thebuyside-x402-agent 0.2.0

package/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for describing the origin of the Work and
+      reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may accept and charge a
+      fee for, acceptance of support, warranty, indemnity, or other
+      liability obligations and/or rights consistent with this License.
+      However, in accepting such obligations, You may act only on Your
+      own behalf and on Your sole responsibility, not on behalf of any
+      other Contributor, and only if You agree to indemnify, defend,
+      and hold each Contributor harmless for any liability incurred by,
+      or claims asserted against, such Contributor by reason of your
+      accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2026 Joshua Harrington
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/NOTICE

@@ -0,0 +1,7 @@
+thebuyside-x402-agent
+Copyright 2026 Joshua Harrington
+
+This product is licensed under the Apache License, Version 2.0.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0

package/README.md

@@ -0,0 +1,148 @@
+# thebuyside-x402-agent
+
+The MCP gateway that lets any AI agent discover and pay x402-priced APIs — without the user wiring payments themselves.
+
+`thebuyside-x402-agent` is the canonical buyer-side reference implementation for [x402](https://x402.org), the HTTP 402 payment standard stewarded by the Linux Foundation. Drop it into Claude Code, Claude Desktop, Cursor, or any MCP client, and your agent gains three tools:
+
+- **`x402.discover`** — search a curated registry of x402-priced APIs
+- **`x402.fetch`** — call one (the gateway pays the 402 challenge automatically)
+- **`x402.wallet_status`** — show the gateway's wallet, today's spend, and caps
+
+The agent never sees the 402, never sees a wallet, never holds a private key.
+
+## Status
+
+**v0 shipped 2026-05-10.** First end-to-end paid call from Claude Code:
+
+> `$0.005 USDC` settled on Base mainnet — tx [`0xd0917b35d8b778cf8d0249cc1b107a48ff7125b9fcaf7b4b257d823f73cc6aac`](https://basescan.org/tx/0xd0917b35d8b778cf8d0249cc1b107a48ff7125b9fcaf7b4b257d823f73cc6aac)
+
+- 65 unit tests + MCP smoke test, all green
+- x402 v1 + v2 dual wire support (handles both transports)
+- Spend caps, host allowlist, receipts log, self-transfer guard, confirm-before-pay (MCP elicitation)
+- Apache 2.0, DCO not CLA
+
+## Quickstart
+
+Two steps. You need Node 20+ and a Base-mainnet wallet funded with at least `$0.01 USDC`.
+
+### 1. Set the wallet key in your environment
+
+```bash
+export X402_PAYER_PRIVATE_KEY=0x...
+```
+
+Use a fresh wallet, not your main one. (You can also pass this via your MCP client's `env` block — see below.)
+
+### 2. Register the gateway with your MCP client
+
+**Claude Code (CLI):**
+
+```bash
+claude mcp add x402-pay -- npx -y thebuyside-x402-agent
+```
+
+Open a session, type `/mcp` to verify, then ask: *"Use x402.wallet_status to show my wallet."*
+
+**Claude Desktop:**
+
+See [docs/install-claude-desktop.md](docs/install-claude-desktop.md).
+
+> Local stdio MCP servers can only be reached by **local** MCP clients (Claude Code CLI, Claude Desktop). The claude.ai web app's "Code" mode runs in Anthropic's cloud and can't reach a server on your laptop.
+
+## Try it
+
+Once connected, ask the model:
+
+> *"Use x402.discover to find APIs about news."*
+
+> *"Use x402.fetch to get https://news-ep.com/api/v1/stories?market=houston&limit=5"*
+
+The first returns the registry. The second pays `$0.005 USDC` and returns Houston news.
+
+After a successful call, ask `x402.wallet_status` and you'll see today's spend reflected.
+
+## Configuration
+
+Spend controls have safe defaults. Override via env if needed.
+
+| Var | Default | What it does |
+| --- | --- | --- |
+| `X402_PAYER_PRIVATE_KEY` | *(required for payment)* | Base-mainnet wallet key (0x-prefixed) |
+| `X402_DAILY_LIMIT` | `1.00` | Max USDC spent per rolling 24h window |
+| `X402_PER_CALL_LIMIT` | `0.05` | Max USDC per single call |
+| `X402_ALLOWLIST` | hosts in `seed.json` | Comma-separated extra allowed hostnames |
+| `X402_ALLOW_UNVERIFIED` | *(off)* | `1` allows any host — dev only |
+| `X402_REQUIRE_CONFIRM` | `always` | `always`, `never`, or a USDC threshold (e.g. `0.01`). Asks the user to approve via MCP elicitation before signing |
+| `X402_CONFIRM_STRICT` | *(off)* | `1` refuses payment when the client doesn't support elicitation (default: log a warning and proceed) |
+| `X402_RECEIPTS_PATH` | `.local/receipts.jsonl` | Where the receipts log is written |
+| `X402_TEST_URL` | news-ep stories | Override target for `pnpm pay-newsep` |
+
+Limit values accept either decimal USDC (`0.05`) or atomic units (`50000`). See [docs/configuring-spend-limits.md](docs/configuring-spend-limits.md) for the full guide.
+
+## How it works
+
+```
+   Claude Code / Claude Desktop / Cursor
+                  │
+                  │  MCP over stdio
+                  │
+            ┌─────▼─────┐
+            │  Gateway  │   ← src/server.ts (this repo)
+            └─────┬─────┘
+                  │
+                  │  HTTPS GET → 402 challenge → EIP-3009 sign
+                  │             → retry with PAYMENT-SIGNATURE
+                  │             → 200 + body
+                  │
+            ┌─────▼──────┐         ┌──────────────────┐
+            │ x402 server│ ──────→ │ CDP facilitator  │ ─→ Base USDC settle
+            │ (e.g.      │         │ (verify + submit │
+            │  news-ep)  │ ←────── │  tx)             │
+            └────────────┘         └──────────────────┘
+```
+
+The gateway holds the wallet, drives the 402 → sign → 200 loop, enforces spend caps, writes a receipts log. The agent stays at the MCP layer and never deals with payment plumbing.
+
+## Run from source
+
+For contributors and anyone who wants to hack on the gateway:
+
+```bash
+git clone https://github.com/jaysperspective/thebuyside-x402-agent.git
+cd thebuyside-x402-agent
+pnpm install
+cp .env.example .env   # then paste your key into X402_PAYER_PRIVATE_KEY
+```
+
+Useful scripts:
+
+- **`pnpm pay-newsep`** — standalone script that pays news-ep `$0.005` end-to-end without MCP. Useful for verifying your wallet + protocol setup.
+- **`pnpm smoke`** — spawns the MCP server in a subprocess and round-trips a few tool calls. CI-safe; no real payments.
+- **`pnpm verify-seed`** — hits each registry entry's example URL and asserts a valid 402 with the advertised price. Run nightly in CI.
+- **`pnpm test`** — the full vitest unit-test suite.
+- **`pnpm build`** — compiles to `dist/`. Used by `npm publish`.
+
+To point your MCP client at the local source instead of the published npm package:
+
+```bash
+claude mcp add x402-pay -- "$(pwd)/node_modules/.bin/tsx" "$(pwd)/src/index.ts"
+```
+
+## Adding an API to the registry
+
+The discover tool reads `src/registry/seed.json`. Adding a new x402-priced endpoint is a single PR — see [docs/adding-an-api.md](docs/adding-an-api.md). CI verifies the entry returns a clean 402 with your advertised price before merge.
+
+## What this is *not*
+
+- An agent framework. Bring your own.
+- An LLM router. Bring your own.
+- A marketplace. The registry is curated open-source data, not a vendor list.
+- A custodial wallet service. Keys live in your `.env`. A managed-wallet (KMS) seam exists for a future hosted version, but the OSS gateway will always work BYO-key.
+
+## Contributing
+
+Apache 2.0. Sign your commits with DCO (`git commit -s`). No CLA. PRs welcome — small, focused, with tests.
+
+## License
+
+[Apache License 2.0](./LICENSE).

package/dist/chains/adapter.d.ts

@@ -0,0 +1,33 @@
+/**
+ * ChainAdapter — encapsulates per-chain knowledge: network identifier
+ * matching, EIP-712 domain, and how to build the typed-data + authorization
+ * payload for an x402 payment.
+ *
+ * v0 has one implementation: `BaseUsdcAdapter`. Adding Solana (Pay.sh) for
+ * v0.2 means writing one new class and registering it; no rewrite.
+ *
+ * Note: the return type is currently EVM-shaped (EIP-712 typed data). When
+ * Solana lands we'll either widen this interface or split it into
+ * `EvmChainAdapter` / `SolanaChainAdapter` siblings — both are clean changes
+ * from here.
+ */
+import type { Address } from 'viem';
+import type { Eip712TypedData } from '../signer/signer.js';
+import type { Authorization, PaymentRequirements } from '../x402/types.js';
+export interface ChainAdapter {
+    /** Short identifier used in logs and receipts (e.g. 'base', 'solana'). */
+    readonly id: string;
+    /** Returns true if this adapter handles the network ID in a 402 challenge. */
+    matches(network: string): boolean;
+    /**
+     * Build the data to sign and the authorization body for a given payment
+     * requirement. The gateway then signs `typedData` with its `Signer`,
+     * combines the signature with `authorization`, and base64-encodes the
+     * whole thing into the `X-PAYMENT` header.
+     */
+    buildPayment(reqs: PaymentRequirements, payerAddress: Address): {
+        typedData: Eip712TypedData;
+        authorization: Authorization;
+    };
+}
+//# sourceMappingURL=adapter.d.ts.map

package/dist/chains/adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.d.ts","sourceRoot":"","sources":["../../src/chains/adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACpC,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,KAAK,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAE3E,MAAM,WAAW,YAAY;IAC3B,0EAA0E;IAC1E,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IAEpB,8EAA8E;IAC9E,OAAO,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC;IAElC;;;;;OAKG;IACH,YAAY,CACV,IAAI,EAAE,mBAAmB,EACzB,YAAY,EAAE,OAAO,GACpB;QAAE,SAAS,EAAE,eAAe,CAAC;QAAC,aAAa,EAAE,aAAa,CAAA;KAAE,CAAC;CACjE"}

package/dist/chains/adapter.js

@@ -0,0 +1,15 @@
+/**
+ * ChainAdapter — encapsulates per-chain knowledge: network identifier
+ * matching, EIP-712 domain, and how to build the typed-data + authorization
+ * payload for an x402 payment.
+ *
+ * v0 has one implementation: `BaseUsdcAdapter`. Adding Solana (Pay.sh) for
+ * v0.2 means writing one new class and registering it; no rewrite.
+ *
+ * Note: the return type is currently EVM-shaped (EIP-712 typed data). When
+ * Solana lands we'll either widen this interface or split it into
+ * `EvmChainAdapter` / `SolanaChainAdapter` siblings — both are clean changes
+ * from here.
+ */
+export {};
+//# sourceMappingURL=adapter.js.map

package/dist/chains/adapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.js","sourceRoot":"","sources":["../../src/chains/adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG"}

package/dist/chains/base-usdc.d.ts

@@ -0,0 +1,22 @@
+/**
+ * BaseUsdcAdapter — Base mainnet, USDC-as-asset, EIP-3009 transferWithAuthorization.
+ *
+ * Behaviour matches what news-ep.com expects: `network` of either "base" or
+ * "eip155:8453"; EIP-712 domain name "USD Coin" / version "2" (provided by
+ * the `extra` field of the 402 challenge — we don't hardcode these because
+ * different USDC deployments use different domain names, e.g. Base Sepolia
+ * uses "USDC").
+ */
+import type { Address } from 'viem';
+import type { Eip712TypedData } from '../signer/signer.js';
+import type { Authorization, PaymentRequirements } from '../x402/types.js';
+import type { ChainAdapter } from './adapter.js';
+export declare class BaseUsdcAdapter implements ChainAdapter {
+    readonly id = "base";
+    matches(network: string): boolean;
+    buildPayment(reqs: PaymentRequirements, payerAddress: Address): {
+        typedData: Eip712TypedData;
+        authorization: Authorization;
+    };
+}
+//# sourceMappingURL=base-usdc.d.ts.map

package/dist/chains/base-usdc.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base-usdc.d.ts","sourceRoot":"","sources":["../../src/chains/base-usdc.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAO,MAAM,MAAM,CAAC;AAEzC,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,KAAK,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAajD,qBAAa,eAAgB,YAAW,YAAY;IAClD,QAAQ,CAAC,EAAE,UAAU;IAErB,OAAO,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAIjC,YAAY,CACV,IAAI,EAAE,mBAAmB,EACzB,YAAY,EAAE,OAAO,GACpB;QAAE,SAAS,EAAE,eAAe,CAAC;QAAC,aAAa,EAAE,aAAa,CAAA;KAAE;CAqChE"}

package/dist/chains/base-usdc.js

@@ -0,0 +1,60 @@
+/**
+ * BaseUsdcAdapter — Base mainnet, USDC-as-asset, EIP-3009 transferWithAuthorization.
+ *
+ * Behaviour matches what news-ep.com expects: `network` of either "base" or
+ * "eip155:8453"; EIP-712 domain name "USD Coin" / version "2" (provided by
+ * the `extra` field of the 402 challenge — we don't hardcode these because
+ * different USDC deployments use different domain names, e.g. Base Sepolia
+ * uses "USDC").
+ */
+import { randomBytes } from 'node:crypto';
+import { base } from 'viem/chains';
+const TRANSFER_WITH_AUTHORIZATION_TYPES = {
+    TransferWithAuthorization: [
+        { name: 'from', type: 'address' },
+        { name: 'to', type: 'address' },
+        { name: 'value', type: 'uint256' },
+        { name: 'validAfter', type: 'uint256' },
+        { name: 'validBefore', type: 'uint256' },
+        { name: 'nonce', type: 'bytes32' },
+    ],
+};
+export class BaseUsdcAdapter {
+    id = 'base';
+    matches(network) {
+        return network === 'base' || network === 'eip155:8453';
+    }
+    buildPayment(reqs, payerAddress) {
+        const validAfter = 0n;
+        const validBefore = BigInt(Math.floor(Date.now() / 1000) + reqs.maxTimeoutSeconds);
+        const nonce = `0x${randomBytes(32).toString('hex')}`;
+        const typedData = {
+            domain: {
+                name: reqs.extra.name,
+                version: reqs.extra.version,
+                chainId: base.id,
+                verifyingContract: reqs.asset,
+            },
+            types: TRANSFER_WITH_AUTHORIZATION_TYPES,
+            primaryType: 'TransferWithAuthorization',
+            message: {
+                from: payerAddress,
+                to: reqs.payTo,
+                value: BigInt(reqs.maxAmountRequired),
+                validAfter,
+                validBefore,
+                nonce,
+            },
+        };
+        const authorization = {
+            from: payerAddress,
+            to: reqs.payTo,
+            value: reqs.maxAmountRequired,
+            validAfter: validAfter.toString(),
+            validBefore: validBefore.toString(),
+            nonce,
+        };
+        return { typedData, authorization };
+    }
+}
+//# sourceMappingURL=base-usdc.js.map

package/dist/chains/base-usdc.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"base-usdc.js","sourceRoot":"","sources":["../../src/chains/base-usdc.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,OAAO,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAKnC,MAAM,iCAAiC,GAAG;IACxC,yBAAyB,EAAE;QACzB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE;QACjC,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE;QAC/B,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE;QAClC,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,SAAS,EAAE;QACvC,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,SAAS,EAAE;QACxC,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE;KACnC;CACO,CAAC;AAEX,MAAM,OAAO,eAAe;IACjB,EAAE,GAAG,MAAM,CAAC;IAErB,OAAO,CAAC,OAAe;QACrB,OAAO,OAAO,KAAK,MAAM,IAAI,OAAO,KAAK,aAAa,CAAC;IACzD,CAAC;IAED,YAAY,CACV,IAAyB,EACzB,YAAqB;QAErB,MAAM,UAAU,GAAG,EAAE,CAAC;QACtB,MAAM,WAAW,GAAG,MAAM,CACxB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,iBAAiB,CACvD,CAAC;QACF,MAAM,KAAK,GAAG,KAAK,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAS,CAAC;QAE5D,MAAM,SAAS,GAAoB;YACjC,MAAM,EAAE;gBACN,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI;gBACrB,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO;gBAC3B,OAAO,EAAE,IAAI,CAAC,EAAE;gBAChB,iBAAiB,EAAE,IAAI,CAAC,KAAK;aAC9B;YACD,KAAK,EAAE,iCAAiC;YACxC,WAAW,EAAE,2BAA2B;YACxC,OAAO,EAAE;gBACP,IAAI,EAAE,YAAY;gBAClB,EAAE,EAAE,IAAI,CAAC,KAAK;gBACd,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC;gBACrC,UAAU;gBACV,WAAW;gBACX,KAAK;aACN;SACF,CAAC;QAEF,MAAM,aAAa,GAAkB;YACnC,IAAI,EAAE,YAAY;YAClB,EAAE,EAAE,IAAI,CAAC,KAAK;YACd,KAAK,EAAE,IAAI,CAAC,iBAAiB;YAC7B,UAAU,EAAE,UAAU,CAAC,QAAQ,EAAE;YACjC,WAAW,EAAE,WAAW,CAAC,QAAQ,EAAE;YACnC,KAAK;SACN,CAAC;QAEF,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,CAAC;IACtC,CAAC;CACF"}

package/dist/config.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Config loader. Reads `.env` (via dotenv) and validates env vars at startup.
+ *
+ * The wallet key is intentionally optional at M1 — the gateway boots and lists
+ * tools without it; payment-shaped tools just won't have a real address to use.
+ *
+ * `.env` is loaded by absolute path (relative to this file) so the gateway
+ * works correctly when spawned from any cwd — e.g. by Claude Desktop, where
+ * the working directory is not guaranteed to be the project root.
+ */
+import type { Hex } from 'viem';
+export type Config = {
+    /** Hex 0x-prefixed private key, or null if unset / placeholder. */
+    payerPrivateKey: Hex | null;
+};
+export declare function loadConfig(): Config;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,MAAM,CAAC;AAMhC,MAAM,MAAM,MAAM,GAAG;IACnB,mEAAmE;IACnE,eAAe,EAAE,GAAG,GAAG,IAAI,CAAC;CAC7B,CAAC;AAaF,wBAAgB,UAAU,IAAI,MAAM,CAInC"}

package/dist/config.js

@@ -0,0 +1,32 @@
+/**
+ * Config loader. Reads `.env` (via dotenv) and validates env vars at startup.
+ *
+ * The wallet key is intentionally optional at M1 — the gateway boots and lists
+ * tools without it; payment-shaped tools just won't have a real address to use.
+ *
+ * `.env` is loaded by absolute path (relative to this file) so the gateway
+ * works correctly when spawned from any cwd — e.g. by Claude Desktop, where
+ * the working directory is not guaranteed to be the project root.
+ */
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { config as loadDotenv } from 'dotenv';
+const here = dirname(fileURLToPath(import.meta.url));
+const projectRoot = resolve(here, '..');
+loadDotenv({ path: resolve(projectRoot, '.env') });
+function parsePrivateKey(raw) {
+    if (!raw)
+        return null;
+    if (raw === '0xPASTE_YOUR_PRIVATE_KEY_HERE')
+        return null;
+    if (!raw.startsWith('0x') || raw.length !== 66) {
+        throw new Error('X402_PAYER_PRIVATE_KEY is set but malformed. Expected 0x-prefixed 64 hex chars.');
+    }
+    return raw;
+}
+export function loadConfig() {
+    return {
+        payerPrivateKey: parsePrivateKey(process.env.X402_PAYER_PRIVATE_KEY),
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,MAAM,IAAI,UAAU,EAAE,MAAM,QAAQ,CAAC;AAG9C,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AACrD,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AACxC,UAAU,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,WAAW,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;AAOnD,SAAS,eAAe,CAAC,GAAuB;IAC9C,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,IAAI,GAAG,KAAK,+BAA+B;QAAE,OAAO,IAAI,CAAC;IACzD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CACb,iFAAiF,CAClF,CAAC;IACJ,CAAC;IACD,OAAO,GAAU,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,UAAU;IACxB,OAAO;QACL,eAAe,EAAE,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;KACrE,CAAC;AACJ,CAAC"}

package/dist/gateway.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Gateway — the bundle of components every MCP tool needs.
+ *
+ * Built once at server startup and passed by reference to each tool's
+ * register function. Keeps tool signatures stable as we add modules
+ * (analytics, hosted-wallet, multi-chain, etc.) over time.
+ */
+import type { ChainAdapter } from './chains/adapter.js';
+import type { Config } from './config.js';
+import { Allowlist } from './policy/allowlist.js';
+import { CapPolicy } from './policy/caps.js';
+import { ConfirmPolicy } from './policy/confirm.js';
+import { Receipts } from './policy/receipts.js';
+import { Registry } from './registry/lookup.js';
+import type { Signer } from './signer/signer.js';
+export type Gateway = {
+    signer: Signer | null;
+    chains: ChainAdapter[];
+    allowlist: Allowlist;
+    receipts: Receipts;
+    caps: CapPolicy;
+    confirm: ConfirmPolicy;
+    registry: Registry;
+};
+export declare function buildGateway(config: Config): Promise<Gateway>;
+//# sourceMappingURL=gateway.d.ts.map

package/dist/gateway.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gateway.d.ts","sourceRoot":"","sources":["../src/gateway.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAEhD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAEjD,MAAM,MAAM,OAAO,GAAG;IACpB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,MAAM,EAAE,YAAY,EAAE,CAAC;IACvB,SAAS,EAAE,SAAS,CAAC;IACrB,QAAQ,EAAE,QAAQ,CAAC;IACnB,IAAI,EAAE,SAAS,CAAC;IAChB,OAAO,EAAE,aAAa,CAAC;IACvB,QAAQ,EAAE,QAAQ,CAAC;CACpB,CAAC;AAEF,wBAAsB,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAanE"}

package/dist/gateway.js

@@ -0,0 +1,28 @@
+/**
+ * Gateway — the bundle of components every MCP tool needs.
+ *
+ * Built once at server startup and passed by reference to each tool's
+ * register function. Keeps tool signatures stable as we add modules
+ * (analytics, hosted-wallet, multi-chain, etc.) over time.
+ */
+import { BaseUsdcAdapter } from './chains/base-usdc.js';
+import { Allowlist } from './policy/allowlist.js';
+import { CapPolicy } from './policy/caps.js';
+import { ConfirmPolicy } from './policy/confirm.js';
+import { Receipts } from './policy/receipts.js';
+import { Registry } from './registry/lookup.js';
+import { EnvKeySigner } from './signer/env-key.js';
+export async function buildGateway(config) {
+    const receipts = Receipts.fromEnv();
+    const registry = await Registry.load();
+    return {
+        signer: config.payerPrivateKey ? new EnvKeySigner(config.payerPrivateKey) : null,
+        chains: [new BaseUsdcAdapter()],
+        allowlist: Allowlist.fromEnv({ defaultHosts: registry.hosts() }),
+        receipts,
+        caps: CapPolicy.fromEnv(receipts),
+        confirm: ConfirmPolicy.fromEnv(),
+        registry,
+    };
+}
+//# sourceMappingURL=gateway.js.map

package/dist/gateway.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gateway.js","sourceRoot":"","sources":["../src/gateway.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAGxD,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAanD,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,MAAc;IAC/C,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,EAAE,CAAC;IACpC,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAEvC,OAAO;QACL,MAAM,EAAE,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,YAAY,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI;QAChF,MAAM,EAAE,CAAC,IAAI,eAAe,EAAE,CAAC;QAC/B,SAAS,EAAE,SAAS,CAAC,OAAO,CAAC,EAAE,YAAY,EAAE,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC;QAChE,QAAQ;QACR,IAAI,EAAE,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC;QACjC,OAAO,EAAE,aAAa,CAAC,OAAO,EAAE;QAChC,QAAQ;KACT,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+/**
+ * thebuyside-x402-agent — MCP gateway for x402-priced APIs.
+ * Entry point. See src/server.ts for the actual server.
+ */
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA;;;GAGG"}