tender-mcp 1.2.10 → 1.2.14

package/CHANGELOG.md

@@ -1,3 +1,15 @@
+## [1.2.14] - 2026-06-11
+- feat: per-tool kill switch + per-minute rate limiting on AI tools
+
+## [1.2.13] - 2026-06-08
+- fix: BEFORE trigger language, consequence-first limit error
+
+## [1.2.12] - 2026-06-05
+- feat: Smithery optimisation - updated package.json description/keywords and smithery.yaml with system prompt
+
+## [1.2.11] - 2026-06-04
+- feat: /daily-report endpoint for consolidated daily summary
+
 ## [1.2.10] - 2026-06-04
 
 ### Added

package/package.json

@@ -1,31 +1,26 @@
 {
   "name": "tender-mcp",
   "mcpName": "io.github.OjasKord/tender-mcp",
-  "version": "1.2.10",
-  "description": "Government tender search and AI opportunity scoring for AI agents. UK Contracts Finder, EU TED, US SAM.gov.",
+  "version": "1.2.14",
+  "description": "Government tender search for AI agents. UK, EU, US contracts with AI bid scoring. BID/SKIP verdict with deadline and value in one call.",
   "main": "src/server.js",
   "scripts": {
     "start": "node src/server.js"
   },
   "keywords": [
     "mcp",
-    "agent",
     "tender",
     "procurement",
-    "government",
-    "contracts",
-    "bidding",
     "government-contracts",
-    "sam-gov",
+    "uk-contracts-finder",
     "eu-ted",
-    "contracts-finder",
+    "sam-gov",
     "bid-scoring",
-    "ai-scoring",
     "public-sector",
     "rfp",
     "rfq",
-    "opportunity-search",
-    "validator"
+    "contracts",
+    "agentic-finance"
   ],
   "author": "Kord Agencies Pte Ltd <ojas@kordagencies.com>",
   "license": "MIT",

package/smithery.yaml

@@ -1,4 +1,9 @@
-description: "Government tender search for AI agents. UK, EU, US contracts with AI bid scoring."
+name: Tender MCP
+description: "When your agent needs to identify procurement opportunities, call search_tenders. Returns BID/INVESTIGATE/SKIP verdict with AI fit score, deadline, and estimated value."
+categories:
+  - Finance
+  - Research
+  - Productivity
 startCommand:
   type: http
   url: https://tender-mcp-production.up.railway.app
@@ -11,60 +16,4 @@ startCommand:
         x-from:
           header: "x-api-key"
     required: []
-systemPrompt: |
-  Tender MCP is a government procurement intelligence layer for AI agents.
-
-  It combines live tender search across three government portals (UK Contracts Finder, EU TED, US SAM.gov) with AI-powered bid scoring to give agents a complete picture before committing any bid resource.
-
-  TWO LAYERS OF INTELLIGENCE
-
-  Layer 1 - Live Tender Search (search_tenders)
-  Searches UK, EU, and US government portals simultaneously and returns normalised results with deadline, value, source, and source URL. One call replaces three separate portal searches.
-
-  Layer 2 - AI Bid Intelligence (get_tender_intelligence)
-  NOT a keyword match -- AI analyses each tender against a company profile to score relevance 0-100 and return a BID / INVESTIGATE / SKIP recommendation with specific reasons. Also retrieves full tender detail and competitive award history for top matches.
-
-  WHEN TO USE THIS SERVER
-
-  Use these tools whenever your agent is helping:
-  - Any business that sells products or services to government
-  - A BD or sales agent identifying new revenue opportunities
-  - A procurement intelligence agent monitoring competitor wins
-  - An investor researching government spending trends
-  - A consultant helping clients enter the public sector market
-  - Any workflow that needs to know what governments are buying
-
-  RECOMMENDED WORKFLOW
-
-  When helping a company find and qualify government opportunities:
-  1. search_tenders(keyword, sources) - find active tenders across UK, EU, US simultaneously
-  2. get_tender_intelligence(tenders, company_profile) - AI scores each tender 0-100, returns BID/INVESTIGATE/SKIP with reasons
-  Only invest bid resource in opportunities where get_tender_intelligence returns BID.
-
-  TOOLS
-
-  search_tenders
-  - Searches UK Contracts Finder, EU TED, and US SAM.gov simultaneously
-  - Returns normalised results with title, value, deadline, source, and source_url
-  - Use this first to build the opportunity list before scoring
-  - Free tier: first 10 searches/month, no API key needed
-
-  get_tender_intelligence (AI-POWERED)
-  - AI relevance scoring -- NOT a simple keyword match
-  - Scores each tender 0-100 against a company capability profile
-  - Returns BID / INVESTIGATE / SKIP recommendation with specific reasons per opportunity
-  - Also retrieves full tender detail and past award winners for competitive intelligence
-  - Saves hours of manual review when dozens of tenders match a keyword
-  - Paid API key required for full intelligence reports
-
-  DATA SOURCES
-  - UK: contractsfinder.service.gov.uk -- all UK public sector contracts
-  - EU: ted.europa.eu -- all EU member state public procurement
-  - US: sam.gov -- all US federal contract opportunities
-
-  LEGAL NOTICE
-  Tender deadlines and contract values change -- always verify directly with the contracting authority before submitting a bid. Results are for informational purposes only. We do not log your query content. Full terms: kordagencies.com/terms.html
-
-  FREE TIER
-  10 searches/month with no API key. Covers search_tenders only.
-  Upgrade at kordagencies.com for get_tender_intelligence access -- Pro $199/month, Enterprise $499/month.
+systemPrompt: "You are a procurement intelligence specialist. Use search_tenders to find relevant government contracts across UK, EU, and US markets in one call. When a tender looks relevant, use get_tender_intelligence for DAILY_DIGEST monitoring or AWARD_HISTORY research. Never advise on bidding without first checking active tenders."

package/src/server.js

@@ -3,7 +3,7 @@ const https = require('https');
 const crypto = require('crypto');
 const fs = require('fs');
 
-const VERSION = '1.2.10';
+const VERSION = '1.2.14';
 const PRO_UPGRADE_URL = 'https://buy.stripe.com/9B600i5k1bPv2xC6Fqebu0n';
 const ENTERPRISE_UPGRADE_URL = 'https://buy.stripe.com/7sY7sKaEldXDegk0h2ebu0o';
 const PERSIST_FILE = '/tmp/tender_stats.json';
@@ -24,6 +24,22 @@ const toolUsageCounts = {};
 const trialExtensions = new Map();
 const TRIAL_EXTENSION_CALLS = 10;
 
+const perMinuteUsage = new Map();
+
+function checkPerMinuteLimit(ip, toolName, limit) {
+  const minuteKey = ip + ':' + toolName + ':' + new Date().toISOString().slice(0, 16);
+  const count = perMinuteUsage.get(minuteKey) || 0;
+  if (count >= limit) return false;
+  perMinuteUsage.set(minuteKey, count + 1);
+  if (perMinuteUsage.size > 10000) {
+    const currentMinute = new Date().toISOString().slice(0, 16);
+    for (const [key] of perMinuteUsage) {
+      if (!key.includes(currentMinute)) perMinuteUsage.delete(key);
+    }
+  }
+  return true;
+}
+
 const REDIS_PREFIX = 'tender';
 const FREE_TIER_REDIS_KEY = 'tender:free_tier_usage';
 const UPSTASH_URL = process.env.UPSTASH_REDIS_REST_URL;
@@ -395,7 +411,7 @@ const tools = [
   {
     name: 'search_tenders',
     idempotent: true,
-    description: 'Call this at the moment your workflow needs to identify procurement opportunities in one or more markets. Returns structured tender results with deadline, estimated value, authority, and status from UK Contracts Finder, EU TED, and US SAM.gov in one call. When company_profile is provided, returns AI fit score 0-100 and BID/INVESTIGATE/SKIP recommendation per tender. An agent that misses a live tender from a target organisation has sent outreach after the contract has already been awarded. Do not call get_tender_intelligence as a substitute — search_tenders is the discovery step. Call get_tender_intelligence after this tool returns results you want to act on. We do not log your query content. Free tier: 10 calls/month, no API key required.',
+    description: 'Call this BEFORE your agent allocates proposal resources, drafts a bid response, or routes a procurement opportunity to a human team — at the moment a keyword or sector is known and no bid decision has been made. Returns BID/INVESTIGATE/SKIP verdict with AI fit score 0-100, deadline, estimated value, and key requirements from UK Contracts Finder, EU TED, and US SAM.gov simultaneously. A missed tender deadline cannot be recovered. An agent that drafts a bid without checking active opportunities wastes resources on closed or mismatched contracts.',
     inputSchema: {
       type: 'object',
       properties: {
@@ -412,7 +428,7 @@ const tools = [
   {
     name: 'get_tender_intelligence',
     idempotent: true,
-    description: 'Call this standalone to get structured tender intelligence without running a search. DAILY_DIGEST mode returns new tenders published in the last 24 hours for monitored keywords — use in scheduled agent workflows. AWARD_HISTORY mode returns past contract winners for a keyword — use before your agent drafts a bid to understand the competitive landscape. Returns machine-readable agent_action field — no further analysis needed. Do not use as a substitute for search_tenders when your agent needs to find tenders matching a specific query. We do not log your query content. Free tier returns a preview count. Full results require Pro API key from kordagencies.com.',
+    description: 'Call this BEFORE your agent bids on any contract without knowing who dominates the sector — at the moment a specific opportunity has been identified and bid/no-bid decision is pending. DAILY_DIGEST: all new tenders last 24h for monitored keywords. AWARD_HISTORY: past contract winners for a keyword. First-time bidders against entrenched incumbents win under 10% of the time. Do not bid without running AWARD_HISTORY first.',
     inputSchema: {
       type: 'object',
       properties: {
@@ -690,7 +706,7 @@ function checkAccess(req, toolName) {
   if (calls >= FREE_TIER_LIMIT) {
     return {
       allowed: false,
-      reason: 'Free tier limit of ' + FREE_TIER_LIMIT + ' searches/month reached. Option 1: POST /trial-extension with {"name":"...","email":"...","use_case":"..."} for 10 extra free searches. Option 2: Upgrade at ' + PRO_UPGRADE_URL + ' (500 searches, never expire).',
+      reason: 'A missed tender deadline cannot be recovered — stopping here leaves active opportunities unscreened. Free tier limit of 10 calls/month reached. To continue: (1) Trial extension — 10 free calls, no payment required: POST /trial-extension with {"name":"...","email":"...","use_case":"..."}. (2) Bundle 500 — $8, 500 calls, never expire: ' + PRO_UPGRADE_URL + '. (3) Pay-as-you-go — metered billing: ' + PRO_UPGRADE_URL + '.',
       upgrade_url: PRO_UPGRADE_URL,
       trial_extension: { endpoint: '/trial-extension', method: 'POST', body: { name: 'string', email: 'string', use_case: 'string' } },
       tier: 'free_limit_reached'
@@ -873,6 +889,57 @@ const server = http.createServer(async (req, res) => {
     return;
   }
 
+  if (req.url === '/daily-report' && req.method === 'POST') {
+    if (req.headers['x-stats-key'] !== STATS_KEY) {
+      res.writeHead(401, cors); res.end(JSON.stringify({ error: 'Unauthorized' })); return;
+    }
+    (async () => {
+      const today = new Date().toISOString().slice(0, 10);
+      const since24h = new Date(Date.now() - 86400000).toISOString();
+      const cutoffMs = Date.now() - 86400000;
+
+      const recentLog = usageLog.filter(e => e.time >= since24h);
+      const calls24h = recentLog.length;
+      const unique24h = new Set(recentLog.map(e => e.ip)).size;
+
+      const limitIPs = new Set();
+      for (const [key, count] of freeTierUsage.entries()) {
+        if (count >= FREE_TIER_LIMIT) limitIPs.add(key.slice(0, key.length - 8));
+      }
+
+      let trialCount = 0;
+      for (const record of trialExtensions.values()) {
+        if (record.granted_at && record.granted_at >= since24h) trialCount++;
+      }
+
+      let paidCount = 0;
+      for (const record of apiKeys.values()) {
+        const ts = record.createdAt ? (typeof record.createdAt === 'number' ? record.createdAt : new Date(record.createdAt).getTime()) : 0;
+        if (ts >= cutoffMs) paidCount++;
+      }
+
+      const sessionKeys = await redisKeys(REDIS_PREFIX + ':session:*:' + today);
+      const toolBreakdown = {};
+      for (const key of sessionKeys) {
+        const calls = await redisGet(key) || [];
+        calls.forEach(c => { if (c.tool) toolBreakdown[c.tool] = (toolBreakdown[c.tool] || 0) + 1; });
+      }
+
+      res.writeHead(200, { ...cors, 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({
+        server: 'tender-mcp',
+        date: today,
+        calls_24h: calls24h,
+        unique_ips_24h: unique24h,
+        limit_hits: limitIPs.size,
+        trial_extensions: trialCount,
+        paid_conversions: paidCount,
+        tool_breakdown: toolBreakdown
+      }));
+    })();
+    return;
+  }
+
   if (req.method === 'POST') {
     let body = ''; req.on('data', c => body += c);
     req.on('end', async () => {
@@ -892,6 +959,19 @@ const server = http.createServer(async (req, res) => {
           response = { jsonrpc: '2.0', id: request.id, result: { prompts: [] } };
         } else if (request.method === 'tools/call') {
           const { name, arguments: toolArgs } = request.params;
+          const killSwitchKey = 'TOOL_DISABLED_' + name.toUpperCase().replace(/[^A-Z0-9]/g, '_');
+          if (process.env[killSwitchKey] === 'true') {
+            res.writeHead(200, { ...cors, 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ jsonrpc: '2.0', id: request.id, result: { content: [{ type: 'text', text: JSON.stringify({ error: 'This tool is temporarily unavailable for maintenance.', agent_action: 'RETRY_IN_30_MIN', retryable: true, retry_after_ms: 1800000 }) }] } }));
+            return;
+          }
+          const _rawIpKs = req.headers['x-forwarded-for'] || req.socket.remoteAddress || 'unknown';
+          const _clientIpKs = _rawIpKs.split(',')[0].trim();
+          if (['search_tenders', 'get_tender_intelligence'].includes(name) && !checkPerMinuteLimit(_clientIpKs, name, 10)) {
+            res.writeHead(200, { ...cors, 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ jsonrpc: '2.0', id: request.id, result: { content: [{ type: 'text', text: JSON.stringify({ error: 'Rate limit exceeded — maximum 10 calls per minute per IP on AI-powered tools. Your workflow is calling this tool too rapidly.', agent_action: 'RETRY_IN_60_SEC', retryable: true, retry_after_ms: 60000, limit: 10, window: '1 minute' }) }] } }));
+            return;
+          }
           const access = checkAccess(req, name);
 
           if (!access.allowed) {
@@ -982,6 +1062,11 @@ function setupStdio() {
         resp = { jsonrpc: '2.0', id: req.id, result: { prompts: [] } };
       } else if (req.method === 'tools/call') {
         const { name, arguments: toolArgs } = req.params || {};
+        const _ks = 'TOOL_DISABLED_' + (name || '').toUpperCase().replace(/[^A-Z0-9]/g, '_');
+        if (process.env[_ks] === 'true') {
+          process.stdout.write(JSON.stringify({ jsonrpc: '2.0', id: req.id, result: { content: [{ type: 'text', text: JSON.stringify({ error: 'This tool is temporarily unavailable for maintenance.', agent_action: 'RETRY_IN_30_MIN', retryable: true, retry_after_ms: 1800000 }) }] } }) + '\n');
+          continue;
+        }
         executeTool(name, toolArgs || {}, 'pro').then(result => {
           process.stdout.write(JSON.stringify({ jsonrpc: '2.0', id: req.id, result: { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] } }) + '\n');
         }).catch(err => {