```bash
-    curl -X POST http://localhost:3000/mcp \
-      -H "Authorization: <uuid>" \
-      -H "Content-Type: application/json" \
-      -d '{"tool":"create_payment_agreement","arguments":{"name":"Test","type":"email","maximum_amount":"10.00","frequency":"WEEK","number_of_transactions_permitted":1,"pay_id":"sample@shabaas.com"}}'
+    docker tag shabaaspay-mcp shabaaspay/mcp-server:latest
+    docker push shabaaspay/mcp-server:latest
     ```
-- **Inspector/VS Code**: set MCP URL to `/mcp` and header `Authorization: <uuid>`; list tools then call by name. Enrichment toggles (`enrich`, `include_raw`) are available on payment tools.
-## Tool manifest (LLM-friendly)
-- Catalog JSON: `docs/tool-catalog.json` (publishable at a stable URL for ingestion).
-- Tools:
-  - `get_auth_token` – fetch bearer (debug; server auto-manages tokens)
-  - `create_payment_agreement` – create PayTo agreement
-  - `get_payment_agreement` – retrieve agreement with enrichment toggle
-  - `initiate_payment` – initiate payment against agreement
-  - `get_payment_initiation` – retrieve payment initiation
-- Auth: `Authorization: <uuid>` (plain). Server fetches/caches ShaBaas bearer.
-## Auth & rate limits
-- Provide your ShaBaas UUID in the `Authorization` header (plain value, no `Bearer`). The MCP server fetches and caches the ShaBaas bearer internally.
-- HTTP guard is optional via `MCP_HTTP_API_KEY`; leave empty to avoid 403s in local testing.
-- Rate limits: defaults 60/min and 1000/hour; configure with `API_RATE_LIMIT_PER_MINUTE` / `API_RATE_LIMIT_PER_HOUR`.
-- CORS: configure `ALLOWED_ORIGINS` (comma separated) for HTTP clients (e.g., Inspector UI).
-## Enrichment toggle
-Tools support `enrich` (default true) and `include_raw` (default false) to control business context and raw payloads. Set `enrich: false` for lean responses.
-## Available tools
-Payment agreements
-1. create_payment_agreement
-2. get_payment_agreement
-Authentication helper
-1. get_auth_token
-## Examples
-See examples/basic.md
-## Documentation
-1. docs/installation.md
-2. docs/authentication.md
-3. docs/api-reference.md
-## License
-MIT, see LICENSE
+3.  **Smithery / Glama**: Register your MCP server on these registries for wider discovery.
+    -   Add `shabaaspay-mcp-server` to [smithery.ai](https://smithery.ai/docs/publishing)
+    -   Add to [glama.ai](https://glama.ai)
+## License
+MIT, see LICENSE