shabaaspay-mcp-server 1.0.2 → 1.0.4

package/LICENSE

@@ -1,21 +1,21 @@
-MIT License
-
-Copyright (c) 2026 ShaBaas
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+MIT License
+
+Copyright (c) 2026 ShaBaas
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/agent-toolkit/ai-sdk.d.ts

@@ -0,0 +1,5 @@
+import { ShabaasAgentToolkit, type ShabaasAgentToolkitOptions } from './index.js';
+export declare class ShabaasAgentToolkitAiSdk extends ShabaasAgentToolkit {
+    constructor(options: ShabaasAgentToolkitOptions);
+    getAiSdkTools(): Promise<Record<string, any>>;
+}

package/dist/agent-toolkit/ai-sdk.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ShabaasAgentToolkitAiSdk = void 0;
+const zod_to_json_schema_1 = require("zod-to-json-schema");
+const index_js_1 = require("./index.js");
+class ShabaasAgentToolkitAiSdk extends index_js_1.ShabaasAgentToolkit {
+    constructor(options) {
+        super(options);
+    }
+    async getAiSdkTools() {
+        let toolFactory;
+        try {
+            const aiModuleName = 'ai';
+            const aiModule = await import(aiModuleName);
+            toolFactory = aiModule.tool;
+        }
+        catch {
+            throw new Error('AI SDK adapter requires the "ai" package. Install it with: npm install ai');
+        }
+        const entries = this.getTools().map((toolDef) => {
+            const parameters = (0, zod_to_json_schema_1.zodToJsonSchema)(toolDef.inputSchema);
+            return [
+                toolDef.name,
+                toolFactory({
+                    description: toolDef.description,
+                    parameters,
+                    execute: async (args) => toolDef.execute(args ?? {}),
+                }),
+            ];
+        });
+        return Object.fromEntries(entries);
+    }
+}
+exports.ShabaasAgentToolkitAiSdk = ShabaasAgentToolkitAiSdk;

package/dist/agent-toolkit/index.d.ts

@@ -0,0 +1,16 @@
+export type ShabaasAgentToolkitOptions = {
+    apiKey: string;
+    environment?: 'sandbox' | 'production';
+};
+export type ShabaasFunctionTool = {
+    name: string;
+    description: string;
+    inputSchema: unknown;
+    execute: (args?: Record<string, unknown>) => Promise<unknown>;
+};
+export declare class ShabaasAgentToolkit {
+    private readonly apiKey;
+    private readonly tools;
+    constructor(options: ShabaasAgentToolkitOptions);
+    getTools(): ShabaasFunctionTool[];
+}

package/dist/agent-toolkit/index.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ShabaasAgentToolkit = void 0;
+const client_js_1 = require("../api/client.js");
+const backend_urls_js_1 = require("../constants/backend-urls.js");
+const index_js_1 = require("../tools/index.js");
+function toToolkitConfig(options) {
+    const environment = options.environment ?? 'sandbox';
+    return {
+        environment,
+        shabaasAuthUuid: options.apiKey,
+        sandboxUrl: backend_urls_js_1.CANONICAL_SANDBOX_BASE_URL,
+        productionUrl: backend_urls_js_1.CANONICAL_PRODUCTION_BASE_URL,
+        httpPort: 3001,
+        httpHost: '0.0.0.0',
+        mcpHttpApiKey: '',
+        mcpStdioApiKey: '',
+        allowedOrigins: ['*'],
+        rateLimitPerMinute: 60,
+        rateLimitPerHour: 1000,
+        authTokenMaxAgeMinutes: 50,
+        policyCacheTtlMs: 300_000,
+    };
+}
+class ShabaasAgentToolkit {
+    apiKey;
+    tools;
+    constructor(options) {
+        if (!options.apiKey) {
+            throw new Error('ShabaasAgentToolkit requires apiKey');
+        }
+        this.apiKey = options.apiKey;
+        const config = toToolkitConfig(options);
+        const apiClient = new client_js_1.ShabaasApiClient(config);
+        this.tools = (0, index_js_1.createAllTools)(apiClient, config);
+    }
+    getTools() {
+        return Object.values(this.tools).map((tool) => ({
+            name: tool.name,
+            description: tool.description,
+            inputSchema: tool.inputSchema,
+            execute: async (args) => tool.execute(args ?? {}, { requestUuid: this.apiKey }),
+        }));
+    }
+}
+exports.ShabaasAgentToolkit = ShabaasAgentToolkit;

package/dist/agent-toolkit/langchain.d.ts

@@ -0,0 +1,5 @@
+import { ShabaasAgentToolkit, type ShabaasAgentToolkitOptions } from './index.js';
+export declare class ShabaasAgentToolkitLangChain extends ShabaasAgentToolkit {
+    constructor(options: ShabaasAgentToolkitOptions);
+    getLangChainTools(): Promise<any[]>;
+}

package/dist/agent-toolkit/langchain.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ShabaasAgentToolkitLangChain = void 0;
+const zod_1 = require("zod");
+const index_js_1 = require("./index.js");
+class ShabaasAgentToolkitLangChain extends index_js_1.ShabaasAgentToolkit {
+    constructor(options) {
+        super(options);
+    }
+    async getLangChainTools() {
+        let DynamicStructuredTool;
+        try {
+            const langchainToolsModule = '@langchain/core/tools';
+            ({ DynamicStructuredTool } = await import(langchainToolsModule));
+        }
+        catch {
+            throw new Error('LangChain adapter requires @langchain/core. Install it with: npm install @langchain/core');
+        }
+        return this.getTools().map((tool) => new DynamicStructuredTool({
+            name: tool.name,
+            description: tool.description,
+            schema: tool.inputSchema ?? zod_1.z.object({}),
+            func: async (args) => {
+                const result = await tool.execute(args);
+                return JSON.stringify(result);
+            },
+        }));
+    }
+}
+exports.ShabaasAgentToolkitLangChain = ShabaasAgentToolkitLangChain;

package/dist/agent-toolkit/modelcontextprotocol.d.ts

@@ -0,0 +1,2 @@
+export { StdioMcpServer } from '../server/stdio-server.js';
+export { HttpMcpServer } from '../server/http-server.js';

package/dist/agent-toolkit/modelcontextprotocol.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HttpMcpServer = exports.StdioMcpServer = void 0;
+var stdio_server_js_1 = require("../server/stdio-server.js");
+Object.defineProperty(exports, "StdioMcpServer", { enumerable: true, get: function () { return stdio_server_js_1.StdioMcpServer; } });
+var http_server_js_1 = require("../server/http-server.js");
+Object.defineProperty(exports, "HttpMcpServer", { enumerable: true, get: function () { return http_server_js_1.HttpMcpServer; } });

package/dist/api/client.d.ts

@@ -1,60 +1,71 @@
 import { Config } from '../config/index.js';
 import { ApiResponse } from '../types/index.js';
+/** Options for API calls that need backend auth; requestApiKey comes from the request (no .env). */
+export type RequestAuthOptions = {
+    requestUuid?: string;
+};
+/**
+ * Discoverable auth behavior metadata used by docs/discovery surfaces.
+ * Additive-only metadata: does not alter runtime request handling.
+ */
+export declare const AUTH_BEHAVIOR: {
+    readonly token_cache_ttl_ms: number;
+    readonly accepts_authorization_formats: readonly ["sbp_live_xxx", "Bearer sbp_live_xxx"];
+    readonly upstream_token_exchange: true;
+    readonly cache_scope: "per_api_key";
+};
 export declare class ShabaasApiClient {
     private client;
     private config;
-    private bearerToken;
-    private bearerTokenFetchedAtMs;
     constructor(config: Config);
     private normalizeBearer;
     /**
-     * Exchanges the configured UUID for a Bearer token.
-     * UUID must be sent only to /api/public/authorization in the Authorization header.
-     * The returned token is used for all subsequent API calls.
+     * Returns a bearer token for backend API calls. Use the API key from the request (Authorization header).
+     * No .env or global API key; requestUuid must be provided by the caller (value is the API key from the authenticated request).
+     * The backend accepts API key only.
      */
-    authorize(): Promise<{
-        token: string;
-        raw: any;
-    }>;
-    private tokenLooksFresh;
-    ensureAuthenticated(): Promise<void>;
+    getTokenForRequest(requestUuid?: string): Promise<string>;
     private withAuthRetry;
-    getAuthToken(): Promise<{
+    getAuthToken(options?: RequestAuthOptions): Promise<{
         token: string;
         fetchedAt: string;
     }>;
-    getPaymentAgreement(id: string): Promise<ApiResponse>;
+    getPaymentAgreement(id: string, options?: RequestAuthOptions): Promise<ApiResponse>;
     createPaymentAgreement(data: {
         name: string;
         type: string;
         maximum_amount: string;
         frequency: string;
         number_of_transactions_permitted: number;
-        pay_id: string;
-        idempotency_key: string;
-    }): Promise<ApiResponse>;
-    cancelPaymentAgreement(id: string): Promise<ApiResponse>;
-    resendPaymentAgreement(id: string): Promise<ApiResponse>;
+        pay_id?: string;
+        phone_number?: string;
+        bsb?: string | number;
+        account_number?: string | number;
+        agreement_type?: string;
+        start_date?: string;
+        end_date?: string;
+    }, options?: RequestAuthOptions): Promise<ApiResponse>;
+    cancelPaymentAgreement(id: string, options?: RequestAuthOptions): Promise<ApiResponse>;
+    resendPaymentAgreement(id: string, options?: RequestAuthOptions): Promise<ApiResponse>;
     initiatePayment(data: {
         payment_agreement_id: string;
         amount: string | number;
         description?: string;
-        idempotency_key: string;
-    }): Promise<ApiResponse>;
-    getPaymentInitiation(id: string): Promise<ApiResponse>;
+        notes?: string;
+    }, options?: RequestAuthOptions): Promise<ApiResponse>;
+    getPaymentInitiation(id: string, options?: RequestAuthOptions): Promise<ApiResponse>;
     initiateDirectDebit(data: {
         payment_agreement_id: string;
         amount: string | number;
         description?: string;
-        idempotency_key: string;
-    }): Promise<ApiResponse>;
+    }, options?: RequestAuthOptions): Promise<ApiResponse>;
     getPaymentLink(data: {
         amount: string;
         reference?: string;
-    }): Promise<ApiResponse>;
+    }, options?: RequestAuthOptions): Promise<ApiResponse>;
     registerWebhook(data: {
         url: string;
         events: string[];
-    }): Promise<ApiResponse>;
-    listWebhooks(): Promise<ApiResponse>;
+    }, options?: RequestAuthOptions): Promise<ApiResponse>;
+    listWebhooks(options?: RequestAuthOptions): Promise<ApiResponse>;
 }

package/dist/api/client.js

@@ -3,14 +3,25 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ShabaasApiClient = void 0;
+exports.ShabaasApiClient = exports.AUTH_BEHAVIOR = void 0;
 const axios_1 = __importDefault(require("axios"));
 const index_js_1 = require("../config/index.js");
+/** Cache bearer token per API key so we don't refetch every request. */
+const tokenCache = new Map();
+const CACHE_TTL_MS = 50 * 60 * 1000; // 50 min
+/**
+ * Discoverable auth behavior metadata used by docs/discovery surfaces.
+ * Additive-only metadata: does not alter runtime request handling.
+ */
+exports.AUTH_BEHAVIOR = {
+    token_cache_ttl_ms: CACHE_TTL_MS,
+    accepts_authorization_formats: ['sbp_live_xxx', 'Bearer sbp_live_xxx'],
+    upstream_token_exchange: true,
+    cache_scope: 'per_api_key',
+};
 class ShabaasApiClient {
     client;
     config;
-    bearerToken = null;
-    bearerTokenFetchedAtMs = null;
     constructor(config) {
         this.config = config;
         const baseURL = (0, index_js_1.getApiUrl)(config);
@@ -18,12 +29,17 @@ class ShabaasApiClient {
             baseURL,
             headers: {
                 'Content-Type': 'application/json',
+                // Identify requests as coming from the MCP server so the backend
+                'X-Shabaas-Client': 'mcp',
             },
             timeout: 30000,
         });
         this.client.interceptors.request.use((cfg) => {
             // Log to stderr to keep STDIO transport stdout clean for MCP JSON
             console.error(`[API Request] ${cfg.method?.toUpperCase()} ${cfg.url}`);
+            if (process.env.MCP_DEBUG === '1' || process.env.SHABAAS_DEBUG_HEADERS === '1') {
+                console.error(`[API Request] X-Shabaas-Client: ${cfg.headers['X-Shabaas-Client'] ?? '(not set)'}`);
+            }
             return cfg;
         }, (error) => {
             console.error('[API Request Error]', error);
@@ -49,14 +65,24 @@ class ShabaasApiClient {
             : `Bearer ${trimmed}`;
     }
     /**
-     * Exchanges the configured UUID for a Bearer token.
-     * UUID must be sent only to /api/public/authorization in the Authorization header.
-     * The returned token is used for all subsequent API calls.
+     * Returns a bearer token for backend API calls. Use the API key from the request (Authorization header).
+     * No .env or global API key; requestUuid must be provided by the caller (value is the API key from the authenticated request).
+     * The backend accepts API key only.
      */
-    async authorize() {
+    async getTokenForRequest(requestUuid) {
+        const apiKey = (requestUuid ?? this.config.shabaasAuthUuid ?? '').trim();
+        if (!apiKey) {
+            throw new Error('Backend API auth requires the API key. Send it in the Authorization header (Bearer <your_api_key>) when calling the MCP server.');
+        }
+        const cacheKey = apiKey;
+        const cached = tokenCache.get(cacheKey);
+        if (cached && Date.now() - cached.fetchedAt < CACHE_TTL_MS) {
+            return cached.token;
+        }
+        const authHeader = apiKey.toLowerCase().startsWith('bearer ') ? apiKey : `Bearer ${apiKey}`;
         const response = await this.client.post('/api/public/authorization', null, {
             headers: {
-                Authorization: this.config.shabaasAuthUuid,
+                Authorization: authHeader,
                 accept: 'application/json',
             },
         });
@@ -71,104 +97,107 @@ class ShabaasApiClient {
             throw new Error('Authorization succeeded but no token was returned. Expected token in response at data.token.');
         }
         const token = this.normalizeBearer(rawToken);
-        this.bearerToken = token;
-        this.bearerTokenFetchedAtMs = Date.now();
-        this.client.defaults.headers.common['Authorization'] = token;
-        return { token, raw: payload };
-    }
-    tokenLooksFresh() {
-        if (!this.bearerToken || !this.bearerTokenFetchedAtMs)
-            return false;
-        const ageMs = Date.now() - this.bearerTokenFetchedAtMs;
-        const maxAgeMs = this.config.authTokenMaxAgeMinutes * 60 * 1000;
-        return ageMs < maxAgeMs;
-    }
-    async ensureAuthenticated() {
-        if (this.tokenLooksFresh())
-            return;
-        await this.authorize();
-    }
-    async withAuthRetry(fn) {
+        tokenCache.set(cacheKey, { token, fetchedAt: Date.now() });
+        return token;
+    }
+    async withAuthRetry(fn, requestUuid) {
         try {
-            await this.ensureAuthenticated();
-            return await fn();
+            const token = await this.getTokenForRequest(requestUuid);
+            return await fn(token);
         }
         catch (err) {
             const status = err?.response?.status;
-            if (status === 401 || status === 403) {
-                await this.authorize();
-                return await fn();
+            if ((status === 401 || status === 403) && requestUuid) {
+                tokenCache.delete((requestUuid ?? '').trim());
+                const token = await this.getTokenForRequest(requestUuid);
+                return await fn(token);
             }
             throw err;
         }
     }
-    async getAuthToken() {
-        const { token } = await this.authorize();
+    async getAuthToken(options) {
+        const token = await this.getTokenForRequest(options?.requestUuid);
         return { token, fetchedAt: new Date().toISOString() };
     }
-    async getPaymentAgreement(id) {
-        return await this.withAuthRetry(async () => {
-            const response = await this.client.get(`/api/public/payment_agreement?id=${encodeURIComponent(id)}`);
+    async getPaymentAgreement(id, options) {
+        return await this.withAuthRetry(async (token) => {
+            const response = await this.client.get(`/api/public/payment_agreement?id=${encodeURIComponent(id)}`, { headers: { Authorization: token } });
             return response.data;
-        });
-    }
-    async createPaymentAgreement(data) {
-        return await this.withAuthRetry(async () => {
-            const body = {
-                payment_agreement: {
-                    name: data.name,
-                    type: data.type,
-                    maximum_amount: data.maximum_amount,
-                    frequency: data.frequency,
-                    number_of_transactions_permitted: data.number_of_transactions_permitted,
-                    pay_id: data.pay_id,
-                },
+        }, options?.requestUuid);
+    }
+    async createPaymentAgreement(data, options) {
+        return await this.withAuthRetry(async (token) => {
+            const pa = {
+                name: data.name,
+                type: data.type,
+                maximum_amount: data.maximum_amount,
+                frequency: data.frequency,
+                number_of_transactions_permitted: data.number_of_transactions_permitted,
             };
+            if (data.pay_id != null)
+                pa.pay_id = data.pay_id;
+            if (data.phone_number != null)
+                pa.phone_number = data.phone_number;
+            if (data.bsb != null)
+                pa.bsb = data.bsb;
+            if (data.account_number != null)
+                pa.account_number = data.account_number;
+            if (data.agreement_type != null)
+                pa.agreement_type = data.agreement_type;
+            if (data.start_date != null)
+                pa.start_date = data.start_date;
+            if (data.end_date != null)
+                pa.end_date = data.end_date;
+            const body = { payment_agreement: pa };
             const response = await this.client.post('/api/public/payment_agreement', body, {
                 headers: {
-                    'Idempotency-Key': data.idempotency_key,
+                    Authorization: token,
                 },
             });
             return response.data;
-        });
+        }, options?.requestUuid);
     }
-    async cancelPaymentAgreement(id) {
-        return await this.withAuthRetry(async () => {
-            const response = await this.client.delete(`/api/public/payment_agreement/cancel?id=${encodeURIComponent(id)}`);
+    async cancelPaymentAgreement(id, options) {
+        return await this.withAuthRetry(async (token) => {
+            const response = await this.client.delete(`/api/public/payment_agreement/cancel?id=${encodeURIComponent(id)}`, { headers: { Authorization: token } });
             return response.data;
-        });
+        }, options?.requestUuid);
     }
-    async resendPaymentAgreement(id) {
-        return await this.withAuthRetry(async () => {
-            const response = await this.client.patch('/api/public/payment_agreement/resend', { id });
+    async resendPaymentAgreement(id, options) {
+        return await this.withAuthRetry(async (token) => {
+            const response = await this.client.patch('/api/public/payment_agreement/resend', { id }, {
+                headers: { Authorization: token },
+            });
             return response.data;
-        });
+        }, options?.requestUuid);
     }
-    async initiatePayment(data) {
-        return await this.withAuthRetry(async () => {
+    async initiatePayment(data, options) {
+        return await this.withAuthRetry(async (token) => {
             const amount = normalizeAmount(data.amount);
             const response = await this.client.post('/api/public/payment_initiation', {
                 payment_initiation: {
                     payment_agreement_id: data.payment_agreement_id,
                     amount,
-                    description: data.description,
+                    notes: data.notes ?? data.description,
                 },
             }, {
                 headers: {
-                    'Idempotency-Key': data.idempotency_key,
+                    Authorization: token,
                 },
+                // Backend may call Monoova and can take up to Rack timeout (60s); use 65s so we get Rails response
+                timeout: 65000,
             });
             return response.data;
-        });
+        }, options?.requestUuid);
     }
-    async getPaymentInitiation(id) {
-        return await this.withAuthRetry(async () => {
-            const response = await this.client.get(`/api/public/payment_initiation?id=${encodeURIComponent(id)}`);
+    async getPaymentInitiation(id, options) {
+        return await this.withAuthRetry(async (token) => {
+            const response = await this.client.get(`/api/public/payment_initiation?id=${encodeURIComponent(id)}`, { headers: { Authorization: token } });
             return response.data;
-        });
+        }, options?.requestUuid);
     }
-    async initiateDirectDebit(data) {
-        return await this.withAuthRetry(async () => {
+    async initiateDirectDebit(data, options) {
+        return await this.withAuthRetry(async (token) => {
             const amount = normalizeAmount(data.amount);
             const response = await this.client.post('/api/public/payment_initiation/direct_debit', {
                 payment_initiation: {
@@ -178,29 +207,35 @@ class ShabaasApiClient {
                 },
             }, {
                 headers: {
-                    'Idempotency-Key': data.idempotency_key,
+                    Authorization: token,
                 },
             });
             return response.data;
-        });
+        }, options?.requestUuid);
     }
-    async getPaymentLink(data) {
-        return await this.withAuthRetry(async () => {
-            const response = await this.client.post('/api/get_url', data);
+    async getPaymentLink(data, options) {
+        return await this.withAuthRetry(async (token) => {
+            const response = await this.client.post('/api/get_url', data, {
+                headers: { Authorization: token },
+            });
             return response.data;
-        });
+        }, options?.requestUuid);
     }
-    async registerWebhook(data) {
-        return await this.withAuthRetry(async () => {
-            const response = await this.client.post('/api/public/webhooks', data);
+    async registerWebhook(data, options) {
+        return await this.withAuthRetry(async (token) => {
+            const response = await this.client.post('/api/public/webhooks', data, {
+                headers: { Authorization: token },
+            });
             return response.data;
-        });
+        }, options?.requestUuid);
     }
-    async listWebhooks() {
-        return await this.withAuthRetry(async () => {
-            const response = await this.client.get('/api/public/webhooks');
+    async listWebhooks(options) {
+        return await this.withAuthRetry(async (token) => {
+            const response = await this.client.get('/api/public/webhooks', {
+                headers: { Authorization: token },
+            });
             return response.data;
-        });
+        }, options?.requestUuid);
     }
 }
 exports.ShabaasApiClient = ShabaasApiClient;

package/dist/api/mcp-auth.d.ts

@@ -0,0 +1,18 @@
+import type { ClientPolicy } from '../security/policy.js';
+export type FetchPolicyResult = {
+    policy: ClientPolicy;
+    rejection?: undefined;
+} | {
+    policy?: undefined;
+    rejection: string;
+};
+/**
+ * Returns policy for the given token, using in-memory cache when ttlMs > 0.
+ * On cache miss or when ttlMs <= 0, calls the backend. Only successful results are cached.
+ */
+export declare function getPolicyWithCache(token: string, baseUrl: string, environment: 'sandbox' | 'production', ttlMs: number): Promise<FetchPolicyResult>;
+/**
+ * Calls backend GET /api/mcp/auth with Bearer token (API key); returns policy or rejection.
+ * The backend looks up the user by API key only.
+ */
+export declare function fetchPolicyFromBackend(token: string, baseUrl: string, environment: 'sandbox' | 'production'): Promise<FetchPolicyResult>;